Cisco Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Managing FireSIGHT Rule State Recommendations
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.
Step 3
You have two options:
• If you have not generated recommendations, select No recommendations have been generated. Click here to set up FireSIGHT recommendations.
• If you have generated recommendations, select Click to change recommendations.
The FireSIGHT Recommended Rules Configuration page appears.
Step 4
You have the following choices:
• To have the corresponding intrusion policy report list the rule message, recommended state, and actual state for all rules whose actual state differs from the recommended state, select Include all differences between recommendations and rule states in policy reports for more information.
• To generate recommendations using the default settings, go to step
• To modify the advanced recommendations options, go to step .
Step 5
Click the plus icon to expand the Advanced Settings section.
The advanced FireSIGHT recommendations options appear.
Step 6
In the Networks field, specify the network to examine for recommendations.
For information on using IP address notation in the FireSIGHT System, see .
Note that lists of addresses are linked with an OR operation except for negations, which are linked with an AND operation after all OR operations are calculated. See for more information.
Step 7
Optionally, drag the Recommendation Threshold (By Rule Overhead) slide bar to specify the amount of overhead a rule must have to be included in the recommendations you generate.
Dragging the slide bar to the right includes rules with higher overhead and will likely result in more recommendations, but may increasingly affect system performance. See for more information.
Step 8
You have the following options:
• To generate recommendations to disable rules, select the Accept Recommendations to Disable Rules check box.
Note that accepting recommendations to disable rules restricts your rule coverage.
• To prevent generating recommendations to disable rules, clear the Accept Recommendations to Disable Rules check box.
Note that omitting recommendations to disable rules augments your rule coverage.
Step 9
You have several options:
• Click Generate and Use Recommendations if you have not yet generated recommendations and want the system to change your rule states automatically to the recommended states while generating recommendations.
The system generates recommended rule state changes and automatically sets rules to the recommended states.
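The note in Step 6 on how a Networks list is evaluated (entries ORed together, negations ANDed in afterwards) can be checked against a host inventory before generating recommendations. The following Python sketch is an added example, not part of the Cisco guide: the "!" negation prefix, the comma separator, the handling of a negation-only list, and every address shown are assumptions constructed for illustration.

```python
import ipaddress


def parse_network_list(spec):
    """Split a list into (included, negated) networks.

    Assumption: entries are comma-separated and a negated entry has a
    leading "!"; the page itself does not show the notation.
    """
    included, negated = [], []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue
        bucket = negated if entry.startswith("!") else included
        # strict=False accepts a host address written with a prefix length
        bucket.append(ipaddress.ip_network(entry.lstrip("!").strip(), strict=False))
    return included, negated


def host_in_scope(host, spec):
    """Return True if host falls inside the list as Step 6 describes it."""
    addr = ipaddress.ip_address(host)
    included, negated = parse_network_list(spec)
    # First, OR across all non-negated entries.
    # Assumption: a list made only of negations starts from "any address".
    matched = any(addr in net for net in included) if included else True
    # Then AND in every negation: one hit on a negated entry excludes the host.
    return matched and all(addr not in net for net in negated)


def hosts_examined(hosts, spec):
    """Filter an inventory down to the hosts the list would cover."""
    return [h for h in hosts if host_in_scope(h, spec)]


# Constructed sample data, not taken from the guide.
SAMPLE_SPEC = "10.0.0.0/8, 192.168.1.0/24, !10.1.0.0/16, !192.168.1.50"
SAMPLE_HOSTS = ["10.2.3.4", "10.1.5.5", "192.168.1.7", "192.168.1.50", "172.16.0.1"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, "examined" if host_in_scope(h, SAMPLE_SPEC) else "skipped")
```

A host left out of scope this way is not considered when recommendations are generated, so a misplaced negation can leave rules for that host's software without a recommended state.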