Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Managing FireSIGHT Rule State Recommendations
• Click Generate Recommendations if you want the system to generate recommendations without changing your rule states automatically to the recommended states.
  The system generates recommended rule state changes.
• If you have generated recommendations before, click Update Recommendations to update existing recommendations.
  The system generates recommended rule state changes and, if recommendations are in use, automatically sets rules to the recommended states. The status updates for the number of recommendations, the number of hosts with recommended rule state changes, and the number of recommendations to generate events, drop and generate events, or disable rules.
• If you have generated recommendations before, click Use Recommendations to use recommendations that you have generated but have not used.
  The system automatically sets rules to the recommended states.
• If you have generated and are already using recommendations, click Do Not Use Recommendations to stop using recommendations currently in use.
  The system automatically resets rules to the default rule states unless a specific rule state was applied to the rule before using recommendations; in that case, the rule reverts to the specific rule state.
Note that the system does not recommend a rule state for an intrusion rule that is based on a vulnerability that you disable using the Impact Qualification feature. For more information, see .
Note also that updating the policy to use or not use recommendations may take several minutes, depending on the size of your network and rule set.
Note: The system always recommends that you enable a local rule associated with a third-party vulnerability mapped to a host. The system does not make state recommendations for unmapped local rules. For more information, see
Step 10 Optionally, click View next to a recommendation type to display a recommendations-filtered view of the Rules page for the type of recommendation you selected.
Step 11 Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. See the table for more information.