Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 23 Using Layers in an Intrusion Policy
Understanding Intrusion Policy Layers
For example, if you set a rule state to Drop and Generate Events in one layer and to Disabled in a higher
layer, the intrusion policy Rules page shows that the rule is disabled.
In another example, if you set a source-based suppression for a rule to 192.168.1.1 in one layer, and you
also set a destination-based suppression for the rule to 192.168.1.2 in another layer, the Rules page
shows that the cumulative effect is to suppress events for the source address 192.168.1.1 and the
destination address 192.168.1.2. Note that suppression and rate-based rule state settings cumulatively
combine settings of the same type for each selected rule down to the first layer where a rule state is set
for the rule. Settings below the layer where a rule state is set are ignored.
To modify rules in a layer view:
Access: Admin/Intrusion Admin
Step 1 Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2 Click the edit icon next to the policy you want to view or edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.
Table 23-1 Rule Settings in Multiple Layers

| You can set... | Of this setting type... | To... |
| --- | --- | --- |
| one | Rule State | override a rule state set for the rule in a lower layer, and ignore all threshold, suppression, rate-based rule states, and alerts for that rule configured in lower layers. See for more information. If you want a rule to inherit the rule state for the rule from the base policy or a lower layer, set the rule state to Inherit. Note that you cannot set a rule state to Inherit when you are working on the intrusion policy Rules page, and the Inherit state does not appear in the Rule State column. Note also that rules with rule states set in a lower layer are highlighted in yellow and rules with states set in a higher layer are highlighted in red when you view them on the Rules page for a specific layer. Because the intrusion policy Rules page is a composite view of all rule settings, rule states are not color-coded on the policy view of the Rules page. |
| one | Threshold, SNMP Alert | override a setting of the same type for the rule in a lower layer. Note that setting a threshold overwrites any existing threshold for the rule in the layer. See and for more information. |
| one or more | Suppression, Rate-Based Rule State | cumulatively combine settings of the same type for each selected rule down to the first layer where a rule state is set for the rule. Settings below the layer where a rule state is set are ignored. See for more information. |
| one or more | Comment | add a comment to a rule. Comments are rule-specific, not policy- or layer-specific. You can add one or more comments to a rule in any layer. See for more information. |
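
The layer rules in Table 23-1 and the two examples at the start of this section, modeled in Python as an added example (not Cisco code and not part of the guide). The LayerSetting fields, the layer names, and the threshold value are assumptions constructed for illustration; rate-based rule states combine the same way as the suppressions shown.

```python
# Added illustration: a simplified model of the layer rules in Table 23-1.
# Field names and the layer representation are assumptions, not FireSIGHT's.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LayerSetting:
    """What one layer configures for a single rule (all fields optional)."""
    name: str
    rule_state: Optional[str] = None      # None models "Inherit"
    threshold: Optional[str] = None
    snmp_alert: Optional[bool] = None
    suppressions: list = field(default_factory=list)

def effective_settings(layers_top_down):
    """Resolve one rule's settings; layers are ordered highest first."""
    result = {"rule_state": None, "state_layer": None, "threshold": None,
              "snmp_alert": None, "suppressions": []}
    for layer in layers_top_down:
        # Threshold and SNMP alert: the highest layer that sets one wins.
        if result["threshold"] is None:
            result["threshold"] = layer.threshold
        if result["snmp_alert"] is None:
            result["snmp_alert"] = layer.snmp_alert
        # Suppressions accumulate across layers.
        result["suppressions"].extend(layer.suppressions)
        # The first layer (from the top) that sets a rule state ends the walk:
        # everything configured below it is ignored.
        if layer.rule_state is not None:
            result["rule_state"] = layer.rule_state
            result["state_layer"] = layer.name
            break
    return result

# Constructed sample layers for one rule, highest layer first.
EXAMPLE_COMBINED = [
    LayerSetting("Site Layer", suppressions=[("destination", "192.168.1.2")]),
    LayerSetting("Company Layer", rule_state="Drop and Generate Events",
                 suppressions=[("source", "192.168.1.1")]),
]
EXAMPLE_OVERRIDDEN = [
    LayerSetting("Site Layer", rule_state="Disabled",
                 suppressions=[("destination", "192.168.1.2")]),
    LayerSetting("Company Layer", rule_state="Drop and Generate Events",
                 threshold="limit", suppressions=[("source", "192.168.1.1")]),
]

if __name__ == "__main__":
    for layers in (EXAMPLE_COMBINED, EXAMPLE_OVERRIDDEN):
        print(effective_settings(layers))
```

In the second sample the higher layer sets a rule state, so the lower layer's threshold and source suppression drop out of the effective policy; this is the case to check for when a suppression or threshold appears to have no effect.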