Cisco Cisco Firepower Management Center 4000
23-6
FireSIGHT System User Guide
Chapter 23 Using Layers in an Intrusion Policy
Understanding Intrusion Policy Layers
Step 4
Locate the rule or rules where you want to remove multiple settings. You have the following options:
•
To sort the current display, click on a column heading or icon. To reverse the sort, click again.
•
Construct a filter by clicking on keywords or arguments in the filter panel on the left. For more
information, see the following topics:
information, see the following topics:
.
The page refreshes to display all matching rules.
Step 5
Select the rule or rules for which you want to remove multiple settings. You have the following options:
•
To select a specific rule, select the check box next to the rule.
•
To select all the rules in the current list, select the check box at the top of the column.
Step 6
You have the following options:
•
To remove all thresholds for a rule, select
Event Filtering > Remove Thresholds.
Click
OK
in the
confirmation pop-up window that appears.
•
To remove all suppression for a rule, select
Event Filtering > Remove Suppressions.
Click
OK
in the
confirmation pop-up window that appears.
•
To remove all rate-based rule states for a rule, select
Dynamic State > Remove Rate-Based Rule States.
Click
OK
in the confirmation pop-up window that appears.
•
To remove all SNMP alert settings for a rule, select
Alerting > Remove SNMP Alerts.
Click
OK
in the
confirmation pop-up window that appears.
The system removes the selected setting and copies the remaining settings for the rule to the highest
editable layer in the policy. See the introduction to this procedure for conditions that affect how the
system copies the remaining settings.
editable layer in the policy. See the introduction to this procedure for conditions that affect how the
system copies the remaining settings.
Note
Removing rule settings from a shared layer or the base policy causes any changes to this rule
from lower layers or the base policy to be ignored. To stop ignoring changes from lower layers
or the base policy, set the rule state to
from lower layers or the base policy to be ignored. To stop ignoring changes from lower layers
or the base policy, set the rule state to
Inherit
in the topmost layer. See
for more information.
Step 7
Save your policy, continue editing, discard your changes, or exit while leaving your changes in the
system cache. See the
system cache. See the
table for more information.
Using the FireSIGHT Recommendations Layer
License:
Protection
When you have generated rule state recommendations, you can choose whether to automatically modify
rule states based on the recommendations.
rule states based on the recommendations.
Choosing to use the recommended rule states adds or updates a read-only, built-in FireSIGHT
Recommendations system layer immediately above the base layer in your intrusion policy. Subsequently
choosing not to use the recommended rule states removes the FireSIGHT Recommendations system
layer. Note that you can repeatedly remove and restore the FireSIGHT Recommendations layer by
choosing to use or not use recommendations, but you cannot delete the layer manually.
Recommendations system layer immediately above the base layer in your intrusion policy. Subsequently
choosing not to use the recommended rule states removes the FireSIGHT Recommendations system
layer. Note that you can repeatedly remove and restore the FireSIGHT Recommendations layer by
choosing to use or not use recommendations, but you cannot delete the layer manually.
Adding the FireSIGHT Recommendations layer adds a FireSIGHT Recommendations link under Policy
Layers in the navigation panel. That link leads you to a read-only view of the FireSIGHT
Recommendations layer page. From the FireSIGHT Recommendations layer page, you can display
Layers in the navigation panel. That link leads you to a read-only view of the FireSIGHT
Recommendations layer page. From the FireSIGHT Recommendations layer page, you can display