Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 30 Using Global Rule Thresholding
Configuring Global Thresholds
The Global Rule Thresholding page appears. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. See for more information.
Step 5
Select the type of threshold from the Type drop-down list to do the following during the time specified by the seconds argument:
• Select Limit to log and display an event for each packet that triggers the rule until the limit specified by the count argument is exceeded.
• Select Threshold to log and display a single event for each packet that triggers the rule and represents either the instance that matches the threshold set by the count argument or is a multiple of the threshold.
• Select Both to log and display a single event after the number of packets specified by the count argument trigger the rule.
Step 6
Select the tracking method from the Track By drop-down list:
• Select Source to identify rule matches in traffic coming from a particular source IP address or addresses.
• Select Destination to identify rule matches in traffic going to a particular destination IP address.
Step 7
You have the following options:
• For a Threshold threshold, specify the number of rule matches you want to use as your threshold in the Count field.
• For a Limit threshold, specify the number of event instances per specified time period per tracking IP address required to meet the threshold in the Count field.
Step 8
You have the following options:
• For a Limit threshold, specify the number of seconds that make up the time period for which attacks are tracked in the Seconds field.
• For a Threshold threshold, specify the number of seconds that elapse before the count resets in the Seconds field. Note that the count resets if the number of rule matches indicated by the Count field occurs before the number of seconds indicated elapses.
Step 9
Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. See the table for more information.
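The following added example (not part of the Cisco guide or of product code) models how the Type, Track By, Count and Seconds settings from Steps 5 through 8 decide which rule matches become logged events, using a constructed list of matches. The function names, the sample addresses, and the choice to start each time period at the first match seen for a tracked address are assumptions made for illustration.

```python
# Added illustration: models the Limit, Threshold and Both types from Steps 5-8.
# Assumption: the time period starts at the first match seen for a tracked IP,
# and a new period starts once `seconds` have elapsed since then.

def apply_threshold(matches, kind, track_by, count, seconds):
    """Return the rule matches that would be logged as events.

    matches  -- list of (time_s, src_ip, dst_ip), sorted by time
    kind     -- "limit", "threshold" or "both" (the Type drop-down)
    track_by -- "source" or "destination" (the Track By drop-down)
    """
    if kind not in ("limit", "threshold", "both"):
        raise ValueError(f"unknown threshold type: {kind}")
    if track_by not in ("source", "destination"):
        raise ValueError(f"unknown tracking method: {track_by}")
    if count < 1 or seconds < 1:
        raise ValueError("count and seconds must be positive")
    state = {}   # tracked IP -> [period_start, matches_in_period]
    logged = []
    for t, src, dst in matches:
        key = src if track_by == "source" else dst
        period = state.get(key)
        if period is None or t - period[0] >= seconds:
            period = state[key] = [t, 0]      # start a new time period
        period[1] += 1
        n = period[1]
        if kind == "limit":
            emit = n <= count                 # every match up to the limit
        elif kind == "threshold":
            emit = n % count == 0             # the count-th match and its multiples
        else:
            emit = n == count                 # one event once count is reached
        if emit:
            logged.append((t, src, dst))
    return logged

def logged_times(kind, track_by, count, seconds):
    return [m[0] for m in apply_threshold(SAMPLE, kind, track_by, count, seconds)]

# Constructed sample: two sources hitting one destination (documentation IPs).
A, B, DST = "192.0.2.10", "192.0.2.20", "198.51.100.5"
SAMPLE = sorted([(t, A, DST) for t in (0, 10, 20, 30, 40, 50, 65, 70)] +
                [(t, B, DST) for t in (15, 25)])

if __name__ == "__main__":
    for args in [("limit", "destination", 1, 60), ("limit", "source", 1, 60),
                 ("threshold", "destination", 3, 60), ("both", "destination", 3, 60)]:
        print(args, "->", logged_times(*args))
```

With a Limit of one event per 60 seconds, tracking by destination logs two of the ten matches, while tracking by source logs three because the second source gets its own counter.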
Disabling the Global Threshold
License: Protection
By default, a global limit threshold limits the number of events on traffic going to a destination to one event per 60 seconds. You can disable global thresholding in the highest policy layer if you want to threshold events for specific rules and not apply thresholding to every rule by default.
To disable global thresholding:
Access: Admin/Intrusion Admin
Step 1
Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.