Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide
Chapter 29 Using Adaptive Profiles
Configuring Adaptive Profiles
Like FireSIGHT recommended rules, adaptive profiles compare metadata in a rule to host information
to determine whether a rule should apply for a particular host. However, while FireSIGHT recommended
rules provide recommendations for enabling or disabling rules using that information, adaptive profiles
use the information to apply specific rules to specific traffic.
FireSIGHT recommended rules require your interaction to implement suggested changes to rule states.
Adaptive profiles, on the other hand, do not modify the intrusion policy. Adaptive treatment of rules
happens on a packet-by-packet basis.
Additionally, FireSIGHT recommended rules can result in enabling disabled rules. Adaptive profiles, in
contrast, only affect the application of rules that are already enabled in the intrusion policy. Adaptive
profiles never change the rule state.
You can use adaptive profiles and FireSIGHT recommended rules in the same policy. Adaptive profiles
use the rule state for a rule when the policy is applied to determine whether to include it as a candidate
for applying, and your choices to accept or decline recommendations are reflected in that rule state. You
can use both features to ensure that you have enabled or disabled the most appropriate rules for each
network you monitor, and then to apply enabled rules most efficiently for specific traffic.
See
for more information.
Configuring Adaptive Profiles
License: FireSIGHT + Protection
To use host information to determine which target-based profiles are used for IP defragmentation and
TCP stream preprocessing, you can configure adaptive profiles.
When you configure adaptive profiles, you need to bind the adaptive profile setting to a specific network
or networks. To successfully use adaptive profiles, that network must exist in the network map and must
be in the segment monitored by the device where you apply the access control policy that includes your
intrusion policy.
Note
You should enable adaptive profiles only in an intrusion policy that you associate with the default action
of an access control policy.
You can indicate the hosts in the network map where adaptive profiles should be used to process traffic
by specifying an IP address, a block of addresses, or a network variable with the desired value configured
in the variable set linked to the intrusion policy associated with the default action of the access control
policy.
You can use any of these addressing methods alone or in any combination as a list of IP addresses,
address blocks, or variables separated by commas, as shown in the following example:
192.168.1.101, 192.168.4.0/24, $HOME_NET
For information on specifying address blocks in the FireSIGHT System, see
.
Tip
You can apply adaptive profiles to all hosts in the network map by using a variable with a value of any
or by specifying 0.0.0.0/0 as the network value.
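A check you can run before applying the policy, as an added example that is not part of the Cisco guide or the product: it expands a network value in the comma-separated format shown above (IP addresses, address blocks, $variables, any) and lists the network map hosts the setting does not cover. The variable set contents, the host list, and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed variable set; in the product these values come from the variable
# set linked to the intrusion policy. Names and values here are assumptions.
VARIABLE_SET = {
    "HOME_NET": "10.10.0.0/16, 192.168.4.0/24",
    "ALL_HOSTS": "any",
}

def parse_networks(field, variables, _seen=()):
    """Expand a comma-separated list of IPs, address blocks and $VARIABLES
    into a list of ipaddress network objects."""
    networks = []
    for entry in (e.strip() for e in field.split(",")):
        if not entry:
            raise ValueError("empty entry in network list")
        if entry.startswith("$"):
            name = entry[1:]
            if name in _seen:
                raise ValueError(f"variable ${name} refers to itself")
            if name not in variables:
                raise ValueError(f"variable ${name} is not in the variable set")
            networks += parse_networks(variables[name], variables, _seen + (name,))
        elif entry.lower() == "any":
            # Per the Tip above, "any" and 0.0.0.0/0 both select every host.
            networks.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            # A bare address becomes a single-host (/32) network.
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks

def uncovered_hosts(field, variables, hosts):
    """Return the hosts that the adaptive profile network value misses."""
    networks = parse_networks(field, variables)
    return [h for h in hosts
            if not any(ipaddress.ip_address(h) in n for n in networks)]

# Constructed host list standing in for a hypothetical network map export.
NETWORK_MAP_HOSTS = ["192.168.1.101", "192.168.4.17", "10.10.3.9", "172.16.0.5"]

if __name__ == "__main__":
    setting = "192.168.1.101, 192.168.4.0/24, $HOME_NET"
    print("not covered:", uncovered_hosts(setting, VARIABLE_SET, NETWORK_MAP_HOSTS))
```

A host reported here is in the network map but outside the configured value, so adaptive profiles are not used for its traffic.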
You can also control how frequently network map data is synced from the Defense Center to the managed
device. The system uses the data to determine what profiles should be used when processing traffic.