Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 23: Using Layers in an Intrusion Policy
Larger organizations with many managed devices may have many intrusion policies to support the unique needs of different departments, business units or, in some instances, different companies. The rule settings and advanced settings in an intrusion policy are contained in building blocks called policy layers, which you can use to more efficiently manage multiple policies.
You can create and edit a policy without consciously using layers. You can modify rule settings and advanced settings and, if you have not added user layers to your policy, the system automatically includes your changes in a single configurable layer. Optionally, you can also add up to 200 layers where you can configure any combination of rule settings and advanced settings. You can copy, merge, move, and delete user layers and, most importantly, share individual user layers with other policies.
See the following sections for more information:
• Understanding Intrusion Policy Layers explains the layers that comprise a basic policy and how you can use them.
• explains how you can add, copy, merge, and share user-configurable layers, and how to view and access the configuration pages for rules and advanced settings.
Understanding Intrusion Policy Layers
License: Protection
A policy where you do not add layers includes the read-only base policy layer and a single user-configurable layer that is initially named My Changes. If you generate and use rule state recommendations based on network discovery data, the system automatically inserts a read-only FireSIGHT Recommendations layer immediately above the base policy. You can copy, merge, move, or delete any user-configurable layer and set any user-configurable layer to be shared by other intrusion policies; note that the My Changes layer is a user-configurable layer.
Each policy layer contains complete settings for all intrusion rules, preprocessor rules, and advanced settings. The layer at the bottom of the stack includes all the settings from the base policy you selected when you created the policy. A setting in a higher layer in the policy layer stack takes precedence over the same setting in a lower layer. Features not explicitly set in a layer inherit their settings from the next highest layer below where they are explicitly set.
The following figure shows an example intrusion policy layer stack that, in addition to the base policy layer and the initial My Changes layer, also includes two additional user-configurable layers and the FireSIGHT Recommendations layer. Note in the figure that each user-configurable layer that you add is initially positioned as the highest layer in the stack; thus, User Layer 2 in the figure was added last and is highest in the stack.
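The precedence and inheritance rules described above, modelled as an added example that is not part of the guide and not FireSIGHT code: the layer stack from the figure is built bottom to top with constructed rule IDs and rule states, each setting is resolved by walking down from the highest layer, and a helper reports which edits in a given layer are currently overridden by a layer above it (an auditing question that matters when a shared layer is reused across policies).

```python
from typing import Dict, List, Tuple

# A layer is (name, explicit settings). Keys are rule identifiers (GID:SID)
# or advanced-setting names; a key absent from a layer is inherited from the
# next layer below that sets it. Index 0 is the bottom of the stack.
Layer = Tuple[str, Dict[str, str]]

def resolve_setting(stack: List[Layer], setting: str) -> Tuple[str, str]:
    """Return (value, layer_name) from the highest layer that sets `setting`."""
    for name, settings in reversed(stack):
        if setting in settings:
            return settings[setting], name
    raise KeyError(f"{setting!r} is not set in any layer, not even the base policy")

def effective_policy(stack: List[Layer]) -> Dict[str, Tuple[str, str]]:
    """Resolve every setting the base policy defines against the full stack."""
    _, base = stack[0]
    return {setting: resolve_setting(stack, setting) for setting in base}

def shadowed_settings(stack: List[Layer], layer_name: str) -> List[str]:
    """Settings explicitly set in `layer_name` that a higher layer overrides,
    i.e. edits in this layer that currently have no effect on the policy."""
    names = [name for name, _ in stack]
    idx = names.index(layer_name)
    above = stack[idx + 1:]
    return sorted(s for s in stack[idx][1]
                  if any(s in settings for _, settings in above))

# Constructed stack matching the figure described above, bottom to top.
# Rule IDs and states are illustrative, not values from the guide.
EXAMPLE_STACK: List[Layer] = [
    ("Base Policy", {"1:1001": "disabled", "1:1002": "generate events",
                     "1:1003": "generate events", "http_inspect": "enabled"}),
    ("FireSIGHT Recommendations", {"1:1001": "generate events"}),
    ("My Changes", {"1:1002": "drop and generate events"}),
    ("User Layer 1", {"1:1003": "disabled"}),
    ("User Layer 2", {"1:1001": "disabled", "1:1003": "generate events"}),
]

if __name__ == "__main__":
    for setting, (value, source) in effective_policy(EXAMPLE_STACK).items():
        print(f"{setting:<14} {value:<24} (from {source})")
    print("User Layer 1 edits with no effect:",
          shadowed_settings(EXAMPLE_STACK, "User Layer 1"))
```

Swapping the order of User Layer 1 and User Layer 2 in the list changes which value of 1:1003 wins, which is exactly the effect of moving a layer in the stack.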