Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 20 Configuring Intrusion Policies
• To compare two revisions of the same policy, select Other Revision.
Remember to commit any changes before you generate an intrusion policy report; only committed changes appear in the report.
Step 4
Depending on the comparison type you selected, you have the following choices:
• If you are comparing two different policies, select the policies you want to compare from the Policy A and Policy B drop-down lists.
• If you are comparing two revisions of the same policy, select the policy from the Policy drop-down list, then select the revisions you want to compare from the Revision A and Revision B drop-down lists.
Step 5
Click OK to display the intrusion policy comparison view.
The comparison view appears.
Step 6
Click Comparison Report to generate the intrusion policy comparison report.
Step 7
The intrusion policy report appears. Depending on your browser settings, the report may appear in a pop-up window, or you may be prompted to save the report to your computer.
Setting Drop Behavior in an Inline Deployment
License:
Protection
A drop rule is an intrusion rule or preprocessor rule whose rule state is set to Drop and Generate Events. You can use the Drop when Inline option in your intrusion policy to determine how the system handles drop rules in an inline deployment; for information on setting rule states in your intrusion policy, see the relevant section of this guide.
In an inline deployment, you would typically set your intrusion policy to drop packets that trigger drop rules. However, you might also set your policy to not drop packets so you can assess how your configuration functions on your network. In this case, the system would generate events but would not drop packets that trigger your drop rules. When you are satisfied with the results, you can set your policy to drop packets; then you can reapply the access control policy that includes your policy.
When you set your intrusion policy to drop packets in an inline deployment, the system drops packets that trigger enabled drop rules and generates events for the triggered rules.
For an access control policy using a file policy with Block Malware rules for FTP, if you set the default action to an intrusion policy with Drop when Inline disabled, the system generates events for detected files or malware matching the rules, but does not drop the files. To block FTP file transfers while using an intrusion policy as the default action for the access control policy where you select the file policy, you must select an intrusion policy with Drop when Inline enabled.
Note that in a passive deployment, including when an inline interface is in tap mode, the system treats rules set to Drop and Generate Events the same as rules set to Generate Events; that is, the system generates events but does not drop packets that trigger the rules, regardless of the drop behavior of your policy. See the relevant section of this guide for more information.
Note also that the table view of intrusion events indicates when packets are dropped if Drop when Inline is enabled in an inline deployment, and when packets would have dropped if Drop when Inline is disabled.
In a passive deployment, including when an inline interface is in tap mode, the table view of intrusion events always shows that drop rules would have dropped packets in an inline deployment, regardless of the setting for Drop when Inline. See the relevant section of this guide for more information.
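The following Python is an added illustration, not part of the guide or of the FireSIGHT software: it models the behavior described above (rule state, deployment mode and the Drop when Inline setting) and adds a pre-deployment check that flags the assessment-mode and FTP Block Malware cases before an access control policy is applied. The function names, the deployment labels and the "would have dropped" wording are my own.

```python
from dataclasses import dataclass

# Rule states as named in the intrusion policy.
DROP_AND_GENERATE = "Drop and Generate Events"
GENERATE = "Generate Events"
DISABLED = "Disabled"

@dataclass
class Outcome:
    event: bool       # does the system generate an intrusion event?
    dropped: bool     # is the packet actually dropped?
    table_shows: str  # what the intrusion event table view indicates

def rule_outcome(rule_state, deployment, drop_when_inline):
    """Outcome for one rule that a packet triggers.

    deployment is "inline", "tap" (inline interface in tap mode) or
    "passive"; tap mode is treated exactly like passive, as the guide states.
    """
    if rule_state == DISABLED:
        return Outcome(False, False, "none")
    if rule_state == GENERATE:
        return Outcome(True, False, "none")
    if rule_state != DROP_AND_GENERATE:
        raise ValueError(f"unknown rule state: {rule_state!r}")
    # Passive and tap-mode deployments never drop, and the table view always
    # shows that the drop rule would have dropped the packet, whatever the
    # Drop when Inline setting is.
    if deployment in ("passive", "tap"):
        return Outcome(True, False, "would have dropped")
    if deployment != "inline":
        raise ValueError(f"unknown deployment: {deployment!r}")
    if drop_when_inline:
        return Outcome(True, True, "dropped")
    return Outcome(True, False, "would have dropped")  # assessment mode

def check_policy(deployment, drop_when_inline, file_policy_blocks_malware_ftp):
    """Return warnings for a default-action intrusion policy; empty means OK."""
    warnings = []
    if deployment in ("passive", "tap"):
        warnings.append("passive/tap: drop rules only generate events, nothing is dropped")
    elif not drop_when_inline:
        warnings.append("Drop when Inline disabled: drop rules log but do not drop")
        if file_policy_blocks_malware_ftp:
            warnings.append("file policy Block Malware rules for FTP will log but not "
                            "block files; enable Drop when Inline on this policy")
    return warnings
```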