Cisco Cisco FirePOWER Appliance 7030
23-5
FireSIGHT System User Guide
Chapter 23 Using Layers in an Intrusion Policy
Understanding Intrusion Policy Layers
Step 3
Expand
Policy Layers
in the navigation panel and expand the policy layer you want to view or edit.
Step 4
Click
Rules
under the policy layer you want to view or edit.
The Rules page for the layer appears.
You can modify any of the settings in the
table.
To delete an individual setting from an editable layer, double-click the rule message on the Rules page
for the layer to display rule details. Click
for the layer to display rule details. Click
Delete
next to the setting you want to delete, then click
OK
twice.
Removing Multi-Layer Rule Settings
License:
Protection
You can select one or more rules on the intrusion policy view of the Rules page and then simultaneously
remove a specific type of event filter, dynamic state, or alerting from multiple layers in your policy.
remove a specific type of event filter, dynamic state, or alerting from multiple layers in your policy.
The system removes the setting type downward through each layer where it is set until it removes all the
settings or encounters a layer where a rule state is set for the rule. If it encounters a layer where a rule
state is set, it removes the setting from that layer and ignores all layers below it.
settings or encounters a layer where a rule state is set for the rule. If it encounters a layer where a rule
state is set, it removes the setting from that layer and ignores all layers below it.
When the system encounters the setting type in a shared layer or in the base policy, if the highest layer
in the policy is editable, the system copies the remaining settings and rule state for the rule to that
editable layer. Otherwise, if the highest layer in the policy is a shared layer, the system creates a new
editable layer above the shared layer and copies the remaining settings and rule state for the rule to that
editable layer.
in the policy is editable, the system copies the remaining settings and rule state for the rule to that
editable layer. Otherwise, if the highest layer in the policy is a shared layer, the system creates a new
editable layer above the shared layer and copies the remaining settings and rule state for the rule to that
editable layer.
Note
Removing rule settings from a shared layer or the base policy causes any changes to this rule from lower
layers or the base policy to be ignored. To stop ignoring changes from lower layers or the base policy,
set the rule state to
layers or the base policy to be ignored. To stop ignoring changes from lower layers or the base policy,
set the rule state to
Inherit
in the topmost layer. See
for more information.
To remove settings in multiple layers using the Rules page:
Access:
Admin/Intrusion Admin
Step 1
Select
Policies > Intrusion > Intrusion Policy
.
The Intrusion Policy page appears.
Step 2
Click the edit icon (
) next to the intrusion policy where you want to remove multiple settings.
If you have unsaved changes in another policy, click
OK
to discard those changes and continue. See
for information on saving unsaved changes in another
policy.
The Policy Information page appears.
Step 3
To access the intrusion policy Rules page, click
Rules
in the top of the navigation panel above the
dividing line.
Tip
You can also select
Policy
from the layer drop-down list on the Rules page for any layer, or select
Manage
Rules
on the Policy Information page.
The intrusion policy Rules page appears. By default, the page lists the rules alphabetically by message.