Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 30 Using Global Rule Thresholding

Configuring Global Thresholds

License: Protection

You can set a global threshold to manage the number of events generated by each rule over a period of time. When you set a global threshold, that threshold applies for each rule that does not have an overriding specific threshold. For more information on configuring thresholds, see

A global threshold is configured by default. The default values are as follows:
• Type — Limit
• Track By — Destination
• Count — 1
• Seconds — 60

To configure global thresholding:

Access: Admin/Intrusion Admin

Step 1 Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.

Step 2 Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See for information on saving unsaved changes in another policy.
The Policy Information page appears.

Step 3 Click Advanced Settings in the navigation panel on the left.
The Advanced Settings page appears.

Step 4 You have two choices, depending on whether Global Rule Thresholding under Intrusion Rule Thresholds is enabled:
• If the configuration is enabled, click Edit.
• If the configuration is disabled, click Enabled, then click Edit.

Table 30-2 Thresholding Instance/Time Options

Option     Description
Count      The number of event instances per specified time period per tracking IP address or address range required to meet the threshold.
Seconds    The number of seconds that elapse before the count resets. If you set the threshold type to Limit, the tracking to Source, Count to 10, and Seconds to 10, the system logs and displays the first 10 events that occur in 10 seconds from a given source port. If only seven events occur in the first 10 seconds, the system logs and displays those; if 40 events occur in the first 10 seconds, the system logs and displays 10, then begins counting again when the 10-second time period elapses.
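
The Limit behavior described in Table 30-2, together with the default global values (Limit, Destination, 1, 60), as an added simulation for a single rule's events; it is not Cisco's code and not part of the guide. The function names, the fixed-window handling (a window opens at a tracked address's first event and is replaced once the period elapses) and the sample addresses are assumptions made for this example.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts src dst")  # one rule's events only

def apply_limit(events, track_by="dst", count=1, seconds=60):
    """Return the events a Limit threshold would log and display.

    Defaults mirror the default global threshold on this page.
    Assumption: each tracked address gets a fixed window that opens at its
    first event and is replaced by a new one once `seconds` have elapsed.
    """
    windows = {}  # tracked address -> [window_start, events_seen]
    logged = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = ev.src if track_by == "src" else ev.dst
        win = windows.get(key)
        if win is None or ev.ts - win[0] >= seconds:
            win = windows[key] = [ev.ts, 0]   # period elapsed: count resets
        win[1] += 1
        if win[1] <= count:                   # only the first `count` are logged
            logged.append(ev)
    return logged

def burst(n, start, span, src, dst):
    """Constructed sample data: n events spread evenly over `span` seconds."""
    return [Event(start + i * span / n, src, dst) for i in range(n)]

# Constructed traffic using documentation address ranges.
SEVEN = burst(7, 0, 10, "192.0.2.10", "198.51.100.5")
FORTY = burst(40, 0, 10, "192.0.2.10", "198.51.100.5")
TWO_PERIODS = FORTY + burst(40, 10, 10, "192.0.2.10", "198.51.100.5")
# A second source triggering the same rule against the same destination.
MIXED = FORTY + burst(5, 0, 10, "192.0.2.77", "198.51.100.5")

if __name__ == "__main__":
    cases = [("7 events", SEVEN), ("40 events", FORTY),
             ("40 + 40 over two periods", TWO_PERIODS), ("two sources", MIXED)]
    for name, evs in cases:
        kept = apply_limit(evs, track_by="src", count=10, seconds=10)
        print(f"Limit/Source/10/10, {name}: {len(kept)} logged")
    kept = apply_limit(MIXED)  # default global threshold values
    print(f"defaults, two sources: {len(kept)} logged, "
          f"sources seen: {sorted({e.src for e in kept})}")
```

With the default values, the two-source case logs a single event for the shared destination, so the second source does not appear in that rule's events for the period; tracking by Source with a higher count keeps both visible.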