Cisco FirePOWER Appliance 8390
FireSIGHT System User Guide
Chapter 23 Using Layers in an Intrusion Policy
Understanding Intrusion Policy Layers
You can share any user-configurable layer with other intrusion policies. When you share a layer and then
edit a configuration within that layer, the system updates all policies that use the shared layer when you
commit your changes and provides you with a list of all affected policies. A shared layer can only be
modified in the policy where it is created.
The following figure shows an example master intrusion policy that serves as the source for site-specific
policies.
The master policy in the figure includes a company-wide layer with settings applicable to the intrusion
policies at Site A and Site B. It also includes site-specific layers for each policy. For example, Site A
might not have web servers on the monitored network and would not require the protection or processing
overhead of the HTTP Inspect preprocessor, but both sites would likely require TCP stream
preprocessing. You could enable TCP stream processing in the company-wide layer that you share with
both sites, disable the HTTP Inspect preprocessor in the site-specific layer that you share with Site A,
and enable the HTTP Inspect preprocessor in the site-specific layer that you share with Site B. By editing
settings in a higher layer in the site-specific policies, you could also further tune the policy for each site
if necessary with any setting adjustments.
It is unlikely that the flattened net settings in the example master policy would be useful for monitoring
traffic, but the time saved in configuring and updating the site-specific policies makes this a useful
application of policy layers.
Many other advanced layer configurations are possible. For example, you could define policy layers by
company, by department, by network, or even by user. You could also include preprocessor settings in
one layer, other advanced settings in a second layer, and rule settings in a third.
See the
table for instructions on configuring shared layers.
Tip
You cannot add a shared layer to an intrusion policy whose base policy is the custom policy where
the layer you want to share was created. When you attempt to save your changes, an error message
indicates that the policy includes a circular dependency. See
for more information.
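The layering described above (company-wide and site-specific shared layers, edits that propagate from the owning policy, and the circular-dependency restriction in the Tip) can be sketched as a small model. This is an added example, not Cisco code or a FireSIGHT API; the class names, the setting keys, and the treatment of a custom base policy as the lowest layer are assumptions made for illustration.

```python
# Conceptual model for illustration only; not FireSIGHT code or its API.
class Layer:
    def __init__(self, name, owner, settings):
        self.name, self.owner = name, owner   # owner: policy where it was created
        self.settings = dict(settings)

class Policy:
    def __init__(self, name, base=None):
        self.name, self.base = name, base     # base: custom base policy or None
        self.layers = []                      # lowest layer first

    def add_own_layer(self, name, settings):
        layer = Layer(name, self.name, settings)
        self.layers.append(layer)
        return layer

    def add_shared_layer(self, layer):
        # Tip: a layer created in this policy's own base policy cannot be shared in.
        if self.base is not None and layer.owner == self.base.name:
            raise ValueError("policy includes a circular dependency")
        self.layers.append(layer)

    def edit(self, layer, key, value, all_policies):
        # A shared layer can only be modified in the policy where it was created.
        if layer.owner != self.name:
            raise PermissionError("shared layer is read-only in this policy")
        layer.settings[key] = value
        # Every other policy holding the same layer object sees the change.
        return [p.name for p in all_policies if p is not self and layer in p.layers]

    def effective(self):
        # Flatten lowest to highest: a higher layer's value replaces a lower one.
        flat = dict(self.base.effective()) if self.base else {}
        for layer in self.layers:
            flat.update(layer.settings)
        return flat

def build_example():
    master = Policy("Master")
    company = master.add_own_layer("Company-wide", {"tcp_stream": True})
    for_a = master.add_own_layer("Site A", {"http_inspect": False})
    for_b = master.add_own_layer("Site B", {"http_inspect": True})
    site_a, site_b = Policy("Site A policy"), Policy("Site B policy")
    for policy, site_layer in ((site_a, for_a), (site_b, for_b)):
        policy.add_shared_layer(company)
        policy.add_shared_layer(site_layer)
    return master, site_a, site_b, company
```

Calling `effective()` on the master policy returns the Site B value for `http_inspect`, because that layer sits above the Site A layer there; this is the flattened master result the text describes as unlikely to be useful for monitoring.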
Using Rules in Layers
License: Protection
You can set the rule state, event filtering, dynamic state, alerting, and rule comments for a rule in any
user-configurable layer. After accessing the layer where you want to make your changes, you add
settings on the Rules page for the layer the same as you would on the intrusion policy Rules page. You
can view individual settings on the Rules page for the layer, or view the effective settings on the policy
view of the Rules page. When you modify rule settings on the policy view of the Rules page, you are
modifying the highest user-configurable layer in the policy. Note that you can switch to another layer at
any time using the layer drop-down list.
The following table describes the effects of configuring the same type of setting in multiple layers.