Cisco FirePOWER Appliance 8130
FireSIGHT System User Guide
Chapter 20: Configuring Intrusion Policies
An intrusion policy is a defined set of intrusion detection and prevention configurations. You can create
an intrusion policy using the settings in the default intrusion policies that Cisco provides, or you can
tailor your own policies to inspect the traffic that traverses your network. You can modify your intrusion
policy to improve performance in your environment and to provide a focused view of the traffic on your
network.
At a minimum, you consciously choose whether to configure the following settings:
• Specify whether you want to drop packets that trigger rules set to Drop and Generate Events in an
inline deployment. See for more information.
• Set variables to accurately reflect your home and external networks and, as appropriate, the servers
on your network. See for more information.
You should also consider whether to take advantage of the following capabilities, which can improve
performance and better focus your network:
• Disable rules that do not apply to your environment, verify that all rules that do apply to your
environment are enabled, and set rule attributes such as suppression, thresholding, and alerting. See
for more information.
• Associate hosts and applications on your network with rules written to protect those hosts and
applications and recommend rule state changes. See for more information.
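The following is an added example, not code from the Cisco guide: a small Python model of how the settings listed above interact when a packet matches a rule. The rule-state names and the drop-when-inline option follow this chapter; the policy data layout, the variable scoping, the threshold and suppression semantics, the rule SID and all addresses are constructed assumptions.

```python
# Added example, not from the Cisco guide: a model of how an intrusion policy's
# main settings interact. Rule-state names follow the chapter; the rest is assumed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

class IntrusionPolicy:
    def __init__(self, inline, drop_when_inline, variables, rules):
        self.inline = inline                    # inline vs passive deployment
        self.drop_when_inline = drop_when_inline
        self.variables = {k: ip_network(v) for k, v in variables.items()}
        self.rules = rules                      # sid -> {"state", "dst_var"}
        self.thresholds = {}                    # sid -> (max events, seconds)
        self.suppressions = defaultdict(set)    # sid -> suppressed source IPs
        self._events = defaultdict(list)        # (sid, src) -> event timestamps

    def verdict(self, sid, src, dst, ts):
        """Return (action, event_generated) for a packet matching rule sid."""
        rule = self.rules.get(sid)
        if rule is None or rule["state"] == "Disabled":
            return "pass", False
        # Variables scope the rule: it fires only for destinations in dst_var.
        if ip_address(dst) not in self.variables[rule["dst_var"]]:
            return "pass", False
        # Drop only if the rule says drop AND drop-when-inline is on AND inline.
        drops = (rule["state"] == "Drop and Generate Events"
                 and self.inline and self.drop_when_inline)
        action = "drop" if drops else "pass"
        # Assumed model: suppression silences events for that source, not the drop.
        if src in self.suppressions[sid]:
            return action, False
        # Assumed "limit" threshold: at most N events per window per source.
        if sid in self.thresholds:
            limit, window = self.thresholds[sid]
            recent = [t for t in self._events[(sid, src)] if ts - t < window]
            self._events[(sid, src)] = recent
            if len(recent) >= limit:
                return action, False
            recent.append(ts)
        return action, True

def demo(drop_when_inline=True):
    """Constructed scenario: one rule protecting HOME_NET, inline sensor."""
    p = IntrusionPolicy(True, drop_when_inline, {"HOME_NET": "10.0.0.0/8"},
                        {1000001: {"state": "Drop and Generate Events", "dst_var": "HOME_NET"}})
    p.thresholds[1000001] = (2, 60)          # at most 2 events per 60 s per source
    p.suppressions[1000001].add("10.1.1.9")  # noisy internal host: no events
    return [p.verdict(1000001, s, d, t) for s, d, t in
            [("203.0.113.5", "10.0.0.7", 0), ("203.0.113.5", "10.0.0.7", 10),
             ("203.0.113.5", "10.0.0.7", 20), ("10.1.1.9", "10.0.0.7", 30),
             ("203.0.113.5", "198.51.100.1", 40)]]
```

Calling `demo()` shows the third hit from the same source still dropped but no longer reported once the threshold is reached, while `demo(False)` shows the same rule generating events without dropping when drop-when-inline is off.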
See the following sections for more information:
• describes, at a high level, the process you use to create an intrusion policy.
• explains how to view a listing of your intrusion policies, and create and edit policies.
• explains how to set whether your policy drops offending packets for rules set to Drop and Generate
Events in an inline deployment.
• explains how to replace your base policy with a different default intrusion policy provided by Cisco or
a custom base policy that you create.
• explains how you can enable and disable rules and configure other rule attributes such as thresholds,
suppression, and so on.
• explains how you can generate rule state recommendations for intrusion rules based on the hosts and
applications on your network.