Cisco FirePOWER Appliance 8130
FireSIGHT System User Guide
Chapter 20 Configuring Intrusion Policies
Understanding the Base Policy
Allowing Rule Updates to Modify the Base Policy
License: Protection
Rule updates that you import provide new and updated intrusion rules and preprocessor rules, modified
states for existing rules, and modified default intrusion policy settings. Rule updates can also delete rules
and provide new rule categories and default variables. See
for more information.
Rule updates always modify the default policies provided by Cisco with any changes that a rule update
makes to rules and advanced settings. Changes to default variables and rule categories are handled at the
system level. See
for more information.
When you use a default policy provided by Cisco as your base policy, you can choose whether to allow
rule updates to modify your base policy.
If you allow rule updates to update your base policy, a new rule update makes the same changes in your
base policy that it makes to rules and advanced settings in the default policy that you use as your base
policy. If you have not modified the corresponding setting, the setting in your base policy determines the
setting in your policy. However, a new rule update will not override any changes you have made in your
policy.
If you do not allow rule updates to update your base policy, you can manually update your base policy
after importing one or more rule updates.
Note that rule updates always delete rules that VRT deletes, regardless of the rule state in your policy or
whether you allow rule updates to update your base policy. Until you reapply an access control policy
that includes your policy after a rule update deletes a rule, rules in your currently applied intrusion
policies will behave as follows:
• Disabled rules will remain disabled.
• Rules set to Generate Events will continue to generate events when triggered.
• Rules set to Drop and Generate Events will continue to generate events and drop offending packets when triggered.
Note also that, in a custom base policy, you do not have the option of allowing rule updates to modify
the base policy, because in this case the base policy is not a default policy provided by Cisco. However,
a rule update can modify the custom base policy when both of the following conditions are met:
• You allow rule updates to modify the base policy of the parent policy, that is, the policy that originated the custom base policy.
• You have not made changes in the parent policy that override the corresponding settings in the parent’s base policy.
When both conditions are met, changes in the rule update are passed to the child policy, that is, the policy
using the custom base policy, when you save the parent policy.
For example, if a rule update enables a previously disabled rule, and you have not modified the rule’s
state in the parent policy, the modified rule state will be passed to the custom base policy when you save the
parent policy. See
for more information.
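The inheritance behavior described in this section, as a simplified Python model added for illustration (not code from Cisco or the FireSIGHT System). The `Policy` class, the function names, the rule IDs, and the state strings are all constructed for this example, and the model covers saved policy settings only, not what a device enforces before an access control policy is reapplied.

```python
# Simplified model of the inheritance described above (not Cisco code).
OFF, GEN, DROP = "disabled", "generate_events", "drop_and_generate_events"

class Policy:
    def __init__(self, base, allow_updates=False):
        self.base = base                    # dict = Cisco default policy, Policy = parent (custom base)
        self.allow_updates = allow_updates  # only meaningful when base is a Cisco default
        self.overrides = {}                 # rule states you changed in this policy
        self.sync_base()
        self.save()

    def sync_base(self):
        """Manually update from a default base, or pick up the parent's saved states."""
        src = self.base.saved if isinstance(self.base, Policy) else self.base
        self.base_view = dict(src)

    def effective(self):
        return {**self.base_view, **self.overrides}   # your changes always win

    def save(self, children=()):
        self.saved = self.effective()
        for child in children:              # saving the parent passes changes to the child
            child.sync_base()
            child.save()

def import_rule_update(default, policies, changed, deleted):
    default.update(changed)                 # Cisco default policies are always modified
    for sid in deleted:
        default.pop(sid, None)
    for p in policies:
        if p.base is default and p.allow_updates:
            p.base_view.update(changed)
        for sid in deleted:                 # deletions ignore the flag and your overrides
            p.base_view.pop(sid, None)
            p.overrides.pop(sid, None)

def demo():
    default = {1001: OFF, 1002: GEN, 1003: DROP}      # constructed rule IDs and states
    auto, pinned = Policy(default, allow_updates=True), Policy(default)
    auto.overrides[1002] = OFF              # local change in the parent policy
    auto.save()
    child = Policy(auto)                    # uses `auto` as a custom base policy
    import_rule_update(default, [auto, pinned, child],
                       changed={1001: GEN, 1002: DROP}, deleted=[1003])
    before = child.effective()              # parent not saved yet: child unchanged
    auto.save(children=[child])
    return auto.effective(), pinned.effective(), before, child.effective()

if __name__ == "__main__":
    for view in demo():
        print(view)
```

Calling `pinned.sync_base()` afterwards corresponds to manually updating the base policy after the import.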
Selecting the Base Policy
License: Protection