Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 23 Using Layers in an Intrusion Policy
Understanding Intrusion Policy Layers
When the highest layer in your policy is a read-only layer, or a shared layer as described in
, the system automatically adds a user-configurable layer as the highest layer in your
intrusion policy if you do either of the following:
• modify a rule action (that is, a rule state, event filtering, dynamic state, or alerting) from the
intrusion policy Rules page. See
for more information.
• enable, disable, or modify an advanced setting. See
for more information.
All settings in the system-added layer are inherited except for the rule or advanced setting changes that
resulted in the new layer.
Note that in the case where the highest layer is a shared layer, the system adds a layer when you have set
the highest layer to be shared by other policies or you have added a shared layer to your policy.
When the system applies a policy to traffic, it flattens the layers; that is, it applies only one configuration
for each option. If you configure, for example, a rule state for the same rule within more than one layer
in an intrusion policy, the system applies the setting that is configured at the highest layer.
Note that regardless of whether you allow rule updates to modify your policy, changes in a rule update
never override changes you make in a layer. This is because changes in a rule update are made in the
base policy, which determines the defaults in your base policy layer; your changes are made in a higher
layer, so they override any changes that a rule update makes to your default policy. See
for more information.
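The flattening and rule-update behavior described above can be modeled in a few lines of Python. This is an added example, not FireSIGHT code or a Cisco API; the class names, rule identifiers and state strings are constructed for illustration.

```python
# Added illustration: a toy model of layer precedence, not FireSIGHT code.
# Layer names, rule IDs and state strings are constructed for the example.

class Layer:
    def __init__(self, name, settings=None, read_only=False, shared=False):
        self.name = name
        self.settings = dict(settings or {})  # only options set in this layer
        self.read_only = read_only
        self.shared = shared

class Policy:
    def __init__(self, layers):
        self.layers = list(layers)  # index 0 is the base policy layer

    def change_from_rules_page(self, option, value):
        """A user change lands in the highest layer; if that layer is
        read-only or shared, a new user-configurable layer is added first."""
        top = self.layers[-1]
        if top.read_only or top.shared:
            top = Layer("system-added layer")  # everything else is inherited
            self.layers.append(top)
        top.settings[option] = value

    def apply_rule_update(self, new_defaults):
        """Rule updates only change the defaults in the base policy layer."""
        self.layers[0].settings.update(new_defaults)

    def flatten(self):
        """Return option -> (value, supplying layer); the highest layer wins."""
        effective = {}
        for layer in self.layers:  # lowest to highest, so later layers overwrite
            for option, value in layer.settings.items():
                effective[option] = (value, layer.name)
        return effective

def demo():
    base = Layer("base policy", {"1:1000001": "disabled", "1:1000002": "generate events"})
    shared = Layer("shared layer", {"1:1000003": "generate events"}, shared=True)
    policy = Policy([base, shared])
    policy.change_from_rules_page("1:1000001", "drop and generate events")
    policy.apply_rule_update({"1:1000001": "generate events", "1:1000002": "disabled"})
    return policy, policy.flatten()

if __name__ == "__main__":
    for option, (value, source) in sorted(demo()[1].items()):
        print(f"{option}: {value}  (from {source})")
```

In the model, the rule update changes the effective state only for the rule that no higher layer sets; the rule changed from the Rules page keeps the user's value, and the shared layer itself is left unmodified.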
Tip
You can create an intrusion policy based solely on the default settings in the base policy and, optionally,
using rule state recommendations.
See the following sections for more information on using policy layers:
• provides an example intrusion policy that shows how you can share the
settings in a layer with other intrusion policies.
• explains how you can work with rules in an intrusion policy layer.
• explains how you can remove settings for event
filters, dynamic states, and alerting from multiple layers using the intrusion policy Rules page.
• explains how you can view and delete
rule attributes in layers.
• explains how you can work with advanced settings
in an intrusion policy layer.
Sharing Layers
License: Protection