Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Filtering Rules in an Intrusion Policy
The Rules page updates to display rules according to current rule state.
To use the Recommendation filter:
Access: Admin/Intrusion Admin
Step 1 Under Rule Configuration, click Recommendation.
Step 2 Select the FireSIGHT rule state recommendation to filter by.
The Rules page updates to display rules according to recommended rule state.
To use the Threshold filter:
Access: Admin/Intrusion Admin
Step 1 Under Rule Configuration, click Threshold.
Step 2 Select the threshold setting to filter by:
• To find rules with a threshold type of limit, select Limit, and click OK.
• To find rules with a threshold type of threshold, select Threshold, and click OK.
• To find rules with a threshold type of both, select Both, and click OK.
• To find rules with thresholds tracked by source, select Source, and click OK.
• To find rules with thresholds tracked by destination, select Destination, and click OK.
• To find any rule with a threshold set, select All, and click OK.
The Rules page updates to display rules where the type of threshold indicated in the filter has been applied to the rule.
To use the Suppression filter:
Access: Admin/Intrusion Admin
Step 1 Under Rule Configuration, click Suppression.
Step 2 Select the suppression setting to filter by:
• To find rules where events are suppressed for packets inspected by that rule, select Rule, and click OK.
• To find rules where events are suppressed based on the source of the traffic, select Source, and click OK.
• To find rules where events are suppressed based on the destination of the traffic, select Destination, and click OK.
• To find any rule with suppression set, select All, and click OK.
The Rules page updates to display rules where the type of suppression indicated in the filter has been applied to the rule.
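The Threshold and Suppression filter choices above, applied offline to a rule listing, as an added example (not code from this guide or from Cisco). It assumes thresholds and suppressions are written as Snort 2.x event_filter and suppress lines, treats a suppress line with no track clause as the Rule option, and uses constructed sample lines; the function names are hypothetical.

```python
import re

# Constructed sample lines in Snort 2.x syntax (an assumption), not from a real policy.
SAMPLE = """\
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
event_filter gen_id 1, sig_id 1000002, type threshold, track by_dst, count 10, seconds 60
event_filter gen_id 1, sig_id 1000003, type both, track by_src, count 5, seconds 30
suppress gen_id 1, sig_id 1000004
suppress gen_id 1, sig_id 1000005, track by_src, ip 192.0.2.10
suppress gen_id 1, sig_id 1000006, track by_dst, ip 198.51.100.0/24
"""

# Snort track keyword -> label used by the filters on the Rules page.
TRACK = {"by_src": "Source", "by_dst": "Destination"}

def parse(text):
    """Return one dict per event_filter/suppress line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(event_filter|suppress)\s+(.*)", line)
        if not m:
            continue
        fields = {}
        for part in m.group(2).split(","):
            kv = part.split(None, 1)          # "sig_id 1000001" -> key, value
            if len(kv) == 2:
                fields[kv[0]] = kv[1].strip()
        entries.append({"kind": m.group(1),
                        "rule": "%s:%s" % (fields.get("gen_id"), fields.get("sig_id")),
                        "type": fields.get("type", ""),
                        "track": fields.get("track")})
    return entries

def threshold_filter(entries, choice):
    """choice is Limit, Threshold, Both, Source, Destination or All."""
    return [e["rule"] for e in entries
            if e["kind"] == "event_filter"
            and (choice == "All" or e["type"].capitalize() == choice
                 or TRACK.get(e["track"]) == choice)]

def suppression_filter(entries, choice):
    """choice is Rule, Source, Destination or All; no track clause means Rule."""
    return [e["rule"] for e in entries
            if e["kind"] == "suppress"
            and choice in ("All", TRACK.get(e["track"], "Rule"))]

if __name__ == "__main__":
    rules = parse(SAMPLE)
    print("Suppressed for the whole rule:", suppression_filter(rules, "Rule"))
    print("Thresholds tracked by source:", threshold_filter(rules, "Source"))
```

Rules returned by the Rule suppression choice generate no events at all, so that list is the one to review first when auditing detection coverage.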