Cisco FirePOWER Appliance 7020
5-29
FireSIGHT System User Guide
Chapter 5 Managing Reusable Objects
Working with Variable Sets
• Excluded values must resolve to a subset of included values. For example, you cannot include the address block 192.168.5.0/24 and exclude 192.168.6.0/24. An error message warns you and identifies the offending variable, and you cannot save your variable set when you exclude a value outside the range of included values.
For information on adding and editing network variables, see .
Working with Port Variables
License: Protection
Port variables represent TCP and UDP ports you can use in the Source Port and Destination Port header fields in intrusion rules that you enable in an intrusion policy. Port variables differ from port objects and port object groups in that port variables are specific to intrusion rules. You can create port objects for protocols other than TCP and UDP, and you can use port objects in various places in the system’s web interface, including port variables, access control policies, network discovery rules, and event searches. See for more information.
You can use port variables in the intrusion rule Source Port and Destination Port header fields to restrict packet inspection to packets originating from or destined for specific TCP or UDP ports.
When you use variables in these fields, the variable set you link to the intrusion policy associated with an access control rule or policy determines the values for these variables in the network traffic where you apply the access control policy.
You can add any combination of the following port configurations to a variable:
• any combination of port variables and port objects that you select from the list of available ports
Note that the list of available ports does not display port object groups, and you cannot add these to variables. See for information on creating port objects using the object manager.
• individual port objects that you add from the New Variable or Edit Variable page, and can then add to your variable and to other existing and future variables
Only TCP and UDP ports, including the value any for either type, are valid variable values. If you use the New Variable or Edit Variable page to add a valid port object that is not a valid variable value, the object is added to the system but is not displayed in the list of available objects. When you use the object manager to edit a port object that is used in a variable, you can only change its value to a valid variable value.
• single, literal port values and port ranges
You must separate port ranges with a dash (-). Port ranges indicated with a colon (:) are supported for backward compatibility, but you cannot use a colon in port variables that you create.
You can list multiple literal port values and ranges by adding each individually in any combination.
Note the following points when adding or editing port variables:
• The default value for included ports in any variable you add is the word any, which indicates any port or port range. The default value for excluded ports is none, which indicates no ports.
Tip
To create a variable with the value any, name and save the variable without adding a specific value.
• You cannot logically exclude the value any, which, if excluded, would indicate no ports. For example, you cannot save a variable set when you add a variable with the value any to the list of excluded ports.
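The following Python script is an added example, not code from the FireSIGHT System or from Cisco. It reconstructs the rules stated in this section as an offline checker, covering both the network-variable rule at the top of this page (excluded values must be a subset of included values) and the port-variable rules above (dash-separated ranges, colon accepted only for legacy values, any never excluded), so a definition can be vetted before it is typed into the web interface. The function names, the VariableError type and the sample definitions are this example's own assumptions; it models any for ports only, and it is not the product's parser.

```python
# Added example (not Cisco's code): offline checker for the documented
# variable rules. Function names, VariableError and the sample definitions
# are this example's own; it models the rules, not the product's parser.
import ipaddress
import re

# A single port or a range; group 2 captures the separator so the legacy
# colon form can be told apart from the dash form the guide requires.
PORT_VALUE_RE = re.compile(r"^(\d{1,5})(?:([-:])(\d{1,5}))?$")
ALL_PORTS = frozenset(range(0, 65536))


class VariableError(ValueError):
    """Raised with a message that names the offending value."""


def parse_port_value(value, allow_colon=False):
    """Return the set of ports a literal value covers, or None for ``any``."""
    text = value.strip().lower()
    if text == "any":
        return None
    match = PORT_VALUE_RE.match(text)
    if not match:
        raise VariableError(f"{value!r} is not a TCP/UDP port or port range")
    if match.group(2) == ":" and not allow_colon:
        raise VariableError(f"{value!r} uses a colon; separate port ranges with a dash")
    low = int(match.group(1))
    high = int(match.group(3)) if match.group(3) is not None else low
    if not 0 <= low <= high <= 65535:
        raise VariableError(f"{value!r} is not a valid port range (0-65535, low-high)")
    return set(range(low, high + 1))


def validate_port_variable(included=(), excluded=(), allow_colon=False):
    """Validate a port variable and return its effective ports as a frozenset.

    Defaults follow the guide: no included value means ``any``, no excluded
    value means none. ``any`` can never be excluded, and each excluded value
    must already lie inside the included values.
    """
    inc, inc_any = set(), not included
    for value in included:
        ports = parse_port_value(value, allow_colon)
        if ports is None:
            inc_any = True
        else:
            inc |= ports
    if inc_any:
        inc = set(ALL_PORTS)
    exc = set()
    for value in excluded:
        ports = parse_port_value(value, allow_colon)
        if ports is None:
            raise VariableError("cannot exclude 'any': the variable would match no ports")
        if not ports <= inc:
            raise VariableError(f"excluded value {value!r} is outside the included values")
        exc |= ports
    return frozenset(inc - exc)


def validate_network_variable(included, excluded=()):
    """Validate a network variable; return the included blocks with exclusions carved out."""
    inc = [ipaddress.ip_network(v, strict=False) for v in included]
    exc = [ipaddress.ip_network(v, strict=False) for v in excluded]
    if not inc:
        raise VariableError("a network variable needs at least one included value")
    for block in exc:   # e.g. 192.168.6.0/24 is not inside 192.168.5.0/24
        if not any(block.version == i.version and block.subnet_of(i) for i in inc):
            raise VariableError(f"excluded value {block} is outside the included values")
    remaining = inc
    for block in exc:
        carved = []
        for net in remaining:
            if net.version != block.version:
                carved.append(net)
            elif net.subnet_of(block):
                continue                      # wholly excluded
            elif block.subnet_of(net):
                carved.extend(net.address_exclude(block))
            else:
                carved.append(net)
        remaining = carved
    return [str(n) for n in sorted(remaining, key=lambda n: (n.version, n))]


def lint(validator, *args, **kwargs):
    """Run a validator; return its error message, or None when the definition is valid."""
    try:
        validator(*args, **kwargs)
    except VariableError as err:
        return str(err)
    return None


if __name__ == "__main__":   # constructed definitions, including the guide's bad example
    print(lint(validate_network_variable, ["192.168.5.0/24"], ["192.168.6.0/24"]))
    print(validate_network_variable(["192.168.5.0/24"], ["192.168.5.128/25"]))
    print(lint(validate_port_variable, ["any"], ["any"]))
    print(len(validate_port_variable(["80", "8000-8080"], ["8080"])))
```

Run it directly to see the guide's 192.168.5.0/24 versus 192.168.6.0/24 case rejected with the offending value named, a valid /25 exclusion carved out of its /24, and the excluded-any case refused; lint returns None for any definition the web interface would accept under these rules.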