Cisco FirePOWER Appliance 7020
5-28
FireSIGHT System User Guide
Chapter 5 Managing Reusable Objects
Working with Variable Sets
• dynamic rule states
The Network field in source or destination dynamic rule states allows you to detect when too many matches for an intrusion rule or preprocessor rule occur in a given time period. See .
• adaptive profiles
The adaptive profiles Networks field identifies hosts in the network map where you want to improve reassembly of packet fragments and TCP streams in passive deployments. See .
Note
You should enable adaptive profiles only in an intrusion policy associated with the default action of an access control policy.
When you use variables in the fields identified in this section, the variable set you link to an intrusion policy determines the variable values in the network traffic handled by an access control policy that uses the intrusion policy.
You can add any combination of the following network configurations to a variable:
• any combination of network variables, network objects, and network object groups that you select from the list of available networks
See for information on creating individual and group network objects using the object manager.
• individual network objects that you add from the New Variable or Edit Variable page, and can then add to your variable and to other existing and future variables
• literal, single IP addresses or address blocks
You can list multiple literal IP addresses and address blocks by adding each individually. You can list IPv4 and IPv6 addresses and address blocks alone or in any combination. When specifying IPv6 addresses, you can use any addressing convention defined in RFC 4291.
The default value for included networks in any variable you add is the word any, which indicates any IPv4 or IPv6 address. The default value for excluded networks is none, which indicates no network. You can also specify the address :: in a literal value to indicate any IPv6 address in the list of included networks, or no IPv6 addresses in the list of exclusions.
Adding networks to the excluded list negates the specified addresses and address blocks. That is, you can match any IP address with the exception of the excluded IP address or address blocks. For example, excluding the literal address 192.168.1.1 specifies any IP address other than 192.168.1.1, and excluding 2001:db8:ca2e::fa4c specifies any IP address other than 2001:db8:ca2e::fa4c.
You can exclude any combination of networks using literal or available networks. For example, excluding the literal values 192.168.1.1 and 192.168.1.5 includes any IP address other than 192.168.1.1 or 192.168.1.5. That is, the system interprets this as “not 192.168.1.1 and not 192.168.1.5,” which matches any IP address other than those listed between brackets.
Note the following points when adding or editing network variables:
• You cannot logically exclude the value any, which, if excluded, would indicate no address. For example, you cannot add a variable with the value any to the list of excluded networks.
• Network variables identify traffic for the specified intrusion rule and intrusion policy features. Note that preprocessor rules can trigger events regardless of the hosts defined by network variables used in intrusion rules.
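The include/exclude semantics described above (the any default, :: for IPv6, exclusion as "not A and not B", and the rule that any cannot be excluded) can be checked offline with the following added example. This is illustration code written for this page, not FireSIGHT's own implementation; the NetworkVariable class and its method names are constructed here, and it models the rules as the text states them.

```python
import ipaddress
from typing import Iterable, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_literal(value: str) -> Net:
    """Parse one literal entry: a single address or a CIDR block, IPv4 or IPv6."""
    return ipaddress.ip_network(value, strict=False)


class NetworkVariable:
    """Hypothetical model of a network variable: included networks minus excluded ones.

    Defaults follow the text: included is 'any', excluded is empty (none).
    """

    def __init__(self, included: Iterable[str] = ("any",), excluded: Iterable[str] = ()):
        self.included = list(included)
        self.excluded = list(excluded)
        # 'any' (every IPv4/IPv6 address) may not be excluded: nothing would remain
        if any(e.lower() == "any" for e in self.excluded):
            raise ValueError("'any' cannot be placed in the excluded networks list")

    @staticmethod
    def _matches(entries: Iterable[str], addr) -> bool:
        for entry in entries:
            if entry.lower() == "any":  # any IPv4 or IPv6 address
                return True
            if entry == "::":  # special literal: any IPv6 address
                if addr.version == 6:
                    return True
                continue
            net = parse_literal(entry)
            if addr.version == net.version and addr in net:
                return True
        return False

    def matches(self, ip: str) -> bool:
        """True if ip is in the included set and not negated by any excluded entry."""
        addr = ipaddress.ip_address(ip)
        return self._matches(self.included, addr) and not self._matches(self.excluded, addr)


if __name__ == "__main__":
    # Constructed sample: exclude the two literals from the text, keep everything else
    var = NetworkVariable(excluded=["192.168.1.1", "192.168.1.5"])
    for sample in ("192.168.1.1", "192.168.1.2", "2001:db8:ca2e::fa4c"):
        print(sample, "->", var.matches(sample))
```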