Note
This book primarily uses Secure Firewall software version 7.0 in its screenshots; the only exception is Figure 15-24, which was captured using version 7.1. We made this exception because the rule recommendations feature in the Snort 3 version of the intrusion policy was introduced in software version 7.1. To see the difference, compare Figure 15-24 (captured using version 7.1) with Figure 15-26 (captured using version 7.0), and notice that the Recommendations button is missing in Figure 15-26. On software version 7.0, you can still use the rule recommendations feature through the Snort 2 version of the intrusion policy editor, as shown in Figure 15-25.
Figure 15-25 Rule Recommendations Setup—Based on the Snort 2 Intrusion Policy Editor
Figure 15-26 Enabling a Snort Rule on the Snort 3 Version of the Intrusion Policy Editor
Step 2. Select the desired Security Level and the Protected Networks. The number of recommended rules can substantially differ based on your selections for these two options. A higher security level and broader protected networks generate more recommendations.
Step 3. Finally, select the Generate and Apply button to incorporate the rule recommendations into your intrusion policy.
If you selected Snort 2 Version, perform the following tasks in the intrusion policy editor:
Step 1. On the intrusion policy editor page, select Firepower Recommendations on the left panel. The Firepower Recommended Rules Configuration page appears (see Figure 15-25).
Step 2. In the Networks to Examine field, enter the internal networks that you want to protect with the intrusion policy. Optionally, you can set Recommendation Threshold (by Rule Overhead) to Medium so that the intrusion rules with higher processing overhead are not included in the recommended ruleset. Note that the number of recommended rules can substantially differ based on your selections for these two options.
Step 3. Click the Generate and Use Recommendations button to generate rule recommendations and incorporate them into the intrusion policy. If recommendations were generated before, you will see different buttons, such as Update Recommendations and Do Not Use Recommendations.
Step 4. Finally, go to the Policy Information page and make sure to save the changes by clicking the Commit Changes button.