You can use intrusion rule recommendations to target vulnerabilities associated with the host assets detected in the network,
for example operating systems, servers, and client application protocols. This allows you to tailor your intrusion policy
to the specific needs of your monitored network.
The system makes an individual set of recommendations for each intrusion policy. It typically recommends rule state changes
for standard text rules and shared object rules. However, it can also recommend changes for inspector and decoder rules.
When you generate rule state recommendations, you can use the default settings or configure advanced settings. Advanced settings
allow you to:
- Redefine which hosts on your network the system monitors for vulnerabilities
- Influence which rules the system recommends based on rule overhead
- Specify whether to generate recommendations to disable rules
You can also choose to use the recommendations immediately or review the recommendations (and affected rules) before accepting
them.
Choosing to use recommended rule states adds a read-only Secure Firewall Recommendations layer to your intrusion policy,
and subsequently choosing not to use recommended rule states removes the layer.
You can schedule a task to generate recommendations automatically based on the most recently saved configuration settings
in your intrusion policy.
The system does not change rule states that you set manually:
- Manually setting the states of specified rules before you generate recommendations prevents the system from modifying the states of those rules in the future.
- Manually setting the states of specified rules after you generate recommendations overrides the recommended states of those rules.
Tip: The intrusion policy report can include a list of rules with rule states that differ from the recommended state.
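The precedence described above (manual state, then the recommendations layer, then the base policy) and the report of rules that differ from the recommended state can be sketched as a small model. This is an added example, not Cisco code or a product API; the class, the rule IDs, the state names, and the sample recommendations are all constructed assumptions.

```python
# Conceptual model of the layering described above; not Cisco code or a product API.
# Rule IDs and state names are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class PolicyModel:
    base: dict                                        # rule -> state from the base policy
    manual: dict = field(default_factory=dict)        # states set by hand (always win)
    recommended: dict = field(default_factory=dict)   # last generated recommendations
    layer_in_use: bool = False                        # read-only recommendations layer

    def generate(self, recs, recommend_disable=False):
        """Store new recommendations; drop 'disabled' ones unless that option is on."""
        self.recommended = {r: s for r, s in recs.items()
                            if recommend_disable or s != "disabled"}

    def effective(self, rule):
        """Manual state first, then the recommendations layer, then the base policy."""
        if rule in self.manual:
            return self.manual[rule]
        if self.layer_in_use and rule in self.recommended:
            return self.recommended[rule]
        return self.base[rule]

    def differs_from_recommended(self):
        """Rules whose effective state is not the recommended one (report view)."""
        return sorted(r for r, s in self.recommended.items() if self.effective(r) != s)

def build_sample():
    policy = PolicyModel(base={"1:1000001": "disabled", "1:1000002": "generate_events",
                               "1:1000003": "generate_events", "1:1000004": "disabled"})
    policy.manual["1:1000002"] = "drop_and_generate"   # set before generation
    policy.generate({"1:1000001": "generate_events", "1:1000002": "disabled",
                     "1:1000003": "disabled", "1:1000004": "generate_events"})
    policy.layer_in_use = True                         # choose to use recommendations
    policy.manual["1:1000004"] = "disabled"            # set after generation
    return policy

if __name__ == "__main__":
    p = build_sample()
    for rule in sorted(p.base):
        print(rule, p.effective(rule), "| recommended:", p.recommended.get(rule, "-"))
    print("differs from recommended:", p.differs_from_recommended())
```

Setting `layer_in_use` back to `False` models removing the layer: rules without a manual state fall back to the base policy.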
While displaying the recommendation-filtered Rules page, or after accessing the Rules page directly from the navigation panel
or the Policy Information page, you can manually set rule states, sort rules, and take any of the other actions available
on the Rules page, such as suppressing rules, setting rule thresholds, and so on.
Note: The Cisco Talos Intelligence Group (Talos) determines the appropriate state of each rule in the system-provided policies.
If you use a system-provided policy as your base policy, and you allow the system to set your rules to the Secure Firewall recommended rule state, the rules in your intrusion policy match the settings recommended for your network assets.