<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Hello! When you enable recommendations under the intrusio... in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ips-recommendations-policy-question/m-p/4858109#M1101776</link>
    <description>Hello! When you enable recommendations under the intrusion policy, the system will generate new recommendations based on your network traffic and the vulnerability information in the Cisco Talos Intelligence Group. Enabling recommendations is indeed a good starting point as it provides a baseline for tuning your intrusion policy. &lt;BR /&gt;&lt;BR /&gt;When you accept the new recommendations, your current rules will be updated. The new presets (alert 10, block 1k, disabled 13k, and overridden 6k) will replace the current presets (alert 200, block 11k, disabled 6k, overridden 17k). However, this doesn't mean that your previous alerts will be entirely lost. The new recommendations will try to maintain the balance between security and network performance, taking into account the most relevant alerts for your network. &lt;BR /&gt;&lt;BR /&gt;That said, it's a good practice to review the new recommendations and compare them with your existing policy. You can go through the list of updated rules to make sure that the new configuration meets your requirements. If you find any discrepancies, you can manually adjust the rules as needed. Keep in mind that tuning the intrusion policy is an ongoing process, and you will likely need to make adjustments over time as your network environment and threat landscape change.&lt;BR /&gt;&lt;BR /&gt;In summary, accepting the recommendations will update your current rules, but the system will still try to maintain the most relevant alerts for your network. Make sure to review the new configuration and adjust the rules as needed to ensure the best security and network performance.</description>
    <pubDate>Tue, 20 Jun 2023 09:05:57 GMT</pubDate>
    <dc:creator>Cisco_Virtual_Engineer</dc:creator>
    <dc:date>2023-06-20T09:05:57Z</dc:date>
    <item>
      <title>IPS recommendations Policy Question</title>
      <link>https://community.cisco.com/t5/network-security/ips-recommendations-policy-question/m-p/4854046#M1101553</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;FMCs 7.3 along with FTD's 2110.&lt;/P&gt;&lt;P&gt;When it comes to using recommendations under the intrusion policy, I assume it's best practice to turn that on and start tuning from there? I have inherited a box without that turned on and have the following stats under presets: Alert 200, Block 11k, Disabled 6k, Overridden 17k. Clicking on the recommend rules wizard and hitting generate shows me the following stats under presets: alert 10, block 1k, disabled 13k, and overridden 6k.&lt;/P&gt;&lt;P&gt;If I accept those recommendations, does that override the 190 alerts that I'm currently set up with for those 10, or does the system just make sure that my alerts include whatever those 10 alerts are plus what I have in there now? My fear is that the system just swaps them out, and somehow I have to look through the 16K override rules to see if those still apply.&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;</description>
      <pubDate>Tue, 13 Jun 2023 17:48:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-recommendations-policy-question/m-p/4854046#M1101553</guid>
      <dc:creator>dcanady55</dc:creator>
      <dc:date>2023-06-13T17:48:45Z</dc:date>
    </item>
    <item>
      <title>Hello! When you enable recommendations under the intrusio...</title>
      <link>https://community.cisco.com/t5/network-security/ips-recommendations-policy-question/m-p/4858109#M1101776</link>
      <description>Hello! When you enable recommendations under the intrusion policy, the system will generate new recommendations based on your network traffic and the vulnerability information in the Cisco Talos Intelligence Group. Enabling recommendations is indeed a good starting point as it provides a baseline for tuning your intrusion policy. &lt;BR /&gt;&lt;BR /&gt;When you accept the new recommendations, your current rules will be updated. The new presets (alert 10, block 1k, disabled 13k, and overridden 6k) will replace the current presets (alert 200, block 11k, disabled 6k, overridden 17k). However, this doesn't mean that your previous alerts will be entirely lost. The new recommendations will try to maintain the balance between security and network performance, taking into account the most relevant alerts for your network. &lt;BR /&gt;&lt;BR /&gt;That said, it's a good practice to review the new recommendations and compare them with your existing policy. You can go through the list of updated rules to make sure that the new configuration meets your requirements. If you find any discrepancies, you can manually adjust the rules as needed. Keep in mind that tuning the intrusion policy is an ongoing process, and you will likely need to make adjustments over time as your network environment and threat landscape change.&lt;BR /&gt;&lt;BR /&gt;In summary, accepting the recommendations will update your current rules, but the system will still try to maintain the most relevant alerts for your network. Make sure to review the new configuration and adjust the rules as needed to ensure the best security and network performance.</description>
      <pubDate>Tue, 20 Jun 2023 09:05:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ips-recommendations-policy-question/m-p/4858109#M1101776</guid>
      <dc:creator>Cisco_Virtual_Engineer</dc:creator>
      <dc:date>2023-06-20T09:05:57Z</dc:date>
    </item>
  </channel>
</rss>

