04-17-2018 03:27 AM - edited 02-21-2020 07:38 AM
Hi All,
I'm in the process of configuring an FMC intrusion policy for all of my remote sites and I have a couple of questions regarding recommendations that I can't find a solid answer to.
I have a single intrusion policy and I have enabled it to use a Base Policy of 'Balanced Security & Connectivity' and to use recommendations. I have also created a schedule to automatically update the recommendations on a weekly basis, however, I'm not sure if I then need to manually commit the changes under the intrusion policy and then apply to the sensors or if all of this is done/can be done automatically as well?
Many thanks
04-17-2018 04:05 AM
Hi Will,
You don't need to. Once the automatic update installs the new SRU (rules) update on FMC, the policy would show out of date. You can simply deploy the policy which will include the new updates.
You can also use the option to deploy the policy automatically once the new updates are installed as well under system>updates>rules update.
Hope this helps,
yogesh
04-17-2018 06:01 AM
Hi Yogesh,
Thanks for the response.
So how do you see customers typically configuring this? For example, do they create a scheduled task to update the Firepower recommended rules daily at 01:00 AM, and then configure the rule updates to deploy the updated policies daily at 01:30?
Thanks
04-17-2018 06:06 AM
Hi
Usually users configure the schedule task to do the rule update.
Once the rule update is done, manually deploy the policies again. Anyways the rule updates come once a week. You can probably manually deploy the policy every Thursday or create a schedule task to deploy the policy every Thursday.
Hope it helps,
Yogesh
04-25-2018 01:25 PM
yogdhanu, are we confusing Recurring Rule Update Imports (SRU) with Firepower Recommended Rules? Your answer seems to talk about Recurring Rule Update Imports (SRU), and I want to be clear.
I believe the OP was asking about automating Firepower Recommended Rules. Normally when editing Intrusion Policies, you have to Commit, but in the Scheduler Task there is no mention of Commit. It actually throws an error for me when I try to do this (Failure: Can't call method "shared" on an undefined value) (TAC case opened).
Recurring Rule Update Imports (SRU): System -> Updates -> Rule Updates -> Recurring Rule Update Imports
Firepower Recommended Rules: Policies -> Access Control -> Intrusion -> Edit -> Policy Information -> Firepower Recommendations -> Update Recommendations.
Scheduling of Firepower Recommended Rules: System -> Tools -> Scheduling -> Add Task -> Job Type -> Firepower Recommended Rules
04-26-2018 10:29 PM
Hi Matt,
I was indeed talking about recurring rule updates from Cisco.
11-07-2018 05:55 AM