cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5153
Views
15
Helpful
6
Replies

Firepower Intrusion Policy Recommendations

de1denta
Level 3
Level 3

Hi All,

 

I'm in the process of configuring an FMC intrusion policy for all of my remote sites and I have a couple of questions regarding recommendations that I cant find a solid answer to.

 

I have a single intrusion policy and I have enabled it to use a Base Policy of 'Balanced Security & Connectivity' and to use recommendations. I have also created a schedule to automatically update the recommendations on a weekly basis, however, I'm not sure if I then need to manually commit the changes under the intrusion policy and then apply to the sensors or if all of this is done/can be done automatically as well? 

 

Many thanks

1 Accepted Solution

Accepted Solutions

yogdhanu
Cisco Employee
Cisco Employee

Hi Will,

 

You don't need to. Once the automatic update installs the new SRU( rules) update on FMC, the policy would show out of date. You can simply deploy the policy which will include the new updates.

You can also use the option to deploy the policy automatically once the new updates are installed as well under system>updates>rules update.

 

Hope this helps,

yogesh

View solution in original post

6 Replies 6

yogdhanu
Cisco Employee
Cisco Employee

Hi Will,

 

You don't need to. Once the automatic update installs the new SRU( rules) update on FMC, the policy would show out of date. You can simply deploy the policy which will include the new updates.

You can also use the option to deploy the policy automatically once the new updates are installed as well under system>updates>rules update.

 

Hope this helps,

yogesh

Hi Yogesh,

 

Thanks for the response.

 

So how do you see customers typically configuring this? For example, do they create a scheduled task to update the Firepower recommended rules daily at 01:00 AM, and then configure the rule updates to deploy the updated polices daily at 01:30

 

Thanks

Hi

 

Usually users configure the schedule task to do the rule update.

Once the rule update is done, manually deploy the policies again. Anyways the rule updates come once a week. You can probably manually deploy the policy every Thursday or create a schedule task to deploy the policy every Thursday.

 

Hope it helps,

Yogesh

 

yogdhanu, are we confusing Recurring Rule Update Imports (SRU) with Firepower Recommended Rules?  Your answer seems to talk about Recurring Rule Update Imports (SRU), and I want to be clear.

 

I believe the OP was asking about automating Firepower Recommended Rules. Normally when editing Intrusion Policies, you have to Commit, but in the Scheduler Task there is no mention of Commit. It actually throws an error for me when I try to do this (Failure: Can't call method "shared" on an undefined value) (TAC case opened).

 

 

Recurring Rule Update Imports (SRU): System -> Updates -> Rule Updates -> Recurring Rule Update Imports

 

Firepower Recommended Rules: Policies -> Access Control -> Intrusion -> Edit ->  Policy Information -> Firepower Recommendations -> Update Recommendations.

 

Scheduling of Firepower Recommended Rules: System -> Tools -> Scheduling -> Add Task -> Job Type -> Firepower Recommended Rules

 

 

Hi Matt,

 

I was indeed talking about recurring rule updates from Cisco.

 

is there any workarround to not clicking commit changes on the Intrusion prevention policy after recuring ?
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: