IPS recommendations Policy Question

dcanady55
Level 1

Hello,

FMCs 7.3 along with FTDs 2110.

When it comes to using recommendations under the intrusion policy, I assume it's best practice to turn that on and start tuning from there? I have inherited a box without that turned on and have the following stats under presets: Alert 200, Block 11k, Disabled 6k, Overridden 17k. Clicking on the recommend rules wizard and hitting generate shows me the following stats under presets: alert 10, block 1k, disabled 13k, and overridden 6k.

If I accept those recommendations, does that override the 190 alerts that I'm currently set up with for those 10, or does the system just make sure that my alerts include whatever those 10 alerts are plus what I have in there now? My fear is that the system just swaps them out, and somehow I have to look through the 16K override rules to see if those still apply.

Thanks,

Accepted Solution

Hello! When you enable recommendations under the intrusion policy, the system will generate new recommendations based on your network traffic and the vulnerability information in the Cisco Talos Intelligence Group. Enabling recommendations is indeed a good starting point as it provides a baseline for tuning your intrusion policy.

When you accept the new recommendations, your current rules will be updated. The new presets (alert 10, block 1k, disabled 13k, and overridden 6k) will replace the current presets (alert 200, block 11k, disabled 6k, overridden 17k). However, this doesn't mean that your previous alerts will be entirely lost. The new recommendations will try to maintain the balance between security and network performance, taking into account the most relevant alerts for your network.

That said, it's a good practice to review the new recommendations and compare them with your existing policy. You can go through the list of updated rules to make sure that the new configuration meets your requirements. If you find any discrepancies, you can manually adjust the rules as needed. Keep in mind that tuning the intrusion policy is an ongoing process, and you will likely need to make adjustments over time as your network environment and threat landscape change.

In summary, accepting the recommendations will update your current rules, but the system will still try to maintain the most relevant alerts for your network. Make sure to review the new configuration and adjust the rules as needed to ensure the best security and network performance.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
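The practical worry in the question is whether accepting the recommendations silently moves rules out of the alert state, and the answer above says to review the two configurations against each other. As an added example (not part of this thread and not Cisco's code), the Python script below does that review mechanically: it takes the per-rule state of the current intrusion policy and the state the recommendation wizard proposes, and reports which rules would change state, which currently-alerting rules would stop alerting, and the resulting preset counts. The `GID:SID,state` line format and the sample data are constructed for this example; how you obtain the two rule lists from FMC is outside its scope. It also assumes that a rule the recommendation does not mention keeps its current state, which is an assumption of the script, not a documented FMC guarantee.

```python
"""Diff two Snort rule-state inventories: current policy vs. recommendation.

Added example, not Cisco's code and not from the original thread. Input is
assumed to be lines of 'GID:SID,state' (constructed format); the sample
data below is constructed for illustration only.
"""
from collections import Counter

STATES = ("alert", "block", "disabled")

# Constructed sample: what the policy does today.
CURRENT = """\
1:2001,alert
1:2002,alert
1:2003,block
1:2004,disabled
1:2005,alert
1:2006,block
"""

# Constructed sample: what the recommendation wizard proposes.
RECOMMENDED = """\
1:2001,alert
1:2002,disabled
1:2003,block
1:2004,alert
1:2005,disabled
1:2007,block
"""


def parse_states(text):
    """Parse 'GID:SID,state' lines into {rule: state}; blank and # lines are skipped."""
    states = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule, state = (part.strip() for part in line.split(",", 1))
        state = state.lower()
        if state not in STATES:
            raise ValueError(f"unknown state {state!r} for rule {rule}")
        states[rule] = state
    return states


def preset_counts(states):
    """Count rules per state, the same figures the FMC presets summary shows."""
    return dict(Counter(states.values()))


def diff_states(current, recommended):
    """Group rules whose state would change, keyed by (current_state, new_state).

    Assumption: a rule the recommendation does not mention keeps its current
    state, so it is returned in `untouched` rather than counted as a change.
    A rule that is recommended but not in the current export is treated as
    currently disabled.
    """
    changes = {}
    for rule, new_state in sorted(recommended.items()):
        old_state = current.get(rule, "disabled")
        if old_state != new_state:
            changes.setdefault((old_state, new_state), []).append(rule)
    untouched = sorted(set(current) - set(recommended))
    return changes, untouched


def alerts_at_risk(current, recommended):
    """Rules that alert today but would stop alerting if the recommendation is accepted."""
    return sorted(rule for rule, state in current.items()
                  if state == "alert" and recommended.get(rule, state) != "alert")


def report(current_text, recommended_text):
    """Build a human-readable review of the proposed change."""
    current = parse_states(current_text)
    recommended = parse_states(recommended_text)
    changes, untouched = diff_states(current, recommended)
    lines = [f"current presets:     {preset_counts(current)}",
             f"recommended presets: {preset_counts(recommended)}"]
    for (old, new), rules in sorted(changes.items()):
        lines.append(f"{old:>8} -> {new:<8} {len(rules):>5} rules: {', '.join(rules)}")
    lines.append(f"kept as-is (not in recommendation): {', '.join(untouched) or 'none'}")
    lines.append(f"alerts that would stop alerting: {', '.join(alerts_at_risk(current, recommended)) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CURRENT, RECOMMENDED))
```

Run it against your own two exports and the last line is the direct answer to the question: every rule that alerts now and would leave the alert state, so you review that short list instead of scanning thousands of overrides by hand.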