869 Views | 0 Helpful | 2 Replies

Is it better to use Pass Rules or Suppression in FireSIGHT?

rweir0001 (Level 1)

I have a Cisco ASA with FirePOWER that I manage with FireSIGHT. I'm trying to determine which method is better when it comes to false positives: Pass Rules or Suppression? I know that there are probably some variables in determining which is better, but what if I want to stop receiving alerts for a false positive that doesn't have a drop action? Should I suppress it or create a Pass Rule? How about if I no longer want to see alerts for rules that do have a block action? Is it best in that case to create a Pass Rule? I'm hoping that someone with some experience in these things could offer some insight.

2 Replies

chris.proudlock (Level 1)

I've always been taught that pass rules are more efficient, simply because on a correct match the entire traffic stream is ignored.

To quote support: "You can create pass rules to prevent packets that meet criteria defined in the pass rule from triggering the alert rule in specific situations, rather than disabling the alert rule. By default, pass rules override alert rules."

Though you should be careful: if you have a pass rule that matches an alert rule, but you only wanted a few IP address exclusions, then if the alert rule changes, you're the one who needs to remember to update your pass rule.
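As an added illustration of the trade-off Chris describes (this is not from the thread or from Cisco's documentation), here is what each option looks like in the Snort 2 rule language that FirePOWER uses under the hood. The SIDs, the content string, the scanner host 192.0.2.10 and the rule "scanner-x" are all made up for the example; the suppress line uses the threshold.conf syntax that the FireSIGHT per-rule "Suppression" setting generates.

```snort
# Constructed alert rule in the local SID range (1000000+). Imagine this is the
# rule that keeps firing on an authorized vulnerability scanner.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE web scanner user-agent"; flow:to_server,established; content:"User-Agent|3A| scanner-x"; nocase; http_header; classtype:attempted-recon; sid:1000001; rev:1;)

# Option 1: a pass rule. Pass rules are evaluated before alert/drop rules, so a
# packet that matches here is never tested against sid:1000001 at all. The source
# address is narrowed to the one host we want to exclude, but the detection
# criteria (flow, content, nocase, http_header) have to be copied by hand: if
# sid:1000001 rev:2 changes its content match, this pass rule quietly stops
# matching and the false positives come back.
pass tcp 192.0.2.10 any -> $HOME_NET 80 (msg:"EXAMPLE pass for authorized scanner"; flow:to_server,established; content:"User-Agent|3A| scanner-x"; nocase; http_header; sid:1000002; rev:1;)

# Option 2: suppression (threshold.conf). Keyed only on gen_id/sig_id and the
# source IP, so it follows the rule through revisions. The rule still runs and
# still matches; only the event for that source is discarded. Suppression
# therefore does nothing to change what the rule does to the packet, which is
# why it is the wrong tool when you want a drop rule to stop dropping.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10
```

The practical split this suggests: use suppression when you only want the noise gone and the rule body may change under you; use a pass rule when you also need the rule's action (drop/block) not to apply to the excluded traffic, and accept that you now own a copy of the detection criteria.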

Thanks, Chris!
