
Cisco Defense Orchestrator

Firepower Intrusion Policy Signature Overrides

In most cases, there's no need to tune any IPS rules. If necessary, you have the option to override how an event is handled by changing the matching rule action in CDO. CDO gives you options to resolve issues with the overrides.

Manage Signature Overrides

  1. From the main navigation bar, click Policies > Signature Overrides. You can filter what devices and policy override policies are shown. You can also search for intrusion policies by name or intrusion rule SID.
  2. Click on the name of policy override policy to expand the details panel on the right.
  3. In the Issues pane, an Inconsistent badge indicates that the overrides are inconsistent across the devices. The INCONSISTENT field shows the number of devices affected.
    • To ignore the issue, click Ignore. This doesn't change the issue but removes the indicator badge from the Issues column.
    • To resolve the issue, click Resolve. In the left panel, select the policies to compare and show their consistent and inconsistent overrides.
      • To merge the policies together:
        1. Click Resolve by Merging to combine them into a single policy with the same overrides on all its devices.
        2. Click Confirm.
      • To rename a policy:
        1. In the policy's section, click Rename and give it a different name.
        2. Click Confirm.
      • To ignore a policy:
        1. In the policy's section, click Ignore.
        2. Click Confirm.
      • To ignore all the inconsistencies, click Ignore All.
  4. If there are individual Talos intrusion rules that were changed on the device using Firepower Device Manager (FDM), you will see them in the Overrides pane. You can change the override action for an intrusion rule by clicking the Tune link and choosing an override action. This action is applied to that rule in all of the Talos intrusion policies it's used in:
  • Connectivity over Security
  • Balanced Security and Connectivity
  • Security over Connectivity
  • Maximum Detection

Note that if you restore the rule's default action (Default), you cannot tune the intrusion rule again until it is triggered by the environment.

For consistency across devices, the override action will be saved to every device associated with the intrusion override policy.

These are the effects of each override action:

  • Drop - This choice creates an event when this rule matches traffic and then drops the connection. Use this action to tighten the security of certain rules. For example, specifying Drop makes security stricter when the Talos rule is matched, even if the "Connectivity over Security" policy is specified for the access control rule.
  • Alert - This choice creates an event when this rule matches traffic, but it does not drop the connection. A use case for "Alert" is when traffic is blocked, but the customer wants to allow it and look at the alerts before disabling the rule.
  • Disabled - This choice prevents traffic from being matched to the rule. No events are generated. The use case for "Disabled" is to stop false positives in reports, or to remove rules that do not apply to your environment, such as disabling Apache httpd rules if you don't use httpd.
  • Default - This choice is only applicable if the rule's default action differs between the Talos intrusion policy levels. For example, returning an intrusion rule to "Default" may mean its action returns to "Alert" in the "Connectivity over Security" policy and "Block" in the "Balanced Security and Connectivity" policy.
  • Edit rule overrides with the following options:
    • Override for all devices - This option applies the selected action to all the devices managed by CDO. Select an option from the drop-down menu. If the rule has different override values in different intrusion override policies, the drop-down option is "Multiple" by default.
    • Edit rule overrides by device - Check the Advanced Options slider and select the Overrides by Devices tab. This option shows you the configured rule action for each device, which you can change by checking the affected device, selecting an override action, and clicking Save.
    • Edit rule overrides by policy - Check the Advanced Options slider and select the All Overrides tab. This section is only applicable if your tenant has more than one IPS policy configured. You can manage all IPS policies from this page, including policies that have more than one device associated with them.
  • Affected Devices does not indicate the source devices. Instead, it shows the FTD devices reporting the event.
  5. Review and deploy the changes now, or wait and deploy multiple changes at once.
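The two behaviours described above, the Default action falling back to a per-level default that can differ between Talos policy levels, and the inconsistency check that flags a rule whose override differs between devices sharing one override policy, can be made concrete with a small model. This is an added Python example, not CDO code or a Cisco API: the device names, SIDs and per-level default actions are constructed for illustration, and the merge helper takes an explicit per-SID decision because the page does not say how CDO chooses an action when merging.

```python
"""Added example (not part of the Cisco CDO documentation): a model of
signature-override resolution across Talos policy levels and devices."""
from collections import defaultdict

POLICY_LEVELS = (
    "Connectivity over Security",
    "Balanced Security and Connectivity",
    "Security over Connectivity",
    "Maximum Detection",
)
OVERRIDE_ACTIONS = {"Drop", "Alert", "Disabled", "Default"}

# Constructed sample data: per-level default actions for one rule.
# These are NOT real Talos defaults; they only illustrate that the default
# action can differ between policy levels.
SAMPLE_LEVEL_DEFAULTS = {
    "Connectivity over Security": "Alert",
    "Balanced Security and Connectivity": "Drop",
    "Security over Connectivity": "Drop",
    "Maximum Detection": "Drop",
}

# Constructed sample data: overrides reported by three devices that share one
# override policy. Device names and SIDs are hypothetical.
SAMPLE_DEVICE_OVERRIDES = {
    "ftd-branch-1": {"1:2000001": "Drop", "1:2000002": "Disabled"},
    "ftd-branch-2": {"1:2000001": "Drop", "1:2000002": "Alert"},
    "ftd-hq": {"1:2000001": "Drop"},
}


def effective_actions(level_defaults, override):
    """Return {policy level: action} for one rule after an override.

    Drop / Alert / Disabled apply the same action at every policy level.
    Default restores the per-level defaults, so the effective action may
    then differ from one level to the next.
    """
    if override not in OVERRIDE_ACTIONS:
        raise ValueError(f"unknown override action: {override}")
    if override == "Default":
        return {level: level_defaults[level] for level in POLICY_LEVELS}
    return {level: override for level in POLICY_LEVELS}


def find_inconsistent_overrides(device_overrides):
    """Return {sid: {action: [devices]}} for every SID whose override is not
    the same on all devices. A device with no override for a SID is treated
    as running the rule's Default action."""
    sids = set()
    for overrides in device_overrides.values():
        sids.update(overrides)
    inconsistent = {}
    for sid in sorted(sids):
        by_action = defaultdict(list)
        for device, overrides in device_overrides.items():
            by_action[overrides.get(sid, "Default")].append(device)
        if len(by_action) > 1:
            inconsistent[sid] = {a: sorted(d) for a, d in by_action.items()}
    return inconsistent


def merge_overrides(device_overrides, decisions):
    """Build the single override map to apply to every device.

    Consistent SIDs keep their action; each inconsistent SID takes the action
    chosen in `decisions` {sid: action}. Requiring an explicit decision is an
    assumption of this example, not documented CDO behaviour.
    """
    undecided = set(find_inconsistent_overrides(device_overrides)) - set(decisions)
    if undecided:
        raise ValueError(f"no decision for inconsistent SIDs: {sorted(undecided)}")
    merged = {}
    for overrides in device_overrides.values():
        for sid, action in overrides.items():
            merged[sid] = decisions.get(sid, action)
    return merged


if __name__ == "__main__":
    print(effective_actions(SAMPLE_LEVEL_DEFAULTS, "Default"))
    print(find_inconsistent_overrides(SAMPLE_DEVICE_OVERRIDES))
    print(merge_overrides(SAMPLE_DEVICE_OVERRIDES, {"1:2000002": "Alert"}))
```

Running the script shows that with the sample data the rule 1:2000001 is consistent (Drop everywhere) while 1:2000002 is flagged with three different states, including ftd-hq, which has no override at all; that is the situation the Inconsistent badge reports, and the merged map is what Resolve by Merging would push to all three devices once an action is chosen.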

Create A Signature Override

You can only create signature overrides for IPS rules that have already been triggered on an FTD device. When you create a signature override in CDO, the override automatically applies the configured action (Drop, Alert, Disabled, or Default) to all of the policy levels.

  1. From the main navigation bar, click Monitoring > Threats.
  2. Select a threat from the table and expand it. In the Tune Actions pane, click Tune.
  3. Tune the rules as described in step 4 of the Manage Signature Overrides procedure above.
  4. Review and deploy the changes now, or wait and deploy multiple changes at once.

Remove A Signature Override

  1. From the main navigation bar, click Policies > Signature Overrides.
  2. Click on the name of the override to expand the details panel on the right.
  3. Expand the Overrides pane, select the override you want to remove, and then click Tune.
  4. Set the action to Default.
  5. Review and deploy the changes now, or wait and deploy multiple changes at once.