Skip to main content



Cisco Defense Orchestrator

FTD Rulesets

About FTD Rulesets 

A Firepower Threat Defense (FTD) ruleset is a collection of access control rules that can be shared with multiple FTD devices. Any changes made to the rules of a ruleset affect the other managed FTD devices that use this ruleset. An FTD device can have device-specific (local) and shared (rulesets) rules. You can also create rulesets from existing rules in an FTD device. 

Important: The "Rulesets" feature is currently available for devices running Firepower Threat Defense version 6.5 or later that are not Snort 3 enabled devices. The following limitations apply:

  • You cannot attach rulesets to Snort 3-enabled devices.
  • You cannot create a ruleset from an existing device that has Snort 3 installed.
  • You cannot associate a custom IPS policy with a ruleset. 
Copy or Move Rules associated with Rulesets

It’s possible to copy or move access control rules within a ruleset or across different rulesets. Also, you’re allowed to copy or move rules between local and rulesets. See Copy FTD Access Control Rules and Move FTD Access Control Rules for more information. 

Auto-Detect Existing Rulesets

When you onboard a device, CDO auto-detects existing rulesets on them and tries to match them with the rules on the device. On a successful match, CDO automatically attaches the rulesets to the newly onboarded device. However, if there are multiple ruleset matches for the same set of rules on the device, none of them are attached, and you have to assign them manually.


Related Topics


  • Was this article helpful?