Layer Management
The Policy Layers page provides a single-page summary of the complete layer stack for your network analysis or intrusion policy. On this page you can add shared and unshared layers, copy, merge, move, and delete layers, access the summary page for each layer, and access configuration pages for enabled, disabled, and overridden configurations within each layer.
For each layer, you can view the following information:
-
whether the layer is a built-in, shared user, or unshared user layer
-
which layers contain the highest, that is the effective, preprocessor or advanced setting configurations, by feature name
-
in an intrusion policy, the number of intrusion rules whose states are set in the layer, and the number of rules set to each rule state.
The Policy Layers page also provides a summary of the net effect of all enabled preprocessors (network analysis) or advanced settings (intrusion) and, for intrusion policies, intrusion rules.
The feature name in the summary for each layer indicates which configurations are enabled, disabled, overridden, or inherited in the layer, as follows:
When the feature is... |
The feature name is... |
---|---|
enabled in the layer |
written in plain text |
disabled in the layer |
struck out |
overridden by the configuration in a higher layer |
written in italic text |
inherited from a lower layer |
not present |
You can add up to 200 layers to a network analysis or intrusion policy. When you add a layer, it appears as the highest layer in your policy. The initial state is Inherit for all features and, in an intrusion policy, no event filtering, dynamic state, or alerting rule actions are set.
You give a user-configurable layer a unique name when you add the layer to your policy. Later, you can change the name and, optionally, add or modify a description that is visible when you edit the layer.
You can copy a layer, move a layer up or down within the User Layers page area, or delete a user layer, including the initial My Changes layer. Note the following considerations:
-
When you copy a layer, the copy appears as the highest layer.
-
Copying a shared layer creates a layer that is initially unshared and which you can then share if you choose.
-
You cannot delete a shared layer; a layer with sharing enabled that you have not shared with another policy is not a shared layer.
You can merge a user-configurable layer with another user-configurable layer immediately beneath it. A merged layer retains all settings that were unique to either layer, and accepts the settings from the higher layer if both layers included settings for the same preprocessor, intrusion rule, or advanced setting. The merged layer retains the name of the lower layer. In the policy where you create a sharable layer that you can add to other policies, you can merge an unshared layer immediately above the sharable layer with the sharable layer, but you cannot merge the sharable layer with an unshared layer beneath it. In a policy where you add a shared layer that you created in another policy, you can merge the shared layer into an unshared layer immediately beneath it and the resulting layer is no longer shared; you cannot merge an unshared layer into a shared layer beneath it.