Generating and Applying Cisco Recommendations

Starting or stopping use of Cisco recommendations may take several minutes, depending on the size of your network and intrusion rule set.

Before you begin

  • Cisco recommendations have the following requirements:

    • Threat Defense License: IPS

    • Classic License: Protection

    • User Roles: Admin or Intrusion Admin

  • Configure a network discovery policy before you begin the procedure. Define your internal hosts in that policy so that the Cisco recommendations are suitable for your network. See Network Discovery Customization.

Procedure


Step 1

In the Snort 2 intrusion policy editor's navigation pane, click Cisco Recommendations.

Step 2

(Optional) Configure advanced settings; see Advanced Settings for Cisco Recommendations.

Step 3

Generate and apply recommendations.

  • Generate and Use Recommendations—Generates recommendations and changes rule states to match. Only available if you have never generated recommendations.
  • Generate Recommendations—Regardless of whether you are using recommendations, generates new recommendations but does not change rule states to match.
  • Update Recommendations—If you are using recommendations, generates recommendations and changes rule states to match. Otherwise, generates new recommendations without changing rule states.
  • Use Recommendations—Changes rule states to match any unimplemented recommendations.
  • Do Not Use Recommendations—Stops use of recommendations. If you manually changed a rule's state before you applied recommendations, the rule state returns to the value you gave it. Otherwise, the rule state returns to its default value.

When you generate recommendations, the system displays a summary of the recommended changes. To view a list of rules where the system recommends a state change, click View next to the newly proposed rule state.

Step 4

Evaluate and adjust the recommendations you implemented.

Even if you accept most Cisco recommendations, you can override individual recommendations by setting rule states manually; see Setting Intrusion Rule States.

Step 5

To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes.

If you leave the policy without committing changes and then edit a different policy, the changes you made since the last commit are discarded.


What to do next

  • Deploy configuration changes.