Advanced Settings for Cisco Recommendations
- Include all differences between recommendations and rule states in policy reports
-
By default, an intrusion policy report lists the policy's enabled rules, that is, rules set to either Generate Events or Drop and Generate Events. Enabling the Include all differences option also lists the rules whose recommended states differ from their saved states. For information on policy reports, see About Configuration Deployment.
- Networks to Examine
-
Specifies the monitored networks or individual hosts to examine for recommendations. You can specify a single IP address or address block, or a comma-separated list comprised of either or both.
Lists of addresses within the hosts that you specify are linked with an OR operation except for negations, which are linked with an AND operation after all OR operations are calculated.
If you want to dynamically adapt active rule processing for specific packets based on host information, you can also enable adaptive profile updates.
- Recommendation Threshold (By Rule Overhead)
-
Prevents the system from recommending or automatically enabling intrusion rules with a higher overhead than the threshold you choose.
Overhead is based on the rule’s potential impact on system performance and the likelihood that the rule may generate false positives. Permitting rules with higher overhead usually results in more recommendations, but can affect system performance. You can view the overhead rating for a rule in the rule detail view on the intrusion Rules page.
Note that the system does not factor rule overhead into recommendations to disable rules. Also, local rules are considered to have no overhead, unless they are mapped to a third-party vulnerability.
Generating recommendations for rules with the overhead rating at a particular setting does not preclude you from generating recommendations with different overhead, then generating recommendations again for the original overhead setting. You get the same rule state recommendations for each overhead setting each time you generate recommendations for the same rule set, regardless of the number of times you generate recommendations or how many different overhead settings you generate with. For example, you can generate recommendations with overhead set to medium, then to high, then finally to medium again; if the hosts and applications on your network have not changed, both sets of recommendations with overhead set to medium are then the same for that rule set.
- Accept Recommendations to Disable Rules
-
Specifies whether the system disables intrusion rules based on Cisco recommendations.
Accepting recommendations to disable rules restricts your rule coverage. Omitting recommendations to disable rules augments your rule coverage.