Default Settings for Cisco Recommendations
When you generate Cisco recommendations, the system searches your base policy for rules that protect against vulnerabilities associated with your network assets, and identifies the current state of rules in your base policy. The system then recommends rule states and, if you choose to, sets the rules to the recommended states.
The system performs the following basic analysis to generate recommendations:
Rule Protects Discovered Assets? | Base Policy Rule State | Recommend Rule State |
---|---|---|
Yes |
Disabled |
Generate Events |
Generate Events |
Generate Events | |
Drop and Generate Events |
Drop and Generate Events | |
No |
Any |
Disabled |
Note the following in the table:
-
If a rule is disabled in the base policy, or set to Generate Events, the recommended state is always Generate Events.
For example, if the base policy is No Rules Active, in which all rules are disabled, there will be no recommendations to Drop and Generate Events.
-
Recommendations to Drop and Generate Events are made only for rules already set to Drop and Generate Events in the base policy.
If you want a rule to be set to Drop and Generate events and the rule was disabled or set to Generate Events in the base policy, you must manually reset the rule state.
When you generate recommendations without changing the advanced settings for Cisco recommended rules, the system recommends rule state changes for all hosts in your entire discovered network.
By default, the system generates recommendations only for rules with low or medium overhead, and generates recommendations to disable rules.
The system does not recommend a rule state for an intrusion rule that is based on a vulnerability that you disable using the Impact Qualification feature.
The system always recommends that you enable a local rule associated with a third-party vulnerability mapped to a host.
The system does not make state recommendations for unmapped local rules.