Validate Snort 3 Policies

Before validating Snort 3 policies, note the following points:
  • The current version of the management center can manage threat defense devices that run several earlier versions.

  • The current management center version supports network analysis policy (NAP) configurations that do not apply to earlier threat defense versions.

  • The NAP policy editor and its validations work according to what the current version supports.

  • Your changes may therefore include content that is not valid for earlier threat defense versions.

  • A policy configuration change is accepted if it is valid for the current version, as checked with the current Snort 3 binary and NAP schema.

  • For threat defense devices on earlier versions, validation is performed at deployment time using the NAP schema and Snort 3 binary of that specific version. If part of the configuration does not apply to that version, the system warns you that the unsupported configuration will not be deployed; the remaining configuration is deployed.

The procedure below exercises this behavior: you override an inspector setting (rate_filter is used as the example), associate the NAP policy with an access control policy, and deploy it to a device, where the policy is validated against that device's version.

Procedure


Step 1

Steps to Override NAP Policy Configuration: Under Inspectors in the Snort 3 Version of the network analysis policy, expand the inspector whose default settings you want to override.

The default configuration is displayed in the left column and the overridden configuration in the right column under the inspector.

Step 2

In the Overridden Configuration column on the right, click the Edit Inspector (pencil) icon to change an inspector such as rate_filter.

The Override Configuration pop-up appears where you can make the required edits to the rate_filter inspector.

Step 3

Click OK.

Step 4

Click Save to save the changes.

Alternatively, you can use the Actions drop-down menu to upload an overridden configuration file.

Step 5

Click the Actions drop-down menu in the Snort 3 Version of the network analysis policy.

Step 6

Under Upload, click Overridden Configuration to upload the JSON file that contains the overridden configuration.

Caution

Upload only the changes that you require. Do not upload the entire configuration: every inspector in the file becomes a sticky override, so later changes to the default configuration delivered by LSP updates would no longer be applied to those inspectors.

You can drag and drop a file or click to browse to the JSON file saved in your system that contains the overridden inspector configuration.

  • Merge inspector overrides – Content in the uploaded file is added to the existing overrides. Inspectors that are not in the file keep their current overrides. For an inspector that is already overridden, the uploaded content takes precedence and replaces the previous override for that inspector as a whole.
  • Replace inspector overrides – Removes all previous overrides and replaces them with the content of the uploaded file.
    Attention

    Because this option deletes all previous overrides, make an informed decision before you override the configuration this way.

If an error occurs while uploading the overridden inspectors, it is shown in the Upload Overridden Configuration File pop-up window. You can also download the file with the error annotated, fix the error, and upload the file again.
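The two upload modes and the caution above are easiest to reason about with the file in hand. The following Python model is an added example, not Cisco's code: it treats an override file as a JSON object keyed by inspector name (the per-inspector shape the page describes; the exact envelope the management center emits is an assumption here), prunes inspectors whose content merely repeats the default so that they do not become sticky overrides, and then applies the file in either merge or replace mode. The rate_filter field names follow Snort 3's rate_filter parameters, but all values and the other inspectors are constructed sample data.

```python
"""Model of the two upload modes for a Snort 3 overridden configuration file.

Added example, not Cisco's code. An override file is modelled as a JSON
object keyed by inspector name (assumed shape). The rate_filter fields follow
the Snort 3 rate_filter parameters; the values and the other inspectors are
constructed sample data.
"""
import copy
import json

# Constructed: overrides already stored in the network analysis policy.
EXISTING_OVERRIDES = {
    "rate_filter": [
        {"gid": 1, "sid": 1000001, "track": "by_src",
         "count": 50, "seconds": 10, "new_action": "alert", "timeout": 30},
    ],
    "http_inspect": {"request_depth": 1000},
}

# Constructed: the file being uploaded. It changes rate_filter (already
# overridden), adds arp_spoof (not overridden before) and, to show why the
# page warns against uploading unchanged content, carries http_inspect with
# its default value.
UPLOADED_FILE = json.dumps({
    "rate_filter": [
        {"gid": 1, "sid": 1000001, "track": "by_src",
         "count": 100, "seconds": 60, "new_action": "drop", "timeout": 60},
    ],
    "arp_spoof": {"hosts": [{"ip": "10.0.0.1", "mac": "00:11:22:33:44:55"}]},
    "http_inspect": {"request_depth": 1000},
})

# Constructed stand-in for the LSP-delivered default configuration.
DEFAULTS = {
    "http_inspect": {"request_depth": 1000},
    "rate_filter": [],
}


def load_upload(text: str) -> dict:
    """Parse the uploaded file; reject anything that is not a JSON object
    keyed by inspector name. The page reports such errors in the upload
    pop-up; here they are raised as ValueError."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"override file is not valid JSON: {exc}") from exc
    if not isinstance(data, dict) or not all(isinstance(k, str) for k in data):
        raise ValueError("override file must be an object keyed by inspector name")
    return data


def strip_unchanged(defaults: dict, uploaded: dict) -> dict:
    """Drop inspectors whose uploaded content equals the default
    configuration, so that only real changes become sticky overrides."""
    return {name: cfg for name, cfg in uploaded.items()
            if defaults.get(name) != cfg}


def merge_overrides(existing: dict, uploaded: dict) -> dict:
    """'Merge inspector overrides': keep every stored inspector the upload
    does not mention; for an inspector present in both, the uploaded
    content replaces the stored override for that inspector as a whole."""
    result = copy.deepcopy(existing)
    for inspector, config in uploaded.items():
        result[inspector] = copy.deepcopy(config)
    return result


def replace_overrides(existing: dict, uploaded: dict) -> dict:
    """'Replace inspector overrides': nothing in `existing` survives."""
    return copy.deepcopy(uploaded)


def apply_upload(existing: dict, file_text: str, mode: str,
                 defaults: dict = DEFAULTS) -> dict:
    """Apply an upload in the chosen mode after pruning unchanged inspectors."""
    uploaded = strip_unchanged(defaults, load_upload(file_text))
    if mode == "merge":
        return merge_overrides(existing, uploaded)
    if mode == "replace":
        return replace_overrides(existing, uploaded)
    raise ValueError(f"unknown upload mode: {mode}")


if __name__ == "__main__":
    for mode in ("merge", "replace"):
        result = apply_upload(EXISTING_OVERRIDES, UPLOADED_FILE, mode)
        print(mode, "->", sorted(result))
```

Running the block prints that merge leaves rate_filter, http_inspect and arp_spoof overridden (with rate_filter's new values), while replace leaves only the two inspectors that actually differ from the defaults. The pruning step is what keeps an LSP update able to change http_inspect later.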

Step 7

Steps to Associate NAP Policy to Access Control Policy: In the access control policy editor, click Advanced, then click Edit next to the Network Analysis and Intrusion Policies section.

Step 8

From the Default Network Analysis Policy drop-down list, select a default network analysis policy.

If you choose a user-created policy, you can click Edit to edit the policy in a new window. You cannot edit system-provided policies.

Step 9

Click OK.

Step 10

Click Save to save the policy.

Step 11

Alternatively, to assign a network analysis policy to specific traffic rather than as the default, in the access control policy editor, click Advanced, then click Edit next to the Network Analysis and Intrusion Policies section.

Step 12

Click Add Rule.

Step 13

Configure the rule's conditions by clicking the conditions you want to add.

Step 14

Click Network Analysis and choose the network analysis policy to use for preprocessing traffic that matches this rule.

Step 15

Click Add.

Step 16

Deployment: On the management center menu bar, click Deploy and then select Deployment.

Step 17

Identify and choose the devices on which you want to deploy configuration changes.

  • Search—Search for the device name, type, domain, group, or status in the search box.
  • Expand—Click Expand Arrow to view device-specific configuration changes to be deployed.

    Selecting the device check box pushes all the changes listed under the device for deployment. You can instead use Policy Selection to deploy individual policies or configurations and withhold the remaining changes.

    Optionally, use Show or Hide Policy to selectively view or hide the associated unmodified policies.

Step 18

Click Deploy.

Step 19

If the system identifies errors or warnings in the changes to be deployed, it displays them in the Validation Messages window. To view complete details, click the arrow icon before the warnings or errors.

Note

For devices running a threat defense version earlier than 7.1, the system shows a warning similar to the following: Snort 3 Network analysis policy contains inspectors or attributes that are not valid for this threat defense version, following invalid settings will be skipped in deployment: Invalid inspectors are : ["rate_filter"]. The rate_filter override is skipped on those devices and the rest of the policy is deployed.
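The deploy-time validation described in the note is per device: each selected device is checked against the NAP schema of its own version, unsupported inspectors are dropped with a warning, and the remainder is deployed. The following Python model is an added example, not Cisco's code; the only version fact it takes from the page is that rate_filter overrides are invalid on threat defense versions earlier than 7.1. The other entries in MIN_VERSION, the device names and versions, and the override content are constructed placeholders that stand in for the real per-version schema.

```python
"""Model of deploy-time validation of Snort 3 NAP overrides against each
device's threat defense version.

Added example, not Cisco's code. Only the rate_filter entry in MIN_VERSION
comes from the page (invalid before 7.1); everything else is constructed.
"""
import json
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Assumed minimum threat defense version at which each inspector override
# is valid. Stands in for the per-version NAP schema.
MIN_VERSION: Dict[str, Version] = {
    "rate_filter": (7, 1),   # from the page
    "http_inspect": (7, 0),  # placeholder
    "arp_spoof": (7, 0),     # placeholder
}

# Wording follows the warning quoted on the page.
WARNING_PREFIX = ("Snort 3 Network analysis policy contains inspectors or "
                  "attributes that are not valid for this threat defense "
                  "version, following invalid settings will be skipped in "
                  "deployment: Invalid inspectors are : ")


def parse_version(text: str) -> Version:
    """Turn '7.0.5' into (7, 0, 5) so versions compare numerically;
    comparing the strings would put '7.10' before '7.2'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def validate_for_device(overrides: dict, device_version: str
                        ) -> Tuple[dict, List[str], Optional[str]]:
    """Split the overrides into the part deployable on this device and the
    inspectors that will be skipped, and build the warning text if any."""
    target = parse_version(device_version)
    deployable: dict = {}
    skipped: List[str] = []
    for name, cfg in overrides.items():
        needed = MIN_VERSION.get(name)
        # Unknown to this version's schema, or introduced later: skip it.
        if needed is None or target < needed:
            skipped.append(name)
        else:
            deployable[name] = cfg
    skipped.sort()
    warning = WARNING_PREFIX + json.dumps(skipped) if skipped else None
    return deployable, skipped, warning


def plan_deployment(overrides: dict, devices: Dict[str, str]) -> Dict[str, dict]:
    """Run the per-device validation for every selected device."""
    plan: Dict[str, dict] = {}
    for device, version in devices.items():
        deployable, skipped, warning = validate_for_device(overrides, version)
        plan[device] = {"version": version, "deploy": sorted(deployable),
                        "skipped": skipped, "warning": warning}
    return plan


# Constructed NAP overrides and device inventory.
NAP_OVERRIDES = {
    "rate_filter": [{"gid": 1, "sid": 1000001, "track": "by_src",
                     "count": 100, "seconds": 60, "new_action": "drop",
                     "timeout": 60}],
    "http_inspect": {"request_depth": 1000},
}
DEVICES = {"ftd-branch": "7.0.5", "ftd-dc": "7.2.0"}

if __name__ == "__main__":
    for device, result in plan_deployment(NAP_OVERRIDES, DEVICES).items():
        print(device, result["version"], "deploy:", result["deploy"],
              "skipped:", result["skipped"])
        if result["warning"]:
            print("  warning:", result["warning"])
```

With the constructed inventory, the 7.0.5 device gets only the http_inspect override and the rate_filter warning, while the 7.2.0 device gets both overrides and no warning. Numeric version comparison matters here: a string comparison would mis-order a future "7.10" release against "7.2".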