Create a Custom IPS Policy

Use the following procedure to create a new custom IPS policy with the IPS rules provided by Talos:

Procedure

Step 1

In the left pane, click Policies > FDM > Intrusion Prevention.

Step 2

Click the blue plus button.

Step 3

Expand the Base Template drop-down menu. If your device is running version 7.2 with Snort 3, you must expand the drop-down and then click Choose to select the template. If the device is running version 7.1.x or earlier, simply expand the drop-down menu and select one of the following templates:

  • Maximum Detection - These policies are built for networks where network infrastructure security is given even more emphasis than in the Security Over Connectivity policies, with the potential for even greater operational impact.

    Tip

    The Maximum Detection base template requires a considerable amount of memory and CPU to work effectively. Security Cloud Control recommends deploying IPS policies using this template to models such as the 2100, 3100, 4100, or threat defense virtual.

  • Security Over Connectivity - These policies are built for networks where network infrastructure security takes precedence over user convenience. The intrusion policy enables numerous network anomaly intrusion rules that could alert on or drop legitimate traffic.

  • Balanced Security and Connectivity - These policies are built for both speed and detection. Used together, they serve as a good starting point for most networks and deployment types.

  • Connectivity Over Security - These policies are built for networks where connectivity, the ability to get to all resources, takes precedence over network infrastructure security. Only the most critical rules that block traffic are enabled.

  • No Rules Active - The rules included in the policy are disabled by default.

Step 4

Enter a Name for the policy.

We strongly recommend using a name that is unique and different from the default base templates. If you ever need to troubleshoot your IPS policy, Cisco TAC can easily locate the custom policy and revert to a default policy; this keeps your network protected without losing your customized changes.

Step 5

(Optional) Enter a Description for the policy.

Step 6

Select the IPS Mode:

  • Prevention - If a connection matches an intrusion rule whose action is to drop traffic, the connection is actively blocked.

  • Detection - If a connection matches an intrusion rule whose action is to drop traffic, the action result becomes Would Have Blocked and no action is taken.

Step 7

Click Save.

What's Next?

Add your IPS policy to an FDM-managed device access control rule. See Custom IPS Policy in an FDM Access Control Rule for more information.