Variables represent values commonly used in intrusion rules to identify source and destination IP addresses and ports. You can also use variables in intrusion policies to represent IP addresses in rule suppressions, adaptive profiles, and dynamic rule states.
Preprocessor rules can trigger events regardless of the hosts
defined by network variables used in intrusion rules.
You use variable sets to manage, customize, and group your
variables. You can use the default variable set provided by the system or
create your own custom sets. Within any set you can modify predefined default
variables and add and modify user-defined variables.
Most of the shared object rules and standard text rules that the
Firepower System provides use predefined default variables to define networks
and port numbers. For example, the majority of the rules use the variable
$HOME_NET to specify
the protected network and the variable
specify the unprotected (or outside) network. In addition, specialized rules
often use other predefined variables. For example, rules that detect exploits
against web servers use the
Rules are more effective when variables more accurately reflect
your network environment. At a minimum, you should modify default variables in
the default set. By ensuring that a variable such as
defines your network and
includes all web servers on your network, processing is optimized and all
relevant systems are monitored for suspicious activity.
To use your variables, you link variable sets to intrusion
policies associated with access control rules or with the default action of an
access control policy. By default, the default variable set is linked to all
intrusion policies used by access control policies.
Adding a variable to any set adds it to all sets; that is, each
variable set is a collection of all variables currently configured on your
system. Within any variable set, you can add user-defined variables and
customize the value of any variable.
Initially, the Firepower System provides a single, default
variable set comprised of predefined default values. Each variable in the
default set is initially set to its default value, which for a predefined
variable is the value set by the
Cisco Talos Security Intelligence and Research Group
and provided in rule updates.
Although you can leave predefined default variables configured
to their default values, Cisco recommends that you modify a subset of
You could work with variables only in the default set, but in
many cases you can benefit most by adding one or more custom sets, configuring
different variable values in different sets, and perhaps even adding new
When using multiple sets, it is important to remember that the
current value of any variable in the default set determines
default value of the variable in all other sets.
When you select
Variable Sets on the Object Manager page, the object
manager lists the default variable set and any custom sets you created.
On a freshly installed system, the default variable set is
comprised only of the default variables predefined by Cisco.
Each variable set includes the default variables provided by the
system and all custom variables you have added from any variable set. Note that
you can edit the default set, but you cannot rename or delete the default set.
In a multidomain
deployment, the system generates a default variable set for each subdomain.
Importing an access control or an intrusion policy overwrites
existing default variables in the default variable set with the imported
default variables. If your existing default variable set contains a custom
variable not present in the imported default variable set, the unique variable