Intrusion policies are defined sets of intrusion detection
and prevention configurations that inspect traffic for security violations and,
in inline deployments, can block or alter malicious traffic. Intrusion policies
are invoked by your access control policy and are the system’s last line of
defense before traffic is allowed to its destination.
At the heart of each intrusion policy are the intrusion rules.
An enabled rule causes the system to generate intrusion events for (and
optionally block) traffic matching the rule. Disabling a rule stops processing
of the rule.
The Firepower System delivers several base intrusion policies, which
enable you to take advantage of the experience of the
Cisco Talos Security Intelligence and Research Group.
For these policies, Talos
sets intrusion and preprocessor rule states (enabled or disabled) and
provides the initial configurations for other advanced settings.
System-provided intrusion and network analysis policies are
similarly named but contain different configurations. For example, the Balanced
Security and Connectivity network analysis policy and the Balanced Security and
Connectivity intrusion policy work together and can both be updated in
intrusion rule updates. However, the network analysis policy governs mostly
preprocessing options, whereas the intrusion policy governs mostly intrusion rules.
If you create a custom intrusion policy, you can:
Tune detection by enabling and disabling rules, as well as by
writing and adding your own rules.
Use Firepower recommendations to associate the operating
systems, servers, and client application protocols detected on your network
with rules specifically written to protect those assets.
Configure various advanced settings such as external alerting,
sensitive data preprocessing, and global rule thresholding.
Use layers as building blocks to efficiently manage multiple intrusion policies.
In an inline deployment, an intrusion policy can block and alter traffic:
Drop rules can drop matching packets and generate intrusion
events. To configure an intrusion or preprocessor drop rule, set its state to
Drop and Generate Events.
Intrusion rules can use the
replace keyword to overwrite matched malicious content in place; the
replacement must be the same length as the content it replaces.
For intrusion rules to affect traffic, you must correctly
configure drop rules and rules that replace content, and you must
correctly deploy managed devices inline, that is, with inline interface sets.
Finally, you must enable the intrusion policy’s
drop behavior, the
Drop when Inline setting. Without it, drop rules and replace rules still
generate intrusion events but do not drop or alter the matching traffic.
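The inline behavior described above, as an added example that is not part of the original page or of Cisco's code: a small Python model of how one rule's policy state, the device's inline placement and the Drop when Inline setting together decide whether a matching packet is dropped, rewritten by replace, or only generates an event. The rule text, the HTTP payload and the function names (parse_rule, inspect, Verdict) are constructed for this example; the one outside fact it relies on is Snort's requirement that a replace pattern be exactly as long as the content it overwrites.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Snort-style rule for this example (not a Talos rule).  In a
# Firepower intrusion policy the rule header always says "alert"; whether the
# rule drops is decided by its rule state in the policy, not by the header.
EXAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE shell interpreter in URI"; content:"/bin/sh"; '
    'replace:"/bin/xx"; sid:1000001; rev:1;)'
)

# Same rule, but the replacement is one byte shorter than the match.
BAD_RULE = EXAMPLE_RULE.replace('replace:"/bin/xx"', 'replace:"/bin/x"')


@dataclass
class Rule:
    msg: str
    content: bytes
    replace: Optional[bytes]


def _decode(pattern: str) -> bytes:
    """Decode Snort content syntax: literal text, with |xx xx| hex runs."""
    out = bytearray()
    for i, seg in enumerate(pattern.split("|")):
        out += seg.encode() if i % 2 == 0 else bytes.fromhex(seg)
    return bytes(out)


def parse_rule(text: str) -> Rule:
    """Pull msg, content and replace out of a rule; reject a bad replace."""
    opts = dict(re.findall(r'(\w+):"([^"]*)"', text))
    if "content" not in opts:
        raise ValueError("rule has no content keyword to match on")
    content = _decode(opts["content"])
    replace = _decode(opts["replace"]) if "replace" in opts else None
    # Snort rewrites bytes in place, so the replacement must be exactly as
    # long as the pattern it overwrites; a wrong length is a rule error.
    if replace is not None and len(replace) != len(content):
        raise ValueError(
            f"replace length {len(replace)} != content length {len(content)}"
        )
    return Rule(opts.get("msg", ""), content, replace)


@dataclass
class Verdict:
    event: bool      # an intrusion event is generated
    dropped: bool    # the packet is dropped
    payload: bytes   # payload as forwarded (rewritten if replace applied)


def inspect(rule: Rule, state: str, payload: bytes,
            inline: bool, drop_when_inline: bool) -> Verdict:
    """Apply one rule to one payload.

    state is the policy rule state: "disabled", "alert" (Generate Events)
    or "drop" (Drop and Generate Events).  Dropping and rewriting only
    happen when the device is inline and the policy's Drop when Inline
    setting is enabled; otherwise the rule can only generate an event.
    """
    if state == "disabled" or rule.content not in payload:
        return Verdict(event=False, dropped=False, payload=payload)
    can_act = inline and drop_when_inline
    if state == "drop" and can_act:
        return Verdict(event=True, dropped=True, payload=payload)
    out = payload
    if rule.replace is not None and can_act:
        # Overwrite the first match only; the packet length is unchanged.
        out = payload.replace(rule.content, rule.replace, 1)
    return Verdict(event=True, dropped=False, payload=out)
```

The length check lives in parse_rule rather than in inspect so that a bad replace rule is rejected when the policy is built, not discovered on the first packet it matches; a passive or Drop when Inline disabled deployment still produces the event, which is the only evidence you will get that the rule would have acted.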
When tailoring your intrusion policy, especially when enabling
and adding rules, keep in mind that some intrusion rules require that traffic
first be decoded or preprocessed in a certain way. Before an intrusion policy
examines a packet, the packet is preprocessed according to configurations in a
network analysis policy. If you disable a required preprocessor, the system
automatically uses it with its current settings, although the preprocessor
remains disabled in the network analysis policy web interface.
Because preprocessing and intrusion inspection are so closely
related, the network analysis and intrusion policies examining a single packet
must complement each other. Tailoring preprocessing,
especially using multiple custom network analysis policies, is an
advanced task.
After you configure a custom intrusion policy, you can use it as
part of your access control configuration by associating the intrusion policy
with one or more access control rules or an access control policy’s default
action. This forces the system to use the intrusion policy to examine certain
allowed traffic before the traffic passes to its final destination. A variable
set that you pair with the intrusion policy allows you to accurately reflect
your home and external networks and, as appropriate, the servers on your
network.
Note that by default, the system disables intrusion inspection
of encrypted payloads. This helps reduce false positives and improve
performance when an encrypted connection matches an access control rule that
has intrusion inspection configured.