Understanding the Layer Stack
License: Protection
A network analysis or intrusion policy where you do not add layers includes the built-in, read-only base policy layer and a single user-configurable layer that is initially named My Changes. You can copy, merge, move, or delete any user-configurable layer and set any user-configurable layer to be shared by other policies of the same type.
Each policy layer contains complete configurations for either all preprocessors in a network analysis policy or all intrusion rules and advanced settings in an intrusion policy. The lowest, base policy layer includes all the settings from the base policy you selected when you created the policy. A setting in a higher layer takes precedence over the same setting in a lower layer. Features not explicitly set in a layer inherit their settings from the next highest layer where they are explicitly set.
The system flattens the layers, that is, it applies only the cumulative effect of all settings, when it handles network traffic.
Tip: You can create an intrusion or network analysis policy based solely on the default settings in the base policy.
The following figure shows an example layer stack that, in addition to the base policy layer and the initial My Changes layer, also includes two additional user-configurable layers, User Layer 1 and User Layer 2. Note in the figure that each user-configurable layer that you add is initially positioned as the highest layer in the stack; thus, User Layer 2 in the figure was added last and is highest in the stack.
Note the following points when working with multiple layers:
- When the highest layer in your policy is a read-only layer, or a shared layer as described in Sharing Layers Between Policies, the system automatically adds a user-configurable layer as the highest layer in your intrusion policy if you do either of the following:
  - modify a rule action (that is, a rule state, event filtering, dynamic state, or alerting) on the intrusion policy Rules page. See Tuning Intrusion Policies Using Rules for more information.
  - enable, disable, or modify any preprocessor, intrusion rule, or advanced setting.
  All settings in the system-added layer are inherited except for the changes that resulted in the new layer.
- When the highest layer is a shared layer, the system adds a layer when you take either of the following actions:
  - share the highest layer with other policies
  - add a shared layer to your policy
- Regardless of whether you allow rule updates to modify your policy, changes in a rule update never override changes you make in a layer. This is because changes in a rule update are made in the base policy, which determines the default settings in your base policy layer; your changes are always made in a higher layer, so they override any changes that a rule update makes to your base policy. See Importing Rule Updates and Local Rule Files for more information.
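To make the precedence rule concrete, the following Python model is an added example (it is not Cisco code and is not part of the original page). It flattens a layer stack the way the text describes: a setting in a higher layer wins, a feature not set in a layer inherits from the next highest layer that sets it, an edit made while the top layer is read-only or shared lands in a system-added layer, and a rule update only touches the base layer so it never overrides a user change. The layer names, the sid:* rule identifiers and preprocessor settings, and the name given to the system-added layer are constructed assumptions.

```python
"""Model of a layered network analysis / intrusion policy stack.

Added example, not Cisco code. Layer names, settings and the name of the
system-added layer ("System-added Layer") are constructed for illustration.
"""


class Layer:
    def __init__(self, name, settings=None, read_only=False, shared=False):
        self.name = name
        self.settings = dict(settings or {})  # only features explicitly set here
        self.read_only = read_only
        self.shared = shared


class LayeredPolicy:
    def __init__(self, base_settings):
        # Base layer: complete, read-only configuration taken from the base
        # policy. "My Changes" starts empty, so everything is inherited.
        self.layers = [Layer("Base Policy", base_settings, read_only=True),
                       Layer("My Changes")]

    def add_layer(self, name, settings=None, shared=False):
        layer = Layer(name, settings, shared=shared)
        self.layers.append(layer)  # a new user layer always goes on top
        return layer

    def flatten(self):
        """Cumulative effect of all layers, as applied to traffic."""
        effective = {}
        for layer in self.layers:             # lowest to highest
            effective.update(layer.settings)  # higher layers override lower
        return effective

    def source_of(self, feature):
        """Name of the highest layer that explicitly sets the feature."""
        for layer in reversed(self.layers):
            if feature in layer.settings:
                return layer.name
        raise KeyError(feature)

    def set(self, feature, value):
        """Change a setting; returns the name of the layer that received it."""
        top = self.layers[-1]
        if top.read_only or top.shared:
            # The system adds an editable layer; all of its other settings
            # are inherited from the layers below it.
            top = self.add_layer("System-added Layer")
        top.settings[feature] = value
        return top.name

    def apply_rule_update(self, changes):
        """A rule update modifies only the base layer, so it cannot override
        a setting that a user made in any higher layer."""
        self.layers[0].settings.update(changes)


def build_example():
    """Constructed stack: Base Policy, My Changes, User Layer 1, User Layer 2."""
    base = {"sid:1": "disabled", "sid:2": "generate events",
            "http_inspect": "enabled", "dns_inspect": "disabled"}
    policy = LayeredPolicy(base)
    policy.set("sid:1", "drop and generate events")  # lands in My Changes
    policy.add_layer("User Layer 1", {"dns_inspect": "enabled"})
    policy.add_layer("User Layer 2", {"sid:2": "disabled"}, shared=True)
    return policy


if __name__ == "__main__":
    p = build_example()
    print(p.flatten())
    print("http_inspect set in:", p.source_of("http_inspect"))
    print("edit landed in:", p.set("http_inspect", "disabled"))
```

Calling `set()` on the constructed stack while User Layer 2 (shared) is on top creates the system-added layer, and `apply_rule_update()` changing `sid:1` in the base layer leaves the user's "drop and generate events" in effect because My Changes sits above the base.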
Understanding the Base Layer
License: Protection
The base layer, also referred to as the base policy, of an intrusion or network analysis policy defines the default settings for all configurations in the policy, and is the lowest layer in the policy. When you create a new policy and change a setting without adding new layers, the change is stored in the My Changes layer, and overrides—but does not change—the setting in the base policy.
Understanding System-Provided Base Policies
License: Protection
Cisco delivers several pairs of network analysis and intrusion policies with the ASA FirePOWER module. By using system-provided network analysis and intrusion policies, you can take advantage of the experience of the Cisco Vulnerability Research Team (VRT). For these policies, the VRT sets intrusion and preprocessor rule states and also provides the initial configurations for preprocessors and other advanced settings. You can use these system-provided policies as-is, or you can use them as the base for custom policies.
If you use a system-provided policy as your base, importing rule updates may modify settings in your base policy. However, you can configure a custom policy to not automatically make these changes to its system-provided base policy. This allows you to update system-provided base policies manually, on a schedule independent of rule update imports. In either case, changes that a rule update makes to your base policy do not change or override settings in your My Changes or any other layer. For more information, see Allowing Rule Updates to Modify a System-Provided Base Policy.
System-provided intrusion and network analysis policies are similarly named but contain different configurations. For example, the Balanced Security and Connectivity network analysis policy and the Balanced Security and Connectivity intrusion policy work together and can both be updated in intrusion rule updates. For more information, see Understanding the System-Provided Policies.
Understanding Custom Base Policies
License: Protection
If you do not want to use a system-provided policy as the base policy in your network analysis or intrusion policy, you can use a custom policy as your base. You can tune settings in custom policies to inspect traffic in ways that matter most to you so you can improve both the performance of your device and your ability to respond effectively to the events they generate.
You can chain up to five custom policies: four of the five can each use another previously created custom policy in the chain as its base policy, and the fifth must use a system-provided policy as its base.
Changes you make to a custom policy that you use as the base for another policy are automatically used as the default settings of the policy that uses it as its base. Additionally, because every policy chain ends in a system-provided policy, importing a rule update may affect your policy even if you use a custom base policy. If the first custom policy in a chain (the one that uses the system-provided policy as its base) allows rule updates to modify its base policy, your policy may be affected. For information on changing this setting, see Allowing Rule Updates to Modify a System-Provided Base Policy.
Regardless of how they are made, changes to your base policy—whether by a rule update or when you modify a custom policy that you use as a base policy—do not change or override settings in your My Changes or any other layer.
Changing the Base Policy
License: Protection
You can select a different base policy for your network analysis or intrusion policy and, optionally, allow rule updates to modify a system-provided base policy, without affecting modifications in higher layers.
To change the base policy:
Procedure
Step 1: While editing your policy, click Policy Information in the navigation panel. The Policy Information page appears.
Step 2: Select a base policy from the Base Policy drop-down list.
Step 3: Optionally, if you choose a system-provided base policy, click Manage Base Policy to specify whether intrusion rule updates can automatically modify your base policy. For more information, see Allowing Rule Updates to Modify a System-Provided Base Policy.
Step 4: Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. For more information, see Resolving Conflicts and Committing Policy Changes.
Allowing Rule Updates to Modify a System-Provided Base Policy
License: Protection
Rule updates that you import provide system-provided policies with modified network analysis preprocessor settings, modified intrusion policy advanced settings, new and updated intrusion rules, and modified states for existing rules. Rule updates can also delete rules and provide new rule categories and default variables. See Importing Rule Updates and Local Rule Files for more information.
Rule updates always modify system-provided policies with any changes to preprocessors, advanced settings, and rules. Changes to default variables and rule categories are handled at the system level. See Understanding System-Provided Base Policies for more information.
When you use a system-provided policy as your base policy, you can allow rule updates to modify your base policy which, in this case, is a copy of the system-provided policy. If you allow rule updates to update your base policy, a new rule update makes the same changes in your base policy that it makes to the system-provided policy that you use as your base policy. If you have not modified the corresponding setting, a setting in your base policy determines the setting in your policy. However, rule updates do not override changes you make in your policy.
If you do not allow rule updates to update your base policy, you can manually update your base policy after importing one or more rule updates.
Rule updates always delete intrusion rules that the VRT deletes, regardless of the rule state in your intrusion policy or whether you allow rule updates to update your base intrusion policy. Until you reapply your changes to network traffic, rules in your currently applied intrusion policies behave as follows:
- Disabled rules remain disabled.
- Rules set to Generate Events continue to generate events when triggered.
- Rules set to Drop and Generate Events continue to generate events and drop offending packets when triggered.
Rule updates do not modify a custom base policy unless both of the following conditions are met:
- You allow rule updates to modify the system-provided base policy of the parent policy, that is, the policy that originated the custom base policy.
- You have not made changes in the parent policy that override the corresponding settings in the parent’s base policy.
When both conditions are met, changes in the rule update are passed to the child policy, that is, the policy using the custom base policy, when you save the parent policy.
For example, if a rule update enables a previously disabled intrusion rule, and you have not modified the rule’s state in the parent intrusion policy, the modified rule state is passed to the base policy when you save the parent policy.
Likewise, if a rule update modifies a default preprocessor setting and you have not modified the setting in the parent network analysis policy, the modified setting is passed to the base policy when you save the parent policy.
See Changing the Base Policy for more information.
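The following Python model is an added example (not Cisco code, not part of the original page) of how a rule update reaches a policy that uses a custom base policy. It encodes the two conditions above: the child only receives the rule update's change if the parent allows rule updates to modify its system-provided base and the parent has not overridden that setting in its own layers; it also models the out-of-date state that results when updates are not allowed, the rule deletions that apply regardless of that setting, and the limit of five chained custom policies. Policy names, the sid:* identifiers, rule states and the way the chain is represented are constructed assumptions.

```python
"""Rule-update propagation through a base policy chain.

Added example, not Cisco code. Names, rule ids and states are constructed.
A Policy's base is either a dict (a system-provided policy, which a rule
update modifies directly) or another Policy (a custom base policy).
"""

MAX_CUSTOM_CHAIN = 5  # "You can chain up to five custom policies"


class Policy:
    def __init__(self, name, base, allow_rule_updates=True):
        self.name = name
        self.base = base
        self.allow_rule_updates = allow_rule_updates
        if self.chain_depth() > MAX_CUSTOM_CHAIN:
            raise ValueError("chain exceeds five custom policies")
        self.base_settings = dict(self._resolve_base())  # base layer copy
        self.changes = {}         # My Changes and any other higher layer
        self.out_of_date = False  # true when an "Update Now" would be offered

    def chain_depth(self):
        depth, p = 1, self.base
        while isinstance(p, Policy):
            depth, p = depth + 1, p.base
        return depth

    def _resolve_base(self):
        return self.base.effective() if isinstance(self.base, Policy) else self.base

    def effective(self):
        # Higher layers override the base layer; the base never overrides them.
        return {**self.base_settings, **self.changes}

    def set(self, feature, value):
        self.changes[feature] = value

    def on_rule_update(self):
        """Only a policy on a system-provided base reacts to an import directly."""
        if isinstance(self.base, Policy):
            return
        if self.allow_rule_updates:
            self.base_settings = dict(self.base)  # same changes as the system policy
        else:
            self.out_of_date = True

    def update_now(self):
        self.base_settings = dict(self._resolve_base())
        self.out_of_date = False

    def save(self, children=()):
        # Saving pushes this policy's flattened settings to the policies
        # that use it as their custom base policy.
        for child in children:
            child.base_settings = dict(self.effective())


def import_rule_update(system_policy, changes, policies, deleted=()):
    system_policy.update(changes)  # the update modifies the system-provided policy
    for sid in deleted:
        system_policy.pop(sid, None)
    for p in policies:
        for sid in deleted:  # deletions apply everywhere, regardless of the flag
            p.base_settings.pop(sid, None)
            p.changes.pop(sid, None)
        p.on_rule_update()


def scenario(parent_allows_updates, parent_overrides):
    """Constructed case: a rule update enables sid:1 and deletes sid:2.
    Returns (child's sid:1 state, parent out-of-date flag, sid:2 still present)."""
    system = {"sid:1": "disabled", "sid:2": "generate events"}
    parent = Policy("Parent", system, allow_rule_updates=parent_allows_updates)
    child = Policy("Child", parent)
    if parent_overrides:
        parent.set("sid:1", "drop and generate events")
    import_rule_update(system, {"sid:1": "generate events"}, [parent, child],
                       deleted=("sid:2",))
    parent.save(children=[child])
    eff = child.effective()
    return eff["sid:1"], parent.out_of_date, "sid:2" in eff


def chain_ok(policy):
    """True if one more custom policy may be chained onto `policy`."""
    try:
        Policy("probe", policy)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for allow, override in ((True, False), (True, True), (False, False)):
        print(allow, override, "->", scenario(allow, override))
```

With the parent allowing updates and not overriding `sid:1`, the child ends up with "generate events"; if the parent overrides `sid:1`, the child gets the parent's value instead; if the parent does not allow updates, the child keeps "disabled" and the parent is flagged out of date until `update_now()` and a save. The deletion of `sid:2` reaches the child in every case.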
To allow rule updates to modify a system-provided base policy:
Procedure
Step 1: While editing a policy that uses a system-provided policy as its base policy, click Policy Information in the navigation panel. The Policy Information page appears.
Step 2: Click Manage Base Policy. The Base Policy summary page appears.
Step 3: Select or clear the Update when a new Rule Update is installed check box. When you save your policy with the check box cleared and then import a rule update, an Update Now button appears on the Base Policy summary page and the status message on the page updates to inform you that the policy is out of date. Optionally, you can click Update Now to update your base policy with the changes in the most recently imported rule update.
Step 4: Save your policy, continue editing, discard your changes, revert to the default configuration settings in the base policy, or exit while leaving your changes in the system cache. For more information, see Resolving Conflicts and Committing Policy Changes.