Hi net pros,
We use CSA to protect a few call manager clusters. On the old call manager clusters we had the standalone CSAgents running.
With an update to a new call manager version we will set up CSA MC 5.2.
In the lab we use the predefined policies for CCM, CRS etc. and it is working as expected.
With the managed CSA version the goal is of course to protect other servers/applications as well - for these applications of course no predefined policies exist.
So at the moment I am trying to get an idea how to get to these policies?!
As I understand with learn mode no policies are generated - only all queries will be answered with "yes". But then I don't really know what my server is doing?!
With application behavior investigation you are able to investigate the server, which seems very time-consuming - and - as far as I understand - you need an extra license if you want to get policies out of that investigation.
I created a few small policies for VNC, McAfee ePO Agent etc. but no "big" policies for complex applications.
Maybe someone here with experience in creating CSA policies can give me some hints - best practice etc.
Should I use learn mode? Buy the rule module creation license?
Any help is very much appreciated.