MARS - changing the severity of a system rule?

k-bragg
Level 1

I would like to change the severity of a system rule from yellow to red. After investigating, it doesn't look like the system rules can be changed. So my thought was to copy this rule to a user rule and inactivate the system rule. Is this the best way to go about this?

Also, does anyone know the order in which rules are processed? Are system rules looked at first then user? Is it based on first match? I couldn't find anything on Cisco's website discussing this.

thanks

1 Reply

a.kiprawih
Level 7

Hi Kurt,

Making a copy of the rule(s) is a better way to do it as you can always revert back to the original rule (set it back to active). This allows you to modify/change any parameters, especially when you're doing testing.

As for how MARS prioritizes the rule, I am not sure either (doc?), but it probably uses user-defined rules first before moving to other system rules.

User-defined rules should be more specific to suit the filtering requirements in a specific network environment.

Rgds,

AK
