Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Best way to edit default rule in CSA

Folks,

Could someone please guide me the best way to edit the default rules on CSA MC. I would like to tune some of the rules and I am not sure how to change the default rules, may be copy them and change them and raise the priority???

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Blue

Re: Best way to edit default rule in CSA

Use the wizard to create the exception. The default is it will create an exception to the policy by creating a new rule module and assigning it to the policy. Then you can see how the exception works and you can change the exception rather than the rule. This keeps the orignal rules unchanged but allows you to make any changes necessary to get your apps to work.

Tom S

5 REPLIES
Blue

Re: Best way to edit default rule in CSA

Make exceptions to the rule rather than change the rule at first. You can change it later if you want.

Tom S

New Member

Re: Best way to edit default rule in CSA

Tom,

Thanks for the response. I will surely rate all posts.

How do i creat exception to the rule and what would be the best way to change it? change the original rule or clone it edit it and then raise the priority.

Any help would be highly appreciated.

Blue

Re: Best way to edit default rule in CSA

Use the wizard to create the exception. The default is it will create an exception to the policy by creating a new rule module and assigning it to the policy. Then you can see how the exception works and you can change the exception rather than the rule. This keeps the orignal rules unchanged but allows you to make any changes necessary to get your apps to work.

Tom S

New Member

Re: Best way to edit default rule in CSA

Tom you are awesome! Please i would appreciate if you could assist a little more:

1) At the present time i am in a tunning process. I have 2 applications shouting all the time svchost and internet explorer trying to make changes to the registry. How do i tackle such problems?

If an application complains and i know that it is a valid application, how do i create an exception for it?

what about CSA complaining about IE trying to make changes to the regitry, what should i do about it?

Blue

Re: Best way to edit default rule in CSA

The trick is to figure out what protection you want, put machines the necessary groups then start looking at events. You can pretty much guess what normal behavior is so you can tune those out first using the wizard to either allow the action, or deny and stop logging it (unless you want to see it). I would start out with very little protection at first and in test mode, then work your way up from there.

104
Views
5
Helpful
5
Replies