Cisco Support Community

New Member

CSA 5.1 Best Practices

When I have an event logged that I need to allow, is it best practice to clone only the offending rule module and change the rules in that module as needed, or should I also clone the policy and then clone the rules?

This is a new rollout, just so you know.

Do you create new groups to reflect job duties (Accounting, HR, etc.) and then manually add policies?

Thanks

Kevin

7 REPLIES
Blue

Re: CSA 5.1 Best Practices

By default, CSA chooses to create exceptions to rule modules, not change the rules. That keeps your original rules intact. I pretty much follow this unless I have a good reason not to. I don't clone anything unless I'm going to make major changes to the original rules or I'm doing some testing.

Modifying the original rule does have the advantage of not forcing the host to process extra rules but can backfire if the exception is too broad.

All our Desktop and laptop PCs belong to one group so I only have to manage a few policies.

I do create additional groups for specific machine roles and add some PCs to that group as well. For example, we have a group that's allowed to run web process on a PC so those in that group can and no one else is allowed.

Tom

New Member

Re: CSA 5.1 Best Practices

If I create exceptions to the rules using the wizard, then don't I lose the integrity of the original rule?

Thanks

Kevin

New Member

Re: CSA 5.1 Best Practices

When you create an exception to a rule, you are typically creating an 'allow' rule whereas the original rule is a 'deny'. The wizard produces an exception for that specific event. The 'allow' rules are processed before the 'deny' rules. So events will still be blocked if they do not match the criteria of the exception. It is up to you to determine if the exception is overly broad.
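The allow-before-deny ordering described in the reply above, as an added example that is not part of the thread and not CSA's own code. It is a simplified model: the `Rule` fields, the glob matching, the sample paths and the default for unmatched events are all assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    app: str      # glob over the process name (hypothetical field)
    target: str   # glob over the resource being accessed (hypothetical field)

    def matches(self, event):
        app, target = event
        return fnmatchcase(app, self.app) and fnmatchcase(target, self.target)


def evaluate(rules, event):
    """Consult every allow rule before any deny rule, whatever the list order."""
    for action in ("allow", "deny"):
        if any(r.action == action and r.matches(event) for r in rules):
            return action
    return "allow"  # assumption: an event no rule matches is not blocked


def newly_allowed(base_rules, exception, events):
    """Events the base rules deny that the candidate exception lets through."""
    return [e for e in events
            if evaluate(base_rules, e) == "deny"
            and evaluate(base_rules + [exception], e) == "allow"]


# Constructed sample data: one deny rule and three logged events.
BASE = [Rule("deny", "*", r"C:\Windows\System32\*")]
EVENTS = [
    ("backup.exe", r"C:\Windows\System32\config\app.log"),
    ("backup.exe", r"C:\Windows\System32\drivers\etc\hosts"),
    ("unknown.exe", r"C:\Windows\System32\config\app.log"),
]
# Exception scoped to the one event that needed allowing.
NARROW = Rule("allow", "backup.exe", r"C:\Windows\System32\config\app.log")
# Exception that mirrors the deny rule and so cancels it entirely.
BROAD = Rule("allow", "*", r"C:\Windows\System32\*")

if __name__ == "__main__":
    for name, exc in (("narrow", NARROW), ("broad", BROAD)):
        hits = newly_allowed(BASE, exc, EVENTS)
        print(f"{name}: {len(hits)} of {len(EVENTS)} denied events become allowed")
```

Replaying previously denied events against a candidate exception in this way gives a quick measure of how broad the exception is before it is deployed.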

New Member

Re: CSA 5.1 Best Practices

Thanks for the explanation.

Kevin

New Member

Re: CSA 5.1 Best Practices

I think it is better to copy the rule into the module or a new module like Custom - Windows Module.

Make a file set and application class to use to modify the rule. Or User set or whatever you need.

Then use that to make your allow rule.

I stay away from the wizard as much as I can. You can start the wizard and kinda see how it does it to give you an idea.

New Member

Re: CSA 5.1 Best Practices

I also never put the exception rules into the default policies they are designed to augment. I create a separate policy and sometimes a group just for exceptions (Desktop Exceptions Policy). That way you essentially have one location to look for rules that you have previously created that may be modified if you run into a similar event later. Additionally, if you need to troubleshoot, there is only one location for rules. Typically, I have a "desktop exception policy", "server exception policy" and sometimes a policy that covers all hosts such as an Enterprise Exception Policy.

When running the wizard you can specify which policy to place the exception rule in.

New Member

Re: CSA 5.1 Best Practices

Thanks for the information explanation.
