Prioritize the security features you want to implement with CSA policies. You can also prioritize applications and groups. By having clear priorities and working through a single policy improvement at a time, you can manage the complexity of deploying large policy sets in large networks. For example, based on priorities, you can keep a specific rule module in test mode while the rest of the rule modules in the policy are in live mode. For more information, refer to the following link: http://www.cisco.com/en/US/products/sw/secursw/ps5057/products_installation_guide_chapter09186a00805aec7a.html#wp962106
- Start with a brand new policy<->module. I assign a test group to this policy.
- Create all my rules from scratch. Every day, I add one or two more rules. I do this so I know EXACTLY what my rule is doing, and I have an objective I want to fulfill. I also make the rule as granular/specific as possible.
- Every day I open the module and look at how many events were generated per rule in the last 24 hours. If they're higher than I want, I review the events, then adjust the rule. Sometimes I further break down the rule into even more granular rules.
- When I am satisfied with my rule module, I'm going to sort out the rules into multiple modules attached to the same policy. Then I will attach my active groups to the policy.
Keep in mind I'm covering a lot of hosts and not focusing on any one service, so in the end all of my groups/hosts will use this new policy/modules. Then I will add exceptions to each group when needed.