I would like to change the severity of a system rule from yellow to red. After investigating it doesn't look like the system rules can be changed. So my thought was to copy this rule to a user rule and inactivate the system rule. Is this the best way to go about this?
Also, does anyone know the order in which rules are processed? Are system rules looked at first then user? Is it based on first match? I couldn't find anything on Cisco's website discussing this.
Re: MARS - changing the severity of a system rule?
Making a copy of the rule(s) is a better way to do it as you can always revert back to the original rule (set it back to active). This allows you to modify/change any parameters, especially when you're doing testing.
As for how MARS prioritize the rule, I am not sure either (doc?), but it probably uses user-defined rules first before moving to other system rules.
User-define rules should be more specific to suit the filtering requirements in specific network environment.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...