I have noticed that after a rule update, rules in "Drop and Generate Events" mode are added to the Base Intrusion Policy. In the case of an inline deployment this is not desired, thus tuning is required every time. Why does this happen? Is there any way to avoid it?
In other words, it would be much more 'safer' if the added rules would be in 'Generate Events' mode only.
The basic idea here is that the rule update changes the default policies. Be it balance security and connectivity or connectivity and security and so on.
Cisco release rule updates with revisions of most common signatures which should always be in drop and generate and some in generate events while also some rules without any action depending upon the base policy.
If you are using balance security and connectivity, that would be most safe (and recommended) base policy. To answer your question, no rule update installation does apply on base policy which affects custom policy as well.
This document describes how to generate an FXOS troubleshoot file for 2100/4100/9300-series devices
The information in this document is based on these software and hardware versions:
Cisco Firepower 9300 Security Appliance r...
FP URL filtering capability can classify the URLs based on:
Reputation (risk level)
This varies from High Risk (level 1) to Well Known (level 5)
Category + Reputation
If you select a reputation level to allow,...
Cisco Press has published a step-by-step visual guide to configuring and troubleshooting of the Cisco Firepower Threat Defense (FTD). Each consistently organized chapter on this book contains definitions of keywords, operational flowcharts, architectural ...