Configure a Pass Rule on a Cisco Firepower System

Available Languages

Download Options

  • PDF     (77.3 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (119.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (192.0 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:November 2, 2018
Document ID:118411

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes a pass rule, how to create it, and how to enable it in an intrusion policy.

    You can create pass rules in order to prevent packets that meet criteria defined in the pass rule from triggering the alert rule in specific situations, rather than disabling the alert rule. By default, pass rules override alert rules. A Firepower System compares packets against the conditions specified in each rule and, if the packet data matches all of the conditions specified in a rule, the rule triggers. If a rule is an alert rule, it generates an intrusion event. If it is a pass rule, it ignores the traffic.

    For example, you might want a rule that looks for attempts to log into an FTP server as the user “anonymous” to remain active. However, if your network has one or more legitimate anonymous FTP servers, you could write and activate a pass rule that specifies that, for those specific servers, anonymous users do not trigger the original rule.

    Caution: When an original rule that the pass rule is based on receives a revision, the pass rule is not automatically updated. Therefore, pass rules might be difficult to maintain.

    Note: If you enable the Suppression feature for a rule, it suppresses the event notifications for that rule. However the rule is still is evaluated. For example, if you supress a drop rule, packets that match the rule are silently dropped.

    Prerequisites

    Requirements

    There are no specific requirements for this document.

    Components Used

    This document is not restricted to specific software and hardware versions. 

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

    Configure

    Create a Pass Rule

    1. Navigate to Objects > Intrusion Rules. The list of rule categories appears.
    2. Find the rule category that is associated with the rule you want to filter. Use the arrow icon to expand the rule category from the category listings and find the rule that you want to make a pass rule for. Alternatively, you can use the rule search box.
    3. Once you find the desired rule, click the pencil icon next to it in order to edit the rule.
    4. When you edit a rule, complete these steps:
      1. Click the Edit button that corresponds to the rule.
      2. In the Action drop-down list, choose pass.
      3. Change the Source IPs field and Destination IPs field to the hosts or networks that you do not want the rule to alert on.
      4. Click Save As New.

    5. Note the ID number of the new rule. For example, 1000000.

    Enable a Pass Rule

    You need to enable your new rule in the appropriate intrusion policy in order to pass traffic on the source or destination addresses that you specified. Follow these steps in order to enable a pass rule:

    1. Modify the active intrusion policy:
      1. Navigate to Policies > Access Control > Intrusion.
      2. Click Edit next to the active intrusion policy.
    2. Add the new rule to the rule list:
      1. Click Rules on the left-side pane.
      2. Enter the Rule ID you noted earlier in the filter box.
      3. Check the Rules check box, and change the Rule State to Generate Events.
      4. Click Policy Information on the left-side pane. Click Commit Changes.
    3. Click Deploy in order to deploy the changes on the device.

    Verify

    You should monitor the new events for some time in order to make sure no events are generated for this specific rule for the defined source or destination IP address.

    Troubleshoot

    There is currently no specific troubleshooting information available for this configuration.

    TAC Authored

    Contributed by Cisco Engineers

    • Nazmul Rajib
      Cisco Engineer
    • Josiah Zimmermann
      Cisco Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products