Step 3 | In the Issues pane, a badge indicates the overrides are inconsistent across the devices. You can see the INCONSISTENT field with the number of devices affected:
-
To ignore the issue, click Ignore. This doesn't change the issue but removes the indicator badge from the Issues column.
-
To resolve the issue, click Resolve. In the left panel, select the policies to compare and show their consistent and inconsistent overrides.
|
Step 4 | If there are individual Talos intrusion rules that were changed on the device using an FDM-managed device you will see them in the Overrides pane. You can change the override action for an intrusion rule by clicking Tune link and choosing an override action. This action will be applied to that rule in all of the Talos intrusion policies it's used in. Note that if you choose to restore the default action rule (Default), you cannot tune the intrusion rule again until it is triggered by the environment.
-
Connectivity over Security
-
Balanced Security and Connectivity
-
Security over Connectivity
-
Maximum Detection
For consistency across devices, the override action will be saved to every device associated with the intrusion override policy.
These are the effects of the override action:
-
Drop-This choice creates an event when this rule matches traffic and then drops the connection. Use this action to tighten security of certain rules. For example, specifying Drop would make security stricter when the Talos rule is matched even if the "Connectivity over Security" policy is specified for the access control rule.
-
Alert-This choice creates an event when this rule matches traffic, but it does not drop the connection. A use case for "Alert" is when traffic is blocked, but the customer wants to allow, it and look at the alerts before disabling the rule.
-
Disabled-This choice prevents traffic from being matched to the rule. No events are generated. The use case for "Disabled" is to stop false positives in reports, or remove rules that do not apply to your environment, like disabling Apache httpd rules if you don't use httpd.
-
Default-This choice is only applicable if the rule's default action is different in the Talos intrusion policy levels. For example, when you return an intrusion rule to "Default" that may mean its action returns to "Alert" in the "Connectivity over Security" policy and "Block" in the "Balanced Security and Connectivity" policy.
-
Edit rule overrides with the following options:
-
Override for all devices - This option sets the required action to all the devices managed by CDO. Select an option from the drop-down menu. If the rule has different override values for different intrusion override policies, the drop-down option is "Multiple" by default.
-
Edit rule overrides by device - check the Advanced Options slider and select the Overrides by Devices tab. This option shows you the configured rule action for each device, which you can change by checking the affected device, selecting an override action, and clicking Save.
-
Edit rule overrides by policy - check the Advanced Options slider and select the All Overrides tab. This section is only applicable if your tenant has more than one IPS policy configured. You can manage all IPs policies from this page, including policies that have more than one device associated to it.
|