Automating Firepower Recommendations

You can automatically generate rule state recommendations based on network discovery data for your network using the most recently saved configuration settings in a custom intrusion policy.

Note

If the system automatically generates scheduled recommendations for an intrusion policy with unsaved changes, you must discard your changes in that policy and commit the policy if you want the policy to reflect the automatically generated recommendations.

When the task runs, the system automatically generates recommended rule states, and modifies the states of intrusion rules based on the configuration of your policy. Modified rule states take effect the next time you deploy your intrusion policy.

In a multidomain deployment, you can automate recommendations for intrusion policies at the current domain level. The system builds a separate network map for each leaf domain. In a multidomain deployment, if you enable this feature in an intrusion policy in an ancestor domain, the system generates recommendations using data from all descendant leaf domains. This can enable intrusion rules tailored to assets that may not exist in all leaf domains, which can affect performance.

Before you begin

  • Configure Firepower recommended rules in an intrusion policy as described in Generating and Applying Firepower Recommendations.

  • If you want to email task status messages, configure a valid email relay server.

  • You must have the Threat Smart License or Protection Classic License to generate recommendations.

Procedure

Step 1

Choose System (system gear icon) > Tools > Scheduling.

Step 2

Click Add Task.

Step 3

From Job Type, choose Firepower Recommended Rules.

Step 4

Specify how you want to schedule the task, Once or Recurring:

  • For one-time tasks, use the drop-down lists to specify the start date and time.

  • For recurring tasks, see Configuring a Recurring Task for details.

Step 5

Enter a name in the Job Name field.

Step 6

Next to Policies, choose one or more intrusion policies where you want to generate recommendations. Check All Policies check box to choose all intrusion policies.

Step 7

(Optional) Enter a comment in the Comment field.

Keep comments brief. Comments appear in the Task Details section of the schedule calendar page.

Step 8

(Optional) To email task status messages, type an email address (or multiple email addresses separated by commas) in the Email Status To: field.

Step 9

Click Save.