Generating and Applying Firepower Recommendations

Starting or stopping use of Firepower recommendations may take several minutes, depending on the size of your network and intrusion rule set.

The system builds a separate network map for each leaf domain. In a multidomain deployment, if you enable this feature in an intrusion policy in an ancestor domain, the system generates recommendations using data from all descendant leaf domains. This can enable intrusion rules tailored to assets that may not exist in all leaf domains, which can affect performance.

Before you begin

Firepower recommendations have the following requirements:
- FTD License—Threat
- Classic License—Protection
- User Roles—Admin or Intrusion Admin
Configure a network discovery policy before you begin with the steps. Configure the network discovery policy to define internal hosts so that the Firepower recommendations are suitable. See, Network Discovery Customization.

Procedure

Step 1	In the Snort 2 intrusion policy editor's navigation pane, click Firepower Recommendations.
Step 2	(Optional) Configure advanced settings; see Advanced Settings for Firepower Recommendations.
Step 3	Generate and apply recommendations. Generate and Use Recommendations—Generates recommendations and changes rule states to match. Only available if you have never generated recommendations. Generate Recommendations—Regardless of whether you are using recommendations, generates new recommendations but does not change rule states to match. Update Recommendations—If you are using recommendations, generates recommendations and changes rule states to match. Otherwise, generates new recommendations without changing rule states. Use Recommendations—Changes rule states to match any unimplemented recommendations. Do Not Use Recommendations—Stops use of recommendations. If you manually changed a rule's state before you applied recommendations, the rule state returns to the value you gave it. Otherwise, the rule state returns to its default value. When you generate recommendations, the system displays a summary of the recommended changes. To view a list of rules where the system recommends a state change, click View next to the newly proposed rule state.
Step 4	Evaluate and adjust the recommendations you implemented. Even if you accept most Firepower recommendations, you can override individual recommendations by setting rule states manually; see Setting Intrusion Rule States.
Step 5	To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes. If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.