Specify a Policy to Handle Packets That Pass Before Traffic Identification
Note | This setting is sometimes referred to as the default intrusion policy. (This is distinct from the default action for an access control policy.) |
Caution | Changing the total number of intrusion policies used by an access control policy restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information. You change the total number of intrusion policies by adding an intrusion policy that is not currently used, or by removing the last instance of an intrusion policy. You can use an intrusion policy in an access control rule, as the default action, or as the default intrusion policy. |
Before you begin
Review best practices for these settings. See Best Practices for Handling Packets That Pass Before Traffic Identification.
Procedure
Step 1 | In the access control policy editor, click Advanced, then click Edit ( If View ( |
Step 2 | Select an intrusion policy from the Intrusion Policy used before Access Control rule is determined drop-down list. If you choose a user-created policy, you can click Edit ( |
Step 3 | Optionally, select a different variable set from the Intrusion Policy Variable Set drop-down list. You can also select Edit ( |
Step 4 | Click OK. |
Step 5 | Click Save to save the policy. |
What to do next
- Deploy configuration changes; see Deploy Configuration Changes.
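The Caution above ties a Snort restart to the total number of intrusion policies an access control policy uses. The following pre-deployment check is an added example, not Cisco code or an FMC export format: it counts the distinct intrusion policies before and after a planned change to the default intrusion policy. The dictionary fields and policy names are hypothetical and constructed for illustration.

```python
from collections import Counter

# Constructed sample: hypothetical field and policy names, not an FMC export format.
CURRENT = {
    "rules": [
        {"name": "web-in", "intrusion_policy": "corp-balanced"},
        {"name": "dmz-in", "intrusion_policy": "corp-dmz"},
        {"name": "trusted", "intrusion_policy": None},
    ],
    "default_action_intrusion_policy": "corp-balanced",
    "default_intrusion_policy": "corp-legacy",  # used nowhere else
}

def intrusion_policy_uses(acp):
    """Count references per intrusion policy across the three places the page lists."""
    uses = Counter(r["intrusion_policy"] for r in acp["rules"] if r.get("intrusion_policy"))
    for slot in ("default_action_intrusion_policy", "default_intrusion_policy"):
        if acp.get(slot):
            uses[acp[slot]] += 1
    return uses

def review_change(current, planned):
    """Compare the distinct intrusion policies before and after a planned edit."""
    before, after = intrusion_policy_uses(current), intrusion_policy_uses(planned)
    added = sorted(set(after) - set(before))      # policies not currently used
    removed = sorted(set(before) - set(after))    # last instance removed
    return {
        "added": added,
        "removed": removed,
        "count_before": len(before),
        "count_after": len(after),
        "total_changes": len(before) != len(after),
        # A swap adds one policy and removes another, leaving the count equal;
        # the page does not say how that case behaves, so flag it for review.
        "needs_review": bool(added or removed),
    }

def with_default_intrusion_policy(acp, name):
    """Return a copy of acp with a different default intrusion policy."""
    return {**acp, "default_intrusion_policy": name}

if __name__ == "__main__":
    for choice in ("corp-legacy", "corp-dmz", "corp-pre-id"):
        print(choice, review_change(CURRENT, with_default_intrusion_policy(CURRENT, choice)))
```

Run it against the planned policy before Step 5, and schedule the deployment for a maintenance window when `total_changes` or `needs_review` is true.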