Chapter 2 Deployment Planning
Policy Tuning and Troubleshooting
If one of the rule modules within a policy is not behaving as expected, you can place it in test mode while still keeping the remaining rule modules in live mode. To do this, select the Test Mode checkbox on any Configuration -> Rule Modules -> <platform> Rule Modules -> <module name> page.
Note: When running your pilot, explain to participants the difference between test mode and live mode, clearly label whether agent kits are for test mode or live mode, and tell participants which kits to download and use during various phases of the pilot.
Test mode is not intended to be used indefinitely because the area under test is completely vulnerable from a security standpoint. Groups and rule modules in test mode should move to live mode in a timely fashion. Once the pilot is over, you need to carefully control which hosts, if any, are in test mode. You can remove the test mode kits to ensure they do not get downloaded during deployment, and periodically monitor the Systems - test mode group to ensure that all pilot participants have migrated to live mode agent kits. You want to avoid the situation where a security hole exists after deployment because some groups or rule modules were inadvertently left in test mode.
Disabling Specific Rules
When you examine the event log with the Events
• You can disable the rule temporarily. At a later time, you can go back and modify the rule, set up a query with a cached response, or set up an exception rule.
• You can disable the rule permanently if the rule protects a resource that you don’t need protected as part of your security policy.
The easiest way to disable a rule is to click the rule number at the bottom of the event description in the event log. On the rule page, click the Enabled checkbox to uncheck it and disable the rule. Once you generate the rules, this rule will be disabled.
Installing Management Center for Cisco Security Agents 5.2