Chapter 2 Deployment Planning
Policy Tuning and Troubleshooting
2-12
Installing Management Center for Cisco Security Agents 5.2
78-17916-01
Caching and Resetting Query ResponsesRules can be configured with enforcement actions of allow, deny, terminate, or
query the user. In some cases, there are rules that already query the user but do so
repeatedly instead of caching the user’s response to make it persistent. In other
cases, there are rules that are generating a mix of false positives and valid
enforcements in the event log and need to be modified so they query the user and
cache the user’s response for the false positives.
You set up a query and cache the answer with different MC menus:
• To set up a query, you display the rule you wish to modify by clicking on the
rule number in the event log. You then select Query User from the action
popup menu.
• To cache the response for a query, select the Configuration -> Variables ->
Query Settings menu option, and then select the desired query from the page.
Then, click on the Enable “don’t ask again” option checkbox if it is not
already checked. When users receive the query and indicate they don’t want
to be asked this query again, their answer is cached.
Note One trade-off of setting up a cached query response is that users can answer the
query inappropriately and then the inappropriate response becomes persistent.
After setting up a cached query response, review the event log to make sure users
are responding appropriately to the query. If some users give inappropriate
responses, you can reset their agents and then give the users more information
about responding to the query.
If a user has responded to a query inappropriately and the response is being
cached, you can reset the user’s cache by doing the following:
1. Select the Systems -> Hosts menu option.
2. Click on the <hostname>.
3. Select User Query Responses and click on the Reset Cisco Security Agent
button.