Chapter 2 Deployment Planning

Policy Tuning and Troubleshooting

Caching and Resetting Query Responses

Rules can be configured with an enforcement action of allow, deny, terminate, or query the user. Some rules already query the user but do so repeatedly, because the user’s response is not cached and therefore does not persist. Other rules generate a mix of false positives and valid enforcements in the event log; modify these rules so that they query the user and cache the user’s response for the false positives.

Setting up a query and caching its answer are done from different Management Center (MC) menus:

To set up a query, you display the rule you wish to modify by clicking on the rule number in the event log. You then select Query User from the action popup menu.

To cache the response for a query, select the Configuration -> Variables -> Query Settings menu option, and then select the desired query from the page. Then, click on the Enable “don’t ask again” option checkbox if it is not already checked. When users receive the query and indicate they don’t want to be asked this query again, their answer is cached.

Note: One trade-off of setting up a cached query response is that users can answer the query inappropriately and then the inappropriate response becomes persistent. After setting up a cached query response, review the event log to make sure users are responding appropriately to the query. If some users give inappropriate responses, you can reset their agents and then give the users more information about responding to the query.

If a user has responded to a query inappropriately and the response is being cached, you can reset the user’s cache by doing the following:

1. Select the Systems -> Hosts menu option.

2. Click on the <hostname>.

3. Select User Query Responses and click on the Reset Cisco Security Agent button.

 

Installing Management Center for Cisco Security Agents 5.2


78-17916-01
