Overview
This section shows how to perform advanced operations for FTD intrusion policies using the REST API. The procedures in this section are written for FTD version 6.5.0.
Understanding Intrusion Policies
FTD devices use intrusion policies, intrusion rules, and network analysis policies (NAPs) to monitor traffic and respond to threats. Rules specify network attacks along with actions (ALERT, DROP, DISABLED). Intrusion policies are collections of configured rules and actions that reflect a specific level and type of threat. Network analysis policies ensure that network traffic is correctly decoded and preprocessed so that the associated intrusion rules can detect it. An intrusion policy is activated when it is associated with one or more access rules. The intrusion policy tells the inspection engine how to monitor and respond to all traffic that matches the access rule.
Four intrusion/network analysis policy pairs are defined by the system. The intrusion policies share a common set of intrusion rules. Users do not have access to modify network analysis policies. Users can modify rule actions for a given intrusion policy.
FTD supports configuration of individual rule actions for each policy, and assignment of intrusion policies to access rules. The Threat license entitlement must be enabled on the device in order to perform intrusion policy and rule configuration.
Intrusion Rules
There are more than 30,000 intrusion rules. The rules themselves are not configurable by the user. To change a rule action, the user must update a property on one of the intrusion policies. For the REST API user, this means that intrusion rules can only be accessed via an intrusion policy.
How FTD Uses Intrusion Policies
Access rules that block or trust traffic cannot have an intrusion policy since these actions are unconditional, regardless of the traffic content. An intrusion policy can only be assigned to an access rule that is configured to allow traffic. Any traffic that matches the access rule is also inspected using the rules for that intrusion policy. If connection logging is enabled, traffic that matches a non-disabled rule may trigger an intrusion event. After the initial event, the FTD enters a short cooldown period. During the cooldown period, traffic that should be blocked is still blocked, but new events are not triggered.
Intrusion Policies and Syslog Servers
A single syslog server can be configured to receive events from all activated intrusion policies. The server must be reachable from the FTD management interface.
For more information about configuring FTD devices, see the Cisco Installation and Configuration Guides.
How to Read the HTTP Request/Response Examples
FTD devices in the examples are given names like ftd.example. Replace these values with your local device name (or IP address) and port. Some request examples use curl and include an authorization parameter. Replace this value with your OAUTH access token for the FTD device. For more information on how to obtain an access token, see Authenticating Your REST API Client Using OAUTH.
Responses may include a "self" link that references the device IP address and port. In actual use, you will see your device's address, not a value like "ftd.example".
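The following Python client helper is an added example; it is not part of this document and not Cisco's own FTD code. It applies the conventions described above: the device host and port take the place of ftd.example, the OAUTH access token is sent in the Authorization header rather than embedded in a URL, and each "self" link in a response is checked against the device's own address before it is used, so the bearer token is never sent to a different host. The /api/fdm/v5 prefix, the /policy/intrusionpolicies path, and the layout of the response items are assumptions made for this example, not values taken from this page; the sample response is constructed, not captured from a device.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

# Assumed URL prefix for the FTD 6.5 on-box REST API; this page does not state it.
API_BASE = "/api/fdm/v5"


def base_url(host, port=443):
    """Build the device origin; 'ftd.example' in the docs stands for your device."""
    return f"https://{host}:{port}"


def auth_headers(token):
    """Headers carrying the OAUTH access token, as the page's curl examples do."""
    if not token:
        raise ValueError("empty access token")
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def same_origin(link, host, port=443):
    """Check that a 'self' link from a response points back at the device we
    authenticated against, so the bearer token is only ever sent to that device."""
    parts = urlsplit(link)
    link_port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme == "https" and parts.hostname == host and link_port == port


def summarize_policies(body, host, port=443):
    """Return (name, id, self_link) for each policy whose self link is same-origin."""
    found = []
    for item in body.get("items", []):
        link = item.get("links", {}).get("self", "")
        if not same_origin(link, host, port):
            continue  # skip rather than follow a link to a different origin
        found.append((item["name"], item["id"], link))
    return found


def https_transport(url, headers, cafile=None):
    """Real transport: GET the URL with TLS verification against the device's CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response (not captured from a device); the item shape
# {"id", "name", "links": {"self"}} is an assumption made for this example.
SAMPLE_RESPONSE = {
    "items": [
        {"id": "policy-0001", "name": "Balanced Security and Connectivity",
         "links": {"self": "https://ftd.example:443" + API_BASE
                           + "/policy/intrusionpolicies/policy-0001"}},
        {"id": "policy-0002", "name": "Entry with a foreign self link",
         "links": {"self": "https://other-host.example/policy/intrusionpolicies/policy-0002"}},
    ]
}


def offline_transport(url, headers):
    """Stand-in transport so the example runs without a device."""
    assert headers["Authorization"].startswith("Bearer ")
    assert url.startswith("https://")
    return SAMPLE_RESPONSE


def list_intrusion_policies(host, token, port=443, transport=https_transport):
    """GET the intrusion policy collection and summarize it.
    The endpoint path is assumed (it is not given on this page)."""
    url = base_url(host, port) + API_BASE + "/policy/intrusionpolicies"
    return summarize_policies(transport(url, auth_headers(token)), host, port)


if __name__ == "__main__":
    import os
    token = os.environ.get("FTD_TOKEN", "constructed-token")  # never hard-code the token
    for name, obj_id, link in list_intrusion_policies("ftd.example", token,
                                                      transport=offline_transport):
        print(f"{name} ({obj_id}) -> {link}")
```

Run against a real device by passing the default https_transport (optionally with the device's CA file) instead of offline_transport; the offline run prints only the first sample policy, because the second item's "self" link points at a different host and is dropped by the same_origin check.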