
Table Of Contents

Managing Outbreaks

About Outbreak Management Tasks

Terms and Concepts

Types of Tasks

Task Lifetime

Task Creation

About Outbreak Policy ACLs and Pre-ACLs

OPACLs

Pre-ACLs

About Outbreak Prevention Signatures

Downloading and Deploying OPSigs

Verifying OPSig Deployment

Creating a New Manual Outbreak Management Task

Automating Outbreak Management

Configuring the Exception List

Viewing the Network Viruses in a Policy

Viewing a Summary of All Outbreak Management Tasks

Viewing an Active OPACL

Modifying Outbreak Management Task Options

Modifying the OPACL Mode

Stopping an Outbreak Management Task

Stopping an OPACL

Modifying Switch and Router Pre-ACLs


Managing Outbreaks


This chapter explains how to create outbreak management tasks to help protect against network virus outbreaks. It contains the following sections:

About Outbreak Management Tasks

About Outbreak Policy ACLs and Pre-ACLs

About Outbreak Prevention Signatures

Creating a New Manual Outbreak Management Task

Automating Outbreak Management

Configuring the Exception List

Viewing the Network Viruses in a Policy

Viewing a Summary of All Outbreak Management Tasks

Viewing an Active OPACL

Modifying Outbreak Management Task Options

Modifying the OPACL Mode

Stopping an Outbreak Management Task

Stopping an OPACL

Modifying Switch and Router Pre-ACLs

About Outbreak Management Tasks

An outbreak management task is a file that contains an OPACL. Cisco ICS uses outbreak management tasks to help protect the network from various threats. Each task is associated with a single threat. You can manually create and activate tasks or allow Cisco ICS to do so automatically. A maximum of 32 tasks can be active concurrently.

This section describes outbreak management tasks and contains the following topics:

Terms and Concepts

Types of Tasks

Task Lifetime

Task Creation

Terms and Concepts

Become familiar with the following information before you create and configure tasks:

Known threats—Viruses, Trojans, and other malicious code that Trend Micro already detected. Only one threat can be associated with an outbreak management task. For more information, see Understanding Network-based Threats, page 1-5, and About Risk Ratings, page 1-6.

Outbreak Prevention ACL (OPACL)—A file that Cisco ICS deploys to specified devices to log or block certain types of network traffic. On all devices, the OPACL is disabled when the end date is reached or when Cisco ICS deploys the OPSig. For more information, see About Outbreak Policy ACLs and Pre-ACLs.

Outbreak Prevention Signature (OPSig)—A file that Cisco ICS deploys to IPS devices only to detect and block a threat from spreading. If automatic deployment is enabled, Cisco ICS deploys the OPSig immediately after downloading it. If automatic deployment is not enabled, you must deploy the OPSig manually. For more information, see About Outbreak Prevention Signatures, Enabling Automatic Deployment, page 5-8, and Deploying Manually, page 5-8.

OPACL mode—A setting that determines tasks for network devices when they receive an OPACL from the Cisco ICS server. Two modes are available:

Blocking mode—Instructs devices to block certain types of traffic and ports and create log entries if blocking occurs.

Logging mode—Instructs IPS devices to create log entries if network packets match the OPACL policy. Note that the devices do not block any traffic.


Note Logging mode applies to IPS devices only.


Types of Tasks

Two types of tasks are available:

Automatic—Tasks that automatically deploy the latest OPACLs to specified devices for newly discovered red and yellow alerts. Cisco ICS periodically checks the update source server and triggers an automatic task when the solution for a new threat is ready. The OPACL for the new task defines the start and end times for the task. However, you can continue to configure basic OPACL settings, such as the task end date; whether to stop the task when Cisco ICS deploys an OPSig; and whether to overwrite an existing OPACL with a newly updated one.

Manual—Administrator-created tasks with configurable options, such as the end date for the task, and the type of traffic and ports to block or log. Automatic tasks address only the threats discovered after you enable automatic task deployment. However, manual tasks can address existing threats.

Task Lifetime

Table 6-1 explains when tasks are activated and terminated.

Table 6-1 Outbreak Management Task Lifetime

| Task Type | Activation | Termination |
|---|---|---|
| Automatic | Cisco ICS downloads a new task from the update source. | Click Stop Running Tasks or Remove OPACL on the Outbreak Management Task Summary window. Cisco ICS deploys an OPSig after you choose the option to stop the OPACL on the Automatic Outbreak Management Task window. |
| Manual | Immediately after creation. | Click Stop Running Tasks or Remove OPACL on the Outbreak Management Summary window. |



Note Do not confuse outbreak management task lifetime with OPACL lifetime. For more information, see About Outbreak Policy ACLs and Pre-ACLs.


Task Creation

Table 6-2 explains when and how you can create automatic and manual tasks.

Table 6-2 Outbreak Management Task Creation

| Type | Recommendation |
|---|---|
| Automatic | We recommend that you enable Cisco ICS to automatically create tasks and keep this option enabled. Cisco ICS can deploy outbreak management tasks for newly discovered red and yellow alerts after it downloads the tasks from Trend Micro. The advantage of enabling automatic tasks is that it relieves you of creating tasks manually. You must enable scheduled download for Cisco ICS to periodically poll the update source for new tasks. For more information, see Configuring Scheduled Download, page 5-3. However, automatic tasks address only the threats discovered after you enable Cisco ICS to create automatic tasks. To guard against the threats that were discovered before you enabled automatic tasks, which might still be propagating through the Internet, you must create a manual task. |
| Manual | We recommend that you create tasks manually if you are concerned that an existing threat poses a risk to your network. Cisco ICS offers protection from a variety of known threats detected by Trend Micro TrendLabs. The advantage of creating a task manually is that you can guard against a threat that is already in circulation before you enabled automatic tasks. If you enabled automatic tasks immediately after installing Cisco ICS and you are confident that no threats exist on your network, you do not need to create a manual task. |


About Outbreak Policy ACLs and Pre-ACLs

When outbreak management tasks become active, Cisco ICS can deploy OPACLs and Pre-ACLs.

This section describes OPACLs and Pre-ACLs and contains the following topics:

OPACLs

About Pre-ACLs

OPACLs

This section describes OPACLs and contains the following topics:

About OPACLs

OPACL Mode

Modifying the OPACL

OPACL Expiration

Verifying OPACL Deployment

About OPACLs

An OPACL is an ACL that contains instructions for addressing a variety of threats. Cisco devices use OPACLs to block the types of network traffic and the ports that threats use to launch attacks and infect hosts. When Trend Micro discovers a new threat or new information on an existing threat, the OPACL on the ActiveUpdate server is updated. You must download the new OPACL either manually or by schedule to obtain the most up-to-date virus protection.

Each OPACL is associated with a single outbreak management task (both manual and automatic).

OPACL Mode

If one or more tasks are active, the associated OPACLs are in blocking mode or logging mode.

Blocking mode—Instructs devices to block certain types of traffic and ports and create log entries if blocking occurs.

Logging mode—Instructs IPS devices to create log entries if network packets match the OPACL policy. Note that the devices do not block any traffic.


Note Logging mode applies to IPS devices only. You cannot change the OPACL mode if one or more outbreak management tasks are active.


Modifying the OPACL

Each OPACL has default settings that block the type of traffic and the ports that the threat uses to attack hosts. However, you can modify the contents of the OPACL during task creation and after task deployment.

OPACL Expiration

The OPACL stops blocking or logging traffic under the following circumstances:

The OPACL end date is reached.

For manual tasks, configure the end date on the Specify Outbreak Management Task window.

For automatic tasks, configure the end date on the Automatic Outbreak Management Task window. The default is 4 hours.

You click Remove OPACL on the Outbreak Management Task Summary window, which ends the task and the associated OPACL.

You click Stop next to OPACL Mode on the summary window for an active outbreak management task. Stopping the OPACL does not stop the task.

Cisco ICS deploys the OPSig for the threat. Although Cisco ICS deploys OPSigs to IPS devices only, the OPACLs for the same threat on switches and routers also stop when Cisco ICS deploys the OPSig.

Verifying OPACL Deployment

If at least one outbreak management task is active and the registered devices received the required OPACL, a green check mark appears in the OPACL Status column on the Device List window.

Pre-ACLs

This section describes Pre-ACLs and contains the following topics:

About Pre-ACLs

Access Control List Precedence

About Pre-ACLs

A Pre-ACL is an optional ACL that takes precedence over an OPACL and any other ACL that already exists on a device. You can deploy a Pre-ACL for each router interface and each switch interface or VLAN to instruct the devices to block or allow traffic not already addressed in an OPACL or existing ACL.

The status of outbreak management tasks and associated OPACLs does not prevent Pre-ACL deployment.

Access Control List Precedence

ACLs on devices that Cisco ICS manages have the following order of priority:

1. Pre-ACL

2. OPACL

3. Other ACL
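
The precedence order above matters because Cisco IOS evaluates ACL entries top-down and stops at the first match, so a Pre-ACL permit is reached before an OPACL deny. The following sketch is an added example, not Cisco ICS code: it models the three lists as one ordered rule set (an assumption about how the precedence is realized) and reports OPACL blocks that a Pre-ACL permit overrides. The `Rule` type and all sample rules are constructed for illustration.

```python
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp", or "ip" (matches any protocol)
    low: int     # first destination port matched
    high: int    # last destination port matched


def matches(rule: Rule, proto: str, port: int) -> bool:
    return rule.proto in (proto, "ip") and rule.low <= port <= rule.high


def effective_acl(pre_acl, opacl, other) -> List[Tuple[str, Rule]]:
    """Order the rules by the documented priority: Pre-ACL, OPACL, other ACL."""
    return ([("Pre-ACL", r) for r in pre_acl]
            + [("OPACL", r) for r in opacl]
            + [("Other ACL", r) for r in other])


def decide(acl, proto: str, port: int) -> Tuple[str, str]:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for source, rule in acl:
        if matches(rule, proto, port):
            return rule.action, source
    return "deny", "implicit deny"


def shadowed_blocks(pre_acl, opacl) -> List[Tuple[str, int, int]]:
    """Port ranges the OPACL denies but a Pre-ACL permit admits first."""
    acl = effective_acl(pre_acl, opacl, [])
    holes = []
    for rule in opacl:
        if rule.action != "deny":
            continue
        protos = ["tcp", "udp"] if rule.proto == "ip" else [rule.proto]
        for proto in protos:
            start = None
            # Walk one port past the range so an open hole is always closed.
            for port in range(rule.low, rule.high + 2):
                permitted = (port <= rule.high
                             and decide(acl, proto, port) == ("permit", "Pre-ACL"))
                if permitted and start is None:
                    start = port
                elif not permitted and start is not None:
                    holes.append((proto, start, port - 1))
                    start = None
    return holes


# Constructed sample: a Pre-ACL that permits TCP 8080, an OPACL that blocks
# port 21 and ports 81-65535, and an existing ACL that permits everything.
PRE_ACL = [Rule("permit", "tcp", 8080, 8080)]
OPACL = [Rule("deny", "tcp", 21, 21), Rule("deny", "tcp", 81, 65535)]
OTHER = [Rule("permit", "ip", 0, 65535)]

if __name__ == "__main__":
    acl = effective_acl(PRE_ACL, OPACL, OTHER)
    for proto, port in [("tcp", 21), ("tcp", 80), ("tcp", 8080)]:
        print(proto, port, decide(acl, proto, port))
    print("Pre-ACL overrides OPACL block on:", shadowed_blocks(PRE_ACL, OPACL))
```

Running the audit before deploying a Pre-ACL shows whether any of its permit entries reopen a port that an active OPACL is meant to block.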

About Outbreak Prevention Signatures

An OPSig is a file that helps IPS devices identify unique patterns of bits and bytes that signal the presence of a network virus or other threat.

Once deployed, OPSigs continue to help IPS devices scan traffic for network-based threats. Unlike the OPACL, the OPSig never expires. However, an OPSig becomes out-of-date when Trend Micro releases a newer version that addresses new threats and existing threats with improved accuracy.


Tip Trend Micro typically updates OPSigs daily and more frequently during virus outbreaks. To keep your antivirus protection current, set schedules for automated OPSig download and deployment.


This section describes how to download and deploy OPSigs and how to verify the deployment. It contains the following topics:

Downloading and Deploying OPSigs

Verifying OPSig Deployment

Downloading and Deploying OPSigs

Download OPSigs manually or by schedule. By default, the OPSig download schedule is enabled and polls the update source every 12 hours. However, if one or more outbreak management tasks are active and Cisco ICS has not yet deployed the required OPSig, downloads follow the OPACL download schedule. For more information, see Scheduled Download Behavior, page 5-3.

Deploy OPSigs manually from the Device List window or use Automatic Download, which is enabled by default and downloads OPSigs under the following circumstances:

An updated component is downloaded.

A new device is added.

The status of any device changes to online.

Verifying OPSig Deployment

After registered IPS devices receive the required OPSig, the version number of the file appears in the OPSig Status column on the Device List window.

Creating a New Manual Outbreak Management Task

To immediately protect your network from an existing threat, you should create a new manual outbreak management task.

To create a manual outbreak management task, follow these steps:


Step 1 Start the Cisco ICS web console.

The Outbreak Management Summary window appears.

Step 2 Choose Outbreak Management > Outbreak Settings > OPACL Settings.

Step 3 Under OPACL Mode, choose one of the following:

Blocking mode—Instructs devices to block certain types of traffic and ports and create log entries if blocking occurs.

Logging mode—Instructs IPS devices to create log entries if network packets match the OPACL policy. Note that the devices do not block any traffic.


Note Logging mode applies to IPS devices only. You cannot change the OPACL mode if one or more outbreak management tasks are active.


Step 4 Click Save.

Step 5 Choose Outbreak Management > New Outbreak Management Task.

Step 6 Select a known threat to start monitoring on the network. Only one threat for each task is allowed.

Step 7 Click Next.

The Edit Outbreak Management Task window appears.

Step 8 Configure the following:

Task name—By default, the task name is the name of the threat and the word Task, for example, WORM_BAGLE.AT Task. You cannot modify the name when the task is active.

OPACL end date—The date and time that the OPACL settings should cease to be in effect.

OPACL Configuration—The type of network traffic and ports to block. Select the default policy, or customize the policy by configuring the settings of your choice. To block or log multiple ports, include a dash or semicolon. For example, enter 21;81-65535 to block port 21 and all ports between 81 and 65535, inclusive.

If a port is on the exception list, you cannot add it to the OPACL for a new manual outbreak management task. You must first remove it from the exception list. For more information, see Configuring the Exception List.


Caution The default OPACL settings adequately address the associated threat. If customization is necessary, make the OPACL blocking settings stricter. If you make them less strict, you could expose your network to network-based threats.

Step 9 Click View ACL Configuration to see the rules defined in the OPACL as they appear in Cisco ACL format.

Step 10 Verify that the OPACL configuration is correct. If it is incorrect, do the following:

a. On the Edit Outbreak Management Task window under OPACL configuration, click Custom policy.

b. Modify the OPACL configuration.

c. Click View ACL Configuration again to verify that the OPACL rules are correct. If they are incorrect, modify them under OPACL configuration.

Step 11 Click Next.

Step 12 Select the devices to which to apply the OPACL.

Step 13 Click Finish.

Cisco ICS puts the new outbreak management task into effect immediately.

Step 14 Click Back to go to the summary window for the new task.


Automating Outbreak Management

To relieve administrators of creating new outbreak management tasks, you can automate the creation of tasks. Cisco ICS deploys automatic tasks when a new OPACL becomes available on the update source.

To automate outbreak management, follow these steps:


Step 1 Choose Outbreak Management > Outbreak Settings > OPACL Settings.

Step 2 Under OPACL Mode, choose one of the following:

Blocking mode—Instructs devices to block certain types of traffic and ports and create log entries if blocking occurs.

Logging mode—Instructs IPS devices to create log entries if network packets match the OPACL policy. Note that the devices do not block any traffic.


Note Logging mode applies to IPS devices only. You cannot change the OPACL mode if one or more outbreak management tasks are active.


Step 3 Click Save.

Step 4 Choose Outbreak Management > Outbreak Management Task Summary.

Step 5 Do one of the following:

Click one of the following under Automatic Outbreak Management Task (both links go to the same window):

Automatic Red Alert Outbreak Management Tasks

Automatic Yellow Alert Outbreak Management Tasks

Click Outbreak Management > Automatic Outbreak Management Task.

The Automatic Outbreak Management Task window appears.

Step 6 Choose one or both of the following options:

Automatically stop the OPACL when Cisco ICS deploys the OPSig to online IPS devices

Automatically overwrite the OPACL after Cisco ICS downloads a new OPACL

Step 7 Configure OPACL settings:

a. Click the OPACL Settings tab (shown by default).

b. Choose one or both of the following:

Enable automatic Red Alert Outbreak Management Task

Enable automatic Yellow Alert Outbreak Management Task

c. Next to End OPACL after: { } days, choose the number of days, hours, and minutes after which the OPACL expires.


Note The Automatically stop the OPACL when Cisco ICS deploys the OPSig to IPS devices selection overrides the number of days you choose from the list.


Step 8 Select the mitigation devices to which Cisco ICS applies the OPACL:

a. Click the OPACL Mitigation Devices tab.

b. From the Specify Mitigation Devices for OPACL table, click one of the following:

All devices—Click to apply the OPACL to all devices registered to Cisco ICS.

Specific devices—Click to apply the OPACL to only certain devices registered to Cisco ICS. Check the check boxes next to the devices.

Step 9 Click Save.


Note The automatic task becomes active when Cisco ICS receives a new OPACL. You must enable Scheduled Download to ensure that Cisco ICS regularly receives updated OPACLs.



Configuring the Exception List

Configure the OPACL exception list to exclude specified ports from OPACL blocking settings. The exception list applies to all OPACLs used in active outbreak management tasks, regardless of the OPACL mode (Blocking or Logging).

If a port is on the exception list, you cannot add it to the OPACL for a new manual outbreak management task. You must first remove it from the exception list. For more information, see Creating a New Manual Outbreak Management Task.

To configure the exception list, follow these steps:


Step 1 Choose Outbreak Settings > Exception List.

Step 2 Configure one or more of the following options:

Under Commonly Used Ports, select the ports to exclude from OPACL blocking. Check the check box at the top to select all commonly used ports.

Under Specified Port Range, select TCP, UDP, or both and enter the port numbers in the corresponding text boxes. For multiple ports, include a dash or semicolon. For example, enter 21;81-65535 to block port 21 and all ports between 81 and 65535, inclusive.

Select Internet Control Messaging Protocol to allow all ICMP traffic.

Step 3 Click Save.


Viewing the Network Viruses in a Policy

Each OPACL contains pattern files to detect a large number of threats. If you want to know whether or not the OPACL on the Cisco ICS server is addressing a certain threat that you have in mind, you can view a list of all threats in the Network Viruses in Policy window.

To view the network viruses in a policy, follow these steps:


Step 1 Do one of the following:

Start the Cisco ICS web console. The Outbreak Management Summary window appears.

Choose Outbreak Management > Outbreak Management Summary.

Step 2 In the OPACL table, click Network viruses in policy. The Network Viruses in Policy window appears, showing the following information:

Threat Name—The official name of the threat. Click the threat name to open the Trend Micro Virus Encyclopedia, which contains detailed information about the threat.

Last Updated—The date the threat information was last updated.

Alert Type—An indication of the prevalence of the threat.

Red Alert—An indication that the threat is widespread.

Yellow Alert—An indication that the threat was detected but is not widespread.

Risk—An indication of the amount of damage the threat can create. For more information, see About Risk Ratings, page 1-6.

Req'd OPACL—The version number of the OPACL required to protect the network from the threat.

Req'd OPSig—The version number of the OPSig required for IPS devices to detect and block the threat.

Policy—A link to a summary of what the OPACL is doing to address a given threat. For example, a summary that reports TCP Port =8181 means the OPACL instructs devices to block TCP port 8181.


Note The table shows only ten threats per page. To view additional pages, click the advance arrow.


Step 3 Click Back to return to the Outbreak Management Summary window.


Viewing a Summary of All Outbreak Management Tasks

Use the Outbreak Management Summary window to view summaries of all active outbreak management tasks, create a new outbreak management task, set up new automatic outbreak management tasks for red and yellow alerts, and view details of the latest OPACL and OPSig files on the server.

To access the Outbreak Management Summary window, start the Cisco ICS web console. The Outbreak Management Summary window opens by default. If you are not in this window, choose Outbreak Management > Outbreak Management Summary.

The following appears in the Running Outbreak Management Tasks table:

Task name—An icon indicating whether the task is a yellow alert or red alert and the name of the task.

Hosts in watch list—The number of hosts on your network that are on the watch list because they are at risk from the threat associated with the task. Click the number to go to the Watch List window.

Initiated Date/Time—The date and time of day the outbreak management task became active.

OPACL End Date/Time—The date and time of day the OPACL associated with the task ends.

Action—One of the following appears:

Stop Running Task—Appears if the OPACL is not active. Click to stop the task.

Remove OPACL—Appears if the OPACL is active. Click to stop the task and remove the associated OPACL and Pre-ACL.

The following appear in the OPACL and OPSig tables:

Current version—The version numbers of the OPACL and OPSig files on the Cisco ICS server.

Last updated—The date of the last OPACL or OPSig update.

Network viruses in policy—The number of network viruses the current OPACL addresses. Click the number to view a list of the viruses on the Network Viruses in Policy window.

Number of devices—The number of registered IPS devices. Click the number to view the devices in the device tree.

Outdated devices—The number of IPS devices with an out-of-date OPSig. Click the number to view the devices in the device tree.

Viewing an Active OPACL

To verify that the OPACL is correct, you can view any OPACL associated with both an active outbreak management task and a specific router or switch to which the OPACL was applied.

To view an active OPACL, follow these steps:


Step 1 Choose Devices > Device List.

The device list tree appears.

Step 2 Click the device on which the OPACL resides.

Step 3 Verify that a green check mark appears in the OPACL Status column, signifying that the device has the required OPACL.

Step 4 Click Configure.

The configuration window for the device appears, with the Communication Settings tab displayed by default.

Step 5 Click the Interface Settings tab.

Step 6 In the interface settings table, click a link under Current ACL.

The OPACL appears in a read-only window.


Note You cannot modify an active OPACL from this window. For more information, see Modifying the OPACL.



Modifying Outbreak Management Task Options

The first step in modifying an existing outbreak management task is specifying task details and modifying OPACL settings. Details about the selected threat appear at the top of the window.

To modify an existing outbreak management task, follow these steps:


Step 1 Choose Outbreak Management > Outbreak Management Summary.

Step 2 Click the name of the task you want to modify.

The summary window for that task appears.

Step 3 Click View/Edit Outbreak Policy.

The Edit Outbreak Management Task window appears.

Step 4 The Specify Outbreak Management Task table contains the details of the task. Modify any of the following:

Task name—By default, the task name is the name of the threat and the word "Task," for example, WORM_BAGLE.AT Task. You cannot modify the name when the task is active.

OPACL end date—The date the OPACL settings should cease to be in effect. If necessary, modify the date by clicking the calendar icon and choose a start time in hours and minutes from the hh and mm lists.

OPACL Configuration—The traffic and ports the OPACL can block. Choose one of the following:

Default policy—Click to use the settings associated with the default OPACL for this threat.

Custom policy—Click to customize the OPACL settings. Check the check boxes to block any of the following types of traffic:

ICMP

TCP Port—Enter the TCP ports to block or log.

UDP Port—Enter the UDP ports to block or log.


Note To block or log multiple ports, include a dash or semicolon. For example, enter 21; 81-65535 to block port 21 and all ports between 81 and 65535, inclusive.

If a port is on the exception list, you cannot add it to the OPACL for a new manual outbreak management task. You must first remove it from the exception list. For more information, see Configuring the Exception List.


View ACL Configuration—Click to verify that the OPACL settings are correct. If they are incorrect, modify the OPACL settings on this window. You can modify the OPACL mode on the OPACL Settings window.

Step 5 Click Next to continue or click Cancel to stop and return to the Outbreak Management Summary window. The Specify Outbreak Management Task table contains the device tree. The following information appears in the table:

All devices—Click to apply the OPACL to all devices registered to Cisco ICS.

Specific devices—Click to apply the OPACL to only certain devices registered to Cisco ICS. Check the check boxes next to the devices.

Step 6 Click Finish to finish modifying the task. Cisco ICS updates the outbreak management task immediately.

Alternatively, click Cancel to stop creating a new task and return to the Outbreak Management Summary window.


Modifying the OPACL Mode

By default, devices block the traffic and ports specified in OPACLs. The other option is logging mode, which instructs IPS devices to allow the traffic to pass. Cisco ICS then creates Incident log entries when IPS devices detect traffic matching deployed OPACLs in active outbreak management tasks.


Note The OPACL mode applies to all outbreak management tasks. You can change between modes only when no outbreak management tasks are active.


To modify the OPACL mode, follow these steps:


Step 1 Choose Outbreak Management > Outbreak Global Settings > OPACL Settings.

Step 2 Choose one of the following:

Blocking mode—Instructs devices to block certain types of traffic and ports and create log entries if blocking occurs.

Logging mode—Instructs IPS devices to create log entries if network packets match the OPACL policy. Note that the devices do not block any traffic.

Step 3 Click Save.


Stopping an Outbreak Management Task

If the threat that a task is addressing no longer poses a risk to the network, you can stop the task, which also stops the associated OPACL and Pre-ACL. The advantage of stopping the task before its expiration is that the network can regain use of the traffic and ports the OPACL is blocking.


Note Do not confuse stopping an outbreak management task with stopping an OPACL. For more information, see Stopping an OPACL.


To stop an outbreak management task, follow these steps:


Step 1 Do one of the following:

Start the Cisco ICS web console.

The Outbreak Management Summary window appears.

Choose Outbreak Management > Outbreak Management Summary.

Step 2 Do one of the following:

In the Running Outbreak Management Tasks table, find the task to end and click Stop. A confirmation message appears.

In the Running Outbreak Management Tasks table, do the following:

a. Click the name of the task. The summary window for that task appears.

b. Click one of the following:

Stop Running Task—This appears if the OPACL is not active. Click to stop the task.

Remove OPACL—This appears if the OPACL is active. Click to stop the task and remove the associated OPACL and Pre-ACL.

A confirmation message appears.

Step 3 Click OK. Cisco ICS notifies you that it ended the task.

Step 4 Click Back to return to the Outbreak Management Summary window.

Step 5 Verify that the task no longer appears in the Running Outbreak Management Tasks table.


Stopping an OPACL

If the threat that a task addresses no longer poses a risk to the network, you can stop the OPACL associated with a task without stopping the task itself. Stopping the OPACL also stops the Pre-ACL. The advantage of stopping the OPACL before it expires without stopping the task is that the network can regain use of the traffic and ports that the OPACL is blocking but Cisco ICS can still monitor hosts on the watch list for the task.

If you did not check the Automatically stop the OPACL when Cisco ICS deploys the OPSig to online IPS devices check box for automatic tasks, Cisco ICS does not stop the OPACL. The OPACL continues blocking or logging until it reaches the end time, which is 4 hours by default.


Note Do not confuse stopping an outbreak management task with stopping an OPACL. For more information, see Stopping an Outbreak Management Task.


To stop an OPACL, follow these steps:


Step 1 Do one of the following:

Start the Cisco ICS web console. The Outbreak Management Summary window appears.

Choose Outbreak Management > Outbreak Management Summary.

Step 2 In the Running Outbreak Management Tasks table, click the name of a task which is using the OPACL that you want to stop. The summary window for the task appears.

Step 3 Next to OPACL mode, click Stop. A confirmation message appears.

Step 4 Click OK. Cisco ICS notifies you that it stopped the task.

Step 5 Click Back to return to the summary window for the task.

Step 6 Verify that Stopped appears next to OPACL mode.


Modifying Switch and Router Pre-ACLs

While outbreak management tasks are active, you can modify the Pre-ACL directly if necessary. For more information, see About Outbreak Policy ACLs and Pre-ACLs.

To modify switch and router pre-ACLs, follow these steps:


Step 1 Choose Devices > Device List.

Step 2 Click a switch or router in the device list.

Step 3 Click Configure.

The configuration window for the device appears, with the Communications Settings tab displayed by default.

Step 4 Click the Interface Settings tab or the VLAN Settings tab for a switch with configured VLANs.

Step 5 Click the link in the Pre-ACL for an interface.

The editing window for that ACL appears. If the Pre-ACL was already configured, the configuration settings appear in the text field.

Step 6 Modify the Pre-ACL as needed. The Pre-ACL must contain a valid Cisco IOS syntax command or series of commands.

Step 7 Click Save.

Step 8 Click Close.

Step 9 Click Deploy to Network Devices to redeploy the Pre-ACL.

Step 10 To view the current ACL applied to an interface, click the link under Current ACL. If outbreak management tasks are active, the current ACL includes the Pre-ACL, the OPACL, and any other ACL already on the device.


Note To modify the VLAN map name for a switch, connect directly to the switch through a console or Telnet connection. You cannot modify the VLAN map name through the web console.





Posted: Fri Apr 7 09:32:26 PDT 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.