topic If you want the same policy in Network Security

IPS Firepower recommendations

evan.chadwick1 — Tue, 12 Mar 2019 13:26:14 GMT

Hi,

If you have say 5 subnets of different traffic requirements

1/ corporate users

2/ payment equipment subnet

3/ dmz

4/ corporate wifi

5/ some other requirement

Would one get better IPS recommendations if you created 5 IPS policies and defined the scope within recommendations according to each of the 5 above? Or would the Firepower recommendations be just as accurate with one IPS policy and it trying to recommend for the entirety?

Similarly if you had a Datacentre Firepower and say 10 sites with Firepower would it be best to use a different IPS policy from the sites for the datacentre, with Recommendations defined just for the Datacentre ?

Firepower will generate the

Dennis Perto — Tue, 27 Jun 2017 21:52:13 GMT

Firepower will generate the recommendations based on the hosts discovered (host profiles) on all sensors.

If you have multiple domains (multi tenancy in v6.0+) within that FMC, each with an IPS sensor, you will se differences in the generated recommendations.

Edit: maybe I misunderstood the question. It is ofcause possible to limit the networks to base the recommendations on, but in my opinion this barely makes sense.

You will use a lot of memory on the sensor if you apply 5 different IPS policies - one for each network.

Got you.

evan.chadwick1 — Thu, 06 Jul 2017 03:59:09 GMT

Got you.

if you had a Datacentre Firepower and say 10 sites with Firepower would it be best to use a different IPS policies for the sites and a different policy for the datacentre, with host Recommendations defined just for the Datacentre hosts?

Or will FMC base the recommendations on all hosts seen for both datacentre and sites?

If you want the same policy

Dennis Perto — Wed, 12 Jul 2017 17:51:52 GMT

If you want the same policy on all 10 sites I recommend that you only make one IPS policy and make the recommendations based on all your subnets.