topic Hi Jack, in Network Security

firepower IPS rules

jack samuel — Tue, 12 Mar 2019 12:58:17 GMT

Dears,

Please find the attached screenshot for an example, there are many rules disabled bydefault how I will know which I have to enable to avoid any attack on the network.

Thanks

Hi

yogdhanu — Mon, 11 Apr 2016 14:17:50 GMT

That depends on your network. There are too many signatures and Firesight recommendation can help you determine what to enable. It would work based on network discovery which will check the application and host used in your network based on which related rules can be enabled.

Further , you can have rules enabled in IDS mode (detect only) and see if events are generated and then decide if you want to block or no.

This will help.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-FireSIGHT-Recs.html

Dear yogdhanu,

jack samuel — Mon, 11 Apr 2016 15:59:49 GMT

Dear yogdhanu,

It would work based on network discovery which will check the application and host used in your network based on which related rules can be enabled.

as per your above statement this has to be enabled manually or firpower will automatically enabled.

Further , you can have rules enabled in IDS mode (detect only) and see if events are generated and then decide if you want to block or no.

the hacker will hack the system by this mode if the network administrator is not monitoring the connection logs

thanks

Dears,

jack samuel — Mon, 18 Apr 2016 19:40:39 GMT

Dears,

what is the best practice for the IPS to be configured in SFR, i have used recommendation but day by day the recommendation are changing sometime it enable 3000 rules with drop and sometimes it enables 2000 rules with drop.

I am confuse how i can configure that.

thanks

Hi,

ankojha — Wed, 04 May 2016 17:54:02 GMT

Hi,

You should enable the default base policy as "balanced security and connectivity" with firesight recommendations enabled.

The rules change dynamically depending on your network host profiles as it takes in to account traffic patterns and other changes and thus change the rule state of some rules

time to time to avoid illegitimate traffic.

In case by the rule changes, your legitimate traffic is getting dropped you can always open a tac case and provide pcaps of the traffic to us for further investigation.

Thanks,

Ankita

Dears,

jack samuel — Fri, 06 May 2016 19:53:53 GMT

Dears,

The rules change dynamically depending on your network host profiles as it takes in to account traffic patterns and other changes and thus change the rule state of some rules

so time to time I have to always use recommendation and check whether the rule are changing , I think definitely the rules should be changed becz the traffic pattern will change.

In case by the rule changes, your legitimate traffic is getting dropped you can always open a tac case and provide pcaps of the traffic to us for further investigation.

how can I trace faster which traffic is getting drop till the TAC joins the webex becz I have a critical network with 99.99% uptime.

thanks

Hi

yogdhanu — Fri, 06 May 2016 20:39:48 GMT

To check which traffic drops , you can rely on intrusion events. There you would see if there is any traffic dropped and if required , you can disable the rule and open TAC case to investigate that if its really false positive

Dear Yogdhanu,

jack samuel — Fri, 06 May 2016 21:27:28 GMT

Dear Yogdhanu,

Thanks for the reply.

The Base policy I have selected is security over connectivity which is more secure than the Balanced security and connectivity please correct me if I m wrong.

thanks

Hi Jack,

yogdhanu — Sat, 07 May 2016 05:36:25 GMT

Hi Jack,

Yes its more secure but I would suggest to make sure there are not too many rules enabled in there as that could impact performance. All the testing on firepower appliance is done using the balance security and connectivity policy. So using security over connectivity does increase the load on system.

But as long as the traffic is not oversubscribing the device it should be ok.

Thanks for the reply

jack samuel — Sat, 07 May 2016 06:33:32 GMT

Thanks for the reply

Yes if it is not affecting the load so I will keep security over connectivity, but incase in future if it impact I will definitely change,

I have created a separate inline policy by copying the existing one and apart from that I have used recommendation to enable rule I am not sure that this is enough,

can you guide what else to be configured in the IPS as a best practice from cisco.

Please find the attached rule update if I m not wrong it will update the rule automatically @1200 and reapply the policies. I don't have to download them manually is that configuration correct.

thanks

Yes , once you select

yogdhanu — Sat, 07 May 2016 09:22:31 GMT

Yes , once you select recurring rule update and apply policies , you don't need to do it manually.

You can enable network discovery and then run the firesight recommendation in IPS policy which would suggest to enable rules based on the hosts,OS ,protocols being used in your network.

Check this out from user guide.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-FireSIGHT-Recs.html#62364

Dear yogdhanu,

jack samuel — Sat, 07 May 2016 19:54:03 GMT

Dear yogdhanu,

You can enable network discovery and then run the firesight recommendation in IPS policy which would suggest to enable rules based on the hosts,OS ,protocols being used in your network.

yes I have done the above anything apart from that to make more professional for IPS configuration.

Do IPS inspect the HTTPS/SSL traffic for any intrusion prevention ??

thanks

Hi Jack,

tsangsl011 — Thu, 06 Jul 2017 06:09:36 GMT

Hi Jack,

Hope you can receive my msg and question, My FireSight are using default base policy " Balanced Security and connectivity.

But i am thinking to create a separate IPS Policy by copying the existing one.

Because the the existing one will be automatically updated from the support site from recurring rule update.

Can you share more information by using separated custom policy? After copying and applying, it should not affected by auto update?

Thanks

Re: firepower IPS rules - new April 2019 Cisco recommendation...

toddlammle — Sun, 28 Apr 2019 21:26:19 GMT

Please read this important update so you understand what cisco updates, and what you should do on your firepower IPS system

https://www.lammle.com/post/which-ips-rules-does-cisco-enable-on-your-firepower-system-think-you-know-youre-probably-wrong/