topic Re: Intrusion Rules in Cisco FMC in Network Security

Intrusion Rules in Cisco FMC

NeWGuy1109 — Fri, 03 Jun 2022 19:09:21 GMT

I have configured around 300 rules in FMC.. a recent requirement is to apply an IPS Policy to all the rules..is there a way an Intrusion Policy can be applied all at once to an entire ACL ? its really inconvenient to edit 300 rules and apply an IPS Policy there.

Also, if i am not using inline mode does Intrusion Policy will act as an IDS only ? it wont drop any traffic ? in custom intrusion policy "drop when inline mode" is specific for inline modes only ?

Any help is appreciated

Re: Intrusion Rules in Cisco FMC

Mohammed al Baqari — Sat, 04 Jun 2022 02:45:19 GMT

Hi,

You can do this through FMC APIs. But from GUI that is not possible. You
can write your own API loop script to edit the setting.

**** please remember to rate useful posts

Re: Intrusion Rules in Cisco FMC

NeWGuy1109 — Sat, 04 Jun 2022 09:22:20 GMT

Thanks...any link i can refer for such scripts?

Re: Intrusion Rules in Cisco FMC

Mohammed al Baqari — Sat, 04 Jun 2022 10:49:19 GMT

Here you go

https://community.cisco.com/t5/network-security/python-scripts-to-create-and-delete-hosts-on-firepower-manager/td-p/4100224

https://community.cisco.com/t5/network-security/my-python-script-to-query-fmc-api-for-list-of-sensor-names-and/td-p/3737313

**** please remember to rate useful posts

Re: Intrusion Rules in Cisco FMC

NeWGuy1109 — Wed, 13 Jul 2022 09:49:34 GMT

If i do not select "Drop when Inline" will the IPS function as an IDS only regardless of rule actions ?

Re: Intrusion Rules in Cisco FMC

Marvin Rhoads — Wed, 13 Jul 2022 14:41:56 GMT

Just select all the rules in the ACP at once (select first one, hold down shift key and then select last one) and right click to edit. You may need to change your display rules per page (bottom right) so that you can see and select all of them at once.

Common tasks (such as IPS policy) will be selectable to change them.

FMC - edit multiple rules

Re: Intrusion Rules in Cisco FMC

NeWGuy1109 — Wed, 13 Jul 2022 15:39:15 GMT

Incredible !!! that was very helpful Marvin.

One more thing if you can please help out with.. if in IPS policy i have unchecked "Drop when Inline" will my policy act as an IDS ?

Re: Intrusion Rules in Cisco FMC

Marvin Rhoads — Wed, 13 Jul 2022 15:48:14 GMT

Deselecting "Drop when Inline" will indeed make the sensor function like what is sometimes referred to as an Intrusion Detection System (IDS) vs. an Intrusion Prevention System (IPS). I seldom see that used in practice though as it removes most of the utility of actually preventing intrusions.