topic Re: IPS traffic in Network Security

IPS traffic

Otvforte — Wed, 06 Aug 2025 12:29:18 GMT

Hello!

I've been trying to figure out the best approach for applying IPS inspection.

Suppose I don't have any internal services or servers exposed to the internet — meaning no port forwarding from Outside to DMZ or Outside to Inside. In that case, does it still make sense to enable IPS on zones like Any/Any, or should I stick with Inside-to-Outside inspection only?

The only exception would be the VPN service, which would still be reachable from the internet.

Thank you,

Re: IPS traffic

MHM Cisco World — Wed, 06 Aug 2025 13:05:16 GMT

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222704-configure-fdm-interfaces-in-inline-pair.html <<- check this maybe it answer your Q

MHM

Re: IPS traffic

Otvforte — Wed, 06 Aug 2025 13:06:07 GMT

Just answering my own question.

If I don't have internal services or servers published on the internet, then I don't have any rules in the Outside-to-Inside or Outside-to-DMZ direction. So the question doesn't really make sense — there's not even a rule where IPS could be enabled.

Re: IPS traffic

MHM Cisco World — Wed, 06 Aug 2025 13:09:42 GMT

IPS can apply with ACP
or can apply as inline <<- here FTD is work as IPS only

MHM

Re: IPS traffic

Otvforte — Wed, 06 Aug 2025 13:13:24 GMT

Thank you! Can you help clarify another related question?

There are some IPS rules for services I don't have, for example, Apache, SQL Server, Oracle, and so on. Should I disable those rules?

Re: IPS traffic

Rob Ingram — Wed, 06 Aug 2025 13:32:11 GMT

@Otvforte it is recommended by cisco to disable rules written for vulnerabilities not found on hosts in your network, so if you are not using Apache, SQL Server, Oracle etc you'd not have a vulnerabilities and can disable those rules. You can use the cisco recommendations to tune the Snort rule set based on host data collected through passive discovery. The Recommendations feature uses this host database to determine which Snort rules apply to your environment.

https://secure.cisco.com/secure-firewall/v7.4/docs/intrusion-policy-73

Re: IPS traffic

Otvforte — Wed, 06 Aug 2025 13:39:33 GMT

I'm currently using FDM, so Network Discovery isn't available at the moment. However, I'll look into it if I get the opportunity in the future.

Thank you,

Re: IPS traffic

MHM Cisco World — Wed, 06 Aug 2025 14:04:24 GMT

Can i know where you see these options

Screenshots is perfect

MHM

Re: IPS traffic

Otvforte — Wed, 06 Aug 2025 14:53:37 GMT

Re: IPS traffic

MHM Cisco World — Wed, 06 Aug 2025 15:26:57 GMT

Dont change anything here
this cisco recommend action and you can not control what user use, so you dont know if user use SQL or not.

you can instead change the no. of rules by change the security level

MHM