topic Re: FMC 6.2 Portscan alerting in Network Security

FMC 6.2 Portscan alerting

Brett Walters — Fri, 21 Feb 2020 15:01:26 GMT

This may be an obvious answer - as in a bad idea - but is there no way to have the FMC/FPwr sensors generate an email alert when being portscanned? The policy is working and dropping traffic as it should, and has been - but I can't find the proper item to enable to get it to email like it does for other malware events and email attacks.

And as a side note - shouldn't it drop traffic leaving the network like this? It definitely drops incoming port scans, but if you port scan out, it doesn't seem to care. Maybe a missed configuration - but if something internally decided to scan out, it would be good to block or know about it.

Re: FMC 6.2 Portscan alerting

mikael.lahtela — Wed, 27 Dec 2017 10:50:50 GMT

Hi,

Maybe you can create a correlation policy for that?
https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/correlation_policies.html

br, Micke

Re: FMC 6.2 Portscan alerting

Brett Walters — Tue, 09 Jan 2018 12:45:36 GMT

I will take a look - it just didn't make sense I can get alerts on a ton of other things, but not that.

Re: FMC 6.2 Portscan alerting

Steven Carnahan — Wed, 07 Feb 2018 23:28:33 GMT

I am also looking for this feature. It seems that it used to be available based on: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Detecting_Specific_Threats.html#ID-2236-0000021b

However when I try to follow the instructions I get to Policies/Intrusion and had to create the Network Analysis Policy. I only had the Initial inline policy listed.

After creating the Network Analysis Policy I tried to continue with the instructions. I don't see a Settings however I do see an Advanced Settings so I selected that. I do not see Portscan Detection under Specific Threat Detection. All I have is Sensitive Data Detection. I am stuck at this point.

Re: FMC 6.2 Portscan alerting

Brett Walters — Fri, 02 Mar 2018 15:18:21 GMT

I haven't forgotten this - just tied up with a huge Mobility Controller issue at the same site.

Re: FMC 6.2 Portscan alerting

Brett Walters — Thu, 15 Mar 2018 11:26:56 GMT

See attached. This is when I edit my Network Analysis Policy. Settings should be top left (you have to click on it to see the options), and Portscan Detection is down a bit.

Re: FMC 6.2 Portscan alerting

Steven Carnahan — Thu, 15 Mar 2018 16:13:20 GMT

capture.pngI apparently have a different view.

Re: FMC 6.2 Portscan alerting

Brett Walters — Thu, 15 Mar 2018 16:17:03 GMT

You are in the Intrusion Policy. Not the network analysis policy. 🙂

Policies > Access Control > Intrusion > Network Analysis Policy in the top right >Create or Edit that policy.

Re: FMC 6.2 Portscan alerting

Steven Carnahan — Thu, 15 Mar 2018 16:25:01 GMT

Well don't I feel foolish. I have a Network Analysis Policy listed under the Intrusion Policy. I suppose I should remove that one.

Re: FMC 6.2 Portscan alerting

Brett Walters — Thu, 15 Mar 2018 16:26:01 GMT

Heh, not at all. It's not like it is a simple or logical process flow to deploy FMC!

Re: FMC 6.2 Portscan alerting

Steven Carnahan — Fri, 30 Mar 2018 18:40:07 GMT

Well I was able to make the proper changes with your guidance however I have not yet seen any report so not sure if it worked yet.

Thank you

Re: FMC 6.2 Portscan alerting

Brett Walters — Fri, 30 Mar 2018 19:07:51 GMT

You should be able to see it in the events before waiting for a report, if you know a portscan is taking place.