topic Re: Firepower, IPS Rule Update frequency for internal FTD firewall in Network Security

Firepower, IPS Rule Update frequency for internal FTD firewall

ejans — Fri, 21 Feb 2020 16:29:13 GMT

Hi,

I'm working with a new FTD HA-setup (Firepower 21x0) that will replace an old ASA-pair. We plan on running the latest 6.2.3.x-patch.

The FTD will handle internal traffic only (another FTD HA pair is handling Internet/WAN-traffic). However, the FTD will handle traffic for a 24/7 live production network with time-critical sensitive applications/protocols.

I have a big question in my mind as to how to best handle IPS Rule Updates that cause SNORT Service Interruptions in this environment. The customer wants to have IPS active to gain visibility, but they do not want the SNORT service interruptions for sensitive flows.

I believe I can work-around this problem by preparing Fastpath Pre-filter rules that can be enabled before the customer wants to do a manual Rule Update. This way critical traffic could be manually excluded from the SNORT Service Interruption (I've also looked at "snort preserve-connection" as an option but this only preserves existing flows, not new ones).

My question bottles down to how often we would recommend installing Rule Updates in an environment such as this. As the Rule Update will be a manual procedure I expect the customer does not want to do it every day/every week.

Considering this FTD will only handle internal traffic, how often would be best practise to do a manual Rule Update?

Would the customer miss out on a lot of features if they only did it once a month? Once a quarter?

Thanks,

Regards,

Erik

Re: Firepower, IPS Rule Update frequency for internal FTD firewall

fatalXerror — Mon, 19 Nov 2018 17:12:45 GMT

Hi @ejans,

Nice question you have there.

Nothing we can do since it is the behavior of the SNORT process when deploying the policy with the updated intrusion rules but I would recommend to pick a day every week which you think it has a less transactions happening (e.g. weekend night).

Thanks

Re: Firepower, IPS Rule Update frequency for internal FTD firewall

ejans — Mon, 19 Nov 2018 17:42:04 GMT

Hi,

Thanks for your reply.

I think I was a bit unclear. This is an always-on (24 hours/7 days a week) production environment with large industrial appliances. No interruption is allowed at all. As I mentioned I think I have a "sort of" manual workaround that would be run regularly. I just wonder how often this environment would get a value out of Rule Updates (also considering it's an internal firewall).

Thanks,
Regards
Erik

Re: Firepower, IPS Rule Update frequency for internal FTD firewall

fatalXerror — Mon, 19 Nov 2018 19:13:31 GMT

Hi @ejans,

Question, in terms of the IPS capability do you need to monitor it only or you also need proactively drop the traffic once intrusion is detected?

Thanks

Re: Firepower, IPS Rule Update frequency for internal FTD firewall

ejans — Mon, 26 Nov 2018 09:24:06 GMT

Hi fatalXerror,

Thanks for your attention.

In the beginning we are going to monitor-only, but in the long run the customer wants to drop-inline. I'm starting with an intrusion policy with "Drop when Inline" un-checked.

//Erik