Directional Impact 1 events - IPS tuning

evan.chadwick1
Level 1

Hi, 

When Firepower IPS picks up a bad attempt from the internet inbound it blocks it and sends an impact 1 event to my alerting. I typically do not need to action much for such blocked situations.

I'd like to set my alerting up for the other direction. My internal source tries to send back to a known bad destination or with a known bad signature and it gets blocked. I typically do want to run a scan on this host. 

Anyone have success to create alerts in this fashion?

I was thinking a correlation rule that defines internal sources and impact 1 events that also has a negative on the external interface.
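The correlation condition described in the post above (internal source, impact 1 event, negated external interface), modelled as plain detection logic over constructed sample events. This is an added example, not code from the thread or from Cisco FMC, and it does not use FMC's own correlation-rule syntax; the internal address ranges, the interface name "inside"/"outside" and the event fields are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions for the example: RFC 1918 space is "internal" and the
# internet-facing interface is named "outside". Both are site-specific.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXTERNAL_INTERFACE = "outside"


@dataclass(frozen=True)
class IpsEvent:
    """Minimal intrusion event record (constructed; not the FMC schema)."""
    src_ip: str
    dst_ip: str
    ingress_interface: str   # interface the packet arrived on
    impact: int              # FMC impact level, 1 = highest
    action: str              # "blocked" or "allowed"


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def needs_host_scan(ev: IpsEvent) -> bool:
    """The three conditions from the post, AND-ed together:
    impact 1, internal source address, and the packet did NOT enter on
    the external interface. The interface test is what separates an
    inside host reaching out from an inbound probe that happens to be
    spoofed or NATed to an internal-looking source."""
    return (ev.impact == 1
            and is_internal(ev.src_ip)
            and ev.ingress_interface != EXTERNAL_INTERFACE)


def hosts_to_scan(events):
    """De-duplicated, sorted list of internal hosts that tripped the rule."""
    return sorted({ev.src_ip for ev in events if needs_host_scan(ev)})


# Constructed sample events covering both directions and a lower impact.
SAMPLE_EVENTS = [
    # inbound probe, blocked: noisy but not actionable per the post
    IpsEvent("203.0.113.5", "10.1.1.20", "outside", 1, "blocked"),
    # inside host talking to a bad destination: scan the host
    IpsEvent("10.1.1.20", "198.51.100.7", "inside", 1, "blocked"),
    # outbound but only impact 2: below the rule's threshold
    IpsEvent("10.1.1.21", "198.51.100.8", "inside", 2, "blocked"),
    # lateral, internal-to-internal impact 1: still an internal source
    IpsEvent("10.1.1.22", "10.1.2.5", "inside", 1, "blocked"),
    # second inbound probe at the same victim: ignored
    IpsEvent("192.0.2.9", "10.1.1.20", "outside", 1, "blocked"),
    # same inside host again: collapsed into one scan
    IpsEvent("10.1.1.20", "198.51.100.9", "inside", 1, "blocked"),
]

if __name__ == "__main__":
    for host in hosts_to_scan(SAMPLE_EVENTS):
        print("scan candidate:", host)
```

Note that an internal-to-internal impact 1 event also matches, because the post's rule keys on the source being internal rather than on the destination being external; if lateral traffic should be a separate alert, add a destination check.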

3 Replies

Hi Evan,

I agree with you, a correlation rule can keep track of this; however, you need to set up the alerting and remediation rules.


Thanks

Please do not forget to rate.

Thanks for the reply.

Yeah, I just set the email alert from the Policy Mgmt tab (explaining in full for other people's benefit). I intend the scan to be done by the internal IT team, not FMC. I hadn't thought the FMC would be overly useful to do the scan.

Now to test the rule, I've tried:

1/ obtaining bad IP addresses from current events from Security Intelligence and browsing to them from an internal host (FMC just lets it go through with no issues = surprising)

2/ obtaining IP addresses from high impact 1 events from outside to inside. Browsing to these from an internal host also results in FMC letting it go through = surprising. A Zscaler proxy is in use on site, so I also do a telnet test, telnet x.x.x.x 443. I'll ask a person to disable the proxy and repeat this test.


Any other ideas for confirming the rule/alert works?

Alerting and remediation via correlation ?

I turned off all Alerting via the inbuilt alerting and only alert via Correlation.

Cisco have not allowed for the product to accommodate a high use of Guest Wi-Fi Networks that a client might want to 'protect' but NEVER hear anything about.
