Configuring Sourcefire Access Rules

snowmizer
Level 1

I've got an ASA 5525-X with the SourceFire module that will be replacing a 5510. I've got the firewall ACLs from my existing ASA transferred to the new 5525-X, and now I'm working on the initial configuration of the Sourcefire module. I've watched a demo video on configuring access rules and read some documentation. In the video I watched, the person was controlling web access, etc., from the Sourcefire module. This seems to be the same thing I'm doing on the firewall side.

What I'm wondering is if it's a good idea to duplicate the rules that I've got on the firewall side to the Sourcefire module and have them both places?

Thanks.

2 Replies

Collin Clark
VIP Alumni

No it is not. Filter the traffic on the ASA and allow the permitted traffic to be inspected by Sourcefire.

So I've got a network discovery policy in place where the default action is "Default Network Discovery". I know that I need to block traffic coming into our network based on geolocation. I can configure a rule to do that. But if I'm understanding correctly, the default network discovery action will inspect all traffic as it comes into the ASA (provided I specify a service policy on the firewall side to redirect the traffic from all interfaces)? I would only need to configure a rule if I don't want to inspect traffic (e.g. traffic from our internal network to our DMZ) or if I want to do application or URL filtering?

In order to get the intrusion inspection however I need to configure a rule that will apply an intrusion policy to all traffic in my network discovery policy? I understand that I need to change the default variable set to match my network configuration for the IPS stuff to be effective.

From what I am understanding the security intelligence detection happens against the "Sourcefire Intelligence Feed" automatically as part of the network discovery policy?

Thanks.
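To make the "service policy on the firewall side" concrete, here is an added example of the ASA-side configuration that redirects traffic to the FirePOWER (sfr) module. It is not from this thread or from Cisco's documentation verbatim; the addressing (inside = 10.1.0.0/16, DMZ = 10.2.0.0/24) and the object names sfr_redirect and sfr_class are assumed for illustration. It excludes inside-to-DMZ flows from inspection, which is the case the question raises, and sends everything else to the module:

```text
! Added example: ASA service policy redirecting traffic to the FirePOWER (sfr) module.
! Assumed addressing: inside = 10.1.0.0/16, DMZ = 10.2.0.0/24.
!
! Flows matching a "deny" line in this ACL are NOT sent to the module.
! Everything matching "permit" is redirected for inspection.
access-list sfr_redirect extended deny ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.255.0
access-list sfr_redirect extended deny ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list sfr_redirect extended permit ip any any
!
class-map sfr_class
 match access-list sfr_redirect
!
! fail-open: if the module is down or unresponsive, matched traffic passes uninspected.
! Use "sfr fail-close" to drop that traffic instead. Add "monitor-only" to the sfr
! line to copy traffic to the module without letting it block anything (useful for
! an initial tuning period).
policy-map global_policy
 class sfr_class
  sfr fail-open
!
! global_policy is normally already applied globally on an ASA; stated here explicitly.
service-policy global_policy global
```

Two points worth checking once this is in place. First, the interface ACLs run before the redirect, so only traffic the ASA has already permitted reaches the module, which is the ordering Collin Clark describes above. Second, a service policy applied to a specific interface takes precedence over the global one for that interface, so if any interface has its own policy, the sfr class needs to be added there too. The access control policy itself (the default action, intrusion policy and variable set, Security Intelligence feed, URL and application rules) lives on the FirePOWER side and is not affected by this ASA configuration; the ASA only decides which flows the module sees and what happens when the module is unavailable.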
