Detecting Malware and Suspicious activity

dan hale
Level 3

Hi All, I have a 2120 running in FTD mode with the IPS and AMP licenses and an FMC, all on version 6.2. I set up the IPS and AMP (file policy) based on the configuration guide.

On my Access Control Policy I do have both the file policy and IDS checked to inspect when internal traffic goes out to the internet.
There are some weird connection events that lead me to believe some internal hosts may be compromised when I look in the connection events... some computers talking to other countries that they should not.

Besides setting up Geofencing to deny internal traffic to those countries is there a better report I can run besides looking at the connection events?
Thanks,

Dan.
3 Replies

yogdhanu
Cisco Employee

Hi

You can also enable security intelligence (both URL and IP) and make sure the default blacklist categories are blocked. That also does the trick sometimes.

Hope it helps,

Yogesh

Thanks Yogesh I already have SI enabled.
Thanks,

Dan

If you have access to Cisco Live, check out "A Deep Dive into using the Firepower Manager - BRKSEC-2058".
Very helpful tips on how to manage Firepower.

br, Mikael