pxGrid with FirePower IPS

rsharp001
Level 1

I have a FirePower 8k series appliance that is tied together with ISE pxGrid.  Currently, the FP is set up with 2 ports inline on the outside of the firewall (ASA).  I have a SPAN on the inside of the firewall that sends traffic to another port on the FP acting as an IDS.  Using passive identity with no SGTs.

I can see the identity info when traffic is seen inside, but once it goes out the firewall it is lost.  Is there a way to preserve that data, or should I plan to bring the IPS inside the firewall?

1 Accepted Solution

Accepted Solutions

Colby LeMaire
VIP Alumni

In general, you should place your IPS/IDS devices inside your firewall to reduce the number of false positives.  Let your firewall weed out most of the bogus traffic and then your IPS can focus on stuff that actually made it through the firewall.  If you are concerned about the firewall load, you can also place a filtering router outside of the firewall to do the initial filtering of bogus traffic.  Those are best practices.  If you want to leave the IPS on the outside, I am not sure how you can preserve the information unless you also integrate the ASA using pxGrid.  I assume you are doing NAT on the firewall which is why the information is lost.

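The mechanism behind the accepted answer, as an added illustration that is not part of the original thread: passive identity learned through pxGrid is keyed on the endpoint's real (pre-NAT) address, so a sensor on the inside SPAN matches a flow to a user, while the same flow seen outside the firewall carries the translated source address and matches nothing. The script also shows that the lookup only works again if the sensor has the translation state that the NAT device holds, which is why integrating the firewall itself is the suggested fix. All addresses, usernames and translation entries below are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# --- Constructed sample data (not from the thread) -------------------------

# Passive identity mappings as a sensor receives them from ISE via pxGrid:
# the endpoint's real, pre-NAT address -> user.
SESSION_DIRECTORY: Dict[str, str] = {
    "10.1.20.15": "alice",
    "10.1.20.16": "bob",
}

# Hypothetical firewall PAT translation table:
# (inside_ip, inside_port) -> (outside_ip, outside_port).
# Both hosts share one public address, so an outside sensor sees only
# 198.51.100.1 as the source of either host's traffic.
XLATE: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("10.1.20.15", 51000): ("198.51.100.1", 40001),
    ("10.1.20.16", 51001): ("198.51.100.1", 40002),
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def identity_for_flow(flow: Flow, sessions: Dict[str, str]) -> Optional[str]:
    """What a passive-identity sensor does: key the user lookup on source IP."""
    return sessions.get(flow.src_ip)


def apply_pat(flow: Flow, xlate: Dict[Tuple[str, int], Tuple[str, int]]) -> Flow:
    """Rewrite the source address/port the way the firewall does on egress."""
    out_ip, out_port = xlate[(flow.src_ip, flow.src_port)]
    return Flow(out_ip, out_port, flow.dst_ip, flow.dst_port)


def recover_identity(outside_flow: Flow,
                     xlate: Dict[Tuple[str, int], Tuple[str, int]],
                     sessions: Dict[str, str]) -> Optional[str]:
    """Undo the translation with the firewall's own table, then look up the user.

    An outside sensor does not have this table unless the device doing NAT
    shares it, which is the gap the accepted answer points at.
    """
    reverse = {outside: inside for inside, outside in xlate.items()}
    inside = reverse.get((outside_flow.src_ip, outside_flow.src_port))
    if inside is None:
        return None
    return sessions.get(inside[0])


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (inside match, outside match, outside match with NAT state)."""
    inside = Flow("10.1.20.15", 51000, "203.0.113.10", 443)
    outside = apply_pat(inside, XLATE)
    return (
        identity_for_flow(inside, SESSION_DIRECTORY),        # matched on the inside SPAN
        identity_for_flow(outside, SESSION_DIRECTORY),       # lost: public IP is not in the directory
        recover_identity(outside, XLATE, SESSION_DIRECTORY),  # restored once NAT state is known
    )


if __name__ == "__main__":
    print(demo())
```

The third value is the part a pxGrid-integrated firewall would supply; without it, moving the sensor inside the firewall (as the answer recommends) is the simpler way to keep the pre-NAT addresses in view.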

2 Replies

Thank you Colby.