cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1810
Views
0
Helpful
3
Replies

Acp and intrusion prevention policy

lorenzonerimail
Level 1
Level 1

Hello to everyone,

what about to apply an Access Control Policy with some rules and some Intrusion Prevention Policy in an architecture where the ips is deployed in passive mode with a mirror port?! 

Is it advisable?

thank you in advance

lore

2 Accepted Solutions

Accepted Solutions

Pujita Patni
Cisco Employee
Cisco Employee

Hello Lore, 

IPS deployment in passive mode is quite common but it has its own deployment limitations(discussed below).

Usually, In a passive IPS deployment, the Firepower System monitors traffic flowing across a network using a switch SPAN or mirror port. The SPAN or mirror port allows for traffic to be copied from other ports on the switch. This provides the system visibility within the network without being in the flow of network traffic.

Please keep in mind, when configured in a passive deployment, the system cannot take certain actions such as blocking or shaping traffic. Passive interfaces receive all traffic unconditionally, and no traffic received on these interfaces is retransmitted.

Here is some more info and configuration :

Cisco.com Guide :  http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v60_chapter_01011010.html#ID-2238-00000016

Cisco Validated Design : http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-secure-data-center-portfolio/sdc_ngips_ig.pdf

Thanks,

Pujita

Rate if it helps !

View solution in original post

No.  Since it can't act upon it.   I have Inline Fail-open across 200 sensors, with all kind of mix of hardware and VM, ASA, and ISR and no issues.  I use Security over Connectivity base policy. I employ Security Intel of all kinds.

Its time to move to Inline....passive in this days i wont recommend it

View solution in original post

3 Replies 3

Pujita Patni
Cisco Employee
Cisco Employee

Hello Lore, 

IPS deployment in passive mode is quite common but it has its own deployment limitations(discussed below).

Usually, In a passive IPS deployment, the Firepower System monitors traffic flowing across a network using a switch SPAN or mirror port. The SPAN or mirror port allows for traffic to be copied from other ports on the switch. This provides the system visibility within the network without being in the flow of network traffic.

Please keep in mind, when configured in a passive deployment, the system cannot take certain actions such as blocking or shaping traffic. Passive interfaces receive all traffic unconditionally, and no traffic received on these interfaces is retransmitted.

Here is some more info and configuration :

Cisco.com Guide :  http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v60_chapter_01011010.html#ID-2238-00000016

Cisco Validated Design : http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-secure-data-center-portfolio/sdc_ngips_ig.pdf

Thanks,

Pujita

Rate if it helps !

Hello Pujita,

Thank you for your response.

I meant if is make sense to do some ACP and IPP in a passive deployment (for a future put in Inline mode).

Regards,

Lore

No.  Since it can't act upon it.   I have Inline Fail-open across 200 sensors, with all kind of mix of hardware and VM, ASA, and ISR and no issues.  I use Security over Connectivity base policy. I employ Security Intel of all kinds.

Its time to move to Inline....passive in this days i wont recommend it

Review Cisco Networking for a $25 gift card