Acp and intrusion prevention policy

lorenzonerimail
Level 1

Hello to everyone,

What about applying an Access Control Policy with some rules and an Intrusion Prevention Policy in an architecture where the IPS is deployed in passive mode with a mirror port?

Is it advisable?

Thank you in advance.

lore


3 Replies

Pujita Patni
Cisco Employee

Hello Lore, 

IPS deployment in passive mode is quite common, but it has its own deployment limitations (discussed below).

Usually, in a passive IPS deployment, the Firepower System monitors traffic flowing across a network using a switch SPAN or mirror port. The SPAN or mirror port allows traffic to be copied from other ports on the switch. This provides the system visibility within the network without being in the flow of network traffic.

Please keep in mind that when configured in a passive deployment, the system cannot take certain actions such as blocking or shaping traffic. Passive interfaces receive all traffic unconditionally, and no traffic received on these interfaces is retransmitted.

Here is some more info and configuration:

Cisco.com Guide: http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v60_chapter_01011010.html#ID-2238-00000016

Cisco Validated Design: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-secure-data-center-portfolio/sdc_ngips_ig.pdf

Thanks,

Pujita

Rate if it helps!

Hello Pujita,

Thank you for your response.

I meant whether it makes sense to do some ACP and IPP in a passive deployment (for a future move to inline mode).

Regards,

Lore

No, since it can't act upon it. I have inline fail-open across 200 sensors, with all kinds of mixes of hardware and VM, ASA, and ISR, and no issues. I use the Security over Connectivity base policy. I employ Security Intel of all kinds.

It's time to move to inline... passive these days, I won't recommend it.
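The passive-versus-inline distinction discussed in this thread, as an added example that is not from the original posts or from Cisco: a small Python model of how the same access control and intrusion policy yields only "would have dropped" telemetry on a passive (SPAN/mirror) sensor, while the identical policy produces real drops once the sensor is inline, which is the tuning value Lore asked about. The rule actions, the inline-result strings and the signature table are simplified, hypothetical stand-ins for Firepower's, not its real data model.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str             # "block", "trust", or "allow" (allow hands the flow to the intrusion policy)
    dport: int = 0          # 0 matches any destination port
    ips_drop: bool = False  # allow rules only: intrusion rules set to "drop and generate" vs "generate"

# Constructed, hypothetical payload markers standing in for intrusion signatures (not real Snort SIDs).
SIGNATURES = {b"EVIL-MARKER": "HYPOTHETICAL-SIG-1"}

def evaluate(flow, rules, inline):
    """Event the sensor logs for `flow`: policy verdict ('intended') versus the packet's real fate ('actual')."""
    rule = next((r for r in rules if r.dport in (0, flow.dport)), None)
    ev = {"rule": rule.name if rule else "default-action", "intended": "forward",
          "ips_event": None, "inline_result": None, "actual": None}
    if rule and rule.action == "block":
        ev["intended"] = "drop"
    elif rule and rule.action == "allow":             # "trust" skips inspection entirely
        sig = next((s for m, s in SIGNATURES.items() if m in flow.payload), None)
        if sig:
            ev["ips_event"] = sig
            ev["intended"] = "drop" if rule.ips_drop else "forward"
    if inline:                                        # in the path: the verdict decides the packet's fate
        ev["actual"] = ev["intended"]
        ev["inline_result"] = "Dropped" if ev["intended"] == "drop" else None
    else:                                             # passive SPAN/mirror: a copy is inspected, nothing retransmitted
        ev["actual"] = "not retransmitted"
        ev["inline_result"] = "Would have dropped" if ev["intended"] == "drop" else None
    return ev

def staging_report(flows, rules):
    """What a passive sensor tells you before going inline: would-be drops per rule, for tuning."""
    events = [evaluate(f, rules, inline=False) for f in flows]
    return Counter(e["rule"] for e in events if e["inline_result"] == "Would have dropped")

# Constructed sample policy and traffic (first matching rule wins, as in an ACP).
RULES = [AccessRule("block-telnet", "block", dport=23), AccessRule("trust-backup", "trust", dport=10000),
         AccessRule("inspect-web", "allow", dport=80, ips_drop=True), AccessRule("inspect-rest", "allow")]
FLOWS = [Flow(23), Flow(80, b"GET / EVIL-MARKER"), Flow(10000, b"EVIL-MARKER"),
         Flow(443, b"EVIL-MARKER"), Flow(80, b"GET /index.html")]
```

Running `staging_report(FLOWS, RULES)` on the sample gives one would-be drop each for `block-telnet` and `inspect-web`; the trusted backup flow and the generate-only rule never count, which is the sort of per-rule review worth doing before moving the sensor inline.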
