07-12-2016 05:34 AM - edited 03-12-2019 06:04 AM
Hello to everyone,
What about applying an Access Control Policy with some rules and an Intrusion Prevention Policy in an architecture where the IPS is deployed in passive mode with a mirror port?
Is it advisable?
Thank you in advance
lore
07-12-2016 09:22 AM
Hello Lore,
IPS deployment in passive mode is quite common, but it has its own deployment limitations (discussed below).
Usually, in a passive IPS deployment, the Firepower System monitors traffic flowing across a network using a switch SPAN or mirror port. The SPAN or mirror port allows traffic to be copied from other ports on the switch. This gives the system visibility within the network without being in the flow of network traffic.
Please keep in mind that when configured in a passive deployment, the system cannot take certain actions such as blocking or shaping traffic. Passive interfaces receive all traffic unconditionally, and no traffic received on these interfaces is retransmitted.
Here is some more info and configuration:
Cisco.com Guide : http://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/fpmc-config-guide-v60_chapter_01011010.html#ID-2238-00000016
Cisco Validated Design : http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-secure-data-center-portfolio/sdc_ngips_ig.pdf
Thanks,
Pujita
Rate if it helps!
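To make concrete what the passive/inline distinction means for the ACP and IPS rules the question is about, here is an added Python model (example code, not Firepower's own; the rule structure, the "Allow"/"Block"/"Drop" action names and the two signatures are constructed for the illustration). It shows that a passive sensor produces the same verdicts and events as an inline one, so a policy can be tuned on a SPAN feed, but no verdict ever drops traffic until the sensor is moved inline.

```python
"""Toy model of ACP + IPS verdicts in passive vs inline mode (constructed example)."""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: str = ""


@dataclass(frozen=True)
class Rule:
    name: str
    dst_ports: frozenset        # empty set matches any destination port
    action: str                 # "Allow" or "Block" (assumed names)
    inspect: bool = False       # Allow rules may hand the flow to the IPS policy


# Constructed IPS policy: signature name -> (pattern, action). Not real Snort rules.
IPS_POLICY = {
    "WEB traversal attempt": (re.compile(r"\.\./"), "Drop"),
    "POLICY cleartext credentials": (re.compile(r"password=", re.I), "Alert"),
}


@dataclass
class Verdict:
    rule: str
    action: str                 # what the policy decided
    dropped: bool               # whether the traffic was actually affected
    events: list = field(default_factory=list)


def evaluate_acp(rules, flow):
    """First-match evaluation; a final implicit Block catches everything else."""
    for r in rules:
        if not r.dst_ports or flow.dport in r.dst_ports:
            return r
    return Rule("Default Action", frozenset(), "Block")


def inspect_ips(flow):
    """Return (action, matched signatures); a Drop signature wins over Alert."""
    hits = [(sig, act) for sig, (pat, act) in IPS_POLICY.items() if pat.search(flow.payload)]
    action = "Drop" if any(a == "Drop" for _, a in hits) else ("Alert" if hits else "Allow")
    return action, [sig for sig, _ in hits]


def process(rules, flow, mode):
    """mode is 'inline' or 'passive' (SPAN/mirror port feed)."""
    if mode not in ("inline", "passive"):
        raise ValueError(f"unknown mode {mode!r}")
    rule = evaluate_acp(rules, flow)
    action, events = rule.action, []
    if rule.action == "Allow" and rule.inspect:
        action, events = inspect_ips(flow)
    # A passive sensor only sees a copy of the traffic: verdicts are logged, never enforced.
    dropped = mode == "inline" and action in ("Block", "Drop")
    if action in ("Block", "Drop") and mode == "passive":
        events.append(f"{action} would have applied (passive mode, not enforced)")
    return Verdict(rule.name, action, dropped, events)
```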
07-12-2016 10:50 AM
Hello Pujita,
Thank you for your response.
I meant whether it makes sense to do some ACP and IPP in a passive deployment (to put into inline mode in the future).
Regards,
Lore
07-15-2016 11:17 AM
No, since it can't act upon it. I have inline fail-open across 200 sensors, with all kinds of mixes of hardware and VMs, ASA, and ISR, and no issues. I use the Security over Connectivity base policy. I employ Security Intelligence of all kinds.
It's time to move to inline. Passive these days I won't recommend.