12-05-2018 10:30 AM - edited 03-12-2019 07:09 AM
Hi All,
What is the general recommendation for which rules are inspected with IPS/File and which are not?
I'm currently working on a deployment which has a large number of inside to outside zone rules that permit traffic such as dns, http, https, ftp, ICMP etc. All of these rules have been configured as allow with IPS and file inspection, however, I think that this is overkill and not actually needed.
For example, do I need to apply IPS and file inspection to outgoing DNS traffic? Should DNS traffic be set to trust only?
For file inspection, should I only inspect applicable traffic that Firepower can inspect for Malware such as HTTP, SMTP, POP3, FTP etc? I don't see the need to inspect DNS or HTTPS traffic.
Thank you
12-05-2018 06:00 PM
I typically include IPS inspection for anything unencrypted.
File inspection I only set for unencrypted applications that potentially include a file payload (such as the ones you mentioned). Also if you have a lot of east-west traffic (i.e. server to server or users to file servers) I exclude that from file inspection.
(This assumes I don't have an SSL Policy that's decrypting traffic.)
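As an added example (not part of the thread or of any Cisco tooling), a small Python audit that encodes the recommendation in this answer and flags access control rules that depart from it; the zone names, protocol sets and sample rules are constructed assumptions rather than exported FMC data.

```python
from dataclasses import dataclass

# Assumed sets, not a Firepower definition: protocols the thread treats as carrying
# file payloads in the clear, protocols that are encrypted on the wire, and zone
# pairs treated as east-west (server to server, users to file servers).
FILE_CAPABLE = {"HTTP", "SMTP", "POP3", "FTP", "IMAP", "SMB"}
ENCRYPTED = {"HTTPS", "SSH", "IMAPS", "POP3S", "SMTPS"}
EAST_WEST = {("inside", "inside"), ("inside", "dmz"), ("dmz", "dmz")}

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    app: str           # application/protocol the rule matches
    ips: bool          # intrusion policy attached
    file_policy: bool  # file/malware policy attached

def audit_rule(rule: Rule, ssl_decrypt: bool = False) -> list[str]:
    """Return findings where one rule departs from the recommendation."""
    findings = []
    encrypted = rule.app in ENCRYPTED and not ssl_decrypt
    # Once an SSL policy decrypts the session, the inner protocol may carry files.
    file_capable = rule.app in FILE_CAPABLE or (ssl_decrypt and rule.app in ENCRYPTED)
    east_west = (rule.src_zone, rule.dst_zone) in EAST_WEST
    if rule.ips and encrypted:
        findings.append("IPS on encrypted traffic that is not decrypted: no visibility")
    if not rule.ips and not encrypted:
        findings.append("unencrypted traffic without IPS inspection")
    if rule.file_policy and not file_capable:
        findings.append("file policy on a protocol with no inspectable file payload")
    if rule.file_policy and east_west:
        findings.append("file policy on east-west traffic (recommended to exclude)")
    return findings

def audit(rules: list[Rule], ssl_decrypt: bool = False) -> dict[str, list[str]]:
    """Map each non-compliant rule name to its findings."""
    return {r.name: f for r in rules if (f := audit_rule(r, ssl_decrypt))}

# Constructed sample rule set modelled on the deployment described in the question.
SAMPLE_RULES = [
    Rule("out-dns", "inside", "outside", "DNS", ips=True, file_policy=True),
    Rule("out-http", "inside", "outside", "HTTP", ips=True, file_policy=True),
    Rule("out-https", "inside", "outside", "HTTPS", ips=True, file_policy=True),
    Rule("out-ftp", "inside", "outside", "FTP", ips=True, file_policy=True),
    Rule("out-icmp", "inside", "outside", "ICMP", ips=True, file_policy=False),
    Rule("smb-fileserver", "inside", "inside", "SMB", ips=False, file_policy=True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(f"{name}: " + "; ".join(findings))
```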