cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1049
Views
0
Helpful
1
Replies

ACP Rules for IPS and File

dm2020
Level 1
Level 1

Hi All,

 

What is the general recommendation for which rules are inspected with IPS/File and which are not?

 

I'm currently working on a deployment which has a large number of inside to outside zone rules that permit traffic such as dns, http, https, ftp, ICMP etc. All of these rules have been configured as allow with IPS and file inspection, however, I think that this is overkill and not actually needed.

 

For example, do I need to apply IPS and file inspection to outgoing DNS traffic? Should DNS traffic be set to trust only?

 

For file inspection, should I only inspect applicable traffic that Firepower can inspect for Malware such as HTTP, SMTP, POP3, FTP etc? I dont see the need to inspect DNS, HTTPs traffic.

 

Thank you

 

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

I typically include IPS inspection for anything unencrypted.

 

File inspection I only set for unencrypted applications that potentially include a file payload (such as the ones you mentioned). Also if you have a lot of east-west traffic (i.e. server to server or users to file servers) I exclude that from file inspection.

 

(This assumes I don't have an SSL Policy that's decrypting traffic.)

View solution in original post

1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

I typically include IPS inspection for anything unencrypted.

 

File inspection I only set for unencrypted applications that potentially include a file payload (such as the ones you mentioned). Also if you have a lot of east-west traffic (i.e. server to server or users to file servers) I exclude that from file inspection.

 

(This assumes I don't have an SSL Policy that's decrypting traffic.)

Review Cisco Networking for a $25 gift card