cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

995
Views
0
Helpful
4
Replies
vtxchris
Beginner

AMP/IPS Rule on FTD 1120 using FDM

I attempted to create an access control rule for IPS and AMP from information I found online, and apparently it was completely wrong, because it had the effect of ignoring all block rules and opening up my whole network to the Internet.  No matter what position I put the AMP/IPS rule in, ports like RDP were open on my Internet-facing servers, so obviously I did it wrong.  I've deleted the rule for now and things seem secure again, but I wanted to ask for help before making another attempt.  Here's a screenshot of the rule I created:

 

AMP-IPS-Rule-01.jpg

It's basically open; the only changes I made were to the Intrusion Policy tab, which I set to Connectivity over Security, and File, which I set to Cloud Lookup. I thought that my Default Action rule (set to Block) at the bottom of the list would successfully block any outside access I hadn't specifically allowed (like SMTP), but that didn't happen.  It seems this rule just overrode all blocks and opened everything. I was able to block RDP by putting a rule above this one, but that wasn't a long term solution so I just got rid of this rule altogether.  Can someone help me format a rule properly to turn on IPS and AMP without opening up the network?  Here's a shot of the current ACL:

 

LYRULESET.jpg

Thanks in advance for any help!

Chris

1 ACCEPTED SOLUTION

Accepted Solutions
Marvin Rhoads
Hall of Fame Guru

In your example, the AMP and IPS settings should be part of each allow rule under the File Policy and Intrusion Policy tabs of the existing access control rules 1-4.

It should not be it's own separate rule. The example of that which you gave will, as you observed, allow any traffic (as long as it doesn't trigger any IPS or file policy rules).

View solution in original post

4 REPLIES 4
Marvin Rhoads
Hall of Fame Guru

In your example, the AMP and IPS settings should be part of each allow rule under the File Policy and Intrusion Policy tabs of the existing access control rules 1-4.

It should not be it's own separate rule. The example of that which you gave will, as you observed, allow any traffic (as long as it doesn't trigger any IPS or file policy rules).

View solution in original post

Thanks Marvin, that makes sense.  Doing it that way I could choose different levels of IPS for each of the rules?  So on the SMTP rule I could choose Balanced, and on that currently blocked rule I could set it to Security over connectivity?

Yes you can choose different levels of IPS and File policies per rule.

Sometimes you don't need them at all - for instance a block rule only blocks so why tell it to inspect or check for file hashes?

While that IPS rule was created I did see it reject some PHP attacks on the blocked port, so I turned that rule off temporarily, but eventually I want to turn it back on. It's just for one specific job so when I re-enable it I'll do it with the highest IPS policy I can get away with. I'll take a lighter touch with the mail rule to make sure it doesn't break anything.

 

Thanks for all the info.  I probably should have known this, but I'm new to the FTD firewalls and IPS in general and had it in my head that it should be its own separate ruleset.  Appreciate your help!


Chris

Content for Community-Ad