Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2931
Views
10
Helpful
4
Replies

ARP Poisoning detection with FTD

Neophyte
Level 1
Level 1

‎10-06-2020 03:32 AM

I'm new to dealing with the FMC and FTD, and new to working directly with Cisco Products in general, but I'm wondering if anyone could point me in the right direction regarding detection for ARP Poisoning from the FTD appliance.

 

So far, I have tried to create a Correlation Rule, which did not work in detecting ARP Poisoning. I have also discovered that the underlying IDS of the FTD is Snort, which does have a preprocessor for detecting ARP Poisoning, however, I cannot see it within the list of preprocessors. I have also noticed some ARP Poison related signatures in the "DELETED" folder in Intrusion Rules.

Basically my questions are:

  1. Is there a way to upgrade the FMC to include more of the preprocessors that come with Snort?
  2. How do you go about moving something from the "DELETED" folder back into the main Intrusion Rule folders.
  3. Failing being able to accomplish either of these, is there another method to go about detecting ARP Poisoning with the FMC/FTD?

Any and all help will be much appreciated! 

0 Helpful
4 Replies 4

Mohammed al Baqari
Level 11
Level 11

‎10-06-2020 04:39 AM

Hi,

If FTD in routed mode it can not detect arp poisoning. For arp poisoning,
you need DAI feature on the switches along with dhcp snooping.

****** please remember to rate useful posts

Neophyte
Level 1
Level 1
In response to Mohammed al Baqari

‎10-06-2020 05:51 AM

Hi Mohammed,

 

Thank you for the response!

 

So are you saying that the FTD appliance needs to be in Transparent mode and then I would also need to set up the DAI feature on the switches along with DHCP Snooping to make ARP Poisoning detectable within the FMC? Or are the DAI and DHCP Snooping features just a mitigation technique?

 

Cheers.

0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to Neophyte

‎10-06-2020 07:07 AM

If you use dai then no need to do anything on firepower. If you don't want
to use dai then option B is firepower in transparent mode.

I strongly recommend to use dai its straight forward and well implemented
by the switches. Also generate relevant syslogs.

**** please remember to rate useful posts

Neophyte
Level 1
Level 1
In response to Mohammed al Baqari

‎10-07-2020 01:27 AM

Thank you for you help Mohammed!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card