
ASA IP Audit

patoberli
VIP Alumni

Hi all

I've got a new ASA Firepower which replaces another old ASA. The old one has various IP Audit Policies configured, but I think for legacy reasons.

What is the default today in regards to IP Audit?

Is this enabled by default or not?

What are your recommendations?

I could only find this in the legacy documentation for ASA 9.12.x image, so I assume it should be left disabled, unless there are good reasons to enable it?

https://www.cisco.com/c/en/us/td/docs/security/asa/legacy/asa-legacy-gd/protect-tools.html#26683

This device terminates exclusively SSL VPN Client connections, if that is of importance, and sits behind another Firepower ASA.

Thanks

Patrick

4 Replies

Marvin Rhoads
Hall of Fame

I've never seen the feature used in production in the past decade of working with 100s of ASA firewalls.

If you have a current ASA with Firepower service module, the basic IPS policy enforced by the service module (most often "Balanced Security and Connectivity") would be the analogous feature. It would also more closely reflect what's appropriate for the current threat landscape.

I don't have a Firepower service module, "only" a Firepower 4110 running the pure ASA image. So no special IPS functionality licensed or similar.

I guess it's slowly getting time to disable that feature, it was dragged from hardware to hardware ;)


Ah OK. Hopefully the upstream ASA has the Firepower protections in place.

I imagine the config was on an old Pix that might have been installed there once. That's the last place I recall seeing that config item used.

Nope no FTD image in use anywhere, just good old plain ASA, but with a ton of restrictions.

