09-09-2021 04:03 AM
Hi All.
Where can I find a good resource detailing best practices when it comes to IPS inspection enabled on access rules? In other words, which rules should always be enabled for IPS inspection/enforcement (inbound, web server, SQL access rules)? I have not been able to find a resource from Cisco on this. This will be for Firepower mainly.
Kind Regards,
Adam
09-09-2021 04:43 AM
09-09-2021 08:23 AM
When enabling IPS, I have used the following rule of thumb: "Enable IPS on all rules except those going from local LAN towards internet."
Disable IPS on rules that are between databases; that would be types of traffic like backups, DR site synchronisation, Umbrella VA to internal DNS, etc.
Ideally you would already have port-based access control (for example, SGT using ISE or similar) restricting access between host machines and internal LAN subnets. In this case IPS on rules between host subnets would not be necessary, but still good to have in case there is a misconfiguration. But from hosts towards all internal servers is, in my opinion, a must.
09-23-2021 02:49 AM
Thanks, Guys.
09-23-2021 04:40 AM
No worries,
If the post answered your question, could you please select it as a correct answer.
Thanks.