Where can I find a good resource detailing best practices when it comes to IPS inspection enabled on access rules? So in other words, which rules should always be enabled for IPS inspection/enforcement (inbound, web server, SQL access rules)? I have not been able to find a resource from Cisco on this. This will be for Firepower mainly.
When enabling IPS, I have used the following rule of thumb, "Enable IPS on all rules except those going from local LAN towards internet."
Disable IPS on rules that are between databases, that would be types of traffic like backups, DR site synchronisation, Umbrella VA to internal DNS, etc.
Ideally you would already have port based access control (for example, SGT using ISE or similar) restricting access between host machines and internal LAN subnets. In this case IPS on rules between host subnets would not be necessary, but still good to have in case there is a misconfiguration. But on rules from hosts towards all internal servers it is, in my opinion, a must.
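The rule of thumb above, encoded as a small audit over an access policy, as an added example that is not part of the original thread. It assumes a simplified, constructed rule representation (zone names like inside, outside, servers, db, dr-db are assumptions), not the FMC/FTD export format, which the example does not use.

```python
from dataclasses import dataclass

# Constructed, simplified view of an access rule; not the FMC/FTD export format.
@dataclass
class AccessRule:
    name: str
    src_zone: str
    dst_zone: str
    ips: bool  # True when an intrusion policy is attached to the rule

# Assumed zone names used to express the thread's rule of thumb.
LAN = "inside"
INTERNET = "outside"
SERVERS = "servers"
DB_ZONES = {"db", "dr-db"}  # database-to-database traffic: backups, DR sync


def audit_ips(rules):
    """Return (rule name, finding) pairs for rules that deviate from the rule of thumb:
    IPS on everything except LAN->internet, off on database-to-database traffic,
    and mandatory on hosts->internal servers."""
    findings = []
    for r in rules:
        lan_to_internet = r.src_zone == LAN and r.dst_zone == INTERNET
        db_to_db = r.src_zone in DB_ZONES and r.dst_zone in DB_ZONES
        hosts_to_servers = r.src_zone == LAN and r.dst_zone == SERVERS
        if db_to_db and r.ips:
            findings.append((r.name, "consider disabling IPS on database-to-database rule"))
        elif hosts_to_servers and not r.ips:
            findings.append((r.name, "must enable IPS on hosts->internal servers rule"))
        elif not r.ips and not lan_to_internet:
            findings.append((r.name, "enable IPS unless this traffic is deliberately exempt"))
    return findings


def sample_rules():
    """Constructed sample policy used to exercise the audit."""
    return [
        AccessRule("lan-to-internet", "inside", "outside", ips=False),  # allowed exemption
        AccessRule("db-backup", "db", "dr-db", ips=True),               # IPS not wanted here
        AccessRule("users-to-servers", "inside", "servers", ips=False),  # must have IPS
        AccessRule("inbound-web", "outside", "dmz", ips=True),          # fine
        AccessRule("dmz-to-servers", "dmz", "servers", ips=False),      # should have IPS
    ]


if __name__ == "__main__":
    for name, finding in audit_ips(sample_rules()):
        print(f"{name}: {finding}")
```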