Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1398
Views
10
Helpful
4
Replies

Best Practices for IPS enablement (Firepower).

Go to solution
adamgerber
Beginner
Beginner

‎09-09-2021 04:03 AM

Hi All.

 

Where can I find a good resource detailing best practices when it comes to IPS inspection enabled on access rules. So in other words which rules should always be enabled for IPS inspection/enforcement (inbound, web server, sql access rules)? I have not been able to find a resource from Cisco on this. This will be for firepower mainly.

 

Kind Regards,
Adam

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to adamgerber

‎09-23-2021 04:40 AM

No worries,

If the post answered your question, could you please select it as a correct answer.

Thanks.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

4 Replies 4

Go to solution
Mohammed al Baqari
VIP
VIP

‎09-09-2021 04:43 AM

Hi Adam,

I don't think there is a document describing this in detail because it
varies per environment. The right approach is to enable discovery only for
sometime in order for FTD to build context about your environment (apps,
hosts types, OS versions, etc). Once this is done, you can schedule IPS
recommendations to be executed daily and enforced. The recommendations from
IPS will be based on the fingerprinting done during discovery.

Now, this is not 100% taken that all recommendations are valid. But it can
be a baseline for the engineer to review the IPS logs periodically and see
if there are false positives or more tweaks to be done for rules.

This is a quick summary but once you start the process, you will get more
questions which generate different strategies suited to your environment.

**** please remember to rate useful posts
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎09-09-2021 08:23 AM

When enabling IPS, I have used the following rule of thumb, "Enable IPS on all rules except those going from local LAN towards internet."

Disable IPS on rules that are between databases, that would be types of traffic like backups, DR site synchronisation, Umbrella VA to internal DNS, etc.

Ideally you would already have port based access control (for example. SGT using ISE or similar) restricting access between host machines and internal LAN subnets. In this case IPS on rules between host subnets would not be necessary, but still good to have incase there is a misconfiguration.  But from hosts towards all internal servers is, in my opinion, a must.

--
Please remember to select a correct answer and rate helpful posts

Go to solution
adamgerber
Beginner
Beginner

‎09-23-2021 02:49 AM

Thanks, Guys.

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to adamgerber

‎09-23-2021 04:40 AM

No worries,

If the post answered your question, could you please select it as a correct answer.

Thanks.

--
Please remember to select a correct answer and rate helpful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents