Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
484
Views
0
Helpful
1
Replies

Cisco sourcefire - Best Practices for going from monitor to blocking mode

daniel.herrick
Level 1
Level 1

‎12-29-2016 05:40 PM - edited ‎03-12-2019 06:14 AM

Anyone have experience\best practices\recommendations for going from monitor mode to blocking mode on the SourceFires? I don't want to turn full throttle.

Labels:
0 Helpful
1 Reply 1

nspasov
Cisco Employee
Cisco Employee

‎12-30-2016 05:55 PM

#1 - You want to make sure that no legitemate traffic is being dropped by an Access Policy rule and or another NGFW feature (IPS, AMP, etc). For this, make sure that you are logging all of the events and then ensure that you are reviewing the logs

#2 - Make sure that FireSIGHT (FMC) was configured correctly to perform Network, Application, Hosts and Users discovery. The IPS recommendations will be based on that discovery so it very important for this to happen properly. 

#3 - If you have or planning to have the configurations locked down to the App level then make sure that no "uknown" type Apps are showing in your event logs. 

I hope this helps!

Thank you for rating helpful posts!

Thank you for rating helpful posts!
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card