Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2686
Views
5
Helpful
3
Replies

Detecting Malware and Suspicious activity

dan hale
Level 3
Level 3

‎07-23-2018 08:45 PM - edited ‎02-21-2020 08:00 AM

Hi All, I have a 2120  running in FTD mode with the IPS and AMP licenses and an FMC all on version 6.2. I setup the IPS and AMP (file policy) based on the configuration guide.

 

On my Access Control Policy I do have both the file policy and IDS checked to inspect when internal traffic goes out to the internet.

 

There are some weird connection events that lead me to believe some internal hosts maybe compromised when I look in the connection events...some computers talking to other countries that should not.

 

Besides setting up Geofencing to deny internal traffic to those countries is there a better report I can run besides looking at the connection events?

 

Thanks,

Dan.

 

 

Labels:
0 Helpful
3 Replies 3

yogdhanu
Cisco Employee
Cisco Employee

‎07-24-2018 05:44 AM

Hi

 

You can also enable security intelligence (both URL and IP) and make sure the default blacklist categories are blocked. That also does the trick sometime.

 

Hope it helps,

Yogesh

dan hale
Level 3
Level 3
In response to yogdhanu

‎07-25-2018 09:11 AM

Thanks Yogesh I already have SI enabled.

 

Thanks,

Dan

0 Helpful

mikael.lahtela
Level 4
Level 4
In response to dan hale

‎08-15-2018 03:36 PM

If you have access to Cisco Live, checkout "A Deep Dive into using the Firepower Manager - BRKSEC-2058".
Very helpful tips on how to manage Firepower.

br, Mikael
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card