12-17-2018 02:10 PM - edited 03-12-2019 07:10 AM
Hi,
When Firepower IPS picks up a bad attempt from the internet inbound it blocks it and sends an impact 1 event to my alerting. I typically do not need to action much for such blocked situations.
I'd like to set my alerting up for the other direction. My internal source tries to send back to a known bad destination or with a known bad signature and it gets blocked. I typically do want to run a scan on this host.
Anyone have success to create alerts in this fashion?
I was thinking a correlation rule that defines internal sources and impact 1 events that also has a negative on the external interface.
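The direction test that correlation rule expresses, as an added Python example that is not part of this thread and not FMC's own code: it replays a few constructed impact 1 events and flags only those whose source is internal and destination external, the case the poster wants ticketed for a host scan. The internal address ranges and the event field names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Internal address space is an assumption for this example; replace with the site's real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class IntrusionEvent:
    """Minimal stand-in for an FMC intrusion event (field names assumed, not FMC's)."""
    src: str
    dst: str
    impact: int
    action: str  # e.g. "Dropped" when the IPS blocked the session


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev: IntrusionEvent):
    """Direction test the correlation rule expresses, applied to impact 1 events only.

    Internal source -> external destination: the host reached out to something
    bad and needs a scan. External source -> internal host: the inbound case that
    was blocked and needs nothing beyond logging.
    """
    if ev.impact != 1:
        return None
    src_int, dst_int = is_internal(ev.src), is_internal(ev.dst)
    if src_int and not dst_int:
        return "scan_host"
    if dst_int and not src_int:
        return "inbound_blocked"
    return "internal_to_internal"


def hosts_to_scan(events):
    """Sorted list of internal hosts whose outbound impact 1 events matched."""
    return sorted({ev.src for ev in events if classify(ev) == "scan_host"})


# Constructed sample events: one inbound block, one outbound block, one impact 2 outbound.
SAMPLE_EVENTS = [
    IntrusionEvent("203.0.113.7", "10.1.1.20", 1, "Dropped"),   # inbound, blocked
    IntrusionEvent("10.1.1.20", "198.51.100.9", 1, "Dropped"),  # outbound to bad destination
    IntrusionEvent("10.1.2.5", "198.51.100.9", 2, "Dropped"),   # impact 2, ignored
]
```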
12-18-2018 11:36 AM
Hi Evan,
I agree with you, a correlation rule can keep track of this; however, you need to set up the alerting and remediation rules.
Thanks
12-18-2018 02:52 PM
Thanks for the reply.
Yeah, I just set the email alert from the Policy Mgmt tab (explaining in full for other people's benefit). I intend the scan to be done by the internal IT team, not FMC. I hadn't thought the FMC would be overly useful to do the scan.
Now to test the rule, I've tried:
1/ obtaining bad IP addresses from current events from Security Intelligence and browsing to them from an internal host (FMC just lets it go through with no issues = surprising)
2/ obtaining IP addresses from high impact 1 events from outside to inside. Browsing to these from an internal host also results in FMC letting it go through = surprising. Zscaler proxy is in use onsite, so I also do a telnet test, telnet x.x.x.x 443. I'll ask a person to disable the proxy and repeat this test.
Any other ideas for confirming the rule/alert works?
07-12-2019 03:25 AM
Alerting and remediation via correlation?
I turned off all Alerting via the inbuilt alerting and only alert via Correlation.
Cisco have not allowed for the product to accommodate a high use of Guest Wifi Networks that a Client might want to 'protect' but NEVER hear anything about.