01-29-2016 02:30 PM - edited 03-10-2019 06:33 AM
Greetings,
I come from a TippingPoint background and am now working with FireSIGHT/Firepower.
We have hosts that trigger an HTTP rule that is set to Drop.
The traffic is valid and we do not want to drop it for this rule but we need all other http traffic from these hosts inspected.
Is manually creating new copy of the Rule with the 'Pass' option for the affected hosts the only way to achieve this?
This seems cumbersome and at risk of human error causing something bad to occur. Plus we'll have to monitor for changes to the original Rule to keep the new one up to date.
If I understand the options:
Using Suppress won't work as it only suppresses the events - the action is still Drop.
Using a Trust (in this case) won't work because the source generates the event against many destinations and maintaining the list is not achievable.
Disabling the rule will remove detection of actual infected systems.
Which leaves the above Pass rule method.
We expect to see a number of these false positive requirements in the environment so having the best practice to handle them at the start will be most helpful.
Regards,
John
02-09-2016 01:46 PM
Hello John,
What version of Firesight/Firepower appliances and software are you running in your environment?
To answer your question, my recommendation would be to create a 'Network' object based on your hosts' IP addresses, and collectively apply an 'Allow' action using an Access Control rule for the HTTP protocol. This would pass the valid traffic from these hosts and inspect all other http traffic too.
I would recommend taking a look at this link, http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AC-Rules-Tuning-Overview.html. This should help to understand the different actions and implications of an Access Control rule in FireSight Management Center for a FirePOWER device and assist you in effective rule creation.
Let me know if this helps. Thanks.
Regards,
Brian D'Souza.
02-09-2016 03:59 PM
Brian,
Version is 5.4.1.4
If I understand your recommendation I'd still need a custom rule with Pass for the network group correct?
The 'allow' is still going to send all http traffic to the intrusion policy.
I'll take a look through the linked document.
Thanks,
John
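The "copy the rule as a Pass rule for the affected hosts, then watch the original for changes" workflow John describes above, as an added example that is not from the thread and is not Cisco's code: a small Python helper that rewrites a Snort rule into its pass variant scoped to a hosts variable and reports when the original rule's detection options have drifted away from the copy. The sample rule, the `$FP_HOSTS` variable name and the SIDs are constructed for this example and do not correspond to any real vendor rule.

```python
import re
from typing import List, Tuple

# Constructed sample rule standing in for the vendor HTTP rule that fires on the
# trusted hosts. It is NOT a real Cisco/Talos rule; the SID is in the local-rule
# range (1000000 and up) so it cannot collide with vendor rules.
ORIGINAL_RULE = (
    'drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"LOCAL HTTP suspicious user-agent"; flow:to_server,established; '
    'content:"User-Agent|3A| Example|3B| Agent"; http_header; nocase; '
    'classtype:trojan-activity; sid:1000001; rev:3;)'
)

# Snort rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.DOTALL,
)

# Bookkeeping options that may legitimately differ between the original rule and
# its pass copy; everything else is detection logic and must stay identical.
BOOKKEEPING = {"sid", "rev", "msg", "classtype", "reference", "metadata", "priority", "gid"}


def split_options(opts: str) -> List[Tuple[str, str]]:
    """Split 'key:value; key2; ...' into (key, value) pairs, honoring '\\;' escapes."""
    pairs, buf, i = [], [], 0

    def flush() -> None:
        item = "".join(buf).strip()
        if item:
            key, _, value = item.partition(":")
            pairs.append((key.strip(), value.strip()))
        buf.clear()

    while i < len(opts):
        ch = opts[i]
        if ch == "\\" and i + 1 < len(opts):   # keep escaped char (e.g. '\;') intact
            buf.append(opts[i:i + 2])
            i += 2
            continue
        if ch == ";":
            flush()
        else:
            buf.append(ch)
        i += 1
    flush()
    return pairs


def join_options(pairs: List[Tuple[str, str]]) -> str:
    return " ".join(f"{k}:{v};" if v else f"{k};" for k, v in pairs)


def detection_signature(rule: str) -> tuple:
    """Header (minus action and source, which differ by design) plus detection options."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: " + rule[:40])
    opts = tuple(p for p in split_options(m["opts"]) if p[0] not in BOOKKEEPING)
    return (m["proto"], m["sport"], m["dir"], m["dst"], m["dport"]) + opts


def make_pass_variant(rule: str, hosts_var: str, new_sid: int) -> str:
    """Return a 'pass' copy of rule whose source is restricted to hosts_var.

    The detection options are copied verbatim; only sid, rev and msg change.
    """
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule: " + rule[:40])
    old_sid = dict(split_options(m["opts"])).get("sid", "?")
    new_opts = []
    for key, value in split_options(m["opts"]):
        if key == "sid":
            value = str(new_sid)
        elif key == "rev":
            value = "1"
        elif key == "msg":
            value = value.rstrip('"') + f' (pass copy of sid {old_sid})"'
        new_opts.append((key, value))
    return (f'pass {m["proto"]} {hosts_var} {m["sport"]} {m["dir"]} '
            f'{m["dst"]} {m["dport"]} ({join_options(new_opts)})')


def pass_copy_is_stale(original: str, pass_copy: str) -> bool:
    """True when the original's detection logic no longer matches the pass copy,
    i.e. the vendor rule was revised and the copy must be regenerated."""
    return detection_signature(original) != detection_signature(pass_copy)


if __name__ == "__main__":
    copy = make_pass_variant(ORIGINAL_RULE, "$FP_HOSTS", 1000002)
    print(copy)
    print("stale:", pass_copy_is_stale(ORIGINAL_RULE, copy))
```

Run the stale check against the current rule text after every rule update import; a `True` result means the vendor changed the matching logic and the pass copy no longer shadows exactly the same traffic, which is the "monitor for changes to the original Rule" problem John raises.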