5874 Views, 0 Helpful, 1 Reply

Firepower intrusion policy best practice

Tejas Kunte
Level 1

Are there any best practices for using the intrusion policy on the Firepower appliance?

You have the "intrusion policy used before access control rule is determined" as well as the intrusion policy that can be applied to a specific access control rule in the access control policy.

Should "intrusion policy used before access control rule is determined" have overall more rules enabled and the access control rule intrusion policy be tailored to the type of traffic it handles, i.e. HTTP, SMB, etc.?

1 Reply

Ajay Saini
Level 7

Hello,

There is no best practice as such. It all depends on how one's environment is and, depending upon the requirement, we can make it more secure with a compromise on Speed/Throughput, or give preference to a Balanced choice with connectivity and Security both given equal preference.

Normally, customers don't choose the option "Intrusion Policy used before Access Control rule is determined" and frankly I have not seen even one case. Only if you wish to feed the traffic directly to IPS for strict checking before feeding to the ASA LINA engine would you choose that option.

A banking environment would have security over connectivity, a small office might have Connectivity over connectivity, and a media company would have Balanced connectivity and Security.

It all depends. The choice would be made by a vendor if you are engaging one, or yourself if you are deploying the solution.

Just read the document and decide:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-firepower-services/200451-Configure-Intrusion-Policy-and-Signature.html

Regards,

AJ
