Firepower IPS inspection

keithcclark71
Level 3

Is IPS a "set it and forget it" type deal? Say I have 50 rules in my ACP and select Balanced Security for every rule, and on top of that select a file & malware policy; would this not kill the performance? What do you guys typically do to manage this? I have at the bottom of my ACP an allow rule for http/https so that my URL block categories above cannot be bypassed. Would I just set inspection for File and IPS on my allow http/https rule and just forget about it and let it do its thing? What rules would one typically enable inspection and file and malware policies for? So confusing every step of the way here.


6 Replies

Marvin Rhoads
Hall of Fame

I generally apply an IPS policy on all "allow" rules. If there is a Malware license available, create and apply a File policy to all allow rules for clear text protocols (since we cannot inspect the contents of encrypted traffic unless there is an (uncommon) SSL policy as well).

Do you do anything specific as far as your IPS setup and maintenance, or do you normally just set your allows to the IPS Balanced Security defaults and forget about it? There seem to be a bunch of things one can do, but looking at the thousands of Snort rules I wouldn't know where to start adjusting to make it more efficient. It seems like setting IPS inspection on multiple rules would kill the performance. Thanks Marvin.

Marvin Rhoads (Accepted Solution)

I try to use a copy based on "Balanced Security and Connectivity" with an overlay of Firepower Recommendations updated monthly. That will tweak the default rules based on host characteristics observed in your environment. It should not affect performance appreciably since that is what the box is designed to do.

The only times I have manually tweaked individual rules is when the customer had some specific SCADA protocols that they wanted to make sure were covered for their deployment.

Marvin, one last question: do you set IPS inspection for your allows from the inside zone initiator to the outside zone, or only for outside initiator to inside, or for both traffic flow types?

Alan Inman
Level 1

@keithcclark71 also ensure your logging is enabled on each rule so you can later troubleshoot events. For allow rules I do "log at end of connection" and for block rules "log at beginning of connection." In our annual audits we always find a dozen or so rules where our engineers forgot to enable logging. Having a solid rule where you know all of your settings are correct, and then right-clicking and copying and pasting that rule to create your future rules, is a good practice so you don't forget to turn on IPS, logging, etc.
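The two practices above (Marvin's: IPS policy on every allow rule and a file policy on allow rules for cleartext protocols; Alan's: log at end of connection on allows, log at beginning on blocks, and audit for rules where that was forgotten) can be checked mechanically rather than by eyeballing 50 rules. The script below is an added example, not code from this thread or from Cisco. It runs over a constructed list of rules whose field names (`action`, `ipsPolicy`, `filePolicy`, `logBegin`, `logEnd`, `destinationPorts.objects[].port`) follow the shape of FMC REST API access-rule objects as I recall them; treat those names, the cleartext port list, and the rule names as assumptions and check them against your FMC version's API Explorer before pointing it at real data.

```python
"""Audit Firepower access-control rules for the hygiene items from this thread."""
import json

# Constructed sample data (not exported from a real FMC). The field names follow the
# shape of FMC REST API accessrules objects as I recall them; treat them as an
# assumption and check against your FMC's API Explorer.
SAMPLE_ACP_RULES = json.loads(r"""
[
  {"name": "Block-Bad-URL-Categories", "action": "BLOCK", "enabled": true,
   "logBegin": true, "logEnd": false},
  {"name": "Allow-Web-Out", "action": "ALLOW", "enabled": true,
   "logBegin": false, "logEnd": true,
   "sourceZones": {"objects": [{"name": "inside"}]},
   "destinationZones": {"objects": [{"name": "outside"}]},
   "destinationPorts": {"objects": [
      {"name": "HTTP", "protocol": "6", "port": "80"},
      {"name": "HTTPS", "protocol": "6", "port": "443"}]},
   "ipsPolicy": {"name": "Balanced-Copy-With-Recommendations"}},
  {"name": "Allow-Mail-Relay", "action": "ALLOW", "enabled": true,
   "logBegin": false, "logEnd": false,
   "destinationPorts": {"objects": [{"name": "SMTP", "protocol": "6", "port": "25"}]},
   "ipsPolicy": {"name": "Balanced-Copy-With-Recommendations"},
   "filePolicy": {"name": "Malware-Cleartext"}},
  {"name": "Allow-Internal-Any", "action": "ALLOW", "enabled": true,
   "logBegin": false, "logEnd": true}
]
""")

# TCP ports whose payload a file policy can actually see (no TLS), per Marvin's point
# that file inspection only helps on cleartext protocols unless an SSL policy decrypts.
# Assumed list; extend it to match what your environment allows in the clear.
CLEARTEXT_TCP_PORTS = {21, 25, 80, 110, 143}


def _port_range(spec):
    """Parse an FMC port string such as "80" or "8000-8080" into (low, high)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def rule_touches_cleartext(rule):
    """True if the rule's destination ports can carry one of the cleartext protocols."""
    objects = rule.get("destinationPorts", {}).get("objects")
    if not objects:
        return True  # no destination-port constraint means any port, cleartext included
    for obj in objects:
        if obj.get("protocol", "6") != "6" or not obj.get("port"):
            continue  # only TCP port objects matter here; ICMP/UDP objects are skipped
        lo, hi = _port_range(obj["port"])
        if any(lo <= p <= hi for p in CLEARTEXT_TCP_PORTS):
            return True
    return False


def audit_rule(rule):
    """Return the list of hygiene findings for one access-control rule."""
    findings = []
    action = rule.get("action", "").upper()
    if action == "ALLOW":
        if not rule.get("ipsPolicy"):
            findings.append("allow rule has no IPS policy")
        if rule_touches_cleartext(rule) and not rule.get("filePolicy"):
            findings.append("allow rule permits cleartext protocol without a file/malware policy")
        if not rule.get("logEnd"):
            findings.append("allow rule does not log at end of connection")
    elif action.startswith("BLOCK"):
        if not rule.get("logBegin"):
            findings.append("block rule does not log at beginning of connection")
    return findings


def audit_policy(rules):
    """Map rule name -> findings, for rules that have at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    # In practice, load the rules from the FMC REST API instead of the sample, e.g.
    # GET /api/fmc_config/v1/domain/{domainUUID}/policy/accesspolicies/{policyId}/accessrules?expanded=true
    # (path from memory; verify in your FMC's API Explorer).
    for name, findings in audit_policy(SAMPLE_ACP_RULES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On the sample, "Allow-Web-Out" is flagged for allowing port 80 with no file policy, "Allow-Mail-Relay" for not logging at end of connection, and "Allow-Internal-Any" for both a missing IPS policy and a missing file policy (no destination-port constraint means it can carry cleartext traffic); the block rule passes because it logs at beginning. Running something like this before each deploy is a cheaper version of the annual audit Alan describes.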

Great tip, Alan. Do you also enable IPS inspection on all of your allow rules? Do you do them only for Outside Zone to Inside Zone allow rules, or for both Inside Zone to Outside and Outside Zone to Inside?
