Firepower, IPS Rule Update frequency for internal FTD firewall

ejans
Level 1

Hi,

I'm working with a new FTD HA-setup (Firepower 21x0) that will replace an old ASA-pair. We plan on running the latest 6.2.3.x-patch.

The FTD will handle internal traffic only (another FTD HA pair is handling Internet/WAN-traffic). However, the FTD will handle traffic for a 24/7 live production network with time-critical sensitive applications/protocols.

I have a big question in my mind as to how to best handle IPS Rule Updates that cause SNORT Service Interruptions in this environment. The customer wants to have IPS active to gain visibility, but they do not want the SNORT service interruptions for sensitive flows.

I believe I can work around this problem by preparing Fastpath Pre-filter rules that can be enabled before the customer wants to do a manual Rule Update. This way critical traffic could be manually excluded from the SNORT Service Interruption (I've also looked at "snort preserve-connection" as an option, but this only preserves existing flows, not new ones).

My question boils down to how often we would recommend installing Rule Updates in an environment such as this. As the Rule Update will be a manual procedure, I expect the customer does not want to do it every day/every week.

Considering this FTD will only handle internal traffic, how often would be best practice to do a manual Rule Update?

Would the customer miss out on a lot of features if they only did it once a month? Once a quarter?

Thanks,

Regards,

Erik

4 Replies

fatalXerror
Level 5

Hi @ejans,

Nice question you have there.

Nothing we can do, since it is the behavior of the SNORT process when deploying the policy with the updated intrusion rules, but I would recommend picking a day every week which you think has fewer transactions happening (e.g. weekend night).

Thanks

Hi,

Thanks for your reply.

I think I was a bit unclear. This is an always-on (24 hours/7 days a week) production environment with large industrial appliances. No interruption is allowed at all. As I mentioned, I think I have a "sort of" manual workaround that would be run regularly. I just wonder how often this environment would get value out of Rule Updates (also considering it's an internal firewall).

Thanks,
Regards
Erik

Hi @ejans,

Question: in terms of the IPS capability, do you need to monitor only, or do you also need to proactively drop the traffic once an intrusion is detected?

Thanks

Hi fatalXerror,

Thanks for your attention.

In the beginning we are going to monitor only, but in the long run the customer wants to drop inline. I'm starting with an intrusion policy with "Drop when Inline" unchecked.

//Erik