04-11-2016 03:55 AM - edited 03-12-2019 05:58 AM
Dears,
Please find the attached screenshot as an example. There are many rules disabled by default; how will I know which ones I have to enable to avoid any attack on the network?
Thanks
04-11-2016 07:17 AM
Hi
That depends on your network. There are too many signatures, and FireSIGHT recommendations can help you determine what to enable. They work based on network discovery, which checks the applications and hosts used in your network, based on which the related rules can be enabled.
Further, you can have rules enabled in IDS mode (detect only), see if events are generated, and then decide whether you want to block or not.
This will help.
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-FireSIGHT-Recs.html
04-11-2016 08:59 AM
Dear yogdhanu,
It would work based on network discovery which will check the application and host used in your network based on which related rules can be enabled.
As per your above statement, does this have to be enabled manually, or will Firepower enable it automatically?
Further , you can have rules enabled in IDS mode (detect only) and see if events are generated and then decide if you want to block or no.
The hacker will hack the system in this mode if the network administrator is not monitoring the connection logs.
thanks
04-18-2016 12:40 PM
Dears,
What is the best practice for configuring the IPS in the SFR? I have used recommendations, but day by day the recommendations are changing; sometimes it enables 3000 rules with drop and sometimes it enables 2000 rules with drop.
I am confused about how I can configure that.
thanks
05-04-2016 10:54 AM
Hi,
You should enable the default base policy "Balanced Security and Connectivity" with FireSIGHT recommendations enabled.
The rules change dynamically depending on your network host profiles, as it takes into account traffic patterns and other changes and thus changes the rule state of some rules
from time to time to avoid illegitimate traffic.
In case your legitimate traffic is getting dropped by the rule changes, you can always open a TAC case and provide pcaps of the traffic to us for further investigation.
Thanks,
Ankita
05-06-2016 12:53 PM
Dears,
The rules change dynamically depending on your network host profiles as it takes in to account traffic patterns and other changes and thus change the rule state of some rules
So from time to time I have to always use recommendations and check whether the rules are changing. I think the rules should definitely be changed, because the traffic pattern will change.
In case by the rule changes, your legitimate traffic is getting dropped you can always open a tac case and provide pcaps of the traffic to us for further investigation.
How can I trace faster which traffic is getting dropped until TAC joins the WebEx, because I have a critical network with 99.99% uptime?
thanks
05-06-2016 01:39 PM
Hi
To check which traffic drops, you can rely on intrusion events. There you would see if any traffic is dropped and, if required, you can disable the rule and open a TAC case to investigate whether it is really a false positive.
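The triage the reply above describes (look at intrusion events, find the rules that are actually dropping, then decide what to disable while TAC investigates) can be done in a few lines over an export of the events. The script below is an added example, not code from the original thread or from Cisco: it parses a constructed CSV with the columns assumed here (an FMC export uses its own column names), counts drops per rule, separates "Dropped" from "Would have dropped" (the latter means the rule fired in an inline set but was not set to drop), and ranks the dropping rules so the ones hitting internal-to-internal traffic, the usual false-positive suspects on a production network, surface first. The generator IDs, SIDs, messages and addresses are all made up.

```python
import csv
import io

# Constructed sample export. Column names are an assumption for this example;
# the GIDs, SIDs, messages and addresses are invented and match no real rule.
SAMPLE_EVENTS = """time,generator_id,sid,message,inline_result,src_ip,dst_ip,dst_port
2016-05-06 13:01:02,1,9000002,"SAMPLE HTTP test B",Dropped,198.51.100.7,192.0.2.10,80
2016-05-06 13:01:05,1,9000002,"SAMPLE HTTP test B",Dropped,198.51.100.7,192.0.2.10,80
2016-05-06 13:02:11,1,9000002,"SAMPLE HTTP test B",Dropped,203.0.113.4,192.0.2.10,80
2016-05-06 13:03:40,1,9000001,"SAMPLE SMB test A",Dropped,10.1.1.5,10.1.1.20,445
2016-05-06 13:04:01,1,9000003,"SAMPLE FTP test C",Would have dropped,10.1.1.6,10.1.1.21,21
2016-05-06 13:04:09,1,9000003,"SAMPLE FTP test C",Would have dropped,10.1.1.6,10.1.1.21,21
2016-05-06 13:05:00,1,9000004,"SAMPLE MSSQL test D",,10.1.1.7,10.1.1.30,1433
"""


def parse_events(text):
    """Read the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_rule(events, result="Dropped"):
    """Group events with the given inline result by (GID, SID).

    Returns {(gid, sid): {"message", "count", "sources", "targets"}}.
    Use result="Would have dropped" to see rules that are in alert mode
    but would block if switched to drop.
    """
    summary = {}
    for e in events:
        if e["inline_result"] != result:
            continue
        key = (e["generator_id"], e["sid"])
        s = summary.setdefault(
            key, {"message": e["message"], "count": 0, "sources": set(), "targets": set()}
        )
        s["count"] += 1
        s["sources"].add(e["src_ip"])
        s["targets"].add((e["dst_ip"], e["dst_port"]))
    return summary


def triage(events, internal_prefixes=("10.",)):
    """Rank dropping rules by drop count and flag internal-only ones.

    internal_prefixes is an assumed RFC 1918 prefix list for this example;
    a rule whose every source is internal is the first thing to check for a
    false positive before switching it to generate-only or disabling it.
    """
    ranked = sorted(
        summarize_by_rule(events).items(), key=lambda kv: kv[1]["count"], reverse=True
    )
    rows = []
    for (gid, sid), s in ranked:
        internal = all(src.startswith(internal_prefixes) for src in s["sources"])
        rows.append(
            {
                "gid": gid,
                "sid": sid,
                "drops": s["count"],
                "distinct_sources": len(s["sources"]),
                "internal_only": internal,
                "message": s["message"],
            }
        )
    return rows


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for row in triage(events):
        print(row)
    print("would have dropped:", summarize_by_rule(events, "Would have dropped"))
```

On the constructed data the HTTP rule ranks first with three drops from two external sources, while the SMB rule drops a single internal-to-internal flow and is flagged `internal_only`; the FTP rule shows up only under "Would have dropped", which tells you it is in alert mode and is safe to leave while you watch it.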
05-06-2016 02:27 PM
Dear Yogdhanu,
Thanks for the reply.
The base policy I have selected is Security over Connectivity, which is more secure than Balanced Security and Connectivity; please correct me if I'm wrong.
thanks
05-06-2016 10:36 PM
Hi Jack,
Yes, it's more secure, but I would suggest making sure there are not too many rules enabled in there, as that could impact performance. All the testing on the Firepower appliance is done using the Balanced Security and Connectivity policy, so using Security over Connectivity does increase the load on the system.
But as long as the traffic is not oversubscribing the device, it should be OK.
05-06-2016 11:33 PM
Thanks for the reply
Yes, if it is not affecting the load I will keep Security over Connectivity, but in case it impacts the load in future I will definitely change it.
I have created a separate inline policy by copying the existing one, and apart from that I have used recommendations to enable rules; I am not sure that this is enough.
Can you guide me on what else should be configured in the IPS as a best practice from Cisco?
Please find the attached rule update. If I'm not wrong, it will update the rules automatically at 12:00 and reapply the policies, so I don't have to download them manually. Is that configuration correct?
thanks
05-07-2016 02:22 AM
Yes, once you select recurring rule update and apply policies, you don't need to do it manually.
You can enable network discovery and then run the FireSIGHT recommendations in the IPS policy, which would suggest enabling rules based on the hosts, OSs and protocols being used in your network.
Check this out from user guide.
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-FireSIGHT-Recs.html#62364
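To make the two mechanisms discussed in this thread concrete, here is an added example (not Cisco's code and not the real FMC recommendation algorithm): a small model of how a base policy and a recommendation overlay arrive at a per-rule state. Talos rules carry their intended state for each base policy in the rule's `metadata` option (for example `policy balanced-ips drop, policy security-ips drop`) together with a `service` tag; the script parses that, reports how many rules each base policy puts in drop (which is the load difference between Balanced and Security over Connectivity mentioned earlier), and then applies a simplified recommendation pass from a constructed inventory of discovered services: rules whose service is present on the network keep the base state (or are enabled alert-only if the base policy had them disabled, which is the "IDS mode first" approach from earlier in the thread), and rules whose service is absent are disabled. The rules, SIDs, messages and the discovered-service list are invented; the metadata format follows the Talos convention, but the exact states assigned here are this example's assumption.

```python
import re
from dataclasses import dataclass

BASE_POLICIES = ("connectivity-ips", "balanced-ips", "security-ips")

# Constructed sample rules. SIDs, messages and metadata values are invented;
# only the metadata key names (policy <name> <state>, service <name>) follow
# the convention used in Talos rule sets.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE SMB test A"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SAMPLE HTTP test B"; flow:to_server,established; metadata:policy security-ips drop, service http; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SAMPLE FTP test C"; flow:to_server,established; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop, service ftp; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SAMPLE MSSQL test D"; flow:to_server,established; metadata:policy security-ips alert, service mssql; sid:9000004; rev:1;)
"""


@dataclass
class Rule:
    sid: int
    msg: str
    policy_states: dict   # base policy name -> "drop" | "alert"
    services: set         # service tags from metadata


def parse_rules(text):
    """Parse Snort-syntax rules, keeping sid, msg and the metadata we need.

    Options are split on ';', which is fine for these samples (no escaped
    semicolons inside msg or content strings).
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = line[line.index("(") + 1 : line.rindex(")")]
        fields = {}
        for opt in opts.split(";"):
            opt = opt.strip()
            if not opt:
                continue
            key, _, val = opt.partition(":")
            fields[key.strip()] = val.strip()
        policy_states, services = {}, set()
        for item in fields.get("metadata", "").split(","):
            parts = item.split()
            if len(parts) == 3 and parts[0] == "policy":
                policy_states[parts[1]] = parts[2]
            elif len(parts) == 2 and parts[0] == "service":
                services.add(parts[1])
        rules.append(Rule(int(fields["sid"]), fields["msg"].strip('"'), policy_states, services))
    return rules


def base_state(rule, policy):
    """State a base policy gives a rule; rules it does not mention are disabled."""
    return rule.policy_states.get(policy, "disabled")


def count_drops(rules, policy):
    """How many rules a base policy puts in drop (a rough load indicator)."""
    return sum(1 for r in rules if base_state(r, policy) == "drop")


def recommended_states(rules, base_policy, discovered_services):
    """Simplified recommendation overlay (this example's model, not Cisco's).

    - no service tag: keep the base policy's decision
    - service seen on the network: keep base state, or enable alert-only if
      the base policy had the rule disabled, so it can be watched first
    - service never seen: disable, to save inspection load
    """
    states = {}
    for r in rules:
        base = base_state(r, base_policy)
        if not r.services:
            states[r.sid] = base
        elif r.services & discovered_services:
            states[r.sid] = base if base != "disabled" else "alert"
        else:
            states[r.sid] = "disabled"
    return states


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for policy in BASE_POLICIES:
        print(policy, "drop rules:", count_drops(rules, policy))
    # Constructed inventory: network discovery saw web and SMB hosts only.
    discovered = {"http", "netbios-ssn"}
    print(recommended_states(rules, "balanced-ips", discovered))
```

Running it shows the ordering the earlier reply alluded to (connectivity 1 drop rule, balanced 2, security 3 on this sample) and why recommendations shift as the inventory changes: with only HTTP and SMB discovered, the FTP and MSSQL rules are switched off regardless of base policy, and the HTTP rule that Balanced leaves disabled comes on in alert mode.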
05-07-2016 12:54 PM
Dear yogdhanu,
You can enable network discovery and then run the firesight recommendation in IPS policy which would suggest to enable rules based on the hosts,OS ,protocols being used in your network.
Yes, I have done the above. Is there anything apart from that to make the IPS configuration more professional?
Does the IPS inspect HTTPS/SSL traffic for intrusion prevention?
thanks
07-05-2017 11:09 PM
Hi Jack,
Hope you can receive my message and question. My FireSIGHT is using the default base policy "Balanced Security and Connectivity".
But I am thinking of creating a separate IPS policy by copying the existing one,
because the existing one will be automatically updated from the support site by the recurring rule update.
Can you share more information on using a separate custom policy? After copying and applying it, should it not be affected by the auto update?
Thanks
04-28-2019 02:26 PM
Please read this important update so you understand what Cisco updates, and what you should do on your Firepower IPS system.