firepower IPS rules

jack samuel
Level 1

Dears,

Please find the attached screenshot for an example. There are many rules disabled by default; how will I know which I have to enable to avoid any attack on the network?

Thanks


13 Replies

yogdhanu
Cisco Employee

Hi

That depends on your network. There are too many signatures, and FireSIGHT recommendations can help you determine what to enable. They work based on network discovery, which checks the applications and hosts used in your network, based on which the related rules can be enabled.

Further, you can have rules enabled in IDS mode (detect only), see if events are generated, and then decide whether you want to block or not.

This will help.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-FireSIGHT-Recs.html

Dear yogdhanu,

They work based on network discovery, which checks the applications and hosts used in your network, based on which the related rules can be enabled.

As per your above statement, does this have to be enabled manually, or will Firepower enable it automatically?

Further, you can have rules enabled in IDS mode (detect only), see if events are generated, and then decide whether you want to block or not.

The hacker will hack the system in this mode if the network administrator is not monitoring the connection logs.

thanks

Dears,

What is the best practice for the IPS to be configured in SFR? I have used recommendations, but day by day the recommendations are changing; sometimes they enable 3000 rules with drop and sometimes 2000 rules with drop.

I am confused about how I can configure that.

thanks

Hi,

You should enable the default base policy as "Balanced Security and Connectivity" with FireSIGHT recommendations enabled.

The rules change dynamically depending on your network host profiles, as it takes into account traffic patterns and other changes, and thus changes the rule state of some rules from time to time to avoid illegitimate traffic.

In case, because of the rule changes, your legitimate traffic is getting dropped, you can always open a TAC case and provide pcaps of the traffic to us for further investigation.

Thanks,

Ankita

Dears,

The rules change dynamically depending on your network host profiles, as it takes into account traffic patterns and other changes, and thus changes the rule state of some rules from time to time to avoid illegitimate traffic.

So from time to time I have to always use recommendations and check whether the rules are changing; I think the rules should definitely be changed because the traffic pattern will change.

In case, because of the rule changes, your legitimate traffic is getting dropped, you can always open a TAC case and provide pcaps of the traffic to us for further investigation.

How can I trace faster which traffic is getting dropped until TAC joins the WebEx, because I have a critical network with 99.99% uptime?

thanks

Hi

To check which traffic drops, you can rely on intrusion events. There you would see if any traffic is dropped and, if required, you can disable the rule and open a TAC case to investigate whether it's really a false positive.
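
A worked example of the tuning loop this reply and the first reply describe (rules in detect-only mode first, then intrusion events to see what is being dropped or would be dropped, then a decision per rule). It is an added illustration, not something from this thread and not Cisco tooling: the event lines, rule SIDs and addresses are constructed, the one-line event format is a simplification I assumed rather than a real FMC export, and the internal address ranges and verdict thresholds are assumptions to adjust for a real site.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample intrusion events (not real FMC/FireSIGHT output). One event per line:
#   timestamp | inline result | GID:SID:rev | rule message | src:port -> dst:port
# "Would have dropped" is what a drop rule reports while the policy runs in detect-only
# (IDS) mode; "Dropped" means the inline policy actually blocked the packet.
SAMPLE_EVENTS = """\
2016-03-01T12:00:01Z | Would have dropped | 1:2000:3 | SERVER-WEBAPP directory traversal attempt | 198.51.100.7:40001 -> 10.1.2.10:80
2016-03-01T12:00:05Z | Would have dropped | 1:2000:3 | SERVER-WEBAPP directory traversal attempt | 203.0.113.44:40002 -> 10.1.2.10:80
2016-03-01T12:00:09Z | Would have dropped | 1:2000:3 | SERVER-WEBAPP directory traversal attempt | 198.51.100.9:40003 -> 10.1.2.10:80
2016-03-01T12:01:00Z | Dropped | 1:3000:1 | APP-DETECT custom update agent user-agent | 10.1.5.20:51000 -> 203.0.113.9:443
2016-03-01T12:01:02Z | Dropped | 1:3000:1 | APP-DETECT custom update agent user-agent | 10.1.5.20:51001 -> 203.0.113.9:443
2016-03-01T12:01:04Z | Dropped | 1:3000:1 | APP-DETECT custom update agent user-agent | 10.1.5.21:51002 -> 203.0.113.9:443
2016-03-01T12:02:00Z | Would have dropped | 1:4000:2 | PROTOCOL-ICMP unusual payload | 192.168.3.3:0 -> 10.1.2.10:0
"""

# Assumed internal address space; replace with the site's own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<result>[^|]+?) \| (?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+) \| "
    r"(?P<msg>[^|]+?) \| (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)


def parse_events(text):
    """Parse the constructed event format; rules are keyed by GID:SID (revision dropped)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed event line: {line!r}")
        d = m.groupdict()
        events.append({"ts": d["ts"], "result": d["result"].strip(),
                       "rule": f"{d['gid']}:{d['sid']}", "msg": d["msg"].strip(),
                       "src": d["src"], "dst": d["dst"]})
    return events


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(events):
    """Per rule: event count, inline-result breakdown, internal vs external source hosts."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["rule"], {"msg": e["msg"], "count": 0, "results": Counter(),
                                           "internal_src": set(), "external_src": set()})
        s["count"] += 1
        s["results"][e["result"]] += 1
        (s["internal_src"] if is_internal(e["src"]) else s["external_src"]).add(e["src"])
    return summary


def triage(summary, min_events=3):
    """Verdict per rule:
    VERIFY_DROP     - already dropping, and the sources are mostly internal hosts: confirm the
                      traffic is really malicious before keeping the rule in drop (this is the
                      case where legitimate traffic is being blocked).
    CANDIDATE_BLOCK - detect-only rule that fired repeatedly on mostly external sources:
                      a candidate to switch from alert to drop.
    MONITOR         - too few events or a mixed picture: leave in detect mode, keep watching.
    """
    verdicts = {}
    for rule, s in summary.items():
        dropping = s["results"].get("Dropped", 0) > 0
        internal_heavy = len(s["internal_src"]) > len(s["external_src"])
        if dropping and internal_heavy:
            verdicts[rule] = "VERIFY_DROP"
        elif not dropping and not internal_heavy and s["count"] >= min_events:
            verdicts[rule] = "CANDIDATE_BLOCK"
        else:
            verdicts[rule] = "MONITOR"
    return verdicts


def report(text):
    summary = summarize(parse_events(text))
    verdicts = triage(summary)
    lines = []
    for rule, s in sorted(summary.items()):
        res = ", ".join(f"{k}={v}" for k, v in sorted(s["results"].items()))
        lines.append(f"{rule:<8}{verdicts[rule]:<16} events={s['count']} {res} "
                     f"internal_src={len(s['internal_src'])} "
                     f"external_src={len(s['external_src'])}  {s['msg']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

On the constructed sample, the traversal rule (1:2000) comes out as a candidate to move to drop, the user-agent rule (1:3000) is flagged for verification because it is blocking two internal hosts, and the ICMP rule stays in monitor. The verdicts only rank what to look at first; the packet captures for a TAC case still come from the events themselves.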

Dear Yogdhanu,

Thanks for the reply.

The base policy I have selected is Security over Connectivity, which is more secure than Balanced Security and Connectivity; please correct me if I'm wrong.

thanks

Hi Jack,

Yes, it's more secure, but I would suggest making sure there are not too many rules enabled in there, as that could impact performance. All the testing on the Firepower appliance is done using the Balanced Security and Connectivity policy, so using Security over Connectivity does increase the load on the system.

But as long as the traffic is not oversubscribing the device, it should be OK.

Thanks for the reply

Yes, if it is not affecting the load, I will keep Security over Connectivity, but in case it has an impact in future, I will definitely change.

I have created a separate inline policy by copying the existing one, and apart from that I have used recommendations to enable rules. I am not sure that this is enough.

Can you guide me on what else is to be configured in the IPS as a best practice from Cisco?

Please find the attached rule update. If I'm not wrong, it will update the rules automatically at 12:00 and reapply the policies, so I don't have to download them manually; is that configuration correct?

thanks

Yes, once you select recurring rule update and apply policies, you don't need to do it manually.

You can enable network discovery and then run the FireSIGHT recommendations in the IPS policy, which would suggest enabling rules based on the hosts, OS and protocols being used in your network.

Check this out from the user guide.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/Intrusion-FireSIGHT-Recs.html#62364
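
A simplified model of the recommendation step described in this reply and in the first reply, added here as an illustration. It is not from this thread and is not Cisco's FireSIGHT implementation: rules carry Snort-style `metadata:` options naming the base policies they belong to (`policy balanced-ips drop`) and the service they inspect (`service http`), and a rule is recommended only when a discovered host actually runs that service, with its state taken from the chosen base policy. The rule catalog, SIDs, messages and host table are constructed. It also goes a step beyond the reply to show two things raised earlier in the thread: why Security over Connectivity enables more rules than Balanced, and why the recommended set changes when discovery finds a new host.

```python
import re

# Constructed rule catalog (made-up SIDs and messages). The metadata keys follow the general
# shape of Snort rule "metadata:" options: "policy <base-policy> <state>" says which base
# policies include the rule and in what state; "service <name>" names the inspected service.
RULE_CATALOG = """\
alert tcp any any -> any 80 (msg:"SERVER-WEBAPP directory traversal attempt"; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:2001; rev:1;)
alert tcp any any -> any 445 (msg:"OS-WINDOWS SMB pipe probe"; metadata:policy security-ips drop, service netbios-ssn; sid:2002; rev:1;)
alert tcp any any -> any 22 (msg:"SERVER-OTHER SSH version scan"; metadata:policy security-ips alert, service ssh; sid:2003; rev:1;)
alert udp any any -> any 53 (msg:"PROTOCOL-DNS malformed response"; metadata:policy balanced-ips alert, policy security-ips drop, service dns; sid:2004; rev:1;)
alert tcp any any -> any 3306 (msg:"SERVER-MYSQL authentication overflow attempt"; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; sid:2005; rev:1;)
"""

# Constructed stand-in for the network discovery host table: the services each host runs.
DISCOVERED_HOSTS = [
    {"ip": "10.1.2.10", "services": {"http", "ssh"}},
    {"ip": "10.1.2.11", "services": {"dns"}},
]

RULE_RE = re.compile(r'msg:"(?P<msg>[^"]*)";.*?metadata:(?P<meta>[^;]*);.*?sid:(?P<sid>\d+);')


def parse_rules(text):
    """Extract sid, message, per-policy state and service tags from each rule line."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.search(line)
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        policies, services = {}, set()
        for item in m.group("meta").split(","):
            parts = item.split()
            if len(parts) == 3 and parts[0] == "policy":
                policies[parts[1]] = parts[2]          # e.g. {"balanced-ips": "drop"}
            elif len(parts) == 2 and parts[0] == "service":
                services.add(parts[1])
        rules.append({"sid": int(m.group("sid")), "msg": m.group("msg"),
                      "policies": policies, "services": services})
    return rules


def observed_services(hosts):
    seen = set()
    for host in hosts:
        seen |= set(host["services"])
    return seen


def recommend(rules, hosts, base_policy):
    """State per sid: the base policy's state when a discovered host runs a matching service,
    otherwise 'disabled'. Rules the base policy does not include stay disabled."""
    seen = observed_services(hosts)
    states = {}
    for r in rules:
        state = r["policies"].get(base_policy)
        if state is None or not (r["services"] & seen):
            states[r["sid"]] = "disabled"
        else:
            states[r["sid"]] = state
    return states


def enabled_count(states):
    return sum(1 for s in states.values() if s != "disabled")


def diff_states(before, after):
    """Sids whose state differs between two recommendation runs (why counts drift day to day)."""
    return {sid: (before[sid], after[sid]) for sid in before if before[sid] != after[sid]}


if __name__ == "__main__":
    rules = parse_rules(RULE_CATALOG)
    for policy in ("balanced-ips", "security-ips"):
        states = recommend(rules, DISCOVERED_HOSTS, policy)
        print(f"{policy}: {enabled_count(states)} of {len(rules)} rules enabled -> {states}")
    # A newly discovered MySQL host changes the recommendation on the next run.
    later = DISCOVERED_HOSTS + [{"ip": "10.1.2.12", "services": {"mysql"}}]
    print("changes after new host:",
          diff_states(recommend(rules, DISCOVERED_HOSTS, "balanced-ips"),
                      recommend(rules, later, "balanced-ips")))
```

With the constructed inputs, Balanced enables two of the five rules and Security over Connectivity three (the SSH scan rule only exists in the security policy), which is the load difference the accepted answer warns about. Adding a MySQL host to the discovery table flips sid 2005 from disabled to drop on the next run, which is the day-to-day drift in enabled-rule counts asked about earlier in the thread.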

Dear yogdhanu,

You can enable network discovery and then run the FireSIGHT recommendations in the IPS policy, which would suggest enabling rules based on the hosts, OS and protocols being used in your network.

Yes, I have done the above. Is there anything apart from that to make the IPS configuration more professional?

Does the IPS inspect HTTPS/SSL traffic for intrusion prevention?

thanks

Hi Jack,

Hope you can receive my message and question. My FireSIGHT is using the default base policy "Balanced Security and Connectivity".

But I am thinking of creating a separate IPS policy by copying the existing one,

because the existing one will be automatically updated from the support site by the recurring rule update.

Can you share more information on using a separate custom policy? After copying and applying, it should not be affected by auto-update?

Thanks

toddlammle
Level 1

Please read this important update so you understand what Cisco updates, and what you should do on your Firepower IPS system:

https://www.lammle.com/post/which-ips-rules-does-cisco-enable-on-your-firepower-system-think-you-know-youre-probably-wrong/
