01-30-2019 05:56 AM - edited 03-12-2019 07:15 AM
I kindly ask you to help me.
Well, we deployed IPS on Firepower and created a network analysis policy to block the nmap scanner. When a computer begins scanning another computer, Firepower blocks it and generates an event. That is OK. But yesterday I saw that TFTP traffic caused portscan detection to block the traffic. I mean, one branch router interface sends some traffic to a TFTP server daily, but I don't understand why the IPS sees it as malicious traffic. It treats that traffic as if it were generated by some network scanning tool. Hope you got what I mean.
01-30-2019 06:09 AM
There is no easy answer to your question. We do not know what tweaking you did in the NAP. I read not long ago in Cisco documentation not to change NAP settings unless you definitely know how the packet flow behaves in the NAP.
In essence, what the NAP does is inspect packets: checking whether a packet is malformed, decoding, normalization, and preprocessing. In the NAP the packet is decoded, according to Cisco documentation.
In short, there is no answer to fix your issue unless you know what you applied in your NAP settings.
02-01-2019 04:28 AM
Thanks for the answer.
One more question I want to ask is about the variable set. We use Firepower as an internal firewall. The IPS has already been configured with Connectivity over Security and its default variable set. I have read lots of documentation and all of it says we must configure the variable set. Frankly, I didn't understand how to configure it. Please correct me if I am wrong.
Let's say the internal IP ranges are 192.168.0.0, 10.0.0.0, 172.16.0.0. I will enter the default variable set, find the home_net variable and edit it by including only the IP addresses shown above. Do you think it is enough?
02-01-2019 05:39 AM
02-01-2019 05:57 AM
I have already watched the video. One question I have again. The video shows that we can edit the default set. OK, let's say I edit the default set's home_net variable and add only the 10.0.0.0/8 network, then apply it to the ACP. So don't you think it will only inspect that subnet and not the others (192.168.0.0, 172.16.0.0)?
What about direction? Let's say one user attempts to reach some web sites (external IPs). Will the IPS inspect that connection as well?
02-01-2019 07:03 AM - edited 02-01-2019 07:07 AM
Let's say the internal IP ranges are 192.168.0.0, 10.0.0.0, 172.16.0.0. I will enter the default variable set, find the home_net variable and edit it by including only the IP addresses shown above. Do you think it is enough?
Yes, that is correct; also you need to exclude your IP addresses from the External_Net.
What about direction? Let's say one user attempts to reach some web sites (external IPs). Will the IPS inspect that connection as well?
If the initiator is from inside, it will be a stateful inspection in regards to the ASA code. If you have IPS rules in place, they will kick in in parallel with the NAP.
02-02-2019 11:28 AM
Hello.
Yes, that is correct; also you need to exclude your IP addresses from the External_Net.
Why do I need to exclude private IP addresses from the External_net variable?
Frankly, I don't understand why Cisco strongly recommends changing the variable set. What exactly do variables do on the IPS?
Please explain as simply as possible. Thanks in advance.
02-03-2019 10:44 AM
02-03-2019 11:18 PM
Hi RJI
I changed the default home_net variable by adding my own networks (172.16.0.0, 192.168.0.0) and added these IP addresses to the External_net exclusion field. Is it enough?
My firewall is an internal firewall. I want to inspect traffic between local IP addresses. Do you think the configuration I just wrote is enough for my network? Do I need to do something more?