Hello Rahul,

Thanks for the reply. I have attached couple config screenshots.

If possible I have couple questions:

 - what the use of Mandatory vs Default Policies in screenshot no2.

 - also on the last screenshot it says that alert is being used by 10 policies. How can I find out where those policies are configured to use it? (this is a scenario I inherited so I am trying to catch up)

Back to the threads original issue: I had accidentally stepped over Network Discovery. By default I had selected only applications and no alarm was triggered. After I clicked on host and I have added the /24 that Kali server was part of only then alerts started to pour in.

Is it mandatory network discovery is configured prior to enabling Acces Control policies?

Thanks,

Florin.

I only see screenshot#5 attached.

To answer your questions:

1) Mostly relevant when you have parent and Child policies. Mandatory rules are looked through first, then any child policies, and finally default policies. I think of Mandatory rules as something all traffic has to check first before child polices, while default are generic policies you want to apply for any traffic that does not match Mandatory or Child Policies.

2) I don't know of any easy way to do this other than looking through the policy section and checking under the "Logging" tab.

Ideally, the Network Discovery rule includes host discovery for all the LAN segments on your network. There may be cases where you can exclude load-balancer's and other high volume devices from this. 

According to the Firepower guide, one of the reasons for having Host discovery is:

Alerting you by email, SNMP trap, or syslog when the system generates either an intrusion event with a specific impact flag, or a specific type of discovery event

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Introduction_to_Network_Discovery.html#concept_B9C9F7BF250847D6A4FB888CB738EA17

Hi,

To answer the initial question of why intrusion policy is not generating any alerts, the easy test/verification is as below:

++ Edit the intrusion policy that is associated with the access control rule.

++ Select the DNS blacklist signature from intrusion policy and set the action to "drop and generate events".

++ Perform the policy deploy and initiate a DNS request for the domain listed in blacklisted signature.

This should generate an event under Intrusion events.

Hello,

DNS blacklist worked fine. Here some details of how to do it:

Go to the IPS profile and search for signature ID 28039 ; select it and the pick Drop and Generate Events.

Make sure the ACL on the ASDM matches source your test machine, destination 8.8.8.8

Lastly perform a DNS query to 8.8.8.8 for this know “bad entry”: jamloop.zrbcn.pw

Now I have another query Google Search doensn't help due to the fact Firepower has its own NMAP.

Security asked me why NMAP scans to our networks DOES NOT TRIGGER any IPS Events.

Please advise!