03-27-2017 05:40 AM - edited 03-10-2019 06:48 AM
Hi, my name is Ivan.
I have a question:
Could you help me configure a policy to block viruses, trojans and worms, using only signatures, for any traffic, in the FireSIGHT Manager FS750 v6.0? My AMP is 7150.
Please could you help me?
Regards.
Ivan.
03-27-2017 06:11 AM
Do you have an existing IPS policy in place already? The default IPS policy already has intrusion rules that should catch viruses, trojans, etc. You can change the base IPS policy from "Balanced Security and Connectivity" to "Security over Connectivity" if you want more block rules to be enabled. Some basics regarding creating and modifying intrusion rules are here:
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/getting_started_with_intrusion_policies.html
For AMP, you would again have to integrate that with your access control policy. You can set file types for detection and malware cloud lookup based on your environment.
http://www.cisco.com/c/en/us/td/docs/security/firepower/610/configuration/guide/fpmc-config-guide-v61/access_control_using_intrusion_and_file_policies.html#ID-2177-0000011b
03-27-2017 06:38 AM
Yes.
But I would like to see a category specifically for viruses, trojans and worms in FSM, to block this signature.
Is it possible?
03-27-2017 07:05 AM
If you pull up a view of all blocked connections you can sort by the reason for blocking. That's the best approach for 90% or more of customers.
If you want to fine-tune the signatures (normally not necessary beyond what Rahul already suggested) you can go into your Intrusion Policy and select the categories you want and make sure the action is set to "Drop and Generate Events" for all of those.
For trojans and worms you will see a lot of signatures, most of which are already checked for you. Virus not so much, as FirePOWER's IPS component is not really an antivirus product per se. If you have the Malware license, you can block malware (including viruses) via a Malware & File policy, which will check all executables, Office documents, PDF files, etc. for known malware.