11-26-2024 09:08 AM
Hi guys,
Firewall Device Manager - Firepower 1010 (standalone mode, managed via HTTPS locally). I want to enable IPS on it. I created a new policy and I used one of the default IPS policies (maximum detection). I can see some hits, but when I do e.g. nmap from a test device to the outside IP, it does not trigger anything. The same for DoS etc.
My main question is about zones in that policy:
source: outside
destination: any
Does that include the Firepower itself when I try to do nmap on the outside IP? Why isn't it triggering anything? I am missing something obvious, aren't I? I am more of a Cisco ASA guy, so this platform is a bit new for me.
11-26-2024 09:42 AM
@mar001 no, IPS is for traffic "through" the FTD, not "to" the FTD itself. Generate traffic to a device on the other side of the FTD.
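As an added illustration of the answer above (not code from the thread or from Cisco), a small Python model of how a zone-based IPS rule sees a flow: interface addresses, zones and the default route are constructed placeholders, NAT is ignored (destination IPs are taken as real addresses), and any flow addressed to one of the firewall's own interface IPs is treated as to-the-box traffic that the through-traffic rule never evaluates.

```python
import ipaddress

# Constructed sample topology; addresses are placeholders, not from the thread.
INTERFACES = {
    "outside": ipaddress.ip_interface("203.0.113.10/24"),
    "inside": ipaddress.ip_interface("192.168.1.1/24"),
}
ZONE_OF_INTERFACE = {"outside": "outside", "inside": "inside"}
DEFAULT_ROUTE_INTERFACE = "outside"  # assumption: default route points outside

# The poster's rule: source zone "outside", destination "any" (None).
IPS_RULE = {"src_zones": {"outside"}, "dst_zones": None}


def egress_interface(ip):
    """Longest-prefix match over connected networks, else the default route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, iface in INTERFACES.items():
        net = iface.network
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    return best[0] if best else DEFAULT_ROUTE_INTERFACE


def zone_of(ip):
    return ZONE_OF_INTERFACE[egress_interface(ip)]


def is_to_the_box(dst_ip):
    """True when the destination is one of the firewall's own interface addresses."""
    return any(ipaddress.ip_address(dst_ip) == i.ip for i in INTERFACES.values())


def ips_verdict(src_ip, dst_ip, rule=IPS_RULE):
    # Modelled behaviour (assumption): traffic addressed to the box itself is
    # handled by the device's own control plane, not by the through-traffic
    # access control rule that carries the intrusion policy.
    if is_to_the_box(dst_ip):
        return "to-the-box: not evaluated by the IPS rule"
    src_ok = rule["src_zones"] is None or zone_of(src_ip) in rule["src_zones"]
    dst_ok = rule["dst_zones"] is None or zone_of(dst_ip) in rule["dst_zones"]
    if src_ok and dst_ok:
        return "through-traffic: matched, intrusion policy applies"
    return "through-traffic: zones do not match this rule"


if __name__ == "__main__":
    print(ips_verdict("198.51.100.7", "203.0.113.10"))  # scan of the outside IP
    print(ips_verdict("198.51.100.7", "192.168.1.20"))  # host behind the FTD
    print(ips_verdict("192.168.1.20", "198.51.100.7"))  # inside-originated flow
```

The first call reproduces the poster's nmap test and yields no IPS evaluation; the second, aimed at a host behind the FTD, is the traffic the rule actually inspects.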
11-26-2024 10:07 AM
Hmmm.... I cannot see if someone scans all my ports 24/7 or tries to DoS me because I do not have any ports open? Does not seem right
What about ICMP DoS attack? Can someone execute it because they target my firewall and I will not get an alert?
11-26-2024 09:55 AM
https://www.youtube.com/watch?v=SutDkvAklsE <<- I think this is what you are looking for
MHM
11-26-2024 10:05 AM
Thx, I saw this video, however, this is FMC, I use Firewall Device Manager which is completely different.
11-26-2024 10:32 AM
I think FDM does not support this feature.
Open a TAC case and ask Cisco about it.
Thanks
MHM