FMC Default Logging and Default IPS

dan hale
Level 3

Hi... I have a Firepower Management Center running 4110 in FTD. We are on version 6.2.3.4 on FMC.

I have about 50 Access Control Policy rules... is there a way that I can turn on logging globally on all the ACP rules, or do I have to go to each Access Control Policy rule and turn on each one?

The same goes for my IPS features. I have created an IPS policy, but do I need to go to each ACP rule and turn it on?

I see that there is a "Network Analysis and Intrusion Policies" page where I can set my default network analysis policy, but I did not see the policy I created.

[image: Network Analysis and intrusion policies.JPG]

Thanks,

Dan

Accepted Solution

Hi Dan Hale,

Network analysis and intrusion policies work together as part of the Firepower intrusion detection and prevention feature.

The network analysis policy governs how traffic is decoded and preprocessed so that it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt.

An intrusion policy uses intrusion and preprocessor rules (sometimes referred to collectively as intrusion rules) to examine the decoded packets for attacks based on patterns. Intrusion policies are paired with variable sets, which allow you to use named values to accurately reflect your network environment.

Below is the order of traffic analysis in an inline intrusion prevention and advanced malware protection (AMP) deployment. It illustrates how the access control policy invokes other policies to examine traffic, and in which order those policies are invoked. The network analysis and intrusion policy selection phases are highlighted.

[image: 2018-12-15 01_25_29-Understanding Network Analysis and Intrusion Policies.jpg]

Thanks,
Abheesh
PS: Please don't forget to rate and select as validated answer if this answered your question.

9 Replies

Abheesh Kumar
VIP Alumni

Hi,

For logging and enabling the IPS policy on ACP rules, you need to go to each and every rule to enable it. There is no global option for enabling it.

For the network analysis policy, go to Intrusion Policy; in the top right corner you can see the Network Analysis tab. Click Create Policy. Then go to the ACP, edit the policy, and under Advanced Settings select the network analysis policy there.

Hope This Helps

Abheesh
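Since the UI offers no global switch, the per-rule change can be scripted against the FMC REST API instead. The following is an added example, not code from the thread or from Cisco; it assumes the FMC 6.2.x REST API paths shown (token endpoint, access policy and access rule endpoints), an FMC user with API access, and the intrusion policy UUID supplied by the caller.

```python
"""Added example, not from the thread: set connection logging and an IPS policy on every
rule of one FMC access control policy via the FMC REST API instead of editing each rule in
the UI. Assumed: FMC 6.2.x API paths below, an API-enabled user, the IPS policy UUID."""
import base64
import json
import ssl
import urllib.request

BLOCK_ACTIONS = {"BLOCK", "BLOCK_RESET", "BLOCK_INTERACTIVE", "BLOCK_RESET_INTERACTIVE"}

def rule_update_body(rule, ips_policy_id):
    """Copy a GET rule for PUT: drop read-only fields, log to FMC (block rules may only
    log at connection start), attach IPS to Allow rules (IPS inspects allowed traffic)."""
    body = {k: v for k, v in rule.items() if k not in ("metadata", "links")}
    is_block = body.get("action") in BLOCK_ACTIONS
    body["logBegin"], body["logEnd"] = is_block, not is_block
    body["sendEventsToFMC"] = True
    if body.get("action") == "ALLOW":
        body["ipsPolicy"] = {"id": ips_policy_id, "type": "IntrusionPolicy"}
    return body

class FMCClient:
    def __init__(self, host, user, password, verify_tls=True):
        self.base, self.ctx = f"https://{host}", ssl.create_default_context()
        if not verify_tls:  # lab only: FMC still on its self-signed certificate
            self.ctx.check_hostname, self.ctx.verify_mode = False, ssl.CERT_NONE
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.auth = {"Authorization": "Basic " + cred}  # basic auth only for the token call
        with self._send("POST", "/api/fmc_platform/v1/auth/generatetoken") as r:
            self.domain = r.headers["DOMAIN_UUID"]
            self.auth = {"X-auth-access-token": r.headers["X-auth-access-token"]}

    def _send(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Content-Type": "application/json", **self.auth})
        return urllib.request.urlopen(req, context=self.ctx)

    def config(self, method, path, body=None):  # fmc_config call under the login domain
        with self._send(method, f"/api/fmc_config/v1/domain/{self.domain}{path}", body) as r:
            return json.load(r)

def enable_logging_and_ips(client, acp_id, ips_policy_id):
    """PUT every rule of the ACP (one page, limit 1000); returns names changed. Deploy after."""
    rules = f"/policy/accesspolicies/{acp_id}/accessrules"
    changed = []
    for rule in client.config("GET", rules + "?expanded=true&limit=1000").get("items", []):
        client.config("PUT", f"{rules}/{rule['id']}", rule_update_body(rule, ips_policy_id))
        changed.append(rule["name"])
    return changed
```

The changes land in the FMC configuration only; a policy deploy to the FTD is still required afterwards, and the FMC API rate limit (120 requests per minute) is ample for 50 rules.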

Thanks Abheesh,

So what is the real difference between the Network Analysis policy and the Intrusion Prevention policy... I guess I thought they were the same.

Thanks,

Dan

Hi Dan

The Network Discovery policy relates to scanning the traffic and builds up all the host profile intelligence attributes.

The Intrusion Policy relates to the Deep Packet Inspection for known malware file signatures, vulnerability exploits, etc. The IPS (Snort) engine provides the pass or block verdict.

As Phil mentioned, they are two different sets of rules.

The network discovery policy is a passive policy to gather the network information; however, you must define a network discovery policy. By default it is 0.0.0.0 and the limit is 50,000.

IPS is as Phil mentioned.

You can also do a NAP for more specific network security to define your network parameters, etc.

please do not forget to rate.

evan.chadwick1
Level 1

Looks like this thread has handled your Q. 

Interested to know your use case for needing 50 rules in an ACL Policy?

Hi Evan,

I've worked on plenty of older firewalls (PIX/ASA) that have had far more than 50 ACL rules.

This particular firewall we converted from a Cisco ASA 5510. While we cleaned up the ACLs before we converted based on the ACL hit counts, there were ACLs still being used. Long term we will hopefully clean up more that don't need to be used.

Thanks,

Dan

Hi, I was referring to the Firepower ACL policy, not ASA.

Thanks for reply however.

dan hale
Level 3

Thank you everyone for the great info... cleared it up!

Thanks,

Dan