FMC policy examples?

JG1978, Level 1

Does anyone have any resources showing some good policy examples for FTD (all the policies, not just one)? We have had an FMC system running 4 FTD sensors for over a year now and we are struggling to get any real value from them.

I don't know what we are doing wrong here, but our LDAP traffic is all being flagged as "Ultrasurf" (TAC case opened 2 months ago, no progress). Another example is that our system is showing Malware/CNC traffic, but every time we go and investigate one of the PCs there are no other indications of anything malicious.

I was hoping to find some good samples to compare and see what we could be doing better. Our contracts are coming up soon and we may be heading to a different technology other than Cisco, since Firepower has been a disaster for us.

 

Accepted Solution (Marvin Rhoads)

It sounds like you really need somebody with Firepower experience to sit down and go through your setup and policies.

If you can't manage that, then have a careful read of the links in the thread I mentioned earlier. You need at a minimum a basic object definition (HOME_NET and EXTERNAL_NET), a network discovery policy and an identity policy. Depending on where the Firepower device sits logically in your network, there may be other things you want to do with respect to prefilter, access control, etc. that will enhance the fidelity of the reports and dashboards.

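As an added illustration of the HOME_NET / EXTERNAL_NET point in the accepted solution (this is example code written for this page, not the poster's configuration and not a Cisco tool): in Snort-based inspection, HOME_NET is the set of addresses the sensor treats as protected and EXTERNAL_NET as the outside; a host that falls outside HOME_NET is reported as an external party, and a variable set left at the default "any" for both puts every host in both. The script below evaluates Snort-style variable lists (CIDR entries, `!` exclusions, `any`, and `$VAR` references) against a list of internal servers and reports which ones would be classified as external or ambiguous. The variable-set contents, server names and addresses are all constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed variable set roughly in the shape an admin would tune in FMC
# (assumed values, not the poster's real network).
TUNED_VARIABLE_SET: Dict[str, List[str]] = {
    "HOME_NET": ["10.10.0.0/16", "192.168.50.0/24", "!10.10.99.0/24"],
    "EXTERNAL_NET": ["!$HOME_NET"],
}

# The out-of-the-box state this example assumes: both variables set to "any".
DEFAULT_VARIABLE_SET: Dict[str, List[str]] = {
    "HOME_NET": ["any"],
    "EXTERNAL_NET": ["any"],
}

# Constructed internal servers by role (the thread mentions LDAP on TCP/389 and DNS).
INTERNAL_SERVERS: Dict[str, str] = {
    "ldap-dc1": "10.10.5.10",
    "ldap-dc2": "10.10.5.11",
    "dns-resolver": "172.16.20.53",  # deliberately left out of HOME_NET
    "lab-host": "10.10.99.7",        # inside an excluded range
}


def matches(addr: str, entries: List[str], varset: Dict[str, List[str]]) -> bool:
    """Snort-style list evaluation: any '!' entry that hits excludes the address;
    otherwise the address matches if it hits a positive entry, or if the list
    contains only negations (e.g. EXTERNAL_NET = !$HOME_NET)."""
    ip = ipaddress.ip_address(addr)
    saw_include = False
    include_hit = False
    for raw in entries:
        raw = raw.strip()
        negated = raw.startswith("!")
        token = raw[1:] if negated else raw
        if token == "any":
            hit = True
        elif token.startswith("$"):
            # Reference to another variable in the same set, resolved recursively.
            hit = matches(addr, varset[token[1:]], varset)
        else:
            hit = ip in ipaddress.ip_network(token, strict=False)
        if negated:
            if hit:
                return False
        else:
            saw_include = True
            include_hit = include_hit or hit
    return include_hit if saw_include else True


def audit(servers: Dict[str, str], varset: Dict[str, List[str]]) -> Dict[str, str]:
    """Classify each known internal server against HOME_NET and EXTERNAL_NET."""
    findings = {}
    for name, addr in servers.items():
        home = matches(addr, varset["HOME_NET"], varset)
        ext = matches(addr, varset["EXTERNAL_NET"], varset)
        if home and not ext:
            findings[name] = "ok"
        elif ext and not home:
            findings[name] = "outside_home_net"   # will show up as an external attacker
        elif home and ext:
            findings[name] = "overlap"            # in both; default any/any does this
        else:
            findings[name] = "neither"
    return findings


if __name__ == "__main__":
    for label, varset in (("tuned", TUNED_VARIABLE_SET), ("default", DEFAULT_VARIABLE_SET)):
        print(f"--- {label} variable set ---")
        for name, status in audit(INTERNAL_SERVERS, varset).items():
            print(f"{name:14s} {INTERNAL_SERVERS[name]:16s} {status}")
```

Running it against the tuned set reports the DNS resolver and the lab host as outside HOME_NET, which is the kind of definition gap that makes an internal server appear among external attackers; against the default set every host lands in "overlap", which is why the accepted answer treats the object definitions as the first thing to fix.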

3 Replies

Marvin Rhoads, Hall of Fame

Please have a look at the references mentioned in this thread:

 

https://community.cisco.com/t5/intrusion-prevention-and/moving-from-cx-to-firepower/m-p/3008915

 

Did you set up the systems on your own, or did a partner field engineer do the initial setup? If the latter, they should have done a lot of the policies to start with. Otherwise, "out of the box" there are several steps you need to perform and understand to get good discovery and protection.

JG1978, Level 1

Our Cisco rep helped but really only did 1 policy, which was a catch-all of "any any". I have read a lot and have started to create my own policies but am not really sure what best practices are. Firepower is a beast that can look at everything; it's overwhelming to figure out what needs to be filtered, etc.

I have a 2-month-old TAC case open because all of our LDAP (TCP 389) traffic is showing up as Ultrasurf instead of LDAP. Our DNS server is being flagged as our top attacker. It has not been a good experience.

That PDF looks like a great resource; I will look into it.

Thanks!
