FPR1140 FTD IPS performance impact?

I have recently migrated an ASA5555-X context over to a standalone FPR1140 running FTD managed by a FMC.

I used the FMT to migrate the objects, NAT and 500+ line ACL policy over, which on the whole worked - there were some quirks that needed tweaking, but on the whole it worked.

The customer now wants to enable IPS and I'm not sure of the best approach or how much of a performance impact this will have.

My understanding is that each ACE requires the intrusion policy enabling - either one of the four built-in policies or a custom policy.  With FMC 6.6.5 we can select multiple ACEs to edit simultaneously, so we can do this relatively quickly from the FMC (100 lines per page, select all, etc.).

I'm not sure about the impact though.  Is it safe just to enable it on all ACEs, or should we look at each one and decide whether it should be enabled?  There are 500+ ACEs, so it's not a quick task if each needs to be checked.

Is there a best practice guide for this, or is it a finger-in-the-air job?

 

Cheers

Andy

5 Replies

Marvin Rhoads
Hall of Fame

There should be negligible impact from turning on IPS on the device. Basically that's what the system is designed to do. The internal performance estimator tool shows a 2-3% CPU delta with IPS on vs. off.

When you bulk edit the ACP entries just be sure to not select any entries whose action is Block as their presence in the group will make applying an Intrusion Policy be greyed out as an available action.

As always thanks for the reply Marvin.

I have been playing around with the FMCv I have at home.  If you select multiple ACEs and edit them to enable the IPS policy, for any of them that are set to Block it doesn't apply the IPS policy to that ACE.

I am guessing enabling logging should also be a must - log at end of connection on all permit rules and log at start on all blocks?

Cheers

Andy

That's right re logging.
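The bulk edit discussed above (attach an intrusion policy to every rule that can take one, skip the Block rules that cannot, log at end of connection on permit rules and at start on block rules) can be scripted instead of clicked through 100 rows at a time. The following is an added example, not code from the thread or from Cisco. It assumes rule dictionaries shaped like the FMC REST API accessrules resource (fields action, ipsPolicy, logBegin, logEnd, sendEventsToFMC); those field names and the action enum spellings are assumptions to verify against your FMC's API Explorer before using the output in a PUT. The sample rules and policy id are constructed for the demo.

```python
"""
Plan the bulk ACP edit described in the thread over a list of access rules.

Assumptions (not from the thread): rule dicts use the field names of the
FMC REST API accessrules resource:
  /api/fmc_config/v1/domain/{domain}/policy/accesspolicies/{acp}/accessrules
i.e. action, ipsPolicy, logBegin, logEnd, sendEventsToFMC. Check the action
enum spellings in your FMC's API Explorer; only the prefixes are relied on.
"""
from copy import deepcopy


def ips_capable(action):
    # Assumed: only Allow and Interactive Block rules expose the Inspection
    # tab; Block, Trust and Monitor rules cannot carry an intrusion policy.
    return action == "ALLOW" or "INTERACTIVE" in action


def is_block(action):
    # Any BLOCK* variant (with or without reset) logs at start of connection.
    return action.startswith("BLOCK")


def plan_rule_updates(rules, ips_policy):
    """Return (updated_rules, skipped_names).

    updated_rules holds a modified copy of every rule that changed, ready to
    be PUT back; skipped_names lists rules whose action cannot take an IPS
    policy (the ones the FMC bulk editor greys out when selected).
    """
    updated, skipped = [], []
    for rule in rules:
        new = deepcopy(rule)
        action = str(rule.get("action", "")).upper()

        if ips_capable(action):
            new["ipsPolicy"] = {"id": ips_policy["id"],
                                "name": ips_policy["name"],
                                "type": "IntrusionPolicy"}
        else:
            skipped.append(rule["name"])

        if is_block(action):
            new["logBegin"], new["logEnd"] = True, False   # log at start
        else:
            new["logBegin"], new["logEnd"] = False, True   # log at end
        new["sendEventsToFMC"] = True

        if new != rule:          # only rules that actually changed get PUT
            updated.append(new)
    return updated, skipped


def summarize(updated, skipped):
    ips_count = sum(1 for r in updated if "ipsPolicy" in r)
    return {"changed": len(updated), "ips_attached": ips_count,
            "skipped": len(skipped)}


# Constructed sample rules for the demo (shape only; ids are made up).
SAMPLE_RULES = [
    {"id": "r1", "type": "AccessRule", "name": "permit-web", "action": "ALLOW",
     "enabled": True, "logBegin": False, "logEnd": False, "sendEventsToFMC": False},
    {"id": "r2", "type": "AccessRule", "name": "permit-dns", "action": "ALLOW",
     "enabled": True, "logBegin": False, "logEnd": True, "sendEventsToFMC": True},
    {"id": "r3", "type": "AccessRule", "name": "deny-telnet", "action": "BLOCK",
     "enabled": True, "logBegin": False, "logEnd": False, "sendEventsToFMC": False},
    {"id": "r4", "type": "AccessRule", "name": "trust-backup", "action": "TRUST",
     "enabled": True, "logBegin": False, "logEnd": True, "sendEventsToFMC": True},
]
# Hypothetical id; look the real one up from the intrusionpolicies resource.
BALANCED = {"id": "ips-balanced", "name": "Balanced Security and Connectivity"}

if __name__ == "__main__":
    upd, skip = plan_rule_updates(SAMPLE_RULES, BALANCED)
    print(summarize(upd, skip))
    print("no IPS policy on:", skip)
```

Run it against the rule list pulled with a GET (expanded=true) and review the skipped names before PUTting the changed rules back; a Trust rule in the skipped list is expected, a Block rule is the case the FMC bulk editor would have refused outright.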

I'm not sure of the validity of this, but if you open the ACP and then click 'Advanced' you can enable 'Intrusion Policy used before Access Control rule is determined'.  It looks like this allows you to enable an IPS policy for all traffic prior to it hitting the ACP, rather than enabling it on a per-ACE basis.

Is this an option?  Is this a valid way of doing this?  If this was enabled rather than per-ACE, what advantages/disadvantages does this have?

Andy

That particular setting is for situations where you want to IPS-inspect the traffic before the L7 rule gets enough information to properly categorize and treat a given flow. Once a flow is categorized, it will use whatever Intrusion policy is otherwise configured for it.
