Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1506
Views
0
Helpful
2
Replies

FTD as IPS

fatalXerror
Contributor
Contributor

‎10-22-2018 10:55 AM - edited ‎02-21-2020 08:22 AM

Hi, I am having an issue about Elephant flow in my FTD and as per the TAC we need to do flow profiling to pinpoint which traffic is causing it however, it is not an option in my environment because this will have an interruption.

We think of an option to connect another IPS (same model) that will act like a tap. The prod IPS will send a copy of the packet to the other IPS acting as tap then we do the flow profiling there in the tapped IPS?

I would like to know if that is feasible and what configuration should we do for the tapped IPS?

0 Helpful
2 Replies 2

gbekmezi-DD
Contributor
Contributor

‎10-22-2018 01:07 PM

Do you think adding another appliance in line would be less intrusive than one of these options?


* use netflow do try to identify large flows: https://community.cisco.com/t5/security-documents/configuring-nsel-netflow-on-cisco-firepower-threat-defense-ftd/ta-p/3646300
* use packet captures on the FTD appliance itself: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html
* SPAN/Mirror/Monitor traffic from the switch the FTD appliance is connected to
0 Helpful

fatalXerror
Contributor
Contributor
In response to gbekmezi-DD

‎10-22-2018 08:43 PM

@gbekmezi-DD, but we want to pinpoint the actual traffic causing the issue and as per TAC we can only determine that when we do flow profiling but it is not an option in our environment that is why if we can put our spare IPS into passive mode then do flow profiling there if it is possible?

You said netflow, we have a netflow collector deployed in the network. is it possible to use that? What parameters should we look in the netflow data for us to find the elephant flow?

thanks

 

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents