06-16-2021 06:31 AM
Community,
When Firepower Recommendations are enabled in the Intrusion Policy, are these recommendations generated based on the results of the Network Discovery Policy? If not, how are they generated?
Thank you.
06-16-2021 09:46 AM
Hi Community,
After doing some reading, it does appear that Firepower Recommendations does leverage the findings of the Network Discovery Policy. As stated here: "Firepower can learn about the users, applications, and hosts on the network. Firepower uses this for monitoring, access control, customizing IPS rules, and other functions. The IPS rule customization is of particular interest. FMC builds a list of your hosts, their operating systems, and the applications they run. With this, it can recommend ways to tune the intrusion policies. For example, if you don’t have any old NT servers, you don’t need to look for attacks that only target them."
https://networkdirection.net/articles/firewalls/firepowermanagementcentre/networkdiscovery/
I did have a follow-up question though. If the system is using passive learning, how is it able to identify the Operating System that the host is running? Does it do this by inference based on the traffic flows?
Thanks!
06-16-2021 11:53 AM
Correct. The passive learning isn't the only method though. You can also have the system perform an nmap scan (active learning) or manually edit known hosts to supplement or correct what was learned passively.
06-16-2021 12:48 PM
Thank you so much Marvin!