
Intrusion Policy Firepower Recommendations question

Community,

When Firepower Recommendations are enabled in the Intrusion Policy, are these recommendations generated based on the results of the Network Discovery Policy? If not, how are they generated?

Thank you.


3 Replies

Hi Community,

After doing some reading, it does appear that Firepower Recommendations does leverage the findings of the Network Discovery Policy. As stated here: "Firepower can learn about the users, applications, and hosts on the network. Firepower uses this for monitoring, access control, customizing IPS rules, and other functions. The IPS rule customization is of particular interest. FMC builds a list of your hosts, their operating systems, and the applications they run. With this, it can recommend ways to tune the intrusion policies. For example, if you don’t have any old NT servers, you don’t need to look for attacks that only target them."

https://networkdirection.net/articles/firewalls/firepowermanagementcentre/networkdiscovery/

I did have a follow-up question though. If the system is using passive learning, how is it able to identify the Operating System that the host is running? Does it do this by inference based on the traffic flows?

Thanks!

Correct. The passive learning isn't the only method though. You can also have the system perform an nmap scan (active learning) or manually edit known hosts to supplement or correct what was learned passively.

Thank you so much Marvin!
