Intrusion Policy in FMC

damian.dyer
Level 1

We have a customer who migrated from a dedicated McAfee IPS sitting in front of their Cisco ASA to an all-in-one FTD device. The issue is that previously the customer saw all traffic flow through their IPS and got tons of alerts, logs and dropped traffic. Now they have the intrusion policy enabled on their access control policy. The default action at the bottom of the policy is set to Block All traffic. Since all traffic is being dropped and the traffic traversing the firewall is allowed traffic, we see almost no Intrusion events and they are getting worried.

Is there anything I can set to inspect the traffic before it is dropped?

6 Replies

The default action would apply to the traffic that didn't match a rule above. I would say it depends on how the IPS policies have been configured; if they are attached to the ACP rules and they are not triggered, then I don't think there should be a reason to be worried.

The customer wants the data. Is there a way to have the intrusion policies prefilter the traffic?

They would get the logs if the IPS signatures/rules are triggered; otherwise, I can't see how that would be possible.

Yeah, that is what I was thinking. My customer has been paranoid that the IPS policies haven't been working because they are not triggering, even though when they run a pen test, all the rules trigger on that source and destination.

AigarsK
Level 1

As Aref said, Intrusion rules need to be enabled for this to work. Also, a very important part is that you update the Variable set used with the Intrusion policy on your Access Policies.

The Variable set has to specify what HOME_NET is, i.e. all subnets that are considered to be on the inside of the network. If you are doing internal-to-internal resource scanning for intrusions, then a new Variable set needs creating where HOME_NET and EXTERNAL_NET are both specified with all internal network subnets and ranges.
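To make the variable-set point concrete, here is an added illustration (not code from the thread or from Cisco) of how a Snort-style rule header such as `alert tcp $EXTERNAL_NET any -> $HOME_NET 445` resolves against two different variable sets. The address ranges, the `!$HOME_NET` negation semantics and the sample flows are simplified assumptions for illustration only.

```python
from ipaddress import ip_address, ip_network

# Constructed variable sets (assumptions, not a real FMC export).
# Default-style set: EXTERNAL_NET is "everything that is not HOME_NET".
DEFAULT_SET = {"HOME_NET": "10.0.0.0/8,192.168.0.0/16",
               "EXTERNAL_NET": "!$HOME_NET"}
# Internal-scanning set as described in the reply above: both variables
# list the internal ranges so internal-to-internal flows can match.
INTERNAL_SET = {"HOME_NET": "10.0.0.0/8,192.168.0.0/16",
                "EXTERNAL_NET": "10.0.0.0/8,192.168.0.0/16"}

# Constructed sample flows (source, destination).
FLOWS = [("203.0.113.7", "10.1.1.20"),  # internet -> inside
         ("10.1.1.5", "10.1.1.20"),     # inside -> inside (lateral)
         ("10.1.1.5", "203.0.113.7")]   # inside -> internet


def resolve(var, varset):
    """Return (negated, [networks]) for a variable, following $REF and !$REF."""
    value = varset[var]
    if value.startswith("!$"):
        negated, nets = resolve(value[2:], varset)
        return (not negated, nets)
    if value.startswith("$"):
        return resolve(value[1:], varset)
    return (False, [ip_network(n) for n in value.split(",")])


def in_var(ip, var, varset):
    """True if ip falls inside the variable's effective address space."""
    negated, nets = resolve(var, varset)
    hit = any(ip_address(ip) in net for net in nets)
    return hit != negated


def rule_matches(src, dst, varset, src_var="EXTERNAL_NET", dst_var="HOME_NET"):
    """Header match for a rule written as  src_var any -> dst_var <port>."""
    return in_var(src, src_var, varset) and in_var(dst, dst_var, varset)


def coverage(varset):
    """Map each sample flow to whether the rule header would even be evaluated."""
    return {flow: rule_matches(*flow, varset) for flow in FLOWS}


if __name__ == "__main__":
    for name, vs in (("default", DEFAULT_SET), ("internal", INTERNAL_SET)):
        print(name, coverage(vs))
```

With the default-style set the lateral inside-to-inside flow never reaches the rule at all, while the internal-only set stops matching the inbound internet-to-inside flow, which is why a separate variable set (and policy) for internal scanning is the usual answer rather than editing the one used at the perimeter.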

@AigarsK actually I'm glad you mentioned the variable sets because there is a big gotcha in there as shown in this post of mine where a potential attack might be overlooked:

Snort HOME_NET and EXTERNAL_NET Variables
