01-25-2023 10:29 AM
OK, going to ask a simple one here. Hopefully someone can help me out.
FTD 1140 managed by FMCv. Both running 7.0.4. Setting up my first rule that looks to block IPS and malware from getting to my inside interface connected subnets. Everything looks good to go as far as zones and networks. I have the IPS and File (malware) icons selected in the access control rule. Do I set the default action to "Allow", which would allow packets to get to the Snort and malware engines? Or does having the IPS and File (malware) icons selected do this, and I should set the default action to "Block"?
Thanks
01-25-2023 11:46 PM
The "Allow" action sends traffic to Snort for further inspection (i.e. IPS, Malware, URL, Application, etc.). If you select Block, this will drop traffic and it will not be sent to Snort.
Now, depending on how you have configured the IPS policy, or which one you select in the access control policy (user-defined or pre-defined), you might need to configure the IPS policy to drop inline for it to start dropping traffic that triggers due to an intrusion. Normally all this is not needed, but it is worth checking to make sure you are actually dropping traffic rather than just monitoring it (IDS).
01-26-2023 04:47 AM
Thanks Marius,
That is what I thought. I appreciate the clarification.
01-26-2023 09:22 AM
The default action (bottom right of your ACP) should generally be to Drop all traffic.
Anything required to be allowed through the firewall should be covered by an explicit entry with the Allow action.
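The two answers above boil down to three checks on an access control policy: only Allow rules hand traffic to Snort, so an intrusion or file policy attached to a Block rule never runs; Allow rules should carry an intrusion and file policy if inspection is the goal; and the default action should be Block. The script below is an added example, not from the original thread or from Cisco, that runs those checks over a constructed policy document whose JSON layout (`defaultAction`, `rules`, `action`, `ipsPolicy`, `filePolicy`) is an assumed approximation of an FMC REST API export rather than a real one.

```python
"""Audit an access control policy for the pitfalls raised in the thread.

The JSON layout is a constructed approximation of an FMC policy export
(assumed field names), not output from a real FMC."""
import json

# Constructed sample policy with one mistake of each kind.
SAMPLE_POLICY = json.dumps({
    "name": "Inside-ACP",
    "defaultAction": {"action": "PERMIT"},   # should be BLOCK
    "rules": [
        {"name": "Inside-to-Internet", "action": "ALLOW",
         "ipsPolicy": {"name": "Balanced Security and Connectivity"},
         "filePolicy": {"name": "Block-Malware"}},
        {"name": "Block-Bad-Subnets", "action": "BLOCK",
         "ipsPolicy": {"name": "Balanced Security and Connectivity"}},
        {"name": "Guest-Out", "action": "ALLOW"},
    ],
})


def audit_policy(policy_json: str) -> list:
    """Return human-readable findings; an empty list means no issues found."""
    policy = json.loads(policy_json)
    findings = []

    default = policy.get("defaultAction", {}).get("action", "")
    if default != "BLOCK":
        findings.append(f"default action is {default or 'unset'}; expected BLOCK")

    for rule in policy.get("rules", []):
        name, action = rule.get("name", "?"), rule.get("action", "")
        has_inspection = bool(rule.get("ipsPolicy") or rule.get("filePolicy"))
        if action == "ALLOW":
            # Allow is the only action that sends the flow to Snort, so this
            # is where an intrusion and file policy actually take effect.
            if not rule.get("ipsPolicy"):
                findings.append(f"rule '{name}': ALLOW without an intrusion policy")
            if not rule.get("filePolicy"):
                findings.append(f"rule '{name}': ALLOW without a file policy")
        elif action == "BLOCK" and has_inspection:
            # Blocked traffic is dropped before Snort; attached policies are inert.
            findings.append(f"rule '{name}': BLOCK rule carries an IPS/file policy that never runs")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Running it against the sample reports the PERMIT default, the inert IPS policy on the Block rule, and the two missing policies on the uninspected Allow rule.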
01-26-2023 12:23 PM
Thanks Marvin,
Appreciate the info.
01-30-2023 06:09 AM
So I enabled my intrusion/file policy this morning and there are no events being populated. The file policy is picking up malware events. I know there are quite a few variables in play and I am not asking for any configuration assistance. I am fairly certain my rule setup is good. I was curious if there are any known problems associated with intrusion policies and version 7.0.4? I do have a TAC case open for this, but they all seem to have called in sick at once, and quite frankly I have lost a lot of confidence in them getting back to me. I will continue to look for a bug... maybe?