
IPS and file (malware) in an Access Control policy

ethutchinson (Level 1)

OK, going to ask a simple one here. Hopefully someone can help me out.

FTD 1140n managed by FMCv. Both running 7.0.4. Setting up my first rule that looks to block IPS and malware from getting to my inside-interface-connected subnets. Everything looks good to go as far as zones and networks. I have the IPS and File (malware) icons selected in the access control rule. Do I set the default action to "Allow", which would allow packets to get to the Snort and malware engines? Or does having the IPS and File (malware) icons selected do this, and I should set the default action to "Block"?

Thanks

Accepted Solution

The "Allow" action sends traffic to Snort for further inspection (i.e. IPS, Malware, URL, Application, etc.). If you select Block, this will drop the traffic and it will not be sent to Snort.

Now, depending on how you have configured the IPS policy, or which one you select in the access control policy (user-defined or pre-defined), you might need to configure the IPS policy to drop when inline for it to start dropping traffic that triggers an intrusion event. Normally all this is not needed, but it is worth checking to make sure you are actually dropping traffic rather than just monitoring it (IDS).

--
Please remember to select a correct answer and rate helpful posts


5 Replies


Thanks Marius,

That is what I thought. I appreciate the clarification.

Marvin Rhoads (Hall of Fame)

The default action (bottom right of your ACP) should generally be to Drop all traffic.

Anything required to be allowed through the firewall should be covered with an explicit entry with allow action.
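The two answers above reduce to three checks a practitioner can run against a policy before deploying it: a rule that carries an IPS or file policy only inspects if its action is Allow (Block never reaches Snort), the policy default action should be Block with explicit Allow rules for what is needed, and the intrusion policy itself must be in drop-when-inline mode or it only alerts. Below is an added example of my own, not Cisco code and not from the thread, that applies those checks to an access control policy export. The JSON field names (`action`, `defaultAction`, `ipsPolicy`, `filePolicy`, `inspectionMode`) follow the FMC REST API objects as I recall them from the 7.0 API explorer and are an assumption; the sample policy and intrusion policies are constructed, not captured from a live FMC.

```python
"""Lint an FMC access control policy for the pitfalls discussed in the thread.

Added example, not Cisco code. Field names are an assumption based on the
FMC REST API (AccessPolicy / AccessRule / IntrusionPolicy); adjust them if your
FMC version returns something different.
"""
from __future__ import annotations

# Constructed sample data (not from a live FMC). Intrusion policies keyed by id;
# "PREVENTION" corresponds to "Drop when Inline" enabled, "DETECTION" to IDS-only.
IPS_POLICIES = {
    "ips-balanced": {"name": "Balanced-Inline", "inspectionMode": "PREVENTION"},
    "ips-detect": {"name": "Balanced-Detect-Only", "inspectionMode": "DETECTION"},
}

SAMPLE_ACP = {
    "name": "Inside-Protect",
    # Default action as the question had it: PERMIT instead of BLOCK.
    "defaultAction": {"action": "PERMIT", "type": "AccessPolicyDefaultAction"},
    "rules": [
        {   # Correct shape: Allow + IPS (drop when inline) + file policy.
            "name": "Inside-Inspect",
            "action": "ALLOW",
            "ipsPolicy": {"id": "ips-balanced", "type": "IntrusionPolicy"},
            "filePolicy": {"id": "file-block-malware", "type": "FilePolicy"},
        },
        {   # The pitfall from the question: Block never hands the flow to Snort.
            "name": "Inside-Block-With-IPS",
            "action": "BLOCK",
            "ipsPolicy": {"id": "ips-detect", "type": "IntrusionPolicy"},
            "filePolicy": {"id": "file-block-malware", "type": "FilePolicy"},
        },
        {   # IPS attached, but the intrusion policy only alerts (IDS behaviour).
            "name": "DMZ-Inspect",
            "action": "ALLOW",
            "ipsPolicy": {"id": "ips-detect", "type": "IntrusionPolicy"},
        },
    ],
}

# Only the Allow action sends traffic on to Snort for IPS/file inspection.
INSPECTING_ACTIONS = {"ALLOW"}


def lint_acp(acp: dict, ips_policies: dict) -> list[str]:
    """Return human-readable findings; an empty list means the policy is clean."""
    findings: list[str] = []
    for rule in acp.get("rules", []):
        name = rule.get("name", "<unnamed>")
        action = rule.get("action")
        has_ips = "ipsPolicy" in rule
        has_file = "filePolicy" in rule

        # Marius's first point: IPS/file policies on a non-Allow rule never run.
        if (has_ips or has_file) and action not in INSPECTING_ACTIONS:
            findings.append(
                f"{name}: action {action} drops the flow before Snort, so the "
                f"attached IPS/file policy never runs (use ALLOW)"
            )

        # Marius's second point: the intrusion policy must drop, not just alert.
        if has_ips:
            pid = rule["ipsPolicy"]["id"]
            mode = ips_policies.get(pid, {}).get("inspectionMode")
            if mode != "PREVENTION":
                findings.append(
                    f"{name}: intrusion policy {pid} is in {mode} mode; it will "
                    f"only generate events, enable drop when inline"
                )

        # An Allow rule with nothing attached passes traffic uninspected.
        if action in INSPECTING_ACTIONS and not (has_ips or has_file):
            findings.append(f"{name}: ALLOW with no IPS or file policy; traffic passes uninspected")

    # Marvin's point: default action should be Block, with explicit Allow rules.
    default = acp.get("defaultAction", {}).get("action")
    if default != "BLOCK":
        findings.append(
            f"default action is {default}; set it to BLOCK so only explicit ALLOW rules pass"
        )
    return findings


if __name__ == "__main__":
    for line in lint_acp(SAMPLE_ACP, IPS_POLICIES):
        print("FINDING:", line)
```

To run this against a real policy, fetch the rules with `GET /api/fmc_config/v1/domain/{domainUUID}/policy/accesspolicies/{policyUUID}/accessrules?expanded=true` and the intrusion policies from `.../policy/intrusionpolicies`, then pass the decoded JSON in place of the constructed sample (those endpoints are as I recall them; check your FMC's API explorer). The `DETECTION`/`PREVENTION` check covers Snort 3 policies; for a Snort 2 intrusion policy the equivalent setting is the "Drop when Inline" checkbox in the policy's Advanced Settings, which the API exposes differently, so treat that branch as a placeholder you adapt to your version.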

Thanks Marvin,

Appreciate the info


ethutchinson (Level 1)

So I enabled my intrusion/file policy this morning and there are no events being populated. The file policy is picking up malware events. I know there are quite a few variables in play and I am not asking for any configuration assistance. I am fairly certain my rule setup is good. I was curious if there are any known problems associated with intrusion policies and version 7.0.4? I do have a TAC case open for this, but they seem to have all called in sick at once and, quite frankly, I have lost a lot of confidence in them getting back to me. I will continue to look for a bug... maybe?
