06-21-2017 04:55 PM - edited 03-12-2019 06:26 AM
Hi,
If you have say 5 subnets of different traffic requirements
1/ corporate users
2/ payment equipment subnet
3/ dmz
4/ corporate wifi
5/ some other requirement
Would one get better IPS recommendations if you created 5 IPS policies and defined the scope within recommendations according to each of the 5 above? Or would the Firepower recommendations be just as accurate with one IPS policy and it trying to recommend for the entirety?
Similarly, if you had a Datacentre Firepower and say 10 sites with Firepower, would it be best to use a different IPS policy from the sites for the datacentre, with Recommendations defined just for the Datacentre?
06-27-2017 02:52 PM
Firepower will generate the recommendations based on the hosts discovered (host profiles) on all sensors.
If you have multiple domains (multi tenancy in v6.0+) within that FMC, each with an IPS sensor, you will see differences in the generated recommendations.
Edit: maybe I misunderstood the question. It is of course possible to limit the networks to base the recommendations on, but in my opinion this barely makes sense.
You will use a lot of memory on the sensor if you apply 5 different IPS policies - one for each network.
07-05-2017 08:59 PM
Got you.
If you had a Datacentre Firepower and say 10 sites with Firepower, would it be best to use different IPS policies for the sites and a different policy for the datacentre, with host Recommendations defined just for the Datacentre hosts?
Or will FMC base the recommendations on all hosts seen for both datacentre and sites?
07-12-2017 10:51 AM
If you want the same policy on all 10 sites I recommend that you only make one IPS policy and make the recommendations based on all your subnets.
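The thread turns on one point: recommendations are derived from the host profiles inside the policy's network scope, so a per-subnet policy enables only the rules that match hosts in that subnet, while a single policy over all subnets enables the union. The following is an added example, not code from the thread or from Cisco; it is a simplified model of that scope behaviour (the host profiles, rule IDs, service and OS metadata, and subnets are all constructed for illustration, and the real Firepower recommendation logic is not reproduced here).

```python
import ipaddress

# Constructed host profiles, standing in for what the sensors would discover.
HOST_PROFILES = [
    {"ip": "10.1.0.10", "os": "windows", "services": {"smb", "rdp"}},   # corporate users
    {"ip": "10.1.0.11", "os": "windows", "services": {"smb"}},
    {"ip": "10.2.0.5",  "os": "linux",   "services": {"https"}},        # payment equipment
    {"ip": "10.3.0.20", "os": "linux",   "services": {"http", "ssh"}},  # dmz
    {"ip": "10.4.0.50", "os": "android", "services": set()},            # corporate wifi
]

# Constructed rule catalog: each rule carries the service/OS it is relevant to.
# The IDs are placeholders, not real Snort rule IDs.
RULE_CATALOG = {
    "1:1001": {"service": "smb",   "os": "windows"},
    "1:1002": {"service": "rdp",   "os": "windows"},
    "1:1003": {"service": "http",  "os": None},
    "1:1004": {"service": "https", "os": None},
    "1:1005": {"service": "ssh",   "os": "linux"},
    "1:1006": {"service": "mysql", "os": None},   # no discovered host runs this
}

# Constructed subnets matching the five-network layout in the question.
SUBNETS = {
    "corporate": "10.1.0.0/24",
    "payment":   "10.2.0.0/24",
    "dmz":       "10.3.0.0/24",
    "wifi":      "10.4.0.0/24",
}


def hosts_in_scope(hosts, networks):
    """Return the host profiles whose IP falls inside any of the given CIDRs."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [h for h in hosts if any(ipaddress.ip_address(h["ip"]) in n for n in nets)]


def rule_applies(meta, host):
    """A rule is relevant to a host if the host runs the service (and OS, if the rule names one)."""
    if meta["service"] not in host["services"]:
        return False
    return meta["os"] is None or meta["os"] == host["os"]


def recommend(hosts, catalog, networks):
    """Model of scoped recommendations: enable a rule if any host in scope matches it."""
    scoped = hosts_in_scope(hosts, networks)
    return {rid for rid, meta in catalog.items() if any(rule_applies(meta, h) for h in scoped)}


def compare_scopes(hosts, catalog, subnets):
    """Contrast one policy covering every subnet with one policy per subnet."""
    per_subnet = {name: recommend(hosts, catalog, [cidr]) for name, cidr in subnets.items()}
    single = recommend(hosts, catalog, list(subnets.values()))
    union = set().union(*per_subnet.values())
    return {"single_policy": single, "per_subnet": per_subnet, "per_subnet_union": union}


if __name__ == "__main__":
    result = compare_scopes(HOST_PROFILES, RULE_CATALOG, SUBNETS)
    print("single policy, all subnets:", sorted(result["single_policy"]))
    for name, rules in result["per_subnet"].items():
        print(f"policy scoped to {name}:", sorted(rules))
    print("union of per-subnet policies equals single policy:",
          result["single_policy"] == result["per_subnet_union"])
```

In this model the payment subnet's policy ends up with a single enabled rule and the wifi policy with none, while the single all-subnet policy carries the union of every per-subnet set. That is the trade-off the answer describes: narrower policies shrink each rule set, but each extra policy is another policy the sensor has to hold, and a rule never enabled anywhere (1:1006 here) stays off under either approach.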