IPS traffic

Otvforte
Level 1

Hello!

I've been trying to figure out the best approach for applying IPS inspection.

Suppose I don't have any internal services or servers exposed to the internet — meaning no port forwarding from Outside to DMZ or Outside to Inside. In that case, does it still make sense to enable IPS on zones like Any/Any, or should I stick with Inside-to-Outside inspection only?

The only exception would be the VPN service, which would still be reachable from the internet.

Thank you,

9 Replies

Otvforte
Level 1

Just answering my own question.

If I don't have internal services or servers published on the internet, then I don't have any rules in the Outside-to-Inside or Outside-to-DMZ direction. So the question doesn't really make sense — there's not even a rule where IPS could be enabled.

 

IPS can be applied with the ACP,
or it can be applied inline <<- here the FTD works as an IPS only.

MHM

Otvforte
Level 1

Thank you! Can you help clarify another related question?

There are some IPS rules for services I don't have, for example, Apache, SQL Server, Oracle, and so on. Should I disable those rules?

Can I know where you see these options?

Screenshots are perfect.

MHM

Image.png

Don't change anything here.
This is the Cisco recommended action, and you cannot control what users use, so you don't know whether a user uses SQL or not.

You can instead change the number of rules by changing the security level.

Screenshot (297).png
MHM

@Otvforte it is recommended by Cisco to disable rules written for vulnerabilities not found on hosts in your network, so if you are not using Apache, SQL Server, Oracle, etc., you would not have those vulnerabilities and can disable those rules. You can use the Cisco Recommendations to tune the Snort rule set based on host data collected through passive discovery. The Recommendations feature uses this host database to determine which Snort rules apply to your environment.

https://secure.cisco.com/secure-firewall/v7.4/docs/intrusion-policy-73
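To make the Recommendations logic described in the reply above concrete, here is a simplified Python sketch added to this thread (not Cisco's code and not the actual Secure Firewall algorithm): it reads the `service` metadata from Snort-style rules and recommends enabling those whose service was seen on a discovered host, disabling the rest. The rules, SIDs and host table are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed Snort-style rules for illustration (not a real ruleset; SIDs are made up).
RULES: List[str] = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HTTP server probe"; metadata:service http; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"MSSQL login attempt"; metadata:service ms-sql-s; sid:9000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 1521 (msg:"Oracle TNS request"; metadata:service oracle; sid:9000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP command"; metadata:policy balanced-ips drop, service smtp; sid:9000004; rev:1;)',
    'alert ip any any -> any any (msg:"Protocol anomaly"; sid:9000005; rev:1;)',
]

# Constructed host database, as passive discovery might populate it: host -> services observed.
HOSTS: Dict[str, Set[str]] = {
    "10.0.0.5": {"http", "ssh"},
    "10.0.0.9": {"smtp"},
}

_META = re.compile(r"metadata:\s*([^;]*);")
_SID = re.compile(r"\bsid:\s*(\d+)\s*;")


def rule_sid(rule: str) -> int:
    """Return the rule's SID; every Snort rule carries one."""
    m = _SID.search(rule)
    if not m:
        raise ValueError("rule has no sid")
    return int(m.group(1))


def rule_services(rule: str) -> Set[str]:
    """Return the service names declared in the rule's metadata option (e.g. 'service http')."""
    m = _META.search(rule)
    if not m:
        return set()
    services: Set[str] = set()
    for item in m.group(1).split(","):
        key, _, value = item.strip().partition(" ")
        if key == "service" and value:
            services.add(value.strip())
    return services


def recommend(rules: List[str], hosts: Dict[str, Set[str]]) -> Dict[int, str]:
    """Map each SID to 'enable', 'disable' or 'no-recommendation'.

    A rule is recommended when any service it protects was seen on a discovered host;
    rules without service metadata get no recommendation and keep the base policy state.
    """
    seen: Set[str] = set().union(*hosts.values()) if hosts else set()
    out: Dict[int, str] = {}
    for rule in rules:
        svcs = rule_services(rule)
        out[rule_sid(rule)] = "no-recommendation" if not svcs else ("enable" if svcs & seen else "disable")
    return out
```

Running `recommend(RULES, HOSTS)` flags the MSSQL and Oracle rules for disabling because no host in the constructed database offers those services, which is the effect the Recommendations feature is meant to produce.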

 

I'm currently using FDM, so Network Discovery isn't available at the moment. However, I'll look into it if I get the opportunity in the future.

Thank you,
