is it possible to edit the default FMC IPS policy?

tato386
Level 6

I would like to enable syslog alerts in the default "Connectivity over Security" IPS policy so that I don't have to change a bunch of ACP rules but I don't seem to be able to do this.  There doesn't seem to be a direct way of editing it but if I first create a custom IPS policy using "Conn over Sec" as the base I do see a "manage base policy" option.  The problem is when I edit using this button the changes still seem to go into the custom policy I created.  Maybe I am missing something?

TIA,

Diego

8 Replies

manabans
Cisco Employee

System-Provided Intrusion Policies are not editable. Depending on the system-provided base policy that is selected, the settings of the policy vary. To view the policy settings, click the Edit icon next to the policy and then click the Manage Base Policy link.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/overview_of_network_analysis_and_intrusion_policies.html#ID-2247-0000016a 

OK, I guess that makes sense, but I wish they wouldn't use a pencil icon (which I believe is the universal symbol for editing) next to the term "base policy" if the policy is not editable.

If you recall, my purpose was to generate syslog alerts for IPS connection events, so I created a custom policy with syslog enabled and started applying the custom policy to my ACP.  However, I noticed that block rules have a logging option but do not have an IPS policy.  How could I get a block rule to generate a syslog event?

TIA,

Diego

Strictly speaking, block rules should not have the ability to have IPS or File policy as these are already being dropped based on other criteria.  IPS is meant for "allow" rules where it monitors for matching signatures and irregular traffic.  So this is expected.  If you want to see if you are dropping traffic you are expecting to drop, then add the IPS policy to an "allow" rule and run your test.

--
Please remember to select a correct answer and rate helpful posts

Yes, I understand why there is no IPS for a block rule and I am OK with that.  My question is that syslog alerting is enabled via the IPS policy linked to an ACP rule.  So if the rule is a block rule and therefore has no IPS, how do I configure/enable a syslog alert for it?

Are we talking a syslog alert for the IPS or for ACP rule?

If you are looking to log a drop for an ACP rule you need to enable "log at beginning" in that rule and select send to syslog server.  


"log at beginning" is selected and I see the block events in the FMC.  In addition to that I need to send these events to my SIEM via a syslog alert.

I am assuming that you have configured the syslog server under the platform settings for the device?

You also need to select send to syslog server under the ACP rule, and on the Logging tab in the ACP policy you need to select "Use the syslog settings configured in the FTD Platform Settings policy deployed on the device".

[Screenshot attached: Screenshot 2022-11-09 at 14.52.34.png]


Things are getting a little clearer now.  It turns out block events *are* getting to the syslog server.  The reason that I thought they were not is the way I was searching for them.  Most of my block events are GEO and I was searching with country codes which apparently are not included in the syslog data.  If I search using IP or name of the GEO rule then I do see the events.  So it seems that IPS events *can* be logged using the defaults below and I *don't* have to create a custom IPS rule to enable syslog.  Does that make sense?   

[Screenshot attached: tato386_0-1668009870118.png]
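Diego's finding above (geo-block drops do reach the syslog server but cannot be found by country code) can be reproduced on the SIEM side. The following is an added example, not code from this thread or from Cisco: it parses constructed FTD-style connection-event syslog lines and searches them by rule name or IP address, showing that a search on a field the messages never carry returns nothing. The message id and field names (AccessControlRuleName, SrcIP and so on) are assumptions for illustration.

```python
import re

# Constructed sample lines in the style of FTD connection-event syslog
# messages (message id 430003). The field names are assumptions for
# illustration, not copied from a real FTD export. Note that no field
# carries a geolocation country code.
SAMPLE_SYSLOG = """\
<134>Nov 09 2022 14:52:34 ftd-edge %FTD-6-430003: AccessControlRuleAction: Block, SrcIP: 203.0.113.10, DstIP: 192.0.2.25, SrcPort: 51234, DstPort: 443, Protocol: tcp, ACPolicy: Corp-ACP, AccessControlRuleName: Geo-Block-Inbound
<134>Nov 09 2022 14:52:35 ftd-edge %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 198.51.100.7, DstIP: 192.0.2.25, SrcPort: 40001, DstPort: 443, Protocol: tcp, ACPolicy: Corp-ACP, AccessControlRuleName: Permit-Web
<134>Nov 09 2022 14:52:36 ftd-edge %FTD-6-430003: AccessControlRuleAction: Block, SrcIP: 203.0.113.44, DstIP: 192.0.2.80, SrcPort: 22222, DstPort: 22, Protocol: tcp, ACPolicy: Corp-ACP, AccessControlRuleName: Geo-Block-Inbound
"""

EVENT_RE = re.compile(r"%FTD-\d-(?P<msgid>\d{6}): (?P<body>.*)$")


def parse_event(line):
    """Return {'msgid': ..., field: value, ...} for one syslog line, else None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    event = {"msgid": m.group("msgid")}
    # The body is a comma-separated list of "Key: value" pairs.
    for pair in m.group("body").split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            event[key.strip()] = value.strip()
    return event


def field_names(text):
    """Every field name seen in the feed, i.e. what a SIEM can actually filter on."""
    names = set()
    for line in text.splitlines():
        event = parse_event(line)
        if event:
            names.update(event)
    return names


def find_events(text, **criteria):
    """Return events whose fields equal every criterion, like a SIEM search.

    A criterion on a field the messages never carry (a country code, say)
    matches nothing; geo-block drops must be found by rule name or IP.
    """
    hits = []
    for line in text.splitlines():
        event = parse_event(line)
        if event and all(event.get(k) == v for k, v in criteria.items()):
            hits.append(event)
    return hits
```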
