cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

777
Views
0
Helpful
5
Replies
adamgibs7
Frequent Contributor

Network Analysis Policies

Dears,

I have kept network analysis policies in a passive mode ( default mode) but the access control policies has default action of IPS that means if the traffic doesn't match it will pass by the IPS,

 

I have not enabled a network analysis policies that means a firepower is not configured properly or I can keep passive Network analysis policy and Inline IPS that makes more sense

OR

I shld keep both inline.

5 REPLIES 5
babiojd01
Beginner

How is the sensor deployed? What is the policy map settings if its ASA+FP?

Dinesh Verma
Cisco Employee

A network analysis policy governs how traffic is decoded and preprocessed so that it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt.

 

if you put NAP policy in passive, means traffic won't be dropped by any of the pre-processors if it matches with those GIDs. (preprocessors won't affect the traffic).

 

We should keep both in Inline mode.

 

Regards,

Dv

adamgibs7
Frequent Contributor

If I am keeping only one  inline will it be a high security risk ??

adamgibs7
Frequent Contributor

anybody can justify the below, if I keep only one in inline does it will be considered as a high security risk.

Hello Team,



The network analysis as stated, is where the Snort preprocessors reside. They are mainly used to normalize the traffic. If its inline and there is some anomalous traffic, it can be dropped here.



We cannot state if this would be a security vulnerability for you since we do not know your network.



I can do tell that most customer have it Inline/ dropping with the Balanced Security and Connectivity policy as the default.



[cid:image002.png@01D3AB2D.C8339CA0]



Thus normally, a default/basic environment, I recommend the Inline Mode for the Network Analysis Policy and the Intrusion Prevention Policy. With Balanced Security and Connectivity as the Base Policy.



If the policy is passive, you will just need to ensure to review your logs more often and take action on any IPS events.


Content for Community-Ad