Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1250
Views
0
Helpful
5
Replies

Network Analysis Policies

adamgibs7
Level 6
Level 6

‎02-20-2018 12:29 PM - edited ‎02-21-2020 07:22 AM

Dears,

I have kept network analysis policies in a passive mode ( default mode) but the access control policies has default action of IPS that means if the traffic doesn't match it will pass by the IPS,

 

I have not enabled a network analysis policies that means a firepower is not configured properly or I can keep passive Network analysis policy and Inline IPS that makes more sense

OR

I shld keep both inline.

Labels:
0 Helpful
5 Replies 5

babiojd01
Level 1
Level 1

‎02-20-2018 01:08 PM

How is the sensor deployed? What is the policy map settings if its ASA+FP?

0 Helpful

Dinesh Verma
Cisco Employee
Cisco Employee

‎02-20-2018 07:18 PM

A network analysis policy governs how traffic is decoded and preprocessed so that it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt.

 

if you put NAP policy in passive, means traffic won't be dropped by any of the pre-processors if it matches with those GIDs. (preprocessors won't affect the traffic).

 

We should keep both in Inline mode.

 

Regards,

Dv

0 Helpful

adamgibs7
Level 6
Level 6
In response to Dinesh Verma

‎02-21-2018 12:47 AM

If I am keeping only one  inline will it be a high security risk ??

0 Helpful

adamgibs7
Level 6
Level 6
In response to adamgibs7

‎02-21-2018 11:29 AM

anybody can justify the below, if I keep only one in inline does it will be considered as a high security risk.

0 Helpful

argrullo
Cisco Employee
Cisco Employee
In response to adamgibs7

‎02-21-2018 01:06 PM

Hello Team,



The network analysis as stated, is where the Snort preprocessors reside. They are mainly used to normalize the traffic. If its inline and there is some anomalous traffic, it can be dropped here.



We cannot state if this would be a security vulnerability for you since we do not know your network.



I can do tell that most customer have it Inline/ dropping with the Balanced Security and Connectivity policy as the default.



[cid:image002.png@01D3AB2D.C8339CA0]



Thus normally, a default/basic environment, I recommend the Inline Mode for the Network Analysis Policy and the Intrusion Prevention Policy. With Balanced Security and Connectivity as the Base Policy.



If the policy is passive, you will just need to ensure to review your logs more often and take action on any IPS events.


0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card