Question regarding working with Intrusion Policies

atsukane
Level 1

Hi all,

Firstly, apologies for a primitive question, but I have a few questions around Intrusion Policy to better understand it and manage FMC/FTDs going forward.

Based on Katherine McNamara's suggestion, I've prepped a gold IPS policy as the base policy, and location/device-specific policies using this gold image as the base policy for all managed devices.

Now, I see that there are 3 places where you can enable/apply an Intrusion policy:

1. 'Intrusion Policy used before Access Control rule is determined' under Access Control Policy > Advanced > Network Analysis and Intrusion Policies, and

2. Default Action > Intrusion Prevention > <desired options>

3. The Inspection tab in each ACE.


and my understanding of each option is that:

Option 1 means the IPS policy is hit and analysed BEFORE the ACP is analysed

Option 2 means the IPS policy is analysed AFTER the ACP is analysed

Option 3 means it is analysed as per the FTD traffic flow, e.g. LINA > SNORT > LINA (https://www.lammle.com/post/cisco-firepower-threat-defense-ftd-packet-flow/)


Please advise whether my understanding is correct, and also if there are any pros and cons of each option.

I'm guessing that option 1 utilises more resources than the other options and is perhaps unable to use Prefilter?

Option 3 might allow undesired traffic unless you have a Deny Any rule at the bottom of the ACP?

And option 2 can be a pain if you have hundreds of ACEs and are enabling Intrusion rules on all of them. (Although I guess you can just create one for IPS.)


Please also advise whether Inline-Set is only supported for 'Physical' interfaces, as I don't see any of our logical ones (sub-interfaces) appearing as available sets, and whether this is mostly used for enabling/disabling the Snort Fail-Open option?

 

Many thanks,


Accepted Solution

Marvin Rhoads
Hall of Fame

Option 1 only applies to the first handful of packets that may otherwise be let through until the right ACP rule is determined (usually in cases where we specify application in the ACP rule vs. the classic 5-tuple elements).

Option 2 is the most common and generally used option. It can be applied in bulk by simply selecting all the rules and editing that common element.

Option 3 is only if your default action is IPS. On Internet edge our default action is usually Deny All.

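To make the accepted answer's point concrete, here is a constructed Python model (not Cisco code and not from this thread) of which intrusion policy covers which packets of a single flow under the three attachment points: the pre-rule policy only touches packets passed while an application-based rule is still undecided, per-rule inspection applies once the rule is known, and the default-action policy applies only when the default action is Intrusion Prevention. It assumes, for illustration only, that application identification needs APP_ID_PACKETS packets, uses placeholder rule and policy names, and ignores prefilter, SSL and the other FTD stages.

```python
from dataclasses import dataclass
# Assumption of this constructed model: a flow's application is unknown until
# this many packets have been seen, so app-based rules stay undecided until then.
APP_ID_PACKETS = 3

@dataclass
class Rule:
    name: str
    dst_port: int = None     # classic 5-tuple condition
    app: str = None          # application condition (needs app identification)
    action: str = "allow"    # "allow" or "block"
    ips_policy: str = None   # Inspection tab of the rule (option 2)

@dataclass
class AccessControlPolicy:
    rules: list
    pre_rule_ips: str = None         # option 1: ACP > Advanced
    default_action: str = "block"    # "block" or "ips"
    default_ips_policy: str = None   # option 3: default action Intrusion Prevention

def inspect_flow(acp, dst_port, app, packets):
    """Return one (disposition, ips_policy) tuple per packet of one flow."""
    out = []
    for pkt in range(1, packets + 1):
        matched, undecided = None, False
        for rule in acp.rules:
            if rule.dst_port is not None and rule.dst_port != dst_port:
                continue
            if rule.app is not None:
                if pkt <= APP_ID_PACKETS:
                    undecided = True   # app not identified yet: rule cannot be evaluated
                    break
                if rule.app != app:
                    continue
            matched = rule
            break
        if undecided:               # option 1: packets passed before a rule is known
            out.append(("pending", acp.pre_rule_ips))
        elif matched is not None:   # option 2: the matched rule's own setting
            out.append((matched.action, matched.ips_policy))
        elif acp.default_action == "ips":   # option 3: default action is IPS
            out.append(("default", acp.default_ips_policy))
        else:
            out.append(("default", None))   # default action Block All: no IPS
    return out

def example_web_flow():
    acp = AccessControlPolicy(
        rules=[Rule("block-tor", app="Tor", action="block"),
               Rule("allow-web", dst_port=443, ips_policy="branch-ips")],
        pre_rule_ips="gold-ips")
    return inspect_flow(acp, dst_port=443, app="HTTPS", packets=5)
```

Dropping `pre_rule_ips` in the example leaves the first three packets of every flow uninspected, which is the gap the pre-rule policy exists to cover.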


Thanks @Marvin Rhoads, and apologies for the delay in responding; I was off sick for a few days.

So it seems that enabling the Intrusion policy on each rule in the ACP and 'Intrusion Policy used before Access Control rule is determined' might be a good combo.

I initially thought that 'Intrusion Policy used before Access Control rule is determined' or changing the default action to IPS would work like a 'catch all', but I was mistaken.

It's also good to know that I can select multiple rules and apply Intrusion policy and variable set to all of them at the same time, cheers for that.

Seriously, coming from individually managed ASAs to FMC requires a lot of adjusting!


Thanks again
