Beginner

Recommendations on how to set up intrusion policies

Hi,

Very briefly, our setup consists of ASAs with FPMs sitting at remote branches, the main office, and the datacenter.

Currently we're using the same intrusion policy on every edge device.

Would it be beneficial to deploy separate intrusion policies on each edge, since Firepower recommendations are based on the traffic flows, and all flows through the firewalls are different? It will generate more admin overhead in having to manage multiple policies, but we'll optimize Firepower utilization at each edge?

BR, Michael


3 Replies
Hall of Fame Guru

In the deployments I have seen organizations typically don't go to the trouble to customize IPS policies per site unless it's a really large site with a lot of services in it (i.e. something like a data center). Not that it wouldn't make the policies slightly more accurate, but rather that it would add more complexity than the marginal additional value delivered.

Thanks Marvin! In my case then, it would make sense to apply a policy to our datacenter, and another to every other location since they act as branches.

In regards to intrusion policies, I'm not able to find any documentation that shows how to revert recommendations. Is it possible to clone the policy, or is there another way to handle a possible bad intrusion policy? It's my experience that it's often difficult to troubleshoot Snort rules that might break a flow.

Accepted Solution

The best practice for creating Intrusion Policies is to make a copy of the out of the box one (like Balanced Security and Connectivity) and associate that copy (or copies if you plan to have differentiated intrusion policies) to your ACP(s). That way if you ever get it all out of whack you can easily revert to a fresh copy of the default one and apply Firepower recommendations to it based on the previously discovered network characteristics.