Recommendations on how to set up intrusion policies

Hi,

 

Very briefly, our setup consists of ASAs with FPMs sitting at remote branches, the main office, and the datacenter.

 

Currently we're using the same intrusion policy on every edge device. 

 

Would it be beneficial to deploy separate intrusion policies on each edge, since Firepower recommendations are based on the traffic flows, and all flows through the firewalls are different? It will generate more admin overhead in having to manage multiple policies, but we'll optimize Firepower utilization at each edge.

 

BR, Michael

1 Accepted Solution

Accepted Solutions

The best practice for creating Intrusion Policies is to make a copy of the out of the box one (like Balanced Security and Connectivity) and associate that copy (or copies if you plan to have differentiated intrusion policies) to your ACP(s). That way if you ever get it all out of whack you can easily revert to a fresh copy of the default one and apply Firepower recommendations to it based on the previously discovered network characteristics.


3 Replies

Marvin Rhoads
Hall of Fame

In the deployments I have seen organizations typically don't go to the trouble to customize IPS policies per site unless it's a really large site with a lot of services in it (i.e. something like a data center). Not that it wouldn't make the policies slightly more accurate, but rather that it would add more complexity than the marginal additional value delivered.

Thanks Marvin! In my case then, it would make sense to apply a policy to our datacenter, and another to every other location since they act as branches.

 

In regard to intrusion policies, I'm not able to find any documentation that shows how to revert recommendations. Is it possible to clone the policy, or is there another way to handle a possible bad intrusion policy? It's my experience that it's often difficult to troubleshoot Snort rules that might break a flow.

