Suggested FirePOWER IPS Inspection policy

l.buschi (Level 2)

Hello,

I want to set up an NGIPS with FirePOWER on my ASA.

Which policy would you suggest for traffic inspection?

E.g. all HTTP traffic, some traffic from outside, or what else?

Thanks a lot

Johnny


5 Replies

ArchiTech89 (Level 1)

Well, for what it's worth, FirePower is super intense -- extraordinarily granular.

What I would do to start is to just inspect the traffic in a passive mode (don't drop any packets at first) and look at what's being flagged. After getting used to it, you could begin to selectively prevent certain traffic.

When you set up FirePower, it does provide basic policies and configurations. You can start with their default provisions, then it just comes down to read, read, read the manual (or take a class possibly).

I'm not sure what devices you're working with, but it gets deployed as a 'software blade' on 5525-Xs and above (I believe). In those instances, though, you also have to purchase SSDs from Cisco that get installed into the chassis in order to deploy it. If I'm not mistaken, 5545-Xs and above use the SSDs in a RAID configuration (simple mirroring, I think), and below that it's a single SSD, but I'm not sure.

The only deployment of an actual hardware blade on the ASA itself occurs on the 5585-X.

You also need to know that a separate appliance is required -- it can be either a VMware virtual appliance or a full hardware one -- for running the management console, called FireSIGHT.

And of course there's licensing for all of this...

On the other hand, you may already know all of this, in which case please forgive my presumption.

Cheers!

jeremyNLSO / ArchiTech89
CCNA Routing & Switching, CCNA Security
MCITP, MCTS
Berlin, Germany

Thank you very much Jeremy,

I already have all the necessary licenses.

I'll start using it in passive mode with the default policy (IPS) and see what happens.

I use a 5525 ASA, can you please.

On my ASA I should configure a class map to send traffic to the IPS module;

which traffic do you suggest I send to the FirePOWER module to be inspected?

Once I have monitored the behaviour of the IPS for a period of time, I'll change the inspection mode from passive to inline.

FirePOWER is quite good at not giving false positives, so we usually recommend starting out with an "inspect all" inline policy on the ASA.

The starting FirePOWER IPS policy is usually "Balanced Security and Connectivity". 

Thank you very much Marvin.

What about the class map to send traffic to the NGIPS module? Do you think inspecting all traffic could fit?

What about local inspection? Do I have to disable HTTP and ICMP from local inspection by the ASA, or only HTTP? (Or maybe I have to disable all local inspection?)

Yes - the class map should include all traffic.

You can disable http inspection on the ASA if you're running it all through the FirePOWER module for a much more thorough scrub.

Assuming it's currently enabled, don't disable icmp inspection on the ASA because that will break its ability to recognize return icmp traffic from outside hosts. Disabling icmp inspection would thus make you unable to ping or traceroute to anything on the Internet from inside networks.
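The advice in the replies above (a class map matching all traffic, passive first and inline later, HTTP inspection moved off the ASA, ICMP inspection left on) put together as an ASA Modular Policy Framework configuration. This is an added example, not configuration posted by anyone in the thread and not taken from Cisco documentation; it assumes an ASA 5525-X running a release with the `sfr` redirection keyword (9.2(2.4) or later) and an installed ASA FirePOWER software module. The class-map name `SFR_ALL` is an assumption; `global_policy` and `inspection_default` are the names the ASA ships with by default.

```text
! Added example: redirect all traffic through the FirePOWER (SFR) module.
! SFR_ALL is an assumed name; global_policy and inspection_default are the
! ASA's default policy-map and class names.
!
! 1. A class that matches every flow. The built-in inspection_default class
!    (match default-inspection-traffic) only matches well-known ports, so it
!    is not enough for "inspect all".
class-map SFR_ALL
 match any
!
! 2. Adjust the ASA's own inspections and hand traffic to the module.
policy-map global_policy
 class inspection_default
! HTTP inspection (only present if someone added it; it is not in the
! default policy) can be removed, the module does a deeper job on HTTP.
  no inspect http
! Keep or enable ICMP inspection so echo-replies and TTL-exceeded messages
! are matched to the outbound flow; without it pings and traceroutes from
! inside networks break.
  inspect icmp
 class SFR_ALL
! Passive phase: monitor-only copies packets to the module, which can alert
! but never drop. fail-open keeps traffic flowing if the module is down;
! use fail-close if you would rather block than run uninspected.
  sfr fail-open monitor-only
!
! 3. Apply globally (usually already present on a default config).
service-policy global_policy global
!
! When you are satisfied with the alerts, go inline by dropping monitor-only:
!   policy-map global_policy
!    class SFR_ALL
!     sfr fail-open
!
! Verify the module state and that packets are being redirected:
! show module sfr details
! show service-policy sfr
```

Changing `sfr fail-open monitor-only` to `sfr fail-open` is the whole passive-to-inline switch; the class map and the rest of the policy stay the same. Check `show service-policy sfr` after the change to confirm the packet counters on the SFR class are still increasing.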
