
IPS policy on ASA5555-X

Hi,

We have installed an IPS license on our pair of 5555-X ASAs and created a new IPS policy, which shows approximately 30,000 signatures when applied. Can someone advise what the best way is to implement this IPS policy with a smaller number of signatures, or is it OK to implement the policy with the default 30,000 signatures?

What will be the impact on ASA performance? Are there any guidelines that show how to start with a minimum number of signatures enabled?

 

Regards.

Accepted Solution

ghalleen
Cisco Employee

I'm assuming by IPS license, you're referring to Firepower and not Classic IPS 7.0.

There are a number of things you should consider.  I'll try to point you to some of them.

1.  Make sure you have your Network Discovery Policy properly configured.  This policy tells your Firepower what IP addresses are part of your network.  By default, this is set as 0.0.0.0/0.  You'll want to change this to match the actual IP addresses used in your network.  Select Users, Applications, and Hosts.  Go to the Advanced settings, and select Capture Banners.

2.  In your Intrusion Policy, look at your Base Policy.  For most customers, the best Base Policy will be either "Balanced Security and Connectivity" or "Connectivity over Security".  Avoid using "Maximum Detection".  That Base Policy is intended for IPS testing, and will enable rules that are very old and unlikely to be dangerous in today's environment.

3.  When these changes are done, Save and Deploy.  After it's had time to run and learn from your network, then it's time to look at Firepower Recommendations.  The time to wait is going to be anywhere from 4 hours to maybe a few days.  Firepower Recommendations is the ability of FMC to automatically tune the IPS rules for your hosts and applications.  It takes the network information learned from what you configure in your Network Discovery Policy, compares it to known vulnerabilities in hosts and applications, and compares that to the IPS rules that are included in the Base Policy.

4.  To use Firepower Recommendations, click on "Firepower Recommendations" on the left side of your Intrusion Policy.  Generate and Use the recommendations.  Commit Changes, and then, Deploy again.

You'll notice that the number of rules enabled will be dramatically different from the 30,000 you see now.  After you get comfortable with this process, you can automate it by going to System -> Tools -> Scheduling and creating a scheduled task to run the recommendations on a regular basis (like maybe weekly).

 

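The tuning process described in the accepted answer, modelled as an added example that is not Cisco's code and not the actual Firepower Recommendations algorithm (which is Cisco's own). The discovery scopes, host inventory, rule sids and rule metadata below are all constructed and hypothetical. The script shows why step 1 matters: with the default 0.0.0.0/0 scope, transit traffic from hosts you do not own still counts as "your network" and keeps rules enabled for platforms you do not run, whereas a discovery scope limited to your real address space lets the recommendation step enable only rules that protect a host you actually have, and disable Base Policy rules with nothing to protect.

```python
"""Model of how a host/application inventory narrows an IPS rule set."""
import ipaddress
from dataclasses import dataclass

# Hypothetical Network Discovery Policy scopes (constructed for this example).
DEFAULT_DISCOVERY = ["0.0.0.0/0"]                     # the out-of-the-box setting
TUNED_DISCOVERY = ["10.10.0.0/16", "192.168.5.0/24"]  # your actual address space


@dataclass(frozen=True)
class Host:
    ip: str
    os: str
    services: frozenset


@dataclass(frozen=True)
class Rule:
    sid: int
    enabled_in_base: bool       # state inherited from the chosen Base Policy
    target_os: frozenset        # OS families the rule's vulnerability applies to; "*" = any
    target_services: frozenset  # services the rule inspects; "*" = any


# Constructed sample hosts, standing in for what discovery would learn.
HOSTS = [
    Host("10.10.1.5", "linux", frozenset({"http", "ssh"})),
    Host("10.10.2.9", "windows", frozenset({"smb", "rdp"})),
    Host("192.168.5.20", "linux", frozenset({"dns"})),
    Host("172.16.0.7", "solaris", frozenset({"rpc"})),  # transit traffic, not one of your hosts
]

# Constructed sample rules; sids and metadata are invented, not real Snort sids.
RULES = [
    Rule(1001, True,  frozenset({"linux"}),   frozenset({"http"})),
    Rule(1002, True,  frozenset({"windows"}), frozenset({"http"})),
    Rule(1003, False, frozenset({"windows"}), frozenset({"smb"})),
    Rule(1004, True,  frozenset({"solaris"}), frozenset({"rpc"})),
    Rule(1005, True,  frozenset({"*"}),       frozenset({"dns"})),
    Rule(1006, True,  frozenset({"*"}),       frozenset({"irc"})),
    Rule(1007, False, frozenset({"*"}),       frozenset({"ssh"})),
    Rule(1008, True,  frozenset({"windows"}), frozenset({"rdp"})),
]


def in_scope(hosts, discovery_networks):
    """Keep only hosts that fall inside the discovery policy's monitored networks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in discovery_networks]
    return [h for h in hosts if any(ipaddress.ip_address(h.ip) in n for n in nets)]


def rule_applies(rule, host):
    """A rule is relevant when the host runs both the targeted OS and a targeted service."""
    os_ok = "*" in rule.target_os or host.os in rule.target_os
    svc_ok = "*" in rule.target_services or bool(rule.target_services & host.services)
    return os_ok and svc_ok


def recommend(rules, hosts):
    """Sids that protect at least one in-scope host: the set we would enable."""
    return {r.sid for r in rules if any(rule_applies(r, h) for h in hosts)}


def tuning_report(rules, hosts, discovery_networks):
    """Compare the Base Policy's enabled set with the recommended set for one scope."""
    scoped = in_scope(hosts, discovery_networks)
    base = {r.sid for r in rules if r.enabled_in_base}
    rec = recommend(rules, scoped)
    return {
        "hosts_in_scope": len(scoped),
        "base_enabled": len(base),
        "recommended": len(rec),
        "enable": sorted(rec - base),   # disabled in base, but you run the target
        "disable": sorted(base - rec),  # enabled in base, but nothing to protect
    }


if __name__ == "__main__":
    for label, nets in (("default 0.0.0.0/0", DEFAULT_DISCOVERY), ("tuned", TUNED_DISCOVERY)):
        print(label, tuning_report(RULES, HOSTS, nets))
```

With the tuned scope the off-network Solaris host drops out, so its RPC rule is recommended for disabling, while two rules the Base Policy left off (SMB on Windows, SSH) are recommended for enabling because discovery saw those services on your hosts. The same reasoning is what makes re-running the recommendations on a schedule worthwhile: the recommended set tracks the inventory as hosts and services change.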



Thanks Ghalleen,

Yes, it's Firepower with the Protection license. We will follow your guidelines and update you.

Regards.
