#CiscoLive
Agenda
• IPS Inspection for ACP Rules
• Network Discovery Policy Mistakes
• Understanding SNORT Restarts
• Firepower Recommendations
• IPS Policy Before ACP
• Understanding the GID and Pre-Processor Rules
• Latency-Based Protections and Alerts
#CiscoLive BRKCRT-2001 © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Missing IPS Inspection for ACP Rules
Why Does This Matter? You could be missing IPS inspection for certain allowed traffic!
ACP Allow Rule Flow
No IPS Inspection on Allow Rules - A Mistake
By default, there is no ‘Intrusion’ inspection for ACP rules: an Allow rule with no Intrusion Policy attached passes matching traffic without any SNORT rule inspection.
You need to assign an ‘Intrusion Policy’ to the rule manually.
The Same Goes For ‘Interactive Block’ Rules
(Flow diagram: User attempts to connect to a website -> Interactive Block action -> User decides if traffic is allowed or blocked -> Traffic is allowed, or Traffic is blocked.)
Interactive Block ACP Rules
An Intrusion Policy needs to be assigned for ‘Interactive Block’ rules as well!
Network Discovery Policy Mistakes
Why Does This Matter? Network Discovery Policy also enables Application Detection!
Network Discovery is critical to other features, such as Firepower Recommendations.
Network Discovery in The Packet Flow
Network Discovery builds ‘Host Profiles’ for the hosts in your network.
This is primarily for traffic you are ‘Allowing’ that will get inspected by an Intrusion Policy.
Mistake #1- Deleting/Changing the Default Rule
Mistake #2 – Not Defining Internal Networks
When creating a ‘Host Discovery’ rule, define your networks
Mistake #3 – Overlapping Host Network Ranges
Do NOT add multiple ‘Discover Hosts’ rules with overlapping IP segments.
Overlapping can affect system performance due to the overlapping host discovery requirements!
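The following is an added example, not part of the original deck, that checks a Network Discovery rule set for Mistake #2 (host discovery not scoped to your own networks) and Mistake #3 (overlapping ‘Discover Hosts’ segments) before you deploy it. The rule representation (a list of dicts with name, action and networks) is a simplified one constructed for this example; it is not the FMC API schema or any export format.

```python
"""Lint Network Discovery 'Discover Hosts' rules for overlapping network
ranges (Mistake #3) and for host discovery that is not scoped to your own
internal networks (Mistake #2).

The rule representation used here is constructed for this example and is
NOT the FMC API schema or an export format.
"""
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Tuple

Rule = Dict[str, object]  # {"name": str, "action": str, "networks": [str, ...]}

# Constructed sample policy: the default rule discovers applications for the
# whole address space (leave it alone, Mistake #1); the others are host rules.
SAMPLE_RULES: List[Rule] = [
    {"name": "Default", "action": "Discover Applications",
     "networks": ["0.0.0.0/0", "::/0"]},
    {"name": "Corp-Users", "action": "Discover Hosts",
     "networks": ["10.10.0.0/16"]},
    {"name": "Data-Center", "action": "Discover Hosts",
     "networks": ["10.20.0.0/16", "10.10.5.0/24"]},   # 10.10.5.0/24 sits inside Corp-Users
    {"name": "Lab", "action": "Discover Hosts",
     "networks": ["0.0.0.0/0"]},                       # host discovery on the whole Internet
]


def _parse(networks: List[str]):
    return [ip_network(n, strict=False) for n in networks]


def find_overlaps(rules: List[Rule]) -> List[Tuple[str, str, str, str]]:
    """Return (rule_a, net_a, rule_b, net_b) for every pair of 'Discover Hosts'
    rules whose network segments overlap (one contains or equals the other)."""
    host_rules = [r for r in rules if r["action"] == "Discover Hosts"]
    findings = []
    for a, b in combinations(host_rules, 2):
        for na in _parse(a["networks"]):
            for nb in _parse(b["networks"]):
                # only compare within the same address family
                if na.version == nb.version and na.overlaps(nb):
                    findings.append((a["name"], str(na), b["name"], str(nb)))
    return findings


def find_unscoped_host_rules(rules: List[Rule]) -> List[str]:
    """Return names of 'Discover Hosts' rules that cover the entire IPv4 or
    IPv6 address space instead of defined internal networks (Mistake #2)."""
    everything = {ip_network("0.0.0.0/0"), ip_network("::/0")}
    return [
        r["name"]
        for r in rules
        if r["action"] == "Discover Hosts"
        and any(n in everything for n in _parse(r["networks"]))
    ]


if __name__ == "__main__":
    for a, na, b, nb in find_overlaps(SAMPLE_RULES):
        print(f"OVERLAP: {a} {na} <-> {b} {nb}")
    for name in find_unscoped_host_rules(SAMPLE_RULES):
        print(f"UNSCOPED: '{name}' discovers hosts on the whole address space")
```

Running it against the sample flags the 10.10.5.0/24 segment of Data-Center as overlapping Corp-Users, and flags the Lab rule both as unscoped and as overlapping every other host rule.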
Mistake #4 – Not Excluding Networks
What to exclude?
Understanding SNORT Restarts
Why Does This Matter? SNORT Restarts can cause traffic interruption and security issues!
Understanding SNORT Restarts
A SNORT Restart occurs in multiple configuration change scenarios, and can cause:
1) An interruption in traffic
2) An interruption in inspection
Or both.
What Happens When SNORT Restarts?
It depends on your software version and system/interface configuration
https://www.cisco.com/c/en/us/support/security/defense-center/products-installation-and-configuration-guides-list.html
First Map Out How Your Devices Will Respond
Identify exactly how your devices and interface configurations will behave
Second, Learn What Processes Cause a Restart
Again, refer to the FMC configuration guide (fpmc-config-guide) for your software version
SNORT Reloads Are Here to Help!
A SNORT Reload causes no traffic or inspection interruptions
What About VDB Updates?
VDB stands for ‘Vulnerability Database’
VDB Updates and SNORT Restarts
VDB updates restart SNORT… just not how you might expect!
SNORT Rule Updates (SRUs) and Older Software
Do you have Managed Devices running software below version 6.3?
Firepower Recommendations Oversights and Misconfigurations
Why Does This Matter? Your Firepower Recommendations may not be as accurate as you think!
Firepower Recommendations Mistake #1
Improperly configured Network Discovery Policy
The data FP Recommendations uses comes directly from the Network Discovery Policy!
Firepower Recommendations Mistake #2
Not waiting enough time after profiling your network
Firepower Recommendations Mistake #3
Only running Recommendations once
Generally updated at least weekly, and can also be scheduled
Firepower Recommendations Rule Overhead
Not understanding ‘Rule Overhead’
This setting determines which rules should be considered for Enabling. Default is set to ‘Medium’.
The ‘Overhead’ of a rule indicates the rule’s performance impact relative to other rules.
Rule Overhead Rule Assignment
FP Recommendations is only going to recommend Enabling rules up to this threshold.
Rules per overhead level in the rule set shown: Low: 507, Medium: 8139, High: 8003, Very High: 26682
Understanding and Managing the IPS Policy Before ACP
Why Does This Matter? You might be missing protection from threats!
Do You Know of the ‘Default Intrusion Policy’?
Default Intrusion Policy Protection
Certain features require Firepower to see 3-5 (or more) packets before matching an ACP rule. Until a rule is matched, those packets are inspected only by the ‘Default Intrusion Policy’ (if one is assigned).
Applicable Firepower Features
E.g., App-detection, URL filtering, QOS, and IAB (Intelligent Application Bypass)
This is an example of an app-detect ACP rule. In order to match the flow, Firepower would need to see 3-5 packets on average FIRST.
Configuring The ‘Default Intrusion Policy’
This is assigned in the ‘Advanced’ section of your ACP
Tip: Create a ‘User Created’ Policy!
Remember, you cannot make changes to system-provided policies (e.g., Balanced Security and Connectivity). To make the Intrusion Policy changeable…
Understanding the GID (Generator ID)
Why Does This Matter? As an analyst, you need to know where Intrusion Events are being generated from.
'Intrusion Events’ come from SNORT
The GID maps the ‘Intrusion Event’ to the area of SNORT that generated it: preprocessor rules (managed by the Network Analysis Policy) or detection-engine rules (managed by Intrusion Policies).
Understanding the Generator ID (GID)
The GID tells you if the Intrusion Event came from the Detection Engine or a Preprocessor
Pre-Processor Rules – 100 and above
Used to alert on certain preprocessor settings.
GID 100 and above = preprocessor rule
Intrusion Policy Rules = Gid 1-3
GID 1-3 = Processed in the detection engine(s); these rules are either disabled, enabled and dropping traffic, or enabled and only generating events.
(GID:1 example)
Managing Pre-Processor Rules
Why Does This Matter? Enabling preprocessor rules can have unexpected results. The configuration of the preprocessor rules is not always mapped to the preprocessor settings!
Network Analysis Policy (NAP) Rule Automation
Understanding Preprocessor Rules
Example: SIP Preprocessor
Pre-processor rules enable alerting and drop actions on certain preprocessor functions.
The GUI ‘Gotcha’ for Preprocessor Rules
Network Analysis Policy
The GUI ‘Gotcha’ for Preprocessor Rules
Intrusion Policy
NAP Rule Enabled - Preprocessor is Disabled
The Invisible Preprocessor Setting
Network Analysis Policy
Lessons Learned
• If you plan to enable a preprocessor rule, be sure the corresponding preprocessor is configured the same in the NAP and/or already enabled in the NAP.
• DISABLING a preproc rule in the Intrusion Policy will NOT disable the preproc setting if it’s enabled in the NAP.
• Remember the Intrusion Policy and NAP are meant to work together!
• Moral of the story: The GUI is trying to protect you by automating this, but not knowing how it works can really work against you.
Understanding and Alerting on Latency-Based Performance Settings
Why Does This Matter? You could be missing threats!
Firepower Latency Protection
These are found in the Access Control Policy Advanced Tab.
• Packet-Based: Prevents latency for packets going through SNORT
• Rule-Based: Prevents SNORT rules from causing latency
Turn On Latency Threshold Alerting
By default, you are not alerted when these are triggered.
Select ‘Generate Events’ to generate an Intrusion Event when they fire. The resulting events are:
• Packet-latency time exceeded
• Rule disabled
• Rule re-enabled
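The following is an added example, not part of the original deck, that ties the GID section and the latency-alerting section together: it parses intrusion-event lines, classifies each by GID the way the slides describe (GID 1-3 detection engine / Intrusion Policy, GID 100 and above preprocessor / Network Analysis Policy), and pulls out the latency-threshold events you get once ‘Generate Events’ is on. It assumes classic Snort "[gid:sid:rev]" alert formatting; the sample lines are constructed for the example and are not real FMC output. The preprocessor names for GIDs 119, 120, 123, 129, 134 and 140, and the mapping of GID 134 SIDs 1-3 to the three latency events, follow the Snort 2.x preprocessor rule set and are stated here as assumptions about that rule set, not something the deck itself spells out.

```python
"""Classify intrusion events by Generator ID (GID) and surface latency events.

GID 1-3   : text / shared-object rules, detection engine, Intrusion Policy
GID >= 100: preprocessor rules, Network Analysis Policy
GID 134   : the latency (performance monitor, "PPM") generator in Snort 2.x;
            its SIDs 1-3 are the three latency events shown on the slide.

Log lines below are constructed for this example in the classic Snort
"[gid:sid:rev]" alert format; they are not real FMC exports.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Partial GID -> preprocessor name table (Snort 2.x; assumption, not from the deck).
PREPROCESSOR_NAMES = {
    119: "http_inspect (client)",
    120: "http_inspect (server)",
    123: "frag3",
    129: "stream5",
    134: "latency / performance monitor (PPM)",
    140: "sip",
}

# GID 134 SIDs -> the latency events the slide tells you to alert on.
LATENCY_EVENTS = {
    1: "Packet-latency time exceeded",
    2: "Rule disabled (rule latency threshold exceeded)",
    3: "Rule re-enabled",
}

_ALERT_RE = re.compile(r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"(?P<msg>[^"]*)"')

# Constructed sample events (SIDs and messages are illustrative only).
SAMPLE_EVENTS = [
    '[1:1000001:1] "LOCAL example text rule" {TCP} 203.0.113.5:80 -> 10.10.5.23:51234',
    '[3:2000001:1] "EXAMPLE shared-object rule" {TCP} 203.0.113.9:443 -> 10.10.5.24:40001',
    '[119:15:1] "(http_inspect) OVERSIZE REQUEST-URI DIRECTORY" {TCP} 10.10.5.23:51240 -> 198.51.100.7:80',
    '[140:2:1] "(spp_sip) example SIP preprocessor event" {UDP} 10.20.1.10:5060 -> 10.20.1.11:5060',
    '[134:1:1] "PPM_EVENT_PACKET_ABORTED" {TCP} 10.10.5.25:33001 -> 198.51.100.8:443',
    '[134:2:1] "PPM_EVENT_RULE_TREE_DISABLED" {TCP} 10.10.5.25:33002 -> 198.51.100.8:443',
    '[134:3:1] "PPM_EVENT_RULE_TREE_ENABLED" {TCP} 10.10.5.25:33003 -> 198.51.100.8:443',
    'Mar  3 10:00:00 fmc: not an intrusion event line at all',
]


def classify_gid(gid: int) -> str:
    """Map a GID to the part of SNORT (and the policy) that produced the event."""
    if 1 <= gid <= 3:
        return "detection-engine (Intrusion Policy)"
    if gid >= 100:
        return "preprocessor (Network Analysis Policy)"
    return "other/unknown generator"


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Parse one alert line; return None for lines that are not intrusion events."""
    m = _ALERT_RE.search(line)
    if not m:
        return None
    gid, sid = int(m["gid"]), int(m["sid"])
    return {
        "gid": gid, "sid": sid, "rev": int(m["rev"]), "msg": m["msg"],
        "source": classify_gid(gid),
        "preprocessor": PREPROCESSOR_NAMES.get(gid) if gid >= 100 else None,
        "latency_event": LATENCY_EVENTS.get(sid) if gid == 134 else None,
    }


def summarize(lines: List[str]) -> Counter:
    """Count events per source (detection engine vs preprocessor)."""
    return Counter(ev["source"] for ev in map(parse_event, lines) if ev)


def latency_events(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the GID 134 latency-threshold events, in log order."""
    return [ev for ev in map(parse_event, lines) if ev and ev["latency_event"]]


if __name__ == "__main__":
    for source, count in summarize(SAMPLE_EVENTS).items():
        print(f"{count:3d}  {source}")
    for ev in latency_events(SAMPLE_EVENTS):
        print(f"LATENCY: [{ev['gid']}:{ev['sid']}] {ev['latency_event']}")
```

A run over the sample reports two detection-engine events and five preprocessor events, three of which are the latency events; in an environment where these never appear, check first that ‘Generate Events’ is actually enabled on the latency settings rather than assuming no thresholds are being hit.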
Further Your Education on Firepower
Enroll for a comprehensive instructor-led experience with hands-on labs and lots of Firepower!
johnwis@cisco.com
https://learninglocator.cloudapps.cisco.com/#/course-details/8713 - SSNGFW
https://learninglocator.cloudapps.cisco.com/#/course-details/8678 - SSFIPS
Thank you