
#CLUS

Cisco Firepower NGIPS
Tuning and Best Practices

John Wise
Security Instructor
BRKCRT-2215

Agenda
• Packet Flow
• Network Discovery
• Traffic to not inspect/Fast Path
• Security Inspections
• Misc. SNORT settings
• Tuning False Positives

#CLUS BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Webex Teams will be moderated by the speaker until June 16, 2019.
cs.co/ciscolivebot#BRKCRT-2215

Firepower!!

Security Instructor for Cisco High Touch Delivery and proud Sourcefire Alumnus!

John Wise - johnwis@cisco.com

Reference Slides

When you see this icon it is a slide for your reference!

Firepower Packet
Flow
Firepower Threat Defense Packet Flow
This is your Lifeline!

(Figure: packet flow diagram; labels: Firepower OS, ASA OS (Lina))

Network Discovery
What is Network Discovery?
Firepower can build host information – called Host Profiles!

Learn about your Operating systems, applications, and vulnerabilities!

Why Enable Network Discovery Host Profiling?
Learn about your hosts and their vulnerabilities!

Help analysis with Impact Flags! (FMC’s ability to distinguish between likely false positives and real security events)

Help tune your SNORT rules to YOUR environment (We call this Firepower Recommendations)

Firepower Network Discovery
Notice that Discovery occurs AFTER both Prefilter and Access Control Policy

Network Discovery occurs here

Enabling Network Discovery Policy for Host Profiling

1) Edit this policy

2) Create a Discover Rule and define your networks

3) Select ‘Hosts’

2) Create Exclude rules for not building host profiles (Examples: Load Balancers, NAT Devices, Guest Wireless Networks)

Network Discovery Discover Rule
Notice only Private IP spaces? This has been changed to represent only internal IP addresses. By default it’s all IPs, and you need to change this! Otherwise you will build host profiles for public hosts, which is NOT good!

Caution! Not defining your Network Discovery Policy can cause you to exceed your host limits!
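The Discover and Exclude rules described on the last few slides reduce to a simple membership test per address. The Python below is an added example, not code from the slides or from Cisco: it evaluates a simplified Network Discovery policy against a constructed connection log and shows how the default any/any scope profiles public hosts (and inflates the host count) while an RFC1918 scope with Exclude rules does not. The DiscoveryPolicy record, the connection log and the host-limit value are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# RFC1918 private space, the networks the slide's Discover rule is narrowed to.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class DiscoveryPolicy:
    """Simplified Network Discovery policy: Discover networks and Exclude networks (constructed)."""
    discover: tuple = ("0.0.0.0/0",)  # FMC default is any; this is the setting the slide says to change
    exclude: tuple = ()               # hosts that should never get a profile (LB, NAT, guest Wi-Fi)

    def profiles_host(self, ip):
        """A host profile is built only if the address is in a Discover network
        and not in any Exclude network (Exclude wins)."""
        addr = ipaddress.ip_address(ip)
        if any(addr in ipaddress.ip_network(net) for net in self.exclude):
            return False
        return any(addr in ipaddress.ip_network(net) for net in self.discover)


def profiled_hosts(policy, connections):
    """Distinct hosts that would receive a host profile from the given flows.
    Both endpoints of each connection are candidates."""
    return {ip for src, dst in connections for ip in (src, dst) if policy.profiles_host(ip)}


def exceeds_host_limit(policy, connections, host_limit):
    """The slide's caution: an undefined policy can push you past the host limit.
    host_limit is a hypothetical value; the real limit depends on the FMC model."""
    return len(profiled_hosts(policy, connections)) > host_limit


# Constructed connection log (src, dst): internal clients talking to public
# servers, a guest wireless client, and a load-balancer VIP.
CONNECTIONS = [
    ("10.1.1.50", "203.0.113.10"),
    ("10.1.1.51", "198.51.100.25"),
    ("192.168.200.7", "203.0.113.10"),  # guest wireless network 192.168.200.0/24
    ("10.1.1.50", "10.9.9.9"),          # load balancer VIP
]

DEFAULT_POLICY = DiscoveryPolicy()  # any/any: public hosts get profiles too
TUNED_POLICY = DiscoveryPolicy(discover=RFC1918, exclude=("192.168.200.0/24", "10.9.9.9/32"))

if __name__ == "__main__":
    print(sorted(profiled_hosts(DEFAULT_POLICY, CONNECTIONS)))  # six hosts, two of them public
    print(sorted(profiled_hosts(TUNED_POLICY, CONNECTIONS)))    # ['10.1.1.50', '10.1.1.51']
```

Exclude is checked before Discover so that a load balancer or NAT device inside an otherwise discovered subnet still produces no profile, which is the behaviour the Exclude rule is meant to give you.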

Note! Leave the Default Application Discovery Rule
Enabled in Your Policy

Caution! Do not delete this rule as SNORT leverages this information

Network Discovery Best Practices
Deploy the Firepower device as close to your hosts as possible

Keep your VDB updates current

Ensure you have defined your networks and not left it as any/any

Do not create overlapping rules with the same hosts

URL Filtering
URL Filtering (URL Filtering License Required)

URL Filtering occurs here

URL Filtering License: Cloud-based URL intelligence (Category, Reputation)

URL Filtering– How does it work?
URL Database
• Ensure you have a URL Filtering license and enable it in the FMC

This forces the FMC to query the Firepower cloud every 30 minutes for updates

URL Database on the Managed Device may not have all URLs. This is based on the available memory on the managed device.

Select this to query for unknown URLs.

(Figure labels: Firepower Management Center, Managed Device)

URL Filtering with SSL Policy
Considering SSL/TLS Decryption For Resign?
First identify how much and what types of encrypted traffic you have
in your network!

Why are you doing decryption?

To protect YOUR servers?

To see into your users’ internet traffic?

To block or see less secure connections?

Consider not decrypting well-known sites
The majority of encrypted traffic will fall into this category, so you can significantly reduce how much you decrypt

URL Filtering For Uncategorized Websites
Decrypt all uncategorized websites – these are the most suspicious!

URL Filtering To Prevent Decryption
Do not decrypt Financial and Healthcare Categories Very important!

Identifying Traffic to not inspect
Trust Is How We Allow Traffic With No Security Inspections – And You NEED TO TRUST!

ASA/Firewall: Allow through, Block all the rest

Firepower: What to Block, What to Trust, What to inspect for security

With Firepower you have to consider your security inspections!

Trusted Traffic = No Security Inspections
You do not want to perform security inspections on certain traffic!

Elephant Flows (Like backup traffic)

Voice Traffic

Scanner/Pen-testing traffic

Determine Traffic to Trust and Fast Path
For traffic you completely trust, either Fast Path or Trust in FTD

Trust means do not inspect for security inspections (ACP)

Fast Path means the same thing but is performed in hardware (Prefilter Policy)

• You will want to Trust or Fast Path certain types of traffic, especially:
• Voice Traffic (performance issues)
• Backup Traffic (performance issues) This is a type of ‘Elephant Flow’!
• Scanner Traffic (False positive issues)

Prefilter or Trust in ACP for FTD?
Prefilter is faster since it’s in hardware, but ACP lets you use many more options to identify the traffic

Prefilter: IP, Port, Vlan, Security Zone Only (outer-header)

ACP: All options in your ACP rule, including Application and URL Filtering


Prefilter Vs. Access Control Policy
Prefilter
• Outer header Only
• Best for longer-lived flows
• Fast!
• Can be trouble for short-lived flows! (on 4100/9300)
• IP, Port, VLAN, Sec Zone ONLY (L3/L4)

Access Control
• Inner Header Criteria
• NGFW Firewall conditions
• Application Firewall
• Directs traffic to security inspections

Prefilter Policy – First Firewall Phase

Analyze=Send to SNORT
Fastpath=Skip SNORT

Fast Path Skips SNORT

Fast Path = same as Trust but faster and no SNORT Inspection


Access Control Policy – Second Firewall Phase
Many firewall rule options!

Trust – STOPS SNORT Inspection and passes permit verdict to Lina

Fast Path
Fast Path on Classic Software Platforms

Cisco ASA with FirePOWER Services

FirePOWER 7000/8000

Fast path is done differently on each platform

Fast Path on the ASA with FirePOWER Services
Fast Path is done on the ASA, not in FirePOWER, by not sending the traffic to Firepower

Fast Path on the 8000 Series Appliance

Under the Devices tab

However, Cisco recommends fast pathing in your Access Control Policy instead

Rule Promotion in FirePOWER 7000/8000 Series
BLOCK and TRUST ACP rules can be Promoted, which will allow Firepower to process the traffic in hardware

Traffic identified by: VLAN, Security Zone, IP, Port
How to Promote Rules on the 7000/8000 Series
They must:
1. Trust or Block Action
2. Contain only IP, Port, VLAN, Sec Zone conditions
3. Be placed above all other rules

Example: The first two rules will be promoted

You will not see this in the GUI, as this is an automatic system process.
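The three conditions above amount to a top-down scan of the ACP that stops at the first rule that does not qualify. The Python below is an added example, not code from the slides or from Cisco: it applies those conditions to a constructed rule list and reproduces the slide's outcome, where only the first two rules are promoted. The AcpRule record and the condition field names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Conditions the 7000/8000 hardware can evaluate: the L3/L4 outer-header fields
# named on the slide. The field names themselves are constructed for this example.
HARDWARE_CONDITIONS = {"src_ip", "dst_ip", "src_port", "dst_port", "vlan", "src_zone", "dst_zone"}
PROMOTABLE_ACTIONS = {"Trust", "Block"}


@dataclass
class AcpRule:
    name: str
    action: str
    conditions: dict = field(default_factory=dict)  # condition type -> value


def is_promotable(rule):
    """Conditions 1 and 2: a Trust/Block action and nothing but L3/L4 conditions."""
    return rule.action in PROMOTABLE_ACTIONS and set(rule.conditions) <= HARDWARE_CONDITIONS


def promoted_rules(policy):
    """Condition 3: promoted rules must sit above all other rules, so promotion
    stops at the first rule that fails is_promotable, even if later rules would qualify."""
    promoted = []
    for rule in policy:
        if not is_promotable(rule):
            break
        promoted.append(rule.name)
    return promoted


# Constructed policy mirroring the slide's example: only the first two rules are promoted.
EXAMPLE_POLICY = [
    AcpRule("Trust backups", "Trust", {"src_ip": "10.10.0.0/16", "dst_port": "tcp/443"}),
    AcpRule("Block guest VLAN", "Block", {"vlan": 200}),
    AcpRule("Block social media", "Block", {"application": "Facebook"}),  # app condition: software only
    AcpRule("Trust voice", "Trust", {"dst_port": "udp/5060"}),  # qualifies, but sits below a non-promotable rule
]

if __name__ == "__main__":
    print(promoted_rules(EXAMPLE_POLICY))  # ['Trust backups', 'Block guest VLAN']
```

The fourth rule is the one to notice: it satisfies conditions 1 and 2, but because an application-based rule sits above it, it stays in software. Moving it to the top of the policy would get it promoted.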

Promoted Rule Processing
The rules are promoted and processed here once you deploy the Policy

In the GUI, however, you will still see the rules in your ACP

Connection Events
Managing Connection Events

You manage the bulk of your Connection Events in your Access Control Policy

Connection Event Logging
In Firepower, a ‘Connection Event’ is any packet seen going through the device.

‘Event Viewer’ refers to your FMC

All events are stored here (FMC)

All events on the FMC are first in first out!

(Figure: Traffic Flow through the Managed Device; Event data sent to the FMC)

Logging Options
Should I log at beginning or the end?

Log at beginning only if you are tying this event to an alert!

Cisco recommends logging at the end of the connection.

Logging at beginning and end will cause two connection events!
Automatic Connection Event Logging
Security Events will automatically log connection events!

With logging off, if the packet triggers any security event, an end of connection is automatically logged!

eStreamer
eStreamer is Firepower’s proprietary tool for streaming events to a SIEM

The FMC uses eStreamer

The 7000/8000 series also lets you use eStreamer to stream events directly to a SIEM

Note you can also send connection events directly to a syslog server

Tune Using an Access Control Policy Rule
Use your ACP rules to tune connection logging

Every ACP rule allows you to specify logging options!

To turn logging off simply select no options under the logging tab

Choose ‘Log at End’ unless you are tying this to an event you wish to see immediately

DNS No Logging Rule Example
DNS request rule to reduce logging

Connection logging is off

Notice you are still sending this traffic through SNORT (your Intrusion Policy)

Database Settings in Your FMC
You can adjust the retention amount in your FMC
Under System-Configuration-Database you can adjust how many events you retain…

Caution! It is not recommended to change these settings unless recommended by support!

Determine Security Inspections
Cisco Talos – The Threat Intel Backbone
Talos feeds threat intel to many Cisco technologies

Security Intelligence Categories
https://www.talosintelligence.com/

Example of a malicious IP in the ‘Malware’ Security Intelligence category

SNORT Rules (Intrusion Policy)
https://snort.org/

Example of a SNORT rule covering cve2013-1690

SNORT rule is 1:33089

File/Malware Policy (Threat Grid)

Threat Grid powers the Malware/File Policy

Talos Intelligence In Firepower
Security Intelligence (Threat License)
Malware/File Policy (Malware License)
Intrusion Policy (Threat License)

Talos Intelligence – Threat License Only
Security Intelligence, Intrusion Policy

Note! You typically use both these inspections together!

Talos Intelligence – Malware AND Threat License
Security Intelligence, Malware/File Policy, Intrusion Policy

Security Intelligence
Security Intelligence includes IP, URL, and DNS
We recommend configuring the same categories for all three

• Network (IP-based)
• URL
• DNS

DNS Inspection for Security Intelligence
You need to configure a DNS Policy and append to your ACP
First: Create a DNS Policy and add a rule
with the categories you wish to blacklist

DNS Rule Options
Decide which action to use for your Categories

Second: Decide the appropriate actions you wish to take

Tip! Sinkhole allows you to identify Malware-infected hosts!

Assign Your DNS Policy to Your ACP
Third: Append your DNS Policy to your Access Control Policy

That’s it! You just configured DNS Security Intelligence

Malware and File Policy Strategies
Malware and File Policy Inspection

Malware and File Inspections are performed here

Considering Malware/File Inspection?
First identify how many files you are seeing in the network spaces where you are considering doing inspection!

Mapping ACP to Your Malware and File Policy
Map your Access Control Policy rules to the Malware/File Policy by the protocols it covers

(Figure labels: Intrusion Policy, Malware/File Policy, SafeSearch, YouTube EDU, Logging; Application Protocols available in your Malware/File Policy)

Malware Blocking Behavior
Test the behavior when Blocking Malware in Email Protocols

The way Firepower blocks malware is by dropping the last packet, which may not play nicely with email servers

File Storage
Don’t be overzealous with storing files

The 8000, 2100/4100/9300 all have an optional Malware Storage Pack for this!

This stores the File on the Managed Device, and selecting all might over-burden the device

Consider instead storing only Unknown so you can submit them later for analysis

Intrusion Policies
Intrusion Policies Manage Your SNORT Rules

SNORT rules get evaluated here. This is your Intrusion Policy!

Understanding Base Policies
Base Policies are provided for you by Cisco Talos
These are updated for you regularly during Rule Updates!

Great Starting Policy!

Base Policies (Increasing Protection Level):
Connectivity over Security: +/- 1,000 rules enabled
Balanced Security and Connectivity: +/- 8,000 rules enabled
Security over Connectivity: +/- 12,000 rules enabled
Intrusion Policy Key Points to Remember
For each Managed Device, you can have only one ACP, however:

Each Intrusion Policy can use its own Base Policy

You can have multiple Intrusion Policies

The more rules enabled the more performance is impacted, but the more security you have.

Less Common Base Intrusion Policies

• Maximum Detection is not typical for production networks
• No Rules Active does not give you a starting point based on the importance of the rules

Caution! Be careful with Maximum Detection. Cisco highly recommends Security Over Connectivity for high secure networks
Easy mistake to make!
Do not overlook assigning an IPS policy to ALLOW rules

Allow should be assigned to an Intrusion Policy

No Intrusion Policy assigned!
Interactive Block Mapping to IPS Policy
IPS assignments also apply to Interactive Block rules!

Interactive Block should be assigned to an Intrusion Policy

No Intrusion Policy assigned! Uh Oh!
Allow and Interactive Block – Map To Further Inspections

Trust = STOP inspection in SNORT and pass to Lina
Not mapping an intrusion policy to an allow rule is essentially Trusting this traffic!

Firepower Recommendations!
Maps your Host Profile CVEs to the CVEs in the Snort Rules automatically!

Disable: No CVE seen in Host Profiles? Turns rule with this CVE OFF.

Enable: CVE seen in host profile but rule is off? Turns rule with this CVE ON.

Firepower Recommendations Gone Wrong
Scenario 1:
Network Discovery ON, but left to Any/Any for Discovery (the default)
Remember this MUST define only your protected network, and all of the network spaces you are
protecting
What would happen? It would enable rules that are not part of your network, and would
likely oversubscribe the box
Scenario 2:
Network Discovery ON, but host profiles are not identifying host information correctly
because of Asymmetric Routing
If Firepower does not see all parts of the conversation, it cannot properly identify host
data, and would cause this feature to be completely inaccurate
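The two Recommendations conditions on the previous slide, and Scenario 1 above, can be shown together in a few lines. The Python below is an added example, not code from the slides or from the FMC: it compares the CVEs seen in constructed host profiles against the CVE references of a constructed rule set, with the protected-network scope as a parameter, so you can see how an any/any discovery scope lets a public host's CVE enable a rule your own hosts do not need. The SID/CVE pairs 33089/CVE-2013-1690 and 1024/CVE-1999-0191 are the slides' examples; the rule states, the host data and the simplification that rules without a CVE reference are left alone are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SnortRule:
    sid: int
    enabled: bool
    cves: frozenset  # CVE ids taken from the rule's reference: options


# Constructed rule set. SID 33089 / CVE-2013-1690 and SID 1024 / CVE-1999-0191 are
# the pairs shown on the slides; SID 40134 has no CVE reference. Initial states are assumed.
RULES = (
    SnortRule(sid=33089, enabled=False, cves=frozenset({"CVE-2013-1690"})),
    SnortRule(sid=1024, enabled=False, cves=frozenset({"CVE-1999-0191"})),
    SnortRule(sid=40134, enabled=True, cves=frozenset()),
)

# Constructed host profiles: ip -> CVEs the host is believed vulnerable to.
# 203.0.113.10 is a public host that only gets profiled with an any/any Discover rule.
HOST_PROFILES = {
    "10.2.2.3": {"CVE-2013-1690"},
    "203.0.113.10": {"CVE-1999-0191"},
}


def cves_seen(host_profiles, protected_networks):
    """CVEs present on hosts inside the protected networks (the Network Discovery scope)."""
    nets = [ipaddress.ip_network(n) for n in protected_networks]
    seen = set()
    for ip, cves in host_profiles.items():
        if any(ipaddress.ip_address(ip) in net for net in nets):
            seen |= set(cves)
    return seen


def recommend(rules, host_profiles, protected_networks=("0.0.0.0/0",)):
    """Return {sid: 'enable' | 'disable'} following the two slide conditions:
    enable a disabled rule whose CVE is seen, disable an enabled rule whose CVE is not.
    Rules with no CVE reference are left alone (a simplification; the FMC has more inputs)."""
    seen = cves_seen(host_profiles, protected_networks)
    recommendations = {}
    for rule in rules:
        if not rule.cves:
            continue
        relevant = bool(rule.cves & seen)
        if relevant and not rule.enabled:
            recommendations[rule.sid] = "enable"
        elif not relevant and rule.enabled:
            recommendations[rule.sid] = "disable"
    return recommendations


if __name__ == "__main__":
    # Scenario 1: discovery left at any/any, so the public host's CVE switches on SID 1024,
    # a rule no protected host needs (and one more rule for the box to evaluate).
    print(recommend(RULES, HOST_PROFILES))                                        # {33089: 'enable', 1024: 'enable'}
    # Discovery scoped to the protected network: only SID 33089 is recommended on.
    print(recommend(RULES, HOST_PROFILES, protected_networks=("10.0.0.0/8",)))  # {33089: 'enable'}
```

The second call is the one to aim for operationally: the scope passed to recommend is the same set of networks your Discover rule should carry, which is why the slides insist that the two match.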

Firepower Recommendations Tips
Make sure this matches your Network Discovery!

Generate first, then spend time looking at what it recommended by getting familiar with your host profiles! Do not rush its initial setup.

This can work against you if you do not have accurate host data. Do not enable unless you have time to ensure your host data looks good.

Variables
Variables Used in your Intrusion Policy

Assigned to Intrusion Policies in your Access Control Policy Rule

Variables in your SNORT Rules
Rule Header
Rule header determines what traffic the enabled rules will run against

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB_IIS newdsn.exe access"; flow:to_server,established;
uricontent:"/scripts/tools/newdsn.exe"; nocase;
reference:cve,cve-1999-0191;
classtype:web-application-activity; sid:1024; rev:5;)

Rule Body
Rule body is where SNORT inspects the traffic

So, this rule will only run against a packet coming from $EXTERNAL_NET destined to $HTTP_SERVERS

Variables in the Flow
1) Packet matches the ACP rule
2) It’s an ‘Allow’ rule, and sends the traffic to the specified Intrusion Policy
3) The Variable Set is also assigned here, so the variable definitions assigned in the ‘Default Set’ Variable Set will be used to match against the rules
4) The SNORT Rule header’s variable definitions are used to determine if the rule is run against the packet

Your Default-Set
In your Objects, you will find your ‘Default-Set’ Variable set. This is what is used for all
variable definitions unless otherwise specified.

HOME_NET Variable Tuning
You will need to ensure you have defined HOME_NET

Server definitions reference HOME_NET

Notice by default HOME_NET is set to ‘any’

How to Define HOME_NET Variable
Define Your HOME_NET as all RFC1918 Private IP spaces and any public spaces you own

Caution! If you choose to define server variables, do so with extreme caution as missing a server network space will result in no inspection by SNORT rules referencing that variable.

EXTERNAL_NET Variable
EXTERNAL_NET is defined as ‘any’ by default

Defining EXTERNAL_NET
It is typical to define this as !HOME_NET which excludes these networks, but doing so can result in missing attacks!

Why? Consider this rule header

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS

If it is an internal to internal attack, the rule will not be run against that traffic!
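The header walk-through a few slides back and the EXTERNAL_NET pitfall just above are the same mechanism seen from two sides: the header's variables are resolved against the assigned Variable Set, and only packets that the resolved header selects ever reach the rule body. The Python below is an added example, not Snort or FMC code: it resolves the variables of the slide's header (including the ! negation and $VAR references) and tests two constructed packets against it under two constructed variable sets, so the internal-to-internal miss is visible as a return value. HOME_NET set to RFC1918, HTTP_SERVERS referencing HOME_NET, the port list and the packets are assumptions made for the illustration; nested per-entry negation inside a list is left out of this simplified resolver.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def resolve_network(expr, variables):
    """Resolve a header network field to (networks, negated).
    networks is None for 'any'. Handles $VAR references (recursively), a leading
    '!' negation and comma-separated CIDR lists."""
    negated = False
    while expr.startswith("!"):
        negated = not negated
        expr = expr[1:]
    if expr.startswith("$"):
        nets, inner_negated = resolve_network(variables[expr[1:]], variables)
        return nets, negated ^ inner_negated
    if expr == "any":
        return None, negated
    nets = [ipaddress.ip_network(tok.strip()) for tok in expr.strip("[]").split(",")]
    return nets, negated


def network_matches(expr, ip, variables):
    nets, negated = resolve_network(expr, variables)
    if nets is None:
        return not negated  # 'any' matches every address
    inside = any(ipaddress.ip_address(ip) in net for net in nets)
    return inside != negated


def resolve_ports(expr, variables):
    """Port field: 'any' -> None, '$VAR' -> its definition, else a comma-separated list."""
    if expr.startswith("$"):
        return resolve_ports(variables[expr[1:]], variables)
    if expr == "any":
        return None
    return {int(tok) for tok in expr.strip("[]").split(",")}


def port_matches(expr, port, variables):
    ports = resolve_ports(expr, variables)
    return ports is None or port in ports


def header_matches(header, pkt, variables):
    """Does the rule header select this packet? Only then is the rule body evaluated."""
    _action, _proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional headers are handled in this example")
    return (network_matches(src, pkt.src_ip, variables)
            and port_matches(sport, pkt.src_port, variables)
            and network_matches(dst, pkt.dst_ip, variables)
            and port_matches(dport, pkt.dst_port, variables))


# The header from the slide. The variable definitions are constructed: HOME_NET is
# RFC1918 as recommended, HTTP_SERVERS references HOME_NET, HTTP_PORTS is a short list.
HEADER = "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS"
DEFAULT_SET = {
    "HOME_NET": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16",
    "EXTERNAL_NET": "any",
    "HTTP_SERVERS": "$HOME_NET",
    "HTTP_PORTS": "80,8080",
}
# A second variable set with the tempting but risky definition from the slide.
EXCLUDING_SET = dict(DEFAULT_SET, EXTERNAL_NET="!$HOME_NET")

# Constructed packets: an internal client and an internet client, both to web server 10.2.2.3.
INTERNAL_TO_INTERNAL = Packet("10.1.1.50", 51000, "10.2.2.3", 80)
EXTERNAL_TO_INTERNAL = Packet("203.0.113.10", 40000, "10.2.2.3", 80)

if __name__ == "__main__":
    for name, vs in (("EXTERNAL_NET=any", DEFAULT_SET), ("EXTERNAL_NET=!$HOME_NET", EXCLUDING_SET)):
        print(name,
              "internal->internal:", header_matches(HEADER, INTERNAL_TO_INTERNAL, vs),
              "external->internal:", header_matches(HEADER, EXTERNAL_TO_INTERNAL, vs))
```

With EXTERNAL_NET left at any, both packets reach the rule body; with !$HOME_NET the internal client's packet is never evaluated, which is exactly the blind spot the slide warns about and the reason the next slides keep two variable sets, one per traffic direction.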

Consider Two Definitions of EXTERNAL_NET
This variable set will be for all internally sourced traffic

This variable set will be for external to internal traffic

Externally Sourced Traffic EXTERNAL_NET
Security Zones to identify externally sourced traffic

The EXTERNAL_NET definition is excluding HOME_NET

Internally Sourced Traffic EXTERNAL_NET
Security Zones to identify internally-sourced traffic

The EXTERNAL_NET definition is left to ANY for the Default Set

Advanced Variable Tuning Caution

Please note that incorrectly defining or mapping your variables can have the effect of no inspection for certain rules and/or networks.

In other words, do not make mistakes here!

Misc. Firepower SNORT Settings
SNORT Misc. Settings
A few settings are configurable to deal with potential latency issues within SNORT

SNORT begins and ends at the DAQ


Automatic Application Bypass
AAB
Allows you to catch (and automatically resolve) hung SNORT processes

• Available in all Classic Device versions
• Available in FTD effective 6.2.1

Automatic Application Bypass Settings
Disabled by Default

• Per packet timer
• SNORT core file is collected
• Process manager will restart SNORT

Note: Do not change the Bypass threshold unless recommended by TAC!

Automatic Application Bypass Alerting
The Health Monitor can alert you to AAB events

Remember the Health Modules run at 5-minute intervals

SNORT Performance Thresholds
Firepower has two threshold settings

Packet-Based: Prevents latency for packets going through SNORT

Rule-Based: Prevents SNORT rules from causing latency by disabling and re-enabling SNORT rules automatically when they are causing issues

These are found in the Access Control Policy Advanced Tab!

Note: These are set by default and Cisco does not recommend you change these in most environments

Latency Threshold Alerting
By default you are not alerted when these are triggered
Consider alerting on these – select ‘Generate Events’ to generate an Intrusion Event

Events generated: Packet-latency time exceeded; Rule disabled; Rule re-enabled

Tip! You can also choose to DROP a packet that exceeds the packet-latency threshold!
Tuning False Positives
False Positive Intrusion Events
Most false positives occur here… with SNORT rules firing on traffic that is
determined to not be a security concern

False Positive Tuning
SNORT rules can generate False Positives

Remember an Intrusion Event comes from SNORT, and is either a SNORT or Preprocessor rule.

So what is a false positive?

When we have an intrusion event that is benign and NOT a threat!
False Positive Example
Consider this example:
A server at 10.2.2.3 has an in-house application triggering a SNORT rule that drops the packet and breaks the application

You can’t change how the application operates, so you need to address the rule that is breaking the application.

(Figure: Internet -> SNORT -> 10.2.2.3; SNORT drops the packet because it matched the rule)

False Positive Option 1
Suppress or Threshold the event

Intrusion Event generated and sent to FMC when SNORT rule fires

If you suppress, the event is never generated, but packet still dropped! This does not fix the issue.

(Figure: FMC with and without Suppression; in both cases the packet is dropped)
False Positive Option 2
Set the rule to Generate Events
1st Select ‘Rule State’
2nd change to ‘Generate Events’

This fixes the issue with the application but now we have turned off the protection the rule gave us for all the other traffic!

False Positive Option 3
Disable the Rule
Unless this rule does not apply to your environment, this is clearly not a viable option

False Positive Option 4
Use your ACP and a new Intrusion Policy to fix this
Here you see a rule written just for the traffic destined to that server

You create a second Intrusion Policy with that rule disabled

Technically this solution would work, but is not what Cisco recommends! A big solution to a small problem.

False Positive Option 5
Rewrite the SNORT rule

This does not fix the issue, since the rule is written correctly in this scenario. It is not the rule's fault!

If you re-wrote the rule, it would no longer work like it was intended to, and would no longer be protecting your environment.

False Positive Option 6
Write a Pass Rule
A Pass Rule is a rule designed to match on specific traffic conditions that, when met, pass the respective packet through SNORT.

Pass rules are processed first!

(Figure: Intrusion Pass Rules, then Intrusion Rules)

A Pass rule can be written to identify just the traffic destined to that server, and if it
matches the rule, it passes the traffic through SNORT without being inspected by the
other rule that was dropping the packet.

In this example, a Pass Rule is the solution!

Steps to Writing a Pass Rule
Identify the SNORT Rule causing the issue

The objective: Prevent the rule from dropping traffic for just your one host, while leaving it enabled and set to drop for all the remaining hosts

Identify the rule: In our example, we know the rule causing the issue is SID 40134

Identify the Rule Header
The rule header is what we change in writing a pass rule

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any

Identify the Rule Header Modification Needed
The header destination IP is what needs to be changed in our example
Change the destination to the IP or subnet you wish to ‘pass’

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> 10.2.2.3 any

Locate the Rule in your FMC
Remember all your SNORT rules are in your FMC
Click ‘edit’

SID is 40134

Change the Rule Header to Match as Required
Changing the action to pass puts the rule in the pass area of SNORT and will be processed before any alert rules!

1st change the Action to Pass

2nd change the required rule header value

3rd click ‘Save As New’
Save the New Rule
You just wrote a new SNORT rule!

You cannot modify SNORT rules. What you did was create a new rule

All imported and created rules in the system have a SID of 1,000,000+

#CLUS BRKCRT-2215 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 120
Find The Rule in Your Intrusion Policy
All imported and created rules are stored in Local Rules

Set The Rule to Generate Events
1st Select ‘Rule State’

2nd change to ‘Generate Events’

Optionally Add a Suppression

If you wish to now have the pass rule silent, suppress your new rule

Use a New Variable For Frequent Changes

You can use a custom Variable in the Pass rule instead

This allows you to quickly add new hosts to the PASS rule

Commit Changes and Deploy
Once deployed, traffic destined to that IP that matches the rule will be processed by the Pass rule, and will not match on the unmodified rule!

All Done!

Commit your changes and deploy!

Pass Rule Logic

[Diagram: Intrusion Rules are split into Pass Rules and Alert Rules. Traffic to 10.2.2.3 that matches that rule goes to the Pass Rules and triggers SID 1,000,000; no other Intrusion Rules are evaluated. All other traffic goes to the Alert Rules.]

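The pass-rule procedure above (edit the header, set the action to pass, save as a new local SID, optionally use a custom variable) and the Pass Rule Logic diagram, worked through in code. This is an added example, not part of the deck or of Snort itself: it parses a Snort 2 rule header, derives the pass rule the slides describe, and evaluates a few constructed packets with pass rules ordered ahead of alert rules. The variable values, the option string standing in for the SID 40134 rule body, the $PASS_HOSTS variable name and the external address 198.51.100.7 are all constructed for the example.

```python
import re
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed sample rule: the header is the one shown in the slides; the option
# string is a placeholder standing in for the real SID 40134 rule body.
ORIGINAL_RULE = (
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
    '(msg:"PLACEHOLDER body for SID 40134"; sid:40134; rev:1;)'
)

# Assumed variable set; values are constructed for this example. $PASS_HOSTS is
# the custom variable the slides suggest for hosts that change often.
VARIABLES = {
    "$EXTERNAL_NET": "!10.0.0.0/8",
    "$HOME_NET": "10.0.0.0/8",
    "$FILE_DATA_PORTS": "80,443",
    "$PASS_HOSTS": "10.2.2.3",
}

LOCAL_SID_BASE = 1_000_000  # FMC gives imported/created rules SIDs of 1,000,000+

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: str

    def sid(self) -> int:
        return int(re.search(r"\bsid:\s*(\d+)", self.options).group(1))

    def text(self) -> str:
        return (f"{self.action} {self.proto} {self.src} {self.sport} "
                f"{self.direction} {self.dst} {self.dport} ({self.options})")

def parse_rule(text: str) -> Rule:
    """Split a Snort 2 rule into its header fields and option string."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    return Rule(m["action"], m["proto"], m["src"], m["sport"],
                m["dir"], m["dst"], m["dport"], m["opts"])

def make_pass_rule(rule: Rule, new_dst: str, new_sid: int) -> Rule:
    """The slides' edit: action -> pass, narrow the destination, save as a new local SID."""
    if new_sid < LOCAL_SID_BASE:
        raise ValueError("local rules get SIDs of 1,000,000 or above")
    opts = re.sub(r"\bsid:\s*\d+", f"sid:{new_sid}", rule.options)
    return replace(rule, action="pass", dst=new_dst, options=opts)

def _expand(token: str) -> str:
    return VARIABLES.get(token, token)

def _net_matches(token: str, ip: str) -> bool:
    token = _expand(token)
    if token == "any":
        return True
    negated = token.startswith("!")
    nets = token.lstrip("!").strip("[]").split(",")
    hit = any(ip_address(ip) in ip_network(n, strict=False) for n in nets)
    return hit != negated

def _port_matches(token: str, port: int) -> bool:
    token = _expand(token)
    return token == "any" or any(port == int(p) for p in token.strip("[]").split(","))

def rule_matches(rule: Rule, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    if rule.proto not in (proto, "ip"):
        return False
    forward = (_net_matches(rule.src, src) and _port_matches(rule.sport, sport)
               and _net_matches(rule.dst, dst) and _port_matches(rule.dport, dport))
    if rule.direction == "->":
        return forward
    reverse = (_net_matches(rule.src, dst) and _port_matches(rule.sport, dport)
               and _net_matches(rule.dst, src) and _port_matches(rule.dport, sport))
    return forward or reverse

def evaluate(rules, packet):
    """Pass rules are processed first; the first matching rule decides the verdict."""
    ordered = sorted(rules, key=lambda r: 0 if r.action == "pass" else 1)
    for r in ordered:
        if rule_matches(r, *packet):
            return r.action, r.sid()
    return "no-match", None

if __name__ == "__main__":
    original = parse_rule(ORIGINAL_RULE)
    pass_rule = make_pass_rule(original, "$PASS_HOSTS", LOCAL_SID_BASE + 1)
    print(pass_rule.text())
    # 198.51.100.7 is a constructed external server address (TEST-NET-2).
    for pkt in [("tcp", "198.51.100.7", 443, "10.2.2.3", 51000),
                ("tcp", "198.51.100.7", 443, "10.5.5.5", 51000)]:
        print(pkt, "->", evaluate([original, pass_rule], pkt))
```

Because $PASS_HOSTS is expanded at match time rather than baked into the header, adding another host means editing one variable value instead of touching the rule again, which is the point of the custom-variable slide. The evaluator is deliberately minimal: it only models header matching and pass-before-alert ordering, not the rule options that the real SID 40134 rule uses.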
Where To Go Next
Support Documentation
Cisco’s Support Page

Find the Appliances You Have

Here is an example of the documents available for the 9300 series appliance

Download the Correct FMC User Guide

The User Guide is called the ‘Configuration Guide’

Download the guide that matches the version you are currently using!

This is officially the FMC user guide, but it really is your user guide for everything Firepower including the devices you are managing!

Understand Your Managed Devices
‘Classic’ refers to the 7000/8000, NGIPSv, and the ASA/FP module

‘Firepower Threat Defense’ refers to FTD, which would be the 2100/4100/9000, FTDv, and ASA 5500-X (if reimaged as FTD)

Product Updates Perspective
Remember there are two software types available!

Classic: 5.4, 6.0, 6.0.1, 6.1, 6.2, 6.2.1, 6.2.2, 6.2.3
FTD: 6.0, 6.0.1, 6.1, 6.2, 6.2.1, 6.2.2, 6.2.3, 6.3, 6.4

FTD software updates have significant new features available since it is bringing over ASA features!

We Offer Cisco Firepower Training!
Official Cisco Training for Firepower, SNORT
Rule writing, AMP for Endpoints, and more!
Offered In-Person and Virtually.

Just ask me for more information!

Link to trainings: https://learninglocator.cloudapps.cisco.com – and search for Firepower

Do you have the winning number?

Cisco Press books are 20% off this week at the Cisco Store!

Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

Continue your education

Demos in the Cisco campus
Walk-in labs
Meet the engineer
Related sessions
1:1 meetings

Thank you
