31 Comments

  1. lammle
    April 13, 2019 @ 1:32 pm

    If you do set the Security Over Connectivity IPS policy, you should match the NAP with the same policy! I’ll cover that in another blog.


  2. Sam Marshall
    April 14, 2019 @ 1:18 pm

    Great post!! Thanks Todd!!


    • lammle
      April 28, 2019 @ 3:52 pm

      Thank you, Sam!


  3. Lalit Teotia
    April 25, 2019 @ 11:37 pm

    That was really awesome…
    We are using Balanced Security and Connectivity with Firepower Recommendations enabled. Could you please advise which custom IPS rules (apart from the ones enabled by default) we should enable in a production environment?


    • lammle
      April 26, 2019 @ 6:58 am

      I’d have to look at your network and understand your application flow before that can be decided.


      • lammle
        April 28, 2019 @ 3:53 pm

        I think that if you turned on Security over Connectivity, you’d get more events so you can tune your IPS policy faster and more efficiently for your network.


        • lalitteotia1234@gmail.com
          May 8, 2019 @ 6:51 am

          Thank you for your reply. We can try this to fine-tune our IPS rules.


  4. Ismael
    April 29, 2019 @ 10:58 am

    Thanks for sharing. Great post.
    I will probably test the “maximum detection” on my vFTD before configuring it on four Firepower 4120s. I just wonder if I will hit high CPU usage with this conf.


    • lammle
      April 29, 2019 @ 11:53 am

      Depends on your user data amount. The maximum doesn’t turn on as many rules as I will! :)


  5. evan
    April 29, 2019 @ 3:27 pm

    Hey Todd, do you advise turning on 134:1:1 to report on aborted connections? I turned it on for a week and am finding that it’s great for learning some stuff, but I’m not going to leave it on permanently.


    • lammle
      April 29, 2019 @ 3:58 pm

      Thanks for the heads-up, Evan. I’ll turn that on in class this week and get some feedback!


      • lammle
        May 15, 2019 @ 3:32 am

        Evan, I don’t get many events with this. What applications did you use to get this to trigger?


  6. Marty
    May 10, 2019 @ 10:10 am

    I am confused by this article. In the past I have always seen:

    Connectivity over Security: ~ 500 Rules
    • CVSS Score of 10
    • Age of Vulnerability: 2 years and newer

    Balanced: ~ 7200 Rules
    • CVSS Score of 9 or greater
    • Age of Vulnerability: 2 years and newer
    • Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit

    Security over Connectivity: ~ 10000 Rules
    • CVSS Score of 8 or greater
    • Age of Vulnerability: 3 years and newer
    • Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit, App-detect

    Is this still the case? How does this tie in with what you are stating? I have been helping our NOSC personnel with the FMC, I just want to make sure I am telling them and management the right info.


    • lammle
      May 10, 2019 @ 10:51 am

      So these change every week.
      Can you tell me where you are seeing this CVSS score on a Cisco-authored IPS policy?
      My article is showing how they choose rules, and it is based solely on overhead. However, you can change a rule’s overhead, which they may or may not do…
      The sOC is about 500 rules as you state, and this rarely changes. The BSAC is about 9k rules now, the SOC is about 15k rules, and the new Maximum Detection is about 28k rules on with the latest updates.


    • lammle
      May 10, 2019 @ 1:56 pm

      Marty, I found it. That was from a Cisco internal technote. However, that note is from 2014 and is not valid any longer. It doesn’t work that way now. They said they were going to update that document since it is 5 years old now!!


      • Marty
        May 12, 2019 @ 9:10 am

        Ok, that’s good to know. I actually got that information from a Cisco Live presentation I watched not so long ago. I was fairly comfortable with them basing recommendations on CVSS scores; I need to think about this new method. Thank you for your time, I appreciate your explanation.


        • lammle
          May 12, 2019 @ 9:24 am

          So I talked to Talos after your first post, and they said they were going to update that document. They’ll probably have it at Cisco Live, I imagine….


    • lammle
      May 15, 2019 @ 3:34 am

      Cisco updated the document; even though the balanced policy information isn’t accurate, they needed to make this clear. I’ll be updating a video blog on this:
      https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214405-what-are-the-metrics-used-to-determine-t.html
      They are also going to rename the overhead folders to the names of the policies, as I suggested in this blog, to make it clearer… glad that they are starting to document and let us know how this works internally.


  7. shaktavist
    August 15, 2019 @ 3:46 am

    When looking at Firepower recommendations, do you recommend checking the option ‘Accept Recommendations to Disable Rules’?


    • Todd Lammle
      August 15, 2019 @ 8:23 am

      No, because I never recommend using Firepower recommendations. You need to tune the IPS policy yourself and make it more efficient. Firepower recommendations are for people that would never log in to their system all year long….


  8. Brett
    August 19, 2019 @ 8:47 pm

    We have a 5506-X managed by a virtual FMC. I noticed that I have the default settings of Balanced Security and Connectivity with drop when inline checked. I was going to modify this to Security over Connectivity. If I do that, should drop inline be checked? It sounds like I should leave it unchecked for a while. Small network, <30 users.


    • Todd Lammle
      August 19, 2019 @ 8:51 pm

      Take off the drop while inline for 2-5 days and see what would have been dropped, and then tune out the ones that shouldn’t be. Won’t be much with your small network, but you need to do this!! Let me know how I can help.
      Todd


      • Brett
        August 21, 2019 @ 2:06 pm

        Before I changed to SOC, I noticed a malware-cnc event (SID 37215) occurred while still on BSAC with drop when inline checked. This event is set to drop and create event with BSAC. However, the inline result was “would have dropped”. Do you know why the event was not dropped?


        • Todd Lammle
          August 21, 2019 @ 2:14 pm

          Two reasons it didn’t drop:
          1. It didn’t receive the whole file in time, so it “would have dropped” had it received the full file.
          2. It hit another IPS policy in a rule that is set to not drop while inline.

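As an added example, not code from the thread, from Todd, or from Cisco: a small Python script that supports the tuning procedure Todd describes above (run without drop-when-inline for a few days, then review which rules would have dropped traffic before turning the drop back on). It rolls up exported intrusion events per rule, lists the rules that repeatedly reported “Would have dropped”, and separately flags rules that show both “Dropped” and “Would have dropped”, the pattern in Brett’s question. The CSV column names and every SID except 37215 are constructed for this example and do not follow the product’s exact export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows, loosely modelled on an FMC intrusion-event table
# export. Column names and the SIDs 1000001-1000003 are assumptions made for
# this example; 37215 is the SID mentioned in the thread.
SAMPLE_EVENTS = """\
time,gid,sid,message,inline_result,src_ip,dst_ip
2019-08-20 10:01:03,1,37215,MALWARE-CNC constructed sample,Would have dropped,10.0.0.5,203.0.113.7
2019-08-20 11:14:22,1,37215,MALWARE-CNC constructed sample,Would have dropped,10.0.0.9,203.0.113.7
2019-08-20 15:40:10,1,37215,MALWARE-CNC constructed sample,Would have dropped,10.0.0.5,203.0.113.7
2019-08-21 08:02:51,1,1000001,SERVER-WEBAPP constructed sample,Dropped,10.0.0.7,10.0.0.20
2019-08-21 08:03:07,1,1000001,SERVER-WEBAPP constructed sample,Would have dropped,10.0.0.7,10.0.0.20
2019-08-21 09:30:00,1,1000002,POLICY-OTHER constructed sample,Would have dropped,10.0.0.11,198.51.100.4
2019-08-21 12:12:12,3,1000003,FILE-OTHER constructed sample,Would have dropped,10.0.0.11,198.51.100.9
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts, one per intrusion event."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(events):
    """Roll events up per rule (gid:sid): how many were actually dropped, how
    many were only reported as 'Would have dropped', and how many distinct
    source addresses triggered the rule."""
    acc = defaultdict(lambda: {"dropped": 0, "would_have_dropped": 0,
                               "sources": set(), "message": ""})
    for ev in events:
        entry = acc[f"{ev['gid']}:{ev['sid']}"]
        entry["message"] = ev["message"]
        entry["sources"].add(ev["src_ip"])
        result = ev["inline_result"].strip().lower()
        if result == "dropped":
            entry["dropped"] += 1
        elif result == "would have dropped":
            entry["would_have_dropped"] += 1
    # Freeze the source sets into counts so the summary is plain data.
    return {rule: {"dropped": e["dropped"],
                   "would_have_dropped": e["would_have_dropped"],
                   "sources": len(e["sources"]),
                   "message": e["message"]}
            for rule, e in acc.items()}


def review_list(summary, min_hits=2):
    """Rules that would have dropped traffic at least min_hits times, most
    frequent first. These are the ones to confirm as real hits, or tune out,
    before re-enabling drop-when-inline."""
    hits = [(rule, s["would_have_dropped"], s["sources"])
            for rule, s in summary.items() if s["would_have_dropped"] >= min_hits]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def mixed_results(summary):
    """Rules reporting both 'Dropped' and 'Would have dropped'. Per the two
    explanations given in the thread, such events are worth checking for a
    partial-file verdict or for a second policy/rule not set to drop."""
    return sorted(rule for rule, s in summary.items()
                  if s["dropped"] and s["would_have_dropped"])


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_EVENTS))
    for rule, count, sources in review_list(summary):
        print(f"{rule}: would have dropped {count} time(s) from {sources} "
              f"source(s): {summary[rule]['message']}")
    print("rules with mixed inline results:", mixed_results(summary))
```

Point `parse_events` at a real table-view export and adjust the column names to match; the rollup and the two report functions do not depend on anything else about the format.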

  9. Brett
    August 21, 2019 @ 6:53 pm

    Understood. Must be reason 1 because I only have one IPS policy. Also, I’ve been running for 48 hours on SOC and have zero intrusion events. Can I assume at this point, I can re-enable drop when inline and keep an eye on the events for a few more days just to be sure nothing legitimate gets caught?


  10. Todd Lammle
    August 21, 2019 @ 7:01 pm

    I would! Seems okay at this point, just keep an eye on it.
    Thanks,
    Todd


    • Brett
      August 21, 2019 @ 7:22 pm

      I appreciate your help on this Todd. Thanks again.


      • Brett
        August 24, 2019 @ 3:59 pm

        Still no issues with IPS policy setup for SOC and drop when inline. However, I noticed on my Default ACL the default action at the bottom is BSAC. Should I change this to SOC as well?


        • Todd Lammle
          August 24, 2019 @ 4:02 pm

          Depends on what the rules are above. Most of mine are deny/deny/deny, some detailed permits, and then an allow any inside>outside, and then the default action is block all. If they are hitting your default action, then yes. You can see which rules are hit in Connection > Events > Table View.
