20 Comments

  1. lammle
    April 13, 2019 @ 1:32 pm

    If you do set the Security Over Connectivity IPS policy, you should match the NAP with the same policy! I’ll cover that in another blog.

    Reply

  2. Sam Marshall
    April 14, 2019 @ 1:18 pm

    Great post!! Thanks Todd!!

    Reply

    • lammle
      April 28, 2019 @ 3:52 pm

      Thank you, Sam!

      Reply

  3. Lalit Teotia
    April 25, 2019 @ 11:37 pm

    That was really awesome…
    We are using Balanced Security and Connectivity with Firepower Recommendations enabled. Could you please advise which custom IPS rules (apart from the default enabled ones) we should enable in a production environment?

    Reply

    • lammle
      April 26, 2019 @ 6:58 am

      I’d have to look at your network and understand your application flow before that can be decided.

      Reply

      • lammle
        April 28, 2019 @ 3:53 pm

        I think that if you turned on Security over Connectivity, you’d get more events so you can tune your IPS policy faster and more efficiently for your network.

        Reply

        • lalitteotia1234@gmail.com
          May 8, 2019 @ 6:51 am

          Thank you for your reply. We can try this to fine-tune our IPS rules.

          Reply

  4. Ismael
    April 29, 2019 @ 10:58 am

    Thanks for sharing. Great post!
    I will probably test the “maximum detection” on my vFTD before configuring it on four Firepower 4120s. I just wonder whether I will hit high CPU usage with this config.

    Reply

    • lammle
      April 29, 2019 @ 11:53 am

      It depends on your user data amount. The maximum doesn’t turn on as many rules as I will! 🙂

      Reply

  5. evan
    April 29, 2019 @ 3:27 pm

    Hey Todd, do you advise turning on 134:1:1 to report on aborted connections? I turned it on for a week and am finding that it’s great for learning some stuff, but I’m not going to leave it on permanently.

    Reply

    • lammle
      April 29, 2019 @ 3:58 pm

      Thanks for the heads-up, Evan. I’ll turn that on in class this week and get some feedback!

      Reply

      • lammle
        May 15, 2019 @ 3:32 am

        Evan, I don’t get many events with this. What applications did you use to get this to trigger?

        Reply

  6. Marty
    May 10, 2019 @ 10:10 am

    I am confused by this article. In the past I have always seen:

    Connectivity over Security: ~500 rules
    • CVSS score of 10
    • Age of vulnerability: 2 years and newer

    Balanced: ~7200 rules
    • CVSS score of 9 or greater
    • Age of vulnerability: 2 years and newer
    • Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit

    Security over Connectivity: ~10000 rules
    • CVSS score of 8 or greater
    • Age of vulnerability: 3 years and newer
    • Rule category equals Malware-CnC, blacklist, SQL Injection, Exploit-kit, App-detect

    Is this still the case? How does this tie in with what you are stating? I have been helping our NOSC personnel with the FMC, and I just want to make sure I am telling them and management the right info.

    Reply

    • lammle
      May 10, 2019 @ 10:51 am

      So these change every week.
      Can you tell me where you are seeing this CVSS score on a Cisco-authored IPS policy?
      My article is showing how they choose rules, and it is based solely on overhead. However, you can change a rule’s overhead, which they may or may not do…
      The CoS is about 500 rules as you state, and this rarely changes. The BSAC is about 9k rules now, the SOC is about 15k rules, and the new Maximum Detection is about 28k rules with the latest updates.

      Reply

    • lammle
      May 10, 2019 @ 1:56 pm

      Marty, I found it. That was from a Cisco internal technote. However, that note is from 2014 and not valid any longer. It doesn’t work that way now. They said they were going to update that document since it is 5 years old now!!

      Reply

      • Marty
        May 12, 2019 @ 9:10 am

        Ok, that’s good to know. I actually got that information from a Cisco Live presentation I watched not so long ago. I was fairly comfortable with them basing recommendations on CVSS scores; I need to think about this new method. Thank you for the time, I appreciate your explanation.

        Reply

        • lammle
          May 12, 2019 @ 9:24 am

          So I talked to Talos after your first post, and they said they were going to update that document. Probably will have it at Cisco Live I imagine….

          Reply

    • lammle
      May 15, 2019 @ 3:34 am

      Cisco updated the document; even though the balanced policy information isn’t accurate, they needed to make this clear. I’ll be updating a video blog on this:
      https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214405-what-are-the-metrics-used-to-determine-t.html
      They are also going to rename the overhead folders to the names of the policies, as I suggested in this blog, to make it clearer. Glad that they are starting to document and let us know how this works internally.

      Reply
