SEC0173 - ASA FirePower IPS Basic (Part 1)
Category:
Security
The video walks you through the basic configuration of an Intrusion Policy on Cisco ASA FirePower. We begin by explaining the significance of the Variable Set, the concept of the Base Policy, and the various settings in an Intrusion Rule. We then adjust some Intrusion Rule settings, including Threshold, Suppression, and Dynamic State, and observe how they affect the rule's behavior, using the ICMP Reply Undefined Code rule as our example.
Part 1 of this video covers the Variable Set, Intrusion Policy configuration, and rule setting modifications.
Topic:
- Variable Set
- Intrusion Policy (Passive VS Inline)
- Intrusion Base Policy
- Intrusion Rule
- Intrusion Rule Settings
  - Rule State
  - Event Filtering with Threshold and Suppression
  - Dynamic State
  - Alerting
  - Comment
- ICMP Reply Undefined Code Rule
- Intrusion Policy Association to Access Control Rule
- Wireshark Packet Capture
5 comments
IPS
Hi Metha,
Suppose that I configure the following policy: will the IPS function audit and act only on the traffic redirected to the module as configured?
class-map SFR
 match access-list SFR
policy-map global_policy
 class SFR
  sfr fail-open
access-list SFR extended permit tcp any any eq http
access-list SFR extended permit tcp any any eq https
tks
IPS
That is correct. You can use an ACL to select which traffic gets sent to SFR.
Tks, so for example if an attacker tries a specific exploit for port 8080 from outside, the IPS will not audit and block?
IPS
Correct, since traffic on TCP/8080 was never sent to SFR.
OK, tks!!
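
The inspection gap discussed in the comments above can be checked mechanically. The following is an added example, not part of the video, the lab, or any commenter's post: it reads the redirect ACL from the configuration as posted and reports which flows would reach the FirePOWER module. The function names are hypothetical, and the parser is deliberately simplified to `any any` entries with an optional `eq` port.

```python
import re

# Config as posted in the comment thread above (names and ports unchanged).
ASA_CONFIG = """\
access-list SFR extended permit tcp any any eq http
access-list SFR extended permit tcp any any eq https
class-map SFR
 match access-list SFR
policy-map global_policy
 class SFR
  sfr fail-open
"""

# Port keywords used in the config; numeric ports are also accepted.
PORT_NAMES = {"http": 80, "www": 80, "https": 443}

# Assumption: only "any any" ACEs with an optional "eq <port>" are handled.
ACE_RE = re.compile(
    r"^access-list (\S+) extended (permit|deny) (\S+) any any(?: eq (\S+))?$"
)

def parse_aces(config, acl_name):
    """Return ordered (action, protocol, port-or-None) entries for one ACL."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            port = m.group(4)
            if port is not None:
                port = PORT_NAMES.get(port) or int(port)
            aces.append((m.group(2), m.group(3), port))
    return aces

def redirected_to_sfr(config, acl_name, protocol, dst_port):
    """First matching ACE decides; no match means the flow skips the module."""
    for action, ace_proto, ace_port in parse_aces(config, acl_name):
        if ace_proto in (protocol, "ip") and ace_port in (None, dst_port):
            return action == "permit"
    return False

def coverage_report(config, acl_name, flows):
    """Map each (protocol, port) flow to True if FirePOWER would see it."""
    return {flow: redirected_to_sfr(config, acl_name, *flow) for flow in flows}

if __name__ == "__main__":
    flows = [("tcp", 80), ("tcp", 443), ("tcp", 8080)]
    for flow, seen in coverage_report(ASA_CONFIG, "SFR", flows).items():
        print(flow, "inspected" if seen else "NOT inspected")
```

Running it against the posted configuration flags TCP/8080 as not inspected, which matches the answer given in the thread.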