You are here
SEC0173 - ASA FirePower IPS Basic (Part 2)
Difficulty Level:
Lab Document:
<Please login to see the content>
Category:
Security
The video walks you through basic configuration of Intrusion Policy on Cisco ASA FirePower. We begin by explaining significance of the use of Variable Set, the concept of Base Policy, and various settings in an Intrusion Rule. We will adjust some of an Intrusion Rule settings including, Threshold, Suppression, and Dynamic State, and observe how they effect the rule behavior using ICMP Reply Undefined Code rule as our example.
Part 2 of this video goes through validation of our modified intrusion rule with an ICMP packet generation tool
Topic:
- Variable Set
- Intrusion Policy (Passive VS Inline)
- Intrusion Base Policy
- Intrusion Rule
-
Intrusion Rule Settings
- Rule State
- Event Filterting with Threshold and Suppression
- Dynamic State
- Alerting
- Comment
- ICMP Reply Undefined Code Rule
- Intrusion Policy Association to Access Control Rule
- Wireshark Packet Capture
4 comments
Access Control default Policy
You changed the Default ACL- Network discovery only to Intrusion prevetion. What happens to the discovery, keeps happening?
and What's the best best practice to create a Access Control with IPS, file inspection and layer7? all together... I'm going to do the layer 3/4 in ASA appliance.
Access Control default Policy
Correct, Discovery process happen as long as there are matches to the defined subnets. For the best practices, we would say use ASA to perform basic L3/L4 filtering and only use FP for application layer filtering to aviod putting unnecessary load on the FP.
icmp type 0 not hitting on ASA
Hi ,
I initiated NPING according to your video but icmp-type 0 doesn't hit in ASA ACL hence FireSIGHT can't see it as event whereas initiated icmp-type 8 successfully .... So even tried icmp-type 14 ( timestamp reply ) or type 18 ( address mask reply ) but these pings dont appeared as hit count on ASA interface .I have got permit ip any any as ACL ....so should I need to setup on ASA to let my reply packet go through then only I would recieve back as unreachable and signature will trigger as intrusion event ...
icmp type 0 not hitting on ASA
The packet should definitely hit the inbound ACL on the ASA first. Also make sure you remove the 'inspect icmp'. Since you said icmp echo works so your NAT and routing should be correct.