View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

Home » Security » SEC0173 - ASA FirePower IPS Basic (Part 2)

SEC0173 - ASA FirePower IPS Basic (Part 2)

Rating: 
5
Average: 5 (3 votes)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
Category: 
Security
The video walks you through basic configuration of Intrusion Policy on Cisco ASA FirePower. We begin by explaining significance of the use of Variable Set, the concept of Base Policy, and various settings in an Intrusion Rule. We will adjust some of an Intrusion Rule settings including, Threshold, Suppression, and Dynamic State, and observe how they effect the rule behavior using ICMP Reply Undefined Code rule as our example.
 
Part 2 of this video goes through validation of our modified intrusion rule with an ICMP packet generation tool
 
Topic:
  • Variable Set
  • Intrusion Policy (Passive VS Inline)
  • Intrusion Base Policy
  • Intrusion Rule
  • Intrusion Rule Settings
    • Rule State
    • Event Filterting with Threshold and Suppression
    • Dynamic State
    • Alerting
    • Comment
  • ICMP Reply Undefined Code Rule
  • Intrusion Policy Association to Access Control Rule
  • Wireshark Packet Capture
Tag: 
asa
firepower
sourcefire
ngfw
firesight
wireshark
ngips
ips
intrusion
variable set

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.
http://www.linkedin.com/in/methachiewanichakorn

4 comments

Submitted by andrey on Thu, 10/08/2015 - 10:13

You changed the Default ACL- Network discovery only to Intrusion prevetion. What happens to the discovery, keeps happening?

and What's the best best practice to create a Access Control with IPS, file inspection and layer7? all together... I'm going to do the layer 3/4 in ASA appliance.

Submitted by admin on Sun, 10/11/2015 - 23:04

Correct, Discovery process happen as long as there are matches to the defined subnets. For the best practices, we would say use ASA to perform basic L3/L4 filtering and only use FP for application layer filtering to aviod putting unnecessary load on the FP.

Submitted by alijamal77@hotm... on Wed, 11/25/2015 - 08:43

Hi ,
I initiated NPING according to your video but icmp-type 0 doesn't hit in ASA ACL hence FireSIGHT can't see it as event whereas initiated icmp-type 8 successfully .... So even tried icmp-type 14 ( timestamp reply ) or type 18 ( address mask reply ) but these pings dont appeared as hit count on ASA interface .I have got permit ip any any as ACL ....so should I need to setup on ASA to let my reply packet go through then only I would recieve back as unreachable and signature will trigger as intrusion event ...

Submitted by admin on Tue, 12/01/2015 - 00:58

The packet should definitely hit the inbound ACL on the ASA first. Also make sure you remove the 'inspect icmp'. Since you said icmp echo works so your NAT and routing should be correct.