Cisco Defense Orchestrator

Configure Firepower Custom IPS Policies

Before you create or modify a custom IPS policy for your Firepower Threat Defense (FTD) device in CDO, be sure to read the Custom IPS Device Requirements.

At this time, CDO does not support custom IPS rules. You can create and modify custom IPS policies with rules that are provided by Talos, but you cannot create your own IPS rules and apply them to custom IPS policies. 

Note: You cannot delete or reorder the rules within a custom IPS policy's rule group. 

Create a Custom IPS Policy

Use the following procedure to create a new custom IPS policy with the IPS rules provided by Talos:

  1. From the CDO Navigation pane, click Policies.
  2. Select Intrusion Policies.
  3. Click the blue plus button.
  4. Expand the drop-down menu of the Base Template and select the desired template for your policy. The templates you can choose from are as follows:
  • Maximum Detection - These policies are built for networks where network infrastructure security is given even more emphasis than is given by the Security Over Connectivity policies, with the potential for even greater operational impact.
  • Security Over Connectivity - These policies are built for networks where network infrastructure security takes precedence over user convenience. The intrusion policy enables numerous network anomaly intrusion rules that could alert on or drop legitimate traffic.
  • Balanced Security and Connectivity - These policies are built for both speed and detection. Used together, they serve as a good starting point for most networks and deployment types. 
  • Connectivity Over Security - These policies are built for networks where connectivity, the ability to get to all resources, takes precedence over network infrastructure security. Only the most critical rules that block traffic are enabled.
  • No Rules Active - The rules included in the policy are disabled by default.

Tip! The Maximum Detection base template requires a considerable amount of memory and CPU to work effectively. CDO recommends deploying IPS policies using this template to models such as the 2100, 4100, or FTD virtual.

  5. Enter a Name for the policy.

Note: We strongly recommend using a name that is unique and different from the default base templates. If you ever need to troubleshoot your IPS policy, Cisco TAC can easily locate the custom policy and revert to a default policy; this keeps your network protected without losing your customized changes.

  6. (Optional) Enter a Description for the policy.
  7. Select the IPS Mode:
  • Prevention - If a connection matches an intrusion rule whose action is to drop traffic, the connection is actively blocked.
  • Detection - If a connection matches an intrusion rule whose action is to drop traffic, the action result becomes Would Have Blocked and no action is taken.
  8. Click Save.


What's Next?

Add your IPS policy to an FTD access control rule. See Custom IPS Policy in an FTD Access Control Rule for more information. 

We recommend scheduling database updates to automatically update the SRU database on the devices associated to these custom IPS policies. 


Edit a Custom IPS Policy

You can edit an existing IPS policy if you onboarded an FTD device that already has an IPS policy, if you created the policy in FDM and CDO read it from the deployed configuration, or if you just created a new IPS policy in CDO.

Use the following procedure to modify an existing custom IPS policy:

  1. From the CDO Navigation pane, click Policies.
  2. Select Intrusion Policies.
  3. Identify the IPS policy you want to edit. Click Edit.
  4. At the top of the page, click the edit icon.
  5. Edit any of the following fields:
  • Base Template
  • Name
  • Description
  • IPS Mode
  6. Click Save.
  7. Review and deploy now the changes you made, or wait and deploy multiple changes at once.

Edit Rule Groups in a Custom IPS Policy

Note: Changes made to a rule group's security level are submitted immediately and cannot be reverted. You do not have to click Save to submit security level modifications. To undo such a change, you must manually set the security level back.

You can override the default action of a rule within a rule group. Use the following procedure to edit the rules contained within the rule group:

  1. From the CDO Navigation pane, click Policies.
  2. Select Intrusion Policies.
  3. Identify the IPS policy you want to edit. Click Edit.
  4. From the Rule Group tab located to the left, expand the desired rule group. From the expanded list, select the group. 
  5. Edit the rule group:
    1. Edit the Security Level of the entire rule group by selecting the security level bar. Manually drag the security level to the type of security you want applied to the entire rule group. Click Submit.
    2. Edit the Rule Action of an individual rule by expanding the rule's drop-down menu located to the right. 
    3. Edit the Rule Action of multiple rules by selecting the checkboxes of the desired rules and expanding the drop-down menu located above the table of rules. This selection impacts all selected rules.
    4. Edit the Rule Action of all the rules by selecting the checkbox in the title row of the table and expanding the drop-down menu located above the table of rules. This selection impacts all the rules in the rule group. 
  6. Click Save at the top of the policy page.

Review and deploy now the changes you made, or wait and deploy multiple changes at once. 
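The two behaviours this page describes, the IPS Mode chosen when creating the policy (Prevention blocks on a drop-rule match, Detection records Would Have Blocked and lets the connection through) and the per-rule action override from the rule group procedure above, can be modelled in a few lines. The following is an added illustration, not CDO or FTD code: the rule set, the sample HTTP payloads, the substring matching, and names such as IpsPolicy, evaluate and override are all constructed for this example and do not correspond to any CDO or FTD API.

```python
"""Model of how a custom IPS policy's mode and per-rule action overrides
change the outcome of a rule match.  Added illustration, not CDO/FTD code:
rules, traffic and class/function names are constructed for the example."""
from collections import Counter
from dataclasses import dataclass

# Rule actions as the policy editor exposes them: drop, alert, or disabled.
DROP, ALERT, DISABLED = "drop", "alert", "disabled"
PREVENTION, DETECTION = "Prevention", "Detection"


@dataclass(frozen=True)
class IpsRule:
    sid: int        # rule identifier (constructed values below)
    pattern: str    # substring the rule matches on (a simplification)
    action: str     # DROP, ALERT or DISABLED


@dataclass(frozen=True)
class IpsPolicy:
    name: str
    mode: str       # PREVENTION or DETECTION
    rules: tuple

    def evaluate(self, payload: str) -> str:
        """Outcome of inspecting one connection's payload.

        Prevention: a matching drop rule blocks the connection.
        Detection: the same match is recorded as 'Would Have Blocked' and
        the connection is allowed through.  Alert rules only log in either
        mode; disabled rules are skipped entirely.
        """
        for rule in self.rules:
            if rule.action == DISABLED or rule.pattern not in payload:
                continue
            if rule.action == DROP:
                return "Blocked" if self.mode == PREVENTION else "Would Have Blocked"
            return "Alert"
        return "Allowed"

    def override(self, sid: int, action: str) -> "IpsPolicy":
        """Copy of the policy with one rule's action overridden (the per-rule edit)."""
        rules = tuple(IpsRule(r.sid, r.pattern, action) if r.sid == sid else r
                      for r in self.rules)
        return IpsPolicy(self.name, self.mode, rules)


# Constructed rule set and traffic sample for the demonstration.
RULES = (
    IpsRule(1001, "cmd.exe", DROP),
    IpsRule(1002, "../../", DROP),
    IpsRule(1003, "User-Agent: scanner", ALERT),
    IpsRule(1004, "SELECT ", DISABLED),   # off by default, like a No Rules Active template
)
TRAFFIC = (
    "GET /cgi-bin/cmd.exe HTTP/1.1",
    "GET /files/../../etc/passwd HTTP/1.1",
    "GET / HTTP/1.1\r\nUser-Agent: scanner",
    "POST /api HTTP/1.1\r\nSELECT * FROM users",
    "GET /index.html HTTP/1.1",
)


def summarize(policy: IpsPolicy, traffic=TRAFFIC) -> dict:
    """Count outcomes over a traffic sample, e.g. to compare the two modes."""
    return dict(Counter(policy.evaluate(p) for p in traffic))


if __name__ == "__main__":
    for mode in (PREVENTION, DETECTION):
        policy = IpsPolicy("custom-web", mode, RULES)
        print(mode, summarize(policy))
        print(mode, "with sid 1004 set to drop:",
              summarize(policy.override(1004, DROP)))
```

Running a policy in Detection mode over the same traffic yields the same matches as Prevention but turns every Blocked into Would Have Blocked, which is the useful way to measure how many legitimate connections a Security Over Connectivity or Maximum Detection template would drop before switching the policy to Prevention.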

Delete a Custom IPS policy

Use the following procedure to delete a custom IPS policy from CDO: 

  1. From the CDO Navigation pane, click Policies.
  2. Select Intrusion Policies.
  3. Identify the IPS policy you want to delete. Click Delete.
  4. Click OK to delete the policy.
  5. Review and deploy now the changes you made, or wait and deploy multiple changes at once.
