Skip to main content

 

 

Cisco Defense Orchestrator

Custom Firepower Intrusion Prevention System Policy

About Custom IPS Policies

With the introduction of the improved Snort 3 processing engine in Firepower Version 6.7 and later, you can create and customize Intrusion Prevention System (IPS) policies using rules provided by the Cisco Talos Intelligence Group (Talos). The best practice is to create your own policy based on the provided Talos policy templates and change that if you need to adjust rule actions. 

Some Talos rules are directly associated with a CVE vulnerability. You can manually search the list of provided rules for a specific CVE to discover which rules were added and determine whether you want to add those to a custom IPS policy. 

Custom IPS policies are dependent on Snort 3 being enabled on your FTD device. If an ASA is running Verison 6.7 or later, you 

For more information about Snort 3, supported devices and software, and any limitations, see Upgrade to Snort 3.0

IPS Policy Base Template

The base templates include the same list of intrusion rules (also known as signatures), but they differ in the actions taken for each rule. For example, a rule might be enabled in one policy, but disabled in another policy. For another example, you may find that a particular rule is giving you too many false positives, where the rule is blocking traffic that you do not want blocked; you can disable the rule without needing to switch to a less-secure intrusion policy. You could alternatively change it to alert on matches without dropping traffic.

Warning: We strongly recommend creating a custom IPS policy based on the templates below instead of modifying the base layer of templates mentioned below. If you need to troubleshoot your policies, Cisco TAC can easily revert to a default base template without losing your customized changes. 

As new vulnerabilities become known, Talos releases intrusion rule updates. These rule updates can modify any Cisco-provided network analysis or intrusion policy, and may provide new and updated intrusion rules and preprocessor rules that are automatically applies to existing rules and policy settings. Rule updates might also delete rules from the existing template bases and provide new rule categories, as well as modify the default variable set. 

The base templates provided are suggested configurations based on the type of protection your network might need. You can use any of the following templates as the base when you create a new policy:

  • Maximum Detection - These policies are built for networks where network infrastructure security is given even more emphasis than is given by the Security Over Connectivity policies, with the potential for even greater operational impact.
  • Security Over Connectivity - These policies are built for networks where network infrastructure security takes precedence over user convenience. The intrusion policy enables numerous network anomaly intrusion rules that could alert on or drop legitimate traffic.
  • Balanced Security and Connectivity - These policies are built for both speed and detection. Used together, they serve as a good starting point for most networks and deployment types. 
  • Connectivity Over Security - These policies are built for networks where connectivity, the ability to get to all resources, takes precedence over network infrastructure security. Only the most critical rules that block traffic are enabled.
  • No Rules Active - The rules included in the policy are disabled by default.

Tip! The Maximum Detection base template requires a considerable amount of memory and CPU to work effectively. CDO recommends deploying IPS policies using this template to models such as the 2100, 4100, or FTD virtual.

IPS Policy Mode

By default, all intrusion policies operate in Prevention mode to implement an IPS. In the Prevention inspection mode, if a connection matches an intrusion rule whose action is to drop traffic, the connection is actively blocked.

If you instead want to test the effect of the intrusion policy on your network, you can change the mode to Detection, which implements an Intrusion Detection System (IDS). In this inspection mode, drop rules are treat like alert rules, where you are notified of matching connections, but the action result becomes Would Have Blocked, and connections are never in fact blocked.

IPS Rule Group Security Level

CDO allows you to modify the security level of the rule groups included in your policy. Note that this security level is applied to all the rules in the rule group and not to individual rules. 

Note: Changes made a rule group's security level are automatically submitted and cannot be reverted. You do not have to click Save to submit security level modifications. You must manually change the security level back. 

IPS Rule Action

Modify the actions of an individual rule or multiple rules within a rule group at any time. IPS rules can be set as the following options:

  • Disabled—Do not match traffic against this rule. No events are generated.

  • Alert— Create an event when this rule matches traffic, but do not drop the connection.

  • Drop— Create an event when this rule matches traffic, and also drop the connection.

FTD Templates and Custom IPS Policy

Templates derived from a device with Snort 3 enabled can only be applied to devices that also have Snort 3 enabled. Due to the variability in rules supported and processed by Snort 2 and Snort 3, a template configured with Snort 3 cannot fully support and protect a device configured with Snort 2. See Switching from Snort 2 to Snort 3 for more information.  

If you happen to use the ASA Migration tool to create an FTD template from an ASA configuration, we strongly recommend not configuring, or un-configuring any IPS policies. ASA devices do not support the Snort engine and migrating IPS policies from an ASA configuration to an FTD configuration may cause issues. If you do use the ASA migration tool, we recommend creating custom IPS policies for the device after creating and deploying the template. 

See FTD Templates for more information about templates. 

FTD Rulesets and Custom IPS Policy

Rulesets are not yet support on devices configured for Snort 3. The following limitations apply:

  • You cannot attach rulesets to Snort 3-enabled devices.
  • You cannot create a ruleset from an existing device that has Snort 3 installed. 
  • You cannot associate a custom IPS policy to a ruleset. 

Device Configuration Requirements

You can view the available IPS policies from the Intrusion policies page, but you cannot create or modify custom IPS policies without the following prerequisites:

Device Support

Custom IPS policies are only supported on the following device types:

  • FTD 1000 series
  • FTD 2100 series
  • FTD 4100 series
  • FTDv
  • FTDv with AWS
  • FTDv with Azure
  • FTD templates
Software Support

Devices must be running at least FTD Version 6.7 and later with Snort 3. To find out what version of Firepower and Snort engine your device is running, locate and select the device on the Devices & Services page and look at the Device Details

If your device is running a version prior to 6.7, upgrade your device to at least Version 6.7. See Upgrade an FTD for more information. 

If your device is running Version with Snort 2, upgrade your device to Snort 3. See Upgrade to Snort 3.0 for more information.

Note:  Some intrusion rules in Snort 2.0 might not exist in Snort 3.0. See Switching from Snort 2 to Snort 3 for more information. 

 

Related Articles:

  • Was this article helpful?