Firepower IPS Tuning

Captions
Welcome back. In this video I'm going to discuss Firepower IPS tuning a little bit. By no means is this going to be an all-inclusive video series on Firepower, the reason being that I'm actually helping develop a course for Firepower with Pluralsight, and the first one should be out today. There's also a really good Firepower course that exists on there as well by Martin Brown, and that one explains what an AC policy is, what the intrusion policy is, kind of jumping into it for the first time, so I don't want to go over the basics. This video idea actually spawned from a customer who wanted to know more about how to optimize their rules, so I wanted to dig into the actual intrusion policy and explain the logic and some of the things that you can do with it.

With that being said, I'm going to be looking at my lab, which has one existing intrusion policy, and that's applied to the existing access control policy. I'm going to show you some of the different things you can do with the rules here. When you first create an access control policy and an intrusion policy, you have the option to create a base policy; that's the layer that goes at the bottom, and you can tune things above that. So right now the existing policy... actually, let me go back really quick. I'm going to go back to my intrusion policy and create a new one just so you can see what that looks like. When you create a policy (don't mind that), you have the option to create a base policy, and that base policy can be one of a couple of different policies that are provided by the Firepower system. The rules that are in those policies are managed by Talos, which is Cisco's security intelligence unit. So I'm just going to go ahead and name this "security demo intrusion 2"; it's just going to be a second policy set, and when I'm actually digging into the policy layers later in this video you'll see why I created this. Let's go ahead and check "drop when inline". If you check that, it means that it can actually drop the packets when an event happens, if you have a rule that's set to drop on an event. So let's go ahead and create and edit this policy. I'll save it afterwards; we're not going to actually edit from here, because this isn't the one that's assigned to my firewall in my lab, but it's just to show you what this looks like.

As you can see here, the base policy of Balanced Security and Connectivity has 10,338 rules enabled: 94 of those are set to generate events and 10,244 to drop and generate events. So let's say I care more about connectivity over security instead of the balance, and I just want everything to go as fast as possible and inspect less. We can go ahead and change that base policy. As you can see, the only thing that changes with that is the enabled rules, so just give it one moment. One thing to also note is that these enabled rules can change when you do an update of the SRUs, so when Talos issues an update and you download it, that can affect this base policy. Sorry if you hear a car zoom by in the background. As you can see here, now the policy has 507 enabled rules, so it's much less. We're just going to go back to Balanced Security and Connectivity, and I'm going to commit the changes and save this. We're going to ignore this for half of this video, but we will come back to it, because I'll show you what I mean when we dig into a configuration a little bit later. So we'll commit this change, don't need to leave a description, and we're going to edit the existing policy that's currently applied to my FTD firewall.

Okay, so this is the policy that's currently assigned to my FTD firewall. Right now it's very basic: it's got the Balanced policy and nothing else. A couple of things I want to go over really quickly with you: you can actually dig into what the rules are and search for rule configuration based on state. As far as the state is concerned, which ones do I have currently configured for drop and generate, which ones are disabled, which ones are configured to generate events; this little filter thing on the left here is really useful for that. If you've used Firepower recommendations you can actually filter by the recommendations. I'm not using recommendations right now, but we will shortly. If you wanted to look at thresholds, you can look at how it's configured for thresholds and suppression. If I wanted to dig into something very specific (let me clear this filter really quickly), like a specific SID, I can actually look it up by number, or if I wanted to just search for something in the name of the actual intrusion rule, I can do a search for ICMP and see everything that's got ICMP set up. If I wanted to look at any rule that... let's find a good one really quickly, like maybe one of the recent rule updates. So here, if I wanted to see why this rule was created, why it's dropping traffic, what it's hoping to mitigate, I can highlight the rule and click "show details" to determine whether this is something that I want to enable or not. If I've already enabled it, or there's a rule or anything configured for it, I can actually see if there's anything additional that I configured. So in this case, if I scroll down here, you see the actual raw Snort rule, which, if you can read that, that's awesome. You can also see references like rule documentation that'll take you to third-party sites: this one's the Snort site, this one SecurityFocus, the CVE, and website references. So it gives you a little bit more detail about this rule and how it was created, if you need to dig in and say "hey, why is this rule important?" And if you want to see which Snort rule update this was downloaded on and when the download was done, let's say this is something that was applied to your base policy and you started seeing drops from it, you can see when those rules were downloaded. So with that being said, those are kind of the table stakes, like how to do a search for rules in here.

The next thing I want to explain before we move on is policy layers. Let me go ahead and bring my whiteboard up and talk about how policy layers present themselves. In an intrusion policy you start out with two things. You start out with a base policy, which is the one that you decide: it could be that prefilled Talos policy, or you could actually have an intrusion policy whose base policy is based off of another intrusion policy. So if you create a kind of golden intrusion policy, like this guy here, that you think is perfect, the minimum of what you want to be configured and protecting, when you create a new intrusion policy and apply it to a bunch of firewalls or IPS systems out there, you can go ahead and use that as your base, not just the pre-created ones that Talos created for you. The other thing that comes on Firepower is the "My Changes" layer. That's the one where any changes you make to rules will go by default. Based on that, for example, if the base policy says that SID 888 is set to block traffic and drop packets, but you decide to disable that rule up above at a higher level, you can go ahead and do so. The way that Firepower evaluates these rules is that it looks at the topmost layer first. So whether the SID is disabled, or defined as dropping traffic or generating events, it'll basically look at the first layer for that SID and make that decision based on that; if nothing's defined in that layer, then it goes and looks back at each layer underneath. So by default you have these two layers that are set up: My Changes and Base Policy.

When you do a Snort rule update, the Snort rule update pushes the policy updates to the base policy only. Depending on which base policy you have, certain new changes could be set to block, could be disabled, or could be just generating events, depending on which base policy you have set up. But there's a way to test those things out. If you don't want to just have it apply to that base policy, or if you want to evaluate that by testing it first, there's a way to do that, and I'm going to show you in this video.

The other thing is that Firepower has the ability to make recommendations based off of the network discovery data that it sees moving through your network. So if you have Windows XP and Windows 7 machines in there, it'll look at the real-life traffic going through Firepower and say: these are the types of devices you have out there, here are the versions that we think these devices are running, and these are the vulnerabilities that we see based on those versions and the OS and the applications, so here are the rules that we recommend to enable. That's a good way to make recommended policy changes based off of what's actually being seen in your environment. For example, if you don't have any Linux hosts in there, there's no reason to have a bunch of rules enabled that look at Linux traffic or Linux vulnerabilities.

When it comes to policy layers, you can edit everything above here. Oh, hold on just a moment, I'm going to have to pause my video because my cat started meowing in the background, so I need to put them out for a second. So everything above Firepower recommendations and the base policy can be configured; you can add as many layers as you want, and I'll show you as we're configuring here how this would be useful. When it comes to the Firepower recommendations and the base policy, you can't directly alter those, but as I explained before, you don't really need to, because if there's something here that you don't like that's enabled or not enabled, you can go ahead and make changes to these top layers, and those rules are going to be evaluated first.

With that being said, there's another thing you can create. When you create layers, you can actually put a little marker on one that says it's a shared layer, if you want to have one layer that you can use between different intrusion policies. When you mark it as a shared layer, you can use it in other intrusion policies, but the only problem with this is that when you need to make a change to a shared layer, you can't do it in the policy that it's being shared to; like right here, it becomes uneditable. You have to actually do it in the original policy where you created it. So it's not as useful as one would think, and honestly I don't see many people in production doing it this way. Usually what they prefer is, if you wanted to create a policy that you could use between different intrusion policies, what you could do is just create a golden template policy over here. So this is like
your golden template, and it could have your base policy or your base layer plus the custom things that you want to change, the My Changes. Then, instead of using one of the predefined Talos policies or starting out with no rules, what you can do is just use your golden template as the base policy, and it would use the Talos recommendations that you prefer to use plus the custom changes. That's just an easier way to share between different policies, and it's a lot easier to manage, because the only thing you need to keep track of is that golden template. You don't need to figure out where that shared layer came from and which policy you have to configure to change it; it's all neatly organized somewhere else.

So with that being said, let's go ahead and dig into this policy configuration really quickly. Bear in mind I do this mostly in one take, so I'm not doing a lot of editing here; I'm just going to show you some of the tricks and tips for optimizing this policy a little bit more. So here, this is a fresh config. Here's my base policy, and it's the Balanced Security rules. In this case we can see everything that's here, but I can't make any changes to it because it's the base policy. Then we've got My Changes above, where I can actually make changes to any of the rules here. I'm going to hide these details, and I can make changes: I can change the rule state and do other things.

Now, when it comes to the Firepower recommendations, we can also add those here. The customer that I'm specifically making this video for (but I'm also sharing it for the world to see) wanted to potentially use Firepower recommendations, but he didn't want to just apply them first and God knows what happens. So I wanted to show how to use things like Snort rule updates and Firepower rule recommendations and how to test them out first, so to speak. When you go to Firepower recommendations, you can go to advanced settings and define whether there are only certain networks or subnets that you want to create recommendations for; maybe it's your user subnet, or maybe it's only server subnets, but I'm going to just leave it blank. You can decide which rule recommendations, like how much overhead you want to potentially have on these rules; I'm just going to max it out and say "generate and use recommendations". It gives me a summary of which rules are enabled and disabled, and it's going to create a new policy layer here, which you'll see shortly. Let me just pull up my pen on this guy. Right here we're going to see a new policy layer being created, and again, like I said before, you can't actually make changes to that policy layer, so we're going to have to get a little creative on how we're going to test out these recommendations. Just give it a minute while it goes through the host data and the vulnerability data and determines what recommendations we should be using.

All right, so now we see there are 105 rules that have been set to generate events based on the recommendations, 461 rules set to drop and generate events, and then 335,777 rules were set to disabled. So what if, before we have our environment blocking rules, we want to test these out and see how accurate they are, or whether there are a lot of false positives? How do we test that? Because we can't make any changes to the Firepower recommendations; you're just kind of stuck, it's all grayed out. Well, the answer would be in policy layers. If I wanted to test out the new Firepower recommendations, I would click on policy layers and then click Add Layer. This is going to be "Firepower recommendations test", and remember, 461 rules were recommended to block; that's the number that we're going to keep in mind when we're creating this, because you're going to see exactly how I do this. So I go into the rules, and again I can just see all rules if I wanted to, I can go to rule content, I can do searches based on names or SIDs, but in this case I'm going to go to recommendations and go for everything that was recommended to drop and generate events. One thing you'll notice when you're using layers is you can see when a rule has been set above or below; in this case we see that these rules have been set below this layer and they've been set to drop and generate events. Since this layer is above Firepower recommendations, I'm going to go ahead and change this to generate events. Since this layer is above Firepower recommendations, it will override those changes below, and you see it set 461 rules, the exact amount, because they're the exact rules from the Firepower recommendations.

So let's say you apply this and you wait a week. You've checked to make sure that there aren't a lot of false positives, there aren't a lot of false negatives, you're liking how these rules are working. Do you just keep this layer forever? No. The truth is you would not keep this forever, because every time there are recommendations or new updates this can get you tons more layers going. So there's a cool way to merge these with My Changes. All you'd have to do is see this button right here that says "merge this layer down"; it will combine the rules down with My Changes and override My Changes for those 461 rules. As you see here, it flattens the layer and condenses it to one. Also, the thing about My Changes: you can change the name of this if you don't like it, right here, it's not an issue.

There are certain detections you can also do on here. Another thing, if I wanted to test out... I'll show you how to use these rules that override rules. Here's a cool one you can do. There's some general testing you can do, like for example sensitive data detection. That's where we can test whether certain information is sent in clear text, and not only clear text: if you wanted to have decryption on Firepower looking for certain numbers, you can also do that too. Sensitive data detection is like a poor man's DLP; that's the best way I can phrase it, because it's looking for common PHI and PII information, private information like credit card numbers, email addresses, phone numbers, social security numbers with and without dashes, and it looks for it in certain protocol data. You can change that as well, but I'm just keeping this at the default. You have to first enable this, and then you have to enable the rule inside of Firepower. So in this case I'm going to test this and show you how it looks when we do this. The threshold is going to be one number, because I'm going for triggering the rule. By default it obscures everything except the last four numbers of the credit card or social security number; I'm going to uncheck that, and that basically means it's going to actually show it in the packet data. So don't try this at home or in production, because if you do that you might be farming social security numbers and credit card numbers, and there might be some legal ramifications. So first we enable it, and then we have to enable the Snort rules that are specific to this, so in this case "sensitive data". I've tested this enough times to know, so I'm going to go ahead and create a rule basically saying generate events from this.

Just so you can see, these are some of the different rules you can create, or certain settings for this policy layer. You can have a global rule threshold, so you only alert X amount of times when a rule is violated in X amount of time, like one time in 60 seconds, if you only want one event in 60 seconds instead of maxing out your logs. I think the global threshold rule by default is one count for every 16 seconds, and it's tracking by destination, but I'm not going to futz with that, just showing you what that is. You can actually specify certain SNMP alerting and syslog alerting; you can do it by policy layer or you can do global configuration. So if you did this, you can go ahead and wait for it to enable, and you can configure the actual SNMP server. Again, I'm going to go back to disable because I'm not going to configure that, but first you would enable the external responses, and you can also enable it by rule once you define what that is. So once I've defined what my SNMP or syslog server is, I can add an SNMP alert for when that specific rule is triggered.

Now with that being said, let's go ahead and commit these changes and apply it to my firewall, and then I'm going to try to trigger the alert for social security numbers. I have a fake social security number sitting in a text file on an FTP server. I'm not going to even bother with decrypting; I'm just going to get it from clear text and show what it looks like from a Firepower intrusion rule. All right, now that that's deployed, let's go ahead and pull up our FTP browser and trigger this rule. So let's go over here real quick. I deleted all the existing events before, because I wanted this to be clean. So I'm going to go to the FTP server, browse to it through clear text, and pull up the social security numbers. Oh no, bad. So let's go ahead and refresh this window, and we should see that pulling up now. If we drill down, one was with dashes and one without dashes; as you can see here, I've hit both rules. If I want to dig down to the actual clear-text packet I can go ahead and do so, and that's where you can see where it can be a little dangerous if you don't do the masking, because you could pretty much farm social security numbers or credit cards this way. So let's go ahead and see the plaintext packet text. So yeah, those are my fake social security numbers right there. Just bear in mind when you're doing that, that's something important to be cognizant of.

So let's go back to my events really quickly, and I'm going to go ahead and delete those events, and let's go back to the policy as well. I'm going to delete these because it's not really important; I just wanted to show you the importance of, if you use sensitive data detection and you want to mask that, it's probably a good idea. So let's go back to the policy, and I'm going to create a policy layer above the one that we just created, and in that policy layer I'm going to disable the rule for sensitive data detection. You'll see that since that layer is above this layer, it overrides, for that specific rule, whatever the policy is in my My Changes layer. So let's go to policy layers and we'll add a layer; this is going to be "no sensitive data protection". The only thing I'm going to change here is I'm just going to disable those two rules that we have. Might as well also clear my cache out so it's not giving me the same cached data as before; I want to make this a nice clean test. "Sensitive data": in this case we're just going to go ahead and disable these rules. As you can see, it is configured below, but we're going to go ahead and just disable them in this policy layer. I'm going to click commit to commit these changes, and then we'll deploy it. All right, now that that's
deployed, let's go back. We've deleted all of our intrusion events, so I'm going to try this test again. And again, remember we have a layer under My Changes that basically says detect an event on this, but then we have a layer above with the same rules disabled. So what's going to happen? Are we going to get a detection based off this or not? So now our fake social security numbers have come up, and let's see what happens. No detection this time. Now that's because the policy layers above supersede anything below as far as the specific rules are concerned. By the way, it doesn't mean that if you create a policy layer above and you only enable or disable two rules, all the other rules you've created below are not used. It just doesn't use those rules; it doesn't look for those rules on the policy layers below, just the ones that you specifically define.

So going back into this intrusion policy, I'm going to talk about how we can look at the Snort rule updates, and based on that we can create a policy layer looking at what changes, and test those instead of just relying on the default. When you do a Snort rule update, and the way you see where you update those is if you go to System > Updates, there's a way to update and apply these rules regularly. I have them set to look daily at 3:00 a.m. and deploy the updated rules. But when those are deployed, they're deployed to this guy right here, and depending on which default base policy you have, some of those could be enabled, some of them might not be, but it's really dependent upon that. So let's say you want to get a little bit more specific on what you want to have defined; maybe there's something where you don't want to just trust whatever this base policy is. So let's go ahead and take a look. I'm going to just delete this really quickly and set these sensitive data rules back on My Changes, because I'm not really worried about that; actually, I'll just leave it as is. So let's say we add a layer, and this is going to be "SRU updates for 3-12-19"; I think that was the last major update. So give me just a moment, and pardon me if you guys hear any noises in the background; there are a lot of cars coming through my street during the day, and I'm towards the front.

So we've created a new policy layer, and this policy layer is just blank as it is; everything that's defined is obviously below. So if we want to actually test out new updates, or we know that there is a Snort update that came through the other day, we can expand the side panel, go to rule updates, and we can see what was changed, and do a filter based off of whether or not it was set to disable or anything that was set to block. Since we care more about what's potentially blocking traffic, we could just go ahead and filter based off that and set these rules to just generate an alert, don't block anything; we don't want to go disrupt anything in the meantime. So we'll just change that to generate alert in this specific policy layer. If we want to look at what new rules were created, we could also glance down here; as you can see there are a lot of rules added. If I filter all of them, that's 1,258 rules, so that's kind of cool to check. Also, if we're in this view and you want to quickly change between layers, let's say we go to Firepower rule recommendations and we want to see the rule state for generate events. Sorry, I should have cleared my filter up here. So here's generate events, so we can see what's set in this policy layer. Hold on a second, I'm going to clear all filters; I just want to see everything raw really quickly. So we can see that these rules are set below, and let's see the ones that are set above. I'm going to try to find some good ones for you guys. Yeah, so these rules are set above this policy layer, so these ones will be accessed from a different policy layer.

So going back here, we've created an SRU update policy layer, and we've changed the policy rules that would have normally been blocked down here in the base layer; we changed them to just alert. That gives us a way to test this out before we commit to those changes from Balanced in the base policy, and once we're done with testing, we can either delete this policy layer and let the base policy take over, or we can change it to block and merge it with the policy layer below it.

The other thing I want to do is talk about some of the different things you guys can do with the actual rules themselves in a policy layer. So let's go to My Changes and rules and pick a rule. I actually noticed one I want to test out; this is going to be for just ICMP echo reply. Right now this rule is disabled in a policy layer below this; I'm going to change this state to generate events. So this is how you change a rule state in the policy layer you're in. There are a couple of different things you can do with it. Let's say, the way it's set right now, every time there's a ping or echo reply it's going to cause an intrusion rule to trigger. Let's say you still want to be alerted based off of this, but you don't want to be slammed with alerts. So you can create event filtering: you can suppress all events on the rule, but if it's set to block, it's still going to block. That's the danger of event filtering, just be aware: if the rule state is to drop packets, it's still going to do it, so be careful with the event filtering and do it in a logical way. Let's say I want to do a threshold. A threshold would be how many alerts we're going to get in a set amount of time. What a limit does is it gives you a maximum amount of events per time period, and a threshold would be, if a number of occurrences happen in a certain time period, that's just counted as one event. In this case I'm going to do a limit really quickly, and I'm going to set it to only allow five events for pings in five seconds; anything more than that, don't even log it. So that's a threshold; I'll demo that for you shortly. The other thing we can do, going back to threshold really quickly, you can see here you can also track by source or destination. So if there's one host that gets a lot of pings or is attacked often, you can track by that source host, or just keep it at destination, which is the default.

The other thing you can do is dynamic state. So maybe I don't care about one ping or one event, but I care if it's going to a specific source or destination host or destination network, like my server network, or I care if the source is coming from this network, or I just care about it being triggered a certain number of times based on a rule. So what we can do is change that rule state dynamically. Right now we have it set to just generate alerts, but let's say if it happens more than 50 times in ten seconds I want it to start dropping those events, and the timeout would be 60 seconds. So I'm going to set that, so it dynamically changes what's happening based on how many times it triggers in a certain period of time. We could also do the SNMP alerting; I'm not going to bother with that. And if you want to add a rule comment: "this is for my labbing video, delete when done". Click OK, and to see everything that we've done, highlight that rule, click show details, and we can see the threshold that we added, five, ten times in five seconds, and if the count is 50 times in ten seconds, go ahead and drop the events, and it times out after 60 seconds. There's my comment, and there are the rule references.

With that being said, I'm going to commit these changes and deploy that to Firepower, and then we're going to test this rule. I'm going to use a switch that's inside my LAN and ping something outside the firewall. All right, so that's deployed; now we're going to test this out. Let's go back to Analysis and Intrusion Events and make something happen. Okay, so we're going to ping the host on the outside, and we're going to ping it first twenty times, and we should only see about, I think, ten events, because that's what we set it to. So let's go. All right, so let's take a look at what happened over here. If everything worked correctly we should see ten events exactly, even though we pinged it twenty times. Yep, ten right there, perfect. The next thing we'll do is test the dynamic rule adjustment. So let's ping again, and we're going to do the same target IP address, and this time we're going to ping it a thousand times. That's going to get pretty busy quickly, and you're going to see it start dropping right there. So you see here, now it's starting to drop; it's now generating alerts and dropping based off that. If I sit back and walk away from the video and pause it for a second and speed this up, you'll see that after 60 seconds the pings will start going again, then stop again, just at that timeout rate. So I'm going to mute my sound and you'll watch this on a sped-up version inside the video I post. All right, I'm back. So as you can see here, there's a delay, and then it starts pinging again, and a delay as that rule times out.

So the last thing I'm going to walk through with you is the shared policy layers again. I was just going to give you an example of that and show how inefficient it is, and go back to that golden image idea. So give me a moment while I pull up my policy and create a shared policy between the two. Okay, so we're going to create another policy layer, and this is going to be just "shared policy test", and make sure that this is a shared policy layer; there's a little checkbox that I'll hit over here, "allow this policy to be used by other policies". We're just going to change one thing on here; just grab the first thing and say drop and generate events. Okay, so I'm going to commit the changes and save this, and I'll go over to my other intrusion policy to show you how I could use that. So once again we'll expand policy layers, and we can click Add Shared Policy Layer, and there's our shared policy layer from our other policy. Click OK to add that, and one thing you'll notice is that under the rules I can't make any changes. So you have to keep an eye on where that policy originally originated from, where you have it configured, in order to make any changes to it. That's why I don't like using shared policy layers: it gets a little messy, especially if you have, let's say, an intrusion policy for edge firewalls, an intrusion policy for data center, an intrusion policy for branch. If you have a lot of different intrusion policies, keeping track of where that shared policy is is kind of a pain in the butt, to be honest.

So the best way to do this, in my honest opinion, is to use a golden template. I want to create a policy that's "golden template intrusion", and in this I'll have my base policy that I like to use, and then I'll create the policy layers that I know every single intrusion policy I have is going to need. So whether there are custom ones that you want to test out, or maybe you're going to add your Snort rule updates after you've tested them onto this golden policy, this is what I would use. So give it a moment while it creates that policy for me. And here I can go in and add layer one, layers one through eight, right; we'll have our one layer here. We can create as many layers as we want for this and define the policies, but this is going to be our golden template, the minimum configuration that we need on all firewalls. So we commit those changes, and instead of applying this template specifically to an access control policy, we could replace our base policy with this golden template. So give it a moment while it loads that, and I'll show you how to do that. I'm going to go through here really quickly and remove our shared layer, because I should have cleaned that up a little bit to make it prettier, but let me do that while it's taking a moment. Oh perfect, I actually didn't save that, so that's perfect, and then I'll go over here and I'll just delete it in here. So now that I have that golden template, that can be my new base policy, and instead of having shared layers that
I have to kind of keep track of where that where it lives at the the original shared shared tab shared layer lives at now I have a golden policy it's just gonna be my new Paul new base policy and if I need to make any changes that applies to all of my intrusion policies I make sure that all my intrusion policy has are using the golden template as the base config and then I go and change that that golden template whenever I need to so that would be a like you know for example if you have let me pull up my whiteboard now I'm just gonna close delete all this so let's say you have 50 rules that need to be apply lat plus the bait the Talos based template that you need apply to all of your firewalls regardless of what zone they're in but each zone has their specific their specific rules that they need to have so like your east-west traffic inside of your data center might have specific rules that are that are that are more restrictive or less restrictive and then your baby your base ones might have different one so you might have like a data center intrusion policy intrusion policy you might have one for edge firewall and then you have one for maybe like branch locations so what you can do is each of these might have different policy like policies applied to it our specific policy layers that you want that are very custom and unique but you have you want to make sure that they all have these custom certain rules enabled plus the tallest based policy so you create that golden template and and you put that golden template as the base policy for everything so at least your minimum rules that you that everything needs to for compliance reasons or whatever else are applied to everything and then every all the layers above are just the stuff that needs to be done for that specific that's specific you know roll that those firewalls or IPS is our in so that being said that was kind of all the firewall optimization like intrusion prevention rule optimization I wanted to go 
through here I hope that answered a lot of questions when you're you know have the sound production and you're trying to do a little bit more than just having a base policy and how to kind of you know trim down and and suppress or filter some of those events so there we have there's one rule that's not you know very noise you can kind of suppress that a little bit more or if you have actually that's one thing I didn't I didn't show you the under the actual policy layers we're just gonna delete this the only other thing I didn't show you was under the policy are the rule configuration where you you filter suppression thresholds we did limit so it only allows you know ten alerts something like ten alerts forever every five seconds when a rule is triggered so if it happens fifty times it's only going to show actually ten it'll stop for the you know five seconds the other thing that we can do is under threshold instead of doing the having ten alerts in five seconds what we can do is say if it happens this many times in five seconds only only have one event showing in the intrusion log so it's another way to kind of trim down not necessarily false alerts but so you don't have 50,000 alerts for a off one for every packet and you're just getting more of a concern densed view so that being said I hope this actually you know answer some questions as far as firewall tuning event tuning things like that please feel free to check out my plural site course on FTD that's it should be published today and I plan on doing some more or Martin Browns as well he's really good and that can kind of get you the basics that's on Pluralsight with that thank you for watching and hopefully this was useful for you you I'm gonna go through here really quickly and remove our shared layer just because I I should have cleaned that up a little bit to make it prettier but let me go ahead and do that while more taking a moment Oh perfect I already actually didn't save that so that's perfect and then 
I'll go over here and I'll just delete it in here so now that I have that golden template now that can be my new base policy and instead of having shared layers that I have to kind of keep track of where that where it lives at the the original shared shared tab shared layer lives at now I have a golden policy it's just gonna be my new pal new base policy and if I need to make any changes that applies to all of my intrusion policies I make sure that all my intrusion policy has are using the golden template as the base config and then I go and change that that golden template whenever I need to so that would be a like you know for example if you have me pull up my whiteboard I'm just gonna close delete all this so let's say you have 50 rules that need to be a pools at plus the Bay the Talos based template that you need apply to all of your firewalls regardless of what zone they're in but each zone has their specific their specific rules that they need to have so like your east-west traffic inside of your data center might have specific rules that are that are that are more restrictive or less restrictive and then your baby your base ones might have different one so you might have like a data center intrusion policy intrusion policy you might have one for edge firewall and then you have one for maybe like branch locations so what you can do is each of these might have different policy like policies applied to it our specific policy layers that you want that are very custom and unique but you have you want to make sure that they all have these custom certain rules enabled plus the tallest base policy so you create that golden template and and you put that golden template as the base policy for everything so at least your minimum rules that you that everything needs to for compliance reasons or whatever else are applied to everything and then every all the layers above are just the stuff that needs to be done for that specific that's specific you know roll that those 
firewalls or IPS is our in so that being said that was kind of all the firewall optimization like intrusion prevention rule optimization I wanted to go through here I hope that answers a lot of questions when you're you know have the sound production and you're trying to do a little bit more than just having a base policy and how to kind of you know trim down and and suppress or filter some of those events so there we have there's one rule that's not you know very noise you can kind of suppress that a little bit more or if you have actually that's one thing I didn't I didn't show you the under the actual policy layers we're just going to delete this the only other thing I didn't show you was under the policy are the role configuration where you you filter suppression thresholds we did limit so it only allows you know ten alerts something like ten alerts forever every five seconds when a rule is triggered so if it happens fifty times it's only going to show actually ten it'll stop for the you know five seconds the other thing that we can do is under threshold instead of doing the do it having ten alerts in five seconds what we can do is say if it happens this many times in five seconds only only have one event showing in the intrusion log so it's another way to kind of trim down not necessarily false alerts but so you don't have 50,000 alerts for off one for every packet and you're just getting more of a canoe condensed view so that being said hope this actually you know answer some questions as far as firewall tuning event tuning things like that please feel free to check out my Pluralsight course on FTD that's it should be published today and I plan on doing some more or Martin Browns as well he's really good and that can kind of get you the basics that's on Pluralsight with that thank you for watching and hopefully this was useful for you
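The limit, threshold and dynamic-state behaviour described in the video, as an added example that is not part of the transcript and is not Cisco Firepower or Snort code: a small Python model that replays a constructed stream of ping-triggered rule hits through a Snort-style event filter (limit or threshold, tracked by source or destination) and a dynamic rule state (after a number of hits in a window, switch the rule to drop for a timeout, then revert). The 10-per-5-seconds limit and the 50-hits-in-10-seconds / 60-second-timeout dynamic state come from the video; the IP addresses, ping timings, class names and the sliding-window modelling of the dynamic state are assumptions made for this example.

```python
"""Model of IPS event filtering (limit / threshold) and dynamic rule state.

Added example, not Firepower or Snort code. All times are integer milliseconds
so the window arithmetic is exact; the ping stream below is constructed.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class EventFilter:
    """Snort-style event_filter.

    kind="limit":     log only the first `count` hits per `window_ms`, per tracked host.
    kind="threshold": log one event per `count` hits within `window_ms`.
    Filtering affects logging only; the rule action (alert/drop) still applies.
    """
    kind: str
    count: int
    window_ms: int
    track: str = "dst"                      # "src" or "dst"; destination is the default
    _state: dict = field(default_factory=dict, init=False, repr=False)

    def should_log(self, ts_ms, src, dst):
        key = src if self.track == "src" else dst
        start, n = self._state.get(key, (ts_ms, 0))
        if ts_ms - start >= self.window_ms:  # window expired, start a fresh one
            start, n = ts_ms, 0
        n += 1
        self._state[key] = (start, n)
        if self.kind == "limit":
            return n <= self.count
        if self.kind == "threshold":
            return n % self.count == 0
        raise ValueError(f"unknown filter kind {self.kind!r}")


@dataclass
class DynamicState:
    """Rate-based rule state change (Snort rate_filter / Firepower 'dynamic state').

    Once `count` hits arrive within `window_ms` for a tracked host, the action
    becomes `new_action` for `timeout_ms`, then reverts to the rule's base action.
    Modelled here with a sliding window (an assumption of this example).
    """
    count: int
    window_ms: int
    new_action: str
    timeout_ms: int
    track: str = "src"
    _hits: dict = field(default_factory=dict, init=False, repr=False)
    _active_until: dict = field(default_factory=dict, init=False, repr=False)

    def action(self, ts_ms, src, dst, base_action="alert"):
        key = src if self.track == "src" else dst
        until = self._active_until.get(key)
        if until is not None and ts_ms < until:
            return self.new_action                # timeout still running
        hits = self._hits.setdefault(key, deque())
        hits.append(ts_ms)
        while hits and ts_ms - hits[0] >= self.window_ms:
            hits.popleft()                        # forget hits older than the window
        if len(hits) >= self.count:
            self._active_until[key] = ts_ms + self.timeout_ms
            hits.clear()
            return self.new_action
        return base_action


def constructed_pings(n, interval_ms, src="10.0.0.5", dst="198.51.100.10", start_ms=0):
    """Constructed rule hits: one per echo request, evenly spaced (addresses are made up)."""
    return [(start_ms + i * interval_ms, src, dst) for i in range(n)]


def simulate(events, event_filter=None, dynamic_state=None):
    """Replay (ts_ms, src, dst) hits in time order; return what the IPS would do with them."""
    summary = {"hits": 0, "alert": 0, "drop": 0, "logged": 0}
    for ts_ms, src, dst in sorted(events):
        action = dynamic_state.action(ts_ms, src, dst) if dynamic_state else "alert"
        logged = event_filter.should_log(ts_ms, src, dst) if event_filter else True
        summary["hits"] += 1
        summary[action] = summary.get(action, 0) + 1
        summary["logged"] += logged
    return summary


if __name__ == "__main__":
    # 20 fast pings against the video's limit of 10 per 5 s: 20 hits, only 10 logged
    print(simulate(constructed_pings(20, 200), EventFilter("limit", 10, 5000)))
    # 1000 pings at 10/s with the dynamic state: alert until 50 hits land within 10 s,
    # drop for 60 s, alert again, drop again (the on/off pattern seen in the video)
    print(simulate(constructed_pings(1000, 100), EventFilter("limit", 10, 5000),
                   DynamicState(50, 10000, "drop", 60000)))
```

Switching `track` between `"src"` and `"dst"` on the filter shows the point made about tracking: two hosts pinging one destination share a single budget of logged events when tracked by destination, but each gets its own budget when tracked by source. The model also makes the warning about event filtering concrete: a hit that is not logged is still subject to the rule's action, so a dropped packet stays dropped whether or not it shows up in the intrusion events.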
Info
Channel: Katherine McNamara
Views: 16,399
Keywords: Cisco, Cisco Security, Firepower, FTD, Firewalls
Id: CxUKj_tkpU0
Length: 56min 45sec (3405 seconds)
Published: Tue Mar 19 2019