Custom Firepower Intrusion Prevention System Policy

About Custom IPS Policies

With the introduction of version 6.7, the improved Snort 3 processing engine allows you to create and customize Intrusion Prevention System (IPS) policies using rules provided by the Cisco Talos Intelligence Group (Talos). The best practice is to create your own policy based on the provided Talos policy templates and change that if you need to adjust rule actions.

Note

At this time, CDO does not support custom IPS rules. You can create and modify custom IPS policies with rules that are provided by Talos, but you cannot create your own IPS rules and apply them to custom IPS policies.


IPS Policy Base Template

The base templates include the same list of intrusion rules (also known as signatures), but they differ in the actions taken for each rule. For example, a rule might be enabled in one policy, but disabled in another policy. For another example, you may find that a particular rule is giving you too many false positives, where the rule is blocking traffic that you do not want blocked; you can disable the rule without needing to switch to a less-secure intrusion policy. You could alternatively change it to alert on matches without dropping traffic.


Caution

Do not modify the default IPS policies provided with an FDM-managed device enabled with Snort 3. We strongly recommend creating new custom IPS policies based on the templates below, using a unique name for each new policy that is different from the names of the default IPS policies listed below. If you need to troubleshoot your policies, Cisco TAC can easily locate the custom policy and revert to a default policy; this keeps your network protected without losing your customized changes.

The base templates provided are suggested configurations based on the type of protection your network might need. You can use any of the following templates as the base when you create a new policy:

  • Maximum Detection - These policies are built for networks where network infrastructure security is given even more emphasis than is given by the Security Over Connectivity policies, with the potential for even greater operational impact.

  • Security Over Connectivity - These policies are built for networks where network infrastructure security takes precedence over user convenience. The intrusion policy enables numerous network anomaly intrusion rules that could alert on or drop legitimate traffic.

  • Balanced Security and Connectivity - These policies are built for both speed and detection. Used together, they serve as a good starting point for most networks and deployment types.

  • Connectivity Over Security - These policies are built for networks where connectivity, the ability to get to all resources, takes precedence over network infrastructure security. Only the most critical rules that block traffic are enabled.

  • No Rules Active - The rules included in the policy are disabled by default.

Tip

The Maximum Detection base template requires a considerable amount of memory and CPU to work effectively. CDO recommends deploying IPS policies using this template to models such as the 2100, 4100, or virtual device.

As new vulnerabilities become known, Talos releases intrusion rule updates. These rule updates can modify any Cisco-provided network analysis or intrusion policy, and may provide new and updated intrusion rules and preprocessor rules that are automatically applied to existing rules and policy settings. Rule updates might also delete rules from the existing template bases and provide new rule categories, as well as modify the default variable set.

IPS Policy Mode

By default, all intrusion policies operate in Prevention mode to implement an IPS. In the Prevention inspection mode, if a connection matches an intrusion rule whose action is to drop traffic, the connection is actively blocked.

If you instead want to test the effect of the intrusion policy on your network, you can change the mode to Detection, which implements an Intrusion Detection System (IDS). In this inspection mode, drop rules are treated like alert rules: you are notified of matching connections, but the action result becomes Would Have Blocked, and connections are never in fact blocked.

IPS Rule Group Security Level

CDO allows you to modify the security level of the rule groups included in your policy. Note that this security level is applied to all the rules in the rule group and not to individual rules.

Note

Changes made to a rule group's security level are submitted automatically and cannot be reverted. You do not have to click Save to submit security level modifications. To undo a change, you must manually set the security level back.

IPS Rule Action

Modify the actions of an individual rule or multiple rules within a rule group at any time. IPS rules can be set as the following options:

  • Disabled—Do not match traffic against this rule. No events are generated.

  • Alert—Create an event when this rule matches traffic, but do not drop the connection.

  • Drop—Create an event when this rule matches traffic, and also drop the connection.
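The two sections above (policy mode and per-rule action) together decide what happens to a matching connection. The following added example is not part of the CDO documentation; it is a small Python model of that decision, with hypothetical rule ids (gid, sid) and constructed matches, so you can see how the Detection mode turns a Drop into a Would Have Blocked event and how changing one noisy rule to Alert stops it from blocking traffic without switching templates.

```python
from dataclasses import dataclass, field

# Rule actions as the page defines them.
DISABLED, ALERT, DROP = "disabled", "alert", "drop"
# Policy inspection modes: Prevention implements an IPS, Detection an IDS.
PREVENTION, DETECTION = "prevention", "detection"


@dataclass
class IpsPolicy:
    mode: str = PREVENTION
    # Per-rule action keyed by (gid, sid); rules not listed are treated as Disabled.
    actions: dict = field(default_factory=dict)

    def set_action(self, gid, sid, action):
        assert action in (DISABLED, ALERT, DROP), "unknown rule action"
        self.actions[(gid, sid)] = action


def evaluate(policy, matched_rules):
    """Return (connection_blocked, events) for one connection.

    matched_rules: list of (gid, sid) ids the traffic matched (constructed input).
    Each event is (gid, sid, result), where result is the value the event's
    action column would show: 'Alert', 'Blocked' or 'Would Have Blocked'.
    """
    events, blocked = [], False
    for rid in matched_rules:
        action = policy.actions.get(rid, DISABLED)
        if action == DISABLED:
            continue                                  # no match, no event
        if action == ALERT:
            events.append((*rid, "Alert"))            # event only, traffic passes
        elif policy.mode == PREVENTION:
            events.append((*rid, "Blocked"))          # drop rule in IPS mode
            blocked = True
        else:
            events.append((*rid, "Would Have Blocked"))  # drop rule in IDS mode
    return blocked, events


if __name__ == "__main__":
    policy = IpsPolicy()
    policy.set_action(1, 1000, DROP)    # hypothetical rule that blocks
    policy.set_action(1, 1001, ALERT)   # hypothetical rule that only alerts
    print(evaluate(policy, [(1, 1000), (1, 1001), (1, 1002)]))
    policy.mode = DETECTION             # test the policy without blocking
    print(evaluate(policy, [(1, 1000)]))
    policy.mode = PREVENTION
    policy.set_action(1, 1000, ALERT)   # tune a false positive: alert, don't drop
    print(evaluate(policy, [(1, 1000)]))
```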

FDM Templates and Custom IPS Policy

Templates derived from a device with Snort 3 enabled can only be applied to devices that also have Snort 3 enabled. Due to the variability in rules supported and processed by Snort 2 and Snort 3, a template configured with Snort 3 cannot fully support and protect a device configured with Snort 2. See Switching from Snort 2 to Snort 3 for more information.

If you use the ASA Migration tool to create an FDM template from an ASA configuration, we strongly recommend that you do not configure or unconfigure any IPS policies in that template. ASA devices do not support the Snort engine, and migrating IPS policies from an ASA configuration to an FDM-managed device configuration may cause issues. If you do use the ASA Migration tool, we recommend creating custom IPS policies for the device after creating and deploying the template.

See FDM Templates for more information about templates.

Rulesets and Custom IPS Policy

Rulesets are not yet supported on devices configured for Snort 3. The following limitations apply:

  • You cannot attach rulesets to Snort 3-enabled devices.

  • You cannot create a ruleset from an existing device that has Snort 3 installed.

  • You cannot associate a custom IPS policy to a ruleset.

Prerequisites

You can view the available IPS policies from the Intrusion policies page, but you cannot create or modify custom IPS policies without the following prerequisites:

Device Support

  • Firepower 1000 series

  • Firepower 2100 series

  • Firepower 4100 series

  • Threat Defense virtual with AWS

  • Threat Defense virtual with Azure

Software Support


Devices must be running at least version 6.7 and Snort 3.

If your device is running a version prior to 6.7, upgrade your device. See Upgrade an FDM-Managed Device for more information.

If your device is running version 6.7 with Snort 2, please note that some intrusion rules in Snort 2.0 might not exist in Snort 3.0. See Switching from Snort 2 to Snort 3 for more information.

Note

To find out which software version and Snort engine your device is running, locate and select the device on the Inventory page and look at the Device Details.