06-15-2021 08:28 AM - edited 06-15-2021 08:52 AM
Community,
I had a question regarding the Default Network Analysis Policy in the ACP Advanced tab and how it pertains to the Intrusion Policy used in the ACP ACL rule. It is my understanding that the Default Network Analysis Policy defined in the Advanced tab of the ACP is used for the preprocessing/normalization of traffic so that traffic can be further inspected by the Intrusion Policy defined in any ACP Rule. If this is correct, I have the following question:
-What if the ACP Rule inspection setting is using an intrusion policy that is not in line with the default network analysis policy? Example: The default NAP is Balanced Security and Connectivity but one or more ACP rules are using Security over Connectivity in the Inspection setting of the rule. How will this affect the performance?
I ask because I thought I read that it is best practice to use a NAP that is in line with the actual Intrusion Policy being used (Balanced Security and Connectivity NAP goes with Balanced Security and Connectivity Intrusion Policy) for example.
Or is it just best practice to use Intrusion Policies in all rules that are based on the same exact base policy (Balanced Security and Connectivity, for example) and use the complementing NAP as the Default NAP?
Any insights you can provide are greatly appreciated. Thank you.
06-15-2021 09:05 AM
The default NAP is rarely modified.
Most commonly we use the same Intrusion Policy and NAP across all three places where they are called out:
1. In the Advanced setting of the ACP (invoked BEFORE traffic matches a rule)
2. In the Inspection tab of an Access Rule (invoked WHEN the traffic matches a rule)
3. In the default action of the ACP (invoked when the traffic does NOT match any access rule). (Although with FTD this is usually moot as we generally make the default behavior to Block all traffic).
You might also have a look at the Cisco Live presentation "DGTL-BRKSEC-3300 Advanced Firepower IPS Deployment". There is a whole section on Network Analysis Policies there.
06-15-2021 10:29 AM
Marvin,
Thank you so much. As always, your explanations are expertly delivered. I really appreciate the link to the Cisco Live demo. I will be sure to watch it!
01-30-2023 09:11 AM
I'm running into a problem with a Network Analysis Policy with FMC 7.0. The policy is the default Balanced Security & Connectivity policy. No changes have been made to the Snort2 or Snort3 rules. When we enable IPS mode for the NAP, we have some remote printers that we can see from packet captures on the firewall are being partially blocked. I wasn't able to get a trace while we were troubleshooting. I have been trying to find something in the traffic logs that would show that the traffic is being dropped and what rule is causing it, but from what I'm reading, since the NAP is a pre-processor, those drops might not be logged. Is there any way I can find the rule that is causing the traffic to be dropped in the NAP?
We originally added an Intrusion rule to all rules in the firewall policy but set that rule to IDS mode. I then added a NAP rule to the advanced settings in the firewall policy, also set to IDS mode. When someone reported that printing had broken I switched the Intrusion rule back to IDS mode, but forgot to switch the NAP. It took a little while for me to remember to switch the NAP to IDS mode, but as soon as I did, the printing problem was fixed.
I need to find what rule in the NAP was impacting the printing, but 1) I can't find any log of the traffic being dropped, and 2) even if I turn IPS back on and do a trace from the CLI, which should give me the rule, I don't see in the NAP where the Snort rules are called out. Everything is just option buttons you can turn on or off. Let's say a trace says the drops are occurring because of rule 1:129:8; how do I know what rule that is in the NAP? I can find the rule numbers in the intrusion policy, but when you look at the Snort2 and Snort3 rules in the NAP, it's a completely different interface.