Author Topic: very few intrusion in firesight (Read 19609 times)

vivekkupekar · « **on:** August 19, 2015, 11:36:50 PM »

Hi All,

We have deployed ASA firepower with firesight. Right now we send a copy of all the ASA traffic to firepower module and using monitor only command. There are around 40 users at the site where firepower is deployed. We are using security over connectivity policy. Hence we are expecting that a large number of intrusion so that we can fine tune them.

However we see only 1 or 2 alerts in a week. In a similar type of deployment for IPS (2 years bacj) we had a lot of false positives which we tuned later.

Is is true that firepower generate very few alerts as it is more intelligent than IPS? or Do we have a mis configuration?

Thanks,
Vivek

MC · « **Reply #1 on:** August 20, 2015, 11:17:32 PM »

This is an interesting question. I don't think we can compare the amount of IPS event on FirePower to Cisco traditional IPS as they are two very different products and sets of signature. It is also possible that signatures that are relevant to your environment may be disabled by default in the base template and that's why it is usually recommended to run FireSight recommendation. If you are curious, since you are still in monitor-only, you can create a user layer and enable all signatures and see if you get more events and tune them down like you said.

vivekkupekar · « **Reply #2 on:** August 21, 2015, 12:12:13 PM »

Thanks for the reply, MC!

Let me check if creating a new policy with all signature enabled helps... I will keep you posted

Search

User Info

Author Topic: very few intrusion in firesight (Read 19609 times)

vivekkupekar

very few intrusion in firesight

MC

Re: very few intrusion in firesight

vivekkupekar

Re: very few intrusion in firesight

Related Topics