Lab Minutes Forum

Technical Discussion => Security => Topic started by: vivekkupekar on August 19, 2015, 11:36:50 PM

Title: very few intrusion in firesight
Post by: vivekkupekar on August 19, 2015, 11:36:50 PM
Hi All,

We have deployed ASA firepower with firesight. Right now we send a copy of all the ASA traffic to the firepower module using the monitor-only command. There are around 40 users at the site where firepower is deployed. We are using the security over connectivity policy. Hence we are expecting a large number of intrusions so that we can fine-tune them.

However, we see only 1 or 2 alerts in a week. In a similar type of deployment for IPS (2 years back) we had a lot of false positives which we tuned later.

Is it true that firepower generates very few alerts as it is more intelligent than IPS? Or do we have a misconfiguration?

Thanks,
Vivek
Title: Re: very few intrusion in firesight
Post by: MC on August 20, 2015, 11:17:32 PM
This is an interesting question. I don't think we can compare the amount of IPS events on FirePower to Cisco traditional IPS as they are two very different products and sets of signatures. It is also possible that signatures that are relevant to your environment may be disabled by default in the base template, and that's why it is usually recommended to run FireSight recommendation. If you are curious, since you are still in monitor-only, you can create a user layer and enable all signatures and see if you get more events and tune them down like you said.
Title: Re: very few intrusion in firesight
Post by: vivekkupekar on August 21, 2015, 12:12:13 PM
Thanks for the reply, MC!

Let me check if creating a new policy with all signatures enabled helps... I will keep you posted.