Hello,
I have some questions about IPS tuning on Cisco Firepower. (I have more experience on the Palo Alto side.)
What do you think about the Firepower Recommendations rules? Is anyone using them on a weekly basis to make changes?
I was thinking of doing layers like:
-Malware (every malware signature = drop and generate events)
-Exploit kit (every exploit kit signature = drop and generate events)
-SQL injection (every SQL injection signature = drop and generate events)
-Custom application
-FW recommendations (threshold on medium)
-Base policy
I think it can be messy to manage each signature manually in a big environment. You can have some custom ones, but for the rest, I believe the FW recommendations can add some value because they have the host map context (which protocol, application, ...).
What do you think?
Thanks
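As an added illustration of the layer stacking proposed in the question (this is example code written for this page, not from the original post and not Cisco's own code or API), the following Python model resolves a rule's effective state the way stacked intrusion policy layers do: layers are read top-down and the first layer that sets a non-inherit state wins, falling through to the base policy otherwise. The recommendations layer is a simplified model of Firepower Recommendations that marks a rule relevant when a host in the host map runs a matching service on a matching OS, skips rules whose overhead is above the chosen threshold, and optionally disables rules that match no host. All SIDs, categories, overhead labels, hosts and the "Custom application" pin are constructed sample data; the exact matching semantics are an assumption, not a description of the product. The second stack shows what happens when the recommendations layer is placed above the category layers.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    INHERIT = "inherit"    # layer says nothing; fall through to the next layer
    DISABLED = "disabled"
    GENERATE = "generate"  # generate events only
    DROP = "drop"          # drop and generate events


# Overhead ranks; "threshold on medium" is modelled as: rules ranked above
# medium get no recommendation and simply inherit (assumption).
OVERHEAD = {"low": 0, "medium": 1, "high": 2, "very high": 3}


@dataclass(frozen=True)
class Rule:
    sid: int
    category: str
    services: frozenset   # services the rule applies to (empty = any)
    target_os: frozenset  # target operating systems (empty = any)
    overhead: str


@dataclass(frozen=True)
class Host:
    ip: str
    os: str
    services: frozenset


@dataclass
class Layer:
    name: str
    states: dict  # sid -> State; a missing sid means INHERIT


def category_layer(name, rules, category, state):
    """One layer that pins every rule of a category to a single state."""
    return Layer(name, {r.sid: state for r in rules if r.category == category})


def recommendations_layer(rules, hosts, threshold="medium", disable_unmatched=True):
    """Toy model of FW recommendations driven by the host map (assumption)."""
    states = {}
    for r in rules:
        if OVERHEAD[r.overhead] > OVERHEAD[threshold]:
            continue  # above the threshold: no recommendation, rule inherits
        relevant = any(
            (not r.services or r.services & h.services)
            and (not r.target_os or h.os in r.target_os)
            for h in hosts
        )
        if relevant:
            states[r.sid] = State.GENERATE
        elif disable_unmatched:
            states[r.sid] = State.DISABLED
    return Layer("FW recommendations", states)


def resolve(sid, layers, base):
    """Walk the stack top-down; the first non-inherit state wins."""
    for layer in layers:
        s = layer.states.get(sid, State.INHERIT)
        if s is not State.INHERIT:
            return s, layer.name
    return base.get(sid, State.DISABLED), "Base policy"


def resolve_all(layers, base, rules):
    return {r.sid: resolve(r.sid, layers, base) for r in rules}


# Constructed sample rule set, host map and base policy (not real Talos SIDs).
RULES = [
    Rule(1001, "malware-cnc",   frozenset({"http"}),          frozenset(),          "low"),
    Rule(1002, "exploit-kit",   frozenset({"http"}),          frozenset(),          "medium"),
    Rule(1003, "sql-injection", frozenset({"http", "mysql"}), frozenset(),          "high"),
    Rule(1004, "server-iis",    frozenset({"http"}),          frozenset({"windows"}), "low"),
    Rule(1005, "os-linux",      frozenset({"ssh"}),           frozenset({"linux"}),   "low"),
    Rule(1006, "protocol-scada", frozenset({"modbus"}),       frozenset(),          "low"),
    Rule(1007, "server-apache", frozenset({"http"}),          frozenset({"linux"}),   "low"),
]
HOSTS = [
    Host("10.0.0.5", "windows", frozenset({"http"})),
    Host("10.0.0.9", "linux",   frozenset({"ssh"})),
]
BASE = {1001: State.GENERATE, 1002: State.GENERATE, 1003: State.DISABLED,
        1004: State.GENERATE, 1005: State.DISABLED, 1006: State.GENERATE,
        1007: State.GENERATE}


def proposed_stack():
    """The order from the question, top layer first."""
    return [
        category_layer("Malware", RULES, "malware-cnc", State.DROP),
        category_layer("Exploit kit", RULES, "exploit-kit", State.DROP),
        category_layer("SQL injection", RULES, "sql-injection", State.DROP),
        Layer("Custom application", {1006: State.GENERATE}),  # PLC not in host map
        recommendations_layer(RULES, HOSTS, threshold="medium"),
    ]


def misordered_stack():
    """Same layers with FW recommendations moved to the top."""
    stack = proposed_stack()
    return [stack[-1]] + stack[:-1]


if __name__ == "__main__":
    for name, stack in (("proposed", proposed_stack()), ("misordered", misordered_stack())):
        print(f"== {name} ==")
        for sid, (state, source) in resolve_all(stack, BASE, RULES).items():
            print(f"1:{sid}  {state.value:<9} via {source}")
```

With the proposed order the category layers keep their drop state regardless of what the recommendations say, the recommendations enable 1:1005 (disabled in the base policy, but a Linux SSH host exists) and disable 1:1007 (no Linux host serves HTTP), and the custom pin on 1:1006 survives. With the recommendations layer on top, the same host-map logic turns the malware and exploit kit rules from drop into generate-only and disables the pinned SCADA rule, which is why that layer belongs below the hand-maintained ones and why a "disable unmatched rules" option needs a complete host map.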