SEC0174 - ASA FirePower IPS Advance (Part 1)

The video takes you deeper into Intrusion Policy configuration on Cisco ASA FirePower as we use Policy Layer and FireSight Recommendation. Policy Layer provides configuration flexibility, while FireSight Recommendation assists you in determining the appropriate intrusion rules to enable or disable. We will also test our configuration by simulating attacks using the Metasploit vulnerability testing tool. The video will close by showing you how to set up intrusion event alerts and manage intrusion incidents.
 
Part 1 of this video goes through Intrusion Policy configuration using Policy Layer and starts looking into FireSight Recommendation.
 
Topic:
  • Intrusion Policy using Policy Layer
  • FireSight Recommendations
  • Metasploit Vulnerability Testing
  • Intrusion Event Management
  • Intrusion Event Alerting

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

2 comments

Hello

Thanks for your insightful video, but I have two questions:

• Is SourceFire blocking specific TCP flows, or ALL connections from a malicious source IP address?
• Can SourceFire extract the client IP address from the X-Forwarded-For HTTP request header in order to block flows based on the real client IP address instead of the NAT’ed IP address?

You can do both. Configure policy to block certain TCP and use Security Intelligence to block malicious destination. For the second question, a normal access policy would not be able to do it, so you will need to look deep into what's available in the IPS signature configuration and see if there is a field available. From what we know, it might not be possible, at least from the built-in fields on the GUI. You might be able to make it happen by writing your own Snort rule.