Securing Networks with Cisco Firepower: Enabling Traffic Inspection and Anomaly Detection

Enabling Traffic Inspection and Anomaly Detection

Question

An organization has implemented Cisco Firepower without IPS capabilities and now wants to enable inspection for their traffic.

They need to be able to detect protocol anomalies and utilize the Snort rule sets to detect malicious behavior.

How is this accomplished?

Answers

Explanations


D.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/fdm/fptd-fdm-config-guide-670/fptd-fdm-intrusion.html

Cisco Firepower is a comprehensive security solution that provides various capabilities such as firewall, intrusion prevention system (IPS), malware protection, and URL filtering, among others. In this scenario, the organization has already implemented Cisco Firepower without IPS capabilities, and they now want to enable inspection for their traffic.

To detect protocol anomalies and apply the Snort rule sets, the organization first modifies the access control policy so that interesting traffic is handed to the intrusion engine. In FDM this is done on an access control rule whose action is Allow: the rule's Intrusion Policy tab lets you attach an intrusion policy to the traffic that matches the rule. Rules with the Trust action forward traffic without any deep inspection, and Block rules drop it before inspection, so only Allow rules with an intrusion policy attached actually send packets to Snort. The inspection engine is always Snort; which Snort version (2 or 3) the device runs is a device-level setting, not a per-rule choice.

In addition to modifying the access control policy, the organization needs the intrusion policy to determine how aggressive inspection is, which is what the exam phrases as the minimum severity of an event to inspect. The intrusion policy decides which Snort rules are enabled and whether a match only generates an event or also drops the packet. In FDM you choose one of the system-defined Talos policies (Connectivity over Security, Balanced Security and Connectivity, Security over Connectivity, Maximum Detection), each enabling a progressively larger set of rules; with Snort 3 you can additionally override the action of individual rules. A more permissive base policy enables fewer rules and so produces fewer false positives, at the cost of detection coverage.

Lastly, the network analysis policy must process the packets for inspection. It controls the preprocessing stage that runs before the intrusion rules: how packets are decoded, defragmented and reassembled into streams, and the protocol inspectors (HTTP, DNS, SMB and so on) that normalize traffic and raise protocol anomaly events. Protocol anomaly detection therefore lives largely in the network analysis policy, while signature-based detection lives in the intrusion policy's Snort rules. Both must be in place: without correct reassembly and normalization the rule sets are evaluated against fragmented or evasively encoded data and miss what they should detect.

Overall, to enable inspection for traffic and detect protocol anomalies and malicious behavior using Snort rule sets, the organization needs to modify the access control policy to redirect interesting traffic to the IPS engine, configure the intrusion policy to determine the minimum severity level, and modify the network analysis policy to process the packets for inspection.
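As an added example (not code from Cisco or from the cited configuration guide), the Python script below audits an exported list of access control rules and reports which ones never reach the Snort engine: Trust rules, and Allow rules with no intrusion policy attached. The rule dictionaries mimic the shape of access rules returned by the FDM REST API (ruleAction, intrusionPolicy), but the field names are an assumption and the sample rules are constructed for this example.

```python
"""Offline audit: which access control rules actually send traffic to Snort?

Added example, not code from Cisco or the cited guide. The dict layout
(ruleAction, intrusionPolicy, name) is assumed to follow the FDM REST API
access-rule objects; the sample data below is constructed, not exported
from a real device.
"""
from __future__ import annotations

from dataclasses import dataclass

# Only an Allow rule (ruleAction PERMIT in the API) can carry an intrusion
# policy. TRUST forwards traffic with no deep inspection at all; DENY drops
# it before inspection, so neither ever reaches the Snort engine.
INSPECTABLE_ACTIONS = {"PERMIT"}
BYPASS_ACTIONS = {"TRUST"}
DROP_ACTIONS = {"DENY"}

# System-defined Talos base policies, from most permissive to most aggressive.
BASE_POLICIES = [
    "Connectivity over Security",
    "Balanced Security and Connectivity",
    "Security over Connectivity",
    "Maximum Detection",
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "high" or "info"
    message: str


def is_inspected(rule: dict) -> bool:
    """True if traffic matching this rule is handed to the Snort engine."""
    return rule.get("ruleAction") in INSPECTABLE_ACTIONS and bool(rule.get("intrusionPolicy"))


def audit_access_policy(rules: list[dict], default_action: dict) -> list[Finding]:
    """Return one Finding per rule (or default action) that bypasses inspection
    or that inspects with an unusually weak or aggressive base policy."""
    findings: list[Finding] = []
    entries = list(rules) + [dict(default_action, name="<default action>")]
    for rule in entries:
        name = rule.get("name", "<unnamed>")
        action = rule.get("ruleAction")
        policy = (rule.get("intrusionPolicy") or {}).get("name")
        if action in BYPASS_ACTIONS:
            findings.append(Finding(name, "high", "TRUST action bypasses intrusion inspection"))
        elif action in INSPECTABLE_ACTIONS and not policy:
            findings.append(Finding(name, "high", "Allow rule has no intrusion policy attached"))
        elif action in INSPECTABLE_ACTIONS and policy == BASE_POLICIES[0]:
            findings.append(Finding(name, "info", "weakest base policy; few rules enabled"))
        elif action in INSPECTABLE_ACTIONS and policy == BASE_POLICIES[-1]:
            findings.append(Finding(name, "info", "Maximum Detection; expect more false positives"))
        # DENY rules and Allow rules with a mid-range base policy need no finding.
    return findings


def inspected_rule_names(rules: list[dict]) -> list[str]:
    """Names of rules whose matching traffic is actually inspected by Snort."""
    return [r["name"] for r in rules if is_inspected(r)]


# Constructed sample access control policy (not from a real device).
SAMPLE_RULES = [
    {"name": "Web-In", "ruleAction": "PERMIT",
     "intrusionPolicy": {"name": "Balanced Security and Connectivity", "type": "intrusionpolicy"}},
    {"name": "Backup-Trust", "ruleAction": "TRUST"},
    {"name": "Legacy-Allow", "ruleAction": "PERMIT"},
    {"name": "Block-Bad", "ruleAction": "DENY"},
    {"name": "DMZ-Max", "ruleAction": "PERMIT",
     "intrusionPolicy": {"name": "Maximum Detection", "type": "intrusionpolicy"}},
]
SAMPLE_DEFAULT_ACTION = {"ruleAction": "DENY"}

if __name__ == "__main__":
    for f in audit_access_policy(SAMPLE_RULES, SAMPLE_DEFAULT_ACTION):
        print(f"[{f.severity}] {f.rule}: {f.message}")
    print("inspected:", inspected_rule_names(SAMPLE_RULES))
```

Run it against a JSON export of your own policy to see at a glance which rules the Snort engine will never see; any Trust rule matching untrusted traffic, and any Allow rule without an intrusion policy, is a gap in the inspection the organization set out to enable.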