Let’s start by answering that question, and then I’ll circle back to how a Cisco FTD 9300 was brought to it’s knees (Never seen that before!), and how I solved this customers issues.Lastly, what about my customer in Ohio and the 9300 that was brought to its knees? Yes, once we moved the IPS policy to a base of Security over Connectivity, we found the problems they were having quickly. The IPS events started triggering about 6000 hits a minute after we deployed, and the CPU on the 9300 spiked to over 80% as it was trying to process all the IPS events. That’s a LOT of high overhead events to do that to a 9300! The FTD 9300 was no longer passing data…wow, not only have I never seen this, I’ve never even heard of this!
After we were able to do some analysis on the new IPS events (which got to over 100,000 in just a few minutes!), I had to verify these weren’t false positives and then find the culprits. Drilling down, we found that their entire server farm was infested heavily with CnC’s, and only the High Overhead rules found these CnC’s. Those attacks were so well drilled into these servers, they each had thousands of connections, which would explain the bandwidth issue! We immediately started blacklisting these servers and the CPU percentage dropped to less than 10%, and the bandwidth saturation went from 80% to less than 20%!I had to perform troubleshooting of management traffic exchanged between IPS module in ASA5525-X and management station. I had some communication problems resulting in denied traffic on firewall placed in between (and it’s not the ASA itself). The best option is always sniffing packet headers on either end, as I had no possibility to do it on management station IPS was the next option.
As much as IPS software is limited (and also not clear in configuration approach if you are used to IOS) there is easy option to capture the traffic. You can do it in two ways either by displaying traffic flow on terminal or saving to file. First option is probably best for quick analysis and if you don’t care about payload.
More info: it technician jobs