1
00:00:00,740 --> 00:00:06,590
IPS signature matches are classified as one of the four types listed in the slide.

2
00:00:07,690 --> 00:00:17,440
False positives are the main reason that we implement IPS tuning and could potentially drop normal traffic.

3
00:00:17,440 --> 00:00:22,520
Ideally there would only be true positive and true negative matches.

4
00:00:22,690 --> 00:00:27,100
That is what we want the IPS to achieve 100 percent of the time.

5
00:00:28,070 --> 00:00:35,750
The IPS tuning process can be used to help ensure that the alerts you are seeing are real, actionable

6
00:00:35,930 --> 00:00:39,360
information. Without tuning,

7
00:00:39,430 --> 00:00:46,990
you will potentially have thousands of benign events, also known as false positives, making it difficult

8
00:00:46,990 --> 00:00:52,020
for you to conduct any security research or forensics on the network.

9
00:00:53,180 --> 00:01:01,550
Cisco's Firepower system actually has an auto-tuning feature that will tune IPS policies to match the traffic

10
00:01:01,610 --> 00:01:04,700
in your environment.

11
00:01:04,700 --> 00:01:12,830
So here I am in the IPS policy configuration in Firepower, and if you click on Firepower Recommendations

12
00:01:13,760 --> 00:01:20,380
you can actually set your IPS policy to be based off of traffic that Firepower has learned about.

13
00:01:20,870 --> 00:01:31,400
So based on the traffic in my network, there were 139 rules set to only alert and then 5,354 set to

14
00:01:31,400 --> 00:01:32,700
drop and alert.

15
00:01:33,020 --> 00:01:40,510
And then almost 14,000 rules were disabled because, based on the traffic flows through my sensors, Firepower

16
00:01:40,550 --> 00:01:45,130
determined that those rules were not necessary to be enabled.

17
00:01:45,160 --> 00:01:51,400
So this can really improve performance and make sure you don't have so many false readings when you're

18
00:01:51,490 --> 00:01:53,530
analyzing intrusion events.