Event Action Filters (difference between column Active & Enabled?)

Unanswered Question
Jun 16th, 2008
User Badges:

I have a IPS4260, running v6.0(3).

Under "Configuration" > "Event Action Rules" > "Event Action Filter".


What is the difference between column "Active" and "Enabled"? This is confusing.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Loading.
mhellman Tue, 06/17/2008 - 04:51
User Badges:
  • Blue, 1500 points or more

I would guess that it's the same as the signatures and the basic premise is that when a filter is disabled, but still active...it gets it still consumes resources on the sensor. If you inactivate the filter, it does not.


http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&topicID=.ee6e1fc&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddcb14e/0#selected_message

stleary Tue, 06/17/2008 - 14:27
User Badges:
  • Cisco Employee,

Event action filters are evaluated in a specified order. Active means that a filter participates in the order. Enabled means that it can perform a filtering action. Use Disable when you want to preserve the order, but not perform the action (e.g. if you want to turn it off for debugging, but want to keep it's place in the list later). Use Inactive when you don't want the filter in the ordering at all (e.g. if you want to keep it as a reminder, but don't plan to use it again). The filter list is displayed by CLI and IDM in logical order - first all of the Active filters in their specified order, and then all of the Inactive filters. I don't think the designers really intended to have 2 similar options; it is more a side effect of the data model used for storing the configuration.

Farrukh Haroon Tue, 06/17/2008 - 18:36
User Badges:
  • Red, 2250 points or more

Thank you for your answer. I wish you guys could put a more helpful description in the CLI Guide, IDM Guide and Onine Help. Currently the CLI guide does not even mention one of these options. Online/IDM guide are also very vague.


Regards


Farrukh

mhellman Wed, 06/18/2008 - 04:56
User Badges:
  • Blue, 1500 points or more

Thanks for the clarification Sean. I like your description...any chance you can have it included in the user guide and/or context help?

Actions

This Discussion