IPS version 6.2 blocking help

Oct 21st, 2008

Dear all

Please find the attached file.

I have an IPS 4240 and it is working properly.

I tuned some signatures to block the connections for any PC that has abnormal traffic or tries to use a P2P application, but I want to know something in the attached file: what is the difference between

connection block enabled ----> true

connection block enabled ----> false

In other words, what is the meaning of true and false in the attached file?

Waiting for your replies.



Farrukh Haroon Tue, 10/21/2008 - 05:39

Hello Mohammad

There are three types of blocks on the Cisco IPS. "Connection block enabled" refers to the blocks that match on both source/dest etc. and not just the source. From the user guide:

"There are three types of blocks:

• Host block - Blocks all traffic from a given IP address.

• Connection block - Blocks traffic from a given source IP address to a given destination IP address and destination port.

Multiple connection blocks from the same source IP address to either a different destination IP address or destination port automatically switch the block from a connection block to a host block.

Note: Connection blocks are not supported on firewalls. Firewalls only support host blocks with additional connection information.

• Network block - Blocks all traffic from a given network.

You can initiate host and connection blocks manually or automatically when a signature is triggered. You can only initiate network blocks manually.

Caution: Do not confuse blocking with the sensor's ability to drop packets. The sensor can drop packets when the following actions are configured for a sensor in inline mode: deny packet inline, deny connection inline, and deny attacker inline."

Please rate if helpful.



mohamed_makled Tue, 10/21/2008 - 09:31

Dear Farrukh

Thanks for your reply and your support. What I need to know is: what is the meaning of True and False in the Connection Block Enabled column in the attached file?



Farrukh Haroon Tue, 10/21/2008 - 23:34

Dear Mohammad

When that field is set to true, then it means a "Connection block" is being done instead of a "Host block" (based on source IP only). When it is false it implies a "Host Block".
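
The block rules quoted from the user guide, together with the true/false reading given in the reply above, can be sketched as a small state model. This is an added example, not part of the original thread and not Cisco code; the class and method names are hypothetical and the addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Block:
    kind: str                    # "connection" or "host"
    src: str
    dst: Optional[str] = None    # set only for connection blocks
    dport: Optional[int] = None  # set only for connection blocks


class BlockTable:
    """Toy model of the quoted rules; not Cisco's implementation."""

    def __init__(self) -> None:
        self._by_src: Dict[str, Block] = {}

    def request_connection_block(self, src: str, dst: str, dport: int) -> Block:
        current = self._by_src.get(src)
        if current is None:
            # First block for this source: scoped to one dst IP and port.
            current = Block("connection", src, dst, dport)
        elif current.kind == "connection" and (current.dst, current.dport) != (dst, dport):
            # Same source, different dst IP or port: switch to a host block.
            current = Block("host", src)
        # Otherwise it is a repeat of the same connection, or already a host block.
        self._by_src[src] = current
        return current

    def is_blocked(self, src: str, dst: str, dport: int) -> bool:
        blk = self._by_src.get(src)
        if blk is None:
            return False
        if blk.kind == "host":
            return True  # all traffic from the source
        return (blk.dst, blk.dport) == (dst, dport)

    def connection_block_enabled(self, src: str) -> Optional[bool]:
        """True = connection block, False = host block (per the reply above)."""
        blk = self._by_src.get(src)
        return None if blk is None else blk.kind == "connection"


def demo() -> list:
    # Constructed addresses (RFC 5737 documentation ranges).
    t = BlockTable()
    out = [t.request_connection_block("198.51.100.7", "192.0.2.10", 80).kind]
    out.append(t.is_blocked("198.51.100.7", "192.0.2.10", 443))
    out.append(t.request_connection_block("198.51.100.7", "192.0.2.10", 443).kind)
    out.append(t.is_blocked("198.51.100.7", "192.0.2.99", 22))
    return out
```
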



