IPS version 6.2 blocking help

mohamed_makled
Level 1

Dear all,

Please find the attached file.

I have an IPS 4240 and it is working properly.

I tuned some signatures to block the connections for any PC that has abnormal traffic or tries to use a P2P application, but I want to know something in the attached file: what is the difference between

connection block enabled ----> true

connection block enabled ----> false

In other words, what is the meaning of true and false in the attached file?

Waiting for your replies.

Regards,

Mohamed

3 Replies

Farrukh Haroon
VIP Alumni

Hello Mohammad,

There are three types of blocks on the Cisco IPS; "connection block enabled" refers to blocks that match on both source/destination etc. and not just the source. From the user guide:

"There are three types of blocks:

• Host block - Blocks all traffic from a given IP address.

• Connection block - Blocks traffic from a given source IP address to a given destination IP address and destination port.

Multiple connection blocks from the same source IP address to either a different destination IP address or destination port automatically switch the block from a connection block to a host block.

Note Connection blocks are not supported on firewalls. Firewalls only support host blocks with additional connection information.

• Network block - Blocks all traffic from a given network.

You can initiate host and connection blocks manually or automatically when a signature is triggered. You can only initiate network blocks manually.

Caution Do not confuse blocking with the sensor's ability to drop packets. The sensor can drop packets when the following actions are configured for a sensor in inline mode: deny packet inline, deny connection inline, and deny attacker inline. "

Please rate if helpful.

Regards

Farrukh

Dear Farrukh,

Thanks for your reply and your support. What I need to know is the meaning of True and False in the Connection Block Enabled column in the attached file.

Regards,

Mohamed

Dear Mohammad,

When that field is set to true, it means a "Connection block" is being done instead of a "Host block" (which is based on source IP only). When it is false, it implies a "Host block".

Regards

Farrukh
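To make the two answers above concrete, here is an added example (not from the thread or from Cisco's own code) that models a sensor's block table: a request with Connection Block Enabled = true adds a source/destination/port block, false adds a host block on the source only, and a second connection block from the same source to a different destination or port escalates to a host block, as the quoted user guide describes. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BlockRequest:
    """A block as a triggered signature would request it (constructed sample data)."""
    src: str
    dst: str
    dport: int
    connection_block_enabled: bool  # True -> connection block, False -> host block


@dataclass
class BlockTable:
    """Models the host/connection block behaviour quoted from the IPS user guide."""
    host_blocks: set = field(default_factory=set)   # source IPs blocked entirely
    conn_blocks: set = field(default_factory=set)   # (src, dst, dport) tuples

    def apply(self, req: BlockRequest) -> str:
        """Apply one block request; returns the kind of block now in effect for req.src."""
        if req.src in self.host_blocks:
            return "host"  # source already fully blocked, nothing narrower to add
        if not req.connection_block_enabled:
            # False: block all traffic from the source (host block)
            self._escalate(req.src)
            return "host"
        # True: block only src -> dst:dport
        existing = {b for b in self.conn_blocks if b[0] == req.src}
        new = (req.src, req.dst, req.dport)
        if existing and new not in existing:
            # Another connection block from the same source to a different
            # destination IP or port switches the block to a host block.
            self._escalate(req.src)
            return "host"
        self.conn_blocks.add(new)
        return "connection"

    def _escalate(self, src: str) -> None:
        """Replace any connection blocks for src with a single host block."""
        self.host_blocks.add(src)
        self.conn_blocks = {b for b in self.conn_blocks if b[0] != src}

    def is_blocked(self, src: str, dst: str, dport: int) -> bool:
        return src in self.host_blocks or (src, dst, dport) in self.conn_blocks
```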
