Cisco Support Community
New Member

block attacker only if target is specific host only

I want to do the following:

Only if the target of the attack is MailSrv

and the RR > 85

--->block attacker

If target is any other host -->

don't block

===========

My problem is that I cannot specify the dst IP in the event action override.

So my only choice was:

event action override: if RR > 85 block

but this blocks if the attack is against ANY host, not MailSrv only.

2 REPLIES
New Member

Re: block attacker only if target is specific host only

I will try to make it more clear.

I want everything to behave normally.

Only when attacks are on MailSrv I want to block.

New Member

Re: block attacker only if target is specific host only

Hi

Are you already using value target rating for your Mail server?

If you are not, then assign a critical host value; doing that will raise the risk rating and fire the block action.

The other targets will have a RR < 85.

Remember the RR depends on 3 parameters: severity of the alarm, fidelity value and VALUE TARGET RATING.

I hope this helps (rate if it does)

Alberto Giorgi from Spain
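
The suggestion in the reply above, worked through as an added example (not part of the thread and not Cisco code): it shows which signatures would block only MailSrv once it is given a higher target value, and which would still block any host. Assumptions: the base formula RR = ASR x TVR x SFR / 10000 capped at 100, the weight tables shown, integer truncation, and a constructed signature list.

```python
# Assumed weights for the three RR inputs named in the reply; not taken from the thread.
ASR = {"informational": 25, "low": 50, "medium": 75, "high": 100}  # alert severity
TVR = {"zero": 50, "low": 75, "medium": 100, "high": 150, "mission_critical": 200}
BLOCK_THRESHOLD = 85  # event action override from the thread: block when RR > 85


def risk_rating(severity, fidelity, target_value):
    """Assumed base formula: RR = ASR * TVR * SFR / 10000, capped at 100."""
    return min(100, ASR[severity] * TVR[target_value] * fidelity // 10000)


def blocks(severity, fidelity, target_value):
    """True when the override would add the block action for this event."""
    return risk_rating(severity, fidelity, target_value) > BLOCK_THRESHOLD


def classify(severity, fidelity, mail_value="mission_critical", other_value="medium"):
    """Behaviour of one signature when MailSrv and other hosts have different target values."""
    mail = blocks(severity, fidelity, mail_value)
    other = blocks(severity, fidelity, other_value)
    if mail and other:
        return "blocks any host"
    if mail:
        return "blocks MailSrv only"
    if other:
        return "blocks other hosts only"
    return "never blocks"


# Constructed sample signatures: (severity, fidelity rating 0-100).
SIGNATURES = [("high", 100), ("high", 80), ("medium", 75),
              ("low", 85), ("informational", 100)]


def audit(signatures):
    """Map each signature to its behaviour so the exceptions stand out."""
    return {sig: classify(*sig) for sig in signatures}


if __name__ == "__main__":
    for (severity, fidelity), result in audit(SIGNATURES).items():
        rr_mail = risk_rating(severity, fidelity, "mission_critical")
        rr_other = risk_rating(severity, fidelity, "medium")
        print(f"{severity:13} SFR={fidelity:3} RR(MailSrv)={rr_mail:3} "
              f"RR(other)={rr_other:3} -> {result}")
```
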
