I have enabled blocking on a router to fire when a certain sig fires. This has been working for a while; I can see the ACL on the router with the host being denied access, so I know that it has been working. The sig fired today and the host was added to the ACL on the router, so it should be blocked, right? After I verified that the host was added to the ACL on the router and through the IDM, I still receive e-mails on this sig firing with the same host that was supposedly blocked when it first came in. Does the IPS still log events even though the attacker is being blocked?
As long as the IPS is receiving the offending traffic causing a signature to trigger, an event will be generated. However, if the router is in front of the IPS and should block the offending traffic before it reaches the IPS, then events should not be triggered.
If it is in front of the router, you should see events where the sig will fire. You should NOT see any more events from ARC saying it has successfully added a block to the router. If you look at IDM/Monitoring, you should see the block time being reset back to the default every time the sig fires.
How long after did they occur? It takes a small amount of time to re-write the ACL, so there is a window of time where one event could fire a block-host event, but more events pass through before the ACL becomes active.
Once the host was added to the ACL I was receiving alerts 10-20 minutes after the fact.
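A constructed check for the timing question in the two posts above (an added example, not code from the thread or from Cisco): it correlates alerts for a blocked host against the ARC block-host time, separates alerts that fall inside the ACL rewrite window from those that arrive after the block should already be active, and reads the deny entry's hit counter from `show ip access-lists` output. Alerts that keep arriving long after the block while the deny entry shows no matches point at an ACL that is not on the traffic path (not applied to the interface and direction the traffic uses, or the IPS sitting upstream of the router), which is the distinction the replies draw. The log line formats, the 30-second window, and the ACL name `IDS_FastEthernet0/0_in_0` are assumptions; real IDM and IOS output differ in layout.

```python
"""Correlate IPS alerts with an ARC block-host action on a router ACL.

Added example, not from the thread.  Log formats below are constructed
and simplified; real IDM/IOS output must be parsed accordingly.
"""
import re
from datetime import datetime, timedelta

# Constructed IPS alerts: one attacker gets blocked, another never does.
ALERT_LOG = """\
2012-03-01 10:00:05 sig=2100 attacker=192.0.2.10 victim=198.51.100.5
2012-03-01 10:00:07 sig=2100 attacker=192.0.2.10 victim=198.51.100.5
2012-03-01 10:00:12 sig=2100 attacker=192.0.2.10 victim=198.51.100.5
2012-03-01 10:15:30 sig=2100 attacker=192.0.2.10 victim=198.51.100.5
2012-03-01 10:20:02 sig=2100 attacker=192.0.2.10 victim=198.51.100.5
2012-03-01 10:02:00 sig=2100 attacker=203.0.113.7 victim=198.51.100.5
"""

# Constructed ARC block-host event (time the block was requested).
BLOCK_LOG = """\
2012-03-01 10:00:06 block-host attacker=192.0.2.10
"""

# Constructed "show ip access-lists" output.  IOS prints "(N matches)"
# only when N > 0, so a deny line without a counter has never matched.
ACL_OUTPUT = """\
Extended IP access list IDS_FastEthernet0/0_in_0
    10 permit ip host 10.0.0.1 any
    20 deny ip host 192.0.2.10 any
    30 permit ip any any (18423 matches)
"""

ALERT_RE = re.compile(r"^(?P<ts>\S+ \S+) sig=(?P<sig>\d+) attacker=(?P<host>\S+)")
BLOCK_RE = re.compile(r"^(?P<ts>\S+ \S+) block-host attacker=(?P<host>\S+)")
ACL_RE = re.compile(r"^\s*\d+ deny ip host (?P<host>\S+) any(?: \((?P<n>\d+) matches\))?")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_alerts(text):
    """Return [(timestamp, sig_id, attacker)] for each recognised alert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append((parse_ts(m["ts"]), m["sig"], m["host"]))
    return alerts


def parse_blocks(text):
    """Return {attacker: earliest block-host time}."""
    blocks = {}
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            ts = parse_ts(m["ts"])
            blocks[m["host"]] = min(ts, blocks.get(m["host"], ts))
    return blocks


def classify_alerts(alerts, blocks, apply_window=timedelta(seconds=30)):
    """Bucket each blocked host's alerts relative to its block time.

    before:    alert predates the block request (expected, it caused it)
    in_window: alert within apply_window of the block (ACL rewrite pending)
    leaked:    alert after the window, i.e. the block is not stopping traffic
    """
    result = {}
    for ts, _sig, host in alerts:
        if host not in blocks:
            continue  # never blocked; nothing to judge
        counts = result.setdefault(host, {"before": 0, "in_window": 0, "leaked": 0})
        delta = ts - blocks[host]
        if delta < timedelta(0):
            counts["before"] += 1
        elif delta <= apply_window:
            counts["in_window"] += 1
        else:
            counts["leaked"] += 1
    return result


def acl_deny_hits(acl_text):
    """Return {host: match_count} for every 'deny ip host X any' entry."""
    hits = {}
    for line in acl_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            hits[m["host"]] = int(m["n"]) if m["n"] is not None else 0
    return hits


def diagnose(host, classified, acl_hits):
    """Combine alert timing with the ACL counter into one verdict."""
    counts = classified.get(host)
    if counts is None:
        return "no-block-requested"
    if host not in acl_hits:
        return "no-deny-entry"          # ARC never wrote the ACL line
    if counts["leaked"] == 0:
        return "block-effective"        # only the expected rewrite-window leakage
    if acl_hits[host] == 0:
        return "acl-not-in-path"        # traffic flows, deny never matches
    return "block-leaking"              # deny matches, yet alerts continue


if __name__ == "__main__":
    cls = classify_alerts(parse_alerts(ALERT_LOG), parse_blocks(BLOCK_LOG))
    hits = acl_deny_hits(ACL_OUTPUT)
    for h in sorted(set(cls) | set(hits)):
        print(h, cls.get(h), "acl_matches=%s" % hits.get(h), diagnose(h, cls, hits))
```

In the constructed data the blocked host keeps alerting 15 and 20 minutes after the block while its deny entry has never matched, which yields `acl-not-in-path`; the 2 alerts inside the 30-second window are the ACL rewrite delay the reply describes and are not counted against the block.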
When you set up a router for the IPS to manage and you put in all of the login, IP and ACL info, is there anything you have to do to make the ACL active on the router to deny or allow traffic? The only thing that I can think of is to assign it to an interface on the router, but that was done when setting up the blocking device through IDM, right?