Cisco Support Community
Community Member

Blocking on a Router

I have enabled blocking on a router to fire when a certain sig fires. This has been working for a while; I can see the ACL on the router with the host being denied access, so I know that it has been working. The sig fired today and the host was added to the ACL on the router - so it should be blocked, right? After I verified that the host was added to the ACL on the router and through the IDM, I still receive e-mails on this sig firing with the same host that was supposedly blocked when it first came in. Does the IPS still log events even though the attacker is being blocked?


Re: Blocking on a Router

As long as the IPS is receiving the offending traffic causing a signature to trigger, an event will be generated. However, if the router is in front of the IPS and should block the offending traffic before it reaches the IPS, then events should not be triggered.

Hope this helps.



Cisco Employee

Re: Blocking on a Router

If it is in front of the router, you should see events where the sig will fire. You should NOT see any more events from ARC saying it has successfully added a block to the router. If you look at idm/monitoring, you should see the block time being reset back to default every time the sig fires.

Community Member

Re: Blocking on a Router

The router is in front of the IPS. What can I do to troubleshoot where the fault is?

Thanks for your help.


Re: Blocking on a Router

How long after did they occur? It takes a small amount of time to re-write the ACL so there is a window of time where one event could fire a block-host event, but more events pass through before the ACL becomes active.

Community Member

Re: Blocking on a Router

Once the host was added to the ACL I was receiving alerts 10-20 minutes after the fact.

When you set up a router for the IPS to manage and put in all of the login, IP and ACL info, is there anything you have to do to make the ACL active on the router to deny or allow traffic? The only thing that I can think of is to assign it to an interface on the router, but that was done when setting up the blocking device through IDM, right?
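One way to answer that last question on the router itself, as an added example that is not part of this thread (the interface name is an assumption; use the interface and direction configured as the blocking interface in IDM):

```cisco
! Added example: check on the router whether the ARC-managed ACL is actually in the packet path.
! GigabitEthernet0/0 is an assumed interface name for illustration.

! 1. Confirm the deny entry for the blocked host exists and is matching packets.
!    The "(N matches)" counter on that entry should keep climbing while the offending
!    traffic continues; a counter stuck at 0 means the ACL is not filtering anything.
show ip access-lists

! 2. Confirm the ACL is bound to the interface facing the attacker, in the right direction.
!    Expect "Inbound  access list is <acl-name>" (or Outgoing, depending on the direction
!    chosen in IDM); "not set" means no ACL is active there and nothing is being blocked.
show ip interface GigabitEthernet0/0 | include access list

! 3. If step 2 shows "not set", the block exists only as an ACL object, not as a filter.
!    Verify the blocking interface/direction in IDM rather than binding the ACL by hand;
!    a manually bound ACL is overwritten the next time ARC rewrites its ACL.
```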
