Cisco Support Community

Blocking specific IP addresses for a signature on Cisco IME

Hello,

I am running 4 Cisco IPS-4255 IPS sensors with Cisco IME 7.2.6.

We would like to block all traffic between 2 IP addresses (194.63.143.188 and 113.103.34.20 for the sake of argument) for the signature TCP Source Port 0 (Sig ID 24199).

I've not been able to figure out how to do this.

So far, the only functions I've found that are similar to what I'm trying to achieve are to set the signature to deny all traffic instead of just the traffic between these IP addresses, or to deny all traffic between these IP addresses regardless of the signature. Neither of these is what we want, as we still want to see the alert trigger for other attacker/victim combinations and other alerts with the same attacker/victim IPs. I've had a fiddle with setting some Event Action Filters but I'm not sure if these are the way to go.

One thought we've had is to clone the signature in the sig0 policy and amend it for the required attacker and victim IPs. However, we are unsure how this would work with the global sig0 policy.

Can someone please advise if what I want to do is possible on the IME?

Many thanks,
