Cisco IPS (global correlation) is downloading lots of updates from the iron-port website
I have a query on Global Correlation.
The following is the observed behavior:
Global Correlation Inspection: ON (Standard); Reputation Filter: ON; Result: Global correlation downloads in bytes or KBs (observed on proxy)
Global Correlation Inspection: OFF; Reputation Filter: ON; Result: Global correlation downloads 4-5 MB every 5 minutes (observed on proxy)
This behavior has been observed on both IPS devices, one by one. What we wanted clarity on is why global correlation downloads so much data when it is OFF, and downloads only minimal data when ON. The equation does not seem to be right.
Both global correlation and reputation filtering retrieve updates from the SensorBase network, or IronPort. By default, they communicate with the network every five minutes. This value cannot be changed by the IPS administrator.
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...