Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
ola
Community Member

Event Action Filter not working

Hi,

We are running an IDSM-2 with 7.0(1)E3 and 2 virtual sensors.

I want to filter alarms from sig 2004 for a monitoring server.

When adding an event action filter, it still sends alarms. Bug?? Is there another way to filter the alarms for a specific host?

Regards

/Ola

6 REPLIES
Community Member

Re: Event Action Filter not working

Event action rules set is assigned to virtual sensor. If you have assigned event action rules set to one virtual sensor and another rules to another vs:

rules0 - vs0

rules1 - vs1

you must create filter on every rules set to substract some action on whole sensor.

ola
Community Member

Re: Event Action Filter not working

Hi,

I tried to apply the same filter to both sensors, same result, I still get the alarms.

Community Member

Re: Event Action Filter not working

Sig 2004/0 ICMP Echo Request is disabled by default.

Did you activate the same action in signature action and substract action in the filter?

ola
Community Member

Re: Event Action Filter not working

I enabled the signature in one sensor and want to filter alarms for one specific ip address.

Community Member

Re: Event Action Filter not working

OK, but, for example, if you activate action "produce verbose alert" in signature but check the action to substract "produce alert" or don't check any filters must not work.

Post the config fragments of signature and of filters here.

ola
Community Member

Re: Event Action Filter not working

I removed produce alert on the signature.

Enabled it again and then reapplied the filter, and for some reason, it now works. Anyway, thanks for your help.

202
Views
0
Helpful
6
Replies
CreatePlease to create content