Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Event Action Filters on 2851

Can I configure 'event action filters' from the CLI or do I have to use SDM?

5 REPLIES

Re: Event Action Filters on 2851

You can change actions from the CLI on a signature/category basis, not so sure about removing actions:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ips_v5.html#wp1053954

Regards

Farrukh

Community Member

Re: Event Action Filters on 2851

I want to change the 'event action filters' where I can put in a certain ip address that should be ignored by the IPS.

Re: Event Action Filters on 2851

This is exactly what the 'event action filter' does. Whichever hosts you want to be ignored, add them using commas (as per my previous post), then subtract the action 'Produce Alert'.

Regards

Farrukh

Community Member

Re: Event Action Filters on 2851

I'm sorry, I didn't see in your last post where 'exactly' you add the ip address of the hosts from the command line. Can you show me the command to enter on the 2851 to ignore a particular host from a particular signature? Thanks.

Re: Event Action Filters on 2851

I'm sorry, I got confused with another thread I was working on. This is how you do it on an IPS sensor.

On IOS IPS, it used to be done using the following command:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i2.html#wp1030715

The ACL at the command was used to select which IPs that particular signature is valid for. However it seems that command has been removed in 12.4(11)T and I can't find any other way to do the same in the 5.x format introduced in 12.4(11)T.

Regards

Farrukh

168
Views
0
Helpful
5
Replies
CreatePlease to create content