New Member

Inactive CS-MARS reporting device (again)

I created a drop rule; dest and src IPs are "ANY", and the hostnames as seen in MARS. I chose "drop" as the action...not "log to db only". The event is "Inactive CS-MARS reporting device", device is "ANY", severity is "ANY", time range is "ANY". I clicked apply, submit and activate.

How come on my Summary | dashboard screen I still see these incidents? I was hoping this would stop. Is this expected behavior, or have I done something incorrectly?

Thanks,

Bob

4 REPLIES
Gold

Re: Inactive CS-MARS reporting device (again)

I vaguely recall reading something about not being able to use a drop rule to prevent these. You have to inactivate the rule.

Gold

Re: Inactive CS-MARS reporting device (again)

New Member

Re: Inactive CS-MARS reporting device (again)

I've solved that problem by including "ANY" and "0.0.0.0" in the source address. CS-MARS doesn't understand that ANY must include 0.0.0.0.

Concerning the dashboard, you'll see the events for a time, and previous incidents will be saved in the incident list. Once you add "0.0.0.0" in the source address, you won't see any Inactive CS-MARS event. The most important issue with filtering that event is that there is a very high number of these events, and all reports must be created using "!=Inactive CS-MARS reporting device".

As I told you, from now on you won't see that event any more.

Good luck!!

PS: Please rate the post.

New Member

Re: Inactive CS-MARS reporting device (again)

Thanks Juceta,

That seems to have solved the problem; no new incidents for the last couple of hours.

Thanks,

Bob
