Cisco Support Community

IPS version 6.2 blocking help

Dear all,

Please find the attached file.

I have an IPS 4240 and it is working properly.

I tuned some signatures to block the connections for any PC that has abnormal traffic or tries to use a P2P application, but I want to know something in the attached file: what is the difference between

connection block enabled ----> true

connection block enabled ----> false

In other words, what is the meaning of true and false in the attached file?

Waiting for your replies.

regards

Mohamed

3 REPLIES

Re: IPS version 6.2 blocking help

Hello Mohammad

There are three types of blocks on the Cisco IPS; "connection block enabled" refers to the blocks that match on both source/dest etc. and not just the source. From the user guide:

"There are three types of blocks:

• Host block - Blocks all traffic from a given IP address.

• Connection block - Blocks traffic from a given source IP address to a given destination IP address and destination port.

Multiple connection blocks from the same source IP address to either a different destination IP address or destination port automatically switch the block from a connection block to a host block.

Note: Connection blocks are not supported on firewalls. Firewalls only support host blocks with additional connection information.

• Network block - Blocks all traffic from a given network.

You can initiate host and connection blocks manually or automatically when a signature is triggered. You can only initiate network blocks manually.

Caution: Do not confuse blocking with the sensor's ability to drop packets. The sensor can drop packets when the following actions are configured for a sensor in inline mode: deny packet inline, deny connection inline, and deny attacker inline."

Please rate if helpful.

Regards

Farrukh


Re: IPS version 6.2 blocking help

Dear Farrukh

Thanks for your reply and your support. What I need to know is: what is the meaning of True and False in the Connection Block Enabled column in the attached file?

regards

mohamed

Re: IPS version 6.2 blocking help

Dear Mohammad

When that field is set to true, then it means a "Connection block" is being done instead of a "Host block" (based on source IP only). When it is false it implies a "Host Block".

Regards

Farrukh
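
The true/false distinction described in the reply above, together with the escalation rule in the quoted user guide, as an added example that is not part of the original thread and is not Cisco code. It is a simplified model: `BlockRequest`, `effective_blocks` and the sample addresses are hypothetical names and constructed data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockRequest:
    src: str
    dst: str
    dport: int
    connection_block: bool  # models the "Connection Block Enabled" column


HOST = ("host", frozenset())


def effective_blocks(requests):
    """Map each source IP to ("host", {}) or ("connection", {(dst, dport)})."""
    table = {}
    for r in requests:
        kind, conns = table.get(r.src, ("connection", frozenset()))
        if kind == "host":
            continue  # a host block already covers all traffic from src
        if not r.connection_block:
            table[r.src] = HOST  # false: block on source IP only
            continue
        conns = conns | {(r.dst, r.dport)}
        # Guide: connection blocks from one source to a different
        # destination IP or port switch to a host block.
        table[r.src] = HOST if len(conns) > 1 else ("connection", conns)
    return table


# Constructed sample requests (documentation address ranges).
SAMPLE = [
    BlockRequest("192.0.2.10", "198.51.100.5", 6881, True),
    BlockRequest("192.0.2.10", "198.51.100.5", 6881, True),  # same connection
    BlockRequest("192.0.2.20", "198.51.100.5", 6881, True),
    BlockRequest("192.0.2.20", "198.51.100.9", 6881, True),  # new destination
    BlockRequest("192.0.2.30", "198.51.100.5", 80, False),   # host block
]

if __name__ == "__main__":
    for src, (kind, conns) in effective_blocks(SAMPLE).items():
        print(src, kind, sorted(conns))
```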
