negating deny-attacker inline best practice

We have recently deployed an inline IPS solution using 5.1(7) E1 software. We would like to deny-attacker-victim-pair-inline for some signatures from one particular subnet on the network but negate the rest.

In order to correctly implement this, I think that we need to use SigEvent Action Filters on the sensor and use the commands <<actions-to-remove/deny-attacker-victim-pair-inline>> for all subnets except the one that we wish to allow deny actions for.

I have seen that in the configuration on the sensor you can implement under the section <<service network-access>> a <<never-block-networks>> statement. My understanding is that this is used more for shunning rather than deny-inline solutions.

Am I correct about this?

Please could someone on the list validate that this is the best practice solution for negating deny-attackers inline.

Accepted Solution

Re: negating deny-attacker inline best practice

Create 2 event action filters.

The first event action filter will match the signatures and subnets you want to deny on; don't subtract any actions. Make sure you set it to "stop on match".

The next one will match the same signatures but the 0.0.0.0-255.255.255.255 address. Remove the appropriate actions.

The net result is that the first event action filter will apply when it matches and the second when it doesn't.
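To make the ordering in the answer concrete, here is an added Python model of how an ordered event action filter list with "stop on match" behaves; it is not Cisco code and is not part of this thread. The subnet 10.1.1.0/24, the signature IDs 1001 and 1002, the filter names and the base action set are constructed assumptions. A real sensor filter also matches on victim address, ports and risk rating, which the model leaves out; it only shows why the first filter must stop on match for the second, catch-all filter to leave that subnet's deny action alone.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

# Event actions as named in the thread (the deny pair) plus the usual alert action.
DENY_PAIR = "deny-attacker-victim-pair-inline"
PRODUCE_ALERT = "produce-alert"


@dataclass
class EventActionFilter:
    """One entry in the sensor's ordered event action filter list.

    Only signature ID and attacker address are modelled; a real filter also
    matches victim address, ports and risk rating (left out here)."""
    name: str
    signature_ids: set            # signature IDs this filter applies to
    attacker_range: IPv4Network   # attacker addresses this filter applies to
    actions_to_remove: set = field(default_factory=set)
    stop_on_match: bool = False   # stop evaluating later filters once matched

    def matches(self, sig_id: int, attacker: str) -> bool:
        return sig_id in self.signature_ids and ip_address(attacker) in self.attacker_range


def apply_filters(filters, sig_id, attacker, base_actions):
    """Walk the filters top-down, subtracting actions from every matching
    filter until a matching filter has stop-on-match set. Returns the
    surviving actions and the names of the filters that matched."""
    remaining = set(base_actions)
    matched = []
    for f in filters:
        if not f.matches(sig_id, attacker):
            continue
        matched.append(f.name)
        remaining -= f.actions_to_remove
        if f.stop_on_match:
            break
    return remaining, matched


# ---- Constructed sample values (assumptions, not from the thread) ----
ALLOWED_SUBNET = ip_network("10.1.1.0/24")      # the one subnet that keeps the deny
ANY_ADDRESS = ip_network("0.0.0.0/0")            # 0.0.0.0-255.255.255.255 from the answer
SIG_IDS = {1001, 1002}                            # placeholder signature IDs
BASE_ACTIONS = {PRODUCE_ALERT, DENY_PAIR}         # actions configured on those signatures

# The two-filter layout from the accepted answer.
RECOMMENDED = [
    EventActionFilter("keep-deny-for-subnet", SIG_IDS, ALLOWED_SUBNET, set(), stop_on_match=True),
    EventActionFilter("strip-deny-elsewhere", SIG_IDS, ANY_ADDRESS, {DENY_PAIR}),
]

# Same two filters, but the first one forgot "stop on match".
MISSING_STOP = [
    EventActionFilter("keep-deny-for-subnet", SIG_IDS, ALLOWED_SUBNET, set()),
    EventActionFilter("strip-deny-elsewhere", SIG_IDS, ANY_ADDRESS, {DENY_PAIR}),
]


def evaluate(attacker, sig_id=1001, filters=RECOMMENDED):
    """Resulting actions for one alert under the given filter list."""
    return apply_filters(filters, sig_id, attacker, BASE_ACTIONS)


if __name__ == "__main__":
    for label, flt in (("recommended", RECOMMENDED), ("missing stop-on-match", MISSING_STOP)):
        for atk in ("10.1.1.5", "192.0.2.7"):
            actions, hit = evaluate(atk, filters=flt)
            print(f"{label:22} attacker={atk:10} matched={hit} actions={sorted(actions)}")
```

With the recommended layout an alert from 10.1.1.5 stops at the first filter and keeps the deny, while an alert from any other address falls through to the catch-all filter and loses it. With the stop flag missing, the first filter matches but does nothing, and the catch-all then strips the deny for the allowed subnet too, which is the misconfiguration the answer's "stop on match" guards against.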
