We have recently deployed an inline IPS solution using 5.1(7) E1 software. We would like to deny-attacker-victim-pair-inline for some signatures from one particular subnet on the network but negate the rest.
In order to correctly implement this, I think that we need to use SigEvent Action Filters on the sensor and use the commands <<actions-to-remove/deny-attacker-victim-pair-inline>> for all subnets accept the one that we wish to allow deny actions for.
I have seen that in the configuration on the sensor you can implement under the section <<service network-access>> a <<never-block-networks>> statement. My understanding is that this is used more for shunning rather then deny-inline solutions.
Am I correct about this?
Please could some one on the list validate that this is the best practice solution for negating deny-attackers inline.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...