Cisco Support Community
Community Member

Preferred method for blocking a source IP on IPS 7?

Is there any advantage to creating a custom atomic signature that blocks the IP address vs making a host block that does not time out? Seems to me the first would give a lot more logging options, but the second method would be a bit simpler for engineers to maintain. Is there an official preferred method? Basically for manual blacklisting.

2 REPLIES
Gold

Re: Preferred method for blocking a source IP on IPS 7?

Do you want to block ALL the traffic from a static IP address?

I'm not so sure that an IPS Sensor is the proper platform for manual blacklisting. Wouldn't you rather use your firewall or router that already has static ACLs? Either of them can log attempts.

The IPS can capture packets, but if you're blocking connections, you will only get to see one side attempt to initiate a connection. Using a custom signature that will fire every time a known bad actor attempts a connection could be a waste of sensor resources.

Maybe I don't understand what you're trying to achieve.

- Bob

Community Member

Re: Preferred method for blocking a source IP on IPS 7?

All depends on your scenario and policy requirements of your company, SOC or management!

Cisco IPS is very good and now scads signatures are also available in latest E4.

Kamran

Sent from Cisco Technical Support iPad App
