It works differently depending on whether you're in IDS or IPS mode.
When the trigger packet is seen and the alert fires, 100 TCP RST's are sent from the sensors MONITORING port to both the client and server. These 100 RST's have incrementing SEQ/ACK numbers to give us a better chance of actually getting within the current window and effectively resetting the connection on both ends. (It's important to realise that it is not 100% guaranteed to actually RST the connection due to this sliding window). The RST's are obviously sent out with the actual client and server addresses in them to make it look like it came from the other end. Because they're sent out the monitor port, if this is set up using a "span" session on the switch then it's important to make sure you allow inbound packets on that port (by default span ports drop inbound packets).
Because the sensor is now inline, as soon as the signature fires we send one RST to both ends of the connection and then stop transmitting any further packets on that connection.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...