CSA DAC Rule, Untrusted Hosts, and Global Correlation
I was trying to get tricky and force my Data Access Control rules to show me what the source IP was.
In my DAC rule, instead of setting the action to Monitor, I have it set to Add Process to Application Class, using dynamic application class <*Processes Communicating with Untrusted Hosts>. Then for Global Event Correlation, I have "Correlate Communications with untrusted hosts and add peer addresses to list of dynamically quarantined IP addresses" enabled with Log a message if 1 systems report this event within 60 minutes.
Well, it works. Sort of. The first time one of my DAC rules triggers, I get the event for the DAC rule, then another event when Global Event Correlation logs the IP address. But this comes with a nasty side effect. Right after, any IP address that communicates with the IIS process also gets added to the Global Quarantine IP addresses list and those events are logged, but not with any other DAC rule event. It looks as if the IIS process is being quarantined as well, even though I can't see that tracked anywhere. The details of the Global event don't give any reference information at all.
So what is going on? Is this how it's supposed to work? Or did I find a bug?