topic Re: IPS Event Showing &quot;would have dropped&quot; as inline result in Endpoint Security https://community.cisco.com/t5/endpoint-security/ips-event-showing-quot-would-have-dropped-quot-as-inline-result/m-p/4541674#M6642 <P>When you select “No” to drop when inline the results regardless of the settings enabled for the rule is NOT to drop the traffic - hence the message would have dropped. This effectively turns the policy into an IDS based policy. If the intention is to drop traffic you need to select “yes” to drop when inline - this effectively turns the policy into an IPS based policy.&nbsp;</P> Sat, 29 Jan 2022 01:50:29 GMT Jason Maynard 2022-01-29T01:50:29Z IPS Event Showing "would have dropped" as inline result https://community.cisco.com/t5/endpoint-security/ips-event-showing-quot-would-have-dropped-quot-as-inline-result/m-p/4539587#M6640 <P>I observed whenever “Inline Result” generated “would have dropped” action , traffic processed by the IPS Policy ( INTPOL-01v1 from the Image ) which is called at Advanced Section of Actual Policy ( <STRONG>Perim-01</STRONG>&nbsp;1st Image ).&nbsp;</P><P>&nbsp;</P><P>Even though&nbsp; “Drop when inline” action is “No” for this IPS Policy ( <A href="https://adc-j13-fmc1/DetectionPolicy/ids.cgi" target="_blank" rel="noopener"><STRONG>INTPOL-01v1</STRONG></A>&nbsp;) that means even though individual signature action is “Drop and Generate Events” it will not DROP Traffic. ?</P><P><STRONG>&nbsp;</STRONG></P><P>However at each rule,&nbsp; IPS Policy&nbsp;<STRONG>Perim-01</STRONG> is called and its “Drop when InLine” Action is YES and specific signature is “Drop and Generate Events” so ultimately when IPS Policy at each Rule is Processed this same traffic is Blocked&nbsp; ? for the Log/traffic which showed "would have dropped" .&nbsp;</P><P>&nbsp;</P><P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image1.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/142289iECB86BE5F60D4CC8/image-size/large?v=v2&amp;px=999" role="button" title="Image1.jpg" alt="Image1.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image2.jpg" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/142290i8D2978269C8308B0/image-size/large?v=v2&amp;px=999" role="button" title="Image2.jpg" alt="Image2.jpg" /></span></STRONG></P> Wed, 26 Jan 2022 18:22:34 GMT https://community.cisco.com/t5/endpoint-security/ips-event-showing-quot-would-have-dropped-quot-as-inline-result/m-p/4539587#M6640 MSJ1 2022-01-26T18:22:34Z Re: IPS Event Showing "would have dropped" as inline result https://community.cisco.com/t5/endpoint-security/ips-event-showing-quot-would-have-dropped-quot-as-inline-result/m-p/4541674#M6642 <P>When you select “No” to drop when inline the results regardless of the settings enabled for the rule is NOT to drop the traffic - hence the message would have dropped. This effectively turns the policy into an IDS based policy. If the intention is to drop traffic you need to select “yes” to drop when inline - this effectively turns the policy into an IPS based policy.&nbsp;</P> Sat, 29 Jan 2022 01:50:29 GMT https://community.cisco.com/t5/endpoint-security/ips-event-showing-quot-would-have-dropped-quot-as-inline-result/m-p/4541674#M6642 Jason Maynard 2022-01-29T01:50:29Z