<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic High number of Security-Related Events in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/high-number-of-security-related-events/m-p/4902439#M1103334</link>
    <description>&lt;P&gt;We have very few WAN-facing devices and, for the ones which are accessible from the WAN, traffic to and from those IPs is restricted to specific IP ranges and ports within the access control policy.&lt;/P&gt;&lt;P&gt;However, under 'Security-Related Events' we consistently see a large number of connection attempts to those IPs being blocked.&lt;/P&gt;&lt;P&gt;I assume that this is because the traffic is inspected by Snort before it hits the access control policy. Is this expected, or is there a better way to configure the FTD policies?&lt;/P&gt;</description>
    <pubDate>Wed, 09 Aug 2023 16:08:11 GMT</pubDate>
    <dc:creator>willb1</dc:creator>
    <dc:date>2023-08-09T16:08:11Z</dc:date>
    <item>
      <title>High number of Security-Related Events</title>
      <link>https://community.cisco.com/t5/network-security/high-number-of-security-related-events/m-p/4902439#M1103334</link>
      <description>&lt;P&gt;We have very few WAN-facing devices and, for the ones which are accessible from the WAN, traffic to and from those IPs is restricted to specific IP ranges and ports within the access control policy.&lt;/P&gt;&lt;P&gt;However, under 'Security-Related Events' we consistently see a large number of connection attempts to those IPs being blocked.&lt;/P&gt;&lt;P&gt;I assume that this is because the traffic is inspected by Snort before it hits the access control policy. Is this expected, or is there a better way to configure the FTD policies?&lt;/P&gt;</description>
      <pubDate>Wed, 09 Aug 2023 16:08:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/high-number-of-security-related-events/m-p/4902439#M1103334</guid>
      <dc:creator>willb1</dc:creator>
      <dc:date>2023-08-09T16:08:11Z</dc:date>
    </item>
    <item>
      <title>Re: High number of Security-Related Events</title>
      <link>https://community.cisco.com/t5/network-security/high-number-of-security-related-events/m-p/4902476#M1103335</link>
      <description>&lt;P&gt;Hello &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/460831"&gt;@willb1&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Snort operates at a lower level (deep packet inspection) in the network stack compared to the access control policy in Cisco FTD. This means that Snort inspects incoming traffic before it is subject to any rules defined in the access control policy. If Snort detects traffic that matches patterns of known attacks or malicious behavior, it can block or log that traffic regardless of whether it matches any rules in the access control policy.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;This behavior is generally expected in a security-focused network setup. Snort's primary purpose is to detect and prevent known threats and vulnerabilities, which it does by analyzing traffic patterns and signatures associated with malicious activities. The access control policy, on the other hand, provides additional security by allowing you to define rules that specify which traffic is allowed or denied based on criteria such as source/destination IP addresses, ports, applications, and more.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;If you're seeing legitimate traffic being blocked by Snort and it's causing issues, you might consider reviewing the Snort rules that are triggering these blocks. You could fine-tune the Snort rules to reduce false positives, and if needed, you can create custom rules to allow specific types of traffic that you know are legitimate.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 09 Aug 2023 16:57:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/high-number-of-security-related-events/m-p/4902476#M1103335</guid>
      <dc:creator>M02@rt37</dc:creator>
      <dc:date>2023-08-09T16:57:23Z</dc:date>
    </item>
    <item>
      <title>Re: High number of Security-Related Events</title>
      <link>https://community.cisco.com/t5/network-security/high-number-of-security-related-events/m-p/4902486#M1103336</link>
      <description>&lt;P&gt;Thank you, that answered my question. In this instance, Snort isn't blocking legitimate traffic.&lt;/P&gt;</description>
      <pubDate>Wed, 09 Aug 2023 17:09:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/high-number-of-security-related-events/m-p/4902486#M1103336</guid>
      <dc:creator>willb1</dc:creator>
      <dc:date>2023-08-09T17:09:21Z</dc:date>
    </item>
    <item>
      <title>Re: High number of Security-Related Events</title>
      <link>https://community.cisco.com/t5/network-security/high-number-of-security-related-events/m-p/4902507#M1103337</link>
      <description>&lt;P&gt;You're welcome &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/460831"&gt;@willb1&lt;/a&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 09 Aug 2023 18:19:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/high-number-of-security-related-events/m-p/4902507#M1103337</guid>
      <dc:creator>M02@rt37</dc:creator>
      <dc:date>2023-08-09T18:19:45Z</dc:date>
    </item>
  </channel>
</rss>