https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915185#M43833 <P>the problem is the rule being referenced is actually disabled in the intrusion policy.</P> <P></P> <P>it is not set to drop.</P> <P></P> <P>thats why is surprising that i am seeing an intrusion block</P> Wed, 29 Jun 2016 12:00:54 GMT Tejas Kunte 2016-06-29T12:00:54Z https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915180#M43828 <P>i am seeing a strange issue with my firesight URL filtering setup</P> <P></P> <P>am seeing an intrusion block for website that is matching an allow rule</P> <P></P> <P>also the intrusion policy rule that is being matched is disabled.</P> <P></P> <P>how is that possible ?</P> Sun, 10 Mar 2019 13:38:08 GMT https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915180#M43828 Tejas Kunte 2019-03-10T13:38:08Z https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915181#M43829 <P>Tejas,<BR /><BR />Could you add more information about the problem? Please add some screenshots from the connection events, and screenshot of your Access control Policy in order to understand the issue and the way the traffic is being analyzed by the Firewall Engine.<BR /><BR /><BR /></P> Mon, 27 Jun 2016 16:51:56 GMT https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915181#M43829 Andres Vega 2016-06-27T16:51:56Z https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915182#M43830 <P>as you can see from the screenshot the access policy being matched in my URL whitelist which allows all traffic, yet traffic is being blocked&nbsp;</P> Mon, 27 Jun 2016 17:01:03 GMT https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915182#M43830 Tejas Kunte 2016-06-27T17:01:03Z https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915183#M43831 <P>Tejas,<BR /><BR />The problem is not the object you created to allow the URL. Basically, your last line of defense (Intrusion Policy) has detected some anomalous content in that specific connection and now you have to confirm if it is a false positive or not.<BR /><BR />In order to identify the rule this connection hits, go to the intrusion events and filter it by initiator IP and then download the capture for that event.<BR /><BR />To confirm if it is a FP or FN, please open a case with TAC by referencing the GID you are matching, and submitting the capture retrieved previously.&nbsp;</P> Mon, 27 Jun 2016 19:23:27 GMT https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915183#M43831 Andres Vega 2016-06-27T19:23:27Z https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915184#M43832 <P>Hello Tejas,</P> <P>Have you verified if this blocked Intrusion rule is called in the Advanced option of Access control policy rule ?</P> <P>Policies &gt; Access Control &gt; Click on Edit button &gt; Advanced&nbsp;</P> <P>Verify if the Intrusion policy is not called here.</P> <P>Regards</P> <P>Jetsy&nbsp;</P> Wed, 29 Jun 2016 05:21:57 GMT https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915184#M43832 Jetsy Mathew 2016-06-29T05:21:57Z https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915185#M43833 <P>the problem is the rule being referenced is actually disabled in the intrusion policy.</P> <P></P> <P>it is not set to drop.</P> <P></P> <P>thats why is surprising that i am seeing an intrusion block</P> Wed, 29 Jun 2016 12:00:54 GMT https://community.cisco.com/t5/network-security/firesight-intrusion-block/m-p/2915185#M43833 Tejas Kunte 2016-06-29T12:00:54Z