Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1125
Views
10
Helpful
1
Replies

IPS Event Showing "would have dropped" as inline result

MSJ1
Level 1
Level 1

‎01-26-2022 10:21 AM - edited ‎01-26-2022 10:22 AM

I observed whenever “Inline Result” generated “would have dropped” action , traffic processed by the IPS Policy ( INTPOL-01v1 from the Image ) which is called at Advanced Section of Actual Policy ( Perim-01 1st Image ). 

 

Even though  “Drop when inline” action is “No” for this IPS Policy ( INTPOL-01v1 ) that means even though individual signature action is “Drop and Generate Events” it will not DROP Traffic. ?

 

However at each rule,  IPS Policy Perim-01 is called and its “Drop when InLine” Action is YES and specific signature is “Drop and Generate Events” so ultimately when IPS Policy at each Rule is Processed this same traffic is Blocked  ? for the Log/traffic which showed "would have dropped" . 

 

Image1.jpgImage2.jpg

Labels:
0 Helpful
1 Reply 1

Jason Maynard
Cisco Employee
Cisco Employee

‎01-28-2022 05:49 PM - edited ‎01-28-2022 05:50 PM

When you select “No” to drop when inline the results regardless of the settings enabled for the rule is NOT to drop the traffic - hence the message would have dropped. This effectively turns the policy into an IDS based policy. If the intention is to drop traffic you need to select “yes” to drop when inline - this effectively turns the policy into an IPS based policy. 

Customers Also Viewed These Support Documents