Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
936
Views
5
Helpful
3
Replies

Firepower IPS

ccna_security
Level 3
Level 3

‎02-26-2019 12:07 AM

Hi. I recently set IPS on firepower but portscan detection catche traffic from Domain controller to host device that is used to watch cameras. I dont understand what kind of traffic is it to trigger protscan detection. What could be send from domain controller to hosts that trigger portscan rule.? Moreover i observed that the traffic destined to port 135. but again i didnt understand which traffic uses 135 that cause this issue. please help me as sson as possible. thanks in advance

Labels:
0 Helpful
3 Replies 3

Abheesh Kumar
VIP Alumni
VIP Alumni

‎02-26-2019 01:57 AM

Hi, You need to specify correct variable set to detect the network in you environment. You need to specify Home_Net & External_Net.
0 Helpful

ccna_security
Level 3
Level 3
In response to Abheesh Kumar

‎02-26-2019 02:02 AM

hi. i have already specified my private network on variable set. Firepower is internal and i added only private ranges that i use into variable set. i use 172.16.0.0 192.168.0.0 private range. But server on 172.16.0.1(for example) request 192.168.10.1 host. Portscan then detect as if there is anomaly occurs.

0 Helpful

Sheraz.Salim
VIP
VIP

‎02-27-2019 03:53 AM

it could be a false positive. you can change the rules going into a snort rule and change according to your requirements.

please do not forget to rate.
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card