Frequent Contributor

Where to check if sourcefire is blocking IP

 

Hi Everyone,

In our environment we are frequently asked to check specific IP addresses to confirm whether Sourcefire is allowing the connection or not.

Need to confirm if Sourcefire DC is blocking any IP address; which is the best place to check?

Under Connection Events?

Or Security Intelligence events?

Regards

Mahesh

ACCEPTED SOLUTION
Hall of Fame Master

I'd look under "Analysis,

I'd look under "Analysis, Search"; make sure you specify a relevant time period for your search.

7 REPLIES

Frequent Contributor

Many thanks Marvin


Regards

Mahesh

Frequent Contributor

Re: I'd look under "Analysis,

Hi Marvin,

Can you please shed more light on this? All is in place and "sh service-policy sfr" shows some drops.
How can we find out more about them? I went to Analysis \ Search but there's a lot of stuff there....

Hall of Fame Master

Re: I'd look under "Analysis,

I usually right click on an "Allow" event and tell the FMC to exclude all events of that type. That pares down the list quite a bit. You can save that filter as an FMC bookmark as well.

Frequent Contributor

Re: I'd look under "Analysis,

I could spot a saved search named Dropped events as per the attachment - but this is a search within Intrusion Events.

What do you think?

Hall of Fame Master

Re: I'd look under "Analysis,

That's a predefined search and, as you noted, specific to Intrusion Events. I don't believe it would include drops due to Security Intelligence, URL Blacklist or other miscellaneous reasons.

I use one like this:

[Attachment: FMC - Connection Events NOT Allowed.PNG]


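To show what the "exclude Allow events" filter described above amounts to, here is an added Python example; it is not code from the thread or from Cisco. It reads a constructed FMC connection-event export, discards the actions under which traffic was passed, and reports what blocked a given IP. The column names (Action, Reason, Initiator IP, Responder IP, Security Intelligence Category) are assumed to match the FMC table view; the rows and addresses are invented.

```python
import csv
import io
from collections import Counter

# Constructed sample of an FMC connection-event export. The column names are
# assumed to match the FMC table view; rows and addresses are invented.
SAMPLE_EXPORT = """\
First Packet,Action,Reason,Initiator IP,Responder IP,Responder Port,Security Intelligence Category
2018-05-01 10:00:01,Allow,,10.1.1.20,203.0.113.10,443,
2018-05-01 10:00:02,Block,Intrusion Block,10.1.1.21,198.51.100.5,80,
2018-05-01 10:00:03,Block,IP Block,10.1.1.22,192.0.2.77,25,Malware
2018-05-01 10:00:04,Trust,,10.1.1.23,203.0.113.11,53,
2018-05-01 10:00:05,Block with reset,URL Block,10.1.1.21,198.51.100.9,80,
2018-05-01 10:00:06,Allow,,10.1.1.22,203.0.113.12,443,
"""

# Actions under which traffic was passed. "Allow" is what the reply above
# excludes; "Trust" also passes traffic (without deep inspection), so it is
# excluded here as well.
PASS_ACTIONS = {"Allow", "Trust"}


def load_events(text):
    """Parse a CSV export into a list of dicts, one per connection event."""
    return list(csv.DictReader(io.StringIO(text)))


def not_allowed(events):
    """Keep only events whose Action is not a pass action: the blocks."""
    return [e for e in events if e["Action"] not in PASS_ACTIONS]


def events_for_ip(events, ip):
    """Events in which the given address is initiator or responder."""
    return [e for e in events if ip in (e["Initiator IP"], e["Responder IP"])]


def summarize(events):
    """Count blocks by Action and Reason, and how many came from Security Intelligence."""
    return {
        "by_action": dict(Counter(e["Action"] for e in events)),
        "by_reason": dict(Counter(e["Reason"] or "(none)" for e in events)),
        "security_intelligence": sum(
            1 for e in events if e["Security Intelligence Category"]
        ),
    }


def check_ip(text, ip):
    """Answer the question in the thread: was this IP blocked, and why?"""
    blocked = not_allowed(load_events(text))
    hits = events_for_ip(blocked, ip)
    return {"blocked": bool(hits), "events": len(hits), "summary": summarize(hits)}


if __name__ == "__main__":
    for ip in ("10.1.1.21", "10.1.1.20"):
        print(ip, check_ip(SAMPLE_EXPORT, ip))
```

The Reason column is what separates an intrusion-policy block from a URL or Security Intelligence block, which is why filtering on Action alone and then reading Reason gives a fuller picture than the Intrusion Events table can.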
Re: Where to check if sourcefire is blocking IP

Hello,

I see the results below in the sh service-policy sfr command:

Global policy:
Service-policy: global_policy
Class-map: FIREPOWER-Class
SFR: card status Up, mode fail-open
packet input 2718995, packet output 2719028, drop 357, reset-drop 40

Where can I see the 357 drops in FMC?

Thank you
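As an added example, not from the thread or from Cisco, here is a Python parser for the "sh service-policy sfr" output quoted in the post above. It extracts the module status and packet counters and compares two polls, since the absolute counters only accumulate and a delta is what tells you whether the module is currently dropping anything. The first snapshot uses the exact numbers from the post; the second is invented to represent a later poll. Note the caveat the question itself raises: these are packet counters, while FMC connection events are per connection, so the two are not expected to match one for one.

```python
import re

# Constructed snapshots of "show service-policy sfr" output. The first carries
# the counters quoted in the post above; the second is invented to represent
# a later poll of the same ASA.
SNAPSHOT_T0 = """\
Global policy:
  Service-policy: global_policy
    Class-map: FIREPOWER-Class
      SFR: card status Up, mode fail-open
        packet input 2718995, packet output 2719028, drop 357, reset-drop 40
"""

SNAPSHOT_T1 = """\
Global policy:
  Service-policy: global_policy
    Class-map: FIREPOWER-Class
      SFR: card status Up, mode fail-open
        packet input 2719500, packet output 2719530, drop 361, reset-drop 40
"""

STATUS_RE = re.compile(r"SFR: card status (\S+), mode (\S+)")
COUNTER_RE = re.compile(
    r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)"
)


def parse_sfr(text):
    """Pull the SFR status line and packet counters out of the command output."""
    status = STATUS_RE.search(text)
    counters = COUNTER_RE.search(text)
    if not status or not counters:
        raise ValueError("SFR status or counter line not found in output")
    packet_in, packet_out, drop, reset_drop = (int(g) for g in counters.groups())
    return {
        "status": status.group(1),
        "mode": status.group(2),
        "input": packet_in,
        "output": packet_out,
        "drop": drop,
        "reset_drop": reset_drop,
    }


def delta(before, after):
    """Counter growth between two polls; the absolute values only accumulate."""
    return {k: after[k] - before[k] for k in ("input", "output", "drop", "reset_drop")}


def assess(before, after):
    """Summarize what changed between two polls and flag conditions worth a look."""
    d = delta(before, after)
    dropped = d["drop"] + d["reset_drop"]
    notes = []
    if after["status"] != "Up":
        notes.append("SFR module is not Up")
    if after["mode"] == "fail-open":
        notes.append("fail-open: traffic passes uninspected if the module is down")
    if dropped:
        notes.append(
            f"{dropped} packets counted as dropped in this interval; "
            "look for Block / Block with reset connection events in FMC"
        )
    return {
        "delta": d,
        "dropped": dropped,
        "drop_ratio": dropped / d["input"] if d["input"] else 0.0,
        "notes": notes,
    }


if __name__ == "__main__":
    print(assess(parse_sfr(SNAPSHOT_T0), parse_sfr(SNAPSHOT_T1)))
```

Polling this on a schedule and keeping only the deltas turns the counters into something you can correlate with the FMC connection-event search over the same time window.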