locality in alerts not usable with CSM

mhellman
Level 7

Been a while since I've looked at this stuff, so hopefully I don't butcher the terminology too bad. Back in the old days, we defined event action filter variables and policies directly on an IPS sensor. These two items provided overlapping functionality. The variables could be used in event action filters, but were also used to provide the locality value in alerts (e.g. IN, OUT, WHATEVER). With CSM, it appears you define network objects to enable the use of variables in the event action filters... but they don't appear on a sensor unless the policy uses them? So this begs the question... how do you get the functionality of the old event filter variables when using CSM? How can we get the alerts to contain useful locality information for the source and destination addresses?

2 Replies

mhellman
Level 7

BUMP.  Anyone?  Is there a way in CSM to push down these variables independent from the event action filters so that the locality reflects some meaningful network description?

one more bump
