05-20-2020 10:23 AM
Hi,
When checking the Firepower dashboard, I saw a number of connection events that should have been dropped showing as "would have been dropped", indicating the packets were allowed to flow when they shouldn't have. I'll attach screenshots of a few of these. Can anyone explain why this behavior is happening? Any assistance will be appreciated.
Thanks,
05-20-2020 12:10 PM
Hello Quintin,
The screenshot you are showing of the packet view is associated with an Intrusion event (aka IPS event). In your particular example, the traffic in question is matching the signature 1:53598:2 (gid:sid:rev).
The "would have dropped" action is generally evidence of an Intrusion policy that does not have the "Drop when Inline" setting configured, or of the sensor being connected to a "passive" interface (such as a SPAN port from a switch to a single interface on the FTD). Check your configured Intrusion policies (Policies -> Intrusion) and take a look at the "Drop when Inline" setting. Here is what mine looks like:
I hope it helps!
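As an added example (not from this thread or from Cisco), here is a small triage script that groups exported intrusion events by Snort rule (gid:sid:rev) and lists the rules that are producing "Would have dropped" results, which is the quickest way to see which rules are matching without being enforced. The event rows and their column layout are constructed for the example and are not the real FMC export schema.

```python
import re
from collections import Counter, defaultdict

# Constructed sample rows: timestamp, gid:sid:rev, inline result, src, dst.
# The column layout is an assumption for this example, not the FMC export format.
# Note rule 1:53598:2 shows both results: that pattern is typical when the same
# rule fires on an inline interface and on a passive/SPAN interface.
SAMPLE_EVENTS = """\
2020-05-20 10:01:12,1:53598:2,Would have dropped,10.1.1.5,203.0.113.7
2020-05-20 10:02:40,1:53598:2,Would have dropped,10.1.1.9,203.0.113.7
2020-05-20 10:03:03,1:2100498:17,Dropped,10.1.2.3,198.51.100.4
2020-05-20 10:04:55,1:53598:2,Dropped,10.1.1.5,203.0.113.8
2020-05-20 10:05:10,3:19187:8,Would have dropped,10.1.3.1,192.0.2.9
"""

RULE_RE = re.compile(r"^(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)$")


def parse_events(text):
    """Yield (rule, inline_result) pairs from the constructed rows."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, rule, inline_result, _src, _dst = line.split(",")
        if not RULE_RE.match(rule):
            raise ValueError(f"bad gid:sid:rev value: {rule!r}")
        yield rule, inline_result.strip()


def summarize(text):
    """Count inline results per rule.

    'Would have dropped' means the rule matched but the packet was still
    forwarded: the policy lacks 'Drop when Inline' or the interface is passive.
    """
    per_rule = defaultdict(Counter)
    for rule, result in parse_events(text):
        per_rule[rule][result] += 1
    return per_rule


def not_enforced(per_rule):
    """Rules with at least one 'Would have dropped' event, sorted for review."""
    return sorted(r for r, c in per_rule.items() if c["Would have dropped"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for rule in not_enforced(summary):
        print(rule, dict(summary[rule]))
```

A rule that appears in both "Dropped" and "Would have dropped" counts usually points at the interface mode rather than the policy setting, so check the interface set for the affected sensor before changing the policy.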