Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
780
Views
0
Helpful
5
Replies

Blocking on a Router

siscisco05
Level 1
Level 1

‎06-26-2007 11:58 AM - edited ‎03-10-2019 03:40 AM

I have enabled blocking on a router to fire when a certain sig fires. this has been working for a while, I can see the ACL on the router with the host being denied access,so I know that it has been working. The sig fired today and the host was added to the ACL on the router - so it should be blocked, right? After I verified that the host was added to the ACL on the router and through the IDM I still receive e-mails on this sig firing with the same host that was supposedly blocked when it first came in. Does the IPS still log events if though the attacker is being blocked?

Labels:
0 Helpful
5 Replies 5

vitripat
Level 7
Level 7

‎06-26-2007 12:06 PM

As long as IPS is recieving the offending traffic causing a signature to trigger, an event will be generated. However, if the router is infront of IPS and should block the offending traffic before it reaches IPS, then events should not be triggered.

Hope this helps.

Regards,

Vibhor.

0 Helpful

jlively
Cisco Employee
Cisco Employee
In response to vitripat

‎06-26-2007 12:30 PM

If it is in front of the router, you should see events where the sig will fire. You should NOT see any more events from ARC saying it has successfully added a block to the router. If you look at idm/monitoring, you should see the block time being reset back to default every time the sig fires.

0 Helpful

siscisco05
Level 1
Level 1
In response to vitripat

‎06-26-2007 01:44 PM

The router is in front of the IPS. what can I do to troubleshoot where the fault is?

Thanks for your help.

0 Helpful

attmidsteam
Level 1
Level 1

‎06-26-2007 12:11 PM

How long after did they occur? It takes a small amount of time to re-write the ACL so there is a window of time where one event could fire a block-host event, but more events pass through before the ACL becomes active.

0 Helpful

siscisco05
Level 1
Level 1
In response to attmidsteam

‎06-27-2007 09:01 AM

Once the host was added to the ACL I was receiving alerts 10-20 minutes after the fact.

When you setup a router for the IPS to manage and you put in all of the login, IP and ACL info. Is there anything you have to do to make the ACL active on the router to deny or allow traffic? The only thing that I can think of is to assign it to an interface on the router but that was done when setting up the blocking device through IDM right?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card