01-27-2018 11:35 AM - edited 02-21-2020 07:13 AM
When I look at connection events the Reason field is always blank. Is there anyway to correlate this with a line in the Access Control policy? If not what is the field for and how may I use it?
Thanks,
Kirk
01-30-2018 07:48 AM
Typically we only see a reason for a block. Allow events don't show one.
You can always use packet tracer (in 6.2+) to see exactly what ACP rule is hit.
01-30-2018 12:39 PM
Even blocks are showing as blank.
01-30-2018 11:39 PM
Hi Kirk,
Can you please let me know where I can find the Reason column for comparison purposes? I am using IME 7.2.7.
01-31-2018 07:30 AM
Sorry - I incorrectly assumed you were using the current product, not the old IPS. That one is almost end of life.
I don't recall off the top of my head how or if you can see block reason on that in near real time. I know it should be a reportable item.
01-31-2018 07:59 AM
I might be a little out of date but I'm using the FMC with 6.2.0.1 software version. So it should be fairly well supported for a long time.
I have just noticed that so far two Reasons have populated the Reason field in the last 48 hours: IP Block and DNS Block. Both are blocked by Security Intelligence categories, not by Access Control Policies.
So I think my understanding of the reason column was flawed. It seems like it is only used when the reason for blocking is outside of the Access Control Policies.
Thoughts?
01-31-2018 09:32 AM - edited 01-31-2018 09:35 AM
Sorry - Denison hijacked your thread and asked about IME (IPS Manager Express). I didn't notice the changed username when I replied to his question.
Regarding events in FMC, you are correct about the column labeled "Reason". It is a bit misleading since it will only ever show "IP Block, IP Monitor, or User Bypass" - i.e. the Security Intelligence reasons.
However when you are blocked (or allowed) the relevant Access Control Policy and Rule still shows up in the table view of connection events. It is in a column that is by default off to the right and you normally need to scroll horizontally to see it (awful user interface design I know).
You can customize the view or make a report to move those columns over. See the Table View section in my example report snippet below - I created a rule in my Lab ACP policy to block Facebook and then tried to access it and was duly blocked. The report shows which policy and rule I encountered.
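The answer above boils down to two columns that have to be read together: Reason, which is populated only for Security Intelligence verdicts, and Access Control Policy / Access Control Rule, which carry the rule for every other event. The script below is an added example, not something posted in this thread or shipped with FMC; it loads a table-view CSV export of connection events and groups the blocks by what actually produced them. The column headers ("Action", "Reason", "Access Control Policy", "Access Control Rule") are an assumption about the export format, and the event rows are constructed sample data that mirror the cases discussed in the thread (an ACP rule blocking Facebook, plus IP Block and DNS Block from Security Intelligence).

```python
"""Added example (not from the original thread or from Cisco): tabulate
exported FMC connection events so that the Access Control policy and rule
are shown next to the (mostly empty) Reason column.

Assumptions, not stated on the page: the export is the CSV produced from the
connection-event table view, with headers "Action", "Reason",
"Access Control Policy" and "Access Control Rule". The rows in SAMPLE_CSV
are constructed sample data, not real events.
"""
import csv
import io
from collections import Counter

# Constructed sample export. Reason is empty for rule-based verdicts and is
# only populated for the Security Intelligence cases, as described in the thread.
SAMPLE_CSV = """\
First Packet,Action,Reason,Initiator IP,Responder IP,Access Control Policy,Access Control Rule
2018-01-31 08:01:12,Block,,10.0.0.21,203.0.113.10,Lab ACP,Block Facebook
2018-01-31 08:02:45,Allow,,10.0.0.21,198.51.100.7,Lab ACP,Default Action
2018-01-31 08:03:09,Block,IP Block,10.0.0.33,192.0.2.44,Lab ACP,Default Action
2018-01-31 08:04:51,Block,DNS Block,10.0.0.33,192.0.2.53,Lab ACP,Default Action
2018-01-31 08:05:30,Block,,10.0.0.40,203.0.113.10,Lab ACP,Block Facebook
"""


def load_events(text):
    """Parse the CSV export into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def decision_source(event):
    """Classify what produced the verdict for one connection event.

    A populated Reason means Security Intelligence produced the verdict; an
    empty Reason means the named Access Control policy and rule did, which is
    the behaviour the thread describes.
    """
    reason = (event.get("Reason") or "").strip()
    if reason:
        return ("Security Intelligence", reason)
    policy = event["Access Control Policy"]
    rule = event["Access Control Rule"]
    return ("Access Control", f"{policy} / {rule}")


def summarize(events):
    """Count (Action, source, detail) triples so blocks group by their cause."""
    return Counter((e["Action"],) + decision_source(e) for e in events)


def rule_hits(events, rule_name):
    """Return the events whose verdict came from a specific Access Control rule."""
    return [e for e in events if e["Access Control Rule"] == rule_name]


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    for key, n in sorted(summarize(evs).items()):
        print(f"{n:3d}  {key[0]:<5} {key[1]:<22} {key[2]}")
```

Run against a real export, the summary gives the per-rule block counts without scrolling the table view sideways; an event with both an empty Reason and a rule name you did not expect to block is the one worth tracing with packet tracer, as suggested earlier in the thread.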