Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1171
Views
0
Helpful
0
Replies

Firepower Appliance 8350 Monitor MODE - Signatures not firing/alerting

donovan.chetty
Level 1
Level 1

‎11-29-2017 12:31 PM - edited ‎02-21-2020 06:52 AM

Hi,

 

We have a FirePower 8350 appliance configured for IPS "monitor-mode" or IDS mode. The FirePower appliance connects directly to our Nexus 9k core switches. We have SPAN configured on this core switches to send a copy of the traffic to the FirePower for processing.

 

We are seeing connection events on the on the FMC dashboard, however no IPS signaturing are firing or alerting (good thing). We tried to simulate a test attack using an FTP connection - again seeing the connection event, but not the signature alerting. We did confirm that the test signature does indeed work on another SFR module deployment.

 

Will the FP 8350 appliance in passive mode still process the traffic and alert on the signature seeing that is only receives the traffic one way. What I am getting at is - SPAN in the Nexus 9k only processes RX traffic on a VLAN interface (source {interface type [rx | tx | both] | vlan {number | range} [rx]} ). Will this in any way prevent the signature from alerting?

 

 

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card