11-01-2020 06:16 AM
I have China geo-blocked, both as a source and destination (separate rules of course), yet still see Intrusion Event blocks for traffic originating in China. Is this working as designed? The intrusion event based block is based on a malware signature being matched, so is it possible traffic hits this filter first, but otherwise would get blocked via the geo-block policy? Just want to be sure this is working/configured properly and hoping I'm just not clear on the order of operations, so to speak. Thx,
11-01-2020 09:28 AM
Hi,
Yes, I agree it seems to be working. By default IPS isn't done before identifying traffic unless you have the option "Intrusion Policy used before Access Control rule is determined" set. In this case, IPS is done before ACP. This can be checked in the access control policy editor: click Advanced, then click edit next to the Network Analysis and Intrusion Policies section.
**** please remember to rate useful posts
11-01-2020 08:07 AM
11-01-2020 08:36 AM
Mohammed, thanks for the response!
I tried a more refined search (which I should have done in the first place) and can see blacklist, IPS, and I think geo based blocks for China.
For "Reason" I see "IP Block" associated with addresses included in my Global-Blacklist, then <blank> for events that look to be geo-blocked, and then "Intrusion Block" for those events IPS (signature-based) blocked. And, I am getting the source location of "China" from the event log.
I do have a scheduled task to update the Geo-DB, so that looks to be good and it is current.
So, maybe it all is working, and I just wasn't filtering properly. Do you know if the IPS is triggered before geo-blocking?
Thx,
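An added illustration, not part of any post in this thread: a small Python model of the order of operations the accepted answer describes (Security Intelligence blacklist, then either the "Intrusion Policy used before Access Control rule is determined" option or the access control rules, then the intrusion policy attached to the matching rule) and of the three "Reason" values the reply above lists ("IP Block", blank for geo-block, "Intrusion Block"). The pipeline ordering is a simplified model of what the answer states, and every IP address and event below is constructed for the example; none of it comes from the asker's deployment.

```python
"""Constructed model of how a China-sourced flow can end up logged as an
"Intrusion Block" instead of a geo-block, depending on whether the intrusion
policy runs before the access control rule is determined."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class ConnectionEvent:
    src_ip: str
    src_country: str
    dst_country: str
    ips_match: bool  # constructed flag: payload matched an intrusion rule


# Assumed policy objects for the example (addresses are RFC 5737 test ranges).
GLOBAL_BLACKLIST = {"203.0.113.7"}
GEO_BLOCKED_COUNTRIES = {"China"}


def evaluate(ev: ConnectionEvent, ips_before_acp: bool = False):
    """Return (action, reason) using the "Reason" strings the thread reports.

    Simplified ordering assumed for this example:
      1. Security Intelligence blacklist is checked first -> "IP Block".
      2. If the advanced option is set, the intrusion policy runs before the
         access control rule is determined -> "Intrusion Block".
      3. Access control rules, including the source/destination geo-block
         rules -> blank reason.
      4. Traffic allowed by a rule is inspected by that rule's intrusion
         policy -> "Intrusion Block".
    """
    if ev.src_ip in GLOBAL_BLACKLIST:
        return ("Block", "IP Block")
    if ips_before_acp and ev.ips_match:
        return ("Block", "Intrusion Block")
    if ev.src_country in GEO_BLOCKED_COUNTRIES or ev.dst_country in GEO_BLOCKED_COUNTRIES:
        return ("Block", "")
    if ev.ips_match:
        return ("Block", "Intrusion Block")
    return ("Allow", "")


def reasons_by_country(events, ips_before_acp: bool) -> dict:
    """Count events per (source country, reason), the filter the asker used."""
    counts = Counter()
    for ev in events:
        _, reason = evaluate(ev, ips_before_acp)
        counts[(ev.src_country, reason or "<blank>")] += 1
    return dict(counts)


# Constructed sample events: one blacklisted host, two China-sourced flows
# (one carrying a signature match), and one benign domestic flow.
SAMPLE_EVENTS = [
    ConnectionEvent("203.0.113.7", "China", "US", ips_match=True),
    ConnectionEvent("198.51.100.5", "China", "US", ips_match=True),
    ConnectionEvent("198.51.100.9", "China", "US", ips_match=False),
    ConnectionEvent("192.0.2.9", "US", "US", ips_match=False),
]


if __name__ == "__main__":
    for setting in (False, True):
        print(f"IPS before ACP = {setting}:")
        for key, n in sorted(reasons_by_country(SAMPLE_EVENTS, setting).items()):
            print(f"  {key[0]:6} {key[1]:16} {n}")
```

With the option off, the China-sourced flow that also matches a signature is logged with a blank reason (the geo-block rule wins); with the option on, the same flow is logged as "Intrusion Block", which is the pattern the original question describes. The blacklisted host is logged as "IP Block" either way.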