Migrating from 5505 to 5506-X and trying to set up FirePower. Have a full license, currently IPS and AMP in use.
I get logging events from:
- Blacklisted IP - security intelligence field
- Malware detection
But I can see no "intrusion prevention" (snort) events, although "balanced security and connectivity" policy is applied and logging is switched on.
Anything more I need to do? Any suggestions on how to test the IPS rules?
I did try to use the EICAR file. With IPS enabled it never reached the AMP detection; with IPS switched off, AMP caught and logged the EICAR file.
So it seems the IPS rules are working, but there is no logging?
/Mats