
FirePower module - logging of IPS (snort) events

ramnefors
Level 1

Migrating from 5505 to 5506-X and trying to set up FirePower. Have a full license, currently IPS and AMP in use.

I get logging events from:

- Blacklisted IP - security intelligence field

- Malware detection

But I can see no "intrusion prevention" (snort) events, although the "balanced security and connectivity" policy is applied and logging is switched on.

Anything more I need to do? Any suggestions on how to test the IPS rules?

I did try to use the EICAR file. With IPS enabled it never reached the AMP detection, with IPS switched off AMP caught and logged the EICAR file.

So it seems the IPS rules are working, but there is no logging?

/Mats

1 Reply

miculp
Cisco Employee

Hi Mats,

When you say you've applied the intrusion policy, did you select this policy in the "inspection" tab of the rule(s) in your access control policy? Or do you have the default action of your access control policy to be your intrusion policy?
