Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2687
Views
0
Helpful
5
Replies

FireSight : How to display the list of Blocked Intrusions

Go to solution
guillerm
Level 1
Level 1

‎08-21-2015 07:29 AM - edited ‎03-10-2019 06:26 AM

Hello,

among the numerous and useful menus/options available under FireSight (used to manage Firepower IPS embedded in ASA Firewalls), is there 1  that allows  to display the list of detected intrusions that have been blocked by the Firepower ?

 

thanks for any feedback

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎09-16-2015 12:38 PM

Yes you can. Go to Analysis > Intrusions > Events > Edit Search. This will load a new window and in there you can see a field called "Inline Result." There you can set the result to "dropped, would have dropped, etc" You can save this search and use it later. 

 

Thank you for rating helpful posts!

View solution in original post

0 Helpful
5 Replies 5

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎09-16-2015 12:38 PM

Yes you can. Go to Analysis > Intrusions > Events > Edit Search. This will load a new window and in there you can see a field called "Inline Result." There you can set the result to "dropped, would have dropped, etc" You can save this search and use it later. 

 

Thank you for rating helpful posts!

0 Helpful

Go to solution
zakameeri
Level 1
Level 1
In response to nspasov

‎08-29-2016 04:48 AM

what is the difference between dropped and would have dropped?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to zakameeri

‎08-29-2016 06:46 AM

"would have dropped" applies when a policy is monitor only (IDS) or when the module is not inline (e.g. on a span port) and thus incapable of telling the network or parent device to drop the connection.

0 Helpful

Go to solution
zakameeri
Level 1
Level 1
In response to Marvin Rhoads

‎08-29-2016 10:23 PM

Thanks Marvin for the response and clarification.

0 Helpful

Go to solution
pro_engineering
Level 1
Level 1
In response to zakameeri

‎05-16-2018 08:07 AM

Just adding quick question, in my search for intrusion event i see Blank in Inline Result, like no action. What could be the reason for this? And how could i figure it out that event was dropped or passed. etc.

 

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card