08-21-2015 07:29 AM - edited 03-10-2019 06:26 AM
Hello,
Among the numerous and useful menus/options available under FireSIGHT (used to manage Firepower IPS embedded in ASA firewalls), is there one that allows displaying the list of detected intrusions that have been blocked by the Firepower?
Thanks for any feedback.
09-16-2015 12:38 PM
Yes, you can. Go to Analysis > Intrusions > Events > Edit Search. This will load a new window, and in there you can see a field called "Inline Result". There you can set the result to "dropped", "would have dropped", etc. You can save this search and use it later.
Thank you for rating helpful posts!
08-29-2016 04:48 AM
What is the difference between "dropped" and "would have dropped"?
08-29-2016 06:46 AM
"would have dropped" applies when a policy is monitor only (IDS) or when the module is not inline (e.g. on a span port) and thus incapable of telling the network or parent device to drop the connection.
08-29-2016 10:23 PM
Thanks Marvin for the response and clarification.
05-16-2018 08:07 AM
Just adding a quick question: in my search for intrusion events I see a blank in Inline Result, like no action. What could be the reason for this? And how could I figure out whether the event was dropped or passed, etc.?
Thanks