06-27-2016 08:46 AM - edited 03-10-2019 06:38 AM
I am seeing a strange issue with my FireSIGHT URL filtering setup.
I am seeing an intrusion block for a website that is matching an allow rule.
Also, the intrusion policy rule that is being matched is disabled.
How is that possible?
06-27-2016 09:51 AM
Tejas,
Could you add more information about the problem? Please add some screenshots from the connection events, and a screenshot of your Access Control Policy, in order to understand the issue and the way the traffic is being analyzed by the Firewall Engine.
06-27-2016 10:01 AM
06-27-2016 12:23 PM
Tejas,
The problem is not the object you created to allow the URL. Basically, your last line of defense (Intrusion Policy) has detected some anomalous content in that specific connection and now you have to confirm if it is a false positive or not.
In order to identify the rule this connection hits, go to the intrusion events and filter it by initiator IP and then download the capture for that event.
To confirm if it is a FP or FN, please open a case with TAC by referencing the GID you are matching, and submitting the capture retrieved previously.
06-28-2016 10:21 PM
Hello Tejas,
Have you verified if this blocked Intrusion rule is called in the Advanced option of the Access Control policy rule?
Policies > Access Control > Click on Edit button > Advanced
Verify if the Intrusion policy is not called here.
Regards
Jetsy
06-29-2016 05:00 AM
The problem is the rule being referenced is actually disabled in the intrusion policy.
It is not set to drop.
That's why it is surprising that I am seeing an intrusion block.