maguiluzfr
Beginner

FMC/FTD and Rule Latency Thresholding.

Hi,

 

I have several ASAs converted to FTD, and I have enabled the latency rules 134:1 and 134:2, and I see several events generated.
I am not sure what happens to traffic once a rule is suspended. So, my question is:
If one rule is suspended because the latency threshold has been reached and the action for that rule is: allow, what would happen?
1. Traffic that should match that rule does not match because it is suspended, and goes to the Default Action because it does not match any other rule.
2. Traffic matches the rule, it is allowed, but it is not inspected.
3. None of the above.

 

Thanks,

Miguel

Accepted Solutions
Mohammed al Baqari
VIP Advisor

Hi,

The suspension will be for the Snort rules, not ACP rules. This means that
the packet will match the ACP rule and will be allowed (because your action
is allowed) but with no inspection. All other actions of the rule will be
applied as well (for example generate event at beginning, end, etc.).


**** please remember to rate useful posts.
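
Per the accepted answer above, an allow rule keeps passing traffic while the Snort rules are suspended, so the 134:1 and 134:2 events bound a period of reduced inspection. The following is an added example, not part of the original thread and not Cisco code, that turns those events into per-device suspension windows. It assumes 134:1 marks a suspension and 134:2 a re-enable; the comma-separated event format, device names and timestamps are constructed for illustration and are not an FMC export format.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: 134:1 marks a rule suspension and 134:2 a re-enable.
SUSPEND, RESUME = "134:1", "134:2"

# Constructed sample events (not a real FMC export): time, device, GID:SID.
SAMPLE = """\
2024-05-01T10:00:00,ftd-a,134:1
2024-05-01T10:00:04,ftd-a,134:1
2024-05-01T10:00:10,ftd-a,134:2
2024-05-01T10:00:30,ftd-a,134:2
2024-05-01T10:05:00,ftd-b,134:1
2024-05-01T10:06:00,ftd-a,1:1000001
"""

def suspension_windows(text):
    """Return {device: [(start, end_or_None), ...]} of reduced-inspection windows."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, sig = (f.strip() for f in line.split(","))
        if sig in (SUSPEND, RESUME):  # ignore ordinary intrusion events
            events.append((datetime.fromisoformat(ts), device, sig))
    events.sort(key=lambda e: e[0])

    depth = defaultdict(int)    # suspensions currently outstanding per device
    start = {}                  # when the current window opened per device
    windows = defaultdict(list)
    for ts, device, sig in events:
        if sig == SUSPEND:
            if depth[device] == 0:
                start[device] = ts
            depth[device] += 1
        elif depth[device] > 0:  # skip a re-enable with no recorded suspension
            depth[device] -= 1
            if depth[device] == 0:
                windows[device].append((start.pop(device), ts))
    for device, ts in start.items():  # still suspended when the data ends
        windows[device].append((ts, None))
    return dict(windows)

def suspended_seconds(windows):
    """Total seconds in closed windows per device; open windows are not counted."""
    return {d: sum((e - s).total_seconds() for s, e in w if e)
            for d, w in windows.items()}
```

Overlapping suspensions on one device are merged into a single window, and a window whose end is `None` means no re-enable event was seen in the data.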


2 REPLIES
Thanks Mohammed,

The documentation is not clear about that behavior. Do you have more information that explains that, besides the config guide?

Regards,
Miguel.