FMC - Intrusion event passes instead of drop

hash2k2
Level 1

Hi,

This morning I found in my FMC that some intrusion events are shown as "pass" instead of being dropped.

I find this in my FMC under Analysis -> Intrusion Events -> Table view.

example:

2022-02-26 06:45:38 | low | Pass | xx.xx.xx.xx (USA) -> xx.xx.xx.xx (USA) | 3200 / tcp -> 80 (http) / tcp | HI_CLIENT_IIS_UNICODE (119:7:1) | Unknown Traffic | HTTP Inspection Preprocessor

This happened for different events and different target machines.

 

I am running FMC 7.1.0

VDB is 351

 

Is that normal behavior? I have not seen this in the event table before, but I am not that into the FMC at the moment...

4 Replies

hurricane05
Level 1

Was there a custom IPS rule created from one of the Cisco default rulesets and configured as a Pass for valid traffic? I normally do this for different signatures where I want Snort to pass traffic for some of our internal host communications. Just a thought.

Marvin Rhoads
Hall of Fame

Check the rule allowing the traffic in the first place. Does it have the Intrusion Policy specified in it?

For every service reachable from external sources I have created its own intrusion policy. Then I created access policies for every server saying any -> dmz server and added that specific IPS policy. So there is no entry without an IPS policy with allow.
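One way to triage a thread like this before walking through every access control rule by hand: export the intrusion event table view and find rules that the sensor both passed and dropped, then list the destinations that saw a Pass so each one can be traced back to the access control rule it matched and that rule's intrusion policy (or to a Pass rule overriding the signature). This is an added example, not code from the thread or from Cisco; the CSV column names and the sample rows are constructed, with the first row modelled on the event in the post.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the layout of an FMC "Analysis -> Intrusion Events -> Table view"
# CSV export. The column names are assumed, not copied from a real export; the first row
# mirrors the event from the post, with RFC 5737 documentation addresses substituted.
SAMPLE_EXPORT = """\
Time,Priority,Inline Result,Source IP,Destination IP,Source Port / ICMP Type,Destination Port / ICMP Code,Message,Classification,Generator
2022-02-26 06:45:38,low,Pass,192.0.2.10,198.51.100.5,3200 / tcp,80 (http) / tcp,HI_CLIENT_IIS_UNICODE (119:7:1),Unknown Traffic,HTTP Inspection Preprocessor
2022-02-26 06:47:02,low,Dropped,192.0.2.11,198.51.100.6,41000 / tcp,80 (http) / tcp,HI_CLIENT_IIS_UNICODE (119:7:1),Unknown Traffic,HTTP Inspection Preprocessor
2022-02-26 06:49:15,low,Pass,192.0.2.12,198.51.100.5,52000 / tcp,80 (http) / tcp,HI_CLIENT_IIS_UNICODE (119:7:1),Unknown Traffic,HTTP Inspection Preprocessor
2022-02-26 06:51:30,high,Dropped,192.0.2.13,198.51.100.7,3310 / tcp,443 (https) / tcp,LOCAL_PLACEHOLDER_RULE (1:1000001:1),Web Application Attack,Standard Text Rule
"""

RULE_ID = re.compile(r"\((\d+:\d+:\d+)\)\s*$")  # trailing "(gid:sid:rev)" in the Message column

def parse_events(text):
    """Read the CSV export into a list of dicts, one per intrusion event."""
    return list(csv.DictReader(io.StringIO(text)))

def rule_id(message):
    """Extract 'gid:sid:rev' from a Message such as 'HI_CLIENT_IIS_UNICODE (119:7:1)'."""
    m = RULE_ID.search(message)
    return m.group(1) if m else None

def summarize_by_rule(events):
    """Count inline results per rule and record which destinations saw a Pass."""
    summary = defaultdict(lambda: {"results": defaultdict(int), "pass_destinations": set()})
    for ev in events:
        rid = rule_id(ev["Message"])
        result = ev["Inline Result"].strip() or "(none)"
        summary[rid]["results"][result] += 1
        if result == "Pass":
            summary[rid]["pass_destinations"].add(ev["Destination IP"])
    return summary

def inconsistent_rules(summary):
    """Rules seen both as Pass and Dropped: enforcement differs per flow, so each Pass
    destination should be traced to the access control rule it matched and that rule's
    intrusion policy checked (and a Pass rule overriding the signature ruled out)."""
    return sorted(r for r, s in summary.items()
                  if s["results"].get("Pass") and s["results"].get("Dropped"))

if __name__ == "__main__":
    summary = summarize_by_rule(parse_events(SAMPLE_EXPORT))
    for rid in inconsistent_rules(summary):
        print(rid, dict(summary[rid]["results"]), "Pass to:", sorted(summary[rid]["pass_destinations"]))
```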
