01-30-2024 12:57 PM
Please help me understand the following scenario.
I have an L7 application block rule in the FMC, yet in the CLI that rule doesn't show a block and shows quite a few hits.
Then if I look at another rule in the FMC that I have set up with a block and compare that CLI output, you can see there is a deny in the statement with a hit count of zero.
Thanks,
01-30-2024 02:54 PM
What you see in the CLI is the LINA access rule. In the first access rule, where you are blocking Bittorrent, the inspection and eventual drop will be done in SNORT; therefore the LINA needs to permit the traffic so it will be forwarded to SNORT.
In the second access rule you are blocking all traffic, and therefore there is no need for traffic to go to SNORT and it will be dropped on LINA.
01-30-2024 03:15 PM - edited 01-30-2024 03:17 PM
If the IPs are for the same traffic, then:
The first policy makes the traffic pass ACP L3/L4 and forwards it to Snort for inspection.
The second makes the traffic (the same one) get inspected by ACP L7 in Snort.
MHM