FTD / FMC - "Snort - Denied Flows"

brettp · ‎05-28-2025

Hello, I can not find an answer to this anywhere online. It would seem self-explanatory, but apparently it's not. What encompasses the "Snort - Denied Flows" that can be seen for the FTD in FMC's Health Monitor? The numbers I am seeing in the "Snort - Denied Flow" section do not match the number of IPS/SI blocks logged. In fact, the are no IPS rule or SI blocks happening (and I am somewhat certain of this because I log them all) but the Snort - Denied Flow stats go up and down all day. What other events contribute to Snort denied flows that would be show on this graph? Any insight is appreciated. Thanks!

ivanzrv · ‎05-28-2025

You are correct - I have asked myself the same question. To me it looks like all that is blocked by ACL is also reported blocked by Snort - especially if you have GeoBlock( after the Geolocation block is activated all ACLs (below the GeoBlock ACL) have no hit counts as they are Snort blocked).

It will be interesting to find out more about this behavior?

brettp · ‎06-12-2025

@ivanzrv Thank you for that idea. I had not considered geoblocks so you might be on to something. Unfortunately, it seems no one knows of sure!

MHM Cisco World · ‎06-21-2025

Are you sure there are no SI config at all?

MHM

brettp · ‎06-23-2025

Well, there are, but they don’t match the numbers on the graph. I’m pulling random numbers out of a hat here, but for instance, there might be 10 SI blocks in one hour during one day and no IPS rule blocks, but that graph would be going up and down all day and would show 50 blocks for the day. The graph does not match what is happening, unless other things are included in those values.