How to block PSNG_TCP_PORTSCAN (122:1:1) on FTD using FMC

Hi,

I have two FTD 2140s (version 6.3.0) managed by FMC 6.4.0.4 (build 34).

I have several port scan (PSNG_TCP_PORTSCAN (122:1:1)) intrusion events and I have tried to block them using the IPS rules (drop and generate events for this attack), the NAP policy (enabling the portscan preprocessor) and an ACP (activating the NAP policy and applying the IPS policy to the correct rule), but I still get "Would have dropped" as the inline result, so they are recognized but not blocked.

So my question is, has anybody managed to block a port scan attack on FMC?

Best regards,

Juan Pablo

1 Reply

manabans
Cisco Employee

In a passive deployment, the system does not drop packets, including when an inline interface is in tap mode, regardless of the rule state or the inline drop behavior of the intrusion policy.

IPS would have dropped the packet if you enabled the Drop when Inline intrusion policy option (in an inline deployment).
Reference Table "Inline Result Field Contents in Workflow and Table Views":
https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/working_with_intrusion_events.html
