05-24-2016 04:33 PM - edited 03-12-2019 06:01 AM
Hi, I have email alerting working but want to only receive emails for my Corporate Subnets and not my Free Wifi Subnets.
How can I achieve this?
05-24-2016 05:33 PM
Also can you configure different HTTP responses based on different subnets behind a managed device?
05-29-2016 11:16 PM
Hi Evan,
After adding suppression, you have to commit the policy and then deploy it again.
For the HTTP response issue, unfortunately there is no option for different HTTP responses, as this is a global setting under Policy->advanced.
Rate if it helps.
Thanks,
Ankita
06-02-2016 02:06 PM
I still don't feel that adding suppression rules is the way forward, especially since suppression rules cannot deal with objects. I'm wondering if this is a feature request, as correlation rules don't seem to handle objects either.
The significance of this is that if I have a large number of /22 sites to suppress for, I have to enter each one individually. Also, rather than having to create suppression rules for each ID that gets triggered, why not enable a feature to globally create Alert Ignores?
08-03-2016 05:39 PM
Update:
A feature request has been raised. My workaround:
Turn off all email alerting, via Policy>Alerts
Then apply a correlation rule:
if "intrusion event takes place"
and source ip 'is not in' x.x.x.x/22 (network I want to protect and never hear about)
and source ip 'is not in' x.x.x.x/22 (network I want to protect and never hear about)
etc
etc
04-23-2018 11:29 AM
I know the thread is a couple years old. I have the same need and wondering what is the best way to accomplish. If need be I can open a case with TAC. Thanks.
05-29-2016 03:30 PM
An update to this. I've tried adding a suppression rule in my IPS policy. I chose the ever so popular event ID of 28039, which makes Sourcefire generate an event when a person performs a DNS request to a .pw domain.
I added a suppression rule with a source subnet of my Free Wifi. However, I still receive email alerts when an IP in this range browses to a .pw domain.
<update: I had not deployed the policy; once I did this, the suppression worked. Still on the hunt for a global solution rather than entering suppression rules all the time, which furthermore cannot take advantage of an Object group>
06-30-2016 02:15 PM
An update to this: I have a TAC case raised. I've tried creating correlation rules to stop email alerting and this has not worked either. Should hear back from TAC today, who are labbing and testing also.