Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1297
Views
5
Helpful
4
Replies

How to know the IPS censor (model FP7120-K9) in Block mode or Monitor mode

Go to solution
Tang-Suan Tan
Level 1
Level 1

‎06-03-2020 01:54 AM - edited ‎06-03-2020 02:48 AM

Hi all,

 

May I know by GUI or CLI, how to get to know current IPS censor is in Block mode or Monitor mode?

I have FirePower Management Centre to manage all these IPS censors, is there a way to check also the Block or Monitor mode from the FirePower Management Centre?

 

Thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Tang-Suan Tan

‎06-03-2020 09:16 AM - edited ‎06-03-2020 06:42 PM

Inline generally means live traffic enters and exits the IPS. If you are connected to a span port or off of an appliance that copies the traffic like a Gigamon then you would be "not inline".

Sometimes an IPS rule might have a direction associated with it - if the traffic is observed from external to home net then it is dropped. However the same patterns may be allowed from home net (private IP) to external. You can see the "would have dropped" for that latter case.

View solution in original post

4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-03-2020 06:24 AM

In FMC look under the applied IPS policy (Policies > Access Control > Intrusion) and see the setting "Drop When Inline". That check box governs globally how IPS rules affect the traffic with "drop and generate events" action specified.

If the device is not inline, you will get events with "Would have Dropped" as the action when traffic hits a rule with the "drop and generate events" action otherwise specified.

0 Helpful

Go to solution
Tang-Suan Tan
Level 1
Level 1
In response to Marvin Rhoads

‎06-03-2020 07:01 AM

Hi Marvin,

 

Many thanks on your reply.

Yes, my FMC is with Yes on the "Drop when inline".

 

As such, I can conclude that the IPS censors are in Block mode.

 

I have a further question that can you explain "inline" and "not inline" in term of IPS operaton?

 

In some cases, under the same rule, I observed that the IPS drops the traffic with source IP in public IP while "would have dropped" source IP in private IP address range such as 10.x.x.x or 192.168.x.x or 172.16.x.x to 172.32.x.x.

 

How to explain such thing in term of "Drop when inline"? 

 

Thanks and regards,

Tangsuan Tan

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Tang-Suan Tan

‎06-03-2020 09:16 AM - edited ‎06-03-2020 06:42 PM

Inline generally means live traffic enters and exits the IPS. If you are connected to a span port or off of an appliance that copies the traffic like a Gigamon then you would be "not inline".

Sometimes an IPS rule might have a direction associated with it - if the traffic is observed from external to home net then it is dropped. However the same patterns may be allowed from home net (private IP) to external. You can see the "would have dropped" for that latter case.

Go to solution
Tang-Suan Tan
Level 1
Level 1
In response to Marvin Rhoads

‎06-03-2020 02:25 PM

Hi Marvin,

 

Thanks a lot on your reply.

 

Appreciate your help on this.

 

regards,

Tangsuan Tan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card