06-03-2020 01:54 AM - edited 06-03-2020 02:48 AM
Hi all,
May I know, via the GUI or CLI, how to find out whether the current IPS sensor is in Block mode or Monitor mode?
I have Firepower Management Center to manage all these IPS sensors; is there a way to also check the Block or Monitor mode from the Firepower Management Center?
Thanks!
06-03-2020 06:24 AM
In FMC look under the applied IPS policy (Policies > Access Control > Intrusion) and see the setting "Drop When Inline". That check box governs globally how IPS rules affect the traffic with "drop and generate events" action specified.
If the device is not inline, you will get events with "Would have Dropped" as the action when traffic hits a rule with the "drop and generate events" action otherwise specified.
06-03-2020 07:01 AM
Hi Marvin,
Many thanks for your reply.
Yes, my FMC is with Yes on the "Drop when inline".
As such, I can conclude that the IPS sensors are in Block mode.
I have a further question: can you explain "inline" and "not inline" in terms of IPS operation?
In some cases, under the same rule, I observed that the IPS drops the traffic when the source IP is a public IP, while it shows "would have dropped" when the source IP is in a private IP address range such as 10.x.x.x or 192.168.x.x or 172.16.x.x to 172.32.x.x.
How can such a thing be explained in terms of "Drop when inline"?
Thanks and regards,
Tangsuan Tan
06-03-2020 09:16 AM - edited 06-03-2020 06:42 PM
Inline generally means live traffic enters and exits the IPS. If you are connected to a span port or off of an appliance that copies the traffic like a Gigamon then you would be "not inline".
Sometimes an IPS rule might have a direction associated with it - if the traffic is observed from external to home net then it is dropped. However the same patterns may be allowed from home net (private IP) to external. You can see the "would have dropped" for that latter case.
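The following is an added example (not code from Cisco or from anyone in this thread) that models the behaviour Marvin describes: how the rule action, the policy's "Drop When Inline" checkbox and the sensor's deployment (inline vs. passive/SPAN) combine into a "Dropped" or "Would have dropped" event, and how to tally exported intrusion events per sensor, rule and source scope so the public-source/private-source pattern from the question stands out. The event records, sensor names and rule labels are constructed for the example and do not follow any real FMC export format; the RFC 1918 ranges are the "home net" private space from the question.

```python
"""
Model of "Drop When Inline" x deployment mode x rule action, plus a
tally of intrusion events per sensor/rule/source scope.
Added example; event records below are constructed, not FMC output.
"""
import ipaddress
from collections import Counter, defaultdict

RULE_DROP = "drop and generate events"   # rule action named in the thread
RULE_ALERT = "generate events"

ACTION_DROPPED = "Dropped"
ACTION_WOULD_DROP = "Would have dropped"
ACTION_ALERT = "Alert"

MODE_BLOCKING = "blocking"
MODE_MONITOR = "monitor-like (passive link or Drop When Inline off)"

# RFC 1918 space; 172.16.0.0/12 covers 172.16.x.x through 172.31.x.x.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def expected_action(rule_action, drop_when_inline, inline):
    """Event action produced by one rule hit, as described in the thread.

    A drop rule only actually drops when the policy has "Drop When Inline"
    set AND the sensor really sits in the traffic path; otherwise the
    sensor reports what it would have done.
    """
    if rule_action != RULE_DROP:
        return ACTION_ALERT
    if drop_when_inline and inline:
        return ACTION_DROPPED
    return ACTION_WOULD_DROP


def src_scope(ip):
    """Classify a source address as 'private' (RFC 1918) or 'public'."""
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in RFC1918) else "public"


# Constructed sample records: (sensor, rule_label, src_ip, dst_ip, action).
# Addresses and labels are placeholders; 203.0.113.x / 198.51.100.x are
# documentation ranges standing in for Internet sources.
SAMPLE_EVENTS = [
    ("ips-edge-1", "rule-A", "203.0.113.7",  "10.1.2.3",     ACTION_DROPPED),
    ("ips-edge-1", "rule-A", "198.51.100.9", "10.1.2.4",     ACTION_DROPPED),
    ("ips-edge-1", "rule-A", "10.1.2.3",     "203.0.113.7",  ACTION_WOULD_DROP),
    ("ips-dc-2",   "rule-A", "192.168.5.5",  "10.9.9.9",     ACTION_WOULD_DROP),
    ("ips-dc-2",   "rule-B", "10.9.9.9",     "192.168.5.5",  ACTION_WOULD_DROP),
]


def summarize(events):
    """Count event actions per (sensor, rule, source scope).

    A rule that shows 'Dropped' for public sources but 'Would have dropped'
    for private sources on the same sensor points at rule direction
    (external -> home net), not at the sensor being passive.
    """
    tally = defaultdict(Counter)
    for sensor, rule, src, _dst, action in events:
        tally[(sensor, rule, src_scope(src))][action] += 1
    return tally


def sensor_mode(events):
    """Infer each sensor's effective mode from the actions it reports.

    Any 'Dropped' event proves the sensor is inline with dropping enabled.
    Only 'Would have dropped' suggests a passive link or the checkbox being
    off, but is not proof: confirm in FMC (Policies > Access Control >
    Intrusion, "Drop When Inline") and in the device's interface mode.
    """
    seen = defaultdict(set)
    for sensor, _rule, _src, _dst, action in events:
        seen[sensor].add(action)
    return {s: (MODE_BLOCKING if ACTION_DROPPED in acts else MODE_MONITOR)
            for s, acts in seen.items()}


if __name__ == "__main__":
    for key, counts in sorted(summarize(SAMPLE_EVENTS).items()):
        print(key, dict(counts))
    for sensor, mode in sensor_mode(SAMPLE_EVENTS).items():
        print(sensor, "->", mode)
```

Run it on a CSV or syslog export by building the same five-field tuples from your own records; the summary is the per-sensor check that complements reading the "Drop When Inline" setting in FMC.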
06-03-2020 02:25 PM
Hi Marvin,
Thanks a lot for your reply.
Appreciate your help on this.
regards,
Tangsuan Tan