
IDSM-2 host blocks

Garrison Botts
Level 4

Hey guys..... I'm having an issue and need some help....

My inline IDSM-2 is blocking internal hosts from accessing the internet. When I run a report to try and identify "why", they don't show up. Using IME, I can see they are in the "denied attackers" section. How can I find out what's causing it?

thanks...

1 Reply

jocamare
Level 4

Remove only one of the denied hosts and monitor the logs that have its IP [IME is great at doing this].

If you identify the host as a malicious unit, move it back to the list.

If you find out that the IPS is reacting to false positives, you can check the signatures that trigger and see how reliable they are.

A packet capture is also a great idea to see what the unit is seeing and understand why it is blocking it.

Finally, if you just don't want this host to be affected by the IPS rules, simply create an event action filter for it.
