01-01-2017 12:37 PM - edited 03-12-2019 06:14 AM
Dears
Please find the attached screenshot. Can anybody confirm whether the IPS is dropping the traffic or letting it go? I have enabled the recommended settings in the IPS, leaving the decision to the IPS. The inline result shows me that it is dropped, but in fact the TeamViewer session is established from the user.
I have a question below.
If a user has full access without any restrictions, and the recommended setting of the IPS is enabled, in which the IPS is automatically enabled to drop the TeamViewer traffic, then will the traffic for the user be dropped even though he has been given full privilege?
01-02-2017 10:27 AM
That event is indeed a TeamViewer-related IPS rule. However, it fires on HTTP traffic and I doubt a TV session is HTTP. It seems to be pre-session-establishment traffic.
The best and correct way to block TeamViewer or other application protocols, web applications and so on is to add an ACP rule with the TeamViewer App ID set and set the rule to block.
01-02-2017 06:33 PM
Dear,
Thanks for your reply.
Yes, I can control it by application filtering, but I want to know why the inline result is shown as dropped in the screenshot when in fact it is not dropped. My concern is that for such high-risk traffic, when it is allowing the traffic, it should show it to me as allowed traffic instead of dropped.
This is annoying me and making me feel that the IPS is not working properly.
Thanks
01-03-2017 12:40 AM
As I said, blocking that HTTP traffic doesn't mean the TeamViewer session capability is blocked.
That HTTP request could be only to check if the servers are reachable through HTTP, for instance. I don't know how TeamViewer works internally, but before going online it tries to do different checks.
If the HTTP method fails, it could fall back to HTTPS; in this case you are not able to see inside it unless you have a decrypt policy enabled.
I don't think TeamViewer is using the HTTP protocol for sessions, either. So that flow was blocked, but it didn't affect the TeamViewer connection.
As I mentioned above: to block TeamViewer, don't use that specific HTTP IPS rule, but add an ACP rule with the TeamViewer App ID in it and it will block TeamViewer.
01-04-2017 11:51 AM
Dear,
How can I check which traffic is blocked and which is not?
Thanks
01-06-2017 01:58 AM
Checking the connection events. You can filter on application ID.
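Added example, not part of the thread or of any vendor tooling: a small script that takes connection events exported as CSV, filters them on one application, and shows per protocol and port which flows were blocked and which were allowed. The column names and the sample rows are constructed assumptions, not the product's real export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names are assumptions for illustration.
SAMPLE_CSV = """\
time,src_ip,dst_port,app_protocol,client_app,action
2017-01-01T12:30:01,10.0.0.5,80,HTTP,TeamViewer,Block
2017-01-01T12:30:02,10.0.0.5,443,HTTPS,TeamViewer,Allow
2017-01-01T12:30:03,10.0.0.5,5938,TeamViewer,TeamViewer,Allow
2017-01-01T12:31:10,10.0.0.7,80,HTTP,Firefox,Allow
"""


def summarize(csv_text, app):
    """Count flows per (protocol, port, action) for one application name."""
    counts = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["client_app"].lower() == app.lower():
            key = (row["app_protocol"], int(row["dst_port"]), row["action"])
            counts[key] += 1
    return dict(counts)


def partially_blocked(csv_text, app):
    """True when some flows of the app were blocked while others were allowed.

    This is the situation in the thread: one HTTP flow is dropped, yet the
    application still connects over a different flow.
    """
    actions = {action for (_, _, action) in summarize(csv_text, app)}
    return "Block" in actions and "Allow" in actions


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_CSV, "TeamViewer").items()):
        print(key, n)
    print("partially blocked:", partially_blocked(SAMPLE_CSV, "TeamViewer"))
```

An application that comes back as partially blocked is one where a single dropped flow did not stop the session, which is the case for an application-level block rule rather than a per-signature drop.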