
IPS won't show inline result

ccna_security
Level 3

Dear all.

1. I configured IPS as inline, but when I begin testing using nmap it shows as "Would Have been dropped". FMC version is 6.3.

2. Today I saw an intrusion event, but this time the IPS result won't show anything. Please find the screenshot. One of our servers was requested FILE-IDENTIFY Microsoft emf file. It is the first time we see such an event since we configured IPS. What do you think about this event?


nspasov
Cisco Employee

Hi there:

For #1: This would indicate that your Intrusion Policy is not set to "drop" when inline. As a result, your policy is functioning in an IDS (Detection) mode. If you want to change this, you will need to edit your Intrusion Policy and check the box that says "Drop When Inline".

For #2: Similar to the explanation above. The Firepower appliance detected the intrusion but it only alerted you on it. This is why the column labeled "Inline Result" is blank. And again, if you want to change that behavior, you will need to edit your Intrusion Policy. With regards to the intrusion event: You can always click on the event and gather the details on what the event was, the associated Snort signature, etc. 
I hope this helps!

Thank you for rating helpful posts!

Thanks for your reply.

1. I have configured IPS as inline by checking the "Drop when inline" checkbox.

2. If I'm not mistaken, if Firepower is configured as IPS it must show as DROP in the event, and if it has been configured as IDS it would show as "Would be dropped". But I didn't understand why it is shown blank for that event I depicted to you.
