02-16-2017 12:29 AM - edited 02-21-2020 06:01 AM
While learning Firepower Intrusion Policy, I created an IPS rule like the one in the picture. I want to block traffic from test-pc to the HTTP server when the URI contains the "configure" keyword, but it does not work properly. I didn't see the intrusion events.
02-16-2017 11:50 AM
Add metadata with service http. See whether it fires now.
When you test, add logging to the ACP rule and provide the connection event screenshot (from the table view of events, multiple screenshots to cover all the fields) associated with the test you're performing.
02-16-2017 05:29 PM
I configured two intrusion rules: intrusion rule "http certsrv" and intrusion rule "http configure", like in the picture. When I test them, "http certsrv" works properly, but "http configure" doesn't. I use Windows Server 2008 as the web server to test "http certsrv", and Cisco IOS as the web server to test "http configure".
02-17-2017 01:01 AM
I couldn't reproduce your issue. For me it fires. Are you sure you deployed the ACP after making changes?
Can you provide the full connection event entry screenshot?