10-16-2012 12:09 PM - edited 03-10-2019 05:48 AM
Been a while since I've looked at this stuff, so hopefully I don't butcher the terminolgy too bad. Back in the old days, we defined event action filter variables and policies directly on an IPS sensor. These two items provided overlapping functionality. The variables could be used in event action filters, but were also used to provide the locality value in alerts (e.g. IN, OUT, WHATEVER). With CSM, it appears you define network objects to enable the use of variables in the event action filters....but they don't appear on a sensor unless the policy uses them? So this begs the question...how do you get the functionality of the old event filter variables when using CSM? How can we get the alerts to contain useful locality information for the source and destination addresses?
10-18-2012 06:34 AM
BUMP. Anyone? Is there a way in CSM to push down these variables independent from the event action filters so that the locality reflects some meaningful network description?
10-22-2012 01:41 PM
one more bump
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide