01-16-2018 11:27 PM - edited 02-21-2020 07:09 AM
I can see some logs on the FireSight for sourcefire events with action "would be blocked", what is meant by this action and when is it used instead of normal "block"action?
01-17-2018 06:34 AM
We can see this when you have told the appliance to trust traffic that would otherwise have met criteria for blocking via Security Intelligence (SI).
It can also apply when the appliance is in monitor-only mode (e.g acting as an IDS only).
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide
Log in to Community