I can see some logs on the FireSight for sourcefire events with action "would be blocked", what is meant by this action and when is it used instead of normal "block"action?
We can see this when you have told the appliance to trust traffic that would otherwise have met criteria for blocking via Security Intelligence (SI).
It can also apply when the appliance is in monitor-only mode (e.g acting as an IDS only).
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: