Send the connection event with "block" action only to Firesight management center

jackson.ku
Level 3

Hi,

How can I send only the connection events with the "block" action to Firesight management center, not all connection events?

Best Regards,

Jackson Ku


Jetsy Mathew
Cisco Employee

Hello Team,

When you create the individual rules for the block action, you can enable the logging option (either end or beginning) under Policies > Access Control > Add rule > Logging.

For the allow rules, don't enable logging at all.

Hope your query is clear here.

Kindly rate if this post helps you.

Regards

Jetsy

Hi,

Thanks for your help. If I disable logging for the access control rule, does it cause the intrusion log not to be sent to Firesight management center? How do I enable/disable sending intrusion events to Firesight management center?

Best Regards,

Jackson Ku

Hi Jackson, 

If you have enabled the intrusion policy in the inspection tab under any access control rule and you are disabling logging on that rule, in that case intrusion events will not come for that traffic in the management center GUI, but they will come normally for any other intrusion policy which is not in this access control rule.

Please mark and rate helpful posts.

Thanks,

Ankita

Hi,

I have tried it: if I disable logging for an access control rule, both connection events and intrusion events are not sent to the management center.

How can I configure, per access control rule, sending the intrusion events and file events to the management center but not the connection events?

Best Regards,

Jackson Ku

Hello Jackson

It's expected that you don't receive connection events for those intrusion policies called out in the logging-disabled AC policy.

Regards

Jetsy

How are you testing? It is highly probable that your intrusion events will be quiet unless you are deliberately creating an event.

IPS and File events are handled outside of your ACL policy rule event connections. 
Basically, Cisco designed the product so that if it invokes an IPS/File event you will want to report and act on it.

You can tweak how noisy the alerts are via the Policy/ACTION/alerts area. However, if you want to be quiet for particular networks over others, well, I'm waiting to hear back after a couple of months as to the best way to do this (Correlation and IPS rules are not that scalable).

Hello Jackson,

Have you tried the steps, and did they work for you?

Regards

Jetsy 
