All,
I have a pair of ASA 5525 (9.3.1) running SourceFire (5.3.1). I currently have the ASA passing the traffic to the SF via sfr fail-open monitor-only. I'm doing this to make sure the rules are being applied correctly. Traffic passes to the SF, and the global black list works, but none of the rules are being hit under Policies--Access Control--Rules. As I said, the Global Black List is being hit and is configured under the same Access Control policy.
Again, I understand that no traffic will actually be blocked, but it should show in the SF console that it was blocked. The Global Black List certainly behaves this way.
Can someone point me in the right direction?
Best regards.
derek