04-18-2015 02:03 PM - edited 03-12-2019 05:39 AM
Hi Everyone,
In our environment we are frequently asked to check specific IP addresses to confirm if Sourcefire is allowing the connection or not.
Need to confirm if Sourcefire DC is blocking any IP address. Which is the best place to check?
Under connection events?
or Security Intelligence events?
Regards
Mahesh
04-20-2015 09:28 AM
I'd look under "Analysis, Search". Make sure you specify a relevant time period for your search.
04-20-2015 10:44 AM
Many thanks Marvin
Regards
Mahesh
09-12-2019 03:25 AM
09-12-2019 05:05 AM
I usually right click on an "Allow" event and tell the FMC to exclude all events of that type. That pares down the list quite a bit. You can save that filter as an FMC bookmark as well.
09-12-2019 11:32 PM
09-13-2019 05:07 AM
That's a predefined search and, as you noted, specific to Intrusion Events. I don't believe it would include drops due to Security Intelligence, URL Blacklist or other miscellaneous reasons.
I use one like this:
08-29-2019 06:03 AM
Hello,
I see the below results in the sh service-policy sfr command:
Global policy:
Service-policy: global_policy
Class-map: FIREPOWER-Class
SFR: card status Up, mode fail-open
packet input 2718995, packet output 2719028, drop 357, reset-drop 40
Where can I see the 357 drops in FMC?
Thank you