cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
jvdavis456
Level 10
Report Inappropriate Content
Message 1 of 6
‎12-07-2017 09:16 AM

Alerts not being marked with defined sub-interface

Jump to solution

My customer is running NSM 9.1 and latest sigset as of today on a NS7200.

We set up sub-interfaces (CIDR) to segment the alerts for special policy assignment and updated the sensors but we are still seeing alerts from those defined CIDR subnets marked as the original interface and using the original policy. We verified that the last push reported back as successful. This should not require a reboot, but I am thinking that may have to be the next step. Unfortunately, rebooting the sensor causes the Checkpoint Firewall to flap (whole other issue I'm going to ask about in a separate post.

I was hoping someone else may have run into this and can provide some insight before I call Support.

0 Kudos
Reply
1 Solution

Accepted Solutions
d_aloy
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 6
‎12-07-2017 01:09 PM

Re: Alerts not being marked with defined sub-interface

Jump to solution

The CIDR subinterface should be based on the CIDR block were the target servers are (as long as the root interface can see that traffic).

The subinterface should then be based on the target server's IP addresses/block.

Traffic should be seen as inbound, which should not be an issue based on your previous comment.

If all of these are true then it should work as expected.

Let us know how you get on.

Cheers

David

View solution in original post

Reply
5 Replies
jvdavis456
Level 10
Report Inappropriate Content
Message 2 of 6
‎12-07-2017 10:26 AM

Re: Alerts not being marked with defined sub-interface

Jump to solution

...Also, the newly created sub-interfaces are in Learning mode for the DoS profile.

0 Kudos
Reply
d_aloy
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 6
‎12-07-2017 10:55 AM

Re: Alerts not being marked with defined sub-interface

Jump to solution

Hi jvdavis

What's the direction on those alerts you consider should be reported from the CIDR subinterfaces? They will only show from the subinterfaces if the traffic generating the alerts is marked as inbound.

This is because you can only define subinterfaces for those assets on the Inside of the network, and the inside/outside is defined by the port configuration.

Regards,

David

0 Kudos
Reply
jvdavis456
Level 10
Report Inappropriate Content
Message 4 of 6
‎12-07-2017 12:30 PM

Re: Alerts not being marked with defined sub-interface

Jump to solution

The alerts were marked as inbound, but I think I see the issue. The parent interface the sub-interfaces were configured on exist at the boundary of the network. The traffic we were trying to segment out is coming from VPN connections -> firewall (were traffic is decrypted) -> IPS interface -> core network. The attacker IP of the alerts in question is the VPN subnet with the target IP being any of several servers. If I am understanding you correctly, for the segmenting to work, we would have had to create the sub-interfaces based on the IP CIDR of the target IPs. Is that correct?

0 Kudos
Reply
d_aloy
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 6
‎12-07-2017 01:09 PM

Re: Alerts not being marked with defined sub-interface

Jump to solution

The CIDR subinterface should be based on the CIDR block were the target servers are (as long as the root interface can see that traffic).

The subinterface should then be based on the target server's IP addresses/block.

Traffic should be seen as inbound, which should not be an issue based on your previous comment.

If all of these are true then it should work as expected.

Let us know how you get on.

Cheers

David

Reply
jvdavis456
Level 10
Report Inappropriate Content
Message 6 of 6
‎12-07-2017 01:29 PM

Re: Alerts not being marked with defined sub-interface

Jump to solution

d_aloy,

We were shifting things around to experiment while awaiting your reply, and it is working as you stated. Once I sat back and though about it, it made complete sense... an interface can't sub out traffic it doesn't own...so to speak.

Thank you!!

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC