Alerts not being marked with defined sub-interface

My customer is running NSM 9.1 and latest sigset as of today on a NS7200.

We set up sub-interfaces (CIDR) to segment the alerts for special policy assignment and updated the sensors, but we are still seeing alerts from those defined CIDR subnets marked as the original interface and using the original policy. We verified that the last push reported back as successful. This should not require a reboot, but I am thinking that may have to be the next step. Unfortunately, rebooting the sensor causes the Checkpoint Firewall to flap (a whole other issue I'm going to ask about in a separate post).

I was hoping someone else may have run into this and can provide some insight before I call Support.

Accepted Solution

d_aloy (Reliable Contributor), Message 5 of 6

Re: Alerts not being marked with defined sub-interface

The CIDR subinterface should be based on the CIDR block where the target servers are (as long as the root interface can see that traffic).

The subinterface should then be based on the target server's IP addresses/block.

Traffic should be seen as inbound, which should not be an issue based on your previous comment.

If all of these are true then it should work as expected.

Let us know how you get on.

Cheers

David

5 Replies

Re: Alerts not being marked with defined sub-interface

...Also, the newly created sub-interfaces are in Learning mode for the DoS profile.

d_aloy (Reliable Contributor), Message 3 of 6

Re: Alerts not being marked with defined sub-interface

Hi jvdavis,

What's the direction on those alerts you consider should be reported from the CIDR subinterfaces? They will only show from the subinterfaces if the traffic generating the alerts is marked as inbound.

This is because you can only define subinterfaces for those assets on the Inside of the network, and the inside/outside is defined by the port configuration.

Regards,

David

Re: Alerts not being marked with defined sub-interface

The alerts were marked as inbound, but I think I see the issue. The parent interface the sub-interfaces were configured on exists at the boundary of the network. The traffic we were trying to segment out is coming from VPN connections -> firewall (where traffic is decrypted) -> IPS interface -> core network. The attacker IP of the alerts in question is the VPN subnet, with the target IP being any of several servers. If I am understanding you correctly, for the segmenting to work, we would have had to create the sub-interfaces based on the IP CIDR of the target IPs. Is that correct?

Re: Alerts not being marked with defined sub-interface

d_aloy,

We were shifting things around to experiment while awaiting your reply, and it is working as you stated. Once I sat back and thought about it, it made complete sense... an interface can't sub out traffic it doesn't own... so to speak.

Thank you!!
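The behaviour worked out in this thread, as an added example that is not part of the original posts and not McAfee NSM code: a small model of how an alert gets attributed to a CIDR sub-interface. Following d_aloy's explanation, only the destination (target, inside) address of inbound traffic is matched against the sub-interface blocks; anything else stays on the root interface and its policy. The interface names, policy names, sample addresses and the longest-prefix-wins rule are all assumptions constructed for the illustration.

```python
"""Model of CIDR sub-interface attribution (constructed example, not NSM code).

Shows why a sub-interface keyed on the VPN (attacker/source) subnet never
picks up the alerts, while one keyed on the target servers' block does.
"""

import ipaddress
from dataclasses import dataclass, field


@dataclass
class SubInterface:
    name: str
    cidr: ipaddress.IPv4Network
    policy: str


@dataclass
class RootInterface:
    name: str
    policy: str
    sub_interfaces: list = field(default_factory=list)

    def attribute(self, src_ip, dst_ip, direction):
        """Return (interface name, policy) that an alert on this port is marked with.

        Sub-interfaces are only eligible for inbound traffic, and the lookup key
        is the destination (target) address, never the source. Longest-prefix
        match picks the most specific block; that tie-break is an assumption of
        this model, not documented NSM behaviour.
        """
        if direction != "inbound":
            return self.name, self.policy
        dst = ipaddress.ip_address(dst_ip)
        candidates = [s for s in self.sub_interfaces if dst in s.cidr]
        if not candidates:
            return self.name, self.policy
        best = max(candidates, key=lambda s: s.cidr.prefixlen)
        return best.name, best.policy


def build_interface(sub_cidrs):
    """Constructed root interface 'GE1' with sub-interfaces for the given (name, cidr, policy) tuples."""
    root = RootInterface(name="GE1", policy="Default-IPS")
    for name, cidr, policy in sub_cidrs:
        root.sub_interfaces.append(SubInterface(name, ipaddress.ip_network(cidr), policy))
    return root


# Constructed alert: a VPN client (10.99.0.25) hitting an internal server (10.10.5.8).
ALERT = {"src": "10.99.0.25", "dst": "10.10.5.8", "direction": "inbound"}

# The misconfiguration from the thread: sub-interface keyed on the VPN (source) subnet.
WRONG = build_interface([("VPN-Users", "10.99.0.0/16", "VPN-Policy")])
# The fix from the accepted answer: sub-interface keyed on the target servers' block.
RIGHT = build_interface([("VPN-Users", "10.10.5.0/24", "VPN-Policy")])


def attribution_for(root):
    """Attribute the constructed ALERT on the given root interface."""
    return root.attribute(ALERT["src"], ALERT["dst"], ALERT["direction"])


if __name__ == "__main__":
    print("keyed on source subnet :", attribution_for(WRONG))   # ('GE1', 'Default-IPS')
    print("keyed on target subnet :", attribution_for(RIGHT))   # ('VPN-Users', 'VPN-Policy')
    # The server's reply is outbound, so it stays on the root interface even though
    # its source address is inside the sub-interface block.
    print("outbound reply         :", RIGHT.attribute("10.10.5.8", "10.99.0.25", "outbound"))
```

The check a practitioner wants before pushing a sensor config is exactly the first two lines of output: feed a representative alert's source, destination and direction through the intended sub-interface blocks and confirm it lands on the expected policy rather than the root interface's default.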
