unrival
Message 1 of 11

Dropping traffic

Hello

Due to the large amount of NetFlow, I want to drop this policy:

P2P: Skype logon process detected

After reading IPS Administration Guide Network Security Platform 8.2, I found the chapter Firewall Policies.

However, when I created the rule to choose the policy to drop, there was no such thing to choose.

Thanks, kind regards

1 Solution

Accepted Solutions

Re: Dropping traffic

Hi Benjamin,

As per luckhack's post above you will need to change the cabling to the sensor to put it in-line.

Each in-line connection requires two ports on the sensor, which will be configured as a port pair; the configuration is done on the manager in Devices > (DeviceName) > Setup > Physical Ports.

Change the operation mode to In-line.

For example, you could have a cable from a router to port 1A on the IDS, then a cable from port 1B to the switch; now all of the traffic for this connection is going through the sensor.

InLine.jpg

Peter

10 Replies
msitko
Message 2 of 11

Re: Dropping traffic

I'm a bit confused, are you trying to disable the alert, or drop the traffic involved in the attack?

For both, you need to edit the policy in use.  From the manager UI, navigate to Policy > Intrusion Prevention > IPS Policies.  Open the policy in question, and find the attack you want to modify.  You can either disable the attack, or change the blocking response.

unrival
Message 3 of 11

Re: Dropping traffic

Unfortunately your suggestion did not work, thanks

msitko
Message 4 of 11

Re: Dropping traffic

Reach out to the support team and we can figure this out.

unrival
Message 5 of 11

Re: Dropping traffic

Since my Sensor is installed in Span mode, the support team says I'm unable to drop traffic in this mode, kinda sad

msitko
Message 6 of 11

Re: Dropping traffic

Dropping traffic requires that the sensor be inline; however, you have the option to send a TCP reset even if the ports are in SPAN mode. The TCP reset option is also available in the attack settings; you will also need to configure the port properties to define whether you will use the response port or send the TCP reset from the monitoring port.

Re: Dropping traffic

Hi Benjamin,

Do you have the option to change the connection to an in-line connection?

Peter

unrival
Message 8 of 11

Re: Dropping traffic

The entire NetFlow is already directed to the Sensor in Span mode, although how can I change it to in-line mode? Just don't refer me to the McAfee Guides, because I'm sick of them.

Re: Dropping traffic

Operating an IPS Sensor is not something that can just be configured from a software setting; you have to bring your sensor in between Internal Network - IPS - External Network, which is a physical change, and a port pair needs to be used, whereas only one port is used in Span mode.

Cheers!
