Does anyone know how I can make some sort of ZONES or similar of my network with IP subnets, so I can easily identify which Zone/Subnet generates an alert?
There is a column called ZONE, but I think it is only for NTBA for identifying inside/outside zones.
Suppose that the IPS is in a closed network. For example, this is what I can see in the alerts dashboard:
Attack | Source IP | Src Port | Dest IP | Dest Port
Attack AAA | 192.168.0.6 | 5555 | 192.168.10.3 | 445
Attack BBB | 192.168.0.3 | 2222 | 192.168.1.5 | 445
Attack CCC | 192.168.20.4 | 5555 | 192.168.10.5 | 445
Attack AAA | 192.168.0.6 | 1111 | 192.168.2.5 | 445
Attack BBB | 192.168.10.5 | 5555 | 192.168.9.9 | 445
Attack AAA | 192.168.0.4 | 5555 | 192.168.6.5 | 445
And this is what I would like to get. As I know all the subnets in our network, I just need a quick way to see them.
Attack | Source IP | Branch/Department | Src Port | Dest IP | Branch/Department | Dest Port
Attack AAA | 192.168.0.6 | New York | 5555 | 192.168.10.3 | Boston | 445
Attack BBB | 192.168.0.3 | Boston | 2222 | 192.168.1.5 | Chicago | 445
Attack CCC | 192.168.20.4 | Miami | 5555 | 192.168.10.5 | New York | 445
Attack AAA | 192.168.0.6 | Las Vegas | 1111 | 192.168.2.5 | New York | 445
Attack BBB | 192.168.10.5 | Boston | 5555 | 192.168.9.9 | New York | 445
Attack AAA | 192.168.0.4 | Boston | 5555 | 192.168.6.5 | New York | 445
Thanks for help.
CIDR-based sub interfaces are what you want to look into. When traffic comes in on a specific interface, if it matches the CIDR block tagged on the sub interface, it will be given the name you specify on the sub interface.
Policies can also be applied at the sub interface level once defined in this way.
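The matching rule described above (traffic is named after the CIDR block it falls in), applied offline to exported alert rows. This is an added Python example, not NSP configuration or code from the thread; the CIDR-to-name table, the sample rows and the function names are assumptions.

```python
import ipaddress

# Constructed mapping of CIDR blocks to names (assumption, not from the thread).
ZONES = {
    "192.168.0.0/24": "Boston",
    "192.168.10.0/24": "New York",
    "192.168.20.0/24": "Miami",
    "192.168.0.0/16": "Corporate (other)",  # catch-all for unlisted subnets
}

# Parse once and sort most-specific first so the longest prefix wins.
_NETS = sorted(
    ((ipaddress.ip_network(cidr), name) for cidr, name in ZONES.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)

def zone_for(ip, default="Unknown"):
    """Return the name of the most specific CIDR block containing ip."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return default  # malformed address in the export
    for net, name in _NETS:
        if addr.version == net.version and addr in net:
            return name
    return default

def tag_alert(row):
    """Add zone columns to: Attack | Source IP | Src Port | Dest IP | Dest Port."""
    attack, src, sport, dst, dport = [f.strip() for f in row.split("|")]
    return " | ".join(
        [attack, src, zone_for(src), sport, dst, zone_for(dst), dport]
    )

# Constructed rows in the dashboard layout shown in the question.
SAMPLE = [
    "Attack AAA | 192.168.0.6 | 5555 | 192.168.10.3 | 445",
    "Attack CCC | 192.168.20.4 | 5555 | 192.168.10.5 | 445",
    "Attack BBB | 10.1.2.3 | 2222 | 192.168.1.5 | 445",
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(tag_alert(row))
```

Overlapping blocks are resolved by prefix length, so a /24 entry takes precedence over the /16 catch-all.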
Do you know where to find some info on how to do that? The NSP Manager Administration Guide only mentions what it is, without any example of how to configure it.
We have a SPAN mode, so probably we won't see any inbound/outbound directions, only the parent direction.
Do I need to change something in the policy section before changing interface type to CIDR?