10 Replies. Latest reply on Apr 4, 2016 11:45 PM by unrival

    Dropping traffic

    unrival

      Hello

      Due to the large amount of NetFlow, I want to drop this policy:

      P2P: Skype logon process detected

      After reading the IPS Administration Guide for Network Security Platform 8.2, I found the chapter Firewall Policies.

      However, when I created the rule to choose the policy to drop, there was no such thing to choose.

      Thanks, kind regards

        • 1. Re: Dropping traffic
          msitko

          I'm a bit confused: are you trying to disable the alert, or drop the traffic involved in the attack?

           

          For both, you need to edit the policy in use.  From the manager UI, navigate to Policy > Intrusion Prevention > IPS Policies.  Open the policy in question, and find the attack you want to modify.  You can either disable the attack, or change the blocking response.

          • 2. Re: Dropping traffic
            unrival

            Unfortunately, your suggestion did not work, thanks.

            • 3. Re: Dropping traffic
              msitko

              Reach out to the support team and we can figure this out.

              • 4. Re: Dropping traffic
                unrival

                Since my Sensor is installed in Span mode, the support team says I'm unable to drop traffic in this mode, kinda sad.

                • 5. Re: Dropping traffic
                  msitko

                  Dropping traffic requires that the sensor be inline; however, you have the option to send a TCP reset even if the ports are in SPAN mode. The TCP reset option is also available in the attack settings; you will also need to configure the port properties to define if you will use the response port or send the TCP reset from the monitoring port.

                  • 6. Re: Dropping traffic
                    peter.mason

                    Hi Benjamin,

                     

                    Do you have the option to change the connection to an in-line connection?

                     

                    Peter

                    • 7. Re: Dropping traffic
                      unrival

                      The entire NetFlow is already directed to the Sensor in Span mode, although how can I change it to in-line mode? Just don't tell me to refer to the McAfee Guides, 'cause I'm sick of them.

                      • 8. Re: Dropping traffic
                        luckhack

                        Operating the IPS Sensor is not something that can just be configured from a software setting; you have to bring your sensor in between Internal Network - IPS - External network, which is a physical change, and a port pair needs to be used, whereas only one port is used in Span mode.

                        Cheers!

                        • 9. Re: Dropping traffic
                          peter.mason

                          Hi Benjamin,

                           

                          As per luckhack's post above, you will need to change the cabling to the sensor to put it in-line.

                           

                          Each in-line connection requires two ports on the sensor, which will be configured as a port pair; the configuration is done on the manager in Devices > (DeviceName) > Setup > Physical Ports.

                           

                          Change the operation mode to In-line.

                           

                          For example, you could have a cable from a router to port 1A on the IDS, then a cable from port 1B to the switch; now all of the traffic for this connection is going through the sensor.

                           


                          Peter
