Wednesday, September 4, 2019

IBM Proventia detecting traffic from a blocked IP

A SOC nobody trying to get some insight into a network architecture.

So one of our clients has IBM Proventia as their IDS and Checkpoint as their perimeter FW.

So we have blocked an IP due to an offense triggered. Post that, the traffic, even though it is getting dropped on the firewall, is getting detected at the IDS.

Does CP send or perform something akin to SPAN?

What are the possible architectures that could be causing this behavior?


