You can now add another RR with the same action but it must be contiguous range. For example, suppose you have RRs: HIGH: 90-100 MED: 80-89 TEST: 70-79 LOW: 1-69
You will NOT be able to add the same action to HIGH and LOW at the same time. You will, however, be able to do that for HIGH and MED. The problem is between GUI and CLI. On CLI it will be visible like one entry, in GUI those are separate entries. Considering that, you're right. It is not possible from CLI but for non-contiguous RRs. Regards, Piotr 2011/4/26 Kingsley Charles <[email protected]> > By default, the sensor has deny packet inline for RR range of 90-100. I > configured RR range of 70-100 for deny packet inline > > If you look below, the risk rating range for deny packet is inline is 70 - > 100 now. It overwritten 90-100 which means only one RR range can be > configured for an action. > > > > sensor(config-eve)# sh settings > variables (min: 0, max: 256, current: 0) > ------------------------------ > ----------------- > ----------------------------------------------- > overrides (min: 0, max: 15, current: 2) > ----------------------------------------------- > <protected entry> > action-to-add: deny-packet-inline > ----------------------------------------------- > override-item-status: Enabled default: Enabled > risk-rating-range: 70-100 default: 90-100 > > > With regards > Kings > > On Tue, Apr 26, 2011 at 9:12 PM, Piotr Matusiak <[email protected]> wrote: > >> Yes, I'm using 6.1 >> >> >> 2011/4/26 Kingsley Charles <[email protected]> >> >>> Piotr >>> >>> It's not possible in 6.1. But, I guess it should work 7.0. Are you using >>> 6.1? >>> >>> >>> With regards >>> Kings >>> >>> >>> On Tue, Apr 26, 2011 at 8:11 PM, Piotr Matusiak <[email protected]> wrote: >>> >>>> Why not? I think it is possible to configure the same action on >>>> different RRs. >>>> What's the problem here? >>>> >>>> >>>> >>>> 2011/4/26 Kingsley Charles <[email protected]> >>>> >>>>> Hi all >>>>> >>>>> When configuring Event Action Overrides, it seems that the "action" can >>>>> be associated to only one range of risk rating. In the following example, >>>>> I >>>>> have configured RR range 70-100 for packet inline. >>>>> >>>>> Does that mean, I can't configure "deny packet inline" for other RR >>>>> ranges. This doesn't make sense to me. >>>>> >>>>> >>>>> sensor(config-eve)# sh settings >>>>> variables (min: 0, max: 256, current: 0) >>>>> ----------------------------------------------- >>>>> ----------------------------------------------- >>>>> overrides (min: 0, max: 15, current: 2) >>>>> ----------------------------------------------- >>>>> <protected entry> >>>>> action-to-add: deny-packet-inline >>>>> ----------------------------------------------- >>>>> override-item-status: Enabled default: Enabled >>>>> risk-rating-range: 70-100 default: 90-100 >>>>> >>>>> >>>>> With regards >>>>> Kings >>>>> >>>>> _______________________________________________ >>>>> For more information regarding industry leading CCIE Lab training, >>>>> please visit www.ipexpert.com >>>>> >>>>> Are you a CCNP or CCIE and looking for a job? Check out >>>>> www.PlatinumPlacement.com >>>>> >>>> >>>> >>> >> >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
