If the Block IP active response sends the command to all connected firewalls, then this could lead to undesirable results such as double entries in the firewall that logged the event. This unfortunately will not satisfy what we are trying to accomplish. What I was hoping to be able to do was build a rule and have it perform the Block IP active response on one specific LEM-connected firewall, not all of them. If this type of rule is not currently supported, are there plans to enable this selection functionality in a future version of LEM? This functionality seems like a valuable feature to have as it would offer the flexibility and granularity already present in LEM.