05-21-2007 07:17 AM - edited 03-10-2019 03:37 AM
So, I'm pretty new to the AIP-SSM but not to ASA's. It appears that very little of the AIP module config gets copied over to the Stdby AIP, nothing other than what appears in the ASA config (ACL's, etc.). So, do all the config elements particular to the module itself have to be manually reproduced on the Stdby module, either by hand entry or config copies moved between the two?
05-21-2007 10:01 AM
The failover is only applicable to the ASA. For the IPS, the configuration has to be replicated manually. IPS is always active. If traffic flows through it, it will do the inspection.
HTH
Hoogen
Do rate if this post is helpful :)
05-21-2007 10:43 AM
Well, I guess that's part of it. Though is it not possible to copy off the module config to an FTP server and then suck it up on the Stdby ASA-located module? Will that provide all config elements required for the two to look identical?
05-21-2007 10:53 AM
Yeah, you could do the FTP part for the configuration. If you manage through CSM or VMS, you could possibly push the same configuration to the IPS device and also tune signatures on both without having to do them separately.
-Hoogen
05-21-2007 10:57 AM
Something to keep in mind.
The 2 SSMs each need their own independent names and IP addresses.
If you are using blocking/shunning then only one of the 2 SSMs can block/shun on the firewall.
The rest of the configuration can be the same between the 2 sensors.
05-21-2007 11:44 AM
So in Active/Standby scenarios with AIP-SSM, what is the reasoning for not having a feature for automatically copying over module config changes as with the ASA config?
If there is no good reason, is it on the AIP-SSM road map to provide this feature?
This can be a real pain in the arse for complex IPS configs. You have to do everything twice, and right away, so you won't miss anything should the ASAs flip.
05-21-2007 11:56 AM
Planned for the future.
05-21-2007 03:32 PM
Please consider CSM 3.1 to help maintain and scale configs. One suggestion is to import the 1st ASA's config, then share the policies with other sensors, including non-AIP-SSMs. If needed, simply edit from the shared policies.
05-21-2007 10:10 PM
Hasn't Cisco stopped the download of CSM 3.1? It seems that they have run into a lot of issues (bug ridden).
-Hoogen
05-23-2007 08:51 AM
Hi there, yes it is temporarily postponed in brief due to an issue described in the following field notice:
http://www.cisco.com/en/US/customer/products/ps6498/products_field_notice09186a00808434e7.shtml
Regards.