
AIP-SSM Configuration Maintenance in Active Stdby modes

mprescher
Level 1

So, I'm pretty new to the AIP-SSM but not to ASAs. It appears that very little of the AIP module config gets copied over to the Stdby AIP, nothing other than what appears in the ASA config (ACLs, etc.). So, do all the config elements particular to the module itself have to be manually reproduced on the Stdby module, either by hand entry or config copies moved between the two?


9 Replies

hoogen_82
Level 4

The failover is only applicable to the ASA. For the IPS, the configuration has to be replicated manually. IPS is always active. If traffic flows through it, it will do the inspection.

HTH

Hoogen

Do rate if this post is helpful :)

mprescher
Level 1

Well, I guess that's part of it. Though is it not possible to copy off the module config to an FTP server and then suck it up on the Stdby ASA-located module? Will that provide all config elements required for the two to look identical?

Yeah, you could do the FTP part for the configuration. If you manage through CSM or VMS, you could possibly push the same configuration to the IPS device and also tune signatures on both without having to do them separately.

-Hoogen

Something to keep in mind.

The 2 SSMs each need their own independent names and IP addresses.

If you are using blocking/shunning then only one of the 2 SSMs can block/shun on the firewall.

The rest of the configuration can be the same between the 2 sensors.
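Added example, not part of the original thread or any poster's code: a drift check for two exported sensor configurations that ignores the per-sensor name and IP address and reports every other difference. The sample configs are constructed, and the `host-name` / `host-ip` key names and the `!` comment prefix are assumptions about the exported text format.

```python
import difflib
import re

# Assumption: these keys hold the values that must differ per sensor
# (name and IP address); adjust to match the exported config text.
PER_SENSOR = re.compile(r"^(host-name|host-ip)\s+\S+$")


def canonical(config_text):
    """Strip blanks and '!' comment lines, and mask per-sensor values."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        lines.append(PER_SENSOR.sub(r"\1 <per-sensor>", line))
    return lines


def drift(active_text, standby_text):
    """Return one finding per differing region, in config order.

    Blocking settings are not masked: since only one sensor may block,
    a difference there shows up as a finding for the operator to confirm.
    """
    a, b = canonical(active_text), canonical(standby_text)
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    findings = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            findings.append({
                "near": a[i1 - 1] if i1 else "",  # last matching line before the change
                "active": a[i1:i2],
                "standby": b[j1:j2],
            })
    return findings


# Constructed sample exports (documentation address range, made-up names).
TEMPLATE = """! constructed sample
service host
network-settings
host-ip {ip}
host-name {name}
exit
exit
service signature-definition sig0
signatures 2004 0
status
enabled {enabled}
exit
exit
exit
"""
ACTIVE = TEMPLATE.format(ip="192.0.2.10/24,192.0.2.1", name="ips-a", enabled="true")
STANDBY = TEMPLATE.format(ip="192.0.2.11/24,192.0.2.1", name="ips-b", enabled="false")
```

Running `drift(ACTIVE, STANDBY)` after each change on the active sensor shows what still has to be reproduced on the standby one.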

So in Active/Standby scenarios with AIP-SSM, what is the reasoning for not having a feature for automatically copying over module config changes as with the ASA config?

If there is no good reason, is it on the AIP-SSM road map to provide this feature?

This can be a real pain in the arse for complex IPS configs. You have to do everything twice, and right away, so you won't miss anything should the ASAs flip.

Planned for the future.

Please consider CSM 3.1 to help maintain and scale configs. One suggestion is to import the 1st ASA's config, then share the policies with other sensors, including non-AIP-SSMs. If needed, simply edit from the shared policies.

Hasn't Cisco stopped the download of CSM 3.1? It seems that they have run into a lot of issues (bug ridden).

-Hoogen

Hi there, yes it is temporarily postponed in brief due to an issue described in the following field notice:

http://www.cisco.com/en/US/customer/products/ps6498/products_field_notice09186a00808434e7.shtml

Regards.
