cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
465
Views
0
Helpful
3
Replies

Defining IPS filters in CSM

lcuchisanmillan
Level 1
Level 1

When you are defining filters in CSM, is it possible to use several IPs or ranges of IPs in the "Attackers" and "Victims" tab?

Thank you

3 Replies 3

marcabal
Cisco Employee
Cisco Employee

The sensor itself will accept several single IPs and IP ranges in a comma delimited list in it's event action filters.

For example:

10.10.1.1,10.10.1.3,10.20.1.0-10.20.1.255,10.20.5.0-10.20.5.255

I am fairly sure that CSM would also similarly support this ability for filling in those same fields for the sensor.

You can use ranges as Marcabal described above, or you can use variables. If you have IP address ranges that are used across multiple Event Action Filters you can assign them in CSM's "Policy Object Manager" Networks/Hosts (consider this a global variable). If you have the same Event Action Filters on multiple sensors with different IP address ranges, make the above "overwritable" and customize each sensor under CSM's "Device Properties" Networks/Hosts (this would be a similar to a local variable).

We want to use several IPs as in the Marcabal's example but in the CSM appears "Invalid value". We have tried with different separators apart from a comma. It has no sense creating a variable for each filter we use.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: