Monitoring IPS 4240 for positives

Unanswered Question
Oct 31st, 2007

A customer has purchased from us an IPS 4240 box.

I recently configured the box. It will monitor the customer's network in the following configuration:

1 Inline Interface pair created from G0/0 and G0/1. Traffic from the customer's edge moves in on the IN (G0/0) interface and then in turn exits out to our Outside Perimeter Firewall, which guards the customer DMZ.

We have scheduled the Inline Interfaces to be connected this evening.

I have a question regarding this installation:

1) We have the default "vs0" Virtual Sensor assigned to the Inline Interface Pair. If in fact any positives are identified, where in IDM would I be able to see what is happening? (Very important, as in the case of false positives I have to be able to get traffic moving again.)

Kevin Melton

tstanik Tue, 11/06/2007 - 12:01

The sensor has a limited size event store that will wrap around when it fills up and overwrite previous alerts. SecMon was intended to be the long term storage for the alerts. In looking at the summary numbers, SecMon always has more alerts than the IDM. You can login using CLI and use command "show events alerts".
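Because the sensor's event store wraps and overwrites old alerts, a practitioner who does not have SecMon in place usually pulls `show events alerts` on a schedule and archives the output off-box. The script below is an added example, not code from this thread or from Cisco: it parses `evIdsAlert` records, de-duplicates repeated pulls by `eventId` (so overlapping pulls do not double-count), tallies alerts per signature, and lists which events carried a `deniedPacket` action, which is what matters when a false positive is blocking traffic on the inline pair. The sample text is constructed to approximate the record layout of `show events alerts` as seen on a 6.x sensor (field names such as `evIdsAlert`, `eventId`, `signature: description=... id=...`, `participants`, `deniedPacket` are assumed from memory); verify the regexes against your own sensor's output before relying on them.

```python
"""Archive and summarise Cisco IPS alerts captured from `show events alerts`.

Added example, not from the original thread. PULL_1 / PULL_2 are CONSTRUCTED
samples approximating the evIdsAlert record layout; adjust the regexes if a
real sensor's output differs.
"""
import re
from collections import Counter

# First capture of `show events alerts` (constructed sample).
PULL_1 = """\
evIdsAlert: eventId=1000 severity=medium vendor=Cisco
  signature: description=TCP SYN Port Sweep id=3002 version=S2
    subsigId: 0
  interfaceGroup: vs0
  participants:
    attacker:
      addr: locality=OUT 203.0.113.7
    target:
      addr: locality=IN 192.0.2.20
      port: 80
  actions:
    deniedPacket: true
evIdsAlert: eventId=1001 severity=low vendor=Cisco
  signature: description=ICMP Echo Request id=2004 version=S1
    subsigId: 0
  interfaceGroup: vs0
  participants:
    attacker:
      addr: locality=OUT 203.0.113.9
    target:
      addr: locality=IN 192.0.2.20
"""

# Second capture, taken before the store wrapped: it repeats eventId 1001.
PULL_2 = """\
evIdsAlert: eventId=1001 severity=low vendor=Cisco
  signature: description=ICMP Echo Request id=2004 version=S1
    subsigId: 0
  participants:
    attacker:
      addr: locality=OUT 203.0.113.9
    target:
      addr: locality=IN 192.0.2.20
evIdsAlert: eventId=1002 severity=medium vendor=Cisco
  signature: description=TCP SYN Port Sweep id=3002 version=S2
    subsigId: 0
  participants:
    attacker:
      addr: locality=OUT 198.51.100.4
    target:
      addr: locality=IN 192.0.2.20
      port: 443
  actions:
    deniedPacket: true
"""

HEADER = re.compile(r"^evIdsAlert:\s+eventId=(\d+)\s+severity=(\w+)")
SIG = re.compile(r"^\s+signature:\s+description=(.*?)\s+id=(\d+)")
ADDR = re.compile(r"^\s+addr:\s+locality=\w+\s+(\S+)")


def parse_alerts(text):
    """Return one dict per evIdsAlert block found in the CLI output."""
    alerts, cur, section = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a new record starts; everything until the next header belongs to it
            cur = {"eventId": int(m.group(1)), "severity": m.group(2),
                   "sigId": None, "description": None,
                   "attacker": None, "target": None, "denied": False}
            alerts.append(cur)
            section = None
            continue
        if cur is None:
            continue
        m = SIG.match(line)
        if m:
            cur["description"], cur["sigId"] = m.group(1), int(m.group(2))
            continue
        stripped = line.strip()
        if stripped == "attacker:":
            section = "attacker"
        elif stripped == "target:":
            section = "target"
        elif stripped == "deniedPacket: true":  # inline deny action fired
            cur["denied"] = True
        else:
            m = ADDR.match(line)
            if m and section in ("attacker", "target"):
                cur[section] = m.group(1)
    return alerts


class AlertArchive:
    """Long-term store keyed by eventId; survives the sensor's wrap-around."""

    def __init__(self):
        self.events = {}

    def ingest(self, text):
        """Add alerts from one pull; return how many were not already stored."""
        new = 0
        for alert in parse_alerts(text):
            if alert["eventId"] not in self.events:
                self.events[alert["eventId"]] = alert
                new += 1
        return new

    def by_signature(self):
        return Counter((a["sigId"], a["description"]) for a in self.events.values())

    def denied_events(self):
        """eventIds whose packets were dropped inline: the false-positive suspects."""
        return sorted(a["eventId"] for a in self.events.values() if a["denied"])


if __name__ == "__main__":
    archive = AlertArchive()
    for pull in (PULL_1, PULL_2):
        print("new events:", archive.ingest(pull))
    for (sig, desc), n in archive.by_signature().most_common():
        print(f"sig {sig} ({desc}): {n}")
    print("denied:", archive.denied_events())
```

Feed each saved capture to `ingest`; the count it returns drops to zero once the pulls overlap completely, which is a cheap signal that you are polling faster than the store wraps. Filtering `denied_events` by signature id tells you which signature to tune (or whose deny action to remove) when a false positive is holding up customer traffic.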
