IPS and Virtual Sensors

brobinson · ‎07-30-2008

Hello.

I am looking to put in an IPS. I would like to monitor two segments, but read this in the docs...

"To avoid definition ordering issues, no conflicts or overlaps are allowed in assignments-you assign interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups to a specific virtual sensor so that no packet is processed by more than one virtual sensor."

Say I have two virtual sensors and subnets A and B. My question is that packets from segment A will go thru virtual-sensor1, but may (depending on routing) need to pass thru the VLAN pair of virtual-sensor2 to subnet B. Judging from above, this is not possible, since it says the packet can only be seen once. Please advise if I am interpreting the docs correctly.

Any suggestions or insight is appreciated! Thanks!

Farrukh Haroon · ‎07-31-2008

The quote is talking about Inline/VLan Pair assignment and not assymetric flows. They are two different issues.

Your setup should work fine, you might need to tweak a setting on the virtual sensor page tough (with regards to assymetric flows).

Regards

Farrukh

brobinson · ‎07-31-2008

Ah, okay; just to clarify... What they are speaking of is when the packet goes thru the IPS the first time, it stays in one virtual sensor during it's "session" thru it and is should not processed by any other virtual sensor.

If the packet reenters the IPS on a different interface pair (ie; virtual sensor) then that is OK.

Thanks for the reply!