Switching to inline mode with our IPS

natehausrath
Level 1

Hey everyone,

We're considering switching our IPS from promiscuous to inline, but we want to be careful not to interrupt normal traffic when we do so. We have it tuned pretty well at the moment, and we don't appear to get a lot of false positives that would be denied.

So I have a couple questions about this. First, is there anything I should be careful of that can trip people up when doing this? I know that some of the signatures on the IPS are set to deny without alerting, but most of those seem to be bad packets that should probably be this way. Is there anything known to cause issues? (In general that is. I know you guys don't know what's on our network.)

Also, we're using MARS to monitor all of this, so I'd like to set a rule to send an email to a few people whenever something is blocked. So when creating this rule, will the events that trigger the rule be the "AttacksProtected" group? Also, will the alerting device be the ASA when a packet is denied, or will it actually show it came from the IPS module?

We're using MARS 4.3.5, and our IPS is running 6.1-1.

Thanks for any help! Let me know if you need more information.

Accepted Solution

Farrukh Haroon
VIP Alumni

You can do a number of things for a smooth transition. You can disable the inspection on the IPS (software bypass setting) and then test all network connectivity after placing the sensor inline. Then you could set an event action filter to subtract the deny action from all signatures/events, OR you could select all signatures and modify the action to produce alert only. However, if you are really confident you can go ahead without doing any of the above two, but I wouldn't :)

The AIP-SSM will be added to the MARS 'inside' the ASA. It will know that the event came from the module. To receive emails, configure the SMTP/domain settings in the 'Admin' tab and then set the action for the rule to email (by default you can add the admin users group as the recipient).

Regards

Farrukh
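As an added illustration (not part of the thread, and not Cisco's own tooling), the script below models the pre-cutover check implied by the answer above: which signatures already carry a deny action (harmless in promiscuous mode, but drops once inline), which of those deny without producing an alert (so nothing would show in MARS), and what an event action filter that subtracts the deny actions does to that picture. Signature IDs, names and events are constructed; the action names follow the IPS 6.x deny/produce-alert actions, and the risk-rating range on the filter is a simplification of the real filter criteria.

```python
from collections import Counter
from dataclasses import dataclass, replace

# IPS actions that drop traffic once the sensor is inline. In promiscuous
# mode these actions have no effect on the traffic, which is why a tuned
# promiscuous sensor can still surprise you after the switch.
DENY_ACTIONS = frozenset({"deny-packet-inline",
                          "deny-connection-inline",
                          "deny-attacker-inline"})


@dataclass(frozen=True)
class IpsEvent:
    sig_id: int
    sig_name: str
    actions: frozenset    # actions configured on the signature that fired
    risk_rating: int      # 0-100
    produces_alert: bool  # False models a "deny without alerting" signature


# Constructed sample events (hypothetical signature IDs and names).
SAMPLE_EVENTS = [
    IpsEvent(10001, "constructed: malformed TCP segment",
             frozenset({"deny-packet-inline"}), 90, False),
    IpsEvent(10001, "constructed: malformed TCP segment",
             frozenset({"deny-packet-inline"}), 90, False),
    IpsEvent(10002, "constructed: directory traversal attempt",
             frozenset({"produce-alert", "deny-connection-inline"}), 85, True),
    IpsEvent(10003, "constructed: ICMP echo",
             frozenset({"produce-alert"}), 25, True),
    IpsEvent(10004, "constructed: SYN flood",
             frozenset({"produce-alert", "deny-attacker-inline"}), 95, True),
]


def would_be_denied(events):
    """Per-signature count of events whose actions include a deny action.
    This is the traffic that starts being dropped the moment you go inline."""
    counts = Counter()
    for e in events:
        if e.actions & DENY_ACTIONS:
            counts[(e.sig_id, e.sig_name)] += 1
    return counts


def silent_denies(events):
    """Signatures that would deny traffic without producing an alert.
    These are the ones that trip people up: MARS never sees the block."""
    return sorted({(e.sig_id, e.sig_name) for e in events
                   if e.actions & DENY_ACTIONS and not e.produces_alert})


def apply_event_action_filter(events, actions_to_remove, min_rr=0, max_rr=100):
    """Simulate an event action filter: subtract the given actions from every
    event whose risk rating lies in [min_rr, max_rr]. Returns new events."""
    out = []
    for e in events:
        if min_rr <= e.risk_rating <= max_rr:
            e = replace(e, actions=e.actions - actions_to_remove)
        out.append(e)
    return out


def transition_report(events):
    """Summary for the change window: denies now, denies after a filter that
    subtracts all deny actions, and the denies that would be invisible."""
    filtered = apply_event_action_filter(events, DENY_ACTIONS)
    return {
        "deny_events_before": sum(would_be_denied(events).values()),
        "deny_events_after_filter": sum(would_be_denied(filtered).values()),
        "silent_deny_signatures": silent_denies(events),
    }


if __name__ == "__main__":
    for (sid, name), n in would_be_denied(SAMPLE_EVENTS).most_common():
        print(f"sig {sid:>6}  {name:<42} would deny {n} event(s)")
    print(transition_report(SAMPLE_EVENTS))
```

Run it against an export of your own sensor's recent events and the "silent deny" list is the set of signatures to review first; the filter simulation shows that a risk-rating-bounded filter (say, only 90 and above) leaves lower-rated deny actions in force, which is an easy way to end up blocking more than intended during the trial period.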


2 Replies

Thanks, that's a huge help! We'll see how it goes next week. :)
