IPS unable to Block

Unanswered Question
Aug 28th, 2008

I have an IPS 4255, and I have made a Service HTTP signature to block metacafe.


I have configured the block device for the PIX Firewall. The signature triggers when I open www.metacafe.com; I can see the user IP in active blocking hosts and also in IP logging, but still I am not able to block/shun the users.


I selected all actions in the signature definition.




-----Network Access Statistics-----
section Current Configuration
LogAllBlockEventsAndSensors true
EnableNvramWrite false
EnableAclLogging false
AllowSensorBlock false
BlockMaxEntries 250
MaxDeviceInterfaces 250
section NetDevice
Type PIX
IP 172.28.31.68
NATAddr 0.0.0.0
Communications ssh-3des
ResponseCapabilities block
section NeverBlock
IP 172.28.92.72
IP 172.28.31.0
IP 192.168.249.0
IP 192.168.250.0
section State
BlockEnable true
section NetDevice
IP 172.28.31.68
AclSupport Does not use ACLs
Version 0
State Inactive
Firewall-type PIX

Please help me out with what I am missing.

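A check of the statistics output in the question above, as an added example that is not from the thread or from Cisco: it parses the dump into sections and lists the conditions that would keep a shun from reaching the managed device. The text is a constructed, abbreviated copy of the posted output; that a healthy device reports "State Active" is an assumption.

```python
# Constructed sample, abbreviated from the sensor output posted in the thread.
SAMPLE_STATS = """\
-----Network Access Statistics-----
section Current Configuration
section NetDevice
Type PIX
IP 172.28.31.68
Communications ssh-3des
ResponseCapabilities block
section State
BlockEnable true
section NetDevice
IP 172.28.31.68
AclSupport Does not use ACLs
State Inactive
Firewall-type PIX
"""

def parse_sections(text):
    """Return [(section_name, [(key, value), ...]), ...] in the order printed."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-----"):
            continue  # banner and blank lines carry no settings
        key, _, value = line.partition(" ")
        if key == "section":
            sections.append((value, []))
        elif sections:
            sections[-1][1].append((key, value))
    return sections

def check_blocking(text):
    """List the conditions in the dump that would keep a shun from reaching a device.
    Assumption (not stated in the thread): a healthy managed device reports 'State Active'."""
    findings = []
    for name, kvs in parse_sections(text):
        d = dict(kvs)  # keys inside State and NetDevice sections are unique
        if name == "State" and d.get("BlockEnable") != "true":
            findings.append("blocking is not enabled globally (BlockEnable is not true)")
        if name != "NetDevice":
            continue
        ip = d.get("IP", "?")
        if "ResponseCapabilities" in d and "block" not in d["ResponseCapabilities"]:
            findings.append(f"{ip}: device is not configured with the block capability")
        if "State" in d and d["State"] != "Active":
            findings.append(f"{ip}: State {d['State']}, the sensor has no working session to it")
        if "Firewall-type" in d and d["Firewall-type"].lower() in ("", "unknown"):
            findings.append(f"{ip}: firewall type not identified, the sensor cannot push a shun")
    return findings
```

On the posted output the only finding is the Inactive state of 172.28.31.68, which matches the later observation that 'who' on the firewall shows no session from the sensor.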
Farrukh Haroon Thu, 08/28/2008 - 03:18

Did you allow the sensor IP on the PIX for SSH?


ssh interface ?


Did you add the PIX as a trusted host on the sensor?


Is the SSH even working on the PIX from other hosts?


Double check your PIX credentials.


Login to PIX and issue a 'who' command to see if the IPS is logged in.


Regards


Farrukh

wasiimcisco Thu, 08/28/2008 - 06:32

Thanks for the reply,


My firewall is configured for AAA. I gave the same credentials in IPS blocking devices that I am using for myself.


SSH is allowed on firewall for any IP.

IPS also has any ip to trusted hosts.


ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside


IPS allowed host

telnet-option enabled

access-list 172.28.0.0/16


IPS is only able to push access-lists on the router but not able to shun the PIX firewall.


wasiimcisco Thu, 08/28/2008 - 09:00

I have tried even this, but still the problem is there,


I am attaching the screenshot. I am not able to configure the block action; the tab is not highlighted.


Why is that so? Maybe this is the reason?



Farrukh Haroon Thu, 08/28/2008 - 10:44

Have you enabled blocking globally?


Blocking >> Blocking Properties


Regards


Farrukh

wasiimcisco Thu, 08/28/2008 - 13:03

Yes, blocking is globally enabled. IPS is able to write access-lists on routers but not able to shun the PIX firewall.

Farrukh Haroon Fri, 08/29/2008 - 10:54

Please enable the block action on any common signature like ICMP echo (2004) and then check the event log of the IPS. It will tell you why the shun is failing. Also login to the firewall and do a 'who' command during this test to see if the IPS logs in. Do 'terminal monitor' and 'logging monitor 6' on firewall to see any denies etc.


Regards


Farrukh

wasiimcisco Thu, 09/04/2008 - 03:22

I am not able to configure firewall shun in Cisco IPS; the blocking option is disabled in IPS for the firewall.


See the attachment. Please help me out with how to do this.


IPS is only able to block on the routers but not on the firewall.



wasiimcisco Thu, 09/04/2008 - 03:44

When I view the log on IPS, it shows me the following error:


firewall type unknown. Please see the screenshot.


Secondly, when I did 'who' on the firewall I didn't see anybody connected. Firewall logging is also not showing that the IPS IP address is blocked.




