IPS - Startup

AxiomConsulting
Level 1

Hi All,

We have recently purchased an AIP-SSM-10 module for our ASA5520. I have installed the module, run through the initial configuration, and updated the software / signatures to the latest version via the ASDM.

I am about to run through the following...Send Network Traffic from the ASA to the AIP SSM...

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

but would like to know a little more about what will happen once traffic is redirected. My questions are as follows...

Does the IPS start blocking traffic by default? or does it just report?

Can we enable the IPS so that it just reports on what action would have been taken?

Ideally we would like to run traffic through the IPS for a week or so without any blocking, so we can analyze it to reduce false positives.

Is there any documentation explaining this?

Thanks for all your help

Steve

3 Replies

rhermes
Level 7

The default action of an in-line IPS is to drop the packets that match signatures set to drop. There are a few signatures that are not set to generate an alert when dropped.

I think you want to start with your sensor in promiscuous mode, not in-line. Then you can watch what signatures fire that would be dropped in an in-line mode.

Thanks for that. I ended up throwing caution to the wind and processing all traffic (inline); all looks good so far.

I am using IPS Event Viewer for 'Real Time' analysis and reporting.

Does anyone have any other recommendations?

Hi,

Could you share the sample configuration?
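
The promiscuous-mode starting point suggested in the first reply, sketched as ASA configuration. This is an added example, not configuration posted by anyone in the thread; the names IPS_TRAFFIC and IPS_CLASS are assumptions, and it assumes the default `global_policy` policy map is already applied globally.

```cisco
! Added example: send traffic from the ASA to the AIP-SSM for inspection.
! IPS_TRAFFIC and IPS_CLASS are hypothetical names chosen for illustration.

! Select the traffic to hand to the module (here: all IP traffic).
access-list IPS_TRAFFIC extended permit ip any any

class-map IPS_CLASS
 match access-list IPS_TRAFFIC

policy-map global_policy
 class IPS_CLASS
  ! Promiscuous: the ASA sends a copy of each packet to the module, so the
  ! module is not in the forwarding path while signatures are being tuned.
  ! fail-open: traffic keeps flowing if the module is down or reloading.
  ips promiscuous fail-open
  !
  ! After the tuning period, replace the line above with the inline form,
  ! which places the module in the forwarding path:
  !  ips inline fail-open
  ! Use fail-close instead of fail-open only if traffic should be dropped
  ! whenever the module is unavailable.

! Only needed if global_policy is not already applied.
service-policy global_policy global
```

`show service-policy` on the ASA shows whether the class is matching traffic and which IPS mode is in effect.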
