12-04-2008 02:43 AM - edited 03-10-2019 04:24 AM
Hi All,
We have recently purchased an AIP-SSM-10 module for our ASA5520. I have installed the module, run through the initial configuration, and updated the software/signatures to the latest version via the ASDM.
I am about to run through the following...Send Network Traffic from the ASA to the AIP SSM...
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml
but would like to know a little more about what will happen once traffic is redirected. My questions are as follows...
Does the IPS start blocking traffic by default? Or does it just report?
Can we enable the IPS so that it just reports on what action would have been taken?
Ideally we would like to run traffic through the IPS for a week or so without any blocking, so we can analyze it to reduce false positives.
Is there any documentation explaining this?
Thanks for all your help
Steve
12-04-2008 02:16 PM
The default action of an in-line IPS is to drop the packets that match signatures set to drop. There are a few signatures that are not set to generate an alert when dropped.
I think you want to start with your sensor in promiscuous mode, not in-line. Then you can watch what signatures fire that would be dropped in an in-line mode.
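The promiscuous-first approach suggested in the reply above, sketched as ASA configuration (an added example, not part of the original thread or the linked Cisco document). The ACL and class-map names are hypothetical, and it assumes the default `global_policy` is the policy applied globally.

```cisco
! Added example. IPS-TRAFFIC and IPS-CLASS are hypothetical names.
!
! Select the traffic the ASA hands to the AIP-SSM.
access-list IPS-TRAFFIC extended permit ip any any
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
!
! Evaluation phase: promiscuous mode.
! The ASA sends a copy of each packet to the module, so the sensor
! raises alerts but is not in the forwarding path.
! fail-open: traffic keeps flowing if the module is unavailable.
policy-map global_policy
 class IPS-CLASS
  ips promiscuous fail-open
!
! Present by default on the ASA; shown here for completeness.
service-policy global_policy global
!
! After the signatures have been tuned, replace the ips line so the
! sensor sits in the forwarding path and signatures set to drop take effect:
!
! policy-map global_policy
!  class IPS-CLASS
!   ips inline fail-open
!
! Use fail-close instead of fail-open if traffic must not pass
! uninspected while the module is down.
```

Narrowing the ACL to one interface or subnet limits how much traffic is redirected while the signatures are being tuned.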
12-09-2008 02:04 AM
Thanks for that. I ended up throwing caution to the wind and processing all traffic (inline); all looks good so far.
I am using IPS Event Viewer for 'Real Time' analysis and reporting.
Does anyone have any other recommendations?
12-30-2008 02:54 AM
Hi,
Could you share the sample configuration?