Any Luck Editing Actions on Events with ASA SSM

Unanswered Question
Dec 8th, 2009

W are running an ASA 5540 failover pair with SSM-40 modules.  When using the IME version 7.0.2 to manage the IPS we have not been successful in getting anything to work but "Deny Attacker Inline."  Nothing else works.  We have tried every option under the Actions and none work.  There are many signatures that we would like blocked, but only that signature.  ie. block Bittorrent but allow internet access.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
george.goebel Tue, 12/15/2009 - 13:00

Hello and thanks for the reply.  It is running inline.

And we have not had any luck getting the other options to work.

Farrukh Haroon Tue, 12/15/2009 - 22:16

If you manage the device through ASDM or IME should not make a difference.

What I would suggest is to test the action on a simple signature, like the ICMP ones (e.g. Sig 2004, you have to enable it first) and not a complex one like P2P etc.

Also what is exactly happening with the other actions? Do you see the signature fire in IME with the 'action' listed? Or the action field is empty in the IME alerts? Or the signature does not fire at all?


Regards

Farrukh

george.goebel Wed, 12/16/2009 - 05:40

The IPS sees the event and logs it, the action selected doesn't work other than the "Deny Attacker."  We would like to have the IPS just stop the event, but that is the problem.  We have used ASDM and IME latest versions.  The IPS has the latest versions too.  It just doesn't work!

Actions

This Discussion