Any Luck Editing Actions on Events with ASA SSM

Unanswered Question
Dec 8th, 2009
User Badges:

W are running an ASA 5540 failover pair with SSM-40 modules.  When using the IME version 7.0.2 to manage the IPS we have not been successful in getting anything to work but "Deny Attacker Inline."  Nothing else works.  We have tried every option under the Actions and none work.  There are many signatures that we would like blocked, but only that signature.  ie. block Bittorrent but allow internet access.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Tue, 12/15/2009 - 12:18
User Badges:
  • Red, 2250 points or more

Which mode have you configured on the ASA firewall? Inline or Promiscuous?

george.goebel Tue, 12/15/2009 - 13:00
User Badges:

Hello and thanks for the reply.  It is running inline.

And we have not had any luck getting the other options to work.

Farrukh Haroon Tue, 12/15/2009 - 22:16
User Badges:
  • Red, 2250 points or more

If you manage the device through ASDM or IME should not make a difference.

What I would suggest is to test the action on a simple signature, like the ICMP ones (e.g. Sig 2004, you have to enable it first) and not a complex one like P2P etc.

Also what is exactly happening with the other actions? Do you see the signature fire in IME with the 'action' listed? Or the action field is empty in the IME alerts? Or the signature does not fire at all?



george.goebel Wed, 12/16/2009 - 05:40
User Badges:

The IPS sees the event and logs it, the action selected doesn't work other than the "Deny Attacker."  We would like to have the IPS just stop the event, but that is the problem.  We have used ASDM and IME latest versions.  The IPS has the latest versions too.  It just doesn't work!


This Discussion