I have installed a 4255 sensor inline behind an ASA 5550 that connects to the Internet.
The problem is that the IPS is not tuned (brand-new) and as soon as we connect the IPS inline, the CPU goes up to 100% and stops the traffic flow in a matter of minutes.
Therefore we removed the IPS and everything went back to normal.
Now, I connected the 4255 in promiscuous mode (behind the ASA connected to the 4506 backbone switch), and I still see the CPU between 40% and 80%.
The sensor is running the latest image 7.0(2)E3 and the latest signature package S477.0.
My questions are:
1. Where do I check on the sensor exactly what it is doing, because we plan to leave the IPS in IDS mode for a couple of weeks? Are there some kind of reports that I can get from it? What is the best way to check it out? I managed the sensor via IDM 7.0.
2. After getting the above information, what is the recommendation to tune the device? Disable signatures? How do I find out which signatures I need and if we are getting lots of false positives and/or false negatives?
3. Any other comments are appreciated!
Thank you All as always.