Cisco IPS Manager Express 7.0.1

Answered Question
Apr 21st, 2010

I just want to verify if the following is working properly:


- Under Configuration > IPS > Sensor Monitoring > Time-Based Actions > Host Blocks is configured properly


I have entered in a few hosts to be blocked and I notice the following:


- Under Connection Block Enabled tab it shows "false" for any host that I enter in. ??????


Thank you in advance for your assistance.

Jennifer Halim Wed, 04/21/2010 - 22:08
User Badges:
  • Cisco Employee

The blocking feature on IPS relies on other network devices. IPS itself will not be blocking the hosts.


You would need to configure which network device will be blocking the host via:

Configuration --> Sensor Management --> Blocking --> Blocking Properties, Blocking Devices, and which interface of the network device will be performing the blocking.


Once the above has been configured, and through Monitoring --> Time Based Actions --> Host Blocks, IPS will send this request off to the network device configured above to be blocked.


Hope that helps.

dukeminus Thu, 04/22/2010 - 07:37

Thanks for your response.

All that you have mentioned in regards to setting blocking up has been done and is working fine. My question is in regards to the wording that I am seeing if you go to Configuration > IPS > Sensor Monitoring > Time-Based Actions > Host Blocks. Under the Connection Block Enabled tab it shows "false". Is this what I should be seeing, as opposed to something else?

Correct Answer
Jennifer Halim Fri, 04/23/2010 - 04:23
User Badges:
  • Cisco Employee

False means that the blocking rule was not turned on (not enabled)


It means that someone might have configured the rule before, however, did not enable it.


If you click on the "Add" button, you would be able to see what I mean (the "Enable connection blocking" needs to be ticked to block the host configured), and it will show as "True" once you enable it.


Hope that answers your question.

Przemyslaw Konitz Thu, 12/15/2011 - 04:44

Hi,


additional question,


How do I configure it from the CLI? I couldn't find any command, and when I enter it from IDM or Express (whether with this option enabled or disabled) it is not shown in the CLI.


Output from show statistics network-access:

Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = false
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
State
   BlockEnable = true
   BlockedAddr
      Host
         IP = 7.7.7.7
         Vlan =
         ActualIp =
         BlockMinutes = 60
         MinutesRemaining = 56
      Host
         IP = 9.9.9.9
         Vlan =
         ActualIp =
         BlockMinutes = 60
         MinutesRemaining = 57



What is more, when configuring the 7.7.7.7 rule I added a destination of 8.8.8.8; where is it stored?


regards
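Added example, not part of the thread: a small Python parser for the show statistics network-access output posted above, so that a script can confirm the sensor's BlockEnable state and see how much block time each host has left. The sample text is constructed from the values in the post; its indentation is assumed from the usual layout of that command.

```python
# Constructed sample based on the output quoted in the post above;
# the indentation is an assumption about how the sensor prints it.
SAMPLE = """Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = false
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
State
   BlockEnable = true
   BlockedAddr
      Host
         IP = 7.7.7.7
         Vlan =
         ActualIp =
         BlockMinutes = 60
         MinutesRemaining = 56
      Host
         IP = 9.9.9.9
         Vlan =
         ActualIp =
         BlockMinutes = 60
         MinutesRemaining = 57
"""


def parse_network_access(text):
    """Parse the output into (config, state, hosts); hosts is a list of dicts."""
    config, state, hosts = {}, {}, []
    target = None  # dict that receives the next "key = value" line
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Current Configuration":
            target = config
        elif line == "State":
            target = state
        elif line == "Host":  # each Host line starts a new blocked entry
            hosts.append({})
            target = hosts[-1]
        elif "=" in line and target is not None:
            key, _, value = line.partition("=")
            target[key.strip()] = value.strip()  # empty fields (Vlan =) become ""
    return config, state, hosts


def blocks_expiring_within(hosts, minutes):
    """Return the IPs of blocked hosts whose remaining block time is at most `minutes`."""
    return [h["IP"] for h in hosts if int(h.get("MinutesRemaining") or 0) <= minutes]
```

Running parse_network_access on the real command output (for example captured over SSH) gives the same three structures, which is enough to alert when BlockEnable is not "true" or when a block is about to lapse.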
