Cisco IPS Manager Express 7.0.1

dukeminus
Level 1

I just want to verify if the following is working properly:

- Under Configuration > IPS > Sensor Monitoring > Time-Based Actions > Host Blocks is configured properly

I have entered in a few hosts to be blocked and I notice the following:

- Under the Connection Block Enabled tab it shows "false" for any host that I enter in?

Thank you in advance for your assistance.

1 Accepted Solution

Accepted Solutions

False means that the blocking rule was not turned on (not enabled).

It means that someone might have configured the rule before, however, did not enable it.

If you click on the "Add" button, you would be able to see what I mean (the "Enable connection blocking" needs to be ticked to block the host configured), and it will show as "True" once you enable it.

Hope that answers your question.

4 Replies

Jennifer Halim
Cisco Employee

The blocking feature on IPS relies on other network devices. IPS itself will not be blocking the hosts.

You would need to configure which network device will be blocking the host via:

Configuration --> Sensor Management --> Blocking --> Blocking Properties, Blocking Devices, and which interface of the network device will be performing the blocking.

Once the above has been configured, and through Monitoring --> Time Based Actions --> Host Blocks, IPS will send this request off to the network device configured above to be blocked.

Hope that helps.

Thanks for your response.

All that you have mentioned in regards to setting blocking up has been done and is working fine. My question is in regards to the wording that I am seeing if you go to Configuration > IPS > Sensor Monitoring > Time-Based Actions > Host Blocks. Under the Connection Block Enabled tab it shows "false". Is this what I should be seeing, as opposed to something else?

Hi,

additional question,

How do I configure it from the CLI? I couldn't find any command, and when I add it from IDM or Express (whether with this option enabled or disabled) it is not shown in the CLI.

Output from show statistics network-access:

Current Configuration
   LogAllBlockEventsAndSensors = true
   EnableNvramWrite = false
   EnableAclLogging = false
   AllowSensorBlock = false
   BlockMaxEntries = 250
   MaxDeviceInterfaces = 250
State
   BlockEnable = true
   BlockedAddr
      Host
         IP = 7.7.7.7
         Vlan =
         ActualIp =
         BlockMinutes = 60
         MinutesRemaining = 56
      Host
         IP = 9.9.9.9
         Vlan =
         ActualIp =
         BlockMinutes = 60
         MinutesRemaining = 57

What is more, when configuring the 7.7.7.7 rule I added a destination of 8.8.8.8; where is it stored?

regards
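An added example, not from this thread or from Cisco, that parses the `show statistics network-access` output quoted above and reports whether a host block is actually in force (BlockEnable true and time remaining), which is the check a defender wants before trusting the IME "Connection Block Enabled" column. The sample output is reconstructed from the post; the indentation-based nesting and the absence of the 8.8.8.8 destination from BlockedAddr are taken from what the post shows.

```python
import re

# Sample output constructed from the `show statistics network-access` output
# posted in the thread; indentation-based nesting is assumed.
SAMPLE = """\
Current Configuration
   LogAllBlockEventsAndSensors = true
State
   BlockEnable = true
   BlockedAddr
      Host
         IP = 7.7.7.7
         Vlan =
         ActualIp =
         BlockMinutes = 60
         MinutesRemaining = 56
      Host
         IP = 9.9.9.9
         Vlan =
         ActualIp =
         BlockMinutes = 60
         MinutesRemaining = 57
"""

def parse_network_access(text):
    """Return (BlockEnable flag, list of host-block dicts) from the CLI output."""
    block_enable, hosts, current = False, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Host":                  # start of one BlockedAddr entry
            current = {}
            hosts.append(current)
            continue
        m = re.match(r"(\w+)\s*=\s*(.*)", line)
        if not m:
            continue                        # section headers carry no value
        key, value = m.group(1), m.group(2).strip()
        if key == "BlockEnable":
            block_enable = value.lower() == "true"
        elif current is not None:
            current[key] = value            # empty values (Vlan =) stay ""
    for h in hosts:                         # normalise the numeric fields
        h["BlockMinutes"] = int(h.get("BlockMinutes") or 0)
        h["MinutesRemaining"] = int(h.get("MinutesRemaining") or 0)
    return block_enable, hosts

def is_block_active(text, ip):
    """True only if blocking is enabled and the host still has time remaining."""
    enabled, hosts = parse_network_access(text)
    return enabled and any(h.get("IP") == ip and h["MinutesRemaining"] > 0 for h in hosts)
```

Run against the real sensor output on a schedule and alert when a host you expect to be blocked returns False, or when BlockEnable flips to false.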
