Kindly help me to configure IPS in ASA firewall.
1) How to divert the traffic to IPS
2) Getting alerts for attacks
3) how to read the signature
All the basic level configuration fo IPS required.
Below is a URL that covers the setup process of configuring the ASA to send traffic to the AIP-SSM module.
Basically the commands from the ASA might look something like this is you wanted to send all the traffic to the AIP-SSM module for inspection and you wanted it to operate inline:
ciscoasa(config)#access-list traffic_for_ips permit ip any any
ciscoasa(config-cmap)#match access-list traffic_for_ips
ciscoasa(config-pmap-c)#ips inline fail-open
cisocasa(config)# service-policy global_policy global
After the above is done you will need to session into the AIP-SSM module and run the setup command to get basic connectivity. Here is a link that covers this process:
The command to session into the AIP-SSM is as follows:
Once you have the basic configuration setup you can then access the AIP-SSM via IDM by going to https://18.104.22.168. In this example replace the 22.214.171.124 with the IP address of the management interface that you configured under the "setup" command. You can also download and use IME (IPS Manager Express). IME is avaliable for download from Cisco with a valid CCO account. I would recommend to use IME as it has several advantages over IDM.
Once in IME you will need to associate the backplane interface with the virtual sensor. You can do this in IME by going to Configuration->Policies->IPS Policies and on the right had side next to "Add virtual Sensor" highlight vs0 and click edit. You can then assign the Gigabit Ethernet0/1 (Backplane Interface) to the virtual sensor. Click on Ok and then click on APPLY.
At this point you should be inspecting traffic.
With IME you can do some historical reporting and setup to be notified via email for certain events. Here is some additional information on IME:
To setup email notification from IME go to Tools->Preferences->Notification.
For any signatures that fire you can find additional details about the specific signatures from within IME by going to Configuration->Policies->Signature Definitions->Active Signatures and highlighting a signature and looking at the MySDM Explanation in the lower right of the IME screen. Alternatively you can also go to the following URL and lookup any specific signatures:
There is also an "Initial Configuration of the AIP-SSM Sensor (Video)" in this suppport forum that you might find beneficial. Hopefully this URL will get you to it https://supportforums.cisco.com/docs/DOC-12233
I hope the above helps!