I have installed an IPS 4255 with version 7.0(2)E4 and am using IME 7.0.2.
I am not able to see the logs in the IME (Event Monitoring), but when I access them by CLI (show events) I can see the logs.
I also tried to tune a signature for ICMP large packet to log and deny traffic (using deny packet inline and deny attacker inline), and pinged
a server from inside to outside with a large packet. In this case, IME showed the logs but it did not deny the traffic.
Am I missing something here?
One more question: does the IPS at least log the traffic for IPs that are configured as "never block IP addresses"?
Please, I need some help.
Thank you and Regards,
1- OK, it's good that the event status is connected.
2- By checking all four severities in the device properties you have instructed IME not to retrieve events of those four severities. You need to uncheck those severities to allow IME to retrieve all event severities. Please note, the text within IME is worded, "Exclude alerts of the following severity level(s)".
3- If there are no real-time events, you will likely not have historical events.
4- As your sensor is configured for both inline and promiscuous operation, the deny actions will only take effect on signature events generated by the inline interface pair. If the signature event is generated by the promiscuous interface, the deny action cannot be actioned.
While your network may be completely IPv4, it is possible for systems running Windows and Mac OS X to have IPv6 enabled by default, and in turn generate this traffic on your network.
If a signature event fires and has an action of 'Produce Alert' assigned, the IPS should log the activity regardless of the host being listed as do not block or not.