Community Member

Anomaly Detection not detecting host machines (learned OS)

I have an ASA5540X firewall with the internal (software-based) IPS module. The module has the up-to-date signatures and seems to be running correctly. However, after enabling anomaly detection (ad0), and specifying the internal zones, I don't see any "Learned OS" in IME.

My settings are pretty basic for the sensor:


access-list ips_traffic extended permit ip any any
access-list ips_traffic extended permit udp any any

class-map ips_class
 match access-list ips_traffic

policy-map global_policy
 class ips_class
  ips inline fail-open


Not sure why it isn't learning the OSs.


Accepted Solutions


Learned OS maps—OS maps observed by the sensor through the fingerprinting of TCP packets with the SYN control bit set. Learned OS maps are local to the virtual sensor that sees the traffic.

Can you verify the OS fingerprinting from

sensor# show os-identification learned

Enable passive-traffic-analysis {enabled | disabled}
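
The answer above says learned OS maps come from fingerprinting TCP packets with the SYN bit set, so a sensor that never sees those packets has nothing to learn from. The following is an added illustration of that idea, not part of the thread and not Cisco's implementation; the signature table, addresses and the helper `build` are constructed for the example.

```python
import struct

# Constructed, simplified signatures (not Cisco's): (initial TTL, option order) -> OS
SIGNATURES = {(64, "mss,sackOK,ts,nop,ws"): "Linux",
              (128, "mss,nop,ws,nop,nop,sackOK"): "Windows"}
OPT_NAMES = {1: "nop", 2: "mss", 3: "ws", 4: "sackOK", 8: "ts"}

def parse_syn(pkt):
    """Return fingerprint fields for an IPv4 TCP packet with SYN set, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:   # IPv4, protocol 6 = TCP
        return None
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(tcp) < 20 or not tcp[13] & 0x02:   # too short, or SYN bit clear
        return None
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    raw, i, opts = tcp[:(off_flags >> 12) * 4], 20, []
    while i < len(raw) and raw[i] != 0:       # kind 0 = end of option list
        kind = raw[i]
        size = 1 if kind == 1 else int.from_bytes(raw[i + 1:i + 2], "big")
        if kind != 1 and size < 2:
            break                             # malformed or truncated option
        opts.append(OPT_NAMES.get(kind, f"opt{kind}"))
        i += size
    return {"src": ".".join(map(str, pkt[12:16])), "ttl": pkt[8],
            "window": window, "options": ",".join(opts)}

def learn_os(packets):
    """Build a {source IP: OS guess} map from the SYN packets that were seen."""
    learned = {}
    for fp in filter(None, map(parse_syn, packets)):
        initial_ttl = next(t for t in (32, 64, 128, 255) if fp["ttl"] <= t)
        learned[fp["src"]] = SIGNATURES.get((initial_ttl, fp["options"]), "unknown")
    return learned

def build(src, ttl, flags, window, options=b""):
    """Constructed IPv4+TCP headers for the sample below (checksums left at zero)."""
    off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (off << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes([10, 0, 0, 1]))
    return ip + tcp + options

# Constructed sample traffic: two SYNs and one mid-flow ACK
LINUX_OPTS = bytes.fromhex("020405b4 0402 080a0000000100000000 01 030307")
WIN_OPTS = bytes.fromhex("020405b4 01 030308 0101 0402")
SAMPLE = [build("10.1.1.20", 64, 0x02, 29200, LINUX_OPTS),   # SYN
          build("10.1.1.30", 127, 0x02, 8192, WIN_OPTS),     # SYN, one hop away
          build("10.1.1.40", 128, 0x10, 8192)]               # ACK only, mid-flow
```

`learn_os(SAMPLE)` maps only the two hosts whose SYN was observed; the host seen only mid-flow never appears, which is the same symptom as an empty learned OS list on a module that is not receiving the connection setup traffic.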

 

2 REPLIES


Community Member


I realized that the problem was a failover issue--the ASAs are in a pair, and after a failover, the IPS policies had been applied to the wrong (failover) IPS module. Once I applied them on the correct module, I could see all the learned OSs.
