Configure newly deployed inline IPS to alert only

savy-pfsec
Level 1

All,

I'm hoping some of you experts can assist me with this request. I recently started a new job and they put the IPS into prod (we are running the software-based module on our ASA), and it started blocking more than they had intended. They configured the ASA to not send any traffic to it, to stop the outage.

So now we have an IPS half-way set up and I need to finish the job. I'm new to Cisco IPS, but what I really want to know is: is there a way I can deploy this sensor so that it is still inline but will not block anything? This way I can baseline the environment and see what type of alerts are firing.

Any help on the best way to set this up, or deployment tips, would be appreciated!

3 Replies

Poonam Garg
Level 3

Refer to this link to set up your IPS module:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/asdm70/configuration_guide/asdm_70_config/modules_ips.html

Better to deploy the IPS module in promiscuous mode if you don't want to block any traffic.

Saurav Lodh
Level 7

If you don't want the IPS to block anything while sitting inline, but still throw alerts, choose "Produce Alert" from the event actions.

Produce Alert

Writes the event to the Event Store as an alert.

Note: The Produce Alert action is not automatic when you enable alerts for a signature. To have an alert created in the Event Store, you must select Produce Alert. If you add a second action, you must include Produce Alert if you want an alert sent to the Event Store. Also, every time you configure the event actions, a new list is created and it replaces the old list. Make sure you include all the event actions you need for each signature.


Poonam and salodh thank you both for your replies!


Poonam - I was considering deploying it in promiscuous mode, but I had concerns about signatures that were set to "deny packet inline" only in that mode. In that case it would not "block" anything, but would I still see an alert (even though "produce alert" is not set in the sig) for this event?

salodh - I think this idea is more what I was initially thinking. I have a question on it, however. If using an "Event action override" and I check "Produce Alert" in your example attached, would it also still deny the packet inline because "Deny packet inline" is also checked?


Again thanks for the help! 
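As an added illustration of the alert-only inline setup discussed in Saurav's reply and in the follow-up question above (editor's example, not configuration posted by anyone in this thread), the sensor-side rules below use the two mechanisms the Cisco IPS event action rules expose: an event action override, which only ever adds an action to events in a risk-rating range, and an event action filter, which removes actions. Checking Produce Alert in an override therefore does not cancel a Deny Packet Inline that is set on the signature itself; that is what the filter is for. Names such as `alert-only` are assumed; the default `rules0` policy, the `global_policy` policy map and the ASA IPS module syntax are the ones from the Cisco IPS 7.x and ASA 9.0 CLI guides.

```console
! --- Sensor side (Cisco IPS CLI, virtual sensor policy rules0) ---
sensor# configure terminal
sensor(config)# service event-action-rules rules0

! 1. Make sure every event lands in the Event Store: add Produce Alert
!    to all events regardless of risk rating (an override ADDS actions).
sensor(config-rul)# overrides produce-alert
sensor(config-rul-ove)# override-item-status Enabled
sensor(config-rul-ove)# risk-rating-range 0-100
sensor(config-rul-ove)# exit

! 2. Disable the default override that adds Deny Packet Inline at RR 90-100.
sensor(config-rul)# overrides deny-packet-inline
sensor(config-rul-ove)# override-item-status Disabled
sensor(config-rul-ove)# exit

! 3. Strip every inline deny action from every event (a filter REMOVES actions).
!    Produce Alert is deliberately not in actions-to-remove, so alerts still fire.
sensor(config-rul)# filters insert alert-only begin
sensor(config-rul-fil)# signature-id-range 900-65535
sensor(config-rul-fil)# subsignature-id-range 0-255
sensor(config-rul-fil)# attacker-address-range 0.0.0.0-255.255.255.255
sensor(config-rul-fil)# victim-address-range 0.0.0.0-255.255.255.255
sensor(config-rul-fil)# risk-rating-range 0-100
sensor(config-rul-fil)# actions-to-remove deny-packet-inline|deny-connection-inline|deny-attacker-inline|deny-attacker-victim-pair-inline|deny-attacker-service-pair-inline|reset-tcp-connection|modify-packet-inline
sensor(config-rul-fil)# filter-item-status Enabled
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes?[yes]: yes

! --- ASA side: send traffic to the module again, inline, failing open ---
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# ips inline fail-open
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit
ciscoasa(config)# service-policy global_policy global
```

The order matters for the baseline: apply the sensor rules first, then re-enable the ASA service policy, so the module is never briefly inline with its original deny actions. `fail-open` keeps traffic flowing if the module is down. When the baseline period ends, removing the `alert-only` filter (and, if wanted, re-enabling the deny-packet-inline override) restores blocking without touching individual signatures.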
