I'm hoping some of you experts can assist me with this request. Recently started a new job and they put the IPS into prod (we are running the software-based module on our ASA) and it started blocking more than they had intended. They configured the ASA to not send any traffic to it, to stop the outage.
So now we have an IPS half-way set up and I need to finish the job. I'm new to Cisco IPS, but I really want to know is there a way I can deploy this sensor so that it is still inline but it will not block anything. This way I can baseline the environment and see what type of alerts are firing.
Any help on the best way to set this up / deploy tips would be appreciated!
If you don't want the IPS to block anything while sitting inline but to throw alerts, from the event actions opt for "produce alert":
Writes the event to the Event Store as an alert.
Note: The Produce Alert action is not automatic when you enable alerts for a signature. To have an alert created in the Event Store, you must select Produce Alert. If you add a second action, you must include Produce Alert if you want an alert sent to the Event Store. Also, every time you configure the event actions, a new list is created and it replaces the old list. Make sure you include all the event actions you need for each signature.
Poonam and salodh, thank you both for your replies!
Poonam - I was considering deploying it in promiscuous mode, but I had concerns about signatures that were set to "deny packet inline" only in that mode. In that case it would not "block" anything, but would I still see an alert (even though "produce alert" is not set in the sig) for this event?
salodh - I think this idea is more what I was initially thinking. I have a question on it, however. If using an "Event action override" and I check "Produce Alert" in your example attached, would it also still deny the packet inline because "Deny packet inline" is also checked?