New Member

Configure newly deployed inline IPS to alert only

All,

I'm hoping some of you experts can assist me with this request. I recently started a new job and they put the IPS into prod (we are running the software-based module on our ASA), and it started blocking more than they had intended. They configured the ASA to not send any traffic to it, to stop the outage.

So now we have an IPS halfway set up and I need to finish the job. I'm new to Cisco IPS, but what I really want to know is whether there is a way I can deploy this sensor so that it is still inline but will not block anything. This way I can baseline the environment and see what type of alerts are firing.

Any help on the best way to set this up, or deployment tips, would be appreciated!

3 REPLIES
Silver

Refer to this link to set up your IPS module:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/asdm70/configuration_guide/asdm_70_config/modules_ips.html

It is better to deploy the IPS module in promiscuous mode if you don't want to block any traffic.

If you don't want the IPS to block anything while sitting inline, but to throw an alert, opt for "Produce Alert" from the event actions:

Produce Alert

Writes the event to the Event Store as an alert.

Note: The Produce Alert action is not automatic when you enable alerts for a signature. To have an alert created in the Event Store, you must select Produce Alert. If you add a second action, you must include Produce Alert if you want an alert sent to the Event Store. Also, every time you configure the event actions, a new list is created and it replaces the old list. Make sure you include all the event actions you need for each signature.

New Member

Poonam and salodh, thank you both for your replies!

Poonam - I was considering deploying it in promiscuous mode, but I had concerns about signatures that were set to "deny packet inline" only in that mode. In that case it would not "block" anything, but would I still see an alert (even though "produce alert" is not set in the sig) for this event?

salodh - I think this idea is more what I was initially thinking. I have a question on it, however. If using an "Event action override" and I check "Produce Alert" in your attached example, would it also still deny the packet inline because "Deny packet inline" is also checked?

Again, thanks for the help!
