It seems that 1330 and other normalizer sigs are causing Cicso (and myself) some grief (as evident in CSCsc37875). I am wondering if I can just disable 1330 and all the subs entirely. I am seeing this sig (1330/14 in particular) fire alot. I set the action to either produce an alert or do nothing at all (no packet mod or denying or dropping) so I don't see the point of keeping 1330 enabled.
Some of the 1330 signatures have additional internal functions, like queueing fragments for reassembly, so just turning them off is not recommended...in the extreme case you may just render your IPS into a wire.
The following tunings were included as part of the S248 signature update and represent our suggested "minimal interference" settings that still let the IPS do its job.
1311 Produce Alert ON, Deny_XXX OFF
1330.16 Produce Alert ON, Deny_XXX OFF
HTML sort of killed the formatting...all lines with " are supposed to mean "same as above".
Obviously "Produce Alert" is up to you, but we think that these signatures, if firing, warrant some research into the cause. Removing the Deny_whatever actions will keep the signature from interferring with the packets, yet still leave its other functionality enabled.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :