Could anyone please help. I recently installed a PIX 5520 with AIP-SSM-10. I can manage the sensor just fine and am using "configuring Cisco IPS using CLI 6.0" as a reference. I recently downloaded new signatures as sig1 on my sensor. when I enable the sensors and put them in non-blocking mode after an hour they are blocking half of my users to the INternet. How do I fine-tune the 50K new signatures? Are there any really good examples and references you might know about?
You should be able to quickly locate which signatures are causing problems by using either the ASDM or IPS Express Manager. If you dont have either of these programs go to Cisco's site and download them.
You can use the event viewer in either program and look for signatues which have actions of blocking or dropping packets from your internal users. You should then be able to tune only the signatures causing problems.
Also, when you download the new signatues, look at the txt document that is released with it. It should list any new signatures as well as any changes to old signatures.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...