Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IDS 4215 and Pix 501

We are configuring an IDS 4215 and a Pix 501. We can manually add a block in the IDS which updates the Pix, but no matter what setting on a signature is made the IDS will not automatically add the block to the pix when the signture is detected. Thank you in advance for any assisatance.

2 REPLIES
New Member

Re: IDS 4215 and Pix 501

IDS-4215 2.4.26-IDS-SNMP-BIGPHYS

PIX-501 6.3(4)

Cisco Employee

Re: IDS 4215 and Pix 501

If you can go to IDM and through the IDM screen add in a address to be Blocked, and can verify with "show shun" on the Pix that it was being blocked by the sensor; then automatic blocking from signature Should work.

Often the problems I have seen is not that the automatic blocks are not making it to the Pix, but that the signature itself is never triggered in the first place, or that the block actions are being removed unintentionally by the user's own configuration.

Things to check:

1) Use "show events" on the sensor CLI to view the actual alert. If you can't see an alert for the attack is unlikely that the signature even triggered. The signature must trigger before the block is requested.

2) If you do see the alerts being generated, then look for a line in the alert itself that shows if the blockHost event action has been requested.

If you don't see that field in the alert, then something is wrong with your configuration.

(NOTE: Do not confuse deny-attacker-inline and request-block-host event actions. The deny-attacker-inline action is for an inline sensor to deny the packets itself without needing a Pix)

Verify in the signature definition configuration that you added the "request-block-host" event action to the signature.

Verify that you do not have a filter in the event action rules configuration that might be removing that action.

3) Other things to check if you Do see the requested block host line in your alert.

a) There should be a corresponding evShunRequest message that you would see in the "show event" output immeditately after seeing the alert.

b) In Most cases you will also see a following evStatus message showing whether or not the host was blocked successfully.

c) Also look in the IDM screen for blocks and see if Host was added to the Block screen in IDM (you may have to hit the refresh button)

146
Views
0
Helpful
2
Replies
CreatePlease login to create content