We are configuring an IDS 4215 and a Pix 501. We can manually add a block in the IDS which updates the Pix, but no matter what setting on a signature is made the IDS will not automatically add the block to the Pix when the signature is detected. Thank you in advance for any assistance.
If you can go to IDM and through the IDM screen add in an address to be blocked, and can verify with "show shun" on the Pix that it was being blocked by the sensor, then automatic blocking from a signature should work.
Often the problem I have seen is not that the automatic blocks are not making it to the Pix, but that the signature itself is never triggered in the first place, or that the block actions are being removed unintentionally by the user's own configuration.
Things to check:
1) Use "show events" on the sensor CLI to view the actual alert. If you can't see an alert for the attack, it is unlikely that the signature even triggered. The signature must trigger before the block is requested.
2) If you do see the alerts being generated, then look for a line in the alert itself that shows if the blockHost event action has been requested.
If you don't see that field in the alert, then something is wrong with your configuration.
(NOTE: Do not confuse the deny-attacker-inline and request-block-host event actions. The deny-attacker-inline action is for an inline sensor to deny the packets itself without needing a Pix.)
Verify in the signature definition configuration that you added the "request-block-host" event action to the signature.
Verify that you do not have a filter in the event action rules configuration that might be removing that action.
3) Other things to check if you do see the requested block host line in your alert:
a) There should be a corresponding evShunRequest message that you would see in the "show event" output immediately after seeing the alert.
b) In most cases you will also see a following evStatus message showing whether or not the host was blocked successfully.
c) Also look in the IDM screen for blocks and see if the host was added to the Block screen in IDM (you may have to hit the refresh button).