Cisco Support Community
New Member

IEV 5.2

Hi,

I have an ASA 5510 with AIP-SSM-10 in my test environment. I have installed IEV 5.2 in one of the servers to analyze the log.

The IEV server is added to IPS acl and has a username and password with Administrator access.

I'm using the default filter. However, I don't see any data in IEV. The event realtime graph reports the data size as 0 KB and I don't see any data in the real-time dashboard either.

Is there any specific configuration that needs to be done on the IPS or IEV to view the data?

I'd appreciate any insights on this.

Thx in advance.

Regards,

Janakan Rajendran

25 REPLIES
Silver

Re: IEV 5.2

Did you make sure you assigned the Backplane interface to the Virtual Sensor? Check by going to the sensor via https, then make sure that in Configuration --> Analysis Engine --> Virtual Sensor the Backplane is assigned to the virtual sensor. If it is not assigned, click Edit and assign it.

If this helps, please rate!

Thanks.

New Member

Re: IEV 5.2

Hi,

Yes, it is assigned to vs0. I have a syslog server running on the same machine and I am receiving syslog messages.

But IEV reports all the message counts (Informational, Low, Medium, High) as zero. IEV can see the IPS though (red dot next to the sensor name), and device status also reports as successful.

I think I'm missing something on the ASDM configuration. I walked through the help file on IEV but no luck yet.

Any more thoughts?

Thank you,

Janakan Rajendran

Silver

Re: IEV 5.2

Also, don't forget to make a policy to send all traffic to the SSM for review on the ASA.

Here is an example:

class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
  inspect icmp
 class global-class
  ips inline fail-open
!
service-policy global_policy global

New Member

Re: IEV 5.2

Hi,

Thx for your responses. I'm more comfortable using the GUI than the CLI. Is there any way I can do this with ASDM?

Thx again!

Regards,

Janakan Rajendran

New Member

Re: IEV 5.2

Hi,

I just copied your config and applied it to my ASA. So I think that part is done. Still nothing on IEV.

-Janakan Rajendran

Silver

Re: IEV 5.2

If you log into the sensor, and type sho events past 00:30. What does it say? I just want to be sure your sensor is not getting events... I want to eliminate that as a problem before troubleshooting the IEV.

New Member

Re: IEV 5.2

Hi,

When I run show events, I get the following for 1-2 pages:

evStatus: eventId=1146009156396483245 vendor=Cisco
  originator:
    hostId: CPRIPS
    appName: login(pam_unix)
    appInstanceId: 400
  time: 2006/10/02 14:58:59 2006/10/02 09:58:59 GMT-05:00
  syslogMessage:
    description: session closed for user cisco
evStatus: eventId=1146009156396483246 vendor=Cisco
  originator:
    hostId: CPRIPS
    appName: cidwebserver
    appInstanceId: 280
  time: 2006/10/02 15:00:32 2006/10/02 10:00:32 GMT-05:00
  loginAction: action=loggedOut
    description: User's session expired
    userName: cisco
    userAddress: port=3707 192.168.1.10

-Janakan Rajendran

Silver

Re: IEV 5.2

You may need to add your internal networks... Try this

1) https to your sensor and log in with your admin account

2) Go to Configuration --> Event Action Rules --> Event Variables

3) Add an IN variable and define all of your internal IP ranges

4) Add an OUT variable that includes everything else (kind of a pain)

New Member

Re: IEV 5.2

Hi,

I did as you suggested as I'm dealing with only two subnets for testing. No luck in IEV.

What type of logging and setup needs to be enabled in ASDM to see the data in IEV?

Thx again!

-Janakan Rajendran

Silver

Re: IEV 5.2

What version of ASDM are you running?

Silver

Re: IEV 5.2

If you are running 5.21 (and perhaps earlier versions), use the following references..

Add service policy with this link..

http://www.cisco.com/en/US/products/ps6121/products_user_guide_chapter09186a00806a2f46.html#wp1090495

Add IPS inspections with this link...

http://www.cisco.com/en/US/products/ps6121/products_user_guide_chapter09186a00806a2f46.html#wp1050542

New Member

Re: IEV 5.2

Hi,

Well, I have two global service policies which monitor all the services (any traffic) and have IPS inline.

However, I don't see anything under "Enabled" in ASDM. How do I enable these policies?

As I said earlier, I'm just trying to get at least information messages in IEV. Right now I do get them in kiwi syslogd running on the same machine as IEV.

Thx in advance!

New Member

Re: IEV 5.2

Hi,

I attached the configuration from ASA and IPS. I'd appreciate if you could have a look at it.

Thanks!

-Janakan

Silver

Re: IEV 5.2

1) Delete ALL of the inspection policy mess you have first using ASDM...

2) Run the following commands in ASDM (using the multi-line command line interface under Tools --> Command Line Interface). The indented commands are subcommands, so the outdented command must be run first. I actually would do them in groups.

class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
  inspect icmp
 class global-class
  ips inline fail-open
service-policy global_policy global

3) And most important... RATE ALL POSTS.. I am giving you free consulting, so I feel it is only fair...

4) Good luck
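As an added example (not from this thread or from Cisco), here is a small Python check over ASA running-config text that verifies the policy above actually hands every packet to the SSM: a policy-map applied with "service-policy ... global" whose class matches any traffic and carries an ips action. The sample config is constructed to mirror the posted policy; the parser assumes the plain class-map/policy-map/class/service-policy layout shown above.

```python
# Constructed sample mirroring the reply's policy, with ASA indentation restored.
SAMPLE_CONFIG = """\
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
 class global-class
  ips inline fail-open
service-policy global_policy global
"""

def parse_asa_policy(config):
    """Split ASA MPF config into class-maps, policy-maps and service-policy bindings."""
    cmaps, pmaps, bindings = {}, {}, []
    bucket, pmap = None, None              # list receiving the next sub-commands
    for raw in config.splitlines():
        words = raw.strip().split()
        if not words or words[0] == "!":
            continue
        kw = words[0]
        if kw == "class-map":                  # class-map NAME
            bucket = cmaps[words[-1]] = []
        elif kw == "policy-map":               # policy-map NAME
            pmap = pmaps[words[-1]] = {}
            bucket = None
        elif kw == "class" and pmap is not None:   # class NAME inside a policy-map
            bucket = pmap[words[1]] = []
        elif kw == "service-policy":           # service-policy NAME global|interface X
            bindings.append((words[1], " ".join(words[2:])))
        elif bucket is not None:               # a match line or a class action
            bucket.append(" ".join(words))
    return cmaps, pmaps, bindings

def check_ssm_policy(config):
    """List problems; empty means a global policy sends 'match any' traffic to the SSM."""
    cmaps, pmaps, bindings = parse_asa_policy(config)
    problems, routed = [], False
    for pname in [n for n, scope in bindings if scope == "global"]:
        for cname, actions in pmaps.get(pname, {}).items():
            ips = [a for a in actions if a.startswith("ips ")]
            if ips and "match any" in cmaps.get(cname, []):
                routed = True
            elif ips:
                problems.append(f"class {cname} has '{ips[0]}' but does not 'match any'")
    if not routed:
        problems.append("no globally applied 'match any' class has an 'ips inline' or 'ips promiscuous' action")
    return problems
```

Note that "fail-open" means traffic keeps flowing uninspected if the SSM stops responding, so a clean result from this check says the policy is complete, not that inspection is currently happening.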

New Member

Re: IEV 5.2

Hi,

Thank you for the response and all your help. I'm gonna try this and will let you know. I rated this post. Sorry I'm new here and didn't know about it.

-Janakan

New Member

Re: IEV 5.2

Hi,

What protocol or port does IEV use to receive data from the IPS? Does it need any ACL or entry in the "Logging" setup?

-Janakan Rajendran

Silver

Re: IEV 5.2

You most likely need to set up https access from the Security Monitor to the sensor. Also, I forgot to ask, but did you make sure you added your sensor in the Security Monitor Devices before you attempted to view them in Monitor --> Devices?

New Member

Re: IEV 5.2

Hi,

I just use IEV, not Security Monitor. From IEV to the IPS, it's an https connection. I can see "Subscription Successfully opened" when I check the "Device Status".

I'm using 'Diesel Test' to simulate a DoS attack and can see TCP FIN connections getting torn down in ASDM. I can also see the activity in HyperTerminal on the IPS when I give "packet display gigabitethernet0/1"...

I hope this proves that my IPS is working.

I'm hoping at least I should see information messages in IEV. No clue yet :-(

-Janakan

Silver

Re: IEV 5.2

So you are scanning from a lower security zone to a higher security zone through the ASA/PIX? Hopefully this is the case.. Because for your SSM module to see the traffic, you must traverse the firewall. Meaning you must go between firewall interfaces. To pick the traffic up, your firewall would also have to allow traffic through on the ports you are testing. Basically your test might be flawed... Can you describe the test setup ie where are you coming from/ going to?

New Member

Re: IEV 5.2

Hi,

I have a test machine (subnet A-public IP) as a host connected to Outside Interface of ASA5510.

I have another machine (Subnet B-private IP) running IIS which is connected to the Inside interface of the ASA5510. I configured NAT from subnet A to B. I also configured ACLs to allow "any" http/https traffic to go to my inside host. I can access the webpage using the public IP from the test machine connected to the outside interface.

I have also configured the management interface on the ASA 5510 (subnet C-private IP) through which I'm using ASDM to configure the ASA. I configured the management interface of the IPS module in Subnet C.

I have a machine running in Subnet C which has ASDM and IEV and is only connected to the management interface of the ASA and IPS through a switch.

Outside -----> ASA&IPS -----> Inside
70.x.y.z          |          10.x.y.z
                  |
             Mgmt (IEV&ASDM&syslog server)
                  192.x.y.z

As I said earlier, syslog server running on the same machine (UDP/514) collects data from ASA without any trouble.

Hope this gave you an idea of my test setup.

-Janakan

Silver

Re: IEV 5.2

Sounds like it should be able to pick up traffic then... Can you log into the sensor and do a sho config, save it to a file and post it? Perhaps your sensor is not correctly configured... You must do this with the sensor's CLI (try using putty.exe as your SSH client). Then run the command above.

New Member

Re: IEV 5.2

Please find the attachment. In my earlier mail today I have posted the ASA configuration as well.

Silver

Re: IEV 5.2

Looks like none of your signatures are enabled (they might not even be installed at all because they should show up on your sho config output).... You need to login to your sensor via IDM. To do this, https to the sensor's IP. Then go to the signature configuration section and enable/disable the necessary signatures....

New Member

Re: IEV 5.2

Hi,

I have already enabled the signatures I needed. The computer on which IEV is running is on the same subnet as the Management Interface and connected to the ASA through the Management Interface.

Is there a rule that the machine IEV is running on should be on a specific subnet? The management IP subnet is on the list of Allowed networks on the IPS. The same box running IEV has a syslog server running and it can receive alerts.

Thx again!

-Janakan

New Member

Re: IEV 5.2

Hi,

I was running IPS 5.0 which doesn't send events to IEV. I upgraded to 5.1(3) and it works now.

Thanks for your help!

-Janakan Rajendran
