Community Member

IPS and Virtual Sensors


I am looking to put in an IPS. I would like to monitor two segments, but read this in the docs...

"To avoid definition ordering issues, no conflicts or overlaps are allowed in assignments-you assign interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups to a specific virtual sensor so that no packet is processed by more than one virtual sensor."

Say I have two virtual sensors and subnets A and B. My question is that packets from segment A will go thru virtual-sensor1, but may (depending on routing) need to pass thru the VLAN pair of virtual-sensor2 to subnet B. Judging from above, this is not possible, since it says the packet can only be seen once. Please advise if I am interpreting the docs correctly.

Any suggestions or insight is appreciated! Thanks!


Re: IPS and Virtual Sensors

The quote is talking about Inline/VLAN Pair assignment and not asymmetric flows. They are two different issues.

Your setup should work fine; you might need to tweak a setting on the virtual sensor page though (with regard to asymmetric flows).



Community Member

Re: IPS and Virtual Sensors

Ah, okay; just to clarify... What they are speaking of is when the packet goes thru the IPS the first time, it stays in one virtual sensor during its "session" thru it and should not be processed by any other virtual sensor.

If the packet reenters the IPS on a different interface pair (i.e., virtual sensor) then that is OK.

Thanks for the reply!
