I have configured my IPS to manage a router and block traffice when certain sig. fire. I created the login info and ACL through the IDM. My question is by setting up the ACL through the IDM do I still need to apply the ACL to an interface on the router? if so what is the default name of this ACL?
For the most basic configuration (where there is not a pre-existing ACL on your router) there is little you need to do on the router.
From the router side you just need to ensure the router is properly configured for the sensor to reach it. This means usernames/passwords are properly set and either telnet or ssh configured for the sensor to use during the connection.
When you configure the sensor you tell it what usernames and passwords to use for the connection. And you tell the sensor which interface and direction to use.
When you apply the configure the sensor shoudl connect to the router and create a brand new ACL (it creates its own), and will apply it to the interface/direction that you configured the sensor to use.
To verify you can run a "show run" on the router and see the new ACL is created on the router and applied to the correct interface.
You shoudl also check the "show stat network-access" on the sensor and see if any errors are reported.
For a more advanced configuration there are additional things to do.
If you already have an existing ACL applied on the router for the interface you want the sensor to manage then you need to make some decisions.
You can manually remove that ACL in case you just remove it from the router, and then treat it like the basic configuration I mentioned above.
OR you can configure the sensor to do something with that ACL.
The sensor supports the Pre an Post ACL feature for Blocking.
When you configure the sensor to manage an interface/direction there is an option field for the Pre-ACL and for the Post-ACL.
The Pre and Post ACL fields are for the actual Names of ACLS that already exist on your router (you will need to create these ACLs on your router before configuring the sensor).
When the sensor goes to manage the router the sensor will create a brand new ACL.
The first line of that ACL will premit the sensor's own IP Address (or the NAT address of the sensor if configured).
IF a pre-ACL is designated then the sensor will read in the ACL lines from that existing ACL name and will then add copies of those lines into the sensor created ACL.
It will then add Deny lines for each address/connection being Blocked.
IF a Post-ACl is designated then the sensor will read in the ACL lines from that existing ACL name and will then add copied of those into the sensor created ACL.
IF a Post-ACL does not exist then the sensor just puts "permit ip any any" at the bottom of the ACL. (NOTE: If a Post-ACL is configured the sensor will NOT put "permit ip any any" at the bottom so be sure your Post-ACL has that at the bottom if you want it.)
The sensor does not do any kind of periodic checking to see if the Pre or Post ACLs have changed. It caches the entries on the first read of the config.
The Pre and Post ACL entries are re-read in only under the following conditions:
The Blocking configuration is modified and applied.
Or when the sensor is rebooted.
So if you have a pre-existing ACL on the router interface, then your easiest thing to do is to configure the sensor to use that existing ACL name as the Post-ACL.
The sensor will create a new ACL and will place the lines from your existing ACL at the bottom of the sensor's new ACL.
When the new sensor ACL gets applied the router itself will remove the application of your original ACL. It does not remove the lines that define your original ACL (those need to stay), but the original ACL is no longer applied to that interface.
Another option is to take your existing ACL and create 2 new ACLs. Use one of the new ACLs as the Pre-ACL, and the other as a Post-ACL.
This way you can in effect put some lines into the sensor created ACL before the Deny lines for the Blocks as well put some lines after the Deny lines for the Blocks.
Okay, it seems like the IPS is communicating with the router because when I look at the router I see the IDS ACL. There is still a problem though, the router sits in front of the IPS and once the sig fires the host is added to the ACL on the router. But it seems like that host is still getting through because I am still receiving alerts/e-mails from the same hosts trying to access the same IP/server after it has been added to the IDS ACL..
I need some help in figuring out why the router is not blocking host as the IPS is instructing it to?
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...