
New Member

IPS CLI Shunning

How do you shun with an IDS while in command line? I know how to shun from the GUI but I haven't been able to find the command string to shun from CLI.

I will have the 4200 (6.0) send shuns to a PIX 7.0.

Accepted Solutions

Cisco Employee

Re: IPS CLI Shunning

The link provided works for IPS 6.0 and earlier, but it is not really recommended.

In IPS 6.1 a new "block" command was added into the CLI to support blocking:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_blocking.html

The difference is that in 6.0 the CLI method actually added the Blocked Host into the "configuration" of the sensor. It is managed differently than entries added dynamically by sensorApp during signature triggering or added through IDM (or IME). The biggest difference is that all "configuration" blocks are considered permanent (not time based). If you remove a "configuration" block it does not actually get removed. You have to remove the "configuration" block AND then go through IDM and remove it again, because when a "configuration" block gets removed, the block still exists but is now managed the way IDM blocks are managed. So it must be removed twice.

The intention is to remove the "configuration" blocks in future versions, and instead a new "block" CLI command is added in IPS 6.1. The new "block" command is managed the same way as the IDM blocking.

So if you want to manage blocking through the CLI you should really upgrade to IPS 6.1. If using IPS 6.0 or earlier you are better off only using IDM.

For IPS 6.1 "block" command examples:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_blocking.html#wp1066202
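As an added illustration that is not part of the original thread, this is what the IPS 6.1 workflow described above looks like at the sensor prompt. The command forms are assumed from the 6.1 CLI blocking guide linked above rather than taken from this page, the sensor name, addresses and 30-minute timeout are constructed values, and it assumes blocking is already enabled on the sensor with the PIX 7.0 configured as the managed device (the same setup the GUI method in the question relies on).

```text
! Constructed IPS 6.1 session; command forms assumed from the linked 6.1 guide.
! A block added this way is a dynamic block, managed exactly like one added
! through IDM/IME: it is time based and expires on its own, so there is no
! "configuration" entry that would have to be removed a second time.
sensor# block host 192.0.2.77 timeout 30

! Verify the sensor now tracks the host as an active block and is pushing it
! to the managed device (look for the host in the active blocks list and for
! the PIX showing as connected/reachable).
sensor# show statistics network-access

! Confirm on the firewall side that the shun actually arrived (PIX 7.0 command).
pix# show shun

! Remove the block early if needed; because it is a dynamic block it is
! gone after this single step.
sensor# no block host 192.0.2.77
```

Before relying on this in production, run the same sequence once against a test address and check both the sensor statistics and the PIX shun table, since a block that the sensor lists but the PIX never received is the failure mode you most want to catch.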


New Member

Re: IPS CLI Shunning

I had not seen the link you provided. I do now. Thanks

