IPS CLI Shunning

rmeans
Level 3

How do you shun with an IDS while in command line? I know how to shun from the GUI but I haven't been able to find the command string to shun from CLI.

I will have the 4200 (6.0) send shuns to a PIX 7.0.

Accepted Solutions

The link provided works for IPS 6.0 and earlier. But is not really recommended.

In IPS 6.1 a new "block" command was added into the CLI to support blocking:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_blocking.html

The difference is that in 6.0 the CLI method actually added the Blocked Host into the "configuration" of the sensor. It is managed differently than entries added dynamically by sensorApp during signature triggerings or added through IDM (or IME). The biggest difference is that all "configuration" blocks are considered permanent (not time based). If you remove a "configuration" block it does not actually get removed. You have to remove the "configuration" block AND then go through IDM and remove it again. Because when a "configuration" block gets removed, the block still exists but is now managed the way IDM blocks are managed. So it must be removed twice.

The intention is to remove the "configuration" blocks in future versions, and instead a new "block" CLI command is added in IPS 6.1. The new "block" command is managed the same way as the IDM blocking.

So if you want to manage blocking through the CLI you should really upgrade to IPS 6.1. If using IPS 6.0 or earlier you are better off only using IDM.

For IPS 6.1 "block" command examples:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/cli/cli_blocking.html#wp1066202

3 Replies

I had not seen the link you provided. I do now. Thanks

