Cisco Support Community


IPS configuration?

Recently I installed the latest IPS update and noticed all signatures show the alarm action only. I thought SDF "actions" were preset by Cisco.

Should any sigs be changed to reset or drop?

How do you determine which sigs to change?

Should an ACL be used with IPS?



Re: IPS configuration?

You're right. Almost all IPS signatures are set to trigger log or alarm only, except for some critical signatures that, by default, drop/deny the incoming traffic.

Normal practice is to monitor your IPS log for at least 1 or 2 days. Review the log for the types of violations/misuse. Check for false positive signs as well, as some might not be real threats.

Once confirmed, you may now start to change the actions for the relevant signatures to either drop/reset. Reset is effective for TCP sessions (between attacker & victim host) only.

Bear in mind, you need to constantly monitor the IPS log for new/missing violations. Frequent review of logs and security posture is highly recommended by Cisco.

Read the SAFE Blueprint for details:

Using an ACL is good, as it can work in tandem with IPS: you only allow certain known source addresses/services in. IPS, in turn, provides deep packet inspection to ensure no malicious content is flowing into your network/servers from those permitted external source addresses.
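The monitoring step in the reply above (review a day or two of alarms, separate false positives from real hits, then pick which signatures to move to drop/reset, remembering reset only applies to TCP) can be scripted. The following is an added example, not code from the original post or from Cisco: it parses syslog lines in the shape of the IOS IPS "%IPS-4-SIGNATURE" message, groups them per signature, and prints a recommendation per signature. The log lines, signature numbers and names, the signature-to-protocol table and the trusted network range are all constructed for this example; on a real router the protocol of each signature comes from the signature file, and the trusted range is whatever your own monitoring hosts use.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the layout of IOS IPS syslog alerts. Timestamps,
# addresses, signature numbers and signature names are made up.
SAMPLE_LOG = """\
Mar  1 10:00:01 rtr1 101: %IPS-4-SIGNATURE: Sig:1001 Subsig:0 Sev:25 ICMP Echo Request [192.0.2.20:0 -> 192.0.2.10:0] RiskRating:25
Mar  1 10:00:07 rtr1 102: %IPS-4-SIGNATURE: Sig:1001 Subsig:0 Sev:25 ICMP Echo Request [192.0.2.21:0 -> 192.0.2.10:0] RiskRating:25
Mar  1 10:01:15 rtr1 103: %IPS-4-SIGNATURE: Sig:2002 Subsig:0 Sev:100 HTTP Suspicious URI [198.51.100.7:44121 -> 192.0.2.10:80] RiskRating:90
Mar  1 10:01:16 rtr1 104: %IPS-4-SIGNATURE: Sig:2002 Subsig:0 Sev:100 HTTP Suspicious URI [203.0.113.9:51007 -> 192.0.2.10:80] RiskRating:90
Mar  1 10:02:40 rtr1 105: %IPS-4-SIGNATURE: Sig:3003 Subsig:0 Sev:75 DNS Oversized Query [203.0.113.5:53010 -> 192.0.2.53:53] RiskRating:70
Mar  1 10:03:02 rtr1 106: %IPS-4-SIGNATURE: Sig:4004 Subsig:0 Sev:50 SMTP Relay Attempt [192.0.2.30:40001 -> 192.0.2.25:25] RiskRating:45
Mar  1 10:03:09 rtr1 107: %IPS-4-SIGNATURE: Sig:4004 Subsig:0 Sev:50 SMTP Relay Attempt [203.0.113.77:40002 -> 192.0.2.25:25] RiskRating:45
"""

LINE_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"RiskRating:(?P<rr>\d+)"
)

# Hypothetical signature -> transport table. In a real deployment this is
# taken from the signature definition file loaded on the router.
SIG_PROTO = {"1001": "icmp", "2002": "tcp", "3003": "udp", "4004": "tcp"}

# Assumed range of internal monitoring/management hosts whose traffic is
# expected to trip some signatures (e.g. a poller that pings everything).
TRUSTED_NETS = [ip_network("192.0.2.0/24")]


def parse(lines):
    """Return one dict per parseable alert line; non-matching lines are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def triage(hits, trusted=TRUSTED_NETS, sig_proto=SIG_PROTO):
    """Group alerts per (sig, subsig) and recommend an action change for each."""
    by_sig = defaultdict(list)
    for h in hits:
        by_sig[(h["sig"], h["subsig"])].append(h)

    report = {}
    for key, group in sorted(by_sig.items()):
        srcs = {h["src"] for h in group}
        trusted_srcs = {s for s in srcs if any(ip_address(s) in n for n in trusted)}
        proto = sig_proto.get(key[0], "unknown")
        if srcs == trusted_srcs:
            rec = "leave as alarm-only: every hit came from a trusted source, probable false positive"
        elif trusted_srcs:
            rec = "review: mixed trusted and external sources, exclude the trusted hosts before changing the action"
        elif proto == "tcp":
            rec = "candidate for deny + reset: TCP session between attacker and victim can be torn down"
        else:
            rec = "candidate for deny only: reset does not apply to non-TCP traffic"
        report[key] = {
            "name": group[0]["name"],
            "hits": len(group),
            "sources": sorted(srcs),
            "trusted_sources": sorted(trusted_srcs),
            "proto": proto,
            "recommendation": rec,
        }
    return report


if __name__ == "__main__":
    for (sig, subsig), info in triage(parse(SAMPLE_LOG.splitlines())).items():
        print(f"Sig {sig}/{subsig} {info['name']}: {info['hits']} hits from "
              f"{len(info['sources'])} sources ({info['proto']})")
        print(f"  -> {info['recommendation']}")
```

Run it against a day or two of exported syslog instead of the constructed sample; the point is that the decision to move a signature from alarm to drop or reset is made per signature from the observed sources and transport, not applied across the whole signature set.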