New Member

IPS Event Monitoring

Dear All,

I have deployed a Cisco ASA 5525 IPS for one of our customers in inline mode in the internet block. I am redirecting traffic from the ASA towards the built-in IPS module using an ACL (permit ip any any), a class map and a global service policy. I have verified that the built-in IPS module is inspecting the traffic, as the hits are increasing on the ACL, the service policy and show stats virtual-sensor.

But there are no events related to end-user traffic appearing. I tried to activate the RFC 1918 signature (which is retired by default) just to verify whether events are triggering or not, and after activating this signature I received a lot of events.

However, the customer wants to see all the traffic being inspected by the IPS, so how can I achieve that?

Thanks & Regards,

Mujeeb

3 REPLIES
Silver

The AIP-SSM does not support syslog as an alert format.

The default method to receive alert information from the AIP-SSM is through Security Device Event Exchange (SDEE). Another option is to configure individual signatures in order to generate a SNMP trap as an action to take when they are triggered.

Refer to this discussion

HTH

"Please rate helpful posts"

New Member

Hi,

So how can we forward the alert information (SDEE) to the management/monitoring tool?

Thanks & Regards

Silver

The IPS sensor is an SDEE provider (with a built-in web server and SDEE servlet). SDEE specifies that events can be transported using HTTP or HTTP over SSL and TLS. When HTTP or HTTPS is used, SDEE providers act as HTTP servers, while SDEE clients are the initiators of HTTP requests.

When properly configured, clients (such as IME (IPS Manager Express) and CS-MARS) connect to the sensor via HTTPS (TLS/SSL) or HTTP, authenticate, and if successful, exchange data. SDEE is the preferred protocol for data exchange. The sensor's web server and SDEE servlet are both running by default. As such, generally the only configuration necessary on the sensor to allow an SDEE client access is to add a permit entry for the SDEE client's IP address to the sensor's access list.

The SDEE server (IPS module) only processes authorized requests. A request is authorized if it originates from a web server that has authenticated the identity of the client and determined the privilege level of the client. The SDEE client (IME) pulls the IPS events.

HTH

"Please rate helpful posts"
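The pull model the reply above describes, as an added example that is not part of the original thread and not Cisco's IME code: a minimal Python SDEE client that authenticates to the sensor's SDEE servlet over HTTPS, opens an evIdsAlert subscription, fetches events and closes it. The servlet path /cgi-bin/sdee-server, HTTP Basic authentication and the action/subscriptionId/maxNbrOfEvents parameters are assumptions taken from public SDEE client implementations rather than from this page, and the sample response is constructed.

```python
# Added example, not code from this thread: a minimal SDEE pull client (open an
# evIdsAlert subscription over HTTPS with auth, "get" events, close). Assumed from
# public SDEE clients, not from this page: /cgi-bin/sdee-server, Basic auth, params.
import base64, ssl, urllib.parse, urllib.request
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit('}', 1)[-1]  # drop the namespace; the prefix varies by sensor

def parse_sdee(xml_text):
    """Return (subscriptionId or None, [alert dicts]) from one SDEE response."""
    sub_id, alerts = None, []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == 'subscriptionId':
            sub_id = (el.text or '').strip()
        elif name == 'evIdsAlert':
            sig = next((c for c in el.iter() if _local(c.tag) == 'signature'), None)
            alerts.append({'event_id': el.get('eventId'), 'severity': el.get('severity'),
                           'sig_id': sig.get('id') if sig is not None else None,
                           'description': sig.get('description') if sig is not None else None})
    return sub_id, alerts

def sdee_request(sensor, user, password, params, cafile):
    """One client-initiated request; cafile is the sensor's cert so TLS is verified."""
    url = f"https://{sensor}/cgi-bin/sdee-server?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header('Authorization', f'Basic {token}')
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()

def pull_once(sensor, user, password, cafile, max_events=100):
    # open -> get -> close: the client pulls, the sensor (SDEE provider) only answers
    sub_id, _ = parse_sdee(sdee_request(sensor, user, password,
                                        {'action': 'open', 'events': 'evIdsAlert'}, cafile))
    try:
        _, alerts = parse_sdee(sdee_request(sensor, user, password, {'action': 'get',
                               'subscriptionId': sub_id, 'maxNbrOfEvents': max_events}, cafile))
    finally:
        sdee_request(sensor, user, password, {'action': 'close', 'subscriptionId': sub_id}, cafile)
    return alerts

# Constructed sample response (namespace URI and ids are placeholders) so parse_sdee
# runs offline; the alert mirrors the RFC 1918 signature the original post mentions.
SAMPLE_RESPONSE = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
 xmlns:sd="urn:example:sdee"><env:Body><sd:oobRequest><sd:subscriptionId>sub-placeholder-1
 </sd:subscriptionId></sd:oobRequest><sd:events><sd:evIdsAlert eventId="1001" severity="informational">
 <sd:signature id="0000" description="RFC 1918 Addresses Seen"/></sd:evIdsAlert></sd:events></env:Body></env:Envelope>"""
```

Verifying the sensor certificate through cafile on the client side, and permitting only the collector's IP address in the sensor's access list as the reply notes, are the two settings that keep the SDEE interface from serving events to anyone who can reach the sensor.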
