New Member

IPS installation

Purchased an IPS 4255 to replace a TippingPoint unit we have used for a number of years. I configured the 4255 so I can talk to the management interface to get used to the Web Interface. I have loaded the latest software code and SIGs.

Should I run the unit in promiscuous for a while before going inline? Our TippingPoint updated its SIGs automatically and I reviewed the release to see if I should change the default action. Since I'm new to the 4255 and the Cisco SIGs, how does one get a feel for what all is enabled or denied by default? Would running in promiscuous allow me to see what SIGs would be denied and allow me to adjust until I go inline?

The latest code for the 4255 allows for auto update from Cisco. Isn't there a means to force a manual update? We had that with the TippingPoint. The TippingPoint only did auto updates on SIGs. The 4255 appears to do both code and SIGs. I see no way to just select auto SIG updates?

Craig

1 REPLY
Gold

Re: IPS installation

"Should I run the unit in promiscuous for a while before going inline?"

Unless you have a high tolerance for dropped traffic...yes.

"Would running in promiscuous allow me to see what SIGs when be denied and allow me to adjust until I go inline?"

Yes, but you won't be in "promiscuous mode per se". You will create your inline pair as normal and then create an event action filter that removes any actions that interfere with the normal flow of traffic:

Deny Attacker Inline

Deny Attacker Service Pair Inline

Deny Attacker Victim Pair Inline

Deny Connection Inline

Deny Packet Inline

Request Block Connection

Request Block Host

Request Rate Limit

Request Snmp Trap

Reset Tcp Connection

You might also want to open your SIG policy using "select by: active signatures" and sort by engine (click the engine column header). Find any normalizer sigs that have a deny/modify action and add the "produce alert" and "produce verbose alert" actions. You probably shouldn't add actions to sigs that don't have any action. There are a couple of normalizer sigs like this, the point of which I don't know.
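As an added illustration (not the replier's own configuration), here is the filter described above expressed in the sensor CLI. The prompts, the `filters insert ... begin` form and the `actions-to-remove` keyword names are assumed from the IPS 5.x/6.x CLI reference and should be checked against the version on your sensor; the filter name `inline-tuning` and the signature range (assumed to cover every signature) are placeholders.

```text
! Added example, not from the original reply. Syntax is assumed from the
! IPS 5.x/6.x CLI; verify the keywords against the sensor's own release.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)# filters insert inline-tuning begin
! Match every signature (assumed full range) so no sig can drop traffic yet.
sensor(config-rul-fil)# signature-id-range 1000-65535
! Strip exactly the ten actions listed in the reply; alert actions stay,
! so the event viewer still shows which sigs would have denied traffic.
sensor(config-rul-fil)# actions-to-remove deny-attacker-inline|deny-attacker-service-pair-inline|deny-attacker-victim-pair-inline|deny-connection-inline|deny-packet-inline|request-block-connection|request-block-host|request-rate-limit|request-snmp-trap|reset-tcp-connection
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes?[yes]: yes
```

Once the alerts have been reviewed and the individual signatures tuned, disable or delete this filter so the deny actions take effect inline.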
