New Member

IPS - Startup

Hi All,

We have recently purchased an AIP-SSM-10 module for our ASA5520. I have installed the module, run through the initial configuration, and updated the software / signatures to the latest version via the ASDM.

I am about to run through the following... Send Network Traffic from the ASA to the AIP SSM...

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807335ca.shtml

but would like to know a little more about what will happen once traffic is redirected. My questions are as follows...

Does the IPS start blocking traffic by default, or does it just report?

Can we enable the IPS so that it just reports on what action would have been taken?

Ideally we would like to run traffic through the IPS for a week or so without any blocking, so we can analyze it to reduce false positives.

Is there any documentation explaining this?

Thanks for all your help

Steve

3 REPLIES
Gold

Re: IPS - Startup

The default action of an in-line IPS is to drop the packets that match signatures set to drop. There are a few signatures that are not set to generate an alert when dropped.

I think you want to start with your sensor in promiscuous mode, not in-line. Then you can watch what signatures fire that would be dropped in an in-line mode.

New Member

Re: IPS - Startup

Thanks for that. I ended up throwing caution to the wind and processing all traffic (inline); all looks good so far.

I am using IPS Event Viewer for 'Real Time' analysis and reporting.

Does anyone have any other recommendations?

New Member

Re: IPS - Startup

Hi,

Could you share the sample configuration?
