08-28-2008 02:08 AM - edited 03-10-2019 04:16 AM
I have IPS 4255, I have made a Service HTTP signature to block metacafe.
I have configured the block device for PIX Firewall. The signature triggers when I open www.metacafe.com; I can see the user IP in active blocking hosts and also in IP logging, but still I'm not able to block/shun the users.
I selected all actions in the signature definition.
-----Network Access Statistics-----
section Current Configuration
LogAllBlockEventsAndSensors true
EnableNvramWrite false
EnableAclLogging false
AllowSensorBlock false
BlockMaxEntries 250
MaxDeviceInterfaces 250
section NetDevice
Type PIX
IP 172.28.31.68
NATAddr 0.0.0.0
Communications ssh-3des
ResponseCapabilities block
section NeverBlock
IP 172.28.92.72
IP 172.28.31.0
IP 192.168.249.0
IP 192.168.250.0
section State
BlockEnable true
section NetDevice
IP 172.28.31.68
AclSupport Does not use ACLs
Version 0
State Inactive
Firewall-type PIX
Please help me out; what am I missing?
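The dump in the post above already carries the clue a defender would look for first: the NetDevice block ends with "State Inactive", which is what the sensor reports when it never established its management session to the firewall, and a NeverBlock list that silently exempts addresses. The following parser is an added example written for this thread (not Cisco code and not the original poster's); it reads a constructed copy of that dump, splits it into its "section" blocks and reports the conditions that usually explain "the signature fires but nothing is shunned". Because the dump prints NeverBlock entries without a mask, the script assumes each entry is a single host unless written as a.b.c.d/nn.

```python
"""Parse a Cisco IPS network-access statistics dump and flag the settings
that commonly explain why a block action never reaches the firewall.

Added example for this thread; it is not Cisco code. SAMPLE is a
constructed copy of the dump quoted in the thread.
"""
import ipaddress

SAMPLE = """\
-----Network Access Statistics-----
section Current Configuration
LogAllBlockEventsAndSensors true
EnableNvramWrite false
EnableAclLogging false
AllowSensorBlock false
BlockMaxEntries 250
MaxDeviceInterfaces 250
section NetDevice
Type PIX
IP 172.28.31.68
NATAddr 0.0.0.0
Communications ssh-3des
ResponseCapabilities block
section NeverBlock
IP 172.28.92.72
IP 172.28.31.0
IP 192.168.249.0
IP 192.168.250.0
section State
BlockEnable true
section NetDevice
IP 172.28.31.68
AclSupport Does not use ACLs
Version 0
State Inactive
Firewall-type PIX
"""


def parse_sections(text):
    """Return a list of (section_name, [(key, value), ...]) in file order.
    A section name may repeat (NetDevice appears twice), so a list is used
    instead of a dict."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue  # banner line, not a setting
        if line.startswith("section "):
            current = (line[len("section "):], [])
            sections.append(current)
            continue
        if current is None:
            continue
        key, _, value = line.partition(" ")
        current[1].append((key, value.strip()))
    return sections


def never_block_networks(sections):
    """NeverBlock entries as ip_network objects. The dump shows no mask, so an
    entry is treated as one host (assumption); 'a.b.c.d/nn' is honoured."""
    nets = []
    for name, items in sections:
        if name == "NeverBlock":
            for key, value in items:
                if key == "IP":
                    nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def diagnose(text, attacker_ip):
    """Return human-readable findings for why a block on attacker_ip may not land."""
    sections = parse_sections(text)
    findings = []
    # Global switch: nothing is ever pushed while blocking is disabled.
    for name, items in sections:
        if name == "State" and ("BlockEnable", "false") in items:
            findings.append("blocking is globally disabled (BlockEnable false)")
    # Runtime device state: Inactive means the sensor is not logged in to the
    # firewall (SSH, host key or credential problem), so no shun can be sent.
    for name, items in sections:
        if name == "NetDevice":
            d = dict(items)
            if d.get("State", "").lower() == "inactive":
                findings.append(f"device {d.get('IP')} is Inactive: sensor is not logged in")
    # Addresses on the never-block list are skipped without any error.
    addr = ipaddress.ip_address(attacker_ip)
    for net in never_block_networks(sections):
        if addr in net:
            findings.append(f"{attacker_ip} is covered by NeverBlock entry {net}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE, "172.28.92.72"):
        print("-", finding)
```

Run against the sample with any client address, the script reports the Inactive device; a client that happens to be on the NeverBlock list gets a second finding, which is the other silent reason a "blocked" host never appears on the firewall.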
08-28-2008 03:18 AM
Did you allow the sensor IP on the PIX for SSH?
ssh
Did you add the PIX as a trusted host on the sensor?
Is the SSH even working on the PIX from other hosts?
Double check your PIX credentials.
Login to PIX and issue a 'who' command to see if the IPS is logged in.
Regards
Farrukh
08-28-2008 06:32 AM
Thanks for the reply,
My firewall is configured for AAA. I gave the same credentials in IPS blocking devices that I'm using for myself.
SSH is allowed on firewall for any IP.
IPS also has any ip to trusted hosts.
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
IPS allowed host
telnet-option enabled
access-list 172.28.0.0/16
The IPS is only able to push access-lists to the router but not able to shun on the PIX firewall.
08-28-2008 06:42 AM
"IPS also has any ip to trusted hosts." This is not possible; you have to do it manually.
I am talking about adding the SSH key of the PIX in the IPS.
http://www.cisco.com/en/US/docs/security/ips/6.0/command/reference/crCmds.html#wp553621
Go to the IPS CLI and issue the following command:
ssh host-key
Regards
Farrukh
08-28-2008 09:00 AM
08-28-2008 10:44 AM
Have you enabled blocking globally?
Blocking >> Blocking Properties
Regards
Farrukh
08-28-2008 01:03 PM
Yes, blocking is globally enabled. The IPS is able to write access-lists on routers but not able to shun on the PIX firewall.
08-29-2008 10:54 AM
Please enable the block action on any common signature like ICMP echo (2004) and then check the event log of the IPS. It will tell you why the shun is failing. Also login to the firewall and do a 'who' command during this test to see if the IPS logs in. Do 'terminal monitor' and 'logging monitor 6' on firewall to see any denies etc.
Regards
Farrukh
09-04-2008 03:22 AM
09-04-2008 03:44 AM
09-07-2008 03:58 AM
Can anybody help me out in this matter?