I have an IPS 4255, and I have made a Service HTTP signature to block metacafe.
I have configured the block device for the PIX Firewall. The signature triggers when I open www.metacafe.com; I can see the user IP in active blocking hosts and also in IP logging, but I am still not able to block/shun the users.
I selected all actions in the signature definition.
-----Network Access Statistics-----
section Current Configuration
AclSupport Does not use ACLs
Please help me find out what I am missing.
Did you allow the sensor IP on the PIX for SSH?
Did you add the PIX as a trusted host on the sensor?
Is the SSH even working on the PIX from other hosts?
Double check your PIX credentials.
Log in to the PIX and issue a 'who' command to see if the IPS is logged in.
Thanks for the reply,
My firewall is configured for AAA. I gave the same credentials in the IPS blocking devices that I am using for myself.
SSH is allowed on firewall for any IP.
IPS also has any ip to trusted hosts.
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
IPS allowed host
The IPS is only able to push an access-list to the router but is not able to shun on the PIX firewall.
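The first reply asks whether the sensor IP is allowed SSH on the PIX; the two 'ssh 0.0.0.0 0.0.0.0 ...' lines above say yes, but a tighter config can silently exclude the sensor on one interface. The following is an added example (not code from this thread or from Cisco) that reads 'ssh <address> <netmask> <interface>' lines from a PIX configuration and tests whether a given sensor address is covered on a given interface; the restricted configuration and the sensor address 10.1.1.5 are constructed for illustration.

```python
"""Check whether a sensor's IP is covered by a PIX 'ssh <ip> <mask> <if>' line.

Added example, not code from the thread or from Cisco. The PIX syntax
'ssh <address> <netmask> <interface>' is real; the configs below are
the two lines quoted in the thread plus a constructed restricted one.
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[ipaddress.IPv4Network, str]


def ssh_rules(config_text: str) -> List[Rule]:
    """Return (network, interface) pairs from 'ssh A.B.C.D M.M.M.M iface' lines.

    Lines such as 'ssh timeout 5' or 'ssh version 2' are skipped because
    they do not have an address/mask/interface triple.
    """
    rules: List[Rule] = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) != 4 or parts[0] != "ssh":
            continue
        try:
            # PIX uses a netmask, not a wildcard; 0.0.0.0 0.0.0.0 means 'any'.
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue
        rules.append((net, parts[3]))
    return rules


def ssh_permitted(config_text: str, sensor_ip: str, interface: str) -> bool:
    """True if the sensor may open SSH to the PIX on the given interface."""
    addr = ipaddress.IPv4Address(sensor_ip)
    return any(addr in net and iface == interface
               for net, iface in ssh_rules(config_text))


# The two lines quoted in the thread: SSH from anywhere on both interfaces.
OPEN_CONFIG = "ssh 0.0.0.0 0.0.0.0 outside\nssh 0.0.0.0 0.0.0.0 inside\nssh timeout 5\n"

# Constructed: only a management subnet on inside, one host on outside.
RESTRICTED_CONFIG = (
    "ssh 10.1.1.0 255.255.255.0 inside\n"
    "ssh 203.0.113.10 255.255.255.255 outside\n"
    "ssh version 2\n"
)

if __name__ == "__main__":
    sensor = "10.1.1.5"  # constructed sensor address
    print("open config, inside:", ssh_permitted(OPEN_CONFIG, sensor, "inside"))
    print("restricted, inside:", ssh_permitted(RESTRICTED_CONFIG, sensor, "inside"))
    print("restricted, outside:", ssh_permitted(RESTRICTED_CONFIG, sensor, "outside"))
```

Run it against the output of 'show running-config' from the PIX; a False result for the interface the sensor reaches the firewall on is one reason the blocking login never happens.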
"IPS also has any ip to trusted hosts. " This is not possible; you have to do it manually.
I am talking about adding the SSH key of the PIX in the IPS.
Go to the IPS CLI and issue the following command:
Please enable the block action on any common signature like ICMP echo (2004) and then check the event log of the IPS. It will tell you why the shun is failing. Also log in to the firewall and do a 'who' command during this test to see if the IPS logs in. Do 'terminal monitor' and 'logging monitor 6' on the firewall to see any denies, etc.