We are noticing a strange behavior with several IPS AIM modules and IPS Appliances. Events are generated and can be seen from the event viewer but nothing is displayed on the Network Security Gadget on the Dashboard.
We've verified and compared configurations with other working Appliances and can't find why the count event on the dashboard is 0 while the event viewer is showing several events. We've tested from different computers with different Java versions to rule out a problem with the viewer, but the result is the same.
IPS is working and denying traffic if configured, the event action overrides are configured to produce alert for all severities (to test).
We've seen this on Appliances and ASA IPS modules running 7.0(1)3, 6.0(5)E3 and other 6.x versions, the only common denominator we can see is the E3.
It's a difficult event to troubleshoot and I haven't found any reports of similar behavior. Has anyone noticed something similar?
Any ideas on where to look will be greatly appreciated.
Question: is the virtual sensor configured in all the cases you mentioned the default vs0, or did you create a new one?
There is a known issue with non-vs0 sensor events not reported in net sec. gad.
No, all of them have the default vs0.
But it's good to know that, thank you. Do you have any related documentation?
Any other ideas will be greatly appreciated.
How often are your alerts being generated?
If I remember right the counts are based on the alerts within the past 10 seconds.
If your sensor hasn't seen any signature triggers in the last 10 seconds, then the counts will be 0.
If your sensor is monitoring a fairly clean network (few attacks), or you've highly tuned your sensor to only monitor for a subset of signatures, then it is possible your sensor may only be triggering signatures every few seconds, or even every few minutes. In that case, seeing counts of 0 for the past 10 seconds would be normal.
In addition if I remember right there was a bug introduced in some of the versions back when E3 was released.
And instead of counting based on the last 10 seconds, I think it incorrectly counted only based on the last 1/10th of a second.
This was fixed in the 6.1(2)E3 Service Pack, and I think was fixed for 7.0(1)E3 before it was released so I don't think you are running into this with your 7.0(1)E3 sensors.
We are testing with a continuous ping and have the signature 2004 (ICMP request) enabled. This and other events are constantly showing on the event viewer, but nothing on the Dashboard.
Same configuration with version 6.1(1)E3 shows events on the Dashboard, but nothing if running version 7.0(1)E3.
I tested 6.0(5) and I'm having no problem with that one. 6.1(1)E3 is running fine. 7.0(1)E3 is not showing events on the Network security gadget on the dashboard.
I'm running tests with other versions to try to catch the issue.
I am having a similar issue.
I was running IDM 6.0 and Network Security Gadget was seeing all of the Events and displaying the Risk vs Threat Graph and # of Events Graph perfectly. Then I upgraded to 7.0 and IPS Version 7.0(2)E3, and everything works except the Network Security Gadget. It scrolls Zero across both Graphs. I have attached a snapshot:
We could never find an answer or reported issues on that.
We ended up installing the IPS Manager Express for our customer and it seems to be working fine for them since then, maybe you can try that.
Thank you for the quick response Daherrer.
I tried loading the Express software, which is great by the way, but it also has the exact same problem. Am I right in thinking that all events that show up under the event monitoring tool should show up on the Network Security Graph?
We have found that using the older version of IME (6.1.1) will show all events from sensors running the 7.0 release, unfortunately you cannot make configuration changes. Anyone who has upgraded to the new 7.0.2 client cannot see the events from the sensor in real-time, but can make configuration changes.
FYI - I downgraded from the 7.0.2 client to the 7.0.1 client today and the event reporting began working again.
Thanks for the response.
Did you downgrade the IPS sensor software or the IME software? I downgraded the IME to 7.0.1 and still have the IPS running 7.0(2)E3 and it still does not work.
I downgraded the IME software to 7.0.1 and left the sensor at 7.0.2 E3. Since you are still having difficulties, maybe more detail of what I did will help? I uninstalled the IME 7.0.2, rebooted, then installed 7.0.1. IME didn't pick up the events right away, so I restarted the MySQL-IME service. I opened IME and chose realtime events, clicked apply and the events began appearing. Hope that helps.
I have been able to get the Events to display in Realtime, but the Network Security Gadget still does not show anything above 0.
Not sure if you have that issue as well.
No, sorry. I didn't recheck the Network Security gadget after the events started appearing. Everything on the events dashboard is now working, but I still have no events in the Network security gadget.
Wow! So no solution on this yet.
I have a new implementation now and Cisco suggested us to use version 6.0(4) for all our IPS modules and appliances. I'm looking forward to upgrading but I can't find a newer version that seems stable enough (i.e. the network security gadget not working).
In your experience, would you recommend the 7.x version you are using for your IPS?
Thanks and regards,
I am using Version 7.0(2)E4 for over a year now, and it is stable, but I like the old version better. It actually looks like it is doing something. Without the Gauge, it is deceiving. We have had a few card failures recently, but I don't know if it is the card or the software.
To me, if you keep your IPS up to date with the latest protection downloads, it is good enough. This version does not seem to give you anything better.
Gino DiCarlo