Community Member

New to IDM

Hi,

I'm new to IDM.

We have an ASA 5520 with an IPS 10 module.

I wanted to know how the traffic will flow in & out.

My thoughts: from outside, Internet>IPS>FW>LAN

Is it right?

5 REPLIES
Bronze

Re: New to IDM

The traffic flow will be like this: Internet>FW/ACL>IPS>LAN

Community Member

Re: New to IDM

Is this the recommended design?

If any application-level attack is coming, then it comes inside the FW and is blocked in the IPS. This unnecessarily creates load on the FW, right?

Please correct me if I'm wrong.

Community Member

Re: New to IDM

Hi,

Well, you can configure the IPS module from the ASA CLI only. It depends upon the mode you want: promiscuous or inline.

If you configure it in promiscuous mode, a copy of the packet is sent to the AIP-SSM-10 module; in this case it will act as an IDS.

If you configure it in inline mode, then the traffic comes to the inside/outside interface of the ASA and then it will be sent to the AIP-SSM-10 module, but don't forget to configure "bypass mode on".

Load will always be there on the firewall because the module is inbuilt, and it has to transfer the traffic to the module.

Hope your doubt is cleared.
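As an added example (not from this thread or from Cisco documentation), here is the ASA-side half of what the reply above describes: the modular policy framework lines that steer traffic to the AIP-SSM in either mode. The names IPS-TRAFFIC and IPS-CLASS are assumed; global_policy is the ASA's default policy-map name. The sensor-side bypass setting the reply mentions is configured on the module itself and is not shown here.

```cisco
! Added example, not configuration from the thread. Assumes an ASA 5520 with the
! AIP-SSM-10 installed and that every packet should be handed to the sensor.
!
! Select which traffic the module sees. Interface ACLs are evaluated before the
! service policy, so a packet denied by the ASA never reaches the module at all;
! this is why the flow is Internet>FW/ACL>IPS>LAN rather than IPS first.
access-list IPS-TRAFFIC extended permit ip any any
class-map IPS-CLASS
 match access-list IPS-TRAFFIC
!
policy-map global_policy
 class IPS-CLASS
  ! Promiscuous: the ASA forwards the packet itself and sends a COPY to the
  ! module. The sensor can alert (and can request the ASA to shun a host) but
  ! cannot drop the packet it inspected, so this is IDS behaviour.
  ips promiscuous fail-open
  !
  ! Inline alternative (use instead of the line above): the packet is diverted
  ! through the module before the ASA forwards it, so the sensor can drop it.
  ! fail-open keeps traffic flowing if the module is down or still booting;
  ! fail-close drops that traffic instead.
  ! ips inline fail-open
!
! Apply the policy on all interfaces.
service-policy global_policy global
```

In either mode the packet still traverses the ASA, which is the load the reply refers to; the mode only decides whether the module is in the forwarding path (inline) or receives a copy (promiscuous).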

Community Member

Re: New to IDM

Thanks,

One more query

FW logs can be sent to syslog servers.

What about the logs or attacks in IPS?

Re: New to IDM

Cisco IPS sensors do not support the syslog protocol. They support SNMP traps and the SDEE protocol.

You will need to use an SDEE (Security Device Event Exchange) client like CS-MARS and IME (Cisco IPS Manager Express, free software from Cisco that can monitor/manage up to 5 sensors) to get event data out of IPS devices.

Syed Iftekhar Ahmed
