09-20-2016 04:09 AM - edited 03-10-2019 06:41 AM
Hello,
I have 3 SFR modules in monitor-only mode within virtualized ASAs registered on a Cisco Firepower Management Center for VMware 6.0.1. I can see normal traffic statistics on the dashboard, but even though I tuned signatures to generate IPS alerts for any ICMP echo reply, I don't see anything.
The licenses are applied, the access policy is applied, and an intrusion policy is also created and linked to the access policy on the default action.
Could anyone help me to find where the problem is?
Relevant configuration on virtual firewall:
class-map global-class
 match any
policy-map global_policy
 class global-class
  sfr fail-open monitor-only
MUA-FW1/ACCESS# sh service-policy sfr

Global policy:
  Service-policy: global_policy
    Class-map: global-class
      SFR: card status Up, mode fail-open monitor-only
        packet input 0, packet output 626950891, drop 0, reset-drop 0

MUA-FW1/ACCESS# sh module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515            -Deleted-
 ips Unknown                                      N/A                -Deleted-
cxsc Unknown                                      N/A                -Deleted-
 sfr FirePOWER Services Software Module           ASA5515            -Deleted-

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable
 sfr ASA FirePOWER                  Up               6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Unresponsive       Not Applicable
cxsc Unresponsive       Not Applicable
 sfr Up                 Up

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Disabled        perpetual
Thanks,
Miquel
01-11-2018 10:16 PM
Hi,
We would suggest you follow the steps below to verify whether the IPS policy is working.
- Modify the intrusion policy in use and enable the portscan detection / ICMP detection snort id 408.
- Assign a Network Analysis to the Access Control policy in use on the FirePOWER Management Center, and adjust the preprocessor settings.
- After deployment of the policy, initiate ICMP traffic and verify under intrusion events.
Regards
Jawed