Temporarily Disable IPS

brobertson
Level 1

We have an ASA-5510 with an AIP-SSM IPS module. From time to time I need to run a network scanner against assets in the DMZ from the inside network. Of course the IPS is going to block most of the scanner's activities. Is there an easy way to temporarily disable the IPS functionality while the scans are running? Either command line or through the ASDM?


6 Replies

chickman
Level 1

Why don't you just set up a filter to not block the traffic coming from your scanning system? This would be easy to accomplish and yet leave the security of the network intact.

There have been many conversations regarding this on the forum these past few weeks. Simply go into your IPS and create an "Event Action Filter." Simply modify the source address with that of your scanning system. You can leave the rest pretty much stock or adjust the destination to the subnet of your DMZ. Also, you'll want to keep an eye on the actions to subtract, making sure to take away the deny actions, and if necessary, reporting as well.

scothrel
Level 3

In addition to the filter idea(s) mentioned elsewhere, the sure fire way to get IPS out of the way is to set its bypass mode to "on" (vice the auto it defaults to). This will cause the IPS software to turn around packets without inspection.

This is exactly what you want to stay away from. The purpose of the device is to inspect traffic. So, if you're looking to do this on a continuous basis, look into the filter. If you are only going to be doing this one time, Scothrel is right though; putting it in bypass will basically render the device inert.

You can accomplish this by going to "Interface Configuration," "Bypass," and while there select ON. When you are done with whatever you're doing, ensure you go back and put the device in Auto or OFF.
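As an added illustration (not from any post in this thread) of the two approaches above, here is what chickman's scoped Event Action Filter and scothrel's bypass toggle look like from the AIP-SSM sensor CLI rather than ASDM. The command syntax is assumed to match the Cisco IPS sensor CLI of that era; the rules instance name rules0 is the default, and the scanner address 10.0.0.50 and DMZ range 192.0.2.0-192.0.2.255 are placeholder values to replace with your own.

```text
! --- Option 1 (preferred): event action filter scoped to the scanner only ---
! Removes only the inline deny actions for traffic from the scanner to the DMZ,
! so alerts are still produced and the sensor keeps inspecting everything else.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-rul)# filters insert dmz-scanner-filter begin
sensor(config-rul-fil)# attacker-address-range 10.0.0.50
sensor(config-rul-fil)# victim-address-range 192.0.2.0-192.0.2.255
sensor(config-rul-fil)# actions-to-remove deny-attacker-inline|deny-connection-inline|deny-packet-inline
sensor(config-rul-fil)# filter-item-status Enabled
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes?[yes]: yes

! After the scan window, disable the filter instead of deleting it so the
! scoped exception is ready for the next quarterly run:
sensor(config)# service event-action-rules rules0
sensor(config-rul)# filters edit dmz-scanner-filter
sensor(config-rul-fil)# filter-item-status Disabled
sensor(config-rul-fil)# exit
sensor(config-rul)# exit
Apply Changes?[yes]: yes

! --- Option 2 (one-off only): hardware/software bypass ---
! With bypass "on" the module passes ALL traffic uninspected, not just the scan.
sensor(config)# service interface
sensor(config-int)# bypass-mode on
sensor(config-int)# exit
Apply Changes?[yes]: yes

! Do not forget to restore inspection when the scan finishes:
sensor(config)# service interface
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes?[yes]: yes
```

With the filter approach, the scan still shows up under show events alert, which is a useful cross-check that the sensor saw the activity and that the exception is scoped no wider than the one source address.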

Thanks Chickman,

Exactly the info I was looking for.

I am only going to be scanning the DMZ quarterly at most, so I will probably just bypass. Nice to know the other option exists. Have not had much time to really learn the nuts and bolts of the AIP-SSM since deployment.

Thanks for the advice, just what I was looking for.

Not a problem, if you come up with other situations, just post your questions.
