New Member

Temporarily Disable IPS

We have an ASA-5510 with an AIP-SSM IPS module. From time to time I need to run a network scanner against assets in the DMZ from the inside network. Of course the IPS is going to block most of the scanner's activities. Is there an easy way to temporarily disable the IPS functionality while the scans are running? Either command line or through the ASDM?

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: Temporarily Disable IPS

In addition to the filter idea(s) mentioned elsewhere, the sure-fire way to get IPS out of the way is to set its bypass mode to "on" (vice the auto it defaults to). This will cause the IPS software to turn around packets without inspection.

New Member

Re: Temporarily Disable IPS

This is exactly what you want to stay away from. The purpose of the device is to inspect traffic. So, if you're looking to do this on a continuous basis, look into the filter. If you are only going to be doing this one time, Scothrel is right though; putting it in bypass will basically render the device inert.

You can accomplish this by going to "interface configuration," "Bypass," and while there select ON. When you are done with whatever you're doing, ensure you go back and put the device in Auto or OFF.

6 REPLIES
New Member

Re: Temporarily Disable IPS

Why don't you just set up a filter to not block the traffic coming from your scanning system? This would be easy to accomplish and yet leave the security of the network intact.

There have been many conversations regarding this on the forum these past few weeks. Simply go into your IPS and create an "Event Action Filter." Simply modify the source address with that of your scanning system. You can leave the rest pretty much stock or adjust the destination to the subnet of your DMZ. Also, you'll want to keep an eye on the areas to subtract, making sure to take away the deny actions and, if necessary, reporting as well.
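
The filter approach above, modelled as an added example (not Cisco's code and not the poster's): an event action filter matched on attacker and victim address subtracts only the deny actions, so the scanner's traffic into the DMZ still raises alerts while any other source keeps the full response. Addresses, the sample events and the filter object are constructed; the action names follow the Cisco IPS naming.

```python
import ipaddress
from dataclasses import dataclass

# Added example: a small model of how a Cisco IPS "Event Action Filter"
# subtracts actions from events that match a source/destination pair.
# Illustrative code, not Cisco's implementation; addresses are constructed
# and the action names follow the Cisco IPS naming convention.

DENY_ACTIONS = frozenset({"denyPacketInline", "denyAttackerInline",
                          "denyConnectionInline", "requestBlockHost"})


@dataclass(frozen=True)
class EventActionFilter:
    attacker: ipaddress.IPv4Network      # "attacker address" field
    victim: ipaddress.IPv4Network        # "victim address" field
    actions_to_subtract: frozenset       # "actions to subtract" field

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.attacker
                and ipaddress.ip_address(dst) in self.victim)


def apply_filters(event: dict, filters: list) -> set:
    """Return the actions left after every matching filter has subtracted
    its actions. Alerting survives unless a filter removes it as well."""
    remaining = set(event["actions"])
    for f in filters:
        if f.matches(event["src"], event["dst"]):
            remaining -= f.actions_to_subtract
    return remaining


# Constructed: scanner 10.1.1.50 on the inside, DMZ subnet 192.0.2.0/24.
SCANNER_FILTER = EventActionFilter(
    attacker=ipaddress.ip_network("10.1.1.50/32"),
    victim=ipaddress.ip_network("192.0.2.0/24"),
    actions_to_subtract=DENY_ACTIONS,
)

# Constructed sample events as the sensor might raise them during a scan.
SAMPLE_EVENTS = [
    {"src": "10.1.1.50", "dst": "192.0.2.10",        # the authorised scanner
     "actions": {"produceAlert", "denyPacketInline", "denyAttackerInline"}},
    {"src": "198.51.100.7", "dst": "192.0.2.10",     # outsider, same signature
     "actions": {"produceAlert", "denyPacketInline", "denyAttackerInline"}},
]


def run() -> list:
    return [apply_filters(e, [SCANNER_FILTER]) for e in SAMPLE_EVENTS]
```

Dropping "produceAlert" from the subtract set is what keeps the scan visible in the event log; bypass mode removes that visibility for every source at once.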

New Member

Re: Temporarily Disable IPS

Thanks Chickman,

Exactly the info I was looking for.

I am only going to be scanning the DMZ quarterly at most, so I will probably just bypass. Nice to know the other option exists. Have not had much time to really learn the nuts and bolts of the AIP-SSM since deployment.

New Member

Re: Temporarily Disable IPS

Thanks for the advice, just what I was looking for.

New Member

Re: Temporarily Disable IPS

Not a problem, if you come up with other situations, just post your questions.
