Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Gold

v6 and Multiple Virtual Sensors

In a few places, we have a sensor both behind and in front of a firewall and both of them are underutilized. With v6, it would seem that monitoring both links using separate physical monitoring interfaces and virtual sensors would be possible. I'm concerned about problems this might cause. For example, I already know that today CSMARS doesn't include the interface from the original raw message, so I won't be able to differentiate based on that. Will CSMARS toss the "duplicate" event anyway? Any other reasons this configuration isn't advisable? Anyone doing this in production today?

2 REPLIES
Silver

Re: v6 and Multiple Virtual Sensors

Well the normalizer engine gets affected by putting your IPS in front and behind your firewall. With different Virtual sensor you would be able to take out this issue. I had some issues with this. So what i did was to have my IPS inline pair behind the PIX firewall and have promiscous port connect outside. Something like you have your Router connect to your hub and your pix outside connect to the hub too. Then you have a promiscous port connected to this hub. This way you would know the attacks happening outside of your Firewall. This is what i use, but my design is a bit more than this and i have a specific reason to use the hub here.

-Hoogen

Cisco Employee

Re: v6 and Multiple Virtual Sensors

I can't comment on what CSMARS is going to do with Alarms, but the sensor should be fine. The virtualization provided by the virtualsensor instances will keep the data, including normalizer data, separated. The alarm data should contain both the vs # and the interface data.

134
Views
0
Helpful
2
Replies
CreatePlease to create content