In a few places, we have a sensor both behind and in front of a firewall and both of them are underutilized. With v6, it would seem that monitoring both links using separate physical monitoring interfaces and virtual sensors would be possible. I'm concerned about problems this might cause. For example, I already know that today CSMARS doesn't include the interface from the original raw message, so I won't be able to differentiate based on that. Will CSMARS toss the "duplicate" event anyway? Any other reasons this configuration isn't advisable? Anyone doing this in production today?
Well the normalizer engine gets affected by putting your IPS in front and behind your firewall. With different Virtual sensor you would be able to take out this issue. I had some issues with this. So what i did was to have my IPS inline pair behind the PIX firewall and have promiscous port connect outside. Something like you have your Router connect to your hub and your pix outside connect to the hub too. Then you have a promiscous port connected to this hub. This way you would know the attacks happening outside of your Firewall. This is what i use, but my design is a bit more than this and i have a specific reason to use the hub here.
I can't comment on what CSMARS is going to do with Alarms, but the sensor should be fine. The virtualization provided by the virtualsensor instances will keep the data, including normalizer data, separated. The alarm data should contain both the vs # and the interface data.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :