I'm using CSPM Demo license. Event reporting is working fine, but I can't get the IDS (4210) to block the attacker IP. I generated an ICMP flood event; the IDS reported it correctly to the CSPM but didn't try to block it. I have defined the blocking devices and modified the signature actions.
I'm wondering if the demo version does support blocking or if I should be looking somewhere else.
The demo version does support blocking, but you may be running into a bug in 2.3.1i. Please use 2.3.3i - it definitely works. You may just have a configuration issue.
Here's a path to help you resolve it:
When operating properly, the netrangr user will always be logged into the blocking device so that it can apply an ACL, and modify that ACL as necessary. Also, if you enable logging on your sensor (archiving, not ip logging), then you will also be able to monitor your sensor logs to see if a shun action was executed to be sent to the blocking device.
1) If you log into your router, does it show the netrangr user logged in?
If not, then you need to check your sensor's /usr/nr/etc/managed file to make sure that it is properly configured to telnet to your blocking device. Try logging into your sensor, then telnetting to your blocking device and logging in, and going into enable mode. If you can't do it manually from your sensor, then your sensor won't be able to either.
2) If you have enabled logging on your logging tab in CSPM, then pushed that config out to the sensor, then loggerd should be one of the daemons running on the sensor. Then, appropriate events will be logged in /usr/nr/var/log. Included in those events will be the generation of your ICMP flood alarm, as well as the command to shun the origin (assuming that managed and packetd have been appropriately modified by CSPM to block).
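The sensor-side checks from the answer above (blocking device listed in managed, loggerd running, alarm plus shun recorded in the log), as an added example script that is not part of the original thread. It assumes a plain-text managed file that names the blocking device by address, a saved `ps -ef` snapshot, and that a shun action shows up as a log line containing "shun" next to the attacker IP; none of those formats are confirmed by the post.

```shell
#!/bin/sh
# Assumed layout (from the post): managed file at /usr/nr/etc/managed,
# sensor logs under /usr/nr/var/log, blocking daemon names loggerd/packetd.
# Inputs are passed as files so the checks also run against saved snapshots.

# 1) Is the blocking device referenced in the managed file?
check_managed() {   # $1 = managed file, $2 = blocking device host/IP
    [ -r "$1" ] || { echo "managed file $1 missing or unreadable"; return 1; }
    grep -qF "$2" "$1" || { echo "blocking device $2 not listed in $1"; return 1; }
    echo "managed: $2 present"
}

# 2) Is loggerd in the process list? (enable logging in CSPM and push the
#    config if it is not; without it there is nothing to read in step 3)
check_loggerd() {   # $1 = file holding the output of `ps -ef`
    grep -q '[l]oggerd' "$1" || { echo "loggerd not running"; return 1; }
    echo "loggerd: running"
}

# 3) Did the sensor log the ICMP flood alarm AND a shun for the attacker?
#    An alarm without a shun points at managed/packetd not being configured
#    for blocking; no alarm at all points at the signature or sniffing side.
check_shun_logged() {   # $1 = log file, $2 = attacker IP
    grep -qi 'flood' "$1" || { echo "no ICMP flood alarm in $1"; return 1; }
    n=$(grep -i 'shun' "$1" | grep -cF "$2" || true)   # assumed keyword "shun"
    [ "$n" -gt 0 ] || { echo "alarm logged but no shun for $2"; return 1; }
    echo "shun: $n entry(ies) for $2"
}

# Run all three; exit status is non-zero if any check fails.
# $1 = managed file, $2 = ps snapshot, $3 = log file,
# $4 = blocking device host/IP, $5 = attacker IP
run_checks() {
    rc=0
    check_managed "$1" "$4" || rc=1
    check_loggerd "$2" || rc=1
    check_shun_logged "$3" "$5" || rc=1
    return $rc
}
```

Step 1 of the answer (is netrangr logged into the router, and can you telnet to it by hand from the sensor) still has to be done interactively on the blocking device itself.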