My environment is an MC for IDS v1.1 installed on a W2K machine with Security Monitor 1.1, and my IDS 4.0 installed on a Linux box.
On my sensor, I have configured telnet enabled, and an access-list to enable the whole /24 subnet, for example, 22.214.171.124, 255.255.255.0 for allowed hosts. I also did TLS generate-key.
Using MC for IDS1.1, I am able to add the sensor, but I am quite lost about the actual deployment of the sensor. Sometimes I have to save it, sometimes, to deploy.
When I do some changes, I have to save it to database, so I have to go to pending and then save it.
However, when do I do a generate, approving and deploying?
Because after doing an immediate deploy, naming the job 'test', and going to history, I see it is not deployed, and there are errors.
May someone enlighten me on the proper steps to do?
For Security Monitor (SM),
Using the Cisco guide, Chpt 3, Configuring devices to monitor, I am able to add the RDEP sensor (since IDS is 4.0), and under Monitor>Connections, I am able to see that the sensor is connected via TLS. I believe that this SM is supposed to retrieve the logs from the sensor, so how do I confirm this?
You are doing it right. I don't see where you are stuck. After making changes, save them to the db by going to Pending and saving. Then go under Deployment to do the Generate, then Approve (approving might not be turned on; if that's the case, then move on to Deploy), and conduct an immediate deploy.
As for the SM, the status of "connected TLS" is good. You may need to tune a particular signature, e.g. ICMP echo reply (2004), set it to High Severity, and generate ICMP traffic on the segment where the sniffing interface is connected. This will generate events in the SM.
I realised that I got the "connected TLS" when I did not plug in the sniffing link; when I do that, it shows not connected.
When I did a diagnostic on the sensor, IDM, strangely, I see two sensing interfaces, int0 & int1, under group0. I thought it should be int0 sniffing and int1 control? How do I configure them? In 4.0, I can't see the sensing interface feature, unlike 4.1.
Now, I created the sensor under a group, and I realise that under the group there are more options to configure than if I were to configure individual sensors. Can I take it that for a group it is global, and for sensors it is more individual?
And I realise from a colleague, that in order for the sensor reporting back to IDS MC, to pipe events to Security monitor, I need to install a MC integrator, is that true?