Cisco Support Community

New Member

Minimum IDS components for PIX Firewall shunning

What are the minimum components to carry out automatic shunning of an IP address on a PIX Firewall during an intrusion attempt attack?

Cisco Employee

Re: Minimum IDS components for PIX Firewall shunning

Can you clarify what you mean by minimum components? For example, do you mean the minimum number of processes running on a sensor, or the minimum configuration actions, or something else? Are you referring to 3.x sensors or the new 4.0 sensor?

Here is my best answer, absent other information:

For a 3.x sensor, at the minimum, the PIX needs to have a 3DES license and be configured to allow SSH connections on the outside interface or telnet connections on the inside interface. The PIX should be running at least version 6.0. Note: there is an engineering build of the process nr.managed that can connect to a PIX with a DES license, but it requires a manual configuration step. This build also fixes a bug that would otherwise prevent a sensor from connecting via telnet to a 6.2.1 or later PIX. If using SSH, it is necessary to connect to the PIX from the sensor command line one time before the sensor can connect. Also you will need to configure the PIX interface IP, username, password, and enable password using the sensor management software. If the PIX RSA key or interface IP is changed for any reason, then you need to delete the PIX entry from the SSH known_hosts file and repeat the manual connection.

For a 4.0 sensor, at the minimum, the same PIX requirements apply. On the sensor, the same requirements apply except that instead of a manual connection you need to add the PIX interface IP as a trusted
Finally, you must configure one or more signatures to shun the attacker when they are fired. Of course the signature must be enabled as well. This is done via the management software.
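The "delete the PIX entry from the SSH known_hosts file" step in the answer above, as an added example that is not part of the original thread: it assumes the sensor keeps an OpenSSH-style known_hosts file (plain or `|1|`-hashed host fields), and the PIX address, the other host and the key strings are constructed sample values. Where `ssh-keygen -R <host>` is available it does the same job; the point here is how a line is matched to the PIX address, which is what decides whether the stale key actually goes away.

```python
"""Remove stale known_hosts entries for a PIX whose RSA key or IP changed.

Added example, not from the original thread. Assumes an OpenSSH-style
known_hosts file on the sensor; all hosts and keys below are constructed.
"""
import base64
import hashlib
import hmac


def _hashed(host, salt):
    """Build an OpenSSH |1|salt|hash host field (HMAC-SHA1 of the hostname)."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


# Constructed sample file: the PIX appears once in plain form and once hashed.
SALT = b"\x01" * 20
KNOWN_HOSTS = "\n".join([
    "192.0.2.1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC-PIX-OLD-KEY",
    "10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC-OTHER-HOST",
    _hashed("192.0.2.1", SALT) + " ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC-PIX-OLD-KEY",
    "",
])


def entry_matches_host(entry, host):
    """True if a known_hosts line's host field covers `host` (plain list or |1| hash)."""
    if not entry.strip() or entry.startswith("#"):
        return False
    fields = entry.split()
    hostfield = fields[1] if fields[0].startswith("@") else fields[0]  # skip @cert-authority/@revoked
    if hostfield.startswith("|1|"):
        _, _, salt_b64, hash_b64 = hostfield.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in hostfield.split(",")  # plain field may list several names/IPs


def remove_host(known_hosts, host):
    """Return (known_hosts text without lines for `host`, number of lines removed)."""
    kept, removed = [], 0
    for line in known_hosts.splitlines():
        if entry_matches_host(line, host):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed
```

After the stale lines are gone, the one-time manual connection from the sensor command line records the PIX's current key again.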