Cisco Support Community
Community Member

The 'Internal Network' setting in IDM

I'm trying to find any reference to this setting that may provide some detail. Should I have my internal address defined in this? (e.g. 192.168.0.0/16) If so, what function does it provide?

I believe I read somewhere that certain signatures will ignore traffic on addresses defined here. True or false?

Thanks,

Darren

1 REPLY
Community Member

Re: The 'Internal Network' setting in IDM

False.

By defining "internal networks", you allow your IDS to identify which traffic is "IN" and which is "OUT", with regard to the direction. Given this information, you can create filters based on this data. If you specify 192.160.0.0/16 (in the form of "192.160.0.0 255.255.0.0" in IDM), any intrusion events to/from that network will be properly identified in the Event Viewer in the "Src" or "Dst" as "IN".

You can then create a filter to exclude any events if the source originates from "inside", etc.

I have found a bug in this configuration which I have not confirmed has been fixed. The bug used to include any configuration of internal networks that weren't a full Class A, B, or C. Example: if you configured an Internal Network of:

10.20.30.0 255.255.255.192 - it would not properly identify traffic from that network as being "IN". Only networks with full class masks were properly interpreted. Again, I have not confirmed that this bug has been resolved, and I first noticed it somewhere around the S4 signature release dates.

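A way to check a sensor against the behaviour described in the reply, as an added example that is not part of the original thread and not Cisco code: it parses internal-network entries in the "address mask" form, lists the ones whose mask is not /8, /16 or /24, and compares the IN/OUT labels on exported events with what the definitions imply. The event tuple layout, the function names and the sample data are assumptions made for illustration.

```python
import ipaddress

# Constructed sample entries in the "address mask" form used in the thread.
INTERNAL_NETWORKS = [
    "192.168.0.0 255.255.0.0",
    "10.20.30.0 255.255.255.192",
]

# Assumption: "full class masks" in the reply means /8, /16 or /24.
CLASSFUL_PREFIXES = {8, 16, 24}

# Constructed events: (src, dst, src_label, dst_label). Hypothetical export
# layout, not the actual Event Viewer format.
SAMPLE_EVENTS = [
    ("192.168.1.10", "198.51.100.7", "IN", "OUT"),
    ("10.20.30.5", "203.0.113.9", "OUT", "OUT"),
]


def parse_entry(entry):
    """Turn 'address mask' into a network; raises ValueError if host bits are set."""
    address, mask = entry.split()
    return ipaddress.ip_network(f"{address}/{mask}", strict=True)


def non_classful(entries):
    """Entries with a mask other than /8, /16 or /24 (the case the reply reports)."""
    return [e for e in entries if parse_entry(e).prefixlen not in CLASSFUL_PREFIXES]


def locality(ip, entries):
    """Label the definitions imply: 'IN' if the address is in any entry, else 'OUT'."""
    addr = ipaddress.ip_address(ip)
    return "IN" if any(addr in parse_entry(e) for e in entries) else "OUT"


def mislabeled(events, entries):
    """Events whose recorded Src/Dst labels differ from the implied ones."""
    return [
        ev for ev in events
        if (ev[2], ev[3]) != (locality(ev[0], entries), locality(ev[1], entries))
    ]


if __name__ == "__main__":
    print("Non-classful entries:", non_classful(INTERNAL_NETWORKS))
    print("Mislabeled events:", mislabeled(SAMPLE_EVENTS, INTERNAL_NETWORKS))
```

Any event returned by `mislabeled` would also slip past a filter that excludes events by "IN" source, so those filters are worth re-checking for every entry that `non_classful` reports.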