topic If you don't want IPS to in Network Security

Configure newly deployed inline IPS to alert only

savy-pfsec — Sun, 10 Mar 2019 13:10:59 GMT

All,

I'm hoping some of you experts can assist me with this request. Recently started a new job and they put the IPS into prod (We are running the software based module on our ASA.) and it started blocking more then they had intended. They configured the ASA to not send any traffic to it, to stop the outage.

So now we have an IPS half-way setup and I need to finish the job. I'm new to Cisco IPS, but I really want to know is there a way I can deploy this sensor so that it is still inline but it will not block anything. This way I can baseline the environment and see what type of alerts are firing?

Any help on the best to set this up / deploy tips would be appreciated!

Refer this link to set up

Poonam Garg — Fri, 11 Apr 2014 06:07:46 GMT

Refer this link to set up your ips module:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/asdm70/configuration_guide/asdm_70_config/modules_ips.html.

Better you deploy ips module in promiscuous mode if you don't want to block any traffic.

If you don't want IPS to

Saurav Lodh — Fri, 11 Apr 2014 06:31:11 GMT

If you don't want IPS to block any thing sitting inline but throw alert, from the event actions opt "produce alert"

Produce Alert

Writes the event to the Event Store as an alert.

Note The Produce Alert action is not automatic when you enable alerts for a signature. To have an alert created in the Event Store, you must select Produce Alert. If you add a second action, you must include Produce Alert if you want an alert sent to the Event Store. Also, every time you configure the event actions, a new list is created and it replaces the old list. Make sure you include all the event actions you need for each signature.

Poonam and salodh thank you

savy-pfsec — Fri, 11 Apr 2014 13:51:19 GMT

Poonam and salodh thank you both for your replies!

Poonam - I was considering deploying it in promiscuous mode, but I had concerns on signatures that were set to "deny packet inline" only in that mode. In that case it would not "block" anything, but would I still see an alert (even thou "produce alert" is not set in the sig) for this event?

salodh - I think this idea is more what i was initially thinking. I have a question on it however. If using an "Event action override" and I check "Produce Alert" in your example attached would it also still deny the packet inline because "Deny packet inline" is also checked?

Again thanks for the help!