IPS blocking most web sites

andrewjballard — Sun, 10 Mar 2019 12:28:12 GMT

Hello,

I have installed an SSM module in a 5510 firewall, and am running IPS in promiscous mode. Using the default configuration i can see lots of packets being denied, and when i tested it in inline mode almost all the websites i tried to connect to didn't work including Cisco.com.

google.com, and gmail both worked, Cisco.com only loaded half a page, microsoft.com, bbc.co.uk, telegraaf.nl, and sportinglife failed to load.

My first question is did i do something wrong?

Why is it so restrictive, this doesn't meet the balance between security and productivity?

Is there a suggested configuration that i can download, or do i need to go through each alert and assess the security risk?

Any advice would be appreciated.

Thanks

Andrew

The device is running 7.0(5a)E4S589.0 signature 589.0

IPS blocking most web sites

rhermes — Thu, 08 Sep 2011 19:13:41 GMT

Andrew -

If your AIP-SSM module is really in promiscious mode, it shouldn't be blocking ANY traffic. Did you enable shunning on the sensor? (that would pop a blocking ACL in the ASA for 30 min or so per event).

Where are you seeing the packets denied?

If you remove the IDS configuration from your ASA does your web blocking problem stop?

- Bob

topic IPS blocking most web sites in Network Security

IPS blocking most web sites

IPS blocking most web sites