topic Re: IPS unable to Block in Network Security

IPS unable to Block

wasiimcisco — Sun, 10 Mar 2019 11:16:17 GMT

I have IPS 4255, I have made a Service HTTP signature to block metacafe.

I have configured the block device for PIX Firewall. Signature triggers when i open www.metacafe.com i can see the user IP in active blocking hosts and also in IP logging but still i m not able to block/shun the users.

I select all actions in signature definiation.

-----Network Access Statistics-----

section Current Configuration

LogAllBlockEventsAndSensors true

EnableNvramWrite false

EnableAclLogging false

AllowSensorBlock false

BlockMaxEntries 250

MaxDeviceInterfaces 250

section NetDevice

Type PIX

IP 172.28.31.68

NATAddr 0.0.0.0

Communications ssh-3des

ResponseCapabilities block

section NeverBlock

IP 172.28.92.72

IP 172.28.31.0

IP 192.168.249.0

IP 192.168.250.0

section State

BlockEnable true

section NetDevice

IP 172.28.31.68

AclSupport Does not use ACLs

Version 0

State Inactive

Firewall-type PIX

Please help me out what i m missing.

Re: IPS unable to Block

Farrukh Haroon — Thu, 28 Aug 2008 10:18:34 GMT

Did you allow the sensor IP on the PIX for SSH?

ssh interface ?

Did you add the PIX as a trusted host on the sensor?

Is the SSH even working on the PIX from other hosts?

Double check your PIX credentials.

Regards

Farrukh

Re: IPS unable to Block

wasiimcisco — Thu, 28 Aug 2008 13:32:16 GMT

Thanks for the reply,

My firewall is configured for AAA. I gave the same credential in IPS blocking devices that i m using for myself.

SSH is allowed on firewall for any IP.

IPS also has any ip to trusted hosts.

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

IPS allowed host

telnet-option enabled

access-list 172.28.0.0/16

IPs only able to push access-list on router but not able to shun pix firewall.

Re: IPS unable to Block

Farrukh Haroon — Thu, 28 Aug 2008 13:42:30 GMT

"IPS also has any ip to trusted hosts. " this is not possible you have to do it manually.

I am talking about adding the SSH key of the PIX in the IPS.

http://www.cisco.com/en/US/docs/security/ips/6.0/command/reference/crCmds.html#wp553621

Go to the IPS CLI and issue the following command:

ssh host-key

Regards

Farrukh

Re: IPS unable to Block

wasiimcisco — Thu, 28 Aug 2008 16:00:11 GMT

I have tried even this, but still the problem is there,

I am attaching the screen shot, I am not able to configure block action, the tab is not highlighted.

why it is so, may be this is the reason.?????

Re: IPS unable to Block

Farrukh Haroon — Thu, 28 Aug 2008 17:44:17 GMT

Have you enabled blocking globally?

Blocking >> Blocking Properties

Regards

Farrukh

Re: IPS unable to Block

wasiimcisco — Thu, 28 Aug 2008 20:03:23 GMT

yes blocking is globally enabled. IPs able to write access-list on routers but not able to shun pix firewall.

Re: IPS unable to Block

Farrukh Haroon — Fri, 29 Aug 2008 17:54:35 GMT

Please enable the block action on any common signature like ICMP echo (2004) and then check the event log of the IPS. It will tell you why the shun is failing. Also login to the firewall and do a 'who' command during this test to see if the IPS logs in. Do 'terminal monitor' and 'logging monitor 6' on firewall to see any denies etc.

Regards

Farrukh

Re: IPS unable to Block

wasiimcisco — Thu, 04 Sep 2008 10:22:41 GMT

I am not able to configure firewall shun in cisco IPS, The option of blocking is disable in IPS for Firewall.

See the attachement. Please help me out how to do this.

IPS is only able to block the routers but not firewall

Re: IPS unable to Block

wasiimcisco — Thu, 04 Sep 2008 10:44:00 GMT

When i view the log on IPS, it shows me the following error

firewall type unknow. Please see the screen shot.

Secondly when i did who on firewall i didnt see anybody connected. Firewall logging is also not showing that IPS IP address is block.

Re: IPS unable to Block

wasiimcisco — Sun, 07 Sep 2008 10:58:32 GMT

can anybody help me out in this matter.