idsm in promiscuous mode for multiple firewall context

Hello

We want to monitor the outside interface on virtual firewalls using IDSM in promiscuous mode.

Can someone provide a sample config of what needs to be configured on the 7600 chassis and the IDSM?

If there are 20 virtual firewalls, how do we monitor the outside interface of these firewalls?

A step-by-step config will be much appreciated. We would like to use only one sensing interface of the IDSM module.

If we are using promiscuous mode, should Global Correlation be enabled?

IDSM doesn't operate in failover mode like FWSM/ACE on the chassis; what is the best practice in this scenario?

If IDSM A of switch A goes down, how can we make IDSM B from switch B monitor the active FWSM outside interface on switch A?

Thanks


fadlouni
Level 1

Hi.

You can configure the 7600 to SPAN all 20 virtual firewall VLAN interfaces and forward them to the IDSM. Example:

monitor session 1 source vlan 200 - 220  (change this to reflect your VLANs)

monitor session 1 destination intrusion-detection-module 8 data-port 1  (assuming the module is in slot 8 and using data port 1)

Then on the IDSM itself, you set this up just like any other sensor: you assign the physical interface you used above to the virtual sensor, and you can configure your signatures, etc.

Then I recommend configuring the sensor side using IDM:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_getting_started.html

As for Global Correlation: although it's usually used with inline mode, it can also add benefit in promiscuous mode. For example, you may see signatures that are normally informational get elevated to medium, and depending on whether you are using blocking or not, it might drop the traffic.

As for failover: IDSM doesn't have a failover mode (like FWSMs), but there is no need for it when you are in promiscuous mode. Just configure both blades the same way, monitoring the same VLANs (which should already be trunked across the switches). This way, the IDSM in whichever switch is getting the traffic will act on the traffic.

Let me know if this answers your questions.

Regards,
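A fuller version of the SPAN setup outlined in the reply, added here as an illustration; it is not taken from the thread or from Cisco documentation. The VLAN range, the slot number and the second chassis are constructed assumptions. The IDSM-side commands assume the IPS 7.0 CLI and that data-port 1 corresponds to GigabitEthernet0/7 on the blade; both should be checked against the sensor's own `show interfaces` output before use.

```cisco
! --- Switch A (7600, IOS) : constructed example, not the thread's config ---
! The outside VLANs of the 20 FWSM contexts are assumed to be 200-219.
! rx only: with a VLAN SPAN in promiscuous mode, receive-only avoids the
! IDSM seeing the same frame twice (on entering and on leaving the VLAN).
monitor session 1 source vlan 200 - 219 rx
! IDSM-2 assumed in slot 8; data-port 1 is its first sensing interface.
monitor session 1 destination intrusion-detection-module 8 data-port 1
! Verify from exec mode that the session is up and lists the VLANs:
!   show monitor session 1

! --- Switch B (second chassis) : identical session, so whichever chassis
! currently carries the active FWSM's outside traffic feeds its own IDSM.
! This relies on VLANs 200-219 being trunked between the two chassis.
monitor session 1 source vlan 200 - 219 rx
monitor session 1 destination intrusion-detection-module 8 data-port 1

! --- IDSM (IPS 7.0 CLI, assumed syntax) : bind the sensing interface to
! the default virtual sensor so the SPAN feed is actually analysed.
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs0
sensor(config-ana-vir)# physical-interface GigabitEthernet0/7
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes?[yes]: yes
```

Two design points worth checking in a real deployment: restrict the source VLAN list to the contexts' outside VLANs if, as the question asks, only the outside side should be monitored (spanning every context VLAN doubles the load on the single sensing interface); and confirm the SPAN destination port's bandwidth against the aggregate traffic of all 20 contexts, since a single data port that is oversubscribed silently drops frames and the promiscuous sensor then misses events rather than failing loudly.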
