07-02-2013 02:20 PM - edited 03-10-2019 05:59 AM
Hello,
The ASA firewall is running in Active/Active failover mode. Below are the configurations of the firewall and of the IPS SSM module.
We are not getting any events on the IPS sensor when we run "show event alerts".
IPS configuration:
++++++++++++++++++++++
IPS1#
IPS1# sh configuration
! ------------------------------
! Current configuration last modified Tue Jul 02 07:19:13 2013
! ------------------------------
! Version 7.1(1)
! Host:
! Realm Keys key1.0
! Signature Definition:
! Signature Update S552.0 2011-03-07
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 10.15.1.58/28,10.15.1.57
host-name IPS1
telnet-option disabled
access-list 0.0.0.0/0
dns-primary-server disabled
dns-secondary-server disabled
dns-tertiary-server disabled
exit
time-zone-settings
offset 60
standard-time-zone-name GMT+03:00
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service analysis-engine
virtual-sensor vs1
description virtual-sensor-1
anomaly-detection
operational-mode learn
exit
physical-interface PortChannel0/0
exit
exit
IPS1#
ASA in system mode
+++++++++++++++++++++++++++++++++++++++
ASA-1/act/pri# sh run
: Saved
:
ASA Version 9.1(1) <system>
!
hostname ASA-1
enable password u14FkAnxI.kNNH7a encrypted
no mac-address auto
!
interface GigabitEthernet0/0
description LAN Failover Interface
!
interface GigabitEthernet0/1
description STATE Failover Interface
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
shutdown
!
interface GigabitEthernet0/5
shutdown
!
interface Management0/0
!
interface Management0/1
!
interface TenGigabitEthernet0/6
channel-group 20 mode active
!
interface TenGigabitEthernet0/7
channel-group 20 mode active
!
interface TenGigabitEthernet0/8
channel-group 10 mode active
!
interface TenGigabitEthernet0/9
channel-group 10 mode active
!
interface GigabitEthernet1/0
shutdown
!
interface GigabitEthernet1/1
shutdown
!
interface GigabitEthernet1/2
shutdown
!
interface GigabitEthernet1/3
shutdown
!
interface GigabitEthernet1/4
shutdown
!
interface GigabitEthernet1/5
shutdown
!
interface TenGigabitEthernet1/6
shutdown
!
interface TenGigabitEthernet1/7
shutdown
!
interface TenGigabitEthernet1/8
shutdown
!
interface TenGigabitEthernet1/9
shutdown
!
interface Port-channel10
!
interface Port-channel10.96
description "Inside-CTX-1"
vlan 96
!
interface Port-channel10.97
description "Inside-CTX-2"
vlan 97
!
interface Port-channel20
!
interface Port-channel20.98
description "Outside-CTX-1"
vlan 98
!
interface Port-channel20.99
description "Outside-CTX-2"
vlan 99
!
class default
limit-resource All 0
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
pager lines 24
failover
failover lan unit primary
failover lan interface FOL GigabitEthernet0/0
failover link STATEFULL-LINK GigabitEthernet0/1
failover interface ip FOL 10.15.1.33 255.255.255.252 standby 10.15.1.34
failover interface ip STATEFULL-LINK 10.15.1.37 255.255.255.252 standby 10.15.1.38
failover group 1
preempt
failover group 2
secondary
preempt
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0
!
tls-proxy maximum-session 1000
!
admin-context admin
context admin
allocate-ips vs0 adminvs0
config-url disk0:/admin.cfg
!
context arm-1
description ARM-1
allocate-interface Management0/0 MGT
allocate-interface Port-channel10.96 inside
allocate-interface Port-channel20.98 outside
allocate-ips vs1 arm-1vs1
config-url disk0:/arm-1_Context.cfg
join-failover-group 1
!
context arm-2
description ARM-2
allocate-interface Management0/1 MGT
allocate-interface Port-channel10.97 inside
allocate-interface Port-channel20.99 outside
allocate-ips vs1 arm-2vs1
config-url disk0:/arm-2_Context.cfg
join-failover-group 2
!
prompt hostname context state priority
no call-home reporting anonymous
Cryptochecksum:ad532251aad3ca65f6da8f1ff0762816
ASA in one arm context mode
+++++++++++++++++++++++++++++++++++++++
ASA-1/arm-1/act/pri# sh run
: Saved
:
ASA Version 9.1(1) <context>
!
firewall transparent
hostname arm-1
enable password u14FkAnxI.kNNH7a encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface BVI1
ip address 10.15.1.57 255.255.255.240
!
interface MGT
management-only
nameif management
security-level 0
ip address 10.14.1.9 255.255.255.0 standby 10.14.1.10
!
interface inside
nameif inside
bridge-group 1
security-level 100
!
interface outside
nameif outside
bridge-group 1
security-level 0
!
access-list global extended permit ip any any
access-list out extended permit ip any any
access-list in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group in in interface inside
access-group out in interface outside
route inside 10.0.0.0 255.255.0.0 10.15.1.51 1
route inside 10.0.10.45 255.255.255.255 10.15.1.51 1
route outside 10.11.0.0 255.255.0.0 10.15.1.53 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
no threat-detection statistics tcp-intercept
username admin password fMQ/rjnxl9Vwe9mv encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
class-map any
match access-list global
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map IPS
class any
ips promiscuous fail-open sensor arm-1vs1
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
service-policy IPS interface outside
Cryptochecksum:00b87b7c25f21d91cf5b90cb18c4d745
: end
+++++++++++++++++++++++++++++++++++++++++++++++++++++++
Why are we not able to see any events on the IPS? MPF is configured on the ASA, and the ACL it references is getting hit counts.
Regards,
07-02-2013 08:27 PM
Hello,
Please advise how to fix this issue.
Regards,
07-03-2013 05:54 AM
In the CLI, enter the following command to see whether any signatures are triggering; it could simply be that the right combination of signatures has not fired yet to produce an actual event:
show stat virtual-sensor | begin Per-Signature
You could also enable signature 2000, which will usually generate events within a short time; that confirms traffic is actually being sent to the sensor for inspection.