04-10-2014 07:19 AM - edited 03-10-2019 06:10 AM
I have an ASA5540X firewall with the internal (software-based) IPS module. The module has up-to-date signatures and seems to be running correctly. However, after enabling anomaly detection (ad0) and specifying the internal zones, I don't see any "Learned OS" entries in IME.
My settings for the sensor are pretty basic:
access-list ips_traffic extended permit ip any any
access-list ips_traffic extended permit udp any any
class-map ips_class
 match access-list ips_traffic
policy-map global_policy
 class ips_class
  ips inline fail-open
Not sure why it isn't learning the OSs.
04-10-2014 10:56 PM
Learned OS maps—OS maps observed by the sensor through the fingerprinting of TCP packets with the SYN control bit set. Learned OS maps are local to the virtual sensor that sees the traffic.
Can you verify the OS fingerprinting with:
sensor# show os-identification learned
Enable passive-traffic-analysis {enabled | disabled}
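As an added illustration of the mechanism the answer describes (this is not Cisco code, and it uses a constructed two-entry signature table rather than the sensor's real fingerprint database), here is a small Python passive fingerprinter that pulls the initial TTL, window size and option order out of a raw TCP SYN and looks them up; the packet builder at the end only produces constructed sample input:

```python
import struct

# Constructed signature table (illustrative, not Cisco's): (initial TTL, window, option order) -> OS label
SIGNATURES = {
    (64, 29200, ("mss", "sackok", "ts", "nop", "wscale")): "Linux-like",
    (128, 8192, ("mss", "nop", "wscale", "nop", "nop", "sackok")): "Windows-like",
}
OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sackok", 8: "ts"}
LINUX_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"  # constructed
WINDOWS_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"                     # constructed

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value; hop count is unknown."""
    return next((base for base in (32, 64, 128, 255) if ttl <= base), 255)

def parse_syn(pkt):
    """Extract (initial TTL, window, option order) from a raw IPv4+TCP packet; None unless pure SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                       # protocol field: only TCP is fingerprinted
        return None
    tcp = pkt[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x3F) != 0x02:          # SYN set and nothing else (skip SYN/ACK, data, etc.)
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i = [], 20
    while i < data_offset:
        kind = tcp[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP carries no length byte
            opts.append("nop"); i += 1; continue
        opts.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += max(tcp[i + 1], 2)           # skip by option length; clamp malformed lengths
    return initial_ttl(pkt[8]), window, tuple(opts)

def classify(pkt):
    """Map a SYN's fingerprint to an OS label; None for non-SYN packets, 'unknown' for no match."""
    feat = parse_syn(pkt)
    return None if feat is None else SIGNATURES.get(feat, "unknown")

def build_syn(ttl, window, opt_bytes, flags=0x02):
    """Build a minimal IPv4+TCP packet as constructed sample input (checksums left at zero)."""
    opt_bytes += b"\x00" * (-len(opt_bytes) % 4)
    tcp_len = 20 + len(opt_bytes)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, flags, window, 0, 0)
    return ip + tcp + opt_bytes
```

The sensor can only build such a map for hosts whose SYNs actually reach that virtual sensor, which is why a policy applied to the wrong module leaves the learned table empty.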
04-11-2014 07:19 AM
I realized that the problem was a failover issue: the ASAs are in a pair, and after a failover, the IPS policies had been applied to the wrong (failover) IPS module. Once I applied them on the correct module, I could see all the learned OSs.