Re: Any Luck Editing Actions on Events with ASA SSM

george.goebel · ‎12-08-2009

W are running an ASA 5540 failover pair with SSM-40 modules. When using the IME version 7.0.2 to manage the IPS we have not been successful in getting anything to work but "Deny Attacker Inline." Nothing else works. We have tried every option under the Actions and none work. There are many signatures that we would like blocked, but only that signature. ie. block Bittorrent but allow internet access.

Farrukh Haroon · ‎12-15-2009

Which mode have you configured on the ASA firewall? Inline or Promiscuous?

george.goebel · ‎12-15-2009

Hello and thanks for the reply. It is running inline.

And we have not had any luck getting the other options to work.

Farrukh Haroon · ‎12-15-2009

If you manage the device through ASDM or IME should not make a difference.

What I would suggest is to test the action on a simple signature, like the ICMP ones (e.g. Sig 2004, you have to enable it first) and not a complex one like P2P etc.

Also what is exactly happening with the other actions? Do you see the signature fire in IME with the 'action' listed? Or the action field is empty in the IME alerts? Or the signature does not fire at all?

Regards

Farrukh

george.goebel · ‎12-16-2009

The IPS sees the event and logs it, the action selected doesn't work other than the "Deny Attacker." We would like to have the IPS just stop the event, but that is the problem. We have used ASDM and IME latest versions. The IPS has the latest versions too. It just doesn't work!