08-24-2012 11:45 AM - last edited on 02-13-2020 12:56 PM by Kelli Glass
With Robert Albach
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about security best practices and management for the Cisco Intrusion Prevention System (IPS) with Robert Albach. The Cisco Intrusion Prevention System is a context aware threat prevention system for your networked environments. The module unobtrusively detects and prevents problematic traffic from reaching its target; uses contextual inputs to determine the proper level of response; and tightly integrates with the ASA firewall for greater network security.
Robert Albach is a product manager in the Security Business Unit at Cisco, responsible for intrusion prevention offerings. Before joining Cisco in 2010 he held product management positions for intrusion prevention offerings at Hewlett-Packard/TippingPoint. He has more than 15 years of experience with systems management and security product offerings and has presented at the RSA trade show and other security venues.
Remember to use the rating system to let Robert know if you have received an adequate response.
Robert might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through September 7, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
01-31-2013 03:01 PM
Hi Robert,
My client has active (ASA1)/passive (ASA2) 5520 firewalls; both firewalls have an IPS ASA-SSM-20… On the Active (ASA1) firewall the IPS module failed, and the failover method found ASA1 unhealthy because the IPS had failed, so failover switched over to Standby ASA2.
Yes, we need to replace the ASA1 IPS to bring failover back to ASA1, but my client doesn't want to buy a new one, so he requested that I take out the secondary ASA2 IPS. So ASA2 will switch back to ASA1 once failover finds out that there is no more IPS.
Please help me: how can I remove the IPS from ASA2, which is Active now, so failover switches back to ASA1 Active?
Should I just shut down the IPS on both routers so the failover method will not check for the IPS?
hw-module module 1 shutdown
02-01-2013 02:09 PM
Hi Tarjeet,
The important thing to do is to determine the cause for the initial failure of ASA1/IPS1. It may be the case that this is a potential misconfiguration or software error. In both cases there should be no need to purchase another device. Further if there is a hardware problem and the system is still under warranty then they should look into an RMA.
In all of these cases let's get to the bottom of the failure condition. Please contact TAC and open a case and let them determine a solution. That IPS unit should not fail and force an ASA failover.
Good Luck!
-Robert
02-05-2013 07:57 AM
How do you save a copy of the IDS to flash, or the ASA? I understand you can save to backup-config, but I'd really like to save a working copy in a repository, in case future modifications go sour.
Also, if you have failover enabled on 5510s, can you easily update the active ASA and the backup IDS pick up the active config?
thanks.
Jimmyc
02-05-2013 10:01 AM
Hi Jimmyc,
If you have failover then only the Active ASA config is saved on the Standby ASA, but the IPS/IDS does not save its config on the Standby. You have to make the change manually every time on both IPS.
02-06-2013 12:57 PM
Hi Jimmy,
I think that Tarjeet gave you a good answer but I wanted to be certain that what you were asking about was in fact the configuration of the system rather than the image itself. CSM makes much of your configuration import / export and general management process very easy and with varying degrees of granularity as you choose.
-Robert
02-06-2013 12:07 AM
Dear Robert,
I have spent a lot of time searching but without success.
My question is simple.
Is there an SNMP OID for the IPS module (this one is an SSM-20) which tells me the Inspection Load?
I have found an OID for CPU load, but this one is not what I need (CPU load can be high and inspection load can be low at the same time), because what matters to me is the inspection load.
Thank you very much,
Pavel
02-06-2013 01:40 PM
Hi Pavel,
This is where I have to apologize to you. In the 7.1 code release there was a whole new set of health metrics available and also a new MIB, CISCO-CIDS_MIB.my.7.1. The particular OID you would seek is 1.3.6.1.4.1.9.9.383.1.4.30.0.
Unfortunately that MIB has been caught up in our internal processes for far too long and is not posted.
I believe however that TAC has access to it so open a case and ask for it.
Our apologies for the delay and good luck.
Thanks,
-Robert
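Robert's answer names the inspection-load OID and the thread notes that the sensor only speaks SNMPv2c. The following is an added example, not Cisco's or the thread's code, of how a monitoring script would poll that OID with net-snmp's snmpget and classify the result. Assumptions, labelled in the code: that the OID is read as a plain integer gauge on a 0-100 scale (the thread gives the OID but not its type or scale), and the snmpget output lines used for testing are constructed, not captured from a sensor.

```python
"""Poll the IPS inspection-load gauge over SNMPv2c and classify it.

Added example, not from the thread. The OID comes from Robert's reply;
the value type (Gauge32) and the 0-100 percent scale are assumptions.
"""
import os
import re
import subprocess

INSPECTION_LOAD_OID = "1.3.6.1.4.1.9.9.383.1.4.30.0"  # from the thread

# net-snmp prints one varbind per line as "<oid> = <TYPE>: <value>".
# The OID is numeric with -On (".1.3.6...") or MIB-named without it
# ("SNMPv2-SMI::enterprises.9.9..."); the regex accepts either.
_VARBIND_RE = re.compile(r"^\S+\s*=\s*(?P<type>[A-Za-z0-9]+):\s*(?P<value>.+?)\s*$")

# Integer types net-snmp may print for a gauge-like object (assumed set).
_INT_TYPES = ("Gauge32", "INTEGER", "Counter32", "Unsigned32")


def parse_snmp_value(line: str) -> int:
    """Parse one net-snmp varbind line into an integer.

    Raises ValueError on 'No Such Object' / 'No Such Instance' replies, which
    is what an unsupported MIB (pre-7.1 code) would produce.
    """
    m = _VARBIND_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised snmpget output: {line!r}")
    if m.group("type") not in _INT_TYPES:
        raise ValueError(f"unexpected value type {m.group('type')!r}")
    return int(m.group("value"))


def build_snmpget_cmd(host: str, community: str, oid: str = INSPECTION_LOAD_OID) -> list:
    """snmpget invocation: SNMPv2c (the only version the sensor offers), numeric OIDs."""
    return ["snmpget", "-v2c", "-c", community, "-On", host, oid]


def classify_load(percent: int, warn: int = 70, crit: int = 90) -> str:
    """Map the gauge to a state; thresholds are illustrative, not Cisco guidance."""
    if not 0 <= percent <= 100:
        raise ValueError(f"inspection load out of range: {percent}")
    if percent >= crit:
        return "critical"
    if percent >= warn:
        return "warning"
    return "ok"


def check_inspection_load(host: str, community: str, runner=None) -> tuple:
    """Fetch the gauge and return (percent, state).

    `runner` defaults to subprocess.run; a test can pass a stand-in that
    returns an object with a .stdout attribute, so nothing touches the network.
    """
    run = runner or subprocess.run
    proc = run(build_snmpget_cmd(host, community), capture_output=True, text=True, check=True)
    first_line = proc.stdout.splitlines()[0]
    percent = parse_snmp_value(first_line)
    return percent, classify_load(percent)


if __name__ == "__main__":
    # Community string is a credential: take it from the environment, never a CLI arg.
    sensor = os.environ.get("IPS_SENSOR", "ips-sensor.example")  # placeholder host
    comm = os.environ.get("SNMP_COMMUNITY", "")
    load, state = check_inspection_load(sensor, comm)
    print(f"{sensor}: inspection load {load}% ({state})")
```

Because the community string is carried in cleartext by SNMPv2c, restrict who may query the sensor with its SNMP access list and keep the poller on the management network; that is the mitigation available until SNMPv3 arrives on the roadmap Robert mentions.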
02-07-2013 02:14 AM
Hi Robert,
Thank you for the answer. I now have version 7.0.6, and I'm not planning to upgrade to 7.1 (I think it's too new).
One more question - is there a plan to implement SNMPv3 in the IPS module (now it's SNMP 2c max.)?
Thanks,
Pavel
02-19-2013 03:00 PM
Hi Pavel,
I missed your second question so my apologies. If you are comfortable with 7.0 then stick with it. 7.0.8 is the latest in that revision family.
You are correct that we are only on SNMPv2. SNMPv3 is on a proposed roadmap for about 1 year from now but we do not yet have this plan committed to delivery.
-Robert
02-19-2013 12:22 AM
Hi Robert
Is there any way to make the IME, IDSM, or IPS do a reverse DNS lookup so the report or the signature event generated on IME shows the hostname instead of the IP address?
thank you
Malak
02-19-2013 03:18 PM
Hi Malak,
First my apologies as I cannot seem to paste screenshots, which I am certain would be helpful, but alas. I am referencing IME 7.2.3.
So within the EVENT MONITORING / EVENT VIEWS / BASIC VIEW - select an Event and then Tools / WhoIs / Attacker.
Then within the Reports section look at a Top Attacker Report such as Top 10 Attackers last 1 hour - in the Report Settings / General tab, in the Report box on the left, the lowest positioned option is a check box which says Resolve Addresses using DNS.
That should do what you are asking.
Hope this helps.
-Robert
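Robert's reply shows where IME's Top Attackers report turns on "Resolve Addresses using DNS". The following is an added example, not IME's or Cisco's code, of what that option does under the hood and of the check a report generator should apply to the result: the PTR record for an attacker address is published by whoever controls the attacker's reverse zone, so the returned name is untrusted display data and is validated before it lands in a report line. The events and the stand-in resolver are constructed (TEST-NET addresses) so the example runs offline; the `ReverseResolver` and `render_report` names are this example's own.

```python
"""Resolve attacker IPs to hostnames for a Top Attackers style report.

Added example, not IME's code. Events and the fake lookup below are constructed.
"""
import ipaddress
import re
import socket
from collections import Counter

# Conservative hostname shape: letters, digits, '.', '-' only, no leading or
# trailing separator. Anything else (control characters, spaces, quotes) is
# rejected so a hostile PTR record cannot inject lines into the report.
_SAFE_HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def system_lookup(ip: str):
    """Reverse lookup via the OS resolver; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def safe_hostname(name):
    """Return a lower-cased hostname if it is shaped like one, else None."""
    if name and ".." not in name and _SAFE_HOSTNAME.match(name):
        return name.lower()
    return None


class ReverseResolver:
    """Caches lookups per address so each attacker is queried once per report."""

    def __init__(self, lookup=system_lookup):
        self._lookup = lookup
        self._cache = {}

    def resolve(self, ip: str):
        ipaddress.ip_address(ip)  # reject anything that is not an address
        if ip not in self._cache:
            self._cache[ip] = safe_hostname(self._lookup(ip))
        return self._cache[ip]


def render_report(events, resolver):
    """Top attackers by event count as (label, count); label keeps the IP
    beside the name because the name is informational, never a match key."""
    counts = Counter(e["attacker"] for e in events)
    rows = []
    for ip, n in counts.most_common():
        host = resolver.resolve(ip)
        rows.append((f"{host} ({ip})" if host else ip, n))
    return rows


# Constructed sample events (documentation ranges, not real attackers).
SAMPLE_EVENTS = [
    {"attacker": "192.0.2.10", "victim": "198.51.100.80"},
    {"attacker": "192.0.2.10", "victim": "198.51.100.80"},
    {"attacker": "192.0.2.10", "victim": "198.51.100.81"},
    {"attacker": "192.0.2.20", "victim": "198.51.100.80"},
    {"attacker": "198.51.100.5", "victim": "198.51.100.81"},
]

# Constructed stand-in for DNS: one clean PTR, one hostile PTR carrying a
# newline, one address with no PTR at all.
FAKE_PTR = {
    "192.0.2.10": "scanner.example.net",
    "192.0.2.20": "evil\nINJECTED: fake report line",
}


def fake_lookup(ip: str):
    return FAKE_PTR.get(ip)


def sample_report():
    return render_report(SAMPLE_EVENTS, ReverseResolver(lookup=fake_lookup))


if __name__ == "__main__":
    for label, count in sample_report():
        print(f"{count:5d}  {label}")
```

One operational point follows from how the lookup works: resolving attacker addresses sends PTR queries toward nameservers the attacker may control, which tells them the address is being investigated. Run such lookups through a resolver you operate, or leave the option off when that leak matters.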
02-20-2013 07:22 AM
Thank you Robert for your reply
I have another question. I configured IDSM-2 to send TCP RESET and it works fine except for users behind FWSM, so I expect that the FWSM drops the message. Is there any way to solve it?
Regards
Malak