We are changing our IPS (aip-ssm10) mode of operation from promiscous to Inline mode. Is there any caveats or anything i need to take into consideration before doing the switch? Is there a possibility to roll back incase something doesn't go the way we planned?
changing from promiscous to inline and back is done with the ips-command in the ASA MPF-config. So if you run into problems you can easily switch back.
What you should do before changing to inline: - check your alerts for false positives and eliminate them first. - if you can't eliminate all, make sure that the risk-rating doesn't exeed the threshold for the automatic deny-action if configured. - and of course keep monitoring your events after the switch to inline.