04-10-2014 09:25 AM - edited 03-10-2019 06:10 AM
All,
I'm hoping some of you experts can assist me with this request. I recently started a new job and they put the IPS into prod (we are running the software-based module on our ASA), and it started blocking more than they had intended. They configured the ASA to not send any traffic to it, to stop the outage.
So now we have an IPS half-way set up and I need to finish the job. I'm new to Cisco IPS, but what I really want to know is whether there is a way I can deploy this sensor so that it is still inline but will not block anything. This way I can baseline the environment and see what type of alerts are firing.
Any help on the best way to set this up / deployment tips would be appreciated!
04-10-2014 11:07 PM
Refer to this link to set up your IPS module:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/asdm70/configuration_guide/asdm_70_config/modules_ips.html.
It is better to deploy the IPS module in promiscuous mode if you don't want to block any traffic.
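For reference, this is what the ASA-side configuration for the two operating modes looks like. It is an added example, not part of the reply above or of the linked Cisco guide; the ACL, class-map and policy-map names are placeholders, and the example assumes the ASA's default global_policy is in use.

```cisco
! --- Constructed example: send all traffic to the IPS module ---
! Placeholder names: IPS_TRAFFIC, IPS_CLASS (assumptions, not from the thread)
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
policy-map global_policy
 class IPS_CLASS
  ! Baseline / monitor-only: the module only receives a copy of each packet,
  ! so it can raise alerts but can never drop traffic, regardless of which
  ! signatures carry "deny packet inline". fail-open keeps traffic flowing
  ! if the module goes down.
  ips promiscuous fail-open
!
! When the baseline is finished and the signature tuning is done, switch the
! same class to inline mode so the module can actually enforce deny actions:
!
! policy-map global_policy
!  class IPS_CLASS
!   ips inline fail-open
!
service-policy global_policy global
```

The trade-off to keep in mind: promiscuous mode is the safest way to collect a baseline because blocking is structurally impossible, but alerts raised in that mode will not reflect what inline mode would have dropped until the event actions on each signature (or an event action override) are reviewed.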
04-10-2014 11:31 PM
If you don't want the IPS to block anything while sitting inline but still throw alerts, from the event actions opt for "Produce Alert".
Produce Alert
Writes the event to the Event Store as an alert.
Note The Produce Alert action is not automatic when you enable alerts for a signature. To have an alert created in the Event Store, you must select Produce Alert. If you add a second action, you must include Produce Alert if you want an alert sent to the Event Store. Also, every time you configure the event actions, a new list is created and it replaces the old list. Make sure you include all the event actions you need for each signature.
04-11-2014 06:51 AM
Poonam and salodh thank you both for your replies!
Poonam - I was considering deploying it in promiscuous mode, but I had concerns about signatures that were set to "deny packet inline" only. In that mode it would not "block" anything, but would I still see an alert (even though "produce alert" is not set in the sig) for this event?
salodh - I think this idea is more what I was initially thinking. I have a question on it, however. If using an "Event action override" and I check "Produce Alert" in the example you attached, would it also still deny the packet inline because "Deny packet inline" is also checked?
Again thanks for the help!