01-26-2011 02:34 PM - edited 03-10-2019 05:14 AM
I'm fairly new to IPS. I inherited a system that has two ASAs in an active/passive configuration. We also have an IDS module in each ASA. I've been doing a little maintenance work on them lately and realized that they don't sync. I was under the impression that, similar to a failover config with ASAs, the IDS modules would sync with each other? After looking at the primary, it's clear that they do not replicate changes to each other.
So, my question then is: should they replicate? If not, can I simply copy the config from the primary (that I have done the work on) over to the secondary? They are both running version 7.0(4).
Thanks
01-26-2011 08:49 PM
The IPS module on the ASA does not replicate at all. The modules are independent from the ASA. The only config replication in Active/Standby ASA failover is the ASA configuration.
As far as the IPS is concerned, the configuration needs to be done manually on each IPS. Typically there will not be too many configuration changes on an IPS device unless you are tweaking a lot of the signatures. Once you have set up the IP address, enabled the virtual sensors, and configured the signature auto-updates, there is typically very low maintenance as far as the configuration is concerned.
No, again, you don't have to copy the config from the primary IPS to the secondary IPS, as they should have different IP addresses for management. For a brand new IPS, you would just need to run the "setup" command on each IPS (this will configure the basic networking on the IPS); once you have configured the IP address, you can HTTPS (IDM) to the IPS directly, enable the virtual sensor, and lastly configure the auto update. That is all you need to configure for the IPS (and those are one-off configurations).
01-27-2011 06:09 AM
Thanks for the info, that clears up some of the questions we had. My underlying issue is that we run an RSA enVision which analyzes and reports on our ASA and IPS logs. Since we have failed over to the secondary IPS sensor we are no longer getting syslog data to RSA. So it works on the primary, but not on the secondary sensor. I also don't see a place in the IPS module to tell it to dump syslog to a particular address.
Our instructions from RSA to set up each module to dump data are as follows:
configure terminal
service web-server
configurable-service rdep-event-server
enabled true
Unfortunately, when I try to run "configurable-service rdep-event-server" it errors out and states: "Error: Cannot create a new configurable-service entry. Available entry(s):"
01-27-2011 07:54 PM
From the RSA enVision's point of view, it should have two IP addresses configured for the IPS modules, one for each module separately, with different IP addresses.
From the IPS side, I would suggest that you session into the module from both ASAs:
session 1
and obtain a copy of "show config" from both modules, and compare the configurations.
The error message that you are getting seems to advise that it has been configured. But please double-check by comparing the configuration from both modules.
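One way to do the comparison suggested above, as an added example that is not code from this thread or from Cisco: capture "show config" from each module, then diff the two dumps service block by service block, ignoring the lines that are supposed to differ between the two modules (the management host-ip and host-name). The two dumps embedded below are constructed samples written in the style of Cisco IPS 7.x "show config" output, abbreviated to three service blocks; the secondary sample deliberately lacks the rdep-event-server entry so that the drift the thread is chasing shows up in the report.

```python
"""Added example: report configuration drift between two Cisco IPS modules.

Not code from the original thread. Both dumps below are constructed samples
in the style of Cisco IPS 7.x 'show config' output, heavily abbreviated.
"""
import difflib
from collections import OrderedDict

# Constructed sample: primary module, where the RSA event-server change was made.
PRIMARY_SHOW_CONFIG = """\
! ------------------------------
! Current configuration last modified Wed Jan 26 14:10:05 2011
! ------------------------------
! Version 7.0(4)
service host
network-settings
host-ip 10.1.1.11/24,10.1.1.1
host-name ips-primary
access-list 10.0.0.0/8
exit
exit
service web-server
configurable-service rdep-event-server
enabled true
exit
exit
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
"""

# Constructed sample: secondary module, never given the same change.
SECONDARY_SHOW_CONFIG = """\
! ------------------------------
! Current configuration last modified Tue Nov 09 09:21:44 2010
! ------------------------------
! Version 7.0(4)
service host
network-settings
host-ip 10.1.1.12/24,10.1.1.1
host-name ips-secondary
access-list 10.0.0.0/8
exit
exit
service web-server
exit
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/1
exit
exit
"""

# Settings that must differ between the two modules (management identity).
# They are excluded so the report only shows genuine configuration drift.
PER_MODULE_PREFIXES = ("host-ip ", "host-name ")


def parse_services(show_config):
    """Split a 'show config' dump into {service line: [setting lines]}.
    '!' lines are comments (timestamps, version banner) and are dropped;
    every 'service ...' line starts a new block."""
    services = OrderedDict()
    current = None
    for raw in show_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("service "):
            current = line
            services[current] = []
        elif current is not None and not line.startswith(PER_MODULE_PREFIXES):
            services[current].append(line)
    return services


def compare_configs(primary, secondary):
    """Return {service line: unified-diff lines} for every service block whose
    settings differ between the two dumps. An empty dict means no drift."""
    a, b = parse_services(primary), parse_services(secondary)
    drift = {}
    for svc in list(a) + [s for s in b if s not in a]:
        diff = list(difflib.unified_diff(a.get(svc, []), b.get(svc, []),
                                         fromfile="primary", tofile="secondary",
                                         lineterm=""))
        if diff:
            drift[svc] = diff
    return drift


def report(drift):
    """Render the drift dict as printable text, one section per service."""
    if not drift:
        return "No configuration drift between the two modules."
    out = []
    for svc, diff in drift.items():
        out.append("=== %s ===" % svc)
        out.extend(diff)
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python ips_config_diff.py primary.txt secondary.txt
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            print(report(compare_configs(f1.read(), f2.read())))
    else:
        print(report(compare_configs(PRIMARY_SHOW_CONFIG, SECONDARY_SHOW_CONFIG)))
```

Run it with the two captured "show config" files as arguments (or with no arguments to diff the embedded samples). Only the blocks that differ are printed, so with the samples above the output is a single diff under "service web-server" showing the missing configurable-service entry, which is exactly the kind of difference the error message in this thread points at.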