how to completely ignore an IP address

wgorman · ‎09-10-2013

Once in a while, it becomes necessary to troubleshoot network activity and the packets' journey through the IPS.

Is there a simple way to completely ignore an IP address?

This question pertains to the asa 5585 with the IPS module and IME v7.1(6)E4.

I know how to 'ignore an ip address' in the ad0 of the Anomaly Detection feature of IME, but does this mean that no IPS processing occurs?

Please advise.

-Will

Karsten Iwen · ‎09-10-2013

The filter (under event action rules) is the feature you are looking for. There you can tell the sensor to remove all actions for all signatures for this particular IP.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

sokakkar · ‎09-11-2013

Hi Will,

Like Karsten mentioned, event action filter is the way to ensure no IPS processing for the said IP/subnet.

Configuration from CLI:

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html#wp1030749

Using IME:

http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_event_action_rules.html#wp2034816

HTH.

-

Regards,

Sourav Kakkar