Impact of changing the IPS mode from promiscous to inline mode

Farooq Razzaque · ‎11-21-2015

Dear

We have ASA-5585-X-SSP40, currently the IPS is running in promiscous mode and now we want to change the mode from promiscous mode to inline mode. I want to know is there any impact on the traffic of changing the IPS mode to inline mode. Is there any precautions needs to be taken care while changing the IPS mode to inline mode.

Karsten Iwen · ‎11-21-2015

In inline mode, the sensor can drop traffic if a signature is triggering. If this is a false positive, you can lose "normal" traffic. It's you who knows if this is relevant or not. If you don't have false positives in your environment, then the impact should be low to nonexistent. If you still see false positives in your environment you should first tune your sensor and then change to inline mode.

In addition to that you can use the event action filters to remove all deny-actions before changing to inline mode. When you see that you don't have any relevant false politives, you can remove these filters to protect your network with deny-actions.

Farooq Razzaque · ‎11-22-2015

Dear Karsten,

Thanks for the reply.

Can you please let me know how to use event action filters to remove deny-actions.

And also can you please tell what do you mean by removing deny-actions, do you mean signatures which are configured in blocking mode.

Karsten Iwen · ‎11-22-2015

A signature could have a deny action, but more likely is that there are event-action overrides that add a deny action based on risk rating. Event action filters can remove any action taht you don't want to have.

You should first go through the "Configuring event action rules" of the config guide to learn about how an IPS sensor behaves.