01-19-2011 06:21 AM - edited 03-10-2019 05:14 AM
Hello,
We're using AIP-SSM-40, Version 7.0(2)E4.
We send traffic from all interfaces to the IPS. When we test it with sigID 2004, we don't have any alarm.
The configuration on the ASA is as follows:
access-list inside_mpc extended permit ip any any
class-map inside-ip-class
match access-list inside_mpc
policy-map inside-ips-policy
class inside-ip-class
ips inline fail-open
service-policy inside-ips-policy interface inside
On the AIP-SSM, the configuration is as follows:
signatures 2004 0
alert-severity high
engine atomic-ip
event-action produce-alert|produce-verbose-alert|deny-attacker-inline|deny-connection-inline|deny-packet-inline
specify-l4-protocol yes
l4-protocol icmp
specify-icmp-type no
What should we do to get an alarm?
01-24-2011 12:11 AM
What do you mean by alarm? Are you saying that you are not able to see the events that are triggered by signature# 2004?
Can you check what is the Alert Frequency configured for this signature? The default is "Summarize" every 30 seconds. You might want to change the Alert Frequency to "Fire All" if you are using signature#2004 to test.
Plus you would need to send the traffic across the ASA so traffic will be inspected by the IPS.
Lastly, I am assuming that you have already enabled/assigned the IPS virtual sensor (vs0) to the signature (sig0).
Hope that helps.
01-31-2011 01:55 AM
Hello,
The alert frequency is "fire all" and we sent a continuous ping. We also tested with another signature (FTP authentication failure), but no alarm.
We used the default sensor on each interface, so do we need to change it to vs0?
01-31-2011 07:52 AM
Can you please confirm if you are sending the traffic through the ASA firewall? I would suggest that you assign the IPS as a global policy on your ASA, and on the IPS itself, please check if the virtual sensor has been enabled.
02-02-2011 12:40 AM
Hi Jennifer,
We sent traffic through the ASA; it is enabled on each interface, not globally.
We used vs0 as you suggested, and it's working.
Thanks indeed.
The configuration is now like this:
policy-map dmz-ips-policy
class dmz-ips-class
ips inline fail-open sensor vs0
policy-map outside-ips-policy
class outside-ips-class
ips inline fail-open sensor vs0
policy-map inside-ips-policy
class inside-ips-class
ips inline fail-open sensor vs0
Before, we used the default sensor and the configuration was as follows:
policy-map inside-ips-policy
class inside-ips-class
ips inline fail-open sensor
It didn't work.
We used the default sensor on another ASA with another IPS version, and it worked fine.
Is there any explanation?
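Added example (not part of the original post or of Cisco's tooling): a small Python checker that walks the ASA's service-policy -> policy-map -> class -> ips chain in a running-config snippet and reports, per interface, whether traffic is handed to the IPS module and which virtual sensor the ips command names. The sample config is constructed to mirror the before/after snippets above, with a dmz policy left on the implicit default sensor and an outside policy that has no ips action at all; the interface, ACL and policy names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample running-config (hypothetical interface/policy names),
# written in the same style as the snippets quoted in the thread.
SAMPLE_CONFIG = """\
access-list inside_mpc extended permit ip any any
class-map inside-ips-class
 match access-list inside_mpc
class-map dmz-ips-class
 match access-list dmz_mpc
class-map outside-ips-class
 match access-list outside_mpc
policy-map inside-ips-policy
 class inside-ips-class
  ips inline fail-open sensor vs0
policy-map dmz-ips-policy
 class dmz-ips-class
  ips inline fail-open sensor
policy-map outside-ips-policy
 class outside-ips-class
  inspect icmp
service-policy inside-ips-policy interface inside
service-policy dmz-ips-policy interface dmz
service-policy outside-ips-policy interface outside
"""

# ips <mode> <failure-action> [sensor [<name>]]; a bare 'sensor' with no name
# is treated the same as no sensor keyword (implicit default sensor).
IPS_RE = re.compile(
    r"ips (inline|promiscuous) (fail-open|fail-close)(?: sensor(?: (\S+))?)?$"
)
POLICY_RE = re.compile(r"policy-map (\S+)$")
CLASS_RE = re.compile(r"class (\S+)$")
SERVICE_RE = re.compile(r"service-policy (\S+) (?:interface (\S+)|global)$")


def parse_policy_maps(config):
    """Return {policy-map: [(class, ips-command), ...]} keeping only classes
    that carry an 'ips' action. Nesting is taken from leading whitespace."""
    policies = defaultdict(list)
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level command resets state
            policy = cls = None
            m = POLICY_RE.match(line)
            if m:
                policy = m.group(1)
            continue
        if policy is None:                   # inside class-map, ACL, etc.
            continue
        m = CLASS_RE.match(line)
        if m:
            cls = m.group(1)
        elif cls and line.startswith("ips "):
            policies[policy].append((cls, line))
    return policies


def parse_service_policies(config):
    """Return {interface-or-'global': policy-map} from service-policy lines."""
    bindings = {}
    for raw in config.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            bindings[m.group(2) or "global"] = m.group(1)
    return bindings


def ips_coverage(config):
    """Per bound interface, list the ips actions it reaches: each entry records
    the policy, class, mode, failure action and the named sensor (None when
    the command leaves the sensor choice to the module's default)."""
    policies = parse_policy_maps(config)
    coverage = {}
    for target, policy in parse_service_policies(config).items():
        entries = []
        for cls, cmd in policies.get(policy, []):
            m = IPS_RE.match(cmd)
            if m:
                entries.append({"policy": policy, "class": cls,
                                "mode": m.group(1), "failure": m.group(2),
                                "sensor": m.group(3)})
        coverage[target] = entries
    return coverage


def audit(config):
    """Return (interfaces with no ips action, interfaces whose ips action
    names no virtual sensor), both sorted."""
    cov = ips_coverage(config)
    no_ips = sorted(t for t, e in cov.items() if not e)
    implicit = sorted(t for t, e in cov.items()
                      if any(x["sensor"] is None for x in e))
    return no_ips, implicit


if __name__ == "__main__":
    for iface, entries in ips_coverage(SAMPLE_CONFIG).items():
        print(iface, entries or "no ips action")
    print("audit:", audit(SAMPLE_CONFIG))
```

Feed it the relevant part of the running-config instead of SAMPLE_CONFIG to get the same report for a real box. An interface flagged as "implicit sensor" is not by itself a broken configuration, since the default sensor works when vs0 is assigned on the module; it is a prompt to confirm that assignment on the IPS side rather than assume it.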
02-02-2011 10:24 AM
Are you running multiple contexts on the firewall, or just a single context?
The initial configuration that you have should work just fine, as long as you have enabled vs0 on the IPS module itself.
02-02-2011 11:58 PM
Hi,
We're running single context.
How do we check on the IPS whether vs0 is enabled?
02-03-2011 09:38 AM
If you log into the IPS with IDM, go to Configuration --> Interface Configuration --> Summary and check whether vs0 is assigned in the "Assigned Virtual Sensor" column.
02-10-2011 06:19 AM
Thanks for your reply.
One more question, Jennifer: we'd like to know which is applied first, the ASA rules or the IPS?
02-10-2011 03:30 PM
ASA rules will be applied first before the IPS inspection because IPS is getting the traffic from the ASA.
02-18-2011 12:45 AM
OK, thanks for everything, Jennifer.