
no alarm from IPS

harinirina
Level 1

Hello,

We're using AIP-SSM-40, Version 7.0(2)E4.

We send traffic from all interfaces to the IPS. When we test it with sigID 2004, we don't have any alarm.


The configuration on the ASA is as follows:

access-list inside_mpc extended permit ip any any

class-map inside-ip-class
 match access-list inside_mpc

policy-map inside-ips-policy
 class inside-ip-class
  ips inline fail-open

service-policy inside-ips-policy interface inside

On the AIP-SSM, the configuration is as follows:

signatures 2004 0
alert-severity high
engine atomic-ip
event-action produce-alert|produce-verbose-alert|deny-attacker-inline|deny-connection-inline|deny-packet-inline
specify-l4-protocol yes
l4-protocol icmp
specify-icmp-type no


What should we do to get an alarm?

Accepted Solution

Jennifer Halim
Cisco Employee

What do you mean by alarm? Are you saying that you are not able to see the events that are triggered by signature# 2004?

Can you check what is the Alert Frequency configured for this signature? The default is "Summarize" every 30 seconds. You might want to change the Alert Frequency to "Fire All" if you are using signature#2004 to test.

Plus you would need to send the traffic across the ASA so traffic will be inspected by the IPS.

Lastly, I am assuming that you have already enabled/assigned the IPS virtual sensor (vs0) to the signature (sig0).

Hope that helps.


10 Replies


Hello,

The alert frequency is "fire all" and we sent a continuous ping. We also tested with another signature (FTP authentication failure), but no alarm.

We used the default sensor on each interface. So do we need to change it to vs0?

Can you please confirm if you are sending the traffic through the ASA firewall? I would suggest that you assign the IPS as a global policy on your ASA, and on the IPS itself, please check if the virtual sensor has been enabled.

Hi Jennifer,

We sent traffic through the ASA; it is enabled on each interface, not globally.

we used vs0 as you suggested, it's working.

Thanks indeed.

The configuration is now like this:

policy-map dmz-ips-policy
 class dmz-ips-class
  ips inline fail-open sensor vs0
policy-map outside-ips-policy
 class outside-ips-class
  ips inline fail-open sensor vs0
policy-map inside-ips-policy
 class inside-ips-class
  ips inline fail-open sensor vs0

Before, we used the default sensor and the configuration was as follows:

policy-map inside-ips-policy
 class inside-ips-class
  ips inline fail-open sensor

It didn't work.

We used the default sensor on another ASA, with another IPS version, and it worked fine.

Is there any explanation?

Are you running multiple contexts on the firewall, or just a single context?

The initial configuration that you have should work just fine, as long as you have enabled vs0 on the IPS module itself.
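The two variants compared above, an `ips` action that leaves the sensor implicit and one that names `vs0`, are exactly the kind of difference that is easy to miss in a long running-config. The following script is an added example (not from this thread or from Cisco) that parses an ASA config excerpt and flags `ips` actions with no explicit sensor, plus `service-policy` lines whose policy-map carries no `ips` action at all. The config text is constructed for the example; the policy-map and interface names are assumptions.

```python
import re

# Constructed ASA running-config excerpt (not from the thread's devices); one ips action names
# the sensor, one leaves it implicit, and one applied policy-map has no ips action at all.
SAMPLE_CONFIG = """\
policy-map inside-ips-policy
 class inside-ips-class
  ips inline fail-open sensor
policy-map dmz-ips-policy
 class dmz-ips-class
  ips inline fail-open sensor vs0
policy-map outside-ips-policy
 class class-default
service-policy inside-ips-policy interface inside
service-policy dmz-ips-policy interface dmz
service-policy outside-ips-policy interface outside
"""

IPS_RE = re.compile(r"^\s*ips\s+(inline|promiscuous)\s+(fail-open|fail-close)"
                    r"(?:\s+sensor(?:\s+(\S+))?)?\s*$")
SP_RE = re.compile(r"^\s*service-policy\s+(\S+)\s+(?:interface\s+(\S+)|(global))\s*$")

def parse_ips_policies(config):
    """Map each policy-map name to a list of (class, mode, fail-mode, sensor-or-None)."""
    policies, pm, cls = {}, None, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["policy-map"]:        # new policy-map: reset the current class
            pm, cls = tok[1], None
            policies.setdefault(pm, [])
        elif tok[:1] == ["class"] and pm:    # class inside the current policy-map
            cls = tok[1]
        elif pm and cls and (m := IPS_RE.match(line)):
            policies[pm].append((cls, m.group(1), m.group(2), m.group(3)))
    return policies

def audit(config):
    """Flag ips actions with no explicit sensor and applied policy-maps with no ips action."""
    policies = parse_ips_policies(config)
    findings = []
    for pm, entries in policies.items():
        for cls, mode, fail, sensor in entries:
            if sensor is None:   # implicit default sensor: pin it, e.g. 'sensor vs0'
                findings.append(f"{pm}/{cls}: 'ips {mode} {fail}' names no sensor; use 'sensor vs0'")
    for line in config.splitlines():
        if m := SP_RE.match(line):
            pm, where = m.group(1), m.group(2) or m.group(3)
            if not policies.get(pm):   # applied, but nothing in it diverts traffic to the IPS
                findings.append(f"service-policy {pm} on {where}: no ips action, traffic not inspected")
    return findings
```

Feed it the output of `show running-config` saved to a file; an empty list from `audit()` means every applied policy-map sends traffic to a named virtual sensor.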

Hi,

We're running single context.

How do we check on the IPS whether vs0 is enabled?

If you IDM into the IPS, go to Configuration --> Interface Configuration --> Summary and check whether vs0 is assigned in the "Assigned Virtual Sensor" column.

Thanks for your reply.

One more question, Jennifer: we'd like to know which is applied first, the ASA rules or the IPS?

ASA rules will be applied first before the IPS inspection because IPS is getting the traffic from the ASA.

Ok, thanks for all Jennifer.
