Query on Virtual Sensor and VLAN Pairs

ahamadfaiz · ‎07-16-2013

Hi All,

We have a single IPS device (IPS4270-20-K9 V7.0(2)E4) to monitor the DMZ and INSIDE zones.

Everything was fine until we found some issue with the IPS manApp and had to reimage the appliance.

We have two VLAN Pairs each to monitor the INISIDE zone and the DMZ. We created one virtual sensor and assigned the same virtual sensor to both the VLAN pairs. However, at this time traffic through the proxy (located in DMZ) was not working. When I created an event action filter to exclude the Proxy IP, traffic through Proxy was working.

I then created another virtual sensor and assigned this virtual sensor to the second vlan pair. It is working fine now. Below are the config:

PROBLEM CONFIG:

service analysis-engine

virtual-sensor IPSVS

description Virtual Sensor

signature-definition sig1

event-action-rules rules1

physical-interface TenGigabitEthernet7/0 subinterface-number 1

physical-interface TenGigabitEthernet7/1 subinterface-number 2

WORKING CONFIG:

service analysis-engine

virtual-sensor IPSVS01

description Virtual Sensor for DMZ

signature-definition sig1

physical-interface TenGigabitEthernet7/0 subinterface-number 1

exit

virtual-sensor IPSVS02

description Virtual Sensor for INSIDE

signature-definition sig0

physical-interface TenGigabitEthernet7/1 subinterface-number 2

I need to know if we can assign the same virtual sensor to two VLAN Pairs. Also, please let me know what is wrong with the first config and why it was not working.

Regards,

Faiz

Andrew Phirsov · ‎07-16-2013

Normally, there shouldn't be no issues with assigning one virtual sensor to any number of interfaces pairs. This is surely supported. And to my understanding, everything is fine with the first config.

Maybe that event-action filter is still in place in your current config?