Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
258
Views
0
Helpful
1
Replies

Shunning with IDS 4.0 and PIX 6.2(2)

efink
Level 1
Level 1

‎06-13-2003 03:21 AM - edited ‎02-20-2020 10:48 PM

1. I am trying to shun a host for 1 minute when a specific alarm is triggered. Shunning works O.K. but after 1 minute the entry in Block Host menu on IDS sensor dissappears but there's still a shun command on PIX. In other words it seems that the sensor passes the shun command to the PIX, but it doesn't pass the no shun properly.

Any suggestions ?

2. What is the difference between shunnig the connnection and shunning the host ? It' seems to me that both settings have the same outcome on PIX:

--- shun connection ----

Shun 195.210.201.225(10.5.0.187) 195.246.6.25 3046 80

--- shun host -----

Shun 195.210.201.225(10.5.0.187) 195.246.6.25 3314 80

Thanks in advance.

0 Helpful
1 Reply 1

stleary
Cisco Employee
Cisco Employee

‎06-13-2003 07:58 AM

If the sensor is configured and working correctly then the shun should have

been removed from the PIX after it timed out. The most common reason

for a shun to remain on a blocking device after it times out on the sensor

is if communications with the blocking device has been lost. To check

this in IDM, click Monitoring/Statistics. Search for NetworkAccess Statistics.

The PIX device should be listed, and the state should be Active. If

not, then something is wrong with the sensor configuration for the PIX,

or possibly with network connectivity between sensor and PIX.

On the PIX, there is no difference between a host shun and a connection

shun. In either case, all packets from the attacking host are dropped

unconditionally.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card