01-04-2013 11:25 AM - edited 03-10-2019 05:51 AM
I've just had a TAC opened and the technician did some global inspection rule and a ping test from internal server to the firewall/IPS and we saw the event. A few weeks have passed and none of the reports have any data.
I've run a NeXpose vulnerability scanner from inside against the firewall's internal IP and ran NeXpose from the outside against multiple firewall IPs. I still don't see any events in the IDM, IPS Manager Express, or the ASDM.
Shouldn't the vulnerability scanner trigger the IPS internally and externally?
01-07-2013 02:24 AM
Yes it should, but it needs to be configured. Have you checked if the logging is still enabled? Can you verify if the ASA is sending IPS traffic to the AIP? Please refer to the link below for configuring AIP on ASA.
http://www.cisco.com/en/US/docs/security/ips/5.0/configuration/guide/cli/clissm.pdf
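As an added illustration, not posted by anyone in this thread, of the ASA-side setup that advice refers to: a minimal modular-policy configuration that redirects through-traffic to the AIP-SSM in inline mode, followed by the show commands used to confirm packets are actually reaching the module. The ACL and class-map names are assumptions, not the original poster's configuration.

```cisco
! Added example (not from this thread): hand all through-traffic to the AIP-SSM.
! Names IPS_TRAFFIC and IPS_CLASS are assumptions; global_policy is the ASA default.
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
service-policy global_policy global
!
! Verification: run these while the scanner is active.
! The IPS_CLASS counters (packet input / packet output) must increase;
! a card status other than Up means the module is not receiving traffic.
show service-policy global
show module 1 details
```

Modular-policy service policies act on traffic passing through the ASA; packets addressed to the ASA's own interface address are terminated by the ASA itself and are not redirected to the module, so a scan aimed at the firewall's IP will not produce module events even when the policy is correct.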
01-07-2013 05:43 AM
Where do I check to see if logging is still enabled?
I've enabled rule 2000 and 2004 for ICMP and I do see ICMP Echo Request and ICMP Echo Reply in IME Event View when I ping google.com from the inside. When I run the NeXpose scanner against the firewall from inside and outside, there are no events displayed.
01-07-2013 06:21 AM
If you are saying that you can see ICMP traffic but no event being generated from nmap, that makes me think that perhaps your IPS has been tuned to ignore the alerts from the NeXpose in your network. I'm not so sure how you configured it, but here is how to tune it. Please verify if you have deployed and configured it correctly, and also check your IPS policies and signature file.
01-07-2013 07:44 AM
Ping Firewall produces no events
Ping Google.com produces ICMP events
No specific Policy or rule for NeXpose scanner or its IP address.
Logging is enabled