We have an ASA5585-X with SSP-10 module installed that we are testing. The firewall's outside interface is connected to the internet and has a public address. We have CSM 4.2 installed and are sending events from the IPS to it.
After we configured the IPS module we expected to get lots of alerts for attacks originating from the internet, but we hardly see anything.
The ACL that we have on the outside interface doesn't actually allow much in, just some SMTP, HTTP, DNS, SSH.
My question is this - should the IPS see all traffic/attacks coming from the internet, or JUST packets that have passed the outside ACL?
I suspect this is why we are seeing very few alerts - can anyone confirm this?
The traffic does not automatically get copied to the IPS; you need to create an access-list and class-map to apply it (like QoS):
access-list IPS extended permit ip any any
match access-list IPS
ips inline fail-open
Internally the traffic is passed from the firewall to the IPS module through an internal interface (a port channel on the 5585s) at the last step, just prior to the traffic exiting the firewall. This is why the IPS modules do not have a "normalizer" engine: this is already performed by the ASA prior to inspection, and the ASA normalizer is essentially the same as what is found on the IPS.
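The complete MPF configuration that the reply above sketches, shown as an added example rather than anything posted in this thread. The interface ACL name OUTSIDE_IN and the class-map name IPS_CLASS are assumed; global_policy is the ASA's default policy-map name, and the access-list IPS is the one from the reply.

```cisco
! Interface ACL (name OUTSIDE_IN is assumed). This is evaluated first:
! anything it denies is dropped here and, per the reply above, never
! reaches the service-policy step where traffic is handed to the IPS.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Traffic selector for the IPS redirect (from the reply above).
access-list IPS extended permit ip any any
!
! Class-map name IPS_CLASS is assumed.
class-map IPS_CLASS
 match access-list IPS
!
! global_policy is the default policy-map applied with "service-policy ... global".
! "inline" puts the IPS in the forwarding path; "fail-open" keeps forwarding
! traffic if the module goes down.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
!
service-policy global_policy global
```

After applying it, `show service-policy` lists the IPS_CLASS entry with the module status, mode and packet counters, which is the quickest way to confirm that permitted traffic is actually being redirected.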
I'm aware of that - we have the policy map configured.
We're getting very few alerts from IPS - I was expecting more, as the outside interface has a public IP address and there are scans, probes etc happening all the time.
Let me put my question a different way - does the IPS module ever see traffic that is DROPPED by the outside interface ACL?
Thanks for the replies.
So if there was a DoS attack occurring on the outside interface (possibly saturating our internet link) and the DoS traffic was being dropped by the ACL, IPS would have no visibility of that?