How to activate a change in the Post Shun ACL for blocking?

dlac455
Level 1

I am using blocking with CSPM/IDS/7204 router. A pre and post ACL is specified for blocking. That works OK, but when I want to change the post shun ACL, I am at a loss to force the IDS to rebuild its ACL using the new post shun ACL. Tried nrstop and nrstart on the sensor. Tried adding a new block host from CSPM. Any suggestions? Thanks

5 Replies

jlively
Cisco Employee

What version of software are you running on the IDS and the 7200?

If you changed the post shun ACL on the 7200, saved it to memory, then did a sh conf and it was there, then managed should definitely have incorporated it when you did a nrstop;nrstart.

IDS has 3.1.(1) S23

7200 has 12.2(7)

The updated ACL finally appeared, but only after a roughly 15 minute delay, and after 2 nrstops and nrstarts.

The sensor will find and apply the new ACL if these setup steps are followed:

1. Disable sensor blocking on the router.

2. Update the pre/post shun ACL on the router.

3. Enable sensor blocking on the router.

It is important to disable blocking on the sensor from your management software whenever you change the configuration of the router. Errors may occur if anyone changes the configuration of a sensor controlled router while the sensor is actively controlling it.

You can execute nrstop/nrstart to let the sensor detect the changes, but it is not necessary, as long as you enable blocking after you are done with the router.

Please try this and let us know if you get any unexpected results, including a delay in the appearance of the new ACLs.

Some additional tips/information:

1) Disable and Enable Sensor blocking/shunning should be options in both the CSPM Event Viewer and the Unix Director HP OpenView Security Menu Advanced options.

2) As Sean said, it is good practice to Disable blocking or even stop the sensor prior to editing the router configuration. We have had situations where user editing of the router configuration at the same time that managed is configuring the router results in corrupted configuration files on the router. This is not an issue with all routers, but has been found on the 1600 and 2600 series. It is usually only seen when managed is shunning a lot of addresses fairly quickly.

3) Managed should read in the Pre and Post ACLs in the following situations:

a) Sensor is started (after having been stopped)

b) Blocking is re-enabled (generally after having been disabled)

c) Sensor is reconfigured by CSPM, nrConfigure, or IDSM. (I wouldn't rely on this one, because as I said above you should have stopped the sensor or disabled blocking/shunning before making the router changes.)

4) When you do make the router changes, be sure to save the changes. I can't remember whether managed reads in the running configuration or the saved configuration.
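As an added illustration (not code from this thread, from CSPM or from the sensor's managed daemon), a small Python model of the read-in behaviour the two replies above describe: the sensor snapshots the pre/post shun ACLs only when blocking is enabled or the sensor is started, so a post-shun edit made while blocking stays enabled is not reflected until blocking is disabled and re-enabled. The ACL names, entry format and addresses are assumptions.

```python
# Added model of the sensor's blocking daemon, not the real "managed" process.
# It composes the interface ACL as: pre-shun entries, a permit for the sensor
# itself, one deny per blocked host, then the post-shun entries.
SENSOR_IP = "192.0.2.5"  # constructed address of the sensor's control interface

class BlockingDaemon:
    def __init__(self, router_acls):
        self.router = router_acls  # dict of named ACLs living on the router
        self.enabled = False
        self.blocked = []
        self._pre, self._post = [], []

    def _read_acls(self):
        # Snapshot the router's ACLs; only done at the events the thread lists
        self._pre = list(self.router["pre-shun"])
        self._post = list(self.router["post-shun"])

    def start(self):  # nrstart, or "enable blocking" from the management console
        self.enabled = True
        self._read_acls()

    def stop(self):  # nrstop, or "disable blocking"
        self.enabled = False

    def block(self, host):
        if host not in self.blocked:
            self.blocked.append(host)

    def applied_acl(self):
        """Entries the daemon would write to the interface ACL right now."""
        if not self.enabled:
            return []
        return (self._pre
                + [f"permit ip host {SENSOR_IP} any"]
                + [f"deny ip host {h} any" for h in self.blocked]
                + self._post)

def demo():
    acls = {"pre-shun": ["permit tcp any host 192.0.2.10 eq 22"],
            "post-shun": ["permit ip any any"]}  # constructed router config
    d = BlockingDaemon(acls)
    d.start()
    d.block("203.0.113.7")
    before = d.applied_acl()
    acls["post-shun"].insert(0, "deny udp any any eq 161")  # edit while enabled
    stale = d.applied_acl()   # still the old post-shun entries
    d.stop(); d.start()       # the disable / edit / enable procedure from the thread
    fresh = d.applied_acl()   # now carries the new post-shun entry
    return before, stale, fresh
```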

Thanks for the tips. The sensor must read the running config because I never saved it.