cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

IPS-SSM10 Events not getting generated

804
Views
5
Helpful
0
Comments

Introduction

This document shows issue of "Events not getting generated" faced by a user.

Problem

 

Pls see below policy config of ASA.

============================

 

ASA-01# sh run policy-map

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect ip-options

  inspect skinny

  inspect icmp

class class-default

  flow-export event-type all destination 10.xx.xx.xx

!

ASA-01# sh run class-map

!

class-map inspection_default

match default-inspection-traffic

 

.

image 1.png

 

Scenario 2

User trying to determine  is it possible to create custom IPS signatures on the ASA-CX module?  Not the ASA + Legacy IPS combo, but the ASA + ASA-CX (Application Detection, Web Filtering, IPS) combo. He couldn't find anything in the docs that said this was possible.

Solution

To the best of my knowledge, expired license does not stop the IPS from producing event actions.

On IDM or IME, go to Monitor -> Events click the "warning", "error", "fatal" and the "show status events" if not already checked. set "show pat even to at least 1hr. and click "view" at the bottom, You should see some events how ever these may not be created by any signature.

Click "configuration" ->Interfaces -> summary and see if any interface is assigned to a VS. If "none", then there lies the issue.

To fix this, goto

Configuration->IPS Policy, select the VS and click edit.

If the interface is not selected, click the check box to select the interface and click apply.

 

image 2.png

 

From above mentioned configuration there is no configuration on  ASA that passes traffic to the IPS for inspection in your show run class-map and show run policy-map out put.

In global config mode type the following command below:

 

Access-list IPS_acl extended permit ip any any

class-map IPS_class

match access-list IPS_acl

policy-map IPS_policy

class IPS_class

ips promiscuous fail-open

service-policy IPS_policy global

 

Scenario 2

Not with the current release. Currently, Cisco ASA Next-Generation Firewall Services include a robust set of more than 1200 applications and 150000 micro-applications. The ability for administrators to create their own application signatures is a feature that will be included in a future release. No, those capabilities are not available with the NGFW IPS. Cisco currently recommends that the classic IPS (ASA module of stand-alone appliance) for customers requiring that capability. Expect this all to change significantly over the coming year though as more of the SourceFire technology is integrated into the ASA product line.

Source Discussion

IPS-SSM10-Events