Cisco Systems IPS4510K9 manual, page 502 (18-8): Enter multiple mode; Add three security contexts in multiple mode

Chapter 18 Configuring the ASA 5500-X IPS SSP

Creating Virtual Sensors for the ASA 5500-X IPS SSP

Sensor Name     Sensor ID
-----------     ---------
vs0             1
vs1             2
asa#

 

Step 3 Enter configuration mode.

asa# configure terminal
asa(config)#

Step 4 Enter multiple mode. Confirming the prompt reboots the ASA.

asa(config)# mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm] yes
asa(config)#

Step 5 Create three security contexts: the admin context and two user contexts, c2 and c3. The admin context is loaded from disk0:/admin.cfg, which the ASA wrote from the previous single-mode configuration when it switched to multiple mode in Step 4. No such file exists yet for c2 and c3, so the WARNING that the config-url cannot be fetched is expected; each of those contexts starts with a default configuration.

asa(config)# admin-context admin
Creating context 'admin'... Done. (13)
asa(config)# context admin
asa(config-ctx)# allocate-interface GigabitEthernet0/0.101
asa(config-ctx)# allocate-interface GigabitEthernet0/1.102
asa(config-ctx)# allocate-interface Management0/0
asa(config-ctx)# config-url disk0:/admin.cfg
Cryptochecksum (changed): 0c34dc67 f413ad74 e297464a db211681
INFO: Context admin was created with URL disk0:/admin.cfg
INFO: Admin context will take some time to come up .... please wait.
asa(config-ctx)#
asa(config-ctx)# context c2
Creating context 'c2'... Done. (14)
asa(config-ctx)# allocate-interface GigabitEthernet0/0.103
asa(config-ctx)# allocate-interface GigabitEthernet0/1.104
asa(config-ctx)# config-url disk0:/c2.cfg
WARNING: Could not fetch the URL disk0:/c2.cfg
INFO: Creating context with default config
asa(config-ctx)#
asa(config-ctx)# context c3
Creating context 'c3'... Done. (15)
asa(config-ctx)# allocate-interface g0/2
asa(config-ctx)# allocate-interface g0/3
asa(config-ctx)# config-url disk0:/c3.cfg
WARNING: Could not fetch the URL disk0:/c3.cfg
INFO: Creating context with default config
asa(config-ctx)#

Step 6 Assign virtual sensors to the security contexts. The second argument of allocate-ips is the mapped name under which the context sees the sensor (the admin context sees vs0 as adminvs0). A virtual sensor can be allocated to more than one context: here vs0 is shared by admin and c3, and vs1 by c2 and c3, so traffic sent to the IPS from those contexts is inspected under the same virtual sensor's policies.

asa(config)# context admin
asa(config-ctx)# allocate-ips vs0 adminvs0
asa(config-ctx)# exit
asa(config)# context c2
asa(config-ctx)# allocate-ips vs1 c2vs1
asa(config-ctx)# exit
asa(config)# context c3
asa(config-ctx)# allocate-ips vs0 c3vs0
asa(config-ctx)# allocate-ips vs1 c3vs1
asa(config-ctx)#
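The following script is an added example, not code from the Cisco guide or from Cisco. It audits the result of Steps 5 and 6 by parsing the system execution space running-config of an ASA in multiple context mode and reporting which virtual sensor each context sees and under what mapped name, then flagging any virtual sensor shared by more than one context. The sample configuration is constructed from the commands shown above. The parser also accepts the optional `default` keyword of `allocate-ips` (syntax `allocate-ips sensor_name [mapped_name] [default]`, which the captured session above does not use) and, where no mapped name is given, assumes the context sees the sensor's real name.

```python
"""Audit IPS virtual-sensor allocation across ASA security contexts.

Added example, not from the Cisco guide. Reads `context <name>` blocks and
their `allocate-ips` lines from a system execution space running-config.
"""
import re
from collections import defaultdict

# Constructed sample: the relevant part of `show running-config` in the
# system execution space after Steps 5 and 6 above.
SAMPLE_CONFIG = """\
mode multiple
admin-context admin
context admin
  allocate-interface GigabitEthernet0/0.101
  allocate-interface GigabitEthernet0/1.102
  allocate-interface Management0/0
  allocate-ips vs0 adminvs0
  config-url disk0:/admin.cfg
!
context c2
  allocate-interface GigabitEthernet0/0.103
  allocate-interface GigabitEthernet0/1.104
  allocate-ips vs1 c2vs1
  config-url disk0:/c2.cfg
!
context c3
  allocate-interface GigabitEthernet0/2
  allocate-interface GigabitEthernet0/3
  allocate-ips vs0 c3vs0
  allocate-ips vs1 c3vs1
  config-url disk0:/c3.cfg
!
"""

CONTEXT_RE = re.compile(r"^context\s+(\S+)$")


def parse_allocations(config_text):
    """Return {context: [(sensor, mapped_name, is_default), ...]} in config order.

    Only `allocate-ips` lines inside a `context <name>` block are read. Any
    unindented line ends the current block, so `mode multiple` and
    `admin-context admin` are ignored. Syntax assumed (ASA CLI):
    allocate-ips sensor_name [mapped_name] [default].
    """
    allocations = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            current = None                      # top-level command: leave the block
        match = CONTEXT_RE.match(line)
        if match:
            current = match.group(1)
            allocations.setdefault(current, [])
            continue
        tokens = line.split()
        if current is None or tokens[0] != "allocate-ips":
            continue
        args = tokens[1:]
        is_default = bool(args) and args[-1] == "default"
        if is_default:
            args = args[:-1]
        if not args:
            raise ValueError(f"context {current}: malformed line {line!r}")
        sensor = args[0]
        mapped = args[1] if len(args) > 1 else sensor   # assumption: real name visible
        allocations[current].append((sensor, mapped, is_default))
    return allocations


def shared_sensors(allocations):
    """Map each virtual sensor allocated to more than one context to those contexts."""
    contexts_by_sensor = defaultdict(set)
    for ctx, entries in allocations.items():
        for sensor, _mapped, _is_default in entries:
            contexts_by_sensor[sensor].add(ctx)
    return {s: sorted(c) for s, c in contexts_by_sensor.items() if len(c) > 1}


def default_conflicts(allocations):
    """Contexts that mark more than one sensor as default; a context has one default sensor."""
    return sorted(ctx for ctx, entries in allocations.items()
                  if sum(1 for _s, _m, is_default in entries if is_default) > 1)


if __name__ == "__main__":
    allocs = parse_allocations(SAMPLE_CONFIG)
    for ctx, entries in allocs.items():
        for sensor, mapped, is_default in entries:
            print(f"{ctx:6} sees {sensor} as {mapped}" + (" (default)" if is_default else ""))
    for sensor, ctxs in shared_sensors(allocs).items():
        print(f"WARNING: {sensor} is shared by contexts {', '.join(ctxs)}")
    for ctx in default_conflicts(allocs):
        print(f"ERROR: context {ctx} marks more than one sensor as default")
```

Run it against the output of `show running-config` captured in the system execution space; a shared sensor is not an error, but it is the one fact a reviewer of tenant separation needs from this page, since both contexts then send traffic to the same inspection policies.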

Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
18-8
OL-29168-01
Clearing Events from the Event Store 17-2317-24 Configuring the System ClockDisplaying the System Clock Sensor# show clock detailClearing the Denied Attackers List Manually Setting the System Clock17-25 17-26 Displaying Policy Lists 17-27Display the list of policies for signature definition Displaying StatisticsDisplay the list of policies for event action rules 17-28Administrative Tasks for the Sensor 17-2917-30 Display the statistics for anomaly detection Display the statistics for authenticationSensor# show statistics authentication 17-3117-32 Display the statistics for the Event ServerDisplay the statistics for the Event Store Sensor# show statistics event-server General17-33 Display the statistics for the hostShow statistics host 17-34 Display the statistics for the logging applicationDisplay the statistics for the ARC Sensor# show statistics logger17-35 17-36 17-37 17-38 Display the statistics for the web serverStatistics web-server 17-39 Sensor# show statistics logger clearDisplaying Tech Support Information Displaying Tech Support InformationVarlog Files 17-4017-41 Displaying Version InformationView version information Sensor# show versionView configuration information Cancel the output and get back to the CLI prompt17-42 Diagnosing Network Connectivity 17-43Following example shows a successful ping Resetting the ApplianceEnter yes to continue the reset Following example shows an unsuccessful pingEnter yes to continue with the reset and power down Displaying Command HistoryStop all applications and power down the appliance 17-4517-46 Displaying Hardware InventorySensor# show inventory 17-47 PID IPS-4360-PWR-AC17-48 Tracing the Route of an IP PacketDisplay the route of IP packet you are interested InventorySensor config# service network-access Displaying Submode SettingsShow the current configuration for ARC submode 17-4917-50 Show the ARC settings in terse mode 17-5117-52 Configuring the ASA 5500-X IPS SSP 18-1Configuration Sequence for the ASA 5500-X IPS 
SSP 18-2Confirm the information Verifying Initialization for the ASA 5500-X IPS SSPObtain the details about the ASA 5500-X IPS Ssps 18-3Creating Virtual Sensors Creating Virtual Sensors for the ASA 5500-X IPS SSPASA 5500-X IPS SSP and Virtualization 18-4Creating Virtual Sensors 18-5Sensorconfig-ana-vir#physical-interface PortChannel0/0 18-618-7 Assigning Virtual Sensors to ContextsAsa# show ips Assign virtual sensors to the security contexts Enter multiple modeAdd three context modes to multiple mode 18-8Confirm the configuration ASA 5500-X IPS SSP and Bypass ModeConfigure MPF for each context SensorApp FailsASA 5500-X IPS SSP and the Normalizer Engine SensorApp is Reconfigured18-10 ASA 5500-X IPS SSP and Memory Usage ASA 5500-X IPS SSP and Jumbo Packets18-11 Health and Status Information 18-12Asa-ips#debug module-boot 18-13Early reservations == bootmem 0000000000 18-1418-15 18-16 18-17 18-18 18-19 IRQTwo ASAs in Fail-Open Mode Single ASA in Fail-Open ModeSingle ASA in Fail-Close Mode ASA 5500-X IPS SSP Failover ScenariosConfiguration Examples New and Modified CommandsTwo ASAs in Fail-Close Mode 18-21Allocate-ips DefaultsFirewall Mode Security Context Multiple Command Mode Routed Single Context SystemExamples Command History Release ModificationRelated Commands Description 18-2318-24 ASA 5585-XIPS SSP Notes and Caveats 19-1Configuration Sequence for the ASA 5585-X IPS SSP 19-219-3 Verifying Initialization for the ASA 5585-X IPS SSPObtain the details about the ASA 5585-X IPS SSP Asa# show module 1 detailsASA 5585-X IPS SSP and Virtualization Creating Virtual Sensors for the ASA 5585-X IPS SSP19-4 ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence 19-5Virtual sensor that you create Command, for example sig1Example, rules1 19-619-7 Asaconfig-ctx# Config-url disk0/c2.cfg Asaconfig-ctx#19-8 19-9 ASA 5585-X IPS SSP and the Normalizer Engine ASA 5585-X IPS SSP and Bypass Mode19-10 ASA 5585-X IPS SSP and Jumbo Packets 19-11Ips-ssp#hardware-module module 1 recover 
configure 19-1219-13 Asa# hw-module module 1 resetModule 1 details Ips-ssp#hw-module module 1 recover configure 19-14Asaconfig# debug module-boot Traffic Flow Stopped on IPS Switchports19-15 Failover Scenarios 19-1619-17 19-18 Obtaining Cisco IPS Software IPS 7.2 File List20-1 Downloading Cisco IPS Software Enter your username and passwordIPS Software Versioning 20-2Service Pack Major UpdateMinor Update Patch ReleaseSignature Engine Update Signature Update20-4 Recovery and System Image Files 20-5IPS Software Release Examples 20-6Accessing IPS Documentation 20-7Cisco Security Intelligence Operations 20-8Upgrade Notes and Caveats 21-1Upgrades, Downgrades, and System Images 21-2IPS 7.21E4 Files Supported FTP and HTTP/HTTPS ServersUpgrading the Sensor 21-3Manually Upgrading the Sensor Upgrade Notes and Caveats21-4 Sensorconfig# upgrade url/IPS-SSP10-K9-7.2-1-E4.pkg Upgrade the sensorEnter the password when prompted Upgrading the SensorWorking With Upgrade Files 21-6Upgrading the Recovery Partition 21-7Enter the server password. 
The upgrade process begins Configuring Automatic UpgradesConfiguring Automatic Updates 21-821-9 Configuring Automatic Upgrades 21-10Exit automatic upgrade submode Specify the username for authenticationSpecify the password of the user 21-1121-12 Applying an Immediate UpdateSensor# autoupdatenow Sensor# show statistics hostDowngrading the Sensor Recovering the Application Partition21-13 Recover the application partition image Installing System ImagesRecovering the Application Partition Image Sensorconfig# recover application-partitionTftp Servers Connecting an Appliance to a Terminal Server21-15 Installing the System Image for the IPS 4345 and IPS 21-1621-17 PCI21-18 Assign the Tftp server IP addressIf necessary, assign the gateway IP address Rommon ping serverRommon Installing the System Image for the IPS 4510 and IPS21-19 21-20 If necessary, assign the Tftp server IP address 21-21Image the ASA 5500-X IPS SSP Installing the System Image for the ASA 5500-X IPS SSPPeriodically check the recovery until it is complete 21-22Installing the System Image for the ASA 5585-X IPS SSP 21-2321-24 Asa# hw-module module 1 recover boot Specify the default gateway of the ASA 5585-X IPS SSPTo enable debugging of the software installation process Leave the Vlan ID atInstalling the ASA 5585-X IPS SSP System Image Using Rommon 21-2621-27 Rommon #0 set21-28 21-29 21-30 Understanding the IPS System Architecture IPS System DesignFigure A-1illustrates the system design for IPS software System Applications Figure A-2 System Design for IPS 4500 Series SensorsAppendix a System Architecture System Applications Security Features For detailed information about SDEE, see SDEE, page A-33MainApp Responsibilities MainAppUnderstanding the MainApp ARCEvent Store Understanding the Event StoreTable A-1shows some examples Event Data StructuresStamp Value Meaning NotificationApp IPS EventsVlan CtlTransSource PEPAttack Response Controller Figure A-3Understanding the ARC Figure A-4illustrates the ARCARC 
Features Supported Blocking Devices Maintaining State Across Restarts ACLs and VACLsFwsm Connection-Based and Unconditional Blocking ScenarioTo clear all blocks Blocking with Cisco FirewallsTo unblock an IP address No shun ipBlocking with Catalyst Switches LoggerAuthenticating Users AuthenticationAppUnderstanding the AuthenticationApp Configuring Authentication on the SensorManaging TLS and SSH Trust Relationships SensorApp Web ServerUnderstanding the SensorApp Inline, Normalization, and Event Risk Rating Features SensorApp New Features Packet FlowSignature Event Action Processor CollaborationApp Update Components SwitchApp Error EventsCLI User RolesService Account CommunicationsIdapi Idconf Cisco IPS File Structure CideeApplication Description Using the IdapiSummary of Cisco IPS Applications CLIIME IDMJava applet that provides an Html IPS management interface EventsSignature Engines Understanding Signature EnginesAppendix B Signature Engines Understanding Signature Engines Appendix B Signature Engines Understanding Signature Engines Parameter Description Value Master EngineGeneral Parameters Signature-id Specifies the ID of this signatureSig-name Promiscuous Delta Obsoletes Alert FrequencyVulnerable OS List Event Actions Name Description \NNN AIC EngineTo Match Regular Expression AIC Engine and Sensor Performance Understanding the AIC EngineAIC Engine Parameters Alarm-on-non-http-traffic Parameter DescriptionTable B-6 AIC FTP Engine Parameters Atomic Engine Atomic ARP EngineAtomic IP Advanced Engine Isatap Atomic IP Advanced Engine RestrictionsString IPv6 Parameter Description Value OL-29168-01 IPV4 Icmp ID L4 Protocol ICMPv6L4 Protocol TCP and UDP OL-29168-01 Atomic IP Engine Parameter Description Value Appendix B Signature Engines OL-29168-01 Atomic IPv6 Engine Atomic IPv6 SignaturesFixed Engine Table B-11 Fixed TCP Engine Parameters Flood Engine Protocol Specifies which kind of traffic to inspect Meta EngineFlood Net Engine Parameters Component-list Specifies 
the Meta engine component Name1Multi String Engine Normalizer Engine TCP Normalization IP Fragmentation NormalizationIPv6 Fragments ASA IPS Modules and the Normalizer Engine Service Engines Understanding the Service Engines Service DNS EngineService FTP Engine Service Generic Engine Table B-20 Service Generic Engine Parameters Service H225 Engine ASN.1-PER SetupSetup TpktService Http Engine Crlfcrlf Service Ident Engine Service Msrpc Engine Smbcomtransaction Service Mssql Engine Service NTP Engine Service P2P Engine Service RPC EngineParameter Description Value Service SMB Advanced Engine Msrpc Uuid Service Snmp Engine Service SSH Engine Specify-object-id-EnablesService TNS Engine State Engine Table B-32lists the parameters specific to the State engine String Engines Table B-33 String Icmp Engine Parameters Table B-35 String UDP Engine String XL Engines Parameter Description Value Unsupported String XL Parameters Sweep Engine Sweep EnginesData Nodes Type Sweep Other TCP Engine Traffic Anomaly Engine Sweep Other TCP Engine ParametersSignature Traffic Icmp Engine Trojan Engines Troubleshooting Bug ToolkitUnderstanding Preventive Maintenance Preventive MaintenanceCreating and Using a Backup Configuration File Sensor# copy current-config backup-config Backing Up the Current Configuration to a Remote Server Creating the Service Account Disaster Recovery Password Recovery Security appliance IPS modules Command ASA 5500 series adaptive Adaptive security appliance CLIUsing Rommon Password-Reset issued for module ips Recovering the Password for the ASA 5585-X IPS SSP 0123 21E4 Disabling Password Recovery Verifying the State of Password Recovery Time Sources and the Sensor For the procedure for configuring NTP, see Configuring NTP,Synchronizing IPS Clocks with Parent Device Clocks Generate the host statistics Verifying the Sensor is Synchronized with the NTP ServerGenerate the hosts statistics again after a few minutes Advantages and Restrictions of Virtualization TFor More 
Information When to Disable Anomaly Detection To learn more about Worms, see Understanding Worms,Analysis Engine Not Responding Reboot the sensorCommand output Enter show tech-support and save the outputExternal Product Interfaces Issues External Product Interfaces Troubleshooting Tips Troubleshooting the ApplianceTroubleshooting Loose Connections Communication Problems Analysis Engine is BusyCannot Access the Sensor CLI Through Telnet or SSH More Correcting a Misconfigured Access List Sensor# show configuration include access-listDuplicate IP Address Shuts Interface Down Make sure the sensor cabling is correctSensorApp is Not Running SensorApp and AlertingMake sure the IP address is correct AnalysisEngine 20130410110072014 Release Physical Connectivity, SPAN, or Vacl Port Issue Unable to See Alerts Sensor# show interfacesCheck for alerts Make sure you have Produce Alert configuredSensor# show interfaces FastEthernet0/1 Sensor Not Seeing Packets Sensorconfig-int#physical-interfaces GigabitEthernet0/1Sensor# show interfaces GigabitEthernet0/1 Check to see that the interface is up and receiving packets Cleaning Up a Corrupted SensorApp ConfigurationExit the service account Log in to the sensor CLI Replace the virtual sensor fileBlocking Troubleshooting BlockingStart the IPS services Sensor# cids startVerifying the ARC is Running Sensor# show events error hhmmss month day year include nac If the ARC is not connecting, look for recurring errorsMake sure you have the latest software updates Sensor# show events error 000000 Apr 01 2011 include nacFor More Information Device Access Issues Verify the IP address for the managed devicesSensorname Sensor Management Time-Based Actions Host Blocks Start the manual block of the bogus host IP addressEnabling SSH Connections to the Network Device Blocking Not Occurring for a SignatureVerifying the Master Blocking Sensor Configuration Exit network access general submode Logging Enable debug logging for all zonesEnabling Debug 
Logging Exit master zone control Turn on individual zone controlView the zone names Protected entry zone-name nac Turn on debugging for a particular zone Exit the logger submodeTable C-2lists the debug logger zone names Zone NamesPress Enter to apply changes or type no to discard them Zone Name DescriptionDirecting cidLog Messages to SysLog TCP Reset Not Occurring for a Signature Make sure the correct alarms are being generated Software UpgradesUpgrading Error Sensor# show events alertWhich Updates to Apply and Their Prerequisites Issues With Automatic UpdateUpdating a Sensor with the Update Stored on the Sensor Cannot Launch the IDM Loading Java Applet Failed Troubleshooting the IDMClick the Advanced tab Cannot Launch the IDM-The Analysis Engine Busy Delete the temp files and clear the history in the browserTroubleshooting the IME Signatures Not Producing AlertsNot Supported Error Message Troubleshooting the ASA 5500-X IPS SSPTime Synchronization on IME and the Sensor Health and Status Information E1000 00000005.0 PCI INT a disabled 303 Appendix C Troubleshooting Usb CRS IRQ Failover Scenerios ASA 5500-X IPS SSP and the Normalizer Engine ASA 5500-X IPS SSP and Memory Usage ASA 5500-X IPS SSP and Jumbo PacketsTroubleshooting the ASA 5585-X IPS SSP Hw-module module 1 reset commandReset issued for module in slot Asa# show Mgmt IP addr 192.0.2.3 Failover Scenarios Traffic Flow Stopped on IPS Switchports ASA 5585-X IPS SSP and the Normalizer EngineGathering Information ASA 5585-X IPS SSP and Jumbo PacketsHealth and Network Security Information Tech Support InformationUnderstanding the show tech-support Command Displaying Tech Support InformationTech Support Command Output Sensor# show tech-support page System Status Report= No Version Information Understanding the show version CommandDisplaying Version Information Version 29.1 Platform IPS4360 Serial Number Service aaa Statistics Information Understanding the show statistics CommandDisplaying Statistics Percentage 
Thread Sec Min Average Inspection Stats Inspector Active Call Create Delete Display the statistics for anomaly detection Sensor# show statistics event-server Sensor# show statistics denied-attackersSensor# show statistics event-store Threat Multicast MTU1500 Metric1 Appendix C Troubleshooting Gathering Information Display the statistics for the notification application Name Current OL-29168-01 Sensor# show statistics web-server listener-443 Understanding the show interfaces Command Interfaces InformationInterfaces Command Output Displaying Interface Traffic HistoryAvg Load Peak Load GigabitEthernet0/1 Time Packets Received Bytes Received Mbps Events Information Sensor Events Understanding the show events CommandDisplaying Events Displaying Events 100 Clearing Events CidDump Script101 102 Uploading and Accessing Files on the Cisco FTP SiteEnter the following command Usr/cids/idsRoot/bin/cidDumpReason Command CLI Error MessagesURI Error Message Reason Command Been captured System that has not been upgradedPacket-file but no packet-file has User attempted to downgrade aLog in when the maximum number User attempted to cancel a CLIOperator or viewer user attempted to Initial login Administrator user attempted to log Initial loginAppendix D CLI Error Messages CLI Validation Error Messages Reason/LocationAdded to the virtual sensor entry physical Detection configuration file that is currently in useInterface and optional sub-interface being Interface set has already been assigned to anotherOL-29168-01 GL-1 To detect worm-infected hosts GL-2GL-3 Authoritative private key Certificate for one CA issued by another CAGL-4 GL-5 GL-6 To the transmit line and reads data from the receive line Dual In-line Memory ModulesA public outside network 802.1q to be usedGL-8 An ITU standard that governs H.245 endpoint control Procedures, and basic data transport methodsGL-9 GL-10 GL-11 GL-12 Detailed information about signatures Proprietary branchesGL-13 GL-14 GL-15 Quality and service 
availability GL-16GL-17 Analysis Engine Network devices. Used with the IDS MCUnauthorized activity GL-18GL-19 GL-20 Local system. Telnet is defined in RFC Authorization, and accountingNetwork asset through its IP address GL-21GL-22 Version identifier. Part of the UDI Through a switch. Also known as security ACLsRFC GL-23GL-24 Hosts Payload reassemblyGL-25 GL-26 AIC Http AIC FTPIN-1 IN-2 ARP NATTACACS+ IN-3SSP AsdmIN-4 Radius IN-5URL Cidee BO2KIN-6 Exec IN-7IN-8 IN-9 IN-10 CSA MC IN-11TFN IN-12AIC FTP AIC Http IN-13IN-14 IN-15 Idconf IdapiIN-16 ASA 5500-X IPS SSP ASA 5585-X IPS SSP IdiomIN-17 Tcpdump IN-18IPS SSP IN-19Loki SSHIN-20 Snmp IN-21IN-22 IN-23 IN-24 Http A-33 RTTSdee IN-25IN-26 IN-27 AIC IN-28Smtp Cidee Idconf Idiom SdeeIN-29 IN-30 TLS TACTFN2K IN-31BO2K Loki TFN2K IN-32Sensing process not running Upgrade commandSensor initialization Sensor setup Version display Viewer role privilegesIN-34

IPS4510K9 specifications

Cisco Systems has long been a leading player in network security, and its Intrusion Prevention System (IPS) series is a testament to its commitment to safeguarding digital environments. Among its notable offerings are the IPS4510K9 and IPS4520K9 models, both designed to provide advanced threat protection for mid-sized to large enterprise networks.

The Cisco IPS4510K9 and IPS4520K9 are distinguished by their cutting-edge features that help organizations defend against a myriad of cyber threats. These systems utilize a multi-layered approach to security, integrating intrusion prevention, advanced malware protection, and comprehensive visibility across the network.

One of the primary characteristics of the IPS4510K9 is its high performance. It boasts a throughput of up to 1 Gbps, making it suitable for environments that demand rapid data processing and real-time responses to threats. The IPS4520K9, on the other hand, enhances that capability with improved throughput of up to 2 Gbps, accommodating larger enterprises with heavier network traffic. These models are equipped with powerful processors that support complex signature matching and can intelligently distinguish between legitimate traffic and potential threats.

In addition to performance, both models are designed with scalability in mind. They can be easily integrated into existing Cisco infrastructures. This facilitates a seamless enhancement of security without causing significant interruptions to ongoing operations. Moreover, they offer flexible deployment options, allowing organizations to operate them inline or out of band depending on their specific needs.

The Cisco IPS4510K9 and IPS4520K9 leverage advanced detection technologies, utilizing a variety of signature types and heuristic analysis to detect known and unknown threats effectively. They are equipped with real-time alerting and reporting capabilities, giving security teams immediate visibility into potential breaches and enabling them to respond swiftly.

Furthermore, both models support a range of management options through the Cisco Security Manager, allowing for centralized administration, streamlined policy management, and enhanced monitoring capabilities. Automated updates ensure the systems remain current with the latest threat intelligence, vital for staying ahead of evolving cyber threats.

In summary, the Cisco Systems IPS4510K9 and IPS4520K9 represent powerful solutions for organizations seeking robust intrusion prevention capabilities. With their high performance, scalability, and advanced detection technologies, these systems are essential tools in the ever-changing landscape of cybersecurity, providing enterprises with the peace of mind needed to operate securely in today's digital world.