User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 35 Getting Started with IPS Configuration
Step 9 If you use any of the Request Block or Request Rate Limit event actions, configure blocking or rate
limiting hosts. See Configuring IPS Blocking and Rate Limiting, page 42-7.
Step 10 Configure other desired advanced IPS services. See the following topics:
  • Chapter 41, “Configuring Global Correlation”
  • Configuring Anomaly Detection, page 40-6
Step 11 Maintain the device:
  • Update and redeploy configurations as necessary.
  • Apply updated signature and engine packages. For information about checking for updates, applying
    them, and setting up regular automated updates, see Managing IPS Updates, page 43-4.
  • Manage the device licenses. You can update and redeploy licenses, or automate license updates. For
    more information, see the following topics:
      - Updating IPS License Files, page 43-1
      - Redeploying IPS License Files, page 43-2
      - Automating IPS License File Updates, page 43-3
  • Manage the certificates required for SSL (HTTPS) communication. These certificates expire, so you
    need to regenerate them approximately every 2 years. For information on regenerating certificates
    and ensuring that the certificates defined on the device are synchronized with those stored in the
    Security Manager certificate store, see Managing IPS Certificates, page 43-10.
Step 12 Monitor the device:
  • Use the Event Viewer application to view alerts generated from the device. You can open Event
    Viewer from the Launch menu in Configuration Manager or Report Manager, or from the Windows
    Start menu.
      - For information on using Event Viewer, see Chapter 66, “Viewing Events”.
      - For an example of how to filter IPS alerts, see Removing False Positive IPS Events from the
        Event Table, page 66-58.
  • Use the Report Manager application to generate reports on IPS usage, including comparisons of
    inline vs. promiscuous mode, and global correlation vs. traditional inspection. You can also analyze
    top attackers, victims, signatures, blocked signatures, and perform target analysis. The following
    topics explain Report Manager and the IPS reports in more detail:
      - Chapter 67, “Managing Reports”
      - Understanding General IPS Reports, page 67-17
      - Understanding IPS Top Reports, page 67-16
      - Opening and Generating Reports, page 67-18
Identifying Allowed Hosts
Use the Allowed Hosts policy to identify which hosts or networks have permission to access the IPS
sensor. By default, no hosts are permitted to access a sensor, so you must add hosts or networks to this
policy.