User Guide for Cisco Security Manager 4.4
OL-28826-01

CHAPTER 37
Configuring Virtual Sensors

All IPS devices and service modules have a base virtual sensor named vs0. When you configure the IPS
appliance or service module, you must configure the base vs0 sensor to assign interfaces to it. This
assignment tells the device which interfaces to inspect. There are also other settings that are configured
on virtual sensors.

In addition to the base vs0 virtual sensor, many IPS appliances and service modules allow you to create
user-defined virtual sensors. You can use these virtual sensors to create separate policies for traffic, so
that a single physical sensor can act as if it were multiple sensors. A virtual sensor is a logical grouping
of sensing interfaces and the configuration policy for the signature engines and event action filters to
apply.

This chapter contains the following topics:
• Understanding the Virtual Sensor
• Defining A Virtual Sensor
• Editing Policies for a Virtual Sensor
• Deleting A Virtual Sensor

Understanding the Virtual Sensor

The sensor can receive data inputs from one or many monitored data streams. These monitored data
streams can either be physical interface ports or virtual interface ports. For example, a single sensor can
monitor traffic from in front of the firewall, from behind the firewall, or from in front of and behind the
firewall concurrently. A single sensor can monitor one or more data streams. In this situation, a single
sensor policy or configuration is applied to all monitored data streams.

With virtual sensors, you can create separate policies to apply to specific traffic feeds. For example, if
you want to create a policy for a data center and a second much different policy for the campus network,
yet run both policies on the same hardware device, you can configure separate virtual sensors to
implement these policies.

You configure the following policies and settings separately for a virtual sensor:
• Signature and signature settings (policies in the IPS > Signatures folder).
• Event action policies (policies in the IPS > Event Actions folder).
• Anomaly detection policies (the IPS > Anomaly Detection policy) and the anomaly detection mode (in the Virtual Sensors policy).
• The promiscuous interfaces, inline interface pairs, inline VLAN pairs, inline VLAN groups, or promiscuous VLAN groups that the virtual sensor monitors.