42-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 42 Configuring Attack Response Controller for Blocking and Rate Limiting
Understanding IPS Blocking
If ARC is managing a device and you need to change the ACLs or VACLs on that device, disable blocking
first. Otherwise you and ARC could both be changing the same device at the same time, which can cause
the device or ARC to fail. To modify the Pre-Block or Post-Block ACL/VACL, do the following:
1. Disable blocking on the sensor.
Because you are making a temporary change, you can disable and then reenable blocking by using
the IPS Device Manager (IDM) on the device. Alternatively, you can deselect the Enable Blocking
option on the General tab of the Blocking policy in Security Manager, then deploy the configuration
to the IPS sensor. To reenable blocking, select the Enable Blocking option again and deploy the
configuration to the IPS sensor.
2. Make the changes to the configuration of the device. For example, if you manage the blocking device
in Security Manager, deploy the updated configuration and wait for the device to reload.
3. Reenable blocking on the sensor.
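The same three steps typed directly on the sensor CLI, as an added example that is not part of this guide (the guide performs these steps through IDM or the Security Manager Blocking policy). The command names are recalled from the Cisco IPS CLI configuration guide and should be checked against the CLI reference for your sensor version; the sensor name is hypothetical, and lines beginning with ! are annotations, not commands:

```text
! Step 1: disable blocking on the sensor
sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)# general
sensor(config-net-gen)# block-enable false
sensor(config-net-gen)# exit
sensor(config-net)# exit
Apply Changes?[yes]: yes
sensor(config)# exit

! Step 2: edit the Pre-Block/Post-Block ACL on the managed device (or deploy the
! change from Security Manager) and wait for that change to complete.

! Step 3: reenable blocking
sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)# general
sensor(config-net-gen)# block-enable true
sensor(config-net-gen)# exit
sensor(config-net)# exit
Apply Changes?[yes]: yes
sensor(config)# exit

! Confirm that ARC is enabled again and has reconnected to its blocking devices
sensor# show statistics network-access
```

Disabling blocking this way changes only the running sensor configuration. Security Manager still holds the Enable Blocking option selected, so a later deployment from Security Manager reenables blocking; that is why the guide treats the CLI or IDM route as a temporary change.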
Understanding the Master Blocking Sensor
Multiple sensors (blocking forwarding sensors) can forward blocking requests to a specified master
blocking sensor, which controls one or more devices. The master blocking sensor is the ARC running on
a sensor that controls blocking on one or more devices on behalf of one or more other sensors. When a
signature fires that has blocking or rate limit requests configured as event actions, the sensor forwards
the block or rate limit request to the master blocking sensor, which then performs the block or rate limit.
When you add a master blocking sensor, you reduce the number of blocking devices per sensor. For
example, if you want to block on 10 firewalls and 10 routers with one blocking interface/direction each,
you can assign 10 to the sensor and assign the other 10 to a master blocking sensor.
You configure master blocking sensors on the Master Blocking Sensors tab of the Blocking policy, as
described in Blocking Page, page 42-8.
When configuring master blocking sensors, keep the following tips in mind:
• Two sensors cannot control blocking or rate limiting on the same device. If this situation is needed,
configure one sensor as the master blocking sensor to manage the devices, and have the other sensors
forward their requests to the master blocking sensor.
• On the blocking forwarding sensor, identify which remote host serves as the master blocking sensor;
on the master blocking sensor, add the blocking forwarding sensors to its access list using the
Allowed Hosts policy. See Identifying Allowed Hosts, page 35-7.
• If the master blocking sensor requires TLS for web connections, you must configure the ARC of the
blocking forwarding sensor to accept the X.509 certificate of the master blocking sensor remote
host. Sensors have TLS enabled by default, but you can change this option. Verify the certificate
fingerprint out of band before accepting it: the forwarding sensor sends its login credentials to
whichever host presents that certificate. For more information, see Master Blocking Sensor Dialog
Box, page 42-13.
• Typically the master blocking sensor is configured to manage the network devices. Blocking
forwarding sensors are not normally configured to manage other network devices, although doing
so is permissible.
• Only one sensor should control all blocking interfaces on a device.
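The relationship described in these tips, expressed as sensor CLI commands on both sides, as an added example that is not part of this guide (the guide configures the same settings through the Master Blocking Sensors tab of the Blocking policy and the Allowed Hosts policy). The command names are recalled from the Cisco IPS CLI configuration guide and should be checked against the CLI reference for your sensor version; the addresses 10.1.1.10 (master blocking sensor) and 10.1.1.20 (blocking forwarding sensor), the prompts, the user account arc and the fingerprint placeholders are hypothetical, and lines beginning with ! are annotations:

```text
! On the master blocking sensor (10.1.1.10): allow the forwarding sensor to connect.
! The account arc that the forwarding sensor logs in with must exist on this sensor.
master# configure terminal
master(config)# service host
master(config-hos)# network-settings
master(config-hos-net)# access-list 10.1.1.20/32
master(config-hos-net)# exit
master(config-hos)# exit
Apply Changes?[yes]: yes
master(config)# exit
! Record the master's certificate fingerprint to compare on the forwarding sensor
master# show tls fingerprint

! On the blocking forwarding sensor (10.1.1.20): accept the master's X.509 certificate.
! Answer yes only if the fingerprints match the ones shown by the master above.
fwd# configure terminal
fwd(config)# tls trusted-host ip-address 10.1.1.10 port 443
Certificate MD5 fingerprint is <fingerprint>
Certificate SHA1 fingerprint is <fingerprint>
Would you like to add this to the trusted certificate table for this host?[yes]: yes

! On the blocking forwarding sensor: point ARC at the master blocking sensor
fwd(config)# service network-access
fwd(config-net)# general
fwd(config-net-gen)# master-blocking-sensors 10.1.1.10
fwd(config-net-gen-mas)# username arc
fwd(config-net-gen-mas)# password
Enter password[]: ********
Re-enter password: ********
fwd(config-net-gen-mas)# port 443
fwd(config-net-gen-mas)# tls true
fwd(config-net-gen-mas)# exit
fwd(config-net-gen)# exit
fwd(config-net)# exit
Apply Changes?[yes]: yes
fwd(config)# exit

! Confirm from the forwarding sensor that the master is listed and reachable
fwd# show statistics network-access
```

Note the division of roles: only the master lists the routers and firewalls it blocks on, while the forwarding sensor lists only the master. Listing the same blocking device on both sensors would violate the first tip, since two sensors would then control blocking on that device.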