AIP SSM and virtual devices

I just installed an AIP SSM module in an ASA 5520 with a single security context.

Do I need to configure virtual sensors in this case, or can I use the default vs0? The IPS documentation says "You cannot change the signature definition, event action rules or anomaly detection policies" for the default virtual sensor (vs0), which is the only virtual sensor I have.

Can someone clarify what this means? Does it somehow restrict the usefulness of the IPS if I do not set up a separate VS?

Thank you very much.

A single virtual sensor vs0 is perfectly fine, especially when monitoring only a single security context.

The statement "cannot change the signature definition, event action rules or anomaly detection policies" can be a little misleading.

What it is trying to say is that you cannot create new policies such as sig1, rules1 and ad1 and try to apply them to vs0. The default vs0 must use sig0, rules0 and ad0.

If you create a new vs1, then you can apply new policies like sig1, rules1 and ad1 to that new vs1.

This does NOT mean that you cannot make configuration changes in sig0, rules0 and ad0.

So feel free to make configuration changes to sig0, rules0 and ad0 to fine-tune how your vs0 should handle the traffic.

It's just the policy names that cannot be changed when you use vs0.

Tags: Cisco Security

Similar Questions

  • AIP-SSM clock question

    We have configured our AIP-SSM and synchronized it with our NTP servers. "show clock" shows the correct time in the CLI:

    sensor# show clock
    16:42:35 GMT+05:30 Sunday, March 28, 2010

    sensor# show clock detail
    16:53:25 GMT+05:30 Sunday, March 28, 2010
    Time source is NTP

    But the time shown in the "last update" tab is UTC. Even in my case the logs are updated with UTC time information only. I have set the time zone correctly.

    Do I need to configure something else to update the timestamp in the event log?

    In the second version of the IPS software, a new "sensor time" column has been added to the event viewer.

  • Do I need two AIP-SSM modules if I'm configuring failover?

    Is it possible to use a single AIP-SSM module in two ASAs configured in active/standby?

    I would like to configure the module in the first ASA with the failover setting. Then, if the first ASA fails, I could physically remove the AIP-SSM module and place it in the second ASA.

    Would there be problems configuring it this way?

    Would the active/standby ASAs complain that there is only one AIP-SSM module?

    Thanks in advance.

    Hello

    You must have an AIP-SSM in both ASAs in order to be able to run failover; without it, failover will not come up (because of a hardware mismatch).

    Kind regards

    Julio

  • AIP-SSM re-image in secondary ASA 5500 (failover) with virtual contexts

    Hello guys,

    The scenario is as follows:

    2 ASA 5500s with virtual contexts for failover.

    The primary ASA has a working AIP-SSM-20.

    The secondary ASA (which is in active/standby) now needs its AIP-SSM-20 working, and everything is in production.

    Someone tried to configure this 2nd AIP-SSM, changed the password and lost it, so I tried to re-image it (password recovery is not permitted), but the connection to the TFTP server where the AIP-SSM image is located fails.

    Now the questions: the Cisco re-imaging documentation shows the commands under ASA#,

    but as this scenario has several virtual contexts, the ASA# shell (system context) has no IP address, as you know (which I suppose is why the ASA cannot download the image from the TFTP server), and when switching to another context (ASA/admin#) the re-imaging commands (hw-module module 1 ... etc.) do not work.

    What is the solution? Is there documentation for this (with security contexts)?

    Thank you very much for reading ;) and for commenting on possible solutions.

    Yes,

    Some things to keep in mind.

    (1) Run 'debug module-boot' on the ASA before running the "hw-module module 1 recover boot" command. This will show you the SSM's ROMMON output as it tries to load the new image, and you can look for any errors.

    (2) Before trying the download from the SSM, first do a TFTP download from your laptop using a separate machine. This will ensure that TFTP on your laptop works and confirm what directory (if any) you need to use as the file location.

    (3) If the TFTP download does not work from the SSM, then the SSM is unable to connect properly to your laptop. You need a crossover cable to connect your laptop directly to the SSM. If you don't have a crossover cable, then you could try connecting the SSM and your laptop to a small hub, or configure a new VLAN on your switch with only 2 ports and connect the SSM and your laptop to this 2-port VLAN.

    (4) Also try the download first with the gateway set to 0.0.0.0, since your laptop and the SSM will be on the same subnet. If this does not work, then you can try a non-existent address such as 30.0.0.4 as the gateway.

    (5) Understand that the IP address you specify for the SSM using the "hw-module module 1 recover configure" command is only temporary, for the download. Once an image is installed, session to the module and run the "setup" command to configure the permanent address you want on the external port of the SSM. The address in "setup" can be the same as the one used in the "hw-module module 1 recover configure" command or a completely new one (as in your case). Just make sure that you connect it to the right network for whatever address you give it.

  • Cisco ACE IPS and Cisco ASA AIP-SSM (IPS)

    Is there a difference between the features offered by the Cisco ACE IPS and Cisco ASA AIP-SSM (IPS) devices?

    Can we do without the Cisco ASA AIP-SSM (IPS) by configuring/implementing 'only' the Cisco ACE IPS?

    Cisco AVS/ACE focuses on delivering and securing web-based applications. IPS does not focus only on web applications and tries to cover multiple layers of the OSI stack. Think of the IPS as a general practitioner and the ACE/AVS as an eye surgeon, or something like that :)

    Here is the response from Cisco itself:

    http://www.Cisco.com/en/us/prod/collateral/modules/ps2706/ps6906/prod_qas0900aecd8045867c_ps6492_Products_Q_and_A_Item.html

    Q: How does the Cisco AVS application firewall differ from an intrusion prevention system (IPS)?

    A. IPSs are solid solutions for protecting against targeted attacks on known vulnerabilities in major platforms such as Windows, Solaris, Apache or Microsoft Internet Information Services (IIS). Cisco AVS excels at protecting against targeted attacks on Web sites or enterprise applications. These applications can be custom-built internal applications or vendor software. Signatures and security patches are generally not available for these types of applications, and building these security layers into each application would be almost impossible.

    Q: How does the Cisco AVS application firewall differ from a network firewall?

    A. The Cisco AVS 3120 and network firewalls such as the Cisco PIX® Firewall and Cisco ASA 5500 Series Adaptive Security Appliances are complementary products. The Cisco AVS application firewall secures Web applications; the network firewall excels at network security, and the Cisco AVS provides defense in depth for Web applications.

    Network firewalls apply policy to networks, IP addresses and ports; they have a wide range of application-layer features for many different protocols. Firewalls can and will be deployed in many locations, including the edge, the enterprise network edge, branches, etc. Cisco AVS enforces policy on HTTP data such as URLs, headers and parameters. Cisco AVS is deployed in the data center in front of Web applications.

    Concerning

    Farrukh

  • New deployment with ASA and AIP-SSM module

    Hi guys and girls,

    I'm thinking of deploying an ASA with an AIP-SSM IPS module at my perimeter. I'm going to use Cisco IPS Manager Express (IME) to monitor the IPS and to monitor the ASA. I have no plans to deploy an IDS appliance.

    Question: Is IME designed to send notifications about threats? What are some of the configurations in your network? (Just curious with the last question.)

    THX...

    IME is designed only for IPS monitoring (whether it is an IPS appliance, an AIP-SSM module on an ASA or another IPS module). IME is not capable of monitoring the ASA.

    IME can provide notifications by email about events that fire on the IPS, while the IPS itself cannot. IME can also keep all the events triggered by the IPS, while the IPS buffer is small enough that if you have huge numbers of events, the buffer gets overwritten pretty quickly.

    Here is more information about IME, if you are interested:

    http://www.Cisco.com/en/us/products/ps9610/index.html

  • ASA5510 and AIP-SSM-10 module in promiscuous mode

    Hello

    I have an ASA 5510 with the AIP-SSM-10 and want to use it just as an IDS in promiscuous mode.

    ASA 5510: ASA version 7.0(8)

    AIP-SSM-10: IPS version 5.0000 E2

    At this point, we would like to configure a single ASA interface to send traffic to the AIP-SSM for IDS inspection (and continue to use our existing third-party firewalls). Is this possible?

    The following discussion suggests that it isn't:

    https://supportforums.Cisco.com/message/957351

    I have 22.1.100.2/28 configured on interface Eth0/0 (outside) and 10.5.100.3/24 on the AIP-SSM management interface, and the switch ports (Cisco 6509) have been configured as SPAN.

    Thanks in advance for your advice.

    Kind regards

    Lay

    You are right. Unfortunately, the AIP module on the ASA firewall does not listen to SPAN traffic. If you want to use SPAN ports, then you can use the IPS appliance (IPS 4200 series appliance), which supports inspecting SPAN traffic.

    PIX is also a firewall, not an IPS feature, and cannot be used as an IPS device.

  • Question on the CSC-SSM and AIP-SSM modules in the ASA5500

    Is it true that the CSC-SSM and AIP-SSM modules cannot coexist in the ASA5500 device at the same time?

    Another question: the Cisco site covers using the intra-interface command keyword for NON-IPSEC TRAFFIC; is there a config example?

    It is true that the CSC-SSM and AIP-SSM modules cannot coexist in the ASA5500 device at the same time.

    There is no sample configuration on the site yet. However, apart from the same-security command, you need an ordinary translation rule to pass the traffic. Also, because of its dynamic nature, it allows only one-way traffic. For example:

    nat (inside) 10 192.168.1.0 255.255.255.0

    global (inside) 10 interface

    global (outside) 10 interface (not required, however)

    Sincerely,

    ~ AJ

  • What are the differences between IPS, AIP-SSC and AIP-SSM?

    Dear all,

    I'm not clear about the IPS, AIP-SSC and AIP-SSM modules; how are they different?

    So when can we use IPS?

    When do we use the AIP-SSC?

    When can we use the AIP-SSM?

    So are IPS, AIP-SSC and AIP-SSM different hardware or the same hardware?

    Best regards

    Rechard

    AIP-SSM is the IPS module for the ASA firewall.

    IPS is available in different flavors:

    - IPS 4200 series appliance

    - AIP-SSM - IPS module for the ASA firewall

    - IDSM-2 - IPS module for the 6500 series switch

    - AIM-IPS - IPS card for IOS routers

    Please rate and mark the post as useful.

  • NTP, Windows Server and AIP-SSM

    We use a Windows-based server as the NTP server. But I need the NTP key ID and key value to configure NTP on the AIP-SSM. How do you find this information or bypass it? Or is it possible to set the clock without using an NTP server? I disabled the NTP service, hoping that it would use the firewall clock, but it didn't.

    Kind regards

    Your offset must be -360.

    The offset is in minutes rather than hours. Right now you are saying that CDT is only 6 MINUTES from GMT, when what you want is -6 HOURS, i.e. -360 minutes.

    offset -360

  • AIP-SSM-10 and syslog

    I have an ASA5520 with AIP-SSM-10, and I want to send messages from the IPS sensor to an external syslog server. I'm not able to find out how to configure this.

    Thank you for any hint.

    As of now, SSM modules cannot be configured to send events as syslog to a syslog server. You can send these events to event viewers or to Security Monitor.

    Kind regards

    Maryse.

  • Automatic update of AIP-SSM-10 and ASA 5510 (Beginner)

    I see that it is possible to automate the updates of the ASA 5510 and AIP-SSM via FTP from my own server. Is it possible to automate the download directly from Cisco.com?

    Thank you!

    Jeremy

    Jeremy, as far as the Cisco products are concerned, the answer to your question is no. So I wrote a PERL app that does exactly that, and I published an article about it in the June 2007 issue of Sys Admin magazine. Here's the article online: http://www.samag.com/documents/s=10128/sam0706a/0706a.htm

    And it is also on my site, with a tar of the scripts:

    http://www.LHB-consulting.com/pages/apps/index.html

    Good luck.

    -Lisa

  • Hardware and signature support for the AIP-SSM-10

    We have a 5510 for which we bought an AIP-SSM-10 card; the ASA is already covered by a support contract. We now want to add hardware maintenance for the new AIP-SSM-10 card as well as signature updates. Our Cisco provider has confirmed that we will receive signature updates with the hardware support (we have been trying to get a response from them since June or July now).

    Could someone let us know what the correct part number is, so we can ask for the specific option that covers both the hardware and the signature updates.

    I think what you need is:

    CON-SU1-AS1A1PK9 IPS, NBD SVC, AR ASA5510-AIP10SP-K9

    Cisco SMARTnet support

  • AIP-SSM-10 and testing

    In my lab, I have a new 5510 with an AIP-SSM card.

    I believe it is configured correctly to inspect traffic, but I can't be sure.

    This is part of the ASA configuration:

    class-map global-class
     match any
    class-map inspection_default
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default
      inspect ftp, etc.
     class global-class
      ips inline fail-open
    service-policy global_policy global

    I have a PC connected to a switch, going to the ASA (inside interface).

    The ASA outside interface goes to a separate VLAN on the switch.

    Both interfaces have VLANs configured.

    Is there a ping command, or other traffic I can generate from the PC, that will trigger an alert?

    I tried pings to a bogus address, but that did not cause an event.

    How will I know if the traffic actually crosses the IPS?

    Thank you.

    Hello Jimmy

    Class-map: global-class
     IPS: card status Up, mode inline fail-open
      packet input 0, packet output 0, drop 0, reset-drop 0

    No packets are getting to the IPS module.

    Have you assigned the interface to virtual sensor 0 on the AIP-SSM side?

  • (ASA) AIP-SSM-10 inline; promiscuous events?

    An ASA 5520 with AIP-SSM-10 is set to inline mode, but the sensor's events for the past 2 hours (sensor> sh events past 02:00) show "entered promiscuous mode" and "left promiscuous mode".

    This AIP-SSM-10 has only gig0/0 and gig0/1, where 0/0 is out of service and the default virtual sensor (vs0) is assigned to gig0/1. I see statistics (sensor> sh statistics analysis-engine) for gig0/1, so I am collecting statistics.

    If the ASA 5520 configuration has the following inline policy and the event log shows entering and leaving promiscuous mode, how do I verify that I am inspecting/dropping in inline mode?

    (ASA> sh run access-list IPS)

    access-list IPS extended permit ip DMZ 255.255.255.0 26.26.1.0 255.255.255.0

    (ASA> sh run | b class-map)

    class-map IPS
     match access-list IPS
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect waas
      inspect icmp
     class IPS
      ips inline fail-open
    !
    service-policy global_policy global

    (sensor> sh interfaces)

    ...

    MAC statistics from interface GigabitEthernet0/1
       Interface function = Sensing interface
       Description =
       Media Type = backplane
       Default Vlan = 0
       Inline Mode = Unpaired
       Pair Status = N/A
       Hardware Bypass Capable = No
       Hardware Bypass Paired = N/A
       Link Status = Up
       Link Speed = Auto_1000
       Link Duplex = Auto_Full
       Missed Packet Percentage = 0
       Total Packets Received = 95044
       Total Bytes Received = 8715230
       Total Multicast Packets Received = 0
       Total Broadcast Packets Received = 0
       Total Jumbo Packets Received = 0
       Total Undersize Packets Received = 0
       Total Receive Errors = 0
       Total Receive FIFO Overruns = 0
       Total Packets Transmitted = 95044
       Total Bytes Transmitted = 9047702
       Total Multicast Packets Transmitted = 0
       Total Broadcast Packets Transmitted = 0
       Total Jumbo Packets Transmitted = 0
       Total Undersize Packets Transmitted = 0
       Total Transmit Errors = 0
       Total Transmit FIFO Overruns = 0

    sensor> sh events past 02:00

    evStatus: eventId=1203360411830836145 vendor=Cisco
      originator:
        hostId: ASA2_IPS
        appName: kernel
        appInstanceId:
      time: 2008-02-20 19:01:46 2008/02/20 19:01:46 UTC
      syslogMessage:
        description: device ge0_1 entered promiscuous mode

    evStatus: eventId=1203360411830836146 vendor=Cisco
      originator:
        hostId: ASA2_IPS
        appName: kernel
        appInstanceId:
      time: 2008-02-20 19:01:53 2008/02/20 19:01:53 UTC
      syslogMessage:
        description: device ge0_1 left promiscuous mode

    The "entered promiscuous mode" and "left promiscuous mode" status events are usually generated when you run a "packet display" or "packet capture" command on the sensor CLI.

    The packet command monitors promiscuously, but it is independent of the promiscuous or inline monitoring done by the sensor's analysis engine.

    So you can have inline monitoring by the sensor's analysis engine,

    and still run the packet command on the CLI for your own promiscuous monitoring of those same packets. These are 2 independent monitors of the same packets.

    If I remember right, inline-monitored packets always get sent back to the ASA (unless explicitly denied), which is not the case for promiscuously monitored packets. So check the sensor's gig0/1 interface statistics and the transmit packet count. If the receive and transmit counts are fairly close, then the packets are being monitored inline by the analysis engine. If the transmit count is zero or very low, then the packets are likely being monitored promiscuously.

    With your ASA configuration, you are correctly configured for inline monitoring.

    So I think you are monitoring inline, and the status messages are specific to your starting and stopping of the 'packet' command on the CLI for your own independent promiscuous viewing of the packets.
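The Rx/Tx heuristic in the answer above, and the zero-counter check from the "Hello Jimmy" reply earlier on this page, as an added example that is not part of the original thread or of any Cisco tool. It parses the sensor's "show interfaces" output and the ASA's "show service-policy" output and gives a verdict. The sample outputs are constructed to match the shape of what was posted; the field names are the sensor's, but the function names and the 5% tolerance are this example's own assumptions.

```python
"""Added example (not from the thread): is the AIP-SSM really inspecting inline?

Sensor side: in inline mode every packet received on the backplane sensing
interface is transmitted back to the ASA, so Rx and Tx counts stay close;
in promiscuous mode Tx stays at (or near) zero.
ASA side: if the 'ips' counters in 'show service-policy' are all zero,
nothing is reaching the module at all, whatever the sensor says.
"""
import re

# Constructed sample outputs, shaped like the ones posted in the thread.
SENSOR_SHOW_INTERFACES = """\
MAC statistics from interface GigabitEthernet0/1
   Interface function = Sensing interface
   Media Type = backplane
   Inline Mode = Unpaired
   Link Status = Up
   Total Packets Received = 95044
   Total Bytes Received = 8715230
   Total Packets Transmitted = 95044
   Total Bytes Transmitted = 9047702
MAC statistics from interface GigabitEthernet0/0
   Interface function = Sensing interface
   Media Type = backplane
   Link Status = Down
   Total Packets Received = 0
   Total Packets Transmitted = 0
"""

ASA_POLICY_WITH_TRAFFIC = """\
Global policy:
  Service-policy: global_policy
    Class-map: IPS
      IPS: card status Up, mode inline fail-open
        packet input 95044, packet output 95044, drop 0, reset-drop 0
"""

ASA_POLICY_NO_TRAFFIC = """\
Global policy:
  Service-policy: global_policy
    Class-map: global-class
      IPS: card status Up, mode inline fail-open
        packet input 0, packet output 0, drop 0, reset-drop 0
"""


def parse_sensor_interfaces(text):
    """Map each interface in 'show interfaces' output to its 'key = value' fields."""
    stats, current = {}, None
    for line in text.splitlines():
        m = re.match(r"MAC statistics from interface (\S+)", line)
        if m:
            current = m.group(1)
            stats[current] = {}
            continue
        m = re.match(r"\s*([A-Za-z ]+?)\s*=\s*(.*)$", line)
        if m and current is not None:
            value = m.group(2).strip()
            stats[current][m.group(1).strip()] = int(value) if value.isdigit() else value
    return stats


def classify_sensing_mode(iface_stats, tolerance=0.05):
    """Apply the Rx/Tx heuristic to one interface's counters (tolerance is an assumption).

    inline      -> Tx within `tolerance` of Rx (packets are handed back to the ASA)
    promiscuous -> traffic received but Tx zero or very low (nothing handed back)
    no-traffic  -> nothing received at all (check the ASA service-policy instead)
    """
    rx = iface_stats.get("Total Packets Received", 0)
    tx = iface_stats.get("Total Packets Transmitted", 0)
    if rx == 0:
        return "no-traffic"
    if tx / rx < tolerance:
        return "promiscuous"
    if abs(rx - tx) / rx <= tolerance:
        return "inline"
    return "indeterminate"


def parse_asa_ips_policy(text):
    """Pull the IPS card status, mode and packet counters out of 'show service-policy'."""
    mode = re.search(r"IPS: card status (\S+), mode (.+)$", text, re.M)
    counters = re.search(
        r"packet input (\d+), packet output (\d+), drop (\d+), reset-drop (\d+)", text)
    if not mode or not counters:
        raise ValueError("no IPS action found in service-policy output")
    return {"card_status": mode.group(1), "mode": mode.group(2).strip(),
            "input": int(counters.group(1)), "output": int(counters.group(2)),
            "drop": int(counters.group(3)), "reset_drop": int(counters.group(4))}


def check_inline_inspection(sensor_text, asa_text, iface="GigabitEthernet0/1"):
    """Combine both sides into one verdict: traffic reaches the module AND it is inline."""
    asa = parse_asa_ips_policy(asa_text)
    sensing = classify_sensing_mode(parse_sensor_interfaces(sensor_text).get(iface, {}))
    asa_sends_traffic = asa["input"] > 0
    return {"asa_mode": asa["mode"], "asa_sends_traffic": asa_sends_traffic,
            "sensor_mode": sensing,
            "inspecting_inline": bool(asa_sends_traffic and sensing == "inline"
                                      and asa["mode"].startswith("inline"))}


if __name__ == "__main__":
    print(check_inline_inspection(SENSOR_SHOW_INTERFACES, ASA_POLICY_WITH_TRAFFIC))
    print(check_inline_inspection(SENSOR_SHOW_INTERFACES, ASA_POLICY_NO_TRAFFIC))
```

Paste real "show interfaces" and "show service-policy" output into the two strings; the first verdict corresponds to the counters posted in this thread, the second to the all-zero counters from the lab question earlier on the page, where the sensor statistics alone would say nothing.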
