The IPS with ASA5520 failover
We have a pair of 5520s defined as active/standby; both have an AIP-SSM.
The two AIPs are set to automatic update of the signature files, so that is not a problem, but what about active detection? The primary IPS will have seen a lot of traffic; how is the switch of the active IPS rule sets performed when the ASA fails over to the standby unit? Will I have 'holes' in my security from a lack of rule sets?
Hello
The IPS units are completely independent and don't sync anything without additional help (for example using Security Manager or similar).
Their auto-update being on is good, but you must also ensure that the config is replicated, so when you make a change on one you have to remember to make the same change on the other.
In normal operation the active IPS is passing traffic (and the standby one sees nothing), but when they flip, the previously idle IPS is suddenly in the active ASA. It doesn't know that the other IPS is out of action; it just sees the traffic, which it inspects according to its configuration.
HTH
Andrew.
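Because the two sensors do not replicate anything, the practical control is to compare their configurations before and after any change. The following is an added example, not code from the thread or from Cisco: a small drift checker over two constructed configuration dumps in a Cisco-IPS-like layout (the sample text, the per-device exclusion list and the hostnames/addresses are assumptions), which reports lines present on one module but missing on the other.

```python
"""Configuration drift check between two independently managed IPS modules.

Added example, not from the original post. The two dumps below are
constructed sample data laid out like an IPS CLI configuration; only the
host-name and host-ip lines are expected to differ between the members
of a failover pair, so they are excluded from the comparison.
"""
import re
from typing import Dict, Set

# Per-device identity settings that legitimately differ (assumed list).
PER_DEVICE = re.compile(r"^(host-name|host-ip)\b")

# Constructed sample: primary module has an event-action override that was
# never copied to the secondary.
PRIMARY = """\
service host
network-settings
host-ip 10.0.0.11/24,10.0.0.1
host-name ips-primary
exit
exit
service signature-definition sig0
signatures 2004 0
status
enabled true
retired false
exit
exit
exit
service event-action-rules rules0
overrides deny-packet-inline
override-item-status enabled
risk-rating-range 90-100
exit
exit
"""

SECONDARY = """\
service host
network-settings
host-ip 10.0.0.12/24,10.0.0.1
host-name ips-secondary
exit
exit
service signature-definition sig0
signatures 2004 0
status
enabled true
retired false
exit
exit
exit
service event-action-rules rules0
exit
"""


def normalize(config: str) -> Set[str]:
    """Return the set of meaningful lines: whitespace collapsed, block
    terminators, blanks, comments and per-device settings dropped.
    (A set loses ordering and nesting; good enough to spot missing lines.)"""
    lines: Set[str] = set()
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if not line or line == "exit" or line.startswith("!"):
            continue
        if PER_DEVICE.match(line):
            continue
        lines.add(line)
    return lines


def drift(primary: str, secondary: str) -> Dict[str, Set[str]]:
    """Lines that exist on only one of the two modules."""
    a, b = normalize(primary), normalize(secondary)
    return {"only_primary": a - b, "only_secondary": b - a}


def report(primary: str, secondary: str) -> str:
    """Human-readable summary; empty drift means the pair is in sync."""
    d = drift(primary, secondary)
    if not d["only_primary"] and not d["only_secondary"]:
        return "in sync"
    out = []
    for line in sorted(d["only_primary"]):
        out.append(f"- missing on secondary: {line}")
    for line in sorted(d["only_secondary"]):
        out.append(f"- missing on primary:   {line}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(PRIMARY, SECONDARY))
```

Run it against real dumps by replacing the two constants with the output saved from each module; anything listed under "missing on secondary" is exactly the protection the standby will lack after a failover.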
Tags: Cisco Security
Similar Questions
-
Discover all the IPs with vMotion VLAN ID
Dear,
Is it possible to find the active vMotion IP with its VLAN ID? I'm looking for a table like VMHost, IP, vMotion VLAN ID.
Thanks in advance.
Rajesh Bhuvanan
Try something like this
# One row per vMotion-enabled VMkernel adapter: host, port group, VLAN ID and IP
foreach ($esx in Get-VMHost) {
  foreach ($vmk in (Get-VMHostNetworkAdapter -VMHost $esx | where {$_.VMotionEnabled})) {
    Get-VirtualPortGroup -Name $vmk.PortGroupName -VMHost $esx |
      Select @{N='VMHost'; E={$vmk.VMHost.Name}}, @{N='PG'; E={$_.Name}}, VlanId, @{N='IP'; E={$vmk.IP}}
  }
}
Note that this will not display the VlanId for distributed switches.
-
We use an ASA 5510 with AIP-SSM-10, IPS version 6.0(3)E1, with a valid license agreement. Now we want to update to IPS version 6.1(1)E2; is that update possible? If so, guide me how, and also guide me or provide a link on how to make a backup beforehand.
Yes, I just did the same thing. You will need to download the upgrade with the .pkg extension (not the image file, which I kept trying to do). The file is IPS-K9-6.1-1-E2.pkg under Security Software, Software Updates.
Link:
http://www.Cisco.com/cgi-bin/tablebuild.pl/ips6
Once you have this file, put it on an FTP server, or place it on the local client you use to connect to the IPS with IDM. You will need to go to the sensor update in IDM, choose either the FTP or local update path, and point it to the file. The sensor reloads when done, but you don't need to restart the ASA. It takes about 5 minutes, and then you should be able to reconnect to your sensor with IDM.
Here is a useful link on the upgrade:
Here is a link to make a backup of the config:
I hope this helps!
Jason
-
Where can I get the license for the IPS module file?
We just bought an ASA 5515-X with the internal IPS module.
I registered the IPS with Cisco and got a license key.
However, the IPS module needs a license file (.lic).
I see nothing in the documentation or the instructions that came with the device about getting this file. I don't see anything on the Cisco licensing web page either.
can someone help me?
Try this
-
ASA with different failover module IPS
Hi all
Is it possible to configure ASA failover with different IPS module configurations? We have an ASA 5585-X with FirePOWER SSP-10 and an ASA 5585-X with IPS SSP-10.
Thank you
No.
Hardware inventories (base unit, memory and optional modules) must be the same in an ASA failover pair.
-
I can't discover a device ips with the CSM, the connectivity test failed!
Hello world
As I said, I can't discover my IPS unit with CSM; I get this message:
The connectivity test failed. Elapsed time: 0 seconds. Expired certificate expiry of the certificate by the device. Certificate of details he received the device: [[Version: V1 subject: CN = X.X.X.X, OR is SSM-IPS10, O is "Cisco Systems, Inc.", C = us Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 key: public module of 1024 bits Sun RSA key:]]
163313595958527341944117022920288114482504180720578005561064955313643774990976715676633248342066152083691325258722628818351428036183713571418359362172457378662626088225882179602799780417125413462000959388084832050518999958663965078068279649170934515615745020420256153072567949117948346991874191887565159544369
[public exponent: 65537 validity: [from: Tue Dec 07 10:42:59 THIS 2010, to: Fri Dec 07 10:42:59 HEC 2012] issuer: CN = X.X.X.X, OR is SSM-IPS10, O is "Cisco Systems, Inc.", C = SerialNumber us: [-XXXXXXX]] algorithm: [SHA1withRSA] Signature: 0000: E1 DF 3 a 84 EF E5 C8 F5 F8 EB D1 BA C8 55 54 61:... a... T.. U 0010: F8 E4 54 28 0F 0F DB F8 DB CA 0A 5F 63 B0 0E 0C. T. (..... _c 0020: 4 a 28 46 9th D0 B7 B9 F1 A7 B7 35 95 2 CA EB FD J (F...) 5,... 0030:03 32 D1 1A 13 DB B3 9B C9 E2 E6 22 04 D1 84 3 B. 2... ». ;.. 0040:4 4TH BD D2 E0 25 27 46 5F 1 D ED 39 EC 8F 38 BD MN...%'F_... 9.8 0050: BE ED E8 7 02 AE 62 92 89 66 86 BB B4 B6 FD 1F... b... f... 0060:6 46 27 2 4 b EF F8 C9 1F 81 29 82 C1 AB lF 5F 4F,'K... O..._)... 0070:06 33 0D EA THIS 3F 85 CC 2F 82 6 B 8 90 AND 8 B.3 D8 D6...? ... /...k... ] Please synchronize the time settings on the device and the server of the Security Manager and the time-out value of the certificate, and then generate a new certificate.
I already generated a new RSA key on the ASA FW (version 8.4); my connection is OK and so is my password. I discovered the ASA FW successfully but not the IPS module.
CSM version 4.3.0 service pack 2
Thank you for your help.
This is a common problem with IPS and is easily fixed.
The IPS uses a self-signed certificate to protect its TLS (Transport Layer Security) management channels. When an IPS is initialized, the self-signed certificate it generates is valid for two years. This certificate is separate from the ASA RSA key.
To regenerate, please see the procedure described here.
Do not forget to rate helpful answers and mark your question as answered when solved.
-
IPS with surveillance mode?
Hello
I just got a new ASA 5555-X with IPS and am planning the installation. However, how do I set it up so the IPS just runs in a monitoring mode, so I can tune it more easily before activating it?
Because even when running in promiscuous mode, active measures block traffic that I want to let through.
Thank you!
If the IPS is the FirePOWER module, see the installation guide:
http://www.Cisco.com/c/en/us/support/docs/security/ASA-firepower-service... You will need to use "monitor-only" to use it as an IDS instead of an IPS:
sfr fail-open monitor-only
-
Hi Netpros,
I want to implement an IPS solution in our company, as well as management software to manage the IPS sensors. What is the latest version of the Cisco management software I have to deploy? Will it be compatible with the IDS?
Thanks in advance.
You can implement Cisco VMS 2.3, which has the CiscoWorks Management Center for IDS Sensors.
For more information, please visit http://www.cisco.com/en/US/partner/products/sw/cscowork/ps2330/products_qanda_item09186a008009253c.shtml
It may be useful
Franco Zamora
-
Recover password of the IPS module (ASA)
Dear experts,
I have an ASA 5500 series with AIP SSM (IPS module), the username and password are lost.
According to cisco portal, there are two approaches to recover the password:
1. using the CLI command: hw-module module slot_number password-reset;
2. with the help of ASDM --> Tools --> 'IPS password reset'.
Not sure whether the two commands achieve the same result (recover the password) or may have different results (i.e. need to reset the module).
The device is in production; resetting the module is not preferred.
After checking information on the internet, it suggests resetting the IPS module. Will any problem occur if the IPS module is not reset?
Rgds
Anita
Hi Anita,
You can try using:
hw-module module slot_number password-reset
This will just reset the IPS to its default username/password:
Cisco and cisco
You can access the IPS from the ASA CLI:
session 1
Then type cisco and cisco (username/password)
For example, you could add a new password.
Don't forget to evaluate and select the right answer.
-
Problem to run the IPS of ASDM
Hi guys, I have an ASA 5520 ver 8.4 with an AIP-SSM-40 module. When I finished the configuration, I could ping from the ASA to the IPS module and from the IPS module to the ASA. I can ping from the IPS module to my PC and so on. The problem is when I try to launch IDM (IPS tab) from ASDM:
this error message appears in the GUI: "Error connecting to the sensor. Load sensor error." I have connected the management interface of the IPS to a switch, the ASA is connected to the same switch, and my PC is also connected to this switch, all in the same VLAN.
Can you help me with what I can do to solve it?
Thank you.
Hi Hugo,.
Please see the following link
https://supportforums.Cisco.com/thread/2092783
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00808908d5.shtml
Kind regards
Prashant
-
Hello
Is it possible to use the ASA with IPS module as a sensor only, with its external interface on a mirrored switch port?
Kind regards.
Volker
The external interface is for command and control only and cannot be used for monitoring.
The SSM is only able to monitor traffic passing through the ASA.
The ASA does not support connecting its ports to switch mirror ports either.
The closest you can get is to configure the ASA as transparent, with ACLs on each interface that allow all traffic, and then place the ASA between two of your existing devices. Then place a policy on the ASA to copy all packets to the SSM for promiscuous monitoring.
If you have another type of firewall in the existing installation, you can try placing the transparent ASA between, for example, your firewall and your DMZ switch.
All traffic would pass through the ASA and be copied to the SSM for promiscuous monitoring.
This mode could best be described as using the ASA as a simulated tap to send traffic to the SSM.
-
Just got an ASA with an SSM-20 module. I am trying to determine the latest revision of sensor software for the IPS module. V5.1(7)E1 has a date of October 18, 2007 and version 6.0(3)E1 has a date of June 28, 2007. Which is the latest version?
6.x is the latest version. What you're talking about are simply patch levels. It is certainly possible that versions 5.x and 6.x are both actively maintained (I have not been paying much attention to 5.x since moving to 6.x). The "most recent" release or patch is relative to the version of the software you are using. IOW, if 5.1(8)E1 is released tomorrow, 6.0(3)E1 is still the latest patch for customers running 6.x.
-
I am doing the initial setup of an ASA5510 with IPS. I can access the ASA with ASDM. But when I click on the IPS tab in ASDM, it retrieves the management IP address of the IPS, but finally says 'unable to connect'.
I tried changing the management IP using the CLI, still no luck.
Any ideas?
Hello
The SSM management interface must be connected to your local network. At the back of the ASA, where the AIP-SSM is plugged in, you will see a management interface. This management interface should have a cable to your local LAN switch or router. There must be LAN connectivity to the management interface so that the AIP-SSM can be found.
Please rate if this helps. :)
Kind regards
Sushil
-
IME for version 6.0 of the IPS
Hi, I am using the AIP-SSM-10 module in an ASA 5510.
My IPS version is 6.0(6) and I want to use IPS Manager Express (IME). I tried IME versions 6.1.1 and 7.0.2, but neither supports the current IPS version.
1. Please tell me which IME supports IPS version 6.0(6).
2. How do I upgrade my IPS 6.0 version to the current version or higher?
Please send me URL links.
1. IME version 7.0.2 supports IPS version 6.0.6 according to the IME 7.0.2 Readme:
http://www.Cisco.com/Web/software/282829584/28797/IME-7.0-2.Readme.txt
Only the new IME features, including the monitoring console, dashboard, integrated configuration and health, are supported solely on sensors running IPS version 6.1 or later. However, all the other features on IPS 6.0.6 are supported on IME 7.0.2.
2. You can upgrade the IPS directly to version 7.0(2)E4 using the upgrade package: IPS-K9-7.0-2-E4.pkg
Hope that helps.
-
Hello
We use the AIP-SSM-40, version 7.0(2)E4.
We send traffic from all interfaces to the IPS. When we test with signature 2004, we get no alarm.
the ASA configuration is as follows:
access-list inside_mpc extended permit ip any any
class-map inside-ips-class
 match access-list inside_mpc
policy-map inside-ips-policy
 class inside-ips-class
  ips inline fail-open
service-policy inside-ips-policy interface inside
on the AIP - SSM, the configuration is the following:
signatures 2004 0
 alert-severity high
 engine atomic-ip
  event-action produce-alert|produce-verbose-alert|deny-attacker-inline|deny-connection-inline|deny-packet-inline
  specify-l4-protocol yes
   l4-protocol icmp
    specify-icmp-type no
What should we do to get the alarm?
What do you mean by alarm? Do you mean that you are not able to see the events triggered by signature #2004?
Can you check what alert frequency is configured for this signature? The default is "Summarize" every 30 seconds. You can change the alert frequency to "Fire All" if you are using signature #2004 for testing.
In addition, you must send traffic across the ASA for the traffic to be inspected by the IPS.
Finally, I'm assuming you have already activated/assigned the virtual sensor (vs0) to the signature definition (sig0).
Hope that helps.