Cisco Systems IPS 7.1 Home Security System User Manual


 
11-7
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 11 Configuring External Product Interfaces
Adding External Product Interfaces and Posture ACLs
Step 8 (Optional) Allow the host posture information to be passed from the external product to the sensor.
sensor(config-ext-cis)# host-posture-settings
sensor(config-ext-cis-hos)# enabled yes
Note If you do not enable the host posture information, the host posture information received from a CSA MC is deleted.
Step 9 (Optional) Allow the host posture information from unreachable hosts to be passed from the external product to the sensor.
sensor(config-ext-cis-hos)# allow-unreachable-postures yes
Note A host is not reachable if the CSA MC cannot establish a connection with the host on any of the IP addresses in the host’s posture. This option is useful in filtering the postures whose IP addresses may not be visible to the IPS or may be duplicated across the network. This filter is most applicable in network topologies where hosts that are not reachable by the CSA MC are also not reachable by the IPS, for example if the IPS and the CSA MC are on the same network segment.
Step 10 Configure a posture ACL:
a. Add the posture ACL into the ACL list.
sensor(config-ext-cis-hos)# posture-acls insert name1 begin
sensor(config-ext-cis-hos-pos)#
Note Posture ACLs are network address ranges for which host postures are allowed or denied. Use posture ACLs to filter postures that have IP addresses that may not be visible to the IPS or may be duplicated across the network.
b. Enter the network address the posture ACL will use.
sensor(config-ext-cis-hos-pos)# network-address 192.0.2.0/24
c. Choose the action (deny or permit) the posture ACL will take.
sensor(config-ext-cis-hos-pos)# action permit
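The following added example models how the three settings from Steps 8 through 10 interact when host postures arrive from the CSA MC: the enabled flag (disabled means received postures are deleted), allow-unreachable-postures, and an ordered list of posture ACLs that permit or deny address ranges. It is illustration code written for this page, not Cisco's sensor software, and it makes several assumptions that the page does not state: posture ACLs are evaluated first-match in list order ("insert <name> begin" places an entry first), an address matched by no ACL is denied, and a posture survives filtering if at least one of its addresses is permitted. The CLI lines and host postures below are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PostureAcl:
    """One posture ACL: a network range plus the action (permit or deny) for postures in it."""
    name: str
    network: Optional[ipaddress.IPv4Network] = None  # may also hold an IPv6 network
    action: str = "permit"


@dataclass
class HostPosture:
    """A host posture as received from the CSA MC: the host's addresses and whether the MC reached it."""
    host_id: str
    addresses: List[str]
    reachable: bool = True


@dataclass
class HostPostureSettings:
    enabled: bool = False
    allow_unreachable_postures: bool = False
    posture_acls: List[PostureAcl] = field(default_factory=list)
    # Assumption: an address matched by no posture ACL is denied (the page does not state the default).
    default_action: str = "deny"


def apply_cli(settings: HostPostureSettings, lines: List[str]) -> HostPostureSettings:
    """Constructed parser for the host-posture-settings commands used in Steps 8-10 (not Cisco's parser).

    Prompts such as 'sensor(config-ext-cis-hos)# ' are stripped before tokenising.
    """
    current: Optional[PostureAcl] = None
    for raw in lines:
        tokens = raw.split("# ", 1)[-1].split()
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "enabled":
            settings.enabled = args[0] == "yes"
        elif cmd == "allow-unreachable-postures":
            settings.allow_unreachable_postures = args[0] == "yes"
        elif cmd == "posture-acls" and args[0] == "insert":
            current = PostureAcl(name=args[1])
            # 'begin' makes the new entry the first one evaluated; anything else appends (assumed 'end').
            if args[2] == "begin":
                settings.posture_acls.insert(0, current)
            else:
                settings.posture_acls.append(current)
        elif cmd == "network-address" and current is not None:
            current.network = ipaddress.ip_network(args[0], strict=False)
        elif cmd == "action" and current is not None:
            current.action = args[0]
        # 'host-posture-settings' and 'exit' only move between config sub-modes; nothing to record.
    return settings


def acl_action(settings: HostPostureSettings, ip: str) -> str:
    """Return the action for one address: the first posture ACL whose range contains it wins (assumed)."""
    addr = ipaddress.ip_address(ip)
    for acl in settings.posture_acls:
        if acl.network is not None and addr in acl.network:
            return acl.action
    return settings.default_action


def filter_postures(settings: HostPostureSettings, postures: List[HostPosture]) -> List[HostPosture]:
    """Apply the Step 8-10 settings to a batch of received postures and return the ones the sensor keeps."""
    if not settings.enabled:
        return []  # Step 8 note: with host posture information disabled, received postures are deleted.
    kept = []
    for p in postures:
        if not p.reachable and not settings.allow_unreachable_postures:
            continue  # Step 9: postures of hosts the CSA MC could not reach are dropped unless allowed.
        permitted = [ip for ip in p.addresses if acl_action(settings, ip) == "permit"]
        if permitted:  # assumption: keep the posture with only its permitted addresses
            kept.append(HostPosture(p.host_id, permitted, p.reachable))
    return kept


# Constructed sample configuration in the manual's own command syntax. A second ACL denying
# 192.0.2.128/25 is inserted at 'begin', so it is evaluated before the broader permit.
SAMPLE_CLI = [
    "sensor(config-ext-cis)# host-posture-settings",
    "sensor(config-ext-cis-hos)# enabled yes",
    "sensor(config-ext-cis-hos)# allow-unreachable-postures no",
    "sensor(config-ext-cis-hos)# posture-acls insert name1 begin",
    "sensor(config-ext-cis-hos-pos)# network-address 192.0.2.0/24",
    "sensor(config-ext-cis-hos-pos)# action permit",
    "sensor(config-ext-cis-hos-pos)# exit",
    "sensor(config-ext-cis-hos)# posture-acls insert name2 begin",
    "sensor(config-ext-cis-hos-pos)# network-address 192.0.2.128/25",
    "sensor(config-ext-cis-hos-pos)# action deny",
    "sensor(config-ext-cis-hos-pos)# exit",
]

# Constructed postures: one in the permitted range, one in the denied sub-range, one with a
# mix of unmatched and permitted addresses, and one from a host the CSA MC could not reach.
SAMPLE_POSTURES = [
    HostPosture("h1", ["192.0.2.10"]),
    HostPosture("h2", ["192.0.2.200"]),
    HostPosture("h3", ["10.0.0.5", "192.0.2.20"]),
    HostPosture("h4", ["192.0.2.30"], reachable=False),
]


def run_example(allow_unreachable: bool = False) -> dict:
    """Build settings from SAMPLE_CLI, optionally allow unreachable postures, and filter SAMPLE_POSTURES."""
    settings = apply_cli(HostPostureSettings(), SAMPLE_CLI)
    settings.allow_unreachable_postures = allow_unreachable
    return {p.host_id: p.addresses for p in filter_postures(settings, SAMPLE_POSTURES)}


if __name__ == "__main__":
    print(run_example())                        # h2 denied, h4 dropped as unreachable
    print(run_example(allow_unreachable=True))  # h4 now retained
```

Running the module shows the effect of each setting: with the defaults above only h1 and h3 survive (h3 reduced to its single permitted address), and enabling allow-unreachable-postures brings h4 back without changing the ACL outcome for h2.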
Step 11 Verify the settings.
sensor(config-ext-cis-hos-pos)# exit
sensor(config-ext-cis-hos)# exit
sensor(config-ext-cis)# exit
sensor(config-ext)# show settings
cisco-security-agents-mc-settings (min: 0, max: 2, current: 1)
-----------------------------------------------
ip-address: 209.165.200.225
-----------------------------------------------
interface-type: extended-sdee <protected>
enabled: yes default: yes
url: /csamc50/sdee-server <protected>
port: 80 default: 443
use-ssl
-----------------------------------------------
always-yes: yes <protected>
-----------------------------------------------