Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 14 Configuring Attack Response Controller for Blocking and Rate Limiting
Configuring the Sensor to be a Master Blocking Sensor
Caution Two sensors cannot control blocking or rate limiting on the same device. If more than one sensor
needs to block on a device, configure one sensor as the master blocking sensor to manage the devices, and
have the other sensors forward their requests to the master blocking sensor.
When you add a master blocking sensor, you reduce the number of blocking devices per sensor. For
example, if you want to block on 10 firewalls and 10 routers with one blocking interface/direction each,
you can assign 10 to the sensor and assign the other 10 to a master blocking sensor.
On the blocking forwarding sensor, identify which remote host serves as the master blocking sensor; on
the master blocking sensor you must add the blocking forwarding sensors to its access list.
If the master blocking sensor requires TLS for web connections, you must configure the ARC of the
blocking forwarding sensor to accept the X.509 certificate of the master blocking sensor remote host.
Sensors by default have TLS enabled, but you can change this option.
Note Typically the master blocking sensor is configured to manage the network devices. Blocking forwarding
sensors are not normally configured to manage other network devices, although doing so is permissible.
Even if you have no devices configured for blocking or rate limiting, a sensor that is configured for
blocking or rate limiting can forward blocking and rate limiting requests to a master blocking sensor.
When a signature fires that has blocking or rate limit requests configured as event actions, the sensor
forwards the block or rate limit request to the master blocking sensor, which then performs the block or
rate limit.
Caution Only one sensor should control all blocking interfaces on a device.
Use the master-blocking-sensors master_blocking_sensor_ip_address command in the service
network-access submode to configure a master blocking sensor. The following options apply:
master_blocking_sensor_ip_address—Specifies the IP address of the master blocking sensor to which block requests are forwarded.
password—Specifies the password of the account on the master blocking sensor that is used to forward block requests.
port—Specifies the web server port on the master blocking sensor to which block requests are forwarded.
tls {true | false}—Set to true if the master blocking sensor requires TLS; otherwise, set to false.
username—Specifies the name of the account on the master blocking sensor that is used to forward block requests.
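The following CLI session is an added example and is not taken from this guide. It puts the pieces described above together on both sensors: the master blocking sensor admits the blocking forwarding sensor to its access list and confirms its TLS setting and port; the blocking forwarding sensor then trusts the master's X.509 certificate and points its ARC at the master. The hostnames (mbs, fwd), the addresses 10.0.0.10 and 10.0.0.20, the account name mbsuser, and the exact wording of the interactive prompts and show-settings output are assumptions; the master-blocking-sensors command is entered in the general submode under service network-access, which is where this example assumes it lives. Lines beginning with "!" are annotations, not sensor commands.

```cisco
! Constructed example; addresses, hostnames and account name are assumptions.
!   master blocking sensor  = mbs, 10.0.0.10
!   blocking forwarding sensor = fwd, 10.0.0.20

! --- On the master blocking sensor: admit the forwarding sensor ---
mbs# configure terminal
mbs(config)# service host
mbs(config-hos)# network-settings
mbs(config-hos-net)# access-list 10.0.0.20/32
mbs(config-hos-net)# exit
mbs(config-hos)# exit
Apply Changes:?[yes]: yes

! --- On the master blocking sensor: does it require TLS, and on which port? ---
mbs(config)# service web-server
mbs(config-web)# show settings
   enable-tls: true default: true
   port: 443 default: 443
mbs(config-web)# exit
! Record the certificate fingerprint so it can be checked from the other side.
mbs(config)# exit
mbs# show tls fingerprint

! --- On the blocking forwarding sensor: trust the master's certificate ---
fwd# configure terminal
fwd(config)# tls trusted-host ip-address 10.0.0.10 port 443
! The sensor prints the fingerprint of the certificate it received. Only
! answer yes if it matches the fingerprint shown by "show tls fingerprint"
! on mbs; accepting an unverified certificate defeats the point of TLS here.
Would you like to add this to the trusted certificate table for this host?[yes]: yes

! --- On the blocking forwarding sensor: forward blocks to the master ---
fwd(config)# service network-access
fwd(config-net)# general
fwd(config-net-gen)# master-blocking-sensors 10.0.0.10
fwd(config-net-gen-mas)# password
Enter password[]: ********
Re-enter password[]: ********
fwd(config-net-gen-mas)# port 443
fwd(config-net-gen-mas)# tls true
fwd(config-net-gen-mas)# username mbsuser
fwd(config-net-gen-mas)# exit
fwd(config-net-gen)# exit
fwd(config-net)# exit
Apply Changes:?[yes]: yes

! --- Verify from the forwarding sensor that ARC knows the master ---
fwd# show statistics network-access
```

Two points a practitioner should check before relying on this: the account given with username and password must exist on the master blocking sensor with sufficient privilege to request blocks, so create a dedicated account for this purpose rather than reusing the administrator login; and the forwarding sensor's address must appear in the master's access list, otherwise the master's web server rejects the connection and block requests silently never arrive.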
Configuring the Master Blocking Sensor
To configure ARC on a sensor to forward blocks to a master blocking sensor, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges on both the master blocking sensor and
the blocking forwarding sensor.
Step 2 Enter configuration mode on both sensors.
sensor# configure terminal
Step 3 Configure TLS if necessary:
a. On the master blocking sensor, check to see if it requires TLS and what port number is used. If
enable-tls is true, go to Step b.
sensor(config)# service web-server