Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 20 Configuring the ASA 5585-X IPS SSP
Creating Virtual Sensors for the ASA 5585-X IPS SSP
The ASA 5585-X IPS SSP has one sensing interface, PortChannel 0/0. When you create multiple virtual
sensors, you must assign this interface to only one virtual sensor. For the other virtual sensors you do
not need to designate an interface.
After you create virtual sensors, you must map them to a security context on the adaptive security
appliance using the allocate-ips command. You can map many security contexts to many virtual sensors.
Note The allocate-ips command does not apply to single mode. In this mode, the adaptive security appliance
accepts any virtual sensor named in a policy-map command.
The allocate-ips command adds a new entry to the security context database. A warning is issued if the
specified virtual sensor does not exist; however, the configuration is allowed. The configuration is
checked again when the service-policy command is processed. If the virtual sensor is still not valid at
that point, the fail-open policy is enforced: the traffic that the policy selects passes through the adaptive
security appliance without IPS inspection. Make sure that every virtual sensor name used in an allocate-ips
or policy-map command matches a virtual sensor that actually exists on the ASA 5585-X IPS SSP.
The ASA 5585-X IPS SSP Virtual Sensor Configuration Sequence
Follow this sequence to create virtual sensors on the ASA 5585-X IPS SSP, and to assign them to
adaptive security appliance contexts:
1. Configure up to four virtual sensors.
2. Assign the ASA 5585-X IPS SSP sensing interface (PortChannel 0/0) to one of the virtual sensors.
3. (Optional) Assign virtual sensors to different contexts on the adaptive security appliance.
4. Use MPF to direct traffic to the targeted virtual sensor.
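The sequence above, carried through on both the IPS SSP and the adaptive security appliance. This is an added walkthrough, not a configuration from the guide: the virtual sensor names vs1 and vs2, the context name dmz, the description text, and the access-list, class-map and policy-map names are assumptions chosen for the example; the command names and submodes are the ones the guide documents (virtual-sensor, physical-interface, allocate-ips, ips inline/promiscuous fail-close/fail-open). Steps 3 and 4 assume the adaptive security appliance is in multiple context mode; in single mode, skip allocate-ips and use the sensor name directly in the policy-map.

```cisco
! Step 1: create the virtual sensors on the ASA 5585-X IPS SSP (IPS CLI).
! vs0 already exists by default; vs1 and vs2 are added here (assumed names).
sensor# configure terminal
sensor(config)# service analysis-engine
sensor(config-ana)# virtual-sensor vs1
sensor(config-ana-vir)# description Inspects traffic from the dmz context (assumed text)
sensor(config-ana-vir)# signature-definition sig0
sensor(config-ana-vir)# event-action-rules rules0
sensor(config-ana-vir)# anomaly-detection
sensor(config-ana-vir-ano)# anomaly-detection-name ad0
! inactive keeps the AD policy attached without the performance cost of learn/detect;
! on 7.1(2)E4 and later AD must also be enabled globally before learn/detect takes effect.
sensor(config-ana-vir-ano)# operational-mode inactive
sensor(config-ana-vir-ano)# exit
! Step 2: the single sensing interface goes to exactly one virtual sensor.
sensor(config-ana-vir)# physical-interface PortChannel0/0
sensor(config-ana-vir)# exit
sensor(config-ana)# virtual-sensor vs2
sensor(config-ana-vir)# description Second sensor, no interface of its own (assumed text)
sensor(config-ana-vir)# signature-definition sig0
sensor(config-ana-vir)# event-action-rules rules0
sensor(config-ana-vir)# exit
sensor(config-ana)# exit
Apply Changes:?[yes]: yes
! Verify before touching the ASA: every name you will reference must appear here.
sensor# show statistics virtual-sensor

! Step 3 (multiple context mode): map the virtual sensor to a context from the system
! execution space. A typo here is only warned about, so re-check the name.
asa# changeto system
asa(config)# context dmz
asa(config-ctx)# allocate-ips vs1 dmz-ips default
asa(config-ctx)# exit

! Step 4: inside the context, use MPF to send traffic to the mapped sensor.
asa# changeto context dmz
asa/dmz(config)# access-list ips-traffic extended permit ip any any
asa/dmz(config)# class-map ips-class
asa/dmz(config-cmap)# match access-list ips-traffic
asa/dmz(config-cmap)# exit
asa/dmz(config)# policy-map ips-policy
asa/dmz(config-pmap)# class ips-class
! fail-close: if the SSP or the named sensor is unavailable, matched traffic is dropped
! rather than forwarded uninspected. Choose fail-open only where availability outranks
! inspection, and know that an invalid sensor name falls back to fail-open behavior.
asa/dmz(config-pmap-c)# ips inline fail-close sensor dmz-ips
asa/dmz(config-pmap-c)# exit
asa/dmz(config-pmap)# exit
asa/dmz(config)# service-policy ips-policy global
asa/dmz(config)# end
! Confirm the policy was accepted with the intended sensor and failure mode.
asa/dmz# show running-config policy-map
asa/dmz# show service-policy
```

If show service-policy reports the ips action but the sensor was never created on the SSP, the allocate-ips warning was the only signal you got; fix the virtual sensor name and reapply the service-policy, otherwise the traffic selected by ips-class is forwarded without inspection.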
Creating Virtual Sensors
Note You can create up to four virtual sensors.
Use the virtual-sensor name command in service analysis engine submode to create virtual sensors on
the ASA 5585-X IPS SSP. You assign policies (anomaly detection, event action rules, and signature
definition) to the virtual sensor. You can use the default policies, ad0, rules0, and sig0, or you can create
new policies. Then you assign the sensing interface, PortChannel 0/0 for the ASA 5585-X IPS SSP, to
one virtual sensor.
The following options apply:
anomaly-detection—Specifies the anomaly detection parameters:
anomaly-detection-name name—Specifies the name of the anomaly detection policy.
operational-mode—Specifies the anomaly detection mode (inactive, learn, detect).
Note Anomaly detection is disabled by default in IPS 7.1(2)E4 and later. You must enable it
to configure or apply an anomaly detection policy. Enabling anomaly detection results
in a decrease in performance.
description—Provides a description of the virtual sensor.
event-action-rules—Specifies the name of the event action rules policy.