User Guide for Cisco Security Manager 4.4
Chapter 42 Configuring Attack Response Controller for Blocking and Rate Limiting
Configuring IPS Blocking and Rate Limiting
If you use the Request Block Host, Request Block Connection, or Request Rate Limit actions on any
signatures, or add them to events using the event action override policy, you must configure blocking
devices. If you do not use these actions, there is no need to configure blocking devices.
Before you configure blocking, read the following topics:
• Understanding IPS Blocking, page 42-1
• Strategies for Applying Blocks, page 42-3
• Understanding Rate Limiting, page 42-4
• Understanding Router and Switch Blocking Devices, page 42-4
• Understanding the Master Blocking Sensor, page 42-6
Step 1 Do one of the following:
• (Device view) Select Platform > Security > Blocking from the Policy selector.
• (Policy view) Select IPS > Platform > Security > Blocking, then select an existing policy or create
a new one.
For an overview of the blocking policy, see Blocking Page, page 42-8.
Step 2 On the General tab, change any settings where you want non-default values. However, the default values
are appropriate for most networks. For detailed information about the settings, see General Tab, IPS
Blocking Policy, page 42-10.
Step 3 Click the User Profiles tab and create the user profiles that are required to log in to the blocking devices.
• To add a profile, click the Add Row button and fill in the Add User Profile dialog box (see User
Profile Dialog Box, page 42-12).
• To edit a profile, select it and click the Edit Row button.
• To delete a profile, select it and click the Delete Row button. Before you delete a profile, ensure that
it is not currently being used by a blocking device.
Step 4 If you need to use a master blocking sensor, as described in Understanding the Master Blocking Sensor,
page 42-6, click the Master Blocking Sensors tab and do the following:
• To add a master blocking sensor, click the Add Row button and fill in the Add Master Blocking
Sensor dialog box (see Master Blocking Sensor Dialog Box, page 42-13).
• To edit a master blocking sensor, select it and click the Edit Row button.
• To delete a master blocking sensor, select it and click the Delete Row button.
Step 5 Identify the blocking devices (unless you will use master blocking sensors only). You must add the
devices to the correct tab:
• Routers tab—For all Cisco IOS Software devices, including Catalyst 6500 switches that are running
IOS Software.
• Firewalls tab—For ASA, PIX, and FWSM.
• Catalyst 6K tab—For Catalyst 6500/7600 devices that are running the Catalyst operating system.
On each tab, the configuration steps are the same:
• To add a device, click the Add Row button and fill in the Add Router, Firewall, or Cat6K Device
dialog box (see Router, Firewall, Cat6K Device Dialog Box, page 42-14).