Basic Sensor Setup
You can perform basic sensor setup using the setup command, and then finish setting up the sensor using the CLI, IDM, or IME. To perform basic sensor setup using the setup command, follow these steps:
Step 1
Log in to the sensor using an account with administrator privileges.
Note Both the default username and password are cisco.
Step 2 The first time you log in to the sensor you are prompted to change the default password. Passwords must be at least eight characters long and be strong, that is, not be a dictionary word. After you change the password, basic setup begins.
Step 3 Enter the setup command. The System Configuration Dialog is displayed.
Step 4 Specify the hostname. The hostname is a case-sensitive character string up to 64 characters. Numbers, “_” and “-” are valid, but spaces are not acceptable. The default is sensor.
Step 5 Specify the IP interface. The IP interface is in the form of IP Address/Netmask,Gateway: X.X.X.X/nn , Y.Y.Y.Y , where X.X.X.X specifies the sensor IP address as a 32-bit address written as 4 octets separated by periods, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default gateway as a 32-bit address written as 4 octets separated by periods.
Step 6 Enter yes to modify the network access list:
a. If you want to delete an entry, enter the number of the entry and press Enter , or press Enter to get to the Permit line.
b. Enter the IP address and netmask of the network you want to add to the access list.
Note For example, 10.0.0.0/8 permits all IP addresses on the 10.0.0.0 network (10.0.0.0-10.255.255.255) and 10.1.1.0/24 permits only the IP addresses on the 10.1.1.0 subnet (10.1.1.0-10.1.1.255). If you want to permit access to a single IP address than the entire network, use a 32-bit netmask. For example, 10.1.1.1/32 permits just the 10.1.1.1 address.
c. Repeat Step b until you have added all networks that you want to add to the access list, and then press Enter at a blank permit line to go to the next step.
Step 7 You must configure a DNS server or an HTTP proxy server for global correlation to operate:
a. Enter yes to add a DNS server, and then enter the DNS server IP address.
b. Enter yes to add an HTTP proxy server, and then enter the HTTP proxy server IP address and port number.
Caution You must have a valid sensor license for
global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.
Step 8 Enter yes to modify the system clock settings:
a. Enter yes to modify summertime settings.
Note Summertime is also known as DST. If your location does not use Summertime, go to Step m.
b. Enter yes to choose the USA summertime defaults, or enter no and choose recurring, date, or disable to specify how you want to configure summertime settings. The default is recurring.
c. If you chose recurring, specify the month you want to start summertime settings. Valid entries are january, february, march, april, may, june, july, august, september, october, november, and december. The default is march.
d. Specify the week you want to start summertime settings. Valid entries are first, second, third, fourth, fifth, and last. The default is second.
e. Specify the day you want to start summertime settings. Valid entries are sunday, monday, tuesday, wednesday, thursday, friday, and saturday. The default is sunday.
f. Specify the time you want to start summertime settings. The default is 02:00:00.
Note The default recurring summertime parameters are correct for time zones in the United States. The default values specify a start time of 2:00 a.m. on the second Sunday in March, and a stop time of 2:00 a.m. on the first Sunday in November. The default summertime offset is 60 minutes.
g. Specify the month you want summertime settings to end. Valid entries are january, february, march, april, may, june, july, august, september, october, november, and december. The default is november.
h. Specify the week you want the summertime settings to end. Valid entries are first, second, third, fourth, fifth, and last. The default is first.
i. Specify the day you want the summertime settings to end. Valid entries are sunday, monday, tuesday, wednesday, thursday, friday, and saturday. The default is sunday.
j. Specify the time you want summertime settings to end. The default is 02:00:00.
k. Specify the DST zone. The zone name is a character string up to 24 characters long in the pattern [A-Za-z0-9()+:,_/-]+$.
l. Specify the summertime offset. Specify the summertime offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian). The default is 60.
m. Enter yes to modify the system time zone.
n. Specify the standard time zone name. The zone name is a character string up to 24 characters long.
o. Specify the standard time zone offset. Specify the standard time zone offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian). The default is 0.
p. Enter yes if you want to use NTP. To use authenticated NTP, you need the NTP server IP address, the NTP key ID, and the NTP key value. If you do not have those at this time, you can configure NTP later. Otherwise, you can choose unauthenticated NTP.
Step 9 Enter off , partial , or full to participate in the SensorBase Network Participation:
- Off—No data is contributed to the SensorBase Network.
- Partial—Data is contributed to the SensorBase Network, but data considered potentially sensitive is filtered out and never sent.
- Full—All data is contributed to the SensorBase Network except the attacker/victim IP addresses that you exclude.
The SensorBase Network Participation disclaimer appears. It explains what is involved in participating in the SensorBase Network.
Step 10 Enter yes to participate in the SensorBase Network.
The following configuration was entered.
host-ip 192.168.1.2/24, 192.168.1.1
dns-primary-server enabled
dns-secondary-server disabled
dns-tertiary-server disabled
standard-time-zone-name CST
summertime-option recurring
ntp-keys 1 md5-key 8675309
ntp-servers 10.10.1.2 key-id 1
service global-correlation
network-participation full
[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.
Step 11 Enter 2 to save the configuration (or 3 to continue with advanced setup using the CLI).
Enter your selection[2]: 2
Step 12 If you changed the time setting, enter yes to reboot the sensor.
For More Information
For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software.
Advanced Setup
This section describes how to continue with Advanced Setup in the CLI, and contains the following sections:
IPS Appliance Advanced Setup
Note The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.1(4) and later].
Note Anomaly detection is disabled by default in IPS 7.1(2)E4 and later. You must enable it to configure or apply an anomaly detection policy. Enabling anomaly detection results in a decrease in performance.
Note Adding new subinterfaces is a two-step process. You first organize the interfaces when you edit the virtual sensor configuration. You then choose which interfaces and subinterfaces are assigned to which virtual sensors.
The interfaces change according to the appliance model, but the prompts are the same for all models. To continue with advanced setup for the appliance, follow these steps:
Step 1
Log in to the appliance using an account with administrator privileges.
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled. Valid for IPS 7.1(8)E4 and later.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note If you change the web server port, you must specify the port in the URL address of your browser when you connect to the IDM in the following format: https://
appliance_ip_address:port
(for example, https://10.1.9.201:1040
).
Note The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration and to see the current interface configuration.
Current interface configuration
Command control: Management0/0
Event Action Rules: rules0
Signature Definitions: sig0
Event Action Rules: rules0
Signature Definitions: sig0
Event Action Rules: rules0
Signature Definitions: sig0
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Step 8 Enter 1 to edit the interface configuration.
Note The following options let you create and delete interfaces. You assign the interfaces to virtual sensors in the virtual sensor configuration. If you are using promiscuous mode for your interfaces and are not subdividing them by VLAN, no additional configuration is necessary.
[1] Remove interface configurations.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
Step 9 Enter 2 to add inline VLAN pairs and display the list of available interfaces.
Caution The new VLAN pair is not automatically added to a virtual sensor.
Step 10 Enter 1 to add an inline VLAN pair to GigabitEthernet 0/0, for example.
Inline Vlan Pairs for GigabitEthernet0/0
Step 11 Enter a subinterface number and description.
Description[Created via setup by user asmith]:
Step 12 Enter numbers for VLAN 1 and 2.
Step 13 Press Enter to return to the available interfaces menu.
Note Entering a carriage return at a prompt without a value returns you to the previous menu.
Note At this point, you can configure another interface, for example, GigabitEthernet 0/1, for inline VLAN pair.
Step 14 Press Enter to return to the top-level interface editing menu.
[1] Remove interface configurations.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
Step 15 Enter 4 to add an inline interface pair and see these options.
Step 16 Enter the pair name, description, and which interfaces you want to pair.
Description[Created via setup by user asmith:
Interface1[]: GigabitEthernet0/1
Interface2[]: GigabitEthernet0/2
Step 17 Press Enter to return to the top-level interface editing menu.
[1] Remove interface configurations.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
Step 18 Press Enter to return to the top-level editing menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Step 19 Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Step 20 Enter 2 to modify the virtual sensor configuration, vs0.
Event Action Rules: rules0
Signature Definitions: sig0
[3] GigabitEthernet0/0:1 (Vlans: 200, 300)
[4] newPair (GigabitEthernet0/1, GigabitEthernet0/2)
Step 21 Enter 3 to add inline VLAN pair GigabitEthernet0/0:1.
Step 22 Enter 4 to add inline interface pair NewPair.
Step 23 Press Enter to return to the top-level virtual sensor menu.
Event Action Rules: rules0
Signature Definitions: sig0
GigabitEthernet0/0:1 (Vlans: 200, 300)
newPair (GigabitEthernet0/1, GigabitEthernet0/2)
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option: GigabitEthernet0/1, GigabitEthernet0/2)
Step 24 Press Enter to return to the top-level interface and virtual sensor configuration menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Step 25 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Virtual sensor vs0 is configured to prevent high risk threats in inline mode.(Risk Rating 90-100)
Do you want to disable automatic threat prevention on all virtual sensors?[no]:
Step 26 Enter yes to disable automatic threat prevention on all virtual sensors.
Step 27 Press Enter to exit the interface and virtual sensor configuration.
The following configuration was entered.
host-ip 192.168.1.2/24,192.168.1.1
standard-time-zone-name UTC
summertime-option disabled
physical-interfaces GigabitEthernet0/0
subinterface-type inline-vlan-pair
description Created via setup by user asmith
physical-interfaces GigabitEthernet0/1
physical-interfaces GigabitEthernet0/2
physical-interfaces GigabitEthernet0/0
inline-interfaces newPair
description Created via setup by user asmith
interface1 GigabitEthernet0/1
interface2 GigabitEthernet0/2
description Created via setup by user cisco
signature-definition newSig
event-action-rules rules0
anomaly-detection-name ad0
operational-mode inactive
physical-interface GigabitEthernet0/0
physical-interface GigabitEthernet0/0 subinterface-number 1
logical-interface newPair
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Disabled
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 28 Enter 2 to save the configuration.
Enter your selection[2]: 2
Step 29 Reboot the appliance.
Warning: Executing this command will stop all applications and reboot the node.
Step 30 Enter yes to continue the reboot.
Step 31 Apply the most recent service pack and signature update. You are now ready to configure your appliance for intrusion prevention.
For More Information
ASA 5500 AIP SSM Advanced Setup
Note Anomaly detection is disabled by default in IPS 7.1(2)E4 and later. You must enable it to configure or apply an anomaly detection policy. Enabling anomaly detection results in a decrease in performance.
To continue with advanced setup for the ASA 5500 AIP SSM, follow these steps:
Step 1
Session in to the ASA 5500 AIP SSM using an account with administrator privileges.
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled. Valid for IPS 7.1(8)E4 and later.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note If you change the web server port, you must specify the port in the URL address of your browser when you connect to IDM. Use the following format: https://
aip_ssm_ip_address:port
(for example, https://10.1.9.201:1040
).
Note The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration.
Current interface configuration
Command control: Management0/0
Event Action Rules: rules0
Signature Definitions: sig0
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Step 8 Enter 1 to edit the interface configuration.
Note You do not need to configure interfaces on the ASA 5500 AIP SSM. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5500 AIP SSM than for other sensors.
[1] Modify interface default-vlan.
Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Step 10 Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Step 11 Enter 2 to modify the virtual sensor vs0 configuration.
Event Action Rules: rules0
Signature Definitions: sig0
Step 12 Enter 1 to add GigabitEthernet 0/1 to virtual sensor vs0.
Note Multiple virtual sensors are supported. The adaptive security appliance can direct packets to specific virtual sensors or can send packets to be monitored by a default virtual sensor. The default virtual sensor is the virtual sensor to which you assign GigabitEthernet 0/1. We recommend that you assign GigabitEthernet 0/1 to vs0, but you can assign it to another virtual sensor if you want to.
Step 13 Press Enter to return to the main virtual sensor menu.
Step 14 Enter 3 to create a virtual sensor.
Step 15 Enter a name and description for your virtual sensor.
Description[Created via setup by user cisco]: New Sensor
Anomaly Detection Configuration
[2] Create a new anomaly detection configuration
Step 16 Enter 1 to use the existing anomaly detection configuration, ad0.
Signature Definition Configuration
[2] Create a new signature definition configuration
Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig .
Event Action Rules Configuration
[2] Create a new event action rules configuration
Step 19 Enter 1 to use the existing event-action-rules configuration, rules0.
Note If GigabitEthernet 0/1 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
Event Action Rules: rules0
Signature Definitions: newSig
[1] Remove virtual sensor.
[2] Modify "newVs" virtual sensor configuration.
[3] Modify "vs0" virtual sensor configuration.
[4] Create new virtual sensor.
Step 20 Press Enter to exit the interface and virtual sensor configuration menu.
Modify default threat prevention settings?[no]:
Step 21 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Virtual sensor vs0 is configured to prevent high risk threats in inline mode.(Risk Rating 90-100)
Do you want to disable automatic threat prevention on all virtual sensors?[no]:
Step 22 Enter yes to disable automatic threat prevention on all virtual sensors.
The following configuration was entered.
host-ip 10.1.9.201/24,10.1.9.1
standard-time-zone-name UTC
summertime-option disabled
signature-definition newSig
event-action-rules rules0
anomaly-detection-name ad0
physical-interfaces GigabitEthernet0/1
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Disabled
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 23 Enter 2 to save the configuration.
Enter your selection[2]: 2
Step 24 Reboot the ASA 5500 AIP SSM.
Warning: Executing this command will stop all applications and reboot the node.
Step 25 Enter yes to continue the reboot.
Step 26 After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).
aip-ssm# show tls fingerprint
MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
Step 27 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when using HTTPS to connect to this ASA 5500 AIP SSM with a web browser.
Step 28 Apply the most recent service pack and signature update. You are now ready to configure your ASA 5500 AIP SSM for intrusion prevention.
For More Information
ASA 5500-X IPS SSP Advanced Setup
Note Anomaly detection is disabled by default in IPS 7.1(2)E4 and later. You must enable it to configure or apply an anomaly detection policy. Enabling anomaly detection results in a decrease in performance.
To continue with advanced setup for the ASA 5500-X IPS SSP, follow these steps:
Step 1
Session in to the IPS using an account with administrator privileges.
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled. Valid for IPS 7.1(8)E4 and later.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note If you change the web server port, you must specify the port in the URL address of your browser when you connect to the IDM. Use the following format: https://
ips_ssp_ip_address:port
(for example, https://10.1.9.201:1040
).
Note The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration.
Current interface configuration
Command control: Management0/0
Event Action Rules: rules0
Signature Definitions: sig0
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Step 8 Enter 1 to edit the interface configuration.
Note You do not need to configure interfaces on the ASA 5500-X IPS SSP. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5500-X IPS SSP than for other sensors.
[1] Modify interface default-vlan.
Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Step 10 Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Step 11 Enter 2 to modify the virtual sensor vs0 configuration.
Event Action Rules: rules0
Signature Definitions: sig0
Step 12 Enter 1 to add PortChannel 0/0 to virtual sensor vs0.
Note Multiple virtual sensors are supported. The adaptive security appliance can direct packets to specific virtual sensors or can send packets to be monitored by a default virtual sensor. The default virtual sensor is the virtual sensor to which you assign PortChannel 0/0. We recommend that you assign PortChannel 0/0 to vs0, but you can assign it to another virtual sensor if you want to.
Step 13 Press Enter to return to the main virtual sensor menu.
Step 14 Enter 3 to create a virtual sensor.
Step 15 Enter a name and description for your virtual sensor.
Description[Created via setup by user cisco]: New Sensor
Anomaly Detection Configuration
[2] Create a new anomaly detection configuration
Step 16 Enter 1 to use the existing anomaly-detection configuration, ad0.
Signature Definition Configuration
[2] Create a new signature definition configuration
Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig .
Event Action Rules Configuration
[2] Create a new event action rules configuration
Step 19 Enter 1 to use the existing event-action-rules configuration, rules0.
Note If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
Event Action Rules: rules0
Signature Definitions: newSig
[1] Remove virtual sensor.
[2] Modify "newVs" virtual sensor configuration.
[3] Modify "vs0" virtual sensor configuration.
[4] Create new virtual sensor.
Step 20 Press Enter to exit the interface and virtual sensor configuration menu.
Modify default threat prevention settings?[no]:
Step 21 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Virtual sensor vs0 is configured to prevent high risk threats in inline mode.(Risk Rating 90-100)
Do you want to disable automatic threat prevention on all virtual sensors?[no]:
Step 22 Enter yes to disable automatic threat prevention on all virtual sensors.
The following configuration was entered.
host-ip 192.168.1.2/24,192.168.1.1
standard-time-zone-name UTC
summertime-option disabled
signature-definition newSig
event-action-rules rules0
anomaly-detection-name ad0
physical-interfaces PortChannel0/0
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Disabled
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 23 Enter 2 to save the configuration.
Enter your selection[2]: 2
Step 24 Reboot the ASA 5500-X IPS SSP.
Warning: Executing this command will stop all applications and reboot the node.
Step 25 Enter yes to continue the reboot.
Step 26 After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).
asa-ips# show tls fingerprint
MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
Step 27 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when using HTTPS to connect to this ASA 5500-X IPS SSP with a web browser.
Step 28 Apply the most recent service pack and signature update. You are now ready to configure the ASA 5500-X IPS SSP for intrusion prevention.
For More Information
ASA 5585-X IPS SSP Advanced Setup
Note Anomaly detection is disabled by default in IPS 7.1(2)E4 and later. You must enable it to configure or apply an anomaly detection policy. Enabling anomaly detection results in a decrease in performance.
To continue with advanced setup for the ASA 5585-X IPS SSP, follow these steps:
Step 1
Session in to the ASA 5585-X IPS SSP using an account with administrator privileges.
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled. Valid for IPS 7.1(8)E4 and later.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note If you change the web server port, you must specify the port in the URL address of your browser when you connect to IDM. Use the following format: https://
ips_ssp_ip_address:port
(for example, https://10.1.9.201:1040
).
Note The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration.
Current interface configuration
Command control: Management0/0
Event Action Rules: rules0
Signature Definitions: sig0
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Step 8 Enter 1 to edit the interface configuration.
Note You do not need to configure interfaces on the ASA 5585-X IPS SSP. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5585-X IPS SSP than for other sensors.
[1] Modify interface default-vlan.
Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Step 10 Enter 2 to edit the virtual sensor configuration.
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Step 11 Enter 2 to modify the virtual sensor vs0 configuration.
Event Action Rules: rules0
Signature Definitions: sig0
Step 12 Enter 1 to add PortChannel 0/0 to virtual sensor vs0.
Note Multiple virtual sensors are supported. The adaptive security appliance can direct packets to specific virtual sensors or can send packets to be monitored by a default virtual sensor. The default virtual sensor is the virtual sensor to which you assign PortChannel 0/0. We recommend that you assign PortChannel 0/0 to vs0, but you can assign it to another virtual sensor if you want to.
Step 13 Press Enter to return to the main virtual sensor menu.
Step 14 Enter 3 to create a virtual sensor.
Step 15 Enter a name and description for your virtual sensor.
Description[Created via setup by user cisco]: New Sensor
Anomaly Detection Configuration
[2] Create a new anomaly detection configuration
Step 16 Enter 1 to use the existing anomaly-detection configuration, ad0.
Signature Definition Configuration
[2] Create a new signature definition configuration
Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig .
Event Action Rules Configuration
[2] Create a new event action rules configuration
Step 19 Enter 1 to use the existing event action rules configuration, rules0.
Note If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
Event Action Rules: rules0
Signature Definitions: newSig
[1] Remove virtual sensor.
[2] Modify "newVs" virtual sensor configuration.
[3] Modify "vs0" virtual sensor configuration.
[4] Create new virtual sensor.
Step 20 Press Enter to exit the interface and virtual sensor configuration menu.
Modify default threat prevention settings?[no]:
Step 21 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Virtual sensor newVs is configured to prevent high risk threats in inline mode. (Risk Rating 90-100)
Virtual sensor vs0 is configured to prevent high risk threats in inline mode.(Risk Rating 90-100)
Do you want to disable automatic threat prevention on all virtual sensors?[no]:
Step 22 Enter yes to disable automatic threat prevention on all virtual sensors.
The following configuration was entered.
host-ip 10.1.9.201/24,10.1.9.1
standard-time-zone-name UTC
summertime-option disabled
signature-definition newSig
event-action-rules rules0
anomaly-detection-name ad0
physical-interfaces PortChannel0/0
service event-action-rules rules0
overrides deny-packet-inline
override-item-status Disabled
[0] Go to the command prompt without saving this config.
[1] Return back to the setup without saving this config.
[2] Save this configuration and exit setup.
Step 23 Enter 2 to save the configuration.
Enter your selection[2]: 2
Step 24 Reboot the ASA 5585-X IPS SSP.
Warning: Executing this command will stop all applications and reboot the node.
Step 25 Enter yes to continue the reboot.
Step 26 After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).
ips-ssp# show tls fingerprint
MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
Step 27 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when using HTTPS to connect to this ASA 5585-X IPS SSP with a web browser.
Step 28 Apply the most recent service pack and signature update. You are now ready to configure your ASA 5585-X IPS SSP for intrusion prevention.
For More Information