Cisco ASA SSM-10 Global Correlation critical

Similar Messages

• Correlating Cisco ASA-SSM-IPS Events/Logs

  I have just configured a Cisco ASA-SSM-IPS10. An exciting feature of this decice is the ability to monitor, analyse, and correlate security events. Can anybody help with a documentation to simplify daily (or periodic) analysis, and correlation of the IPS Logs? As I am not yet to up to speed with this task yet, a "How-to" document would be just fine.  Thank you.

  Hi Chris,
  Good to have you get on the case. I am yet to setup and ips manager software. Presently, I use an ASDM 6 interface, with this interface, I am able to view events and alerts, and perform other adminsitrative cores... The IPS manager express does it comes bundle with our device purchase? Does it contain necesary templates/docs for correlating events/Logs?

• CISCO ASA SSM-10

  I have an ASA 5520, and I have Cisco ASA SSM-10, but I'm not sure how to work with it. My problems are here:
  1. What software do I need to get this to work
  2. From the rj45 connection on this module, where does it connects to.
  3. Give me some guide to configure it and test to see if it works.

  Hi,
  you need to do couple of things to get this to work.
  1. Configuration on ASA to forward the traffic to the module
  2. Chose whether you are going to plug the IPS in inline/promiscious mode
  3. Configure the IPS module
  Configuring ASA to forward the traffic to the module:-
  access-l IPS permit ip any any
  class-IPS
  match access-list IPS
  policy-map global-policy
  class IPS
  IPS inline/promiscious fail-open/fail-close
  When you do this ASa is configured to send the traffic to the module.
  Now you need to get in to the IPS
  you can get in to the through CLI on ASA:-
  do session 1
  it will ask you for username and password
  both are cisco by default
  run the command setup
  and it will walk you through the initial configuration of the sensor.
  once the sensor is configured
  log in to the IDM
  and need to go to configuration>> policies and assign vs0 to the backplane interface of the module so that sigs come in to the act of the traffic.
  you can connect the module in front of the IPS to the switch vlan where the other interface exist from where you want to see this traffic and want ips to come into act.
  Suppose you want to apply the IPS on inside network
  ASA inside interface ip:-192.168.1.1
  Module ip:-192.168.1.3/192.168.1.1
  Here the gateway for the module is the ASA inside interface.
  now all the traffic going outbound or coming in from the inside itnerface will be monitored by the IPS.
  now connect the ethernet interface of the module to the same vlan on switch where your inside interface is connected.
  Now you can even manage the IDM of the IPS just like you manage the ASDM for the ASA, you just need to have your host/network allowed to gain access to it.
  Thanks

• Swap Cisco ASA SSM-10 from dead firewall

          Good afternoon,
  I currenty have 2 cisco 5510 firewalls one of the firewals is completly dead but contains a Cisco ASA SSM-10 can i remove this card and just place it into a working unit, will i have any problems doing so.
  Regards
  Paul

  No, that shouldn't be a problem at all as the serial number of the SSM-10 module does not get linked to the actual ASA appliance.

• "Global Correlation" = Critical - Cisco AIP-SSM-20

  We are getting this error on both IME and IDM. What causes this, and how does one resolve it?
  We are also not getting new events in IME - could this be related to the problem?

  correct..The sensor must operate in Inline mode so that the Global Correlation features can increase efficacy by being able to use the inline deny actions.
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html

• IPS-4420 Global Correlation status critcal

  How to check in the IPS 4420 is Globel correlation license are there or not?
  In IDS 4420 IDM event montor page I am facing two below problem
  1. Event Retrieval       =========== Critical
  2. Global Correlation  =========== Critical.
  I configure IPS box got to the Internet without proxy. But I don't how to check the IPS are connected to Cisco Global Correlation server?
  Why its shwoing critcal on Event Retrieval and Global Correlation.

  Are you planning to use the Global Correlation feature?
  Here is the information on Global Correlation for your reference:
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_collaboration.html
  If don't want to use that feature, you can disable that in the sensor health metric section so it's not showing Critical.
  Similarly, for Even Retrieval, you can just disable that in the sensor health metric section. This is only useful if your IPS events are retrieved by an external monitoring system, eg: IME.
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2117358
  Message was edited by: Jennifer Halim

• SSM-AIP 7.0(1) Global Correlation config nightmare!

  Thanks, Cisco, for creating a Management nightmare with your "Global Correlation" option in version 7.0...
  Lets start with the SSM-AIP-20 Management interface...
  We have an OOB Management network, with a single POI into this through a separate PIX515E appliance. Both the ASA5540 AND the SSM-AIP-20 reside on this network.
  The first issue was in Routing, since the ASA sees the Management network as "directly attached", and we ROUTE the traffic through the PIX for updates on the SSM module, we had to add translation entries in the PIX515E for the SSM module (10.x.x.x Management, 172.x.x.x translated).
  This was not a big issue, but here is where the nightmare begins...
  First a note: We have the Management network locked down TIGHT, only a couple of Network Management stations allowed into that network to access these devices.
  I enabled Global Correlation in test mode, but it was "failed" every time it tried to update.. Reading other posts, I created ACL and Static NAT in the PIX515E for these IP's:
  204.15.82.17 (IP listed in the IME Global Correlation update server)
  97.65.135.170 and .137 (from another post in these forums)
  207.15.82.17 (IP found in a trace)
  Still no updates. Looking in the PIX logs, I found "no translation" entries for the following addresses:
  198.133.219.25
  209.107.213.40
  208.90.57.73
  I put these in, and it started updating! FIXED? NOT!
  This morning, it was again failing... Looked in the PIX logs again, and found these:
  77.67.85.33
  77.67.85.9
  Entered them, and the SSM is happy again. How long? Who knows?
  So, now I have NINE holes in my "secure" network, and who knows when Cisco will change or add new IP addresses to this list.
  Cisco, if you are listening - ALL access to/from the Global correlation through a single IP? PLEASE?
  (use the one listed in the IME - 204.15.82.17, for the URL "update-manifests.ironport.com")

  A few of the addresses belong to Cisco (originally ironport.com addresses from the ironport aquisition) and are used as manifest servers to provide the sensor a list of files to download.
  The sensor then downloads those files from Akamai servers. Akamai has a large number of servers across the world. Cisco sends the update to Akamai and they replicate it across their servers. When sensors try to connect to the Akamai server it does a DNS query and by controlling the DNS response it can direct sensors to an Akamai server located nearer to the sensor. This allows for better load balancing, response times, and download speeds.
  However, Akamai has a large number of servers (in the thousands I think) world wide, and you can't predict which server your specific sensor will be directed to.
  Sensor connections to the cisco servers for the manifest (file list) is on port 443, and usually to update-manifests.ironport.com URLs.
  Sensor connections to the Akamai servers for the actual file downloads are on port 80 and usually to updates.ironport.com URLs.
  The above is all based on my limited understanding of how the updates work. I may have gotten a few details wrong, but should at least give you a general idea.
  I will be working with development to get this better documented in Release Notes and Readme with the next IPS software release.

• ASA botnet filter vs ips global correlation

  Does the global correlation include the data from botnet filter? On Cisc's site it says this on the global correlation
  Customers deploying Cisco IPS can benefit from  Global Correlation in multiple ways. First, bad traffic from known  sources is stopped immediately. This includes zero-day attacks, for  which no traditional threat prevention currently exists, advanced  persistent threats (APTs), and botnet command and control traffic

  Hello Matt,
  Check the following info:
  Cisco ASA Botnet Traffic Filter
  This paper focuses on how Cisco Security Intelligence Operations relates to botnet threat identification, and its interaction with the Cisco ASA Botnet Traffic Filter. It is important to realize that a comprehensive security deployment should include Cisco Intrusion Prevention Systems (IPS) with its reputation based Global Correlation service and IPS signatures in conjunction with the security services provided by the ASA security appliance such as Botnet Traffic Filter.
  So I would say they both provide you security based on databases from the SIO but they will not be equal on their funcionalities, that is why Cisco recommend to use both when possible,
  Regards

• Single AIP-SSM in Cisco ASA Failover Active / Standby Mode

  Hi,
  I can add single AIP-SSM on Cisco ASA in failover active / standby mode?

  No, both units need the same hardware, that includes the installed modules.
  Sent from Cisco Technical Support iPad App

• CISCO IPS Global Correlation

  Hi,
  While enabling Global correlation, I understood that we need to configure proxy or DNS.
  Also, I hope that needs to open the port (80/443) on the firewall for the management IP address of IPSto reach the cisco sensor database. If i'm correct what about the destination IP, do we need to enable "any" or specific IP is there.
  ACL:
  Source (IPS Management IP) -> Port (80/443) -> Destination?

  Hi,
  Global correlation features only contain external IP addresses, so if you position a sensor in an
  internal lab, you may never receive global correlation information.
  Source (IPS Management IP) -> Port (80/443) -Detination is https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
  Regards
  Rajeswar

• Cisco ASA IPS SSM-10

  Hello,
  I just upgraded one of my Cisco ASA IPS SSM-10 from version 7.0 (6) E4 to version 7.0 (7) E4 and the Radius authentication stopped working. I use Microsoft 2008 Radius and I still have 10 more of these working with version 7.0 (6) E4.
  I used to have the same Radius authentication issue with version 6 until we upgraded to ver 7.0 (6) E4 and this latest version screwed up again.
  Does anyone know if there is a Radius authentication bug in this latest version 7.0 (7) E4?
  Thank you
  Si

  There is a known issue CSCty46104. However a show-tech log can give more details as to why there was a failure in your case.
  Regards
  Sawan Gupta

• Cisco IPS SSM 10 Sensor can't update signature file from ASA 5510

  Cisco ASA 5510 IPS Firewall with ASA-SSM-10 Module.  I am trying to do a manual update of the signature file and get the following error:
  Error: execUpgradeSoftware : couldn't connect to host
  I have confirmed that I can ping the ftp server successfully from the ASA and the command I am trying to use from the configure terminal of the module is:
  upgrade ftp://[email protected]//IPS-sig-S813-req-E4.pkg
  I have also tried via http and it does not work as well.  Any thoughts?

  to connect to ftp there should be username usually anonymous and password whitch can be any. check in ftp server
  aip_ssm_card# copy  ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key 
  User: anonymous
  Password: *********
  the username and/or the password are incorrect
  aip_ssm_card# copy  ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key 
  User: 123
  Password: ***
  File opening error
  I made special user 123 on ftp server with password 123
  aip_ssm_card# copy  ftp://192.168.15.12/JAF1308ARNJ_20131009032200919.lic license-key 
  User: 123
  Password: ***
  aip_ssm_card# 
  and dont forget to rate post

• Cisco IPS (global correlation) is downloading lots of updates from the iron-port website

  I have query on Global correlation.
  Following is the observed behavior
  Scenario 1:
  Global Correlation Inspection: ON (Standard)
  Reputation Filter: ON
  Result: Global correlation downloads in bytes or KBs (observed on proxy)
  Scenario 2:
  Global Correlation Inspection: OFF
  Reputation Filter: ON
  Result: Global correlation downloads 4-5 MB every 5 Minutes (observed on proxy)
  This behavior has been observed on both IPS devices one by one. What we wanted the clarity on is why is does global correlation download so much of data when it is OFF, and downloads only minimal data when ON. The equation does not seem to be right.
  Request you for your prompt response.
  Regards,
  Neal

  Both global correlation and reputation filtering retrieve updates from the SensorBase network, or IronPort. By default, they communicate with the network every five minutes. This value cannot be changed by the IPS administrator.

• Cisco IPS ASA SSM-10

  I am using an ASA SSM-10 IPS. Currently it keeps logging those event of alerts.
  Where does the IPS keeps all those event logs? In the disk space?
  Where can i see how much space i left?
  Will it went down if the space is full?

  This is from the post I linked earlier, and you don't have to worry the sensor will definitely not go 'down', the event-log data structure is circular and is over-written every time it is full.
  "The eventStore size starting at version 5.0(1) is a fixed 30 Meg. Its a *circular* eventStore that is intended to wrap (new events overwriting oldest events). The usual sensor deployment includes some sort of remote event monitor application (like IEV,IME etc.) that pulls events from the sensor. The eventStore acts as a buffer to allow the remote monitoring app to keep up with busy sensors. If your eventStore wraps every few hours then the monitoring app should be able to keep up with all the events being generated. The concern would be if the eventStore continuously wrapped in less than 10 or 15 minutes. At that point you may be loosing events and would need to tune the sensor signature config to only alarm on meaningful events."
  I'm assuming since the event-store is only 30 MB, its a 'part' of one of the following parititions:
  application-data OR application-log
  Most probably the first one.
  Regards
  Farrukh

• Global correlation can't updated

  version is IPS7.0, asa5520-aip-ssm.
  Singatrue and  IME can be sucessfully updated,
  Global correlation can't updated,
  the Status of global correlation is Critical.
  I saw the website
  http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/ime/ime_collaboration.html#wp1053280
  and updated following the web page. But  can't work it.
  How could I update global correlation
  or go back old sensorbase?

  The output provided clearly indicates that the AIP-SSM is unable to resolve the update server address.  The server name update-manifests.ironport.com is not user configurable.
  Do you have more than one DNS server configured?  If so, disable all but the primary DNS server.
  If you only have one DNS server configured, please verify the AIP-SSM's management IP address has unrestricted access to the Internet.  (At a minimum TCP ports 80 and 443 and UDP port 53).
  Scott