Hi Stu

Even I am facing the issue, where the shun is not initiated on the ASA. The events O/P informs that the ASA is unreachable.
But I am able to ping and ssh to the ASA. BTW, what is the algorithm that you are using for SSH in the profile - DES or 3DES?

With regards
Kings

On Mon, Nov 30, 2009 at 6:04 PM, Stuart Hare <[email protected]> wrote:

> Kings,
>
> Yes the IPS will try and apply the block or rate limit to all the blocking devices it manages.
> I have only really seen an issue like this when blocking to both IOS and ASA devices.
> Double check that all the devices can be managed by the IPS, and that your blocking device profiles are correct.
>
> Stu
>
> 2009/11/30 Kingsley Charles <[email protected]>
>
>> Hi Stuart
>>
>> I am just trying to trigger a request block host and rate limit.
>>
>> The request block host is working and I see that the sensor is configuring ACLs on the router (blocking device).
>>
>> If there are four blocking devices (routers) defined in the list, will the ACL be configured by the sensor on all the four devices' interfaces when the signature is triggered?
>>
>> With regards
>> Kings
>>
>> On Mon, Nov 30, 2009 at 1:48 PM, Stuart Hare <[email protected]> wrote:
>>
>>> Kings,
>>>
>>> Do you have a specific issue? If so can you explain further?
>>>
>>> Generally if you are having trouble with this it's always a good idea to check the logs of the blocking device itself; it's more likely to give you more info as to whether the IPS can log in or why the block was failing.
>>>
>>> If you are doing requests to both ASA and IOS devices using the sensor, you typically will need to ignore the alerts for the ASA when an IOS event is triggered, as it will only support the block host / shun requests, hence the possible failures.
>>> It would be good to suppress these but I never managed to find a way.
>>>
>>> Stu
>>>
>>> 2009/11/30 Kingsley Charles <[email protected]>
>>>
>>>> Hi Stuart
>>>>
>>>> That's true, same here. I am not able to verify the functionality of request host block/rate limit because I always see login failure issues.
>>>>
>>>> I succeeded just once or twice.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Mon, Nov 30, 2009 at 12:03 PM, Stuart Hare <[email protected]> wrote:
>>>>
>>>>> Kings
>>>>>
>>>>> I found this a little frustrating myself, especially considering when you have an ASA as a blocking device, you get a lot of failure messages in the log due to certain methods being unsupported. Unfortunately I couldn't find a way to bypass this for certain devices. Not sure whether this has changed in the latest code though.
>>>>>
>>>>> Stu
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>> On 30 Nov 2009, at 05:57, Kingsley Charles <[email protected]> wrote:
>>>>>
>>>>>> Hi all
>>>>>>
>>>>>> We can configure the sensor to "Request block host" and "Request Rate limit." If these actions are configured for the signatures and the signatures are triggered, a request is sent to the routers/switches that are present in the blocking devices list.
>>>>>>
>>>>>> My understanding is that the request is sent to all the devices in the blocking device list.
>>>>>>
>>>>>> In that case, the block request or rate limit will also be sent to devices that are not relevant to the attack.
>>>>>>
>>>>>> Is there any way where we can tie the blocking request or rate limit request triggered by a signature to specific hosts or a subset of hosts in the blocking device list defined in the sensor?
>>>>>>
>>>>>> With regards
>>>>>> Kingsley Charles
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
