Chapter 22 Managing Aip Ssm And Csc Ssm - Cisco FirePOWER ASA 5500 series Configuration Manual

Managing the AIP SSM
The AIP SSM can operate in one of two modes, as follows:
•
•
You can specify how the adaptive security appliance treats traffic when the AIP SSM is unavailable due
to hardware failure or other causes. Two keywords of the ips command control this behavior. The
fail-close keyword sets the adaptive security appliance to block all traffic if the AIP SSM is unavailable.
The fail-open keyword sets the adaptive security appliance to allow all traffic through, uninspected, if
the AIP SSM is unavailable.
For more information about configuring the operating mode of the AIP SSM and how the adaptive
security appliance treats traffic during an AIP SSM failure, see the
section on page
Getting Started with the AIP SSM
Configuring the AIP SSM is a two-part process that involves configuration of the ASA 5500 series
adaptive security appliance first, and then configuration of the AIP SSM:
1.
2.
Diverting Traffic to the AIP SSM
You use MPF commands to configure the adaptive security appliance to divert traffic to the AIP SSM.
Before configuring the adaptive security appliance to do so, read
Framework,"
To identify traffic to divert from the adaptive security appliance to the AIP SSM, perform the following
steps:
Step 1 Create an access list that matches all traffic:
hostname(config)# access-list acl-name permit ip any any
Cisco Security Appliance Command Line Configuration Guide
22-2
Inline mode—Places the AIP SSM directly in the traffic flow. No traffic can continue through the
adaptive security appliance without first passing through, and being inspected by, the AIP SSM. This
mode is the most secure because every packet is analyzed before being allowed through. Also, the
AIP SSM can implement a blocking policy on a packet-by-packet basis. This mode, however, can
affect throughput. You specify this mode with the inline keyword of the ips command.
Promiscuous mode—Sends a duplicate stream of traffic to the AIP SSM. This mode is less secure,
but has little impact on traffic throughput. Unlike operation in inline mode, the SSM operating in
promiscuous mode can only block traffic by instructing the adaptive security appliance to shun the
traffic or by resetting a connection on the adaptive security appliance. Also, while the AIP SSM is
analyzing the traffic, a small amount of traffic might pass through the adaptive security appliance
before the AIP SSM can block it. You specify this mode with the inline keyword of the ips
command.
22-2.
On the ASA 5500 series adaptive security appliance, identify traffic to divert to the AIP SSM (as
described in the "Diverting Traffic to the AIP SSM" section on page
On the AIP SSM, configure the inspection and protection policy, which determines how to inspect
traffic and what to do when an intrusion is detected. Because the IPS software that runs on the AIP
SSM is very robust and beyond the scope of this document, detailed configuration information is
available in the following separate documentation:
Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface
•
Cisco Intrusion Prevention System Command Reference
•
which introduces MPF concepts and common commands.
Chapter 22 Managing AIP SSM and CSC SSM
"Diverting Traffic to the AIP SSM"
22-2).
Chapter 21, "Using Modular Policy
OL-10088-01