Checking Ssm Status - Cisco FirePOWER ASA 5500 series Configuration Manual
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
Chapter 22
Managing AIP SSM and CSC SSM
Example 22-1
policy, csc_out_policy, is applied to the inside interface and uses the csc_out access list to ensure that
all outbound requests for FTP and POP3 are scanned. The csc_out access list also ensures that HTTP
connections from inside to networks on the outside interface are scanned but it includes a deny ACE to
exclude HTTP connections from inside to servers on the DMZ network.
The second policy, csc_in_policy, is applied to the outside interface and uses the csc_in access list to
ensure that requests for SMTP and HTTP originating on the outside interface and destined for the DMZ
network are scanned by the CSC SSM. Scanning HTTP requests protects the web server from HTTP file
uploads.
Example 22-1 Service Policies for a Common CSC SSM Scanning Scenario
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 21
hostname(config)# access-list csc_out deny tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 80
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 80
hostname(config)# access-list csc_out permit tcp 192.168.10.0 255.255.255.0 any eq 110
hostname(config)# class-map csc_outbound_class
hostname(config-cmap)# match access-list csc_out
hostname(config)# policy-map csc_out_policy
hostname(config-pmap)# class csc_outbound_class
hostname(config-pmap-c)# csc fail-close
hostname(config)# service-policy csc_out_policy interface inside
hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 25
hostname(config)# access-list csc_in permit tcp any 192.168.20.0 255.255.255.0 eq 80
hostname(config)# class-map csc_inbound_class
hostname(config-cmap)# match access-list csc_in
hostname(config)# policy-map csc_in_policy
hostname(config-pmap)# class csc_inbound_class
hostname(config-pmap-c)# csc fail-close
hostname(config)# service-policy csc_in_policy interface outside
Note
FTP inspection must be enabled for CSC SSM to scan files transferred by FTP. FTP inspection is enabled
by default.
Checking SSM Status
To check the status of an SSM, use the show module command.
The follow example output is from an adaptive security appliance with a CSC SSM installed. The Status
field indicates the operational status of the SSM. An SSM operating normally has a status of "Up" in the
output of the show module command. While the adaptive security appliance transfers an application
image to the SSM, the Status field in the output reads "Recover". For more information about possible
statuses, see the entry for the show module command in the Cisco Security Appliance Command
Reference.
hostname# show module 1
Mod Card Type
--- -------------------------------------------- ------------------ -----------
OL-10088-01
is based on the network shown in
Model
Figure
22-3. It creates two service policies. The first
Serial No.
Cisco Security Appliance Command Line Configuration Guide
Checking SSM Status
22-13
Advertisement
Table of Contents
Troubleshooting
