
Cisco ASA 5506-X Configuration Manual page 414


Cisco ASA Series Firewall CLI Configuration Guide, page 18-16
Chapter 18: ASA IPS Module
Configuring the ASA IPS module

Detailed Steps

Step 1
Command: class-map name
Example:
hostname(config)# class-map ips_class
Purpose:
Creates a class map to identify the traffic that you want to send to the ASA IPS module.
If you want to send multiple traffic classes to the ASA IPS module, you can create multiple class maps for use in the security policy.

Step 2
Command: match parameter
Example:
hostname(config-cmap)# match access-list ips_traffic
Purpose:
Specifies the traffic in the class map. See Identify Traffic (Layer 3/4 Class Maps), page 1-13 for more information.

Step 3
Command: policy-map name
Example:
hostname(config)# policy-map ips_policy
Purpose:
Adds or edits a policy map that sets the actions to take with the class map traffic.

Step 4
Command: class name
Example:
hostname(config-pmap)# class ips_class
Purpose:
Identifies the class map you created in Step 1.

Step 5
Command: ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
Example:
hostname(config-pmap-c)# ips promiscuous fail-close
Purpose:
Specifies that the traffic should be sent to the ASA IPS module.
The inline and promiscuous keywords control the operating mode of the ASA IPS module. See Operating Modes, page 18-2 for more details.
The fail-close keyword sets the ASA to block all traffic if the ASA IPS module is unavailable.
The fail-open keyword sets the ASA to allow all traffic through, uninspected, if the ASA IPS module is unavailable.
If you use virtual sensors, you can specify a sensor name using the sensor sensor_name argument. To see available sensor names, enter the ips {inline | promiscuous} {fail-close | fail-open} sensor ? command. Available sensors are listed. You can also use the show ips command. If you use multiple context mode on the ASA, you can only specify sensors that you assigned to the context (see Assigning Virtual Sensors to a Security Context, page 18-13). Use the mapped_name if configured in the context.
If you do not specify a sensor name, then the traffic uses the default sensor. In multiple context mode, you can specify a default sensor for the context. In single mode or if you do not specify a default sensor in multiple mode, the traffic uses the default sensor that is set on the ASA IPS module. If you enter a name that does not yet exist on the ASA IPS module, you get an error, and the command is rejected.
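
The following Python script is an added example, not part of the Cisco guide. It reads a saved configuration containing the class-map and policy-map commands from Steps 1 through 5, lists each ips action with its mode, failure behaviour and sensor, and reports classes set to fail-open. The sample configuration is constructed, and dmz_class, dmz_traffic and sensor1 are made-up names.

```python
import re

# Constructed sample in running-config layout. ips_class, ips_traffic and ips_policy
# come from the steps above; dmz_class, dmz_traffic and sensor1 are made-up names.
SAMPLE_CONFIG = """\
class-map ips_class
 match access-list ips_traffic
class-map dmz_class
 match access-list dmz_traffic
policy-map ips_policy
 class ips_class
  ips promiscuous fail-close
 class dmz_class
  ips inline fail-open sensor sensor1
"""

IPS_RE = re.compile(r"ips (inline|promiscuous) (fail-close|fail-open)(?: sensor (\S+))?$")

def parse_ips_actions(config):
    """Return one dict per `ips` action with its policy map, class and match criteria."""
    matches, actions = {}, []
    cmap = pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():      # a top-level command ends the previous block
            cmap = pmap = cls = None
        if line.startswith("class-map "):
            cmap = line.split()[-1]
            matches[cmap] = []
        elif line.startswith("policy-map "):
            pmap = line.split()[-1]
        elif line.startswith("match ") and cmap:
            matches[cmap].append(line[len("match "):])
        elif line.startswith("class ") and pmap:
            cls = line.split()[-1]
        elif pmap and cls and (m := IPS_RE.match(line)):
            # With no sensor argument the traffic uses the default sensor.
            actions.append({"policy": pmap, "class": cls, "mode": m.group(1),
                            "fail": m.group(2), "sensor": m.group(3) or "default",
                            "match": matches.get(cls, [])})
    return actions

def audit(config):
    """Return a finding for every IPS class that is configured fail-open."""
    return [f"{a['policy']}/{a['class']} ({', '.join(a['match'])}): fail-open, "
            "traffic passes uninspected if the ASA IPS module is unavailable"
            for a in parse_ips_actions(config) if a["fail"] == "fail-open"]

if __name__ == "__main__":
    print(*parse_ips_actions(SAMPLE_CONFIG), *audit(SAMPLE_CONFIG), sep="\n")
```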
