146 Cards in this Set
- Front
- Back
needs question
|
ip inspect (name) inspect tcp router-traffic
|
|
needs question
|
ip inspect (name) inspect udp router-traffic
|
|
needs question
|
ip inspect (name) inspect sip router-traffic
|
|
needs question
|
ip inspect (name) inspect ftp router-traffic
|
|
needs question
|
ip inspect (name) inspect h.323 router-traffic
|
|
needs question
|
If you use any protocols that have separate data and control streams (like FTP), you have to list them in the configuration before using the TCP or UDP keywords
|
|
This command helps alleviate problems with TCP packets being dropped in the fast path due to asymmetric routing
|
tcp state-bypass
|
|
On an IOS firewall, CBAC policies must be applied in this direction if traffic originating from the router itself is to be accounted for
|
Outbound
|
|
These are the four actions that can be taken against traffic identified in an inspect type layer 3 policy map
|
inspect, pass, drop, police
|
|
Needs question CBAC
|
inspect
|
|
Needs Question CBAC
|
pass
|
|
needs CBAC question
|
drop
|
|
needs CBAC question
|
police
|
|
This TCP option is used by BGP but is stripped when passing through an ASA
|
Option 19 - The MD5 signature option |
|
This IOS feature allows for the filtering of traffic based on application-layer protocols. Traffic originating on the internal network is inspected as it leaves the router and an entry is appended to the incoming access list to allow return traffic from the same session
|
Context based access control |
|
Traffic originating from the router itself is not by default included in the inspection rule applied to the external interface. To fix this, we need to append this keyword to our inspection rule
|
router-traffic
for example: R2(config)# ip inspect name OUTBOUND icmp router-traffic |
|
CBAC makes use of two components to filter traffic traversing an untrusted interface
|
A set of inspection rules for traffic egressing the interface and an access-list to permit or deny ingress traffic
|
|
Cisco recommends that you first make changes to these values before configuring your CBAC inspection rules
|
global timer and threshold timer |
|
DOS attack question
|
ip inspect udp idle-time seconds
|
|
DOS attack question
|
ip inspect dns idle-time seconds
|
|
DOS attack question needed
|
ip inspect tcp idle-time seconds
|
|
DOS attack question needed
|
ip inspect tcp synwait-time seconds
|
|
DOS attack question needed
|
ip inspect tcp finwait-time seconds
|
|
question needed
|
show inspect all
|
|
When attempting to configure a RSPAN session on a switch to allow a VLAN to be monitored by an IPS in promiscuous mode, the monitored VLAN must be manually added to each participating switch under this circumstance
|
The switch is operating in VTP transparent mode
|
|
needs question
|
sh monitor session 1
|
|
needs question
|
sh vlan remote-span
|
|
Use this keyword to configure RSPAN destinations to receive traffic from attached devices
|
ingress
for example: monitor session 1 destination interface fastethernet0/12 ingress vlan 2 |
|
needs question - setting up switch for vlan pairs for the IPS
|
switchport mode trunk
|
|
In order to do VLAN pairing with an IPS, the switch port connected to the sensing interfaces must be a trunk port and must have the VLAN allowed to cross the trunk.
This is done with this command on a Cisco switch |
- switchport trunk allowed vlan 18,19,28,30
|
|
To verify that trunking is configured properly on a Cisco switch to allow for VLAN pairing on the IPS, issue this command
|
show interface fastethernet 0/19 trunk
|
|
To display the interface status or a list of interfaces in error-disabled state, use this command
|
the show interfaces status command.
show interfaces status [err-disabled] |
|
This keyword must be used when configuring the switch's destination RSPAN interface to allow an attached IPS to send TCP resets (which are usually un-encapsulated)
|
INGRESS keyword
|
|
In order for IPS VLAN pairing to work, the switch port connected to the IPS must be in this switchport mode
|
Trunk
for example: switch(config)# switchport mode trunk |
|
If the paired interfaces are connected to the same switch from the IPS
|
you should configure them on the switch as access ports with different access VLANs for the two ports. Otherwise, traffic does not flow through the inline interface.
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml |
|
Interface pairs are configured in this sub-mode on the IPS
|
interface sub-mode
Enter the interface submode:
sensor#configure terminal
sensor(config)#service interface
sensor(config-int)#
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml |
|
This IPS command gives a name to an inline pair
|
sensor(config-int)#inline-interfaces PAIR1
|
|
To display the list of available interfaces, issue this command
|
sensor(config-int)#physical-interfaces ?
GigabitEthernet0/0 GigabitEthernet0/0 physical interface.
GigabitEthernet0/1 GigabitEthernet0/1 physical interface.
GigabitEthernet0/2 GigabitEthernet0/2 physical interface.
GigabitEthernet0/3 GigabitEthernet0/3 physical interface.
Management0/0 Management0/0 physical interface. |
|
Before an IPS interface can monitor traffic, this must happen
|
You must assign the interface to a virtual sensor and enable it before it can monitor traffic
|
|
needs question - configuring interface pairs
|
Configure two interfaces into a pair:
sensor(config-int)#interface1 GigabitEthernet0/0
sensor(config-int-inl)#interface2 GigabitEthernet0/1 |
|
needs question - adding a description to an interface pair
|
Add a description of this interface:
sensor(config-int-phy)#description PAIR1 Gig0/0 and Gig0/1 |
|
The IPS command to enable an interface
|
Enable the interfaces:
sensor(config-int)#physical-interfaces GigabitEthernet0/0
sensor(config-int-phy)#admin-state enabled |
|
Issue this command in order to delete an inline interface pair and return the interfaces to promiscuous mode:
|
sensor(config-int)#no inline-interfaces PAIR1
|
|
To display only ASA access-list entries that have non-zero hit counts
|
PIX#sh access-list | grep -v hitcnt=0
sh access-list TACACS | grep -v hitcnt=0
access-list TACACS; 4 elements
access-list TACACS line 4 extended permit icmp any host 136.1.125.100 (hitcnt=1) |
|
There is a quick and easy way to coax a vpn configuration template from the Cisco ASA.
|
Simply use the ‘vpnsetup’ command in global configuration:
ASA(config)# vpnsetup ?
configure mode commands/options:
ipsec-remote-access Display IPSec Remote Access Configuration Commands
l2tp-remote-access Display L2TP/IPSec Configuration Commands
site-to-site Display IPSec Site-to-Site Configuration Commands
ssl-remote-access Display SSL Remote Access Configuration Comman |
|
To quickly display ‘tacacs’ and ‘radius’ ports (or any ports you don’t remember)
|
ROUTER#show ip port-map | in tacacs|radius
Default mapping: tacacs udp port 49 system defined
Default mapping: radius udp port 1812,1813 system defined
Default mapping: tacacs-ds tcp port 65 system defined |
|
Erase IOS configuration (very important in Cisco training labs):
|
ROUTER#erase nvram:startup-config
ROUTER#config replace nvram:startup-config list force |
|
needs question
|
ROUTER#erase nvram:startup-config
|
|
needs question
|
ROUTER#config replace nvram:startup-config list force
|
|
What is the default signature ID number for ICMP echo-request and
echo-reply packets when configuring signatures on the Cisco IPS sensor appliance? |
*An ICMP echo-request is sig ID 2000 and an echo-reply is 2004.
|
|
This command dumps the entire parse chain on the ASA, displaying the privilege level of the command (first column), followed by the modifier (if applicable), the command, and any keywords or options.
|
show parser dump <feature>
|
|
This command displays all of the processes running on the ASA that have non-zero cpu usage (meaning they are using some of the CPU) and sorts them by the amount of CPU usage.
|
show processes cpu-usage sorted non-zero
|
|
This low-priority ASA process functions to constantly poll the embedded 8-port switch on a 5505
|
esw_stats is the top process, but this is normal since it is an ASA 5505 model, and this low-priority process functions to constantly poll the embedded 8-port switch
|
|
This command allows you to run any command from one firewall in an HA pair on the other. For example, from the PRIMARY ACTIVE firewall, one can run show failover on the mate (STANDBY) firewall:
|
failover exec mate
For example:
asa/pri/act# failover exec ?
active Execute command on the active unit
mate Execute command on the peer unit
standby Execute command on the standby unit |
|
This command is useful when it comes to upgrading code. This command allows you to reload the Standby ASA in a failover pair from the Active ASA:
|
failover reload-standby
|
|
Shows each of the Modular Policy Framework (MPF) objects (access-lists, class-maps, policy-maps, and service-policies) that will affect a particular flow.
|
show service-policy flow
For example: asa# show service-policy flow tcp host 10.1.1.1 eq 55555 host 198.133.219.25 eq 80 |
|
This command shows the utilization of the different port ranges for the NAT global IP addresses configured on the ASA. In the example below, there is one global IP address of 172.18.254.123
|
show nat pool
Example:
ASA5505# show nat pool
TCP PAT pool outside, address 172.18.254.123, range 1-511, allocated 2
TCP PAT pool outside, address 172.18.254.123, range 512-1023, allocated 0
TCP PAT pool outside, address 172.18.254.123, range 1024-65535, allocated 38
UDP PAT pool outside, address 172.18.254.123, range 1-511, allocated 4
UDP PAT pool outside, address 172.18.254.123, range 512-1023, allocated 0
UDP PAT pool outside, address 172.18.254.123, range 1024-65535, allocated 4 |
|
This ASA command is very useful for displaying all the commands which make up a given feature.
|
show run <feature>
In the example below, we can output all the commands which make up the call-home feature. The only other way of getting this data would be to issue show run | begin call-home. |
|
1330 sub-signatures are part of this signature engine
|
1330 sub-signatures are part of the TCP Normalizer Engine.
|
|
Defining a packet capture on an IPS:
|
Defining a packet capture:
sensor# packet capture GigabitEthernet0/1 count 250 expression host 10.1.1.1 and tcp port 80 |
|
Displaying a live packet capture on an IPS:
|
packet display
Displaying a live packet capture: sensor# packet display GigabitEthernet0/1 count 250 expression host 10.1.1.1 and tcp port 80 |
|
Displaying the contents of a previous packet capture on an IPS:
|
Displaying the contents of a previous packet capture:
sensor# packet display packet-file |
|
needs question
|
ciscoasa(config)# vpnsetup ?
configure mode commands/options:
ipsec-remote-access Display IPSec Remote Access Configuration Commands
l2tp-remote-access Display L2TP/IPSec Configuration Commands
site-to-site Display IPSec Site-to-Site Configuration Commands
ssl-remote-access Display SSL Remote Access Configuration Commands |
|
ASA command that will display the Steps to configure a remote access IKE/IPSec connection with examples:
|
ciscoasa(config)# vpnsetup ipsec-remote-access steps
https://supportforums.cisco.com/docs/DOC-16112 |
|
ASA command that will display the Steps to configure a remote access L2TP/IPSec connection with examples
|
Steps to configure a remote access L2TP/IPSec connection with examples:
ciscoasa(config)# vpnsetup l2tp-remote-access steps |
|
ASA command that will display Steps to configure a remote access SSL VPN remote access connection and AnyConnect with examples:
|
ciscoasa(config)# vpnsetup ssl-remote-access steps
|
|
You want to create multiple event filters that use the same parameter value. What would be the
most efficient way to accomplish this task? |
create an event variable
|
|
You think users on your corporate network are disguising the use of file-sharing applications
by tunneling the traffic through port 80. How can you configure your Cisco IPS Sensor to identify and stop this activity? |
Enable both the HTTP application policy and the alarm on non-HTTP traffic signature.
|
|
A user with which user account role on a Cisco IPS Sensor can log into the native operating
system shell for advanced troubleshooting purposes when directed to do so by Cisco TAC? |
service account
|
|
Which character must precede a variable to indicate that you are using a variable rather than a
string? |
dollar sign
|
|
needs question
|
You must download service pack and signature updates from Cisco.com to a locally
accessible server before they can be automatically applied to your Cisco IPS Sensor. |
|
This IPS command will clear events from the event store?
|
clear events
|
|
needs question
|
You must use the CLI clear events command.
|
|
Which action does the copy /erase ftp://172.26.26.1/sensor_config01 current-config command
perform? |
overwrites the backup configuration and applies the source configuration file to the system
default configuration |
|
With Cisco IPS 6.0, what is the maximum number of virtual sensors that can be configured on
a single platform? |
four
|
|
What is used to perform password recovery for the "cisco" admin account on a Cisco IPS 4200
Series Sensor? |
GRUB menu
|
|
What is the best way to mitigate the risk that executable-code exploits will perform malicious
acts such as erasing your hard drive? |
assign deny actions to signatures that are controlled by the Trojan engines
|
|
needs question
|
Trojan Engine
|
|
You would like to have your inline sensor deny attackers inline when events occur that have risk ratings over 85. Which two actions, when taken in conjunction will accomplish this?
|
Assign the risk rating range of 85 to 100 to the Deny Attacker inline event action
Enable Event Action overrides |
|
Which two management access methods are enabled by default on a Cisco IPS sensor?
|
SSH and HTTPS
|
|
How should you create a custom signature that will fire when a series of pre-defined signatures occur and you want the Cisco IPS Sensor to generate alerts only for the new custom signature, not for the individual signatures?
|
Use the Meta engine and remove the produce alert action from the component signatures
|
|
needs question
|
Meta Engine
|
|
Which signature action or actions should be selected to cause the attacker's traffic flow to terminate when the Cisco IPS Sensor is operating in promiscuous mode?
|
reset tcp connection
|
|
If you have an IP address space that applies to your engineering group and there are no Windows systems in that group, and you are not worried about any Windows-based attacks to that group, you could do this
|
If you have an IP address space that applies to your engineering group and there are no Windows systems in that group, and you are not worried about any Windows-based attacks to that group, you could set up a variable to be the IP address space of the engineering group. You could then use this variable to configure a filter that would ignore all Windows-based attacks for this group.
|
|
needs question
|
Enter event action rules submode.
sensor# configure terminal
sensor(config)# service event-action-rules rules0 |
|
When you want to use
the same value within multiple IPS filters, use this feature. When you change the value of this, any filter that uses this feature variable is updated with the new value. |
You can create event variables and then use those variables in event action filters. When you want to use
the same value within multiple filters, use a variable. When you change the value of the variable, any filter that uses that variable is updated with the new value. |
|
needs question
|
Create an Event Action override to stop alerting on any signature hit with a risk rating of less than 30. It is rare that a signature hit whose risk rating value stays below 30 is real or worth your attention. Therefore tuning out any RR hit less than 30 maintains your security and cuts down on frivolous event data.
http://www.networkworld.com/community/node/55244 |
|
needs question
|
IPS global correlation
|
|
needs question
|
reputation filtering
|
|
needs question
|
Some signatures are set to drop packets by default. To quickly override the drop functions of these signatures while you are tuning your sensor, create an event action filter. This filter rule will remove all drop functions from signatures. The two tasks in tip number 4 will ensure that your IPS sensor does not drop any traffic until you want it to. It gives you peace of mind that you'll not drop any critical traffic while you are still in the middle of tuning the sensor for the environment.
|
|
needs question
|
While you are going through your tuning stage and your IPS is inline I recommend that you turn off the default Event Action Override. The default rule will drop any traffic that has a risk rating of 90-100. Disabling this rule stops the sensor from dropping traffic based on risk rating.
|
|
To configure the router to expect ssh connections on port 2009 issue these commands
|
We will configure the router to expect ssh connections on port 2009. This is done with the command ip ssh port and applying a rotary group. Then, that rotary group is configured on the VTY lines:
R1(config)# ip ssh port 2009 rotary 1
R1(config)# line vty 0 4
R1(config-line)# rotary 1 |
|
With this IPS event action, the initial attack is typically completed before the IPS can take action
|
TCP reset
|
|
With this IPS signature event action, the IPS can take action on suspicious traffic and never allows the completion of even the initial attack
|
inline protection
|
|
Identifies the number of packets you want logged on a cisco IPS
|
ip-log-packets—Identifies the number of packets you want logged.
The valid value is 0 to 65535. The default is 0. |
|
Identifies the duration you want the sensor to log packets on a Cisco IPS
|
ip-log-time
—Identifies the duration you want the sensor to log packets. |
|
Identifies the maximum number of bytes you want logged on a Cisco IPS
|
ip-log-bytes —Identifies the maximum number of bytes you want logged.
The valid value is 0 to 2147483647. The default is 0. |
|
Automatic IP logging is configured on a per signature basis or as an event action override. The following actions trigger automatic IP logging:
|
• log-attacker-packets
• log-victim-packets
• log-pair-packets |
|
You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged.
When does the sensor stop logging IP traffic? |
The sensor stops logging IP traffic when the first parameter you specify is reached.
|
|
Use this IPS command in service interface mode to have the sensor either forward or drop CDP
packets. |
sensor(config-int)# cdp-mode forward-cdp-packets
|
|
The ability to forward or drop CDP packets can be configured in this service mode
|
SERVICE INTERFACE mode
Use the cdp-mode command in service interface mode to have the sensor either forward or drop CDP packets.
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter interface submode.
sensor# configure terminal
sensor(config)# service interface
Step 3 Enable CDP mode.
sensor(config-int)# cdp-mode forward-cdp-packets |
|
needs question
|
The Meta engine defines events that occur in a related manner within a sliding time interval. This engine
processes events rather than packets. As signature events are generated, the Meta engine inspects them to determine if they match any or several Meta definitions. |
|
A signature engine is composed of what two components?
|
An engine is composed of a parser and an inspector.
|
|
What are the two IPS AIC engines
|
There are two AIC
engines: AIC FTP and AIC HTTP |
|
This IPS engine provides thorough analysis of web traffic.
|
AIC engine
|
|
Defines events that occur in a related manner within a sliding time interval. This engine processes events rather than packets.
|
Meta Engine
|
|
Inspects Layer 4 transport protocols and payloads by matching several strings for one
signature. This engine inspects stream-based TCP and single UDP and ICMP packets. |
Multi string engine
|
|
Configures how the IP and TCP normalizer functions and provides configuration for
signature events related to the IP and TCP normalizer. Allows you to enforce RFC compliance. |
normalizer signature engine
|
|
You can clear all denied attacker entries with this command, which permits the addresses back on the network. |
clear denied-attackers command
|
|
This engine inspects HTTP web traffic and enforces FTP
commands. |
The Application Inspection and Control (AIC)
|
|
If traffic is web traffic, but not
received on the AIC web ports, this engine is executed. AIC inspection can be on any port if it is configured as an AIC web port and the traffic to be inspected is HTTP traffic |
Service HTTP
|
|
This engine is used for FTP command authorization and enforcement
|
AIC engine
|
|
How do you effectively disable the event action override for a deny-packet-inline - which is usually protected
|
You cannot delete the event action override for deny-packet-inline because it is protected. If you do not
want to use that override, set the override-item-status option to disabled for that entry. |
|
event action overrides are configured in this service submode
|
service event-action-rules rules0
Enter event action rules submode.
sensor# configure terminal
sensor(config)# service event-action-rules rules0
sensor(config-eve)# |
|
What is the result of the following commands on the Cisco IPS?
sensor(config-eve)# overrides deny-attacker-inline sensor(config-eve-ove)# |
Deny packets from the source IP address of the attacker
|
|
Enable or disable the use of this override item.
|
sensor(config-eve-ove)# override-item-status {enabled | disabled}
|
|
Do not transmit the single packet causing the alert (event action override).
|
sensor(config-eve)# overrides deny-packet-inline
sensor(config-eve-ove)# |
|
Do not transmit packets on the specified TCP connection.
|
sensor(config-eve)# overrides deny-connection-inline
sensor(config-eve-ove)# |
|
Send TCP RST packets to terminate the connection.
|
sensor(config-eve)# overrides reset-tcp-connection
sensor(config-eve-ove)# |
|
Request a block of the connection.
|
sensor(config-eve)# overrides request-block-connection
sensor(config-eve-ove)# |
|
Log packets from both the attacker and victim IP addresses.
|
sensor(config-eve)# overrides log-pair-packets
sensor(config-eve-ove)# |
|
Configure the risk rating for this override item.
|
sensor(config-eve-ove)# risk-rating-range 85-100
|
|
Edit the risk rating of an event action override.
|
sensor(config-eve)# overrides deny-attacker-inline
sensor(config-eve-ove)# risk-rating 95-100 |
|
To delete the event action override:
|
sensor(config-eve)# no overrides deny-attacker-inline
sensor(config-eve-ove)# |
|
In which service submode are event action filters configured?
|
Use service event action rules submode to set up event action filters.
|
|
To create the event action filter name:
|
sensor(config-eve)# filters insert name1 begin
|
|
IPS commands to move an event action filter to the inactive list:
|
sensor(config-eve)# filters move name1 inactive
|
|
Run this command to initialize the Cisco IPS sensor
|
Run the setup command to initialize the sensor.
|
|
This IPS user role has unrestricted
view access and can perform the following functions: – Modify their passwords – Tune signatures – Manage routers – Assign configuration to a virtual sensor |
Operators
Operators can: – Modify their passwords – Tune signatures – Manage routers |
|
This user role can view configuration and event data and can modify their passwords
|
Viewers user role
|
|
Use this command to disable the cisco account on an IPS
|
no password cisco command, but you cannot remove the account, only disable it
|
|
needs question
|
service-module ids-sensor slot/port session command
|
|
To reboot the IPS appliance, enter this command -
|
sensor# reset
Warning: Executing this command will stop all applications and reboot the node. Continue with reset? []: |
|
To view your Cisco IPS configuration, enter this command.
|
View your configuration.
sensor# show configuration |
|
Use these commands to change the sensor IP address, netmask, and default gateway.
|
Change the sensor IP address, netmask, and default gateway.
sensor(config-hos-net)# host-ip 10.89.146.110/24,10.89.146.254 |
|
To add an entry to the host access-list, use this command
|
sensor(config-hos-net)# access-list 10.89.146.110/32
|
|
IPS access-list modifications are done under this submode
|
host then network settings
|
|
IPS IP address and default gateway changes are done under this submode
|
host then network settings
|
|
Use this command to see what users are enabled on the IPS
|
sensor# show users all
    CLI ID   User       Privilege
*   13491    cisco      administrator
             jsmith     operator
             jtaylor    service
             jroberts   viewer
sensor#
A list of users is displayed. |
|
IPS password policies are modified in this submode
|
sensor(config-aut-pas)#
authentication > password-strength |
|
Setting the number of attempts users will have to log in to accounts is done under this submode.
|
sensor(config-aut)# attemptLimit 3
|
|
For local accounts on the IPS, you can reset the password or use this command to unlock the account.
|
unlock user USERNAME
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_setup.html#wp1250248 |
|
On the Cisco IPS, Virtual sensors are added in this service submode
|
service analysis mode.
sensor(config-ana)# virtual-sensor vs1 |
|
Event action filters are modified under this service submode
|
sensor(config-ana-vir)# event-action-rules rules1
sensor(config)# service analysis-engine |
|
To change the inline interface pairs assigned to a virtual sensor, enter this command
|
sensor(config-ana-vir)# logical-interface inline_interface_pair_name
|
|
Global IPS parameters are modified under this submode
|
Use the global-parameters command in service analysis engine submode to create global variables.
sensor(config-ana)# global-parameters
sensor(config-ana-glo)# ip-logging |