Cisco Cisco IPS 4520 Sensor White Paper

Intrusion Prevention
August 2012 Series
Step 6:  In the Edit Virtual Sensor dialog box, for GigabitEthernet0/1, select the Assigned box, and then click OK.
Step 7:  Click Apply.
Procedure 6  Modify the inline security policy
(Optional)
If you opted to run inline mode on an IPS device, the sensor is configured to drop high-risk traffic. By default, this means that if an alert fires with a risk rating of at least 90 or if the traffic comes from an IP address with a negative reputation that raises the risk rating to 90 or higher, the sensor drops the traffic. If the risk rating is raised to 100 because of the source address reputation score, then the sensor drops all traffic from that IP address.
The chance of the IPS dropping traffic that is not malicious when using a risk threshold of 90 is very low. However, if you want to adopt a more conservative policy, raise the risk threshold value to 100.
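The drop behavior described above, as an added example that is not part of the original guide: a simplified Python model that replays the same alerts under a threshold of 90 and of 100 to show which traffic the change stops dropping. The names `Alert`, `rep_boost` and `evaluate` are hypothetical, the additive reputation adjustment is an assumption, and the alerts are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    src: str        # source IP of the traffic that fired the alert
    base_rr: int    # risk rating before reputation is considered (0-100)
    rep_boost: int  # assumed increase from a negative source reputation

def evaluate(alerts, threshold=90):
    """Replay alerts in order; return (actions, sources fully denied)."""
    denied = set()
    actions = []
    for a in alerts:
        rr = min(100, a.base_rr + a.rep_boost)
        if a.src in denied:
            # All later traffic from a denied source is dropped.
            actions.append("drop (source denied)")
        elif rr == 100 and a.base_rr < 100 and a.rep_boost > 0:
            # Rating reached 100 only because of source reputation.
            denied.add(a.src)
            actions.append("drop + deny source")
        elif rr >= threshold:
            actions.append("drop packet")
        else:
            actions.append("pass")
    return actions, denied

# Constructed alerts using documentation address ranges.
SAMPLE = [
    Alert("192.0.2.10", 95, 0),    # high rating, no reputation hit
    Alert("198.51.100.7", 85, 7),  # reputation lifts 85 to 92
    Alert("203.0.113.5", 92, 10),  # reputation lifts rating to 100
    Alert("203.0.113.5", 30, 0),   # later low-risk traffic, same source
    Alert("192.0.2.44", 100, 0),   # rating of 100 without reputation
    Alert("192.0.2.10", 60, 0),    # below either threshold
]

if __name__ == "__main__":
    for t in (90, 100):
        acts, denied = evaluate(SAMPLE, t)
        print(f"threshold {t}: denied sources = {sorted(denied)}")
        for a, act in zip(SAMPLE, acts):
            print(f"  {a.src:<14} base={a.base_rr:<3} boost={a.rep_boost:<2} {act}")
```

In this model, raising the threshold to 100 lets the 95 and 92 rated alerts pass, while the reputation-driven source deny and the alert rated 100 are unaffected.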
Step 1:  Navigate to Configuration > IPS > Policies > IPS Policies (when using ASDM to configure an IPS module).
Step 2:  In the Virtual Sensor panel, right-click the vs0 entry, and then select Edit.
Step 3:  In the Event Action Rule work pane, click Deny Packet Inline Override, and then click Delete.
Step 4:  In the Event Action Rule work pane, click Add.