Cisco Systems CL-28826-01 Security Camera User Manual


35-26
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 35 Getting Started with IPS Configuration
Configuring IPS Logging Policies
Posture ACL Dialog Box
Use the Add or Modify Posture ACL dialog box to configure posture ACLs for Management Center for
Security Agents. Posture ACLs are network addresses for which host postures are allowed or denied. Use
posture ACLs to filter postures that have IP addresses that might not be visible to the IPS or that might
be duplicated across the network.
Configure the following fields to define a posture ACL:
Network Address—Enter the IP address of a host or network, or the name of a network/host object
that specifies one. You can click Select to select the object from a list or to create a new object.
Action—Whether host postures will be permitted or denied from the hosts on the network address.
Navigation Path
From the External Product Interface dialog box (see External Product Interface Dialog Box, page 35-24),
click the Add Row (+) button underneath the Posture ACL table, or select a posture ACL and click the
Edit Row (pencil) button.
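The posture ACL filtering described above, sketched as an added example; it is not Cisco code and does not reproduce the sensor's implementation. It assumes entries are evaluated top to bottom with the first match deciding, and that a host matching no entry is permitted (`default_permit`); the function names and the sample posture records are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PostureAcl:
    network: object   # IPv4Network or IPv6Network built from the Network Address field
    permit: bool      # the Action field: True = permit, False = deny


def parse_acl(rows):
    """Build ACL entries from (network address, action) pairs as entered in the dialog."""
    acl = []
    for address, action in rows:
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        # strict=False also accepts a host address with a prefix, e.g. 10.1.1.5/24
        network = ipaddress.ip_network(address, strict=False)
        acl.append(PostureAcl(network, action == "permit"))
    return acl


def posture_allowed(acl, host_ip, default_permit=True):
    """First matching entry decides (assumption); otherwise fall back to the default."""
    ip = ipaddress.ip_address(host_ip)
    for entry in acl:
        if ip in entry.network:
            return entry.permit
    return default_permit


def filter_postures(acl, postures, default_permit=True):
    """Split posture records into those accepted and those dropped by the ACL."""
    accepted, dropped = [], []
    for posture in postures:
        ok = posture_allowed(acl, posture["ip"], default_permit)
        (accepted if ok else dropped).append(posture)
    return accepted, dropped


# Constructed sample data: a narrow permit placed ahead of a broader deny.
SAMPLE_ACL = parse_acl([
    ("10.20.30.0/28", "permit"),   # management hosts the IPS can see directly
    ("10.20.30.0/24", "deny"),     # range that is duplicated elsewhere on the network
    ("192.168.1.77", "deny"),      # single host, parsed as a /32
])
SAMPLE_POSTURES = [
    {"ip": "10.20.30.5", "os": "Windows"},
    {"ip": "10.20.30.200", "os": "Windows"},
    {"ip": "192.168.1.77", "os": "Linux"},
    {"ip": "172.16.0.9", "os": "Linux"},
]
```

Entry order matters under the first-match assumption: with the /24 deny listed before the /28 permit, the host 10.20.30.5 would be dropped as well.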
Configuring IPS Logging Policies
Use the IPS platform Logging policy to configure traffic flow notifications and Analysis Engine global
variables. These settings apply to the general operation of the IPS sensor.
Traffic flow notifications concern the flow of traffic across the interfaces of a sensor. You can
configure the sensor to monitor the flow of packets across an interface and send a notification if that flow
changes (starts and stops) during a specified interval. You can configure the missed packet threshold
within a specific notification interval and also configure the interface idle delay before a status event is
reported.
The Analysis Engine performs packet analysis and alert detection. It monitors traffic that flows through
specified interfaces. For the Analysis Engine, there is only one global variable: Maximum Open IP Log
Files.
Navigation Path
(Device view) Select Platform > Logging from the Policy selector.
(Policy view) Select IPS > Platform > Logging, then select an existing policy or create a new one.
Table 35-6 External Product Interface Dialog Box (Continued)

| Element | Description |
| --- | --- |
| Enable receipt of watch listed addresses | Whether to allow the receipt of the watch list information from CSA MC. The watch list information received from a CSA MC is deleted if you disable this option. |
| Manual Watch List RR Increase | The percentage of the manual watch list risk rating (RR). The default is 25, and the valid range is 0 to 35. |
| Session-based Watch List RR Increase | The percentage of the session-based watch list risk rating. The default is 25, and the valid range is 0 to 35. |
| Packet-based Watch List RR Increase | The percentage of the packet-based watch list risk rating. The default is 10, and the valid range is 0 to 35. |