Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 41 Configuring Global Correlation
Configuring Global Correlation Inspection and Reputation
Tip: When you view IPS events in Event Viewer, there are several columns specific to global correlation that
you can add to the event table; these columns are not shown by default, so you must add them to your
view. To monitor global correlation in general, use the IPS device manager (IDM) and look at the Sensor
Health gadget. Use either the full IDM or open a read-only copy from Security Manager by right-clicking
the device in Device view and selecting Device Manager.
Before You Begin
- You must also configure a DNS server or HTTP proxy for global correlation to function. For details,
  see Identifying DNS Servers, page 35-22 or Identifying an HTTP Proxy Server, page 35-23.
- There are several configuration requirements and limitations that you should be aware of before
  configuring global correlation. For details, see Global Correlation Requirements and Limitations,
  page 41-4.
Related Topics
- Understanding Global Correlation, page 41-1
- Understanding Reputation, page 41-2
- Configuring Network Participation, page 41-7
Step 1 Do one of the following to open the Inspection/Reputation policy:
- (Device view) Select IPS > Global Correlation > Inspection/Reputation from the Policy selector.
- (Policy view) Select IPS > Global Correlation > Inspection/Reputation from the Policy Type
  selector. Select an existing policy or create a new one.
Step 2 Configure the following settings:
- Global Correlation Inspection—Whether to enable global correlation inspection. When turned on,
  the sensor uses updates from the SensorBase Network to adjust the risk rating. Deselect this option
  to disable inspection.
- Global Correlation Influence—How aggressively the sensor uses global correlation information
  to initiate deny actions. Select one of the following:
    - Permissive—Has the least aggressive effect on deny actions.
    - Standard—(The default.) Has a moderately aggressive effect on deny actions.
    - Aggressive—Has a very aggressive effect on deny actions.
- Reputation Filtering—Select whether you want reputation filtering on or off. When turned on, the
  sensor denies access to malicious hosts that are listed in the global correlation database.
- Test Global Correlation—Whether to place global correlation in audit mode. In audit mode,
  reputation filtering does not deny access to known malicious hosts; only a report of what could have
  happened is generated.
  Audit mode allows you to test the global correlation features without actually denying any hosts. If
  you decide the effects are desirable, you can deselect this option to activate reputation filtering.