Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 42 Configuring Attack Response Controller for Blocking and Rate Limiting
Blocking Page
Navigation Path
- (Device view) Select Platform > Security > Blocking from the Policy selector. If necessary, select the General tab.
- (Policy view) Select IPS > Platform > Security > Blocking, then select an existing policy or create a new one. If necessary, select the General tab.
Related Topic
Understanding IPS Blocking, page 42-1
Configuring IPS Blocking and Rate Limiting, page 42-7
Blocking Page, page 42-8
Field Reference
Table 42-2 General Tab, IPS Blocking Policy

Element: Log All Block Events and Errors
Description: Whether to log events that follow blocks from start to finish and any error messages that occur. When a block is added to or removed from a device, an event is logged. You may not want all these events and errors to be logged. Disabling this option suppresses new events and errors. The default is enabled.
Note: Log all block events and errors also applies to rate limiting.

Element: Enable NVRAM Write
Description: Whether to have the router write to non-volatile RAM (NVRAM) when Attack Response Controller (ARC) first connects. If enabled, NVRAM is written each time the ACLs are updated. The default is disabled.
Enabling NVRAM writing ensures that all changes for blocking and rate limiting are written to NVRAM. If the router is rebooted, the correct blocks and rate limits will still be active. If NVRAM writing is disabled, a short time without blocking or rate limiting occurs after a router reboot. Not enabling NVRAM writing increases the life of the NVRAM and decreases the time for new blocks and rate limits to be configured.

Element: Enable ACL Logging
Description: Whether to have ARC append the log parameter to block entries in the access control list (ACL) or VLAN ACL (VACL). This causes the device to generate syslog events when packets are filtered. This option applies to routers and switches only. The default is disabled.

Element: Allow Sensor IP address to be Blocked
Description: Whether the sensor IP address can be blocked. The default is disabled.
Tip: If you allow the sensor address to be blocked, the IPS does not add an explicit permit entry to the interface ACL to allow the IPS address. You must ensure that the IPS address is permitted by the device ACL or the IPS cannot implement blocking on the device.

Element: Enable Blocking
Description: Whether to enable the blocking and rate limiting of hosts. The default is enabled.
Note: When you enable blocking, you also enable rate limiting. When you disable blocking, you also disable rate limiting. This means that ARC cannot add new or remove existing blocks or rate limits.
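
The Tip for Allow Sensor IP address to be Blocked comes down to first-match ACL evaluation, so the following added example (not part of the Cisco guide) checks whether a device ACL still permits the sensor. The ACL text, the addresses and the function names are constructed for illustration, and only simplified "permit|deny ip <src> <dst> [log]" entries are supported.

```python
import ipaddress

SENSOR, DEVICE = "192.0.2.10", "192.0.2.1"  # constructed addresses

# Constructed ACLs in simplified IOS extended-ACL syntax (not ARC output).
ACL_WITH_PERMIT = """
permit ip host 192.0.2.10 any
deny ip host 203.0.113.50 any log
permit ip any any
"""
ACL_WITHOUT_PERMIT = """
deny ip 192.0.2.0 0.0.0.255 any log
permit ip any any
"""

def _parse_addr(tokens):
    """Consume one address spec and return (base, wildcard) as integers."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _matches(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def first_match(acl_text, src, dst):
    """Return (action, entry) for the first entry matching src -> dst."""
    for raw in acl_text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "remark":
            continue
        if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported entry: {raw.strip()}")
        rest = tokens[2:]
        src_spec, dst_spec = _parse_addr(rest), _parse_addr(rest)
        if rest not in ([], ["log"]):
            raise ValueError(f"unsupported qualifier: {raw.strip()}")
        if _matches(src_spec, src) and _matches(dst_spec, dst):
            return tokens[0], raw.strip()
    return "deny", "(implicit deny)"  # every ACL ends with an implicit deny

if __name__ == "__main__":
    for name, acl in (("with permit", ACL_WITH_PERMIT), ("without permit", ACL_WITHOUT_PERMIT)):
        print(name, "->", first_match(acl, SENSOR, DEVICE))
```

In the second constructed ACL a block entry covering the sensor's subnet matches before the final permit, which is the situation the Tip describes: without an earlier permit for the sensor, the sensor can no longer reach the device to manage blocks.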