18-3
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 18 ASA IPS Module
Information About the ASA IPS Module
packet that you identify for inspection is analyzed before being allowed through. Also, the ASA IPS
module can implement a blocking policy on a packet-by-packet basis. This mode, however, can
affect throughput.
• Promiscuous mode—This mode sends a duplicate stream of traffic to the ASA IPS module. This
mode is less secure, but has little impact on traffic throughput. Unlike inline mode, in promiscuous
mode the ASA IPS module can only block traffic by instructing the ASA to shun the traffic or by
resetting a connection on the ASA. Also, while the ASA IPS module is analyzing the traffic, a small
amount of traffic might pass through the ASA before the ASA IPS module can shun it.
Figure 18-2 shows the ASA IPS module in promiscuous mode. In this example, the ASA IPS module sends a
shun message to the ASA for traffic it identified as a threat.
Figure 18-2 ASA IPS module Traffic Flow in the ASA: Promiscuous Mode
Using Virtual Sensors
The ASA IPS module running IPS software Version 6.0 and later can run multiple virtual sensors, which
means you can configure multiple security policies on the ASA IPS module. You can assign each ASA
security context or single mode ASA to one or more virtual sensors, or you can assign multiple security
contexts to the same virtual sensor. See the IPS documentation for more information about virtual
sensors, including the maximum number of sensors supported.
shows one security context paired with one virtual sensor (in inline mode), while two
security contexts share the same virtual sensor.
[Figure 18-2 diagram labels: ASA, Main System, inside, outside, IPS, IPS inspection, VPN Decryption, Firewall Policy, Shun message, Copied Traffic]
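Added example, not taken from this page of the Cisco guide: an ASA service policy that chooses inline or promiscuous mode for a traffic class and names the virtual sensor, plus the system-space command that allocates a sensor to a security context. The names contextA, vs1, IPS_TRAFFIC, IPS_CLASS, IPS_POLICY and the interface outside are assumptions, and the fail-close/fail-open keyword is part of the ASA ips command rather than something this page discusses.

```text
! Constructed example; all object names are placeholders.
! System execution space (multiple context mode): make virtual sensor vs1
! available to context contextA and mark it as that context's default sensor.
context contextA
 allocate-ips vs1 default

! Inside the context (or on a single mode ASA): select traffic for the module.
access-list IPS_TRAFFIC extended permit ip any any
class-map IPS_CLASS
 match access-list IPS_TRAFFIC

policy-map IPS_POLICY
 class IPS_CLASS
  ! Inline: each matched packet is analyzed before it is allowed through.
  ! fail-close drops matched traffic if the module is unavailable.
  ips inline fail-close sensor vs1
  ! Promiscuous alternative (duplicate stream, blocking only by shun or reset):
  !  ips promiscuous fail-open sensor vs1

service-policy IPS_POLICY interface outside
```

Only one ips command applies per class, so the promiscuous line is left commented out as the alternative to compare against.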