Cisco ASA Series Firewall CLI Configuration Guide, 18-16
Chapter 18 ASA IPS Module
Configuring the ASA IPS module
Detailed Steps

Step 1
Command: class-map name
Example:
hostname(config)# class-map ips_class
Purpose: Creates a class map to identify the traffic that you want to send to the ASA IPS module. If you want to send multiple traffic classes to the ASA IPS module, you can create multiple class maps for use in the security policy.

Step 2
Command: match parameter
Example:
hostname(config-cmap)# match access-list ips_traffic
Purpose: Specifies the traffic in the class map. See for more information.

Step 3
Command: policy-map name
Example:
hostname(config)# policy-map ips_policy
Purpose: Adds or edits a policy map that sets the actions to take with the class map traffic.

Step 4
Command: class name
Example:
hostname(config-pmap)# class ips_class
Purpose: Identifies the class map you created in

Step 5
Command: ips {inline | promiscuous} {fail-close | fail-open} [sensor {sensor_name | mapped_name}]
Example:
hostname(config-pmap-c)# ips promiscuous fail-close
Purpose: Specifies that the traffic should be sent to the ASA IPS module.
The inline and promiscuous keywords control the operating mode of the ASA IPS module. See for more details.
The fail-close keyword sets the ASA to block all traffic if the ASA IPS module is unavailable.
The fail-open keyword sets the ASA to allow all traffic through, uninspected, if the ASA IPS module is unavailable.
If you use virtual sensors, you can specify a sensor name using the sensor sensor_name argument. To see available sensor names, enter the ips {inline | promiscuous} {fail-close | fail-open} sensor ? command. Available sensors are listed. You can also use the show ips command. If you use multiple context mode on the ASA, you can only specify sensors that you assigned to the context (see Assigning Virtual Sensors to a Security Context, ). Use the mapped_name if configured in the context.
If you do not specify a sensor name, then the traffic uses the default sensor. In multiple context mode, you can specify a default sensor for the context. In single mode, or if you do not specify a default sensor in multiple mode, the traffic uses the default sensor that is set on the ASA IPS module. If you enter a name that does not yet exist on the ASA IPS module, you get an error, and the command is rejected.
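The five steps above, carried through as one complete ASA CLI session. This is an added example, not a configuration from the guide: the access-list and service-policy commands that bracket the five steps, the sensor name vs0, and the choice of inline plus fail-close are assumptions made here for illustration.

```cisco
! Added example (not from the guide): send all IP traffic through the
! ASA IPS module in inline mode, referencing a virtual sensor.
! Assumptions: the ACL name ips_traffic and its contents, the sensor
! name vs0, and global application of the policy.
!
! Define the traffic to inspect (here: all IP traffic).
hostname(config)# access-list ips_traffic extended permit ip any any
!
! Steps 1 and 2: class map that matches the ACL.
hostname(config)# class-map ips_class
hostname(config-cmap)# match access-list ips_traffic
hostname(config-cmap)# exit
!
! Confirm the sensor name before referencing it; a name that does not
! exist on the module causes the ips command to be rejected.
hostname(config)# show ips
!
! Steps 3 to 5: policy map. inline lets the module drop traffic;
! fail-close blocks traffic instead of passing it uninspected when the
! module is unavailable.
hostname(config)# policy-map ips_policy
hostname(config-pmap)# class ips_class
hostname(config-pmap-c)# ips inline fail-close sensor vs0
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
!
! Weaker alternative, shown for comparison only: promiscuous mode
! sends a copy of the traffic to the module (the module cannot drop
! packets), and fail-open passes traffic uninspected if the module
! goes down.
!   hostname(config-pmap-c)# ips promiscuous fail-open
!
! Apply the policy so the class map takes effect (global here; it can
! also be applied to a single interface).
hostname(config)# service-policy ips_policy global
```

The inline/fail-close pairing trades availability for inspection coverage: if the module fails, matching traffic stops flowing rather than bypassing the sensor. fail-open is the choice when uptime matters more than guaranteed inspection, and it should be paired with monitoring of module health so an uninspected window is noticed.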