Message 1 of 4 (Level 10)

Baseline inline IPS

Hey Everyone,

I am currently just trying to determine the best way to baseline the NSP while using it as an inline IPS. The desired outcome is to be able to baseline an inline IPS policy, but have blocking disabled globally, so that the actions are recorded but no blocking actually occurs until set to "Blocking" mode after a soak and configuration period.

Other products I have experience with have the option to utilize an IPS policy (with blocking enabled on signatures) but put it in a learning mode globally so that the blocks do not apply (however, in the logs it will show that it would have been blocked if enabled).

I have only found a learning mode for the DOS portion of the NSP.

So far with the McAfee device I have only found the following way to semi-accomplish this behaviour:

1 - Create two duplicate policies, disable the blocking actions on one. Use this policy for your baseline period to ensure the IPS does not negatively impact the environment. Mirror any changes to this policy with the other duplicate that has blocking enabled. Once the baseline has been completed then switch over to the policy with blocking enabled. This would not be my ideal solution.

Is there a better way to accomplish this outcome?

Thanks,

Pete

1 Solution (accepted): Message 3 of 4, below.

3 Replies

Message 2 of 4 (McAfee Employee)

Re: Baseline inline IPS

Hi Pete,

You can do as you say, or else apply the default inline IDS policy, which won't block anything, and then move to the default inline IPS.

Another solution would be either to use the sensors in TAP mode with a default inline IPS policy, where the attacks would be blocked but the traffic won't be affected as you are using taps, or to use the sensors in SPAN mode with a default inline IPS policy; once you are happy with the configuration of the policies, move the sensors to inline mode.

HTH.

David

Message 3 of 4 (McAfee Employee, accepted solution)

Re: Baseline inline IPS

Also on version 7 you have the command 'set ipssimulation (enable/disable)', which allows you to put the sensor in simulation mode, so you could use a default inline IPS policy in simulation mode where nothing would be blocked either.

Message 4 of 4 (Level 10)

Re: Baseline inline IPS

This is definitely what I was looking for. This way you can see simulated blocks and tune accordingly before moving to full IPS. Thanks!
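One way to work through the simulation-mode output during the tuning pass described in this thread, as an added example that is not part of the thread and not McAfee NSP code. It assumes the sensor's alerts from the simulation period have been exported into a simple pipe-separated text form; that format, the signature names, the IP addresses and the "sim-block"/"alert" action values are all constructed for the example, so the real export has to be mapped onto them first. It answers the two questions a tuning pass needs before blocking is switched on: which signatures would have blocked the most traffic, and which sources tripped many different signatures (an authorised scanner that needs an exception, or a host that needs investigating).

```python
"""Triage of an IPS simulation (baseline) period.

Added illustration, not McAfee NSP code. The export format, signature names,
addresses and the "sim-block"/"alert" action values below are constructed
assumptions; map the sensor's real alert export onto them before use.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Alert:
    ts: str
    signature: str
    src: str
    dst: str
    action: str  # constructed values: "sim-block" (would have blocked) or "alert"


# Constructed sample export covering a few minutes of a baseline window.
SAMPLE_EXPORT = """\
2011-05-02T09:00:01 | HTTP: Directory Traversal | 10.10.5.20 | 10.20.1.8 | sim-block
2011-05-02T09:00:04 | HTTP: Directory Traversal | 10.10.5.20 | 10.20.1.9 | sim-block
2011-05-02T09:01:10 | SMB: Null Session | 10.10.5.20 | 10.20.1.8 | sim-block
2011-05-02T09:02:33 | SMB: Null Session | 10.10.7.41 | 10.20.1.8 | sim-block
2011-05-02T09:05:00 | DNS: Long Label | 10.10.9.2 | 10.20.1.53 | alert
2011-05-02T09:06:12 | HTTP: Directory Traversal | 10.10.5.20 | 10.20.1.10 | sim-block
2011-05-02T09:07:45 | SSH: Brute Force | 203.0.113.7 | 10.20.1.22 | sim-block
"""


def parse_line(line: str) -> Alert:
    """Parse one pipe-separated record of the constructed export format."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    ts, sig, src, dst, action = fields
    if action not in ("sim-block", "alert"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    return Alert(ts, sig, src, dst, action)


def load_export(text: str) -> List[Alert]:
    """Parse every non-blank line of an export."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(alerts: Iterable[Alert]) -> Dict[str, dict]:
    """Per signature: hits that would have been blocked, distinct sources behind
    them, and the share of those hits coming from the single busiest source."""
    by_sig = defaultdict(list)
    for a in alerts:
        by_sig[a.signature].append(a)
    report = {}
    for sig, items in by_sig.items():
        blocked = [a for a in items if a.action == "sim-block"]
        srcs = Counter(a.src for a in blocked)
        top_share = srcs.most_common(1)[0][1] / len(blocked) if blocked else 0.0
        report[sig] = {
            "would_block": len(blocked),
            "distinct_src": len(srcs),
            "top_src_share": round(top_share, 2),
        }
    return report


def review_order(report: Dict[str, dict]) -> List[str]:
    """Signatures ordered by how much traffic they would have blocked: the
    top of this list is what gets reviewed first before blocking is enabled."""
    return sorted(report, key=lambda s: (-report[s]["would_block"], s))


def noisy_sources(alerts: Iterable[Alert], min_signatures: int = 2) -> List[Tuple[str, int]]:
    """Sources whose traffic would have been blocked under several different
    signatures, busiest first. Settle each one (exception or investigation)
    before the policy leaves simulation mode."""
    sigs_by_src = defaultdict(set)
    for a in alerts:
        if a.action == "sim-block":
            sigs_by_src[a.src].add(a.signature)
    hits = [(src, len(sigs)) for src, sigs in sigs_by_src.items() if len(sigs) >= min_signatures]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    alerts = load_export(SAMPLE_EXPORT)
    report = summarize(alerts)
    for sig in review_order(report):
        r = report[sig]
        print(f"{r['would_block']:>3} would-block  {r['distinct_src']:>2} sources  "
              f"top source {r['top_src_share']:.0%}  {sig}")
    for src, n in noisy_sources(alerts):
        print(f"source {src} tripped {n} distinct signatures")
```

A signature with many would-block hits from a single source is usually one host to deal with (an exception for a scanner, or an incident ticket), while the same count spread across many sources is a signature to re-examine before it is allowed to block. Run the summary again after each policy change while the sensor is still in simulation mode, and only switch to blocking once the top of the review list contains nothing you would not want blocked.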
