Determining the Status of the Managed Device and Blocked Addresses
We have determined our specific needs for signature selections, picked our blocking devices (less our critical hosts), and established our master blocking sensors. We now need to see what is happening on our network with regard to IP blocking. This is, in fact, one of the most important elements of IP blocking. It probably wouldn't be very beneficial to utilize IP blocking and not monitor its usage and the threats our network has been, or is being, protected from. We will use the Cisco Secure Policy Manager Event Viewer for monitoring our managed devices and blocked addresses. The CSPM Event Viewer is covered in more depth later in the book.
Using the CSPM, we need to perform the following steps:
- Select Tools | View Sensor Events | Database to open the Event Viewer – Database Events. The CSPM Event Viewer can be seen in Figure 8.11.
Figure 8.11: The Cisco Secure Policy Manager Event Viewer
- Select View | Connection Status Pane, which gives us a cleaner view of the information we want by listing the reporting sensors in the left pane of the window.
- Select a sensor to view its current blocking information in the right pane. An example of this can be seen in Figure 8.12.
Figure 8.12: Event Viewer – Connection Status Pane
- Choose View | Block List… to view a list of currently blocked IPs and the block time remaining for each. The window is actually titled the Shun List. This list has all the currently blocked IP addresses for the sensor currently selected. Next to each IP address is the time, in seconds, left for that address to be blocked.
Another way to monitor blocked addresses is to log on to a specific blocking device and check the ACL manually with a show access-list command. This may be a good choice if no CSPM access is available or when working on a specific issue.
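
When the manual check has to be repeated across several blocking devices, the deny entries can be pulled out of saved show access-list output with a short script. The following is an added example, not part of the original text: the sample output, ACL numbers, addresses and counters are constructed, and it assumes blocks appear as "deny ip host <address> any" lines in extended ACLs (with or without sequence numbers).

```python
import re

# Constructed sample of `show access-list` output from a blocking device.
# The ACL numbers, addresses and hit counters are made up for illustration.
SAMPLE_OUTPUT = """\
Extended IP access list 199
    10 permit ip host 10.1.1.5 any
    20 deny ip host 192.0.2.45 any (12 matches)
    30 deny ip host 198.51.100.7 any
    40 permit ip any any (1043 matches)
Extended IP access list 101
    permit tcp any host 10.1.1.20 eq www (88 matches)
    deny ip host 203.0.113.9 any (3 matches)
"""

HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# Optional sequence number, "deny ip host <addr> any", optional hit counter.
DENY_HOST = re.compile(
    r"^\s+(?:\d+\s+)?deny\s+ip\s+host\s+(\d{1,3}(?:\.\d{1,3}){3})\s+any"
    r"(?:\s+\((\d+) match(?:es)?\))?"
)


def blocked_hosts(show_output):
    """Return {acl_name: [(ip, match_count), ...]} for host deny entries."""
    result = {}
    current = None
    for line in show_output.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            result[current] = []
            continue
        entry = DENY_HOST.match(line)
        if entry and current is not None:
            # An entry with no counter shown has not matched any packets yet.
            hits = int(entry.group(2)) if entry.group(2) else 0
            result[current].append((entry.group(1), hits))
    return result


if __name__ == "__main__":
    for acl, entries in blocked_hosts(SAMPLE_OUTPUT).items():
        for ip, hits in entries:
            print(f"ACL {acl}: {ip} blocked, {hits} packets matched")
```

The addresses it reports for a device can then be compared against the Shun List shown in the Event Viewer for the sensor that manages that device.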