There are several ways to test the various steps that allow ThreatSTOP to give you automated IP protection.
There are 5 specific functions that can be tested to make sure that the ThreatSTOP solution is working properly:
- Does the management VM pull IPs from our database
- Are the IPs applied to firewall rules
- Do the blocked IPs get logged
- Can the logs be uploaded to our database
- Can 1-4 be done automatically
1. Does the management VM pull IPs from our database?
During the install the ./ts-asa.pl script is run, which pulls the IP addresses for your policy. A correct run shows no errors. The important output lines are as follows:
You have now verified that the management VM can contact our servers and pull your selected policy.
2. Are the IPs applied to firewall rules?
Further down in the initial run of the ./ts-asa.pl script, the VM adds the IPs to the threatstop-block and threatstop-allow object groups. A correct output will look like:
You can also verify from your Cisco ASA via the CLI by typing the command
ciscoasa# show object-group id threatstop-block
The output will look similar to
You can also verify from an ASDM connection by going to Firewall >> Access Rules and hovering over a threatstop-block or threatstop-allow source, which will pull up a limited list of IPs in that object group.
Take note of one of the IP addresses in the threatstop-block object group for the next step. You have now verified that the IPs are being added to the firewall rules.
3. Do the blocked IPs get logged?
Either place the IP from the threatstop-block object group in a web browser or attempt to ping the IP. (If you are using a Windows CMD prompt, use the -t option so the ping runs indefinitely.)
From a PuTTY connection to the management VM, enter
tail -f /var/log/remotes.log
You should see the file log the attempts with the output looking similar to
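As an added example (not part of the original article or ThreatSTOP's own tooling), the following Python script automates the checks in steps 2 and 3: it parses the `show object-group id threatstop-block` output, then scans lines from /var/log/remotes.log for ASA deny messages whose destination falls inside the block list. The sample object-group output and log lines are constructed, and the ASA `%ASA-4-106023` deny message layout is assumed.

```python
import re
import ipaddress

# Constructed sample of `show object-group id threatstop-block` output (ASA syntax assumed).
OBJECT_GROUP_OUTPUT = """\
object-group network threatstop-block
 network-object host 198.51.100.23
 network-object 203.0.113.0 255.255.255.0
"""

# Constructed sample of /var/log/remotes.log lines; the %ASA-4-106023 deny format is assumed.
REMOTES_LOG = """\
Jan 10 12:00:01 10.0.0.1 %ASA-4-106023: Deny icmp src inside:10.0.0.50 dst outside:198.51.100.23 (type 8, code 0) by access-group "inside_access_in"
Jan 10 12:00:02 10.0.0.1 %ASA-4-106023: Deny tcp src inside:10.0.0.50/51234 dst outside:203.0.113.7/80 by access-group "inside_access_in"
Jan 10 12:00:03 10.0.0.1 %ASA-6-302013: Built outbound TCP connection 12 for outside:93.184.216.34/443 (93.184.216.34/443)
"""

DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (\w+) src \S+:(\d+\.\d+\.\d+\.\d+)\S* dst \S+:(\d+\.\d+\.\d+\.\d+)"
)


def parse_object_group(text):
    """Return the networks listed in an ASA 'object-group network' block (step 2)."""
    nets = []
    for line in text.splitlines():
        host = re.match(r"\s*network-object host (\S+)$", line)
        if host:
            nets.append(ipaddress.ip_network(host.group(1)))  # single host -> /32
            continue
        subnet = re.match(r"\s*network-object (\S+) (\S+)$", line)
        if subnet:  # address + dotted mask
            nets.append(ipaddress.ip_network(f"{subnet.group(1)}/{subnet.group(2)}", strict=False))
    return nets


def blocked_hits(log_text, nets):
    """Return (proto, src, dst) for every deny whose destination is in the block list (step 3)."""
    hits = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and any(ipaddress.ip_address(m.group(3)) in n for n in nets):
            hits.append(m.groups())
    return hits


def verify_step3(noted_ip, log_text, nets):
    """True when the IP noted in step 2 is in the group and shows up as a denied destination."""
    in_group = any(ipaddress.ip_address(noted_ip) in n for n in nets)
    logged = any(dst == noted_ip for _, _, dst in blocked_hits(log_text, nets))
    return in_group and logged
```

In practice, replace the constructed strings with the real CLI output and a `tail` of remotes.log captured after the test ping from step 3.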
4. Can the logs be uploaded to our database?
5. Can 1-4 be done automatically?