Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 7.1
Getting Started
Downloads: This chapterpdf (PDF - 272.0 KB) | Feedback

Table of Contents

Getting Started


Participating in the SensorBase Network

Introducing the IDM

The IDM User Interface

IDM Home Window

System Requirements

Logging In to the IDM

Supported User Role

Logging In

IDM and Cookies

IDM and Certificates

Validating the CA

Licensing the Sensor

Understanding Licensing

Service Programs for IPS Products

Licensing Pane Field Definitions

Obtaining and Installing the License Key

Getting Started

This chapter describes the IDM and provides information for getting started using the IDM. It contains the following sections:


The IDM contains cryptographic features and is subject to United States and local country laws governing import, export, transfer, and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute, or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return the enclosed items immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at the following website:

If you require further assistance, contact us by sending e-mail to

Participating in the SensorBase Network

The Cisco IPS contains a security capability, Cisco Global Correlation, which uses the immense security intelligence that we have amassed over the years. At regular intervals, the Cisco IPS receives threat updates from the Cisco SensorBase Network, which contain detailed information about known threats on the Internet, including serial attackers, Botnet harvesters, Malware outbreaks, and dark nets. The IPS uses this information to filter out the worst attackers before they have a chance to attack critical assets. It then incorporates the global threat data in to its system to detect and prevent malicious activity even earlier.

If you agree to participate in the SensorBase Network, Cisco will collect aggregated statistics about traffic sent to your IPS. This includes summary data on the Cisco IPS network traffic properties and how this traffic was handled by the Cisco appliances. We do not collect the data content of traffic or other confidential business or personal information. All data is aggregated and sent by secure HTTP to the Cisco SensorBase Network servers in periodic intervals. All data shared with Cisco will be anonymous and treated as strictly confidential.

Table 1-1 shows how we use the data.


Table 1-1 Cisco Network Participation Data Use

Participation Level
Type of Data


Protocol attributes
(TCP maximum segment size and options string, for example)

Tracks potential threats and helps us to understand threat exposure.

Attack type
(signature fired and risk rating, for example)

Used to understand current attacks and attack severity.

Connecting IP address and port

Identifies attack source.

Summary IPS performance
(CPU utilization, memory usage, inline vs. promiscuous, for example)

Tracks product efficacy.


Victim IP address and port

Detects threat behavioral patterns.

When you enable Partial or Full Network Participation, the Network Participation Disclaimer appears. You must click Agree to participate. If you do not have a license installed, you receive a warning telling you that global correlation inspection and reputation filtering are disabled until the sensor is licensed. You can obtain a license at .

For More Information

Introducing the IDM

This section describes the IDM user interface and Home window, and contains the following topics:

The IDM User Interface

The IDM is a web-based, Java Web Start application that enables you to configure and manage your sensor. The web server for the IDM resides on the sensor. You can access it through Internet Explorer or Firefox web browsers.

The IDM user interface consists of the File, View, and Help menus. There are Home, Configuration, and Monitoring buttons. The Configuration, and Monitoring buttons open menus in the left-hand TOC pane with the configuration pane on the right. The following four buttons appear next to the Home, Configuration, and Monitoring buttons:

  • Back—Takes you to the pane you were previously on.
  • Forward—Takes you forward to the next pane you have been on.
  • Refresh—Loads the current configuration from the sensor.
  • Help—Opens the online help in a new window. The IDM contains hover-over help in addition to online help.

The navigation bar is a docking frame, which you can float or hide if you need more work space. To restore the navigation bar, click View > Navigation . To configure the sensor, choose Configuration and go through the menus in the left-hand pane. The IDM contains a Startup Wizard to aid you in configuring your sensor after you have initialized it. You can change setup settings by using the Startup Wizard. To configure monitoring, click Monitoring and go through the menus in the left-hand pane.

New configurations do not take effect until you click Apply on the pane you are configuring. Click Reset to discard current changes and return settings to their previous state for that pane.

IDM Home Window

The Home pane displays the most important information about a sensor, such as device information, licensing information, sensor health, and interface status. The IDM continuously sends control transactions to retrieve sensor status information at different snapshots and builds the corresponding graphs in the Home pane.

The Home pane provides information about the state of the sensor according to the gadgets that you choose to display. Each gadget displays the local host time. The gadgets contain the following information:

  • Sensor Information—Displays specific device information.
  • Sensor Health—Displays information about the overall health of the sensor and network.
  • Licensing—Displays information about the status of the license key, signature updates, and signature engine updates. The timestamp on the graph is the sensor local time at each snapshot.
  • Interface Status—Displays the details about the management and sensing interfaces.
  • Global Correlation Reports—Displays the alerts and the denied packets resulting from reputation data.
  • Global Correlation Health—Displays the configuration status of global correlation and network participation.
  • Network Security—Displays alert counts and average and maximum threat and risk ratings. The timestamp on the graph is the sensor local time at each snapshot.
  • Top Applications—Displays the top ten Layer 4 protocols the sensor has discovered.
  • CPU, Memory, & Load—Displays the sensor load, CPU, memory, and disk usage for the sensor.

Note In IDM 7.1.8 and later the CPU, Memory, & Load gadget has been renamed to Memory & Load. The CPU usage is no longer displayed.

By default, the IDM displays the Sensor Information, Sensor Health, Licensing, Interface Status, Top Applications, and CPU, Memory, & Load gadgets in the Home pane.

To display the available sensor gadgets, click Add Gadgets . You can drag and drop the gadgets on to a tab to display more sensor information. To create another tab in the Home pane to display more information, click Add Dashboard . Use the icons in the top-right corner to collapse, configure the display, or close the gadget.

The IDM constantly retrieves status information to keep the Home pane updated. By default the window is refreshed every 10 seconds. To refresh the pane manually, click File > Refresh .

For More Information

For more information on configuring dashboards and gadgets, see Chapter2, “Configuring Dashboards”

System Requirements

The IDM has the following system requirements:

  • Supported IPS versions

IPS 6.2

IPS 7.0

IPS 7.1

  • Supported Operating Systems

Windows Vista Business and Ultimate (32-bit only)

Windows XP Professional (32-bit only)

Windows 7 (32- and 64-bit)

Windows Server 2003

Windows Server 2008 (32- and 64-bit)

Red Hat Linux Desktop Version 4

Red Hat Enterprise Linux Server Version 4

  • Supported Java Plug-in

Java SE 6.0

  • Supported browsers

Internet Explorer 6.0 and 7.0

Firefox 2.0

  • Minimum hardware requirements

512 MB or more strongly recommended

Pentium, AMD Athlon, or equivalent running at 1 Ghz or higher

1024 x 768 resolution and 256 colors (minimum)

  • Supported Cisco IPS hardware platforms:

IPS 4240

IPS 4255

IPS 4260

IPS 4270-20

IPS 4345

IPS 4360

IPS 4510

IPS 4520

ASA 5500 AIP SSM-10

ASA 5500 AIP SSM-20

ASA 5500 AIP SSM-40






ASA 5585-X IPS SSP-10

ASA 5585-X IPS SSP-20

ASA 5585-X IPS SSP-40

ASA 5585-X IPS SSP-60

Note For a list of which sensor supports which IPS version, refer to the Release Notes for your IPS version at this URL:

Logging In to the IDM

Note The IDM is part of the sensor. You must use the setup command to initialize the sensor so that it can communicate with the IDM.

This section explains how to log in to the IDM and how the IDM uses cookies and certificates. It contains the following topics:

Supported User Role

The following user roles are supported:

  • Administrator
  • Operator
  • Viewer

Logging In

The IDM is a web-based, Java Web Start application that enables you to configure and manage your sensor. The web server for the IDM resides on the sensor. You can access it through Internet Explorer or Firefox web browsers.

Note The IDM is already installed on the sensor.

To log in to the IDM, follow these steps:

Step 1 Open a web browser and enter the sensor IP address. A Security Alert dialog box appears.


Note The default IP address is,, which you change to reflect your network environment when you initialize the sensor. When you change the web server port, you must specify the port in the URL address of your browser when you connect to the IDM in the format https://sensor_ip_address:port (for example,

Step 2 Click Yes to accept the security certificate. The Cisco IPS Device Manager Version window appears.

Step 3 To launch the IDM, click Run IDM . The JAVA loading message box appears, and then the Warning - Security dialog box appears.

Step 4 To verify the security certificate, check the Always trust content from this publisher check box, and click Yes . The JAVA Web Start progress dialog box appears, and then the IDM on ip_address dialog box appears.

Step 5 To create a shortcut for the IDM, click Yes . The Cisco IDM Launcher dialog box appears.

Note You must have JRE 1.5 (JAVA 5) installed to create shortcuts for the IDM. If you have JRE 1.6 (JAVA 6) installed, the shortcut is created automatically.

Step 6 To authenticate the IDM, enter your username and password, and click OK . Both the default username and password are cisco . You were prompted to change the password during sensor initialization. The IDM begins to load. If you change panes from Home to Configuration or Monitoring before the IDM has completed initialization, a Status dialog box appears with the following message:

Please wait while IDM is loading the current configuration from the sensor.

The main window of the IDM appears.

Note If you created a shortcut, you can launch the IDM by double-clicking the IDM shortcut icon. You can also close the The Cisco IPS Device Manager Version window. After you launch the IDM, it is not necessary for this window to remain open.


For More Information

IDM and Cookies

The IDM uses cookies to track sessions, which provide a consistent view. The IDM uses only session cookies (temporary), not stored cookies. Because the cookies are not stored locally, there is no conflict with your browser cookie policy. The cookies are handled by the IDM Java Start application rather than the browser.

IDM and Certificates

The Cisco IPS contains a web server that is running the IDM. Management stations connect to this web server. Blocking forwarding sensors also connect to the web server of the master blocking sensor. To provide security, this web server uses an encryption protocol known as TLS, which is closely related to SSL protocol. When you enter a URL into the web browser that starts with https:// ip_address , the web browser responds by using either TLS or SSL protocol to negotiate an encrypted session with the host.

Caution The web browser initially rejects the certificate presented by the IDM because it does not trust the certificate authority (CA).

Note The IDM is enabled by default to use TLS and SSL.We highly recommend that you use TLS and SSL.

The process of negotiating an encrypted session in TLS is called “handshaking,” because it involves a number of coordinated exchanges between client and server. The server sends its certificate to the client. The client performs the following three-part test on this certificate:

1. Is the issuer identified in the certificate trusted?

Every web browser ships with a list of trusted third-party CAs. If the issuer identified in the certificate is among the list of CAs trusted by your browser, the first test is passed.

2. Is the date within the range of dates during which the certificate is considered valid?

Each certificate contains a Validity field, which is a pair of dates. If the date falls within this range of dates, the second test is passed.

3. Does the common name of the subject identified in the certificate match the URL hostname?

The URL hostname is compared with the subject common name. If they match, the third test is passed.

When you direct your web browser to connect with the IDM, the certificate that is returned fails because the sensor issues its own certificate (the sensor is its own CA) and the sensor is not already in the list of CAs trusted by your browser.

When you receive an error message from your browser, you have three options:

  • Disconnect from the site immediately.
  • Accept the certificate for the remainder of the web browsing session.
  • Add the issuer identified in the certificate to the list of trusted CAs of the web browser and trust the certificate until it expires.

The most convenient option is to permanently trust the issuer. However, before you add the issuer, use out-of-band methods to examine the fingerprint of the certificate. This prevents you from being victimized by an attacker posing as a sensor. Confirm that the fingerprint of the certificate appearing in your web browser is the same as the one on your sensor.

Caution If you change the organization name or hostname of the sensor, a new certificate is generated the next time the sensor is rebooted. The next time your web browser connects to the IDM, you will receive the manual override dialog boxes. You must perform the certificate fingerprint validation again for Internet Explorer and Firefox.

Validating the CA

Use the following procedure to validate the CA for the web browsers. This example shows how to validate the CA for Internet Explorer, but you can also use it for validating the CA for Firefox.

To use Internet Explorer to validate the certificate fingerprint, follow these steps:

Step 1 Open a web browser and enter the sensor IP address to connect to the IDM. The Security Alert window appears.

https://sensor_ ip_address

Step 2 Click View Certificate . The Certificate Information window appears.

Step 3 Click the Details tab.

Step 4 Scroll down the list to find Thumbprint and select it. You can see the thumbprint in the text field.

Note Leave the Certificate window open.

Step 5 Connect to the sensor in one of the following ways:

    • Connect a terminal to the console port of the sensor.
    • Use a keyboard and monitor directly connected to the sensor.
    • Telnet to the sensor.
    • Connect through SSH.

Step 6 Display the TLS fingerprint:

sensor# show tls fingerprint
MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27

Step 7 Compare the SHA1 fingerprint with the value displayed in the open Certificate thumbprint text field. You have validated that the certificate that you are about to accept is authentic.

Caution If the fingerprints do not match, you need to determine why. Make sure you are connected to the correct IP address for the sensor. If you are connected to the correct IP address and the fingerprints do not match, this could indicate that your sensor may have been compromised.

Step 8 Click the General tab.

Step 9 Click Install Certificate . The Certificate Import Wizard appears.

Step 10 Click Next . The Certificate Store dialog box appears.

Step 11 Check the Place all certificates in the following store check box, and then click Browse . The Select Certificate Store dialog box appears.

Step 12 Click Trusted Root Certification Authorities , and then click OK .

Step 13 Click Next , and then click Finish . The Security Warning dialog box appears.

Step 14 Click Yes , and then click OK .

Step 15 Click OK to close the Certificate dialog box.

Step 16 Click Yes to open the IDM.


Licensing the Sensor

This section describes how to license the sensor, and contains the following topics:

Understanding Licensing

Caution You must have a valid sensor license for global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.

Although the sensor functions without the license key, you must have a license key to obtain signature updates and use the global correlation features. To obtain a license key, you must have the following:

  • Cisco Service for IPS service contract—Contact your reseller, Cisco service or product sales to purchase a contract.
  • Your IPS device serial number—To find the IPS device serial number in the IDM, choose Configuration > Sensor Management > Licensing ., or in the CLI use the show version command.
  • Valid username and password.

Trial license keys are also available. If you cannot get your sensor licensed because of problems with your contract, you can obtain a 60-day trial license that supports signature updates that require licensing.

You can obtain a license key from the licensing server, which is then delivered to the sensor. Or, you can update the license key from a license key provided in a local file. Go to and click IPS Signature Subscription Service to apply for a license key.

You can view the status of the license key in these places:

  • The IDM Home window Licensing section on the Health tab
  • The IDM Licensing pane ( Configuration > Licensing )
  • License Notice at CLI login

Whenever you start the IDM or the CLI, you are informed of your license status—whether you have a trial, invalid, or expired license key. With no license key, an invalid license key, or an expired license key, you can continue to use the IDM and the CLI, but you cannot download signature updates.

If you already have a valid license on the sensor, you can click Download on the License pane to download a copy of your license key to the computer that the IDM is running on and save it to a local file. You can then replace a lost or corrupted license, or reinstall your license after you have reimaged the sensor.

For More Information

For more information on global correlation, see Chapter11, “Configuring Global Correlation”

Service Programs for IPS Products

You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract. If you do not have a direct relationship with Cisco Systems, you can purchase the service account from a one-tier or two-tier partner.

When you purchase the following IPS products you must also purchase a Cisco Services for IPS service contract:

  • IPS 4240
  • IPS 4255
  • IPS 4260
  • IPS 4270-20
  • IPS 4345
  • IPS 4360
  • IPS 4510
  • IPS 4520

When you purchase an ASA 5500 series adaptive security appliance product that does not contain IPS, you must purchase a SMARTnet contract.

Note SMARTnet provides operating system updates, access to, access to TAC, and hardware replacement NBD on site.

When you purchase an ASA 5500 series adaptive security appliance product that ships with an IPS module installed, or if you purchase one to add to your ASA 5500 series adaptive security appliance product, you must purchase the Cisco Services for IPS service contract.

Note Cisco Services for IPS provides IPS signature updates, operating system updates, access to, access to TAC, and hardware replacement NBD on site.

For example, if you purchase an ASA 5585-X and then later want to add IPS and purchase an ASA-IPS10-K9, you must now purchase the Cisco Services for IPS service contract. After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key.

Caution If you ever send your product for RMA, the serial number changes. You must then get a new license key for the new serial number.

For More Information

For information on obtaining and installing the sensor license key, see Obtaining and Installing the License Key.

Licensing Pane Field Definitions

Note You must be administrator to view license information in the Licensing pane and to install the sensor license key.

The following fields are found in the Licensing pane:

  • Current License—Provides the status of the current license:

License Status—Displays the current license status of the sensor.

Expiration Date—Displays the date when the license key expires (or has expired). If the key is invalid, no date is displayed.

Serial Number—Displays the serial number of the sensor.

Product ID—Displays the product ID of your sensor.

  • Update License—Specifies from where to obtain the new license key:—Contacts the license server at for a license key.

License File—Specifies that a license file be used.

Local File Path—Indicates where the local file is that contains the license key.

Obtaining and Installing the License Key

Note In addition to a valid username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.

To obtain and install the license key, follow these steps:

Step 1 Log in to the IDM using an account with administrator privileges.

Step 2 Choose Configuration > Sensor Management > Licensing .

Step 3 The Licensing pane displays the status of the current license. If you have already installed your license, you can click Download to save it if needed.

Step 4 Obtain a license key by doing one of the following:

  • Click the radio button to obtain the license from the IDM contacts the license server on and sends the server the serial number to obtain the license key. This is the default method. Go to Step 5.
  • Click the License File radio button to use a license file. To use this option, you must apply for a license key at this URL: . The license key is sent to you in e-mail and you save it to a drive that the IDM can access. This option is useful if your computer cannot access Go to Step 7.

Step 5 Click Update License , and in the Licensing dialog box, click Yes to continue. The Status dialog box informs you that the sensor is trying to connect to An Information dialog box confirms that the license key has been updated.

Step 6 Click OK .

Step 7 Log in to .

Step 8 Go to .

Step 9 Fill in the required fields. Your license key will be sent to the e-mail address you specified.

Caution You must have the correct IPS device serial number and product identifier (PID) because the license key only functions on the device with that number.

Step 10 Save the license key to a hard-disk drive or a network drive that the client running the IDM can access.

Step 11 Log in to the IDM.

Step 12 Choose Configuration > Sensor Management > Licensing .

Step 13 Under Update License, click the License File radio button.

Step 14 In the Local File Path field, specify the path to the license file or click Browse Local to browse to the file.

Step 15 Browse to the license file and click Open .

Step 16 Click Update License .