Managing the Sensor

Table Of Contents

Managing the Sensor

Configuring Passwords

Password Pane

Passwords Pane Field Definitions

Configuring Password Requirements

Configuring Packet Logging

Recovering the Password

Understanding Password Recovery

Recovering the Appliance Password

Using the GRUB Menu

Using ROMMON

Recovering the ASA 5500 AIP SSM Password

Recovering the ASA 5500-X IPS SSP Password

Recovering the ASA 5585-X IPS SSP Password

Disabling Password Recovery

Troubleshooting Password Recovery

Verifying the State of Password Recovery

Configuring Licensing

Licensing Pane

Understanding Licensing

Service Programs for IPS Products

Licensing Pane Field Definitions

Obtaining and Installing the License Key

Installing the IPS 4270-20 License

Installing the ASA 5500-X IPS SSP License

Uninstalling the License

Configuring Sensor Health

Sensor Health Pane

Sensor Health Pane Field Definitions

Configuring IP Logging Variables

Configuring Automatic Update

Auto/Cisco.com Update Pane

Supported FTP and HTTP Servers

UNIX-Style Directory Listings

Signature Updates and Installation Time

Auto/Cisco.com Update Pane Field Definitions

Configuring Auto Update

Manually Updating the Sensor

Update Sensor Pane

Update Sensor Pane Field Definitions

Updating the Sensor

Restoring Defaults

Rebooting the Sensor

Shutting Down the Sensor


Managing the Sensor


This chapter describes how to manage your sensor, for example, how to set passwords, obtain and install license keys, set up IP logging variables, update your sensor with the latest software, restore sensor defaults, reboot the sensor, and shut down the sensor. It contains the following sections:

Configuring Passwords

Configuring Packet Logging

Recovering the Password

Configuring Licensing

Configuring Sensor Health

Configuring IP Logging Variables

Configuring Automatic Update

Manually Updating the Sensor

Restoring Defaults

Rebooting the Sensor

Shutting Down the Sensor

Configuring Passwords

This section describes how to set up passwords for users on the sensor, and contains the following topics:

Password Pane

Passwords Pane Field Definitions

Configuring Password Requirements

Password Pane

As sensor administrator, you can configure how passwords are created in the Passwords pane. All user-created passwords must conform to the policy that you set in the Passwords pane.

Passwords Pane Field Definitions

The following fields are found in the Passwords pane:

Attempt Limit—Lets you lock accounts so that users cannot keep trying to log in after a certain number of failed attempts. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.

Size Range—Specifies the range for the minimum and maximum allowed size for a password. The valid range is 6 to 64 characters.

Minimum Digit Characters—Specifies the minimum number of numeric digits that a password must contain.

Minimum Upper Case Characters—Specifies the minimum number of upper-case alphabet characters that a password must contain.

Minimum Lower Case Characters—Specifies the minimum number of lower-case alphabet characters that a password must contain.

Minimum Other Characters—Specifies the minimum number of non-alphanumeric printable characters that a password must contain.

Number of Historical Passwords—Specifies the number of historical passwords you want the sensor to remember for each account. Any attempt to change the password of an account fails if the new password matches any of the remembered passwords. When this value is 0, no previous passwords are remembered.

Configuring Password Requirements

To configure password requirements, follow these steps:


Step 1 Log in to the IDM using an account with administrator privileges.

Step 2 Choose Configuration > Sensor Management > Passwords.

Step 3 In the Attempt Limit field, enter how many attempts a user has to enter the correct password.


Note The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.


Step 4 In the Size Range field, enter how long the password can be. The valid range is 6 to 64.

Step 5 In the Minimum Digit Characters field, enter the minimum number of numeric digits a password must contain.

Step 6 In the Minimum Upper Case Characters field, enter the minimum number of upper case characters a password must contain.

Step 7 In the Minimum Lower Case Characters field, enter the minimum number of lower case characters a password must contain.


Caution If the password policy includes minimum numbers of character sets, such as upper case or number characters, the sum of the minimum number of required character sets cannot exceed the minimum password size. For example, you cannot set a minimum password size of eight and also require that passwords must contain at least five lowercase and five uppercase characters.

Step 8 In the Minimum Other Characters field, enter the minimum number of other characters a password must contain.

Step 9 In the Number of Historical Passwords field, enter the number of historical passwords you want the sensor to remember for each account.


Tip To discard your changes, click Reset.


Step 10 Click Apply to apply your changes and save the revised configuration.
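The following added example (not Cisco code, and not part of the original chapter) models the Passwords pane fields to review a planned policy before it is entered in the IDM, including the rule from the Caution above, and then checks candidate passwords against it. The class, function names, and sample passwords are hypothetical; treating "other" characters as ASCII punctuation plus space, and holding remembered passwords as plain strings, are assumptions made for illustration only.

```python
import hmac
import string
from dataclasses import dataclass

SIZE_MIN, SIZE_MAX = 6, 64              # valid Size Range stated on this page
OTHER = set(string.punctuation + " ")   # assumption: printable ASCII non-alphanumerics


@dataclass
class PasswordPolicy:
    """Hypothetical model of the Passwords pane fields (not a Cisco API)."""
    min_size: int
    max_size: int
    min_digits: int = 0
    min_upper: int = 0
    min_lower: int = 0
    min_other: int = 0
    attempt_limit: int = 0   # 0 is the default: unlimited authentication attempts
    history: int = 0         # 0: no previous passwords are remembered

    def review(self):
        """Return a list of problems with the policy itself."""
        findings = []
        if self.attempt_limit == 0:
            findings.append("Attempt Limit is 0: unlimited authentication attempts")
        if not SIZE_MIN <= self.min_size <= self.max_size <= SIZE_MAX:
            findings.append(
                f"Size Range must stay within {SIZE_MIN}-{SIZE_MAX} with min <= max")
        required = (self.min_digits + self.min_upper
                    + self.min_lower + self.min_other)
        if required > self.min_size:
            # The Caution: character-set minimums cannot exceed the minimum size.
            findings.append(
                f"character-set minimums total {required}, "
                f"more than the minimum size {self.min_size}")
        return findings


def check_password(policy, candidate, remembered=()):
    """Return the rules that `candidate` violates (empty list = accepted)."""
    counts = {
        "digit": sum(c in string.digits for c in candidate),
        "upper-case": sum(c in string.ascii_uppercase for c in candidate),
        "lower-case": sum(c in string.ascii_lowercase for c in candidate),
        "other": sum(c in OTHER for c in candidate),
    }
    minimums = {
        "digit": policy.min_digits,
        "upper-case": policy.min_upper,
        "lower-case": policy.min_lower,
        "other": policy.min_other,
    }
    violations = []
    if not policy.min_size <= len(candidate) <= policy.max_size:
        violations.append(
            f"length {len(candidate)} outside {policy.min_size}-{policy.max_size}")
    for kind, need in minimums.items():
        if counts[kind] < need:
            violations.append(
                f"needs at least {need} {kind} characters, has {counts[kind]}")
    # Only the newest `history` entries are remembered; 0 remembers none.
    recent = list(remembered)[-policy.history:] if policy.history else []
    if any(hmac.compare_digest(candidate.encode(), old.encode()) for old in recent):
        violations.append("matches a remembered password")
    return violations


if __name__ == "__main__":
    # Constructed policies: the first reproduces the Caution's invalid example.
    caution = PasswordPolicy(min_size=8, max_size=64, min_upper=5, min_lower=5)
    planned = PasswordPolicy(min_size=12, max_size=64, min_digits=2, min_upper=2,
                             min_lower=2, min_other=1, attempt_limit=5, history=3)
    for name, policy in (("caution", caution), ("planned", planned)):
        print(name, policy.review() or "policy is consistent")
    print(check_password(planned, "short1A!"))
```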


Configuring Packet Logging


Note Packet logging is supported in IPS 7.1(3)E4 and later.



Note Make sure that the user is configured with the appropriate Cisco av-pair on the RADIUS server. This pair is in the form "permit-packet-logging=true/false".


On the Packet Logging pane, you can restrict the use of packet capture-related commands—packet capture/display, IP logging—for local and AAA RADIUS users. RADIUS users with the correct av-pair are authorized to execute packet capture, packet display, and IP logging commands. Local users with the correct permissions can use the packet capture and IP log commands. To restrict all users from executing packet capture and IP log commands, uncheck the Permit packet capture and iplog commands checkbox. To allow AAA RADIUS users with the correct av-pair and local users with the correct privilege levels to execute all packet capture and IP log commands, check the Permit packet capture and iplog commands checkbox. The default is to permit packet capture and IP log commands.

When you modify the permit packet capture and IP log command option, you receive the following warning:

Modified packet settings would take effect only for new sessions, existing sessions will 
continue with previous settings.
 
   

The IP Logging pane (Sensor Management > Time-Based Actions > IP Logging) reflects the packet capture command restriction. The current user is verified for the appropriate permissions to add, edit, download, or stop IP logging. Once the user is verified, IP logging is enabled. If the user does not have the appropriate permissions, the following error message is displayed:

You do not have sufficient permissions to perform this action. Packet and IP logging have 
been restricted for this user. 

For More Information

For more information about IP logging, see Configuring IP Logging.

For detailed information about AAA RADIUS authentication, see Configuring Authentication and Users.

Recovering the Password

For most IPS platforms, you can now recover the password on the sensor rather than using the service account or reimaging the sensor. This section describes how to recover the password on the various platforms, and contains the following topics:

Understanding Password Recovery

Recovering the Appliance Password

Recovering the ASA 5500 AIP SSM Password

Recovering the ASA 5500-X IPS SSP Password

Recovering the ASA 5585-X IPS SSP Password

Disabling Password Recovery

Troubleshooting Password Recovery

Verifying the State of Password Recovery

Understanding Password Recovery


Note Administrators may need to disable the password recovery feature for security reasons.


Password recovery implementations vary according to IPS platform requirements. Password recovery is implemented only for the cisco administrative account and is enabled by default. The IPS administrator can then recover user passwords for other accounts using the CLI. The cisco user password reverts to cisco and must be changed after the next login.

Table 17-1 lists the password recovery methods according to platform.

Table 17-1 Password Recovery Methods According to Platform 

Platform              Description                          Recovery Method
--------------------  -----------------------------------  ---------------------------------------
4200 series sensors   Standalone IPS appliances            GRUB prompt or ROMMON
4300 series sensors
4500 series sensors

ASA 5500 AIP SSM      ASA 5500 series adaptive security    Adaptive security appliance CLI command
ASA 5500-X IPS SSP    appliance IPS modules
ASA 5585-X IPS SSP


Recovering the Appliance Password

There are two ways to recover the password for appliances—using the GRUB menu or ROMMON. This section describes how to recover the password on appliances, and contains the following topics:

Using the GRUB Menu

Using ROMMON

Using the GRUB Menu


Note You must have a terminal server or direct serial connection to the appliance to use the GRUB menu to recover the password.


For the IPS 4270-20, IPS 4355, IPS 4360, IPS 4510, and IPS 4520 appliances, the password recovery is found in the GRUB menu, which appears during bootup. When the GRUB menu appears, press any key to pause the boot process. To recover the password on appliances, follow these steps:


Step 1 Reboot the appliance to see the GRUB menu.

GNU GRUB version 0.94 (632K lower / 523264K upper memory)
-------------------------------------------
0: Cisco IPS
1: Cisco IPS Recovery
2: Cisco IPS Clear Password (cisco)
-------------------------------------------
 
   
    Use the ^ and v keys to select which entry is highlighted.
    Press enter to boot the selected OS, 'e' to edit the
    Commands before booting, or 'c' for a command-line.
 
   
    Highlighted entry is 0:
 
   

Step 2 Press any key to pause the boot process.

Step 3 Choose 2: Cisco IPS Clear Password (cisco). The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.


Using ROMMON

For the IPS 4240, IPS 4255, IPS 4345, IPS 4360, IPS 4510, and IPS 4520, you can use the ROMMON to recover the password. To access the ROMMON CLI, reboot the sensor from a terminal server or direct connection and interrupt the boot process. To recover the password using the ROMMON CLI, follow these steps:


Step 1 Reboot the appliance.

Step 2 To interrupt the boot process, press ESC or Control-R (terminal server) or send a BREAK command (direct connection). The boot code either pauses for 10 seconds or displays something similar to one of the following:

Evaluating boot options

Use BREAK or ESC to interrupt boot

Step 3 Enter the following commands to reset the password:

confreg 0x7
boot
 
   

Sample ROMMON session:

Booting system, please wait...
CISCO SYSTEMS
Embedded BIOS Version 1.0(11)2 01/25/06 13:21:26.17
...
Evaluating BIOS Options...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006
Platform IPS-4360-K9
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted. 
Management0/0
Link is UP
MAC Address:000b.fcfa.d155
Use ? for help.
rommon #0> confreg 0x7
Update Config Register (0x7) in NVRAM...
rommon #1> boot
 
   

Recovering the ASA 5500 AIP SSM Password


Note To reset the password, you must have ASA 7.2.2 or later.


You can reset the password to the default (cisco) for the ASA 5500 AIP SSM using the CLI or the ASDM. Resetting the password causes the sensor to reboot. IPS services are not available during a reboot.

Use the hw-module module slot_number password-reset command to reset the password to the default cisco. If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed:

ERROR: the module in slot <n> does not support password recovery.

Resetting the Password Using the CLI

To reset the password on the ASA 5500 AIP SSM, follow these steps:


Step 1 Log into the adaptive security appliance and enter the following command to verify the module slot number:

asa# show module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5510 Adaptive Security Appliance         ASA5510            JMX1135L097
  1 ASA 5500 Series Security Services Module-40  ASA-SSM-40         JAF1214AMRL
 
   
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 001b.d5e8.e0c8 to 001b.d5e8.e0cc  2.0          1.0(11)2     8.4(3)
  1 001e.f737.205f to 001e.f737.205f  1.0          1.0(14)5     7.0(7)E4
 
   
Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               7.0(7)E4
 
   
Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up
 
   

Step 2 Reset the password for module 1.

asa# hw-module module 1 password-reset
Reset the password on module in slot 1? [confirm]
 
   

Step 3 Press Enter to confirm.

Password-Reset issued for slot 1.
 
   

Step 4 Verify the status of the module. Once the status reads Up, you can session to the ASA 5500 AIP SSM.

asa# show module 1
Mod Card Type                                    Model              Serial No. 
--- -------------------------------------------- ------------------ -----------
  1 ASA 5500 Series Security Services Module-40  ASA-SSM-40         JAF1214AMRL
 
   
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version     
--- --------------------------------- ------------ ------------ ---------------
  1 001e.f737.205f to 001e.f737.205f  1.0          1.0(14)5     7.0(7)E4
 
   
Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               7.0(7)E4
 
   
Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up         
 
   
 
   

Step 5 Session to the ASA 5500 AIP SSM.

asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
 
   

Step 6 Enter the default username (cisco) and password (cisco) at the login prompt.

login: cisco 
Password: cisco
 
   
You are required to change your password immediately (password aged) 
Changing password for cisco. 
(current) password: cisco
 
   

Step 7 Enter your new password twice.

New password: new password
Retype new password: new password
 
   
***NOTICE*** 
This product contains cryptographic features and is subject to United States and local 
country laws governing import, export, transfer and use. Delivery of Cisco cryptographic 
products does not imply third-party authority to import, export, distribute or use 
encryption. Importers, exporters, distributors and users are responsible for compliance 
with U.S. and local country laws. By using this product you agree to comply with 
applicable laws and regulations. If you are unable to comply with U.S. and local laws, 
return this product immediately. 
 
   
A summary of U.S. laws governing Cisco cryptographic products may be found at: 
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html 
 
   
If you require further assistance please contact us by sending email to export@cisco.com. 
 
   
***LICENSE NOTICE*** 
There is no license key installed on this IPS platform. The system will continue to 
operate with the currently installed signature set. A valid license must be obtained in 
order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a 
new license or install a license. 
aip_ssm#
 
   

Using the ASDM

To reset the password in the ASDM, follow these steps:


Step 1 From the ASDM menu bar, choose Tools > IPS Password Reset.


Note This option does not appear in the menu if there is no IPS present.


Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.

Step 3 Click Close to close the dialog box. The sensor reboots.


Recovering the ASA 5500-X IPS SSP Password

You can reset the password to the default (cisco) for the ASA 5500-X IPS SSP using the CLI or the ASDM. Resetting the password causes the sensor to reboot. IPS services are not available during a reboot.


Note To reset the password, you must have ASA 8.6.1 or later.


Use the sw-module module ips password-reset command to reset the password to the default cisco. If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed:

ERROR: the module in slot <n> does not support password recovery.
 
   

To reset the password on the ASA 5500-X IPS SSP, follow these steps:


Step 1 Log into the adaptive security appliance and enter the following command:

asa# sw-module module ips password-reset
Reset the password on module ips? [confirm]
 
   

Step 2 Press Enter to confirm.

Password-Reset issued for module ips.
 
   

Step 3 Verify the status of the module. Once the status reads Up, you can session to the ASA 5500-X IPS SSP.

asa# show module ips
Mod Card Type                                    Model              Serial No. 
--- -------------------------------------------- ------------------ -----------
ips ASA 5555-X IPS Security Services Processor   ASA5555-IPS        FCH151070GR
 
   
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version     
--- --------------------------------- ------------ ------------ ---------------
ips 503d.e59c.7c4c to 503d.e59c.7c4c  N/A          N/A          7.1(4)E4
 
   
Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
ips IPS                            Up               7.1(4)E4
 
   
Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
ips Up                 Up                    
 
   
Mod License Name   License Status  Time Remaining
--- -------------- --------------- ---------------
ips IPS Module     Enabled         210 days      
 
   

Step 4 Session to the ASA 5500-X IPS SSP.

asa# session ips
Opening command session with module ips.
Connected to module ips. Escape character sequence is 'CTRL-^X'.
 
   

Step 5 Enter the default username (cisco) and password (cisco) at the login prompt.

login: cisco
Password: cisco
 
   
You are required to change your password immediately (password aged) 
Changing password for cisco. 
(current) password: cisco 
 
   

Step 6 Enter your new password twice.

New password: new password 
Retype new password: new password 
 
   
***NOTICE*** 
This product contains cryptographic features and is subject to United States and local 
country laws governing import, export, transfer and use. Delivery of Cisco cryptographic 
products does not imply third-party authority to import, export, distribute or use 
encryption. Importers, exporters, distributors and users are responsible for compliance 
with U.S. and local country laws. By using this product you agree to comply with 
applicable laws and regulations. If you are unable to comply with U.S. and local laws, 
return this product immediately. 
 
   
A summary of U.S. laws governing Cisco cryptographic products may be found at: 
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html 
 
   
If you require further assistance please contact us by sending email to export@cisco.com. 
 
   
***LICENSE NOTICE*** 
There is no license key installed on this IPS platform. The system will continue to 
operate with the currently installed signature set. A valid license must be obtained in 
order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a 
new license or install a license. 
 
   
asa-ssp#

Using the ASDM

To reset the password in the ASDM, follow these steps:


Step 1 From the ASDM menu bar, choose Tools > IPS Password Reset.


Note This option does not appear in the menu if there is no IPS present.


Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.

Step 3 Click Close to close the dialog box. The sensor reboots.


Recovering the ASA 5585-X IPS SSP Password


Note To reset the password, you must have ASA 8.2.(4.4) or later or ASA 8.4.2 or later. The ASA 5585-X IPS SSP is not supported in ASA 8.3(x).


You can reset the password to the default (cisco) for the ASA 5585-X IPS SSP using the CLI or the ASDM. Resetting the password causes the sensor to reboot. IPS services are not available during a reboot.

Use the hw-module module slot_number password-reset command to reset the password to the default cisco. If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed:

ERROR: the module in slot <n> does not support password recovery.
 
   

To reset the password on the ASA 5585-X IPS SSP, follow these steps:


Step 1 Log into the adaptive security appliance and enter the following command:

asa# hw-module module 1 password-reset
Reset the password on module in slot 1? [confirm]
 
   

Step 2 Press Enter to confirm.

Password-Reset issued for slot 1.
 
   

Step 3 Verify the status of the module. Once the status reads Up, you can session to the ASA 5585-X IPS SSP.

asa# show module 1
Mod Card Type                                    Model              Serial No. 
--- -------------------------------------------- ------------------ -----------
  1 ASA 5585-X IPS Security Services Processor-4 ASA5585-SSP-IPS40  JAF1436ABSG
 
   
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version     
--- --------------------------------- ------------ ------------ ---------------
  1 5475.d029.8c74 to 5475.d029.8c7f  0.1          2.0(12)3     7.1(4)E4
 
   
Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               7.1(4)E4
 
   
Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  1 Up                 Up                     
 
   

Step 4 Session to the ASA 5585-X IPS SSP.

asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
 
   

Step 5 Enter the default username (cisco) and password (cisco) at the login prompt.

login: cisco
Password: cisco
 
   
You are required to change your password immediately (password aged) 
Changing password for cisco. 
(current) password: cisco
 
   

Step 6 Enter your new password twice.

New password: new password
Retype new password: new password
 
   
***NOTICE*** 
This product contains cryptographic features and is subject to United States and local 
country laws governing import, export, transfer and use. Delivery of Cisco cryptographic 
products does not imply third-party authority to import, export, distribute or use 
encryption. Importers, exporters, distributors and users are responsible for compliance 
with U.S. and local country laws. By using this product you agree to comply with 
applicable laws and regulations. If you are unable to comply with U.S. and local laws, 
return this product immediately. 
 
   
A summary of U.S. laws governing Cisco cryptographic products may be found at: 
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html 
 
   
If you require further assistance please contact us by sending email to export@cisco.com. 
 
   
***LICENSE NOTICE*** 
There is no license key installed on this IPS platform. The system will continue to 
operate with the currently installed signature set. A valid license must be obtained in 
order to apply signature updates. Please go to http://www.cisco.com/go/license to obtain a 
new license or install a license. 
ips_ssp#
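
Each of the three module reset procedures above waits for show module to read Up before opening a session. This added example (not Cisco code, not part of the original chapter) parses that fixed-width output by taking column offsets from the dash rule under each header. The function names are hypothetical, the samples are constructed with the column widths shown on this page, the Init and Not Applicable values in the in-progress sample are constructed, and requiring all three status cells to read Up is an assumption.

```python
import re

RULE = re.compile(r"^-+( +-+)+\s*$")   # e.g. "--- ------------------ -----"


def parse_show_module(text):
    """Return {mod: [row, ...]} with one row dict per table the module is in."""
    lines = text.splitlines()
    modules = {}
    for i in range(1, len(lines)):
        if not RULE.match(lines[i]):
            continue
        # The dash rule fixes each column's start and end offsets, so cells
        # containing single spaces ("Up Sys") and empty cells both survive.
        spans = [m.span() for m in re.finditer(r"-+", lines[i])]
        names = [lines[i - 1][a:b].strip() for a, b in spans]
        for row in lines[i + 1:]:
            if not row.strip():
                break                      # a blank line ends the table
            cells = [row[a:b].strip() for a, b in spans]
            modules.setdefault(cells[0], []).append(dict(zip(names[1:], cells[1:])))
    return modules


def module_ready(text, mod):
    """True once the application and module status tables all read Up."""
    rows = parse_show_module(text).get(str(mod), [])
    app = [r for r in rows if "SSM Application Name" in r]
    hw = [r for r in rows if "Data Plane Status" in r]
    return (bool(app) and bool(hw)
            and all(r["Status"] == "Up" for r in app)
            and all(r["Status"] == "Up" and r["Data Plane Status"] == "Up"
                    for r in hw))


def render(widths, header, *rows):
    """Build one table with exact column alignment (constructed samples only)."""
    def fmt(cells):
        return " ".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()
    return "\n".join([fmt(header), " ".join("-" * w for w in widths),
                      *map(fmt, rows)])


def sample(app_status, status, data_plane):
    """Constructed 'show module 1' excerpt using this page's column widths."""
    return "\n\n".join([
        render((3, 30, 16, 26),
               ("Mod", "SSM Application Name", "Status", "SSM Application Version"),
               ("  1", "IPS", app_status, "7.0(7)E4")),
        render((3, 18, 21, 13),
               ("Mod", "Status", "Data Plane Status", "Compatibility"),
               ("  1", status, data_plane, "")),
    ])


if __name__ == "__main__":
    for label, text in (("during reset", sample("Init", "Init", "Not Applicable")),
                        ("after reset", sample("Up", "Up", "Up"))):
        print(label, "-> ready" if module_ready(text, 1) else "-> wait")
```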
 
   

Using the ASDM

To reset the password in the ASDM, follow these steps:


Step 1 From the ASDM menu bar, choose Tools > IPS Password Reset.


Note This option does not appear in the menu if there is no IPS present.


Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.

Step 3 Click Close to close the dialog box. The sensor reboots.


Disabling Password Recovery


Caution If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings; however, the password is not reset. If you cannot log in to the sensor because you have forgotten the password, and password recovery is set to disabled, you must reimage your sensor.

Password recovery is enabled by default. You can disable password recovery through the CLI or IDM.

Disabling Password Recovery Using the CLI

To disable password recovery in the CLI, follow these steps:


Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter global configuration mode.

sensor# configure terminal
 
   

Step 3 Enter host mode.

sensor(config)# service host
 
   

Step 4 Disable password recovery.

sensor(config-hos)# password-recovery disallowed
 
   

Disabling Password Recovery Using the IDM

To disable password recovery in the IDM, follow these steps:


Step 1 Log in to the IDM using an account with administrator privileges.

Step 2 Choose Configuration > Sensor Setup > Network.

Step 3 To disable password recovery, uncheck the Allow Password Recovery check box.


Troubleshooting Password Recovery

When you troubleshoot password recovery, pay attention to the following:

You cannot determine whether password recovery has been disabled in the sensor configuration from the ROMMON prompt, GRUB menu, switch CLI, or router CLI. If you attempt password recovery, it always appears to succeed. If it has been disabled, the password is not reset to cisco. The only option is to reimage the sensor.

You can disable password recovery in the host configuration. For the platforms that use external mechanisms, such as ROMMON, although you can run commands to clear the password, if password recovery is disabled in the IPS, the IPS detects that password recovery is not allowed and rejects the external request.

To check the state of password recovery, use the show settings | include password command.

Verifying the State of Password Recovery

Use the show settings | include password command to verify whether password recovery is enabled. Follow these steps:


Step 1 Log in to the CLI.

Step 2 Enter service host submode.

sensor# configure terminal
sensor (config)# service host
sensor (config-hos)# 
 
   

Step 3 Verify the state of password recovery by using the include keyword to show settings in a filtered output.

sensor(config-hos)# show settings | include password
   password-recovery: allowed <defaulted>
sensor(config-hos)#
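
Because a recovery attempt on a sensor with recovery disabled appears to succeed but changes nothing, it helps to record the setting for every sensor ahead of time. This added example (not Cisco code, not part of the original chapter) audits saved output of show settings | include password and attaches the consequence described in this chapter. The sensor names and inventory are constructed, and the disallowed sample line is constructed on the model of the allowed line shown above.

```python
import re

# Recovery method per platform family, taken from Table 17-1 on this page.
RECOVERY_METHOD = {
    "appliance": "the GRUB prompt or ROMMON",
    "asa-module": "an adaptive security appliance CLI command",
}
SETTING = re.compile(r"^\s*password-recovery:\s*(allowed|disallowed)\b(.*)$",
                     re.MULTILINE)


def recovery_state(captured):
    """Return (state, defaulted) from saved 'show settings | include password'."""
    match = SETTING.search(captured)
    if match is None:
        return "unknown", False
    return match.group(1), "<defaulted>" in match.group(2)


def audit(inventory):
    """inventory maps sensor name -> (platform family, captured CLI output)."""
    report = []
    for name, (family, captured) in sorted(inventory.items()):
        state, defaulted = recovery_state(captured)
        if state == "allowed":
            note = ("the cisco account can be reset to the default password via "
                    + RECOVERY_METHOD[family])
        elif state == "disallowed":
            note = ("a recovery attempt will appear to succeed but not reset "
                    "the password; a lost password means reimaging")
        else:
            note = "setting not found; capture the command in service host mode"
        report.append({"sensor": name, "state": state,
                       "defaulted": defaulted, "note": note})
    return report


# Constructed inventory; names and the 'disallowed' line are illustrative.
SAMPLE_INVENTORY = {
    "sensor-a": ("appliance",
                 "sensor(config-hos)# show settings | include password\n"
                 "   password-recovery: allowed <defaulted>\n"
                 "sensor(config-hos)#\n"),
    "sensor-b": ("asa-module",
                 "sensor(config-hos)# show settings | include password\n"
                 "   password-recovery: disallowed default: allowed\n"
                 "sensor(config-hos)#\n"),
    "sensor-c": ("appliance", "sensor#\n"),
}

if __name__ == "__main__":
    for entry in audit(SAMPLE_INVENTORY):
        flag = " (default value)" if entry["defaulted"] else ""
        print(f'{entry["sensor"]}: {entry["state"]}{flag} - {entry["note"]}')
```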
 
   

Configuring Licensing

This section describes how to obtain and install the license key, and contains the following topics:

Licensing Pane

Understanding Licensing

Service Programs for IPS Products

Licensing Pane Field Definitions

Obtaining and Installing the License Key

Installing the IPS 4270-20 License

Installing the ASA 5500-X IPS SSP License

Uninstalling the License

Licensing Pane


Note You must be administrator to view license information in the Licensing pane and to install the sensor license key.


In the Licensing pane, you can obtain and install the sensor license key. The Licensing pane displays the status of the current license.

Understanding Licensing

Although the sensor functions without the license key, you must have a license key to obtain signature updates and use the global correlation features. To obtain a license key, you must have the following:

Cisco Service for IPS service contract—Contact your reseller, Cisco service or product sales to purchase a contract.

Your IPS device serial number—To find the IPS device serial number in the IDM, choose Configuration > Sensor Management > Licensing, or in the CLI use the show version command.

Valid Cisco.com username and password.

Trial license keys are also available. If you cannot get your sensor licensed because of problems with your contract, you can obtain a 60-day trial license that supports signature updates that require licensing.

You can obtain a license key from the Cisco.com licensing server, which is then delivered to the sensor. Or, you can update the license key from a license key provided in a local file. Go to http://www.cisco.com/go/license and click IPS Signature Subscription Service to apply for a license key.

You can view the status of the license key in these places:

The IDM Home window Licensing section on the Health tab

The IDM Licensing pane (Configuration > Licensing)

License Notice at CLI login

Whenever you start the IDM or the CLI, you are informed of your license status—whether you have a trial, invalid, or expired license key. With no license key, an invalid license key, or an expired license key, you can continue to use the IDM and the CLI, but you cannot download signature updates.

If you already have a valid license on the sensor, you can click Download on the License pane to download a copy of your license key to the computer that the IDM is running on and save it to a local file. You can then replace a lost or corrupted license, or reinstall your license after you have reimaged the sensor.

Service Programs for IPS Products

You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract. If you do not have a direct relationship with Cisco Systems, you can purchase the service account from a one-tier or two-tier partner.

When you purchase the following IPS products you must also purchase a Cisco Services for IPS service contract:

IPS 4240

IPS 4255

IPS 4260

IPS 4270-20

IPS 4345

IPS 4360

IPS 4510

IPS 4520

When you purchase an ASA 5500 series adaptive security appliance product that does not contain IPS, you must purchase a SMARTnet contract.


Note SMARTnet provides operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site.


When you purchase an ASA 5500 series adaptive security appliance product that ships with an IPS module installed, or if you purchase one to add to your ASA 5500 series adaptive security appliance product, you must purchase the Cisco Services for IPS service contract.


Note Cisco Services for IPS provides IPS signature updates, operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site.


For example, if you purchase an ASA 5585-X and then later want to add IPS and purchase an ASA-IPS10-K9, you must now purchase the Cisco Services for IPS service contract. After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key.


Caution If you ever send your product for RMA, the serial number changes. You must then get a new license key for the new serial number.

Licensing Pane Field Definitions

The following fields are found in the Licensing pane:

Current License—Provides the status of the current license:

License Status—Displays the current license status of the sensor.

Expiration Date—Displays the date when the license key expires (or has expired). If the key is invalid, no date is displayed.

Serial Number—Displays the serial number of the sensor.

Product ID—Displays the product ID of your sensor.

Update License—Specifies from where to obtain the new license key:

Cisco.com—Contacts the license server at Cisco.com for a license key.

License File—Specifies that a license file be used.

Local File Path—Indicates where the local file is that contains the license key.

Obtaining and Installing the License Key


Note In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.


To obtain and install the license key, follow these steps:


Step 1 Log in to the IDM using an account with administrator privileges.

Step 2 Choose Configuration > Sensor Management > Licensing.

Step 3 The Licensing pane displays the status of the current license. If you have already installed your license, you can click Download to save it if needed.

Step 4 Obtain a license key by doing one of the following:

Click the Cisco.com radio button to obtain the license from Cisco.com. The IDM contacts the license server on Cisco.com and sends the server the serial number to obtain the license key. This is the default method. Go to Step 5.

Click the License File radio button to use a license file. To use this option, you must apply for a license key at this URL: www.cisco.com/go/license. The license key is sent to you in e-mail and you save it to a drive that the IDM can access. This option is useful if your computer cannot access Cisco.com. Go to Step 7.

Step 5 Click Update License, and in the Licensing dialog box, click Yes to continue. The Status dialog box informs you that the sensor is trying to connect to Cisco.com. An Information dialog box confirms that the license key has been updated.

Step 6 Click OK.

Step 7 Log in to Cisco.com.

Step 8 Go to www.cisco.com/go/license.

Step 9 Fill in the required fields. Your license key will be sent to the e-mail address you specified.


Caution You must have the correct IPS device serial number and product identifier (PID) because the license key only functions on the device with that number.

Step 10 Save the license key to a hard-disk drive or a network drive that the client running the IDM can access.

Step 11 Log in to the IDM.

Step 12 Choose Configuration > Sensor Management > Licensing.

Step 13 Under Update License, click the License File radio button.

Step 14 In the Local File Path field, specify the path to the license file or click Browse Local to browse to the file.

Step 15 Browse to the license file and click Open.

Step 16 Click Update License.


Installing the IPS 4270-20 License

If your IPS 4270-20 has a license that was generated for IPS 6.0.x versions or earlier, you need to get a new license.

To obtain a new license for your IPS 4270-20, follow these steps:


Step 1 Log in to Cisco.com.

Step 2 Go to www.cisco.com/go/license.

Step 3 Under Licenses Not Requiring a PAK, click Demo and Evaluation licenses.

Step 4 Under Security Products/Cisco Services for IPS service license (Version 6.1 and later), click All IPS Hardware Platforms.

Step 5 Fill in the required fields. Your license key will be sent to the email address you specified.


Caution You must have the correct IPS device serial number and product identifier (PID) because the license key only functions on the device with that number.

Step 6 Save the license key to a hard-disk drive or a network drive that the client running the IDM can access.

Step 7 Log in to the IDM.

Step 8 Choose Configuration > Sensor Management > Licensing.

Step 9 Under Update License, click the License File radio button.

Step 10 In the Local File Path field, specify the path to the license file or click Browse Local to browse to the file.

Step 11 Browse to the license file and click Open.

Step 12 Click Update License.


Installing the ASA 5500-X IPS SSP License

For the ASA 5500-X series adaptive security appliances with the IPS SSP, the ASA requires the IPS Module license. To view your current ASA licenses, in ASDM choose Home > Device Dashboard > Device Information > Device License. For more information about ASA licenses, refer to the licensing chapter in the configuration guide. After you obtain the ASA IPS Module license, you can obtain and install the IPS license key.

For More Information

For more information about getting started using the ASA 5500-X IPS SSP, refer to the Cisco IPS Module on the ASA Quick Start Guide.

For the procedures for obtaining and installing the IPS License key, see Obtaining and Installing the License Key.

Uninstalling the License

Use the erase license-key command to uninstall the license key on your sensor. This allows you to delete an installed license key from a sensor without restarting the sensor or logging into the sensor using the service account. Uninstalling the license key is supported in IPS 7.1(3)E4 and later.

To uninstall the license key, follow these steps:


Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Uninstall the license key on the sensor.

sensor# erase license-key
Warning: Executing this command will remove the license key installed on the sensor.

You must have a valid license key installed on the sensor to apply the Signature Updates
and use the Global Correlation features.

Continue? []: yes
sensor#

Step 3 Verify the sensor key has been uninstalled.

sensor# show version
Application Partition:

Cisco Intrusion Prevention System, Version 7.1(5)E4

Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S615.0                   2012-01-03
OS Version:             2.6.29.1
Platform:               IPS-4345-K9
Serial Number:          FCH1445V00N
No license present
Sensor up-time is 5 days.
Using 5318M out of 7864M bytes of available memory (67% usage)
system is using 33.6M out of 160.0M bytes of available disk space (21% usage)
application-data is using 70.5M out of 169.4M bytes of available disk space (44% usage)
boot is using 62.5M out of 70.1M bytes of available disk space (94% usage)
application-log is using 494.0M out of 513.0M bytes of available disk space (96% usage)

MainApp            S-2012_APR_26_07_45_7_1_4_68   (Release)   2012-04-26T07:48:43-0500   Running
AnalysisEngine     S-2012_APR_26_07_45_7_1_4_68   (Release)   2012-04-26T07:48:43-0500   Running
CollaborationApp   S-2012_APR_26_07_45_7_1_4_68   (Release)   2012-04-26T07:48:43-0500   Running
CLI                S-2012_APR_26_07_45_7_1_4_68   (Release)   2012-04-26T07:48:43-0500

Upgrade History:

  IPS-K9-7.1-5-E4   08:05:07 UTC Thu Apr 26 2012

Recovery Partition Version 1.1 - 7.1(5)E4

Host Certificate Valid from: 25-Apr-2012 to 26-Apr-2014

Configuring Sensor Health

This section describes how to configure sensor health metrics, and contains the following topics:

Sensor Health Pane

Sensor Health Pane Field Definitions

Sensor Health Pane


Note You must be administrator to configure sensor health metrics.


In the Sensor Health pane, you can configure the metrics that are used to determine the health and network security status of the IPS. The results show up in the Home pane in the various gadgets. If you do not select a metric by checking the check box, it does not show up in the health and network security status results. You can accept the default configuration or edit the values.

The overall health is set to the most critical setting of any of the metrics. For instance, if all the selected metrics are green except for one that is red, the overall health becomes red. The IPS produces a health and security status event when the overall health status of the IPS changes.

The security status of the sensor is determined for each virtual sensor using the threat ratings of events detected by the virtual sensors. The security status of the virtual sensor is raised when the virtual sensor detects an event with a threat rating that exceeds the threshold for that virtual sensor. Once a threshold has been exceeded, the security status remains at a critical level until the configured amount of time has passed with no more events being detected at the higher level.

ASA 5500-X IPS SSP and Memory Usage

For the ASA 5500-X IPS SSP, the memory usage is 93%. The default health thresholds for the sensor are 80% for yellow and 91% for red, so the sensor health will be shown as red on these platforms even for normal operating conditions. You can tune the threshold percentage for memory usage so that it reads more accurately for these platforms by configuring the Memory Usage option in the sensor health metrics.


Note Make sure you have the Memory Usage option in the sensor health metrics enabled.


Table 17-2 lists the Yellow Threshold and the Red Threshold health values.

Table 17-2 ASA 5500-X IPS SSP Memory Usage Values

Platform             Yellow   Red   Memory Used
ASA 5512-X IPS SSP   85%      91%   28%
ASA 5515-X IPS SSP   88%      92%   14%
ASA 5525-X IPS SSP   88%      92%   14%
ASA 5545-X IPS SSP   93%      96%   13%
ASA 5555-X IPS SSP   95%      98%   17%

Sensor Health Pane Field Definitions

The following fields are found in the Sensor Health pane:

Inspection Load—Lets you set a threshold for inspection load and whether this metric is applied to the overall sensor health rating.

Missed Packet—Lets you set a threshold percentage for missed packets and whether this metric is applied to the overall sensor health rating.

Memory Usage—Lets you set a threshold percentage for memory usage and whether this metric is applied to the overall sensor health rating.

Signature Update—Lets you set a threshold for when the last signature update was applied and whether this metric is applied to the overall sensor health rating.

License Expiration—Lets you set a threshold for when the license expires and whether this metric is applied to the overall sensor health rating.

Event Retrieval—Lets you set a threshold for when the last event was retrieved and whether this metric is applied to the overall sensor health rating.


Note The event retrieval metric keeps track of when the last event was retrieved by an external monitoring application such as the IME. Disable Event Retrieval if you are not doing external event monitoring.


Network Participation—Lets you choose whether the network participation health metrics contribute to the overall sensor health rating.

Global Correlation—Lets you choose whether the global correlation health metrics contribute to the overall sensor health rating.

The global correlation features are supported in IPS 7.0 and later.

Application Failure—Lets you choose to have an application failure applied to the overall sensor health rating.

IPS in Bypass Mode—Lets you choose to know if bypass mode is active and have that apply to the overall sensor health rating.

One or More Active Interfaces Down—Lets you choose to know if one or more enabled interfaces are down and have that apply to the overall sensor health rating.

Yellow Threshold—Lets you set the lowest threshold in percentage, days, seconds, or failures for yellow.

Red Threshold—Lets you set the lowest threshold in percentage, days, seconds, or failures for red.

Configuring IP Logging Variables


Note You must be administrator to configure the IP logging variable.


You can configure the IP logging variable, Maximum Open IP Log Files, which applies to the general operation of the sensor.

Field Definitions

The following field is found in the IP Logging Variables pane:

Maximum Open IP Log Files—Specifies the maximum number of concurrently open IP log files. The valid range is from 20 to 100. The default is 20.

Configuring Automatic Update

This section describes how to configure your sensor for automatic software updates, and contains the following topics:

Auto/Cisco.com Update Pane

Supported FTP and HTTP Servers

UNIX-Style Directory Listings

Signature Updates and Installation Time

Auto/Cisco.com Update Pane Field Definitions

Configuring Auto Update

Auto/Cisco.com Update Pane


Caution In IPS 7.1(5)E4 and later the default value of the Cisco server IP address has been changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address.


Note You must be administrator to view the Auto/Cisco.com Update pane and to configure automatic updates.



Caution Automatic updates do not work with Windows FTP servers configured with DOS-style paths. Make sure the server configuration has the UNIX-style path option enabled rather than DOS-style paths.

You can configure the sensor to automatically download signature and signature engine updates from Cisco.com and from a local server. When you enable automatic updates, the sensor logs in to Cisco.com and checks for signature and signature engine updates. When an update is available, the sensor downloads the update and installs it. You must have a Cisco.com user account with cryptographic privileges to download Cisco IPS signature and signature engine updates from Cisco.com. The first time you download Cisco software you set up an account with cryptographic privileges.


Caution The sensor does not support communication with Cisco.com through nontransparent proxy servers.

Supported FTP and HTTP Servers

The following FTP servers are supported for IPS software updates:

WU-FTPD 2.6.2 (Linux)

Solaris 2.8

Sambar 6.0 (Windows 2000)

Serv-U 5.0 (Windows 2000)

MS IIS 5.0 (Windows 2000)

The following HTTP/HTTPS servers are supported for IPS software updates:

CSM - Apache Server (Tomcat)

CSM - Apache Server (JRun)

UNIX-Style Directory Listings

To configure automatic update using an FTP server, the FTP server must provide directory listing responses in UNIX style. MS-DOS style directory listing is not supported by the sensor automatic update feature.


Note If the server supplies MS-DOS style directory listings, the sensor cannot parse the directory listing and does not know that there is a new update available.


To change Microsoft IIS to use UNIX-style directory listings, follow these steps:


Step 1 Choose Start > Program Files > Administrative Tools.

Step 2 Click the Home Directory tab.

Step 3 Click the UNIX directory listings style radio button.
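Before pointing the sensor at an FTP server, you can confirm which directory listing style the server returns. The following Python is an added example, not part of the original guide or of the sensor software; the regular expressions describe the usual UNIX and MS-DOS listing layouts, and the function names and sample listings are constructed for illustration.

```python
import re
from ftplib import FTP

# UNIX-style (ls -l) entry: type+mode, links, owner, group, size, date, name.
UNIX_RE = re.compile(
    r"^(?P<type>[-dlbcps])[-rwxsStT]{9}[.+@]?\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{4}|\d{1,2}:\d{2})\s+(?P<name>.+)$"
)
# MS-DOS style entry: MM-DD-YY  HH:MMAM|PM  <DIR> or size, then name.
DOS_RE = re.compile(
    r"^\d{2}-\d{2}-\d{2,4}\s+\d{1,2}:\d{2}(?:AM|PM)\s+(?:<DIR>|\d+)\s+(?P<name>.+)$"
)

# Constructed sample listings (file names and sizes are illustrative).
UNIX_SAMPLE = [
    "total 24",
    "drwxr-xr-x   2 ftp      ftp          4096 Jan 03  2012 archive",
    "-rw-r--r--   1 ftp      ftp      21483520 Jan 03  2012 IPS-sig-S615-req-E4.pkg",
    "-rw-r--r--   1 ftp      ftp          1024 Jan 03 09:15 readme.txt",
]
DOS_SAMPLE = [
    "01-03-12  09:15AM       <DIR>          archive",
    "01-03-12  09:15AM             21483520 IPS-sig-S615-req-E4.pkg",
]


def entries(lines):
    """Drop blank lines and the 'total N' header of ls -l style listings."""
    rows = []
    for line in lines:
        text = line.strip()
        if text and not re.match(r"^total \d+$", text):
            rows.append(line.rstrip())
    return rows


def classify_listing(lines):
    """Return 'unix', 'msdos', 'unknown' or 'empty' for a LIST response."""
    rows = entries(lines)
    if not rows:
        return "empty"
    if all(UNIX_RE.match(row) for row in rows):
        return "unix"
    if any(DOS_RE.match(row) for row in rows):
        return "msdos"
    return "unknown"


def update_candidates(lines):
    """Regular files ending in .pkg, read only from a UNIX-style listing.

    Any other style returns an empty list, the same outcome the note above
    describes for the sensor: no update is seen.
    """
    if classify_listing(lines) != "unix":
        return []
    names = []
    for row in entries(lines):
        match = UNIX_RE.match(row)
        if match.group("type") == "-" and match.group("name").lower().endswith(".pkg"):
            names.append(match.group("name"))
    return names


def fetch_listing(host, user, password, directory, timeout=10):
    """Fetch the raw LIST response from the update server (needs network access)."""
    lines = []
    with FTP(host, timeout=timeout) as ftp:
        ftp.login(user, password)
        ftp.cwd(directory)
        ftp.retrlines("LIST", lines.append)
    return lines


if __name__ == "__main__":
    for label, sample in (("unix sample", UNIX_SAMPLE), ("dos sample", DOS_SAMPLE)):
        print(label, classify_listing(sample), update_candidates(sample))
```

Pass the result of fetch_listing to classify_listing to test a live server; anything other than "unix" means the server still needs the UNIX-style option enabled.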


Signature Updates and Installation Time

There is a short period of time that traffic is not inspected while you are performing signature updates. However, traffic continues to flow if you have bypass enabled.

When a signature update adds or modifies signatures that contain regular expressions, the regular expression cache tables used by SensorApp have to be recompiled. The amount of recompile time varies by platform, number of signatures modified and/or added, and type of signatures modified and/or added.

If a signature update only adds one or two new signatures on a high-end platform, the recompile can be as fast as a few seconds.

The recompile takes several minutes and even up to a half hour under the following conditions:

When a signature update adds a large number of signatures, for example, when you skip several signature levels to install a newer one, such as installing S258 on top of S240.

When a signature update modifies a large number of signatures, for example when a large number of older signatures is disabled and/or retired.

During the recompile, SensorApp stops monitoring packets. The interface driver detects this when the packet buffers begin filling up on the way to SensorApp and the driver stops receiving packets from SensorApp. If the sensor is in inline mode, the driver either turns on bypass if the bypass option is set to Auto, or brings down the interface links if bypass is set to Off.


Note Some packets can be dropped before the bypass setting begins operating. Once SensorApp finishes recompiling the regular expression cache files, it reconnects to the driver and begins monitoring again. The driver then begins passing packets to SensorApp for analysis and, if necessary, brings the interface links back up.


Auto/Cisco.com Update Pane Field Definitions

The following fields are found in the Auto/Cisco.com Update pane:

Enable Auto Update From a Remote Server—Lets the sensor install updates stored on a remote server.


Note If Enable Auto Update From a Remote Server is not checked, all fields are disabled and cleared. You cannot toggle this on or off without losing all other settings.


Remote Server Settings—Lets you specify the following options for the remote server:

IP Address—Identifies the IP address of the remote server.

File Copy Protocol—Specifies whether to use FTP or SCP.

Directory—Identifies the path to the update on the remote server.

Username—Identifies the username corresponding to the user account on the remote server.

Password—Identifies the password for the user account on the remote server.

Confirm Password—Confirms the password by forcing you to retype the remote server password.

Enable Signature and Engine Updates from Cisco.com—Lets the sensor go to Cisco.com to download signature and engine updates.

Cisco.com Server Settings—Lets you specify the following options for the Cisco.com server:

Username—Identifies the username corresponding to the user account on Cisco.com.

Cisco.com URL—Automatically populated with the correct URL when you check the Enable Signature and Engine Updates from Cisco.com check box.

Password—Identifies the password for the user account on Cisco.com.

Confirm Password—Confirms the password by forcing you to retype the Cisco.com password.

Schedule—Lets you specify the following schedule options:

Start Time—Identifies the time to start the update process. This is the time when the sensor will contact the remote server and search for an available update.

Frequency—Specifies whether to perform updates on an hourly or weekly basis.

Hourly—Specifies to check for an update every n hours.

Daily—Specifies the days of the week to perform the updates.

Auto Update Info—Displays information about automatic update attempts:

Last Directory Read Attempt—Displays the last time the sensor accessed the automatic update directory to check for new updates.

Last Download Attempt—Displays the last time the sensor tried to download updates.

Last Install Attempt—Displays the last time the sensor tried to install updates.

Next Attempt—Displays the next time the sensor will try to download updates.

Configuring Auto Update

To configure automatic updates from a remote server or Cisco.com, follow these steps:


Step 1 Log in to the IDM using an account with administrator privileges.

Step 2 Choose Configuration > Sensor Management > Auto/Cisco.com Update.

Step 3 To enable automatic updates from a remote server, check the Enable Auto Update from a Remote Server check box:

a. In the IP Address field, enter the IP address of the remote server where you have downloaded and stored updates.

b. To identify the protocol used to connect to the remote server, from the File Copy Protocol drop-down list, choose either FTP or SCP.

c. In the Directory field, enter the path to the directory on the remote server where the updates are located. A valid value for the path is 1 to 128 characters.

d. In the Username field, enter the username to use when logging in to the remote server. A valid value for the username is 1 to 2047 characters.

e. In the Password field, enter the username password on the remote server. A valid value for the password is 1 to 2047 characters.

f. In the Confirm Password field, enter the password to confirm it.

g. For hourly updates, check the Hourly check box, and follow these steps:

In the Start Time field, enter the time you want the updates to start. The valid value is hh:mm:ss.

In the Every_hours field, enter the hour interval at which you want every update to occur. The valid value is 1 to 8760.

For example, if you enter 5, every 5 hours the sensor looks at the directory of files on the server. If there is an available update candidate, it is downloaded and installed. Only one update is installed per cycle even if there are multiple available candidates. The sensor determines the most recent update that can be installed and installs that file.

h. For weekly updates, check the Daily check box, and follow these steps:

In the Start Time field, enter the time you want the updates to start. The valid value is hh:mm:ss.

In the Days field, check the day(s) you want the sensor to check for and download available updates.

Step 4 To enable signature and engine updates from Cisco.com, check the Enable Signature and Engine Updates from Cisco.com check box:

a. In the Username field, enter the username to use when logging in to Cisco.com. A valid value for the username is 1 to 2047 characters.

b. In the Password field, enter the username password for Cisco.com. A valid value for the password is 1 to 2047 characters.

c. In the Confirm Password field, enter the password to confirm it.

d. For hourly updates, check the Hourly check box, and follow these steps:

In the Start Time field, enter the time you want the updates to start. The valid value is hh:mm:ss.

In the Every_hours field, enter the hour interval at which you want every update to occur. The valid value is 1 to 8760.

For example, if you enter 5, every 5 hours the sensor looks at the directory of files on the server. If there is an available update candidate, it is downloaded and installed. Only one update is installed per cycle even if there are multiple available candidates. The sensor determines the most recent update that can be installed and installs that file.

e. For weekly updates, check the Daily check box, and follow these steps:

In the Start Time field, enter the time you want the updates to start. The valid value is hh:mm:ss.

In the Days field, check the day(s) you want the sensor to check for and download available updates.


Tip To discard your changes, click Reset.


Step 5 Click Apply to save your changes.


Manually Updating the Sensor

This section describes how to manually update the sensor, and contains the following topics:

Update Sensor Pane

Update Sensor Pane Field Definitions

Updating the Sensor

Update Sensor Pane


Note You must be administrator to view the Update Sensor pane and to update the sensor with service packs and signature updates.


In the Update Sensor pane, you can immediately apply service pack and signature updates. Sensor upgrade/update package filenames have the .pkg extension.


Note To manually update the sensor, you must download the service pack and signature updates from Cisco.com to your FTP server, and then configure the sensor to download them from your FTP server.



Caution You cannot apply system image files on the Update Sensor pane. You must follow the procedures for reimaging your sensor. System image filenames have the .img or .aip extension.

Update Sensor Pane Field Definitions

The following fields are found in the Update Sensor pane:

Update is located on a remote server and is accessible by the sensor—Lets you specify the following options:

URL—Identifies the type of server where the update is located. Specify whether to use FTP, HTTP, HTTPS, or SCP.

://—Identifies the path to the update on the remote server.

Username—Identifies the username corresponding to the user account on the remote server.

Password—Identifies the password for the user account on the remote server.

Update is located on this client—Lets you specify the following options:

Local File Path—Identifies the path to the update file on this local client.

Browse Local—Opens the Browse dialog box for the file system on this local client. From this dialog box, you can navigate to the update file.

Updating the Sensor

To immediately apply a service pack and signature update, follow these steps:


Step 1 Log in to the IDM using an account with administrator privileges.

Step 2 Choose Configuration > Sensor Management > Update Sensor.

Step 3 To pull an update down from a remote server and install it on the sensor, follow these steps:

a. Check the Update is located on a remote server and is accessible by the sensor check box.

b. In the URL field, enter the URL where the update can be found.


Note You must have already downloaded the update from Cisco.com and put it on the FTP server.


The following URL types are supported:

FTP:—Source URL for an FTP network server.

The syntax for this prefix is the following:

ftp://location/relative_directory/filename

or

ftp://location//absolute_directory/filename

HTTPS:—Source URL for a web server.


Note Before using the HTTPS protocol, set up a TLS trusted host.


The syntax for this prefix is the following:

https://location/directory/filename

SCP:—Source URL for an SCP network server.

The syntax for this prefix is the following:

scp://location/relative_directory/filename

or

scp://location/absolute_directory/filename

HTTP:—Source URL for a web server.

The syntax for this prefix is the following:

http://location/directory/filename

The following example shows the FTP protocol:

ftp://user@ip_address/UPDATES/file_name.rpm.pkg

c. In the Username field, enter the username for an account on the remote server.

d. In the Password field, enter the password associated with this account on the remote server.

Step 4 To push from the local client and install it on the sensor, follow these steps:

a. Check the Update is located on this client check box.

b. Specify the path to the update file on the local client or click Browse Local to navigate through the files on the local client.

Step 5 Click Update Sensor. The Update Sensor dialog box tells you that if you want to update, you will lose your connection to the sensor and you must log in again.

Step 6 Click OK to update the sensor.


Note The IDM and CLI connections are lost during the following updates: service pack, minor, major, and engineering patch. If you are applying one of these updates, the installer restarts the IPS applications. A reboot of the sensor is possible. You do not lose the connection when applying signature updates and you do not need to reboot the system.



Tip To discard your changes and close the dialog box, click Cancel.
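The URL rules from Step 3 of the procedure above can be checked before a value is entered in the URL field. The following Python is an added example, not Cisco code; the function name, the result layout, and the 192.0.2.10 addresses and file names in the samples are constructed, and the cleartext note for FTP and HTTP is a general property of those protocols rather than a statement from the guide.

```python
import posixpath
from urllib.parse import urlsplit

SUPPORTED_SCHEMES = {"ftp", "http", "https", "scp"}  # URL types listed in Step 3
CLEARTEXT_SCHEMES = {"ftp", "http"}                  # no transport encryption
SYSTEM_IMAGE_EXTS = {".img", ".aip"}                 # cannot be applied from this pane


def check_update_url(url):
    """Validate a source URL for the Update Sensor pane.

    Returns a dict with 'ok', 'errors', 'notes', 'scheme', 'filename' and
    'path_kind' ('relative' or 'absolute' for FTP, otherwise None).
    """
    errors, notes = [], []
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return {"ok": False, "errors": [f"unparseable URL: {exc}"], "notes": [],
                "scheme": None, "filename": None, "path_kind": None}

    scheme = parts.scheme.lower()
    if scheme not in SUPPORTED_SCHEMES:
        errors.append(f"unsupported URL type: {scheme or '(none)'}")
    if not parts.hostname:
        errors.append("no server location in URL")

    filename = posixpath.basename(parts.path)
    ext = posixpath.splitext(filename)[1].lower()
    if not filename:
        errors.append("URL does not name an update file")
    elif ext in SYSTEM_IMAGE_EXTS:
        errors.append(f"{filename} is a system image; reimage the sensor instead")
    elif ext != ".pkg":
        errors.append(f"{filename} does not have the .pkg extension")

    # The guide distinguishes FTP paths by a doubled slash after the location.
    path_kind = None
    if scheme == "ftp":
        path_kind = "absolute" if parts.path.startswith("//") else "relative"

    if scheme in CLEARTEXT_SCHEMES:
        notes.append("credentials and package travel unencrypted; prefer SCP or HTTPS")
    if scheme == "https":
        notes.append("set up a TLS trusted host on the sensor before using HTTPS")

    return {"ok": not errors, "errors": errors, "notes": notes,
            "scheme": scheme, "filename": filename, "path_kind": path_kind}


if __name__ == "__main__":
    samples = [  # constructed URLs
        "ftp://user@192.0.2.10/UPDATES/file_name.rpm.pkg",
        "ftp://user@192.0.2.10//srv/updates/file_name.rpm.pkg",
        "https://192.0.2.10/updates/file_name.rpm.pkg",
        "scp://user@192.0.2.10/updates/sensor-system.img",
        "tftp://192.0.2.10/file_name.rpm.pkg",
    ]
    for sample in samples:
        result = check_update_url(sample)
        print(sample, "->", "ok" if result["ok"] else result["errors"], result["notes"])
```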



Restoring Defaults


Note You must be administrator to view the Restore Defaults pane and to restore the sensor defaults.


On the Restore Defaults pane, you can restore the sensor to its default configuration at any time.


Warning Restoring the defaults removes the current application settings and restores the default settings. Your network settings also return to the defaults and you immediately lose connection to the sensor.

To restore the default configuration, follow these steps:


Step 1 Log in to the IDM using an account with administrator privileges.

Step 2 Choose Configuration > Sensor Management > Restore Defaults.

Step 3 To restore the default configuration, click Restore Defaults.

Step 4 In the Restore Defaults dialog box, click OK.


Note Restoring defaults resets the IP address, netmask, default gateway, and access list. The password and time are not reset. Manual and automatic blocks also remain in effect. You must manually reboot your sensor.



Rebooting the Sensor


Note You must be administrator to see the Reboot Sensor pane and to reboot the sensor.


You can shut down and restart the sensor from the Reboot Sensor pane.

To reboot the sensor, follow these steps:


Step 1 Log in to the IDM using an account with administrator privileges.

Step 2 Choose Configuration > Sensor Management > Reboot Sensor, and then click Reboot Sensor.

Step 3 To shut down and restart the sensor, click OK. The sensor applications shut down and then the sensor reboots. After the reboot, you must log back in.


Note There is a 30-second delay during which users who are logged in to the CLI are notified that the sensor applications are going to shut down.



Shutting Down the Sensor


Note You must be administrator to view the Shut Down Sensor pane and to shut down the sensor.


You can shut down the IPS applications and then put the sensor in a state in which it is safe to power it off.

To shut down the sensor, follow these steps:


Step 1 Log in to the IDM using an account with administrator privileges.

Step 2 Choose Configuration > Sensor Management > Shut Down Sensor, and then click Shut Down Sensor.

Step 3 In the Shut Down Sensor dialog box, click OK. The sensor applications shut down and any open connections to the sensor are closed.


Note There is a 30-second delay during which users who are logged in to the CLI are notified that the sensor applications are going to shut down.