IDS Device Manager Administration Tasks [Cisco IPS 4200 Series Sensors]

Table Of Contents

IDS Device Manager Administration Tasks

Viewing Diagnostics

Viewing System Information

Applying Service Pack and Signature Updates

Configuring IP Logging

Blocking Hosts Manually

Blocking Networks Manually

Resetting and Powering Down the Sensor

IDS Device Manager Administration Tasks

The Administration tab enables you to perform the following tasks:

•Viewing Diagnostics

•Viewing System Information

•Applying Service Pack and Signature Updates

•Configuring IP Logging

•Blocking Hosts Manually

•Blocking Networks Manually

•Resetting and Powering Down the Sensor

Viewing Diagnostics

You can obtain diagnostics information on your sensors for troubleshooting purposes.

Note Running diagnostics takes several minutes to complete.

To run diagnostics, follow these steps:

Step 1 Select Administration > Support > Diagnostics.

The Diagnostics page appears.

Step 2 Click Run Diagnostics.

The Cancel Diagnostics Command page appears with the following message:
Diagnostics are being generated. Please stand by. 
The View Diagnostics Result page appears.

Step 3 Click View Results to see the diagnostics report.

The IDS 4.1 System Status Report appears in HTML format in another window.

Note The next time you open the Diagnostics page, there is an additional button, View Last Report. Click View Last Report to view the most recent report. This report is deleted when you run a new one.

Step 4 To save this report as a file, view the report in your browser and select File > Save As.

Viewing System Information

The System Information page displays the following information:

•TAC contact information.

•Software version.

•Status of applications.

•Interface information.

•Resource usage.

To view system information, follow these steps:

Step 1 Select Administration > Support > System Information.

The System Information page appears.

Step 2 To access the Cisco Technical Support website, click the following link:

http://www.cisco.com/en/US/support/index.html

Applying Service Pack and Signature Updates

The Update page enables you to immediately apply service pack and signature updates.

Note The sensor cannot download service pack and signature updates from Cisco.com. You must download the service pack and signature updates from Cisco.com to your FTP server, and then configure the sensor to download them from your FTP server.

See Supported FTP Servers, for a list of supported servers.

To immediately apply a service pack and signature update, follow these steps:

Step 1 Select Administration > Update.

The Update page appears.

Step 2 In the URL field, enter the URL where the update can be found.

The following URL types are supported:

•ftp:—Source URL for File Transfer Protocol network server.

The syntax for this prefix is

ftp://username@location/relativeDirectory/filename

or

ftp://username@location//absoluteDirectory/filename.

•https:—Source URL for web server.

The syntax for this prefix is https://username@location/directory/filename.

Note Before using the https protocol, use the tls trusted-host command to set up a TLS trusted host. Refer to Cisco Intrusion Detection System Command Reference Version 4.1 for more information.

•scp:—Source URL for the Secure Copy Protocol network server.

The syntax for this prefix is

scp://username@]location/relativeDirectory/filename

or

scp://username@location/absoluteDirectory/filename.

•http:—Source URL for web server.

The syntax for this prefix is

http://username@location/directory/filename.

The following example shows the FTP protocol:
ftp://user@ip_address/UPDATES/file_name.rpm.pkg 
Note You must have already downloaded the update from Cisco.com and put it on the FTP server. See Obtaining Cisco IDS Software, for the procedure for obtaining updates from Cisco.com.

Step 3 In the Password field, enter the particular transport protocol password.

Note You can use the following transport protocols: FTP, or HTTPS, SCP, HTTP.

Note To reset the form, click Reset.

Step 4 Click Apply to Sensor to apply the update.

Note The sensor applications are stopped while the update is applied. If you are applying a service pack, the installer will automatically reboot the Sensor.

Note To schedule regular updates, see Configuring Automatic Updates.

Configuring IP Logging

You can configure the sensor to catch all IP traffic associated with the hosts you specify by IP address.

To generate logs files for specific IP addresses, follow these steps:

Step 1 Select Administration > IP Logging.

The Ip Logging Configuration page appears.

Step 2 Click Add to add hosts whose IP traffic you want to log.

The Adding page appears.

Step 3 In the IP address field, enter the IP address of the host whose IP traffic you want to log.

Step 4 In the Duration field, enter the number of minutes you want to the sensor to log IP traffic (optional).

Step 5 In the Number of Packets field, enter the number of packets you want the sensor to count (optional).

Step 6 In the Number of Bytes field, enter the number of bytes you want to log (optional).

Note When any one of the duration, number of packets, or number of bytes limits is met, the log closes.

Note To reset the form, click Reset.

Step 7 Click Apply to Sensor to save your changes.

The Ip Logging Configuration page now displays the new Log ID.

Note The sensor begins logging and creates a log file that you can view by selecting Monitoring > IP Logs. See Downloading IP Logs, page 4-1, for more information.

Step 8 To discontinue logging IP traffic, select the check box next to the log ID, and then click Stop.

Note The IP log is overwritten when the sensor uses up its allocated space for IP logging.

Blocking Hosts Manually

If you have blocking configured (see Configuring Blocking), you can manually block a host. From the Host Manual Blocks page, you can configure which host is blocked and for how long, and you can view a list of hosts that are being blocked.

To set up the manual blocking of a host, follow these steps:

Step 1 Select Administration > Manual Blocking > Host Manual Blocks.

The Host Manual Blocks page appears.

Step 2 Click Add to add a host to block.

The Adding Page appears.

Step 3 In the Source Address field, enter the IP address of the host you want to block.

Step 4 In the Source Port field, enter the port you want to use to block the host (optional).

Step 5 In the Destination Address field, enter the destination address (optional).

Step 6 From the Protocol list box, select one of these options (optional):

•None

•tcp

•udp

Step 7 Select the Connection Shun check box to block only those connections that have the source IP address, destination IP address, destination port, or protocol specified (optional).

Note If you select the Connection Shun check box, the attacking host is free to connect to other hosts or to other services on the protected host. If destination port and protocol are not specified, the attacking host cannot send packets to the protected host at all, but can access other hosts on the network.

Step 8 In the Timeout field, enter the number of minutes you want the block to last.

Note To create a permanent block, enter -1.

Note To reset the form, click Reset.

Step 9 Click Apply to Sensor to save your changes.

The Host Manual Blocks page lists the hosts that you are blocking and the time remaining.

Step 10 To see how many minutes have passed for a specific block, select the check box next to the host you want to check and click Refresh. The page is refreshed and the remaining block time is shown.

Step 11 To delete a block, select the check box next to the host you want to discontinue the block for, and then click Delete.

The host is no longer in the list of blocked hosts.

Blocking Networks Manually

If you have blocking configured (see Configuring Blocking), you can manually block a network. From the Network Manual Blocks page, you can configure which network is blocked and for how long, and you can view a list of networks that are being blocked.

To set up manual blocking of a network, follow these steps:

Step 1 Select Administration > Manual Blocking > Network Manual Blocks.

The Network Manual Blocks page appears.

Step 2 Click Add to add a network to block.

The Adding page appears.

Step 3 In the IP Address field, enter the IP address of the network you want to block.

Step 4 In the Netmask field, enter the netmask of the network you want to block.

Step 5 In the Timeout field, enter the number of minutes you want the block to last.

Note To create a permanent block, enter -1.

Note To reset the form, click Reset.

Step 6 Click Apply to Sensor to save your changes.

The Network Manual Blocks page lists the networks that you are blocking and the time remaining.

Step 7 To see how many minutes have passed for a specific block, select the check box next to the network you want to check, and then click Refresh. The page is refreshed and the remaining block time is shown.

Step 8 To delete a block, select the check box next to the network you want to discontinue a block for, and then click Delete.

The network is no longer in the list of blocked networks.

Resetting and Powering Down the Sensor

From the System Control page, you can reset or put the sensor in a state where it is safe to power down. Reset shuts down the sensor safely and then restarts the sensor. Power Down safely shuts down the sensor to a point where it is safe to power the unit off.

To reset or power down the sensor, follow these steps:

Step 1 Select Administration > System Control.

The System Control page appears.

Step 2 Select one of the following options from the list box:

•Reset—Shuts down the IDS applications and the sensor, and then reboots. After the reboot, you must log in.

Note There is a 30-second delay during which users who are logged in to the CLI are notified that the IDS applications and sensor are going to shut down.

•Power Down—Shuts down the IDS applications and then puts the sensor in a state in which it is safe to power it off.

Note There is a 30-second delay during which users who are logged in to the CLI are notified that the IDS applications and the sensor are going to shut down.


	IDS Device Manager Administration Tasks
	Download this chapter IDS Device Manager Administration Tasks Feedback Table Of Contents IDS Device Manager Administration Tasks Viewing Diagnostics Viewing System Information Applying Service Pack and Signature Updates Configuring IP Logging Blocking Hosts Manually Blocking Networks Manually Resetting and Powering Down the Sensor IDS Device Manager Administration Tasks The Administration tab enables you to perform the following tasks: •Viewing Diagnostics •Viewing System Information •Applying Service Pack and Signature Updates •Configuring IP Logging •Blocking Hosts Manually •Blocking Networks Manually •Resetting and Powering Down the Sensor Viewing Diagnostics You can obtain diagnostics information on your sensors for troubleshooting purposes. Note Running diagnostics takes several minutes to complete. To run diagnostics, follow these steps: Step 1 Select Administration > Support > Diagnostics. The Diagnostics page appears. Step 2 Click Run Diagnostics. The Cancel Diagnostics Command page appears with the following message: Diagnostics are being generated. Please stand by. The View Diagnostics Result page appears. Step 3 Click View Results to see the diagnostics report. The IDS 4.1 System Status Report appears in HTML format in another window. Note The next time you open the Diagnostics page, there is an additional button, View Last Report. Click View Last Report to view the most recent report. This report is deleted when you run a new one. Step 4 To save this report as a file, view the report in your browser and select File > Save As. Viewing System Information The System Information page displays the following information: •TAC contact information. •Software version. •Status of applications. •Interface information. •Resource usage. To view system information, follow these steps: Step 1 Select Administration > Support > System Information. The System Information page appears. Step 2 To access the Cisco Technical Support website, click the following link: http://www.cisco.com/en/US/support/index.html Applying Service Pack and Signature Updates The Update page enables you to immediately apply service pack and signature updates. Note The sensor cannot download service pack and signature updates from Cisco.com. You must download the service pack and signature updates from Cisco.com to your FTP server, and then configure the sensor to download them from your FTP server. See Supported FTP Servers, for a list of supported servers. To immediately apply a service pack and signature update, follow these steps: Step 1 Select Administration > Update. The Update page appears. Step 2 In the URL field, enter the URL where the update can be found. The following URL types are supported: •ftp:—Source URL for File Transfer Protocol network server. The syntax for this prefix is `ftp://`username@location/relativeDirectory/filename or `ftp://`username@location//absoluteDirectory/filename. •https:—Source URL for web server. The syntax for this prefix is `https://`username@location/directory/filename. Note Before using the https protocol, use the tls trusted-host command to set up a TLS trusted host. Refer to Cisco Intrusion Detection System Command Reference Version 4.1 for more information. •scp:—Source URL for the Secure Copy Protocol network server. The syntax for this prefix is `scp://`username@]location/relativeDirectory/filename or `scp://`username@location/absoluteDirectory/filename. •http:—Source URL for web server. The syntax for this prefix is `http://`username@location/directory/filename. The following example shows the FTP protocol: ftp://user@ip_address/UPDATES/file_name.rpm.pkg Note You must have already downloaded the update from Cisco.com and put it on the FTP server. See Obtaining Cisco IDS Software, for the procedure for obtaining updates from Cisco.com. Step 3 In the Password field, enter the particular transport protocol password. Note You can use the following transport protocols: FTP, or HTTPS, SCP, HTTP. Note To reset the form, click Reset. Step 4 Click Apply to Sensor to apply the update. Note The sensor applications are stopped while the update is applied. If you are applying a service pack, the installer will automatically reboot the Sensor. Note To schedule regular updates, see Configuring Automatic Updates. Configuring IP Logging You can configure the sensor to catch all IP traffic associated with the hosts you specify by IP address. To generate logs files for specific IP addresses, follow these steps: Step 1 Select Administration > IP Logging. The Ip Logging Configuration page appears. Step 2 Click Add to add hosts whose IP traffic you want to log. The Adding page appears. Step 3 In the IP address field, enter the IP address of the host whose IP traffic you want to log. Step 4 In the Duration field, enter the number of minutes you want to the sensor to log IP traffic (optional). Step 5 In the Number of Packets field, enter the number of packets you want the sensor to count (optional). Step 6 In the Number of Bytes field, enter the number of bytes you want to log (optional). Note When any one of the duration, number of packets, or number of bytes limits is met, the log closes. Note To reset the form, click Reset. Step 7 Click Apply to Sensor to save your changes. The Ip Logging Configuration page now displays the new Log ID. Note The sensor begins logging and creates a log file that you can view by selecting Monitoring > IP Logs. See Downloading IP Logs, page 4-1, for more information. Step 8 To discontinue logging IP traffic, select the check box next to the log ID, and then click Stop. Note The IP log is overwritten when the sensor uses up its allocated space for IP logging. Blocking Hosts Manually If you have blocking configured (see Configuring Blocking), you can manually block a host. From the Host Manual Blocks page, you can configure which host is blocked and for how long, and you can view a list of hosts that are being blocked. To set up the manual blocking of a host, follow these steps: Step 1 Select Administration > Manual Blocking > Host Manual Blocks. The Host Manual Blocks page appears. Step 2 Click Add to add a host to block. The Adding Page appears. Step 3 In the Source Address field, enter the IP address of the host you want to block. Step 4 In the Source Port field, enter the port you want to use to block the host (optional). Step 5 In the Destination Address field, enter the destination address (optional). Step 6 From the Protocol list box, select one of these options (optional): •None •tcp •udp Step 7 Select the Connection Shun check box to block only those connections that have the source IP address, destination IP address, destination port, or protocol specified (optional). Note If you select the Connection Shun check box, the attacking host is free to connect to other hosts or to other services on the protected host. If destination port and protocol are not specified, the attacking host cannot send packets to the protected host at all, but can access other hosts on the network. Step 8 In the Timeout field, enter the number of minutes you want the block to last. Note To create a permanent block, enter -1. Note To reset the form, click Reset. Step 9 Click Apply to Sensor to save your changes. The Host Manual Blocks page lists the hosts that you are blocking and the time remaining. Step 10 To see how many minutes have passed for a specific block, select the check box next to the host you want to check and click Refresh. The page is refreshed and the remaining block time is shown. Step 11 To delete a block, select the check box next to the host you want to discontinue the block for, and then click Delete. The host is no longer in the list of blocked hosts. Blocking Networks Manually If you have blocking configured (see Configuring Blocking), you can manually block a network. From the Network Manual Blocks page, you can configure which network is blocked and for how long, and you can view a list of networks that are being blocked. To set up manual blocking of a network, follow these steps: Step 1 Select Administration > Manual Blocking > Network Manual Blocks. The Network Manual Blocks page appears. Step 2 Click Add to add a network to block. The Adding page appears. Step 3 In the IP Address field, enter the IP address of the network you want to block. Step 4 In the Netmask field, enter the netmask of the network you want to block. Step 5 In the Timeout field, enter the number of minutes you want the block to last. Note To create a permanent block, enter -1. Note To reset the form, click Reset. Step 6 Click Apply to Sensor to save your changes. The Network Manual Blocks page lists the networks that you are blocking and the time remaining. Step 7 To see how many minutes have passed for a specific block, select the check box next to the network you want to check, and then click Refresh. The page is refreshed and the remaining block time is shown. Step 8 To delete a block, select the check box next to the network you want to discontinue a block for, and then click Delete. The network is no longer in the list of blocked networks. Resetting and Powering Down the Sensor From the System Control page, you can reset or put the sensor in a state where it is safe to power down. Reset shuts down the sensor safely and then restarts the sensor. Power Down safely shuts down the sensor to a point where it is safe to power the unit off. To reset or power down the sensor, follow these steps: Step 1 Select Administration > System Control. The System Control page appears. Step 2 Select one of the following options from the list box: •Reset—Shuts down the IDS applications and the sensor, and then reboots. After the reboot, you must log in. Note There is a 30-second delay during which users who are logged in to the CLI are notified that the IDS applications and sensor are going to shut down. •Power Down—Shuts down the IDS applications and then puts the sensor in a state in which it is safe to power it off. Note There is a 30-second delay during which users who are logged in to the CLI are notified that the IDS applications and the sensor are going to shut down.
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks