Release Notes for Cisco Intrusion Prevention System 6.0(4a)E1 [Cisco IPS 4200 Series Sensors]

Table Of Contents

Release Notes for Cisco Intrusion Prevention System 6.0(4a)E1

Contents

IPS 6.0(4a)E1 Installation Issue

IPS 6.0(4a)E1 File List

Supported Platforms

Supported Servers

ROMMON and TFTP

IPS Management and Event Viewers

Receiving Cisco IPS Active Update Bulletins

Cisco Security Center

New and Changed Information

Before Upgrading to Cisco IPS 6.0(4a)E1

Perform These Tasks

Copying and Restoring the Configuration File Using a Remote Server

Obtaining Software on Cisco.com

IPS Software Versioning

Major and Minor Updates, Service Packs, and Patch Releases

Signature/Virus Updates and Signature Engine Updates

Recovery and System Image Filenames

6.x Software Release Examples

Upgrading the IDS-4215 BIOS

Upgrading to Cisco IPS 6.0(4a)E1

Upgrade Notes and Caveats

Upgrading to 6.0(4a)E1

Installing the ISO Image File

After Upgrading to Cisco IPS 6.0(4a)E1

Comparing Configurations

SSL Certificate

Logging In to IDM

Licensing the Sensor

Understanding the License

Service Programs for IPS Products

Obtaining and Installing the License Key

Restrictions and Limitations

Recovering the Password

Understanding Password Recovery

Recovering the Appliance Password

Using the GRUB Menu

Using ROMMON

Recovering the IDSM-2 Password

Recovering the NM-CIDS Password

Recovering the AIP-SSM Password

Recovering the AIM-IPS Password

Disabling Password Recovery

Verifying the State of Password Recovery

Troubleshooting Password Recovery

Caveats

Resolved Caveats

Known Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request

Release Notes for Cisco Intrusion Prevention System 6.0(4a)E1

April 1, 2008

Revised: October 6, 2009

Contents

•IPS 6.0(4a)E1 Installation Issue

•IPS 6.0(4a)E1 File List

•Supported Platforms

•Supported Servers

•ROMMON and TFTP

•IPS Management and Event Viewers

•Receiving Cisco IPS Active Update Bulletins

•Cisco Security Center

•New and Changed Information

•Before Upgrading to Cisco IPS 6.0(4a)E1

•Upgrading to Cisco IPS 6.0(4a)E1

•After Upgrading to Cisco IPS 6.0(4a)E1

•Restrictions and Limitations

•Recovering the Password

•Caveats

•Related Documentation

•Obtaining Documentation and Submitting a Service Request

Caution The BIOS on Cisco IDS/IPS sensors is specific to Cisco IDS/IPS sensors and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on Cisco IDS/IPS sensors voids the warranty. For more information on how to obtain instructions and BIOS files from the Cisco website, see Obtaining Software on Cisco.com.

IPS 6.0(4a)E1 Installation Issue

The 6.0(4a)E1E1 service pack upgrade file was repackaged to address an installation issue (CSCs031217).

Caution This repackaged upgrade file replaces the 6.0(4a)E1E1 service pack. Do not install 6.0(4a)E1 over an existing 6.0(4a)E1E1 or higher version sensor. Doing may render your sensor inoperable, which may require you to recover the application partition.

You cannot uninstall the 6.0(4a)E1 service pack. You must reimage your sensor using a system image file. All configuration settings will be lost.

For More Information

•For the procedure for installing system image files, refer to Upgrading, Downgrading, and Installing System Images.

•For the procedure for installing recovery image files, refer to Recovering the Application Partition.

IPS 6.0(4a)E1 File List

The following files are part of Cisco IPS 6.0(4a)E1:

•Service Pack Files

–IPS-K9-6.0-4a-E1.pkg

–IPS-CS-MGR-K9-6.0-4a-E1.zip

•System Image Files

–IPS-4215-K9-sys-1.1-a-6.0-4a-E1.img

–IPS-4240-K9-sys-1.1-a-6.0-4a-E1.img

–IPS-4255-K9-sys-1.1-a-6.0-4a-E1.img

–IPS-4260-K9-sys-1.1-a-6.0-4a-E1.img

–IPS-4270_20-K9-sys-1.1-a-6.0-4a-E1.img

–IPS-SSM_10-K9-sys-1.1-a-6.0-4a-E1.img

–IPS-SSM_20-K9-sys-1.1-a-6.0-4a-E1.img

–IPS-SSM_40-K9-sys-1.1-a-6.0-4a-E1.img

–IPS-AIM-K9-sys-1.1-a-6.0-4a-E1.img

–IPS-NM_CIDS-K9-sys-1.1-a-6.0-4a-E1.img

–WS-IDSM2-K9-sys-1.1-a-6.0-4a-E1.bin.gz

•Recovery Image Files

–IPS-K9-r-1.1-a-6.0-4a-E1.pkg

–IPS-AIM-K9-r-1.1-a-6.0-4a-E1.pkg

•ISO Image File

–IPS-K9-cd-1.1-a-6.0-4a-E1.iso

Note The ISO Image is for IDS-4235 and IDS-4250 series sensors only.

•Readme File

–IPS-6.0-4a-E1.readme.txt

For More Information

•For the procedure for obtaining these files on Cisco.com, see Obtaining Software on Cisco.com.

•For the procedure for installing IOS image files, see Installing the ISO Image File.

Supported Platforms

Note The number of concurrent CLI sessions is limited based on the platform. IDS-4215 and NM-CIDS are limited to three concurrent CLI sessions. All other platforms allow ten concurrent sessions.

Cisco IPS 6.0(4a)E1 is supported on the following platforms:

•IDS-4215 Series Sensor Appliances

•IDS-4235 Series Sensor Appliances

•IPS-4240 Series Sensor Appliances

•IDS-4250 Series Sensor Appliances

•IPS-4255 Series Sensor Appliances

•IPS-4260 Series Sensor Appliances

•IPS 4270-20 Series Sensor Appliances

•WS-SVC-IDSM2 series Intrusion Detection System Module (IDSM-2)

•Intrusion Detection System Network Module (NM-CIDS)

•ASA-SSM-AIP-10 series Cisco ASA Advanced Inspection and Prevention Security Service Modules (AIP-SSM-10)

•ASA-SSM-AIP-20 series Cisco ASA Advanced Inspection and Prevention Security Service Modules (AIP-SSM-20)

•ASA-SSM-AIP-40 series Cisco ASA Advanced Inspection and Prevention Security Service Modules (AIP-SSM-40)

•Intrusion Prevention System Advanced Integration Module (AIM-IPS)

Supported Servers

The following FTP servers are supported for IPS software updates:

•WU-FTPD 2.6.2 (Linux)

•Solaris 2.8.

•Sambar 6.0 (Windows 2000)

•Serv-U 5.0 (Windows 2000)

•MS IIS 5.0 (Windows 2000)

The following HTTP/HTTPS servers are supported for IPS software updates:

•VMS - Apache Server (Tomcat)

•VMS - Apache Server (JRun)

Note The sensor cannot download software updates from Cisco.com. You must download the software updates from Cisco.com to your FTP server, and then configure the sensor to download them from your FTP server.

ROMMON and TFTP

ROMMON uses TFTP to download an image and launch it. TFTP does not address network issues such as latency or error recovery. It does implement a limited packet integrity check so that packets arriving in sequence with the correct integrity value have an extremely low probability of error. But TFTP does not offer pipelining so the total transfer time is equal to the number of packets to be transferred times the network average RTT. Because of this limitation, we recommend that the TFTP server be located on the same LAN segment as the sensor. Any network with an RTT less than a 100 milliseconds should provide reliable delivery of the image.

Some TFTP servers limit the maximum file size that can be transferred to ~32 MB. Therefore, we recommend the following TFTP servers:

•For Windows:

Tftpd32 version 2.0, available at:

http://tftpd32.jounin.net/

•For UNIX:

Tftp-hpa series, available at:

http://www.kernel.org/pub/software/network/tftp/

For More Information

•For the procedure for downloading IPS software updates from Cisco.com, see Obtaining Software on Cisco.com.

•For the procedure for configuring automatic updates, refer to Configuring Automatic Upgrades.

IPS Management and Event Viewers

Use the following tools for configuring IPS 6.0(4a)E1 and E2 sensors:

•IDM 6.0

•IPS CLI 6.0

•ASDM 5.2

•CSM 3.1

Use the following tools for monitoring 6.0(4a)E1 sensors:

•MARS 4.2 and 4.3(1)

•IEV 5.2

•CWSIMS v3.3.1.v3.4 mad v3.4.1

•CIC Security Monitor 3.6

Note Viewers that are already configured to monitor the 5.x sensors may need to be configured to accept a new SSL certificate for the 6.0(4a)E1 sensors.

Receiving Cisco IPS Active Update Bulletins

You can subscribe to Cisco IPS Active Update Bulletins on Cisco.com to receive e-mails when signature updates and service pack updates occur.

To receive bulletins about updates, follow these steps:

Step 1 Log in to Cisco.com.

Step 2 Under Quick Links, choose Security Center.

Step 3 Under Products and Services Updates, choose Cisco IPS Active Update Bulletins.

Step 4 Under Cisco IPS Active Update Bulletins, choose one of the Cisco IPS Active Update Bulletins.

Step 5 Under In this Issue, choose Subscription Information.

Step 6 Under Subscription Information, choose subscribe now.

Step 7 Fill out the required information, as follows:

a. Would you like to receive IDS Active Update Bulletin? Select Yes or No from the drop-down list.

b. In the First Name field, enter your first name.

c. In the Last Name field, enter your last name.

d. In the Company field, enter the name of your company.

e. Choose your country from the drop-down menu.

f. In the E-mail field, enter your e-mail address.

Step 8 Check the check box if you want to receive further information about Cisco products and offerings by e-mail.

Step 9 Fill in the optional information if desired.

a. Choose your job function from the drop-down list.

b. Choose your job level from the drop-down list.

c. Choose your industry or business type from the drop-down list.

d. Choose how many people your organization employs worldwide from the drop-down list.

e. Choose your company or organization type from the drop-down list.

Step 10 Click Submit.

You receive e-mail notifications of updates when they occur and instructions on how to obtain them.

Cisco Security Center

The Cisco Security Center site on Cisco.com provides intelligence reports about current vulnerabilities and security threats. It also has reports on other security topics that help you protect your network and deploy your security systems to reduce organizational risk.

You should be aware of the most recent security threats so that you can most effectively secure and manage your network. The Cisco Security Center contains the top ten intelligence reports listed by date, severity, urgency, and whether there is a new signature available to deal with the threat.

The Cisco Security Center contains a Security News section that lists security articles of interest. There are related security tools and links.

You can access the Cisco Security Center at this URL:

http://tools.cisco.com/MySDN/Intelligence/home.x

The Cisco Security Center is also a repository of information for individual signatures, including signature ID, type, structure, and description.

You can access the signature search at this URL:

http://tools.cisco.com/security/center/search.x?search=Signature

New and Changed Information

Cisco IPS 6.0(4a)E1 includes the following new features and hardware platforms:

•S317 signature update

•Intrusion Prevention System Advanced Integration Module (AIM-IPS)

•Inline asymmetric traffic

Analysis Engine now allows asymmetric traffic to be tracked and analyzed using a relaxed normalization process rather than the standard normalization process.

You can now configure inline interface mode in situations where the Normalizer engine normally blocks or delays traffic because of the strict nature of stream processing, and where normalization is achieved by not doing any protocol checking or packet reordering. You can relax the Normalizer process by adding a flag to the sensorApp.conf file, which requires using the service account. It also requires a sensor reboot.

To enable Asymmetric mode processing, log in to the sensor service account, and edit the /usr/cids/idsRoot/etc/sensorApp.conf file by adding the AsymmetricFlows=true flag to the file:
  [NormalizerSettings]
  QueuedTimeout=4
  AsymmetricFlows=true
After you add the Asymmetric flag, reboot the sensor.

To verify that the Asymmetric mode processing has been enabled, run traffic through the inline sensor and verify that TCP packets pass through the system unaltered and not reordered. You can also verify Asymmetric mode processing in the TCP Normalizer stage statistics. Verify that the number of Current Streams is increasing, but the number of Closed, Closing, Embryonic, and Established streams are all 0:
  Current Streams = 1630
  Current Streams Closed = 0
  Current Streams Closing = 0
  Current Streams Embryonic = 0
  Current Streams Established = 0
•Ability to enable and disable CDP forwarding

Log in to the service account and in the /usr/cids/idsRoot/etc/interface.conf file, change cdp-mode=block to cdp-mode=forward.

Save your changes to the interface.conf file, and reboot the sensor.

For More Information

For more information on the Normalizer engine, refer to Normalizer Engine.

Before Upgrading to Cisco IPS 6.0(4a)E1

This section describes the actions you should take before upgrading to Cisco IPS 6.0(4a)E1. It contains the following topics:

•Perform These Tasks

•Copying and Restoring the Configuration File Using a Remote Server

•Obtaining Software on Cisco.com

•IPS Software Versioning

•Upgrading the IDS-4215 BIOS

Perform These Tasks

Before you upgrade your sensors to Cisco IPS 6.0(4a)E1, make sure you perform the following tasks:

•Upgrade all version 4.x or earlier sensors to IPS 5.0(1) before applying the IPS 6.0(4a)E1 service pack.

•Make sure you have a valid Cisco Service for IPS service contract per sensor so that you can apply software upgrades.

•Created a backup copy of your configuration.

•Saved the output of the show version command.

If you need to downgrade a signature update, you will know what version you had, and you can then apply the configuration you saved when you backed up your configuration.

•Upgraded the IDS-4215 BIOS to the most recent version.

•If you are using SNMP set and/or get features, you must configure the read-only-community and read-write-community parameters before upgrading to IPS 6.0(4a)E1.

In IPS 5.x, the read-only-community was set to public by default, and the read-write-community was set to private by default. In IPS 6.0(4a)E1 these two options do not have default values. If you were not using SNMP gets and sets with IPS 5.x (for example, enable-set-get was set to false), there is no problem upgrading to IPS 6.0(4a)E1. If you were using SNMP gets and sets with IPS 5.x (for example, enable-set-get was set to true), you must configure the read-only-community and read-write-community parameters to specific values or the IPS 6.0(4a)E1 upgrade fails. You receive the following error message:
Error: execUpgradeSoftware : Notification Application "enable-set-get" value set to 
true, but "read-only-community" and/or "read-write-community" are set to null. Upgrade 
may not continue with null values in these fields.
For More Information

•For more information on Cisco service contracts, see Service Programs for IPS Products.

•For the procedure for creating a backup copy of your configuration, see Copying and Restoring the Configuration File Using a Remote Server.

•For the procedure for displaying version information, refer to Displaying Version Information.

•For the procedure for downgrading signature updates on your sensor, refer to Upgrading, Downgrading, and Installing System Images.

•For the procedure for upgrading the IDS-4215 BIOS, see Upgrading the IDS-4215 BIOS.

•For more information on configuring SNMP, for the CLI procedure, refer to Configuring SNMP. For the IDM procedure, refer to Configuring SNMP.

Copying and Restoring the Configuration File Using a Remote Server

Use the copy [/erase] source_url destination_url keyword command to copy the configuration file to a remote server. You can then restore the current configuration from the remote server. You are prompted to back up the current configuration first.

Note We recommend copying the current configuration file to a remote server before upgrading.

The following options apply:

•/erase—Erases the destination file before copying.

This keyword only applies to the current-config; the backup-config is always overwritten. If this keyword is specified for destination current-config, the source configuration is applied to the system default configuration. If it is not specified for the destination current-config, the source configuration is merged with the current-config.

•source_url—The location of the source file to be copied. It can be a URL or keyword.

•destination_url—The location of the destination file to be copied. It can be a URL or a keyword.

The exact format of the source and destination URLs varies according to the file. Here are the valid types:

•ftp:—Source or destination URL for an FTP network server. The syntax for this prefix is:

ftp:[//[username@] location]/relativeDirectory]/filename

ftp:[//[username@]location]//absoluteDirectory]/filename

•scp:—Source or destination URL for the SCP network server. The syntax for this prefix is:

scp:[//[username@] location]/relativeDirectory]/filename

scp:[//[username@] location]//absoluteDirectory]/filename

Note If you use FTP or SCP protocol, you are prompted for a password. If you use SCP protocol, you must also add the remote host to the SSH known hosts list.

•http:—Source URL for the web server. The syntax for this prefix is:

http:[[/[username@]location]/directory]/filename

•https:—Source URL for the web server. The syntax for this prefix is:

https:[[/[username@]location]/directory]/filename

Note HTTP and HTTPS prompt for a password if a username is required to access the website. If you use HTTPS protocol, the remote host must be a TLS trusted host.

The following keywords are used to designate the file location on the sensor:

•current-config—The current running configuration. The configuration becomes persistent as the commands are entered.

•backup-config—The storage location for the configuration backup.

Caution Copying a configuration file from another sensor may result in errors if the sensing interfaces and virtual sensors are not configured the same.

To back up and restore your current configuration, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 To back up the current configuration to the remote server:
sensor# copy current-config ftp://user@10.1.1.1//configs/sensor89.cfg
Password: ********
Step 3 To restore the configuration file that you copied to the remote server:
sensor# copy ftp://user@10.1.1.1//configs/sensor89.cfg current-config 
Password: ********
Warning: Copying over the current configuration may leave the box in an unstable state.
Would you like to copy current-config to backup-config before proceeding? [yes]:
Step 4 Press Enter to copy the configuration file or enter no to stop.

For More Information

•For the CLI procedure for adding TLS trusted hosts, refer to Adding TLS Trusted Hosts. For the IDM procedure, refer to Adding Trusted Hosts.

•For the CLI procedure for adding remote hosts to the SSH known hosts list, refer to Adding Hosts to the SSH Known Hosts List. For the IDM procedure, refer to Defining Known Host Keys.

Obtaining Software on Cisco.com

You can find major and minor updates, service packs, signature and signature engine updates, system and recovery files, firmware upgrades, and readmes on the Download Software site on Cisco.com.

Note You must be logged in to Cisco.com to download software.

Signature updates are posted to Cisco.com approximately every week, more often if needed. Service packs are posted to Cisco.com as needed. Major and minor updates are also posted periodically. Check Cisco.com regularly for the latest IPS software.

Note You must have an active IPS maintenance contract and a Cisco.com password to download software.

Note You must have a license to apply signature updates.

To download software on Cisco.com, follow these steps:

Step 1 Log in to Cisco.com.

Step 2 From the Support drop-down menu, choose Download Software.

Step 3 Under Select a Software Product Category, choose Security Software.

Step 4 Choose Intrusion Prevention System (IPS).

Step 5 Enter your username and password.

Step 6 In the Download Software window, choose IPS Appliances > Cisco Intrusion Prevention System and then click the version you want to download.

Note You must have an IPS subscription service license to download software.

Step 7 Click the type of software file you need.

The available files appear in a list in the right side of the window. You can sort by file name, file size, memory, and release date. And you can access the Release Notes and other product documentation.

Step 8 Click the file you want to download.

The file details appear.

Step 9 Verify that it is the correct file, and click Download.

Step 10 Click Agree to accept the software download rules.

The first time you download a file from Cisco.com, you must fill in the Encryption Software Export Distribution Authorization form before you can download the software.

•Fill out the form and click Submit.

The Cisco Systems Inc. Encryption Software Usage Handling and Distribution Policy appears.

•Read the policy and click I Accept.

The Encryption Software Export/Distribution Form appears.

If you previously filled out the Encryption Software Export Distribution Authorization form, and read and accepted the Cisco Systems Inc. Encryption Software Usage Handling and Distribution Policy, these forms are not displayed again.

The File Download dialog box appears.

Step 11 Open the file or save it to your computer.

Step 12 Follow the instructions in the Readme to install the update.

Note Major and minor updates, service packs, recovery files, signature and signature engine updates are the same for all sensors. System image files are unique per platform.

For More Information

•For the procedure for obtaining and installing the license, see Licensing the Sensor.

•For an explanation of the IPS file versioning scheme, see IPS Software Versioning.

IPS Software Versioning

This section describes the various IPS software files, and contains the following sections:

•Major and Minor Updates, Service Packs, and Patch Releases

•Signature/Virus Updates and Signature Engine Updates

•Recovery and System Image Filenames

•6.x Software Release Examples

Major and Minor Updates, Service Packs, and Patch Releases

Figure 1 illustrates what each part of the IPS software file represents for major and minor updates, service packs, and patch releases.

Figure 1 IPS Software File Name for Major and Minor Updates, Service Packs, and Patch Releases

Major Update

Contains new functionality or an architectural change in the product. For example, the IPS 6.0 base version includes everything (except deprecated features) since the previous major release (the minor update features, service pack fixes, and signature updates) plus any new changes. Major update 6.0(1) requires 5.x. With each major update there are corresponding system and recovery packages.

Note The 6.0(1) major update is only used to upgrade 5.x sensors to 6.0(1). If you are reinstalling 6.0(1) on a sensor that already has 6.0(1) installed, use the system image or recovery procedures rather than the major update.

Minor Update

Incremental to the major version. Minor updates are also base versions for service packs. The first minor update for 6.0 is 6.1(1). Minor updates are released for minor enhancements to the product. Minor updates contain all previous minor features (except deprecated features), service pack fixes, signature updates since the last major version, and the new minor features being released. You can install the minor updates on the previous major or minor version (and often even on earlier versions). The minimum supported version needed to upgrade to the newest minor version is listed in the Readme that accompanies the minor update. With each minor update there are corresponding system and recovery packages.

Service Packs

Cumulative following a base version release (minor or major). Service packs are used for the release of defect fixes with no new enhancements. Service packs contain all service pack fixes since the last base version (minor or major) and the new defect fixes being released. Service packs require the minor version. The minimum supported version needed to upgrade to the newest service pack is listed in the Readme that accompanies the service pack. Service packs also include the latest engine update. For example, if service pack 6.0(3) is released, and E3 is the latest engine level, the service pack is released as 6.0(3)E3.

Patch Release

Used to address defects that are identified in the upgrade binaries after a software release. Rather than waiting until the next major or minor update, or service pack to address these defects, a patch can be posted. Patches include all prior patch releases within the associated service pack level. The patches roll into the next official major or minor update, or service pack.

Before you can install a patch release, the most recent major or minor update, or service pack must be installed. For example, patch release 5.0(1p1) requires 5.0(1).

Note Upgrading to a newer patch does not require you to uninstall the old patch. For example, you can upgrade from patch 5.0(1p1) to 5.0(1p2) without first uninstalling 5.0(1p1).

For More Information

For a table listing the types of files with examples of filenames and corresponding software releases, see 6.x Software Release Examples.

Signature/Virus Updates and Signature Engine Updates

Figure 2 illustrates what each part of the IPS software file represents for signature/virus updates.

Figure 2 IPS Software File Name for Signature/Virus Updates,

Signature/Virus Updates

Executable file containing a set of rules designed to recognize malicious network activities. Signature updates are released independently from other software updates. Each time a major or minor update is released, you can install signature updates on the new version and the next oldest version for a period of at least six months. Signature updates are dependent on a required signature engine version. Because of this, a req designator lists the signature engine required to support a particular signature update.

A virus component for the signature updates is packaged with the signature update. Virus updates are generated by Trend Microsystems for use by the Cisco Intrusion Containment System (Cisco ICS). Once created for use by Cisco ICS, they are later be incorporated into standard Cisco signature updates.

Figure 3 illustrates what each part of the IPS software file represents for signature engine updates.

Figure 3 IPS Software File Name for Signature Engine Updates

Signature Engine Updates

Executable files containing binary code to support new signature updates. Signature engine files require a specific service pack, which is also identified by the req designator.

Recovery and System Image Filenames

Figure 4 illustrates what each part of the IPS software file represents for recovery and system image filenames.

Figure 4 IPS Software File Name for Recovery and System Image Filenames

Recovery and system images contain separate versions for the installer and the underlying application. The installer version contains a major and minor version field.

Installer Major Version

The major version is incremented by one of any major changes to the image installer, for example, switching from .tar to rpm or changing kernels.

Installer Minor Version

The minor version can be incremented by any one of the following:

•Minor change to the installer, for example, a user prompt added.

•Repackages require the installer minor version to be incremented by one if the image file must be repackaged to address a defect or problem with the installer.

6.x Software Release Examples

Table 1 lists platform-independent IDS 6.x software release examples. Refer to the Readmes that accompany the software files for detailed instructions on how to install the files.

Table 1 Platform-Independent Release Examples

Release

Target Frequency

Identifier

Example Version

Example Filename

Signature update¹

Weekly

sig

S700

IPS-sig-S700-req-E1.pkg

Signature engine update²

As needed

engine

E1

IPS-engine-E1-req-6.1-3.pkg

Service packs³

Semi-annually
or as needed

—

6.1(3)

IPS-K9-6.1-3-E1.pkg

Minor version update⁴

Annually

—

6.1(1)

IPS-K9-6.1-1-E1.pkg

Major version update⁵

Annually

—

6.0(1)

IPS-K9-6.0-1-E1.pkg

Patch release⁶

As needed

patch

6.0(1p1)

IPS-K9-patch-6.0-1pl-E1.pkg

Recovery package⁷

Annually or as needed

r

1.1-6.0(1)

IPS-K9-r-1.1-a-6.0-1-E1.pkg

¹Signature updates include the latest cumulative IPS signatures.

²Signature engine updates add new engines or engine parameters that are used by new signatures in later signature updates.

³Service packs include defect fixes.

⁴Minor versions include new minor version features and/or minor version functionality.

⁵Major versions include new major version functionality or new architecture.

⁶Patch releases are for interim fixes.

⁷The r 1.1 can be revised to r 1.2 if it is necessary to release a new recovery package that contains the same underlying application image. If there are defect fixes for the installer, for example, the underlying application version may still be 6.0(1), but the recovery partition image will be r 1.2.

Table 2 describes platform-dependent software release examples.

Table 2 Platform-Dependent Release Examples

Release

Target Frequency

Identifier

Supported Platform

Example Filename

System image¹

Annually

sys

Separate file for each sensor platform

IPS-4240-K9-sys-1.1-a-6.0-1-E1.img

Maintenance partition image²

Annually

mp

IDSM-2

c6svc-mp.2-1-2.bin.gz

Bootloader

As needed

bl

NM-CIDS
AIM-IPS

servicesengine-boot-1.0-4.bin
pse_aim_x.y.z.bin (where x, y, z is the release number)

Mini-kernel

As needed

mini-kernel

AIM-IPS

pse_mini_kernel_1.1.10.64.bz2

¹The system image includes the combined recovery and application image used to reimage an entire sensor.

²The maintenance partition image includes the full image for the IDSM-2 maintenance partition. The file is installed from but does not affect the IDSM-2 application partition.

Table 3 describes the platform identifiers used in platform-specific names.

Note IDS-4235 and IDS-4250 do not use platform-specific image files.

Table 3 Platform Identifiers

Sensor Family

Identifier

IDS-4215 series

4215

IPS-4240 series

4240

IPS-4255 series

4255

IPS-4260 series

4260

IPS 4270-20 series

4270_20

IDS module for Catalyst 6K

IDSM2

IDS network module

NM_CIDS

IPS network module

AIM

AIP-SSM

SSM_10
SSM_20
SSM_40

For More Information

For instructions on how to access these files on Cisco.com, see Obtaining Software on Cisco.com.

Upgrading the IDS-4215 BIOS

The BIOS/ROMMON upgrade utility (IDS-4215-bios-5.1.7-rom-1.4.bin) upgrades the BIOS of IDS-4215 to version 5.1.7 and the ROMMON to version 1.4.

To upgrade the BIOS and ROMMON on IDS-4215, follow these steps:

Step 1 Download the BIOS ROMMON upgrade utility (IDS-4215-bios-5.1.7-rom-1.4.bin) to the TFTP root directory of a TFTP server that is accessible from IDS-4215.

Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of IDS-4215.

Step 2 Boot IDS-4215.

While rebooting, IDS-4215 runs the BIOS POST. After the completion of POST, the console displays the message: Evaluating Run Options ...for about 5 seconds.

Step 3 Press Ctrl-R while this message is displayed to display the ROMMON menu.

The console display resembles the following:
CISCO SYSTEMS IDS-4215
Embedded BIOS Version 5.1.3 05/12/03 10:18:14.84
Compiled by ciscouser
Evaluating Run Options ...
Cisco ROMMON (1.2) #0: Mon May 12 10:21:46 MDT 2003
Platform IDS-4215
0: i8255X @ PCI(bus:0 dev:13 irq:11)
1: i8255X @ PCI(bus:0 dev:14 irq:11)
Using 1: i82557 @ PCI(bus:0 dev:14 irq:11), MAC: 0000.c0ff.ee01
Use ? for help.
rommon>
Step 4 If necessary, change the port number used for the TFTP download:
rommon> interface port_number 
The port in use is listed just before the rommon prompt. Port 1 (default port) is being used as indicated by the text, Using 1: i82557 @ PCI(bus:0 dev:14 irq:11), MAC: 0000.c0ff.ee01.

Note Ports 0 (monitoring port) and 1 (command and control port) are labeled on the back of the chassis.

Step 5 Specify an IP address for the local port on IDS-4215:
rommon> address ip_address
Note Use the same IP address that is assigned to IDS-4215.

Step 6 Specify the TFTP server IP address:
rommon> server ip_address
Step 7 Specify the gateway IP address:
rommon> gateway ip_address
Step 8 Verify that you have access to the TFTP server by pinging it from the local Ethernet port:
rommon> ping server_ip_address
rommon> ping server
Step 9 Specify the filename on the TFTP file server from which you are downloading the image:
rommon> file filename
Example:
rommon> file IDS-4215-bios-5.1.7-rom-1.4.bin
Note The syntax of the file location depends on the type of TFTP server used. Contact your system or network administrator for the appropriate syntax if the above format does not work.

Step 10 Download and run the update utility:
rommon> tftp
Step 11 Enter y at the upgrade prompt and the update is executed.

IDS-4215 reboots when the update is complete.

Caution Do not remove power to IDS-4215 during the update process, otherwise the upgrade can get corrupted. If this occurs, IDS-4215 will be unusable and require an RMA.

For More Information

•For a list of supported TFTP servers, see Supported Servers.

•For the procedure for locating software on Cisco.com, see Obtaining Software on Cisco.com.

Upgrading to Cisco IPS 6.0(4a)E1

This section provides information on upgrading to IPS 6.0(4a)E, and contains the following topics:

•Upgrade Notes and Caveats

•Upgrading to 6.0(4a)E1

•Installing the ISO Image File

Upgrade Notes and Caveats

The following upgrade notes and caveats apply to upgrading to 6.0(4a)E1:

•If you have 4.x installed on your sensor, you must upgrade to 5.0(1), then upgrade to 6.0(4a)E1.

•You can upgrade all 5.0 or 5.1 sensors directly to 6.0(4a)E1.

Note 5.1(3) and earlier sensors may display an error message that the upgrade file is not a recognized type. You can ignore this error and continue with the upgrade.

•If you try to upgrade an IPS 5.x sensor to 6.0(4a)E1, you may receive an error that Analysis Engine is not running:

sensor# upgrade scp://user@10.1.1.1/upgrades/IPS-K9-6.0-4a-E1.pkg

Password: ********

Warning: Executing this command will apply a major version upgrade to the application partition. The system may be rebooted to complete the upgrade.

Continue with upgrade?: yes

Error: Analysis Engine is not running. Please reset box and attempt upgrade again.
If you receive this error, you must get Analysis Engine running before trying to upgrade again. This error is often caused by a defect in the currently running version. Try rebooting the sensor, and after reboot, run setup and remove the interfaces from the virtual sensor vs0. When it is not monitoring traffic, Analysis Engine usually stays up and running. You can upgrade to 6.0(4a)E1 at this time. After the upgrade to IPS 6.0(4a)E1, add the interfaces back to the virtual sensor vs0 using the setup command.

Or you can use the recovery CD (if your sensor has a CD-ROM) or the system image file to reimage directly to IPS 6.0(4a)E1. You can reimage a 5.x sensor to 6.0(4a)E1 because the reimage process does not check to see Analysis Engine is running.

Caution Reimaging using the CD or system image file restores all configuration defaults.

•You receive SNMP error messages if you do not have the read-only-community and read-write-community parameters configured before upgrading to IPS 6.0(4a)E1 or E2. If you are using SNMP set and/or get features, you must configure the read-only-community and read-write-community parameters before upgrading to IPS 6.0(4a)E1 or E2. In IPS 5.x, the read-only-community was set to public by default, and the read-write-community was set to private by default. In IPS 6.0(4a)E1 or E2 these two options do not have default values. If you were not using SNMP gets and sets with IPS 5.x (for example, enable-set-get was set to false), there is no problem upgrading to IPS 6.0(4a)E1 or E2. If you were using SNMP gets and sets with IPS 5.x (for example, enable-set-get was set to true), you must configure the read-only-community and read-write-community parameters to specific values or the IPS 6.0(4a)E1 or E2 upgrade fails. You receive the following error message:
Error: execUpgradeSoftware : Notification Application "enable-set-get" value set to 
true, but "read-only-community" and/or "read-write-community" are set to null. Upgrade 
may not continue with null values in these fields.
•IPS 6.0(4a)E1 denies high risk events by default. This is a change from 5.x. To change the default, edit the event action override for the deny packet inline action and configure it to be disabled.

•In 6.0(4a)E1, you will receive messages indicating the you need to install a license. The sensor functions properly without a license, but you will need a license to install signature updates.

•Although upgrading from 5.x to 6.0(4a)E1 preserves sensor configuration settings, all data written to the Event Store as well as any unsupported customizations are lost.

The upgrade may stop if it comes across a value that it cannot translate. If this occurs, the resulting error message provides enough information to adjust the parameter to an acceptable value. After editing the configuration, try the upgrade again.

•After you upgrade from 5.x to 6.0(4a)E1, you cannot downgrade using the downgrade command. If you want to return to the previous version, you must reimage and then copy the backup configuration from a remote server to the reimaged sensor.

For More Information

•For more information on running the setup command, refer to Initializing the Sensor.

•For the procedures for reimaging sensors, refer to Upgrading, Downgrading, and Installing System Images.

•For the procedure for obtaining and installing the license, see Licensing the Sensor.

•For information about SNMP values that must be configured before upgrading from 5.x to 6.0(4a)E1, see Before Upgrading to Cisco IPS 6.0(4a)E1.

•For the procedure for copying the backup configuration file to the reimaged sensor, see Copying and Restoring the Configuration File Using a Remote Server.

•For more information on configuring SNMP in the CLI, refer to Configuring SNMP. For IDM, refer to Configuring SNMP.

•For more information on configuring event action overrides in the CLI, refer to Adding, Editing, Enabling, and Disabling Event Action Overrides. For IDM, refer to Adding, Editing, Deleting, Enabling, and Disabling Event Action Overrides.

Upgrading to 6.0(4a)E1

Note You must have a valid Cisco Service for IPS Maintenance contract per sensor to receive and use software upgrades from Cisco.com.

To upgrade the sensor, follow these steps:

Step 1 Download the service pack update file (IPS-K9-6.0-4a-E1.pkg) to an FTP, SCP, HTTP, or HTTPS server that is accessible from your sensor.

Caution You must log in to Cisco.com using an account with cryptographic privileges to download software. The first time you download software on Cisco.com, you receive instructions for setting up an account with cryptographic privileges.

Caution Do not change the filename. You must preserve the original filename for the sensor to accept the update.

Step 2 Log in to the CLI using an account with administrator privileges.

Step 3 Determine the sensor version:
sensor# show version
Note To install IPS 6.0(4a)E1, the sensor must be at 5.0(1) or later. You must upgrade 4.x and earlier sensors to 5.1(1) before applying the 6.0(4a)E1service pack.

Step 4 Enter configuration mode:
sensor# configure terminal
Step 5 Upgrade the sensor with the service pack:
sensor(config)# upgrade scp://tester@10.1.1.1//upgrade/IPS-K9-6.0-4a-E1.pkg
Step 6 Enter the password when prompted:
Enter password: ********
Step 7 Enter yes to complete the upgrade.

Note The sensor reboots after installing the service pack.

Note 5.1(3) and earlier sensors may display an error message that the upgrade file is not a recognized type. You can ignore this error and continue with the upgrade.

Step 8 Verify your new sensor version:
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 6.0(4a)E1
Host:
    Realm Keys          key1.0
Signature Definition:
    Signature Update    S291.0                   2007-06-18
    Virus Update        V1.2                     2005-11-24
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               ASA-SSM-20
Serial Number:          P300000220
No license present
Sensor up-time is 13 days.
Using 1039052800 out of 2093682688 bytes of available memory (49% usage)
system is using 17.8M out of 29.0M bytes of available disk space (61% usage)
application-data is using 49.9M out of 166.6M bytes of available disk space (32% usage)
boot is using 37.8M out of 68.5M bytes of available disk space (58% usage)
MainApp          N-2007_JUN_19_16_45   (Release)   2007-06-19T17:10:20-0500   Running
AnalysisEngine   N-2007_JUN_19_16_45   (Release)   2007-06-19T17:10:20-0500   Running
CLI              N-2007_JUN_19_16_45   (Release)   2007-06-19T17:10:20-0500
Upgrade History:
  IPS-K9-6.0-4-E.1 15:31:13 UTC Mon Sep 10 2007
Recovery Partition Version 1.1 - 6.0(4a)E1
sensor#
Note For 5.x, you receive a message saying the upgrade is of unknown type. You can ignore this message.

Note The operating system is reimaged and all files that have been placed on the sensor through the service account are removed.

For More Information

•For more information on Cisco service contracts, see Service Programs for IPS Products.

•For the procedure for locating software on Cisco.com and obtaining an account with cryptographic privileges, see Obtaining Software on Cisco.com.

Installing the ISO Image File

Note You must create a recovery CD on a Linux system to install the ISO image for IDS-4235 and IDS-4250.

The Recovery ISO Image is for IDS-4235 and IDS-4250 sensors only.

To create the recovery CD for the ISO image for IDS-4235 and IDS-4250, follow these steps:

Step 1 Insert a blank CD-R media in to the CD-R recorder of the burn host.

Step 2 Enter the following command:
host# cdrecord -v speed=6 dev=0,0 IPS-K9-cd-1.1-a-6.0-5-E3.iso
host# cdrecord -v speed=6 dev=0,0 IPS-K9-cd-1.1-a-6.0-4a-E1.iso
Step 3 Follow the command line arguments for cdrecord.

Note The command line arguments are self-explanatory. For more information, refer to the cdrecord man page.

Step 4 Follow the instructions for using a recovery CD to install the ISO image on IDS-4235 and IDS-4250.

For More Information

For the procedure for using a recovery CD to install images, refer to Using the Recovery/Upgrade CD.

After Upgrading to Cisco IPS 6.0(4a)E1

This section provides information about what to do after you install IPS 6.0(4a)E1. It contains the following topics:

•Comparing Configurations

•SSL Certificate

•Logging In to IDM

•Licensing the Sensor

Comparing Configurations

Compare your backed up and saved 5.1 configuration with the output of the show configuration command after upgrading to 6.0(4a)E1 to verify that all the configuration has been properly converted.

Caution If the configuration is not properly converted, check the list of caveats, or check Cisco.com for any upgrade issues that have been found. Contact the TAC if no DDTS refers to your situation.

For More Information

For a list of the IPS 6.0(4a)E1 caveats, see Caveats.

SSL Certificate

If necessary, import the new SSL certificate for the upgraded sensor in to each tool being used to monitor the sensor.

For More Information

For the CLI procedure for importing a new SSL certificate, refer to Configuring TLS. For IDM, refer to Configuring Certificates.

Logging In to IDM

IDM is a web-based, Java Start application that enables you to configure and manage your sensor. The web server for IDM resides on the sensor. You can access it through Internet Explorer or Firefox web browsers.

To log in to IDM, follow these steps:

Step 1 Open a web browser and enter the sensor IP address:
https://sensor_ip_address
Note IDM is already installed on the sensor.

Note The default address is https://10.1.9.201, which you change to reflect your network environment when you initialize the sensor. When you change the web server port, you must specify the port in the URL address of your browser when you connect to IDM in the format https://sensor_ip_ address:port (for example, https://10.1.9.201:1040).

A Security Alert dialog box appears.

Step 2 Click Yes to accept the security certificate.

The Cisco IPS Device Manager Version 6.0 window appears.

Step 3 To launch IDM, click Run IDM.

The JAVA loading message box appears.

The Warning - Security dialog box appears.

Step 4 To verify the security certificate, check the Always trust content from this publisher check box, and click Yes.

The JAVA Web Start progress dialog box appears.

The IDM on ip_address dialog box appears.

Step 5 To create a shortcut for IDM, click Yes.

Note You must have JRE 1.4.2 or JRE 1.5 (JAVA 5) installed to create shortcuts for IDM. If you have JRE 1.6 (JAVA 6) installed, the shortcut is created automatically.

The Cisco IDM Launcher dialog box appears.

Step 6 To authenticate IDM, enter your username and password, and click OK.

Note Both the default username and password are cisco. You were prompted to change the password during sensor initialization.

IDM begins to load.

The Status dialog box appears with the following message:
Please wait while IDM is loading the current configuration from the sensor.
The main window of IDM appears.

Note If you created a shortcut, you can launch IDM by double-clicking the IDM shortcut icon. You can also close the The Cisco IPS Device Manager Version 6.0 window. After you launch IDM, is it not necessary for this window to remain open.

For More Information

•For more information about security and IDM, refer to IDM and Certificates.

•For the procedure for initializing the sensor, refer to Initializing the Sensor.

Licensing the Sensor

This section describes how to obtain a license key and how to license the sensor using the CLI or IDM. It contains the following topics:

•Understanding the License

•Service Programs for IPS Products

•Obtaining and Installing the License Key

Understanding the License

Although the sensor functions without the license key, you must have a license key to obtain signature updates. To obtain a license key, you must have the following:

•Cisco Service for IPS service contract

Contact your reseller, Cisco service or product sales to purchase a contract.

•Your IPS device serial number

To find the IPS device serial number in IDM, choose Configuration > Licensing, or in the CLI use the show version command.

•Valid Cisco.com username and password

Trial license keys are also available. If you cannot get your sensor licensed because of problems with your contract, you can obtain a 60-day trial license that supports signature updates that require licensing.

You can obtain a license key from the Cisco.com licensing server, which is then delivered to the sensor. Or, you can update the license key from a license key provided in a local file. Go to http://www.cisco.com/go/license and click IPS Signature Subscription Service to apply for a license key.

You can view the status of the license key on the Licensing pane in IDM. Whenever you start IDM, you are informed of your license status—whether you have a trial, invalid, or expired license key. With no license key, an invalid license key, or an expired license key, you can continue to use IDM but you cannot download signature updates.

When you enter the CLI, you are informed of your license status. For example, you receive the following message if there is no license installed:
***LICENSE NOTICE***
There is no license key installed on the system.
The system will continue to operate with the currently installed
signature set. A valid license must be obtained in order to apply
signature updates. Please go to http://www.cisco.com/go/license
to obtain a new license or install a license.
You will continue to see this message until you install a license key.

For More Information

•For more information on Cisco service contracts, see Service Programs for IPS Products.

•For the procedure for obtaining and installing the license key, see Obtaining and Installing the License Key.

Service Programs for IPS Products

You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract. If you do not have a direct relationship with Cisco Systems, you can purchase the service account from a one-tier or two-tier partner.

When you purchase the following IPS products you must also purchase a Cisco Services for IPS service contract:

•IDS-4215

•IDS-4235

•IDS-4250

•IPS-4240

•IPS-4255

•IPS-4260

•IPS 4270-20

•IDSM-2

•NM-CIDS

•AIM-IPS

For ASA 5500 series adaptive security appliance products, if you purchased one of the following ASA 5500 series adaptive security appliance products that do not contain IPS, you must purchase a SMARTnet contract:

•ASA5510-K8

•ASA5510-DC-K8

•ASA5510-SEC-BUN-K9

•ASA5520-K8

•ASA5520-DC-K8

•ASA5520-BUN-K9

•ASA5540-K8

•ASA5540-DC-K8

•ASA5540-BUN-K9

Note SMARTnet provides operating system updates, access to Cisco.com, access to TAC, and hardware replacement NBD on site.

If you purchased one of the following ASA 5500 series adaptive security appliance products that ships with the AIP-SSM installed or if you purchased AIP-SSM to add to your ASA 5500 series adaptive security appliance product, you must purchase the Cisco Services for IPS service contract:

•ASA5510-AIP10-K9

•ASA5520-AIP10-K9

•ASA5520-AIP20-K9

•ASA5540-AIP20-K9

•ASA5520-AIP40-K9

•ASA5540-AIP40-K9

•ASA-SSM-AIP-10-K9=

•ASA-SSM-AIP-20-K9=

•ASA-SSM-AIP-40-K9=

Note Cisco Services for IPS provides IPS signature updates, operating system updates, access to Cisco.com, access to TAC, and on-site hardware replacement next business day.

For example, if you purchased an ASA-5510 and then later wanted to add IPS and purchased an ASA-SSM-AIP-10-K9, you must now purchase the Cisco Services for IPS service contract.

After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key.

Caution If you send your product for RMA, the serial number will change. You must then get a new license key for the new serial number.

For More Information

For the procedure for obtaining and installing the license key, see Obtaining and Installing the License Key.

Obtaining and Installing the License Key

You can install the license key through the CLI or IDM. This section describes how to obtain and install the license key, and contains the following topics:

•Using IDM

•Using the CLI

Using IDM

Note In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.

To obtain and install the license key, follow these steps:

Step 1 Log in to IDM using an account with administrator privileges.

Step 2 Choose Configuration > Licensing.

The Licensing pane displays the status of the current license. If you have already installed your license, you can click Download to save it if needed.

Step 3 Obtain a license key by doing one of the following:

•Check the Cisco Connection Online check box to obtain the license from Cisco.com.

IDM contacts the license server on Cisco.com and sends the server the serial number to obtain the license key. This is the default method. Go to Step 4.

•Check the License File check box to use a license file.

To use this option, you must apply for a license key at this URL: www.cisco.com/go/license.

The license key is sent to you in e-mail and you save it to a drive that IDM can access. This option is useful if your computer cannot access Cisco.com. Go to Step 7.

Step 4 Click Update License.

The Licensing dialog box appears.

Step 5 Click Yes to continue.

The Status dialog box informs you that the sensor is trying to connect to Cisco.com. An Information dialog box confirms that the license key has been updated.

Step 6 Click OK.

Step 7 Go to www.cisco.com/go/license.

Step 8 Fill in the required fields.

Caution You must have the correct IPS device serial number because the license key only functions on the device with that number.

Your license key will be sent to the e-mail address you specified.

Step 9 Save the license key to a hard-disk drive or a network drive that the client running IDM can access.

Step 10 Log in to IDM.

Step 11 Choose Configuration > Licensing.

Step 12 Under Update License, check the Update From: License File check box.

Step 13 In the Local File Path field, specify the path to the license file or click Browse Local to browse to the file.

The Select License File Path dialog box appears.

Step 14 Browse to the license file and click Open.

Step 15 Click Update License.

For More Information

For more information on Cisco service contracts, see Service Programs for IPS Products.

Using the CLI

Use the copy source-url license_file_name license-key command to copy the license key to your sensor.

The following options apply:

•source-url—The location of the source file to be copied. It can be a URL or keyword.

•destination-url—The location of the destination file to be copied. It can be a URL or a keyword.

•license-key—The subscription license file.

•license_file_name—The name of the license file you receive.

Note You cannot install an older license key over a newer license key.

The exact format of the source and destination URLs varies according to the file. Here are the valid types:

•ftp:—Source or destination URL for an FTP network server. The syntax for this prefix is:

ftp:[//[username@] location]/relativeDirectory]/filename

ftp:[//[username@]location]//absoluteDirectory]/filename

•scp:—Source or destination URL for the SCP network server. The syntax for this prefix is:

scp:[//[username@] location]/relativeDirectory]/filename

scp:[//[username@] location]//absoluteDirectory]/filename

Note If you use FTP or SCP protocol, you are prompted for a password. If you use SCP protocol, you must add the remote host must to the SSH known hosts list.

•http:—Source URL for the web server. The syntax for this prefix is:

http:[[/[username@]location]/directory]/filename

•https:—Source URL for the web server. The syntax for this prefix is:

https:[[/[username@]location]/directory]/filename

Note If you use HTTPS protocol, the remote host must be a TLS trusted host.

To install the license key, follow these steps:

Step 1 Apply for the license key at this URL: www.cisco.com/go/license.

Note In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.

Step 2 Fill in the required fields.

Note You must have the correct IPS device serial number because the license key only functions on the device with that number.

Your Cisco IPS Signature Subscription Service license key will be sent by e-mail to the e-mail address you specified.

Step 3 Save the license key to a system that has a web server, FTP server, or SCP server.

Step 4 Log in to the CLI using an account with administrator privileges.

Step 5 Copy the license key to the sensor:
sensor# copy scp://user@10.89.147.3://tftpboot/dev.lic license-key
Password: *******
Step 6 Verify the sensor is licensed:
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 6.0(4a)E1
Host: 
    Realm Keys             key1.0 
Signature Definition: 
    Signature Update       S317.0			2008-02-13 
    Virus Update           V1.2			2005-11-24 
OS Version:                2.4.30-IDS-smp-bigphys 
Platform:                  IPS-4255-K9 
Serial Number:             JAB0815R00N 
Licensed, expires:         30-Dec-2008 UTC 
Sensor up-time is 45 min.
Using 1885913088 out of 3974135808 bytes of available memory (47% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
application-data is using 43.5M out of 166.8M bytes of available disk space (28% usage)
boot is using 38.5M out of 68.6M bytes of available disk space (59% usage)
MainApp			N-2008_FEB_15_16_16   (Release)  2008-02-15T17:08:23-0600  Running
AnalysisEngine		N-2008_FEB_15_16_16   (Release)  2008-02-15T17:08:23-0600  Running 
CLI			N-2008_FEB_15_16_16   (Release)  2008-02-15T17:08:23-0600 
Upgrade History:
  IPS-K9-6.0-4a-E1 17:45:18 UTC Tue May 06 2008 
Recovery Partition Version 1.1 - 6.0(4a)E1
sensor#
Step 7 Copy your license key from a sensor to a server to keep a backup copy of the license:
sensor# copy license-key scp://user@10.89.147.3://tftpboot/dev.lic 
Password: *******
sensor#
For More Information

•For the CLI procedure for adding hosts to the SSH known hosts list, refer to Adding Hosts to the SSH Known Hosts List. For the IDM procedure, refer to Defining Known Host Keys.

•For the CLI procedure for adding TLS trusted hosts, refer to Adding TLS Trusted Hosts. For the IDM procedure, refer to Adding Trusted Hosts.

•For more information on Cisco service contracts, see Service Programs for IPS Products.

Restrictions and Limitations

The following restrictions and limitations apply to Cisco IPS 6.0(4a)E1 software and the products that run 6.0(4a)E1:

•Do not confuse Cisco IOS IDS or Cisco IPS (a software-based intrusion-detection/prevention application that runs in the Cisco IOS) with the IPS that runs on the NM-CIDS. The NM-CIDS runs Cisco IPS 6.0(4a)E1. Because performance can be reduced and duplicate alarms can be generated, we recommend that you do not run Cisco IOS IDS and Cisco IPS 6.0(4a)E1 simultaneously.

•Only one NM-CIDS is supported per Cisco 2600, 2811, 2821 2851, 3825, 3845, and 3700 series router.

•Jumbo frames are not supported on the NM-CIDS.

•NM-CIDS does not run in inline mode.

•AIM-IPS, IDS-4215, and NM-CIDS do not support virtualization.

•When you reload the router, AIM-IPS also reloads. To ensure that there is no loss of data on AIM-IPS, make sure you shut down the module using the shutdown command before you use the reload command to reboot the router.

•Do not deploy IOS IPS and AIM-IPS at the same time.

•When AIM-IPS is used with an IOS firewall, make sure SYN flood prevention is done by the IOS firewall.

AIM-IPS and the IOS firewall complement each other's abilities to create security zones in the network and inspect traffic in those zones. Because AIM-IPS and the IOS firewall operate independently, sometimes they are unaware of the other's activities. In this situation, the IOS firewall is the best defense against a SYN flood attack.

•Cisco access routers only support one IDS/IPS per router.

•An IPS appliance can support both promiscuous and inline monitoring at the same time; however you must configure each physical interface in either promiscuous or inline mode. The sensor must contain at least two physical sensing interfaces to perform both promiscuous and inline monitoring. The exceptions to this are AIP-SSM-10, AIP-SSM-20, and AIP-SSM-40. AIP-SSM can support both promiscuous and inline monitoring on its single physical back plane interface inside the adaptive security appliance. The configuration on the main adaptive security appliance can be used to designate which packets/connections should be monitored by AIP-SSM as either promiscuous or inline.

•When deploying an IPS sensor monitoring two sides of a network device that does TCP sequence number randomization, we recommend using a virtual senor for each side of the device. If you are using IDS-4125, which does not support virtualization, configure vs0 to track TCP sessions by VLAN and interface.

•IDM does not support any non-English characters, such as the German umlaut or any other special language characters. If you enter such characters as a part of an object name through IDM, they are turned into something unrecognizable and you will not be able to delete or edit the resulting object through IDM or the CLI.

This is true for any string that is used by CLI as an identifier, for example, names of time periods, inspect maps, server and URL lists, and interfaces.

•You can only install eight IDSM-2s per switch chassis.

•The HTML-based IDM has been replaced with a Java applet.

•When SensorApp is reconfigured, there is a short period when SensorApp is unable to respond to any queries. Wait a few minutes after reconfiguration is complete before querying SensorApp for additional information.

For More Information

For more information about which modules Cisco routers support, refer to Interoperability With Other IPS Modules.

Recovering the Password

For most IPS platforms, you can now recover the password on the sensor rather than using the service account or reimaging the sensor. This section describes how to recover the password for the various IPS platforms. It contains the following topics:

•Understanding Password Recovery

•Recovering the Appliance Password

•Recovering the IDSM-2 Password

•Recovering the NM-CIDS Password

•Recovering the AIP-SSM Password

•Recovering the AIM-IPS Password

•Disabling Password Recovery

•Verifying the State of Password Recovery

•Troubleshooting Password Recovery

Understanding Password Recovery

Password recovery implementations vary according to IPS platform requirements. Password recovery is implemented only for the cisco administrative account and is enabled by default. The IPS administrator can then recover user passwords for other accounts using the CLI. The cisco user password reverts to cisco and must be changed after the next login.

Note Administrators may need to disable the password recovery feature for security reasons.

Table 4 lists the password recovery methods according to platform.

Table 4 Password Recovery Methods According to Platform

Platform

Description

Recovery Method

4200 series sensors

Stand-alone IPS appliances

GRUB prompt or ROMMON

AIP-SSM

ASA 5500 series adaptive security appliance modules

ASA CLI command

IDSM-2

Switch IPS module

Download image through maintenance partition

NM-CIDS
AIM-IPS

Router IPS modules

Bootloader command

For More Information

For more information on when and how to disable password recovery, see Disabling Password Recovery.

Recovering the Appliance Password

This section describes the two ways to recover the password for appliances. It contains the following topics:

•Using the GRUB Menu

•Using ROMMON

Using the GRUB Menu

For 4200 series appliances, the password recovery is found in the GRUB menu, which appears during bootup. When the GRUB menu appears, press any key to pause the boot process.

Note You must have a terminal server or direct serial connection to the appliance to use the GRUB menu to recover the password.

To recover the password on appliances, follow these steps:

Step 1 Reboot the appliance.

•The following menu appears:
GNU GRUB version 0.94 (632K lower / 523264K upper memory)
-------------------------------------------
0: Cisco IPS
1: Cisco IPS Recovery
2: Cisco IPS Clear Password (cisco)
-------------------------------------------
    Use the ^ and v keys to select which entry is highlighted.
    Press enter to boot the selected OS, 'e' to edit the
    Commands before booting, or 'c' for a command-line.
    Highlighted entry is 0:
Step 2 Press any key to pause the boot process.

Step 3 Choose 2: Cisco IPS Recovery.

The password is reset to cisco. You can change the password the next time you log into the CLI.

For More Information

For more information about setting up a terminal server, refer to Connecting an Appliance to a Terminal Server.

Using ROMMON

For IPS-4240 and IPS-4255 you can use the ROMMON to recover the password. To access the ROMMON CLI, reboot the sensor from a terminal server or direct connection and interrupt the boot process.

To recover the password using the ROMMON CLI, follow these steps:

Step 1 Reboot the appliance.

Step 2 To interrupt the boot process, press ESC or Control-R (terminal server) or send a BREAK command (direct connection).

The boot code either pauses for 10 seconds or displays something similar to one of the following:

•Evaluating boot options

•Use BREAK or ESC to interrupt boot

Step 3 Enter the following commands to reset the password:
confreg=0x7
boot
Sample ROMMON session:
Booting system, please wait...
CISCO SYSTEMS
Embedded BIOS Version 1.0(11)2 01/25/06 13:21:26.17
...
Evaluating BIOS Options...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006
Platform IPS-4240-K9
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted. 
Management0/0
Link is UP
MAC Address:000b.fcfa.d155
Use ? for help.
rommon #0> confreg 0x7
Update Config Register (0x7) in NVRAM...
rommon #1> boot
Recovering the IDSM-2 Password

To recover the password for IDSM-2, you must perform a system image upgrade, which installs a special password recovery image instead of a typical system image. This upgrade only resets the password, all other configuration remains intact. You must have administrative access to the Cisco 6500 series switch to recover the password. You boot to the maintenance partition and execute the upgrade command to install a new image.

Use the following commands:

•For Catalyst software:

reset module_number cf:1

session module_number

•For Cisco IOS software:

hw-module module module_number reset cf:1

session slot slot_number processor 1

The only protocol for upgrades is FTP. Make sure you put the password recovery image file (WS-SVC-IDSM2-K9-a-6.0-password-recovery.bin.gz) on an FTP server.

Note Reimaging the IDSM-2 only changes the cisco account password.

For More Information

For the procedures for reimaging IDSM-2, refer to Installing the IDSM-2 System Image.

Recovering the NM-CIDS Password

To recover the password for NM-CIDS, use the clear password command. You must have console access to NM-CIDS and administrative access to the router.

Note There is no minimum IOS release requirement for password recovery on NM-CIDS.

Note Recovering the password for NM-CIDS requires a new bootloader image.

To recover the password for NM-CIDS, follow these steps:

Step 1 Session in to NM-CIDS:
router# service-module ids module_number/0 session
Step 2 Press Control-shift-6 followed by x to navigate to the router CLI.

Step 3 Reset NM-CIDS from the router console:
router# service-module ids module_number/0 reset
Step 4 Press Enter to return to the router console.

Step 5 When prompted for boot options, enter *** quickly.

You are now in the bootloader.

Step 6 Clear the password:
ServicesEngine boot-loader# clear password
Step 7 Restart NM-CIDS:
ServicesEngine boot-loader# boot disk
Caution Do not use the reboot command to start NM-CIDS. This causes the password recovery action to be ignored. Make sure you use the boot disk command.

For More Information

For the procedure for installing a new bootloader image, refer to Upgrading the NM-CIDS Bootloader.

Recovering the AIP-SSM Password

Note To recover the password on AIP-SSM, you must have ASA 7.2.3.

Use the hw-module module slot_number password-reset command to reset the AIP-SSM password to the default cisco. The ASA 5500 series adaptive security appliance sets the ROMMON confreg bits to 0x7 and then reboots the sensor. The ROMMON bits cause the GRUB menu to default to option 2 (reset password).

If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed:
ERROR: the module in slot <n> does not support password recovery.
Recovering the AIM-IPS Password

To recover the password for AIM-IPS, use the clear password command. You must have console access to AIM-IPS and administrative access to the router.

To recover the password for AIM-IPS, follow these steps:

Step 1 Log in to the router.

Step 2 Enter privileged EXEC mode on the router:
router> enable
Step 3 Confirm the module slot number in your router:
router# show run | include ids-sensor
interface IDS-Sensor0/0
router#
Step 4 Session in to AIM-IPS:
router# service-module ids-sensor slot/port session
Example:
router# service-module ids-sensor 0/0 session
Step 5 Press Control-shift-6 followed by x to navigate to the router CLI.

Step 6 Reset AIM-IPS from the router console:
router# service-module ids-sensor 0/0 reset
Step 7 Press Enter to return to the router console.

Step 8 When prompted for boot options, enter *** quickly.

You are now in the bootloader.

Step 9 Clear the password:
ServicesEngine boot-loader# clear password
AIM-IPS reboots.

Disabling Password Recovery

Caution If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings; however, the password is not reset. If you cannot log in to the sensor because you have forgotten the password, and password recovery is set to disabled, you must reimage your sensor.

Password recovery is enabled by default. You can disable password recovery through the CLI or IDM.

To disable password recovery in the CLI, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Enter global configuration mode:
sensor# configure terminal
Step 3 Enter host mode:
sensor(config)# service host
Step 4 Disable password recovery:
sensor(config-hos)# password-recovery disallowed
To disable password recovery in IDM, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.

Step 2 Choose Configuration > Sensor Setup > Network.

The Network pane appears.

Step 3 To disable password recovery, uncheck the Allow Password Recovery check box.

For More Information

•If you are not certain about whether password recovery is enabled or disabled, see Verifying the State of Password Recovery.

•For the procedures for reimaging sensors, refer to Upgrading, Downgrading, and Installing System Images.

Verifying the State of Password Recovery

Use the show settings | include password command to verify whether password recovery is enabled.

To verify whether password recovery is enabled, follow these steps:

Step 1 Log in to the CLI.

Step 2 Enter service host submode:
sensor# configure terminal
sensor (config)# service host
sensor (config-hos)# 
Step 3 Verify the state of password recovery by using the include keyword to show settings in a filtered output:
sensor(config-hos)# show settings | include password
   password-recovery: allowed <defaulted>
sensor(config-hos)#
Troubleshooting Password Recovery

To troubleshoot password recovery, pay attention to the following:

•You cannot determine whether password recovery has been disabled in the sensor configuration from the ROMMON prompt, GRUB menu, switch CLI, or router CLI. If password recovery is attempted, it always appears to succeed. If it has been disabled, the password is not reset to cisco. The only option is to reimage the sensor.

•You can disable password recovery in the host configuration. For the platforms that use external mechanisms, such as the NM-CIDS bootloader, ROMMON, and the maintenance partition for IDSM-2, although you can run commands to clear the password, if password recovery is disabled in the IPS, the IPS detects that password recovery is not allowed and rejects the external request.

To check the state of password recovery, use the show settings | include password command.

•When performing password recovery for NM-CIDS, do not use the reboot command to restart NM-CIDS. This causes the recovery action to be ignored. Use the boot disk command.

•When performing password recovery on IDSM-2, you see the following message: Upgrading will wipe out the contents on the storage media. You can ignore this message. Only the password is reset when you use the specified password recovery image.

For More Information

•For information on reimaging the sensor, refer to Upgrading, Downgrading, and Installing System Images.

•For more information on when and how to disable password recovery, see Disabling Password Recovery.

•For the procedure to verify the state of password recovery, see Verifying the State of Password Recovery.

Caveats

For the most complete and up-to-date list of caveats, use the Bug Navigator Tool to refer to the caveat release notes. The Bug Navigator Tool is found at this URL:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

This section lists the resolved and known caveats, and contains the following topics:

•Resolved Caveats

•Known Caveats

Resolved Caveats

The following known issues have been resolved in Cisco IPS 6.0(4a)E1:

•CSCsi23979—4250-xl locks up with 1 gig 256 byte ixia traffic

•CSCsj17459—low-end sensor out of memory during sigupdate

•CSCsi87943—traffic conditions can stimulate small memory leak in inspector SNMP

•CSCsj30225—SNMP gets result in mainApp memory leak

•CSCsl04892—sensorApp failure after show stat vi clear

•CSCsl06936—inline-vlan-pair delays passing traffic after reboot

•CSCsl30784—inline-vlan-pair and bypass off down/notconnect after sig update

•CSCsi44621—Analysis Engine aborts when AD files are copied via destination url

•CSCsj70541—Inline int pair not working after reboot when vlan group assigned

•CSCsk43437—upgrade results in /tmp partition full

•CSCsj53782—Entire sensor hangs while toggling bypass mode

•CSCsj69905—AxBx insertion rate limiting may corrupt database

•CSCsi17548—Tcp Syn Cookies do not appear to work +

•CSCsh31034—SensorApp may abort when file copy attempt failed (libhoard + fork)

•CSCsi40687—Defaulting Sig0 causes sensorApp to stop repsonding

•CSCsj72253—TCP Session Tracking Mode does not separate vlan properly

•CSCsj49640—SensorApp unable to allocate memory during packet processing

•CSCse24364—4FE - interfaces not reporting Missed Packet Percentage

•CSCsg24632—String.TCP sigs may fire out of order +

•CSCsh50516—IPS Fails to remove blocking if the blocked host is in PIX's name list

•CSCsh50205—IPS 5.1(4) 4215 imaged as CF based system because of HD failure

•CSCsh75673—valid NTP key values stored as -1

•CSCsi48979—Sig 2152:0 false alarms after tunings or restore defaults

•CSCsi98677—erase current-config hangs sensor CLI

•CSCsi45463—6.0(2) TCP SYN Flood Cookies not functioning on XL platform

•CSCsi58602—IPS evasion using Unicode encoding for HTTP-based attacks +

•CSCsi84527—Accounts can be created with invalid usernames

•CSCsj95950—ASA/SSM False Data Plane Failover Occuring

•CSCsk14712—Full Database does not leave enough memory for Sig Update and some conf

•CSCsj74455—service pack install should preserve sensorApp.conf

•CSCsk21795—add log to main.log for mainApp shutdown

•CSCsg86162—MSRPC and SMB engine not handling Fragmentation correctly

•CSCsi75856—Some Database statistics always remain 0

•CSCsj41582—IPS 5.1(5)E1 UDP-string engine does not distinguish direction

•CSCsk72811—Sig 1315 causes peformance hit in promisc

•CSCsk09897—IPS: sends ACK with destination mac of orignal packet, breaks MS NLB

•CSCsk11222—show tech contains garbage chars due to new safenet files

•CSCsg45642—Make CDP drop a configurable option.

•CSCsi22195—Refactor normalizer processTcpOptions unit

•CSCsi52422—POSFP feature does not work with SSM

•CSCsj26086—Disabling one CSAMC-EPI removes all the addresses on the Sensor

•CSCsk50777—Anomaly Detection memory/flash usage not restricted for some platforms

•CSCsi58642—IDM does not handle slash in a user name correctly

•CSCsk33892—Engine String may incorrectly warn of regex compile failure

•CSCsh13463—IDSM-2 promiscuous displaying WARNING: Pulled previous index

•CSCsg04913—install - service account's .bash_profile not carried forward

•CSCsl19316—Add ability to enable/disable CDP forwarding from service account

•CSCsi72263—Allow inline Asymmetric traffic

•CSCsj21080—Promiscuous 4255 in s/w bypass and no response from show stat vi

Known Caveats

The following known issues are found in IPS 6.0(4a)E1:

•CSCsk30811—Misconfigured remote application can cause sensor HDD failure

•CSCsm71528—Analysis Engine NotRunning after sig update reconfig

•CSCsm60273—AIP-SSM stays in Unresponsive state after ASA5500's bootup

•CSCsj78809—IPS 6.0(3) SigProcessor failure with reinjected frag

•CSCsi42747—Memory leak in mainApp when checking license status

•CSCsg09619—IPS accepts RSA keys with exponent 3 which are vulnerable to forgery

•CSCsi43787—Memory leak in mainApp when log event initiated remotely

•CSCsg96871—AnalysisEngine InspectorServiceAICWeb::ToServiceInspect abort

•CSCsh50760—NAC causes high mainApp usage

•CSCsk53813—upgrade log files are not preserved during an upgrade

•CSCsj82458—global-block-timeout allows values outside supported range

•CSCsd19619—NO statistics on traffic under heavy load

•CSCse40651—Config operation on heavily loaded system may cause unresponsive system

•CSCsm50539—MainApp fails to load after sensor reset

•CSCsi88201—Error message too cryptic for events with bad XML

•CSCsl08842—Oversubscription in promiscuous mode causes out of memory condition

•CSCsm24466—Jumbo frames on XL interface can cause dropped packets

•CSCsh89833—Delete event variable referenced by filter or sig from IDM

•CSCsm46158—Critical memory condition can cause race condition

•CSCsj15446—MainApp - core on invalid platform test

•CSCsi73502—6.0(2)E1: No warning message when removing sensor used by ASA

•CSCsm42382—Link drops temporarily on hardware-bypass ports during cids shutdown

•CSCsl24036—Analysis Engine NotRunning after processing specific MSRPC traffic

•CSCsl75224—cli command no mars-category causes sensor connection closed

•CSCsk44582—Sig upgrade within grace period fails prior to reboot

•CSCsk09025—idsm2 interface Operational Mode: down after reload from switch

•CSCsj75538—Auto Update - not pulling platform specific patch

•CSCsj57474—Frag traffic with dot1q headers misses a few sweep and atomic-ip sigs

•CSCsi10476—cidsAlertProtocol missing from SNMP Traps

•CSCsj15835—SensorApp - PAWS alerts with telnet through 2 vs

•CSCsl66235—Setup errors after defaulting sensor config via IDM

•CSCsm72321—AIP module get stuck in high cpu due to main application loop

•CSCsk84825—Non-printable character in event XML causes cascading events

•CSCsl69776—AD is not generating an alert for every worm attacker

•CSCsm41026—Updating an expired license can cause the next signature update to hang

Related Documentation

Refer to the following documentation for more information on IPS 6.0 found at this URL:

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html

•Documentation Roadmap for Cisco Intrusion Prevention System 6.0

•Regulatory Compliance and Safety Information for the Cisco Intrusion Detection and Prevention System 4200 Series Appliance Sensor

•Installing and Using Cisco Intrusion Prevention System Device Manager 6.0

•Command Reference for Cisco Intrusion Prevention System 6.0

•Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 6.0

•Installing Cisco Intrusion Prevention System Appliances and Modules 6.0

•Installing and Removing Interface Cards in Cisco IPS-4260 and IPS 4270-20

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

This document is to be used in conjunction with the documents listed in the "Related Documentation" section.

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)

Copyright © 2006-2009 Cisco Systems, Inc. All rights reserved.

Hierarchical Navigation

Cisco IPS 4200 Series Sensors

Release Notes for Cisco Intrusion Prevention System 6.0(4a)E1

Downloads

Table Of Contents

Release Notes for Cisco Intrusion Prevention System 6.0(4a)E1

Contents

IPS 6.0(4a)E1 Installation Issue

IPS 6.0(4a)E1 File List

Supported Platforms

Supported Servers

ROMMON and TFTP

IPS Management and Event Viewers

Receiving Cisco IPS Active Update Bulletins

Cisco Security Center

New and Changed Information

Before Upgrading to Cisco IPS 6.0(4a)E1

Perform These Tasks

Copying and Restoring the Configuration File Using a Remote Server

Obtaining Software on Cisco.com

IPS Software Versioning

Major and Minor Updates, Service Packs, and Patch Releases

Signature/Virus Updates and Signature Engine Updates

Recovery and System Image Filenames

6.x Software Release Examples

Upgrading the IDS-4215 BIOS

Upgrading to Cisco IPS 6.0(4a)E1

Upgrade Notes and Caveats

Upgrading to 6.0(4a)E1

Installing the ISO Image File

After Upgrading to Cisco IPS 6.0(4a)E1

Comparing Configurations

SSL Certificate

Logging In to IDM

Licensing the Sensor

Understanding the License

Service Programs for IPS Products

Obtaining and Installing the License Key

Using IDM

Using the CLI

Restrictions and Limitations

Recovering the Password

Understanding Password Recovery

Recovering the Appliance Password

Using the GRUB Menu

Using ROMMON

Recovering the IDSM-2 Password

Recovering the NM-CIDS Password

Recovering the AIP-SSM Password

Recovering the AIM-IPS Password

Disabling Password Recovery

Verifying the State of Password Recovery

Troubleshooting Password Recovery

Caveats

Resolved Caveats

Known Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request

This document is to be used in conjunction with the documents listed in the "Related Documentation" section.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)

Copyright © 2006-2009 Cisco Systems, Inc. All rights reserved.