
IPS


This chapter contains the following topics:

Adding and Managing IPS Sensors in Security Manager 3.0.1

Importing IPS 5.0 Sensors

Retrieving Signature Updates

Performing IPS Updates

Updating IOS IPS Crypto Configurations

Creating ACLs During IOS IPS Configuration

Performing IOS IPS Deployment

Provisioning Trusted Hosts

Managing Signature Updates


Note Unless marked otherwise, all the troubleshooting information contained in this chapter is relevant to Cisco Security Manager 3.1.


Adding and Managing IPS Sensors in Security Manager 3.0.1

Problem   You cannot add IPS sensors to Security Manager 3.0.1.

Solution   Although sensors are managed with the CiscoWorks Management Center for IPS Sensors (IPS Management Center) when using Security Manager 3.0.1, you cannot add devices directly to the IPS Management Center. Instead, you must first add the device to Security Manager, then perform a re-import from the IPS Management Center. Perform the procedure described below.

Procedure


Step 1 In Security Manager, select File > New Device, then select one of the following options in the New Device wizard:

Add New Device (Select Device Type > Security and VPN > Cisco IPS 4200 Series Sensors to select the appropriate sensor.)

Add Device from DCR (if the device is already configured in the DCR)

You cannot use the Add Device from Network or Add from Configuration File options.

Step 2 Select Tools > IPS Manager to launch the IPS Management Center. When using Security Manager 3.0.1, you must use the IPS Management Center to manage IPS sensors.

Step 3 Select Devices > Sensor.

Step 4 Select the IPS sensor that you added in Step 1, then click Re-Import. You can now manage the sensor.


Note Primary credentials are mandatory when adding IPS devices. SDEE credentials are optional when adding IOS IPS devices.

Devices are added automatically to the Global sensor group in the IPS Management Center. You can assign the devices to other groups, if required. The sensor groups in the IPS Management Center are not related to the device groups defined in Security Manager.

In Security Manager 3.1, you can add an IPS sensor using any of the methods available in the New Device wizard. In addition, you can use Security Manager to manage the sensor.


Importing IPS 5.0 Sensors

Problem   You cannot import IPS 5.0 (or earlier) sensors into Security Manager.

Solution   Security Manager 3.1 supports IPS 5.1, IPS 6.0, and IPS-enabled IOS 12.4(11)T2 and above only. When you import a sensor on which virtual sensors are configured, you must submit your changes (or approve your activity when working in Workflow mode) after discovery in order to view the virtual sensors in the Device selector. A warning message that explains this is displayed after discovery.

Retrieving Signature Updates

Problem   You cannot connect to the Update Server or CCO to retrieve signature updates into Security Manager.

Solution   Make sure that you have specified the location from which Security Manager should download signature updates. Select Tools > Security Manager Administration > IPS Updates, then click Edit Settings under Update Server to enter this information.

Performing IPS Updates

Problem   You cannot update your IPS sensor with patches, service packs, or signature updates.

Solution   Check the time on your IPS sensor. If the time on the sensor is ahead of the time on the associated certificate, the certificate is rejected and the update may fail. Use the Network Time Protocol (NTP) to maintain accurate time on an IPS sensor that you are managing with IPS Manager.

The following procedures describe how to identify an NTP server.


Caution If your sensors already have an NTP server configuration (including a configuration performed outside of IPS Manager), you must identify the NTP server by performing the relevant procedure. Otherwise, your NTP server settings are lost.


Note Signature updates are available for IPS 5.1(4) and above.


Procedure When Using Security Manager 3.0.1


Step 1 In IPS Manager, select Configuration > Settings.

Step 2 In the TOC, click the Object Selector handle.

Step 3 In the Object Selector, select the sensor or group for which you want to identify an NTP server. We recommend selecting the Global group.

The Object Selector closes.

Step 4 In the TOC, select NTP Server.

The NTP Server page appears, and the Object bar displays the sensor or group that you selected.

Step 5 In the Server IP field, enter the IP address of the NTP server.

Step 6 In the Key field, enter the key value of the NTP server.

Step 7 In the Key ID field, enter the key ID value of the NTP server. Valid values are 1 through 4294967295.

The Mandatory check box is present if you selected a group in Step 3. Select the Mandatory check box to apply these settings to all objects in the group and in all subgroups. Otherwise, objects in this group and in all subgroups will override the settings of this group.

Procedure When Using Security Manager 3.1


Step 1 In Device view, select the IPS sensor for which you want to identify an NTP server.

Step 2 Select Platform > Device Admin > Server Access > NTP. The Network Time Protocol page appears.

Step 3 In the NTP Server IP Address field, enter the address of the NTP server.

Step 4 In the Key field, enter the key value of the NTP server.

Step 5 In the Key ID field, enter the key ID value of the NTP server. Valid values are 1 through 4294967295.

Step 6 Click Save to save your definitions to the Security Manager server.


Note To publish your changes, click the Submit button on the toolbar.



Note For detailed information on how to set the time on a sensor, refer to Configuring the Sensor to Use an NTP Time Source in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 6.0, which is available on Cisco.com. You will be prompted for your CCO username and password.


Updating IOS IPS Crypto Configurations

Problem   You cannot update your IOS IPS Crypto configuration.

Solution   Check whether the TFTP server is running on your IPS Manager server. Make sure your TFTP directory has the required permissions to enable IOS IPS to download the certificate from it. The default TFTP directory for Windows 2000 and 2003 is <install-dir>\tftpboot. In addition, you must have a user account with adequate privileges to update IOS IPS crypto configurations.

Creating ACLs During IOS IPS Configuration

Problem   ACL creation during IOS IPS configuration is not producing the expected results.

Solution   Entering the name or number of an ACL on the following IPS Manager pages does not actually create the ACL:

IOS IPS Rules page

IOS IPS Filters page

IOS IPS Port Mapping page

To create the ACL, use the command line on the IOS IPS device that you are configuring. If you enter an ACL number and deploy the configuration while no corresponding ACL exists in the router, this command has no effect.
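The following is an added example, not part of the original Cisco documentation. It scans a saved IOS running configuration for IOS IPS rule, filter, and port-mapping lines that name an ACL the router does not define, which is the case described above where the ACL reference has no effect. The sample configuration is constructed, and the command forms it contains are assumptions about the deployed configuration.

```python
import re

# Constructed sample of an IOS running-config (not taken from a real device).
SAMPLE_CONFIG = """\
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended IPS-SCAN
 permit tcp any any eq 80
ip ips name BRANCH-IPS list 101
ip ips name DMZ-IPS list 150
ip ips signature 2004 0 list IPS-FILTER
ip port-map http port 8080 list 10
interface FastEthernet0/0
 ip ips BRANCH-IPS in
"""

# ACL definitions: numbered ("access-list 101 ...") or named
# ("ip access-list extended NAME").
ACL_DEF = re.compile(
    r"^(?:access-list\s+(\d+)\s|ip access-list\s+(?:standard|extended)\s+(\S+))"
)
# ACL references on global IOS IPS rule, filter and port-mapping lines.
ACL_REF = re.compile(r"^(ip ips |ip port-map ).*\blist\s+(\S+)")


def find_dangling_acl_refs(config_text):
    """Return (line_no, acl, line) for each IPS/port-map line naming an undefined ACL."""
    lines = config_text.splitlines()
    defined = set()
    for line in lines:
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
    dangling = []
    for no, line in enumerate(lines, start=1):
        m = ACL_REF.match(line)
        if m and m.group(2) not in defined:
            dangling.append((no, m.group(2), line.strip()))
    return dangling


if __name__ == "__main__":
    for no, acl, line in find_dangling_acl_refs(SAMPLE_CONFIG):
        print(f"line {no}: ACL {acl!r} is referenced but not defined: {line}")
```

Each ACL reported must be created from the command line on the IOS IPS device before the deployed rule, filter, or port mapping takes effect.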

Performing IOS IPS Deployment

Problem   You receive an error message during initial deployment of an IOS IPS device.

Solution   You may have exceeded the memory available on the IOS IPS device. To work around this problem, select a reduced set of signatures to be deployed and then redeploy the IOS IPS device.

Provisioning Trusted Hosts

Problem   You cannot provision a Management Center for Cisco Security Agent (CSA MC) server as a trusted host to an IPS sensor.

Solution   You must use CLI commands or the IPS Device Manager (IDM). When you add a CSA MC server to an IPS sensor in IDM, a message appears that asks whether to add the server as a trusted host to the sensor. (There is a separate option in IDM for adding a list of IP addresses as trusted hosts to the sensor.)

Managing Signature Updates

Problem   You cannot obtain signature updates for a sensor running IPS 5.1.

Solution   Although Security Manager supports IPS 5.1 and above, signature updates are available only for IPS 5.1(4) and IPS 6.0.