Document ID: 88954
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Configure
Upgrade the Sensor
Overview
Upgrade Command and Options
Use the Upgrade Command
Use the auto-upgrade Command
Re-image the Sensor
Related Information
Introduction
This document describes how to upgrade Cisco Intrusion Detection Sensor (IDS) software from version 4.1 to Cisco Intrusion Prevention System (IPS) 5.0.
Note: In software version 5.x and later, Cisco IPS replaces Cisco IDS, which applies through version 4.1.
Refer to Password Recovery Procedure for the Cisco IDS Sensor and IDS Services Modules (IDSM-1, IDSM-2) in order to learn more about how to recover the Cisco Secure IDS (formerly NetRanger) appliance and the modules for versions 3.x and 4.x.
Note: Refer to the Upgrading Cisco IPS Software from 5.1 to 6.x section of Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 6.0 for more information about the procedure to upgrade the IPS 5.1 to version 6.x.
Prerequisites
Requirements
The minimum required software version you need in order to upgrade to 5.0 is 4.1(1).
Components Used
The information in this document is based on the Cisco 4200 Series IDS hardware that runs software version 4.1 (to be upgraded to version 5.0).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
The upgrade from Cisco 4.1 to 5.0 is available as a download from Cisco.com. Refer to Obtaining Cisco IPS Software for the procedure you use to access IPS Software downloads on Cisco.com.
You can use any of the methods listed here in order to perform the upgrade:
- After you download the 5.0 upgrade file, refer to the Readme for the procedure on how to install the 5.0 upgrade file using the upgrade command. See the Use the Upgrade Command section of this document for more information.
- If you configured Auto Update for your Sensor, copy the 5.0 upgrade file to the directory on the server that your Sensor polls for updates. See the Use the auto-upgrade Command section of this document for more information.
- If you install an upgrade on your Sensor and the Sensor is unusable after it reboots, you must reimage your Sensor. An upgrade of a Sensor from any Cisco IDS version earlier than 4.1 also requires you to use the recover command or the recovery/upgrade CD. See the Re-image the Sensor section of this document for more information.
Upgrade the Sensor
These sections explain how to use the upgrade command to upgrade the software on the Sensor:
Overview
You can upgrade the Sensor with these files, all of which have the extension .pkg:
- Signature updates, for example, IPS-sig-S150-minreq-5.0-1.pkg
- Major updates, for example, IPS-K9-maj-6.0-1.pkg
- Minor updates, for example, IPS-K9-min-5.1-1.pkg
- Service pack updates, for example, IPS-K9-sp-5.0-2.pkg
- Recovery partition updates, for example, IPS-K9-r-1.1-a-5.0-1.pkg
A Sensor upgrade changes the software version of the Sensor.
Upgrade Command and Options
Use the auto-upgrade-option enabled command in the service host submode to configure automatic upgrades.
These options apply:
- default—Sets the value back to the system default setting.
- directory—Directory where upgrade files are located on the file server.
- file-copy-protocol—File copy protocol used to download files from the file server. The valid values are ftp or scp.
  Note: If you use SCP, you must use the ssh host-key command to add the server to the SSH known hosts list so the Sensor can communicate with it through SSH. Refer to Adding Hosts to the Known Hosts List for the procedure.
- ip-address—IP address of the file server.
- password—User password for authentication on the file server.
- schedule-option—Schedules when automatic upgrades occur. Calendar scheduling starts upgrades at specific times on specific days. Periodic scheduling starts upgrades at specific periodic intervals.
  - calendar-schedule—Configures the days of the week and times of day that automatic upgrades are performed.
    - days-of-week—Days of the week on which auto-upgrades are performed. You can select multiple days. Sunday through Saturday are the valid values.
    - no—Removes an entry or selection setting.
    - times-of-day—Times of the day at which auto-upgrades begin. You can select multiple times. The valid value is hh:mm[:ss].
  - periodic-schedule—Configures the time that the first automatic upgrade should occur, and how long to wait between automatic upgrades.
    - interval—The number of hours to wait between automatic upgrades. Valid values are 0 to 8760.
    - start-time—The time of day to start the first automatic upgrade. The valid value is hh:mm[:ss].
- user-name—Username for authentication on the file server.
Use the Upgrade Command
Complete these steps in order to upgrade the Sensor:
- Download the major update file (IPS-K9-maj-5.0-1-S149.rpm.pkg) to an FTP, SCP, HTTP, or HTTPS server that is accessible from your Sensor.
  Refer to Obtaining Cisco IPS Software for the procedure on how to locate software on Cisco.com.
  Note: You must log in to Cisco.com using an account with cryptographic privileges in order to download the file. Do not change the file name. You must preserve the original file name for the Sensor to accept the update.
- Log in to the CLI using an account with administrator privileges.
- Enter configuration mode:
    sensor#configure terminal
- Upgrade the sensor:
    sensor(config)#upgrade scp://<username>@<server IP>//upgrade/<file name>
  Example:
  Note: This command is on two lines due to spatial reasons.
    sensor(config)#upgrade scp://tester@10.1.1.1//upgrade/
    IPS-K9-maj-5.0-1-S149.rpm.pkg
- Enter the password when prompted:
    Enter password: ********
    Re-enter password: ********
- Type yes to complete the upgrade.
  Note: Major updates, minor updates, and service packs might force a restart of the IPS processes or even force a reboot of the Sensor to complete the installation. So, there is an interruption of service for at least two minutes. However, signature updates do not require a reboot after the update is done. Refer to Download Signature Updates (registered customers only) for the latest updates.
- Verify your new Sensor version:
    sensor#show version
    Application Partition:
    Cisco Intrusion Prevention System, Version 5.0(1)S149.0
    OS Version 2.4.26-IDS-smp-bigphys
    Platform: ASA-SSM-20
    Serial Number: 021
    No license present
    Sensor up-time is 5 days.
    Using 490110976 out of 1984704512 bytes of available memory (24% usage)
    system is using 17.3M out of 29.0M bytes of available disk space (59% usage)
    application-data is using 37.7M out of 166.6M bytes of available disk space (24 usage)
    boot is using 40.5M out of 68.5M bytes of available disk space (62% usage)
    MainApp 2005_Mar_04_14.23 (Release) 2005-03-04T14:35:11-0600 Running
    AnalysisEngine 2005_Mar_04_14.23 (Release) 2005-03-04T14:35:11-0600 Running
    CLI 2005_Mar_04_14.23 (Release) 2005-03-04T14:35:11-0600
    Upgrade History:
    IDS-K9-maj-5.0-1- 14:16:00 UTC Thu Mar 04 2004
    Recovery Partition Version 1.1 - 5.0(1)S149
    sensor#
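The version checks around this procedure can be scripted against captured show version output. This is an added example, not Cisco code: the function names are hypothetical, the 4.1 banner line is constructed (the page shows no 4.1 output), and the 5.0 sample is trimmed from the output above.

```python
import re

MIN_FOR_5_0 = (4, 1, 1)  # from the page: 4.1(1) is the minimum for the 5.0 upgrade
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\((\d+)\)S(\d+)")
HISTORY_RE = re.compile(r"Upgrade History:\s*(\S+)")

# Constructed pre-upgrade banner; its exact wording is an assumption.
PRE_SAMPLE = "Cisco Systems Intrusion Detection Sensor, Version 4.1(4)S91\n"

# Trimmed from the show version output on this page.
POST_SAMPLE = """sensor#show version
Application Partition:
Cisco Intrusion Prevention System, Version 5.0(1)S149.0
OS Version 2.4.26-IDS-smp-bigphys
Upgrade History:
IDS-K9-maj-5.0-1- 14:16:00 UTC Thu Mar 04 2004
Recovery Partition Version 1.1 - 5.0(1)S149
"""

def parse_show_version(text):
    """Return ((major, minor, service_pack), signature_level, last_upgrade)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'Version x.y(z)Snnn' string in output")
    major, minor, sp, sig = map(int, m.groups())
    h = HISTORY_RE.search(text)
    return (major, minor, sp), sig, (h.group(1) if h else None)

def preflight(text):
    """Decide before the upgrade whether the 5.0 major update applies."""
    version, _, _ = parse_show_version(text)
    if version >= (5, 0, 0):
        return "skip: already on 5.x or later"
    if version < MIN_FOR_5_0:
        # The page sends sensors earlier than 4.1 to recover or the recovery CD.
        return "blocked: below the 4.1(1) minimum"
    return "ok: eligible for the 5.0 major update"

def verify_upgrade(text, expected=(5, 0, 1)):
    """After the upgrade: version matches and the history names the 5.0 major."""
    version, _, history = parse_show_version(text)
    return version == expected and history is not None and "maj-5.0" in history

if __name__ == "__main__":
    print(preflight(PRE_SAMPLE))
    print(parse_show_version(POST_SAMPLE), verify_upgrade(POST_SAMPLE))
```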
Use the auto-upgrade Command
See the Upgrade Command and Options section of this document for the auto-update commands.
Complete these steps in order to schedule automatic upgrades:
- Log in to the CLI using an account with administrator privileges.
- Configure the Sensor to automatically look for new upgrades in your upgrade directory.
    sensor#configure terminal
    sensor(config)#service host
    sensor(config-hos)#auto-upgrade-option enabled
- Specify the scheduling:
  - For calendar scheduling, which starts upgrades at specific times on specific days:
      sensor(config-hos-ena)#schedule-option calendar-schedule
      sensor(config-hos-ena-cal)#days-of-week sunday
      sensor(config-hos-ena-cal)#times-of-day 12:00:00
  - For periodic scheduling, which starts upgrades at specific periodic intervals:
      sensor(config-hos-ena)#schedule-option periodic-schedule
      sensor(config-hos-ena-per)#interval 24
      sensor(config-hos-ena-per)#start-time 13:00:00
- Specify the IP address of the file server:
    sensor(config-hos-ena-per)#exit
    sensor(config-hos-ena)#ip-address 10.1.1.1
- Specify the directory where the upgrade files are located on the file server:
    sensor(config-hos-ena)#directory /tftpboot/update/5.0_dummy_updates
- Specify the username for authentication on the file server:
    sensor(config-hos-ena)#user-name tester
- Specify the password of the user:
    sensor(config-hos-ena)#password
    Enter password[]: ******
    Re-enter password: ******
- Specify the file server protocol:
    sensor(config-hos-ena)#file-copy-protocol ftp
  Note: If you use SCP, you must use the ssh host-key command to add the server to the SSH known hosts list so the Sensor can communicate with it through SSH. Refer to Adding Hosts to the Known Hosts List for the procedure.
- Verify the settings:
    sensor(config-hos-ena)#show settings
       enabled
       -----------------------------------------------
          schedule-option
          -----------------------------------------------
             periodic-schedule
             -----------------------------------------------
                start-time: 13:00:00
                interval: 24 hours
             -----------------------------------------------
          -----------------------------------------------
          ip-address: 10.1.1.1
          directory: /tftpboot/update/5.0_dummy_updates
          user-name: tester
          password: <hidden>
          file-copy-protocol: ftp default: scp
       -----------------------------------------------
    sensor(config-hos-ena)#
- Exit auto-upgrade submode:
    sensor(config-hos-ena)#exit
    sensor(config-hos)#exit
    Apply Changes:?[yes]:
- Press Enter to apply the changes or type no to discard them.
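The show settings output from the verification step can be audited offline against the valid values listed under Upgrade Command and Options. This is an added example, not Cisco code: parse_settings and audit are hypothetical names, and the sample is trimmed from the output above. It also flags ftp, which carries the file server user name and password unencrypted.

```python
import ipaddress
import re

TIME_RE = re.compile(r"^([01]\d|2[0-3]):[0-5]\d(:[0-5]\d)?$")  # hh:mm[:ss]

# Trimmed from the show settings output on this page.
SAMPLE = """sensor(config-hos-ena)#show settings
   schedule-option
      periodic-schedule
         start-time: 13:00:00
         interval: 24 hours
   ip-address: 10.1.1.1
   directory: /tftpboot/update/5.0_dummy_updates
   user-name: tester
   password: <hidden>
   file-copy-protocol: ftp default: scp
"""

def parse_settings(text):
    """Collect the first 'key: value' pair on each line of the output."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([a-z-]+):\s+(\S+)", line)
        if m:
            settings.setdefault(m.group(1), m.group(2))
    return settings

def audit(settings):
    findings = []
    proto = settings.get("file-copy-protocol")
    if proto not in ("ftp", "scp"):
        findings.append("file-copy-protocol: valid values are ftp or scp")
    elif proto == "ftp":
        findings.append("file-copy-protocol: ftp sends user-name and password "
                        "unencrypted; prefer scp plus ssh host-key")
    interval = settings.get("interval")
    if interval is not None and not (interval.isdigit() and 0 <= int(interval) <= 8760):
        findings.append("interval: valid values are 0 to 8760 hours")
    start = settings.get("start-time")
    if start is not None and not TIME_RE.match(start):
        findings.append("start-time: valid value is hh:mm[:ss]")
    try:
        ipaddress.ip_address(settings.get("ip-address", ""))
    except ValueError:
        findings.append("ip-address: not a valid IP address")
    return findings

if __name__ == "__main__":
    print(audit(parse_settings(SAMPLE)))
```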
Re-image the Sensor
You can reimage your Sensor in these ways:
- For IDS appliances with a CD-ROM drive, use the recovery/upgrade CD.
  Refer to the Using the Recovery/Upgrade CD section of Upgrading, Downgrading, and Installing System Images for the procedure.
- For all Sensors, use the recover command.
  Refer to the Recovering the Application Partition section of Upgrading, Downgrading, and Installing System Images for the procedure.
- For the IDS-4215, IPS-4240, and IPS 4255, use ROMMON to restore the system image.
  Refer to the Installing the IDS-4215 System Image and Installing the IPS-4240 and IPS-4255 System Image sections of Upgrading, Downgrading, and Installing System Images for the procedures.
- For NM-CIDS, use the bootloader.
  Refer to the Installing the NM-CIDS System Image section of Upgrading, Downgrading, and Installing System Images for the procedure.
- For IDSM-2, reimage the application partition from the maintenance partition.
  Refer to the Installing the IDSM-2 System Image section of Upgrading, Downgrading, and Installing System Images for the procedure.
- For AIP-SSM, reimage from the ASA using the hw-module module 1 recover [configure | boot] command.
  Refer to the Installing the AIP-SSM System Image section of Upgrading, Downgrading, and Installing System Images for the procedure.
Related Information
- Cisco Intrusion Prevention System Support Page
- Cisco Catalyst 6500 Series Intrusion Detection System (IDSM-2) Module Support Page
- Password Recovery Procedure for the Cisco IDS Sensor and IDS Services Modules (IDSM-1, IDSM-2)
- Technical Support & Documentation - Cisco Systems
| Updated: Sep 20, 2007 | Document ID: 88954 |
