Administering the MARS Appliance


Revised: September 10, 2007, 78-17019-01

This chapter describes a core set of maintenance tasks for Cisco Security Monitoring, Analysis, and Response System (MARS). Because these tasks affect the overall health and accuracy of the MARS system, you should develop an operational strategy and process for performing them. This chapter contains the following sections:

Performing Command Line Administration Tasks

Checklist for Upgrading the Appliance Software

Configuring and Performing Appliance Data Backups

Recovery Management

For all other MARS Appliance configuration and administration tasks, see either the User Guide for Cisco Security MARS Global Controller or the User Guide for Cisco Security MARS Local Controller, depending on which product you own.

Performing Command Line Administration Tasks

This section details basic administrative tasks that you perform using a console connection to the MARS Appliance. This section contains the following procedures:

Log In to the Appliance via the Console

Reset the Appliance Administrator Password

Shut Down the Appliance via the Console

Log Off the Appliance via the Console

Reboot the Appliance via the Console

Determine the Status of Appliance Services via the Console

Stop Appliance Services via the Console

Start Appliance Services via the Console

View System Logs via the Console

Log In to the Appliance via the Console

After the MARS Appliance boots, the console service starts and prompts the user to log in. Successful login launches a command line application (shell) that operates the CLI.

To log in to the MARS Appliance via a console connection, follow these steps:


Step 1 Establish a console connection to the MARS Appliance. For options and details, see Establishing a Console Connection.

Step 2 At the login: prompt, enter the MARS Appliance administrator name.

Step 3 At the password: prompt, enter the MARS Appliance password.

Result: The system prompt appears in the following form:

Last login: Tue Jul  5 05:57:31 2005 from <host>.<domain>.com

  Cisco Security MARS - Mitigation and Response System

    ? for list of commands

[pnadmin]$ 


Note Only one set of MARS Appliance login credentials (administrator name and password) has the console connection privilege.



Tip To exit the console connection, enter exit at the command prompt.



Reset the Appliance Administrator Password

There is always a single set of MARS Appliance administrator credentials consisting of the administrator name pnadmin and a corresponding password. Unlike other MARS administrative accounts, this unique administrative account is granted all privileges and cannot be deleted.

This procedure details how to reset the password after you log in with the existing credentials. If you do not have the existing MARS Appliance administrator login credentials with which to log in, the only method of recovery is to re-image the appliance, which resets the password to the factory defaults. For information on resetting the administrator login and password without first logging in, see Recovery Management.

To reset the MARS Appliance administrator login credentials, follow these steps:


Step 1 Log in to the MARS Appliance. For more information, see Log In to the Appliance via the Console.

Step 2 At the system prompt, type passwd and then press Enter.

Result: The MARS Appliance displays the following prompt:

New password:

Step 3 Type the new password, and then press Enter.


Note The new password should not contain the administrator account name, must contain a minimum of 6 characters, and it should include at least 3 character types (numerals, special characters, upper case letters, and lowercase letters). Each of the following examples is acceptable: 1PaSsWoRd, *password44, Pass*word.


The MARS Appliance displays the following prompt:

Retype new password

Step 4 Type the new password again, and then press Enter.

Result: The MARS Appliance displays the command prompt, and the password is changed.


Shut Down the Appliance via the Console

You can shut down an appliance remotely via a console connection. However, to power up the appliance, you must have physical access to the device. For more information on powering up the appliance, see Powering on the Appliance and Verifying Hardware Operation, page 4-8.


Caution Powering off the MARS Appliance by using only the power switch may cause the loss or corruption of data. Use this procedure to shut down the MARS Appliance.

To use the console to shut down the MARS Appliance, follow these steps:


Step 1 Log in to the MARS Appliance. For more information, see Log In to the Appliance via the Console.

Step 2 At the system prompt, type shutdown, and then press Enter.

Step 3 At the Are you sure you want to shut down? (Y/N) prompt, type Y for yes and then press Enter.

Result: The MARS Appliance powers off.


Log Off the Appliance via the Console

Logging off via the console closes the administrative session at the appliance. Good security practices recommend logging off when you are not using the console.

To log off the MARS Appliance via the console, follow these steps:


Step 1 At the system prompt, type exit.

Step 2 Press Enter.

Result: The console connection closes, and the login: prompt reappears.


Reboot the Appliance via the Console

From time to time, you may need to manually reboot the appliance. For example, if a service seems to be hung, rebooting may resolve the issue. Rebooting ensures that the services are shut down safely before the appliance restarts.

To reboot the MARS Appliance via the console, follow these steps:


Step 1 Log in to the MARS Appliance. For more information, see Log In to the Appliance via the Console.

Step 2 At the system prompt, type reboot, and then press Enter.

Result: The MARS Appliance displays the following message:

Are you sure you want to reboot? (Y/N)

Step 3 Type Y for yes and then press Enter.

Result: The MARS Appliance reboots. When the reboot is finished, the login: prompt reappears.


Determine the Status of Appliance Services via the Console

You can use the console connection to obtain system and service status information.

To determine the status of the MARS Appliance's services, follow these steps:


Step 1 Log in to the MARS Appliance. For more information, see Log In to the Appliance via the Console.

Step 2 At the system prompt, type pnstatus, and then press Enter.

The system displays the following status information:

Module		State		Uptime
DbIncidentLoaderSrv		RUNNING		01:12:18
csdam		RUNNING		01:12:18
csiosips		RUNNING		01:12:18
csips		RUNNING		01:12:18
cswin		RUNNING		01:12:18
device_monitor		RUNNING		01:12:18
discover		RUNNING		01:12:18
graphgen		RUNNING		01:12:18
pnarchiver		RUNNING		01:12:18
pndbpurger		RUNNING		01:12:18
pnesloader		RUNNING		01:12:18
pnmac		RUNNING		01:12:18
pnparser		RUNNING		01:12:19
process_event_srv		RUNNING		01:12:19
process_inlinerep_srv		RUNNING		01:12:19
process_postfire_srv		RUNNING		01:12:19
process_query_srv		RUNNING		01:12:19
superV		RUNNING		01:12:20

Possible states are:

RUNNING. The service is operational.

STOPPED. The service is not running.


Note All services should be running on a Local Controller. However, a Global Controller only has three services running: graphgen, pnarchiver, and superV—all other services are stopped.
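The state rules in the note above can be checked against pnstatus output captured from a console session. This is an added example, not Cisco code; the function names, the constructed sample captures, the layout of a STOPPED row (the page shows only RUNNING rows) and the uptime-gap restart heuristic are assumptions made for illustration.

```python
import re

# Services the guide says stay running on a Global Controller.
GC_RUNNING = {"graphgen", "pnarchiver", "superV"}

# One pnstatus row: module, state, optional third column.
# Assumption: a STOPPED row may omit the uptime or carry a non-time value.
ROW = re.compile(r"^(\S+)\s+(RUNNING|STOPPED)(?:\s+(\S+))?$")
UPTIME = re.compile(r"^(\d+):(\d{2}):(\d{2})$")


def parse_pnstatus(text):
    """Return {module: (state, uptime_seconds or None)} from captured output."""
    services = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header row, prompt line or blank line
        name, state, up = m.groups()
        t = UPTIME.match(up or "")
        seconds = None
        if t:
            h, mi, s = map(int, t.groups())
            seconds = h * 3600 + mi * 60 + s
        services[name] = (state, seconds)
    return services


def check_states(services, role):
    """Compare states with the guide's rule for a 'local' or 'global' controller."""
    if role not in ("local", "global"):
        raise ValueError("role must be 'local' or 'global'")
    findings = []
    for name in sorted(services):
        state = services[name][0]
        expected = "RUNNING" if role == "local" or name in GC_RUNNING else "STOPPED"
        if state != expected:
            findings.append(f"{name}: {state}, expected {expected}")
    for name in sorted(GC_RUNNING - set(services)):
        findings.append(f"{name}: missing from output")
    return findings


def restarted(services, tolerance=60):
    """Heuristic added for this example (not from the guide): a RUNNING service
    whose uptime trails the longest uptime by more than `tolerance` seconds
    has probably been restarted since the appliance booted."""
    ups = {n: u for n, (s, u) in services.items() if s == "RUNNING" and u is not None}
    if not ups:
        return []
    longest = max(ups.values())
    return sorted(n for n, u in ups.items() if longest - u > tolerance)


# Constructed sample captures (not real appliance output).
LOCAL_SAMPLE = """\
[pnadmin]$ pnstatus
Module                  State    Uptime
DbIncidentLoaderSrv     RUNNING  01:12:18
csips                   RUNNING  00:03:10
graphgen                RUNNING  01:12:18
pnarchiver              RUNNING  01:12:18
pnparser                STOPPED
superV                  RUNNING  01:12:20
"""

GLOBAL_SAMPLE = """\
Module       State    Uptime
csips        STOPPED
graphgen     RUNNING  00:40:02
pnarchiver   RUNNING  00:40:02
pnparser     STOPPED
superV       RUNNING  00:40:03
"""

if __name__ == "__main__":
    local = parse_pnstatus(LOCAL_SAMPLE)
    print("Local Controller findings:", check_states(local, "local"))
    print("Possibly restarted:", restarted(local))
    print("Global Controller findings:",
          check_states(parse_pnstatus(GLOBAL_SAMPLE), "global"))
```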



Stop Appliance Services via the Console

You can stop all MARS Appliance services from the console. To list the services and their status, you can use the pnstatus command. For more information, see Determine the Status of Appliance Services via the Console.

To stop all services on the MARS Appliance, follow these steps:


Step 1 Log in to the MARS Appliance. For more information, see Log In to the Appliance via the Console.

Step 2 Type pnstop.

Step 3 Press Enter.

Result: The system immediately shows the message:

Please Wait . . . 

Followed by the return of the prompt, indicating the command has completed.

Step 4 To verify the status of the services, enter pnstatus.

The superV service does not stop. This service monitors and restarts the other services as needed.


Start Appliance Services via the Console

If the services are stopped, you can manually start all MARS Appliance services from the console. To list the services and their status, you can use the pnstatus command. For more information, see Determine the Status of Appliance Services via the Console.

To start all stopped MARS services, follow these steps:


Step 1 Log in to the MARS Appliance. For more information, see Log In to the Appliance via the Console.

Step 2 Type pnstart.

Step 3 Press Enter.

Result: The system prompt disappears and then returns, indicating the services are restarted.

Step 4 To verify the status of the services, enter pnstatus.


View System Logs via the Console

This section details the procedure for running the pnlog show command. This command displays the log status and can be used by support personnel for analysis.

For more information on the pnlog command, see pnlog, page A-30, of Appendix A, "Command Reference." The syntax for the pnlog show command is as follows:

pnlog show <gui|backend|cpdebug>

Each option displays a running output of a particular log file in the backend. There are three different logs that you can view: the web interface logs, the backend logs (shows logs for processes that the pnstatus command reports on), and CheckPoint debug logs. Use Ctrl+C or ^C to stop this command.

When using cpdebug, set pnlog setlevel to a value greater than 0. The default value, 0, turns off the CPE Debug messages.

To view the system logs with the pnlog show command, follow these steps:


Step 1 Log in to the MARS Appliance. For more information, see Log In to the Appliance via the Console.

Step 2 Type pnlog show and the appropriate argument.

Step 3 Press Enter.

Result: The console begins scrolling the output of the executed command.

Step 4 To stop the output at any time, press Ctrl+C.

Result: The system returns to the system prompt.


Checklist for Upgrading the Appliance Software

MARS upgrade packages are the primary vehicle for major, minor, and patch software releases. As administrator of the MARS Appliance, you should check the upgrade site weekly for patch upgrades. In addition to addressing high-priority caveats, patch upgrade packages update system inspection rules, event types, and provide the most recent signature support.


Caution Never try to upgrade the hardware components of the MARS Appliance. Doing so could result in bodily injury and void support contracts. Contact Cisco for your hardware upgrade needs.

The following checklist describes the steps required to upgrade your MARS Appliance to the most recent version. Each task might contain several steps; the tasks and steps within should be performed in order. The checklist contains references to the specific procedures used to perform each task.

Task

 

1. Determine whether you should upgrade or reimage the MARS Appliance.

Two scenarios exist for bringing your MARS Appliance in line with the current software release: upgrade versus reimage. The method required to get to the current release can differ greatly between these two scenarios.

Upgrade the MARS Appliance to the current release and preserve the configuration and event data. To preserve the configuration and the event data, you must perform the upgrade following the tasks in this checklist; continue with Task 2.

Reimage the MARS Appliance to the current release without preserving any configuration or event data. If you have no desire to preserve configuration and event data, you can reimage the appliance using the most recent ISO image. For information on how to reimage your appliance, see Recovery Management.

Result: You determine whether you will upgrade or reimage your MARS Appliance.

2. Determine the version that you are running.

Before you upgrade your appliance, you must determine what version you are running. You can determine this in one of two ways:

Web interface. To determine the version in the web interface, select Help > About.

CLI. To determine the version from the CLI, enter version at the MARS command prompt.

The format of the version appears as x.y.z (build_number), for example, 3.4.1 (1922).

Note If you are running a version earlier than 3.2.2, please contact Cisco support for information on obtaining the appropriate upgrade files. If you are running 3.2.2 or later, follow the instructions in this checklist.

Result: You have identified the version running on your appliance and know whether you must contact Cisco support or continue with this checklist.

3. Determine the medium for upgrading.

Before upgrading your appliance, you must determine what medium to use. Your choice of medium determines whether you must upgrade from the CLI.

CD-ROM. Before you can upgrade, you must download the software and burn an image to a CD-ROM. You can insert this CD-ROM in the DVD drive of the MARS Appliance to perform the upgrade. If you select the CD-ROM medium, you must upgrade each appliance individually and you must use the CLI.

Internal Upgrade Server. Identify the Internal Upgrade Server to be used. Before you can upgrade, you must download the software image to an internal HTTP, HTTPS, or FTP server. It is from this internal server that you must upgrade your MARS Appliance. This server should meet specific requirements, allowing each MARS Appliance to quickly and securely download the updates. When using an Internal Upgrade Server, you can upgrade from the CLI or the HTML interface unless otherwise noted.

Note If you are running a version earlier than 3.4.1, you cannot use the web interface to upgrade. In versions earlier than 3.4.1, the web interface only allows for connections to the upgrade.protegonetworks.com support site, which is no longer available. To upgrade from versions earlier than 3.4.1, you must use the CLI.

Result: You have determined which medium to use for your upgrade. If you chose the Internal Upgrade Server option, you have identified and prepared your server, and you have verified that the server can be reached by each standalone Local Controller or Global Controller that you intend to upgrade. If a proxy server resides between the Internal Upgrade Server and the appliance, you must provide those settings before upgrading.

For more information, see:

Burn an Upgrade CD-ROM

Prepare the Internal Upgrade Server.

4. Understand the required upgrade path and limitations.

Upgrading from one version of the appliance software to the next must follow a cumulative upgrade path; you must apply each upgrade package in the order it was made available between the version running on the appliance and the version you want to run. Review Table 6-1 to determine the upgrade path that you must follow.

Also, a limitation exists between a Global Controller and any Local Controllers that it monitors. The Global Controller can only monitor Local Controllers that are running the same version it is. If you are attempting to monitor a Local Controller that is running an earlier software version, the Local Controller will appear offline to the Global Controller. However, MARS includes an upgrade option where the Global Controller pushes the same upgrade version to the Local Controllers that it is monitoring, allowing you to manage the upgrade process from within the Global Controller user interface.

You have identified the complete list of upgrade packages that you must download.

For more information, see:

Important Upgrade Notes

Determine the Required Upgrade Path.

5. Download all required upgrade packages from the Cisco.com website.

After you have identified the upgrade packages to download, log in to Cisco.com using your Cisco.com account and download the various packages. To download upgrade packages, you must have a valid SMARTnet support contract for the MARS Appliance.

Depending on your selection in Step 3, you will either store these files on the Internal Upgrade Server or burn a CD-ROM image.

Result: All upgrade packages that are required to upgrade from the version you are running to the most recent version are located in a known path on either the Internal Upgrade Server or a CD-ROM.

For more information, see:

Download the Upgrade Package from Cisco.com.

6. Understand the upgrade approach you want to use.

Select from the following upgrade options:

Note If you are running a version earlier than 3.4.1, you must select an option that supports upgrading from the CLI.

Upgrade from an appliance that connects to the Internal Upgrade Server directly (CLI or web interface).

Upgrade from an appliance that connects to the Internal Upgrade Server through a proxy (CLI or web interface).

Upgrade a Local Controller using the Global Controller via either a proxy server or a direct connection to the Internal Upgrade Server (web interface only).

Upgrade from a CD-ROM at the command line (CLI only).

Result: You have determined the appropriate upgrade approach to use based on your selected medium and currently running version.

7. Identify any required proxy server settings.

If your appliance runs on a network that is separated from the Internal Upgrade Server by a proxy server, you must identify the proxy server settings. If you are using the HTML interface to upgrade, you can specify these settings using the Admin > System Parameters > Proxy Settings page. Otherwise, make note of the settings so that you can provide them at the command line during upgrade.

Note You can specify the proxy server settings in the web interface for versions 3.4.1 and later. However, you can specify proxy server settings at the CLI for versions 2.5.1 and later.

Result: You have either specified the proxy server settings in the web interface, or you have noted the settings for later use.

For more information, see:

Specify the Proxy Settings for the Global Controller or Local Controller.

8. Upgrade the appliance to the next appropriate version, as determined by the upgrade path.

From the appliance, use the method you chose in Step 6 to upgrade incrementally, as determined in Step 5, to the desired version.

Result: You have applied each required upgrade package.

For more information, see:

Upgrade Global Controller or Local Controller from its User Interface

Upgrade from the CLI

Upgrading a Local Controller from the Global Controller


Burn an Upgrade CD-ROM

Burning an upgrade CD-ROM does not have any special requirements. If you require more than one upgrade package, you can include three upgrade packages per CD, as packages are typically around 200 MB.


Note You must apply the upgrade packages in sequential order, and the appliance will reboot between each upgrade. It can take 30-40 minutes for an upgrade to be applied and the system to restart before you can apply the next patch.


Prepare the Internal Upgrade Server

The Internal Upgrade Server requirements vary based on the upgrade option you selected and the version running on your appliance.


Note MARS requires that the Internal Upgrade Server enforces user authentication. Therefore, you must specify a username and password pair to authenticate to the server whether it is accessed via HTTP, HTTPS, or FTP. In addition, if you are passing through a proxy server, that server must also enforce inline authentication.


For CLI-based upgrades of version 2.5.1 or later, the Internal Upgrade Server must be configured to meet the following requirements:

Be an FTP, HTTP, or HTTPS server

Require user authentication

Accept connections from the MARS Appliance

Connections pass through a proxy server that also uses authentication

For web interface-based upgrades of releases 3.4.1 or later, the Internal Upgrade Server must be configured to meet the following requirements:

Be an HTTPS or FTP server

Require user authentication

Accept connections from the MARS Appliance

Connections pass through a proxy server that also uses authentication. In addition, the proxy server setting must be configured in the web interface before the upgrade.

Important Upgrade Notes

To ensure that the upgrade from earlier versions is trouble free, this section contains the notes provided in previous releases according to the release number. Please refer to the notes that pertain to the release you are upgrading from and any releases following that one.

Upgrade to 4.2.6

No important notes exist for the 4.2.6 upgrade.

Upgrade to 4.2.5

The 4.2.4(2432) patch was released to address an issue with the MARS system timezone patch in 4.2.4 (2428). The 4.2.5 update includes the patch, and therefore, you are not required to apply the 4.2.4(2432) patch if you are currently running 4.2.4 (2428). This issue, detailed in CSCsi08897, only affects a few timezones; therefore, many customers would never experience the issue.

Upgrade to 4.2.4

No important notes exist for the 4.2.2 upgrade.

Upgrade to 4.2.3

The 4.2.3 upgrade package is approximately 1.6 GB due to the large number of signatures updated and due to the inclusion of a patch to the database software, which was added to address CSCsg02873. Downloading the PKG file may take up to 7 times longer than previous packages.


Note Enable archiving on the MARS Appliance for two to three days before you attempt to upgrade from 4.2.2 to the 4.2.3 release. This precaution is strongly recommended in case reinstallation is required due to any encountered errors.


To upgrade from 4.2.2 to 4.2.3, follow these steps:


Step 1 Verify that your MARS Appliance does not have hard drives that are degraded or rebuilding by performing the following steps:

a. At the CLI, enter the following command:

raidstatus


Tip For more information on accessing the CLI, see the " Establishing a Console Connection" section in Chapter 5, Initial MARS Appliance Configuration, of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.


For more information on the raidstatus command, see " raidstatus" in Appendix A, Command Reference of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

b. Verify that hard drives are neither in rebuilding nor degraded status. If they are, please wait until all hard drives have finished rebuilding before attempting an upgrade.

Step 2 Verify that the MARS Appliance has at least 3GB of space available on the partition /u01 by performing the following steps:

a. At the CLI, enter the following command:

diskusage

One of the lines should describe the /u01 partition:

Filesystem            Size  Used Avail Use% Mounted on
/dev/md3               16G  4.6G   10G  31% /u01

For more information on the diskusage command, see " diskusage" in Appendix A, Command Reference of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

b. Verify that at least 3 GB is available (the example has 10G available).

A nightly process runs to clean up any files that accumulate on this partition. If you have less than 3 GB, there is an issue with your appliance that you must resolve prior to upgrading.

Step 3 Perform the software upgrade. The CLI method is strongly recommended.


Note While the GUI upgrade works, it does not show progress of the upgrade. Use the CLI instead to ensure the progress of the update is known. Do not reboot the appliance until the upgrade has completed.


For more information on performing the upgrade using the command line, see the following information:

" Checklist for Upgrading Appliance Software" in Chapter 6, Administering the MARS Appliance of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

"pnupgrade" command in Appendix A, Command Reference of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

" Upgrading from the CLI" in Chapter 6, Administering the MARS Appliance of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

Step 4 After the automatic system reboot, verify the upgrade by performing the following steps:

a. At the CLI, enter the following command:

pnstatus

For more information on the pnstatus command, see " pnstatus" in Appendix A, Command Reference of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

b. Verify that all processes are running.

If some processes are not running, you must troubleshoot that issue before proceeding with the upgrade.

c. Enter the following command:

pnupgrade log

For more information on the pnupgrade log command, see " pnupgrade" in Appendix A, Command Reference of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.2.x.

d. Verify that the output looks like the following:

[pnadmin]$ pnupgrade log
--------------------------------------
   4.2.2 2303   -->  4.2.3 2403
--------------------------------------
1 Preparing upgrade start
  1.1 Load the step table start
  1.1 Load the step table end
  1.2 Stop pnmonitor start
  1.2 Stop pnmonitor end
  1.3 Stop jboss start
  1.3 Stop jboss end
  1.4 Stop other applications start
  1.4 Stop other applications end
1 Preparing upgrade end
2 Upgrade OS start
  2.1 Patch OS start
  2.1 Patch OS end
  2.2 Patch Oracle start
  2.2 Patch Oracle end
2 Upgrade OS end
3 Upgrade schema start
  3.1 Run upgrade schema script start
  3.1 Run upgrade schema script end
  3.2 Backup schema script start
  3.2 Backup schema script end
3 Upgrade schema end
4 Upgrade MARS applications start
  4.1 Untar MARS executable binary start
  4.2 Untar MARS executable binary end
  4.3 Modify janus.conf start
  4.3 Modify janus.conf end
  4.4 Swap MARS executable binary start
  4.4 Swap MARS executable binary end
  4.5 Run post-unpack-deployment start
  4.5 Run post-unpack-deployment end
4 Upgrade MARS applications end
5 Upgrade data start
  5.1 Start jboss start
  5.1 Start jboss end
  5.2 Importing signature data start
  5.2 Importing signature data end
  5.3 Missing-id fix start
  5.3 Missing-id fix end
5 Upgrade data end
6 reboot ...
Upgrade from 4.2.2 2303 to 4.2.3 2403 finished.

If the log does not include the "Upgrade from 4.2.2 2303 to 4.2.3 2403 finished" line, then a problem occurred during the upgrade regardless of whether the version command reports 4.2.3 (2403).
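Two checks in this procedure lend themselves to automation on captured console output: the /u01 free-space threshold in Step 2 and the completion line in Step 4. The following is an added example, not Cisco code; the function names and the constructed captures are assumptions, and steps are paired by description because the sample log above numbers the "Untar MARS executable binary" start as 4.1 and its end as 4.2.

```python
import re

UNIT_GB = {"K": 1 / 1024**2, "M": 1 / 1024, "G": 1.0, "T": 1024.0}
HEADER = re.compile(r"^(\d+\.\d+\.\d+)\s+(\d+)\s+-->\s+(\d+\.\d+\.\d+)\s+(\d+)$")
STEP = re.compile(r"^(\d+(?:\.\d+)?)\s+(.+?)\s+(start|end)$")
FINISHED = re.compile(r"^Upgrade from (\S+) (\d+) to (\S+) (\d+) finished\.?$")


def avail_gb(diskusage_text, mount="/u01"):
    """Return the Avail column for `mount` in GB, or None if the row is absent."""
    for line in diskusage_text.splitlines():
        f = line.split()
        if len(f) == 6 and f[5] == mount:
            m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT])", f[3])
            if m:
                return float(m.group(1)) * UNIT_GB[m.group(2)]
    return None


def has_upgrade_space(diskusage_text, minimum_gb=3.0):
    """Step 2: at least 3 GB must be available on /u01."""
    avail = avail_gb(diskusage_text)
    return avail is not None and avail >= minimum_gb


def check_upgrade_log(text):
    """Step 4: the upgrade succeeded only if the 'finished' line is present and
    names the same versions and builds as the log header. Steps left without
    an 'end' line show where an incomplete upgrade stopped."""
    result = {"from": None, "to": None, "finished": False, "unclosed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER.match(line)):
            result["from"], result["to"] = (m[1], m[2]), (m[3], m[4])
        elif (m := STEP.match(line)):
            desc, kind = m[2], m[3]
            if kind == "start":
                result["unclosed"].append(desc)
            elif desc in result["unclosed"]:
                result["unclosed"].remove(desc)
        elif (m := FINISHED.match(line)):
            claimed = ((m[1], m[2]), (m[3], m[4]))
            result["finished"] = claimed == (result["from"], result["to"])
    return result


# Constructed captures, shortened from the format shown above.
DISKUSAGE_OK = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/md3               16G  4.6G   10G  31% /u01
"""
DISKUSAGE_LOW = """\
Filesystem            Size  Used Avail Use% Mounted on
/dev/md3               16G   14G  2.1G  87% /u01
"""
GOOD_LOG = """\
[pnadmin]$ pnupgrade log
--------------------------------------
   4.2.2 2303   -->  4.2.3 2403
--------------------------------------
1 Preparing upgrade start
  1.2 Stop pnmonitor start
  1.2 Stop pnmonitor end
1 Preparing upgrade end
4 Upgrade MARS applications start
  4.1 Untar MARS executable binary start
  4.2 Untar MARS executable binary end
4 Upgrade MARS applications end
6 reboot ...
Upgrade from 4.2.2 2303 to 4.2.3 2403 finished.
"""
INCOMPLETE_LOG = """\
--------------------------------------
   4.2.2 2303   -->  4.2.3 2403
--------------------------------------
1 Preparing upgrade start
1 Preparing upgrade end
3 Upgrade schema start
  3.1 Run upgrade schema script start
"""

if __name__ == "__main__":
    print("Space OK:", has_upgrade_space(DISKUSAGE_OK))
    print("Good log:", check_upgrade_log(GOOD_LOG))
    print("Incomplete log:", check_upgrade_log(INCOMPLETE_LOG))
```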


Special Note for Post Upgrade of a Global Controller/Local Controller Deployment

In a Global Controller/Local Controller deployment upgraded from 4.2.2 to 4.2.3, the communication states between the Global Controller and one or more Local Controllers can be out of sync. This issue is detailed in CSCsh38818.

The Global Controller identifies the Local Controller as Active, and the Local Controller identifies itself as Offline. Toggling "Suspend/Resume" from the Global Controller's Local Controller Management page toggles both states, causing the Global Controller to consider the Local Controller as Suspended while the Local Controller considers itself as Online and resumes pushing information to the Global Controller.

This "out of sync" state affects Global Controller/Local Controller deployments that are upgraded from 4.2.2 to 4.2.3.

To determine whether a Global Controller/Local Controller pair is in this error state, follow these steps:


Step 1 The Global Controller and all associated Local Controllers are upgraded from 4.2.2 to 4.2.3 (see upgrade instructions in Upgrade to 4.2.3).

Step 2 Log into the Global Controller web interface, and select Admin > System Setup > Local Controller Management.

Step 3 For each Local Controller, select the Local Controller checkbox and click Details.

Step 4 Verify that there is a discrepancy between the status on the Global Controller and the status of the Local Controller. Specifically, the status on the Global Controller shows that a Local Controller is "Active", while the Local Controller web interface shows that the Local Controller is Offline in the header - "CS-MARS Local Controller (Offline)". Confirm the Local Controller status by logging into the Local Controller via its web interface.

Step 5 Note each Local Controller that is in this "out of sync" state.


Once the error has been identified, follow these steps to exit the error state:


Step 1 Log into the Global Controller web interface, and select Admin > System Setup > Local Controller Management.

Step 2 Select each Local Controller that is in this "out of sync" state, and click Suspend/Resume. Repeat until all Local Controllers in this "out of sync" state have been suspended.

You can verify that the Global Controller sees each Local Controller as "Suspended" by clicking "Details" for that Local Controller to see if it shows that the Local Controller is no longer Offline - "CS-MARS Local Controller: [hostname]/[zone name]"

Step 3 On the Local Controller Management page of the Global Controller web interface, select Refresh Rate "1 minute" from the pull-down menu.

Step 4 Select Admin > System Maintenance > License Key, and verify that the correct number of Local Controllers (20/50s, and 100/200s) are counted by the Global Controller under "used".

Step 5 Select Admin > System Setup > Local Controller Management in the Global Controller browser window.

Step 6 Perform Step 7 through Step 10 for each Local Controller that is in this "out of sync" state.

Step 7 Open an SSH shell to the Local Controller, and enter the following command:

pnreset -j

Step 8 Enter yes to confirm the pnreset operation.

Step 9 Within 20 seconds of entering the pnreset -j command, switch back to the Global Controller browser window and click the browser refresh button every 3 seconds until the Status message for that Local Controller displays "Not responding". This is needed to resynchronize communication between the Global Controller and Local Controller.

Step 10 Wait for the Local Controller Management page to refresh and verify that the Local Controller's status is now "Active" and the web interface for that Local Controller shows the Local Controller is Active (not Offline). Confirm the Local Controller status by logging into the Local Controller via its web interface.


Upgrade to 4.2.2

No important notes exist for the 4.2.2 upgrade.

Upgrade to 4.2.1

As identified in CSCse17864, CSCse22610 and CSCse22617, the changes in the case management feature require that you close all cases before upgrading from MARS 4.1.x to 4.2.1. By closing the cases, you ensure that the device, report, and query information is copied to the case, assuming it still exists in the database.

Upgrade to 4.1.5

No important notes exist for the 4.1.4 upgrade.

Upgrade to 4.1.4

No important notes exist for the 4.1.4 upgrade.

Upgrade to 4.1.3

No important notes exist for the 4.1.3 upgrade.

Upgrade to 4.1.2(2042)

The following notes detail changes to the standard upgrade process:

If you completed the 4.1.1 to 4.1.2 (2040) upgrade, verify whether the upgrade failed by entering `pnlog mailto <SMTP server> <sender> <recipient>' at the CLI. This command mails the MARS Appliance logs to the recipient. Open the e-mailed file attachment, and then open the newest upgrade*.log found in /var/log/. Successful upgrades from 4.1.1 (2022) to 4.1.2 (2040) include the following line:

Opening file: /etc/data/secondarytables/reports/Report.0.Resource-Issues--IOS-IPS-DTM---All-Events.xml

If you do not see this line, then a problem occurred during the upgrade regardless of whether the version command reports 4.1.2 (2040).

To upgrade from 4.1.1 or a successful or unsuccessful 4.1.2 (2040) to 4.1.2 (2042), download the package, perform the upgrade as defined in Checklist for Upgrading the Appliance Software. If you are upgrading from 4.1.1, you must also execute the following command at the CLI of the upgraded MARS Appliance:

script -b patch_or_04_1_16.sh

The 4.1.2 (2042) image includes an additional command `script' that cleans the database of the data referenced in CSCsc31386. As a result of running the script, the total upgrade process from 4.1.1 to 4.1.2 (2042) may take much longer than previous releases; it depends on the amount of data stored on the MARS Appliance. For a MARS 200, it could double the normal upgrade time to two hours. To determine whether the script is still running, enter the following command and look for `patch_or_04_1_16.sh' anywhere in the output:

sysstatus -n 1 -b

Upgrade to 4.1.1

The following notes relate to changes in your system or configuration as a result of upgrading to MARS 4.1.1.

Prior to the 4.1.1 release, CSA was identified by the device type name Cisco CSA 4.0. As part of an upgrade, any Cisco CSA 4.0 devices were renamed as Cisco CSA 4.x. This new name includes support for Cisco CSA 4.0 and 4.5.

The new case management replaces the Escalate Incident functionality in MARS 3.4.4 and earlier. However, escalated incidents are not converted to cases during the upgrade process. Therefore, you must close all open escalations before upgrading to MARS 4.1.1 (CSCsb52057).

Determine the Required Upgrade Path

When upgrading from one software version to another, a prerequisite version is always required. This prerequisite version is the minimum level required to be running on the appliance before you can upgrade to the most recent version.

Table 6-1 identifies the upgrade path that you must follow to reach the prerequisite version that is eligible for a direct upgrade to most recent version.

Table 6-1 Upgrade Path Matrix for 4.x Releases

| From Version | Upgrade To [1] | Upgrade Package |
|---|---|---|
| releases prior to 2.5.6 | Contact Cisco Support | n/a |
| 2.5.6 | 3.1.1* | pn-3.1.1.pkg |
| 3.1.1 | 3.2.1* | pn-3.2.1.pkg |
| 3.2.1 | 3.2.2* | pn-3.2.2.pkg |
| 3.2.2 or 3.3.2 Beta | 3.3.3* | pn-3.3.3.pkg |
| 3.3.3 | 3.3.4* | pn-3.3.4.pkg |
| 3.3.4 | 3.3.5* | pn-3.3.5.pkg |
| 3.3.5 | 3.4.1* | pn-3.4.1.pkg |
| 3.4.1 | 3.4.2 | pn-3.4.2.pkg |
| 3.4.2 | 3.4.3 | pn-3.4.3.pkg |
| 3.4.3 | 3.4.4 | pn-3.4.4.pkg |
| 3.4.4 | 4.1.1 | csmars-4.1.1.pkg |
| 4.1.1 | 4.1.2 (2042) + script command | csmars-4.1.2.pkg [2] |
| 4.1.2 (2040) without error | 4.1.2 (2042) | csmars-4.1.2.pkg [2] |
| 4.1.2 (2042) | 4.1.3 | csmars-4.1.3.pkg |
| 4.1.3 | 4.1.4 | csmars-4.1.4.pkg |
| 4.1.4 | 4.1.5 | csmars-4.1.5.pkg |
| 4.1.5 | 4.2.1 | csmars-4.2.1.pkg |
| 4.2.1 | 4.2.2 | csmars-4.2.2.pkg |
| 4.2.2 | 4.2.3 | csmars-4.2.3.pkg [3] |
| 4.2.3 | 4.2.4 (2428) | csmars-4.2.4.pkg |
| 4.2.4 (2428) or (2432) | 4.2.5 | csmars-4.2.5.pkg |
| 4.2.5 | 4.2.6 | csmars-4.2.6.pkg |
| 4.2.6 | 4.2.7 | csmars-4.2.7.pkg |
| 4.2.7 | 4.2.8 | csmars-4.2.8.pkg |

[1] An asterisk (*) next to a package name in this column identifies that this upgrade must be performed from the command line, as web interface support was lost with the closing of the upgrade.proteogonetwork.com website.

[2] To upgrade from 4.1.1 or 4.1.2 (2040) to 4.1.2(2042), please review the special upgrade notes in the Quick Install and Release Notes for Cisco Security MARS Appliance 4.1.2 (2042).

[3] The 4.2.3 upgrade package is approximately 1.6 GB due to the large number of signatures updated and due to the inclusion of a patch to the database software. Downloading the ISO image may take longer than previous packages.
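Because every row of Table 6-1 is a single hop, reaching a recent release from an older one means chaining the rows in order. The following Python is an added example, not Cisco code: the function names (norm, load_hops, plan_upgrade) and the inline encoding of the table are assumptions of the example, with the rows transcribed from Table 6-1 and the script command taken from the 4.1.2 (2042) upgrade notes.

```python
import re

# Table 6-1 as "from version(s)|upgrade to|package"; "*" = CLI-only (footnote 1), "+" = 4.1.1 row's script command.
TABLE_6_1 = """\
2.5.6|3.1.1*|pn-3.1.1.pkg
3.1.1|3.2.1*|pn-3.2.1.pkg
3.2.1|3.2.2*|pn-3.2.2.pkg
3.2.2, 3.3.2 Beta|3.3.3*|pn-3.3.3.pkg
3.3.3|3.3.4*|pn-3.3.4.pkg
3.3.4|3.3.5*|pn-3.3.5.pkg
3.3.5|3.4.1*|pn-3.4.1.pkg
3.4.1|3.4.2|pn-3.4.2.pkg
3.4.2|3.4.3|pn-3.4.3.pkg
3.4.3|3.4.4|pn-3.4.4.pkg
3.4.4|4.1.1|csmars-4.1.1.pkg
4.1.1|4.1.2 (2042)+|csmars-4.1.2.pkg
4.1.2 (2040)|4.1.2 (2042)|csmars-4.1.2.pkg
4.1.2 (2042)|4.1.3|csmars-4.1.3.pkg
4.1.3|4.1.4|csmars-4.1.4.pkg
4.1.4|4.1.5|csmars-4.1.5.pkg
4.1.5|4.2.1|csmars-4.2.1.pkg
4.2.1|4.2.2|csmars-4.2.2.pkg
4.2.2|4.2.3|csmars-4.2.3.pkg
4.2.3|4.2.4 (2428)|csmars-4.2.4.pkg
4.2.4 (2428), 4.2.4 (2432)|4.2.5|csmars-4.2.5.pkg
4.2.5|4.2.6|csmars-4.2.6.pkg
4.2.6|4.2.7|csmars-4.2.7.pkg
4.2.7|4.2.8|csmars-4.2.8.pkg
"""

def norm(version):
    # Canonical spelling, e.g. "4.1.2(2042)" -> "4.1.2 (2042)".
    return re.sub(r"\s*\(", " (", " ".join(version.split()))

def load_hops(table=TABLE_6_1):
    # Map every "from" version to (next version, package, notes).
    hops = {}
    for row in table.strip().splitlines():
        sources, target, package = row.split("|")
        notes = ["CLI only"] if target.endswith("*") else []
        if target.endswith("+"):
            notes.append("then run: script -b patch_or_04_1_16.sh")
        for source in sources.split(","):
            hops[norm(source)] = (norm(target.rstrip("*+")), package, notes)
    return hops

def plan_upgrade(current, target):
    # Walk the table one release at a time; a version is never skipped.
    hops, here, goal, steps = load_hops(), norm(current), norm(target), []
    while here != goal:
        if here not in hops:
            nums = tuple(int(n) for n in re.findall(r"\d+", here)[:3])
            if nums and nums < (2, 5, 6):
                raise ValueError("release prior to 2.5.6: contact Cisco Support")
            raise ValueError(f"Table 6-1 has no path from {current} to {target}")
        nxt, package, notes = hops[here]
        steps.append((here, nxt, package, notes))
        here = nxt
    return steps
```

Version strings must be written as they appear in the table, including the build number where the table gives one, for example plan_upgrade("3.4.4", "4.2.8") or plan_upgrade("4.2.4 (2432)", "4.2.5").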


Download the Upgrade Package from Cisco.com

Upgrade images and supporting software are found on the Cisco.com software download pages dedicated to MARS. You can access these pages at the following URLs, assuming you have a valid Cisco.com account and that you have registered your SMARTnet contract number for your MARS Appliance.

Top-level page: http://www.cisco.com/pcgi-bin/tablebuild.pl?topic=279644034

Upgrade files: http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars

Recovery images: http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars-recovery

Supporting files: http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-mars-misc


Note If you are upgrading from a version earlier than those posted on Cisco.com, please contact Cisco support for information on obtaining the required images. Do not attempt to skip versions along the upgrade path.


For information on obtaining a Cisco.com account, see the following URL:

http://www.cisco.com/en/US/applicat/cdcrgstr/applications_overview.html

Specify the Proxy Settings for the Global Controller or Local Controller

If you know that your appliance cannot directly access the Internal Upgrade Server, you can specify the proxy settings. This procedure describes how to specify the proxy settings with the assumption that you will upgrade the appliance from the user interface associated with that appliance. For information on upgrading a Local Controller from within the Global Controller user interface, see Upgrading a Local Controller from the Global Controller.


Note This procedure is valid for versions 3.4.1 and later.


To specify proxy settings, follow these steps:


Step 1 Open the MARS user interface in your browser.

Step 2 Select Admin > System Parameters > Proxy Settings.

Step 3 In the Proxy Address and Proxy Port fields, enter the address and port used by the proxy server that sits between your appliance and the Internal Upgrade Server.

Step 4 In the Proxy User field, specify the username that the appliance must use to authenticate to the proxy server.


Note This username and password pair is neither the Cisco.com nor the Internal Upgrade Server login and password. MARS requires that proxy servers enforce inline user authentication. Therefore, you must specify a username and password pair to authenticate to the proxy server.


Step 5 In the Proxy Password field, specify the password associated with the username you just provided.

Step 6 Click Submit to save your changes.


Upgrade Global Controller or Local Controller from its User Interface


Note This procedure is valid for versions 3.4.1 and later.


To upgrade the appliance from the user interface, follow these steps:


Step 1 Open the MARS user interface in your browser.

Step 2 Select Admin > System Maintenance > Upgrade.

Step 3 In the IP Address field, enter the address of the server where the upgrade package files are stored.

Step 4 In the User Name and Password fields, enter your Internal Upgrade Server login information.


Note MARS requires that the Internal Upgrade Server enforces user authentication. Therefore, you must specify a username and password pair to authenticate to the server.


Step 5 In the Path field, specify the path where the package file is stored, relative to the type of server access used.

Step 6 Select the appropriate protocol in the Server Type box.

You can download the install package using either HTTPS or FTP.

Step 7 In the Package Name field, specify the full name of the package file that you have downloaded.

Step 8 Click Download.

Result: Depending on the size of the package, this download can take some time. After the download is complete, the Install button becomes active.

Step 9 Click Install.

Result: After you click Install, the system needs some time to process the upgrade. After the upgrade is complete, the system reboots. During the upgrade, the user interface is also restarted.


Upgrade from the CLI

You can connect to the Internal Upgrade Server and complete the upgrade using HTTP or HTTPS, or you can download the upgrade package onto an FTP server and perform the upgrade. For more information on the upgrade command, see pnupgrade, page A-41.

To upgrade using the CLI, follow these steps:


Step 1 Log in to the appliance via the console port or SSH connection.

Step 2 Enter your MARS login name and password.

Step 3 To verify that the appliance is running the prerequisite version, run the CLI command:

version

The appliance must be running the supported prerequisite version. See Table 6-1 for the required prerequisite version. If it is not, you must follow the upgrade path to reach that version.

Step 4 Do one of the following:


Note MARS requires that the Internal Upgrade Server enforces user authentication. Therefore, you must specify a username and password pair to authenticate to the server whether it is accessed via HTTP, HTTPS, or FTP. In addition, if you are passing through a proxy server, that server must also enforce inline authentication.


To upgrade from a CD-ROM located in the appliance's DVD drive, run the CLI command:

pnupgrade cdrom://package/pn-ver.pkg

Where package is the path on the CD where you have stored the *.pkg file and where [ver] is the version number of the package file to which you want to upgrade, such as 3.3.4.

To upgrade from an internal HTTP or HTTPS server, run the CLI command:

pnupgrade https://upgrade.myhttpserver.com/upgrade/packages/pn-ver.pkg [user] [password]

— or —

pnupgrade http://upgrade.myhttpserver.com/upgrade/packages/pn-ver.pkg [user] [password]

Where upgrade.myhttpserver.com/upgrade/packages is the server name and path where you have downloaded the other *.pkg file, and where ver is the version number, such as 3.3.4, and [user] and [password] are your Internal Upgrade Server login name and password.

To upgrade from your FTP server after you have downloaded the file, run the CLI command:

pnupgrade ftp://upgrade.myftpserver.com/upgrade/packages/pn-ver.pkg [user] [password]

Where upgrade.myftpserver.com/upgrade/packages is the server name and path where you have downloaded the other *.pkg file, and where [ver] is the version number, such as 3.3.4, [user] and [password] are your Internal Upgrade Server login name and password.

To upgrade from the Internal Upgrade Server through a proxy server, run the CLI command:

pnupgrade proxyServerIP:proxyServerPort [proxyUser:proxyPassword] https://upgrade.myhttpserver.com/upgrade/packages/pn-ver.pkg [user] [password]

Where the variables are defined as follows:

proxyServerIP:proxyServerPort identifies the IP address/port pair that connects to the proxy server residing between your appliance and the Internal Upgrade Server.

proxyUser:proxyPassword identifies the username and password pair required for the appliance to authenticate to the proxy server.

upgrade.myhttpserver.com/upgrade/packages is the server name and path where you have downloaded the *.pkg file.

ver is the version number, such as 3.3.4.

[user] and [password] are your Internal Upgrade Server login name and password.

Result: A progress bar indicates the download percentage. After download is complete, the system takes some time to process the upgrade. After the upgrade is complete, the system reboots.


Upgrading a Local Controller from the Global Controller

When upgrading a Local Controller from within the Global Controller user interface, you need to determine whether the Local Controller resides behind a proxy server. If so, you must configure the proxy settings for the Local Controller within the Global Controller user interface. After you have specified the settings, you can upgrade the Local Controller as you normally would.


Note If Local Controller proxy information is not provided and you attempt to download an upgrade for that appliance, the Local Controller attempts to connect to Internal Upgrade Server and fails after a period of time.


When you upgrade a Global Controller and its monitored Local Controllers, you first upgrade the Global Controller, which requires that you identify the Internal Upgrade Server information. The Global Controller then pushes this server information to all its selected Local Controllers, which allows each Local Controller to locate the Internal Upgrade Server and start the download and upgrade process. The Local Controller does not retrieve the upgrade package from the Global Controller.

Before You Begin

This procedure is valid for versions 3.4.1 and later.

Verify that each Local Controller is running the same software version that the Global Controller was running before its upgrade. Target Local Controllers must be running the prerequisite software version that the Global Controller was running before its upgrade.


Note If you upgrade a Global Controller/Local Controller pair, the Local Controller may appear offline for the first 10 minutes after the appliances reboot. The scheduler wakes up and re-syncs 10 minutes after startup.

If you notice that the Local Controller appears offline, verify that at least 10 minutes have passed since the appliances rebooted. Alternatively, you can jump start the communication by navigating to Admin > Local Controller Management in the Global Controller user interface.


Specify the Proxy Settings in the Global Controller

To specify the proxy settings for a Local Controller in the Global Controller user interface, follow these steps:


Step 1 Open the MARS user interface in your browser.

Step 2 Select Admin > System Maintenance > Upgrade.

Step 3 Click Proxy Settings next to the Local Controller that you want to upgrade.

Result: The Global Controller user interface loads the Proxy Information page (Admin > System Parameters > Proxy Settings) on the selected Local Controller.

Step 4 In the Proxy Address and Proxy Port fields, enter the address and port used by the proxy server that sits between your appliance and the Internal Upgrade Server.

Step 5 In the Proxy User field, specify the username that the appliance must use to authenticate to the proxy server.


Note This username and password pair is not the Internal Upgrade Server Login and Password. MARS requires that proxy servers enforce inline user authentication. Therefore, you must specify a username and password pair to authenticate to the proxy server.


Step 6 In the Proxy Password field, specify the password associated with the username you just provided.

Step 7 Click Submit to save your changes.


Upgrade Local Controller from the Global Controller User Interface

You can upgrade any Local Controllers that are managed by a Global Controller from within the Global Controller user interface. This enables you to work your way through the list of Local Controllers without connecting to each appliance individually.


Step 1 Open the MARS user interface in your browser.

Step 2 Select Admin > System Maintenance > Upgrade.

Result: The list of Local Controllers that can be selected to upgrade appears.

Step 3 In the Login and Password fields, enter the Internal Upgrade Server login and password that you have assigned to your Internal Upgrade Server.


Note MARS requires that the Internal Upgrade Server enforces user authentication. Therefore, you must specify a username and password pair to authenticate to the server.


Step 4 Select the check box next to the Local Controller to upgrade, and click Download.

If you have specified proxy settings for the selected appliance, a popup window prompts you to verify the settings. After you verify the information, click OK. If you have forgotten to enter proxy information, click Cancel and then enter the proxy information for that Local Controller as described in Specify the Proxy Settings in the Global Controller.

Result: Depending on the size of the package, this download can take some time. After the download is complete, the Install button becomes active.

Step 5 Click Install.

Result: After you click Install, the remote system needs some time to process the upgrade. After the upgrade is complete, the remote system reboots. During the upgrade, the user interface is also restarted.


Configuring and Performing Appliance Data Backups

You can archive data from a MARS Appliance and use that data to restore the operating system (OS), system configuration settings, dynamic data (event data), or the complete system. The appliance archives and restores data to and from an external network-attached storage (NAS) system using the network file system (NFS) protocol. While you cannot schedule when the data backup occurs, the MARS Appliance performs a configuration backup every morning at 2:00 a.m. and events are a