
Cisco Intrusion Prevention System

Understanding How Cisco IPS Automatic Signature Update Feature Works

   Document ID: 113674

Aug 17, 2012

Introduction

This document provides an overview of the Cisco Intrusion Prevention System (IPS) Automatic Update feature and its operation.

The IPS Automatic Update feature was introduced in IPS version 6.1 and provides administrators with an easy way to update IPS signatures on a regularly scheduled interval.

Note: The content in this document was created by Justin Taliaferro, Todd Pula, and Sid Chandrachud, Cisco TAC Engineers.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Components Used

The information in this document is based on the IPS version 6.1 and later.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Network Requirements

  1. The command and control interface of the IPS requires direct access to the Internet using HTTPS (TCP 443) and HTTP (TCP 80).

  2. Network Address Translation (NAT) and Access Control Lists (ACL) on edge devices such as routers and firewalls need to be configured in order to permit the IPS connectivity to the Internet.

  3. Exclude the command and control interface IP address from all content filters and network traffic shapers.

  4. The Automatic Update feature does not support connectivity through proxy servers.
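The four requirements above can be checked before the feature is enabled. The script below is an added example, not Cisco code and not part of this document's procedure. It assumes it is run from a host on the same management segment as the command and control interface (the sensor itself offers no Python interpreter), tests only plain TCP reachability of the two required ports to the update server addresses quoted later in this document, and uses the local proxy environment variables as a hint that Internet traffic on this segment is proxied, which the feature does not support.

```python
import os
import socket
from dataclasses import dataclass

# Auto update server addresses quoted in the document, by sensor release.
UPDATE_SERVER = {"pre-7.0.8": "198.133.219.25", "7.0.8+": "72.163.4.161"}
REQUIRED_PORTS = (443, 80)  # HTTPS for the locator/manifest, HTTP for the download
PROXY_VARS = ("http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY")


@dataclass
class PortResult:
    host: str
    port: int
    reachable: bool
    detail: str


def check_tcp(host: str, port: int, timeout: float = 3.0) -> PortResult:
    """Attempt a plain TCP connect and classify the outcome for the report."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortResult(host, port, True, "connected")
    except socket.timeout:
        return PortResult(host, port, False, "timeout: filtered upstream, or routing/NAT not in place")
    except ConnectionRefusedError:
        return PortResult(host, port, False, "refused")
    except OSError as exc:
        return PortResult(host, port, False, f"error: {exc}")


def proxy_variables(env=None) -> list:
    """Proxy settings on this host suggest Internet traffic on the segment is
    proxied, which the Auto Update feature does not support (a heuristic)."""
    env = os.environ if env is None else env
    return [name for name in PROXY_VARS if env.get(name)]


def preflight(host: str, ports=REQUIRED_PORTS, env=None) -> dict:
    """Check every required port plus the proxy hint; 'ok' means all passed."""
    results = [check_tcp(host, port) for port in ports]
    proxies = proxy_variables(env)
    return {"results": results, "proxies": proxies,
            "ok": all(r.reachable for r in results) and not proxies}


if __name__ == "__main__":
    report = preflight(UPDATE_SERVER["7.0.8+"])
    for r in report["results"]:
        print(f"{r.host}:{r.port} {'OK' if r.reachable else 'FAIL'} ({r.detail})")
    if report["proxies"]:
        print("proxy settings present:", ", ".join(report["proxies"]))
    print("preflight", "passed" if report["ok"] else "failed")
```

A timeout on either port usually points at the NAT, ACL, content-filter or traffic-shaper items in the list above rather than at the sensor configuration; a refusal on port 80 with 443 working is worth re-checking the ACL for, since the download step uses HTTP.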

Signature Auto Update Process

This is the process:

[Figure: ips-automatic-signature-update-01.gif]

  1. IPS authenticates to the auto update server at 198.133.219.25 (pre-7.0.8) or 72.163.4.161 (7.0.8 and later) using HTTPS (TCP 443).

  2. IPS sends a client manifest to the auto update server including the platform ID and an encrypted shared secret, which the server uses to verify authenticity of the Cisco IPS sensor.

  3. Once authenticated, the update server responds with a server manifest containing a list of download file options associated with the platform ID. The data contained here includes information related to update version, download location, and supported file transfer protocols. Based on this data, the IPS auto update logic determines if any of the download options are valid and then selects the best update package for download. In preparation for the download, the server provides the IPS with a set of keys to be used to decrypt the update file.

  4. The IPS establishes a new connection to the download server identified in the server manifest. The download server IP address varies depending on location.

  5. The IPS uses the file transfer protocol defined in the file download URL learned from the server manifest (currently HTTP on TCP 80). The IPS uses the previously downloaded keys to decrypt the update package and then applies the signature files to the sensor.

Configuration

The Automatic Update feature can be configured from IPS Device Manager (IDM) or IPS Manager Express (IME). Complete these steps:

  1. From IDM/IME, choose Configuration > Sensor Management > Auto/Cisco.com Update.

    [Figure: ips-automatic-signature-update-02.gif]

  2. Check the Enable Signature and Engine Updates from Cisco.com check box in the right-hand pane, and click the blue Cisco.com Server Settings title to expand the configuration pane.

  3. Enter the CCO username and password.

    Note: Do not change the Cisco.com URL; the default setting is correct.

    Prior to 7.0(8), it should look like this:

    https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl

    From 7.0(8) and 7.1(5) and later, it should look like this:

    https://72.163.4.161//cgi-bin/front.x/ida/locator/locator.pl

    Note: Please do not edit the URL. The // is intentional and not a typo.

    [Figure: ips-automatic-signature-update-03.gif]

  4. Configure a start time and frequency in order to schedule the signature update. In this example, the time is set to 23:15:00. The frequency can be configured to support hourly or daily update attempts. Then click Apply in order to apply your configuration changes.

    Note: It is recommended to set a random time that is not on the top of the hour (for example, avoid 8:00, 13:00 and 15:00).

    [Figure: ips-automatic-signature-update-04.gif]

  5. In order to verify that the Auto Update completed successfully, issue the show statistics host command from the IPS CLI as seen in this example:

    IPS#show statistics host
    <Output truncated>
    Auto Update Statistics
       lastDirectoryReadAttempt = 16:55:03 GMT-06:00 Wed Jun 27 2012
        =   Read directory: http://CCOUser@72.163.7.55//swc/esd/06/273556262/guest/
        =   Success
       lastDownloadAttempt = 16:55:03 GMT-06:00 Wed Jun 27 2012
        =   Download: http://CCOUser@72.163.7.55//swc/esd/06/273556262/guest/IPS-sig-S654-req-E4.pkg
        =   Success
       nextAttempt = 17:55:00 GMT-06:00 Wed Jun 27 2012
       lastInstallAttempt = 16:55:46 GMT-06:00 Wed Jun 27 2012
        =   Success
    <Output truncated>

Caveats

Some signature updates require the regular expression tables to be recompiled during which time the IPS can go into software bypass mode. For inline sensors with bypass mode set to Auto, the Analysis Engine is bypassed, which allows traffic to flow through the inline interfaces and inline VLAN pairs without inspection. If bypass mode is turned off, the inline sensor stops passing traffic while the update is applied.

Troubleshooting

After correct configuration of Auto Signature Update, complete these steps in order to isolate and correct commonly encountered issues:

  1. For all IPS appliances and modules except the AIM and IDSM, ensure that the command and control interface is connected to the local network, is assigned a valid IP address, subnet mask and gateway, and has IP reachability to the Internet. For the AIM and IDSM modules, the virtual command and control interface is used as defined in the configuration. To confirm the operational status of the interface from the CLI, enter this show command:

    IPS#show interfaces
    <Output truncated>
    MAC statistics from interface Management0/0
       Interface function = Command-control interface
       Description = 
       Media Type = TX
       Default Vlan = 0
       Link Status = Up  <---
    <Output truncated>

  2. To validate that the CCO user account has the privileges necessary to download signature update packages, open a web browser and log in to Cisco.com with the same CCO account. Once authenticated, manually download the latest IPS signature package. If the package cannot be downloaded manually, the user account is most likely not associated with a valid Cisco Services for IPS subscription.

  3. Check if there is a proxy in place for Internet bound traffic. If the traffic from the command and control port goes through this proxy, the Auto Update feature does not work. Reconfigure the network so that the command and control port traffic is not filtered through a proxy and test again.

  4. Check if there are any content filtering or traffic shaping applications or appliances along the path to the Internet. If present, configure an exclusion in order to allow the IP address of the command and control interface to access the Internet without restriction.

  5. If ICMP traffic is permitted towards the Internet, open the CLI of the IPS sensor and try to ping a public IP address. This test can be used to verify if the necessary routing and NAT rules (if used) are configured correctly. If the ICMP test succeeds yet Auto Updates continue to fail, ensure that network devices such as routers and firewalls along the path permit the HTTPS and HTTP sessions from the IPS command and control interface IP. For example, if the command and control IP address is 10.1.1.1, a simple ACL entry on an ASA firewall can look like this example:

    access-list INSIDE-TO-INTERNET extended permit tcp host 10.1.1.1 any eq www
    access-list INSIDE-TO-INTERNET extended permit tcp host 10.1.1.1 any eq https

  6. The CCO username should not contain special characters such as @. Refer to Cisco bug ID CSCsq30139 for more information.

  7. When diagnosing signature auto-update failures, check the HTTP error codes reported by show statistics host:

    IPS#show statistics host
    Auto Update Statistics
       lastDirectoryReadAttempt = 19:31:09 CST Thu Nov 18 2010
        =   Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
        =   Error: AutoUpdate exception: HTTP connection failed [1,110]   <--
       lastDownloadAttempt = 19:08:10 CST Thu Nov 18 2010
       lastInstallAttempt = 19:08:44 CST Thu Nov 18 2010
       nextAttempt = 19:35:00 CST Thu Nov 18 2010

    Message: Error: AutoUpdate exception: HTTP connection failed [1,110]
    Meaning: Authentication failed. Check the username and password.

    Message: status=false AutoUpdate exception: Receive HTTP response failed [3,212]
    Meaning: The request to the Auto Update server timed out.

    Message: Error: http error response: 400
    Meaning: Make sure the cisco-url setting is defaulted. If the CCO ID is greater than 32 characters in length, try a different CCO ID. This can be a limitation on the Cisco download server.

    Message: Error: AutoUpdate exception: HTTP connection failed [1,0]
    Meaning: Network issue prevented download or there is a potential issue with the download servers.
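The message table above can be applied automatically to captures of show statistics host collected from many sensors. The parser below is an added example, not Cisco code and not part of the original document. It assumes only the two output shapes quoted on this page (the successful case from the configuration section and the failing case in this step), which are embedded as constructed samples, maps any error line to the meaning listed in the table, and additionally flags a nextAttempt that falls on the top of the hour, following the scheduling note in the configuration section.

```python
import re
from dataclasses import dataclass, field

# Error strings and their meanings, taken from the document's table above.
KNOWN_ERRORS = {
    "HTTP connection failed [1,110]": "Authentication failed. Check the username and password.",
    "Receive HTTP response failed [3,212]": "The request to the Auto Update server timed out.",
    "http error response: 400": "Make sure the cisco-url setting is defaulted; a CCO ID over 32 characters can also cause this.",
    "HTTP connection failed [1,0]": "Network issue prevented download, or a potential issue with the download servers.",
}
ATTEMPT_RE = re.compile(r"^(\w+Attempt)\s*=\s*(.+)$")
TIME_RE = re.compile(r"(\d{1,2}):(\d{2}):(\d{2})")
MARKER_RE = re.compile(r"\s*<-+\s*$")  # strips the '<--' call-out annotations


@dataclass
class Attempt:
    name: str
    timestamp: str
    details: list = field(default_factory=list)

    @property
    def succeeded(self) -> bool:
        return "Success" in self.details

    @property
    def error(self):
        return next((d for d in self.details if d.startswith("Error") or "exception" in d), None)


def parse_auto_update_stats(output: str) -> dict:
    """Return {attempt name: Attempt} parsed from the CLI output text."""
    attempts, current = {}, None
    for raw in output.splitlines():
        line = MARKER_RE.sub("", raw.strip())
        if not line or line.startswith(("<", "IPS#")) or line == "Auto Update Statistics":
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            current = Attempt(m.group(1), m.group(2).strip())
            attempts[current.name] = current
        elif line.startswith("=") and current is not None:
            current.details.append(line.lstrip("= ").strip())
        elif current is not None and current.details:
            # Continuation of a wrapped detail line (e.g. a long download URL)
            current.details[-1] = f"{current.details[-1]} {line}".strip()
    return attempts


def explain(error: str) -> str:
    """Map an error line to the meaning listed in the document's table."""
    for needle, meaning in KNOWN_ERRORS.items():
        if needle in error:
            return meaning
    return "Unlisted error; check connectivity and the cisco-url setting."


def next_attempt_on_the_hour(attempts: dict) -> bool:
    """True when nextAttempt falls on :00, which the document advises against."""
    nxt = attempts.get("nextAttempt")
    m = TIME_RE.search(nxt.timestamp) if nxt else None
    return bool(m) and m.group(2) == "00"


def assess(output: str) -> dict:
    """Summarise health and findings for one 'show statistics host' capture."""
    attempts = parse_auto_update_stats(output)
    findings = [f"{a.name}: {a.error} -> {explain(a.error)}" for a in attempts.values() if a.error]
    if next_attempt_on_the_hour(attempts):
        findings.append("nextAttempt is on the top of the hour; schedule a random off-hour minute")
    install = attempts.get("lastInstallAttempt")
    healthy = not any(a.error for a in attempts.values()) and bool(install and install.succeeded)
    return {"attempts": attempts, "findings": findings, "healthy": healthy}


# Constructed sample: the failing output quoted in troubleshooting step 7.
FAILED_SAMPLE = """\
Auto Update Statistics
   lastDirectoryReadAttempt = 19:31:09 CST Thu Nov 18 2010
    =   Read directory: https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
    =   Error: AutoUpdate exception: HTTP connection failed [1,110]   <--
   lastDownloadAttempt = 19:08:10 CST Thu Nov 18 2010
   lastInstallAttempt = 19:08:44 CST Thu Nov 18 2010
   nextAttempt = 19:35:00 CST Thu Nov 18 2010
"""
# Constructed sample: the successful output quoted in configuration step 5.
OK_SAMPLE = """\
Auto Update Statistics
   lastDirectoryReadAttempt = 16:55:03 GMT-06:00 Wed Jun 27 2012
    =   Read directory: http://CCOUser@72.163.7.55//swc/esd/06/273556262/guest/
    =   Success
   lastDownloadAttempt = 16:55:03 GMT-06:00 Wed Jun 27 2012
    =   Download:
http://CCOUser@72.163.7.55//swc/esd/06/273556262/guest/IPS-sig-S654-req-E4.pkg
    =   Success
   nextAttempt = 17:55:00 GMT-06:00 Wed Jun 27 2012
   lastInstallAttempt = 16:55:46 GMT-06:00 Wed Jun 27 2012
    =   Success
<Output truncated>
"""

if __name__ == "__main__":
    for label, sample in (("failed", FAILED_SAMPLE), ("ok", OK_SAMPLE)):
        report = assess(sample)
        print(f"[{label}] healthy={report['healthy']}", *report["findings"], sep="\n  ")
```

A sensor is reported healthy only when no attempt carries an error and the last install attempt shows Success; a capture with no error but also no install result (for example, an attempt that never reached the download stage) is deliberately treated as not healthy so it is not missed.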

Upcoming Enhancements

These enhancements are planned:

  • Cisco bug ID CSCsv89560 (registered customers only): Add proxy support for the Auto/Cisco.com update feature.

  • Cisco bug ID CSCtg94422 (registered customers only): Add a CLI command to allow an immediate AutoUpdate for signatures.
