Cisco Systems, Inc.
                   Cisco Intrusion Prevention System
                         IPS 7.1(6)E4 SERVICE PACK
                               


Copyright (C) 2012 Cisco Systems, Inc. All rights reserved.
Printed in the USA. Cisco, Cisco Systems, and the Cisco Systems logo
are registered trademarks of Cisco Systems, Inc. in the U.S. and
certain other countries. All other trademarks mentioned in this document
are the property of their registered owners.

========================================================================
                           Table Of Contents
========================================================================

SERVICE PACK NOTE

7.1(6)E4 SERVICE PACK UPDATE INSTRUCTIONS AND DETAILS
  - MINIMUM REQUIREMENTS
  - FILE LIST
  - SUPPORTED PLATFORMS
  - INSTALLATION USING THE CLI
  - INSTALLATION CAVEATS
  - RESOLVED ISSUES FROM 7.1(5)E4 TO 7.1(6)E4
  - RESOLVED ISSUES FROM 7.1(4)E4 TO 7.1(5)E4
  - RELEVANT ISSUES NOT RESOLVED
  - NEW FEATURES
  - RESTRICTIONS
  - CSM CAVEATS -- CSM 4.2 SP1 and CSM 4.3
  - CSM UPDATE INSTRUCTIONS -- CSM 4.3 SP1

========================================================================

SERVICE PACK NOTE

WARNING: CISCO.COM IP ADDRESS CHANGE IN AUTO UPDATE CONFIGURATION
The 7.1(6)E4 service pack changes the default value of Cisco server IP address
from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. 
Firewall rules may need to be updated to allow sensor connectivity to this new
IP Address if Cisco.com Auto Updates have been configured on your sensor.


This Service pack addresses the issues described in the RESOLVED ISSUES FROM
7.1(5)E4 TO 7.1(6)E4 and RESOLVED ISSUES FROM 7.1(4)E4 TO 7.1(5)E4 sections
of this document.

This service pack is being used as a release vehicle to repair critical
sensor failures.

Specifically the 7.1(6)E4 service pack reverses the SMB protocol related
inspection enhancements delivered as part of 7.1(5)E4 release and also
addresses a Signature downgrade issue with SSM platforms.

Also this service pack is being used to add functionality described in
the NEW FEATURES section of this document. These NEW FEATURES are implemented
in 7.1(5)E4 service pack and carried forward to 7.1(6)E4 service pack release.

This service pack contains the S648 signature level, but preserves any
more recent signature levels installed on your sensor.

This service pack has been enhanced to support IPS-4510 and IPS-4520 platforms.
IPS-4510 and IPS-4520 has S664 signature level as default, but preserves any
more recent signature levels installed on your sensor

========================================================================

7.1(6)E4 SERVICE PACK UPDATE INSTRUCTIONS AND DETAILS

NOTE: You must have a valid maintenance contract per sensor to
receive and use software upgrades including signature updates from
Cisco.com.

MINIMUM REQUIREMENTS

To install the IPS-SSP_10-K9-7.1-6-E4.pkg, IPS-SSP_20-K9-7.1-6-E4.pkg, 
IPS-SSP_40-K9-7.1-6-E4.pkg, or IPS-SSP_60-K9-7.1-6-E4 service pack
version upgrade file on SSP platforms, you must be running IPS version
7.1(1)E4 or later on your sensor.

To install the IPS-4270_20-K9-7.1-6.pkg, IPS-4240-K9-7.1-6-E4.pkg,
IPS-4255-K9-7.1-6-E4.pkg, IPS-4260-K9-7.1-6-E4.pkg service pack
version upgrade file on 42xx platforms, you must be running IPS version
6.0(6) or later on your sensor.

To install the IPS-SSP_5512-K9-7.1-6-E4.pkg, IPS-SSP_5515-K9-7.1-6-E4.pkg,
IPS-SSP_5525-K9-7.1-6-E4.pkg, IPS-SSP_5545-K9-7.1-6-E4.pkg,
IPS-SSP_5555-K9-7.1-6-E4.pkg, IPS-4345-K9-7.1-6-E4.pkg, IPS-4360-K9-7.1-6-E4.pkg
service pack version upgrade file on 5500-x platforms, you must be running
IPS version 7.1(3)E4 or later on your sensor.

To install the IPS-SSM_10-K9-7.1-6-E4.pkg, IPS-SSM_20-K9-7.1-6-E4.pkg,
or IPS-SSM_40-K9-7.1-6-E4.pkg service pack version upgrade file on
SSM platforms, you must be running IPS version 6.0(6) or later on
your sensor.

To install the IPS-4510-K9-7.1-5.14-E4.pkg orIPS-4520-K9-7.1-5.14-E4.pkg, 
service pack version upgrade file on 45XX platforms, you must be running 
IPS version 7.1(4)E4 or later on your sensor.

To see what version the sensor is currently running, log in to the CLI
and execute the 'show version' command.

For detailed instructions on installing the service pack upgrade file,
refer to "Upgrading, Downgrading, and Installing System Images," in
Cisco Intrusion Prevention System CLI Configuration Guide for IPS 7.1
available at this URL: http://www.cisco.com/en/US/docs/security/ips/7.1/
configuration/guide/cli/cliguide71.html


FILE LIST

The following files are included as part of this release:
Readme
 - IPS-7-1-6-E4.readme.txt

Service Pack Upgrade Files
 - IPS-4240-K9-7.1-6-E4.pkg
 - IPS-4255-K9-7.1-6-E4.pkg
 - IPS-4260-K9-7.1-6-E4.pkg
 - IPS-4270_20-K9-7.1-6-E4.pkg
 - IPS-4345-K9-7.1-6-E4.pkg
 - IPS-4360-K9-7.1-6-E4.pkg
 - IPS-4510-K9-7.1-6-E4.pkg
 - IPS-4520-K9-7.1-6-E4.pkg
 - IPS-SSM_10-K9-7.1-6-E4.pkg
 - IPS-SSM_20-K9-7.1-6-E4.pkg
 - IPS-SSM_40-K9-7.1-6-E4.pkg
 - IPS-SSP_5512-K9-7.1-6-E4.pkg
 - IPS-SSP_5515-K9-7.1-6-E4.pkg
 - IPS-SSP_5525-K9-7.1-6-E4.pkg
 - IPS-SSP_5545-K9-7.1-6-E4.pkg
 - IPS-SSP_5555-K9-7.1-6-E4.pkg
 - IPS-SSP_10-K9-7.1-6-E4.pkg
 - IPS-SSP_20-K9-7.1-6-E4.pkg
 - IPS-SSP_40-K9-7.1-6-E4.pkg
 - IPS-SSP_60-K9-7.1-6-E4.pkg

System Image Files
 - IPS-4240-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-4255-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-4260-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-4270_20-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-4345-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-4360-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-4510-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-4520-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-SSM_10-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-SSM_20-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-SSM_40-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-SSP_5512-K9-sys-1.1-a-7.1-6-E4.aip
 - IPS-SSP_5515-K9-sys-1.1-a-7.1-6-E4.aip
 - IPS-SSP_5525-K9-sys-1.1-a-7.1-6-E4.aip
 - IPS-SSP_5545-K9-sys-1.1-a-7.1-6-E4.aip
 - IPS-SSP_5555-K9-sys-1.1-a-7.1-6-E4.aip
 - IPS-SSP_10-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-SSP_20-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-SSP_40-K9-sys-1.1-a-7.1-6-E4.img
 - IPS-SSP_60-K9-sys-1.1-a-7.1-6-E4.img

Recovery Image Files
 - IPS-4240-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-4255-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-4260-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-4270_20-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-4345-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-4360-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-4510-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-4520-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-SSM_10-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-SSM_20-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-SSM_40-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-SSP_5512-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-SSP_5515-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-SSP_5525-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-SSP_5545-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-SSP_5555-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-SSP_10-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-SSP_20-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-SSP_40-K9-r-1.1-a-7.1-6-E4.pkg
 - IPS-SSP_60-K9-r-1.1-a-7.1-6-E4.pkg


SUPPORTED PLATFORMS

Cisco IPS 7.1(6)E4 is supported on the following platforms:
 - IPS 4240
 - IPS 4255
 - IPS 4260
 - IPS 4270-20
 - IPS 4345
 - IPS 4345-DC
 - IPS 4360
 - IPS 4510
 - IPS 4520
 - ASA 5500 AIP SSM-10
 - ASA 5500 AIP SSM-20
 - ASA 5500 AIP SSM-40
 - ASA 5512-X IPS SSP
 - ASA 5515-X IPS SSP
 - ASA 5525-X IPS SSP
 - ASA 5545-X IPS SSP
 - ASA 5555-X IPS SSP
 - ASA 5585-X IPS SSP-10
 - ASA 5585-X IPS SSP-20
 - ASA 5585-X IPS SSP-40
 - ASA 5585-X IPS SSP-60

INSTALLATION USING THE CLI

NOTE: You must be logged on to Cisco.com using an account with
cryptographic privileges to access the download site, and you must have
a SMARTnet maintenance contract number to request software upgrades from
Cisco.com.

NOTE: This service pack requires an automatic reboot of the sensor to
apply the changes. Inline network traffic will be disrupted during the
reboot.

WARNING: CISCO.COM IP ADDRESS CHANGE IN AUTO UPDATE CONFIGURATION
The 7.1(6)E4 service pack changes the default value of Cisco server IP address
from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. 
Firewall rules may need to be updated to allow sensor connectivity to this new
IP Address if Cisco.com Auto Updates have been configured on your sensor.


To install the 7.1(6)E4 service pack using the CLI, follow these steps:
(The steps are an illustration for SSP_10, other platforms can be installed 
by downloading the correct package and following below steps for that package)

1.  Download the file IPS-SSP_10-K9-7.1-6-E4.pkg to a local server.

    Note: The SSP IPS devices require their own platform-specific
          package as listed above.

2.  Log in to the CLI using an account with administrator privileges.

3.  Type the following command to enter configuration mode:

    configure terminal

4.  Type the following command to upgrade the sensor:

    sensor(config)# upgrade [URL]/IPS-SSP_10-K9-7.1-6-E4.pkg

    where the [URL] is a uniform resource locator pointing to where
    the package is located. For example, to retrieve the update via
    SCP, type the following:

    sensor(config)# upgrade scp://<username>@<ip-address>//<directory>/
    IPS-SSP_10-K9-7.1-6-E4.pkg

    The available transport methods are SCP, FTP, HTTP, or HTTPS.

5.  Enter the appropriate password when prompted.

6.  To complete the upgrade, type yes when prompted.

7.  The sensor reboots to finish applying the changes.

To determine whether the 7.1(6)E4 service pack has successfully been
installed on a sensor, log in to the CLI and type 'show version' at the
command prompt. The sensor will report the version as 7.1(6)E4, and the
Upgrade History should include IPS-SSP_10-K9-7.1-6-E4.pkg.


INSTALLATION CAVEATS

The 7.1(6)E4 service pack cannot be uninstalled. You must re-image the
sensor using a system image file, which causes all configuration settings
to be lost. The install behavior of this service pack is that all
executables, libraries, and so forth are replaced but user configuration
is preserved. The reason for this upgrade behavior change is that this
service pack contains changes to libraries and drivers.

For the IPS 4270-20, an upgrade to 7.1(6)E4 Service Pack is not allowed
if its sensor license was generated for 6.0.x versions and earlier.
The upgrade fails and you receive the error message - Currently installed
License is not valid in 7.1(6). Install a license that is applicable for
'IPS versions 6.1 and above',

To obtain a new license for the IPS 4270-20, follow these steps:

1.  Log in to Cisco.com.
2.  Go to http://www.cisco.com/go/license.
3.  Under Licenses Not Requiring a PAK, click Demo and Evaluation licenses.
4.  Under Security Products/Cisco Services for IPS service license (Version
    6.1 and later), click All IPS Hardware Platforms.
5.  Fill in the required fields. Your license key will be sent to the email
    address you specified.
6.  You must have the correct IPS device serial number and product identifier(PID)
    because the license key only functions on the device with that number.


RESOLVED ISSUES FROM 7.1(5)E4 TO 7.1(6)E4

The following known issues have been resolved between 7.1(5)E4 release and
7.1(6)E4 release. Release notes can be viewed in Bug Navigator at the following
url: http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Identifier  Headline
----------  -------------------------------------------------------------
CSCub21482  IDS: ""errSystemError SMBA trapped bad outer loop"" msgs in main.log
CSCtz03125  SSM module gets reloaded on \"downgrade\" and gets into bypass


RESOLVED ISSUES FROM 7.1(4)E4 TO 7.1(5)E4

The following known issues have been resolved in the 7.1(5)E4 service pack
release. Release notes can be viewed in Bug Navigator at the following
url: http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

Identifier  Headline
----------  -------------------------------------------------------------
CSCty53045  sensorApp memory leak in GC network participation logic
CSCtx92869  4270 7.1(3) S623 sig update fails: Unable to create String XL signature
CSCty20170  Transmit control-plane cmgr messages as soon as possible from ips to asa
CSCtz05137  After IPS-SSP 7.1(4)E4 Update to S636, sensorApp hangs, int stat errors
CSCty26501  4270 not processing traffic post reboot until \"packet display\" is issued
CSCtw78334  SSM is unresponsive - TIPC kernel module failure
CSCty05171  sensorApp failure in StreamDispatchProcessor after update to S625/S626
CSCtj67834  inline-mode asym on promiscuous int prevents TCP stream reassembly
CSCtl03702  sensorApp aborts in SignatureProcessor processWithLocks
CSCtx90077  sensorApp fails with 'SpinLock not locked' after a reconfiguration
CSCtx48594  sensorApp fails with 'SpinLock not locked' during rgxMalloc
CSCty46104  mainApp fails during radius authentication in strlen/writeAbstractEvent
CSCtz91790  global correlation updates are not downloading correctly on SSM-40
CSCtr19702  CLI/IME connection to IPS going down due to CT issue for FlexLM license
CSCtr83959  copy from file to current-config fails if auto-upgrade user is in file
CSCts08725  IDCONF does not escape double quotes in signature names
CSCtt18382  ENH:  IDS Web Server Should Not Break Comm With RFC 5746 Clients
CSCtt41378  IDS: Evaluate if sensor software is vulnerable to CVE-2009-0159
CSCtt41381  IDS: Evaluate if sensor software is vulnerable to CVE-2011-1071
CSCtw90697  MSRPC signature continues to fire after disabled and retired
CSCtx19960  os fingerprinting (osfp) fails to detect some XP/2k3 conversations
CSCtx21544  Radius authentication for pwds with special characters fails with SSP
CSCtx98802  Broken Links in Chapter 17 of CLI Config Guide for IPS 7.1
CSCty05217  sensorApp core in abandonChanges with custom config and CSCtx92869
CSCty07510  rgxMalloc errors need to be summarized
CSCty07097  rgxMalloc and mmap failures prior to sensorApp hang
CSCty49128  Buffer allocation issue if strip-telnet-options is true w/string-xl
CSCty93188  IPS incorrectly acts as a proxy for TCP keepalives
CSCte74540  AIP-SSM deny-connection on GRE packet causes GRE tunnel to be denied
CSCtu10453  IPS-4GE-BP-INT should disable smartspeed to avoid unneeded downshift
CSCtg33102  IPS: Enh. to warn users when modifying TCP Normalizer signatures
CSCtf19088  Processing Load Percentage CLI output is inaccurate
CSCte63032  Processing Load should be changed to Inspection Load
CSCte46321  Need a means to view historical Processing Load
CSCto80933  IPS: Enabling Asymmetric Protection Mode should warn Anomaly Detect
CSCua07735  Saleen:  show inventory should show both serial numbers
CSCtl74475  CPU usage statistics are not relevant
CSCtj98418  IPS: Enhancement request to log an event when a user reboots the sensor.
CSCtg69012  IPS bypass logs should indicate reason for enabling bypass


RELEVANT ISSUE NOT RESOLVED

Identifier  Headline
----------  -------------------------------------------------------------
CSCty24588  missed packet percentage parameter is missing from Po0 interface in 55xx
CSCtz32230  CLI session terminates, cores on defaulting network-participation config
CSCty92038  GC not assigning score for alerts/denying packets from malicious IPs
CSCtz47509  LSI soft error observed during coverage testing
CSCua32785  Sig. Downgrade from S649 to S648,  retains Signature configs
CSCua34716  Network participation Connection Interval value is not fixed as configed
CSCtz03162  \"downgrade\" command gives incorrect version in warning and status event
CSCtz03202  show stats GC does not clear connection history and updates time
CSCtz03391  unable to login to radius user account with empty user role
CSCua40354  \"show statistics global\" does not show warning when UNLICENSED
CSCub67122   Interface link state remains down in by pass mode ON on changing state 
CSCub57756  Signature 1204 and 1208 firing with invalid info  for Fragmented Traffic
CSCuc86174  IPS: FreeBuffers Leak on SSM Processing Flagged Packets
CSCud36621  IPS: FreeBuffers Leak Can Result in Packet Drops
CSCuc51463  HTTP-advanced-decoding causes sensorApp to fail for deflate encoding
CSCuc74630  sensorApp process unresponsive with collectStatistics failed errors
CSCub41016  normalizer streams stuck in 'Closing' state
CSCud27892  4260 and SSM40 performance issues with long flows
CSCuc98879  FlexLM license can cause mainApp and sensorApp failures
CSCud12824  IPS 4270 reboots after changing bypass setting to ON

NEW FEATURES

The following new features are added as part of 7.1(6)E4 service pack release.

1. HTTP Advanced decoding

As part of this feature new evasion coverage is added while inspecting return web traffic.
HTTP Advanced decoding feature is turned OFF by default.
For detailed information about the HTTP Advanced decoding feature and how to configure it, 
refer the IDM help for IPS 7.1 available at this URL:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idmguide71.html

2. Signature threat profiles (Signature templates)


Signature threat profiles is a feature aimed at easily selecting and deploying
signatures that are relevant for a given deployment and threat scenarios.
The user will select from ONE of several pre-defined CISCO templates.
This choice is available in the IDM startup wizard. The feature is not available in
sensor's CLI or CSM tools. Upon selecting a threat profile from IDM user will be given
a warning that any of their current customizations will be overwritten.
The IDM wizard can be used at any time to select the templates, giving the warning
each time templates are applied. This feature is supported on platforms IPS 4345,
IPS 4360, ASA 5525-X IPS SSP, ASA 5545-X IPS SSP, ASA 5555-X IPS SSP,
and ASA 5585-X IPS SSP

For detailed information about the signature Config Templates feature and how to configure it, 
refer the IDM help for IPS 7.1 available at this URL:
http://www.cisco.com/en/US/docs/security/ips/7.1/configuration/guide/idm/idmguide71.html

3. New Platform Support

Six of the existing hardware platforms are supported in 7.1(6)E4 release. These include
IPS 4240, IPS 4255, IPS 4260, IPS SSM-10, IPS SSM-20, and IPS SSM-40. 

With this update IPS 4510 and IPS 4520 are also being supported in 7.1(6)E4 release.


RESTRICTIONS

Applying any Signature template will erase all of the existing Customer tunings associated
with the targeted Signature Definition File. The IPS 4240, IPS 4255, IPS 4260,
ASA 5500 AIP SSM, ASA 5512-X IPS SSP, and ASA 5515-X IPS SSP do not support signature
threat profiles (signature templates).

Enabling HTTP advanced decoding can have a significantly negative performance and memory
impact on the sensor

----------------------------------------------------------------------------------------------



CSM CAVEATS -- CSM 4.2 SP1 and CSM 4.3
--------------------------------------

CSM 4.2 SP1
-----------

1. CSM 4.2 SP1 cannot manage the following devices running the 7.1(6)E4 software.

- IPS 4240
- IPS 4255
- IPS 4260
- IPS 4345
- IPS 4345-DC
- IPS 4360
- IPS 4510
- IPS 4520
- ASA 5500 AIP SSM-10
- ASA 5500 AIP SSM-20
- ASA 5500 AIP SSM-40
- ASA 5512-X IPS SSP
- ASA 5515-X IPS SSP
- ASA 5525-X IPS SSP
- ASA 5545-X IPS SSP
- ASA 5555-X IPS SSP

The support for the above platforms, will be available in "CSM 4.3 SP1"

CAUTION: Do not attempt upgrade of the above to 7.1(6)E4 using CSM 4.2 SP1.

2. CSM 4.2 SP1 will be able to manage the following IPS platforms running 7.1(6)E4 IPS image.

- IPS 4270-20
- ASA 5585-X IPS SSP-10
- ASA 5585-X IPS SSP-20
- ASA 5585-X IPS SSP-40
- ASA 5585-X IPS SSP-60



CSM 4.3
---------

1. CSM 4.3 cannot currently manage the following devices running the 7.1(6)E4 software.

- IPS 4240
- IPS 4255
- IPS 4260
- ASA 5500 AIP SSM-10
- ASA 5500 AIP SSM-20
- ASA 5500 AIP SSM-40

The support for the above platforms, will be available in "CSM 4.3 SP1"

CAUTION: Do not attempt upgrade of the above to 7.1(6)E4 using CSM 4.3. 


2. CSM 4.3 will be able to manage the following IPS platforms running 7.1(6)E4 IPS image.

- IPS 4270-20
- IPS 4345
- IPS 4345-DC
- IPS 4360
- IPS 4510
- IPS 4520
- ASA 5585-X IPS SSP-10
- ASA 5585-X IPS SSP-20
- ASA 5585-X IPS SSP-40
- ASA 5585-X IPS SSP-60
- ASA 5512-X IPS SSP
- ASA 5515-X IPS SSP
- ASA 5525-X IPS SSP
- ASA 5545-X IPS SSP
- ASA 5555-X IPS SSP

To upgrade the platforms mentioned in point(2) to 7.1(6)E4, the following CSM Package 
should be downloaded

- IPS-CSM-K9-7.1-6-E4.zip 



CSM UPDATE INSTRUCTIONS -- CSM 4.3 SP1
--------------------------------------

(These instructions are valid on CSM 4.3 SP1, to be released soon)

CSM 4.3 SP1 will add support for managing and upgrading of the following IPS platforms:

- IPS 4240
- IPS 4255
- IPS 4260
- ASA 5500 AIP SSM-10
- ASA 5500 AIP SSM-20
- ASA 5500 AIP SSM-40


CSM 4.3 SP1 will add 7.1(6)E4 Upgrade support for the following IPS platforms:

- IPS 4270-20
- IPS 4345
- IPS 4345-DC
- IPS 4360
- IPS 4510
- IPS 4520
- ASA 5585-X IPS SSP-10
- ASA 5585-X IPS SSP-20
- ASA 5585-X IPS SSP-40
- ASA 5585-X IPS SSP-60
- ASA 5512-X IPS SSP
- ASA 5515-X IPS SSP
- ASA 5525-X IPS SSP
- ASA 5545-X IPS SSP
- ASA 5555-X IPS SSP

It is recommended that customers upgrade to CSM 4.3 SP1 (Service Pack 1) 
to manage IPS 7.1(6)E4.

To apply the 7.1(6)E4 service pack to sensor(s) using CSM 4.3 SP1 or
later, follow these steps:

1. Download the service pack ZIP file, IPS-CSM-K9-7.1-6-E4.zip, to
   the <CSM-install-dir>/MDC/ips/updates directory.

2. Launch IPS Update Wizard from Tools-->Apply IPS Update.

3. Select Sensor Updates from the drop down menu, and then select the
   IPS-CSM-K9-7.1-6-E4.zip file.

3. Click Next.

4. Select the device(s) to apply the service pack, then click Finish.

5. Create a deployment job and deploy to sensor(s) using Deployment
   Manager. Deployment Manager can be launched from 
   Tools-->Deployment Manager. 

6. Click Deploy in the popup and follow the instructions.


=========================================================================