Release Notes for Intrusion Prevention System 7.1(10)E4
Available Languages
Table of Contents
Release Notes for Cisco Intrusion Prevention System 7.1(10)E4
IPS Management and Event Viewers
AC Power Supply in the IPS4300 Series V01 and V02 Chassis
The Sensor and Jumbo Packet Frame Size
The ASA IPS Modules and Jumbo Packets
Applying IPS 7.1(10)E4 to sensors using CSM 4.3 SP2 or Later or CSM 4.4 SP2 or Later
Installing the IPS4240 and IPS4255 System Image
Installing the IPS4260 System Image
Installing the IPS4270-20 System Image
Installing the IPS4345 and IPS4360 System Image
Installing the IPS4510 and IPS4520 System Image
Installing the ASA 5500 AIP SSM System Image
Installing the ASA5500-X IPSSSP System Image
Installing the ASA 5585-X IPS SSP System Image
Obtaining a New License for the IPS4270-20
Licensing the ASA5500-X IPSSSP
Advanced Setup for the IPS Appliance
Advanced Setup for the ASA 5500 AIP SSM
Advanced Setup for the ASA5500-X IPSSSP
Advanced Setup for the ASA 5585-X IPSSSP
Installing or Upgrading the IME
Enabling Anomaly Detection Using the IDM or IME
Enabling Anomaly Detection Using the CLI
Disabling Anomaly Detection Using the IDM or IME
Disabling Anomaly Detection Using the CLI
Cisco Security Intelligence Operations
Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service Request
Contents
- IPS File List
- Supported Platforms
- Supported Servers
- ROMMON and TFTP
- IPS Management and Event Viewers
- New and Changed Information
- AC Power Supply in the IPS 4300 Series V01 and V02 Chassis
- The Sensor and Jumbo Packet Frame Size
- The ASA IPS Modules and Jumbo Packets
- Obtaining Software
- Upgrading to IPS 7.1(10)E4
- Reimaging the Sensor
- Licensing the Sensor
- Initializing the Sensor
- Logging In to the IDM
- Installing or Upgrading the IME
- Enabling Anomaly Detection
- Disabling Anomaly Detection
- Cisco Security Intelligence Operations
- Restrictions and Limitations
- Caveats
- Related Documentation
- Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service Request
IPS File List
The following files are part of Cisco IPS 7.1(10)E4:
–
IPS-4270_20-K9-7.1-10-E4.pkg
– IPS-SSP_5512-K9-7.1-10-E4.pkg
– IPS-SSP_5515-K9-7.1-10-E4.pkg
– IPS-SSP_5525-K9-7.1-10-E4.pkg
– IPS-SSP_5545-K9-7.1-10-E4.pkg
– IPS-SSP_5555-K9-7.1-10-E4.pkg
– IPS-4240-K9-sys-1.1-a-7.1-10-E4.img
– IPS-4255-K9-sys-1.1-a-7.1-10-E4.img
– IPS-4260-K9-sys-1.1-a-7.1-10-E4.img
– IPS-4270_20-K9-sys-1.1-a-7.1-10-E4.img
– IPS-4345-K9-sys-1.1-a-7.1-10-E4.img
– IPS-4360-K9-sys-1.1-a-7.1-10-E4.img
– IPS-4510-K9-sys-1.1-a-7.1-10-E4.img
– IPS-4520-K9-sys-1.1-a-7.1-10-E4.img
– IPS-SSM_10-K9-sys-1.1-a-7.1-10-E4.img
– IPS-SSM_20-K9-sys-1.1-a-7.1-10-E4.img
– IPS-SSM_40-K9-sys-1.1-a-7.1-10-E4.img
– IPS-SSP_10-K9-sys-1.1-a-7.1-10-E4.img
– IPS-SSP_20-K9-sys-1.1-a-7.1-10-E4.img
– IPS-SSP_40-K9-sys-1.1-a-7.1-10-E4.img
– IPS-SSP_60-K9-sys-1.1-a-7.1-10-E4.img
– IPS-SSP_5512-K9-sys-1.1-a-7.1-10-E4.aip
– IPS-SSP_5515-K9-sys-1.1-a-7.1-10-E4.aip
– IPS-SSP_5525-K9-sys-1.1-a-7.1-10-E4.aip
– IPS-SSP_5545-K9-sys-1.1-a-7.1-10-E4.aip
– IPS-SSP_5555-K9-sys-1.1-a-7.1-10-E4.aip
– IPS-4240-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-4255-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-4260-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-4270_20-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-4345-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-4360-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-4510-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-4520-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-SSM_10-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-SSM_20-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-SSM_40-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-SSP_10-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-SSP_20-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-SSP_40-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-SSP_60-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-SSP_5512-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-SSP_5515-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-SSP_5525-K9-r-1.1-a-7.1-10-E4.pkg
– IPS-SSP_5545-K9-r-1.1-a-7.1-10-E4.pkg
Supported Platforms
Cisco IPS 7.1(10)E4 is supported on the following platforms:
- IPS 4240
- IPS 4255
- IPS 4260
- IPS 4270-20
- IPS 4345
- IPS 4345-DC
- IPS 4360
- IPS 4510
- IPS 4520
- ASA 5500 AIP SSM-10
- ASA 5500 AIP SSM-20
- ASA 5500 AIP SSM-40
- ASA 5512-X IPS SSP
- ASA 5515-X IPS SSP
- ASA 5525-X IPS SSP
- ASA 5545-X IPS SSP
- ASA 5555-X IPS SSP
- ASA 5585-X IPS SSP-10
- ASA 5585-X IPS SSP-20
- ASA 5585-X IPS SSP-40
- ASA 5585-X IPS SSP-60
Supported Servers
The following FTP servers are supported for IPS software updates:
- WU-FTPD 2.6.2 (Linux)
- Solaris 2.8
- Sambar 6.0 (Windows 2000)
- Serv-U 5.0 (Windows 2000)
- MS IIS 5.0 (Windows 2000)
The following HTTP/HTTPS servers are supported for IPS software updates:
ROMMON and TFTP
ROMMON uses TFTP to download an image and launch it. TFTP does not address network issues such as latency or error recovery. It does implement a limited packet integrity check so that packets arriving in sequence with the correct integrity value have an extremely low probability of error. But TFTP does not offer pipelining so the total transfer time is equal to the number of packets to be transferred times the network average RTT. Because of this limitation, we recommend that the TFTP server be located on the same LAN segment as the sensor. Any network with an RTT less than a 100 milliseconds should provide reliable delivery of the image. Be aware that some TFTP servers limit the maximum file size that can be transferred to ~32 MB.
IPS Management and Event Viewers
Use the following tools for configuring Cisco IPS 7.1(10)E4 sensors:
IDM 7.1.10 is included within the IPS 7.1(10)E4 files.
IDM 7.1.10 is included within IME 7.2.4.50.
IDM 7.1.10 requires JRE 1.6 or later.
You can use IDM 7.1.10 to configure IPS 6.2, 7.0, and 7.1 sensors.
You can use IME 7.2.4.50 to configure IPS 6.1, 6.2, 7.0, and 7.1 sensors.
Use the following tools for monitoring Cisco IPS 7.1(10)E4 sensors:
- IDM 7.1.19
- IME 7.2.4.50 or later
- MARS minimum version 5.2 and latest version 6.0.5
- CSM 4.3 SP2or later and CSM 4.4 SP2 and later
You can use CSM to manage the following IPS sensors:
Note You may need to configure viewers that are already configured to monitor the earlier version sensors to accept a new SSL certificate for the Cisco IPS 7.1 sensors.
For the procedure to apply IPS 7.1(10)E4 to sensors using CSM 4.3 SP1 or later, see Applying IPS 7.1(10)E4 to sensors using CSM 4.3 SP2 or Later or CSM 4.4 SP2 or Later.
AC Power Supply in the IPS 4300 Series V01 and V02 Chassis
The Cisco IPS 4300 series sensors with the AC power supply can restore the previous power state of the system if AC power is lost. Earlier IPS 4300s (V01) require you to turn on the power with the power switch. Newer IPS 4300s (V02) automatically turn on when you plug in the power cable.
To determine your version, do one of the following:
- At the CLI, enter the show inventory command and look for V01 or V02 in the output.
- On the back of the chassis, look at the VID PID label for V01 or V02.
The V01 chassis has the following limitations (these limitations do not apply to the V02 chassis):
- The sensor requires 50 seconds from the time that AC power is applied before the power state can be updated and stored. This means that any changes to the power state within the first 50 seconds of applying AC power will not be observed if AC power is removed within that time.
- The sensor requires 10 seconds from the time it is placed into standby mode before the power state can be updated and stored. This means any changes to the power state within the first 10 seconds of entering standby mode (including the standby mode itself) will not be observed if AC power is removed within that time.
For information on the AC power supplies in the IPS 4300 series sensors, refer to Installing the IPS 4345 and IPS 4360.
The Sensor and Jumbo Packet Frame Size
For IPS standalone appliances with 1 G and 10 G fixed or add-on interfaces, the maximum jumbo frame size is 9216 bytes. For integrated IPS sensors, such as the ASA 5500-X and ASA 5585-X series, refer to the following URL for information:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp132886 9
Note A jumbo frame is an Ethernet packet that is larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS).
The ASA IPS Modules and Jumbo Packets
The jumbo packet count in the show interface command output from the lines Total Jumbo Packets Received and Total Jumbo Packets Transmitted for ASA IPS modules may be larger than expected due to some packets that were almost jumbo size on the wire being counted as jumbo size by the IPS. This miscount is a result of header bytes added to the packet by the ASA before the packet is transmitted to the IPS. For IPv4, 58 bytes of header data are added. For IPv6, 78 bytes of header data are added. The ASA removes the added IPS header before the packet leaves the ASA.
Obtaining Software
You can find major and minor updates, service packs, signature and signature engine updates, system and recovery files, firmware upgrades, and Readmes on the Download Software site on Cisco.com. Signature updates are posted to Cisco.com approximately every week, more often if needed. Service packs are posted to Cisco.com in a release train format, a new release every three months. Major and minor updates are also posted periodically. Check Cisco.com regularly for the latest IPS software.
You must have an account with cryptographic access before you can download software. You set this account up the first time you download IPS software from the Download Software site.
Note You must be logged in to Cisco.com to download software. You must have an active IPS maintenance contract and a Cisco.com password to download software. You must have a sensor license to apply signature updates.
Downloading Cisco IPS Software
To download software on Cisco.com, follow these steps:
Step 1 Log in to Cisco.com.
Step 2 From the Support drop-down menu, choose Download Software.
Step 3 Under Select a Software Product Category, choose Security Software.
Step 4 Choose Intrusion Prevention System (IPS).
Step 5 Enter your username and password.
Step 6 In the Download Software window, choose IPS Appliances > Cisco Intrusion Prevention System and then click the version you want to download.
Note You must have an IPS subscription service license to download software.
Step 7 Click the type of software file you need. The available files appear in a list in the right side of the window. You can sort by file name, file size, memory, and release date. And you can access the Release Notes and other product documentation.
Step 8 Click the file you want to download. The file details appear.
Step 9 Verify that it is the correct file, and click Download.
Step 10 Click Agree to accept the software download rules. The File Download dialog box appears. The first time you download a file from Cisco.com, you must fill in the Encryption Software Export Distribution Authorization form before you can download the software.
a. Fill out the form and click Submit. The Cisco Systems Inc. Encryption Software Usage Handling and Distribution Policy appears.
b. Read the policy and click I Accept. The Encryption Software Export/Distribution Form appears.
If you previously filled out the Encryption Software Export Distribution Authorization form, and read and accepted the Cisco Systems Inc. Encryption Software Usage Handling and Distribution Policy, these forms are not displayed again.
Step 11 Open the file or save it to your computer.
Step 12 Follow the instructions in the Readme or the Release Notes to install the update.
Upgrading to IPS 7.1(10)E4
This section describes how to upgrade the IPS 4240, IPS 4255, IPS 4260, IPS 4270-20, IPS 4345, IPS 4360, IPS 4510, IPS 4520, ASA 5500 AIP SSM series, ASA 5500-X IPS SSP series, and the ASA 5585-X IPS SSP series, and contains the following topics:
Upgrade Notes and Caveats
Pay attention to the following upgrade notes and caveats when upgrading to IPS 7.1(10)E4:
- You cannot upgrade to 7.1(10)E4 if the sensor license was generated for 6.0.x versions and earlier. The upgrade fails and the following message is displayed:
- If you are upgrading the IPS 4270-20 and you have a license for 6.0. x and earlier, you receive the following error message:
You must get a new license before upgrading your IPS 4270-20.
- Anomaly detection has been disabled by default. If you did not configure the operation mode manually before the upgrade, it defaults to inactive after you upgrade to IPS 7.1(10)E4. If you configured the operation mode to detect, learn, or inactive, the tuned value is preserved after the upgrade.
- You must have a valid maintenance contract per sensor to download software upgrades from Cisco.com.
- You must be running the following versions to upgrade the following platforms to IPS 7.1(10)E4:
– For the IPS 4200 series sensors, you must be running IPS 6.0(6)E4 or later.
– For the IPS 4300 series sensors and the ASA 5500-X IPS SSP series, you must be running IPS 7.1(3)E4 or later.
– For the IPS 4500 series sensors, you must be running IPS 7.1(4)E4 or later.
– For the ASA 5500 AIP SSM series, you must be running IPS 6.0(6)E4 or later.
– For the ASA 5585-X IPS SSP series, you must be running IPS 7.1(1)E4 or later.
- A generic upgrade package is no longer available for the IPS 4240, IPS 4255, IPS 4260, and ASA 5500 AIP SSM series. These platforms now have platform-specific filenames in accordance with the 7.1(x) format.
- This service pack automatically reboots the sensor to apply the changes. During reboot, inline network traffic is disrupted.
- You cannot uninstall 7.1(10)E4. To revert to a previous version, you must reimage the sensor using the appropriate system image file
- For the procedure to download software from Cisco.com, see Obtaining Software.
- For the procedure for using the upgrade command to upgrade the sensor, see Upgrading the Sensor.
- For the procedure for using ROMMON to restore the IPS 4240 and IPS 4255 system image, see Installing the IPS 4240 and IPS 4255 System Image.
- For the procedure for using ROMMON to restore the IPS 4260 system image, see Installing the IPS 4260 System Image.
- For the procedure for using ROMMON to restore the IPS 4270-20 system image, see Installing the IPS 4270-20 System Image.
- For the procedure for using ROMMON to restore the IPS 4510 and IPS 4520 system image, see Installing the IPS 4510 and IPS 4520 System Image.
- For the procedure for installing the ASA 5500 AIP SSM system image, see Installing the ASA 5500 AIP SSM System Image.
- For the procedure for installing the ASA 5500-X IPS SSP system image, see Installing the ASA 5500-X IPS SSP System Image.
- For the procedure for installing the ASA 5585-X IPS SSP system image, see Installing the ASA 5585-X IPS SSP System Image.
Upgrading the Sensor
Use the upgrade source-url command to apply service pack, signature update, engine update, minor version, major version, or recovery partition file upgrades.
– ftp:—Source URL for an FTP network server. The syntax for this prefix is:
ftp://[[username@]location][/relativeDirectory]/filename
ftp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password.
– scp:—Source URL for the SCP network server. The syntax for this prefix is:
scp://[[username@]location][/relativeDirectory]/filename
scp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password. You must add the remote host to the SSH known hosts list.
– http:—Source URL for the web server. The syntax for this prefix is:
http://[[username@]location][/directory]/filename
Note The directory specification should be an absolute path to the desired file.
– https:—Source URL for the web server. The syntax for this prefix is:
https://[[username@]location][/directory]/filename
Note The directory specification should be an absolute path to the desired file. The remote host must be a TLS trusted host.
To upgrade the sensor, follow these steps:
Step 1 Download the appropriate file to an FTP, SCP, HTTP, or HTTPS server that is accessible from your sensor.
Step 2 Log in to the CLI using an account with administrator privileges.
Step 3 Enter configuration mode.
The URL points to where the update file is located, for example, to retrieve the update using FTP, enter the following:
Step 5 Enter the password when prompted.
Step 6 Enter yes to complete the upgrade.
Note Major updates, minor updates, and service packs may force a restart of the IPS processes or even force a reboot of the sensor to complete installation.
Note The operating system is reimaged and all files that have been placed on the sensor through the service account are removed.
Step 7 Verify your new sensor version.
For a list of the specific IPS upgrade filenames, see IPS File List.
Applying IPS 7.1(10)E4 to sensors using CSM 4.3 SP2 or Later or CSM 4.4 SP2 or Later
Note We recommend that you upgrade to CSM 4.3 SP2 (Service Pack 2) or CSM 4.4 SP2 to manage sensors running IPS 7.1(10)E4.
To apply the 7.1(10)E4 service pack to sensors using CSM 4.3 SP2 or CSM 4.4 SP2, follow these steps:
Step 1 Download the service pack ZIP file, IPS-CSM-K9-7.1-10-E4.zip, to the <CSM-install-dir>/MDC/ips/updates directory.
Step 2 Launch the IPS Update Wizard from Tools > Apply IPS Update.
Step 3 Select Sensor Updates from the drop down menu, and then select the IPS-CSM-K9-7.1-10-E4.zip file.
Step 5 Select the device(s) to which you want to apply the service pack, then click Finish.
Step 6 Create a deployment job and deploy to sensor(s) using Deployment Manager. You can launch Deployment Manager from Tools > Deployment Manager.
Step 7 Click Deploy in the popup and follow the instructions.
Reimaging the Sensor
This section describes how to reimage the sensor using the system image, and contains the following topics:
- Installing the IPS 4240 and IPS 4255 System Image
- Installing the IPS 4260 System Image
- Installing the IPS 4270-20 System Image
- Installing the IPS 4345 and IPS 4360 System Image
- Installing the IPS 4510 and IPS 4520 System Image
- Installing the ASA 5500 AIP SSM System Image
- Installing the ASA 5500-X IPS SSP System Image
- Installing the ASA 5585-X IPS SSP System Image
Installing the IPS 4240 and IPS 4255 System Image
Note This procedure is for the IPS 4240, but is also applicable to the IPS 4255. The system image for the IPS 4255 has “4255” in the filename.
You can install the IPS 4240 and IPS 4255 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device.
To install the IPS 4240 and IPS 4255 system image, follow these steps:
Step 1 Download the IPS 4240 system image file to the tftp root directory of a TFTP server that is accessible from your IPS 4240.
Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of your IPS 4240.
Step 3 Press Break or Esc at the following prompt while the system is booting to interrupt boot. Press the space bar to begin boot immediately.
Note You have ten seconds to press Break or Esc.
The system enters ROMMON mode. The rommon> prompt appears.
Step 4 Check the current network settings.
The variables have the following definitions:
- Address—Local IP address of the IPS 4240
- Server—TFTP server IP address where the application image is stored
- Gateway—Gateway IP address used by the IPS 4240
- Port—Ethernet interface used for the IPS 4240 management
- VLAN—VLAN ID number (leave as untagged)
- Image—System image file/path name
- Config—Unused by these platforms
Note Not all values are required to establish network connectivity. The address, server, gateway, and image values are required. If you are not sure of the settings needed for your local environment, contact your system administrator.
Step 5 If necessary, change the interface used for the TFTP download.
Note The default interface used for TFTP downloads is Management 0/0, which corresponds to the MGMT interface of the IPS 4240.
Step 6 If necessary, assign an IP address for the local port on the IPS 4240.
Note Use the same IP address that is assigned to the IPS 4240.
Step 7 If necessary, assign the TFTP server IP address.
Step 8 If necessary, assign the gateway IP address.
Step 9 Verify that you have access to the TFTP server by pinging it from your local Ethernet port with one of the following commands.
Step 10 If necessary define the path and filename on the TFTP file server from which you are downloading the image.
Make sure that you enter the
IMAGE command in all uppercase. You can enter the other ROMMON commands in either lower case or upper case, but the
IMAGE command specifically must be all uppercase.
Note The path is relative to the default tftpboot directory of the UNIX TFTP server. Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification.
Step 11 Enter set and press Enter to verify the network settings.
Note You can use the sync command to store these settings in NVRAM so they are maintained across boots. Otherwise, you must enter this information each time you want to boot an image from ROMMON.
Step 12 Download and install the system image.
To avoid corrupting the system image, do not remove power from the IPS 4240 while the system image is being installed.
Note If the network settings are correct, the system downloads and boots the specified image on the IPS 4240. Be sure to use the IPS 4240 image.
Installing the IPS 4260 System Image
You can install the IPS 4260 system image by using the ROMMON on the appliance to TFTP the system image onto the flash device.
To install the IPS 4260 system image, follow these steps:
Step 1 Download the IPS 4260 system image file to the tftp root directory of a TFTP server that is accessible from your IPS 4260.
Make sure you can access the TFTP server location from the network connected to your IPS 4260 Ethernet port.
Step 3 Press Ctrl-R at the following prompt while the system is booting.
Note You have five seconds to press Ctrl-R.
Step 4 If necessary, change the port used for the TFTP download.
The port in use is listed just after the platform identification. In the example, port Management 0/0 is being used.
Note The default port used for TFTP downloads is Management 0/0, which corresponds with the command and control (MGMT) interface of the IPS 4260.
Note Ports Management 0/0 (MGMT) and GigabitEthernet 0/1 (GE 0/1) are labeled on the back of the chassis.
Step 5 Specify an IP address for the local port on the IPS 4260.
Note Use the same IP address that is assigned to the IPS 4260.
Step 6 Specify the TFTP server IP address.
Step 7 Specify the gateway IP address.
Step 8 Verify that you have access to the TFTP server by pinging it from the local Ethernet port.
Step 9 Specify the path and filename on the TFTP file server from which you are downloading the image.
Note The path is relative to the default tftpboot directory of the UNIX TFTP server. Images located in the default tftpboot directory do not have any directory names or slashes in the file location.
Step 10 Download and install the system image.
Note The IPS 4260 reboots once during the reimaging process. Do not remove power from the IPS 4260 during the update process or the upgrade can become corrupted.
Installing the IPS 4270-20 System Image
You can install the IPS 4270-20 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device.
To install the IPS 4270-20 system image, follow these steps:
Step 1 Download the IPS 4270-20 system image file to the tftp root directory of a TFTP server that is accessible from your IPS 4270-20.
Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of your IPS 4270-20.
Note The controller type errors are a known issue and can be disregarded.
Step 3 Press Break or Esc at the following prompt while the system is booting to interrupt boot. Press the space bar to begin boot immediately.
Note You have ten seconds to press Break or Esc.
The system enters ROMMON mode. The rommon> prompt appears.
Step 4 Check the current network settings.
The variables have the following definitions:
- Address—Specifies the local IP address of the IPS 4270-20.
- Server—Specifies the TFTP server IP address where the application image is stored.
- Gateway—Specifies the gateway IP address used by the IPS 4270-20.
- Port—Specifies the Ethernet interface used for IPS 4270-20 management.
- VLAN—Specifies the VLAN ID number (leave as untagged).
- Image—Specifies the system image file/path name.
- Config—Unused by these platforms.
Note Not all values are required to establish network connectivity. The address, server, gateway, and image values are required. If you are not sure of the settings needed for your local environment, contact your system administrator.
Step 5 If necessary, assign an IP address for the local port on the IPS 4270-20.
Note Use the same IP address that is assigned to the IPS 4270-20.
Step 6 If necessary, assign the TFTP server IP address.
Step 7 If necessary, assign the gateway IP address.
Step 8 Verify that you have access to the TFTP server by pinging it from your local Ethernet port with one of the following commands:
Step 9 If necessary define the path and filename on the TFTP file server from which you are downloading the image.
Note The path is relative to the UNIX TFTP server default tftpboot directory. Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification.
Step 10 Enter set and press Enter to verify the network settings.
Note You can use the sync command to store these settings in NVRAM so they are maintained across boots. Otherwise, you must enter this information each time you want to boot an image from ROMMON.
Step 11 Download and install the system image.
To avoid corrupting the system image, do not remove power from the IPS 4270-20 while the system image is being installed.
Note If the network settings are correct, the system downloads and boots the specified image on the IPS 4270-20. Be sure to use the IPS 4270-20 image.
- For the procedure for locating software, see Obtaining Software.
- For a list of supported TFTP servers, see Supported Servers.
- For a list of the specific IPS software files, see IPS File List.
- For the procedure for initializing the sensor with the setup command, see Initializing the Sensor.
Installing the IPS 4345 and IPS 4360 System Image
You can install the IPS 4345 and IPS 4360 system image by using the ROMMON on the appliance to TFTP the system image on to the compact flash device.
Note This procedure is for IPS 4345, but is also applicable to IPS 4360. The system image for IPS 4360 has “4360” in the filename.
To install the IPS 4345 and IPS 4360 system image, follow these steps:
Step 1 Download the IPS 4345 system image file to the tftp root directory of a TFTP server that is accessible from your IPS 4345.
Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of your IPS 4345.
Step 3 Press Break or Esc at the following prompt while the system is booting to interrupt boot. Press the space bar to begin boot immediately.
Note You have ten seconds to press Break or Esc.
The system enters ROMMON mode. The rommon> prompt appears.
Step 4 Check the current network settings.
The variables have the following definitions:
- Address—Local IP address of the IPS 4345.
- Server—TFTP server IP address where the application image is stored.
- Gateway—Gateway IP address used by the IPS 4345.
- Port—Ethernet interface used for the IPS 4345 management.
- VLAN—VLAN ID number (leave as untagged).
- Image—System image file/path name.
- Config—Unused by these platforms.
Note Not all values are required to establish network connectivity. The address, server, gateway, and image values are required. If you are not sure of the settings needed for your local environment, contact your system administrator.
Step 5 If necessary, change the interface used for the TFTP download.
Note The default interface used for TFTP downloads is Management 0/0, which corresponds to the MGMT interface of the IPS 4345.
Step 6 If necessary, assign an IP address for the local port on the IPS 4345.
Note Use the same IP address that is assigned to the IPS 4345.
Step 7 Assign the TFTP server IP address.
Step 8 If necessary, assign the gateway IP address.
Step 9 Verify that you have access to the TFTP server by pinging it from your local Ethernet port with one of the following commands:
Step 10 If necessary define the path and filename on the TFTP file server from which you are downloading the image.
Make sure that you enter the
IMAGE command in all uppercase. You can enter the other ROMMON commands in either lower case or upper case, but the
IMAGE command specifically must be all uppercase.
Note The path is relative to the default tftpboot directory of the UNIX TFTP server. Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification.
Step 11 Enter set and press Enter to verify the network settings.
Note You can use the sync command to store these settings in NVRAM so they are maintained across boots. Otherwise, you must enter this information each time you want to boot an image from ROMMON.
Step 12 Download and install the system image.
To avoid corrupting the system image, do not remove power from the IPS 4345 while the system image is being installed.
Note If the network settings are correct, the system downloads and boots the specified image on the IPS 4345. Be sure to use the IPS 4345 image.
- For the procedure for locating software, see Obtaining Software.
- For a list of supported TFTP servers, see Supported Servers.
- For a list of the specific IPS software files, see IPS File List.
- For the procedure for initializing the sensor with the setup command, see Initializing the Sensor.
Installing the IPS 4510 and IPS 4520 System Image
You can install the IPS 4510 and IPS 4520 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device.
Note The following procedure references the IPS 4510 but it also refers to the IPS 4520.
To install the IPS 4510 system image, follow these steps:
Step 1 Download the IPS 4510 system image file to the tftp root directory of a TFTP server that is accessible from your IPS 4510.
Note Make sure you can access the TFTP server location from the network connected to the Management port of your IPS 4510.
Step 3 Press Break or Esc at the following prompt while the system is booting to interrupt boot. Press the space bar to begin boot immediately.
Note You have ten seconds to press Break or Esc.
The system enters ROMMON mode. The rommon> prompt appears.
Step 4 Check the current network settings.
The variables have the following definitions:
- Address—Specifies the local IP address of the IPS 4510.
- Server—Specifies the TFTP server IP address where the application image is stored.
- Gateway—Specifies the gateway IP address used by the IPS 4510.
- Port—Specifies the Ethernet interface used for IPS 4510 management.
- VLAN—Specifies the VLAN ID number (leave as untagged).
- Image—Specifies the system image file/path name.
- Config—Unused by these platforms.
Note Not all values are required to establish network connectivity. The address, server, gateway, and image values are required. If you are not sure of the settings needed for your local environment, contact your system administrator.
Step 5 If necessary, assign an IP address for the local port on the IPS 4510.
Note Use the same IP address that is assigned to the IPS 4510.
Step 6 If necessary, assign the TFTP server IP address.
Step 7 If necessary, assign the gateway IP address.
Step 8 Verify that you have access to the TFTP server by pinging it from your local Ethernet port with one of the following commands:
Step 9 If necessary define the path and filename on the TFTP file server from which you are downloading the image.
Note The path is relative to the UNIX TFTP server default tftpboot directory. Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification.
Step 10 Enter set and press Enter to verify the network settings.
Note You can use the sync command to store these settings in NVRAM so they are maintained across boots. Otherwise, you must enter this information each time you want to boot an image from ROMMON.
Step 11 Download and install the system image.
To avoid corrupting the system image, do not remove power from the IPS 4510 while the system image is being installed.
Note If the network settings are correct, the system downloads and boots the specified image on the IPS 4510. Be sure to use the IPS 4510 image.
- For the procedure for locating software, see Obtaining Software.
- For a list of supported TFTP servers, see Supported Servers.
- For a list of the specific IPS software files, see IPS File List.
- For the procedure for initializing the sensor with the setup command, see Initializing the Sensor.
Installing the ASA 5500 AIP SSM System Image
Note Be sure the TFTP server that you specify can transfer files up to 60 MB in size.
Note This process can take approximately 15 minutes to complete, depending on your network and the size of the image.
If the ASA 5500 AIP SSM suffers a failure and the module application image cannot run, you can transfer application images from a TFTP server to the module using the adaptive security appliance CLI. The adaptive security appliance can communicate with the module ROMMON application to transfer the image.
To install the system image of the ASA 5500 AIP SSM, follow these steps:
Step 1 Download the system image file to the tftp root directory of a TFTP server that is accessible from your adaptive security appliance.
Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of the adaptive security appliance.
Step 2 Log in to the adaptive security appliance.
Step 4 Configure the recovery settings for the ASA 5500 AIP SSM.
Note If you make an error in the recovery configuration, use the hw-module module 1 recover stop command to stop the system reimaging and then you can correct the configuration.
Step 5 Specify the TFTP URL for the system image.
Step 6 Specify the command and control interface of the ASA 5500 AIP SSM.
Note The port IP address is the management IP address of the ASA 5500 AIP SSM.
Step 7 Leave the VLAN ID at 0.
Step 8 Specify the default gateway of the ASA 5500 AIP SSM.
Step 9 Execute the recovery. This transfers the image from the TFTP server to the ASA 5500 AIP SSM.
Step 10 Periodically check the recovery until it is complete.
Note The status reads Recovery during recovery and reads Up when reimaging is complete.
Note The Status field in the output indicates the operational status of the ASA 5500 AIP SSM. An ASA 5500 AIP SSM operating normally shows a status of “Up.” While the adaptive security appliance transfers an application image to the ASA 5500 AIP SSM, the Status field in the output reads “Recover.” When the adaptive security appliance completes the image transfer and restarts the ASA 5500 AIP SSM, the newly transferred image is running.
Note To debug any errors that may happen in the recovery process, use the debug module-boot command to enable debugging of the system reimaging process.
Step 11 Session to the ASA 5500 AIP SSM and initialize it with the setup command.
Installing the ASA 5500-X IPS SSP System Image
Note Be sure the TFTP server that you specify can transfer files up to 60 MB in size.
To install the system image on the ASA 5500-X IPS SSP, follow these steps:
Step 1 Download the IPS system image file corresponding to your ASA platform to the tftp root directory of a TFTP server that is accessible from your adaptive security appliance.
Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of the adaptive security appliance.
Step 2 Log in to the adaptive security appliance.
Step 4 Copy the IPS image to the disk0 flash of the adaptive security appliance.
Step 5 Image the ASA 5500-X IPS SSP.
Step 6 Execute the recovery. This transfers the image from the TFTP server to the ASA 5500-X IPS SSP and restarts it.
Step 7 Periodically check the recovery until it is complete.
Note The Status field in the output indicates the operational status of the ASA 5500-X IPS SSP. An ASA 5500-X IPS SSP operating normally shows a status of “Up.” While the adaptive security appliance transfers an application image to the ASA 5500-X IPS SSP, the Status field in the output reads “Recover.” When the adaptive security appliance completes the image transfer and restarts the ASA 5500-X IPS SSP, the newly transferred image is running.
Note To debug any errors that may happen in the recovery process, use the debug module-boot command to enable debugging of the system reimaging process.
Step 8 Session to the ASA 5500-X IPS SSP and initialize it with the setup command.
- For the procedure for locating software, see Obtaining Software.
- For a list of supported TFTP servers, see Supported Servers.
- For a list of the specific IPS software files, see IPS File List.
- For the procedure for initializing the sensor with the setup command, see Initializing the Sensor.
Installing the ASA 5585-X IPS SSP System Image
This section describes how to install the ASA 5585-X IPS SSP system image using the hw-module command or ROMMON, and contains the following topics:
Using the hw-module Command
To install the system image, transfer the software image from a TFTP server to the ASA 5585-X IPS SSP using the adaptive security appliance CLI. The adaptive security appliance can communicate with the ROMMON application of the ASA 5585-X IPS SSP to transfer the image.
Note Be sure the TFTP server that you specify can transfer files up to 60 MB in size.
Note This process can take approximately 15 minutes to complete, depending on your network and the size of the image.
To install the ASA 5585-X IPS SSP software image, follow these steps:
Step 1 Download the ASA 5585-X IPS SSP system image file to the tftp root directory of a TFTP server that is accessible from your adaptive security appliance.
Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of your adaptive security appliance.
Step 2 Log in to the adaptive security appliance.
Step 4 Configure the recovery settings for the ASA 5585-X IPS SSP.
Note If you make an error in the recovery configuration, use the hw-module module 1 recover stop command to stop the system reimaging and then you can correct the configuration.
Step 5 Specify the TFTP URL for the software image.
Step 6 Specify the command and control interface of the ASA 5585-X IPS SSP.
Note The port IP address is the management IP address of the ASA 5585-X IPS SSP.
Step 7 Leave the VLAN ID at 0.
Step 8 Specify the default gateway of the ASA 5585-X IPS SSP.
Step 9 Execute the recovery. This transfers the software image from the TFTP server to the ASA 5585-X IPS SSP and restarts it.
Step 10 Periodically check the recovery until it is complete.
Note The status reads Recovery during recovery and reads Up when installation is complete.
Note The Status field in the output indicates the operational status of the ASA 5585-X IPS SSP. An ASA 5585-X IPS SSP operating normally shows a status of “Up.” While the adaptive security appliance transfers the software image to the ASA 5585-X IPS SSP, the Status field in the output reads “Recover.” When the adaptive security appliance completes the software image transfer and restarts the ASA 5585-X IPS SSP, the newly transferred image is running.
Note To debug any errors that may happen during this process, use the debug module-boot command to enable debugging of the software installation process.
Step 11 Session to the ASA 5585-X IPS SSP.
Step 12 Enter cisco three times and your new password twice.
Step 13 Initialize the ASA 5585-X IPS SSP with the setup command.
- For the procedure for locating software, see Obtaining Software.
- For a list of supported TFTP servers, see Supported Servers.
- For a list of the specific IPS software files, see IPS File List.
- For the procedure for initializing the sensor with the setup command, see Initializing the Sensor.
Using ROMMON
You can install the ASA 5585-X IPS SSP system image by using the ROMMON on the adaptive security appliance to TFTP the system image onto the ASA 5585-X IPS SSP.
To install the ASA 5585-X IPS SSP system image, follow these steps:
Step 1 Download the ASA 5585-X IPS SSP system image file to the tftp root directory of a TFTP server that is accessible from your adaptive security appliance.
Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of your adaptive security appliance.
Step 2 Boot the ASA 5585-X IPS SSP.
Step 3 Press Break or Esc at the following prompt while the system is booting to interrupt boot. Press the space bar to begin boot immediately.
Note You have ten seconds to press Break or Esc.
The system enters ROMMON mode. The rommon> prompt appears.
Step 4 Check the current network settings.
The variables have the following definitions:
- Address—Specifies the local IP address of the ASA 5585-X IPS SSP.
- Server—Specifies the TFTP server IP address where the application image is stored.
- Gateway—Specifies the gateway IP address used by the ASA 5585-X IPS SSP.
- Port—Specifies the Ethernet interface used for the ASA 5585-X IPS SSP management.
- VLAN—Specifies the VLAN ID number (leave as untagged).
- Image—Specifies the system image file/path name.
- Config—Specifies the unused by these platforms.
Note Not all values are required to establish network connectivity. The address, server, gateway, and image values are required. If you are not sure of the settings needed for your local environment, contact your system administrator.
Step 5 If necessary, change the interface used for the TFTP download.
Note The default interface used for TFTP downloads is Management 0/0, which corresponds to the management interface of the ASA 5585-X IPS SSP.
Step 6 If necessary, assign an IP address for the local port on the ASA 5585-X IPS SSP.
Note Use the same IP address that is assigned to the ASA 5585-X IPS SSP.
Step 7 If necessary, assign the TFTP server IP address.
Step 8 If necessary, assign the gateway IP address.
Step 9 Verify that you have access to the TFTP server by pinging it from your local Ethernet port with one of the following commands.
Step 10 If necessary define the path and filename on the TFTP file server from which you are downloading the image.
Make sure that you enter the
IMAGE command in all uppercase. You can enter the other ROMMON commands in either lower case or upper case, but the
IMAGE command specifically must be all uppercase.
Note The path is relative to the default tftpboot directory of the UNIX TFTP server. Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification.
Step 11 Enter set and press Enter to verify the network settings.
Note You can use the sync command to store these settings in NVRAM so they are maintained across boots. Otherwise, you must enter this information each time you want to boot an image from ROMMON.
Step 12 Download and install the system image.
Note If the network settings are correct, the system downloads and boots the specified image on the ASA 5585-X IPS SSP. Be sure to use the ASA 5585-X IPS SSP image.
To avoid corrupting the system image, do not remove power from the ASA 5585-X IPS SSP while the system image is being installed.
- For the procedure for locating software, see Obtaining Software.
- For a list of supported TFTP servers, see Supported Servers.
- For a list of the specific IPS software files, see IPS File List.
- For the procedure for initializing the sensor with the setup command, see Initializing the Sensor.
Licensing the Sensor
You can install the license key through the CLI, IDM, or IME. This section describes how to obtain and install the license key, and contains the following topics:
- Using the IDM or IME
- Using the CLI
- Obtaining a New License for the IPS 4270-20
- Licensing the ASA 5500-X IPS SSP
Using the IDM or IME
Note In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.
To obtain and install the license key, follow these steps:
Step 1 Log in to the IDM or the IME using an account with administrator privileges.
Step 2 For the IDM choose Configuration > Sensor Management > Licensing. For the IME choose Configuration > sensor_name > Sensor Management > Licensing.
Step 3 The Licensing pane displays the status of the current license. If you have already installed your license, you can click Download to save it if needed.
Step 4 Obtain a license key by doing one of the following:
- Click the Cisco.com radio button to obtain the license from Cisco.com. The IDM or the IME contacts the license server on Cisco.com and sends the server the serial number to obtain the license key. This is the default method. Go to Step 5.
- Click the License File radio button to use a license file. To use this option, you must apply for a license key at this URL: www.cisco.com/go/license. The license key is sent to you in e-mail and you save it to a drive that the IDM or the IME can access. This option is useful if your computer cannot access Cisco.com. Go to Step 7.
Step 5 Click Update License, and in the Licensing dialog box, click Yes to continue. The Status dialog box informs you that the sensor is trying to connect to Cisco.com. An Information dialog box confirms that the license key has been updated.
Step 7 Log in to Cisco.com.
Step 8 Go to www.cisco.com/go/license.
Step 9 Fill in the required fields. Your license key will be sent to the e-mail address you specified.
You must have the correct IPS device serial number and product identifier (PID) because the license key only functions on the device with that number.
Step 10 Save the license key to a hard-disk drive or a network drive that the client running the IDM or the IME can access.
Step 11 Log in to the IDM or the IME.
Step 12 For the IDM choose Configuration > Sensor Management > Licensing. For the IME choose Configuration > sensor_name > Sensor Management > Licensing.
Step 13 Under Update License, click the License File radio button.
Step 14 In the Local File Path field, specify the path to the license file or click Browse Local to browse to the file.
Step 15 Browse to the license file and click Open.
Using the CLI
Note You cannot install an older license key over a newer license key.
Use the copy source-url license_file_name license-key command to copy the license key to your sensor.
- source-url —The location of the source file to be copied. It can be a URL or keyword.
- destination-url —The location of the destination file to be copied. It can be a URL or a keyword.
- license-key —The subscription license file.
- license_file_name —The name of the license file you receive.
The exact format of the source and destination URLs varies according to the file. Here are the valid types:
ftp://[[username@]location][/relativeDirectory]/filename
ftp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password.
scp://[[username@]location][/relativeDirectory]/filename
scp://[[username@]location][//absoluteDirectory]/filename
Note You are prompted for a password. You must add the remote host to the SSH known hosts list.
http://[[username@]location][/directory]/filename
Note The directory specification should be an absolute path to the desired file.
https://[[username@]location][/directory]/filename
Note The directory specification should be an absolute path to the desired file. The remote host must be a TLS trusted host.
To install the license key, follow these steps:
Step 1 Log in to Cisco.com.
Step 2 Apply for the license key at this URL: www.cisco.com/go/license.
Note In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.
Step 3 Fill in the required fields. Your Cisco IPS Signature Subscription Service license key will be sent by email to the e-mail address you specified.
Note You must have the correct IPS device serial number and product identifier (PID) because the license key only functions on the device with that number.
Step 4 Save the license key to a system that has a Web server, FTP server, or SCP server.
Step 5 Log in to the CLI using an account with administrator privileges.
Step 6 Copy the license key to the sensor.
Step 7 Verify the sensor is licensed.
Obtaining a New License for the IPS 4270-20
If your IPS 4270-20 has a license that was generated for IPS 6.0. x versions or earlier, you need to get a new license.
To obtain a new license for your IPS 4270-20, follow these steps:
Step 1 Log in to Cisco.com.
Step 2 Go to www.cisco.com/go/license.
Step 3 Under Licenses Not Requiring a PAK, click Demo and Evaluation licenses.
Step 4 Under Security Products/Cisco Services for IPS service license (Version 6.1 and later), click All IPS Hardware Platforms.
Step 5 Fill in the required fields. Your license key will be sent to the email address you specified.
You must have the correct IPS device serial number and product identifier (PID) because the license key only functions on the device with that number.
Step 6 Save the license key to a hard-disk drive or a network drive that the client running the IDM or the IME can access.
Step 7 Log in to the IDM or the IME.
Step 8 For the IDM choose Configuration > Sensor Management > Licensing. For the IME choose Configuration > sensor_name > Sensor Management > Licensing.
Step 9 Under Update License, click the License File radio button.
Step 10 In the Local File Path field, specify the path to the license file or click Browse Local to browse to the file.
Step 11 Browse to the license file and click Open.
Licensing the ASA 5500-X IPS SSP
For the ASA 5500-X series adaptive security appliances with the IPS SSP, the ASA requires the IPS Module license. To view your current ASA licenses, in ASDM choose Home > Device Dashboard > Device Information > Device License. For more information about ASA licenses, refer to the licensing chapter in the configuration guide. After you obtain the ASA IPS Module license, you can obtain and install the IPS license key.
- For more information about getting started using the ASA 5500-X IPS SSP, refer to the Cisco IPS Module on the ASA Quick Start Guide.
- For the procedures for obtaining and installing the IPS License key, see Licensing the Sensor.
Initializing the Sensor
This section describes how to initialize the sensor using the setup command, and contains the following sections:
- Understanding Initialization
- Simplified Setup Mode
- System Configuration Dialog
- Basic Sensor Setup
- Advanced Setup for the IPS Appliance
- Advanced Setup for the ASA 5500 AIP SSM
- Advanced Setup for the ASA 5500-X IPS SSP
- Advanced Setup for the ASA 5585-X IPS SSP
- Verifying Initialization
Understanding Initialization
Note You must be administrator to use the setup command.
After you install the sensor on your network, you must use the setup command to initialize it so that you can communicate with it over the network. You cannot use the IDM or the IME to configure the sensor until you initialize the sensor using the setup command.
With the setup command, you configure basic sensor settings, including the hostname, IP interfaces, access control lists, global correlation servers, and time settings. You can continue using advanced setup in the CLI to enable Telnet, configure the web server, and assign and enable virtual sensors and interfaces, or you can use the Startup Wizard in the IDM or the IME. After you configure the sensor with the setup command, you can change the network settings in the IDM or the IME.
You must have a valid sensor license for
global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.
Simplified Setup Mode
The sensor automatically calls the setup command when you connect to the sensor using a console cable and the sensor basic network settings have not yet been configured. The sensor does not call automatic setup under the following conditions:
- When initialization has already been successfully completed.
- If you have recovered or downgraded the sensor.
- If you have set the host configuration to default after successfully configuring the sensor using automatic setup.
When you enter the setup command, an interactive dialog called the System Configuration Dialog appears on the system console screen. The System Configuration Dialog guides you through the configuration process. The values shown in brackets next to each prompt are the default values last set.
System Configuration Dialog
When you enter the setup command, an interactive dialog called the System Configuration Dialog appears on the system console screen. The System Configuration Dialog guides you through the configuration process. The values shown in brackets next to each prompt are the current values.
You must go through the entire System Configuration Dialog until you come to the option that you want to change. To accept default settings for items that you do not want to change, press Enter.
To return to the EXEC prompt without making changes and without going through the entire System Configuration Dialog, press Ctrl-C. The System Configuration Dialog also provides help text for each prompt. To access the help text, enter ? at a prompt.
When you complete your changes, the System Configuration Dialog shows you the configuration that you created during the setup session. It also asks you if you want to use this configuration. If you enter yes, the configuration is saved. If you enter no, the configuration is not saved and the process begins again. There is no default for this prompt; you must enter either yes or no.
You can configure daylight savings time either in recurring mode or date mode. If you choose recurring mode, the start and end days are based on week, day, month, and time. If you choose date mode, the start and end days are based on month, day, year, and time. Choosing disable turns off daylight savings time.
Note You only need to set the date and time in the System Configuration Dialog if the system is an appliance and is NOT using NTP.
Note The System Configuration Dialog is an interactive dialog. The default settings are displayed.
Example 1 shows a sample System Configuration Dialog.
Example 1 Example System Configuration Dialog
Basic Sensor Setup
To perform basic sensor setup using the setup command, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Note Both the default username and password are cisco.
Step 2 The first time you log in to the sensor you are prompted to change the default password. Passwords must be at least eight characters long and be strong, that is, not be a dictionary word. After you change the password, basic setup begins.
Step 3 Enter the setup command. The System Configuration Dialog is displayed.
Step 4 Specify the hostname. The hostname is a case-sensitive character string up to 64 characters. Numbers, “_” and “-” are valid, but spaces are not acceptable. The default is sensor.
Step 5 Specify the IP interface. The IP interface is in the form of IP Address/Netmask,Gateway: X.X.X.X/nn, Y.Y.Y.Y, where X.X.X.X specifies the sensor IP address as a 32-bit address written as 4 octets separated by periods, nn specifies the number of bits in the netmask, and Y.Y.Y.Y specifies the default gateway as a 32-bit address written as 4 octets separated by periods.
Step 6 Enter yes to modify the network access list:
a. If you want to delete an entry, enter the number of the entry and press Enter, or press Enter to get to the Permit line.
b. Enter the IP address and netmask of the network you want to add to the access list.
Note For example, 10.0.0.0/8 permits all IP addresses on the 10.0.0.0 network (10.0.0.0-10.255.255.255) and 10.1.1.0/24 permits only the IP addresses on the 10.1.1.0 subnet (10.1.1.0-10.1.1.255). If you want to permit access to a single IP address than the entire network, use a 32-bit netmask. For example, 10.1.1.1/32 permits just the 10.1.1.1 address.
c. Repeat Step b until you have added all networks that you want to add to the access list, and then press Enter at a blank permit line to go to the next step.
Step 7 You must configure a DNS server or an HTTP proxy server for global correlation to operate:
a. Enter yes to add a DNS server, and then enter the DNS server IP address.
b. Enter yes to add an HTTP proxy server, and then enter the HTTP proxy server IP address and port number.
You must have a valid sensor license for
global correlation features to function. You can still configure and display statistics for the global correlation features, but the global correlation databases are cleared and no updates are attempted. Once you install a valid license, the global correlation features are reactivated.
Step 8 Enter yes to modify the system clock settings:
a. Enter yes to modify summertime settings.
Note Summertime is also known as DST. If your location does not use Summertime, go to Step m.
b. Enter yes to choose the USA summertime defaults, or enter no and choose recurring, date, or disable to specify how you want to configure summertime settings. The default is recurring.
c. If you chose recurring, specify the month you want to start summertime settings. Valid entries are january, february, march, april, may, june, july, august, september, october, november, and december. The default is march.
d. Specify the week you want to start summertime settings. Valid entries are first, second, third, fourth, fifth, and last. The default is second.
e. Specify the day you want to start summertime settings. Valid entries are sunday, monday, tuesday, wednesday, thursday, friday, and saturday. The default is sunday.
f. Specify the time you want to start summertime settings. The default is 02:00:00.
Note The default recurring summertime parameters are correct for time zones in the United States. The default values specify a start time of 2:00 a.m. on the second Sunday in March, and a stop time of 2:00 a.m. on the first Sunday in November. The default summertime offset is 60 minutes.
g. Specify the month you want summertime settings to end. Valid entries are january, february, march, april, may, june, july, august, september, october, november, and december. The default is november.
h. Specify the week you want the summertime settings to end. Valid entries are first, second, third, fourth, fifth, and last. The default is first.
i. Specify the day you want the summertime settings to end. Valid entries are sunday, monday, tuesday, wednesday, thursday, friday, and saturday. The default is sunday.
j. Specify the time you want summertime settings to end. The default is 02:00:00.
k. Specify the DST zone. The zone name is a character string up to 24 characters long in the pattern [A-Za-z0-9()+:,_/-]+$.
l. Specify the summertime offset. Specify the summertime offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian). The default is 60.
m. Enter yes to modify the system time zone.
n. Specify the standard time zone name. The zone name is a character string up to 24 characters long.
o. Specify the standard time zone offset. Specify the standard time zone offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian). The default is 0.
p. Enter yes if you want to use NTP. To use authenticated NTP, you need the NTP server IP address, the NTP key ID, and the NTP key value. If you do not have those at this time, you can configure NTP later. Otherwise, you can choose unauthenticated NTP.
Step 9 Enter off, partial, or full to participate in the SensorBase Network Participation:
- Off—No data is contributed to the SensorBase Network.
- Partial—Data is contributed to the SensorBase Network, but data considered potentially sensitive is filtered out and never sent.
- Full—All data is contributed to the SensorBase Network except the attacker/victim IP addresses that you exclude.
The SensorBase Network Participation disclaimer appears. It explains what is involved in participating in the SensorBase Network.
Step 10 Enter yes to participate in the SensorBase Network.
Step 11 Enter 2 to save the configuration (or 3 to continue with advanced setup using the CLI).
Step 12 If you changed the time setting, enter yes to reboot the sensor.
Advanced Setup for the IPS Appliance
Note The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], IPS 4510 and IPS 4520 [IPS 7.1(4) and later].
Note Adding new subinterfaces is a two-step process. You first organize the interfaces when you edit the virtual sensor configuration. You then choose which interfaces and subinterfaces are assigned to which virtual sensors.
To continue with advanced setup for the appliance, follow these steps:
Step 1 Log in to the appliance using an account with administrator privileges.
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration and to see the current interface configuration.
Step 8 Enter 1 to edit the interface configuration.
Note The following options let you create and delete interfaces. You assign the interfaces to virtual sensors in the virtual sensor configuration. If you are using promiscuous mode for your interfaces and are not subdividing them by VLAN, no additional configuration is necessary.
Step 9 Enter 2 to add inline VLAN pairs and display the list of available interfaces.
Step 10 Enter 1 to add an inline VLAN pair to GigabitEthernet 0/0, for example.
Step 11 Enter a subinterface number and description.
Step 12 Enter numbers for VLAN 1 and 2.
Step 13 Press Enter to return to the available interfaces menu.
Note Entering a carriage return at a prompt without a value returns you to the previous menu.
Note At this point, you can configure another interface, for example, GigabitEthernet 0/1, for inline VLAN pair.
Step 14 Press Enter to return to the top-level interface editing menu.
Step 15 Enter 4 to add an inline interface pair and see these options.
Step 16 Enter the pair name, description, and which interfaces you want to pair.
Step 17 Press Enter to return to the top-level interface editing menu.
Step 18 Press Enter to return to the top-level editing menu.
Step 19 Enter 2 to edit the virtual sensor configuration.
Step 20 Enter 2 to modify the virtual sensor configuration, vs0.
Step 21 Enter 3 to add inline VLAN pair GigabitEthernet0/0:1.
Step 22 Enter 4 to add inline interface pair NewPair.
Step 23 Press Enter to return to the top-level virtual sensor menu.
Step 24 Press Enter to return to the top-level interface and virtual sensor configuration menu.
Step 25 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Step 26 Enter yes to disable automatic threat prevention on all virtual sensors.
Step 27 Press Enter to exit the interface and virtual sensor configuration.
Step 28 Enter 2 to save the configuration.
Step 30 Enter yes to continue the reboot.
Step 31 Apply the most recent service pack and signature update. You are now ready to configure your appliance for intrusion prevention.
Advanced Setup for the ASA 5500 AIP SSM
To continue with advanced setup for the ASA 5500 AIP SSM, follow these steps:
Step 1 Session in to the ASA 5500 AIP SSM using an account with administrator privileges.
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration.
Step 8 Enter 1 to edit the interface configuration.
Note You do not need to configure interfaces on the ASA 5500 AIP SSM. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5500 AIP SSM than for other sensors.
Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
Step 10 Enter 2 to edit the virtual sensor configuration.
Step 11 Enter 2 to modify the virtual sensor vs0 configuration.
Step 12 Enter 1 to add GigabitEthernet 0/1 to virtual sensor vs0.
Note Multiple virtual sensors are supported. The adaptive security appliance can direct packets to specific virtual sensors or can send packets to be monitored by a default virtual sensor. The default virtual sensor is the virtual sensor to which you assign GigabitEthernet 0/1. We recommend that you assign GigabitEthernet 0/1 to vs0, but you can assign it to another virtual sensor if you want to.
Step 13 Press Enter to return to the main virtual sensor menu.
Step 14 Enter 3 to create a virtual sensor.
Step 15 Enter a name and description for your virtual sensor.
Step 16 Enter 1 to use the existing anomaly detection configuration, ad0.
Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig.
Step 19 Enter 1 to use the existing event-action-rules configuration, rules0.
Note If GigabitEthernet 0/1 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
Step 20 Press Enter to exit the interface and virtual sensor configuration menu.
Step 21 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Step 22 Enter yes to disable automatic threat prevention on all virtual sensors.
Step 23 Enter 2 to save the configuration.
Step 24 Reboot the ASA 5500 AIP SSM.
Step 25 Enter yes to continue the reboot.
Step 26 After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).
Step 27 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when using HTTPS to connect to this ASA 5500 AIP SSM with a web browser.
Step 28 Apply the most recent service pack and signature update. You are now ready to configure your ASA 5500 AIP SSM for intrusion prevention.
Advanced Setup for the ASA 5500-X IPS SSP
To continue with advanced setup for the ASA 5500-X IPS SSP, follow these steps:
Step 1 Session in to the IPS using an account with administrator privileges.
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration.
Step 8 Enter 1 to edit the interface configuration.
Note You do not need to configure interfaces on the ASA 5500-X IPS SSP. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5500-X IPS SSP than for other sensors.
Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
Step 10 Enter 2 to edit the virtual sensor configuration.
Step 11 Enter 2 to modify the virtual sensor vs0 configuration.
Step 12 Enter 1 to add PortChannel 0/0 to virtual sensor vs0.
Note Multiple virtual sensors are supported. The adaptive security appliance can direct packets to specific virtual sensors or can send packets to be monitored by a default virtual sensor. The default virtual sensor is the virtual sensor to which you assign PortChannel 0/0. We recommend that you assign PortChannel 0/0 to vs0, but you can assign it to another virtual sensor if you want to.
Step 13 Press Enter to return to the main virtual sensor menu.
Step 14 Enter 3 to create a virtual sensor.
Step 15 Enter a name and description for your virtual sensor.
Step 16 Enter 1 to use the existing anomaly-detection configuration, ad0.
Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig.
Step 19 Enter 1 to use the existing event-action-rules configuration, rules0.
Note If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
Step 20 Press Enter to exit the interface and virtual sensor configuration menu.
Step 21 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Step 22 Enter yes to disable automatic threat prevention on all virtual sensors.
Step 23 Enter 2 to save the configuration.
Step 24 Reboot the ASA 5500-X IPS SSP.
Step 25 Enter yes to continue the reboot.
Step 26 After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).
Step 27 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when using HTTPS to connect to this ASA 5500-X IPS SSP with a web browser.
Step 28 Apply the most recent service pack and signature update. You are now ready to configure the ASA 5500-X IPS SSP for intrusion prevention.
Advanced Setup for the ASA 5585-X IPS SSP
To continue with advanced setup for the ASA 5585-X IPS SSP, follow these steps:
Step 1 Session in to the ASA 5585-X IPS SSP using an account with administrator privileges.
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
Step 4 Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled.
Step 5 Specify the SSHv1 fallback setting. The default is enabled.
Step 6 Specify the web server port. The web server port is the TCP port used by the web server (1 to 65535). The default is 443.
Note The web server is configured to use TLS/SSL encryption by default. Setting the port to 80 does not disable the encryption.
Step 7 Enter yes to modify the interface and virtual sensor configuration.
Step 8 Enter 1 to edit the interface configuration.
Note You do not need to configure interfaces on the ASA 5585-X IPS SSP. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5585-X IPS SSP than for other sensors.
Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
Step 10 Enter 2 to edit the virtual sensor configuration.
Step 11 Enter 2 to modify the virtual sensor vs0 configuration.
Step 12 Enter 1 to add PortChannel 0/0 to virtual sensor vs0.
Note Multiple virtual sensors are supported. The adaptive security appliance can direct packets to specific virtual sensors or can send packets to be monitored by a default virtual sensor. The default virtual sensor is the virtual sensor to which you assign PortChannel 0/0. We recommend that you assign PortChannel 0/0 to vs0, but you can assign it to another virtual sensor if you want to.
Step 13 Press Enter to return to the main virtual sensor menu.
Step 14 Enter 3 to create a virtual sensor.
Step 15 Enter a name and description for your virtual sensor.
Step 16 Enter 1 to use the existing anomaly-detection configuration, ad0.
Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig.
Step 19 Enter 1 to use the existing event action rules configuration, rules0.
Note If PortChannel 0/0 has not been assigned to vs0, you are prompted to assign it to the new virtual sensor.
Step 20 Press Enter to exit the interface and virtual sensor configuration menu.
Step 21 Enter yes if you want to modify the default threat prevention settings.
Note The sensor comes with a built-in override to add the deny packet event action to high risk rating alerts. If you do not want this protection, disable automatic threat prevention.
Step 22 Enter yes to disable automatic threat prevention on all virtual sensors.
Step 23 Enter 2 to save the configuration.
Step 24 Reboot the ASA 5585-X IPS SSP.
Step 25 Enter yes to continue the reboot.
Step 26 After reboot, log in to the sensor, and display the self-signed X.509 certificate (needed by TLS).
Step 27 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when using HTTPS to connect to this ASA 5585-X IPS SSP with a web browser.
Step 28 Apply the most recent service pack and signature update. You are now ready to configure your ASA 5585-X IPS SSP for intrusion prevention.
Verifying Initialization
Note The following show configuration output is an example of what your configuration may look like. It will not match exactly because of the optional setup choices.
To verify that you initialized your sensor, follow these steps:
Step 2 View your configuration.
Note You can also use the more current-config command to view your configuration.
Step 3 Display the self-signed X.509 certificate (needed by TLS).
Step 4 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when connecting to this sensor with a web browser.
Logging In to the IDM
The IDM is a web-based, Java Web Start application that enables you to configure and manage your sensor. The web server for the IDM resides on the sensor. You can access it through Internet Explorer or Firefox web browsers.
Note The IDM is already installed on the sensor.
To log in to the IDM, follow these steps:
Step 1 Open a web browser and enter the sensor IP address. A Security Alert dialog box appears.
Note The default IP address is 192.168.1.2/24,192.168.1.1, which you change to reflect your network environment when you initialize the sensor. When you change the web server port, you must specify the port in the URL address of your browser when you connect to the IDM in the format https://sensor_ip_address:port (for example, https://192.0.2.1:1040).
Step 2 Click Yes to accept the security certificate. The Cisco IPS Device Manager Version window appears.
Step 3 To launch the IDM, click Run IDM. The JAVA loading message box appears, and then the Warning - Security dialog box appears.
Step 4 To verify the security certificate, check the Always trust content from this publisher check box, and click Yes. The JAVA Web Start progress dialog box appears, and then the IDM on ip_address dialog box appears.
Step 5 To create a shortcut for the IDM, click Yes. The Cisco IDM Launcher dialog box appears.
Note You must have JRE 1.5 (JAVA 5) installed to create shortcuts for the IDM. If you have JRE 1.6 (JAVA 6) installed, the shortcut is created automatically.
Step 6 To authenticate the IDM, enter your username and password, and click OK. Both the default username and password are cisco. You were prompted to change the password during sensor initialization. The IDM begins to load. If you change panes from Home to Configuration or Monitoring before the IDM has completed initialization, a Status dialog box appears with the following message:
The main window of the IDM appears.
Note If you created a shortcut, you can launch the IDM by double-clicking the IDM shortcut icon. You can also close the The Cisco IPS Device Manager Version window. After you launch the IDM, it is not necessary for this window to remain open.
Installing or Upgrading the IME
This section describes how to install and upgrade the IME, and how to migrate data from IEV or a previous version of IME.
Cisco IEV, Cisco IOS IPS, and CSM
If you have a version of Cisco IPS Event Viewer installed, the Install wizard prompts you to remove it before installing the IME.
The IME event monitoring is also supported in IOS-IPS versions that support the Cisco IPS 5.x/6.x signature format. We recommend IOS-IPS 12.4(15)T4 if you intend to use the IME to monitor an IOS IPS device. Some of the new IME functionality including health monitoring is not supported.
Do not install the IME on top of existing installations of CSM. You must uninstall CSM before installing the IME.
Installation Notes and Caveats
Note If you are using Windows 7 or Windows Server 2008, and an IME version earlier than 7.1.1, uninstall IME before upgrading it. Otherwise, just upgrade from your current IME version.
Observe the following when installing or upgrading the IME:
- You can install the IME over all versions of the IME but not over IEV. All alert database and user settings are preserved.
- The IME detects previous versions of IEV and prompts you to manually remove the older version before installing the IME or to install the IME on another system. The installation program then stops.
- Make sure you close any open instances of the IME before upgrading to a new version of the IME.
- Disable any anti-virus or host-based intrusion detection software before beginning the installation, and close any open applications. The installer spawns a command shell application that may trigger your host-based detection software, which causes the installation to fail.
- You must be administrator to install the IME.
- The IME coexists with other instances of the MySQL database. If you have a MySQL database installed on your system, you do NOT have to uninstall it before installing the IME.
Installing or Upgrading the IME
To install the IME, follow these steps:
Step 1 From the Download Software site on Cisco.com, download the IME executable file to your computer, or start the IDM in a browser window, and under Cisco IPS Manager Express, click download to install the IME executable file. IME-7.2.2.exe is an example of what the IME executable file might look like.
Step 2 Double-click the executable file. The Cisco IPS Manager Express - InstallShield Wizard appears. You receive a warning if you have a previous version of Cisco IPS Event Viewer installed. Acknowledge the warning, and exit installation. Remove the older version of IEV, and then continue the IME installation
Step 3 Click Next to start the IME installation.
Step 4 Accept the license agreement and click Next.
Step 5 Click Next to choose the destination folder, click Install to install the IME, and then click Finish to exit the wizard. The Cisco IME and Cisco IME Demo icons are now on your desktop.
Note The first time you start the IME, you are prompted to set up a password.
To migrate IEV 5. x events to the IME, you must exit the installation and manually export the old events by using the IEV 5. x export function to move the data to local files. After installing the IME, you can import these files to the new IME system.
Note The IME does not support import and migration functions for IEV 4.x.
To export event data from IEV 5. x to a local file:
Step 1 From IEV 5. x, choose File > Database Administration > Export Database Tables.
Step 2 Enter the file name and select the table(s).
Step 3 Click OK. The events in the selected table(s) are exported to the specified local file.
Importing IEV Event Data In to IME
To import event data in to the IME, follow these steps:
Step 1 From the IME, choose File > Import.
Step 2 Select the file exported from IEV 5. x and click Open. The contents of the selected file are imported in to the IME.
For more information about the IME, refer to Cisco Intrusion Prevention System Manager Express Installation Guide for IPS 7.1.
Enabling Anomaly Detection
Note Anomaly detection is disabled by default in IPS 7.1(2)E4 and later. You must enable it to configure or apply an anomaly detection policy. Enabling anomaly detection results in a decrease in performance.
The following section explains how to enable anomaly detection through the IDM, IME, and the CLI. It contains the following topics:
Enabling Anomaly Detection Using the IDM or IME
To enable anomaly detection, follow these steps:
Step 1 Log in to the IDM or IME using an account with administrator or operator privileges.
Step 2 Choose Configuration > Policies > IPS Policies.
Step 3 Select the virtual sensor for which you want to turn on anomaly detection, and then click Edit.
Step 4 Under Anomaly Detection, choose an anomaly detection policy from the Anomaly Detection Policy drop-down list. Unless you want to use the default ad0, you must have already added a anomaly detection policy by choosing Configuration > Policies > Anomaly Detections > Add.
Step 5 Choose Detect as the anomaly detection mode from the AD Operational Mode drop-down list. The default is Inactive.
Tip To discard your changes and close the Edit Virtual Sensor dialog box, click Cancel.
Tip To discard your changes, click Reset.
Step 7 Click Apply to apply your changes and save the revised configuration.
For more detailed information about anomaly detection, refer to Configuring Anomaly Detection.
Enabling Anomaly Detection Using the CLI
To enable anomaly detection, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter analysis engine submode.
Step 3 Enter the virtual sensor name that contains the anomaly detection policy you want to enable.
Step 4 Enable anomaly detection operational mode.
Step 5 Exit analysis engine submode.
Step 6 Press Enter to apply your changes or enter no to discard them.
For more detailed information about anomaly detection, refer to Configuring Anomaly Detection.
Disabling Anomaly Detection
The following section explains how to disable anomaly detection through the IDM, IME, or the CLI. It contains the following topics:
Disabling Anomaly Detection Using the IDM or IME
To disable anomaly detection, follow these steps:
Step 1 Log in to IDM or IME using an account with administrator or operator privileges.
Step 2 Choose Configuration > Policies > IPS Policies.
Step 3 Select the virtual sensor for which you want to turn off anomaly detection, and then click Edit.
Step 4 Under Anomaly Detection, from the AD Operational Mode drop-down list, choose Inactive as the anomaly detection mode.
Tip To discard your changes and close the Edit Virtual Sensor dialog box, click Cancel.
Tip To discard your changes, click Reset.
Step 6 Click Apply to apply your changes and save the revised configuration.
For more detailed information about anomaly detection, refer to Configuring Anomaly Detection.
Disabling Anomaly Detection Using the CLI
If you have anomaly detection enabled and you have your sensor configured to see only one direction of traffic, you should disable anomaly detection. Otherwise, you will receive many alerts, because anomaly detection sees asymmetric traffic as having incomplete connections, that is, like worm scanners, and fires alerts.
To disable anomaly detection, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter analysis engine submode.
Step 3 Enter the virtual sensor name that contains the anomaly detection policy you want to disable.
Step 4 Disable anomaly detection operational mode.
Step 5 Exit analysis engine submode.
Step 6 Press Enter to apply your changes or enter no to discard them.
For more detailed information about anomaly detection, refer to Configuring Anomaly Detection.
Cisco Security Intelligence Operations
The Cisco Security Intelligence Operations site on Cisco.com provides intelligence reports about current vulnerabilities and security threats. It also has reports on other security topics that help you protect your network and deploy your security systems to reduce organizational risk.
You should be aware of the most recent security threats so that you can most effectively secure and manage your network. Cisco Security Intelligence Operations contains the top ten intelligence reports listed by date, severity, urgency, and whether there is a new signature available to deal with the threat.
Cisco Security Intelligence Operations contains a Security News section that lists security articles of interest. There are related security tools and links.
You can access Cisco Security Intelligence Operations at this URL:
http://tools.cisco.com/security/center/home.x
Cisco Security Intelligence Operations is also a repository of information for individual signatures, including signature ID, type, structure, and description.
You can search for security alerts and signatures at this URL:
Restrictions and Limitations
The following restrictions and limitations apply to Cisco IPS 7.1(10)E4 software and the products that run it:
- IME 7.2.4.50 is the only supported release for IPS 7.1(10)E4.
- The IPS 4345 and IPS 4360 do not support hardware bypass. Hardware bypass is currently only supported on the IPS 4270-20.
- The ASA 5500-X adaptive security appliances running version 9.1.2 and later may crash and reload while downgrading signatures on the IPS. This issue is seen only on the ASA 5500-X integrated platforms (5512-X, 5515-X, 5525-X, 5545-X, and 5555-X). The workaround is to remove the IPS service policy from the ASA configuration before performing the downgrade and to reattach the service policy when the downgrade is completed. This issue will be resolved once CSCuj63077 is fixed on the ASA 5500-X adaptive security appliance.
- The 4240, IPS 4255, IPS 4260, IPS 4270, ASA 5500 AIP SSM, ASA 5512-X IPS SSP, and the ASA 5515-X IPS SSP do not support the Regex accelerator card and the String XL engines.
- Applying any signature template erases any existing tunings associated with the targeted signature definition file. The IPS 4240, IPS 4255, IPS 4260, IPS 4270-20, ASA 5500 AIP SSM, ASA 5512-X IPS SSP, and ASA 5515-X IPS SSP do not support signature templates (signature threat profiles).
- The IPS 4240, IPS 4255, IPS 4260, IPS 4270-20, ASA 5500 AIP SSM, ASA 5512-X IPS SSP, and ASA 5515-X IPS SSP do not support HTTP advanced decoding.
- In IPS 7.1, rx/tx flow control is disabled on the IPS 4200 series sensors. This is a change from IPS 7.0 where rx/tx flow control is enabled by default.
- The fix for CSCun76930 has a Reassemble timeout of 10 seconds.
There are 1000 datagram slots, and with a reduced 10-second timeout, we can achieve 1000/10=100 dgrams/sec. Each datagram is at least 2 packets, and hence, with the revised fix for CSCun76930, the IPS should handle at least 200pps, assuming all fragments are reassembled. Based on lab testing, we observed that the IPS could comfortably handle up to 400pps.
Workaround: Depending on your network we have a configurable parameter that can be tuned from the service user prompt to handle up to 1000pps.
- Enabling HTTP advanced decoding can have a significantly negative performance and memory impact on the sensor.
- Use the show statistics virtual-sensor | include load command (CLI) or look at the statistics for the virtual sensor at Configuration > Sensor Monitoring > Support Information > Statistics (IDM/IME) to determine the load value over a longer period of time. The show statistics analysis-engine command (CLI) and the statistics for Analysis Engine show values over a shorter period of time. If you compare the output, the values will appear to be inconsistent due to the different time periods. To get an accurate comparison between them, compare the processing load percentage from the statistics for the virtual sensor and the one-minute averaged value from the statistics for Analysis Engine.CSCtq35258
- On IPS sensors with multiple processors (for example, the IPS 4260 and IPS 4270-20), packets may be captured out of order in the IP logs and by the packet command. Because the packets are not processed using a single processor, the packets can become out of sync when received from multiple processors.
- TACACS+ authentication is not supported in IPS 7.1(10)E4.
- The CLI timeout feature is applicable only for sessions established through SSH, Telnet, and the console. Service account logins are not affected.
- Anomaly detection does not support IPv6 traffic; only IPv4 traffic is directed to the anomaly detection processor.
- IPv6 does not support the following event actions: Request Block Host, Request Block Connection, or Request Rate Limit.
- Global correlation does not support IPv6.
- There is no support for IPv6 on the management (command and control) interface.
- ICMP signature engines do not support ICMPv6, they are IPv4-specific, for example, the Traffic ICMP signature engine. ICMPv6 is covered by the Atomic IP Advanced signature engine.
- CSM and MARS do not support IPv6.
- When deploying an IPS sensor monitoring two sides of a network device that does TCP sequence number randomization, we recommend using a virtual senor for each side of the device.
- For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported. If you remove the cisco account through the service account, the sensor most likely will not boot up, so to recover the sensor you must reinstall the sensor system image.
- After you upgrade any IPS software on your sensor, you must restart the IDM to see the latest software features.
- The IDM does not support any non-English characters, such as the German umlaut or any other special language characters. If you enter such characters as a part of an object name through IDM, they are turned into something unrecognizable and you will not be able to delete or edit the resulting object through IDM or the CLI. This is true for any string that is used by the CLI as an identifier, for example, names of time periods, inspect maps, server and URL lists, and interfaces.
- When SensorApp is reconfigured, there is a short period when SensorApp is unable to respond to any queries. Wait a few minutes after reconfiguration is complete before querying SensorApp for additional information.
- The IDM and IME launch MySDN from the last browser window you opened, which is the default setting for Windows. To change this default behavior, in Internet Explorer, choose Tools > Internet Options, and then click the Advanced tab. Scroll down and uncheck the Reuse windows for launching shortcuts check box.
Caveats
This section lists the resolved and unresolved caveats, and contains the following topics:
Resolved Caveats
The following known issues have been resolved in the 7.1(10)E4 release. Release notes can be viewed in Bug Search tool at the following URL: https://tools.cisco.com/bugsearch/
- CSCul95220 IPS: Normalizer Engine Misfiring on Valid TCP Traffic, SIG 1330.14 Fires
- CSCul58230 ASA 5512-5555 Fails to Get IPS Module Unique Device Identifier
- CSCun76930 IPS: Fragment Reassembly Delay Can Trigger Sig 1208.0 and Drop Fragments
- CSCug87980 HTTP-advanced-decoding causes sensorApp to fail for gzip encoding
- CSCui67394 Cisco IPS Control-Plane MainApp Denial of Service Vulnerability
- CSCuj02243 local scp update timeout will cause mainApp failure
- CSCum78226 IPS: SensorApp crash with cored 'InspectorServiceP2PTCP' by P2P engine
- CSCun65079 IPS mainApp unresponsive due to failure in the control transaction comm
- CSCub75688 sig update sensorApp abort in libhoard dlmalloc
- CSCuo15489 signature update fails with out of memory message
- CSCup22652 Multiple Vulnerabilities in OpenSSL - June 2014
- CSCum94001 IPS: MainApp crash with multiple services monitoring the sensor
- CSCun03441 CLI config commands consume high memory
- CSCun17715 Sensor might hang when issuing show tech-support
- CSCub57756 Signature 1204 and 1208 firing with invalid info for Fragmented Traffic
- CSCul92594 Updater client does not verify server certificate
- CSCum12974 Invalid host-name characters including slash are allowed
- CSCuo52116 AnalysisEngine is temporarily unresponsive to user queries
- CSCuo63320 Sig 1300-0 fires for TCP keep-alive segments
- CSCuo96771 IPS : SNMP OID ifXtable missing after upgrade to 7.1.8 E4
- CSCum45940 IPS: mainApp not responding to due to _S_create exception
- CSCum55373 Old and new alerts fire even after custom signature changed
- CSCuq09346 IPS PAM RADIUS messages need to be summarized/throttled
- CSCul00697 ASA drops traffic in fail-close mode during SSM config change
- CSCuq20940 IPS 7.1(8) : Inspector string-tcp Engine might prevent Signature firing
- CSCup63718 A blocking host is removed in spite of using "No Timeout"
- CSCur00552 IPS evaluation for CVE-2014-6271 and CVE-2014-7169
- CSCuq39550 Cisco IPS MainApp Denial of Service Vulnerability
- CSCuq55857 SSH to the IPS fails after changing sshv1-fallback settings
- CSCur29000 IPS : evaluation of SSLv3 POODLE vulnerability
- CSCur79456 SNMP traps causing mainApp memory leak
- CSCur53244 IPS:10/15/14 OpenSSL PSIRT CVE-2014-3513 CVE-2014-3567 CVE-2014-3568
- CSCut14427 Evaluate June 2014 OpenSSL vulnerabilities in 7.1.9 webserver
- CSCus80502 IPS: Mismatch between "available memory" in "show ver" and Linux top
- CSCus42768 JANUARY 2015 OpenSSL Vulnerabilities
- CSCus27219 December 2014 - NTPd.org Vulnerabilities
- CSCus69646 Evaluation of glibc GHOST vulnerability - CVE-2015-0235
- CSCto48429 sensorApp in bypass briefly after uptime of 497 days or 49.7 days
- CSCur57428 IPS: Interface Counters/Statistics Incorrect on 4500-series Models
- CSCus79148 IPS: cidcli may not release memory even after CSCun03441 fix
- CSCur90751 AnalysisEngine NotRunning in updateTime function
- CSCut06820 Impact of June 2015 Super Leap Second
Unresolved Caveats
The following relevant issues are unresolved in IPS 7.1(10)E4:
- CSCuo85755 NotificationApp SnmpAgent Failure
- CSCui40980 high memory usage can cause sensorApp hang during signature update
- CSCuq54783 IPS mainApp failure while handling TLS message
- CSCup08917 IPS Sig auto-updates failing with an Error: invalid user name/password
- CSCtj37146 Error updating the database on the SSM
- CSCuq31617 IPS does not remove block when comm are recovered after temp disruption
- CSCuo27141 IPS Sig auto-updates and GC updates should not depend on nscd presence
- CSCuq23842 IPS on ASA crashes in HTTP advanced decoding
- CSCuq73213 HTTP-advanced-decoding can cause IPS crash
- CSCut67041 VSID getting reset during Fragmented traffic reassemble intermittently
- CSCuu59402 ASA-IPS Data Channel Communication Failure
Related Documentation
For a complete list of the Cisco IPS 7.1 documentation and where to find it, refer to the following URL:
http://www.cisco.com/en/US/docs/security/ips/7.1/roadmap/19889_01.html
For a complete list of the Cisco ASA 5500 series documentation and where to find it, refer to the following URL:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html
Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)