Cisco IPS-4255-K9 - Intrusion Protection Sys 4255 Installation Manual

Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0

Cisco Intrusion Prevention System
Appliance and Module Installation Guide
for IPS 7.0
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-18504-01


Summary of Contents for Cisco IPS-4255-K9 - Intrusion Protection Sys 4255

  • Page 1 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-18504-01...
  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
  • Page 3: Table Of Contents

    1-15 Deploying VLAN Groups 1-16 Supported Sensors 1-17 IPS Appliances 1-18 Introducing the IPS Appliance 1-18 Appliance Restrictions 1-19 Connecting an Appliance to a Terminal Server 1-19
  • Page 4 Installing the IPS 4240-DC 2-10 Installing the IPS 4260 CHAPTER Introducing the IPS 4260 Supported Interface Cards Hardware Bypass 4GE Bypass Interface Card
  • Page 5 Installing the Cable Management Arm 4-28 Converting the Cable Management Arm 4-31 Installing the IPS 4270-20 4-35 Removing and Replacing the Chassis Cover 4-38 Accessing the Diagnostic Panel 4-41
  • Page 6 Minimum Supported the IDSM2 Configurations Using the TCP Reset Interface Front Panel Features Installation and Removal Instructions Required Tools Slot Assignments Installing the IDSM2 Verifying Installation Removing the IDSM2 7-10
  • Page 7 Sessioning In to the NME IPS 9-10 Logging In to the Sensor 9-11 Initializing the Sensor 10-1 CHAPTER Understanding Initialization 10-1 Simplified Setup Mode 10-1
  • Page 8 Automatic Upgrades 12-6 auto-upgrade Command and Options 12-7 Using the auto-upgrade Command 12-8 Automatic Upgrade Examples 12-10 Downgrading the Sensor 12-11 Recovering the Application Partition 12-12
  • Page 9 Recovering the Appliance Password Using the GRUB Menu Using ROMMON Recovering the AIM IPS Password A-10 Recovering the AIP SSM Password A-10 Recovering the IDSM2 Password A-13
  • Page 10 Verifying ARC Connections are Active A-39 Device Access Issues A-41 Verifying the Interfaces and Directions on the Network Device A-43 Enabling SSH Connections to the Network Device A-43
  • Page 11 Troubleshooting the AIM IPS and the NME IPS A-69 Interoperability With Other IPS Network Modules A-69 Gathering Information A-70 Health and Network Security Information A-70 Tech Support Information A-71
  • Page 12 Clearing Events A-92 cidDump Script A-92 Uploading and Accessing Files on the Cisco FTP Site A-93 Glossary Index
  • Page 13 Revised: April 4, 2012, OL-18504-01 Contents This guide describes how to install appliances and modules that support Cisco IPS 7.0. It includes a glossary that contains expanded acronyms and pertinent IPS terms. It is part of the documentation set for Cisco Intrusion Prevention System 7.0. Use this guide in conjunction with the documents listed in Related Documentation, page xvi.
  • Page 14 Warning (Spanish): Installation of the equipment must comply with local and national electrical codes. Warning (Swedish): Installation of the equipment must be carried out in accordance with applicable electrical installation regulations.
  • Page 15 Commands and keywords and user-entered text appear in bold font. italic font Document titles, new or emphasized terms, and arguments for which you supply values are in italic font. Elements in square brackets are optional.
  • Page 16: Related Documentation

    Means reader be warned. In this situation, you might perform an action that could result in bodily injury. Related Documentation For more information on Cisco IPS, refer to the following documentation found at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html Documentation Roadmap for Cisco Intrusion Prevention System •...
  • Page 17 Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 18 Preface Contents
  • Page 19: How The Sensor Functions

    Figure 1-1 on page 1-2 shows how you can deploy a combination of sensors operating in both inline (IPS) and promiscuous (IDS) modes to protect your network.
  • Page 20 The command and control interface is always Ethernet. This interface has an assigned IP address, which allows it to communicate with the manager workstation or network devices (Cisco switches, routers, and firewalls). Because this interface is visible on the network, you should use encryption to maintain data privacy.
  • Page 21: Your Network Topology

    False positives are a by-product of all IPS devices, but they occur much less frequently in Cisco IPS devices since Cisco IPS devices are stateful, normalized, and use vulnerability signatures for attack evaluation. Cisco IPS devices also provide risk rating, which identifies high risk events, and policy-based management, which lets you deploy rules to enforce IPS signature actions based on risk rating.
  • Page 22: Sensor Interfaces

    0, and the PCI expansion slots are numbered beginning with slot 1 for the bottom slot with the slot numbers increasing from bottom to top (except for the IPS 4270-20, where the...
  • Page 23: Command And Control Interface

    Table 1-1 Command and Control Interfaces (Sensor: Command and Control Interface): AIM IPS: Management0/0; AIP SSM-10: GigabitEthernet0/0; AIP SSM-20: GigabitEthernet0/0; AIP SSM-40: GigabitEthernet0/0; IDSM2: GigabitEthernet0/2; IPS 4240: Management0/0
  • Page 24: Sensing Interfaces

    AIP SSM-10; —; GigabitEthernet0/1 by security context instead of VLAN pair or inline interface pair; GigabitEthernet0/1 by security context instead of VLAN pair or inline interface pair; GigabitEthernet0/0
  • Page 25 Slot 2 GigabitEthernet3/0 3/0<->3/1 GigabitEthernet3/1 3/2<->3/3 GigabitEthernet3/2 GigabitEthernet3/3 IPS 4260 GigabitEthernet0/1 All sensing ports can be paired Management0/0 together Slot 1 GigabitEthernet2/0 GigabitEthernet2/1 Slot 2 GigabitEthernet3/0 GigabitEthernet3/1
  • Page 26 4. To disable hardware bypass, pair the interfaces in any other combination (2/0<->2/2 and 2/1<->2/3, for example). 5. Reserved for future use. 6. Reserved for future use. 7. Reserved for future use.
  • Page 27: Tcp Reset Interfaces

    Alternate TCP Reset Interface by sensor: AIM IPS: None; AIP SSM-10: None; AIP SSM-20: None; AIP SSM-40: None; IDSM2: System0/1; IPS 4240: Any sensing interface; IPS 4255: Any sensing interface
  • Page 28: Interface Restrictions

    – For Gigabit (copper or fiber) interfaces, if the speed is configured for 1000 Mbps, the only valid duplex setting is auto. – The command and control interface cannot also serve as a sensing interface.
  • Page 29 – You cannot add a VLAN to more than one group on each interface. – You cannot add a VLAN group to multiple virtual sensors.
  • Page 30: Interface Modes

    VLAN pair subinterfaces of that interface from the interface configuration.
  • Page 31: Ipv6, Switches, And Lack Of Vacl Capture

    Note: The SPAN/Monitor configuration is valuable when you want to assign different IPS policies per VLAN or when you have more bandwidth to monitor than one interface can handle.
  • Page 32: Inline Interface Pair Mode

    VLAN A Router Switch Sensor Host For More Information For a list of restrictions pertaining to IPS sensor interfaces, see Interface Restrictions, page 1-10.
  • Page 33: Inline Vlan Pair Mode

    VLAN group subinterfaces associate a set of VLANs with a physical or inline interface. No VLAN can be a member of more than one VLAN group subinterface. Each VLAN group subinterface is identified by a number between 1 and 255.
  • Page 34: Deploying Vlan Groups

    VLANs are carried over the inline interface pair, the VLANs can be divided into groups and each group can be assigned to a virtual sensor. The second variation does not apply to the IDSM2 because it cannot be connected in this way.
  • Page 35: Supported Sensors

    Installing the most recent software on unsupported sensors may yield unpredictable results. We do not support software installed on unsupported platforms. Table 1-4 lists the sensors (IPS appliances and modules) that are supported by Cisco IPS 7.0. Table 1-4 Supported Sensors...
  • Page 36: Ips Appliances

    • Note: The WS-X6381, the IDSM, is a legacy model and is not supported in this document. For More Information For instructions on how to obtain the most recent Cisco IPS software, see Obtaining Cisco IPS Software, page 11-1. IPS Appliances...
  • Page 37: Appliance Restrictions

    You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps: Connect to a terminal server using one of the following methods:...
  • Page 38: Ips Modules

    Introducing the AIM IPS Cisco Intrusion Prevention System Advanced Integration Module (AIM IPS) integrates and brings inline Cisco IPS functionality to Cisco access routers. You can install the AIM IPS in Cisco 1841, 2800 series, and 3800 series routers.
  • Page 39 192.168.2.x/24 Threat The AIM IPS has its own operating system, Cisco IPS software, startup, and run-time configurations. You launch and configure the AIM IPS through the router by means of a configuration session on the module. After the session, you return to the router CLI and clear the session.
  • Page 40: Introducing The Aip Ssm

    IPS. Introducing the AIP SSM The Cisco ASA Advanced Inspection and Prevention Security Services Module (AIP SSM) is the IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. The adaptive security appliance software integrates firewall, VPN, and intrusion detection and prevention capabilities in a single platform.
  • Page 41 (outside) network. The web server is on the DMZ interface, and HTTP clients from both the inside and outside networks can access the web server securely.
  • Page 42: Introducing The Idsm2

    SSM. Introducing the IDSM2 The Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM2) is a switching module that performs intrusion prevention in the Catalyst 6500 series switch and 7600 series router. You can use the CLI or IDSM to configure the IDSM2. You can configure the IDSM2 for promiscuous or inline mode.
  • Page 43: Introducing The Nme Ips

    Cisco Intrusion Prevention System Network Module (NME IPS) integrates and brings inline Cisco IPS functionality to Cisco access routers. You can install the NME IPS in any one of the network module slots in the 2800 and 3800 series router.
  • Page 44: Time Sources And The Sensor

    NTP, you must obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server. You can set up NTP during initialization or you can configure NTP through the CLI, IDM, IME, or ASDM.
  • Page 45 AIM IPS and the NME IPS and the router. – Use NTP—You can configure the AIM IPS and the NME IPS to get their time from an NTP time synchronization source, such as a Cisco router, other than the parent router. • For the AIP SSM –...
  • Page 46: Synchronizing Ips Module System Clocks With The Parent Device System Clock

    Verifying the Sensor is Synchronized with the NTP Server In Cisco IPS, you cannot apply an incorrect NTP configuration, such as an invalid NTP key value or ID, to the sensor. If you try to apply an incorrect configuration, you receive an error message. To verify the NTP configuration, use the show statistics host command to gather sensor statistics.
  • Page 47: Correcting The Time On The Sensor

    Step 1: Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. Step 2: To familiarize yourself with the IPS and related documentation and where to find it on Cisco.com, read Documentation Roadmap for Cisco Intrusion Prevention System 7.0.
  • Page 48: Site And Safety Guidelines

    Baffles can help to isolate exhaust air from intake air, which also helps to draw cooling air through the chassis. The best placement of the baffles depends on the airflow patterns in the rack. Experiment with different arrangements to position the baffles effectively.
  • Page 49: Electrical Safety Guidelines

    • Install the sensor in compliance with local and national electrical codes as listed in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. • The sensor models equipped with AC-input power supplies are shipped with a 3-wire electrical cord...
  • Page 50: Power Supply Guidelines

    Step 2: Use a static dissipative work surface and wrist strap. Note: Disposable wrist straps, typically those included with an upgrade part, are designed for one time use.
  • Page 51: Cable Pinouts

    MGMT 10/100 Ethernet port. It contains the following topics: • 10/100BaseT and 10/100/1000BaseT Connectors, page 1-34 • Console Port (RJ-45), page 1-35 • RJ-45 to DB-9 or DB-25, page 1-36
  • Page 52: 10/100Baset And 10/100/1000Baset Connectors

    Figure 1-12 shows the 10/100/1000BaseT (RJ-45) port pinouts. Figure 1-12 10/100/1000 Port Pinouts (pin labels: TP0+, TP0-, TP1+, TP2+, TP2-, TP1-, TP3+, TP3-)
  • Page 53: Console Port (Rj-45)

    • Straight-through • Cross-over • Rolled (console) Note: Cisco does not provide these cables; however, they are widely available from other sources. Figure 1-13 shows the RJ-45 cable. Figure 1-13 RJ-45 Cable 8 7 6 5 4 3 2 1...
  • Page 54: To Db-9 Or

    RJ-45 to DB-9 or DB-25. Table 1-5 Cable Pinouts for RJ-45 to DB-9 or DB-25 Signal RJ-45 Pin DB-9/DB-25 Pin
  • Page 55: Introducing The Ips 4240 And The Ips 4255

    • Introducing the IPS 4240 and the IPS 4255, page 2-1 • Front and Back Panel Features, page 2-2 • Specifications, page 2-4 • Connecting the IPS 4240 to a Cisco 7200 Series Router, page 2-5 • Accessories, page 2-5 • Important Safety Instructions, page 2-5...
  • Page 56: Front And Back Panel Features

    Solid amber when the power-up diagnostics have failed. Flash Off when the compact flash device is not being accessed. Blinks green when the compact flash device is being accessed.
  • Page 57 Back Panel Indicators (Indicator; Color; Description): Left side: Green solid, Physical link; Green blinking, Network activity. Right side: Not lit, 10 Mbps; Green, 100 Mbps; Amber, 1000 Mbps.
  • Page 58: Specifications

    Nonoperating 0 to 15,000 ft (4750 m) Shock Operating 1.14 m/sec (45 in./sec) ½ sine input Nonoperating 30 G Vibration 0.41 Grms2 (3 to 500 Hz) random input Acoustic noise 60 dBa (maximum)
  • Page 59: Connecting The Ips 4240 To A Cisco 7200 Series Router

    Statement 1071 SAVE THESE INSTRUCTIONS Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030
  • Page 60: Rack Mounting

    Note: The top hole on the left bracket is a banana jack you can use for ESD grounding purposes when you are servicing the system. You can use the two threaded holes to mount a ground lug to ground the chassis.
  • Page 61: Installing The Ips 4240 And The Ips 4255

    Statement 1030 Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
  • Page 62 RJ-45 or hydra cable assembly connections. Connect the appropriate cable from the console port on the appliance to a port on the terminal server.
  • Page 63 Power on the appliance. Step 9: Initialize the appliance. Step 10: Upgrade the appliance with the most recent Cisco IPS software. You are now ready to configure intrusion prevention on the appliance.
  • Page 64: Installing The Ips 4240-Dc

    • For the procedure for using the setup command to initialize IPS 4250-DC, see Basic Sensor Setup, page 10-4. • For the procedure for updating IPS-4250-DC with the most recent Cisco IPS software, see Obtaining Cisco IPS Software, page 11-1.
  • Page 65 DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position. Remove the DC power supply plastic shield. Step 7
  • Page 66 Using the same method as for the ground wire, connect the negative wire and then the positive wire. (Figure labels: Negative, Positive, Ground, On/Off Switch)
  • Page 67 For the procedure for using the setup command to initialize IPS 4250-DC, see Basic Sensor Setup, page 10-4. • For the procedure for updating IPS 4250-DC with the most recent Cisco IPS software, see Obtaining Cisco IPS Software, page 11-1.
  • Page 68 Chapter 2 Installing the IPS 4240 and the IPS 4255 Installing the IPS 4240-DC
  • Page 69: Introducing The Ips 4260

    The BIOS on the IPS 4260 is specific to the IPS 4260 and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on the IPS 4260 voids the warranty.
  • Page 70: Supported Interface Cards

    The IPS 4260 ships with one power supply, but it supports redundant power supplies. The IPS 4260 operates in load-sharing mode when the optional redundant power supply is installed. For More Information • For more information on how to obtain instructions and BIOS files from the Cisco website, see Obtaining Cisco IPS Software, page 11-1.
  • Page 71 10GE fiber interfaces. The card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the IPS 4260. The 10GE interface card does not support hardware bypass.
  • Page 72: Hardware Bypass

    Note: To disable hardware bypass, pair the interfaces in any other combination, for example 2/0<->2/2 and 2/1<->2/3. Hardware bypass complements the existing software bypass feature in Cisco IPS. The following conditions apply to hardware bypass and software bypass: • When bypass is set to OFF, software bypass is not active.
  • Page 73: Hardware Bypass Configuration Restrictions

  • Page 74: Hardware Bypass And Link Changes And Drops

    There are three switches on the front panel of the IPS 4260: • Power—Toggles the system power. • Reset—Resets the system. • ID—Toggles the system ID indicator.
  • Page 75 CONSOLE GE 0/1 MGMT (not supported) USB ports Management Console Power Power (not used) port supply 2 supply 1 Gigabit Video connector Ethernet 0/1 (not supported)
  • Page 76 OCP 12 V, OVP 12 V, or fan failed. Amber blinking Power supply warning events where the power supply continues to operate: high temperature, high power/high current, or slow fan.
  • Page 77: Specifications

    The IPS 4260 accessories kit contains the following: • DB25 connector • DB9 connector • Rack mounting kit—screws, washers, and metal bracket • RJ45 console cable • Two 6-ft Ethernet cables
  • Page 78: Important Safety Instructions

    [Figure labels: RESET, Cisco IPS 4260 series Intrusion Prevention Sensor, POWER, FLASH, STATUS]
  • Page 79 Step 3: Using the four inner studs, install the mounting brackets to the outer rail with four 8-32 KEPS nuts. Insert four thread covers over the four outer studs on each side.
  • Page 80 [Figure labels: RESET, Cisco IPS 4260 series Intrusion Prevention Sensor, POWER, FLASH, STATUS]
  • Page 81: Installing The Ips 4260 In A 2-Post Rack

    Using the four inner studs, install the mounting brackets to the outer rail with four 8-32 KEPS nuts. Insert four thread covers over the four outer studs on each side.
  • Page 82 Step 4 [Figure labels: RESET, Cisco IPS 4260 series Intrusion Prevention Sensor, POWER, FLASH, STATUS]
  • Page 83: Installing The Ips 4260

    Statement 1030 Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
  • Page 84 RJ-45 or hydra cable assembly connections. Connect the appropriate cable from the console port on the appliance to a port on the terminal server.
  • Page 85 Caution: Management and console ports are privileged administrative ports. Connecting them to an untrusted network can create security concerns. Step 8: Power on the IPS 4260. Step 9: Initialize the IPS 4260.
  • Page 86: Removing And Replacing The Chassis Cover

    Chapter 3 Installing the IPS 4260 Removing and Replacing the Chassis Cover Step 10: Upgrade the IPS 4260 with the most recent Cisco IPS software. You are now ready to configure intrusion prevention on the IPS 4260. For More Information...
  • Page 87 Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. Note: Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4260 does not require any special tools and does not create any radio frequency leaks.
  • Page 88: Installing And Removing Interface Cards

    If rack-mounted, remove the IPS 4260 from the rack. Step 5 Make sure the IPS 4260 is in an ESD-controlled environment. Step 6 Remove the chassis cover. Step 7
  • Page 89 Step 12: Reinstall the slot cover screw to hold the card to the carrier. If necessary, reinstall the card support at the back of the card carrier. Step 13 Replace the card carrier in the chassis. Step 14 Replace the chassis cover.
  • Page 90: Installing And Removing The Power Supply

    Step 4 Note: Power supplies are hot-swappable. You can replace a power supply while the IPS 4260 is running, if you are replacing a redundant power supply.
  • Page 91 To remove the power supply, push down the green tab and pull out the power supply. Step 7 After installing or removing the power supply, replace the power cord and other cables. Step 8 Power on the IPS 4260. Step 9
  • Page 92 For the IDM procedure for resetting the IPS 4260, refer to Rebooting the Sensor; for the IME procedure for resetting the IPS 4260, refer to Rebooting the Sensor.
  • Page 93: Chapter 4 Installing The Ips 4270-20

    • Installing and Removing Interface Cards, page 4-41 • Installing and Removing the Power Supply, page 4-44 • Installing and Removing Fans, page 4-49 • Troubleshooting Loose Connections, page 4-51
  • Page 94: Introducing The Ips 4270-20

    The BIOS on the IPS 4270-20 is specific to the IPS 4270-20 and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on the IPS 4270-20 voids the warranty.
  • Page 95: Supported Interface Cards

    The IPS 4270-20 operates in load-sharing mode when the redundant power supply is installed. For More Information • For more information on how to obtain instructions and BIOS files from the Cisco website, see Obtaining Cisco IPS Software, page 11-1. • For more information on sensor interfaces, see Sensor Interfaces, page 1-4.
  • Page 96 10GE fiber interfaces. The card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the IPS 4270-20. The 10GE interface card does not support hardware bypass.
  • Page 97: Hardware Bypass

    Note: To disable hardware bypass, pair the interfaces in any other combination, for example 2/0<->2/2 and 2/1<->2/3. Hardware bypass complements the existing software bypass feature in Cisco IPS. The following conditions apply to hardware bypass and software bypass: • When bypass is set to OFF, software bypass is not active.
  • Page 98: Hardware Bypass Configuration Restrictions

  • Page 99: Hardware Bypass And Link Changes And Drops

    This section describes the IPS 4270-20 front and back panel features and indicators. Figure 4-5 shows the front view of the IPS 4270-20. Figure 4-5 IPS 4270-20 Front View Switches/Indicators Cisco IPS 4270 SERIES Intrusion Prevention Sensor
  • Page 100 • Off—Power supply off MGMT0/0 indicator Indicates the status of the management port: • Green—Linked to network • Flashing green—Linked with activity on the network • Off—No network connection
  • Page 101 2 expansion slots PCI-E x4 PCI-E x8 PCI-E x4 PCI-E x8 PCI-E x4 PCI-X 100 MHz Reserved Future Use CONSOLE MGMT0/0 Management0/0 Reserved Reserved Console port
  • Page 102 Table 4-2 Ethernet Port Indicators Indicator Indicator (Green) Description Activity On or flashing Network activity No network activity Link Linked to network Not linked to network
  • Page 103: Diagnostic Panel

    Diagnostic Panel. Figure 4-9 Diagnostic Panel INTERLOCK POWER ERROR FAULT CPU BD FAN4 FAN6 MEMORY MEMORY FAN3 FAN5 PROC2 PROC1 FAN2 FAN1 PROC4 PROC3
  • Page 104 For the location of the Diagnostic Panel in the IPS 4270-20 chassis, see Figure 4-10 on page 4-13. For information on how to access the Diagnostic Panel, see Accessing the Diagnostic Panel, page 4-41.
  • Page 105: Internal Components

    Internal Components. Figure 4-10: IPS 4270-20 Internal Components (callouts: power supplies, sensing interface expansion slots, cooling fans, diagnostic panel)
  • Page 106: Specifications

    1. At sea level with an altitude derating of 1.8 F per every 1000 ft (1.0 C per every 3.0m) above sea level to a maximum of 10,000 ft (3050 m). No direct sustained sunlight.
  • Page 107: Accessories

    • DB-9/RJ-45 console cable • Two Ethernet RJ-45 cables • Regulatory Compliance and Safety Information for the Cisco Intrusion Detection and Prevention System 4200 Series Appliance Sensor • Documentation Roadmap for Cisco Intrusion Prevention System. Installing the Rail System Kit: You can install the IPS 4270-20 in a 4-post rack.
  • Page 108: Rail System Kit Contents

  • Page 109: Installing The Ips 4270-20 In The Rack

    Note: The tapered end of the chassis side rail should be at the back of the IPS 4270-20. The chassis side rail is held in place by the inner latch. Step 2: Repeat Step 1 for each chassis side rail.
  • Page 110 Step 3: To remove the chassis side rail, lift the latch, and slide the rail forward.
  • Page 111 Step 4: If you are installing the IPS 4270-20 in a shallow rack, one that is less than 28.5 in. (72.39 cm), remove the screw from the inside of the slide assembly before continuing with Step 5.
  • Page 112 Repeat for each slide assembly. Make sure the slide assemblies line up with each other in the rack. Lift the spring latch to release the slide assembly if you need to reposition it.
  • Page 113 Remove the eight round- or square-hole studs on each slide assembly using a standard screwdriver. Note: You may need a pair of pliers to hold the retaining nut.
  • Page 114 Line up the bracket on the slide assembly with the rack holes, install two screws (top and bottom) on each end of the slide assembly. Repeat for each slide assembly.
  • Page 115 Step 6: Extend the slide assemblies out of the rack.
  • Page 116 Step 8: If you are using the cable management arm, install it before you connect and route any cables. Note: You may also need longer cables when the arm is installed (an extra length of around 3 feet is required).
  • Page 117: Extending The Ips 4270-20 From The Rack

    Otherwise, you risk damage to the cables and a possible shock hazard if the power cables get caught between the chassis and the rack.
  • Page 118 Step 2: After performing the installation or maintenance procedure, slide the IPS 4270-20 in to the rack by pressing the rail-release latches.
  • Page 119 IPS 4270-20, push the release tab in the middle of the slide assembly forward, and pull the IPS 4270-20 from the rack.
  • Page 120: Installing The Cable Management Arm

  • Page 121 Note: When properly installed, the cable management arm is attached to the IPS 4270-20 and the rack rail.
  • Page 122 Caution: Do not use the straps and zip ties to tie the two parts of the cable management arm together.
  • Page 123: Converting The Cable Management Arm

    Note: The cable management arm is designed for ambidextrous use. You can convert the cable management arm from a left-hand swing to a right-hand swing. Note: Make sure to orient the management arm with the cable trough facing upward.
  • Page 124 To convert the cable management arm swing, follow these steps: Step 1: Pull up the spring pin and slide the bracket off the cable management arm.
  • Page 125 Step 2: Remove the bottom sliding bracket and flip it over to the top of the bracket aligning the studs.
  • Page 126 Step 3: On the other side of the sliding bracket, align the spring pin with the studs and key holes, and slide until the pin snaps in to place. Note: The sliding bracket only fits one way because the hole for the spring pin is offset.
  • Page 127: Installing The Ips 4270-20

    Installing the IPS 4270-20. Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. Warning: IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger.
  • Page 128 GigabitEthernetslot_number/port_number through GigabitEthernetslot_number/port_number are the expansion ports. Caution: Management and console ports are privileged administrative ports. Connecting them to an untrusted network can create security concerns.
  • Page 129 Step 7: Power on the IPS 4270-20. Step 8: Initialize the IPS 4270-20. Step 9: Upgrade the IPS 4270-20 with the most recent Cisco IPS software. You are now ready to configure intrusion prevention on the IPS 4270-20. For More Information...
  • Page 130: Removing And Replacing The Chassis Cover

    Warning: This unit might have more than one power supply connection. All connections must be removed to de-energize the unit. Statement 1028. Note: Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4270-20 does not require any special tools and does not create any radio frequency leaks.
  • Page 131 Step 8: Lift up the cover latch on the top of the chassis.
  • Page 132 Installing the IPS 4270-20, page 4-35. If you are reinstalling the IPS 4270-20 in a rack, see Installing the Rail System Kit, page 4-15.
  • Page 133: Accessing The Diagnostic Panel

    Installing and Removing Interface Cards. Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. The IPS 4270-20 has nine expansion card slots. Slots 1 and 2 are PCI-X slots and are reserved for future use.
  • Page 134: Installing And Removing Interface Cards

    Step 5: If rack-mounted, extend the IPS 4270-20 from the rack. Step 6: Make sure the IPS 4270-20 is in an ESD-controlled environment. Step 7: Remove the chassis cover.
  • Page 135 Step 11: Slide the server back in to the rack by pressing the server rail-release handles. Step 12: Reconnect the power cables to the IPS 4270-20. Step 13: Power on the IPS 4270-20.
  • Page 136: Installing And Removing The Power Supply

    Installing and Removing the Power Supply. Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. The IPS 4270-20 ships with two hot-pluggable power supplies, thus providing a redundant power supply configuration.
  • Page 137
  • Page 138 Step 6: Remove the power supply by pulling it away from the chassis.
  • Page 139
  • Page 140 IME procedure for powering down the IPS 4270-20, refer to Rebooting the Sensor. For an illustration of the screwdriver and where it is located, see Figure 4-7 on page 4-9.
  • Page 141: Installing And Removing Fans

    Step 3: Identify the failed fan by locating an amber indicator on top of the failed fan or a lighted FAN X indicator on the Diagnostic Panel.
  • Page 142 For more information about the Diagnostic Panel, see Diagnostic Panel, page 4-11. For the procedure for removing the chassis cover, see Removing and Replacing the Chassis Cover, page 4-38.
  • Page 143: Troubleshooting Loose Connections

    • Check any interlock or interconnect indicators that indicate a component is not connected properly. • If problems continue, remove and reinstall each device, checking the connectors and sockets for bent pins or other damage.
  • Page 144
  • Page 145: Specifications

    –40° to +185°F (–40° to +85°C); Humidity: 5% to 95% noncondensing; Operating altitude: 0 to 10,000 ft (0 to 3,000 m); Memory: 1 GB; eUSB: 512 MB
  • Page 146: Before Installing The Aim Ips

    The router and the AIM IPS have the following software and hardware requirements: • The router must be running Cisco IOS release 12.4(15)XY or 12.4(20)T or later. Note: Use the show version command in the router CLI to determine which Cisco IOS release your router is running.
  • Page 147: Interoperability With Other Ips Modules

    You cannot upgrade an NM CIDS to an NME IPS. Caution The Cisco access routers only support one IDS/IPS module per router. If you have more than one IDS/IPS module installed, the most capable card is enabled. The most capable hierarchy is:...
  • Page 148: Hardware Interfaces

    You need two IP addresses to configure the AIM IPS. The AIM IPS has a command and control IP address that you configure through the Cisco IPS CLI. You also assign an IP address to the router for its internal interface (IDS-Sensor 0/x) to the AIM IPS. This IP address belongs to the router itself and is used for routing traffic to the command and control interface of the AIM IPS.
  • Page 149: Installation And Removal Instructions

    For instructions on how to install and remove the AIM IPS, refer to the following documents: • Cisco 1800 Series Hardware Installation Guide (Modular) For instructions, refer to “Installing and Upgrading Internal Modules in Cisco 1800 Series Routers (Modular).” •...
  • Page 150: Verifying Installation

    NAME: "3825 chassis", DESCR: "3825 chassis" PID: CISCO3825 , VID: V01 , SN: FTX1009C3KT NAME: "Cisco Intrusion Prevention System AIM in AIM slot: 1", DESCR: "Cisco Intrusion Prevention" PID: AIM IPS-K9 , VID: V01 , SN: FOC11372M9X router#
  • Page 151: Specifications

    Nonoperating temperature: –40° to +167°F (–40° to +75°C); Humidity: 10% to 90%, noncondensing. 1. 2.70 lb for 45 c heatsink, approximately 3.00 lb for the 55c maximum
  • Page 152: Memory Specifications

    Table 6-3 AIP SSM Indicators Color State Description Green The system has power. STATUS Green Flashing The system is booting. Solid The system has passed power-up diagnostics.
  • Page 153: Installation And Removal Instructions

    Note: Store the slot cover in a safe place for future use. You must install slot covers on all empty slots. This prevents EMI, which can disrupt other equipment.
  • Page 154: Verifying The Status Of The Aip Ssm

    • Unresponsive—The system encountered an error communicating with the AIP SSM. • Reloading—The AIP SSM is reloading. • Shutting Down—The AIP SSM is shutting down.
  • Page 155: Removing The Aip Ssm

    Step 8: If you need to replace the existing AIP SSM, insert the new AIP SSM through the slot opening. Note: Do not replace the AIP SSM with a different model. The adaptive security appliance will not recognize it.
  • Page 156 Working in an ESD Environment, page 1-32. For the procedure for verifying whether the AIP SSM is properly installed, see Verifying the Status of the AIP SSM, page 6-4.
  • Page 157: Specifications

    Minimum: 3 lb (1.36 kg); Maximum: 5 lb (2.27 kg); Operating temperature: +32° to +104°F (+0° to +40°C); Nonoperating temperature: –40° to +167°F (–40° to +75°C); Humidity: 10% to 90%, noncondensing
  • Page 158: Software And Hardware Requirements

    • Cisco IOS software release 12.2(14)SY with Supervisor Engine 2 with MSFC2 • Cisco IOS software release 12.1(19)E or later with Supervisor Engine 2 with MSFC2 • Cisco IOS software release 12.1(19)E1 or later with Supervisor Engine 1A with MSFC2 •...
  • Page 159: Using The Tcp Reset Interface

    VLAN, and the reset port must trunk all the VLANs being trunked by both the sensing ports. Note: In Cisco IOS when the IDSM2 is in promiscuous mode, the IDSM2 ports are always dot1q trunk ports (even when monitoring only 1 VLAN), and the TCP reset port is automatically set to a trunk port and is not configurable.
  • Page 160: Installation And Removal Instructions

    For more information about supervisor engines, refer to the Catalyst 6500 Series Switch Installation Guide. For more information on handling ESD, see Working in an ESD Environment, page 1-32.
  • Page 161: Slot Assignments

    Refer to your switch documentation for information about which slots are reserved for the supervisor engine or other modules. Step 3: Remove the installation screws (use a screwdriver, if necessary) that secure the filler plate to the desired slot.
  • Page 162 Step 5: Hold the IDSM2 with one hand, and place your other hand under the IDSM2 carrier to support it. Caution: Do not touch the printed circuit boards or connector pins on the IDSM2.
  • Page 163 Step 8: Using the thumb and forefinger of each hand, simultaneously pivot in both ejector levers to fully seat the IDSM2 in the backplane connector.
  • Page 164 Installing and Using Cisco Intrusion Prevention System Device Manager 7.0; Installing and Using Cisco Intrusion Prevention System Manager Express 7.0; Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface
  • Page 165: Verifying Installation

    48 port 10/100 mb RJ-45 ethernet WS-X6248-RJ-45 SAD0401012S 48 port 10/100 mb RJ45 WS-X6348-RJ-45 SAL04483QBL SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX SAD073906GH SFM-capable 16 port 1000mb GBIC WS-X6516A-GBIC SAL0740MMYJ
  • Page 166: Removing The Idsm2

    Warning: During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not touch the backplane with your hand or any metal tool, or you could shock yourself.
  • Page 167 Step 8: If the slot is to remain empty, install a filler plate (part number 800-00292-01) to keep dust out of the chassis and to maintain proper airflow through the module compartment.
  • Page 168: Enabling Full Memory Tests

    When the IDSM2 initially boots, by default it runs a partial memory test. You can enable a full memory test in Catalyst software and Cisco IOS software. This section describes how to enable memory tests, and contains the following topics: Catalyst Software, page 7-12 •...
  • Page 169: Cisco Ios Software

    Catalyst Software. To reset the IDSM2 from the CLI, follow these steps: Step 1: Log in to the console. Step 2: Enter privileged mode. console> enable
  • Page 170: Cisco Ios Software

    8 reset Device BOOT variable for reset = Warning: Device list is not verified. Proceed with reload of module? [confirm] % reset issued for module 8 router#
  • Page 171: Powering The Idsm2 Up And Down

    Step 3: Power up the IDSM2. console> (enable) set module power up module_number Step 4: Power down the IDSM2. console> (enable) set module power down module_number
  • Page 172: Cisco Ios Software

    Step 3: Power up the IDSM2. router(config)# power enable module module_number Step 4: Power down the IDSM2. router(config)# no power enable module module_number
  • Page 173: Specifications

    –40° to +185°F (–40° to +85°C); Humidity: 5% to 95% noncondensing; Operating altitude: 0 to 10,000 ft (0 to 3,000 m); Memory: 2 GB; eUSB: 512 MB
  • Page 174: Before Installing The Nme Ips

    The router and the NME IPS have the following software and hardware requirements: • The router must be running Cisco IOS release 12.4(20)YA or 12.4(22)T or later. Note: Use the show version command in the router CLI to determine which Cisco IOS release your router is running.
  • Page 175: Interoperability With Other Ips Modules

    You cannot upgrade an NM CIDS to an NME IPS. Caution The Cisco access routers only support one IDS/IPS module per router. If you have more than one IDS/IPS module installed, the most capable card is enabled. The most capable hierarchy is:...
  • Page 176: Hardware Interfaces

    Figure 8-1 shows the router and the NME IPS interfaces used for internal and external communication. You can configure the router interfaces through the Cisco IOS CLI and the NME IPS interfaces through the IPS CLI, IDM, IME, or CSM.
  • Page 177: Installation And Removal Instructions

    For the procedure for using the setup command to initialize the NME IPS, see Initializing the Sensor, page 10-1. For more information about obtaining the most recent Cisco IPS software, see Obtaining Cisco IPS Software, page 11-1. For the procedure to configure the NME IPS to receive IPS traffic, refer to Setting Up Interfaces on...
  • Page 178: Verifying Installation

    , VID: V01 , SN: FOC10164DAR NAME: "1000BASE-T SFP", DESCR: "1000BASE-T SFP" PID: SP7041 , VID: C , SN: 00000MTC101608RB NAME: "Cisco Intrusion Prevention System NM on Slot 2", DESCR: "Cisco Intrusion Prevention System NM" PID: NME IPS-K9 , VID: V01, SN: FHH1117001R router#
  • Page 179: Supported User Roles

    This account is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be re-imaged to guarantee proper operation. **********************************************************************************
  • Page 180: Logging In To The Appliance

    Note administrator privileges can edit the service account. Note: For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor.
  • Page 181: Connecting An Appliance To A Terminal Server

    You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps: Connect to a terminal server using one of the following methods:...
  • Page 182: Logging In To The Aim Ips

    AIM IPS, in which you can issue any IPS configuration commands. After completing work in the session and exiting the IPS CLI, you are returned to the Cisco IOS CLI. The session command starts a reverse Telnet connection using the IP address of the IDS-Sensor interface.
  • Page 183: Sessioning In To The Aim Ips

    Mgmt TLS enabled: true router# Step 3 Open a session from the router to the AIM IPS. router# service-module ids-sensor 0/1 session Trying 10.89.148.196, 2322 ... Open
  • Page 184: Logging In To Aip Ssm

    Step 1: Log in to the adaptive security appliance. Note: If the adaptive security appliance is operating in multi-mode, use the change system command to get to the system level prompt before continuing.
  • Page 185 If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com.
  • Page 186: Logging In To The Idsm2

    Note: The default username and password are both cisco. You are prompted to change them the first time you log in to the IDSM2. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
  • Page 187: Logging In To The Nme Ips

    NME IPS, in which you can issue any IPS configuration commands. After completing work in the session and exiting the IPS CLI, you are returned to the Cisco IOS CLI. The session command starts a reverse Telnet connection using the IP address of the IDS-Sensor interface.
  • Page 188: Sessioning In To The Nme Ips

    Mgmt TLS enabled: true router# Step 3 Open a session from the router to the NME IPS. router# service-module ids-sensor 1/0 session Trying 10.89.148.195, 2322 ... Open
  • Page 189: Logging In To The Sensor

    Step 1: Log in to the sensor over the network using SSH or Telnet. ssh sensor_ip_address telnet sensor_ip_address Step 2: Enter your username and password at the login prompt. login: ****** Password: ****** ***NOTICE***
  • Page 190 If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com.
  • Page 191: Understanding Initialization

    • If you have recovered or downgraded the sensor. • If you have set the host configuration to default after successfully configuring the sensor using automatic setup.
  • Page 192: System Configuration Dialog

    User ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'. Current time: Thu Jan 15 21:19:51 2009 Setup Configuration last modified: Enter host name[sensor]: Enter IP interface[192.168.1.2/24,192.168.1.1]:
  • Page 193 If you agree to participate in the SensorBase Network, Cisco will collect aggregated statistics about traffic sent to your IPS. This includes summary data on the Cisco IPS network traffic properties and how this traffic was handled by the Cisco appliances.
  • Page 194: Basic Sensor Setup

    DNS server, and then enter the DNS server IP address. Enter to add an HTTP proxy server, and then enter the HTTP proxy server IP address and port number.
  • Page 195 Specify the standard time zone offset. Specify the standard time zone offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian). The default is 0.
  • Page 196 02:00:00 exit exit ntp-option enabled ntp-keys 1 md5-key 8675309 ntp-servers 10.89.143.92 key-id 1 exit service global-correlation network-participation full exit
  • Page 197: Advanced Setup

    Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface – Advanced Setup This section describes how to continue with advanced setup in the CLI for the various Cisco IPS platforms. It contains the following sections: Advanced Setup for the Appliance, page 10-8 •...
  • Page 198: Advanced Setup For The Appliance

    Virtual Sensor: vs2 Anomaly Detection: ad0 Event Action Rules: rules0 Signature Definitions: sig0 [1] Edit Interface Configuration [2] Edit Virtual Sensor Configuration [3] Display configuration Option:
  • Page 199 Note: At this point, you can configure another interface, for example, GigabitEthernet0/1, for inline VLAN pair. Step 13: Press Enter to return to the top-level interface editing menu. [1] Remove interface configurations.
  • Page 200 No Interfaces to remove. Unassigned: Promiscuous: [1] GigabitEthernet0/3 [2] GigabitEthernet0/0 Inline Vlan Pair: [3] GigabitEthernet0/0:1 (Vlans: 200, 300) Inline Interface Pair: [4] newPair (GigabitEthernet0/1, GigabitEthernet0/2) Add Interface:
  • Page 201 300 no login-banner-text exit time-zone-settings offset 0 standard-time-zone-name UTC exit summertime-option disabled ntp-option disabled exit service web-server port 342 exit service interface
  • Page 202 [1] Return back to the setup without saving this config. [2] Save this configuration and exit setup. Step 27 Enter to save the configuration. Enter your selection[2]: 2 Configuration Saved.
  • Page 203: Advanced Setup For The Aim Ips

    – Installing and Using Cisco Intrusion Prevention System Manager Express 7.0 – Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface – Advanced Setup for the AIM IPS To continue with advanced setup for the AIM IPS, follow these steps: Step 1 Session in to the AIM IPS using an account with administrator privileges.
  • Page 204 Press Enter to exit the interface and virtual sensor configuration menu. Step 10 Modify default threat prevention settings?[no]: Enter if you want to modify the default threat prevention settings. Step 11...
  • Page 205 AIM IPS# reset Warning: Executing this command will stop all applications and reboot the node. Continue with reset? []: Enter to continue the reboot. Step 15...
  • Page 206: Advanced Setup For The Aip Ssm

    – Installing and Using Cisco Intrusion Prevention System Manager Express 7.0 – Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface – Advanced Setup for the AIP SSM To continue with advanced setup for the AIP SSM, follow these steps: Session in to the AIP SSM using an account with administrator privileges.
  • Page 207 Press Enter to return to the main virtual sensor menu. Step 12 Enter to create a virtual sensor. Step 13 Name[]: Step 14 Enter a name and description for your virtual sensor. Name[]: newVs...
  • Page 208 Press Enter to exit the interface and virtual sensor configuration menu. Modify default threat prevention settings?[no]: Enter if you want to modify the default threat prevention settings. Step 20...
  • Page 209 [2] Save this configuration and exit setup. Enter to save the configuration. Step 22 Enter your selection[2]: 2 Configuration Saved. Reboot the AIP SSM. Step 23...
  • Page 210: Advanced Setup For The Idsm2

    – Installing and Using Cisco Intrusion Prevention System Manager Express 7.0 – Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface – Advanced Setup for the IDSM2 To continue with advanced setup for the IDSM2, follow these steps: Step 1 Session in to the IDSM2 using an account with administrator privileges.
  • Page 211 Select vlans: [1] All unassigned vlans. [2] Enter vlans range. Option: Enter to assign all unassigned VLANs to subinterface 10. Subinterface Number: Enter to add subinterface 9...
  • Page 212 (Vlans: 1-100) Add Interface: Step 15 Press Enter to return to the top-level virtual sensor configuration menu. Virtual Sensor: vs0 Anomaly Detection: ad0 Event Action Rules: rules0...
  • Page 213 9 description Created via setup by user asmith vlans range 1-100 exit subinterface 10 description Created via setup by user asmith vlans unassigned exit exit...
  • Page 214 Installing and Using Cisco Intrusion Prevention System Device Manager 7.0 – Installing and Using Cisco Intrusion Prevention System Manager Express 7.0 – Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface...
  • Page 215: Advanced Setup For The Nme Ips

    Signature Definitions: sig0 [1] Edit Interface Configuration [2] Edit Virtual Sensor Configuration [3] Display configuration Option: Enter to edit the virtual sensor vs0 configuration. Step 8...
  • Page 216 192.168.1.2/24,192.168.1.1 host-name NME IPS telnet-option enabled access-list 10.0.0.0/8 access-list 64.0.0.0/8 ftp-timeout 300 no login-banner-text exit time-zone-settings offset 0 standard-time-zone-name UTC exit summertime-option disabled ntp-option disabled...
  • Page 217 Installing and Using Cisco Intrusion Prevention System Device Manager 7.0 – Installing and Using Cisco Intrusion Prevention System Manager Express 7.0 – Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface...
  • Page 218: Verifying Initialization

    -480 standard-time-zone-name PST exit exit ! ------------------------------ service logger exit ! ------------------------------ service network-access exit ! ------------------------------ service notification exit ! ------------------------------ service signature-definition sig0 exit...
  • Page 219 For More Information For the procedure for using HTTPS to log in to IDM, refer to Logging In to IDM...
  • Page 220 Chapter 10 Initializing the Sensor Verifying Initialization...
  • Page 221: Chapter 11 Obtaining Software

    • Obtaining a License Key From Cisco.com, page 11-10 Caution: The BIOS on Cisco IPS sensors is specific to Cisco IPS sensors and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on Cisco IPS sensors voids the warranty.
  • Page 222: Ips Software Versioning

    Verify that it is the correct file, and click Download. Step 10 Click Agree to accept the software download rules. The first time you download a file from Cisco.com, you must fill in the Encryption Software Export Distribution Authorization form before you can download the software.
  • Page 223 Note: Upgrading to a newer patch does not require you to uninstall the old patch. For example, you can upgrade from patch 7.0(1p1) to 7.0(1p2) without first uninstalling 7.0(1p1)...
  • Page 224 Figure 11-2 IPS Software File Name for Signature/Virus Updates, IPS-[sig]-[S]-req-E1.pkg Product line designator Package type Signature update Software version requirement designator Required engine version File extension...
  • Page 225 IPS Software File Name for Recovery and System Image Files IPS-K9-[mfq,sys,r,]-x.y-a- .img or pkg Product line/platform designator Strong crypto designator Package type Installer major version Installer minor version Application version designator Application version File extension...
  • Page 226: Software Release Examples

    Software Release Examples Table 11-1 lists platform-independent Cisco IPS 7.x software release examples. Refer to the Readmes that accompany the software files for detailed instructions on how to install the files. Table 11-1 Platform-Independent Release Examples...
  • Page 227: Upgrading Cisco Ips Software To 7.0

    (IPS-AIM-K9-7.0-1-E3.pkg), and the NME IPS upgrade file (IPS-NME-K9-7.0-1-E3) on the automatic update server so that the AIM IPS and the NME IPS can correctly detect which file...
  • Page 228 Installing the IDSM2 System Image, page 12-28. • For the procedure for restoring the NME IPS system image, see Installing the NME IPS System Image, page 12-40...
  • Page 229: Accessing Ips Documentation

    Step 4 Choose Products > Security > Intrusion Prevention System (IPS) > IPS Appliances > Cisco IPS 4200 Series Sensors. The Cisco IPS 4200 Series Sensors page appears. All of the most up-to-date IPS documentation is on this page. Note Although you will see references to other IPS documentation sites on Cisco.com, this is the site...
  • Page 230: Obtaining A License Key From Cisco.com

    You can search for security alerts and signatures at this URL: http://tools.cisco.com/security/center/search.x Obtaining a License Key From Cisco.com This section describes how to obtain a license key from Cisco.com and how to install it using the CLI, IDM, or IME. It contains the following topics: Understanding Licensing, page 11-10 •...
  • Page 231: Service Programs For Ips Products

    Service Programs for IPS Products You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract.
  • Page 232 • Click the Cisco.com radio button to obtain the license from Cisco.com. IDM or IME contacts the license server on Cisco.com and sends the server the serial number to obtain the license key. This is the default method. Go to Step 4.
  • Page 233: Obtaining And Installing The License Key Using The Cli

    Note: In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key. Step 2 Fill in the required fields. Your Cisco IPS Signature Subscription Service license key will be sent by e-mail to the e-mail address you specified.
  • Page 234 Copy your license key from a sensor to a server to keep a backup copy of the license. Step 7 sensor# copy license-key scp://user@10.89.147.3://tftpboot/dev.lic Password: ******* sensor#...
  • Page 235 • Hosts, for IME refer to Adding Trusted Hosts, and for the CLI refer to Adding TLS Trusted Hosts • For more information about obtaining a Cisco Services for IPS service contract, see Service Programs for IPS Products, page 11-11.
  • Page 236 Chapter 11 Obtaining Software Obtaining a License Key From Cisco.com...
  • Page 237: Chapter 12 Upgrading, Downgrading, And Installing System Images

    Caution: You cannot use the downgrade command to revert to a previous major or minor version, for example, from Cisco IPS 7.0 to 6.2. You can only use the downgrade command to downgrade from the latest signature update or signature engine update. To revert to 6.2, you must reimage the sensor.
  • Page 238: Supported Ftp And Http/Https Servers

    IPS 7.0 Upgrade Files The following files are part of Cisco IPS 7.0(1)E3: • Readme – IPS-7.0-1-E3.readme.txt • Major Version Upgrade File – IPS-K9-7.0-1-E3.pkg – IPS-AIM-K9-7.0-1-E3.pkg – IPS-NME-K9-7.0-1-E3.pkg...
  • Page 239: Upgrade Command And Options

    You are prompted for a password. Note – http:—Source URL for the web server. The syntax for this prefix is: http:[[//username@] location]/directory] filename...
  • Page 240: Using The Upgrade Command

    Note Using the upgrade Command Caution You must log in to Cisco.com using an account with cryptographic privileges to download software. The first time you download software on Cisco.com, you receive instructions for setting up an account with cryptographic privileges.
  • Page 241: Upgrading The Recovery Partition

    For a list of supported FTP and HTTP/HTTPS servers, see Supported FTP and HTTP/HTTPS Servers, page 12-2. • For the procedure for locating software on Cisco.com and obtaining an account with cryptographic privileges, see Obtaining Cisco IPS Software, page 11-1. •...
  • Page 242: Configuring Automatic Upgrades

    • Upgrade schedule • You must download the software upgrade from Cisco.com and copy it to the upgrade directory before the sensor can poll for automatic upgrades...
  • Page 243: Auto-Upgrade Command And Options

    Cisco.com. cisco-url—The Cisco server locator service. • You do not need to change this unless the www.cisco.com IP address changes. default— Sets the value back to the system default setting. • directory— Directory where upgrade files are located on the file server.
  • Page 244: Using The Auto-Upgrade Command

    198.133.219.243 port 80 to download the chosen package from a Cisco file server. The IP address may change for the Cisco file server, but you can find it in the lastDownloadAttempt section in the output of the show statistics host command.
  • Page 245 Step 8 Exit automatic upgrade submode. sensor(config-hos-ena)# exit sensor(config-hos)# exit Apply Changes:?[yes]: Press Enter to apply the changes or type to discard them. Step 9...
  • Page 246: Automatic Upgrade Examples

    IPS-engine-E11-req-6.0-1.pkg • IPS-sig-S305-req-E11.pkg • IPS-sig-S307-req-E11.pkg • Case 4 IPS-engine-E11-req-5.1-6.pkg Cycle 1 installs IPS-engine-E11-req-5.1-6.pkg. • • 5.1(6) E10 S300 New version is 5.1(6) E11 S300. IPS-sig-S301-req-E10.pkg •...
  • Page 247: Downgrading The Sensor

    You cannot use the downgrade command to revert to a previous major or minor version, for example, from Cisco IPS 7.0 to 6.2. You can only use the downgrade command to downgrade from the latest signature update or signature engine update. To revert to 6.2, you must reimage the sensor.
  • Page 248: Recovering The Application Partition

    Log in to the CLI using an account with administrator privileges. Enter configuration mode. Step 3 sensor# configure terminal Recover the application partition image. Step 4 sensor(config)# recover application-partition...
  • Page 249: Installing System Images

    SSH to the sensor with the default username and password (cisco/cisco) and then initialize the sensor again with the setup command. You cannot use Telnet until you initialize the sensor because Telnet is disabled by default.
  • Page 250: Understanding Rommon

    You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps: Connect to a terminal server using one of the following methods:...
  • Page 251: Installing The Ips 4240 And Ips 4255 System Images

    Note: Make sure you can access the TFTP server location from the network connected to the Ethernet port of your IPS 4240. Boot the IPS 4240. Step 2 Booting system, please wait... CISCO SYSTEMS Embedded BIOS Version 1.0(5)0 09/14/04 12:23:35.90...
  • Page 252 1209 Ethernet Evaluating BIOS Options ... Launch BIOS Extension to setup ROMMON Cisco Systems ROMMON Version (1.0(5)0) #1: Tue Sep 14 12:20:30 PDT 2004 Platform IPS 4240-K9 Management0/0 MAC Address: 0000.c0ff.ee01 Step 3 Press Break or Esc at the following prompt while the system is booting to interrupt boot. Press the spacebar to begin boot immediately.
  • Page 253 Caution: Make sure that you enter the IMAGE command in all uppercase. You can enter the other ROMMON commands in either lower case or upper case, but the IMAGE command specifically must be all uppercase...
  • Page 254: Installing The Ips 4260 System Image

    TFTP server that is accessible from your IPS 4260. Make sure you can access the TFTP server location from the network connected to your IPS 4260 Ethernet port. Boot the IPS 4260. Step 2...
  • Page 255 Evaluating Run Options... You have five seconds to press Ctrl-R. Note Assuming IPS 4260-K9 Platform 2 Ethernet Interfaces detected Cisco Systems ROMMON Version (1.0(11)1c) #26: Mon Mar 13 18:05:54 CST 2006 Platform IPS 4260-K9 Management0/0 Link is UP MAC Address: 0004.23cc.6047 Use ? for help.
  • Page 256: Installing The Ips 4270-20 System Image

    Boot the IPS 4270-20. Step 2 Booting system, please wait... Cisco Systems ROMMON Version (1.0(12)10) #7: Thu Jun 21 13:50:04 CDT 2007 ft_id_update: Invalid ID-PROM Controller Type (0x5df) ft_id_update: Defaulting to Controller Type (0x5c2) The controller type errors are a known issue and can be disregarded.
  • Page 257 Use the same IP address that is assigned to the IPS 4270-20. Note If necessary, assign the TFTP server IP address. Step 6 rommon> SERVER=ip_address If necessary, assign the gateway IP address. Step 7 rommon> GATEWAY=ip_address...
  • Page 258 • For a list of supported TFTP servers, see Supported TFTP Servers, page 12-14. • For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 11-1...
  • Page 259: Installing The Aim Ips System Image

    Press Enter to session back to the AIM IPS. Step 9 Configure the bootloader. Step 10 ServicesEngine bootloader> config IP Address [10.89.148.188]> Subnet mask [255.255.255.0]> TFTP server [10.89.150.74]> Gateway [10.89.148.254]>...
  • Page 260 - Exit and reset card x - Exit Selection [123rx] Download recovery image via tftp and install on USB Drive TFTP server [10.1.9.1]> full pathname of recovery image []:IPS-AIM-K9-sys-1.1-7.0-1-E3.img...
  • Page 261: Installing The Aip Ssm System Image

    This section describes how to install the AIP SSM system image, and contains the following topics: • Reimaging the AIP SSM, page 12-26 • Reimaging the AIP SSM Using the recover configure/boot Command, page 12-26...
  • Page 262: Reimaging The Aip Ssm

    Specify the TFTP URL for the system image. Step 4 Image URL [tftp://0.0.0.0/]: Example...
  • Page 263 AIP SSM, the Status field in the output reads “Recover.” When the adaptive security appliance completes the image transfer and restarts the AIP SSM, the newly transferred image is running...
  • Page 264: Installing The Idsm2 System Image

    Step 1 Download the IDSM2 system image file (IPS-IDSM2-K9-sys-1.1-a-7.0-1-E3.bin.gz) to the FTP root directory of an FTP server that is accessible from your IDSM2. Log in to the switch CLI. Step 2...
  • Page 265 Step 1 Download the IDSM2 system image file (IPS-IDSM2-K9-sys-1.1-a-7.0-1-E3.bin.gz) to the FTP root directory of an FTP server that is accessible from your IDSM2. Log in to the switch CLI. Step 2...
  • Page 266 • For a list of supported FTP and HTTP/HTTPS servers, see Supported FTP and HTTP/HTTPS Servers, page 12-2. • For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 11-1...
  • Page 267: Configuring The Idsm2 Maintenance Partition For Catalyst Software

    Step 6 guest@idsm2.localdomain# show ip IP address : 10.89.149.74 Subnet Mask : 255.255.255.128 IP Broadcast : 10.255.255.255 DNS Name : idsm2.localdomain Default Gateway : 10.89.149.126 Nameserver(s) guest@idsm2.localdomain#...
  • Page 268 BIOS Vendor: Phoenix Technologies Ltd. BIOS Version: 4.0-Rel 6.0.9 Total available memory: 2012 MB Size of compact flash: 61 MB Size of hard disk: 19077 MB...
  • Page 269 Fri Mar 11 21:22:13 2005 : Device '/dev/hdc' verified for OK. Fri Mar 11 21:22:19 2005 : Created ext2 fileSystem on '/dev/hdc1'. Fri Mar 11 21:22:19 2005 : Directory '/mnt/hd/' created...
  • Page 270 The system is going down for system halt NOW !! console> (enable)# For More Information For a list of supported FTP and HTTP/HTTPS servers, see Supported FTP and HTTP/HTTPS Servers, page 12-2...
  • Page 271: Configuring The Idsm2 Maintenance Partition For Cisco Ios Software

    IP address : 0.0.0.0 Subnet Mask : 0.0.0.0 IP Broadcast : 0.0.0.0 DNS Name : localhost.localdomain Default Gateway : 0.0.0.0 Nameserver(s) guest@localhost.localdomain#...
  • Page 272 Step 10 guest@idsm2.localdomain# upgrade ftp://jsmith@10.89.146.11//RELEASES/Latest/6.2-1/IPS-IDSM2-K9-sys-1.1-a-6.2-1-E3.img Downloading the image. This may take several minutes... Password for jsmith@10.89.146.114: 500 'SIZE IPS-IDSM2-K9-sys-1.1-a-6.2-1.bin.gz': command not understood. ftp://jsmith@10.89.146.11//RELEASES/Latest/6.1-1/IPS-IDSM2-K9-sys-1.1-a-6.2-1-E3.img (unknown size) /tmp/upgrade.gz 28616K...
  • Page 273 Application image upgrade complete. You can boot the image now. Partition upgraded successfully guest@idsm2.localdomain# Clear the upgrade log. Step 13 guest@idsm2.localdomain# clear log upgrade Cleared log file successfully...
  • Page 274: Upgrading The Idsm2 Maintenance Partition For Catalyst Software

    Session to the IDSM2 from the switch. Step 2 console>(enable) session slot_number Step 3 Log in to the IDSM2 CLI. Step 4 Enter configuration mode. idsm2# configure terminal...
  • Page 275: Upgrading The Idsm2 Maintenance Partition For Cisco Ios Software

    • For a list of supported FTP and HTTP/HTTPS servers, see Supported FTP and HTTP/HTTPS Servers, page 12-2. • For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 11-1...
  • Page 276: Installing The Nme Ips System Image

    Press Enter to session back to the NME IPS. Step 9 Configure the bootloader. Step 10 ServicesEngine bootloader> config IP Address [10.89.148.195]> Subnet mask [255.255.255.0]> TFTP server [10.89.150.74]> Gateway [10.89.148.254]>...
  • Page 277 1Gbs Half duplex, (port octeth0: Down 1Gbs Full duplex, (port octeth0: Up 1Gbs Full duplex, (port T T T T T T T T T ################################################################# #################################################################...
  • Page 278 From the router CLI, clear the session. router# service-module interface ids-sensor 1/0 session clear Step 15 Enable the heartbeat reset. router# service-module IDS-sensor 1/0 heartbeat-reset enable...
  • Page 279: Troubleshooting

    Bug Groups, and also create persistent Alert Agents that can feed those groups with new defect alerts. Note: You must be logged in to Cisco.com to access the Bug Toolkit...
  • Page 280: Preventive Maintenance

    Chapter A Troubleshooting Preventive Maintenance If you are a registered Cisco.com user, you can view the Bug Toolkit at this URL: http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs To become a registered cisco.com user, go to this URL: http://tools.cisco.com/RPF/register/register.do Preventive Maintenance This section describes how to perform preventive maintenance for your sensor, and contains the...
  • Page 281: Creating And Using A Backup Configuration File

    It can be a URL or keyword. • destination_url—The location of the destination file to be copied. It can be a URL or a keyword...
  • Page 282 Would you like to copy current-config to backup-config before proceeding? [yes]: Enter to copy the current configuration to a backup configuration. Step 3 100% |************************************************| 36124 00:00...
  • Page 283: Creating The Service Account

    Analyze your situation to decide if you want a service account existing on the system...
  • Page 284: Disaster Recovery

    Troubleshooting Disaster Recovery Note: For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor.
  • Page 285: Recovering The Password

    Recovering the Password When a disaster happens and you need to recover the sensor, try the following: Reimage the sensor. Log in to the sensor with the default user ID and password—cisco. Note: You are prompted to change the cisco password. Initialize the sensor.
  • Page 286: Understanding Password Recovery

    The IPS administrator can then recover user passwords for other accounts using the CLI. The cisco user password reverts to cisco and must be changed after the next login.
  • Page 287: Using Rommon

    Embedded BIOS Version 1.0(11)2 01/25/06 13:21:26.17 Evaluating BIOS Options... Launch BIOS Extension to setup ROMMON Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006 Platform IPS 4240-K9 Use BREAK or ESC to interrupt boot. Use SPACE to begin boot immediately.
  • Page 288: Recovering The Aim Ips Password

    You can then change the password. Recovering the AIP SSM Password You can reset the password to the default (cisco) for the AIP SSM using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.
  • Page 289 Note Use the hw-module module slot_number password-reset command to reset the password to the default cisco. If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed: ERROR: the module in slot <n> does not support password recovery.
  • Page 290 Note: This option does not appear in the menu if there is no IPS present. Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.
  • Page 291: Recovering The Idsm2 Password

    If it does not, enter the following command from the switch: hw-module module module_number reset hdd:1 Note: The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.
  • Page 292: Disabling Password Recovery

    Clear the password. Step 9 ServicesEngine boot-loader# clear password The NME IPS reboots. The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password. Disabling Password Recovery Caution: If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors or warnings;...
  • Page 293: Verifying The State Of Password Recovery

    will wipe out the contents on the storage media. You can ignore this message. Only the password is reset when you use the specified password recovery image...
  • Page 294: Time And The Sensor

    AIM IPS and the NME IPS. The time zone and summertime settings are not synchronized between the parent router and the AIM IPS and the NME IPS...
  • Page 295: Synchronizing Ips Module Clocks With Parent Device Clocks

    • The AIP SSM automatically synchronizes its clock with the clock in the adaptive security appliance in which it is installed. This is the default. • Configure the AIP SSM to get its time from an NTP time synchronization source, such as a Cisco router other than the parent router.
  • Page 296: Correcting Time On The Sensor

    To avoid configuration problems on your sensor, make sure you understand the advantages and restrictions of virtualization on your sensor. Note: The AIM IPS and the NME IPS do not support virtualization...
  • Page 297: Supported Mibs

    • Using VACL capture or SPAN (promiscuous monitoring) is inconsistent with regard to VLAN tagging, which causes problems with VLAN groups. – When using Cisco IOS software, a VACL capture port or a SPAN target does not always receive tagged packets even if it is configured for trunking.
  • Page 298: When To Disable Anomaly Detection

    Chapter A Troubleshooting When to Disable Anomaly Detection Note: CISCO-PROCESS-MIB is available on the sensor, but we do not support it. We know that some elements are not available. While you can use elements from CISCO-PROCESS-MIB, we do not guarantee that they all provide correct information.
  • Page 299: Analysis Engine Not Responding

    Step 2 Verify that Analysis Engine is not running:
    sensor# show version
    -----
    MainApp N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500 Running
    AnalysisEngine N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500 Not Running
    CLI N-2007_JUN_19_16_45 (Release) 2007-06-19T17:10:20-0500
  • Page 300: Troubleshooting External Product Interfaces

    The sensor must recognize each CSA MC host X.509 certificate. You must add them as a trusted host. You can configure a maximum of two external product devices.
  • Page 301: External Product Interfaces Troubleshooting Tips

    • Hardware Bypass and Link Changes and Drops, page A-24
    • Troubleshooting Loose Connections, page A-24
    • Analysis Engine is Busy, page A-25
    • Connecting the IPS 4240 to a Cisco 7200 Series Router, page A-25
    • Communication Problems, page A-26
    • SensorApp and Alerting, page A-30
    ...
  • Page 302: Hardware Bypass And Link Changes And Drops

    • Check any interlock or interconnect indicators that indicate a component is not connected properly.
    • If problems continue, remove and reinstall each device, checking the connectors and sockets for bent pins or other damage.
  • Page 303: Analysis Engine Is Busy

    To connect correctly at speed 100 and duplex Full, set the interfaces of both the IPS 4240 and the router to speed Auto and duplex Auto. Also, if either interface is hard-coded, you must make the connection using a crossover cable.
  • Page 304: Communication Problems

    Total Bytes Received = 83118358
    Total Multicast Packets Received = 0
    Total Receive Errors = 0
    Total Receive FIFO Overruns = 0
    Total Packets Transmitted = 397633
  • Page 305

    0.0.0.0/0
    ftp-timeout 300
    no login-banner-text
    exit
    --MORE--
    If the workstation network address is permitted in the sensor access list, go to Step 6.
  • Page 306: Correcting A Misconfigured Access List

    10.89.149.238/25,10.89.149.254 default: 10.1.9.201/24,10.1.9.1
    host-name: sensor-238 default: sensor
    telnet-option: enabled default: disabled
    access-list (min: 0, max: 512, current: 3)
    -----------------------------------------------
    network-address: 10.0.0.0/8
    -----------------------------------------------
    network-address: 64.0.0.0/8
    -----------------------------------------------
    network-address: 171.69.70.0/24
    -----------------------------------------------
  • Page 307: Duplicate Ip Address Shuts Interface Down

    Total Packets Received = 1822323
    Total Bytes Received = 131098876
    Total Multicast Packets Received = 20
    Total Receive Errors = 0
    Total Receive FIFO Overruns = 0
  • Page 308: Sensorapp And Alerting

    2.4.30-IDS-smp-bigphys
    Platform: ASA-SSM-20
    Serial Number: JAB0948035P
    License expired: 11-Apr-2008 UTC
    Sensor up-time is 7 days.
    Using 1018015744 out of 2093600768 bytes of available memory (48% usage)
  • Page 309

    40.5M out of 68.5M bytes of available disk space (62% usage)
    MainApp M-2008_APR_24_19_16 (Release) 2008-04-24T19:49:05-0500 Running
    AnalysisEngine M-2008_APR_24_19_16 (Release) 2008-04-24T19:49:05-0500 Not Running
    M-2008_APR_24_19_16 (Release) 2008-04-24T19:49:05-0500
    Upgrade History:
  • Page 310: Physical Connectivity, Span, Or Vacl Port Issue

    Recovery Partition Version 1.1 - 7.0(1)E3
    Host Certificate Valid from: 29-Jun-2008 to 30-Jun-2010
    sensor#
    If you do not have the latest software updates, download them from Cisco.com.
    Step 5 Read the Readme that accompanies the software upgrade for any known DDTS for SensorApp or Analysis Engine.
  • Page 311: Unable To See Alerts

    Step 4 Verify the interface configuration. Make sure you have the interfaces configured properly. Verify the SPAN and VACL capture port configuration on the Cisco switch. Refer to your switch documentation for the procedure. Step 5 Verify again that the interfaces are up and that the packet count is increasing.
  • Page 312

    Total Bytes Transmitted = 3441000
    Total Multicast Packets Transmitted = 0
    Total Broadcast Packets Transmitted = 0
    Total Jumbo Packets Transmitted = 0
    Total Undersize Packets Transmitted = 0
  • Page 313: Sensor Not Seeing Packets

    Total Transmit FIFO Overruns = 0
    sensor#
    Step 3 If the interfaces are not up, do the following:
    • Check the cabling.
    • Enable the interface.
  • Page 314

    Total Transmit FIFO Overruns = 0
    ...
    For More Information
    For the procedure for installing the sensor properly, refer to your sensor chapter in this document.
  • Page 315: Cleaning Up A Corrupted Sensorapp Configuration

    • Device Access Issues, page A-41
    • Verifying the Interfaces and Directions on the Network Device, page A-43
    • Enabling SSH Connections to the Network Device, page A-43
  • Page 316: Verifying Arc Connections Are Active

    Application Partition:
    Cisco Intrusion Prevention System, Version 7.0(1)E3
    Host:
    Realm Keys key1.0
    Signature Definition:
    Signature Update S388.0 2009-03-25
    Virus Update V1.4 2007-03-02
    OS Version: 2.4.30-IDS-smp-bigphys
  • Page 317

    Current Configuration
    LogAllBlockEventsAndSensors = true
    EnableNvramWrite = false
    EnableAclLogging = false
    AllowSensorBlock = false
    BlockMaxEntries = 250
    MaxDeviceInterfaces = 250
    NetDevice
    Type = Cisco
  • Page 318

    B-BEAU_2009_APR_18_08_00_7_0_1 (Release) 2009-04-18T08:05:25-0500
    Upgrade History:
    IPS-K9-7.0-1-E3 08:00:00 UTC Sat Apr 18 2009
    Recovery Partition Version 1.1 - 7.0(1)E3
    Host Certificate Valid from: 16-Apr-2009 to 17-Apr-2011
  • Page 319: Device Access Issues

    sensor#
    Note: If you do not have the latest software updates, download them from Cisco.com.
    Step 5 Read the Readme that accompanies the software upgrade for any known DDTS for ARC.
    Step 6 Make sure the configuration settings for each device are correct (the username, password, and IP address).
  • Page 320

    Make sure you can reach the device. Verify the username and password.
    Step 4 Verify that each interface and direction on each network device is correct.
  • Page 321: Verifying The Interfaces And Directions On The Network Device

    To enable SSH connections to the network device, follow these steps:
    Step 1 Log in to the CLI.
    Step 2 Enter configuration mode:
    sensor# configure terminal
  • Page 322: Blocking Not Occurring For A Signature

    -----------------------------------------------
    default-signatures-only
    -----------------------------------------------
    specify-service-ports
    -----------------------------------------------
    -----------------------------------------------
    -----------------------------------------------
    -----------------------------------------------
    specify-tcp-max-mss
    -----------------------------------------------
    -----------------------------------------------
    -----------------------------------------------
    -----------------------------------------------
    specify-tcp-min-mss
    -----------------------------------------------
    -----------------------------------------------
    -----------------------------------------------
    --MORE--
    Step 4 Exit signature definition submode.
    sensor(config-sig-sig-nor)# exit
  • Page 323: Verifying The Master Blocking Sensor Configuration

    Step 7 Verify that the block shows up in the ARC statistics.
    sensor# show statistics network-access
    Current Configuration
    AllowSensorShun = false
    ShunMaxEntries = 100
    State
    ShunEnable = true
  • Page 324: Logging

    If you enable individual zone control, each zone uses the level of logging that it is configured for. Otherwise, the same logging level is used for all zones.
  • Page 325: Enabling Debug Logging

    Step 11 View the zone names.
    sensor(config-log)# show settings
    master-control
    -----------------------------------------------
    enable-debug: false <defaulted>
    individual-zone-control: true default: false
    -----------------------------------------------
    zone-control (min: 0, max: 999999999, current: 14)
  • Page 326

    -----------------------------------------------
    zone-control (min: 0, max: 999999999, current: 14)
    -----------------------------------------------
    <protected entry>
    zone-name: AuthenticationApp
    severity: warning <defaulted>
    <protected entry>
    zone-name: Cid
    severity: debug <defaulted>
    <protected entry>
  • Page 327

    Cid
    severity: debug <defaulted>
    <protected entry>
    zone-name: Cli
    severity: warning <defaulted>
    <protected entry>
    zone-name: IdapiCtlTrans
    severity: warning <defaulted>
    <protected entry>
    zone-name: IdsEventStore
    severity: error default: warning
  • Page 328: Zone Names

    Anomaly Detection zone
    AuthenticationApp Authentication zone
    General logging zone
    CLI zone
    IdapiCtlTrans All control transactions zone
    IdsEventStore Event Store zone
    MpInstaller IDSM2 master partition installer zone
  • Page 329: Directing Cidlog Messages To Syslog

    The following example shows the logging configuration file:
    timemode=local
    ;timemode=utc
    [logApp]
    ;enabled=true
    ;-------- FIFO parameters --------
    fifoName=logAppFifo
    fifoSizeInK=240
    ;-------- logApp zone and drain parameters --------
    zoneAndDrainName=logApp
    fileName=main.log
    fileMaxSizeInK=500
    [zone/Cid]
  • Page 330: Tcp Reset Not Occurring For A Signature

    1000 0
    sensor(config-sig-sig)# engine atomic-ip
    sensor(config-sig-sig-ato)# event-action reset-tcp-connection|produce-alert
    sensor(config-sig-sig-ato)# show settings
    atomic-ip
    -----------------------------------------------
    event-action: produce-alert|reset-tcp-connection default: produce-alert
    fragment-status: any <defaulted>
    specify-l4-protocol
    -----------------------------------------------
    -----------------------------------------------
    -----------------------------------------------
    -----------------------------------------------
  • Page 331: Software Upgrades

    This section helps in troubleshooting software upgrades. It contains the following topics:
    • Upgrading and Analysis Engine, page A-54
    • Which Updates to Apply and Their Prerequisites, page A-54
  • Page 332: Upgrading And Analysis Engine

    • Major versions require the previous major version.
    For More Information
    To understand how to interpret the IPS software filenames, see IPS Software Versioning, page 11-2.
  • Page 333

    To update the sensor with an update stored on the sensor, follow these steps:
    Step 1 Log in to the service account.
    Step 2 Obtain the update package file from Cisco.com.
  • Page 334: Troubleshooting Idm

    The result is that neither of these plug-ins will be used by default and each applet should use the correct plug-in. To clear the cache, follow these steps:
  • Page 335: Cannot Launch Idm-Analysis Engine Busy

    At any point you may enter a question mark '?' for help. User ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'.
  • Page 336: Signatures Not Producing Alerts

    • For the procedure for configuring event actions, refer to Assigning Actions to Signatures.
    • For the procedure for obtaining statistics about virtual sensor and Event Store, refer to Displaying Statistics.
  • Page 337: Troubleshooting Ime

    This section pertains specifically to troubleshooting the IDSM2, and contains the following topics:
    • Diagnosing IDSM2 Problems, page A-60
    • Minimum Supported IDSM2 Configurations, page A-61
    • Switch Commands for Troubleshooting, page A-61
  • Page 338: Diagnosing Idsm2 Problems

    Troubleshooting the Appliance, page A-23.
    • For information about the Bug Toolkit and how to access it, see Bug Toolkit, page A-1.
  • Page 339: Minimum Supported Idsm2 Configurations

    (Catalyst software)
    • show span (Catalyst software)
    • show security acl (Catalyst software)
    • show intrusion-detection module (Cisco IOS software)
    • show monitor (Cisco IOS software)
  • Page 340: Status Led Off

    5.0(0.30)
    Mod Sub-Type Sub-Model Sub-Serial Sub-Hw Sub-Sw
    --- ----------------------- ------------------- ----------- ------ ------
    L3 Switching Engine WS-F6K-PFC SAD041303G6 1.1
    IDS 2 accelerator board WS-SVC-IDSUPG
    console> (enable)
  • Page 341: Status Led On But The Idsm2 Does Not Come Online

    If the status indicator is on, but the IDSM2 does not come online, try the following troubleshooting tips:
    • Reset the IDSM2.
    • Make sure the IDSM2 is installed properly in the switch.
  • Page 342: Cannot Communicate With The Idsm2 Command And Control Port

    * = Configured MAC Address
    # = 802.1X Authenticated Port Name.
    Port Name Status Vlan Duplex Speed Type
    ----- -------------------- ---------- ---------- ------ ----------- ------------
    connected trunk full 1000 IDS
  • Page 343

    For the procedure for configuring the switch for command and control access to the IDSM2, refer to Configuring the Catalyst 6500 Series Switch for Command and Control Access to the IDSM2.
  • Page 344: Using The Tcp Reset Interface

    VLAN, and the reset port must trunk all the VLANs being trunked by both the sensing ports.
    Note: In Cisco IOS when the IDSM2 is in promiscuous mode, the IDSM2 ports are always dot1q trunk ports (even when monitoring only 1 VLAN), and the TCP reset port is automatically set to a trunk port and is not configurable.
  • Page 345

    --- --------------------------------- ------------ ------------ ---------------
    0 000b.fcf8.7bdc to 000b.fcf8.7be0 1.0(10)0 7.0(1)
    1 000b.fcf8.0176 to 000b.fcf8.0176 1.0(10)0 5.1(0.1)S153.0
    Mod Status
    --- ------------------
    0 Up Sys
    1 Up
    asa(config)#
  • Page 346

    Slot-1 157> TFTP failure: Packet verify failed after 20 retries
    Slot-1 158> Rebooting due to Autoboot error ...
    Slot-1 159> Rebooting..
    Slot-1 160> Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005
    Slot-1 161> Platform ASA-SSM-10
    Slot-1 162> GigabitEthernet0/0
    Slot-1 163>...
  • Page 347: The Aip Ssm And The Data Plane

    You cannot upgrade an NM CIDS to an NME IPS. The Cisco access routers only support one IDS/IPS module per router. If you have more than one IDS/IPS module installed, the most capable card is enabled. The most capable hierarchy is:...
  • Page 348: Gathering Information

    Step 2 Show the health and security status of the sensor.
    sensor# show health
    Overall Health Status
    Health Status for Failed Applications Green
    Health Status for Signature Updates Green
  • Page 349: Tech Support Information

    HTML and sent to the destination that follows this command. If you use this keyword, the output is not displayed on the screen.
  • Page 350

    This Report was generated on Wed Apr 8 21:42:39 2009.
    Output from show version
    Application Partition:
    Cisco Intrusion Prevention System, Version 7.0(1)E3
    Host:
    Realm Keys key1.0
    Signature Definition:
    Signature Update S383.0 2009-02-20
  • Page 351

    Total Receive Errors = 0
    Total Receive FIFO Overruns = 0
    Total Packets Transmitted = 0
    Total Bytes Transmitted = 0
    Total Multicast Packets Transmitted = 0
  • Page 352: Version Information

    Step 2 View version information.
    sensor# show version
    Application Partition:
    Cisco Intrusion Prevention System, Version 7.0(1)E3
    Host:
    Realm Keys key1.0
    Signature Definition:
    Signature Update S383.0 2009-02-20
  • Page 353

    Signature Update S383.0 2009-02-20
    Virus Update V1.4 2007-03-02
    ! ------------------------------
    service interface
    exit
    ! ------------------------------
    service authentication
    exit
    ! ------------------------------
    service event-action-rules rules0
    exit
    ! ------------------------------
  • Page 354: Statistics Information

    The show statistics command is useful for examining the state of the sensor services. This section describes the show statistics command, and contains the following topics:
    • Understanding the show statistics Command, page A-77
    • Displaying Statistics, page A-77
  • Page 355: Understanding The Show Statistics Command

    Step 1 Log in to the CLI.
    Step 2 Display the statistics for Analysis Engine.
    sensor# show statistics analysis-engine
    Analysis Engine Statistics
    Number of seconds since service started = 1421127
  • Page 356

    Learning - ON
    Next KB rotation at 10:00:00 UTC Sat Jan 18 2008
    Internal Zone
    TCP Protocol
    UDP Protocol
    Other Protocol
    External Zone
    TCP Protocol
    UDP Protocol
  • Page 357

    Error events, warning = 67
    Error events, error = 83
    Error events, fatal = 0
    Alert events, informational = 60
    Alert events, low = 1
    Alert events, medium = 60
  • Page 358

    Usage over last 5 minutes = 1
    Memory Statistics
    Memory usage (bytes) = 500498432
    Memory free (bytes) = 894976032
    Auto Update Statistics
    lastDirectoryReadAttempt = 15:26:33 CDT Tue Jun 17 2008
  • Page 359

    NATAddr = 0.0.0.0
    Communications = telnet
    NetDevice
    Type = Cisco
    IP = 10.89.150.158
    NATAddr = 0.0.0.0
    Communications = telnet
    BlockInterface
    InterfaceName = ethernet0/1
    InterfaceDirection = out
  • Page 360

    BlockMinutes =
    Host
    IP = 21.21.12.12
    Vlan =
    ActualIp =
    BlockMinutes =
    Host
    IP = 122.122.33.4
    Vlan =
    ActualIp =
    BlockMinutes = 60
    MinutesRemaining = 24
  • Page 361

    Total ARP packets processed since reset = 0
    Total ISL encapsulated packets processed since reset = 0
    Total 802.1q encapsulated packets processed since reset = 0
  • Page 362

    Packets Modified = 0
    Dropped packets from queue = 0
    Dropped packets due to deny-connection = 0
    Current Streams = 0
    Current Streams Closed = 0
  • Page 363

    Actions Filtered
    deny-attacker-inline = 0
    deny-attacker-victim-pair-inline = 0
    deny-attacker-service-pair-inline = 0
    deny-connection-inline = 0
    deny-packet-inline = 0
    modify-packet-inline = 0
    log-attacker-packets = 0
    log-pair-packets = 0
  • Page 364

    Verify that the statistics have been cleared.
    sensor# show statistics logger
    The number of Log interprocessor FIFO overruns = 0
    The number of syslog messages received = 0
  • Page 365: Interfaces Information

    Current Bypass Mode = Auto_off
    MAC statistics from interface GigabitEthernet0/1
    Media Type = backplane
    Missed Packet Percentage = 0
    Inline Mode = Unpaired
    Pair Status = N/A
  • Page 366: Events Information

    Events remain in the Event Store until they are overwritten by newer events. There are five types of events:
    • evAlert—Intrusion detection alerts
    • evError—Application errors
    • evStatus—Status changes, such as an IP log being created
  • Page 367: Understanding The Show Events Command

    Error events are generated by services when error conditions are encountered. If no level is selected (warning, error, or fatal), all error events are displayed.
  • Page 368

    NetworkAccessControllerApp
    appInstance: 654
    time: 2008/02/09 10:33:31 2008/08/09 13:13:31
    shunInfo:
    host: connectionShun=false
    srcAddr: 11.0.0.1
    destAddr:
    srcPort:
    destPort:
    protocol: numericType=0 other
    timeoutMinutes: 40
    evAlertRef: hostId=esendHost 123456789012345678
    sensor#
  • Page 369

    64.101.182.101
    appName: -cidcli
    appInstanceId: 2316
    evStatus: eventId=1041526834774829056 vendor=Cisco
    originator:
    hostId: sensor
    appName: login(pam_unix)
    appInstanceId: 2315
    time: 2008/01/08 02:41:00 2008/01/08 02:41:00 UTC
  • Page 370: Clearing Events

    Step 5 Send the resulting HTML file to TAC or the IPS developers in case of a problem.
    For More Information
    For the procedure for putting a file on the Cisco FTP site, see Uploading and Accessing Files on the Cisco FTP Site, page A-93.
  • Page 371: Uploading And Accessing Files On The Cisco Ftp Site

    You can upload large files, for example, cidDump.html, the show tech-support command output, and cores, to the ftp-sj server. To upload and access files on the Cisco FTP site, follow these steps: Log in to ftp-sj.cisco.com as anonymous.
  • Page 373

    It can also inspect FTP traffic and control the commands being issued.
    AIM IPS: Advanced Integration Module. A type of IPS network module installed in Cisco routers.
  • Page 374

    AIP SSM: Advanced Inspection and Prevention Security Services Module. The IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. AIP-SSM is an IPS services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
  • Page 375

    aspect version: Version information associated with a group of IDIOM default configuration settings. For example, Cisco Systems publishes the standard set of attack signatures as a collection of default settings with the S aspect. The S-aspect version number is displayed after the S in the signature update package file name.
  • Page 376

    CIDEE: Cisco Intrusion Detection Event Exchange. Specifies the extensions to SDEE that are used by Cisco IPS systems. The CIDEE standard specifies all possible extensions that may be supported by Cisco IPS systems.
    CIDS header: The header that is attached to each packet in the IPS system. It contains packet classification, packet length, checksum results, timestamp, and the receive interface.
  • Page 377

    CSA MC: Cisco Security Agent Management Center. CSA MC receives host posture information from the CSA agents it manages. It also maintains a watch list of IP addresses that it has determined should be quarantined from the network.
  • Page 378

    CS-MARS: Cisco Security Monitoring, Analysis and Reporting System. The monitoring component of the Cisco Self-Defending Networks solution. CS-MARS is fully integrated with CS-Manager.
    Common Vulnerabilities and Exposures. A list of standardized names for vulnerabilities and other information security exposures maintained at http://cve.mitre.org/.
  • Page 379 Dynamic Trunking Protocol. A Cisco proprietary protocol in the VLAN group used for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (ISL or 802.1q) to be used.
  • Page 380

    global correlation client: The software component of CollaborationApp that obtains and installs updates to the local global correlation databases.
  • Page 381

    IP packet processing. Documented in RFC 792.
    ICMP flood: Denial of Service attack that sends a host more ICMP echo request (“ping”) packets than the protocol implementation can handle.
  • Page 382

    Intrusion Prevention System. A system that alerts the user to the presence of an intrusion on the network through network traffic analysis techniques.
    IPS data or message: Describes the messages transferred over the command and control interface between IPS applications.
  • Page 383

    Logger: A component of the IPS. Writes all the log messages of the application to the log file and the error messages of the application to the Event Store.
  • Page 384 Hash Algorithm (SHA) are variations on MD4 and strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
  • Page 385

    Network Interface Card. Board that provides network communication capabilities to and from a computer system.
    NME IPS: Network Module Enhanced. An IPS module that you can install in any network module slot in the Cisco 2800 and 3800 series integrated services routers.
  • Page 386

    PAgP: Port Aggregation Control Protocol. PAgP aids in the automatic creation of EtherChannel links by exchanging PAgP packets between LAN ports. It is a Cisco-proprietary protocol.
  • Page 387

    OSI term for packet. See also BPDU and packet.
    Cisco Product Evolution Program. PEP is the UDI information that consists of the PID, the VID, and the SN of your sensor. PEP provides hardware version and serial number visibility through electronic query, product labels, and shipping items.
  • Page 388

    This risk is higher when more damage could be inflicted on your network.
  • Page 389

    Return Materials Authorization. The Cisco program for returning faulty hardware and obtaining a replacement.
    ROMMON: Read-Only-Memory Monitor. ROMMON lets you TFTP system images onto the sensor for recovery purposes.
    round-trip time: See RTT.
    remote-procedure call. Technological foundation of client/server computing. RPCs are procedure calls that are built or specified by clients and are executed on servers, with the results returned over the network to the clients.
  • Page 390

    Signature Event Action Processor: Processes event actions. Event actions can be associated with an event risk rating threshold that must be surpassed for the actions to take place.
  • Page 391

    SMTP: Simple Mail Transfer Protocol. Internet protocol providing e-mail services.
    Serial Number. Part of the UDI. The SN is the serial number of your Cisco product.
    SNAP: Subnetwork Access Protocol. Internet protocol that operates between a network entity in the subnetwork and a network entity in the end system.
  • Page 392 The full IPS application and recovery image used for reimaging an entire sensor. system image A Cisco Technical Assistance Center. There are four TACs worldwide. Terminal Access Controller Access Control System Plus. Proprietary Cisco enhancement to Terminal TACACS+ Access Controller Access Control System (TACACS). Provides additional support for authentication, authorization, and accounting.
  • Page 393 TCP resets. On the IDSM2 the TCP reset interface is designated as port 1 with Catalyst software, and is not visible to the user in Cisco IOS software. The TCP reset action is only appropriate as an action selection on those signatures that are associated with a TCP-based service.
  • Page 394 tune: Adjusting signature parameters to modify an existing signature. UDI: Unique Device Identifier. Provides a unique identity for every Cisco product. The UDI is composed of the PID, VID, and SN. The UDI is stored in the Cisco IPS ID PROM.
  • Page 395 VID: Version identifier. Part of the UDI. VIP: Versatile Interface Processor. Interface card used in Cisco 7000 and Cisco 7500 series routers. The VIP provides multilayer switching and runs Cisco IOS. The most recent version of the VIP is VIP2. virtual sensor: A logical grouping of sensing interfaces and the configuration policy for the signature engines and alarm filters to apply to them.
  • Page 396 Markup Language. Textual file format used for data interchange between heterogeneous hosts. zone: A set of destination IP addresses sorted into an internal, illegal, or external zone used by Anomaly Detection.
