Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-24002-01...
Revised: November 9, 2013, OL-24002-01
Contents
This guide describes how to install appliances and modules that support Cisco IPS 7.1. It includes a glossary that contains expanded acronyms and pertinent IPS terms. It is part of the documentation set for Cisco Intrusion Prevention System 7.1. Use this guide in conjunction with the documents listed in Related Documentation, page xvii.
A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font: Terminal sessions and information the system displays appear in courier font.
Related Documentation For a complete list of the Cisco IPS 7.1 documentation and where to find it, refer to the following URL: http://www.cisco.com/en/US/docs/security/ips/7.1/roadmap/19889_01.html For a complete list of the Cisco ASA 5500 series documentation and where to find it, refer to the following URL: http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html...
What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html. Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
Figure 1-1 on page 1-2 shows how you can deploy a combination of sensors operating in both inline (IPS) and promiscuous (IDS) modes to protect your network.
The command and control interface is always Ethernet. This interface has an assigned IP address, which allows it to communicate with the manager workstation or network devices (Cisco switches, routers, and firewalls). Because this interface is visible on the network, you should use encryption to maintain data privacy.
False positives are a by-product of all IPS devices, but they occur much less frequently in Cisco IPS devices since Cisco IPS devices are stateful, normalized, and use vulnerability signatures for attack evaluation. Cisco IPS devices also provide risk rating, which identifies high risk events, and policy-based management, which lets you deploy rules to enforce IPS signature actions based on risk rating.
IPS 4270-20, where the ports are numbered from top to bottom). Each physical interface can be divided into VLAN group subinterfaces, each of which consists of a group of VLANs on that interface.
GigabitEthernet 0/1 by security context instead of VLAN pair or inline interface pair
GigabitEthernet 0/1 by security context instead of VLAN pair or inline interface pair
GigabitEthernet 0/0
GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2, GigabitEthernet 0/3, GigabitEthernet 0/4, GigabitEthernet 0/5, GigabitEthernet 0/6, GigabitEthernet 0/7
All sensing ports can be paired together
Management 0/0, Management 0/1
4GE-BP, 2SX, and 10GE cards up to a total of either six cards or sixteen total ports, whichever is reached first, but is limited to only two 10GE cards in the mix of cards.
The following restrictions apply to configuring interfaces on the sensor:
• Physical Interfaces
– In IPS 7.1, rx/tx flow control is disabled on the IPS 4200 series sensors. This is a change from IPS 7.0 where rx/tx flow control is enabled by default.
– The command and control interface cannot serve as the alternate TCP reset interface for a sensing interface.
– A sensing interface cannot serve as its own alternate TCP reset interface.
The disadvantage of operating in promiscuous mode, however, is the sensor cannot stop malicious traffic from reaching its...
4/2 on dot1q 932
set trunk 4/3 on dot1q 960
set trunk 4/4 on dot1q 962
set span 930, 932, 960, 962 4/1-4 both
The advantage is that now you can use a sensor with only a few interfaces as if it had many interfaces.
Note: You cannot divide physical interfaces that are in inline VLAN pairs into VLAN groups.
Supported Sensors
Caution: Installing the most recent software on unsupported sensors may yield unpredictable results. We do not support software installed on unsupported platforms.
The currently supported IPS 7.1(x) versions are 7.1(1)E4, 7.1(2)E4, 7.1(3)E4, 7.1(4)E4, 7.1(5)E4, and IPS 7.1(6)E4. Not all IPS sensors are supported in each 7.1(x) version. For a list of the specific IPS filenames and the IPS versions that each sensor supports, refer to the Release Notes for your IPS version found at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_release_notes_list.html...
Note: The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.0(x) and later and IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.1(4) and later].
• Cisco Systems prohibits using the appliance for anything other than operating Cisco IPS.
• Cisco Systems prohibits modifying or installing any hardware or software in the appliance that is not part of the normal operation of the Cisco IPS.
You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps: Connect to a terminal server using one of the following methods:...
Verifying the Sensor is Synchronized with the NTP Server
In the Cisco IPS, you cannot apply an incorrect NTP configuration, such as an invalid NTP key value or ID, to the sensor. If you try to apply an incorrect configuration, you receive an error message. To verify the NTP configuration, use the show statistics host command to gather sensor statistics.
To ensure the integrity of the time stamp on the event records, you must clear the event archive of the older events by using the clear events command.
Note: You cannot remove individual events.
Chapter 1 Introducing the Sensor
Time Sources and the Sensor
For More Information
For the procedure for clearing events, refer to Clearing Events from Event Store.
• Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4500 Series Sensor Appliance.
Step 2 To familiarize yourself with the IPS and related documentation and where to find it on Cisco.com, read Documentation Roadmap for Cisco Intrusion Prevention System 7.1.
Note: Removing the chassis cover to install a hardware component does not affect your Cisco warranty. Upgrading the appliance does not require any special tools and does not create any radio frequency leaks.
• For safety, periodically check the resistance value of the antistatic strap, which should be between 1 and 10 megohms (Mohms).
Caution: Always follow ESD-prevention procedures when removing, replacing, or repairing components.
Note: If you are upgrading a component, do not remove the component from the ESD packaging until you are ready to install it.
• Ensure that the chassis top panel is secure. The chassis is designed to allow cooling air to flow effectively within it. An open chassis allows air leaks, which may interrupt and redirect the flow of cooling air from the internal components.
Baffles can help to isolate exhaust air from intake air, which also helps to draw cooling air through the chassis. The best placement of the baffles depends on the airflow patterns in the rack. Experiment with different arrangements to position the baffles effectively.
Only trained and qualified personnel should install, replace, or service this equipment. Statement 49
Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection and Prevention System 4200 Series Appliance Sensor document and follow proper safety procedures when performing the steps in this guide.
Note IPS 4255 look identical with the same front and back panel features and indicators.
Note: In IPS 7.1, rx/tx flow control is disabled on the IPS 4240 and the IPS 4255. This is a change from IPS 7.0 where rx/tx flow control is enabled by default.
[Figure: appliance panel. Labels: FLASH, LINK, SPD. Callouts: power connector, USB ports (not used), auxiliary port (not used), status indicator, power indicator, flash indicator, compact flash device]
One chassis expansion slot (not used)
Power
Autoswitching: 100V to 240V AC
Frequency: 47 to 63 Hz, single phase
Operating current: 3.0 A
Steady state: 150 W
Statement 1071
SAVE THESE INSTRUCTIONS
Warning: Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030
Note: The top hole on the left bracket is a banana jack you can use for ESD grounding purposes when you are servicing the system. You can use the two threaded holes to mount a ground lug to ground the chassis.
Statement 1030
Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
RJ-45 or hydra cable assembly connections. Connect the appropriate cable from the console port on the appliance to a port on the terminal server.
Step 8
Step 9 Initialize the appliance.
Step 10 Upgrade the appliance with the most recent Cisco IPS software. You are now ready to configure intrusion prevention on the appliance.
• For the procedure for using the setup command to initialize the appliance, see Appendix B, “Initializing the Sensor.”
• For the procedure for updating the appliance with the most recent Cisco IPS software, see Obtaining Cisco IPS Software, page C-1.
Remove the DC power supply plastic shield. Step 7 Strip the ends of the wires for insertion into the power connect lugs on the IPS 4240-DC. Step 8
Step 13 Initialize the IPS 4240-DC.
Step 14 Upgrade the IPS 4240-DC with the most recent Cisco IPS software. You are now ready to configure intrusion prevention on the appliance.
• For the procedure for using the setup command to initialize the appliance, see Appendix B, “Initializing the Sensor.”
• For the procedure for updating the appliance with the most recent Cisco IPS software, see Obtaining Cisco IPS Software, page C-1.
Chapter 3 Installing the IPS 4240 and IPS 4255
Installing the IPS 4240-DC
Statement 49 Warning
Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection and Prevention System 4200 Series Appliance Sensor document and follow proper safety procedures when performing the steps in this guide.
Chapter 4 Installing the IPS 4260
Product Overview
Note: In IPS 7.1, rx/tx flow control is disabled on the IPS 4260. This is a change from IPS 7.0 where rx/tx flow control is enabled by default.
Caution: The BIOS on IPS 4260 is specific to IPS 4260 and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website.
The 2SX card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the sensor. The 2SX interface card does not support hardware bypass.
4-21. This section contains the following topics:
• 4GE Bypass Interface Card, page 4-5
• Hardware Bypass Configuration Restrictions, page 4-5
• Hardware Bypass and Link Changes and Drops, page 4-6
To disable hardware bypass, pair the interfaces in any other combination, for example 2/0<->2/2 and 2/1<->2/3. Hardware bypass complements the existing software bypass feature in Cisco IPS. The following conditions apply to hardware bypass and software bypass: When bypass is set to OFF, software bypass is not active.
• Make sure the interfaces of the connected devices are configured to match the interfaces of the appliance for speed/duplex negotiation (auto/auto).
• Enable portfast on connected switchports to reduce spanning-tree forwarding delays.
Status (green/amber): Blinks green while the power-up diagnostics are running or the system is booting. Solid green when the system has passed power-up diagnostics. Solid amber when the power-up diagnostics have failed.
Back Panel Indicators
Indicator | Color | Description
Left side | Green solid | Physical link
Left side | Green blinking | Network activity
Right side | Not lit | 10 Mbps
Right side | Green | 100 Mbps
Right side | Amber | 1000 Mbps
Relative humidity
Operating: 10% to 85% (noncondensing)
Nonoperating: 5% to 95% (noncondensing)
Altitude
Operating: 0 to 9843 ft (3000 m)
Nonoperating: 0 to 15,000 ft (4750 m)
IPS 4260 and contains the following topics:
• Installing the IPS 4260 in a 4-Post Rack, page 4-11
• Installing the IPS 4260 in a 2-Post Rack, page 4-14
Step 3 Using the four inner studs, install the mounting brackets to the outer rail with four 8-32 KEPS nuts. Insert four thread covers over the four outer studs on each side.
Step 2 Using the four inner studs, install the mounting brackets to the outer rail with four 8-32 KEPS nuts. Insert four thread covers over the four outer studs on each side.
Step 4
Statement 1030
Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
RJ-45 or hydra cable assembly connections. Connect the appropriate cable from the console port on the appliance to a port on the terminal server.
Caution: Management and console ports are privileged administrative ports. Connecting them to an untrusted network can create security concerns.
Step 8 Power on the IPS 4260.
Removing and Replacing the Chassis Cover
Step 9 Initialize the IPS 4260.
Step 10 Upgrade the IPS 4260 with the most recent Cisco IPS software. You are now ready to configure intrusion prevention on the IPS 4260.
For More Information...
Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
Note: Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4260 does not require any special tools and does not create any radio frequency leaks.
Step 5 If rack-mounted, remove the IPS 4260 from the rack.
Step 6 Make sure the IPS 4260 is in an ESD-controlled environment.
Step 7 Remove the chassis cover.
Step 12 Reinstall the slot cover screw to hold the card to the carrier. If necessary, reinstall the card support at the back of the card carrier.
Step 13 Replace the card carrier in the chassis.
Step 14 Replace the chassis cover.
Remove the power cable and other cables from the IPS 4260.
Note: Power supplies are hot-swappable. You can replace a power supply while the IPS 4260 is running, if you are replacing a redundant power supply.
Step 7 To remove the power supply, push down the green tab and pull out the power supply.
Step 8 After installing or removing the power supply, replace the power cord and other cables.
Step 9 Power on the IPS 4260.
For More Information
For the IDM procedure for resetting the IPS 4260, refer to Rebooting the Sensor; for the IME procedure, refer to Rebooting the Sensor.
Caution: The BIOS on the IPS 4270-20 is specific to the IPS 4270-20 and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on the IPS 4270-20 voids the warranty. For more information on how to obtain...
Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4270-20 does not require any special tools and does not create any radio frequency leaks.
Note: In IPS 7.1, rx/tx flow control is disabled on the IPS 4270-20. This is a change from IPS 7.0 where rx/tx flow control is enabled by default.
• For more information on sensor interfaces, see Sensor Interfaces, page 1-4.
• For more information on the supported interface cards, see Supported Interface Cards, page 5-4.
The 2SX card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the sensor. The 2SX interface card does not support hardware bypass.
5-43. This section contains the following topics:
• 4GE Bypass Interface Card, page 5-6
• Hardware Bypass Configuration Restrictions, page 5-6
• Hardware Bypass and Link Changes and Drops, page 5-7
To disable hardware bypass, pair the interfaces in any other combination, for example 2/0<->2/2 and 2/1<->2/3. Hardware bypass complements the existing software bypass feature in Cisco IPS. The following conditions apply to hardware bypass and software bypass: When bypass is set to OFF, software bypass is not active.
• Make sure the interfaces of the connected devices are configured to match the interfaces of the appliance for speed/duplex negotiation (auto/auto).
• Enable portfast on connected switchports to reduce spanning-tree forwarding delays.
Figure 5-6 IPS 4270-20 Front Panel Switches and Indicators
[Figure callouts: Management0/0, Management0/1 (reserved for future use), Power status, System, Power]
Turns power on and off: indicator
• Amber—System has AC power and is in standby mode
• Green—System has AC power and is turned on
• Off—System has no AC power
[Figure: back panel. Labels: 2 expansion slots, PCI-E x4, PCI-E x8, PCI-E x4, PCI-E x8, PCI-E x4, PCI-X 100 MHz, Reserved Future Use, CONSOLE, MGMT0/0. Callouts: Management0/0, Reserved, Reserved, Console port]
Power Indicator 2 Description Amber Green No AC power to any power supply Flashing Power supply failure (over current) No AC power to this power supply
Front and Back Panel Features
Table 5-3 Power Supply Indicators (continued)
Fail Indicator 1 Power Indicator 2 Description Amber Green Flashing
• AC power present
• Standby mode
Normal
Figure 5-9 IPS 4270-20 Internal Components
[Figure callouts: power supply (two), sensing interface expansion slots, cooling fans (three), diagnostic panel]
System NMI switch Slot X Expansion slot CPU BD (interlock error) System board PPM X Processor power module 1A-32D DIMM Slot PROC X Processor FAN X
1. At sea level with an altitude derating of 1.8°F per every 1000 ft (1.0°C per every 3.0m) above sea level to a maximum of 10,000 ft (3050 m). No direct sustained sunlight.
Note: The tapered end of the chassis side rail should be at the back of the IPS 4270-20. The chassis side rail is held in place by the inner latch.
Step 2 Repeat Step 1 for each chassis side rail.
To remove the chassis side rail, lift the latch, and slide the rail forward.
If you are installing the IPS 4270-20 in a shallow rack, one that is less than 28.5 in. (72.39 cm), remove the screw from the inside of the slide assembly before continuing with Step 5.
Repeat for each slide assembly. Make sure the slide assemblies line up with each other in the rack. Lift the spring latch to release the slide assembly if you need to reposition it.
Remove the eight round- or square-hole studs on each slide assembly using a standard screwdriver.
Note: You may need a pair of pliers to hold the retaining nut.
Line up the bracket on the slide assembly with the rack holes, and install two screws (top and bottom) on each end of the slide assembly. Repeat for each slide assembly.
Chapter 5 Installing the IPS 4270-20
Installing the Rail System Kit
Step 6 Extend the slide assemblies out of the rack.
Step 8 If you are using the cable management arm, install it before you connect and route any cables.
Note: You may also need longer cables when the arm is installed (an extra length of around 3 feet is required).
Otherwise, you risk damage to the cables and a possible shock hazard if the power cables get caught between the chassis and the rack.
Step 2 After performing the installation or maintenance procedure, slide the IPS 4270-20 into the rack by pressing the rail-release latches.
Installing the Cable Management Arm
Note: To hinge the cable management arm on the back right-hand side of the rack, see Converting the Cable Management Arm, page 5-32.
Note: When properly installed, the cable management arm is attached to the IPS 4270-20 and the rack rail.
Caution: Do not use the straps and zip ties to tie the two parts of the cable management arm together.
Note: The cable management arm is designed for ambidextrous use. You can convert the cable management arm from a left-hand swing to a right-hand swing.
Note: Make sure to orient the management arm with the cable trough facing upward.
Page 123
To convert the cable management arm swing, follow these steps: Pull up the spring pin and slide the bracket off the cable management arm. Step 1 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1 5-33 OL-24002-01...
Page 124
Installing the IPS 4270-20 Installing the Rail System Kit Step 2 Remove the bottom sliding bracket and flip it over to the top of the bracket aligning the studs. Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1 5-34 OL-24002-01...
The sliding bracket only fits one way because the hole for the spring pin is offset. Note Installing the IPS 4270-20 Follow proper safety procedures when performing these steps by reading the safety warnings in Caution Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. Warning IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger.
Page 126
RJ-45 or hydra cable assembly connections. Connect the appropriate cable from the console port on the appliance to a port on the terminal server.
Page 127
[Figure labels: RJ-45 to DB-9 adapter; RJ-45 to DB-9 serial cable (null-modem); Console port (DB-9); Computer serial port DB-9]
Page 128
Step 7 Initialize the IPS 4270-20.
Step 8 Upgrade the IPS 4270-20 with the most recent Cisco IPS software.
Step 9 You are now ready to configure intrusion prevention on the IPS 4270-20.
Removing and Replacing the Chassis Cover
Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
Warning This product relies on the building’s installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than 120 VAC, 20 A U.S.
Page 130
Warning This unit might have more than one power supply connection. All connections must be removed to de-energize the unit. Statement 1028
Note Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4270-20 does not require any special tools and does not create any radio frequency leaks.
Page 131
Step 10 To replace the chassis cover, position it on top of the chassis and slide it on. Push down on the cover latch to lock into place.
• For the location of the Diagnostic Panel, see Figure 5-9 on page 5-13.
• For information on what internal health information each indicator displays on the Diagnostic Panel, see Diagnostic Panel, page 5-14.
Installing and Removing Interface Cards
Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
The IPS 4270-20 has nine expansion card slots. Slots 1 and 2 are PCI-X slots and are reserved for future use.
Page 134
Step 11 Slide the server back in to the rack by pressing the server rail-release handles.
Step 12 Reconnect the power cables to the IPS 4270-20.
Step 13 Power on the IPS 4270-20.
Installing and Removing the Power Supply
Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
IPS 4270-20 ships with two hot-pluggable power supplies, thus providing a redundant power supply configuration.
Page 137
Step 6 Remove the power supply by pulling it away from the chassis.
Page 139
IME procedure for powering down the IPS 4270-20, refer to Rebooting the Sensor.
• For an illustration of the screwdriver and where it is located, see Figure 5-9 on page 5-13.
Step 3 Identify the failed fan by locating an amber indicator on top of the failed fan or a lighted FAN X indicator on the Diagnostic Panel.
Page 141
• For more information about the Diagnostic Panel, see Diagnostic Panel, page 5-14.
• For the procedure for removing the chassis cover, see Removing and Replacing the Chassis Cover, page 5-39.
• Check any interlock or interconnect indicators that indicate a component is not connected properly.
• If problems continue, remove and reinstall each device, checking the connectors and sockets for bent pins or other damage.
CHAPTER
Installing the IPS 4345 and IPS 4360
Contents
This chapter describes the Cisco IPS 4345 and the IPS 4360, and includes the following sections:
• Installation Notes and Caveats, page 6-1
• Product Overview, page 6-2
• ...
The 500 Mbps performance for the IPS 4345 is based on multiple models of common traffic mixes based on common deployment scenarios while running IPS 7.1.(3)E4 software. The IPS 4360 monitors greater than 1 Gbps of aggregate network traffic on multiple sensing interfaces and is also inline ready.
500Hz with spectral break points of 0.0065G²/Hz at 10Hz and 100Hz and 5dB/octave roll-off at each end
IPS 4345 and IPS 4360.
Figure 6-3 IPS 4345 and IPS 4360 Front Panel View (labels: BOOT, ALARM, ACTIVE; callouts: Power button, Indicators)
Page 148
• Green—System has passed power-up diagnostics.
• Amber—Power-up diagnostics failed.
ACTIVE Indicates whether the system is off or on:
• Off—No power.
• Green—System has power.
Page 149
2. GigabitEthernet interfaces from right to left and top to bottom—GigabitEthernet 0/0, 0/1, 0/2, and 0/3 and GigabitEthernet 1/0, 1/1, 1/2, and 1/3.
3. The serial console port uses 9600 baud, 8 data bits, 1 stop bit, and no parity.
Page 150
Management and Network Interface Indicators
Indicator          Description
Left side
  Green            Physical activity
  Flashing green   Network activity
Right side
  Not lit          10 Mbps
  Green            100 Mbps
  Amber            1000 Mbps
Note Use the rack mount brackets to mount the IPS 4345. Use the slide rail mounting system to mount the IPS 4360.
Figure 6-9. After the brackets are secured to the chassis, you can rack-mount it.
Figure 6-9 Installing the Brackets on the Back of the Chassis
IPS 4345. For instructions for using the slide rail mounting system, refer to the Slide Rail Installation Instructions for Cisco IronPort C170, M170, and S170 Appliances and Cisco 5512-X, 5515-X, 5525-X, 5545-X, 5555-X Adaptive Security Appliances and Cisco IPS 4345 and 4360 found at this URL: http://www.cisco.com/en/US/docs/security/asa/hw/maintenance/5500xspares/slide_rail_installation.ht Although slide rail mounting is preferred for the IPS 4360, in the case of two-rail racks where the slide rails will not fit, you can use the rack mounting brackets.
The baud rate must match the default baud rate (9600 baud) of the console port of the appliance. Set up the terminal as follows: 9600 baud (default), 8 data bits, no parity, 1 stop bit, and Flow Control (FC) = Hardware.
Page 155
Management 0/0, which is a GigabitEthernet interface with a dedicated port used only for traffic management.
[Figure callouts: Management 0/0 port, RJ-45 Ethernet cable]
Page 156
[Figure callouts: RJ-45 Ethernet ports, RJ-45 connector]
Step 7 Attach the power cable to the appliance and plug the other end in to a power source (a UPS is recommended).
AC Power Supply in V01 and V02 Chassis
The Cisco IPS 4300 series sensors with the AC power supply can restore the previous power state of the system if AC power is lost. Earlier IPS 4300s (V01) require you to turn on the power with the power switch.
12 V output and is used in a dual hot pluggable configuration. The DC power supply consumes a maximum of 500 W of input power.
Page 159
A power supply critical event has occurred, and the power supply has shut down. The critical event can be temperature, voltage, current, or fan operating outside the normal operating range.
Note If only one power supply is installed, make sure that it is installed in slot 0 (left slot) and that slot 1 (right slot) is covered with a slot cover.
Page 161
(Figure 6-13). Continue with Step 3.
Figure 6-13 Removing the AC Power Supply
Page 162
(Figure 6-15).
Figure 6-15 Back Power Supply Indicators
• Make sure that the chassis ground is connected on the chassis before you begin installing the DC power supply. For more information, see Working in an ESD Environment, page 2-4.
Page 164
Note If only one power supply is installed, make sure that it is installed in slot 0 (left slot) and that slot 1 (right slot) is covered with a slot cover.
Page 165
Warning An exposed wire lead from a DC input power source can conduct harmful levels of electricity. Be sure that no exposed portion of the DC input power source wire extends from the terminal block plug. Statement 122
Page 166
• Positive (+) lead wire (left)
• Negative (–) lead wire (right)
Figure 6-19 Ground Wires (callouts: Negative (–) lead wire, Ground lead wire, Positive (+) lead wire)
Page 167
Step 10 Remove the tape (if any) from the circuit breaker switch handle, and move the circuit breaker switch handle to the On position. The power supply indicators light up when power is supplied to the appliance.
(Figure 6-23).
Figure 6-23 Removing the Wires from the DC Power Supply
Gently pull the wires out of the power supply.
Page 169
Installing the DC Power Supply
Step 8 To connect the DC input power source wires, see Step 5 through Step 10 in Installing DC Input Power, page 6-21.
CHAPTER
Installing the IPS 4510 and IPS 4520
Contents
This chapter describes the Cisco IPS 4510 and IPS 4520, and includes the following sections:
• Installation Notes and Caveats, page 7-1
• Product Overview, page 7-2
• ...
IDM delivers security management and monitoring through an intuitive, easy-to-use web-based management interface. IDM is a Java Web Start application that enables you to configure and manage your IPS 4510 and IPS 4520. IDM is bundled with IPS 7.1. You can access it through Internet Explorer or Firefox web browsers.
RSS feed integration from the Cisco Security Intelligence Operations site. It monitors global correlation data, which you can view in events and reports. It monitors events and lets you sort views by filtering, grouping, and colorization.
Page 174
1. Hard disk drives are not supported at this time. The hard disk drive bays are empty.
2. Reserved for future use.
3. Reserved for future use.
Page 175
Major failure of hardware component or software module, temperature over the limit, power out of tolerance, or OIR is ready to remove the module. Not supported at this time. Not supported at this time.
Page 176
1. OIR is not available at this time.
2. The hard disk drive bays are reserved for future use.
3. The hard disk drive bays are reserved for future use.
Page 177
Figure 7-5 Power Supply Module Indicators (callouts: IN OK, FAN OK, OUT FAIL)
Page 178
Description
Gigabit Ethernet (RJ45)
• Left side:
  – Green—Physical activity
  – Flashing green—Network activity
• Right side:
  – Not lit—10 Mbps
  – Green—100 Mbps
  – Amber—1000 Mbps
4520, ships with two power supply modules installed and two power cables.
• Screws
• Cable management brackets
• Front and rear rack-mount brackets
• Slide rail kit hardware
• Slide rail kit
IPS 4510 and IPS 4520. You can purchase them separately. For 1 Gb, you need SFP. For 10 Gb, you need SFP+. The interfaces are called TenGigabitEthernet 0/x whether they are 10 Gb-enabled or not.
Step 1 Place the sensor on a flat, stable surface, or in a rack (if you are rack-mounting it).
Step 2 Connect to the management interface, Management 0/0.
Locate an Ethernet cable, which has an RJ-45 connector on each end.
Page 183
SFP/SFP+ ports. If you are using the fiber ports, you need an SFP+ module for 10-Gigabit Ethernet or an SFP module for 1-Gigabit Ethernet (SFP or SFP+ modules are not included).
Install the SFP/SFP+ module.
Page 184
[Figure callouts: Power supply module (PS0), Power supply module (PS1)]
Plug the power cable(s) in to a power source (we recommend a UPS).
Step 5 Remove the power cable from the sensor.
Step 6 From the front panel of the sensor, loosen the captive screws from the bottom slot.
Page 186
Step 12 Reconnect the power cable to the sensor.
Step 13 Power on the sensor.
Step 14 Verify that the PWR indicator on the front panel is green.
[Figure callouts: Power supply module screws, supply module handle]
Step 4 Remove the power supply module by grasping the handle and pulling the power supply module away from the chassis.
Page 188
Step 9 Check the PS0 and PS1 indicators on the front panel to make sure they are green. On the back panel of the sensor, make sure the IN OK and the FAN OK indicators are green and the OUT FAIL indicator is off.
[Figure callouts: Fan module and fan module handle, Fan module screws, Power supply module]
Step 2 Remove the fan module by grasping the handle and pulling the fan module away from the chassis.
Remove the cable management brackets from the front sides of the appliance. Remove the appliance from the rack. Remove the front brackets, left and right side brackets, and left and right rear brackets from the appliance.
IPS 4510 and IPS 4520, and contains the following sections:
• Package Contents, page 7-22
• Installing the Chassis in the Rack, page 7-22
• Removing the Chassis from the Rack, page 7-28
The slide rails are labeled ‘left’ and ‘right.’ Install the left slide rail on the left side of the rack and the right slide rail on the right side of the rack.
Figure 7-8 Press and Push to Install the Slide Rail
Page 193
Note After installing the square or round studs into the rack post, verify that the locking clip is fully seated and secure against the rack rail.
Figure 7-9 Square Studs for Square Hole Post
Page 194
Caution It is critical that the screws are installed and secured to the front and rear end of the slide rails.
Figure 7-10 Securing the Slide Rail to the Rack Post
Page 195
The cage nut will be used later to secure the chassis to the rack post. For threaded hole racks, no additional hardware is needed.
Figure 7-11 Installing the #10-32 Cage Nuts
Page 196
Caution Before installing the chassis, make sure that the slide rails are properly installed and that the perforated holes on the outer slide rail align with the perforated holes on the chassis.
Figure 7-12 Installing the Chassis on the Outer Rail
Page 197
For threaded hole racks, secure the front of the chassis by installing the #10-32 screws into the rack threaded hole.
Figure 7-13 Securing the Chassis to the Outer Rail
Step 1 Remove the screws from the front brackets of the rail post (Figure 7-14).
Figure 7-14 Removing the Screws from the Outer Rail
Step 2 Pull out the chassis to the locked position.
Page 199
Installing and Removing the Slide Rail Kit
Step 3 Press down the release hook to remove the chassis from the rack (Figure 7-15).
Figure 7-15 Pressing Down the Release Hook
Step 1 sensor, do the following:
• Power off the sensor.
• Remove the power cable from the sensor.
• Remove the old sensor from the rack.
Page 201
Note The slide-mount brackets let you install the rear of the chassis to the rear rack rails. The brackets are designed to slide within the installed rear brackets and accommodate a range of rack depths.
Page 202
Step 12 Reattach the power cable to the sensor.
Step 13 Power on the sensor.
• Check any interlock or interconnect indicators that indicate a component is not connected properly.
• If problems continue, remove and reinstall each device, checking the connectors and sockets for bent pins or other damage.
InterfaceApp, which updates the interface configuration for SwitchApp, which then forwards that configuration on to the switch.
For More Information
For detailed information about the IPS system architecture, refer to System Architecture.
Only trained and qualified personnel should install, replace, or service this equipment. Statement 49
Caution Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series Adaptive Security Appliance document and follow proper safety procedures when performing the steps in this guide.
The Cisco ASA Advanced Inspection and Prevention Security Services Module (ASA 5500 AIP SSM) is the IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. The adaptive security appliance software integrates firewall, VPN, and intrusion detection and prevention capabilities in a single platform.
Page 209
Installing the ASA 5500 AIP SSM, page 8-5.
• For more information on configuring the ASA 5500 AIP SSM to receive IPS traffic, refer to Configuring the ASA 5500 AIP SSM.
– ASA 5540 (ASA-SSM-AIP-20-K9)
• Cisco Adaptive Security Appliance Software 7.0 or later
• Cisco Intrusion Prevention System Software 5.0(2) or later
• DES or 3DES-enabled
Step 2 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin. Attach the other end to the chassis.
Page 212
Obtaining Cisco IPS Software, page C-1.
• For the procedure for configuring the ASA 5500 AIP SSM to receive IPS traffic, refer to Configuring the ASA 5500 AIP SSM.
Step 2 Press Enter to confirm.
Step 3 Verify that the ASA 5500 AIP SSM is shut down by checking the indicators.
Step 4 Power off the adaptive security appliance.
Page 214
• For the procedure for verifying whether the ASA 5500 AIP SSM is properly installed, see Verifying the Status of the ASA 5500 AIP SSM, page 8-7.
Installation Notes and Caveats
Pay attention to the following installation notes and caveats before installing the ASA 5585-X IPS SSP:
• Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5585-X Adaptive Security Appliance document and follow proper safety procedures when performing the steps in this guide.
The IDM is a Java Web Start application that enables you to configure and manage your ASA 5585-X IPS SSP. The IDM is bundled with IPS 7.1. You can access it through Internet Explorer or Firefox web browsers.
11.50 lb
Temperature
  Operating      32 to 104°F (0 to 40°C)
  Nonoperating   -40°F to 167°F (-40°C to 75°C)
Relative humidity (noncondensing)
  Operating      10% to 90%
  Nonoperating   5% to 95%
Note The illustration shows IPS SSP-10, but it applies to both the -10 and -20 models.
Figure 9-1 IPS SSP-10 Front Panel View
Page 219
(GigabitEthernet RJ45) SSP (slot 0) 11 Management 1/0 (GigabitEthernet RJ45) SSP/ASA 5585-X IPS SSP removal screws 12 USB port Reserved bays for hard disk drives 13 USB port
Page 220
Figure 9-3 ASA 5585-X IPS SSP Front Panel Indicators (callouts shown: PWR, BOOT, ALARM, VPN, PS0, HDD1, HDD2)
Page 221
HDD2
1. The Cisco ASA software does not support the ALARM indicator initially; support will be added at a later date.
2. OIR is not available at this time.
To install the ASA 5585-X IPS SSP in the ASA 5585-X for the first time, follow these steps:
Step 1 Power off the ASA 5585-X.
Step 2 Remove the power cable from the ASA 5585-X.
Page 224
ASA 5585-X IPS SSP is online using the show module 1 command.
Step 10 Initialize the ASA 5585-X IPS SSP.
Step 11 Configure the ASA 5585-X IPS SSP to receive IPS traffic.
Note Refer to the Release Notes for your ASA software version to verify that the network module is supported.
Note Only SFP/SFP+ modules certified by Cisco are supported on the adaptive security appliance 5585-X.
Caution Protect your SFP/SFP+ modules by inserting clean dust plugs into the SFP/SFP+ modules after the cables are extracted from them.
Shutting Down
• Down—The ASA 5585-X IPS SSP is shut down.
• Recover—The ASA 5585-X IPS SSP is attempting to download a recovery image.
Step 6 From the front panel of the ASA 5585-X, loosen the captive screws on the upper left and right of the ASA 5585-X IPS SSP in slot 1.
Page 228
ASA 5585-X IPS SSP-10.
Step 10 Slide the ASA 5585-X IPS SSP in to the slot until it is seated, and push the ejection levers back in to place.
Page 229
Verifying the Status of the ASA 5585-X IPS SSP, page 9-12.
• For detailed information about the ASA 5585-X, refer to Cisco ASA 5585-X Adaptive Security Appliance Hardware Installation Guide.
Note The service role is a special role that allows you to bypass the CLI if needed. Only a user with administrator privileges can edit the service account.
Note the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.0(x) and later and IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.1(4) and later].
A terminal server is a router with multiple, low speed, asynchronous ports that are connected to other serial devices. You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps:...
Note The default username and password are both cisco. You are prompted to change them the first time you log in to the module. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
Note The default username and password are both cisco. You are prompted to change them the first time you log in to the module. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
Note The default username and password are both cisco. You are prompted to change them the first time you log in to the module. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice.
Page 237
If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com.
Page 238
Appendix A Logging In to the Sensor Logging In to the Sensor
Startup Wizard in the IDM or the IME. After you configure the sensor with the setup command, you can change the network settings in the IDM or the IME. Note You must be administrator to use the setup command.
--- Basic Setup ---
--- System Configuration Dialog ---
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
This includes summary data on the Cisco IPS network traffic properties and how this traffic was handled by the Cisco appliances. We do not collect the data content of traffic or other sensitive business or personal information. All data is aggregated and sent via secure HTTP to the Cisco SensorBase Network servers in periodic intervals.
Repeat Step b until you have added all networks that you want to add to the access list, and then press Enter at a blank permit line to go to the next step.
Prime Meridian). The default is 60. Enter to modify the system time zone. Specify the standard time zone name. The zone name is a character string up to 24 characters long.
Page 244
02:00:00
exit
end-summertime
month november
week-of-month first
day-of-week sunday
time-of-day 02:00:00
exit
exit
ntp-option enabled
ntp-keys 1 md5-key 8675309
ntp-servers 10.10.1.2 key-id 1
exit
The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.0(x) and later and IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.1(4) and later].
Page 246
If you are using promiscuous mode for your interfaces and are not subdividing them by VLAN, no additional configuration is necessary. [1] Remove interface configurations.
Page 248
NewPair. Step 22 Press Enter to return to the top-level virtual sensor menu. Step 23 Virtual Sensor: vs0 Anomaly Detection: ad0
Page 249
342
exit
service interface
physical-interfaces GigabitEthernet0/0
admin-state enabled
subinterface-type inline-vlan-pair
subinterface 1
description Created via setup by user asmith
vlan1 200
Page 250
Step 30 Apply the most recent service pack and signature update. You are now ready to configure your appliance Step 31 for intrusion prevention.
Event Action Rules: rules0
Signature Definitions: sig0
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Enter to edit the interface configuration. Step 8
Page 252
Enter a name and description for your virtual sensor. Step 15
Name[]: newVs
Description[Created via setup by user cisco]: New Sensor
Anomaly Detection Configuration
[1] ad0
[2] Create a new anomaly detection configuration
Option[2]:
Page 253
Step 22 The following configuration was entered.
service host
network-settings
host-ip 10.1.9.201/24,10.1.9.1
host-name aip-ssm
telnet-option disabled
sshv1-fallback enabled
access-list 10.0.0.0/8
access-list 64.0.0.0/8
Page 254
HTTPS to connect to this ASA 5500 AIP SSM with a web browser. Step 28 Apply the most recent service pack and signature update. You are now ready to configure your ASA 5500 AIP SSM for intrusion prevention.
Event Action Rules: rules0
Signature Definitions: sig0
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Enter to edit the interface configuration. Step 8
Page 256
Enter a name and description for your virtual sensor. Step 15
Name[]: newVs
Description[Created via setup by user cisco]: New Sensor
Anomaly Detection Configuration
[1] ad0
[2] Create a new anomaly detection configuration
Option[2]:
Page 257
Step 22 The following configuration was entered.
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name asa-ips
telnet-option disabled
sshv1-fallback enabled
access-list 10.0.0.0/8
access-list 64.0.0.0/8
Page 258
HTTPS to connect to this ASA 5500-X IPS SSP with a web browser. Step 28 Apply the most recent service pack and signature update. You are now ready to configure the ASA 5500-X IPS SSP for intrusion prevention.
Event Action Rules: rules0
Signature Definitions: sig0
[1] Edit Interface Configuration
[2] Edit Virtual Sensor Configuration
[3] Display configuration
Option:
Enter to edit the interface configuration. Step 8
Page 260
Enter a name and description for your virtual sensor. Step 15
Name[]: newVs
Description[Created via setup by user cisco]: New Sensor
Anomaly Detection Configuration
[1] ad0
[2] Create a new anomaly detection configuration
Option[2]:
Page 261
Step 22 The following configuration was entered.
service host
network-settings
host-ip 10.1.9.201/24,10.1.9.1
host-name ips-ssm
telnet-option disabled
sshv1-fallback enabled
access-list 10.0.0.0/8
access-list 64.0.0.0/8
Page 262
ASA 5585-X IPS SSP for intrusion prevention. For More Information For the procedure for using HTTPS to log in to the IDM, refer to Logging In to the IDM.
Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. To verify that you initialized your sensor, follow these steps: Log in to the sensor.
Page 264
You can also use the more current-config command to view your configuration. Step 3
Display the self-signed X.509 certificate (needed by TLS).
sensor# show tls fingerprint
MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01
SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
Page 265
Step 4 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when connecting to this sensor with a web browser.
Page 266
Appendix B Initializing the Sensor Verifying Initialization
Signature updates are posted to Cisco.com approximately every week, more often if needed. Service packs are posted to Cisco.com in a release train format, a new release every three months. Major and minor updates are also posted periodically. Check Cisco.com regularly for the latest IPS software.
Step 10 Click Agree to accept the software download rules. The File Download dialog box appears. The first time you download a file from Cisco.com, you must fill in the Encryption Software Export Distribution Authorization form before you can download the software.
A major update contains new functionality or an architectural change in the product. For example, the Cisco IPS 7.1 base version includes everything (except deprecated features) since the previous major release (the minor update features, service pack fixes, and signature updates) plus any new changes.
Page 270
Appendix C Obtaining Software IPS Software Versioning Figure C-1 illustrates what each part of the IPS software file represents for major and minor updates, service packs, and patch releases.
Page 271
Signature Engine Update A signature engine update is an executable file containing binary code to support new signature updates. Signature engine files require a specific service pack, which is also identified by the req designator.
IPS Software Release Examples Table C-1 lists platform-independent Cisco IPS software release examples. Table C-1 Platform-Independent Release Examples...
Step 4 Choose Products > Security > Intrusion Prevention System (IPS) > IPS Appliances > Cisco IPS 4200 Series Sensors. The Cisco IPS 4200 Series Sensors page appears. All of the most up-to-date IPS documentation is on this page.
Obtaining a License Key From Cisco.com This section describes how to obtain a license key from Cisco.com and how to install it using the CLI, the IDM, or the IME. It contains the following topics: • Understanding Licensing, page C-9...
Service Programs for IPS Products You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract.
For example, if you purchase an ASA 5585-X and then later want to add IPS and purchase an ASA-IPS10-K9, you must now purchase the Cisco Services for IPS service contract. After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key.
• The IDM or the IME contacts the license server on Cisco.com and sends the server the serial number to obtain the license key. This is the default method. Go to Step 5.
• Click the License File radio button to use a license file. To use this option, you must apply for a...
Page 278
IPS service contract before you can apply for a license key. Step 3 Fill in the required fields. Your Cisco IPS Signature Subscription Service license key will be sent by email to the e-mail address you specified.
Page 279
Step 7 Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. sensor# show version Application Partition: Cisco Intrusion Prevention System, Version 7.1(3)E4...
Step 3 Under Licenses Not Requiring a PAK, click Demo and Evaluation licenses. Step 4 Under Security Products/Cisco Services for IPS service license (Version 6.1 and later), click All IPS Hardware Platforms. Step 5 Fill in the required fields. Your license key will be sent to the email address you specified.
Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. Use the erase license-key command to uninstall the license key on your sensor. This allows you to delete an installed license key from a sensor without restarting the sensor or logging into the sensor using the service account.
Page 282
Appendix C Obtaining Software Obtaining a License Key From Cisco.com
system is using 33.6M out of 160.0M bytes of available disk space (21% usage)
application-data is using 70.5M out of 169.4M bytes of available disk space (44% usage)
Pay attention to the following upgrade notes and caveats when upgrading your sensor: • Anomaly detection has been disabled by default in IPS 7.1(2)E4 and later. If you did not configure the operation mode manually before the upgrade, it defaults to inactive after you upgrade to IPS 7.1(2)E4 or later.
Caution You cannot use the downgrade command to revert to a previous major or minor version, for example, from Cisco IPS 7.1 to 7.0. You can only use the downgrade command to downgrade from the latest signature update or signature engine update. To revert to 7.0, you must reimage the sensor.
• IPS 7.1 Upgrade Files The currently supported IPS 7.1(x) versions are 7.1(1)E4, 7.1(2)E4, 7.1(3)E4, 7.1(4)E4, and 7.1(6)E4. Not all IPS sensors are supported in each 7.1(x) version. For a list of the specific IPS filenames and the IPS versions that each sensor supports, refer to the Release Notes for your IPS version found at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_release_notes_list.html...
Caution You must log in to Cisco.com using an account with cryptographic privileges to download software. The first time you download software on Cisco.com, you receive instructions for setting up an account with cryptographic privileges.
Page 287
Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. To upgrade the sensor, follow these steps:...
Recovery partition images are generated for major and minor updates and only in rare situations for service packs or signature updates.
This section describes how to configure the sensor to automatically look for upgrades in the upgrade directory. It contains the following topics:
• Understanding Automatic Upgrades, page D-8
• Automatically Upgrading the Sensor, page D-8
Page 290
Upgrading, Downgrading, and Installing System Images Configuring Automatic Upgrades Understanding Automatic Upgrades Caution In IPS 7.1(5)E4 and later the default value of the Cisco server IP address has been changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address.
Page 291
80 to download the chosen package from a Cisco file server. The IP address may change for the Cisco file server, but you can find it in the lastDownloadAttempt section in the output of the show statistics host command.
Page 292
Step 3 Configure the sensor to automatically look for new upgrades either on Cisco.com or on your file server:
On Cisco.com. Continue with Step 4.
sensor(config-hos-aut)# cisco-server enabled
From your server.
SSH to the sensor with the default username and password (cisco/cisco) and then initialize the sensor again with the setup command. You cannot use Telnet until you initialize the sensor because Telnet is disabled by default.
ROMMON Some Cisco sensors include a preboot CLI called ROMMON, which lets you boot images on sensors where the image on the primary device is missing, corrupt, or otherwise unable to boot the normal application.
You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps: Step 1 Connect to a terminal server using one of the following methods: • For terminal servers with RJ-45 connections, connect a rollover cable from the console port on the...
The system enters ROMMON mode. The prompt appears.
rommon>
Check the current network settings. Step 4
rommon> set
ROMMON Variable Settings:
ADDRESS=0.0.0.0
SERVER=0.0.0.0
GATEWAY=0.0.0.0
PORT=Management0/0
VLAN=untagged
IMAGE=
CONFIG=
Page 298
Note The path is relative to the UNIX TFTP server default tftpboot directory. Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification.
Windows Example
rommon> IMAGE=\system_images\IPS-4270_20-K9-sys-1.1-a-7.1-3-E4.img
Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of your IPS 4345.
Boot the IPS 4345. Step 2
Booting system, please wait...
CISCO SYSTEMS
Embedded BIOS Version 1.0(5)0 09/14/04 12:23:35.90
Page 300
The system enters ROMMON mode. The prompt appears.
rommon>
Check the current network settings. Step 4
rommon> set
ROMMON Variable Settings:
ADDRESS=0.0.0.0
SERVER=0.0.0.0
GATEWAY=0.0.0.0
PORT=Management0/0
VLAN=untagged
IMAGE=
CONFIG=
Page 301
Caution Make sure that you enter the IMAGE command in all uppercase. You can enter the other ROMMON commands in either lower case or upper case, but the IMAGE command specifically must be all uppercase.
• Installing the IPS 4510 and IPS 4520 System Image Note The following procedure references the IPS 4510 but it also refers to the IPS 4520.
Page 303
Not all values are required to establish network connectivity. The address, server, gateway, and image values are required. If you are not sure of the settings needed for your local environment, contact your system administrator.
Page 304
Step 11 rommon> tftp Caution To avoid corrupting the system image, do not remove power from the IPS 4510 while the system image is being installed.
Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. To install the system image on the ASA 5500-X IPS SSP, follow these steps:...
• Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command, page D-25
• Installing the ASA 5585-X IPS SSP System Image Using ROMMON, page D-27
Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. To install the system image, transfer the software image from a TFTP server to the ASA 5585-X IPS SSP using the adaptive security appliance CLI.
Page 308
ASA 5585-X IPS SSP, the newly transferred image is running. Note To debug any errors that may happen during this process, use the debug module-boot command to enable debugging of the software installation process.
Press Break or Esc at the following prompt while the system is booting to interrupt boot. Press the spacebar to begin boot immediately. Note You have ten seconds to press Break or Esc. Use BREAK or ESC to interrupt boot.
Page 310
Note Use the same IP address that is assigned to the ASA 5585-X IPS SSP.
If necessary, assign the TFTP server IP address. Step 7
rommon> SERVER=ip_address
If necessary, assign the gateway IP address. Step 8
rommon> GATEWAY=ip_address
Page 311
• For the procedure for initializing the ASA 5585-X IPS SSP with the setup command, see Advanced Setup for the ASA 5585-X IPS SSP, page B-21.
Page 312
Appendix D Upgrading, Downgrading, and Installing System Images Installing System Images
The service has provision to filter bugs based on credentials to provide external and internal bug views for the search input. Check out Bug Search Tools & Resources on Cisco.com. For more details on the tool overview and functionalities, check out the help page, located at http://www.cisco.com/web/applicat/cbsshelp/help.html...
It can be a URL or a keyword.
• current-config—The current running configuration. The configuration becomes persistent as the commands are entered.
• backup-config—The storage location for the configuration backup.
Page 316
Would you like to copy current-config to backup-config before proceeding? [yes]: Enter to copy the current configuration to a backup configuration. Step 3 100% |************************************************| 36124 00:00
Analyze your situation to decide if you want a service account existing on the system.
Troubleshooting Disaster Recovery Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor.
The IPS administrator can then recover user passwords for other accounts using the CLI. The cisco user password reverts to cisco and must be changed after the next login.
Step 2 Press any key to pause the boot process. Step 3 Choose 2: Cisco IPS Clear Password (cisco). The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.
Recovering the ASA 5500-X IPS SSP Password You can reset the password to the default (cisco) for the ASA 5500-X IPS SSP using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.
Page 323
Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.
ASA 5585-X IPS SSP is not supported in ASA 8.3(x). You can reset the password to the default (cisco) for the ASA 5585-X IPS SSP using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.
Note This option does not appear in the menu if there is no IPS present. Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.
Verify the state of password recovery by using the include keyword to show settings in a filtered output. Step 3
sensor(config-hos)# show settings | include password
password-recovery: allowed <defaulted>
sensor(config-hos)#
ROMMON prompt, GRUB menu, switch CLI, or router CLI. If you attempt password recovery, it always appears to succeed. If it has been disabled, the password is not reset to cisco. The only option is to reimage the sensor.
• Using VACL capture or SPAN (promiscuous monitoring) is inconsistent with regard to VLAN tagging, which causes problems with VLAN groups.
– When using Cisco IOS software, a VACL capture port or a SPAN target does not always receive tagged packets even if it is configured for trunking.
MIB II, we do not guarantee that they all provide correct information. We fully support the other listed MIBs and their output is correct. Note CISCO-PROCESS-MIB is available on the sensor, but we do not support it. We know that some elements are not available.
• Make sure your sensor supports the global correlation features.
• Make sure your IPS version supports the global correlation features.
Step 3 show tech-support Reboot the sensor. Step 4 Enter show version after the sensor has stabilized to see if the issue is resolved. Step 5
VLAN ID information. You can configure the sensor to ignore specified address ranges. • A host can be unreachable from the CSA MC because it is behind a firewall. You can exclude unreachable hosts.
• Enable portfast on connected switchports to reduce spanning-tree forwarding delays. For More Information For more information about the hardware bypass card on the IPS 4270-20, see Hardware Bypass, page 5-5.
Although the sensor has rebuilt the cache files, the virtual sensor is not finished initializing.
sensor# show statistics virtual-sensor
Error: getVirtualSensorStatistics : Analysis Engine is busy.
sensor#
Total Undersize Packets Transmitted = 0
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
MAC statistics from interface GigabitEthernet0/0
Media Type = TX
Link Status = Up
Page 338
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
Current Configuration:
service host
network-settings
host-ip 192.168.1.2/24,192.168.1.1
host-name sensor
telnet-option enabled
access-list 0.0.0.0/0
ftp-timeout 300
no login-banner-text
exit
Total Packets Received = 1822323
Total Bytes Received = 131098876
Total Multicast Packets Received = 20
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
26.2M out of 160.0M bytes of available disk space (16% usage)
application-data is using 69.7M out of 171.6M bytes of available disk space (43% usage)
Page 342
The date and time of the last restart is listed. In this example, the last restart was on 2-19-2004 at 7:34. Step 4 If you do not have the latest software updates, download them from Cisco.com. Read the Readme that accompanies the software upgrade for any known DDTS for the SensorApp or the Analysis Engine.
Page 343
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
sensor#
Step 3 If the Link Status is down, make sure the sensing port is connected properly.
Page 344
-----------------------------------------------
enabled: true <defaulted>
retired: false <defaulted>
-----------------------------------------------
sensor(config-sig-sig-sta)#
Make sure you have Produce Alert configured. Step 3
sensor# configure terminal
Page 345
Number of Summary Intermediate Alerts
Number of Regular Summary Final Alerts
Number of Global Summary Final Alerts
Number of Alerts Output for further processing = 0alertDetails: Traffic Source: int0 ;
Replace the virtual sensor file.
cp /usr/cids/idsRoot/etc/defVirtualSensorConfig.xml /usr/cids/idsRoot/etc/VS-Config/virtualSensor.xml
Remove the cache files. Step 5
rm /usr/cids/idsRoot/var/virtualSensor/*.pmz
Exit the service account. Step 6
Log in to the sensor CLI. Step 7
Verify that the ARC is connecting to the network devices. Verify that the Event Action is set to Block Host for specific signatures. Verify that the master blocking sensor is properly configured.
The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. To verify that the ARC is running, use the show version command. If the MainApp is not running, the ARC cannot run.
Page 350
Step 3
sensor# show events error hh:mm:ss month day year | include : nac
Example
sensor# show events error 00:00:00 Apr 01 2011 | include : nac
Page 351
Note If you do not have the latest software updates, download them from Cisco.com. Read the Readme that accompanies the software upgrade for any known DDTS for the ARC. Step 5 Make sure the configuration settings for each device are correct (the username, password, and IP address).
To make sure blocking is occurring for a specific signature, follow these steps: Log in to the CLI. Step 1 Enter signature definition submode. Step 2 sensor# configure terminal
Make sure that the forwarding sensor is set up as TLS trusted host if the remote master blocking sensor is using TLS for web access.
Page 356
ARC statistics.
sensor# show statistics network-access
Current Configuration
AllowSensorShun = false
ShunMaxEntries = 250
MasterBlockingSensor
SensorIp = 10.89.149.46
SensorPort = 443
UseTls = 1
State
Locate the zone and CID section of the file and set the severity to debug.
severity=debug
Step 5 Save the file, exit the vi editor, and exit the service account.
Step 6 Log in to the CLI as administrator.
2. The Control Plane is the transport communications layer used by Card Manager on the AIP SSM.
3. The CIDS servlet interface is the interface layer between the CIDS web server and the servlets.
LOG_DEBUG, debug
LOG_INFO, timing
LOG_WARNING, warning
LOG_ERR, error
LOG_CRIT fatal
Note Make sure that your /etc/syslog.conf has that facility enabled at the proper priority.
Step 3 Exit signature definition submode.
sensor(config-sig-sig-ato)# exit
sensor(config-sig-sig)# exit
sensor(config-sig)# exit
Apply Changes:?[yes]:
Step 4 Press Enter to apply the changes or type no to discard them.
Analysis Engine usually stays up and running. You can upgrade at this time. After the upgrade, add the interfaces back to the virtual sensor vs0 using the setup command.
Issues With Automatic Update
Caution In IPS 7.1(5)E4 and later, the default value of the Cisco server IP address has been changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address.
443 for the initial automatic update connection to www.cisco.com, and you need port 80 to download the chosen package from a Cisco file server. The IP address may change for the Cisco file server, but you can find it in the lastDownloadAttempt section in the output of the show statistics host command.
Step 1 Close all browser windows.
Step 2 If you have Java Plug-in 1.3.x installed: Click Start > Settings > Control Panel > Java Plug-in 1.3.x.
At any point you may enter a question mark '?' for help.
User ctrl-c to abort configuration dialog at any prompt.
Default settings are in square brackets '[]'.
• For the procedure for configuring event actions, refer to Assigning Actions to Signatures.
• For the procedure for obtaining statistics about virtual sensor and Event Store, refer to Displaying Statistics.
IOS IPS versions, but some functions, such as health information and integrated configuration, are not available.
Recommended Action Upgrade to IPS 6.1 or later.
The output shows that the ASA 5500 AIP SSM is up. If the status reads Down, you can reset the module using the hw-module module 1 reset command:
asa# hw-module module 1 reset
Page 372
Recover module in slot 1? [confirm]
Recover issued for module in slot 1
asa(config)#
Slot-1 140> Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005
Slot-1 141> Platform ASA-SSM-10
Slot-1 142>...
ASA handles the packets. The following Normalizer engine signatures are not supported:
• 1300.0
• 1304.0
• 1305.0
• 1307.0
• 1308.0
• 1309.0
Refer to the following URL for information about ASA 5500 AIP SSM jumbo packet frame size:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1328
Note A jumbo frame is an Ethernet packet that is larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS).
ASA adaptive appliances running an affected software version with an ASA IPS module (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP) installed that is running IPS 7.1 or later. The common cause for these messages is global correlation and/or signature updates occurring on the ASA IPS module that results in these messages being generated for some, but not necessarily all of the updates, which are attempted every five minutes.
SensorApp crash or a service pack upgrade, failover is triggered and traffic passes through the ASA 5500-X IPS SSP that was previously the standby ASA 5500-X IPS SSP.
• 1330.12
• 1330.14
• 1330.15
• 1330.16
• 1330.17
• 1330.18
For More Information
For detailed information about the Normalizer engine, see Normalizer Engine.
IPS. For IPv4, 58 bytes of header data are added. For IPv6, 78 bytes of header data are added. The ASA removes the added IPS header before the packet leaves the ASA.
ASA adaptive appliances running an affected software version with an ASA IPS module (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP) installed that is running IPS 7.1 or later. The common cause for these messages is global correlation and/or signature updates occurring on the ASA IPS module that results in these messages being generated for some, but not necessarily all of the updates, which are attempted every five minutes.
SensorApp crash or a service pack upgrade, failover is triggered and traffic passes through the ASA 5585-X IPS SSP that was previously the standby for the ASA 5585-X IPS SSP.
TCP reset packets. The ASA sends TCP reset packets to both the attacker and victim when the Reset TCP Connection is selected. When Deny Packet Inline or Deny Connection Inline is selected, the ASA
Conditions ASA adaptive appliances running an affected software version with an ASA IPS module (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP) installed that is running IPS 7.1 or later. The common cause for these messages is global correlation and/or signature updates occurring on the ASA IPS module that results in these messages being generated for some, but not necessarily all of the updates, which are attempted every five minutes.
This section describes the show tech-support command, and contains the following topics:
• Understanding the show tech-support Command, page E-85
• Displaying Tech Support Information, page E-85
• Tech Support Command Output, page E-86
The maximum size of these varlog files is 200 KB. Once they cross the size limit the content is rotated. The content of varlog, varlog.1, and varlog.2 is displayed in the output of the show tech-support command.
Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed.
The following is an example of the show tech-support command output:...
Page 399
Missed Packet Percentage = 0
Total Packets Received = 4285610
Total Bytes Received = 548558080
Total Multicast Packets Received = 0
Total Broadcast Packets Received = 0
Page 400
Number of SigEvents since reset = 0
Statistics for Actions executed on a SigEvent
Number of Alerts written to the IdsEventStore = 0
Inspection Stats
--MORE--
Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed.
To display the version and configuration, follow these steps:
Log in to the CLI.
Page 402
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.1.2/24, 192.168.1.1
host-name sensor
telnet-option enabled
access-list 0.0.0.0/0
dns-primary-server disabled
The show statistics command is useful for examining the state of the sensor services. This section describes the show statistics command, and contains the following topics:
• Understanding the show statistics Command, page E-92
• Displaying Statistics, page E-92
Page 404
Step 1
Step 2 Display the statistics for the Analysis Engine.
sensor# show statistics analysis-engine
Analysis Engine Statistics
Number of seconds since service started = 431157
Page 407
Denied Attackers and hit count for each.
Denied Attackers and hit count for each.
Statistics for Virtual Sensor vs0
Denied Attackers with percent denied and hit count for each.
Page 410
InterfaceName = ethernet0/1
InterfaceDirection = out
InterfacePostBlock = Post_Acl_Test
BlockInterface
InterfaceName = ethernet0/1
InterfaceDirection = in
InterfacePreBlock = Pre_Acl_Test
InterfacePostBlock = Post_Acl_Test
NetDevice
Type = CAT6000_VACL
Page 411
BlockMinutes =
Host
IP = 203.0.113.4
Vlan =
ActualIp =
BlockMinutes = 60
MinutesRemaining = 24
Network
IP = 203.0.113.9
Mask = 255.255.0.0
BlockMinutes =
sensor#
Page 412
Total IPv6 packets processed since reset = 0
Total IPv6 AH packets processed since reset = 0
Total IPv6 ESP packets processed since reset = 0
Page 413
Number of fragments forwarded since reset = 0
Number of fragments dropped since last reset = 0
Number of fragments modified since last reset = 0
Page 414
= 64.101.182.167
session is persistent = no
number of requests serviced on current connection = 1
last status code = 200
Total Jumbo Packets Transmitted = 0
Total Undersize Packets Transmitted = 0
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
MAC statistics from interface GigabitEthernet0/0
Here are the parameters for the show events command:
sensor# show events
<cr>
alert Display local system alerts.
error Display error events.
hh:mm[:ss] Display start time.
Display log events.
Page 418
Note The ARC is formerly known as NAC. This name change has not been completely implemented throughout the IDM, the IME, and the CLI for Cisco IPS 7.1.
• status—Displays status events.
• past—Displays events starting in the past for the specified hours, minutes, and seconds.
Page 419
Step 5 Display alerts from the past 45 seconds.
sensor# show events alert past 00:00:45
evIdsAlert: eventId=1109695939102805307 severity=medium vendor=Cisco
originator:
hostId: sensor
appName: sensorApp
Page 420
To clear events from the Event Store, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Clear the Event Store.
sensor# clear events
Page 421
Step 5 Send the resulting HTML file to TAC or the IPS developers in case of a problem.
For More Information
For the procedure for putting a file on the Cisco FTP site, see Uploading and Accessing Files on the Cisco FTP Site, page E-109.
100/1000Base-TX operations. You can use a Category 3 cable for 10Base-TX operations. Figure F-1 shows the 10/100BaseT (RJ-45) port pinouts.
Figure F-1 10/100 Port Pinouts
Page 424
To identify the RJ-45 cable type, hold the two ends of the cable next to each other so that you can see the colored wires inside the ends, as shown in Figure F-4.
Figure F-4 RJ-45 Cable Identification
Page 425
RJ-45 to DB-9 or DB-25
Table F-2 lists the cable pinouts for RJ-45 to DB-9.
Table F-2 Cable Pinouts for RJ-45 to DB-9
Signal Console Port RJ-45 Pin DB-9 Pin Signal
Page 427
ACLs are identified by number or by name. ACLs can be standard, enhanced, or extended. You can configure the sensor to manage ACLs.
ACS server
Cisco Access Control Server. A RADIUS security server that is the centralized control point for managing network users, network administrators, and network infrastructure resources.
Page 428
Glossary
ASA 5500 AIP SSM
Advanced Inspection and Prevention Security Services Module. The IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. The ASA 5500 AIP SSM is an IPS services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
Page 429
aspect version
Version information associated with a group of IDIOM default configuration settings. For example, Cisco Systems publishes the standard set of attack signatures as a collection of default settings with the S aspect. The S-aspect version number is displayed after the S in the signature update package file name.
Page 430
CA certificate
Certificate for one CA issued by another CA.
Cisco Express Forwarding. CEF is advanced, Layer 3 IP switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, on networks characterized by intensive Web-based applications, or interactive sessions.
Page 431
CIDEE
Cisco Intrusion Detection Event Exchange. Specifies the extensions to SDEE that are used by Cisco IPS systems. The CIDEE standard specifies all possible extensions that may be supported by Cisco IPS systems.
CIDS header
The header that is attached to each packet in the IPS system. It contains packet classification, packet length, checksum results, timestamp, and the receive interface.
Page 432
CSA MC
Cisco Security Agent Management Center. CSA MC receives host posture information from the CSA agents it manages. It also maintains a watch list of IP addresses that it has determined should be quarantined from the network.
Page 433
Dynamic Trunking Protocol. A Cisco proprietary protocol in the VLAN group used for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (ISL or 802.1q) to be used.
Page 434
FTP server
File Transfer Protocol server. A server that uses the FTP protocol for transferring files between network nodes.
full duplex
Capability for simultaneous data transmission between a sending station and a receiving station.
Page 435
BSC is an example of a half-duplex protocol.
handshake
Sequence of messages exchanged between two or more network devices to ensure transmission synchronization.
Page 436
inline interface
A pair of physical interfaces configured so that the sensor forwards all traffic received on one interface out to the other interface in the pair.
Page 437
JNLP
Java Network Launching Protocol. Defined in an XML file format specifying how Java Web Start applications are launched. JNLP consists of a set of rules defining how exactly the launching mechanism should be implemented.
Page 438
master blocking sensor
A remote sensor that controls one or more devices. Blocking forwarding sensors send blocking requests to the master blocking sensor and the master blocking sensor executes the blocking requests.
Page 439
Hash Algorithm (SHA) are variations on MD4 and strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
Page 440
Next Business Day. The arrival of replacement hardware according to Cisco service contracts.
Neighborhood Discovery
Protocol for IPv6. IPv6 nodes on the same link use Neighbor Discovery to discover each other’s presence, to determine each other’s link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors.
Page 441
OSI term for packet. See also BPDU and packet.
Cisco Product Evolution Program. PEP is the UDI information that consists of the PID, the VID, and the SN of your sensor. PEP provides hardware version and serial number visibility through electronic query, product labels, and shipping items.
Page 442
ping
Often used in IP networks to test the reachability of a network device. It works by sending ICMP echo request packets to the target host and listening for echo response replies.
PIX Firewall
Private Internet Exchange Firewall. A Cisco network security device that can be programmed to block/enable addresses and ports between networks.
Page 443
This risk is higher when more damage could be inflicted on your network.
Return Materials Authorization. The Cisco program for returning faulty hardware and obtaining a replacement.
Page 444
service pack
Used for the release of defect fixes and for the support of new signature engines. Service packs contain all of the defect fixes since the last base version (minor or major) and any new defect fixes.
Page 445
Server Message Block. File-system protocol used in LAN manager and similar NOSs to package data and exchange information with other systems.
SMTP
Simple Mail Transfer Protocol. Internet protocol providing e-mail services.
Page 446
Serial Number. Part of the UDI. The SN is the serial number of your Cisco product.
SNAP
Subnetwork Access Protocol. Internet protocol that operates between a network entity in the subnetwork and a network entity in the end system. SNAP specifies a standard method of encapsulating IP datagrams and ARP messages on IEEE networks.
Page 447
TFN2K
Tribe Flood Network 2000. A common type of DoS attack that can take advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks.
Page 448
trusted key
Public key upon which a user relies; especially a public key that can be used as the first public key in a certification path.
tune
Adjusting signature parameters to modify an existing signature.
Page 449
Unique Device Identifier. Provides a unique identity for every Cisco product. The UDI is composed of the PID, VID, and SN. The UDI is stored in the Cisco IPS ID PROM.
UniDirectional Link Detection. Cisco proprietary protocol that allows devices connected through...
Page 450
LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible. VLAN Trunking Protocol. Cisco Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis.
Page 451
Cross Packet Inspection. Technology used by TCP that allows searches across packets to achieve packet and payload reassembly.
zone
A set of destination IP addresses sorted into an internal, illegal, or external zone used by Anomaly Detection.