Cisco IPS-4255-K9 Installation Guide
Cisco IPS-4255-K9 - Intrusion Protection Sys 4255 Manual
UPC - 746320951096
Cisco IPS-4255-K9 manual content summary:
- Cisco IPS-4255-K9 | Installation Guide - Page 1
Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 2
included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 © 2010-2012 Cisco Systems, Inc. All rights reserved. - Cisco IPS-4255-K9 | Installation Guide - Page 3
1-15 VLAN Group Mode 1-15 Deploying VLAN Groups 1-16 Supported Sensors 1-17 IPS Appliances 1-18 Introducing the IPS Appliance 1-18 Appliance Restrictions 1-19 Connecting an Appliance to a Terminal Server 1-19 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 iii - Cisco IPS-4255-K9 | Installation Guide - Page 4
IPS 4240 and the IPS 4255 2-7 Installing the IPS 4240-DC 2-10 3 C H A P T E R Installing the IPS 4260 3-1 Introducing the IPS 4260 3-1 Supported Interface Cards 3-2 Hardware Bypass 3-4 4GE Bypass Interface Card 3-4 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 5
IPS 4270-20 from the Rack 4-25 Installing the Cable Management Arm 4-28 Converting the Cable Management Arm 4-31 Installing the IPS 4270-20 4-35 Removing and Replacing the Chassis Cover 4-38 Accessing the Diagnostic Panel 4-41 Cisco Intrusion Prevention System Appliance and Module Installation Guide - Cisco IPS-4255-K9 | Installation Guide - Page 6
IDSM2 Configurations 7-2 Using the TCP Reset Interface 7-3 Front Panel Features 7-3 Installation and Removal Instructions 7-4 Required Tools 7-4 Slot Assignments 7-5 Installing the IDSM2 7-5 Verifying Installation 7-9 Removing the IDSM2 7-10 Cisco Intrusion Prevention System Appliance and Module - Cisco IPS-4255-K9 | Installation Guide - Page 7
Other IPS Modules 8-3 Restrictions 8-3 Hardware Interfaces 8-4 Installation and Removal Instructions 8-5 Verifying Installation 8-6 Logging In to the Sensor 9-1 Supported User Roles 9-1 Logging In to the Appliance 9-2 Connecting an Appliance to a Terminal Server 9-3 Logging In to the AIM IPS 9-4 The - Cisco IPS-4255-K9 | Installation Guide - Page 8
System Images 12-1 Supported FTP and HTTP/HTTPS Servers 12-2 Upgrading the Sensor 12-2 IPS 7.0 Upgrade Files 12-2 upgrade Command and Options 12-3 Using the upgrade Command 12-4 Upgrading the Recovery Partition 12-5 Configuring Automatic Upgrades 12-6 Automatic Upgrades 12-6 auto-upgrade Command and - Cisco IPS-4255-K9 | Installation Guide - Page 9
the Configuration File Using a Remote Server A-3 Creating the Service Account A-5 Disaster Recovery A-6 Recovering the Password A-7 Understanding Password Recovery A-8 Recovering the Appliance Password A-8 Using the GRUB Menu A-8 Using ROMMON A-9 Recovering the AIM IPS Password A-10 Recovering - Cisco IPS-4255-K9 | Installation Guide - Page 10
of Password Recovery A-15 Troubleshooting Password Recovery A-15 Time and the Sensor A-16 Time Sources and the Sensor A-16 Synchronizing IPS Module Clocks with Parent Device Clocks A-17 Verifying the Sensor is Synchronized with the NTP Server A-17 Correcting Time on the Sensor A-18 Advantages and - Cisco IPS-4255-K9 | Installation Guide - Page 11
A-69 Troubleshooting the AIM IPS and the NME IPS A-69 Interoperability With Other IPS Network Modules A-69 Gathering Information A-70 Health and Network Security Information A-70 Tech Support Information A-71 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 xi - Cisco IPS-4255-K9 | Installation Guide - Page 12
Information A-88 Sensor Events A-88 Understanding the show events Command A-89 Displaying Events A-89 Clearing Events A-92 cidDump Script A-92 Uploading and Accessing Files on the Cisco FTP Site A-93 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 xii OL - Cisco IPS-4255-K9 | Installation Guide - Page 13
, page xvi • Obtaining Documentation and Submitting a Service Request, page xvii Audience This guide is for experienced network security administrators who install and maintain Cisco IPS sensors, including the supported IPS appliances and modules. Comply with Local and National Electrical Codes - Cisco IPS-4255-K9 | Installation Guide - Page 14
. Warning The installation of the equipment must comply with local and national electrical codes. Warning! The be carried out in accordance with applicable electrical installation regulations. Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 xiv OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 15
NME IPS" "Logging In to the Sensor" "Initializing the Sensor" 11 "Obtaining Software" 12 "Upgrading, Downgrading, and Installing System Images" A "Troubleshooting" "Glossary" Description Describes IPS appliances and modules. Describes how to install the IPS 4240 and the IPS 4255. Describes - Cisco IPS-4255-K9 | Installation Guide - Page 16
as passwords are in angle brackets. Default Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface • Installing and Removing Interface Cards in Cisco IPS-4260 and IPS 4270-20 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 17
Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 xvii - Cisco IPS-4255-K9 | Installation Guide - Page 18
Contents Preface xviii Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 19
in either promiscuous or inline mode. Figure 1-1 on page 1-2 shows how you can deploy a combination of sensors operating in both inline (IPS) and promiscuous (IDS) modes to protect your network. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-1 - Cisco IPS-4255-K9 | Installation Guide - Page 20
session because of limitations in the TCP protocol. • Make ACL changes on switches, routers, and firewalls that the sensor manages. Note ACLs may block only future traffic, not current traffic. Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-2 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 21
protection posture. The Cisco signature team has spent many hours on testing the defaults to give your sensor the highest protection. If you think that you have lost these defaults, you can restore them. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 22
in on the sensor motherboard are in slot 0, and the PCI expansion slots are numbered beginning with slot 1 for the bottom slot with the slot numbers increasing from bottom to top (except for the IPS 4270-20, where the Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 23
Sensor AIM IPS AIP SSM-10 AIP SSM-20 AIP SSM-40 IDSM2 IPS 4240 Command and Control Interface Management0/0 GigabitEthernet0/0 GigabitEthernet0/0 GigabitEthernet0/0 GigabitEthernet0/2 Management0/0 OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 24
the interface support for appliances and modules running Cisco IPS. Table 1-2 Interface Support Base Chassis AIM IPS AIP SSM-10 Added Interface Cards - - Interfaces Supporting Inline VLAN Pairs (Sensing Ports) GigabitEthernet0/1 by ids-service-module command in the router configuration instead - Cisco IPS-4255-K9 | Installation Guide - Page 25
Sensor How the Sensor Functions Table 1-2 Interface Support (continued) Base Chassis AIP SSM-20 AIP SSM-40 IDSM2 IPS 4240 IPS 4255 IPS 4260 IPS 4260 Added Interface Cards - - - - - - 4GE-BP Interfaces Supporting Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 26
IPS - GigabitEthernet0/1 by ids-service-module command in the router configuration instead of VLAN pair or inline interface pair GigabitEthernet0/1 by ids-service-module command in the router configuration . Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 - Cisco IPS-4255-K9 | Installation Guide - Page 27
TCP Reset Interfaces Sensor AIM IPS AIP SSM-10 AIP SSM-20 AIP SSM-40 IDSM2 IPS 4240 IPS 4255 Alternate TCP Reset Interface None None None None System0/11 Any sensing interface Any sensing interface OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 28
(copper or fiber) interfaces, if the speed is configured for 1000 Mbps, the only valid duplex setting is auto. - The command and control interface cannot also serve as a sensing interface. 1-10 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 29
of these modes is allowed. - You cannot add a VLAN to more than one group on each interface. - You cannot add a VLAN group to multiple virtual sensors. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-11 - Cisco IPS-4255-K9 | Installation Guide - Page 30
sensor. The sensor analyzes a copy of the monitored traffic rather than the actual forwarded packet. The advantage of operating in promiscuous mode is that the sensor the interface configuration. 1-12 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504- - Cisco IPS-4255-K9 | Installation Guide - Page 31
, 962 4/1-4 both Note The SPAN/Monitor configuration is valuable when you want to assign different IPS policies per VLAN or when you have more bandwidth to monitor than one interface can handle. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-13 - Cisco IPS-4255-K9 | Installation Guide - Page 32
through interface pair 253444 Router Sensor VLAN A Switch Host For More Information For a list of restrictions pertaining to IPS sensor interfaces, see Interface Restrictions, page 1-10. 1-14 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 33
supports multiple virtual sensors, each of which can monitor one or more of these interfaces. This lets you apply multiple policies to the same sensor. The advantage is that now you can use a sensor -18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-15 - Cisco IPS-4255-K9 | Installation Guide - Page 34
not specifically assigned is specified. If the default VLAN setting is 0, the Note You can configure a port on sensor. The second variation does not apply to the IDSM2 because it cannot be connected in this way. 1-16 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 35
modules) that are supported by Cisco IPS 7.0. Table 1-4 Supported Sensors Model Name Appliances IPS 4240 IPS 4255 IPS 4260 Part Number IPS 4240-K9 IPS 4240-DC-K91 IPS 4255-K9 IPS 4260-K9 Optional Interfaces - - - IPS-4GE-BP-INT= IPS-2SX-INT= IPS 4270-20 IPS 4260-4GE-BP-K9 IPS 4260-2SX-K9 IPS - Cisco IPS-4255-K9 | Installation Guide - Page 36
, is a legacy model and is not supported in this document. For More Information For instructions on how to obtain the most recent Cisco IPS software, see Obtaining Cisco IPS Software, page 11-1. IPS Appliances This section describes the Cisco 4200 series appliance, and contains the following topics - Cisco IPS-4255-K9 | Installation Guide - Page 37
optimized for specific data rates and are packaged in Ethernet, Fast Ethernet, and Gigabit Ethernet configurations. In switched environments, appliances must be connected to the SPAN port or VACL capture port of the switch. The Cisco IPS 4200 series appliances provide the following: • Protection of - Cisco IPS-4255-K9 | Installation Guide - Page 38
Advanced Integration Module (AIM IPS) integrates and brings inline Cisco IPS functionality to Cisco access routers. You can install the AIM IPS in Cisco 1841, 2800 series, and 3800 series routers. 1-20 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504 - Cisco IPS-4255-K9 | Installation Guide - Page 39
includes all communications between applications, such as IDM, IME, CSM, and CS-MARS, and the servers on the module for exchange of IPS events, IP logs, configuration, and control messages. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-21 - Cisco IPS-4255-K9 | Installation Guide - Page 40
manager. There are three models of AIP SSM: • ASA-SSM-AIP-10-K9 - Supports 150 Mbps of IPS throughput when installed in ASA 5510 - Supports 225 Mbps of IPS throughput when installed in ASA 5520 1-22 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 41
a private (inside) network and a public (outside) network. The web server is on the DMZ interface, and HTTP clients from both the inside and outside networks can access the web server securely. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-23 - Cisco IPS-4255-K9 | Installation Guide - Page 42
IPS Modules Chapter 1 Introducing the Sensor Figure 1-8 DMZ Configuration HTTP client ASA security appliance 10.10.10.10 Inside 10.10.10.0 Outside 209.165.200.225 DMZ 10.30.30.0 Internet HTTP client HTTP client 148403 Web server 10.30.30.30 In Figure 1-8 an HTTP client (10.10.10.10) on - Cisco IPS-4255-K9 | Installation Guide - Page 43
includes all communications between applications, such as IDM, IME, CSM, and CS-MARS, and the servers on the module for exchange of IPS events, IP logs, configuration, and control messages. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-25 - Cisco IPS-4255-K9 | Installation Guide - Page 44
obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server. You can set up NTP during initialization or you can configure NTP through the CLI, IDM, IME, or ASDM. 1-26 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 45
AIP SSM and the adaptive security appliance. - Use NTP-You can configure the AIP SSM to get its time from an NTP time synchronization source, such as a Cisco router other than the parent router. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-27 - Cisco IPS-4255-K9 | Installation Guide - Page 46
000 0.001 offset jitter 37.975 33.465 0.000 0.001 If the status continues to read Not Synchronized, check with the NTP server administrator to make sure the NTP server is configured correctly. 1-28 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 47
sensor model. For More Information • For ESD guidelines, see Electrical Safety Guidelines, page 1-31. • For the procedure for working in an ESD environment, see Working in an ESD Environment, page 1-32. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 48
chassis. The best placement of the baffles depends on the airflow patterns in the rack. Experiment with different arrangements to position the baffles effectively. 1-30 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 49
from the system frame and chassis. Other DC power guidelines are listed in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-31 - Cisco IPS-4255-K9 | Installation Guide - Page 50
the Sensor Power Supply power supply: - Each DC-input power supply requires dedicated 15-amp service. - For DC power cables, we recommend a minimum of 14 AWG upgrade part, are designed for one time use. 1-32 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 51
Chapter 1 Introducing the Sensor Cable Pinouts Step 3 Attach the wrist strap to your wrist and to the terminal on the work Console Port (RJ-45), page 1-35 • RJ-45 to DB-9 or DB-25, page 1-36 OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-33 - Cisco IPS-4255-K9 | Installation Guide - Page 52
for 10Base-TX operations. Note Some sensors support 10/100BaseT (IDS-4210, IDS-4215, and the optional 4FE card) while others support 10/100/1000BaseT (IDS-4235, IDS-4250-TX, IPS 4240, and IPS 4255). This only applies to the copper appliances. The fiber appliances support 1000Base-SX only. The 10 - Cisco IPS-4255-K9 | Installation Guide - Page 53
the Sensor Cable Pinouts Console Port (RJ-45) Cisco products use the following types of RJ-45 cables: • Straight-through • Cross-over • Rolled (console) Note Cisco does not end of the cable. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 1-35 - Cisco IPS-4255-K9 | Installation Guide - Page 54
-45 to DB-9 or DB-25 Signal RTS DTR TxD GND GND RxD DSR CTS RJ-45 Pin 8 7 6 5 4 3 2 1 DB-9 /DB-25 Pin 8 6 2 5 5 3 4 7 Chapter 1 Introducing the Sensor 1-36 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 55
the IPS 4255, page 2-1 • Front and Back Panel Features, page 2-2 • Specifications, page 2-4 • Connecting the IPS 4240 to a Cisco 7200 Series Router, page 2-5 • Accessories, page 2-5 • Important Safety Instructions, page 2-5 • Rack Mounting, page 2-6 • Installing the IPS 4240 and the IPS 4255, page - Cisco IPS-4255-K9 | Installation Guide - Page 56
the IPS 4240 and the IPS 4255. Figure 2-1 IPS 4240/IPS 4255 Front Panel Features PWR STATUS FLASH Cisco IPS 4240 series Intrusion Prevention Sensor 114003 Power device is being accessed. Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 2-2 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 57
Figure 2-2 shows the back view of the IPS 4240 and the IPS 4255. Figure 2-2 IPS 4240 and IPS 4255 Back Panel Features GigabitEthernet0/0 External compact Serial Management0 100 Mbps 1000 Mbps OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 2-3 - Cisco IPS-4255-K9 | Installation Guide - Page 58
IPS 4240 and the IPS 4255 Specifications Table 2-3 lists the specifications for the IPS 4240 and the IPS 4255. Table 2-3 IPS 4240 and IPS 4255 Specifications Acoustic noise 60 dBa (maximum) Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 2-4 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 59
that accompanied this device. Statement 1071 SAVE THESE INSTRUCTIONS Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030 OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 2-5 - Cisco IPS-4255-K9 | Installation Guide - Page 60
Sensor 114016 Note The top hole on the left bracket is a banana jack you can use for ESD grounding purposes when you are servicing the system. You can use the two threaded holes to mount a ground lug to ground the chassis. Cisco Intrusion Prevention System Appliance and Module Installation Guide - Cisco IPS-4255-K9 | Installation Guide - Page 61
safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 2-7 - Cisco IPS-4255-K9 | Installation Guide - Page 62
connect the appliance to a port on a terminal server with RJ-45 or hydra cable assembly connections. Connect the appropriate cable from the console port on the appliance to a port on the terminal server. Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 2-8 OL - Cisco IPS-4255-K9 | Installation Guide - Page 63
command and control port. appliance. Initialize the appliance. Upgrade the appliance with the most recent Cisco IPS software. You are now ready to configure intrusion prevention on the appliance. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 64
equipment is suitable for connection to intra-building wiring only. Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030 2-10 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 65
that services the DC circuit, switch the circuit breaker to the OFF position, and tape the switch handle of the circuit breaker in the OFF position. Remove the DC power supply plastic shield. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 2-11 - Cisco IPS-4255-K9 | Installation Guide - Page 66
Chapter 2 Installing the IPS 4240 and the IPS 4255 Step 8 Strip the ends of the wires for insertion into the power connect lugs on the IPS 4240-DC. 148401 Switch Negative Positive Ground 2-12 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 67
Device Manager 7.0 - Installing and Using Cisco Intrusion Prevention System Manager Express 7.0 - Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 7.0 OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 2-13 - Cisco IPS-4255-K9 | Installation Guide - Page 68
Installing the IPS 4240-DC Chapter 2 Installing the IPS 4240 and the IPS 4255 2-14 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 69
subnets. The IPS 4260 is a purpose-built device that has support for both copper and fiber NIC environments thus providing flexibility of deployment in any environment. It replaces IDS-4250-XL. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 3-1 - Cisco IPS-4255-K9 | Installation Guide - Page 70
-T (4GE) monitoring interfaces. The IPS 4260 supports up to two 4GE bypass interfaces cards for a total of eight GE bypass interfaces. The 4GE bypass interface card supports hardware bypass. Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 3-2 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 71
fiber interfaces. The card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the IPS 4260. The 10GE interface card does not support hardware bypass. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 3-3 - Cisco IPS-4255-K9 | Installation Guide - Page 72
in each inline VLAN subinterface. For each inline interface on which hardware bypass is available, the component interfaces are set to standby mode. If the sensor is Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 3-4 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 73
problems. The sensor is only guaranteed to operate correctly with the switch if both of them are configured for identical speed and duplex, which means that the sensor must be set for autonegotiation too. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 74
Cisco IPS 4260 series Intrusion Prevention Sensor 153095 ID There are three switches on the front panel of the IPS 4260: • Power-Toggles the system power. • Reset-Resets the system. • ID-Toggles the system ID indicator. Cisco Intrusion Prevention System Appliance and Module Installation Guide - Cisco IPS-4255-K9 | Installation Guide - Page 75
(not supported) CONSOLE GE 0/1 MGMT Console Management port 0/0 USB ports (not used) Gigabit Ethernet 0/1 Video connector (not supported) 3 2 1 Power Power supply 2 supply 1 153094 OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 3-7 - Cisco IPS-4255-K9 | Installation Guide - Page 76
only 5Vsb on (power supply off). No AC power to this power supply (for 1+1 configuration) or power supply critical event causing a shutdown: failure, fuse blown (1+1 only), OCP 12 , or slow fan. Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 3-8 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 77
The IPS 4260 accessories kit contains the following: • DB25 connector • DB9 connector • Rack mounting kit-screws, washers, and metal bracket • RJ45 console cable • Two 6-ft Ethernet cables OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 3-9 - Cisco IPS-4255-K9 | Installation Guide - Page 78
steps: Step 1 Attach each inner rail to each side of the chassis with three 8-32x1/4" SEMS screws. RESET ID ID NIC POWER FLASH STATUS Cisco IPS 4260 series Intrusion Prevention Sensor 153314 3-10 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 79
Sensor 153315 Step 3 Using the four inner studs, install the mounting brackets to the outer rail with four 8-32 KEPS nuts. Insert four thread covers over the four outer studs on each side. 153316 OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 80
Step 5 Slide the IPS 4260 into the rack making sure the inner rail is aligned with the outer rail. RESET ID ID NIC POWER FLASH STATUS Cisco IPS 4260 series Intrusion Prevention Sensor 153318 3-12 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 81
Sensor 153320 Step 2 Using the four inner studs, install the mounting brackets to the outer rail with four 8-32 KEPS nuts. Insert four thread covers over the four outer studs on each side. 153321 OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 82
Step 4 Slide the IPS 4260 into the rack making sure the inner rail is aligned with the outer rail. RESET ID ID NIC POWER FLASH STATUS Cisco IPS 4260 series Intrusion Prevention Sensor 153323 3-14 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 83
procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 3-15 - Cisco IPS-4255-K9 | Installation Guide - Page 84
enter configuration appliance to a port on a terminal server with RJ-45 or hydra cable assembly connections. Connect the appropriate cable from the console port on the appliance to a port on the terminal server. 3-16 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 85
• Management0/0 (MGMT) is the command and control port. • GigabitEthernetslot_number/port_number through GigabitEthernetslot_number/port_number are the on the IPS 4260. Initialize the IPS 4260. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 3-17 - Cisco IPS-4255-K9 | Installation Guide - Page 86
, see Connecting an Appliance to a Terminal Server, page 1-19. • For the procedure for using the setup command to initialize the IPS 4260, see Initializing the Sensor, page 10-1. • For the procedure for obtaining and installing the most recent IPS software, see Obtaining Cisco IPS Software, page 11 - Cisco IPS-4255-K9 | Installation Guide - Page 87
the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. Note Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4260 does not require any special tools and does not create - Cisco IPS-4255-K9 | Installation Guide - Page 88
Prepare the IPS 4260 to be powered off: sensor# reset powerdown IPS 4260. If rack-mounted, remove the IPS 4260 from the rack. Make sure the IPS 4260 is in an ESD-controlled environment. Remove the chassis cover. 3-20 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS - Cisco IPS-4255-K9 | Installation Guide - Page 89
slot cover screw to hold the card to the carrier. If necessary, reinstall the card support at the back of the card carrier. Replace the card carrier in the chassis. Replace the chassis cover. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 3-21 - Cisco IPS-4255-K9 | Installation Guide - Page 90
cable and other cables from the IPS 4260. Note Power supplies are hot-swappable. You can replace a power supply while the IPS 4260 is running, if you are replacing a redundant power supply. 3-22 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL-18504-01 - Cisco IPS-4255-K9 | Installation Guide - Page 91
Chapter 3 Installing the IPS 4260 Step 5 Squeeze the tabs to remove the filler plate. Installing and Removing the supply, replace the power cord and other cables. Step 9 Power on the IPS 4260. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 3-23 - Cisco IPS-4255-K9 | Installation Guide - Page 92
the IPS 4260 For More Information For the IDM procedure for resetting the IPS 4260, refer to Rebooting the Sensor; for the IME procedure for resetting the IPS 4260, refer to Rebooting the Sensor. 3-24 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 OL - Cisco IPS-4255-K9 | Installation Guide - Page 93
• Installing and Removing Interface Cards, page 4-41 • Installing and Removing the Power Supply, page 4-44 • Installing and Removing Fans, page 4-49 • Troubleshooting Loose Connections, page 4-51 OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 4-1 - Cisco IPS-4255-K9 | Installation Guide - Page 94
these ports. You receive the following error if you exceed the number of supported ports: The number of installed network interfaces exceeds the limit of 16. The excess interfaces are ignored. - Cisco IPS-4255-K9 | Installation Guide - Page 95
-T (4GE) monitoring interfaces. The IPS 4270-20 supports up to four 4GE bypass interface cards for a total of sixteen GE bypass interfaces. The 4GE bypass interface card supports hardware bypass. - Cisco IPS-4255-K9 | Installation Guide - Page 96
fiber interfaces. The card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the IPS 4270-20. The 10GE interface card does not support hardware bypass. - Cisco IPS-4255-K9 | Installation Guide - Page 97
in each inline VLAN subinterface. For each inline interface on which hardware bypass is available, the component interfaces are set to standby mode. If the sensor is - Cisco IPS-4255-K9 | Installation Guide - Page 98
any cabling problems. The sensor is only guaranteed to operate correctly with the switch if both of them are configured for identical speed and duplex, which means that the sensor must be set for autonegotiation too. - Cisco IPS-4255-K9 | Installation Guide - Page 99
of the IPS 4270-20. Figure 4-5 IPS 4270-20 Front View Switches/Indicators - Cisco IPS-4255-K9 | Installation Guide - Page 100
Table 4-1 describes the front panel switches and indicators on the IPS • Off-No network connection - Cisco IPS-4255-K9 | Installation Guide - Page 101
has no AC power Figure 4-7 shows the back view of the IPS 4270-20. Figure 4-7 IPS 4270-20 Back Panel Features Power supply 2 Sensing interface expansion slots Power /0 Management0/0 - Cisco IPS-4255-K9 | Installation Guide - Page 102
Front and Back Panel Features Chapter 4 Installing the IPS 4270-20 Figure 4-8 shows the built-in Ethernet port, which has two No network activity Linked to network Not linked to network - Cisco IPS-4255-K9 | Installation Guide - Page 103
remove the chassis cover to view the Diagnostic Panel, leave the IPS 4270-20 powered on. Powering off the IPS 4270-20 clears the Diagnostic Panel indicators. Figure 4-9 shows PPM3 PPM4 - Cisco IPS-4255-K9 | Installation Guide - Page 104
location of the Diagnostic Panel in the IPS 4270-20 chassis, see Figure 4-10 on page 4-13. • For information on how to access the Diagnostic Panel, see Accessing the Diagnostic Panel, page 4-41. - Cisco IPS-4255-K9 | Installation Guide - Page 105
4-10 IPS 4270-20 Internal Components (figure callouts: power supply, sensing interface expansion slots, cooling fans, diagnostic panel) - Cisco IPS-4255-K9 | Installation Guide - Page 106
Chapter 4 Installing the IPS 4270-20 Specifications Table 4-5 lists the specifications for the IPS 4270-20. Table 4-5 IPS 4270-20 Specifications Dimensions and Weight Height 6. sunlight. - Cisco IPS-4255-K9 | Installation Guide - Page 107
Cisco Intrusion Detection and Prevention System 4200 Series Appliance Sensor • Documentation Roadmap for Cisco Intrusion Prevention System Installing the Rail System Kit You can install the IPS - Cisco IPS-4255-K9 | Installation Guide - Page 108
the security appliance in a threaded-hole rack. This rail system supports a parts (screws, and so forth) • One cable management arm stop bracket Space and Airflow Requirements To allow for servicing - Cisco IPS-4255-K9 | Installation Guide - Page 109
The tapered end of the chassis side rail should be at the back of the IPS 4270-20. The chassis side rail is held in place by the inner latch. Step 2 Repeat Step 1 for each chassis side rail. - Cisco IPS-4255-K9 | Installation Guide - Page 110
Step 3 To remove the chassis side rail, lift the latch, and slide the rail forward. - Cisco IPS-4255-K9 | Installation Guide - Page 111
are installing the IPS 4270-20 in a shallow rack, one that is less than 28.5 in. (72.39 cm), remove the screw from the inside of the slide assembly before continuing with Step 5. - Cisco IPS-4255-K9 | Installation Guide - Page 112
Installing the Rail System Kit Chapter 4 Installing the IPS 4270-20 Step 5 Attach the slide assemblies to the rack. For round- release the slide assembly if you need to reposition it. - Cisco IPS-4255-K9 | Installation Guide - Page 113
on each slide assembly using a standard screwdriver. Note You may need a pair of pliers to hold the retaining nut. - Cisco IPS-4255-K9 | Installation Guide - Page 114
the IPS 4270-20 b. Line up the bracket on the slide assembly with the rack holes, install two screws (top and bottom) on each end of the slide assembly. c. Repeat for each slide assembly. - Cisco IPS-4255-K9 | Installation Guide - Page 115
Chapter 4 Installing the IPS 4270-20 Step 6 Extend the slide assemblies out of the rack. Installing the Rail System Kit - Cisco IPS-4255-K9 | Installation Guide - Page 116
carefully push the IPS 4270-20 in to place. Caution Keep the IPS 4270-20 is required). - Cisco IPS-4255-K9 | Installation Guide - Page 117
IPS 4270-20, see Installing the IPS 4270-20, page 4-35. Extending the IPS 4270-20 from the Rack You can extend the IPS 4270-20 from the rack for service or removal. Caution You can only extend the IPS - Cisco IPS-4255-K9 | Installation Guide - Page 118
of the IPS 4270-20 Step 2 After performing the installation or maintenance procedure, slide the IPS 4270-20 in to the rack by pressing the rail-release latches. - Cisco IPS-4255-K9 | Installation Guide - Page 119
tab in the middle of the slide assembly forward, and pull the IPS 4270-20 from the rack. - Cisco IPS-4255-K9 | Installation Guide - Page 120
on the cable management arm with the stud on the back of the IPS 4270-20 and align the two studs at the back of the chassis - Cisco IPS-4255-K9 | Installation Guide - Page 121
it in to place. Caution Make sure the metal tab is on the outside of the upper part of the cable management arm. to the IPS 4270-20 and the rack rail. - Cisco IPS-4255-K9 | Installation Guide - Page 122
through the cable management arm, make sure the cables are not pulled tight when the IPS 4270-20 is fully extended. parts of the cable management arm together. - Cisco IPS-4255-K9 | Installation Guide - Page 123
Chapter 4 Installing the IPS 4270-20 Installing the Rail System Kit Step 4 Attach the cable management arm stop Note Make sure to orient the management arm with the cable trough facing upward. - Cisco IPS-4255-K9 | Installation Guide - Page 124
Chapter 4 Installing the IPS 4270-20 To convert the cable management arm swing, follow these steps: Step 1 Pull up the spring pin and slide the bracket off the cable management arm. - Cisco IPS-4255-K9 | Installation Guide - Page 125
Chapter 4 Installing the IPS 4270-20 Installing the Rail System Kit Step 2 Remove the bottom sliding bracket and flip it over to the top of the bracket aligning the studs. - Cisco IPS-4255-K9 | Installation Guide - Page 126
Installing the Rail System Kit Chapter 4 Installing the IPS 4270-20 Step 3 On the other side of the sliding bracket, align the one way because the hole for the spring pin is offset. - Cisco IPS-4255-K9 | Installation Guide - Page 127
IPS 4270-20 Installing the IPS 4270-20 Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. Warning IMPORTANT SAFETY INSTRUCTIONS - Cisco IPS-4255-K9 | Installation Guide - Page 128
: • Management0/0 (MGMT0/0) is the command and control port. • GigabitEthernetslot_number/port_number through GigabitEthernetslot_number/port_number are the can create security concerns. - Cisco IPS-4255-K9 | Installation Guide - Page 129
the instructions for setting up a terminal server, see Connecting an Appliance to a Terminal Server, page 1-19. • For the procedure for using the setup command to initialize the IPS 4270-20, see Initializing the Sensor, page 10-1. • For the procedure for obtaining the most recent Cisco IPS software - Cisco IPS-4255-K9 | Installation Guide - Page 130
in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. Warning This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than 120 VAC - Cisco IPS-4255-K9 | Installation Guide - Page 131
of a turn counterclockwise to unlock it. Lift up the cover latch on the top of the chassis. - Cisco IPS-4255-K9 | Installation Guide - Page 132
for installing the power cables on the IPS 4270-20, see Installing the IPS 4270-20, page 4-35. • If you are reinstalling the IPS 4270-20 in a rack, see Installing the Rail System Kit, page 4-15. - Cisco IPS-4255-K9 | Installation Guide - Page 133
supported six slots (slots 3 to 8). Caution To prevent damage to the IPS 4270-20 or the expansion cards, power down the IPS 4270-20 and remove all AC power cables before removing or installing expansion cards. - Cisco IPS-4255-K9 | Installation Guide - Page 134
the IPS 4270-20 to be powered off: sensor# reset IPS 4270-20. If rack-mounted, extend the IPS 4270-20 from the rack. Make sure the IPS 4270-20 is in an ESD-controlled environment. Remove the chassis cover. - Cisco IPS-4255-K9 | Installation Guide - Page 135
12 Step 13 Replace the chassis cover. Slide the server back in to the rack by pressing the server rail-release handles. Reconnect the power cables to the IPS 4270-20. Power on the IPS 4270-20. - Cisco IPS-4255-K9 | Installation Guide - Page 136
warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. The IPS 4270-20 ships with two hot-pluggable power supplies, thus providing a redundant power supply configuration. You can install or replace either power supply without - Cisco IPS-4255-K9 | Installation Guide - Page 137
the IPS 4270-20 to remove the shipping screw. The T-15 Torx screwdriver is located to the right of power supply. - Cisco IPS-4255-K9 | Installation Guide - Page 138
Installing and Removing the Power Supply Chapter 4 Installing the IPS 4270-20 Step 6 Remove the power supply by pulling it away from the chassis. - Cisco IPS-4255-K9 | Installation Guide - Page 139
open and slide the power supply into the bay. - Cisco IPS-4255-K9 | Installation Guide - Page 140
Rebooting the Sensor; for the IME procedure for powering down the IPS 4270-20, refer to Rebooting the Sensor. • For an illustration of the screwdriver and where it is located, see Figure 4-7 on page 4-9. - Cisco IPS-4255-K9 | Installation Guide - Page 141
Extend the server from the rack. Remove the chassis cover. Identify the failed fan by locating an amber indicator on top of the failed fan or a lighted FAN X indicator on the Diagnostic Panel. - Cisco IPS-4255-K9 | Installation Guide - Page 142
Diagnostic Panel, see Diagnostic Panel, page 4-11. • For the procedure for removing the chassis cover, see Removing and Replacing the Chassis Cover, page 4-38. - Cisco IPS-4255-K9 | Installation Guide - Page 143
indicators that indicate a component is not connected properly. • If problems continue, remove and reinstall each device, checking the connectors and sockets for bent pins or other damage. - Cisco IPS-4255-K9 | Installation Guide - Page 144
Troubleshooting Loose Connections Chapter 4 Installing the IPS 4270-20 - Cisco IPS-4255-K9 | Installation Guide - Page 145
° to +104°F (+0° to +40°C) -40° to +185°F (-40° to +85°C) 5% to 95% noncondensing 0 to 10,000 ft (0 to 3,000 m) 1 GB 512 MB - Cisco IPS-4255-K9 | Installation Guide - Page 146
in the module CLI. • Supported routers: - Cisco 1841 and 2801 - Cisco 2800 series (2811, 2821, and 2851) - Cisco 3800 series (3825 and 3845) Note The Cisco routers support up to one AIM IPS per platform. - Cisco IPS-4255-K9 | Installation Guide - Page 147
Modules • Supported Cisco IOS Feature Sets: - Cisco IOS Advanced Security - Cisco IOS Advanced IP Services - Cisco IOS Advanced Enterprise Services Interoperability With Other IPS Modules Caution You cannot upgrade an NM CIDS to an NME IPS. The Cisco access routers only support one IDS/IPS module - Cisco IPS-4255-K9 | Installation Guide - Page 148
itself and is used for routing traffic to the command and control interface of the AIM IPS. It is used as the default router IP address when you set up the AIM IPS command and control interface. - Cisco IPS-4255-K9 | Installation Guide - Page 149
and remove the AIM IPS, refer to the following documents: • Cisco 1800 Series Hardware Installation Guide (Modular) For instructions, refer to "Installing and Upgrading Internal Modules in Cisco 1800 Series Routers (Modular)." • Cisco 2800 Series Hardware Installation For instructions, refer to - Cisco IPS-4255-K9 | Installation Guide - Page 150
" PID: CISCO3825 , VID: V01 , SN: FTX1009C3KT NAME: "Cisco Intrusion Prevention System AIM in AIM slot: 1", DESCR: "Cisco Intrusion Prevention" PID: AIM IPS-K9 , VID: V01 , SN: FOC11372M9X router# - Cisco IPS-4255-K9 | Installation Guide - Page 151
Removal Instructions, page 6-3 Specifications Table 6-1 lists the specifications for the AIP SSM: Table 6-1 AIP SSM Specifications Specification Description Dimensions for the 55c maximum - Cisco IPS-4255-K9 | Installation Guide - Page 152
Color State 1 PWR Green On 2 STATUS Green Flashing Solid Description The system has power. The system is booting. The system has passed power-up diagnostics. - Cisco IPS-4255-K9 | Installation Guide - Page 153
. There is network activity. There is network activity. Installation and Removal Instructions This section describes how to install and remove the AIP SSM, and which can disrupt other equipment. - Cisco IPS-4255-K9 | Installation Guide - Page 154
SSM is online using the show module 1 command. Initialize the AIP SSM. Install the most recent Cisco IPS software. Configure the AIP SSM to receive IPS traffic. For The AIP SSM is shutting down. - Cisco IPS-4255-K9 | Installation Guide - Page 155
to download a recovery image. To verify the status of the AIP SSM, follow these steps: Step 1 Step 2 Log in to the adaptive security appliance. Verify the status of the AIP SSM: asa# show module 1 Mod Card Type Model Serial No. 1 ASA 5500 Series Security Services Module-20 ASA-SSM - Cisco IPS-4255-K9 | Installation Guide - Page 156
ESD Environment, page 1-32. • For the procedure for verifying whether the AIP SSM is properly installed, see Verifying the Status of the AIP SSM, page 6-4. - Cisco IPS-4255-K9 | Installation Guide - Page 157
the following sections: • Specifications, page 7-1 • Software and Hardware Requirements, page 7-2 • Minimum Supported the IDSM2 Configurations, page 7-2 • Using the TCP Reset Interface, page 7-3 • Front Panel Features, page 7-3 • Installation and Removal Instructions, page 7-4 • Enabling Full - Cisco IPS-4255-K9 | Installation Guide - Page 158
Engine 720 • Cisco IDS software release 4.0 or later • Any Catalyst 6500 series switch chassis or 7600 router Minimum Supported the IDSM2 Configurations Note The following .2(18)SXF4 12.2(18)SXF4 - Cisco IPS-4255-K9 | Installation Guide - Page 159
the Shutdown button on the faceplate and wait for the Status indicator to turn amber. The shutdown procedure may take several minutes. - Cisco IPS-4255-K9 | Installation Guide - Page 160
• For more information about supervisor engines, refer to the Catalyst 6500 Series Switch Installation Guide. • For more information on handling ESD, see Working in an ESD Environment, page 1-32. - Cisco IPS-4255-K9 | Installation Guide - Page 161
Instructions IDSM2 in the Catalyst 6500 series switch, follow these steps: modules. Step 3 Remove the installation screws (use a screwdriver, if necessary) that secure the filler plate to the desired slot. - Cisco IPS-4255-K9 | Installation Guide - Page 162
Installation and Removal Instructions Step 4 Remove the filler plate by prying it out carefully. carrier to support it. Caution Do not touch the printed circuit boards or connector pins on the IDSM2. - Cisco IPS-4255-K9 | Installation Guide - Page 163
Removal Instructions Step 6 Place the IDSM2 in the slot by aligning the notch on the sides of the IDSM2 carrier with the groove in the slot. - Cisco IPS-4255-K9 | Installation Guide - Page 164
Device Manager 7.0 - Installing and Using Cisco Intrusion Prevention System Manager Express 7.0 - Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 7.0 - Cisco IPS-4255-K9 | Installation Guide - Page 165
48 port 10/100/1000mb RJ45 WS-X6548-GE-TX SAD073906GH 6 16 SFM-capable 16 port 1000mb GBIC WS-X6516A-GBIC SAL0740MMYJ - Cisco IPS-4255-K9 | Installation Guide - Page 166
IDSM2 from the Catalyst 6500 series switch. Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030 you could shock yourself. - Cisco IPS-4255-K9 | Installation Guide - Page 167
, place one hand under the carrier to support it. Caution Do not touch the printed part number 800-00292-01) to keep dust out of the chassis and to maintain proper airflow through the module compartment. - Cisco IPS-4255-K9 | Installation Guide - Page 168
the IDSM2 initially boots, by default it runs a partial memory test. You can enable a full memory test in Catalyst software and Cisco IOS software. This section describes . console> (enable) - Cisco IPS-4255-K9 | Installation Guide - Page 169
, page 7-13 • Cisco IOS Software, page 7-14 Catalyst Software To reset the IDSM2 from the CLI, follow these steps: Step 1 Step 2 Log in to the console. Enter privileged mode. console> enable - Cisco IPS-4255-K9 | Installation Guide - Page 170
. Example router# hw-module module 8 reset Device BOOT variable for reset = Warning: Device list is not verified. Proceed with reload of module? [confirm] % reset issued for module 8 router# - Cisco IPS-4255-K9 | Installation Guide - Page 171
sections: • Catalyst Software, page 7-15 • Cisco IOS Software, page 7-16 Catalyst Software Once module power up module_number Power down the IDSM2. console> (enable) set module power down module_number - Cisco IPS-4255-K9 | Installation Guide - Page 172
terminal mode. router# configure terminal Power up the IDSM2. router(config)# power enable module module_number Power down the IDSM2. router(config)# no power enable module module_number - Cisco IPS-4255-K9 | Installation Guide - Page 173
° to +104°F (+0° to +40°C) -40° to +185°F (-40° to +85°C) 5% to 95% noncondensing 0 to 10,000 ft (0 to 3,000 m) 2 GB 512 MB - Cisco IPS-4255-K9 | Installation Guide - Page 174
command in the module CLI. • Supported routers: - Cisco 2800 series (2811, 2821, and 2851) - Cisco 3800 series (3825 and 3845) Note The Cisco routers support up to one NME IPS per platform. - Cisco IPS-4255-K9 | Installation Guide - Page 175
Modules • Supported Cisco IOS Feature Sets: - Cisco IOS Advanced Security - Cisco IOS Advanced IP Services - Cisco IOS Advanced Enterprise Services Interoperability With Other IPS Modules Caution You cannot upgrade an NM CIDS to an NME IPS. The Cisco access routers only support one IDS/IPS module - Cisco IPS-4255-K9 | Installation Guide - Page 176
as inline or promiscuous using the Cisco IOS CLI. 4 The NME IPS interface to external link (Management0/1) Configure the command and control interface using the IPS CLI, IDM, IME, or CSM. - Cisco IPS-4255-K9 | Installation Guide - Page 177
Device Manager 7.0 - Installing and Using Cisco Intrusion Prevention System Manager Express 7.0 - Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 7.0 - Cisco IPS-4255-K9 | Installation Guide - Page 178
, VID: C , SN: 00000MTC101608RB NAME: "Cisco Intrusion Prevention System NM on Slot 2", DESCR: "Cisco Intrusion Prevention System NM" PID: NME IPS-K9 , VID: V01, SN: FHH1117001R router# - Cisco IPS-4255-K9 | Installation Guide - Page 179
is intended to be used for support and troubleshooting purposes only. Unauthorized modifications are not supported and will require this device to be re-imaged to guarantee proper operation - Cisco IPS-4255-K9 | Installation Guide - Page 180
laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to [email protected]. - Cisco IPS-4255-K9 | Installation Guide - Page 181
Chapter 9 Logging In to the Sensor Connecting an Appliance to a Terminal Server ***LICENSE NOTICE*** There is no license key installed on the system. Please go to http://www.cisco.com/go/license to obtain a new license or install a license. IPS 4240# For More Information • For the procedure for - Cisco IPS-4255-K9 | Installation Guide - Page 182
that the speed is set to 115200/bps. For More Information For the procedure for configuring an unnumbered IP address interface for the AIM IPS, refer to Using an Unnumbered IP Address Interface. - Cisco IPS-4255-K9 | Installation Guide - Page 183
.196 Mgmt web ports: 443 Mgmt TLS enabled: true Step 3 router# Open a session from the router to the AIM IPS. router# service-module ids-sensor 0/1 session Trying 10.89.148.196, 2322 ... Open - Cisco IPS-4255-K9 | Installation Guide - Page 184
1 Log in to the adaptive security appliance. Note If the adaptive security appliance is operating in multi-mode, use the change system command to get to the system level prompt before continuing. - Cisco IPS-4255-K9 | Installation Guide - Page 185
the procedure for using the setup command to initialize the AIP SSM, see Advanced Setup for the AIP SSM, page 10-16. - Cisco IPS-4255-K9 | Installation Guide - Page 186
www.cisco.com/go/license to obtain a new license or install a license. IDSM2# For More Information For the procedure for using the setup command to initialize the IDSM2, see Advanced Setup for the IDSM2, page 10-20. - Cisco IPS-4255-K9 | Installation Guide - Page 187
. When you issue the service-module ids-sensor slot/port session command, you create a console session with the NME IPS, in which you can issue any IPS configuration commands. After completing work in the session and exiting the IPS CLI, you are returned to the Cisco IOS CLI. The session command - Cisco IPS-4255-K9 | Installation Guide - Page 188
.195 Mgmt web ports: 443 Mgmt TLS enabled: true Step 3 router# Open a session from the router to the NME IPS. router# service-module ids-sensor 1/0 session Trying 10.89.148.195, 2322 ... Open - Cisco IPS-4255-K9 | Installation Guide - Page 189
the sensor over the network using SSH or Telnet. ssh sensor_ip_address telnet sensor_ip_address Enter your username and password at the login prompt. login: ****** Password: ****** ***NOTICE*** - Cisco IPS-4255-K9 | Installation Guide - Page 190
email to [email protected]. ***LICENSE NOTICE*** There is no license key installed on the system. Please go to http://www.cisco.com/go/license to obtain a new license or install a license. sensor# - Cisco IPS-4255-K9 | Installation Guide - Page 191
successfully completed. • If you have recovered or downgraded the sensor. • If you have set the host configuration to default after successfully configuring the sensor using automatic setup. - Cisco IPS-4255-K9 | Installation Guide - Page 192
prompt. Default settings are in square brackets '[]'. Current time: Thu Jan 15 21:19:51 2009 Setup Configuration last modified: Enter host name[sensor]: Enter IP interface[192.168.1.2/24,192.168.1.1]: - Cisco IPS-4255-K9 | Installation Guide - Page 193
Level = "Full" additionally includes: * Type of Data: Victim IP Address and port Purpose: Detect threat behavioral patterns Do you agree to participate in the SensorBase Network?[no]: - Cisco IPS-4255-K9 | Installation Guide - Page 194
to operate. a. Enter yes to add a DNS server, and then enter the DNS server IP address. b. Enter yes to add an HTTP proxy server, and then enter the HTTP proxy server IP address and port number. - Cisco IPS-4255-K9 | Installation Guide - Page 195
the Sensor Basic Sensor Setup Caution You must have a valid sensor license for Global Correlation features to function. You can still configure and of the Prime Meridian). The default is 0. - Cisco IPS-4255-K9 | Installation Guide - Page 196
day-of-week sunday time-of-day 02:00:00 exit exit ntp-option enabled ntp-keys 1 md5-key 8675309 ntp-servers 10.89.143.92 key-id 1 exit service global-correlation network-participation full exit - Cisco IPS-4255-K9 | Installation Guide - Page 197
connect to this appliance with a web browser. Apply the most recent service pack and signature update. You are now ready to configure your sensor for intrusion prevention. For More Information • For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page 11 - Cisco IPS-4255-K9 | Installation Guide - Page 198
Virtual Sensor: vs2 Anomaly Detection: ad0 Event Action Rules: rules0 Signature Definitions: sig0 [1] Edit Interface Configuration [2] Edit Virtual Sensor Configuration [3] Display configuration Option: - Cisco IPS-4255-K9 | Installation Guide - Page 199
can configure another interface, for example, GigabitEthernet0/1, for inline VLAN pair. Step 13 Press Enter to return to the top-level interface editing menu. [1] Remove interface configurations. - Cisco IPS-4255-K9 | Installation Guide - Page 200
default-vlan. Option: Step 17 Press Enter to return to the top-level editing menu. [1] Edit Interface Configuration [2] Edit Virtual Sensor Configuration [3] Display configuration Interface: - Cisco IPS-4255-K9 | Installation Guide - Page 201
300 no login-banner-text exit time-zone-settings offset 0 standard-time-zone-name UTC exit summertime-option disabled ntp-option disabled exit service web-server port 342 exit service interface - Cisco IPS-4255-K9 | Installation Guide - Page 202
service analysis-engine virtual-sensor newVs description Created via setup by user cisco configuration and exit setup. Step 27 Enter 2 to save the configuration. Enter your selection[2]: 2 Configuration Saved. - Cisco IPS-4255-K9 | Installation Guide - Page 203
5 sensor login: cisco Password: ******** Enter the setup command. The System Configuration Dialog is displayed. Enter 3 to access advanced setup. Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled. Specify the web server port. The web server port - Cisco IPS-4255-K9 | Installation Guide - Page 204
to exit the interface and virtual sensor configuration menu. Modify default threat prevention settings?[no]: Step 11 Enter yes if you want to modify the default threat prevention settings. - Cisco IPS-4255-K9 | Installation Guide - Page 205
2 Configuration Saved. Step 14 Reboot the AIM IPS. AIM IPS# reset Warning: Executing this command will stop all applications and reboot the node. Continue with reset? []: Step 15 Enter yes to continue the reboot. - Cisco IPS-4255-K9 | Installation Guide - Page 206
Rules: rules0 Signature Definitions: sig0 [1] Edit Interface Configuration [2] Edit Virtual Sensor Configuration [3] Display configuration Option: Enter 1 to edit the interface configuration. - Cisco IPS-4255-K9 | Installation Guide - Page 207
. Step 12 Press Enter to return to the main virtual sensor menu. Step 13 Enter 3 to create a virtual sensor. Name[]: Step 14 Enter a name and description for your virtual sensor. Name[]: newVs - Cisco IPS-4255-K9 | Installation Guide - Page 208
to exit the interface and virtual sensor configuration menu. Modify default threat prevention settings?[no]: Step 20 Enter yes if you want to modify the default threat prevention settings. - Cisco IPS-4255-K9 | Installation Guide - Page 209
without saving this config. [2] Save this configuration and exit setup. Step 22 Enter 2 to save the configuration. Enter your selection[2]: 2 Configuration Saved. Step 23 Reboot the AIP SSM. - Cisco IPS-4255-K9 | Installation Guide - Page 210
80 does not disable the encryption. Step 6 Enter yes to modify the interface and virtual sensor configuration. Current interface configuration Command control: GigabitEthernet0/2 Unassigned: - Cisco IPS-4255-K9 | Installation Guide - Page 211
: [1] All unassigned vlans. [2] Enter vlans range. Option: b. Enter 1 to assign all unassigned VLANs to subinterface 10. Subinterface Number: c. Enter 9 to add subinterface 9. - Cisco IPS-4255-K9 | Installation Guide - Page 212
/8:9 (Vlans: 1-100) Add Interface: Step 15 Press Enter to return to the top-level virtual sensor configuration menu. Virtual Sensor: vs0 Anomaly Detection: ad0 Event Action Rules: rules0 - Cisco IPS-4255-K9 | Installation Guide - Page 213
configuration was entered. service host network-settings host-ip 10.1.9.201/24,10.1.9.1 host-name IDSM2 telnet-option disabled ftp-timeout 300 no login-banner-text exit time-zone-settings offset 0 standard-time-zone-name UTC exit summertime-option disabled ntp-option disabled exit service web-server - Cisco IPS-4255-K9 | Installation Guide - Page 214
Device Manager 7.0 - Installing and Using Cisco Intrusion Prevention System Manager Express 7.0 - Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 7.0 - Cisco IPS-4255-K9 | Installation Guide - Page 215
5 sensor login: cisco Password: ******** Enter the setup command. The System Configuration Dialog is displayed. Enter 3 to access advanced setup. Specify the Telnet server status. You can disable or enable Telnet services. The default is disabled. Specify the web server port. The web server port - Cisco IPS-4255-K9 | Installation Guide - Page 216
sensors; otherwise, press Enter to accept the default of no. The following configuration was entered. service host network-settings host-ip 192.168.1.2/24,192.168.1.1 host-name NME IPS disabled - Cisco IPS-4255-K9 | Installation Guide - Page 217
Device Manager 7.0 - Installing and Using Cisco Intrusion Prevention System Manager Express 7.0 - Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface 7.0 - Cisco IPS-4255-K9 | Installation Guide - Page 218
offset -480 standard-time-zone-name PST exit exit service logger exit service network-access exit service notification exit service signature-definition sig0 exit - Cisco IPS-4255-K9 | Installation Guide - Page 219
the authenticity of the certificate when connecting to this sensor with a web browser. For More Information For the procedure for using HTTPS to log in to IDM, refer to Logging In to IDM. - Cisco IPS-4255-K9 | Installation Guide - Page 220
Verifying Initialization Chapter 10 Initializing the Sensor - Cisco IPS-4255-K9 | Installation Guide - Page 221
only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on Cisco IPS sensors voids the warranty. Obtaining Cisco IPS Software Note You must be logged in to Cisco.com and have an IPS subscription service license to - Cisco IPS-4255-K9 | Installation Guide - Page 222
features, service pack fixes, and signature updates) plus any new changes. Major update 7.0(1) requires 5.1(6) and later. With each major update there are corresponding system and recovery packages. - Cisco IPS-4255-K9 | Installation Guide - Page 223
7.0(1). Note Upgrading to a newer patch does not require you to uninstall the old patch. For example, you can upgrade from patch 7.0(1p1) to 7.0(1p2) without first uninstalling 7.0(1p1). - Cisco IPS-4255-K9 | Installation Guide - Page 224
Signature/Virus Updates, IPS-[sig]-[S]-req-E1.pkg Product line designator Package type Signature update Software version requirement designator Required engine version File extension 191014 - Cisco IPS-4255-K9 | Installation Guide - Page 225
crypto designator Package type Installer major version Installer minor version Application version designator Application version File extension IPS-K9-[mfq,sys,r,]-x.y-a-*.img or pkg 191015 - Cisco IPS-4255-K9 | Installation Guide - Page 226
Identifier sys Maintenance Annually mp partition image2 Supported Platform Example Filename Separate file IPS 4240-K9-sys-1.1-a-7.0-1-E3.img for each sensor platform IDSM2 c6svc-mp.2-1-2.bin.gz - Cisco IPS-4255-K9 | Installation Guide - Page 227
IPS 4240 series IPS 4255 series IPS 4260 series IPS 4270-20 series IDS module for Catalyst 6K IPS network module adaptive security appliance modules Identifier 4240 4255 4260 4270_20 IDSM2 AIM NME SSM_10 SSM_20 SSM_40 For More Information For instructions on how to access these files on Cisco.com - Cisco IPS-4255-K9 | Installation Guide - Page 228
AIP SSM, reimage from the adaptive security appliance using the hw-module module 1 recover configure/boot command. Caution When you install the system image for your sensor, all accounts are removed and the default account and password are reset to cisco. For More Information • For the procedure for - Cisco IPS-4255-K9 | Installation Guide - Page 229
Upgrade-Contains hardware installation and regulatory guides. • Configure-Contains configuration guides for IPS CLI, IDM, and IME. • Troubleshoot and Alerts-Contains TAC tech notes and field notices. Cisco Security Intelligence Operations The Cisco Security Intelligence Operations site on Cisco.com - Cisco IPS-4255-K9 | Installation Guide - Page 230
and password Trial license keys are also available. If you cannot get your sensor licensed because of problems with your contract, you can obtain a 60-day trial license that supports signature updates that require licensing. You can obtain a license key from the Cisco.com licensing server, which - Cisco IPS-4255-K9 | Installation Guide - Page 231
the License Key Using IDM or IME Note In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key. - Cisco IPS-4255-K9 | Installation Guide - Page 232
and click Open. Click Update License. For More Information For more information about obtaining a Cisco Services for IPS service contract, see Service Programs for IPS Products, page 11-11. - Cisco IPS-4255-K9 | Installation Guide - Page 233
before you can apply for a license key. Step 2 Fill in the required fields. Your Cisco IPS Signature Subscription Service license key will be sent by e-mail to the e-mail address you specified. - Cisco IPS-4255-K9 | Installation Guide - Page 234
-Apr-2010 sensor# Copy your license key from a sensor to a server to keep a backup copy of the license. sensor# copy license-key scp://[email protected]://tftpboot/dev.lic Password: ******* sensor# - Cisco IPS-4255-K9 | Installation Guide - Page 235
Obtaining a License Key From Cisco.com For More Information • For the procedure for adding a remote host to Cisco Services for IPS service contract, see Service Programs for IPS Products, page 11-11. - Cisco IPS-4255-K9 | Installation Guide - Page 236
Obtaining a License Key From Cisco.com Chapter 11 Obtaining Software - Cisco IPS-4255-K9 | Installation Guide - Page 237
reset to use the default password cisco. After installing the system image, you must initialize the sensor again. After you reimage and initialize your sensor, upgrade your sensor with the most recent service pack, signature update, signature engine update, minor update, major update, and recovery - Cisco IPS-4255-K9 | Installation Guide - Page 238
IPS 7.0 Upgrade Files The following files are part of Cisco IPS 7.0(1)E3: • Readme - IPS-7.0-1-E3.readme.txt • Major Version Upgrade File - IPS-K9-7.0-1-E3.pkg - IPS-AIM-K9-7.0-1-E3.pkg - IPS-NME-K9-7.0-1-E3.pkg - Cisco IPS-4255-K9 | Installation Guide - Page 239
]//absoluteDirectory]/filename Note You are prompted for a password. - http:-Source URL for the web server. The syntax for this prefix is: http:[[//username@] location]/directory] filename - Cisco IPS-4255-K9 | Installation Guide - Page 240
, enter the following: sensor(config)# upgrade ftp://username@ip_address//directory/IPS-K9-7.0-1-E3.pkg Enter the password when prompted. Enter password: ******** Enter yes to complete the upgrade. - Cisco IPS-4255-K9 | Installation Guide - Page 241
the recovery partition. Step 2 Step 3 Step 4 Log in to the CLI using an account with administrator privileges. Enter configuration mode. sensor# configure terminal Upgrade the recovery partition. - Cisco IPS-4255-K9 | Installation Guide - Page 242
/HTTPS servers, see Supported FTP and HTTP/HTTPS Servers, page 12-2. • For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 11-1. • For the procedure for using the recover command, see Using the recover Command, page 12-12. Configuring Automatic Upgrades This - Cisco IPS-4255-K9 | Installation Guide - Page 243
host submode to configure automatic upgrades. The following options apply: • cisco-server-Enables automatic signature and engine updates from Cisco.com. • cisco-url-The Cisco server locator service. You do not need to change this unless the www.cisco.com IP address changes. • default- Sets the value - Cisco IPS-4255-K9 | Installation Guide - Page 244
-hos-ena)# file-copy-protocol ftp Note If you use SCP, you must use the ssh host-key command to add the server to the SSH known hosts list so the sensor can communicate with it through SSH. - Cisco IPS-4255-K9 | Installation Guide - Page 245
ftp default: scp sensor(config-hos-ena)# Exit automatic upgrade submode. sensor(config-hos-ena)# exit sensor(config-hos)# exit Apply Changes:?[yes]: Press Enter to apply the changes or type no to discard them. - Cisco IPS-4255-K9 | Installation Guide - Page 246
Configuring Automatic Upgrades Chapter 12 Upgrading, Downgrading, and Installing System Images For More Information • For a list of supported FTP and HTTP/HTTPS servers, see Supported FTP and HTTP/HTTPS Servers, page 12-2. • For the procedure for adding a remote host to the trusted hosts list, for - Cisco IPS-4255-K9 | Installation Guide - Page 247
mode. sensor# configure terminal If there is no recently applied service pack or signature update, the downgrade command is not available. sensor(config)# downgrade No downgrade available. sensor(config)# - Cisco IPS-4255-K9 | Installation Guide - Page 248
are installed at remote locations. Note When you reconnect to the sensor after recovery, you must log in with the default username and password cisco. For More Information For the procedure for upgrading the recovery partition to the most recent version, see Upgrading the Recovery Partition, page 12 - Cisco IPS-4255-K9 | Installation Guide - Page 249
trying to recover the sensor by installing the system image, try to recover by using the recover application-partition command or by selecting the recovery partition during sensor bootup. - Cisco IPS-4255-K9 | Installation Guide - Page 250
, a Cisco-standard asynchronous RS-232C DTE available in an RJ-45F connector on the sensor chassis. The serial port is configured for 9600 baud, 8 data bits, 1 stop bit, no parity, and no flow control. For More Information For the procedure for using a terminal server, see Connecting an Appliance to - Cisco IPS-4255-K9 | Installation Guide - Page 251
ROMMON on the appliance to TFTP the system image onto the compact flash device. To install the IPS 4240 and IPS 4255 system image, follow these steps: Step 1 Download the IPS 4240 system image file (IPS 4240-K9-sys-1.1-a-6.27.0-1-E3.img) to the tftp root directory of a TFTP server that is accessible - Cisco IPS-4255-K9 | Installation Guide - Page 252
02 8086 25A3 IDE Controller 11 00 1F Cisco Systems ROMMON Version (1.0(5)0) #1: Tue Sep 14 12:20:30 PDT 2004 Platform IPS 4240-K9 SERVER=0.0.0.0 GATEWAY=0.0.0.0 PORT=Management0/0 VLAN=untagged IMAGE= CONFIG= - Cisco IPS-4255-K9 | Installation Guide - Page 253
enter the IMAGE command in all uppercase. You can enter the other ROMMON commands in either lower case or upper case, but the IMAGE command specifically must be all uppercase. - Cisco IPS-4255-K9 | Installation Guide - Page 254
K9-sys-1.1-a-7.0-1-E3.img) to the tftp root directory of a TFTP server that is accessible from your IPS 4260. Make sure you can access the TFTP server location from the network connected to your IPS 4260 Ethernet port. Boot the IPS 4260. - Cisco IPS-4255-K9 | Installation Guide - Page 255
Ethernet port. rommon> ping server_ip_address rommon> ping server Specify the path and filename on the TFTP file server from which you are downloading the image. rommon> file path/filename - Cisco IPS-4255-K9 | Installation Guide - Page 256
:04 CDT 2007 ft_id_update: Invalid ID-PROM Controller Type (0x5df) ft_id_update: Defaulting to Controller Type (0x5c2) Note The controller type errors are a known issue and can be disregarded. - Cisco IPS-4255-K9 | Installation Guide - Page 257
assigned to the IPS 4270-20. Step 6 Step 7 If necessary, assign the TFTP server IP address. rommon> SERVER=ip_address If necessary, assign the gateway IP address. rommon> GATEWAY=ip_address - Cisco IPS-4255-K9 | Installation Guide - Page 258
Information • For a list of supported TFTP servers, see Supported TFTP Servers, page 12-14. • For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 11-1. - Cisco IPS-4255-K9 | Installation Guide - Page 259
to operate as a TFTP server. router# copy tftp: flash: router# configure terminal router(config)# tftp-server flash:IPS-AIM-K9-sys-1.1-7.0-1-E3.img router(config)# exit router# Disable the heartbeat reset. router# service-module IDS-Sensor 0/slot_number heartbeat-reset disable Note Disabling the - Cisco IPS-4255-K9 | Installation Guide - Page 260
Exit and reset card x - Exit Selection [123rx] Download recovery image via tftp and install on USB Drive TFTP server [10.1.9.1]> full pathname of recovery image []:IPS-AIM-K9-sys-1.1-7.0-1-E3.img - Cisco IPS-4255-K9 | Installation Guide - Page 261
the heartbeat reset. router# service-module IDS-sensor 0/slot_number heartbeat-reset enable For More Information • For a list of supported TFTP servers, see Supported TFTP Servers, page 12-14. • For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page - Cisco IPS-4255-K9 | Installation Guide - Page 262
hw-module module 1 recover stop command to stop the system reimaging and then you can correct the configuration. Step 4 Specify the TFTP URL for the system image. Image URL [tftp://0.0.0.0/]: Example - Cisco IPS-4255-K9 | Installation Guide - Page 263
it is complete. Note The status reads Recovery during recovery and reads Up when reimaging is complete. asa# show module 1 Mod Card Type Model Serial No. 0 ASA 5540 Adaptive Security Appliance ASA5540 P2B00000019 1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 P1D000004F4 Mod - Cisco IPS-4255-K9 | Installation Guide - Page 264
1 Step 2 Download the IDSM2 system image file (IPS-IDSM2-K9-sys-1.1-a-7.0-1-E3.bin.gz) to the FTP root directory of an FTP server that is accessible from your IDSM2. Log in to the switch CLI. - Cisco IPS-4255-K9 | Installation Guide - Page 265
to the maintenance partition CLI. login: guest Password: cisco Note You must configure the maintenance partition on the IDSM2. Step 5 Install the system image. [email protected]# upgrade ftp://user@ftp server IP/directory path/IPS-IDSM2-K9-sys-1.1-a-7.0-1-E3.bin.gz Step 6 Specify the - Cisco IPS-4255-K9 | Installation Guide - Page 266
a list of supported FTP and HTTP/HTTPS servers, see Supported FTP and HTTP/HTTPS Servers, page 12-2. • For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 11-1. - Cisco IPS-4255-K9 | Installation Guide - Page 267
ip IP address : 10.89.149.74 Subnet Mask : 255.255.255.128 IP Broadcast : 10.255.255.255 DNS Name : idsm2.localdomain Default Gateway : 10.89.149.126 Nameserver(s) : [email protected]# - Cisco IPS-4255-K9 | Installation Guide - Page 268
of Pentium-class Processors : 2 BIOS Vendor: Phoenix Technologies Ltd. BIOS Version: 4.0-Rel 6.0.9 Total available memory: 2012 MB Size of compact flash: 61 MB Size of hard disk: 19077 MB - Cisco IPS-4255-K9 | Installation Guide - Page 269
This may take several minutes... Password for [email protected]: 500 'IPS-IDSM2-K9-sys-1.1-a-6.2-1-E3.bin.gz': command not understood. ftp://[email protected]//RELEASES/Latest/6.2-1/IPS-IDSM2-K9-sys-1.1-a-6.2-1-E3.bin.gz (unknown size) /tmp/upgrade.gz [|] 28616K 29303086 bytes transferred - Cisco IPS-4255-K9 | Installation Guide - Page 270
The system is going down for system halt NOW !! console> (enable)# For More Information For a list of supported FTP and HTTP/HTTPS servers, see Supported FTP and HTTP/HTTPS Servers, page 12-2. - Cisco IPS-4255-K9 | Installation Guide - Page 271
# show ip IP address : 0.0.0.0 Subnet Mask : 0.0.0.0 IP Broadcast : 0.0.0.0 DNS Name : localhost.localdomain Default Gateway : 0.0.0.0 Nameserver(s) : [email protected]# - Cisco IPS-4255-K9 | Installation Guide - Page 272
Password for [email protected]: 500 'SIZE IPS-IDSM2-K9-sys-1.1-a-6.2-1.bin.gz': command not understood. ftp://[email protected]//RELEASES/Latest/6.1-1/IPS-IDSM2-K9-sys-1.1-a-6.2-1-E3.img (unknown size) /tmp/upgrade.gz [|] 28616K - Cisco IPS-4255-K9 | Installation Guide - Page 273
. You can boot the image now. Partition upgraded successfully [email protected]# Step 13 Clear the upgrade log. [email protected]# clear log upgrade Cleared log file successfully - Cisco IPS-4255-K9 | Installation Guide - Page 274
an FTP server that is accessible from your IDSM2. Session to the IDSM2 from the switch. console>(enable) session slot_number Log in to the IDSM2 CLI. Enter configuration mode. idsm2# configure terminal - Cisco IPS-4255-K9 | Installation Guide - Page 275
of supported FTP and HTTP/HTTPS servers, see Supported FTP and HTTP/HTTPS Servers, page 12-2. • For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page 11-1. - Cisco IPS-4255-K9 | Installation Guide - Page 276
to operate as a TFTP server. router# copy tftp: flash: router# configure terminal router(config)# tftp-server flash:IPS-NME-K9-sys-1.1-7.0-1-E3.img router(config)# exit router# Disable the heartbeat reset. router# service-module ids-sensor 1/0 heartbeat-reset disable Note Disabling the heartbeat - Cisco IPS-4255-K9 | Installation Guide - Page 277
.89.148.195]> Subnet mask [255.255.255.0]> TFTP server [10.89.150.74]> Gateway [10.89.148.254]> Default boot [disk]> Number cores [2]> ServicesEngine boot-loader > upgrade Cisco Systems, Inc. Services engine upgrade utility for NM-IPS ----- Main menu 1 - Download application image and write to - Cisco IPS-4255-K9 | Installation Guide - Page 278
router CLI, clear the session. router# service-module interface ids-sensor 1/0 session clear Step 15 Enable the heartbeat reset. router# service-module IDS-sensor 1/0 heartbeat-reset enable - Cisco IPS-4255-K9 | Installation Guide - Page 279
Maintenance, page A-2 • Disaster Recovery, page A-6 • Recovering the Password, page A-7 • Time and the Sensor, page A-16 • Advantages and Restrictions of Virtualization, page A-18 • Supported MIBs, page A-19 • When to Disable Anomaly Detection, page A-20 • Troubleshooting Global Correlation, page - Cisco IPS-4255-K9 | Installation Guide - Page 280
the a configuration file, see Backing Up and Restoring the Configuration File Using a Remote Server, page A-3. • For more information about the service account, see Creating the Service Account, page A-5. - Cisco IPS-4255-K9 | Installation Guide - Page 281
• Overwrite the current configuration with the backup configuration. sensor# copy /erase backup-config current-config Backing Up and Restoring the Configuration File Using a Remote Server Note We recommend copying the current configuration file to a remote server before upgrading. Use the copy - Cisco IPS-4255-K9 | Installation Guide - Page 282
a password. If you use SCP protocol, you must also add the remote host to the SSH known hosts list. • http:-Source URL for the web server. current configuration to a backup configuration. cfg 100 36124 00:00 - Cisco IPS-4255-K9 | Installation Guide - Page 283
. However, you can use the service account to create a password if the administrator password is lost. Analyze your situation to decide if you want a service account existing on the system. OL-18504-01 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 A-5 - Cisco IPS-4255-K9 | Installation Guide - Page 284
copied configuration only to a sensor of the same version. • You also need the list of user IDs that have been used on that sensor. The list of user IDs and passwords are not saved in the configuration. Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.0 A-6 OL - Cisco IPS-4255-K9 | Installation Guide - Page 285
, try the following: 1. Reimage the sensor. 2. Log in to the sensor with the default user ID and password-cisco. Note You are prompted to change the cisco password. 3. Initialize the sensor. 4. Upgrade the sensor to the IPS software version it had when the configuration was last saved and copied - Cisco IPS-4255-K9 | Installation Guide - Page 286
the GRUB menu appears, press any key to pause the boot process. Note You must have a terminal server or direct serial connection to the appliance to use the GRUB menu to recover the password. - Cisco IPS-4255-K9 | Installation Guide - Page 287
Chapter A Troubleshooting Recovering the Password To recover the password on appliances, follow these steps: Step 1 Reboot the appliance to see the GRUB menu. GNU GRUB version 0.94 (632K lower / 523264K upper memory 0: Cisco IPS 1: Cisco IPS Recovery 2: Cisco IPS Clear Password (cisco Use - Cisco IPS-4255-K9 | Installation Guide - Page 288
AIP SSM Password You can reset the password to the default (cisco) for the AIP SSM using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot. - Cisco IPS-4255-K9 | Installation Guide - Page 289
Note To reset the password, you must have ASA 7.2.2 or later. Use the hw-module module slot_number password-reset command to reset the password to the default cisco. If the module in the specified slot has an IPS version that does not support password - Cisco IPS-4255-K9 | Installation Guide - Page 290
displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions. Click Close to close the dialog box. The sensor reboots. - Cisco IPS-4255-K9 | Installation Guide - Page 291
IPS 7.x, download WS-SVC-IDSM2-K9-a-7.0-password-recovery.bin.gz. FTP is the only supported protocol for image installations, so make sure you put the password recovery image file on an FTP server that is accessible to the switch. You must have administrative access to the Cisco 6500 series switch - Cisco IPS-4255-K9 | Installation Guide - Page 292
privileges. Enter global configuration mode. sensor# configure terminal Enter host mode. sensor(config)# service host Disable password recovery. sensor(config-hos)# password-recovery disallowed - Cisco IPS-4255-K9 | Installation Guide - Page 293
see the following message: Upgrading will wipe out the contents on the storage media. You can ignore this message. Only the password is reset when you use the specified password recovery image. - Cisco IPS-4255-K9 | Installation Guide - Page 294
the default. The UTC time is synchronized between the parent router and the AIM IPS and the NME IPS. The time zone and summertime settings are not synchronized between the parent router and the AIM IPS and the NME IPS. - Cisco IPS-4255-K9 | Installation Guide - Page 295
are synchronized to an external NTP server. If only the module clock or only the parent chassis clock is synchronized to an NTP server, the time drift occurs. Verifying the Sensor is Synchronized with the NTP Server In IPS, you cannot apply an incorrect NTP configuration, such as an invalid NTP key - Cisco IPS-4255-K9 | Installation Guide - Page 296
To avoid configuration problems on your sensor, make sure you understand the advantages and restrictions of virtualization on your sensor. Note The AIM IPS and the NME IPS do not support virtualization. - Cisco IPS-4255-K9 | Installation Guide - Page 297
IPS 4240 • IPS 4255 • IPS 4260 • IPS 4270-20 • AIP SSM • IDSM2 (with the exception of VLAN groups on inline interface pairs) Supported MIBs To avoid problems with configuring SNMP, be aware of the MIBs that are supported on the sensor. The following private MIBs are supported on the sensor: • CISCO - Cisco IPS-4255-K9 | Installation Guide - Page 298
through the sensor management interface, firewalls must allow port 443/80 traffic. • You must have an HTTP proxy server or a DNS server configured to allow global correlation features to function. - Cisco IPS-4255-K9 | Installation Guide - Page 299
HTTP Proxy server to support global correlation, for IDM refer to Configuring Network Settings, for IME refer to Configuring Network Settings, and for the CLI, refer to Configuring the DNS and Proxy Servers for Global Correlation. • For the procedure for obtaining and installing the IPS license key - Cisco IPS-4255-K9 | Installation Guide - Page 300
see the quarantined hosts. • The sensor must recognize each CSA MC host X.509 certificate. You must add them as a trusted host. • You can configure a maximum of two external product devices. - Cisco IPS-4255-K9 | Installation Guide - Page 301
to troubleshoot the appliance. It contains the following topics: • Hardware Bypass and Link Changes and Drops, page A-24 • Troubleshooting Loose Connections, page A-24 • Analysis Engine is Busy, page A-25 • Connecting the IPS 4240 to a Cisco 7200 Series Router, page A-25 • Communication Problems - Cisco IPS-4255-K9 | Installation Guide - Page 302
Hardware Bypass and Link Changes and Drops Note Hardware bypass is available on the 4GE bypass interface card, which is supported on IPS 4260 and IPS 4270-20. Properly configuring and deploying hardware bypass protects against complete link failure if the IPS appliance experiences - Cisco IPS-4255-K9 | Installation Guide - Page 303
before trying to make configuration changes. Use the show statistics virtual-sensor command to find out when Analysis Engine is available again. Connecting the IPS 4240 to a Cisco 7200 Series Router When an IPS 4240 is connected directly to a 7200 series router and both the IPS 4240 and the router - Cisco IPS-4255-K9 | Installation Guide - Page 304
Communication Problems This section helps you troubleshoot communication problems with the 4200 series sensor. It contains the following topics: • Cannot Access the Sensor CLI Through Telnet or SSH, page A-26 • Correcting a Misconfigured - Cisco IPS-4255-K9 | Installation Guide - Page 305
.1 host-name sensor telnet-option enabled access-list 0.0.0.0/0 ftp-timeout 300 no login-banner-text exit --MORE-- If the workstation network address is permitted in the sensor access list, go to Step 6. - Cisco IPS-4255-K9 | Installation Guide - Page 306
-name: sensor-238 default: sensor telnet-option: enabled default: disabled access-list (min: 0, max: 512, current: 3 network-address: 10.0.0.0/8 network-address: 64.0.0.0/8 network-address: 171.69.70.0/24 - Cisco IPS-4255-K9 | Installation Guide - Page 307
: - Cisco IPS-4255-K9 | Installation Guide - Page 308
Platform: ASA-SSM-20 Serial Number: JAB0948035P License expired: 11-Apr-2008 UTC Sensor up-time is 7 days. Using 1018015744 out of 2093600768 bytes of available memory (48% usage) - Cisco IPS-4255-K9 | Installation Guide - Page 309
Upgrade History: IPS-K9-7.0-1-E3 01:16:00 UTC Fri Apr 25 2008 Recovery Partition Version 1.1 - 7.0(1)E3 Host Certificate Valid from: 29-Jun-2008 to 30-Jun-2010 sensor -0500 Upgrade History: - Cisco IPS-4255-K9 | Installation Guide - Page 310
Step 5 IPS-K9-7.0-1-E3 01:16:00 UTC Fri Apr 25 2008 Recovery Partition Version 1.1 - 7.0(1)E3 Host Certificate Valid from: 29-Jun-2008 to 30-Jun-2010 sensor# If you do not have the latest software updates, download them from Cisco.com. Read - Cisco IPS-4255-K9 | Installation Guide - Page 311
time you configure a signature, the new configuration overwrites the old one, so make sure you have configured all the event actions you want for each signature. • Make sure the sensor is seeing packets - Cisco IPS-4255-K9 | Installation Guide - Page 312
Total Bytes Transmitted = 3441000 Total Multicast Packets Transmitted = 0 Total Broadcast Packets Transmitted = 0 Total Jumbo Packets Transmitted = 0 Total Undersize Packets Transmitted = 0 - Cisco IPS-4255-K9 | Installation Guide - Page 313
Undersize Packets Transmitted = 0 Total Transmit Errors = 0 Total Transmit FIFO Overruns = 0 sensor# If the interfaces are not up, do the following: • Check the cabling. • Enable the interface. - Cisco IPS-4255-K9 | Installation Guide - Page 314
Step 4 sensor# configure terminal sensor(config)# service interface sensor(config-int)# physical-interfaces GigabitEthernet0/1 sensor(config-int-phy)# admin-state enabled sensor(config-int-phy)# show settings name: - Cisco IPS-4255-K9 | Installation Guide - Page 315
, page A-41 • Verifying the Interfaces and Directions on the Network Device, page A-43 • Enabling SSH Connections to the Network Device, page A-43 - Cisco IPS-4255-K9 | Installation Guide - Page 316
• Blocking Not Occurring for a Signature, page A-44 • Verifying the Master Blocking Sensor Configuration, page A-45 Troubleshooting Blocking Note ARC was formerly known as Network Access Controller. Although the name has been changed since IPS 5.1, it - Cisco IPS-4255-K9 | Installation Guide - Page 317
Current Configuration LogAllBlockEventsAndSensors = true EnableNvramWrite = false EnableAclLogging = false AllowSensorBlock = false BlockMaxEntries = 250 MaxDeviceInterfaces = 250 NetDevice Type = Cisco - Cisco IPS-4255-K9 | Installation Guide - Page 318
-04-18T08:05 2009-04-18T08:05 Upgrade History: IPS-K9-7.0-1-E3 08:00:00 UTC Sat Apr 18 2009 Recovery Partition Version 1.1 - 7.0(1)E3 Host Certificate Valid from: 16-Apr-2009 to 17-Apr-2011 - Cisco IPS-4255-K9 | Installation Guide - Page 319
allow-sensor-block: false block-enable: true block-max-entries: 250 max-interfaces: 250 master-blocking-sensors (min: 0, max: 100, current: 0) - Cisco IPS-4255-K9 | Installation Guide - Page 320
device to verify the configuration. c. Make sure you can reach the device. d. Verify the username and password. Verify that each interface and direction on each network device is correct. - Cisco IPS-4255-K9 | Installation Guide - Page 321
sensor# configure terminal sensor(config)# service network-access sensor(config-net)# general Start the manual block of the bogus host IP address. sensor configuration mode: sensor# configure terminal - Cisco IPS-4255-K9 | Installation Guide - Page 322
edit-default-sigs-only default-signatures-only specify-service-ports no specify-tcp-max-mss no specify-tcp-min-mss no MORE-- Exit signature definition submode. sensor(config-sig-sig-nor)# exit - Cisco IPS-4255-K9 | Installation Guide - Page 323
them. Verify that the block shows up in the ARC statistics. sensor# show statistics network-access Current Configuration AllowSensorShun = false ShunMaxEntries = 100 State ShunEnable = true - Cisco IPS-4255-K9 | Installation Guide - Page 324
By default, debug logging is not turned on. If you enable individual zone control, each zone uses the level of logging that it is configured for. Otherwise, the same logging level is used for all zones. - Cisco IPS-4255-K9 | Installation Guide - Page 325
the zone names. sensor(config-log)# show settings master-control enable-debug: false individual-zone-control: true default: false zone-control (min: 0, max: 999999999, current: 14) - Cisco IPS-4255-K9 | Installation Guide - Page 326
zone-control (min: 0, max: 999999999, current: 14 protected entry> zone-name: AuthenticationApp severity: warning zone-name: Cid severity: debug - Cisco IPS-4255-K9 | Installation Guide - Page 327
zone-name: Cli severity: warning zone-name: IdapiCtlTrans severity: warning zone-name: IdsEventStore severity: error default: warning - Cisco IPS-4255-K9 | Installation Guide - Page 328
MpInstaller Description Anomaly Detection zone Authentication zone General logging zone CLI zone All control transactions zone Event Store zone IDSM2 master partition installer zone - Cisco IPS-4255-K9 | Installation Guide - Page 329
between modules in the chassis. 2. The Control Plane is the transport communications layer used by Card Manager on the AIP SSM. 3. The CIDS servlet interface is the interface layer between the CIDS web server and the servlets. For More Information To learn more about the IPS Logger service, refer - Cisco IPS-4255-K9 | Installation Guide - Page 330
|produc-alert sensor(config-sig-sig-ato)# show settings atomic-ip event-action: produce-alert|reset-tcp-connection default: produce-alert fragment-status: any specify-l4-protocol no - Cisco IPS-4255-K9 | Installation Guide - Page 331
Upgrades This section helps in troubleshooting software upgrades. It contains the following topics: • Upgrading and Analysis Engine, page A-54 • Which Updates to Apply and Their Prerequisites, page A-54 - Cisco IPS-4255-K9 | Installation Guide - Page 332
with the Update Stored on the Sensor, page A-55 Upgrading and Analysis Engine If you try to upgrade an IPS sensor, you may receive an error that Analysis Engine is not running: sensor# upgrade scp://[email protected]/upgrades/IPS-K9-7.0-1-E3.pkg Password: ******** Warning: Executing this command will - Cisco IPS-4255-K9 | Installation Guide - Page 333
there if you need to. To update the sensor with an update stored on the sensor, follow these steps: Step 1 Step 2 Log in to the service account. Obtain the update package file from Cisco.com. - Cisco IPS-4255-K9 | Installation Guide - Page 334
Upgrade the sensor. sensor(config)# upgrade scp://service@sensor_ip_address/upgrade/ips_package_file_name Enter password: ***** Re-enter password: ***** For More Information For the procedure for obtaining Cisco IPS software, see Obtaining Cisco IPS Software, page 11-1. Troubleshooting - Cisco IPS-4255-K9 | Installation Guide - Page 335
: sensor# setup --- System Configuration Dialog --- At any point you may enter a question mark '?' for help. User ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'. - Cisco IPS-4255-K9 | Installation Guide - Page 336
procedure for configuring event actions, refer to Assigning Actions to Signatures. • For the procedure for obtaining statistics about virtual sensor and Event Store, refer to Displaying Statistics. - Cisco IPS-4255-K9 | Installation Guide - Page 337
to troubleshooting the IDSM2, and contains the following topics: • Diagnosing IDSM2 Problems, page A-60 • Minimum Supported IDSM2 Configurations, page A-61 • Switch Commands for Troubleshooting, page A-61 - Cisco IPS-4255-K9 | Installation Guide - Page 338
4200 series sensors. You can use the same troubleshooting tools as outlined in Troubleshooting the Appliance, page A-23. • For information about the Bug Toolkit and how to access it, see Bug Toolkit, page A-1. - Cisco IPS-4255-K9 | Installation Guide - Page 339
show trunk (Catalyst software) • show span (Catalyst software) • show security acl (Catalyst software) • show intrusion-detection module (Cisco IOS software) • show monitor (Cisco IOS software) - Cisco IPS-4255-K9 | Installation Guide - Page 340
Verify that the IDSM2 is online. • Catalyst Software console> enable Enter password: console> (enable) show module Mod Slot Ports Module-Type Model Sub Status . 2.0 console> (enable) - Cisco IPS-4255-K9 | Installation Guide - Page 341
Not Come Online If the status indicator is on, but the IDSM2 does not come online, try the following troubleshooting tips: • Reset the IDSM2. • Make sure the IDSM2 is installed properly in the switch. - Cisco IPS-4255-K9 | Installation Guide - Page 342
software console> (enable) show port 6/8 * = Configured MAC Address # = 802.1X Authenticated Port Name. Port Name Status Vlan Duplex Speed Type 6/8 connected trunk full 1000 IDS - Cisco IPS-4255-K9 | Installation Guide - Page 343
For the procedure for configuring the switch for command and control access to the IDSM2, refer to Configuring the Catalyst 6500 Series Switch for Command and Control Access to the IDSM2. - Cisco IPS-4255-K9 | Installation Guide - Page 344
section contains information for troubleshooting the AIP SSM, and contains the following topics: • Health and Status Information, page A-67 • The AIP SSM and the Data Plane, page A-69 • - Cisco IPS-4255-K9 | Installation Guide - Page 345
down before resetting it or loss of configuration may occur. Reset module in slot 1? [confirm] Reset issued for module in slot 1 asa(config)# show module Mod Card Type Model Serial No. 0 ASA 5520 Adaptive Security Appliance ASA5520 P2A00000014 1 ASA 5500 Series Security Services Module-10 - Cisco IPS-4255-K9 | Installation Guide - Page 346
IMAGE=IPS-SSM-K9-sys-1.1-a-5.1-0.1.img Slot-1 172> CONFIG= Slot-1 173> LINKTIMEOUT=20 Slot-1 174> PKTTIMEOUT=4 Slot-1 175> RETRY=20 Slot-1 176> tftp [email protected] via 10.89.149.254 - Cisco IPS-4255-K9 | Installation Guide - Page 347
information for troubleshooting the IPS network modules, the AIM IPS and the NME IPS. It contains the following section: • Interoperability With Other IPS Network Modules, page A-69 Interoperability With Other IPS Network Modules Caution You cannot upgrade an NM CIDS to an NME IPS. The Cisco access - Cisco IPS-4255-K9 | Installation Guide - Page 348
the CLI. Show the health and security status of the sensor. sensor# show health Overall Health Status Health Status for Failed Applications Health Status for Signature Updates Red Green Green - Cisco IPS-4255-K9 | Installation Guide - Page 349
and sent to the destination that follows this command. If you use this keyword, the output is not displayed on the screen. - Cisco IPS-4255-K9 | Installation Guide - Page 350
show version Application Partition: 8 21:42:39 2009. Cisco Intrusion Prevention System, Version 7.0(1)E3 Host: Realm Keys Signature Definition: Signature Update key1.0 S383.0 2009-02-20 - Cisco IPS-4255-K9 | Installation Guide - Page 351
Virus Update V1.4 2007-03-02 OS Version: 2.4.30-IDS-smp-bigphys Platform: IPS 4240-K9 Serial Number: JMX1013K020 No license present Sensor = 0 - Cisco IPS-4255-K9 | Installation Guide - Page 352
version information. sensor# show version Application Partition: Cisco Intrusion Prevention System, Version 7.0(1)E3 Host: Realm Keys Signature Definition: Signature Update key1.0 S383.0 2009-02-20 - Cisco IPS-4255-K9 | Installation Guide - Page 353
: ! Signature Update S383.0 2009-02-20 ! Virus Update V1.4 2007-03-02 service interface exit service authentication exit service event-action-rules rules0 exit - Cisco IPS-4255-K9 | Installation Guide - Page 354
of the sensor services. This section describes the show statistics command, and contains the following topics: • Understanding the show statistics Command, page A-77 • Displaying Statistics, page A-77 - Cisco IPS-4255-K9 | Installation Guide - Page 355
Step 1 Step 2 Log in to the CLI. Display the statistics for Analysis Engine. sensor# show statistics analysis-engine Analysis Engine Statistics Number of seconds since service started = 1421127 - Cisco IPS-4255-K9 | Installation Guide - Page 356
Troubleshooting Sensor vs1 No attack Detection - ON Learning - ON Next KB rotation at 10:00:00 UTC Sat Jan 18 2008 Internal Zone TCP Protocol UDP Protocol Other Protocol External Zone TCP Protocol UDP Protocol - Cisco IPS-4255-K9 | Installation Guide - Page 357
sensor# Display the statistics for Event Server. sensor# show statistics event-server General openSubscriptions = 0 blockedSubscriptions = 0 Subscriptions sensor# Display the statistics for Event Store. sensor - Cisco IPS-4255-K9 | Installation Guide - Page 358
last 5 minutes = 1 Memory Statistics Memory usage (bytes) = 500498432 Memory free (bytes) = 894976032 Auto Update Statistics lastDirectoryReadAttempt = 15:26:33 CDT Tue Jun 17 2008 - Cisco IPS-4255-K9 | Installation Guide - Page 359
NATAddr = 0.0.0.0 Communications = telnet NetDevice Type = Cisco IP = 10.89.150.158 NATAddr = 0.0.0.0 Communications = telnet BlockInterface InterfaceName = ethernet0/1 InterfaceDirection = out - Cisco IPS-4255-K9 | Installation Guide - Page 360
Vlan = ActualIp = BlockMinutes = Host IP = 21.21.12.12 Vlan = ActualIp = BlockMinutes = Host IP = 122.122.33.4 Vlan = ActualIp = BlockMinutes = 60 MinutesRemaining = 24 - Cisco IPS-4255-K9 | Installation Guide - Page 361
, or ICMP processed since reset = Total ARP packets processed since reset = 0 Total ISL encapsulated packets processed since reset = 0 Total 802.1q encapsulated packets processed since reset = 0 - Cisco IPS-4255-K9 | Installation Guide - Page 362
0 TCP Normalizer stage statistics Packets Input = 0 Packets Modified = 0 Dropped packets from queue = 0 Dropped packets due to deny-connection = 0 Current Streams = 0 Current Streams Closed = 0 - Cisco IPS-4255-K9 | Installation Guide - Page 363
Current service-pair-inline = 0 deny-connection-inline = 0 deny-packet-inline = 0 modify-packet-inline = 0 log-attacker-packets = 0 log-pair-packets = 0 - Cisco IPS-4255-K9 | Installation Guide - Page 364
retrieved and cleared. Verify that the statistics have been cleared. sensor# show statistics logger The number of Log interprocessor FIFO overruns = 0 The number of syslog messages received = 0 - Cisco IPS-4255-K9 | Installation Guide - Page 365
A Troubleshooting Gathering = 0 Unknown Severity = 0 TOTAL = 0 sensor# The statistics all begin from 0. Interfaces Information The the sensing and command and control interfaces. This section describes the - Cisco IPS-4255-K9 | Installation Guide - Page 366
Link Status = Up Transmit Errors = 0 Total Transmit FIFO Overruns = 0 sensor# Events Information You can use the show events command an IP log being created - Cisco IPS-4255-K9 | Installation Guide - Page 367
. • error-Displays error events. Error events are generated by services when error conditions are encountered. If no level is selected (warning, error, or fatal), all error events are displayed. - Cisco IPS-4255-K9 | Installation Guide - Page 368
• NAC-Displays ARC (block) requests. Note ARC is formerly known as NAC. This name change has not been completely implemented throughout IDM, IME, and the CLI for Cisco IPS sensor# - Cisco IPS-4255-K9 | Installation Guide - Page 369
appInstanceId: 2316 evStatus: eventId=1041526834774829056 vendor=Cisco originator: hostId: sensor appName: login(pam_unix) appInstanceId: 2315 time: 2008/01/08 02:41:00 2008/01/08 02:41:00 UTC - Cisco IPS-4255-K9 | Installation Guide - Page 370
TAC or the IPS developers in case of a problem. For More Information For the procedure for putting a file on the Cisco FTP site, see Uploading and Accessing Files on the Cisco FTP Site, page A-93. - Cisco IPS-4255-K9 | Installation Guide - Page 371
. Use the put command to upload the files. Make sure to use the binary transfer type. To access uploaded files, log in to an ECS-supported host. Change to the /auto/ftp/incoming directory. - Cisco IPS-4255-K9 | Installation Guide - Page 372
- Cisco IPS-4255-K9 | Installation Guide - Page 373
applications, such as gotomypc. It can also inspect FTP traffic and control the commands being issued. Advanced Integration Module. A type of IPS network module installed in Cisco routers. - Cisco IPS-4255-K9 | Installation Guide - Page 374
in RFC 826. ASDM Adaptive Security Device Manager. A web-based application that lets you configure and manage your adaptive security device. ASN.1 Abstract Syntax Notation 1. Standard for data presentation. - Cisco IPS-4255-K9 | Installation Guide - Page 375
fired correctly, but the source of the traffic is nonmalicious. Basic Input/Output System. The program that starts the sensor and communicates between the devices in the sensor and the system. - Cisco IPS-4255-K9 | Installation Guide - Page 376
be supported by Cisco IPS systems. The header that is attached to each packet in the IPS system. It contains packet classification, packet length, checksum results, timestamp, and the receive interface. - Cisco IPS-4255-K9 | Installation Guide - Page 377
Transaction A component of the IPS. Waits for control transactions directed to remote applications, forwards the Source control transactions to the remote node, and returns the response to the initiator. cookie A piece of information sent by a web server to a web browser that the browser is - Cisco IPS-4255-K9 | Installation Guide - Page 378
D darknets A virtual private network where users connect IP addresses needed for network packets. DoS Denial of Service. An attack whose goal is just to disrupt the operation of a specific system or network. - Cisco IPS-4255-K9 | Installation Guide - Page 379
specific algorithm to data to alter the appearance of the data making it incomprehensible to those who are not authorized to see the information. engine A component of the sensor designed to support - Cisco IPS-4255-K9 | Installation Guide - Page 380
to improve the combined efficacy of all devices. The software component of CollaborationApp that obtains and installs updates to the local global correlation databases. - Cisco IPS-4255-K9 | Installation Guide - Page 381
information relevant to IP packet processing. Documented in RFC 792. Denial of Service attack that sends a host more ICMP echo request ("ping") packets than the protocol implementation can handle. - Cisco IPS-4255-K9 | Installation Guide - Page 382
systems and the operational messages that are used to configure and control intrusion detection systems. IDM IPS Device Manager. A web-based application that lets you configure and manage your sensor. The web server for IDM resides on the sensor. You can access it through Internet Explorer or - Cisco IPS-4255-K9 | Installation Guide - Page 383
them from the processing path. Logger A component of the IPS. Writes all the log messages of the application to the log file and the error messages of the application to the Event Store. - Cisco IPS-4255-K9 | Installation Guide - Page 384
is defined in RFC 2045. A minor version that contains minor enhancements to the product line. Minor updates are incremental to the major version, and are also base versions for service packs. - Cisco IPS-4255-K9 | Installation Guide - Page 385
to and from a computer system. NME IPS Network Module Enhanced. An IPS module that you can install in any network module slot in the Cisco 2800 and 3800 series integrated services routers. - Cisco IPS-4255-K9 | Installation Guide - Page 386
circles. Port Aggregation Control Protocol. PAgP aids in the automatic creation of EtherChannel links by exchanging PAgP packets between LAN ports. It is a Cisco-proprietary protocol. - Cisco IPS-4255-K9 | Installation Guide - Page 387
from which ARC should read the ACL entries, and where it places entries before any deny entries for the addresses being blocked. - Cisco IPS-4255-K9 | Installation Guide - Page 388
of the attack, but not any response or mitigation actions. This risk is higher when more damage could be inflicted on your network. - Cisco IPS-4255-K9 | Installation Guide - Page 389
onto the sensor for recovery purposes. See RTT. remote-procedure call. Technological foundation of client/server computing. RPCs are procedure calls that are built or specified by clients and are executed on servers, with the results returned over the network to the clients. Router Switch Module - Cisco IPS-4255-K9 | Installation Guide - Page 390
collect packets from the network interfaces on the sensor. SensorApp is the standalone executable that runs Analysis Engine. Service engine Deals with specific protocols, such as DNS, FTP, H255 - Cisco IPS-4255-K9 | Installation Guide - Page 391
constant refreshing, like DRAM. Secure Shell. A utility that uses strong authentication and secure communications to log in to another computer over a network. - Cisco IPS-4255-K9 | Installation Guide - Page 392
full IPS application and recovery image used for reimaging an entire sensor. T TAC A Cisco Technical Assistance Center. There are four TACs worldwide. TACACS+ Terminal Access Controller Access Control System Plus. Proprietary Cisco enhancement to Terminal Access Controller Access Control System - Cisco IPS-4255-K9 | Installation Guide - Page 393
servers can be used to remotely manage network equipment, including sensors. TFN Tribe Flood Network. A common type of DoS attack that can take advantage of forged or rapidly changing source IP - Cisco IPS-4255-K9 | Installation Guide - Page 394
VLAN ACL. An ACL that filters all packets (both within a VLAN and between VLANs) that pass through a switch. Also known as security ACLs. - Cisco IPS-4255-K9 | Installation Guide - Page 395
that serves users across a broad geographic area and often uses transmission devices provided by common carriers. Frame Relay, SMDS, and X.25 are examples of WANs. - Cisco IPS-4255-K9 | Installation Guide - Page 396
file format used for data interchange between heterogeneous hosts. Z zone A set of destination IP addresses sorted into an internal, illegal, or external zone used by Anomaly Detection. - Cisco IPS-4255-K9 | Installation Guide - Page 397
engine A-69 password recovery A-10 recovering A-68 reimaging 12-26 removing module 6-5 requirements 6-2 resetting A-67 resetting the password A-11 session command 9-6 setup command 10-16 - Cisco IPS-4255-K9 | Installation Guide - Page 398
updates troubleshooting A-55 automatic upgrade examples 12-10 information required 12-6 autonegotiation for hardware bypass 3-5, 4-6 auto-upgrade-option command 12-6 B backing up configuration A-3 current configuration A-4, A-5 back panel features IPS 4240 2-3 IPS 4255 2-3 IPS 4260 3-7 IPS 4270 - Cisco IPS-4255-K9 | Installation Guide - Page 399
control interface described 1-5 Ethernet 1-2 list 1-5 commands auto-upgrade-option 12-6 clear events 1-29, A-18, A-92 clear password A-10, A-13 copy backup-config A-3 copy current-config A-3 copy license-key 11-13 debug module-boot A-68 downgrade 12-11 hw-module module 1 reset A-67 hw-module module - Cisco IPS-4255-K9 | Installation Guide - Page 400
the sensor 1-29, A-18 creating the service account A-6 cryptographic account Encryption Software Export Distribution Authorization from 11-2 obtaining 11-2 current configuration back up A-3 D DC power supply for IPS 4240 2-10 debug logging enable A-47 debug-module-boot command A-68 defaults password - Cisco IPS-4255-K9 | Installation Guide - Page 401
4-49 files Cisco IPS 12-2 IDSM2 password recovery A-13 finding the serial number 5-6, 8-6 front panel indicators IPS 4240 2-2 IPS 4255 2-2 IPS 4260 3-7 IPS 4270-20 4-8 front panel switches IPS 4260 3-6 IPS 4270-20 4-8 FTP servers supported 12-2 G global correlation license 10-5 troubleshooting A-20 - Cisco IPS-4255-K9 | Installation Guide - Page 402
-26 IDSM2 (Catalyst software) 12-28 IDSM2 (Cisco IOS software) 12-29, 12-30 IPS 4240 12-15 IPS 4255 12-15 IPS 4260 12-18 IPS 4270-20 12-20 NME IPS 12-40 interface cards IPS 4260 installing 3-20 - Cisco IPS-4255-K9 | Installation Guide - Page 403
25 IPS restrictions 1-19 supported appliances 1-17 modules 1-17 tuning 1-3 IPS 4240 accessories 2-5 back panel illustration 2-3 indicators 2-3 described 2-1 features 2-2 front panel illustration 2-2 indicators 2-2 installation 2-8 installing DC power supply 2-10 system image 12-15 password recovery - Cisco IPS-4255-K9 | Installation Guide - Page 404
cards 3-20 power supply 3-22 sensing interfaces 3-2 specifications 3-9 supported interface cards 3-2, 3-3 IPS 4270-20 4GE bypass interface card 4-2 accessories kit 4-44 sensing interfaces 4-2 - Cisco IPS-4255-K9 | Installation Guide - Page 405
number 11-10 Licensing pane configuring 11-12 described 11-10 limitations for concurrent CLI sessions 2-1, 3-1, 4-1, 5-1, 6-1, 7-1, 8-1, 9-1 logging in AIM IPS 9-5 AIP SSM 9-6 appliances 9-2 IDSM2 9-8 NME IPS 9-10 sensors SSH 9-11 Telnet 9-11 service role 9-2 terminal servers 1-19, 9-3, 12-14 - Cisco IPS-4255-K9 | Installation Guide - Page 406
cryptographic account 11-2 IPS software 11-1 P password recovery AIM IPS A-10 AIP SSM A-10 appliances A-8 CLI A-14 described A-8 disabling A-14 GRUB menu A-8 IDSM2 A-13 IPS 4240 A-9 IPS 4255 A-9 IPS-4260 A-9 IPS 4270-20 A-9 NME IPS A-13 platforms A-8 ROMMON A-9 troubleshooting A-15 verifying A-15 - Cisco IPS-4255-K9 | Installation Guide - Page 407
12-5 reimaging AIP SSM 12-26 appliances 12-12 described 12-1 IDSM2 12-28 IPS 4240 12-15 IPS 4255 12-15 IPS 4260 12-18 IPS 4270-20 12-20 NME IPS 12-40 sensors 11-8, 12-1 removing AIM IPS 5-5 AIP SSM 6-5 chassis cover IPS 4260 3-19 IPS 4270-20 4-39 last applied service pack 12-11 signature update 12 - Cisco IPS-4255-K9 | Installation Guide - Page 408
12-14 IPS 4240 12-15 IPS 4255 12-15 IPS 4260 12-18 IPS 4270-20 12-18, 12-20 password recovery A-9 remote sensors 12-14 serial console port 12-14 TFTP 12-14 round-trip time. See RTT. RTT described 12-14 TFTP limitation 12-14 S scheduling automatic upgrades 12-8 security information on Cisco Security - Cisco IPS-4255-K9 | Installation Guide - Page 409
AIM IPS 5-2 NME IPS 8-2 software updates supported FTP servers 12-2 supported HTTP/HTTPS servers 12-2 SPAN appliances 1-19 IDSM2 1-24 port issues A-32 specifications AIM IPS 5-1 AIP SSM 6-1 - Cisco IPS-4255-K9 | Installation Guide - Page 410
A-55 cannot access sensor A-26 cidDump A-92 cidLog messages to syslog A-51 communication A-26 corrupted SensorApp configuration A-37 debug logger zone names (table) A-50 debug logging A-46 - Cisco IPS-4255-K9 | Installation Guide - Page 411
1-24 verifying IDSM2 installation 7-9 NME IPS installation 8-6 NTP configuration 1-28 password recovery A-15 sensor initialization 10-28 sensor setup 10-28 VLAN access control list. See VACL. - Cisco IPS-4255-K9 | Installation Guide - Page 412
VLAN groups 802.1q encapsulation 1-16 configuration restrictions 1-11 deploying 1-16 described 1-15 switches 1-16