manualshive.com logo in svg

Cisco IPS 7.1, Installation Manual

The Cisco IPS 7.1 is a cutting-edge intrusion prevention system designed to protect networks from various cyber threats. Our installation manual is available for free download at manualshive.com, providing step-by-step instructions on how to efficiently set up and optimize this powerful security solution.

Share
Download
background image

   

E-50

Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

OL-24002-01

Appendix E      Troubleshooting

  Troubleshooting the Appliance

For More Information 

To learn more about the IPS Logger service, refer to 

Logger

.

Directing cidLog Messages to SysLog

It might be useful to direct cidLog messages to syslog.

To direct cidLog messages to syslog, follow these steps:

Step 1

Go to the idsRoot/etc/log.conf file.

Step 2

Make the following changes:

a.

Set [logApp] 

enabled=false

 

Comment out the 

enabled=true

 because 

enabled=false

 is the default. 

b.

Set [drain/main] 

type=syslog

 

The following example shows the logging configuration file:

timemode=local

;timemode=utc

 

[logApp]

;enabled=true

;-------- FIFO parameters --------

fifoName=logAppFifo

fifoSizeInK=240

;-------- logApp zone and drain parameters --------

zoneAndDrainName=logApp

fileName=main.log

fileMaxSizeInK=500

 

[zone/Cid]

severity=warning

drain=main

 

[zone/IdsEventStore]

severity=debug

drain=main

 

[drain/main]

type=syslog

The syslog output is sent to the syslog facility local6 with the following correspondence to syslog 
message priorities:    

LOG_DEBUG,        //   debug

LOG_INFO,             //    timing

LOG_WARNING,   //    warning

LOG_ERR,             //    error

LOG_CRIT             //     fatal

Note

Make sure that your /etc/syslog.conf has that facility enabled at the proper priority. 

Summary of Contents for IPS 7.1

Page 1: ...Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 Text Part Number OL 24002 01 ...

Page 2: ...e encouraged to try to correct the interference by using one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between the equipment and receiver Connect the equipment into an outlet on a circuit different from that to which the receiver is connected Consult the dealer or an experienced radio TV technician for help Modifications to this product no...

Page 3: ...w the Sensor Functions 1 1 Capturing Network Traffic 1 1 Your Network Topology 1 3 Correctly Deploying the Sensor 1 3 Tuning the IPS 1 3 Sensor Interfaces 1 4 Understanding Sensor Interfaces 1 4 Command and Control Interface 1 5 Sensing Interfaces 1 6 Interface Support 1 6 TCP Reset Interfaces 1 11 Interface Restrictions 1 12 Interface Modes 1 14 Promiscuous Mode 1 14 IPv6 Switches and Lack of VAC...

Page 4: ...lectricity Safety Guidelines 2 2 Preventing Electrostatic Discharge Damage 2 3 Working in an ESD Environment 2 4 General Site Requirements 2 5 Site Environment 2 5 Preventive Site Configuration 2 5 Power Supply Considerations 2 6 Configuring Equipment Racks 2 6 C H A P T E R 3 Installing the IPS 4240 and IPS 4255 3 1 Contents 3 1 Installation Notes and Caveats 3 1 Product Overview 3 2 Front and Ba...

Page 5: ...ng and Removing the Power Supply 4 23 C H A P T E R 5 Installing the IPS 4270 20 5 1 Contents 5 1 Installation Notes and Caveats 5 1 Product Overview 5 2 Supported Interface Cards 5 4 Hardware Bypass 5 5 4GE Bypass Interface Card 5 6 Hardware Bypass Configuration Restrictions 5 6 Hardware Bypass and Link Changes and Drops 5 7 Front and Back Panel Features 5 8 Diagnostic Panel 5 14 Specifications 5...

Page 6: ...9 Rack Mounting Guidelines 6 9 Installing the IPS 4345 in a Rack 6 10 Mounting the IPS 4345 and IPS 4360 in a Rack with the Slide Rail Mounting System 6 11 Installing the Appliance on the Network 6 12 Removing and Installing the Power Supply 6 15 AC Power Supply in V01 and V02 Chassis 6 15 Understanding the Power Supplies 6 16 Removing and Installing the AC Power Supply 6 18 Installing DC Input Po...

Page 7: ...Connections 7 34 IPS 4500 Series Sensors and the SwitchApp 7 35 C H A P T E R 8 Installing and Removing the ASA 5500 AIP SSM 8 1 Contents 8 1 Installation Notes and Caveats 8 1 Product Overview 8 2 Specifications 8 4 Memory Specifications 8 4 Hardware and Software Requirements 8 4 Indicators 8 5 Installation and Removal Instructions 8 5 Installing the ASA 5500 AIP SSM 8 5 Verifying the Status of t...

Page 8: ...IPS SSP A 6 Logging In to the Sensor A 7 A P P E N D I X B Initializing the Sensor B 1 Contents B 1 Understanding Initialization B 1 Simplified Setup Mode B 2 System Configuration Dialog B 2 Basic Sensor Setup B 4 Advanced Setup B 7 Advanced Setup for the Appliance B 7 Advanced Setup for the ASA 5500 AIP SSM B 13 Advanced Setup for the ASA 5500 X IPS SSP B 17 Advanced Setup for the ASA 5585 X IPS ...

Page 9: ...s D 3 Upgrade Notes and Caveats D 4 Manually Upgrading the Sensor D 4 Upgrading the Recovery Partition D 6 Configuring Automatic Upgrades D 7 Understanding Automatic Upgrades D 8 Automatically Upgrading the Sensor D 8 Downgrading the Sensor D 11 Recovering the Application Partition D 12 Installing System Images D 13 ROMMON D 13 TFTP Servers D 14 Connecting an Appliance to a Terminal Server D 14 In...

Page 10: ...Time Sources and the Sensor E 15 Time Sources and the Sensor E 15 Synchronizing IPS Module Clocks with Parent Device Clocks E 16 Verifying the Sensor is Synchronized with the NTP Server E 16 Correcting Time on the Sensor E 17 Advantages and Restrictions of Virtualization E 17 Supported MIBs E 18 When to Disable Anomaly Detection E 19 Troubleshooting Global Correlation E 19 Analysis Engine Not Resp...

Page 11: ...abling Debug Logging E 45 Zone Names E 49 Directing cidLog Messages to SysLog E 50 TCP Reset Not Occurring for a Signature E 51 Software Upgrades E 52 Upgrading and Analysis Engine E 52 Which Updates to Apply and Their Prerequisites E 53 Issues With Automatic Update E 53 Updating a Sensor with the Update Stored on the Sensor E 54 Troubleshooting the IDM E 55 Cannot Launch IDM Loading Java Applet F...

Page 12: ...585 X IPS SSP E 76 Failover Scenarios E 77 Traffic Flow Stopped on IPS Switchports E 78 Health and Status Information E 78 The ASA 5585 X IPS SSP and the Normalizer Engine E 81 The ASA 5585 X IPS SSP and Jumbo Packet Frame Size E 82 The ASA 5585 X IPS SSP and Jumbo Packets E 82 IPS Reloading Messages E 83 Gathering Information E 83 Health and Network Security Information E 84 Tech Support Informat...

Page 13: ...4002 01 Displaying Events E 106 Clearing Events E 108 cidDump Script E 109 Uploading and Accessing Files on the Cisco FTP Site E 109 A P P E N D I X F Cable Pinouts F 1 Contents F 1 10 100BaseT and 10 100 1000BaseT Connectors F 1 Console Port RJ 45 F 2 RJ 45 to DB 9 or DB 25 F 3 G L O S S A R Y I N D E X ...

Page 14: ...Contents xiv Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 ...

Page 15: ...t for Cisco Intrusion Prevention System 7 1 Use this guide in conjunction with the documents listed in Related Documentation page xvii This preface contains the following topics Audience page xv Organization page xvi Conventions page xvi Related Documentation page xvii Where to Find Safety and Warning Information page xvii Obtaining Documentation Using the Cisco Bug Search Tool and Submitting a Se...

Page 16: ...he setup command to initialize sensors C Obtaining Software Describes where to go to get the latest IPS software and describes the naming conventions D Upgrading Downgrading and Installing System Images Describes how to upgrade sensors and reimage the various sensors E Troubleshooting Contains troubleshooting tips for IPS hardware and software F Cable Pinouts Describes the appliance cable pinouts ...

Page 17: ...500 series documentation and where to find it refer to the following URL http www cisco com en US docs security asa roadmap asaroadmap html Where to Find Safety and Warning Information Before installing IPS sensors read the regulatory compliance and safety information documents These documents contain important safety information such as the international agency compliance and safety information f...

Page 18: ... using the Cisco Bug Search Tool BST submitting a service request and gathering additional information see What s New in Cisco Product Documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to What s New in Cisco Product Documentation which lists all new and revised Cisco technical documentation as an RSS feed and deliver content directly to your desktop using a re...

Page 19: ...g sections How the Sensor Functions page 1 1 Supported Sensors page 1 18 IPS Appliances page 1 20 Time Sources and the Sensor page 1 22 How the Sensor Functions This section describes how the sensor functions and contains the following topics Capturing Network Traffic page 1 1 Your Network Topology page 1 3 Correctly Deploying the Sensor page 1 3 Tuning the IPS page 1 3 Sensor Interfaces page 1 4 ...

Page 20: ...t TCP resets via the sensing interface Note You should select the TCP reset action only on signatures associated with a TCP based service If selected as an action on non TCP based services no action is taken Additionally TCP resets are not guaranteed to tear down an offending session because of limitations in the TCP protocol Make ACL changes on switches routers and firewalls that the sensor manag...

Page 21: ... single scan and attempted attack even if they have no significance to your network implementation You will receive hundreds thousands or even millions of alerts in a large enterprise environment that are not really critical or actionable in your environment Analyzing this type of data is time consuming and costly Tuning the IPS Tuning the IPS ensures that the alerts you see reflect true actionabl...

Page 22: ...ting For information on Cisco signatures for the IDM and IME refer to Defining Signatures and for the CLI refer to Defining Signatures For detailed information on event action overrides for the IDM and IME refer to Configuring Event Action Overrides and for the CLI refer to Configuring Event Action Overrides Sensor Interfaces This section describes the sensor interfaces and contains the following ...

Page 23: ...20 no interface related configurations are allowed when the SensorApp is down Command and Control Interface The command and control interface has an IP address and is used for configuring the sensor It receives security and status events from the sensor and queries the sensor for statistics The command and control interface is permanently enabled It is permanently mapped to a specific physical int...

Page 24: ...the assignment of promiscuous and inline interfaces to the Analysis Engine is not deleted from the Analysis Engine configuration but is ignored until those cards are reinserted and you create the inline interface pairs again Interface Support Table 1 2 describes the interface support for appliances and modules running Cisco IPS IPS 4260 Management 0 0 IPS 4270 20 Management 0 0 IPS 4345 Management...

Page 25: ... IPS SSP PortChannel 0 0 by security context instead of VLAN pair or inline interface pair PortChannel 0 0 by security context instead of VLAN pair or inline interface pair Management 0 0 ASA 5585 X IPS SSP 10 PortChannel 0 0 by security context instead of VLAN pair or inline interface pair PortChannel 0 0 by security context instead of VLAN pair or inline interface pair Management 0 0 ASA 5585 X ...

Page 26: ...260 2SX Slot 1 Slot 2 GigabitEthernet 0 1 GigabitEthernet 2 0 GigabitEthernet 2 1 GigabitEthernet 3 0 GigabitEthernet 3 1 All sensing ports can be paired together Management 0 0 IPS 4260 10GE Slot 1 GigabitEthernet 0 1 TenGigabitEthernet 2 0 TenGigabitEthernet 2 1 2 0 2 12 Management 0 0 IPS 4270 20 N A Management 0 0 Management 0 13 IPS 4270 20 4GE BP Slot 1 Slot 2 GigabitEthernet 3 0 GigabitEthe...

Page 27: ...agement 0 14 IPS 4345 GigabitEthernet 0 0 GigabitEthernet 0 1 GigabitEthernet 0 2 GigabitEthernet 0 3 GigabitEthernet 0 4 GigabitEthernet 0 5 Gigabitethernet 0 6 GigabitEthernet 0 7 All sensing ports can be paired together Management 0 0 Management 0 15 IPS 4360 GigabitEthernet 0 0 GigabitEthernet 0 1 GigabitEthernet 0 2 GigabitEthernet 0 3 GigabitEthernet 0 4 GigabitEthernet 0 5 GigabitEthernet 0...

Page 28: ...0 TX GigabitEthernet 0 0 GigabitEthernet 0 1 GigabitEthernet 0 2 GigabitEthernet 0 3 GigabitEthernet 0 4 GigabitEthernet 0 5 TenGigabitEthernet 0 6 TenGigabitEthernet 0 7 TenGigabitEthernet 0 8 TenGigabitEthernet 0 9 All sensing ports can be paired together Management 0 0 Management 0 16 1 To disable hardware bypass pair the interfaces in any other combination 2 0 2 2 and 2 1 2 3 for example 2 To ...

Page 29: ...ing interface with an alternate TCP reset interface and any TCP resets that would otherwise be sent on the sensing interface when it is operating in promiscuous mode are instead sent out on the associated alternate TCP reset interface If a sensing interface is associated with an alternate TCP reset interface that association applies when the sensor is configured for promiscuous mode but is ignored...

Page 30: ...sensor Caution You can only assign a sensing interface as an alternate TCP reset interface You cannot configure the management interface as an alternate TCP reset interface Interface Restrictions The following restrictions apply to configuring interfaces on the sensor Physical Interfaces In IPS 7 1 rx tx flow control is disabled on the IPS 4200 series sensors This is a change from IPS 7 0 where rx...

Page 31: ...odules ASA 5500 AIP SSM ASA 5500 X IPS SSP and ASA 5585 X IPS SSP to operate inline even though they have only one sensing interface Inline VLAN Pairs You cannot pair a VLAN with itself You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair For a given sensing interface a VLAN can be a member of only one inline VLAN pair However a given VLAN can be a member of an inline ...

Page 32: ...groups The CLI IDM and IME prompt you to remove any dangling references You can leave the dangling references and continue editing the configuration The CLI IDM and IME do not allow configuration changes in Analysis Engine that conflict with the interface configuration The CLI allows configuration changes in the interface configuration that cause conflicts in the Analysis Engine configuration The ...

Page 33: ...2 illustrates promiscuous mode Figure 1 2 Promiscuous Mode IPv6 Switches and Lack of VACL Capture VACLs on Catalyst switches do not have IPv6 support The most common method for copying traffic to a sensor configured in promiscuous mode is to use VACL capture If you want to have IPv6 support you can use SPAN ports However you can only configure up to two monitor sessions on a switch unless you use ...

Page 34: ...ded attacks Layers 3 to 7 This deeper analysis lets the system identify and stop and or block attacks that would normally pass through a traditional firewall device In inline interface pair mode a packet comes in through the first interface of the pair on the sensor and out the second interface of the pair The packet is sent to the second interface of the pair unless that packet is being denied or...

Page 35: ...ach sensing interface The sensor replaces the VLAN ID field in the 802 1q header of each received packet with the ID of the egress VLAN on which the sensor forwards the packet The sensor drops all packets received on any VLANs that are not assigned to inline VLAN pairs Note You cannot use the default VLAN as one of the paired VLANs in an inline VLAN pair Figure 1 4 illustrates inline VLAN pair mod...

Page 36: ...as either an access port or a trunk port On an access port all traffic is in a single VLAN is called the access VLAN On a trunk port multiple VLANs can be carried over the port and each packet has a special header attached called the 802 1q header that contains the VLAN ID This header is commonly referred as the VLAN tag However a trunk port has a special VLAN called the native VLAN Packets in the...

Page 37: ...odules that are supported by Cisco IPS Table 1 4 Supported Sensors Model Name Part Number Optional Interfaces Appliances IPS 4240 IPS 4240 K9 IPS 4240 DC K91 IPS 4255 IPS 4255 K9 IPS 4260 IPS 4260 K9 IPS 4260 4GE BP K9 IPS 4260 2SX K9 IPS 4260 2X10GE SR K9 IPS 4GE BP INT IPS 2SX INT IPS 2X10GE SR INT IPS 4270 20 IPS 4270 K9 IPS 4270 4GE BP K9 IPS 4270 2SX K9 IPS 4270 2X10GE SR K9 IPS 4GE BP INT IP...

Page 38: ...4510 and IPS 4520 IPS 7 1 4 and later The IPS appliance is a high performance plug and play device The appliance is a component of the IPS a network based real time intrusion prevention system You can use the IPS CLI IDM IME ASDM or CSM to configure the appliance For a list of IPS documents and how to access them refer to Documentation Roadmap for Cisco Intrusion Prevention System 7 1 ASA 5525 X A...

Page 39: ...s appliances must be connected to the SPAN port or VACL capture port of the switch The Cisco IPS appliances provide the following Protection of multiple network subnets through the use of up to eight interfaces Simultaneous dual operation in both promiscuous and inline modes A wide array of performance options from 80 Mbps to multiple gigabits Embedded web based management solutions packaged with ...

Page 40: ...to be configured config t line login transport input all stopbits 1 flowcontrol hardware speed 9600 exit exit wr mem Step 3 Be sure to properly close a terminal session to avoid unauthorized access to the appliance If a terminal session is not stopped properly that is if it does not receive an exit 0 signal from the application that initiated the session the terminal session can remain open When t...

Page 41: ... and IPS 4520 IPS 7 1 4 and later The ASA IPS Modules The ASA 5500 X IPS SSP and ASA 5585 X IPS SSP automatically synchronize their clocks with the clock in the adaptive security appliance in which they are installed This is the default Configure them to get their time from an NTP time synchronization source such as a Cisco router other than the parent router Synchronizing IPS Module System Clocks...

Page 42: ...s continues to read Not Synchronized check with the NTP server administrator to make sure the NTP server is configured correctly Correcting the Time on the Sensor If you set the time incorrectly your stored events will have the incorrect time because they are stamped with the time the event was created The Event Store time stamp is always based on UTC time If during the original sensor setup you s...

Page 43: ... System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Chapter 1 Introducing the Sensor Time Sources and the Sensor For More Information For the procedure for clearing events refer to Clearing Events from Event Store ...

Page 44: ...1 26 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Chapter 1 Introducing the Sensor Time Sources and the Sensor ...

Page 45: ... Appliances and the Intrusion Prevention System 4300 Series Appliances Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4500 Series Sensor Appliance Step 2 To familiarize yourself with the IPS and related documentation and where to find it on Cisco com read the Documentation Roadmap for Cisco Intrusion Prevention System 7 1 Step 3 Before proceeding with applia...

Page 46: ...king environment so be alert and exercise good judgement at all times Note Removing the chassis cover to install a hardware component does not affect your Cisco warranty Upgrading the appliance does not require any special tools and does not create any radio frequency leaks The safety guidelines are as follows Keep the chassis area clear and dust free before during and after installation Keep tool...

Page 47: ...Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor Regulatory Compliance and Safety Information for the Cisco ASA 5500 X Series Adaptive Security Appliances and the Intrusion Prevention System 4300 Series Appliances Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4500 Series Sensor Appliance The...

Page 48: ...ble wrist straps typically those included with an upgrade part are designed for one time use Step 3 Attach the wrist strap to your wrist and to the terminal on the work surface If you are using a disposable wrist strap connect the wrist strap directly to an unpainted metal surface of the chassis Step 4 Connect the work surface to the chassis using a grounding cable and alligator clip Caution Alway...

Page 49: ...nt generates heat Ambient air temperature might not be adequate to cool equipment to acceptable operating temperatures without adequate circulation Make sure that the room in which you operate your system has adequate air circulation Always follow the ESD prevention procedures to avoid damage to equipment Damage from static discharge can cause immediate or intermittent equipment failure Make sure ...

Page 50: ... UPS for your site Install proper site grounding facilities to guard against damage from lightning or power surges Configuring Equipment Racks The following tips help you plan an acceptable equipment rack configuration Enclosed racks must have adequate ventilation Ensure that the rack is not overly congested because each chassis generates heat An enclosed rack should have louvered sides and a fan ...

Page 51: ...age 3 6 Installing the IPS 4240 and IPS 4255 page 3 7 Installing the IPS 4240 DC page 3 10 Installation Notes and Caveats Pay attention to the following installation notes and caveats before installing the IPS 4240 or the IPS 4255 Note Read through the entire guide before beginning any of the installation procedures Warning Only trained and qualified personnel should install replace or service thi...

Page 52: ... a compact flash device for storage rather than the hard disk drives used in other sensor models Note The IPS 4240 and the IPS 4255 do not support redundant power supplies The IPS 4240 replaces the IDS 4235 There are four 10 100 1000 copper sensing interfaces The IPS 4240 is available with either AC or DC power It monitors up to 250 Mbps of aggregate network traffic on multiple sensing interfaces ...

Page 53: ...l Features 114003 PWR STATUS FLASH Cisco IPS 4240 series Intrusion Prevention Sensor Power Flash Status Table 3 1 Front Panel Indicators Indicator Description Power Off indicates no power Green when the power supply is running Status Blinks green while the power up diagnostics are running or the system is booting Solid green when the system has passed power up diagnostics Solid amber when the powe...

Page 54: ...2 USB1 LNK SPD 3 LNK SPD 2 LNK SPD 1 LNK SPD 0 MGMT Indicators Table 3 2 Back Panel Indicators Indicator Color Description Left side Green solid Green blinking Physical link Network activity Right side Not lit Green Amber 10 Mbps 100 Mbps 1000 Mbps Table 3 3 IPS 4240 and IPS 4255 Specifications Dimensions and Weight Height 1 75 in 4 45 cm Width 17 5 in 44 45 cm Depth 14 5 in 36 83 cm Weight 20 0 l...

Page 55: ...S This warning symbol means danger You are in a situation that could cause bodily injury Before you work on any equipment be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device Stat...

Page 56: ...onsole cable Two 6 ft Ethernet cables Rack Mounting To rack mount the IPS 4240 and IPS 4255 follow these steps Step 1 Attach the bracket to the appliance using the supplied screws You can attach the brackets to the holes near the front of the appliance Note The top hole on the left bracket is a banana jack you can use for ESD grounding purposes when you are servicing the system You can use the two...

Page 57: ... screws that attach the appliance to the rack and then remove the appliance Installing the IPS 4240 and IPS 4255 Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Int...

Page 58: ...e the appliance in a rack if you are rack mounting it Step 4 Attach the power cord to the appliance and plug it in to a power source a UPS is recommended Step 5 Connect the cable as shown in Step 6 so that you have either a DB 9 or DB 25 connector on one end as required by the serial port for your computer and the other end is the RJ 45 connector Note Use the console port to connect to a computer ...

Page 59: ... left are sensing ports Management0 0 is the command and control port Caution Management and console ports are privileged administrative ports Connecting them to an untrusted network can create security concerns Step 8 Power on the appliance Step 9 Initialize the appliance Step 10 Upgrade the appliance with the most recent Cisco IPS software You are now ready to configure intrusion prevention on t...

Page 60: ...nager Configuration Guide for IPS 7 1 Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7 1 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7 1 Installing the IPS 4240 DC The IPS 4240 DC K9 NEBS compliant model equipped with DC input power supply must be terminated with the DC input wiring on a DC source capable of supplying at least 15 amps A 1...

Page 61: ...ed with the appliance Step 3 Place the appliance in a rack if you are rack mounting it Step 4 Terminate the DC input wiring on a DC source capable of supplying at least 15 amps A 15 amp circuit breaker is required at the 48 VDC facility power source An easily accessible disconnect device should be incorporated into the facility wiring Step 5 Locate the DC input terminal box Step 6 Power off the IP...

Page 62: ... After wiring the DC power supply remove the tape from the circuit breaker switch handle and reinstate power by moving the handle of the circuit breaker to the ON position Step 11 Replace the DC power supply plastic shield Step 12 Power on the IPS 4240 DC from the switch at the back of the chassis Note If you need to power cycle the IPS 4240 DC wait at least 5 seconds between powering it off and p...

Page 63: ...liance in a rack see Rack Mounting page 3 6 For the procedure for using the setup command to initialize the appliance see Appendix B Initializing the Sensor For the procedure for updating the appliance with the most recent cisco IPS software see Obtaining Cisco IPS Software page C 1 For the procedure for using HTTPS to log in to IDM refer to Logging In to IDM For the procedures for configuring int...

Page 64: ...3 14 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Chapter 3 Installing the IPS 4240 and IPS 4255 Installing the IPS 4240 DC ...

Page 65: ...acing the Chassis Cover page 4 19 Installing and Removing Interface Cards page 4 21 Installing and Removing the Power Supply page 4 23 Installation Notes and Caveats Pay attention to the following installation notes and caveats before installing the IPS 4260 Note Read through the entire guide before beginning any of the installation procedures Warning Only trained and qualified personnel should in...

Page 66: ...IC environments thus providing flexibility of deployment in any environment The IPS 4260 has two built in Gigabit Ethernet network ports and six expansion slots The network port numbers increase from right to left and the expansion slot numbers increase from bottom to top and from right to left as shown in Figure 4 5 on page 4 8 Slots 2 and 3 are PCI Express connectors and the other expansion slot...

Page 67: ...ard 4GE Bypass Interface Card The 4GE bypass interface card part numbers IPS 4GE BP INT and IPS 4GE BP INT provides four 10 100 1000BASE T 4GE monitoring interfaces The IPS 4260 supports up to two 4GE bypass interfaces cards for a total of eight GE bypass interfaces The 4GE bypass interface card supports hardware bypass Figure 4 1 shows the 4GE bypass interface card Figure 4 1 4GE Bypass Interface...

Page 68: ...erface card does not support hardware bypass Figure 4 3 shows the 10GE interface card Figure 4 3 10GE Interface Card GigabitEthernetslot_number port_number is the expansion card interface naming convention for IPS 4260 The slot number is shown to the right of the slot in the chassis and the port number is numbered from right to left starting with 0 Hardware Bypass This section describes the 4GE by...

Page 69: ... If the sensor is powered off reset or if the NIC interfaces fail or are unloaded those paired interfaces enter fail open state in hardware traffic flows unimpeded through inline interface Any other inline interfaces enter fail closed state When bypass is set to AUTO traffic flows without inspection software bypass is activated if SensorApp fails For each inline interface on which hardware bypass ...

Page 70: ...ly with the switch if both of them are configured for identical speed and duplex which means that the sensor must be set for autonegotiation too Hardware Bypass and Link Changes and Drops Properly configuring and deploying hardware bypass protects against complete link failure if the IPS appliance experiences a power loss critical hardware failure or is rebooted however a link status change still ...

Page 71: ...Sensor POWER STATUS FLASH ID NIC Power Flash Status ID NIC RESET ID 153095 POWER RESET ID Table 4 1 Front Panel Indicators Indicator Description ID blue Continuously lit when activated by the front panel ID switch NIC green Indicates activity on either the GigabitEthernetO 1 or MGMT interfaces Power green When continuously lit indicates DC power The indicator is off when power is turned off or the...

Page 72: ...e connector not supported Keyboard connector not supported Sensing interface expansion slots Video connector not supported 3 2 1 6 5 4 Power connector Indicator light Power supply 2 Power supply 1 GE 0 1 CONSOLE MGMT Console port Management 0 0 Gigabit Ethernet 0 1 153308 6 5 4 SPD indicator Link ACT indicator GE 0 1 CONSOLE MGMT SPD LNK SPD LNK SPD indicator SPD Link ACT indicator LINK Diagnostic...

Page 73: ... or fan failed Amber blinking Power supply warning events where the power supply continues to operate high temperature high power high current or slow fan Table 4 4 IPS 4260 Specifications Dimensions and Weight Height 3 45 in 87 6 cm Width 17 14 in 435 3 cm Depth 20 in 508 cm Weight 20 0 lb 9 07 kg Form factor 2 RU standard 19 inch rack mountable Power Autoswitching 100V to 240V AC Frequency 47 to...

Page 74: ...e Statement 1071 SAVE THESE INSTRUCTIONS Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 The IPS 4260 accessories kit contains the following DB25 connector DB9 connector Rack mounting kit screws washers and metal bracket RJ45 console cable Two 6 ft Ethernet cables Rack Mounting You can rack mount the IPS 4260 in a 2 or 4 po...

Page 75: ...alling the IPS 4260 Rack Mounting Installing the IPS 4260 in a 4 Post Rack To rack mount the IPS 4260 in a 4 post rack follow these steps Step 1 Attach each inner rail to each side of the chassis with three 8 32x1 4 SEMS screws 153314 Cisco IPS 4260 series Intrusion Prevention Sensor POWER STATUS FLASH ID NIC RESET ID ...

Page 76: ... bracket to the chassis with two 8 32x1 4 SEMS screws You can flip the bracket to push the system forward in the rack Step 3 Using the four inner studs install the mounting brackets to the outer rail with four 8 32 KEPS nuts Insert four thread covers over the four outer studs on each side 153315 Cisco IPS 4260 series Intrusion Prevention Sensor POWER STATUS FLASH ID NIC RESET ID 153316 ...

Page 77: ... four bar nuts if necessary Adjust the mounting brackets based on rack depth Step 5 Slide the IPS 4260 into the rack making sure the inner rail is aligned with the outer rail Step 6 Install two 10 32x1 2 SEMS screws to hold the front tab mounting bracket to the rail 153317 153318 Cisco IPS 4260 series Intrusion Prevention Sensor POWER STATUS FLASH ID NIC RESET ID Cisco IPS 4260 series Intrusion Pr...

Page 78: ...the IPS 4260 in a 2 post rack follow these steps Step 1 Attach the inner rail to each side of the chassis with three 8 32x1 4 SEMS screws Step 2 Using the four inner studs install the mounting brackets to the outer rail with four 8 32 KEPS nuts Insert four thread covers over the four outer studs on each side 153320 Cisco IPS 4260 series Intrusion Prevention Sensor POWER STATUS FLASH ID NIC RESET I...

Page 79: ...two outer rail subassemblies in the rack using twelve 10 32x1 2 SEMS screws or whatever rack hardware is necessary Adjust the mounting brackets based on the rack channel depth Step 4 Slide the IPS 4260 into the rack making sure the inner rail is aligned with the outer rail 153322 153323 Cisco IPS 4260 series Intrusion Prevention Sensor POWER STATUS FLASH ID NIC RESET ID ...

Page 80: ...to the inner rail Installing the IPS 4260 Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor 153324 Cisco IPS ...

Page 81: ...4260 in a rack if you are rack mounting it Step 4 Attach the power cord to the IPS 4260 and plug it in to a power source a UPS is recommended Step 5 Connect the cable as shown in Step 6 so that you have either a DB 9 or DB 25 connector on one end as required by the serial port for your computer and the other end is the RJ 45 connector Note Use the console port to connect to a computer to enter con...

Page 82: ... command and control port GigabitEthernetslot_number port_number through GigabitEthernetslot_number port_number are the additional expansion port slots Caution Management and console ports are privileged administrative ports Connecting them to an untrusted network can create security concerns Step 8 Power on the IPS 4260 153309 RJ 45 to DB 9 or DB 25 serial cable null modem Computer serial port DB...

Page 83: ...stem Device Manager Configuration Guide for IPS 7 1 Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7 1 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7 1 Removing and Replacing the Chassis Cover Warning This product relies on the building s installation for short circuit overcurrent protection Ensure that the protective device is rated not g...

Page 84: ...off Wait for the power down message before continuing with Step 3 sensor reset powerdown Note You can also power off the IPS 4260 using the IDM or the IME Step 3 Power off the IPS 4260 Step 4 Remove the power cord and other cables from IPS 4260 Step 5 If rack mounted remove the IPS 4260 from the rack Step 6 Make sure the IPS 4260 is in an ESD controlled environment Step 7 Press the blue button on ...

Page 85: ...tall the optional network interface cards in the two top full height slots slots 2 and 3 IPS 4260 supports up to two network interface cards Note The IPS 4260 supports only one 10GE fiber interface card which you can install in either of the supported slots slots 2 and 3 Note We recommend that you install the 4GE bypass interface card in slot 2 if you are installing only one 4GE bypass card This i...

Page 86: ... cover by pressing on it from inside the chassis If the card is full length use a screw driver to remove the blue thumb screw from the card support at the back of the card carrier Step 11 Carefully align the interface card with the PCI Express connector and alignment grooves for the appropriate slot Apply firm even pressure until the card is fully seated in the connector Step 12 Reinstall the slot...

Page 87: ...unting page 4 10 For more information on ESD controlled environments see Safety Recommendations page 2 2 For the procedure for removing the chassis cover see Removing and Replacing the Chassis Cover page 4 19 Installing and Removing the Power Supply The IPS 4260 ships with one power supply but you can order it with two power supplies so that you have a redundant power supply To install and remove ...

Page 88: ...60 Installing and Removing the Power Supply Step 5 Squeeze the tabs to remove the filler plate Step 6 Install the power supply Step 7 To remove the power supply push down the green tab and pull out the power supply Step 8 After installing or removing the power supply replace the power cord and other cables Step 9 Power on the IPS 4260 ...

Page 89: ...allation Guide for IPS 7 1 OL 24002 01 Chapter 4 Installing the IPS 4260 Installing and Removing the Power Supply For More Information For the IDM procedure for resetting the IPS 4260 refer to Rebooting the Sensor for the IME procedure refer to Rebooting the Sensor ...

Page 90: ...4 26 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Chapter 4 Installing the IPS 4260 Installing and Removing the Power Supply ...

Page 91: ...ing the Chassis Cover page 5 39 Accessing the Diagnostic Panel page 5 42 Installing and Removing Interface Cards page 5 43 Installing and Removing the Power Supply page 5 45 Installing and Removing Fans page 5 50 Troubleshooting Loose Connections page 5 52 Installation Notes and Caveats Pay attention to the following installation notes and caveats before installing the IPS 4270 20 Caution The BIOS...

Page 92: ...power supply connection All connections must be removed to de energize the unit Statement 1028 Note Removing the appliance chassis cover does not affect your Cisco warranty Upgrading the IPS 4270 20 does not require any special tools and does not create any radio frequency leaks Note In IPS 7 1 rx tx flow control is disabled on the IPS 4270 20 This is a change from IPS 7 0 where rx tx flow control...

Page 93: ... directly to the additional monitoring interfaces without needing to SPAN the traffic through a switch For improved reliability the IPS 4270 20 uses a compact flash device for storage rather than a hard disk drive The IPS 4270 20 supports two optional network interface cards the 2SX interface card with fiber optic ports and the 4GE bypass interface card with copper ports that contains the hardware...

Page 94: ... part numbers IPS 4GE BP INT and IPS 4GE BP INT provides four 10 100 1000BASE T 4GE monitoring interfaces The IPS 4270 20 supports up to four 4GE bypass interface cards for a total of sixteen GE bypass interfaces The 4GE bypass interface card supports hardware bypass Figure 5 2 shows the 4GE bypass interface card Figure 5 2 4GE Bypass Interface Card 2SX Interface Card The 2SX interface card part n...

Page 95: ... 10GE interface card does not support hardware bypass Figure 5 4 shows the 10GE interface card Figure 5 4 10GE Interface Card GigabitEthernet slot_number port_number is the expansion card interface naming convention for the IPS 4270 20 The slot number is shown above the slot in the chassis and the port number is numbered from top to bottom starting with 0 Hardware Bypass This section describes the...

Page 96: ...ode If the sensor is powered off reset or if the NIC interfaces fail or are unloaded those paired interfaces enter fail open state in hardware traffic flows unimpeded through inline interface Any other inline interfaces enter fail closed state When bypass is set to AUTO traffic flows without inspection software bypass is activated if SensorApp fails For each inline interface on which hardware bypa...

Page 97: ...rrectly with the switch if both of them are configured for identical speed and duplex which means that the sensor must be set for autonegotiation too Hardware Bypass and Link Changes and Drops Properly configuring and deploying hardware bypass protects against complete link failure if the IPS appliance experiences a power loss critical hardware failure or is rebooted however a link status change s...

Page 98: ...igure 5 5 shows the front view of the IPS 4270 20 Figure 5 5 IPS 4270 20 Front View Figure 5 6 shows the front panel switches and indicators Figure 5 6 IPS 4270 20 Front Panel Switches and Indicators 1 2 3 4 5 6 7 8 250082 Cisco IPS 4270 SERIES Intrusion Prevention Sensor UID SYSTEM PW R STATUS MGMT 0 MGMT 1 Switches Indicators 250108 Cisco IPS 4270 SERIES Intrusion Prevention Sensor UID SYSTEM PW...

Page 99: ...ernal system health indicator Indicates internal system health Green System on Flashing amber System health degraded Flashing red System health critical Off System off Power status indicator Indicates the power supply status Green Power supply on Flashing amber Power supply health degraded Flashing red Power supply health critical Off Power supply off MGMT0 0 indicator Indicates the status of the ...

Page 100: ...ures Figure 5 7 shows the back view of the IPS 4270 20 Figure 5 7 IPS 4270 20 Back Panel Features 1 1 2 3 4 5 6 7 8 9 PCI E x4 PCI E x8 PCI E x4 PCI E x8 PCI E x4 PCI X 100 MHz PS2 PS1 UID Reserved for Future Use CONSOLE MGMT0 0 250083 Console port Sensing interface expansion slots Management0 0 Reserved Reserved T 15 Torx screwdriver Power supply 2 Power supply 1 ...

Page 101: ...ply indicators 1 2 3 4 PCI E x4 PCI X 100 MHz PS1 Reserved for Future Use CONSOLE MGMT 0 0 250085 Activity indicator Link indicator Power supply indicators Activity indicator Link indicator Table 5 2 Ethernet Port Indicators Indicator Indicator Green Description Activity On or flashing Off Network activity No network activity Link On Off Linked to network Not linked to network Table 5 3 Power Supp...

Page 102: ...allation Guide for IPS 7 1 OL 24002 01 Chapter 5 Installing the IPS 4270 20 Front and Back Panel Features Off Flashing AC power present Standby mode Off On Normal Table 5 3 Power Supply Indicators continued Fail Indicator 1 Amber Power Indicator 2 Green Description ...

Page 103: ...7 1 OL 24002 01 Chapter 5 Installing the IPS 4270 20 Front and Back Panel Features Figure 5 9 shows the internal components Figure 5 9 IPS 4270 20 Internal Components 250249 Cooling fans Sensing interface expansion slots Power supply Power supply Cooling fans Diagnostic panel Cooling fans ...

Page 104: ...dicators Figure 5 10 shows the Diagnostic Panel Figure 5 10 Diagnostic Panel Table 5 4 lists the indicators that display health status for each component PROC1 FAN5 FAN6 FAN3 FAN4 FAN1 FAN2 PROC2 PROC3 PROC4 POWER FAULT PS1 PS2 CPU BD I O BD NMI INTERLOCK ERROR CPU BD 9A 10A 11B 12B 13C 14C 15D 16D 25A 26A 27B 28B 29C 30C 31D 32D PPM2 PPM4 PPM1 PPM3 8D 7D 6C 5C 4B 3B 2A 1A 24D 23D 22C 21C 20B 19B ...

Page 105: ...o 127 VAC 200 to 240 VAC Rated input frequency 50 to 60 Hz Rated input power 1161W 100 VAC 1598W 200 VAC Rated input current 12A 100 VAC 8A 200 VAC Maximum heat dissipation 3960 BTU hr 100 VAC 5450 BTU hr 200 VAC Power supply output 910 W low line 1300 W high line Environment Temperature Operating 50 to 95 F 10 to 35 C 1 Nonoperating 40 F to 158 F 40 C to 70 C 1 At sea level with an altitude derat...

Page 106: ...ing sections Understanding the Rail System Kit page 5 16 Rail System Kit Contents page 5 17 Space and Airflow Requirements page 5 17 Installing the IPS 4270 20 in the Rack page 5 18 Extending the IPS 4270 20 from the Rack page 5 26 Installing the Cable Management Arm page 5 28 Converting the Cable Management Arm page 5 32 Understanding the Rail System Kit This rail system supports a variety of pro...

Page 107: ...s Two slide assemblies Two chassis rails Four Velcro straps Six zip ties One cable management arm A package of miscellaneous parts screws and so forth One cable management arm stop bracket Space and Airflow Requirements To allow for servicing and adequate airflow follow these space and airflow requirements when choosing where to place a rack Leave a minimum clearance of 25 in 63 5 cm in front of t...

Page 108: ...f the chassis side rail should be at the back of the IPS 4270 20 The chassis side rail is held in place by the inner latch Step 2 Repeat Step 1 for each chassis side rail Warning To prevent bodily injury when mounting or servicing this unit in a rack you must take special precautions to ensure that the system remains stable The following guidelines are provided to ensure your safety This unit shou...

Page 109: ... IPS 7 1 OL 24002 01 Chapter 5 Installing the IPS 4270 20 Installing the Rail System Kit Step 3 To remove the chassis side rail lift the latch and slide the rail forward 1 2 3 4 5 6 7 8 Cisco IPS 4270 SERIES Intrusion Prevention Sensor UID SY ST EM PW RST AT US MGMT0 MGMT1 1 2 250221 ...

Page 110: ...PS 7 1 OL 24002 01 Chapter 5 Installing the IPS 4270 20 Installing the Rail System Kit Step 4 If you are installing the IPS 4270 20 in a shallow rack one that is less than 28 5 in 72 39 cm remove the screw from the inside of the slide assembly before continuing with Step 5 250207 28 5 ...

Page 111: ...d square hole racks a Line up the studs on the slide assembly with the holes on the inside of the rack and snap in to place b Adjust the slide assembly lengthwise to fit the rack The spring latch locks the slide assembly into position c Repeat for each slide assembly Make sure the slide assemblies line up with each other in the rack d Lift the spring latch to release the slide assembly if you need...

Page 112: ...PS 7 1 OL 24002 01 Chapter 5 Installing the IPS 4270 20 Installing the Rail System Kit For threaded hole racks a Remove the eight round or square hole studs on each slide assembly using a standard screwdriver Note You may need a pair of pliers to hold the retaining nut 250209 1 2 3 2 3 ...

Page 113: ...n Guide for IPS 7 1 OL 24002 01 Chapter 5 Installing the IPS 4270 20 Installing the Rail System Kit b Line up the bracket on the slide assembly with the rack holes install two screws top and bottom on each end of the slide assembly c Repeat for each slide assembly 250210 1 ...

Page 114: ...trusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Chapter 5 Installing the IPS 4270 20 Installing the Rail System Kit Step 6 Extend the slide assemblies out of the rack 250211 ...

Page 115: ... or pushing the tab back and carefully push the IPS 4270 20 in to place Caution Keep the IPS 4270 20 parallel to the floor as you slide it into the rails Tilting the IPS 4270 20 up or down can damage the slide rails Step 8 If you are using the cable management arm install it before you connect and route any cables Note You may also need longer cables when the arm is installed an extra length of ar...

Page 116: ...5 35 Extending the IPS 4270 20 from the Rack You can extend the IPS 4270 20 from the rack for service or removal Caution You can only extend the IPS 4270 20 from the rack if the cable management arm is correctly installed with the cables routed through it or if all cables are disconnected from the back of the chassis Otherwise you risk damage to the cables and a possible shock hazard if the power ...

Page 117: ...ach side of the front bezel of the IPS 4270 20 to release it from the rack and extend it on the rack rails until the rail release latches engage Note The release latches lock in to place when the rails are fully extended Step 2 After performing the installation or maintenance procedure slide the IPS 4270 20 in to the rack by pressing the rail release latches 1 2 3 4 5 6 7 8 Cisco IPS 4270 SERIES I...

Page 118: ...connect the cables from the back of the IPS 4270 20 push the release tab in the middle of the slide assembly forward and pull the IPS 4270 20 from the rack Installing the Cable Management Arm Note To hinge the cable management arm on the back right hand side of the rack see Converting the Cable Management Arm page 5 32 1 2 3 4 5 6 7 8 Cisco IPS 4270 SERIES Intrusion Prevention Sensor UID SY ST EM ...

Page 119: ...he cable management arm follow these steps Step 1 Align the slide bracket on the cable management arm with the stud on the back of the IPS 4270 20 and align the two studs at the back of the chassis side rail then slide down and lock in to place 1 1 2 3 4 5 6 7 8 9 PCI E x4 PCI E x8 PCI E x4 PCI E x8 PCI E x4 PCI X 100 MHz PS2 PS1 UID Reserv ed for Future Use CONSO LE MGMT 0 0 250214 ...

Page 120: ...tal tab on the cable management arm in to the slide assembly then lifting the spring pin to lock it in to place Caution Make sure the metal tab is on the outside of the upper part of the cable management arm Note When properly installed the cable management arm is attached to the IPS 4270 20 and the rack rail 1 1 2 3 4 5 6 7 8 9 PCI E x4 PCI E x8 PCI E x4 PCI E x8 PCI E x4 PCI X 100 MHz PS2 PS1 UI...

Page 121: ... cables with the Velcro straps and black tie wraps Note After you route the cables through the cable management arm make sure the cables are not pulled tight when the IPS 4270 20 is fully extended Caution Do not use the straps and zip ties to tie the two parts of the cable management arm together 1 1 2 3 4 5 6 7 8 9 PCI E x4 PCI E x8 PCI E x4 PCI E x8 PCI E x4 PCI X 100 MHz PS2 PS1 UID Reserved fo...

Page 122: ...inserting the stop bracket into the cable management arm bracket Converting the Cable Management Arm Note The cable management arm is designed for ambidextrous use You can convert the cable management arm from a left hand swing to a right hand swing Note Make sure to orient the management arm with the cable trough facing upward 1 1 2 3 4 5 6 7 8 9 PCI E x4 PCI E x8 PCI E x4 PCI E x8 PCI E x4 PCI X...

Page 123: ... Installation Guide for IPS 7 1 OL 24002 01 Chapter 5 Installing the IPS 4270 20 Installing the Rail System Kit To convert the cable management arm swing follow these steps Step 1 Pull up the spring pin and slide the bracket off the cable management arm 250218 ...

Page 124: ...Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Chapter 5 Installing the IPS 4270 20 Installing the Rail System Kit Step 2 Remove the bottom sliding bracket and flip it over to the top of the bracket aligning the studs 250219 ...

Page 125: ...ts one way because the hole for the spring pin is offset Installing the IPS 4270 20 Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor Warning IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger You are in a situation that...

Page 126: ...n the IPS 4270 20 on the network Step 2 Install the IPS 4270 20 in a rack if you are rack mounting it Step 3 Connect the cable as shown in Step 4 so that you have either a DB 9 connector on one end as required by the serial port for your computer and the other end is the RJ 45 connector Note Use the console port to connect to a computer to enter configuration commands Locate the serial cable from ...

Page 127: ...PS 4270 20 Installing the IPS 4270 20 Step 4 Connect the RJ 45 to DB 9 adapter connector to the console port and connect the other end to the DB 9 connector on your computer Computer serial port DB 9 250084 1 PS1 Reserved for Future Use CONSOLE MGMT 0 0 RJ 45 to DB 9 serial cable null modem Console port DB 9 RJ 45 to DB 9 adapter ...

Page 128: ...dministrative ports Connecting them to an untrusted network can create security concerns Step 6 Attach the power cables there are two power supplies to the IPS 4270 20 and plug them in to a power source a UPS is recommended Step 7 Power on the IPS 4270 20 Step 8 Initialize the IPS 4270 20 Step 9 Upgrade the IPS 4270 20 with the most recent Cisco IPS software You are now ready to configure intrusio...

Page 129: ... 1 Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7 1 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7 1 Removing and Replacing the Chassis Cover Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Ser...

Page 130: ...rating it in this manner results in improper airflow and improper cooling that can lead to thermal damage To remove and replace the chassis cover follow these steps Step 1 Log in to the CLI Step 2 Prepare the IPS 4270 20 to be powered off Wait for the power down message before continuing with Step 3 sensor reset powerdown Note You can also power off the IPS 4270 20 using the IDM or the IME Step 3 ...

Page 131: ...t the chassis cover installed The chassis cover protects the internal components prevents electrical shorts and provides proper air flow for cooling the electronic components Step 10 To replace the chassis cover position it on top of the chassis and slide it on Push down on the cover latch to lock into place 250123 1 2 3 4 5 6 7 8 Cisco IPS 4270 SERIES Intrusion Prevention Sensor UID SYSTE M PWRST...

Page 132: ... procedure for installing the power cables on the IPS 4270 20 see Installing the IPS 4270 20 page 5 35 If you are reinstalling the IPS 4270 20 in a rack see Installing the Rail System Kit page 5 16 Accessing the Diagnostic Panel Note When you remove the chassis cover to view the Diagnostic Panel leave the IPS 4270 20 powered on Powering off the IPS 4270 20 clears the Diagnostic Panel indicators To...

Page 133: ...wo 10GE fiber interface cards which you can install in any of the supported six slots slots 3 to 8 Caution To prevent damage to the IPS 4270 20 or the expansion cards power down the IPS 4270 20 and remove all AC power cables before removing or installing expansion cards Caution To prevent improper cooling and thermal damage do not operate the IPS 4270 20 unless all expansion slots have a cover or ...

Page 134: ...its connector lines up over the socket on the mother board and push the card down in to the socket Press down on the outer edge of the blue tab to lock the card in to place Note To remove full length expansion cards unlock the retaining clip To install full length expansion cards lock the retaining clip Step 10 Replace the chassis cover Step 11 Slide the server back in to the rack by pressing the ...

Page 135: ...ty warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor IPS 4270 20 ships with two hot pluggable power supplies thus providing a redundant power supply configuration You can install or replace either power supply without powering down the IPS 4270 20 as long as one power supply is active and functioning correctly Caution If...

Page 136: ...nstalling the IPS 4270 20 Installing and Removing the Power Supply Step 5 Use the T 15 Torx screwdriver that shipped with the IPS 4270 20 to remove the shipping screw The T 15 Torx screwdriver is located to the right of power supply 1 2 3 4 PCI E x4 PCI X 100 MHz Reserved for Future Use CONSOLE MGMT 0 0 PS1 250118 ...

Page 137: ...ntion System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Chapter 5 Installing the IPS 4270 20 Installing and Removing the Power Supply Step 6 Remove the power supply by pulling it away from the chassis 250219 ...

Page 138: ...r IPS 7 1 OL 24002 01 Chapter 5 Installing the IPS 4270 20 Installing and Removing the Power Supply Step 7 Install the power supply Make sure the handle is open and slide the power supply into the bay 1 2 3 4 PCI E x4 PCI X 100 MHz Reserved for Future Use CONSOLE MGMT 0 0 PS1 250119 ...

Page 139: ...tor is green Note Make sure the two power supplies are powered by separate AC power sources so that the IPS 4270 20 is always available Step 10 Power on the IPS 4270 20 For More Information For the IDM procedure for powering down the IPS 4270 20 refer to Rebooting the Sensor for the IME procedure for powering down the IPS 4270 20 refer to Rebooting the Sensor For an illustration of the screwdriver...

Page 140: ...n to provide proper airflow Figure 5 12 shows the fan its connector and its indicator Figure 5 12 Fan Connector and Indicator The fan indicators provide the following information Green Operating normally Amber Failed Off No power To install and remove fans in the IPS 4270 20 follow these steps Step 1 Extend the server from the rack Step 2 Remove the chassis cover Step 3 Identify the failed fan by ...

Page 141: ...dicator on each fan is green Note If the front panel internal system health indicator is not green after you install a fan reseat the fan Step 7 Replace the chassis cover Step 8 Slide the IPS 4270 20 back in to the rack by pressing the rail release handles Step 9 Power on the IPS 4270 20 For More Information For the fan locations see Figure 5 9 on page 5 13 For the procedure for extending the IPS ...

Page 142: ...re all cables are properly aligned and securely connected for all external and internal components Remove and check all data and power cables for damage Make sure no cables have bent pins or damaged connectors Make sure each device is properly seated If a device has latches make sure they are completely closed and locked Check any interlock or interconnect indicators that indicate a component is n...

Page 143: ... the Appliance on the Network page 6 12 Removing and Installing the Power Supply page 6 15 Installation Notes and Caveats Pay attention to the following notes and caveats before installing the IPS 4345 and the IPS 4360 Note Read through the entire guide before beginning any of the installation procedures Warning Only trained and qualified personnel should install replace or service this equipment ...

Page 144: ...work traffic on multiple sensing interfaces and is also inline ready It supports both copper and fiber interfaces The 500 Mbps performance is traffic combined from all sensing interfaces The 500 Mbps performance for the IPS 4345 is based on multiple models of common traffic mixes based on common deployment scenarios while running IPS 7 1 3 E4 software The IPS 4360 monitors greater than 1 Gbps of a...

Page 145: ...g 0 to 10 000 ft 0 to 3048 m Nonoperating 0 to 15 000 ft 0 to 4572 m Operating 0 to 10 000 ft 0 to 3048 m Nonoperating 0 to 15 000 ft 0 to 4572 m Acoustic noise Operating 64 2 Nonoperating 70G 4 22m s Operating 67 9 Nonoperating 70G 4 22m s Shock 50G 2ms 50G 2ms Vibration Operating 0 41Grms 3Hz to 500Hz with spectral break points of 0 0005G2 Hz at 10Hz and 200Hz and 5dB octave roll off at each end...

Page 146: ... the contents of the sensor packing box which contains the items you need to install the sensor Figure 6 1 IPS 4345 Packing Box Contents 1 Sensor chassis 2 Yellow Ethernet cable 3 Power cord 4 4 10 32 Phillips screws 5 4 12 24 Phillips screws 6 Blue console cable PC terminal adapter 7 Power cord retainer 8 Documentation 1 3 2 6 8 7 334563 4 5 Documentation Roadmap for the Cisco Intrusion Preventio...

Page 147: ...ck panel features and indicators Figure 6 3 shows the front view of the IPS 4345 and IPS 4360 Figure 6 3 IPS 4345 and IPS 4360 Front Panel View 1 Sensor chassis one power supply shown 2 Yellow Ethernet cable 3 Power cord 4 Blue console cable PC terminal adapter 5 Power cord retainer 6 Documentation Not shown Slide rail kit 1 3 2 4 6 5 334562 Documentation Roadmap for the Cisco Intrusion Prevention...

Page 148: ...rs for the IPS 4360 These indicators are also found on the back panel of the IPS 4360 Figure 6 5 IPS 4360 Indicators Table 6 2 describes the indicators on the IPS 4345 and IPS 4360 331624 331623 Table 6 2 IPS 4345 and IPS 4360 Indicators Indicator Description BOOT Indicates how the power up diagnostics are proceeding Flashing green Power up diagnostics are running or the system is booting Green Sy...

Page 149: ...or failed ALARM Indicates whether a component has failed Off No alarm Flashing yellow Critical alarm Major failure of hardware component or software module temperature over the limit power out of tolerance or OIR is ready to remove the module HD1 N A HD2 N A Table 6 2 IPS 4345 and IPS 4360 Indicators continued Indicator Description 1 Reserved for future use 2 Chassis cover removal screw 3 Manageme...

Page 150: ...nterface that supports FastEthernet and is designed for management traffic only 4 Network interface ports2 2 GigabitEthernet interfaces from right to left and top to bottom GigabitEthernet 0 0 0 1 0 2 and 0 3 and Gigabitethernet 1 0 1 1 1 2 and 1 3 5 Power supply modules 6 USB ports 7 Serial console port3 3 The serial console port uses 9600 baud 8 data bits 1 stop bit and no parity 8 Indicators 33...

Page 151: ...om to the top with the heaviest component at the bottom of the rack If the rack is provided with stabilizing devices install the stabilizers before mounting or servicing the unit in the rack Statement 1006 Pay attention to the following guidelines before rack mounting your appliance Allow clearance around the rack for maintenance If the rack contains stabilizing devices install the stabilizers pri...

Page 152: ... to the back of the chassis To rack mount the chassis perform the following steps Step 1 If you are keeping the front rack mount brackets go to Step 4 If you want to move the front rack mount brackets to the back of the chassis go to Step 2 Step 2 Remove the rack mount brackets from the chassis as shown in Figure 6 8 Figure 6 8 Removing the Brackets from the Front of the Chassis Step 3 Install the...

Page 153: ...use the slide rail mounting system with the IPS 4345 For instructions for using the slide rail mounting system refer to the Slide Rail Installation Instructions for Cisco IronPort C170 M170 and S170 Appliances and Cisco 5512 X 5515 X 5525 X 5545 X 5555 X Adaptive Security Appliances and Cisco IPS 4345 and 4360 found at this URL http www cisco com en US docs security asa hw maintenance 5500xspares ...

Page 154: ... of each warning to locate its translation in the translated safety warnings that accompanied this device Statement 1071 SAVE THESE INSTRUCTIONS Warning Only trained and qualified personnel should be allowed to install replace or service this equipment Statement 1030 To install the appliance on the network follow these steps Step 1 Position the appliance on the network Step 2 Install the appliance...

Page 155: ... port Connect one RJ 45 connector to the management port and connect the other end to the management port on your computer or network device The appliance has a dedicated management interface referred to as Management 0 0 which is a GigabitEthernet interface with a dedicated port used only for traffic management 1 Management 0 0 port 2 RJ 45 Ethernet cable USB2 USB1 LNK SPD 3 LNK SPD 2 LNK SPD 1 L...

Page 156: ...nnect the other end of the cable the DB 9 connector to the console port on your computer Step 6 Connect to the Ethernet ports Connect the RJ 45 connector to the Ethernet port and connect the other end of the RJ 45 connector to your network device such as a router switch or hub Step 7 Attach the power cable to the appliance and plug the other end in to a power source a UPS is recommended 1 RJ 45 co...

Page 157: ...r Supply This section describes the AC and DC power supplies and how to install and remove them It contains the following topics AC Power Supply in V01 and V02 Chassis page 6 15 Understanding the Power Supplies page 6 16 Removing and Installing the AC Power Supply page 6 18 Installing DC Input Power page 6 21 Removing and Installing the DC Power Supply page 6 26 AC Power Supply in V01 and V02 Chas...

Page 158: ...alled do not remove the power supply unless the appliance has been powered off Removing the only operational power supply causes an immediate power loss Note The IPS 4360 can support two AC or two DC power supplies Do not mix AC and DC power supply units in the same chassis The power supplies each provide 400 W of output power and are used in a 1 1 redundant configuration There is no input switch ...

Page 159: ... indicator 2 DC power supply positive connection 3 DC power supply neutral connection 4 DC power supply negative connection 1 1 2 3 4 333056 Table 6 4 AC and DC Power Supply Indicator Indicator Color and State Description Solid green Power output is on and within the normal operating range Blinking green at the rate of one blink per second Input power that is within the normal operating range is b...

Page 160: ...102 Warning This product relies on the building s installation for short circuit overcurrent protection Ensure that the protective device is rated not greater than 120 VAC 20A U S 240 VAC 10A international Statement 1005 Note This procedure applies only to the appliances with a removable AC power supply IPS 4360 Note If only one power supply is installed make sure that it is installed in slot 0 le...

Page 161: ...e of the slot cover and pull it away from the chassis Figure 6 12 Save the slot cover for future use Continue with Step 3 Figure 6 12 Removing the Slot Cover Step 2 If you are replacing a power supply follow these steps a Power off the appliance b From the back panel of the appliance unplug the power supply cable c Push the lever on the power supply to the left and remove the power supply by grasp...

Page 162: ...6 14 Figure 6 14 Installing the AC Power Supply Step 4 Connect the power cable If you are installing two power supplies for a redundant configuration plug each one into a power source we recommend a UPS Step 5 Power on the appliance if you powered it off to replace the only power supply Step 6 Check the PS0 and PS1 indicators on the front panel to make sure they are green On the back panel of the ...

Page 163: ...ection Ensure that the protective device is rated not greater than 80 VAC 20A Statement 1005 The DC power supply is shipped installed in the chassis either one or two power supplies depending on which configuration you ordered You must connect the power supply wires This section describes how to install the DC power supply ground leads and input power leads to the appliance DC input power supply B...

Page 164: ...shows the back panel of the IPS 4345 with the DC power supply Figure 6 16 IPS 4345 Back Panel Figure 6 17 shows the back panel of the IPS 4360 with two DC power supplies Figure 6 17 IPS 4360 Back Panel Note If only one power supply is installed make sure that it is installed in slot 0 left slot and that slot 1 right slot is covered with a slot cover 1 Fixed fan 2 Fixed DC power supply 333226 1 2 3...

Page 165: ...circuit breaker switch handle to the Off position and apply tape to hold it in the Off position Step 5 Use a 10 gauge wire stripping tool to strip each of the three wires coming from the DC input power source Strip the wires to 0 27 inch 7 mm 0 02 inch 0 5 mm Do not strip more than the recommended length of wire because doing so could leave the wire exposed from the DC power supply connection Figu...

Page 166: ...and Installing the Power Supply Step 6 Identify the positive negative and ground feed positions for the DC power supply connection The recommended wiring sequence is as follows Figure 6 19 Ground lead wire middle Positive lead wire left Negative lead wire right Figure 6 19 Ground Wires 1 Negative lead wire 2 Ground lead wire 3 Positive lead wire 333057 1 2 3 ...

Page 167: ...rom the DC power supply Step 8 Repeat Step 5 through Step 7 for the remaining two DC input power source wires the positive lead wire and the negative lead wire Step 9 Use a tie wrap to secure the wires coming from the power supply to the rack so that the wires cannot be pulled from the power supply by casual contact Make sure the tie wrap allows for some slack in the ground wire Figure 6 21 shows ...

Page 168: ... the appliance place the Standby switch into the Standby position Step 4 Move the circuit breaker switch handle to the Off position and apply tape to hold it in the Off position Step 5 If you are adding an additional power supply from the back of the appliance push the lever on the slot cover to the left to release it grasp the handle of the slot cover and pull it away from the chassis Figure 6 22...

Page 169: ...ing the power supply out of the chassis while supporting it from beneath with the other hand Figure 6 24 Figure 6 24 Removing the DC Power Supply Step 7 Install the new power supply by lining it up with the power supply bay and pushing it into place until it is seated while supporting it from beneath with the other hand Figure 6 25 Figure 6 25 Installing the DC Power Supply Step 8 To connect the D...

Page 170: ...6 28 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Chapter 6 Installing the IPS 4345 and IPS 4360 Removing and Installing the Power Supply ...

Page 171: ...S 4510 and IPS 4520 page 7 12 Removing and Installing the Core IPS SSP page 7 15 Removing and Installing the Power Supply Module page 7 17 Removing and Installing the Fan Module page 7 19 Installing the Slide Rail Kit Hardware page 7 20 Installing and Removing the Slide Rail Kit page 7 21 Rack Mounting the Chassis Using the Fixed Rack Mount page 7 30 Installing the Cable Management Brackets page 7...

Page 172: ...s 5 Gbps of intrusion prevention performance You can use the IPS 4520 to protect multi Gigabit networks and aggregated traffic traversing switches from multiple subnets The IPS 4520 is a purpose built device that has support for both copper and fiber NIC environments thus providing flexibility of deployment in any environment The IPS 4520 ships with two power supply modules but optional redundant ...

Page 173: ...nts and reports It monitors events and lets you sort views by filtering grouping and colorization IME also supports tools such as ping trace route DNS lookup and whois lookup for selected events It contains a flexible reporting network It embeds the IDM configuration component to allow for a seamless integration between the monitoring and configuration of IPS devices Within IME you can set up your...

Page 174: ...es 4 TenGigabitEthernet 0 8 1 Gb and 10 Gb fiber SFP SFP modules 5 TenGigabitEthernet 0 7 1 Gb and 10 Gb fiber SFP SFP modules 6 TenGigabitEthernet 0 6 1 Gb and 10 Gb fiber SFP SFP modules 7 GigabitEthernet 0 0 through 0 5 from right to left 1 Gb copper RJ45 8 Management 0 12 GigabitEthernet RJ45 2 Reserved for future use 9 Management 0 0 GigabitEthernet RJ45 10 USB port 11 USB port 12 Front panel...

Page 175: ...0 1 AUX CONSOLE PW R BOOT ALARM ACT VPN PS1 HDD1 PS0 HDD0 USB 0 1 AUX CONSOLE 253904 1 2 3 4 5 6 7 8 9 Table 7 1 Front Panel Indicators Indicator Description PWR Indicates whether the system is off or on Off No power Green System has power BOOT Indicates how the power up diagnostics are proceeding Flashing green Power up diagnostics are running or the system is booting Green System has passed powe...

Page 176: ...when facing the back panel Off No power supply module present or no AC input Green Power supply module present on and good Amber Power or fan module off or failed HDD12 Indicates activity on the hard disk drive Off No hard disk drive present Flashing green Hard disk drive activity Amber Hard disk drive failure HDD23 Indicates activity on the hard disk drive Off No hard disk drive present Flashing ...

Page 177: ...dicators 1 Power supply module corresponds to PS1 indicator 2 Power supply module fan module removal screws 3 Power supply module plug 4 Toggle On Off switch for power supply module 5 Power supply module indicators 6 Power supply module or fan module handle 7 Fan module 8 Fan module indicator Cisco ASA 1200W AC 100 240V 15 0 8 0 A 56 60Hz I N O K F A N O K O U T F A I L Cisco ASA FAN 2 4 3 5 6 2 1...

Page 178: ...er supply module Off No AC power cord connected or AC power switch off Green AC power cord connected and AC power switch on FAN OK Indicates status of fan module Off Fan module failure or AC power switch off Green AC power cord connected AC power switch on and internal fan is running OUT FAIL Red Output voltage failure1 1 The power supply module has three output voltages 3 3V 12V and 50V Table 7 3...

Page 179: ...ng green1 Network activity Management port Left side Green Physical activity Flashing green Network activity Right side Not lit 10 Mbps Green 100 Mbps Amber 1000 Mbps 1 Flashing is in proportion to the percentage of number of packets or bytes received Table 7 3 Ethernet Port Indicators continued Indicator Description Table 7 4 IPS 4510 and IPS 4520 Specifications Dimensions and Weight Height 3 47 ...

Page 180: ... power cables Screws Cable management brackets Front and rear rack mount brackets Slide rail kit hardware Slide rail kit Maximum heat dissipation 3960 BTU hr 100 VAC 5450 BTU hr 200 VAC Power supply output steady state Maximum peak 1200W 1200W Environment Temperature Operating 32 F to 104 F 0 C to 40 C Nonoperating 40 F to 158 F 40 C to 70 C Airflow Front to back Relative humidity noncondensing Op...

Page 181: ...pable input output device that plugs into the SFP SFP ports and provides Gigabit Ethernet connectivity The SFP and SFP modules are optional and not included with the IPS 4510 and IPS 4520 You can purchase them separately For 1 Gb you need SFP For 10Gb you need SFP The interfaces are called TenGigabitEthernet 0 x whether they are 10 Gb enabled or not Table 7 5 Memory Configurations Model Memory IPS...

Page 182: ...520 cables to the network interfaces follow these steps Step 1 Place the sensor on a flat stable surface or in a rack if you are rack mounting it Step 2 Connect to the management interface Management 0 0 a Locate an Ethernet cable which has an RJ 45 connector on each end Table 7 7 SFP SFP Modules 1G SFP Module GLC SX MM 1000 Base SX SFP module GLC SX MMD 1000BASE SX short wavelength with DOM GLC L...

Page 183: ...enter configuration commands a Before connecting a computer or terminal to any ports determine the baud rate of the serial port The baud rate of the computer or terminal must match the default baud rate 9600 baud of the console port of the adaptive security appliance Set up the terminal as follows 9600 baud default 8 data bits no parity 1 stop bits and Flow Control FC Hardware b Connect the RJ 45 ...

Page 184: ...odule on the back of the sensor b If you have redundant power supply modules you must connect both power cables to the back of the sensor c Plug the power cable s in to a power source we recommend a UPS 9 8 SFP SFP 7 6 253907 Cisco ASA 1200W AC 100 240V 15 0 8 0 A 56 60Hz IN OK FAN OK OUT FAIL Cisco ASA 1200W AC 100 240V 15 0 8 0 A 56 60Hz IN OK FAN OK OUT FAIL 253972 INPUT OUTPUT FAN Cisco ASA FA...

Page 185: ... FAN OK indicators are green and the OUT FAIL indicator is off For More Information For a list of the supported SFP SFP modules see Supported SFP SFP Modules page 7 11 Removing and Installing the Core IPS SSP You can uninstall the core IPS SSP in the IPS 4510 and IPS 4520 for example if you need to move it to a different chassis or replace it To remove and install the core IPS SSP in the IPS 4510 ...

Page 186: ... and push the ejection levers back into place Step 11 Tighten the screws Step 12 Reconnect the power cable to the sensor Step 13 Power on the sensor Step 14 Verify that the PWR indicator on the front panel is green 1 Module 2 Ejection levers 1 Module 2 Ejection levers PWR BOOT ALARM ACT VPN PS1 HDD1 PS0 HDD0 USB RESET 0 SFP1 SFP0 1 0 1 2 3 4 5 6 7 MGMT 0 1 AUX CONSOLE PWR BOOT ALARM ACT VPN PS1 HD...

Page 187: ...or as long as one power supply module is active and functioning correctly If only one power supply module is installed do not remove the power supply module unless the sensor has been powered off Removing the only operational power supply module causes an immediate power loss Caution If you remove a power supply or fan module replace it immediately to prevent disruption of service Caution If the a...

Page 188: ...r because you are removing and replacing the only power supply module power it back on Step 9 Check the PS0 and PS1 indicators on the front panel to make sure they are green On the back panel of the sensor make sure the IN OK and the FAN OK indicators are green and the OUT FAIL indicator is off 1 Power supply module and power supply module handle 2 Power supply module screws INPUT OUTPUT FAN Cisco...

Page 189: ...active and functioning correctly To maintain airflow both bays must be populated by either a power supply module and a fan module or two power supply modules Note A power supply module is required for the system to operate Caution If you remove a power supply or fan module replace it immediately to prevent disruption of service To remove and install the fan module follow these steps Step 1 From th...

Page 190: ...ide rail kit you must install the slide rail kit hardware To install the slide rail kit hardware on the IPS 4510 and IPS 4520 follow these steps Step 1 Power off the appliance Step 2 Remove the power cable from the appliance Step 3 If your appliance has the fixed cable management brackets do the following a Remove the cable management brackets from the front sides of the appliance b Remove the app...

Page 191: ...ail kit Figure 7 7 shows all of the brackets you need to install on the appliance Figure 7 7 Brackets for the Slide Rail Kit Installing and Removing the Slide Rail Kit After you have installed the slide rail kit hardware you can install the slide rail kit This section describes how to install and remove the slide rail kit for the IPS 4510 and IPS 4520 and contains the following sections Package Co...

Page 192: ...o 10 32 cage nuts Installing the Chassis in the Rack To install the chassis in the rack using the slide rail kit follow these steps Step 1 Press the latch on the end of the slide rail and push forward to engage the pins in the rack until the clip clicks and locks around the rack post Figure 7 8 Note The slide rails are labeled left and right Install the left slide rail on the left side of the rack...

Page 193: ...or square hole posts square studs must be attached fully inside the square hole on the rack rail For threaded hole posts the round stud must fully enter inside the threaded hole rack rail Figure 7 9 Note After installing the square or round studs into the rack post verify that the locking clip is fully seated and secure against the rack rail Figure 7 9 Square Studs for Square Hole Post 330561 ...

Page 194: ...e rail to the rack post with the provided 10 32 screws by tightening the screws at the front and rear end of the slide rail to the rack post Figure 7 10 Both front and rear rack posts must be secured with the screws before you install the chassis Caution It is critical that the screws are installed and secured to the front and rear end of the slide rails Figure 7 10 Securing the Slide Rail to the ...

Page 195: ...g and Removing the Slide Rail Kit Step 3 For square hole racks install one 10 32 cage nut on each side of the rack rail Figure 7 11 Leave one square hole spacing above the slide rail The cage nut will be used later to secure the chassis to the rack post For threaded hole racks no additional hardware is needed Figure 7 11 Installing the 10 32 Cage Nuts 332656 ...

Page 196: ...Install the chassis on the outer rail Make sure that the U bars are aligned to the outer rail evenly then push the chassis into the rack Figure 7 12 Caution Before installing the chassis make sure that the slide rails are properly installed and that the perforated holes on the outer slide rail align with the perforated holes on the chassis Figure 7 12 Installing the Chassis on the Outer Rail 33056...

Page 197: ... screws to secure the chassis to the rack Figure 7 13 Use the upper hole to secure the chassis to the rack a For square hole racks secure the chassis to the rack by installing the 10 32 screw into the cage nut that you installed in Step 3 b For threaded hole racks secure the front of the chassis by installing the 10 32 screws into the rack threaded hole Figure 7 13 Securing the Chassis to the Oute...

Page 198: ...10 and IPS 4520 Installing and Removing the Slide Rail Kit Removing the Chassis from the Rack To remove the chassis from the rack follow these steps Step 1 Remove the screws from the front brackets of the rail post Figure 7 14 Figure 7 14 Removing the Screws from the Outer Rail Step 2 Pull out the chassis to the locked position 330599 ...

Page 199: ...stallation Guide for IPS 7 1 OL 24002 01 Chapter 7 Installing the IPS 4510 and IPS 4520 Installing and Removing the Slide Rail Kit Step 3 Press down the release hook to remove the chassis from the rack Figure 7 15 Figure 7 15 Pressing Down the Release Hook 330564 ...

Page 200: ...ount If you are not able to use the slide rail kit in your rack installation an optional fixed rack mount solution is available You can install fixed front and rear rack mount brackets on the ASA 5585 X so that you can easily mount it in a rack The IPS 4510 and the IPS 4520 ship with front rack mount brackets so that you can easily mount them in a rack To install the rack mount brackets on the sen...

Page 201: ...onal Repeat the procedure to attach the second bracket to the other side of the chassis Step 8 Optional Measure the distance between the front and rear rack rails and select the proper slide mount brackets Note The slide mount brackets let you install the rear of the chassis to the rear rack rails The brackets are designed to slide within the installed rear brackets and accommodate a range of rack...

Page 202: ... slide brackets to the corresponding holes in the rear rack rail using the screws provided Step 12 Reattach the power cable to the sensor Step 13 Power on the sensor 331822 PW R BO OT AL AR M AC T VP N PS 1 HD D1 PS 0 HD D0 USB RESET 0 SFP1 SFP0 1 0 1 2 3 4 5 6 7 MGMT 0 1 AUX CONSOLE PW R BO OT AL AR M AC T VP N PS 1 HD D1 PS 0 HD D0 USB RESET 0 SFP3 SFP2 SFP1 SFP0 1 0 1 2 3 4 5 MGMT 0 1 AUX CONSO...

Page 203: ...Step 2 Remove the power cable from the sensor Step 3 Position the cable management brackets on the front side of the sensor and line up the bracket screws with the screw holes on the sensor Figure 7 17 shows the cable management bracket for the fixed rack mount and Figure 7 18 on page 7 34 shows the cable management bracket for the slide rail Figure 7 17 Cable Management Brackets for the Fixed Rac...

Page 204: ...rm the following actions to troubleshoot loose connections on sensors Make sure all power cords are securely connected Make sure all cables are properly aligned and securely connected for all external and internal components Remove and check all data and power cables for damage Make sure no cables have bent pins or damaged connectors Make sure each device is properly seated If a device has latches...

Page 205: ... communicate with the SwitchApp Additionally the SwitchApp implements the following Detects bypass When the SensorApp is not monitoring the SwitchApp places the switch in bypass mode and then back to inspection mode once the SensorApp is up and running normally Collects port statistics The SwitchApp monitors the switch and collects statistics on the external interfaces of the switch for reporting ...

Page 206: ...7 36 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Chapter 7 Installing the IPS 4510 and IPS 4520 IPS 4500 Series Sensors and the SwitchApp ...

Page 207: ...ndicators page 8 5 Installation and Removal Instructions page 8 5 Installation Notes and Caveats Pay attention to the following installation notes and caveats before installing the ASA 5500 AIP SSM Note Read through the entire guide before beginning any of the installation procedures Warning Only trained and qualified personnel should install replace or service this equipment Statement 49 Caution ...

Page 208: ...acking host log the incident and send an alert to the device manager There are three models of the ASA 5500 AIP SSM ASA SSM AIP 10 K9 Supports 150 Mbps of IPS throughput when installed in ASA 5510 Supports 225 Mbps of IPS throughput when installed in ASA 5520 ASA SSM AIP 20 K9 Supports 375 Mbps of IPS throughput when installed in ASA 5520 Supports 500 Mbps of IPS throughput when installed in ASA 5...

Page 209: ...server securely Figure 8 2 DMZ Configuration In Figure 8 2 an HTTP client 10 10 10 10 on the inside network initiates HTTP communications with the DMZ web server 30 30 30 30 HTTP access to the DMZ web server is provided for all clients on the Internet all other communications are denied The network is configured to use an IP pool a range of IP addresses available to the DMZ interface of addresses ...

Page 210: ...P 10 K9 ASA 5520 ASA SSM AIP 10 K9 and ASA SSM AIP 20 K9 ASA 5540 ASA SSM AIP 20 K9 Cisco Adaptive Security Appliance Software 7 0 or later Cisco Intrusion Prevention System Software 5 0 2 or later DES or 3DES enabled Table 8 1 ASA 5500 AIP SSM Specifications Specification Description Dimensions H x W x D 1 70 x 6 80 x 11 00 inches Weight Minimum 2 50 lb Maximum 3 00 lb1 1 2 70 lb for 45 c heatsin...

Page 211: ...ASA 5500 AIP SSM page 8 7 Installing the ASA 5500 AIP SSM To install the ASA 5500 AIP SSM for the first time follow these steps Step 1 Power off the adaptive security appliance Step 2 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin Attach the other end to the chassis 148402 P W R S T A T U S S P E E D L I N K A C T 1 2 3 4 Table 8 3 ...

Page 212: ...ine using the show module 1 command Step 8 Initialize the ASA 5500 AIP SSM Step 9 Install the most recent Cisco IPS software Step 10 Configure the ASA 5500 AIP SSM to receive IPS traffic For More Information For more information about ESD see Working in an ESD Environment page 2 4 For the procedure for verifying that the ASA 5500 AIP SSM is properly installed see Verifying the Status of the ASA 55...

Page 213: ... 5500 AIP SSM is shutting down Down The ASA 5500 AIP SSM is shut down Recover The ASA 5500 AIP SSM is attempting to download a recovery image To verify the status of the ASA 5500 AIP SSM follow these steps Step 1 Log in to the adaptive security appliance Step 2 Verify the status of ASA 5500 AIP SSM If the status reads Up the ASA 5500 AIP SSM has been properly installed asa show module 1 Mod Card T...

Page 214: ...sert the new ASA 5500 AIP SSM through the slot opening Note Do not replace the ASA 5500 AIP SSM with a different model The the adaptive security appliance will not recognize it Step 9 Attach the screws to secure the ASA 5500 AIP SSM to the chassis Step 10 Power on the adaptive security appliance Step 11 Reset the ASA 5500 AIP SSM asa hw module module 1 reset Reset module in slot 1 confirm Step 12 ...

Page 215: ... 5585 X IPS SSP page 9 13 Warning Only trained and qualified personnel should install replace or service this equipment Statement 49 Installation Notes and Caveats Pay attention to the following installation notes and caveats before installing the ASA 5585 X IPS SSP Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5585 X Adaptive Security Appliance doc...

Page 216: ...y management and monitoring through an intuitive easy to use web based management interface The IDM is a Java Web Start application that enables you to configure and manage your ASA 5585 X IPS SSP The IDM is bundled with IPS 7 1 You can access it through Internet Explorer or Firefox web browsers IME The Intrusion Prevention System Manager Express IME 7 1 also supports the ASA 5585 X IPS SSP The IM...

Page 217: ...supply configuration The SSP 40 with IPS SSP 40 has four CPUs 12 DIMM modules six embedded crypto accelerators and four dual port 10 GB uplinks for the SFP SFP interfaces ASA 5585 X SSP 60 With IPS SSP 60 The ASA 5585 X SSP 60 with IPS SSP 60 provides firewall VPN support intrusion prevention system protection and 20 interfaces 4 SFP SFP and 16 copper Gigabit Ethernet The SSP 60 with IPS SSP 60 sh...

Page 218: ...This section describes the front features and indicators of the ASA 5585 X IPS SSP The SFP and SFP modules are optional and not included with the ASA 5585 X IPS SSP You can purchase them separately For 10 Gb you need SFP For 1 Gb you need SFP The two ports are the same but you can only use 10 Gb if you buy a license Otherwise the ports are restricted to 1 Gb The ports are always 10 GB enabled for ...

Page 219: ...indicators 5 TenGigabitEthernet 0 1 10 Gb fiber SFP or SFP 13 Auxiliary port RJ45 6 TenGigabitEthernet 0 0 1 Gb fiber SFP or SFP 14 Console port RJ45 7 GigabitEthernet 1 0 through 1 7 from right to left 1 Gb copper RJ45 15 Eject2 2 Reserved for future use for OIR 8 Management 0 1 GigabitEthernet RJ45 1 ASA 5585 X IPS SSP slot 1 10 Management 1 1 GigabitEthernet RJ45 2 SSP slot 0 11 Management 1 0 ...

Page 220: ... 1 7 10 Gb fiber SFP or SFP 16 Console port RJ45 8 TenGigabitEthernet 0 6 SSP in slot 2 TenGigabitEthernet 1 6 ASA 5585 X IPS SSP in slot 1 1 Gb fiber SFP or SFP 17 Eject2 9 GigabitEthernet 0 0 through 0 5 SSP in slot 2 GigabitEthernet 1 0 through 1 5 ASA 5585 X IPS SSP in slot 1 from right to left 1 Gb copper RJ45 1 Hard disk drives are not supported at this time The hard disk drive bays are empt...

Page 221: ...d at a later date Indicates whether a component has failed Off No alarm Flashing yellow Critical alarm Major failure of hardware component or software module temperature over the limit power out of tolerance or OIR is ready to remove the module 2 2 OIR is not available at this time ACT Indicates the status of an HA pair Green Status of an HA pair VPN Indicates whether a VPN tunnel has been establi...

Page 222: ...th IPS SSP 60 72 GB DRAM Table 9 3 Ethernet Port Indicators Indicator Description Gigabit Ethernet RJ45 Left side Green Physical activity Flashing green Network activity Right side Not lit 10 Mbps Green 100 Mbps Amber 1000 Mbps 10 Gigabit Ethernet Fiber SFP 1 Gigabit Ethernet Fiber SFP Left side Off No 10 Gigabit Ethernet physical link Green 10 Gigabit Ethernet physical link Flashing green1 Networ...

Page 223: ...mple if you have the ASA 5585 X with SSP 10 you can only install the IPS SSP 10 The ASA 5585 X IPS SSP will not run without the core SSP installed You must install the ASA 5585 X IPS SSP in the upper slot slot 1 and the core SSP in the bottom slot slot 0 You must power off the ASA 5585 X to remove and install SSPs The SSPs are not hot swappable To install the ASA 5585 X IPS SSP in the ASA 5585 X f...

Page 224: ...e the ASA 5585 X IPS SSP in to the slot until it is seated and push the ejection levers back in to place Step 6 Tighten the screws Step 7 Reconnect the power cable to the ASA 5585 X Step 8 Power on the ASA 5585 X Step 9 Verify that the PWR indicator on the front panel is green You can also verify that the ASA 5585 X IPS SSP is online using the show module 1 command Step 10 Initialize the ASA 5585 ...

Page 225: ...e four SFP SFP ports If you are using the fiber ports you need an SFP module for 10 Gigabit Ethernet a license may be required or an SFP module for 1 Gigabit Ethernet SFP or SFP modules are not included Note Make sure the ASA software version that is installed on your ASA 5585 X supports the network module Refer to the Release Notes for your ASA software version to verify that the network module i...

Page 226: ...FP Modules page 9 9 Verifying the Status of the ASA 5585 X IPS SSP You can use the show module 1 command to verify that the ASA 5585 X IPS SSP is up and running The following values are valid for the Status field Initializing The ASA 5585 X IPS SSP is being detected and the control communication is being initialized by the system Up The ASA 5585 X IPS SSP has completed initialization by the system...

Page 227: ...0c 1 0 2 0 7 0 7 1 3 E4 Mod SSM Application Name Status SSM Application Version 1 IPS Up 7 1 3 E4 Mod Status Data Plane Status Compatibility 1 Up Up If the status reads Up the ASA 5585 X IPS SSP has been properly installed Removing and Replacing the ASA 5585 X IPS SSP To remove and replace the ASA 5585 X IPS SSP in the ASA 5585 X follow these steps Step 1 Shut down the ASA 5585 X IPS SSP asa hw mo...

Page 228: ...tall it by lining it up with the module slot making sure the ejection levers are extended Note The ASA 5585 X IPS SSP must be at the same level as the ASA 5585 X SSP model for example if you have the ASA 5585 X SSP 10 you can only install the ASA 5585 X IPS SSP 10 Step 10 Slide the ASA 5585 X IPS SSP in to the slot until it is seated and push the ejection levers back in to place 1 ASA 5585 X IPS S...

Page 229: ...to the ASA 5585 X Step 13 Power on the ASA 5585 X Step 14 Verify that the PWR indicator on the front panel is green You can also verify that the ASA 5585 X IPS SSP is online using the show module 1 command For More Information For the procedure for using the show module 1 command see Verifying the Status of the ASA 5585 X IPS SSP page 9 12 For detailed information about the ASA 5585 X refer to Cis...

Page 230: ...16 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Chapter 9 Installing and Removing the ASA 5585 X IPS SSP Removing and Replacing the ASA 5585 X IPS SSP ...

Page 231: ...vice The service role does not have direct access to the CLI Service account users are logged directly into a bash shell Use this account for support and troubleshooting purposes only Unauthorized modifications are not supported and will require the sensor to be reimaged to guarantee proper operation You can create only one user with the service role When you log in to the service account you rece...

Page 232: ...ssword twice login cisco Password NOTICE This product contains cryptographic features and is subject to United States and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply third party authority to import export distribute or use encryption Importers exporters distributors and users are responsible for compliance with U S and local c...

Page 233: ...le port on the appliance to a port on the terminal server Step 2 Configure the line and port on the terminal server In enable mode enter the following configuration where is the line number of the port to be configured config t line login transport input all stopbits 1 flowcontrol hardware speed 9600 exit exit wr mem Step 3 Be sure to properly close a terminal session to avoid unauthorized access ...

Page 234: ... login cisco Password NOTICE This product contains cryptographic features and is subject to United States and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply third party authority to import export distribute or use encryption Importers exporters distributors and users are responsible for compliance with U S and local country laws ...

Page 235: ...login cisco Password NOTICE This product contains cryptographic features and is subject to United States and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply third party authority to import export distribute or use encryption Importers exporters distributors and users are responsible for compliance with U S and local country laws B...

Page 236: ...re prompted to change them the first time you log in to the module You must first enter the UNIX password which is cisco Then you must enter the new password twice login cisco Password NOTICE This product contains cryptographic features and is subject to United States and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply third party...

Page 237: ... Password NOTICE This product contains cryptographic features and is subject to United States and local country laws governing import export transfer and use Delivery of Cisco cryptographic products does not imply third party authority to import export distribute or use encryption Importers exporters distributors and users are responsible for compliance with U S and local country laws By using thi...

Page 238: ...A 8 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Appendix A Logging In to the Sensor Logging In to the Sensor ...

Page 239: ...ust use the setup command to initialize it so that you can communicate with it over the network You cannot use the IDM or the IME to configure the sensor until you initialize the sensor using the setup command With the setup command you configure basic sensor settings including the hostname IP interfaces access control lists global correlation servers and time settings You can continue using advan...

Page 240: ...to the option that you want to change To accept default settings for items that you do not want to change press Enter To return to the EXEC prompt without making changes and without going through the entire System Configuration Dialog press Ctrl C The System Configuration Dialog also provides help text for each prompt To access the help text enter at a prompt When you complete your changes the Sys...

Page 241: ...D 1 NTP Key Value 8675309 Participation in the SensorBase Network allows Cisco to collect aggregated statistics about traffic sent to your IPS SensorBase Network Participation level off full If you agree to participate in the SensorBase Network Cisco will collect aggregated statistics about traffic sent to your IPS This includes summary data on the Cisco IPS network traffic properties and how this...

Page 242: ...s not be a dictionary word After you change the password basic setup begins Step 3 Enter the setup command The System Configuration Dialog is displayed Step 4 Specify the hostname The hostname is a case sensitive character string up to 64 characters Numbers _ and are valid but spaces are not acceptable The default is sensor Step 5 Specify the IP interface The IP interface is in the form of IP Addr...

Page 243: ...tings Valid entries are first second third fourth fifth and last The default is second e Specify the day you want to start summertime settings Valid entries are sunday monday tuesday wednesday thursday friday and saturday The default is sunday f Specify the time you want to start summertime settings The default is 02 00 00 Note The default recurring summertime parameters are correct for time zones...

Page 244: ...to the SensorBase Network except the attacker victim IP addresses that you exclude The SensorBase Network Participation disclaimer appears It explains what is involved in participating in the SensorBase Network Step 10 Enter yes to participate in the SensorBase Network The following configuration was entered service host network settings host ip 192 168 1 2 24 192 168 1 1 host name sensor telnet o...

Page 245: ... Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 7 1 Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7 1 Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7 1 Advanced Setup This section describes how to continue with Advanced Setup in the CLI for the various Cisco IPS platforms It contains the following sections Adv...

Page 246: ...ption by default Setting the port to 80 does not disable the encryption Step 7 Enter yes to modify the interface and virtual sensor configuration and to see the current interface configuration Current interface configuration Command control Management0 0 Unassigned Promiscuous GigabitEthernet0 0 GigabitEthernet0 1 GigabitEthernet0 2 GigabitEthernet0 3 Virtual Sensor vs0 Anomaly Detection ad0 Event...

Page 247: ...or example Inline Vlan Pairs for GigabitEthernet0 0 None Step 11 Enter a subinterface number and description Subinterface Number Description Created via setup by user asmith Step 12 Enter numbers for VLAN 1 and 2 Vlan1 200 Vlan2 300 Step 13 Press Enter to return to the available interfaces menu Note Entering a carriage return at a prompt without a value returns you to the previous menu 1 GigabitEt...

Page 248: ...ups 6 Modify interface default vlan Option Step 18 Press Enter to return to the top level editing menu 1 Edit Interface Configuration 2 Edit Virtual Sensor Configuration 3 Display configuration Option Step 19 Enter 2 to edit the virtual sensor configuration 1 Remove virtual sensor 2 Modify vs0 virtual sensor configuration 3 Create new virtual sensor Option Step 20 Enter 2 to modify the virtual sen...

Page 249: ...rating alerts If you do not want this protection disable automatic threat prevention Virtual sensor newVs is configured to prevent high risk threats in inline mode Risk Rating 90 100 Virtual sensor vs0 is configured to prevent high risk threats in inline mode Risk Rating 90 100 Do you want to disable automatic threat prevention on all virtual sensors no Step 26 Enter yes to disable automatic threa...

Page 250: ...y detection name ad0 operational mode inactive exit physical interface GigabitEthernet0 0 exit virtual sensor vs0 physical interface GigabitEthernet0 0 subinterface number 1 logical interface newPair service event action rules rules0 overrides deny packet inline override item status Disabled risk rating range 90 100 exit exit 0 Go to the command prompt without saving this config 1 Return back to t...

Page 251: ...unt with administrator privileges asa session 1 Step 2 Enter the setup command The System Configuration Dialog is displayed Press Enter or the spacebar to skip to the menu to access advanced setup Step 3 Enter 3 to access advanced setup Step 4 Specify the Telnet server status You can disable or enable Telnet services The default is disabled Step 5 Specify the SSHv1 fallback setting The default is ...

Page 252: ...to modify the virtual sensor vs0 configuration Virtual Sensor vs0 Anomaly Detection ad0 Event Action Rules rules0 Signature Definitions sig0 No Interfaces to remove Unassigned Monitored 1 GigabitEthernet0 1 Add Interface Step 12 Enter 1 to add GigabitEthernet 0 1 to virtual sensor vs0 Note Multiple virtual sensors are supported The adaptive security appliance can direct packets to specific virtual...

Page 253: ... virtual sensor 2 Modify newVs virtual sensor configuration 3 Modify vs0 virtual sensor configuration 4 Create new virtual sensor Option Step 20 Press Enter to exit the interface and virtual sensor configuration menu Modify default threat prevention settings no Step 21 Enter yes if you want to modify the default threat prevention settings Note The sensor comes with a built in override to add the d...

Page 254: ...eturn back to the setup without saving this config 2 Save this configuration and exit setup Step 23 Enter 2 to save the configuration Enter your selection 2 2 Configuration Saved Step 24 Reboot the ASA 5500 AIP SSM aip ssm reset Warning Executing this command will stop all applications and reboot the node Continue with reset Step 25 Enter yes to continue the reboot Step 26 After reboot log in to t...

Page 255: ...with administrator privileges asa session ips Step 2 Enter the setup command The System Configuration Dialog is displayed Press Enter or the spacebar to skip to the menu to access advanced setup Step 3 Enter 3 to access advanced setup Step 4 Specify the Telnet server status You can disable or enable Telnet services The default is disabled Step 5 Specify the SSHv1 fallback setting The default is en...

Page 256: ...1 Enter 2 to modify the virtual sensor vs0 configuration Virtual Sensor vs0 Anomaly Detection ad0 Event Action Rules rules0 Signature Definitions sig0 No Interfaces to remove Unassigned Monitored 1 PortChannel 0 0 Add Interface Step 12 Enter 1 to add PortChannel 0 0 to virtual sensor vs0 Note Multiple virtual sensors are supported The adaptive security appliance can direct packets to specific virt...

Page 257: ...al sensor 2 Modify newVs virtual sensor configuration 3 Modify vs0 virtual sensor configuration 4 Create new virtual sensor Option Step 20 Press Enter to exit the interface and virtual sensor configuration menu Modify default threat prevention settings no Step 21 Enter yes if you want to modify the default threat prevention settings Note The sensor comes with a built in override to add the deny pa...

Page 258: ...n back to the setup without saving this config 2 Save this configuration and exit setup Step 23 Enter 2 to save the configuration Enter your selection 2 2 Configuration Saved Step 24 Reboot the ASA 5500 X IPS SSP asa ips reset Warning Executing this command will stop all applications and reboot the node Continue with reset Step 25 Enter yes to continue the reboot Step 26 After reboot log in to the...

Page 259: ... account with administrator privileges asa session 1 Step 2 Enter the setup command The System Configuration Dialog is displayed Press Enter or the spacebar to skip to the menu to access advanced setup Step 3 Enter 3 to access advanced setup Step 4 Specify the Telnet server status You can disable or enable Telnet services The default is disabled Step 5 Specify the SSHv1 fallback setting The defaul...

Page 260: ...1 Enter 2 to modify the virtual sensor vs0 configuration Virtual Sensor vs0 Anomaly Detection ad0 Event Action Rules rules0 Signature Definitions sig0 No Interfaces to remove Unassigned Monitored 1 PortChannel0 0 Add Interface Step 12 Enter 1 to add PortChannel 0 0 to virtual sensor vs0 Note Multiple virtual sensors are supported The adaptive security appliance can direct packets to specific virtu...

Page 261: ...tual sensor 2 Modify newVs virtual sensor configuration 3 Modify vs0 virtual sensor configuration 4 Create new virtual sensor Option Step 20 Press Enter to exit the interface and virtual sensor configuration menu Modify default threat prevention settings no Step 21 Enter yes if you want to modify the default threat prevention settings Note The sensor comes with a built in override to add the deny ...

Page 262: ...this configuration and exit setup Step 23 Enter 2 to save the configuration Enter your selection 2 2 Configuration Saved Step 24 Reboot the ASA 5585 X IPS SSP ips ssp reset Warning Executing this command will stop all applications and reboot the node Continue with reset Step 25 Enter yes to continue the reboot Step 26 After reboot log in to the sensor and display the self signed X 509 certificate ...

Page 263: ...urrent configuration last modified Tue Nov 01 10 40 39 2011 Version 7 1 3 Host Realm Keys key1 0 Signature Definition Signature Update S581 0 2011 07 11 service interface exit service authentication permit packet logging true exit service event action rules rules0 exit service host network settings host ip 192 168 1 2 24 192 168 1 1 host name sensor telnet option enabled access list 0 0 0 0 0 dns ...

Page 264: ...5122675278103455 02382074147081976580477367448761372704018006749147530115354456086472735887860780 20923203565649165402391893192805445031000304938986412742328940379711869015427 exit exit service trusted certificates exit service web server exit service anomaly detection ad0 exit service external product interface exit service health monitor exit service global correlation exit service aaa exit serv...

Page 265: ...allation Guide for IPS 7 1 OL 24002 01 Appendix B Initializing the Sensor Verifying Initialization Step 4 Write down the certificate fingerprints You need the fingerprints to check the authenticity of the certificate when connecting to this sensor with a web browser ...

Page 266: ...B 28 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Appendix B Initializing the Sensor Verifying Initialization ...

Page 267: ...wnload Software site on Cisco com Signature updates are posted to Cisco com approximately every week more often if needed Service packs are posted to Cisco com in a release train format a new release every three months Major and minor updates are also posted periodically Check Cisco com regularly for the latest IPS software You must have an account with cryptographic access before you can download...

Page 268: ...n Authorization form before you can download the software a Fill out the form and click Submit The Cisco Systems Inc Encryption Software Usage Handling and Distribution Policy appears b Read the policy and click I Accept The Encryption Software Export Distribution Form appears If you previously filled out the Encryption Software Export Distribution Authorization form and read and accepted the Cisc...

Page 269: ...ates on the previous major or minor version and often even on earlier versions The minimum supported version needed to upgrade to the newest minor version is listed in the Readme that accompanies the minor update With each minor update there are corresponding system and recovery packages Service Pack A service packs is cumulative following a base version release minor or major Service packs are re...

Page 270: ...ture updates on the new version and the next oldest version for a period of at least six months Signature updates are dependent on a required signature engine version Because of this a req designator lists the signature engine required to support a particular signature update Figure C 3 illustrates what each part of the IPS software file represents for signature updates Figure C 2 IPS Software Fil...

Page 271: ...hanges to the image installer for example switching from tar to rpm or changing kernels The minor version can be incremented by any one of the following Minor change to the installer for example a user prompt added Repackages require the installer minor version to be incremented by one if the image file must be repackaged to address a defect or problem with the installer Figure C 4 illustrates wha...

Page 272: ...es and or minor version functionality Annually 7 1 1 IPS identifier K9 7 1 2 E4 pkg Major version update5 5 Major versions include new major version functionality or new architecture Annually 8 0 1 IPS identifier K9 8 0 1 E4 pkg Patch release6 6 Patch releases are for interim fixes As needed patch 7 2 1p1 IPS identifier K9 patch 7 2 1pl E4 pkg Recovery package7 7 The r 1 1 can be revised to r 1 2 ...

Page 273: ...Cisco com follow these steps Step 1 Log in to Cisco com Step 2 Click Support Step 3 Under Support at the bottom of the page click Documentation Step 4 Choose Products Security Intrusion Prevention System IPS IPS Appliances Cisco IPS 4200 Series Sensors The Cisco IPS 4200 Series Sensors page appears All of the most up to date IPS documentation is on this page Table C 3 Platform Identifiers Sensor F...

Page 274: ...o has reports on other security topics that help you protect your network and deploy your security systems to reduce organizational risk You should be aware of the most recent security threats so that you can most effectively secure and manage your network Cisco Security Intelligence Operations contains the top ten intelligence reports listed by date severity urgency and whether there is a new sig...

Page 275: ...ded in a local file Go to http www cisco com go license and click IPS Signature Subscription Service to apply for a license key You can view the status of the license key in these places The IDM Home window Licensing section on the Health tab The IDM Licensing pane Configuration Licensing The IME Home page in the Device Details section on the Licensing tab License Notice at CLI login Whenever you ...

Page 276: ... for IPS provides IPS signature updates operating system updates access to Cisco com access to TAC and hardware replacement NBD on site For example if you purchase an ASA 5585 X and then later want to add IPS and purchase an ASA IPS10 K9 you must now purchase the Cisco Services for IPS service contract After you have the Cisco Services for IPS service contract you must also have your product seria...

Page 277: ...to connect to Cisco com An Information dialog box confirms that the license key has been updated Step 6 Click OK Step 7 Log in to Cisco com Step 8 Go to www cisco com go license Step 9 Fill in the required fields Your license key will be sent to the e mail address you specified Caution You must have the correct IPS device serial number and product identifier PID because the license key only functi...

Page 278: ...he syntax for this prefix is scp username location relativeDirectory filename scp username location absoluteDirectory filename Note You are prompted for a password You must add the remote host to the SSH known hosts list http Source URL for the web server The syntax for this prefix is http username location directory filename Note The directory specification should be an absolute path to the desir...

Page 279: ...tem Version 7 1 3 E4 Host Realm Keys key1 0 Signature Definition Signature Update S605 0 2011 10 25 OS Version 2 6 29 1 Platform ASA5585 SSP IPS10 Serial Number 123456789AB No license present Sensor up time is 12 days Using 4395M out of 5839M bytes of available memory 75 usage system is using 26 2M out of 160 0M bytes of available disk space 16 usage application data is using 69 6M out of 171 6M b...

Page 280: ...your IPS 4270 20 follow these steps Step 1 Log in to Cisco com Step 2 Go to www cisco com go license Step 3 Under Licenses Not Requiring a PAK click Demo and Evaluation licenses Step 4 Under Security Products Cisco Services for IPS service license Version 6 1 and later click All IPS Hardware Platforms Step 5 Fill in the required fields Your license key will be sent to the email address you specifi...

Page 281: ...ue to the optional setup choices sensor model and IPS 7 1 version you have installed Use the erase license key command to uninstall the license key on your sensor This allows you to delete an installed license key from a sensor without restarting the sensor or logging into the sensor using the service account Uninstalling the license key is supported in IPS 7 1 3 E4 and later To uninstall the lice...

Page 282: ...ce 94 usage application log is using 494 0M out of 513 0M bytes of available disk space 96 usage MainApp S 2012_APR_26_07_45_7_1_4_68 Release 2012 04 26T07 48 4 3 0500 Running AnalysisEngine S 2012_APR_26_07_45_7_1_4_68 Release 2012 04 26T07 48 4 3 0500 Running CollaborationApp S 2012_APR_26_07_45_7_1_4_68 Release 2012 04 26T07 48 4 3 0500 Running CLI S 2012_APR_26_07_45_7_1_4_68 Release 2012 04 2...

Page 283: ...veats when upgrading your sensor Anomaly detection has been disabled by default in IPS 7 1 2 E4 and later If you did not configure the operation mode manually before the upgrade it defaults to inactive after you upgrade to IPS 7 1 2 E4 or later If you configured the operation mode to detect learn or inactive the tuned value is preserved after the upgrade You must have a valid maintenance contract ...

Page 284: ...reimage the sensor Note You cannot downgrade the sensor using the recovery partition To downgrade to an earlier version you must install the appropriate system image file img file Note During a signature upgrade all signature configurations are retained both the signature tunings as well as the custom signatures During a signature downgrade the current signature configuration is replaced with the ...

Page 285: ...guring automatic updates see Configuring Automatic Upgrades page D 7 Upgrading the Sensor This section explains how to use the upgrade command to upgrade the software on the sensor It contains the following topics IPS 7 1 Upgrade Files page D 3 Upgrade Notes and Caveats page D 4 Manually Upgrading the Sensor page D 4 Upgrading the Recovery Partition page D 6 IPS 7 1 Upgrade Files The currently sup...

Page 286: ... time you download software on Cisco com you receive instructions for setting up an account with cryptographic privileges Note Do not change the filename You must preserve the original filename for the sensor to accept the update Use the upgrade source url command to apply service pack signature update engine update minor version major version or recovery partition file upgrades The following opti...

Page 287: ...count with administrator privileges Step 3 Enter configuration mode sensor configure terminal Step 4 Upgrade the sensor sensor config upgrade url IPS SSP_10 K9 7 1 3 E4 pkg The URL points to where the update file is located for example to retrieve the update using FTP enter the following sensor config upgrade ftp username ip_address directory IPS SSP_10 K9 7 1 3 E4 pkg Step 5 Enter the password wh...

Page 288: ... CLI S 2011_NOV_16_00_20_7_1_3_46 Release 2011 11 16T00 23 0 6 0600 Upgrade History IPS K9 7 1 3 E4 00 30 07 UTC Wed Nov 16 2011 Recovery Partition Version 1 1 7 1 3 E4 Host Certificate Valid from 16 Nov 2011 to 16 Nov 2013 sensor For More Information For a list of supported FTP and HTTP HTTPS servers see Supported FTP and HTTP HTTPS Servers page D 3 For the procedure for locating software on Cisc...

Page 289: ... upgrade_path IPS SSP_10 K9 r 1 1 a 7 1 3 E4 pkg sensor config upgrade ftp user server_ipaddress upgrade_path IPS SSP_10 K9 r 1 1 a 7 1 3 E4 pkg Step 5 Enter the server password The upgrade process begins Note This procedure only reimages the recovery partition The application partition is not modified by this upgrade To reimage the application partition after the recovery partition use the recove...

Page 290: ...password Upgrade schedule You must download the software upgrade from Cisco com and copy it to the upgrade directory before the sensor can poll for automatic upgrades For More Information For the procedure for locating software on Cisco com see Obtaining Cisco IPS Software page C 1 Automatically Upgrading the Sensor Use the auto upgrade option enabled command in the service host submode to configu...

Page 291: ...e Specifies the username for server authentication user server Enables automatic upgrades from a user defined server Configuring Automatic Upgrades If you get an unauthorized error message while configuring an automatic update make sure you have the correct ports open on any firewalls between the sensor and Cisco com For example you need port 443 for the initial automatic update connection to www ...

Page 292: ...e ssh host key command to add the server to the SSH known hosts list so the sensor can communicate with it through SSH Step 4 Specify the username for authentication sensor config hos ena user name tester Step 5 Specify the password of the user sensor config hos ena password Enter password Re enter password Step 6 Specify the scheduling a For calendar scheduling starts upgrades at specific times o...

Page 293: ...grading the Sensor Caution You cannot use the downgrade command to revert to a previous major or minor version for example from Cisco IPS 7 1 to 7 0 You can only use the downgrade command to downgrade from the latest signature update or signature engine update To revert to 7 0 you must reimage the sensor Note You cannot downgrade the sensor using the recovery partition To downgrade to an earlier v...

Page 294: ...teps Step 1 Download the recovery partition image file to an FTP HTTP or HTTPS server that is accessible from your sensor Step 2 Log in to the CLI using an account with administrator privileges Step 3 Enter configuration mode sensor configure terminal Note To upgrade the recovery partition the sensor must already be running IPS 7 1 3 E4 Step 4 Recover the application partition image sensor config ...

Page 295: ...alling the IPS 4510 and IPS 4520 System Image page D 20 Installing the ASA 5500 X IPS SSP System Image page D 23 Installing the ASA 5585 X IPS SSP System Image page D 24 Caution All user configuration settings are lost when you install the system image Before trying to recover the sensor by installing the system image try to recover by using the recover application partition command or by selectin...

Page 296: ... servers to remotely manage network equipment including appliances To set up a Cisco terminal server with RJ 45 or hydra cable assembly connections follow these steps Step 1 Connect to a terminal server using one of the following methods For terminal servers with RJ 45 connections connect a rollover cable from the console port on the appliance to a port on the terminal server For hydra cable assem...

Page 297: ...S 4270 20 Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of your IPS 4270 20 Step 2 Boot the IPS 4270 20 Booting system please wait Cisco Systems ROMMON Version 1 0 12 10 7 Thu Jun 21 13 50 04 CDT 2007 ft_id_update Invalid ID PROM Controller Type 0x5df ft_id_update Defaulting to Controller Type 0x5c2 Note The controller type errors are a know...

Page 298: ... local environment contact your system administrator Step 5 If necessary assign an IP address for the local port on the IPS 4270 20 rommon ADDRESS ip_address Note Use the same IP address that is assigned to the IPS 4270 20 Step 6 If necessary assign the TFTP server IP address rommon SERVER ip_address Step 7 If necessary assign the gateway IP address rommon GATEWAY ip_address Step 8 Verify that you...

Page 299: ...the IPS 4270 20 image For More Information For a list of supported TFTP servers see TFTP Servers page D 14 For the procedure for locating software on Cisco com see Obtaining Cisco IPS Software page C 1 Installing the IPS 4345 and IPS 4360 System Images Note This procedure is for IPS 4345 but is also applicable to IPS 4360 The system image for IPS 4360 has 4360 in the filename You can install the I...

Page 300: ... Audio 5 02 01 00 8086 1075 Ethernet 11 03 01 00 177D 0003 Encrypt Decrypt 9 03 02 00 8086 1079 Ethernet 9 03 02 01 8086 1079 Ethernet 9 03 03 00 8086 1079 Ethernet 9 03 03 01 8086 1079 Ethernet 9 04 02 00 8086 1209 Ethernet 11 04 03 00 8086 1209 Ethernet 5 Evaluating BIOS Options Launch BIOS Extension to setup ROMMON Cisco Systems ROMMON Version 1 0 5 0 1 Tue Sep 14 12 20 30 PDT 2004 Platform IPS...

Page 301: ...terface used for the TFTP download Note The default interface used for TFTP downloads is Management 0 0 which corresponds to the MGMT interface of the IPS 4345 rommon PORT interface_name Step 6 If necessary assign an IP address for the local port on the IPS 4345 rommon ADDRESS ip_address Note Use the same IP address that is assigned to the IPS 4345 Step 7 Assign the TFTP server IP address rommon S...

Page 302: ...n use the sync command to store these settings in NVRAM so they are maintained across boots Otherwise you must enter this information each time you want to boot an image from ROMMON Step 12 Download and install the system image rommon tftp Caution To avoid corrupting the system image do not remove power from the IPS 4345 while the system image is being installed Note If the network settings are co...

Page 303: ...onds to press Break or Esc Use BREAK or ESC to interrupt boot Use SPACE to begin boot immediately The system enters ROMMON mode The rommon prompt appears Step 4 Check the current network settings rommon set ROMMON Variable Settings ADDRESS 0 0 0 0 SERVER 0 0 0 0 GATEWAY 0 0 0 0 PORT Management0 0 VLAN untagged IMAGE CONFIG LINKTIMEOUT 20 PKTTIMEOUT 2 RETRY 20 The variables have the following defin...

Page 304: ... define the path and filename on the TFTP file server from which you are downloading the image rommon IMAGE path file_name UNIX Example rommon IMAGE system_images IPS 4510 K9 sys 1 1 a 7 1 4 E4 img Note The path is relative to the UNIX TFTP server default tftpboot directory Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification Window...

Page 305: ...choices sensor model and IPS 7 1 version you have installed To install the system image on the ASA 5500 X IPS SSP follow these steps Step 1 Download the IPS system image file corresponding to your ASA platform to the tftp root directory of a TFTP server that is accessible from your adaptive security appliance Note Make sure you can access the TFTP server location from the network connected to the ...

Page 306: ...While the adaptive security appliance transfers an application image to the ASA 5500 X IPS SSP the Status field in the output reads Recover When the adaptive security appliance completes the image transfer and restarts the ASA 5500 X IPS SSP the newly transferred image is running Note To debug any errors that may happen in the recovery process use the debug module boot command to enable debugging ...

Page 307: ... to transfer the image To install the ASA 5585 X IPS SSP software image follow these steps Step 1 Download the ASA 5585 X IPS SSP system image file to the tftp root directory of a TFTP server that is accessible from your adaptive security appliance Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of your adaptive security appliance Step 2 Log i...

Page 308: ...del ASA5585 SSP IPS40 Hardware version 1 0 Serial Number JAF1350ABSL Firmware version 2 0 1 3 Software version 7 1 3 E4 MAC Address Range 8843 e12f 5414 to 8843 e12f 541f App name IPS App Status Up App Status Desc Normal Operation App version 7 1 3 E4 Data plane Status Up Status Up Mgmt IP addr 192 0 2 0 Mgmt Network mask 255 255 255 0 Mgmt Gateway 10 89 148 254 Mgmt Access List 10 0 0 0 8 Mgmt Ac...

Page 309: ...X IPS SSP system image file to the tftp root directory of a TFTP server that is accessible from your adaptive security appliance Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of your adaptive security appliance Step 2 Boot the ASA 5585 X IPS SSP Booting system please wait CISCO SYSTEMS Embedded BIOS Version 0 0 2 10 11 16 38 04 15 10 Com Kbd...

Page 310: ...e used for the ASA 5585 X IPS SSP management VLAN Specifies the VLAN ID number leave as untagged Image Specifies the system image file path name Config Specifies the unused by these platforms Note Not all values are required to establish network connectivity The address server gateway and image values are required If you are not sure of the settings needed for your local environment contact your s...

Page 311: ...the UNIX TFTP server Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification Windows Example rommon IMAGE system_images IPS SSP_10 K9 sys 1 1 a 7 1 3 E4 img Step 11 Enter set and press Enter to verify the network settings Note You can use the sync command to store these settings in NVRAM so they are maintained across boots Otherwise yo...

Page 312: ...D 30 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Appendix D Upgrading Downgrading and Installing System Images Installing System Images ...

Page 313: ...r page E 15 Advantages and Restrictions of Virtualization page E 17 Supported MIBs page E 18 When to Disable Anomaly Detection page E 19 Troubleshooting Global Correlation page E 19 Analysis Engine Not Responding page E 20 Troubleshooting RADIUS Authentication page E 21 Troubleshooting External Product Interfaces page E 21 Troubleshooting the Appliance page E 22 Troubleshooting the IDM page E 55 T...

Page 314: ...estoring the Configuration File Using a Remote Server page E 3 Creating the Service Account page E 5 Understanding Preventive Maintenance The following actions will help you maintain your sensor Back up a good configuration If your current configuration becomes unusable you can replace it with the backup version Save your backup configuration to a remote system Always back up your configuration be...

Page 315: ...py backup config current config Overwrite the current configuration with the backup configuration sensor copy erase backup config current config Backing Up and Restoring the Configuration File Using a Remote Server Note We recommend copying the current configuration file to a remote server before upgrading Use the copy erase source_url destination_url keyword command to copy the configuration file...

Page 316: ...location directory filename https Source URL for the web server The syntax for this prefix is https username location directory filename Note HTTP and HTTPS prompt for a password if a username is required to access the website If you use HTTPS protocol the remote host must be a TLS trusted host Caution Copying a configuration file from another sensor may result in errors if the sensing interfaces ...

Page 317: ...ation has been restored For More Information For a list of supported HTTP HTTPS servers see Supported FTP and HTTP HTTPS Servers page D 3 Creating the Service Account You can create a service account for TAC to use during troubleshooting Although more than one user can have access to the sensor only one user can have service privileges on a sensor The service account is for support purposes only T...

Page 318: ...rvice Step 4 Specify a password when prompted A valid password is 8 to 32 characters long All characters except space are allowed If a service account already exists for this sensor the following error is displayed and no service account is created Error Only one service account may exist Step 5 Exit configuration mode sensor config exit sensor When you use the service account to log in to the CLI...

Page 319: ...Downgrading and Installing System Images For the procedure for using the setup command to initialize the sensor see Appendix B Initializing the Sensor For more information on obtaining IPS software and how to install it see Obtaining Cisco IPS Software page C 1 For the procedure for using a remote server to copy and restore the a configuration file see Backing Up and Restoring the Configuration Fi...

Page 320: ...cover the password for appliances It contains the following topics Using the GRUB Menu page E 8 Using ROMMON page E 9 Using the GRUB Menu Note You must have a terminal server or direct serial connection to the appliance to use the GRUB menu to recover the password For the IPS 4270 20 IPS 4345 IPS 4360 IPS 4510 and IPS 4520 appliances the password recovery is found in the GRUB menu which appears du...

Page 321: ...o upgrade the sensor the upgrade fails because when the sensor reboots it goes to password recovery confreg 0x7 rather than to the upgrade option To recover the password using the ROMMON CLI follow these steps Step 1 Reboot the appliance Step 2 To interrupt the boot process press ESC or Control R terminal server or send a BREAK command direct connection The boot code either pauses for 10 seconds o...

Page 322: ...ule in slot n does not support password recovery To reset the password on the ASA 5500 X IPS SSP follow these steps Step 1 Log into the adaptive security appliance and enter the following command asa sw module module ips password reset Reset the password on module ips confirm Step 2 Press Enter to confirm Password Reset issued for module ips Step 3 Verify the status of the module Once the status r...

Page 323: ...icable laws and regulations If you are unable to comply with U S and local laws return this product immediately A summary of U S laws governing Cisco cryptographic products may be found at http www cisco com wwl export crypto tool stqrg html If you require further assistance please contact us by sending email to export cisco com LICENSE NOTICE There is no license key installed on this IPS platform...

Page 324: ...w these steps Step 1 Log into the adaptive security appliance and enter the following command asa hw module module 1 password reset Reset the password on module in slot 1 confirm Step 2 Press Enter to confirm Password Reset issued for slot 1 Step 3 Verify the status of the module Once the status reads Up you can session to the ASA 5585 X IPS SSP asa show module 1 Mod Card Type Model Serial No 1 AS...

Page 325: ...port cisco com LICENSE NOTICE There is no license key installed on this IPS platform The system will continue to operate with the currently installed signature set A valid license must be obtained in order to apply signature updates Please go to http www cisco com go license to obtain a new license or install a license ips_ssp Using the ASDM To reset the password in the ASDM follow these steps Ste...

Page 326: ...sing the IDM or IME To disable password recovery in the IDM or IME follow these steps Step 1 Log in to the IDM or IME using an account with administrator privileges Step 2 Choose Configuration sensor_name Sensor Setup Network Step 3 To disable password recovery uncheck the Allow Password Recovery check box Verifying the State of Password Recovery Use the show settings include password command to v...

Page 327: ...Sensor page E 15 Synchronizing IPS Module Clocks with Parent Device Clocks page E 16 Verifying the Sensor is Synchronized with the NTP Server page E 16 Correcting Time on the Sensor page E 17 Time Sources and the Sensor Note We recommend that you use an NTP server to regulate time on your sensor You can use authenticated or unauthenticated NTP For authenticated NTP you must obtain the NTP server I...

Page 328: ...erver the time drift occurs Verifying the Sensor is Synchronized with the NTP Server In IPS you cannot apply an incorrect NTP configuration such as an invalid NTP key value or ID to the sensor If you try to apply an incorrect configuration you receive an error message To verify the NTP configuration use the show statistics host command to gather sensor statistics The NTP statistics section provide...

Page 329: ... Because the offset from UTC has not changed it requires that the UTC time now be 14 01 33 UTC which creates the time stamp problem To ensure the integrity of the time stamp on the event records you must clear the event archive of the older events by using the clear events command Note You cannot remove individual events For More Information For the procedure for clearing events see Clearing Event...

Page 330: ...e sensor CISCO CIDS MIB The CISCO CIDS MIB has been updated to include SNMP health data in IPS 7 1 3 E4 and later CISCO ENHANCED MEMPOOL MIB CISCO ENTITY ALARM MIB You can obtain these private Cisco MIBs under the heading SNMP v2 MIBs at this URL http www cisco com public sw center netmgmt cmtk mibs shtml Note MIB II is available on the sensor but we do not support it We know that some elements ar...

Page 331: ...detection operational mode sensor config ana vir anomaly detection sensor config ana vir ano operational mode inactive sensor config ana vir ano Step 5 Exit analysis engine submode sensor config ana vir ano exit sensor config ana vir exit sensor config ana exit Apply Changes yes Step 6 Press Enter to apply your changes or enter no to discard them For More Information For more information about Wor...

Page 332: ...ed Io ClientPipe failed Error Message Output from show statistics anomaly detection Error getAnomalyDetectionStatistics ct sensorApp 424 not responding please check system processes The connect to the specified Io ClientPipe failed Error Message Output from show statistics denied attackers Error getDeniedAttackersStatistics ct sensorApp 424 not responding please check system processes The connect ...

Page 333: ...eshooting tips For more information on external product interfaces refer to Configuring External Product Interfaces This section contains the following topics External Product Interfaces Issues page E 21 External Product Interfaces Troubleshooting Tips page E 22 External Product Interfaces Issues When the external product interface receives host posture and quarantine events the following issues c...

Page 334: ...t external product interfaces check the following Make sure the interface is active by checking the output from the show statistics external product interface command in the CLI or choose Monitoring Sensor Monitoring Support Information Statistics in the IDM and check the Interface state line in the response or choose Configuration sensor_name Sensor Monitoring Support Information Statistics in th...

Page 335: ... complete link failure if the IPS appliance experiences a power loss critical hardware failure or is rebooted however a link status change still occurs when hardware bypass engages and again when it disengages During engagement the interface card disconnects both physical connections from itself and bridges them together The interfaces of the connected devices can then negotiate the link and traff...

Page 336: ...ceive the following error message if the Analysis Engine is busy sensor show statistics virtual sensor Error getVirtualSensorStatistics Analysis Engine is busy rebuilding regex tables This may take a while sensor When the Analysis Engine is busy rebuilding Regex tables you receive an error message if you try to update a configuration for example enabling or retiring a signature sensor configure te...

Page 337: ... that the sensor management interface is enabled The management interface is the interface in the list with the status line Media Type TX If the Link Status is Down go to Step 3 If the Link Status is Up go to Step 5 sensor show interfaces Interface Statistics Total Packets Received 0 Total Bytes Received 0 Missed Packet Percentage 0 Current Bypass Mode Auto_off MAC statistics from interface Gigabi...

Page 338: ... are in square brackets Current Configuration service host network settings host ip 192 168 1 2 24 192 168 1 1 host name sensor telnet option enabled access list 0 0 0 0 0 ftp timeout 300 no login banner text exit MORE Step 4 Make sure the management port is connected to an active network connection If the management port is not connected to an active network connection the management interface do...

Page 339: ... IP address changing the access list and enabling and disabling Telnet refer to Configuring Network Settings For the various ways to open a CLI session directly on the sensor see Appendix A Logging In to the Sensor Correcting a Misconfigured Access List To correct a misconfigured access list follow these steps Step 1 Log in to the CLI Step 2 View your configuration to see the access list sensor sh...

Page 340: ...es Interface Statistics Total Packets Received 0 Total Bytes Received 0 Missed Packet Percentage 0 Current Bypass Mode Auto_off MAC statistics from interface GigabitEthernet0 1 Media Type backplane Missed Packet Percentage 0 Inline Mode Unpaired Pair Status N A Link Status Up Link Speed Auto_1000 Link Duplex Auto_Full Total Packets Received 0 Total Bytes Received 0 Total Multicast Packets Received...

Page 341: ...Alerts page E 32 Sensor Not Seeing Packets page E 34 Cleaning Up a Corrupted SensorApp Configuration page E 35 The SensorApp Is Not Running The sensing process SensorApp should always be running If it is not you do not receive any alerts The SensorApp is part of the Analysis Engine so you must make sure the Analysis Engine is running To make sure the Analysis Engine is running follow these steps S...

Page 342: ... 13 00 00 include AnalysisEngine evError eventId 1077219258696330005 severity warning originator hostId sensor appName sensorApp appInstanceId 1045 time 2004 02 19 19 34 20 2004 02 19 19 34 20 UTC errorMessage name errUnclassified Generating new Analysis Engine configuration file Note The date and time of the last restart is listed In this example the last restart was on 2 19 2004 at 7 34 Step 4 I...

Page 343: ...Full Total Packets Received 0 Total Bytes Received 0 Total Multicast Packets Received 0 Total Broadcast Packets Received 0 Total Jumbo Packets Received 0 Total Undersize Packets Received 0 Total Receive Errors 0 Total Receive FIFO Overruns 0 Total Packets Transmitted 0 Total Bytes Transmitted 0 Total Multicast Packets Transmitted 0 Total Broadcast Packets Transmitted 0 Total Jumbo Packets Transmit...

Page 344: ...nabled Make sure the signature is not retired Make sure that you have Produce Alert configured as an action Note If you choose Produce Alert but come back later and add another event action and do not add Produce Alert to the new configuration alerts are not sent to the Event Store Every time you configure a signature the new configuration overwrites the old one so make sure you have configured al...

Page 345: ... Received 267581 Total Bytes Received 24886471 Total Multicast Packets Received 0 Total Broadcast Packets Received 0 Total Jumbo Packets Received 0 Total Undersize Packets Received 0 Total Receive Errors 0 Total Receive FIFO Overruns 0 Total Packets Transmitted 57301 Total Bytes Transmitted 3441000 Total Multicast Packets Transmitted 0 Total Broadcast Packets Transmitted 0 Total Jumbo Packets Tran...

Page 346: ...kets Received 0 Total Broadcast Packets Received 0 Total Jumbo Packets Received 0 Total Undersize Packets Received 0 Total Receive Errors 0 Total Receive FIFO Overruns 0 Total Packets Transmitted 0 Total Bytes Transmitted 0 Total Multicast Packets Transmitted 0 Total Broadcast Packets Transmitted 0 Total Jumbo Packets Transmitted 0 Total Undersize Packets Transmitted 0 Total Transmit Errors 0 Tota...

Page 347: ...ticast Packets Transmitted 0 Total Broadcast Packets Transmitted 0 Total Jumbo Packets Transmitted 0 Total Undersize Packets Transmitted 0 Total Transmit Errors 0 Total Transmit FIFO Overruns 0 For More Information For the procedure for installing the sensor properly refer to your sensor chapter in this document Cleaning Up a Corrupted SensorApp Configuration If the SensorApp configuration has bec...

Page 348: ...ccess Issues page E 40 Verifying the Interfaces and Directions on the Network Device page E 41 Enabling SSH Connections to the Network Device page E 42 Blocking Not Occurring for a Signature page E 42 Verifying the Master Blocking Sensor Configuration page E 43 Troubleshooting Blocking After you have configured the ARC you can verify if it is running properly by using the show version command To v...

Page 349: ...nd If the MainApp is not running the ARC cannot run The ARC is part of the MainApp To verify that the ARC is running follow these steps Step 1 Log in to the CLI Step 2 Verify that the MainApp is running sensor show version Application Partition Cisco Intrusion Prevention System Version 7 1 3 E4 Host Realm Keys key1 0 Signature Definition Signature Update S605 0 2011 10 25 OS Version 2 6 29 1 Platf...

Page 350: ...s Active in the statistics follow these steps Step 1 Log in to the CLI Step 2 Verify that the ARC is connecting Check the State section of the output to verify that all devices are connecting sensor show statistics network access Current Configuration LogAllBlockEventsAndSensors true EnableNvramWrite false EnableAclLogging false AllowSensorBlock false BlockMaxEntries 250 MaxDeviceInterfaces 250 Ne...

Page 351: ...able disk space 96 usage MainApp S 2011_NOV_16_00_20_7_1_3_46 Release 2011 11 16T00 23 0 6 0600 Running AnalysisEngine S 2011_NOV_16_00_20_7_1_3_46 Release 2011 11 16T00 23 0 6 0600 Running CollaborationApp S 2011_NOV_16_00_20_7_1_3_46 Release 2011 11 16T00 23 0 6 0600 Running CLI S 2011_NOV_16_00_20_7_1_3_46 Release 2011 11 16T00 23 0 6 0600 Upgrade History IPS K9 7 1 3 E4 00 30 07 UTC Wed Nov 16...

Page 352: ...dress and username and password for the managed devices and the correct interface and direction configured Note SSH devices must support SSH 1 5 The sensor does not support SSH 2 0 To troubleshoot device access issues follow these steps Step 1 Log in to the CLI Step 2 Verify the IP address for the managed devices sensor configure terminal sensor config service network access sensor config net show...

Page 353: ...nsor a Log in to the service account b Telnet or SSH to the network device to verify the configuration c Make sure you can reach the device d Verify the username and password Step 4 Verify that each interface and direction on each network device is correct For More Information For the procedure for verifying the interfaces and directions for each network device see Verifying the Interfaces and Dir...

Page 354: ... the procedure Step 6 Remove the manual block by repeating Steps 1 through 4 except in Step 2 place no in front of the command sensor config net gen no block hosts 10 16 0 0 Enabling SSH Connections to the Network Device If you are using SSH 3DES as the communication protocol for the network device you must make sure you have enabled it on the device To enable SSH 3DES connections to the network d...

Page 355: ...er event action produce alert request block host default produce alert deny connection inline edit default sigs only default signatures only specify service ports no specify tcp max mss no specify tcp min mss no MORE Step 4 Exit signature definition submode sensor config sig sig nor exit sensor config sig sig exit sensor config sig exit Apply Changes yes Step 5 Press Enter to apply the changes or ...

Page 356: ...s to make sure the master blocking sensor is initiating blocks sensor configure terminal sensor config service network access sensor config net general sensor config net gen block hosts 10 16 0 0 Step 5 Exit network access general submode sensor config net gen exit sensor config net exit Apply Changes yes Step 6 Press Enter to apply the changes or type no to discard them Step 7 Verify that the blo...

Page 357: ...ing severity for different logging zones By default debug logging is not turned on If you enable individual zone control each zone uses the level of logging that it is configured for Otherwise the same logging level is used for all zones This section contains the following topics Enabling Debug Logging page E 45 Zone Names page E 49 Directing cidLog Messages to SysLog page E 50 Enabling Debug Logg...

Page 358: ...s master control enable debug true default false individual zone control true default false sensor config log mas Step 10 Exit master zone control sensor config log mas exit Step 11 View the zone names sensor config log show settings master control enable debug false defaulted individual zone control true default false zone control min 0 max 999999999 current 14 protected entry zone name Authentic...

Page 359: ...onfig log zone control IdsEventStore severity error sensor config log show settings master control enable debug true default false individual zone control true default false zone control min 0 max 999999999 current 14 protected entry zone name AuthenticationApp severity warning defaulted protected entry zone name Cid severity debug defaulted protected entry zone name Cli severity warning defaulted...

Page 360: ... max 999999999 current 14 protected entry zone name AuthenticationApp severity warning defaulted protected entry zone name Cid severity debug defaulted protected entry zone name Cli severity warning defaulted protected entry zone name IdapiCtlTrans severity warning defaulted protected entry zone name IdsEventStore severity error default warning protected entry zone name MpInstaller severity warnin...

Page 361: ...ne AuthenticationApp Authentication zone Cid General logging zone Cli CLI zone IdapiCtlTrans All control transactions zone IdsEventStore Event Store zone MpInstaller IDSM 2 master partition installer zone cmgr Card Manager service zone1 1 The Card Manager service is used on the AIP SSM to exchange control and state information between modules in the chassis cplane Control Plane zone2 2 The Control...

Page 362: ...rue because enabled false is the default b Set drain main type syslog The following example shows the logging configuration file timemode local timemode utc logApp enabled true FIFO parameters fifoName logAppFifo fifoSizeInK 240 logApp zone and drain parameters zoneAndDrainName logApp fileName main log fileMaxSizeInK 500 zone Cid severity warning drain main zone IdsEventStore severity debug drain ...

Page 363: ...not occurring for a specific signature follow these steps Step 1 Log in to the CLI Step 2 Make sure the event action is set to TCP reset sensor configure terminal sensor config service signature definition sig0 sensor config sig signatures 1000 0 sensor config sig sig engine atomic ip sensor config sig sig ato event action reset tcp connection produc alert sensor config sig sig ato show settings a...

Page 364: ...6 171 19 32770 172 16 171 13 telnet R 80 80 0 ack 62 win 0 Software Upgrades This section helps in troubleshooting software upgrades It contains the following topics Upgrading and Analysis Engine page E 52 Which Updates to Apply and Their Prerequisites page E 53 Issues With Automatic Update page E 53 Updating a Sensor with the Update Stored on the Sensor page E 54 Upgrading and Analysis Engine Whe...

Page 365: ...version Minor versions require the correct major version Major versions require the previous major version For More Information To understand how to interpret the IPS software filenames see IPS Software Versioning page C 3 Issues With Automatic Update Caution In IPS 7 1 5 E4 and later the default value of the Cisco server IP address has been changed from 198 133 219 25 to 72 163 4 161 in the Auto ...

Page 366: ...sor ultimately rejects the file because the name has changed If necessary run TCPDUMP on automatic update You can compare the successful manual update with the unsuccessful automatic update and troubleshoot from there For More Information For the procedure for creating the service account see Creating the Service Account page E 5 For the procedure for reimaging your sensor see Chapter D Upgrading ...

Page 367: ...llowing topics Cannot Launch IDM Loading Java Applet Failed page E 55 Cannot Launch the IDM the Analysis Engine Busy page E 56 The IDM Remote Manager or Sensing Interfaces Cannot Access the Sensor page E 56 Signatures Not Producing Alerts page E 57 Cannot Launch IDM Loading Java Applet Failed Symptom The browser displays Loading Cisco IDM Please wait At the bottom left corner of the window Loading...

Page 368: ...the Analysis Engine Busy Error Message Error connecting to sensor Failed to load sensor errNotAvailable Analysis Engine is busy Exiting IDM Possible Cause This condition can occur if the Analysis Engine in the sensor is busy getting ready to perform a task and so does not respond to the IDM Recommended Action Wait for a while and try again to connect The IDM Remote Manager or Sensing Interfaces Ca...

Page 369: ...g Telnet on the sensor and configuring the web server refer to Changing Network Settings Signatures Not Producing Alerts Caution You cannot add other actions each time you configure the event actions You are actually replacing the list of event actions every time you configure it so make sure you choose Produce Alert every time you configure event actions If you are not seeing any alerts when sign...

Page 370: ...s for the time synchronization and warns you to correct it if is in wrong The IME also displays a clock warning in Home Devices Device List to warn you about problems with synchronization Recommended Action Change the time settings on the sensor or the IME local server In most cases the time change is required for the sensor because it is configured with the incorrect or default time For More Info...

Page 371: ...t are specific to troubleshooting ASA 5500 AIP SSM Health and Status Information page E 59 Failover Scenarios page E 61 The ASA 5500 AIP SSM and the Normalizer Engine page E 62 The ASA 5500 AIP SSM and the Data Plane page E 63 The ASA 5500 AIP SSM and Jumbo Packet Frame Size page E 63 The ASA 5500 AIP SSM and Jumbo Packets page E 64 TCP Reset Differences Between IPS Appliances and ASA IPS Modules ...

Page 372: ...0 0 7 0 4 1 000b fcf8 0176 to 000b fcf8 0176 0 2 1 0 10 0 5 1 0 1 S153 0 Mod Status 0 Up Sys 1 Up asa config If you have problems with reimaging the ASA 5500 AIP SSM use the debug module boot command to see the output as the module boots Make sure you have the correct IP address for the TFTP server and you have the correct file on the TFTP server Then use the hw module module 1 recover command aga...

Page 373: ...s 1 1 a 5 1 0 1 img Slot 1 172 CONFIG Slot 1 173 LINKTIMEOUT 20 Slot 1 174 PKTTIMEOUT 4 Slot 1 175 RETRY 20 Slot 1 176 tftp IPS SSM K9 sys 1 1 a 5 1 0 1 img 10 89 146 1 via 10 89 149 254 Failover Scenarios The following failover scenarios apply to the ASA in the event of configuration changes signature signature engine updates service packs and SensorApp crashes on the ASA 5500 AIP SSM Single ASA ...

Page 374: ...e pack upgrade failover is triggered and traffic passes through the module that was previously the standby for the ASA 5500 AIP SSM Configuration Examples Use the following configuration for the primary ASA interface GigabitEthernet0 7 description LAN Failover Interface failover failover lan unit primary failover lan interface folink GigabitEthernet0 7 failover interface ip folink 172 27 48 1 255 ...

Page 375: ...nature updates You can check the ASA 5500 AIP SSM data plane status by using the show module command during signature updates Possible Cause Bypass mode is set to off The issue is seen when updating signatures and when you use either CSM or IDM to apply signature updates This issue is not seen when upgrading IPS system software The ASA 5500 AIP SSM and Jumbo Packet Frame Size Refer to the followin...

Page 376: ...ection Inline is selected the ASA sends the TCP reset packet to either the attacker or victim depending on the configuration of the signature Signatures configured to swap the attacker and victim when reporting the alert can cause the ASA to send the TCP reset packet to the attacker For More Information For detailed information about event actions refer to Event Actions IPS Reloading Messages Symp...

Page 377: ... 5500 X IPS SSP and the ASA 5500 X IPS SSP experiences a configuration change or signature signature engine update traffic is passed through the ASA without being inspected If the ASA is configured in fail open mode for the ASA 5500 X IPS SSP and the ASA 5500 X IPS SSP experiences a SensorApp crash or a service pack upgrade traffic is passed through the ASA without being inspected Single ASA 5500 ...

Page 378: ...it primary failover lan interface folink GigabitEthernet0 7 failover interface ip folink 172 27 48 1 255 255 255 0 standby 172 27 48 2 Use the following configuration for the secondary ASA interface GigabitEthernet0 7 description LAN Failover Interface failover failover lan unit secondary failover lan interface folink GigabitEthernet0 7 failover interface ip folink 172 27 48 1 255 255 255 0 standb...

Page 379: ... A disabled Mod ips 238 e1000 0000 00 06 0 PCI INT A disabled Mod ips 239 e1000 0000 00 05 0 PCI INT A disabled Mod ips 240 Restarting system Mod ips 241 machine restart Mod ips 242 IVSHMEM addr 4093640704 size 67108864 Mod ips 243 Booting Cisco IPS Mod ips 244 root hd0 0 Mod ips 245 Filesystem type is ext2fs partition type 0x83 Mod ips 246 kernel ips 2 6 ld ro initfsDev dev hda1 init loader run r...

Page 380: ...000c000 Mod ips 293 5 000000c000 0000011000 PGTABLE 000000c000 0000011000 Mod ips 294 found SMP MP table at ffff8800000f8920 000f8920 Mod ips 295 Zone PFN ranges Mod ips 296 DMA 0x00000000 0x00001000 Mod ips 297 DMA32 0x00001000 0x00100000 Mod ips 298 Normal 0x00100000 0x00201400 Mod ips 299 Movable zone start PFN for each node Mod ips 300 early_node_map 3 active PFN ranges Mod ips 301 0 0x0000000...

Page 381: ...s 352 ACPI Core revision 20081204 Mod ips 353 Setting APIC routing to flat Mod ips 354 TIMER vector 0x30 apic1 0 pin1 0 apic2 1 pin2 1 Mod ips 355 CPU0 Intel QEMU Virtual CPU version 0 12 5 stepping 03 Mod ips 356 Booting processor 1 APIC 0x1 ip 0x6000 Mod ips 357 Initializing CPU 1 Mod ips 358 Calibrating delay using timer specific routine 5585 16 BogoMIPS lpj 2792581 Mod ips 359 CPU L1 I cache 3...

Page 382: ...pci 0000 00 01 3 quirk region b100 b10f claimed by PIIX4 SMB Mod ips 414 IVSHMEM addr 4093640704 size 67108864 Mod ips 415 ACPI PCI Interrupt Link LNKA IRQs 5 10 11 Mod ips 416 ACPI PCI Interrupt Link LNKB IRQs 5 10 11 Mod ips 417 ACPI PCI Interrupt Link LNKC IRQs 5 10 11 Mod ips 418 ACPI PCI Interrupt Link LNKD IRQs 5 10 11 Mod ips 419 SCSI subsystem initialized Mod ips 420 usbcore registered new...

Page 383: ...cpiphp Slot 26 registered Mod ips 478 acpiphp Slot 27 registered Mod ips 479 acpiphp Slot 28 registered Mod ips 480 acpiphp Slot 29 registered Mod ips 481 acpiphp Slot 30 registered Mod ips 482 acpiphp Slot 31 registered Mod ips 483 shpchp Standard Hot Plug PCI Controller Driver version 0 4 Mod ips 484 fakephp Fake PCI Hot Plug Controller Driver Mod ips 485 fakephp pci_hp_register failed with erro...

Page 384: ... 539 ehci_hcd USB 2 0 Enhanced Host Controller EHCI Driver Mod ips 540 ohci_hcd USB 1 1 Open Host Controller OHCI Driver Mod ips 541 uhci_hcd USB Universal Host Controller Interface driver Mod ips 542 Initializing USB Mass Storage driver Mod ips 543 usbcore registered new interface driver usb storage Mod ips 544 USB Mass Storage support registered Mod ips 545 PNP PS 2 Controller PNP0303 KBD PNP0f1...

Page 385: ...er_kvm 0000 00 04 0 PCI INT A Link LNKD GSI 11 level high IRQ Mod ips 597 11 Mod ips 598 Detected cpp_user_kvm device with 33554432 bytes of shared memory Mod ips 599 Device 0 model LCPX8640 cpc T2005 cpe0 None cpe1 None Mod ips 600 Load cidmodcap Mod ips 601 Create node Mod ips 602 ln etc modprobe conf File exists Mod ips 603 Shutting down network ifconfig lo down Mod ips 604 ifconfig lo down Mod...

Page 386: ... normalization Packets on the ASA IPS modules go through a special path in the Normalizer that only reassembles fragments and puts packets in the right order for the TCP stream The Normalizer does not do any of the normalization that is done on an inline IPS appliance because that causes problems in the way the ASA handles the packets The following Normalizer engine signatures are not supported 13...

Page 387: ... Jumbo Packet Frame Size Refer to the following URL for information about ASA 5500 X IPS SSP jumbo packet frame size http www cisco com en US docs security asa asa84 configuration guide interface_start html wp1328 869 Note A jumbo frame is an Ethernet packet that is larger than the standard maximum of 1518 bytes including Layer 2 header and FCS The ASA 5500 X IPS SSP and Jumbo Packets The jumbo pa...

Page 388: ...slog messages similar to the following are observed and the root cause of the message is not clear ASA 1 505013 ASA SSM 10 Module in slot 1 application reloading IPS version 7 1 6 E4 Config Change ASA 1 505013 ASA5585 SSP IPS10 Module in slot 1 application reloading IPS version 7 1 1 E4 Config Change These messages occur once an hour for sensors not actively being configured or more often for sens...

Page 389: ... is configured in fail close mode for the ASA 5585 X IPS SSP and the ASA 5585 X IPS SSP experiences a configuration change or a signature signature engine update traffic is stopped from passing through the ASA If the ASA is configured in fail close mode for the ASA 5585 X IPS SSP and the ASA 5585 X IPS SSP experiences a SensorApp crash or a service pack upgrade traffic is stopped from passing thro...

Page 390: ...all traffic through these ports regardless of whether or not the traffic would have been monitored by the IPS The link on the ports will link down when the ASA 5585 X IPS SSP is reset or shut down Possible Cause Using the ports located on the ASA 5585 X IPS SSP 1 x and resetting or shutting it down via any mechanism Solution Use the ports on the adaptive security appliance 0 x instead because thos...

Page 391: ...us Not Applicable Status Shutting Down asa show module 1 details Getting details from the Service Module please wait Unable to read details from slot 1 ASA 5585 X IPS Security Services Processor 20 with 8GE Model ASA5585 SSP IPS20 Hardware version 1 0 Serial Number ABC1234DEFG Firmware version 2 0 7 0 Software version 7 1 1 E4 MAC Address Range 5475 d029 7f9c to 5475 d029 7fa7 App name IPS App Sta...

Page 392: ... 0 2 3 Mgmt Network mask 255 255 255 0 Mgmt Gateway 192 0 2 254 Mgmt Access List 0 0 0 0 0 Mgmt web ports 443 Mgmt TLS enabled true asa If you have problems with reimaging the ASA 5585 X IPS SSP use the debug module boot command to see the output as it boots Make sure you have the correct IP address for the TFTP server and you have the correct file on the TFTP server Then use the hw module module ...

Page 393: ...AC Address 000b fcf8 0176 Slot 1 165 ROMMON Variable Settings Slot 1 166 ADDRESS 192 0 2 3 Slot 1 167 SERVER 192 0 2 15 Slot 1 168 GATEWAY 192 0 2 254 Slot 1 169 PORT GigabitEthernet0 0 Slot 1 170 VLAN untagged Slot 1 171 IMAGE IPS SSP_10 K9 sys 1 1 a 7 1 0 1 img Slot 1 172 CONFIG Slot 1 173 LINKTIMEOUT 20 Slot 1 174 PKTTIMEOUT 4 Slot 1 175 RETRY 20 Slot 1 176 tftp IPS SSP_10 K9 sys 1 1 a 7 1 0 1 ...

Page 394: ...dules may be larger than expected due to some packets that were almost jumbo size on the wire being counted as jumbo size by the IPS This miscount is a result of header bytes added to the packet by the ASA before the packet is transmitted to the IPS For IPv4 58 bytes of header data are added For IPv6 78 bytes of header data are added The ASA removes the added IPS header before the packet leaves th...

Page 395: ...unning IPS 7 1 or later The common cause for these messages is global correlation and or signature updates occurring on the ASA IPS module that results in these messages being generated for some but not necessarily all of the updates which are attempted every five minutes Workaround None The cause of these messages can be confirmed on the sensor module by reviewing the show events status past comm...

Page 396: ...these steps Step 1 Log in to the CLI Step 2 Show the health and security status of the sensor sensor show health Overall Health Status Red Health Status for Failed Applications Green Health Status for Signature Updates Green Health Status for License Key Expiration Red Health Status for Running in Bypass Mode Green Health Status for Interfaces Being Down Red Health Status for the Inspection Load G...

Page 397: ...ay the next line of output or use the spacebar to display the next page of information destination url Indicates the information should be formatted as HTML and sent to the destination that follows this command If you use this keyword the output is not displayed on the screen destination_url Indicates the information should be formatted as HTML The URL specifies where the information should be sen...

Page 398: ...password for this user account The Generating report message is displayed Tech Support Command Output Note This output example shows the first part of the command and lists the information for the interfaces authentication and the Analysis Engine Note The CLI output is an example of what your configuration may look like It will not match exactly due to the optional setup choices sensor model and I...

Page 399: ...e Statistics Total Packets Received 4285610 Total Bytes Received 548558080 Missed Packet Percentage 0 MAC statistics from interface Management0 0 Interface function Command control interface Description Media Type TX Default Vlan 0 Link Status Up Link Speed Auto_100 Link Duplex Auto_Full Total Packets Received 9584350 Total Bytes Received 986355666 Total Multicast Packets Received 0 Total Receive ...

Page 400: ...n 0 1 1 1 1 1 1 1 2 1 1 1 Average 1 1 1 The rate of TCP connections tracked per second 0 The rate of packets per second 0 The rate of bytes per second 0 Receiver Statistics Total number of packets processed since reset 0 Total number of IP packets processed since reset 0 Transmitter Statistics Total number of packets transmitted 4285631 Total number of packets denied 0 Total number of packets rese...

Page 401: ... information from IME choose Configuration sensor_name Sensor Monitoring Support Information Diagnostics Report Displaying Version Information Use the show version command to display version information for all installed operating system packages signature packages and IPS processes running on the system To view the configuration for the entire system use the more current config command Note The C...

Page 402: ... Running CLI S 2011_NOV_16_00_20_7_1_3_46 Release 2011 11 16T00 23 0 6 0600 Upgrade History IPS K9 7 1 3 E4 00 30 07 UTC Wed Nov 16 2011 Recovery Partition Version 1 1 7 1 3 E4 Host Certificate Valid from 16 Nov 2011 to 16 Nov 2013 sensor Note If the MORE prompt is displayed press the spacebar to see more information or Ctrl C to cancel the output and get back to the CLI prompt Step 3 View configu...

Page 403: ...e trusted certificates exit service web server exit service anomaly detection ad0 exit service external product interface exit service health monitor exit service global correlation exit service aaa exit service analysis engine sensor Statistics Information The show statistics command is useful for examining the state of the sensor services This section describes the show statistics command and co...

Page 404: ...e the show statistics analysis engine anomaly detection authentication denied attackers event server event store external product interface global correlation host logger network access notification os identification sdee server transaction server virtual sensor web server clear command to display statistics for each sensor application Use the show statistics anomaly detection denied attackers os ...

Page 405: ...ntly in the closing state 0 TCP streams currently in the system 0 TCP Packets currently queued for reassembly 0 The Signature Database Statistics Total nodes active 0 TCP nodes keyed on both IP addresses and both ports 0 UDP nodes keyed on both IP addresses and both ports 0 IP nodes keyed on both IP addresses 0 Statistics for Signature Events Number of SigEvents since reset 0 Statistics for Action...

Page 406: ...ilterHitsGlobalCorrelation 0 SimulatedReputationFilterPacketsInput 0 SimulatedReputationFilterRuleMatch 0 SimulatedDenyFilterInsert 0 SimulatedDenyFilterPacketsInput 0 SimulatedDenyFilterRuleMatch 0 TcpDeniesDueToGlobalCorrelation 0 TcpDeniesDueToOverride 0 TcpDeniesDueToOverlap 0 TcpDeniesDueToOther 0 SimulatedTcpDeniesDueToGlobalCorrelation 0 SimulatedTcpDeniesDueToOverride 0 SimulatedTcpDeniesD...

Page 407: ...Protocol UDP Protocol Other Protocol Illegal Zone TCP Protocol UDP Protocol Other Protocol Statistics for Virtual Sensor vs1 No attack Detection ON Learning ON Next KB rotation at 10 00 00 UTC Sat Jan 18 2008 Internal Zone TCP Protocol UDP Protocol Other Protocol External Zone TCP Protocol UDP Protocol Other Protocol Illegal Zone TCP Protocol UDP Protocol Other Protocol sensor Step 4 Display the s...

Page 408: ... of filtered events not written to the event store 850763 The number of queries issued 0 The number of times the event store circular buffer has wrapped 0 Number of events of each type currently stored Status events 4257 Shun request events 0 Error events warning 669 Error events error 8 Error events fatal 0 Alert events informational 0 Alert events low 0 Alert events medium 0 Alert events high 0 ...

Page 409: ...Statistics Last Change To Host Config UTC 25 Jan 2012 02 59 18 Command Control Port Device Management0 0 Network Statistics ma0_0 Link encap Ethernet HWaddr 00 04 23 D5 A1 8D inet addr 10 89 130 98 Bcast 10 89 131 255 Mask 255 255 254 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 1688325 errors 0 dropped 0 overruns 0 frame 0 TX packets 38546 errors 0 dropped 0 overruns 0 carrier 0 ...

Page 410: ...ebug Severity 31522 Unknown Severity 7 TOTAL 31928 sensor Step 11 Display the statistics for the ARC sensor show statistics network access Current Configuration LogAllBlockEventsAndSensors true EnableNvramWrite false EnableAclLogging false AllowSensorBlock false BlockMaxEntries 11 MaxDeviceInterfaces 250 NetDevice Type PIX IP 10 89 150 171 NATAddr 0 0 0 0 Communications ssh 3des NetDevice Type PIX...

Page 411: ...sion 6 3 State Active Firewall type PIX NetDevice IP 192 0 2 7 AclSupport Does not use ACLs Version 7 0 State Active Firewall type ASA NetDevice IP 102 0 2 8 AclSupport Does not use ACLs Version 2 2 State Active Firewall type FWSM NetDevice IP 192 0 2 9 AclSupport uses Named ACLs Version 12 2 State Active NetDevice IP 192 0 2 10 AclSupport Uses VACLs Version 8 4 State Active BlockedAddr Host IP 20...

Page 412: ...ed Nov 30 2011 Last Read Time nanoseconds 1322697256078549000 sensor Step 15 Display the statistics for the transaction server sensor show statistics transaction server General totalControlTransactions 35 failedControlTransactions 0 sensor Step 16 Display the statistics for a virtual sensor sensor show statistics virtual sensor vs0 Statistics for Virtual Sensor vs0 Name of current Signature Defint...

Page 413: ...0 Denied Address Information Number of Active Denied Attackers 0 Number of Denied Attackers Inserted 0 Number of Denied Attacker Victim Pairs Inserted 0 Number of Denied Attacker Service Pairs Inserted 0 Number of Denied Attackers Total Hits 0 Number of times max denied attackers limited creation of new entry 0 Number of exec Clear commands during uptime 0 Denied Attackers and hit count for each D...

Page 414: ...P Stream Reassembly Unit Current Statistics for the TCP Stream Reassembly Unit TCP streams currently in the embryonic state 0 TCP streams currently in the established state 0 TCP streams currently in the closing state 0 TCP streams currently in the system 0 TCP Packets currently queued for reassembly 0 Cumulative Statistics for the TCP Stream Reassembly Unit since reset TCP streams that have been ...

Page 415: ...69 crypto library version 6 2 1 0 sensor Step 18 Clear the statistics for an application for example the logging application The statistics are retrieved and cleared sensor show statistics logger clear The number of Log interprocessor FIFO overruns 0 The number of syslog messages received 141 The number of evError events written to the event store by severity Fatal Severity 0 Error Severity 14 War...

Page 416: ...s to display statistics for the command and control interface show interfaces command_control_interface_name the sensing interface show interfaces interface_name Interfaces Command Output The following example shows the output from the show interfaces command sensor show interfaces Interface Statistics Total Packets Received 0 Total Bytes Received 0 Missed Packet Percentage 0 Current Bypass Mode A...

Page 417: ...ge E 106 Clearing Events page E 108 Sensor Events There are five types of events evAlert Intrusion detection alerts evError Application errors evStatus Status changes such as an IP log being created evLogTransaction Record of control transactions processed by each sensor application evShunRqst Block requests Events remain in the Event Store until they are overwritten by newer events Understanding ...

Page 418: ...d by the Analysis Engine whenever a signature is triggered by network activity If no level is selected informational low medium or high all alert events are displayed include traits Displays alerts that have the specified traits exclude traits Does not display alerts that have the specified traits traits Specifies the trait bit position in decimal 0 to 15 min threat rating Displays events with a t...

Page 419: ... handshake incomplete Step 3 Display the block requests beginning at 10 00 a m on February 9 2011 sensor show events NAC 10 00 00 Feb 9 2011 evShunRqst eventId 1106837332219222281 vendor Cisco originator deviceName Sensor1 appName NetworkAccessControllerApp appInstance 654 time 2011 02 09 10 33 31 2011 08 09 13 13 31 shunInfo host connectionShun false srcAddr 11 0 0 1 destAddr srcPort destPort pro...

Page 420: ...ents past 00 00 30 evStatus eventId 1041526834774829055 vendor Cisco originator hostId sensor appName mainApp appInstanceId 2215 time 2011 01 08 02 41 00 2011 01 08 02 41 00 UTC controlTransaction command getVersion successful true description Control transaction response requestor user cids application hostId 64 101 182 101 appName cidcli appInstanceId 2316 evStatus eventId 1041526834774829056 ve...

Page 421: ...r service account Step 2 Su to root using the service account password Step 3 Enter the following command usr cids idsRoot bin cidDump Step 4 Enter the following command to compress the resulting usr cids idsRoot log cidDump html file gzip usr cids idsRoot log cidDump html Step 5 Send the resulting HTML file to TAC or the IPS developers in case of a problem For More Information For the procedure f...

Page 422: ...E 110 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Appendix E Troubleshooting Gathering Information ...

Page 423: ...opics 10 100BaseT and 10 100 1000BaseT Connectors page F 1 Console Port RJ 45 page F 2 RJ 45 to DB 9 or DB 25 page F 3 10 100BaseT and 10 100 1000BaseT Connectors The ASA 5585 Xappliance supports 10 100 1000BaseT ports You must use at least a Category 5 cable for 100 1000Base TX operations You can use a Category 3 cable for 10Base TX operations Figure F 1 shows the 10 100BaseT RJ 45 port pinouts F...

Page 424: ...0 100 1000 Port Pinouts Console Port RJ 45 Figure F 3 shows the RJ 45 cable Figure F 3 RJ 45 Cable To identify the RJ 45 cable type hold the two ends of the cable next to each other so that you can see the colored wires inside the ends as shown in Figure F 4 Figure F 4 RJ 45 Cable Identification 148410 2 3 1 4 5 6 7 8 Pin Label 1 2 3 4 5 6 7 8 TP0 TP0 TP1 TP2 TP2 TP1 TP3 TP3 148418 87654321 RJ 45 ...

Page 425: ...of the cable is the third colored wire at the other end of the cable Roll over The colored wires are in the opposite sequence at either end of the cable Table F 1 lists the roll over console cable pinouts for RJ 45 RJ 45 to DB 9 or DB 25 Table F 2 lists the cable pinouts for RJ 45 to DB 9 Table F 1 RJ 45 Roll Over Console Cable Pinouts Pin Pin 1 8 2 7 3 6 4 5 5 4 6 3 7 2 8 1 Table F 2 Cable Pinout...

Page 426: ...F 4 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 Appendix F Cable Pinouts RJ 45 to DB 9 or DB 25 ...

Page 427: ... per direction can be active at a time ACLs are identified by number or by name ACLs can be standard enhanced or extended You can configure the sensor to manage ACLs ACS server Cisco Access Control Server A RADIUS security server that is the centralized control point for managing network users network administrators and network infrastructure resources action The response of the sensor to an event...

Page 428: ...processes all signature events generated by the inspectors Its primary function is to generate alerts for each event it receives alert Specifically an IPS event type it is written to the Event Store as an evidsAlert In general an alert is an IPS message that indicates a network exploit in progress or a potential security problem occurrence Also known as an alarm Analysis Engine The IPS software mo...

Page 429: ...RP protocol attack An assault on system security that derives from an intelligent threat that is an intelligent act that is a deliberate attempt especially in the sense of method or technique to evade security services and violate the security policy of a system attack relevance rating ARR A weight associated with the relevancy of the targeted OS The attack relevance rating is a derived value rele...

Page 430: ...pact flash or external USB flash which loads and runs the IPS application For the AIM IPS it boots the module from the network and assists in software installation and upgrades disaster recovery and other operations when the module cannot access its software Botnets A collection of software robots or bots that run autonomously and automatically The term is often associated with malicious software ...

Page 431: ...pp A component of the IPS Shares information with other devices through a global correlation database to improve the combined efficacy of all the devices command and control interface The interface on the sensor that communicates with the IPS manager and other network devices This interface has an assigned IP address community In SNMP a logical group of managed devices and NMSs in the same adminis...

Page 432: ...is most often used specifically for file sharing networks Darknet can be used to refer collectively to all covert communication networks Database Processor A processor in the IPS Maintains the signature state and flow databases datagram Logical grouping of information sent as a network layer unit over a transmission medium without prior establishment of a virtual circuit IP datagrams are the prima...

Page 433: ...ween two devices and for negotiating the type of trunking encapsulation ISL or 802 1q to be used E ECLB Ether Channel Load Balancing Lets a Catalyst switch split traffic flows over different physical paths egress Traffic leaving the network encryption Application of a specific algorithm to data to alter the appearance of the data making it incomprehensible to those who are not authorized to see th...

Page 434: ...this technique firewall Router or access server or several routers or access servers designated as a buffer between any connected public networks and a private network A firewall router uses access lists and other methods to ensure the security of the private network Flood engine Detects ICMP and UDP floods directed at hosts and networks flooding Traffic passing technique used by switches and brid...

Page 435: ...ces global correlation client The software component of CollaborationApp that obtains and installs updates to the local global correlation databases global correlation database The collective information obtained from and shared with collaborative devices such as IPS sensors GMT Greenwich Mean Time Time zone at zero degrees longitude Now called Coordinated Universal Time UTC GRUB Grand Unified Boo...

Page 436: ...ites event data and provides a mechanism for control transactions IDCONF Intrusion Detection Configuration A data format standard that defines operational messages that are used to configure intrusion detection and prevention systems IDENT Ident protocol specified in RFC 1413 is an Internet protocol that helps identify the user of a particular TCP connection IDIOM Intrusion Detection Interchange a...

Page 437: ...ress Iplogs are created when the log Event Action is selected for a signature Iplogs are stored in a libpcap format which can be read by WireShark and TCPDUMP IP spoofing IP spoofing attack occurs when an attacker outside your network pretends to be a trusted user either by using an IP address that is within the range of IP addresses for your network or by using an authorized external IP address t...

Page 438: ... access back door Trojan ICMP tunneling software When the computer is infected the malicious code creates an ICMP tunnel that can be used to send small payload ICMP replies M MainApp The main application in the IPS The first application to start on the sensor after the operating system has booted Reads the configuration and starts applications handles starting and stopping of applications and node...

Page 439: ...udio or video data MIME is defined in RFC 2045 minor update A minor version that contains minor enhancements to the product line Minor updates are incremental to the major version and are also base versions for service packs module A removable card in a switch router or security appliance chassis The ASA 5500 AIP SSM and ASA 5585 X IPS SSP are IPS modules monitoring interface See sensing interface...

Page 440: ...ful and well equipped computer such as an engineering workstation NMSs communicate with agents to help keep track of network statistics and resources node A physical communicating element on the command and control network For example an appliance or a router Normalizer engine Configures how the IP and TCP normalizer functions and provides configuration for signature events related to the IP and T...

Page 441: ...erprinting Act of determining the OS or services available on a system from passive observation of network interactions Passive OS Fingerprinting The sensor determines host operating systems by inspecting characteristics of the packets exchanged on the network PASV Port Spoof An attempt to open connections through a firewall to a protected FTP server to a non FTP port This happens when the firewal...

Page 442: ...on Modules See PAM POST Power On Self Test Set of hardware diagnostics that runs on a hardware device when that device is powered up Post ACL Designates an ACL from which ARC should read the ACL entries and where it places entries after all deny entries for the addresses being blocked Pre ACL Designates an ACL from which ARC should read the ACL entries and where it places entries before any deny e...

Page 443: ...atching regular expressions allow a succinct description of any arbitrary pattern Remote Authentication Dial In User Service See RADIUS repackage release A release that addresses defects in the packaging or the installer reputation Similar to human social interaction reputation is an opinion toward a device on the Internet It enables the installed base of IPS sensors in the field to collaborate us...

Page 444: ...router through a Transmission Control Protocol TCP application security context You can partition a single adaptive security appliance into multiple virtual devices known as security contexts Each context is an independent device with its own security policy interfaces and administrators Multiple contexts are similar to having multiple standalone devices Many features are supported in multiple con...

Page 445: ...nature ID addresses and risk rating The input to the Signature Event Action Filter is the signature event with actions possibly added by the Signature Event Action Override Signature Event Action Handler Performs the requested actions The output from Signature Event Action Handler is the actions being performed and possibly an evIdsAlert written to the Event Store Signature Event Action Override A...

Page 446: ...he monitoring abilities of existing network analyzers into a switched Ethernet environment SPAN mirrors the traffic at one switched segment onto a predefined SPAN port A network analyzer attached to the SPAN port can monitor traffic from any other Catalyst switched port spanning tree Loop free subset of a network topology SQL Structured Query Language International standard language for defining a...

Page 447: ... support for authentication authorization and accounting target value rating TVR A weight associated with the perceived value of the target Target value rating is a user configurable value zero low medium high or mission critical that identifies the importance of a network asset through its IP address TCP Transmission Control Protocol Connection oriented transport layer protocol that provides reli...

Page 448: ...in an enterprise networking structure TPKT Transport Packet RFC 1006 defined method of demarking messages in a packet The protocol uses ISO transport services on top of TCP traceroute Program available on many systems that traces the path a packet takes to a destination It is used mostly to debug routing problems between hosts A traceroute protocol is also defined in RFC 1393 traffic analysis Infe...

Page 449: ...erfaces and the entire interfaces can be associated with at most one virtual sensor UPS Uninterruptable Power Source UTC Coordinated Universal Time Time zone at zero degrees longitude Formerly called Greenwich Mean Time GMT and Zulu time UTF 8 8 bit Unicode Transformation Format A variable length character encoding for Unicode UTF 8 can represent every character in the Unicode character set and is...

Page 450: ...er an IP based internet with POTS like functionality reliability and voice quality VoIP enables a router to carry voice traffic for example telephone calls and faxes over an IP network In VoIP the DSP segments the voice signal into frames which then are coupled in groups of two and stored in voice packets These voice packets are transported using IP in compliance with ITU T specification H 323 VPN...

Page 451: ...onstructed stream of a TCP session For more information see http www wireshark org worm A computer program that can run independently can propagate a complete working version of itself onto other hosts on a network and can consume computer resources destructively X X 509 Standard that defines information contained in a certificate XML eXtensible Markup Language Textual file format used for data in...

Page 452: ...Glossary GL 26 Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7 1 OL 24002 01 ...

Page 453: ...iple packet drop 1 3 TCP reset 1 2 adaptive security appliance ASA 5500 AIP SSM 8 2 ASA 5585 X IPS SSP 9 2 described 8 2 models 9 2 alternate TCP reset interface configuration restrictions 1 13 designating 1 12 restrictions 1 5 Analysis Engine error messages E 24 errors E 52 IDM exits E 56 sensing interfaces 1 6 verify it is running E 20 anomaly detection disabling E 19 appliance cable pinouts 10B...

Page 454: ...PS SSP initializing B 17 IPS reloading messages E 64 E 76 E 83 logging in A 5 memory usage E 75 memory usage values table E 75 Normalizer engine E 74 password recovery E 10 resetting the password E 10 session command A 5 sessioning in A 5 setup command B 17 time soruces 1 23 E 16 ASA 5585 X cable pinouts 10BaseT F 1 slide rail kit hardware installation 7 20 ASA 5585 X IPS SSP adaptive security app...

Page 455: ...configuration E 3 current configuration E 4 back panel features IPS 4260 4 8 IPS 4270 20 5 10 IPS 4345 6 7 IPS 4360 6 8 IPS 4510 7 7 IPS 4520 7 7 basic setup B 4 blocking not occurring for signature E 42 C cable management arm converting 5 33 described 5 32 installing 5 29 cable pinouts RJ 45 to DB 9 F 3 cannot access sensor E 25 cidDump obtaining information E 109 circuit breaker warning 6 21 cis...

Page 456: ...interfaces 1 12 physical interfaces 1 12 VLAN groups 1 14 configuring automatic upgrades D 9 upgrades D 5 connecting SFP SFP modules 9 12 converting cable management arm 5 33 copy backup config command E 3 copy current config command E 3 copy license key command C 12 correcting time on the sensor 1 24 E 17 creating the service account E 6 cryptographic account Encryption Software Export Distributi...

Page 457: ...r IPv6 support 1 15 System Configuration Dialog B 2 expansion cards interface naming conventions IPS 4260 4 4 interface naming conventions IPS 4270 20 5 5 slots IPS 4260 4 21 slots IPS 4270 20 5 43 external product interfaces issues E 21 troubleshooting E 22 F fail over testing 4 5 5 6 false positives filtering 1 4 tuning IPS 1 3 fan indicators IPS 4270 20 5 50 fans IPS 4270 20 5 50 files Cisco IP...

Page 458: ...B 17 ASA 5585 X IPS SSP B 21 sensors B 1 B 4 user roles B 1 verifying B 25 inline interface pair mode configuration restrictions 1 13 described 1 16 illustration 1 16 inline mode interface cards 1 6 pairing interfaces 1 6 inline VLAN pair mode configuration restrictions 1 13 described 1 17 illustration 1 17 supported sensors 1 17 installation preparation 2 1 installer major version C 5 installer m...

Page 459: ...ention System Manager Express See IME 7 3 IPS restrictions 1 21 supported appliances 1 19 modules 1 19 tuning 1 3 IPS 4240 7200 series router 3 5 back panel illustration 3 3 back panel indicators 3 4 described 3 1 3 2 features 3 3 front panel illustration 3 3 indicators 3 3 installation 3 8 installing DC power supply 3 10 rack mounting 3 6 specifications 3 4 IPS 4240 DC described 3 10 installing 3...

Page 460: ...escribed 5 11 illustration 5 11 expansion card slots 5 43 extending from a rack 5 26 fan connector and indicator illustration 5 50 fan indicators 5 50 fans 5 50 features 5 8 front panel indicators 5 9 switches 5 9 front view illustration 5 8 hardware bypass 5 6 hot pluggable power supplies 5 45 installation 5 36 installing cable management arm 5 29 fans 5 50 in a rack 5 18 interface cards 5 43 pow...

Page 461: ...talling DC power supplies 6 26 installing system image D 17 packing box contents 6 4 password recovery E 8 E 9 power supplies 6 16 power supplies illustration 6 17 power supply indicator 6 17 reimaging D 17 removing DC power supplies 6 26 specifications 6 2 V01 power supply limitations 6 15 IPS 4510 back panel features 7 7 back panel features illustration 7 7 cable management brackets described 7 ...

Page 462: ... kit hardware 7 20 installing system image D 21 Management 0 0 7 12 management port described 7 12 memory requirements 7 11 OIR fan supply modules 7 2 not supported 7 2 power supply modules 7 2 SFP SFP 7 2 packing box contents 7 10 password recovery E 8 E 9 power module indicators described 7 8 illustration 7 7 power supply modules installing 7 17 removing 7 17 requirements 7 11 rack mounting 7 30...

Page 463: ...r role A 1 loose connections on sensors 5 52 7 34 E 24 M major updates described C 3 Management 0 0 port described 7 12 Management 0 1 described 7 12 manual block to bogus host E 42 master blocking sensor not set up properly E 43 verifying configuration E 44 merging configuration files E 3 MIBs supported E 18 minor updates described C 3 modes IDS 1 1 inline interface pair 1 16 inline VLAN pair 1 1...

Page 464: ...iguration restrictions 1 12 ports Management 0 0 7 12 Management 0 1 7 12 SFP 7 13 SFP SFP 9 12 power supplies described IPS 4345 6 16 describes IPS 4360 6 16 illustration IPS 4345 6 17 illustration IPS 4560 6 17 IPS 4260 installing 4 23 removing 4 23 IPS 4270 20 hot pluggable 5 45 installing 5 45 redundant 5 45 removing 5 45 power supply guidelines 2 6 power supply indicator IPS 4345 6 17 IPS 436...

Page 465: ...ecovering the application partition image D 12 recovery partition upgrade D 7 reimaging ASA 5500 X IPS SSP D 23 ASA 5585 X IPS SSP D 24 described D 2 IPS 4270 20 D 15 IPS 4345 D 17 IPS 4360 D 17 IPS 4510 D 21 IPS 4520 D 21 sensors D 2 D 12 removing ASA 5500 AIP SSM 8 7 ASA 5585 X IPS SSP 9 13 chassis cover IPS 4260 4 20 chassis cover IPS 4270 20 5 40 DC power supply IPS 4360 6 26 last applied serv...

Page 466: ...detection E 19 capturing traffic 1 1 command and control interfaces list 1 5 comprehensive deployment 1 1 Comprehensive Deployment Solutions illustration 1 1 corrupted SensorApp configuration E 35 disaster recovery E 6 downgrading D 11 electrical guidelines 2 3 IDS mode 1 1 incorrect NTP configuration 1 23 E 16 initializing B 1 B 4 interface support 1 6 IP address conflicts E 28 IPS mode 1 1 IPS t...

Page 467: ...9 E 66 E 78 show settings command E 14 show statistics command E 92 show statistics virtual sensor command E 24 E 92 show tech support command E 85 show version command E 89 signature engine update files described C 5 signatures TCP reset E 51 update files C 4 site guidelines for sensor installation 2 5 SNMP supported MIBs E 18 software bypass supported configurations 4 5 5 6 with hardware bypass ...

Page 468: ...46 TAC service account E 5 show tech support command E 85 TCP reset interfaces conditions 1 12 described 1 11 list 1 11 promiscuous mode 1 11 switches 1 12 TCP resets not occurring E 51 signature actions 1 2 tech support information display E 86 terminal server setup 1 22 A 3 D 14 testing fail over 4 5 5 6 TFTP servers recommended UNIX D 14 Windows D 14 RTT D 14 time correction on the sensor 1 24 ...

Page 469: ... E 57 NTP E 51 password recovery E 15 physical connectivity issues E 31 preventive maintenance E 2 RADIUS attempt limit E 21 reset not occurring for a signature E 51 sensing process not running E 29 sensor events E 105 sensor loose connections 5 52 7 34 E 24 sensor not seeing packets E 34 sensor software upgrade E 54 service account E 5 show events command E 105 show interfaces command E 104 show ...

Page 470: ...word recovery E 14 sensor initialization B 25 sensor setup B 25 version display E 89 viewing license key status C 9 virtualization advantages E 17 restrictions E 17 supported sensors E 18 traffic capture requirements E 18 VLAN groups 802 1q encapsulation 1 18 configuration restrictions 1 14 deploying 1 18 described 1 17 switches 1 18 W warning circuit breaker 6 21 exposed DC wire 6 23 ...

Reviews:

No comments

Related manuals for IPS 7.1

ABB RELION REF615R Manual preview
RELION REF615R
Brand: ABB Pages: 66
Maco Standard Fitting Instructions Manual preview
Standard
Brand: Maco Pages: 38
Samsung AllShare Cast Dongle Quick Start Manual preview
AllShare Cast Dongle
Brand: Samsung Pages: 2
D-Link DSL-2750U Setup preview
DSL-2750U
Brand: D-Link Pages: 14
D-Link DVG-7022S Quick Installation Manual preview
DVG-7022S
Brand: D-Link Pages: 7
D-Link DIR-878 Quick Installation Manual preview
DIR-878
Brand: D-Link Pages: 41
3Com TokenLink 3C359B Release Note preview
TokenLink 3C359B
Brand: 3Com Pages: 4
3Com TokenLink 3C359B Quick Start Manual preview
TokenLink 3C359B
Brand: 3Com Pages: 8
3Com TokenLink 3C339 Release Note preview
TokenLink 3C339
Brand: 3Com Pages: 2
3Com EtherLink 3C985B-SX Installation And User Manual preview
EtherLink 3C985B-SX
Brand: 3Com Pages: 44
3Com 3CR990 Administration Manual preview
3CR990
Brand: 3Com Pages: 88
3Com 3C16080 Important Information preview
3C16080
Brand: 3Com Pages: 2
3Com 3C905C-TX-M User Manual preview
3C905C-TX-M
Brand: 3Com Pages: 111
3Com TokenLink 3C359 Release Note preview
TokenLink 3C359
Brand: 3Com Pages: 4
3Com 3C421600A Quick Setup Manual preview
3C421600A
Brand: 3Com Pages: 74
3Com 3C421600A Installation Manual preview
3C421600A
Brand: 3Com Pages: 6
LaCie d2 Network 2 Quick Install Manual preview
d2 Network 2
Brand: LaCie Pages: 44
LaCie LaCie Ethernet Disk Datasheet preview
LaCie Ethernet Disk
Brand: LaCie Pages: 2

Brands by name

Popular brands

Load more brands