Cisco IPS 7.1 Installation Manual

Intrusion prevention system appliance and module

Cisco Intrusion Prevention System
Appliance and Module Installation Guide
for IPS 7.1
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-24002-01


Summary of Contents for Cisco IPS 7.1

  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
  • Page 3: Table Of Contents

    Conventions; Related Documentation xvii; Where to Find Safety and Warning Information xvii; Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service Request xviii; Chapter: Introducing the Sensor; Contents; How the Sensor Functions...
  • Page 4 Installing the IPS 4240 and IPS 4255; Installing the IPS 4240-DC 3-10; Chapter: Installing the IPS 4260; Contents; Installation Notes and Caveats; Product Overview; Supported Interface Cards
  • Page 5 Installing the IPS 4270-20 in the Rack 5-18; Extending the IPS 4270-20 from the Rack 5-26; Installing the Cable Management Arm 5-28; Converting the Cable Management Arm 5-32; Installing the IPS 4270-20 5-35
  • Page 6 Product Overview; Chassis Features; Specifications; Accessories 7-10; Memory Configurations 7-11; Power Supply Module Requirements 7-11; Supported SFP/SFP+ Modules 7-11; Installing the IPS 4510 and IPS 4520 7-12
  • Page 7 Installation Notes and Caveats; Introducing the ASA 5585-X IPS SSP; Specifications; Hardware and Software Requirements; Front Panel Features; Memory Requirements; SFP/SFP+ Modules; Installing the ASA 5585-X IPS SSP
  • Page 8 Obtaining Cisco IPS Software; IPS 7.1 Files; IPS Software Versioning; IPS Software Release Examples; Accessing IPS Documentation; Cisco Security Intelligence Operations; Obtaining a License Key From Cisco.com
  • Page 9 Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command D-25; Installing the ASA 5585-X IPS SSP System Image Using ROMMON D-27; Appendix: Troubleshooting; Contents; Cisco Bug Search
  • Page 10 Troubleshooting Loose Connections E-24; Analysis Engine is Busy E-24; Communication Problems E-25; Cannot Access the Sensor CLI Through Telnet or SSH E-25; Correcting a Misconfigured Access List E-27
  • Page 11 Health and Status Information E-59; Failover Scenarios E-61; The ASA 5500 AIP SSM and the Normalizer Engine E-62; The ASA 5500 AIP SSM and the Data Plane E-63
  • Page 12 Displaying Statistics E-92; Interfaces Information E-104; Understanding the show interfaces Command E-104; Interfaces Command Output E-104; Events Information E-105; Sensor Events E-105; Understanding the show events Command E-105
  • Page 13 Appendix; Contents; 10/100BaseT and 10/100/1000BaseT Connectors; Console Port (RJ-45); RJ-45 to DB-9 or DB-25; Glossary; Index
  • Page 15: Contents

    Revised: November 9, 2013, OL-24002-01 Contents This guide describes how to install appliances and modules that support Cisco IPS 7.1. It includes a glossary that contains expanded acronyms and pertinent IPS terms. It is part of the documentation set for Cisco Intrusion Prevention System 7.1. Use this guide in conjunction with the documents listed in Related Documentation, page xvii.
  • Page 16: Organization

    A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks. courier font: Terminal sessions and information the system displays appear in courier font.
  • Page 17: Related Documentation

    Related Documentation For a complete list of the Cisco IPS 7.1 documentation and where to find it, refer to the following URL: http://www.cisco.com/en/US/docs/security/ips/7.1/roadmap/19889_01.html For a complete list of the Cisco ASA 5500 series documentation and where to find it, refer to the following URL: http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html...
  • Page 18: Obtaining Documentation, Using The Cisco Bug Search Tool, And Submitting A Service Request

    What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html. Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
  • Page 19: Contents

    Figure 1-1 on page 1-2 shows how you can deploy a combination of sensors operating in both inline (IPS) and promiscuous (IDS) modes to protect your network.
  • Page 20: Chapter 1 Introducing The Sensor

    The command and control interface is always Ethernet. This interface has an assigned IP address, which allows it to communicate with the manager workstation or network devices (Cisco switches, routers, and firewalls). Because this interface is visible on the network, you should use encryption to maintain data privacy.
  • Page 21: Your Network Topology

    False positives are a by-product of all IPS devices, but they occur much less frequently in Cisco IPS devices since Cisco IPS devices are stateful, normalized, and use vulnerability signatures for attack evaluation. Cisco IPS devices also provide risk rating, which identifies high risk events, and policy-based management, which lets you deploy rules to enforce IPS signature actions based on risk rating.
  • Page 22: Sensor Interfaces

    IPS 4270-20, where the ports are numbered from top to bottom). Each physical interface can be divided into VLAN group subinterfaces, each of which consists of a group of VLANs on that interface.
  • Page 23: Command And Control Interface

    Management 0/0; ASA 5585-X IPS SSP-20: Management 0/0; ASA 5585-X IPS SSP-40: Management 0/0; ASA 5585-X IPS SSP-60: Management 0/0; IPS 4240: Management 0/0; IPS 4255: Management 0/0
  • Page 24: Sensing Interfaces

    GigabitEthernet 0/1 by security context instead of VLAN pair or inline interface pair; GigabitEthernet 0/1 by security context instead of VLAN pair or inline interface pair; GigabitEthernet 0/0
  • Page 25 IPS 4240 — GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2, GigabitEthernet 0/3; 0/0<->0/1, 0/0<->0/2, 0/0<->0/3, 0/1<->0/2, 0/1<->0/3, 0/2<->0/3; Management 0/0
  • Page 26 Management 0/0; Management 0/1; Slot 1: GigabitEthernet 3/0, GigabitEthernet 3/1, GigabitEthernet 3/2, GigabitEthernet 3/3; 3/0<->3/1, 3/2<->3/3; Slot 2: GigabitEthernet 4/0, GigabitEthernet 4/1, GigabitEthernet 4/2, GigabitEthernet 4/3; 4/0<->4/1, 4/2<->4/3
  • Page 27 GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2, GigabitEthernet 0/3, GigabitEthernet 0/4, GigabitEthernet 0/5, GigabitEthernet 0/6, GigabitEthernet 0/7; All sensing ports can be paired together; Management 0/0, Management 0/1
  • Page 28 4GE-BP, 2SX, and 10GE cards up to a total of either six cards, or sixteen total ports, whichever is reached first, but is limited to only two 10GE cards in the mix of cards.
  • Page 29: Tcp Reset Interfaces

    None; ASA 5555-X IPS SSP: None; ASA 5585-X IPS SSP-10: None; ASA 5585-X IPS SSP-20: None; ASA 5585-X IPS SSP-40: None; ASA 5585-X IPS SSP-60: None
  • Page 30: Interface Restrictions

    The following restrictions apply to configuring interfaces on the sensor: • Physical Interfaces – In IPS 7.1, rx/tx flow control is disabled on the IPS 4200 series sensors. This is a change from IPS 7.0 where rx/tx flow control is enabled by default.
  • Page 31 – The command and control interface cannot serve as the alternate TCP reset interface for a sensing interface. – A sensing interface cannot serve as its own alternate TCP reset interface.
  • Page 32: Interface Modes

    The disadvantage of operating in promiscuous mode, however, is the sensor cannot stop malicious traffic from reaching its...
  • Page 33 4/2 on dot1q 932 set trunk 4/3 on dot1q 960 set trunk 4/4 on dot1q 962 set span 930, 932, 960, 962 4/1-4 both
  • Page 34: Inline Interface Pair Mode

    Inline VLAN Pair Mode. Note: The ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support inline VLAN pairs.
  • Page 35: Vlan Group Mode

    The advantage is that now you can use a sensor with only a few interfaces as if it had many interfaces. Note: You cannot divide physical interfaces that are in inline VLAN pairs into VLAN groups.
  • Page 36: Deploying Vlan Groups

    Supported Sensors. Caution: Installing the most recent software on unsupported sensors may yield unpredictable results. We do not support software installed on unsupported platforms.
  • Page 37 The currently supported IPS 7.1(x) versions are 7.1(1)E4, 7.1(2)E4, 7.1(3)E4, 7.1(4)E4, 7.1(5)E4, and IPS 7.1(6)E4. All IPS sensors are not supported in each 7.1(x) version. For a list of the specific IPS filenames and the IPS versions that each sensor supports, refer to the Release Notes for your IPS version found at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_release_notes_list.html...
  • Page 38: Ips Appliances

    Note: The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.0(x) and later and IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.1(4) and later].
  • Page 39: Appliance Restrictions

    • Cisco Systems prohibits using the appliance for anything other than operating Cisco IPS. • Cisco Systems prohibits modifying or installing any hardware or software in the appliance that is not part of the normal operation of the Cisco IPS.
  • Page 40: Connecting An Appliance To A Terminal Server

    You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps: Connect to a terminal server using one of the following methods:...
  • Page 41: The Sensor And Time Sources

    Verifying the Sensor is Synchronized with the NTP Server In the Cisco IPS, you cannot apply an incorrect NTP configuration, such as an invalid NTP key value or ID, to the sensor. If you try to apply an incorrect configuration, you receive an error message. To verify the NTP configuration, use the show statistics host command to gather sensor statistics.
  • Page 42: Correcting The Time On The Sensor

    To ensure the integrity of the time stamp on the event records, you must clear the event archive of the older events by using the clear events command. Note: You cannot remove individual events.
  • Page 43 For More Information: For the procedure for clearing events, refer to Clearing Events from Event Store.
  • Page 45: Chapter 2 Preparing The Appliance For Installation

    • Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4500 Series Sensor Appliance. Step 2 To familiarize yourself with the IPS and related documentation and where to find it on Cisco.com, read Documentation Roadmap for Cisco Intrusion Prevention System 7.1.
  • Page 46: Safety Recommendations

    Note: Removing the chassis cover to install a hardware component does not affect your Cisco warranty. Upgrading the appliance does not require any special tools and does not create any radio frequency leaks.
  • Page 47: Preventing Electrostatic Discharge Damage

    • For safety, periodically check the resistance value of the antistatic strap, which should be between 1 and 10 megohms (Mohms).
  • Page 48: Working In An Esd Environment

    Caution: Always follow ESD-prevention procedures when removing, replacing, or repairing components. Note: If you are upgrading a component, do not remove the component from the ESD packaging until you are ready to install it.
  • Page 49: General Site Requirements

    • Ensure that the chassis top panel is secure. The chassis is designed to allow cooling air to flow effectively within it. An open chassis allows air leaks, which may interrupt and redirect the flow of cooling air from the internal components.
  • Page 50: Power Supply Considerations

    Baffles can help to isolate exhaust air from intake air, which also helps to draw cooling air through the chassis. The best placement of the baffles depends on the airflow patterns in the rack. Experiment with different arrangements to position the baffles effectively.
  • Page 51: Contents

    Only trained and qualified personnel should install, replace, or service this equipment. Statement 49. Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection and Prevention System 4200 Series Appliance Sensor document and follow proper safety procedures when performing the steps in this guide.
  • Page 52: Product Overview

    Note IPS 4255 look identical with the same front and back panel features and indicators. Note: In IPS 7.1, rx/tx flow control is disabled on the IPS 4240 and the IPS 4255. This is a change from IPS 7.0 where rx/tx flow control is enabled by default.
  • Page 53: Front And Back Panel Features

    [Figure: front and back panel features and indicators (FLASH, LINK/SPD, power, status, USB ports, auxiliary port, compact flash device)]
  • Page 54: Specifications

    One chassis expansion slot (not used). Power: Autoswitching: 100V to 240V AC; Frequency: 47 to 63 Hz, single phase; Operating current: 3.0 A; Steady state: 150 W
  • Page 55: Connecting The Ips 4240 To A Cisco 7200 Series Router

    Statement 1071. SAVE THESE INSTRUCTIONS. Warning: Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030
  • Page 56: Rack Mounting

    Note: The top hole on the left bracket is a banana jack you can use for ESD grounding purposes when you are servicing the system. You can use the two threaded holes to mount a ground lug to ground the chassis.
  • Page 57: Installing The Ips 4240 And Ips 4255

    Statement 1030. Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
  • Page 58 RJ-45 or hydra cable assembly connections. Connect the appropriate cable from the console port on the appliance to a port on the terminal server.
  • Page 59: Console Port (Rj

    Step 8 Initialize the appliance. Step 9 Upgrade the appliance with the most recent Cisco IPS software. You are now ready to configure intrusion Step 10 prevention on the appliance.
  • Page 60: Installing The Ips 4240-Dc

    • For the procedure for using the setup command to initialize the appliance, see Appendix B, “Initializing the Sensor.” • For the procedure for updating the appliance with the most recent Cisco IPS software, see Obtaining Cisco IPS Software, page C-1.
  • Page 61 Remove the DC power supply plastic shield. Step 7 Strip the ends of the wires for insertion into the power connect lugs on the IPS 4240-DC. Step 8
  • Page 62 Step 13 Initialize the IPS 4240-DC. Upgrade the IPS 4240-DC with the most recent Cisco IPS software. You are now ready to configure Step 14 intrusion prevention on the appliance.
  • Page 63 • For the procedure for using the setup command to initialize the appliance, see Appendix B, “Initializing the Sensor.” • For the procedure for updating the appliance with the most recent Cisco IPS software, see Obtaining Cisco IPS Software, page C-1.
  • Page 65: Contents

    Statement 49 (Warning). Caution: Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Detection and Prevention System 4200 Series Appliance Sensor document and follow proper safety procedures when performing the steps in this guide.
  • Page 66: Product Overview

    Note: In IPS 7.1, rx/tx flow control is disabled on the IPS 4260. This is a change from IPS 7.0 where rx/tx flow control is enabled by default. Caution: The BIOS on IPS 4260 is specific to IPS 4260 and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website.
  • Page 67: Supported Interface Cards

    The 2SX card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the sensor. The 2SX interface card does not support hardware bypass.
  • Page 68: Hardware Bypass

    4-21. This section contains the following topics: • 4GE Bypass Interface Card, page 4-5 • Hardware Bypass Configuration Restrictions, page 4-5 • Hardware Bypass and Link Changes and Drops, page 4-6
  • Page 69: 4Ge Bypass Interface Card

    To disable hardware bypass, pair the interfaces in any other combination, for example 2/0<->2/2 and 2/1<->2/3. Hardware bypass complements the existing software bypass feature in Cisco IPS. The following conditions apply to hardware bypass and software bypass: When bypass is set to OFF, software bypass is not active.
  • Page 70: Hardware Bypass And Link Changes And Drops

    • Make sure the interfaces of the connected devices are configured to match the interfaces of the appliance for speed/duplex negotiation (auto/auto). • Enable portfast on connected switchports to reduce spanning-tree forwarding delays.
  • Page 71: Front And Back Panel Features

    Status (green/amber): Blinks green while the power-up diagnostics are running or the system is booting. Solid green when the system has passed power-up diagnostics. Solid amber when the power-up diagnostics have failed.
  • Page 72 Back Panel Indicators (Indicator, Color, Description): Left side: Green solid, Physical link; Green blinking, Network activity. Right side: Not lit, 10 Mbps; Green, 100 Mbps; Amber, 1000 Mbps
  • Page 73: Specifications

    Relative humidity: Operating 10% to 85% (noncondensing); Nonoperating 5% to 95% (noncondensing). Altitude: Operating 0 to 9843 ft (3000 m); Nonoperating 0 to 15,000 ft (4750 m)
  • Page 74: Accessories

    IPS 4260 and contains the following topics: • Installing the IPS 4260 in a 4-Post Rack, page 4-11 • Installing the IPS 4260 in a 2-Post Rack, page 4-14
  • Page 75: Installing The Ips 4260 In A 4-Post Rack

    [Figure: IPS 4260 front panel, labeled RESET, POWER, FLASH, STATUS, and Cisco IPS 4260 series Intrusion Prevention Sensor]
  • Page 76 Using the four inner studs, install the mounting brackets to the outer rail with four 8-32 KEPS nuts. Insert Step 3 four thread covers over the four outer studs on each side.
  • Page 77 [Figure: IPS 4260 front panel, labeled RESET, POWER, FLASH, STATUS, and Cisco IPS 4260 series Intrusion Prevention Sensor]
  • Page 78: Installing The Ips 4260 In A 2-Post Rack

    Using the four inner studs, install the mounting brackets to the outer rail with four 8-32 KEPS nuts. Insert Step 2 four thread covers over the four outer studs on each side.
  • Page 79 Step 4 [Figure: IPS 4260 front panel, labeled RESET, POWER, FLASH, STATUS, and Cisco IPS 4260 series Intrusion Prevention Sensor]
  • Page 80: Installing The Ips 4260

    Statement 1030. Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
  • Page 81 RJ-45 or hydra cable assembly connections. Connect the appropriate cable from the console port on the appliance to a port on the terminal server.
  • Page 82 Caution: Management and console ports are privileged administrative ports. Connecting them to an untrusted network can create security concerns. Power on the IPS 4260. Step 8
  • Page 83: Removing And Replacing The Chassis Cover

    Removing and Replacing the Chassis Cover Step 9 Initialize the IPS 4260. Upgrade the IPS 4260 with the most recent Cisco IPS software. You are now ready to configure intrusion Step 10 prevention on the IPS 4260. For More Information...
  • Page 84 Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. Note: Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4260 does not require any special tools and does not create any radio frequency leaks.
  • Page 85: Installing And Removing Interface Cards

    If rack-mounted, remove the IPS 4260 from the rack. Step 5 Make sure the IPS 4260 is in an ESD-controlled environment. Step 6 Remove the chassis cover. Step 7
  • Page 86 Reinstall the slot cover screw to hold the card to the carrier. If necessary, reinstall the card support at the Step 12 back of the card carrier. Step 13 Replace the card carrier in the chassis. Step 14 Replace the chassis cover.
  • Page 87: Installing And Removing The Power Supply

    Remove the power cable and other cables from the IPS 4260. Note: Power supplies are hot-swappable. You can replace a power supply while the IPS 4260 is running, if you are replacing a redundant power supply.
  • Page 88 To remove the power supply, push down the green tab and pull out the power supply. Step 7 After installing or removing the power supply, replace the power cord and other cables. Step 8 Power on the IPS 4260. Step 9
  • Page 89 For More Information: For the IDM procedure for resetting the IPS 4260, refer to Rebooting the Sensor; for the IME procedure, refer to Rebooting the Sensor.
  • Page 91: Chapter 5 Installing The Ips 4270-20

    Caution: The BIOS on the IPS 4270-20 is specific to the IPS 4270-20 and must only be upgraded under instructions from Cisco with BIOS files obtained from the Cisco website. Installing a non-Cisco or third-party BIOS on the IPS 4270-20 voids the warranty. For more information on how to obtain...
  • Page 92: Product Overview

    Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4270-20 does not require any special tools and does not create any radio frequency leaks. Note: In IPS 7.1, rx/tx flow control is disabled on the IPS 4270-20. This is a change from IPS 7.0 where rx/tx flow control is enabled by default.
  • Page 93 • For more information on sensor interfaces, see Sensor Interfaces, page 1-4. • For more information on the supported interface cards, see Supported Interface Cards, page 5-4.
  • Page 94: Supported Interface Cards

    The 2SX card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the sensor. The 2SX interface card does not support hardware bypass.
  • Page 95: Hardware Bypass

    5-43. This section contains the following topics: • 4GE Bypass Interface Card, page 5-6 • Hardware Bypass Configuration Restrictions, page 5-6 • Hardware Bypass and Link Changes and Drops, page 5-7
  • Page 96: 4Ge Bypass Interface Card

    To disable hardware bypass, pair the interfaces in any other combination, for example 2/0<->2/2 and 2/1<->2/3. Hardware bypass complements the existing software bypass feature in Cisco IPS. The following conditions apply to hardware bypass and software bypass: When bypass is set to OFF, software bypass is not active.
  • Page 97: Hardware Bypass And Link Changes And Drops

    • Make sure the interfaces of the connected devices are configured to match the interfaces of the appliance for speed/duplex negotiation (auto/auto). • Enable portfast on connected switchports to reduce spanning-tree forwarding delays.
  • Page 98: Front And Back Panel Features

    [Figure 5-6: IPS 4270-20 Front Panel Switches and Indicators; callouts: Management0/0, Management0/1 (reserved for future use), power status, system, power]
  • Page 99 Turns power on and off; indicator: • Amber—System has AC power and is in standby mode • Green—System has AC power and is turned on • Off—System has no AC power
  • Page 100 [Figure: back panel; labels: expansion slots (PCI-E x4, PCI-E x8, PCI-X 100 MHz), Reserved Future Use, CONSOLE, MGMT0/0, Management0/0, Console port]
  • Page 101 Power Indicator 2 Description Amber Green No AC power to any power supply Flashing Power supply failure (over current) No AC power to this power supply Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1 5-11 OL-24002-01...
  • Page 102 Front and Back Panel Features Table 5-3 Power Supply Indicators (continued) Fail Indicator 1 Power Indicator 2 Description Amber Green Flashing AC power present • Standby mode • Normal Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1 5-12 OL-24002-01...
  • Page 103 Figure 5-9 IPS 4270-20 Internal Components (callouts: power supplies, sensing interface expansion slots, cooling fans, diagnostic panel)
  • Page 104: Diagnostic Panel

    System NMI switch Slot X Expansion slot CPU BD (interlock error) System board PPM X Processor power module 1A-32D DIMM Slot PROC X Processor FAN X
  • Page 105: Specifications

    1. At sea level with an altitude derating of 1.8 F per every 1000 ft (1.0 C per every 3.0m) above sea level to a maximum of 10,000 ft (3050 m). No direct sustained sunlight.
  • Page 106: Accessories

    Round-, Square-, and Threaded-Hole Racks. Round-hole racks: no tools required. Square-hole racks: no tools required. Threaded-hole racks: tools required (standard screwdriver, Phillips screwdriver, or T-25 Torx driver).
  • Page 107: Rail System Kit Contents

  • Page 108: Installing The IPS 4270-20 In The Rack

    Note: The tapered end of the chassis side rail should be at the back of the IPS 4270-20. The chassis side rail is held in place by the inner latch. Step 2: Repeat Step 1 for each chassis side rail.
  • Page 109 To remove the chassis side rail, lift the latch, and slide the rail forward.
  • Page 110 If you are installing the IPS 4270-20 in a shallow rack, one that is less than 28.5 in. (72.39 cm), remove the screw from the inside of the slide assembly before continuing with Step 5.
  • Page 111 Repeat for each slide assembly. Make sure the slide assemblies line up with each other in the rack. Lift the spring latch to release the slide assembly if you need to reposition it.
  • Page 112 Remove the eight round- or square-hole studs on each slide assembly using a standard screwdriver. Note: You may need a pair of pliers to hold the retaining nut.
  • Page 113 Line up the bracket on the slide assembly with the rack holes, install two screws (top and bottom) on each end of the slide assembly. Repeat for each slide assembly.
  • Page 114 Chapter 5 Installing the IPS 4270-20 Installing the Rail System Kit Step 6: Extend the slide assemblies out of the rack.
  • Page 115 Step 8: If you are using the cable management arm, install it before you connect and route any cables. Note: You may also need longer cables when the arm is installed (an extra length of around 3 feet is required).
  • Page 116: Extending The IPS 4270-20 From The Rack

    Otherwise, you risk damage to the cables and a possible shock hazard if the power cables get caught between the chassis and the rack.
  • Page 117 Step 2: After performing the installation or maintenance procedure, slide the IPS 4270-20 in to the rack by pressing the rail-release latches.
  • Page 118: Installing The Cable Management Arm

    Installing the Cable Management Arm. Note: To hinge the cable management arm on the back right-hand side of the rack, see Converting the Cable Management Arm, page 5-32.
  • Page 119
  • Page 120 Note: When properly installed, the cable management arm is attached to the IPS 4270-20 and the rack rail.
  • Page 121 Caution: Do not use the straps and zip ties to tie the two parts of the cable management arm together.
  • Page 122: Converting The Cable Management Arm

    Note: The cable management arm is designed for ambidextrous use. You can convert the cable management arm from a left-hand swing to a right-hand swing. Note: Make sure to orient the management arm with the cable trough facing upward.
  • Page 123 To convert the cable management arm swing, follow these steps: Step 1: Pull up the spring pin and slide the bracket off the cable management arm.
  • Page 124 Step 2: Remove the bottom sliding bracket and flip it over to the top of the bracket, aligning the studs.
  • Page 125: Installing The IPS 4270-20

    Note: The sliding bracket only fits one way because the hole for the spring pin is offset. Installing the IPS 4270-20. Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. Warning: IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger.
  • Page 126 RJ-45 or hydra cable assembly connections. Connect the appropriate cable from the console port on the appliance to a port on the terminal server.
  • Page 127 RJ-45 to DB-9 adapter Reserved Future Use CONSOLE MGMT 0/0 RJ-45 to Console DB-9 serial cable port (DB-9) (null-modem) Computer serial port DB-9
  • Page 128 Step 7 Initialize the IPS 4270-20. Step 8 Upgrade the IPS 4270-20 with the most recent Cisco IPS software. You are now ready to configure Step 9 intrusion prevention on the IPS 4270-20.
  • Page 129: Removing And Replacing The Chassis Cover

    Removing and Replacing the Chassis Cover. Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. Warning: This product relies on the building’s installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than 120 VAC, 20 A U.S.
  • Page 130 Warning: This unit might have more than one power supply connection. All connections must be removed to de-energize the unit. Statement 1028. Note: Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4270-20 does not require any special tools and does not create any radio frequency leaks.
  • Page 131 Step 10: To replace the chassis cover, position it on top of the chassis and slide it on. Push down on the cover latch to lock into place.
  • Page 132: Accessing The Diagnostic Panel

    • For the location of the Diagnostic Panel, see Figure 5-9 on page 5-13. • For information on what internal health information each indicator displays on the Diagnostic Panel, see Diagnostic Panel, page 5-14.
  • Page 133: Installing And Removing Interface Cards

    Installing and Removing Interface Cards. Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. The IPS 4270-20 has nine expansion card slots. Slots 1 and 2 are PCI-X slots and are reserved for future use.
  • Page 134 Step 11: Slide the server back in to the rack by pressing the server rail-release handles. Step 12: Reconnect the power cables to the IPS 4270-20. Step 13: Power on the IPS 4270-20.
  • Page 135: Installing And Removing The Power Supply

    Installing and Removing the Power Supply. Caution: Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor. IPS 4270-20 ships with two hot-pluggable power supplies, thus providing a redundant power supply configuration.
  • Page 136
  • Page 137 Chapter 5 Installing the IPS 4270-20 Installing and Removing the Power Supply Step 6: Remove the power supply by pulling it away from the chassis.
  • Page 138
  • Page 139 IME procedure for powering down the IPS 4270-20, refer to Rebooting the Sensor. • For an illustration of the screwdriver and where it is located, see Figure 5-9 on page 5-13.
  • Page 140: Installing And Removing Fans

    Step 3: Identify the failed fan by locating an amber indicator on top of the failed fan or a lighted FAN X indicator on the Diagnostic Panel.
  • Page 141 • For more information about the Diagnostic Panel, see Diagnostic Panel, page 5-14. • For the procedure for removing the chassis cover, see Removing and Replacing the Chassis Cover, page 5-39.
  • Page 142: Troubleshooting Loose Connections

    • Check any interlock or interconnect indicators that indicate a component is not connected properly. • If problems continue, remove and reinstall each device, checking the connectors and sockets for bent pins or other damage.
  • Page 143: Contents

    Chapter: Installing the IPS 4345 and IPS 4360. Contents: This chapter describes the Cisco IPS 4345 and the IPS 4360, and includes the following sections: • Installation Notes and Caveats, page 6-1 • Product Overview, page 6-2...
  • Page 144: Product Overview

    The 500 Mbps performance for the IPS 4345 is based on multiple models of common traffic mixes based on common deployment scenarios while running IPS 7.1.(3)E4 software. The IPS 4360 monitors greater than 1 Gbps of aggregate network traffic on multiple sensing interfaces and is also inline ready.
  • Page 145: Specifications

    500Hz with spectral break points of 0.0065G2/Hz at 10Hz and 100Hz 0.0065G2/Hz at 10Hz and 100Hz and 5dB/octave roll-off at each end and 5dB/octave roll-off at each end
  • Page 146: Accessories

    IPS 4345 Packing Box Contents: sensor chassis, yellow Ethernet cable, power cord, 4 10-32 Phillips screws, 4 12-24 Phillips screws, blue console cable, PC terminal adapter, power cord retainer, documentation.
  • Page 147: Front And Back Panel Features

    IPS 4345 and IPS 4360. Figure 6-3 IPS 4345 and IPS 4360 Front Panel View (callouts: Power button, Indicators)
  • Page 148 • Green—System has passed power-up diagnostics. • Amber—Power-up diagnostics failed. ACTIVE: Indicates whether the system is off or on: • Off—No power. • Green—System has power.
  • Page 149 2. GigabitEthernet interfaces from right to left and top to bottom—GigabitEthernet 0/0, 0/1, 0/2, and 0/3 and GigabitEthernet 1/0, 1/1, 1/2, and 1/3. 3. The serial console port uses 9600 baud, 8 data bits, 1 stop bit, and no parity.
  • Page 150 Management and Network Interface Indicators. Left side: Green = physical activity; Flashing green = network activity. Right side: Not lit = 10 Mbps; Green = 100 Mbps; Amber = 1000 Mbps.
  • Page 151: Rack Mount Installation

    Note: Use the rack mount brackets to mount the IPS 4345. Use the slide rail mounting system to mount the IPS 4360.
  • Page 152: Installing The IPS 4345 In A Rack

    Figure 6-9. After the brackets are secured to the chassis, you can rack-mount it. Figure 6-9 Installing the Brackets on the Back of the Chassis
  • Page 153: Mounting The IPS 4345 And IPS 4360 In A Rack With The Slide Rail Mounting System

    IPS 4345. For instructions for using the slide rail mounting system, refer to the Slide Rail Installation Instructions for Cisco IronPort C170, M170, and S170 Appliances and Cisco 5512-X, 5515-X, 5525-X, 5545-X, 5555-X Adaptive Security Appliances and Cisco IPS 4345 and 4360 found at this URL: http://www.cisco.com/en/US/docs/security/asa/hw/maintenance/5500xspares/slide_rail_installation.ht Although slide rail mounting is preferred for the IPS 4360, in the case of two-rail racks where the slide rails will not fit, you can use the rack mounting brackets.
  • Page 154: Installing The Appliance On The Network

    The baud rate must match the default baud rate (9600 baud) of the console port of the appliance. Set up the terminal as follows: 9600 baud (default), 8 data bits, no parity, 1 stop bit, and Flow Control (FC) = Hardware.
  • Page 155 Management 0/0, which is a GigabitEthernet interface with a dedicated port used only for traffic management.
  • Page 156 Step 7: Attach the power cable to the appliance and plug the other end in to a power source (a UPS is recommended).
  • Page 157: Removing And Installing The Power Supply

    AC Power Supply in V01 and V02 Chassis The Cisco IPS 4300 series sensors with the AC power supply can restore the previous power state of the system if AC power is lost. Earlier IPS 4300s (V01) require you to turn on the power with the power switch.
  • Page 158: Understanding The Power Supplies

    12 V output and is used in a dual hot pluggable configuration. The DC power supply consumes a maximum of 500 W of input power.
  • Page 159 A power supply critical event has occurred, and the power supply has shut down. The critical event can be temperature, voltage, current, or fan operating outside the normal operating range.
  • Page 160: Removing And Installing The AC Power Supply

    Note: If only one power supply is installed, make sure that it is installed in slot 0 (left slot) and that slot 1 (right slot) is covered with a slot cover.
  • Page 161 (Figure 6-13). Continue with Step 3. Figure 6-13 Removing the AC Power Supply
  • Page 162 (Figure 6-15). Figure 6-15 Back Power Supply Indicators
  • Page 163: Installing DC Input Power

    • Make sure that the chassis ground is connected on the chassis before you begin installing the DC power supply. For more information, see Working in an ESD Environment, page 2-4.
  • Page 164 Note: If only one power supply is installed, make sure that it is installed in slot 0 (left slot) and that slot 1 (right slot) is covered with a slot cover.
  • Page 165 Warning: An exposed wire lead from a DC input power source can conduct harmful levels of electricity. Be sure that no exposed portion of the DC input power source wire extends from the terminal block plug. Statement 122
  • Page 166 • Positive (+) lead wire (left) • Negative (–) lead wire (right) Figure 6-19 Ground Wires (callouts: Negative (–) lead wire, Ground lead wire, Positive (+) lead wire)
  • Page 167 Step 10: Remove the tape (if any) from the circuit breaker switch handle, and move the circuit breaker switch handle to the On position. The power supply indicators light up when power is supplied to the appliance.
  • Page 168: Removing And Installing The DC Power Supply

    (Figure 6-23). Figure 6-23 Removing the Wires from the DC Power Supply Gently pull the wires out of the power supply.
  • Page 169 Installing the DC Power Supply Step 8: To connect the DC input power source wires, see Step 5 through Step 10 in Installing DC Input Power, page 6-21.
  • Page 170 Chapter 6 Installing the IPS 4345 and IPS 4360 Removing and Installing the Power Supply
  • Page 171: Contents

    Chapter: Installing the IPS 4510 and IPS 4520. Contents: This chapter describes the Cisco IPS 4510 and IPS 4520, and includes the following sections: • Installation Notes and Caveats, page 7-1 • Product Overview, page 7-2...
  • Page 172: Product Overview

    IDM delivers security management and monitoring through an intuitive, easy-to-use web-based management interface. IDM is a Java Web Start application that enables you to configure and manage your IPS 4510 and IPS 4520. IDM is bundled with IPS 7.1. You can access it through Internet Explorer or Firefox web browsers.
  • Page 173: Chassis Features

    RSS feed integration from the Cisco Security Intelligence Operations site. It monitors global correlation data, which you can view in events and reports. It monitors events and lets you sort views by filtering, grouping, and colorization.
  • Page 174 1. Hard disk drives are not supported at this time. The hard disk drive bays are empty. 2. Reserved for future use. 3. Reserved for future use.
  • Page 175 Major failure of hardware component or software module, temperature over the limit, power out of tolerance, or OIR is ready to remove the module. Not supported at this time. Not supported at this time.
  • Page 176 1. OIR is not available at this time. 2. The hard disk drive bays are reserved for future use. 3. The hard disk drive bays are reserved for future use.
  • Page 177 Figure 7-5 Power Supply Module Indicators (callouts: IN OK, FAN OK, OUT FAIL)
  • Page 178 Description Gigabit Ethernet (RJ45) • Left side: – Green—Physical activity – Flashing green—Network activity • Right side: – Not lit—10 Mbps – Green—100 Mbps – Amber—1000 Mbps
  • Page 179: Specifications

    Rated input frequency: 50 to 60 Hz. Rated input power: 1465W @ 100 VAC, 1465W @ 200 VAC. Rated input current: 12A (100 VAC), 8A (200 VAC).
  • Page 180: Accessories

    4520, ships with two power supply modules installed and two power cables. • Screws • Cable management brackets • Front and rear rack-mount brackets • Slide rail kit hardware • Slide rail kit
  • Page 181: Memory Configurations

    IPS 4510 and IPS 4520. You can purchase them separately. For 1 Gb, you need SFP. For 10 Gb, you need SFP+. The interfaces are called TenGigabitEthernet 0/x whether they are 10 Gb-enabled or not.
  • Page 182: Installing The IPS 4510 And IPS 4520

    Step 1: Place the sensor on a flat, stable surface, or in a rack (if you are rack-mounting it). Step 2: Connect to the management interface, Management 0/0. Locate an Ethernet cable, which has an RJ-45 connector on each end.
  • Page 183 SFP/SFP+ ports. If you are using the fiber ports, you need an SFP+ module for 10-Gigabit Ethernet or an SFP module for 1-Gigabit Ethernet (SFP or SFP+ modules are not included). Install the SFP/SFP+ module.
  • Page 184 Plug the power cable(s) in to a power source (we recommend a UPS).
  • Page 185: Removing And Installing The Core IPS SSP

    Step 5: Remove the power cable from the sensor. Step 6: From the front panel of the sensor, loosen the captive screws from the bottom slot.
  • Page 186 Step 12: Reconnect the power cable to the sensor. Step 13: Power on the sensor. Step 14: Verify that the PWR indicator on the front panel is green.
  • Page 187: Removing And Installing The Power Supply Module

    Step 4: Remove the power supply module by grasping the handle and pulling the power supply module away from the chassis.
  • Page 188 Step 9: Check the PS0 and PS1 indicators on the front panel to make sure they are green. On the back panel of the sensor, make sure the IN OK and the FAN OK indicators are green and the OUT FAIL indicator is off.
  • Page 189: Removing And Installing The Fan Module

    Step 2: Remove the fan module by grasping the handle and pulling the fan module away from the chassis.
  • Page 190: Installing The Slide Rail Kit Hardware

    Remove the cable management brackets from the front sides of the appliance. Remove the appliance from the rack. Remove the front brackets, left and right side brackets, and left and right rear brackets from the appliance.
  • Page 191: Installing And Removing The Slide Rail Kit

    IPS 4510 and IPS 4520, and contains the following sections: • Package Contents, page 7-22 • Installing the Chassis in the Rack, page 7-22 • Removing the Chassis from the Rack, page 7-28
  • Page 192: Package Contents

    The slide rails are labeled ‘left’ and ‘right.’ Install the left slide rail on the left side of the rack and the right slide rail on the right side of the rack. Figure 7-8 Press and Push to Install the Slide Rail
  • Page 193 Note: After installing the square or round studs into the rack post, verify that the locking clip is fully seated and secure against the rack rail. Figure 7-9 Square Studs for Square Hole Post
  • Page 194 Caution: It is critical that the screws are installed and secured to the front and rear end of the slide rails. Figure 7-10 Securing the Slide Rail to the Rack Post
  • Page 195 The cage nut will be used later to secure the chassis to the rack post. For threaded hole racks, no additional hardware is needed. Figure 7-11 Installing the #10-32 Cage Nuts
  • Page 196 Caution: Before installing the chassis, make sure that the slide rails are properly installed and that the perforated holes on the outer slide rail align with the perforated holes on the chassis. Figure 7-12 Installing the Chassis on the Outer Rail
  • Page 197 For threaded hole racks, secure the front of the chassis by installing the #10-32 screws into the rack threaded hole. Figure 7-13 Securing the Chassis to the Outer Rail
  • Page 198: Removing The Chassis From The Rack

    Step 1: Remove the screws from the front brackets of the rail post (Figure 7-14). Figure 7-14 Removing the Screws from the Outer Rail. Step 2: Pull out the chassis to the locked position.
  • Page 199 Installing and Removing the Slide Rail Kit Step 3: Press down the release hook to remove the chassis from the rack (Figure 7-15). Figure 7-15 Pressing Down the Release Hook
  • Page 200: Rack-Mounting The Chassis Using The Fixed Rack Mount

    Step 1 sensor, do the following: • Power off the sensor. • Remove the power cable from the sensor. • Remove the old sensor from the rack.
  • Page 201 Note: The slide-mount brackets let you install the rear of the chassis to the rear rack rails. The brackets are designed to slide within the installed rear brackets and accommodate a range of rack depths.
  • Page 202 Step 12: Reattach the power cable to the sensor. Step 13: Power on the sensor.
  • Page 203: Installing The Cable Management Brackets

  • Page 204: Troubleshooting Loose Connections

    • Check any interlock or interconnect indicators that indicate a component is not connected properly. • If problems continue, remove and reinstall each device, checking the connectors and sockets for bent pins or other damage.
  • Page 205: IPS 4500 Series Sensors And The SwitchApp

    InterfaceApp, which updates the interface configuration for SwitchApp, which then forwards that configuration on to the switch. For More Information For detailed information about the IPS system architecture, refer to System Architecture. Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1 7-35 OL-24002-01...
  • Page 206 Chapter 7 Installing the IPS 4510 and IPS 4520 IPS 4500 Series Sensors and the SwitchApp
  • Page 207: Contents

    Only trained and qualified personnel should install, replace, or service this equipment. Statement 49 Caution Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series Adaptive Security Appliance document and follow proper safety procedures when performing the steps in this guide....
  • Page 208: Chapter 8 Installing and Removing the ASA 5500 AIP SSM

    The Cisco ASA Advanced Inspection and Prevention Security Services Module (ASA 5500 AIP SSM) is the IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. The adaptive security appliance software integrates firewall, VPN, and intrusion detection and prevention capabilities in a single platform.
  • Page 209 Installing the ASA 5500 AIP SSM, page 8-5. • For more information on configuring the ASA 5500 AIP SSM to receive IPS traffic, refer to Configuring the ASA 5500 AIP SSM.
  • Page 210: Specifications

    – ASA 5540 (ASA-SSM-AIP-20-K9) • Cisco Adaptive Security Appliance Software 7.0 or later • Cisco Intrusion Prevention System Software 5.0(2) or later • DES or 3DES-enabled
  • Page 211: Indicators

    Step 2 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin. Attach the other end to the chassis.
  • Page 212 Obtaining Cisco IPS Software, page C-1. • For the procedure for configuring the ASA 5500 AIP SSM to receive IPS traffic, refer to Configuring the ASA 5500 AIP SSM.
  • Page 213: Verifying the Status of the ASA 5500 AIP SSM

    Step 2 Press Enter to confirm. Step 3 Verify that the ASA 5500 AIP SSM is shut down by checking the indicators. Step 4 Power off the adaptive security appliance.
  • Page 214 For the procedure for verifying whether the ASA 5500 AIP SSM is properly installed, see Verifying the Status of the ASA 5500 AIP SSM, page 8-7.
  • Page 215: Contents

    Installation Notes and Caveats Pay attention to the following installation notes and caveats before installing the ASA 5585-X IPS SSP: • Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco ASA 5585-X Adaptive Security Appliance document and follow proper safety procedures when performing the steps in this guide....
  • Page 216: Chapter 9 Installing and Removing the ASA 5585-X IPS SSP

    The IDM is a Java Web Start application that enables you to configure and manage your ASA 5585-X IPS SSP. The IDM is bundled with IPS 7.1. You can access it through Internet Explorer or Firefox web browsers.
  • Page 217: Specifications

    11.50 lb. Temperature: operating 32 to 104°F (0 to 40°C), nonoperating -40°F to 167°F (-40°C to 75°C). Relative humidity (noncondensing): operating 10% to 90%, nonoperating 5% to 95%.
  • Page 218: Hardware and Software Requirements

    Note The illustration shows IPS SSP-10, but it applies to both the -10 and -20 models. Figure 9-1 IPS SSP-10 Front Panel View
  • Page 219 (GigabitEthernet RJ45) SSP (slot 0) 11 Management 1/0 (GigabitEthernet RJ45) SSP/ASA 5585-X IPS SSP removal screws 12 USB port Reserved bays for hard disk drives 13 USB port
  • Page 220 Figure 9-3 ASA 5585-X IPS SSP Front Panel Indicators (PWR, BOOT, ALARM, VPN, PS0, HDD1, HDD2)
  • Page 221 HDD2 • 1. The Cisco ASA software does not support the ALARM indicator initially; support will be added at a later date. 2. OIR is not available at this time.
  • Page 222: Memory Requirements

    • ASA 5585-X SSP-10 with IPS SSP-10—12-GB DRAM. • ASA 5585-X SSP-20 with IPS SSP-20—24-GB DRAM. • ASA 5585-X SSP-40 with IPS SSP-40—36-GB DRAM. • ASA 5585-X SSP-60 with IPS SSP-60—72-GB DRAM.
  • Page 223: SFP/SFP+ Modules

    To install the ASA 5585-X IPS SSP in the ASA 5585-X for the first time, follow these steps: Step 1 Power off the ASA 5585-X. Step 2 Remove the power cable from the ASA 5585-X.
  • Page 224 ASA 5585-X IPS SSP is online using the show module 1 command. Step 10 Initialize the ASA 5585-X IPS SSP. Step 11 Configure the ASA 5585-X IPS SSP to receive IPS traffic.
  • Page 225: Installing SFP/SFP+ Modules

    Note Refer to the Release Notes for your ASA software version to verify that the network module is supported. Note Only SFP/SFP+ modules certified by Cisco are supported on the adaptive security appliance 5585-X. Caution Protect your SFP/SFP+ modules by inserting clean dust plugs into the SFP/SFP+ modules after the cables are extracted from them....
  • Page 226: Verifying the Status of the ASA 5585-X IPS SSP

    Shutting Down • Down—The ASA 5585-X IPS SSP is shut down. • Recover—The ASA 5585-X IPS SSP is attempting to download a recovery image.
  • Page 227: Removing and Replacing the ASA 5585-X IPS SSP

    Step 6 From the front panel of the ASA 5585-X, loosen the captive screws on the upper left and right of the ASA 5585-X IPS SSP in slot 1.
  • Page 228 ASA 5585-X IPS SSP-10. Step 10 Slide the ASA 5585-X IPS SSP into the slot until it is seated, and push the ejection levers back into place.
  • Page 229 Verifying the Status of the ASA 5585-X IPS SSP, page 9-12. • For detailed information about the ASA 5585-X, refer to Cisco ASA 5585-X Adaptive Security Appliance Hardware Installation Guide.
  • Page 230 Chapter 9 Installing and Removing the ASA 5585-X IPS SSP Removing and Replacing the ASA 5585-X IPS SSP
  • Page 231: Appendix

    Note The service role is a special role that allows you to bypass the CLI if needed. Only a user with administrator privileges can edit the service account.
  • Page 232: Appendix A Logging In to the Sensor

    Note the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.0(x) and later and IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.1(4) and later].
  • Page 233: Connecting an Appliance to a Terminal Server

    A terminal server is a router with multiple, low speed, asynchronous ports that are connected to other serial devices. You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps:...
  • Page 234: Logging In to the ASA 5500 AIP SSP

    Note The default username and password are both cisco. You are prompted to change them the first time you log in to the module. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice....
  • Page 235: Logging In to the ASA 5500-X IPS SSP

    Note The default username and password are both cisco. You are prompted to change them the first time you log in to the module. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice....
  • Page 236: Logging In to the ASA 5585-X IPS SSP

    Note The default username and password are both cisco. You are prompted to change them the first time you log in to the module. You must first enter the UNIX password, which is cisco. Then you must enter the new password twice....
  • Page 237 If you are unable to comply with U.S. and local laws, return this product immediately. A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html If you require further assistance please contact us by sending email to export@cisco.com.
  • Page 238 Appendix A Logging In to the Sensor Logging In to the Sensor
  • Page 239: Appendix

    Startup Wizard in the IDM or the IME. After you configure the sensor with the setup command, you can change the network settings in the IDM or the IME. Note You must be administrator to use the setup command.
  • Page 240: Simplified Setup Mode

    --- Basic Setup --- --- System Configuration Dialog --- At any point you may enter a question mark '?' for help. User ctrl-c to abort configuration dialog at any prompt.
  • Page 241: Contents

    This includes summary data on the Cisco IPS network traffic properties and how this traffic was handled by the Cisco appliances. We do not collect the data content of traffic or other sensitive business or personal information. All data is aggregated and sent via secure HTTP to the Cisco SensorBase Network servers in periodic intervals.
  • Page 242: Basic Sensor Setup

    Repeat Step b until you have added all networks that you want to add to the access list, and then press Enter at a blank permit line to go to the next step.
  • Page 243: Basic Sensor Setup

    Prime Meridian). The default is 60. Enter to modify the system time zone. Specify the standard time zone name. The zone name is a character string up to 24 characters long.
  • Page 244
    02:00:00
    exit
    end-summertime
    month november
    week-of-month first
    day-of-week sunday
    time-of-day 02:00:00
    exit
    exit
    ntp-option enabled
    ntp-keys 1 md5-key 8675309
    ntp-servers 10.10.1.2 key-id 1
    exit
  • Page 245: Advanced Setup

    The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.0(x) and later and IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.1(3) and later], and IPS 4510 and IPS 4520 [IPS 7.1(4) and later].
  • Page 246 If you are using promiscuous mode for your interfaces and are not subdividing them by VLAN, no additional configuration is necessary. [1] Remove interface configurations.
  • Page 247
    [2] Add/Modify Inline Vlan Pairs.
    [3] Add/Modify Promiscuous Vlan Groups.
    [4] Add/Modify Inline Interface Pairs.
    [5] Add/Modify Inline Interface Pair Vlan Groups.
    [6] Modify interface default-vlan.
    Option:
  • Page 248 Step 22 NewPair. Step 23 Press Enter to return to the top-level virtual sensor menu.
    Virtual Sensor: vs0
    Anomaly Detection: ad0
  • Page 249
    342
    exit
    service interface
    physical-interfaces GigabitEthernet0/0
    admin-state enabled
    subinterface-type inline-vlan-pair
    subinterface 1
    description Created via setup by user asmith
    vlan1 200
  • Page 250 Step 30 Apply the most recent service pack and signature update. You are now ready to configure your appliance Step 31 for intrusion prevention.
  • Page 251: Advanced Setup for the ASA 5500 AIP SSM

    Event Action Rules: rules0
    Signature Definitions: sig0
    [1] Edit Interface Configuration
    [2] Edit Virtual Sensor Configuration
    [3] Display configuration
    Option:
    Step 8 Enter to edit the interface configuration.
  • Page 252 Step 15 Enter a name and description for your virtual sensor.
    Name[]: newVs
    Description[Created via setup by user cisco]: New Sensor
    Anomaly Detection Configuration
    [1] ad0
    [2] Create a new anomaly detection configuration
    Option[2]:
  • Page 253 Step 22 The following configuration was entered.
    service host
    network-settings
    host-ip 10.1.9.201/24,10.1.9.1
    host-name aip-ssm
    telnet-option disabled
    sshv1-fallback enabled
    access-list 10.0.0.0/8
    access-list 64.0.0.0/8
  • Page 254 HTTPS to connect to this ASA 5500 AIP SSM with a web browser. Step 28 Apply the most recent service pack and signature update. You are now ready to configure your ASA 5500 AIP SSM for intrusion prevention.
  • Page 255: Advanced Setup for the ASA 5500-X IPS SSP

    Event Action Rules: rules0
    Signature Definitions: sig0
    [1] Edit Interface Configuration
    [2] Edit Virtual Sensor Configuration
    [3] Display configuration
    Option:
    Step 8 Enter to edit the interface configuration.
  • Page 256 Step 15 Enter a name and description for your virtual sensor.
    Name[]: newVs
    Description[Created via setup by user cisco]: New Sensor
    Anomaly Detection Configuration
    [1] ad0
    [2] Create a new anomaly detection configuration
    Option[2]:
  • Page 257 Step 22 The following configuration was entered.
    service host
    network-settings
    host-ip 192.168.1.2/24,192.168.1.1
    host-name asa-ips
    telnet-option disabled
    sshv1-fallback enabled
    access-list 10.0.0.0/8
    access-list 64.0.0.0/8
  • Page 258 HTTPS to connect to this ASA 5500-X IPS SSP with a web browser. Step 28 Apply the most recent service pack and signature update. You are now ready to configure the ASA 5500-X IPS SSP for intrusion prevention.
  • Page 259: Advanced Setup for the ASA 5585-X IPS SSP

    Event Action Rules: rules0
    Signature Definitions: sig0
    [1] Edit Interface Configuration
    [2] Edit Virtual Sensor Configuration
    [3] Display configuration
    Option:
    Step 8 Enter to edit the interface configuration.
  • Page 260 Step 15 Enter a name and description for your virtual sensor.
    Name[]: newVs
    Description[Created via setup by user cisco]: New Sensor
    Anomaly Detection Configuration
    [1] ad0
    [2] Create a new anomaly detection configuration
    Option[2]:
  • Page 261 Step 22 The following configuration was entered.
    service host
    network-settings
    host-ip 10.1.9.201/24,10.1.9.1
    host-name ips-ssm
    telnet-option disabled
    sshv1-fallback enabled
    access-list 10.0.0.0/8
    access-list 64.0.0.0/8
  • Page 262 ASA 5585-X IPS SSP for intrusion prevention. For More Information For the procedure for using HTTPS to log in to the IDM, refer to Logging In to the IDM.
  • Page 263: Verifying Initialization

    Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. To verify that you initialized your sensor, follow these steps: Log in to the sensor....
  • Page 264 You can also use the more current-config command to view your configuration. Step 3 Display the self-signed X.509 certificate (needed by TLS).
    sensor# show tls fingerprint
    MD5: C4:BC:F2:92:C2:E2:4D:EB:92:0F:E4:86:53:6A:C6:01
    SHA1: 64:9B:AC:DE:21:62:0C:D3:57:2E:9B:E5:3D:04:8F:A7:FD:CD:6F:27
  • Page 265 Step 4 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when connecting to this sensor with a web browser.
  • Page 266 Appendix B Initializing the Sensor Verifying Initialization
  • Page 267: Appendix

    Signature updates are posted to Cisco.com approximately every week, more often if needed. Service packs are posted to Cisco.com in a release train format, a new release every three months. Major and minor updates are also posted periodically. Check Cisco.com regularly for the latest IPS software.
  • Page 268: Appendix C Obtaining Software

    Step 10 Click Agree to accept the software download rules. The File Download dialog box appears. The first time you download a file from Cisco.com, you must fill in the Encryption Software Export Distribution Authorization form before you can download the software....
  • Page 269: IPS Software Versioning

    A major update contains new functionality or an architectural change in the product. For example, the Cisco IPS 7.1 base version includes everything (except deprecated features) since the previous major release (the minor update features, service pack fixes, and signature updates) plus any new changes.
  • Page 270 Appendix C Obtaining Software IPS Software Versioning Figure C-1 illustrates what each part of the IPS software file represents for major and minor updates, service packs, and patch releases....
  • Page 271 Appendix C Obtaining Software IPS Software Versioning Signature Engine Update A signature engine update is an executable file containing binary code to support new signature updates. Signature engine files require a specific service pack, which is also identified by the req designator....
  • Page 272: IPS Software Release Examples

    IPS Software Release Examples Table C-1 lists platform-independent Cisco IPS software release examples. Table C-1 Platform-Independent Release Examples...
  • Page 273: Accessing IPS Documentation

    Step 4 Choose Products > Security > Intrusion Prevention System (IPS) > IPS Appliances > Cisco IPS 4200 Series Sensors. The Cisco IPS 4200 Series Sensors page appears. All of the most up-to-date IPS documentation is on this page.
  • Page 274: Cisco Security Intelligence Operations

    Obtaining a License Key From Cisco.com This section describes how to obtain a license key from Cisco.com and how to install it using the CLI, the IDM, or the IME. It contains the following topics: • Understanding Licensing, page C-9...
  • Page 275: Understanding Licensing

    Service Programs for IPS Products You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract.
  • Page 276: Obtaining and Installing the License Key Using the IDM or the IME

    For example, if you purchase an ASA 5585-X and then later want to add IPS and purchase an ASA-IPS10-K9, you must now purchase the Cisco Services for IPS service contract. After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key.
  • Page 277: Obtaining and Installing the License Key Using the CLI

    The IDM or the IME contacts the license server on Cisco.com and sends the server the serial number to obtain the license key. This is the default method. Go to Step 5. • Click the License File radio button to use a license file. To use this option, you must apply for a...
  • Page 278 IPS service contract before you can apply for a license key. Step 3 Fill in the required fields. Your Cisco IPS Signature Subscription Service license key will be sent by email to the e-mail address you specified.
  • Page 279 Step 7 Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. sensor# show version Application Partition: Cisco Intrusion Prevention System, Version 7.1(3)E4...
  • Page 280: Obtaining a License for the IPS 4270-20

    Step 3 Under Licenses Not Requiring a PAK, click Demo and Evaluation licenses. Step 4 Under Security Products/Cisco Services for IPS service license (Version 6.1 and later), click All IPS Hardware Platforms. Step 5 Fill in the required fields. Your license key will be sent to the email address you specified.
  • Page 281: Licensing the ASA 5500-X IPS SSP

    Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. Use the erase license-key command to uninstall the license key on your sensor. This allows you to delete an installed license key from a sensor without restarting the sensor or logging into the sensor using the service account....
  • Page 282 Appendix C Obtaining Software Obtaining a License Key From Cisco.com system is using 33.6M out of 160.0M bytes of available disk space (21% usage) application-data is using 70.5M out of 169.4M bytes of available disk space (44% usage)...
  • Page 283: Appendix

    Pay attention to the following upgrade notes and caveats when upgrading your sensor: • Anomaly detection has been disabled by default in IPS 7.1(2)E4 and later. If you did not configure the operation mode manually before the upgrade, it defaults to inactive after you upgrade to IPS 7.1(2)E4 or later.
  • Page 284: Appendix D Upgrading, Downgrading, and Installing System Images

    Caution You cannot use the downgrade command to revert to a previous major or minor version, for example, from Cisco IPS 7.1 to 7.0. You can only use the downgrade command to downgrade from the latest signature update or signature engine update. To revert to 7.0, you must reimage the sensor....
  • Page 285: Supported FTP and HTTP/HTTPS Servers

    • IPS 7.1 Upgrade Files The currently supported IPS 7.1(x) versions are 7.1(1)E4, 7.1(2)E4, 7.1(3)E4, 7.1(4)E4, and 7.1(6)E4. All IPS sensors are not supported in each 7.1(x) version. For a list of the specific IPS filenames and the IPS versions that each sensor supports, refer to the Release Notes for your IPS version found at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_release_notes_list.html...
  • Page 286: Upgrade Notes and Caveats

    Caution You must log in to Cisco.com using an account with cryptographic privileges to download software. The first time you download software on Cisco.com, you receive instructions for setting up an account with cryptographic privileges.
  • Page 287 Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. To upgrade the sensor, follow these steps:...
  • Page 288: Upgrading the Recovery Partition

    Recovery partition images are generated for major and minor updates and only in rare situations for service packs or signature updates.
  • Page 289: Configuring Automatic Upgrades

    This section describes how to configure the sensor to automatically look for upgrades in the upgrade directory. It contains the following topics: • Understanding Automatic Upgrades, page D-8 • Automatically Upgrading the Sensor, page D-8
  • Page 290 Upgrading, Downgrading, and Installing System Images Configuring Automatic Upgrades Understanding Automatic Upgrades Caution In IPS 7.1(5)E4 and later the default value of the Cisco server IP address has been changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address....
  • Page 291 80 to download the chosen package from a Cisco file server. The IP address may change for the Cisco file server, but you can find it in the lastDownloadAttempt section in the output of the show statistics host command.
  • Page 292 Upgrading, Downgrading, and Installing System Images Configuring Automatic Upgrades Step 3 Configure the sensor to automatically look for new upgrades either on Cisco.com or on your file server: On Cisco.com. Continue with Step 4. sensor(config-hos-aut)# cisco-server enabled From your server.
  • Page 293: Downgrading the Sensor

    Caution You cannot use the downgrade command to revert to a previous major or minor version, for example, from Cisco IPS 7.1 to 7.0. You can only use the downgrade command to downgrade from the latest signature update or signature engine update. To revert to 7.0, you must reimage the sensor....
  • Page 294: Recovering the Application Partition

    SSH to the sensor with the default username and password (cisco/cisco) and then initialize the sensor again with the setup command. You cannot use Telnet until you initialize the sensor because Telnet is disabled by default.
  • Page 295: Installing System Images

    ROMMON Some Cisco sensors include a preboot CLI called ROMMON, which lets you boot images on sensors where the image on the primary device is missing, corrupt, or otherwise unable to boot the normal application.
  • Page 296: TFTP Servers

    You can use terminal servers to remotely manage network equipment, including appliances. To set up a Cisco terminal server with RJ-45 or hydra cable assembly connections, follow these steps: Step 1 Connect to a terminal server using one of the following methods: • For terminal servers with RJ-45 connections, connect a rollover cable from the console port on the...
  • Page 297: Installing the IPS 4270-20 System Image

    The system enters ROMMON mode. The rommon> prompt appears.
    Step 4 Check the current network settings.
    rommon> set
    ROMMON Variable Settings:
    ADDRESS=0.0.0.0
    SERVER=0.0.0.0
    GATEWAY=0.0.0.0
    PORT=Management0/0
    VLAN=untagged
    IMAGE=
    CONFIG=
  • Page 298 Note The path is relative to the UNIX TFTP server default tftpboot directory. Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification. Windows Example rommon> IMAGE=\system_images\IPS-4270_20-K9-sys-1.1-a-7.1-3-E4.img
  • Page 299: Installing the IPS 4345 and IPS 4360 System Images

    Note Make sure you can access the TFTP server location from the network connected to the Ethernet port of your IPS 4345. Step 2 Boot the IPS 4345. Booting system, please wait... CISCO SYSTEMS Embedded BIOS Version 1.0(5)0 09/14/04 12:23:35.90
  • Page 300 The system enters ROMMON mode. The rommon> prompt appears.
    Step 4 Check the current network settings.
    rommon> set
    ROMMON Variable Settings:
    ADDRESS=0.0.0.0
    SERVER=0.0.0.0
    GATEWAY=0.0.0.0
    PORT=Management0/0
    VLAN=untagged
    IMAGE=
    CONFIG=
  • Page 301 Caution Make sure that you enter the IMAGE command in all uppercase. You can enter the other ROMMON commands in either lower case or upper case, but the IMAGE command specifically must be all uppercase.
  • Page 302: Installing the IPS 4510 and IPS 4520 System Image

    Installing the IPS 4510 and IPS 4520 System Image Note The following procedure references the IPS 4510 but it also refers to the IPS 4520.
  • Page 303 Not all values are required to establish network connectivity. The address, server, gateway, and image values are required. If you are not sure of the settings needed for your local environment, contact your system administrator.
  • Page 304 Step 11 rommon> tftp Caution To avoid corrupting the system image, do not remove power from the IPS 4510 while the system image is being installed.
  • Page 305: Installing the ASA 5500-X IPS SSP System Image

    Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. To install the system image on the ASA 5500-X IPS SSP, follow these steps:...
  • Page 306: Installing the ASA 5585-X IPS SSP System Image

    • Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command, page D-25 • Installing the ASA 5585-X IPS SSP System Image Using ROMMON, page D-27
  • Page 307: Installing The ASA 5585-X IPS SSP System Image Using The hw-module Command

    Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. To install the system image, transfer the software image from a TFTP server to the ASA 5585-X IPS SSP using the adaptive security appliance CLI.
  • Page 308 ASA 5585-X IPS SSP, the newly transferred image is running. Note To debug any errors that may happen during this process, use the debug module-boot command to enable debugging of the software installation process.
  • Page 309: Installing The ASA 5585-X IPS SSP System Image Using ROMMON

    Press Break or Esc at the following prompt while the system is booting to interrupt boot. Press the spacebar to begin boot immediately. Note You have ten seconds to press Break or Esc. Use BREAK or ESC to interrupt boot.
  • Page 310 Note Use the same IP address that is assigned to the ASA 5585-X IPS SSP. Step 7 If necessary, assign the TFTP server IP address. rommon> SERVER=ip_address Step 8 If necessary, assign the gateway IP address. rommon> GATEWAY=ip_address
  • Page 311 • For the procedure for initializing the ASA 5585-X IPS SSP with the setup command, see Advanced Setup for the ASA 5585-X IPS SSP, page B-21.
  • Page 312 Appendix D Upgrading, Downgrading, and Installing System Images Installing System Images
  • Page 313: Appendix

    • Troubleshooting the ASA 5500 AIP SSM, page E-59 • Troubleshooting the ASA 5500-X IPS SSP, page E-65 • Troubleshooting the ASA 5585-X IPS SSP, page E-76 • Gathering Information, page E-83
  • Page 314: Understanding Preventive Maintenance

    The service has provision to filter bugs based on credentials to provide external and internal bug views for the search input. Check out Bug Search Tools & Resources on Cisco.com. For more details on the tool overview and functionalities, check out the help page, located at http://www.cisco.com/web/applicat/cbsshelp/help.html...
  • Page 315: Appendix E Troubleshooting

    It can be a URL or a keyword. • current-config—The current running configuration. The configuration becomes persistent as the commands are entered. • backup-config—The storage location for the configuration backup.
  • Page 316 Would you like to copy current-config to backup-config before proceeding? [yes]: Step 3 Enter to copy the current configuration to a backup configuration. 100% |************************************************| 36124 00:00
  • Page 317: Creating The Service Account

    Analyze your situation to decide if you want a service account existing on the system.
  • Page 318: Disaster Recovery

    Troubleshooting Disaster Recovery Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor....
  • Page 319: Recovering The Password

    • Recovering the ASA 5500-X IPS SSP Password, page E-10 • Recovering the ASA 5585-X IPS SSP Password, page E-12 • Disabling Password Recovery, page E-13 • Verifying the State of Password Recovery, page E-14
  • Page 320: Understanding Password Recovery

    The IPS administrator can then recover user passwords for other accounts using the CLI. The cisco user password reverts to cisco and must be changed after the next login.
  • Page 321: Using ROMMON

    Step 2 Press any key to pause the boot process. Step 3 Choose 2: Cisco IPS Clear Password (cisco). The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.
  • Page 322: Recovering The ASA 5500-X IPS SSP Password

    Recovering the ASA 5500-X IPS SSP Password You can reset the password to the default (cisco) for the ASA 5500-X IPS SSP using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.
  • Page 323 Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.
  • Page 324: Recovering The ASA 5585-X IPS SSP Password

    ASA 5585-X IPS SSP is not supported in ASA 8.3(x). You can reset the password to the default (cisco) for the ASA 5585-X IPS SSP using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.
  • Page 325: Disabling Password Recovery

    Note This option does not appear in the menu if there is no IPS present. Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.
  • Page 326: Verifying The State Of Password Recovery

    Step 3 Verify the state of password recovery by using the include keyword to show settings in a filtered output. sensor(config-hos)# show settings | include password password-recovery: allowed <defaulted> sensor(config-hos)#
  • Page 327: Troubleshooting Password Recovery

    ROMMON prompt, GRUB menu, switch CLI, or router CLI. If you attempt password recovery, it always appears to succeed. If it has been disabled, the password is not reset to cisco. The only option is to reimage the sensor.
  • Page 328: Synchronizing IPS Module Clocks With Parent Device Clocks

    This is the default. • Configure them to get their time from an NTP time synchronization source, such as a Cisco router other than the parent router.
  • Page 329: Correcting Time On The Sensor

    • Using VACL capture or SPAN (promiscuous monitoring) is inconsistent with regard to VLAN tagging, which causes problems with VLAN groups. – When using Cisco IOS software, a VACL capture port or a SPAN target does not always receive tagged packets even if it is configured for trunking....
  • Page 330: Supported MIBs

    MIB II, we do not guarantee that they all provide correct information. We fully support the other listed MIBs and their output is correct. Note CISCO-PROCESS-MIB is available on the sensor, but we do not support it. We know that some elements are not available....
  • Page 331: When To Disable Anomaly Detection

    • Make sure your sensor supports the global correlation features. • Make sure your IPS version supports the global correlation features.
  • Page 332: Analysis Engine Not Responding

    Step 3 show tech-support Step 4 Reboot the sensor. Step 5 Enter show version after the sensor has stabilized to see if the issue is resolved.
  • Page 333: Troubleshooting RADIUS Authentication

    VLAN ID information. You can configure the sensor to ignore specified address ranges. • A host can be unreachable from the CSA MC because it is behind a firewall. You can exclude unreachable hosts.
  • Page 334: External Product Interfaces Troubleshooting Tips

    • Hardware Bypass and Link Changes and Drops, page E-23 • Troubleshooting Loose Connections, page E-24 • Analysis Engine is Busy, page E-24 • Communication Problems, page E-25
  • Page 335: Hardware Bypass And Link Changes And Drops

    • Enable portfast on connected switchports to reduce spanning-tree forwarding delays. For More Information For more information about the hardware bypass card on the IPS 4270-20, see Hardware Bypass, page 5-5.
  • Page 336: Analysis Engine Is Busy

    Although the sensor has rebuilt the cache files, the virtual sensor is not finished initializing. sensor# show statistics virtual-sensor Error: getVirtualSensorStatistics : Analysis Engine is busy. sensor#
  • Page 337: Communication Problems

    Total Undersize Packets Transmitted = 0 Total Transmit Errors = 0 Total Transmit FIFO Overruns = 0 MAC statistics from interface GigabitEthernet0/0 Media Type = TX Link Status = Up
  • Page 338 User ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'. Current Configuration: service host network-settings host-ip 192.168.1.2/24,192.168.1.1 host-name sensor telnet-option enabled access-list 0.0.0.0/0 ftp-timeout 300 no login-banner-text exit
  • Page 339: Correcting A Misconfigured Access List

    (min: 0, max: 512, current: 3) ----------------------------------------------- network-address: 10.0.0.0/8 ----------------------------------------------- network-address: 64.0.0.0/8 ----------------------------------------------- network-address: 171.69.70.0/24 ----------------------------------------------- -----------------------------------------------
  • Page 340: Duplicate IP Address Shuts Interface Down

    Total Packets Received = 1822323 Total Bytes Received = 131098876 Total Multicast Packets Received = 20 Total Receive Errors = 0 Total Receive FIFO Overruns = 0
  • Page 341: The SensorApp And Alerting

    26.2M out of 160.0M bytes of available disk space (16% usage) application-data is using 69.7M out of 171.6M bytes of available disk space (43% usage)
  • Page 342 The date and time of the last restart is listed. In this example, the last restart was on 2-19-2004 at 7:34. Step 4 If you do not have the latest software updates, download them from Cisco.com. Read the Readme that accompanies the software upgrade for any known DDTS for the SensorApp or the Analysis Engine....
  • Page 343 Total Transmit Errors = 0 Total Transmit FIFO Overruns = 0 sensor# Step 3 If the Link Status is down, make sure the sensing port is connected properly.
  • Page 344 ----------------------------------------------- enabled: true <defaulted> retired: false <defaulted> ----------------------------------------------- sensor(config-sig-sig-sta)# Step 3 Make sure you have Produce Alert configured. sensor# configure terminal
  • Page 345 Number of Summary Intermediate Alerts Number of Regular Summary Final Alerts Number of Global Summary Final Alerts Number of Alerts Output for further processing = 0 alertDetails: Traffic Source: int0 ;
  • Page 346: Sensor Not Seeing Packets

    GigabitEthernet0/1 ----------------------------------------------- media-type: tx <protected> description: <defaulted> admin-state: enabled default: disabled duplex: auto <defaulted> speed: auto <defaulted> alt-tcp-reset-interface ----------------------------------------------- none ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- sensor(config-int-phy)#
  • Page 347: Cleaning Up A Corrupted SensorApp Configuration

    Replace the virtual sensor file. cp /usr/cids/idsRoot/etc/defVirtualSensorConfig.xml /usr/cids/idsRoot/etc/VS-Config/virtualSensor.xml Step 5 Remove the cache files. rm /usr/cids/idsRoot/var/virtualSensor/*.pmz Step 6 Exit the service account. Step 7 Log in to the sensor CLI.
  • Page 348: Blocking

    Verify that the ARC is connecting to the network devices. Verify that the Event Action is set to Block Host for specific signatures. Verify that the master blocking sensor is properly configured.
  • Page 349: Verifying ARC Is Running

    The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. To verify that the ARC is running, use the show version command. If the MainApp is not running, the ARC cannot run.
  • Page 350 Step 3 sensor# show events error hh:mm:ss month day year | include : nac Example sensor# show events error 00:00:00 Apr 01 2011 | include : nac
  • Page 351 Note If you do not have the latest software updates, download them from Cisco.com. Read the Readme that accompanies the software upgrade for any known DDTS for the ARC. Step 5 Make sure the configuration settings for each device are correct (the username, password, and IP address)....
  • Page 352: Device Access Issues

    (min: 0, max: 250, current: 0) ----------------------------------------------- ----------------------------------------------- block-networks (min: 0, max: 250, current: 0) ----------------------------------------------- ----------------------------------------------- ----------------------------------------------- user-profiles (min: 0, max: 250, current: 1) ----------------------------------------------- profile-name: r7200 ----------------------------------------------- enable-password: <hidden>
  • Page 353: Verifying The Interfaces And Directions On The Network Device

    To perform a manual block using IDM, choose Monitoring > Sensor Monitoring > Time-Based Actions > Host Blocks. To perform a manual block using IME, choose Configuration > sensor_name > Sensor Monitoring > Time-Based Actions > Host Blocks.
  • Page 354: Blocking Not Occurring For A Signature

    To make sure blocking is occurring for a specific signature, follow these steps: Step 1 Log in to the CLI. Step 2 Enter signature definition submode. sensor# configure terminal
  • Page 355: Verifying The Master Blocking Sensor Configuration

    Make sure that the forwarding sensor is set up as TLS trusted host if the remote master blocking sensor is using TLS for web access.
  • Page 356 ARC statistics. sensor# show statistics network-access Current Configuration AllowSensorShun = false ShunMaxEntries = 250 MasterBlockingSensor SensorIp = 10.89.149.46 SensorPort = 443 UseTls = 1 State
  • Page 357: Logging

    Locate the zone and CID section of the file and set the severity to debug. severity=debug Step 5 Save the file, exit the vi editor, and exit the service account. Step 6 Log in to the CLI as administrator.
  • Page 358 <defaulted> <protected entry> zone-name: IdsEventStore severity: warning <defaulted> <protected entry> zone-name: MpInstaller severity: warning <defaulted> <protected entry> zone-name: cmgr severity: warning <defaulted> <protected entry> zone-name: cplane
  • Page 359 <defaulted> <protected entry> zone-name: cplane severity: warning <defaulted> <protected entry> zone-name: csi severity: warning <defaulted> <protected entry> zone-name: ctlTransSource severity: warning <defaulted> <protected entry>
  • Page 360 <defaulted> <protected entry> zone-name: intfc severity: warning <defaulted> <protected entry> zone-name: nac severity: debug default: warning <protected entry> zone-name: sensorApp severity: warning <defaulted>
  • Page 361: Zone Names

    2. The Control Plane is the transport communications layer used by Card Manager on the AIP SSM. 3. The CIDS servlet interface is the interface layer between the CIDS web server and the servlets.
  • Page 362: Directing Cidlog Messages To Syslog

    LOG_DEBUG, debug LOG_INFO, timing LOG_WARNING, warning LOG_ERR, error LOG_CRIT fatal Note Make sure that your /etc/syslog.conf has that facility enabled at the proper priority.
  • Page 363: TCP Reset Not Occurring For A Signature

    Step 3 Exit signature definition submode. sensor(config-sig-sig-ato)# exit sensor(config-sig-sig)# exit sensor(config-sig)# exit Apply Changes:?[yes]: Step 4 Press Enter to apply the changes or type to discard them.
  • Page 364: Software Upgrades

    Analysis Engine usually stays up and running. You can upgrade at this time. After the upgrade, add the interfaces back to the virtual sensor vs0 using the setup command.
  • Page 365: Which Updates To Apply And Their Prerequisites

    Issues With Automatic Update Caution In IPS 7.1(5)E4 and later the default value of the Cisco server IP address has been changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address.
  • Page 366: Updating A Sensor With The Update Stored On The Sensor

    443 for the initial automatic update connection to www.cisco.com, and you need port 80 to download the chosen package from a Cisco file server. The IP address may change for the Cisco file server, but you can find it in the lastDownloadAttempt section in the output of the show statistics host command.
  • Page 367: Troubleshooting The IDM

    Step 1 Close all browser windows. Step 2 If you have Java Plug-in 1.3.x installed: Click Start > Settings > Control Panel > Java Plug-in 1.3.x.
  • Page 368: Cannot Launch The IDM-The Analysis Engine Busy

    At any point you may enter a question mark '?' for help. User ctrl-c to abort configuration dialog at any prompt. Default settings are in square brackets '[]'.
  • Page 369: Signatures Not Producing Alerts

    • For the procedure for configuring event actions, refer to Assigning Actions to Signatures. • For the procedure for obtaining statistics about virtual sensor and Event Store, refer to Displaying Statistics.
  • Page 370: Troubleshooting The IME

    IOS IPS versions, but some functions, such as health information and integrated configuration, are not available. Recommended Action Upgrade to IPS 6.1 or later.
  • Page 371: Installation Error

    The output shows that the ASA 5500 AIP SSM is up. If the status reads Down, you can reset the module using the hw-module module 1 reset command: asa# hw-module module 1 reset
  • Page 372 Recover module in slot 1? [confirm] Recover issued for module in slot 1 asa(config)# Slot-1 140> Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005 Slot-1 141> Platform ASA-SSM-10 Slot-1 142>...
  • Page 373: Failover Scenarios

    Slot-1 157> TFTP failure: Packet verify failed after 20 retries Slot-1 158> Rebooting due to Autoboot error ... Slot-1 159> Rebooting..Slot-1 160> Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2005 Slot-1 161> Platform ASA-SSM-10 Slot-1 162> GigabitEthernet0/0 Slot-1 163>...
  • Page 374: The ASA 5500 AIP SSM And The Normalizer Engine

    ASA handles the packets. The following Normalizer engine signatures are not supported: • 1300.0 • 1304.0 • 1305.0 • 1307.0 • 1308.0 • 1309.0
  • Page 375: The ASA 5500 AIP SSM And The Data Plane

    Refer to the following URL for information about ASA 5500 AIP SSM jumbo packet frame size: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1328 Note A jumbo frame is an Ethernet packet that is larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS).
  • Page 376: The ASA 5500 AIP SSM And Jumbo Packets

    ASA adaptive appliances running an affected software version with an ASA IPS module (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP) installed that is running IPS 7.1 or later. The common cause for these messages is global correlation and/or signature updates occurring on the ASA IPS module that results in these messages being generated for some, but not necessarily all of the updates, which are attempted every five minutes.
  • Page 377: Troubleshooting The ASA 5500-X IPS SSP

    SensorApp crash or a service pack upgrade, failover is triggered and traffic passes through the ASA 5500-X IPS SSP that was previously the standby ASA 5500-X IPS SSP.
  • Page 378: Health And Status Information

    Data Plane Status: Status: License: IPS Module Enabled perpetual Mgmt IP addr: 192.168.1.2 Mgmt Network mask: 255.255.255.0 Mgmt Gateway: 192.168.1.1 Mgmt web ports: Mgmt TLS enabled: true asa#
  • Page 379 BIOS-e820: 0000000000100000 - 00000000dfffd000 (usable) Mod-ips 263> BIOS-e820: 00000000dfffd000 - 00000000e0000000 (reserved) Mod-ips 264> BIOS-e820: 00000000fffbc000 - 0000000100000000 (reserved) Mod-ips 265> BIOS-e820: 0000000100000000 - 0000000201400000 (usable)
  • Page 380 Mod-ips 324> Policy zone: Normal Mod-ips 325> Kernel command line: ro initfsDev=/dev/hda1 init=loader.run rootrw=/dev/hda2 initf Mod-ips 326> s=runtime-image.cpio.bz2 hda=nodma console=ttyS0 plat=saleen htlblow=1 hugepages=3 Mod-ips 327> 223
  • Page 381 Mod-ips 381> Initializing CPU#4 Mod-ips 382> Calibrating delay using timer specific routine.. 5585.15 BogoMIPS (lpj=2792579) Mod-ips 383> CPU: L1 I cache: 32K, L1 D cache: 32K
  • Page 382 Mod-ips 442> io scheduler deadline registered Mod-ips 443> io scheduler cfq registered (default) Mod-ips 444> pci 0000:00:00.0: Limiting direct PCI/PCI transfers Mod-ips 445> pci 0000:00:01.0: PIIX3: Enabling Passive Release
  • Page 383 Mod-ips 507> Copyright (C) 2004 MontaVista Software - IPMI Powerdown via sys_reboot. Mod-ips 508> Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled Mod-ips 509> ?serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
  • Page 384 Mod-ips 568> kjournald starting. Commit interval 5 seconds Mod-ips 569> EXT3-fs: mounted filesystem with ordered data mode. Mod-ips 570> input: ImExPS/2 Generic Explorer Mouse as /class/input/input1
  • Page 385 Mod-ips 627> Initializing access list Mod-ips 628> MGMT_INTFC_CIDS_NAME Management0/0 Mod-ips 629> MGMT_INTFC_OS_NAME ma0_0 Mod-ips 630> SYSTEM_PCI_IDS 0x0030,0x0028 Mod-ips 631> Load rebootkom: Mod-ips 632> root: Starting SSM controlplane
  • Page 386: The ASA 5500-X IPS SSP And The Normalizer Engine

    • 1330.12 • 1330.14 • 1330.15 • 1330.16 • 1330.17 • 1330.18 For More Information For detailed information about the Normalizer engine, see Normalizer Engine.
  • Page 387: The ASA 5500-X IPS SSP And Memory Usage

    IPS. For IPv4, 58 bytes of header data are added. For IPv6, 78 bytes of header data are added. The ASA removes the added IPS header before the packet leaves the ASA.
  • Page 388: TCP Reset Differences Between IPS Appliances And ASA IPS Modules

    ASA adaptive appliances running an affected software version with an ASA IPS module (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP) installed that is running IPS 7.1 or later. The common cause for these messages is global correlation and/or signature updates occurring on the ASA IPS module that results in these messages being generated for some, but not necessarily all of the updates, which are attempted every five minutes.
  • Page 389: Failover Scenarios

    SensorApp crash or a service pack upgrade, failover is triggered and traffic passes through the ASA 5585-X IPS SSP that was previously the standby for the ASA 5585-X IPS SSP.
  • Page 390: Health And Status Information

    Data plane Status: Status: Mgmt IP addr: 192.0.2.3 Mgmt Network mask: 255.255.255.0 Mgmt Gateway: 192.0.2.254 Mgmt Access List: 10.0.0.0/8 Mgmt Access List: 64.0.0.0/8 Mgmt web ports:
  • Page 391 Init asa# show module 1 details Getting details from the Service Module, please wait... ASA 5585-X IPS Security Services Processor-20 with 8GE Model: ASA5585-SSP-IPS20 Hardware version:
  • Page 392 Recover module in slot 1? [confirm] Recover issued for module in slot 1 asa(config)# Slot-1 140> Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2010 Slot-1 141> Platform ASA5585-SSP-IPS20 Slot-1 142>...
  • Page 393: The ASA 5585-X IPS SSP And The Normalizer Engine

    Slot-1 157> TFTP failure: Packet verify failed after 20 retries Slot-1 158> Rebooting due to Autoboot error ... Slot-1 159> Rebooting..Slot-1 160> Cisco Systems ROMMON Version (1.0(10)0) #0: Fri Mar 25 23:02:10 PST 2010 Slot-1 161> Platform ASA5585-SSP-IPS20 Slot-1 162> GigabitEthernet0/0 Slot-1 163>...
  • Page 394: The ASA 5585-X IPS SSP And Jumbo Packet Frame Size

    TCP reset packets. The ASA sends TCP reset packets to both the attacker and victim when the Reset TCP Connection is selected. When Deny Packet Inline or Deny Connection Inline is selected, the ASA...
  • Page 395: IPS Reloading Messages

    Conditions ASA adaptive appliances running an affected software version with an ASA IPS module (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP) installed that is running IPS 7.1 or later. The common cause for these messages is global correlation and/or signature updates occurring on the ASA IPS module that results in these messages being generated for some, but not necessarily all of the updates, which are attempted every five minutes.
  • Page 396: Understanding The Show Tech-Support Command

    This section describes the show tech-support command, and contains the following topics: • Understanding the show tech-support Command, page E-85 • Displaying Tech Support Information, page E-85 • Tech Support Command Output, page E-86
  • Page 397: Displaying Tech Support Information

    The maximum size of these varlog files is 200 KB. Once they cross the size limit the content is rotated. The content of varlog, varlog.1, and varlog.2 is displayed in the output of the show tech-support command.
  • Page 398: Tech Support Command Output

    Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. The following is an example of the show tech-support command output:...
  • Page 399
    Missed Packet Percentage = 0
    Total Packets Received = 4285610
    Total Bytes Received = 548558080
    Total Multicast Packets Received = 0
    Total Broadcast Packets Received = 0
  • Page 400
    Number of SigEvents since reset = 0
    Statistics for Actions executed on a SigEvent
    Number of Alerts written to the IdsEventStore = 0
    Inspection Stats
    --MORE--
  • Page 401: Version Information

    Note: The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed. To display the version and configuration, follow these steps: Log in to the CLI....
  • Page 402
    ! ------------------------------
    service authentication
    exit
    ! ------------------------------
    service event-action-rules rules0
    exit
    ! ------------------------------
    service host
    network-settings
    host-ip 192.168.1.2/24, 192.168.1.1
    host-name sensor
    telnet-option enabled
    access-list 0.0.0.0/0
    dns-primary-server disabled
  • Page 403: Statistics Information

    The show statistics command is useful for examining the state of the sensor services. This section describes the show statistics command, and contains the following topics: Understanding the show statistics Command, page E-92; Displaying Statistics, page E-92.
  • Page 404 Step 1 Display the statistics for the Analysis Engine. Step 2 sensor# show statistics analysis-engine Analysis Engine Statistics Number of seconds since service started = 431157
  • Page 405 ServiceHttp ServiceNtp 3682 3176 3176 ServiceP2PTCP ServiceRpcUDP 1841 ServiceRpcTCP ServiceSMBAdvanced ServiceSnmp 1841 ServiceTNS String SweepUDP 1808 1555 1555 SweepTCP SweepOtherTcp TrojanBO2K TrojanUdp 1808 1555 1555 GlobalCorrelationStats
  • Page 406
    Devices = 1
    Agents = 12
    Flows = 7
    Channels = 0
    SubmittedJobs = 4968
    CompletedJobs = 4968
    SubmittedBytes = 72258005
    CompletedBytes = 168
    TCPFlowsWithoutLCB = 0
  • Page 407
    Denied Attackers and hit count for each.
    Denied Attackers and hit count for each.
    Statistics for Virtual Sensor vs0
    Denied Attackers with percent denied and hit count for each.
  • Page 408
    Alert events, threat rating 21-40 = 0
    Alert events, threat rating 41-60 = 0
    Alert events, threat rating 61-80 = 0
    Alert events, threat rating 81-100 = 0
    sensor#
  • Page 409
    Memory Statistics
    Memory usage (bytes) = 1889357824
    Memory free (bytes) = 2210988032
    Auto Update Statistics
    lastDirectoryReadAttempt = N/A
    lastDownloadAttempt = N/A
    lastInstallAttempt = N/A
    nextAttempt = N/A
  • Page 410
    InterfaceName = ethernet0/1
    InterfaceDirection = out
    InterfacePostBlock = Post_Acl_Test
    BlockInterface
    InterfaceName = ethernet0/1
    InterfaceDirection = in
    InterfacePreBlock = Pre_Acl_Test
    InterfacePostBlock = Post_Acl_Test
    NetDevice
    Type = CAT6000_VACL
  • Page 411
    BlockMinutes =
    Host
    IP = 203.0.113.4
    Vlan =
    ActualIp =
    BlockMinutes = 60
    MinutesRemaining = 24
    Network
    IP = 203.0.113.9
    Mask = 255.255.0.0
    BlockMinutes =
    sensor#
  • Page 412
    Total IPv6 packets processed since reset = 0
    Total IPv6 AH packets processed since reset = 0
    Total IPv6 ESP packets processed since reset = 0
  • Page 413
    Number of fragments forwarded since reset = 0
    Number of fragments dropped since last reset = 0
    Number of fragments modified since last reset = 0
  • Page 414
    = 64.101.182.167
    session is persistent = no
    number of requests serviced on current connection = 1
    last status code = 200
  • Page 415
    Fatal Severity = 0
    Error Severity = 0
    Warning Severity = 0
    Timing Severity = 0
    Debug Severity = 0
    Unknown Severity = 0
    TOTAL = 0
    sensor#
  • Page 416: Interfaces Information

    Total Jumbo Packets Transmitted = 0
    Total Undersize Packets Transmitted = 0
    Total Transmit Errors = 0
    Total Transmit FIFO Overruns = 0
    MAC statistics from interface GigabitEthernet0/0
  • Page 417: Events Information

    Here are the parameters for the show events command: sensor# show events <cr> alert Display local system alerts. error Display error events. hh:mm[:ss] Display start time. Display log events.
  • Page 418 Note: The ARC was formerly known as NAC. This name change has not been completely implemented throughout the IDM, the IME, and the CLI for Cisco IPS 7.1. status—Displays status events. past—Displays events starting in the past for the specified hours, minutes, and seconds....
  • Page 419
    Step 5 Display alerts from the past 45 seconds.
    sensor# show events alert past 00:00:45
    evIdsAlert: eventId=1109695939102805307 severity=medium vendor=Cisco
    originator:
    hostId: sensor
    appName: sensorApp
  • Page 420
    To clear events from the Event Store, follow these steps:
    Step 1 Log in to the CLI using an account with administrator privileges.
    Step 2 Clear the Event Store.
    sensor# clear events
  • Page 421 Step 5 Send the resulting HTML file to TAC or the IPS developers in case of a problem. For More Information: For the procedure for putting a file on the Cisco FTP site, see Uploading and Accessing Files on the Cisco FTP Site, page E-109.
  • Page 423: Cable Pinouts

    100/1000Base-TX operations. You can use a Category 3 cable for 10Base-TX operations. Figure F-1 shows the 10/100BaseT (RJ-45) port pinouts. [Figure F-1: 10/100 Port Pinouts]
  • Page 424 To identify the RJ-45 cable type, hold the two ends of the cable next to each other so that you can see the colored wires inside the ends, as shown in Figure F-4. [Figure F-4: RJ-45 Cable Identification]
  • Page 425 RJ-45 to DB-9 or DB-25 Table F-2 lists the cable pinouts for RJ-45 to DB-9. Table F-2 Cable Pinouts for RJ-45 to DB-9 Signal Console Port RJ-45 Pin DB-9 Pin Signal
  • Page 427 ACLs are identified by number or by name. ACLs can be standard, enhanced, or extended. You can configure the sensor to manage ACLs. ACS server: Cisco Access Control Server. A RADIUS security server that is the centralized control point for managing network users, network administrators, and network infrastructure resources.
  • Page 428 ASA 5500 AIP SSM: Advanced Inspection and Prevention Security Services Module. The IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. The ASA 5500 AIP SSM is an IPS services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
  • Page 429 aspect version: Version information associated with a group of IDIOM default configuration settings. For example, Cisco Systems publishes the standard set of attack signatures as a collection of default settings with the S aspect. The S-aspect version number is displayed after the S in the signature update package file name.
  • Page 430 CA certificate: Certificate for one CA issued by another CA. Cisco Express Forwarding. CEF is advanced, Layer 3 IP switching technology. CEF optimizes network performance and scalability for networks with large and dynamic traffic patterns, such as the Internet, on networks characterized by intensive Web-based applications, or interactive sessions.
  • Page 431 CIDEE: Cisco Intrusion Detection Event Exchange. Specifies the extensions to SDEE that are used by Cisco IPS systems. The CIDEE standard specifies all possible extensions that may be supported by Cisco IPS systems. CIDS header: The header that is attached to each packet in the IPS system. It contains packet classification, packet length, checksum results, timestamp, and the receive interface.
  • Page 432 CSA MC: Cisco Security Agent Management Center. CSA MC receives host posture information from the CSA agents it manages. It also maintains a watch list of IP addresses that it has determined should be quarantined from the network.
  • Page 433 Dynamic Trunking Protocol. A Cisco proprietary protocol in the VLAN group used for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (ISL or 802.1q) to be used.
  • Page 434 FTP server: File Transfer Protocol server. A server that uses the FTP protocol for transferring files between network nodes. full duplex: Capability for simultaneous data transmission between a sending station and a receiving station.
  • Page 435 BSC is an example of a half-duplex protocol. handshake: Sequence of messages exchanged between two or more network devices to ensure transmission synchronization.
  • Page 436 inline interface: A pair of physical interfaces configured so that the sensor forwards all traffic received on one interface out to the other interface in the pair.
  • Page 437 JNLP: Java Network Launching Protocol. Defined in an XML file format specifying how Java Web Start applications are launched. JNLP consists of a set of rules defining how exactly the launching mechanism should be implemented.
  • Page 438 master blocking sensor: A remote sensor that controls one or more devices. Blocking forwarding sensors send blocking requests to the master blocking sensor and the master blocking sensor executes the blocking requests.
  • Page 439 Hash Algorithm (SHA) are variations on MD4 and strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
  • Page 440 Next Business Day. The arrival of replacement hardware according to Cisco service contracts. Neighborhood Discovery: Protocol for IPv6. IPv6 nodes on the same link use Neighbor Discovery to discover each other’s presence, to determine each other’s link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors.
  • Page 441 OSI term for packet. See also BPDU and packet. Cisco Product Evolution Program. PEP is the UDI information that consists of the PID, the VID, and the SN of your sensor. PEP provides hardware version and serial number visibility through electronic query, product labels, and shipping items.
  • Page 442 ping: Often used in IP networks to test the reachability of a network device. It works by sending ICMP echo request packets to the target host and listening for echo response replies. PIX Firewall: Private Internet Exchange Firewall. A Cisco network security device that can be programmed to block/enable addresses and ports between networks.
  • Page 443 This risk is higher when more damage could be inflicted on your network. Return Materials Authorization. The Cisco program for returning faulty hardware and obtaining a replacement.
  • Page 444 service pack: Used for the release of defect fixes and for the support of new signature engines. Service packs contain all of the defect fixes since the last base version (minor or major) and any new defect fixes.
  • Page 445 Server Message Block. File-system protocol used in LAN manager and similar NOSs to package data and exchange information with other systems. SMTP: Simple Mail Transfer Protocol. Internet protocol providing e-mail services.
  • Page 446 Serial Number. Part of the UDI. The SN is the serial number of your Cisco product. SNAP: Subnetwork Access Protocol. Internet protocol that operates between a network entity in the subnetwork and a network entity in the end system. SNAP specifies a standard method of encapsulating IP datagrams and ARP messages on IEEE networks.
  • Page 447 TFN2K: Tribe Flood Network 2000. A common type of DoS attack that can take advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks.
  • Page 448 trusted key: Public key upon which a user relies; especially a public key that can be used as the first public key in a certification path. tune: Adjusting signature parameters to modify an existing signature.
  • Page 449 Unique Device Identifier. Provides a unique identity for every Cisco product. The UDI is composed of the PID, VID, and SN. The UDI is stored in the Cisco IPS ID PROM. UniDirectional Link Detection. Cisco proprietary protocol that allows devices connected through...
  • Page 450 LAN segments. Because VLANs are based on logical instead of physical connections, they are extremely flexible. VLAN Trunking Protocol. Cisco Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis.
  • Page 451 Cross Packet Inspection. Technology used by TCP that allows searches across packets to achieve packet and payload reassembly. zone: A set of destination IP addresses sorted into an internal, illegal, or external zone used by Anomaly Detection.