
Cisco Intrusion Prevention System Manager Express Configuration Guide for IPS 7.1 - Managing the Sensor [Cisco IPS 4200 Series Sensors] - Cisco
Managing the Sensor
This chapter describes how to manage your sensor, for example, how to set passwords, obtain and install license keys, set up IP logging variables, update your sensor with the latest software, restore sensor defaults, reboot the sensor, and shut down the sensor. This chapter contains the following sections:
This section describes how to set up passwords for users on the sensor, and contains the following topics:
As sensor administrator, you can configure how passwords are created in the Passwords pane. All user-created passwords must conform to the policy that you set in the Passwords pane.
Caution If the password policy includes minimum numbers of character sets, such as upper case or number characters, the sum of the minimum number of required character sets cannot exceed the minimum password size. For example, you cannot set a minimum password size of eight and also require that passwords must contain at least five lowercase and five uppercase characters.
The following fields are found in the Passwords pane:
Attempt Limit—Lets you lock accounts so that users cannot keep trying to log in after a certain number of failed attempts. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.
Size Range—Specifies the range for the minimum and maximum allowed size for a password. The valid range is 6 to 64 characters.
Minimum Digit Characters—Specifies the minimum number of numeric digits that must be in a password.
Minimum Upper Case Characters—Specifies the minimum number of upper-case alphabet characters that must be in a password.
Minimum Lower Case Characters—Specifies the minimum number of lower-case alphabet characters that must be in a password.
Minimum Other Characters—Specifies the minimum number of non-alphanumeric printable characters that must be in a password.
Number of Historical Passwords—Specifies the number of historical passwords you want the sensor to remember for each account. Any attempt to change the password of an account fails if the new password matches any of the remembered passwords. When this value is 0, no previous passwords are remembered.
For More Information
For the procedures for recovering passwords for the various sensors, see .
To configure password requirements, follow these steps:
Step 1 Log in to the IME using an account with administrator privileges.
Step 2 Choose Configuration > sensor_name > Sensor Management > Passwords.
Step 3 In the Attempt Limit field, enter how many attempts a user has to enter the correct password.
Note The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.
Step 4 In the Size Range field, enter how long the password can be. The valid range is 6 to 64.
Step 5 In the Minimum Digit Characters field, enter the minimum number of numeric digits a password can have.
Step 6 In the Minimum Upper Case Characters field, enter the least number of upper case characters the password can have.
Step 7 In the Minimum Lower Case Characters field, enter the least number of lower case characters the password can have.
Caution If the password policy includes minimum numbers of character sets, such as upper case or number characters, the sum of the minimum number of required character sets cannot exceed the minimum password size. For example, you cannot set a minimum password size of eight and also require that passwords must contain at least five lowercase and five uppercase characters.
Step 8 In the Minimum Other Characters field, enter the least number of other characters the password can have.
Step 9 In the Number of Historical Passwords field, enter the number of historical passwords you want the sensor to remember for each account.
Tip To discard your changes, click Reset.
Step 10 Click Apply to apply your changes and save the revised configuration.
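The Passwords pane fields and the caution about character-set minimums describe a small set of rules that are easy to get wrong when a policy is set by hand. The following checker is an added example, not Cisco code; it models the pane's fields as a policy object, rejects the inconsistent combination the caution warns about (minimums that add up to more than the minimum size), flags the weak defaults (attempt limit 0, history 0), and applies the policy to candidate passwords, including the history window. The sample policies and passwords are constructed for illustration.

```python
"""Password-policy checks modelled on the fields of the IPS Passwords pane.

Added example; this is not Cisco code. The field names mirror the pane and
the rules follow the guide: the size range is 6 to 64 characters, the sum of
the character-set minimums must not exceed the minimum size, an attempt limit
of 0 means unlimited attempts, and a history of 0 remembers no passwords.
"""
import string
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class PasswordPolicy:
    attempt_limit: int = 0   # failed logins before lockout; 0 = unlimited (the default)
    size_min: int = 8
    size_max: int = 64
    min_digits: int = 0
    min_upper: int = 0
    min_lower: int = 0
    min_other: int = 0       # non-alphanumeric printable characters
    history: int = 0         # previous passwords remembered per account


def policy_errors(p: PasswordPolicy) -> List[str]:
    """Reasons the sensor would refuse this policy (empty list = acceptable)."""
    errors = []
    if not (6 <= p.size_min <= p.size_max <= 64):
        errors.append("size range must satisfy 6 <= minimum <= maximum <= 64")
    required = p.min_digits + p.min_upper + p.min_lower + p.min_other
    if required > p.size_min:
        errors.append(f"character-set minimums total {required}, "
                      f"which exceeds the minimum size {p.size_min}")
    return errors


def policy_warnings(p: PasswordPolicy) -> List[str]:
    """Settings the sensor accepts but that weaken the policy."""
    warnings = []
    if p.attempt_limit == 0:
        warnings.append("attempt limit is 0: accounts never lock after failed logins")
    if p.history == 0:
        warnings.append("history is 0: users can immediately reuse an old password")
    return warnings


def check_password(p: PasswordPolicy, candidate: str,
                   remembered: Sequence[str] = ()) -> List[str]:
    """Reasons a new password would be rejected under policy p.

    `remembered` is the account's password history, oldest first; only the
    last `p.history` entries count, matching the pane's semantics.
    """
    reasons = []
    if not (p.size_min <= len(candidate) <= p.size_max):
        reasons.append(f"length must be {p.size_min} to {p.size_max} characters")
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for c in candidate:
        if c in string.digits:
            counts["digit"] += 1
        elif c in string.ascii_uppercase:
            counts["upper"] += 1
        elif c in string.ascii_lowercase:
            counts["lower"] += 1
        elif c in string.punctuation:
            counts["other"] += 1
        else:
            reasons.append(f"character {c!r} is not a printable ASCII letter, digit or symbol")
    for kind, needed in (("digit", p.min_digits), ("upper", p.min_upper),
                         ("lower", p.min_lower), ("other", p.min_other)):
        if counts[kind] < needed:
            reasons.append(f"needs at least {needed} {kind} character(s), has {counts[kind]}")
    if p.history > 0 and candidate in list(remembered)[-p.history:]:
        reasons.append(f"matches one of the last {p.history} passwords")
    return reasons


def lockout_due(p: PasswordPolicy, failed_attempts: int) -> bool:
    """True when an account should lock after this many consecutive failures."""
    return p.attempt_limit > 0 and failed_attempts >= p.attempt_limit


# Constructed sample policies: a hardened one and the inconsistent one from the caution.
EXAMPLE_POLICY = PasswordPolicy(attempt_limit=5, size_min=8, size_max=64, min_digits=1,
                                min_upper=1, min_lower=1, min_other=1, history=3)
INCONSISTENT_POLICY = PasswordPolicy(size_min=8, min_lower=5, min_upper=5)

if __name__ == "__main__":
    print("errors:", policy_errors(INCONSISTENT_POLICY))
    print("warnings (defaults):", policy_warnings(PasswordPolicy()))
    print("rejections for 'password':", check_password(EXAMPLE_POLICY, "password"))
```

The history check slices the last `p.history` entries only when `p.history` is greater than zero; a slice of `[-0:]` would silently return the whole list, which is exactly the kind of off-by-default bug a pane-style setting invites.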
Note Packet logging is supported in IPS 7.1(3)E4 and later.
Note Make sure that the user is configured with the appropriate Cisco av-pair on the RADIUS server. This pair would be in the form “permit-packet-logging=true/false.”
On the Packet Logging pane, you can restrict the use of packet capture-related commands—packet capture/display, IP logging—for local and AAA RADIUS users. RADIUS users with the correct av-pair are authorized to execute packet capture, packet display, and IP logging commands. Local users with the correct permissions can use the packet capture and IP log commands. To restrict all users from executing packet capture and IP log commands, uncheck the Permit packet capture and iplog commands check box. To allow AAA RADIUS users with the correct av-pair and local users with the correct privilege levels to execute all packet capture and IP log commands, check the Permit packet capture and iplog commands check box. The default is to permit packet capture and IP log commands.
When you modify the permit packet capture and IP log command option, you receive the following warning:
Modified packet settings would take effect only for new sessions, existing sessions will continue with previous settings.
The IP Logging pane (Sensor Management > Time-Based Actions > IP Logging) reflects the packet capture command restriction. The current user is verified for the appropriate permissions to add, edit, download, or stop IP logging. Once the user is verified, IP logging is enabled. If the user does not have the appropriate permissions, the following error message is displayed:
You do not have sufficient permissions to perform this action. Packet and IP logging have been restricted for this user.
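The authorization model described above has three inputs: the global Permit packet capture and iplog commands check box, the permit-packet-logging av-pair for RADIUS users, and the privilege of local users, with the global setting fixed for the lifetime of a session. The following model is an added example, not Cisco code: it parses av-pair strings, decides authorization per user, and reproduces the session behaviour the warning describes. The guide does not spell out which local privilege levels qualify, so the local check is an assumed boolean supplied by the caller; all users and av-pairs are constructed sample data.

```python
"""Packet-capture command authorization as described for the Packet Logging pane.

Added example; not Cisco code. Inputs: the global permit switch, the RADIUS
av-pair permit-packet-logging=true/false for AAA users, and an assumed
privilege flag for local users. A session snapshots the global switch when
it opens, so changing the pane affects new sessions only.
"""
from dataclasses import dataclass
from typing import Dict, Sequence

PERMIT_KEY = "permit-packet-logging"
DENIED_MESSAGE = ("You do not have sufficient permissions to perform this action. "
                  "Packet and IP logging have been restricted for this user.")


def parse_av_pairs(av_pairs: Sequence[str]) -> Dict[str, str]:
    """Turn Cisco av-pair strings such as 'permit-packet-logging=true' into a dict."""
    parsed = {}
    for item in av_pairs:
        key, sep, value = item.partition("=")
        if sep:  # ignore malformed entries without '='
            parsed[key.strip().lower()] = value.strip().lower()
    return parsed


@dataclass(frozen=True)
class User:
    name: str
    source: str                        # "local" or "radius"
    has_packet_privilege: bool = False  # local users only (assumed privilege check)
    av_pairs: Sequence[str] = ()        # RADIUS users only


def user_authorized(user: User) -> bool:
    """Per-user authorization, independent of the global switch."""
    if user.source == "radius":
        # Only an explicit 'true' authorizes; a missing or 'false' pair denies.
        return parse_av_pairs(user.av_pairs).get(PERMIT_KEY) == "true"
    if user.source == "local":
        return user.has_packet_privilege
    return False  # unknown source: fail closed


class Session:
    """A CLI/IME session; the global setting is fixed at session start."""

    def __init__(self, user: User, global_permit: bool):
        self.user = user
        self.global_permit = global_permit

    def may_run_packet_commands(self) -> bool:
        return self.global_permit and user_authorized(self.user)

    def try_iplog(self) -> str:
        """Outcome of an IP logging request in this session."""
        return "ok" if self.may_run_packet_commands() else DENIED_MESSAGE


class Sensor:
    """Holds the pane setting; open_session() snapshots it."""

    def __init__(self, permit_packet_commands: bool = True):  # default: permit
        self.permit_packet_commands = permit_packet_commands

    def open_session(self, user: User) -> Session:
        return Session(user, self.permit_packet_commands)


# Constructed sample users.
ALICE = User("alice", "radius", av_pairs=["permit-packet-logging=true"])
BOB = User("bob", "radius", av_pairs=["permit-packet-logging=false"])
CAROL = User("carol", "radius", av_pairs=["some-other-pair=1"])
DAVE = User("dave", "local", has_packet_privilege=True)
ERIN = User("erin", "local", has_packet_privilege=False)


def existing_session_keeps_setting() -> bool:
    """Demonstrates the warning: an open session keeps the setting it started with."""
    sensor = Sensor(permit_packet_commands=True)
    early = sensor.open_session(ALICE)
    sensor.permit_packet_commands = False   # operator unchecks the box
    late = sensor.open_session(ALICE)
    return early.may_run_packet_commands() and not late.may_run_packet_commands()
```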
For More Information
For more information about IP logging, see .
For detailed information about AAA RADIUS authentication, see .
For most IPS platforms, you can now recover the password on the sensor rather than using the service account or reimaging the sensor. This section describes how to recover the password on the various platforms, and contains the following topics:
Note Administrators may need to disable the password recovery feature for security reasons.
Password recovery implementations vary according to IPS platform requirements. Password recovery is implemented only for the cisco administrative account and is enabled by default. The IPS administrator can then recover user passwords for other accounts using the CLI. The cisco user password reverts to cisco and must be changed after the next login.
Table 20-1 lists the password recovery methods according to platform.
Table 20-1 Password Recovery Methods According to Platform
Platform: 4200 series sensors, 4300 series sensors, 4500 series sensors
  Description: Standalone IPS appliances
  Recovery method: GRUB prompt or ROMMON
Platform: ASA 5500 AIP SSM, ASA 5500-X IPS SSP, ASA 5585-X IPS SSP
  Description: ASA 5500 series adaptive security appliance IPS modules
  Recovery method: Adaptive security appliance CLI command
For More Information
For the procedure for disabling password recovery, see .
There are two ways to recover the password for appliances—using the GRUB menu or ROMMON. This section describes how to recover the password on appliances, and contains the following topics:
Note You must have a terminal server or direct serial connection to the appliance to use the GRUB menu to recover the password.
For the IPS 4270-20, IPS 4355, IPS 4360, IPS 4510, and IPS 4520 appliances, the password recovery is found in the GRUB menu, which appears during bootup. When the GRUB menu appears, press any key to pause the boot process. To recover the password on appliances, follow these steps:
Step 1 Reboot the appliance to see the GRUB menu.
GNU GRUB version 0.94 (632K lower / 523264K upper memory)
-------------------------------------------
0: Cisco IPS
1: Cisco IPS Recovery
2: Cisco IPS Clear Password (cisco)
-------------------------------------------
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the
Commands before booting, or 'c' for a command-line.
Highlighted entry is 0:
Step 2 Press any key to pause the boot process.
Step 3 Choose 2: Cisco IPS Clear Password (cisco). The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.
For More Information
For the procedure for connecting an appliance to a terminal server, see .
For the IPS 4240, IPS 4255, IPS 4345, IPS 4360, IPS 4510, and IPS 4520, you can use the ROMMON to recover the password. To access the ROMMON CLI, reboot the sensor from a terminal server or direct connection and interrupt the boot process.
Note After recovering the password, you must reset the confreg to 0, otherwise, when you try to upgrade the sensor, the upgrade fails because when the sensor reboots, it goes to password recovery (confreg 0x7) rather than to the upgrade option.
To recover the password using the ROMMON CLI, follow these steps:
Step 1 Reboot the appliance.
Step 2 To interrupt the boot process, press Control-R (terminal server) or send a BREAK command (direct connection). The boot code either pauses for 10 seconds or displays something similar to one of the following:
Evaluating boot options
Use BREAK or ESC to interrupt boot
Step 3 Enter the following commands to reset the password:
confreg 0x7
Sample ROMMON session:
Booting system, please wait...
CISCO SYSTEMS
Embedded BIOS Version 1.0(11)2 01/25/06 13:21:26.17
Evaluating BIOS Options...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006
Platform IPS-4360-K9
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
Management0/0
Link is UP
MAC Address:000b.fcfa.d155
Use ? for help.
rommon #0> confreg 0x7
Update Config Register (0x7) in NVRAM...
rommon #1> boot
Step 4 Enter the following command to reset the confreg value to 0:
For More Information
For the procedure for connecting an appliance to a terminal server, see .
Note To reset the password, you must have ASA 7.2.2 or later.
You can reset the password to the default ( cisco ) for the ASA 5500 AIP SSM using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.
Use the hw-module module slot_number password-reset command to reset the password to the default cisco. If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed:
ERROR: the module in slot <n> does not support password recovery.
Resetting the Password Using the CLI
To reset the password on the ASA 5500 AIP SSM, follow these steps:
Step 1 Log into the adaptive security appliance and enter the following command to verify the module slot number:
asa# show module
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
0 ASA 5510 Adaptive Security Appliance ASA5510 JMX
1 ASA 5500 Series Security Services Module-40 ASA-SSM-40 JAF1214AMRL
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
0 001b.d5e8.e0c8 to 001b.d5e8.e0cc 2.0 1.0(11)2 8.4(3)
1 001e.f737.205f to 001e.f737.205f 1.0 1.0(14)5 7.1(7)E4
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
1 IPS Up 7.1(7)E4
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
0 Up Sys Not Applicable
Step 2 Reset the password for module 1.
asa# hw-module module 1 password-reset
Reset the password on module in slot 1? [confirm]
Step 3 Press Enter to confirm.
Password-Reset issued for slot 1.
Step 4 Verify the status of the module. Once the status reads Up, you can session to the ASA 5500 AIP SSM.
asa# show module 1
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
1 ASA 5500 Series Security Services Module-40 ASA-SSM-40 JAF1214AMRL
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
1 001e.f737.205f to 001e.f737.205f 1.0 1.0(14)5 7.1(7)E4
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
1 IPS Up 7.1(7)E4
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
Step 5 Session to the ASA 5500 AIP SSM.
asa# session 1
Opening command session with slot 1.
Connected to slot 1. Escape character sequence is 'CTRL-^X'.
Step 6 Enter the default username (cisco) and password (cisco) at the login prompt.
login: cisco
Password: cisco
You are required to change your password immediately (password aged)
Changing password for cisco.
(current) password: cisco
Step 7 Enter your new password twice.
New password: new password
Retype new password: new password
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: /wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to .
***LICENSE NOTICE***
There is no license key installed on this IPS platform. The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to /go/license to obtain a new license or install a license.
Using the ASDM
To reset the password in the ASDM, follow these steps:
Step 1 From the ASDM menu bar, choose Tools > IPS Password Reset.
Note This option does not appear in the menu if there is no IPS present.
Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.
Step 3 Click Close to close the dialog box. The sensor reboots.
You can reset the password to the default ( cisco ) for the ASA 5500-X IPS SSP using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.
Note To reset the password, you must have ASA 8.6.1 or later.
Use the sw-module module ips password-reset command to reset the password to the default cisco. If the module in the specified slot has an IPS version that does not support password recovery, the following error message is displayed:
ERROR: the module in slot <n> does not support password recovery.
To reset the password on the ASA 5500-X IPS SSP, follow these steps:
Step 1 Log into the adaptive security appliance and enter the following command:
asa# sw-module module ips password-reset
Reset the password on module ips? [confirm]
Step 2 Press Enter to confirm.
Password-Reset issued for module ips.
Step 3 Verify the status of the module. Once the status reads Up, you can session to the ASA 5500-X IPS SSP.
asa# show module ips
Mod Card Type Model Serial No.
--- -------------------------------------------- ------------------ -----------
ips ASA 5555-X IPS Security Services Processor ASA5555-IPS FCH151070GR
Mod MAC Address Range Hw Version Fw Version Sw Version
--- --------------------------------- ------------ ------------ ---------------
ips 503d.e59c.7c4c to 503d.e59c.7c4c N/A N/A 7.1(4)E4
Mod SSM Application Name Status SSM Application Version
--- ------------------------------ ---------------- --------------------------
ips IPS Up 7.1(4)E4
Mod Status Data Plane Status Compatibility
--- ------------------ --------------------- -------------
Mod License Name License Status Time Remaining
--- -------------- --------------- ---------------
ips IPS Module Enabled 210 days
Step 4 Session to the ASA 5500-X IPS SSP.
asa# session ips
Opening command session with module ips.
Connected to module ips. Escape character sequence is 'CTRL-^X'.
Step 5 Enter the default username (cisco) and password (cisco) at the login prompt.
login: cisco
Password: cisco
You are required to change your password immediately (password aged)
Changing password for cisco.
(current) password: cisco
Step 6 Enter your new password twice.
New password: new password
Retype new password: new password
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at: /wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to .
***LICENSE NOTICE***
There is no license key installed on this IPS platform. The system will continue to operate with the currently installed signature set. A valid license must be obtained in order to apply signature updates. Please go to /go/license to obtain a new license or install a license.
Using the ASDM
To reset the password in the ASDM, follow these steps:
Step 1 From the ASDM menu bar, choose Tools > IPS Password Reset.
Note This option does not appear in the menu if there is no IPS present.
Step 2 In the IPS Password Reset confirmation dialog box, click OK to reset the password to the default (cisco). A dialog box displays the success or failure of the password reset. If the reset fails, make sure you have the correct ASA and IPS software versions.
Step 3 Click Close to close the dialog box. The sensor reboots.
Caution If you try to recover the password on a sensor on which password recovery is disabled, the process proceeds with no errors; however, the password is not reset. If you cannot log in to the sensor because you have forgotten the password, and password recovery is set to disabled, you must reimage your sensor.
Password recovery is enabled by default. You can disable password recovery through the CLI or IME.
Disabling Password Recovery Using the CLI
To disable password recovery in the CLI, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter global configuration mode.
sensor# configure terminal
Step 3 Enter host mode.
sensor(config)# service host
Step 4 Disable password recovery.
sensor(config-hos)# password-recovery disallowed
Disabling Password Recovery Using the IME
To disable password recovery in the IME, follow these steps:
Step 1 Log in to the IME using an account with administrator privileges.
Step 2 Choose Configuration > sensor_name > Sensor Setup > Network.
Step 3 To disable password recovery, uncheck the Allow Password Recovery check box.
When you troubleshoot password recovery, pay attention to the following:
You cannot determine whether password recovery has been disabled in the sensor configuration from the ROMMON prompt, GRUB menu, switch CLI, or router CLI. If you attempt password recovery, it always appears to succeed. If it has been disabled, the password is not reset to
cisco . The only option is to reimage the sensor.
You can disable password recovery in the host configuration. For the platforms that use external mechanisms, such as ROMMON, although you can run commands to clear the password, if password recovery is disabled in the IPS, the IPS detects that password recovery is not allowed and rejects the external request.
To check the state of password recovery, use the show settings | include password command to verify whether password recovery is enabled.
To verify whether password recovery is enabled, follow these steps:
Step 1 Log in to the CLI.
Step 2 Enter service host submode.
sensor# configure terminal
sensor (config)# service host
sensor (config-hos)#
Step 3 Verify the state of password recovery by using the include keyword to show settings in a filtered output.
sensor(config-hos)# show settings | include password
password-recovery: allowed <defaulted>
sensor(config-hos)#
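Because the external mechanisms (GRUB, ROMMON, the ASA command) always appear to succeed, the only reliable way to know whether a fleet of sensors still has password recovery enabled is to collect the show settings | include password output from each one and inspect it. The following audit helper is an added example, not Cisco code: it parses that one line, treats the <defaulted> marker as "never explicitly configured", and fails closed by flagging any sensor whose output cannot be parsed. The per-sensor outputs are constructed samples; the first matches the line shown in the guide, and how you collect the output (SSH, a terminal server, a configuration backup) is outside the example.

```python
"""Audit of the password-recovery setting across sensors.

Added example; not Cisco code. Parses the line produced by
`show settings | include password` in service host submode:
    password-recovery: allowed <defaulted>
and lists every sensor where recovery is still allowed or the state is unknown.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample outputs (not captured from real devices).
SAMPLE_OUTPUTS: Dict[str, str] = {
    "ips-dc-01": "password-recovery: allowed <defaulted>\n",   # factory default
    "ips-dc-02": "password-recovery: disallowed\n",            # explicitly disabled
    "ips-dc-03": "password-recovery: allowed\n",               # explicitly re-enabled
    "ips-lab-04": "",                                          # command failed / no line
}

_STATE_LINE = re.compile(
    r"^\s*password-recovery:\s*(allowed|disallowed)\s*(<defaulted>)?\s*$", re.MULTILINE)


def password_recovery_state(output: str) -> Optional[Tuple[str, bool]]:
    """Return (state, is_default) from CLI output, or None if the line is absent.

    state is "allowed" or "disallowed"; is_default is True when the sensor
    reports the value as <defaulted>, i.e. nobody has set it explicitly.
    """
    match = _STATE_LINE.search(output)
    if match is None:
        return None
    return match.group(1), match.group(2) is not None


def sensors_with_recovery_enabled(outputs: Dict[str, str]) -> List[str]:
    """Sensor names whose recovery is allowed or whose state could not be read.

    Unknown state is reported together with 'allowed' so that a collection
    failure cannot silently hide an enabled sensor (fail closed).
    """
    flagged = []
    for name, output in outputs.items():
        state = password_recovery_state(output)
        if state is None or state[0] == "allowed":
            flagged.append(name)
    return sorted(flagged)


def audit_report(outputs: Dict[str, str]) -> Dict[str, str]:
    """Human-readable verdict per sensor, for a ticket or dashboard."""
    report = {}
    for name, output in outputs.items():
        state = password_recovery_state(output)
        if state is None:
            report[name] = "unknown: no password-recovery line in output"
        elif state[0] == "allowed":
            report[name] = "allowed" + (" (defaulted)" if state[1] else " (explicit)")
        else:
            report[name] = "disallowed"
    return report


if __name__ == "__main__":
    for sensor, verdict in audit_report(SAMPLE_OUTPUTS).items():
        print(f"{sensor}: {verdict}")
```

The regular expression anchors on the whole line so that unrelated settings containing the word "password" (which the include filter also matches) are ignored rather than misread.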
This section describes how to obtain and install the license key, and contains the following topics:
Note You must be an administrator to view license information in the Licensing pane and to install the sensor license key.
In the Licensing pane, you can obtain and install the sensor license key. The Licensing pane displays the status of the current license.
Although the sensor functions without the license key, you must have a license key to obtain signature updates and use the global correlation features. To obtain a license key, you must have the following:
Cisco Service for IPS service contract—Contact your reseller, Cisco service or product sales to purchase a contract.
Your IPS device serial number—To find the IPS device serial number in the IME, choose Configuration > sensor_name > Sensor Management > Licensing, or in the CLI use the show version command.
username and password.
Trial license keys are also available. If you cannot get your sensor licensed because of problems with your contract, you can obtain a 60-day trial license that supports signature updates that require licensing.
You can obtain a license key from the licensing server, which is then delivered to the sensor. Or, you can update the license key from a license key provided in a local file. Go to IPS Signature Subscription Service to apply for a license key.
You can view the status of the license key in these places:
The IME Home page in the Device Details section on the Licensing tab
License Notice at CLI login
Whenever you start the IME or the CLI, you are informed of your license status—whether you have a trial, invalid, or expired license key. With no license key, an invalid license key, or an expired license key, you can continue to use the IME and the CLI, but you cannot download signature updates.
If you already have a valid license on the sensor, you can click Download on the License pane to download a copy of your license key to the computer that the IME is running on and save it to a local file. You can then replace a lost or corrupted license, or reinstall your license after you have reimaged the sensor.
You must have a Cisco Services for IPS service contract for any IPS product so that you can download a license key and obtain the latest IPS signature updates. If you have a direct relationship with Cisco Systems, contact your account manager or service account manager to purchase the Cisco Services for IPS service contract. If you do not have a direct relationship with Cisco Systems, you can purchase the service account from a one-tier or two-tier partner.
When you purchase the following IPS products you must also purchase a Cisco Services for IPS service contract:
IPS 4270-20
When you purchase an ASA 5500 series adaptive security appliance product that does not contain IPS, you must purchase a SMARTnet contract.
Note SMARTnet provides operating system updates, access , access to TAC, and hardware replacement NBD on site.
When you purchase an ASA 5500 series adaptive security appliance product that ships with an IPS module installed, or if you purchase one to add to your ASA 5500 series adaptive security appliance product, you must purchase the Cisco Services for IPS service contract.
Note Cisco Services for IPS provides IPS signature updates, operating system updates, access , access to TAC, and hardware replacement NBD on site.
For example, if you purchase an ASA 5585-X and then later want to add IPS and purchase an ASA-IPS10-K9, you must now purchase the Cisco Services for IPS service contract. After you have the Cisco Services for IPS service contract, you must also have your product serial number to apply for the license key.
Caution If you ever send your product for RMA, the serial number changes. You must then get a new license key for the new serial number.
The following fields are found in the Licensing pane:
Current License—Provides the status of the current license:
– License Status—Displays the current license status of the sensor.
– Expiration Date—Displays the date when the license key expires (or has expired). If the key is invalid, no date is displayed.
– Serial Number—Displays the serial number of the sensor.
– Product ID—Displays the product ID of your sensor.
Update License—Specifies from where to obtain the new license key:
– —Contacts the license server for a license key.
– License File—Specifies that a license file be used.
– Local File Path—Indicates where the local file is that contains the license key.
Note In addition to a username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.
To obtain and install the license key, follow these steps:
Step 1 Log in to the IME using an account with administrator privileges.
Step 2 Choose Configuration > sensor_name > Sensor Management > Licensing.
Step 3 The Licensing pane displays the status of the current license. If you have already installed your license, you can click Download to save it if needed.
Step 4 Obtain a license key by doing one of the following:
radio button to obtain the license. The IME contacts the license server and sends the server the serial number to obtain the license key. This is the default method. Go to Step 5.
License File radio button to use a license file. To use this option, you must apply for a license key at this URL:
. The license key is sent to you in e-mail and you save it to a drive that the IME can access. This option is useful if your computer cannot . Go to Step 7.
Step 5 Click Update License, and in the Licensing dialog box, click Yes to continue. The Status dialog box informs you that the sensor is trying to connect. An Information dialog box confirms that the license key has been updated.
Step 6 Click
Step 7 Log in to
Step 8 Go to
Step 9 Fill in the required fields. Your license key will be sent to the e-mail address you specified.
Caution You must have the correct IPS device serial number and product identifier (PID) because the license key only functions on the device with that number.
Step 10 Save the license key to a hard-disk drive or a network drive that the client running the IME can access.
Step 11 Log in to the IME.
Step 12 Choose
Configuration &
sensor_name
& Sensor Management & Licensing.
Step 13 Under Update License, click the
License File radio button.
Step 14 In the Local File Path field, specify the path to the license file or click Browse Local to browse to the file.
Step 15 Browse to the license file and click
Step 16 Click Update License.
If your IPS 4270-20 has a license that was generated for IPS 6.0.x versions or earlier, you need to get a new license.
To obtain a new license for your IPS 4270-20, follow these steps:
Step 2 Go to
Step 3 Under Licenses Not Requiring a PAK, click Demo and Evaluation licenses.
Step 4 Under Security Products/Cisco Services for IPS service license (Version 6.1 and later), click All IPS Hardware Platforms.
Step 5 Fill in the required fields. Your license key will be sent to the email address you specified.
Caution You must have the correct IPS device serial number and product identifier (PID) because the license key only functions on the device with that number.
Step 6 Save the license key to a hard-disk drive or a network drive that the client running the IME can access.
Step 7 Log in to the IME.
Step 8 Choose Configuration > sensor_name > Sensor Management > Licensing.
Step 9 Under Update License, click the
License File radio button.
Step 10 In the Local File Path field, specify the path to the license file or click Browse Local to browse to the file.
Step 11 Browse to the license file and click
Step 12 Click Update License.
For the ASA 5500-X series adaptive security appliances with the IPS SSP, the ASA requires the IPS Module license. To view your current ASA licenses, in ASDM choose Home > Device Dashboard > Device Information > Device License. For more information about ASA licenses, refer to the licensing chapter in the configuration guide. After you obtain the ASA IPS Module license, you can obtain and install the IPS license key.
For More Information
For more information about getting started using the ASA 5500-X IPS SSP, refer to the
For the procedures for obtaining and installing the IPS License key, see .
Use the erase license-key command to uninstall the license key on your sensor. This allows you to delete an installed license key from a sensor without restarting the sensor or logging in to the sensor using the service account. Uninstalling the license key is supported in IPS 7.1(3)E4 and later.
To uninstall the license key, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Uninstall the license key on the sensor.
sensor# erase license-key
Warning: Executing this command will remove the license key installed on the sensor.
You must have a valid license key installed on the sensor to apply the Signature Updates and use the Global Correlation features.
Continue? []: yes
Step 3 Verify the sensor key has been uninstalled.
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 7.1(5)E4
Realm Keys key1.0
Signature Definition:
Signature Update S615.0
OS Version: 2.6.29.1
Platform: IPS-4345-K9
Serial Number: FCH1445V00N
No license present
Sensor up-time is 5 days.
Using 5318M out of 7864M bytes of available memory (67% usage)
system is using 33.6M out of 160.0M bytes of available disk space (21% usage)
application-data is using 70.5M out of 169.4M bytes of available disk space (44% usage)
boot is using 62.5M out of 70.1M bytes of available disk space (94% usage)
application-log is using 494.0M out of 513.0M bytes of available disk space (96% usage)
MainApp S-2012_APR_26_07_45_7_1_4_68 (Release) T07:48:43-0500 Running
AnalysisEngine S-2012_APR_26_07_45_7_1_4_68 (Release) T07:48:43-0500 Running
CollaborationApp S-2012_APR_26_07_45_7_1_4_68 (Release) T07:48:43-0500 Running
CLI S-2012_APR_26_07_45_7_1_4_68 (Release) T07:48:4
Upgrade History:
IPS-K9-7.1-5-E4 08:05:07 UTC Thu Apr 26 2012
Recovery Partition Version 1.1 - 7.1(5)E4
Host Certificate Valid from: 25-Apr-2012 to 26-Apr-2014
Note You must be administrator to configure sensor health metrics.
In the Sensor Health pane, you can configure the metrics that are used to determine the health and network security status of the IPS. The results show up in the Home pane in the various gadgets. If you do not select a metric by checking the check box, it does not show up in the health and network security status results. You can accept the default configuration or edit the values.
The overall health is set to the most critical settings of any of the metrics. For instance, if all the selected metrics are green except for one that is red, the overall health becomes red. The IPS produces a health and security status event when the overall health status of the IPS changes.
The security status of the sensor is determined for each virtual sensor using the threat ratings of events detected by the virtual sensors. The security status of the virtual sensor is raised when the virtual sensor detects an event with a threat rating that exceeds the threshold for that virtual sensor. Once a threshold has been exceeded, the security status remains at a critical level until the configured amount of time has passed with no more events being detected at the higher level.
ASA 5500-X IPS SSP and Memory Usage
For the ASA 5500-X IPS SSP, the memory usage is 93%. The default health thresholds for the sensor are 80% for yellow and 91% for red, so the sensor health will be shown as red on these platforms even for normal operating conditions. You can tune the threshold percentage for memory usage so that it reads more accurately for these platforms by configuring the Memory Usage option in the sensor health metrics.
Note Make sure you have the Memory Usage option in the sensor health metrics enabled.
Table 20-2 lists the Yellow Threshold and the Red Threshold health values.
Table 20-2 ASA 5500-X IPS SSP Memory Usage Values
ASA 5512-X IPS SSP
ASA 5515-X IPS SSP
ASA 5525-X IPS SSP
ASA 5545-X IPS SSP
ASA 5555-X IPS SSP
Field Definitions
The following fields are found in the Sensor Health pane:
Inspection Load—Lets you set a threshold for inspection load and whether this metric is applied to the overall sensor health rating.
Missed Packet—Lets you set a threshold percentage for missed packets and whether this metric is applied to the overall sensor health rating.
Memory Usage—Lets you set a threshold percentage for memory usage and whether this metric is applied to the overall sensor health rating.
Signature Update—Lets you set a threshold for when the last signature update was applied and whether this metric is applied to the overall sensor health rating.
License Expiration—Lets you set a threshold for when the license expires and whether this metric is applied to the overall sensor health rating.
Event Retrieval—Lets you set a threshold for when the last event was retrieved and whether this metric is applied to the overall sensor health rating.
Note The event retrieval metric keeps track of when the last event was retrieved by an external monitoring application such as the IME. Disable Event Retrieval if you are not doing external event monitoring.
Network Participation—Lets you choose whether the network participation health metrics contribute to the overall sensor health rating.
Global Correlation—Lets you choose whether the global correlation health metrics contribute to the overall sensor health rating.
Application Failure—Lets you choose to have an application failure applied to the overall sensor health rating.
IPS in Bypass Mode—Lets you choose to be notified when bypass mode is active and have that apply to the overall sensor health rating.
One or More Active Interfaces Down—Lets you choose to know if one or more enabled interfaces are down and have that apply to the overall sensor health rating.
Yellow Threshold—Lets you set the lowest threshold in percentage, days, seconds, or failures for yellow.
Red Threshold—Lets you set the lowest threshold in percentage, days, seconds, or failures for red.
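The health rules described above (the overall colour is the most critical colour of any checked metric; an unchecked metric is left out; a virtual sensor's security status stays raised until the configured time passes with no further event above the threshold) are small enough to model directly. The following is an added example, not Cisco code and not the sensor's implementation. It assumes that a value equal to a threshold already takes that colour, that "higher is worse" for the metrics shown, and uses constructed threshold and event values; the tuned memory thresholds for the ASA 5500-X case are illustrative, not values from this guide.

```python
# Added example, not Cisco code: models the health rules the Sensor Health pane
# describes (worst metric wins; unchecked metrics do not count) and the
# per-virtual-sensor security status driven by event threat ratings.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GREEN, YELLOW, RED = "green", "yellow", "red"
_SEVERITY = {GREEN: 0, YELLOW: 1, RED: 2}


@dataclass(frozen=True)
class Metric:
    """A metric measured in percent, days, seconds or failures, with a
    Yellow Threshold and a Red Threshold (each the lowest value for that colour).
    Assumption: a value equal to a threshold already takes that colour."""
    name: str
    yellow: float
    red: float
    enabled: bool = True  # the check box in the Sensor Health pane

    def colour(self, value: float) -> str:
        if value >= self.red:
            return RED
        if value >= self.yellow:
            return YELLOW
        return GREEN


def overall_health(readings: List[Tuple[Metric, float]]) -> str:
    """Overall health is the most critical colour among the enabled metrics."""
    worst = GREEN
    for metric, value in readings:
        if not metric.enabled:
            continue  # unchecked metrics are left out of the result
        colour = metric.colour(value)
        if _SEVERITY[colour] > _SEVERITY[worst]:
            worst = colour
    return worst


@dataclass
class VirtualSensorStatus:
    """Security status of one virtual sensor: raised when an event's threat
    rating exceeds the threshold, and held until hold_seconds pass with no
    further event above the threshold."""
    threshold: int
    hold_seconds: int
    last_hit: Optional[float] = None  # timestamp of the last qualifying event

    def observe(self, timestamp: float, threat_rating: int) -> None:
        if threat_rating > self.threshold:
            self.last_hit = timestamp

    def is_critical(self, now: float) -> bool:
        return self.last_hit is not None and (now - self.last_hit) < self.hold_seconds


def asa_memory_colours() -> Dict[str, str]:
    """ASA 5500-X IPS SSP case from the text: memory usage is 93%, so the
    default 80/91 thresholds give red. The tuned thresholds (95/98) are a
    constructed illustration, not values from the guide."""
    default = Metric("memory-usage", yellow=80, red=91)
    tuned = Metric("memory-usage", yellow=95, red=98)
    return {"default": default.colour(93), "tuned": tuned.colour(93)}


def demo_overall() -> Dict[str, str]:
    """Constructed readings: all green except memory usage, which is red."""
    readings = [
        (Metric("inspection-load", 80, 91), 35.0),
        (Metric("missed-packet", 1, 2), 0.0),
        (Metric("memory-usage", 80, 91), 93.0),
        (Metric("signature-update-age-days", 30, 60), 12.0),
    ]
    with_memory = overall_health(readings)
    # Unchecking Memory Usage removes it from the result.
    readings[2] = (Metric("memory-usage", 80, 91, enabled=False), 93.0)
    return {"with_memory": with_memory, "memory_unchecked": overall_health(readings)}


def demo_security_status() -> List[bool]:
    """Constructed event stream for one virtual sensor: threshold 80, hold 300 s."""
    vs = VirtualSensorStatus(threshold=80, hold_seconds=300)
    results = []
    vs.observe(0.0, 50)
    results.append(vs.is_critical(10.0))     # below threshold: not critical
    vs.observe(100.0, 95)
    results.append(vs.is_critical(200.0))    # raised by the 95 event
    vs.observe(350.0, 20)
    results.append(vs.is_critical(390.0))    # low event does not end the hold; 290 s < 300 s
    results.append(vs.is_critical(450.0))    # 350 s since the last qualifying event: cleared
    return results


if __name__ == "__main__":
    print(asa_memory_colours(), demo_overall(), demo_security_status())
```

The point a practitioner should take from the ASA case is that unchecking Memory Usage hides the red, while tuning its thresholds keeps the metric in the overall rating and still reflects real pressure above the platform's normal baseline.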
For More Information
For more detailed information on IME gadgets, see .
For a description of the IME Home pane, see .
Note You must be administrator to configure the IP logging variable.
You can configure the IP logging variable, Maximum Open IP Log Files, which applies to the general operation of the sensor.
Field Definitions
The following field is found in the IP Logging Variables pane:
Maximum Open IP Log Files—Specifies the maximum number of concurrently open IP log files. The valid range is from 20 to 100. The default is 20.
This section describes how to configure your sensor for automatic software updates, and contains the following topics:
Note You must be administrator to view the Auto Update pane and to configure automatic updates.
Caution In IPS 7.1(5)E4 and later the default value of the Cisco server IP address has been changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address.
Caution Automatic updates do not work with Windows FTP servers configured with DOS-style paths. Make sure the server configuration has the UNIX-style path option enabled rather than DOS-style paths.
You can configure the sensor to automatically download signature and signature engine updates and from a local server. When you enable automatic updates, the sensor logs in and checks for signature and signature engine updates. When an update is available, the sensor downloads the update and installs it. You must have a user account with cryptographic privileges to download Cisco IPS signature and signature engine updates. The first time you download Cisco software you set up an account with cryptographic privileges.
Caution The sensor does not support communication through nontransparent proxy servers.
For More Information
For the procedure for obtaining software and an account with cryptographic privileges, see .
The following FTP servers are supported for IPS software updates:
WU-FTPD 2.6.2 (Linux)
Solaris 2.8
Sambar 6.0 (Windows 2000)
Serv-U 5.0 (Windows 2000)
MS IIS 5.0 (Windows 2000)
The following HTTP/HTTPS servers are supported for IPS software updates:
CSM - Apache Server (Tomcat)
CSM - Apache Server (JRun)
To configure automatic update using an FTP server, the FTP server must provide directory listing responses in UNIX style. MS-DOS style directory listing is not supported by the sensor automatic update feature.
Note If the server supplies MS-DOS style directory listings, the sensor cannot parse the directory listing and does not know that there is a new update available.
To change Microsoft IIS to use UNIX-style directory listings, follow these steps:
Step 1 Choose Start > Program Files > Administrative Tools.
Step 2 Click the Home Directory tab.
Step 3 Click the UNIX directory listings style radio button.
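The reason the listing style matters is that the sensor has to parse the directory listing to learn that a newer package exists, and then installs only the single most recent candidate per cycle. The following added example (not Cisco code, and not how the sensor itself is implemented) shows that logic: it parses UNIX-style entries, refuses an MS-DOS style listing the way the sensor effectively does, and selects one update. The file names, sizes and dates in the listings are constructed, the IPS-sig-S<level>-req-E<engine>.pkg naming is an assumption, and the rule that a candidate must match the installed engine level and be newer than the installed signature level is an assumption as well (skipping levels is allowed, as the text describes).

```python
# Added example, not Cisco code: parses a UNIX-style FTP directory listing the
# way a sensor must to discover updates, refuses MS-DOS style listings, and
# picks the single most recent installable signature update for one cycle.
import re
from typing import List, Optional

# "ls -l" style entry: mode, links, owner, group, size, month day time|year, name
UNIX_ENTRY = re.compile(
    r"^[-dl][rwxsStT-]{9}\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"[A-Za-z]{3}\s+\d{1,2}\s+[\d:]{4,5}\s+(?P<name>.+)$"
)
# IIS "MS-DOS" style entry: date, time, size or <DIR>, name
DOS_ENTRY = re.compile(
    r"^\d{2}-\d{2}-\d{2}\s+\d{2}:\d{2}[AP]M\s+(?:<DIR>|\d+)\s+(?P<name>.+)$"
)
# Assumed signature update file name pattern: IPS-sig-S<level>-req-E<engine>.pkg
SIG_PKG = re.compile(r"^IPS-sig-S(?P<sig>\d+)-req-E(?P<eng>\d+)\.pkg$")


def parse_unix_listing(listing: str) -> List[str]:
    """Return the file names in a UNIX-style listing. An MS-DOS style
    listing raises ValueError, mirroring the sensor's inability to read it."""
    names: List[str] = []
    for raw in listing.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("total "):
            continue
        m = UNIX_ENTRY.match(line)
        if m is None:
            if DOS_ENTRY.match(line):
                raise ValueError("MS-DOS style directory listing; enable UNIX-style listings on the server")
            raise ValueError(f"unrecognised listing line: {line!r}")
        if line.startswith("d"):
            continue  # subdirectories are not update candidates
        names.append(m.group("name"))
    return names


def select_signature_update(names: List[str], installed_sig: int, installed_eng: int) -> Optional[str]:
    """Choose the most recent signature update that can be installed.
    Assumption: a candidate must be newer than the installed S level and
    built for the installed E (engine) level; skipping levels is allowed."""
    best_level, best_name = installed_sig, None
    for name in names:
        m = SIG_PKG.match(name)
        if m is None:
            continue  # service packs and other files are not signature updates
        sig, eng = int(m.group("sig")), int(m.group("eng"))
        if eng != installed_eng or sig <= best_level:
            continue
        best_level, best_name = sig, name
    return best_name


# Constructed listings (file names, sizes and dates are made up for the example).
UNIX_LISTING = """\
total 5
drwxr-xr-x   2 ftp      ftp          4096 Apr 20 09:00 archive
-rw-r--r--   1 ftp      ftp      23456789 Apr 26 08:05 IPS-K9-7.1-5-E4.pkg
-rw-r--r--   1 ftp      ftp       1234567 Mar 01 10:00 IPS-sig-S600-req-E4.pkg
-rw-r--r--   1 ftp      ftp       1345678 Apr 26 08:10 IPS-sig-S615-req-E4.pkg
-rw-r--r--   1 ftp      ftp       1356789 May 02 11:30 IPS-sig-S618-req-E4.pkg
-rw-r--r--   1 ftp      ftp       1400000 May 09 11:30 IPS-sig-S620-req-E5.pkg
"""
DOS_LISTING = """\
04-26-12  08:10AM              1345678 IPS-sig-S615-req-E4.pkg
05-02-12  11:30AM              1356789 IPS-sig-S618-req-E4.pkg
"""


def next_update_for(installed_sig: int, installed_eng: int) -> Optional[str]:
    """One auto-update cycle against the constructed UNIX listing."""
    return select_signature_update(parse_unix_listing(UNIX_LISTING), installed_sig, installed_eng)


def dos_listing_is_rejected() -> bool:
    """True when the constructed MS-DOS listing cannot be parsed."""
    try:
        parse_unix_listing(DOS_LISTING)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(next_update_for(612, 4), dos_listing_is_rejected())
```

Note that with the MS-DOS listing the failure is silent from the sensor's point of view: it simply never sees a candidate, which is why the Last Directory Read Attempt and Last Download Attempt fields in Auto Update Info are worth checking when updates stop arriving.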
There is a short period of time that traffic is not inspected while you are performing signature updates. However, traffic continues to flow if you have bypass enabled.
When a signature update adds or modifies signatures that contain regular expressions, the regular expression cache tables used by SensorApp have to be recompiled. The amount of recompile time varies by platform, number of signatures modified and/or added, and type of signatures modified and/or added.
If a signature update only adds one or two new signatures on a high-end platform, the recompile can be as fast as a few seconds.
The recompile takes several minutes and even up to a half hour under the following conditions:
When a signature update adds a large number of signatures, for example, when you skip several signature levels to install a newer one (such as installing S258 on top of S240).
When a signature update modifies a large number of signatures, for example when a large number of older signatures is disabled and/or retired.
During the recompile, SensorApp stops monitoring packets. The interface driver detects this when the packet buffers begin filling up on the way to SensorApp and the driver stops receiving packets from SensorApp. If the sensor is in inline mode, the driver either turns on bypass if the bypass option is set to Auto, or brings down the interface links if bypass is set to Off.
Note Some packets can be dropped before the bypass setting begins operating. Once SensorApp completes the recompile of the regular expression cache files, SensorApp reconnects to the driver and begins monitoring again, and the driver begins passing packets to SensorApp for analysis, and if necessary, also brings the interface links back up.
For More Information
For more information on bypass mode, see .
The following fields are found in the Auto Update pane:
Enable Auto Update From a Remote Server—Lets the sensor install updates stored on a remote server.
Note If Enable Auto Update From a Remote Server is not checked, all fields are disabled and cleared. You cannot toggle this on or off without losing all other settings.
Remote Server Settings—Lets you specify the following options for the remote server:
– IP Address—Identifies the IP address of the remote server.
– File Copy Protocol—Specifies whether to use FTP or SCP.
– Directory—Identifies the path to the update on the remote server.
– Username—Identifies the username corresponding to the user account on the remote server.
– Password—Identifies the password for the user account on the remote server.
– Confirm Password—Confirms the password by forcing you to retype the remote server password.
Enable Signature and Engine Updates—Lets the sensor go to download signature and engine updates.
Server Settings—Lets you specify the following options for
– Username—Identifies the username corresponding to the user account .
– URL—Automatically populated with the correct URL when you check the Enable Signature and Engine Updates check box.
– Password—Identifies the password for the user account .
– Confirm Password—Confirms the password by forcing you to retype
Schedule—Lets you specify the following schedule options:
– Start Time—Identifies the time to start the update process. This is the time when the sensor will contact the remote server and search for an available update.
– Frequency—Specifies whether to perform updates on an hourly or weekly basis.
– Hourly—Specifies to check for an update every n hours.
– Daily—Specifies the days of the week to perform the updates.
Auto Update Info—Displays information about automatic update attempts:
– Last Directory Read Attempt—Displays the last time the sensor accessed the automatic update directory to check for new updates.
– Last Download Attempt—Displays the last time the sensor tried to download updates.
– Last Install Attempt—Displays the last time the sensor tried to install updates.
– Next Attempt—Displays the next time the sensor will try to download updates.
Caution In IPS 7.1(5)E4 and later the default value of the Cisco server IP address has been changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address.
To configure automatic updates from a remote server, follow these steps:
Step 1 Log in to the IME using an account with administrator privileges.
Step 2 Choose Configuration > sensor_name > Sensor Management > Auto Update.
Step 3 To enable automatic updates from a remote server, check the Enable Auto Update from a Remote Server check box:
a. In the IP Address field, enter the IP address of the remote server where you have downloaded and stored updates.
b. To identify the protocol used to connect to the remote server, from the File Copy Protocol drop-down list, choose either FTP or SCP.
c. In the Directory field, enter the path to the directory on the remote server where the updates are located. A valid value for the path is 1 to 128 characters.
d. In the Username field, enter the username to use when logging in to the remote server. A valid value for the username is 1 to 2047 characters.
e. In the Password field, enter the username password on the remote server. A valid value for the password is 1 to 2047 characters.
f. In the Confirm Password field, enter the password to confirm it.
g. For hourly updates, check the Hourly check box, and follow these steps:
In the Start Time field, enter the time you want the updates to start. The valid value is hh:mm:ss.
In the Every_hours field, enter the hour interval at which you want every update to occur. The valid value is 1 to 8760.
For example, if you enter 5, every 5 hours the sensor looks at the directory of files on the server. If there is an available update candidate, it is downloaded and installed. Only one update is installed per cycle even if there are multiple available candidates. The sensor determines the most recent update that can be installed and installs that file.
h. For weekly updates, check the
check box, and follow these steps:
In the Start Time field, enter the time you want the updates to start. The valid value is hh:mm:ss.
In the Days field, check the day(s) you want the sensor to check for and download available updates.
Step 4 To enable signature and engine updates, check the Enable Signature and Engine Updates check box:
a. In the Username field, enter the username to use when logging in. A valid value for the username is 1 to 2047 characters.
b. In the Password field, enter the username password. A valid value for the password is 1 to 2047 characters.
c. In the Confirm Password field, enter the password to confirm it.
d. For hourly updates, check the Hourly check box, and follow these steps:
In the Start Time field, enter the time you want the updates to start. The valid value is hh:mm:ss.
In the Every_hours field, enter the hour interval at which you want every update to occur. The valid value is 1 to 8760.
For example, if you enter 5, every 5 hours the sensor looks at the directory of files on the server. If there is an available update candidate, it is downloaded and installed. Only one update is installed per cycle even if there are multiple available candidates. The sensor determines the most recent update that can be installed and installs that file.
e. For weekly updates, check the
check box, and follow these steps:
In the Start Time field, enter the time you want the updates to start. The valid value is hh:mm:ss.
In the Days field, check the day(s) you want the sensor to check for and download available updates.
Tip To discard your changes, click Reset.
Step 5 Click
to save your changes.
This section describes how to manually update the sensor, and contains the following topics:
Note You must be administrator to view the Update Sensor pane and to update the sensor with service packs and signature updates.
In the Update Sensor pane, you can immediately apply service pack and signature updates. Sensor upgrade/update package filenames have the .pkg extension.
Note To manually update the sensor, you must download the service pack and signature updates to your FTP server, and then configure the sensor to download them from your FTP server.
Caution You cannot apply system image files on the Update Sensor pane. You must follow the procedures for reimaging your sensor. System image filenames have the .img or .aip extension.
For More Information
For information on signature updates and how long it can take to install them, see .
For the procedure for obtaining software files, see .
The following fields are found in the Update Sensor pane:
Update is located on a remote server and is accessible by the sensor—Lets you specify the following options:
– URL—Identifies the type of server where the update is located. Specify whether to use FTP, HTTP, HTTPS, or SCP.
– ://—Identifies the path to the update on the remote server.
– Username—Identifies the username corresponding to the user account on the remote server.
– Password—Identifies the password for the user account on the remote server.
Update is located on this client—Lets you specify the following options:
– Local File Path—Identifies the path to the update file on this local client.
– Browse Local—Opens the Browse dialog box for the file system on this local client. From this dialog box, you can navigate to the update file.
Note To manually update the sensor, you must download the service pack and signature updates to your FTP server, and then configure the sensor to download them from your FTP server.
To immediately apply a service pack and signature update, follow these steps:
Step 1 Log in to the IME using an account with administrator privileges.
Step 2 Choose Configuration > sensor_name > Sensor Management > Update Sensor.
Step 3 To pull an update down from a remote server and install it on the sensor, follow these steps:
a. Check the Update is located on a remote server and is accessible by the sensor check box.
b. In the URL field, enter the URL where the update can be found.
Note You must have already downloaded the update and put it on the FTP server.
The following URL types are supported:
FTP:—Source URL for an FTP network server.
The syntax for this prefix is the following:
ftp://location/relative_directory/filename
ftp://location//absolute_directory/filename
HTTPS:—Source URL for a web server.
Note Before using the HTTPS protocol, set up a TLS trusted host.
The syntax for this prefix is the following:
https://location/directory/filename
SCP:—Source URL for a SCP network server.
The syntax for this prefix is the following:
scp://location/relative_directory/filename
scp://location/absolute_directory/filename
HTTP:—Source URL for a web server.
The syntax for this prefix is the following:
http://location/directory/filename
The following example shows the FTP protocol:
ftp://user@ip_address/UPDATES/file_name.rpm.pkg
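Because the URL field accepts several schemes and two FTP path forms (a single slash for a directory relative to the login directory, a double slash for an absolute directory), it is worth validating what an operator types before it reaches the sensor. The following added example (not Cisco code, and not the sensor's own parser) does that for the URL forms listed above, and also enforces two rules from this section: update packages carry the .pkg extension, and system image files (.img or .aip) cannot be applied from the Update Sensor pane. The `location`/`ip_address` host names are the placeholders used in the guide; the helper names are the example's own.

```python
# Added example, not Cisco code: validates the update URL forms the Update
# Sensor pane accepts (ftp/http/https/scp) and extracts the pieces the sensor
# would use, rejecting unsupported schemes and system image files.
from typing import Dict
from urllib.parse import urlsplit

SUPPORTED_SCHEMES = {"ftp", "http", "https", "scp"}
UPDATE_EXTENSION = ".pkg"            # upgrade/update packages
IMAGE_EXTENSIONS = (".img", ".aip")  # system images: reimage procedure only


def parse_update_url(url: str) -> Dict[str, object]:
    """Parse and validate an update URL, returning its parts.
    Raises ValueError for anything the Update Sensor pane would not accept."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SUPPORTED_SCHEMES:
        raise ValueError(f"unsupported URL type: {parts.scheme or '(none)'}")
    if not parts.hostname:
        raise ValueError("URL must name the server (location)")
    path = parts.path
    if not path or path.endswith("/"):
        raise ValueError("URL must end in the update file name")
    filename = path.rsplit("/", 1)[-1]
    if filename.lower().endswith(IMAGE_EXTENSIONS):
        raise ValueError("system image files cannot be applied from the Update Sensor pane")
    if not filename.lower().endswith(UPDATE_EXTENSION):
        raise ValueError("update packages use the .pkg extension")
    # ftp://location//absolute_directory/filename: the doubled slash marks an
    # absolute directory; a single slash is relative to the login directory.
    absolute = scheme == "ftp" and path.startswith("//")
    directory = path.strip("/").rpartition("/")[0]
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "username": parts.username,  # user@ form from the FTP example, if present
        "absolute": absolute,        # only meaningful for ftp URLs
        "directory": directory,
        "filename": filename,
    }


def is_valid_update_url(url: str) -> bool:
    """Convenience wrapper: True when parse_update_url accepts the URL."""
    try:
        parse_update_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The FTP example from the guide; "file_name" is its placeholder, not a real file.
    print(parse_update_url("ftp://user@ip_address/UPDATES/file_name.rpm.pkg"))
```

The scp form is listed in the guide with a single slash for both relative and absolute directories, so the `absolute` flag is only derived for ftp URLs; for scp the path is passed through as written.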
c. In the Username field, enter the username for an account on the remote server.
d. In the Password field, enter the password associated with this account on the remote server.
Step 4 To push from the local client and install it on the sensor, follow these steps:
a. Check the Update is located on this client check box.
b. Specify the path to the update file on the local client or click Browse Local to navigate through the files on the local client.
Step 5 Click Update Sensor. The Update Sensor dialog box tells you that if you want to update, you will lose your connection to the sensor and you must log in again.
Step 6 Click OK to update the sensor.
Note The IME and CLI connections are lost during the following updates: service pack, minor, major, and engineering patch. If you are applying one of these updates, the installer restarts the IPS applications. A reboot of the sensor is possible. You do not lose the connection when applying signature updates and you do not need to reboot the system.
Tip To discard your changes and close the dialog box, click Cancel.
For More Information
For the procedure for obtaining software files, see .
Note You must be administrator to view the Restore Defaults pane and to restore the sensor defaults.
On the Restore Defaults pane, you can restore the default configuration at any time to your sensor.
Warning Restoring the defaults removes the current application settings and restores the default settings. Your network settings also return to the defaults and you immediately lose connection to the sensor.
To restore the default configuration, follow these steps:
Step 1 Log in to the IME using an account with administrator privileges.
Step 2 Choose Configuration > sensor_name > Sensor Management > Restore Defaults.
Step 3 To restore the default configuration, click Restore Defaults.
Step 4 In the Restore Defaults dialog box, click OK.
Note Restoring defaults resets the IP address, netmask, default gateway, and access list. The password and time are not reset. Manual and automatic blocks also remain in effect. You must manually reboot your sensor.
Note You must be administrator to see the Reboot Sensor pane and to reboot the sensor.
You can shut down and restart the sensor from the Reboot Sensor pane.
To reboot the sensor, follow these steps:
Step 1 Log in to the IME using an account with administrator privileges.
Step 2 Choose Configuration > Sensor Management > Reboot Sensor, and then click Reboot Sensor.
Step 3 To shut down and restart the sensor, click OK. The sensor applications shut down and then the sensor reboots. After the reboot, you must log back in.
Note There is a 30-second delay during which users who are logged in to the CLI are notified that the sensor applications are going to shut down.
Note You must be administrator to view the Shut Down Sensor pane and to shut down the sensor.
You can shut down the IPS applications and then put the sensor in a state in which it is safe to power it off.
To shut down the sensor, follow these steps:
Step 1 Log in to the IME using an account with administrator privileges.
Step 2 Choose Configuration > sensor_name > Sensor Management > Shut Down Sensor, and then click Shut Down Sensor.
Step 3 In the Shut Down Sensor dialog box, click OK. The sensor applications shut down and any open connections to the sensor are closed.
Note There is a 30-second delay during which users who are logged in to the CLI are notified that the sensor applications are going to shut down.