Cisco Intrusion Prevention System Appliance and Module Installation Guide for IPS 7.1

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS

About This Guide  xiii
  Contents  xiii
  Audience  xiii
  Organization  xiv
  Conventions  xiv
  Related Documentation  xv
  Where to Find Safety and Warning Information  xv
  Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service Request  xvi

CHAPTER 1  Introducing the Sensor  1-1
  Contents  1-1
  How the Sensor Functions  1-1
  Capturing Network Traffic  1-1
  Your Network Topology  1-3
  Correctly Deploying the Sensor  1-3
  Tuning the IPS  1-3
  Sensor Interfaces  1-4
  Understanding Senso
  Appliance Restrictions  1-21
  Connecting an Appliance to a Terminal Server  1-22
  Time Sources and the Sensor  1-22
  The Sensor and Time Sources  1-23
  Synchronizing IPS Module System Clocks with the Parent Device System Clock
  Verifying the Sensor is Synchronized with the NTP Server  1-23
  Correcting the Time on the Sensor  1-24

CHAPTER 2  Preparing the Appliance for Installation  2-1
  Installation Preparation  2-1
  Safety Recommendations  2-2
  Safety Guidelines  2-2
  Electricity Safety Guidelines  2-2
  Prevent

  Installing the IPS 4270-20 in the Rack  3-18
  Extending the IPS 4270-20 from the Rack  3-26
  Installing the Cable Management Arm  3-28
  Converting the Cable Management Arm  3-32
  Installing the IPS 4270-20  3-35
  Removing and Replacing the Chassis Cover
  Accessing the Diagnostic Panel  3-42
  Installing and Removing Interface Cards  3-43
  Installing and Removing the Power Supply  3-45
  Installing and Removing Fans  3-50

CHAPTER 4  Installing the IPS 4345 and IPS 4360
  Contents
  Troubleshooting Loose Connections
  CHAPT

  Accessories  5-10
  Memory Configurations  5-11
  Power Supply Module Requirements  5-11
  Supported SFP/SFP+ Modules  5-11
  Installing the IPS 4510 and IPS 4520  5-12
  Removing and Installing the Core IPS SSP  5-15
  Removing and Installing the Power Supply Module  5-17
  Removing and Installing the Fan Module  5-19
  Installing the Slide Rail Kit Hardware  5-20
  Installing and Removing the Slide Rail Kit  5-21
  Package Contents  5-22
  Installing the Chassis in the Rack  5-22
  Removing the Chassis from the Rack

  Hardware and Software Requirements  7-4
  Front Panel Features  7-4
  Memory Requirements  7-8
  SFP/SFP+ Modules  7-9
  Installing the ASA 5585-X IPS SSP  7-9
  Installing SFP/SFP+ Modules  7-11
  Verifying the Status of the ASA 5585-X IPS SSP  7-12
  Removing and Replacing the ASA 5585-X IPS SSP

APPENDIX A  Logging In to the Sensor  A-1
  Contents  A-1
  Supported User Roles  A-1
  Logging In to the Appliance  A-2
  Connecting an Appliance to a Terminal Server
  Logging In to the ASA 5500 AIP SSP B  A-5
  Logg

  IPS Software Versioning  C-3
  IPS Software Release Examples  C-5
  Accessing IPS Documentation  C-7
  Cisco Security Intelligence Operations  C-7
  Obtaining a License Key From Cisco.

  Installing the ASA 5585-X IPS SSP System Image Using ROMMON  D-27

APPENDIX E  Troubleshooting  E-1
  Contents  E-1
  Cisco Bug Search  E-2
  Preventive Maintenance  E-2
  Understanding Preventive Maintenance  E-2
  Creating and Using a Backup Configuration File  E-3
  Backing Up and Restoring the Configuration File Using a Remote Server  E-3
  Creating the Service Account  E-5
  Disaster Recovery  E-6
  Recovering the Password  E-7
  Understanding Password Recovery  E-8
  Recovering the Password for the Appliance  E-8
  Us
  Troubleshooting Loose Connections  E-24
  Analysis Engine is Busy  E-24
  Communication Problems  E-25
  Cannot Access the Sensor CLI Through Telnet or SSH  E-25
  Correcting a Misconfigured Access List  E-27
  Duplicate IP Address Shuts Interface Down  E-28
  The SensorApp and Alerting  E-29
  The SensorApp Is Not Running  E-29
  Physical Connectivity, SPAN, or VACL Port Issue  E-31
  Unable to See Alerts  E-32
  Sensor Not Seeing Packets  E-34
  Cleaning Up a Corrupted SensorApp Configuration  E-35
  Blocking  E-36
  Troubleshooting
  Troubleshooting the ASA 5500 AIP SSM  E-59
  Health and Status Information  E-59
  Failover Scenarios  E-61
  The ASA 5500 AIP SSM and the Normalizer Engine  E-62
  The ASA 5500 AIP SSM and the Data Plane  E-63
  The ASA 5500 AIP SSM and Jumbo Packet Frame Size  E-63
  The ASA 5500 AIP SSM and Jumbo Packets  E-63
  TCP Reset Differences Between IPS Appliances and ASA IPS Modules
  IPS Reloading Messages  E-64
  Troubleshooting the ASA 5500-X IPS SSP  E-64
  Failover Scenarios  E-65
  Health and Status Information  E-66
  The ASA 55
  Interfaces Information  E-97
  Understanding the show interfaces Command  E-97
  Interfaces Command Output  E-98
  Events Information  E-98
  Sensor Events  E-99
  Understanding the show events Command  E-99
  Displaying Events  E-99
  Clearing Events  E-102
  cidDump Script  E-102
  Uploading and Accessing Files on the Cisco FTP Site  E-103

APPENDIX F  Cable Pinouts  F-1
  Contents  F-1
  10/100BaseT and 10/100/1000BaseT Connectors  F-1
  Console Port (RJ-45)  F-2
  RJ-45 to DB-9 or DB-25  F-3

GLOSSARY

INDEX
About This Guide

Published: March 31, 2010
Revised: October 17, 2014, OL-24002-01

Contents

This guide describes how to install appliances and modules that support Cisco IPS 7.1. It includes a glossary that contains expanded acronyms and pertinent IPS terms. It is part of the documentation set for Cisco Intrusion Prevention System 7.1. Use this guide in conjunction with the documents listed in Related Documentation, page xv.
Organization

This guide includes the following sections:

Section  Title                                        Description
1        "Introducing the Sensor"                     Describes IPS appliances and modules.
2        "Preparing the Appliance for Installation"   Describes how to prepare to install appliances.
3        "Installing the IPS 4270-20"                 Describes how to install the IPS 4270-20.
4        "Installing the IPS 4345 and IPS 4360"       Describes how to install the IPS 4345 and the IPS 4360.

Conventions

< >     Nonprinting characters such as passwords are in angle brackets.
[ ]     Default responses to system prompts are in square brackets.
!, #    An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Note       Means reader take note.
Tip        Means the following information will help you solve a problem.
Caution    Means reader be careful.
Timesaver
Warning

Obtaining Documentation, Using the Cisco Bug Search Tool, and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
CHAPTER 1  Introducing the Sensor

Contents

This chapter introduces the sensor and provides information you should know before you install the sensor. In this guide, the term sensor refers to all models unless noted otherwise. For a complete list of supported sensors and their model numbers, see Supported Sensors, page 1-18.

How the Sensor Functions

Figure 1-1 Comprehensive Deployment Solutions
(Figure: a public services segment, main campus, campus core, the Internet, and a service provider, partner, or branch office network, with an attacker on the Internet side; sensors deployed in IDS mode, IPS mode, and hybrid mode. Multiple IPS sensors deliver a highly scalable, load-balanced solution via Cisco EtherChannel technology on Cisco Catalyst Switches.)

• Generate IP session logs, session replay, and trigger packets display. IP session logs are used to gather information about unauthorized use. IP log files are written when events occur that you have configured the appliance to look for.
• Implement multiple packet drop actions to stop worms and viruses.
• Filter out known false positives caused by specialized software, such as vulnerability scanners and load balancers, by one of the following methods:
  – You can configure the sensor to ignore the alerts from the IP addresses of the scanner and load balancer.
  – You can configure the sensor to allow these alerts and then use the IME to filter out the false positives.
• Filter the Informational alerts.

There are three interface roles:
• Command and control
• Sensing
• Alternate TCP reset

There are restrictions on which roles you can assign to specific interfaces, and some interfaces have multiple roles. You can configure any sensing interface as the TCP reset interface for any other sensing interface. The TCP reset interface can also serve as an IDS (promiscuous) sensing interface at the same time.
Table 1-1 Command and Control Interfaces (continued)

Sensor        Command and Control Interface
IPS 4260      Management 0/0
IPS 4270-20   Management 0/0
IPS 4345      Management 0/0
IPS 4360      Management 0/0
IPS 4510      Management 0/0 (1)
IPS 4520      Management 0/0 (1)

1. The 4500 series sensors have two management ports, Management 0/0 and Management 0/1, but Management 0/1 is reserved for future use.

Table 1-2 Interface Support (continued)

Base Chassis | Added Interface Cards | Interfaces Supporting Inline VLAN Pairs (Sensing Ports) | Combinations Supporting Inline Interface Pairs | Interfaces Not Supporting Inline (Command and Control Port)
ASA 5500 AIP SSM-40 | — | GigabitEthernet 0/1 by security context instead of VLAN pair or inline interface pair | GigabitEthernet 0/1 by security context instead of VLAN pair or inline interface pair |
ASA 5512-
IPS 4255 | — | GigabitEthernet 0/0, GigabitEthernet 0/1, GigabitEthernet 0/2, GigabitEthernet 0/3 | 0/0<->0/1, 0/0<->0/2, 0/0<->0/3, 0/1<->0/2, 0/1<->0/3, 0/2<->0/3 | Management 0/0
IPS 4260 | — | GigabitEthernet 0/1 | N/A | Management 0/0
IPS 4260 | 4GE-BP | GigabitEth
IPS 4270-20 | 2SX | Slot 1: GigabitEthernet 3/0, GigabitEthernet 3/1; Slot 2: GigabitEthernet 4/0, GigabitEthernet 4/1 | |
IPS 4270-20 | 10GE | Slot 1: TenGigabitEthernet 5/0, TenGigabitEthernet 5/1; Slot 2: TenGigabitEthernet 7/0, TenGigabitEthernet 7/1 | |
IPS 4345 | — | GigabitEthernet 0/0, GigabitEthernet 0/1 | Combinations Suppo
IPS 4510 | — | GigabitEthernet 0/0, GigabitEthernet 0/1 (continued) | All sensing ports can be paired together | Management 0/0, Management 0/1 (6)
| | | All sensing ports can be paired together | Management 0/0, Management 0/1 (6)
Giga
TCP Reset Interfaces

This section explains the TCP reset interfaces and when to use them. It contains the following topics:
• Understanding Alternate TCP Reset Interfaces, page 1-11
• Designating the Alternate TCP Reset Interface, page 1-12

Understanding Alternate TCP Reset Interfaces

Note  The alternate TCP reset interface setting is ignored in inline interface or inline VLAN pair mode, because resets are sent inline in these modes.

Table 1-3 Alternate TCP Reset Interfaces (continued)

Sensor        Alternate TCP Reset Interface
IPS 4240      Any sensing interface
IPS 4255      Any sensing interface
IPS 4260      Any sensing interface
IPS 4270-20   Any sensing interface
IPS 4345      Any sensing interface
IPS 4360      Any sensing interface
IPS 4510      Any sensing interface
IPS 4520      Any sensing interface

Designating the Alternate TCP Reset Interface

Note  There is only one sensing interface o
– For Gigabit copper interfaces (1000-TX on the IPS 4240, IPS 4255, IPS 4260, IPS 4270-20, IPS 4345, IPS 4360, IPS 4510, and IPS 4520), valid speed settings are 10 Mbps, 100 Mbps, 1000 Mbps, and auto. Valid duplex settings are full, half, and auto.
– For Gigabit (copper or fiber) interfaces, if the speed is configured for 1000 Mbps, the only valid duplex setting is auto.
– You can only configure interfaces that are capable of TCP resets as alternate TCP reset interfaces.
– There is only one sensing interface on the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset interface.
intended target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous sensor devices are post-event responses and often require assistance from other networking devices, for example, routers and firewalls, to respond to an attack.

Note  The SPAN/Monitor configuration is valuable when you want to assign different IPS policies per VLAN or when you have more bandwidth to monitor than one interface can handle.

For More Information
For more information on promiscuous mode, see Promiscuous Mode, page 1-14.

Note  For the IPS 4510 and IPS 4520, the maximum number of inline VLAN pairs you can create systemwide is 150. On all other platforms, the limit is 255 per interface.

You can associate VLANs in pairs on a physical interface. This is known as inline VLAN pair mode. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair.

VLAN group subinterfaces associate a set of VLANs with a physical or inline interface. No VLAN can be a member of more than one VLAN group subinterface. Each VLAN group subinterface is identified by a number between 1 and 255. Subinterface 0 is a reserved subinterface number used to represent the entire unvirtualized physical or logical interface. You cannot create, delete, or modify subinterface 0, and no statistics are reported for it.

Supported Sensors

The currently supported IPS 7.1(x) versions are 7.1(1)E4, 7.1(2)E4, 7.1(3)E4, 7.1(4)E4, 7.1(5)E4, and IPS 7.1(6)E4. Not all IPS sensors are supported in each 7.1(x) version. For a list of the specific IPS filenames and the IPS versions that each sensor supports, refer to the Release Notes for your IPS version found at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_release_notes_list.
Table 1-4 Supported Sensors (continued)

Model Name             Part Number                                                          Optional Interfaces
ASA 5525-X             ASA5525-K7, ASA5525-K8, ASA5525-K9, ASA5525-DC                       ASA-IC-6GE-CU-B=, ASA-IC-6GE-SFP-B=
ASA 5545-X             ASA5545-K7, ASA5545-K8, ASA5545-K9, ASA5545-DC-K8, ASA5545-CU-2AC-K9   ASA-IC-6GE-CU-C=, ASA-IC-6GE-SFP-C=
ASA 5555-X             ASA5555-K8, ASA5555-CU-2AC-K9                                        ASA-IC-6GE-CU-C=, ASA-IC-6GE-SFP-C=
ASA 5585-X IPS SSP-10  ASA-SSP-IPS10-K9                                                     —
ASA 5585-X IPS SSP-20  ASA-SSP-IPS20-K9                                                     —

IPS Appliances

You can configure the appliance to respond to recognized signatures as it captures and analyzes network traffic. These responses include logging the event, forwarding the event to the manager, performing a TCP reset, generating an IP log, capturing the alert trigger packet, and reconfiguring a router.
Connecting an Appliance to a Terminal Server

A terminal server is a router with multiple, low speed, asynchronous ports that are connected to other serial devices. You can use terminal servers to remotely manage network equipment, including appliances.

Time Sources and the Sensor

• Correcting the Time on the Sensor, page 1-24

The Sensor and Time Sources

Note  We recommend that you use an NTP server to regulate time on your sensor. You can use authenticated or unauthenticated NTP. For authenticated NTP, you must obtain the NTP server IP address, NTP server key ID, and the key value from the NTP server. You can set up NTP during initialization or you can configure NTP through the CLI, IDM, IME, or ASDM.

To verify the NTP configuration, follow these steps:

Step 1  Log in to the sensor.

Step 2  Generate the host statistics.

    sensor# show statistics host
    ...
    NTP Statistics
       remote        refid          st t when poll reach
       11.22.33.44   CHU_AUDIO(1)   8  u  36   64   1
       LOCAL(0)      73.78.73.84    5  l  35   64   1
       ind assID status conf reach auth condition last_event
       1   10372 f014   yes  yes   ok   reject    reachable
       2   10373 9014   yes  yes   none reject    reachable
       status = Not Synchronized
    ...
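As an added illustration, not code from the guide or from Cisco, the following parser reads the NTP Statistics block of the show statistics host output shown above and reports the conditions an operator checks by eye: the status line, peers the clock-selection algorithm rejected, unauthenticated servers, and peers with an incomplete reachability register. The sample output is constructed from the layout in the guide; its addresses and association IDs are illustrative.

```python
"""Parse the NTP Statistics block of the IPS `show statistics host` output
and report why a sensor is (or is not) synchronized.

Added example; not Cisco code. The sample below is constructed from the
layout shown in the installation guide.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, modelled on the guide's "show statistics host" excerpt.
SAMPLE_OUTPUT = """\
sensor# show statistics host
...
NTP Statistics
   remote        refid          st t when poll reach
   11.22.33.44   CHU_AUDIO(1)   8  u  36   64   1
   LOCAL(0)      73.78.73.84    5  l  35   64   1
   ind assID status conf reach auth condition last_event
   1   10372 f014   yes  yes   ok   reject    reachable
   2   10373 9014   yes  yes   none reject    reachable
   status = Not Synchronized
...
"""


@dataclass
class NtpPeer:
    remote: str
    refid: str
    stratum: int
    kind: str            # "u" = unicast server, "l" = local clock
    reach: int           # reachability shift register, printed in octal
    auth: str = "none"   # "ok" only when authenticated NTP is in use
    condition: str = ""  # clock-selection verdict, e.g. "reject"


@dataclass
class NtpStatus:
    synchronized: bool
    peers: List[NtpPeer]


def parse_ntp_statistics(text: str) -> NtpStatus:
    """Extract the peer rows, the association rows and the status line."""
    lines = text.splitlines()
    try:
        start = next(i for i, ln in enumerate(lines)
                     if ln.strip() == "NTP Statistics")
    except StopIteration:
        raise ValueError("NTP Statistics block not found in output")

    peers: List[NtpPeer] = []
    assoc: List[Tuple[str, str]] = []   # (auth, condition) per association
    synchronized = False
    for ln in lines[start + 1:]:
        fields = ln.split()
        if not fields or fields[0] in ("remote", "ind"):
            continue                      # blank line or column header
        if fields[0] == "status":         # "status = Synchronized" ends the block
            synchronized = ln.split("=", 1)[1].strip().lower() == "synchronized"
            break
        if len(fields) == 7 and fields[2].isdigit():
            # peer row: remote refid st t when poll reach
            peers.append(NtpPeer(fields[0], fields[1], int(fields[2]),
                                 fields[3], int(fields[6], 8)))
        elif len(fields) == 8 and fields[0].isdigit():
            # association row: ind assID status conf reach auth condition last_event
            assoc.append((fields[5], fields[6]))

    # Association rows are listed in the same order as the peer rows.
    for peer, (auth, condition) in zip(peers, assoc):
        peer.auth = auth
        peer.condition = condition
    return NtpStatus(synchronized, peers)


def ntp_findings(status: NtpStatus) -> List[str]:
    """Turn the parsed block into the checks an operator would act on."""
    findings = []
    if not status.synchronized:
        findings.append("not synchronized: event timestamps cannot be trusted")
    for p in status.peers:
        if p.condition == "reject":
            findings.append(f"{p.remote} rejected by clock selection "
                            f"(stratum {p.stratum}, reach 0o{p.reach:o})")
        if p.kind == "u" and p.auth != "ok":
            findings.append(f"{p.remote} is an unauthenticated NTP server")
        if p.kind == "u" and p.reach != 0o377:   # 0o377 = last eight polls all answered
            findings.append(f"{p.remote} has missed recent polls (reach 0o{p.reach:o})")
    return findings


if __name__ == "__main__":
    for line in ntp_findings(parse_ntp_statistics(SAMPLE_OUTPUT)):
        print(line)
```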
For More Information
For the procedure for clearing events, refer to Clearing Events from Event Store.

Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.
CHAPTER 2  Preparing the Appliance for Installation

This chapter describes the steps to follow before installing new hardware or performing hardware upgrades, and includes the following sections:
• Installation Preparation, page 2-1
• Safety Recommendations, page 2-2
• General Site Requirements, page 2-5

Installation Preparation

To prepare for installing an appliance, follow these steps:

Step 1  Review the safety precautions outlined in one of the following safety documents:
• Regulatory Complianc

Safety Recommendations

For More Information
• For ESD guidelines, see Electricity Safety Guidelines, page 2-2.
• For the procedure for working in an ESD environment, see Working in an ESD Environment, page 2-4.

Follow these guidelines when working on equipment powered by electricity:
• Before beginning procedures that require access to the interior of the chassis, locate the emergency power-off switch for the room in which you are working. Then, if an electrical accident occurs, you can act quickly to turn off the power.
• Do not work alone if potentially hazardous conditions exist anywhere in your work space.

Working in an ESD Environment

Work on ESD-sensitive parts only at an approved static-safe station on a grounded static dissipative work surface, for example, an ESD workbench or static dissipative mat.

To remove and replace components in a sensor, follow these steps:

Step 1  Remove all static-generating items from your work area.

Step 2  Use a static dissipative work surface and wrist strap.

General Site Requirements

This section describes the requirements your site must meet for safe installation and operation of your IPS appliance. This section includes the following topics:
• Site Environment, page 2-5
• Preventive Site Configuration, page 2-5
• Power Supply Considerations, page 2-6
• Configuring Equipment Racks, page 2-6

Site Environment

Place the appliance on a desktop or mount it in a rack.

Power Supply Considerations

The IPS 4270-20 has an AC power supply. The IPS 4345, IPS 4360, IPS 4510, and IPS 4520 have either an AC or DC power supply. Follow these guidelines for power supplies:
• Check the power at the site before installing the chassis to ensure that the power is free of spikes and noise. Install a power conditioner if necessary, to ensure proper voltages and power levels in the source voltage.
CHAPTER 3  Installing the IPS 4270-20

Contents

This chapter describes the IPS 4270-20, and includes the following sections:
• Installation Notes and Caveats, page 3-1
• Product Overview, page 3-2
• Supported Interface Cards, page 3-4
• Hardware Bypass, page 3-5
• Front and Back Panel Features, page 3-8
• Diagnostic Panel, page 3-14
• Specifications, page 3-15
• Accessories, page 3-16
• Installing the Rail System Kit, page 3-16
• Installing the IPS 4270-20, page 3-35
• Removing and Re

Product Overview

Warning  This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than 120 VAC, 20 A U.S. (240 VAC, 16-20 A International). Statement 1005

Warning  This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor.

Media-rich environments are characterized by content, such as that seen on popular websites with video and file transfer. Transactional environments are characterized by connections, such as E-commerce, instant messaging, and voice. Figure 3-1 demonstrates the spectrum of media-rich and transactional environments.

Figure 3-1 Media-rich and Transactional Environments
(Figure: a spectrum labelled Gaming, Commerce, Voice, Collaborative Workspaces, WWW, Data Replication, Web 2.)

Supported Interface Cards

• For more information on the 4GE bypass interface card, see Hardware Bypass, page 3-5.
• For more information about the power supplies, see Installing and Removing the Power Supply, page 3-45.

The IPS 4270-20 supports three interface cards: the 4GE bypass interface card, the 2SX interface card, and the 10GE interface card.

Figure 3-3 shows the 2SX interface card.

Figure 3-3 2SX Interface Card

10GE Interface Card

The 10GE interface card (part numbers IPS-2X10GE-SR-INT and IPS-2X10GE-SR-INT=) provides two 10000 Base-SX (fiber) interfaces. The IPS 4270-20 supports up to two 10GE interface cards for a total of four 10GE fiber interfaces. The card ports require a multi-mode fiber cable with an LC connector to connect to the SX interface of the IPS 4270-20.

Hardware Bypass

4GE Bypass Interface Card

The IPS 4270-20 supports the 4-port GigabitEthernet card (part number IPS-4GE-BP-INT=) with hardware bypass. This 4GE bypass interface card supports hardware bypass only between ports 0 and 1 and between ports 2 and 3.

Note  To disable hardware bypass, pair the interfaces in any other combination, for example 2/0<->2/2 and 2/1<->2/3.

Hardware bypass complements the existing software bypass feature in Cisco IPS.

The following configuration restrictions apply to hardware bypass:
• The 4-port bypass card is only supported on the IPS 4270-20.
• Fail-open hardware bypass only works on inline interfaces (interface pairs), not on inline VLAN pairs.
• Fail-open hardware bypass is available on an inline interface if all of the following conditions are met:
  – Both of the physical interfaces support hardware bypass.
Front and Back Panel Features

This section describes the IPS 4270-20 front and back panel features, indicators, and internal components. Figure 3-5 shows the front view of the IPS 4270-20.

Figure 3-5 IPS 4270-20 Front View
(Figure: front of the Cisco IPS 4270 Series Intrusion Prevention Sensor; switches/indicators 1 through 8, including SYSTEM, STATUS, PWR, MGMT 0, MGMT 1, and UID.)

Figure 3-6 shows the front panel switches and indicators.

Table 3-1 describes the front panel switches and indicators on the IPS 4270-20.

Figure 3-7 shows the back view of the IPS 4270-20.

Figure 3-8 shows the built-in Ethernet port, which has two indicators per port, and the power supply indicators.

Figure 3-8 Ethernet Port Indicators
(Figure: back panel showing the MGMT 0/0 port with its Activity and Link indicators, the CONSOLE port, a port reserved for future use, the PCI-E x4 and PCI-X 100 MHz slots, and the PS1 power supply indicators.)

Table 3-2 describes the Ethernet port indicators.

Table 3-3 Power Supply Indicators (continued)

Fail Indicator (1) Amber   Power Indicator (2) Green   Description
Off                        Flashing                    • AC power present
                                                       • Standby mode
Off                        On                          Normal

Figure 3-9 shows the internal components.

Figure 3-9 IPS 4270-20 Internal Components
(Figure: two power supplies, sensing interface expansion slots, cooling fans, and the Diagnostic Panel.)
Diagnostic Panel

The front panel health indicators only indicate the current hardware status. The Diagnostic Panel indicators identify components experiencing an error, event, or failure. All indicators are off unless one of the components fails.

Note  When you remove the chassis cover to view the Diagnostic Panel, leave the IPS 4270-20 powered on. Powering off the IPS 4270-20 clears the Diagnostic Panel indicators.
For More Information
• For the location of the Diagnostic Panel in the IPS 4270-20 chassis, see Figure 3-9 on page 3-13.
• For information on how to access the Diagnostic Panel, see Accessing the Diagnostic Panel, page 3-42.

Specifications

Table 3-5 lists the specifications for the IPS 4270-20.

Table 3-5 IPS 4270-20 Specifications

Dimensions and Weight
Height   6.94 in. (17.6 cm)
Width    19.0 in. (46.3 cm)
Depth    26.5 in. (67.

Accessories

The IPS 4270-20 accessories kit contains the following:
• DB-9 connector
• DB-9/RJ-45 console cable
• Two Ethernet RJ-45 cables
• Regulatory Compliance and Safety Information for the Cisco Intrusion Detection and Prevention System 4200 Series Appliance Sensor
• Documentation Roadmap for Cisco Intrusion Prevention System

Installing the Rail System Kit

You can install the IPS 4270-20 in a 4-post rack.
No tools are required for the round- and square-hole racks. You may need screws that fit the threaded-hole rack and a driver for those screws. You need a standard screwdriver to remove the round- and square-hole studs from the slide assemblies when you install the security appliance in a threaded-hole rack. This rail system supports a minimum rack depth of 24 in. (60.96 cm) and a maximum rack depth of 36.5 in. (92.71 cm).
Installing the IPS 4270-20 in the Rack

Warning  To prevent bodily injury when mounting or servicing this unit in a rack, you must take special precautions to ensure that the system remains stable. The following guidelines are provided to ensure your safety:
• This unit should be mounted at the bottom of the rack if it is the only unit in the rack.

Step 3  To remove the chassis side rail, lift the latch, and slide the rail forward.
(Figure: the chassis side rail and its latch on the IPS 4270-20, callouts 1 and 2.)

Step 4  If you are installing the IPS 4270-20 in a shallow rack, one that is less than 28.5 in. (72.39 cm), remove the screw from the inside of the slide assembly before continuing with Step 5.
(Figure: the screw inside the slide assembly, for racks shallower than 28.5 in.)

Step 5  Attach the slide assemblies to the rack.

For round- and square-hole racks:
a. Line up the studs on the slide assembly with the holes on the inside of the rack and snap into place.
b. Adjust the slide assembly lengthwise to fit the rack. The spring latch locks the slide assembly into position.
(Figure: slide assembly studs and spring latch, callouts 1 through 3.)
c. Repeat for each slide assembly. Make sure the slide assemblies line up with each other in the rack.
d.

For threaded-hole racks:
a. Remove the eight round- or square-hole studs on each slide assembly using a standard screwdriver.

Note  You may need a pair of pliers to hold the retaining nut.
(Figure: studs and retaining nuts on the slide assembly, callouts 1 through 3.)

b. Line up the bracket on the slide assembly with the rack holes, and install two screws (top and bottom) on each end of the slide assembly.
(Figure: bracket screw locations, callout 1.)
c. Repeat for each slide assembly.

Step 6  Extend the slide assemblies out of the rack.

Step 7  Align the chassis side rails on the IPS 4270-20 with the slide assembly on both sides of the rack, release the blue slide tab (by either pulling the tab forward or pushing the tab back), and carefully push the IPS 4270-20 into place.
(Figure: front of the IPS 4270-20 with callouts 1 through 7.)

Step 9  Install the electrical cables at the back of the IPS 4270-20.
Extending the IPS 4270-20 from the Rack

To extend the IPS 4270-20 from the rack, follow these steps:

Step 1  Pull the quick-release levers on each side of the front bezel of the IPS 4270-20 to release it from the rack and extend it on the rack rails until the rail-release latches engage.

Note  The release latches lock into place when the rails are fully extended.

To completely remove the IPS 4270-20 from the rack, disconnect the cables from the back of the IPS 4270-20, push the release tab in the middle of the slide assembly forward, and pull the IPS 4270-20 from the rack.

Installing the Cable Management Arm

To install the cable management arm, follow these steps:

Step 1  Align the slide bracket on the cable management arm with the stud on the back of the IPS 4270-20 and align the two studs at the back of the chassis side rail, then slide down and lock into place.

Step 2  Attach the cable trough to the back of the rack by pushing the lower metal tab on the cable management arm into the slide assembly, then lifting the spring pin to lock it into place.

Caution  Make sure the metal tab is on the outside of the upper part of the cable management arm.

Step 3  Route the cables through the cable trough and secure the cables with the Velcro straps and black tie wraps.

Note  After you route the cables through the cable management arm, make sure the cables are not pulled tight when the IPS 4270-20 is fully extended.
Chapter 3 Installing the IPS 4270-20 Installing the Rail System Kit Step 4 Attach the cable management arm stop bracket to the ride side of the back of the rack by inserting the stop bracket into the cable management arm bracket. PS2 PCI-E x4 9 8 PCI-E x8 7 PCI-E x4 PCI-E x8 6 5 4 PCI-E x4 3 PCI-X 100 MHz 2 1 PS1 UID CONSOLE Reserved for Future Use 250217 MGMT10/0 Converting the Cable Management Arm Note The cable management arm is designed for ambidextrous use.
Chapter 3 Installing the IPS 4270-20 Installing the Rail System Kit To convert the cable management arm swing, follow these steps: Pull up the spring pin and slide the bracket off the cable management arm. 250218 Step 1 Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.
Chapter 3 Installing the IPS 4270-20 Installing the Rail System Kit Remove the bottom sliding bracket and flip it over to the top of the bracket aligning the studs. 250219 Step 2 Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.
Step 3 On the other side of the sliding bracket, align the spring pin with the studs and key holes, and slide until the pin snaps into place. The sliding bracket only fits one way because the hole for the spring pin is offset.
Installing the IPS 4270-20
with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071
SAVE THESE INSTRUCTIONS
Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment.
Step 4 Connect the RJ-45 to DB-9 adapter connector to the console port and connect the other end to the DB-9 connector on your computer.
[Figure: console connection: RJ-45 to DB-9 adapter on the IPS 4270-20 console port, RJ-45 to DB-9 serial cable (null-modem), and the computer serial port (DB-9)]
Step 5 Attach the network cables.
[Figure: IPS 4270-20 back panel showing the power connectors (PS1 and PS2), the sensing interfaces, the console port, and the Management 0/0 port]
The IPS 4270-20 has the following interfaces:
• Management 0/0 (MGMT0/0) is the command and control port.
For More Information
• For more information on working with electrical power and in an ESD environment, see Safety Recommendations, page 2-2.
• For more information on the best place to position your sensor on the network, see Your Network Topology, page 1-3.
• For the procedure for installing the IPS 4270-20 in a rack, see Installing the IPS 4270-20 in the Rack, page 3-18.
Removing and Replacing the Chassis Cover
Warning This unit might have more than one power supply connection. All connections must be removed to de-energize the unit. Statement 1028
Note Removing the appliance chassis cover does not affect your Cisco warranty. Upgrading the IPS 4270-20 does not require any special tools and does not create any radio frequency leaks.
Caution Do not operate the IPS 4270-20 for long periods with the chassis cover open or removed.
Step 8 Lift up the cover latch on the top of the chassis.
[Figure: IPS 4270-20 chassis showing the cover latch and front bezel (callouts 1 through 8)]
Step 9 Slide the chassis cover back and up to remove it.
Note Make sure the chassis cover is securely locked into place before powering up the IPS 4270-20.
Step 11 Reattach the power cables to the IPS 4270-20.
Step 12 Reinstall the IPS 4270-20 in a rack, on a desktop, or on a table, or extend it back into the rack.
Step 13 Power on the IPS 4270-20.
Accessing the Diagnostic Panel
Installing and Removing Interface Cards
Caution Follow proper safety procedures when performing these steps by reading the safety warnings in Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4200 Series Appliance Sensor.
The IPS 4270-20 has nine expansion card slots. Slots 1 and 2 are PCI-X slots and are reserved for future use. Slots 3 through 9 are PCI-Express slots.
Step 8 To unlock the expansion card slot, push down on the center part of the blue tab and open the latch.
[Figure: IPS 4270-20 expansion card slots 3 through 9 (PCI-E) with the blue slot latch]
Step 9 To uninstall a card, lift the card out of the socket. To install a card, position the card so that its connector lines up over the socket on the motherboard and push the card down into the socket.
For More Information
• For an illustration of the expansion card slots, see Figure 3-7 on page 3-10.
• For an illustration of the supported interface cards, see Supported Interface Cards, page 3-4.
• For the IDM procedure for powering down the IPS 4270-20, refer to Rebooting the Sensor; for the IME procedure for powering down the IPS 4270-20, refer to Rebooting the Sensor.
Installing and Removing the Power Supply
Step 5 Use the T-15 Torx screwdriver that shipped with the IPS 4270-20 to remove the shipping screw. The T-15 Torx screwdriver is located to the right of the power supply.
[Figure: location of the shipping screw and the T-15 Torx screwdriver beside power supply PS1 on the IPS 4270-20 back panel]
Step 6 Remove the power supply by pulling it away from the chassis.
Step 7 Install the power supply. Make sure the handle is open and slide the power supply into the bay.
[Figure: sliding the power supply into the PS1 bay]
Step 8 Lock the power supply handle.
[Figure: locking the power supply handle on PS1]
Step 9 Reconnect the power cables. Be sure that the power supply indicator is green and the front panel health indicator is green.
Note Make sure the two power supplies are powered by separate AC power sources so that the IPS 4270-20 is always available.
Step 10 Power on the IPS 4270-20.
Installing and Removing Fans
There are six fans in the IPS 4270-20. The IPS 4270-20 supports redundant hot-pluggable fans in a 5 + 1 configuration to provide proper airflow. Figure 3-12 shows the fan, its connector, and its indicator.
Step 4 Remove the failed fan by grasping the red plastic handle and pulling up.
Note Remove and replace one fan at a time. If the IPS 4270-20 detects two failed fans, it shuts down to avoid thermal damage.
Troubleshooting Loose Connections
Perform the following actions to troubleshoot loose connections on sensors:
• Make sure all power cords are securely connected.
• Make sure all cables are properly aligned and securely connected for all external and internal components.
• Remove and check all data and power cables for damage. Make sure no cables have bent pins or damaged connectors.
• Make sure each device is properly seated.
Chapter 4 Installing the IPS 4345 and IPS 4360
Contents
This chapter describes the Cisco IPS 4345 and the IPS 4360, and includes the following sections:
• Installation Notes and Caveats, page 4-1
• Product Overview, page 4-2
• Specifications, page 4-2
• Accessories, page 4-4
• Front and Back Panel Features, page 4-5
• Rack Mount Installation, page 4-9
• Installing the Appliance on the Network, page 4-12
• Removing and Installing the Power Supply, page 4-15
Installation Notes and Caveats
Product Overview
The IPS 4345 delivers 500 Megabits of intrusion prevention performance. You can use the IPS 4345 to protect both half-Gigabit subnets and aggregated traffic traversing switches from multiple subnets. The IPS 4345 is a purpose-built device that supports both copper and fiber NIC environments, providing flexibility of deployment in any environment. It replaces the IPS 4240 and the IPS 4255.
Specifications
Table 4-1 IPS 4345 and IPS 4360 Specifications (continued)
Specification | IPS 4345 | IPS 4360
Operating power, steady state/maximum | 372W | 382W
Total heat dissipation | 730 BTU/hr | 730 BTU/hr
Output hold-up time | 20mS | 12mS
Inrush current | 40A | 40A
Temperature | Operating: 23°F to 49°F (-5°C to 45°C); Nonoperating: -13°F to -94°F (-25°C to -70°C) | Operating: 23°F to 49°F (-5°C to 45°C); Nonoperating: -13°F to -94°F (25°C to -70°C)
Airflow | Front to back | Front to back
Relativ
Accessories
Figure 4-1 and Figure 4-2 display the contents of the sensor packing box, which contains the items you need to install the sensor.
Figure 4-2 IPS 4360 Packing Box Contents
1 Sensor chassis (one power supply shown)
2 Yellow Ethernet cable
3 Power cord
4 Blue console cable PC terminal adapter
5 Power cord retainer
6 Documentation (Documentation Roadmap for the Cisco Intrusion Prevention System)
Not shown: Slide rail kit
Front and Back Panel Features
This section describes the IPS 4345 and IPS 4360 front and back panel fea
Figure 4-4 shows the indicators for the IPS 4345. These indicators are also found on the back panel of the IPS 4345.
Figure 4-4 IPS 4345 Indicators
Figure 4-5 shows the indicators for the IPS 4360. These indicators are also found on the back panel of the IPS 4360.
Figure 4-5 IPS 4360 Indicators
Table 4-2 describes the indicators on the IPS 4345 and IPS 4360.
Table 4-2 IPS 4345 and IPS 4360 Indicators (continued)
Indicator | Description
PS1, PS0 | Indicates the state of the power supply module installed on the right when facing the back panel:
• Off—No power supply module present or no AC input.
• Green—Power supply module present, on, and good.
• Amber—Power or fan module off or failed.
1. The Management 0/0 interface is a GigabitEthernet interface that supports FastEthernet and is designed for management traffic only.
2. The serial console port uses 9600 baud, 8 data bits, 1 stop bit, and no parity.
Figure 4-7 shows the back panel features of the IPS 4360.
Rack Mount Installation
This section describes how to rack mount the 4300 series chassis, and contains the following topics:
• Rack-Mounting Guidelines, page 4-9
• Installing the IPS 4345 in a Rack, page 4-10
• Mounting the IPS 4345 and IPS 4360 in a Rack with the Slide Rail Mounting System, page 4-11
Rack-Mounting Guidelines
Warning To prevent bodily injury when mounting or servicing this unit in a rack, you must take s
Installing the IPS 4345 in a Rack
The IPS 4345 ships with the rack mount brackets installed on the front of the chassis. Use these brackets to mount the chassis to the front of the rack. If you want to mount the chassis on the back of the rack, you can move the brackets from the front to the back of the chassis.
Step 4 Attach the chassis to the rack using the supplied screws (Figure 4-10).
Figure 4-10 Rack-Mounting the Chassis
Step 5 To remove the chassis from the rack, remove the screws that attach the chassis to the rack, and then remove the chassis.
Installing the Appliance on the Network
Warning IMPORTANT SAFETY INSTRUCTIONS This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.
Step 4 Connect to the management port. Connect one RJ-45 connector to the management port and connect the other end to the management port on your computer or network device. The appliance has a dedicated management interface referred to as Management 0/0, which is a GigabitEthernet interface with a dedicated port used only for management traffic.
Step 5 Connect to the console port. The console cable has a DB-9 connector on one end for the serial port on your computer and an RJ-45 connector on the other end. Connect the RJ-45 connector to the console port on the appliance, and connect the DB-9 connector to the console port on your computer.
Step 8 Power on the appliance.
Step 9 Initialize the appliance.
Step 10 Install the most recent Cisco IPS software.
You are now ready to configure intrusion prevention on the appliance.
For More Information
• For more information about ESD, see Preventing Electrostatic Discharge Damage, page 2-3.
Removing and Installing the Power Supply
• The sensor requires 10 seconds from the time it is placed into standby mode before the power state can be updated and stored. This means any changes to the power state within the first 10 seconds of entering standby mode (including the standby mode itself) will not be observed if AC power is removed within that time.
Figure 4-11 shows both the removable AC (on the left) and DC (on the right) power supplies for the IPS 4360.
Figure 4-11 AC Power Supply and DC Power Supply
1 Power supply indicator
2 DC power supply positive connection
3 DC power supply neutral connection
4 DC power supply negative connection
Table 4-4 describes the power supply indicator.
Table 4-4 AC and DC Power Supply Indicator
Indicator Color and State | Description
Blinking amber, at the rate of one blink per second | A power supply warning event has occurred, but the power supply can continue to operate. The warning event can be temperature, voltage, current, or fan operating outside the normal operating range.
Off | The power supply is shut down.
To remove and install the AC power supply, follow these steps:
Step 1 If you are adding an additional power supply, from the back of the appliance, push the lever on the slot cover to the left to release it, then grasp the handle of the slot cover and pull it away from the chassis (Figure 4-12). Save the slot cover for future use. Continue with Step 3.
Step 3 Install the new power supply by aligning it with the power supply bay and pushing it into place until it is seated, while supporting it from beneath with the other hand (Figure 4-14).
Figure 4-14 Installing the AC Power Supply
Step 4 Connect the power cable. If you are installing two power supplies for a redundant configuration, plug each one into a power source (we recommend a UPS).
Installing DC Input Power
Warning The covers are an integral part of the safety design of the product. Do not operate the unit without the covers installed. Statement 1077
Warning When you install the unit, the ground connection must always be made first and disconnected last. Statement 1046
Warning Before performing any of the following procedures, ensure that power is removed from the DC circuit.
Figure 4-16 shows the back panel of the IPS 4345 with the DC power supply.
Figure 4-16 IPS 4345 Back Panel
1 Fixed fan
2 Fixed DC power supply
Figure 4-17 shows the back panel of the IPS 4360 with two DC power supplies.
To connect the DC power supply on the appliance, follow these steps:
Step 1 Make sure that the chassis ground is connected on the chassis before you begin installing the DC power supply.
Step 2 Turn off the circuit breaker to the power supply.
Step 3 From the front of the appliance, verify that the power switch is in the Standby position.
Step 6 Identify the positive, negative, and ground feed positions for the DC power supply connection.
Figure 4-20 shows the DC power supply with lead wires.
Figure 4-20 DC Power Supply with Lead Wires
Step 7 Insert the exposed end of one of the ground wires into the inlet on the DC power supply. After you push in the wires, they are held in place with a spring, which makes the physical contact. Make sure that you cannot see any wire lead. Only wires with insulation should extend from the DC power supply.
Removing and Installing the DC Power Supply
Note This procedure applies only to the appliances with a removable DC power supply (IPS 4360).
To remove and install a DC power supply, follow these steps:
Step 1 Make sure that the chassis ground is connected on the chassis before you begin installing the DC power supply, as described in Working in an ESD Environment, page 2-4.
c. Push the lever on the power supply to the left and remove the power supply by grasping the handle and then pulling the power supply out of the chassis while supporting it from beneath with the other hand (Figure 4-24).
Chapter 5 Installing the IPS 4510 and IPS 4520
Contents
This chapter describes the Cisco IPS 4510 and IPS 4520, and includes the following sections:
• Installation Notes and Caveats, page 5-1
• Product Overview, page 5-2
• Chassis Features, page 5-3
• Specifications, page 5-9
• Accessories, page 5-10
• Memory Configurations, page 5-11
• Power Supply Module Requirements, page 5-11
• Supported SFP/SFP+ Modules, page 5-11
• Installing the IPS 4510 and IPS 4520, page 5-12
• Removing and I
Product Overview
Warning Only trained and qualified personnel should install, replace, or service this equipment. Statement 49
Caution Read the safety warnings in the Regulatory Compliance and Safety Information for the Cisco Intrusion Prevention System 4500 Series Sensor Appliance document and follow proper safety procedures when performing the steps in this guide.
IME
The Intrusion Prevention System Manager Express (IME) 7.2.3 and later also support the IPS 4510 and IPS 4520. IME is a network management application that provides system health, events, and collaboration monitoring in addition to reporting and configuration for up to ten sensors.
Chassis Features
Figure 5-2 shows the front view of the IPS 4510 and IPS 4520.
Figure 5-3 shows the front panel indicators.
Figure 5-3 Front Panel Indicators
1 PWR
2 BOOT
3 ALARM
4 ACT¹
5 VPN²
6 PS1
7 PS0
8 HDD1³
9 HDD2⁴
[Figure: IPS 4510 and IPS 4520 front panel, also showing the USB, AUX, and CONSOLE ports]
1. Not supported at this time.
2. Not supported at this time.
3. Not supported at this time.
4. Not supported at this time.
Table 5-1 Front Panel Indicators (continued)
Indicator | Description
PS1, PS0 | Indicates the state of the power supply module installed on the right when facing the back panel:
• Off—No power supply module present or no AC input.
• Green—Power supply module present, on, and good.
• Amber—Power or fan module off or failed.
HDD1 |
HDD2 |
Figure 5-4 shows the back panel features.
Figure 5-4 Back Panel Features
[Figure: back panel callouts 1 through 7, including the fan module (Cisco-ASA-FAN) and the 100-240V 15.0/8.0 A power supply module with its indicators]
Table 5-2 describes the power supply module and fan module indicators.
Table 5-2 Power Supply Module and Fan Module Indicators
Indicator | Description
IN OK | Indicates status of power supply module:
• Off—No AC power cord connected or AC power switch off.
• Green—AC power cord connected and AC power switch on.
FAN OK | Indicates status of fan module:
• Off—Fan module failure or AC power switch off.
OUT FAIL |
Specifications
Table 5-3 Ethernet Port Indicators (continued)
Indicator | Description
10-Gigabit Ethernet Fiber (SFP+)/1-Gigabit Ethernet Fiber (SFP) |
• Left side:
– Off—No 10-Gigabit Ethernet physical link
– Green—10-Gigabit Ethernet physical link
– Flashing green¹—Network activity
• Right side:
– Off—No 1-Gigabit Ethernet physical link
– Green—1-Gigabit Ethernet physical link
– Flashing green¹—Network activity
Management port |
• Left side:
– Green—Ph
Table 5-4 IPS 4510 and IPS 4520 Specifications (continued)
Maximum heat dissipation | 3960 BTU/hr (100 VAC); 5450 BTU/hr (200 VAC)
Power supply output steady state | 1200W
Maximum peak | 1200W
Environment
Temperature | Operating 32°F to 104°F (0°C to 40°C); Nonoperating -40°F to 158°F (-40°C to 70°C)
Airflow | Front to back
Relative humidity (noncondensing) | Operating 10% to 90%; Nonoperating 5% to 95%
Altitude | Operating 0 to 3000 ft (9843 ft); Non
Accessories
Memory Configurations
The IPS 4510 and IPS 4520 have up to 6 DIMM modules per CPU. DIMM population is platform-dependent. Table 5-5 shows the memory configurations.
Table 5-5 Memory Configurations
Model | Memory
IPS 4510 | 24-GB DRAM
IPS 4520 | 48-GB DRAM
Power Supply Module Requirements
Table 5-6 lists the power supply module requirements.
Table 5-6 Power Supply Module Requirements
 | 50 V | 12 V | 3.3 V_STBY
Maximum | 52.0 V | 12.2.
Table 5-7 lists the SFP/SFP+ modules that the IPS 4510 and IPS 4520 support.
Installing the IPS 4510 and IPS 4520
b. Connect one RJ-45 connector to the Management 0/0 interface.
[Figure: MGMT 0/0 port and USB ports on the front of the sensor]
c. Connect the other end of the Ethernet cable to the Ethernet port on your computer or to your management network.
Caution Management and console ports are privileged administrative ports. Connecting them to an untrusted network can create security concerns.
b. Connect one end of the LC cable to the SFP/SFP+ module.
[Figure: SFP/SFP+ module ports on the front of the sensor]
c. Connect the other end of the LC cable to a network device, such as a router or switch.
Step 5 Install the electrical cables.
a. Attach the power cable to the power supply module on the back of the sensor.
[Figure: power supply module (Cisco ASA 1200W AC, 100-240 V 15.0/8.0 A) and fan module (Cisco-ASA-FAN) on the back of the sensor, with the IN OK, OUT FAIL, and FAN OK indicators]
Step 6 Power on the sensor.
Caution If the appliance is subjected to environmental overheating, it shuts down and you must manually power cycle it to turn it on again.
Step 7 Check the PWR indicator on the front panel of the sensor to verify power socket connectivity. It should be green. To verify power supply operation, check the PS0 and PS1 indicators on the front panel. They should be green.
Removing and Installing the Core IPS SSP
Step 7 Grasp the ejection levers at the left and right bottom of the designated slot and pull them out.
[Figure: IPS 4520 front panel showing 1 Module and 2 Ejection levers]
Step 8 Grasp the sides of the module and pull it all the way out of the chassis.
Removing and Installing the Power Supply Module
The IPS 4510 ships with one power supply module and one fan module installed, and the IPS 4520 ships with two power supply modules installed in a load balancing/sharing configuration. This configuration ensures that if one power supply module fails, the other power supply module assumes the full load until the failed power supply module is replaced.
Step 5 Install the new power supply module by aligning it with the power supply module bay and pushing it into place until it is seated.
[Figure: installing the power supply module (Cisco ASA 1200W AC) into the power supply module bay]
Removing and Installing the Fan Module
The IPS 4510 ships with one power supply module and one fan module installed, and the IPS 4520 ships with two power supply modules instead of a power supply module and a fan module. You can replace the fan module in the IPS 4510 if necessary. The fan module is hot-pluggable.
Step 3 Install the new fan module by aligning it with the fan module bay and pushing it into place until it is seated.
[Figure: installing the fan module]
1 Fan module and fan handle
2 Fan module screw
3 Power supply module
Step 4 Tighten the captive screws.
Installing the Slide Rail Kit Hardware
Figure 5-6 shows all of the brackets that can be removed for the fixed rack mount.
Installing and Removing the Slide Rail Kit
Package Contents
The slide rail kit package contains the following items:
• Left and right slide rails
• Six #10-32 screws
• Two #10-32 cage nuts
Installing the Chassis in the Rack
To install the chassis in the rack using the slide rail kit, follow these steps:
Step 1 Press the latch on the end of the slide rail and push forward to engage the pins in the rack until the clip clicks and locks around the rack po
For square hole posts, square studs must be attached fully inside the square hole on the rack rail. For threaded hole posts, the round stud must fully enter inside the threaded hole rack rail (Figure 5-9).
Note After installing the square or round studs into the rack post, verify that the locking clip is fully seated and secure against the rack rail.
Step 2 Secure the slide rail to the rack post with the provided #10-32 screws by tightening the screws at the front and rear end of the slide rail to the rack post (Figure 5-10).
Caution Both front and rear rack posts must be secured with the screws before you install the chassis. It is critical that the screws are installed and secured to the front and rear end of the slide rails.
Step 3 For square hole racks, install one #10-32 cage nut on each side of the rack rail (Figure 5-11). Leave one square hole spacing above the slide rail. The cage nut will be used later to secure the chassis to the rack post. For threaded hole racks, no additional hardware is needed.
Step 4 Install the chassis on the outer rail. Make sure that the U-bars are aligned to the outer rail evenly, then push the chassis into the rack (Figure 5-12).
Caution Before installing the chassis, make sure that the slide rails are properly installed and that the perforated holes on the outer slide rail align with the perforated holes on the chassis.
Step 5 Tighten the screws to secure the chassis to the rack (Figure 5-13). Use the upper hole to secure the chassis to the rack.
a. For square hole racks, secure the chassis to the rack by installing the #10-32 screw into the cage nut that you installed in Step 3.
b. For threaded hole racks, secure the front of the chassis by installing the #10-32 screws into the rack threaded hole.
Removing the Chassis from the Rack
To remove the chassis from the rack, follow these steps:
Step 1 Remove the screws from the front brackets of the rail post (Figure 5-14).
Figure 5-14 Removing the Screws from the Outer Rail
Step 2 Pull out the chassis to the locked position.
Step 3 Press down the release hook to remove the chassis from the rack (Figure 5-15).
Figure 5-15 Pressing Down the Release Hook
Step 4 Remove the two screws from the front and rear of the rack that are securing the slide rail, and release the latch and pull out the rails (Figure 5-16).
Figure 5-16 Releasing the Latch to Pull Out the Rails
Rack-Mounting the Chassis Using the Fixed Rack Mount
If you are not able to use the slide rail kit in your rack installation, an optional fixed rack mount solution is available.
Chapter 5 Installing the IPS 4510 and IPS 4520 Rack-Mounting the Chassis Using the Fixed Rack Mount Position the front bracket on the side of the sensor and line up the bracket screws with the screw holes on the sensor.
(Optional) Install the proper slide-mount brackets onto the rear bracket on the chassis.
Installing the Cable Management Brackets

The IPS 4510 and IPS 4520 ship with two cable management brackets that you can use to organize the cables connected to the sensor.

To install the cable management brackets on the sensor, follow these steps:

Step 1 Power off the sensor.
Step 2 Remove the power cable from the sensor.
Figure 5-18 Cable Management Brackets for the Slide Rail

Step 4 Tighten the screws into the rack.
Step 5 Reattach the power cable to the sensor.
Step 6 Organize the cables through the cable management brackets on the sensor.
Step 7 Power on the sensor.
IPS 4500 Series Sensors and the SwitchApp

The 4500 series sensors have a built-in switch that provides the external monitoring interfaces of the sensor. The SwitchApp is part of the IPS 4500 series design that enables the InterfaceApp and the sensor initialization scripts to communicate with and control the switch. Any application that needs to get or set information on the switch must communicate with the SwitchApp.
CHAPTER 6 Installing and Removing the ASA 5500 AIP SSM

Contents

This chapter describes the ASA 5500 AIP SSM and contains the following sections:
• Installation Notes and Caveats, page 6-1
• Product Overview, page 6-2
• Specifications, page 6-4
• Memory Specifications, page 6-4
• Hardware and Software Requirements, page 6-4
• Indicators, page 6-5
• Installation and Removal Instructions, page 6-5

Installation Notes and Caveats

Pay attention to the following installation notes and caveats bef
Product Overview

The Cisco ASA Advanced Inspection and Prevention Security Services Module (ASA 5500 AIP SSM) is the IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. The adaptive security appliance software integrates firewall, VPN, and intrusion detection and prevention capabilities in a single platform.
In promiscuous mode, the IPS receives packets over the GigabitEthernet interface, examines them for intrusive behavior, and generates alerts based on a positive result of the examination. In inline mode, there is the additional step of sending all packets that did not result in an intrusion back out the GigabitEthernet interface.
Specifications

Table 6-1 lists the specifications for the ASA 5500 AIP SSM:

Table 6-1 ASA 5500 AIP SSM Specifications

Specification              Description
Dimensions (H x W x D)     1.70 x 6.80 x 11.00 inches
Weight                     Minimum: 2.50 lb; Maximum: 3.00 lb (1)
Operating temperature      +32° to +104°F (+0° to +40°C)
Nonoperating temperature   –40° to +167°F (–40° to +75°C)
Humidity                   10% to 90%, noncondensing

1. 2.70 lb for 45 c heatsink, approximately 3.
Indicators

Figure 6-3 shows the ASA 5500 AIP SSM indicators.

Figure 6-3 ASA 5500 AIP SSM Indicators

Table 6-3 describes the ASA 5500 AIP SSM indicators.

Table 6-3 ASA 5500 AIP SSM Indicators

    LED      Color   State      Description
1   PWR      Green   On         The system has power.
2   STATUS   Green   Flashing   The system is booting.
                     Solid      The system has passed power-up diagnostics.
Step 3 Remove the two screws at the left back end of the chassis, and remove the slot cover.

Note Store the slot cover in a safe place for future use. You must install slot covers on all empty slots. This prevents EMI, which can disrupt other equipment.

Step 4
• For the procedure for using HTTPS to log in to the IDM, refer to Logging In to the IDM.

Verifying the Status of the ASA 5500 AIP SSM

You can use the show module 1 command to verify that the ASA 5500 AIP SSM is up and running. The following values are valid for the Status field:
• Initializing—The ASA 5500 AIP SSM is being detected and the control communication is being initialized by the system.
Step 5 Locate the grounding strap from the accessory kit and fasten it to your wrist so that it contacts your bare skin. Attach the other end to the chassis.
Step 6 Remove the two screws at the left back end of the chassis.
Step 7 Remove the ASA 5500 AIP SSM and set it aside.

Note If you are not replacing the ASA 5500 AIP SSM immediately, install the blank slot cover.

Step 8
CHAPTER 7 Installing and Removing the ASA 5585-X IPS SSP

Contents

This chapter describes the Cisco ASA 5585-X IPS SSP, and contains the following sections:
• Installation Notes and Caveats, page 7-1
• Introducing the ASA 5585-X IPS SSP, page 7-2
• Specifications, page 7-3
• Hardware and Software Requirements, page 7-4
• Front Panel Features, page 7-4
• Memory Requirements, page 7-8
• SFP/SFP+ Modules, page 7-9
• Installing the ASA 5585-X IPS SSP, page 7-9
• Installing SFP/SFP+
Introducing the ASA 5585-X IPS SSP

You can install the Cisco Intrusion Prevention System Security Services Processor (ASA 5585-X IPS SSP) in the ASA-5585-X adaptive security appliance. The ASA 5585-X is a 2RU, two-slot chassis. The Security Services Processor (ASA 5585-X SSP) resides in slot 0 (the bottom slot) and the ASA 5585-X IPS SSP resides in slot 1 (the top slot).
another power supply module for a redundant power supply configuration. The SSP-10 with IPS SSP-10 has two CPUs, six DIMM modules, two embedded crypto accelerators, and two dual-port 10-GB uplinks for the SFP/SFP+ interfaces.

ASA 5585-X SSP-20 With IPS SSP-20

The ASA 5585-X SSP-20 with IPS SSP-20 provides firewall, VPN support, intrusion prevention system protection, and 20 interfaces (2 SFP/SFP+ and 18 copper Gigabit Ethernet).
Hardware and Software Requirements

The ASA 5585-X IPS SSP has the following hardware and software requirements:
• Cisco ASA 5585-X adaptive security appliance
– ASA 5585-X SSP-10 with IPS SSP-10
– ASA 5585-X SSP-20 with IPS SSP-20
– ASA 5585-X SSP-40 with IPS SSP-40
– ASA 5585-X SSP-60 with IPS SSP-60
• Cisco Adaptive Security Appliance Software ASA 8.2(4.
Front Panel Features

1  ASA 5585-X IPS SSP (Slot 1)                                             9
2  SSP (Slot 0)                                                           10  USB port
3  SSP/ASA 5585-X IPS SSP Removal Screws                                  11  USB port
4  Reserved bays for hard disk drives (1)                                 12  Front panel indicators
5  TenGigabitEthernet 0/1 (10-Gb fiber, SFP, or SFP+)                     13  Auxiliary port (RJ45)
6  TenGigabitEthernet 0/0 (1-Gb fiber, SFP, or SFP+)                      14  Console port (RJ45)
7  GigabitEthernet 1/0 through 1/7, from right to left (1-Gb copper, RJ45) 15  Eject (2)
5  TenGigabitEthernet 1/9 (10-Gb fiber, SFP, or SFP+)                      14  Front panel indicators
6  TenGigabitEthernet 1/8 (1-Gb fiber, SFP, or SFP+)                       15  Auxiliary port (RJ45)
7  TenGigabitEthernet 1/7 (10-Gb fiber, SFP, or SFP+)                      16  Console port (RJ45)
8  TenGigabitEthernet 0/6 (SSP in slot 2)                                  17  Eject (2)
   TenGigabitEthernet 1/6 (ASA 5585-X IPS SSP in slot 1)
   (1-Gb fiber, SFP, or SFP+)
9  GigabitEthernet 0/0 through 0/5 (SSP in slot 2) Gi
Table 7-2 describes the front panel indicators on the ASA 5585-X IPS SSP.

Table 7-2 ASA 5585-X IPS SSP Front Panel Indicators

Indicator   Description
PWR         Indicates whether the system is off or on:
            • Off—No power.
            • Green—System has power.
BOOT        Indicates how the power-up diagnostics are proceeding: (1)
            • Flashing green—Power-up diagnostics are running or the system is booting.
ALARM
Table 7-3 shows the Ethernet port indicators.
SFP/SFP+ Modules

The SFP/SFP+ module is a hot-swappable input/output device that plugs into the SFP/SFP+ ports and provides Gigabit Ethernet connectivity. The SFP and SFP+ modules are optional and not included with the ASA 5585-X IPS SSP. You can purchase them separately. For 1 Gb, you need an SFP. For 10 Gb, you need an SFP+. The interfaces are called TenGigabitEthernet 0/x whether or not they are 10 Gb-enabled.
Installing the ASA 5585-X IPS SSP

From the front panel of the ASA 5585-X, loosen the captive screws on the upper left and right of the slot tray (slot 1), and remove it. Store it in a safe place for future use.

You must install slot trays in all empty slots to maintain the proper air flow. This prevents EMI, which can disrupt other equipment.
For More Information

• For more information about ESD, see Preventing Electrostatic Discharge Damage, page 2-3.
• For the procedure for verifying that the ASA 5585-X IPS SSP is properly installed, see Verifying the Status of the ASA 5585-X IPS SSP, page 7-12.
• For the procedure for using the setup command to initialize the ASA 5585-X IPS SSP, see Appendix B, “Initializing the Sensor.
To connect to the SFP/SFP+ port if you are using fiber ports, follow these steps:

Step 1 Install the SFP/SFP+ module.
Step 2 Connect one end of the LC cable to the SFP/SFP+.
Step 3 Connect the other end of the LC cable to a network device, such as a router or switch.
To verify the status of the ASA 5585-X IPS SSP, follow these steps:

Step 1 Log in to the adaptive security appliance.
Step 2 Verify the status of the ASA 5585-X IPS SSP:

asa# show module 1
Mod Card Type                                    Model              Serial No.
Grasp the ejection levers at the left and right bottom of the module slot and pull them out.
Step 11 Replace the screws.
Step 12 Reconnect the power cable to the ASA 5585-X.
Step 13 Power on the ASA 5585-X.
Step 14 Verify that the PWR indicator on the front panel is green. You can also verify that the ASA 5585-X IPS SSP is online using the show module 1 command.
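The show module 1 check that both the ASA 5500 AIP SSM section (Verifying the Status of the ASA 5500 AIP SSM) and the ASA 5585-X IPS SSP steps rely on is easy to automate when a deployment script has to wait for the module to come up. The following is an added example, not code from the Cisco guide: it builds a constructed show module 1 listing in the ASA's column layout (the serial number and MAC range are placeholders, and the card type and model strings are assumed), slices each table by the offsets of its header columns rather than splitting on whitespace (so multi-word values survive), and reports the module and IPS application status. Only Up and Initializing are taken from the guide; any other value is treated as not ready.

```python
"""Parse the Status fields of an ASA `show module 1` listing.

Added example, not code from the Cisco guide. The listing is constructed to
mirror the column layout the guide's verification step refers to; serial
number and MAC values are placeholders, card type and model are assumed.
"""


def render_show_module(app_status="Up", mod_status="Up", data_plane="Up"):
    """Build a constructed `show module 1` listing with the given status fields."""
    return "\n".join([
        "Mod Card Type                                    Model              Serial No.",
        "--- -------------------------------------------- ------------------ -----------",
        "  1 ASA 5585-X IPS Security Services Processor-1 ASA5585-SSP-IPS10  PLACEHOLDER",
        "",
        "Mod SSM Application Name           Status           SSM Application Version",
        "--- ------------------------------ ---------------- --------------------------",
        "  1 " + "IPS".ljust(31) + app_status.ljust(17) + "7.1(1)E4",
        "",
        "Mod Status             Data Plane Status     Compatibility",
        "--- ------------------ --------------------- -------------",
        "  1 " + mod_status.ljust(19) + data_plane.ljust(22),
        "",
    ])


def _table(output, header_prefix):
    """Return (header line, data rows) of the table whose header starts with header_prefix."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(header_prefix):
            rows = []
            for row in lines[i + 2:]:  # skip the dashed separator under the header
                if not row.strip():
                    break
                rows.append(row)
            return line, rows
    raise ValueError(f"table starting with {header_prefix!r} not found")


def _col(header, row, name, next_name=None):
    """Slice one column out of a row using the header's column start offsets."""
    start = header.index(name)
    end = header.index(next_name) if next_name else None
    return row[start:end].strip()


def module_status(output, mod=1):
    """Status and Data Plane Status of the module from the 'Mod Status' table."""
    header, rows = _table(output, "Mod Status")
    for row in rows:
        if row.split()[0] == str(mod):
            return {
                "status": _col(header, row, "Status", "Data Plane Status"),
                "data_plane": _col(header, row, "Data Plane Status", "Compatibility"),
            }
    raise ValueError(f"module {mod} not listed")


def application_status(output, mod=1):
    """Name, Status and version of the SSM application running on the module."""
    header, rows = _table(output, "Mod SSM Application Name")
    for row in rows:
        if row.split()[0] == str(mod):
            return {
                "application": _col(header, row, "SSM Application Name", "Status"),
                "status": _col(header, row, "Status", "SSM Application Version"),
                "version": _col(header, row, "SSM Application Version"),
            }
    raise ValueError(f"module {mod} not listed")


def ips_online(output, mod=1):
    """True only when the module and its IPS application both report Up.

    "Initializing" is the transitional value the guide defines; it and any
    other value mean "not ready yet", so a script should re-check rather
    than proceed to configuration.
    """
    return (module_status(output, mod)["status"] == "Up"
            and application_status(output, mod)["status"] == "Up")


if __name__ == "__main__":
    listing = render_show_module()
    print(listing)
    print("module:", module_status(listing))
    print("application:", application_status(listing))
    print("online:", ips_online(listing))
```

In practice the listing would come from the appliance session rather than from render_show_module; feeding the captured text to ips_online in a retry loop gives a clean wait-until-Up for a provisioning script.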
APPENDIX A Logging In to the Sensor

Contents

This chapter explains how to log in to the sensor. All IPS platforms allow ten concurrent login sessions.
For More Information

For the procedure for creating the service account, refer to Creating the Service Account, page E-5.

Logging In to the Appliance

Note You can log in to the appliance from a console port. The currently supported Cisco IPS appliances are the IPS 4240, IPS 4255, and IPS 4260 [IPS 7.0(x) and later and IPS 7.1(5) and later], IPS 4270-20 [IPS 7.1(3) and later], IPS 4345 and IPS 4360 [IPS 7.
Connecting an Appliance to a Terminal Server

A terminal server is a router with multiple low-speed, asynchronous ports that are connected to other serial devices. You can use terminal servers to remotely manage network equipment, including appliances.
Logging In to the ASA 5500 AIP SSM

You log in to the ASA 5500 AIP SSM from the adaptive security appliance. To session in to the ASA 5500 AIP SSM from the adaptive security appliance, follow these steps:

Step 1 Log in to the adaptive security appliance.

Note If the adaptive security appliance is operating in multi-mode, use the change system command to get to the system level prompt before continuing.

Step 2
Logging In to the ASA 5500-X IPS SSP

You log in to the ASA 5500-X IPS SSP from the adaptive security appliance. To session in to the ASA 5500-X IPS SSP from the adaptive security appliance, follow these steps:

Step 1 Log in to the adaptive security appliance.

Note If the adaptive security appliance is operating in multi-mode, use the change system command to get to the system level prompt before continuing.

Step 2
For More Information

For the procedure for using the setup command to initialize the ASA 5500-X IPS SSP, see Advanced Setup for the ASA 5500-X IPS SSP, page B-17.

Logging In to the ASA 5585-X IPS SSP

You log in to the ASA 5585-X IPS SSP from the adaptive security appliance. To session in to the ASA 5585-X IPS SSP from the adaptive security appliance, follow these steps:

Step 1 Log in to the adaptive security appliance.
For More Information

For the procedure for initializing the ASA 5585-X IPS SSP using the setup command, see Advanced Setup for the ASA 5585-X IPS SSP, page B-21.

Logging In to the Sensor

Note After you have initialized the sensor using the setup command and enabled Telnet, you can use SSH or Telnet to log in to the sensor.
APPENDIX B Initializing the Sensor

Contents

This chapter describes how to use the setup command to initialize the sensor, and contains the following sections:
• Understanding Initialization, page B-1
• Simplified Setup Mode, page B-2
• System Configuration Dialog, page B-2
• Basic Sensor Setup, page B-4
• Advanced Setup, page B-7
• Verifying Initialization, page B-25

Understanding Initialization

After you install the sensor on your network, you must use the setup command to initialize i
Simplified Setup Mode

The sensor automatically calls the setup command when you connect to the sensor using a console cable and the sensor basic network settings have not yet been configured. The sensor does not call automatic setup under the following conditions:
• When initialization has already been successfully completed.
• If you have recovered or downgraded the sensor.
System Configuration Dialog

Default settings are in square brackets '[]'.

Current time: Wed Nov 11 21:19:51 2009

Setup Configuration last modified:

Enter host name[sensor]:
Enter IP interface[192.168.1.2/24,192.168.1.1]:
Modify current access list?[no]:
Current access list entries:
  [1] 0.0.0.0/0
Delete:
Permit:
Use DNS server for Global Correlation?[no]:
DNS server IP address[171.68.226.
Purpose: Tracks product efficacy
Participation Level = "Full" additionally includes:
  * Type of Data: Victim IP Address and port
    Purpose: Detect threat behavioral patterns
Do you agree to participate in the SensorBase Network?[no]:

For More Information

For detailed information on the global correlation features, for the IDM refer to Configuring Global Correlation, for the IME refer to Configuring Global Correlation, and for the CLI, refer to Configuri
Step 7
Caution You must configure a DNS server or an HTTP proxy server for global correlation to operate:
a. Enter yes to add a DNS server, and then enter the DNS server IP address.
b. Enter yes to add an HTTP proxy server, and then enter the HTTP proxy server IP address and port number.
Step 8 You must have a valid sensor license for global correlation features to function.
Step 9
o. Specify the standard time zone offset. Specify the standard time zone offset from UTC in minutes (negative numbers represent time zones west of the Prime Meridian). The default is 0.
p. Enter yes if you want to use NTP. To use authenticated NTP, you need the NTP server IP address, the NTP key ID, and the NTP key value. If you do not have those at this time, you can configure NTP later. Otherwise, you can choose unauthenticated NTP.
service global-correlation
network-participation full
exit

[0] Go to the command prompt without saving this config.
[1] Return to setup without saving this config.
[2] Save this configuration and exit setup.
[3] Continue to Advanced setup.

Step 11 Enter 2 to save the configuration (or 3 to continue with advanced setup using the CLI).

Enter your selection[2]: 2
Configuration Saved.
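Two answers in the dialog above decide whether you can still reach the sensor after you choose [2] Save this configuration: the Enter IP interface value (address/prefix,gateway, defaulting to 192.168.1.2/24,192.168.1.1) and the access list, which ships as a single 0.0.0.0/0 entry that permits any host to reach the management interface. The following is an added example, not part of the Cisco guide, that checks both answers before they are committed; the management host and network values in it are constructed for the demonstration.

```python
"""Sanity checks for answers to the System Configuration Dialog.

Added example, not part of the Cisco guide. It checks the 'Enter IP
interface' answer (address/prefix,gateway) and the management access
list; the demo host and network values are constructed.
"""
import ipaddress


def parse_ip_interface(answer):
    """Split 'address/prefix,gateway' (the dialog default is
    192.168.1.2/24,192.168.1.1) into an interface and a gateway address."""
    addr_part, sep, gw_part = answer.partition(",")
    if not sep or not gw_part.strip():
        raise ValueError("expected address/prefix,gateway")
    return ipaddress.ip_interface(addr_part.strip()), ipaddress.ip_address(gw_part.strip())


def check_ip_interface(answer):
    """Return a list of problems with the IP interface answer (empty means consistent)."""
    problems = []
    iface, gateway = parse_ip_interface(answer)
    net = iface.network
    if gateway not in net:
        problems.append("gateway is not in the sensor's subnet")
    if gateway == iface.ip:
        problems.append("gateway equals the sensor address")
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append("sensor address is the network or broadcast address")
    return problems


def check_access_list(entries, management_host):
    """entries: CIDR strings as listed under 'Current access list entries'.

    Flags the default permit-all entry and confirms the host you manage
    from is still permitted; the list is what limits who can reach the
    sensor's management interface at all.
    """
    problems = []
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    host = ipaddress.ip_address(management_host)
    if any(n.prefixlen == 0 for n in nets):
        problems.append("access list permits any host; restrict it to management hosts")
    if not any(host in n for n in nets):
        problems.append(f"management host {host} would be locked out")
    return problems


def validate_setup_answers(ip_interface, access_list, management_host):
    """Combined report to review before choosing [2] Save this configuration."""
    return check_ip_interface(ip_interface) + check_access_list(access_list, management_host)


if __name__ == "__main__":
    # Constructed values: the dialog defaults plus a single management host.
    print(validate_setup_answers("192.168.1.2/24,192.168.1.1", ["0.0.0.0/0"], "192.168.1.50"))
    print(validate_setup_answers("192.168.1.2/24,192.168.1.1", ["192.168.1.0/24"], "192.168.1.50"))
```

The first call reports the permit-all entry, the second returns an empty list; an empty list is the condition to require before saving, and the gateway-in-subnet check catches the most common reason a sensor is unreachable after its first reboot.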
The interfaces change according to the appliance model, but the prompts are the same for all models.

To continue with advanced setup for the appliance, follow these steps:

Step 1 Log in to the appliance using an account with administrator privileges.
Step 2 Enter the setup command. The System Configuration Dialog is displayed. Press Enter or the spacebar to skip to the menu to access advanced setup.
Step 3 Enter 3 to access advanced setup.
[2] Add/Modify Inline Vlan Pairs.
[3] Add/Modify Promiscuous Vlan Groups.
[4] Add/Modify Inline Interface Pairs.
[5] Add/Modify Inline Interface Pair Vlan Groups.
[6] Modify interface default-vlan.
Option:

Step 9 Enter 2 to add inline VLAN pairs and display the list of available interfaces.

Caution The new VLAN pair is not automatically added to a virtual sensor.
Step 15 Enter 4 to add an inline interface pair and see these options.

Available Interfaces
GigabitEthernet0/1
GigabitEthernet0/2
GigabitEthernet0/3

Step 16 Enter the pair name, description, and which interfaces you want to pair.

Pair name: newPair
Description[Created via setup by user asmith:
Interface1[]: GigabitEthernet0/1
Interface2[]: GigabitEthernet0/2
Pair name:

Step 17 Press Enter to return to the top-level interface editing menu.
Event Action Rules: rules0
Signature Definitions: sig0
Inline Vlan Pair: GigabitEthernet0/0:1 (Vlans: 200, 300)
Inline Interface Pair: newPair (GigabitEthernet0/1, GigabitEthernet0/2)
[1] Remove virtual sensor.
[2] Modify "vs0" virtual sensor configuration.
[3] Create new virtual sensor.
Option:

GigabitEthernet0/1, GigabitEthernet0/2)
Add Interface:

Step 24 Press Enter to return to the top-level interface and virtual sensor configuration menu.
vlan2 300
exit
exit
exit
physical-interfaces GigabitEthernet0/1
admin-state enabled
exit
physical-interfaces GigabitEthernet0/2
admin-state enabled
exit
physical-interfaces GigabitEthernet0/0
admin-state enabled
exit
inline-interfaces newPair
description Created via setup by user asmith
interface1 GigabitEthernet0/1
interface2 GigabitEthernet0/2
exit
exit
service analysis-engine
virtual-sensor newVs
description Created via setup by user cisco
signature-de
For More Information

• For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page C-1.
• For the procedure for using HTTPS to log in to the IDM, refer to Logging In to the IDM.
• For the procedures for configuring intrusion prevention on your sensor, refer to the following guides:
– Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 7.
Note You do not need to configure interfaces on the ASA 5500 AIP SSM. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5500 AIP SSM than for other sensors.

[1] Modify interface default-vlan.
Option:

Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
Step 16 Enter 1 to use the existing anomaly detection configuration, ad0.

Signature Definition Configuration
[1] sig0
[2] Create a new signature definition configuration
Option[2]:

Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig.
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 342
exit
service analysis-engine
virtual-sensor newVs
description New Sensor
signature-definition newSig
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
exit
physical-interfaces GigabitEthernet0/1
exit
exit
service event-action-rules rules0
overrides deny-p
For More Information

• For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page C-1.
• For the procedure for using HTTPS to log in to the IDM, refer to Logging In to the IDM.
• For the procedures for configuring intrusion prevention on your sensor, refer to the following guides:
– Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 7.
Note You do not need to configure interfaces on the ASA 5500-X IPS SSP. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5500-X IPS SSP than for other sensors.

[1] Modify interface default-vlan.
Option:

Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
Step 16 Enter 1 to use the existing anomaly-detection configuration, ad0.

Signature Definition Configuration
[1] sig0
[2] Create a new signature definition configuration
Option[2]:

Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig.
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 342
exit
service analysis-engine
virtual-sensor newVs
description New Sensor
signature-definition newSig
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
exit
physical-interfaces PortChannel0/0
exit
exit
service event-action-rules rules0
overrides deny-packe
For More Information

• For the procedure for obtaining the most recent IPS software, see Obtaining Cisco IPS Software, page C-1.
• For the procedure for using HTTPS to log in to the IDM, refer to Logging In to the IDM.
• For the procedures for configuring intrusion prevention on your sensor, refer to the following guides:
– Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 7.
Note You do not need to configure interfaces on the ASA 5585-X IPS SSP. You should ignore the modify interface default VLAN setting. The separation of traffic across virtual sensors is configured differently for the ASA 5585-X IPS SSP than for other sensors.

[1] Modify interface default-vlan.
Option:

Step 9 Press Enter to return to the top-level interface and virtual sensor configuration menu.
Step 16 Enter 1 to use the existing anomaly-detection configuration, ad0.

Signature Definition Configuration
[1] sig0
[2] Create a new signature definition configuration
Option[2]:

Step 17 Enter 2 to create a signature-definition configuration file.
Step 18 Enter the signature-definition configuration name, newSig.
ftp-timeout 300
no login-banner-text
exit
time-zone-settings
offset 0
standard-time-zone-name UTC
exit
summertime-option disabled
ntp-option disabled
exit
service web-server
port 342
exit
service analysis-engine
virtual-sensor newVs
description New Sensor
signature-definition newSig
event-action-rules rules0
anomaly-detection
anomaly-detection-name ad0
exit
physical-interfaces PortChannel0/0
exit
exit
service event-action-rules rules0
overrides deny-packe
Verifying Initialization

Note The CLI output is an example of what your configuration may look like. It will not match exactly due to the optional setup choices, sensor model, and IPS 7.1 version you have installed.

To verify that you initialized your sensor, follow these steps:

Step 1 Log in to the sensor.
Step 2 View your configuration.
exit
exit
status
enabled true
exit
exit
signatures 2004 0
alert-frequency
summary-mode fire-all
exit
exit
status
enabled true
exit
exit
exit
! ------------------------------
service ssh-known-hosts
rsa1-keys 10.89.146.
Step 4 Write down the certificate fingerprints. You need the fingerprints to check the authenticity of the certificate when connecting to this sensor with a web browser.
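The fingerprints written down in Step 4 are only useful if the later comparison is done carefully: the value the browser shows is a hash of the certificate's DER encoding, and a mismatch means the TLS endpoint you reached is not the sensor you initialized. The following is an added example, not code from the Cisco guide, of that check done offline: it decodes a PEM export to DER, computes SHA-1 and MD5 fingerprints, and compares against the recorded string in constant time after normalizing separators and case (the exact text format the sensor prints for its fingerprints is not shown on this page). The certificate bytes are a constructed placeholder, not a real certificate.

```python
"""Verify a presented TLS certificate against the fingerprint recorded at
initialization.

Added example, not from the Cisco guide. SAMPLE_DER is a constructed
placeholder (a minimal ASN.1 SEQUENCE), not a real certificate; the exact
fingerprint text format the sensor prints is not shown on this page, so
the comparison normalizes separators and case before comparing.
"""
import base64
import hashlib
import hmac

# Constructed DER placeholder, used only so the PEM round trip and the
# comparison can be exercised offline.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem):
    """Decode PEM armor to DER bytes (what a browser export or openssl s_client shows)."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(der, algorithm="sha1"):
    """Colon-separated uppercase hex digest of the DER encoding."""
    digest = hashlib.new(algorithm, der, usedforsecurity=False).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Keep only hex digits, uppercase, so 'da:39..', 'DA 39 ..' and 'da39..' compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def matches_recorded(der, recorded, algorithm="sha1"):
    """Constant-time check of the presented certificate against the recorded fingerprint."""
    return hmac.compare_digest(normalize(fingerprint(der, algorithm)), normalize(recorded))


if __name__ == "__main__":
    recorded = fingerprint(SAMPLE_DER)   # what you would have written down at setup
    presented = pem_to_der(SAMPLE_PEM)   # what the browser is now showing you
    print("SHA1:", recorded)
    print("MD5: ", fingerprint(SAMPLE_DER, "md5"))
    print("match:", matches_recorded(presented, recorded))
```

A false result from matches_recorded is the signal to stop and investigate (wrong host, a replaced certificate after reimaging, or interception) rather than click through the browser warning.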
APPENDIX C Obtaining Software

Contents

This chapter provides information on obtaining Cisco IPS software for the sensor. It contains the following sections:
• Obtaining Cisco IPS Software, page C-1
• IPS 7.1 Files, page C-2
• IPS Software Versioning, page C-3
• IPS Software Release Examples, page C-5
• Accessing IPS Documentation, page C-7
• Cisco Security Intelligence Operations, page C-7
• Obtaining a License Key From Cisco.
Step 3 Under Select a Software Product Category, choose Security Software.
Step 4 Choose Intrusion Prevention System (IPS).
Step 5 Enter your username and password.
Step 6 In the Download Software window, choose IPS Appliances > Cisco Intrusion Prevention System and then click the version you want to download.

Note You must have an IPS subscription service license to download software.

Step 7 Click the type of software file you need.
IPS Software Versioning

When you download IPS software images from Cisco.com, you should understand the versioning scheme so that you know which files are base files, which are cumulative, and which are incremental. This section describes the various IPS software files.

Major Update

A major update contains new functionality or an architectural change in the product. For example, the Cisco IPS 7.
Figure C-1 illustrates what each part of the IPS software file represents for major and minor updates, service packs, and patch releases.

Figure C-1 IPS Software File Name for Major and Minor Updates, Service Packs, and Patch Releases

IPS-identifier-K9-x.y-z[a or p1]-E1.
Recovery and System Image Files

Recovery and system image files contain separate versions for the installer and the underlying application. The installer version contains a major and minor version field. The major version is incremented by one for any major change to the image installer, for example, switching from .tar to rpm or changing kernels.
Release                Target Frequency        Identifier   Example Version   Example Filename
Recovery package (6)   Annually or as needed   r            1.1-7.2(1)        IPS-identifier-K9-r-1.1-a-7.2-1-E4.pkg
System image (7)       Annually                sys          Separate file     IPS-SSP_60-K9-sys-1.1-a-7.1-2-E4.img
                                                            per sensor        IPS-4345-K9-sys-1.1-a-7.1-2-E4.img
                                                            platform          IPS-SSP_5545-K9-sys-1.1-a-7.1-2-E4.aip
                                                                              IPS-4510-K9-sys-1.1-a-7.1-4-E4.img

1. Signature updates include the latest cumulative IPS signatures.
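Knowing which fields of a file name are the installer version, the application version, the patch suffix and the engine level is what lets an operator check a downloaded file against the release they intend to install before copying it to a sensor. The following is an added example, not code from the Cisco guide: a parser for the update form shown in Figure C-1 (IPS-identifier-K9-x.y-z[a or p1]-E1) and the recovery and system image form used in the table above, with a classifier into the release categories the guide names. The rule used to tell a major or minor update from a service pack by the z field, and the sample patch file name IPS-K9-7.1-3p1-E4.pkg, are assumptions made here following the figure's pattern, not values stated on this page.

```python
"""Parse IPS software file names into the fields of Figure C-1.

Added example, not from the Cisco guide. Recognizes the update form
IPS-identifier-K9-x.y-z[a or p1]-E1 and the recovery/system image form
IPS-<platform>-K9-{r|sys}-<installer>-a-x.y-z-E<n>. The mapping of the
z field to major/minor update versus service pack is an assumption.
"""
import re

_NAME = re.compile(r"""
    ^IPS-
    (?:(?P<platform>[A-Za-z0-9_]+)-)?                  # e.g. 4345, SSP_60; absent for the generic update
    K9-
    (?:(?P<kind>r|sys)-(?P<inst_major>\d+)\.(?P<inst_minor>\d+)-a-)?   # recovery (r) / system image (sys) installer version
    (?P<major>\d+)\.(?P<minor>\d+)-(?P<sp>\d+)(?P<suffix>a|p\d+)?   # x.y-z[a or p1]
    -E(?P<engine>\d+)                                  # signature engine level
    (?:\.(?P<ext>pkg|img|aip))?$
""", re.VERBOSE)


def parse_ips_filename(name):
    """Return a dict of fields, or None if the name does not follow the scheme."""
    m = _NAME.match(name)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("inst_major", "inst_minor", "major", "minor", "sp", "engine"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def release_type(info):
    """Classify into the guide's release categories (the z-field rule is assumed)."""
    if info["kind"] == "r":
        return "recovery package"
    if info["kind"] == "sys":
        return "system image"
    if info["suffix"] and info["suffix"].startswith("p"):
        return "patch release"
    if info["sp"] == 1:  # assumption: z == 1 is the first release of x.y
        return "major update" if info["minor"] == 0 else "minor update"
    return "service pack"


def version_string(info):
    """Render the version the way the table shows it, e.g. 1.1-7.2(1) or 7.1(3p1)."""
    app = f"{info['major']}.{info['minor']}({info['sp']}{info['suffix'] or ''})"
    if info["kind"]:
        return f"{info['inst_major']}.{info['inst_minor']}-{app}"
    return app


if __name__ == "__main__":
    for name in ("IPS-K9-7.1-3-E4.pkg",                    # update form
                 "IPS-identifier-K9-r-1.1-a-7.2-1-E4.pkg",  # recovery package from the table
                 "IPS-4510-K9-sys-1.1-a-7.1-4-E4.img"):     # system image from the table
        info = parse_ips_filename(name)
        print(name, "->", release_type(info), version_string(info), f"engine E{info['engine']}")
```

A system image file carries a platform field, so a practical pre-install check is to confirm that field matches the sensor's Platform line from show version (for example IPS-4345-K9) before applying it.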
Accessing IPS Documentation

You can find IPS documentation at this URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/tsd_products_support_series_home.html

Or to access IPS documentation from Cisco.com, follow these steps:

Step 1 Log in to Cisco.com.
Step 2 Click Support.
Step 3 Under Support at the bottom of the page, click Documentation.
Cisco Security Intelligence Operations is also a repository of information for individual signatures, including signature ID, type, structure, and description. You can search for security alerts and signatures at this URL:
http://tools.cisco.com/security/center/search.x

Obtaining a License Key From Cisco.com

This section describes how to obtain a license key from Cisco.com and how to install it using the CLI, the IDM, or the IME.
If you already have a valid license on the sensor, you can click Download on the License pane to download a copy of your license key to the computer that the IDM or IME is running on and save it to a local file. You can then replace a lost or corrupted license, or reinstall your license after you have reimaged the sensor.
Obtaining and Installing the License Key Using the IDM or the IME

Note In addition to a valid Cisco.com username and password, you must also have a Cisco Services for IPS service contract before you can apply for a license key.

To obtain and install the license key, follow these steps:

Step 1 Log in to the IDM or the IME using an account with administrator privileges.
For More Information

For more information about obtaining a Cisco Services for IPS service contract, see Service Programs for IPS Products, page C-9.

Obtaining and Installing the License Key Using the CLI

Note You cannot install an older license key over a newer license key.

Use the copy source-url license_file_name license-key command to copy the license key to your sensor.
The directory specification should be an absolute path to the desired file. The remote host must be a TLS trusted host.

Installing the License Key

To install the license key, follow these steps:

Step 1 Log in to Cisco.com.
Step 2 Apply for the license key at this URL: www.cisco.com/go/license.

Note In addition to a valid Cisco.

Step 3
CollaborationApp   6-0600   Running
CLI                6-0600
S-2011_NOV_16_00_20_7_1_3_46 (Release) 2011-11-16T00:23:0
S-2011_NOV_16_00_20_7_1_3_46 (Release) 2011-11-16T00:23:0

Upgrade History:
  IPS-K9-7.1-3-E4   00:30:07 UTC Wed Nov 16 2011

Recovery Partition Version 1.1 - 7.
Appendix C Obtaining Software Obtaining a License Key From Cisco.com Step 10 In the Local File Path field, specify the path to the license file or click Browse Local to browse to the file. Step 11 Browse to the license file and click Open. Step 12 Click Update License. Licensing the ASA 5500-X IPS SSP For the ASA 5500-X series adaptive security appliances with the IPS SSP, the ASA requires the IPS Module license.
Appendix C Obtaining Software Obtaining a License Key From Cisco.com Realm Keys key1.0 Signature Definition: Signature Update S615.0 2012-01-03 OS Version: 2.6.29.1 Platform: IPS-4345-K9 Serial Number: FCH1445V00N No license present Sensor up-time is 5 days. Using 5318M out of 7864M bytes of available memory (67% usage) system is using 33.6M out of 160.0M bytes of available disk space (21% usage) application-data is using 70.5M out of 169.4M bytes of available disk space (44% usage) boot is using 62.
Appendix C Obtaining Software Obtaining a License Key From Cisco.com Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.
Appendix D Upgrading, Downgrading, and Installing System Images

Contents

This chapter describes how to upgrade, downgrade, and install system images.
Upgrades, Downgrades, and System Images

• You cannot use the downgrade command to revert to a previous major or minor version, for example, from Cisco IPS 7.1 to 7.0. You can only use the downgrade command to downgrade from the latest signature update or signature engine update. To revert to 7.0, you must reimage the sensor.
• You cannot downgrade the sensor using the recovery partition.

Supported FTP and HTTP/HTTPS Servers

The following FTP servers are supported for IPS software updates:
• WU-FTPD 2.6.2 (Linux)
• Solaris 2.8
• Sambar 6.0 (Windows 2000)
• Serv-U 5.0 (Windows 2000)
• MS IIS 5.

Upgrading the Sensor

Upgrade Notes and Caveats

For a list of the upgrade notes and caveats for each IPS version, refer to the Release Notes for your IPS version found at this URL: http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/prod_release_notes_list.html

Manually Upgrading the Sensor

Note: During a signature upgrade all signature configurations are retained, both the signature tunings and the custom signatures.

– https:—Source URL for the web server. The syntax for this prefix is:
https://[[username@]location][/directory]/filename
The directory specification should be an absolute path to the desired file. The remote host must be a TLS trusted host.

Upgrading the Sensor

Note: The CLI output is an example of what your configuration may look like.

Serial Number: 123456789AB
No license present
Sensor up-time is 11 days.
Using 4395M out of 5839M bytes of available memory (75% usage)
system is using 26.2M out of 160.0M bytes of available disk space (16% usage)
application-data is using 69.6M out of 171.6M bytes of available disk space (43% usage)
boot is using 57.3M out of 70.5M bytes of available disk space (86% usage)
application-log is using 494.0M out of 513.
To upgrade the recovery partition on your sensor, follow these steps:

Step 1 Download the appropriate recovery partition image file to an FTP, SCP, HTTP, or HTTPS server that is accessible from your sensor.
Caution: Some browsers add an extension to the filename. The filename of the saved file must match what is displayed on the download page or you cannot use it to upgrade the recovery partition.

Configuring Automatic Upgrades

Understanding Automatic Upgrades

Caution: In IPS 7.1(5)E4 and later the default value of the Cisco server IP address has been changed from 198.133.219.25 to 72.163.4.161 in the Auto Update URL configuration. If you have automatic update configured on your sensor, you may need to update firewall rules to allow the sensor to connect to this new IP address.

• schedule-option—Specifies the schedules for when Cisco server automatic upgrades occur. Calendar scheduling starts upgrades at specific times on specific days. Periodic scheduling starts upgrades at specific periodic intervals.
  – calendar-schedule—Configures the days of the week and times of day that automatic upgrades will be performed.

Step 3 Configure the sensor to automatically look for new upgrades either on Cisco.com or on your file server:
a. On Cisco.com. Continue with Step 4.
sensor(config-hos-aut)# cisco-server enabled
b. From your server.
sensor(config-hos-aut)# user-server enabled
c. Specify the IP address of the file server.
sensor(config-hos-ena)# ip-address 10.1.1.1
d.

user-name: tester
password:
file-copy-protocol: ftp default: scp
-----------------------------------------------
sensor(config-hos-ena)#
Step 8 Exit automatic upgrade submode.
sensor(config-hos-ena)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]:
Step 9 Press Enter to apply the changes or type no to discard them.
Recovering the Application Partition

You can recover the application partition image for the sensor if it becomes unusable. Some network configuration information is retained when you use this method, which lets you have network access after the recovery is performed.

For More Information
• For the procedure for upgrading the recovery partition to the most recent version, see Upgrading the Recovery Partition, page D-6.
• For a list of supported TFTP servers, see TFTP Servers, page D-14.
• For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page C-1.
• For the procedure for using the setup command, see Appendix B, “Initializing the Sensor.

Installing System Images

TFTP Servers

ROMMON uses TFTP to download an image and launch it. TFTP does not address network issues such as latency or error recovery. It does implement a limited packet integrity check so that packets arriving in sequence with the correct integrity value have an extremely low probability of error.

Caution: If a connection is dropped or terminated by accident, you should reestablish the connection and exit normally to prevent unauthorized access to the appliance.

Installing the IPS 4270-20 System Image

You can install the IPS 4270-20 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device.

LINKTIMEOUT=20
PKTTIMEOUT=2
RETRY=20

The variables have the following definitions:
• Address—Specifies the local IP address of the IPS 4270-20.
• Server—Specifies the TFTP server IP address where the application image is stored.
• Gateway—Specifies the gateway IP address used by the IPS 4270-20.
• Port—Specifies the Ethernet interface used for IPS 4270-20 management.
Step 10 Enter set and press Enter to verify the network settings.
Note: You can use the sync command to store these settings in NVRAM so they are maintained across boots. Otherwise, you must enter this information each time you want to boot an image from ROMMON.
Step 11 Download and install the system image.

Low Memory: 631 KB
High Memory: 2048 MB
PCI Device Table.

The variables have the following definitions:
• Address—Local IP address of the IPS 4345.
• Server—TFTP server IP address where the application image is stored.
• Gateway—Gateway IP address used by the IPS 4345.
• Port—Ethernet interface used for the IPS 4345 management.
• VLAN—VLAN ID number (leave as untagged).
• Image—System image file/path name.
• Config—Unused by these platforms.

UNIX Example
rommon> IMAGE=system_images/IPS-4345-K9-sys-1.1-a-7.1-3-E4.img
Note: The path is relative to the default tftpboot directory of the UNIX TFTP server. Images located in the default tftpboot directory do not have any directory names or slashes in the IMAGE specification.
Windows Example
rommon> IMAGE=system_images/IPS-4345-K9-sys-1.1-a-7.1-3-E4.

You can install the IPS 4510 and IPS 4520 system image by using the ROMMON on the appliance to TFTP the system image onto the compact flash device.

To install the IPS 4510 system image, follow these steps:

Step 1 Download the IPS 4510 system image file to the tftp root directory of a TFTP server that is accessible from your IPS 4510.

Step 5 If necessary, assign an IP address for the local port on the IPS 4510.
rommon> ADDRESS=ip_address
Note: Use the same IP address that is assigned to the IPS 4510.
Step 6 If necessary, assign the TFTP server IP address.
rommon> SERVER=ip_address
Step 7 If necessary, assign the gateway IP address.

Note: If the network settings are correct, the system downloads and boots the specified image on the IPS 4510. Be sure to use the IPS 4510 image.

For More Information
• For a list of supported TFTP servers, see TFTP Servers, page D-14.
• For the procedure for locating software on Cisco.com, see Obtaining Cisco IPS Software, page C-1.
Step 7 Periodically check the recovery until it is complete.
asa# show module
Mod  Card Type
---- --------------------------------------------
   0 Cisco ASA 5545 Appliance with 8 GE ports, 1
   1 IPS 5545 Intrusion Protection System

Mod  MAC Address Range
---- ---------------------------------
   0 503d.e59c.6dc1 to 503d.e59c.6dca
 ips 503d.e59c.6dcb to 503d.e59c.

Installing the ASA 5585-X IPS SSP System Image Using the hw-module Command

Note: Be sure the TFTP server that you specify can transfer files up to 60 MB in size.
Note: This process can take approximately 15 minutes to complete, depending on your network and the size of the image.
Note: The CLI output is an example of what your configuration may look like.

Example
Port IP Address [0.0.0.0]: 10.89.149.231
Step 7 Leave the VLAN ID at 0.
VLAN ID [0]:
Step 8 Specify the default gateway of the ASA 5585-X IPS SSP.
Gateway IP Address [0.0.0.0]:
Example
Gateway IP Address [0.0.0.0]: 10.89.149.254
Step 9 Execute the recovery. This transfers the software image from the TFTP server to the ASA 5585-X IPS SSP and restarts it.

Step 11 Session to the ASA 5585-X IPS SSP.
Step 12 Enter cisco three times and your new password twice.
Step 13 Initialize the ASA 5585-X IPS SSP with the setup command.

For More Information
• For a list of recommended TFTP servers, see TFTP Servers, page D-14.
• For the procedure for initializing the ASA 5585-X IPS SSP with the setup command, see Advanced Setup for the ASA 5585-X IPS SSP, page B-21.

Use SPACE to begin boot immediately.
The system enters ROMMON mode. The rommon> prompt appears.
Step 4 Check the current network settings.
rommon #0> set
ROMMON Variable Settings:
  ADDRESS=0.0.0.0
  SERVER=0.0.0.0
  GATEWAY=0.0.0.

Step 9 Verify that you have access to the TFTP server by pinging it from your local Ethernet port with one of the following commands.
rommon> ping server_ip_address
rommon> ping server
Step 10 If necessary, define the path and filename on the TFTP file server from which you are downloading the image.
rommon> IMAGE=path/file_name
Caution: Make sure that you enter the IMAGE command in all uppercase.
Appendix E Troubleshooting

Contents

This appendix contains troubleshooting tips and procedures for sensors and software.
Cisco Bug Search

Bug Search Tool (BST), the online successor to Bug Toolkit, is designed to improve your effectiveness in network risk management and device troubleshooting. BST allows partners and customers to search for software bugs based on product, release, and keyword, and aggregates key data such as bug details, product, and version.

Preventive Maintenance

Creating and Using a Backup Configuration File

To protect your configuration, you can back up the current configuration and then display it to confirm that it is the configuration you want to save. If you need to restore this configuration, you can merge the backup configuration file with the current configuration or overwrite the current configuration file with the backup configuration file.

The exact format of the source and destination URLs varies according to the file. Here are the valid types:
• ftp:—Source or destination URL for an FTP network server. The syntax for this prefix is:
ftp://[[username@]location]/relativeDirectory/filename
ftp://[[username@]location]//absoluteDirectory/filename
• scp:—Source or destination URL for the SCP network server.
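An added example, not from this guide, that parses the copy command URL forms listed above (and the https: form from Appendix D) and pre-checks them against the rules stated there: ftp:/scp: directories are relative unless written with a double slash, and an https: host must be a TLS trusted host. The trusted-host set and the sample URLs are constructed for the example.

```python
"""Parse and pre-check source/destination URLs for the IPS copy command.

Forms covered (as quoted in this guide):
  ftp://[[username@]location]/relativeDirectory/filename
  ftp://[[username@]location]//absoluteDirectory/filename
  scp://[[username@]location]//absoluteDirectory/filename
  https://[[username@]location][/directory]/filename
The trusted-host set and sample URLs are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

SUPPORTED_PREFIXES = ("ftp", "scp", "http", "https")

# Constructed stand-in for the sensor's TLS trusted-host list (populated on a
# real sensor with the tls trusted-host command).
TRUSTED_TLS_HOSTS: Set[str] = {"10.1.1.1"}

_URL_RE = re.compile(
    r"^(?P<scheme>[a-z]+)://"      # ftp, scp, http or https
    r"(?:(?P<user>[^@/]+)@)?"      # optional username@
    r"(?P<host>[^/]+)?"            # optional location (host or IP)
    r"(?P<path>/.*)$"              # /dir/file or //absdir/file
)


@dataclass
class CopyUrl:
    scheme: str
    username: Optional[str]
    host: Optional[str]
    directory: str
    filename: str
    absolute: bool  # True when the directory is anchored at the server root


def parse_copy_url(url: str) -> CopyUrl:
    """Split a copy URL into its parts, honouring the // absolute-path rule."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"not a copy URL: {url!r}")
    scheme = m.group("scheme")
    if scheme not in SUPPORTED_PREFIXES:
        raise ValueError(f"unsupported prefix {scheme}:")
    path = m.group("path")
    # ftp: and scp: use a double slash after the location for an absolute
    # directory; a single slash means relative to the login directory.
    # The web-server forms take a plain path that must itself be absolute.
    absolute = path.startswith("//") or scheme in ("http", "https")
    directory, _, filename = path.lstrip("/").rpartition("/")
    if not filename:
        raise ValueError("URL must end in a filename")
    return CopyUrl(scheme, m.group("user"), m.group("host"),
                   directory, filename, absolute)


def precheck_copy_url(url: str,
                      trusted_hosts: Set[str] = TRUSTED_TLS_HOSTS) -> List[str]:
    """Return the problems an operator should fix before running copy."""
    try:
        cu = parse_copy_url(url)
    except ValueError as err:
        return [str(err)]
    problems: List[str] = []
    if cu.host is None:
        problems.append("no location (host) given in the URL")
    if cu.scheme == "https" and cu.host not in trusted_hosts:
        problems.append(f"{cu.host} is not a TLS trusted host on this sensor")
    if cu.scheme in ("ftp", "scp") and not cu.absolute:
        problems.append("directory is relative to the login directory; "
                        "use // after the location for an absolute path")
    return problems


if __name__ == "__main__":
    for sample in ("scp://user@192.0.2.0//configuration/cfg",
                   "https://10.1.1.1/images/license.lic",
                   "https://10.1.1.2/images/license.lic",
                   "ftp://user@10.1.1.1/updates/update.pkg"):
        print(sample, "->", precheck_copy_url(sample) or ["ok"])
```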
Restoring the Current Configuration From a Backup File

To restore your current configuration from a backup file, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Back up the current configuration to the remote server.
sensor# copy scp://user@192.0.2.0//configuration/cfg current-config
Password: ********
Warning: Copying over the current configuration may leave the box in an unstable state.

Disaster Recovery

Note: For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported.

Recovering the Password

2. Log in to the sensor with the default user ID and password—cisco.
Note: You are prompted to change the cisco password.
3. Initialize the sensor.
4. Upgrade the sensor to the IPS software version it had when the configuration was last saved and copied. Trying to copy the saved configuration without getting the sensor back to the same IPS software version it had before the disaster can cause configuration errors.
5.

• Troubleshooting Password Recovery, page E-15

Understanding Password Recovery

Note: Administrators may need to disable the password recovery feature for security reasons.

Password recovery implementations vary according to IPS platform requirements. Password recovery is implemented only for the cisco administrative account and is enabled by default. The IPS administrator can then recover user passwords for other accounts using the CLI.
Use the ^ and v keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the Commands before booting, or 'c' for a command-line.
Highlighted entry is 0:
Step 2 Press any key to pause the boot process.
Step 3 Choose 2: Cisco IPS Clear Password (cisco). The password is reset to cisco. Log in to the CLI with username cisco and password cisco. You can then change the password.

rommon #1> boot
Step 4 Enter the following command to reset the confreg value to 0:
confreg 0

Recovering the ASA 5500-X IPS SSP Password

You can reset the password to the default (cisco) for the ASA 5500-X IPS SSP using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.
Note: To reset the password, you must have ASA 8.6.1 or later.

Connected to module ips. Escape character sequence is 'CTRL-^X'.
Step 5 Enter the default username (cisco) and password (cisco) at the login prompt.
login: cisco
Password: cisco
You are required to change your password immediately (password aged)
Changing password for cisco.
(current) password: cisco
Step 6 Enter your new password twice.

Recovering the ASA 5585-X IPS SSP Password

Note: To reset the password, you must have ASA 8.2(4.4) or later or ASA 8.4.2 or later. The ASA 5585-X IPS SSP is not supported in ASA 8.3(x).
You can reset the password to the default (cisco) for the ASA 5585-X IPS SSP using the CLI or the ASDM. Resetting the password causes it to reboot. IPS services are not available during a reboot.

Step 6 Enter your new password twice.
New password: new password
Retype new password: new password
***NOTICE***
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption.

Password recovery is enabled by default. You can disable password recovery through the CLI, IDM, or IME.

Disabling Password Recovery Using the CLI

To disable password recovery in the CLI, follow these steps:

Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter global configuration mode.
sensor# configure terminal
Step 3 Enter host mode.
sensor(config)# service host
Step 4 Disable password recovery.

Troubleshooting Password Recovery

When you troubleshoot password recovery, pay attention to the following:
• You cannot determine whether password recovery has been disabled in the sensor configuration from the ROMMON prompt, GRUB menu, switch CLI, or router CLI. If you attempt password recovery, it always appears to succeed. If it has been disabled, the password is not reset to cisco. The only option is to reimage the sensor.
Time Sources and the Sensor

The ASA IPS Modules
• The ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP automatically synchronize their clocks with the clock in the adaptive security appliance in which they are installed. This is the default.
• Configure them to get their time from an NTP time synchronization source, such as a Cisco router other than the parent router.
For More Information
For the procedure for configuring NTP, refer to Configuring NTP.

status = Synchronized
Step 4 If the status continues to read Not Synchronized, check with the NTP server administrator to make sure the NTP server is configured correctly.

Correcting Time on the Sensor

If you set the time incorrectly, your stored events will have the incorrect time because they are stamped with the time the event was created. The Event Store time stamp is always based on UTC time.

Advantages and Restrictions of Virtualization

• Persistent store is limited.
Virtualization has the following traffic capture requirements:
• The virtual sensor must receive traffic that has 802.1q headers (other than traffic on the native VLAN of the capture port).
• The sensor must see both directions of traffic in the same VLAN group in the same virtual sensor for any given sensor.

When to Disable Anomaly Detection

If you have anomaly detection enabled and you have your sensor configured to see only one direction of traffic, you should disable anomaly detection. Otherwise, you will receive many alerts, because anomaly detection sees asymmetric traffic as having incomplete connections, that is, like worm scanners, and fires alerts.

For More Information
• For detailed information about Global Correlation features and how to configure them, for IDM refer to Configuring Global Correlation, for IME refer to Configuring Global Correlation, and for the CLI refer to Configuring Global Correlation.

Step 6 If the Analysis Engine still reads Not Running, contact TAC with the original show tech support command output.

Troubleshooting RADIUS Authentication

Symptom: Attempt limit configured on the IPS sensor may not be enforced for a RADIUS user.
Conditions: Applicable for RADIUS users only. The RADIUS user must have logged in to the sensor at least once after RADIUS authentication is enabled or after the sensor is reset or rebooted.

• The CSA MC event server allows up to ten open subscriptions by default. You can change this value. You must have an administrative account and password to open subscriptions.
• CSA data is not virtualized; it is treated globally by the sensor.
• Host posture OS and IP addresses are integrated into passive OS fingerprinting storage. You can view them as imported OS profiles.
• You cannot see the quarantined hosts.
Troubleshooting the Appliance

• Communication Problems, page E-25
• The SensorApp and Alerting, page E-29
• Blocking, page E-36
• Logging, page E-45
• TCP Reset Not Occurring for a Signature, page E-51
• Software Upgrades, page E-52

Tip: Before troubleshooting the appliance, check the Caveats section of the Readme for the software version you have installed on your sensor to see if you are dealing with a known issue.

Troubleshooting Loose Connections

Perform the following actions to troubleshoot loose connections on sensors:
• Make sure all power cords are securely connected.
• Make sure all cables are properly aligned and securely connected for all external and internal components.
• Remove and check all data and power cables for damage. Make sure no cables have bent pins or damaged connectors.
• Make sure each device is properly seated.

When you receive the errors that the Analysis Engine is busy, wait a while before trying to make configuration changes. Use the show statistics virtual-sensor command to find out when the Analysis Engine is available again.

Communication Problems

This section helps you troubleshoot communication problems with the sensor.

Link Speed = Auto_100
Link Duplex = Auto_Full
Total Packets Received = 944333
Total Bytes Received = 83118358
Total Multicast Packets Received = 0
Total Receive Errors = 0
Total Receive FIFO Overruns = 0
Total Packets Transmitted = 397633
Total Bytes Transmitted = 435730956
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
sensor#
Step 3 Make sure the sensor IP address is unique.

--MORE--
Step 6 Add a permit entry for the workstation network address, save the configuration, and try to connect again.
Step 7 Make sure the network configuration allows the workstation to connect to the sensor. If the sensor is protected behind a firewall and the workstation is in front of the firewall, make sure the firewall is configured to allow the workstation to access the sensor.

ftp-timeout: 300 seconds
login-banner-text:
-----------------------------------------------
sensor(config-hos-net)#

Duplicate IP Address Shuts Interface Down

If you have two newly imaged sensors with the same IP address that come up on the same network at the same time, the interface shuts down. Linux prevents the command and control interface from activating if it detects an address conflict with another host.

Total Packets Transmitted = 219260
Total Bytes Transmitted = 103668610
Total Transmit Errors = 0
Total Transmit FIFO Overruns = 0
sensor#
Step 3 Make sure the sensor cabling is correct.
Step 4 Make sure the IP address is correct.
For More Information
• To make sure the sensor cabling is correct, refer to the chapter for your sensor in this document.

boot is using 57.3M out of 70.5M bytes of available disk space (86% usage)
application-log is using 494.0M out of 513.
Physical Connectivity, SPAN, or VACL Port Issue

If the sensor is not connected properly, you do not receive any alerts. To make sure the sensor is connected properly, follow these steps:

Step 1 Log in to the CLI.
Step 2 Make sure the interfaces are up and that the packet count is increasing.

Step 4 Verify the interface configuration:
• Make sure you have the interfaces configured properly.
• Verify the SPAN and VACL capture port configuration on the Cisco switch. Refer to your switch documentation for the procedure.
Step 5 Verify again that the interfaces are up and that the packet count is increasing.

sensor(config)# service signature-definition sig0
sensor(config-sig)# signatures 1300 0
sensor(config-sig-sig)# engine ?
normalizer   Signature engine
sensor(config-sig-sig)# engine normalizer
sensor(config-sig-sig-nor)# event-action produce-alert
sensor(config-sig-sig-nor)# show settings
   normalizer
   -----------------------------------------------
      event-action: produce-alert default: produce-alert|deny-connection-inline
      edit-default-sigs-only
      -----------

Sensor Not Seeing Packets

If the sensor is not seeing any packets on the network, you could have the interfaces set up incorrectly. If the sensor is not seeing packets, follow these steps:

Step 1 Log in to the CLI.
Step 2 Make sure the interfaces are up and receiving packets.

Step 4 Check to see that the interface is up and receiving packets.

Step 8 Start the IPS services.
sensor# cids start
Step 9 Log in to an account with administrator privileges.
Step 10 Reboot the sensor.
sensor# reset
Warning: Executing this command will stop all applications and reboot the node.
Continue with reset? [yes]:yes
Request Succeeded.
sensor#
For More Information
For more information on IPS system architecture, refer to System Architecture.

For More Information
• For the procedure to verify that ARC is running, see Verifying ARC is Running, page E-37.
• For the procedure to verify that ARC is connecting, see Verifying ARC Connections are Active, page E-38.
• For the procedure to verify that the Event Action is set to Block Host, see Blocking Not Occurring for a Signature, page E-42.

Upgrade History:
  IPS-K9-7.1-3-E4 00:30:07 UTC Wed Nov 16 2011
Recovery Partition Version 1.1 - 7.1(3)E4
Host Certificate Valid from: 16-Nov-2011 to 16-Nov-2013
sensor#
Step 3 If the MainApp displays Not Running, the ARC has failed. Contact TAC.
For More Information
For more information on IPS system architecture, refer to System Architecture.
Step 4 Make sure you have the latest software updates.
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 7.1(3)E4
Host:
  Realm Keys key1.0
Signature Definition:
  Signature Update S605.0 2011-10-25
OS Version: 2.6.29.1
Platform: ASA5585-SSP-IPS10
Serial Number: 123456789AB
No license present
Sensor up-time is 13 days.
Using 4395M out of 5839M bytes of available memory (75% usage)
system is using 26.2M out of 160.

For More Information
• For the procedure for obtaining the latest Cisco IPS software, see Obtaining Cisco IPS Software, page C-1.
• For more information about configuring devices, see Device Access Issues, page E-40.
• For the procedure for verifying the interfaces and directions for each network device, see Verifying the Interfaces and Directions on the Network Device, page E-41.

password:
username: netrangr default:
---------------------------------------------------------------------------------------------
cat6k-devices (min: 0, max: 250, current: 0)
---------------------------------------------------------------------------------------------
router-devices (min: 0, max: 250, current: 1)
-----------------------------------------------
ip-address: 10.89.147.

To initiate a manual block to a bogus host, follow these steps:

Step 1 Enter ARC general submode.
sensor# configure terminal
sensor(config)# service network-access
sensor(config-net)# general
Step 2 Start the manual block of the bogus host IP address.
sensor(config-net-gen)# block-hosts 10.16.0.0
Step 3 Exit general submode.

sensor(config)# service signature-definition sig0
sensor(config-sig)#
Step 3 Make sure the event action is set to block the host.
Note: If you want to receive alerts, you must always add produce-alert any time you configure the event actions.

To verify a master blocking sensor configuration, follow these steps:

Step 1 Log in to the CLI.
Step 2 View the ARC statistics and verify that the master blocking sensor entries are in the statistics.
sensor# show statistics network-access
Current Configuration
   AllowSensorShun = false
   ShunMaxEntries = 250
   MasterBlockingSensor
      SensorIp = 10.89.149.46
      SensorPort = 443
      UseTls = 1
State
   ShunEnable = true
   ShunnedAddr
      Host
         IP = 122.122.122.

   ShunEnable = true
   ShunnedAddr
      Host
         IP = 10.16.0.0
         ShunMinutes = 60
         MinutesRemaining = 59
Step 9 If the remote master blocking sensor is using TLS for web access, make sure the forwarding sensor is configured as a TLS host.

Step 7 Enter master control submode.
sensor# configure terminal
sensor(config)# service logger
sensor(config-log)# master-control
Step 8 Enable debug logging for all zones.
      severity: warning
   zone-name: csi
      severity: warning
   zone-name: ctlTransSource
      severity: warning
   zone-name: intfc
      severity: warning
   zone-name: nac
      severity: warning
   zone-name: sensorApp
      severity: warning
   zone-name: tls
      severity: warning
--------------------------
   zone-name: intfc
      severity: warning
   zone-name: nac
      severity: warning
   zone-name: sensorApp
      severity: warning
   zone-name: tls
      severity: warning
----------------------------------------------
sensor(config-log)#

Step 13 Turn on debugging for a particular zone.
   zone-name: tls
      severity: warning
----------------------------------------------
sensor(config-log)#

Step 14 Exit the logger submode.
sensor(config-log)# exit
Apply Changes:?[yes]:

Step 15 Press Enter to apply changes or type no to discard them.

For More Information
For a list of what each zone name refers to, see Zone Names, page E-49.
For More Information
To learn more about the IPS Logger service, refer to Logger.

Directing cidLog Messages to SysLog
It might be useful to direct cidLog messages to syslog. To direct cidLog messages to syslog, follow these steps:

Step 1 Go to the idsRoot/etc/log.conf file.

Step 2 Make the following changes:
a. Set [logApp] enabled=false
Comment out the enabled=true because enabled=false is the default.
b.
Caution The syslog is much slower than logApp (about 50 messages per second as opposed to 1000 or so). We recommend that you enable debug severity on one zone at a time.

TCP Reset Not Occurring for a Signature
If you do not have the event action set to reset, the TCP reset does not occur for a specific signature.

Note TCP Resets are not supported over MPLS links or the following tunnels: GRE, IPv4 in IPv4, IPv6 in IPv4, or IPv4 in IPv6.
Step 5 Make sure the correct alarms are being generated.
sensor# show events alert
evAlert: eventId=1047575239898467370 severity=medium
  originator:
    hostId: sj_4250_40
    appName: sensorApp
    appInstanceId: 1004
  signature: sigId=20000 sigName=STRING.TCP subSigId=0 version=Unknown
      addr: locality=OUT 172.16.171.19
      port: 32771
    victim:
      addr: locality=OUT 172.16.171.
Or you can use the system image file to reimage the sensor directly to the version you want. You can reimage a sensor and avoid the error because the reimage process does not check to see if the Analysis Engine is running.

Caution Reimaging using the system image file restores all configuration defaults.

For More Information
• For more information on running the setup command, see Appendix B, “Initializing the Sensor.
• If you are using SCP, make sure you have added the SSH host key to the known hosts list.
• If you get an unauthorized error message while configuring an automatic update, make sure you have the correct ports open on any firewalls between the sensor and Cisco.com. For example, you need port 443 for the initial automatic update connection to www.cisco.com, and you need port 80 to download the chosen package from a Cisco file server.
Step 8 Upgrade the sensor.
sensor(config)# upgrade scp://service@sensor_ip_address/upgrade/ips_package_file_name
Enter password: *****
Re-enter password: *****

For More Information
For the procedure for obtaining Cisco IPS software, see Obtaining Cisco IPS Software, page C-1.

Troubleshooting the IDM

Note These procedures also apply to the IPS section of ASDM.
d. Click the Cache tab.
e. Click Clear.

Step 3 If you have Java Plug-in 1.4.x installed:
a. Click Start > Settings > Control Panel > Java Plug-in 1.4.x.
b. Click the Advanced tab.
c. Under Java Runtime Environment, select JRE 1.3.x from the drop-down menu.
d. Click the Cache tab.
e. Click the Browser tab.
f. Deselect all browser check boxes.
g. Click Clear Cache.

Step 4 Delete the temp files and clear the history in the browser.
Troubleshooting the IME

   telnet-option enabled
   access-list 0.0.0.0/0
   ftp-timeout 300
   no login-banner-text
   exit
   time-zone-settings
      offset 0
      standard-time-zone-name UTC
   exit
   summertime-option disabled
   ntp-option disabled
exit
service web-server
   port 443
exit

Step 2 If network devices, such as routers, switches, or firewalls, are between the sensor and the workstation, make sure these devices are configured to allow the workstation to access the sensor web server port.
Time Synchronization on the IME and the Sensor

Symptom The IME displays No Data Available on the Events dashboard. A historical query does not return any events; however, events are coming in to the IME and they appear in the real-time event viewer.

Possible Cause The time is not synchronized between the sensor and the IME local server. The IME dashboards use a time relative to the IME local time.
Troubleshooting the ASA 5500 AIP SSM

Tip Before troubleshooting the ASA 5500 AIP SSM, check the Caveats section of the Readme for the software version you have installed on your sensor to see if you are dealing with a known issue.
Mod Status
--- ------------------
0   Up Sys
1   Shutting Down
****************************************************
asa(config)# show module
Mod Card Type
--- -------------------------------------------
0   ASA 5520 Adaptive Security Appliance
1   ASA 5500 Series Security Services Module-10

Mod MAC Address Range
--- ---------------------------------
0   000b.fcf8.7bdc to 000b.fcf8.7be0
1   000b.fcf8.0176 to 000b.fcf8.
Slot-1 161> Platform ASA-SSM-10
Slot-1 162> GigabitEthernet0/0
Slot-1 163> Link is UP
Slot-1 164> MAC Address: 000b.fcf8.0176
Slot-1 165> ROMMON Variable Settings:
Slot-1 166>   ADDRESS=10.89.150.227
Slot-1 167>   SERVER=10.89.146.1
Slot-1 168>   GATEWAY=10.89.149.254
Slot-1 169>   PORT=GigabitEthernet0/0
Slot-1 170>   VLAN=untagged
Slot-1 171>   IMAGE=IPS-SSM-K9-sys-1.1-a-5.1-0.1.
Slot-1 172>
Slot-1 173>
Slot-1 174>
Slot-1 175>
Slot-1 176>
• If the ASAs are configured in fail-close mode, and if the ASA 5500 AIP SSM on the active ASA experiences a SensorApp crash or a service pack upgrade, failover is triggered and traffic passes through the module that was previously the standby for the ASA 5500 AIP SSM.
• 1330.12
• 1330.14
• 1330.15
• 1330.16
• 1330.17
• 1330.18

For More Information
For detailed information about the Normalizer engine, see Normalizer Engine.

The ASA 5500 AIP SSM and the Data Plane

Symptom The ASA 5500 AIP SSM data plane is kept in the Up state while applying signature updates. You can check the ASA 5500 AIP SSM data plane status by using the show module command during signature updates.
TCP Reset Differences Between IPS Appliances and ASA IPS Modules
The IPS appliance sends TCP reset packets to both the attacker and victim when Reset TCP Connection is selected.
Troubleshooting the ASA 5500-X IPS SSP

This section contains troubleshooting information specific to the ASA 5500-X IPS SSP, and contains the following topics:
• Failover Scenarios, page E-65
• Health and Status Information, page E-66
• The ASA 5500-X IPS SSP and the Normalizer Engine, page E-67
• The ASA 5500-X IPS SSP and Memory Usage, page E-68
• The ASA 5500-X IPS SSP and Jumbo Packet Frame Size, page E-69
• The ASA 5500-X IPS SSP and Jumbo Packets, page E-69
•
• If the ASAs are configured in fail-close mode, and if the ASA 5500-X IPS SSP on the active ASA experiences a SensorApp crash or a service pack upgrade, failover is triggered and traffic passes through the ASA 5500-X IPS SSP that was previously the standby for the ASA 5500-X IPS SSP.
asa-ips# sw-module module ips recover configure image disk0:/IPS-SSP_5555-K9-sys-1.1-a-7.1-3-E4.aip
Image URL [tftp://192.0.2.1/IPS-5545-K9-sys-1.1-a-7.1-3-E4.aip]:
Port IP Address [192.0.2.226]:
VLAN ID [0]:
Gateway IP Address [192.0.2.254]:
asa-ips# debug module-boot
debug module-boot enabled at level 1
asa-ips# sw-module module ips reload
Reload module ips? [confirm]
Reload issued for module ips.
• 1307.0
• 1308.0
• 1309.0
• 1311.0
• 1315.0
• 1316.0
• 1317.0
• 1330.0
• 1330.1
• 1330.2
• 1330.9
• 1330.10
• 1330.12
• 1330.14
• 1330.15
• 1330.16
• 1330.17
• 1330.18

For More Information
For detailed information about the Normalizer engine, see Normalizer Engine.

The ASA 5500-X IPS SSP and Memory Usage
For the ASA 5500-X IPS SSP, the memory usage is 93%.
Table E-3 ASA 5500-X IPS SSP Memory Usage Values

Platform             Yellow   Red   Memory Used
ASA 5545-X IPS SSP   93%      96%   13%
ASA 5555-X IPS SSP   95%      98%   17%

The ASA 5500-X IPS SSP and Jumbo Packet Frame Size
Refer to the following URL for information about ASA 5500-X IPS SSP jumbo packet frame size:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.
IPS Reloading Messages

Symptom ASA syslog messages similar to the following are observed and the root cause of the message is not clear:
%ASA-1-505013: ASA-SSM-10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
%ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.
Troubleshooting the ASA 5585-X IPS SSP

• The ASA 5585-X IPS SSP and the Normalizer Engine, page E-75
• The ASA 5585-X IPS SSP and Jumbo Packet Frame Size, page E-76
• The ASA 5585-X IPS SSP and Jumbo Packets, page E-76
• IPS Reloading Messages, page E-77

Failover Scenarios
The following failover scenarios apply to the ASA 5585-X in the event of configuration changes, signature/signature engine updates, service packs, and SensorApp crashes on the ASA 5585-X IPS SSP.
failover lan unit primary
failover lan interface folink GigabitEthernet0/7
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2

Use the following configuration for the secondary ASA:
interface GigabitEthernet0/7
 description LAN Failover Interface
failover
failover lan unit secondary
failover lan interface folink GigabitEthernet0/7
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.
The module in slot 1 should be shut down before resetting it or loss of configuration may occur.
Reset module in slot 1? [confirm]
Reset issued for module in slot 1
asa# show module 1 details
Getting details from the Service Module, please wait...
Unable to read details from slot 1
ASA 5585-X IPS Security Services Processor-20 with 8GE
Model:              ASA5585-SSP-IPS20
Hardware version:   1.0
Serial Number:      ABC1234DEFG
Firmware version:   2.
App. version:       7.1(1)E4
Data plane Status:  Down
Status:             Up
Mgmt IP addr:       192.0.2.3
Mgmt Network mask:  255.255.255.0
Mgmt Gateway:       192.0.2.254
Mgmt Access List:   0.0.0.0/0
Mgmt web ports:     443
Mgmt TLS enabled:   true
asa# show module 1 details
Getting details from the Service Module, please wait...
ASA 5585-X IPS Security Services Processor-20 with 8GE
Model:              ASA5585-SSP-IPS20
Hardware version:   1.
Slot-1 152>   CONFIG=
Slot-1 153>   LINKTIMEOUT=20
Slot-1 154>   PKTTIMEOUT=4
Slot-1 155>   RETRY=20
Slot-1 156> tftp IPS-SSP_10-K9-sys-1.1-a-7.1-0.1.img@192.0.2.15 via 192.0.2.
Slot-1 157>
Slot-1 158>
Slot-1 159>
Slot-1 160>
Slot-1 161>
Slot-1 162>
Slot-1 163>
Slot-1 164>
Slot-1 165>
Slot-1 166>
Slot-1 167>
Slot-1 168>
Slot-1 169>
Slot-1 170>
Slot-1 171>
Slot-1 172>
Slot-1 173>
Slot-1 174>
Slot-1 175>
Slot-1 176>
• 1330.12
• 1330.14
• 1330.15
• 1330.16
• 1330.17
• 1330.18

For More Information
For detailed information about the Normalizer engine, see Normalizer Engine.

The ASA 5585-X IPS SSP and Jumbo Packet Frame Size
Refer to the following URL for information about ASA 5585-X IPS SSP jumbo packet frame size:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.
IPS Reloading Messages

Symptom ASA syslog messages similar to the following are observed and the root cause of the message is not clear:
%ASA-1-505013: ASA-SSM-10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
%ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.
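The %ASA-1-505013 messages shown in both IPS Reloading Messages sections (ASA 5500-X and ASA 5585-X) carry the module type, slot, application, version and, in the guide's example, a trailing reason such as Config Change. The following added example, not from the Cisco guide, parses that format from collected syslog and separates reloads that state a reason from those that do not; the syslog timestamp and hostname prefix in the constructed sample is an assumption about how a collector stores the lines, and the threshold logic is the author's, not Cisco's.

```python
"""Group ASA %ASA-1-505013 IPS module reload messages by module and reason.

Added example, not from the Cisco guide. A reload that carries "Config Change"
is explained by a configuration push; a reload with no trailing text is the
one to correlate with IPS-side events (SensorApp crash, service pack) instead.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Message body as printed in the guide: module type, slot, application,
# version, then optional trailing reason text.
RELOAD_RE = re.compile(
    r'%ASA-(?P<sev>\d)-505013: (?P<module>\S+) Module in slot (?P<slot>\d+), '
    r'application reloading "(?P<app>[^"]+)", version "(?P<version>[^"]+)"'
    r'\s*(?P<reason>.*)$'
)

# Constructed sample log modelled on the guide's examples (timestamps and the
# non-505013 line are made up to show that other messages are ignored).
SAMPLE_LOG = """\
Jan 25 02:59:18 asa-ips %ASA-1-505013: ASA-SSM-10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
Jan 25 03:10:02 asa-ips %ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.1(6)E4" Config Change
Jan 25 03:12:40 asa-ips %ASA-1-505013: ASA5585-SSP-IPS10 Module in slot 1, application reloading "IPS", version "7.1(6)E4"
Jan 25 03:15:11 asa-ips %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.7/40000 (192.0.2.7/40000) to inside:10.0.0.5/443 (10.0.0.5/443)
"""


def parse_reload(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a 505013 message, or None for any other line."""
    m = RELOAD_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # No trailing text after the version means the ASA gave no reason.
    fields["reason"] = fields["reason"].strip() or "unstated"
    return fields


def reload_summary(log: str) -> Dict[Tuple[str, str, str], int]:
    """Count reloads keyed by (module type, slot, reason)."""
    counts: Counter = Counter()
    for line in log.splitlines():
        rec = parse_reload(line)
        if rec is not None:
            counts[(rec["module"], rec["slot"], rec["reason"])] += 1
    return dict(counts)


def unexplained_reloads(log: str) -> List[Tuple[str, str]]:
    """(module type, slot) pairs that reloaded with no stated reason."""
    return sorted({(mod, slot)
                   for (mod, slot, reason) in reload_summary(log)
                   if reason == "unstated"})


if __name__ == "__main__":
    for key, n in sorted(reload_summary(SAMPLE_LOG).items()):
        print(f"{key[0]} slot {key[1]}: {n} reload(s), reason: {key[2]}")
    print("needs IPS-side correlation:", unexplained_reloads(SAMPLE_LOG))
```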
Gathering Information

Note The ASA 5500-X IPS SSP and the ASA 5585-X IPS SSP do not support bypass mode. The adaptive security appliance will either fail open, fail close, or fail over depending on the configuration of the adaptive security appliance and the type of activity being done on the IPS.

Use the show health command in privileged EXEC mode to display the overall health status information of the sensor.
Displaying Tech Support Information

Note The show tech-support command now displays historical interface data for each interface for the past 72 hours.

Use the show tech-support [page] [destination-url destination_url] command to display system information on the screen or have it sent to a specific URL. You can use the information as a troubleshooting tool with the TAC.
sensor# show tech support dest ftp://csidsuser@10.2.1.2//absolute/reports/sensor1Report.html
b. Enter the password for this user account. The Generating report: message is displayed.

Tech Support Command Output

Note This output example shows the first part of the command and lists the information for the interfaces, authentication, and the Analysis Engine.

Note The CLI output is an example of what your configuration may look like.
Host Certificate Valid from: 16-Nov-2011 to 16-Nov-2013

Output from show interfaces
Interface Statistics
   Total Packets Received = 4285610
   Total Bytes Received = 548558080
   Missed Packet Percentage = 0
MAC statistics from interface Management0/0
   Interface function = Command-control interface
   Description =
   Media Type = TX
   Default Vlan = 0
   Link Status = Up
   Link Speed = Auto_100
   Link Duplex = Auto_Full
   Total Packets Received = 9584350
   Total Bytes Received = 986
Output from show statistics analysis-engine
Analysis Engine Statistics
   Number of seconds since service started = 1150851
   Processing Load Percentage
      Thread    5 sec   1 min   5 min
      0         1       1       1
      1         1       1       1
      2         1       1       1
      Average   1       1       1
   The rate of TCP connections tracked per second = 0
   The rate of packets per second = 0
   The rate of bytes per second = 0
   Receiver Statistics
      Total number of packets processed since reset = 0
      Total number of IP packets processed since reset = 0
   Transmi
• Disk and memory usage
• Upgrade history of the applications

Note To get the same information from IDM, choose Monitoring > Sensor Monitoring > Support Information > Diagnostics Report. To get the same information from IME, choose Configuration > sensor_name > Sensor Monitoring > Support Information > Diagnostics Report.
IPS-K9-7.1-3-E4   00:30:07 UTC Wed Nov 16 2011
Recovery Partition Version 1.1 - 7.1(3)E4
Host Certificate Valid from: 16-Nov-2011 to 16-Nov-2013
sensor#

Note If the --MORE-- prompt is displayed, press the spacebar to see more information or Ctrl-C to cancel the output and get back to the CLI prompt.

Step 3 View configuration information.

Note You can use the more current-config or show configuration commands.
exit
! ------------------------------
service web-server
exit
! ------------------------------
service anomaly-detection ad0
exit
! ------------------------------
service external-product-interface
exit
! ------------------------------
service health-monitor
exit
! ------------------------------
service global-correlation
exit
! ------------------------------
service aaa
exit
! ------------------------------
service analysis-engine
sensor#

Statistics Information
The sho
• Virtual Sensor
• Web Server

Note To get the same information from IDM, choose Monitoring > Sensor Monitoring > Support Information > Statistics. To get the same information from IME, choose Configuration > sensor_name > Sensor Monitoring > Support Information > Statistics.
      TCP streams currently in the established state = 0
      TCP streams currently in the closing state = 0
      TCP streams currently in the system = 0
      TCP Packets currently queued for reassembly = 0
   The Signature Database Statistics.
      SimulatedReputationFilterPacketsInput = 0
      SimulatedReputationFilterRuleMatch = 0
      SimulatedDenyFilterInsert = 0
      SimulatedDenyFilterPacketsInput = 0
      SimulatedDenyFilterRuleMatch = 0
      TcpDeniesDueToGlobalCorrelation = 0
      TcpDeniesDueToOverride = 0
      TcpDeniesDueToOverlap = 0
      TcpDeniesDueToOther = 0
      SimulatedTcpDeniesDueToGlobalCorrelation = 0
      SimulatedTcpDeniesDueToOverride = 0
      SimulatedTcpDeniesDueToOverlap = 0
      SimulatedTcpDeniesDueToOther = 0
      LateStageDenyDueTo
         TCP Protocol
         UDP Protocol
         Other Protocol
Statistics for Virtual Sensor vs1
   No attack
   Detection - ON
   Learning - ON
   Next KB rotation at 10:00:00 UTC Sat Jan 18 2008
   Internal Zone
      TCP Protocol
      UDP Protocol
      Other Protocol
   External Zone
      TCP Protocol
      UDP Protocol
      Other Protocol
   Illegal Zone
      TCP Protocol
      UDP Protocol
      Other Protocol
sensor#

Step 4 Display the statistics for authentication.
   The current number of open subscriptions = 2
   The number of events lost by subscriptions and queries = 0
   The number of filtered events not written to the event store = 850763
   The number of queries issued = 0
   The number of times the event store circular buffer has wrapped = 0
Number of events of each type currently stored
   Status events = 4257
   Shun request events = 0
   Error events, warning = 669
   Error events, error = 8
   Error events, fatal = 0
   Alert events, inf
sensor# show statistics host
General Statistics
   Last Change To Host Config (UTC) = 25-Jan-2012 02:59:18
   Command Control Port Device = Management0/0
Network Statistics
   = ma0_0     Link encap:Ethernet  HWaddr 00:04:23:D5:A1:8D
   =           inet addr:10.89.130.98  Bcast:10.89.131.255  Mask:255.255.254.
   EnableNvramWrite = false
   EnableAclLogging = false
   AllowSensorBlock = false
   BlockMaxEntries = 11
   MaxDeviceInterfaces = 250
   NetDevice
      Type = PIX
      IP = 10.89.150.171
      NATAddr = 0.0.0.0
      Communications = ssh-3des
   NetDevice
      Type = PIX
      IP = 192.0.2.4
      NATAddr = 0.0.0.0
      Communications = ssh-3des
   NetDevice
      Type = PIX
      IP = 192.0.2.5
      NATAddr = 0.0.0.0
      Communications = telnet
   NetDevice
      Type = Cisco
      IP = 192.0.2.6
      NATAddr = 0.0.0.
      Firewall-type = FWSM
   NetDevice
      IP = 192.0.2.9
      AclSupport = uses Named ACLs
      Version = 12.2
      State = Active
   NetDevice
      IP = 192.0.2.10
      AclSupport = Uses VACLs
      Version = 8.4
      State = Active
   BlockedAddr
      Host
         IP = 203.0.113.1
         Vlan =
         ActualIp =
         BlockMinutes =
      Host
         IP = 203.0.113.2
         Vlan =
         ActualIp =
         BlockMinutes =
      Host
         IP = 203.0.113.4
         Vlan =
         ActualIp =
         BlockMinutes = 60
         MinutesRemaining = 24
      Network
         IP = 203.0.113.9
         Mask = 255.255.0.
   Last Read Time = 23:54:16 UTC Wed Nov 30 2011
   Last Read Time (nanoseconds) = 1322697256078549000
sensor#

Step 15 Display the statistics for the transaction server.
sensor# show statistics transaction-server
General
   totalControlTransactions = 35
   failedControlTransactions = 0
sensor#

Step 16 Display the statistics for a virtual sensor.
      Number of Denied Attacker Service Pairs Inserted = 0
      Number of Denied Attackers Total Hits = 0
      Number of times max-denied-attackers limited creation of new entry = 0
      Number of exec Clear commands during uptime = 0
   Denied Attackers and hit count for each.
   Denied Attackers with percent denied and hit count for each.
   The Signature Database Statistics.
      TCP streams currently in the established state = 0
      TCP streams currently in the closing state = 0
      TCP streams currently in the system = 0
      TCP Packets currently queued for reassembly = 0
   Cumulative Statistics for the TCP Stream Reassembly Unit since reset
      TCP streams that have been tracked since last reset = 0
      TCP streams that had a gap in the sequence jumped = 0
      TCP streams that was abandoned due to a gap in the sequence = 0
      TCP packets that arrived out of
      Warning Severity = 142
      TOTAL = 156
   The number of log messages written to the message log by severity
      Fatal Severity = 0
      Error Severity = 14
      Warning Severity = 1
      Timing Severity = 0
      Debug Severity = 0
      Unknown Severity = 28
      TOTAL = 43

Step 19 Verify that the statistics have been cleared. The statistics now all begin from 0.
Interfaces Command Output
The following example shows the output from the show interfaces command:
sensor# show interfaces
Interface Statistics
   Total Packets Received = 0
   Total Bytes Received = 0
   Missed Packet Percentage = 0
   Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/1
   Media Type = backplane
   Missed Packet Percentage = 0
   Inline Mode = Unpaired
   Pair Status = N/A
   Link Status = Up
   Link Speed = Auto_1000
   Link Duplex = Auto_Ful
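The show interfaces output above (and the same block in the show tech-support output earlier in this section) is what a troubleshooter reads first when a sensor is not seeing traffic. The following added example, not code from the Cisco guide, splits the output into its per-interface MAC statistics blocks and flags a link that is down, a sensing interface that is up but receiving nothing, and a Missed Packet Percentage above a threshold; the sample output is constructed in the guide's format with made-up counters, and the 1% default threshold is the author's choice, not a Cisco value.

```python
"""Health checks over captured `show interfaces` output from an IPS sensor.

Added example, not part of the Cisco guide. Field names match the guide's
output; the counters in the sample and the threshold are illustrative.
"""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the guide's show interfaces output.
SAMPLE = """\
Interface Statistics
   Total Packets Received = 4285610
   Total Bytes Received = 548558080
   Missed Packet Percentage = 0
   Current Bypass Mode = Auto_off
MAC statistics from interface GigabitEthernet0/1
   Media Type = backplane
   Missed Packet Percentage = 3
   Inline Mode = Unpaired
   Pair Status = N/A
   Link Status = Up
   Link Speed = Auto_1000
   Link Duplex = Auto_Full
   Total Packets Received = 4285610
MAC statistics from interface GigabitEthernet0/2
   Media Type = TX
   Missed Packet Percentage = 0
   Inline Mode = Unpaired
   Pair Status = N/A
   Link Status = Down
   Link Speed = N/A
   Link Duplex = N/A
   Total Packets Received = 0
MAC statistics from interface Management0/0
   Interface function = Command-control interface
   Description =
   Media Type = TX
   Default Vlan = 0
   Link Status = Up
   Link Speed = Auto_100
   Link Duplex = Auto_Full
   Total Packets Received = 9584350
"""

BLOCK_RE = re.compile(r"^MAC statistics from interface (\S+)\s*$")


def parse_interfaces(text: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> {field: value} for each MAC statistics block.

    The sensor-wide Interface Statistics lines before the first block are
    skipped; only per-interface fields are collected.
    """
    blocks: Dict[str, Dict[str, str]] = {}
    name: Optional[str] = None
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            name = m.group(1)
            blocks[name] = {}
        elif name is not None and "=" in line:
            key, _, value = line.partition("=")
            blocks[name][key.strip()] = value.strip()
    return blocks


def interface_findings(text: str, max_missed_pct: float = 1.0) -> List[str]:
    """Return one finding per problem; an empty list means nothing stood out."""
    findings: List[str] = []
    for name, fields in parse_interfaces(text).items():
        # The command-control interface carries management traffic only, so
        # "no packets received" is not a sensing problem there.
        is_mgmt = fields.get("Interface function", "").startswith("Command-control")
        if fields.get("Link Status") != "Up":
            findings.append(f"{name}: link is {fields.get('Link Status', 'unknown')}")
            continue                      # remaining checks are meaningless on a down link
        missed = fields.get("Missed Packet Percentage")
        if missed is not None and float(missed) > max_missed_pct:
            findings.append(f"{name}: missed packet percentage {missed}% exceeds {max_missed_pct}%")
        if not is_mgmt and fields.get("Total Packets Received") == "0":
            findings.append(f"{name}: sensing interface is up but has received no packets")
    return findings


if __name__ == "__main__":
    for finding in interface_findings(SAMPLE) or ["no interface problems found"]:
        print(finding)
```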
• Displaying Events, page E-99
• Clearing Events, page E-102

Sensor Events
There are five types of events:
• evAlert—Intrusion detection alerts
• evError—Application errors
• evStatus—Status changes, such as an IP log being created
• evLogTransaction—Record of control transactions processed by each sensor application
• evShunRqst—Block requests

Events remain in the Event Store until they are overwritten by newer events.
The following options apply:
• alert—Displays alerts. Provides notification of some suspicious activity that may indicate an attack is in process or has been attempted. Alert events are generated by the Analysis Engine whenever a signature is triggered by network activity. If no level is selected (informational, low, medium, or high), all alert events are displayed.
• include-traits—Displays alerts that have the specified traits.
Step 3 Display the block requests beginning at 10:00 a.m. on February 9, 2011.
sensor# show events NAC 10:00:00 Feb 9 2011
evShunRqst: eventId=1106837332219222281 vendor=Cisco
  originator:
    deviceName: Sensor1
    appName: NetworkAccessControllerApp
    appInstance: 654
  time: 2011/02/09 10:33:31 2011/08/09 13:13:31
  shunInfo:
    host: connectionShun=false
      srcAddr: 11.0.0.
  originator:
    hostId: sensor
    appName: mainApp
    appInstanceId: 2215
  time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC
  controlTransaction: command=getVersion successful=true
    description: Control transaction response.
    requestor:
      user: cids
      application:
        hostId: 64.101.182.
Step 3 Enter the following command.
/usr/cids/idsRoot/bin/cidDump

Step 4 Enter the following command to compress the resulting /usr/cids/idsRoot/log/cidDump.html file.
gzip /usr/cids/idsRoot/log/cidDump.html

Step 5 Send the resulting HTML file to TAC or the IPS developers in case of a problem.

For More Information
For the procedure for putting a file on the Cisco FTP site, see Uploading and Accessing Files on the Cisco FTP Site, page E-103.
Appendix F
Cable Pinouts

Contents
This appendix describes pinout information for 10/100/1000BaseT, console, and RJ-45 to DB-9 ports, and the MGMT 10/100 Ethernet port. It contains the following topics:
• 10/100BaseT and 10/100/1000BaseT Connectors, page F-1
• Console Port (RJ-45), page F-2
• RJ-45 to DB-9 or DB-25, page F-3

10/100BaseT and 10/100/1000BaseT Connectors
The ASA 5585-X appliance supports 10/100/1000BaseT ports.
Figure F-2 shows the 10/100/1000BaseT (RJ-45) port pinouts.

Figure F-2 10/100/1000 Port Pinouts

Pin   Label
1     TP0+
2     TP0-
3     TP1+
4     TP2+
5     TP2-
6     TP1-
7     TP3+
8     TP3-

Console Port (RJ-45)
Figure F-3 shows the RJ-45 cable.
Examine the sequence of colored wires to determine the type of RJ-45 cable, as follows:
• Straight-through—The colored wires are in the same sequence at both ends of the cable.
• Cross-over—The first (far left) colored wire at one end of the cable is the third colored wire at the other end of the cable.
• Roll-over—The colored wires are in the opposite sequence at either end of the cable.

Table F-1 lists the roll-over (console) cable pinouts for RJ-45.
GLOSSARY
Revised: September 30, 2014

Numerals

3DES
Triple Data Encryption Standard. A stronger version of DES, which is the default encryption method for SSH version 1.5. Used when establishing an SSH session with the sensor. It can be used when the sensor is managing a device.

802.x
A set of IEEE standards for the definition of LAN protocols.

A

AAA
authentication, authorization, and accounting. Pronounced “triple a.” The primary and recommended method for access control in Cisco devices.
ASA 5500 AIP SSM
Advanced Inspection and Prevention Security Services Module. The IPS plug-in module in the Cisco ASA 5500 series adaptive security appliance. The ASA 5500 AIP SSM is an IPS services module that monitors and performs real-time analysis of network traffic by looking for anomalies and misuse based on an extensive, embedded signature library.
architecture
The overall structure of a computer or communication system. The architecture influences the capabilities and limitations of the system.

ARP
Address Resolution Protocol. Internet protocol used to map an IP address to a MAC address. Defined in RFC 826.

ASDM
Adaptive Security Device Manager. A web-based application that lets you configure and manage your adaptive security device.

ASN.1
Abstract Syntax Notation 1. Standard for data presentation.
B

backplane
The physical connection between an interface processor or card and the data buses and the power distribution buses inside a chassis.

base version
A software release that must be installed before a follow-up release, such as a service pack or signature update, can be installed. Major and minor updates are base version releases.

benign trigger
A situation in which a signature is fired correctly, but the source of the traffic is nonmalicious.

BIOS
Basic Input/Output System.
certificate
Digital representation of user or device attributes, including a public key, that is signed with an authoritative private key.

cidDump
A script that captures a large amount of information including the IPS processes list, log files, OS information, directory listings, package information, and configuration files.

CIDEE
Cisco Intrusion Detection Event Exchange. Specifies the extensions to SDEE that are used by Cisco IPS systems.
cookie
A piece of information sent by a web server to a web browser that the browser is expected to save and send back to the web server whenever the browser makes additional requests of the web server.

CSA MC
Cisco Security Agent Management Center. CSA MC receives host posture information from the CSA agents it manages. It also maintains a watch list of IP addresses that it has determined should be quarantined from the network.
DES
Data Encryption Standard. A strong encryption method where the strength lies in a 56-bit key rather than an algorithm.

destination address
Address of a network device that is receiving data.

DIMM
Dual In-line Memory Modules.

DMZ
demilitarized zone. A separate network located in the neutral zone between a private (inside) network and a public (outside) network.

DNS
Domain Name System. An Internet-wide hostname to IP address mapping.
F

fail closed
Blocks traffic on the device after a hardware failure.

fail open
Lets traffic pass through the device after a hardware failure.

false negative
A signature is not fired when offending traffic is detected.

false positive
Normal traffic or a benign action causes a signature to fire.

Fast Ethernet
Any of a number of 100-Mbps Ethernet specifications.
FQDN
Fully Qualified Domain Name. A domain name that specifies its exact location in the tree hierarchy of the DNS. It specifies all domain levels, including the top-level domain, relative to the root domain. A fully qualified domain name is distinguished by this absoluteness in the name space.

FWSM
Firewall Security Module. A module that can be installed in a Catalyst 6500 series switch. It uses the shun command to block. You can configure the FWSM in either single mode or multi-mode.
hardware bypass
A specialized interface card that pairs physical interfaces so that when a software error is detected, a bypass mechanism is engaged that directly connects the physical interfaces and allows traffic to flow through the pair. Hardware bypass passes traffic at the network interface and does not pass it to the IPS system.

host block
ARC blocks all traffic from a given IP address.

HTTP
Hypertext Transfer Protocol.
InterfaceApp
A component of the IPS. Handles bypass and physical settings and defines paired interfaces. Physical settings are speed, duplex, and administrative state.

intrusion detection system
IDS. A security service that monitors and analyzes system events to find and provide real-time or near real-time warning of attempts to access system resources in an unauthorized manner.

IP address
32-bit address assigned to hosts using TCP/IP.
KB
Knowledge Base. The sets of thresholds learned by Anomaly Detection and used for worm virus detection.

Knowledge Base
See KB.

L

LACP
Link Aggregation Control Protocol. LACP aids in the automatic creation of EtherChannel links by exchanging LACP packets between LAN ports. This protocol is defined in IEEE 802.3ad.

LAN
Local Area Network. Refers to the Layer 2 network domain local to a given host. Packets exchanged between two hosts on the same LAN do not require Layer 3 routing.
MD5
Message Digest 5. A one-way hashing algorithm that produces a 128-bit hash. Both MD5 and Secure Hash Algorithm (SHA) are variations on MD4 and strengthen the security of the MD4 hashing algorithm. Cisco uses hashes for authentication within the IPSec framework. Also used for message authentication in SNMP v.2. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.
NBD: Next Business Day. The arrival of replacement hardware according to Cisco service contracts.
Neighborhood Discovery: Protocol for IPv6. IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors.
Network Access ID: See NAS-ID.
network device: A device that controls IP traffic on a network and can block an attacking host.
O
OIR: online insertion and removal. Feature that permits you to add, replace, or remove cards without interrupting the system power, entering console commands, or causing other software or interfaces to shut down.
OPS: Outbreak Prevention Service.
P
P2P: Peer-to-Peer. P2P networks use nodes that can simultaneously function as both client and server for the purpose of file sharing.
PER: packed encoding rules. Instead of using a generic style of encoding that encodes all types in a uniform way, PER specializes the encoding based on the data type to generate much more compact representations.
PFC: Policy Feature Card. An optional card on a Catalyst 6000 supervisor engine that supports VACL packet filtering.
PID: Product Identifier. The orderable product identifier that is one of the three parts of the UDI. The UDI is part of the PEP policy.
ping: packet internet groper.
RAM: random-access memory. Volatile memory that can be read and written by a microprocessor.
RAS: Registration, Admission, and Status Protocol. Protocol that is used between endpoints and the gatekeeper to perform management functions. The RAS signaling function performs registration, admissions, bandwidth changes, status, and disengage procedures between the VoIP gateway and the gatekeeper.
RBCP: Router Blade Control Protocol.
RTP: Real-Time Transport Protocol. Commonly used with IP networks. RTP is designed to provide end-to-end network transport functions for applications transmitting real-time data, such as audio, video, or simulation data, over multicast or unicast network services. RTP provides such services as payload type identification, sequence numbering, time stamping, and delivery monitoring to real-time applications.
RTT: round-trip time.
session command: Command used on routers and switches to provide either Telnet or console access to a module in the router or switch.
SFP: Small Form-factor Pluggable. Often refers to a fiber optic transceiver that adapts optical cabling to fiber interfaces. See GBIC for more information.
shared secret: A piece of data known only to the parties involved in a secure communication. The shared secret can be a password, a passphrase, a big number, or an array of randomly chosen bytes.
SN: Serial Number. Part of the UDI. The SN is the serial number of your Cisco product.
SNAP: Subnetwork Access Protocol. Internet protocol that operates between a network entity in the subnetwork and a network entity in the end system. SNAP specifies a standard method of encapsulating IP datagrams and ARP messages on IEEE networks.
subsignature: A more granular representation of a general signature. It typically further defines a broad scope signature.
surface mounting: Refers to attaching rubber feet to the bottom of a sensor when it is installed on a flat surface. The rubber feet allow proper airflow around the sensor and also absorb vibration so that the hard-disk drive is less affected.
switch: Network device that filters, forwards, and floods frames based on the destination address of each frame.
TFTP: Trivial File Transfer Protocol. Simplified version of FTP that lets files be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).
threat rating: TR. A threat rating is a value between 0 and 100 that represents a numerical decrease of the risk rating of an attack based on the response action; it depicts the threat of an alert on the monitored network.
U
UDI: Unique Device Identifier. Provides a unique identity for every Cisco product. The UDI is composed of the PID, VID, and SN. The UDI is stored in the Cisco IPS ID PROM.
UDLD: UniDirectional Link Detection. Cisco proprietary protocol that allows devices connected through fiber-optic or copper Ethernet cables connected to LAN ports to monitor the physical configuration of the cables and detect when a unidirectional link exists.
virus: Hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting—that is, inserting a copy of itself into and becoming part of—another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
VLAN: Virtual Local Area Network.
Wireshark: Wireshark is a free network protocol analyzer for UNIX and Windows. It lets you examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. For more information, see http://www.wireshark.org.