AIP - SSM upgrade procedure
Hello world!
I have version 8.2 ASA5520 (1) with module AIP-SSM-20
and I want to put AIP-SSM-20 software version 3,0000 E3 to E4 2.0000
I go to the download site and see the following list:
Intrusion Prevention System (IPS) recovery software:
- IPS-K9-r-1.1-a-7.0-2-E4.pkg
Release date: March 29, 2010
IPS Recovery Image File
Intrusion Prevention System (IPS) Signature Update:
- IPS-GIS-S481-req - E4.pkg
Release date: March 31, 2010
E4 Signature Update S481
Intrusion Prevention System (IPS) system software:
- IPS-SSM_20-K9-sys-1.1-a-7.0-2-E4.img
Release date: March 29, 2010
Image system IPS-SSM_20 file
Improved Intrusion Prevention System (IPS) systems
- IPS-K9-7, 0-2 - E4.pkg
Release date: March 29, 2010
File upgrade 7.0 Major of IPS (all supported except AIM - IPS and NME - IPS platforms)
- IPS-engine-E4-req-7.0-2.pkg
Release date: March 29, 2010
The IPS E4 engine update
I'm a little confused by the number of files and you want to ask what the procedure/sequence I should follow to upgrade?
This is the file that you want to use to upgrade:
Improved Intrusion Prevention System (IPS) systems
IPS-K9-7, 0-2 - E4.pkg
Upgrade:
(1) download the file 'IPS-K9-7, 0-2 - E4.pkg' through IDM
(2) IDM--> Configuration--> sensor--> sensor update management--> choose update is located on the client--> choose file 'IPS-K9-7, 0-2 - E4.pkg'--> hit the button "Update".
It will take some time (about 20 minutes) to upgrade the sensor, so don't panic if it does not return to the top 'UP' status immediately.
Hope that helps.
Tags: Cisco Security
Similar Questions
-
AIP - SSM upgrade for ASA active / active
Hello world!
I need help on improving the aip - ssm modules to E4 on two s asa who are active/active state. I'll be able to do this without downtime? What are the considerations?
AIPs are independent of the resumption of the SAA, however, the SAA can consider the status of the AIP in passage of failover, which means it can failover
If it detects a module AIP descending on the active device.
The best method for upgrading in this situation will be the status of active failover Setup for all groups on the SAA primary, then upgrade the AIP of the ASA high school.
Once the agreement in principle of the school is completely updated and functional, then set all groups to be active with the ASA failover secondary.
Then the primary AIP.
Once the primary AIP is completely level and working, you can then restore the status of the ASAs failover, by setting the active failover for the Group on the ASAs specific you want them to be active on...
Kind regards
-
Try to upgrade an AIP-SSM-20.
We have 2 ASA in a failover configuration, upgrade on the AIP-SSM-20 secondary has been a success.
On the primary AIP-SSM-20, we get the following error when you try to upgrade via FTP from the same server that we have updated the secondary SSM module of:
execUpgradeSoftware: permission denied
The current version is 1,0000 E1, tyring 4,0000 E1 upgrade
We tried when the module is active and when it's not... same error in both directions. Doesn't seem to be a user FTP error since we get a different when error deliberately hits the user or password.
Our SSM user has administrator privileges (cisco default user) and we tried to restart the SSM... no luck
Anyone has any idea on this?
Thank you
John Stemke
I don't know if the error is generated by the sensor itself, or from the ftp server.
To discover the try running a sniffer of packages on the ftp server or the 'package' command on the CLI for the command of the probe and control interface.
Run the command to upgrade and see if a ftp connection is still attempted by the sensor.
If no ftp connection is attempted, then the error would be to the sensor itself, and it would seem that the user doesn't have permissions admin (which doesn't seem to be your case by what you wrote).
If the ftp connection is attempted, then the error is probably coming from the ftp server. Look at the packages that you have captured and see if an error is coming from the ftp server. The problem may be a permissions issue on the file on the ftp server. The ftp directory or the file itself may not have read permission for the file.
You can also try a ftp from your own desktop to the same ftp server by using the same user and password used for the sensor and see if you can download it on your own desktop.
As a work around to get your updated sensor to update and work on this authorization the problem is later to copy the upgrade on your desktop.
Run IDM and use IDM to repel the upgrade of your desktop directly on the sensor.
-
I have an AIP-SSM-10 (IPS - K9 - 6.0 - 5 - E2) running inside an ASA (active failover mode / standby). I tried to put a signature update today (version S447, first time) and he said I need engine lvl 3 to update the signature and I am currently at lvl 2.
Here's my question, what are the versions can I go to? I'm stuck with the versions of level 2 of the engine when using the AIP - SSM or can I put on until the next major release of 2.0000 E3. And is it really a good idea or not. What would you suggest?
Also, I guess I would need to install the release .pkg file. Is this good?
Thanks in advance!
You can switch to the 5,0000 E3, 6,0000 E3 or one of the E3 7.0 images (x). You want the .pkg file.
Mount the sensor in the CLI:
conf t
Update ftp://user:password@/ upgradefilename.pkg
When the sensor complaines on the upgrade, just say 'yes' to go ahead in any case. This is a known bug, do not believe that the CLI.
-
Updated AIP-SSM-10 on ASA 5510
Hello
I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP - SSM is running E3 479.0 1.0000 and I have a valid account of the ORC etc for this.
- What is the version of the software on the question of the ASA?
- When I look in the software downloads< ips="" there="" are="" .pkg="" and="" .img="" files.="" i="" want="" to="" upgrade="" to="" 6.3(3)e4.="" do="" i="" have="" to="" re-image="" the="" ips="">
- AFAIK redefinition to wipe the device so I just reload the config after, right?
- I guess I can apply any update after going to E4?
- Can you give me links for this upgrade?
see you soon
Let me give some clarification on a few points:
2. There is no need to recreate the image on the device using the .img file. You can improve the mechanism of maintenance of your existing configuration using the .pkg file. It is the recommended method for upgrading to Cisco IPS devices/modules. The .img file to recreate the image should only be used to restore the default device.
5 here are links for the upgrade of the probe using a .pkg file. For updates through the IDM user interface:
For upgrades via the CLI:
Another point of clarification; current releases of IPS software supported on the AIP-SSM-10 are (taking into account you are currently running 6.2 (1) E3):
6.2 (3) E4
7.0 (4) E4
You can go directly to each output.
Scott
-
Hello
I am trying to upgrade the AIP - SSM software file 'IPS - K9 - 6.0 - 6 - E4' in 'IPS-engine-E4-req-7.0-2 '. But it is not allow.
"Could not pass the software on the sensor.
Level the current signature is S698. The current level of the signature must be less than S480 for this installation package. »
So I tried to update the signature file less than S480, "IPS-GIS-S460-req-E3".
"Can not upgrade the sensor software be"
This update can be installed on the sensor with and the version of the 3 engine.The currently installed engine version is 4.
There is no signature file in cisco downloads less S480 in version 4 engine.
See the version
AIP - SSM # sho version
Application partition:
Cisco Intrusion Prevention System, Version 6,0000 E4
Host:
Domain keys key1.0
Definition of signature:
Update of the signature S698.0 2013-02-19
OS version: 2.4.30 - IDS-smp-bigphys
Platform: ASA-SSM-40
Serial number:
License expires: November 3, 2013 UTC
Sensor time is 3 days.
Using 4203216896 bytes of available memory (24% of use) 1045143552
application data using 41.4 M off 167.8 M bytes of disk space available (26% of use)
startup is using 37.8 M off 70.5 M bytes of disk space available (57% of use)
MainApp N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07 - 15 T 01: 15:08 - 0500 Running
AnalysisEngine NO-NUBRA_E4_2010_MAR_24_22_44_6_0_6 (Ipsbuild) 2010-03 - 24 T 22: 47:53 - 0500 Running
CLI N-NUBRA_2009_JUL_15_01_10_6_0_5_57 (Ipsbuild) 2009-07 - 15 T 01: 15:08 - 0500
Upgrade history:
* IPS - K9 - 6.0 - 6 - E4 21:14:06 UTC Wednesday, March 24, 2010
IPS-GIS-S698-req - E4.pkg 15:44:43 UTC Sunday, February 24, 2013
Version 1.1 - 6, 0000 E4 recovery partition
____________________________________________________________________________
Any help will be much appreciated... Thanks in advance.
Liénard
If you try the software version Upgrade, try to use the IPS-K9-7, 0-2 - E4.pkg instead of the engine update package.
-
Downgrade IPS on AIP - SSM to 6.1.1 6.0.2
Need to know how to return to v602 once a v611 upgrade was carried out.
The recovery partition is also v611.
Two methods as well as a comment. The comment is that you will want to come back to 6.0 (4), not 6.0 (2) for operational use.
[edit] The following works of generically on autonomous sensors... I missed that this is a question for the AIP - SSM. It should still work on the AIP - SSM with adjustments for the input/output "foreigner in the area.
To recover, a reimage using one of the tftp-able images (or a CD boot if you have a sensor 4235/4250) is the gold standard to go backward. You will lose your configuration when do you and you need to re-run the installation program.
The other way and officially it is not supported for "damages", but it works 98% of the time, is to load the recovery image - r (IPS-K9-r-1.1-a-6.0-4-E1.pkg) and then make an application partition 'recover' the level of the "conf t". This reimage your sensor and preserve the installation of the base system. You will still lose the customizations of signature and passwords will be reset to factory default, but the network configuration is preserved, so you can do it remotely.
-
Hi all
I need help. I'm setting up my 3.1 CSM to apply the update on my IPS AIP - SSM.
I went to the FPS tab apply and choose Update cisco.com. But it's still as treatment for a long time.
I tried to enter my username and password for the sensors or account of the BCC but still no improvement. Anyone know how to configure it. I tried to read the user guide there is no examples.
Thank you
The two IPS - K9 - 5.1 - 8.pkg abd IPS-SSM_10-K9-sys-1.1-a-5.1-8-E3.img will recreate the image on the partition recovery and the application partition.
The System Image will erase everything before starting the imaging process.
The Service Pack Upgrade file will first of all take the current configuration and convert it to work with the new version and save off the coast. Also several other special folders on the sensor (for example, the license file) will be saved off the coast. The imaging process will run and then the saved to the large files will be automatically applied to the probe.
-
installation of update of signature for JOINT-2 AIP - SSM
Hi every one, im not sure about this issue but I think its beter ask you experts.i want to know that if I update the signature for example for my JOINT-2 can I install this update of GIS on my AIP - SSM--> assume that software IPS on both devices are same and I also installed the license key valid on AIP - SSM.now can I do this or not? and I know that if you do not license installed on JOINT-2 you cannot install any point of GIS on JOINT-2 but this topic AIP - SSM? I want to say I can install updated GIS on AIP - SSM without installed the license key valid on AIP - SSM? Thank you
There are 3 main types of Signature updates.
(1) IPS sensor Signature Update
(2) updates of Signature CSM for IPS sensors
(3) signing IOS IPS updates
The IPS Signature Update file name is in the form: IPS-GIS-Sxxx-req - Ey.pkg
That's probably what you are referrnig to in your message. This file can be installed on ANY device IDS/IPS or Module.
Here, the requirement is not the platform but rather the level of the engine. The part "req - Ey" in the file name indicates that the sensor has already run the 'y' the software engine level.
If a file IPS-GIS-S436-req - E3.pkg can be installed on any IDS/IPS device or Module as long as the software on this sensor is a version of the 'E3 '.
The CSM updates are updates of signature for the Cisco Security Manager. They contain special files that SCM uses to update, and then also included in the JLC update is the update of real sensor described above. CSM unpackages the CSM update, updates and then uses this file embedded to upgrade the actual sensor.
The third type of file is for routers IOS loaded with the special IOS software that has the distinction of IOS IPS where the router itself (instead of a separate module of the IDS/IPS) keeps track of the signature.
These updates to the signing IOS IPS settle on the real router and are not installed on the Modules or the sensor IDS/IPS devices.
So to answer your question, yes the same Signature Update for your JOINT-2 is the exact same Signature Update for your SSM modules.
The same exact file is available through several different paths on cisco.com. But no matter which way cisco.com you have downloaded the file, you can always install it on all the Modules and the IDS/IPS Appliances.
With respect to licensing, the license works the same on all Modules and the IDS/IPS Appliances. A license must be on the sensor for the Signature Update to apply.
NOTE: A trial license is available at cisco.com for new sensors to allow you to get everything set up properly for your sensor to be covered by a service contract and get the standard license for the service contract.
-
Hello
I recently confgured my module AIP-SSM-40 in my firewall that is configured in HA(Active/Standby). It was working fine. Then, I upgraded the version of the image to IPS, 2.0000 E3.
It worked fine for a week. Then I found that the secondary firewall was in a State of secondary failure. My AIP - SSM in the secondary firewall fails.
I couldn't connect the AIP - SSM with command session 1. Display the order watch module
Model serial number of map mod
--- -------------------------------------------- ------------------ -----------
0 ASA 5520 Adaptive Security Appliance, ASA55201. ASA 5500 Series Security Services Module-40 ASA-SSM-40
MAC mod Fw Sw Version Version Version Hw address range
--- --------------------------------- ------------ ------------ ---------------
0 0021.a09a.d1bb for 0021.a09a.d1bf 2.0 1.0 (11) 5 8.0 (4)
1 0023.5e15.f6c8 to 0023.5e15.f6c8 1.0 1.0 (14) 5The Application name of the SSM status Version of the Application of SSM mod
--- ------------------------------ ---------------- --------------------------Data on the State of mod aircraft compatibility status
--- ------------------ --------------------- -------------
0 to Sys does not apply
1 does not not Applicableat the end of the failover see command shows
Slot 1: ASA-SSM-40 rev hw/sw (1.0 /) status (does not/high)
I suspect module SSM is having the problem. Is it possible to recover.
Try to stop and reset the module using this command from the ASA:
HW-module module 1 reset
-
Hello
I have a client who has the run of the ASA 2 that each filled with AIP - SSM. The IPS has 6.1 (1) E3 software and I would like to upgrade to the latest.
I'm looking through the sections to download and read the minimum requirements of 7.0 (7) E4 but cannot find the file to download to AIP - SSM.
NOTE: The IPS-AIM-K9-7.0-7-E4.pkg upgrade file can only be used to upgrade AIM-IPS sensors. The IPS-NME-K9-7.0-7-E4.pkg upgrade file can only be used to upgrade NME-IPS sensors. For all other supported sensors, use the IPS-K9-7.0-7-E4.pkg upgrade file.
Each updated image that I look for E4 has only IPS-K9-version and the description says all supported except AIM - IPS and NME - IPS platforms. Can someone help me to find the right image for upgrade?
This is where I am currently looking:
Intrusion Prevention System (IPS) system upgrades - 7.0 (2) E4
Hello
Please use your AIP - SSM IPS - K9 - 7, 0-7 - E4.pkg. This version is supported on all IPS platforms except two modules for the cisco ISR routers: AIM - IPS and NME - IPS.
Thank you
Alla
-
Dear all,
I'm in the process of implantation of the product above of title to one of the clients.
I am very familiar with the configuration of the firewall, but the module AIP - SSM is than I do the first time.
Please I need your help to do the configuration.
Is it possible by using ASDM to configure, if yes please give me the steps and procedures to complete the work
Thanks in advance
Swamy
Hi S,
Very easy:
Connect to the ASA, activate mode and then connect to the IPS via the command "session 1".
You are then connected to the console of the IPS. Enter the user name "cisco" and the password "cisco" and run the Setup program for the basic config (address IP etc). After that, you can either connect directly on IP addresses via a web browser or through ASDM.
Then I recommend you read the setup guide for IP addresses that it can be very intense (configuration/tweaking signatures etc.)
I hope this helps!
See you soon
JC
-
Cisco ASA 5510 + license + AIP - SSM
Hello.
I have this box.
I have a few questions about it.
(1) I'll be able to update the firmware (from 8.2 to 8.3 or greater for example) without smarnet for ASA 5510? And what can not do without smartnet?
(2) I have only AIP-SSM-10 module this ASA 5510. is there a smartnet, too? And when I buy only one module is it build in a subscription for 1 year for the signatures of the IPS?
(3) if I have the Cisco ASA 5510 base license, my IPS on AIP-SSM-10 will work?
(4) as I foresee in a purchase of the year a 5510 more with the same module and mount ther of failover. I really need license Security more than failover (active / standby)? For active/active, I know I need one, Yes?
Please help me.
(1) you must Smartnet in order to download the software from the download from cisco.com site.
(2) Yes, there is also a smartnet for the AIP module. Module AIP does not come with one year subscription, but you can ask for a demo license.
(3) Yes, the basic license is OK for the AIP module.
(4) Yes, you would need license security more on the two ASA to be able to run any type of failover on ASA5510.
Hope that answers your questions.
-
Getting started: ASA5520 w / AIP - SSM
I'm trying to deploy an ASA5520 to a customer. I have no problem with the piece of implementing firewall, but I don't know where to start with the piece of IPS.
I searched a bit on the ASA55XX & AIP - SSM, but can't seem to find much on what to do with the AIP - SSM beyond the initial Setup.
Can someone point me to some beginners IPS documentation that focuses on the AIP - SSM?
Thank you
Jeff
In my view, there is a lack of documentation on how to get the IPS module to work with the ASA. It would be nice if there was a single document on how to get IPS working module with the ASA.
Start with the documentation of the IPS. It's just on how to configure the IPS himself module. Assign an IP address for management, set the admin password, etc..
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids12/index.htm
Then go to the documentation of the SAA on how to configure ASA to send traffic to IP addresses (via a service-policy):
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids11/cliguide/clissm.htm#wp1033926
There is a free viewer of IPS Cisco event offering to monitor events on the IPS. It can be downloaded from the download page of the Cisco IPS software.
Finally, read the whitepaper SAFE on the deployment of the IPS and the setting.
I hope this helps. Remember messages useful rate. Thank you!
-
I have two questions about the AIP - SSM.
(1) is the ACL in AIP - SSM has any type of relations to the ASA ACL?
2) our four interfaces are all used. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
(3) should then the management interface serve as a gateway for the SSM?
interface GigabitEthernet0/0
nameif outside
security-level 0
IP address 65.x.x.1 255.255.255.0 watch 65.x.x.2
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
IP address 172.16.x.1 255.255.255.0 watch 172.16.x.2
!
interface GigabitEthernet0/2
nameif inside
security-level 100
IP address 255.255.255.0 192.168.x.1 watch 192.168.x.2
!
interface GigabitEthernet0/3
STATE/LAN failover Interface Description
!
interface Management0/0
Speed 100
full duplex
nameif management
security-level 100
IP address 10.0.x.1 255.255.255.0 watch 10.0.x.2
management only
Here are the answers to your questions-
(1) is the ACL in AIP - SSM has any type of relations to the ASA ACL?
No of years) ACL on SSM is completely independent of the ACLs on the ASA.
2) our four interfaces are all used. Is it possible to assign the SSM an IP address in the same subnet as the management interface?
VNA) absolutely. You can assign the SSM management port IP address in the same subnet as your managemnet interface. In this way, all management traffic will remain independent of normal DATA traffic.
(3) should then the management interface serve as a gateway for the SSM?
VNA) you're right... :-)
Hope that helps.
Kind regards
Maryse.
Maybe you are looking for
-
How can I change Skype instant chat language on kindle fire hd?
Please somebody guide me.
-
Qosmio E10: Question about PX1211E-1TVD Toshiba DVB - T USB Tuner
Hey all,.While the analog TV tuner that is inside my Qomsio E10 is OK for now, I'm looking forward to get a Digital Tv Tuner USB from Toshiba adapter. HTTP://UK.COMPUTERS.TOSHIBA-EUROPE.COM/CGI-BIN/TOSHIBACSG/INDIVIDUAL_OPTIONS_PAGE.JSP?SERVICE=UK&AC
-
Satellite P100-240: touchpad that displays the icons of backlight?
Hi alljust bought a computer laptop p100-240 its excelentbut I have 1 question This model has the touchpad that displays the icons in backlight, I can't find anything about this or I look in vain Thanks for any helpShaun
-
Wi - Fi disabled after waking from sleep - G9-591-70VM
A few days after the awakening of the laptop from sleep, the WiFi has been disabled. Only the ethernet with a red 'X' icon was present. Troubleshooting and looking in the network settings of the Control Panel, it was as if a Wi - Fi connection did no
-
Error thrown when activating disk checking on RHEL 5. 6
The /home/bb/bbc1.9i-btf/tmp file system is FULL Any ideas what might be causing this error as soon as the client has been started? There is no shortage of disk or quotas.