IPS inline VLAN pair

Hello

I want to set up an IPS inline VLAN pair for the DMZ area. I have been through the IPS 7.0 user guide section on inline VLAN pairs and saw the inline VLAN pair configuration example, but it is not clear to me.

Please take a look at the attached diagram and explain the flow of traffic from the servers to the Internet if we create a VLAN pair.

Each server's default gateway is the ASA firewall DMZ interface.

Thank you

You are right.

Traffic runs just like that. All servers will be on VLAN 2 of the switch and the ASA on VLAN 3, all connected to the same switch. The IPS will also be connected to this same switch. A single IPS interface will be connected to a trunk port on this switch with the two VLANs allowed on the trunk, and the VLAN pair configured on the IPS.

You are right.

BTW, yesterday I saw someone in a study group ask the same thing as you.

Tags: Cisco Security

Similar Questions

  • IPS inline interface pair with switch trunk ports

    Hello

    Is it possible to configure the IPS in the topology below? The SW1 and SW2 ports connected to the IPS are in trunk mode. I would like to configure the IPS in inline interface pair mode (not VLAN pair mode).

    SW1 - IPS - SW2

    Kind regards.

    Yes, this method is fully supported.

    If you want to monitor all the VLANs with a single virtual sensor, then assign the inline interface pair to the virtual sensor.

    If you want to monitor the VLANs with different virtual sensors, we support VLAN groups on this inline interface pair.

    Do not confuse "inline VLAN pairs" with "inline VLAN groups on an inline interface pair".

    An "inline VLAN pair" pairs 2 VLANs on the same interface. When a packet arrives at the sensor it is sent back out the same interface with its VLAN header changed.

    "VLAN groups" on an inline interface pair do not change the VLAN headers.

    They are only used to group VLANs, so that the VLAN group can then be assigned to a specific virtual sensor.

    You could then take a group of VLANs for your office employee network and assign them to vs0, and take a second group of VLANs for your DMZ and assign them to vs1.

    You can place a single VLAN within each VLAN group, or you can place several VLANs within each VLAN group.

    But it only makes sense to have 4 VLAN groups, because you only have 4 virtual sensors on most appliances (the 4215 being a bit different: it has 1 virtual sensor, so you can make VLAN groups on the 4215 for that one sensor only).

    I also recommend that you change your virtual sensor and set the inline TCP session tracking mode to "Interface and Vlan". In this way the sensor will monitor connections on each VLAN separately. This is necessary if a router can route traffic between several VLANs. Without this setting, the sensor will become confused if it sees the same connection on multiple VLANs.

  • IPS inline VLAN pair mode and VLAN 1

    I am installing a 4255 IPS in inline VLAN pair mode, but I have encountered a problem.

    The thing is that we have a network with multiple VLANs. Some of the servers as well as some users are connected to VLAN 1. The servers are connected to a separate switch.

    I would like to isolate the servers behind the IPS.

    I created a new VLAN 90, paired it with VLAN 1 on the IPS and placed the servers in the new VLAN 90. But this doesn't seem to work.

    I have tried putting the IPS trunk on the main switch and on the switch where the servers are located, but in both cases it did not work.

    I noticed that this configuration seems to work with VLANs other than VLAN 1, but I can't make it work with VLAN 1.

    Does anyone have an idea what the problem could be?

    Thank you.

    VLAN 1 is by default the native VLAN for the trunk port.

    Native VLAN traffic leaving the trunk port will not have a VLAN header.

    So when the sensor receives the traffic it cannot change the VLAN header to VLAN 90.

    The sensor will not add a VLAN header to packets that do not contain one.

    So you have two options.

    Either use a VLAN other than 1.

    Or, the easier method, change your switch configuration so that a different VLAN is defined as the native VLAN for the trunk port.

    Each switch may be different in how the native VLAN for a trunk port is designated.

    For the Cat 6K running IOS it is "switchport trunk native vlan".

    http://www.Cisco.com/en/us/partner/docs/switches/LAN/catalyst6500/IOS/12.2Sx/configuration/guide/Layer2.html#wp1034721
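    The VLAN tag swap described in the first answer on this page (servers on VLAN 2, the ASA on VLAN 3, one trunk to the sensor) and the native-VLAN failure explained in the answer above can be walked through with a small simulation. This is an added example, not code from the original thread or from Cisco: the frame bytes, MAC addresses and VLAN numbers are constructed for illustration, and the `InlineVlanPair` class models only the 802.1Q tag swap, not signature inspection.

```python
"""Added example (not from the original thread or Cisco): a toy model of an
inline VLAN pair on one trunk interface, including the untagged-frame case.
All frames, MACs and VLAN numbers below are constructed for illustration."""
import struct

ETHERTYPE_8021Q = 0x8100   # TPID that marks an 802.1Q tag at offset 12
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses: a DMZ server and the ASA DMZ interface.
SERVER_MAC = bytes.fromhex("020000000a02")
ASA_MAC = bytes.fromhex("020000000a03")
# 20-byte stand-in IPv4 header (only its length matters for the model).
FAKE_IPV4 = bytes.fromhex("45000014000100004001000000000000c0a8010a")


def build_frame(dst, src, payload, vlan=None):
    """Ethernet frame; with `vlan` set, insert an 802.1Q tag (PCP 0, DEI 0)."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vlan_id(frame):
    """802.1Q VLAN ID of a frame, or None if it left the trunk untagged."""
    if len(frame) < 16 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF


class InlineVlanPair:
    """One trunk interface carrying N VLAN pairs.  A frame arriving on one VLAN
    of a pair is inspected and re-sent on the same interface with the partner
    VLAN ID; the PCP/DEI bits of the tag are preserved."""

    def __init__(self, pairs):
        self.partner = {}
        for a, b in pairs:
            if a == b or a in self.partner or b in self.partner:
                raise ValueError(f"VLAN pair {a}/{b} overlaps an existing pair")
            self.partner[a] = b
            self.partner[b] = a

    def forward(self, frame, inspect=lambda f: True):
        """Return (frame_to_send, reason); frame_to_send is None when dropped."""
        vid = vlan_id(frame)
        if vid is None:
            # Native-VLAN traffic has no tag and the sensor never adds one,
            # so it cannot be paired (the VLAN 1 problem in the thread).
            return None, "untagged frame: not a member of any inline VLAN pair"
        if vid not in self.partner:
            return None, f"VLAN {vid} is not configured in any pair"
        if not inspect(frame):
            return None, f"frame on VLAN {vid} denied by inspection"
        tci = struct.unpack_from("!H", frame, 14)[0]
        out = bytearray(frame)
        struct.pack_into("!H", out, 14, (tci & 0xF000) | self.partner[vid])
        return bytes(out), f"VLAN {vid} -> VLAN {self.partner[vid]}"


def demo():
    """Server -> ASA on pair 2/3, the ASA's reply back, then a native-VLAN frame."""
    sensor = InlineVlanPair([(2, 3)])
    to_asa = build_frame(ASA_MAC, SERVER_MAC, FAKE_IPV4, vlan=2)
    out, _ = sensor.forward(to_asa)                        # VLAN 2 -> VLAN 3
    reply = build_frame(SERVER_MAC, ASA_MAC, FAKE_IPV4, vlan=vlan_id(out))
    back, _ = sensor.forward(reply)                        # VLAN 3 -> VLAN 2
    untagged = build_frame(ASA_MAC, SERVER_MAC, FAKE_IPV4)  # native VLAN, no tag
    dropped, why = sensor.forward(untagged)
    return vlan_id(out), vlan_id(back), dropped, why


if __name__ == "__main__":
    print(demo())
```

    The model makes the two properties of the mode visible: the frame goes back out the very interface it arrived on with only the VLAN ID changed, and a frame that arrives without a tag (native VLAN) has nothing for the pair to rewrite, which is exactly why pairing VLAN 1 fails until the trunk's native VLAN is moved elsewhere.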

  • IPS inline mode SPAN configuration

    In inline mode on IPS v5, must the second interface (where a packet goes out) of a paired interface be configured as a SPAN port or a regular port? Where can I find more information about it? Thank you.

    Need more information about your configuration. Generally speaking, the answer is "regular forwarding port". Your use of "span" leads me to believe that you are deploying into a switch. In that case, be advised that if you try to loop back into the same switch you started from, you will need to have this second port in a different VLAN. The sensor does not switch traffic; it is a "virtual wire".

  • Catalyst 6500 switch configuration for IDSM inline mode

    I understand how to configure the Catalyst 6500 switch so that the monitoring ports are access ports in two separate VLANs for inline operation.

    However, I don't see any document that describes how the desired VLAN traffic gets forced through the IPS.

    In promiscuous mode you can use a VACL copy/capture and forward the desired traffic to the IDSM for analysis. I don't see how to get the desired traffic through the IPS.

    Note that the 6500 host is running native IOS 12.2(18)SXE.

    Thanks for any help.

    A transparent firewall is a pretty good comparison.

    Say you have VLAN 10 with 100 PCs and 1 router for the network.

    If you want to apply a transparent firewall to this VLAN you can't just put the firewall interface on VLAN 10. Nothing would go through the firewall.

    Instead, you need to create a new VLAN, say 1010. Now you place one firewall interface on VLAN 10 and the other on VLAN 1010. Still nothing goes through the firewall. So now you move that router from VLAN 10 to VLAN 1010. All you do is change the VLAN; the IP address and mask of the router remain the same.

    The transparent firewall bridges VLAN 10 and VLAN 1010. The PCs on VLAN 10 are still able to communicate through the router, but must go through the transparent firewall to do so.

    The firewall is transparent because there is no IP route between the 2 VLANs; instead, the same IP subnet is on both VLANs and the transparent firewall bridges between the 2 VLANs.

    The transparent firewall can firewall between the PCs on VLAN 10 and the router on VLAN 1010. But if PC A on VLAN 10 talks to PC B on VLAN 10, the transparent firewall does not see it and cannot block this traffic.

    An inline sensor is very similar to the transparent firewall and will bridge between the 2 VLANs. Similarly, an inline sensor is able to monitor inline the traffic between PCs on VLAN 10 and the router on VLAN 1010, but will not be able to monitor the traffic between 2 PCs on VLAN 10.

    Now, the PCs on one VLAN and the router on another VLAN is the classic deployment for inline sensors, but your VLAN need not be divided in this way. You could choose to place some servers in one VLAN and the desktops in another VLAN. You subdivide the VLAN in whatever way is logical for your deployment.

    Now for monitoring several VLANs the same principle still applies. You can't monitor traffic between machines on the same VLAN. So for each VLAN that you want to analyze, you will need to create a new VLAN and divide the machines between the 2 VLANs.

    In your case with native IOS, you are limited to only 1 VLAN pair for inline monitoring, but your desired deployment would require 20 VLAN pairs.

    The IPS 5.1 software now has the ability to handle the 20 pairs, but the native IOS software doesn't have the ability to send the 40 VLANs (20 pairs) to the IDSM-2.

    Changes to native IOS are in testing right now, but I have not heard a release date for these changes.

    CatOS, however, has already made these changes. So here is a basic breakdown of what you could do in CatOS, which you can use to prepare for a native IOS deployment when it comes out.

    For VLANs 10-20 and 300-310, which you want monitored, you will need to break each of those VLANs into 2 VLANs.

    Let's say we keep it simple and add 500 to each VLAN in order to create the new VLAN for each pair.

    That gives the following pairs:

    10/510, 11/511, 12/512, etc...

    300/800, 301/801, 302/802, etc...

    You configure the sensor port to trunk all 40 VLANs:

    set trunk 5/7 10-20,300-310,510-520,800-810

    (And then clear all other VLANs off this trunk to clean things up.)

    In the IDSM-2 configuration, create the 20 inline VLAN pairs on interface GigabitEthernet0/7.

    Now on each of the 20 original VLANs, move the default router for that VLAN from the original VLAN to the 500+ VLAN.

    At this point you should be good to go. The IDSM-2 will not monitor traffic that stays inside each of the 20 original VLANs, but will monitor the traffic routed into and out of each of the 20 VLANs.

    Due to a switch bug, you may need to have an extra PC moved to the same VLAN as the router if the switch/MSFC is used as the router and you deploy with an IDSM-2.

  • IPS inline mode interface - can you use a port channel?

    Hello

    I am trying to determine if you can run a 2-gig Layer 3 port channel through a 4260 IPS appliance. See the attached diagram. Is this possible?

    The customer I work with would prefer not to incur the cost of an equivalent port-channel of 1-gig links (I don't think there is a difference in performance...). However, I think that if they want the appliance inline, as the diagram shows, they will have to break the port-channel. Is this a correct assumption?

    Thank you

    Brad

    Asymmetric traffic will prevent the sensor from working as well as it is capable of. There is a configuration that can be done to allow the sensor to be deployed in an asymmetric environment, BUT it can affect the ability of the sensor to detect attacks, allows through evasions that would otherwise have been prevented, and will not affect the general performance of the sensor.

    So running in asymmetric mode should be avoided if possible. But in cases where it cannot be, the sensor still allows it with degraded functionality.

    Traffic spikes above what the sensor can handle will cause dropped packets. There is no help for too much traffic.

    The relief you mention I guess is the bypass feature. The bypass feature does not kick in during oversubscription of the sensor. The bypass feature will only kick in if the analysis engine crashes due to a bug.

  • Cisco IPS inline or promiscuous

    Hello

    Is there a way, or a command to type, that can tell you whether this IPS is inline or promiscuous?

    In a word, how do I check how my IPS is running?

    Thank you

    It's simple... you need two interfaces for inline mode...

    In the device CLI, "show interfaces brief" will clearly tell you whether the interfaces have been paired or not, and also the interface status.

    If you use IDM/CSM, you can find it easily by looking at the Interface Summary tab.

  • IDSM2 inline mode support on 6500 IOS?

    Hello

    I have an IDSM-2 running IPS 5.1(1d) software (recently upgraded from 4.x) that sits in a 6500 running IOS.

    The IPS Device Manager shows gi0/7 and gi0/8 both in promiscuous mode. There is no option to change to inline mode and pair them up.

    Is it so that the IDSM-2 currently supports only promiscuous mode?

    If so, this module still acts as an IDS despite running IPS 5.1, doesn't it? What is the advantage I get after upgrading from 4.x to 5.1?

    -Vasanth

    There are 2 pieces of the puzzle.

    There is the IDSM-2 version and what it supports, but also the Cat 6K native IOS version and what it supports.

    The v5.1(1d) IDSM-2 supports:

    (a) promiscuous mode,

    (b) inline interface pair mode (2 interfaces are paired for inline monitoring), and also

    (c) inline VLAN pair mode (2 VLANs on a single interface are paired for inline monitoring; you will also see it called inline-on-a-stick).

    But for these features to be used, the switch code must also support the switch-side configuration for the IDSM-2 for each of these 3 features.

    Native IOS versions prior to 12.2(18)SXE will only support promiscuous mode on the IDSM-2.

    12.2(18)SXE and later versions support inline interface pair mode on the IDSM-2.

    No native IOS version currently supports inline VLAN pair mode on the IDSM-2 (a new native IOS version with this support is currently in development).

    For inline (IPS), you need to run native IOS version 12.2(18)SXE or later, and on the IDSM-2 run IPS version 5.1 (or even the older 5.0).

    (NOTE: CatOS 8.5(1) supports all 3 modes on the IDSM-2. Therefore, if you use CatOS instead of native IOS, run version 8.5(1) to have access to all the features of IPS 5.1(1) on the IDSM-2.)

    If you run a native IOS version prior to 12.2(18)SXE, then the IDSM-2 can only run in promiscuous mode even if 5.1(1) is loaded on the IDSM-2.

    However, even in promiscuous mode the IPS 5.1(1) software has a few advantages.

    There are several engines and engine parameters that are only supported in version 5.1 and not in version 4.0. (So there are several signatures where either a) the signature has not been created for 4.x sensors, or b) the 4.x signature is not as precise as the 5.x signature in the new engines.)

    (These new engines have proved invaluable in writing signatures to detect some of the new attacks that came out last year.)

    There are of course other benefits:

    For example:

    (1) risk rating, to better help prioritize alerts.

    (2) a more flexible filtering mechanism for alerts that allows filtering of individual actions.

    The 2 features above are only 2 of the new features that have been added in 5.0 and 5.1 that apply to both promiscuous and inline modes.

  • IDSM2 in inline mode

    Hi all

    There are 2 VLANs configured in the 7600 switch, namely 200 and 300. In order to make the switch pass the traffic of these VLANs through the IDSM (IPS inline mode), the following was configured: "intrusion-detection module 2 data-port 1 trunk allowed-vlan 200,300". Apart from that, are there any other requirements for this? The IOS on the 7600 switch is 12.2(18)SXF4.

    Thanking you

    Anantha Subramanian Natarajan

    You can have up to 255 VLAN pairs on Gig0/7 (data-port 1) and another 255 VLAN pairs on Gig0/8 (data-port 2).

    But be aware that with version 5.0/5.1 on the IDSM-2, the IDSM-2 will treat all these pairs as if they were on the same network. This can lead to confusion on the sensor if the packets are routed and run through 2 or more inline VLAN pairs.

    So if you are going to deploy in situations where routing could cause packets to go through more than one inline VLAN pair, then I recommend you run IPS version 6.0.

    IPS 6.0 can support up to 4 virtual sensors. You can have a different signature and filter configuration in each virtual sensor.

    In a deployment of only 4 inline VLAN pairs you can place one inline VLAN pair in each of the 4 virtual sensors.

    If you deploy more than 4 VLAN pairs, there is also an additional feature added in IPS 6.0 to help handle it.

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids13/cliguide/clianeng.htm#wp1038004

    You must set the TCP Session Tracking Mode to "Vlan only" or "Interface and Vlan"; this tells the IDSM-2 to track TCP sessions per inline VLAN pair only and avoids the problem seen with 5.0/5.1.

    Inline interface pair mode is very similar to inline VLAN pair mode. It will pair 2 VLANs.

    The difference is in how the VLANs get paired.

    In inline interface pair mode you would make 0/7 and 0/8 (data ports 1 and 2) access ports. Each port would be on just a single VLAN. You place 0/7 on one VLAN of the pair and 0/8 on the second VLAN of the pair. The IDSM-2 would then monitor the traffic between the 2 VLANs just as it does in inline VLAN pair mode. But instead of being passed back and forth on 2 VLANs of a single trunk port, the packets go back and forth between the 2 access ports.

    Since they are access ports, you are limited to only one pair of VLANs when in inline interface pair mode, while inline VLAN pair mode gives you up to 510 VLAN pairs.

    So I do not recommend using inline interface pair mode on the IDSM-2.

    FYI: it does have an advantage when running on an appliance. An appliance can connect between 2 switches (an IDSM-2 cannot, because it is inside the switch). In that case the trunk between the 2 switches can carry 4094 VLANs. So placing an appliance in inline interface pair mode between 2 switches on a trunk does have some advantages.

  • Cisco IDSM and IPS hardware bypass

    Hi all

    I have a question about the Cisco IDSM, the ASA AIP-SSM (IPS) and the IPS 4200 series appliance hardware bypass. Please let me know, if the hardware fails in either case, how does traffic pass through? Is there any built-in hardware bypass in these?

    Regards

    Ankur

    Sorry for the late reply. I've been on vacation for a week.

    Hardware bypass is not available for the IDSM-2, no matter whether you use inline VLAN pairs or inline interface pairs.

    Appliances need special interface cards or a separate hardware bypass switch, and none of these are available for the IDSM-2.

    You must configure your network so that there is a second path around the IDSM-2 in case the IDSM-2 fails.

    This can be done with a standard network cable.

    Suppose you have your IDSM-2 configured for inline VLAN pairing of VLANs 10 and 20.

    Configure a standard switchport as an access port on VLAN 10.

    Configure another standard switchport as an access port on VLAN 20.

    Now, using a standard network cable, connect these 2 switch ports together.

    Shut down your IDSM-2, and traffic should now pass through this network cable and your network connectivity should be maintained.

    Bring your IDSM-2 back up, and now spanning tree runs and will choose either the IDSM-2 or the network cable as the main path, and the other will be set in a blocking state.

    Run "show spanning-tree vlan 10" and "show spanning-tree vlan 20" to determine whether the cable ports or the IDSM-2 port are in a BLK state.

    If the cable ports are in a BLK state, then you don't need to modify spanning tree.

    If the IDSM-2 port is in a BLK state, then you need to change the spanning tree cost and/or priority for the IDSM-2 port using the following commands:

    - [no] intrusion-detection port-channel channel_number spanning-tree cost port_cost

    Sets the spanning tree port cost for the data port on the specified module. The no form restores the spanning tree port cost for the data port on the specified module to the default value.

    - [no] intrusion-detection port-channel channel_number spanning-tree priority priority

    Sets the spanning tree port priority for the data port on the specified module. The no form restores the spanning tree port priority for the data port on the specified module to the default value.

    To learn more about spanning tree and how these parameters interact with spanning tree, you can look through this section of the switch user guide or search cisco.com for spanning tree documentation:

    http://www.Cisco.com/en/us/partner/docs/switches/LAN/catalyst6500/IOS/12.2Sx/configuration/guide/spantree.html

    NOTE: Your switch should be configured for rapid PVST for faster failover. Work with your switch administrator to determine which spanning tree protocol is used on your switch. The IDSM-2 does not work with STDS, so ensure that STD is not used.

  • IPS 4260 sensor - NIC ports

    The IPS 4260 only comes with 1 NIC port. Does that mean it cannot run in promiscuous mode and I must purchase additional NIC interfaces to run inline?

    It comes with a single command-and-control NIC and a single monitoring NIC.

    The monitoring NIC can be used for promiscuous monitoring or inline VLAN pair monitoring.

    With inline VLAN pair monitoring you plug the monitoring port into a switch and make it a 2-VLAN trunk port.

    In the sensor configuration you pair the 2 VLANs.

    Packets entering on VLAN A will be analyzed and passed on VLAN B.

    Packets entering on VLAN B will be analyzed and passed on VLAN A.

    So inline VLAN pairs are like an inline sensor with one interface connected to VLAN A and the other interface connected to VLAN B, but it is able to do it using a single interface.

    For traditional inline interface pair monitoring, yes, you will need to purchase an additional NIC.

    The 4260 supports 3 additional NIC types: 10/100/1000 TX, 1000 SX and 10 Gbps SX.

  • IDSM-2 inline mode

    Hello

    I work with the IDSM-2. We have a Cisco 6509 with CSM and FWSM, and we plan to put the IDSM-2 in inline mode. Now I want to monitor the traffic that arrives through the outside interface of the FW context (which is nothing but VLAN A, VLAN B, VLAN C on the MSFC).

    Data flow: IDSM - ISP RTR - internal RTR - FWSM - MSFC - CSM.

    IDSM version is 5.1(4) S257.0.

    It will support only two VLANs (IN and OUT) in access mode.

    My problem is that I don't know how to analyze the traffic of 3 VLANs (A, B, C).

    Cisco 6509 - version 12.2(18)SXF7.

    You can use inline VLAN pair mode to monitor traffic entering on specific VLANs. For example:

    You have VLANs 100, 200 and 300 on the MSFC that you want to monitor inline.

    You must configure VLANs 101, 201 and 301 (L2 only) and send VLANs 100-101, 200-201 and 300-301 to the IDSM-2.

    You then create the VLAN pairs on the IDSM-2 module as below:

    pair 1 - VLAN 100-101

    pair 2 - VLAN 200-201

    pair 3 - VLAN 300-301

    Then assign the three pairs to a virtual sensor and it will monitor this traffic inline.

    Inline VLAN pair mode is based on VLANs, so it doesn't really matter whether the VLANs are behind or in front of the FWSM.

    Cheers,

    Vinod

  • Newbie Questions

    I just got a project which includes the installation and configuration of IPS-4240 appliances. I have used the IPS modules in ASA devices in the past, but the dedicated appliances are new to me. So I really have a few basic questions:

    1 - Are these appliances purely IPS, or can they perform IDS tasks as well if configured correctly?

    2 - Where in the data path should they be placed? My solution is web hosting with a firewall, load balancer and IPS.

    3 - Do the IPS appliances operate at L2 or L3?

    The IPS-4240 can be used in conjunction with a NetOptics or ShoreMicro bypass switch.

    The bypass switch would be connected in between 2 network devices (typically between a firewall or router and a switch).

    Then there are 2 additional ports on the bypass switch that are connected to 2 ports of the sensor.

    The 2 sensor ports must be configured as an inline interface pair.

    If the sensor is in the traffic path, then traffic from the firewall into the bypass switch will be sent to the sensor on the 1st port. The sensor analyzes the packets and forwards them on the 2nd port to the bypass switch. The bypass switch passes them on to the main switch.

    The same for traffic from the main switch.

    The bypass switch sends the packets to the 2nd port of the sensor. The packet is analyzed and passed out the 1st port. The bypass switch then passes the packet on to the firewall.

    However, if the sensor stops passing traffic (sensor loses connection, sensor is turned off, or sensor just stops processing for some reason), then the bypass switch will detect that the traffic to and from the sensor has stopped.

    The bypass switch will then connect the firewall and switch directly to each other and, as you say, it acts like a pass-through cable.

    The same happens if the bypass switch loses power.

    So for the IPS-4215, IPS-4235, IPS-4250, IPS-4240 and IPS-4255, a NetOptics or ShoreMicro bypass switch is required for this feature.

    The IPS-4260 and IPS-4270, however, have this functionality integrated directly into their 4-port copper TX GE NIC, so a bypass switch is not necessary when using these cards. (A bypass switch is still needed for the 2-port GE fiber NICs.)

    We call the feature above hardware bypass, where the bypass can happen even with loss of power on the sensor.

    The sensor also supports a feature we call software bypass. With software bypass the NIC driver itself will pass traffic through even if the analysis engine should stop analysis for some reason.

    In most situations the sensor still has power and the software bypass takes care of passing traffic through; it is basically just power failure or sensor reboot situations in which the hardware bypass feature is used.

    All sensor platforms support the software bypass feature.

    Also understand that the sensor supports 3 types of inline monitoring mode:

    (1) inline interface pair mode, where 2 interfaces are paired together for inline monitoring. Hardware bypass switches (or the hardware bypass NIC in the IPS-4260 and IPS-4270) can be used in inline interface pair mode.

    (2) inline VLAN pair mode, where 2 VLANs on a single interface are paired together for inline monitoring. Because only a single NIC is used there is no hardware bypass support for inline VLAN pair mode.

    (3) inline mode designated by the chassis, for modules. For our AIM-IPS (module for the router) and AIP-SSM (module for the ASA), it is the chassis configuration (router or ASA) that determines whether a packet will be monitored inline or not.

    There is no hardware bypass support for modules.

    HOWEVER, the router and the ASA support a "fail-open" configuration where, if the sensor module fails, the router/ASA is able to continue passing traffic through even though the sensor module has failed. This "fail-open" configuration can be considered the module equivalent of the hardware bypass feature on appliances.

    In all 3 inline monitoring modes above, the IPS software does support the software bypass feature.

  • Packet display on the WS-SVC-IDS2-BUN-K9 module

    Hi all!

    I am trying to use the CLI command "packet display" on the WS-SVC-IDS2-BUN-K9 module.

    If I put only the interface name as an argument to the command:

    packet display gigabitEthernet0/7

    I get a lot of packets. That is OK.

    But if I add an expression argument I get nothing, even with the required traffic on the wire:

    packet display gigabitEthernet0/7 expression ip proto \icmp

    packet display gigabitEthernet0/7 verbose expression dst host IP

    packet display gigabitEthernet0/7 verbose expression dst port SOME_PORT

    I tested the problem on 5.0(2) and 1.0000 E3. The results were almost the same.

    On an IPS-4255 all the above-mentioned commands produce the expected results.

    I searched the Cisco bug tool and found nothing.

    Can someone try to reproduce this? Has anyone seen it?

    Or maybe it is not a bug but a feature. But I wasn't able to find a description of it.

    Waiting for a response.

    Kind regards

    Maxim

    The packet command uses tcpdump under the covers. Thus the expression must be a valid expression that tcpdump will understand.

    If the packets are standard IP packets, then the expression can be applied directly (which is probably what you see on your IPS-4255).

    BUT if the packets have an 802.1q header (VLAN header), then a special statement must be added to the expression for tcpdump to know how to apply the rest of the expression. With the IDSM-2, in most IDSM-2 deployments the packets will have 802.1q headers. The same problem will be seen on appliances running inline VLAN pair configurations.

    The keyword "vlan" must be added to the expression so it knows it has to parse the 802.1q header before looking for the rest of the expression.

    So try something like:

    packet display gigabitethernet0/7 expression vlan ip proto \icmp

    NOTE: A specific VLAN number can also be added after the vlan keyword to restrict the tcpdump output to traffic on a single VLAN.
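    Why the `vlan` keyword is needed can be seen by doing what tcpdump's filter does by hand. This is an added example, not code from the original thread, from Cisco or from libpcap: the matcher below only emulates the offset checks that tcpdump compiles for the `ip proto` and `vlan` primitives (real tcpdump compiles the expression to BPF bytecode), and the two frames are constructed sample packets, not captures from the module.

```python
"""Added example (not from the original thread, Cisco or libpcap): why a
tcpdump filter such as "ip proto \\icmp" matches nothing on an 802.1Q trunk
until it is prefixed with the "vlan" keyword.  The matcher mirrors the
offset-based checks tcpdump compiles for these primitives; both frames are
constructed sample packets."""

ICMP = 1

# Constructed frames: Ethernet header, optional 802.1Q tag (VLAN 100),
# EtherType 0x0800, a 20-byte IPv4 header (protocol byte = 1), ICMP echo.
_ETH = bytes.fromhex("001122334455" "66778899aabb")
_IPV4_ICMP = bytes.fromhex("4500001c0001000040010000c0a8010ac0a80101"
                           "0800f7ff00000000")
UNTAGGED_ICMP = _ETH + bytes.fromhex("0800") + _IPV4_ICMP
TAGGED_ICMP = _ETH + bytes.fromhex("81000064") + bytes.fromhex("0800") + _IPV4_ICMP


def _be16(frame, off):
    return (frame[off] << 8) | frame[off + 1]


def match_ip_proto(frame, proto, vlan_aware=False, vlan=None):
    """Emulate tcpdump's 'ip proto <proto>' (vlan_aware=False) and
    'vlan [<vlan>] and ip proto <proto>' (vlan_aware=True).

    Without the vlan keyword tcpdump tests ether[12:2] == 0x0800 and reads
    the IP protocol at ether[23]; on a tagged frame ether[12:2] is 0x8100,
    so the test fails silently.  With the keyword it first requires the
    0x8100 TPID and then shifts every later offset past the 4-byte tag."""
    off = 12                                   # where the EtherType normally lives
    if vlan_aware:
        if len(frame) < 16 or _be16(frame, 12) != 0x8100:
            return False                       # "vlan" requires a tag to be present
        if vlan is not None and (_be16(frame, 14) & 0x0FFF) != vlan:
            return False                       # "vlan 100" pins a single VLAN
        off += 4                               # skip TPID + TCI
    if len(frame) < off + 2 or _be16(frame, off) != 0x0800:
        return False
    proto_at = off + 2 + 9                     # IPv4 protocol = byte 9 of the header
    return len(frame) > proto_at and frame[proto_at] == proto


def suggest_expression(frame, base_expr):
    """The tcpdump expression that would match this kind of frame: the base
    expression for an untagged frame, 'vlan <id> and <base>' for a tagged one."""
    if len(frame) >= 16 and _be16(frame, 12) == 0x8100:
        return f"vlan {_be16(frame, 14) & 0x0FFF} and {base_expr}"
    return base_expr


if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED_ICMP), ("tagged", TAGGED_ICMP)):
        print(name,
              "| ip proto icmp ->", match_ip_proto(frame, ICMP),
              "| vlan and ip proto icmp ->", match_ip_proto(frame, ICMP, vlan_aware=True),
              "| use:", suggest_expression(frame, "ip proto \\icmp"))
```

    The same offset shift explains the other two filters in the question: `dst host` and `dst port` also read fixed offsets into the IP and TCP/UDP headers, so on IDSM-2 or inline-VLAN-pair traffic they too see nothing until `vlan` is added in front of them.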

  • IDSM-2 upgrade process questions

    Hello

    I started a new job and have been tasked with researching what we can do with the IDSM-2 module that we have in our 6509. The company has not used the module, so it has not been updated in a few years. I don't have a current license, so I know I can't install new signature updates, but what I want to do is upgrade the software to release 7.0(5a) E4. Once I've upgraded, I want to set it up in our environment and then look into obtaining a signature license.

    I have a few questions about the upgrade process and could use some assistance.

    First, the IDSM is running version 5.1(3) S256.0. From what I've read I don't think I can go directly to 7.0(5a) E4, so my planned upgrade path is: 5.1(3) S256.0 -> 5.1(8) E3 -> 7.0(5a) E4.

    Am I able to upgrade in this way, or is there another recommended method I should use to do this upgrade?

    The files I have for this are listed below; will they be enough, or have I missed one?

    Do I apply them in the listed order?

    Can I apply all of these files from the IDM interface?

    IPS-K9-5.1-8-E3.pkg

    IPS-engine-E3-req-5.1-8.pkg  <--- is this included in the above?

    IPS-K9-r-1.1-a-5.1-8-E3.pkg

    IPS-K9-7.0-5a-E4.pkg

    IPS-K9-r-1.1-a-7.0-5a-E4.pkg

    I intend to back up my configuration first just in case, but this should have no effect on the configuration?

    I have also seen that the upgrade will convert the configuration, so should I back up a second time between the 5.1(8) E3 and 7.0(5a) E4 steps?

    Will there be any effect on network traffic or downtime during this process?

    Is there something else I need to know or have missed?

    Thanks in advance,

    Will

    Hi Will. As you have indicated that this sensor has not been in use, it would be faster/easier to simply re-image directly to the desired version (7.0(5a) E4). Additional benefits are that the sensor's file system will be created clean, the OS/binaries properly installed, without the potential config conversion problems, etc.

    Step-by-step instructions to achieve this can be found here.

    And the system recovery image file you will need ("IPS-IDSM2-K9-sys-1.1-a-7.0-5a-E4.bin.gz") can be downloaded here.

    Will there be any effect on network traffic or downtime during this process?

    It depends on whether the sensor is configured in promiscuous mode or inline [VLAN pair] mode. You can determine this from the Catalyst config. If the sensor is installed in inline [VLAN pair] mode, certainly re-imaging it (and even simply upgrading) could be traffic-impacting (if there is no backup/alternative path for the traffic to take), as in both scenarios the sensor is rebooted and unavailable for 10 minutes (during which time it would not be forwarding traffic, if it was installed inline). In addition, given that re-imaging results in a clean/default configuration, if the sensor was configured inline, this part of the configuration would have to be re-entered post-reimage for the sensor to know to forward traffic accordingly again. Details on the modes can be found here.
