What can I downgrade AIP-SSM-10 of 2.0000 E4 to 2.0000 E3?
Hello
I have an AIP-SSM-10 (IPS - K9 - 6.1 - 2 - E3) running inside an ASA (active failover mode / standby).
My license status is 'not expired until 12,2010."
When I switch to 2.0000 E4 (because he said I needed engine E4 to the signature update) my license changed to expired.
Here's my question, what are the versions can I go to?
I made a mistake? Can I go down to 2.0000 E3 and how?
Thank you
Try to remove the license from first service account, and then update the license via cisco.com:
(1) create a user with the service account name: service of privilege for the user name password
(2) then SSH to the IP addresses with the service account user name and password created earlier.
Then by following the steps below:
'su' to root (same as svc acct PW PW)
-Remove all the files in the/usr/cids/idsRoot/shared/directory, * EXCEPT host.conf file *.
-run "/etc/init.d/cids restart" to restart the IPS apps (or reset the sensor)
(3) from IDM - apply the real license by choosing to update the license via cisco.com.
Hope that solves this problem.
Tags: Cisco Security
Similar Questions
-
transparent mode with AIP-SSM-20
I currently have an ASA5510 routed with AIP-SSM-20 mode.
It is necessary to use a connection in optical fiber between the ASA and ASA on the campus, so the AIP - SSM will need to be removed and replaced by the SSM - 4GE. This section should present no problems.
However, this will remove the IPS device, and I always want to use IPS.
So what I think is to get another ASA5510, install the AIP - SSM, configure ASA for transparent and put it between the inside of the ASA routed and my local network. The ASA transparent would be strictly works in the form of an IPS appliance.
The installation program should look like this:
Internal LAN <> ASA transparent with IPS <> routed ASA <> WAN
The AIP - SSM can always perform with the ASA in transparent mode IPS?
Is it possible to configure the ASA and AIP - SSM such as traffic to and from a particular server completely ignores the AIP - SSM?
I have a couple of file servers which generate heavy traffic and can overload the AIP - SSM.
Kind regards.
AFAIR, it is no installation AIP in a transparent firewall problem.
"The SAA in transparent mode can execute an agreement in principle. In the event that the AIP fails,
the IPS will fail-open and the ASA will continue to pass traffic.
However, if an interface or cable fails, then traffic will stop. You
would need a failover pair to account for this failure event, which
means another ASA and matching AIP."
And no there is no problem to exclude certain hosts/ports/subnets inspection by IPS via MPF.
http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/IPS.html#wp1050744
What I consider however is however if the ASA 5510 as second level firewall for 5520 s will be enough.
http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html
HTH,
Marcin
-
To access the AIP-SSM-10 through the ACS
Hye,
Please, I would like to know if you can access the AIP-SSM-10 using a Cisco ACS account.
Thank you
IPS module does not support authentication to the ACS server.
Please find the only authentication method for IPS in the following document:
http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_sensor_management.html
Hope that answers your question.
-
Downgrade IPS on AIP - SSM to 6.1.1 6.0.2
Need to know how to return to v602 once a v611 upgrade was carried out.
The recovery partition is also v611.
Two methods as well as a comment. The comment is that you will want to come back to 6.0 (4), not 6.0 (2) for operational use.
[edit] The following works of generically on autonomous sensors... I missed that this is a question for the AIP - SSM. It should still work on the AIP - SSM with adjustments for the input/output "foreigner in the area.
To recover, a reimage using one of the tftp-able images (or a CD boot if you have a sensor 4235/4250) is the gold standard to go backward. You will lose your configuration when do you and you need to re-run the installation program.
The other way and officially it is not supported for "damages", but it works 98% of the time, is to load the recovery image - r (IPS-K9-r-1.1-a-6.0-4-E1.pkg) and then make an application partition 'recover' the level of the "conf t". This reimage your sensor and preserve the installation of the base system. You will still lose the customizations of signature and passwords will be reset to factory default, but the network configuration is preserved, so you can do it remotely.
-
What are different between the IPS and AIP - SSC and AIP - SSM?
Dear all,
I'm not clear about the IPS, AIP - SSC and AIP - SSM module which are different?
Then, when we can use IP addresses?
When we use the AIP - SSC?
When we can use AIP - SSM?
Thus, a different IPS and AIP - SSC and AIP - SSM material or the same material?
Best regards
Rechard
AIP - SSM is an IPS Firewall ASA module.
IPS is available in different flavors:
-Device of the IPS 4200 series
AIP - SSM - module IPS Firewall ASA
-IDSM2 - IPS module on 6500 series switch
AIM - IPS - map IPS on router IOS
Please rate and mark post useful.
-
Updated AIP-SSM-10 on ASA 5510
Hello
I want to upgrade the IPS module in an ASA 5510, and I have a few questions. The AIP - SSM is running E3 479.0 1.0000 and I have a valid account of the ORC etc for this.
- What is the version of the software on the question of the ASA?
- When I look in the software downloads< ips="" there="" are="" .pkg="" and="" .img="" files.="" i="" want="" to="" upgrade="" to="" 6.3(3)e4.="" do="" i="" have="" to="" re-image="" the="" ips="">
- AFAIK redefinition to wipe the device so I just reload the config after, right?
- I guess I can apply any update after going to E4?
- Can you give me links for this upgrade?
see you soon
Let me give some clarification on a few points:
2. There is no need to recreate the image on the device using the .img file. You can improve the mechanism of maintenance of your existing configuration using the .pkg file. It is the recommended method for upgrading to Cisco IPS devices/modules. The .img file to recreate the image should only be used to restore the default device.
5 here are links for the upgrade of the probe using a .pkg file. For updates through the IDM user interface:
For upgrades via the CLI:
Another point of clarification; current releases of IPS software supported on the AIP-SSM-10 are (taking into account you are currently running 6.2 (1) E3):
6.2 (3) E4
7.0 (4) E4
You can go directly to each output.
Scott
-
Cisco ASA 5510 + license + AIP - SSM
Hello.
I have this box.
I have a few questions about it.
(1) I'll be able to update the firmware (from 8.2 to 8.3 or greater for example) without smarnet for ASA 5510? And what can not do without smartnet?
(2) I have only AIP-SSM-10 module this ASA 5510. is there a smartnet, too? And when I buy only one module is it build in a subscription for 1 year for the signatures of the IPS?
(3) if I have the Cisco ASA 5510 base license, my IPS on AIP-SSM-10 will work?
(4) as I foresee in a purchase of the year a 5510 more with the same module and mount ther of failover. I really need license Security more than failover (active / standby)? For active/active, I know I need one, Yes?
Please help me.
(1) you must Smartnet in order to download the software from the download from cisco.com site.
(2) Yes, there is also a smartnet for the AIP module. Module AIP does not come with one year subscription, but you can ask for a demo license.
(3) Yes, the basic license is OK for the AIP module.
(4) Yes, you would need license security more on the two ASA to be able to run any type of failover on ASA5510.
Hope that answers your questions.
-
Getting started: ASA5520 w / AIP - SSM
I'm trying to deploy an ASA5520 to a customer. I have no problem with the piece of implementing firewall, but I don't know where to start with the piece of IPS.
I searched a bit on the ASA55XX & AIP - SSM, but can't seem to find much on what to do with the AIP - SSM beyond the initial Setup.
Can someone point me to some beginners IPS documentation that focuses on the AIP - SSM?
Thank you
Jeff
In my view, there is a lack of documentation on how to get the IPS module to work with the ASA. It would be nice if there was a single document on how to get IPS working module with the ASA.
Start with the documentation of the IPS. It's just on how to configure the IPS himself module. Assign an IP address for management, set the admin password, etc..
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids12/index.htm
Then go to the documentation of the SAA on how to configure ASA to send traffic to IP addresses (via a service-policy):
http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids11/cliguide/clissm.htm#wp1033926
There is a free viewer of IPS Cisco event offering to monitor events on the IPS. It can be downloaded from the download page of the Cisco IPS software.
Finally, read the whitepaper SAFE on the deployment of the IPS and the setting.
I hope this helps. Remember messages useful rate. Thank you!
-
AIP - SSM 10 Signature Update license?
Hi every one.we had an AIP - SSM 10 for our asa5520.actually it is bundle asa5520 + AIP-SSM10. (part number ASA5520-AIP10-K9 =)
(1) I want to know that if we want to improve our signature aip - ssm we get the Services Cisco IPS download signatures or not with this number of pürt we get it too!
(2) in the case and we must get the Cisco IPS services separately so where can I find a reference number for the services of this?
(3) what license that must be installed on the sensor activation? If we get the Cisco Services for FPS then we receive license activation for installation on sensor too? or not if not, can we install signatures on a sensor that it has not been activated yet? guess we can get a few signatures how! (I know JOINT-2 we cannot install any license until the license is installed on the sensor.) Thank you
CON-SU1-AS2A10K9 would be the correct contract to put all the pieces of the boot under the maintenance contract.
CON-SU1-ASIP10K9, this is what is used when the AIP-SSM-10 are purchased as spare.
I don't know if yes or no this Service Cisco IPS contract can be used to cover only the AIP-SSM-10 if it was purchased as part of a package instead of a spare part. You will need to ask your reseller or Cisco sales representative.
-
Hello
Scenario of
2 networks
outside the network ALL
inside the 192.168.1.0 network
How can I simulate the work of AIP - SSM at the back of the firewall?
My version.
test access extended list permits all ip 192.168.1.0 255.255.255.0
the class map test
match name of group-access test
the policy-map test
the class test
IPS inline help
Expected that all comments
Thank you
Leo
My expertise lies in the IPS and not the firewall. My knowledge of the firewall is quite limited in what it takes to get the packages to the SSM.
SO I'm not sure what the ACL are applied before the decryption or after decryption.
If you want to know at what stage the ACL are applied, you need post a message on the forum of firewall.
I was just trying to show that all firewall features (whatever they are) would be on the package before sending it to the SSM with the exception of encryption and the final drive.
-
Try to upgrade an AIP-SSM-20.
We have 2 ASA in a failover configuration, upgrade on the AIP-SSM-20 secondary has been a success.
On the primary AIP-SSM-20, we get the following error when you try to upgrade via FTP from the same server that we have updated the secondary SSM module of:
execUpgradeSoftware: permission denied
The current version is 1,0000 E1, tyring 4,0000 E1 upgrade
We tried when the module is active and when it's not... same error in both directions. Doesn't seem to be a user FTP error since we get a different when error deliberately hits the user or password.
Our SSM user has administrator privileges (cisco default user) and we tried to restart the SSM... no luck
Anyone has any idea on this?
Thank you
John Stemke
I don't know if the error is generated by the sensor itself, or from the ftp server.
To discover the try running a sniffer of packages on the ftp server or the 'package' command on the CLI for the command of the probe and control interface.
Run the command to upgrade and see if a ftp connection is still attempted by the sensor.
If no ftp connection is attempted, then the error would be to the sensor itself, and it would seem that the user doesn't have permissions admin (which doesn't seem to be your case by what you wrote).
If the ftp connection is attempted, then the error is probably coming from the ftp server. Look at the packages that you have captured and see if an error is coming from the ftp server. The problem may be a permissions issue on the file on the ftp server. The ftp directory or the file itself may not have read permission for the file.
You can also try a ftp from your own desktop to the same ftp server by using the same user and password used for the sensor and see if you can download it on your own desktop.
As a work around to get your updated sensor to update and work on this authorization the problem is later to copy the upgrade on your desktop.
Run IDM and use IDM to repel the upgrade of your desktop directly on the sensor.
-
AIP - SSM recreate the image in secondary ASA 5500 (failover) with virtual contexts
Hello guys,.
The scenario is as follows:
2 ASA 5500 with virtual contexts for failover.
The ASA elementary school has the work of the AIP-SSM20.
ASA school (which is in active / standby) has its SSM20 AIP to work now and everything is in production.
Someone tried to configure this 2nd AIP - SSM, changed the password and lost, so I tried to re - the image (without authorized passage recovery), but the connection fails on the TFTP server, where is the image of the AIP - SSM.
Now questions, documentation Cisco re-imaging view orders under ASA #.
but as this scenario has several virtual contexts the ASA # shell contains no IP address as you know (which I suppose is the reason why the ASA cannot download the image from the TFTP server) and switch to another context (ASA / admin #) re-imaging commands do not work (hw-module module 1... etc...).
What is the solution? Is there documentation for it (with security contexts)?
Thank you very much for reading ;) comment on possible solutions.
Yes,
Some things to keep in mind.
(1) run 'debug module start' on the SAA before running the command "hw-module module 1 recover boot. This will show you the ROMMON of the MSS output as it tries to make the new image and you can look for any errors.
(2) before trying to download from the SSM, first use a machine separate download tftp from your laptop. This will ensure the TFTP on your laptop works and confirm what directory (if any) that you can use as the file location.
(3) if the tftp download does not SSM, then the SSM is unable to properly connect to your laptop. You need a crossover cable to connect your laptop to the SSM. If you have a crossover cable, then you could try to connect the MSS and your laptop to a small hub, or configure a new vlan on your switch with only 2 ports and connect the MSS and your computer laptop this vlan 2 port.
(4) also try the download first at the end of the gateway to 0.0.0.0 since your laptop and the SSM will be on the same subnet. If this does not work then you can try a non-existent 30.0.0.4 address as gateway.
(5) understand that the IP address that you specify for the MSS using the command "configure the hw-module module 1 recover" is just temporary for download. Once an image is installed, then sitting at the module and run the "setup" command in order to configure the permanent address you want ure on external port of the SSM. This address in the "setup" command can the same as that used in the command 'get the 1 hw-module module configure' or a completely new (as in your case). Just make sure that you connect to the network just to what address you give.
-
I just put in place a module AIP SSM in an ASA 5520 with a unique security context.
Do I need to configure virtual devices in this case? or I can use the VS0 default? In the documentation of the IPS, he says "You can't change the definition of signature, rules of action event or anomaly detection policies." for the default virtual sensor (VS0), which is the only virtual sensore I.
Can someone clarify what this means? It somehow restrict the usefulness of the IPS if I do not set up a separate VS?
Thank you very much.
A single sensor vs0 virual is very good, especially when only a single surveillance security context.
The statement do not change the definition of signature, event actions or policies of anomaly detection rules can be a little misleading.
What he's trying to say, is that you cannot create ad1, regles1, and any new polcies sig1 and try to apply them to vs0. The vs0 default must use sig0, rules0 and ad0.
If you have created a new vs1, then you can apply the new policies like sig1 and regles1 ad1 to this new vs1.
This does NOT mean that you cannot make changes to config in sig0, rules0 and ad0.
So feel free to make configuration changes to sig0, rules0 and ad0 to fine-tune how your vs0 should handle the traffic.
It's just the names of politicians who cannot be changed when you use vs0.
-
installation of update of signature for JOINT-2 AIP - SSM
Hi every one, im not sure about this issue but I think its beter ask you experts.i want to know that if I update the signature for example for my JOINT-2 can I install this update of GIS on my AIP - SSM--> assume that software IPS on both devices are same and I also installed the license key valid on AIP - SSM.now can I do this or not? and I know that if you do not license installed on JOINT-2 you cannot install any point of GIS on JOINT-2 but this topic AIP - SSM? I want to say I can install updated GIS on AIP - SSM without installed the license key valid on AIP - SSM? Thank you
There are 3 main types of Signature updates.
(1) IPS sensor Signature Update
(2) updates of Signature CSM for IPS sensors
(3) signing IOS IPS updates
The IPS Signature Update file name is in the form: IPS-GIS-Sxxx-req - Ey.pkg
That's probably what you are referrnig to in your message. This file can be installed on ANY device IDS/IPS or Module.
Here, the requirement is not the platform but rather the level of the engine. The part "req - Ey" in the file name indicates that the sensor has already run the 'y' the software engine level.
If a file IPS-GIS-S436-req - E3.pkg can be installed on any IDS/IPS device or Module as long as the software on this sensor is a version of the 'E3 '.
The CSM updates are updates of signature for the Cisco Security Manager. They contain special files that SCM uses to update, and then also included in the JLC update is the update of real sensor described above. CSM unpackages the CSM update, updates and then uses this file embedded to upgrade the actual sensor.
The third type of file is for routers IOS loaded with the special IOS software that has the distinction of IOS IPS where the router itself (instead of a separate module of the IDS/IPS) keeps track of the signature.
These updates to the signing IOS IPS settle on the real router and are not installed on the Modules or the sensor IDS/IPS devices.
So to answer your question, yes the same Signature Update for your JOINT-2 is the exact same Signature Update for your SSM modules.
The same exact file is available through several different paths on cisco.com. But no matter which way cisco.com you have downloaded the file, you can always install it on all the Modules and the IDS/IPS Appliances.
With respect to licensing, the license works the same on all Modules and the IDS/IPS Appliances. A license must be on the sensor for the Signature Update to apply.
NOTE: A trial license is available at cisco.com for new sensors to allow you to get everything set up properly for your sensor to be covered by a service contract and get the standard license for the service contract.
-
I have an AIP-SSM-10 (IPS - K9 - 6.0 - 5 - E2) running inside an ASA (active failover mode / standby). I tried to put a signature update today (version S447, first time) and he said I need engine lvl 3 to update the signature and I am currently at lvl 2.
Here's my question, what are the versions can I go to? I'm stuck with the versions of level 2 of the engine when using the AIP - SSM or can I put on until the next major release of 2.0000 E3. And is it really a good idea or not. What would you suggest?
Also, I guess I would need to install the release .pkg file. Is this good?
Thanks in advance!
You can switch to the 5,0000 E3, 6,0000 E3 or one of the E3 7.0 images (x). You want the .pkg file.
Mount the sensor in the CLI:
conf t
Update ftp://user:password@/ upgradefilename.pkg
When the sensor complaines on the upgrade, just say 'yes' to go ahead in any case. This is a known bug, do not believe that the CLI.
Maybe you are looking for
-
I'm in Korea business and do not speak the language. I am an American and all my settings on my computer and the browser reflect this. However, whenever I type in www.google.com I'm automatically redirected to http://www.google.co.kr/. When I do a se
-
Satellite X 200 recent overheating
Hi all I am have a 200 X - 20F for 10 months and recently, I find that the temperature are thermal Strawberry (95 ° for the processor) and 85/90 for the gpu to Burns before I ever above the 70/75 ° I think that the fan are too slow, because until I h
-
Then try to scan to the computer it says try scan of the computer.
Original title: DeviceHPSD110a all-in-one won't scan to computer any ideas? When I sciongac scan to the computer it says try scan of the computer.
-
Http, https, ftp with error code 12007 problems.
The problem started after a virus attached. I use wifi on a series of mini laptop 1011 dell with Windows XP. I worked this problem via the internet with little or no help. I used Malwarebytes to clean up. I can't uninstall microsoft essentials. I
-
will not complete the download
How can I me KB (definition 915597 1.187.12 to complete the download.) He said his download and 40 minutes more later no chance!