Reg. IPS Upgradation

Answered Question
Apr 23rd, 2008

Hi

I need to upgrade the IPS 5.1 Version (with the below details) to IPS 6.0.

a)Cisco Intrusion Prevention System, Version 5.1(5)E1

b) Signature Definition:

Signature Update S288.0

Virus Update V1.2

c)

OS Version: 2.4.26-IDS-smp-bigphys

Platform: IPS-4240-K9

Serial Number: JMX1010K08U

Please let me know which software release version should i download from the below one to upgrade to 6.0

1) 6.0(1)

2) 6.0(2)E1

3) 6.0(3)E1

4) 6.0(4)E1

5) 6.0(4a)E1

Regards

Ankur

I have this problem too.
0 votes
Correct Answer by jamesand about 8 years 5 months ago

It looks like you may have been trying to "upgrade" the sensor using an image file (.img). The .img files are for re-imaging the sensor from rommon (during bootup) - you would lose all of your config doing this. If you are trying to get to the latest 6.x version I would recommend upgrading using one of the following packages:

IPS-K9-6.0-5-E2.pkg

OR

IPS-K9-6.1-1-E2.pkg

under the link "Latest Upgrades" in the "Version 6.x" section of webpage:

http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml

NOTE: You do not need to use the engine upgrade pkg (e.g. IPS-engine-E2-req-6.0-4.pkg) unless you were already running 6.0.4 and wanted to remain at 6.0.4 (6.0.4E1 -> 6.0.4E2). The engine package updates the E version (and siglevel) only, whereas the service pack packages, I listed above, will take you directly to the latest service pack version AND E2 engine version.

Correct Answer by marcabal about 8 years 7 months ago

You can go directly to 6.0(4a) from any 5.0, 5.1, or earlier 6.0 version.

The number inside the parentheses is what we call the service pack level.

On initial release of a major.minor version the service pack level is set to "1" (there is never a "0").

As bugs are fixed that number gets higher and higher. A letter may be added if we needed to fix something in the installation script, but the content of the update has not changed.

So the first thing to determine is what major.minor version you want to run. Then find the highest service pack level for that major.minor and upgrade straight to that highest service pack level.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
ankurs2008 Wed, 04/23/2008 - 07:24

Hi

Can i directly go for that or i need to go for earlier 6.0 versions and then the latest?

Regards

Ankur

Correct Answer
marcabal Wed, 04/23/2008 - 07:38

You can go directly to 6.0(4a) from any 5.0, 5.1, or earlier 6.0 version.

The number inside the parentheses is what we call the service pack level.

On initial release of a major.minor version the service pack level is set to "1" (there is never a "0").

As bugs are fixed that number gets higher and higher. A letter may be added if we needed to fix something in the installation script, but the content of the update has not changed.

So the first thing to determine is what major.minor version you want to run. Then find the highest service pack level for that major.minor and upgrade straight to that highest service pack level.

ankurs2008 Sat, 06/28/2008 - 21:24

Hi marcabal

This was one particular conversation which we were discussing few days back. I would like to have your views on the following

We are having IPS 5.0(2) module in ASA firewall and this IPS software version doesnot have Engine E1 and hence cann't be updated with latest signature updates. Also since engine E2 has also released recently , iwould like this version to be upgraded to the latest one . Hence , can you please let me know if 5.0(2) can be directly upgraded to 6.x(x)E1 or 6.x(x)E2

Regards

Ankur

Farrukh Haroon Sun, 06/29/2008 - 02:10

This is from the E2 update readme:

"The sensor must report its version as 5.1(7)E1, 6.0(4)E1, or 6.1(1)E1

before you can apply the E2 Engine Update package appropriate to your

version. To determine the current sensor version, log in to the CLI and

type the following command at the prompt:

show version

If a Service Pack is required to update your sensor to one of the

supported releases, consider installing the 5.1(8)E2 or 6.0(5)E2 Service

Pack or the 6.1(1)E2 Minor Update. This will eliminate the need for the

E2 Engine Upgrade, as the functionality is built-in to those, and later,

updates."

Regards

Farrukh

ankurs2008 Mon, 06/30/2008 - 01:13

hi happs

thanks for the update .i would also like to know that i have set bypass mode to "Auto" and whether during upgradation only the analysis engine will be down and traffic will continue to flow smoothly (without being inspected) ?.The reason as to why i am asking the same is to confirm that during upgradation the normal network traffic will flow unhindered

Also let me know if i can put the IPS into promiscous mode as an additional precaution ; thereby ensuring that in case of hardware (sensor box) down the traffic will continue to flow smoothly

Regards

Ankur

Farrukh Haroon Mon, 06/30/2008 - 02:02

I 'think' the Auto should do the trick. But the upgrade would need a restart, so you need to schedule a downtime anyway. So the question is? Does the 'Auto' really help in your case?

Regards

Farrukh

ankurs2008 Mon, 06/30/2008 - 02:24

hi

I would like to ask if setting the ASA traffic to IPS can be set to Promiscous mode so that the chances of traffic getting diverted to IPS is removed completely and network flow is smooth

After upgradation , we can put back "ASA to IPS packet flow" to Inline .Please suggest

Ankur

Farrukh Haroon Mon, 06/30/2008 - 03:16

Oh its an ASA AIP here, then I think you can use this approach to be on the 'safe side'.

Regards

Farrukh

ankurs2008 Sat, 07/05/2008 - 08:16

hi happs

i tried updating with the version you have mentioned i.e 5.0(2) to E1 ;however it gave an error (attached).Please let me know the exact meaning of the same

Regards

Ankur

Attachment: 
ankurs2008 Tue, 07/08/2008 - 01:57

hi happs

i am trying to upgrade to 5.1(7) first ,also attached is the snapshot in the previous mail

Ankur

Correct Answer
jamesand Tue, 07/08/2008 - 08:51

It looks like you may have been trying to "upgrade" the sensor using an image file (.img). The .img files are for re-imaging the sensor from rommon (during bootup) - you would lose all of your config doing this. If you are trying to get to the latest 6.x version I would recommend upgrading using one of the following packages:

IPS-K9-6.0-5-E2.pkg

OR

IPS-K9-6.1-1-E2.pkg

under the link "Latest Upgrades" in the "Version 6.x" section of webpage:

http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml

NOTE: You do not need to use the engine upgrade pkg (e.g. IPS-engine-E2-req-6.0-4.pkg) unless you were already running 6.0.4 and wanted to remain at 6.0.4 (6.0.4E1 -> 6.0.4E2). The engine package updates the E version (and siglevel) only, whereas the service pack packages, I listed above, will take you directly to the latest service pack version AND E2 engine version.

Actions

This Discussion