Reg. IPS Upgradation

Answered Question
Apr 23rd, 2008


Hi


I need to upgrade the IPS 5.1 Version (with the below details) to IPS 6.0.


a) Cisco Intrusion Prevention System, Version 5.1(5)E1


b) Signature Definition:


Signature Update S288.0

Virus Update V1.2


c)

OS Version: 2.4.26-IDS-smp-bigphys

Platform: IPS-4240-K9

Serial Number: JMX1010K08U


Please let me know which software release version I should download from the ones below to upgrade to 6.0:


1) 6.0(1)

2) 6.0(2)E1

3) 6.0(3)E1

4) 6.0(4)E1

5) 6.0(4a)E1



Regards

Ankur

ankurs2008 Wed, 04/23/2008 - 07:24

Hi


Can I directly go for that, or do I need to go for earlier 6.0 versions and then the latest?


Regards

Ankur

Correct Answer
marcabal (Cisco Employee) Wed, 04/23/2008 - 07:38

You can go directly to 6.0(4a) from any 5.0, 5.1, or earlier 6.0 version.


The number inside the parentheses is what we call the service pack level.

On initial release of a major.minor version the service pack level is set to "1" (there is never a "0").

As bugs are fixed that number gets higher and higher. A letter may be added if we needed to fix something in the installation script, but the content of the update has not changed.


So the first thing to determine is what major.minor version you want to run. Then find the highest service pack level for that major.minor and upgrade straight to that highest service pack level.


ankurs2008 Sat, 06/28/2008 - 21:24

Hi marcabal


This was one particular conversation which we were discussing a few days back. I would like to have your views on the following.


We have an IPS 5.0(2) module in an ASA firewall, and this IPS software version does not have Engine E1 and hence can't be updated with the latest signature updates. Also, since engine E2 has also been released recently, I would like this version to be upgraded to the latest one. Hence, can you please let me know if 5.0(2) can be directly upgraded to 6.x(x)E1 or 6.x(x)E2?


Regards

Ankur



Farrukh Haroon Sun, 06/29/2008 - 02:10

This is from the E2 update readme:


"The sensor must report its version as 5.1(7)E1, 6.0(4)E1, or 6.1(1)E1 before you can apply the E2 Engine Update package appropriate to your version. To determine the current sensor version, log in to the CLI and type the following command at the prompt:

show version

If a Service Pack is required to update your sensor to one of the supported releases, consider installing the 5.1(8)E2 or 6.0(5)E2 Service Pack or the 6.1(1)E2 Minor Update. This will eliminate the need for the E2 Engine Upgrade, as the functionality is built-in to those, and later, updates."


Regards


Farrukh

ankurs2008 Mon, 06/30/2008 - 01:13

Hi happs


Thanks for the update. I would also like to know: I have set bypass mode to "Auto", so during upgradation will only the analysis engine be down while traffic continues to flow smoothly (without being inspected)? The reason I am asking is to confirm that during upgradation the normal network traffic will flow unhindered.


Also let me know if I can put the IPS into promiscuous mode as an additional precaution, thereby ensuring that in case the hardware (sensor box) goes down the traffic will continue to flow smoothly.


Regards

Ankur

Farrukh Haroon Mon, 06/30/2008 - 02:02

I 'think' the Auto should do the trick. But the upgrade would need a restart, so you need to schedule a downtime anyway. So the question is: does the 'Auto' really help in your case?


Regards


Farrukh

ankurs2008 Mon, 06/30/2008 - 02:24

Hi


I would like to ask if the ASA traffic to the IPS can be set to promiscuous mode, so that the chance of traffic getting diverted to the IPS is removed completely and network flow is smooth.


After upgradation, we can put the "ASA to IPS packet flow" back to Inline. Please suggest.


Ankur

Farrukh Haroon Mon, 06/30/2008 - 03:16

Oh, it's an ASA AIP here; then I think you can use this approach to be on the 'safe side'.


Regards


Farrukh

ankurs2008 Sat, 07/05/2008 - 08:16

Hi happs


I tried updating with the version you mentioned, i.e. 5.0(2) to E1; however, it gave an error (attached). Please let me know the exact meaning of the same.


Regards

Ankur



Farrukh Haroon Sun, 07/06/2008 - 03:14

Which image exactly are you trying?


Regards


Farrukh

ankurs2008 Tue, 07/08/2008 - 01:57

Hi happs


I am trying to upgrade to 5.1(7) first; also, the snapshot is attached in the previous mail.


Ankur

Correct Answer
jamesand (Cisco Employee) Tue, 07/08/2008 - 08:51

It looks like you may have been trying to "upgrade" the sensor using an image file (.img). The .img files are for re-imaging the sensor from rommon (during bootup) - you would lose all of your config doing this. If you are trying to get to the latest 6.x version I would recommend upgrading using one of the following packages:


IPS-K9-6.0-5-E2.pkg

OR

IPS-K9-6.1-1-E2.pkg


under the link "Latest Upgrades" in the "Version 6.x" section of webpage:


http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml


NOTE: You do not need to use the engine upgrade pkg (e.g. IPS-engine-E2-req-6.0-4.pkg) unless you were already running 6.0.4 and wanted to remain at 6.0.4 (6.0.4E1 -> 6.0.4E2). The engine package updates the E version (and siglevel) only, whereas the service pack packages, I listed above, will take you directly to the latest service pack version AND E2 engine version.
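
The version scheme and file types discussed in this thread can be turned into a pre-flight check run before a file is copied to the sensor. This is an added example, not Cisco's tooling or code from any poster; the file-name patterns are inferred from the three names quoted above, the strict match against the E2 readme's version list is an assumption, and `sensor.img` in the usage is a constructed name.

```python
import re

# Version as reported by "show version", e.g. 5.1(5)E1 or 6.0(4a)E1.
# The E (engine) suffix is optional: the thread's 5.0(2) sensor has none.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)(?:E(\d+))?$")
# File-name shapes inferred from the names quoted in the thread (assumption).
UPGRADE_RE = re.compile(r"^IPS-K9-(\d+)\.(\d+)-(\d+)-E(\d+)\.pkg$")
ENGINE_RE = re.compile(r"^IPS-engine-E(\d+)-req-(\d+)\.(\d+)-(\d+)\.pkg$")
# Versions the quoted E2 readme accepts for the E2 engine update.
E2_ENGINE_PREREQS = {"5.1(7)E1", "6.0(4)E1", "6.1(1)E1"}


def parse_version(text):
    """Split major.minor(service-pack[letter])[E-level] into its fields."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised sensor version: {text!r}")
    major, minor, sp, letter, engine = m.groups()
    return {"train": (int(major), int(minor)), "sp": int(sp),
            "letter": letter, "engine": int(engine) if engine else None}


def preflight(current, filename):
    """Return (verdict, reason) for applying filename to a sensor at current."""
    cur = parse_version(current)
    if filename.lower().endswith(".img"):
        return ("refuse", "re-image file for rommon; applying it loses the config")
    m = ENGINE_RE.match(filename)
    if m:
        level, major, minor, sp = map(int, m.groups())
        required = f"{major}.{minor}({sp})E1"
        if level != 2 or required not in E2_ENGINE_PREREQS:
            return ("unknown", "only the E2 readme prerequisites are quoted here")
        # Strict string match against the readme's list (assumption).
        if current.strip() == required:
            return ("engine-ok", f"sensor reports {required}")
        return ("engine-not-applicable",
                f"sensor must report {required}; use a service pack instead")
    m = UPGRADE_RE.match(filename)
    if m:
        major, minor, sp, level = map(int, m.groups())
        if ((major, minor), sp) > (cur["train"], cur["sp"]):
            return ("upgrade", f"moves sensor to {major}.{minor}({sp})E{level}")
        return ("not-newer", "package is not newer than the running version")
    return ("unknown", "file name matches none of the known shapes")


if __name__ == "__main__":
    for ver, name in [("5.0(2)", "IPS-K9-6.0-5-E2.pkg"), ("5.0(2)", "sensor.img"),
                      ("5.1(5)E1", "IPS-engine-E2-req-6.0-4.pkg")]:
        print(ver, name, preflight(ver, name))
```
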
