Solved: Reg. IPS Upgradation

ankurs2008 · ‎04-23-2008

Hi

I need to upgrade the IPS 5.1 Version (with the below details) to IPS 6.0.

a)Cisco Intrusion Prevention System, Version 5.1(5)E1

b) Signature Definition:

Signature Update S288.0

Virus Update V1.2

c)

OS Version: 2.4.26-IDS-smp-bigphys

Platform: IPS-4240-K9

Serial Number: JMX1010K08U

Please let me know which software release version should i download from the below one to upgrade to 6.0

1) 6.0(1)

2) 6.0(2)E1

3) 6.0(3)E1

4) 6.0(4)E1

5) 6.0(4a)E1

Regards

Ankur

marcabal · ‎04-23-2008

You can go directly to 6.0(4a) from any 5.0, 5.1, or earlier 6.0 version.

The number inside the parentheses is what we call the service pack level.

On initial release of a major.minor version the service pack level is set to "1" (there is never a "0").

As bugs are fixed that number gets higher and higher. A letter may be added if we needed to fix something in the installation script, but the content of the update has not changed.

So the first thing to determine is what major.minor version you want to run. Then find the highest service pack level for that major.minor and upgrade straight to that highest service pack level.

View solution in original post

jamesand · ‎07-08-2008

It looks like you may have been trying to "upgrade" the sensor using an image file (.img). The .img files are for re-imaging the sensor from rommon (during bootup) - you would lose all of your config doing this. If you are trying to get to the latest 6.x version I would recommend upgrading using one of the following packages:

IPS-K9-6.0-5-E2.pkg

OR

IPS-K9-6.1-1-E2.pkg

under the link "Latest Upgrades" in the "Version 6.x" section of webpage:

http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml

NOTE: You do not need to use the engine upgrade pkg (e.g. IPS-engine-E2-req-6.0-4.pkg) unless you were already running 6.0.4 and wanted to remain at 6.0.4 (6.0.4E1 -> 6.0.4E2). The engine package updates the E version (and siglevel) only, whereas the service pack packages, I listed above, will take you directly to the latest service pack version AND E2 engine version.

View solution in original post

scothrel · ‎04-23-2008

6.0(4a)E1

ankurs2008 · ‎04-23-2008

Hi

Can i directly go for that or i need to go for earlier 6.0 versions and then the latest?

Regards

Ankur

marcabal · ‎04-23-2008

You can go directly to 6.0(4a) from any 5.0, 5.1, or earlier 6.0 version.

The number inside the parentheses is what we call the service pack level.

On initial release of a major.minor version the service pack level is set to "1" (there is never a "0").

As bugs are fixed that number gets higher and higher. A letter may be added if we needed to fix something in the installation script, but the content of the update has not changed.

So the first thing to determine is what major.minor version you want to run. Then find the highest service pack level for that major.minor and upgrade straight to that highest service pack level.

chickman · ‎04-23-2008

Just to add on to what these guys are saying, be very aware of the listed bugs. You may find something that requires you from moving forward in the service packs until it gets fixed.

Other than that, these two guys hit it on the head. Update and be happy!

ankurs2008 · ‎06-28-2008

Hi marcabal

This was one particular conversation which we were discussing few days back. I would like to have your views on the following

We are having IPS 5.0(2) module in ASA firewall and this IPS software version doesnot have Engine E1 and hence cann't be updated with latest signature updates. Also since engine E2 has also released recently , iwould like this version to be upgraded to the latest one . Hence , can you please let me know if 5.0(2) can be directly upgraded to 6.x(x)E1 or 6.x(x)E2

Regards

Ankur

Farrukh Haroon · ‎06-29-2008

This is from the E2 update readme:

"The sensor must report its version as 5.1(7)E1, 6.0(4)E1, or 6.1(1)E1

before you can apply the E2 Engine Update package appropriate to your

version. To determine the current sensor version, log in to the CLI and

type the following command at the prompt:

show version

If a Service Pack is required to update your sensor to one of the

supported releases, consider installing the 5.1(8)E2 or 6.0(5)E2 Service

Pack or the 6.1(1)E2 Minor Update. This will eliminate the need for the

E2 Engine Upgrade, as the functionality is built-in to those, and later,

updates."

Regards

Farrukh

ankurs2008 · ‎06-30-2008

hi happs

thanks for the update .i would also like to know that i have set bypass mode to "Auto" and whether during upgradation only the analysis engine will be down and traffic will continue to flow smoothly (without being inspected) ?.The reason as to why i am asking the same is to confirm that during upgradation the normal network traffic will flow unhindered

Also let me know if i can put the IPS into promiscous mode as an additional precaution ; thereby ensuring that in case of hardware (sensor box) down the traffic will continue to flow smoothly

Regards

Ankur

Farrukh Haroon · ‎06-30-2008

I 'think' the Auto should do the trick. But the upgrade would need a restart, so you need to schedule a downtime anyway. So the question is? Does the 'Auto' really help in your case?

Regards

Farrukh

ankurs2008 · ‎06-30-2008

hi

I would like to ask if setting the ASA traffic to IPS can be set to Promiscous mode so that the chances of traffic getting diverted to IPS is removed completely and network flow is smooth

After upgradation , we can put back "ASA to IPS packet flow" to Inline .Please suggest

Ankur

Farrukh Haroon · ‎06-30-2008

Oh its an ASA AIP here, then I think you can use this approach to be on the 'safe side'.

Regards

Farrukh

ankurs2008 · ‎07-05-2008

hi happs

i tried updating with the version you have mentioned i.e 5.0(2) to E1 ;however it gave an error (attached).Please let me know the exact meaning of the same

Regards

Ankur

Farrukh Haroon · ‎07-06-2008

Which image exactly are you trying?

Regards

Farrukh

ankurs2008 · ‎07-08-2008

hi happs

i am trying to upgrade to 5.1(7) first ,also attached is the snapshot in the previous mail

Ankur

jamesand · ‎07-08-2008

It looks like you may have been trying to "upgrade" the sensor using an image file (.img). The .img files are for re-imaging the sensor from rommon (during bootup) - you would lose all of your config doing this. If you are trying to get to the latest 6.x version I would recommend upgrading using one of the following packages:

IPS-K9-6.0-5-E2.pkg

OR

IPS-K9-6.1-1-E2.pkg

under the link "Latest Upgrades" in the "Version 6.x" section of webpage:

http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/index.shtml

NOTE: You do not need to use the engine upgrade pkg (e.g. IPS-engine-E2-req-6.0-4.pkg) unless you were already running 6.0.4 and wanted to remain at 6.0.4 (6.0.4E1 -> 6.0.4E2). The engine package updates the E version (and siglevel) only, whereas the service pack packages, I listed above, will take you directly to the latest service pack version AND E2 engine version.