cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
576
Views
5
Helpful
6
Replies

Upgade IDSM-2 from 6.0(3)E1 to 6.1(1)E1

cmhcsecurity
Level 1
Level 1

Question, Should I upgrade to 6.0(4)E1 or 6.1(1)E1. If I go directly to 6.1(1)E1 do we need to load 6.0(4)E1 before ?

Thanks,

1 Accepted Solution

Accepted Solutions

You are correct.

IME is more of a next generation of IEV rather than a CSM replacement.

It has several new event viewer features over what the older IEV had. And these are the biggest advantages of what IME provides.

But from a configuration aspect it is not a replacement of CSM, and does not have comparable features to CSM.

The configuration in IME is just the existing IDM screens built into IME. This way you can configure up to 5 sensors in the one window instead of having to open up 5 different IDM windows.

So IME is just to make configuration a little bit more easy for customers who were previously using IDM for configuration, and was not intended as a replacement for customers already enjoying the additional features of CSM.

So for true multi-sensor configuration you would want to stay with CSM.

However, using CSM in conjunction with IME is something that some users are trying out.

They use IME for event monitoring.

And use CSM for configuration management.

They may not use the IDM screens in IME for configuration management, but they do still take advantage of the IDM screens. The IDM screens in IME also offer better access to the dynamic data on the sensor (like deny lists, shun lists, and ip logs). They can also use it for trying out different temporary config settings when doing trouble shooting before making the final change in CSM and applying it to multiple sensors.

Also keep in mind that IME is not a replacement for MARS either. MARS is also an event viewer, but has many more features and capabilities than IME. But we are hearing of some customers who are considering using both MARS AND IME in order to take advatange of both tools features.

View solution in original post

6 Replies 6

marcabal
Cisco Employee
Cisco Employee

At this point and time the choice between 6.0 and 6.1 is just a personal decision.

The primary difference between 6.0 and 6.1 is that 6.1 has full support for configuration through IME. Both can be monitored by IME, but only 6.1 can be configured through IME.

IME is the Intrusion prevention Manager Express. IME is new with the release of 6.1, and replaces the older IEV for alart viewing, but can also do sensor configuration.

So if you will be using IME, then 6.1 is what I would recommend.

But if you will NOT be using IME for configuration, then 6.0 should work just fine as well.

I assume you are currently running a 5.0 or 5.1 version? In which case you can go directly to 6.0(4)E1, or directly to 6.1(1)E1. To get to 6.1(1)E1 does Not require going to 6.0(4)E1 first, you Can go directly from any 5.0 or 5.1 version to 6.1(1)E1.

NOTE: If running a version 5.1(3) or earlier sensor, then you will get a warning about the file type not being recognized. But you can ignore that message. The filenames changed format after 5.1(4). But it is just a warning message and can safely be ignored, the file Will be able to be installed correctly.

If you happen to still be running a 4.1 version, then you have to go to 5.0(1e) before going to 6.1(1)E1 or 6.0(4)E1.

Oops, I Should have read your original message closer.

You already said you are at 6.0(3)E1.

So yes you can upgrade directly to 6.1(1)E1 without having to install 6.0(40E1.

Thanks for the info.

So if I am using IDM 6.0 device Manager in combination with CSM server 3.1.1 for centralized management of my sensors, there is now advantage for me jump to 6.1 if I don't intend to utilize the new IME.

Does IME substitute the CSM server if we intend to manage lest then 6 Sensors? Does IME have the same features then CSM server in a smaller format ?

Thanks,

IMHO IME is more of a monitoring tool than a configuration tool. If you add multiple sensors in IME, you will have to configure each of them separately (from each individual tab). For example one of our customers runs Four IDSM blades, if I have to tune a particular signature, I still have to browse the signature configuration of each IDSM individually, and there is nothing like a 'Batch Config', this can be done in CSM AFAIK. If I got this wrong, I would be glad if somebody could correct me on this. IME is something still under exploration.

However you can use IME to view events from all sensors (upto five) in a single window, which is pretty nice. IME is more of a replacement of the old IDS Event Viewer and not the CSM.

Regards

Farrukh

Btw, you can find whatever changed in 6.1 on the following link:

http://www.cisco.com/en/US/docs/security/ips/6.1/release/notes/17173_01.html#wp1161779

Regards

Farrukh

You are correct.

IME is more of a next generation of IEV rather than a CSM replacement.

It has several new event viewer features over what the older IEV had. And these are the biggest advantages of what IME provides.

But from a configuration aspect it is not a replacement of CSM, and does not have comparable features to CSM.

The configuration in IME is just the existing IDM screens built into IME. This way you can configure up to 5 sensors in the one window instead of having to open up 5 different IDM windows.

So IME is just to make configuration a little bit more easy for customers who were previously using IDM for configuration, and was not intended as a replacement for customers already enjoying the additional features of CSM.

So for true multi-sensor configuration you would want to stay with CSM.

However, using CSM in conjunction with IME is something that some users are trying out.

They use IME for event monitoring.

And use CSM for configuration management.

They may not use the IDM screens in IME for configuration management, but they do still take advantage of the IDM screens. The IDM screens in IME also offer better access to the dynamic data on the sensor (like deny lists, shun lists, and ip logs). They can also use it for trying out different temporary config settings when doing trouble shooting before making the final change in CSM and applying it to multiple sensors.

Also keep in mind that IME is not a replacement for MARS either. MARS is also an event viewer, but has many more features and capabilities than IME. But we are hearing of some customers who are considering using both MARS AND IME in order to take advatange of both tools features.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: