Auto update IPS feature

Unanswered Question
Jan 18th, 2009

I have an ASA-SSM10. Does Cisco still allow auto update? My vendor told me that Cisco has stopped the auto update feature.

Thanks

marcabal Tue, 01/20/2009 - 07:29

There has been no change to the auto update feature of the sensors, and ASA-SSM-10 is still fully supported.

There are 2 types of auto update features supported on the sensors:

1) Auto update from cisco.com. This feature is supported in IPS version 6.1 and higher. Both signature and engine updates can be auto updated from cisco.com using this feature.

This feature will NOT auto update Service Packs, Minor Updates, or Major Updates. These types of updates will require a sensor reboot and should only be done on inline sensors during scheduled network downtimes.

2) Auto Update from the user's own server. This feature is supported in all IPS versions. Users download the updates from cisco.com and place them on their own ftp or scp server. The sensor can then be configured to download the updates from the user's ftp or scp server on a scheduled basis. ALL updates are supported using this method.

The CSM (Cisco Security Manager) also supports auto update from cisco.com. CSM is able to automatically pull down ALL update types and automatically push them to the managed sensors.

There is no intention to remove any of these auto update features.

There have periodically been situations where the auto update from cisco.com was not functioning for a short period of time, but these would not have been intentional, and were corrected as soon as possible after being discovered.

As for ASA-SSM-10 the product is fully supported and being sold. No End of Sale/End of Life notice has been created for the ASA-SSM-10.

leo_zidane Wed, 01/21/2009 - 01:38

Mine is an IPS version 5, so if I configure auto update from an ftp server, that means I need to download the updates from cisco.com and then place them on my ftp server so that the IPS can auto pull from the server. Am I right to say that?

I have a CSM 3.1, so if I download from cisco.com, what will the CSM download? All the signatures, or service packs too? If my sensor is on an older version, will the CSM just push down the new version without even checking whether my IPS can support it?

Is it safer to do it manually or using CSM?

marcabal Wed, 01/21/2009 - 06:58

Correct. An IPS version 5.x sensor CAN auto download updates from your ftp server, similar to what you described. You just configure the sensor to know the ftp server's ip address, username, password, and directory location for the updates you downloaded and put on your ftp server.

NOTE1: Be sure to keep the filenames exactly as they were on cisco.com. The sensor's auto update feature will read in the filenames in order to determine what updates to try and install.

NOTE2: The auto update feature cannot predetermine whether an update file will be able to be installed on the specific sensor platform you have. So if you have an older platform not supported in the latest update it will generate an error that the platform is not supported. You would need to remove that update from your ftp server in order to allow the sensor to check other update files. For example the IDS-4235 is not supported in IPS 6.1, but is still supported in both IPS 5.1 and IPS 6.0. If an IPS 6.1 file is placed in the ftp server the sensor will try to install it and generate an error. If the IPS 6.1 file is not removed, then at the next scheduled update time the same file will again be attempted and fail. So the IPS 6.1 file should be removed so the sensor can check to see if there are IPS 5.1 or 6.0 files it can install.

As for CSM, I am not familiar enough with CSM to know exactly how it works. I know it will auto download new updates as they are put on cisco.com, but I am not sure about updates that were already on cisco.com when CSM got installed at your site. I would recommend just installing and configuring CSM for auto updates from cisco.com and see what files it downloads. (NOTE: It is separate steps to get CSM to get the files from cisco.com, than to push those files to the sensors. So you can get them from cisco.com without auto pushing them to the sensors.)

Each sensor update file is also separately packaged as a CSM update file. The CSM update file contains both the sensor update file as well as a few other files that CSM itself needs in order to know how to configure a sensor with that version. It is these CSM update files that CSM will auto download from cisco.com. Since it contains the sensor update file, it can then push the sensor update file to the sensor.

CSM should be able to download the service packs, signature updates, as well as the major and minor updates that it is able to configure. (NOTE: New major and minor updates will require newer versions of CSM).

I am not completely sure, but I believe CSM is able to determine which updates can be pushed to which sensors. So as in my above example, I don't think CSM will try to push an IPS 6.1 file to an IDS-4235.

However, it has been awhile since I've used CSM and I could be wrong.

As for whether to do the updates manually or using CSM: if you are going to use CSM for configuration, then I would suggest trying to do the sensor updates using CSM.

Updating the sensor without using CSM can cause CSM to be confused about what version is loaded on the sensor.

So when using CSM it is best to use CSM for both configuration management as well as updating of the sensor.

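The staging-directory check implied by NOTE1 and NOTE2 above, as an added example that is not part of the thread: before the scheduled pull, classify each file on the ftp/scp server for a given sensor so that a package the platform cannot run (the IDS-4235 / IPS 6.1 case) is removed instead of failing on every run and blocking the other files. The filename layouts, the platform support table and the ASA-SSM-10 row are assumptions made for this example, not values from the thread.

```python
import re

# Assumed filename layouts (not given in the thread): full-version packages such as
# "IPS-K9-6.1-1-E2.pkg" (version 6.1, service pack 1, engine E2) and signature
# packages such as "IPS-sig-S370-req-E2.pkg" (signature S370, requires engine E2).
VERSION_PKG = re.compile(r"^IPS-K9-(\d+)\.(\d+)-(\d+)-E(\d+)\.pkg$")
SIG_PKG = re.compile(r"^IPS-sig-S(\d+)-req-E(\d+)\.pkg$")

# Constructed support table from the thread's example: the IDS-4235 runs 5.1 and
# 6.0 but not 6.1. The ASA-SSM-10 row is an assumption for illustration only.
SUPPORTED_VERSIONS = {
    "IDS-4235": {(5, 1), (6, 0)},
    "ASA-SSM-10": {(5, 1), (6, 0), (6, 1)},
}

# Constructed listing of a staging directory; the last name was renamed by hand,
# which NOTE1 warns against.
STAGED_FILES = ["IPS-K9-6.1-1-E2.pkg", "IPS-K9-6.0-1-E2.pkg",
                "IPS-sig-S370-req-E2.pkg", "IPS-sig-S380-req-E3.pkg",
                "sig-update-latest.pkg"]


def check_staging(platform, running_version, running_engine, filenames):
    """Return {filename: (action, reason)} for one sensor.

    'install' = the sensor can apply it; 'skip' = harmless but not applicable;
    'remove' = would raise 'platform not supported' on every scheduled run and
    keep the sensor from checking the remaining files; 'unknown' = renamed file
    the sensor cannot interpret. running_version is (major, minor, service_pack).
    """
    supported = SUPPORTED_VERSIONS.get(platform, set())
    report = {}
    for name in filenames:
        m = VERSION_PKG.match(name)
        if m:
            major, minor, sp = int(m.group(1)), int(m.group(2)), int(m.group(3))
            if (major, minor) not in supported:
                report[name] = ("remove", f"{platform} is not supported in {major}.{minor}")
            elif (major, minor, sp) <= running_version:
                report[name] = ("skip", "sensor already runs this version or newer")
            else:
                report[name] = ("install", "supported upgrade")
            continue
        m = SIG_PKG.match(name)
        if m:
            required_engine = int(m.group(2))
            if required_engine > running_engine:
                report[name] = ("skip", f"needs engine E{required_engine} first")
            else:
                report[name] = ("install", "signature update")
            continue
        report[name] = ("unknown", "filename does not match a cisco.com package name")
    return report


if __name__ == "__main__":
    for name, (action, reason) in check_staging("IDS-4235", (5, 1, 3), 2, STAGED_FILES).items():
        print(f"{action:8} {name}  ({reason})")
```

Files reported as 'remove' are the ones to delete from the ftp/scp directory before the next scheduled pull.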
miguelbazmartinez Thu, 01/22/2009 - 08:28

Hi

We are having trouble with auto-updating the signatures from cisco.com.

We filled in the check box "enable signatures and engine updates from cisco.com" but the IPS still does not update like it is supposed to.

The customer is not having any issues downloading the signatures from cisco.com.

Can you please help us with this situation?

Sincerely,

Miguel Baz
