IPS Subscription info

Mar 15th, 2010

We have several ASA-5520s with IPS modules (ASA-SSM-20).

We have never updated the signature files on these devices – for various reasons.

I would like to update the signature files to the latest version, but it seems I need an IPS subscription license of some sort.

If I am able to download the signature files via our Cisco contract #, is there anything else needed?

This is what I see after logging into Cisco.com for the latest IPS DOWNLOAD:

Release Date: 12/Mar/2010
E3 Signature Update S477
Size: 416.92 KB  (426920 bytes)

Am I good to go????



Correct Answer
Jennifer Halim Wed, 03/17/2010 - 06:36

It will not allow you to update the signature files unless you have a valid IPS subscription license.

fsebera Wed, 03/17/2010 - 10:15


Also, I see from reading the detailed Cisco docs that you must register your IPS serial number to obtain a valid license.

Without a valid license, having the new signature files does no good as the IPS will not accept the new signature file.

If you want to use the latest signatures, the only option is to upgrade the IPS IOS; however, the new signatures are "NEW CODE" and you are running the risk of denying good traffic or possibly permitting bad, all without alerts.


Jennifer Halim Wed, 03/17/2010 - 14:58

Yes, you are absolutely right. The IPS subscription ties into the serial# of the IPS. You can still upgrade the IPS software to the latest; however, you can't update the signature files to the latest without the IPS subscription.

desaijaimin Mon, 10/03/2011 - 03:20

Hi, we have 2 x standalone IPS and 1 x module. We have recently purchased the subscription. Will it cover all 3 devices or do we need a separate one for each one?

Can IPS update the subscriptions automatically like Anti-virus sw?


Jennifer Halim Mon, 10/03/2011 - 03:39

You would need to purchase 3 x subscription for each of the devices as it ties to the serial# of the device.

Yes, you can configure auto update for the IPS signature update.

desaijaimin Mon, 10/03/2011 - 06:06

Thanks Jennifer. Can you please give me any pointers about an automatic update? Would automatic updates not cause problems such as increased false positives?

If you get a chance, would you please look at a couple of my other queries that I posted last week? Any documents that I could read about step-by-step planning and implementation of the IPS in a real world scenario? I have access to the exam books etc. but I am not able to find the info that I really need in them.

Thanks. Regards.

Jennifer Halim Wed, 10/05/2011 - 05:45

Automatic updates only update the signature to the latest signature pack. Some signatures get enabled by default, and some don't; however, it will have the latest signature within your IPS. In regards to false positives, it doesn't really matter whether you update your signature or not, you would still need to monitor the logs to decrease the number of false positives, because every network environment is different, hence a false positive for one organization might not be the same for another organization's network.

In regards to planning, IPS can be deployed in 2 modes: monitor mode and in-line mode. I would suggest that you start with monitor mode first as it will not block anything but just monitor it, and you can tweak the signature accordingly once you have deployed the IPS for a couple of months. Once you are happy with that, if you would like to deploy it to in-line mode, then it is ok and will prevent things getting blocked due to false positives.

desaijaimin Thu, 10/06/2011 - 04:33

Hi Jennifer, Thank you for your reply.

Is monitor mode different to "alerts only" mode?

Is it possible to set up new signatures for "alerts only" so that once the automatic update is performed, new signatures will generate alerts only and won't drop packets in inline mode?

Or is that what happens with all the signatures by default? It would only drop packets if set up explicitly to do so?

With regards to false positives: is there a good reference resource where I could get more info about the alerts that I am getting? Especially the one about "TCP window size variation" confuses me a great deal.

Thanks. Regards

