I recently installed IPS licences on two SA520W's. On the first one I tried the evaluation licence then installed a 1 year licence. On the second one I installed the 1 year licence directly. I use the SA520 simply as a security device directly on an ADSL line, to prevent users of the Wifi network from spreading trojans or starting P2P networks. Besides lots of problems with a dropped WAN link, a few observations:
- There seems to be only one signature file (SBIPS000001); it is also the only one that I can find on the Cisco site. For an evaluation this looks OK but after the upgrade of the eval version strange things happen. After some days, suddenly the file was upgraded to SBIPS000003, although I cannot find it on the site. The new end date does not show on the status, so no way to see what is actually in place.
- On the blank SA520 installing the permanent licence shows SBIPS000001. But the end date shows OK.
- Validate the PAK number for a second time: message failure.
- No list of (valid) PAK numbers or licences in the device. Just the last one in the renew screen (even if it fails).
- URL References in the logfile to signatures on the Cisco site show broken links. Example: http://tools.cisco.com/security/center/viewIpsLiteSignature.x?signatureId=2009-000259. Try to find the number in the security center site: no result.
- Lots of log entries that look serious but no clue what to do with them.
- The signature update shows your Cisco user credentials (including PW) in plain text in the log. Not very nice. (command is /pfrm2.0/bin/ida_test_query Paluijn01 **mypassword** 0). I replaced the password of course...
- CPU performance. I have the feeling that the SA520W is very busy with starting up all kinds of things. Before everything is in place (time, firewall, Wireless, updates) 10-15 minutes is a safe time to start checking results of your reboot. IPS looks like one of the CPU intensive tasks. Today it took the second device more than 3 hours to drop below 10% load. Even that is high, compared to the other one <2% and no users on the network...
- Sometimes it all stops... After reconfiguration the Internet connection stops. At first I accused the modem and provider, but the diagnose screen shows a very nice working ping to the Cisco, or any site or IP address. The firewall: default policy outside allow all. Kill the IPS: no direct result, reboot, no success. Suddenly: it works! Reinstate the IPS: everything works, but for how long?
I think the SA520 is a perfect standoff device for small user groups, but these issues should be solved. I also bought the protect link licence. I do not dare to install it.
Please address these issues soon.