Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Cisco IPS 4200 Signature update

We are in process of evaluating and implementing Cisco IPS solution for our security needs.

Our vendor told us that 'online' signature updates of Cisco IPS is not possible- it is a manual process and we need to reload the appliance if we wish to update the files.

Somehow, it defies logic. Surely, I beleive, that any IPS should have the ability to get its signatures updated 'online'.

I apologise since this question is too elementary in nature. But could someone shed more light on this?

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Community Member

Re: Cisco IPS 4200 Signature update

You have auto update feature in Cisco IPS version 6.0, take a look at the attached picture.

When updating signatures it is *recommended* that you reload the signatures (reboot the sensor), although this is not mandatory.

Our IPS hasn't been rebooted for over two months now and everything is running ok.

Auto Update

Auto Update

Auto Update

3 REPLIES
Community Member

Re: Cisco IPS 4200 Signature update

You have auto update feature in Cisco IPS version 6.0, take a look at the attached picture.

When updating signatures it is *recommended* that you reload the signatures (reboot the sensor), although this is not mandatory.

Our IPS hasn't been rebooted for over two months now and everything is running ok.

Auto Update

Auto Update

Auto Update

Community Member

Re: Cisco IPS 4200 Signature update

Thanks rnaydenov !

Cisco Employee

Re: Cisco IPS 4200 Signature update

Just to add a little bit to this conversation.

There are 3 main types of updates for the sensor:

1) Signature Updates - the updates just update the sensor with the new signatures that Cisco has created. These updates have been designed such that they can be applied to a running sensor. However, these updates can take a little bit of time for the sensor to process the update during which it will not analyze packets. This can be a concern for a sensor deployed inline (packets passing through the sensor). To address this the sensor has a feature known as Software ByPass. By default ByPass is configured for "auto". When the sensor is processing the signature update and not analyzing the packets, the Software ByPass will "auto"matically turn on and start passing the packets through the sensor without analysis. This way your network will not experience a downtime while the signatures are being updated. As soon as the new signature are processed the sensor will begin analyzing the packets again.

NOTE: On Low End Sensors like the IDS-4215, there is a problem being reported that the sensor runs out of memory while trying to process the new signatures. In the case of a bug like this, then the sensor needs to be rebooted to get it working again. So signature updates are designed to not require a reboot, but if a bug happens then a reboot may be necessary to get the sensor analyzing again.

2) Enging Updates - These updates are larger and will replace the binary (sensorApp) that analyzes the packets as well as applying new signatures. Once again the Software ByPass will automatically kick in when the old sensorApp is stopped, the new sensorApp started, and new signature applied. So with Software ByPass this update can be applied to running sensors without a reboot.

3) Major, Minor, or Service Pack updates - these updates will replace the entire operating system, install new sensor files, and carry forward the older version config to work with the new sensor version.

As there is a complete replacement of the operating system the sensor will be rebooted. In fact it reboots twice during this update. For these types of updates it is recommend that they be done during scheduled network down times.

As for auto update capability.

The sensor does have the ability to auto update itself from a local server on your network. The sensor will not auto update from cisco.com. This means you will need to manualy download the update from cisco.com and place it on your own internal server, and then configure the sensor to auto update from that internal server.

However CSM (Cisco Security Manager) which is the multi-sensor configuration tool does have the ability to automatically pull new updates from cisco.com.

So if you want to have the update automatically pulled from cisco.com and applied to the sensors, then you will need to purchase CSM 3.1.

808
Views
5
Helpful
3
Replies
CreatePlease to create content