What is the recommended way to maintain all incremental IPS signature files created from periodic signature updates? I noticed my small 880 series routers (yeah, I use the cheap IOS IPS) restart the IPS engine for each and every incremental file available; since each restart takes close to a minute, it takes forever to return a router to its working state after any extended power outage, when you have, let's say, a couple months' worth of signature updates (from S638 to S725).
Should I clear the IPS and restart it from scratch using the latest pkg/zip combo as found on SDM, just use the pkg file via CLI, or is there any command I could use to maybe merge all those incremental files?
The problem is not staying on the latest version - which is what I do. The problem, actually, is I am avoiding a "reinstall" of the IPS feature. As said, there are 50+ "iosips-sig-default-SXXX.xmz" incremental files in my flash:ips/ folder. Since last year updating via SDM was the only available option; by S648 Cisco stopped publishing new .pkgs and at that time I had plenty of dead routers, literally out of any recovery, because of the combo IOS 15.0M and auto-updates (please read http://tools.cisco.com/security/center/viewBulletin.x?bId=464&year=2012). I have recently opened a new TAC and, after some internal testing, they resumed publishing .pkg files again.
Auto signature update is not an option since then, so the only way to be back on track was using SDM. That and a manual change control process helped, but again, it is a freakin' time consuming process, not only to deploy signatures but also to recover routers back after power loss. Hence my latest TAC.
Having said that, I was wondering if, by applying the latest .pkg via CLI ("copy IOS-SXXX-CLI.pkg idconf") I could get rid of all those "iosips-sig-default-SXXX.xmz" files and reduce my effective reload times back to less than an hour. If there is no other way to reuse currently deployed sig files, I guess I should plan to clear and reapply IPS feature from the current .pkg file. That will be fun... *sigh*