Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Bronze

IPS Subscription info

We have several ASA-5520s with IPS modules (ASA-SSM-20).

We have never updated the signature files on these devices – for various reasons.

I would like to update the signature files to the latest version but seems I need an IPS subscription license of some sort.

If I am able to download the signature files via our Cisco contract #, is there anything else needed?

This is what I see after logging into Cisco.com for the latest IPS DOWNLOAD:

IPS-sig-S477-req-E3.pkg
Release Date: 12/Mar/2010
E3 Signature Update S477
Size: 416.92 KB  (426920 bytes)


Am I good to go????

Tks

Frank

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: IPS Subscription info

It will not allow you to update the signature files unless you have a valid IPS subscription license.

8 REPLIES
Cisco Employee

Re: IPS Subscription info

It will not allow you to update the signature files unless you have a valid IPS subscription license.

Bronze

Re: IPS Subscription info

Thanks!

Also, I see from reading the detailed Cisco docs that you must register your IPS serial number to obtain a valid license.

Without a valid license, having the new signature files does no good as the IPS will not accept the new signature file.

If you want to use the latest signatures, only option is to upgrade the IPS IOS , however the new signatures are "NEW CODE" and you are running the risk of denying good traffic or possible permitting bad, all without alerts.

Frank

Cisco Employee

Re: IPS Subscription info

yes, you are absolutely right. The IPS subscription ties into the serial# of the IPS. You can still upgrade the IPS software to the latest, however, can't update the signature files to the latest without the IPS subscription.

New Member

Re: IPS Subscription info

Hi, We have 2 x standalone IPS and 1 x module.. We have recently purchased the subscription. Will it cover all 3 devices or we need a separate one for each one? 

Can IPS update the subscriptions automatically like Anti-virus sw? 

Regards.

Cisco Employee

IPS Subscription info

You would need to purchase 3 x subscription for each of the devices as it ties to the serial# of the device.

Yes, you can configure auto update for the IPS signature update.

New Member

IPS Subscription info

Thanks Jennifer.  Can you please give me any pointers about an automatic update?  Would automatic updates not cause problems such a increased false positives? 

If you get a chance would you please look at couple of my other queries that I posted last week? Any documents that I could read about step-by-step planning and implementation of the IPS in a real world scenario. I have access to the exam books etc but I am not able to find the info. that I really need in them.

Thanks. Regards.

Cisco Employee

Re: IPS Subscription info

Automatic updates only update the signature to the latest signature pack. Some signatures gets enabled by default, and some doesn't, however, it will have the latest signature within your IPS. In regards to false positive, it doesn't really matter whether you update your signature or not, you would still need to monitor the logs to decrease the number of false positive because every network environment is difference hence false positive for one organization might not be the same for another organization's network.

In regards to planning, IPS can be deployed in 2 mode: monitor mode and in-line mode. I would suggest that you start with monitor mode first as it will not block anything but just monitor it, and you can tweak the signature accordingly once you have deployed the IPS for a couple of months. Once you are happy with that, if you would like to deploy it to in-line mode, then it is ok and will prevent things getting blocked due to false positive.

New Member

IPS Subscription info

Hi Jennifer, Thank you for your reply.

Is monitor mode different to "alerts only" mode?

Is it possible to setup new signatures for "alerts only" so that once the automatic update is performed, new signatures will generate alert only and won't drop packets in inline mode.

Or is that what happens with all the signatures by default.  It would only drop packets if setup explicitly to do so?

With regards to false positives. Is there a good reference resource where I could get more info about the alerts that I am getting.  Especially the one about "TCP window size variation" confuses me a great deal. 

Thanks. Regards

896
Views
0
Helpful
8
Replies
CreatePlease to create content