Also, I see from reading the detailed Cisco docs that you must register your IPS serial number to obtain a valid license.
Without a valid license, having the new signature files does no good as the IPS will not accept the new signature file.
If you want to use the latest signatures, the only option is to upgrade the IPS IOS; however, the new signatures are "NEW CODE" and you are running the risk of denying good traffic or possibly permitting bad, all without alerts.
Yes, you are absolutely right. The IPS subscription ties into the serial# of the IPS. You can still upgrade the IPS software to the latest; however, you can't update the signature files to the latest without the IPS subscription.
Thanks Jennifer. Can you please give me any pointers about an automatic update? Would automatic updates not cause problems such as increased false positives?
If you get a chance, would you please look at a couple of my other queries that I posted last week? Any documents that I could read about step-by-step planning and implementation of the IPS in a real world scenario? I have access to the exam books etc. but I am not able to find the info that I really need in them.
Automatic updates only update the signatures to the latest signature pack. Some signatures get enabled by default and some don't; however, you will have the latest signatures within your IPS. In regards to false positives, it doesn't really matter whether you update your signatures or not; you would still need to monitor the logs to decrease the number of false positives, because every network environment is different, hence a false positive for one organization might not be the same for another organization's network.
In regards to planning, IPS can be deployed in 2 modes: monitor mode and in-line mode. I would suggest that you start with monitor mode first, as it will not block anything but just monitor it, and you can tweak the signatures accordingly once you have deployed the IPS for a couple of months. Once you are happy with that, if you would like to deploy it in in-line mode, then it is OK and will prevent things getting blocked due to false positives.
Is it possible to set up new signatures for "alerts only" so that once the automatic update is performed, new signatures will generate alerts only and won't drop packets in inline mode?
Or is that what happens with all the signatures by default? It would only drop packets if set up explicitly to do so?
With regards to false positives, is there a good reference resource where I could get more info about the alerts that I am getting? Especially the one about "TCP window size variation" confuses me a great deal.
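The monitoring step Jennifer recommends (run in monitor mode, watch the logs, then tune before going inline) is easier with a small triage script. The following is an added example, not code from the thread or from Cisco: it parses alert lines written in the style of IOS IPS syslog messages, aggregates hits per signature, and flags signatures that fire repeatedly from several hosts, separating out those already set to drop so they can be reviewed (for instance, switched to alert-only) before an inline deployment. The log layout, the trailing `Action:` field, the signature IDs, names and addresses are all constructed for this example and are not real Cisco identifiers.

```python
import re
from collections import Counter

# Constructed sample in the style of IOS IPS syslog alerts. Signature IDs, names,
# addresses and the trailing Action field are made up for this example.
SAMPLE_LOG = """\
%IPS-4-SIGNATURE:Sig:1000 Subsig:0 Sev:2 TCP window size variation [10.1.1.20:443 -> 192.168.5.7:51234] RiskRating:30 Action:alert
%IPS-4-SIGNATURE:Sig:1000 Subsig:0 Sev:2 TCP window size variation [10.1.1.20:443 -> 192.168.5.8:51300] RiskRating:30 Action:alert
%IPS-4-SIGNATURE:Sig:1000 Subsig:0 Sev:2 TCP window size variation [10.1.1.21:443 -> 192.168.5.9:51400] RiskRating:30 Action:alert
%IPS-4-SIGNATURE:Sig:2000 Subsig:0 Sev:1 ICMP echo request [192.168.5.7:0 -> 10.1.1.1:0] RiskRating:10 Action:alert
%IPS-4-SIGNATURE:Sig:3000 Subsig:0 Sev:4 HTTP suspicious URI [203.0.113.9:40000 -> 10.1.1.30:80] RiskRating:85 Action:drop
%IPS-4-SIGNATURE:Sig:3000 Subsig:0 Sev:4 HTTP suspicious URI [203.0.113.9:40001 -> 10.1.1.30:80] RiskRating:85 Action:drop
%IPS-4-SIGNATURE:Sig:4000 Subsig:1 Sev:3 SMB anomaly [192.168.5.7:445 -> 192.168.5.10:445] RiskRating:60 Action:drop
%IPS-4-SIGNATURE:Sig:4000 Subsig:1 Sev:3 SMB anomaly [192.168.5.8:445 -> 192.168.5.10:445] RiskRating:60 Action:drop
%IPS-4-SIGNATURE:Sig:4000 Subsig:1 Sev:3 SMB anomaly [192.168.5.9:445 -> 192.168.5.10:445] RiskRating:60 Action:drop
"""

# Assumed line layout (see lead-in); anything that does not match is skipped.
LINE_RE = re.compile(
    r"Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) (?P<name>.+?) "
    r"\[(?P<src>[^\]]+) -> (?P<dst>[^\]]+)\].*?RiskRating:(?P<rr>\d+) Action:(?P<action>\w+)"
)


def parse_alerts(text):
    """Turn raw alert lines into dicts; unparseable lines are ignored rather than crashing."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["src_ip"] = d["src"].rsplit(":", 1)[0]  # strip the port
        d["risk"] = int(d["rr"])
        alerts.append(d)
    return alerts


def summarize(alerts):
    """Per signature: hit count, distinct source IPs, and how often each action fired."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(
            a["sig"], {"name": a["name"], "count": 0, "sources": set(), "actions": Counter()}
        )
        s["count"] += 1
        s["sources"].add(a["src_ip"])
        s["actions"][a["action"]] += 1
    return summary


def noisy_signatures(summary, min_count=3, min_sources=2):
    """Signatures firing repeatedly from several different hosts: the first place to look for false positives."""
    return sorted(
        sig for sig, s in summary.items()
        if s["count"] >= min_count and len(s["sources"]) >= min_sources
    )


def review_before_inline(summary, **thresholds):
    """Noisy signatures whose action is already 'drop': review (e.g. alert-only) before deploying inline."""
    return [sig for sig in noisy_signatures(summary, **thresholds) if summary[sig]["actions"]["drop"] > 0]


def report(text):
    """Print a tuning summary and return the per-signature aggregate."""
    summary = summarize(parse_alerts(text))
    for sig in sorted(summary, key=lambda k: summary[k]["count"], reverse=True):
        s = summary[sig]
        print(f"sig {sig:>5} {s['name']:<26} hits={s['count']:<3} "
              f"sources={len(s['sources']):<2} actions={dict(s['actions'])}")
    print("noisy:", noisy_signatures(summary))
    print("review before going inline:", review_before_inline(summary))
    return summary


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

On the constructed sample, signature 1000 (the "TCP window size variation" style alert) and 4000 both fire three times from several hosts, but only 4000 is dropping traffic, so it is the one to review before leaving monitor mode. The thresholds are starting points; they should be adjusted to the volume of the network being watched.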
Question: I am currently unable to specify the "crypto keyring" command when
configuring a VPN connection on my Cisco 2901 router. The following
licenses have been activated on my router: