
Lesson 11

Maintaining the Sensor

© 2005 Cisco Systems, Inc. All rights reserved. IPS v5.0—11-1


Upgrading and Recovering the Sensor Image


Sensor Image Types

There are three types of sensor images:


• Application image
• System image
• Recovery image



Upgrading the Sensor

• You can use the upgrade command to apply image upgrades,
service packs, and signature updates to your sensor.
• The upgrade command upgrades the sensor’s application and
recovery images.
• You can use the upgrade command to upgrade from software
version 4.x to version 5.0.
• To upgrade from 4.x to 5.0, the sensor must already be running
IDS 4.1(1) or higher.
• Using the upgrade command to apply the IPS 5.0 major upgrade
file retains your configuration, including signature settings.
• The IPS 5.0 major upgrade file is the same for all sensor
appliances and contains the major upgrade identifier maj.
Example: IPS-K9-maj-5.0-1-S149.rpm.pkg



upgrade Command

sensor(config)# upgrade source-url
• Upgrades the sensor image via an FTP or SCP server

sensor(config)# upgrade ftp://administator@10.0.1.12/IPS-K9-maj-5.0-1-S149.rpm.pkg
• Upgrades the application and recovery image to IPS software version 5.0(1)



Full System Reimage

• A full system reimage is a means of upgrading or
recovering both the application image and the
recovery image.
• The method of performing a full system reimage
varies among sensor platforms.
• To perform a full system reimage, you must use
the system image file specific to your sensor
platform.
• You lose all your configuration settings when you
perform a full system reimage.



Full System Reimage: 4210, 4235, and 4250

• You can perform a full system reimage of the
following sensors by using the CIDS 5.0(1)
Recovery CD:
– 4210
– 4235
– 4250
• Complete the following steps to perform a full
system reimage:
1. Connect to the sensor with a keyboard and
monitor or a serial connection.
2. Place the CD in the sensor.
3. Boot the sensor from the CD.
4. Follow the instructions to reimage the sensor.

Full System Reimage: 4215, 4240, and 4255

• You can use ROMMON, a boot utility on the sensor,
to transfer system images onto the following
sensors:
– 4215
– 4240
– 4255
• IPS 5.0 system image files contain the sys identifier.
Example: IPS-4240-K9-sys-1.1-a-5.0-1.img



Using ROMMON for Full System Reimage
Complete the following steps to perform a full system
reimage over the network:
1. Place the system image file for your sensor platform on a
TFTP server.
2. Verify that you can access the TFTP server from the
network connected to your sensor Ethernet port.
3. Reboot the sensor.
4. Escape the boot sequence.
5. Change the interface port number if necessary.
6. Specify the IP address of the sensor.
7. Specify the IP address of the TFTP server.
8. Specify the IP address of the sensor default gateway.
9. Specify the path and filename on the TFTP server.
10. Begin the TFTP download.

Recovering the Sensor Appliance Image

You can use either of the following methods
to recover your sensor appliance’s
application image, both of which retain your
network settings.
• Use the recover command.
• Select the recovery image from the boot menu
during bootup.



recover Command

sensor(config)# recover application-partition

• Performs an application reimage on the sensor

sensor(config)# recover application-partition
Warning: Executing this command will stop all
applications and re-image the node to version
5.0(1)S149. All configuration changes except for
network settings will be reset to default.
Continue with recovery?:yes
Request Succeeded
sensor(config)#



Booting the Recovery Image
You can use the boot menu to perform an application
reimage on the following sensors:
• 4210
• 4215
• 4235
• 4240
• 4250
• 4255

[Figure: boot menu; labeled entry: Cisco IPS Recovery]


The Recovery Image File

• You can upgrade the recovery image on your sensor
with the most recent version so that it is ready if you
need to recover the application image.
• Recovery images are only generated for major and
minor software releases, not for service packs or
signature updates.
• The recovery image file can be recognized by the r
identifier in its name.
Example: IPS-K9-r-1.1-a-5.0-1.pkg
• You can use the IPS 5.0 recovery image file to
upgrade the recovery image of all sensor platforms,
including the NM-CIDS.
• The recovery image can be applied to the sensor by
using the upgrade command.

Service Pack and Signature Updates



Software Updates Overview

• IPS software updates provide the latest signature
and intrusion prevention improvements.
• New IPS signatures are released as signature
updates.
• IPS improvements are released as service packs.
• The most recent update can be uninstalled to
return the IPS software to the previous version.



Software Update Guidelines

The following are guidelines for installing IPS
software updates:
• Obtain a license for downloading signature
updates.
• Obtain a Cisco.com password for accessing the
Software Center.
• Check Cisco.com regularly for the latest service
packs and signature updates.
• Read the release notes to verify that the sensor
meets the requirements.
• Download updates to an FTP, SCP, HTTP, or
HTTPS server for application to your sensor.

Sensor Licensing

[Figure: screenshot of the Licensing panel under Configuration. Labels: Cisco Connection Online, License File, Update License.]


Service Pack Files

File name format: IPS-K9-type-w.x-y-.pkg

• type: update type
• w: major version level
• x: minor version level
• y: service pack level
• .pkg: extension

Example: IPS-K9-sp-5.0-2-.pkg



Signature Update Files

File name format: IPS-sig-Sx-minreq-w.x-y.pkg

• sig: update type
• Sx: signature update version
• minreq: minimum requirement designator
• w: major version level
• x: minor version level
• y: service pack level
• .pkg: extension

Example: IPS-sig-S150-minreq-5.0-1.pkg
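
The file naming conventions in this lesson (major upgrade, system image, recovery image, service pack, and signature update) can be checked before a file is staged on the update server. The following is an added example, not Cisco code: the patterns are derived only from the layouts and example names above, and the function names and the sample sensor version and platform are assumptions.

```python
import re

V = r"(?P<maj>\d+)\.(?P<min>\d+)-(?P<sp>\d+)"
# Patterns derived from the file name layouts and examples in this lesson.
# The "1.1-a" field in recovery/system names is not explained there, so it
# is matched but not interpreted.
PATTERNS = [
    ("major upgrade",    rf"IPS-K9-maj-{V}-S(?P<sig>\d+)\.rpm\.pkg"),
    ("service pack",     rf"IPS-K9-sp-{V}-?\.pkg"),
    ("signature update", rf"IPS-sig-S(?P<sig>\d+)-minreq-{V}\.pkg"),
    ("recovery image",   rf"IPS-K9-r-[\d.]+-a-{V}\.pkg"),
    ("system image",     rf"IPS-(?P<platform>\d+)-K9-sys-[\d.]+-a-{V}\.img"),
]

def classify(filename):
    """Return kind, version tuple and optional fields, or None if unrecognized."""
    for kind, pattern in PATTERNS:
        m = re.fullmatch(pattern, filename)
        if m:
            info = m.groupdict()
            info["kind"] = kind
            info["version"] = tuple(int(info.pop(k)) for k in ("maj", "min", "sp"))
            return info
    return None

def preflight(filename, sensor_version, sensor_platform):
    """Decide whether a file suits this sensor; returns (ok, reason)."""
    info = classify(filename)
    if info is None:
        return False, "unrecognized file name; do not stage it"
    if info["kind"] == "major upgrade" and sensor_version < (4, 1, 1):
        return False, "major upgrade requires IDS 4.1(1) or higher"
    if info["kind"] == "signature update" and sensor_version < info["version"]:
        return False, f"sensor is below minreq {info['version']}"
    if info["kind"] == "system image":
        if info["platform"] != sensor_platform:
            return False, f"system image is for the {info['platform']}"
        return True, "full reimage: all configuration settings are lost"
    return True, f"{info['kind']}: apply with the upgrade command"

if __name__ == "__main__":
    # Sensor version (5, 0, 1) and platform "4215" are constructed sample values.
    for name in ("IPS-sig-S150-minreq-5.0-1.pkg", "IPS-4240-K9-sys-1.1-a-5.0-1.img",
                 "IPS-K9-sp-5.0-2-.pkg", "IPS-K9-maj-5.0-1-S149.rpm.pkg"):
        print(name, preflight(name, (5, 0, 1), "4215"))
```

A name check only catches the wrong file type, platform, or prerequisite version; it says nothing about whether the file contents are genuine.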



Applying Updates to the Sensor

[Figure: screenshot of the Update Sensor panel under Configuration. Option "Update is located on a remote server": URL, Username, Password. Option "Update is located on this client": Local File Path, Browse Local. Button: Update Sensor.]


Configuring Automatic Updates

[Figure: screenshot of the Auto Update panel under Configuration. Labels: Enable Auto Update, Remote Server Settings, Schedule (Hourly, Daily), Apply.]


Resetting, Powering Down, and Restoring the Default Configuration


Restoring the Default Configuration

[Figure: screenshot of the Restore Defaults panel under Configuration, with the Restore Defaults button.]


Rebooting

[Figure: screenshot of the Reboot Sensor panel under Configuration, with the Reboot Sensor button.]


Shutting Down

[Figure: screenshot of the Shut Down Sensor panel under Configuration, with the Shut Down Sensor button.]




Summary

• You can use the CLI upgrade command to apply the
IPS 5.0 major upgrade file and retain your
configuration.
• You can upgrade or recover the sensor image by
applying a platform-specific system image.
• You can use transfer to transfer a system image
over the network and install it on your sensor.
• You can use the recovery image to recover the
sensor’s application image in case it becomes
corrupted.
• You must have a license to download signature
updates.

Summary (Cont.)

• You can manually apply service pack and
signature updates or have them applied
automatically.
• You must download an update to an FTP or SCP
server for it to be automatically applied.
• You can use the IDM to restore the default
configuration to your sensor.
• You can use the IDM to reboot or shut down your
sensor.



Lab Exercise



Lab Visual Objective

[Figure: lab network topology for pods P and Q. Labeled devices: Student PC (10.0.P.12 and 10.0.Q.12), RTS, rP and rQ, sensorP and sensorQ, prP and prQ, RBB, and a Web/FTP server. Labeled networks: 10.0.P.0 and 10.0.Q.0, 172.16.P.0 and 172.16.Q.0, 172.30.P.0 and 172.30.Q.0, and 172.26.26.0.]
