https://community.cisco.com/t5/network-security/ips-disruption-in-service/m-p/2043403#M54706 <HTML><HEAD></HEAD><BODY><P>IPS would enter in Bypass state when a signature update is happening. Bypass will get triggered during an upgrade as well.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml#caveats">http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml#caveats</A></P><P></P><P>Regards,</P><P>Sawan Gupta</P></BODY></HTML> Sat, 01 Sep 2012 02:53:01 GMT sawgupta 2012-09-01T02:53:01Z https://community.cisco.com/t5/network-security/ips-disruption-in-service/m-p/2043400#M54703 <P>Hey all thanks for reading my post. </P><P>Can someone either tell me or point me to a doc that tells me 100% for sure what upgrades in regards to the ips are disruptive. IE: Signatures, Engine, Software.</P><P></P><P>Thanks guys for all your help.</P><P></P><P>Rodney</P><P></P><P>Sent from Cisco Technical Support iPad App</P> Sun, 10 Mar 2019 12:45:51 GMT https://community.cisco.com/t5/network-security/ips-disruption-in-service/m-p/2043400#M54703 Rodney Mothersbaugh 2019-03-10T12:45:51Z https://community.cisco.com/t5/network-security/ips-disruption-in-service/m-p/2043401#M54704 <HTML><HEAD></HEAD><BODY><P>Rodney,</P><P></P><P>Your answer lies within the Cisco Intrusion Prevention System Device Manager Configuration Guide for your particular version of IPS. </P><P></P><P>Here is the link to version 7.0. </P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idmguide7.html">http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idmguide7.html</A></P></BODY></HTML> Thu, 30 Aug 2012 15:06:55 GMT https://community.cisco.com/t5/network-security/ips-disruption-in-service/m-p/2043401#M54704 turnera 2012-08-30T15:06:55Z https://community.cisco.com/t5/network-security/ips-disruption-in-service/m-p/2043402#M54705 <HTML><HEAD></HEAD><BODY><P>Turnera,</P><P></P><P>Thanks for the info however i still dotn see anywhere that is states that it will be disruptive or it will not be disrutptive during a sugnature and or engine update. I did however see this which i already knew.</P><P></P><P></P><P>Major updates, minor updates, and service packs may force a restart of the IPS processes or even force a reboot of the sensor to complete installation.</P><P></P><P></P><P>Still unanswered. But again thanks for the help.</P></BODY></HTML> Sat, 01 Sep 2012 01:04:02 GMT https://community.cisco.com/t5/network-security/ips-disruption-in-service/m-p/2043402#M54705 Rodney Mothersbaugh 2012-09-01T01:04:02Z https://community.cisco.com/t5/network-security/ips-disruption-in-service/m-p/2043403#M54706 <HTML><HEAD></HEAD><BODY><P>IPS would enter in Bypass state when a signature update is happening. Bypass will get triggered during an upgrade as well.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml#caveats">http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd008f.shtml#caveats</A></P><P></P><P>Regards,</P><P>Sawan Gupta</P></BODY></HTML> Sat, 01 Sep 2012 02:53:01 GMT https://community.cisco.com/t5/network-security/ips-disruption-in-service/m-p/2043403#M54706 sawgupta 2012-09-01T02:53:01Z https://community.cisco.com/t5/network-security/ips-disruption-in-service/m-p/2043404#M54707 <HTML><HEAD></HEAD><BODY><P><EM><STRONG>For Signature-Updates:</STRONG></EM> (from the conf-guide, same link that turnera posted):</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2016113">http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wp2016113</A></P><P></P><P></P><H3 style="font-size: 13px; color: #336666; font-family: Arial, Helvetica, sans-serif; margin: 14px 0em 7px -0.1in; background-color: #ffffff;">Signature Updates and Installation Time</H3><P> <A name="wp2221687" style="color: #000000; font-family: Arial, Helvetica, sans-serif; background-color: #ffffff;"></A><A name="wpmkr2221686" style="color: #000000; font-family: Arial, Helvetica, sans-serif; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">There is a short period of time that traffic is not inspected while you are performing signature updates. However, traffic continues to flow if you have bypass enabled.</P><P> <A name="wp2221688" style="color: #000000; font-family: Arial, Helvetica, sans-serif; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">When a signature update adds or modifies signatures that contain regular expressions, the regular expression cache tables used by SensorApp have to be recompiled. The amount of recompile time varies by platform, number of signatures modified and/or added, and type of signatures modified and/or added.</P><P> <A name="wp2221689" style="color: #000000; font-family: Arial, Helvetica, sans-serif; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">If a signature update only adds one or two new signatures on a high-end platform, for example, IPS 4255 or IPS 4260, the recompile can be as fast as a few seconds.</P><P> <A name="wp2221690" style="color: #000000; font-family: Arial, Helvetica, sans-serif; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">The recompile takes several minutes and even up to a half hour under the following conditions:</P><P> <A name="wp2221691" style="color: #000000; font-family: Arial, Helvetica, sans-serif; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 0px 0em 7px 0.25in; text-indent: -0.25in; background-color: #ffffff;">•<IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="19" />When a signature update adds a large number of signatures, for example, when you are skipping several signature levels to install a newer one, for example, installing S258 on top of S240.</P><P> <A name="wp2221692" style="color: #000000; font-family: Arial, Helvetica, sans-serif; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 0px 0em 7px 0.25in; text-indent: -0.25in; background-color: #ffffff;">•<IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="19" />When a signature update modifies a large number of signatures, for example when a large number of older signatures is disabled and/or retired.</P><P> <A name="wp2221693" style="color: #000000; font-family: Arial, Helvetica, sans-serif; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">During the recompile, SensorApp stops monitoring packets. The interface driver detects this when the packet buffers begin filling up on the way to SensorApp and the driver stops receiving packets from SensorApp. If the sensor is in inline mode, the driver either turns on bypass if the bypass option is set to Auto, or brings down the interface links if bypass is set to Off.</P><P style="margin: 0px 0em -10px -0.25in; text-indent: -0.5em; color: #000000; font-family: Arial, Helvetica, sans-serif; background-color: #ffffff;"><IMG src="http://www.cisco.com/en/US/i/templates/note.gif" /></P><HR style="margin-left: 0in; margin-right: 0em; margin-top: 5px; text-align: right; border-style: solid; border-color: #808080; background-color: #aaaaaa; color: #000000; font-family: Arial, Helvetica, sans-serif;" /><P> <A name="wp2221694" style="color: #000000; font-family: Arial, Helvetica, sans-serif; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 3px 0em 3px 0in; text-indent: -0.3in; background-color: #ffffff;"><STRONG>Note </STRONG><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="1" />Some packets can be dropped before the bypass setting begins operating. Once SensorApp completes the recompile of the regular expression cache files, SensorApp reconnects to the driver and begins monitoring again, and the driver begins passing packets to SensorApp for analysis, and if necessary, also brings the interface links back up.</P><P></P><P></P><P></P><P><EM><STRONG>And this is for all other updates:</STRONG></EM></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 0px 0em 0px 0.88in; text-indent: -0.46in; background-color: #ffffff;"><STRONG>Note </STRONG><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" width="6" />The IDM and CLI connections are lost during the following updates: service pack, minor, major, and engineering patch. If you are applying one of these updates, the installer restarts the IPS applications. A reboot of the sensor is possible. You do not lose the connection when applying signature updates and you do not need to reboot the system.</P><P></P><P></P><P></P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Sat, 01 Sep 2012 08:24:16 GMT https://community.cisco.com/t5/network-security/ips-disruption-in-service/m-p/2043404#M54707 Karsten Iwen 2012-09-01T08:24:16Z