08-30-2012 06:58 AM - edited 03-10-2019 05:45 AM
Hey all, thanks for reading my post.
Can someone either tell me or point me to a doc that tells me 100% for sure what upgrades in regard to the IPS are disruptive? I.e.: signatures, engine, software.
Thanks guys for all your help.
Rodney
08-30-2012 08:06 AM
Rodney,
Your answer lies within the Cisco Intrusion Prevention System Device Manager Configuration Guide for your particular version of IPS.
Here is the link to version 7.0.
http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idmguide7.html
08-31-2012 06:04 PM
Turnera,
Thanks for the info; however, I still don't see anywhere that it states that it will be disruptive or it will not be disruptive during a signature and/or engine update. I did, however, see this, which I already knew.
Major updates, minor updates, and service packs may force a restart of the IPS processes or even force a reboot of the sensor to complete installation.
Still unanswered. But again thanks for the help.
08-31-2012 07:53 PM
IPS would enter in Bypass state when a signature update is happening. Bypass will get triggered during an upgrade as well.
Regards,
Sawan Gupta
09-01-2012 01:24 AM
For Signature-Updates: (from the conf-guide, same link that turnera posted):
There is a short period of time that traffic is not inspected while you are performing signature updates. However, traffic continues to flow if you have bypass enabled.
When a signature update adds or modifies signatures that contain regular expressions, the regular expression cache tables used by SensorApp have to be recompiled. The amount of recompile time varies by platform, number of signatures modified and/or added, and type of signatures modified and/or added.
If a signature update only adds one or two new signatures on a high-end platform, for example, IPS 4255 or IPS 4260, the recompile can be as fast as a few seconds.
The recompile takes several minutes and even up to a half hour under the following conditions:
• When a signature update adds a large number of signatures, for example, when you are skipping several signature levels to install a newer one, for example, installing S258 on top of S240.
• When a signature update modifies a large number of signatures, for example when a large number of older signatures is disabled and/or retired.
During the recompile, SensorApp stops monitoring packets. The interface driver detects this when the packet buffers begin filling up on the way to SensorApp and the driver stops receiving packets from SensorApp. If the sensor is in inline mode, the driver either turns on bypass if the bypass option is set to Auto, or brings down the interface links if bypass is set to Off.
Note: Some packets can be dropped before the bypass setting begins operating. Once SensorApp completes the recompile of the regular expression cache files, SensorApp reconnects to the driver and begins monitoring again, and the driver begins passing packets to SensorApp for analysis, and if necessary, also brings the interface links back up.
And this is for all other updates:
Note: The IDM and CLI connections are lost during the following updates: service pack, minor, major, and engineering patch. If you are applying one of these updates, the installer restarts the IPS applications. A reboot of the sensor is possible. You do not lose the connection when applying signature updates and you do not need to reboot the system.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni