IPS 4240 USB Interfaces

Hello All,
I am using a 4240 IPS sensor - I have noticed that there are 2 USB interfaces on the unit and I have a couple questions about their use that I was hoping someone could answer for me (this is the first time I am using a Cisco IPS product):
1.  Can the USB ports be used to load a license key (rather than using an FTP or SCP server)?
2.  How can I disable the USB ports to prevent someone from loading something malicious or unauthorized into the sensor?
Thanks for your time!

monitor session 1 source vlan 10 , 20 , 30, 40
monitor session 1 destination interface Gi0/1
The above commands will span the traffic (tx/rx) in ALL the VLANs 10, 20, 30, 40, but this will be limited to traffic on the switch on which this is configured.
For getting traffic in the same vlans but on other switches, you will have to configure RSPAN.
Refer to this link for more details.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml

Similar Messages

  • IPS 4240 management interface MAC address

    Hi All,
I am using DHCP in my network, and I need to reserve one IP for the management interface of the IPS.
    I tried to get the MAC but couldn't. It is not even in the show tech-support.
    Can anyone please tell me how to get the MAC of the management interface of the IPS?

If the show interface output is not giving you this information, you can log on via the service account and run the 'ifconfig -a' command. Just make sure you do a 'su -', otherwise this command won't be available.
    Please rate if helpful :)
    Regards
    Farrukh

  • IDS-4210 picks up what IPS-4240 misses, strange duplex/interface problems

    I just installed a IPS-4240 inline on our primary internet inbound connection. I decided to leave the 4210 in place for a week or two while I tuned the signatures. It is receiving a span of the same traffic that the 4240 is receiving.
I noticed today that the 4210 is picking up sig 3250 and the 4240 is not. The first thing I checked was to make sure that the 4240 has this signature enabled, and it does. Anyone have any thoughts? BTW, all sensors are on the same version 5.1.1, running s211 and managed through VMS.
    I would also like to mention that I had issues on the 4240 and its interfaces. Management only runs at half duplex, as do the interfaces that connect to our PIX. I ended up having to put a switch between the 4240 and the PIX 515e to solve the duplex issues.
    Anyone have any thoughts on this part?

    I had the same duplex problem with my 4240 sensor connecting to my PIX. The only way I could get it to work without errors is to set both the sensor and the PIX interfaces to auto/auto. I worked with Cisco on this problem. No resolution, just the workaround. As far as sig 3250, IPS and IDS signatures may be a little different. I assume you span from the inside and run your in-line outside your firewall? If this is the case, then the 4240 sensor may see different traffic than the 4210.

  • TCP RESET - CISCO IPS 4240 in IDS Mode - Block Teamviewer

I would like to block TeamViewer in my network. We are using a Cisco IPS 4240 in IDS mode. I found that there are signatures for TeamViewer in the latest signature update.
    We have only configured a promiscuous interface. I read that we can issue TCP resets through the promiscuous interface as well (the recommendation is a dedicated TCP reset interface).
    However, in my case I found that the signatures for TeamViewer are not getting fired even after successful TeamViewer connections.
    I am a beginner in IPS; any inputs will be valuable for me.

    We're talking about sigs 15002-0, -1, -2 here. They are by default shipped disabled and retired, so you'll want to enable and activate them.
    For these, the signature settings are not hidden and what they look for is pretty clearly documented in the sig description.
    -0 looks for some specific DNS requests on TeamViewer's startup. TCP resets will have no effect on this.
    -1 looks for specific traffic to tcp port 5938 which would indicate Teamviewer's direct-connection method
-2 looks for traffic indicating use over HTTP when TeamViewer is configured to use a proxy.
    TCP resets are a best-effort response; they aren't going to be a 100% effective stop.

  • IPS 4240 software 6.2(3)E4

    Hello!
I have a sensor IPS-4240 which holds IPS software 6.2(3)E4. Right now we haven't got a license.
    With the device we have almost 100% CPU usage all the time:
    show statistics host
    General Statistics
       Last Change To Host Config (UTC) = 27-Dec-2010 14:51:19
       Command Control Port Device = Management0/0
    Network Statistics
    Memory Usage
       usedBytes = 1426128896
       freeBytes = 558419968
       totalBytes = 1984548864
    Summertime Statistics
       start = 02:00:00 UTC Sun Mar 27 2011
       end = 03:00:00 UTC Sun Oct 30 2011
    CPU Statistics
       Usage over last 5 seconds = 100
       Usage over last minute = 100
       Usage over last 5 minutes = 100
    Memory Statistics
       Memory usage (bytes) = 1426128896
       Memory free (bytes) = 558419968
From the service account I see that only one process eats CPU - mainApp.
    I even created an additional virtual sensor vs1 where I have disabled all signatures. It gave me no result.
    The situation changes for a while after the sensor's reboot, but not for long.
    show interfaces doesn't show a lot of input traffic either.
    Event log contains only following warnings:
    evError: eventId=1293461883161643337 severity=warning vendor=Cisco
      originator:
        hostId: XXXXXX
        appName: notification
        appInstanceId: 409
      time: 2011/01/19 15:22:56 2011/01/19 21:22:56 GMT+06:00
      errorMessage: name=errWarning - the subscription lost data [IdsEventStore::readSubscription()]
    What can be a problem? How can I reduce CPU usage?
    With hope to resolve the issue

    It would be difficult to pin point what the exact issue is with the high CPU just by the information provided in the post. It seems that the mainApp is causing the high CPU, however, it is worth investigating further. I would suggest that you log a Cisco TAC case so further investigation can be performed.
Alternatively, you can try to upgrade the software to the latest version, 7.0.4(E4), which has engine improvements.

  • New to IPS 4240 - What else can I use to manage it?

I have just purchased a Cisco IPS 4240 and have it up and running. I have been using the IEV to view IPS information and that works OK. The VMS 2.2 that came included with the IPS will not work with the current CiscoWorks (LMS 2.5) installation that we have.
    My question is, is there any other tool besides the IEV and the VMS 2.2 that I can use to manage/monitor my IPS? The IEV seems so limited.
    I have downloaded the newer VMS from the Cisco site and am planning to test that this coming week, but wanted to know ahead of time whether I needed to waste my time with this tool or not.
    Thanks!

The latest CSMARS release is promising, and honestly the netForensics solution offered by Cisco probably wouldn't be a good fit for the OP, but I think Cisco needs to rethink pushing the MARS in lieu of everything else. As a previous customer of netForensics, and now a user of CSMARS... there are definitely many things that netForensics does better than CSMARS.
    My biggest beef with CSMARS is the seemingly casual way in which it treats time and "raw messages". IMHO, these should be sacred to any SIM. I can elaborate, but for the sake of brevity I'll just give a couple examples:
    The signature name reported in the "raw message" that MARS makes available is not always correct. Also, custom signature events report as "unknown" in the "raw message". Clearly this is not a "raw message" by any reasonable interpretation...MARS is writing bits that never existed in the original message.
    the event contextual information is very often truncated. If you rely on this a great deal, the MARS probably isn't for you. There's also no interface for decoding it, requiring a cut-and-paste into your favorite decoder.
    Believe me, I could go on. On the bright side, the MARS is showing promise...I was able to cross off my list quite a few issues after the latest upgrade.
    Matt

  • Unable to load IPS 4240 IOS from Rom Mode

    Hi Experts,
Kindly assist me in loading the IPS IOS on the IPS 4240 from rommon mode.
    Note: I can only access the IPS via rommon, because the existing IOS is corrupted and formatted.
    The rommon output is given below:
    rommon #2> set
    ROMMON Variable Settings:
      ADDRESS=192.168.2.16
      SERVER=192.168.2.58
      GATEWAY=192.168.2.1
      PORT=Management0/0
      VLAN=untagged
      IMAGE=C:\IOS\Tftpd32\IPS-4240-k9-sys-1.1-a-6.1-1-E2.img
      CONFIG=
      LINKTIMEOUT=20
      PKTTIMEOUT=4
      RETRY=20
    rommon #14> ping 192.168.2.16
    Sending 20, 100-byte ICMP Echoes to 192.168.2.16, timeout is 4 seconds:
    Success rate is 0 percent (0/20)
    rommon #15> ping 192.168.2.58
    Sending 20, 100-byte ICMP Echoes to 192.168.2.58, timeout is 4 seconds:
    Success rate is 95 percent (19/20)
    rommon #0> ping 192.168.2.1
    Sending 20, 100-byte ICMP Echoes to 192.168.2.1, timeout is 4 seconds:
    Success rate is 100 percent (20/20)
    rommon #1> ping 192.168.2.16
    Sending 20, 100-byte ICMP Echoes to 192.168.2.16, timeout is 4 seconds:
    Success rate is 0 percent (0/20)
    rommon #2>
The major problem is that I cannot ping the IPS interface address (192.168.2.16) while I can ping all the others.
    Thanks in anticipation!
    Regards

    Hi,
    From the error message the file was not found on the tftp server.
    I see that you have:
      IMAGE=C:\IOS\Tftpd32\IPS-4240-k9-sys-1.1-a-6.1-1-E2.img
    I am guessing that this should be:
      IMAGE=IPS-4240-k9-sys-1.1-a-6.1-1-E2.img
    as the tftp daemon on your machine probably is using  C:\IOS\Tftpd32\ as the 'root' directory of the files it is serving.
    You can check this in the settings of the tftp daemon.
    Best regards, Peter
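The check Peter describes above, as an added example that is not part of the thread: parse the `rommon> set` output into a dictionary, flag an IMAGE value that is a local Windows path rather than a name relative to the TFTP root, and sanity-check that ADDRESS and GATEWAY share a subnet. ROMMON prints no netmask, so the /24 prefix is an assumption; the sample string is the poster's output with nothing else changed.

```python
import ipaddress
import re

# Constructed sample: the `set` output from the post, pasted as a string.
SAMPLE_ROMMON_SET = """
ROMMON Variable Settings:
  ADDRESS=192.168.2.16
  SERVER=192.168.2.58
  GATEWAY=192.168.2.1
  PORT=Management0/0
  VLAN=untagged
  IMAGE=C:\\IOS\\Tftpd32\\IPS-4240-k9-sys-1.1-a-6.1-1-E2.img
  CONFIG=
  LINKTIMEOUT=20
  PKTTIMEOUT=4
  RETRY=20
"""


def parse_rommon_set(text):
    """Turn the NAME=value lines of `rommon> set` into a dict (empty values kept)."""
    variables = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue  # banner or blank line
        name, _, value = line.partition("=")
        variables[name.strip()] = value.strip()
    return variables


def tftp_relative_name(image):
    """Strip a Windows drive letter and any directory prefix from IMAGE."""
    return re.split(r"[\\/]", image)[-1]


def check_rommon_vars(variables, prefix_len=24):
    """Return a list of problems that would stop a TFTP boot from ROMMON.

    prefix_len is an assumption (ROMMON shows no netmask); it is only used for
    the ADDRESS/GATEWAY same-subnet check.
    """
    problems = []
    image = variables.get("IMAGE", "")
    if not image:
        problems.append("IMAGE is not set")
    elif re.match(r"^[A-Za-z]:", image) or "\\" in image:
        # The TFTP daemon serves files relative to its own root directory.
        problems.append(
            "IMAGE is a local Windows path; the TFTP daemon serves files "
            "relative to its root directory, so set IMAGE=%s"
            % tftp_relative_name(image)
        )
    addresses_ok = True
    for key in ("ADDRESS", "SERVER", "GATEWAY"):
        try:
            ipaddress.ip_address(variables.get(key, ""))
        except ValueError:
            addresses_ok = False
            problems.append("%s is missing or not an IP address" % key)
    if addresses_ok:
        net = ipaddress.ip_network(
            "%s/%d" % (variables["ADDRESS"], prefix_len), strict=False
        )
        if ipaddress.ip_address(variables["GATEWAY"]) not in net:
            problems.append("GATEWAY %s is outside %s" % (variables["GATEWAY"], net))
    return problems


if __name__ == "__main__":
    variables = parse_rommon_set(SAMPLE_ROMMON_SET)
    for problem in check_rommon_vars(variables):
        print(problem)
```

Running it against the posted output reports only the IMAGE path; once IMAGE is set to the bare filename the checker returns an empty list.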

  • IPS 4240 Design Question

    I have two IPS 4240s that may be placed between our internal network and our extranet firewall. The firewall set is your standard ASA-5520 active/failover pair connected to two switches.
    Q1 - If I am not worried about atomic attacks, is there any other benefit to having the IPS inline over promiscuous?
    Q2 - Whether inline or promiscuous, is it necessary to connect the single IPS to both switches in order to receive packets when an ASA failover occurs? If so, is it done physically or via RSPAN?
    Q3 - If the IPS fails and it is configured inline, do the interfaces fail open (traffic continues to pass) or closed (traffic is dropped)? I could not find that on Cisco's site.
    Thanks!

A1 - There are a few things that in-line mode can clean up by default, but that can also bite you. Check out some of the other forum posts on having SSH dropped without alerts. Since you have redundant 4240s, the reliability of the IPS sensors in-line shouldn't affect you as much. Just don't update them at the same time.
    A2 - Only the signatures that need state will be affected by a failover. Hopefully failovers do not happen frequently enough for missing a few potential hits to be an issue. If you are really performing good analysis and tuning out your false positives, then you might want to connect both sensors to both switches.
    A3 - You can configure the 4240s to fail-open (pass the traffic through the sensor when it fails) or fail-closed (do not pass traffic during sensor failure). Since you have dual firewalls, switches and sensors, you can fail closed and force the traffic through the running sensor and firewall. If one sensor is standby, you may want to make it fail open, so that you can still pass traffic in the event both sensors are down.

  • IPS 4240.. and hardware bypass

Hi everyone, please kindly help. We are using the 4240 as an IDS at the moment and are looking to enable the IPS capability in the near future. However, we only have one IPS on our site. For resiliency we have 2 entry/exit points with 1 ASA at each entry point as a firewall.
    My concern is that if we enable IPS capabilities in inline mode and the IPS falls over due to a hardware problem, we will end up with a primary link failure. Is there some sort of module available for the 4240 to enable hardware bypass? Thanks, regards.

Thank you Bob. I think you are referring to this document: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047718 I read it and I think I am now clear about the issue of 2 separate VLANs. However, I still have some confusion about my own setup.
    Currently there is one VLAN, VLAN 100, between the ASA and our internal router. If I place the IPS with an inline interface pair configured between the ASA and our internal router, I am not sure if I need any special configuration with regard to VLANs. As far as I can see I will have VLAN 100 between the ASA and the IPS and VLAN 100 again between the IPS and the internal router. But I have a feeling that my assumption is incorrect and that when the IPS receives the packets on one interface from the internal router, it will not forward them out of the paired interface as the IPS may not understand the VLAN tag. Unfortunately I am not in a position to try this on a live IPS device as our IPS is already in a production environment, but being used as an IDS.
    Would I be better off adding a switch to the mix between the internal router and the ASA and then following the "inline VLAN pair" route? A bit similar to the diagram below.

  • IPS 4240 -email arlert configuration and Which mode

    hi
    My topology
    1)
Internet -> router (2 ISPs terminated in a single router) -> two different firewalls (ASA 5510 and PIX 515e) -> inside interface connected to the IPS 4240 -> from the IPS to an L3 3750 switch.
    Is this the right place to put the IPS 4240, and which mode should the IPS be in (inline or promiscuous)?
    2) I am able to see the log in the IPS 4240. I want to configure IPS alerts to my mail ID; where do I need to start the configuration? Please advise.
    thanks
    Karthik

    Email alert configuration is not supported in IPS/IDS.
    I think you can configure in promiscuous mode as Customers requiring promiscuous mode (non-inline) deployments are encouraged to migrate to the Cisco IPS 4240 Sensor, which supports up to 250 Mbps of IPS throughput.
    The below URL helps to configure IPS 4240 in promiscuous mode:
    http://www.cisco.com/en/US/docs/security/ips/5.1/configuration/guide/cli/cliInter.html#wp1033699

  • IPS 4240 - additional card

    Hi,
Does anybody know when 4xFE cards will be available for the IPS 4240 (for a total of 8 interfaces)?
    Regards,
    Krzysztof

    Cisco IDS 4250 is supported in version 5.0 Inline if the 4FE, Gig TX PCI card, two of the SX PCI cards, or the XL card is installed. Cisco IPS 4240 is supported in version 5.0, Inline supported (it has four sensing interfaces). IPS 4255 is supported in version 5.0, Inline is supported (it has four sensing interfaces). IDSM-2 is supported in version 5.0, Inline supported (it has two sensing interfaces).
    http://www.cisco.com/en/US/netsol/ns498/netqa0900aecd8029e8de.html

  • IPS 4240 Inline deployment.

    Hi,
    I am trying to deploy IPS 4240 with Software version 4.1. My query is, will this version support inline prevention? If yes, what are the deployment & sensor interface configuration considerations. I believe the new 5.0 version supports this feature. But the documentation on v4.x is not clear.
    Thanks in advance.
    Ajay Dand

    Inline is implemented in software version 5.0.
    The upgrade image is available at:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
    All IPS software is available at:
    http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/

  • Management Interaface IPS 4240

The management interface of the IPS 4240 is disabled by default. Can anyone tell me how to enable this interface?
    I have just done the basic setup and am not able to access the IPS through a web browser.

Management interfaces are disabled by default and they always are.
    On the Cisco IPS run
    setup, and once you set up an IP for the IPS you will be able to connect to the web interface.
    Here is an example of how a command-control interface should look:
    ex:
    name: FastEthernet0/1
    media-type: tx
    description:
    admin-state: disabled
    duplex: full default: auto
    speed: auto
    alt-tcp-reset-interface
    none
    subinterface-type
    none
    command-control: FastEthernet0/1
    bypass-mode: auto
    interface-notifications
    missed-percentage-threshold: 0 percent
    notification-interval: 30 seconds
    idle-interface-delay: 30 seconds
As you see, they are "protected", so you cannot change the state from disabled to enabled.

  • Deployment of Cisco IPS 4240 devices

I can't seem to find any information regarding mass rollouts of Cisco IPS 4240 devices. I have 6 devices I intend to roll out to several remote offices and tie into a centralized Cisco MARS appliance. Without using any CSM/LMS software, is there a quick and dirty way to pull this off? I'm thinking to configure a single IPS device, then pull and distribute its configuration file to the remaining devices. I would like to see how others have accomplished this...

If all of your sensors are the same type (all 4240s in your situation) and will all run the exact same configuration, then the copy command will help you out.
    There was a new feature added into the copy command in IPS 6.1 that will help you in copying config from one sensor to another.
    You fully configure one sensor (use IME, IDM, or CLI). When you are happy with the configuration, then use the copy command to copy it TO an SCP server.
    Now bringup a second sensor and configure the basic networking parameters through setup (ip address, gateway, etc...).
    Now use the copy command on the second to copy the first sensors configuration FROM the SCP server into the running config of the second sensor.
    It will prompt you whether to overwrite the second sensor's networking parameters.
    Answer NO.
The rest of the first sensor's configuration will be copied into the second sensor.
    The second sensor will keep its own unique IP but will gain the rest of the configuration from the first sensor's config.
    Continue doing this with any additional sensors.
    The process can then be repeated anytime additional changes are made to the first sensor.
Keep in mind, though, that this only works if the sensor's configuration will be exactly duplicated (including which interfaces would be monitored and how).
    If each sensor will have some unique tunings, then you will need to either manage each sensor on its own, or purchase CSM, which can be used to share only certain portions of the configuration across multiple sensors.

  • Monitoring IPS 4240 for positives

    A customer has purchased from us a IPS 4240 box.
    I recently configured the box. It will monitor the customers Network in the following configuration:
    1 Inline Interface pair created from G0/0 and G0/1. Traffic from the customers edge moves in on the IN (G0/0) interface and then in turn exits out to our Outside Perimeter Firewall which guards the customer DMZ.
    We have scheduled the Inline Interfaces to be connected this evening.
    I have a question regarding this installation:
1) We have the default "vs0" virtual sensor assigned to the inline interface pair. If in fact any positives are identified, where in IDM would I be able to see what is happening? (Very important, as in case of false positives I have to be able to get traffic moving again.)
    Kevin Melton

    The sensor has a limited size event store that will wrap around when it fills up and overwrite previous alerts. SecMon was intended to be the long term storage for the alerts. In looking at the summary numbers, SecMon always has more alerts than the IDM. You can login using CLI and use command "show events alerts".
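The reply above points at the CLI event store ("show events alerts"), and the earlier 6.2(3)E4 post shows what one record from that store looks like (the evError with "the subscription lost data"). As an added example that is not part of the thread and not Cisco code: a parser for that indented `key: value` record layout, plus two checks a practitioner pulling events off a sensor would want, which records report a consumer falling behind the wrap-around event store, and how many records each application produced. The sample is constructed: the first record is the one from the post with the host ID replaced, the second is made up for contrast; only the layout is taken from the page.

```python
from collections import Counter

# Constructed sample in the sensor's event-log layout. Record 1 is the evError
# from the post (hostId replaced); record 2 is made up for contrast.
SAMPLE_EVENTS = """\
evError: eventId=1293461883161643337 severity=warning vendor=Cisco
  originator:
    hostId: sensor-a
    appName: notification
    appInstanceId: 409
  time: 2011/01/19 15:22:56 2011/01/19 21:22:56 GMT+06:00
  errorMessage: name=errWarning - the subscription lost data [IdsEventStore::readSubscription()]
evError: eventId=1293461883161643400 severity=warning vendor=Cisco
  originator:
    hostId: sensor-a
    appName: mainApp
    appInstanceId: 101
  time: 2011/01/19 15:30:00 2011/01/19 21:30:00 GMT+06:00
  errorMessage: name=errWarning - constructed sample with no data loss
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def parse_events(text):
    """Parse the indented `key: value` records the sensor prints for events.

    A line at column 0 starts a record ("evError: k=v k=v ..."); indented lines
    are fields of the nearest less-indented open block. A field with an empty
    value ("originator:") opens a nested block.
    """
    events = []
    stack = []  # (indent, dict) for the blocks currently open
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent, line = _indent(raw), raw.strip()
        if indent == 0:
            etype, _, attrs = line.partition(":")
            event = {"type": etype.strip()}
            for token in attrs.split():
                key, _, value = token.partition("=")
                event[key] = value
            events.append(event)
            stack = [(0, event)]
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if not stack:
            raise ValueError("field outside any record: %r" % raw)
        parent = stack[-1][1]
        # Split on the first ':' only; values may themselves contain '::'.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            parent[key] = value
        else:
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return events


def error_name(event):
    """'name=errWarning - text' -> 'errWarning'."""
    head = event.get("errorMessage", "").split(" ", 1)[0]
    return head.partition("=")[2]


def lost_data_event_ids(events):
    """eventIds of records saying an event-store subscription lost data,
    i.e. a consumer fell behind the wrap-around store and missed events."""
    return [e["eventId"] for e in events
            if "subscription lost data" in e.get("errorMessage", "")]


def count_by_app(events):
    """How many records each originating application produced."""
    return Counter(e.get("originator", {}).get("appName", "?") for e in events)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    print("lost-data events:", lost_data_event_ids(parsed))
    print("records per app:", dict(count_by_app(parsed)))
```

Because the on-box store wraps, the useful pattern is to pull records regularly, keep the parsed output somewhere with more retention, and treat any "subscription lost data" record as a sign that the collector itself is losing events.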
