Cisco IPS 4255 Sensor
Release Notes for Cisco Intrusion Prevention System 7.0(4)E4, OL-22789-01
Restrictions and Limitations
– Enabling RADIUS authentication on the sensor does not disconnect already established connections. RADIUS authentication is enforced only for new connections to the sensor. Existing CLI, IDM, and IME connections remain established with the login credentials used prior to configuring RADIUS authentication. To force disconnection of these established connections, you must reset the sensor after RADIUS is configured.
– When you configure account locking, local authentication as well as RADIUS authentication is affected. After a specified number of failed attempts to log in locally or in to a RADIUS account, the account is locked locally on the sensor. For local accounts, you can reset the password or use the unlock user username command to unlock the account. For RADIUS user accounts, you must use the unlock user username command to unlock the account.
– For RADIUS users, the attempt limit feature is enforced only after the RADIUS user’s first successful login to the sensor.
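The three account-locking rules above interact in a way that is easy to misjudge when planning lockout monitoring: the failed-attempt counter and the lock live on the sensor regardless of where the credentials are checked, and for a RADIUS user the counter does not start until that user has logged in successfully once. The following model is an added illustration, not Cisco IPS code: it reproduces only the behaviour the notes describe (local lock after a configured number of failures, unlock user to clear it, local password reset also clearing it, RADIUS users counted only after their first success). The attempt limit, user names and passwords are constructed values.

```python
"""Model of the sensor account-locking rules described in the release notes.

Added illustration, not Cisco IPS code. The attempt limit, account names and
passwords are constructed; the RADIUS server is simulated by a stored secret.
"""
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    source: str                   # "local" or "radius"
    password: str                 # local secret, or what the simulated RADIUS server expects
    failed_attempts: int = 0      # counter kept locally on the sensor for both sources
    locked: bool = False
    ever_logged_in: bool = False  # RADIUS users: limit applies only after first success


class SensorAuth:
    def __init__(self, attempt_limit: int):
        self.attempt_limit = attempt_limit
        self.accounts = {}

    def add(self, account: Account) -> None:
        self.accounts[account.name] = account

    def login(self, name: str, password: str) -> str:
        """Return "ok", "denied" or "locked" for one login attempt."""
        acct = self.accounts.get(name)
        if acct is None:
            return "denied"
        if acct.locked:
            return "locked"
        if password == acct.password:
            acct.failed_attempts = 0
            acct.ever_logged_in = True
            return "ok"
        # A failure counts towards the lock for local accounts always, and for
        # RADIUS accounts only once the user has logged in successfully before.
        if acct.source == "local" or acct.ever_logged_in:
            acct.failed_attempts += 1
            if acct.failed_attempts >= self.attempt_limit:
                acct.locked = True   # lock is applied locally on the sensor
                return "locked"
        return "denied"

    def unlock_user(self, name: str) -> None:
        """Equivalent of the `unlock user <username>` CLI command (both sources)."""
        acct = self.accounts[name]
        acct.locked = False
        acct.failed_attempts = 0

    def reset_password(self, name: str, new_password: str) -> None:
        """Local accounts only: resetting the password also unlocks the account."""
        acct = self.accounts[name]
        if acct.source != "local":
            raise ValueError("RADIUS accounts must be unlocked with unlock_user")
        acct.password = new_password
        self.unlock_user(name)


def scenario() -> dict:
    """Walk through the rules with one local and one RADIUS account."""
    auth = SensorAuth(attempt_limit=3)           # constructed limit
    auth.add(Account("localadmin", "local", "L0cal-pw"))
    auth.add(Account("radiususer", "radius", "R4dius-pw"))
    results = {}
    # Local account: three bad passwords lock it; unlock user clears it.
    results["local"] = [auth.login("localadmin", "bad") for _ in range(3)]
    auth.unlock_user("localadmin")
    results["local_after_unlock"] = auth.login("localadmin", "L0cal-pw")
    # RADIUS user before any successful login: failures are not counted.
    results["radius_before"] = [auth.login("radiususer", "bad") for _ in range(5)]
    results["radius_first_ok"] = auth.login("radiususer", "R4dius-pw")
    # After the first success the limit is enforced like a local account.
    results["radius_after"] = [auth.login("radiususer", "bad") for _ in range(3)]
    auth.unlock_user("radiususer")
    results["radius_after_unlock"] = auth.login("radiususer", "R4dius-pw")
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The practical consequence shown by the `radius_before` case is that a RADIUS account that has never logged in to the sensor can absorb any number of failed attempts without being locked there, so lockout-based alerting for such accounts has to come from the RADIUS server rather than from the sensor.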
• Anomaly detection does not support IPv6 traffic; only IPv4 traffic is directed to the anomaly detection processor.
• IPv6 does not support the following event actions: Request Block Host, Request Block Connection, or Request Rate Limit.
• The AIM IPS and the NME IPS do not support the IPv6 features, because the routers in which they are installed do not send them IPv6 data. IPv6 inspection may work on the IDSM2, but we do not officially support it. There is no support for IPv6 on the management (command and control) interface. With ASA 8.2(1), the AIP SSM supports IPv6 features.
• VACLs on Catalyst switches do not have IPv6 support. The most common method for copying traffic to a sensor configured in promiscuous mode is to use VACL capture. If you want to have IPv6 support, you can use SPAN ports.
• ICMP signature engines (for example, the Traffic ICMP signature engine) do not support ICMPv6; they are IPv4-specific. ICMPv6 is covered by the Atomic IP Advanced signature engine.
• CSM and MARS do not support IPv6.
• The AIM IPS and the NME IPS do not support virtualization.
• When you reload the router, the AIM IPS and the NME IPS also reload. To ensure that there is no loss of data on the AIM IPS or the NME IPS, make sure you shut down the module using the shutdown command before you use the reload command to reboot the router.
• Do not deploy IOS IPS and the AIM IPS and the NME IPS at the same time.
• When the AIM IPS and the NME IPS are used with an IOS firewall, make sure SYN flood prevention is done by the IOS firewall.
The AIM IPS, the NME IPS, and the IOS firewall complement each other's abilities to create security zones in the network and inspect traffic in those zones. Because the AIM IPS, the NME IPS, and the IOS firewall operate independently, sometimes they are unaware of each other's activities. In this situation, the IOS firewall is the best defense against a SYN flood attack.
• Cisco access routers only support one IDS/IPS per router.
• On IPS sensors with multiple processors (for example, the IPS 4260 and IPS 4270-20), packets may be captured out of order in the IP logs and by the packet command. Because the packets are not processed using a single processor, the packets can become out of sync when received from multiple processors.
• An IPS appliance can support both promiscuous and inline monitoring at the same time; however, you must configure each physical interface in either promiscuous or inline mode. The sensor must contain at least two physical sensing interfaces to perform both promiscuous and inline monitoring. The exceptions to this are the AIP SSM-10, the AIP SSM-20, and the AIP SSM-40. The AIP SSM