Cisco IPS 4345 Sensor
Release Notes for Cisco Intrusion Prevention System 7.1(3)E4
OL-25881-01
New and Changed Information
Cisco IPS 7.1(3)E4 contains the following new and changed information:
• Support for the IPS 4345, IPS 4360, and the ASA 5500-X IPS SSP series.
• Although IME 7.2.1 supports the new platforms (IPS 4345, IPS 4360, and ASA 5500-X IPS SSP), the online help does not reference them.
• Contains signature update S605.
• Adds support for the IPS 4270-20 in addition to continuing support for the ASA 5585-X IPS SSP.
• Adds AAA RADIUS support to IPS 7.1(3)E4 and later.
  You can configure the IPS to use remote RADIUS servers to manage user accounts. This feature simplifies the operation of large IPS deployments.
• Adds the CLI idle timeout feature—You can now configure a CLI idle timeout feature, which times out the CLI if the session is inactive for more than the configured value.
  The CLI idle timeout feature enhances the security of the IPS. The CLI timeout feature is applicable only for sessions established through SSH, Telnet, and the console. Service account logins are not affected.
• Adds packet command restriction—You can configure packet command restriction for local and AAA RADIUS users.
  This feature is used to prevent users from arbitrarily executing packet capture/display and iplog commands. You configure the packet capture/display and iplog restrictions for AAA RADIUS users using a Cisco av-pair (permit-packet-logging=true/false) and for local users using a CLI configuration. By default there is no restriction to the commands. Only users with an administrator role can change the settings of the packet command restriction feature.
• Adds SNMP health monitoring—SNMP can now get health and security-related data.
  You can configure the sensor to send trap-related information for various health metrics. To receive sensor health information through SNMP, you must have sensor health metrics enabled.
• On systems that have both ASA and IPS, additional data is transferred along with the packets. In some cases, this causes the count of jumbo packets to be inflated by the backplane interfaces as viewed by the IPS. For the appropriate jumbo packet counts, refer to the ASA packet counts.
For More Information
• For more information about AAA RADIUS authentication, for the IDM see , for the IME see , and for the CLI see .
• For more information about SNMP, for the IDM see , for the IME see , and for the CLI see