Cisco IPS 4255 Sensor Release Notes

Release Notes for Cisco Intrusion Prevention System 7.3(5)E4
OL-32050-01
Cisco Security Intelligence Operations is also a repository of information for individual signatures, 
including signature ID, type, structure, and description.
You can search for security alerts and signatures at this URL:
Restrictions and Limitations
The following restrictions and limitations apply to the Cisco IPS 7.3(5)E4 software and the products that 
run it:
• IME 7.2.7 is the only supported IME release for IPS 7.3(5)E4.
• After upgrading to 7.3(5)E4, you cannot create a hostname that contains the '/' (slash) character.
• Due to a limitation in IPS, configure only the primary DNS IP address and avoid configuring
  secondary/tertiary DNS IP addresses. When only the primary DNS IP address is configured, IPS
  behaves as expected: it works smoothly with a working DNS IP address and does not work with a
  non-working one. If a secondary/tertiary DNS IP address is configured on IPS, first disable the
  secondary/tertiary DNS IP addresses through the CLI and then run /etc/init.d/cids restart on
  the IPS device to configure Auto Update.
• Reassemble timeout of 10 seconds:
  There are 1000 datagram slots, and with the reduced 10 second timeout, 1000/10 = 100
  datagrams/sec can be achieved. Each datagram is at least 2 packets, and hence, with the revised
  fix for CSCun76930, IPS should handle at least 200 pps, assuming all fragments are reassembled.
  Workaround: Depending on your network, you can tune a parameter from the service user prompt
  to handle up to 1000 pps.
  File to be modified: sensorApp.conf
  Path: /usr/cids/idsRoot/etc
  To add:
    [FragProcessorSettings]
    ReAssembleTimeOut=1
  Based on lab testing, we observed that the IPS could comfortably handle up to 400 pps.
• The IDM has been built and tested with Java 7 Update 45 and earlier. The IDM is not compatible
  with Java 7 Update 51. For the IDM to function, you must use the older version of Java. Refer to
  CSCum55433 if you must use Java 7u51 and there is no option to use earlier versions.
• While the autoupgradenow command is executing, you cannot use the IDM, IME, or the CLI, or
  start any new sessions, until the upgrade is complete.
• IPS 7.3(5)E4 supports TLS 1.0 and later. If the peer uses an older SSL version, the connection
  cannot be established. All management applications using the IPS Web server, such as the IDM or
  CSM, are affected by this change. If the management application does not support TLS 1.0 or
  later, management connectivity is lost after upgrading to IPS 7.3(5) because it does not support
  versions earlier than TLS 1.0.
• If the client does not support SSHv2 or if SSHv2 is disabled, management connectivity is lost
  after upgrading from IPS 7.1(x)E4 to IPS 7.3(5)E4 because SSHv1 is disabled by default in IPS
  7.3(5) and later.
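
The ReAssembleTimeOut workaround in the reassemble-timeout item, written as a repeatable edit (an added example, not part of Cisco's release notes). It assumes sensorApp.conf is INI-style as the fragment shows and that awk and cp are available at the service user prompt; set_reassemble_timeout is a hypothetical name.

```sh
#!/bin/sh
# Added example, not Cisco code. Assumes sensorApp.conf is INI-style
# ([Section] headers, key=value lines) as the release-note fragment suggests,
# and that awk and cp are available at the service user prompt.

# set_reassemble_timeout FILE SECONDS
# Sets ReAssembleTimeOut under [FragProcessorSettings], creating the section
# or the key if missing. Safe to run repeatedly; FILE.bak holds the prior copy.
set_reassemble_timeout() {
    conf=$1
    value=$2
    case $value in
        ''|*[!0-9]*) echo "timeout must be a whole number of seconds" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    cp -p "$conf" "$conf.bak" || return 1   # rollback copy
    tmp="$conf.tmp.$$"

    awk -v val="$value" '
        function emit() { print "ReAssembleTimeOut=" val; written = 1 }
        /^\[/ {
            # Leaving the target section without having seen the key: add it.
            if (insec && !written) emit()
            insec = ($0 ~ /^\[FragProcessorSettings\][ \t]*$/)
            print
            next
        }
        insec && /^[ \t]*ReAssembleTimeOut[ \t]*=/ {
            if (!written) emit()   # rewrite the first hit, drop duplicates
            next
        }
        { print }
        END {
            if (!written) {
                if (!insec) print "[FragProcessorSettings]"
                emit()
            }
        }
    ' "$conf.bak" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Call it as set_reassemble_timeout /usr/cids/idsRoot/etc/sensorApp.conf 1 and compare the result with the .bak copy before relying on it.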