Cisco Cisco IPS 4255 Sensor
52
Release Notes for Cisco Intrusion Prevention System 7.3(2)E4
OL-32050-01
Restrictions and Limitations
Cisco Security Intelligence Operations is also a repository of information for individual signatures,
including signature ID, type, structure, and description.
including signature ID, type, structure, and description.
You can search for security alerts and signatures at this URL:
Restrictions and Limitations
The following restrictions and limitations apply to the Cisco IPS 7.3(2)E4 software and the products that
run it:
run it:
•
IME 7.2.7 is the only supported IME release for IPS 7.3(2)E4.
•
After upgrading to 7.3(2)E4, you cannot create a hostname that contains '/'(slash) character.
•
The IDM has been built and tested with JAVA 7 Update 45 and earlier. The IDM is not compatible
with JAVA 7 Update 51. For IDM to function, you must use the older version of Java. Refer to
CSCum55433 if you must use Java 7u51 and there is no option to use earlier versions.
with JAVA 7 Update 51. For IDM to function, you must use the older version of Java. Refer to
CSCum55433 if you must use Java 7u51 and there is no option to use earlier versions.
•
While executing the autoupgradenow command, you cannot use the IDM, IME or the CLI or start
any new sessions until the upgrade is complete.
any new sessions until the upgrade is complete.
•
IPS 7.3(2)E4 supports TLS 1.0 and later. If the peer uses an older SSL version, the connection
cannot be established. All management applications using the IPS Web server, such as the IDM or
CSM, are affected by this change. If the management application does not support TLS1.0 or later,
the management connectivity is lost after upgrading to IPS 7.3(2) because it does not support TLS
versions earlier than TLS1.0.
cannot be established. All management applications using the IPS Web server, such as the IDM or
CSM, are affected by this change. If the management application does not support TLS1.0 or later,
the management connectivity is lost after upgrading to IPS 7.3(2) because it does not support TLS
versions earlier than TLS1.0.
•
If the client does not support SSHv2 or if SSHv2 is disabled, the management connectivity is lost
after upgrading from IPS 7.1(x)E4 to IPS 7.3(2)E4 because SSHv1 is disabled by default in IPS
7.3(2) and later.
after upgrading from IPS 7.1(x)E4 to IPS 7.3(2)E4 because SSHv1 is disabled by default in IPS
7.3(2) and later.
•
LACP has been tested only on the IPS sensor and the Nexus 7000 switch and the Catalyst 6000
switch. Other combinations of IPS sensors and switches have not been tested. It is unknown if the
solution will work as expected with other switches. Also, VPC/VSS configurations are NOT
supported.
switch. Other combinations of IPS sensors and switches have not been tested. It is unknown if the
solution will work as expected with other switches. Also, VPC/VSS configurations are NOT
supported.
•
Link state mirroring applies to the inline interface pair configuration only. Detecting that the peer
interface is up or down and setting the state of the link may take up to 3.5 seconds.
interface is up or down and setting the state of the link may take up to 3.5 seconds.
•
The IPS 4520 is the only platform that supports the dual configuration. You can add another 4520
module to an existing 4520 or you can order the 4520-XL with two modules already installed.
Mixing 4510s and 4520s is not a valid configuration.
module to an existing 4520 or you can order the 4520-XL with two modules already installed.
Mixing 4510s and 4520s is not a valid configuration.
•
To support the immediate automatic update feature, a default update schedule with a start time of
00:00:00 and interval of 24 hours has been set. You must enable the automatic update settings before
issuing an immediate automatic update. Disable the automatic update schedule if you do not want
to use the default scheduled update.
00:00:00 and interval of 24 hours has been set. You must enable the automatic update settings before
issuing an immediate automatic update. Disable the automatic update schedule if you do not want
to use the default scheduled update.
•
The ASA 5512-X IPS SSP and the ASA 5515-X IPS SSP do not support the Regex accelerator card
and the String XL engines.
and the String XL engines.
•
Applying any signature template erases any existing tunings associated with the targeted signature
definition file. The ASA 5512-X IPS SSP and ASA 5515-X IPS SSP do not support signature
templates (signature threat profiles).
definition file. The ASA 5512-X IPS SSP and ASA 5515-X IPS SSP do not support signature
templates (signature threat profiles).
•
The ASA 5512-X IPS SSP and ASA 5515-X IPS SSP do not support HTTP advanced decoding.
•
Enabling HTTP advanced decoding can have a significantly negative performance and memory
impact on the sensor.
impact on the sensor.