Cisco IPS 4255 Sensor
Release Notes for Cisco Intrusion Prevention System 6.1(1)E1
OL-17173-01
Restrictions and Limitations
The following restrictions and limitations apply to Cisco IPS 6.1(1)E1 software and the products that run 6.1(1)E1:
• For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported. If you remove the cisco account through the service account, the sensor most likely will not boot up, so to recover the sensor you must reinstall the sensor system image.
• The AIM IPS does not support virtualization.
• When you reload the router, the AIM IPS also reloads. To ensure that there is no loss of data on the AIM IPS, make sure you shut down the module using the shutdown command before you use the reload command to reboot the router.
• Do not deploy IOS IPS and the AIM IPS at the same time.
• When the AIM IPS is used with an IOS firewall, make sure SYN flood prevention is done by the IOS firewall.
The AIM IPS and the IOS firewall complement each other's abilities to create security zones in the network and inspect traffic in those zones. Because the AIM IPS and the IOS firewall operate independently, sometimes they are unaware of the activities of the other. In this situation, the IOS firewall is the best defense against a SYN flood attack.
• Cisco access routers only support one IDS/IPS per router.
• On IPS sensors with multiple processors (for example, the IPS 4260 and IPS 4270-20), packets may be captured out of order in the IP logs and by the packet command. Because the packets are not processed using a single processor, the packets can become out of sync when received from multiple processors.
• An IPS appliance can support both promiscuous and inline monitoring at the same time; however, you must configure each physical interface in either promiscuous or inline mode. The sensor must contain at least two physical sensing interfaces to perform both promiscuous and inline monitoring. The exceptions to this are AIP SSM-10, AIP SSM-20, and AIP SSM-40. The AIP SSM can support both promiscuous and inline monitoring on its single physical backplane interface inside the adaptive security appliance. The configuration on the main adaptive security appliance can be used to designate which packets/connections should be monitored by the AIP SSM as either promiscuous or inline.
• When deploying an IPS sensor monitoring two sides of a network device that does TCP sequence number randomization, we recommend using a virtual sensor for each side of the device.
• After you upgrade any IPS software on your sensor, you must restart the IDM to see the latest software features.
• IDM does not support any non-English characters, such as the German umlaut or any other special language characters. If you enter such characters as a part of an object name through IDM, they are turned into something unrecognizable and you will not be able to delete or edit the resulting object through IDM or the CLI.
This is true for any string that is used by the CLI as an identifier, for example, names of time periods, inspect maps, server and URL lists, and interfaces.
• You can only install eight IDSM2s per switch chassis.