Cisco IPS 4255 Sensor

Release Notes for Cisco Intrusion Prevention System 7.2(2)E4
OL-27710-01
Restrictions and Limitations
The following restrictions and limitations apply to Cisco IPS 7.2(2)E4 software and the products that run it:
  • IME 7.2.6 is the only supported IME release for IPS 7.2(2)E4.
  • After upgrading to 7.2(2)E4, you cannot automatically update the sensor to IPS 7.3(1)E4 using the CLI, IDM, or IME, because SNMPv3 support is not available in IPS 7.3(1)E4. You can, however, manually update to 7.3(1)E4 using the CLI, which warns you that the SNMP configuration will be removed from the sensor.
  • For IPS 7.2(1)E4, while executing an immediate upgrade, you cannot use the IDM, IME, or CLI, or start any new sessions until the upgrade is complete. For IPS 7.2(2)E4 and later, you can use the IDM, IME, and CLI immediately after you begin an automatic update because the automatic update is now executed as a background process.
  • If a client connecting to a sensor that is using SSH does not support SSHv2, or if SSHv2 is disabled, the management connectivity is lost after upgrading to IPS 7.2(2)E4 from any 7.1(x) version because SSHv1 is disabled by default in IPS 7.2(2)E4.
  • IPS 7.2(2)E4 supports TLS 1.0 and later. If the peer uses an older SSL version, the connection cannot be established.
  • To support the immediate automatic update feature, a default update schedule with a start time of 00:00:00 and interval of 24 hours has been set. You must enable the automatic update settings before issuing an immediate automatic update. Disable the automatic update schedule if you do not want to use the default scheduled update.
  • The dual module configuration is available only for the IPS 4520. You can install another IPS 4520 module in an existing 4520 or you can order the IPS 4520-XL, which has the two-module configuration.
  • The ASA 5512-X IPS SSP and the ASA 5515-X IPS SSP do not support the Regex accelerator card and the String XL engines.
  • Applying any signature template erases any existing tunings associated with the targeted signature definition file. The ASA 5512-X IPS SSP and ASA 5515-X IPS SSP do not support signature templates (signature threat profiles).
  • The ASA 5512-X IPS SSP and ASA 5515-X IPS SSP do not support HTTP advanced decoding.
  • Enabling HTTP advanced decoding can have a significant negative impact on sensor performance and memory.
  • Use the show statistics virtual-sensor | include load command (CLI) or look at the statistics for the virtual sensor at Configuration > Sensor Monitoring > Support Information > Statistics (IDM/IME) to determine the load value over a longer period of time. The show statistics analysis-engine command (CLI) and the statistics for the Analysis Engine show values over a shorter period of time. If you compare the output, the values will appear to be inconsistent due to the different time periods. To get an accurate comparison between them, compare the processing load percentage from the statistics for the virtual sensor and the one-minute averaged value from the statistics for the Analysis Engine.
  • TACACS+ authentication is not supported in IPS 7.2(2)E4.
  • The CLI timeout feature is applicable only for sessions established through SSH, Telnet, and the console. Service account logins are not affected.
  • Anomaly detection does not support IPv6 traffic; only IPv4 traffic is directed to the anomaly detection processor.
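
The SSHv1 and TLS 1.0 restrictions above can be checked against an inventory of management peers before upgrading. The following is an added example, not part of the Cisco release notes: it classifies SSH identification strings (format per RFC 4253) and a recorded highest SSL/TLS version. The peer names, the inventory format, the protocol labels and the function names are assumptions of this example, and the sample data is constructed.

```python
import re

# SSH identification string (RFC 4253, section 4.2): SSH-protoversion-softwareversion
_SSH_ID = re.compile(r"^SSH-(\d+)\.(\d+)-\S+")

# Protocol order, oldest first; the labels are this example's own.
_TLS_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]


def ssh_supports_v2(banner):
    """True if the identification string advertises SSH protocol 2.

    '2.0' is SSHv2; '1.99' is the RFC 4253 compatibility value for an
    endpoint that speaks both 1.x and 2.0. Anything else is SSHv1 only.
    """
    m = _SSH_ID.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    return major >= 2 or (major, minor) == (1, 99)


def tls_ok(highest):
    """True if the peer's highest protocol is TLS 1.0 or later."""
    return _TLS_ORDER.index(highest) >= _TLS_ORDER.index("TLSv1.0")


def audit(peers):
    """Return {name: [findings]} for peers that would lose management access."""
    report = {}
    for name, banner, highest_tls in peers:
        findings = []
        if not ssh_supports_v2(banner):
            findings.append("SSHv1 only: SSH management access lost after upgrade")
        if not tls_ok(highest_tls):
            findings.append("no TLS 1.0+: TLS connection cannot be established")
        if findings:
            report[name] = findings
    return report


# Constructed inventory: (peer name, SSH identification string, highest SSL/TLS version)
SAMPLE_PEERS = [
    ("mgmt-ws-01", "SSH-2.0-OpenSSH_6.2", "TLSv1.2"),
    ("legacy-script-host", "SSH-1.5-1.2.27", "SSLv3"),
    ("jump-host", "SSH-1.99-OpenSSH_3.9p1", "TLSv1.0"),
]

if __name__ == "__main__":
    for peer, findings in audit(SAMPLE_PEERS).items():
        print(peer, "->", "; ".join(findings))
```

A peer whose SSHv2 support exists but is disabled in its configuration still presents as SSHv1 only, so the banner should be captured from the client as actually configured.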