This section delves into some of commonly seen problems that you may experience and ways to resolve them.
How can I upgrade my IDS/IPS sensor using IDS/IPS MC from version 3.x to 4.x?
Refer to the following link for a detailed procedure: http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_chapter09186a008018d985.html#894197
Is IPS 5.0 version on sensor supported by IDS/IPS MC?
Yes, IPS 5.0 is supported on version IDS/IPS MC version 2.1. For additional details, refer to the following link:
Can I change the IP address of the VMS server running IDS/IPS MC?
Yes you can, but this is not recommended by Cisco Systems, Inc. Refer to "Changing the VMS Server IP Address" under the section entitled "Important Procedures and Techniques." You must also be sure to allow this host or network address of the VMS server to the allowed host table of the sensor (see "Adding Allowed Hosts on the Sensor" under the "Important Procedures and Techniques" section).
How can I validate the Apache Certificate? If the certificate is bad or expired, can I regenerate it?
Yes, you can verify the validity of the Apache certificate and can regenerate it if invalid. For verification, refer to "Verifying That the IDS/IPS MC (Apache) Certificate Is Valid" and for regeneration of the certificate refer to "Regenerating IDS/IPS MC (Apache) Certificate" under the section entitled "Important Procedures and Techniques."
How can I delete pending jobs in IDS/IPS MC?
First make sure whether you have pending job or not by going to the Admin > System Configuration > View Current Locks. To delete the pending job, go to the Configuration tab > Pending, and check the relevant jobs and click the Delete button.
Where does IDS/IPS MC store configuration files?
Configuration goes into the following locations:
- <installdir >/mdc/etc/ids/xml/SystemConfig.xml.
The content of SystemConfig.xml files in the three different locations are exactly the same and are changed at install/uninstall time.
The sensor configuration files generated by IDS/IPS MC are temporarily stored in C:\Document and Settings\username\Local Settings\Temp\deploy\sensors. The format of the sensor directory name is ipAddress-xxxx.tmp, where ipAddress is the sensor's IP address, and xxxx is a unique number. These files are generated at the start of deployment and removed at the end of deployment. However, if you want IDS/IPS MC to leave files after deployment, you can change the <CleanupTempFiles> true</CleanupTempFiles> to <CleanupTempFiles>false</CleanupTempFiles> in the <INSTALL_DIR>/MDC/etc/ids/xml/DeploymentConfig.xml file. You must restart the IDS_DeployDaemon for this change to take effect. Note that this also leaves imported config files from the sensor.
How does the IDS/IPS MC push the configuration to the sensor?
If you are running sensor version 4.x and above and IDS/IPS MC 1.x, then IDS/IPS MC connects with the sensor using SSH and then sends the configuration command by command to the CLI of the sensor to write the configuration. However, if you are running version IDS/IPS MC 2.x, then the IDS/IPS MC creates the configuration file (xml format) and pushes the configuration file to the sensor using RDEP communication protocol (SSL/TLS). Because of this, in IDS/IPS MC 2.x configuration deployment is much faster.
What is the severity mapping between IDS/IPS MC and sensor?
The following is the severity mapping between the IDS/IPS MC and sensor (as of the writing this book. In the future this may change):
- 1 = Info
- 2 = Low
- 3 = Medium
- 4 = High
Can Sybase Database be installed and run on a separate machine for reporting, to ease DBA support such as database (DB) backups?
Yes, you can install Sybase database for IDS/IPS MC/Security Monitor on a different mounted drive. RAID disks are a better choice. Everything becomes Input/Output (I/O) bound in high volumes. You can schedule a prune and load the pruned data into another database (Sybase, Oracle, etc.). You can also do a backup and load the IDS/IPS database into a Sybase installed on a different machine. This requires you to purchase an additional license for Sybase. The Security Monitor application uses the Sybase database shipped with VMS. There is no plugable replacement. To use the data on another database, you must somehow replicate it to that database. You can use the command line tools or any other means to do so.
What is the Overwrite button used for in the Advanced > Not Supported window?
The Overwrite button is used to overwrite the settings inherited from the parents. The button is not used to overwrite the setting on the sensor. What is added in the window is just added at the end of the configuration file.
If I edit the configuration file in the IDS/IPS MC going to Advanced > Not Supported Window, how does the IDS/IPS MC parser treat the changes?
This window is used for adding configurations not supported by IDS/IPS MC. The configuration you add here will be appended to the end of the file in the sensor. If the configuration entered is already present in the configuration, the sensor will have this information twice, and the last entry will be taken from the daemon.
There is a check box on IDS/IPS MC for the sensor identification page that says Use Existing Keys. What does this do and why would I want to use it?
If you want tighter security on your system, you can check this option of the sensor identification page on IDS/IPS MC. Normally with SSH, you can use the standard username and password for the connection. You can also use pre-shared keys that are set up on the sensor and on the MC. This check box allows you to use existing pre-shared keys from the IDS/IPS MC server memory. For more details look at the section entitled "Using SSH in IDS/IPS MC and Security Monitor" in the following link: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mgt_ids/idsmc20/ug/ch04.htm
Can you back up IDS/IPS MC and restore it on a different machine with a different hostname or IP address?
Yes, you can.
What applications have interoperability issues with VMS/IDS/IPS MC?
Microsoft IIS Web Server and Microsoft Terminal Services have interoperability issues with VMS/IDS/IPS MC.
How can I eliminate the two windows that pop up once I click on every window after enabling SSL?
Go to Server configuration > Administration > Security Management > Create Self Signed Certificates. Use the same IP address or name you will use to access the server. Then go to VPN/Security Management Solution > Administration > Configuration > Certificate and set it to use the CiscoWorks certificate. Then, restart the Daemon Manager and the browser. You will not be prompted for the certificate any more. It is however important to note that in IDS/IPS MC 2.0 and 2.0.1, using a CiscoWorks certificate causes signature update failure. So, it is better to avoid this in IDS/IPS MC version 2.0 and 2.0.1.
Does VMS support access through a Web proxy server?
This is not officially listed as supported, but it works.
Where can I download the latest versions and patches for IDS/IPS MC?
You must have cisco.com login privileges and can download the software from the following location: http://www.cisco.com/pcgi-bin/tablebuild.pl/mgmt-ctr-ids-app.
Where can I download the latest IDS/IPS sensor updates?
The latest IDS/IPS sensor updates are available in the following location: http://www.cisco.com/pcgi-bin/tablebuild.pl/mgmt-ctr-ids-ids4updates
Updates are for the following:
- Update IDS/IPS sensors using IDS/IPS MC.
- Update IDS/IPS MC.
- Update Security Monitor.
IDS/IPS MC updates the Security Monitor automatically if it resides on the same server.
How can I receive e-mail notifications when a new IDS/IPS sensor update is available?
You can receive e-mail notifications for new updates and the latest product news by subscribing at:
Are both IDS/IPS sensor versions 3.x and 4.x supported by the IDS/IPS MC?
Yes, IDS/IPS MC version 1.1 supports both IDS/IPS sensor Version 3, which uses PostOffice Protocol and the newer Version 4.x, which supports Remote Data Exchange Protocol (RDEP) sensors.
What IDS/IPS sensor hardware and software versions does IDS/IPS MC support?
Refer to the following link for the updated version of sensor versions supported by IDS/IPS MC: http://www.cisco.com/en/US/products/sw/cscowork/ps3992/products_device_support_tables_list.html.
Can I import IOS IPS configuration into the IDS/IPS MC?
If you are running the IPS feature on the Cisco IOS Router and IDS/IPS MC version less than 2.0, then this is not possible. However, you can manage IOS IPS configuration with IDS/IPS MC 2.0.
I am managing my sensor using CSPM. How can I migrate to IDS/IPS MC?
You cannot migrate the CSPM database to IDS/IPS MC. However, you can import the configuration from the sensor to the IDS/IPS MC.