Field Notice: FN - 64099 - IPS Sensors - Software Upgrade Required in Order to Enable SHA-2 Support for IPS Global Correlation - Software Upgrade Recommended

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.0	01-Feb-16	Initial Release
10.0	11-Oct-17	Migration to new field notice system
10.1	07-Feb-19	Fixed Broken Image Link

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	Intrusion Prevention System (IPS) System Software	E4	7.0(2)E4,7.0(3)E4,7.0(4)E4,7.0(5)E4,7.0(5a)E4,7.0(6)E4,7.0(7)E4,7.0(8)E4,7.0(9)E4,7.2(1)E4,7.2(2)E4,7.3(1)E4,7.3(2)E4,7.3(3)E4,7.3(4)E4,7.3(5)E4,7.1(1)E4,7.1(10)E4,7.1(11)E4,7.1(2)E4,7.1(3)E4,7.1(4)E4,7.1(5)E4,7.1(6)E4,7.1(7)E4,7.1(8)E4,7.1(9)E4

Defect Information

Defect ID	Headline
CSCvf34445	There were no defects filed with this field notice at the time of publication.

Problem Description

Customers that use the Global Correlation feature are required to upgrade their Intrusion Prevention System (IPS) software. This upgrade is required in order to provide compatibility with the SHA-2 certificate that is deployed on the Cisco Global Correlation servers.

Background

Customers that use IPS depend on continuous Global Correlation updates from Cisco for up-to-date protection of their network.

Customers that subscribe to Global Correlation updates are required to upgrade their IPS software in order to provide compatibility with the SHA-2 certificates that are deployed on the Cisco Global Correlation servers. This change affects IPS sensors that run 7.0, 7.1, 7.2 and 7.3 code versions configured for the Global Correlation feature.

Customers that use these IPS software versions must upgrade before March 5, 2016 in order to provide compatibility with the Cisco Global Correlation servers.

Problem Symptom

Customers should upgrade their IPS software to version 7.1(11)E4 or 7.3(5)E4 prior to March 5, 2016 in order to ensure they receive Global Correlation updates and protect themselves against future threats.

Workaround/Solution

Use one of these procedures in order to upgrade the IPS software to version 7.1(11)E4 or 7.3(5)E4. In order to guarantee that you continue to receive Global Correlation updates from Cisco for up-to-date network protection, complete one of these two procedures by March 5, 2016.

Note: The IPS is required to have a DNS server or HTTP proxy configured in order to support automatic signature updates from Cisco in version 7.1(11)E4 and 7.3(5)E4.

For customers that use IPS 7.0 - Cisco Global Correlation updates for these older versions will no longer work once the SHA-2 certificates are deployed.

For customers that use IPS 7.1 - Upgrade to version 7.1(11)E4 or later (see the upgrade procedures in this section).

For customers that use IPS 7.2 or IPS 7.3 - Upgrade to version 7.3(5)E4 or later (see the upgrade procedures in this section).

Procedure #1: Upgrade the IPS Software with the CLI

Both IPS version 7.1(11)E4 and 7.3(5)E4 use the same installation process. For example, in order to install the 7.1(11)E4 release for the IPS 4510 with the CLI, complete these steps:

1. Download the model appropriate package file (for example, IPS-4510-K9-7.1-11-E4.pkg) to a local server.
2. Log into the CLI with an account that has administrator privileges.
3. Type this command in order to enter Configuration mode:

   configure terminal

4. Type this command in order to upgrade the sensor:

   sensor(config)# upgrade [URL]/IPS-4510-K9-7.1-11-E4.pkg

   In this example, [URL] is a uniform resource locator that points to where the package is located. For example, in order to retrieve the IPS 4510 update via FTP, type this command:

   sensor(config)# upgrade ftp://username@ip-address//directory/IPS-4510-K9-7.1-11-E4.pkg

   The available transport methods are SCP, FTP, HTTP, or HTTPS.

5. Enter the sensor password when prompted.
6. In order to complete the upgrade, type yes when prompted. The sensor reboots and applies the changes.

In order to determine if 7.1(11)E4 has successfully been installed on the sensor, log into the CLI and type show version at the command prompt. The sensor reports the version as 7.1(11)E4 and the Upgrade History should include IPS-4510-K9-7.1-11-E4.pkg.

Note: You must run these versions in order to upgrade these platforms to IPS 7.1(11)E4:

• For the IPS 42XX and SSM series sensors, you must run IPS 6.0(6) or later.
• For the IPS 43XX series sensors and the ASA 5500-X IPS SSP series, you must run IPS 7.1(3)E4 or later.
• For the IPS 45XX series sensors, you must run IPS 7.1(4)E4 or later.
• For the ASA 5585-X IPS SSP series, you must run IPS 7.1(1)E4 or later.

Procedure #2: Update the IPS Software with IDM/IME

1. Choose Configuration > Sensor Management > Update Sensor.
2. Click the appropriate upgrade package location and transfer method, if needed. For example, if you will install the upgrade package from the system where you run IDM/IME, click the Update is located on this client radio button and choose the Local File Path of the upgrade package as shown here:

   

3. Click Update Sensor in order to apply the update to the sensor.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

• Open a service request on Cisco.com
• By email
• By telephone

Receive Email Notification For New Field Notices

Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.