6 Replies Latest reply on Nov 26, 2008 7:34 AM by TanDaBoss

    Intrushield IPS & ISM update path

      Hi all,

      it's my first post here and it's a pleasure to discover this forum.

      I'm running an ISM and two I3000 sensors and I would like to update them from:

      ISM to
      I3000 to

      Can I update my sensors and my ISM directly?
      I didn't find any update between and for my I3000.



        • 1. RE: Intrushield IPS & ISM update path
          Hi Tan,

          the latest available versions are:


          For the ISM, the upgrade path is:

          ISM: --> --> -->

          For the Sensor, you run into trouble as the several images you need are not available for download from the menshen site. So either you are lucky and they are alread on your ISM, or I would recommend you to netboot the sensors. Another option is to open a case with McAfee support as they can provide the images.

          For the netboot process, please consult document ID 614385 at http://knowledge.mcafee.com
          Also, for future references, I would recommend you to read the release notes for the different version released. You can find them at the McAfee Knowledge Base:

          1/ Browse to http://knowledge.mcafee.com
          2/ Under the 'Useful Links' section click on 'Product Documentation'. A pop-up window will open.
          3/ Click on Intrushield Manager Software --> Intrushield Manager Software 4.1

          On the relase notes look for the point 'Installation, upgrade, and usage best practices', which will indicate you the minimum version required to upgrade.


          • 2. Many Thanks dsf_v
            Hi dsf_v

            Many thanks for your detailed answer.

            In fact I succeeded to upgrade my ISM following the upgrade path: --> -->
            Then I tried to upgrade one of my sensor following this path: --> --> -->

            Then it was the nightmare !!!
            Why you will ask me!
            Because I was stupid enough to think that the version I found was closed enough to the to upgrade to!!!
            Don't laugh too loud please, I've got a headache right now :p

            In fact the correct upgrade path is --> --> -->

            Then I tried to downgrade directly to Big big mistake sad (again!).
            The nightmare became more intensive! All my ports B went down, no fail open any more except when I shutdown the appliance.

            Many thanks dsf_v for the link to the netboot procedure but I still have some questions:

            In fact I have a cluster of IPS. The Active one is working fine and the passive one is shutdown. The passive one is the "victim" of my stupidity :D.

            My ISM is running I think the manager is correct and I don't want to suffer by downgrading it.

            Is my configuration can run correctly with my ISM in and my sensors in
            I'm pretty sure that I have to netboot my passive IPS but what is the best way to proceed?

            Stay in or move directly with the netboot to
            Will my ISM in and my sensors in work fine together?

            McAfee's Support told me that if I can't find the version on menshen.intruvert.com, I won't find it anywhere :(.

            Do I have to netboot my passive IPS first and then my active one or the reverse order???

            Many thanks for your great input.


            • 3. :)
              Hi Tan,

              I can see you are having fun!! ;)

              The ISM on the managing sensors on should not be a problem at all. However I would really recommend you to netboot the sensor to

              As you can see on the documentation, ISM and IPS are designed to work together.

              Regarding the response you got from McAfee Support, it is obviously the ISM admin's job to keep up to date. I know they could provide them versions but in your case you don't really need them. Netboot the sensors.

              1/ Netboot secondary sensor to
              2/ Redirect traffic to secondary sensor
              3/ Netboot primary sensor
              4/ You are up to date on supported versions.
              5/ Start looking at the 5.1 documentation :)

              I am sure this will work ;)

              • 4. no failopen anymore

                I just wanted to add.... make sure your sensors are on 'layer2 mode on'. Any software problem they will go into layer2 bypass mode that should save you a lot of trouble...

                You can send the sensor to layer2 mode with the command:

                layer2 mode assert

                To ga back to 'normal mode':

                layer2 mode deassert

                • 5. great discussion :)

                  hopefully you are member of this forum!!
                  I'm quite disappointed by the McAfee's support. I just had one guy on the phone and he told me "it should be fine if you upgrade directly from to"! :eek:
                  I've never worked with a support closing tickets so fast and providing so few answers!!!:mad:

                  I am more confident in your advices than in the vendor's ones. :cool:

                  By now my "defective" sensor is shut (failopen mode). I will do the netboot process this saturday.

                  It is really strange when I power up my sensor and when the software is loaded, I have really weird issues. Trafic that shouldn't pass through the IPS is impacted !!!

                  I let you know when I will have the force to fix up everything :D


                  • 6. bypass switch

                    in fact, I was able to identify the cause of our problem.
                    The Giga Optical Bypass switch failed so we are waiting for McAfee to change it. I'm pretty sure they won't be able to respect the SLA!

                    Anyway, Netboot procedure is very easy to follow as long as you test it once.