6 Replies Latest reply on Nov 26, 2008 7:34 AM by TanDaBoss

    Intrushield IPS & ISM update path

      Hi all,

      it's my first post here and it's a pleasure to discover this forum.

      I'm running an ISM and two I3000 sensors and I would like to update them from:

      ISM 4.1.3.7 to 4.1.5.7
      I3000 4.1.1.21 to 4.1.5.7

      Can I update my sensors and my ISM directly?
      I didn't find any update between 4.1.1.21 and 4.1.5.7 for my I3000.

      Thanks

      Cheers,

      Tan
        • 1. RE: Intrushield IPS & ISM update path
          Hi Tan,

          the latest available versions are:

          ISM: 4.1.7.5
          Sensor: 4.1.5.27

          For the ISM, the upgrade path is:

          ISM: 4.1.3.7 --> 4.1.3.19 --> 4.1.5.4 --> 4.1.7.5


          For the Sensor, you run into trouble as the several images you need are not available for download from the menshen site. So either you are lucky and they are already on your ISM, or I would recommend you to netboot the sensors. Another option is to open a case with McAfee support as they can provide the images.

          For the netboot process, please consult document ID 614385 at http://knowledge.mcafee.com
          Also, for future reference, I would recommend you to read the release notes for the different versions released. You can find them at the McAfee Knowledge Base:

          1/ Browse to http://knowledge.mcafee.com
          2/ Under the 'Useful Links' section click on 'Product Documentation'. A pop-up window will open.
          3/ Click on Intrushield Manager Software --> Intrushield Manager Software 4.1

          In the release notes look for the point 'Installation, upgrade, and usage best practices', which will indicate the minimum version required to upgrade.

          HTH.

          Regards,
          dsf_v
          • 2. Many Thanks dsf_v
            Hi dsf_v

            Many thanks for your detailed answer.

            In fact I succeeded to upgrade my ISM following the upgrade path: 4.1.3.7 --> 4.1.3.19 --> 4.1.5.4
            Then I tried to upgrade one of my sensor following this path: 4.1.1.21 --> 4.1.1.49 --> 4.1.1.79 --> 4.1.5.7

            Then it was the nightmare !!!
            Why you will ask me!
            Because I was stupid enough to think that the 4.1.1.79 version I found was close enough to the 4.1.1.81 to upgrade to 4.1.5.7!!!
            Don't laugh too loud please, I've got a headache right now :p

            In fact the correct upgrade path is 4.1.1.21 --> 4.1.1.49 --> 4.1.1.81 --> 4.1.5.7

            Then I tried to downgrade directly to 4.1.1.21. Big big mistake :( (again!).
            The nightmare became more intensive! All my ports B went down, no fail open any more except when I shut down the appliance.

            Many thanks dsf_v for the link to the netboot procedure but I still have some questions:

            In fact I have a cluster of IPS. The Active one is working fine and the passive one is shutdown. The passive one is the "victim" of my stupidity :D.

            My ISM is running 4.1.5.4. I think the manager is correct and I don't want to suffer by downgrading it.

            Can my configuration run correctly with my ISM in 4.1.5.4 and my sensors in 4.1.1.21???
            I'm pretty sure that I have to netboot my passive IPS but what is the best way to proceed?

            Stay in 4.1.1.21 or move directly with the netboot to 4.1.5.7?
            Will my ISM in 4.1.5.4 and my sensors in 4.1.5.7 work fine together?

            McAfee's Support told me that if I can't find the 4.1.1.81 version on menshen.intruvert.com, I won't find it anywhere :(.

            Do I have to netboot my passive IPS first and then my active one or the reverse order???

            Many thanks for your great input.

            Cheers,

            Tan
            • 3. :)
              Hi Tan,

              I can see you are having fun!! ;)

              The ISM on the 4.1.5.4 managing sensors on 4.1.1.21 should not be a problem at all. However I would really recommend you to netboot the sensor to 4.1.5.7.

              As you can see on the documentation, ISM 4.1.5.4. and IPS 4.1.5.7 are designed to work together.

              Regarding the response you got from McAfee Support, it is obviously the ISM admin's job to keep up to date. I know they could provide those versions but in your case you don't really need them. Netboot the sensors.

              1/ Netboot secondary sensor to 4.1.5.7
              2/ Redirect traffic to secondary sensor
              3/ Netboot primary sensor
              4/ You are up to date on supported versions.
              5/ Start looking at the 5.1 documentation :)

              I am sure this will work ;)

              Regards,
              dsf_v
              • 4. no failopen anymore
                Hey,

                I just wanted to add.... make sure your sensors are on 'layer2 mode on'. With any software problem they will go into layer2 bypass mode, which should save you a lot of trouble...

                You can send the sensor to layer2 mode with the command:

                layer2 mode assert

                To go back to 'normal mode':

                layer2 mode deassert

                regards,
                dsf_v
                • 5. great discussion :)
                  dsf_v

                  hopefully you are a member of this forum!!
                  I'm quite disappointed by the McAfee's support. I just had one guy on the phone and he told me "it should be fine if you upgrade directly from 4.1.1.21 to 4.1.5.7"! :eek:
                  I've never worked with a support closing tickets so fast and providing so few answers!!!:mad:

                  I am more confident in your advice than in the vendor's. :cool:

                  By now my "defective" sensor is shut (failopen mode). I will do the netboot process this Saturday.

                  It is really strange: when I power up my sensor and the software is loaded, I have really weird issues. Traffic that shouldn't pass through the IPS is impacted !!!

                  I'll let you know when I have the force to fix up everything :D

                  Cheers

                  Tan
                  • 6. bypass switch
                    Hi,

                    in fact, I was able to identify the cause of our problem.
                    The Giga Optical Bypass switch failed so we are waiting for McAfee to change it. I'm pretty sure they won't be able to respect the SLA!

                    Anyway, Netboot procedure is very easy to follow as long as you test it once.

                    Cheers,

                    Tan