Legal and notice information 2010 Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided as is without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. TippingPoint, the TippingPoint logo, and Digital Vaccine are registered trademarks of Hewlett-Packard All other company and product names may be trademarks of their respective holders. All rights reserved. This document contains confidential information, trade secrets or both, which are the property of Hewlett-Packard No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from Hewlett-Packard or one of its subsidiaries. Adobe and Acrobat are trademarks of Adobe Systems Incorporated. Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation. Oracle is a registered U.S. trademark of Oracle Corporation, Redwood City, California. 
UNIX is a registered trademark of The Open Group. Printed in the US.
Table of Contents
Overview
  Important Notices
  Documentation
  Support
  Special Restrictions
  Upgrades Requirements
  Memory Requirements
  SMS Client Requirements
  SMS Replication Bandwidth Requirements
  Patches
Migration
  Migration Considerations
  Updating the SMS
  Updating the Digital Vaccine
  Migration Clarifications
What's New
  Active Response
  Admin
  CLI
  Devices
  Events
  External Interface
  Profiles
  Reports
Clarifications
  Database Restore
  Devices: Expired Licenses
  Devices: Port Health Graphs
  Devices: SSL Appliance Logs
  Device Snapshot: Reputation Entries
  Reputation Database
  SMS Backup: Auxiliary Digital Vaccines
  SMS Backup: Restoring a Backup
  SMS FIPS
  SNMPv1 Support
  Virtual Segments
  VLAN Translation
Known Issues
  Active Response
  Backups
  Devices
  Digital Vaccine
  Events
  External Database
  External Interface - API Info
  High Availability
  Interface
  IPv6
  Management IP Address Changes
  MySQL
  NFS
  Profiles
  SMS Health
  SMS Snapshot
  TMC
  Virtual Ports
  Virtual Segments
Important Notices
If you are upgrading from a previous major release to a newer major release, consult the release notes for any interim releases. Before attempting an upgrade, read and follow the information in Upgrades Requirements on page 3.
Documentation
For help with features, refer to the SMS online help available through the help area of the product interface. For complete documentation for major releases, refer to the following publications available from the TippingPoint Threat Management Center (TMC) at http://tmc.tippingpoint.com:
- Quick Start TippingPoint SMS Appliance
- SMS Installation and Configuration Guide
- Security Management System User's Guide
- SMS Safety and Compliance Guide
- SMS Deployment Notes
- SMS External Interface Guide
- TippingPoint Event Taxonomy
1. Log on to the TippingPoint Threat Management Center (TMC) at http://tmc.tippingpoint.com.
2. Select the Documentation tab and then choose Product Documentation.
3. Select the SMS Product Documentation folder and open the most recent version of the SMS documentation.
4. Select the document to view the guide or the download link to download a copy of the guide.
Support
For additional information or assistance, contact TippingPoint Customer Support:
Telephone
North America: +1 866 681 8324
International: +1 512 681 8324
For a list of international toll-free contact numbers, consult one of the following web pages:
https://tmc.tippingpoint.com/TMC/Content/support/Support_Contacts
http://www.tippingpoint.com/support.html
E-mail
tippingpoint.support@hp.com
Special Restrictions
Upgrades Requirements
Before upgrading to v. 3.2, the SMS must be installed with SMS v. 2.5 or later. For more information, see SMS v. 2.5 Release Notes, available from the TMC. Upgrades from SMS 2.5.0.5182 and newer are supported.
Note: Before upgrading from SMS 3.1.1.7943, the latest patch should be installed.
Memory Requirements
SMS v. 3.2 requires an SMS device with a minimum of 2 gigabytes of memory to operate correctly. To determine whether your SMS has the proper amount of memory, execute the following command from the CLI:
sms11 SMS=> get health.memInfo
Memory info (health.memInfo) = 2120323072 2053787648 66535424 153018368 199217152
The CLI command returns the above sample results with the first value being the total memory in bytes. If the first number is less than 2GB, contact TippingPoint TAC for memory upgrade instructions.
One of the following browsers:
- Microsoft Internet Explorer, version 6.0 or higher
- Firefox
- Safari
WAN Deployments
When an SMS HA pair is connected over a WAN link:
- Encapsulation overhead introduced by the WAN link may affect the required bandwidth.
- Fragmentation may occur if the MTU on the WAN link is smaller than Ethernet or going over a VPN.
- Latency of the WAN link will impact throughput.
Patches
The SMS provides easy and direct methods to install an SMS patch either directly from the TMC or from a local or network file. When a new patch becomes available, an alert message is displayed. Patches provide updates for SMS server and client software. Note: Before installing a patch, you may need to update the base SMS release associated with the patch. See Updating the SMS on page 7. For complete instructions, refer to the Admin section of the SMS online help or the TippingPoint SMS Users Guide.
Migration
- Migration Considerations
- Updating the SMS
- Updating the Digital Vaccine
- Migration Clarifications
This section details the migration instructions for updating to SMS v. 3.2.
Note: Migration information does not apply to Beta Releases.
Migration Considerations
This section contains important migration information. TippingPoint recommends that you read through the entire Migration section before attempting to migrate to SMS v. 3.2. Before you begin your migration, review the following items:
- Image Size
- Upgrade CD
- High Availability
- Reputation
- Quarantine Host List
- SMS Migration Steps
- Time Estimate
Image Size
The SMS v. 3.2 contains a significant system upgrade from some of the previous versions. When upgrading using the full version, the image size is approximately 700MB.
Upgrade CD
This image is available for download through the TMC. However, due to the increased file size, TippingPoint is also making this upgrade available on CD. Upgrade instructions are included with the Upgrade CD. For an Upgrade CD, contact TippingPoint TAC.
High Availability
Before doing an SMS upgrade, you must disable High Availability (HA). The process for upgrading an HA cluster is to break down the cluster, upgrade each SMS individually, and then re-establish the cluster.
Reputation
Before starting migration:
- Verify that the Reputation Task queue is empty.
- Disable automatic download of Rep DV and scheduled Profile distributions.
1. From a browser, log on to the TMC (https://tmc.tippingpoint.com).
2. Download and Install an SMS Software Update.
3. Download and Install an SMS Client Update.
Time Estimate
The time required to upgrade to SMS v. 3.2 varies, as does the time required for the further steps of updating the Digital Vaccine. Prior to any upgrade, be sure to back up your SMS.
The SMS v. 3.2 upgrade takes, on average, a total time of 25 minutes. Your system automatically reboots twice during the upgrade. The SMS is accessible only during the first step of the upgrade process; during the remainder of the upgrade, the SMS is not accessible.
The steps in the Time Estimates table describe each operation and duration for a typical SMS upgrade using a software package downloaded from TMC. These times are general estimates based on average system hardware configuration and data. Depending on your system and the data it contains, times may be slightly faster or slower than documented.
IMPORTANT: Do not reboot or power cycle the system. Doing so may cause the upgrade to fail and leave your system in an unusable state.
Table 1 - 1: Time Estimates - SMS Update
Step | Task | Manual or Automatic | Estimated Time | Link Status
1 | Import or download from TMC | Manual | varies * | Up
2 | Extract image and prepare system | Automatic | 5 minutes | Up
3 | Reboot. Upgrade software and OS | Automatic | 15 minutes | Down
4 | Reboot. Migrate the database. | Automatic | 5 minutes | Down
Upgrade Completed
5 | SMS Startup | Automatic | 1 - 2 minutes | Up
* See Image Size on page 5.
Note: During the SMS upgrade, SMS client access is not available. However, you can view detailed upgrade status from the local VGA console.
1. Log in to the SMS Client.
2. Open the Admin - General screen.
3. Click Download. A dialog box displays with the download progress. The system automatically downloads the latest available version directly from the TMC.
4. Click Install.
1. Access the SMS server website. Depending on settings, you may need to log in with your account. In the Address field of your web browser, enter:
   https://<smsipaddr>
2. On the SMS home page, click the Install the Client link under SMS Client Software.
3. Select the Windows or Linux version. For Windows, in the Download Complete dialog, click Open to start the SMS Client installer. For Linux, from the directory containing the installer, run:
   chmod 755 SMSInstall.sh; ./SMSInstall.sh
4. Follow the instructions for the installer. The installation wizard begins with a scan of your system. If the system does not have a previous SMS Client installed, it indicates steps and actions to install the application. If the system has a previous SMS Client installed, it informs you that a version is detected and provides an option to continue and upgrade the current version or change directories, retaining the older version. The installation wizard continues with messages and information regarding the new client and locations for shortcuts. Each step may include further options and progress indicators. The wizard prompts you to accept a license agreement to proceed.
5. When complete, you can access the client using the desktop icon. Start the client by double-clicking the TippingPoint SMS Client icon on your desktop.
3.2.0
After installing and updating the SMS, verify that you have the most recent version of the Digital Vaccine package downloaded and installed on your system. For detailed steps and other important related information, see the TippingPoint Security Management System Users Guide. See also Digital Vaccine on page 20.
Migration Clarifications
For further information on migration notices, continue reading the following sections:
- Active Response Policies: Escalate an IPS Quarantine
- Dashboard View Migration
- External Database
- Profiles
- Quarantine Action Sets
- Reputation
- Scheduled Back-up Migration
- SNMP Trap Actions
- Memory Requirements
External Database
After migration, the external database may not be accessible. See External Database on page 22.
SMS migration does not support external replication because the external slave server is not controlled by the SMS. After the SMS is migrated to a higher version, external replication users must create a snapshot and download the snapshot from the SMS to re-populate the slave MySQL server. For instructions on how to create and download a snapshot and how to populate the slave server, see the SMS Deployment Note: External Database, available from the TippingPoint Threat Management Center (TMC) at http://tmc.tippingpoint.com.
Profiles
If any of your previous profiles contain the < or > character, you may encounter errors exporting the profiles or editing the details. Prior to upgrading, TippingPoint recommends that you use the Save As option on the profile inventory screen to make a new copy of the profile with a new name that does not contain the < or > characters.
Reputation
When migrating to SMS v. 3.2 from an SMS v2.7 or v3.0 without patch 3, you must reactivate the current DV (if the current DV supports reputation and flow management) to use the reputation feature.
What's New
This section includes the following topics:
- Active Response
- Admin
- CLI
- Devices
- Events
- External Interface
- Profiles
- Reports
For more information on new features or changes, see the What's New section of the corresponding chapter of the SMS User's Guide.
Active Response
Reputation Entry Action
The Reputation Entry action is a new response action type that generates an entry in the Reputation Database. You can configure the response action with values for any Reputation Database tag categories defined in the SMS at the time that the action is created. You can also specify when the SMS Active Response service will add the entries to the Reputation Database (either immediately or aggregating and committing the entries every 60 minutes). You can use the Reputation Entry action to specify untagged (blacklist) entries or tagged entries for the Reputation Database. The Reputation Entry action becomes effective when added to an Active Response Policy applied in a Reputation Filter and a match to the defined category occurs.
Admin
Admin Database: Backup and Restore
Beginning with SMS version 3.2, SMS supports restoring a backup taken with a previous version of SMS. For example, you can restore a backup taken with SMS 3.1 to an SMS 3.2 server. When you restore a previous-version backup, SMS not only restores the database but also migrates the data and data structures to match the version of SMS currently running on your SMS server.
General - System and Port Health: Statistics Shown for Passive SMS Server
When SMS is configured for high availability (HA), the SMS environment is comprised of two SMS servers, one operating in an active role and one in a passive role. SMS now shows health statistics not only for the active SMS server; it now shows the same statistics for the passive SMS server.
CLI
High Availability
The following attribute was added to the CLI:
ha.cluster-info: HA attribute that returns the detailed status for the Passive and Active systems in the SMS HA cluster.
Devices
Editing Multiple Devices on the SMS
The SMS supports selecting and editing multiple devices. Through the SMS, you can apply the device configuration settings to multiple devices or device groups at one time.
Import/Export
The SMS provides export and import functions for device settings. Through the Devices > All Devices screen and from a device group member screen, the following new options are available:
- Export the device configuration to a settings file from a selected device using the Export Configuration button.
- Import a device settings file to one or more devices using the Import Configuration button.
The options are also available from the main edit menu and by right-clicking on a device.
Packet Trace
Through the Devices (All Devices) screen, the following right-click packet trace options are available: Save and Download to SMS.
System Snapshot
The System Snapshot feature was reworked and includes the following functionality:
- New Snapshot creates a new system snapshot and places it on the device.
- Archive Snapshot archives a device snapshot on the SMS.
Snapshots for N-Platform devices have the option to include LSM-created Reputation Entries as well as Reputation DV and SMS-created Entries.
TP 10/110/330 Devices
TippingPoint 10/110/330 devices that are new or that are upgraded to TippingPoint Operating System version 3.1.4 or above have increased functionality and include many of the same features that are included in N-Platform devices. To manage these new or upgraded devices, the SMS must be version 3.2 or later. For more information about these devices or upgrades to these devices, refer to the documentation for the specific device or the documentation for TOS version 3.1.4 and above.
TP SecBlade 1200N
The TippingPoint SecBlade 1200N IPS, an industry-leading Intrusion Prevention Systems (IPS) product developed by TippingPoint, is compatible with the H3C S7500E series switches. You can add multiple TP SecBlade 1200N modules to an H3C S7500E switch for service expansion. The TP SecBlade can be installed in H3C S7500E series switches and inspects up to 1.3 Gbps of traffic.
TippingPoint vController
You can access the TippingPoint vController from the SMS. The TippingPoint vController secures network traffic in virtualized environments and is part of the TippingPoint Secure Virtualization Framework (SVF). Access to the TippingPoint vController management interface is available from the SMS.
Events
Custom Queries
The SMS allows you to customize a query expression. You may modify the expression to use different operators such as AND and OR, or change the order of operations using parentheses.
Packet Trace
This release adds the ability to request multiple packet trace files from multiple events or all packet traces on a specific device.
Reputation Events
When an Events entry represents a reputation event, a tool tip displays for the Filter Name column of the Events screen. You can view extended information by pressing F2 when the tool tip is displayed. This expanded information is also displayed in the Event Details dialog in the Description field for reputation events. The following information is included:
- Criteria for the filter that created the event.
- Tag values for the matching entry from the reputation database. This includes both Reputation DV and user-defined tags.
External Interface
Packet Trace
For SMS v3.2, API support was added for device and event-based packet trace.
Profiles
Custom Shield Writer/Digital Vaccine Toolkit
The Custom Shield Writer (CSW) was renamed to Digital Vaccine Toolkit (DVT).
Deployment Mode
Digital Vaccines contain deployment settings for filters that address specific types of deployments (such as perimeter, core, datacenter, etc.). For 3.2 and above, the Deployment Mode setting for profiles replaces a similar functionality provided in the following TippingPoint preloaded DV-based profiles:
- TippingPoint Enhanced Security Perimeter Profile
- TippingPoint Recommended Core Profile
- TippingPoint Enhanced Security Server Protection Profile
Updates to TippingPoint Preloaded Profiles are not supported for SMS v3.2 and above. To replace this functionality, use the Deployment Mode option.
Profile Inheritance
Profiles can be set up with a hierarchy and profile attributes can be inherited. For each profile in the hierarchy, the following items can be inherited from the profile in the next level up:
- Application and Infrastructure Restrictions/Exceptions
- Performance Protection Restrictions
- Reputation Exceptions
- Category settings
- Filters from the DV, Auxiliary DV and Custom Packages
- Advanced DDoS filters
- Traffic Thresholds filters
- Reputation filters
- Traffic Management filters
Profile Import/Export
The import/export profile function was extended to allow import and export directly into or out of another SMS.
Reputation DV
SMS supports the Reputation Digital Vaccine (DV), a subscription-based service that identifies and delivers suspect IP and DNS addresses to subscribers.
Search
The Search function was moved to the new Reputation Database Search screen and can be accessed from the left navigational menu. The Search function has the following new search options:
- Include User Entries
- Include Reputation DV Entries
These entries are displayed in a separate column on the search results table.
Reports
Reputation Report Templates
SMS supports the following Reputation reports for the devices that support the Reputation feature:
- Reputation: All Reports
- Reputation: Specific Reports
- Reputation: Top Reports
Clarifications
Database Restore
For SMS v. 3.2, patches should be reapplied after a database restore if the database and system versions do not match.
Reputation Database
The SMS limits the number of user-provided reputation entries to a maximum of six million. The actual maximum that can be processed may be lower depending on the number of CIDRs used, the number of addresses each CIDR specifies, and whether or not each CIDR overlaps with other CIDRs. The SMS limits the number of tag categories to a maximum of six. This includes any tags provided by the Reputation DV which currently has three.
SMS FIPS
Full-FIPS Mode Preparations
When preparing the SMS for Full-FIPS Mode, we recommend that you:
- Perform an SMS backup and archive the backup on a separate system.
- Disable telnet and http services on the SMS. The https services may still be enabled.
FIPS Key
When installing a FIPS key with the SMS Web Page to complete the Full FIPS configuration, it is possible to inadvertently skip the key installation. When this occurs, the SMS must be rebooted and the Password Recovery procedure executed to restore the SMS to functionality. The Full FIPS configuration process will then need to be re-executed.
When installing a FIPS key to complete the configuration of your SMS from FIPS key transition mode to Full FIPS mode, make sure that the FIPS key imported has the appropriate FIPS key for your SMS and managed devices.
SNMPv1 Support
SMS v. 3.1 and above do not support SNMPv1.
Virtual Segments
Only IPS-N devices support 4095 as an ID for virtual segments. All other IPS devices do not support 4095 as an ID for virtual segments.
VLAN Translation
For VLAN Translation, Spanning Tree Protocol (STP) is not supported on the links attached to the IPS.
Known Issues
- Active Response
- Backups
- Devices
- Segment Names
- Digital Vaccine
- Events
- External Database
- Interface
- IPv6
- Management IP Address Changes
- MySQL
- NFS
- Profiles
- SMS Health
- SMS Snapshot
- TMC
- Virtual Ports
- Virtual Segments
Active Response
SSH
SSH is currently not a supported Active Response communication option for network devices.
Backups
Restoring Backups
After restoring a backup, the SMS may need to be restarted in order to view new available SMS software.
Devices
Core Controller
Adding a Core Controller to the SMS
Before the process of adding a Core Controller to the SMS is complete, the SMS system log may display an error message indicating hardware notifications from an unknown device. When the process completes, a subsequent system log message indicates that the Core Controller was successfully added.
Snapshot
Snapshot for Core Controller using spaces in the name fails.
Tool Tips
The tool tip for the Port Health Graphs does not show data for both input and output. The tool tip only shows the data for input. The tool tip shows two numbers:
- First number: time in seconds from the beginning of the graph
- Second number: input data
Device Replace
The device replace feature is not supported for Core Controllers.
Device Groups
If you launch the Segment Details - Edit dialog from the Network Summary panel on a device group, and change the segment group assignment of the segment you are editing, you must click Refresh to display the new segment group assignment.
IPS-N Devices
These devices only support Digital Vaccine version 2.5.2.7577 and higher. Distributing any prior DV version fails.
Segment Names
Special characters in a segment name on a 3.1+ IPS can cause SMS to fail to manage the device. Recent updates to device TOS 3.1 & 3.2 are causing an issue when special characters are used in a segment name on the device. The SMS may fail to manage a device with these special characters. Also, in the case where a device is already managed by the SMS, the SMS will begin to show errors in the audit log and debug logs related to the device, and the device may not show the correct up-to-date information in the SMS Client. To work around the issue, use the LSM on the device to change the segment name to include only alpha-numeric characters and then re-manage the device with the SMS.
Digital Vaccine
The 3.2 Digital Vaccine can only be used on 3.2 TOS versions. The 2.5 and later Digital Vaccines cannot be used on 2.2 or earlier TOS versions. 2.2 Digital Vaccines cannot be used on a 2.5 and later X-Family or IPS device. The SMS can use either 2.2, 2.5 or 3.2 Digital Vaccines.
When switching between 2.2 and 2.5 and later Digital Vaccines, log off the SMS Client and log on again to refresh the screens.
For 2.2 and 2.5 and later Digital Vaccines, the last number in the version is important. The two types of Digital Vaccines are equivalent if the last version number is the same. For example, Digital Vaccine 2.2.0.7084 is the 2.2 version of Digital Vaccine 2.5.0.7084. They are not the same Digital Vaccine package, but they are functionally equivalent.
DV Filter Settings
New DVs possess a platform-specific recommended setting for a set of filters. If you select default recommended settings, those filters that have the platform-specific recommendations are enabled but are not displayed as enabled on the SMS. The LSM correctly displays the filter status on that platform.
Events
Event Search
Event search does not apply network source/destination address criteria correctly. Applying search criteria to the events view in the SMS does not search correctly when using multiple address/CIDR criteria in the Src Addr(s) or Dst Addr(s) network criteria fields.
Searching Events
When searching for events, it may not be possible to query for records using certain criteria under the following circumstances:
- Events were generated from IPS devices that have not had a profile distributed to them by the SMS.
- Segments were deleted from the SMS.
External Database
If you migrate from V 3.0 you should apply patch 3. Otherwise, the external database may not be accessible. To make the database accessible:
1. From the Admin Navigation menu, select Database.
2. In the External Database Settings section, click Edit.
3. The Edit External Database Settings wizard displays.
4. Turn off external access/external replication.
5. Turn on external access/external replication.
6. Reboot the SMS.
High Availability
When the active SMS cannot communicate with the passive SMS, the SMS health does not display.
Interface
SMS Interface Input Fields
Many fields in the SMS are validated as the user enters a value. The validation is a textual analysis only. A value may be displayed as valid (that is, without the red underline). The information is properly formatted, but may not accurately reflect a valid address. For example, in an IP address field, the value 1.1.1.1 is displayed as valid when there is no such address. Or, an email address may be displayed as a valid RFC822 value, but messages to that address cannot be delivered because of the local SMTP server configuration.
IPv6
High Availability
High Availability (HA) is not supported with IPv6. If the SMS is IPv6 only, the HA configuration button will display an error when selected.
IPv4 Hardware
When an SMS Client is connected to the server using IPv6 protocol, and the IPv6 traffic is being tunneled through IPv4 hardware, the SMS audit logs, system logs, and active sessions table will show 0.0.0.0 as the client's IP Address.
Network Management
If you are editing the Network Management configuration and want to disable IPv4, use IPv6 to manage the network BEFORE you disable IPv4. If you are editing the Network Management configuration and want to disable IPv6, use IPv4 to manage the network BEFORE you disable IPv6.
SMS Backups
SMS backups to IPv6 NFS destinations are not supported. SMB, sFTP and SCP backups can be done to servers with an IPv6 address.
TMC
The TMC does not support IPv6. An SMS operating in IPv6-only mode will not be able to contact the TMC, unless the SMS IP address is NAT-ed or uses a proxy that has NAT configured.
MySQL
The SMS supports versions 5.0 and above of MySQL.
NFS
The SMS must have write permission for the anonymous user on the directory exported by the specified NFS server for the following NFS export cases:
- export backup
- export profile
- export report
Profiles
Action Sets
When working within SMS v. 3.2, you are unable to successfully modify a previously unmodified action set. If the action set has never been modified, changes made within the SMS are displayed but those changes will not be successfully pushed to the IPS. If the action set had been altered before then, subsequent changes made will be successfully pushed to the IPS.
External Replication
Both SMS HA and external replication rely on MySQL replication technology. At times, the HA configuration is in conflict with external replication. TippingPoint does NOT recommend using SMS HA and external replication at the same time.
Filter Locks
The locked settings are not retained during the import-export cycle if the locked filter:
- Is using category settings, or
- Doesn't have any exceptions, or
- AFC settings have not been changed
Filter Resets
After an IPS device completes a successful filter reset, the SMS resets the profile iteration ID during the rediscovery process. During this time, the filter and profile IDs may be out of sync and generate a warning.
Profile Import/Export
When an SMS is in Full FIPS Mode, importing or exporting a profile to or from another SMS is currently not supported.
SMS Health
System Health Thresholds
SMS System Health Thresholds are view-only. Threshold settings are indicated on the interface. When the system exceeds a threshold setting, the color of the associated indicator changes.
SMS Snapshot
For N-Platform IPS devices with TOS 3.1 and below, the SMS interface incorrectly displays the option to include Manual Reputation DV entries when performing a snapshot of the system. Selecting this option will result in an error.
TMC
Authenticated TMC Proxy Server
For client proxy authentication, some servers support multiple schemes for authenticating users. Because only one authentication scheme may be used at a time, the SMS proxy client must choose which scheme to use. By default, the SMS uses the following order of preference to select the correct authentication scheme: NTLM, Digest, Basic. If your proxy server encounters authentication issues with the SMS, you may need to create a rule in the proxy server for the IP address of the SMS to bypass authentication.
For more information on how to configure an authenticated TMC Proxy Server, see the Admin section in the online help or User's Guide. The most recent documentation is available from the TippingPoint Threat Management Center (TMC), https://tmc.tippingpoint.com.
The TMC does not support IPv6. An SMS operating in IPv6-only mode will not be able to contact the TMC, unless the SMS IP address is NAT-ed or uses a proxy that has NAT configured.
Virtual Ports
When a TippingPoint device is added to the SMS, any unused virtual ports (those that are not in a virtual segment in a profile) will be deleted by the SMS. In order to keep any such virtual ports, put them into a virtual segment as SMS valid combinations before adding the TippingPoint device.
Virtual Segments
The SMS does not add a TippingPoint device if the device has virtual segments that are invalid for the SMS. Invalid virtual segments include cases where all VLAN IDs do not match each other on both the incoming and outgoing zones or where the same port is used for both incoming and outgoing zones. You can identify these segments on the IPS device by examining the IPS System Log for a message similar to "Suspicious in/out combination: no traffic will ever match name1-name2. Please examine your virtual ports and profiles configuration." The following example would cause the SMS to not add a TippingPoint device:
Port 1 VLAN ID 10,20,30-Port 2 VLAN ID 20,30,40
Port 1 VLAN ID 88-Port 2 VLAN ID 99
Port 1 VLAN ID 1000-Port 1 VLAN ID 1000
If this occurs, remove the profile or correct the virtual segment on the TippingPoint device before you attempt to re-add the device to the SMS.
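A pre-check for the two invalid cases described above, as an added example that is not part of the original release notes or of any TippingPoint tool. It assumes segment definitions written in the notation of the sample lines (comma-separated VLAN IDs, no ranges); the function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Input notation assumed from the release note's sample lines:
#   "Port <n> VLAN ID <id,id,...>-Port <m> VLAN ID <id,id,...>"
# The dash separates the incoming side from the outgoing side, so VLAN
# ranges such as "10-20" are deliberately not accepted here.
SEGMENT_RE = re.compile(
    r"^\s*Port\s+(\d+)\s+VLAN\s+ID\s+([\d,\s]+?)\s*-\s*"
    r"Port\s+(\d+)\s+VLAN\s+ID\s+([\d,\s]+?)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class VirtualSegment:
    in_port: int
    in_vlans: frozenset
    out_port: int
    out_vlans: frozenset


def parse_vlans(text):
    """Turn '10, 20,30' into frozenset({10, 20, 30}); reject empty items."""
    parts = [part.strip() for part in text.split(",")]
    if any(not part.isdigit() for part in parts):
        raise ValueError(f"bad VLAN ID list: {text!r}")
    return frozenset(int(part) for part in parts)


def parse_segment(line):
    """Parse one segment line in the assumed notation."""
    match = SEGMENT_RE.match(line)
    if match is None:
        raise ValueError(f"unrecognised segment line: {line!r}")
    in_port, in_vlans, out_port, out_vlans = match.groups()
    return VirtualSegment(int(in_port), parse_vlans(in_vlans),
                          int(out_port), parse_vlans(out_vlans))


def check_segment(seg):
    """Return which of the two invalid cases named in the note apply."""
    problems = []
    if seg.in_port == seg.out_port:
        problems.append(
            f"same port ({seg.in_port}) used for incoming and outgoing zones")
    # The note's first sample shares VLANs 20 and 30 and is still invalid,
    # so the sets must be identical, not merely overlapping.
    if seg.in_vlans != seg.out_vlans:
        only_in = sorted(seg.in_vlans - seg.out_vlans)
        only_out = sorted(seg.out_vlans - seg.in_vlans)
        problems.append(
            f"VLAN IDs do not match: only on incoming side {only_in}, "
            f"only on outgoing side {only_out}")
    return problems


def audit(lines):
    """Map each non-blank line to its problems (empty list means valid)."""
    report = {}
    for line in lines:
        line = line.strip()
        if line:
            report[line] = check_segment(parse_segment(line))
    return report


# The first three lines are the release note's own samples; the last line
# is constructed here as a valid segment for contrast.
SAMPLE = """\
Port 1 VLAN ID 10,20,30-Port 2 VLAN ID 20,30,40
Port 1 VLAN ID 88-Port 2 VLAN ID 99
Port 1 VLAN ID 1000-Port 1 VLAN ID 1000
Port 1 VLAN ID 10,20-Port 2 VLAN ID 20,10
"""

if __name__ == "__main__":
    for line, problems in audit(SAMPLE.splitlines()).items():
        print(f"{'INVALID' if problems else 'ok':8} {line}")
        for problem in problems:
            print(f"         - {problem}")
```

Running the check against an exported list of a device's virtual segments before adding the device shows which definitions to correct first.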