Release Note for the Cisco Anomaly Guard Module (Software Version 6.1.x)


October 30, 2009


Note: The most current Cisco documentation for released products is available on Cisco.com.


Contents

This release note applies to software versions 6.1(2), 6.1(5), and 6.1(6) for the Cisco Anomaly Guard Module (Guard module). The Cisco Catalyst 6500 series switch and the 7600 series router support the Guard module. You must have the following to support the Guard module:

The Catalyst 6500 series switch requires one of the following:

IOS 12.2(18)SXD3 or later and a SUP720 or a SUP2 with an MSFC2

IOS 12.2(33)SXH1 or later and a Sup720-10GE

The 7600 series router requires one of the following:

IOS 12.2(18)SXE or later and a SUP720

IOS 12.2(33)SRC or later and RSP720

This release note contains the following sections:

New Features in Software Version 6.1(2)

Upgrading to Software Version 6.1(x) from a Software Version Prior to 5.1(4)

Upgrading Module Bandwidth from 1 Gbps to 3 Gbps

Ordering and Installing a Software License Key for Software Version 6.1(x)

Maximum Number of Modules Supported in a Switch or Router

Operating Considerations

MultiDevice Manager Commands Omitted from the Configuration Guide

Software Version 6.1(6) Resolved and Open Caveats

Software Version 6.1(5) Resolved and Open Caveats

Software Version 6.1(2) Resolved and Open Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request

New Features in Software Version 6.1(2)

The following new features are available in software version 6.1(2):

New policies for persistent low rate attacker

Traffic IP summarization

SIP protection in a NAT/PAT environment

Report on AS proxy address utilization

Disable VLANs if physical interface is down

Add zone name to capture file name

Configurable log capacity

Implicit Write Memory for router mode

Restrict user access to management interface only (for the non-XG Guard software version)

Interfaces display order

Monitoring system resources from the Web-Based Manager (WBM)

Enhanced AAA support in WBM

Upgrading to Software Version 6.1(x) from a Software Version Prior to 5.1(4)

During the upgrade process, the Guard module changes two parameters that may affect your configuration. The following information describes the two parameters:

In software versions prior to 6.0(5), the Guard module supported loopback interfaces. In software version 6.0(5) or later, the Guard module no longer supports loopback interfaces and deletes all loopback interface configurations during the upgrade process.

In software version 4.x, the Guard module allowed you to configure illegal subnet masks. In software version 5.1(4), the Guard module checks to ensure that subnet masks are legal. When you upgrade from a software version prior to 5.1(4) to 6.1(x), the Guard module corrupts all zone configurations that contain an illegal subnet mask. To prevent the module from corrupting a zone configuration that contains an illegal subnet mask, configure the zone configuration with a legal subnet mask by performing the following steps before upgrading the software:

1. Use the no ip address command to delete the subnet mask.

2. Use the ip address command to configure the subnet mask with a legal subnet.

For details on configuring zone IP addresses, see the "Configuring the Zone IP address Range" section in the Cisco Anomaly Guard Module Configuration Guide. Software upgrade instructions are located in the "Upgrading the Guard Module Software" section in the Cisco Anomaly Guard Module Configuration Guide.
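A pre-upgrade audit of zone address entries, as an added example that is not part of the Cisco release note or the Guard software. It assumes that an "illegal" subnet mask means a mask whose 1-bits are not contiguous or an address with host bits set under its mask (the release note does not define the term), and that the exported configuration uses the constructed "zone" / "ip address" layout shown in the sample.

```python
import ipaddress
import re

# Constructed sample of an exported configuration. The "zone <name>" and
# "ip address <addr> [<mask>]" layout is assumed for illustration only.
SAMPLE_CONFIG = """\
zone web-farm
 ip address 192.168.10.0 255.255.255.0
 ip address 192.168.20.0 255.255.0.255
zone dns
 ip address 10.1.1.5 255.255.255.255
 ip address 10.2.0.0 255.255.254.0
 ip address 10.3.3.0 255.255.253.0
zone mail
 ip address 172.16.5.77 255.255.255.0
"""

ZONE_RE = re.compile(r"^zone\s+(\S+)")
ADDR_RE = re.compile(r"^\s*ip address\s+(\S+)(?:\s+(\S+))?\s*$")


def mask_prefix_len(mask):
    """Return the prefix length of a dotted mask, or None if its 1-bits are not contiguous."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    # The inverse of a contiguous mask is 2**k - 1, so it shares no bits with itself + 1.
    if inverted & (inverted + 1):
        return None
    return 32 - inverted.bit_length()


def audit_zone_masks(config_text):
    """Return (zone, line_number, address, mask, reason) for every suspect entry.

    "Suspect" is this example's assumption of what the upgrade treats as illegal:
    a non-contiguous mask, or an address that is not the network address of its mask.
    """
    findings = []
    zone = None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        zone_match = ZONE_RE.match(line)
        if zone_match:
            zone = zone_match.group(1)
            continue
        addr_match = ADDR_RE.match(line)
        if not addr_match:
            continue
        addr_s = addr_match.group(1)
        # Assumption: an entry without a mask is a single host.
        mask_s = addr_match.group(2) or "255.255.255.255"
        try:
            addr = int(ipaddress.IPv4Address(addr_s))
            mask = int(ipaddress.IPv4Address(mask_s))
        except ipaddress.AddressValueError:
            findings.append((zone, lineno, addr_s, mask_s, "unparseable address or mask"))
            continue
        if mask_prefix_len(mask_s) is None:
            reason = "non-contiguous mask"
        elif addr & ~mask & 0xFFFFFFFF:
            reason = "address has host bits set under mask"
        else:
            continue
        findings.append((zone, lineno, addr_s, mask_s, reason))
    return findings


if __name__ == "__main__":
    for zone, lineno, addr, mask, reason in audit_zone_masks(SAMPLE_CONFIG):
        print(f"zone {zone}, line {lineno}: {addr} {mask}: {reason}")
```

Each reported entry is a candidate for the no ip address / ip address correction described in the steps above before the upgrade is started.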

Upgrading Module Bandwidth from 1 Gbps to 3 Gbps

If your Guard module currently operates with a maximum bandwidth of 1 Gbps, you can upgrade the bandwidth performance to 3 Gbps by installing the XG version of the software and corresponding software license key. The software license key activates the installed XG software. When you install the XG software, the Guard module is not operational until you install the corresponding software license and make the necessary configuration modifications that are required for the 3-Gbps operation. Those configuration changes include the following items:

Update existing port and interface configurations—Configure the new interfaces on the supervisor engine and on the Guard module with IP addresses and VLANs. For configuration information, see the "Updating Existing Port and Interface Configurations for 3-Gbps Operation" section in the Cisco Anomaly Guard Module Configuration Guide.

Configure proxies on the interfaces—Configure the new interfaces on the Guard module with proxies. For configuration information, see the "Configuring Proxies On the Interfaces for 3-Gbps Operation" section in the Cisco Anomaly Guard Module Configuration Guide.

Regenerate the SSL certificates—Generate new SSL certificates on the Guard module and any associated Detectors. For configuration information, see the "Regenerating the SSL Certificates for the 3-Gbps Operation" section in the Cisco Anomaly Guard Module Configuration Guide.

Installing the XG software and license does not affect the following Guard module functions:

Zone configurations—Existing zone configuration information.

Management access—During the upgrade process, configuration parameters configured on eth1 (the management port designator) for the 1-Gbps operation are automatically assigned to giga1 for the 3-Gbps operation. This configuration change does not affect management access.

For complete information on ordering and installing the XG license key, see the "Performing Maintenance Tasks" chapter in the Cisco Anomaly Guard Module Configuration Guide.

Ordering and Installing a Software License Key for Software Version 6.1(x)

When you order software version 6.1(x) as a spare and install it in an existing Guard module, you must enter a software license key to activate the software. This section contains the following topics that describe how to order and install a software license key:

Ordering a 6.1(x) Software License Key

Installing the XG Software License Key

Ordering a 6.1(x) Software License Key

The software license key that is required to activate the XG software is associated with the Media Access Control (MAC) address of the Guard module where the XG software resides. This section describes the process that you use to order the XG software license key.

You must have the XG version of the 6.1(x) operating software loaded on your Guard module before ordering and installing the corresponding license. To verify the version of software currently loaded on your Guard module, use the show version command. When the XG software is loaded, the software version number has an -XG suffix (for example, version 6.1-XG).

To order the 3-Gbps license, perform the following steps:


Step 1 From the Guard module, enter the show license-key unique-identifier command (this command requires the admin privilege level) to view the Guard module MAC address.

Step 2 Record the MAC address information because you will need this information when placing your order for the 3-Gbps operation license.

Step 3 Order the lic-agm-3g-k9 license using any of the available Cisco ordering tools on Cisco.com.

When you receive the Software License Claim Certificate from Cisco, complete the instructions that direct you to the following Cisco.com website: http://www.cisco.com/go/license. Then complete the installation procedure as described in the "Installing the XG Software License Key" section.


Installing the XG Software License Key

To install the 3-Gbps license, perform the following steps:


Step 1 When you receive the Software License Claim Certificate from Cisco, follow the instructions that direct you to the following Cisco.com website: http://www.cisco.com/go/license

Step 2 Enter the Product Authorization Key (PAK) number found on the Software License Claim Certificate as your proof of purchase.

Step 3 Provide all the requested information to generate a license key.

After the system generates the license key, you will receive a license key e-mail with an attached license file and installation instructions. Save the license key e-mail in a safe place in case you need it in the future.

Step 4 Open the license key file using a text editor and copy its contents into your desktop computer's clipboard.

Step 5 From the Guard module, enter the license-key add command in configuration mode. The CLI prompts you to enter the key lines.

Step 6 Paste the contents of your desktop computer's clipboard (containing the license key) and press the Enter key.

Step 7 Enter an empty line and press Enter. If the Guard module contains a previously installed license, a confirmation message displays that asks if you want to install the new license.

Step 8 Type y (yes). The XG software is now active and ready for 3-Gbps operation.

Step 9 (Optional) Enter the show license-key command to verify that the key loaded properly and is valid.


Maximum Number of Modules Supported in a Switch or Router

A switch or router 9-slot chassis supports a combined maximum of eight Anomaly Guard modules and Traffic Anomaly Detector modules. You can install a maximum of eight Guard modules or a maximum of four Detector modules in a single chassis in any combination for a total of eight modules.

A switch or router 13-slot chassis supports a combined maximum of 10 Anomaly Guard modules and Traffic Anomaly Detector modules. You can install a maximum of eight Guard modules or a maximum of four Detector modules in a single chassis in any combination for a total of 10 modules.

Operating Considerations

The following operating considerations apply to the Guard module:

The copy ftp command supports active mode only.

The Guard module operates using a self-protection configuration to protect itself from DDoS attacks on the network. Cisco configures the self-protection configuration with a set of default parameter values, which you can modify.

When upgrading the Guard module to software version 6.1(x) from a version previous to 5.1(5), the existing self-protection configuration is overwritten by the new configuration contained in the upgrade. If you had modified the self-protection configuration of the previously installed software, you need to make the same modifications to the new self-protection configuration. Do not copy your original self-protection configuration to the Guard module because the original configuration will block access to one or both of the following ports when attempting to access the module through an inline interface:

Ports 3220 and 1334 if you upgrade from a version prior to 5.1(5). Port 3220 was added to software version 5.0(x) and 5.1(x). Port 1334 was added to software version 5.1(5).

If you upgrade from software version 5.1(5) or later after modifying the self-protection configuration, your changes to the configuration remain intact. Upgrading from software version 5.1(5) to software version 5.1(x) or later will also leave your modified self-protection configuration intact.

The Guard module must be running software version 6.1(x) to operate with the Cisco MultiDevice Manager software version 1.5(1).

Downgrading software versions is not supported.

MultiDevice Manager Commands Omitted from the Configuration Guide

Three commands related to the Cisco DDoS MultiDevice Manager (MDM) software functionality on the Guard module were introduced in software version 5.1(5), but were omitted from the Cisco Anomaly Guard Module Configuration Guide. The following sections describe these commands:

mdm logging trap Command

mdm restore Command

show mdm Command

mdm logging trap Command

To configure traps for MDM logging, use the mdm logging trap command in global configuration mode. To disable logging functions, use the no form of this command.

The syntax for this command is as follows:

mdm logging trap {alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}

The following table describes the keywords for the mdm logging trap command:

Keyword          Description
alerts           Immediate action needed (severity=1).
critical         Critical conditions (severity=2).
debugging        Debugging messages (severity=7).
emergencies      System is unusable (severity=0). This is the default.
errors           Error conditions (severity=3).
informational    Informational messages (severity=6).
notifications    Normal but significant conditions (severity=5).
warnings         Warning conditions (severity=4).


For example, to capture and log informational messages, use the mdm logging trap informational command in global configuration mode as follows:

user@GUARD# configure
user@GUARD-conf# mdm logging trap informational

mdm restore Command

When you enable the MDM service on the Guard module to allow you to manage the device using the MDM, the MDM upgrades the Remote Agent (RA) on the device when it initiates a communication link with the device. While the MDM is upgrading the device RA, the operating state displays on the MDM as Initializing. The state changes to Connected when the RA upgrade is complete.

When a device appears to be constantly in a state of initialization, it may indicate that the MDM is attempting to upgrade the device RA but cannot do so.

Use the mdm restore command to resolve issues with upgrading and connecting the device RA. To return the device Remote Agent (RA) to the stub and force the MDM to reinstall the latest RA version, use the mdm restore command in global configuration mode.

The syntax for this command is as follows:

mdm restore

For example:

user@GUARD# configure
user@GUARD-conf# mdm restore

show mdm Command

To check the status of MDM connections and settings, use the show mdm command in EXEC mode.

The syntax for this command is as follows:

show mdm

For example:

user@GUARD# show mdm

The following table describes the fields in the show mdm display:

Field                 Description
MDM service state     Operating state of the MDM service: enabled or disabled.
MDM servers           List of MDM servers that you define on the device (permitting them to access the device) and the state of the key exchange process with each of the servers: key exchange is complete or key exchange is required.
Connected managers    MDM server currently connected to and managing the device.
MDM syslog level      Setting of the syslog server logging level: alerts, critical, debugging, emergencies, errors, informational, notifications, warnings.


Software Version 6.1(6) Resolved and Open Caveats

The following sections contain the resolved and open caveats in software version 6.1(6):

Software Version 6.1(6) Resolved Caveats

Software Version 6.1(6) Open Caveats

Software Version 6.1(6) Resolved Caveats

The following caveats were resolved in software version 6.1(6) for the 1G and 3G Guard modules except where noted.

CSCsx07192—When a command times out during execution, the CLI may not synchronize correctly and displays the error message "can't write to socket"; however, the command operation does succeed. This condition may occur while the following commands are executing: protect learning, learning accept, and no learning accept. Workaround: Exit the CLI and log in again.

CSCsx69115—When the Web-Based Manager (WBM) is used heavily for extended periods of time, it experiences memory issues that can result in failures with some of the GUI windows. Workaround: Monitor the Guard module memory usage (Diagnostics > Device Resources) every 10 minutes during heavy use of WBM. If memory usage exceeds its allowable limit, WBM restarts (no user intervention is required) and the Guard module creates a log indicating that the WBM service was restarted due to a lack of memory.

CSCsz32590—When you insert a long flex-content filter that contains a large number of ".*" strings, the filter fails and the Guard issues the following error message:

Internal system error during Flex-Content filter configuration. Error adding
flex-content-filter

This error condition causes a memory corruption error and may cause a general accelerator card failure. Workaround: Insert a shorter flex-content filter. When this error condition occurs, reload the device manually.

Software Version 6.1(6) Open Caveats

The list of open caveats for software version 6.1(6) is the same as the open caveat list for software version 6.1(5). See the "Software Version 6.1(5) Open Caveats" section.

Software Version 6.1(5) Resolved and Open Caveats

The following sections contain the resolved and open caveats in software version 6.1(5):

Software Version 6.1(5) Resolved Caveats

Software Version 6.1(5) Open Caveats

Software Version 6.1(5) Resolved Caveats

The following caveats were resolved in software version 6.1(5) for the 1G and 3G Guard modules except where noted.

CSCso30607—This caveat applies to the WBM. The following sequence of events causes the Guard module to incorrectly measure the traffic rate of a policy and produce dynamic filters even though the traffic rate does not exceed the policy threshold and there is no attack on the zone:

a. You modify a specific policy using the WBM Config Policy screen.

b. You activate zone protection.

c. The device detects traffic packets associated with the modified policy.

CSCsq63421—CM subsystem failure and reload of the guard.

CSCsu33377 and CSCso41927—Disk becomes full, different show commands stop working, and logs are not written.

CSCsu33387—When the Guard module processes malformed DNS replies, the watchdog reloads the module due to an accelerator card failure.

CSCsu49999 and CSCsu49963—These caveats only apply to the 3G Guard module. Packet dump is sampling traffic from only one of three ports.

Software Version 6.1(5) Open Caveats

The following caveats are open in software version 6.1(5):

CSCrh01198—After you reload the Guard module, it erases the default gateway if the gateway is on the same subnet as one of the configured VLAN interfaces on the module. Workaround: Use a static route instead of a default gateway.

CSCsa64914—The name of the Flexible Filter Drop Count counter in the WBM Zone > Configuration > General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the Flex-Content filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as Drop, the Flexible Filter Count value displays the number of dropped packets. When the value is Count, the Flexible Filter Count value displays the number of counted packets.

Workaround: None.

CSCsa78440—The protect-by-packet activation interface does not apply to zones that are on the same subnet as the Guard module. Workaround: Use another activation interface.

CSCsb07081—The flex-content filter cannot find a pattern in SYN packets. Workaround: None.

CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop-up window waits for results from the signature generation process. Even if you close the pop-up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop-up window receives a result or issue the no service wbm CLI command in configuration mode.

CSCsb29083—You cannot assign an identical name to manual packet dumps that you create in different zones. Workaround: Assign unique names to manual packet dumps.

CSCsc05116—The Guard module may stop functioning or start logging errors after reaching 100% anomaly detection engine memory utilization. Workaround: Use the show resources command in global mode to view the amount of anomaly detection engine memory being used by the Guard module. Reducing the number of active zones may free up memory.

CSCsc36095—Loopback interfaces 100 and higher disappear or become proxy interfaces when you upgrade from previous software versions to software version 6.0(x). Workaround: Renumber loopback interfaces before upgrading the Guard module to software version 6.0(x).

CSCsc51207—The Guard module does not evaluate all conditions defined in the flex-content filter when the filter is built from more than one offset-based element (for example, udp[64:4]=0x1234) with "or" between them. If one of the elements has an offset beyond the packet end, the Guard module does not evaluate the rest of the elements. Workaround: Build the filter in a form in which its elements are ordered by offset.

CSCsc69508—After you import an HTML file to serve as the login banner, some SSH clients may not be able to connect to the product. Workaround: None.

CSCsd83077—The Guard module responds to a larger size packet than the MTU value set for its network interfaces. Workaround: None.

CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the more 0 command. Workaround: None.

CSCse19834—Activating a zone with a combination of a large number of subnets and excluded subnets may take a few seconds to several minutes, depending on the number of subnets (excluded or included). Workaround: None.

CSCse27876—When you press Ctrl-C during an import of a new software version or configuration, you interrupt the import process and the CLI session may get disconnected. Workaround: Do not press Ctrl-C during the import process.

CSCse31042—A zone configuration that contains ip_scan or port_scan policies cannot be imported into the Guard module. Workaround: None.

CSCsf06487—This caveat applies to the 6.0-XG (3 Gbps) Guard module only. A zone that is directly connected to the Guard module does not receive traffic without an explicit injection configuration. Workaround: Create an injection configuration for the required zone.

CSCsg42338—The Guard module CPU usage may reach 100 percent. Workaround: Reboot the Guard module.

CSCsh36537—This caveat applies to the 6.1-XG (3 Gbps) Guard module only. The rate limit defined on a zone or a user filter is multiplied by three. Workaround: If the traffic is equally balanced between the Guard module ports, define the rate limit as 1/3 of the desired limit. If not, there is no workaround.

CSCuk54606—When you activate a zone by issuing the protect or the learning commands, the Guard module displays the following error message even when the configuration is correct and traffic diversion is working properly:

no injection path

The Guard module may display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address (for example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25). Workaround: Configure a default injection route for the Guard module, or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses as 192.168.254.0/25 and 192.168.254.128/25.

Software Version 6.1(2) Resolved and Open Caveats

The following sections contain the resolved and open caveats in software version 6.1(2):

Software Version 6.1(2) Resolved Caveats

Software Version 6.1(2) Open Caveats

Software Version 6.1(2) Resolved Caveats

The following caveats were resolved in software version 6.1(2):

CSCsg76448—Multiple vulnerabilities exist in the OpenSSL library. The vulnerabilities described in the Cisco Security Response are present in Guard and Detector sensor software, in versions 5.0(3) and later. See the Cisco Security Response at http://www.cisco.com/en/US/products/products_security_response09186a008077af1b.html

CSCsg94911—When a physical interface goes down, the virtual interfaces that use the physical interface are not brought down, which results in black-holing the traffic.

CSCsh92933—After you enter the tacacs authorization exec tacacs+ command, the show running-config command does not display the tacacs authorization exec tacacs command in the configuration output.

CSCsi18583—The Guard module drops the last TCP ACK on the outgoing traffic.

CSCsi21984—When you use the WBM to browse to a zone page, the response time is slow when the zone has been active for a long time and the zone logs have become extremely long.

CSCsi57942—After you upgrade the Guard module software to version 6.0-XG, SSH and WBM connectivity to the module may be lost.

CSCsi61341—The Guard module leaves the TCP timestamp option in the SYN ACK reply.

CSCsj27292—The Guard module does not count bypass filters correctly, which may cause the watchdog to reload the module.

CSCsk40023—The policy snapshot time that is shown in the WBM or Central Manager (CM) is incorrect after an upgrade from version 5.1.

CSCsk51827—The zone list in the WBM is empty when there are recommendations on at least one of the zones.

CSCsl07921—All reports may be removed during the log rotation procedure.

CSCsl49552—Zone activation fails when four active zones with automatic packet-dump capture are enabled.

Software Version 6.1(2) Open Caveats

The following caveats are open in software version 6.1(2):

CSCrh01198—After you reload the Guard module, it erases the default gateway if the gateway is on the same subnet as one of the configured VLAN interfaces on the module. Workaround: Use a static route instead of a default gateway.

CSCsa64914—The name of the Flexible Filter Drop Count counter in the WBM Zone > Configuration > General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the Flex-Content filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as Drop, the Flexible Filter Count value displays the number of dropped packets. When the value is displayed as Count, the Flexible Filter Count value displays the number of counted packets.

Workaround: None.

CSCsa78440—The protect-by-packet activation interface does not apply to zones that are on the same subnet as the Guard module. Workaround: Use another activation interface.

CSCsb07081—The flex-content filter cannot find a pattern in SYN packets. Workaround: None.

CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop-up window waits for results from the signature generation process. Even if you close the pop-up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop-up window receives a result or issue the no service wbm CLI command in configuration mode.

CSCsb29083—You cannot assign an identical name to manual packet dumps that you create in different zones. Workaround: Assign unique names to manual packet dumps.

CSCsc05116—The Guard module may stop functioning or start logging errors after reaching 100% anomaly detection engine memory utilization. Workaround: Use the show resources command in global mode to view the amount of anomaly detection engine memory being used by the Guard module. Reducing the number of active zones may free up memory.

CSCsc36095—Loopback interfaces 100 and higher disappear or become proxy interfaces when you upgrade from previous software versions to software version 6.0(x). Workaround: Renumber loopback interfaces before upgrading the Guard module to software version 6.0(x).

CSCsc51207—The Guard module does not evaluate all conditions defined in the flex-content filter when the filter is built from more than one offset-based element (for example, udp[64:4]=0x1234) with "or" between them. If one of the elements has an offset beyond the packet end, the Guard module does not evaluate the rest of the elements. Workaround: Build the filter in a form in which its elements are ordered by offset.

CSCsc69508—After you import an HTML file to serve as the login banner, some SSH clients may not be able to connect to the product. Workaround: None.

CSCsd83077—The Guard module responds to a larger size packet than the MTU value set for its network interfaces. Workaround: None.

CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the more 0 command. Workaround: None.

CSCse19834—Activating a zone with a combination of a large number of subnets and excluded subnets may take a few seconds to several minutes, depending on the number of subnets (excluded or included). Workaround: None.

CSCse27876—When you press Ctrl-C during an import of a new software version or configuration, you interrupt the import process and the CLI session may get disconnected. Workaround: Do not press Ctrl-C during the import process.

CSCse31042—A zone configuration that contains ip_scan or port_scan policies cannot be imported into the Guard module. Workaround: None.

CSCsf06487—This caveat applies to the 6.0-XG (3 Gbps) Guard module only. A zone that is directly connected to the Guard module does not receive traffic without an explicit injection configuration. Workaround: Create an injection configuration for the required zone.

CSCsg42338—The Guard module CPU usage may reach 100 percent. Workaround: Reboot the Guard module.

CSCsh36537—This caveat applies to the 6.1-XG (3 Gbps) Guard module only. The rate limit defined on a zone or a user filter is multiplied by three. Workaround: If the traffic is equally balanced between the Guard module ports, define the rate limit as 1/3 of the desired limit. If not, there is no workaround.

CSCso30607—This caveat applies to the WBM. The following sequence of events causes the Guard module to incorrectly measure the traffic rate of a policy and produce dynamic filters even though the traffic rate does not exceed the policy threshold and there is no attack on the zone:

a. You modify a specific policy using the WBM Config Policy screen.

b. You activate zone protection.

c. The device detects traffic packets associated with the modified policy.

Workaround: If you can apply the policy change to more than one policy, configure the policies using the WBM Config Policy Group screen, which you access by selecting multiple policies to configure. If you need to apply the change to one policy only, use the device CLI.

If the problem already exists, use one of the following methods to correct it:

Use the device CLI to export the zone configuration and then import it back under a different zone name (do not use the "copy-from" operation).

Use the WBM or device CLI to remove the service associated with the policy and then add it back to the zone configuration. For example, if the problem exists with the http/80/analisys/syns/src_ip policy, remove the http/80 service and then add it back to the zone configuration. After you add the service, you must allow the device to perform the threshold tuning phase of the learning process. This method does not work for services that are built in, such as the tcp_services/any and dns_udp/53 services, because these services cannot be removed.

CSCuk54606—When you activate a zone by issuing the protect or the learning commands, the Guard module displays the following error message even when the configuration is correct and traffic diversion is working properly:

no injection path

The Guard module may display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address (for example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25). Workaround: Configure a default injection route for the Guard module, or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses as 192.168.254.0/25 and 192.168.254.128/25.
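A planning check for the CSCuk54606 condition, which appears in both the 6.1(5) and 6.1(2) open caveat lists, as an added example that is not Cisco code. It assumes the zone prefixes and injection routes have already been collected as CIDR strings, and it reads the caveat as: no default injection route, two or more injection routes, and a zone prefix that has no identical route; the function and field names are hypothetical.

```python
import ipaddress


def check_injection_routes(zone_prefixes, injection_routes, has_default_route=False):
    """Flag zone prefixes likely to show the spurious "no injection path" message.

    Returns one dict per flagged zone prefix. "redeclare_zone_as" is filled only
    when the routes inside the prefix cover it exactly, which is the case where
    the release note's second workaround (make the zone addresses match the
    injection routes) can be applied without changing what the zone protects.
    """
    # First workaround from the caveat: a default injection route avoids the message.
    if has_default_route:
        return []

    zones = [ipaddress.IPv4Network(p) for p in zone_prefixes]
    routes = sorted({ipaddress.IPv4Network(r) for r in injection_routes})

    # The caveat describes definitions made of two or more injection routes.
    if len(routes) < 2:
        return []

    findings = []
    for zone in zones:
        if zone in routes:
            continue  # an identical route exists for this zone prefix
        inside = [r for r in routes if r.subnet_of(zone)]
        # collapse_addresses merges adjacent networks; if the result is exactly
        # the zone prefix, the routes tile it with no gaps.
        tiles_exactly = list(ipaddress.collapse_addresses(inside)) == [zone]
        findings.append({
            "zone_prefix": str(zone),
            "routes_inside": [str(r) for r in inside],
            "redeclare_zone_as": [str(r) for r in inside] if tiles_exactly else [],
        })
    return findings


if __name__ == "__main__":
    # Values taken from the caveat text.
    for finding in check_injection_routes(
        ["192.168.254.0/24"],
        ["192.168.254.0/25", "192.168.254.128/25"],
    ):
        print(finding)
```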

Related Documentation

The following documentation is available for the Cisco Anomaly Guard Module:

Cisco Anomaly Guard Module and Traffic Anomaly Detector Module Installation Note

Cisco Anomaly Guard Module Configuration Guide

Cisco Anomaly Guard Module Web-Based Manager Configuration Guide

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

© 2009 Cisco Systems, Inc. All rights reserved.