Cisco PIX 500 Security Appliance Release Notes Version 7.0(8)
This document includes the following sections:
Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.
The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network, with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation, and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability. This release introduces significant enhancements to all major functional areas, including: firewall and inspection services, VPN services, network integration, high-availability services, and management/monitoring.
For more information on all the new features, see New Features.
Additionally, the security appliance software supports ASDM. ASDM is a browser-based, Java applet used to configure and monitor the software on the security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device.
The sections that follow list the system requirements for operating a security appliance.
If you are using a PIX 515/515E running PIX Version 6.2/6.3, you need to upgrade the system memory before performing an upgrade to PIX Version 7.0. PIX Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. The following security appliance platforms require at least 64 MB of RAM. Table 1 lists flash memory requirements for Version 7.0.
Table 1 Flash Memory Requirements
Security Appliance Model Flash Memory Required in Version 7.0
For more information on minimum memory requirements, see the "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.
Version 7.0(8) requires the following:
1. The minimum software version required before performing an upgrade to PIX Version 7.0 is PIX Version 6.2. If you are running a PIX release prior to PIX Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can begin the upgrade to PIX Version 7.0.
To upgrade your PIX software image, go to the following website:
2. For information on specific licenses supported on each model of the security appliance, go to the following website:
3. If you are upgrading from a previous PIX version, save your configuration and write down your activation key and serial number. See the "Upgrading to a New Software Release" section for new installation requirements.
Maximum Recommended Configuration File Size
For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 7.0(8). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 7.0(8). If you are using ASDM, we recommend no more than a 500 KB configuration file because larger configuration files can interfere with the performance of ASDM on your workstation.
While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:
•While executing commands such as the write terminal and show running-config commands
•Failover (the configuration synchronization time)
•During a system reload
Cisco VPN Software Interoperability
Cisco VPN Client Interoperability
Cisco Easy VPN Remote Interoperability
Determining the Software Version
Use the show version command to verify the software version installed on your security appliance.
Upgrading to a New Software Release
If you have a Cisco.com (CDC) login, you can obtain software from the following website:
Version 7.0(8) includes several caveat resolutions and the following features:
The capture asp type asp-drop all command will capture all packets that the security appliance drops.
Enhancement—failover timeout Command
The failover timeout command no longer requires a failover license for use with the static nailed feature.
The fragment command was enhanced with the reassembly full keywords to enable full reassembly for fragments that are routed through the device. Fragments that terminate at the device are always fully reassembled.
Enhancement—show access-list Output
Expanded access list output is indented to make it easier to read.
Enhancement—show arp Output
In transparent firewall mode, you might need to know whether an ARP entry is statically configured or dynamically learned. ARP inspection drops ARP replies from a legitimate host if a dynamic ARP entry has already been learned. ARP inspection only works with static ARP entries. The show arp command shows each entry with its age if it is dynamic, or no age if it is static.
Enhancement—show asp drop Output
The show asp drop command output includes a timestamp indicating when the counters were last cleared (see the clear asp drop command). It also displays the drop reason keywords next to the description, so you can easily use the capture asp-drop command using the keyword.
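A short troubleshooting sequence that ties the clear asp drop, show asp drop and capture asp-drop commands above together. This is an added example, not a session from these release notes; the capture name "acldrops" and the placeholder <reason-keyword> are assumptions, and the keyword is whatever show asp drop prints beside the description you are interested in.

```cisco
! Reset the drop counters so the last-cleared timestamp in the next output is current
pix# clear asp drop

! 7.0(8) output shows when the counters were last cleared and the reason keyword beside each description
pix# show asp drop

! Command from these notes: capture every packet the accelerated security path drops
pix# capture asp type asp-drop all
pix# show capture asp
pix# no capture asp

! Assumed narrower capture: use a single reason keyword copied from the show asp drop output
pix# capture acldrops type asp-drop <reason-keyword>
pix# show capture acldrops
pix# no capture acldrops
```

Remove each capture when finished, because a capture of all drops on a busy appliance consumes memory while it runs.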
Enhancement—show asp table classify Command
An enhancement was made to the show asp table classify command to show only rules that have a hits value not equal to zero. The enhanced show asp table classify hits command enables a quick review of which rules are being hit, particularly since even a simple configuration may result in hundreds of entries in the show asp table classify output.
Enhancement—show asp table counters Command
This enhancement adds a timestamp to the show asp table counters output indicating when the counters were last cleared. It records when the clear command was executed and by whom, so the user knows how long the counters have been accumulating since they were last cleared.
Enhancement—show conn Command Syntax
The syntax was simplified to use source and destination concepts instead of "local" and "foreign." In the new syntax, the source address is the first address entered, and the destination is the second address. The old syntax used keywords such as foreign and port to determine the destination address and port.
Enhancement—show perfmon Command
This enhancement added the following rate outputs: TCP Intercept Connections Established, TCP Intercept Attempts, TCP Embryonic Connections Timeout, and Valid Connections Rate in TCP Intercept.
Enhancement—static Command Error Message
An error message is generated if an actual interface IP address is used instead of the interface keyword when configuring static PAT.
Ethertype ACL MAC Enhancement
EtherType ACLs have been enhanced to allow non-standard MACs. Existing default rules are retained, but no new ones need to be added.
Local Address Pool Edit
Address pools can be edited without affecting the desired connection. If an address in use is not being eliminated from the pool, the connection is not affected. However, if the address in use is being eliminated from the pool, the connection is brought down.
New—clear asp table Command
The clear asp table command has been added to clear the hits output displayed by the show asp table commands.
New—clear conn Command
The clear conn command lets you clear connections, including a specific connection between hosts on particular ports. The existing clear local-host command clears all connections between two IP addresses (on all ports), so the new clear conn command offers greater control.
New—memory tracking Commands
The following new commands are introduced in this release:
•memory tracking enable—This command enables the tracking of heap memory requests.
•no memory tracking enable—This command disables the tracking of heap memory requests, cleans up all currently gathered information, and returns all heap memory used by the tool itself to the system.
•clear memory tracking—This command clears all currently gathered information, but continues to track further memory requests.
•show memory tracking—This command shows currently allocated memory tracked by the tool, divided by the topmost caller function address.
•show memory tracking address—This command shows currently allocated memory divided by each individual piece of memory. The output lists the size, location, and topmost caller function of each currently allocated piece of memory tracked by the tool.
•show memory tracking dump—This command shows the size, location, partial callstack, and a memory dump of the given memory address.
•show memory tracking detail—This command shows various internal details to be used in gaining insight into the internal behavior of the tool.
In addition to updated syslogs for failover, SNMP, and IPSec, the following new syslogs were added: syslog for cleared TCP urgent flag, and syslog for aggressive mode aborted when spoofed.
This section lists important notes related to Version 7.0(8).
Common Criteria EAL4+
For information about common criteria EAL4+, see the Installation and Configuration for Common Criteria EAL4 Evaluated Cisco Adaptive Security Appliance, Version 7.0(6) document.
Maximum Security Contexts and VLANs Supported
The maximum number of security contexts supported in Version 7.0(8) for the PIX 535 is 50 tiers. The maximum number of VLANs supported is 150. For more information on the feature support for each platform license, see the "Platform Feature Licenses" section in the Cisco Security Appliance Command Line Configuration Guide.
IKE syslog messages for Delete-with-Reason do not include the reason text unless the clients support this feature. Currently, the VPN 3002 Version 4.7 and PIX 501 Version 6.3(4) hardware clients do not support this feature.
Note The PIX 501 security appliance is not supported in software Version 7.0.
User Upgrade Guide
Before upgrading to Version 7.0(8), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0. This guide also includes information about deprecated features and other changes in Cisco PIX Software Version 7.0. For a list of deprecated features and user upgrade information, go to the following URL:
Caution If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, because this configuration is not supported and Version 7.0(8) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.0(8) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration settings related to the regular traffic interface will be lost after the upgrade. The lost configuration settings may prevent you from connecting to the security appliance over the network.
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
The security appliance Outbound/Conduit Conversion tool assists in converting configurations that use the outbound or conduit commands to equivalent configurations using ACLs. ACL-based configurations provide uniformity and leverage the powerful ACL feature set. ACL-based configurations provide the following benefits:
•ACE insertion capability—System configuration and management is greatly simplified by the ACE insertion capability that allows users to add, delete, or modify individual ACEs.
•Outbound ACLs and Time-based ACLs—Gives administrators improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.
•Enabling/Disabling of ACL Entries—Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs, without the need to remove and replace ACL entries.
Features not Supported in Version 7.0
The following features are not supported in Version 7.0(8):
•L2TP over IPSec
For information on MIB Support, go to the following URL:
Downgrade to Previous Version
To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode.
For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
Caution Do not load a previous version of software if your PIX security appliance is running PIX Version 7.0 or later. Loading a software image from monitor mode on a PIX security appliance that has a PIX Version 7.0 file system results in unpredictable behavior and is not supported. We strongly recommend that you use the downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.
The following sections describe the caveats for Version 7.0(8).
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences, because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
To become a registered cisco.com user, go to the following website:
Open Caveats - Version 7.0(8)
Table 2 lists the open caveats for Version 7.0(8).
Resolved Caveats - Version 7.0(8)
Table 3 lists the resolved caveats for Version 7.0(8).
Use this document in conjunction with the security appliance and Cisco VPN client Version 3.x documentation at the following websites:
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0805R)
© 2008 Cisco Systems, Inc. All rights reserved.