First Published: November 11, 2009 Last Updated: March 26, 2015
These release notes are for use with the Cisco Security Manager (Security Manager), Release 3.3.1.
Release 3.3.1 is now available. Registered SMARTnet users can obtain release 3.3.1 from the Cisco support website by going to http://www.cisco.com/go/csmanager and clicking Download Software in the Support box.
Note Do not use this version of Security Manager to manage ASA 8.3 devices. This version of Security Manager configures ASA 8.3 devices in downward-compatibility mode, meaning that the device configuration does not use the new features introduced in version 8.3. Because of the extensive changes introduced with version 8.3, it is not downwardly-compatible with older ASA releases. If you want to manage ASA 8.3 devices with Security Manager, you must upgrade to Security Manager 4.0 or later.
Note Use this document in conjunction with the documents identified in Product Documentation. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on Cisco.com supersedes any information contained in the context-sensitive help included with the product. For more information about specific changes, please see Where to Go Next.
This document contains release note information for the following:
Cisco Security Manager 3.3.1 (including Service Packs 1, 2, 3, and 4) —Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, and some services modules for Catalyst 6500 switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information on Cisco.com.) Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.
Auto Update Server 3.3.1 —The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.
Performance Monitor 3.3.1 —Performance Monitor is a browser-based tool that monitors and troubleshoots the health and performance of services that contribute to network security. It helps you to isolate, analyze, and troubleshoot events in your network as they occur, so that you can increase service availability. Supported service types are remote-access VPN, site-to-site VPN, firewall, Web server load-balancing, and proxied SSL.
Note Before using Cisco Security Manager 3.3.1, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes section, the “Upgrade Notes” section, and the Installation Guide for Cisco Security Manager 3.3.1 before installing or upgrading to Cisco Security Manager 3.3.1.
This document lists the ID numbers and headlines for issues that may affect your operation of the product. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
Supported Component Versions and Related Software
The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 3.3.1.
Note For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on Cisco.com.
Table 1 Supported Versions for Components and Related Applications

Component or related application                                    Supported version
Cisco Security Manager                                              3.3.1
Auto Update Server                                                  3.3.1
CiscoWorks Common Services                                          3.2
Resource Manager Essentials (RME)
Cisco Security Agent
Cisco Security Monitoring, Analysis and Response System (CS-MARS)
Cisco Secure Access Control Server (ACS) for Windows                4.1(3, 4), 4.2(0)
Note Cisco Secure ACS Solution Engine 4.1(4) is also supported.
Cisco Configuration Engine                                          3.0
Cisco Security Manager 3.3.1 Service Packs 1, 2, 3, and 4
Security Manager 3.3.1 Service Packs 1, 2, 3, and 4 provide fixes for various problems. The service packs are cumulative, so applying a service pack will include all updates from earlier services packs. For more information about the problems fixed in each service pack, see the following:
Security Manager 3.3.1 Service Packs 2, 3, and 4 also add support for changes to the mechanism used for downloading sensor and signature updates from Cisco.com.
As part of Cisco Security Manager 3.3.1 Service Pack 1, 2, 3, or 4 installation, Apache will be upgraded from version 1.3.41 to 2.2.10.
Warning There are several CiscoWorks Common Services 3.2 patches available that address problems with Apache 1.3.41. These patches are NOT compatible with Security Manager 3.3.1 with Service Pack 1, 2, 3, or 4 installed.
Note Several patches for CiscoWorks Common Services 3.2 are currently available. We recommend that you install these updates on the Security Manager server after applying Security Manager 3.3.1 Service Pack 1, Service Pack 2, Service Pack 3, or Service Pack 4. To download the CiscoWorks Common Services 3.2 patches:
2. Click Download Software > CiscoWorks Common Services Software 3.2 > Windows > 3.2.0.
3. Download and install the following patches:
Warning Do not install cwcs32-win-CSCtd01597-K9.zip and cwcs32-win-CSCtb70407-K9.zip, as these patches are for Apache 1.3.41 and are not compatible with Security Manager 3.3.1 with Service Pack 1, Service Pack 2, Service Pack 3, or Service Pack 4 installed.
Cisco Security Manager 3.3.1
In addition to resolved caveats, this release includes the following new features and enhancements:
There is a new administrative setting for deploying ACLs generated from firewall access rules. You can elect to share ACLs. If you assign the same ACL to multiple interfaces, Security Manager can now create a single ACL and share it among the interfaces, rather than create a duplicate ACL for each interface. Sharing can occur only if you do not specify ACL names or require that Security Manager preserve existing names; your naming requirements are a higher priority than ACL sharing. The new property is on the Tools > Security Manager Administration > Deployment page.
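The following is an added example, not output generated by Security Manager, showing the device-side effect on an ASA when the same rule set is assigned to two interfaces with and without ACL sharing. The interface names, the addresses and the ACL name CSM_FW_ACL_shared_1 are constructed for illustration and do not reflect Security Manager's actual naming scheme.

```text
! Sharing disabled (or ACL names specified): one ACL copy per interface
access-list inside_access_in extended permit tcp any host 192.0.2.10 eq 443
access-list inside_access_in extended deny ip any any log
access-list dmz_access_in extended permit tcp any host 192.0.2.10 eq 443
access-list dmz_access_in extended deny ip any any log
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz

! Sharing enabled, no user-specified names: one ACL, bound to both interfaces
access-list CSM_FW_ACL_shared_1 extended permit tcp any host 192.0.2.10 eq 443
access-list CSM_FW_ACL_shared_1 extended deny ip any any log
access-group CSM_FW_ACL_shared_1 in interface inside
access-group CSM_FW_ACL_shared_1 in interface dmz
```

With sharing enabled a change to the rule set is applied once and takes effect on every interface the ACL is bound to, so review the deployment preview before pushing a change that was intended for a single interface. The ASA accepts the same access list in an access-group statement on several interfaces; what changes is only how many copies of the entries the device has to store and evaluate.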
The following new integrated services router series are supported: 19xx, 29xx, 39xx. You can configure these devices in Security Manager and monitor them using Performance Monitor.
The following new integrated services routers are supported: 866, 886SRST, 887M, 887Vdsl2.
The Cisco IAD880 Series Integrated Access Devices are supported.
If you use AUS to deploy configurations, Security Manager now includes the HTTP user name and password as well as the enable password when adding the device to AUS. This allows you to perform immediate auto updates (Update Now) actions on these devices when you are using local or TACACS+ authentication on your devices.
If you use ACS to control access to Security Manager, users are now notified if authorization fails because all ACS servers are unavailable. An e-mail message is also sent to the Security Manager server administrator indicating that all ACS servers are unavailable and that users cannot log into the Security Manager server.
Cisco IPS 7.0.2 is supported.
The User Accounts page and related interface elements give you the capability of user management for IPS devices. Specifically, you can discover local users from the IPS device, create users, modify user credentials or privileges, delete user accounts, and perform other user management tasks.
TCP State Bypass is now available on FWSM 3.2+ and ASA 8.2+ devices. For traffic you select, TCP packets that match an existing connection are forwarded in the fast path without every aspect of the security policy being rechecked. This improves throughput but also removes the stateful TCP checks for that traffic, so enable it only for the specific flows (typically asymmetrically routed ones) that require it rather than for all traffic.
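As an added example, not a configuration produced by Security Manager, this is the ASA 8.2 CLI that a narrowly scoped TCP State Bypass policy corresponds to. The ACL, class-map and policy-map names and the two subnets are constructed for illustration.

```text
! Bypass only the one asymmetrically routed flow; all other traffic stays stateful
access-list tcp_bypass_acl extended permit tcp 10.10.1.0 255.255.255.0 10.20.1.0 255.255.255.0
class-map tcp_bypass_class
 match access-list tcp_bypass_acl
policy-map inside_policy
 class tcp_bypass_class
  set connection advanced-options tcp-state-bypass
service-policy inside_policy interface inside
```

The match ACL is the security control here: bypassed traffic is not subject to TCP state checks, so keep the ACL to explicit source and destination pairs and never match any-to-any. Bind the policy to the interface that actually carries the asymmetric flow instead of applying it globally.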
Multiple IP addresses now can be specified in static route destinations, and in IGMP multicast group networks.
You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager for this release of the product explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.
Before you can successfully upgrade to Security Manager 3.3.1 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager for this release contains complete instructions on the steps required for preparing the database for upgrade.
Be aware of the following important points before you upgrade:
If you upgrade from a release earlier than 3.3 to Security Manager 3.3 or higher, and you use Cisco Configuration Engine, you must upgrade Configuration Engine to 3.0 at the same time. Security Manager 3.3 and higher does not work with older versions of Configuration Engine.
If you install RME on the same server as Security Manager 3.3.1, do not apply the MDF.zip file available with the RME IDU patch. Applying this file will damage the device support files in Security Manager, and you will need to contact Cisco Technical Support to correct the problem. If you install RME on a server separate from Cisco Security Manager, this restriction does not apply.
Service Pack 4 Download and Installation Instructions
Service pack 4 is a cumulative update that also includes the updates that were found in service packs 1, 2, and 3. You can apply Cisco Security Manager 3.3.1 Service Pack 4 to a Cisco Security Manager 3.3.1 installation whether that installation has an earlier service pack installed or not.
Step 2 Enter your user name and password to log in to Cisco.com.
Step 3 Click Security Manager (CSM) Software, expand the 3.3 folder under All Releases, and then click 3.3.1sp4.
Step 4 Download the file fcs-csm-331-sp4-win-k9.exe.
Step 5 To install the service pack, close all open applications, including the Cisco Security Manager Client.
Step 6 Manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
Step 7 Run the fcs-csm-331-sp4-win-k9.exe file that you previously downloaded.
Step 8 In the Install Cisco Security Manager 3.3.1 Service Pack 4 dialog box, click Next and then click Install in the next screen.
Note If you have not already installed Security Manager 3.3.1 Service Pack 1, 2, or 3, Apache will be upgraded from version 1.3.41 to 2.2.10 as part of the Service Pack 4 installation.
Warning There are several CiscoWorks Common Services 3.2 patches available that address problems with Apache 1.3.41. These patches are NOT compatible with Security Manager 3.3.1 with Service Pack 1, Service Pack 2, Service Pack 3, or Service Pack 4 installed.
Step 9 After the updated files have been installed, click Finish to complete the installation.
Step 10 If you have not already installed Service Pack 3, and you are using Cisco Security Manager 3.3.1 in a high availability (HA) or disaster recovery (DR) configuration with clustering, copy the perl script from <NMSROOT>\MDC\athena\ha\agent\online.pl to <VCS_HOME>\bin\CSManager\online.pl after installing Service Pack 4.
Step 11 On each client machine that is used to connect to the Security Manager server, you must perform the following steps to apply the service pack before you can connect to the server using that client:
a. Manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
b. Launch the Security Manager client.
You will be prompted to “Download Service Pack”.
c. Download the service pack and then launch the downloaded file to apply the service pack.
Step 12 (Optional) Go to the client installation directory and clear the cache, for example, <Client Install Directory>/cache.
The following notes apply to the Security Manager 3.3.1 release:
You can use IPv4 addresses only in Security Manager. Although some of the device software Security Manager supports allows you to use IPv6 addresses on commands, Security Manager does not support IPv6 addresses directly. If you want to configure IPv6 features using Security Manager, you can use FlexConfig policies.
If a device uses commands that earlier versions of Security Manager did not support, those commands are not populated into Security Manager automatically when you upgrade to this version. Because they are not part of the policies Security Manager manages for the device, the next deployment removes them from the device. Set the correct values for the newly supported attributes in Security Manager before you deploy, so that the deployment provisions these commands correctly. Alternatively, rediscover the platform settings from the device; in that case you must first save, and afterward restore, any shared Security Manager policies that are assigned to the device.
A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x appliances, Catalyst and ASA service modules, and router network modules.
Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.
Do not run SQL queries against the database.
If an online help page displays blank in your browser view, refresh the browser.
With the release of the S227 signature update on May 12, 2006, the minimum required version for 5.x signature updates was incremented from IPS version 5.0(5) to 5.0(6). Signature update installations on sensors running IPS 5.x software versions earlier than the minimum required version will fail until the sensor is upgraded to the supported level. Note that the minimum required version for 5.x signature updates is generally set to the latest available service pack within 30 to 45 days of that service pack’s release.
If you did not set Category CLI commands on your IOS IPS device to select a subset of IPS signatures that the device will attempt to compile, Security Manager will push CLI commands to enable the IOS IPS Basic category to prevent the device resources from being overloaded. These CLI commands are not managed by Security Manager after they are deployed. You can change these manually on the device to select another set of signatures to compile.
This section describes the open and resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco’s Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
Note In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the example provided, the known problem could be listed in either the “Device Management, Discovery, and Deployment Caveats” table or the “ASA and PIX Firewall Devices Caveats” table.
CSCtg60036 CSM: EDS & dependent processes not coming up in HA/DR failover scenario.
Note If you are using Cisco Security Manager in an HA/DR configuration with clustering, as part of the fix for CSCtg60036, you must copy the perl script from <NMSROOT>\MDC\athena\ha\agent\online.pl to <VCS_HOME>\bin\CSManager\online.pl after installing Cisco Security Manager 3.3.1 Service Pack 3.
Your Security Manager license grants you the right to install certain other applications—including specific releases of RME and Performance Monitor—that are not installed when you install Security Manager. You can install these applications at any time. See the Introduction to Component Applications section in Chapter 1 of Installation Guide for Cisco Security Manager 3.3.1.
For the complete list of documents supporting this release, see the release-specific document roadmap:
Guide to User Documentation for Cisco Security Manager
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.