Note Use this document in conjunction with the documents identified in Obtaining Documentation and Submitting a Service Request. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on Cisco.com supersedes any information contained in the context-sensitive help included with the product.
This document contains release note information for the following:
Cisco Security Manager 4.12—Cisco Security Manager enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, IPS sensors and modules, Catalyst 6500 and 7600 Series ASA Services Modules (ASA-SM), and several other services modules for Catalyst switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information on Cisco.com.) Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.
Auto Update Server 4.12—The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.
Note Before using Cisco Security Manager 4.12, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes, the Installation Notes, and the Installation Guide for Cisco Security Manager 4.12 before installing Cisco Security Manager 4.12.
Supported Component Versions and Related Software
The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 4.12.
Note For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on Cisco.com.
Table 1 Supported Versions for Components and Related Applications
Cisco Security Manager
Auto Update Server
CiscoWorks Common Services
Cisco Security Monitoring, Analysis and Response System (CS-MARS)
Cisco Secure Access Control Server (ACS) for Windows
Cisco Secure ACS Solution Engine 4.1(4) is also supported.
Cisco Secure ACS 5.x is supported for authentication.
You can use other versions of Cisco Secure ACS if you configure them as non-ACS TACACS+ servers. A non-ACS configuration does not provide the granular control possible when you configure the server in ACS mode.
Cisco Configuration Engine
Cisco Security Manager 4.12
In addition to resolved caveats, this release includes the following new features and enhancements:
Support for ASA 9.6(2) version
Remote Access VPN for ASA Multi-Context devices—A number of additional policies are now supported by Security Manager for multi-context ASA devices running software version 9.6(2) or later. For all the supported policies, see the Cisco Security Manager 4.12 User Guide. Also, beginning with Security Manager version 4.12, for ASA version 9.6(2) devices, remote access VPN on multi-context devices supports flash virtualization. Within a multi-context structure, each user context can have a private storage space and a shared storage space based on the total flash that is available.
Image Manager changes for Remote Access VPN for ASA Multi-Context devices—Beginning with version 4.12, the Image Manager application displays System context, Admin context and all the User contexts available in the multi-context firewall devices running the ASA software version 9.6(2) or later. You can select a User context and view the storage-url information of the selected context on the Storage tab.
Common Criteria Certification
– Reference Identifier—Beginning with version 4.12, Security Manager enables you to configure Reference Identity policy objects for Secure Syslog Server connections on devices running the ASA software version 9.6(2) or later. This object enables support for Common Criteria requirements. Reference identities are configured as one or more identifiers to be compared to the presented identifiers in the server certificate. Identifiers are specific instances of the four identifier types specified in RFC 6125.
– IPsec/ESP Transport Mode support for IKEv2 between ASA and any other peer device that supports it. This feature is supported in Hub and Spoke, Point to Point, Full Mesh, and Extranet topologies under regular IPsec and IKEv2 only.
– Certificate Map—Using the HTTP configuration feature, you can add or edit a host or network that will be allowed to access the HTTP server on the device via a specific interface. Beginning with version 4.12, you can use Certificate Maps that you configure in the device under Remote Access VPN > Certificate to Connection Profile Maps > Rules. The newly added certificate map will be evaluated for the certificate received.
– IPsec routing—Security Manager now enables per packet routing lookups for the IPsec inner packets.
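As an added illustration (not Cisco code) of how a Reference Identity object is compared with the identifiers a server certificate presents, the following Python implements the RFC 6125 matching rules for the four identifier types. The certificate identifiers are a constructed stand-in for values read from the syslog server's certificate, and the class and function names are assumptions.

```python
"""RFC 6125 reference-identity matching, added illustration (not Cisco code).

A reference identity holds one or more reference identifiers of the four
RFC 6125 types (DNS-ID, SRV-ID, URI-ID, CN-ID). The identifiers the server
certificate presents are passed in as a plain dict, standing in for values
read from the certificate's subjectAltName and subject CN.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class ReferenceIdentity:
    dns_id: List[str] = field(default_factory=list)  # e.g. "syslog.example.com"
    srv_id: List[str] = field(default_factory=list)  # e.g. "_syslog.example.com"
    uri_id: List[str] = field(default_factory=list)  # e.g. "syslog://syslog.example.com"
    cn_id: List[str] = field(default_factory=list)   # consulted only as a fallback


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def dns_match(reference: str, presented: str) -> bool:
    """DNS-ID comparison (RFC 6125 section 6.4.3): case-insensitive, and a '*'
    in the presented identifier may only replace its entire left-most label and
    never matches a bare public suffix such as '*.com'."""
    ref, pres = _labels(reference), _labels(presented)
    if len(ref) != len(pres):
        return False
    if pres[0] == "*":
        return len(pres) >= 3 and ref[1:] == pres[1:]
    return ref == pres


def srv_match(reference: str, presented: str) -> bool:
    """SRV-ID comparison: '_service.domain' with both parts compared exactly."""
    rsvc, _, rname = reference.partition(".")
    psvc, _, pname = presented.partition(".")
    return rsvc.lower() == psvc.lower() and _labels(rname) == _labels(pname)


def uri_match(reference: str, presented: str) -> bool:
    """URI-ID comparison: scheme and host must both match; no wildcards."""
    r, p = urlsplit(reference), urlsplit(presented)
    return (r.hostname is not None and r.scheme.lower() == p.scheme.lower()
            and r.hostname == p.hostname)


SAN_CHECKS: Tuple[Tuple[str, Callable[[str, str], bool]], ...] = (
    ("dns_id", dns_match), ("srv_id", srv_match), ("uri_id", uri_match))


def matches(ref: ReferenceIdentity, presented: Dict[str, List[str]]) -> bool:
    """True if any reference identifier matches a presented identifier.

    CN-ID is compared only when the certificate presents no subjectAltName
    identifier of the other three types (RFC 6125 section 6.4.4), because a
    Common Name is not a reliable statement of the server's host name.
    """
    for kind, compare in SAN_CHECKS:
        for r in getattr(ref, kind):
            if any(compare(r, p) for p in presented.get(kind, [])):
                return True
    if any(presented.get(kind) for kind, _ in SAN_CHECKS):
        return False
    return any(dns_match(r, p) for r in ref.cn_id for p in presented.get("cn_id", []))


# Constructed sample: identifiers as they would be read from a secure syslog
# server's certificate (wildcard DNS SAN, a URI SAN and a subject CN).
SYSLOG_SERVER_CERT: Dict[str, List[str]] = {
    "dns_id": ["*.logging.example.com"],
    "uri_id": ["syslog://collector1.logging.example.com"],
    "cn_id": ["collector1.logging.example.com"],
}

if __name__ == "__main__":
    ref = ReferenceIdentity(dns_id=["collector1.logging.example.com"])
    print("match:", matches(ref, SYSLOG_SERVER_CERT))
```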
Connection holddown timeout for route convergence—Beginning with Cisco Security Manager 4.12, you can configure how long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the connection is freed. You can now reduce the holddown timer to make route convergence happen more quickly.
Changes in TCP Option handling—With Cisco Security Manager 4.12, you can now specify actions for the TCP MSS and MD5 options in a packet’s TCP header when configuring a TCP map. In addition, the default handling of the MSS, timestamp, window-size, and selective-ack options has changed. Previously, these options were allowed even if there was more than one option of a given type in the header. Now, packets are dropped by default if they contain more than one option of a given type. For example, a packet with two timestamp options would previously have been allowed; now it is dropped. You can configure a TCP map to allow multiple options of the same type for MD5, MSS, selective-ack, timestamp, and window-size. For the MD5 option, the previous default was to clear the option, whereas the default now is to allow it. You can also drop packets that contain the MD5 option. For the MSS option, you can set the maximum segment size in the TCP map (per traffic class). The default for all other TCP options remains the same: they are cleared.
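The following Python, added here as an illustration (not ASA or Security Manager code), models the option handling this paragraph describes: it parses a TCP options field and applies the new defaults, with the per-map overrides for duplicates, MD5 and the MSS maximum. The TcpMap fields, the grouping of option kinds 4 and 5 under selective-ack, and clamping as the effect of the MSS maximum are assumptions.

```python
"""Model of the TCP-map option handling described above (added illustration,
not ASA code). It parses the options field of a TCP header and applies the
documented 9.6(2) defaults: drop a packet carrying more than one MSS, MD5,
selective-ack, timestamp or window-size option, allow a single MD5 option,
and clear every other option kind. TcpMap holds the per-map overrides.
"""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# TCP option kinds (IANA registry).
EOL, NOP, MSS, WSCALE, SACK_PERM, SACK, TIMESTAMP, MD5 = 0, 1, 2, 3, 4, 5, 8, 19
# Assumption: the TCP-map "selective-ack" option covers kinds 4 and 5.
NAMED = {MSS: "mss", WSCALE: "window-size", SACK_PERM: "selective-ack",
         SACK: "selective-ack", TIMESTAMP: "timestamp", MD5: "md5"}
DUP_CHECKED = ("mss", "md5", "selective-ack", "timestamp", "window-size")

Option = Tuple[int, bytes]  # (kind, payload without the kind/length bytes)


@dataclass(frozen=True)
class TcpMap:
    md5: str = "allow"                            # "allow" (new default) | "clear" | "drop"
    max_mss: Optional[int] = None                 # assumed to clamp an MSS above the maximum
    allow_multiple: FrozenSet[str] = frozenset()  # option names allowed to repeat


def parse_options(data: bytes) -> List[Option]:
    """Walk the options field; raise ValueError on a malformed length."""
    opts: List[Option] = []
    i = 0
    while i < len(data):
        kind = data[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for option kind {kind}")
        opts.append((kind, data[i + 2:i + length]))
        i += length
    return opts


def apply_tcp_map(options: List[Option], tmap: TcpMap) -> Tuple[str, object]:
    """Return ("drop", reason) or ("pass", options kept after clearing)."""
    counts = Counter(NAMED.get(kind, "other") for kind, _ in options)
    for name in DUP_CHECKED:
        if counts[name] > 1 and name not in tmap.allow_multiple:
            return "drop", f"duplicate {name} option"
    kept: List[Option] = []
    for kind, payload in options:
        name = NAMED.get(kind)
        if name is None:
            continue                              # all other kinds: cleared by default
        if name == "md5":
            if tmap.md5 == "drop":
                return "drop", "md5 option present"
            if tmap.md5 == "clear":
                continue
        if name == "mss" and tmap.max_mss is not None and len(payload) == 2:
            (mss,) = struct.unpack("!H", payload)
            if mss > tmap.max_mss:
                payload = struct.pack("!H", tmap.max_mss)
        kept.append((kind, payload))
    return "pass", kept


def inspect_options(raw: bytes, tmap: TcpMap = TcpMap()) -> Tuple[str, object]:
    return apply_tcp_map(parse_options(raw), tmap)


# Constructed option fields: MSS 1460, two NOPs and one timestamp; a
# duplicate-timestamp variant; and one carrying an MD5 signature option.
TS = b"\x08\x0a" + bytes(8)
MSS_1460 = b"\x02\x04\x05\xb4"
OPTS_OK = MSS_1460 + b"\x01\x01" + TS
OPTS_DUP_TS = MSS_1460 + TS + TS
OPTS_MD5 = b"\x13\x12" + bytes(16) + MSS_1460

if __name__ == "__main__":
    for label, raw in (("ok", OPTS_OK), ("dup-ts", OPTS_DUP_TS), ("md5", OPTS_MD5)):
        print(label, inspect_options(raw))
```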
Bidirectional Forwarding Detection Support—Beginning with version 4.12, Security Manager supports Bidirectional Forwarding Detection (BFD). BFD is a detection protocol designed to provide fast forwarding path failure detection times for all media types, encapsulations, topologies, and routing protocols.
DHCPv6 Prefix Delegation Support—DHCPv6 prefix delegation is a mechanism to accept the prefix sent by the Internet Service Provider and distribute the same prefix via Stateless Address Autoconfiguration (SLAAC) to the hosts or routers in the corresponding customer network. A SLAAC host also requires other configuration parameters, such as the domain name and the DNS server list; it fetches these stateless configuration parameters through a DHCPv6 information-request exchange. Cisco Security Manager 4.12 supports DHCPv6 prefix delegation on ASA 9.6.2 and later standalone devices in routed mode.
DNS over TCP inspection—Beginning with Cisco Security Manager 4.12, you can inspect DNS over TCP traffic (TCP/53).
MTP3 User Adaptation (M3UA) inspection—With Cisco Security Manager 4.12, you can inspect M3UA traffic and also apply actions based on point code, service indicator, and message class and type.
Session Traversal Utilities for NAT (STUN) inspection—Cisco Security Manager 4.12 supports inspection of STUN traffic for WebRTC applications including Cisco Spark. Inspection opens pinholes required for return traffic.
Flow Control—Cisco Security Manager 4.12 supports the Pause Frame for Flow Control option. When a network interface becomes overloaded, flow control allows it to send PAUSE requests to the devices sending it data so that the overloaded condition can clear.
Support for ASA 9.6(1) version
Flow Offload Support—Selected traffic can be identified and offloaded to a super-fast path, where it is switched and processed in the NIC instead of on the ASA. Offloading helps improve performance for data-intensive applications such as large file transfers. Beginning with 4.12, Security Manager supports flow offload on the Firepower 9000/4000 device series.
Support for Flow Offload and Flow Offload Statistics on Health and Performance Monitor—Beginning with version 4.12, Security Manager’s Health and Performance Monitor displays Flow Offload information and statistics on two tabs. The Flow Offload tab displays basic information about the offload engine, the load percentage on the offload cores, and information on active offloaded flows: the number of offloaded flows created, the active offloaded flows, and their rewrite rules and data. The Flow-offload Statistics tab displays the counts for transmitted, received, and dropped packets and statistics for the virtual NIC used.
Other Enhancements in Cisco Security Manager 4.12
IPv6 addresses in Remote Access VPN—Security Manager now supports IPv6 addresses for SSL Clientless VPN. IPv6 address support is provided for the following SSL Clientless VPN features:
– http-proxy, https-proxy
– smart-tunnel [auto-signon | network]
– VDI Server
IPv6 addresses for SSL AnyConnect—Security Manager now supports IPv6 addresses for SSL AnyConnect VPN. IPv6 address support is provided for the following SSL AnyConnect VPN features:
– DNS servers
– VPN Load Balancing
– Cisco AAA Attribute
– TCP UDP Port
– Port Forwarding
– VPN IPv6 Address Pool
– VPN Interface Specific IPv6 Address Pool
– Group Policy IPv6 Address Pool
Beginning with version 4.12, Security Manager allows you to use the following additional special characters when naming policy objects in the Policy Object Manager tool:
– exclamation mark (!),
– at sign (@),
– hash sign (#),
– percent sign (%),
– ampersand sign (&), and,
– parentheses or round brackets ().
Security Manager does not support the following characters:
– caret character (^)
– dollar character ($)
IPv6 address support for device communication—Security Manager now supports communication from the Security Manager server to the managed devices over either IPv6 or IPv4. This feature is available only for firewall devices, that is, those devices where the OS type is either ASA or FWSM. Communication between the Security Manager server and client is over IPv4 only; IPv6 is not supported for server-to-client communication. To enable communication over IPv6, you must first enable IPv6 on the Security Manager server.
Support for TLS 1.2 protocol for Security Manager client and server communication.
SNMP Engine ID (for SNMP v3 only)—Security Manager 4.12 provides support for SNMP Engine ID, a unique identifier used for authentication in v3.
SNMP Host Group and User List—Beginning with version 4.12, Security Manager enables you to add and edit Host Group entries for SNMP users. It also enables you to add a User List containing multiple SNMP users.
Please refer to the Installation Guide for Cisco Security Manager 4.12 for specific installation instructions and for important information about client and server requirements. Before installing Cisco Security Manager 4.12, it is critical that you read the notes listed in this section and the Important Notes.
The “Licensing” chapter in the installation guide enables you to determine which license you need. (The license you need depends upon whether you are performing a new installation or upgrading from one of several previous versions.) It also describes the various licenses available, such as standard, professional, and evaluation.
The STD-TO-PRO upgrade converts an ST25 license to a PRO50 license and will result in support for 50 devices. If additional devices need to be supported, you need to buy the necessary incremental licenses.
Beginning with Version 4.7 of Security Manager, a temporary license for the API is available from Cisco.
Beginning with Version 4.7 of Security Manager, you can apply incremental licenses to the evaluation version of the Security Manager license.
Do not modify casuser (the default service account) or the directory permissions that are established during the installation of the product. Doing so can prevent you from doing the following:
– Logging in to the web server
– Logging in to the client
– Performing successful backups of all databases
Supported operating systems for the server machine are the following:
– Microsoft Windows Server 2012 R2 Standard—64-bit
– Microsoft Windows Server 2012 Standard—64-bit
– Microsoft Windows Server 2012 R2 Datacenter—64-bit
– Microsoft Windows Server 2012 Datacenter—64-bit
Supported operating systems for the client machine are the following:
– Microsoft Windows 7 SP1 Enterprise—64-bit and 32-bit
– Microsoft Windows 8.1 Enterprise Edition—64-bit and 32-bit
– Microsoft Windows Server 2008 R2 with SP1 Enterprise—64-bit
– Microsoft Windows Server 2012 R2 Standard—64-bit
– Microsoft Windows Server 2012 Standard—64-bit
– Microsoft Windows Server 2012 R2 Datacenter—64-bit
– Microsoft Windows Server 2012 Datacenter—64-bit
Supported browsers are the following for both the server machine and the client machine:
– Internet Explorer 8.x, 9.x, 10.x, or 11.x, but only in Compatibility View
– Firefox 15.0.1 and above (supported and recommended)
You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager 4.12 explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.
Before you can successfully upgrade to Security Manager 4.12 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager 4.12 contains complete instructions on the steps required for preparing the database for upgrade.
We do not support installation of Security Manager on a server that is running any other web server or database server (for example, IIS or MS-SQL). Doing so might cause unexpected problems that may prevent you from logging into or using Cisco Security Manager.
Be aware of the following important points before you upgrade:
– Ensure that all applications that you are upgrading are currently functioning correctly, and that you can create valid backups (that is, the backup process completes without error). If an application is not functioning correctly before an upgrade, the upgrade process might not result in a correctly functioning application.
Note It has come to Cisco’s attention that some users make undocumented and unsupported modifications to the system so that the backup process does not back up all installed CiscoWorks applications. The upgrade process documented in the installation guide assumes that you have not subverted the intended functioning of the system. If you are creating backups that back up less than all of the data, you are responsible for ensuring you have all backup data that you require before performing an update. We strongly suggest that you undo these unsupported modifications. Otherwise, you should probably not attempt to do an inline upgrade, where you install the product on the same server as the older version; instead, install the updated applications on a new, clean server and restore your database backups.
If you log in to a Security Manager server that is running a higher version than your client, a notification will be displayed and you will have the option of downloading the matching client version.
Beginning with Security Manager 4.4, AUS and the Security Manager client are installed in parallel to improve installation time.
CiscoWorks Common Services 4.2.2 is installed automatically when you install Security Manager or AUS.
If a database migration error occurs, an error message is displayed; this happens at a point where the installation can still be continued without stopping.
For optimal performance, we recommend defragmenting the disk for every 50 GB increase in disk size.
Caution Frequent defragmentation will also contribute to bad sectors, eventually leading to disk failure.
Beginning with Version 4.4, Security Manager includes a Windows Firewall configuration script in the server installer. This script automates the process of opening and closing the ports necessary for Windows Firewall to work correctly and securely; its purpose is to harden your Security Manager server.
The following notes apply to the Security Manager 4.12 release:
For remote access VPN on multi-context ASA devices running software version 9.6(2) or later, the device rewrites a storage-url configured with the flash:/ directory to disk0:/. Because the device modifies the configuration, Security Manager negates the device configuration and pushes the configuration to the device again. This is a limitation of Security Manager version 4.12.
In Policy Object Manager > Access Control List > Unified ACL, if you right-click an ACL that is used in any device configuration and select “Find Usage”, the Find Usage option does not show the list of devices that are configured with the Unified Access List.
Beginning with version 4.9, Security Manager does not support the Secure Sockets Layer version 3.0 (SSLv3) security protocol.
Security Manager sends only the delta configuration to the Configuration Engine, where the particular device retrieves it. The full configuration is not pushed to the device. Therefore, the following behaviors are encountered for OSPF, VLAN, and failover on devices.
– OSPF for IOS routers—Security Manager supports OSPF policy for routers running IOS Software version 12.2 and later. However, Security Manager does not support OSPF policy for Catalyst devices. When you configure the OSPF policy on a Catalyst device and perform discovery in Security Manager, Security Manager removes the ‘no passive-interface <interface number>’ command from the full configuration. Therefore you will see a difference between the Security Manager-generated configuration and the configuration on the device.
– VLAN—Security Manager supports discovery of the VLAN command on IOS devices but does not support the dynamic behavior of the VLAN command. If there are user-driven changes in the VLAN policy, Security Manager generates the command in the delta and full configuration. Otherwise, in normal preview or deployment, Security Manager does not generate the VLAN command in the full configuration. Therefore you will see a difference between the Security Manager-generated configuration and the configuration on the device.
– Failover policy for firewall devices, such as ASA and FWSM, and IOS devices—Security Manager does not support the dynamic behavior of failover devices. That is, the primary unit in an HA pair has the ‘failover lan unit primary’ command and the secondary unit has the ‘failover lan unit secondary’ command. When there is a switchover, Security Manager still compares against ‘failover lan unit primary’ and generates a delta configuration, which leads to a failure in deployment.
Note Security Manager does not support ‘dynamic’ CLI commands. If the syntax of a CLI command is modified, for example, if the ‘primary’ keyword is changed to ‘secondary’, it will not be supported by Security Manager.
The following ASA policies are supported in Security Manager version 4.8 and higher:
Therefore these policies are managed by default in a fresh 4.8 or higher installation. However, if you are upgrading Security Manager from version 4.7 to 4.8, or from version 4.7 to 4.9, these policies are unmanaged by default on both inline and remotely upgraded servers.
If you are upgrading from Security Manager 4.7 to 4.9, in addition to the SSL and EIGRP ASA policies, the following ASA policies will also be unmanaged:
– CLI Prompt
– Virtual Access
– AAA Exec Authorization
If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to this version of Security Manager. If you deploy back to the device, these commands are removed from the device because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.
Note If a route-map is configured on the ASA and the same route-map is used in OSPF policy, after upgrading to Security Manager 4.9 from Security Manager 4.7, the OSPF page will show a red-banner. To overcome this issue, you must rediscover the ASA.
If you upgrade an ASA managed by Security Manager to release 8.3(x) or higher from 8.2(x) or lower, you must rediscover the NAT policies using the NAT Rediscovery option (right-click on the device, select Discover Policies on Device(s), and then select NAT Policies as the only policy type to discover). This option will update the Security Manager configuration so that it matches the device configuration while preserving any existing shared policies, inheritance, flex-configs, and so on.
You can also use the rule converter for the other firewall rules like access rules, AAA rules, and inspection rules if you want to manage these policies in unified firewall rules format.
If you upgrade a device that you are already managing in Security Manager from 8.x to 9.0(1) or higher, you must rediscover the device inventory so that Security Manager starts interpreting the device as a 9.x device and then you must rediscover the policies on the device to ensure that Security Manager looks for and discovers the appropriate policy types. Alternatively, you can delete the device from Security Manager and then add the device again.
If you perform one of the following upgrades to a device that you are already managing in Security Manager:
– from 7.x to 8.x
– from any lower version to 8.3(1) or higher
– from 8.3(x) to 8.4(2) or higher
you must rediscover the device in Security Manager. This is required due to significant policy changes between the two releases.
For detailed information on these scenarios, refer to the section titled “Validating a Proposed Image Update on a Device” in the User Guide for Cisco Security Manager 4.12 at the following URL:
ASA 8.3 ACLs use the real IP address of a device, rather than the translated (NAT) address. During upgrade, rules are converted to use the real IP address. All other device types, and older ASA versions, use the NAT address in ACLs.
The device memory requirements for ASA 8.3 are higher than for older ASA releases. Ensure that the device meets the minimum memory requirement, as explained in the ASA documentation, before upgrade. Security Manager blocks deployment to devices that do not meet the minimum requirement.
For ASA devices in cluster mode, Security Manager treats the entire cluster as a single node and manages the cluster using the main cluster IP address. The main cluster IP address is a fixed address for the cluster that always belongs to the current master unit. If the master node changes, the SNMP engine ID for the cluster also changes. In such a case, Security Manager will regenerate the CLI for all SNMP Server Users that are configured with a Clear Text password. Security Manager will not regenerate the CLI for users that are configured using an Encrypted password.
You can use the Get SNMP Engine ID button on the SNMP page to retrieve the engine ID from the device currently functioning as the cluster master unit.
You cannot use Security Manager to manage an IOS or ASA 8.3+ device if you enable password encryption using the ‘password encryption aes’ command. You must turn off password encryption before you can add the device to the Security Manager inventory.
Device and Credential Repository (DCR) functionality within Common Services is not supported in Security Manager 4.8 and later versions.
LACP configuration is not supported for the IPS 4500 device series.
A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x+ appliances, Catalyst and ASA service modules, and router network modules.
Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.
Do not run SQL queries against the database.
If an online help page displays blank in your browser view, refresh the browser.
Beginning with version 4.9, Security Manager only supports Cisco Secure ACS 5.x for authentication. ACS 4.1(3), 4.1(4), or 4.2(0) is required for authentication and authorization.
If you do not manage IPS devices, consider taking the following performance tuning step. In $NMSROOT\MDC\ips\etc\sensorupdate.properties, change the value of packageMonitorInterval from its initial default value of 30,000 milliseconds to the less frequent value of 600,000 milliseconds. Taking this step will improve performance somewhat. ($NMSROOT is the full pathname of the Common Services installation directory; the default is C:\Program Files (x86)\CSCOpx.)
The IPS packages included with Security Manager do not include the package files that are required for updating IPS devices. You must download IPS packages from Cisco.com or your local update server before you can apply any updates. The downloaded versions include all required package files and replace the partial files that are included in the Security Manager initial installation.
The “License Management” link on the CiscoWorks Common Services home page has been removed.
CsmReportServer and CsmHPMServer are now supported with 64-bit JRE.
The “rsh” service has been changed to manual start mode. You can start it manually if you need it.
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.