Table Of Contents
Cisco Security Manager New Features by Release
Published: September 23, 2011
This document lists new features by release and contains the following sections:
What's New in Cisco Security Manager 4.2
In addition to resolved caveats, this release includes the following new features and enhancements:
•Support for ISR ScanSafe integration, a cloud-based SaaS (Software As A Service) feature, which can transparently redirect selected traffic for content scanning and malware protection. You can use ScanSafe Web Security to provide differentiated services to particular users, user groups, and IPs.
•Support for the Cisco Catalyst 6500 Series ASA Services Module running ASA Software Release 8.5(1). Event Viewer and Report Manager work with this new service module. However, the service module does not support VPN configuration, so reports related to VPN are not applicable.
•Support for ASA Software release 8.4(2), including the following features:
–Identity-aware firewall, allowing you to create ACL rules that are sensitive to the Active Directory (AD) username or user group membership of the person sending traffic through the ASA. Additionally, you can use fully-qualified domain names (FQDN) for source or destination rather than IP addresses. There are new policy objects for Identity User Group and FQDN network/host objects, and all device policies that allow identity-aware ACLs are supported: AAA rules, access rules (IPv4 and IPv6), inspection rules, Botnet Traffic Filter classification, and service policy rules. A new policy, Identity Options, identifies the AD servers, AD agents, and other identity-related settings.
–PAT Pool, Round Robin, No Proxy ARP, and Route Lookup features have been added to Manual NAT rules. With PAT Pool, you can define a pool of IP addresses specifically for PAT, and you can select a "round robin" algorithm for port allocation during PAT.
–Event Viewer includes new columns for user name and FQDN information in syslog messages that include them. There are new syslog messages related to identity-aware firewall: 746001-746019.
–Support for IPv6 addresses for DNS servers.
–You can now configure an ASA to permit or deny VPN connections from endpoints with an AnyConnect Essentials license on a per-dynamic access policy (DAP) basis. The following mobile platforms support this capability: AnyConnect for iPhone/iPad/iPod versions 2.5.x and AnyConnect for Android versions 2.4.x. It is not required to enable CSD to configure these specific attributes.
–Support for a new policy pushed down to the AnyConnect Secure Mobility Client for resolving DNS addresses over split tunnels. This policy applies to VPN connections using the SSL or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the AnyConnect client does not try to resolve the address through public DNS servers.
–Auto Update Server and Performance Monitor support.
•Support for Cisco IOS Software Release 15.2(1)T on 88x, 89x, 19xx, 29xx, and 39xx routers only. ScanSafe is the only supported new feature in this version.
•Support for IPS modules on ASA 5585 with Cisco ASA 5585 IPS Security Services Card.
•A new generic router support model. If an Integrated Service Router (ISR) or Aggregation Services Router (ASR) model is not explicitly supported, you can manage the device as a generic router. Available features are based on the software version running on the device.
•You can now choose between client and server file systems when performing the following file operations:
–Installing Security Manager license files
–Importing/exporting device inventory files
–Importing/exporting shared policies
–Creating the following file objects: Cisco Secure Desktop Package, Plug-In, AnyConnect Profile, AnyConnect Image, Hostscan Image
What's New in Cisco Security Manager 4.1
In addition to resolved caveats, this release includes the following new features and enhancements:
•Enterprise-class integrated Firewall, IPS, and VPN reporting functionality for improved visibility into security devices. Custom reports can be created using advanced filters, and reports can be viewed on-demand and scheduled for email delivery.
•Support for IPv6 addressing in some policies and features for ASA devices in router mode (release 7.0+) and transparent mode (8.2+) and FWSM in router mode (3.1+). Note that you must configure an IPv4 management address for devices that use IPv6 addressing; Security Manager uses IPv4 for all communications with managed devices. The following configuration and features support IPv6 addressing:
–Policy Objects—A new IPv6 network/host object for IPv6 addresses, and support for ICMP6 services in the services object.
–Firewall Services—New policies for IPv6 access rules and IPv6 access control settings. The hit count and find and replace tools also work with the IPv6 access rules policy. There are new FlexConfig system variables to identify the IPv6 ACLs configured on a device.
–ASA/FWSM platform policies—The interfaces policy lets you configure IPv6 addresses for interfaces. New bridging policies are IPv6 Neighbor Cache and Management Address (IPv6).
–Event Viewer—IPv6 events are now fully parsed, and IPv6 addresses can appear in the Source, Destination, and IPLog Address columns. The following columns are deprecated: Source (IPv6), Destination (IPv6), IPLog Address (IPv6)
•Advanced troubleshooting of operational issues using Packet Capture, ping, traceroute, and other tools, in addition to Event-to-Policy linkages and Cisco Packet Tracer tools.
•A simplified method for defining an Extranet that is a point-to-point regular IPsec VPN to a device outside your management scope (such as one in the service provider's network, to a non-Cisco device, or to a device in a part of your network that you do not manage) has been added to the Site to Site VPN Manager.
•There are new import and export features that are available from the File menu:
–You can now export shared policies, including the policy objects used in the policies, and import them into another Security Manager server. This can help you maintain a consistent set of policies when using more than one Security Manager server.
–You can now export devices with all policies, policy objects, certificates, Configuration Archive data, and associated VPN topologies, and import them into another Security Manager server. This simplifies the process of splitting a single server into two or more servers without having to rediscover policies. The export includes all shared policies and assignments, so the imported devices maintain shared-policy relationships.
–Note that the existing device export feature (export to CSV file) has been moved to File > Export. In previous releases, the command was Tools > Export Inventory. The Export to CSV feature has not been changed; you can still export to CSV and add the devices through the New Device wizard.
•Support for latest ASA 8.4 feature set, including the following features:
–You can configure Kerberos Constrained Delegation to allow users to gain access to Kerberos-protected resources after they use non-Kerberos methods to log into a remote access VPN.
–You can configure IKE version 2 (IKEv2) for regular IPsec site-to-site VPNs and remote access IPSec VPNs. When using IKEv2 in a remote access IPSec VPN, you must use the AnyConnect 3.0 VPN client. The configuration for IKEv2 is in many cases significantly different from the configuration of IKEv1. For example, when configuring a remote access IPSec VPN for IKEv2, you must also configure several policies that used to be specific to SSL VPNs, such as the SSL VPN Access policy. Review the documentation carefully before implementing IKEv2.
–You can define up to 48 logical EtherChannel interfaces, each of which consists of between zero and eight active Fast Ethernet, Gigabit Ethernet, or Ten-Gigabit Ethernet ports. Also called a "port-channel" interface, this provides increased bandwidth and fault tolerance over the individual links. An EtherChannel interface is configured and used in the same manner as a physical interface.
–A number of additional Simple Network Management Protocol (SNMP) traps are available for these ASAs. Specific traps include Fan Failure, CPU Temperature, Power-Supply Failure, NAT Packet Discard, and Memory Threshold.
•Operating system support as follows:
–Strongly Recommended: Windows 2008 R2 Enterprise Server—64-bit.
–Alternate operating system that also is supported: Windows 2008 Enterprise Server (Service Pack 2)—64-bit only.
•Beginning with the ASA 8.4.1 and FWSM 3.1, operating in transparent mode, you can increase the number of interfaces available to a device or context through use of bridge groups. You can configure up to eight bridge groups—on an FWSM each group can contain two interfaces; on an ASA each group can contain four interfaces.
•Maximum number of virtual contexts supported on ASA 5550 and 5580 devices increased from 50 to 100 on the 5550, and from 50 to 250 on the 5580. Note that from a licensing standpoint, each context is considered to be a separate device; be sure you have enough licenses to support the intended number of contexts.
Increasing the number of virtual contexts supported requires also increasing the number of VLANs supported. Thus, the maximum number of VLANs supported increased from 256 to 400 on the 5550, and from 256 to 1024 on the 5580.
•Support for Configuration Engine 3.5 and 3.5(1).
•Support for Cisco 1900 Series Integrated Services Routers models 1905 and 1921.
•Support for Cisco IOS XE Software release 3.1.x on ASRs. This release is mapped to 15.0(1)S in Security Manager.
•The following enhancements are available in the Event Viewer application in addition to IPv6 support:
–Supports for the following new syslog messages: Etherchannel 426001-426003; SNMP NAT MIB 202010; additional SNMP traps 321005-321006; IKEv1 713001-713259, 714001-714011, 715001-715080; IKEv2 743001-743009, 744001-744016, 745001-745016.
–You can now use Event Viewer with FWSM running software releases 3.1.17+, 3.2.17+, 4.0.10+, and 4.1.1+.
–You can configure an extended event storage area on directly-attached storage, such as SAN storage connected through fiber channel. Event Viewer automatically copies data to extended storage and retrieves it whenever an event query includes events that are in extended storage.
–The status bar now shows the current events per second (EPS) rate and a color-coded icon that indicates the health of the system. Clicking the icon provides statistics for the past five minutes and system alerts concerning packet drops or other critical situations that require your attention.
–There are new ACS privileges to control access to Event Viewer and for selecting or deselecting devices for monitoring.
–You can now view host object names instead of IP addresses as the source and destination of events.
–You can now view IP logs for IPS Alert events using an external packet analyzer tool.
•Activity or Configuration Session Change reports now include changes to VPN topologies and remote access VPN policies.
•During remote access VPN policy discovery, Security Manager now discovers the default tunnel groups (connection profiles) for IPSec and SSL connections, including the default group policy: DefaultRAGroup, DefaultWEBVPNGroup, and DfltGrpPolicy. You can now manage these default objects through Security Manager.
•You can now use Smart Tunnel Auto Sign-on lists when configuring Clientless SSL VPN on ASA 5500 devices running software version 7.1(1) and later.
•You can now upload Hostscan packages to an ASA device.
•You can now manage IPS certificates using Security Manager. You can ensure that Security Manager has the correct certificates to communicate using HTTPS (SSL) and regenerate certificates before or after they expire. Select Manage > IPS > IPS Certificates in Configuration Manager.
•The IPS license management feature has been modified so that license updates are performed without obtaining a lock on the device. Also, automated license update job configuration has been simplified, and you can now configure the job to provide e-mail notifications of pending license expirations and the results of the daily license update job.
Note If you upgrade from 4.0.1 to 4.1, and you have an automatic license update job configured, that job configuration is converted to a daily job at midnight, checking for licenses that expire on the same day. You should reconfigure the job to meet your requirements and to add e-mail addresses for notification purposes.
•Improvements in problem resolution, including:
–Added details to system messages that instruct you to contact the Cisco Technical Assistance Center (TAC).
–The partial_backup.pl command for generating partial database backups for use by Cisco TAC. These backups are not usable as a normal database backup.
–The ability to create deployment and discovery reports that you can send to Cisco TAC for problem analysis.
•Some actions that can take a long time to complete now have more informative status dialog boxes to show you the current status of the actions. Affected actions include activity validation, activity submission, activity approval, and preview configuration.
•The User Interface has been reorganized in some areas, specifically:
–You can now directly open the Configuration Manager, Event Viewer, or Report Manager applications from the Windows start menu. You can also open each of these applications from within any application. In previous versions of Security Manager, there was a single client view; the traditional client is now called Configuration Manager.
–There are new toolbar buttons available for selection in Configuration Manager. To add them to the toolbar, select View > Customized Toolbar.
–Some commands on the Tools menu have been moved to other menus, including two new menus, Manage and Launch. Some other commands have been renamed. Table 1 shows the old and new commands.
What's New in Cisco Security Manager 4.0.1
Cisco Security Manager 4.0.1 Service Pack 1
Security Manager 4.0.1 Service Pack 1 enables support for ASA Software Release 8.2(3) on all ASA platforms.
Security Manager 4.0.1 Service Pack 1 also provides fixes for various problems.
Cisco Security Manager 4.0.1
In addition to resolved caveats, this release includes the following new features and enhancements:
•Support for these new Cisco ASA-5500 Series Adaptive Security Appliance models: 5585-X, all models.
•Support for ASA Software release 8.2(3) on the ASA 5585-X platform.
Note Security Manager 4.0.1 Service Pack 1 enables support for ASA Software Release 8.2(3) on all ASA platforms.
•Support for these Cisco 3800 Series Integrated Services Routers: 3825 NOVPN, 3845 NOVPN. You cannot configure VPN policies or other policies that require encryption on these devices.
•Support for these Cisco 3900 Series Integrated Services Routers: 3925E, 3945E.
•Support for Cisco IOS Software release 15.1(1)T.
•Support for Cisco IOS XE Software releases 2.5 and 2.6. These releases are known as 12.2(33)XNE and 12.2(33)XNF, respectively, in Security Manager. The only new feature supported in these releases is for DMVPN phase 3, which allows direct communication between spokes. Otherwise, software support is equivalent to release 2.4 (known as 12.2(33)XND).
•Support for Cisco ASA 5585 IPS Security Services Processor.
•Support for changes to the mechanism used for downloading sensor and signature updates from Cisco.com.
•You can now configure AAA access control using a RADIUS server for IPS devices running IPS Software release 7.0(4).
•A new device property, License Supports Failover, for ASA 5505 and 5510 devices that indicates whether an optional failover license is available on the device. The property is set when you discover device policies, or you can manually set the property. Failover policies are deployed to these devices only if the property indicates that the device has a failover license installed. This helps eliminate deployment failures due to failover licensing issues.
•Performance Monitor adds support for Cisco ASA-5500 Series Adaptive Security Appliance model 5585-X, and Cisco 3900 Series Integrated Services Routers 3925E and 3945E.
•IPS signature tuning has been enhanced. If you modify a signature policy with more than one tuning contexts, Security Manager can copy the policy to other contexts when appropriate and with your permission.
What's New in Cisco Security Manager 4.0
Cisco Security Manager 4.0 Service Pack 1
Security Manager 4.0 Service Pack 1 provides support for changes to the mechanism used for downloading sensor and signature updates from Cisco.com.
Security Manager 4.0 Service Pack 1also provides fixes for various problems.
Cisco Security Manager 4.0
In addition to resolved caveats, this release includes the following new features and enhancements:
•New Event Viewer feature enables you to selectively monitor, search, view, and examine events from ASA and IPS devices. You can filter the stream of events to quickly select the view--or even the particular event or value--you require at the moment. Further, the view criteria you select can be saved and recalled as needed.
•The applications now require CiscoWorks Common Services 3.3, which is included in the Security Manager installation program.
•The Security Manager installation program no longer performs a mandatory backup. Although you are provided the option of performing a backup during installation, we recommend that you perform the backup before running the installation program, and verify that the backup completed successfully.
•Support for ASA Software version 8.3. If you upgrade a device to ASA 8.3, ensure that you delete it from the Security Manager inventory and then add it back in so that newly-converted policies are discovered correctly.
•ASA 8.3 support includes features that can help when converting from Checkpoint to ASA:
–Global access rules—Instead of creating access rules for each interface, you can create global rules once. These rules are applied to every interface and are processed after any interface-specific access rules.
–Object group search—Available as a firewall access control setting, object group search optimizes ACL performance without expanding object groups. However, you should use this only on memory constrained devices. You also cannot use the hit count tool if you configure object group search.
•The release of ASA version 8.3 provides a simplified approach to configuring network address translation (NAT), as compared to earlier ASA versions and other devices. All NAT rules on the device—static NAT, dynamic PAT, and dynamic NAT—are presented in a single table, and the same dialog box is used to configure all NAT rules. The NAT rules are interface independent (that is, interfaces are optional), meaning the rules are independent of security levels also.
•ASA 8.3+ includes new features for network and service objects that contain single values. You can also use the network objects to configure NAT. Security Manager supports these features as follows:
–The network/host policy object now has four types: group, host, network, address range. The group object is the same as the network/host object that exists in all Security Manager 3.x releases. The host, network, and address range types allow single values (of the appropriate type), and also allow NAT configuration. Although these objects are designed for use with ASA 8.3+, you can use them with all operating systems; any NAT configuration is ignored for non-ASA-8.3+ devices.
–The service policy object now has two types: group and object. The group object is the same as the service object in Security Manager 3.x releases. The service "object" allows a single service designation. As with the network/host object, you can use the new service object on any operating system; how it is provisioned to the device simply differs for ASA 8.3 devices.
•Support for FWSM Software versions 4.1(1), 4.0(7-11), 3.1(16, 17), 3.2(14-17).
•Support for the 1002 Fixed Router model of the Cisco ASR 1000 Series Aggregation Services Routers.
•Support for ASR Version 2.4 software, called Cisco IOS Software version 12.2(33)XND.
•Support for shared port adapters (SPAs) in Cisco ASR 1000 Series Aggregation Services Routers. Support includes all Ethernet (all speeds, including Ten Gigabit Ethernet), Serial, ATM, and Packet over Sonet (POS) SPAs, but not services SPAs. If you configured ATM, PVC, or dialer related policies on ASRs you managed with previous versions of Security Manager, you should rediscover policies on those devices to bring these policies into Security Manager.
•The IPS Event Viewer application is no longer included in the Security Manager package. When you upgrade to Security Manager 4.0, any installation of the IPS Event Viewer that was installed by previous versions of Security Manager is removed. To view IPS events, use the event viewer integrated into Security Manager 4.0.
•Activity lock messages now include the username and activity name that has obtained a lock that prevents you from performing an action.
•You can now delete more than one device at a time.
•You can now rediscovery policies on more than one device at a time.
•You can now detect whether devices have out of band changes (changes to the device configuration made outside of Security Manager) before you deploy configurations. This gives you the opportunity to update the device policies in Security Manager to recreate those changes.
Note Out-of-band change detection is not available for IPS appliances.
•In previous releases, you could select which types of policy to manage on Cisco IOS routers. You can now also select which policies to manage on ASA, PIX, and FWSM firewall devices.
•Packet tracer allows you to troubleshoot active policies running on ASA and PIX firewall devices running 7.2.1 and higher that are not operating in transparent mode.
•ASA 8.3 devices use the original, or real, IP address when evaluating traffic in firewall rules (such as access rules) rather than NAT-translated addresses. Ensure that you use the original address when configuring firewall rules for ASA 8.3 devices.
•You can now automatically block blacklisted traffic based on the threat level using the Botnet Traffic Filter on ASA 8.2(2)+ devices. You can also treat greylisted traffic as blacklisted traffic for action purposes.
•You can now inspect IP options in inspection rules on ASA 8.2(2)+ devices. IP options inspection allows you to pass IP packets that have end of options list, no operation, or router alert options configured in the IP packet header.
•You can now configure or use the following features for Group Encrypted Transport (GET) VPNs: fail-close mode to protect VPN traffic prior to successful group member registration; passive mode configured on group members; RSA key generation and synchronization among the key servers.
•You can now explicitly configure DMVPN phase 2 connections between spokes, so that spoke to spoke connections go through regional hubs, and routing protocol updates from hubs to spokes are not summarized.
•Support for Cisco Secure Access Control Server (ACS) 4.2.
•The Security Manager online help and user guide have been reorganized into parts with smaller chapters, and reference information has been moved along side of conceptual and procedural information. Large sections of the document have been rewritten and simplified, with more examples added.
•Security Manager now discovers and deploys object groups for devices running Cisco IOS Software release 12.4(20)T and higher. In previous releases, object groups were supported only for ASA, PIX, and FWSM.
What's New in Cisco Security Manager 3.3.1
Cisco Security Manager 3.3.1 Service Packs 1, 2, and 3
Security Manager 3.3.1 Service Packs 1, 2, and 3 provide fixes for various problems. The service packs are cumulative, so applying a service pack will include all updates from earlier services packs.
Security Manager 3.3.1 Service Pack 2 and Service Pack 3 also add support for changes to the mechanism used for downloading sensor and signature updates from Cisco.com.
As part of Cisco Security Manager 3.3.1 Service Pack 1, 2, or 3 installation, Apache will be upgraded from version 1.3.41 to 2.2.10.
Warning There are several CiscoWorks Common Services 3.2 patches available that address problems with Apache 1.3.41. These patches are NOT compatible with Security Manager 3.3.1 with Service Pack 1, 2, or 3 installed.
Note Several patches for CiscoWorks Common Services 3.2 are currently available. We recommend that you install these updates on the Security Manager server after applying Security Manager 3.3.1 Service Pack 1, Service Pack 2, or Service Pack 3. To download the CiscoWorks Common Services 3.2 patches:
2. Click Download Software.
3. Click Products [selected by default] > CiscoWorks Common Services Software [selected by default] > CiscoWorks Common Services Software 3.2.
4. Click LMS Common Services Patches.
5. Click Windows.
6. Download and install the following patches:
Warning Do not install cwcs32-win-CSCtd01597-K9.zip and cwcs32-win-CSCtb70407-K9.zip as these patches are for Apache 1.3.41 and are not comaptible with Security Manager 3.3.1 with Service Pack 1, Service Pack 2, or Service Pack 3 installed.
Cisco Security Manager 3.3.1
In addition to resolved caveats, this release includes the following new features and enhancements:
•There is a new administrative setting for deploying ACLs generated from firewall access rules. You can elect to share ACLs. If you assign the same ACL to multiple interfaces, Security Manager can now create a single ACL and share it among the interfaces, rather than create a duplicate ACL for each interface. Sharing can occur only if you do not specify ACL names or require that Security Manager preserve existing names; your naming requirements are a higher priority than ACL sharing. The new property is on the Tools > Security Manager Administration > Deployment page.
•The following FWSM releases are supported in downward compatibility mode: 3.1(15-17), 3.2(5-16), 4.0(2-10). For more information, see Supported Devices and Software Versions for Cisco Security Manager 3.3.1.
•Cisco IOS Software release 15.0(1)M is supported.
•The following new integrated services router series are supported: 19xx, 29xx, 39xx. You can configure these devices in Security Manager and monitor them using Performance Monitor.
•The following new integrated services routers are supported: 866, 886SRST, 887M, 887Vdsl2.
•The Cisco IAD880 Series Integrated Access Devices are supported.
•If you use AUS to deploy configurations, Security Manager now includes the HTTP user name and password as well as the enable password when adding the device to AUS. This allows you to perform immediate auto updates (Update Now) actions on these devices when you are using local or TACACS+ authentication on your devices.
•If you use ACS to control access to Security Manager, users are now notified if authorization fails because all ACS servers are unavailable. An e-mail message is also sent to the Security Manager server administrator indicating that all ACS servers are unavailable and that users cannot log into the Security Manager server.
•Cisco IPS 7.0.2 is supported.
•The User Accounts page and related interface elements give you the capability of user management for IPS devices. Specifically, you can discover local users from the IPS device, create users, modify user credentials or privileges, delete user accounts, and perform other user management tasks.
•TCP State Bypass is now available on FWSM 3.2+ and ASA 8.2+ devices. TCP packets that match existing connections in the fast path can pass through the appliance without every aspect of the security policy being rechecked. This feature maximizes performance.
•Multiple IP addresses now can be specified in static route destinations, and in IGMP multicast group networks.
What's New in Cisco Security Manager 3.3
Cisco Security Manager 3.3 Service Pack 2
Security Manager 3.3 Service Pack 2 provides support for changes to the mechanism used for downloading sensor and signature updates from Cisco.com.
Additionally, Security Manager 3.3 Service Pack 2 provides fixes for various problems.
Cisco Security Manager 3.3 Service Pack 1
Security Manager 3.3 Service Pack 1 provides fixes for various problems.
Cisco Security Manager 3.3
The following changes have been made for Security Manager 3.3:
•Support added for IPS 6.2 and 7.0. However, Security Manager does not support IPv6 capabilities. For more information, see the User Guide for Cisco Security Manager 3.3 or the Security Manager online help.
•Support for the following Cisco IOS Software releases: 12.4(15)T, 12.4(20)T, 12.4(22)T, 12.4(24)T.
•Support added for the following ASA software releases: 8.1(2), and 8.2(1).
•Support added for the following FWSM software releases: 3.1(9-14), 3.2(4-10), and 4.0(2-4).
Note For complete device support information, including new releases supported in downward compatability mode, see Supported Devices and Software Versions for Cisco Security Manager 3.3.
•Support added for the Cisco Intrusion Prevention System Network Module (NME), which can be used in select integrated services routers. The router policy used to configure this module and the related Cisco Intrusion Prevention System Advanced Integration Module (AIM) has been renamed the IPS Module interface settings policy (in previous releases it was named the AIM-IPS interface settings policy).
•Support added for the Cisco ASA Advanced Inspection and Prevention Security Services Card SSC-5 (for use with ASA 5505 devices only).
•Support added for the Cisco Catalyst 6500 Series VPN Services Port Adapter (VSPA). This includes support for Cisco IOS Software release 12.2(33)SXI.
•Support added for the following Cisco 800 Series Integrated Services Routers: 861, 861W, 881, 887, 888SRST, 891, 892.
•Support added for the Cisco ASR 1000 Series Aggregation Services Routers, models 1002, 1004, and 1006, and the Cisco IOS Software versions they run: 12.2(33)XNA, XNB, and XNC. Support is limited to the following Cisco IOS XE Software consolidated packages: Advanced IP Services, Advanced Enterprise Services. The IP Base packages are not supported.
•Support added for Cisco Configuration Engine 3.0, which you can use for managing configuration deployments. You can no longer use lower versions of Configuration Engine.
•You can now export information to a comma-separated values file for the following IPS policies and features: signature policies, event action filters, event action overrides, and IPS licenses.
•Botnet Traffic Filter supported on ASA version 8.2+, providing monitoring of network ports for rogue activity and detection of infected internal endpoints sending command and control traffic to external hosts.
•You can now configure zone-based firewall policies for IOS devices running 12.4(6)T or higher. With zone-based firewalls, you can configure drop, pass, inspect, and web-filtering actions based on security zones, which are groups of interfaces, rather than configuring policies for each interface.
•You can now configure Cisco Express Forwarding (CEF) using the CEF interface settings policy for routers.
•The Advanced Settings interface settings policy for routers now allows you to configure the following features:
–Interface throughput delay, which some routing protocols can use to determine the best path.
–Maintenance Operation Protocol (MOP).
–Unicast reverse path forwarding (RFP), which can be used to prevent denial of service (DoS) attacks.
•IKE Proposal objects now allow you to configure Diffie-Hellman groups 14, 15, and 16.
•You can now do the following with deployment schedules:
–You can discard schedules in non-Workflow mode. In either Workflow or non-Workflow mode, discarded schedules are immediately removed from the table rather than staying until the purge date has passed.
–You can now edit active schedules in Workflow mode (something you can already do in non-Workflow mode). In Workflow mode, and edited schedule changes to the Edit status, and you must resubmit and approve it.
–Configuring an end date is now optional. You can define a schedule that runs indefinitely.
•When you create deployment jobs, changed devices are now organized in the device groups you have configured, if any, and you can select devices by selecting the group rather than individual devices. This makes it easier for you to select subsets of devices for a deployment job when you are managing a large number of devices and you want to create smaller deployment jobs to target specific groups of devices.
•A new inventory file comma-separated values (CSV) format is available for importing and exporting the device inventory. The new format, Cisco Security Manager, is equivalent to the CiscoWorks Common Services Device Credential Repository (DCR) format with some additional fields. The additional fields allow you to import the inventory without doing device discovery, so that you can add devices that are not currently active on the network.
•A Perl command is now available for importing or exporting network/host, service, and port list policy objects. The exported information includes device-level overrides for the objects.
•Security Manager backups are now automatically compressed, reducing the space used by backup files.
•Support for the Crypto Connect Alternate feature on Catalyst 6500/7600 devices running Catalyst OS 12.2(33)SXH or higher.
•Support for the following features on ASA 8.2: Double Authentication, SSL VPN Shared Licenses, and AnyConnect SSL VPN Client.
•Support for Dynamic Virtual Template Infrastructure (DVTI) in a hub-and-spoke Easy VPN topology on routers running IOS version 12.4(2)T and later, except 7600 devices.
•Support for Group Encrypted Transport VPN (GET VPN), which introduces the concept of a trusted group to eliminate point-to-point tunnels and their associated overlay routing.
•Support for Generic Routing Encapsulation (GRE) tunneling protocol, which encapsulates a variety of protocol packet types inside IP tunnels, creating a virtual point-to-point connection to devices at remote points over an IP network. GRE can be configured on Cisco IOS security routers and Catalyst 6500/7600 devices in hub-and-spoke, point-to-point, and full mesh VPN topologies.
•When configuring IPS update servers, you can configure the proxy server to use NT LAN Manager (NTLM) V2 authentication as well as the already supported basic, digest, and NT LAN Manager (NTLM) V1 authentication. NTLM V2 is the most secure scheme.
What's New in Security Manager 3.2.2 (Including SP1, SP2, SP3, and SP4)
Cisco Security Manager 3.2.2 Service Pack 4
Security Manager 3.2.2 Service Pack 4provides support for changes to the mechanism used for downloading sensor and signature updates from Cisco.com.
Security Manager 3.2.2 Service Pack 4also provides fixes for various problems.
Cisco Security Manager 3.2.2 Service Pack 3
The following changes have been made for Security Manager 3.2.2 Service Pack 3:
•Support for TLSv1 and SSLv3 communication protocols.
•Security Manager 3.2.2 Service Pack 3 provides fixes for various problems.
Note A service pack is also available for Cisco Performance Monitor 3.2.2. For more information, see http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/performance_monitor/3.2.2/installation/guide/pm322irn.html.
Cisco Security Manager 3.2.2 Service Pack 2
The following changes have been made for Security Manager 3.2.2 Service Pack 2:
•Support for AIM-IPS on 12.4(20).
•Security Manager 3.2.2 Service Pack 2 provides fixes for various problems.
Cisco Security Manager 3.2.2 Service Pack 1
The following changes have been made for Security Manager 3.2.2 Service Pack 1:
•10 gigabit interface support for IPS Sensor 4260, 4270.
•Sybase 3813 EBF is integrated with the SP1 installation.
•CSTM patch is available from Common Services and is integrated into Installation.
•Cisco Configuration Engine 3.0 support.
•Security Manager 3.2.2 Service Pack 1 provides fixes for various problems.
Cisco Security Manager 3.2.2
The following changes have been made for Security Manager 3.2.2:
•Support added for FWSM 4.0(1) and IPS 6.1.
•Trusted Flow Acceleration available on the FWSM 4.0(1)+ in routed firewall mode, for single and multiple contexts.
•Logical "redundant" interfaces can now be configured on security devices. This feature is separate from device-level failover, but you can configure both if desired.
•Upgrade of included applications: CiscoWorks Common Services 3.2, RME 4.2, CSA 5.2, AUS 3.2.2, and Performance Monitor 3.2.2.
Note With the introduction of AUS 3.2.2, CNS Event Gateway is no longer supported.
•New Deployment administrative settings for masking passwords and keys when viewing.
•Support for non-English, non-ASCII languages in SSL VPN Bookmarks and SSL VPN Customization policy objects for use on ASA 8.x devices.
•Retention of client preferences.
What's New in Security Manager 3.2.1
•Support for ASA 8.0 and 8.1 SSL VPN configurations. Support for SSL VPN on ASA 7.x is removed in Security Manager 3.2.1. The Security Manager 3.2.1 installer provides a warning if any ASA 7.x SSL VPN configurations are detected in the case of an upgrade.
•New File Policy Object to support SSL VPN files.
•ASA 7.2.4 and FWSM 3.1(9), 3.2(4) are now supported. The following software is also supported, but is treated as the indicated software version:
–FWSM 3.2(5) is treated as 3.2(4).
–IPS 6.1.1 is treated as 6.0. Features unique to 6.1.1 are not supported.
•ACL name preservation is now supported in additional IOS and ASA/PIX policies.
–IOS policies now include: VTY, Console, HTTP, QoS, NAC, SNMP, Advanced Interface Settings, Dialer, VLAN ACL, IPS AIM, IPS Interface RulesClient Connection Characteristics for Easy VPN,User Group Policy for Easy VPN and for Remote Access VPN, Protected Network for IPsec VPN.
–ASA/PIX policies now include: RIP, Dynamic Access under Remote Access VPN; User Group Policy for Easy VPN and for Remote Access VPN (ASA, PIX 7.x, PIX 6.3); Protected Network for IPsec VPN.
•Support for the 881 and 888 Integrated Services Routers.
•Support for policy object name validation using special leading characters.
•Support of AIP SSM-40--Cisco Security Manager 3.2.1 supports the Cisco Adaptive Security Appliance (ASA) 5500 Series Advanced Inspection and Prevention Security Services Module 40 (AIP SSM-40) in the ASA5520 and 5540. It has the same software feature set as the AIP SSM-10 and the AIP SSM-10. It requires ASA 8.0.3 and IPS 6.0(4).
•Security Manager <> CS MARS Linkage Enhancements (requires CS MARS 6.0.1)
–Linkage support for virtual sensors
–Ability to use a CS-MARS global controller for linkage to Security Manager
–Support for ASA 8.1 netflow events
•You can now use CS-MARS global controllers to integrate CS-MARS and Security Manager.
•Modification to Services policy objects.
•Service object group discovery.
•Remote access VPN policy TOC redesign.
•Easy VPN enhancements.
•Upgrade of included applications: Common Services 3.1.1, RME 4.1.1, AUS 3.2.1, Performance Monitor 3.2.1, CSA 220.127.116.113.
•Support for running Security Manager in VMware ESX Server 3.5.
•Client support for Windows XP SP3 and Windows Vista SP1.
What's New in Security Manager 3.2
•In Service Pack 2, support for the Cisco IPS E2 Engine Update. After E2 is released, all new Cisco IPS signature releases will require E2.
•Improved integration between Cisco Security Manager and CS MARS (requires CS MARS version 4.3.4, 5.3.4, or a later release).
–Security Manager now supports integration with multiple instances of CS MARS.
–Support for connection establishment and teardown syslog messages for policy lookup from MARS events and events lookup from Security Manager policies.
–The Signature Summary table in Security Manager 3.2 (IPS > Signatures > Signatures) enables navigation to MARS to view the realtime or historical events detected by the selected signature. You can also select multiple signatures from the Signatures policy table and view events generated by them.
–The Access Rules page in Security Manager 3.2 (Firewall > Access Rules) enables you to select an ACE and navigate to the realtime and historical events generated by the ACE in MARS. For events matching a rule, only events generated by access rules are displayed. However, for events matching a flow, events generated by connection setup/teardown are also displayed in addition to those generated by firewall access rules in the Query page of MARS. You can also look up historical and realtime events matching the source or destination address of an ACE.
–The Query Results and Incident Details pages in MARS enable you to look up and modify the access rule in Security Manager that generated the event. Using MARS, you can also navigate from events that are generated during the establishment or tearing down of a TCP, UDP, or ICMP connection to the permit ACE in Security Manager for that specific event. You can start the Security Manager client from the read-only policy lookup table in MARS and modify the matching rules, without having to open the client in a separate session.
–The Query Results and Incident Details pages in MARS enable you to look up and modify the signature in Security Manager that generated the event on IPS and IOS IPS devices. For IPS events, MARS displays the read-only popup window from which you can click Edit Signature to navigate to the Signatures policy page in Security Manager and modify the matching IPS signature. You can also click Event Action Filter from the read-only popup window to configure a filter on the basis of signature categories to remove one or more actions from the signature event.
•Support for FWSM 3.2(2) and 3.2(3).
•Support for ASA 7.2.2, 7.2.3, and 7.2.4.
•ASA 8.0/8.1 Support:
–Firewall, Firewall Settings, and Platform support for all features that are backwards-compatible with 7.2.2 features.
–Support for Netflow logging.
•Support for ASA 5580-20 and 5580-40.
•Support for 3200 Series routers.
•Support for 2600XM routers.
•Support for 1861 ISR router.
•Support for configuration of RACLs, Interfaces, VLANs, Port Security, and FlexConfigs on Catalyst 3550, 3560, 3560E, 3750. 3750E, 3750 Metro, 4500 Series, 4948, and 4948 10GE switches.
•Support for IOS 12.2(33) SRA and SRB on the 7600 platform.
•Cisco Security Manager 3.2 supports the Cisco Intrusion Prevention System Advanced Integration Module (AIM-IPS). You can install AIM-IPS in Cisco 1841, 2800 series, and 3800 series routers.
•Notification for expiring rules.
•Enhancements to the Copy Policies feature.
•Improved inventory import/export support.
•Enhancements to email notifications.
•Display of inheritance information for policies.
•Windows Vista support for Cisco Security Manager client.
•Support for Internet Explorer 7.x and Firefox 2.x.
•High-availability support for IEV.
•Cisco Security Manager 3.2 supports the Cisco IPS 4270-20 Sensor.
What's New in Security Manager 3.1.1
•Upgrade from Security Manager 3.0.2 and 3.1.
•Ability to cross-launch ASDM 5.0(7) from Security Manager for ASA 7.0(1) through ASA 7.0(7) and PIX 7.0(1) through PIX 7.0(6).
•Ability to cross-launch the following most recently released device managers from Security Manager for the OS versions running on a device (Reference CSCsj51974).
–ASDM 5.2(3) support for ASA and PIX 7.2.
–PDM 4.1(5) support for FWSM 2.x.
–ASDM 5.2(2)F support for FWSM 3.x.
–SDM 2.4.1 support for the most recent and previous releases of Cisco IOS software running on your Cisco router.
•Cisco Security Manager 3.1.1 Service Pack 1 problem resolutions and additional device support:
Cisco IPS 4270 Sensor - http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/index.html
•Cisco Security Manager 3.1.1 Service Pack 2 problem resolutions.
•Support for Windows 2003 Server SP2.
•The ability to start the device manager from Security Manager for security appliances even if the HTTPS port number on the device is changed to any port number other than the default value of 443. In Security Manager 3.1, you could start the device manager from Security Manager only if the HTTPS port number on the device was retained at the default value.
If you started the device manager for a device with a different HTTPS port number than the currently configured value, the changed port number does not take effect for the first instance of device manager launch. This failure occurs because Security Manager attempts to establish a connection with a device with the cached port number, based on the connection timeout and retry count values specified in the Device Communication page. However, subsequent attempts to start the device manager are successful because Security Manager connects to the device using the changed port number.
•A new export utility, which runs from the command line, that you can use to generate and export a device inventory report in csv format.
•The option to control whether devices are automatically preselected for deployment.
•Improvements to activity approval notifications. Only users who are viewing data that has been updated by another user are prompted to refresh their view of the data.
What's New in Security Manager 3.1
•Upgrade from Security Manager 3.0 and 3.0.1.
•Integrated IPS features. While Security Manager 3.0 allowed you to cross-launch the IPS Management Center to access IPS functionality, Security Manager 3.1 provides fully integrated IPS features.
•Native integrated Catalyst 6500/Cisco 7600 Router and VACL management.
•Ability to cross-launch IPS Event Viewer 5.2 to monitor IPS sensors.
•Ability to test the communication between Security Manager and devices that have been or are being added to the inventory.
•Ability to discover site-to-site and remote access VPNs.
•Ability to discover IOS router configurations.
•Ability to preserve user-defined ACL names.
•Embedded read-only access to SDM, ASDM, IDM, and IEV for monitoring of individual devices.
•Navigation to access rule policy for ACL-related syslog messages from the real-time syslog viewer of SDM 2.3.4 and ASDM 5.2.2.
•Navigation to IPS signature policy for IPS events from IEV Realtime Dashboard and Views tab.
•Enhanced reporting features, including device-centric policy report and inventory report.
•Device, interface, and VPN up/down status reported in inventory report.
•Detailed activity report for firewall and IDS devices.
•Ability to configure SSL VPN on IOS and ASA 7.1/7.2 devices.
•Cross-launch of RME SWIM for OS management.
•Ability to use Security Manager user login credentials to connect to devices.
•Ability to use Telnet as a transport protocol to communicate with IOS and Catalyst 6500/7600 devices.
•Enhanced device certificate retrieval support including bulk retrieval through CLIs.
•Support for the following additional features on IOS devices:
–Additional Easy VPN features
–Comprehensive AAA support
–QoS TAC enhancements
–Authentication proxy enhancements
–Additional interface settings, such as IP redirect, IP reply, virtual reassembly, and others
–Additional firewall features, such as support for IM blocking, java list, DOS settings, and voice service inspection
–Additional IPSec VPN features, such as large-scale DMVPN, AIM III
•Support for the following additional features on FWSM 3.1:
–More than one pair of layer 2 interfaces
–FTP authentication challenge
–Destination NAT for multicast
–4K global statements
•Support for the following features on ASA 7.2 devices:
–Easy VPN HW client parity with PIX 501/506/VPN3002
–Dual ISP support
–Home/Business VLAN support
–Enhanced auto-update support
–HA - sub-second failover
–Virtualization - resource manager
–Extended usage of DNS domain names
–Generic input rate limiting
–MPF-based regular expression classification map
–N2H2 HTTPS/FTP filtering support
•Support for the following features on FWSM 3.2:
–TACACS+ command enhancements
–Xlate table bypass
–H323 GUP support
–Cut through proxy enhancements
•Support for AIM III (IPSec/SSL VPN)
•Support for IPS 5.1/6.0 and IOS IPS in IOS 12.4(11)Tx
•Support for the following features on IPS 6.0 devices:
–Passive OS fingerprinting
–Simplified custom signature creation
–Signature update wizard, preview and tuning of new signatures
–IPS signature update license management
–External product interface (linkage of IPS sensor with CSA MC)
What's New in Security Manager 3.0.2
•Ability to generate a table of changes to devices, shared policies, and building blocks within a given activity (Workflow Mode) or configuration session (nonWorkflow Mode).
•You can elect to retain user-defined ACL names instead of having Security Manager generate ACL names.
•Ability to enter no value when defining network policy objects that are to be overridden at the device level.
•Tool for locating unreferenced policy objects.
•Option to control whether parent object values can be overridden at the device level for certain devices.
•Option to control whether devices are preselected during deployment.
•Ability to optimize network policy objects when you generate configurations for PIX, FWSM, and ASA devices for deployment. Optimization merges adjacent networks and removes redundant network entries.
•Improvements to activity approval notifications. Only users who are viewing data that has been updated by another user will be prompted to refresh their view of the data.
•Security Manager 3.0.2 includes an export utility, run from the command line, that you can use to generate and export a device inventory report in csv format.
What's New in Security Manager 3.0.1
•Support for Cisco IPSec VPN Shared Port Adapter (VPN SPA) on Catalyst 6500/7600 devices. VPN feature support for the VPN SPA is the same as for VPNSM.
•Support for FWSM 3.1. Firewall feature support includes features supported on PIX 7.0 devices, plus the following new high-end features:
–Support for 250 contexts
–Mixed L2 and L3 firewalls per blade
–Asymmetric routing support
•Support for PIX/ASA 7.1 and ASA 5550. Support for all equivalent PIX 7.0 features. SSL VPN will be supported in a later release.
•Router ACL (RACL) on Catalyst 6500/7600 devices.
•Syslog configuration on IOS routers.
•NTP configuration on IOS routers.
•Ability to launch CS-MARS from the Cisco Security Manager Suite home page.
•Qualification of the following software releases:
–IOS 12.4(4)T and IOS 12.4(6)T on IOS routers (except 7600 devices)
–IOS 12.2(18) SXE4 and IOS 12.2(18) SXF2 on Catalyst 6500/7600 devices.
–Common Services 3.0.4
•Cisco Security Agent 5.1
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2011 Cisco Systems, Inc. All rights reserved.