Table Of Contents
Release Note for the Cisco Anomaly Guard Module
Contents
New Features in Software Version 5.0(1)
Maximum Number of Modules Supported in a Catalyst 6500 Chassis
Operating Considerations
Software Version 5.0(x) Open Caveats
Software Version 5.0(3) Resolved Caveats
Related Documentation
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Note for the Cisco Anomaly Guard Module
July 31, 2006
Note 
The most current Cisco documentation for released products is also available on Cisco.com. The online documents may contain updates and modifications made after the hardcopy documents were released.
Contents
This release note applies to software versions 5.0(x) and 5.0(3) for the Cisco Anomaly Guard Module (Guard module). The Cisco Catalyst 6500 Series Switch and the 7600 Series Router support the Guard module.
•The Catalyst 6500 requires IOS 12.2(18)SXD3 or later and a SUP720 or a SUP2 with an MSFC2 to support the Guard module.
•The 7600 Series Router require IOS 12.2(18)SXE or later and a SUP720 to support the Guard module.
This release note contains the following sections:
•New Features in Software Version 5.0(1)
•Maximum Number of Modules Supported in a Catalyst 6500 Chassis
•Operating Considerations
•Software Version 5.0(x) Open Caveats
•Software Version 5.0(3) Resolved Caveats
•Related Documentation
•Obtaining Documentation, Obtaining Support, and Security Guidelines
New Features in Software Version 5.0(1)
The following new features are available in software version 5.0(1):
•24x7 Protection and Learning
–Simultaneous detection and learning
–Detector learns for Guard
–New handling of snapshots
–New Detector-to-Guard communication protocols
•Traffic Analysis
–DDoS-optimized peace vs. attack traffic analyzer
•Signature Extraction
•Content-based filter
•New activation interfaces
–Protect by IP
–Protect by packet
–New handling of sub-zones
•Internal improvements to DNS anti-spoofing mechanism
•No reload required on most network reconfigurations
•Improved hard drive failure handling
•Worm Detection (TCP policies only)
•Improved attack start and stop timing
•Handling of new attack sub-types
•Secure FTP support for various file exports
Maximum Number of Modules Supported in a Catalyst 6500 Chassis
The Catalyst 6500 9-slot chassis supports a combined maximum of eight Anomaly Guard modules and Traffic Anomaly Detector modules. You can install a maximum of eight Guard modules or a maximum of four Detector modules in a single chassis in any combination for a total of eight modules.
A Catalyst 6500 13-slot chassis supports a combined maximum of 10 Anomaly Guard modules and Traffic Anomaly Detector modules. You can install a maximum of eight Guard modules or a maximum of four Detector modules in a single chassis in any combination for a total of 10 modules.
Operating Considerations
The following operating considerations apply to the Cisco Anomaly Guard Module.
•Caution when upgrading the software - Do not press Ctrl-C during the upgrade process or the upgrade may fail.
•The copy ftp command only supports active mode.
Software Version 5.0(x) Open Caveats
The following caveats are open software version 5.0(x):
•CSCrh01198—After you reload the Guard module, it erases the default gateway if the gateway is on the same subnet as one of the Guard module's configured VLAN interfaces. Workaround: Use a static route instead of a default gateway.
•CSCsb07081—The Flex-Content filter cannot find a pattern in SYN packets.
•CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop up window waits for results from the signature generation process. Even if you close the pop up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop up window receives a result, or issue the no service wbm command.
•CSCsb29077—The WBM does not allow you to add IP addresses to a threshold list. Using the WBM to add IP addresses to the threshold list of a policy results in wrong IP addresses in the list. Workaround: Only use the CLI to add IP addresses to a threshold list.
•CSCsb29083—You cannot use the same name to create packet dumps in different zones. Workaround: Assign unique names to manual packet dumps.
•CSCuk52975—The Guard module does not report the install new-version and reload commands to the accounting server.
•CSCsa64914 - The name of the Flexible Filter Drop Count counter in the WBM Zone>Configuration>General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the Flex-Content filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as:
–Drop - the Flexible Filter Count value displays the number of dropped packets
–Count - the Flexible Filter Count value displays the number of counted packets
Software Version 5.0(3) Resolved Caveats
The following caveats were resolved in software version 5.0(3):
•CSCsb46255 - The Guard module may erroneously report millions of concurrent connections.
•CSCsb50696 - The Guard module uses the root username when importing configurations using SFTP.
•CSCsb55055 - The Guard module does not properly upgrade zones that contain a hyphen ( - ) or a period ( . ) in the zone name.
Related Documentation
The following documentation is available for the Cisco Anomaly Guard Module:
•Cisco Anomaly Guard Module and Traffic Anomaly Detector Module Installation Note
•Cisco Anomaly Guard Module Configuration Guide
•Cisco Anomaly Guard Module Web-Based Manager Configuration Guide
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
