Cisco Guard DDoS Mitigation Appliances

Release Note for the Cisco Guard (Software Version 3.1.x)


July 31, 2006


Note: The most current Cisco documentation for released products is also available on Cisco.com. The online documents may contain updates and modifications made after the hardcopy documents were released.


Contents

This release note applies to software versions 3.1(2) and 3.1(0.12) for the Cisco Guard (Guard). This release note contains the following sections:

New Features in Software Release 3.1(2)

New Features in Software Release 3.1(0.12)

Operating Considerations

Software Version 3.1(2) Open Caveats and Resolved Caveats

Software Version 3.1(0.12) Open Caveats and Resolved Caveats

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

New Features in Software Release 3.1(2)

The following new features have been added in software release 3.1(2):

Rate Limiter Enhancement

Displaying the BIOS Log

Rate Limiter Enhancement

The Rate Limiter drops traffic intended for the zone that exceeds the rate that is defined by the global rate limiter configuration or by the User filter rate limiter configuration.

The Guard applies the Rate Limiter to zone traffic after the Recognition module samples it. This enhancement enables the Guard to detect anomalies on traffic that the Rate Limiter mitigation mechanism drops, and thus block the anomaly flows using dynamic drop filters.

Displaying the BIOS Log

The BIOS log provides system messages related to the BIOS and messages related to hardware events such as power off and restart.

To view the Guard BIOS log, use the show log bios command.

For example:

admin@GUARD# show log bios

To clear the BIOS log, use the clear log bios command at the configuration prompt.

New Features in Software Release 3.1(0.12)

The following new features have been added in software release 3.1(0.12):

Enhanced TACACS+ Access Control Support

Exporting Reports in XML Format

Enhanced Web-Based Management Screens

New SNMP OID

Tab Completion for Interface Names

Enhanced TACACS+ Access Control Support

Software release 3.1(0.12) enhances TACACS+ support. You can configure the Guard as a client of a TACACS+ server to provide a method of authorization and accounting of configuration and non-configuration commands, in addition to authentication of users.

The Guard supports two kinds of TACACS+ authorization:

Exec authorization—Determines the user privilege level when the user is authenticated.

Command authorization—Consults a TACACS+ server to get authorization for commands once the user enters them.

The TACACS+ configuration applies for both the CLI and WBM management connections.

Exporting Reports in XML Format

You can export reports in Extensible Markup Language (XML) format in addition to text format. You can export a summarized or detailed report. To enable easy automation for exporting zone reports using external scripts, you can now export all reports in detail.

You can export the following reports:

A comprehensive report of attacks detailing attacks on all zones

A comprehensive report listing attacks on a specific zone

Enhanced Web-Based Management Screens

Several WBM screens have been redesigned to enable greater flexibility. The new screens are listed below:

Policies statistics—This screen appears under the zone diagnostics menu. It provides statistical information, similar to the show policies statistics CLI command.

Drop statistics—This screen appears under the zone diagnostics menu. It provides statistical information, similar to the show drop-statistics CLI command.

Add service—This screen appears under the zone configuration menu. Use this screen to manually add policies for a specific service under a policy template.

Remove service—This screen appears under the zone configuration menu. Use this screen to manually remove policies for a specific service from a policy template.

About—A new screen that shows the software version of the Guard.

New SNMP OID

A new SNMP OID, rhNEChassisSerialNumber, describing the Chassis serial number has been added. You can also view this information by issuing the show version command.

Tab Completion for Interface Names

You can now view the interface names when issuing the interface command. Enter the command and press TAB twice or enter ?.

Operating Considerations

The following operating considerations apply to the Cisco Guard.

Caution when upgrading the software - Do not press Ctrl-C during the upgrade process or the upgrade may fail.

The copy ftp command only supports active mode.

Software Version 3.1(2) Open Caveats and Resolved Caveats

The following sections contain the open caveats and resolved caveats in software version 3.1(2):

Software Version 3.1(2) Open Caveats

Software Version 3.1(2) Resolved Caveats

Software Version 3.1(2) Open Caveats

The following caveats are open in software version 3.1(2):

CSCrh00789—All proxy up or down status IP addresses are directly linked to Giga1 status. If you shut down the Giga1 interface, all proxy IP addresses are disabled. Workaround: Use Giga1 as the primary interface. Always deactivate the Guard protection before shutdown.

CSCrh01198—After you reload the Guard, it erases the default gateway if the gateway is on the same subnet as one of the Guard configured VLAN interfaces. Workaround: Use a static route instead of a default gateway.

CSCrh01574—The Guard does not clear the User-filter counters after you enter the renumber command. This may lead to erroneous filter counter display. Workaround: Disregard rate information for a maximum of 20 seconds after filter re-enumeration.

CSCuk51045—The upgrade process from software release 3.05 to software release 3.1(2) does not repartition the hard disk. To perform an upgrade, you must first upgrade to software release 3.07, and then upgrade to 3.1(2).

CSCuk51099, CSCuk51368—The Guard may stop responding during a reload if it receives network traffic over a virtual interface (VLAN or tunnel) while it is reloading. Workaround: Reload the Guard.

CSCuk52900—After you enter the reload command, the Guard may report a failure to start the Cisco proprietary accelerator card. If you enter additional commands, the following error message appears:

Cannot connect to management system, System not operational

Workaround: Re-enter the reload command.

CSCuk52975—The Guard does not report the install new-version and reload commands to the accounting server.

CSCuk54606—When activating a zone (issuing the protect or the learning commands), the Guard displays the following error message even if the configuration is correct and the Guard diversion is working properly:

no injection path 

The Guard could display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address. For example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25. Workaround: Configure a default injection route for the Guard or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses to be the same.

CSCuk55666—When you enter the show running-config command, the Guard displays multiple TACACS+ accounting commands in its configuration.

CSCuk55671—When you import a configuration to a newly installed Guard (installed from base) using the copy ftp running-config command, the Guard does not import the TACACS+ server configuration.

CSCsa64914 - The name of the Flexible Filter Drop Count counter in the Web-Based Management Zone>Configuration>General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the flex-filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as:

Drop - the Flexible Filter Count value displays the number of dropped packets

Count - the Flexible Filter Count value displays the number of counted packets

Software Version 3.1(2) Resolved Caveats

The following caveats were resolved in software version 3.1(2):

CSCuk52712—SNMP interface indexes in ifAdEnIfindex are changed during reload and stop being correlated with iftable indexes.

CSCuk52018—On some occasions the Guard watchdog reported an irrelevant hardware error about unavailable LED information.

CSCuk52396—When issuing the protect command for a specific IP address in the zone (protect zone-name ip-address), if the original zone name is longer than or equal to 30 characters, the name of the newly created zone is incorrect and it cannot be removed.

CSCuk51373—Adding an ssh-dsa key longer than 1024 bytes causes the CLI to crash when issuing the show running-config command. The key remove command fails to remove the key.

CSCuk52710—After setting the date to a date in the past using the date command, SNMP may display cached information rather than updated information.

CSCuk53037—In case of a zombie attack on several zones, the list of the reported zombie IP addresses of one zone may include zombie IP addresses from another zone.

CSCuk54499—Using the protect zone-name ip-address command extensively causes the Recognition module to fail when loading newly created zones.

CSCuk55076—The upgrade process may fail when managing from the inband interface.

CSCuk55114—When issuing the no shutdown command for a loopback interface, the Guard displays the status of the interface as shutdown.

CSCuk54898—The copy debug-core command fails when exporting to a Windows FTP server.

CSCuk55806—DNS queries with additional resource records are considered malformed and are therefore dropped.

CSCeg57556—You must enter the reload command for an NTP configuration change to take effect.

CSCuk55584—When you compare the zone policies in the CLI using the diff command, and in the WBM by selecting Configuration > Compare policies from the zone main menu, the results are different.

CSCuk55755—Inconsistency in password length restriction between CLI and WBM.

CSCuk55721—TCP and UDP fragmented packets with zeros at the beginning of the payload are identified as zero-port traffic and are dropped.

Software Version 3.1(0.12) Open Caveats and Resolved Caveats

The following sections contain the open caveats and resolved caveats in software version 3.1(0.12):

Software Version 3.1(0.12) Open Caveats

Software Version 3.1(0.12) Resolved Caveats

Software Version 3.1(0.12) Open Caveats

The following caveats are open in software version 3.1(0.12):

CSCuk55076—The upgrade process may fail when managing from the inband interface. Workaround: We highly recommend that you do not perform the upgrade from the inband interface. Connect to the serial console or the physical console to perform the upgrade. If these are not available, connect to the out of band interface.

CSCrh00789—All proxy up or down status IP addresses are directly linked to the Giga1 interface status. If you shut down the Giga1 interface, all proxy IP addresses are disabled. Workaround: Use Giga1 as the primary interface. Always deactivate the Guard protection before shutdown.

CSCrh01198—After you reload the Guard, it erases the default gateway if the gateway is on the same subnet as one of the Guard configured VLAN interfaces. Workaround: Use a static route instead of a default gateway.

CSCrh01574—The Guard does not clear the User-filter counters after you enter the renumber command. This may lead to erroneous filter counter display. Workaround: Disregard rate information for a maximum of 20 seconds after filter re-enumeration.

CSCuk51045—The upgrade process from software release 3.05 to software release 3.1(0.12) does not repartition the hard disk. To perform an upgrade, you must first upgrade to software release 3.07, and then upgrade to 3.1(0.12).

CSCuk51099, CSCuk51368—The Guard may stop responding during a reload if it receives network traffic over a virtual interface (VLAN or tunnel) while it is reloading. Workaround: Perform a power cycle.

CSCuk52900—After you enter the reload command, the Guard may report a failure to start the Cisco proprietary accelerator card. If you enter additional commands, the following error message appears:

Cannot connect to management system, System not operational

Workaround: Re-enter the reload command.

CSCuk53196—When you enter the protect command, you may not receive an error message if a route injection path for the zone does not exist. Workaround: Reload the Guard.

CSCuk52975—The Guard does not report the install new-version and reload commands to the accounting server.

CSCuk53037—In case of a zombie attack on several zones, the list of the reported zombie IP addresses of one zone may include zombie IP addresses from another zone.

CSCuk54606—When activating a zone (issuing the protect or the learning commands), the Guard displays the following error message even if the configuration is correct and the Guard diversion is working properly:

no injection path 

The Guard could display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address. For example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25. Workaround: Configure a default injection route for the Guard or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses to be the same.
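The prefix mismatch behind CSCuk54606 (open in both 3.1(2) and 3.1(0.12)) can be checked offline before a zone is activated. The following Python is an added example, not Cisco code: the function name check_injection and its status labels are hypothetical, the classification rule is inferred from the caveat text, and it goes slightly beyond the caveat by flagging any zone that is covered by injection routes without an exact match, and by separating that case from a zone with a real gap in its injection routes. IPv4 only.

```python
import ipaddress


def check_injection(zone_prefixes, injection_routes):
    """Classify each zone prefix against the injection routes (IPv4 only).

    Returns {zone: status} where status is one of:
      "ok"                   - a default injection route exists, or a route
                               matches the zone prefix exactly
      "covered-not-matching" - routes jointly cover the zone but none matches
                               it (the situation CSCuk54606 describes)
      "no-path"              - part of the zone has no injection route at all
    """
    routes = [ipaddress.IPv4Network(r) for r in injection_routes]
    has_default = any(r.prefixlen == 0 for r in routes)
    # Merge adjacent and overlapping routes so that two /25s read as one /24.
    merged = list(ipaddress.collapse_addresses(routes))

    result = {}
    for text in zone_prefixes:
        zone = ipaddress.IPv4Network(text)
        if has_default or zone in routes:
            status = "ok"
        elif any(zone.subnet_of(m) for m in merged):
            status = "covered-not-matching"
        else:
            status = "no-path"
        result[str(zone)] = status
    return result


if __name__ == "__main__":
    # Addresses taken from the caveat's own example.
    zone = ["192.168.254.0/24"]
    split_routes = ["192.168.254.0/25", "192.168.254.128/25"]

    print(check_injection(zone, split_routes))                  # caveat case
    print(check_injection(zone, split_routes + ["0.0.0.0/0"]))  # workaround 1
    print(check_injection(split_routes, split_routes))          # workaround 2
    print(check_injection(zone, split_routes[:1]))              # real gap
```

A "covered-not-matching" result means the "no injection path" message is expected even though diversion works; a "no-path" result means the message reflects a real configuration gap.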

Software Version 3.1(0.12) Resolved Caveats

The following caveats were resolved in software version 3.1(0.12):

CSCuk52712—The SNMP interface indexes in ifAdEnIfindex are changed during reload and stop being correlated with iftable indexes.

CSCuk52018—On some occasions the Guard watchdog reported an irrelevant hardware error about unavailable LED information.

CSCuk52396—When issuing the protect command for a specific IP address in the zone (protect zone-name ip-address), if the original zone name is longer than or equal to 30 characters, the name of the newly created zone is incorrect and it cannot be removed.

CSCuk51373—Adding an ssh-dsa key longer than 1024 bytes causes the CLI to crash when issuing the show running-config command. The key remove command fails to remove the key.

CSCuk52710—After setting the date to a date in the past using the date command, SNMP may display cached information rather than updated information.

CSCuk54499—Using the protect zone-name ip-address command extensively causes the Recognition module to fail when loading newly created zones.

Related Documentation

The following Guard documents are available:

Cisco Guard User Guide

Cisco Guard Web-Based Management User Guide

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html