Cisco Guard DDoS Mitigation Appliances

Release Note for the Cisco Guard Appliance (Software Version 6.0(x))


Release Note for the Cisco Guard Appliance


July 16, 2007


Note The most current Cisco documentation for released products is available on Cisco.com.


Contents

This release note applies to software versions 6.0(10) and 6.0(5) for the Cisco Guard appliance (Guard). This release note contains the following sections:

New Features in Software Version 6.0(5)

Upgrading to Software Version 6.0(x)

Operating Considerations

MultiDevice Manager Commands Omitted from the Configuration Guide

Software Version 6.0(10) Open and Resolved Caveats

Software Version 6.0(5) Open and Resolved Caveats

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

New Features in Software Version 6.0(5)

The following new features are available in software version 6.0(5):

Support for the 2007 daylight saving time (DST) change.

Ability to set the TACACS+ server port.

Ability to set the TACACS+ encryption key.

Upgrading to Software Version 6.0(x)

In software version 4.x, the Guard allowed you to configure illegal subnet masks (a mask that is not a contiguous run of 1-bits followed by 0-bits). Starting with software version 5.1(4), the Guard checks that subnet masks are legal. When you upgrade from a software version earlier than 5.1(4) to version 6.0(x), the Guard corrupts every zone configuration that contains an illegal subnet mask. To prevent this, replace each illegal subnet mask with a legal one by performing the following steps before you upgrade the software:


Step 1 Use the no ip address command to delete the zone IP address entry that has the illegal subnet mask.

Step 2 Use the ip address command to re-enter the zone IP address with a legal subnet mask.


For details on configuring zone IP addresses, see the "Configuring the Zone IP address Range" section in the Cisco Guard Configuration Guide.

Software upgrade instructions are located in the "Upgrading the Guard Software Version" section in the Cisco Guard Configuration Guide.
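The following script, added here as an example and not part of the Cisco release note, automates the check behind the procedure above: it scans a text export of zone configurations for ip address lines whose mask is illegal (not a contiguous run of 1-bits followed by 0-bits) and prints the no ip address / ip address pair that corrects each one. The line format ip address <address> <mask>, the sample configuration, and the guessed prefix length are assumptions constructed for the example; confirm the exact command syntax in the Cisco Guard Configuration Guide before applying the output to a Guard.

```python
"""Pre-upgrade check for illegal subnet masks in Cisco Guard zone configurations.

Added example, not Cisco code. The 'ip address <address> <mask>' line format
and the sample configuration below are constructed assumptions.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample export of zone configurations (assumed format).
SAMPLE_ZONE_CONFIG = """\
zone web-farm
 ip address 192.168.254.0 255.255.255.0
 ip address 10.10.0.0 255.255.0.255
 ip address 172.16.5.0 255.255.255.128
 ip address 172.16.6.0 255.0.255.0
"""

IP_ADDRESS_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")


def mask_is_legal(mask: str) -> bool:
    """True if the dotted-quad mask is a contiguous run of 1-bits followed by 0-bits.

    Inverting such a mask gives a value of the form 2**k - 1, and those are exactly
    the values v for which v & (v + 1) == 0.
    """
    try:
        value = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    inverted = ~value & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def prefix_length(mask: str) -> int:
    """Number of 1-bits in the mask, e.g. 255.255.255.0 -> 24 (only a guess for an illegal mask)."""
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def find_illegal_masks(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, address, mask) for each ip address line with an illegal mask."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = IP_ADDRESS_RE.match(line)
        if match is None:
            continue
        address, mask = match.groups()
        if not mask_is_legal(mask):
            findings.append((lineno, address, mask))
    return findings


def remediation_commands(address: str, bad_mask: str, new_prefix: int) -> List[str]:
    """The two-step fix from the release note: delete the entry, re-add it with a legal mask.

    new_prefix is the prefix length the operator intends; it cannot be derived
    reliably from an illegal mask, so it is a required argument.
    """
    new_mask = str(ipaddress.IPv4Network((address, new_prefix), strict=False).netmask)
    return [f"no ip address {address} {bad_mask}", f"ip address {address} {new_mask}"]


if __name__ == "__main__":
    illegal = find_illegal_masks(SAMPLE_ZONE_CONFIG)
    if not illegal:
        print("no illegal subnet masks found")
    for lineno, address, mask in illegal:
        print(f"line {lineno}: illegal mask {mask} on {address}")
        # The 1-bit count is only a starting guess; the operator must confirm the prefix.
        for cmd in remediation_commands(address, mask, prefix_length(mask)):
            print("   ", cmd)
```

Run it against an export of every zone configuration before starting the upgrade; an empty result means the 5.1(4) mask check has nothing to reject.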

Operating Considerations

The following operating considerations apply to the Cisco Guard:

The Guard operates using a self-protection configuration to protect itself from DDoS attacks on the network. Cisco configures the self-protection configuration with a set of default parameter values, which you can modify.

When you upgrade the Guard to software version 6.0(x) from a version earlier than 5.1(5), the upgrade overwrites the existing self-protection configuration with the new configuration contained in the upgrade. If you had modified the self-protection configuration of the previously installed software, you need to make the same modifications to the new self-protection configuration. Do not copy your original self-protection configuration to the Guard, because the original configuration blocks one or both of the following ports when you access the Guard through an inline interface:

Ports 3220 and 1334 if you upgrade from a software version earlier than 5.1(5). Port 3220 was added to the self-protection configuration in versions 5.0(x) and 5.1(x), and port 1334 was added in version 5.1(5), so a self-protection configuration from an older version does not permit them.

Note that if you reinstall software version 5.1(5) or higher after modifying the self-protection configuration, your changes to the configuration remain intact. Upgrading from software version 5.1(5) to a higher version will also leave your modified self-protection configuration intact.

The copy ftp command supports active-mode FTP only. In active mode the FTP server opens the data connection back to the Guard, so any firewall between the Guard and the FTP server must permit that inbound connection.

MultiDevice Manager Commands Omitted from the Configuration Guide

Three commands related to the Cisco DDoS MultiDevice Manager (MDM) functionality on the Guard were introduced in software version 5.1(5) but were omitted from the Cisco Guard Configuration Guide. The following sections describe these commands:

mdm logging trap Command

mdm restore Command

show mdm Command

mdm logging trap Command

To configure the severity level of the messages that the Guard traps for MDM logging, use the mdm logging trap command in global configuration mode. To disable MDM trap logging, use the no form of this command.

The syntax for this command is as follows:

mdm logging trap {alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}

The following table describes the keywords for the mdm logging trap command, listed from most to least severe. As with standard syslog trap levels, a keyword traps messages of that severity and of every more severe (lower-numbered) level, so the default of emergencies traps only severity 0 messages.

Keyword          Description

emergencies      System is unusable (severity=0). This is the default.

alerts           Immediate action needed (severity=1).

critical         Critical conditions (severity=2).

errors           Error conditions (severity=3).

warnings         Warning conditions (severity=4).

notifications    Normal but significant conditions (severity=5).

informational    Informational messages (severity=6).

debugging        Debugging messages (severity=7).


For example, to capture and log informational messages, use the mdm logging trap informational command in global configuration mode.

user@GUARD# configure 
user@GUARD-conf# mdm logging trap informational
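To make the effect of the trap level concrete, the following script (an added example, not Cisco code) applies each mdm logging trap keyword to a handful of constructed syslog lines and reports which ones would be sent. It assumes the standard syslog convention that a trap level passes messages at that severity and every more severe one, and that the messages carry an RFC 3164 <PRI> header (PRI = facility * 8 + severity); the message texts and the local4 facility are invented for the example.

```python
"""Which messages an 'mdm logging trap <level>' setting lets through.

Added example, not Cisco code. Assumes the standard syslog convention that a
trap level passes messages at that severity and every more severe
(lower-numbered) one, and an RFC 3164 <PRI> header where
PRI = facility * 8 + severity. The log lines are constructed for the example.
"""
import re
from typing import List, Optional, Tuple

# Keywords of the mdm logging trap command and their syslog severities.
TRAP_LEVELS = {
    "emergencies": 0,
    "alerts": 1,
    "critical": 2,
    "errors": 3,
    "warnings": 4,
    "notifications": 5,
    "informational": 6,
    "debugging": 7,
}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")

# Constructed sample messages; PRI 160-167 is facility local4 (20 * 8) plus the severity.
SAMPLE_SYSLOG = [
    "<0>Jul 16 10:00:01 GUARD kernel: panic - system unusable",           # emergencies
    "<161>Jul 16 10:00:02 GUARD mdm: RA upgrade failed, retrying",        # alerts
    "<164>Jul 16 10:00:03 GUARD mdm: key exchange required for manager",  # warnings
    "<166>Jul 16 10:00:04 GUARD mdm: connected to manager",               # informational
    "<167>Jul 16 10:00:05 GUARD mdm: heartbeat sent",                     # debugging
]


def parse_pri(line: str) -> Optional[Tuple[int, int, str]]:
    """Split an RFC 3164 line into (facility, severity, rest); None if there is no valid PRI."""
    match = PRI_RE.match(line)
    if match is None:
        return None
    pri = int(match.group(1))
    if pri > 191:  # 23 facilities * 8 + severity 7 is the largest valid PRI
        return None
    return pri // 8, pri % 8, match.group(2)


def passes_trap(line: str, level: str) -> bool:
    """True if 'mdm logging trap <level>' would send this line to the MDM."""
    threshold = TRAP_LEVELS[level]  # KeyError for a keyword the command does not accept
    parsed = parse_pri(line)
    if parsed is None:
        return False
    return parsed[1] <= threshold


def filter_by_trap(lines: List[str], level: str) -> List[str]:
    """The subset of lines that the given trap level lets through."""
    return [line for line in lines if passes_trap(line, level)]


if __name__ == "__main__":
    for level in ("emergencies", "warnings", "informational", "debugging"):
        kept = filter_by_trap(SAMPLE_SYSLOG, level)
        print(f"mdm logging trap {level}: {len(kept)} of {len(SAMPLE_SYSLOG)} messages")
```

With the default of emergencies only the first line is sent, so an operator who expects RA upgrade failures or key exchange problems to reach the MDM log must raise the level at least to alerts or warnings.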

mdm restore Command

When you enable the MDM service on the Guard so that the MDM can manage the device, the MDM automatically upgrades the Remote Agent (RA) on the device when it establishes a communication link with the device. While the MDM is upgrading the device RA, the MDM displays the device operating state as Initializing. The state changes to Connected when the RA upgrade is complete.

A device that appears to remain in the Initializing state indefinitely may indicate that the MDM is attempting to upgrade the device RA but cannot complete the upgrade.

Use the mdm restore command to resolve problems with upgrading and connecting the device RA. The command returns the device RA to the stub and forces the MDM to reinstall the latest RA version. Use the mdm restore command in global configuration mode.

The syntax for this command is as follows:

mdm restore

For example:

user@GUARD# configure 
user@GUARD-conf# mdm restore

show mdm Command

To check the status of MDM connections and settings, use the show mdm command in EXEC mode.

The syntax for this command is as follows:

show mdm

For example:

user@GUARD# show mdm 

The following table describes the fields in the show mdm display.

Field                 Description

MDM service state     Operating state of the MDM service: enabled or disabled.

MDM servers           List of the MDM servers that you define on the device (permitting them to access the device), with the state of the key exchange process for each server: key exchange is complete or key exchange is required.

Connected managers    The MDM server currently connected to and managing the device.

MDM syslog level      The MDM logging level configured with the mdm logging trap command: alerts, critical, debugging, emergencies, errors, informational, notifications, or warnings.


Software Version 6.0(10) Open and Resolved Caveats

The following sections contain the open and resolved caveats in software version 6.0(10):

Software Version 6.0(10) Open Caveats

Software Version 6.0(10) Resolved Caveats

Software Version 6.0(10) Open Caveats

The following caveats are open in software version 6.0(10):

CSCrh01198—After you reload the Guard, it erases the default gateway if the gateway is on the same subnet as one of the configured VLAN interfaces on the Guard. Workaround: Use a static route instead of a default gateway.

CSCsa64914—The name of the Flexible Filter Drop Count counter in the WBM Zone>Configuration>General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the Flex-Content filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as:

Drop, the Flexible Filter Count value displays the number of dropped packets

Count, the Flexible Filter Count value displays the number of counted packets

CSCsa78440—The protect-by-packet activation interface does not apply to zones that are on the same subnet as the Guard. Workaround: Use a different activation interface.

CSCsb07081—The flex-content filter cannot find a pattern in SYN packets.

CSCsb20206—The WBM remains unresponsive while the pop up window waits for results from the signature generation process. Even if you close the pop up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop up window receives a result, or issue the no service wbm CLI command in configuration mode.

CSCsb26519—If you configure the protect-by-packet activation method on one of the zones, the Guard fails to handle several thousand injected dynamic routes. Workaround: Either deactivate protect-by-packet or limit the number of incoming dynamic routes so that it does not exceed 16,000.

CSCsb29083—You cannot assign an identical name to manual packet dumps that you create in different zones. Workaround: Assign unique names to manual packet dumps.

CSCsc05116—The Guard may stop functioning or start logging errors after reaching 100% anomaly detection engine memory utilization. Workaround: Use the show resources command in global mode to view the amount of anomaly detection engine memory currently being used by the Guard. Reducing the number of active zones may free up memory.

CSCsc36095—Loopback interfaces 100 and higher disappear or become proxy interfaces when you upgrade from previous software versions to software version 5.1(4) or higher. Workaround: Renumber loopback interfaces before upgrading the Guard from a version prior to 5.1(4) to version 6.0(x).

CSCsc49737—The accelerator card may fail to load on the first attempt during the reload or bootup process. The Guard issues and logs an error message. The Guard attempts two additional loads.

CSCsc51207—The Guard does not evaluate all conditions defined in the flex-content filter when the filter is built from more than one offset-based element (for example, udp[64:4]=0x1234) joined by "or". If one of the elements has an offset beyond the end of the packet, the Guard does not evaluate the remaining elements. Workaround: Build the filter so that its elements are ordered by offset, smallest first.

CSCsc69508—After importing an HTML file to serve as login banner, some SSH clients may not be able to connect to the Guard. Workaround: Remove the login banner.

CSCsc77155—After a Guard reloads 1,024 consecutive times, it cannot be accessed from the network. Workaround: Reboot the Guard.

CSCsd39569—After several hundred consecutive reloads, the Guard may automatically reboot. Workaround: None.

CSCsd59648—A GRE keepalive does not work if you configure it before there is connectivity on a GRE tunnel. Workaround: Make sure the GRE tunnel is up and connected before configuring a keepalive on the tunnel.

CSCsd59673—The Guard does not respond to incoming GRE keepalive messages unless the keepalive is configured on its GRE interface.

CSCsd82140—The Guard black-holes traffic when you configure floating static (redundant) routes and the network interface of the best route is shut down and then restarted. Workaround: Either reload the Guard or manually update the routes within router configuration mode.

CSCsd83077—The Guard responds to a larger size packet than the MTU value set for its network interfaces.

CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the more 0 command.

CSCse19834—Activating a zone with a combination of a large number of subnets and excluded subnets may take a few seconds to several minutes, depending on the number of subnets (excluded or included).

CSCse27876—When you press Ctrl-C during an import of a new software version or configuration, you interrupt the import process and the CLI session may get disconnected. Workaround: Do not press Ctrl-C during the import process.

CSCse31042—A zone configuration with ip_scan or port_scan policies cannot be imported into the Guard. Workaround: None.

CSCse43115—A BGP error message is displayed when malformed BGP related packets are sent directly to the Guard IP address. Workaround: None.

CSCsg42338—The Guard CPU usage may reach 100%. Workaround: Reboot the Guard.

CSCsg94911—When a physical interface goes down, the virtual interfaces that use the physical interface are not brought down, which results in black-holing the traffic. Workaround: Manually deactivate the relevant zones on the Guard.

CSCsi07283—The Web-Based Manager (WBM) does not reflect changes to the TimeZone definition until after the Guard is rebooted. Workaround: Reboot the Guard.

CSCsi18583—The Guard drops the last TCP ACK on the outgoing traffic. Workaround: Create a bypass filter for the source IP address that is experiencing authentication problems.

CSCsi21984—When using the WBM, browsing to a zone page is very slow after the zone has been active for a long time and the zone logs become extremely long. Workaround: Export the zone logs to an external server and then clear the log files from the Guard database.

CSCsi50185—When synchronizing time with an NTP server, the Guard intermittently detects a major clock change (16 seconds or more) and issues a log message. Workaround: None.

CSCsi61341—The Guard leaves the TCP timestamp option in the SYN ACK reply. Workaround: None.

CSCsj27292—The Guard does not count bypass filters correctly, which may cause the watchdog to reload the Guard. Workaround: Remove all bypass filters that are not needed.

CSCuk54606—When activating a zone by issuing the protect or the learning commands, the Guard displays the following error message even when the configuration is correct and traffic diversion is working properly:

no injection path

The Guard may display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address (for example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25). Workaround: Configure a default injection route for the Guard, or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses as 192.168.254.0/25 and 192.168.254.128/25.

Software Version 6.0(10) Resolved Caveats

The following caveats were resolved in software version 6.0(10):

CSCsh92933—After entering the tacacs authorization exec tacacs+ command, the show running-config command does not display the tacacs authorization exec tacacs command in the configuration output.

CSCsi2905, CSCsi17169—When accepting the thresholds during the learning process, the Guard intermittently encounters an error when accepting some of the thresholds.

CSCsi23637—When using the WBM, TACACS+ login authentication falls back to local authentication even if the TACACS+ server rejects the authentication.

CSCsi65071—A flex-content filter with a single byte tcpdump expression may not detect the byte in the zone traffic.

CSCsi67008—A flex-content filter tcpdump expression does not examine the last byte of a packet.

CSCsi70650—The watchdog process intermittently becomes stuck on one of the child processes.

CSCsi78741—The internal watchdog constantly reloads the Guard and the accelerator card is unresponsive. The log contains many "cannot read counters" errors.

CSCsi89346—The Guard stops processing traffic. Traffic is not diverted to the Guard.

Software Version 6.0(5) Open and Resolved Caveats

The following sections contain the open and resolved caveats in software version 6.0(5):

Software Version 6.0(5) Open Caveats

Software Version 6.0(5) Resolved Caveats

Software Version 6.0(5) Open Caveats

The following caveats are open in software version 6.0(5):

CSCrh01198—After you reload the Guard, it erases the default gateway if the gateway is on the same subnet as one of the configured VLAN interfaces on the Guard. Workaround: Use a static route instead of a default gateway.

CSCsa64914—The name of the Flexible Filter Drop Count counter in the WBM Zone>Configuration>General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the Flex-Content filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as:

Drop, the Flexible Filter Count value displays the number of dropped packets

Count, the Flexible Filter Count value displays the number of counted packets

CSCsa78440—The protect-by-packet activation interface does not apply to zones that are on the same subnet as the Guard. Workaround: Use another activation interface.

CSCsb07081—The flex-content filter cannot find a pattern in SYN packets.

CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop up window waits for results from the signature generation process. Even if you close the pop up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop up window receives a result, or issue the no service wbm CLI command in configuration mode.

CSCsb26519—The Guard fails to handle several thousand injected dynamic routes if you configure the protect-by-packet activation method on one of the zones. Workaround: Either deactivate protect-by-packet or limit the number of incoming dynamic routes so that it does not exceed 16,000.

CSCsb29083—You cannot use the same name to create packet dumps in different zones. Workaround: Assign unique names to manual packet dumps.

CSCsc05116—The Guard may stop functioning or start logging errors after reaching 100% anomaly detection engine memory utilization. Workaround: Use the show resources command in global mode to view the amount of anomaly detection engine memory currently being used by the Guard. Reducing the number of active zones may free up memory.

CSCsc36095—Loopback interfaces 100 and higher disappear or become proxy interfaces when you upgrade from previous software versions to software version 5.1(4) or higher. Workaround: Renumber loopback interfaces before upgrading the Guard from a version prior to 5.1(4) to version 6.0(5).

CSCsc49737—The accelerator card may fail to load on the first attempt during the reload or bootup process. The Guard issues and logs an error message. The Guard attempts two additional loads.

CSCsc51207—The Guard does not evaluate all conditions defined in the flex-content filter when the filter is built from more than one offset-based element (for example, udp[64:4]=0x1234) joined by "or". If one of the elements has an offset beyond the end of the packet, the Guard does not evaluate the remaining elements. Workaround: Build the filter so that its elements are ordered by offset, smallest first.

CSCsc69508—After importing an HTML file to serve as login banner, some SSH clients may not be able to connect to the Guard. Workaround: Remove the login banner.

CSCsc77155—After a Guard reloads 1,024 consecutive times, it cannot be accessed from the network. Workaround: Reboot the Guard.

CSCsd39569—After several hundred consecutive reloads, the Guard may automatically reboot. Workaround: None.

CSCsd59648—A GRE keepalive does not work if you configure it before there is connectivity on a GRE tunnel. Workaround: Make sure the GRE tunnel is up and connected before configuring a keepalive on the tunnel.

CSCsd59673—The Guard does not respond to incoming GRE keepalive messages unless the keepalive is configured on the Guard GRE interface.

CSCsd82140—The Guard black-holes traffic when you configure floating static (redundant) routes and the network interface of the best route is shut down and then restarted. Workaround: Either reload the Guard or manually update the routes within router configuration mode.

CSCsd83077—The Guard responds to a larger size packet than the MTU value set for its network interfaces.

CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the more 0 command.

CSCse19834—Activating a zone with a combination of a large number of subnets and excluded subnets may take a few seconds to several minutes, depending on the number of subnets (excluded or included).

CSCse27876—When you press Ctrl-C during an import of a new software version or configuration, you interrupt the import process and the CLI session may get disconnected. Workaround: Do not press Ctrl-C during the import process.

CSCse31042—A zone configuration with ip_scan or port_scan policies cannot be imported into the Guard. Workaround: None.

CSCse43115—A BGP error message is displayed when malformed BGP related packets are sent directly to the Guard IP address. Workaround: None.

CSCuk54606—When activating a zone by issuing the protect or the learning commands, the Guard displays the following error message even when the configuration is correct and traffic diversion is working properly:

no injection path

The Guard may display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address (for example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25). Workaround: Configure a default injection route for the Guard, or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses as 192.168.254.0/25 and 192.168.254.128/25.
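The following script, added here as an example and not Cisco code, encodes the CSCuk54606 condition described in both the 6.0(10) and the 6.0(5) open caveat lists so that an operator can tell a spurious "no injection path" message from a real one before activating a zone. It takes the zone prefixes, the zone injection routes, and whether a default injection route exists (a data model assumed for the example; the prefixes are the ones from the caveat text), reports whether the caveat's trigger condition holds, and, for the "match the zone IP addresses" workaround, only proposes rewriting a zone prefix when the injection routes tile it exactly, since otherwise part of the zone would lose coverage.

```python
"""Detecting the CSCuk54606 'no injection path' condition from zone and injection-route data.

Added example, not Cisco code. The data model (zone prefixes, injection route
prefixes, and a default-injection-route flag) is an assumption; the prefixes
used in the demonstration are the ones from the caveat text.
"""
import ipaddress
from typing import List, Tuple


def check_injection_paths(
    zone_prefixes: List[str],
    injection_routes: List[str],
    has_default_injection_route: bool,
) -> Tuple[bool, List[str], List[str]]:
    """Return (triggers_caveat, unmatched_routes, suggestions).

    The caveat condition: no default injection route, two or more injection
    routes, and at least one route that does not exactly match a zone prefix.
    """
    zones = [ipaddress.ip_network(p) for p in zone_prefixes]
    routes = [ipaddress.ip_network(r) for r in injection_routes]

    unmatched = [r for r in routes if r not in zones]
    triggers = (not has_default_injection_route) and len(routes) >= 2 and bool(unmatched)

    suggestions: List[str] = []
    if triggers:
        for zone in zones:
            # Unmatched routes that lie inside this zone prefix.
            inside = [r for r in unmatched if r.version == zone.version and r.subnet_of(zone)]
            if not inside:
                continue
            # Rewrite the zone only if the routes tile it exactly; otherwise part of
            # the zone would lose coverage and a default injection route is the safer fix.
            if list(ipaddress.collapse_addresses(inside)) == [zone]:
                suggestions.append(
                    f"replace zone prefix {zone} with {', '.join(map(str, inside))}"
                )
            else:
                suggestions.append(
                    f"injection routes {', '.join(map(str, inside))} do not tile {zone}; "
                    "configure a default injection route instead"
                )
    return triggers, [str(r) for r in unmatched], suggestions


if __name__ == "__main__":
    # The configuration from the caveat text: one /24 zone, two /25 injection routes.
    triggers, unmatched, suggestions = check_injection_paths(
        ["192.168.254.0/24"], ["192.168.254.0/25", "192.168.254.128/25"], False
    )
    print("spurious 'no injection path' expected:", triggers)
    print("routes not matching a zone prefix:", unmatched)
    for suggestion in suggestions:
        print(" ", suggestion)
```

If the function reports that the condition does not hold and the Guard still prints "no injection path", the message is not explained by this caveat and the injection configuration should be checked for a real fault.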

Software Version 6.0(5) Resolved Caveats

The following caveats were resolved in software version 6.0(5):

CSCsb33259—The graphs for the show counters history, show rates history, and the WBM traffic rates only show current rates. The graphs do not show logs for the zone. This occurs when the zone is active, but there is no activity (that is, there is no traffic) on it.

CSCsc85020—The graph interpolates the end of an attack curve with current time instead of the real end of attack time.

CSCse64988—When you use the WBM to add a service to a zone, service thresholds are set to zero and are not tuned.

CSCsf01438—A vulnerability in the Cisco Guard may enable an attacker to send a web browser client to a malicious website through Cross Site Scripting (XSS) when the Guard is providing anti-spoofing services between the web browser client and a web server. An attacker may exploit this by providing a malicious URL for the web browser client to visit, often in an e-mail, on a malicious website, or in an instant message. This issue may occur even if the protected website does not allow XSS. A software upgrade is required to fix this vulnerability. A workaround is available to mitigate the effects of the vulnerability. The advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20060920-guardxss.shtml

CSCsf02506—When you use the WBM to show zone general information, the error message "Unexpected error" may appear on the first try.

CSCsg22709—When you add a service in a WBM comparison screen, the service is not added to the zone. This occurs when you compare a zone with a snapshot.

CSCsg53101—When you use the WBM excessively, the RAM disk becomes filled with logs before the logrotate policy removes old logs. This situation may cause the Guard to become unstable and inaccessible.

Related Documentation

The following Guard documents are available:

Cisco Guard and Traffic Anomaly Detector Hardware Installation and Configuration Note

Cisco Guard Configuration Guide

Cisco Guard Web-Based Manager Configuration Guide

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html