Release Notes for Cisco Security Manager 4.0.1
Published: September 17, 2010
Revised: September 30, 2011
These release notes are for use with Cisco Security Manager 4.0.1.
Release 4.0.1 is now available. Registered SMARTnet users can obtain release 4.0.1 from the Cisco support website by going to http://www.cisco.com/go/csmanager and clicking Download Software in the Support box.
Note Use this document in conjunction with the documents identified in Product Documentation. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on Cisco.com supersedes any information contained in the context-sensitive help included with the product. For more information about specific changes, please see Where to Go Next.
This document contains release note information for the following:
•Cisco Security Manager 4.0.1 (Including Service Packs 1 and 2)—Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, IPS sensors and modules, and some services modules for Catalyst 6500 switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information on Cisco.com.) Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.
•Auto Update Server 4.0.1—The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.
•Performance Monitor 4.0.1—Performance Monitor is a browser-based tool that monitors and troubleshoots the health and performance of services that contribute to network security. It helps you to isolate, analyze, and troubleshoot events in your network as they occur, so that you can increase service availability. Supported service types are remote-access VPN, site-to-site VPN, firewall, Web server load-balancing, and proxied SSL.
Note Before using Cisco Security Manager 4.0.1, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes, the Installation Notes, and the Installation Guide for Cisco Security Manager 4.0.1 before installing or upgrading to Cisco Security Manager 4.0.1.
This document lists the ID numbers and headlines for issues that may affect your operation of the product. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
Supported Component Versions and Related Software
The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 4.0.1.
Note For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on Cisco.com.
Cisco Security Manager 4.0.1 Service Pack 2
Security Manager 4.0.1 Service Pack 2 provides fixes for various problems. For more information, see Resolved Caveats—Release 4.0.1 Service Pack 2.
Cisco Security Manager 4.0.1 Service Pack 1
Security Manager 4.0.1 Service Pack 1 enables support for ASA Software Release 8.2(3) on all ASA platforms.
Security Manager 4.0.1 Service Pack 1 also provides fixes for various problems. For more information, see Resolved Caveats—Release 4.0.1 Service Pack 1.
Cisco Security Manager 4.0.1
In addition to resolved caveats, this release includes the following new features and enhancements:
•Support for all models of the new Cisco ASA 5585-X Adaptive Security Appliance (ASA 5500 Series).
•Support for ASA Software release 8.2(3) on the ASA 5585-X platform.
Note Security Manager 4.0.1 Service Pack 1 enables support for ASA Software Release 8.2(3) on all ASA platforms.
•Support for these Cisco 3800 Series Integrated Services Routers: 3825 NOVPN, 3845 NOVPN. You cannot configure VPN policies or other policies that require encryption on these devices.
•Support for these Cisco 3900 Series Integrated Services Routers: 3925E, 3945E.
•Support for Cisco IOS Software release 15.1(1)T.
•Support for Cisco IOS XE Software releases 2.5 and 2.6. These releases are known as 12.2(33)XNE and 12.2(33)XNF, respectively, in Security Manager. The only new feature supported in these releases is for DMVPN phase 3, which allows direct communication between spokes. Otherwise, software support is equivalent to release 2.4 (known as 12.2(33)XND).
•Support for Cisco ASA 5585 IPS Security Services Processor.
•Support for changes to the mechanism used for downloading sensor and signature updates from Cisco.com.
•You can now configure AAA access control using a RADIUS server for IPS devices running IPS Software release 7.0(4).
•A new device property, License Supports Failover, for ASA 5505 and 5510 devices that indicates whether an optional failover license is available on the device. The property is set when you discover device policies, or you can manually set the property. Failover policies are deployed to these devices only if the property indicates that the device has a failover license installed. This helps eliminate deployment failures due to failover licensing issues.
•Performance Monitor adds support for Cisco ASA-5500 Series Adaptive Security Appliance model 5585-X, and Cisco 3900 Series Integrated Services Routers 3925E and 3945E.
•IPS signature tuning has been enhanced. If you modify a signature policy that has more than one tuning context, Security Manager can, where appropriate and with your permission, copy the policy to the other contexts.
Do not modify casuser (the default service account) or the directory permissions that are established during installation of the product. Doing so can prevent you from doing the following:
•Logging in to the web server
•Logging in to the client
•Performing successful backups of all databases
Internet Explorer 8 is supported, but only in Compatibility View. To use Compatibility View, open Internet Explorer 8, go to Tools > Compatibility View Settings, and add the Security Manager server as a "website to be displayed in Compatibility View."
You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager for this release of the product explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.
Before you can successfully upgrade to Security Manager 4.0.1 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data (that is, data that has not been committed to the database). If the Security Manager database contains pending data, you must commit or discard all uncommitted changes and then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager for this release contains complete instructions on the steps required to prepare the database for upgrade.
We do not support installation of Security Manager on a server that is running any other web server or database server (for example, IIS or MS-SQL). Doing so might cause unexpected problems that may prevent you from logging into or using Cisco Security Manager.
For the Installation Guide for Cisco Security Manager 4.0.1, go to the list of Cisco Security Manager installation and upgrade guides on Cisco.com.
Be aware of the following important points before you upgrade:
•Ensure that all applications that you are upgrading are currently functioning correctly, and that you can create valid backups (that is, the backup process completes without error). If an application is not functioning correctly before an upgrade, the upgrade process might not result in a correctly functioning application.
Note It has come to Cisco's attention that some users make undocumented and unsupported modifications to the system so that the backup process does not back up all installed CiscoWorks applications. The upgrade process documented in the installation guide assumes that you have not subverted the intended functioning of the system. If you are creating backups that back up less than all of the data, you are responsible for ensuring you have all backup data that you require before performing an update. We strongly suggest that you undo these unsupported modifications. Otherwise, you should probably not attempt to do an inline upgrade, where you install the product on the same server as the older version; instead, install the updated applications on a new, clean server and restore your database backups.
•If you install RME on the same server as Security Manager, do not apply the MDF.zip file available with the RME IDU patch. Applying this file will damage the device support files in Security Manager, and you will need to contact Cisco Technical Support to correct the problem. If you install RME on a server separate from Cisco Security Manager, this restriction does not apply.
•Security Manager 3.x users cannot upgrade directly to Security Manager 4.0.1. They must first upgrade to 4.0 and then to 4.0.1.
Service Pack 2 Download and Installation Instructions
Service Pack 2 is a cumulative update that also includes the updates that were found in Service Pack 1. You can apply Cisco Security Manager 4.0.1 Service Pack 2 to a Cisco Security Manager 4.0.1 installation whether or not that installation has an earlier service pack installed.
To download and install service pack 2, follow these steps:
Note You must install the Cisco Security Manager 4.0.1 FCS build on your server before you can apply this service pack.
Step 1 Go to http://www.cisco.com/go/csmanager, and then click Download Software under the Support heading on the right side of the screen.
Step 2 Enter your user name and password to log in to Cisco.com.
Step 3 Click Security Manager (CSM) Software, expand the 4.0 folder under All Releases, and then click 4.0.1sp2.
Step 4 Download the file fcs-csm-401-sp2-win-k9.exe.
Step 5 To install the service pack, close all open applications, including the Cisco Security Manager Client.
Step 6 If Cisco Security Agent is installed on your server, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
Step 7 Run the fcs-csm-401-sp2-win-k9.exe file that you previously downloaded.
Step 8 In the Install Cisco Security Manager 4.0.1 Service Pack 2 dialog box, click Next and then click Install in the next screen.
Step 9 After the updated files have been installed, click Finish to complete the installation.
Step 10 On each client machine that is used to connect to the Security Manager server, you must perform the following steps to apply the service pack before you can connect to the server using that client:
a. If Cisco Security Agent is installed on the client, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
b. Launch the Security Manager client.
You will be prompted to "Download Service Pack".
c. Download the service pack and then launch the downloaded file to apply the service pack.
Step 11 (Optional) Go to the client installation directory and clear the cache, for example, <Client Install Directory>/cache.
The following notes apply to the Security Manager 4.0.1 release:
•You can use IPv4 addresses only in Security Manager. Although some of the device software Security Manager supports allows you to use IPv6 addresses on commands, Security Manager does not support IPv6 addresses directly. If you want to configure IPv6 features using Security Manager, you can use FlexConfig policies.
•You cannot use Security Manager to manage an ASA 8.3+ device if you enable password encryption using the password encryption aes command. You must turn off password encryption before you can add the device to the Security Manager inventory.
•ASA 8.3 ACLs use the real IP address of a device, rather than the translated (NAT) address. During upgrade, rules are converted to use the real IP address. All other device types, and older ASA versions, used the NAT address in ACLs.
•The device memory requirements for ASA 8.3 are higher than for older ASA releases. Ensure that the device meets the minimum memory requirement, as explained in the ASA documentation, before upgrade. Security Manager blocks deployment to devices that do not meet the minimum requirement.
•If a device uses commands that were unsupported in previous versions of Security Manager, those commands are not automatically populated into Security Manager when you upgrade to this version. If you then deploy to the device, the commands are removed from it because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment provisions these commands correctly. Alternatively, you can rediscover the platform settings from the device; however, you must then take the necessary steps to save and restore any shared Security Manager policies that are assigned to the device.
•A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x+ appliances, Catalyst and ASA service modules, and router network modules.
•Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.
•Do not run SQL queries against the database.
•If an online help page displays blank in your browser view, refresh the browser.
•Cisco Secure ACS 5.0 is not supported by Security Manager 4.0.1, even though ACS 5.0 is supported by Common Services 3.3.
•If you do not manage IPS devices, consider taking the following performance tuning step. In $NMSROOT\MDC\ips\etc\sensorupdate.properties, change the value of packageMonitorInterval from its initial default value of 30,000 milliseconds to a less-frequent value of 600,000 milliseconds. Taking this step will improve performance somewhat. [$NMSROOT is the full pathname of the Common Services installation directory (the default is C:\Program Files\CSCOpx).]
This section describes the open and resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
To become a registered cisco.com user, go to the following website:
Open Caveats—Release 4.0.1
The following caveats affect this release and are part of Security Manager 4.0.1.
Note In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the example provided, the known problem could be listed in either the Deployment table or the PIX/ASA/FWSM Configuration table.
Table 4 Cisco Catalyst 6000 Device Support Caveats
Reference Number Description
Deployment fails when allowed VLAN ID is modified on IDSM capture port
Deploy fails if you change access to trunk mode & enable DTP negotiation
Table 10 FlexConfig Caveats
Reference Number Description
CSM 4.0 Move Up and Move Down buttons delete FlexConfig lines
Resolved Caveats—Release 4.0.1 Service Pack 2
The following customer-found or previously release-noted caveats have been resolved in Cisco Security Manager 4.0.1 Service Pack 2.
Resolved Caveats—Release 4.0.1 Service Pack 1
The following customer-found or previously release-noted caveats have been resolved in Cisco Security Manager 4.0.1 Service Pack 1.
Reference Number Description
"ip local pool" DDP doesn't translate name assigned to ip addr ranges
CSM 3.2.1 SP 1 unable to use local user password of length 17-31 charact
ZBF: Activity validation does not consider BB override
CSM Deploy fails if removing web-type ACL that is applied to mult DAPs
Network/Service BB objects should retain the order
UE: Deployment Devices Dialog - provide option to expand nodes
CSM will not recognize new AAA syntax from IOS 12.4(22)T
Some of the old event data folder is not getting deleted
View creation fails though view with same name not present
Object deletion of large number of objects leads to Sybase jConnect err
CSM deploys crypto enroll after importing device with existing cert
CSM 4.0 discovers ASA 8.3 interfaces with uppercase fails deployment
CSM re-orders rules wrongly, and it causes rules deleted wrongly
Move section up/down is not working
Re-Deploy w/o changes - set peer cli negated on ASA
CSM - Query window pop-up is not appearing
CSM - selected object does not expand completely
CSM - switching back to access rule is very slow if filter is applied
users are allowed to create duplicate static routes
RAVPN:CSM needs to support CSD 3.5.1077
RAVPN: Need support for 'Windows 7' OS version in DAP entry
CSM: IPS signature registration fails with out of memory errors
BB caching is shutdown causing performance degradation
Object NAT: intf name with non lowercase does not show up in Object NAT
8.2.3 validation check disabling
CSM: IPS event viewer doesn't display events when connection is stuck
CSM pushes incorrect config for DAP Policy for Symantec personal FW
Static NAT and PAT rules are not always added back to the configuration
CSM generates incorrect DAP LUA expressions for Process checks
Preview Fails --> Deployment failed due to an internal error in plugin
CSM: 8.3 destination nat displayed incorrectly
Save in predefined view not working
CSM does not generate LUA expression for Device category attributes
VPN config - ASANAT configuration causes deployment error
CSM 4.0 LDAP attribute map customer map value does not support space
CSM 3.3(1) - variables in FlexConfig script not correctly populated
DAP-Logical operation 'Match-All' for Personal FW are not saved properly
auto update failing for IPS
Beta: Error populating time slider for some of the historical queries
Eventing: 'idx' folder not Getting Deleted
Net Admin not able to deploy even if deployment approval is disabled.
CSM dirties system defined service obj when created frm within ruletable
CSM policy object manager content sorting not working
IPS download: Unnecessary URL conn made before checking MD5 and closed
CSM removes existing NAT0 ACL and creates new one per interface
Group Policy, Cert Map, DAP , Address Pool Discovery
Unable to view all the Events in EV after a query + navigation operation
CSM pushes incorrect DAP type for Device criteria-OS service pack
Detect/notify if server patch is not matching with client patch after CP
CSM ignore the first device in 2,3,.. N jobs of autodownload
CSM creating multiple deployment job at a same time.
CSM use wrong cmd syntax when disabling "log with interval" option
Change report shows passwords in clear text
While enabling Do not translate vpn traffic delta seen after deployment
LDAP attribute maps not editable after migration to 4.1
Resolved Caveats—Release 4.0.1
The following customer-found or previously release-noted caveats have been resolved in this release.
Resolved Caveats—Releases Prior to 4.0.1
For the list of caveats resolved in releases prior to this one, see the following documents:
Where to Go Next
If you want to: Do this:
Install Security Manager server or client software.
Understand the basics.
See the interactive JumpStart guide that opens automatically when you start Security Manager.
Get up and running with the product quickly.
See "Getting Started with Security Manager" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.0.1.
Complete the product configuration.
See "Completing the Initial Security Manager Configuration" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.0.1.
Manage user authentication and authorization.
See the following topics in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 4.0.1.
•Setting Up User Permissions
•Integrating Security Manager with Cisco Secure ACS
Bootstrap your devices.
See "Preparing Devices for Management" in the online help, or see Chapter 5 of User Guide for Cisco Security Manager 4.0.1.
Install entitlement applications.
Your Security Manager license grants you the right to install certain other applications—including specific releases of RME and Performance Monitor—that are not installed when you install Security Manager. You can install these applications at any time. See the Introduction to Component Applications section in Chapter 1 of Installation Guide for Cisco Security Manager 4.0.1.
For the complete list of documents supporting this release, see the release-specific document roadmap:
•Guide to User Documentation for Cisco Security Manager
Lists the document set that supports the Security Manager release and summarizes the contents of each document.
•For general product information, see:
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, and security guidelines, as well as recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.