Table Of Contents
Release Notes for Cisco Security Manager 4.0
Introduction
Supported Component Versions and Related Software
What's New
Installation Notes
Service Pack 1 Download and Installation Instructions
Important Notes
Caveats
Open Caveats—Release 4.0
Resolved Caveats—Release 4.0 Service Pack 1
Resolved Caveats—Release 4.0
Resolved Caveats—Releases Prior to 4.0
Where to Go Next
Product Documentation
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco Security Manager 4.0
Published: June 17, 2010
Revised: October 6, 2010
These release notes are for use with the Cisco Security Manager (Security Manager), Release 4.0.
Release 4.0 is now available. Registered SMARTnet users can obtain release 4.0 from the Cisco support website by going to http://www.cisco.com/go/csmanager and clicking Download Software in the Support box.
This chapter contains the following topics:
•
Introduction
•Supported Component Versions and Related Software
•What's New
•Installation Notes
•Service Pack 1 Download and Installation Instructions
•Important Notes
•Caveats
•Where to Go Next
•Product Documentation
•Obtaining Documentation, Obtaining Support, and Security Guidelines
Introduction
Note Use this document in conjunction with the documents identified in Product Documentation. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on Cisco.com supersedes any information contained in the context-sensitive help included with the product. For more information about specific changes, please see Where to Go Next.
This document contains release note information for the following:
•Cisco Security Manager 4.0 (Including Service Pack 1)—Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, IPS sensors and modules, and some services modules for Catalyst 6500 switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information on Cisco.com.) Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.
•Auto Update Server 4.0—The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.
•Performance Monitor 4.0—Performance Monitor is a browser-based tool that monitors and troubleshoots the health and performance of services that contribute to network security. It helps you to isolate, analyze, and troubleshoot events in your network as they occur, so that you can increase service availability. Supported service types are remote-access VPN, site-to-site VPN, firewall, Web server load-balancing, and proxied SSL.
Note Before using Cisco Security Manager 4.0, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes, the Installation Notes, and the Installation Guide for Cisco Security Manager 4.0 before installing or upgrading to Cisco Security Manager 4.0.
This document lists the ID numbers and headlines for issues that may affect your operation of the product. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
Supported Component Versions and Related Software
The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 4.0.
Note For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on Cisco.com.
Table 1 Supported Versions for Components and Related Applications
Application
|
Support Releases
|
Component Applications
|
Cisco Security Manager
|
4.0
|
Auto Update Server
|
4.0
|
Performance Monitor
|
4.0
|
CiscoWorks Common Services
|
3.3
|
Resource Manager Essentials (RME)
|
4.3
|
Cisco Security Agent
|
5.2
|
Related Applications
|
Cisco Security Monitoring, Analysis and Response System (CS-MARS)
|
6.0.5, 6.0.6
|
Cisco Secure Access Control Server (ACS) for Windows
Note Cisco Secure ACS Solution Engine 4.1(4) is also supported.
|
4.1(3, 4), 4.2(0)
|
Cisco Configuration Engine
|
3.0
|
What's New
Cisco Security Manager 4.0 Service Pack 1
Security Manager 4.0 Service Pack 1 provides support for changes to the mechanism used for downloading sensor and signature updates from Cisco.com.
Security Manager 4.0 Service Pack 1also provides fixes for various problems. For more information, see Resolved Caveats—Release 4.0 Service Pack 1.
Cisco Security Manager 4.0
In addition to resolved caveats, this release includes the following new features and enhancements:
•New Event Viewer feature enables you to selectively monitor, search, view, and examine events from ASA and IPS devices. You can filter the stream of events to quickly select the view--or even the particular event or value--you require at the moment. Further, the view criteria you select can be saved and recalled as needed.
•The applications now require CiscoWorks Common Services 3.3, which is included in the Security Manager installation program.
•The Security Manager installation program no longer performs a mandatory backup. Although you are provided the option of performing a backup during installation, we recommend that you perform the backup before running the installation program, and verify that the backup completed successfully.
•Support for ASA Software version 8.3. If you upgrade a device to ASA 8.3, ensure that you delete it from the Security Manager inventory and then add it back in so that newly-converted policies are discovered correctly.
•ASA 8.3 support includes features that can help when converting from Checkpoint to ASA:
–Global access rules—Instead of creating access rules for each interface, you can create global rules once. These rules are applied to every interface and are processed after any interface-specific access rules.
–Object group search—Available as a firewall access control setting, object group search optimizes ACL performance without expanding object groups. However, you should use this only on memory constrained devices. You also cannot use the hit count tool if you configure object group search.
•The release of ASA version 8.3 provides a simplified approach to configuring network address translation (NAT), as compared to earlier ASA versions and other devices. All NAT rules on the device—static NAT, dynamic PAT, and dynamic NAT—are presented in a single table, and the same dialog box is used to configure all NAT rules. The NAT rules are interface independent (that is, interfaces are optional), meaning the rules are independent of security levels also.
•ASA 8.3+ includes new features for network and service objects that contain single values. You can also use the network objects to configure NAT. Security Manager supports these features as follows:
–The network/host policy object now has four types: group, host, network, address range. The group object is the same as the network/host object that exists in all Security Manager 3.x releases. The host, network, and address range types allow single values (of the appropriate type), and also allow NAT configuration. Although these objects are designed for use with ASA 8.3+, you can use them with all operating systems; any NAT configuration is ignored for non-ASA-8.3+ devices.
–The service policy object now has two types: group and object. The group object is the same as the service object in Security Manager 3.x releases. The service "object" allows a single service designation. As with the network/host object, you can use the new service object on any operating system; how it is provisioned to the device simply differs for ASA 8.3 devices.
•Support for FWSM Software versions 4.1(1), 4.0(7-11), 3.1(16, 17), 3.2(14-17).
•Support for the 1002 Fixed Router model of the Cisco ASR 1000 Series Aggregation Services Routers.
•Support for ASR Version 2.4 software, called Cisco IOS Software version 12.2(33)XND.
•Support for shared port adapters (SPAs) in Cisco ASR 1000 Series Aggregation Services Routers. Support includes all Ethernet (all speeds, including Ten Gigabit Ethernet), Serial, ATM, and Packet over Sonet (POS) SPAs, but not services SPAs. If you configured ATM, PVC, or dialer related policies on ASRs you managed with previous versions of Security Manager, you should rediscover policies on those devices to bring these policies into Security Manager.
•The IPS Event Viewer application is no longer included in the Security Manager package. When you upgrade to Security Manager 4.0, any installation of the IPS Event Viewer that was installed by previous versions of Security Manager is removed. To view IPS events, use the event viewer integrated into Security Manager 4.0.
•Activity lock messages now include the username and activity name that has obtained a lock that prevents you from performing an action.
•You can now delete more than one device at a time.
•You can now rediscovery policies on more than one device at a time.
•You can now detect whether devices have out of band changes (changes to the device configuration made outside of Security Manager) before you deploy configurations. This gives you the opportunity to update the device policies in Security Manager to recreate those changes.
Note Out-of-band change detection is not available for IPS appliances.
•In previous releases, you could select which types of policy to manage on Cisco IOS routers. You can now also select which policies to manage on ASA, PIX, and FWSM firewall devices.
•Packet tracer allows you to troubleshoot active policies running on ASA and PIX firewall devices running 7.2.1 and higher that are not operating in transparent mode.
•ASA 8.3 devices use the original, or real, IP address when evaluating traffic in firewall rules (such as access rules) rather than NAT-translated addresses. Ensure that you use the original address when configuring firewall rules for ASA 8.3 devices.
•You can now automatically block blacklisted traffic based on the threat level using the Botnet Traffic Filter on ASA 8.2(2)+ devices. You can also treat greylisted traffic as blacklisted traffic for action purposes.
•You can now inspect IP options in inspection rules on ASA 8.2(2)+ devices. IP options inspection allows you to pass IP packets that have end of options list, no operation, or router alert options configured in the IP packet header.
•You can now configure or use the following features for Group Encrypted Transport (GET) VPNs: fail-close mode to protect VPN traffic prior to successful group member registration; passive mode configured on group members; RSA key generation and synchronization among the key servers.
•You can now explicitly configure DMVPN phase 2 connections between spokes, so that spoke to spoke connections go through regional hubs, and routing protocol updates from hubs to spokes are not summarized.
•Support for Cisco Secure Access Control Server (ACS) 4.2.
•The Security Manager online help and user guide have been reorganized into parts with smaller chapters, and reference information has been moved along side of conceptual and procedural information. Large sections of the document have been rewritten and simplified, with more examples added.
•Security Manager now discovers and deploys object groups for devices running Cisco IOS Software release 12.4(20)T and higher. In previous releases, object groups were supported only for ASA, PIX, and FWSM.
Installation Notes
All customers need to procure a new license (or licenses) for Security Manager 4.0 irrespective of whether they have a valid license for any of the (older) Security Manager 3.x releases. With the exception of incremental licenses, existing Security Manager 3.x licenses are not valid for Security Manager 4.0.
Do not modify casuser (the default service account) or directory permissions that are established during the installation of the product. Doing so can lead to problems with your being able to do the following:
•Logging in to the web server
•Logging in to the client
•Performing successful backups of all databases
Internet Explorer 8 is supported, but only in Compatibility View. To use Compatibility View, open Internet Explorer 8, go to Tools > Compatibility View Settings, and add the Security Manager server as a "website to be displayed in Compatibility View."
You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager for this release of the product explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.
We do not support installation of Security Manager on a server that is running any other web server or database server (for example, IIS or MS-SQL). Doing so might cause unexpected problems that may prevent you from logging into or using Cisco Security Manager.
Before you can successfully upgrade to Security Manager 4.0 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager for this release contains complete instructions on the steps required for preparing the database for upgrade.
For the Installation Guide for Cisco Security Manager 4.0, go to the list of Cisco Security Manager installation and upgrade guides on Cisco.com.
Be aware of the following important points before you upgrade:
•Ensure that all applications that you are upgrading are currently functioning correctly, and that you can create valid backups (that is, the backup process completes without error). If an application is not functioning correctly before an upgrade, the upgrade process might not result in a correctly functioning application.
Note It has come to Cisco's attention that some users make undocumented and unsupported modifications to the system so that the backup process does not back up all installed CiscoWorks applications. The upgrade process documented in the installation guide assumes that you have not subverted the intended functioning of the system. If you are creating backups that back up less than all of the data, you are responsible for ensuring you have all backup data that you require before performing an update. We strongly suggest that you undo these unsupported modifications. Otherwise, you should probably not attempt to do an inline upgrade, where you install the product on the same server as the older version; instead, install the updated applications on a new, clean server and restore your database backups.
•If you upgrade from a release earlier than 3.3 to Security Manager 3.3 or higher, and you use Cisco Configuration Engine, you must upgrade Configuration Engine to 3.0 at the same time. Security Manager 3.3 and higher does not work with older versions of Configuration Engine.
•If you install RME on the same server as Security Manager, do not apply the MDF.zip file available with the RME IDU patch. Applying this file will damage the device support files in Security Manager, and you will need to contact Cisco Technical Support to correct the problem. If you install RME on a server separate from Cisco Security Manager, this restriction does not apply.
Service Pack 1 Download and Installation Instructions
To download and install service pack 1, follow these steps:
Note You must install the Cisco Security Manager 4.0 FCS build on your server before you can apply this service pack.
Step 1 Go to http://www.cisco.com/go/csmanager, and then click Download Software in the Support box on the right side of the screen.
Step 2 Enter your user name and password to log in to Cisco.com.
Step 3 Click Security Manager (CSM) Software, expand the 4.0 folder under All Releases, and then click 4.0sp1.
Step 4 Download the file fcs-csm-40-sp1-win-k9.exe.
Step 5 To install the service pack, close all open applications, including the Cisco Security Manager Client.
Step 6 Manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
Step 7 Run the fcs-csm-40-sp1-win-k9.exe file that you previously downloaded.
Step 8 In the Install Cisco Security Manager 4.0 Service Pack 1dialog box, click Next and then click Install in the next screen.
Step 9 After the updated files have been installed, click Finish to complete the installation.
Step 10 On each client machine that is used to connect to the Security Manager server, you must perform the following steps to apply the service pack before you can connect to the server using that client:
a. Manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
b. Launch the Security Manager client.
You will be prompted to "Download Service Pack".
c. Download the service pack and then launch the downloaded file to apply the service pack.
Step 11 (Optional) Go to the client installation directory and clear the cache, for example, <Client Install Directory>/cache.
Important Notes
The following notes apply to the Security Manager 4.0 release:
•You can use IPv4 addresses only in Security Manager. Although some of the device software Security Manager supports allows you to use IPv6 addresses on commands, Security Manager does not support IPv6 addresses directly. If you want to configure IPv6 features using Security Manager, you can use FlexConfig policies.
•You cannot use Security Manager to manage an ASA 8.3+ device if you enable password encryption using the password encryption aes command. You must turn off password encryption before you can add the device to the Security Manager inventory.
•ASA 8.3 ACLs use the real IP address of a device, rather than the translated (NAT) address. During upgrade, rules are converted to use the real IP address. All other device types, and older ASA versions, used the NAT address in ACLs.
•The device memory requirements for ASA 8.3 are higher than for older ASA releases. Ensure that the device meets the minimum memory requirement, as explained in the ASA documentation, before upgrade. Security Manager blocks deployment to devices that do not meet the minimum requirement.
•If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to this version of Security Manager. If you deploy back to the device, these commands are removed from the device because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.
•A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x+ appliances, Catalyst and ASA service modules, and router network modules.
•Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.
•Do not run SQL queries against the database.
•If an online help page displays blank in your browser view, refresh the browser.
•Cisco Secure ACS 5.0 is not supported by Security Manager 4.0, even though ACS 5.0 is supported by Common Services 3.3.
•If you do not manage IPS devices, consider taking the following performance tuning step. In $NMSROOT\MDC\ips\etc\sensorupdate.properties, change the value of packageMonitorInterval from its initial default value of 30,000 milliseconds to a less-frequent value of 600,000 milliseconds. Taking this step will improve performance somewhat. [$NMSROOT is the full pathname of the Common Services installation directory (the default is C:\Program Files\CSCOpx).]
Caveats
This section describes the open and resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/support/bugtools
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
This section contains the following topics:
•Open Caveats—Release 4.0
•Resolved Caveats—Release 4.0 Service Pack 1
•Resolved Caveats—Release 4.0
•Resolved Caveats—Releases Prior to 4.0
Open Caveats—Release 4.0
This section contains information about the problems known to exist in Cisco Security Manager 4.0. The caveats are arranged into the following tables:
•ASA, PIX, and FWSM Firewall Devices Caveats
•CSM Client and Server Install Caveats
•Cisco Catalyst 6000 Device Support Caveats
•Cisco IOS Router Devices Caveats
•Cisco IPS and IOS IPS Devices Caveats
•Device Management, Discovery, and Deployment Caveats
•Event Viewer Caveats
•Firewall Services Caveats
•Miscellaneous Caveats
•VPN Device and Configuration Support Caveats
Note In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the example provided, the known problem could be listed in either the Deployment table or the PIX/ASA/FWSM Configuration table.
Table 2 ASA, PIX, and FWSM Firewall Devices Caveats
Reference Number
|
Description
|
CSCse51450
|
OSPF validations are not adequate
|
CSCsh20731
|
FAILOVER - Active/Active deploys to Standby unit and returns errors
|
CSCsi24397
|
SLA: Interface roles assigned to an SLA Monitor not validated
|
CSCsi34972
|
OSPF Discovery: Deployment of incomplete OSPF policy invalid
|
CSCsi42889
|
Swapping interface names causes deployment failure
|
CSCsi44546
|
RIP configuration commands in PIX/ASA 7.2(1) cannot be fully managed
|
CSCsl51451
|
Enable DHCPD auto configuration with interface option not discovered
|
CSCsm82107
|
Discovery of a multi-mode ASA added to CSM as a new device fails
|
CSCsr17662
|
Deployment of ips command truncated if containing class map is changed
|
CSCtd60804
|
CSM managing A/A FWSM will not use configured management ip of context
|
CSCth13856
|
CSM doesn't deploy "no management-only" to management interfaces
|
Table 3 CSM Client and Server Install Caveats
Reference Number
|
Description
|
CSCte49471
|
CSM installer should check for supported SP during install
|
CSCte56524
|
Not able to launch the CSM client after upgrade (CSM3.3SP1 to CSM4.0)
|
CSCtf01120
|
CSM: Upgrade from 3.3.0 to 3.3.1 Does Not Update All Files
|
CSCtf78013
|
CSM 3.3.1 client cannot launch due to MICE.jar file corruption
|
Table 4 Cisco Catalyst 6000 Device Support Caveats
Reference Number
|
Description
|
CSCsi17608
|
Deployment fails when allowed VLAN ID is modified on IDSM capture port
|
CSCsi24091
|
Deploy fails if you change access to trunk mode & enable DTP negotiation
|
Table 5 Cisco IOS Router Devices Caveats
Reference Number
|
Description
|
CSCsf09088
|
PPP policy does not support if-needed and local-case keywords for AAA
|
CSCsh18926
|
NetFlow deployment fails on subinterfaces
|
CSCsi20458
|
802.1x-Number of retries command not generated correctly
|
CSCsi25845
|
PPP-No validation for multilink support on device
|
CSCsi45142
|
AAA - source intf disc from global cmd instead of aaa subcommand
|
CSCsi45204
|
QoS policy not discovered when WRED is enabled
|
CSCsr14267
|
Discovery failure with target os 12.3(9) does not exist
|
CSCsr45265
|
Negation is not getting generated for policies using nonexistent ACL
|
CSCsz79334
|
Deployment fails on changing VTY authentication method frm AAA to local.
|
CSCta73192
|
NTP Authentication key is not negated for Xformer router of type 3945
|
CSCta84886
|
RIP-Deployments fails for RIP policy but CLI are pushed into the device
|
CSCta84894
|
BGP-Unassign bgp pol+Deploy,Deployment fails for 861 Router for 15.0 ima
|
CSCta84907
|
Xformer:Dep BGP+Change AS no. & Dep+Unassign BGP,Deployment fails
|
CSCtf08622
|
CSM will not recognize new AAA syntax from IOS 12.4(22)T
|
Table 6 Cisco IPS and IOS IPS Devices Caveats
Reference Number
|
Description
|
CSCse95933
|
IPS related policies should be listed in device properties page
|
CSCsg25899
|
IPS 6.x pol. should not be listed for 5.x devices in copy & share policy
|
CSCsg38052
|
VLAN groups need to display "unassigned" VLANS
|
CSCsg51052
|
After Abort, progress bar continues to 100% and Status remains = Started
|
CSCsg78129
|
Copy policies betn devices with VS as src only shows VS's as destn
|
CSCsg80289
|
Warning message is displayed during blocking policy deployment.
|
CSCsh02407
|
Autoupdate setting value for a device should be same in device tree.
|
CSCsh36604
|
IPS EAO: After editing a row, the ed. row is displayed as the last row
|
CSCsh52484
|
IPS Licensing Date varies between sensor CLI and sensor
|
CSCsh53265
|
On IPS Update page, checkbox for shared sig. policy can be incorrect
|
CSCsh67506
|
Dynamic IP address IOS router imported by CNS cannot be discovered
|
CSCsh77105
|
During deployment, signatures removed from current.xml
|
CSCsh86189
|
Sig update fails when using HTTP if console logging is on
|
CSCsi01650
|
EAF: Show content option in context menu for victim addr is not working
|
CSCsi26525
|
OOB OPACL changes not resynced after successful deploy
|
CSCsi39380
|
Deployment of NTP policy with policy objects sometimes fails
|
CSCsi44605
|
IPS variable names cannot contain special characters.
|
CSCsi47289
|
Policy object overridden at VS level is not deployed correctly
|
CSCsj60530
|
Inventory alone discovery fails for IPS 6.x device for submit operation
|
CSCsl70245
|
Licensing: Repeated clicking of refresh button shows duplicate entries
|
CSCsm32616
|
CSM - Needs a way to remove old IPS metadata
|
CSCsm72033
|
Deployment Failed error on Event Action Rules
|
CSCso11145
|
CSM daily autodownload every 2 days should start from the present date
|
CSCso11482
|
MultiContext not handled in ApplyIPSUpdate wizard upon SigEditParams
|
CSCso17575
|
Intf Policy copy betn same IPS models but diff interface cards fails
|
CSCsr19163
|
OS Id.'s ->Restrict to these IP address field should not map to pol. obj
|
CSCsr31140
|
Err loading pg if NTP policy from 6.1 dev is copied to 6.0/5.1 dev
|
CSCsv24797
|
CSM shows incorrectly "non retrievable" in the ips license field
|
CSCsv44809
|
Rules and AD profile name changes with multiple vs profile config
|
CSCsv57621
|
IPS Incorrect Interfaces discovery (removed from VS or disabled)
|
CSCsv85664
|
Security Manager swaps names of policies while deploying to device
|
CSCsv91055
|
Security Manager Deployment UI shows OOB for unsupported commands
|
CSCsx72883
|
Link for Interface help for SSC is redirected to Product Overview
|
CSCsx98868
|
IOS IPS: Cannot deploy custom signature for "normalizer" engine
|
CSCsy03168
|
IOS IPS: SDEE properties cannot be discovered if SDEE is disabled
|
CSCsy47123
|
Unable to unshared a shared policy for un-supported platform in dev view
|
CSCsy51377
|
Package download fails with error msg Download not enough space on disk
|
CSCsy56978
|
IOS IPS version should be updated with changes in IOS version
|
CSCsy60393
|
Security Manager does not push "category ios_ips basic" command properly
|
CSCsy89865
|
Not able to do signature update on IPS-4260 running 5.1(8)E2.9S342.0
|
CSCsz33707
|
Licenses are not shown in IPS tab post ACS Integration without refresh
|
CSCsz35545
|
Pre-ACS integrated devices are shown in IPS updates page
|
CSCta90115
|
Cannot deploy service module policy in IOS
|
CSCta93482
|
Deployment fails- shared sig policy with new custom sig to older version
|
CSCtb16577
|
on applying sig pkg to the device, New sig(s) is not listed on sig page
|
CSCtb40828
|
Signature deploy failed with "category ios_ips default" command
|
CSCtb55176
|
Sensor update fails on applying sensor pkg manually with OOB change
|
CSCtc57010
|
No validation for incorrect speed/duplex setting for 10G Interface
|
CSCtc81519
|
IPS Validation warnings still show up after unassigning shared policies
|
CSCte61977
|
Delta shown for user profiles(no conf chng)after remote upgrade ( 3.3.1)
|
CSCte62412
|
Sig package pushed by CSM causing trouble for particular sigs
|
CSCtf32502
|
Deployment changes IPS WEBPORT setting to Default
|
CSCtf40838
|
License Refresh functionality is broken when navigating between tabs
|
CSCtg23806
|
CSM discovery fail when Signature ID 50000 or later is modified
|
CSCtg47573
|
Event Action Filter variable problem
|
CSCtg49034
|
Migration log: IPS backward compatible devices are not reported
|
CSCtg86699
|
Fails to apply a license to IPS
|
CSCtg95401
|
Null Pointer Exception when trying to unassign an IPS signature policy
|
CSCth02638
|
sig 2158.0 remains enabled when updated from CSM
|
CSCth14454
|
CSM Policy view does not save settings when DNS servers are added.
|
CSCth19929
|
CSM 3.3.1: No option for bypass mode configuration for AIP-SSM module.
|
Table 7 Device Management, Discovery, and Deployment Caveats
Reference Number
|
Description
|
CSCsh63248
|
Add field in DM to specify whether device is Admin Context or not
|
CSCsi18673
|
Security Manager deployment may trigger ObjectGroup name warnings.
|
CSCsi18678
|
Security Manager deployment may trigger interface name warnings
|
CSCsk59843
|
DCS to monitor the Admin context CLI
|
CSCsq32343
|
HitCount -- Internal Failure
|
CSCsy98103
|
Config-diff shows diff between two configs though they are exactly same.
|
CSCta39358
|
[Rollback]Rollback is not working properly with ASA
|
CSCtb31451
|
In 3.2.2, database corruption in device_dirty_status table
|
CSCtc77997
|
Missing information in the FQ logic.
|
CSCte65524
|
Failover: Deployment takes a long time
|
CSCtf32208
|
Deployment fails with ACE edit in ACL BB
|
CSCtf51909
|
CSM does not deploy crypto related configuration to AUS
|
CSCtf78036
|
Deployment summary shows successful though deployment not done.
|
CSCtg65526
|
CSM - ace is removed without any reason during the deployment
|
CSCth16062
|
shared credential policy does not modify the CSM used credentials
|
Table 8 Event Viewer Caveats
Reference Number
|
Description
|
CSCtd27974
|
Floating view minimized by default.
|
CSCtd33930
|
Real-time event row selection not retaining
|
CSCtd49651
|
Select all in custom filter with filter criteria not correct.
|
CSCtd59852
|
Custom filter does not remember values when some filter is applied.
|
CSCtd71393
|
Event Viewer must provide the ability to filter in a signature ID
|
CSCtd74239
|
"Backplane" & "physical" interface fields are always blank for events
|
CSCtd80726
|
Time slider doesn't show correct trend for view with long duration.
|
CSCte18239
|
Continue showing 'Navigating to.' dialog even if crosslaunch is canceled
|
CSCte37331
|
Internal error thrown on opening view having BB which is deleted.
|
CSCte37802
|
Custom filters using BB should have view option to see BB contents.
|
CSCte90167
|
[SSL VPN] Explanation and recommended action not displayed correctly.
|
CSCte92834
|
Need to modify format of "IP Log Id" values under "Displayed Fields" tab
|
CSCtf07664
|
No warning if event data store size is reduced than actual stored events
|
CSCtf21124
|
Some of the old event data folder is not getting deleted
|
CSCtf44733
|
EPS statistics not correct for ASA and IPS in Time-slider.
|
CSCtf61897
|
Unselecting a sigId should unselect it under all Signature Categories
|
CSCtf79977
|
Setting log level to SEVERE for Event management logs debug messages
|
CSCtg17154
|
Floating window goes invisible on clicking Cancel Close
|
CSCtg17383
|
Real time events with sort on non-default columns shows empty rows
|
CSCtg34811
|
View creation fails though view with same name not present.
|
CSCtg35646
|
Closing pre-defined view with filter changes should ask for save as.
|
CSCtg45140
|
Custom Filter shows Empty Categories for Syslog and Signature
|
CSCtg46517
|
ASA Eventing: Incorrect event names for some syslogs
|
CSCtg46522
|
ASA Eventing: Partial/Complete parsing issues
|
CSCtg54222
|
Eventing Restore: Restore failing or partially succeeding in some cases
|
CSCtg57676
|
Internal error thrown when portlist is used in service object filter.
|
CSCtg57745
|
Filtering does not work when only protocol name is used in service obj.
|
CSCtg57839
|
Results not correct when network obj with non-contiguous mask is used.
|
CSCtg75129
|
VmsEventServer doesn't come up after CSM DB restore.
|
CSCtg78128
|
Save required after device/BB is deleted and custom view is launched.
|
CSCth04745
|
Event Data Store Location change is not working
|
Table 9 Firewall Services Caveats
Reference Number
|
Description
|
CSCsc22934
|
ACL limitations for Layer 2 interfaces on IOS ISR devices
|
CSCsh68101
|
Activity Report: Issues with access rules table change report
|
CSCsh94210
|
Problems matching interface name when reusing AAA policy objects
|
CSCsi18871
|
Inspect Map: PIX 7.1 gtp-map subcommand order is not preserved
|
CSCsk33350
|
Discovery of PAM Mappings with Inspection Rules is incorrect
|
CSCsk46057
|
Changes to csm.properties files lost during Security Manager upgrade
|
CSCsq75974
|
Static Rules ACL with source interface are not discovered
|
CSCsr25786
|
AAA server object: no error issued when interface not specified
|
CSCsz53354
|
MAC Exempt list cannot be ordered
|
CSCtb00116
|
Wrong error message after sorting the Access control by ACL name
|
CSCtb03821
|
Failover: Deployment fails with subinterface as failover Interface
|
CSCtb51491
|
Delta generated for Object-groups
|
CSCtc43031
|
preview configuration failing network object non-contiguous mask
|
CSCtc43845
|
Failover: ASA license-related deployment failure
|
CSCtc44562
|
DES: Unmanaged policy-map configs removed after discovery
|
CSCtc56731
|
Cannot edit device overrides in nested ACL objects
|
CSCtc77998
|
SNMP Policy: Port field is applicable to only the admin context.
|
CSCtd46245
|
Security Level changes when name of interface changed
|
CSCtd71241
|
Unassign of translation rules should remove object nat rules also
|
CSCte08355
|
Auto NAT: Ordering of Auto NAT rules is not correct.
|
CSCte44602
|
Bottom align single row column headers if other headers are on 2 rows
|
CSCte60495
|
AUS 3.3SP1 'no monitor-interface' ASA base license auto-update failure
|
CSCte68245
|
Duplicate AAA Server Building Blocks.
|
CSCtf08441
|
ZBF:No validation message for protocols unsupported with IOS versions
|
CSCtf32103
|
ACL BB renames if remark is used
|
CSCtf68128
|
Proposed Performance optimization in NAT (translation and simplified)
|
CSCtf71882
|
Deployment failure when Static Route policy uses "all interfaces" role
|
CSCtf86613
|
Generates the duplicate port-map commands with ZBF port-map config
|
CSCtg08943
|
Deployment fails because of duplicate entries in the NAT address pool.
|
CSCtg21437
|
Discovery fails if IOS config contains OGs with name larger than 64 char
|
CSCtg33456
|
Inspection rule with HTTP map - Deploy fails
|
CSCtg44613
|
Interface role added in CLI, while configuring TFTP for system context
|
CSCtg48075
|
Simplified NAT: Additional validation required in Activity Validation
|
CSCtg60293
|
<NAT Rule> select Edit Source, not displaying BB selector Dialog
|
CSCtg64802
|
Edit BB throws Exception, After select OK button,If same name BB present
|
CSCtg67285
|
Simplified NAT: Edit Source not properly changing the Source
|
CSCtg67869
|
DNS cli not generated for 2nd row onwards and double negation cli
|
CSCtg73323
|
Add Singleton network object (host/network) takes more time than groups
|
CSCtg84393
|
Fail to Removing un-reference object-groups leads to deployment fails
|
CSCtg87338
|
CSM 3.3.1 SP1 wrong deployment of ACLs to ISR running 12.4(24)T code
|
CSCtg89541
|
Discovery of asr-group in ASA 8.3.1 on CSM is not displayed
|
CSCtg91677
|
CLI for object generated even when it was not referred
|
CSCth21226
|
CSM ASA discovery fail with exception 'PixF1SystemInterfaceCardType'
|
Table 10 Miscellaneous Caveats
Reference Number
|
Description
|
CSCsi08390
|
IEV installation fails on systems without C: drive
|
CSCsk11268
|
A User Can Open Multiple Sessions in Non-Workflow Mode
|
CSCsk78778
|
Error not shown for unavailable ACE during MARS events lookup
|
CSCsk94278
|
Read-only policy page in MARS is blank after starting Security Manager
|
CSCsm50836
|
MARS credentials retained in cache after changing authentication option
|
CSCsm68564
|
Disabled rules not shown as inactive in read-only policy page in MARS
|
CSCsy30953
|
CSM 3.2.2 does not release feature locks on a discarded activity
|
CSCsy31573
|
Sometimes CSM client hangs on launch
|
CSCsz81607
|
Last run entry not seen in Deployment Schedule on page refresh.
|
CSCta17924
|
MCP: Tunnel packet counters not updated for P2P S2S VPN on VSPA.
|
CSCtb42436
|
Changes made within Security Mgr cannot be saved or applied to device
|
CSCtb81848
|
Security Manager - Server does not start - regdaemon.xml corrupted
|
CSCtc59526
|
Security Manager client performance upgrade
|
CSCtd87603
|
Performance Monitor not generating e-mail alerts
|
CSCte37778
|
Manual NAT: Incomplete display of menu bar
|
CSCtg10817
|
CSM with ACS integration with WF db loaded takes 15 mins to login
|
CSCtg35295
|
failed login attempts don't get logged in the audit log
|
CSCth07721
|
CSM is not prompting for license again when invalid license is given
|
CSCth10625
|
Pro- Time Bound license is behaving like pro- permanent license
|
CSCth15163
|
MCP:Packet In and Out Counters not updated for a device in DMVPN topology
|
Table 11 VPN Device and Configuration Support Caveats
Reference Number
|
Description
|
CSCse94752
|
Support for IOS version 12.2(33)SRA on 7600 devices
|
CSCsg70526
|
EzVPN - default tunnel-groups are not handled by Security Manager
|
CSCsh14709
|
Deployment fails on ASA 5505/PIX 6.3 Easy VPN remote client
|
CSCsh79282
|
Cat6k-SPA GRE+Multicast - unsupported
|
CSCso63006
|
IPSEC VPN import failed when crypto ACL contains intf in source/dest
|
CSCsq66815
|
Side-effects due to missing Protected Network's assignment usage info.
|
CSCsr23893
|
Remote Access VPN - Activity validation reports error for http-form
|
CSCsy83931
|
VPN policy discovery fails when tunnel source defined with IP address.
|
CSCsz79453
|
CS Mgr discovery fails when NAT IP address is configured with LPIT.
|
CSCta92510
|
Regular ipsec discovery - Preshared key Aggressive mode not discovered
|
CSCtc18700
|
CS Mgr 3.3 not showing modified DfltGrpPolicy in RA VPN
|
CSCtd44879
|
CSM Deploy fails if removing web-type ACL that is applied to mult DAPs
|
CSCtd71798
|
CSM: ASA VPN creation/discovery failure if interface ip is not static
|
CSCtg26926
|
CSM - add incomplete smart-tunnel CLI
|
CSCtg98391
|
L2L cannot be discovered if RA was already discovered
|
CSCtg98419
|
CSM removes L2L if RA is discovered after
|
CSCth00332
|
SSLVPN: Full customization file is not copied on to the device
|
CSCth05090
|
VPN on ASA cannot be discovered when infinite keyword is used for DPD
|
Resolved Caveats—Release 4.0 Service Pack 1
The following customer found or previously release noted caveats have been resolved in Cisco Security Maanger 4.0 Service Pack 1.
Reference Number
|
Description
|
CSCtd44879
|
CSM Deploy fails if removing web-type ACL that is applied to mult DAPs
|
CSCtf88750
|
CS admin "logged in users" page shows only one logged in user account
|
CSCtf89506
|
Tacacs+ fallback authentication failure in Security Mgr in non-ACS mode
|
CSCtg06207
|
SSLVPN: Full customization feature is not working.
|
CSCtg98391
|
Lan-to-lan cannot be discovered if RA VPN was already discovered
|
CSCtg98419
|
Discovering RA VPN causes discovered Lan-to-Lan config to be removed
|
CSCth96869
|
Unable to configure Failover
|
CSCti34911
|
NAT Pool error in Security Manager
|
CSCti58861
|
CSM 4.0 discovers ASA 8.3 interfaces with uppercase fails deployment
|
CSCti74087
|
Dynamic NAT: Incorrect Delta generation
|
Resolved Caveats—Release 4.0
The following customer found or previously release noted caveats have been resolved in this release.
Reference Number
|
Description
|
CSCsi11419
|
Rollback sometimes fails with LAN Failover enabled
|
CSCsm93970
|
Green field device Preview config does not show IPS pull down option
|
CSCsq87565
|
certificate-to-connection-profile map policy does not support map name
|
CSCsr46030
|
Copy Interface & VS policy from a 6.1(1)E2 to 6.1(1)E2 fails
|
CSCsr54842
|
The upgrade of IPS device from 3.0.2 to 3.2 is not correct in CCO doc.
|
CSCsv15135
|
CSM: Deleting / re-adding IPS device caused DB integrity issue
|
CSCsv59057
|
Sigupdate failed to an IOS device with NME module
|
CSCsv98168
|
Static routing option on DMVPN generates incorrect routes on hub
|
CSCsw38628
|
SSLVPN - No validation for Access Interface > Max Session Limit
|
CSCsw44997
|
ZBFW: ActRpt - Create Map, Overrride - not shown correctly
|
CSCsx20448
|
IPS 6.2 unsupported devices should not be shown for Update
|
CSCsx52318
|
IPS Editing service ports for signatures throws error
|
CSCsz43257
|
Cannot do "no dns server-group DefaultDNS"
|
CSCsz46172
|
CSM Client stuck in Initializing
|
CSCsz60736
|
CS Mgr not generating a workable configuration with unique tunnel source
|
CSCsz63632
|
CSM: UserID containing \a and \b are unable to generate activity reports
|
CSCsz72524
|
DMVPN does not work even though spoke connectivity is selected.
|
CSCsz74628
|
Performance Monitor: Packet counters not updated in RA-VPN device page.
|
CSCta33520
|
long job names causing MDCSupport.exe to fail
|
CSCta62903
|
CSM incorrectly marks services like 'tcp/1234' as invalid format
|
CSCta76862
|
Deployment fails when an access rule is added, edited or deleted
|
CSCta86315
|
DMVPN-Discovery+deploy - NHRP auth value changed
|
CSCta92949
|
QoS-CSM pushes incorrect cli for Queue limit option if no option is def
|
CSCtb04099
|
Deployment fails when configuring numbered ACL for QOS policy
|
CSCtb10469
|
NAT: Negation of CLI is not generated for "nat-control"
|
CSCtb10579
|
Multiline AuthProxy Banners lead to Deployment Failures
|
CSCtb20773
|
Discover does not work correctly
|
CSCtb25669
|
Edit Signature Parameter of New E4 engines gives strange errors
|
CSCtb34158
|
Global correlation policies show up blank after major ver sensor update
|
CSCtb34238
|
Bookmark is displayed empty during discovery for group policy.
|
CSCtb40971
|
CSM: IOS-IPS Signature Deployment fails
|
CSCtb43369
|
Deployment fails when deleting redundant interface assigned to ACL
|
CSCtb75312
|
Hit Count - Hit Count Internal Failure error
|
CSCtb77960
|
Qos: Cannot save changes for default class for an ASR
|
CSCtb81245
|
No Entry in Config Archive when deploy includes User Accounts Policy
|
CSCtb81691
|
Deploy/discovery of IPS Appliances fail with "cannot identify user" error
|
CSCtb97623
|
FWSM contexts not shown correctly in MCP
|
CSCtb97789
|
View tab in "managing devices" in MCP not working
|
CSCtc01735
|
IpsSensorUpdate policy locks device; device cannot be deleted
|
CSCtc17882
|
Activity Validation causes MOP error on interface
|
CSCtc29327
|
In 3.3, Sensors with Policy or Assignment Locked
|
CSCtc29610
|
After policies copied to an ASA 5580, validation takes more than 3.5 hrs
|
CSCtc30623
|
Global Settings - Save button does not work
|
CSCtc35113
|
Space in notification e-mail causes deployment error
|
CSCtc36711
|
CSM 3.x - Intermittent activity report PDF creation failure
|
CSCtc43399
|
Ability to add RDP2 plugin to ASA not supported
|
CSCtc49458
|
IOS Inspection rule with port number >6000 generated incorrectly
|
CSCtc49550
|
Stack overflow error with network BB override option- Router
|
CSCtc51619
|
Deployment failed for ISR G2 with IOS 15.0 FCS build
|
CSCtc53906
|
crl configure - policy value always set to both
|
CSCtc53977
|
Banner is added two times to the full config during discovery
|
CSCtc54330
|
Cannot duplicate Service object that has override values
|
CSCtc55570
|
Upgrade of CSM HA setup does not check proper perl file replacement
|
CSCtc59058
|
MCP does not retain changes for multi-context FWSM contexts overnight
|
CSCtc63141
|
Security Manager: fail to launch packet capture tool
|
CSCtc66901
|
Upgrade to 7.0.2(E3) fails in deployment
|
CSCtc70513
|
Deployment failing with unmanaged plug-ins
|
CSCtc76822
|
SSL VPN discovery fails because of CSD package size
|
CSCtc79621
|
CSM client installation "Could not create the Java virtual machine."
|
CSCtc81240
|
CSM negates IP Pool if its associated to ISAKMP Pol
|
CSCtc81467
|
Client unresponsive when move back and next in add new device window
|
CSCtc82027
|
CSM: Doc bug in User Guide, does not provide steps to restore database
|
CSCtc84865
|
CSM ACL generation issue with nested service object-groups
|
CSCtc85407
|
CSM generates unnecessary delta with ip reordered for network object
|
CSCtc90943
|
CSM Can no associate more than 91 subinterface on an IPS Virtual Sensor
|
CSCtc93470
|
CSM install should exit if cu is installing CSM on non En/Ja Local
|
CSCtd04149
|
CSM will not parse the output of "copy startup tftp:" command properly
|
CSCtd05878
|
CSM doesn't push DMVPN Phase 2 configuration
|
CSCtd07260
|
Deployment fails citing error userAccount policy after upgrade to 3.3.1
|
CSCtd16208
|
Un-sharing of Logging Setup Policies not working under Policy View
|
CSCtd21108
|
Deployment Manager shows job failed, transcript shows job successful
|
CSCtd34189
|
CSM3.3.1: VACLPlugin throws exception/failure during config deployment
|
CSCtd35839
|
CSM - IPS 7.x editHasNoEffect received after config change
|
CSCtd43885
|
CSM not taking into account device override for PIX 6.3 aaa settings
|
CSCtd44879
|
CSM Deploy fails if removing web-type ACL that is applied to mult DAPs
|
CSCtd45488
|
CSM Does not support LOCAL-CASE for PPP Authentication
|
CSCtd46152
|
CSM inserting "inspect dns maximum-length 0" for default value on FWSM
|
CSCtd60636
|
CSM - crypto ca certificate map is not negated when deleted from CSM
|
CSCtd60716
|
CSM trying to negate remarks coming from another firewall ACL
|
CSCtd66177
|
DMVPN discovery fails if the OSPF area is in dot-decimal form
|
CSCtd68888
|
CSM - HitCount - java exception if "hitcount=*"
|
CSCtd83082
|
CSM: Discovering devices may fail after installing CSM
|
CSCtd85260
|
Performance can be improved by optimizing NetworkBBValidator.validate
|
CSCte01104
|
Deployment failed due to an internal error in plugin RaVpnServicePlugin
|
CSCte01154
|
CSM 3.3 might not remove ZBF ACL although it is not referenced in config
|
CSCte02948
|
CSM - support for File Transfer via xLaunch ASDM
|
CSCte12616
|
CSM - ASA QOS - wrong cli generated
|
CSCte13300
|
CSM Deploys "isakmp am-disable" Command at Every Deployment
|
CSCte27865
|
CSM delivers corrupted clear config to AUS
|
CSCte29186
|
Credentials for AUS deployment must avoid special characters
|
CSCte29323
|
CSM autoupdate job creates 2 activities instead of one
|
CSCte36775
|
CSM 3.3.x - sending incorrect AAA accounting default priv 0 config
|
CSCte40414
|
CSM/FWSM displays static routes with FALSE keyword in tunneled column
|
CSCte47079
|
CSM 3.3.1 and ASA Static NAT Rules
|
CSCte63231
|
CSM not generating delta for NAT after NAT rules and global pool removed
|
CSCte66136
|
ASDM real-time log viewer not working if launched from CSM
|
CSCte68254
|
"IPS, QOS and Connection Rules" policy generates large policy map name.
|
CSCte81069
|
CSM incorrectly handles nested service object groups
|
CSCte81211
|
CSM: Network Object Import Does Not Correctly Handle Network Range
|
CSCte83219
|
CSM - preview gives error in set trustpoint after VPN creation
|
CSCte83575
|
CSM: Network Object Import Does Not Correctly Import Nested Objects
|
CSCte92704
|
DDP not generating delta when all the dynamic nat rules are deleted
|
CSCtf00371
|
Split tunnel ACL generated with missing "standard" keyword
|
CSCtf09901
|
CSM generates wrong CLI for Hub-Spoke VPN on ASA
|
CSCtf15421
|
Apache crashes with ap_ctx_get()+9 byte(s). Frequently with multi-user
|
CSCtf19972
|
CSM adds unnecessary static route for GRE-IPSEC config
|
CSCtf21033
|
CSM: Use of space in src network causes ACL deletion
|
CSCtf24320
|
AAA serial console sometimes not showing
|
CSCtf30527
|
CSM: Import Script Case Sensitivity is Inconsistent
|
CSCtf36203
|
Cannot import a PIX running 6.3 into MCP.
|
CSCtf70104
|
SSL VPN Customization file size grow with every deployment in CSM
|
CSCtf75961
|
DOC: CSM serial deployment knob for FWSM contexts needs documenting
|
CSCtf94768
|
IPS license act validation takes a long time if sensor unreachable
|
CSCtg02063
|
CSM 3.3.0: Assigning shared policy to "Allowed Hosts" fails deployment
|
CSCtg60036
|
CSM: EDS & dependent processes not coming up in HA/DR failover scenario
|
CSCtg80784
|
CSM package registration causing Out of memory
|
Resolved Caveats—Releases Prior to 4.0
For the list of caveats resolved in releases prior to this one, see the following documents:
•http://www.cisco.com/en/US/products/ps6498/prod_release_notes_list.html
Where to Go Next
If you want to:
|
Do this:
|
Install Security Manager server or client software.
|
See Installation Guide for Cisco Security Manager 4.0.
|
Understand the basics.
|
See the interactive JumpStart guide that opens automatically when you start Security Manager.
|
Get up and running with the product quickly.
|
See "Getting Started with Security Manager" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.0.
|
Complete the product configuration.
|
See "Completing the Initial Security Manager Configuration" in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.0.
|
Manage user authentication and authorization.
|
See the following topics in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 4.0.
•Setting Up User Permissions
•Integrating Security Manager with Cisco Secure ACS
|
Bootstrap your devices.
|
See "Preparing Devices for Management" in the online help, or see Chapter 5 of User Guide for Cisco Security Manager 4.0.
|
Install entitlement applications.
|
Your Security Manager license grants you the right to install certain other applications—including specific releases of RME and Performance Monitor—that are not installed when you install Security Manager. You can install these applications at any time. See the Introduction to Component Applications section in Chapter 1 of Installation Guide for Cisco Security Manager 4.0.
|
Product Documentation
For the complete list of documents supporting this release, see the release-specific document roadmap:
•Guide to User Documentation for Cisco Security Manager
http://www.cisco.com/en/US/products/ps6498/products_documentation_roadmaps_list.html
Lists document set that supports the Security Manager release and summarizes contents of each document.
•For general product information, see:
http://www.cisco.com/go/csmanager
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Product Documentation" section.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved.
Feedback
