Cisco Cyber Threat Defense

Cisco Cyber Threat Defense 1.1.2 Release Notes

  • Viewing Options

  • PDF (274.2 KB)
  • Feedback


This document contains the following sections:


New Features, Supported Hardware and Software


Related Documentation


The Cisco® Cyber Threat Defense Solution (CTD) combines the following elements to improve the detection and remediation of advanced cyber threats within the Cisco network:

Unique interior network traffic telemetry using the scalable unsampled NetFlow capabilities of Cisco Catalyst® switches, Cisco routers, and Cisco NetFlow Generation Appliances (NGAs), as well as NetFlow Security Event Logging (NSEL) from Cisco ASA 5500 Series Adaptive Security Appliances.

Network traffic analysis capabilities provided by the Lancope StealthWatch products. (Cisco has partnered with Lancope to jointly develop and offer the Cisco Cyber Threat Defense Solution.)

Contextual information including user and device identity from the Cisco Identity Services Engine (ISE), Network Address Translation (NAT) from ASA firewalls, and Network-Based Application Recognition (NBAR) from Cisco routers.

The CTD solution is published as a Cisco Validated Design. More information about the Validated Design program can be found by visiting

New Features, Supported Hardware and Software

Highlights of New Features in StealthWatch 6.5

New capabilities added to the CTD solution in StealthWatch 6.5 include:

Introduction of a web-based user interface for threat visibility, including a global threats map, new security alarm indicators, new views (host list and user list), and simplified customization of the display

Job management display for flow queries

Ability to run and save flow queries for later reuse

Expanded ability to define custom security events

Redesigned online help facility

Please refer to the Lancope StealthWatch 6.5.0 Release Notes for details on the new features and fixes introduced in this release.

New Cisco Platforms Validated in Cyber Threat Defense 1.1.2

In addition to Lancope StealthWatch 6.5 software, Cyber Threat Defense 1.1.2 adds support for the Cisco Catalyst Series 3850 Series Switches. It also updates the Cisco ISE integration how-to document in the Cisco Validated Design.

Cisco Hardware and Software Components of Cyber Threat Defense 1.1.2

Version 1.1.2 of the Cyber Threat Defense was validated against the specific combinations of hardware and software shown in the tables below. Table 1 shows the Cisco Catalyst switch series that incorporate hardware support for line-rate unsampled NetFlow export. Table 2 shows other Cisco hardware platforms included in this Cisco Validated Design release.

Table 1. Cisco Catalyst Switches Capable of Line-Rate Unsampled NetFlow


Hardware Required

Recommended Software Release

Catalyst 3560-X and 3750-X

Cisco service module

Cisco IOS 15.0.2SE4

Catalyst 3850 Series


Cisco IOS XE 3.3.0SE

Catalyst 4500 Series

Supervisor Engine 7-E, 7L-E, or 8-E

Cisco IOS XE 3.3.0SG

Catalyst 6500 Series

Supervisor Engine 2T

Cisco IOS 15.0.1SY1

Additional information regarding Cisco Catalyst switches and Cisco IOS NetFlow can be found at and

Table 2. Cisco Router, ASA 5500, ISE, and NGA Software Recommendations


Recommended Software Version

Cisco Integrated Services Router (ISR) G2

Cisco IOS 15.3.2T

Cisco ASR 1000 Series Aggregation Services Routers

Cisco IOS XE 3.9S

Cisco ASA 5500 Series Adaptive Security Appliances

Cisco ASA Software Release 8.4.5 or
Cisco ASA Software Release 9.1.2

Cisco Identity Services Engine (ISE)

Cisco ISE Release 1.2.1

Cisco NetFlow Generation Appliance (NGA)

Cisco NGA Release 1.0.2


Open Caveats

Table 3 contains open caveats that are known to apply to this Validated Design at the time of release, with Cisco and Lancope defect-tracking numbers where applicable.

Table 3. Open Caveats

Cisco ID

Lancope ID



SWD-4627, LSQ-1352

500 error on web GUI for specific username


SWD-4582, LSQ-1321

HTML not escaped in saved query description



ISE deprioritizes authentication syslog messages under heavy load, possibly leading to incomplete identity information in SMC



SMC shows duplicate identities under certain situations

Resolved Caveats

Table 4 contains caveats that affected previous versions of this Cisco Validated Design and are resolved in this release.

Table 4. Resolved Caveats

Cisco ID

Lancope ID




Response time of ISE RESTful API degrades with large numbers of endpoints

Release Notes for Component Products

Please consult the product release notes listed in Table 5 for product-specific caveats regarding any Cisco products integrated with the Cyber Threat Defense Solution. Note that a account may be necessary to view these documents.

Table 5. Release Notes for Component Products


Release Notes

Cisco Catalyst 3560-X or 3750-X with Catalyst 3K-X 10G Service Module

Cisco Catalyst 4500 with Supervisor Engine 7-E, 7L-E, or 8-E

Cisco Catalyst 6500 with Supervisor Engine 2T-10GE

Cisco Catalyst 3850 Series

Cisco Integrated Services Routers G2

Cisco ASR 1000 Series Aggregation Services Routers

Cisco ASA 5500-X Series Adaptive Security Appliances

Cisco Identity Services Engine

Cisco NetFlow Generation Appliance

Related Documentation

Design and implementation guides and other reference materials are available at