These release notes are for use with Cisco Security Manager 4.2.
Security Manager 4.2 is now available. Registered SMARTnet users can obtain release 4.2 from the Cisco support website by going to http://www.cisco.com/go/csmanager and clicking Download Software in the Support box.
Note Use this document in conjunction with the documents identified in Product Documentation. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on Cisco.com supersedes any information contained in the context-sensitive help included with the product. For more information about specific changes, please see Where to Go Next.
This document contains release note information for the following:
Cisco Security Manager 4.2 (Including Service Pack 1) — Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, VPN, and IPS services across IOS routers, PIX and ASA security appliances, IPS sensors and modules, and some services modules for Catalyst 6500 switches and some routers. (You can find complete device support information under Cisco Security Manager Compatibility Information on Cisco.com.) Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, and logging.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.
Auto Update Server 4.2 — The Auto Update Server (AUS) is a tool for upgrading PIX security appliance software images, ASA software images, PIX Device Manager (PDM) images, Adaptive Security Device Manager (ASDM) images, and PIX security appliance and ASA configuration files. Security appliances with dynamic IP addresses that use the auto update feature connect to AUS periodically to upgrade device configuration files and to pass device and status information.
Performance Monitor 4.2 — Performance Monitor is a browser-based tool that monitors and troubleshoots the health and performance of services that contribute to network security. It helps you to isolate, analyze, and troubleshoot events in your network as they occur, so that you can increase service availability. Supported service types are remote-access VPN, site-to-site VPN, firewall, Web server load-balancing, and proxied SSL.
Note Before using Cisco Security Manager 4.2, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes, the Installation Notes, and the Installation Guide for Cisco Security Manager 4.2 before installing or upgrading to Cisco Security Manager 4.2.
This document lists the ID numbers and headlines for issues that may affect your operation of the product. This document also includes a list of resolved problems. If you accessed this document from Cisco.com, you can click any ID number, which takes you to the appropriate release note enclosure in the Bug Toolkit. The release note enclosure contains symptoms, conditions, and workaround information.
Supported Component Versions and Related Software
The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 4.2.
Note For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on Cisco.com.
Table 1 Supported Versions for Components and Related Applications
Cisco Security Manager
Auto Update Server
CiscoWorks Common Services
Resource Manager Essentials (RME)
Cisco Security Monitoring, Analysis and Response System (CS-MARS)
Cisco Secure Access Control Server (ACS) for Windows
Cisco Secure ACS Solution Engine 4.1(4) is also supported.
You can use other versions of Cisco Secure ACS if you configure them as non-ACS TACACS+ servers. A non-ACS configuration does not provide the granular control possible when you configure the server in ACS mode.
In addition to resolved caveats, this release includes the following new features and enhancements:
Support for ISR ScanSafe integration, a cloud-based SaaS (Software as a Service) feature that can transparently redirect selected traffic for content scanning and malware protection. You can use ScanSafe Web Security to provide differentiated services to particular users, user groups, and IP addresses.
Support for the Cisco Catalyst 6500 Series ASA Services Module running ASA Software Release 8.5(1). Event Viewer and Report Manager work with this new service module. However, the service module does not support VPN configuration, so reports related to VPN are not applicable.
Support for ASA Software release 8.4(2), including the following features:
– Identity-aware firewall, allowing you to create ACL rules that are sensitive to the Active Directory (AD) username or user group membership of the person sending traffic through the ASA. Additionally, you can use fully-qualified domain names (FQDN) for source or destination rather than IP addresses. There are new policy objects for Identity User Group and FQDN network/host objects, and all device policies that allow identity-aware ACLs are supported: AAA rules, access rules (IPv4 and IPv6), inspection rules, Botnet Traffic Filter classification, and service policy rules. A new policy, Identity Options, identifies the AD servers, AD agents, and other identity-related settings.
– PAT Pool, Round Robin, No Proxy ARP, and Route Lookup features have been added to Manual NAT rules. With PAT Pool, you can define a pool of IP addresses specifically for PAT, and you can select a “round robin” algorithm for port allocation during PAT.
– Event Viewer includes new columns for user name and FQDN information in syslog messages that include them. There are new syslog messages related to identity-aware firewall: 746001-746019.
– Support for IPv6 addresses for DNS servers.
– You can now configure an ASA to permit or deny VPN connections from endpoints with an AnyConnect Essentials license on a per-dynamic access policy (DAP) basis. The following mobile platforms support this capability: AnyConnect for iPhone/iPad/iPod versions 2.5.x and AnyConnect for Android versions 2.4.x. It is not required to enable CSD to configure these specific attributes.
– Support for a new policy pushed down to the AnyConnect Secure Mobility Client for resolving DNS addresses over split tunnels. This policy applies to VPN connections using the SSL or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the AnyConnect client does not try to resolve the address through public DNS servers.
– Auto Update Server and Performance Monitor support.
Support for Cisco IOS Software Release 15.2(1)T on 88x, 89x, 19xx, 29xx, and 39xx routers only. ScanSafe is the only supported new feature in this version.
Support for IPS modules on ASA 5585 with Cisco ASA 5585 IPS Security Services Card.
A new generic router support model. If an Integrated Services Router (ISR) or Aggregation Services Router (ASR) model is not explicitly supported, you can manage the device as a generic router. The available features depend on the software version running on the device.
You can now choose between client and server file systems when performing the following file operations:
– Installing Security Manager license files
– Importing/exporting device inventory files
– Importing/exporting shared policies
– Creating the following file objects: Cisco Secure Desktop Package, Plug-In, AnyConnect Profile, AnyConnect Image, Hostscan Image
VMware ESX 4.1 and VMware ESXi 4.1 are supported with this release of Security Manager.
AUS 4.2 is supported with this release of Security Manager.
Performance Monitor 4.2 is supported with this release of Security Manager.
Do not modify casuser (the default service account) or the directory permissions that are established during installation of the product. Doing so can prevent you from doing the following:
– Logging in to the web server
– Logging in to the client
– Performing successful backups of all databases
You can install Security Manager server software directly, or you can upgrade the software on a server where Security Manager is installed. The Installation Guide for Cisco Security Manager for this release of the product explains which previous Security Manager releases are supported for upgrade and provides important information regarding server requirements, server configuration, and post-installation tasks.
Before you can successfully upgrade to Security Manager 4.2 from a prior version of Security Manager, you must make sure that the Security Manager database does not contain any pending data, in other words, data that has not been committed to the database. If the Security Manager database contains pending data, you must commit or discard all uncommitted changes, then back up your database before you perform the upgrade. The Installation Guide for Cisco Security Manager for this release contains complete instructions on the steps required for preparing the database for upgrade.
We do not support installation of Security Manager on a server that is running any other web server or database server (for example, IIS or MS-SQL). Doing so might cause unexpected problems that may prevent you from logging into or using Cisco Security Manager.
Be aware of the following important points before you upgrade:
– Ensure that all applications that you are upgrading are currently functioning correctly, and that you can create valid backups (that is, the backup process completes without error). If an application is not functioning correctly before an upgrade, the upgrade process might not result in a correctly functioning application.
Note It has come to Cisco’s attention that some users make undocumented and unsupported modifications to the system so that the backup process does not back up all installed CiscoWorks applications. The upgrade process documented in the installation guide assumes that you have not subverted the intended functioning of the system. If you are creating backups that back up less than all of the data, you are responsible for ensuring you have all backup data that you require before performing an update. We strongly suggest that you undo these unsupported modifications. Otherwise, you should probably not attempt to do an inline upgrade, where you install the product on the same server as the older version; instead, install the updated applications on a new, clean server and restore your database backups.
– If you install RME on the same server as Security Manager, do not apply the MDF.zip file available with the RME IDU patch. Applying this file will damage the device support files in Security Manager, and you will need to contact Cisco Technical Support to correct the problem. If you install RME on a server separate from Cisco Security Manager, this restriction does not apply.
– If you upgrade to Security Manager 4.2 from Security Manager 3.3.x, you may experience large delta configurations due to changes that were implemented after Security Manager 3.3.1. For more information, please see CSCta56918 and CSCth52454.
Service Pack 1 Download and Installation Instructions
To download and install service pack 1, follow these steps:
Note You must install the Cisco Security Manager 4.2 FCS build on your server before you can apply this service pack.
Step 2 Enter your user name and password to log in to Cisco.com.
Step 3 Click Security Manager (CSM) Software, expand the 4.2 folder under All Releases, and then click 4.2sp1.
Step 4 Download the file fcs-csm-42-sp1-win-k9.exe.
Step 5 To install the service pack, close all open applications, including the Cisco Security Manager Client.
Step 6 If Cisco Security Agent is installed on your server, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
Step 7 Run the fcs-csm-42-sp1-win-k9.exe file that you previously downloaded.
Step 8 In the Install Cisco Security Manager 4.2 Service Pack 1 dialog box, click Next and then click Install in the next screen.
Step 9 After the updated files have been installed, click Finish to complete the installation.
Step 10 On each client machine that is used to connect to the Security Manager server, you must perform the following steps to apply the service pack before you can connect to the server using that client:
a. If Cisco Security Agent is installed on the client, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
b. Launch the Security Manager client.
You will be prompted to “Download Service Pack”.
c. Download the service pack and then launch the downloaded file to apply the service pack.
Step 11 (Optional) Go to the client installation directory and clear the cache, for example, <Client Install Directory>/cache.
Cisco IPS 7.1(4)E4 Service Pack Download and Installation Instructions
This section describes how to download and apply the IPS 7.1(4)E4 service pack to sensors using Cisco Security Manager 4.2 Service Pack 1, or a later release.
Cisco IPS 7.1(4)E4 is supported on the following platforms:
ASA 5585-X IPS SSP-10
ASA 5585-X IPS SSP-20
ASA 5585-X IPS SSP-40
ASA 5585-X IPS SSP-60
Note Before you can manage IPS 7.1(4)E4 in Cisco Security Manager, you must upgrade to Cisco Security Manager 4.2 Service Pack 1, or a later release.
To apply IPS 7.1(4)E4 to a sensor using Security Manager 4.2 Service Pack 1, or a later release, follow these steps:
Step 1 Download the service pack ZIP file, IPS-CSM-K9-7.1-4-E4.zip, to the <CSM-install-dir>/MDC/ips/updates directory.
Step 2 Launch the IPS Update Wizard from Tools > Apply IPS Update.
Step 3 Select Sensor Updates from the drop-down menu, select the IPS-CSM-K9-7.1-4-E4.zip file, and then click Next.
Step 4 Select the device(s) to which you want to apply the service pack, then click Finish.
Step 5 Deploy these changes to the affected sensors using Deployment Manager. Deployment Manager can be launched from Manage > Deployments.
The following notes apply to the Security Manager 4.2 release:
You cannot use Security Manager to manage an ASA 8.3+ device if you enable password encryption using the password encryption aes command. You must turn off password encryption before you can add the device to the Security Manager inventory.
If you upgrade an ASA to release 8.3(x) or higher from 8.2(x) or lower, you must delete the device from the Security Manager inventory and add it back again for the policies to work correctly.
ASA 8.3 ACLs use the real IP address of a device, rather than the translated (NAT) address. During upgrade, rules are converted to use the real IP address. All other device types, and older ASA versions, used the NAT address in ACLs.
The device memory requirements for ASA 8.3 are higher than the requirements for older ASA releases. Ensure that the device meets the minimum memory requirement, as explained in the ASA documentation, before upgrade. Security Manager blocks deployment to devices that do not meet the minimum requirement.
Dynamic failover behavior of devices such as ASA and IOS is not supported in Cisco Security Manager, because CSM does not identify the failover LAN unit as primary or secondary. However, after an HA switchover on an ASA, CSM continues to manage the secondary unit through the active IP address.
If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to this version of Security Manager. If you deploy back to the device, these commands are removed from the device because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.
A Cisco Services for IPS service license is required for the installation of signature updates on IPS 5.x+ appliances, Catalyst and ASA service modules, and router network modules.
Do not connect to the database directly, because doing so can cause performance reductions and unexpected system behavior.
Do not run SQL queries against the database.
If an online help page displays blank in your browser view, refresh the browser.
Cisco Secure ACS 5.0 is not supported by Security Manager 4.2.
If you do not manage IPS devices, consider the following performance tuning step. In $NMSROOT\MDC\ips\etc\sensorupdate.properties, change the value of packageMonitorInterval from its default of 30,000 milliseconds to the less frequent 600,000 milliseconds. This improves performance somewhat. ($NMSROOT is the full path of the Common Services installation directory; the default is C:\Program Files\CSCOpx.)
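The tuning step above is a single key change in a Java-style properties file, but editing that file by hand on a production server risks clobbering other settings or losing the original. The following script is an added example, not part of these release notes or of the Security Manager product: it changes packageMonitorInterval in place while leaving every other line and comment untouched, writes a .bak copy first, and does nothing if the value is already set. The sample file contents are constructed for illustration; the other keys and comments in the real sensorupdate.properties are assumptions and are not taken from the release notes.

```python
"""Safely set one key in a Java-style .properties file (added example, not Cisco code)."""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample; only packageMonitorInterval and its default of 30000 ms come
# from the release notes. The comment line and the second key are assumptions.
SAMPLE_PROPERTIES = """\
# IPS sensor update settings (constructed sample)
packageMonitorInterval=30000
someOtherSetting=true
"""

KEY = "packageMonitorInterval"
DEFAULT_INTERVAL_MS = 30000   # documented default
TUNED_INTERVAL_MS = 600000    # documented less-frequent value


def _key_pattern(key: str) -> "re.Pattern[str]":
    # Match "key=value" or "key : value" with optional surrounding whitespace.
    # Comment lines (# or !) never match because the key must start the line.
    return re.compile(r"^(\s*)" + re.escape(key) + r"(\s*[=:]\s*)(.*)$")


def get_property(text: str, key: str) -> Optional[str]:
    """Return the value of `key`, or None if the key is not present."""
    pattern = _key_pattern(key)
    for line in text.splitlines():
        match = pattern.match(line)
        if match:
            return match.group(3).strip()
    return None


def set_property(text: str, key: str, value: str) -> str:
    """Return `text` with `key` set to `value`; other lines are preserved verbatim.

    The first occurrence is rewritten keeping its original indentation and
    separator; if the key is absent, a new `key=value` line is appended.
    """
    pattern = _key_pattern(key)
    out = []
    found = False
    for line in text.splitlines():
        match = pattern.match(line)
        if match and not found:
            out.append(f"{match.group(1)}{key}{match.group(2)}{value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def tune_sensor_update_file(path: Path, interval_ms: int = TUNED_INTERVAL_MS) -> bool:
    """Back up `path` and set packageMonitorInterval; return True if the file changed."""
    original = path.read_text(encoding="utf-8")
    current = get_property(original, KEY)
    if current is not None and current.isdigit() and int(current) == interval_ms:
        return False  # already tuned; leave the file and its timestamp alone
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(set_property(original, KEY, str(interval_ms)), encoding="utf-8")
    return True


def demo_tune_in_tempdir() -> Tuple[bool, bool, str]:
    """Run the tuning twice on a throwaway copy of the sample file.

    Returns (changed_first_run, changed_second_run, backup_contents).
    """
    workdir = Path(tempfile.mkdtemp())
    props = workdir / "sensorupdate.properties"
    props.write_text(SAMPLE_PROPERTIES, encoding="utf-8")
    first = tune_sensor_update_file(props)
    second = tune_sensor_update_file(props)
    backup = (workdir / "sensorupdate.properties.bak").read_text(encoding="utf-8")
    return first, second, backup


if __name__ == "__main__":
    # On a real server, point this at $NMSROOT\MDC\ips\etc\sensorupdate.properties
    # (default C:\Program Files\CSCOpx) instead of the temporary copy used here.
    print(demo_tune_in_tempdir())
```

Pointing tune_sensor_update_file at the real path under $NMSROOT applies the documented change; the .bak copy and the idempotent check mean the script can be re-run safely after an upgrade that resets the file.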
The IPS packages included with Security Manager do not include the package files that are required for updating IPS devices. You must download IPS packages from Cisco.com or your local update server before you can apply any updates. The downloaded versions include all required package files and replace the partial files that are included in the Security Manager initial installation.
This section describes the open and resolved caveats with respect to this release.
For your convenience in locating caveats in Cisco’s Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
Note In some instances, a known problem might apply to more than one area, for example, a PIX device might encounter a problem during deployment. If you are unable to locate a particular problem within a table, expand your search to include other tables. In the foregoing example, the known problem might be listed in either the Deployment table or the PIX/ASA/FWSM Configuration table.
Table 2 ASA, PIX, and FWSM Firewall Devices Caveats
Your Security Manager license grants you the right to install certain other applications—including specific releases of RME and Performance Monitor—that are not installed when you install Security Manager. You can install these applications at any time. See the Introduction to Component Applications section in Chapter 1 of Installation Guide for Cisco Security Manager 4.2.
For the complete list of documents supporting this release, see the release-specific document roadmap:
Guide to User Documentation for Cisco Security Manager
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.