Table Of Contents
Release Note for the Cisco Guard Appliance
Contents
New Features in Software Version 6.0(5)
Upgrading to Software Version 6.0(x)
Operating Considerations
MultiDevice Manager Commands Omitted from the Configuration Guide
mdm logging trap Command
mdm restore Command
show mdm Command
Software Version 6.0(10) Open and Resolved Caveats
Software Version 6.0(10) Open Caveats
Software Version 6.0(10) Resolved Caveats
Software Version 6.0(5) Open and Resolved Caveats
Software Version 6.0(5) Open Caveats
Software Version 6.0(5) Resolved Caveats
Related Documentation
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Note for the Cisco Guard Appliance
July 16, 2007
Note 
The most current Cisco documentation for released products is available on Cisco.com.
Contents
This release note applies to software versions 6.0(10) and 6.0(5) for the Cisco Guard appliance (Guard). This release note contains the following sections:
•New Features in Software Version 6.0(5)
•Upgrading to Software Version 6.0(x)
•Operating Considerations
•MultiDevice Manager Commands Omitted from the Configuration Guide
•Software Version 6.0(10) Open and Resolved Caveats
•Software Version 6.0(5) Open and Resolved Caveats
•Related Documentation
•Obtaining Documentation, Obtaining Support, and Security Guidelines
New Features in Software Version 6.0(5)
The following new features are available in software version 6.0(5):
•Support for the 2007 daylight saving time (DST) change.
•Ability to set the TACACS+ sever port.
•Ability to set the TACACS+ encryption key.
Upgrading to Software Version 6.0(x)
In software version 4.x, the Guard allowed you to configure illegal subnet masks. In software version 5.1(4), the Guard checks to ensure that subnet masks are legal. When you upgrade from a software version prior to 5.1(4) to version 6.0(x), the Guard corrupts all zone configurations that contain an illegal subnet mask. To prevent the Guard from corrupting a zone configuration that contains an illegal subnet mask, configure the zone configuration with a legal subnet mask by performing the following steps prior to upgrading the software:
Step 1 Use the no ip address command to delete the subnet mask.
Step 2 Use the ip address command to configure the subnet mask with a legal subnet.
For details on configuring zone IP addresses, see the "Configuring the Zone IP address Range" section in the Cisco Guard Configuration Guide.
Software upgrade instructions are located in the "Upgrading the Guard Software Version" section in the the Cisco Guard Configuration Guide.
Operating Considerations
The following operating considerations apply to the Cisco Guard:
•The Guard operates using a self-protection configuration to protect itself from DDoS attacks on the network. Cisco configures the self-protection configuration with a set of default parameter values, which you can modify.
When upgrading the Guard to software version 6.0(x) from a version previous to 5.1(5), the existing self-protection configuration is overwritten by the new configuration contained in the upgrade. If you had modified the self-protection configuration of the previously installed software, you need to make the same modifications to the new self-protection configuration. Do not copy your original self-protection configuration to the Guard as the original configuration will block access to one or both of the following ports when attempting to access the Guard through an inline interface:
–Ports 3220 and 1334 if you upgrade from a software version prior to 5.1(5). Port 3220 was added to versions 5.0(x) and 5.1(x). Port 1334 was added to version 5.1(5).
Note that if you reinstall software version 5.1(5) or higher after modifying the self-protection configuration, your changes to the configuration remain intact. Upgrading from software version 5.1(5) to a higher version will also leave your modified self-protection configuration intact.
•The copy ftp command supports active mode only.
MultiDevice Manager Commands Omitted from the Configuration Guide
Three commands related to the Cisco DDoS MultiDevice Manager (MDM) software functionality on the Guard were introduced in software version 5.1(5), but were omitted from the Cisco Guard User Guide. The following sections describe these commands:
•mdm logging trap Command
•mdm restore Command
•show mdm Command
mdm logging trap Command
To configure traps for MDM logging, use the mdm logging trap command in global configuration mode. To disable logging functions, use the no form of this command.
The syntax for this command is as follows:
mdm logging trap {alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}
The following table describes the keywords for the mdm logging trap command.
alerts
|
Immediate action needed (severity=1).
|
critical
|
Critical conditions (severity=2).
|
debugging
|
Debugging messages (severity=7).
|
emergencies
|
System is unusable (severity=0). This is the default.
|
errors
|
Error conditions (severity=3).
|
informational
|
Informational messages (severity=6).
|
notifications
|
Normal but significant conditions (severity=5).
|
warnings
|
Warning conditions (severity=4).
|
For example, to capture and log informational messages, use the mdm logging trap informational command in global configuration mode.
user@GUARD# configure
user@GUARD-conf# mdm logging trap informational
mdm restore Command
When you enable the MDM service on the Guard to allow you to manage the device using the MDM, the MDM automatically upgrades the RA on the device when it initiates a communication link with the device. While the MDM is upgrading the device RA, the operating state displays on the MDM as Initializing. The state changes to Connected when the RA upgrade is complete.
When a device appears to be constantly in a state of initialization, it may indicate that the MDM is attempting to upgrade the device RA but cannot do so.
Use the mdm restore command to resolve issues with upgrading and connecting the device RA. To return the device Remote Agent (RA) to the stub and force the MDM to reinstall the latest RA version, use the mdm restore command in global configuration mode.
The syntax for this command is as follows:
mdm restore
For example:
user@GUARD# configure
user@GUARD-conf# mdm restore
show mdm Command
To check the status of MDM connections and settings, use the show mdm command in EXEC mode.
The syntax for this command is as follows:
show mdm
For example:
The following table describes the fields in the show mdm display.
Field
|
Description
|
MDM service state
|
Operating state of the MDM service: enabled or disabled.
|
MDM servers
|
List of MDM servers that you define on the device (permitting them to access the device) and the state of the key exchange process with each of the servers: key exchange is complete or key exchange is required.
|
Connected managers
|
MDM server currently connected to and managing the device.
|
MDM syslog level
|
Setting of the syslog server logging level: alerts, critical, debugging, emergencies, errors, informational, notifications, warnings.
|
Software Version 6.0(10) Open and Resolved Caveats
The following sections contain the open and resolved caveats in software version 6.0(10):
•Software Version 6.0(10) Open Caveats
•Software Version 6.0(10) Resolved Caveats
Software Version 6.0(10) Open Caveats
The following caveats are open in software version 6.0(10):
•CSCrh01198—After you reload the Guard, it erases the default gateway if the gateway is on the same subnet as one of the configured VLAN interfaces on the Guard. Workaround: Use a static route instead of a default gateway.
•CSCsa64914—The name of the Flexible Filter Drop Count counter in the WBM Zone>Configuration>General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the Flex-Content filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as:
–Drop, the Flexible Filter Count value displays the number of dropped packets
–Count, the Flexible Filter Count value displays the number of counted packets
•CSCsa78440—The protect-by-packet activation interface does not apply to zones that are on the same subnet as the Guard. Workaround: Use a different activation interface.
•CSCsb07081—The flex-content filter cannot find a pattern in SYN packets.
•CSCsb20206—The WBM remains unresponsive while the pop up window waits for results from the signature generation process. Even if you close the pop up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop up window receives a result, or issue the no service wbm CLI command in configuration mode.
•CSCsb26519—If you configure the protect-by-packet activation method on one of the zones, the Guard fails to handle several thousands of dynamic routes injected. Workaround: Either deactivate the protect-by-packet or limit the number of incoming dynamic routes not to exceed 16,000.
•CSCsb29083—You cannot assign an identical name to manual packet dumps that you create in different zones. Workaround: Assign unique names to manual packet dumps.
•CSCsc05116—The Guard may stop functioning or start logging errors after reaching 100% anomaly detection engine memory utilization. Workaround: Use the show resources command in global mode to view the amount of anomaly detection engine memory currently being used by the Guard. Reducing the number of active zones may free up memory.
•CSCsc36095—Loopback interfaces 100 and higher disappear or become proxy interfaces when you upgrade from previous software versions to software version 5.1(4) or higher. Workaround: Renumber loopback interfaces before upgrading the Guard from a version prior to 5.1(4) to version 6.0(x).
•CSCsc49737—The accelerator card may fail to load on the first attempt during the reload or bootup process. The Guard issues and logs an error message. The Guard attempts two additional loads.
•CSCsc51207—The Guard does not evaluate all conditions defined in the flex-content filter when the filter is built from more than one offset-based elements (for example, udp[64:4]=0x1234) with "or" between them. If one of the elements has an offset beyond the packet end, the Guard does not evaluate the rest of elements. Workaround: Build the filter in a form in which its elements are ordered by an offset.
•CSCsc69508—After importing an HTML file to serve as login banner, some SSH clients may not be able to connect to the Guard. Workaround: Remove the login banner.
•CSCsc77155—After a Guard reloads 1,024 consecutive times, it cannot be accessed from the network. Workaround: Reboot the Guard.
•CSCsd39569—After several hundred consecutive reloads, the Guard may automatically reboot. Workaround: None.
•CSCsd59648—A GRE keepalive does not work if you configure it before there is connectivity on a GRE tunnel. Workaround: Make sure the GRE tunnel is up and connected before configuring a keepalive on the tunnel.
•CSCsd59673—The Guard does not respond to incoming GRE keepalive messages unless the keepalive is configured on its GRE interface.
•CSCsd82140—The Guard black-holes traffic when you configure floating static (redundant) routes and the network interface of the best route is shut down and then restarted. Workaround: Either reload the Guard or manually update the routes within router configuration mode.
•CSCsd83077—The Guard responds to a larger size packet than the MTU value set for its network interfaces.
•CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the more 0 command.
•CSCse19834—Activating a zone with a combination of a large number of subnets and excluded subnets may take a few seconds to several minutes, depending on the number of subnets (excluded or included).
•CSCse27876—When you press Ctrl-C during an import of a new software version or configuration, you interrupt the import process and the CLI session may get disconnected. Workaround: Do not press Ctrl-C during the import process.
•CSCse31042—A zone configuration with ip_scan or port_scan policies cannot be imported into the Guard. Workaround: None.
•CSCse43115—A BGP error message is displayed when malformed BGP related packets are sent directly to the Guard IP address. Workaround: None.
•CSCsg42338—The Guard CPU usage may reach 100%. Workaround: Reboot the Guard.
•CSCsg94911—When a physical interface goes down, the virtual interfaces that use the physical interface are not brought down, which results in black-holing the traffic. Workaround: Manually deactivate the relevant zones on the Guard.
•CSCsi07283—The Web-Based Manager (WBM) does not reflect changes to the TimeZone definition until after the Guard is rebooted. Workaround: Reboot the Guard.
•CSCsi18583—The Guard drops the last TCP ACK on the outgoing traffic. Workaround: Create a bypass filter for the source IP address that is experiencing authentication problems.
•CSCsi21984—When using the WBM, browsing to a zone page is very slow after the zone has been active for a long time and the zone logs become extremely long. Workaround: Export the zone logs to an external server and then clear the log files from the Guard database.
•CSCsi50185—When synchronizing time with an NTP server, the Guard intermittently detects a major clock change (16 seconds or more) and issues a log message. Workaround: None.
•CSCsi61341—The Guard leaves the TCP timestamp option in the SYN ACK reply. Workaround: None.
•CSCsj27292—The Guard does not count bypass filters correctly, which may cause the watchdog to reload the Guard. Workaround: Remove all bypass filters that are not needed.
•CSCuk54606—When activating a zone by issuing the protect or the learning commands, the Guard displays the following error message even when the configuration is correct and traffic diversion is working properly:
no injection path
The Guard may display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address (for example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25). Workaround: Configure a default injection route for the Guard, or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses as 192.168.254.0/25 and 192.168.254.128/25.
Software Version 6.0(10) Resolved Caveats
The following caveats were resolved in software version 6.0(10):
•CSCsh92933—After entering the tacacs authorization exec tacacs+ command, the show running-config command does not display the tacacs authorization exec tacacs command in the configuration output.
•CSCsi2905, CSCsi17169 —When accepting the thresholds during the learning process, the Guard intermittently encounters an error when accepting some of the thresholds.
•CSCsi23637—When using the WBM, TACACS+ login authentication falls back to local authentication even if the TACACS+ server rejects the authentication.
•CSCsi65071—A flex-content filter with a single byte tcpdump expression may not detect the byte in the zone traffic.
•CSCsi67008—A flex-content filter tcpdump expression does not examine the last byte of a packet.
•CSCsi70650—The watchdog process intermittently becomes stuck on one of the child processes.
•CSCsi78741—The internal watchdog constantly reloads the Guard and the accelerator card is unresponsive. The log contains many "cannot read counters" errors.
•CSCsi89346—The Guard stops processing traffic. Traffic is not diverted to the Guard.
Software Version 6.0(5) Open and Resolved Caveats
The following sections contain the open and resolved caveats in software version 6.0(5):
•Software Version 6.0(5) Open Caveats
•Software Version 6.0(5) Resolved Caveats
Software Version 6.0(5) Open Caveats
The following caveats are open in software version 6.0(5):
•CSCrh01198—After you reload the Guard, it erases the default gateway if the gateway is on the same subnet as one of the configured VLAN interfaces on the Guard. Workaround: Use a static route instead of a default gateway.
•CSCsa64914—The name of the Flexible Filter Drop Count counter in the WBM Zone>Configuration>General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the Flex-Content filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as:
–Drop, the Flexible Filter Count value displays the number of dropped packets
–Count, the Flexible Filter Count value displays the number of counted packets
•CSCsa78440—The protect-by-packet activation interface does not apply to zones that are on the same subnet as the Guard. Workaround: Use another activation interface.
•CSCsb07081—The flex-content filter cannot find a pattern in SYN packets.
•CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop up window waits for results from the signature generation process. Even if you close the pop up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop up window receives a result, or issue the no service wbm CLI command in configuration mode.
•CSCsb26519—The Guard fails to handle several thousands of dynamic routes injected if you configure the protect-by-packet activation method on one of the zones. Workaround: Either deactivate the protect-by-packet or limit the number of incoming dynamic routes not to exceed 16,000.
•CSCsb29083—You cannot use the same name to create packet dumps in different zones. Workaround: Assign unique names to manual packet dumps.
•CSCsc05116—The Guard may stop functioning or start logging errors after reaching 100% anomaly detection engine memory utilization. Workaround: Use the show resources command in global mode to view the amount of anomaly detection engine memory currently being used by the Guard. Reducing the number of active zones may free up memory.
•CSCsc36095—Loopback interfaces 100 and higher disappear or become proxy interfaces when you upgrade from previous software versions to software version 5.1(4) or higher. Workaround: Renumber loopback interfaces before upgrading the Guard from a version prior to 5.1(4) to version 6.0(5).
•CSCsc49737—The accelerator card may fail to load on the first attempt during the reload or bootup process. The Guard issues an error message and shows it in the logs. The Guard attempts two additional loads.
•CSCsc51207—The Guard does not evaluate all conditions defined in the flex-content filter when the filter is built from more than one offset-based elements (for example, udp[64:4]=0x1234) with "or" between them. If one of the elements has an offset beyond the packet end, the Guard does not evaluate the rest of elements. Workaround: Build the filter in a form in which its elements are ordered by an offset.
•CSCsc69508—After importing an HTML file to serve as login banner, some SSH clients may not be able to connect to the Guard. Workaround: Remove the login banner.
•CSCsc77155—After a Guard reloads 1,024 consecutive times, it cannot be accessed from the network. Workaround: Reboot the Guard.
•CSCsd39569—After several hundred consecutive reloads, the Guard may automatically reboot. Workaround: None.
•CSCsd59648—A GRE keepalive does not work if you configure it before there is connectivity on a GRE tunnel. Workaround: Make sure the GRE tunnel is up and connected before configuring keepalive on the tunnel.
•CSCsd59673—The Guard does not respond to incoming GRE keepalive messages unless the keepalive is configured on the Guard GRE interface.
•CSCsd82140—The Guard black-holes traffic when you configure floating static (redundant) routes and the network interface of the best route is shut down and then restarted. Workaround: Either reload the Guard or manually update the routes within router configuration mode.
•CSCsd83077—The Guard responds to a bigger size packet than the MTU value set for its network interfaces.
•CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the more 0 command.
•CSCse19834—Activating a zone with a combination of a large number of subnets and excluded subnets may take a few seconds to several minutes, depending on the number of subnets (excluded or included).
•CSCse27876—When you press Ctrl-C during an import of a new software version or configuration, you interrupt the import process and the CLI session may get disconnected. Workaround: Do not press Ctrl-C during the import process.
•CSCse31042—A zone configuration with ip_scan or port_scan policies cannot be imported into the Guard. Workaround: None.
•CSCse43115—A BGP error message is displayed when malformed BGP related packets are sent directly to the Guard's IP address. Workaround: None.
•CSCuk54606—When activating a zone by issuing the protect or the learning commands, the Guard displays the following error message even when the configuration is correct and traffic diversion is working properly:
no injection path
The Guard may display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address (for example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25). Workaround: Configure a default injection route for the Guard, or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses as 192.168.254.0/25 and 192.168.254.128/25.
Software Version 6.0(5) Resolved Caveats
The following caveats were resolved in software version 6.0(5):
•CSCsb33259— The graphs for the show counters history, show rates history, and the WBM traffic rates only show current rates. The graphs do not show logs for the zone. This occurs when the zone is active, but there is no activity (that is, there is no traffic) on it.
•CSCsc85020—The graph interpolates the end of an attack curve with current time instead of the real end of attack time.
•CSCse64988—When you use the WBM to add a service to a zone, service thresholds are set to zero and are not tuned.
•CSCsf01438—A vulnerability in the Cisco Guard may enable an attacker to send a web browser client to a malicious website with the use of Cross Site Scripting (XSS) when the Guard is providing anti-spoofing services between the web browser client and a web server. The attacker may exploit this by providing a malicious URL for the web browser client to go to, often in email, followed off of a malicious website, or in an instant message. This issue may occur even if the protected website does not allow XSS. A software upgrade is required to fix this vulnerability. There is a workaround available to mitigate the effects of the vulnerability. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20060920-guardxss.shtml
•CSCsf02506—When you use the WMB to show zone general information, the error message may appear on the first try: "Unexpected error".
•CSCsg22709—When you add a service in a WBM comparison screen, the service is not added to the zone. This occurs when you compare a zone with a snapshot.
•CSCsg53101—When you use the WBM excessively, the RAM disk becomes filled with logs before the logrotate policy removes old logs. This situation may cause the Guard to become unstable and inaccessible.
Related Documentation
The following Guard documents are available:
•Cisco Guard and Traffic Anomaly Detector Hardware Installation and Configuration Note
•Cisco Guard Configuration Guide
•Cisco Guard Web-Based Manager Configuration Guide
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Feedback
