Release Notes for Cisco Security Manager 4.11
Supported Component Versions and Related Software
Service Pack 1 Download and Installation Instructions
Service Pack 2 Download and Installation Instructions
Obtain Documentation and Submit a Service Request
Note Use this document in conjunction with the documents identified in Obtain Documentation and Submit a Service Request. The online versions of the user documentation are also occasionally updated after the initial release. As a result, the information contained in the Cisco Security Manager end-user guides on Cisco.com supersedes any information contained in the context-sensitive help included with the product.
This document contains release note information for the following:
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of device grouping capabilities and objects and policies that can be shared.
Note Before using Cisco Security Manager 4.11, we recommend that you read this entire document. In addition, it is critical that you read the Important Notes, the Installation Notes, and the Installation Guide for Cisco Security Manager 4.11 before installing Cisco Security Manager 4.11.
The Cisco Security Management Suite of applications includes several component applications plus a group of related applications that you can use in conjunction with them. The following table lists the components and related applications, and the versions of those applications that you can use together for this release of the suite. For a description of these applications, see the Installation Guide for Cisco Security Manager 4.11.
Note For information on the supported software and hardware that you can manage with Cisco Security Manager, see the Supported Devices and Software Versions for Cisco Security Manager online document under Cisco Security Manager Compatibility Information on Cisco.com.
Cisco Security Manager 4.11 Service Pack 1
In addition to resolved caveats, this release includes the following new features and enhancements:
Support for ASA 9.6(1) version
Support for Cisco Firepower 4000 Series appliances has been added in Security Manager version 4.11. The following devices are supported:
Other Enhancements in Cisco Security Manager 4.11
Security Manager now supports high-availability on VMware based solutions using ESXi 6.0.
Please refer to the Installation Guide for Cisco Security Manager 4.11 for specific installation instructions and for important information about client and server requirements. Before installing Cisco Security Manager 4.11, it is critical that you read the notes listed in this section and the Important Notes.
– Logging in to the web server
– Performing successful backups of all databases
– Microsoft Windows Server 2012 R2 Standard—64-bit
– Microsoft Windows Server 2012 Standard—64-bit
– Microsoft Windows Server 2012 R2 Datacenter—64-bit
– Microsoft Windows Server 2012 Datacenter—64-bit
– Microsoft Windows 7 SP1 Enterprise—64-bit and 32-bit
– Microsoft Windows 8.1 Enterprise Edition—64-bit and 32-bit
– Microsoft Windows Server 2008 R2 with SP1 Enterprise—64-bit
– Microsoft Windows Server 2012 R2 Standard—64-bit
– Microsoft Windows Server 2012 Standard—64-bit
– Microsoft Windows Server 2012 R2 Datacenter—64-bit
– Microsoft Windows Server 2012 Datacenter—64-bit
– Internet Explorer 8.x, 9.x, 10.x, or 11.x, but only in Compatibility View
– Firefox 15.0.1 and above supported and recommended
– Ensure that all applications that you are upgrading are currently functioning correctly, and that you can create valid backups (that is, the backup process completes without error). If an application is not functioning correctly before an upgrade, the upgrade process might not result in a correctly functioning application.
Note It has come to Cisco’s attention that some users make undocumented and unsupported modifications to the system so that the backup process does not back up all installed CiscoWorks applications. The upgrade process documented in the installation guide assumes that you have not subverted the intended functioning of the system. If you are creating backups that back up less than all of the data, you are responsible for ensuring you have all backup data that you require before performing an update. We strongly suggest that you undo these unsupported modifications. Otherwise, you should probably not attempt to do an inline upgrade, where you install the product on the same server as the older version; instead, install the updated applications on a new, clean server and restore your database backups.
To download and install Security Manager 4.11 service pack 1, follow these steps:
Note You must install the Cisco Security Manager 4.11 FCS build on your server before you can apply this service pack.
Step 1 Go to http://www.cisco.com/go/csmanager, and then click Download Software for this Product under the Support heading on the right side of the screen.
Step 2 Enter your user name and password to log in to Cisco.com.
Step 3 Click Security Manager 4.11 in the rightmost column.
Step 4 Click Security Manager (CSM) Software and then click 4.11sp1 under Latest.
Step 5 Download the file CSM4.11.0Service_Pack1.exe.
Step 6 To install the service pack, close all open applications, including the Cisco Security Manager Client.
Step 7 If Cisco Security Agent is installed on your server, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
Step 8 Run the CSM4.11.0Service_Pack1.exe file that you previously downloaded.
Step 9 In the Install Cisco Security Manager 4.11 Service Pack 1 dialog box, click Next and then click Install in the next screen.
Step 10 After the updated files have been installed, click Finish to complete the installation.
Step 11 On each client machine that is used to connect to the Security Manager server, you must perform the following steps to apply the service pack before you can connect to the server using that client:
a. If Cisco Security Agent is installed on the client, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
b. Launch the Security Manager client.
You will be prompted to “Download Service Pack”.
c. Download the service pack and then launch the downloaded file to apply the service pack.
Step 12 (Optional) Go to the client installation directory and clear the cache, for example, <Client Install Directory>/cache.
Step 13 (Optional) Configure SSL certificates or self-signed certificates for OpenSSL:
a. Stop the CSM Daemon service [net stop crmdmgtd]
b. If you have your own SSL certificates configured, you can reconfigure the certificates as per the steps outlined in the link below:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/ciscoworks_lan_management_solution/4-2/user/guide/admin/admin/appendixcli.html#wp1016314
c. For self-signed certificates, from the command prompt navigate to the <CSCOpx>\MDC\Apache directory, and then execute the gencert.bat file.
(where <CSCOpx> is your installation directory)
To download and install Security Manager 4.11 service pack 2, follow these steps:
Note You must install the Cisco Security Manager 4.11 FCS build on your server before you can apply this service pack.
Step 1 Go to http://www.cisco.com/go/csmanager, and then click Download Software for this Product under the Support heading on the right side of the screen.
Step 2 Enter your user name and password to log in to Cisco.com.
Step 3 Click Security Manager 4.11 in the rightmost column.
Step 4 Click Security Manager (CSM) Software and then click 4.11sp2 under Latest.
Step 5 Download the file CSM4.11.0Service_Pack2.exe.
Step 6 To install the service pack, close all open applications, including the Cisco Security Manager Client.
Step 7 If Cisco Security Agent is installed on your server, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
Step 8 Run the CSM4.11.0Service_Pack2.exe file that you previously downloaded.
Step 9 In the Install Cisco Security Manager 4.11 Service Pack 2 dialog box, click Next and then click Install in the next screen.
Step 10 After the updated files have been installed, click Finish to complete the installation.
Step 11 On each client machine that is used to connect to the Security Manager server, you must perform the following steps to apply the service pack before you can connect to the server using that client:
a. If Cisco Security Agent is installed on the client, manually stop the Cisco Security Agent service from Start > Settings > Control Panel > Administrative Tools > Services.
b. Launch the Security Manager client.
You will be prompted to “Download Service Pack”.
c. Download the service pack and then launch the downloaded file to apply the service pack.
Step 12 (Optional) Go to the client installation directory and clear the cache, for example, <Client Install Directory>/cache.
Step 13 (Optional) Configure SSL certificates or self-signed certificates for OpenSSL:
a. Stop the CSM Daemon service [net stop crmdmgtd]
b. If you have your own SSL certificates configured, you can reconfigure the certificates as per the steps outlined in the link below:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/ciscoworks_lan_management_solution/4-2/user/guide/admin/admin/appendixcli.html#wp1016314
c. For self-signed certificates, from the command prompt navigate to the <CSCOpx>\MDC\Apache directory, and then execute the gencert.bat file.
(where <CSCOpx> is your installation directory)
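A check worth running between Step 5 and Step 8 of either service pack procedure, before the downloaded installer is executed on the management server. This is an added example, not part of the Cisco release notes. It assumes PowerShell 4.0 or later (for Get-FileHash), that a SHA-512 checksum is shown alongside the download, and that the script and parameter names are illustrative.

```powershell
# Added example (not Cisco's): pre-install integrity checks for a downloaded
# service pack installer such as CSM4.11.0Service_Pack1.exe or ..._Pack2.exe.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,   # path to the downloaded .exe
    [Parameter(Mandatory)] [string] $ExpectedSha512   # checksum shown with the download (assumption)
)
$ErrorActionPreference = 'Stop'
$file = Get-Item -LiteralPath $InstallerPath

# 1. Authenticode: a tampered or untrusted signature is a hard failure.
#    Whether the installer is signed at all is not stated on this page, so an
#    unsigned file only produces a warning and the checksum becomes the sole check.
$sig = Get-AuthenticodeSignature -FilePath $file.FullName
switch ($sig.Status) {
    'Valid'     { Write-Host "Signed by: $($sig.SignerCertificate.Subject)" }
    'NotSigned' { Write-Warning 'No Authenticode signature; relying on the checksum only.' }
    default     { throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)" }
}

# 2. Checksum: reject a malformed expected value rather than comparing against it.
$expected = $ExpectedSha512 -replace '\s', ''
if ($expected -notmatch '^[0-9a-fA-F]{128}$') {
    throw 'ExpectedSha512 must be 128 hexadecimal digits.'
}
$actual = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA512).Hash
if ($actual -ne $expected) {          # -ne is case-insensitive for strings
    throw "SHA-512 mismatch for $($file.Name). Do not run this file."
}

Write-Host "$($file.Name): checksum matches ($($file.Length) bytes). Safe to continue with Step 6."
```

Keep the script output with the change record for the upgrade so the installed build can be traced back to a verified file.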
The following notes apply to the Security Manager 4.11 release:
– OSPF for IOS routers—Security Manager supports OSPF policy for routers running the IOS Software version 12.2 and later. However, Security Manager does not support OSPF policy for Catalyst devices. Therefore when you configure the OSPF policy in a Catalyst device and perform the discovery in Security Manager, the latter removes the ‘no passive-interface <interface number>’ command from the full configuration. Therefore you will see a difference in the Security Manager-generated configuration and the configuration on the device.
– VLAN—Security Manager supports discovery of the VLAN command in IOS devices but does not support the dynamic behavior of the VLAN command. If there are user-driven changes in the VLAN policy, Security Manager generates the command in the delta and full configuration. In other words, in a normal preview or deployment, Security Manager does not generate the VLAN command in the full configuration. Therefore you will see a difference between the Security Manager-generated configuration and the configuration on the device.
– The dynamic behavior of failover devices such as ASA and IOS is not supported in Cisco Security Manager, because CSM does not identify the failover LAN unit as primary or secondary. However, after an HA switchover on ASA, CSM continues to manage the secondary unit with the active IP.
Therefore these policies are managed by default in a fresh 4.8 version, or higher, installation. However, if you are upgrading Security Manager from version 4.7 to 4.8, or from version 4.7 to 4.9, by default the said policies will be unmanaged for both inline and remotely upgraded servers.
If you are upgrading from Security Manager 4.7 to 4.9, in addition to the SSL and EIGRP ASA policies, the following ASA policies will also be unmanaged:
If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to this version of Security Manager. If you deploy back to the device, these commands are removed from the device because they are not part of the target policies configured in Security Manager. We recommend that you set the correct values for the newly added attributes in Security Manager so that the next deployment will correctly provision these commands. You can also rediscover the platform settings from the device; however, you will need to take necessary steps to save and restore any shared Security Manager policies that are assigned to the device.
Note If a route-map is configured on the ASA and the same route-map is used in OSPF policy, after upgrading to Security Manager 4.9 from Security Manager 4.7, the OSPF page will show a red-banner. To overcome this issue, you must rediscover the ASA.
When upgrading an ASA device from 8.4.x to 9.0.1, the device policies will be converted to the unified format. You can rediscover the unified NAT rules using the NAT Rediscovery option or you can convert the existing NAT policies to unified NAT policies with the help of the rule converter in Security Manager. For more information, see http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-6/user/guide/CSMUserGuide/porules.html#pgfId-161507 or the “Converting IPv4 Rules to Unified Rules” topic in the online help.
You can also use the rule converter for the other firewall rules like access rules, AAA rules, and inspection rules if you want to manage these policies in unified firewall rules format.
—from any lower version to 8.3(1) or higher
—from 8.3(x) to 8.4(2) or higher
you must rediscover the device in Security Manager. This is required due to significant policy changes between the two releases.
For detailed information on these scenarios, refer to the section titled “Validating a Proposed Image Update on a Device” in the User Guide for Cisco Security Manager 4.11 at the following URL:
http://www.cisco.com/c/en/us/support/security/security-manager/products-user-guide-list.html
You can use the Get SNMP Engine ID button on the SNMP page to retrieve the engine ID from the device currently functioning as the cluster master unit.
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
All open bugs severity 3 and higher for version 4.11 are included in the following search:
– CSCuz39846 —CSM 4.11 SP1 client installation issue on 32 bit server
All resolved caveats for each version are included in the following searches:
For the list of caveats resolved in releases prior to this one, see the following documents:
http://www.cisco.com/c/en/us/support/security/security-manager/products-release-notes-list.html
See the interactive JumpStart guide that opens automatically when you start Security Manager.
See “Getting Started with Security Manager” in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.11.
See “Completing the Initial Security Manager Configuration” in the online help, or see Chapter 1 of User Guide for Cisco Security Manager 4.11.
See the following topics in the online help, or see Chapter 7 of Installation Guide for Cisco Security Manager 4.11.
See “Preparing Devices for Management” in the online help, or see Chapter 2 of User Guide for Cisco Security Manager 4.11.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.
To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What’s New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.