Table of Contents
Release Notes for Cisco Security Manager Version 1.1
October 5, 1999
These release notes pertain to Cisco Security Manager Version 1.1.
Cisco Security Manager is a scalable, comprehensive security policy management system for Policy Enforcement Points (PEPs), specifically PIX Firewalls. With Cisco Security Manager, Cisco Systems customers can define, distribute, enforce, and audit multiple distributed firewall security policies from a central location. As the management cornerstone of the Cisco end-to-end security product line and a fundamental element of CiscoAssure Policy Networking, Cisco Security Manager can dramatically simplify firewall management.
This section describes the significant changes in a feature or functionality found in Cisco Security Manager. However, this section does not address the caveats resolved as part of the ongoing maintenance and development of this product.
New or improved features and functionality in Cisco Security Manager improve your experience and provide enhanced support for managing your network security. The following list identifies such features and functionality:
- Topology Wizard. (new) This wizard enables you to add easily any gateway object, such as a PEP, and all network objects that are required to successfully install that gateway object.
- SSL Support. (new) A session between a web browser and the reporting agent can be encrypted using the Secure Sockets Layer (SSL) protocol. For information on configuring your web browser to use SSL, refer to Chapter 7, "Maintaining Cisco Security Manager," in Cisco Security Manager Tutorial.
- Route Generation. (improved) Routes are now generated for arbitrary network topologies. The route generation is no longer restricted to simple network topologies that involve network shortcuts.
- What's This? Help. (new) Field-level context help can be accessed by right-clicking on a label or control within the user interface.
Deprecated features are those features and functionality that will be removed from Cisco Security Manager in an upcoming release. You should avoid becoming dependent on these features and familiarize yourself with those features that replace the deprecated ones. You should consider the following features, found in Cisco Security Manager Version 1.0 and Version 1.1, deprecated:
- Network Wizard. This wizard's functionality is replaced by three features:
- You can add a Cisco Security Manager host to the Network Topology tree by defining the network on which that server resides and then defining a new host node under that network. You are prompted to specify whether you want to add the Cisco Security Manager host, which is automatically populated, or define another host manually.
- The General panel on the Network Topology node enables you to remove required and previously defined network objects.
- The Topology Wizard enables you define and discover the settings for gateway objects.
- Interface Wizard. The Topology Wizard enables you to manually define or automatically discover the interface settings on a PEP, such as a PIX Firewall.
You can install Cisco Security Manager on any computer that meets the minimum hardware requirements and that runs Microsoft Windows NT Server version 4.0 or Windows NT Workstation version 4.0 using an NTFS file partition. You can also install the user interface for Cisco Security Manager on a computer that runs Windows NT 4.0, Windows 95, or Windows 98. The demo version also runs on Windows NT 4.0, Windows 95, or Windows 98.
Cisco Security Manager also requires several pieces of requisite software to operate as intended, including the following:
- The server must be partitioned using NTFS---not FAT
- Service Pack 4 for Windows NT (to update files in the operating system)
- Microsoft Internet Explorer version 4.01 (for displaying generated system reports)
- HTML Help version 1.22 support (for viewing online HTML-based Help topics)
You must also have the TCP/IP protocol stack installed and operating correctly on each computer before you begin installation. The Autostart utility makes fulfilling the software requirements easy by checking the target computer for all requisites and then allowing you to install any missing requisites before continuing with the setup program. You cannot proceed with the setup program unless you install all requisite software.
The computer or computers on which you install Cisco Security Manager must meet the minimum hardware requirements; otherwise, we cannot guarantee the integrity and functionality of the system that you install. To ensure optimal performance, though, you should install Cisco Security Manager on computers that meet or exceed these recommended hardware requirements.
Note You should define the virtual memory settings for your Windows NT computer to be at least two times the physical memory installed in the computer. To reduce fragmented memory allocation and improve efficiency, you should also specify the same value for the Initial Size and Maximum Size boxes in the Virtual Memory dialog box, which you can access from the Performance panel of the My Computer property sheet.
- 200 MHz Pentium processor
- 96 MB of RAM memory
- 2 GB free hard drive space
- 1 or more properly configured network adapter cards
- 1024 x 768 video adapter card capable of at least 64K color
- SVGA color monitor
- CD-ROM drive (preferably Autorun-enabled)
- Modem (optional for pager notifications)
- Mouse
- 400 MHz Pentium II processor or greater
- 128 MB of RAM memory or greater
- 4 GB free hard drive space or greater
- 1 or more properly configured network adapter cards
- 1024 x 768 video adapter card capable of at least 64K color
- Sound card with speakers/headphones (optional for audio support in training videos)
- SVGA color monitor
- CD-ROM drive (Autorun-enabled)
- Modem (optional for pager notifications)
- Mouse
This section identifies the PEPs, such as PIX Firewalls, currently supported by Cisco Security Manager. Cisco Security Manager supports Ethernet, Token Ring, and FDDI interfaces installed in the PIX Firewalls.
Cisco Security Manager Version 1.1 supports PIX Firewall 10000, 510, 515, and 520 models running software version 4.2.4, 4.2.5, 4.4.1, and 4.4.2.
The following software either is known to conflict with Cisco Security Manager or has not been extensively tested with this product:
- CSCdk95263: Cisco Security Manager only supports specific PIX Firewall software versions
- Currently, the only supported versions of PIX Firewall software are versions 4.2.4, 4.2.5, 4.4.1, and 4.4.2.
- CSCdm35411, CSCdm35416, CSCdm35421, CSCdm35427, CSCdm35430: GUI only supports the U.S. version of Windows NT
- Currently, the only supported operating system is the U.S. version of Windows NT 4.0, running Service Pack 4. This product has not been tested with non-U.S. versions of the operating system.
- Cisco Security Manager has not been tested with Microsoft Internet Explorer 5.0
- This product has not been tested with the final release of Internet Explorer 5.0. At this time, no known issues exist; however, running Cisco Security Manager on a host with Internet Explorer 5.0 is not supported, nor is it supported on a workstation used for remote administration of Cisco Security Manager.
- Cisco Security Manager has not been tested with Windows NT Service Pack 5
- This product has not been tested with Windows NT Service Pack 5. As a result, you cannot install Cisco Security Manager on a host that is running Service Pack 5.
- CSCdm93310: CHC does not respond to service manager on exit before 01/01/1999
- Cisco Security Manager operates from 01/01/1999 through 12/31/2035. If you attempt to run the Cisco Controlled Host Component outside this time range, it may stop responding to the Windows NT Service Control Manager (SCM) and you may get an application event that states the service hung on starting. The only way to get the service working properly again is to change the date to a valid date (within the operational period specified above) and reboot the computer.
- CSCdk95012: Incompatible Software
- The preview release of Internet Explorer 5.0 causes the toolbars to appear improperly (they are very small boxes) in the GUI. It also affects the navigation toolbar within the embedded HTML viewer accessed through View Reports on the Tools menu of the GUI.
- The final release of Microsoft Visual Studio version 6.0 prevents HTML Help from working correctly. This problem affects the Help systems provided with the setup program, Installation Manager, and the GUI.
- The pre-releases of Microsoft Visual InterDev version 6.0 and Visual J++ version 6.0 cause the GUI to crash when you try to access the embedded Microsoft HTML Help control from View Reports on the Tools menu and from Product Information on the Help menu.
- The uncompiled HTML documentation does not work with Netscape Navigator version 4.04 or earlier. This incompatibility is due to the use of style sheets and DHTML.
For instructions about managing your installed Cisco Security Manager server, refer to Appendix B, "Upgrading, Downgrading, Reinstalling, and Uninstalling" of the Cisco Security Manager Installation Guide document.
The following note applies to installing any release or install type of Cisco Security Manager:
- Demo installation requirements
- To install the Demo, your computer only needs Internet Explorer 3.02 or later. However, the CD-ROM does not include this version of Internet Explorer. It only includes Internet Explorer 4.01 as part of the Windows NT SP4 setup.
- CSCdp07697: Gravy.cpm file not included in demo install
- The demo file,
gravy.cpm, was removed from Cisco Security Manager 1.1. However, the shortcut used by the demo program was not updated to reflect this change. To start the demo, edit the shortcut to reference the TwoPixExample.cpm file.
The following list identifies where to locate the license disk that is required to install Cisco Security Manager, as well as identifies the limitations and password associated with the license.
- Location: The license disk is located in the root folder of the provided CD-ROM disc in the file named
license.dsk.
- License Restrictions: The key supports only one PEP, and it is valid indefinitely.
- Password: quarter horse
The license key provided on the CD-ROM installation media for Cisco Security Manager only supports one PIX Firewall.
Network shortcuts are not fully supported in this release. This issue may prevent you from creating multiple instances of the same network under the Network Topology tree. In other words, you may not be able to define a topology where two firewalls protect the same network in complex topologies.
You can construct network topologies for which you should not use automatic command distribution. The problem lies in the order that command sets are downloaded to the various PEPs. The problem occurs when a Cisco Security Manager server (CSM Server) attempts to publish command sets to an external firewall from behind an internal firewall that translates the server's real address. In some cases, the automatically downloaded command sets can fail and prevent the download of generated command sets to some PIX Firewalls in the topology.
For example, assume that you have a network topology in which you have defined three PIX Firewalls (called outside, middle, and inside in this example) and that the CSM Server that distributes command sets to the each of these firewalls resides behind the inside firewall. Now assume that you have defined a mapping rule on the middle or inside firewall that hides the CSM Server address from the outside firewall. In this case, if you distribute the commands to the inside or middle firewalls before you distribute them to the outside firewall, the outside firewall becomes unreachable by the CSM Server. Even though the command set generated for the outside firewall understands the address hiding rule, the command set to be replaced does not. Therefore, the outside firewall does not know to allow administrative updates from the translated CSM Server's address.
Note The automatic command distribution to the outside firewall fails only when a change to the mapping rules occurs on the inside or middle firewall. In other words, it can occur when you add, delete, or modify an existing mapping rule for the CSM Server. Once you use the manual distribution method to change the mapping rules, you can return to the automatic distribution method until a similar change occurs.
If the address of the CSM Server is not translated on any of the firewalls or it is translated only on the outside firewall, automatic updates would work fine, because in that case order does not matter.
This section identifies caveats and issues for Cisco Security Manager.
Refer to "Release Notes for the PIX Firewall" for information about hardware caveats that might affect Cisco Security Manager. You can access these release notes online at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pixrn420.htm
This section identifies known caveats and issues with Cisco Security Manager Version 1.1.
- CSCdm93829: Policy Database crashes when you perform a Save and Update operation immediately following the import of a large *.cpm file
- After you import a large *.cpm file, you should perform a Save operation and allow that operation to complete before you perform a Save and Update operation.
- CSCdm94143: Policy Database can crash while the PIX Firewall control agent generates device-specific commands due to overlapping Save and Update operations
- After you perform a Save and Update operation, you should allow the device-specific command set to generate completely before you perform another Save and Update operation.
- CSCdm10789: It takes five minutes or longer to perform a Save operation
- In a distributed installation scenario that has a large number of secondary servers (four or more), the Save operation is not optimized. Therefore, Save operations can take five minutes or longer.
- CSCdm14477: Policy Database dies under heavy load of PIX Firewall Syslog messages
- The following maximum threshold values exist for the specified hardware configurations:
- Quad Processor Computer with 1 GB memory: 160 messages per second
- Recommended Configuration: 80 messages per second
- Minimum Configuration: 50 messages per second
- When the system is under high stress, frequently saving or requesting reports (every 10 minutes) may disable the system. Error messages similar to the following appear in the Windows NT Event Viewer when this error occurs:
- Krs error 28772: Database terminating with message: Failed to map page.
- Krs error 28801: The process cannot access the file because another process has locked a portion of the file. Failed to create file mapping for backing file d:\csm\data\memory\memfrm1730.mmf.
- CSCdm19934: Policy Database cannot recover after running out of hard disk space
- The Policy Database does not auto detect when another application consumes too much disk space. In other words, if another application begins consuming too much disk space, the Policy Database cannot recover from system crashes that result because it does not have enough disk space to perform the recovery operation. You should back up your Policy Database often to ensure that you can recover from such incidents.
- CSCdm30221: Log files consume all disk space on a secondary server
- You must define the disk space settings for the Policy Database on all primary and secondary server panels (hosts running components of Cisco Security Manager). In addition, this setting must be less than the total available disk space on the host. If you fail to define these settings, the system can become unusable.
- CSCdm29290: Service summary report about secondary servers is not available
- If you attempt to generate a network service activity report about a secondary Cisco Security Manager server, no data is available about that activity. Currently, no workaround exists.
- CSCdm44365: Save and Update always publishes generated command sets
- Each time you perform a Save and Update operation, a new copy of the generated command set is published to each PEP installed on your network, even if the generated command set did not change from the set currently published to the PEPs. Currently, no workaround exists for this issue.
- CSCdm12877: You cannot define an address translation rule for the same network object in the Mapping panel of two different PIX Firewall nodes
- The case, referred to as nested network address translation (NAT), is not currently supported. It typically seems plausible in a nested PIX Firewall scenario. You cannot nest any forms of address translation within the defined topology.
- CSCdm92145: Generated logging host commands point to incorrect interface
- When Cisco Security Manager generates the logging host commands for the PIX Firewall, some of the commands may point the syslog stream out an interface where the host does not reside (for example, the statement could read
logging host outside when the actual syslog server resides somewhere off the inside interface). This problem is caused by a routing discrepancy that only affects the syslog servers and Policy Monitor Points. Depending upon your network topology, this caveat can increase network traffic as the syslog data is sent out the wrong interface.
- The workaround involves two steps:
Step 1 Using the Enforcement panel on the PIX Firewall node in the GUI, disable the PIX Firewall from sending its syslog data stream to that particular host.
Step 2 In the Epilogue box of the Command panel on the same PIX Firewall node, type the logging host command and specify the correct interface information.
- This workaround prevents syslog traffic from being sent over the incorrect interface.
- CSCdm19070: Duplicate opposing conduits created
- When Cisco Security Manager generates conduit commands allowing network access, it generates a duplicate set of conduit commands that deny the same network access. These deny commands are generated immediately following the permit commands. Although this doesn't harm the usability of the config (because conduits are processed in order), it does take up config memory. This problem occurs quite frequently, but it is harmless.
- CSCdm26876: Outbound commands display the port twice
- When you define a network service that has only one port (such as Telnet), the outbound command generated by Cisco Security Manager uses the port-port format (for Telnet, it generates 23-23). This command entry format is acceptable to the PIX Firewall. Therefore, you can safely ignore entries with two ports.
- CSCdm77487: Renaming the PIX Firewall node does not generate hostname command
- If you change the name of a PIX Firewall node in the GUI, a corresponding hostname command is not distributed to that PIX Firewall. Instead, you must use either the Epilogue or Prologue command set in the Command panel to manually specify the hostname for that PIX Firewall.
- CSCdm63845: Renaming the PIX Firewall node does not update in reports
- When you rename the PIX Firewall node, the network service activity reports use the old name until the Cisco Security Manager server that is monitoring that PIX Firewall is rebooted. To work around this problem, exit the GUI (saving your changes first) and then restart it.
- CSCdk95364: AAA servers are not supported by Cisco Security Manager
- AAA must be configured outside Cisco Security Manager. It is not supported in Version 1.0 or Version 1.1.
- CSCdm78017: Import *.cpm file operation guidelines
- After you import a *.cpm file, you must perform a Save operation and allow that operation to complete before you perform a Save and Update operation. This order of operations is necessary to generate the device-specific command sets correctly. The first operation stores the new data in the Policy Database, and the second operation generates the command sets.
- CSCdm88089: Imported *.cpm file can disrupt distributed installations
- In a distributed installation scenario, if you import a *.cpm file that alters the Policy Distribution Point, Cisco Security Manager may not be able to distribute the generated command sets. To prevent this problem, perform a Reset operation on the File menu. Next, remove all network objects in the General panel of the Network Topology node, and save your changes to the Policy Database before you import the *.cpm file.
- CSCdk95157: Changing the PIX Firewall interface address can drop existing connections
- If you change the IP address of the inside interface of a PIX Firewall, the administrative connection used by Cisco Security Manager is reset. Therefore, you must reestablish this connection by performing another Save and Update.
- CSCdm63390: Cannot define a Service Bundle with ICMP Echo Reply and ICMP Echo Request
- Currently, the GUI prevents you from defining a bundle that contains both the echo reply and echo request services based on the ICMP protocol. To work around this problem, you can define a security policy abstract that contains a condition to test for each service. For example, you can define a compound condition that states "If Service is ICMP Echo Reply or If Service is ICMP Echo Request, then Accept, Else Reject."
- CSCdm13319: Service Wizard pull-down lists are not populated
- When the Service Wizard is used to define a new network service, the list controls under Session Settings do not "drop down" to allow selection of options even though a default value exists. Two workarounds exist for this problem: You can click on the box and use the UP ARROW and DOWN ARROW keys to scroll through the options, or you can modify the definition by editing the resulting network service definition under the Network Services branch of the Tools and Services tree. This appears to be a problem in the MFC library.
- CSCdm42286: GUI displays old PIX Firewall commands
- When you approve the PIX Firewall commands and they are being distributed to the PIX Firewall, a period of time exists before the newest command set appears in the Command panel. You must click Refresh to see these new commands; however, this button will not be available until the new command set has been published to the firewall. Otherwise, you are reviewing the commands that were already enforced by the PIX Firewall before you made changes and generated the new command set.
- CSCdk95265: GUI requires IP address for disabled interface
- Each interface in a PIX Firewall must have an associated IP address regardless of whether it is enabled or not. This restriction is required for discovery to work properly.
- CSCdk95444: Policy Database > Backup command does not display status of backups
- Backing up the Policy Database can take a long time, depending on the size of the database. You should be patient during backups because feedback is not provided about the progress of the backup.
- CSCdk95158, CSCdm10652: Changing the PIX password
- Currently, you cannot directly use the GUI to change the enable password for a PIX Firewall. However, two workarounds exist: Use the PIX Firewall Setup Wizard to change the password during initial configuration of the PIX Firewall, or use the Pending command box in the GUI.
Note For commands that you only want to publish once, such a changing the enable password, we recommend that you edit the pending command set and publish it. By doing so, you do not have to go back and remove the command from the epilogue or prologue command set.
To use the Pending command box to change the enable password, perform the following task:
Step 1 To generate a new set of pending commands, click Save and Update on the File menu.
Result: A new set of pending commands is generated for all PEPs residing on your network.
Step 2 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.
Result: The Network Topology tree appears in the Navigator pane.
Step 3 To find the PIX Firewall for which you want to specify the enable password, expand the Network Topology tree until you view that PIX Firewall node in the Navigator pane.
You can expand or collapse the tree structure in one of two ways:
- click the plus icon (+) or the minus icon (-) next to the tree or branch that you want to expand or collapse.
- double-click the tree or branch icon or name that you want to expand or collapse.
Step 4 To access the shortcut menu, right-click the PIX Firewall icon for which you want to specify the enable password.
Step 5 To view the Command panel, point to Properties, and then click Command on the shortcut menu.
Result: The Command panel appears in the View pane.
Step 6 To specify that you want to edit the Pending command set, click Pending under Command Review/Edit.
Result: The Pending command set appears in the Command/Messages box.
Step 7 To change the enable password, use the following format to type that password as part of the Pending command set in the Command/Messages box:
enable password <new_password>
Step 8 To publish the new command set to the PIX Firewall and change the existing password to the password that you just specified, return to the Command panel on the PIX Firewall node, and then click Approve Now.
Result: The pending command set is published to the selected PIX Firewall. The next time that Cisco Security Manager accesses the PIX Firewall, it will use the enable password that you specified in the command above. Verify that you have specified this new password in the Enable password box in the Enforcement panel of the selected PIX Firewall node.
Note Once you perform a Approve Now operation successfully, you must specify the new enable password in the Enable password box in the Enforcement panel so that future command sets can be published.
- CSCdm25550: Reports in GUI show file system
- If a primary server is not configured within the Network Topology branch and you attempt to view reports using the View Reports command on the Tools menu, the embedded web browser will display the reports folder under the Cisco Security Manager root directory. This behavior is correct and expected.
- CSCdk95265: Inconsistent reporting values
- The GUI and the web browser interface (HTML-based) for on-demand and scheduled reports provide different options for selecting the times for reviewing selected audit events. The GUI delineates time on the basis of hours, minutes, and seconds, while the web browser interface delineates time in days, hours, minutes, and seconds.
- CSCdk95377: Reports in GUI use cached copy
- When accessing a generated report from the GUI, the web browser caches the first report that is viewed. If you regenerate the report, you will still see the first one until you click Refresh. You can ensure current reports are seen by changing the browser settings for Internet Explorer so that you reload each page for all requests.
- To verify that your pages are reloaded on each page visit, perform the following task:
Step 1 To access the shortcut menu, right-click the Internet Explorer icon on your desktop.
Step 2 To view the Internet Explorer Properties dialog box, click Properties on the shortcut menu.
Step 3 To specify that the pages are reloaded each time, click Settings under Temporary Internet Files in the General panel.
Step 4 Under Check for newer versions of stored pages, click Every visit to the page.
Step 5 To save your changes and close the Settings dialog box, click OK.
Step 6 To apply your changes and close the Internet Explorer Properties box, click OK in the General panel.
- If you use Netscape Navigator, you may also experience this problem. You can configure Netscape Navigator with similar settings to resolve this problem.
- CSCdm19875: The Installation Manager utility does not have descriptive help
- Under "What do I need to do?" in the Advanced options panel of the Setup program and when using the Installation Manager utility, no descriptive help is provided.
The following documents directly support Cisco Security Manager:
- Cisco Security Manager Installation Guide
- Cisco Security Manager Tutorial
In addition to these two documents, an extensive Help system is provided with the GUI, the user interface that configures Cisco Security Manager.
The following documents provide information about configuring the PIX Firewall hardware and provide references to the command sets that can be specified in the Command panel associated with each PIX Firewall node defined under the Network Topology tree of the GUI.
- Configuration Guide for the PIX Firewall
- Quick Installation Guide for the PIX Firewall
- Regulatory Compliance and Safety Information for the PIX Firewall
- System Log Messages for the PIX Firewall
All these documents, including these release notes, apply to all PIX Firewall hardware versions, including the PIX Firewall, PIX 10000, PIX 510, and PIX 520 models.
Cisco provides PIX Firewall technical tips at
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
- If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback on the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Tue Oct 5 15:33:47 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.
