Table Of Contents
Release Note for the Cisco Guard Appliance
Contents
New Features in Software Version 5.1(4)
Operating Considerations
Prior To Upgrading to Software Version 5.1(4)
Documentation Enhancements and Corrections
Software Version 5.1(6) Open and Resolved Caveats
Software Version 5.1(6) Open Caveats
Software Version 5.1(6) Resolved Caveats
Software Version 5.1(5) Open Caveats, Resolved Caveats, and Documentation Corrections
Software Version 5.1(5) Open Caveats
Software Version 5.1(5) Resolved Caveats
MultiDevice Manager Commands Omitted from the Configuration Guide
mdm logging trap Command
mdm restore Command
show mdm Command
Software Version 5.1(4) Open Caveats, Resolved Caveats, and Command Changes
Software Version 5.1(4) Open Caveats
Software Version 5.1(4) Resolved Caveats
Software Version 5.1(4) Command Changes
Related Documentation
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Note for the Cisco Guard Appliance
April 16, 2007
Note 
The most current Cisco documentation for released products is available on www.cisco.com.
Contents
This release note applies to software version 5.1(4), 5.1(5), and 5.1(6) for the Cisco Guard appliance (Guard). This release note contains the following sections:
•New Features in Software Version 5.1(4)
•Operating Considerations
•Prior To Upgrading to Software Version 5.1(4)
•Documentation Enhancements and Corrections
•Software Version 5.1(6) Open and Resolved Caveats
•Software Version 5.1(5) Open Caveats, Resolved Caveats, and Documentation Corrections
•Software Version 5.1(4) Open Caveats, Resolved Caveats, and Command Changes
•Related Documentation
•Obtaining Documentation, Obtaining Support, and Security Guidelines
New Features in Software Version 5.1(4)
The following new features are available in software version 5.1(4):
•Voice over IP (VoIP) antispoofing support
•Resource tracking enhancements, such as the ability to display CPU utilization and the number of active dynamic filters
•Security enhancements:
–Configurable login banner for the CLI and the WBM
–Configurable session idle timeout for the CLI
–Ability to move between user privilege levels in the WBM
•TACACS+ security enhancements:
–Ability to limit tab completion of zone names in the CLI
–TACACS+ password expiration warning in the CLI and the WBM
–Ability to change a TACACS+ password when the password expires if the TACACS+ server supports a password change
•Configurable IP addresses to exclude from the zone IP address range
•Ability to customize the WMB logo
•Secure Copy protocol (SCP) support for importing and exporting files
•Configurable file server name and attributes that can be used in the import and export commands
•Support for clearing counters
•Proxy IP addresses are no longer dependant on the giga1 interface
Operating Considerations
The following operating considerations apply to the Cisco Guard.
•Caution when upgrading the software - Do not press Ctrl-C during the upgrade process or the upgrade may fail.
•The copy ftp command supports active mode only.
•You can configure the Cisco Guard to export attack reports and packet-dump capture files in XML format. The XML schema is described in the Capture.xsd file and the ExportedReports.xsd file. You can download these .xsd files from the Software Center at: http://www.cisco.com/public/sw-center/. The following .xsd files are available:
–Capture—describes XML schema of the packet-dump capture files
–ExportedReports—describes the XML schema of the attack reports
•The Guard operates using a self-protection configuration that protects the Guard from DDoS attacks on the network. Cisco configures the self-protection configuration with a set of default parameter values, which you can modify. The version 5.1(5) software upgrade includes the addition of port 1334 to the Flex-Content and User filters, which are included in the software upgrade's self-protection configuration. Adding port 1334 potentially allows inline access to the Guard for future services.
When upgrading the Guard from a previous software release to the version 5.1(5), the existing self-protection configuration is overwritten by the new configuration contained in the upgrade. If you had modified the self-protection configuration of the previously installed software, you need to make the same modifications to the new self-protection configuration. Do not copy your original self-protection configuration to the Guard as the original configuration will block access to one or both of the following ports when attempting to access the Guard through an inline interface:
–Port 1334 if you upgrade from software versions 5.0(x) or 5.1(x) to version 5.1.5.
–Ports 3220 and 1334 if you upgrade from software version 3.1(x) to version 5.1(5). Port 3220 was added to software versions 5.0(x) and 5.1(x).
Note that if you reinstall software version 5.1(5) after modifying the self-protection configuration, your changes to the configuration remain intact. Upgrading from software version 5.1(5) to any future release of software version 5.1(x) will also leave your modified self-protection configuration intact.
Prior To Upgrading to Software Version 5.1(4)
During the upgrade process, the Guard changes three parameters that may affect your configuration. The following information describes the three parameters and provides instructions for preventing the Guard from changing your configuration.
•In software versions prior to 5.1(4), the Guard allowed you to configure a loopback interface to a value greater than 100. In software version 5.1(4), the Guard no longer supports loopback interfaces greater than 100. During an upgrade to 5.1(4), the Guard deletes all loopback interfaces that have a value greater than 100. To prevent the Guard from deleting these loopback interface:
1. Use the no interface command to delete the loopback interface.
2. Use the interface command to create a loopback interface and assign an integer between 0 and 99 to it.
For details on configuring loopback interfaces, see the "Configuring a Loopback Interface" section in the "Initializing the Guard" chapter.
•The Guard deletes loopback interfaces that are not active. To prevent the Guard from deleting a loopback interface that is not active:
1. Use the no interface command to delete the loopback interface.
2. Use the interface command to create a loopback interface and assign an integer between 0 and 99 to it. In software version 5.1.0, the Guard activates the new interface automatically.
For details on configuring loopback interfaces, see the "Configuring a Loopback Interface" section in the "Initializing the Guard" chapter.
•In software version 3.x, the Guard allowed you to configure illegal subnet masks. In software version 5.1(4), the Guard checks to ensure that subnet masks are legal. When you upgrade to software version 5.1(4), the Guard corrupts all zone configurations that contain an illegal subnet mask. To prevent the Guard from corrupting a zone configuration that contains an illegal subnet mask:
1. Use the no ip address command to delete the subnet mask.
2. Use the ip address command to configure the subnet mask with a legal subnet.
For details on configuring zone IP addresses, see the "Configuring the Zone IP address Range" section in the Configuring Zones" chapter.
Software upgrade instructions are located in the "Upgrading the Guard Software Version" section in the "Performing Maintenance Tasks" chapter in the Cisco Guard Configuration Guide.
Documentation Enhancements and Corrections
The following enhancements and corrections apply to the 5.1 documentation set.
•CSCse18399—The Guard supports the following MIBs:
–Riverhead private MIB
–MIB2 (RFC1213-MIB)—All of the MIB groups with the exceptions of the EGP and transmission MIB groups
–UCDAVIS (UCD-SNMP-MIB)—Only the following MIB groups: memory, latable, systemStats, version, and snmperrs
•Correction to Chapter 11, "Using Attack Reports" in the Cisco Guard User Guide. In Table 11-9, Types of Malformed Packets, the attack type field malformed_packets/src ip = dst ip is incorrect. The correct listing for this attack type is malformed_packets/src_ip_equals_dst_ip.
•CSCsg09162—Sequential Authentication List. The Cisco Guard Configuration Guide contains incomplete information for configuring the Guard to use the local and TACACS+ server methods to authenticate a user.
Issue—The following text in Chapter 3, "Configuring the Guard", section "Configuring Access Control Using AAA" does not clearly describe how the Guard performs user authentication when using a distributed authentication scheme.
"You can configure a distributed authentication scheme and define users in several authentication databases. The Guard uses the first TACACS+ server to authenticate users. If the authentication returns a rejection, the Guard scans the TACACS+ server list and the alternative authentication method (local), if one exists. Authentication fails only if all the authentication methods on the list fail. This option is valid only if you do not configure the first-hit option."
Correction—Refer to the revised text below for information on configuring the Guard to use local and TACACS+ server methods to authenticate a user.
You can configure the Guard to use one or both of the user authentication methods (local or TACACS+ server). When using the TACACS+ authentication method, you can define multiple TACACS+ servers. Defining more than one authentication method provides a backup in the event the initial method fail due to a communication error.
The Guard authenticates a user by using each of the authentication methods that you define and in the order in which you define them on the Guard. The Guard attempts to authenticate the user using the first method on the list. If the first authentication method does not respond, the Guard sequentially selects the next authentication method on the list until it finds one that responds.
You can configure the action the Guard executes when it receives a response from the first TACACS+ server using the tacacs-server first-hit command. If you enable the first-hit option, the Guard accepts as the final decision the authentication response (reject or accept) of the first TACACS+ server to respond. If you disable the first-hit option using the no tacacs-server first-hit command and the first server rejects the authentication, the Guard sequentially scans the other TACACS+ servers in an attempt to find one that accepts the authentication. User authentication using the TACACS+ servers fails when none of the defined TACACS+ servers accept the authentication or the Guard cannot communicate with any of the servers. You can configure the Guard to use its local database for user authentication when the Guard cannot communicate with the TACACS+ servers. By default, the first-hit option is disabled.
•CSCsg70257—Add SCP/SFTP debug-core copy to user guide. To copy debug information to a remote server, the Cisco Guard Configuration Guide, Chapter 12, "Using Guard Diagnostics Tools", in the "Obtaining Debug Information" section currently describes the syntax for the copy debug-core command as shown below. This syntax description indicates that File Transfer Protocol (FTP) is the only transfer protocol that you can use to copy a debug-core file to a remote server. In addition to using FTP, you can also use Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP). The current syntax is as follows:
copy debug-core time ftp server full-file-name [login [password]]
The correct syntax for describing the transfer protocol options of the copy debug-core command is as follows:
copy debug-core time {ftp | scp | sftp} server full-file-name [login [password]]
•The Cisco Guard Configuration Guide, Chapter 3, "Configuring the Guard", section "Configuring Authentication" incorrectly states that if you access the Guard from a console session, it uses the local user database for authentication regardless of the defined authentication method. The correct explanation is that a console session will use the authentication method that you define.
•CSCsg65761—Sensitivity for zone protection packet example not global. The following command prompt example on page 9-10 is incorrect: user@Guard-conf-zone-scannet#. The command prompt should be: user@Guard-conf#.
•The Cisco Guard Configuration Guide, Chapter 9, "Protecting Zones, page 9-8, shows an incorrect configuration example for the protect-packet activation-sensitivity command. This example implies that the command can be configured on a per zone basis. However, the command can only be configured on a global basis. The incorrect syntax example appears as:
user@GUARD-conf-zone-scannet# protect-packet activation-sensitivity 10
The correct sytax example should be:
user@GUARD-conf# protect-packet activation-sensitivity 10
Software Version 5.1(6) Open and Resolved Caveats
The following sections contain the open and resolved caveats in software version 5.1(6):
•Software Version 5.1(6) Open Caveats
•Software Version 5.1(6) Resolved Caveats
Software Version 5.1(6) Open Caveats
The following caveats are open in software version 5.1(6):
•CSCrh01198—After you reload the Guard, it erases the default gateway if the gateway is on the same subnet as one of the configured VLAN interfaces on the Guard. Workaround: Use a static route instead of a default gateway.
•CSCsb07081—The Flex-Content filter cannot find a pattern in SYN packets.
•CSCsc05116—The Anomaly Detection Engine may not function correctly after reaching 100% memory utilization.
•CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop up window waits for results from the signature generation process. Even if you close the pop up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop up window receives a result, or issue the no service wbm command.
•CSCsb29083—You cannot use the same name to create packet dumps in different zones. Workaround: Assign unique names to manual packet dumps.
•CSCsc36095—Loopback interfaces 100 and higher disappear or become proxy interfaces when you upgrade from previous software versions to software version 5.1(6). Workaround: Renumber loopback interfaces prior to upgrading the Guard to software version 5.1(6).
•CSCuk54606—When activating a zone by issuing the protect or the learning commands, the Guard displays the following error message even when the configuration is correct and the Guard diversion is working properly:
The Guard may display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address (for example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25). Workaround: Configure a default injection route for the Guard, or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses to be the same.
•CSCsa64914—The name of the Flexible Filter Drop Count counter in the WBM Zone>Configuration>General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the Flex-Content filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as:
–Drop, the Flexible Filter Count value displays the number of dropped packets
–Count, the Flexible Filter Count value displays the number of counted packets
•CSCsc69508—After importing an HTML file to serve as login banner, some SSH clients may not be able to connect to the product.
•CSCsa78440—The protect-by-packet activation interface does not apply to zones that are on the same subnet as the Guard. Workaround: Use another activation interface.
•CSCse27876—When pressing Ctrl-C during import of new version or configuration the CLI session might get disconnected. Workaround: Avoid interrupting the import process with Ctrl-C.
•CSCsd83077—The Guard responds to a bigger size packet than the MTU value set for its network interfaces.
•CSCse08139—When pressing Ctrl-Z several times after issuing the more 0 command, the CLI session terminates.
•CSCse19834—Activating a zone with a combination of a lot of subnets and excluded subnets might take a long time.
•CSCsc49737—The accelerator card sometimes fail to load at the first try during the reload or bootup process. The Guard issues an error message and shows it in the logs. The Guard attempts two additional loads.
•CSCsc51207—The Guard does not evaluate all conditions defined in the Flex-Content filter when the filter is built from more than one offset-based elements (for example, udp[64:4]=0x1234) with "or" between them. If one of the elements has an offset beyond the packet end, the Guard does not evaluate the rest of elements. Workaround: Build the filter in a form in which its elements are ordered by an offset.
•CSCsd59648—A GRE keepalive does not work if you configure it before there is connectivity on a GRE tunnel. Workaround: Make sure the GRE tunnel is up and connected before configuring keepalive on the tunnel.
•CSCsb26519—The Guard appliance fails to handle several thousands of dynamic routes injected if you configure the protect-by-packet activation method on one of the zones. Workaround: Either deactivate the protect-by-packet or limit the number of incoming dynamic routes not to exceed 16,000.
•CSCsc77155—After a Guard reloads 1,024 consecutive times, it cannot be accessed from the network. Workaround: Reboot the guard.
•CSCsd82140—The Guard black-holes traffic when you configure floating static (redundant) routes and the network interface of the best route is shut down and then restarted. Workaround: Either reload the Guard or manually update the routes within router configuration mode.
•CSCse31042—Zone configuration with ip_scan or port_scan policies cannot be imported into the Guard. Workaround: None.
•CSCsd59673—The Guard does not respond to incoming GRE keepalive messages unless the keepalive is configured on the Guard GRE interface.
•CSCsd39569—After several hundreds consecutive reloads, the appliance may reboot itself. Workaround: None.
Software Version 5.1(6) Resolved Caveats
The following caveats were resolved in software version 5.1(6):
•CSCsf01438—A vulnerability in the Cisco Guard may enable an attacker to send a web browser client to a malicious website with the use of Cross Site Scripting (XSS) when the Guard is providing anti-spoofing services between the web browser client and a webserver. The attacker may exploit this by providing a malicious URL for the web browser client to go to, often in email, followed off of a malicious website, or in an instant message. This issue may occur even if the protected website does not allow XSS. A software upgrade is required to fix this vulnerability. There is a workaround available to mitigate the effects of the vulnerability.
This advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20060920-guardxss.shtml
•CSCsb33259—The show counters history and show rates history CLI commands and the WBM traffic rates graphs only show the current rate; there are no logs for the zone. This condition occurs when you activate the zone and there is no zone traffic.
Software Version 5.1(5) Open Caveats, Resolved Caveats, and Documentation Corrections
The following sections contain the open caveats, resolved caveats, and documentation corrections in software version 5.1(5):
•Software Version 5.1(5) Open Caveats
•Software Version 5.1(5) Resolved Caveats
•MultiDevice Manager Commands Omitted from the Configuration Guide
Software Version 5.1(5) Open Caveats
The following caveats are open in software version 5.1(5):
•CSCrh01198—After you reload the Guard, it erases the default gateway if the gateway is on the same subnet as one of the configured VLAN interfaces on the Guard. Workaround: Use a static route instead of a default gateway.
•CSCsb07081—The Flex-Content filter cannot find a pattern in SYN packets.
•CSCsc05116—The Anomaly Detection Engine may not function correctly after reaching 100% memory utilization.
•CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop up window waits for results from the signature generation process. Even if you close the pop up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop up window receives a result, or issue the no service wbm command.
•CSCsb29083—You cannot use the same name to create packet dumps in different zones. Workaround: Assign unique names to manual packet dumps.
•CSCsc36095—Loopback interfaces 100 and higher disappear or become proxy interfaces when you upgrade from previous software versions to software version 5.1(4). Workaround: Renumber loopback interfaces prior to upgrading the Guard to software version 5.1(4).
•CSCuk54606—When activating a zone by issuing the protect or the learning commands, the Guard displays the following error message even when the configuration is correct and the Guard diversion is working properly:
The Guard may display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address (for example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25). Workaround: Configure a default injection route for the Guard, or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses to be the same.
•CSCsa64914—The name of the Flexible Filter Drop Count counter in the WBM Zone>Configuration>General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the Flex-Content filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as:
–Drop, the Flexible Filter Count value displays the number of dropped packets
–Count, the Flexible Filter Count value displays the number of counted packets
•CSCsc69508—After importing an HTML file to serve as login banner, some SSH clients may not be able to connect to the product.
•CSCsa78440—The protect-by-packet activation interface does not apply to zones that are on the same subnet as the Guard. Workaround: Use another activation interface.
•CSCse27876—When pressing Ctrl-C during import of new version or configuration the CLI session might get disconnected. Workaround: Avoid interrupting the import process with Ctrl-C.
•CSCsd83077—The Guard responds to a bigger size packet than the MTU value set for its network interfaces.
•CSCse08139—When pressing Ctrl-Z several times after issuing the more 0 command, the CLI session terminates.
•CSCse19834—Activating a zone with a combination of a lot of subnets and excluded subnets might take a long time.
•CSCsc49737—The accelerator card sometimes fail to load at the first try during the reload or bootup process. The Guard issues an error message and shows it in the logs. The Guard attempts two additional loads.
•CSCsc51207—The Guard does not evaluate all conditions defined in the Flex-Content filter when the filter is built from more than one offset-based elements (for example, udp[64:4]=0x1234) with "or" between them. If one of the elements has an offset beyond the packet end, the Guard does not evaluate the rest of elements. Workaround: Build the filter in a form in which its elements are ordered by an offset.
•CSCsd59648—A GRE keepalive does not work if you configure it before there is connectivity on a GRE tunnel. Workaround: Make sure the GRE tunnel is up and connected before configuring keepalive on the tunnel.
•CSCsb26519—The Guard appliance fails to handle several thousands of dynamic routes injected if you configure the protect-by-packet activation method on one of the zones. Workaround: Either deactivate the protect-by-packet or limit the number of incoming dynamic routes not to exceed 16,000.
•CSCsc77155—After a Guard reloads 1,024 consecutive times, it cannot be accessed from the network. Workaround: Reboot the guard.
•CSCsd82140—The Guard black-holes traffic when you configure floating static (redundant) routes and the network interface of the best route is shut down and then restarted. Workaround: Either reload the Guard or manually update the routes within router configuration mode.
•CSCse31042—Zone configuration with ip_scan or port_scan policies cannot be imported into the Guard. Workaround: None.
•CSCsd59673—The Guard does not respond to incoming GRE keepalive messages unless the keepalive is configured on the Guard GRE interface.
•CSCsd39569—After several hundreds consecutive reloads, the appliance may reboot itself. Workaround: None.
Software Version 5.1(5) Resolved Caveats
The following caveats were resolved in software version 5.1(5):
•CSCrh00828—The Guard allows you to define only 10 proxy IP addresses.
•CSCsa74815—The Guard sends ARP requests with zero sender source MAC address.
•CSCsb50772—Sometimes during zone activation, an error in accessing the counters/current report in the WBM is reported.
•CSCsb87316—You cannot change the protection-end-timer to never when using the WBM.
•CSCsc61378—The Guard does not stop diversion during reload.
•CSCsc79115—Configuration synchronization success/failure is not logged.
•CSCsc84790—The list of counters in WBM counters graph does not change.
•CSCsd22723—A user with show privileges is authorized to stop learning.
•CSCsd22968—History settings are not saved in upgrade and are not cleared when clearing the configuration.
•CSCsd23102—The TACACS+ host key is not imported to the Guard.
•CSCsd27480—The comment parameter in SSH public key after removing key.
•CSCsd28775—The Flex-Content filter in the zone is upgraded incorrectly from software release 3.0 to 5.0.
•CSCsd28961—The default protect-ip-state method in the LINK_XXXX templates is not as recommended.
•CSCsd31785—A large report may cause the reporting module to fail.
•CSCsd34930—Exporting XML reports to a predefined server exports text instead of XML.
•CSCsd34937—Changing file server definition does not change automatic export.
•CSCsd39608, CSCsd46177—The Guard may stop responding after a reboot.
•CSCsd44828—Setting policy interactive status from the WBM does not work in the Detector.
•CSCsd49132—The Guard displays the wrong error message when there are no host keys to display.
•CSCsd54999—You cannot get policy statistics from the WBM during detection of GUARD_XXX zone.
•CSCsd58106—The number of pending dynamic filters in the WBM is not always correct.
•CSCsd58390—A static route through the GRE tunnel disappears after a tunnel flap.
•CSCsd59895—SNMP traps are sent with wrong agent address in SNMP payload.
•CSCsd61177—A bad checksum occurs in an ICMP code 3 type 4 response (GRE).
•CSCsd66610—The routing engine incorrectly recognizes high prefix-list sequence.
•CSCsd71016—The show log command does not display all logs.
•CSCsd74241—Zone excluded IP addresses are not shown in SNMP.
•CSCsd78199—BGP advertisement-interval is 30 seconds by default.
•CSCsd82058—The watchdog does not check the reporting module.
•CSCsd82191—The BGP daemon will not respond when you configure the advertisement-interval option to 0.
•CSCsd82222—Automatic Export reports are missing the complete type of events.
•CSCsd97276—The SNMP Enhancement:Interface Index (ifIndex) must be persistent.
•CSCsd97443—Learning auto-accept weeks are not displayed with the show running-config command.
•CSCse01332—The Guard looses allmultiflag on the gigabit interface.
•CSCse03815—Configured interface speed and duplex are not displayed by the show running-config command.
•CSCse19745—An empty Flex-Content filter expression or pattern causes the Guard to stop functioning.
•CSCse21170—Events are not shown on the Guard when a zone is inactive.
•CSCse28303—You cannot show more than 130 subnets related entries per zone in SNMP.
•CSCse30525—Excluded IP addresses are synchronized with sync.
•CSCse30965—Clearing counters while two or more zones are active causes failure to operate.
•CSCse30973—You cannot clear counters while one of the zones is in Policy Construction.
•CSCse30976—The BGP daemon exits after it receives a special extended community string.
•CSCse33483—The Guard might stop functioning when the protection-end-timer is expired.
•CSCse34917—Failure occurs after configuring a snapshot with underscore in name.
•CSCse42543—The no reports * command fails to delete reports.
•CSCuk52975—Some commands are not logged when AAA accounting is enabled.
MultiDevice Manager Commands Omitted from the Configuration Guide
Three commands related to the Cisco DDoS MultiDevice Manager (MDM) software functionality on the Guard were introduced in software version 5.1(5), but were omitted from the Cisco Guard User Guide. The following sections describe these commands:
•mdm logging trap Command
•mdm restore Command
•show mdm Command
mdm logging trap Command
To configure traps for MDM logging, use the mdm logging trap command in global configuration mode. To disable logging functions, use the no form of this command.
The syntax for this command is as follows:
mdm logging trap {alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}
The following table describes the keywords for the mdm logging trap command.
alerts
|
Immediate action needed (severity=1).
|
critical
|
Critical conditions (severity=2).
|
debugging
|
Debugging messages (severity=7).
|
emergencies
|
System is unusable (severity=0). This is the default.
|
errors
|
Error conditions (severity=3).
|
informational
|
Informational messages (severity=6).
|
notifications
|
Normal but significant conditions (severity=5).
|
warnings
|
Warning conditions (severity=4).
|
For example, to capture and log informational messages, use the mdm logging trap informational command in global configuration mode.
user@GUARD# configure
user@GUARD-conf# mdm logging trap informational
mdm restore Command
When you enable the MDM service on the Guard to allow you to manage the device using the MDM, the MDM automatically upgrades the RA on the device when it initiates a communication link with the device. While the MDM is upgrading the device RA, the operating state displays on the MDM as Initializing. The state changes to Connected when the RA upgrade is complete.
When a device appears to be constantly in a state of initialization, it may indicate that the MDM is attempting to upgrade the device RA but cannot do so.
Use the mdm restore command to resolve issues with upgrading and connecting the device RA. To return the device Remote Agent (RA) to the stub and force the MDM to reinstall the latest RA version, use the mdm restore command in global configuration mode.
The syntax for this command is as follows:
mdm restore
For example:
user@GUARD# configure
user@GUARD-conf# mdm restore
show mdm Command
To check the status of MDM connections and settings, use the show mdm command in EXEC mode.
The syntax for this command is as follows:
show mdm
For example:
The following table describes the fields in the show mdm display.
Field
|
Description
|
MDM service state
|
Operating state of the MDM service: enabled or disabled.
|
MDM servers
|
List of MDM servers that you define on the device (permitting them to access the device) and the state of the key exchange process with each of the servers: key exchange is complete or key exchange is required.
|
Connected managers
|
MDM server currently connected to and managing the device.
|
MDM syslog level
|
Setting of the syslog server logging level: alerts, critical, debugging, emergencies, errors, informational, notifications, warnings.
|
Software Version 5.1(4) Open Caveats, Resolved Caveats, and Command Changes
The following sections contain the open caveats, resolved caveats, and command changes in software version 5.1(4):
•Software Version 5.1(4) Open Caveats
•Software Version 5.1(4) Resolved Caveats
•Software Version 5.1(4) Command Changes
Software Version 5.1(4) Open Caveats
The following caveats are open in software version 5.1(4):
•CSCrh01198—After you reload the Guard, it erases the default gateway if the gateway is on the same subnet as one of the Guard configured VLAN interfaces. Workaround: Use a static route instead of a default gateway.
•CSCsb07081—The Flex-Content filter cannot find a pattern in SYN packets.
•CSCsc05116—The Anomaly Detection Engine may not function correctly after reaching 100% memory utilization.
•CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop up window waits for results from the signature generation process. Even if you close the pop up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop up window receives a result, or issue the no service wbm command.
•CSCsb29083—You cannot use the same name to create packet dumps in different zones. Workaround: Assign unique names to manual packet dumps.
•CSCsc36095—Loopback interfaces 100 and higher disappear or become proxy interfaces when you upgrade from previous software versions to software version 5.1.0. Workaround: Renumber loopback interfaces prior to upgrading the Guard to software version 5.1.0.
•CSCuk52975—Some commands are not logged when AAA accounting is enabled.
•CSCuk54606—When activating a zone (that is, issuing the protect or the learning commands), the Guard displays the following error message even if the configuration is correct and the Guard diversion is working properly: no injection path
The Guard may display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address (for example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25). Workaround: Configure a default injection route for the Guard, or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses to be the same.
•CSCsa64914—The name of the Flexible Filter Drop Count counter in the WBM Zone>Configuration>General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the Flex-Content filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as:
–Drop - the Flexible Filter Count value displays the number of dropped packets
–Count - the Flexible Filter Count value displays the number of counted packets
•CSCsc69508—After importing an HTML file to serve as login banner, some SSH clients may not be able to connect to the product.
•CSCsa78440—The protect-by-packet activation interface does not apply to zones that are on the same subnet as the Guard. Workaround: Use another activation interface.
•CSCuk52975—Some commands are not logged when AAA accounting is enabled.
Software Version 5.1(4) Resolved Caveats
The following caveats were resolved in software version 5.1(4):
•CSCrh00789—All proxy up or down status IP addresses are directly linked to Giga1 status. If you shut down the Giga1 interface, all proxy IP addresses are disabled. Workaround: Use Giga1 as the primary interface. Always deactivate the Guard protection before shutdown.
•CSCsb29077—The WBM does not allow you to add IP addresses to a threshold list. Using the WBM to add IP addresses to the threshold list of a policy results in wrong IP addresses in the list. Workaround: Only use the CLI to add IP addresses to a threshold list.
•CSCsc39381—Upgrading the Guard to software version 5.1.0 may cause a loss of zone reports.
•CSCsa62365—The CLI stops responding when the TACACS+ connection times out.
•CSCsa70234—The Save as option for a zone on the WBM does not inherit the operation mode.
•CSCeg82126—The Guard event log sorts only on month/day, not on the year.
Software Version 5.1(4) Command Changes
Table 1 lists the new commands in software version 5.1(4). Table 2 describes the commands that were changed in software version 5.1(4). Table 3 describes the commands that were removed from software version 5.1(4).
Table 1 New Commands in Software Version 5.1(4)
Mode
|
Command and Syntax
|
Description
|
Zone Configuration
|
activation-interface {packet [divert] | ip-address | packet-or-ip-address [divert] | zone-name-only}
|
The divert keyword specifies that the Guard sends a Border Gateway Protocol (BGP) announcement to the adjacent router to divert the zone traffic from the original path to the Guard. Use the divert keyword when a Cisco Traffic Anomaly Detector activates zone protection on the Guard using BGP.
For more information on this command, see the "Configuring Zones" chapter in the Cisco Guard User Guide.
|
Configuration
|
aaa authorization commands zone-completion tacacs+
no aaa authorization commands zone-completion tacacs+
|
Disables tab completion of zone names, which limits access to zone configuration to authorized users. This setting applies to all commands in which you specify the zone name.
Use the no form of the command to enable tab completion of zone names.
For more information on this command, see the "Configuring the Guard" chapter in the Cisco Guard User Guide.
|
Configuration
|
clear counters
|
Clears the Guard counters. For more information on this command, see the "Using the Guard Diagnostics Tools" chapter in the Cisco Guard User Guide.
|
Interface Configuration
|
clear counters
|
Clears the interface counters. For more information on this command, see the "Initializing the Guard" chapter in the Cisco Guard User Guide.
|
Zone Configuration
|
clear counters
|
Clears the zone counters. For more information on this command, see the "Using the Guard Diagnostics Tools" chapter in the Cisco Guard User Guide.
|
Global
|
copy [zone zone-name] running-config file-server-name dest-file-name
|
Exports a configuration file (running-config) to a network server. The keywords and arguments are:
•zone zone-name—(Optional) The zone name. If you specify the zone name, the Guard exports the zone configuration file. The default is to export the Guard configuration file.
•running-config—Exports the complete Guard configuration, or the configuration of the specified zone.
•file-server-name—The name of a network server to which you export the configuration file. Configure the file-server name by using the file-server command.
•destination-file-name—The name of the configuration file on the network server. The Guard saves the configuration file on the network server using the destination filename, in the directory that you defined for the network server by using the file-server command.
For more information on this command, see the "Performing Maintenance Tasks" chapter in the Cisco Guard User Guide.
|
Configuration
|
copy ftp login-banner server full-file-name [login [password]]
copy {sftp | scp} login-banner server full-file-name login
|
Imports the login banner from a network server and replaces the current login banner. The keywords and arguments are:
•ftp—Imports the login banner file from an FTP network server.
•sftp—Imports the login banner file from a SFTP network server.
•scp—Imports the login banner file from a SCP network server.
•server—The IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).
•full-file-name—The complete name of the file. If you do not specify a path, the server copies the file from your home directory.
•login—The server login name. The login argument is optional when you define an FTP server. If you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
•password—(Optional) The password for the remote FTP server. If you do not insert the password, the Guard prompts you for it.
For more information on this command, see the "Configuring the Guard" chapter in the Cisco Guard User Guide.
|
Configuration
|
copy ftp wbm-logo server full-file-name [login [password]]
copy {sftp | scp} wbm-logo server full-file-name login
|
Customizes your end-user interface by adding a company logo or a customized logo to the WBM web pages. The keywords and arguments are:
•ftp—Imports the WBM logo file from an FTP network server.
•sftp—Imports the WBM logo file from a SFTP network server.
•scp—Imports the WBM logo file from a SCP network server.
•server—The IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).
•full-file-name—The complete name of the file including the GIF file extension. If you do not specify a path, the server copies the file from your home directory.
•login—The server login name. The login argument is optional when you define an FTP server. If you do not insert a login name, the FTP server assumes an anonymous login and does not prompt you for a password.
•password—(Optional) The password for the remote FTP server. If you do not insert the password, the Guard prompts you for it.
For more information on this command, see the "Configuring the Guard" chapter in the Cisco Guard User Guide.
|
Global
|
copy file-server-name running-config source-file-name
|
Imports the Guard configuration file or a zone configuration file (running-config) from a network server. The keywords and arguments are:
•file-server-name—The name of a network server from which to import the configuration file. Configure the file-server name by using the file-server command.
•running-config—Imports the complete Guard configuration, or the configuration of the specified zone.
•source-file-name—The name of the configuration file on the network server. The Guard copies the configuration file from the directory that you defined on the network server by using the file-server command.
For more information on this command, see the "Performing Maintenance Tasks" chapter in the Cisco Guard User Guide.
|
Global
|
copy file-server-name zone zone-name packet-dump captures capture-name
|
Imports the packet-dump capture files from a network server. The keywords and arguments are:
•file-server-name—The name of a network server. Configure the file-server name by using the file-server command.
•zone zone-name —The name of an existing zone for which the packet-dump capture files are imported.
•packet-dump captures—Imports packet-dump capture files.
•capture-name—The name of the file to import. The Guard appends the name of the file to the path that you defined on the network server by using the file-server command.
For more information on this command, see the "Using the Guard Diagnostics Tools" chapter in the Cisco Guard User Guide.
|
Global
|
copy reports [details] [xml] file-server-name dest-file-name
|
Exports attack reports of all zones. The keywords and arguments are:
•details—(Optional) Export details of flow and attacking source IP addresses.
•xml—(Optional) Export the report in XML format. See the.xsd file released with the version for a description of the XML schema. By default, the Guard exports reports in text format.
Reports in XML format include all details. If you include the xml option, it is not necessary to include the details option.
•file-server-name—The name of a network server. Configure the file-server name by using the file-server command.
•dest-file-name—The name of the file. The Guard appends the name of the file to the path that you defined for the network server by using the file-server command.
For more information on this command, see the "Understanding Attack Reports" chapter in the Cisco Guard User Guide.
|
Global
|
copy zone zone-name reports [current | report-id] [xml] [details] file-server-name dest-file-name
|
Exports the zone attack reports to a network server. The keywords and arguments are:
•zone zone-name—The name of an existing zone.
•current—(Optional) Export an ongoing attack report (if applicable). The default is to export all zone reports.
•report-id—(Optional) The ID of an existing report. The Guard exports the report with the specified ID number. To view the details of the zone attack reports, use the show zone reports command. The default is to export all zone reports.
•details—(Optional) Export details of flow and attacking source IP addresses.
•xml—(Optional) Export the report in XML format. See the.xsd file released with the version for a description of the XML schema. By default, the Guard exports the reports in text format.
Reports in XML format include all details. If you include the xml option, you do not need to include the details option.
•file-server-name—The name of a network server. Configure the file-server name by using the file-server command.
•dest-file-name—The name of the file. The Guard appends the name of the file to the path that you defined on the network server by using the file-server command.
For more information on this command, see the "Understanding Attack Reports" chapter in the Cisco Guard User Guide.
|
Configuration
|
file-server file-server-name description [ftp | sftp | scp] server remote-path login [password]
no file-server [file-server-name | *]
|
Configures a network server to use to import or export files. Configuring a network server allows you to configure server attributes, such as the IP address and the login details, and then use the name of the network server in subsequent operations without specifying the server attributes.
The keywords and arguments are:
•file-server-name—A name for the network server on which to save files. Enter an alphanumeric string from 1 to 63 characters. The string can contain underscores but cannot contain spaces.
•description—A string to describe the network server. The maximum string length is 80 characters. If you use spaces in the description, enclose the description in quotation marks (" ").
•ftp—Defines an FTP server.
•sftp—Defines an SFTP server.
•scp—Defines an SCP server.
•server—The IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).
•remote-path—The complete path of the directory where you save files or from which you import files.
•login—The login name for the network server.
•password—The password for the network server.
This option is valid only for an FTP server. The Guard authenticates SFTP and SCP servers using a public key.
Use the no form of the command to delete a network server.
For more information on this command, see the "Performing Maintenance Tasks" chapter in the Cisco Guard User Guide.
|
Configuration
|
login-banner banner-str
|
Configures a single or a multiple message banner. The banner-str argument specifies the banner text. The maximum string length is 255 characters. If you use spaces in the expression, enclose the expression in quotation marks (" ").
To delete the login banner, use the no login-banner command. To display the login banner, use the show login-banner command.
For more information on this command, see the "Configuring the Guard" chapter in the Cisco Guard User Guide.
|
Configuration
|
no login-banner
|
Removes the login banner. For more information on this command, see the "Configuring the Guard" chapter in the Cisco Guard User Guide.
|
Configuration
|
no wbm-logo
|
Removes the WBM logo. For more information on this command, see the "Configuring the Guard" chapter in the Cisco Guard User Guide.
|
Configuration
|
session-timeout timeout-val
no session-timeout
|
Configures the amount of time that a session remains active when there is no activity. The timeout-val argument specifies the number of minutes until the Guard disconnects an idle session. Valid values are 1 to 1440 minutes (one day). To delete the session timeout, use the no session-timeout command.
For more information on this command, see the "Configuring the Guard" chapter in the Cisco Guard User Guide.
|
Global
Configuration
|
show file-servers
|
Displays the list of network servers to which the Guard exports files or from which the Guard imports files. For more information on this command, see the "Performing Maintenance Tasks" chapter in the Cisco Guard User Guide.
|
Table 2 describes the commands that were changed in software version 5.1(4).
Table 2 Changed Commands in Software Version 5.1(4)
Mode
|
Command and Syntax
|
Description
|
Configuration
|
export packet-dump file-server-name
|
You now configure the file server to which you export packet-dump capture files by using a file-server name. Configure the file-server-name argument by using the file-server command. This command replaces the export packet-dump ftp command and the export packet-dump sftp command.
For more information on this command, see the "Using the Guard Diagnostics Tools" chapter in the Cisco Guard User Guide.
|
Configuration
|
export reports file-server-name
|
You now configure the file server to which you export attack reports by using a file-server name. Configure the file-server-name argument by using the file-server command. This command replaces the export reports ftp command and the export reports sftp command.
For more information on this command, see the "Understanding Attack Reports" chapter in the Cisco Guard User Gui |
