
Cisco Guard DDoS Mitigation Appliances

Release Note for the Cisco Guard Appliance (Software Version 6.1.x)

Table Of Contents

Release Note for the Cisco Guard Appliance

Contents

New Features in Software Version 6.1(2)

Upgrading to Software Version 6.1(x) From a Software Version Prior to 5.1(4)

Operating Considerations

MultiDevice Manager Commands Omitted from the Configuration Guide

mdm logging trap Command

mdm restore Command

show mdm Command

Software Version 6.1(5) Resolved and Open Caveats

Software Version 6.1(5) Resolved Caveats

Software Version 6.1(5) Open Caveats

Software Version 6.1(2) Resolved and Open Caveats

Software Version 6.1(2) Resolved Caveats

Software Version 6.1(2) Open Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request


Release Note for the Cisco Guard Appliance


October 20, 2008


Note The most current Cisco documentation for released products is available on Cisco.com.


Contents

This release note applies to software versions 6.1(2) and 6.1(5) for the Cisco Guard appliance (Guard). This release note contains the following sections:

New Features in Software Version 6.1(2)

Upgrading to Software Version 6.1(x) From a Software Version Prior to 5.1(4)

Operating Considerations

MultiDevice Manager Commands Omitted from the Configuration Guide

Software Version 6.1(5) Resolved and Open Caveats

Software Version 6.1(2) Resolved and Open Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request

New Features in Software Version 6.1(2)

The following new features are available in software version 6.1(2):

New policies for persistent low rate attacker

Traffic IP summarization

SIP protection in a NAT/PAT environment

Report on AS proxy address utilization

Disable VLANs if physical interface is down

Add zone name to capture file name

Configurable log capacity

Implicit Write Memory for router mode

Restrict user access to management interface only

Interfaces display order

Monitoring system resources from the Web-Based manager (WBM)

Enhanced AAA support in WBM

Upgrading to Software Version 6.1(x) From a Software Version Prior to 5.1(4)

In software version 4.x, the Guard allowed you to configure illegal subnet masks. Starting with software version 5.1(4), the Guard checks that subnet masks are legal. When you upgrade from a software version prior to 5.1(4) to version 6.1(x), the Guard corrupts every zone configuration that contains an illegal subnet mask. To prevent this, give each affected zone a legal subnet mask by performing the following steps prior to upgrading the software:


Step 1 Use the no ip address command to delete the subnet mask.

Step 2 Use the ip address command to configure the IP address with a legal subnet mask.


For details on configuring zone IP addresses, see the "Configuring the Zone IP address Range" section in the Cisco Guard Configuration Guide.

Software upgrade instructions are located in the "Upgrading the Guard Software Version" section in the Cisco Guard Configuration Guide.
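As an added example (not from the release note or from Cisco), the following Python script audits an exported zone configuration before the upgrade: it flags every ip address line whose mask is not contiguous and prints the no ip address / ip address command pair from the two steps above for each one. The zone / ip address line syntax and the sample configuration are constructed assumptions, and the suggested replacement mask is only a starting point for the operator to review.

```python
"""Pre-upgrade audit for illegal zone subnet masks (added example, not Cisco code).

Software version 5.1(4) and later accept only contiguous IPv4 masks, and an
upgrade from an earlier version corrupts every zone that still carries a
non-contiguous one.  The 'zone <name>' / 'ip address <addr> <mask>' syntax
below is an assumption approximating exported Guard zone configuration.
"""
import ipaddress
import re

# Constructed sample: 'legacy-dns' carries a mask that 4.x accepted.
SAMPLE_CONFIG = """\
zone web-farm
 ip address 192.168.254.0 255.255.255.0
 ip address 10.1.2.0 255.255.255.128
zone legacy-dns
 ip address 10.9.0.0 255.255.0.255
 ip address 10.9.8.0 255.255.255.0
"""

ZONE_RE = re.compile(r"^zone\s+(\S+)")
ADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)")


def mask_is_legal(mask: str) -> bool:
    """True when the dotted mask is a run of ones followed by a run of zeros."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    # The complement of a contiguous mask is 2**k - 1, so n & (n + 1) == 0.
    inv = ~bits & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def nearest_legal_mask(mask: str) -> str:
    """Keep only the leading run of ones (255.255.0.255 -> 255.255.0.0).

    A suggestion for the operator to review, not a rule the Guard applies;
    the right mask depends on the zone's real address range.
    """
    bits = int(ipaddress.IPv4Address(mask))
    ones = 0
    while ones < 32 and bits & (1 << (31 - ones)):
        ones += 1
    fixed = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF if ones else 0
    return str(ipaddress.IPv4Address(fixed))


def find_illegal_masks(config_text: str) -> list:
    """Return (zone, address, mask) for every ip address line with an illegal mask."""
    findings = []
    zone = None
    for line in config_text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            zone = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and not mask_is_legal(m.group(2)):
            findings.append((zone, m.group(1), m.group(2)))
    return findings


def remediation_commands(findings: list) -> list:
    """Emit the Step 1 / Step 2 command pair for each finding (review the mask)."""
    cmds = []
    for zone, addr, mask in findings:
        cmds.append(f"zone {zone}")
        cmds.append(f" no ip address {addr} {mask}")
        cmds.append(f" ip address {addr} {nearest_legal_mask(mask)}")
    return cmds


if __name__ == "__main__":
    bad = find_illegal_masks(SAMPLE_CONFIG)
    print("\n".join(remediation_commands(bad)) if bad else "no illegal masks found")
```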

Operating Considerations

The following operating considerations apply to the Cisco Guard:

The Guard operates using a self-protection configuration to protect itself from DDoS attacks on the network. Cisco configures the self-protection configuration with a set of default parameter values, which you can modify.

When upgrading the Guard to software version 6.1(x) from a version prior to 5.1(5), the existing self-protection configuration is overwritten by the new configuration contained in the upgrade. If you had modified the self-protection configuration of the previously installed software, you need to make the same modifications to the new self-protection configuration. Do not copy your original self-protection configuration to the Guard, because the original configuration blocks access to one or both of the following ports when you attempt to access the Guard through an inline interface:

Ports 3220 and 1334 if you upgrade from a software version prior to 5.1(5). Port 3220 was added to versions 5.0(x) and 5.1(x). Port 1334 was added to version 5.1(5).

Note that if you reinstall software version 5.1(5) or higher after modifying the self-protection configuration, your changes to the configuration remain intact. Upgrading from software version 5.1(5) to a higher version will also leave your modified self-protection configuration intact.

The copy ftp command supports active mode only.

The Guard must be running a minimum of software version 6.1(x) to operate with the Cisco MultiDevice Manager software version 1.5(1).

Downgrading software versions is not supported.

MultiDevice Manager Commands Omitted from the Configuration Guide

Three commands related to the Cisco DDoS MultiDevice Manager (MDM) software functionality on the Guard were introduced in software version 5.1(5), but were omitted from the Cisco Guard Configuration Guide. The following sections describe these commands:

mdm logging trap Command

mdm restore Command

show mdm Command

mdm logging trap Command

To configure traps for MDM logging, use the mdm logging trap command in global configuration mode. To disable logging functions, use the no form of this command.

The syntax for this command is as follows:

mdm logging trap {alerts | critical | debugging | emergencies | errors | informational | notifications | warnings}

The following table describes the keywords for the mdm logging trap command.

Keyword         Description
alerts          Immediate action needed (severity=1).
critical        Critical conditions (severity=2).
debugging       Debugging messages (severity=7).
emergencies     System is unusable (severity=0). This is the default.
errors          Error conditions (severity=3).
informational   Informational messages (severity=6).
notifications   Normal but significant conditions (severity=5).
warnings        Warning conditions (severity=4).


For example, to capture and log informational messages, use the mdm logging trap informational command.

user@GUARD# configure 
user@GUARD-conf# mdm logging trap informational

mdm restore Command

When you enable the MDM service on the Guard so that you can manage the device using the MDM, the MDM automatically upgrades the Remote Agent (RA) on the device when it initiates a communication link with the device. While the MDM is upgrading the device RA, the operating state displays on the MDM as Initializing. The state changes to Connected when the RA upgrade is complete.

When a device appears to be constantly in a state of initialization, it may indicate that the MDM is attempting to upgrade the device RA but cannot do so.

Use the mdm restore command to resolve issues with upgrading and connecting the device RA. The command, entered in global configuration mode, returns the device RA to the stub and forces the MDM to reinstall the latest RA version.

The syntax for this command is as follows:

mdm restore

For example:

user@GUARD# configure 
user@GUARD-conf# mdm restore

show mdm Command

To check the status of MDM connections and settings, use the show mdm command in EXEC mode.

The syntax for this command is as follows:

show mdm

For example:

user@GUARD# show mdm 

The following table describes the fields in the show mdm display.

Field               Description
MDM service state   Operating state of the MDM service: enabled or disabled.
MDM servers         List of MDM servers that you define on the device (permitting them to access the device) and the state of the key exchange process with each of the servers: key exchange is complete or key exchange is required.
Connected managers  MDM server currently connected to and managing the device.
MDM syslog level    Setting of the syslog server logging level: alerts, critical, debugging, emergencies, errors, informational, notifications, warnings.


Software Version 6.1(5) Resolved and Open Caveats

The following sections contain the resolved and open caveats in software version 6.1(5):

Software Version 6.1(5) Resolved Caveats

Software Version 6.1(5) Open Caveats

Software Version 6.1(5) Resolved Caveats

The following caveats were resolved in software version 6.1(5):

CSCsd59648—A GRE keepalive does not work if you configure it before there is connectivity on a GRE tunnel. Workaround: Make sure the GRE tunnel is up and connected before configuring a keepalive on it.

CSCsi07283—The Web-Based Manager (WBM) does not reflect changes to the TimeZone definition until after the Guard is rebooted. Workaround: Reboot the Guard.

CSCso30607—This caveat applies to the WBM. The following sequence of events causes the Guard to incorrectly measure the traffic rate of a policy and produce dynamic filters even though the traffic rate does not exceed the policy threshold and there is no attack on the zone:

a. You modify a specific policy using the WBM Config Policy screen.

b. You activate zone protection.

c. The device detects traffic packets associated with the modified policy.

CSCsq63421—A Central Manager (CM) subsystem failure causes the Guard to reload.

CSCsu33377 and CSCso41927—The disk becomes full, various show commands stop working, and logs are not written.

CSCsu33387—When the Guard processes malformed DNS replies, the watchdog reloads the Guard because of an accelerator card failure.

Software Version 6.1(5) Open Caveats

The following caveats are open in software version 6.1(5):

CSCrh01198—After you reload the Guard, it erases the default gateway if the gateway is on the same subnet as one of the configured VLAN interfaces on the Guard. Workaround: Use a static route instead of a default gateway.

CSCsa64914—The name of the Flexible Filter Drop Count counter in the WBM Zone>Configuration>General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the Flex-Content filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as:

Drop, the Flexible Filter Count value displays the number of dropped packets

Count, the Flexible Filter Count value displays the number of counted packets

Workaround: None.

CSCsa78440—The protect-by-packet activation interface does not apply to zones that are on the same subnet as the Guard. Workaround: Use a different activation interface.

CSCsb07081—The flex-content filter cannot find a pattern in SYN packets. Workaround: None.

CSCsb20206—The WBM remains unresponsive while the pop-up window waits for results from the signature generation process. Even if you close the pop-up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop-up window receives a result, or issue the no service wbm CLI command in configuration mode.

CSCsb26519—If you configure the protect-by-packet activation method on one of the zones, the Guard fails to handle several thousand injected dynamic routes. Workaround: Either deactivate protect-by-packet or limit the number of incoming dynamic routes to no more than 16,000.

CSCsb29083—You cannot assign an identical name to manual packet dumps that you create in different zones. Workaround: Assign unique names to manual packet dumps.

CSCsc05116—The Guard may stop functioning or start logging errors after reaching 100 percent anomaly detection engine memory utilization. Workaround: Use the show resources command in global mode to view the amount of anomaly detection engine memory currently being used by the Guard. Reducing the number of active zones may free up memory.

CSCsc36095—Loopback interfaces 100 and higher disappear or become proxy interfaces when you upgrade from previous software versions to software version 5.1(4) or higher. Workaround: Renumber loopback interfaces before upgrading the Guard from a version prior to 5.1(4) to version 6.0(x).

CSCsc49737—If the Detector issues and logs an error message and then attempts two additional loads, the accelerator card may fail to load on the first attempt during the reload or bootup process. Workaround: None.

CSCsc51207—The Guard does not evaluate all conditions defined in the flex-content filter when the filter is built from more than one offset-based element (for example, udp[64:4]=0x1234) with "or" between them. If one of the elements has an offset beyond the packet end, the Guard does not evaluate the rest of the elements. Workaround: Build the filter so that its elements are ordered by offset.

CSCsc69508—After you import an HTML file to serve as the login banner, some SSH clients may not be able to connect to the Guard. Workaround: Remove the login banner.

CSCsc77155—After a Guard reloads 1,024 consecutive times, you cannot access it from the network. Workaround: Reboot the Guard.

CSCsd39569—After several hundred consecutive reloads, the Guard may automatically reboot. Workaround: None.

CSCsd59673—The Guard does not respond to incoming GRE keepalive messages unless the keepalive is configured on its GRE interface. Workaround: None.

CSCsd82140—The Guard black-holes traffic when you configure floating static (redundant) routes and the network interface of the best route is shut down and then restarted. Workaround: Either reload the Guard or manually update the routes within router configuration mode.

CSCsd83077—The Guard responds to a larger size packet than the MTU value set for its network interfaces. Workaround: None.

CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the more 0 command. Workaround: None.

CSCse19834—Activating a zone with a combination of a large number of subnets and excluded subnets may take a few seconds to several minutes, depending on the number of subnets (excluded or included). Workaround: None.

CSCse27876—When you press Ctrl-C during an import of a new software version or configuration, you interrupt the import process and the CLI session may get disconnected. Workaround: Do not press Ctrl-C during the import process.

CSCse31042—A zone configuration with ip_scan or port_scan policies cannot be imported into the Guard. Workaround: None.

CSCse39173—The Guard does not establish a new BGP session while activating Anti Spoofing as a result of being attacked. Workaround: Configure a bypass filter for the BGP session peering router.

CSCse43115—A BGP error message is displayed when malformed BGP-related packets are sent directly to the Guard IP address. Workaround: None.

CSCsg42338—The Guard CPU usage may reach 100 percent. Workaround: Reboot the Guard.

CSCsm34086—The Guard does not establish an OSPF adjacency over the GRE tunnel. Workaround: Change the OSPF network type from Point-to-Point to Broadcast.

CSCsm36943—The OSPF network type configuration is not saved on the GRE interface. Workaround: None.

CSCuk54606—When you activate a zone by issuing the protect or learning command, the Guard displays the following error message even when the configuration is correct and traffic diversion is working properly:

no injection path

The Guard may display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address (for example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25). Workaround: Configure a default injection route for the Guard, or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses as 192.168.254.0/25 and 192.168.254.128/25.

Software Version 6.1(2) Resolved and Open Caveats

The following sections contain the resolved and open caveats in software version 6.1(2):

Software Version 6.1(2) Resolved Caveats

Software Version 6.1(2) Open Caveats

Software Version 6.1(2) Resolved Caveats

The following caveats were resolved in software version 6.1(2):

CSCsg76448—Multiple vulnerabilities exist in the OpenSSL library. The vulnerabilities described in the Cisco Security Response are present in Guard and Detector sensor software, in versions 5.0(3) and higher. See the Cisco Security Response at http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml

CSCsg94911—When a physical interface goes down, the virtual interfaces that use the physical interface are not brought down, which results in black-holing the traffic.

CSCsi18583—The Guard drops the last TCP ACK on the outgoing traffic.

CSCsi21984—When you use the WBM to browse to a zone page, the response time is slow when the zone has been active for a long time and the zone logs have become extremely long.

CSCsi50185—When synchronizing time with an NTP server, the Guard intermittently detects a major clock change (16 seconds or more) and issues a log message.

CSCsi61341—The Guard leaves the TCP timestamp option in the SYN ACK reply.

CSCsj27292—The Guard does not count bypass filters correctly, which may cause the watchdog to reload the Guard.

CSCsk40023—The policy snapshot time that is shown in the WBM or Central Manager (CM) is incorrect after an upgrade from version 5.1.

CSCsk51827—The zone list in the WBM is empty when there are recommendations on at least one of the zones.

CSCsl07921—All reports may be removed during the log rotation procedure.

CSCsl49552—Zone activation fails when four active zones with automatic packet-dump capture are enabled.

Software Version 6.1(2) Open Caveats

The following caveats are open in software version 6.1(2):

CSCrh01198—After you reload the Guard, it erases the default gateway if the gateway is on the same subnet as one of the configured VLAN interfaces on the Guard. Workaround: Use a static route instead of a default gateway.

CSCsa64914—The name of the Flexible Filter Drop Count counter in the WBM Zone>Configuration>General menu should be Flexible Filter Drop Rate. This counter accurately displays the drop rate of the Flex-Content filter. The General menu also contains the Flexible Filter Action and Flexible Filter Count fields. When the Flexible Filter Action value is displayed as:

Drop, the Flexible Filter Count value displays the number of dropped packets

Count, the Flexible Filter Count value displays the number of counted packets

Workaround: None.

CSCsa78440—The protect-by-packet activation interface does not apply to zones that are on the same subnet as the Guard. Workaround: Use a different activation interface.

CSCsb07081—The flex-content filter cannot find a pattern in SYN packets. Workaround: None.

CSCsb20206—The WBM remains unresponsive while the pop-up window waits for results from the signature generation process. Even if you close the pop-up window manually, the WBM remains unresponsive while signature generation is in progress. Workaround: Wait until the pop-up window receives a result, or issue the no service wbm CLI command in configuration mode.

CSCsb26519—If you configure the protect-by-packet activation method on one of the zones, the Guard fails to handle several thousand injected dynamic routes. Workaround: Either deactivate protect-by-packet or limit the number of incoming dynamic routes to no more than 16,000.

CSCsb29083—You cannot assign an identical name to manual packet dumps that you create in different zones. Workaround: Assign unique names to manual packet dumps.

CSCsc05116—The Guard may stop functioning or start logging errors after reaching 100 percent anomaly detection engine memory utilization. Workaround: Use the show resources command in global mode to view the amount of anomaly detection engine memory currently being used by the Guard. Reducing the number of active zones may free up memory.

CSCsc36095—Loopback interfaces 100 and higher disappear or become proxy interfaces when you upgrade from previous software versions to software version 5.1(4) or higher. Workaround: Renumber loopback interfaces before upgrading the Guard from a version prior to 5.1(4) to version 6.0(x).

CSCsc49737—If the Detector issues and logs an error message and then attempts two additional loads, the accelerator card may fail to load on the first attempt during the reload or bootup process. Workaround: None.

CSCsc51207—The Guard does not evaluate all conditions defined in the flex-content filter when the filter is built from more than one offset-based element (for example, udp[64:4]=0x1234) with "or" between them. If one of the elements has an offset beyond the packet end, the Guard does not evaluate the rest of the elements. Workaround: Build the filter so that its elements are ordered by offset.

CSCsc69508—After you import an HTML file to serve as the login banner, some SSH clients may not be able to connect to the Guard. Workaround: Remove the login banner.

CSCsc77155—After a Guard reloads 1,024 consecutive times, you cannot access it from the network. Workaround: Reboot the Guard.

CSCsd39569—After several hundred consecutive reloads, the Guard may automatically reboot. Workaround: None.

CSCsd59648—A GRE keepalive does not work if you configure it before there is connectivity on a GRE tunnel. Workaround: Make sure the GRE tunnel is up and connected before configuring a keepalive on it.

CSCsd59673—The Guard does not respond to incoming GRE keepalive messages unless the keepalive is configured on its GRE interface. Workaround: None.

CSCsd82140—The Guard black-holes traffic when you configure floating static (redundant) routes and the network interface of the best route is shut down and then restarted. Workaround: Either reload the Guard or manually update the routes within router configuration mode.

CSCsd83077—The Guard responds to a larger size packet than the MTU value set for its network interfaces. Workaround: None.

CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the more 0 command. Workaround: None.

CSCse19834—Activating a zone with a combination of a large number of subnets and excluded subnets may take a few seconds to several minutes, depending on the number of subnets (excluded or included). Workaround: None.

CSCse27876—When you press Ctrl-C during an import of a new software version or configuration, you interrupt the import process and the CLI session may get disconnected. Workaround: Do not press Ctrl-C during the import process.

CSCse31042—A zone configuration with ip_scan or port_scan policies cannot be imported into the Guard. Workaround: None.

CSCse39173—The Guard does not establish a new BGP session while activating Anti Spoofing as a result of being attacked. Workaround: Configure a bypass filter for the BGP session peering router.

CSCse43115—A BGP error message is displayed when malformed BGP-related packets are sent directly to the Guard IP address. Workaround: None.

CSCsg42338—The Guard CPU usage may reach 100 percent. Workaround: Reboot the Guard.

CSCsi07283—The Web-Based Manager (WBM) does not reflect changes to the TimeZone definition until after the Guard is rebooted. Workaround: Reboot the Guard.

CSCsm34086—The Guard does not establish an OSPF adjacency over the GRE tunnel. Workaround: Change the OSPF network type from Point-to-Point to Broadcast.

CSCsm36943—The OSPF network type configuration is not saved on the GRE interface. Workaround: None.

CSCso30607—This caveat applies to the WBM. The following sequence of events causes the Guard to incorrectly measure the traffic rate of a policy and produce dynamic filters even though the traffic rate does not exceed the policy threshold and there is no attack on the zone:

a. You modify a specific policy using the WBM Config Policy screen.

b. You activate zone protection.

c. The device detects traffic packets associated with the modified policy.

Workaround: If you can apply the policy change to more than one policy, configure the policies using the WBM Config Policy Group screen, which you access by selecting multiple policies to configure. If you need to apply the change to one policy only, use the device CLI.

If the problem already exists, use one of the following methods to correct it:

Use the device CLI to export the zone configuration and then import it back under a different zone name (do not use the "copy-from" operation).

Use the WBM or device CLI to remove the service associated with the policy and then add it back to the zone configuration. For example, if the problem exists with the http/80/analysis/syns/src_ip policy, remove the http/80 service and then add it back to the zone configuration. After you add the service, you must allow the device to perform the threshold tuning phase of the learning process. This method does not work for built-in services, such as the tcp_services/any and dns_udp/53 services, because these services cannot be removed.

CSCuk54606—When you activate a zone by issuing the protect or learning command, the Guard displays the following error message even when the configuration is correct and traffic diversion is working properly:

no injection path

The Guard may display this message if it does not have a default injection route and the zone injection definition consists of two or more injection routes with an IP address that does not match the zone IP address (for example, a zone IP address of 192.168.254.0/24 and zone injection routes of 192.168.254.0/25 and 192.168.254.128/25). Workaround: Configure a default injection route for the Guard, or configure the zone injection routes to match the zone IP addresses. For example, if you configure the injection routes to be 192.168.254.0/25 and 192.168.254.128/25, configure the zone IP addresses as 192.168.254.0/25 and 192.168.254.128/25.
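As an added example (not part of the release note or of Cisco's software), the following Python checks a zone's injection routes against its IP addresses the way CSCuk54606 (listed in both the 6.1(5) and 6.1(2) open caveats) describes: with no default injection route, it reports routes that exactly match no zone address, suggests the workaround split of the zone addresses, and additionally reports any zone space that no injection route covers. The zone and route values are plain CIDR strings constructed from the caveat's example.

```python
"""Injection-route consistency check for CSCuk54606 (added example, not Cisco code).

Without a default injection route, a zone whose injection routes do not match
its IP addresses one-for-one triggers the spurious 'no injection path' error.
Inputs are CIDR strings; the zone/route values are constructed for this example.
"""
import ipaddress


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def unmatched_injection_routes(zone_cidrs, route_cidrs, has_default_injection_route=False):
    """Injection routes that equal no zone address (the caveat's trigger).

    A default injection route avoids the condition, so nothing is reported then.
    """
    if has_default_injection_route:
        return []
    zones = set(_nets(zone_cidrs))
    return [str(r) for r in _nets(route_cidrs) if r not in zones]


def suggested_zone_addresses(zone_cidrs, route_cidrs):
    """Workaround: split each zone address along the injection routes inside it.

    192.168.254.0/24 with routes .0/25 and .128/25 becomes those two /25s.
    """
    routes = _nets(route_cidrs)
    result = []
    for zone in _nets(zone_cidrs):
        inside = [r for r in routes if r.subnet_of(zone)]
        if not inside or inside == [zone]:
            result.append(zone)      # already matches, or no routes to split on
        else:
            result.extend(inside)
    return [str(n) for n in result]


def uncovered_zone_space(zone_cidrs, route_cidrs):
    """Zone address space that no injection route reaches (extra sanity check)."""
    routes = _nets(route_cidrs)
    leftover = []
    for zone in _nets(zone_cidrs):
        remaining = [zone]
        for route in routes:
            nxt = []
            for piece in remaining:
                if route.subnet_of(piece) and route != piece:
                    nxt.extend(piece.address_exclude(route))  # carve the route out
                elif not piece.subnet_of(route):
                    nxt.append(piece)                         # disjoint: keep it
                # else the route covers this piece entirely, so drop it
            remaining = nxt
        leftover.extend(remaining)
    return sorted(str(n) for n in ipaddress.collapse_addresses(leftover))


if __name__ == "__main__":
    zone = ["192.168.254.0/24"]                        # constructed, from the caveat text
    routes = ["192.168.254.0/25", "192.168.254.128/25"]
    print("routes matching no zone address:", unmatched_injection_routes(zone, routes))
    print("zone addresses to configure instead:", suggested_zone_addresses(zone, routes))
    print("zone space no injection route covers:", uncovered_zone_space(zone, routes))
```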

Related Documentation

The following Guard documents are available:

Cisco Guard and Traffic Anomaly Detector Hardware Installation and Configuration Note

Cisco Guard Configuration Guide

Cisco Guard Web-Based Manager Configuration Guide

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

© 2008 Cisco Systems, Inc. All rights reserved.