Cisco Cisco Security Manager 4.6 Release Notes
9
Release Notes for Cisco Security Manager 4.6
OL-31288-01
Important Notes
•
You cannot use Security Manager to manage an IOS or ASA 8.3+ device if you enable password
encryption using the password encryption aes command. You must turn off password encryption
before you can add the device to the Security Manager inventory.
encryption using the password encryption aes command. You must turn off password encryption
before you can add the device to the Security Manager inventory.
•
If you upgrade an ASA managed by Security Manager to release 8.3(x) or higher from 8.2(x) or
lower, you must rediscover the NAT policies using the NAT Rediscovery option (right-click on the
device, select Discover Policies on Device(s), and then select NAT Policies as the only policy type
to discover). This option will update the Security Manager configuration so that it matches the
device configuration while preserving any existing shared policies, inheritance, flex-configs, and
so on.
lower, you must rediscover the NAT policies using the NAT Rediscovery option (right-click on the
device, select Discover Policies on Device(s), and then select NAT Policies as the only policy type
to discover). This option will update the Security Manager configuration so that it matches the
device configuration while preserving any existing shared policies, inheritance, flex-configs, and
so on.
When upgrading an ASA device from 8.4.x to 9.0.1, the device policies will be converted to the
unified format. You can rediscover the unified NAT rules using the NAT Rediscovery option or you
can convert the existing NAT policies to unified NAT policies with the help of the rule converter in
Security Manager. For more information, see
unified format. You can rediscover the unified NAT rules using the NAT Rediscovery option or you
can convert the existing NAT policies to unified NAT policies with the help of the rule converter in
Security Manager. For more information, see
or the “Converting IPv4
Rules to Unified Rules” topic in the online help.
You can also use the rule converter for the other firewall rules like access rules, AAA rules, and
inspection rules if you want to manage these policies in unified firewall rules format.
inspection rules if you want to manage these policies in unified firewall rules format.
•
ASA 8.3 ACLs use the real IP address of a device, rather than the translated (NAT) address. During
upgrade, rules are converted to use the real IP address. All other device types, and older ASA
versions, used the NAT address in ACLs.
upgrade, rules are converted to use the real IP address. All other device types, and older ASA
versions, used the NAT address in ACLs.
•
The device memory requirements for ASA 8.3 are higher than for older ASA releases. Ensure that
the device meets the minimum memory requirement, as explained in the ASA documentation, before
upgrade. Security Manager blocks deployment to devices that do not meet the minimum
requirement.
the device meets the minimum memory requirement, as explained in the ASA documentation, before
upgrade. Security Manager blocks deployment to devices that do not meet the minimum
requirement.
•
If you have a device that uses commands that were unsupported in previous versions of Security
Manager, these commands are not automatically populated into Security Manager as part of the
upgrade to this version of Security Manager. If you deploy back to the device, these commands are
removed from the device because they are not part of the target policies configured in Security
Manager. We recommend that you set the correct values for the newly added attributes in Security
Manager so that the next deployment will correctly provision these commands. You can also
rediscover the platform settings from the device; however, you will need to take necessary steps to
save and restore any shared Security Manager policies that are assigned to the device.
Manager, these commands are not automatically populated into Security Manager as part of the
upgrade to this version of Security Manager. If you deploy back to the device, these commands are
removed from the device because they are not part of the target policies configured in Security
Manager. We recommend that you set the correct values for the newly added attributes in Security
Manager so that the next deployment will correctly provision these commands. You can also
rediscover the platform settings from the device; however, you will need to take necessary steps to
save and restore any shared Security Manager policies that are assigned to the device.
•
Device and Credential Repository (DCR) functionality within Common Services is not supported in
Security Manager 4.6.
Security Manager 4.6.
•
LACP configuration is not supported for the IPS 4500 device series.
•
A Cisco Services for IPS service license is required for the installation of signature updates on IPS
5.x+ appliances, Catalyst and ASA service modules, and router network modules.
5.x+ appliances, Catalyst and ASA service modules, and router network modules.
•
Do not connect to the database directly, because doing so can cause performance reductions and
unexpected system behavior.
unexpected system behavior.
•
Do not run SQL queries against the database.
•
If an online help page displays blank in your browser view, refresh the browser.
•
Security Manager 4.6 only supports Cisco Secure ACS 5.x for authentication. ACS 4.1(3), 4.1(4),
or 4.2(0) is required for authentication and authorization.
or 4.2(0) is required for authentication and authorization.