Cisco Security Manager 4.10 Release Notes
Release Notes for Cisco Security Manager 4.10
Important Notes
b. If you have your own SSL certificates configured, you can reconfigure the certificates as per the
steps outlined in the link below:
c. For self-signed certificates, from the command prompt navigate to the <CSCOpx>\MDC\Apache
directory, and then execute the gencert.bat file.
(where <CSCOpx> is your installation directory)
d. Start the CSM Daemon service [net start crmdmgtd]
Important Notes
The following notes apply to the Security Manager 4.10 release:
• In Policy Object Manager > Access Control List > Unified ACL, if you right-click an ACL that
is used in any device configuration and select “Find Usage”, the Find Usage option does not
show the list of devices that are configured with the Unified Access List.
• Beginning with version 4.9, Security Manager does not support the Secure Sockets Layer version
3.0 (SSLv3) security protocol.
• Security Manager sends only the delta configuration to the Configuration Engine, where the
particular device retrieves it. The full configuration is not pushed to the device. Therefore, the
following behaviors are encountered for OSPF, VLAN, and failover on devices:
– OSPF for IOS routers—Security Manager supports OSPF policy for routers running IOS
Software version 12.2 and later. However, Security Manager does not support OSPF policy for
Catalyst devices. Therefore, when you configure the OSPF policy on a Catalyst device and
perform the discovery in Security Manager, the latter removes the ‘no passive-interface
<interface number>’ command from the full configuration. As a result, you will see a difference
between the Security Manager-generated configuration and the configuration on the device.
– VLAN—Security Manager supports discovery of the VLAN command in IOS devices but does not
support dynamic behavior of the VLAN command. If there are user-driven changes in the VLAN
policy, Security Manager generates the command in the delta and full configuration. In other words,
in a normal preview or deployment, Security Manager does not generate the VLAN command in the full
configuration. Therefore, you will see a difference between the Security Manager-generated
configuration and the configuration on the device.
– Failover policy for firewall devices, such as ASA and FWSM, and IOS devices—Security
Manager does not support dynamic behavior of failover devices. That is, the primary unit in HA
has the ‘failover lan unit primary’ command and the secondary unit has the ‘failover lan unit
secondary’ command. When there is a switchover, Security Manager tries to compare with
‘failover lan unit primary’ and generates the delta configuration. This leads to a failure in deployment.
Note
Security Manager does not support ‘dynamic’ CLI commands. If the syntax of a CLI
command is modified, for example, the ‘primary’ keyword is changed to ‘secondary’, it
will not be supported by Security Manager.
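The notes above say that the Security Manager-generated configuration and the device configuration will differ for OSPF on Catalyst devices, VLAN commands and failover unit roles. As an added example (not part of the release notes and not Cisco code), the following Python labels those documented differences when two configuration texts are compared, so that any other out-of-band change stands out. The sample configurations, the function names and the line-level comparison are assumptions made for illustration.

```python
import re

# Differences the release note documents as expected; patterns follow its wording.
KNOWN = [
    ("ospf-catalyst", re.compile(r"^no passive-interface \S+")),
    ("vlan", re.compile(r"^vlan \d")),
    ("failover-role", re.compile(r"^failover lan unit (primary|secondary)$")),
]

def normalize(config):
    """Return the set of non-empty, non-comment lines with indentation removed.
    Assumption: a flat line-level comparison, ignoring sub-mode hierarchy."""
    lines = (ln.strip() for ln in config.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("!")}

def classify_drift(csm_full, device_running):
    """Return (expected, unexpected) lists of (side, label, line) tuples.
    Expected entries are labelled, not dropped, so they can still be reviewed."""
    csm, dev = normalize(csm_full), normalize(device_running)
    expected, unexpected = [], []
    for side, lines in (("device-only", dev - csm), ("csm-only", csm - dev)):
        for line in sorted(lines):
            label = next((name for name, rx in KNOWN if rx.search(line)), None)
            (expected if label else unexpected).append((side, label, line))
    return expected, unexpected

# Constructed sample: firewall pair after a failover switchover, plus one
# access-list line added directly on the device.
ASA_CSM = """hostname fw-a
failover lan unit primary
access-list OUTSIDE extended permit tcp any host 192.0.2.10 eq 443
"""
ASA_DEVICE = ASA_CSM.replace("unit primary", "unit secondary") + (
    "access-list OUTSIDE extended permit tcp any host 192.0.2.10 eq 22\n")

# Constructed sample: Catalyst switch with OSPF and VLAN lines that exist
# on the device but not in the Security Manager-generated configuration.
CAT_CSM = """hostname sw-a
router ospf 1
 passive-interface default
"""
CAT_DEVICE = "vlan 20\n" + CAT_CSM + " no passive-interface Vlan20\n"

if __name__ == "__main__":
    for name, pair in (("asa", (ASA_CSM, ASA_DEVICE)), ("catalyst", (CAT_CSM, CAT_DEVICE))):
        exp, unexp = classify_drift(*pair)
        print(name, "expected:", exp, "unexpected:", unexp)
```

Only the entries in the second list need investigation as unmanaged changes; the first list corresponds to the behaviors described in the notes.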
• The following ASA policies are newly supported in Security Manager 4.8:
– SSL
– EIGRP