Tons of new platform support plus performance boosts
Last week Cisco posted the 3.3 version of its enterprise class Cisco Security Manager (CSM) product. All sorts of new features were introduced, most especially are performance improvements throughout, ASA 8.2 support, IPS 7.0 support, ASR router support, and finally full support for IOS zone-based firewall. Another notable feature is the bulk import/export functionality. This allows you to work with objects, devices, and device overrides in bulk instead of the previous per device method. Here is a list of all the new features added (according to release notes):
• Support for Cisco Firewall Services Module (FWSM) Version 3.1.(13), 3.1(14), 3.2(9), 3.2(10), 4.0(3), and 4.0(4) • Support for Cisco ASA Software Releases 7.2.5, 8.0.5, and 8.1.2 • Support for new Cisco ASA Software Release 8.2-related features, such as Botnet Traffic Filter, SSL VPN AnyConnect Essentials, and SSL VPN RAS shared license • Support for Cisco 861, 861W, 887, 888SRST, 891, and 892 Integrated Services Router platforms • Support for Cisco 1002, 1004, and 1006 Aggregation Services Router platforms • Support for Zone-Based Firewall (ZBF) on Cisco integrated services routers and aggregated services routers • Support for Group Encrypted Transport VPN (GET VPN) on Cisco integrated services routers and aggregated services routers • Support for Cisco IPS Sensor Software Version 6.2 (IPv4 only) and Version 7.0 on Cisco IPS 4200 Series Sensors • Support for Cisco IPS Sensor Software Version 7.0 global correlation features, including network participation and reputation subscription • Support for the Cisco Advanced Inspection and Prevention Security Services Card 5 (AIP-SSC-05) on the ASA 5500 Series platform • Support for Cisco IPS Network Module (NME IPS) on the integrated services router platforms • Support for Cisco IOS® Software Release 12.4(15)T, 12.4(20)T, and 12.4(22)T on the integrated services router platforms • Support for Cisco IOS Software Release 12.2(33)XNA, 12.2(33)XNB, and 12.2(33)XNC on the aggregated services router platforms • Support for Cisco IOS Software Release 12.2(33)SXI on Cisco Catalyst® switches • Support for content filtering for Cisco IOS Software-based platforms • Support for Cisco NT LAN Manager (NTLMv2)-based authentication • Bulk import/export of policy objects • Bulk add for offline devices • Bulk import for device-level overrides • Performance enhancements for policy navigation and policy object managerFor a minor release this is a notable list of new functionality added to CSM 3.3. Here are some tips for using the bulk Policy Object import/export Perl Script: • File type is common CSV format. A CSV file can only contain a single object type. Object type can be one of the following: Network, Service or Portlist • Security Manager creates only new objects, it does not update existing objects when you do a bulk policy object import Watch out for an awkward CSM caveat that exists when upgrading to 3.3 from a previous release. As stated in the Cisco release notes, “If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to Security Manager 3.3. If you deploy back to the device, these commands are removed from the device because the commands are not part of the target policies configured in Security Manager.”
So in a nutshell if you have configured non-natively supported commands on your gear and those commands now become supported in CSM 3.3 then they will be deleted by CSM if you don’t first add them to your CSM policy. You can either manually add them into your CSM 3.3 device policy or re-import your device into CSM. Some newly supported features you should plan for might be:
- Zone-based FW configs on existing CSM managed IOS devices
- Get-VPN configs on existing CSM managed IOS devices
- Any ASA 8.2 features you might have configured
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
More from Jamey Heary: Credit Card Skimming: How thieves can steal your card info without you knowing it Cisco enters the crowded AV and DLP client marketCisco’s new ASA code allows you to securely take your Cisco IP Phone with you anywhereCisco targets Symantec, McAfee with its new antivirus client Google’s Chrome raises security concerns and tastes like chicken feet a>Go to Jamey’s Blog for more articles on security.*
*
*
*
*




