Release Notes for ASA CX and Cisco Prime Security Manager 9.3

Published: June 30, 2014
Last Updated: December 19, 2014
For ASA Version 9.3(2), 9.2(3), 9.1(5.21) and later, only ASA CX Version 9.3(2.1) and later is
supported. When upgrading your ASA, first upgrade the ASA CX software; otherwise the ASA CX
module will become unresponsive.
CX and Cisco Prime Security Manager (PRSM, pronounced “prism”) are closely related. They share the
same user interface, so that your experience in directly managing a CX device is easy to translate into
managing multiple devices in Cisco Prime Security Manager.
Thus, these release notes and the product documentation cover both the CX platform and the Cisco Prime
Security Manager device management software, as well as ASA device configuration to the extent that
you can configure the ASA in PRSM. When reading the release notes and the product documentation,
keep the following in mind:
PRSM Multiple Device mode refers to the multi-device management application, which you can use
to manage more than one CX device and ASA devices. Where a feature applies to this platform only,
we explicitly state that it is for Multiple Device mode.
ASA CX (or CX) only, Single Device mode, or PRSM Single Device mode refers to the management
application that is hosted on the CX device itself. You can use this application to configure that
single device only. Thus, functions that relate to managing multiple devices, such as the device
inventory, do not appear.
Cisco Systems, Inc.
Supported Versions of Related Software
CX and PRSM can interact with other applications in your network. The following table lists the
applications and the minimum versions required.
You can find the CDA software on the following path on the Download Software page:
Downloads Home > Products > Security > Firewalls > Adaptive Security Appliances (ASA) > Cisco
ASA 5500 Series Adaptive Security Appliances > Cisco ASA 5580 Adaptive Security Appliance >
Adaptive Security Appliance (ASA) Software. The table includes a direct link to the pages.
Table 1 Minimum Versions for Related Software

Related Software: Cisco AnyConnect Secure Mobility Client
Minimum Version: Version 2.4.21 or later.

Related Software: Cisco ASA Software (including the ASDM version compatible with the ASA release)
Minimum Version: ASA Software Release 9.1(5). For PRSM, ASA Software Release 9.x (starting
with 9.0(1)) for devices that do not include a CX.

Related Software: Cisco Context Directory Agent (CDA). You can use this application as a
replacement for Cisco AD Agent. Although the agent configuration differs, the method for
identifying the agent in PRSM or CX is identical to identifying the AD agent.
(Download software...)

Related Software: Microsoft Active Directory
Minimum Version: Windows Server 2008 R2; Windows Server 2003 R2

Related Software: VMware (for PRSM only)
Minimum Version: VMware vSphere Hypervisor (ESXi) 5.0 or 4.1 Update 2; VMware vCenter Server 5.0
or 4.1; VMware vSphere Client 5.0 or 4.1

Related Software: Web browsers based on client platform (minimum
Minimum Version: Windows 7, Mac OS X—Google Chrome 28; Windows 7, Mac OS X—Mozilla Firefox 22;
Windows 7—Windows Internet Explorer 9; Mac OS X—Safari
Applications that Support Integration with PRSM
You can share information between Cisco Prime Security Manager and some other applications. The
following table lists the supported applications and the type of integration available.
If supported, Cisco Prime Security Manager allows you to configure a single-sign-on (SSO) relationship
between PRSM and other applications. An SSO relationship allows you to log into the other application,
then directly access PRSM from within that application without needing to log into PRSM. Your
username/password for the other application suffices for PRSM authentication.
Use the following steps to configure this relationship:
Step 1
Identify the application’s SSO directory to PRSM.
Step 2
Add users defined in the SSO directory to PRSM.
See the PRSM user guide or online help for detailed information. See the documentation for these
products for information on their SSO server and PRSM cross-launch access points.
Table 2 Applications that support integration with PRSM 9.3(x)

Feature: Cisco Security Manager 4.5
Notes:
Single sign-on cross launching.
Export network, network group, service, and service group objects for import into PRSM.
Cross-launch, but not single sign-on or object import, is supported in Cisco Security Manager 4.4.
Dashboard and Report Data Calculations
The “Top N” dashboards are limited to a certain number of data points. If there are more data points than
the limit in a 5 minute bucket, only the data points within the limit are counted; data points outside the
limit are ignored (although the events for these items persist).
Thus, as data is aggregated from the 5-minute buckets, items that appear in the top N in one bucket but
not in another will have incomplete metrics. For example, consider the Top Users report. During the first
5-minute window, user John Doe is in the Top N users. During the next 5-minute bucket, John Doe is still
generating some network traffic, but he is not in the Top N for that time window. When the hourly
summary is calculated from the twelve 5-minute buckets that make up that hour, the entry for user John
Doe in that summary includes his data from the first 5 minutes, but none of his traffic from the second
5 minutes, because he was not in the Top N for that period.
The number of data points used in the Top N dashboards is 50.
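The aggregation rule above is easy to misread when reviewing a report, so here is an added example (not code from the release notes or from PRSM) that models it: each 5-minute bucket is cut to its Top N before the buckets are summed, so a user who falls out of the Top N in one bucket is undercounted in the hourly figure even though the underlying events still exist. The sample buckets are constructed, and the limit is reduced from 50 to 3 so the effect is visible.

```python
from collections import Counter

TOP_N = 50  # data points kept per 5-minute bucket, as stated in the release notes


def keep_top_n(bucket, n=TOP_N):
    """Return only the n largest entries of one 5-minute bucket (user -> bytes).

    Ties are broken by name so the result is deterministic."""
    ranked = sorted(bucket.items(), key=lambda kv: (-kv[1], kv[0]))
    return dict(ranked[:n])


def hourly_summary(buckets, n=TOP_N):
    """Aggregate 5-minute buckets the way the dashboards do: each bucket is
    truncated to its Top N before its values are summed."""
    total = Counter()
    for bucket in buckets:
        total.update(keep_top_n(bucket, n))
    return dict(total)


def exact_totals(buckets):
    """Sum every data point, ignoring the Top N limit (what the raw events show)."""
    total = Counter()
    for bucket in buckets:
        total.update(bucket)
    return dict(total)


def undercounted_users(buckets, n=TOP_N):
    """Users whose hourly figure is lower than their real traffic because they
    fell outside the Top N in at least one bucket. Returns user -> missing bytes."""
    reported = hourly_summary(buckets, n)
    exact = exact_totals(buckets)
    return {u: exact[u] - reported.get(u, 0)
            for u in exact if exact[u] != reported.get(u, 0)}


# Constructed sample: two of the twelve 5-minute buckets of an hour, bytes per user.
SAMPLE_BUCKETS = [
    {"john.doe": 500, "alice": 400, "bob": 300, "carol": 200},  # john.doe is in the Top 3
    {"john.doe": 50, "alice": 400, "bob": 300, "carol": 200},   # john.doe drops to 4th place
]

if __name__ == "__main__":
    print(hourly_summary(SAMPLE_BUCKETS, n=3))     # john.doe: 500, although he sent 550
    print(undercounted_users(SAMPLE_BUCKETS, n=3))  # {'john.doe': 50, 'carol': 200}
```

The practical consequence for investigations: use the hourly dashboards to spot candidates, then query the events themselves for a user's real volume, since the events for items outside the Top N are retained.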
Sites Supported for Safe Search
You can enforce Safe Search settings on certain web sites. By enforcing Safe Search, you prevent users
from relaxing search results to include inappropriate or explicit materials. If you enable an access policy
to enforce Safe Search, search URLs are rewritten to ensure strict Safe Search settings. If CX does not
support rewrite for a search engine, that engine is blocked for any traffic flows that match an access
policy that enforces Safe Search.
The following sites are supported for enforcing Safe Search:
Bing, MSN
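To make the two outcomes described above concrete, here is an added example (not Cisco code, and not how CX implements the feature internally) of a policy function that rewrites search URLs for a supported engine and blocks unsupported ones. The `adlt=strict` parameter is the query parameter Bing uses for its strict SafeSearch setting; applying the same parameter to MSN, and the `search.example` host used as an unsupported engine, are assumptions of this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Engines that can be rewritten (the release notes list Bing and MSN). The value
# is (query parameter, forced value). Treating MSN like Bing is an assumption.
REWRITE_RULES = {
    "bing.com": ("adlt", "strict"),
    "msn.com": ("adlt", "strict"),
}

# Constructed placeholder for a search engine that cannot be rewritten; per the
# release notes such an engine is blocked when the access policy enforces Safe Search.
UNSUPPORTED_ENGINES = {"search.example"}


def _matches(host, domain):
    """True for the domain itself and any of its subdomains."""
    return host == domain or host.endswith("." + domain)


def enforce_safe_search(url):
    """Return (action, url): ('rewrite', new_url), ('block', None) or ('allow', url)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for domain, (param, value) in REWRITE_RULES.items():
        if _matches(host, domain):
            # Drop any user-supplied value for the parameter, then force the strict one,
            # so a client cannot relax the setting by adding adlt=off itself.
            query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                     if k != param]
            query.append((param, value))
            new_url = urlunsplit((parts.scheme, parts.netloc, parts.path,
                                  urlencode(query), parts.fragment))
            return ("rewrite", new_url)
    for domain in UNSUPPORTED_ENGINES:
        if _matches(host, domain):
            return ("block", None)
    return ("allow", url)


if __name__ == "__main__":
    for u in ("https://www.bing.com/search?q=kittens&adlt=off",
              "https://search.example/?q=kittens",
              "https://www.cisco.com/"):
        print(u, "->", enforce_safe_search(u))
```

Note that the rewrite only works on traffic the device can read, so for HTTPS search traffic the decryption policy must cover the engine as well; otherwise the unmodified query reaches the search engine.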
Changing the Language for the Web Interface
You can view the web interface in English and Japanese. To get Japanese, change the preferred language
setting in the browser to Japanese. You will get English for all other language settings, although dates
and times might be formatted based on the selected language.
You cannot change the language or date/time format directly in the web interface.
Heartbleed Bug
The Heartbleed bug (CVE-2014-0160) is an OpenSSL vulnerability that uses invalid TLS heartbeats to
gain inappropriate access to data on a device. ASA CX 9.3.x and PRSM 9.3.x are not vulnerable to the
heartbleed bug. However, CX devices do not prevent invalid heartbeats from passing through the device
as traffic between other endpoints. Ensure that you patch your vulnerable endpoints with the required
You can learn more about this bug at or other resources on the Internet.
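Because the CX module forwards invalid heartbeats between other endpoints, detection has to happen on the endpoints or on a sensor in the path. The following added example (not Cisco code) shows the check an IDS-style validator applies to a TLS heartbeat record: RFC 6520 requires the declared payload length plus at least 16 bytes of padding to fit inside the record, and a record that violates this is the CVE-2014-0160 trigger. The sample records are constructed.

```python
import struct

TLS_CONTENT_TYPE_HEARTBEAT = 0x18
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding


def check_heartbeat_record(record):
    """Classify one TLS record. Returns (verdict, reason) where verdict is
    'ignore' (not a heartbeat), 'ok', 'suspicious' or 'malformed'."""
    if len(record) < 5:
        return ("ignore", "record shorter than a TLS record header")
    content_type, _major, _minor, declared_len = struct.unpack("!BBBH", record[:5])
    if content_type != TLS_CONTENT_TYPE_HEARTBEAT:
        return ("ignore", "not a heartbeat record")
    body = record[5:]
    if len(body) < declared_len:
        return ("suspicious", "record body shorter than the record header declares")
    if declared_len < 3:
        return ("suspicious", "heartbeat message too short to carry a header")
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return ("suspicious", "unknown heartbeat message type %d" % hb_type)
    # The bounds check an unpatched OpenSSL skipped: header + payload + padding
    # must fit inside the record the peer actually sent.
    if 3 + payload_len + MIN_PADDING > declared_len:
        return ("malformed", "payload_length %d does not fit in a %d-byte record"
                % (payload_len, declared_len))
    return ("ok", "well-formed heartbeat")


def count_malformed(records):
    """Number of records in a capture that fail the heartbeat bounds check."""
    return sum(1 for r in records if check_heartbeat_record(r)[0] == "malformed")


# Constructed sample records (TLS 1.1 version bytes 0x03 0x02).
VALID = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16  # 3 + 4 + 16 = 23 bytes
OVERSIZED = b"\x18\x03\x02\x00\x03" + b"\x01\x00\x20"                        # claims 32-byte payload in a 3-byte record
HANDSHAKE = b"\x16\x03\x02\x00\x01" + b"\x01"                                # not a heartbeat

if __name__ == "__main__":
    for name, rec in (("VALID", VALID), ("OVERSIZED", OVERSIZED), ("HANDSHAKE", HANDSHAKE)):
        print(name, check_heartbeat_record(rec))
```

A sensor that sees an oversized heartbeat request on the wire has evidence of a probe; the patched endpoint simply discards such a message, which is why patching the endpoints rather than relying on the inline device is the fix.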
Warning Policy Restrictions for HTTPS
Do not use Warning policies with decrypted traffic. Users who click Continue on the warning for
decrypted traffic sometimes will get a bad redirection URL, which results in a 404 Page Not Found error.
The combination of the Warn and Decrypt actions effectively blocks access to these sites.
IPv6 Restrictions
For the most part, you can use IPv6 addresses in CX and ASA policies and configuration settings.
However, in the following cases, the ASA will allow IPv6 addresses, but you cannot configure or use
them with PRSM:
ASA management address—You cannot import an ASA that uses an IPv6 address for the
management interface.
Bridge groups—An IPv6 address for a bridge group interface is not supported. If you configure an
IPv6 address, it will be ignored and left unmanaged.
ASA Service Policy Object Restrictions
PRSM does not support the following service object commands. If you use these commands on the ASA,
you will not be able to add the ASA to the PRSM inventory.
object-group service {tcp | udp | tcp-udp | icmp-type | protocol}
To manage the ASA, you must first convert all of these unsupported commands to use the object service
or object-group service (without qualifier) commands.
Your other option is to import the ASA in monitor-only mode. In monitor-only mode, PRSM does not
discover the ASA configuration, nor does it manage it. You will not be able to change the configuration
through PRSM. Monitor-only mode is a good option if you want to use other applications to configure
the ASA, such as ASDM or Cisco Security Manager.
Cisco provides an off-line tool that will convert the unsupported service object commands, and the ACLs
that use them, to the required style. You can use the tool to convert an ASA configuration, then verify it
yourself before you manually apply the changes to the ASA. You can then add the device to the PRSM
inventory. The tool is called CSM to PRSM Migration Tool and is available as a download from the Cisco
Prime Security Manager software download page. The readme file in the download includes instructions
on using the tool.
ASA Object Deployment Restrictions
Objects are deployed to an ASA only if they are used in policies assigned to the ASA. This restriction
includes objects that were discovered from an ASA: if the object is in the configuration, but not used by
a policy, it is not redeployed when you commit changes to the ASA.
This can result in odd behavior if you repeatedly add and remove an ASA from the inventory. Unused
objects might be renamed during device discovery, but the objects under the new name will not get
recreated on the ASA when you commit the device to the inventory. Because objects are not deleted from
PRSM when you remove a device, those objects under the new name remain in the database.
To avoid such issues, ensure that every object in the ASA configuration is actually used.
New Features
New Features in 9.3(2.1) Build 9
Released: October 14, 2014
This release includes fixes to the following customer-found bugs, in addition to other bug fixes:
CSCuj11380 ASA CX Unable to block Application Skype 6.13 and earlier
CSCur01959 ASA CX evaluation for CVE-2014-6271 and CVE-2014-7169
CSCuq68660 Fix deprecated entry handling in the NBAR-2-AVC map table
CSCuq40823 PRSM fails to display data for AD users with Cyrillic symbols
CSCuq16643 CX: HTTPS sites not accessible when only server supports EC ciphers
CSCup72496 Microsoft/Windows updates fail through ASA CX
CSCup67575 Rate limit not being applied for apps detected by NBAR beyond first pkt
CSCup57870 ASACX: Transparent active authentication fails after some time
CSCup45414 CX Stops listening on port 3799 when network between them is slow
CSCup15907 CX Event viewer does not display Web Reputation Events
CSCup15282 ASA CX: Cyrillic symbols are not displayed in PRSM report
CSCup13016 ADI may use null ldap context, causing assertions and cores
CSCup10501 core.dp_smp on CX: spinlock issue in tmatch_lookup_domain_all
CSCuo89254 TLS proxy exits due to DecisionEngineException
CSCuo44447 Race condition on variable enable_decryption_enable_mutex.
CSCuo03143 CX does not Rate-Limit traffic
CSCun82205 CX Vimeo App doesn't permit videos when denying Streaming Video below
CSCun56954 CX: Virtual CX modules may reload in some situations
CSCun26705 PDTS registration failure leading to critical recovery process
CSCum89069 TLS Proxy might be double notify'ing data-plane with DATA_COMPLETE
CSCum13037 TLS crash observed in customer CX with fcs build
CSCul78967 CX OpenSSH CBC Mode Information Disclosure Vulnerability CVE-2008-5161
CSCul73921 VDI core if group in policy has more than 10 nested groups as members
CSCul24372 PRSM:Dashboard user name getting cluttered when shown in the title bar
CSCuj67406 Monocle dumps core while reading invalid segment
CSCui95306 ASA identity object are getting duplicated when we re discover the ASA.
New Features in 9.3(1.1) Build 112
Released: June 30, 2014
In addition to bug fixes, this release includes the following changes:
You can now use time range objects in CX access policies to implement time-sensitive access
The list of well-known root Certificate Authority (CA) root certificates is now periodically updated
through the same updater service that is used to download new signatures and other components.
The names of the components listed in the Updates page are now more meaningful. Also, messages
indicate whether the particular updates are down-level.
You can now configure CX devices to export events to syslog servers. The syslog settings for ASA
and CX devices are combined on the new Syslog Settings policy.
You can now create access policies that match uncategorized applications or application types.
You can now create URL filtering policies for uncategorized URLs.
You can now have more than one Active Directory realm per CX device, and import these realms
into PRSM. However, you can use NTLM, Kerberos, or Advanced active authentication with a single
AD realm, and the CX device will bind to that realm. You can use basic, form, and passive
authentication with any realm.
You can now create identity policies that prompt for active authentication using a browser form that
you customize.
You can identify users who fail active authentication as guest users, and write access policies to
provide special treatment for guest users.
You can now create application filtering policies based on cloud services tags. There is a new
dashboard for monitoring cloud services applications.
There is now a page that lists the web categories and their descriptions. From this page, you can also
look up the category for a web site, or its reputation.
You can now configure a secondary Context Directory Agent (CDA) to provide a high-availability
Support for YouTube for Schools. You can create an access policy that inserts your school or district
ID into the appropriate HTTP Request header to limit YouTube access to educational videos. Use
the Header Injection field in the access policy, and the header-injection profile object, to implement
your policy.
The HTTP proxy now works for network participation in addition to component updates.
The implementation of the “do not decrypt” action in CX decryption policies has been improved so
that clients (e.g. Web browsers) experience fewer connection failures on the first attempt to connect
to a server using TLS or SSL.
Improved application classification of decrypted traffic.
The decryption engine now supports Elliptic Curve Cryptography (ECC) cipher suites.
New or changed CLI commands:
– config advanced crashinfo
– config clear-truststore
– show crashinfo
– show opdata policy table now shows whether time-based policies are currently active or
– All show commands now allow you to pipe output to filtering commands, grep, include,
exclude, begin, with additional options to control output.
– The setup and config ntp commands now allow you to configure authenticated NTP.
Installation Notes
Upgrading to 9.3(x)
Use the web interface or the system upgrade command to apply the 9.3(x) upgrade to a system running
9.1(x), 9.2(x), or 9.3(x). Specific instructions are in the documentation cited in Installation Instructions,
page 10.
You might be prevented from upgrading between specific builds of older releases to a specific 9.3 build.
As a general rule, if you are running a build that was released chronologically after a given 9.3 build,
you cannot upgrade to that 9.3 build; wait for a new build. For example, you cannot upgrade from
9.2(1.4)-5 to 9.3(1.1)-112, but you can from 9.2(1.4)-5 to 9.3(2.1)-9, although upgrade from 9.2 is
generally supported.
In addition, consider the following restrictions when upgrading Cisco Prime Security Manager to 9.3(x)
from 9.1(x) releases:
Any pending changes will be deleted, so ensure that you commit changes prior to applying an
upgrade. This restriction also applies to upgrades for the CX module.
Starting with 9.2(1.1), CX and PRSM enforce correct masks for network specifications in all types
of network object. When upgrading to 9.3(x) from 9.1(x), the network addresses will be corrected
automatically based on the mask/prefix. Thus, your system’s policies will be enforced the same way
they were prior to upgrade, and the CX device will not drop traffic.
If you upgrade from a 9.1(x) release, any ASAs that you are managing will be placed into
monitor-only mode. If you want to continue managing the ASA configuration with PRSM, open the
device inventory by selecting Device > Configuration and go to the Repository view. On the
Overview tab, look for the information icon in the Last Deployed column; click the icon and then
click the Import link to import the device’s configuration. For information on the general steps, see
Upgrading from 9.1(x) to 9.3(x), page 9.
Because 9.3(x) recognizes devices configured for high availability (HA), whereas older 9.1(x)
releases did not, you must first delete any devices that are configured for HA from the PRSM
inventory prior to upgrade. After upgrade, you can add these back. For information on the general
steps, see Upgrading HA Devices from 9.1(x) to 9.3(x), page 9.
For information on the supported upgrade paths, see Cisco CX and Cisco Prime Security Manager
Compatibility at
To obtain the upgrade package, click the Download Software link from the following pages on and select the appropriate System Software package. There are separate packages for each
system type.
Cisco Prime Security
Upgrading from 9.1(x) to 9.3(x)
Release 9.2 added configuration support for many ASA features, support that is continued in 9.3. Thus,
if you upgrade to 9.3 from 9.1(x), existing ASAs in the PRSM inventory are put into monitor-only mode.
To move them to managed mode, you need to click the link in the inventory to import the ASA
If you use another application, such as Cisco Security Manager, to configure the ASA, leave it in
monitor-only mode. In managed mode, PRSM will consider itself the owner of supported features, and
overwrite changes made by your other application. In general, you should use a single application to
manage a device.
When upgrading from 9.1(x) to 9.3, follow this general procedure.
Step 1
Upgrade the PRSM server using the 9.3 system software upgrade package.
Step 2
Upgrade the ASAs to the minimum required ASA Software release, 9.1(5).
Step 3
Upgrade the CX devices using the 9.3 system software upgrade package.
Step 4
Go to the inventory page in PRSM (select Configurations > Policies/Settings, go to Repository view,
and select the Overview tab).
Look for an information icon in the Last Deployed column for the device and click the icon. A popup
message explains the state of the device. If the message includes an Import link, you can convert this
device to managed mode by clicking the link and following the wizard.
After importing the configuration, the ASA and CX versions should be correct.
Upgrading HA Devices from 9.1(x) to 9.3(x)
If you upgrade to 9.3 from a 9.2 release, this section does not apply to you.
Release 9.2(1.1) introduced management of high availability (HA) devices. In 9.1, PRSM did not know
if an ASA, and subsequently, its CX device, was configured as part of an active/standby pair with another
device. Thus, to manage the CXs, you would import them both to PRSM separately.
Because PRSM 9.3, like 9.2, treats HA devices as a unit, you should first remove these devices from the
PRSM inventory prior to upgrading to 9.3 directly from a 9.1(x) build. (This is not necessary if you
upgrade from 9.2(x).) You can then add them back to the inventory. Following are the general steps.
Step 1
Delete both ASA devices from the 9.1(x) PRSM inventory.
Log into the CX web interface on both CX devices to verify they were put into Single Device mode.
Step 2
Upgrade the PRSM server using the 9.3 system software upgrade package.
Step 3
Upgrade the ASAs to the minimum required ASA Software release, 9.1(5).
Step 4
Upgrade the CX devices using the 9.3 system software upgrade package.
Step 5
Go to the inventory page in PRSM (select Configurations > Policies/Settings, go to Repository view,
and select the Overview tab).
Click the Add Device link, and specify the information for the active ASA and follow the wizard
prompts. PRSM will detect the HA configuration and add both ASA and CX devices as a single HA unit.
Installation Instructions
For information on installing the ASA CX Security Services Processor, see:
Quick Start Guide—Cisco ASA CX Module Quick Start Guide
Hardware Installation (5585-X)—Cisco ASA 5585-X Hardware Installation Guide
Hardware Installation (5500-X)—Cisco ASA 5500-X Hardware Installation Guide
RCSI (5585-X)—Regulatory Compliance and Safety Information for the Cisco ASA 5585-X
Adaptive Security Appliance
RCSI (5500-X)—Regulatory Compliance and Safety Information for the Cisco ASA 5500-X Series
Appliances and the Intrusion Prevention System 4300 Series Appliances
For information on installing ASA CX software and Cisco Prime Security Manager, see:
ASA CX and PRSM—User Guide for ASA CX and Cisco Prime Security Manager 9.2, in the
“Installing Software” chapter:
PRSM—Installation Guide for Cisco Prime Security Manager 9.2, on the product media and on at:
Documentation Updates
There are no updates for the published documentation for this release.
Related Documentation
The product’s web interface includes online help that explains how to use the web interface and the
command line interface (CLI). You can also find documents on using Finding ASA CX and
Cisco Prime Security Manager Documentation at:
For changes to the Application Visibility and Control (AVC) signatures, you can look at Release Notes
for Application Visibility and Control Signatures, Release 1.1.0.x at the following URL. Although these
notes are written for the Cisco Web Security Appliance (WSA) product, these products use the same
AVC signatures, so the facts about signature changes also apply to PRSM and CX. Note that these notes
refer to behaviors as “granular controls.”
Reading the Documentation on your Smart Phone or Tablet
The CX/PRSM documentation is available in the ePub and Mobi formats.
You can download these guides to your smart phone or tablet and read them using an ePub reader, such
as iBooks, Bluefire, NeoSoar, and so forth, or a Mobi reader such as the Kindle. There are many readers,
both free and paid, that you can download from the app stores for iOS and Android devices.
These documents are available from the following locations:
Cisco Tech Docs application—You can download this free app from the Apple App Store or the
Android store. In the app, look for the documents under “ASA Next-Gen Firewall Services.” This
app will link to the documents for the most current release.
Open in your browser—You can find the documents at Technical Documentation >
Security > ASA Next-Generation Firewall Services. This site will link to documents for the most
current release.
Open the links mentioned in Finding ASA CX and Cisco Prime Security Manager
Documentation—You can download the ePub and Mobi versions of these documents from their
home pages. You can find the documentation roadmap with the URLs at:
Open Source Licenses
These products use some open source code. You can find open source license information on the
following pages:
If you are a registered user, you can find open, resolved, and terminated caveats using the Bug
Search tool at the following web site:
To find the bugs for these products, fill in the Search Bugs form as follows:
Product—Select Cisco ASA 5500 Series Enterprise Firewall Edition, both of which include CX
and Cisco Prime Security Manager bugs. You can use CX and PRSM as keywords to help narrow
the search.
Refine search options—You can narrow your search by selecting a specific release, entering
keywords, or by adjusting the severity, status, and other custom filtering options.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a
service request, and gathering additional information, see What’s New in Cisco Product Documentation
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised
Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a
reader application. The RSS feeds are a free service.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: Third-party trademarks mentioned are the property of their respective owners. The
use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any
examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only.
Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2012-2014 Cisco Systems, Inc. All rights reserved.