Release Notes for Cisco Security Manager 4.0
OL-21744-02
What’s New
– Object group search—Available as a firewall access control setting, object group search optimizes ACL performance without expanding object groups. However, you should use this only on memory-constrained devices. You also cannot use the hit count tool if you configure object group search.
• The release of ASA version 8.3 provides a simplified approach to configuring network address
translation (NAT), as compared to earlier ASA versions and other devices. All NAT rules on the
device—static NAT, dynamic PAT, and dynamic NAT—are presented in a single table, and the same
dialog box is used to configure all NAT rules. The NAT rules are interface independent (that is,
interfaces are optional), meaning the rules are independent of security levels also.
• ASA 8.3+ includes new features for network and service objects that contain single values. You can
also use the network objects to configure NAT. Security Manager supports these features as follows:
– The network/host policy object now has four types: group, host, network, and address range. The group object is the same as the network/host object that exists in all Security Manager 3.x releases. The host, network, and address range types allow single values (of the appropriate type), and also allow NAT configuration. Although these objects are designed for use with ASA 8.3+, you can use them with all operating systems; any NAT configuration is ignored for non-ASA-8.3+ devices.
– The service policy object now has two types: group and object. The group object is the same as the service object in Security Manager 3.x releases. The service “object” allows a single service designation. As with the network/host object, you can use the new service object on any operating system; how it is provisioned to the device simply differs for ASA 8.3 devices.
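To show how the single-value network and service objects above, and the NAT attached to them, are provisioned on an ASA 8.3 device, here is a constructed ASA CLI fragment. It is an added example, not text from these release notes or from Cisco's own documentation; the object names, interface names and addresses are assumptions (addresses are taken from documentation ranges). It also shows the object group search setting from the first item in this list, which keeps the ACL unexpanded on the device at the cost of the hit count tool.

```text
! Constructed ASA 8.3 configuration fragment (added example, not from the
! release notes). Object names, interface names and addresses are assumptions.

! "host" type network object with static NAT carried on the object itself
object network inside-web-host
 host 10.1.1.5
 nat (inside,outside) static 203.0.113.5

! "network" type object; dynamic PAT to the outside interface address
object network inside-lan
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! "address range" type object; dynamic NAT to a single mapped address
object network inside-printers
 range 10.1.2.1 10.1.2.50
 nat (inside,outside) dynamic 203.0.113.100

! "group" type: the 3.x-style container; it holds objects but carries no NAT
object-group network inside-all
 network-object object inside-web-host
 network-object object inside-lan

! single-value service "object"; the group type provisions as object-group service
object service https-only
 service tcp destination eq 443

! ACL referencing the objects; object group search leaves the ACL unexpanded
! (note: with this setting the hit count tool cannot be used on this device)
object-group-search access-control
access-list outside_in extended permit object https-only any object inside-web-host
access-group outside_in in interface outside
```

The interface pair in each nat statement is optional on ASA 8.3, which is what the release notes mean by the rules being interface independent; the example names the interfaces only to make the direction of each translation explicit.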
• Support for FWSM Software versions 4.1(1), 4.0(7-11), 3.1(16, 17), 3.2(14-17).
• Support for the 1002 Fixed Router model of the Cisco ASR 1000 Series Aggregation Services
Routers.
• Support for ASR Version 2.4 software, called Cisco IOS Software version 12.2(33)XND.
• Support for shared port adapters (SPAs) in Cisco ASR 1000 Series Aggregation Services Routers.
Support includes all Ethernet (all speeds, including Ten Gigabit Ethernet), Serial, ATM, and Packet
over Sonet (POS) SPAs, but not services SPAs. If you configured ATM, PVC, or dialer related
policies on ASRs you managed with previous versions of Security Manager, you should rediscover
policies on those devices to bring these policies into Security Manager.
• The IPS Event Viewer application is no longer included in the Security Manager package. When you
upgrade to Security Manager 4.0, any installation of the IPS Event Viewer that was installed by
previous versions of Security Manager is removed. To view IPS events, use the event viewer
integrated into Security Manager 4.0.
• Activity lock messages now include the username and the activity name associated with the lock that prevents you from performing an action.
• You can now delete more than one device at a time.
• You can now rediscover policies on more than one device at a time.
• You can now detect whether devices have out of band changes (changes to the device configuration
made outside of Security Manager) before you deploy configurations. This gives you the
opportunity to update the device policies in Security Manager to recreate those changes.
Note: Out-of-band change detection is not available for IPS appliances.
• In previous releases, you could select which types of policy to manage on Cisco IOS routers. You
can now also select which policies to manage on ASA, PIX, and FWSM firewall devices.