Cisco Stealthwatch Release Notes 7.0.2
Author: Cisco Systems, Inc. - Technical Communication
Subject: v7.0.2 features, defects, fixes, and known issues
Posted on 29-Feb-2020

Table of Contents

Introduction 4
  Overview 4
  Terminology 4
  Before You Update 4
    Software Version 4
    3rd Party Applications 5
    Hardware 5
    Browsers 5
  Alternative Access 5
    Hardware 5
    Virtual Machines 6
    Additional Option 6
  Enabling SSH in Central Management 6
    Open SSH 6
    Enable SSH 7
  Enabling SSH in Appliance Admin Interface 7
  After You Update 7
What's New 8
  Response Management Syslog, Email, and CEF Updates 8
    Custom Security Events/Host Lock Violations Descriptions 8
    Translated Host IP 8
    Source Port 8
    ISE SGT Tags 8
  New Alarms 8
    UDP Director System Alarms 8
      UDP Director Degradation 8
      UDP Director Stopped 9
      UDP Director RAID Failure 9
      UDP Director RAID Rebuilding 9
    Exporter Alarms 9
  IPv6 Hostnames 9
  Installing the Stealthwatch Desktop Client 9
    Install the Desktop Client Using Windows 10
      Change the memory size 10
    Install the Desktop Client Using macOS 11
      Change the memory size 12
  Contacting support 13
What's Been Fixed 14
  Version 7.0.2 14
  Version 7.0.0 18
Known Issues 29
Release Support Information 35

Copyright © 2019 Cisco Systems, Inc. All rights reserved. - 2 -

Introduction

Overview

This document provides information on new features and improvements, bug fixes, and known issues for the Stealthwatch System v7.0.2 release. For additional information about the Stealthwatch System, go to Cisco.com. For all features included in Stealthwatch v7.0, refer to the release notes for each previous version: v7.0.0.

Terminology

This guide uses the term "appliance" for any Stealthwatch product, including virtual products such as the Stealthwatch Flow Sensor Virtual Edition (VE).

A "cluster" is your group of Stealthwatch appliances that are managed by the Stealthwatch Management Console (SMC).

Most appliances are managed by the SMC. If an appliance is not managed by the SMC, such as an Endpoint Concentrator, it is described as a "stand-alone appliance."

Before You Update

Before you begin the update process, review the update guide for your current Stealthwatch version:

- v6.10.x: Please review the Stealthwatch® Update Guide v6.10.x to v7.0.2.
- v7.0.0: Please review the Stealthwatch® Update Guide v7.0.0 to v7.0.2.

Software Version

To update the appliance software to version 7.x, the appliance must have 6.10.2, or a later version of 6.10.x, or 7.0.0 installed. It is also important to note the following:

- Patches: Make sure you install the latest patches on your appliances before you upgrade. For details, log in to the Stealthwatch Download and License Center at https://stealthwatch.flexnetoperations.com.
- Update your appliance software versions incrementally. For example, if you have Stealthwatch v6.9.x, make sure you update each appliance from v6.9.x to v6.10.x, and then update from 6.10.x to 7.0.x. Each update guide is available on Cisco.com.

- Downgrades: Version downgrades are not supported because of update changes in data structures and configurations that are required to support new features installed during the update.
- TLS: Stealthwatch requires TLS v1.1 or later.
- For increased security, we recommend updating the IDentity 1000/1100 appliance to v3.3.0.x to take advantage of the new openSSL version with TLS 1.2.

3rd Party Applications

Stealthwatch does not support installing 3rd party applications on appliances.

Hardware

To view the supported hardware platforms for each system version, refer to the Hardware and Version Support Matrix.

Browsers

- Compatible Browsers: Stealthwatch supports the latest version of Chrome, Firefox, and Edge.
- Microsoft Edge: There may be a file size limitation with Microsoft Edge. We do not recommend using Microsoft Edge to upload the software update files (SWU).
- Shortcuts: If you use browser shortcuts to access the Appliance Admin interface for any of your Stealthwatch appliances, the shortcuts may not work after the update process is complete. In this case, delete the shortcuts and recreate them.

Alternative Access

Use the following instructions to enable an alternative method to access your Stealthwatch appliances for any future service needs.

It is important to enable an alternative method to access your Stealthwatch appliances for any future service needs, using one of the following methods for your hardware or virtual machine.

Hardware

- Console (serial connection to console port): Refer to the latest Stealthwatch Hardware Installation Guide to connect to the appliance using a laptop or a keyboard and monitor. https://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.html

- iDRAC Enterprise (Dell appliances): Refer to the latest documentation for your platform at www.dell.com. iDRAC Enterprise requires a license, and iDRAC Express does not allow console access. If you do not have iDRAC Enterprise, direct console or SSH can be used.
- CIMC (UCS appliances): Refer to the latest Cisco UCS guide for your platform at https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/cli/config/guide/b_Cisco_CIMC_CLI_Configuration_Guide/Cisco_CIMC_CLI_Configuration_Guide_chapter1.html

Virtual Machines

- Console (serial connection to console port): Refer to the latest KVM or VMware documentation for your appliance installation.
  - For example, for KVM, see the Virtual Manager documentation at https://virt-manager.org/
  - For VMware, see the vCenter Server Appliance Management Interface documentation for vSphere at https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.vcsa.doc/GUID-223C2821-BD98-4C7A-936B-7DBE96291BA4.html

Additional Option

If you cannot log in to the appliance using the virtual or hardware methods, you can enable SSH on the appliance network interface temporarily.

When SSH is enabled, the system’s risk of compromise increases. It is important to enable SSH only when you need it. When you are finished using SSH, disable it.

Enabling SSH in Central Management

Open SSH

Use the following instructions to open SSH for a selected appliance.

1. Open Central Management > Appliance Manager.
2. Click the Actions menu for the appliance.
3. Select Edit Appliance Configuration.
4. Select the Appliance tab.

Enable SSH

1. Locate the SSH section.
2. Select whether to enable SSH access only or to also enable root access.
   - Enable SSH: To allow SSH access on the appliance, check the check box.
   - Enable Root SSH Access: To allow root access on the appliance, check the check box.
3. Click Apply Settings.
4. Follow the on-screen prompts.

When SSH is enabled, the system’s risk of compromise increases. It is important to enable SSH only when you need it. When you are finished using SSH, disable it.

Enabling SSH in Appliance Admin Interface

Use the following instructions to open SSH for a selected appliance through the Appliance Admin Interface.

1. Log in to the Appliance Admin interface.
2. Click Configuration > Services.
3. Check the Enable SSH check box to allow access to SSH.
4. Check the Enable Root SSH Access check box to also allow access to root.
5. Click Apply.

When SSH is enabled, the system’s risk of compromise increases. It is important to enable SSH only when you need it. When you are finished using SSH, disable it.

After You Update

After updating your appliances, please install the required patches:

- patch-smc-ROLLUP003-7.0.2-02.swu

Review the patch readme files on the Stealthwatch Download and License Center for details.


What's New

These are the new features and improvements for the Stealthwatch System v7.0.2 release:

Response Management Syslog, Email, and CEF Updates

Custom Security Events/Host Lock Violations Descriptions

The description provided when creating Custom Security Events and Host Lock Violations can now be included in response management notifications (LSQ-2966).

Translated Host IP

The source, destination, and NAT IP can now be included in response management notifications (LSQ-3620).

Source Port

The source port used for communication can now be included in response management notifications (LSQ-3602).

ISE SGT Tags

The SGT name and ID tags from ISE can now be included in response management notifications (LSQ-3671).

New Alarms

UDP Director System Alarms

Added four new UDP Director System Alarms to help with monitoring the appliance (LSQ-3386).

UDP Director Degradation

Indicates the UDP Director is experiencing degradation for one of the following reasons:

- Overloaded: triggered when the UDP Director is continuously using 90% of CPU over a 5 minute period
- Oversubscribed: triggered when the UDP Director's input rates over a 5 minute period exceed published numbers
- Remedy: Adjust inputs to the recommended numbers


- Engine error: triggered when the UDP Director experiences an internal error
- Remedy: Restart immediately
- Low Memory: triggered when the UDP Director is using 90% or more of its total memory
- Remedy: Update memory
- Packet loss: triggered when the appliance is low on resources and is unable to process all packets it is receiving
- Remedy: Update resources
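As an added example (not Cisco code, and not the appliance's own alarm logic, which the notes do not publish), the following Python encodes the Overloaded and Low Memory conditions exactly as stated above and evaluates them against constructed one-minute telemetry samples. It makes the meaning of "continuously ... over a 5 min period" explicit: a single sample below 90% inside the window, or fewer than five minutes of history, does not raise the alarm. The sample fields, the one-minute polling interval and the memory percentage calculation are assumptions for the example.

```python
"""Model the UDP Director Degradation trigger conditions over telemetry samples.

Added example, not Cisco code. It encodes the Overloaded and Low Memory
conditions as the release notes state them (90% CPU continuously over a 5
minute period; 90% or more of total memory) and evaluates them against
constructed samples. The sample fields and the one-minute polling interval
are assumptions; the appliance's own alarm implementation is not published.
"""
from dataclasses import dataclass
from typing import List

CPU_THRESHOLD_PCT = 90.0       # "continuously using 90% of CPU"
CPU_WINDOW_SECONDS = 5 * 60    # "over a 5 min period"
MEM_THRESHOLD_PCT = 90.0       # "90% or more of its total memory"


@dataclass(frozen=True)
class Sample:
    ts: int            # epoch seconds (constructed)
    cpu_pct: float
    mem_used_mb: int
    mem_total_mb: int


def is_overloaded(samples: List[Sample]) -> bool:
    """True only when every sample in the trailing 5 minute window is at or
    above the CPU threshold. A single lower sample inside the window, or
    less than 5 minutes of history, means 'continuously' is not satisfied."""
    if not samples:
        return False
    ordered = sorted(samples, key=lambda s: s.ts)
    newest = ordered[-1].ts
    window = [s for s in ordered if newest - s.ts <= CPU_WINDOW_SECONDS]
    if newest - window[0].ts < CPU_WINDOW_SECONDS:
        return False           # not enough history to judge a full period
    return all(s.cpu_pct >= CPU_THRESHOLD_PCT for s in window)


def is_low_memory(sample: Sample) -> bool:
    """True when used memory is 90% or more of the total."""
    return sample.mem_used_mb * 100.0 / sample.mem_total_mb >= MEM_THRESHOLD_PCT


def degradation_reasons(samples: List[Sample]) -> List[str]:
    """Degradation reasons that apply to the given sample history, in the
    order the release notes list them."""
    reasons: List[str] = []
    if is_overloaded(samples):
        reasons.append("Overloaded")
    if samples and is_low_memory(max(samples, key=lambda s: s.ts)):
        reasons.append("Low Memory")
    return reasons


def history(cpu_values, mem_used_mb=4096, mem_total_mb=8192) -> List[Sample]:
    """Build a constructed one-sample-per-minute history."""
    return [Sample(60 * i, cpu, mem_used_mb, mem_total_mb)
            for i, cpu in enumerate(cpu_values)]


# Constructed histories (six one-minute samples = one full 5 minute period).
SUSTAINED = history([95, 96, 97, 95, 99, 94])                     # every sample >= 90%
DIPPED = history([95, 96, 50, 95, 99, 94])                        # one dip breaks the run
SHORT = history([95, 96, 97])                                     # only 2 minutes of data
LOW_MEM = history([10] * 6, mem_used_mb=7500, mem_total_mb=8192)  # 91.6% memory used

if __name__ == "__main__":
    for name, hist in (("sustained", SUSTAINED), ("dipped", DIPPED),
                       ("short", SHORT), ("low_mem", LOW_MEM)):
        print(f"{name}: {degradation_reasons(hist) or 'no degradation'}")
```

The window check deliberately refuses to alarm on fewer than five minutes of data, so an appliance that has just restarted (or a collector that lost samples) does not produce a false Overloaded alarm on a short burst.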

UDP Director Stopped

Indicates when 1 or more UDP Director processes have stopped working.

- Remedy: Restart immediately

UDP Director RAID Failure

Indicates that a failure has been detected in the RAID configuration of the Stealthwatch UDP Director within the last hour.

UDP Director RAID Rebuilding

Indicates that a RAID drive has started the process of rebuilding after a RAID failure occurred on a Stealthwatch UDP Director.

Exporter Alarms

Added a Flow Collector Longest Export Exceeded alarm to help identify misconfigured exporters (LSQ-3372). This alarm is triggered when the flow duration from an exporter has exceeded the threshold setting. If not remedied, inaccurate flow and interface stats will be generated.

You can enable/disable this alarm on the Flow Collector Properties dialog.

IPv6 Hostnames

On the Stealthwatch Web App, hostnames are now shown for IPv6 addresses (LSQ-3934).

Installing the Stealthwatch Desktop Client

As of Stealthwatch v7.0, Oracle Java will no longer be used to install and open Stealthwatch Desktop Client.

Use the following instructions to install the Stealthwatch Desktop Client using Windows or macOS. Note the following:


- You can locally install different versions of Stealthwatch Desktop Client.
- If you want to access multiple versions of Stealthwatch Desktop Client, you will need a different executable file for each SMC.
- If you are using both a primary and a secondary SMC, you will need to log off one SMC before you can log in to the other SMC.
- You can have different versions of Stealthwatch Desktop Client open simultaneously.
- When you update to a later version of Stealthwatch, you will need to install the new version of Stealthwatch Desktop Client.
- If you have Stealthwatch Desktop Client and update to 7.0.x or later, you can no longer use Oracle Java with Stealthwatch Desktop Client.

Install the Desktop Client Using Windows

- You must have sufficient rights to install Stealthwatch Desktop Client.
- Stealthwatch Desktop Client requires a 64-bit operating system. It cannot run on a 32-bit operating system or Linux.

1. Click Desktop Client in the upper right corner of any page in the Stealthwatch Web App.
2. Click the .exe file to begin the installation process.
3. Follow the steps in the wizard to install the Stealthwatch Desktop Client.
4. On your desktop, click the Stealthwatch Desktop Client icon.
5. Enter the SMC user name and password.
6. Enter the SMC server name or IP address (IPv4 or IPv6).
7. Follow the on-screen prompts to open the Desktop Client and trust the appliance identity certificate.

Change the memory size

You can change how much Random Access Memory (RAM) to allocate on your client computer to run the Stealthwatch Desktop Client interface. Consider a larger memory allocation if you work with many open documents or large data sets (such as flow queries with over 100k records).

1. In Windows Explorer, go to your home directory.
2. Open these folders: AppData > Roaming > Stealthwatch.
   You may need to search "Stealthwatch" if the folder is hidden.
3. In the Stealthwatch directory, open the folder that contains the desired Stealthwatch version.
4. Open the application.vmoptions file using an appropriate editing application to begin editing. (This file is created after you open the Stealthwatch Desktop Client for the first time.)

   Minimum Memory Size (Xms): We recommend that you allocate no less than 512 MB. This number is listed in the third line of the file.

   For editors that display the content in one continuous line, refer to the number highlighted in the image below to see which number represents the minimum memory size.

   Maximum Memory (Xmx): You can allocate up to half the size of your computer's RAM for the maximum memory size. This number is listed in the fourth line of the file.

   For editors that display the content in one continuous line, refer to the number highlighted in the image below to see which number represents the maximum memory size.

   Use whole numbers. For example, enter Xmx512m, not Xmx0.5m.

- If you notice that the Stealthwatch Desktop Client appears to "hang" frequently, try increasing the memory size.
- If you receive an error message involving Java, try selecting a lower memory allocation.

Install the Desktop Client Using macOS

- You must have sufficient rights to install Stealthwatch Desktop Client.
- Stealthwatch Desktop Client requires a 64-bit operating system. It cannot run on a 32-bit operating system or Linux.


1. Click Desktop Client in the upper right corner of any page in the Stealthwatch Web App.
2. Click the .dmg file to begin the installation process.
   An icon and folder are displayed on your monitor, as shown below.
3. Drag the Stealthwatch Desktop Client icon into the Application folder.
   The icon is added to the Launchpad.
4. On your desktop, click the Stealthwatch Desktop Client icon.
5. Enter the SMC user name and password.
6. Enter the SMC server name or IP address (IPv4 or IPv6).
7. Follow the on-screen prompts to open the Desktop Client and trust the appliance identity certificate.

Change the memory size

You can change how much Random Access Memory (RAM) to allocate on your client computer to run the Stealthwatch Desktop Client interface. Consider a larger memory allocation if you work with many open documents or large data sets (such as flow queries with over 100k records).

1. In Finder, go to your home directory.
2. Open the Stealthwatch folder.
3. In the Stealthwatch directory, open the folder that contains the desired Stealthwatch version.
4. Open the application.vmoptions file using an appropriate editing application to begin editing. (This file is created after you open the Stealthwatch Desktop Client for the first time.)

   Minimum Memory Size (Xms): We recommend that you allocate no less than 512 MB. This number is listed in the third line of the file.

   For editors that display the content in one continuous line, refer to the number highlighted in the image below to see which number represents the minimum memory size.

   Maximum Memory Size (Xmx): You can allocate up to half the size of your computer's RAM for the maximum memory size. This number is listed in the fourth line of the file.

   For editors that display the content in one continuous line, refer to the number highlighted in the image below to see which number represents the maximum memory size.

   Use whole numbers. For example, enter Xmx512m, not Xmx0.5m.
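As an added example (not Cisco code), the following Python checks an application.vmoptions file against the three rules given in the Windows and macOS "Change the memory size" sections (Xms no less than 512 MB, Xmx no more than half of the computer's RAM, whole numbers only) and rewrites the two heap lines. It assumes the standard .vmoptions layout of one JVM option per line with a leading dash (so -Xms512m rather than Xms512m); the sample file contents are constructed, and the path you would pass to fix_file is the file located in the steps above.

```python
"""Validate and rewrite the -Xms/-Xmx lines in a Desktop Client
application.vmoptions file.

Added example, not Cisco code. The rules come from the release notes
(Xms >= 512 MB, Xmx <= half of RAM, whole numbers only); the one-option-per-
line layout with a leading dash and the sample contents are assumptions.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

MIN_XMS_MB = 512                               # "no less than 512 MB"
UNIT_MB = {"k": 1 / 1024, "m": 1.0, "g": 1024.0}
# Accept fractional numbers so that a bad value such as -Xmx0.5m is reported
# rather than silently skipped.
HEAP_RE = re.compile(r"^-X(ms|mx)(\d+(?:\.\d+)?)([kKmMgG])$")


def parse_heap_option(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (kind, number, unit) for a -Xms/-Xmx line, or None for any other line."""
    m = HEAP_RE.match(line.strip())
    return (m.group(1), m.group(2), m.group(3).lower()) if m else None


def to_mb(number: str, unit: str) -> float:
    return float(number) * UNIT_MB[unit]


def validate(lines: List[str], ram_mb: int) -> List[str]:
    """Return the rule violations found in the file lines (empty list = OK)."""
    problems: List[str] = []
    seen: Dict[str, Tuple[str, str]] = {}
    for n, line in enumerate(lines, 1):
        parsed = parse_heap_option(line)
        if parsed is None:
            continue
        kind, number, unit = parsed
        seen[kind] = (number, unit)
        if not number.isdigit():
            problems.append(f"line {n}: -X{kind}{number}{unit} is not a whole number")
            continue
        mb = to_mb(number, unit)
        if kind == "ms" and mb < MIN_XMS_MB:
            problems.append(f"line {n}: Xms {mb:.0f} MB is below the {MIN_XMS_MB} MB minimum")
        if kind == "mx" and mb > ram_mb / 2:
            problems.append(f"line {n}: Xmx {mb:.0f} MB exceeds half of RAM ({ram_mb // 2} MB)")
    for kind in ("ms", "mx"):
        if kind not in seen:
            problems.append(f"no -X{kind} option found")
    # The JVM refuses to start when the initial heap is larger than the maximum.
    if all(k in seen and seen[k][0].isdigit() for k in ("ms", "mx")):
        if to_mb(*seen["ms"]) > to_mb(*seen["mx"]):
            problems.append("Xms is larger than Xmx; the JVM will refuse to start")
    return problems


def set_heap(lines: List[str], xms_mb: int, xmx_mb: int) -> List[str]:
    """Return a copy of the lines with the heap options rewritten as whole megabytes."""
    out: List[str] = []
    for line in lines:
        parsed = parse_heap_option(line)
        if parsed and parsed[0] == "ms":
            out.append(f"-Xms{xms_mb}m")
        elif parsed and parsed[0] == "mx":
            out.append(f"-Xmx{xmx_mb}m")
        else:
            out.append(line)
    return out


def fix_file(path: Path, xms_mb: int, xmx_mb: int, ram_mb: int) -> List[str]:
    """Rewrite the heap lines in a real file and return any remaining problems."""
    lines = path.read_text(encoding="utf-8").splitlines()
    fixed = set_heap(lines, xms_mb, xmx_mb)
    path.write_text("\n".join(fixed) + "\n", encoding="utf-8")
    return validate(fixed, ram_mb)


# Constructed sample contents, not a real Stealthwatch file: the third line is
# the minimum memory size and the fourth the maximum, as the notes describe.
SAMPLE = [
    "-client",
    "-Dfile.encoding=UTF-8",
    "-Xms256m",   # below the 512 MB minimum
    "-Xmx0.5m",   # fractional value the notes warn against
]

if __name__ == "__main__":
    for p in validate(SAMPLE, ram_mb=16384):
        print("problem:", p)
    print("\n".join(set_heap(SAMPLE, 512, 4096)))
```

Run validate before and after editing: on the constructed sample it reports the Xms value below the minimum and the fractional Xmx, and after set_heap(SAMPLE, 512, 4096) it reports nothing. The Xms-greater-than-Xmx check is not one of the notes' rules but catches the one combination of otherwise valid whole numbers that still prevents the Desktop Client's JVM from starting.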

Contacting support

If you need technical support, please do one of the following:

- Contact your local Cisco Partner
- Contact Cisco Stealthwatch Support
  - To open a case by web: http://www.cisco.com/c/en/us/support/index.html
  - To open a case by email: [email protected]
  - For phone support: 1-800-553-2447 (U.S.)
  - For worldwide support numbers: www.cisco.com/en/US/partner/support/tsd_cisco_worldwide_contacts.html


What's Been Fixed

This section summarizes fixes made in this release for issues (bugs/defects) reported by customers in previous releases. The Stealthwatch Defect (SWD or LSQ) number is provided for reference.

Version 7.0.2

Defect       Description
LVA-625      Updated files and directory permissions to be more restrictive. (LSQ-3719)
LVA-634      Removed storage of authentication credentials in smc.log files. (LSQ-3735)
SWD-11673    Corrected several object types from String to Integer in SNMP MIB and added handling of the variables in newly installed systems. (LSQ-3694)
SWD-11839    Fixed the Inbound/Outbound direction filter for Top Host Report. (LSQ-3677)
SWD-11961    Added an Advanced Setting to only allow the first NBAR application ID to be set into the flow to prevent multiple fake application alarms. To disable, set allow_nbar_app_id_migration to 1 on your Flow Collectors. (LSQ-3789)
SWD-11991    Fixed an issue where previously created Response Management Rules could not be edited. (LSQ-3847)
SWD-12014    Fixed an issue that caused the following message: SMC Fail-over Session resync failed: 504 Gateway Time-out on sendSnapshot. (LSQ-3853/4218)
SWD-12044    Enhanced the engine to make use of the port definitions in application_definitions.xml, which includes Custom Applications. If you have Custom Applications defined using port definitions, the engine now utilizes those definitions in determining the client/server relationship in flows. (LSQ-3824)


SWD-12074    Fixed an issue where users were unable to edit forwarding rules on a UDP Director. (LSQ-4184)
SWD-12078    Corrected an issue that showed flow duration for more than 34 days when "start_time" was unchanged in flow records. (LSQ-3734)
SWD-12150    Removed scaled value of 1000 for flow related alarm. (LSQ-3948)
SWD-12234    Timeout values in nginx have been increased in order to handle long-duration queries.
SWD-12291    Added extra pointer validation checks around the area where it was seen crashing and added a feature to save a copy of the SLIC feed file being processed when the engine crashes during the SLIC feed update. The file will be included in a diagnostic pack and can then be analyzed by Cisco to determine if it is the data in the SLIC feed itself causing the crash.
SWD-12303    Changed the baselining code to re-baseline all hosts every time the engine is restarted. (LSQ-3955)
SWD-12337    Fixed an issue where Active Directory configuration would not accept more than one Domain Controller. (LSQ-4122/4161/4175)
SWD-12341    Fixed an error that caused all archived folders before "today" to be deleted after a Flow Collector engine restart. (LSQ-3864)
SWD-12412    Fix provided in FC to launch the home page after "Refreshing Data" on IE browser. (LSQ-4013)
SWD-12419    Fixed a problem where the traffic for each host was not being archived properly into the traffic trends files. (LSQ-3988)
SWD-12421    Fix provided to restrict the below files and directories from any web users in the 6.10.x version. From 7.0, the only users that have access to these files are "Master Admin." All others are denied. (LSQ-4018)

SWD-12460    Truncated and rounded off the decimal part of bytes with pre-defined filter available. (LSQ-3868)
SWD-12481    Geodata library was updated to support IPv6. (LSQ-3861)
SWD-12491    Flow Collector engine should set "hasMore" to true as long as the "total" combined records from both memory and DB exceed the requested number set in limit, to show the "more records available" message in the security events transaction report. (LSQ-3995)
SWD-12497    Provided a fix for a failure scenario when there are two or more host groups with an unknown host group combination. (LSQ-4056)
SWD-12504    Corrected an issue where stopping packet capture failed and showed "error processing request". (LSQ-4032)
SWD-12575    The upgrade process was fixed to address the issue that caused Juniper Flow to go to "0% decode" after a 6.8.3 to 6.10.4 upgrade. (LSQ-4084)
SWD-12607    Fixed an issue where Host Group mapping for countries was not displayed in Flow Searches. (LSQ-4068)
SWD-12648    Corrected an issue causing data to be written to the DB (daily) with invalid time stamps. (LSQ-4057)
SWD-12661    An issue was corrected where Undefined TCP records were appearing in a search of ICMP flow. (LSQ-4089)
SWD-12670    MAC violation alarms are now properly generated. (LSQ-4062)
SWD-12679    The SNMP trap now uses the correct MIB for "FlowCollector Database Channel Down". (LSQ-4051)
SWD-12682    Added validation to not check duplicate names when trying to edit archive hours. (LSQ-4105)

SWD-12689    Truncated and rounded off the decimal part of bytes with pre-defined filter available. (LSQ-3868)
SWD-12710    Fixed an issue with Flow Sensor 4k timeout handling. (LSQ-4107)
SWD-12724    Fixed an error where the Flow Collector engine writes malformed "username" field values in security_event, which causes Vertica parsing errors. (LSQ-4117)
SWD-12822    Fixed RAID management errors that occurred after upgrade. (LSQ-3946)
SWD-12825    Fixed an error in the Top Reports where "Total+Client" or "Total+Server" generates a syntax error at or near "select" at character 20XX. (LSQ-4133)
SWD-12844    Corrected an issue where users were unable to print from the Java desktop. (LSQ-4149)
SWD-12883    Updated OpenDNS to Umbrella in the External Lookup configuration. (LSQ-4147)
SWD-12989    Fixed an issue where downloading a larger SMC configuration backup file failed. (LSQ-4132)
SWD-12996    Added new docker services to filter and display in the Endpoint Concentrator Admin UI. (LSQ-4165)
SWD-12997    Fixed an issue where Active Directory user data was not being fetched properly. (LSQ-4196)
SWD-13000    Fixed an error where the Stealthwatch Desktop Client wasn't communicating with the Flow Collector and secondary SMC for licensing. (LSQ-4129)


SWD-13021    The SMC Rollup005 patch is now properly removed after being installed on Secondary SMC2210 (M5 Hardware). (LSQ-4204)
SWD-13025    Fixed an issue with the pre-swu when upgrading from 6.10.2. (LSQ-4083)
SWD-13058    Corrected an issue in the previous rollup (003) that caused Host Group Management in the Web UI to be unusable. (LSQ-4193)
SWD-13112    Fixed an issue where the "CallOSAxsD UpdateSystem <filename>" call returns False when the file does not exist. (LSQ-4247)
SWD-13126    Fixed an issue where the Flow Sensor network card stops working after upgrade. (LSQ-4249)
SWD-13169    Fixed an issue with proxy authentication after upgrading from 6.10.3. (LSQ-4220)
SWD-13311    Fixed an issue where you were unable to Export All configuration for a domain. (LSQ-4422)

Version 7.0.0

Defect       LSQ          Description
SWD-7700     LSQ-2727     The Flow Collection Trend chart had gaps due to TextCopyHandler failing to read files at the /lancope/var/smc/tmp folder. Resolved an issue where scheduled reports would terminate existing SMC data loading processes under certain conditions.
SWD-8115     LSQ-2836     Multiple instances of the process "acpi_pad" were causing the system to become non-responsive. We blacklisted the "acpi_pad" process to fix this issue.

SWD-8142     LSQ-2838     The Database backup was generating errors at the final stage of the process. Improvements have been added to repeat the Vertica backup process in case of resync errors.
SWD-8773     LSQ-3012     Upgraded mongodb from v2.6.8 to v3.10.15 to take advantage of performance improvements.
SWD-9128     LSQ-3123     Temporary files for flow stats were deleted when disk space was less than 75%. This code was removed in order to let the code that checks disk usage handle any necessary file removals.
SWD-9138     LSQ-3124     "String index out of range" error in Offline Activation dialog. Improved exception handling to address the error and added an additional condition to verify the presence of a dash symbol.
SWD-9258     LSQ-3141     The Flow Collector Engine failed to connect to a router mitigation device when using SSH. Updated the engine code responsible for building and maintaining SSH mitigation sessions.


SWD-9444     LSQ-3196     The Flow Collector engine had a SIGSEGV error at pool_exit in process_message. A memory leak was found and fixed related to the deletion of exporters, and extra protection was put into place in the handling of the Service Bandwidth data structures.
SWD-9445     LSQ-3176     Updated the Flow Sensor 1010 spec sheet.
SWD-9446     LSQ-3086     A quotation mark in the application detail column caused an error when exporting a flow table to a CSV file. The application detail fields were updated to handle quotation marks.
SWD-9490     LSQ-3223     The export button was cut off on the Flow Search page. Updated the UI to handle resizing the browser window.
SWD-9502     LSQ-3224     The "more details" link on the UDP Director admin page disappeared once the page loaded. Fixed the hyperlink to be consistent during and after page load.
SWD-9503     LSQ-3228     The SMC 1000 was running out of memory, which caused Vertica to crash. Fixed the memory leak.
SWD-9515     LSQ-3235     The Flow Collector 5020 failed to load the 10G driver. Modified the grub configuration files to allow the Intel 10G network card to work with the Jessie kernel.

SWD-9520     LSQ-3346     Log rotation for vertica.log was not working. Added a daily cron job to clean up any backup vertica logs in the target directory that haven't changed in 30 days.
SWD-9524     LSQ-3207     The UDP Director device information column was not populating when the Management Channel Down alarm triggered. Added the device type to the system_alarm table.
SWD-9559     LSQ-3208     The Flow Collector engine had a SIGSEGV error at search_threat_host. Reworked threat feed code to minimize the locking time of the processing threads.
SWD-9564     LSQ-3237     The Proxy Log Configuration Guide had a graphic error in the Configure the Upload Client section. The port number was corrected in the graphic.
SWD-9568     LSQ-3228     Vertica hung at "SafetyShutdown". Added code to monitor vertica and restart it if the process is up but the DB is not responsive.
SWD-9577     LSQ-3209     The hostname field was missing from the HostAlarm structure in the MIB. Added the missing field.

SWD-9607     LSQ-3266     Added the "Peer Host Groups" option to the Manage Columns menu for the Top Conversations table.
SWD-9692     LSQ-3277     Fixed the Traffic by Peer Host Group display that was using the wrong timestamp for some archive hour settings.
SWD-9702     LSQ-3175     Modified the Flow Collector engine to handle ICMP type and code sent in the NetFlow source port field instead of destination port.
SWD-9732     LSQ-3228     No indication when the SMC server failed to load because of an invalid smc_failover.xml file. Added the appropriate log to the SMC log file.
SWD-9873     LSQ-3330     The alarm count was mismatched between the Alarming Hosts component on the Security Insight Dashboard and the alarms on the host list view. Updated the help text pop-up to explain that the number in the Alarming Host component displays the number of hosts receiving alarms since the last reset hour. Clicking on the alarm number will navigate to a host list view with an alarm category filter applied. These two numbers can be different.

Copyright © 2019 Cisco Systems, Inc. All rights reserved. - 22 -

What's Been Fixed

Page 23: Stealthwatch Release Notes v7.0...Stealthwatch Release Notes v7.0.2 Author: Cisco Systems, Inc. - Technical Communication Subject: v7.0.2 features, defects, fixes, and known issues

Defect Description LSQ

SWD-9913Updated the Cognitive Analytics integ-ration to work with trial licenses.

LSQ-3675

SWD-9934

Queries for security events failed with aVertica error.

Updated the code to finish installing Ver-tica default packages.

LSQ-3578

SWD-9983

The database storage "Worst Case"value for "capacity in days" and "remain-ing days" was incorrect.

Fixed the code so that the values are nolonger negative.

LSQ-3367

SWD-9996

The “Not Matched” field in the out-put.log did not increment when thesource/destination IP address mis-matched the forwarding rules con-figuration on the UDP Director.

A fix has been provided to increase the“Not Matched” count.

LSQ-3370

SWD-10008

The "Interface Service Traffic" graphwas missing data.

Adjusted the query for the graph to fix aVertica database issue.

LSQ-3335

SWD-10101

The SMC did not have enough memoryallocated for Tomcat.

Separated the JVM settings so that Tom-cat memory allocation varies dependingon the appliance.

LSQ-3305

LSQ-3453

SWD-10119Host_group_application_traffic had anoverflow for BPS values.

LSQ-3397

LSQ-3433

Copyright © 2019 Cisco Systems, Inc. All rights reserved. - 23 -

What's Been Fixed

Page 24: Stealthwatch Release Notes v7.0...Stealthwatch Release Notes v7.0.2 Author: Cisco Systems, Inc. - Technical Communication Subject: v7.0.2 features, defects, fixes, and known issues

Defect Description LSQ

Fixed the case where the SMC wasinserting too many or too few primarydata points, which caused the originalconsolidation value to record wrong val-ues in Vertica.

SWD-10129

Associated flows information was incor-rect.

Updated SETI and the SMC Web Appinterface online help to have the correctassociated flows information.

LSQ-3415

SWD-10147 Updated packet query logging. LSQ-3418

SWD-10202

Flow information was not showing upwhen using a Cisco 3504 Wireless LANController.

Previously, the engine automaticallyassigned Interface #1 to flows missingInput and Output SNMP Interface IDs.Because of potential conflicts with anactual Interface #1, we decided to useINT_MAX for this assignment.

LSQ-3432

SWD-10239

DBNodeRetentionManager was not wait-ing long enough between partitiondrops which caused all partitions to bedropped.

A back-off algorithm was implementedin the retention code to allow enoughtime for the disk space to be freedbetween partition drops.

LSQ-3444

SWD-10284The Flow Collector 5000 engine hadSIGSEGV error at various functions.

LSQ-3454

Copyright © 2019 Cisco Systems, Inc. All rights reserved. - 24 -

What's Been Fixed

Page 25: Stealthwatch Release Notes v7.0...Stealthwatch Release Notes v7.0.2 Author: Cisco Systems, Inc. - Technical Communication Subject: v7.0.2 features, defects, fixes, and known issues

Defect Description LSQ

Added more data input validation onInformation Elements so the engineemits decode errors instead of crashing.

SWD-10329Updated Security Group Tags (SGT)information in the SMC Web App infer-face online help.

LSQ-3461

SWD-10348

UDP Director failed to update ARPstatus for a host.

Added a ping from the UDP Director tocheck disabled hosts in order to updatethe ARP status.

LSQ-3407

SWD-10387Increased the default buffer length forthe UDP Director to reduce "LastDropped" counts.

LSQ-3463

SWD-10391

Added a script to set the ethX rx buffersto the maximum allowed value (typically4096) on physical UDP Directors toimprove performance.

LSQ-3463

SWD-10423

The Admin Interface UI hangs after click-ing "Test" on the Remote File Systempage.

Added better error handling for theAdmin UI.

LSQ-3483

SWD-10436

The Flow Collector diagnostic packstored too many log files.

Updated the diagnostic pack to only con-tain the vertica.log.

NA

SWD-10444

SWD-10519Updated the database queries to useAVG function to avoid the sum overflow LSQ-3487

Copyright © 2019 Cisco Systems, Inc. All rights reserved. - 25 -

What's Been Fixed

Page 26: Stealthwatch Release Notes v7.0...Stealthwatch Release Notes v7.0.2 Author: Cisco Systems, Inc. - Technical Communication Subject: v7.0.2 features, defects, fixes, and known issues

Defect Description LSQ

problems.

SWD-10561

The engine had a SIGSEGV error inupdate_app_definitions.

Ensured that all resource memory pooldeletions are followed by setting thevariable using the memory to NULL.

LSQ-3529

SWD-10570

The Flow Collector engine had an over-flow when calculating BPS values.

Bytes and packets value handling wasmodified to perform data validation andensure the average packet size is 65535bytes or less.

LSQ-3424

LSQ-3433

LSQ-3397

SWD-10593

The unlicensed feature message wasbeing displayed for the Flow Sensor.

Changed the default setting for the mes-sage to show the appropriate status.

LSQ-3486

SWD-10647

Top Peers flipping the client/serverwhen selecting "Flows".

Modified the code to snow swap hostswhen creating a flow filter from TopPeers.

LSQ-3554

SWD-10658Removed "Inbound" from the legend fortwo charts on the Interface Traffic Dash-board.

LSQ-3335

SWD-10779

User authentication failed due to loginfile descriptors not being closed.

Updated the code to close the filedescriptors after a user logs out.

LSQ-3579

Copyright © 2019 Cisco Systems, Inc. All rights reserved. - 26 -

What's Been Fixed

Page 27: Stealthwatch Release Notes v7.0...Stealthwatch Release Notes v7.0.2 Author: Cisco Systems, Inc. - Technical Communication Subject: v7.0.2 features, defects, fixes, and known issues

Defect Description LSQ

SWD-10893

The engined crashed with the error"Thread interrupted" while processingflows.

Updated the engine to handle situationswhere the flow classification threadsget backed up temporarily.

LSQ-3600

SWD-11065Improvements were made in the cal-culations of data byte counts in the per-minute flow statistics.

LSQ-3582

SWD-11123

DBNodeRetentionManager was not drop-ping the large partitions causing newflow data to not be inserted.

Modified retention code to drop anyinvalid partitions (those with datesbefore 1980) at each retention check.Any drops of these partitions will belogged with a warning "Dropped invalidpartition for <table name>". The codealso drops up to 5 partitions each reten-tion period when over the disk usagethreshold. Disk space is checked aftereach drop and when usage drops backbelow threshold, no more partitions aredropped for that period.

LSQ-3623

SWD-11124

Vertica was inserting data when thedatabase disk space was full, causingthe system to crash.

Modified the Flow Collector 5000engine code to query Vertica for diskusage over the database channel. Thisallows the engine to stop databaseinserts when disk usage reaches the crit-ical level on the database node even if

LSQ-3623

Copyright © 2019 Cisco Systems, Inc. All rights reserved. - 27 -

What's Been Fixed

Page 28: Stealthwatch Release Notes v7.0...Stealthwatch Release Notes v7.0.2 Author: Cisco Systems, Inc. - Technical Communication Subject: v7.0.2 features, defects, fixes, and known issues

Defect Description LSQ

the communication channel is down.

SWD-11197

The Flow Collector 5200 engine wasrunning out of memory.

The fix is to limit the number of pro-cessing threads based on the availablememory. The calculated process_instance_count will be limited to 13 ona Flow Collector 5200 series appliance.This value can still be manually set inlc_thresholds.txt.

LSQ-3600

SWD-11198

Multiple errors causing the Flow Col-lector engine to crash.

Fixed an out of bounds array referencethat could corrupt memory and lead to acrash.

LSQ-3600

SWD-11243

Exporter flows could not be processedby the engine due to changes in thetemplate.

Removed support the old Flow SensorInitiator field "Information Element 68".

LSQ-3647

SWD-11480

Removed the code to swap SecurityGroup Tag IDs when client and serverwere swapped in the engine (LSQ-3650).

LSQ-3650

SWD-11650

SWD-11722

The Flow Sensor was missing flow-sensor.xml after install.

Updated the start_fs process so that itwill write out a default flowsensor.xmlwhen the service is started.

LSQ-3725

LSQ-3729

Copyright © 2019 Cisco Systems, Inc. All rights reserved. - 28 -

What's Been Fixed

Page 29: Stealthwatch Release Notes v7.0...Stealthwatch Release Notes v7.0.2 Author: Cisco Systems, Inc. - Technical Communication Subject: v7.0.2 features, defects, fixes, and known issues
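The retention behaviour described for SWD-11123 (invalid partitions always dropped, at most five further drops per period, disk usage re-checked after each drop) and the back-off from SWD-10239 (give the database time to free space before measuring again), written out as an added simulation. This is not Cisco's DBNodeRetentionManager code; the in-memory disk model, the oldest-first drop order and the numbers in the scenario are assumptions made for the illustration.

```python
"""Simulation of the partition-retention rules in the SWD-11123 / SWD-10239 notes.

Added example, not Cisco code.  Rules taken from the release note: partitions
dated before 1980 are invalid and always dropped (logged as "Dropped invalid
partition for <table name>"); while disk usage is over threshold at most five
partitions are dropped per retention period, re-checking usage after each
drop; a back-off lets the database reclaim space between drops.  The disk
model, oldest-first order and scenario sizes are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
import logging

log = logging.getLogger("retention")

MAX_DROPS_PER_PERIOD = 5           # from the release note
INVALID_BEFORE = date(1980, 1, 1)  # from the release note


@dataclass
class Partition:
    table: str
    day: date
    size_gb: float


@dataclass
class DiskModel:
    """Disk whose freed space becomes visible only after the database settles."""
    capacity_gb: float
    partitions: list = field(default_factory=list)
    unreclaimed_gb: float = 0.0

    def usage_pct(self) -> float:
        live = sum(p.size_gb for p in self.partitions)
        return 100.0 * (live + self.unreclaimed_gb) / self.capacity_gb

    def drop(self, part: Partition) -> None:
        self.partitions.remove(part)
        self.unreclaimed_gb += part.size_gb  # not yet visible to a disk-usage check

    def settle(self) -> None:
        self.unreclaimed_gb = 0.0


def retention_check(disk: DiskModel, threshold_pct: float, wait_for_free=None) -> list:
    """Run one retention period; return the dropped partitions in drop order."""
    dropped = []
    # Step 1: invalid partitions are dropped unconditionally and logged.
    for part in [p for p in disk.partitions if p.day < INVALID_BEFORE]:
        disk.drop(part)
        log.warning("Dropped invalid partition for %s", part.table)
        dropped.append(part)
    if wait_for_free:
        wait_for_free(disk)
    # Step 2: while over threshold, drop up to five partitions, re-checking after each.
    drops = 0
    while drops < MAX_DROPS_PER_PERIOD and disk.usage_pct() > threshold_pct:
        if not disk.partitions:
            break
        oldest = min(disk.partitions, key=lambda p: p.day)  # assumed drop order
        disk.drop(oldest)
        dropped.append(oldest)
        drops += 1
        if wait_for_free:          # the SWD-10239 back-off between drops
            wait_for_free(disk)
    return dropped


def sample_disk() -> DiskModel:
    """Constructed scenario: 100 GB disk at 95% with one invalid (1970) partition."""
    parts = [Partition("flow_stats", date(1970, 1, 1), 5.0)]
    parts += [Partition("flow_stats", date(2019, 1, d), 10.0) for d in range(1, 10)]
    return DiskModel(capacity_gb=100.0, partitions=parts)


def run_period(with_backoff: bool, threshold_pct: float = 80.0):
    """Return (number of partitions dropped, usage % once the database has settled)."""
    disk = sample_disk()
    wait = DiskModel.settle if with_backoff else None
    dropped = retention_check(disk, threshold_pct, wait)
    disk.settle()
    return len(dropped), disk.usage_pct()


if __name__ == "__main__":
    print("with back-off:   ", run_period(True))    # drops only what is needed
    print("without back-off:", run_period(False))   # stale readings hit the 5-drop cap
```

With the back-off the check sees the reclaimed space and stops after one valid partition (usage lands exactly on the threshold); without it every reading is stale, so the loop keeps dropping until the per-period cap of five stops it, which is the over-dropping that SWD-10239 describes and the cap from SWD-11123 bounds.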

Known Issues

This section summarizes issues (bugs) that are known to exist in this release. Where possible, workarounds are included. The defect number is provided for reference.

| Defect Number | Description | Workaround |
|---|---|---|
| SWD-7627 | If you reboot your Flow Collector, it deletes all alarm history; however, if you replace your Flow Collector, the new Flow Collector retains the alarm history from the old Flow Collector instead of deleting it. Since the alarming host widgets (which display the number of hosts receiving alarms since the last reset hour for a specific category) on the Security Insight Dashboard and Host Group page then do not update until the next reset hour, you may see a discrepancy between these values and the alarm values in the Hosts table on the Host List View. | None currently available. |
| SWD-7655 | The generation of a diagnostics pack may fail in large systems as a result of timing out. | To overcome this, open the SSH console for the appliance and run this command: doDiagPack. This will allow the generation of the diagnostic pack without timing out. The diagnostic pack can be downloaded using Browse File in the /admin/diagnostics folder, and it can be copied off the box using SCP. |
| SWD-8197 | The Flow Sensor was not detecting enough applications. | To provide more accurate application classification, we updated the third-party library for Application Identification. Due to this update, some traffic will no longer be classified as it was in prior versions and support has been removed for a variety of applications. Updates to the applications supported are dependent on future releases from the third-party library. |
| SWD-8673 | SystemConfig special character fonts look bad when using the SecureCRT client in ANSI mode. | To overcome this, disable ANSI Color when connecting or use a different client to view the SystemConfig script. |
| SWD-9052 | Offline license activation failing or "Storage Binding Break" error. | This error may occur if you moved a virtual machine, uploaded a license more than once, or if the license is corrupted. Please contact the Stealthwatch Customer Community for assistance. |
| SWD-9563 | When you log in to the Stealthwatch Web App using Internet Explorer v11 and at any point you refresh the Home page, the Desktop Client drop-down arrow and the three navigation icons to the left of this list (top right corner of page) disappear. These three icons are Search (magnifying glass icon), Help (person icon), and Global Settings (gear icon). Additionally, the fonts look different from how they appear when displayed using other browsers. | Close the browser and log in again. |
| SWD-11822 (LVA-664) | Stealthwatch has made a modification to interface API encoding that takes effect beginning with v7.0. When configuring a query parameter for the related endpoints, you can no longer use un-escaped characters within the URI. | In order for your integration with this API to function correctly, you must do the following. For all endpoints related to /tenants/{tenantId}/devices/{deviceId}/exporters/{exporterIp}/interfaces/{interfaceId}, filters such as start or end time need to be formatted as filter%5bstartTime%5d, not filter[startTime]. |
| SWD-11929 | The SMC desktop client does not launch over IPv6 on Mac. | None currently available. |
| SWD-12141 | When installing the pre-SWU patch using the SMC System Management page, the Update Status may continue to show "Waiting to install." | The message might not clear, but it does not block the update. Check the log to confirm the pre-SWU patch was installed successfully. Make sure you follow the Finalize procedure in the Stealthwatch Update Guide. |
| SWD-13089 | Changing the appliance IP address, host name, or network domain name may fail. | Before you change an appliance IP address, host name, or network domain name using the Appliance Setup Tool or System Config, review the instructions in Stealthwatch Online Help. You will remove the appliance from Central Management as part of the procedure. Also, confirm the following: (1) Before you remove the appliance from Central Management, make sure the Appliance Status is shown as Up. (2) Check the other appliance trust stores in your cluster. If the appliance identity certificate (of the appliance you are changing) is saved to other appliance trust stores, delete it. (3) After you change the appliance IP address, host name, or network domain name, use the Appliance Setup Tool to add the appliance to Central Management. |
| SWD-13181 | The Flow Collector database and engine private network IP addresses cannot be changed. Changing these IP addresses will break communications. | The Flow Collector database and engine use private network IP addresses to communicate. The private network IP addresses are as follows: Engine: 169.254.42.100; Database: 169.254.42.101. If you've changed these IP addresses, change them back to the defaults or contact Cisco Stealthwatch Support before you start the update. |
| SWD-13531 | The following Central Management help pages include incorrect information: Backup Configuration, SSL/TLS Appliance Identity and Additional SSL/TLS Client Identities (SSL/TLS Identities), and Trust Store. | Fixed in patch-smc-ROLLUP002-7.0.2-02.swu. |
| CHOPIN-25314 | If a Stealthwatch user has their privileges lifted or demoted (ex. Read Only to Read/Write or vice versa), it will take up to 30 minutes to propagate the change to the Cognitive Analytics system. | None currently available. |
| NA | On the Flow Sensor VE, "Export Application Identification" is off by default. | To enable application identification, this advanced setting will need to be manually selected. |
| NA | Due to changes in the cipher suite properties from TLS v1.2 to TLS v1.3, the Key Exchange and Authentication Algorithm properties will display as N/A in the Flow Search. | Improved audit capabilities for TLS v1.3 will be added in a future release. |
| NA | If a user logs in to multiple Stealthwatch systems, they can't log in to the second system within Cognitive Analytics. | To overcome this: (1) Wait 30 minutes for the first login to expire. (2) Log out of Cognitive Analytics on the first system. |
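The query-parameter encoding that SWD-11822 (LVA-664) requires for the interface endpoints, as an added example rather than code from Cisco or the Stealthwatch API client. Only the endpoint path and the rule that filter[startTime] must be sent as filter%5bstartTime%5d come from the release note; the filter field names, the timestamp values and the check for raw brackets in an outgoing request are assumptions for the illustration.

```python
"""Build and check percent-encoded filter parameters for the Stealthwatch
interface endpoints (SWD-11822).  Added example, not Cisco code.

Beginning with v7.0 the interface API no longer accepts un-escaped '[' and ']'
in a query parameter, so filter[startTime] has to be sent as
filter%5bstartTime%5d.  The path template is from the release note; the
field names and sample values are constructed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

# Path template quoted in the release note.
INTERFACE_PATH = (
    "/tenants/{tenantId}/devices/{deviceId}"
    "/exporters/{exporterIp}/interfaces/{interfaceId}"
)


def interface_path(tenant_id: int, device_id: int, exporter_ip: str, interface_id: int) -> str:
    """Fill the path template; the path segments themselves need no escaping."""
    return INTERFACE_PATH.format(
        tenantId=tenant_id, deviceId=device_id,
        exporterIp=exporter_ip, interfaceId=interface_id,
    )


def build_filter_query(filters: dict) -> str:
    """Encode {'startTime': ..., 'endTime': ...} as filter%5BstartTime%5D=...&...

    urlencode() uses quote_plus, which escapes '[' and ']' as %5B and %5D.
    RFC 3986 treats the hex digits case-insensitively, so this is equivalent
    to the lowercase %5b / %5d form shown in the release note.
    """
    pairs = [(f"filter[{field}]", value) for field, value in filters.items()]
    return urlencode(pairs)


def has_unescaped_brackets(url: str) -> bool:
    """True if the query string still carries raw '[' or ']' (the pre-7.0 form)."""
    query = urlsplit(url).query
    return "[" in query or "]" in query


def decode_filter_query(query: str) -> dict:
    """Reverse the encoding: 'filter%5BstartTime%5D=x' -> {'startTime': 'x'}."""
    out = {}
    for key, value in parse_qsl(query):
        if key.startswith("filter[") and key.endswith("]"):
            out[key[len("filter["):-1]] = value
    return out


def interface_url(base: str, tenant_id: int, device_id: int, exporter_ip: str,
                  interface_id: int, filters: dict) -> str:
    """Assemble a full request URL that satisfies the v7.0 encoding rule."""
    return (base + interface_path(tenant_id, device_id, exporter_ip, interface_id)
            + "?" + build_filter_query(filters))


if __name__ == "__main__":
    # Constructed placeholder host and values; not a real deployment.
    url = interface_url("https://smc.example.invalid/sw-reporting/v1", 101, 5,
                        "10.0.0.1", 3, {"startTime": "2019-01-30T00:00:00Z",
                                        "endTime": "2019-01-31T00:00:00Z"})
    print(url)
    print("raw brackets present:", has_unescaped_brackets(url))
```

Before sending, has_unescaped_brackets() catches any integration that still builds the old filter[startTime] form by string concatenation; decode_filter_query() shows the server-side view, where the escaped key parses back to the same filter name.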

Release Support Information

Official General Availability (GA) date for Release 7.0 is Jan. 30th, 2019.

For support timeline information regarding general software maintenance support, patches, general maintenance releases, or other information regarding the Cisco Stealthwatch Release Support lifecycle, please refer to the Cisco Stealthwatch® Software Release Model and Release Support Timeline Product Bulletin.


Copyright Information

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

Copyright © 2019 Cisco Systems, Inc.

All rights reserved.