STEALTHWATCH SYSTEM VERSION RELEASE NOTES

Transcription

1 STEALTHWATCH SYSTEM VERSION RELEASE NOTES This document provides the following information: What's New What's Been Fixed summarizes fixes made for issues reported by customers: o Version o Version Known Issues in this release. For all features included in Stealthwatch v6.10, refer to the release notes for each previous version: v For a list of alarm types and their IDs, access the Alarm IDs file. You can also access this document via the Alarm List topic in the SMC Client Interface online help. For additional information about the Stealthwatch System, go to the Customer Community. Important: For enhanced security, before you add a Flow Collector or Flow Sensor in the System Setup Tool, you must have first created a management channel between the Flow Collector and/or Flow Sensor and the Stealthwatch Management Console (SMC). If you have not done this, you will receive an error message when you try to add either appliance in the System Setup Tool. The specific instructions are on page 43 in the Stealthwatch Management Console VE and Flow Collector VE Installation and Configuration Guide or page 15 in the Hardware Configuration Guide. If your Stealthwatch System is v6.9.0 or v6.9.1, install the latest/any required rollup patch files on Stealthwatch's Download and License Center, before upgrading. If your Stealthwatch System is v6.9.2 or later, the rollup patch is not required to upgrade to v6.10. If FIPS mode was enabled in an earlier version of software (prior to v6.10), disable FIPS mode before you update the software to v6.10. The following non-admin access modifications have been made: o For any versions prior to v6.10, a non-admin user without an assigned function role can access the SMC Web App but cannot access the SMC client 2018 Cisco Systems, Inc. All Rights Reserved. 1

2 interface. Once an admin user assigns a non-admin user a function role, that user will also be able to access the SMC client interface. o Beginning with v6.10, a non-admin user cannot access the SMC client interface or the SMC Web App until assigned a function role. For increased security, we recommend updating the IDentity 1000/1100 appliance to v3.3.0.x to take advantage of the new openssl version with TLS 1.2. WARNING! It is important to enable an alternative method to access your Stealthwatch appliances for any future service needs, using one of the following: Hardware* Console (serial connection to console port): Refer to the latest Stealthwatch Hardware Installation Guide to connect to the appliance using a laptop or a keyboard and monitor. idrac Enterprise (Dell appliances): Refer to the latest documentation for your platform at idrac Enterprise requires a license, and idrac Express does not allow console access. If you do not have idrac Enterprise, direct console or SSH can be used. CIMC (UCS appliances): Refer to the latest Cisco UCS guide for your platform at computing/ucs/c/sw/cli/config/guide/b_cisco_cimc_cli_configuration_ Guide/Cisco_CIMC_CLI_Configuration_Guide_chapter1.html Virtual Machines* Console (serial connection to console port): Refer to the latest KVM or VMware documentation for your appliance installation. For example, for KVM, see the Virtual Manager documentation at For VMware, see the vcenter Server Appliance Management Interface documentation for vsphere at vsphere/6.0/com.vmware.vsphere.vcsa.doc/guid-223c2821-bd98-4c7a- 936B-7DBE96291BA4.html *If you cannot log in to the appliance using these methods, you can enable SSH on the appliance network interface temporarily Cisco Systems, Inc. All Rights Reserved.

3 WARNING! When SSH is enabled, the system s risk of compromise increases. It is important to enable SSH only when you need it. When you are finished using SSH, disable it. 1. Log in to the Appliance Admin interface. SMC: Log in to the SMC. Click the Settings icon > Administer Appliance. 2. Click Configuration > Services. 3. Check the Enable SSH check box to enable SSH. To allow the root user SSH access, check the Enable Root SSH Access check box. 4. Click Apply. Notes: This document uses the term "appliance" for any Stealthwatch product, including virtual editions (VEs) such as the Flow Collector VE. Stealthwatch does not support installing 3rd party applications on appliances. Stealthwatch requires Java Version 8 Update 161 (v1.8.0_161) or later. Stealthwatch requires TLS v1.1 or later. Stealthwatch supports the latest version of Chrome, Firefox, and Edge, and Internet Explorer v11. Where once the setting "disabled" for a security event disabled the event, now disabling will disable the alarm. To view the supported hardware platforms for each system version, refer to the Hardware and Version Support Matrix on the Customer Community. What's New These are the new features and improvements for the Stealthwatch System v release: Stealthwatch Cloud Dashboard Cognitive Analytics Enhancements Stealthwatch Cloud Dashboard The Stealthwatch Cloud Dashboard integrates Stealthwatch Cloud with the SMC Web Application interface. After setting up your cloud environment, you can use this page to view 2018 Cisco Systems, Inc. All Rights Reserved. 3

4 alerts, network activity, and the highlighted observation summary from Stealthwatch Cloud. For more information, go to the Stealthwatch Cloud website. Sign Up Steps Note: You must be an Admin user to sign up for a Stealthwatch Cloud Account. To sign up for a Stealthwatch Cloud Account, complete the following steps: 1. Click Sign Me Up on the Stealthwatch Cloud Dashboard page. 2. Fill out the form, then click Start My Free Trial Cisco Systems, Inc. All Rights Reserved.

5 3. Once you receive the with your account information, set up your cloud account including all of the Stealthwatch users you want to use the Cloud Dashboard. Setting up your account in Stealthwatch To set up your cloud account, complete the following steps: 1. Click Enter Account Info on the Stealthwatch Cloud Dashboard. 2. Enter or edit the URL for your account, then click Save Cisco Systems, Inc. All Rights Reserved. 5

6 Note: Only Admin users can edit the SWC URL. When setting up your account, do not include any characters after ".com" for the SWC URL. For example, you would change to 3. Enter your SWC Username. 4. Enter your SWC API Key. Click Go Get It to go to the Cloud Settings page where your API key is located. 5. Click Save. Note: You can access the Stealthwatch Cloud Account Setup tool by going to Deploy > Stealthwatch Cloud. Disabling your account Note: You must be an Admin user to disable your Stealthwatch Cloud Account. To disable your cloud account, complete the following steps: 1. Go to Deploy > Stealthwatch Cloud. 2. Delete the SWC URL. 3. Click Save. Dashboard Components Alerts This component displays a summary of the open alerts, sorted by last updated, for your cloud environment. Use the chart to view the following: Number of open alerts. Alert name, the source, the date last updated, the number of comments, and the assigned user. From this component you can access the following information: Alert details, which provides in-depth information about the alert. To view this information, click on the alert name. List of open alerts in your Stealthwatch Cloud Account. To view this information, click Open in the top right of the component. List of alerts assigned to you. To view this information, click Assigned To You in the top right of the component Cisco Systems, Inc. All Rights Reserved.

7 Context menu, which provides the option to view the Alerts or Observations associated with the applicable source. To view the context menu, click the ellipsis next to the applicable Source information. Network Activity This component displays traffic in bytes and traffic in connections for the last 24 hours. Use the graph to view the following: How much data transferred to and from your network. How many bidirectional connections (number of hosts) in your network. Alerts. Open alerts are designated by a red triangle with an exclamation point (!) on the point in time when the network activity that triggered the alert occurred. Closed alerts are designated by a green circle with a check mark. From this component you can access the following information: Type, date, time, and source of the alert. To view this information, click on the alert tag. Alert details, which provides in-depth information about the alert. To view this information, click on the link from the alert tag context menu Cisco Systems, Inc. All Rights Reserved. 7

8 Highlighted Observation Summary This component displays the highlighted observations summary and quantity for the last seven days. The highlighted observations are not necessarily security threats - just records of activity considered remarkable by Stealthwatch Cloud's models and algorithms. Once combinations of observations represent a security concern, an alert is generated. Click on the observation name to pivot to all observations for that category. Cognitive Analytics Enhancements Note: To see the full list of enhancements for the Cognitive engine, refer to the Cognitive Analytics Release Notes Cisco Systems, Inc. All Rights Reserved.

9 Cognitive Analytics has added support for: Read-Only roles. Stealthwatch users with read-only roles can now view the Cognitive Analytics components in the SMC web application. Reset to Factory Defaults (RFD). If you need to RFD your Flow Collector or SMC, your Cognitive Analytics account will stay active. ETA Test incidents The Cognitive engine can detect ETA test incidents using specific test site domains. To generate these test incidents, browse to one of the following test sites using a host where the HTTPS session is passing through an ETA enabled switch and router: Malware: Botnet: Phishing: Note: The detection may initially show up as a risk rating of 5. The risk rating can increase with additional bad or repetitive behavior, such as going to multiple of the above URLs or repeatedly visiting the same URL. TOR detection: Download and install the TOR browser from Launch the browser and go to a few websites. Note: The TOR detection will display as "TOR relay" or "Possibly Unwanted Application" with a risk rating of 4. Following is an example of the phishing test incident appearing on the Cognitive Analytics component on the SMC Dashboard: 2018 Cisco Systems, Inc. All Rights Reserved. 9

10 Following is an example of the phishing test incident appearing on the Cognitive Analytics component on the SMC Host Report: Contacting support If you need technical support, please do one of the following: Contact your local Cisco Partner Contact Cisco Stealthwatch Support o To open a case by web: o To open a case by tac@cisco.com o For phone support: (U.S.) o For worldwide support numbers: worldwide_contacts.html Cisco Systems, Inc. All Rights Reserved.

11 What's Been Fixed This section summarizes fixes made in this release for issues (bugs/defects) reported by customers in previous releases. The Stealthwatch Defect (SWD or LSQ) number is provided for reference. Version Defect Description LSQ SWD-8225 Updated SETI version. NA SWD-9122 The SMC was not getting ISE sessions. Removed the Kafka service. NA SWD-9559 SWD-9873 SWD-9875 SWD-9902 SWD-9983 The Flow Collector engine had a SIGSEGV error at search_threat_host. Reworked threat feed code to minimize the locking time of the processing threads. The alarm count was mismatched from the Alarming Hosts component on the Security Insight Dashboard and the alarms on the host list view. Updated the help text pop-up to explain that the number in the Alarming Host component displays the number of hosts receiving alarms since the last reset hour. Clicking on the alarm number will navigate to a host list view with an alarm category filter applied. These two numbers can be different. The Flow Sensor 3000 system memory was running low. The packet buffer size for the flowsensor process was decreased to free up approximately 1G on 16G platforms. SMC triggered "Cisco ISE Management Channel Down" false alarm. Updated the alarm to use the svc-ise-client microservice to ascertain status of configured ISE clusters. The database storage "Worst Case" value for "capacity in days" and "remaining days" was incorrect. Fixed the code so that the values are no longer negative. LSQ-3208 LSQ-3330 LSQ-3344 LSQ-3319 LSQ Cisco Systems, Inc. All Rights Reserved. 11

12 Defect Description LSQ SWD-9996 SWD The Not Matched field in the output.log did not increment when the source/destination IP address mismatched the forwarding rules configuration on the UDP Director. A fix has been provided to increase the Not Matched count. The SMC and Flow Collector did not have enough memory allocated for Tomcat. Separated the JVM settings for each appliance so that Tomcat memory allocation varies depending on the appliance. LSQ-3370 LSQ-3305 LSQ-3453 SWD Improved packet query logging. LSQ-3418 SWD The Update Progress window showed a negative number. Changed the logic that's used for determining the total expected file size so that it can support values greater than 2GB. LSQ-3424 SWD SWD Updated Security Group Tags (SGT) information in the SMC Web App inferface online help. Increased the default buffer length for the UDP Director to reduce "Last Dropped" counts. LSQ-3461 LSQ-3463 Version Defect Description LSQ LVA-221 STE-84 Vim did not properly validate values for tree length when handling a spell file, which may have resulted in an integer overflow at a memory allocation site and a resultant buffer overflow. Port number for the server and protocol information have been added to the Response. STE-97 Updated Support Contact information within Stealthwatch. NA SWD-7143 The lc_profiles process on the Flow Collector was very slow. Revamped the host group lookup functionality to fix a bottleneck. NA NA LSQ-2713 SWD-7540 SWD-7688 The selection for "Second" in Flow Table Filter was removed because the seconds rounded up to the next minute anyway. LSQ Cisco Systems, Inc. All Rights Reserved.

13 Defect Description LSQ SWD-7549 The flow traffic on the Flow Sensor 4010 showed no utilization with non-zero inbound traffic. We fixed the SMC detection of the Flow Sensor fiber port interface speeds used in utilization calculations. LSQ-2649 SWD-7599 SWD-7615 SWD-7621 SWD-7643 SWD-7644 There was a database backup return error on system configuration. Updated the backup routines to handle file copies to CIFS destinations differently. The Hardware Configuration Guide had an error in the Configure Primary UDP Director section. The guide was updated with the correct information. The Top Conversations Report was not returning all results when a host filter was used. The fix was to correct the miscalculation while computing the transaction report values in the Top Conversations Report. The delete option for an SSL Client certificate did not work on a secondary SMC. The fix was to allow the add/delete function for SSL client certificates in a secondary SMC. The Top Conversations transaction report was showing incorrect values. A fix has been provided to avoid duplicate values and show the appropriate number of records for each Flow Collector in the transaction report. LSQ-2621 LSQ-2572 LSQ-2674 LSQ-2679 LSQ-2593 LSQ-2626 LSQ-2593 SWD-7653 IDentity v3.3.0 does not support TLS 1.0 or 1.1. LSQ-2712 SWD-7676 SWD-7689 The SMC Java client was updated so that the customer could use TLS v1.2 for connections back to the SMC. Users could not create a diagnostics pack for an appliance. The fix corrected an exception in the audit log when creating a diagnostics pack. The CPU average load calculation, on the SMC client interface dashboard, was incorrect. The CPU average load has been updated to reflect the updated appliances. LSQ-2692 LSQ Cisco Systems, Inc. All Rights Reserved. 13

14 Defect Description LSQ SWD-7692 The Top Conversations Report did not return all results when filtering hosts. In the Top Conversations report, the problem was in generating reports if more than one Flow Collector was configured. The fix corrects the query to collect all required data from data base for all required Flow Collectors. LSQ-2593 SWD-7700 SWD-7708 SWD-8137 SWD-7765 SWD-7787 SWD-7824 SWD-7862 SWD-7865 The Flow Collection Trend chart had gaps due to TextCopyHandler failing to read files at /lancope/var/smc/tmp folder. Resolved an issue where scheduled reports would terminate existing SMC data loading processes under certain conditions. Users could not import of DAR and XML files to Document Builder. This patch fixes issue with launching a new report from document builder that has several pages that are named alphabetically. Flow data queries across multiple flow collectors do not return consistent ordering. The fix is to order the records returned for a flow query by flowid when a specific ordering is not requested. This prevents different invocations of this method from returning different results. The Flow Table Service Summary and Service Port columns had mismatched port addresses. Fixed an issue where the service summary port was not updated to match the server port for certain flows. Flow query was failing for IPv6 IP address range 0000-FFFF. The flow query filter has been corrected to recognize and search IPv6 input values. Associated flow table carried previous advanced filter values. The Flow Table retain filter option has been excluded from the associated flow table. Stealthwatch Management Console had high memory usage for uwsgi appliance update process. Implemented a mechanism designed to prevent memory usage exceeding 4 GB by the uwsgi UPServ application. LSQ-2727 LSQ-2738 LSQ-2652 LSQ-2710 LSQ-2613 LSQ-2709 LSQ Cisco Systems, Inc. All Rights Reserved.

15 Defect Description LSQ SWD-7963 The client interface help was not showing topics when using the search tab. Fixed encoding error caused by a tomcat update. NA SWD-7971 SWD-8072 SWD-8089 SWD-8107 SWD-8136 SWD-8142 SWD-8153 SWD-8182 On the SMC Web app, Error retrieving host snapshot to build host entity view constantly received on Host Search. We updated the SMC Web app and the Vertica query to accommodate large numbers and overflow. Top Reports returns more records than the set limit when there are two or more Flow Collectors (LSQ-2822). The Top Reports queries have been updated to split the amount of records evenly between Flow Collectors. The selection for "Second" in Flow Table Filter was removed because the seconds rounded up to the next minute anyway. notifications for scheduled documents were not being logged properly. We fixed the log base path location from pointing to the incorrect directory. The Flow Collector changed models after upgrade. Updated the model.xml file to not change a system's memory size during upgrade. The Database backup was generating errors at the final stage of the process. Improvements have been added to repeat the Vertica backup process in case of resync errors. Flows were not being associated with all Host Groups that contained the associated IP address. The flow table was updated to allow a larger character limit (65,000) in the client and server host group strings, and we now allow 256 host groups per IP address. UDP Director 2010 could not boot after upgrade. Fixed an issue with the kernel upgrading process. LSQ-2773 LSQ-2822 LSQ-2652 LSQ-2834 LSQ-2845 LSQ-2838 LSQ-2846 LSQ Cisco Systems, Inc. All Rights Reserved. 15

16 Defect Description LSQ SWD-8200 A Flow search with too many characters for a IP address range caused Vertica to crash. Changed the logic around constructing IP range searches. LSQ-2869 SWD-8210 SWD-8239 SWD-8271 SWD-8314 SWD-8317 ISE "devicetype" field was empty. Provided value to "devicetype" from the "endpoint Policy" pxgrid field. Error when creating and configuring Custom Applications. A new java constructor has been added to avoid a bad request error when adding multiple custom application rules in the SMC. The Flow Sensor Management Channel Down alarm, triggered in the client interface, did not go inactive after one hour. Resolved an issue where certain alarms would fail to go inactive on the primary node of an SMC failover pair. The Flow Collector was not processing a non-zero DSCP field. Added support for the DSCP field. External Lookup failed with a 500 internal server error. Fixed the null pointer error when loading the External Lookup configuration page. LSQ-2880 LSQ-2765 LSQ-2829 LSQ-2865 LSQ-2893 LSQ-2859 LSQ-2911 LSQ-2912 SWD-8323 The SMC was utilizing a high amount of memory. LSQ-2904 SWD-8438 SWD-8477 We refactored the SMC client interface code to improve UI responsiveness. The Flow Collector saved flow records from one source ID and discarded records with the other source ID. Added observation domain binding to the exporter stats in the cases where more than one exporting engine is exporting from a single exporter IP address using different source ID values. Vertica MergeOut process was very slow for the flow_stats table. Added several Vertica database tuning parameters to remedy the ROS container backup problems. LSQ-2557 LSQ-2935 LSQ Cisco Systems, Inc. All Rights Reserved.

17 Defect Description LSQ SWD-8540 Unable to create and save maps when logged in as a non-admin user. Updated the error message to be more meaningful when a non-admin user creates a map without the proper permissions. LSQ-2956 SWD-8542 SWD-8559 SWD-8590 SWD-8591 SWD-8598 SWD-8608 SWD-8629 SWD-8635 SWD-8636 SWD-8661 Security Event details were missing in web application interface. Fixed an issue where Security Event details were always empty. The Online Help referred to an incorrect alarm name. Updated the help to refer to "Ping Oversized Packet" instead of "Long Ping". Tor traffic with no packets from server were alarming as "Successful". The alarm was updated to "Attempted". The Flow Sensor eth4 log was showing an invalid pointer error. Fixed the code to output the log message correctly. The Flow Sensor 3000 was not processing packets with multilayer VLAN tags. The engine has been modified to handle up to 4096 layered tags. The SMC document builder was not saving filter criteria. Fixed the document builder to retain appropriate input values in the common filter criteria. The SMC client interface was missing the "user management" menu. Users with "SMC manager" rights now have access to the "user management" menu. Cisco Senderbase links were incorrect on the External Lookup configuration page. Fixed broken links. The Traffic by Peer Host Group component was not displaying flow information. Updated the component to display flow data correctly. Updated the flow-forwarder Docker container v2.2.2 to use less memory and turned on heap debugging options so that more information may be gathered when there is an issue with the Java (JVM) heap. LSQ-2982 LSQ-2989 LSQ-2992 NA LSQ-2995 LSQ-2968 LSQ-3013 LSQ-3002 LSQ-3005 LSQ Cisco Systems, Inc. All Rights Reserved. 17

18 Defect Description LSQ SWD-8670 SWD-8676 The support information updated for STE-97 was translated into Korean, Chinese, and Japanese. The flow rate dropped when the Flow Sensor cache was full. Fixed an issue that caused packets to be dropped during processing when under load. NA LSQ-3023 SWD-8689 SWD-8701 SWD-8702 "Client Port Filtering" was not working with Fast Query selected. A query fix has been provided to make Client Port Filtering work correctly, with or without enabling fast query. OVF resource defaults did not match documented minimums. Updated the SMC and Flow Collector OVFs to 16 GB ram. Unable to edit response management rules in the SMC client interface. Fix added to handle null pointer errors when editing the rules in response management. LSQ-3031 NA LSQ-3038 SWD-8705 A Database Restore failed on a Flow Collector LSQ-3040 SWD-8708 SWD-8727 SWD-8758 SWD-8791 Fixed an issue where Vertica was not stopping correctly. TextCopyHandler failed to read files at /lancope/var/smc/tmp. Scheduled reports temporary file handling process has been improved to avoid SQL errors. Top Alarming Hosts widget was not loading due to unknown host exception error. The svc-sw-reporting container was updated to better handle dealing with exceptional data within the database. Default Services were missing under Host Locking Configuration. Updated the conditions to populate the services list correctly. The MongoDB compact script failed to save SMC configuration. Fixed a typo that caused the script to fail. LSQ-2987 LSQ-3048 LSQ-2987 LSQ-3004 LSQ-3048 LSQ-3052 LSQ Cisco Systems, Inc. All Rights Reserved.

19 Defect Description LSQ SWD-8807 The client interface would redirect the user to the license manager page on a licensed SMC. Updated the code so that users are able to access the client interface on a properly licensed appliance. NA SWD-8819 SWD-9049 SWD-9051 SWD-9207 The Interface Service Traffic report was broken. Corrected an issue with the database query group used by the report. Limited the Vertica MaxMrgOutROSSizeMB parameter to 4096 in order to improve query response performance. The SMC client interface would not load due to a SSL Certificate corruption after restoring default certificates. Added additional actions to correctly restore the default certificates. HTML code appeared in the name of some graphs in the SMC client interface. The <br> HTML tag was removed. LSQ-3066 LSQ-3071 LSQ-3094 LSQ Cisco Systems, Inc. All Rights Reserved. 19

20 Known Issues This section summarizes issues (bugs) that are known to exist in this release. Where possible, workarounds are included. The defect number is provided for reference. Defect Number Description Workaround LVA-306, LVA-307 If you have an untrusted virtual machine installed on the same physical cluster/system as a Stealthwatch appliance, the Stealthwatch appliance is vulnerable to a side-channel attack that can expose private keys. A vulnerability was disclosed for the gnupg software package suite. This vulnerability involves a side-channel attack against the gnupg implementation of the RSA cryptographic algorithm. When RSA keys are in use on the system, the implementation allows for the recovery of bit length private keys. Additionally, it experimentally appears that 13% of the 2048 keyspace is vulnerable as well. More details about the vulnerability can be found by reading the white paper located at The risk from this side-channel attack applies where the private key is in use on the system. For Stealthwatch customers, this applies to SSH and HTTPS sessions. For Important: Do not install an untrusted physical or virtual machine on the same physical cluster/system as your Stealthwatch System appliances. Important: If you are upgrading the system to v6.10 from an earlier version, confirm all appliances have the latest patch files installed. To review the Stealthwatch appliance vulnerability, complete the following steps: 1. Log in to the Stealthwatch Appliance Admin. 2. Click Configuration > Services. Review the SSH section. If the Enable SSH box is checked, you need to regenerate the RSA host key pair using the instructions shown below. 3. Click Configuration > SSL Certificate. Review the installed certificates. If there are custom certificates installed using the RSA or RSA-2048 bit keys, you must regenerate new certificates. 4. Click Configuration > Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, you must regenerate new certificates. If the SSH service is enabled on the appliance, regenerate the RSA host key using the following instructions. You will regenerate the RSA host key on every appliance in the system. 1. SSH onto the SW Appliance as root or using the root terminal option in the sysadmin menu. 2. To delete the public and private keys in the primary location, run the following command: rm f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub. 3. To delete the public and private keys in the Cisco Systems, Inc. All Rights Reserved.

21 Defect Number Description Workaround customers running hardware appliances and in fully controlled Virtual Machine infrastructures, the risk of exposure is mitigated by access to the physical and virtual systems. For customers running in a co-located VM infrastructure, the risk of exposure is greater. backup location, run the following command: rm f /lancope/var/admin/ssh/ssh_ host_rsa_key /lancope/var/admin/ssh/ssh_host_rsa_ key.pub 4. To regenerate a new RSA host key pair, run the following command: /lancope/admin/bin/generatesshkeys 5. Do one of the following to restart the SSHD service: o If the appliance software version is 6.9 and later, run the following command: systemctl restart ssh.service o If the appliance version is earlier than 6.9, run the following command: /etc/init.d/ssh restart 6. Repeat these steps on every appliance in the Stealthwatch System. If you have installed custom certificates using RSA or RSA-2048 bit keys on your Stealthwatch appliances, you must regenerate new X509 certificates. 1. Log in to the Stealthwatch Appliance Admin. 2. Click Configuration > SSL Certificate. 3. Click the? icon to open the Help page. o o Use the SSL Certificate instructions to generate a new X509 certificate. If the certificate is X509 certificate is RSA, create it with a size of 4096 bits. 4. Delete the old (vulnerable) X509 certificate from the appliance. 5. Click Configuration> Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, regenerate new certificates. o o Click the? icon to open the Help page. Use the Certificate Authority Certificates instructions to add a new X Cisco Systems, Inc. All Rights Reserved. 21

22 Defect Number Description Workaround o certificate. If the certificate is X509 certificate is RSA, create it with a size of 4096 bits. SWD-7627 SWD-7655 SWD-8197 SWD-8673 If you reboot your Flow Collector, it deletes all alarm history; however, if you replace your Flow Collector, the new Flow Collector retains the alarm history from the old Flow Collector instead of deleting it. Since the alarming host widgets (which display the number of hosts receiving alarms since the last reset hour for a specific category) on the Security Insight Dashboard and Host Group page then do not update until the next reset hour, you may see a discrepancy between these values and the alarm values in the Hosts table on the Host List View. The generation of a diagnostics pack may fail in large systems as a result of timing out. The Flow Sensor was not detecting enough applications. SystemConfig special character fonts look bad when using the SecureCRT client in ANSI mode. None currently available; the feature will be available in a future release. To overcome this, open the SSH console for the appliance and run this command: dodiagpack. This will allow the generation of the diagnostic pack without timing out. The diagnostic pack can be downloaded using Browse File in the /admin/diagnostics folder, and it can be copied off the box using SCP. To provide more accurate application classification, we updated the third-party library for Application Identification. Due to this update, some traffic will no longer be classified as it was in prior versions and support has been removed for a variety of applications. Updates to the applications supported are dependent on future releases from the third-party library. To overcome this, disable ANSI Color when connecting or use a different client to view the SystemConfig script. SWD-9052 Offline license activation failing This error may occur if you moved a virtual machine, Cisco Systems, Inc. All Rights Reserved.

23 Defect Number Description Workaround SWD-9300 SWD-9542 SWD-9563 or "Storage Binding Break" error. The Selected Cipher Suite does not appear in the Flow Search Results when using a non-standard port. After configuring Active Directory in the SMC, User Info is empty. The user details are included in the flows but User Info does not show the information due to inconsistencies when querying ISE certificate attributes. When you log in to the Stealthwatch Web App using Internet Explorer v11 and at any point you refresh the Home page, the Desktop Client dropdown arrow and the three navigation icons to the left of this list (top right corner of page) disappear. These three icons include the following: Search (magnifying glass icon) Help (person icon) Global Settings (geer icon) Additionally, the fonts look different from how they appear when displayed using other browsers. uploaded a license more than once, or if the license is corrupted. Please contact Stealthwatch Customer Community for assistance. None currently available; this will be fixed in a future release. The User Info is available if ISE returns Active Directory UPN (User Principal Name) as "username" in the session. To configure ISE to return UPN, go to ISE Administration > External Identity Sources > Certificate Authentication Profile settings. Close the browser and log in again. SWD After a license is activated in the Desktop Client License Manager, the Status column does not update from "Trial" to "Installed" until after the appliance is Reboot the appliance and log in to the Desktop Client License Manager again. The Status will update after the system is rebooted Cisco Systems, Inc. All Rights Reserved. 23

24 Defect Number Description Workaround SWD NA rebooted. The Security Event Queries API is providing results from a larger time span than set in the timerange filter. On the Flow Sensor VE, Export Application Identification is off by default. None currently available; this will be fixed in a future release. To enable application identification, this advanced setting will need to be manually selected Cisco Systems, Inc. All Rights Reserved.

25 2018 Cisco Systems, Inc. All Rights Reserved. SW_6_10_2_Release_Notes_DV_1_2