STEALTHWATCH SYSTEM VERSION RELEASE NOTES

Transcription

1 STEALTHWATCH SYSTEM VERSION RELEASE NOTES This document provides the following information: What's New Fixes for issues reported by customers including previous releases: o Version o Version o Version Issues known to exist in this release. For additional information about the Stealthwatch System, go to the Lancope Customer Community web site ( For a list of alarm types and their IDs, access the Alarm IDs v6.9.0 file. You can also access this document via the Alarm List topic in the SMC Client Interface online help. Important: If you currently do not have pxgrid configured, then when you update to Stealthwatch v6.9.2 you must reconfigure Cisco ISE. (If you configured pxgrid in Stealthwatch 6.8.x, then your configuration will be copied forward to Stealthwatch v6.9.2) Due to changes with APIs, customers running the Host Group Automation Service require a service software upgrade. Please contact See "Contacting Support" for upgrade assistance. For enhanced security, before you add a Flow Collector or Flow Sensor in the System Setup Tool, you must have first created a management channel between the Flow Collector and/or Flow Sensor and the Stealthwatch Management Console (SMC). If you have not done this, you will receive an error message when you try to add either appliance in the System Setup Tool. The specific instructions are on page 43 in the Stealthwatch Management Console VE and Flow Collector VE Installation and Configuration Guide or page 15 in the Hardware Configuration Guide Cisco Systems, Inc. All Rights Reserved. 1

2 For increased security, we recommend updating the IDentity 1000/1100 appliance to v3.3.0.x to take advantage of the new openssl version with TLS 1.2. Notes: This document uses the term "appliance" for any Stealthwatch System product, including virtual editions (VEs) such as the Flow Collector VE. The Stealthwatch System requires Java version 8 (v1.8) or later. The Stealthwatch System requires TLS v1.1 or later. The Stealthwatch System supports Internet Explorer v11 and later. For this release, the security category point contributions have been recalibrated. After updating to v6.9.2 from v6.8.x, it could take 10 days for the system to rebaseline the security categories. You may see an increase or decrease in alarms at first and then a gradual return to a more standard level. Upgrading from v6.9.0/v6.9.1 to v6.9.2 will not cause a re-baselining of security categories. Where once the setting "disabled" for a security event disabled the event, now disabling will disable the alarm. To view the supported hardware platforms for each system version, refer to the Hardware and Version Support Matrix on the Customer Community. What's New These are the new features and improvements for the v6.9.2 release: Flow Sensor and Load Balancer Integration Flow Sensor and Load Balancer Integration Use the Flow Sensor and Load Balancer Integration guide to configure the load balancer and Flow Sensor. This configuration stitches the client side and server side flows together, so the outside host connects to the inside host, providing visibility and enhanced security on the Flow Sensor and the Stealthwatch System. You will disable the X-Forwarded-For (XFF) option for HTTP, create an irule, and enable a virtual server resource. If you have an existing irule, it can be modified Cisco Systems, Inc. All Rights Reserved.

3 Contacting Support If you need technical support, please do one of the following: Contact your local Cisco Partner Contact Cisco Stealthwatch Support o To open a case by web: o To open a case by tac@cisco.com o For phone support: (U.S.) o For worldwide support numbers: worldwide_contacts.html 2017 Cisco Systems, Inc. All Rights Reserved. 3

4 What's Been Fixed This section summarizes fixes made in this release for issues (bugs/defects) reported by customers in previous releases. The Stealthwatch Defect (SWD or LSQ) number is provided for reference. Version LVA-221 Vim did not properly validate values for tree length when handling a spell file, which may have resulted in an integer overflow at a memory allocation site and a resultant buffer overflow. STE-97 Updated Support Contact information within Stealthwatch. SWD-7143 The lc_profiles process on the Flow Collector was very slow. Revamped the host group lookup functionality to fix a bottleneck. LSQ-2713 SWD-7735 SWD-8210 SWD-8200 SWD-8314 SWD-8317 SWD-8323 SWD-8340 ISE "devicetype" and "Security Group ID" fields were empty. Provided value to the fields from the applicable pxgrid fields. A Flow search with too many characters for a IP address range caused Vertica to crash. Changed the logic around constructing IP range searches. The Flow Collector was not processing a non-zero DSCP field. Added support for the DSCP field. External Lookup failed with a 500 internal server error. Fixed the null pointer error when loading the External Lookup configuration page. The SMC was utilizing a high amount of memory. We refactored the SMC client interface code to improve UI responsiveness. Disk expansion was not working on virtual appliances. We modified the partitions to make sure /lancope/var partition was not mounted at resize_fs function, and we added the ability for the expanddatapartition to be able to run again and complete the operation if the previous version had failed. LSQ-2880 LSQ-2869 LSQ-2911 LSQ-2912 LSQ-2904 LSQ Cisco Systems, Inc. All Rights Reserved.

5 SWD-8438 The Flow Collector saved flow records from one source ID and discarded records with the other source ID. Added observation domain binding to the exporter stats in the cases where more than one exporting engine is exporting from a single exporter IP address using different source ID values. LSQ-2557 SWD-8477 SWD-8542 SWD-8559 SWD-8590 SWD-8591 SWD-8598 SWD-8629 SWD-8635 SWD-8636 Vertica MergeOut process was very slow for the flow_stats table. Added several Vertica database tuning parameters to remedy the ROS container backup problems. Security Event details were missing in web application interface. Fixed an issue where Security Event details were always empty. The Online Help referred to an incorrect alarm name. Updated the help to refer to "Ping Oversized Packet" instead of "Long Ping". Tor traffic with no packets from server were alarming as "Successful". The alarm was updated to "Attempted". The Flow Sensor eth4 log was showing an invalid pointer error. Fixed the code to output the log message correctly. The Flow Sensor 3000 was not processing packets with multilayer VLAN tags. The engine has been modified to handle up to 4096 layered tags. The SMC client interface was missing the "user management" menu. Updates users with "SMC manager" rights to have access to the "user management" menu. Cisco Senderbase links were incorrect on the External Lookup configuration page. Fixed broken links. The Traffic by Peer Host Group component was not displaying flow information. Updated the component to display flow data correctly. LSQ-2935 LSQ-2963 LSQ-2982 LSQ-2989 LSQ-2992 LSQ-2995 LSQ-3013 LSQ-3002 LSQ Cisco Systems, Inc. All Rights Reserved. 5

6 SWD-8661 SWD-8670 SWD-8689 Updated the flow-forwarder Docker container v2.2.2 to use less memory and turned on heap debugging options so that more information may be gathered when there is an issue with the Java (JVM) heap. The support information updated for STE-97 was translated into Korean, Chinese, and Japanese. "Client Port Filtering" was not working with Fast Query selected. A query fix has been provided to make Client Port Filtering work correctly, with or without enabling fast query. LSQ-3022 LSQ-3031 SWD-8701 SWD-8702 SWD-8708 SWD-8727 SWD-8771 SWD-8791 SWD-8807 OVF resource defaults did not match documented minimums. Updated the SMC and Flow Collector OVFs to 16 GB ram. Unable to edit response management rules in the SMC client interface. Fix added to handle null pointer errors when editing the rules in response management. TextCopyHandler failed to read files at /lancope/var/smc/tmp. Scheduled reports temporary file handling process has been improved to avoid SQL errors. Top Alarming Hosts widget was not loading due to unknown host exception error. The svc-sw-reporting container was updated to better handle dealing with exceptional data within the database. The MongoDB compact script failed to save SMC configuration. Fixed a typo that caused the script to fail. The client interface would redirect the user to the license manager page on a licensed SMC. Updated the code so that users are able to access the client interface on a properly licensed appliance. LSQ-3038 LSQ-2987 LSQ-3048 LSQ-2987 LSQ-3004 LSQ-3048 LSQ-3012 LSQ-3124 LSQ-3132 LSQ-3133 SWD-8819 The Interface Service Traffic report was broken (LSQ-3066). Corrected an issue with the database query group used by the report. CTA could not be enabled on the Flow Collector 5000 series. Created an API to handle the Flow Collector 5000 Database and Engine. LSQ Cisco Systems, Inc. All Rights Reserved.

7 Version STE-84 SWD-7120 Port number for the server and protocol information have been added to the Response. In the SMC client interface, gaps appeared on the FlowCollector Trend chart on a Flow Collector running a Host Group Automation script. Improved the process so that the host group updates would work without causing gaps in the Flow Collection Trend graphs. LSQ-2462 SWD-7260 In the SMC client interface the Host Manager displayed duplicate entries. New code has been written to transfer values from Java list object to Hash set object, which does not allow duplicates. LSQ-2590 SWD-7322 The Flow Collector engine did not stop inserting data when the disk was 100% full. LSQ-2606 SWD-7371 SWD-7411 SWD-7470 SWD-7525 SWD SWD Added code to disable the stats the database writes at maximum disk utilization and to trigger the performance degraded alarm. A false alarm that the License Term would expire in less than 3 days occurred after a Flow Sensor was added to a Flow Collector. The code was updated to calculate the license expiration date correctly. The Flow Collector Database failed to back up admin hsql database when upgrading. The directory permission is now handled automatically, which allows the backup of the hsql database. The SMC client interface contained settings which are no longer applicable. VM Status and VM Server Status was removed from the Status drop-down menu. After upgrade, deleted exporters caused error "Thread interrupted" to occur. A bottleneck was discovered in the code and removed so that exporter deletions can be performed within a reasonable time period. The selection for "Second" in Flow Table Filter was removed because the seconds rounded up to the next minute anyway. LSQ-2615 LSQ-2433 LSQ-2646 LSQ Cisco Systems, Inc. All Rights Reserved. 7

8 SWD-7541 The delete option for an SSL Client certificate did not work on a secondary SMC. The fix was to allow the add/delete function for SSL client certificates in a secondary SMC. LSQ-2626 SWD-7549 SWD-7599 SWD-7615 SWD-7621 SWD-7631 SWD-7644 The flow traffic on the Flow Sensor 4010 showed no utilization with non-zero inbound traffic. We fixed the SMC detection of the Flow Sensor fiber port interface speeds used in utilization calculations. There was a database backup return error on system configuration. Updated the backup routines to handle file copies to CIFS destinations differently. The Hardware Configuration Guide had an error in the Configure Primary UDP Director section. The guide was updated with the correct information. The Top Conversations Report was not returning all results when a host filter was used. The fix was to correct the miscalculation while computing the transaction report values in the Top Conversations Report. The Flow Collector's Vertica database was using all of it's memory. We upgraded Vertica to fix issues with it consuming blocks of memory that it does not free until shutdown and issues with it allocating unused virtual memory. The Top Conversations transaction report was showing incorrect values. A fix has been provided to avoid duplicate values and show the appropriate number of records for each Flow Collector in the transaction report. LSQ-2649 LSQ-2621 LSQ-2572 LSQ-2674 LSQ-2679 LSQ-2593 LSQ-2698 LSQ-2593 SWD-7653 IDentity v3.3.0 does not support TLS 1.0 or 1.1. LSQ-2712 The SMC Java client was updated so that the customer could use TLS v1.2 for connections back to the SMC Cisco Systems, Inc. All Rights Reserved.

9 SWD SWD-7689 Users could not create a diagnostics pack for an appliance. The fix corrected an exception in the audit log when creating a diagnostics pack. The CPU average load calculation, on the SMC client interface dashboard, was incorrect. The CPU average load has been updated to reflect the updated appliances. LSQ-2692 LSQ-2677 SWD-7692 SWD SWD SWD-7739 SWD-7765 SWD-7787 SWD-7824 SWD-7862 The Top Conversations Report did not return all results when filtering hosts. In the Top Conversations report, the problem was in generating reports if more than one Flow Collector was configured. The fix corrects the query to collect all required data from data base for all required Flow Collectors. Users could not import of DAR and XML files to Document Builder. Fixed an issue with launching a new report from document builder that has several pages that are named alphabetically. Tomcat socket got stuck on an IP address. We implemented code to clear tomcat socket and firewall rule. Flow data queries across multiple Flow Collectors did not return consistent ordering. The fix is to order the records returned for a flow query by flowid when a specific ordering is not requested. This prevents different invocations of this method from returning different results. The Flow Table Service Summary and Service Port columns had mismatched port addresses. Fixed an issue where the service summary port was not updated to match the server port for certain flows. Flow query was failing for IPv6 IP address range 0000-FFFF. The flow query filter has been corrected to recognize and search IPv6 input values. Associated flow table carried previous advanced filter values. The Flow Table retain filter option has been excluded from the associated flow table. LSQ-2593 LSQ-2738 LSQ-2724 LSQ-2652 LSQ-2710 LSQ-2613 LSQ Cisco Systems, Inc. All Rights Reserved. 9

10 SWD-7865 Stealthwatch Management Console had high memory usage for uwsgi appliance update process. Implemented a mechanism designed to prevent memory usage exceeding 4 GB by the uwsgi UPServ application. LSQ-2722 SWD-7939 SWD-7963 SWD-8072 SWD-8089 SWD-8095 SWD-8107 SWD-8128 SWD-8136 SWD-8182 Uploading certificates will continue to display error message even after subsequent successful uploads. Stopped the service call whenever uploading invalid certificate so that the error does not persist after successful certificate upload. The client interface help was not showing topics when using the search tab. Fixed encoding error caused by a tomcat update. Top Reports returns more records than the set limit when there are two or more Flow Collectors. The Top Reports queries have been updated to split the amount of records evenly between Flow Collectors. The selection for "Second" in Flow Table Filter was removed because the seconds rounded up to the next minute anyway. Unable to activate SLIC after recent update to proxy settings. Added code to restart the tomcat process after updating proxy settings. notifications for scheduled documents were not being logged properly. We fixed the log base path location from pointing to the incorrect directory. Creating a diagnostic pack on the Flow Collector Database node triggered DB Channel Down alarm. We increased the session time-out period to avoid false DB Channel Down alarms. Cognitive Threat Analytics (CTA) API calls using JWT tokens were not being made correctly. JWT tokens are now being passed through Authorization headers. UDP Director 2010 could not boot after upgrade. Fixed an issue with the kernel upgrading process. LSQ-2862 LSQ-2822 LSQ-2652 LSQ-2807 LSQ-2834 LSQ-2755 LSQ-2845 LSQ-2876 LSQ Cisco Systems, Inc. All Rights Reserved.

11 SWD-8239 Error when creating and configuring Custom Applications. LSQ-2765 A new java constructor has been added to avoid a bad request error when adding multiple custom application rules in the SMC. LSQ-2829 LSQ-2865 LSQ-2893 Version SWD-6607 Flow Collection drops for one minute when adding or editing custom applications. We changed Application Definitions to perform the update at the beginning of the next minute instead of updating instantly to avoid gaps in flow collection. LSQ-2052 SWD-6700 The SMC Client interface showed VM Server features. LSQ-2201 We removed instances of the VM Servers in the SMC Client interface Enterprise Tree and Traffic menu. SWD-6715 On the SMC the Flow Trend report for a Flow Collector but the other is indicating that there was "no data available." LSQ-2217 We adjusted database queries used by the Flow Collection Trends report to allow larger values for the FPS and flow count values. SWD-6726 In the SMC client interface, Flow Collector alarm details incorrectly displayed "I/O error." LSQ-2170 The error message was changed to: "Unable to connect. Timeout waiting for connection." SWD-6745 The Flow Collector crashed, and in the SMC Web App interface, the Flow Collection Trend had a 25-minute gap. LSQ-2253 Additional protection against a future potential crash was added to string handling in the flows. SWD-6777 A custom service that had been set to "Exclude Security Event" was still triggering Security Events. LSQ-2261 We updated the code to fetch the required service details from the configuration file and use it for event triggering Cisco Systems, Inc. All Rights Reserved. 11

12 SWD-6823 The Flow Collector 5000 Engine node did not show its associated database node. We added a link to the database node on the Flow Collector 5000 support page. LSQ-2328 SWD-6824 The Flow Collector had performance problems. LSQ-2026 Special handling was added for broadcast hosts to prevent thread contention. SWD-6839 The Flow Collector Database Storage Statistics showed incorrect capacity when the number of days of "Flow Interface Details" was smaller than those in "Flow Details." LSQ-2238 We fixed the code to correctly calculate "Capacity in Days" and "Remaining Days." SWD-6857 The defect was that the SMC was not polling the ifhighspeed value for 10 Gbs interface of an exporter. LSQ-2325 We enhanced logging information to aid in determining the solution for the defect. SWD-6858 A segment failure in the Flow Collector occurred when the flow interface buffer size was dynamically increased. LSQ-2026 The code was changed to make the buffer reallocation conflict safe. SWD-6869 The SMC was not using the Secondary pxgrid Mitigation ISE Node when the Primary was down. LSQ-2367 The code was looking at only the primary host. A Java file was changed so that it would look at the next available host. SWD-6886 The Vertica log file was growing too large. A log rotate entry in the config file was added so that old logs are purged and the log will not grow out of control. SWD-6891 The SMC client took about 35 minutes to search a host and open its snapshot. SWD-6873 The locking behavior was adjusted to allow greater concurrency. SWD-6901 SWD-6904 After the SMC was updated, the Scheduled Documents showed errors and would not display any graphs LSQ-2400 The problem for both defects was that an update to Java 8 still required some client groups to have Java 7. The coding was changed so that the SMC will use Java 8 properly Cisco Systems, Inc. All Rights Reserved.

13 SWD-6922 The FlowSensor was dropping 90% of packets. We updated the drivers so the network interface card could pass the packets to the engine to process. LSQ-2410 SWD-6928 The defect was that the SMC Java client took 10 to 15 minutes to finish loading cache. LSQ-2416 We adjusted the lock acquisition behavior of a portion of the SMC Web application so that the loss of communication with Cisco ISE nodes does not cause long delays in the login process through the SMC Java client. SWD-6939 The defect was that the Database Storage Statistics page on the Flow Collector Appliance Admin interface was not loading. LSQ-2238 We updated the JavaScript on the Database Storage Statistics page to use a different library function for greater browser support. SWD-6941 The defect is that a UDP Director flowfan.xml modification and flowfan restart resulted in a High Availability (HA) cluster service error. LSQ-2442 The error was caused by the HA service detecting that the flowfan process was not running because of a delay during manual restart of the service. The delay has been removed. SWD-6955 A custom service that had been set to "Exclude Security Event" was still triggering Security Events. LSQ-2261 We updated the code to fetch the required service details from the configuration file and use it for event triggering. SWD-6960 SWD-6967 Customer had an issue with multiple Cisco ASA's reporting longest duration exports of 1,800. LSQ-2467 The fix was to ignore the Summary Flows that are sent at the end of each firewall flow. SWD-6976 The defect is that the customer was unable to configure custom certificates for SSL/TLS communications on the Stealthwatch appliances. LSQ-2461 The fix provides the ability to install and use certificates with a trust chain longer than 1. The update will restart nginx. The fix is applicable to all appliances. SWD-7061 User received a SMC internal server error. LSQ-2576 To avoid this error message, an intermediary was placed between the interface requests that were causing this error and the Mongo database Cisco Systems, Inc. All Rights Reserved. 13

14 SWD-7107 The FlowCollector was not processing user name. The engine now processes Create events that have no bytes or packets so that it can process the AAA user name from the ASA "Flow created" record. LSQ-2506 SWD-7131 SWD-7132 Some Stealthwatch appliances did not respond to ICMP requests from a Nagios monitoring server. LSQ-2527 The default Docker IP address and the netmask for eth2 on the Flow Collector 5000 series database node were changed. SWD-7149 A customer had an Internal Server error. LSQ-2545 The fix was to decrease the frequency of certain operations made by the SMC Web interface that can cause increased load on the Mongo database. SWD-7229 The Flow Collector home page would not load in an Internet Explorer browser. LSQ-2558 The fix is to change some functions used in loading the Flow Collector home page, which were not supported by IE/Edge browsers. SWD-7322 NetFlow decode was not properly retrieving ICMP type and code. LSQ-2606 An initialization problem in the NetFlow decoder was fixed to properly retrieve the ICMP type and code from the first ICMP Netflow record that it decodes. SWD-7324 The Flow Collector engine did not stop inserting data when the disk was 100% full. LSQ-2606 Added code to disable the stats the database writes at maximum disk utilization and to trigger the performance degraded alarm. SWD-7621 The Top Conversations Report was not returning all results when a host filter was used. LSQ-2593 The fix was to correct the miscalculation while computing the transaction report values in the Top Conversations Report. SWD-7653 IDentity v3.3.0 does not support TLS 1.0 or 1.1. LSQ-2712 The SMC Java client was updated so that the customer could use TLS v1.2 for connections back to the SMC. SWD-8163 Cognitive Threat Analytics (CTA) API calls using JWT tokens were not being made correctly. JWT tokens are now being passed through Authorization headers Cisco Systems, Inc. All Rights Reserved.

15 Known Issues This section summarizes issues (bugs) that are known to exist in this release. Where possible, workarounds are included. The defect number is provided for reference. Defect Number LVA-306, LVA-307 Description If you have an untrusted virtual machine installed on the same physical cluster/system as a Stealthwatch appliance, the Stealthwatch appliance is vulnerable to a side-channel attack that can expose private keys. A vulnerability was disclosed for the gnupg software package suite. This vulnerability involves a side-channel attack against the gnupg implementation of the RSA cryptographic algorithm. When RSA keys are in use on the system, the implementation allows for the recovery of 1024-bit length private keys. Additionally, it experimentally appears that 13% of the 2048 keyspace is vulnerable as well. More details about the vulnerability can be found by reading the white paper located at The risk from this side-channel attack applies where the private key is in use on the system. For Stealthwatch customers, this applies to SSH and HTTPS sessions. For customers running hardware appliances and in fully controlled Virtual Machine infrastructures, the risk of exposure is mitigated by access to the physical and virtual systems. For customers running in a co-located VM infrastructure, the risk of exposure is greater. Workaround Important: Do not install an untrusted physical or virtual machine on the same physical cluster/system as your Stealthwatch System appliances. Important: If you are upgrading the system to v6.10 from an earlier version, confirm all appliances have the latest patch files installed. To review the Stealthwatch appliance vulnerability, complete the following steps: 1. Log in to the Stealthwatch Appliance Admin. 2. Click Configuration > Services. Review the SSH section. If the Enable SSH box is checked, you need to regenerate the RSA host key pair using the instructions shown below. 3. Click Configuration > SSL Certificate. Review the installed certificates. If there are custom certificates installed using the using RSA-1024 or RSA-2048 bit keys, you must regenerate new certificates. 4. Click Configuration > Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, you must regenerate new certificates. If the SSH service is enabled on the appliance, regenerate the RSA host key using the following instructions. You will regenerate the RSA host key on every appliance in the system. 1. SSH onto the SW Appliance as root or using the root terminal option in the sysadmin menu. 2. To delete the public and private keys in the primary location, run the following command: rm f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub Cisco Systems, Inc. All Rights Reserved. 15

16 Defect Number Description Workaround 3. To delete the public and private keys in the backup location, run the following command: rm f /lancope/var/admin/ssh/ssh_ host_rsa_key /lancope/var/admin/ssh/ssh_host_rsa_ key.pub 4. To regenerate a new RSA host key pair, run the following command: /lancope/admin/bin/generatesshkeys 5. Do one of the following to restart the SSHD service: o If the appliance software version is 6.9 and later, run the following command: systemctl restart ssh.service o If the appliance version is earlier than 6.9, run the following command: /etc/init.d/ssh restart 6. Repeat these steps on every appliance in the Stealthwatch System. If you have installed custom certificates using RSA or RSA-2048 bit keys on your Stealthwatch appliances, you must regenerate new X509 certificates. 1. Log in to the Stealthwatch Appliance Admin. 2. Click Configuration > SSL Certificate. 3. Click the? icon to open the Help page. o o Use the SSL Certificate instructions to generate a new X509 certificate. If the certificate is X509 certificate is RSA, create it with a size of 4096 bits. 4. Delete the old (vulnerable) X509 certificate from the appliance. 5. Click Configuration> Certificate Authority Certificates. Review the installed certificates. If there are custom certificates installed using RSA-1024 or RSA-2048 bit keys, regenerate new certificates. o Click the? icon to open the Help page Cisco Systems, Inc. All Rights Reserved.

17 Defect Number Description Workaround o o Use the Certificate Authority Certificates instructions to add a new X509 certificate. If the certificate is X509 certificate is RSA, create it with a size of 4096 bits. SWD-7627 SWD-7655 SWD-8197 If you reboot your Flow Collector, it deletes all alarm history; however, if you replace your Flow Collector, the new Flow Collector retains the alarm history from the old Flow Collector instead of deleting it. Since the alarming host widgets (which display the number of hosts receiving alarms since the last reset hour for a specific category) on the Security Insight Dashboard and Host Group page then do not update until the next reset hour, you may see a discrepancy between these values and the alarm values in the Hosts table on the Host List View. The generation of a diagnostics pack may fail in large systems as a result of timing out. The Flow Sensor was not detecting enough applications. None currently available; the feature will be available in a future release. To overcome this, open the SSH console for the appliance and run this command: dodiagpack. This will allow the generation of the diagnostic pack without timing out. The diagnostic pack can be downloaded using Browse File in the /admin/diagnostics folder, and it can be copied off the box using SCP. To provide more accurate application classification, we updated the third-party library for Application Identification. Due to this update, some traffic will no longer be classified as it was in prior versions and support has been removed for a variety of applications. Updates to the applications supported are dependent on future releases from the third-party library. SWD-8673 SWD-9052 SystemConfig special character fonts look bad when using the SecureCRT client in ANSI mode. Offline license activation failing or "Storage Binding Break" error To overcome this, disable ANSI Color when connecting or use a different client to view the SystemConfig script. This error may occur if you moved a virtual machine, uploaded a license more than once, or if the license 2017 Cisco Systems, Inc. All Rights Reserved. 17

18 Defect Number SWD-9300 SWD-9563 Description The Selected Cipher Suite does not appear in the Flow Search Results when using a non-standard port. When you log in to the Stealthwatch Web App using Internet Explorer v11 and at any point you refresh the Home page, the Desktop Client drop-down arrow and the three navigation icons to the left of this list (top right corner of page) disappear. These three icons include the following: Search (magnifying glass icon) Help (person icon) Global Settings (geer icon) Additionally, the fonts look different from how they appear when displayed using other browsers. Workaround is corrupted. Please contact Stealthwatch Customer Community for assistance. None currently available; this will be fixed in a future release. Close the browser and log in again. SWD-7627 SWD-7655 On the Flow Sensor VE, Export Application Identification is off by default. If you reboot your Flow Collector, it deletes all alarm history; however, if you replace your Flow Collector, the new Flow Collector retains the alarm history from the old Flow Collector instead of deleting it. Since the alarming host widgets (which display the number of hosts receiving alarms since the last reset hour for a specific category) on the Security Insight Dashboard and Host Group page then do not update until the next reset hour, you may see a discrepancy between these values and the alarm values in the Hosts table on the Host List View. The generation of a diagnostics pack may fail in large systems as a result of timing To enable application identification, this advanced setting will need to be manually selected. None currently available; the feature will be available in a future release. To overcome this, open the SSH console for the appli Cisco Systems, Inc. All Rights Reserved.

19 Defect Number SWD-8197 SWD-8673 SWD-9258 SWD-9300 out. Description The Flow Sensor was not detecting enough applications. SystemConfig special character fonts look bad when using the SecureCRT client in ANSI mode. The Flow Collector Engine fails to connect a router mitigation device when using SSH. The Selected Cipher Suite does not appear in the Flow Search Results when using a non-standard port. On the Flow Sensor VE, Export Application Identification is off by default. Workaround ance and run this command: dodiagpack. This will allow the generation of the diagnostic pack without timing out. The diagnostic pack can be downloaded using Browse File in the /admin/diagnostics folder, and it can be copied off the box using SCP. To provide more accurate application classification, we updated the third-party library for Application Identification. Due to this update, some traffic will no longer be classified as it was in prior versions and support has been removed for a variety of applications. Updates to the applications supported are dependent on future releases from the third-party library. To overcome this, disable ANSI Color when connecting or use a different client to view the SystemConfig script. To overcome this, use Telnet to connect a router mitigation device instead of SSH. None currently available; this will be fixed in a future release. To enable application identification, this advanced setting will need to be manually selected Cisco Systems, Inc. All Rights Reserved. 19

20 2017 Cisco Systems, Inc. All Rights Reserved. SW_6_9_2_Release_Notes_DV_1_4