Cisco Stealthwatch Release Notes 7.1.2


Table of Contents

Introduction 4
  Overview 4
  Terminology 4
  Before You Update 4
    Software Version 4
    3rd Party Applications 5
    Hardware 5
    Browsers 5
    Alternative Access 5
      Hardware 5
      Virtual Machines 6
      Additional Option 6
    Enabling SSH in Central Management 6
      Open SSH 6
      Enable SSH 6
    Enabling SSH in Appliance Admin Interface 7
    Identify and Remove Exporters for SWD-13346 7
  After You Update 9
What's New 10
  New Alarms 10
    Exporter Alarms 10
  Cisco Threat Response Integration 10
  TACACS+ 10
    Earlier Versions 11
    TACACS+ and ISE 11
  Cognitive Integration Enhancements 11
  Contacting support 11

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 2 -

Page 3: Stealthwatch Release Notes v7.1 - Cisco...l Forincreasedsecurity,werecommendupdatingtheIDentity1000/1100 appliancetov3.3.0.xtotakeadvantageofthenewopenSSLversionwithTLS1.2. 3rdPartyApplications

What's Been Fixed 12
  Version 7.1.2 12
  Version 7.1.1 16
  Version 7.1.0 17
Known Issues 21
Release Support Information 29


Introduction

Overview

This document provides information on new features and improvements, bug fixes, and known issues for the Stealthwatch System v7.1.2 release. For additional information about the Stealthwatch System, go to Cisco.com. For all features included in Stealthwatch v7.1, refer to the release notes for each previous version: v7.1.1.

Terminology

This guide uses the term "appliance" for any Stealthwatch product, including virtual products such as the Stealthwatch Flow Sensor Virtual Edition (VE).

A "cluster" is your group of Stealthwatch appliances that are managed by theStealthwatch Management Console (SMC).

Most appliances are managed by the SMC. If an appliance is not managed by the SMC, such as an Endpoint Concentrator, it is described as a "stand-alone appliance."

Before You Update

Before you begin the update process, please review the Stealthwatch® Update Guide v7.0.x to v7.1.2.

Software Version

To update the appliance software to version 7.1.2, the appliance must have 7.0.0 or a later version of 7.0.x installed. It is also important to note the following:

• Patches: For each software version, make sure you install the latest patches on your appliances before you upgrade. Follow the instructions in the Stealthwatch Update Guide v7.0.x to v7.1.2. For details, log in to the Stealthwatch Download and License Center at https://stealthwatch.flexnetoperations.com.

• Update your appliance software versions incrementally. For example, if you have Stealthwatch v6.9.x, make sure you update each appliance from v6.9.x to v6.10.x, and then update from 6.10.x to 7.0.x. Each update guide is available on Cisco.com.

• Downgrades: Version downgrades are not supported because of update changes in data structures and configurations that are required to support new features installed during the update.

• TLS: Stealthwatch requires TLS v1.2 or later.


• For increased security, we recommend updating the IDentity 1000/1100 appliance to v3.3.0.x to take advantage of the new openSSL version with TLS 1.2.

3rd Party Applications

Stealthwatch does not support installing 3rd party applications on appliances.

Hardware

To view the supported hardware platforms for each system version, refer to the Hardware and Version Support Matrix.

Browsers

• Compatible Browsers: Stealthwatch supports the latest version of Chrome, Firefox, and Edge.

• Microsoft Edge: There may be a file size limitation with Microsoft Edge. We do not recommend using Microsoft Edge to upload the software update files (SWU).

• Shortcuts: If you use browser shortcuts to access the Appliance Admin interface for any of your Stealthwatch appliances, the shortcuts may not work after the update process is complete. In this case, delete the shortcuts and recreate them.

Alternative Access

Use the following instructions to enable an alternative method to access your Stealthwatch appliances for any future service needs.

It is important to enable an alternative method to access your Stealthwatch appliances for any future service needs, using one of the following methods for your hardware or virtual machine.

Hardware

• Console (serial connection to console port): Refer to the latest Stealthwatch Hardware Installation Guide to connect to the appliance using a laptop or a keyboard and monitor. https://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.html

• iDRAC Enterprise (Dell appliances): Refer to the latest documentation for your platform. iDRAC Enterprise requires a license, and iDRAC Express does not allow console access. If you do not have iDRAC Enterprise, direct console or SSH can be used.


• CIMC (UCS appliances): Refer to the latest Cisco guide for your platform at https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/cli/config/guide/b_Cisco_CIMC_CLI_Configuration_Guide/Cisco_CIMC_CLI_Configuration_Guide_chapter1.html

Virtual Machines

• Console (serial connection to console port): Refer to the latest KVM or VMware documentation for your appliance installation.

  • For example, for KVM, see the Virtual Manager documentation.

  • For VMware, see the vCenter Server Appliance Management Interface documentation for vSphere.

Additional Option

If you cannot log in to the appliance using the virtual or hardware methods, you can enable SSH on the appliance network interface temporarily.

When SSH is enabled, the system's risk of compromise increases. It is important to enable SSH only when you need it. When you are finished using SSH, disable it.

Enabling SSH in Central Management

Open SSH

Use the following instructions to open SSH for a selected appliance.

1. Open Central Management > Appliance Manager.
2. Click the Actions menu for the appliance.
3. Select Edit Appliance Configuration.
4. Select the Appliance tab.

Enable SSH

1. Locate the SSH section.
2. Select whether to enable SSH access only or to also enable root access.

• Enable SSH: To allow SSH access on the appliance, check the check box.


• Enable Root SSH Access: To allow root access on the appliance, check the check box.

3. Click Apply Settings.
4. Follow the on-screen prompts.

When SSH is enabled, the system's risk of compromise increases. It is important to enable SSH only when you need it. When you are finished using SSH, disable it.

Enabling SSH in Appliance Admin Interface

Use the following instructions to open SSH for a selected appliance through the Appliance Admin Interface.

1. Log in to the Appliance Admin interface.
2. Click Configuration > Services.
3. Check the Enable SSH check box to allow access to SSH.
4. Check the Enable Root SSH Access check box to also allow access to root.
5. Click Apply.

When SSH is enabled, the system's risk of compromise increases. It is important to enable SSH only when you need it. When you are finished using SSH, disable it.

Identify and Remove Exporters for SWD-13346

Complete the following steps to identify and remove exporters to alleviate CPU strain for SWD-13346:

Please review the following steps and if you are unsure if this issue is impacting your environment, or for assistance with identifying potentially related exporters, please contact Stealthwatch Customer Support.

1. Remove any external cron jobs created to periodically restart tomcat in order to manage this issue, if applicable.

2. Install this release using the Stealthwatch Update Guide v7.0.x to v7.1.2. Once installation is complete, proceed to step 3.

3. To determine if you have any exporters being flagged as identity exporters, log in to the command line interface of the SMC and run the following command:


#grep 'identity-source="true"' /lancope/var/smc/config/domain_*/exporter*.xml

Example:
#grep 'identity-source="true"' /lancope/var/smc/config/domain_*/exporter*.xml

/lancope/var/smc/config/domain_102/exporter_1855_192.168.1.1.xml:<exporter ip="192.168.1.1" exporter-type="exporter" identity-source="true">

Questionable exporters can be identified by the absence of an "id" field at the end of the exporter line (example above).

Below is an example of how the newly generated xml should appear:

Example:
<exporter ip="192.168.1.1" exporter-type="exporter" identity-source="true" id="1">

If any files were identified, continue to step 4. If no files were identified, no further action is needed.

4. Stop the tomcat process so that the files can be removed, using the following command:

#systemctl stop lc-tomcat.service

5. Use the list of files output from step 3 and remove them using the following command:

#rm -f <path_to_xml_file>

6. Log in to the command line interface of the Flow Collector receiving flow from the exporters found in step 3. Manually remove these same exporters from the exporters.xml file:

a. Stop the Flow Collector engine using the following command:
>systemctl stop engine.service

b. Using the following command, cd to the Flow Collector's config directory:
>cd /lancope/var/sw/today/config

c. Make a backup copy of exporters.xml:
>cp exporters.xml /lancope/var/exporters.xml.bak

d. Use vi or your preferred editor to remove the exporters found in step 3. Below is an example of what a given exporter stanza might look like. Search for the IP in question and remove the content between the "exporter" tags. Be sure to save the file when complete.


Example:
<exporter ip="192.168.1.1">
<interface if-index="1" active="1" speed-in="1000000000" speed-out="1000000000" threshold-in="90" threshold-out="90"/>
</exporter>

7. Restart the Flow Collector engine using the following command:

#systemctl start engine.service

8. Return to the SMC SSH console and start the tomcat process again using the following command:

#systemctl start lc-tomcat.service

9. Log out of both consoles. These changes should allow for the re-creation of the exporter configuration files related to your identity type appliances.

These new configuration files will be formatted correctly and alleviate the CPU strain that was previously caused by this issue.
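The following POSIX shell script is an added example and is not part of the Cisco release notes: it automates the check in step 3 (exporter files flagged identity-source="true" whose exporter line lacks an id attribute) and the stanza removal in step 6d, and exercises both on a constructed sample configuration in a temporary directory. The directory layout and file names mirror the paths quoted in the steps above; the function names are this example's own.

```shell
#!/bin/sh
# Added example for the SWD-13346 procedure; not from the Cisco release notes.
# Lists SMC exporter files whose <exporter ...> tag carries identity-source="true"
# but no id="..." attribute (the "questionable" files the procedure removes).
# $1 is the config directory (on an SMC: /lancope/var/smc/config).
find_questionable_exporters() {
    config_dir="$1"
    # Step 3's grep, restricted to file names; stderr silenced for an empty glob.
    grep -l 'identity-source="true"' "$config_dir"/domain_*/exporter*.xml 2>/dev/null |
    while IFS= read -r f; do
        # A correctly regenerated file has id="..." on the <exporter> line.
        if ! grep -Eq '<exporter [^>]*[[:space:]]id="[^"]*"' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Step 6d without an interactive editor: drop the stanza for one exporter IP
# from a Flow Collector exporters.xml. A backup copy is written first (step 6c).
# $1 is the exporter IP, $2 the exporters.xml path.
drop_exporter_stanza() {
    ip="$1"; file="$2"
    cp "$file" "$file.bak"
    # The closing quote in the needle keeps 192.168.1.1 from matching 192.168.1.10.
    awk -v needle="<exporter ip=\"$ip\"" '
        index($0, needle)                { skip = 1 }
        !skip                            { print }
        skip && index($0, "</exporter>") { skip = 0 }
    ' "$file.bak" > "$file"
}

# Constructed sample data (not real appliance output): three SMC exporter files,
# one of them missing the id attribute, plus a Flow Collector exporters.xml.
make_sample_config() {
    dir=$(mktemp -d)
    mkdir -p "$dir/domain_102" "$dir/fc"
    printf '%s\n' '<exporter ip="192.168.1.1" exporter-type="exporter" identity-source="true">' \
        '</exporter>' > "$dir/domain_102/exporter_1855_192.168.1.1.xml"   # no id: questionable
    printf '%s\n' '<exporter ip="192.168.1.2" exporter-type="exporter" identity-source="true" id="2">' \
        '</exporter>' > "$dir/domain_102/exporter_1856_192.168.1.2.xml"   # regenerated correctly
    printf '%s\n' '<exporter ip="192.168.1.3" exporter-type="exporter" identity-source="false">' \
        '</exporter>' > "$dir/domain_102/exporter_1857_192.168.1.3.xml"   # not an identity source
    printf '%s\n' '<exporters>' \
        '<exporter ip="192.168.1.1">' \
        '<interface if-index="1" active="1" speed-in="1000000000" speed-out="1000000000" threshold-in="90" threshold-out="90"/>' \
        '</exporter>' \
        '<exporter ip="192.168.1.10">' \
        '<interface if-index="1" active="1"/>' \
        '</exporter>' \
        '</exporters>' > "$dir/fc/exporters.xml"
    printf '%s\n' "$dir"
}

# Stand-alone run: report the questionable files, then show the stanza removal.
demo() {
    sample=$(make_sample_config)
    echo "Questionable exporter files:"
    find_questionable_exporters "$sample"
    drop_exporter_stanza 192.168.1.1 "$sample/fc/exporters.xml"
    echo "exporters.xml after removing 192.168.1.1:"
    cat "$sample/fc/exporters.xml"
    rm -rf "$sample"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the report on the constructed sample; point find_questionable_exporters at the real config directory only after tomcat has been stopped as in step 4.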

After You Update

After updating your appliances, please install the required patch:

• patch-smc-ROLLUP002-7.1.2-02.swu or later

Review the patch readme files on the Stealthwatch Download and License Center for details.


What's New

These are the new features and improvements for the Stealthwatch System v7.1.2 release:

New Alarms

Exporter Alarms

Added a Flow Collector Longest Export Exceeded alarm to help identify misconfigured exporters (LSQ-3372). This alarm is triggered when the flow duration from an exporter has exceeded the threshold setting. If not remedied, inaccurate flow and interface stats will be generated.

You can enable/disable this alarm on the Flow Collector Properties dialog.

Cisco Threat Response Integration

Cisco Threat Response (CTR) is the platform in the Cisco cloud that helps you detect, investigate, analyze, and respond to threats using data aggregated from multiple products and sources.

This integration allows you to use the Cisco Threat Response Pivot menu and the Cisco Threat Response Casebook in your SMC appliance UI, send Stealthwatch alarms to Cisco Threat Response, and allows CTR to retrieve information about security events from your Stealthwatch deployment during the investigation process.

For more information, refer to the Cisco Stealthwatch and Threat Response Integration Guide.

TACACS+

Terminal Access Controller Access-Control System (TACACS+) is a protocol that supports authentication and authorization services and allows a user to access multiple applications with one set of credentials. To configure TACACS+ for Stealthwatch, follow the instructions in the TACACS+ Configuration Guide.

• User Names: Make sure all user names are unique.

• User Roles: For an authorized user login, assign an identity group to each user and configure each identity group with a shell profile. For each shell profile, you can assign the Master Admin role or create a combination of non-admin roles. If you create a combination of non-admin roles, make sure it meets the requirements.


Earlier Versions

If you've configured TACACS+ in earlier versions of Stealthwatch (v7.1.1 or earlier), make sure you create new users with unique names for Stealthwatch v7.1.2. We do not recommend using or duplicating the user names from earlier versions of Stealthwatch. Refer to the TACACS+ Configuration Guide for details.

TACACS+ and ISE

In Stealthwatch v7.1.2, you can configure TACACS+ with Cisco Identity Services Engine (ISE). This configuration enables your TACACS+ users on ISE to log in to Stealthwatch with their TACACS+ credentials.

• Install and configure ISE using the instructions in the ISE documentation for your engine.

• Configure TACACS+ using the instructions in the TACACS+ Configuration Guide. Follow the instructions in the TACACS+ Configuration Guide to log in to ISE and configure your TACACS+ users.

Cognitive Integration Enhancements

To see the full list of monthly enhancements for the Cognitive engine, refer to the Cognitive Release Notes.

Contacting support

If you need technical support, please do one of the following:

• Contact your local Cisco Partner

• Contact Cisco Stealthwatch Support
  o To open a case by web: http://www.cisco.com/c/en/us/support/index.html
  o To open a case by email: [email protected]
  o For phone support: 1-800-553-2447 (U.S.)
  o For worldwide support numbers: www.cisco.com/en/US/partner/support/tsd_cisco_worldwide_contacts.html


What's Been Fixed

This section summarizes fixes made in this release for issues (bugs/defects) reported by customers in previous releases. The Stealthwatch Defect (SWD, LSQ, or LVA) number is provided for reference.

Version 7.1.2

Defect Description

SWD-11995: Added a new error message for insufficient storage when attempting to upload a SWU file.

SWD-12307: Fixed an issue where the Security Group Tags (SGT) were not reflected correctly and were not allowed to reset to 0, and Subject Trust Sec Names (SGN) were not shown in the Flow Table. (LSQ-3881)

SWD-12341: Fixed an error that caused all archived folders before "today" to be deleted after a Flow Collector engine restart. (LSQ-3864)

SWD-12456: Historically, address scans added 4,000 points to the Concern Index plus a number called the "hit count" every time the event occurred. The "hit count" represented the number of times the event occurred. This has been changed to add just the 4,000 points when the event occurs and not to add the "hit count", so that it now matches the documentation. (LSQ-3701)

SWD-12460, SWD-12689: Truncated and rounded off the decimal part of bytes with the predefined filter available. (LSQ-3868)

SWD-12491: The Flow Collector engine now sets "hasMore" to true as long as the "total" combined records from both memory and the DB exceed the requested number set in limit, so that the "more records available" message is shown in the security events transaction report. (LSQ-3995)

SWD-12648: Corrected an issue causing data to be written to the DB (daily) with invalid time stamps. (LSQ-4057)


SWD-12670: MAC violation alarms are now properly generated. (LSQ-4062)

SWD-12678: Merged export_delay default value changes from 6.10 to 7.x. The default value will be set to the new default on FS engine startup when an older config XML file is present. (LSQ-4107)

SWD-12679: The SNMP trap now uses the correct MIB for "Flow Collector Database Channel Down". (LSQ-4051)

SWD-12712: Fixed an issue that was causing Tomcat to crash when the FPS rate on the FC4K was higher than 400K.

SWD-12724: Fixed an error where the Flow Collector engine wrote malformed "username" field values in security_event, causing Vertica parsing errors. (LSQ-4117)

SWD-12996: Added new docker services to filter and display in the Endpoint Concentrator Admin UI. (LSQ-4165)

SWD-13000: Fixed an error where the Stealthwatch Desktop Client wasn't communicating with the Flow Collector and secondary SMC for licensing. (LSQ-4129)

SWD-13096: Added a warning dialog to inform the user that their summary data will be lost if they remove a flow collector from the SMC inventory.

SWD-13097: Fixed an issue where, after upgrading, the FC and FCDB were giving license errors and dropping flows. (LSQ-4224)

SWD-13123: Fixed an issue where setting up SSO would cause an "AccessDeniedException" error. (LSQ-4518, LSQ-4594)

SWD-13235: Fixed an issue with updating Exporter SNMP configurations through an API call. (LSQ-4277)

SWD-13257: Changed the host group name filtering based on the search parameter. (LSQ-4185)


SWD-13284: Updated diagnostic packs to include nginx access.log. (LSQ-4232, LSQ-4241, LSQ-4308)

SWD-13299: Added event ID checks against default New/Max flows. (LSQ-4359)

SWD-13301: Added filter creation logic while pivoting from top ports to top hosts. (LSQ-4360)

SWD-13311: Fixed an issue where you were unable to Export All configuration for a domain. (LSQ-4422)

SWD-13315: Fixed an issue where Google Analytics was disabled after performing a configuration restore.

SWD-13316: Fixed an issue where resync failed due to a 504 gateway timeout and led to a config channel down in the secondary SMC. (LSQ-4333)

SWD-13321: Fixed an issue where a Power Analyst's Classify Hosts capability was missing in the Host Report page. (LSQ-4493)

SWD-13342: Fixed an issue where Customer Success Metrics was disabled after performing a configuration restore.

SWD-13346: Fixed a problem related to high CPU load averages on the SMC caused by identity exporters being incorrectly categorized. (LSQ-4221) If you are experiencing higher than normal CPU load averages due to this issue, you will need to install this release and then complete additional actions to ensure that these exporters' xml files are regenerated correctly. Please review the Identify and Remove Exporters steps and, if you are unsure if this issue is impacting your environment, or for assistance with identifying potentially related exporters, please contact Stealthwatch Customer Support.

SWD-13353: Fixed an issue where dashboards were only displaying on the primary SMC.

SWD-13408: Fixed an issue where a GETBULK function used was not supported in SNMPv1. (LSQ-4407)

SWD-13454: Added ICLOUD and OFFICE365 to the INSTANT_MESSAGING filter to prevent the Fake App alarm from alerting. (LSQ-4293)

SWD-13461: Fixed an issue where the upgrade to 7.1.1 was not shown in the install log. (LSQ-4447)

SWD-13521: Added revocation checking for intermediate certificates.

SWD-13637: Fixed an issue where the repeat poll interval was not being applied for saved SNMP Profile configurations. (LSQ-4481)

SWD-13721: Fixed an issue where SNMP polling was creating high CPU utilization. (LSQ-4265) For optimal system performance, set SNMP polling to a 24 hour interval.

SWD-13722: Fixed an issue with running Flow Queries in the Desktop Client. (LSQ-4520)

SWD-13731: Fixed an issue where the FlowAggregator was using all available Vertica sessions and disabling the database.

SWD-13796: Fixed an issue where the Process Control Block code was being referenced prior to its initialization. (LSQ-4512)

SWD-13801: Fixed an issue with cache refresh causing Tomcat to become unstable when establishing failover.

SWD-13802: Added a new script to handle the enforce-root-login service. (LSQ-4476)

SWD-13810: Updated the service "sw-flow-aggregator" to use the apache http-client instead of the akka-http client. (LSQ-4534)

SWD-13881: Updated the Installation and Configuration Guide to include that SSO is not supported with Integrated Windows Authentication (IWA).

SWD-13915: Fixed an issue where the Desktop Client took too long to load. (LSQ-4636)

SWD-13941: Updated the Service Definitions XML to reduce excess alarms. (LSQ-4631)

Version 7.1.1

Defect Description More Information

LVA-1248: Updated the Linux kernel. More information: CVE-2019-3846, CVE-2019-5489, CVE-2019-10126, CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-11810, CVE-2019-11833, CVE-2019-11884

SWD-12014: Fixed an issue that caused the following message: SMCFailoverSession resync failed: 504 Gateway Time-out on sendSnapshot. More information: LSQ-3853, LSQ-4218


SWD-12031: Removed the Flow Sensor's vm-server name info from the enterprise tree. More information: LSQ-3859

SWD-12150: Removed the scaled value of 1000 for flow related alarms. More information: LSQ-3948

SWD-12989: Fixed an issue where downloading a larger SMC configuration backup file failed. More information: LSQ-4132

Version 7.1.0

Defect Description

LVA-625: Updated file and directory permissions to be more restrictive. (LSQ-3719)

LVA-626: Added a value tag in server.xml to hide the server info. (LSQ-3720)

SWD-8351: Fixed the x-axis time values on the Flow Collection Trend graph. (LSQ-3748)

SWD-9749: The Cyber Threat document failed to generate. (LSQ-3311) Enable the "suppress empty file" check box when configuring or scheduling a document.

SWD-10546: Added a check to make sure the Flow Collector engine is up before the SMC sends configuration changes. (LSQ-3466)

SWD-10971: Filtering the Flow Table by payload and username failed with a 500 internal server error. (LSQ-3630) Fixed the Flow Table filter xml sequence issue.

SWD-10995: Updated the Flow Collector to correct permissions on configuration files when needed. (LSQ-3624)


SWD-11013: Deleting a domain on the primary SMC did not remove it from the secondary SMC in a failover pair. (LSQ-3479) The entire configured call list of the selected domain is now sent to the secondary SMC on deletion.

SWD-11286: Updated the supported VMware versions in the documentation. (LSQ-3662)

SWD-11310: Updated the fileshare password field to accept the special character |. (LSQ-3665)

SWD-11311: Updated the User Details field for Subject and Peer on the Flow Search page to allow usernames with special characters and wildcard characters. (LSQ-3667)

SWD-11379: Added support for the underscore character in the ST_Value pattern of /lancope/admin/lib/system.xsd. (LSQ-3678)

SWD-11673: Corrected several object types from String to Integer in the SNMP MIB and added handling of the variables in newly installed systems. (LSQ-3694)

SWD-11833: Fixed an issue where no alarms were found when selecting Concern Index Alarms for a user. (LSQ-3778)

SWD-11861: On the Host Group Trends table, the ICMP Name column labels and tool tips have been corrected to display "Average ICMP Packets Sent ()". (LSQ-3786)

SWD-11925: Fixed a validation issue in the Custom Security Events configuration. (LSQ-3800)

SWD-11961: Added an Advanced Setting to only allow the first NBAR application ID to be set into the flow, to prevent multiple fake application alarms. To disable, set allow_nbar_app_id_migration to 1 on your Flow Collectors. (LSQ-3789)


SWD-11991: Fixed an issue where previously created Response Management Rules could not be edited. (LSQ-3847)

SWD-12010, SWD-12044: Enhanced the engine to make use of the port definitions in application_definitions.xml, which includes Custom Applications. If you have Custom Applications defined using port definitions, the engine now utilizes those definitions in determining the client/server relationship in flows. (LSQ-3824)

SWD-12071: Fixed an issue where the Alarming Hosts widget failed to load data. (LSQ-3785)

SWD-12074: Fixed an issue where users were unable to edit forwarding rules on a UDP Director. (LSQ-4184)

SWD-12078: Corrected an issue that showed flow duration for more than 34 days when "start_time" was unchanged in flow records. (LSQ-3734)

SWD-12234: Timeout values in nginx were increased in order to handle long-duration queries.

SWD-12291: Added extra pointer validation checks around the area where the engine was seen crashing, and added a feature to save a copy of the SLIC feed file being processed when the engine crashes during the SLIC feed update. The file will be included in a diagnostic pack and can then be analyzed by Cisco to determine if it is the data in the SLIC feed itself causing the crash.

SWD-12303: Changed the baselining code to re-baseline all hosts every time the engine is restarted. (LSQ-3955)

SWD-12337: Fixed an issue where Active Directory configuration would not accept more than one Domain Controller. (LSQ-4122/4161/4175)

SWD-12419: Fixed a problem where the traffic for each host was not being archived properly into the traffic trends files. (LSQ-3988)


SWD-12463: Fixed an issue where data in Central Management Appliance Support (Audit Logs, Backup/Restore Configuration Files) was not viewable.

SWD-12575: Fixed the issue in the upgrade process that caused Juniper Flow to go to "0% decode" after a 6.8.3 to 6.10.4 upgrade. (LSQ-4084)

SWD-12670: MAC violation alarms are now properly generated. (LSQ-4062)

SWD-12710: Fixed an issue with Flow Sensor 4k timeout handling. (LSQ-4107)

SWD-12996: Added new docker services to filter and display in the Endpoint Concentrator Admin UI. (LSQ-4165)

SWD-13289: Added space to the root partition, which is required for appliances with a 5 GB root partition. Follow the instructions in the Stealthwatch® Update Guide v7.0.x to v7.1.1.


Known Issues

This section summarizes issues (bugs) that are known to exist in this release. Where possible, workarounds are included. The defect number is provided for reference.

Defect Number / Description / Workaround

SWD-7655
Description: The generation of a diagnostics pack may fail in large systems as a result of timing out.
Workaround: To overcome this, open the SSH console for the appliance and run this command: doDiagPack. This will allow the generation of the diagnostic pack without timing out. The diagnostic pack can be downloaded using Browse File in the /admin/diagnostics folder, and it can be copied off the box using SCP.

SWD-8197
Description: The Flow Sensor was not detecting enough applications.
Workaround: To provide more accurate application classification, we updated the third-party library for Application Identification. Due to this update, some traffic will no longer be classified as it was in prior versions and support has been removed for a variety of applications. Updates to the applications supported are dependent on future releases from the third-party library.

SWD-8673
Description: SystemConfig special character fonts look bad when using the SecureCRT client in ANSI mode.
Workaround: To overcome this, disable ANSI Color when connecting or use a different client to view the SystemConfig script.

SWD-9052
Description: Offline license activation failing or "Storage Binding Break" error.
Workaround: This error may occur if you moved a virtual machine, uploaded a license more than once, or if the license is corrupted. Please contact Stealthwatch Customer Community for assistance.

SWD-9563
Description: When you log in to the Stealthwatch Web App using Internet Explorer v11 and at any point you refresh the Home page, the Desktop Client drop-down arrow and the three navigation icons to the left of this list (top right corner of page) disappear. These three icons include the following:

• Search (magnifying glass icon)
• Help (person icon)
• Global Settings (gear icon)

Additionally, the fonts look different from how they appear when displayed using other browsers.
Workaround: Close the browser and log in again.

SWD-11822 (LVA-664)
Description: Stealthwatch has made a modification to interface API encoding that takes effect beginning with v7.0. When configuring a query parameter for the related endpoints, you can no longer use un-escaped characters within the URI.
Workaround: In order for your integration with this API to function correctly, you must do the following:

For all endpoints related to the following:

/tenants/{tenantId}/devices/{deviceId}/exporters/{exporterIp}/interfaces/{interfaceId}

Filters such as start or end time need to be formatted as this:

filter%5bstartTime%5d

Not this:

filter[startTime]
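As an added example (not from the release notes or Cisco's own code), the following Python helper builds a request URL for the endpoint above with every filter key percent-encoded, flags an existing integration URL that still uses the unescaped form, and decodes the encoded query back to confirm it round-trips. The base URL, tenant/device/interface IDs and exporter IP are constructed placeholders, and the filter parameter names are assumed to follow the filter[name] pattern shown in the note.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Path template quoted in the SWD-11822 workaround above.
INTERFACE_PATH = ("/tenants/{tenantId}/devices/{deviceId}"
                  "/exporters/{exporterIp}/interfaces/{interfaceId}")


def _lower_escapes(s: str) -> str:
    """Rewrite %XX escapes in lowercase so output matches the form the note
    shows (filter%5bstartTime%5d). RFC 3986 treats the hex digits
    case-insensitively, so %5B and %5b decode identically."""
    return re.sub(r"%[0-9A-Fa-f]{2}", lambda m: m.group(0).lower(), s)


def encode_filter_key(name: str) -> str:
    """'startTime' -> 'filter%5bstartTime%5d': brackets are percent-encoded,
    the parameter name itself is left as written."""
    return _lower_escapes(quote(f"filter[{name}]", safe=""))


def build_interface_url(base_url, tenant_id, device_id, exporter_ip,
                        interface_id, filters):
    """Assemble the interface endpoint URL with each path segment and each
    filter[...] query parameter percent-encoded."""
    path = INTERFACE_PATH.format(
        tenantId=quote(str(tenant_id), safe=""),
        deviceId=quote(str(device_id), safe=""),
        exporterIp=quote(str(exporter_ip), safe=""),
        interfaceId=quote(str(interface_id), safe=""),
    )
    query = "&".join(
        f"{encode_filter_key(k)}={_lower_escapes(quote(str(v), safe=''))}"
        for k, v in filters.items()
    )
    return f"{base_url.rstrip('/')}{path}" + (f"?{query}" if query else "")


def has_unescaped_brackets(url: str) -> bool:
    """True if the query string still carries a raw '[' or ']', i.e. the
    pre-7.0 form that the note says no longer works."""
    query = urlsplit(url).query
    return "[" in query or "]" in query


def decode_filters(url: str) -> dict:
    """Decode the filter[...] parameters back to {name: value}; shows that the
    encoded form yields the same keys the API expects."""
    decoded = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        m = re.fullmatch(r"filter\[(.+)\]", key)
        if m:
            decoded[m.group(1)] = values[0]
    return decoded


if __name__ == "__main__":
    # Constructed sample values; the host, IDs and exporter IP are placeholders.
    url = build_interface_url(
        "https://smc.example.invalid", 1, 2, "10.0.0.1", 3,
        {"startTime": "2020-01-01T00:00:00Z", "endTime": "2020-01-02T00:00:00Z"},
    )
    print(url)
    print("unescaped brackets present:", has_unescaped_brackets(url))
    print("decoded filters:", decode_filters(url))
```

Running has_unescaped_brackets over the URLs an existing integration generates is a quick way to find the call sites that need the encoded form before upgrading to v7.0 or later.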

SWD-11929
Description: The SMC desktop client does not launch over IPv6 on Mac.
Workaround: None currently available.

SWD-12141
Description: When installing the pre-SWU patch using the SMC System Management page, the Update Status may continue to show "Waiting to install."
Workaround: The message might not clear, but it does not block the update. Check the log to confirm the pre-SWU patch was installed successfully. Make sure you follow the Finalize procedure in the Stealthwatch Update Guide.

SWD-12574
Description: If a user logs in to the command line interface without any failed attempts, the EPOCH date (January 1, 1970) might be shown.
Workaround: None currently available.

SWD-13089
Description: Changing the appliance IP address, host name, or network domain name may fail.
Workaround: Before you change an appliance IP address, host name, or network domain name using the Appliance Setup Tool or System Config, review the instructions in Stealthwatch Online Help.

You will remove the appliance from Central Management as part of the procedure.

Also, confirm the following:

• Before you remove the appliance from Central Management, make sure the Appliance Status is shown as Up.

• After you remove the appliance from Central Management, the appliance certificates are removed from the SMC automatically. Check the other appliance trust stores in your cluster. If the appliance identity certificate (of the appliance you are changing) is saved to other appliance trust stores, delete it.

• After you change the appliance IP address, host name, or network domain name, use the Appliance Setup Tool to add the appliance to Central Management.

SWD-13154
Description: We've added process improvements to Stealthwatch Flow Collectors as part of this software update. The update may take up to 2 hours to finish.

Make sure the Flow Collector update is completed and the appliance status is shown as Up before you update the next appliance in your cluster.

Flow Collector 5000 Series: Make sure the database update is completed and the appliance status is shown as Up before you start the engine update. Then, make sure the engine update is completed and the appliance status is shown as Up before you update the next appliance in your cluster.
Workaround: None currently available.

SWD-13964
Description: The database restore does not include the encrypted configuration backup.
Workaround: To overcome this, perform the database restore without restoring the configuration backup by adding -r to the doDbRestore command, then manually restore the encrypted backup.

SWD-13968
Description: The ANC Query does not run, causing the Network Classification page to not provide any Potential Network Scanners.
Workaround: Fixed in patch-smc-ROLLUP002-7.1.2-02.swu.

SWD-14671
Description: Unable to log in to the appliance SSH as root user from CIMC/iDRAC Serial-Over-Lan connection.
Workaround: This will be fixed in a future release.

SWD-14940
Description: DBNode Retention Manager drops partitions during long database backup periods.
Workaround: We've added procedures to back up your database that include trimming the database and deleting snapshots after the backup. Make sure you follow the instructions in the Stealthwatch Update Guide v7.0.x to v7.1.2.

For assistance, please contact Cisco Stealthwatch Support.

SWD-15027
Description: Some users are unable to change passwords for any appliance after upgrade.
Workaround: Your system is at risk for this issue if you have not changed your passwords since v6.9.x.

Before the Upgrade: To prevent this issue, change your admin password and all user passwords for each appliance before you upgrade to v7.1.2.

For instructions, refer to the Stealthwatch System Update Guide v7.0.x to 7.1.2.

After the Upgrade:

1. Reset the admin password on each appliance using the Installation and Configuration Guide.

2. If any users encounter this issue, reset user passwords as follows:

   SMC: Log in to the SMC as the admin user. Select the Global Settings icon > User Management.

   Other Appliances: Log in to the appliance as the admin user. Select Manage Users > Add/Edit/Delete Users.

SWD-15570
Description: Typos in Command to Delete Flow Collector Snapshots.
Workaround: The command to delete Flow Collector snapshots as part of the Back up Database instructions is incorrect in the update guide.

Use the following command to delete SMC and Flow Collector database snapshots:

/opt/vertica/bin/vsql -U dbadmin -w lan1cope -c "select remove_database_snapshot('StealthWatchSnap1');"

Also, make sure you delete the database snapshots on the SMC and the Flow Collector.

SWD-15623
Description: Error retrieving data on SMC/Flow Collector database.
Workaround: The command to delete Flow Collector snapshots as part of the Back up Database instructions is incorrect in the update guide.

Use the following command to delete SMC and Flow Collector database snapshots:

/opt/vertica/bin/vsql -U dbadmin -w lan1cope -c "select remove_database_snapshot('StealthWatchSnap1');"

Also, make sure you delete the database snapshots on the SMC and the Flow Collector.

NA
Description: On the Flow Sensor VE, "Export Application Identification" is off by default.
Workaround: To enable application identification, this advanced setting will need to be manually selected.

NA
Description: External Services, e.g. Cognitive Analytics, do not work when FIPS Encryption Libraries is enabled.
Workaround: In previous releases, enabling both External Services and FIPS Encryption Libraries was not supported, but it did not interfere with External Services functionality. For v7.1 and later, if you wish to enable Cognitive Analytics or another External Service, you must disable FIPS.


Release Support Information

Official General Availability (GA) date for Release 7.1 is Aug. 19, 2019.

For support timeline information regarding general software maintenance support, patches, general maintenance releases, or other information regarding Cisco Stealthwatch Release Support lifecycle, please refer to Cisco Stealthwatch® Software Release Model and Release Support Timeline Product Bulletin.


Copyright Information

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved.