Stealthwatch Release Notes v7.0 - Cisco · Introduction Overview Thisdocumentprovidesinformationonnewfeaturesandimprovements,bugfixes,and knownissuesfortheStealthwatchSystemv7.0.3release

Cisco StealthwatchReleaseNotes 7.0.3

Table of ContentsIntroduction 4

Overview 4

Terminology 4

Before You Update 4

Software Version 4

3rd Party Applications 5

Hardware 5

Browsers 5

Alternative Access 5

Hardware 5

Virtual Machines 6

Additional Option 6

Enabling SSH in Central Management 6

Open SSH 6

Enable SSH 6

Enabling SSH in Appliance Admin Interface 7

After You Update 7

Upgrade Issue 7

Identify and Remove Exporters for SWD-13346 7

Installing the Stealthwatch Desktop Client 9

Install the Desktop Client Using Windows 10

Change the memory size 10

Install the Desktop Client Using macOS 11

Change the memory size 12

Contacting support 13

What's Been Fixed 14

Version 7.0.3 14

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved. - 2 -

Version 7.0.2 17

Version 7.0.0 21

Known Issues 32

Release Support Information 38


IntroductionOverviewThis document provides information on new features and improvements, bug fixes, andknown issues for the Stealthwatch System v7.0.3 release. For additional informationabout the Stealthwatch System, go to Cisco.com. For all features included inStealthwatch v7.0, refer to the release notes for each previous version: v7.0.0 andv7.0.2.

TerminologyThis guide uses the term “appliance” for any Stealthwatch product, including virtual productssuch as theStealthwatch Flow Sensor Virtual Edition (VE).

A "cluster" is your group of Stealthwatch appliances that are managed by theStealthwatch Management Console (SMC).

Most appliances are managed by the SMC. If an appliance is not managed by the SMC,such as an Endpoint Concentrator, it is described as a "stand-alone appliance."

Before You UpdateBefore you begin the update process, review the update guide for your currentStealthwatch version:

l v6.10.x: Please review the Stealthwatch® Update Guide v6.10.x to v7.0.3.l v7.0.0: Please review the Stealthwatch® Update Guide v7.0.0 to v7.0.3.

Software VersionTo update the appliance software to version 7.x, the appliance must have 6.10.2, or laterversion of 6.10.x, or 7.0.x installed. It is also important to note the following:

l Patches: Make sure you install the latest patches on your appliances before youupgrade. For details, log in to the Stealthwatch Download and License Center athttps://stealthwatch.flexnetoperations.com.

l Update your appliance software versions incrementally. For example, if youhave Stealthwatch v6.9.x, make sure you update each appliance from v6.9.x tov6.10.x., and then update from 6.10.x to 7.0.x. Each update guide is available onCisco.com.


Introduction

https://www.cisco.com/c/en/us/support/security/stealthwatch/tsd-products-support-series-home.htmlhttps://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/release_notes/SW_7_0_0_Release_Notes_DV_1_5.pdfhttps://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/release_notes/SW_7_0_2_Release_Notes_DV_4_0.pdfhttps://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.htmlhttps://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.htmlhttps://stealthwatch.flexnetoperations.com/https://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.html

l Downgrades:Version downgrades are not supported becauseof update changes indata structures and configurations that are required to support new features installedduring the update.

l TLS: Stealthwatch requires TLS v1.1 or later.l For increased security, we recommend updating the IDentity 1000/1100appliance to v3.3.0.x to take advantage of the new openSSL version with TLS 1.2.

3rd Party ApplicationsStealthwatch does not support installing 3rd party applications on appliances.

HardwareTo view the supported hardwareplatforms for each system version, refer to theHardware andVersion Support Matrix.

Browsers

l Compatible Browsers: Stealthwatch supports the latest version of Chrome,Firefox, and Edge.

l Microsoft Edge: There may be a file size limitation with Microsoft Edge. We donot recommend using Microsoft Edge to upload the software update files (SWU).

l Shortcuts: If you use browser shortcuts to access the Appliance Admin interfacefor any of your Stealthwatch appliances, the shortcuts may not work after theupdate process is complete. In this case, delete the shortcuts and recreate them.

Alternative AccessUse the following instructions to enable an alternative method to access yourStealthwatch appliances for any future service needs.

It is important to enable an alternative method to access your Stealthwatchappliances for any future service needs, using one of the following methods foryour hardware or virtual machine.

Hardware

l Console (serial connection to console port): Refer to the latest StealthwatchHardware Installation Guide to connect to the appliance using a laptop or akeyboard and monitor.https://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.html


Introduction

https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/SW_7_0_0_Hardware_Software_Matrix_DV_1_0.pdfhttps://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/SW_7_0_0_Hardware_Software_Matrix_DV_1_0.pdfhttps://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.htmlhttps://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.htmlhttps://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.htmlhttps://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.html

l iDRAC Enterprise (Dell appliances): Refer to the latest documentation for yourplatform. Note that iDRAC Enterprise requires a license, and iDRAC Expressdoes not allow console access. If you do not have iDRAC Enterprise, directconsole or SSH can be used.

l CIMC (UCS appliances): Refer to the latest Cisco UCSguide for your platform at https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/cli/config/guide/b_Cisco_CIMC_CLI_Configuration_Guide/Cisco_CIMC_CLI_Configuration_Guide_chapter1.html

Virtual MachinesConsole (serial connection to console port): Refer to the latest KVM or VMwaredocumentation for your appliance installation.

Additional OptionIf you cannot log in to the appliance using the virtual or hardware methods, you canenable SSH on the appliance network interface temporarily.

When SSH is enabled, the system’s risk of compromise increases. It isimportant to enable SSH only when you need it. When you are finished usingSSH, disable it.

Enabling SSH in CentralManagement

Open SSHUse the following instructions to open SSH for a selected appliance.

1. Open Central Management > Appliance Manager.2. Click Actionsmenu for the appliance.3. Select Edit Appliance Configuration.4. Select the Appliance tab.

Enable SSH

1. Locate the SSH section.2. Select whether to enable SSH access only or to also enable root access.

l Enable SSH: To allow SSH access on the appliance, check the check box.


Introduction

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/cli/config/guide/b_Cisco_CIMC_CLI_Configuration_Guide/Cisco_CIMC_CLI_Configuration_Guide_chapter1.htmlhttps://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/cli/config/guide/b_Cisco_CIMC_CLI_Configuration_Guide/Cisco_CIMC_CLI_Configuration_Guide_chapter1.htmlhttps://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/cli/config/guide/b_Cisco_CIMC_CLI_Configuration_Guide/Cisco_CIMC_CLI_Configuration_Guide_chapter1.html

l Enable Root SSH Access: To allow root access on the appliance, check thecheck box.

3. Click Apply Settings.4. Follow the on-screen prompts.


Enabling SSH in Appliance Admin InterfaceUse the following instructions to open SSH for a selected appliance through theAppliance Admin Interface.

1. Log in to the Appliance Admin interface.2. Click Configuration > Services.3. Check the Enable SSH check box to allow access to SSH.4. Check the Enable Root SSH Access check box to also allow access to root.5. Click Apply.


After You UpdateUpgrade IssueAfter upgrading to v7.0.3, the Update Manager may show that your appliance is still onthe previous version. You will need to manually reboot the appliance to complete theupgrade.

Identify and Remove Exporters for SWD-13346Complete the following steps to identify and remove exporters to alleviate CPU strain forSWD-13346:

Please review the following steps and if you are unsure if this issue isimpacting your environment, or for assistance with identifying potentiallyrelated exporters, please contact Stealthwatch Customer Support.


Introduction

1. Remove any external cron jobs created to periodically restart tomcat in order tomanage this issue, if applicable.

2. Install this release using the Stealthwatch Update Guide for your version. Onceinstallation is complete, proceed to step 3.

3. To determine if you have any exporters being flagged as identity exporters, log into the command line interface of the SMC using the following command:

#grep 'identity-source="true"'/lancope/var/smc/config/domain_*/exporter*.xml

Example:#grep 'identity-source="true"' /lancope/var/smc/config/domain_*/exporter*.xml

/lancope/var/smc/config/domain_102/exporter_1855_192.168.1.1.xml:

Questionable exporters can be identified by the absence of an "id" field at the endof the exporter line (example above).

Below is an example of how the newly generated xml should appear:

Example:

If any files were identified, continue to step 4. If no files were identified, no furtheraction is needed.

4. Stop the tomcat process so that they can be removed using the followingcommand:

#systemctl stop lc-tomcat.service

5. Use the list of files output from step 3 and remove them using the followingcommand:

#rm -f

6. Log in to the command line interface of the Flow Collector receiving flow from theexporters found in step 3. Manually remove these same exporters from theexporters .xml file:a. Stop the Flow Collector engine and using the following command:

>systemctl stop engine.service

b. Using the following command, cd to the Flow Collector's config directory:>cd /lancope/var/sw/today/config


Introduction

https://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.html

c. Make a backup copy of exporters.xml:>cp exporters.xml /lancope/var/exporters.xml.bak

d. Use vi or your preferred editor to remove the exporters found in step 3.Below is an example of what a given exporter stanza might look like. Searchfor the IP in question and remove the content between the "exporter" tags.Be sure to save the file when complete.

Example:

7. Restart the Flow Collector engine using the following command:

#systemctl start engine.service

8. Return to the SMC SSH console using the following command:

#systemctl start lc-tomcat.service

9. Log out of both consoles. These changes should allow for the re-creation of theexporter configuration files related to your identity type appliances.

These new configuration files will be formatted correctly and alleviate and CPU strainthat was previously caused by this issue.

Installing the Stealthwatch Desktop ClientAs of Stealthwatch v7.0, Oracle Java will no longer be used to install and openStealthwatch Desktop Client.

Use the following instructions to install the Stealthwatch Desktop Client using Windowsor macOS. Note the following:

l You can locally install different versions of Stealthwatch Desktop Client.

l If you want to access multiple versions of Stealthwatch Desktop Client, you willneed a different executable file for each SMC.

l If you are using both a primary and a secondary SMC, you will need to log off oneSMC before you can log in to the other SMC.

l You can have different versions of Stealthwatch Desktop Client opensimultaneously.

l When you update to a later version of Stealthwatch, you will need to install thenew version of Stealthwatch Desktop Client.


Introduction

l If you have Stealthwatch Desktop Client and update to 7.0.x or later, you can nolonger use Oracle Java with Stealthwatch Desktop Client.

Install the Desktop Client UsingWindows

l You must have sufficient rights to install Stealthwatch Desktop Client.

l Stealthwatch Desktop Client requires a 64-bit operating system. Itcannot run on a 32-bit operating system or Linux.

1. Click Desktop Client in the upper right corner of any page in theStealthwatch Web App.

2. Click the .exe file to begin the installation process.

3. Follow the steps in the wizard to install the Stealthwatch Desktop Client.

4. On your desktop, click the Stealthwatch Desktop Client icon .5. Enter the SMC user name and password.6. Enter the SMC server name or IP address (IPv4 or IPv6).7. Follow the on-screen prompts to open the Desktop Client and trust the appliance

identity certificate.

Change thememory sizeYou can change how much Random Access Memory (RAM) to allocate on your clientcomputer to run the Stealthwatch Desktop Client interface. Consider a larger memoryallocation if you work with many open documents or large data sets (such as flowqueries with over 100k records).

1. In Windows Explorer, go to your home directory.2. Open these folders: AppData > Roaming > Stealthwatch.

You may need to search "Stealthwatch" if the folder is hidden.

3. In the Stealthwatch directory, open the folder that contains the desiredStealthwatch version.

4. Open the application.vmoptions file using an appropriate editing application tobegin editing. (This file is created after you open the Stealthwatch Desktop Clientfor the first time.)

Minimum Memory Size (Xms): We recommend that you allocate no less than


Introduction

512 MB. This number is listed in the third line of the file.

For editors that display the content in one continuous line, refer to the numberhighlighted in the image below to see which number represents the minimummemory size.

Maximum Memory (Xmx): You can allocate up to half the size of your computer'sRAM for the maximum memory size. This number is listed in the fourth line of thefile.

For editors that display the content in one continuous line, refer to the numberhighlighted in the image below to see which number represents the maximummemory size.

Use whole numbers. For example, enter Xmx512m, not Xmx0.5m.

l If you notice that the Stealthwatch Desktop Client appears to "hang"frequently, try increasing the memory size.

l If you receive an error message involving Java, try selecting a lowermemory allocation.

Install the Desktop Client UsingmacOS

l You must have sufficient rights to install Stealthwatch Desktop Client.

l Stealthwatch Desktop Client requires a 64-bit operating system. Itcannot run on a 32-bit operating system or Linux.

1. Click Desktop Client in the upper right corner of any page in theStealthwatch Web App.

2. Click the .dmg file to begin the installation process.

An icon and folder are displayed on your monitor, as shown below.


Introduction

3. Drag the Stealthwatch Desktop Client icon ( ) into the Application folder.

The icon is added to the Launchpad.

4. On your desktop, click the Stealthwatch Desktop Client icon .5. Enter the SMC user name and password.6. Enter the SMC server name or IP address (IPv4 or IPv6).7. Follow the on-screen prompts to open the Desktop Client and trust the appliance

identity certificate.

Change thememory sizeYou can change how much Random Access Memory (RAM) to allocate on your clientcomputer to run the Stealthwatch Desktop Client interface. Consider a larger memoryallocation if you work with many open documents or large data sets (such as flowqueries with over 100k records).

1. In Finder, go to your home directory.2. Open the Stealthwatch folder.3. In the Stealthwatch directory, open the folder that contains the

desired Stealthwatch version.

4. Open the application.vmoptions file using an appropriate editing application tobegin editing. (This file is created after you open the Stealthwatch Desktop Clientfor the first time.)

Minimum Memory Size (Xms):We recommend that you allocate no less than512 MB. This number is listed in the third line of the file.

For editors that display the content in one continuous line, refer to the numberhighlighted in the image below to see which number represents the minimummemory size.


Introduction

Maximum Memory Size (Xmx): You can allocate up to half the size of yourcomputer's RAM for the maximum memory size. This number is listed in the fourthline of the file.

For editors that display the content in one continuous line, refer to the numberhighlighted in the image below to see which number represents the maximummemory size.

Use whole numbers. For example, enter Xmx512m, not Xmx0.5m.

Contacting supportIf you need technical support, please do one of the following:

l Contact your local Cisco Partner

l Contact Cisco Stealthwatch Supporto To open a case by web:http://www.cisco.com/c/en/us/support/index.html

o To open a case by email: [email protected] For phone support: 1-800-553-2447 (U.S.)o For worldwide support numbers:www.cisco.com/en/US/partner/support/tsd_cisco_worldwide_contacts.html


Introduction

http://www.cisco.com/c/en/us/support/index.htmlhttp://[email protected]/http://www.cisco.com/en/US/partner/support/tsd_cisco_worldwide_contacts.htmlhttp://www.cisco.com/en/US/partner/support/tsd_cisco_worldwide_contacts.html

What's Been FixedThis section summarizes fixes made in this release for issues (bugs/defects) reported bycustomers in previous releases. The Stealthwatch Defect (SWD or LSQ) number isprovided for reference.

Version 7.0.3

Defect Description

SWD-12069 Geodata library got updated to support IPV6. (LSQ-3861)

SWD-13125Fixed an issue where the print option was not working for theTraffic reports. (LSQ-4149)

SWD-13235Fixed an issue with updating Exporter SNMP configurationsthrough an API call. (LSQ-4277)

SWD-13257

SWD-13368Changed the host group name filtering based on the searchparameter. (LSQ-4185)

SWD-13299

SWD-13356Added event ID checks against default New/Max flows. (LSQ-4359)

SWD-13301Added filter creation logic while pivoting from top ports to tophosts. (LSQ-4360)

SWD-13311Fixed an issue where you were unable to Export All configurationfor a domain. (LSQ-4422)

SWD-13316Fixed an issue where resync failed due to 504 gateway timeoutand lead to a config channel down in secondary SMC. (LSQ-4333)

SWD-13326Fixed an issue where the Users page in the SMC was not loading.(LSQ-4232)

SWD-13334Updated the MTU settings using SystemConfigto fix thetraceback error. (LSQ-4336)


What's Been Fixed

Defect Description

SWD-13344Fixed an issue where the Flow Sensor was running out ofmemory.

SWD-13346

Fixed a problem related to high CPU load averages on the SMCcaused by identity exporters being incorrectly categorized. (LSQ-4221)

If you are experiencing higher than normal CPU loadaverages due to this issue, you will need to install thisrelease and then complete additional actions to ensurethat these exporter's xml files are regenerated correctly.Please review the Identify and Remove Exporters stepsand if you are unsure if this issue is impacting yourenvironment, or for assistance with identifyingpotentially related exporters, please contactStealthwatch Customer Support.

SWD-13408Fixed an issue where a GETBULK function used was notsupported in SNMPV1. (LSQ-4407)

SWD-13454Added ICLOUD and OFFICE365 to the INSTANT_MESSAGINGfilter to prevent the Fake App alarm from alerting. (LSQ-4293)

SWD-13479Added a warning pop-up to SystemConfig when attempting tochange the IP address, if the appliance is managed by CentralManagement. (LSQ-4380)

SWD-13643Fixed an issue where "FlowAggregationResource rollup" wascausing high CPU usage. (LSQ-4411)

SWD-13645Fixed an issue with handling sum overflow in Vertica queries.(LSQ-4405)

SWD-13650Fixed an issue where pivoting to a Flow Search from the TopApplication graph would not show any data. (LSQ-4497)

SWD-13696 Fixed an issue where the UpgradeOutput.log was missing on the


What's Been Fixed

Defect Description

primary SMC.

SWD-13759Fixed an issue where a Packet Query returns an invalid Port orProtocol error. (LSQ-4515)

SWD-13775Added input validation for SNMP fields in system.xsd. (LSQ-4528)

SWD-13778Fixed an issue where support was unable to decrypt SMCdiagnostic packs.

SWD-13789Fixed an issue where the actions and options in the SMC DesktopClient are grayed out after upgrade. (LSQ-4547)

SWD-13796Fixed an issue where the Process Control Block code was beingreferenced prior to their initialization. (LSQ-4512)

SWD-13887Fixed an issue where HA services flash during screen refreshwhen HA is not configured. (LSQ- 4607)

SWD-13911Added support for IP address type for the Flow Collector FlowData Loss document. (LSQ-4628)

SWD-14179Fixed an issue where the Flow Search Results would not allowyou to sort alphabetically.

SWD-14415Fixed an issue where charts didn't appear in printed reports.(LSQ-4735)

SWD-14451Fixed an issue where protocol values didn't appear in exportedTop Ports and Top Conversations reports. (LSQ-4714)

SWD-14466

Created a new Advanced Setting called fake_app_exclude_list.

This setting allows the user to add a comma separated list ofStealthwatch Appliance IDs to be ignored during the FakeApplication test. To get the IDs, go to the/lancope/var/sw/today/config folder on the Flow Collector andopen the application_definitions.xml file.


What's Been Fixed

Defect Description

SWD-14520Fixed an issue where the Flow Sensor stopped processing flows.(LSQ-4294, LSQ-4545)

SWD-14879Added Flow Collector Flow Data Lost to the list of alarms. (LSQ-4798)

Version 7.0.2

Defect Description

LVA-625Updated files and directory permissions to be more restrictive.(LSQ-3719)

LVA-634Removed storage of authentication credentials in smc.log files.(LSQ-3735)

SWD-11673Corrected several object types from String to Integer in SNMPMIB and added handling of the variables in newly installedsystems. (LSQ-3694)

SWD-11839Fixed the Inbound/Outbound direction filter for Top Host Report.(LSQ-3677)

SWD-11961

Added an Advanced Setting to only allow the first NBARapplication ID to be set into the flow to prevent multiple fakeapplication alarms. To disable, set allow_nbar_app_id_migrationto 1 on your Flow Collectors. (LSQ-3789)

SWD-11991Fixed an issue where previously created Response ManagementRules could not be edited. (LSQ-3847)

SWD-12014Fixed an issue that caused the following message: SMCFailoverSession resync failed: 504 Gateway Time-out onsendSnapshot. (LSQ-3853/4218)

SWD-12044Enhanced the engine to make use of the port definitions inapplication_definitions.xml, which includes Custom


What's Been Fixed

Defect Description

Applications. If you have Custom Applications defined usingport definitions, the engine now utilizes those definitions indetermining the client/server relationship in flows. (LSQ-3824)

SWD-12074Fixed an issue where users were unable to edit forwarding ruleson a UDP Director. (LSQ-4184)

SWD-12078Corrected an issue that showed flow duration for more than 34days when "start_time" was unchanged in flow records. (LSQ-3734)

SWD-12150Removed scaled value of 1000 for flow related alarm. (LSQ-3948)

SWD-12234Time out values in nginx had been increased in order to handlelong duration queries.

SWD-12291

Added extra pointer validation checks around the area that it wasseen crashing and added a feature to save a copy of the SLICfeed file being processed when the engine crashes during theSLIC feed update. The file will be included in a diagnostic packand can then be analyzed by Cisco to determine if it is the datain the SLIC feed itself causing the crash.

SWD-12303Changed the baselining code to re-baseline all hosts every timethe engine is restarted. (LSQ-3955)

SWD-12337Fixed an issue where Active Directory configuration would notaccept more than one Domain Controller. (LSQ-4122/4161/4175)

SWD-12341Fixed an error that caused all archived folders before "today" tobe deleted after a Flow Collector engine restart. (LSQ-3864)

SWD-12412Fix provided in FC to launch the home page after "RefreshingData" on IE browser. (LSQ-4013)

SWD-12419 Fixed a problem where the traffic for each host was not being


What's Been Fixed

Defect Description

archived properly into the traffic trends files. (LSQ-3988)

SWD-12421

Fix provided to restrict below files and directories to any webusers in 6.10x version. From 7.0, the only users that haveaccess to these files are "Master Admin." All others are denied.(LSQ-4018)

SWD-12460Truncated and rounded off the decimal part of bytes withpredefined filter available. (LSQ-3868)

SWD-12481 Geodata library was updated to support IPV6. (LSQ-3861)

SWD-12491

Flow Collector engine should set "hasMore" to be true as long asthe "total" combined records from both memory and DB exceedsthe requested number set in limit to show "more recordsavailable" message in security events transaction report (LSQ-3995).

SWD-12497Provided a fix for failure scenario when we have two or morehostgroups with unknown hostgroup combination. (LSQ-4056)

SWD-12504Corrected an issue where stopping packet capture failed andshows "error processing request". (LSQ-4032 )

SWD-12575Upgrade process was fixed the issue that caused Juniper Flowto go to "0% decode" after a 6.8.3 to 6.10.4 upgrade. (LSQ-4084)

SWD-12607Fixed an issue where Host Group mapping for countries was notdisplayed in Flow Searches. (LSQ-4068).

SWD-12648Corrected an issue causing data being to be written to the DB(daily) with invalid time stamps. (LSQ-4057)

SWD-12661An issue was corrected where Undefined TCP records wereappearing in a search of ICMP flow. (LSQ-4089)


What's Been Fixed

Defect Description

SWD-12670 MAC violation alarms are now properly generated. (LSQ-4062)

SWD-12679The SNMP trap now uses the correct MIB for "FlowCollectorDatabase Channel Down". (LSQ-4051)

SWD-12682Added validation to not check duplicate names when trying toedit archive hours. (LSQ- 4105)

SWD-12689Truncated and rounded off the decimal part of bytes withpredefined filter available. (LSQ-3868)

SWD-12710Fixed an issue with Flow Sensor 4k timeout handling. (LSQ-4107)

SWD-12724Fixed an error where the Flow Collector engine writes malformed"username" field values in security_event, and causes Verticaparsing errors. (LSQ-4117)

SWD-12822Fixed RAID management errors that occurred after upgrade.(LSQ-3946)

SWD-12825Fixed an error in the Top Reports where "Total+Client" or"Total+Server" generates a syntax error at or near "select" atcharacter 20XX. (LSQ-4133)

SWD-12844Corrected an issue where users were unable to print from the injava desktop. (LSQ-4149)

SWD-12883Updated OpenDNS to Umbrella in the External Lookupconfiguration. (LSQ-4147)

SWD-12989Fixed an issue where downloading a larger SMC configurationbackup file failed. (LSQ-4132)

SWD-12996Added new docker services to filter and display in the EndpointConcentrator Admin UI. (LSQ-4165)

SWD-12997 Fixed an issue where Active Directory user data was not being


What's Been Fixed

Defect Description

fetched properly. (LSQ-4196)

SWD-13000Fixed an error where the Stealthwatch Desktop Client wasn'tcommunicating with the Flow Collector and secondary SMC forlicensing. (LSQ-4129)

SWD-13021The SMC Rollup005 patch is now properly removed after beinginstalled on Secondary SMC2210 (M5 Hardware). (LSQ-4204)

SWD-13025Fixed an issue with the pre-swu when upgrading from 6.10.2.(LSQ-4083)

SWD-13058Corrected an issue in the previous rollup (003) that caused HostGroup Management in the Web UI to be unusable. (LSQ-4193)

SWD-13112Fixed an issue where the "CallOSAxsD UpdateSystem" call returns False when the file does not exist.(LSQ-4247)

SWD-13126Fixed an issue where the Flow Sensor network card stopsworking after upgrade. (LSQ-4249)

SWD-13169Fixed an issue with proxy authentication after upgrading from6.10.3. (LSQ-4220)

SWD-13311Fixed an issue where you were unable to Export Allconfiguration for a domain. (LSQ-4422)

Version 7.0.0

Defect Description LSQ

SWD-7700

The Flow Collection Trend chart had gapsdue to TextCopyHandler failing to read filesat /lancope/var/smc/tmp folder.

Resolved an issue where scheduledreports would terminate existing SMC data

LSQ-2727


What's Been Fixed


loading processes under certainconditions.

SWD-8115

Multiple instances of the process "acpi_pad" was causing the system to becomenon-responsive.

We blacklisted the "acpi_pad" process tofix this issue.

LSQ-2836

SWD-8142

The Database backup is generating errorsat the final stage of the process.

Improvements have been added to repeatthe Vertica backup process in case ofresync errors.

LSQ-2838

SWD-8773Upgraded mongodb from v2.6.8 tov3.10.15 to take advantage of performanceimprovements.

LSQ-3012

SWD-9128

Temporary files for flow stats were deletedwhen disk space was less than 75%.

This code was removed in order to let thecode that checks disk usage handle anynecessary file removals.

LSQ-3123

SWD-9138

"String index out of range" error in OfflineActivation dialog.

Improved exception handling to addressthe error and added an additional conditionto verify the presence of a dash symbol.

LSQ-3124

SWD-9258

The Flow Collector Engine failed toconnect a router mitigation device whenusing SSH.

Updated the engine code responsible for

LSQ-3141


What's Been Fixed


building and maintaining SSH mitigationsessions.

SWD-9444

The Flow Collector engine had a SIGSEGVerror at pool_exit in process_message.

A memory leak was found and fixed relatedto the deletion of exporters, and extraprotection was put into place in thehandling of the Service Bandwidth datastructures.

LSQ-3196

SWD-9445 Updated the Flow Sensor 1010 spec sheet. LSQ-3176

SWD-9446

A quotation mark in the application detailcolumn caused an error when exporting aflow table to a CSV file.

The application detail fields were updatedto handle quotation marks.

LSQ-3086

SWD-9490

The export button was cut off on the FlowSearch page.

Updated the UI to handle resizing thebrowser window.

LSQ-3223

SWD-9502

The "more details" link on the UDP Directoradmin page disappeared once the pageloaded.

Fixed the hyperlink to be consistent duringand after page load.

LSQ-3224

SWD-9503The SMC 1000 was running out of memorywhich caused Vertica to crash.

Fixed the memory leak.LSQ-3228

SWD-9515The Flow Collector 5020 failed to load the10G driver.

LSQ-3235


What's Been Fixed


Modified the grub configuration files toallow the Intel 10G network card to workwith the Jessie kernel.

SWD-9520

Log rotation for vertica.log was notworking.

Added a daily cron job to cleanup anybackup vertica logs in the target directorythat haven't changed in 30 days.

LSQ-3346

SWD-9524

The UDP Director device informationcolumn was not populating when theManagement Channel Down alarmtriggered.

Added the device type to the system_alarmtable.

LSQ-3207

SWD-9559

The Flow Collector engine had a SIGSEGVerror at search_threat_host.

Reworked threat feed code to minimize thelocking time of the processing threads.

LSQ-3208

SWD-9564

The Proxy Log Configuration Guide had agraphic error in the Configure the UploadClient section.

The port number was corrected in thegraphic.

LSQ-3237

SWD-9568

Vertica hung at "SafetyShutdown".

Added code to monitor vertica and restart itif the process is up but the DB is notresponsive.

LSQ-3228

SWD-9577The hostname field was missing from theHostAlarm structure in the MIB.

LSQ-3209


What's Been Fixed


Added the missing field.

SWD-9607Added the "Peer Host Groups" option tothe Manage Columns menu for the TopConversations table.

LSQ-3266

SWD-9692Fixed the Traffic by Peer Host Groupdisplay that was using the wrongtimestamp for some archive hour settings.

LSQ-3277

SWD-9702

Modified the Flow Collector engine tohandle ICMP type and code sent in theNetFlow source port field instead ofdestination port.

LSQ-3175

SWD-9732

No indication when the SMC server failedto load because of an invalid smc_failover.xml file.

Added the appropriate log to the SMC logfile.

LSQ-3228

SWD-9873

The alarm count was mismatched from theAlarming Hosts component on the SecurityInsight Dashboard and the alarms on thehost list view.

Updated the help text pop-up to explainthat the number in the Alarming Hostcomponent displays the number of hostsreceiving alarms since the last reset hour.Clicking on the alarm number will navigateto a host list view with an alarm categoryfilter applied. These two numbers can bedifferent.

LSQ-3330

SWD-9913Updated the Cognitive Analyticsintegration to work with trial licenses.

LSQ-3675


What's Been Fixed


SWD-9934

Queries for security events failed with aVertica error.

Updated the code to finish installingVertica default packages.

LSQ-3578

SWD-9983

The database storage "Worst Case" valuefor "capacity in days" and "remaining days"was incorrect.

Fixed the code so that the values are nolonger negative.

LSQ-3367

SWD-9996

The “Not Matched” field in the output.logdid not increment when thesource/destination IP address mismatchedthe forwarding rules configuration on theUDP Director.

A fix has been provided to increase the“Not Matched” count.

LSQ-3370

SWD-10008

The "Interface Service Traffic" graph wasmissing data.

Adjusted the query for the graph to fix aVertica database issue.

LSQ-3335

SWD-10101

The SMC did not have enough memoryallocated for Tomcat.

Separated the JVM settings so that Tomcatmemory allocation varies depending on theappliance.

LSQ-3305

LSQ-3453

SWD-10119

Host_group_application_traffic had anoverflow for BPS values.

Fixed the case where the SMC wasinserting too many or too few primary datapoints, which caused the original

LSQ-3397

LSQ-3433


What's Been Fixed


consolidation value to record wrong valuesin Vertica.

SWD-10129

Associated flows information wasincorrect.

Updated SETI and the SMC Web Appinterface online help to have the correctassociated flows information.

LSQ-3415

SWD-10147 Updated packet query logging. LSQ-3418

SWD-10202

Flow information was not showing up whenusing a Cisco 3504 Wireless LANController.

Previously, the engine automaticallyassigned Interface #1 to flows missingInput and Output SNMP Interface IDs.Because of potential conflicts with anactual Interface #1, we decided to use INT_MAX for this assignment.

LSQ-3432

SWD-10239

DBNodeRetentionManager was not waitinglong enough between partition drops whichcaused all partitions to be dropped.

A back-off algorithm was implemented inthe retention code to allow enough time forthe disk space to be freed betweenpartition drops.

LSQ-3444

SWD-10284

The Flow Collector 5000 engine hadSIGSEGV error at various functions.

Added more data input validation onInformation Elements so the engine emitsdecode errors instead of crashing.

LSQ-3454

SWD-10329 Updated Security Group Tags (SGT) LSQ-3461


What's Been Fixed


information in the SMC Web App inferfaceonline help.

SWD-10348

UDP Director failed to update ARP statusfor a host.

Added a ping from the UDP Director tocheck disabled hosts in order to update theARP status.

LSQ-3407

SWD-10387Increased the default buffer length for theUDP Director to reduce "Last Dropped"counts.

LSQ-3463

SWD-10391

Added a script to set the ethX rx buffers tothe maximum allowed value (typically4096) on physical UDP Directors toimprove performance.

LSQ-3463

SWD-10423

The Admin Interface UI hangs after clicking"Test" on the Remote File System page.

Added better error handling for the AdminUI.

LSQ-3483

SWD-10436

The Flow Collector diagnostic pack storedtoo many log files.

Updated the diagnostic pack to onlycontain the vertica.log.

NA

SWD-10444

SWD-10519

Updated the database queries to use AVGfunction to avoid the sum overflowproblems.

LSQ-3487

SWD-10561

The engine had a SIGSEGV error in update_app_definitions.

Ensured that all resource memory pooldeletions are followed by setting the

LSQ-3529


What's Been Fixed


variable using the memory to NULL.

SWD-10570

The Flow Collector engine had an overflowwhen calculating BPS values.

Bytes and packets value handling wasmodified to perform data validation andensure the average packet size is 65535bytes or less.

LSQ-3424

LSQ-3433

LSQ-3397

SWD-10593

The unlicensed feature message was beingdisplayed for the Flow Sensor.

Changed the default setting for themessage to show the appropriate status.

LSQ-3486

SWD-10647

Top Peers flipping the client/server whenselecting "Flows".

Modified the code to snow swap hostswhen creating a flow filter from Top Peers.

LSQ-3554

SWD-10658Removed "Inbound" from the legend fortwo charts on the Interface TrafficDashboard.

LSQ-3335

SWD-10779

User authentication failed due to login filedescriptors not being closed.

Updated the code to close the filedescriptors after a user logs out.

LSQ-3579

SWD-10893

The engined crashed with the error "Threadinterrupted" while processing flows.

Updated the engine to handle situationswhere the flow classification threads getbacked up temporarily.

LSQ-3600


What's Been Fixed


SWD-11065Improvements were made in thecalculations of data byte counts in the per-minute flow statistics.

LSQ-3582

SWD-11123

DBNodeRetentionManager was notdropping the large partitions causing newflow data to not be inserted.

Modified retention code to drop any invalidpartitions (those with dates before 1980) ateach retention check. Any drops of thesepartitions will be logged with a warning"Dropped invalid partition for ". The code also drops up to 5partitions each retention period when overthe disk usage threshold. Disk space ischecked after each drop and when usagedrops back below threshold, no morepartitions are dropped for that period.

LSQ-3623

SWD-11124

Vertica was inserting data when thedatabase disk space was full, causing thesystem to crash.

Modified the Flow Collector 5000 enginecode to query Vertica for disk usage overthe database channel. This allows theengine to stop database inserts when diskusage reaches the critical level on thedatabase node even if the communicationchannel is down.

LSQ-3623

SWD-11197

The Flow Collector 5200 engine wasrunning out of memory.

The fix is to limit the number of processingthreads based on the available memory.The calculated process_instance_countwill be limited to 13 on a Flow Collector

LSQ-3600


What's Been Fixed


5200 series appliance. This value can stillbe manually set in lc_thresholds.txt.

SWD-11198

Multiple errors causing the Flow Collectorengine to crash.

Fixed an out of bounds array reference thatcould corrupt memory and lead to a crash.

LSQ-3600

SWD-11243

Exporter flows could not be processed bythe engine due to changes in the template.

Removed support the old Flow SensorInitiator field "Information Element 68".

LSQ-3647

SWD-11480Removed the code to swap Security GroupTag IDs when client and server wereswapped in the engine (LSQ-3650).

LSQ-3650

SWD-11650

SWD-11722

The Flow Sensor was missingflowsensor.xml after install.

Updated the start_fs process so that it willwrite out a default flowsensor.xml whenthe service is started.

LSQ-3725

LSQ-3729


What's Been Fixed

Known IssuesThis section summarizes issues (bugs) that are known to exist in this release. Wherepossible, workarounds are included. The defect number is provided for reference.

DefectNumber Description Workaround

SWD-7655

The generation of a diagnostics packmay fail in large systems as a result oftiming out.

To overcome this, open the SSHconsole for the appliance andrun this command: doDiagPack.This will allow the generation ofthe diagnostic pack withouttiming out. The diagnostic packcan be downloaded usingBrowse File in the/admin/diagnostics folder, and itcan be copied off the box usingSCP.

SWD-8197

The Flow Sensor was not detectingenough applications.

To provide more accurateapplication classification, weupdated the third-party libraryfor Application Identification.Due to this update, some trafficwill no longer be classified as itwas in prior versions andsupport has been removed for avariety of applications. Updatesto the applications supportedare dependent on futurereleases from the third-partylibrary.

SWD-8673

SystemConfig special character fontslook bad when using the SecureCRTclient in ANSI mode.

To overcome this, disable ANSIColor when connecting or use adifferent client to view theSystemConfig script.


Known Issues


SWD-9052

Offline license activation failing or"Storage Binding Break" error

This error may occur if youmoved a virtual machine,uploaded a license more thanonce, or if the license iscorrupted. Please contactStealthwatch CustomerCommunity for assistance.

SWD-9563

When you log in to the StealthwatchWeb App using Internet Explorer v11and at any point you refresh the Homepage, the Desktop Client drop-downarrow and the three navigation icons tothe left of this list (top right corner ofpage) disappear. These three iconsinclude the following:

• Search (magnifying glass icon)• Help (person icon)• Global Settings (geer icon)

Additionally, the fonts look differentfrom how they appear when displayedusing other browsers.

Close the browser and log inagain.

SWD-11822(LVA-664)

Stealthwatch has made a modificationto interface API encoding that takeseffect beginning with v7.0. Whenconfiguring a query parameter for therelated endpoints, you can no longeruse un-escaped characters within theURI.

In order for your integration withthis API to function correctly,you must do the following:

For all endpoints related to thefollowing:

/tenants/{tenantId}/devices/{deviceId}/exporters/{exporterIp}/interfaces/{interfaceId}

Filters such as start or end time


Known Issues

https://lancope.force.com/Customer/CustomerCommLoginhttps://lancope.force.com/Customer/CustomerCommLogin


need to be formatted as this:

filter%5bstartTime%5d

Not this:

filter[startTime]

SWD-11929

The SMC desktop client does notlaunch over IPv6 on Mac.

None currently available.

SWD-12141

When installing the pre-SWU patchusing the SMC System Managementpage, the Update Status may continueto show "Waiting to install."

The message might not clear,but it does not block the update.Check the log to confirm thepre-SWU patch was installedsuccessfully. Make sure youfollow the Finalize procedure inthe Stealthwatch UpdateGuide.

SWD-13089

Changing the appliance IP address,host name, or network domain namemay fail.

Before you change an applianceIP address, host name, ornetwork domain name using theAppliance Setup Tool or SystemConfig, review the instructionsin Stealthwatch Online Help.

You will remove the appliancefrom Central Management aspart of the procedure.

Also, confirm the following:

l Before you remove theappliance from CentralManagement, make surethe Appliance Status isshown as Up.

l Check the other appliance


Known Issues

https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/update_guides/SW_6_10_x_to_7_0_0_Stealthwatch_Update_Guide_DV_1_0.pdfhttps://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/update_guides/SW_6_10_x_to_7_0_0_Stealthwatch_Update_Guide_DV_1_0.pdf


trust stores in your cluster.If the appliance identitycertificate (of theappliance you arechanging) is saved toother appliance truststores, delete it.

l After you change theappliance IP address, hostname, or network domainname, use the ApplianceSetup Tool to add theappliance to CentralManagement.

SWD-13181

The Flow Collector database andengine private network IP addressescannot be changed. Changing theseIP addresses will breakcommunications.

The Flow Collector databaseand engine use private networkIP addresses to communicate.The private network IPaddresses are as follows:

Engine: 169.254.42.100

Database: 169.254.42.101

If you've changed theseIP addresses, change them backto the defaults or contact CiscoStealthwatch Support beforeyou start the update.

SWD-14940

DBNode Retention Manager dropspartitions during long database backupperiods.

We've added procedures toback up your database thatinclude trimming the databaseand deleting snapshots after thebackup. Make sure you followthe instructions in the


Known Issues


Stealthwatch® Update Guide(v6.10.x to 7.0.3 or 7.0.x to7.0.3)

For assistance, please contactCisco Stealthwatch Support.

SWD-15570

Typos in Command to Delete FlowCollector Snapshots

The command to delete FlowCollector snapshots as part ofthe Back up Databaseinstructions is incorrect in theupdate guide.

Use the following command todelete SMC and Flow Collectordatabase snapshots:

/opt/vertica/bin/vsql -U dbadmin -w lan1cope -c "select remove_database_snapshot('StealthWatchSnap1');"

Also, make sure you delete thedatabase snapshots on the SMCand the Flow Collector.

SWD-15623

Error retrieving data on SMC/FlowCollector database

The command to delete FlowCollector snapshots as part ofthe Back up Databaseinstructions is incorrect in theupdate guide.

Use the following command todelete SMC and Flow Collectordatabase snapshots:

/opt/vertica/bin/vsql -U dbadmin -w lan1cope -c "select remove_


Known Issues

https://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.htmlhttps://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.htmlhttps://www.cisco.com/c/en/us/support/security/stealthwatch/products-installation-guides-list.html


database_snapshot('StealthWatchSnap1');"

Also, make sure you delete thedatabase snapshots on the SMCand the Flow Collector.

CHOPIN-25314

If a Stealthwatch user has theirprivileges lifted or demoted (ex. ReadOnly to Read/Write or vice versa), it willtake up to 30 minutes to propagate thechange to the Cognitive Analyticssystem.

None currently available.

NAOn the Flow Sensor VE, “ExportApplication Identification” is off bydefault.

To enable applicationidentification, this advancedsetting will need to be manuallyselected.

NA

Due to changes in the cipher suiteproperties from TLS v1.2 to TLS v1.3,the Key Exchange and AuthenticationAlgorithm properties will display as N/Ain the Flow Search.

Improved audit capabilities forTLS v1.3 will be added in afuture release.

NA

If a user log ins to multipleStealthwatch systems, they can't log into the second system within CognitiveAnalytics.

To overcome this:

l Wait 30 minutes for thefirst login to expire

l Log out of CognitiveAnalytics on the firstsystem


Known Issues

Release Support InformationOfficial General Availability (GA) date for Release 7.0 is Jan. 30, 2019.

For support timeline information regarding general software maintenance support,patches, general maintenance releases, or other information regarding CiscoStealthwatch Release Support lifecycle, please refer to Cisco Stealthwatch® SoftwareRelease Model and Release Support Timeline Product Bulletin.


Release Support Information

https://www.cisco.com/c/en/us/products/collateral/security/stealthwatch/bulletin-c25-742163.htmlhttps://www.cisco.com/c/en/us/products/collateral/security/stealthwatch/bulletin-c25-742163.html

Copyright InformationCisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or itsaffiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to thisURL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned arethe property of their respective owners. The use of the word partner does not imply apartnership relationship between Cisco and any other company. (1721R)

© 2020 Cisco Systems, Inc. and/or its affiliates.

All rights reserved.

https://www.cisco.com/go/trademarks

IntroductionOverviewTerminologyBefore You UpdateSoftware Version3rd Party ApplicationsHardwareBrowsersAlternative AccessHardwareVirtual MachinesAdditional Option

Enabling SSH in Central ManagementOpen SSHEnable SSH

Enabling SSH in Appliance Admin Interface

After You UpdateUpgrade IssueIdentify and Remove Exporters for SWD-13346

Installing the Stealthwatch Desktop ClientInstall the Desktop Client Using WindowsChange the memory size

Install the Desktop Client Using macOSChange the memory size

Contacting support

What's Been FixedVersion 7.0.3Version 7.0.2Version 7.0.0

Known IssuesRelease Support Information

Documents

Stealthwatch Release Notes v7.0 - Cisco · Introduction Overview Thisdocumentprovidesinformationonnewfeaturesandimprovements,bugfixes,and knownissuesfortheStealthwatchSystemv7.0.3release