Here is what I found on the Meltdown and Spectre Bug info so far. Please feel free to add. Please do your research and confirm with your vendor(s) before taking action. This post is for informational purposes only.
End of SW availability and bug fixes for AnyConnect on BlackBerry 10 OS effective 5/31/18. AnyConnect on BlackBerry 10 will no longer be available for new software downloads from BlackBerry App World and will no longer receive bug fixes.
This article explains how to back up and restore the configuration of an ASA running on the Firepower 2100 series platform. When you run ASA on Firepower 2100, there are two pieces of software on the platform, FXOS and ASA, and you need to back up the configuration of both. As of ASA 9.8.2, you can back up the ASA configuration by copying the running configuration (or the output of "show running-config"); the FXOS configuration has to be recorded manually.
Backup ASA Configuration:
The ASA configuration can be backed up with any one of the items below.
1) copy running-config ftp:/scp:/smb:/tftp: (copies the ASA running configuration to an FTP, SCP, SMB or TFTP server, through the Management interface or any of the data interfaces)
2) copy startup-config ftp:/scp:/smb:/tftp: (copies the ASA startup configuration to an FTP, SCP, SMB or TFTP server, through the Management interface or any of the data interfaces)
3) Simply copy the output of "show running-config" and paste it into a text file.
Restoring ASA Configuration:
Restoring the ASA configuration can be done with either of the steps below.
1) Simply copy and paste the ASA config file on the ASA console/terminal.
2) copy ftp:/scp:/smb:/tftp: running-config
FXOS Configuration Backup & Restore:
Since FXOS on the FP2100 doesn't have a backup option, all configuration needs to be noted down manually. "show tech-support fprm" can also be used; it contains some of the configuration listed below. You may use FCM (Firepower Chassis Manager) or the FXOS CLI to configure the parameters below.
Firepower Chassis Manager: https://<FXOS-IP>
Management IP address for FXOS:
firepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect # set out-of-band static/DHCP
DNS config:
firepower-2110# scope system
firepower-2110 /system # scope services
firepower-2110 /system/services # create dns
Firepower 2100 series platform can run either FTD or ASA software.
When the Firepower 2100 series platform is running ASA, it has two pieces of software, FXOS and ASA. Each has its own management IP address, and they share the same physical interface, Management 1/1.
Both ASA and FXOS have their own authentication, and the same applies to SNMP, syslog and tech-support logs.
Toggle between FXOS & ASA prompt:
From the FXOS prompt, you can use "connect asa" to go to the ASA prompt and "exit" to come back to FXOS.
From the ASA prompt, you can use "connect fxos" to go to the FXOS prompt and "exit" to come back to ASA.
When using the console, you log in to the FXOS prompt.
SSH/Telnet to the ASA management IP to access ASA.
SSH to the FXOS management IP to access FXOS.
ASA & FXOS Management:
To manage ASA, you have ASDM or the CLI (SSH, Telnet). To manage FXOS, you have the CLI and FCM (Firepower Chassis Manager), a browser-based GUI tool.
FXOS useful configurations:
The default FXOS IP address for an FP2100 running ASA is 192.168.45.45.
Verifying and configuring the management IP address for FXOS:
To verify the FXOS IP address:
firepower-2110# scope fabric-interconnect a
firepower-2110 /fabric-interconnect # show detail
Product Name: Cisco FPR 2110
Vendor: Cisco Systems, Inc.
Serial (SN): JMX202820M4
OOB IP Addr: 192.168.45.45
OOB Netmask: 255.255.255.0
OOB Gateway: 192.168.45.1
OOB Gateway Use DataPort: No
OOB Boot Proto: Static
OOB IPv6 Address: ::
OOB IPv6 Gateway: ::
OOB IPv6 Gateway Use DataPort: No
IPv6 Boot Proto: Static
DHCPD Admin State: DHCP Server Enabled
Changing FXOS management IP address:
firepower# scope fabric-interconnect a
firepower /fabric-interconnect # set out-of-band static ip 10.106.143.40 netmask 255.255.255.0 gw 10.106.143.1
firepower /fabric-interconnect* # commit-buffer (commit the buffer to save the config)
Sometimes you may get the error below:
" Error: Update failed: [Management ipv4 address (IP 10.106.143.40 / net mask 255.255.255.0 ) is not in the same network of current DHCP server IP range 192.168.45.5 - 192.168.45.10. Either disable DHCP server first or config with a different ipv4 address.] "
If you get the error above, you need to either disable DHCP or change the DHCP range to the same subnet as the new management IP address.
Disabling DHCP Server:
firepower# scope system
firepower /system # scope services
firepower /system/services # disable dhcp-server
firepower /system/services* # enable dhcp-server 10.106.143.10 10.106.143.20 (to enable the DHCP server on FXOS with a range in the new subnet)
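As an added example (not from the post and not Cisco code), here is a small Python pre-check that parses the "show detail" output above, tests a proposed new management address against the DHCP-range restriction behind the error message, and emits the FXOS CLI sequence in an order that commits cleanly: disable DHCP, move the IP, then re-enable DHCP with a range inside the new subnet. The helper names, the constructed sample output and the assumption that each stage is committed separately are mine.

```python
"""Added pre-check (not Cisco code) for moving the FXOS out-of-band management
IP on an FP2100 without tripping the DHCP-range error quoted above."""
import ipaddress
import re

# Constructed sample: the "show detail" fields from the post and the DHCP
# range FXOS named in its error message.
SHOW_DETAIL = """\
OOB IP Addr: 192.168.45.45
OOB Netmask: 255.255.255.0
OOB Gateway: 192.168.45.1
OOB Boot Proto: Static
DHCPD Admin State: DHCP Server Enabled
"""
DHCP_RANGE = ("192.168.45.5", "192.168.45.10")


def parse_fi_detail(text):
    """Turn the 'Key: Value' lines of 'show detail' into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def dhcp_conflict(ip, netmask, dhcp_range):
    """True when FXOS would refuse the address: the DHCP server range must
    sit inside the network of the management address."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    return any(ipaddress.IPv4Address(a) not in net for a in dhcp_range)


def plan_mgmt_ip_change(detail, new_ip, netmask, gw, dhcp_range, new_dhcp_range=None):
    """Return the FXOS CLI lines, in commit order, to move the OOB address.

    The gateway is checked first, because a gateway outside the new subnet
    would leave the chassis unreachable. DHCP steps are added only when the
    enabled server's current range would block the commit.
    """
    net = ipaddress.IPv4Network(f"{new_ip}/{netmask}", strict=False)
    if ipaddress.IPv4Address(gw) not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    dhcp_on = detail.get("DHCPD Admin State", "").startswith("DHCP Server Enabled")
    fix_dhcp = dhcp_on and dhcp_conflict(new_ip, netmask, dhcp_range)
    plan = []
    if fix_dhcp:
        # 1) switch the DHCP server off and commit, so the IP change can commit
        plan += ["scope system", "scope services", "disable dhcp-server",
                 "commit-buffer", "exit", "exit"]
    # 2) the out-of-band change from the post
    plan += ["scope fabric-interconnect a",
             f"set out-of-band static ip {new_ip} netmask {netmask} gw {gw}",
             "commit-buffer", "exit"]
    if fix_dhcp and new_dhcp_range:
        # 3) bring DHCP back only with a range inside the new subnet
        if dhcp_conflict(new_ip, netmask, new_dhcp_range):
            raise ValueError(f"DHCP range {new_dhcp_range} is outside {net}")
        plan += ["scope system", "scope services",
                 f"enable dhcp-server {new_dhcp_range[0]} {new_dhcp_range[1]}",
                 "commit-buffer", "exit", "exit"]
    return plan
```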
Configuring NTP or the timezone on an ASA running on the FP2100 is restricted. Clock, timezone and NTP need to be configured on FXOS, which then syncs them to ASA.
firepower# scope system
firepower /system # scope services
firepower /system/services # set clock oct 6 2017 17 12 00
Cisco Email and Web Security training courses are designed to provide you with up-to-date knowledge and skills to successfully evaluate, integrate, deploy, and support Cisco Email and Web Security products and solutions.
Securing Email with Cisco Email Security Appliance (SESA) is a three-day instructor-led training course that provides students with information and practical hands-on reinforcement activities to prepare them to configure, administer, monitor, and conduct basic troubleshooting tasks on the Cisco Email Security Appliance.
Securing the Web with Cisco Web Security Appliance (SWSA) is a comprehensive, two-day course for customers and partners that provides students with hands-on labs, demonstrations and presentations focusing on installing, configuring, operating, troubleshooting, and maintaining the Cisco Web Security Appliance.
Cisco Email and Web Security Exams
Cisco Email and Web Security exams are available through Pearson VUE testing centers worldwide.
Email Security for Field Engineers
Web Security for Field Engineers
Advanced Security for Account Managers
Security Solutions for System Engineers
Channel Partner Training
Cisco Email and Web Security Training is available for Channel Partners. Please consult the Global Learning Locator to locate a class near you.
Cisco has rolled out a new Data Loss Prevention (DLP) solution starting with AsyncOS 11.0 for on premise Cisco Email Security Appliances (ESA), and Cisco's Cloud Email Security (CES). The Cisco DLP solution replaces the existing RSA DLP solution available on AsyncOS 10.0.x and earlier releases. Cisco's DLP solution allows seamless migration of all the existing DLP policies created in RSA DLP to the new Cisco DLP engine. After the upgrade, you can view or modify the migrated DLP policies from the Mail Policies > DLP Policy Manager page in the ESA's web interface. For more information, see the “Data Loss Prevention” chapter in the User Guide for AsyncOS 11.0 for Cisco Email Security Appliances.
RSA had previously announced the End of Life (EOL) for RSA Data Loss Prevention Suite. The last date of support from RSA for DLP is December 31st, 2017. Beyond December 31st, 2017, Cisco will provide Cisco customers with technical support assistance on ESA for anything relating to RSA DLP solution. However, Cisco will not support feature upgrades or bug fixes with respect to RSA's DLP solution on ESAs running 10.0.x and earlier releases.
Note: There is no support for RSA Enterprise Manager integration in AsyncOS 11.0 and later. If you have DLP policies created in RSA Enterprise Manager, you must recreate those policies on your appliance after the upgrade.
To continue supportability for DLP on Cisco ESA, customers on AsyncOS 10.0.x or earlier releases are requested to migrate to the AsyncOS 11.0 release at their earliest opportunity.
AnyConnect Apple iOS - Transition to Apple's latest VPN framework (NetworkExtension)
On approximately June 14, 2017, we will begin the public transition away from Apple's deprecated iOS VPN framework (VPN Plugin), which AnyConnect currently uses, to Apple's current VPN framework (NetworkExtension). The new framework will allow for more reliable VPN connectivity and also allows us to finally officially support Per App VPN connectivity, not just for TCP applications but for UDP applications as well. Per App support requires EMM configuration.
Transition timeline and process -
Approximately June 14, 2017: an additional (new) AnyConnect application will appear in the App Store. This new application will be supported on iOS 10.x and later. We recommend that the latest version of iOS 10.x or later is always used, as Apple has provided bug fixes to improve the reliability of this newer framework.
App Store willing, the old application will be renamed to Cisco Legacy AnyConnect and will be rebranded with legacy branding in this same timeframe.
Phase out of legacy AnyConnect -
The legacy application (existing older AnyConnect) will only receive critical bug fixes going forward and will be phased out over an extended period of time. More details on the phase out timing will be announced at a later date.
Transition process -
Unfortunately there is no ability to automatically transition users from the old OS framework to the new framework. Users will need to download the newer AnyConnect application or have EMM push out the new AnyConnect application. The new application will need to be re-provisioned, whether manually or via EMM. This includes pushing down configuration and certificates (if applicable). To avoid confusion or conflicts, the old application should be removed from the endpoint.
EMM configuration -
EMM vendors must support VPNType (VPN), VPNSubType (com.cisco.anyconnect) and ProviderType (packet-tunnel). For integration with ISE, they must be able to pass the UniqueIdentifier to AnyConnect, since AnyConnect no longer has direct access to it in the new framework. Please consult your EMM vendor on how to set this up; some may require this to be set up as a "custom" VPN type and others may not have support available at release time.
Today I will be showing you how to fix a ROMMON issue on the ASA5525. I'm going to link my YouTube video on how to fix the ROMMON issue. Don't forget to like my video and subscribe to my channel for more videos.
Here is a step-by-step guide on how to fix the ROMMON issue on the ASA5525:
Step 1: if your ASA5525 firewall boots to ROMMON on the first boot, that means the firewall you are running is going through an issue.
Step 2: as you see in the video, the amber LED on the alarm was not lit because the firewall was in ROMMON, but because the unit was running into a hardware issue. It can be the power supply, fan, memory, etc.
Step 3: in ROMMON, type "boot flash" or just "boot" to boot the software that the ASA5525 is running.
Step 4: after you were able to boot the ASA, type "enable" and press Enter twice to enter the ASA console as default.
Step 5: check "show version" (or "show ver") to see whether the config register is set to the right value or not. The config register should be "0x1".
Step 6: if the config register shows something other than "0x1", you need to change it to "0x1".
Step 7: save the configuration with "wr" or "write" and then reload.
If you follow all the steps above, then you shouldn't have any issue booting the ASA5525 normally.
If this video was helpful to you, please like, share, comment and subscribe to my channel.
This is a living document and will be updated as and when required.
Q1: Why do we keep the backup?
A1: We keep a backup because we need to keep a record of any changes made to the router configuration file. If, due to any untoward incident, the hardware or the software or both get damaged, the administrator can easily retrieve the configuration. Otherwise the person would need to reconstruct a complex router configuration file from memory. When you have a backup of the last working configuration file, you can usually get a router working again within minutes of fixing any (hardware/software or both) problems.
This document describes details about the April 2017 update of the Cisco Trusted Root Bundles and effects on the Cisco Web Security Appliance (WSA).
In an effort to keep the security of our products at the highest level, the Cisco Cryptographic Services team is pleased to announce the release of the next iteration of the Cisco Trusted Root Bundles. This change will also have an effect on WSA.
The bundles will be automatically updated on all supported versions of Cisco AsyncOS for Web, and there are no actions needed from WSA administrators.
These bundles reflect the latest updates to the bundles derived from upstream trusted root stores as of November 2016.
The most important changes to Cisco Trusted Root Bundles to note:
Pursuant to the decision of major trust stores (Google, Apple, Mozilla) to remove them, the new Cisco Trusted Root Bundles no longer contain roots from WoSign/StartCom. Should they resubmit new roots to upstream root stores, we will revisit the decision to remove them from the trust bundles.
The new Cisco Root CA 2099 has been added to all bundles to support new ACT2 chipsets.
The old VeriSign root has been replaced in the Core bundle with the newer root that properly chains VeriSign mPKI certificates.
DST Root CA X1 has been removed from the Core bundle only, as Cisco no longer issues roots from this chain.
What does this mean for WSA users?
Cisco WSA will download the new Root Certificate Bundles using our updater process. No action is needed from WSA administrators.
If WSA is configured to use decryption, requests towards sites whose SSL certificates are signed by WoSign/StartCom will by default be dropped by WSA, as this vendor's Root CA certificates will no longer be trusted by WSA after the update.
More precisely, WSA will apply the action configured in HTTPS Proxy -> Invalid Certificate Handling -> Unrecognized Root Authority / Issuer. This action is DROP by default, and Cisco recommends not changing the default Unrecognized Root Authority action.
In this blog post I'll guide you through the commands to extend a local LAN via any L3 internet uplink and secure it with IPsec!
All you need is L2TPv3 (aka pseudowire), which doesn't require any license upgrade on an 89X router (this is the cheap part)! Be aware that if you want to use a 29XX or similar you need a DATA license!
In this setup I'm using two ISR 892s, since you need routed ports. I haven't tested it with a VLAN SVI yet.
EDIT: I've tested it with an SVI and it works! Here it's listed that it works since 12.4(20)T.
Let's assume you have Office-A with LAN 10.0.0.0/24 and Office-B with LAN 10.0.0.0/24. To interconnect them over a DSL link or similar you need L2TPv3. Let's say the WAN IP of Office-A is 10.10.10.1 and of Office-B it's 10.10.10.2.
Here's your config for Office-A:
l2tp-class l2class
 authentication
 password l2
!
pseudowire-class LAN2LAN
 encapsulation l2tpv3
 protocol l2tpv3 l2class
 ip local interface GigabitEthernet0
!
interface FastEthernet8
 description LAN
 no ip address
 duplex auto
 speed auto
 xconnect 10.10.10.2 1 encapsulation l2tpv3 pw-class LAN2LAN
!
interface GigabitEthernet0
 ip address 10.10.10.1 255.255.255.0
Be aware that Fa8 (your LAN) is not allowed to have an IP address; it's the interface to your switch!
Now check the status with:
R1#show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
  UP=Up DN=Down AD=Admin Down IA=Inactive
  SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP    pri ac   Fa8:3(Ethernet)           UP l2tp 10.10.10.2:1                 UP
You have a running setup, fine! But now your LAN traffic is travelling encapsulated in L2TPv3, yet in plaintext over the wire. Now we have to encrypt the tunnel via IPsec (transport mode). Once the IPsec SA is up, the relevant part of the SA output looks like this:
   local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
   plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
   current outbound spi: 0x900B4A7(151041191)
   PFS (Y/N): Y, DH group: group14
Please don't use this setup in large deployments and/or on slow links! It's just a PoC to show you how to extend your LAN the "dirty" but quick way.
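To check the security point of this post (an xconnect that is up while no IPsec SA protects the peer means LAN frames cross the WAN in plaintext), here is an added Python audit over constructed copies of the two show outputs above; it is not part of the original post. It pairs each L2TPv3 pseudowire peer from "show xconnect all" with the remote crypto endpoint and outbound SPI from "show crypto ipsec sa"; an outbound SPI of 0x0 counts as no active SA. Function names and the second, down pseudowire row are mine.

```python
"""Added audit (not from the post): flag L2TPv3 pseudowires whose peer has no
active IPsec SA, i.e. LAN frames that would cross the WAN in plaintext."""
import re

# Constructed samples modelled on the two show outputs in the post.
SHOW_XCONNECT = """\
XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP    pri ac   Fa8:3(Ethernet)           UP l2tp 10.10.10.2:1                 UP
DN    pri ac   Fa8:4(Ethernet)           UP l2tp 10.10.10.3:2                 DN
"""
SHOW_IPSEC_SA = """\
   local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
   plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
   current outbound spi: 0x900B4A7(151041191)
   PFS (Y/N): Y, DH group: group14
"""

STATES = r"(UP|DN|AD|IA|SB|HS|RV|NH)"
# state, then anything up to the l2tp segment, then peer:vcid and segment-2 state
XC_ROW = re.compile(rf"^{STATES}\s+.*?\bl2tp\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+{STATES}$")


def parse_xconnects(text):
    """Return one dict per L2TPv3 pseudowire row of "show xconnect all"."""
    rows = []
    for line in text.splitlines():
        m = XC_ROW.match(line.strip())
        if m:
            rows.append({"state": m.group(1), "peer": m.group(2),
                         "vcid": int(m.group(3)), "seg2": m.group(4)})
    return rows


def parse_ipsec_sas(text):
    """Map remote crypto endpoint -> True if its current outbound SPI is non-zero."""
    sas, peer = {}, None
    for line in text.splitlines():
        m = re.search(r"remote crypto endpt\.: (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            peer = m.group(1)
            sas.setdefault(peer, False)
        m = re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", line)
        if m and peer:
            # IOS prints 0x0(0) when no SA has been negotiated
            sas[peer] = int(m.group(1), 16) != 0
    return sas


def audit_pseudowires(xconnect_text, ipsec_text):
    """Return (peer, vcid, verdict) for every pseudowire: down, encrypted or plaintext."""
    sas = parse_ipsec_sas(ipsec_text)
    findings = []
    for pw in parse_xconnects(xconnect_text):
        if pw["state"] != "UP":
            verdict = "down"
        elif sas.get(pw["peer"]):
            verdict = "encrypted"
        else:
            verdict = "plaintext"
        findings.append((pw["peer"], pw["vcid"], verdict))
    return findings
```

If you write the crypto ACL for transport mode yourself, L2TPv3 over IP is IP protocol 115 between the two WAN addresses, so that is what the ACL has to match.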
I am trying to document as much as possible of all the new things that I see in ASA. I just tried to export Cisco AnyConnect XML profiles to my local machine, but it didn't allow me to export them. So I had to apply the following steps to export profiles to my local machine.
1. Open ASDM Launcher --> go to Tools --> File Management.
2. Select File Transfer --> drop-down --> Between Local PC and Flash.
3. Select your folder and the Cisco AnyConnect profile .xml file --> click the arrow towards your PC folder.
At this time, we have identified and corrected the issues with the ESA Graymail engine and associated rules that led to the earlier work-queue build-ups on the appliance.
You may re-enable Graymail at this time, and then run "updatenow force" to make sure the new package is pulled from the update server:
Graymail Detection: Disabled
Choose the operation you want to perform:
- SETUP - Configure Graymail.
> setup
Would you like to use Graymail Detection? [Y]> y
Increasing the following size settings may result in decreased performance. Please consult documentation for size recommendations based on your environment.
Maximum Message Size to Scan (Add a trailing K for kilobytes, M for megabytes, or no letters for bytes.): [1M]>
Timeout for Scanning Single Message(in seconds): >
Graymail Safe Unsubscribe: Disabled
Would you like to use Graymail Safe Unsubscribe? [Y]>
Graymail Detection and Safe Unsubscribe is now enabled. Please note: The global settings are recommended only for your DEFAULT mail policy. To configure policy settings, use the incoming or outgoing policy page on web interface or the 'policyconfig' command in CLI.
Choose the operation you want to perform:
- SETUP - Configure Graymail.
>
Please enter some comments describing your changes: > Graymail re-enable
Do you want to save the current configuration for rollback? [Y]> y
Changes committed: Tue Aug 09 12:49:24 2016 EDT
After, please complete the following:
10.0.0-125.local> updatenow force
Success - Force update for all components requested
You will then want to allow five minutes for the updates to complete, or manually watch the updater logs with "tail updater_logs", paying close attention to when the graymail service makes the call to update and load the package:
Tue Aug 9 12:46:46 2016 Info: graymail waiting for new updates
Tue Aug 9 12:47:17 2016 Info: Server manifest specified an update for graymail
Tue Aug 9 12:47:17 2016 Info: graymail was signalled to start a new update
Tue Aug 9 12:47:17 2016 Info: graymail processing files from the server manifest
Tue Aug 9 12:47:17 2016 Info: graymail started downloading files
Tue Aug 9 12:47:17 2016 Info: graymail waiting on download lock
Tue Aug 9 12:48:16 2016 Info: graymail acquired download lock
Tue Aug 9 12:48:16 2016 Info: graymail beginning download of remote file "http://updates-static.ironport.com/graymail/1.0/graymail_tools/default/1003"
Tue Aug 9 12:48:16 2016 Info: graymail released download lock
Tue Aug 9 12:48:16 2016 Info: graymail successfully downloaded file "graymail/1.0/graymail_tools/default/1003"
Tue Aug 9 12:48:16 2016 Info: graymail waiting on download lock
Tue Aug 9 12:48:16 2016 Info: graymail acquired download lock
Tue Aug 9 12:48:16 2016 Info: graymail beginning download of remote file "http://updates-static.ironport.com/graymail/1.0/vaderetro_lib/default/1470761184"
Tue Aug 9 12:48:20 2016 Info: graymail released download lock
Tue Aug 9 12:48:20 2016 Info: graymail successfully downloaded file "graymail/1.0/vaderetro_lib/default/1470761184"
Tue Aug 9 12:48:20 2016 Info: graymail started applying files
Tue Aug 9 12:48:22 2016 Info: graymail applying file "graymail/1.0/graymail_tools/default/1003"
Tue Aug 9 12:48:25 2016 Info: graymail applying file "graymail/1.0/vaderetro_lib/default/1470761184"
Tue Aug 9 12:48:26 2016 Info: graymail apply update and restart graymail
Tue Aug 9 12:48:55 2016 Info: graymail verifying applied files
Tue Aug 9 12:48:55 2016 Info: graymail updating the client manifest
Tue Aug 9 12:48:55 2016 Info: graymail update completed
Tue Aug 9 12:48:55 2016 Info: graymail waiting for new updates
Afterwards, make sure the update shows versions similar to, or newer than, the following:
Component          Version        Last Updated
Graymail Library   01-391.01#13   09 Aug 2016 16:55 (GMT +00:00)
Graymail Tools     1.0-03         09 Aug 2016 16:52 (GMT +00:00)
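Rather than eyeballing the updater log for the download, apply and "update completed" events described above, here is an added Python check (my own code, not Cisco's) that walks an updater_logs excerpt, confirms one full Graymail update cycle, and reports files that were downloaded but never applied or a cycle that never completed. The log sample is a constructed, abridged copy of the excerpt above; function names are mine.

```python
"""Added example (not Cisco code): verify a complete Graymail update cycle in
an ESA updater_logs excerpt, as described in the post."""
import re
from datetime import datetime

# Constructed sample, abridged from the updater_logs excerpt above.
UPDATER_LOGS = """\
Tue Aug 9 12:46:46 2016 Info: graymail waiting for new updates
Tue Aug 9 12:47:17 2016 Info: Server manifest specified an update for graymail
Tue Aug 9 12:47:17 2016 Info: graymail was signalled to start a new update
Tue Aug 9 12:48:16 2016 Info: graymail beginning download of remote file "http://updates-static.ironport.com/graymail/1.0/graymail_tools/default/1003"
Tue Aug 9 12:48:16 2016 Info: graymail successfully downloaded file "graymail/1.0/graymail_tools/default/1003"
Tue Aug 9 12:48:20 2016 Info: graymail successfully downloaded file "graymail/1.0/vaderetro_lib/default/1470761184"
Tue Aug 9 12:48:22 2016 Info: graymail applying file "graymail/1.0/graymail_tools/default/1003"
Tue Aug 9 12:48:25 2016 Info: graymail applying file "graymail/1.0/vaderetro_lib/default/1470761184"
Tue Aug 9 12:48:26 2016 Info: graymail apply update and restart graymail
Tue Aug 9 12:48:55 2016 Info: graymail verifying applied files
Tue Aug 9 12:48:55 2016 Info: graymail update completed
Tue Aug 9 12:48:55 2016 Info: graymail waiting for new updates
"""

# "Tue Aug 9 12:46:46 2016 Info: <message>" (day may be padded with a space)
LINE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) (\w+): (.*)$")


def parse_updater_log(text):
    """Yield (timestamp, level, message) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group(2), m.group(3)


def check_graymail_update(text, service="graymail"):
    """Summarise the last update cycle of a service and flag incomplete ones."""
    started = completed = None
    downloaded, applied = [], []
    for ts, _level, msg in parse_updater_log(text):
        if not msg.startswith(service + " "):
            continue  # lines from other components or the server manifest
        m = re.search(r'(downloaded|applying) file "([^"]+)"', msg)
        if m:
            (downloaded if m.group(1) == "downloaded" else applied).append(m.group(2))
        elif "signalled to start a new update" in msg:
            started, completed, downloaded, applied = ts, None, [], []
        elif "update completed" in msg:
            completed = ts
    problems = []
    if started is None:
        problems.append("no update started")
    elif completed is None:
        problems.append("update started but never completed")
    problems += [f"downloaded but not applied: {f}" for f in downloaded if f not in applied]
    problems += [f"applied without download: {f}" for f in applied if f not in downloaded]
    return {
        "completed": started is not None and completed is not None and not problems,
        "applied": applied,
        "elapsed_s": int((completed - started).total_seconds()) if started and completed else None,
        "problems": problems,
    }
```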
We will post an RCA once this is available for general consumption.
The following is an excerpt of the CSAF TC Charter:
Statement of Purpose
The current threat landscape combined with the emergence of the Internet of Things have profoundly changed how we protect our systems and people, driving us to think about a new approach to cybersecurity, especially around vendor advisories dealing with vulnerability disclosure issues. The purpose of the CSAF Technical Committee is to standardize existing practice in structured machine-readable security vulnerability-related advisories and further refine those standards over time.
The TC will base its efforts on the Common Vulnerability Reporting Framework (CVRF) specification originally developed by the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI intends to contribute CVRF to the TC. Prior to creation of the TC, the CVRF standard has been adopted by several technology vendors and MITRE, which produce information in the CVRF format. Additionally, a number of organizations are consuming information produced in the CVRF format. By building upon the existing CVRF standard, the TC can offer immediate value and quickly support future development to improve the interoperability and utility of the framework in support of providing structured machine-readable security advisories.
Scope of Work
The TC will use CVRF 1.1 as the basis for creating OASIS Standards Track Work Products. One important consideration will be attempting to maintain backwards compatibility with CVRF 1.1, where possible, by carefully considering changes to the input specifications and minimizing the impact to existing implementations. Another important consideration will be to ensure that the specification provides for sufficient interoperability to allow any consuming application to reliably process vulnerability-related remediation advisories from multiple sources without special semantic handling for each source.
The TC will develop format specifications for structured, machine-readable security vulnerability-related security advisories under the OASIS TC process, with the goal of submitting them at the appropriate time to the membership of the organization for consideration as an OASIS Standard. Other contributions will be accepted for consideration without any prejudice or restrictions and evaluated based on technical merit insofar as they conform to this charter.
The TC will make substantive additions and other changes to the CVRF input specification to correct errors and evolve capabilities based on requirements and capabilities identified by OASIS TC members. The TC will rename the framework to more closely align to the primary use (e.g., Common Security Advisory Framework - CSAF). Deliverables will include a major revision of the framework. In addition to the specification deliverables, the TC may deliver supporting documentation and open source tooling on an ongoing basis in support of the TC's published standard(s). The TC expects to produce a major revision of the framework within 18 months of its first meeting.
Constant Tweaking Further Enhances An Already Robust Threat Visibility Service!
Product Manager, Cisco Threat Awareness Service
Ever since we launched Cisco Threat Awareness Service last February, we’ve been working hard to make it even better than it was the day we introduced you to this new Smart Net Total Care functionality.
Right out of the gate, this service received strong reviews and has become a valuable asset to many of our customers. Actually, Craig Behr, a VP with Citynet, recently mentioned how he feels that Threat Awareness Service is an easy-to-use way for companies to enhance their network security. During the conversation, Behr said that “even someone with limited security experience can easily follow the process and gain valuable information.” Thanks, Mr. Behr. I couldn’t agree with you more!
But, even with the accolades we’ve received from our customers, we’re still always looking for ways to tweak this service. That’s why our 1.6 release—which was just made available at the end of August—improves usability functions by:
Simplifying the filtering of dates
Facilitating how users export email addresses
Increasing chart readability, and
Improving communications to Threat Awareness users and partners
As a reminder, Cisco Threat Awareness Service is a portal-based threat intelligence application that is offered directly through the Smart Net Total Care portal. Just by having an active Smart Net Total Care subscription, your company automatically receives the Base Version of this service, at no additional cost. An upgrade to a premium offer is also available for those who require further threat visibility.
If you have any questions about Cisco Threat Awareness Service, just email me at email@example.com. My goal is to help your company improve its overall security by explaining how you can stay on-top of any potential network threats.
The following are examples of the new fields included:
Cisco bug IDs
extensive vulnerability information
full product list
Since the code is open source, you can also add the capability to pull any other fields from the CVRF file. There is even an option to save the result of an API call to a CSV or JSON file, or to display it on screen in a neat table. openVulnQuery is also a library with importable modules: users can import the query_client module to initialize a client with the appropriate credentials and perform queries against the Cisco PSIRT openVuln API. The code is available in the Cisco PSIRT GitHub repository, and the tool can also be installed from the Python Package Index (PyPI).