
HP TippingPoint Security Management System Release Notes

SMS Version 3.2


Abstract: This document contains release-specific information for the HP TippingPoint Security Management System (SMS). The SMS Release Notes describe new and changed features, migration instructions, known issues, and clarifications for the SMS Version 3.2 release. This document is intended for system administrators, technicians and maintenance personnel responsible for installing, configuring, and maintaining HP TippingPoint SMS appliances and associated devices.

Part number: TECHD-000000097 v2
Second edition: October 2010

Legal and notice information
2010 Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided as is without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. TippingPoint, the TippingPoint logo, and Digital Vaccine are registered trademarks of Hewlett-Packard. All other company and product names may be trademarks of their respective holders. All rights reserved. This document contains confidential information, trade secrets or both, which are the property of Hewlett-Packard. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from Hewlett-Packard or one of its subsidiaries. Adobe and Acrobat are trademarks of Adobe Systems Incorporated. Intel and Itanium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation. Oracle is a registered U.S. trademark of Oracle Corporation, Redwood City, California. UNIX is a registered trademark of The Open Group. Printed in the US.


Table of Contents

Overview ................................................ 1
Important Notices ....................................... 1
  Documentation ......................................... 2
  Support ............................................... 2
Special Restrictions .................................... 3
  Upgrades Requirements ................................. 3
  Memory Requirements ................................... 3
  SMS Client Requirements ............................... 3
  SMS Replication Bandwidth Requirements ................ 4
Patches ................................................. 4
Migration ............................................... 5
  Migration Considerations .............................. 5
  Updating the SMS ...................................... 7
  Updating the Digital Vaccine .......................... 8
  Migration Clarifications .............................. 9
What's New ............................................. 11
  Active Response ...................................... 11
  Admin ................................................ 11
  CLI .................................................. 12
  Devices .............................................. 12
  Events ............................................... 13
  External Interface ................................... 14
  Profiles ............................................. 14
  Reports .............................................. 16
Clarifications ......................................... 17
  Database Restore ..................................... 17
  Devices: Expired Licenses ............................ 17
  Devices: Port Health Graphs .......................... 17
  Devices: SSL Appliance Logs .......................... 17
  Device Snapshot: Reputation Entries .................. 17
  Reputation Database .................................. 17
  SMS Backup: Auxiliary Digital Vaccines ............... 17
  SMS Backup: Restoring a Backup ....................... 17
  SMS FIPS ............................................. 18
  SNMPv1 Support ....................................... 18
  Virtual Segments ..................................... 18
  VLAN Translation ..................................... 18
Known Issues ........................................... 19
  Active Response ...................................... 19
  Backups .............................................. 19
  Devices .............................................. 19
  Digital Vaccine ...................................... 20
  Events ............................................... 21
  External Database .................................... 22
  External Interface - API ............................. 22
  Info ................................................. 22
  High Availability .................................... 22
  Interface ............................................ 23
  IPv6 ................................................. 23
  Management IP Address Changes ........................ 23
  MySQL ................................................ 23
  NFS .................................................. 24
  Profiles ............................................. 25
  SMS Health ........................................... 25
  SMS Snapshot ......................................... 25
  TMC .................................................. 26
  Virtual Ports ........................................ 26
  Virtual Segments

TippingPoint SMS Release Notes v. 3.2

SMS v. 3.2 Release Notes


Overview
This document contains information you may need to operate the v. 3.2 release of the SMS TippingPoint Operating System (TOS). It contains information that may not be available in the TippingPoint documentation, including specific exceptions, clarifications, and additional features of the Security Management System (SMS) and the SMS Command Line Interface (CLI). For additional product information, see the product documentation.

Note: To ensure that you have the most current version of the Release Notes and other product documentation, download the documents from the TippingPoint Threat Management Center (TMC) at http://tmc.tippingpoint.com.

The Release Notes contain the following major sections:
  Important Notices on page 1
  Special Restrictions on page 3
  Patches on page 4
  Migration on page 5
  What's New on page 11
  Clarifications on page 17
  Known Issues on page 19

Important Notices
If you are upgrading from a previous major release to a newer major release, consult the release notes for any interim releases. Before attempting an upgrade, read and follow the information in Upgrades Requirements on page 3.


Documentation
For help with features, refer to the SMS online help available through the help area of the product interface. For complete documentation for major releases, refer to the following publications available from the TippingPoint Threat Management Center (TMC) at http://tmc.tippingpoint.com:
  Quick Start TippingPoint SMS Appliance
  SMS Installation and Configuration Guide
  Security Management System Users Guide
  SMS Safety and Compliance Guide
  SMS Deployment Notes
  SMS External Interface Guide
  TippingPoint Event Taxonomy

To download the SMS documentation:

1. Log on to the TippingPoint Threat Management Center (TMC) at http://tmc.tippingpoint.com.
2. Select the Documentation tab and then choose Product Documentation.
3. Select the SMS Product Documentation folder and open the most recent version of the SMS documentation.
4. Select the document to view the guide, or select the download link to download a copy of the guide.

Support
For additional information or assistance, contact TippingPoint Customer Support:

Telephone
North America: +1 866 681 8324
International: +1 512 681 8324

For a list of international toll-free contact numbers, consult one of the following web pages:
  https://tmc.tippingpoint.com/TMC/Content/support/Support_Contacts
  http://www.tippingpoint.com/support.html

E-mail
tippingpoint.support@hp.com


Special Restrictions
Upgrades Requirements
Before upgrading to v. 3.2, the SMS must be running SMS v. 2.5 or later. For more information, see the SMS v. 2.5 Release Notes, available from the TMC. Upgrades from SMS 2.5.0.5182 and newer are supported. Note: Before upgrading from SMS 3.1.1.7943, install the latest patch.

Memory Requirements
SMS v. 3.2 requires an SMS device with a minimum of 2 Gigabytes of memory to operate correctly. To determine whether your SMS has the required amount of memory, run the following command from the CLI:

    sms11 SMS=> get health.memInfo
    Memory info (health.memInfo) = 2120323072 2053787648 66535424 153018368 199217152

The command returns results like the sample above; the first value is the total memory in bytes. If the first number is less than 2 GB, contact TippingPoint TAC for memory upgrade instructions.

SMS Client Requirements

The SMS Client has the following software requirements:

SMS Client Software Requirements

You can monitor the entire TippingPoint system through the SMS client on a computer using:

One of the following operating systems:
  Windows 98, 2nd edition
  Windows NT, Service Pack 5 or later
  Windows 2000, Service Pack 3 or later
  Windows XP
  Apple
  Red Hat Linux

One of the following browsers:
  Microsoft Internet Explorer, version 6.0 or higher
  Firefox
  Safari


SMS Client Hardware Requirements

Hardware requirements include:
  700 MHz Pentium III or equivalent
  SVGA resolution (1024 x 768)
  256 MB of RAM
  120 MB of disk space

SMS Replication Bandwidth Requirements

The SMS v 3.2 has the following bandwidth requirements:
  SMS HA heartbeat and system usage/administration (policy management, etc.) operations: less than 10 Kb/s
  DV and upgrade package download: 1 Mb/s (these operations consume as much bandwidth as is available between the two systems; however, headroom of about 1 Mb/s keeps the two systems reasonably synchronized)
  Event traffic: 1.5 Mb/s per 1000 events/second

Space is allocated on the active SMS HA system to buffer data. Up to a day of data is buffered, which allows for temporary reductions in available bandwidth. When congestion is reduced, the system catches up.

WAN Deployments
When an SMS HA pair is connected over a WAN link:
  Encapsulation overhead introduced by the WAN link may affect the required bandwidth.
  Fragmentation may occur if the MTU on the WAN link is smaller than Ethernet or the traffic is going over a VPN.
  Latency of the WAN link will impact throughput.

Patches
The SMS provides easy and direct methods to install an SMS patch either directly from the TMC or from a local or network file. When a new patch becomes available, an alert message is displayed. Patches provide updates for SMS server and client software. Note: Before installing a patch, you may need to update the base SMS release associated with the patch. See Updating the SMS on page 7. For complete instructions, refer to the Admin section of the SMS online help or the TippingPoint SMS Users Guide.


Migration
  Migration Considerations on page 5
  Updating the SMS on page 7
  Updating the Digital Vaccine on page 8
  Migration Clarifications on page 9

This section details the migration instructions for updating to SMS v. 3.2. Note: Migration information does not apply to Beta Releases.

Migration Considerations
This section contains important migration information. TippingPoint recommends that you read through the entire Migration section before attempting to migrate to SMS v. 3.2. Before you begin your migration, review the following items:
  Image Size on page 5
  Upgrade CD on page 5
  High Availability on page 5
  Reputation on page 6
  Quarantine Host List on page 6
  SMS Migration Steps on page 6
  Time Estimate on page 6

Image Size
The SMS v. 3.2 contains a significant system upgrade from some of the previous versions. When upgrading using the full version, the image size is approximately 700MB.

Upgrade CD
This image is available for download through the TMC. However, due to the increased file size, TippingPoint is also making this upgrade available on CD. Upgrade instructions are included with the Upgrade CD. For an Upgrade CD, contact TippingPoint TAC.

High Availability
Before doing an SMS upgrade, you must disable High Availability (HA). The process for upgrading an HA cluster is to break down the cluster, upgrade each SMS individually, and then re-establish the cluster.


Reputation
Before starting migration:
  Verify that the Reputation Task queue is empty.
  Disable automatic download of Rep DV and scheduled Profile distributions.

Quarantine Host List


Before upgrading to SMS v 3.2, the SMS must be running SMS V 2.5 or later. TippingPoint recommends that you disable all quarantine policies and manually unquarantine any quarantined hosts before upgrading. Note: For SMS V 2.7 and above, the SMS Quarantine feature is named Active Response.

SMS Migration Steps


1. From a browser, log on to the TMC (https://tmc.tippingpoint.com).
2. Download and Install an SMS Software Update: on page 7.
3. Download and Install an SMS Client Update: on page 7.

Time Estimate
Upgrading to SMS v. 3.2 varies in time required. Further steps for updating the Digital Vaccine takes varying times. Prior to any upgrade, be sure to backup your SMS.The SMS v. 3.2 upgrade takes, on average, a total time of 25 minutes. Your system automatically reboots twice during the upgrade. During this upgrade the SMS is only accessible during the first step of the upgrade process. During the remainder of the upgrade, the SMS is not be accessible. The steps in the Time Estimates table describe each operation and duration for a typical SMS upgrade using a software package downloaded from TMC. These times are general estimates based on average system hardware configuration and data. Depending on your system and the data it contains, times may be slightly faster or slower than documented. IMPORTANT: Do not reboot or power cycle the system, doing so may cause the upgrade to fail and leave your system in an unusable state.
Table 1 - 1: Time Estimates - SMS Update Step 1 2 3 4 Task Import or download from TMC Extract image and prepare system Reboot. Upgrade software and OS Reboot. Migrate the database. Manual or Automatic Manual Automatic Automatic Automatic Estimated Time varies * 5 minutes 15 minutes 5 minutes Link Status Up Up Down Down

TippingPoint SMS Release Notes v. 3.2

Migration

Table 1 - 1: Time Estimates - SMS Update Step Task Upgrade Completed 5 SMS Startup Automatic 1 - 2 minutes Up Manual or Automatic Estimated Time Link Status

* See Image Size on page 5. Note: During the SMS upgrade, SMS client access is not available. However you can view detailed upgrade status from the local VGA console

Updating the SMS

The following procedures provide an overview of the steps to perform an SMS software and client update. For detailed steps and other important related information, see the TippingPoint SMS Users Guide. This section includes the following tasks:
  Download and Install an SMS Software Update: on page 7
  Download and Install an SMS Client Update: on page 7

Download and Install an SMS Software Update:

1. Log in to the SMS Client and open the Admin - General screen.
2. Click Download. A dialog box displays the download progress. The system automatically downloads the latest available version directly from the TMC.
3. Click Install.

Download and Install an SMS Client Update:

1. Access the SMS server website. Depending on settings, you may need to log in with your account. In the Address field of your web browser, enter:

    https://<smsipaddr>

   where <smsipaddr> is the IP address you configured for your SMS.

2. On the SMS home page, click the Install the Client link under SMS Client Software.


3. Select the Windows or Linux version. For Windows, in the Download Complete dialog, click Open to start the SMS Client installer. For Linux, from the directory containing the installer, run:

    chmod 755 SMSInstall.sh; ./SMSInstall.sh

4. Follow the instructions for the installer. The installation wizard begins with a scan of your system. If the system does not have a previous SMS Client installed, it indicates the steps and actions to install the application. If the system has a previous SMS Client installed, it informs you that a version is detected and provides an option to continue and upgrade the current version, or to change directories, retaining the older version. The installation wizard continues with messages and information regarding the new client and locations for shortcuts. Each step may include further options and progress indicators. The wizard prompts you to accept a license agreement to proceed.

5. When complete, you can access the client using the desktop icon. Start the client by double-clicking the TippingPoint SMS Client icon on your desktop.

Updating the Digital Vaccine

TippingPoint encourages you to upgrade your IPS devices to the current IPS TOS in order to take advantage of the additional security protection provided by the newer Digital Vaccines. The following table lists IPS TOS versions and corresponding supported DV versions.

Table 1-2: Digital Vaccine Compatibility Matrix

IPS TOS Version                                  Supported DV Version
2.1.0 through 2.1.5, 2.2.0 through 2.2.5         2.2.0
2.1.6, 2.2.6                                     2.2.6
2.5.0, 2.5.1                                     2.5.0
2.5.2, 2.5.3, 2.5.4 through 3.1.1                2.5.2
3.2 and above                                    3.2.0

After installing and updating the SMS, verify that you have the most recent version of the Digital Vaccine package downloaded and installed on your system. For detailed steps and other important related information, see the TippingPoint Security Management System Users Guide. See also Digital Vaccine on page 20.


Migration Clarifications
For further information on migration notices, continue reading the following sections:
  Active Response Policies: Escalate an IPS Quarantine on page 9
  Dashboard View Migration on page 9
  External Database on page 9
  Profiles on page 9
  Quarantine Action Sets on page 10
  Reputation on page 10
  Scheduled Back-up Migration on page 10
  SNMP Trap Actions on page 10
  Memory Requirements on page 3

Active Response Policies: Escalate an IPS Quarantine


After migration is complete, you should review the response policies and de-select Escalate an IPS Profile Quarantine using this Policy. IPS escalation policies must have their Initiation settings for Enable Policy - Enabled Automatic Response via Correlation and Thresholding and Escalate an IPS Quarantine using this Policy enabled. IPS escalation policies require the Inclusions and Exclusions > Allow Response settings to be set to the IP subnet that corresponds to the hosts that will trigger a response. TippingPoint recommends that the Inclusion ranges of any IPS escalation policy do not overlap with the Inclusion ranges of any other IPS escalation policy. If you are using a single IPS escalation policy, TippingPoint recommends that you select Any IP Address for the policy.
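The overlap recommendation above lends itself to an automated post-migration review. The following Python script is an added example, not part of the HP TippingPoint documentation or the SMS product; the policy names and Inclusion ranges are constructed sample data, and the `any` marker stands in for the Any IP Address selection in the policy screen.

```python
"""Post-migration check for IPS escalation policy Inclusion ranges.

Added example, not code from HP/TippingPoint or the SMS product.  The release
notes recommend that Inclusion ranges of different IPS escalation policies do
not overlap, and that a single escalation policy use Any IP Address.  The
policies below are constructed sample data an administrator might transcribe
from the Active Response policy screens.
"""
import ipaddress
from itertools import combinations

ANY = "any"  # stands in for the "Any IP Address" choice in the policy UI

# Constructed sample: policy name -> Inclusion ranges (CIDR, host, or "any")
SAMPLE_POLICIES = {
    "esc-dmz": ["203.0.113.0/24"],
    "esc-users": ["10.20.0.0/16"],
    "esc-servers": ["10.20.50.0/24", "10.30.0.0/16"],  # /24 sits inside esc-users
}


def parse_range(value):
    """Return an ip_network for a CIDR/host string, or ANY for Any IP Address."""
    text = value.strip().lower()
    if text in ("any", "any ip address", "0.0.0.0/0", "::/0"):
        return ANY
    # strict=False accepts host bits set, e.g. 10.20.50.7/24
    return ipaddress.ip_network(text, strict=False)


def ranges_overlap(a, b):
    """True when two parsed ranges share at least one address."""
    if a is ANY or b is ANY:
        return True
    return a.version == b.version and a.overlaps(b)


def find_overlaps(policies):
    """Return (policy_a, range_a, policy_b, range_b) for every pair of Inclusion
    ranges that overlap across two *different* policies.  Overlaps between
    ranges of the same policy are harmless and are not reported."""
    parsed = {name: [parse_range(r) for r in ranges]
              for name, ranges in policies.items()}
    hits = []
    for (pa, ra), (pb, rb) in combinations(parsed.items(), 2):
        for na in ra:
            for nb in rb:
                if ranges_overlap(na, nb):
                    hits.append((pa, str(na), pb, str(nb)))
    return hits


def check_policies(policies):
    """Return a list of findings; an empty list means the layout follows the
    release-note recommendations."""
    findings = [f"overlap: {pa} [{ra}] and {pb} [{rb}]"
                for pa, ra, pb, rb in find_overlaps(policies)]
    if len(policies) == 1:
        (name, ranges), = policies.items()
        if any(parse_range(r) is not ANY for r in ranges):
            findings.append(f"single policy {name}: select Any IP Address "
                            f"instead of explicit ranges {ranges}")
    return findings


if __name__ == "__main__":
    for line in check_policies(SAMPLE_POLICIES) or ["no findings"]:
        print(line)
```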

Dashboard View Migration


When migrating from an SMS V 2.5 and earlier, the Dashboard preferences are reset to the default values. You must manually update the Dashboard preferences for Admin and Operator views.

External Database
After migration, the external database may not be accessible. See External Database on page 22. SMS migration does not support external replication because the external slave server is not controlled by the SMS. After the SMS is migrated to a higher version, external replication users must create a snapshot and download the snapshot from the SMS to re-populate the slave MySQL server. For instructions on how to create and download a snapshot and how to populate the slave server, see the SMS Deployment Note: External Database, available from the TippingPoint Threat Management Center (TMC) at http://tmc.tippingpoint.com.

Profiles
If any of your previous profiles contain the < or > character, you may encounter errors exporting the profiles or editing the details. Prior to upgrading, TippingPoint recommends that you use the Save As option on the profile inventory screen to make a new copy of the profile with a new name that does not contain the < or > characters.


Quarantine Action Sets


If you previously distributed an IPS Quarantine action set to a V 2.1 or older device, you must redistribute the action set after completing all migration procedures. For migration from a V 2.1 SMS, to distribute this action set, you should edit the settings to make the SMS aware a change has occurred. After changing the action set and re-distributing your profile, the new quarantine actions should be correctly configured on your device.

Reputation
When migrating to SMS v. 3.2 from an SMS v2.7 or v3.0 without patch 3, you must reactivate the current DV (if the current DV supports reputation and flow management) to use the reputation feature.

Scheduled Back-up Migration


When migrating from V 2.5.2 or older to SMS v. 3.2, the configuration settings for database scheduled back-up may not migrate properly. You should review the scheduled back-up settings after performing the migration to SMS v. 3.2.

SNMP Trap Actions


For migrations from systems prior to v 2.5, the SNMP Trap Action port has been changed to 162 from 161. Any existing SNMP Trap Actions in a previous SMS version will need to be modified to use the new number.


What's New
This section includes the following topics:
  Active Response on page 11
  Admin on page 11
  CLI on page 12
  Devices on page 12
  Events on page 13
  External Interface on page 14
  Profiles on page 14
  Reports on page 16

For more information on new features or changes, see the What's New section of the corresponding chapter of the SMS Users Guide.

Active Response
Reputation Entry Action
The Reputation Entry action is a new response action type that generates an entry in the Reputation Database. You can configure the response action with values for any Reputation Database tag categories defined in the SMS at the time that the action is created. You can also specify when the SMS Active Response service adds the entries to the Reputation Database: either immediately, or by aggregating the entries and committing them every 60 minutes. You can use the Reputation Entry action to specify untagged (blacklist) entries or tagged entries for the Reputation Database. The Reputation Entry action becomes effective when it is added to an Active Response Policy applied in a Reputation Filter and a match to the defined category occurs.

Admin
Admin Database: Backup and Restore
Beginning with SMS version 3.2, SMS supports restoring a backup taken with a previous version of SMS. For example, you can restore a backup taken with SMS 3.1 and restore it to an SMS 3.2 server. When you restore a previous-version backup, SMS not only restores the database but properly migrates the data and data structures to match the version of SMS currently running on your SMS server.

Server Properties: Authentication through an Active Directory Server


SMS offers an additional method to authenticate client logon requests. In addition to local and RADIUS authentication, you can now configure SMS to authenticate client logon requests with an Active Directory server.

General - System and Port Health: Statistics Shown for Passive SMS Server
When SMS is configured for high availability (HA), the SMS environment is comprised of two SMS servers, one operating in an active role and one in a passive role. SMS now shows health statistics not only for the active SMS server; it now shows the same statistics for the passive SMS server.


Expanded FIPS support


Beginning with SMS 3.2, SMS can be configured to comply with FIPS version 140-2. Within the context of FIPS 140-2, SMS permits you to enable one of two supported levels of FIPS modes: crypto-only and full.

Remote Syslog Events


SMS allows you finer control over the events it sends to a remote syslog server. You can now use a filter to direct a subset of the SMS events to a remote syslog server. Also, when you initially configure a connection to a remote syslog server, you can now choose to send only future events, excluding what could be a sizeable number of historical events.

CLI
High Availability
The following attribute was added to the CLI:

    ha.cluster-info

The HA attribute returns the detailed status for the Passive and Active systems in the SMS HA cluster.

Devices
Editing Multiple Devices on the SMS
The SMS supports selecting and editing multiple devices. Through the SMS, you can apply device configuration settings to multiple devices or device groups at one time.

Import /Export
The SMS provides export and import functions for device settings. Through the Devices > All Devices screen and from a device group member screen, the following new options are available:
  Export the device configuration to a settings file from a selected device using the Export Configuration button.
  Import a device settings file to one or more devices using the Import Configuration button.
The options are also available from the main Edit menu and by right-clicking on a device.

Device Configuration: Remote Authentication


Remote authentication allows the SMS to act as an authentication source for IPS N-Platform devices. User management remains on the device. Remote Authentication is configured through the Services screen. This feature requires port 10043 to be opened. For additional information, see the Port section in the SMS Users Guide or SMS online help.

Packet Trace
Through the Devices (All Devices) screen, the following right-click packet trace options are available: Save and Download to SMS.


System Snapshot
The System Snapshot feature was reworked and includes the following functionality:
  New Snapshot creates a new system snapshot and places it on the device.
  Archive Snapshot archives a device snapshot on the SMS.
  Snapshots for N-Platform devices have the option to include LSM-created Reputation Entries as well as Reputation DV and SMS-created entries.

TP 10/110/330 Devices
TippingPoint 10/110/330 devices that are new or that are upgraded to TippingPoint Operating System version 3.1.4 or above have increased functionality and include many of the same features that are included in N-Platform devices. To manage these new or upgraded devices, the SMS must be version 3.2 or later. For more information about these devices or upgrades to these devices, refer to the documentation for the specific device or the documentation for TOS version 3.1.4 and above.

TP SecBlade 1200N
The TippingPoint SecBlade 1200N IPS, an industry-leading Intrusion Prevention Systems (IPS) product developed by TippingPoint, is compatible with the H3C S7500E series switches. You can add multiple TP SecBlade 1200N modules to an H3C S7500E switch for service expansion. The TP SecBlade can be installed in H3C S7500E series switches and inspects up to 1.3 Gbps of traffic.

TP SSL Appliance 1500S


The SMS can be used to monitor the TippingPoint SSL Appliance. The 1500S is a hardware-based appliance with dedicated SSL processing that decrypts SSL traffic between clients and site servers and sends the decrypted traffic to a TippingPoint Intrusion Prevention System (IPS) device for analysis.

TippingPoint vController
You can access the TippingPoint vController from the SMS. The TippingPoint vController secures network traffic in virtualized environments and is part of the TippingPoint Secure Virtualization Framework (SVF). Access to the TippingPoint vController management interface is available from the SMS.

Events
Custom Queries
The SMS allows you to customize a query expression. You may modify the expression to use different operators such as AND and OR, or change the order of operations using parentheses.

Packet Trace
This release adds the ability to request multiple packet trace files from multiple events or all packet traces on a specific device.

Packet Trace; Events Screen


Through the Events screen, the following right-click packet trace options are available: View, Save, Download to SMS, Configure View Settings.


Packet Trace: External Viewer


Through the Events screen, you can configure the Packet Trace Viewer to use:
  Internal Packet Capture Viewer
  An application registered with the pcap file association
  External Packet Capture Viewer

Packet Trace: Devices Screen


Through the Devices screen, the following right-click packet trace options are available: Save and Download to SMS.

Remote Syslog Events


Filtered events can be directed to a remote Syslog server. Through the SMS Admin interface, you can configure which events are sent to a remote Syslog server. When you create a new remote Syslog server, you have the option to exclude backlog events. See also External Interface on page 14 and the SMS Remote Syslog Deployment Note available from the Deployment Note area of the TMC.

Reputation Events
When an Events entry represents a reputation event, a tool tip displays for the Filter Name column of the Events screen. You can view extended information by pressing F2 when the tool tip is displayed. This expanded information is also displayed in the Event Details dialog in the Description field for reputation events. The following information is included:
  Criteria for the filter that created the event.
  Tag values for the matching entry from the reputation database. This includes both Reputation DV and user-defined tags.

External Interface
Packet Trace
For SMS v3.2, API support was added for device and event-based packet trace.

Profiles
Custom Shield Writer/Digital Vaccine Toolkit
The Custom Shield Writer (CSW) was renamed to Digital Vaccine Toolkit (DVT).

Deployment Mode
Digital Vaccines contain deployment settings for filters that address specific types of deployments (such as perimeter, core, and datacenter). For 3.2 and above, the Deployment Mode setting for profiles replaces similar functionality provided in the following TippingPoint preloaded DV-based profiles:
  TippingPoint Enhanced Security Perimeter Profile
  TippingPoint Recommended Core Profile
  TippingPoint Enhanced Security Server Protection Profile


Updates to TippingPoint Preloaded Profiles are not supported for SMS v3.2 and above. To replace this functionality, use the Deployment Mode option.

Profile Inheritance
Profiles can be set up with a hierarchy, and profile attributes can be inherited. For each profile in the hierarchy, the following items can be inherited from the profile in the next level up:
  Application and Infrastructure Restrictions/Exceptions
  Performance Protection Restrictions
  Reputation Exceptions
  Category settings
  Filters from the DV, Auxiliary DV and Custom Packages
  Advanced DDoS filters
  Traffic Thresholds filters
  Reputation filters
  Traffic Management filters

Profile Import/Export
The import/export profile function was extended to allow import and export directly into or out of another SMS.

Reputation Database Interface


The main screen was redesigned and has the following tabbed interface:
  Summary Tab: provides a summary of the number of entries in the database and the status of the database synchronization progress.
  Activity Tab: provides information about Reputation Database activity, including sync progress and database tasks.
  Tag Categories Tab: provides information on tag categories, which define the types of tags that may be used to tag reputation database entries. A tag category can be created manually or by the Reputation DV.

Reputation DV
SMS supports the Reputation Digital Vaccine (DV), a subscription-based service that identifies and delivers suspect IP and DNS addresses to subscribers.

User Provided Entries


The User Provided Entries screen was redesigned and has the following options:
  Import User Provided entries
  Add User Provided entries
  Delete User Provided entries
The search function was moved to a new node in the left navigational tree.


Search
The Search function was moved to the new Reputation Database Search screen and can be accessed from the left navigational menu. The Search function has the following new search options:
  Include User Entries
  Include Reputation DV Entries
These entries are displayed in a separate column on the search results table.

Events: Reputation Information


When an Events entry represents a reputation event, a tool tip displays for the Filter Name column of the Events screen. You can view extended information by pressing F2 when the tool tip is displayed. This expanded information is also displayed in the Event Details dialog in the Description field for reputation events. The following information is included:
  Criteria for the filter that created the event.
  Tag values for the matching entry from the reputation database. This includes both Reputation DV and user-defined tags.

Reports
Reputation Report Templates
SMS supports the following Reputation reports for the devices that support the Reputation feature:
  Reputation: All Reports
  Reputation: Specific Reports
  Reputation: Top Reports

SecBlade Report Templates


SMS supports the following Attacks reports for SecBlade:
- Attacks: All Reports
- Attacks: Specific Reports
- Attacks: Top Reports
- Device Traffic Reports


Clarifications
Database Restore
For SMS v. 3.2, patches should be reapplied after a database restore if the database and system versions do not match.

Devices: Expired Licenses


If a device has an expired license in the Threat Management Center (TMC), the SMS does not allow the distribution of a Digital Vaccine to that device.

Devices: Port Health Graphs


For port health, the device stores the last 60 minutes of values and displays those values for the graphs. The charting interval is not related to the polling interval preferences.

Devices: SSL Appliance Logs


To get logs from a managed SSL device, the customer needs to set up the SMS as the syslog destination in the SSL web client.

Device Snapshot: Reputation Entries


If the device snapshot is restored to the device, entries that were changed on the SMS due to user entry modifications or Reputation DV entry changes are not synchronized to the device. To synchronize SMS entries with the device, distribute the required profiles from the SMS.

Reputation Database
The SMS limits the number of user-provided reputation entries to a maximum of six million. The actual maximum that can be processed may be lower depending on the number of CIDRs used, the number of addresses each CIDR specifies, and whether or not each CIDR overlaps with other CIDRs. The SMS limits the number of tag categories to a maximum of six. This includes any tags provided by the Reputation DV which currently has three.
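A pre-import check for a user-provided entry file against the two limits stated above, added here as an example and not SMS code. It assumes (the page does not say how the SMS accounts internally) that the addresses a CIDR expands to, after collapsing duplicates and overlaps, are what consume capacity; the entry file and tag-category count are constructed.

```python
import ipaddress

MAX_USER_ENTRIES = 6_000_000        # SMS limit on user-provided reputation entries
MAX_TAG_CATEGORIES = 6              # SMS limit on tag categories in total
REPUTATION_DV_TAG_CATEGORIES = 3    # categories the Reputation DV already provides

# Constructed sample of a user-provided entry file: one IP address, CIDR or DNS name per line.
SAMPLE_ENTRIES = """\
198.51.100.0/24
198.51.100.0/25
203.0.113.7
203.0.113.7
bad.example
10.0.0.0/8
"""


def parse_entries(text):
    """Split the file into IP networks (a bare address becomes a /32 or /128) and DNS names."""
    networks, names = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            names.append(line)
    return networks, names


def address_coverage(networks):
    """Distinct addresses covered once duplicate and overlapping CIDRs are collapsed.

    Returns (distinct_addresses, number_of_cidrs_absorbed_by_overlap).
    """
    collapsed = []
    for version in (4, 6):  # collapse_addresses() accepts only one IP version at a time
        same = [n for n in networks if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    return sum(n.num_addresses for n in collapsed), len(networks) - len(collapsed)


def check_capacity(text, user_tag_categories):
    """Assumption: expanded addresses, not just entry lines, count against the limit,
    so one large CIDR can exhaust it while the entry count stays tiny."""
    networks, names = parse_entries(text)
    entries = len(networks) + len(names)
    addresses, absorbed = address_coverage(networks)
    total_categories = user_tag_categories + REPUTATION_DV_TAG_CATEGORIES
    return {
        "entries": entries,
        "addresses_covered": addresses,
        "cidrs_absorbed_by_overlap": absorbed,
        "entries_ok": entries <= MAX_USER_ENTRIES,
        "addresses_ok": addresses <= MAX_USER_ENTRIES,
        "tag_categories_ok": total_categories <= MAX_TAG_CATEGORIES,
    }


if __name__ == "__main__":
    for key, value in check_capacity(SAMPLE_ENTRIES, user_tag_categories=3).items():
        print(f"{key}: {value}")
```

With the sample file, six entries pass the entry-count limit but the 10.0.0.0/8 pushes the covered addresses past six million, and a fourth user tag category would exceed the category limit once the three Reputation DV categories are counted.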

SMS Backup: Auxiliary Digital Vaccines


All active auxiliary DVs are included in an SMS backup. The backup summary and email display the number of auxiliary DVs that were backed up.

SMS Backup: Restoring a Backup


When restoring an SMS backup, you must open the following port: TCP 943.


SMS FIPS
Full-FIPS Mode Preparations
When preparing the SMS for Full-FIPS Mode, we recommend that you:
- Perform an SMS backup and archive the backup on a separate system.
- Disable telnet and http services on the SMS. The https services may still be enabled.

FIPS 140-2 Compliance


To ensure continued FIPS 140-2 compliance during operation, the telnet and http services should not be enabled on the SMS.

FIPS Key
When installing a FIPS key with the SMS Web Page to complete the Full-FIPS configuration, it is possible to inadvertently skip the key installation. When this occurs, the SMS must be rebooted and the Password Recovery procedure executed to restore the SMS to functionality. The Full-FIPS configuration process will then need to be re-executed. When installing a FIPS key to complete the configuration of your SMS from FIPS key transition mode to Full-FIPS mode, make sure that the FIPS key imported is the appropriate FIPS key for your SMS and managed devices.

SNMPv1 Support
SMS v. 3.1 and above does not support SNMPv1.

Virtual Segments
Only IPS-N devices support 4095 as an ID for virtual segments. All other IPS devices do not support 4095 as an ID for virtual segments.

VLAN Translation
For VLAN Translation, Spanning Tree Protocol (STP) is not supported on the links attached to the IPS.


Known Issues
- Active Response on page 19
- Backups on page 19
- Devices on page 19
- Segment Names on page 20
- Digital Vaccine on page 20
- Events on page 21
- External Database on page 22
- Interface on page 22
- IPv6 on page 23
- Management IP Address Changes on page 23
- MySQL on page 23
- NFS on page 23
- Profiles on page 24
- SMS Health on page 25
- SMS Snapshot on page 25
- TMC on page 25
- Virtual Ports on page 26
- Virtual Segments on page 26

Active Response
SSH
SSH is currently not a supported Active Response communication option for network devices.

Backups
Restoring Backups
After restoring a backup, the SMS may need to be restarted in order to view new available SMS software.

Devices
Core Controller
Adding a Core Controller to the SMS
Before the process of adding a Core Controller to the SMS is complete, the SMS system log may display an error message indicating hardware notifications from an unknown device. When the process completes, a subsequent system log message indicates that the Core Controller was successfully added.


Snapshot
Snapshot for Core Controller using spaces in the name fails.

Tool Tips
The tool tip for the Port Health Graphs does not show data for both input and output. The tool tip only shows the data for input. The tool tip shows two numbers:
- First number: time in seconds from the beginning of the graph
- Second number: input data

Device Replace
The device replace feature is not supported for Core Controllers.

Device Groups
If you launch the Segment Details - Edit dialog from the Network Summary panel on a device group, and change the segment group assignment of the segment you are editing, you must click Refresh to display the new segment group assignment.

IPS-N Devices
These devices only support Digital Vaccine version 2.5.2.7577 and higher. Distributing any prior DV version fails.

Segment Names
Special characters in a segment name on a 3.1+ IPS can cause SMS to fail to manage the device. Recent updates to device TOS 3.1 & 3.2 are causing an issue when special characters are used in a segment name on the device. The SMS may fail to manage a device with these special characters. Also, in the case where a device is already managed by the SMS, the SMS will begin to show errors in the audit log and debug logs related to the device, and the device may not show the correct up-to-date information in the SMS Client. To work around the issue, use the LSM on the device to change the segment name to include only alpha-numeric characters and then re-manage the device with the SMS.

Digital Vaccine
The 3.2 Digital Vaccine can only be used on 3.2 TOS versions. The 2.5 and later Digital Vaccines cannot be used on 2.2 or earlier TOS versions. 2.2 Digital Vaccines cannot be used on a 2.5 and later X-Family or IPS device. The SMS can use 2.2, 2.5 or 3.2 Digital Vaccines. When switching between 2.2 and 2.5 and later Digital Vaccines, log off the SMS Client and log on again to refresh the screens. For 2.2 and 2.5 and later Digital Vaccines, the last number in the version is important. The two types of Digital Vaccines are equivalent if the last version number is the same. For example, Digital Vaccine 2.2.0.7084 is the 2.2 version of Digital Vaccine 2.5.0.7084. They are not the same Digital Vaccine package, but they are functionally equivalent.


Auto-download and Auto-distribution


Auto-download and auto-distributions on a v. 3.2 SMS distribute the correct Digital Vaccine package to the correct devices:
- 3.2 Digital Vaccines automatically download and distribute to 3.2 TOS devices.
- 2.5 and later Digital Vaccines automatically download and distribute only to 2.5 and later X-Family and IPS devices.
- 2.2 Digital Vaccines automatically download and distribute to 2.2 and earlier IPS devices.

DV Filter Settings
New DVs possess a platform-specific recommended setting for a set of filters. If you select default recommended settings, those filters that have the platform-specific recommendations are enabled but are not displayed as enabled on the SMS. The LSM correctly displays the filter status on that platform.

Events
Event Search
Event search does not apply network source/destination address criteria correctly. Applying search criteria to the events view in the SMS does not search correctly when using multiple address/CIDR criteria in the Src Addr(s) or Dst Addr(s) network criteria fields.

Exporting Query Results


When exporting query results from using the file menu option in Events, the exported output displays the raw event data. For exported output that shows resolved DNS and named resources, select one or more rows in the query results and use the right-click options.

Searching Events
When searching for events, it may not be possible to query for records using certain criteria under the following circumstances:
- Events were generated from IPS devices that have not had a profile distributed to them by the SMS.
- Segments were deleted from the SMS.

External Reporting: Unix Time Stamps


Unix time stamps have milliseconds appended. The SMS takes this into account. However, external reporting for either replication or access may be impacted. In those instances, the time must be divided by 1000 or otherwise truncated so that it is not returned as NULL.


External Database
If you migrate from v. 3.0, you should apply patch 3. Otherwise, the external database may not be accessible. To make the database accessible:
1. From the Admin Navigation menu, select Database.
2. In the External Database Settings section, click Edit.
3. The Edit External Database Settings wizard displays.
4. Turn off external access/external replication.
5. Turn on external access/external replication.
6. Reboot the SMS.

External Interface - API Info


Web Services: Reputation
Reputation add via Web Services does not support exact match for DNS import.

High Availability
When the active SMS cannot communicate with the passive SMS, the SMS health does not display.

Interface
SMS Interface Input Fields
Many fields in the SMS are validated as the user enters a value. The validation is a textual analysis only. A value may be displayed as valid (that is, without the red underline) because the information is properly formatted, but it may not accurately reflect a valid address. For example, in an IP address field, the value 1.1.1.1 is displayed as valid when there is no such address. Or, an email address may be displayed as a valid RFC822 value, but messages to that address cannot be delivered because of the local SMTP server configuration.

Viewing LSM through SMS


Login During Database Restore
During a restore process of the SMS, you are not allowed access to the system. This restriction protects the system from having new events or changes occur in the database while restoring data. In the event that you or TippingPoint technical assistance believes the restore has issues, you can reboot the SMS to access the system and service.


IPv6
High Availability
High Availability (HA) is not supported with IPv6. If the SMS is IPv6 only, the HA configuration button will display an error when selected.

IPv4 Hardware
When an SMS Client is connected to the server using IPv6 protocol, and the IPv6 traffic is being tunneled through IPv4 hardware, the SMS audit logs, system logs, and active sessions table will show 0.0.0.0 as the client's IP Address.

Network Management
If you are editing the Network Management configuration and want to disable IPv4, use IPv6 to manage the network BEFORE you disable IPv4. If you are editing the Network Management configuration and want to disable IPv6, use IPv4 to manage the network BEFORE you disable IPv6.

SMS Backups
SMS backups to IPv6 NFS destinations are not supported. SMB, sFTP and SCP backups can be done to servers with an IPv6 address.

TMC
The TMC does not support IPv6. An SMS operating in IPv6-only mode will not be able to contact the TMC, unless the SMS IP address is NAT-ed or uses a proxy that has NAT configured.

Management IP Address Changes


When the management IP address has changed, an SMS restart is required. If a restart is not done, problems may occur with device management and configuring an SMS for high availability.

MySQL
The SMS supports versions 5.0 and above of MySQL.

NFS
The SMS must have write permission for the anonymous user on the directory exported by the specified NFS server for the following NFS export cases:
- export backup
- export profile
- export report


Profiles
Action Sets
When working within SMS v. 3.2, you are unable to successfully modify a previously unmodified action set. If the action set has never been modified, changes made within the SMS are displayed, but those changes will not be successfully pushed to the IPS. If the action set had been altered before, subsequent changes will be successfully pushed to the IPS.

External Replication
The SMS HA and external replication both rely on MySQL replication technology. At times, the HA configuration is in conflict with external replication. TippingPoint does NOT recommend using SMS HA and external replication at the same time.

Filter Locks
The locked settings are not retained during the import-export cycle if the locked filter:
- is using category settings, or
- doesn't have any exceptions, or
- has AFC settings that have not been changed.

Filter Resets
After an IPS device completes a successful filter reset, the SMS resets the profile iteration ID during the rediscovery process. During this time, the filter and profile IDs may be out of sync and generate a warning.

Profile Distribution Details


If a device does not support certain filter capabilities, such as DDoS, those filters are removed from the distribution. A list of removed filters is available on the Distribution Detail screen in the Extended Status for each device.

Profile Import/Export
When an SMS is in Full FIPS Mode, importing or exporting a profile to or from another SMS is currently not supported.

Reconnaissance Filters: IPS Quarantine Actions


For an SMS V 2.6 and later, Quarantine actions are not allowed for the 7000-7004 Reconnaissance Scan/Sweep filters.

Reconnaissance Filters: N-Platform Devices


3.2 N-Platform management requires an activated 3.2 DV for Reconnaissance Filters 7000-7005.


Reputation Filter Imports


When importing a Reputation Filter from one SMS to another, the tags and list item names must exist on the importing SMS exactly as they are listed on the exporting SMS. Reputation Filters that change tag category types result in import errors and blocked delta distributions.

Reputation Database Search


The Cancel button on the Reputation Database search page does not work.

Traffic Management Filters


Traffic Management filters for ANY IPv6 to ANY IPv6 must be created using the LSM for the IPS device.

SMS Health
System Health Thresholds
SMS System Health Thresholds are view-only. Threshold settings are indicated on the interface. When the system exceeds a threshold setting, the color of the associated indicator changes.

SMS Snapshot
For N-Platform IPS devices with TOS 3.1 and below, the SMS interface incorrectly displays the option to include Manual Reputation DV entries when performing a snapshot of the system. Selecting this option will result in an error.

TMC
Authenticated TMC Proxy Server
For client proxy authentication, some servers support multiple schemes for authenticating users. Because only one authentication scheme may be used at a time, the SMS proxy client must choose which scheme to use. By default, the SMS uses the following order of preference to select the authentication scheme: NTLM, Digest, Basic. If your proxy server encounters authentication issues with the SMS, you may need to create a rule in the proxy server for the IP address of the SMS to bypass authentication. For more information on how to configure an authenticated TMC Proxy Server, see the Admin section in the online help or User's Guide. The most recent documentation is available from the TippingPoint Threat Management Center (TMC), https://tmc.tippingpoint.com. The TMC does not support IPv6. An SMS operating in IPv6-only mode will not be able to contact the TMC, unless the SMS IP address is NAT-ed or uses a proxy that has NAT configured.


Virtual Ports
When a TippingPoint device is added to the SMS, any unused virtual ports (those that are not in a virtual segment in a profile) will be deleted by the SMS. In order to keep any such virtual ports, put them into a virtual segment, in a combination the SMS considers valid, before adding the TippingPoint device.

Virtual Segments
The SMS does not add a TippingPoint device if the device has virtual segments that are invalid for the SMS. Invalid virtual segments include cases where the VLAN IDs on the incoming and outgoing zones do not all match each other, or where the same port is used for both the incoming and outgoing zones. You can identify these segments on the IPS device by examining the IPS System Log for a message similar to "Suspicious in/out combination: no traffic will ever match name1-name2. Please examine your virtual ports and profiles configuration." The following examples would cause the SMS to not add a TippingPoint device:
- Port 1 VLAN ID 10,20,30 - Port 2 VLAN ID 20,30,40
- Port 1 VLAN ID 88 - Port 2 VLAN ID 99
- Port 1 VLAN ID 1000 - Port 1 VLAN ID 1000

If this occurs, remove the profile or correct the virtual segment on the TippingPoint device before you attempt to re-add the device to the SMS.
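A pre-flight check, added here as an example and not SMS or device code, that applies the two virtual segment rules above together with the alphanumeric segment name workaround from the Segment Names issue, so a device's segments can be reviewed before re-adding it. The zone notation follows the release notes ("Port 1 VLAN ID 10,20,30"); the sample segment list is constructed, and treating any character outside A-Z, a-z, 0-9 as "special" is an assumption.

```python
import re
from dataclasses import dataclass

# Workaround from the Segment Names issue: names limited to alphanumeric characters (assumption:
# everything else, including '-' and '_', counts as a special character).
SEGMENT_NAME_RE = re.compile(r"^[A-Za-z0-9]+$")
ZONE_RE = re.compile(r"Port (\d+) VLAN ID ([\d,]+)")  # notation used in the release notes


@dataclass(frozen=True)
class Zone:
    port: int
    vlan_ids: frozenset


def parse_zone(text):
    """Parse one side of a virtual segment, e.g. 'Port 1 VLAN ID 10,20,30'."""
    m = ZONE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised zone: {text!r}")
    return Zone(int(m.group(1)), frozenset(int(v) for v in m.group(2).split(",")))


def virtual_segment_problems(incoming, outgoing):
    """The two invalid combinations the release notes describe."""
    problems = []
    if incoming.port == outgoing.port:
        problems.append("same port used for incoming and outgoing zones")
    if incoming.vlan_ids != outgoing.vlan_ids:
        problems.append("VLAN IDs differ between incoming and outgoing zones")
    return problems


def segment_name_problems(name):
    if SEGMENT_NAME_RE.match(name):
        return []
    return [f"segment name {name!r} contains non-alphanumeric characters"]


def check_segments(segments):
    """segments: iterable of (name, incoming_zone_text, outgoing_zone_text).
    Returns {name: [problem, ...]}; an empty list means the segment passed both checks."""
    report = {}
    for name, incoming, outgoing in segments:
        report[name] = segment_name_problems(name) + virtual_segment_problems(
            parse_zone(incoming), parse_zone(outgoing))
    return report


# Constructed sample; the first three rows are the invalid combinations quoted in the notes.
SAMPLE_SEGMENTS = [
    ("seg1", "Port 1 VLAN ID 10,20,30", "Port 2 VLAN ID 20,30,40"),
    ("seg2", "Port 1 VLAN ID 88", "Port 2 VLAN ID 99"),
    ("seg3", "Port 1 VLAN ID 1000", "Port 1 VLAN ID 1000"),
    ("seg4", "Port 1 VLAN ID 100,200", "Port 2 VLAN ID 200,100"),
    ("dmz-web", "Port 3 VLAN ID 50", "Port 4 VLAN ID 50"),
]

if __name__ == "__main__":
    for name, problems in check_segments(SAMPLE_SEGMENTS).items():
        print(name, "OK" if not problems else "; ".join(problems))
```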
