02-25-2013 01:36 AM - edited 02-21-2020 04:50 AM
Anyone tried and tested 4.4 yet? Opinions?
03-04-2013 02:29 AM
We've installed it in production and upgraded all our firewalls to version 9.
The general experience with it so far is that it's faster. Especially deploying policies is a lot faster than in 4.3 SP1.
Drag and drop to move rules is also now supported. Conflict detection is faster and you now get some very nice reports on what is conflicting for each rule.
There is also a nice "view changes" to show what changes have been done to all devices before deploying.
Health manager is also vastly improved with "traffic lights" in the configuration manager itself to see what the state is.
After upgrading our ASA firewalls from 8.4 to 9 we had to convert the rules to "unified" rules. This did create some problems with our access policies, where our firewall access policy tree was flattened, so we had to rebuild that (all the policies were there though). There are now two firewall access trees, one for pre-9 firewalls and one for >9 firewalls (unified).
We also experienced a problem where the CSM wanted to delete all the contexts and remove all interfaces from our firewalls with multiple contexts initially after upgrading and converting the policies. The configuration in CSM was fine, but when deploying we could see that it was trying to delete. We're not sure why, but the workaround was to delete the device, reimport it from the live device and apply the policy bundles and policies again. After that it's been fine.
All in all we're very happy with 4.4, but there do seem to be some strange occurrences that we cannot understand why are happening, so we're looking forward to the next set of patches/service packs becoming available.
-Michel
03-04-2013 08:34 AM
Good feedback there. I've gone and upgraded too. All good apart from CSM now polling all my IPS modules every half second. It has been filling up my ACS auth logs and caused some ACS alerts, so I have had to filter the IPS modules on the log collector. I'm running 8.4 on my 5585-Xs but will go 9.1 once SP1 is out. CSM does seem to be a good step forward.
Sent from Cisco Technical Support Android App
03-15-2013 05:27 AM
The big problem is that the software does not support all the features of the ASA. We have over 80 firewalls and cannot use the software because there are too many features not supported, just to name a few:
No eigrp support
Natting with Access-list
Problem with site-to-site VPN when you dont control both end (VPN with third party).
ip audit signature
timeout tcp-proxy-reassembly
timeout floating-conn
service resetinbound
service resetoutside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
Most of these are supported in ASDM but not in CSM.
This is very disappointing.
Anyone know of any other software that really supports Cisco ASA for centralized management?
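A practical follow-up to the list above: before importing a fleet of ASAs into CSM it is worth knowing which devices carry any of those commands, since CSM will not manage them and a later deployment can silently drop or rewrite them. The script below is an added example, not code from the post or from Cisco; it scans an ASA running-config for the commands the post names and reports them per device. The config text is constructed for the example, the regexes are my own reading of the command syntax (the `nat`/`static ... access-list` form is the pre-8.3 policy-NAT syntax, assumed here because the post does not say which release those firewalls run), and which commands CSM actually supports depends on the CSM version, so treat the list as a starting point and check the release notes for yours.

```python
"""Audit ASA running-configs for commands a CSM 4.4 user reported as unsupported.

Added example, not from the forum post. The config below is constructed;
the list of commands is taken from the post. Support varies by CSM version,
so verify against the release notes before trusting the result.
"""
import re

# (label, regex) for each command named in the post. Patterns are anchored at
# column 0 so indented sub-mode lines (e.g. " network ..." under router eigrp)
# are not mistaken for global commands. Note that
# "no threat-detection statistics tcp-intercept" is itself the command to flag.
UNSUPPORTED = [
    ("EIGRP routing process", re.compile(r"^router eigrp\b")),
    # Pre-8.3 policy NAT syntax (assumption; the post does not give the release).
    ("NAT with access-list", re.compile(r"^(?:nat|static|global)\b.*\baccess-list\b")),
    ("ip audit signature", re.compile(r"^ip audit signature\b")),
    ("timeout tcp-proxy-reassembly", re.compile(r"^timeout tcp-proxy-reassembly\b")),
    ("timeout floating-conn", re.compile(r"^timeout floating-conn\b")),
    ("service resetinbound", re.compile(r"^service resetinbound\b")),
    ("service resetoutside", re.compile(r"^service resetoutside\b")),
    ("threat-detection basic-threat", re.compile(r"^threat-detection basic-threat\b")),
    ("threat-detection statistics access-list",
     re.compile(r"^threat-detection statistics access-list\b")),
    ("no threat-detection statistics tcp-intercept",
     re.compile(r"^no threat-detection statistics tcp-intercept\b")),
]


def audit_config(config_text):
    """Return [(line_no, label, line), ...] for every flagged command."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        for label, pattern in UNSUPPORTED:
            if pattern.search(line):
                findings.append((line_no, label, line))
                break  # one label per line is enough
    return findings


def devices_with_unsupported(configs):
    """Map hostname -> sorted list of distinct labels found in that device's config.

    Devices with no findings are omitted, so the result is the set of devices
    that cannot be fully managed by CSM as-is.
    """
    report = {}
    for hostname, text in configs.items():
        labels = sorted({label for _, label, _ in audit_config(text)})
        if labels:
            report[hostname] = labels
    return report


# Constructed sample config (not from a real device). Includes a mix of
# flagged commands and ordinary lines that must not be flagged.
CONSTRUCTED_CONFIG = """\
: Saved
hostname fw-edge-01
interface GigabitEthernet0/0
 nameif outside
 security-level 0
access-list POLICY_NAT extended permit ip 10.1.0.0 255.255.0.0 any
nat (inside) 1 access-list POLICY_NAT
timeout xlate 3:00:00
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
router eigrp 100
 network 10.1.0.0 255.255.0.0
service resetinbound
class-map inspection_default
 match default-inspection-traffic
"""

# A second constructed config with nothing CSM would reject.
CLEAN_CONFIG = """\
hostname fw-clean-01
timeout xlate 3:00:00
class-map inspection_default
 match default-inspection-traffic
"""

if __name__ == "__main__":
    for line_no, label, line in audit_config(CONSTRUCTED_CONFIG):
        print(f"line {line_no:3d}: {label:45s} <- {line}")
    print(devices_with_unsupported({"fw-edge-01": CONSTRUCTED_CONFIG,
                                    "fw-clean-01": CLEAN_CONFIG}))
```

Run it against `show running-config` output saved per device; any device that appears in the `devices_with_unsupported` report needs either a manual migration plan for those lines or has to stay outside CSM, which is the decision the post describes for its 80 firewalls.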
03-16-2013 01:32 PM
I'm using it in production for a few FWSMs and some ASAs, purely for managing firewalls. Mainly the configuration manager; all the other software parts are not good enough for me to use.
After the upgrade (we use AD authentication and local RBAC authorization) I could not log into the Admin or the client, and my AD users could not log into the client, saying no role associated. Opened a case, but it progresses extremely slowly. Had to reset the admin password and recreate the local RBAC account matching the one in AD. So far all the other features are working properly.