Secure Web Appliance Release Changes

LD

- The system CPU and memory requirements are changed from 12.0 release onwards.

- By default, TLSv1.3 is enabled on the appliance.

- Cipher ‘TLS_AES_256_GCM_SHA384’ is added to the default cipher list.

- The Cisco AsyncOS 12.0 release provides Web Security Appliance with High Performance (HP) for platforms S680, S690, and S695. 

- A new sub-command highperformance is added under the main advancedproxyconfig command to enable and disable the high performance mode.

- Integration the SWA with Cisco Threat Response (CTR) Portal.

- The appliance supports TLSv1.3 version.

- The configuration file backup feature is moved from the sub menu ‘Log Subscriptions’ to ‘Configuration File’ under System Administration.

- The appliance now supports the upload of ECDSA certificate for HTTPS proxy.

- A new diagnostic CLI proxyscannermap sub-command is added under diagnostic > proxy. Tto displays PID mapping between each proxy and correspond scanner process.

- New option searchdetails is added under the CLI command authcache.

- New sub command CTROBSERVABLE is added under the CLI command reportingconfig to enable or disable the CTR observable based indexing.

GD

- A new sub-command scanners is added under the main advancedproxyconfig command to exclude the MIME types to be scanned by the AMP engine.

MD

- Use TLS 1.2 or later versions to connect the appliance to the AMP File Reputation server.

- AMERICAS (Legacy) cloud-sa.amp.sourcefire.com cannot be configured on the appliance.

- A new option "Enter the number of concurrent scans to be supported by AMP" is added in the main CLI command advancedproxyconfig > scanners > AMP.

you can change the default Unscannable verdict of long running scan eviction to Timeout and vice-versa from new CLI sub-command eviction in the main CLI command advancedproxyconfig > scanners. 

MD

- Alert messages are triggered on the web user interface of the appliance 

when the proxy Malloc Memory crosses 90% of proxy Malloc Memory limit and an Email notification is sent to all 'Alert recipients' configured to receive 'Web Proxy' critical alerts.

- The new web interface provides a new look for monitoring reports and tracking web services.

MD

MD

- New URL Categories Update notification

MD

MD

- TLSv1.2 is enabled by default for Appliance Management Web User Interface

- Session Resumption is disabled by default.

- Message is added to indicate the end of support for CDA in the CDA configuration section.

LD

- By default, the Cisco Success Network feature is enabled on the appliance. 

 - These logs are modified to include more details:

The access logs now display the user name when authentication fails.

The authentication framework logs now display the client IP address for these failed authentication protocols: NTLM, BASIC, SSO (Transparent)

- The Cisco AsyncOS 12.5 release provides Web Security Appliance with High Performance (HP) for platforms S680, S690, and S695. This increases the traffic performance of the current high-end appliances.

- You can now upgrade to 12.5 version and avail the High Performance mode on the models (S680, S690, S695, S680F, S690F, and S695F), even if you have enabled these features on your appliance:

• Web Traffic Tap
• Volume and Time Quotas
• Overall Bandwidth Limits

 - You can now configure Web Proxy IP Spoofing by create an IP spoofing profile and add it to the routing policies. 

- You can now create a custom URL category for YouTube and set policies on the YouTube custom category for secure access control.

- In the new web interface, the appliance has a new page (Monitoring > System Status) to display the current status and configuration of the appliance.

- The Cisco Success Network (CSN) feature enables Cisco to collect telemetry of feature usage information of the appliance.

- REST API for Network, Log Subscription, and Other Configurations.

GD

- Deprecation of TLS 1.0/1.1 :

Use TLS 1.2 or later versions to connect the appliance to the AMP File Reputation server. AMERICAS (Legacy) cloud-sa.amp.sourcefire.com is removed from the AMP File Reputation server list, so AMERICAS (Legacy) cloud-sa.amp.sourcefire.com cannot be configured on the appliance.

- The configuration of cache size for authentication (Network > Authentication > Authentication Settings > Credential Cache Options) is not supported from AsyncOS 12.5.1-035 and later versions.

GD

- The alert messages are displayed on the web user interface of the appliance (System Administration > Alerts > View Top Alerts):

• when the proxy malloc memory crosses 90% of proxy malloc memory limit
• when the proxy gets restarted on 100% of malloc memory

In both cases, an e-mail notification is sent to all 'Alert recipients' configured to receive 'Web Proxy' critical alerts.

MD

- A new URL Categories Update notification is introduced in the banner. An email notification on the upcoming URL category updates is also sent to the users.

MD

MD

MD

- From Cisco AsyncOS 12.5.4 version, TLSv1.2 is enabled by default for Appliance Management Web User Interface.

- After an upgrade to Cisco AsyncOS 12.5.4 version, session resumption is disabled by default.

 - The message is added to indicate the end of support for CDA in the CDA configuration section

MD-Refresh

MD

- After an upgrade to Cisco AsyncOS 12.5, you receive a prompt to restart the proxy process when you execute the networktuning command for the first time.

MD-Refresh

MD

LD

- By default, the HTTP 2.0 feature is disabled. To enable this feature, use the <HTTP2> command.

- The AsyncOS 14.0 for Cisco Web Security Appliance supports TLSv1.3 session resumption in client and server.

- The validity periods of these certificates are modified:

• HTTPS
• ISE
• SAAS
• Appliance Certificates
• Demo/Management Certificate

 - The CLI and the GUI of the appliance now displays message when an upgrade fails due to invalid log name and file name in the log subscriptions.

- By default the polling interval is set to 24 hours.

- After you upgrade to this release, you cannot perform the Start Test for LDAP authentication if the Base DN (Base Distinguished Name) field (Network > Authentication > Add Realm) is empty.

- Cisco Web Security appliance now supports integration with Cisco SecureX.

- You can configure custom header profiles for HTTP requests and can create multiple headers under a header rewrite profile. 

- You can now configure the Header Based Authentication scheme for an active directory. The client and the Web Security Appliance consider the user as authenticated and does not prompt again for authentication or user credentials. The X-Authenticated feature works when the Web Security Appliance acts as an upstream device.

- 

The System Status Dashboard of the appliance has been enhanced:

• Capacity Tab—A that provides details on Time Range, System CPU and Memory Usage, Bandwidth and RPS, CPU Usage by Function, and Client or Server Connections.

• The Proxy Traffic Characteristics under the Status tab provides client and server connections details.

• The Service Response Time now includes more details on bar charts and also legend data for previous dates.

- You can now retrieve configuration information, and perform changes (such as modify current information, add a new information, or delete an entry) in the configuration data of the appliance use REST APIs for Management Policies, Access Policies, and Bypass Policies

- Cisco AsyncOS 14.0 version supports HTTP 2.0 for web request and response over TLS. HTTP 2.0 support requires TLS ALPN based negotiation which is available only from TLS 1.2 version onwards.

In this release, the HTTPS 2.0 is not supported for these features:

• Web Traffic Tap
• External DLP
• Overall Bandwidth and Application Bandwidth

- A new CLI command <HTTP2> is introduced to enable or disable HTTP 2.0 configurations. You cannot enable or disable HTTP 2.0 and restrict domain for HTTP 2.0 through the appliance web user interface.

- The configuration of HTTP 2.0 is not supported through Cisco Secure Email and Web Manage

- The CLI displays the new warning message when you try to use the default certificate of any of these features:

• Appliance certificate (In the web user interface, navigate to Network > Certificate Management > Appliance Certificate)
• Credential Encryption certificate (In the web user interface, navigate to Network > Authentication > Edit Settings > Advanced section)
• HTTPS Management UI certificate (In the command line interface, use certconfig > SETUP)

- A new sub-command OCSPVALIDATION_FOR_SERVER_CERT is added under the certconfig. With this new sub-command you can enable the OCSP validation for LDAP and Updater server certificates. If the certificate validation is enabled, you can receive an alert if the certificates involved in communication are revoked.

- A new CLI command gathererdconfig is added to configure the polling functionality between the appliance and the authentication server.

- You can now choose between Management and Data Interface, while you configure smart license feature on the appliance.

LD

- When you enable smart software licensing and register your Web Security Appliance with the Cisco Smart Software Manager, the Cisco Cloud Services

(Network > Cloud Service Settings) automatically enables and registers your Secure Web Appliance through the Cisco Cloud Services portal.

- You cannot disable or deregister Cisco Cloud Service if smart licensing is registered on your appliance.

- If you have already registered your appliances to Cisco Smart Software Manager, and have not configured Cisco Cloud Services, then Cisco Cloud Services is automatically enabled after you upgrade to AsyncOS 14.0.1-040. By default, the region is registered as Americas, and you can modify the region (Europe and APJC) as required.

- You cannot disable or deregister Cisco Cloud Service if smart license is registered on your appliance.

- You can view the details of the smart account created in the Cisco Smart Software Manager portal from the smartaccountinfo command in the CLI.

- If the Cisco Cloud Services certificate has expired or is about to expire, the Cisco Cloud Service auto renews the certificate after the upgrade to AsyncOS 14.0.1-040.

- If the Cisco Cloud Services certificate is expired, you can now download a new certificate from the Cisco Talos Intelligence Services portal from the cloudserviceconfig > fetchcertificate sub-command in the CLI.

- You can auto register the Web Security Appliance with the Cisco Cloud Service portal (cloudserviceconfig > autoregister sub command in the CLI)

- You can load the certificate for virtual appliance and hardware appliances from updateconfig > clientcertificate sub command in the CLI.

- A new URL Categories Update notification is introduced in the banner.

An email notification is also sent to the users about the upcoming URL category updates.

GD

HP

MD

- In Cisco AsyncOS 14.0.2 version, TLSv1.2 is enabled by default for Appliance Management Web User Interface under System Administrator > SSL Configuration.

- Session resumption is disabled by default.

- Message is added to indicate the end of support for CDA in the CDA configuration section.

- You can now choose between Data or Management interface for Smart License Registration from the Test Interface drop-down list.

MD

- After an upgrade to Cisco AsyncOS 14.0, you receive a prompt to restart the proxy process when you execute the networktuning command for the first time.

HP

- When Secure Web Appliance operates in high performance mode, the heap limit exhaustion disables the high latency and accept handlers. This results in lesser number of connections.

MD

LD

- Product Rebrand:

• AMP for Endpoints, Advanced Malware Protection and AMP were changed to Secure Endpoint
• Thread Grid ( File Analysis) changed to Malware Analytics

- The misclassification request is sent over HTTPS and hence you do not receive security alert notifications.

- The Samba version has been upgraded to version 4.11.15.

- TLSv1.2 is enabled by default for Appliance Management web user interface under System Administrator > SSL Configuration .

- On a fresh installation of AsyncOS 14.5, the Expired and Mismatched Hostname certificate configurations value in the HTTPS Proxy page is selected by default as Drop instead of Monitor.

- The Secure Web Appliance can now validate the DNS response received from the DNS server supports cryptographic signatures.

- The Secure Web Appliance restricts the number of concurrent connections initiated by the client to a configured value.

- With AsyncOS Release 14.5, Cisco Web Security Appliance has been rebranded to Cisco Secure Web Appliance

- The accesslog decision tag in the Decrypt Policy group is appended with EUN (End user Notification) when the EUN page appears on the client web browser.

- The clone policy feature allows you to copy or clone the configurations of a policy and to create a new policy.

- You can manage the traffic bandwidth by configure the bandwidth value in quota profile and map the quota profile in access policy URL category or overall web activity quota.

- REST API to configure management policies, decryption policies, routing policies, IP spoofing policies, Anti-Malware and reputation, Authentication realms, Cisco Smart Software License, Cisco Umbrella Seamless ID, Identity services, and System setup.

- You can integrate ISE-SXP deployment with Cisco Secure Web Appliance for passive authentication. This allows you to get all defined mappings, includes SGT-to-IP address mappings that are published through SXP.

- The Cisco Umbrella Seamless ID feature enables the appliance to pass the user identification information to the Cisco Umbrella Secure Web Gateway (SWG) after successful authentication.

- Message is added to indicate the end of support for CDA in the CDA configuration section.

- You can now choose between Data or Management interface for Smart License Registration from the Test Interface drop-down list.

- After an upgrade to Cisco AsyncOS 14.5, you receive a prompt to restart the proxy process when you execute the networktuning command for the first time.

GD

- These policies with clone option in Secure Web Appliance can also be managed by Cisco Secure Email and Web Manager (SMA):

• Access Policy
• Identification profile
• Decryption Policy
• Routing Policy

MD

MD

LD

- AsyncOS 14.6 provides support to Cisco Umbrella with Cisco Secure Web Appliance (SWA). The integration of Umbrella and Secure Web Appliance facilitates deployment of common web policies from Umbrella to Secure Web Appliance.

LD

- FreeBSD version has been upgraded to FreeBSD 13.0.

- Cisco SSL version 1.0.2 to Cisco SSL version 1.1.1.

- Talos engines such as AVC, WBRSD, DCA, and Beaker have been upgraded.

- Scanner engines such as Webroot and McAfee have been upgraded.

- These enhancements made to the Smart Software Licensing feature:

• License Reservation
• Device Led Conversion—After you register Secure Web Appliance with smart license, all current valid classical licenses are automatically converted to smart licenses with the Device Led Conversion (DLC) process. These converted licenses are updated in the virtual account of the CSSM portal.

- You can manage the traffic bandwidth by configure bandwidth value in quota profile and map the quota profile in decryption policy and access policy, URL category or overall web activity quota.

- The clone policy feature allows you to copy or clone the configurations of a policy and to create a new policy.

- Application Discovery and Control (ADC) engine: 

an acceptable use policy component which inspects web traffic to gain deeper understanding and control of web traffic used for applications.

With AsyncOS 15.0, you can use either AVC or ADC engine to monitor web traffic. By default, AVC is enabled. The ADC engine supports high performance mode.

- REST API for ADC Configuration

- Admin can opt to configure custom SNMPv3 username other than the default username v3get.

- The maximum length of the custom header is 16k.

- Option to chose the secure tunnel interface and remote access connection.

GD

-  Device Led Conversion—After you register Secure Web Appliance with smart licensing, all current valid classical licenses are automatically converted to smart licenses with the Device Led Conversion (DLC) process. These converted licenses are updated in the virtual account of the CSSM portal.

 - By default, AVC is enabled. 

- Cisco SSL version 1.0.2 to Cisco SSL version 1.1.1

- Talos engines such as AVC, WBRSD, DCA, and Beaker have been upgraded.

 - Scanner engines such as Webroot and McAfee have been upgraded.

-  FreeBSD 13.0 is compatible with Cisco SSL version 1.1.1 only.

Only Cisco SSH compatible cipher, mac and kex algorithms, can be supported for SSH connectivity to FreeBSD 13.0.

- The DCA feature in Secure Web Appliance is disabled as part of the AsyncOS15.0 GD release.You can enable it after upgrading to this version by navigating to Security Services>Acceptable Use Controls and check the DCA checkbox.

- The SNMPWALK/SNMPGET operations for SNMP OIDs for Proxy Malloc memory is not supported in the multi-prox SWAs (S690, S695, S1000V).

- License Reservation—You can reserve licenses for features enabled in Secure Web Appliance without connecting to the Cisco Smart Software Manager (CSSM) portal. This is mainly beneficial for users that deploy Secure Web Appliance in a highly secured network environment with no communication to the Internet or external devices.

 - You can manage the traffic bandwidth by configuring the bandwidth value in quota profile and mapping the quota profile in decryption policy and access policy URL category or overall web activity quota.

 - The clone policy feature allows you to copy or clone the configurations of a policy and to create a new policy.

- Supports Application Discovery and Control (ADC) engine, an acceptable use policy component which inspects web traffic to gain deeper understanding and control of web traffic used for applications.

now you can use either AVC or ADC engine to monitor web traffic.

- The ADC engine supports high performance mode.

- You can now retrieve configuration information, and perform any changes (such as modify current information, add a new information, or delete an entry) in the access policy configuration data of the appliance with REST APIs.

- Admin can opt to configure custom SNMPv3 username other than the default username v3get.

- The maximum length of the custom headers to web requests is 16k.

- Option to chose the secure tunnel interface and remote access connection

HP

Has fixe for these Defects:

Cisco bug ID CSCvz26149
Cisco bug ID CSCwf78874
Cisco bug ID CSCwf84371
Cisco bug ID CSCwh31573
Cisco bug ID CSCwh37834
Cisco bug ID CSCwh41379
Cisco bug ID CSCwh48523
Cisco bug ID CSCwh71926

LD

- In AsyncOS 15.1 and later releases, Smart Software License is mandatory.

- The integration of Cisco Umbrella and Cisco Secure Web Appliance facilitates deployment of common web policies from Umbrella to Secure Web Appliance. In addition, you can configure policies through the Umbrella dashboard and view logs.

Version

11.8.X

12.0.X

12.5.X

14.0.X

14.5.X

14.6.X

15.0.X

freebsd

10.4

10.4

10.4

11.2

11.2

11.2

13.0