Platform Features
|
New default configuration for the ASA 5506-X series using Integrated Routing and Bridging
|
A new default configuration will be used for the ASA 5506-X series. The Integrated Routing and Bridging feature provides an alternative to using an external Layer 2 switch. For users replacing the ASA 5505, which includes a hardware switch, this feature lets you replace the ASA 5505 with an ASA 5506-X or other ASA model without using additional hardware.
The new default configuration includes:
- outside interface on GigabitEthernet 1/1, IP address from DHCP
- inside bridge group BVI 1 with GigabitEthernet 1/2 (inside1) through 1/8 (inside7), IP address 192.168.1.1
- inside --> outside traffic flow
- inside --> inside traffic flow for member interfaces
- (ASA 5506W-X) wifi interface on GigabitEthernet 1/9, IP address 192.168.10.1
- (ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow
- DHCP for clients on inside and wifi. The access point itself and all its clients use the ASA as the DHCP server.
- Management 1/1 interface is Up, but otherwise unconfigured. The ASA FirePOWER module can then use this interface to access the ASA inside network and use the inside interface as the gateway to the Internet.
- ASDM access—inside and wifi hosts allowed.
- NAT—Interface PAT for all traffic from inside, wifi, and management to outside.
If you are upgrading, you can either erase your configuration and apply the default using the configure factory-default command, or you can manually configure a BVI and bridge group members to suit your needs. Note that to easily allow intra-bridge group communication, you need to enable the same-security-traffic permit inter-interface command (this command is already present for the ASA 5506W-X default configuration).
|
Alarm ports support on the ISA 3000
|
The ISA 3000 supports two alarm input interfaces and one alarm out interface. External sensors such as door sensors can be connected to the alarm inputs. External devices like buzzers can be connected to the alarm out interface. Triggered alarms are conveyed through two LEDs, syslogs, SNMP traps, and devices connected to the alarm out interface. You can configure descriptions of external alarms. You can also specify the severity and trigger for external and internal alarms. All alarms can be configured for relay, monitoring, and logging.
We introduced the following screens:
|
Microsoft Azure Security Center support on the ASAv10
|
Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper-V hypervisor. Microsoft Azure Security Center is a Microsoft orchestration and management layer on top of Azure that simplifies the deployment of a highly secure public cloud infrastructure. Integration of the ASAv into Azure Security Center allows the ASAv to be offered as a firewall option to protect Azure environments.
|
Precision Time Protocol (PTP) for the ISA 3000
|
The ISA 3000 supports PTP, a time synchronization protocol for nodes distributed across a network. It provides greater accuracy than other time synchronization protocols, such as NTP, due to its hardware timestamp feature. The ISA 3000 supports PTP forward mode, as well as the one-step, end-to-end transparent clock. We added the following commands to the default configuration to ensure that PTP traffic is not sent to the ASA FirePOWER module for inspection. If you have an existing deployment, you need to manually add these commands:
object-group service bypass_sfr_inspect
service-object udp destination range 319 320
access-list sfrAccessList extended deny object-group bypass_sfr_inspect any any
We introduced the following screens:
|
Automatic Backup and Restore for the ISA 3000
|
You can enable auto-backup and/or auto-restore functionality using pre-set parameters in the backup and restore commands. The use cases for these features include initial configuration from external media, device replacement, and rolling back to an operable state.
We introduced the following screen:
|
Firewall Features
|
Support for SCTP multi-streaming reordering, reassembly, and fragmentation. Support for SCTP multi-homing, where the SCTP endpoints have more than one IP address.
|
The system now fully supports SCTP multi-streaming reordering, reassembly, and fragmentation, which improves Diameter and M3UA inspection effectiveness for SCTP traffic. The system also supports SCTP multi-homing, where the endpoints have more than one IP address each. For multi-homing, the system opens pinholes for the secondary addresses so that you do not need to write access rules to allow them. SCTP endpoints must be limited to 3 IP addresses each.
We did not modify any screens.
|
M3UA inspection improvements.
|
M3UA inspection now supports stateful failover, semi-distributed clustering, and multihoming. You can also configure strict application server process (ASP) state validation and validation for various messages. Strict ASP state validation is required for stateful failover and clustering.
We modified the following screens:
Add/Edit dialog boxes.
|
Support for TLSv1.2 in TLS proxy and Cisco Unified Communications Manager 10.5.2.
|
You can now use TLSv1.2 with TLS proxy for encrypted SIP or SCCP inspection with the Cisco Unified Communications Manager 10.5.2. The TLS proxy supports the additional TLSv1.2 cipher suites added as part of the client cipher-suite command.
We did not modify any screens.
|
Integrated Routing and Bridging
|
Integrated Routing and Bridging provides the ability to route between a bridge group and a routed interface. A bridge group is a group of interfaces that the ASA bridges instead of routes. The ASA is not a true bridge in that the ASA continues to act as a firewall: access control between interfaces is enforced, and all of the usual firewall checks are in place. Previously, you could only configure bridge groups in transparent firewall mode, where you cannot route between bridge groups. This feature lets you configure bridge groups in routed firewall mode, and route between bridge groups and between a bridge group and a routed interface. The bridge group participates in routing by using a Bridge Virtual Interface (BVI) to act as a gateway for the bridge group. Integrated Routing and Bridging provides an alternative to using an external Layer 2 switch if you have extra interfaces on the ASA to assign to the bridge group. In routed mode, the BVI can be a named interface and can participate separately from member interfaces in some features, such as access rules and DHCP server.
The following features that are supported in transparent mode are not supported in routed mode: multiple context mode, ASA clustering. The following features are also not supported on BVIs: dynamic routing and multicast routing.
We modified the following screens:
|
VM Attributes
|
You can define network objects to filter traffic according to attributes associated with one or more Virtual Machines (VMs) in a VMware ESXi environment managed by VMware vCenter. You can define access control lists (ACLs) to assign policies to traffic from groups of VMs sharing one or more attributes.
We added the following screen:
|
Stale route timeout for interior gateway protocols
|
You can now configure the timeout for removing stale routes for interior gateway protocols such as OSPF.
We modified the following screen:
|
Network object limitations for object group search.
|
You can reduce the memory required to search access rules by enabling object group search with the object-group-search access-control command. When enabled, object group search does not expand network or service objects, but instead searches access rules for matches based on those group definitions.
Starting with this release, the following limitation is applied: for each connection, both the source and destination IP addresses are matched against network objects. If the number of objects matched by the source address times the number matched by the destination address exceeds 10,000, the connection is dropped.
This check is to prevent performance degradation. Configure your rules to prevent an excessive number of matches.
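The following is an added example, not part of the release note: a small Python model of the limit described above that counts how many network objects contain a connection's source and destination addresses and flags the connection when the product exceeds 10,000. The object names and prefixes are constructed for the example; the worst case builder shows how many overlapping per-application objects it takes to trip the check.

```python
import ipaddress
from typing import Dict, List

# Threshold from the release note: if (source object matches) x (destination object
# matches) exceeds 10,000, the connection is dropped.
MATCH_LIMIT = 10_000

# Constructed sample network objects (hypothetical names, not from a real ASA
# configuration): object name -> prefixes it contains.
SAMPLE_OBJECTS: Dict[str, List[str]] = {
    "any-rfc1918":  ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "corp-lan":     ["10.1.0.0/16"],
    "corp-servers": ["10.1.50.0/24"],
    "dmz":          ["192.168.100.0/24"],
    "web-farm":     ["192.168.100.10/32", "192.168.100.11/32"],
    "partner":      ["203.0.113.0/24"],
}


def matching_objects(addr: str, objects: Dict[str, List[str]]) -> List[str]:
    """Return the names of all network objects that contain addr."""
    ip = ipaddress.ip_address(addr)
    return sorted(name for name, prefixes in objects.items()
                  if any(ip in ipaddress.ip_network(p) for p in prefixes))


def check_connection(src: str, dst: str,
                     objects: Dict[str, List[str]] = SAMPLE_OBJECTS) -> dict:
    """Model the object-group-search limit for one connection src -> dst."""
    src_hits = matching_objects(src, objects)
    dst_hits = matching_objects(dst, objects)
    product = len(src_hits) * len(dst_hits)
    return {
        "src_matches": src_hits,
        "dst_matches": dst_hits,
        "product": product,
        "dropped": product > MATCH_LIMIT,  # "exceeds": strictly greater than the limit
    }


def overlapping_objects(src_host: str, n_src: int,
                        dst_host: str, n_dst: int) -> Dict[str, List[str]]:
    """Constructed worst case: many per-application objects that all include the same hosts."""
    objs: Dict[str, List[str]] = {}
    for i in range(n_src):
        objs[f"app{i}-clients"] = [f"{src_host}/32", f"10.{100 + i // 256}.{i % 256}.0/24"]
    for i in range(n_dst):
        objs[f"app{i}-servers"] = [f"{dst_host}/32", f"10.{150 + i // 256}.{i % 256}.0/24"]
    return objs


if __name__ == "__main__":
    print(check_connection("10.1.50.7", "192.168.100.10"))
    stress = overlapping_objects("10.1.50.7", 120, "192.168.100.10", 100)
    print(check_connection("10.1.50.7", "192.168.100.10", stress)["dropped"])
```

Running the script against a real rule base means exporting the network objects from the configuration into the same name-to-prefix mapping; the check itself is unchanged.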
|
Routing Features
|
31-bit Subnet Mask
|
For routed interfaces, you can configure an IP address on a 31-bit subnet for point-to-point connections. The 31-bit subnet includes only 2 addresses; normally, the first and last addresses in a subnet are reserved for the network and broadcast, so a 2-address subnet is not usable. However, if you have a point-to-point connection and do not need network or broadcast addresses, a 31-bit subnet is a useful way to preserve addresses in IPv4. For example, the failover link between 2 ASAs only requires 2 addresses; any packet that is transmitted by one end of the link is always received by the other, and broadcasting is unnecessary. You can also have a directly-connected management station running SNMP or Syslog. This feature is not supported for BVIs for bridge groups or with multicast routing.
We modified the following screens:
|
High Availability and Scalability Features
|
Inter-site clustering improvement for the ASA on the Firepower 4100/9300 chassis
|
You can now configure the site ID for each Firepower 4100/9300 chassis when you deploy the ASA cluster. Previously, you had to configure the site ID within the ASA application; this new feature eases initial deployment. Note that you can no longer set the site ID within the ASA configuration. Also, for best compatibility with inter-site clustering, we recommend that you upgrade to ASA 9.7(1) and FXOS 2.1.1, which includes several improvements to stability and performance.
We modified the following screen:
|
Director localization: inter-site clustering improvement for data centers
|
To improve performance and keep traffic within a site for inter-site clustering for data centers, you can enable director localization. New connections are typically load-balanced and owned by cluster members within a given site. However, the ASA assigns the director role to a member at any site. Director localization enables additional director roles: a local director at the same site as the owner, and a global director that can be at any site. Keeping the owner and director at the same site improves performance. Also, if the original owner fails, the local director chooses a new connection owner at the same site. The global director is used if a cluster member receives packets for a connection that is owned on a different site.
We modified the following screen:
|
Interface link state monitoring polling for failover now configurable for faster detection
|
By default, each ASA in a failover pair checks the link state of its interfaces every 500 msec. You can now configure the polling interval, between 300 msec and 799 msec; for example, if you set the polltime to 300 msec, the ASA can detect an interface failure and trigger failover faster.
We modified the following screen:
|
Bidirectional Forwarding Detection (BFD) support for Active/Standby failover health monitoring on the Firepower 9300 and 4100
|
You can enable Bidirectional Forwarding Detection (BFD) for the failover health check between two units of an Active/Standby pair on the Firepower 9300 and 4100. Using BFD for the health check is more reliable than the default health check method and uses less CPU.
We modified the following screen:
|
VPN Features
|
Dynamic RRI for IKEv2 static crypto maps
|
Dynamic Reverse Route Injection occurs upon the successful establishment of IPsec Security Associations (SAs) when dynamic is specified for a crypto map. Routes are added based on the negotiated selector information. The routes are deleted after the IPsec SAs are deleted. Dynamic RRI is supported on IKEv2-based static crypto maps only.
We modified the following screen:
Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps > Add/Edit > Tunnel Policy (Crypto Maps) - Advanced
|
Virtual Tunnel Interface (VTI) support for ASA VPN module
|
The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route-based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.
We introduced the following screens:
|
SAML 2.0 based SSO for AnyConnect
|
SAML 2.0-based service provider IdP is supported in a private network. With the ASA as a gateway between the user and services, authentication on IdP is handled with a restricted anonymous webvpn session, and all traffic between IdP and the user is translated.
We modified the following screen:
|
CMPv2
|
To be positioned as a security gateway device in wireless LTE networks, the ASA now supports certain management functions using the Certificate Management Protocol (CMPv2).
We modified the following screens:
|
Multiple certificate authentication
|
You can now validate multiple certificates per session with AnyConnect SSL and IKEv2 client protocols. The Aggregate Authentication protocol has been extended to define the protocol exchange for multiple-certificate authentication and utilize this for both session types.
We modified the following screens:
|
Increase split-tunneling routing limit
|
The limit for split-tunneling routes for AC-SSL and AC-IKEv2 was increased from 200 to 1200. The IKEv1 limit was left at 200.
|
Smart Tunnel Support on Chrome
|
A new method for smart-tunnel support in the Chrome browser on Mac and Windows devices was created. A Chrome Smart Tunnel Extension has replaced the Netscape Plugin Application Programming Interface (NPAPI) plugins that are no longer supported on Chrome. If you click on the smart tunnel enabled bookmark in Chrome without the extension already being installed, you are redirected to the Chrome Web Store to obtain the extension. New Chrome installations will direct the user to the Chrome Web Store to download the extension. The extension downloads the binaries from the ASA that are required to run smart tunnel. Your usual bookmark and application configuration while using smart tunnel is unchanged other than the process of installing the new extension.
|
Clientless SSL VPN: Session information for all web interfaces
|
All web interfaces will now display details of the current session, including the user name used to log in and the user privileges that are currently assigned. This helps the user be aware of the current user session and improves user security.
|
Clientless SSL VPN: Validation of all cookies for web applications' sessions
|
All web applications will now grant access only after validating all security-related cookies. In each request, each cookie with an authentication token or a session ID will be verified before granting access to the user session. Multiple session cookies in the same request will result in the connection being dropped. Cookies with failed validations will be treated as invalid and the event will be added to the audit log.
|
AnyConnect: Maximum Connect Time Alert Interval is now supported in the Group Policy for AnyConnect VPN Client connections.
|
The alert interval is the amount of time before the maximum connect time is reached at which a message is displayed to the user warning them of termination. The valid time interval is 1-30 minutes. The default is 30 minutes. This was previously supported for clientless and site-to-site VPN connections.
We modified the following screen:
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit > General > More Options, adding a Maximum Connect Time Alert Interval field
|
AAA Features
|
IPv6 address support for LDAP and TACACS+ Servers for AAA
|
You can now use either IPv4 or IPv6 addresses for LDAP and TACACS+ servers used for AAA.
We modified the following screen:
|
Administrative Features
|
PBKDF2 hashing for all local username and enable passwords
|
Local username and enable passwords of all lengths are stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Previously, passwords 32 characters and shorter used the MD5-based hashing method. Already existing passwords continue to use the MD5-based hash unless you enter a new password. See the "Software and Configurations" chapter in the General Operations Configuration Guide for downgrading guidelines.
We modified the following screens:
|
Licensing Features
|
Licensing changes for failover pairs on the Firepower 4100/9300 chassis
|
Only the active unit requests the license entitlements. Previously, both units requested license entitlements. Supported with FXOS 2.1.1.
|
Monitoring and Troubleshooting Features
|
IPv6 address support for traceroute
|
The traceroute command was modified to accept an IPv6 address.
We modified the following screen:
|
Support for the packet tracer for bridge group member interfaces
|
You can now use the packet tracer for bridge group member interfaces.
We added VLAN ID and Destination MAC Address fields in the packet-tracer screen:
|
IPv6 address support for syslog servers
|
You can now configure syslog servers with IPv6 addresses to record and send syslogs over TCP and UDP.
We modified the following screen:
|
SNMP OIDs and MIBs
|
The ASA now supports SNMP MIB objects corresponding to the end-to-end transparent clock mode as part of the Precision Time Protocol (PTP) for the ISA 3000. The following SNMP MIB objects are supported:
|
Manually stop and start packet captures
|
You can now manually stop and start the capture.
Added/Modified screens:
Added/Modified options: Start button, Stop button
|