Release Notes for AsyncOS 15.0 for Cisco Secure Web Appliance

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Release Notes for AsyncOS 15.0 for Cisco Secure Web Appliance

About Secure Web Appliance

The Cisco Secure Web Appliance intercepts and monitors Internet traffic and applies policies to help keep your internal network secure from malware, sensitive data loss, productivity loss, and other Internet-based threats.

What’s New

• What’s New In AsyncOS 15.0.0-355—General Deployment
• Changes in Behavior in AsyncOS 15.0.0-355 GD (General Deployment)
• Known Limitations

What’s New In AsyncOS 15.0.0-355—General Deployment

The following features are introduced for this release:

Smart Software Licensing Enhancements

Following are the enhancements made to the Smart Software Licensing feature:

• License Reservation—You can reserve licenses for features enabled in Secure Web Appliance without connecting to the Cisco Smart Software Manager (CSSM) portal. This is mainly beneficial for users that deploy Secure Web Appliance in a highly secured network environment with no communication to the Internet or external devices. For more information, see Overview of smart licensing and Reserving Feature Licenses" sections in the user guide.
• Device Led Conversion—After you register Secure Web Appliance with smart licensing, all existing valid classical licenses are automatically converted to smart licenses using the Device Led Conversion (DLC) process. These converted licenses are updated in the virtual account of the CSSM portal. For more information, see Overview of smart licensing section in the user guide.

• AsyncOS version 15.0 is the last release to support the Classic license. The next major release of AsyncOS will support only Smart Licenses.

Deeper bandwidth control

You can manage the traffic bandwidth by configuring the bandwidth value in quota profile and mapping the quota profile in decryption policy and access policy URL category or overall web activity quota.

For more information, see Defining Time, Volume, and Bandwidth Quotas section in the user guide.

The clone policy feature allows you to copy or clone the existing configurations of a policy and to create a new policy.

For more information, see Policy Configuration section in the user guide.

Application Discovery and Control (ADC) engine

Supports ADC engine, an acceptable use policy component which inspects web traffic to gain deeper understanding and control of web traffic used for applications.

Starting with AsyncOS 15.0, you can use either AVC or ADC engine to monitor web traffic. By default, AVC is enabled. The ADC engine supports high performance mode.

For more information, see Configuring the URL Filtering Engine and Policy Configuration sections in the user guide.

REST API for ADC Configuration

You can now retrieve configuration information, and perform any changes (such as modify existing information, add a new information, or delete an entry) in the access policy configuration data of the appliance using REST APIs.

SNMP3 non-default username

Starting from AsyncOS 15.0, admin can opt to configure custom SNMPv3 username other than the default username v3get.

For more information, see Monitoring System Health and Status using SNMP section in the user guide.

The maximum length of the custom header is 16k.

For more information, see Adding Custom Headers To Web Requests section in the user guide.

Option to chose the secure tunnel interface and remote access connection

Allows you to select the interface through which the tunnel and remote access connection will be established.

For more information, see Enabling remote access to the appliance section in the user guide.

From AsyncOS 15.0, FreeBSD version has been upgraded to FreeBSD 13.0.

The following has been upgraded:

• Cisco SSL version 1.0.2 to Cisco SSL version 1.1.1.
• Talos engines such as AVC, WBRSD, DCA, and Beaker have been upgraded.
• Scanner engines such as Webroot and McAfee have been upgraded.

FreeBSD 13.0 is compatible with Cisco SSL version 1.1.1 only. Only Cisco SSH compatible cipher, mac and kex algorithms, will be supported for SSH connectivity to FreeBSD 13.0.

Changes in Behavior in AsyncOS 15.0.0-355 GD (General Deployment)

The DCA feature in Secure Web Appliance will be disabled as part of the AsyncOS15.0 GD release and will no longer be supported in future releases. Hence, we DO NOT recommend enabling it.

Known Limitations

This release has the following limitations:

• The SNMPWALK/SNMPGET operations for SNMP OIDs for Proxy Malloc memory is not supported in the multi-prox SWAs (S690, S695, S1000V).

Accessing the New Web Interface

The new web interface provides a new look for monitoring reports and tracking web services. You can access the new web interface in the following way:

• Log in to the legacy web interface and click the Secure Web Appliance is getting a new look. Try it!! link. When you click this link, it opens a new tab in your web browser and goes to https://wsa01-enterprise.com:/ng-login , where wsa01-enterprise.com is the appliance host name and is the trailblazer HTTPS port configured on the appliance for accessing the new web interface.

Important!

• You must log in to the legacy web interface of the appliance.
• Ensure that your DNS server can resolve the hostname of the appliance that you specified.
• By default, the new web interface needs TCP ports 6080, 6443, and 4431 to be operational. Ensure that these ports are not blocked in the enterprise firewall.
• The default port for accessing new web interface is 4431. This can be customized using the trailblazerconfig CLI command. For more information about the trailblazerconfig CLI command, see “Command Line Interface” chapter in the user guide.
• The new web interface also needs AsyncOS API (Monitoring) ports for HTTP and HTTPS. By default, these ports are 6080 and 6443. The AsyncOS API (Monitoring) ports can also be customized using the interfaceconfig CLI command. For more information about the interfaceconfig CLI command, see “Command Line Interface” chapter in the user guide.

If you change these default ports, ensure that the customized ports for the new web interface are not blocked in the enterprise firewall.

The new web interface opens in a new browser window and you must log in again to access it. If you want to log out of the appliance completely, you need to log out of both the new and legacy web interfaces of your appliance.

For a seamless navigation and rendering of HTML pages, Cisco recommends using the following browsers to access the new web interface of the appliance (AsyncOS 11.8 and later):

• Google Chrome
• Mozilla Firefox

You can access the legacy web interface of the appliance on any of the supported browsers.

The supported resolution for the new web interface of the appliance (AsyncOS 11.8 and later) is between 1280x800 and 1680x1050. The best viewed resolution is 1440x900, for all the browsers.

Cisco does not recommend viewing the new web interface of the appliance on higher resolutions.

Release Classification

Each release is identified by the release type (ED - Early Deployment, GD - General Deployment, etc.) For an explanation of these terms, see http://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/content-security-release-terminology.pdf.

Supported Hardware for This Release

The build is available for upgrade on all the existing supported platforms, whereas the enhanced performance support is available only for the following hardware models:

• S100v
• S300v The system CPU and memory requirements are changed from 12.5 release onwards. For more information, see Cisco Content Security Virtual Appliance Installation Guide.
• S600v
• S1000v

• Use the Cisco SFPs which are shipped with the appliance.
• AsyncOS version 15.0 will be the last version supported on Sx90/F models.

Upgrade Paths

Upgrading to AsyncOS 15.0.0-355

• While upgrading, do not connect any devices (keyboard, mouse, management devices (Raritan) etc.) to the USB ports of the appliance.
• We do not recommend upgrading to AsyncOS 15.0 with Federal Information Processing Standards (FIPS) mode enabled since AsyncOS 15.0 does not support FIPS mode.

You can upgrade to the release 15.0.0-355 of AsyncOS for Cisco Web Security appliances from the following versions:

• 11.8.0-453
• 11.8.1-023
• 11.8.3-021
• 11.8.4-004

• 12.0.1-334
• 12.0.2-004
• 12.0.2-012
• 12.0.3-005
• 12.0.3-007
• 12.0.3-503
• 12.0.4-002
• 12.0.5-011
• 12.5.1-011
• 12.5.1-035
• 12.5.1-043
• 12.5.2.011
• 12.5.3-002
• 12.5.3-006
• 12.5.4-005
• 12.5.4-011
• 12.5.5-004
• 12.5.5-005
• 12.5.5-008
• 12.5.5-501
• 12.5.6-008
• 12.7.0-033

• 14.0.1-014
• 14.0.1-040
• 14.0.1-053
• 14.0.2-012
• 14.0.3-014
• 14.0.4-005
• 14.1.0-032
• 14.1.0-041
• 14.1.0-047
• 14.5.0-498
• 14.5.0-537
• 14.5.0-673
• 14.5.1-008
• 14.5.1-016
• 14.6.0-108

• 15.0.0-302
• 15.0.0-322

Post–Upgrade Requirements

After you upgrade to 15.0.0-355, you must perform the following steps if you have not registered your appliance with Cisco Threat Response:

Procedure

Create a user account in the Cisco Threat Response portal with admin access rights.

To create a new user account, navigate to the Cisco Threat Response portal login page using the following URL- https://visibility.amp.cisco.com and click ‘Create a Cisco Security Account’. If you are unable to create a new user account, contact Cisco TAC for assistance.

For registering your appliance with Security Services Exchange (SSE) cloud portal, generate token from SSE portal corresponding to your region.

While registering with SSE cloud portal, select the following FQDN based on your region from the web user interface of your appliance:

• AMERICAS (api-sse.cisco.com)
• EUROPE (api.eu.sse.itd.cisco.com)
• APJC (api.apj.sse.itd.cisco.com)

Make sure that you enable Cisco Threat Response under Cloud Services on the Security Services Exchange portal. Ensure that you open HTTPS (In and Out) 443 port on the firewall for the FQDN api-sse.cisco.com (America) to register your appliance with the Security Services Exchange portal.

To deploy a virtual appliance, see the Cisco Content Security Virtual Appliance Installation Guide, available from http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-installation-guides-list.html.

Compatibility Details

• Compatibility with Cisco AsyncOS for Security Management
• IPv6 and Kerberos Not Available in Cloud Connector Mode
• Functional Support for IPv6 Addresses
• Post–Upgrade Requirements

Compatibility with Cisco AsyncOS for Security Management

For compatibility between this release and AsyncOS for Cisco Content Security Management releases, see the compatibility matrix at: https://www.cisco.com/c/dam/en/us/td/docs/security/security_management/sma/sma_all/web-compatibility/index.html.

IPv6 and Kerberos Not Available in Cloud Connector Mode

When the appliance is configured in Cloud Connector mode, unavailable options for IPv6 addresses and Kerberos authentication appear on pages of the web interface. Although the options appear to be available, they are not supported in Cloud Connector mode. Do not attempt to configure the appliance to use IPv6 addresses or Kerberos authentication when in Cloud Connector mode.

Functional Support for IPv6 Addresses

Features and functionality that support IPv6 addresses:

• Command line and web interfaces. You can access the appliance using http://[2001:2:2::8]:8080 or https://[2001:2:2::8]:8443
• Performing proxy actions on IPv6 data traffic (HTTP/HTTPS/SOCKS/FTP)
• IPv6 DNS Servers
• WCCP 2.01 (Cat6K Switch) and Layer 4 transparent redirection
• Upstream Proxies
• Authentication Services
  • Active Directory (NTLMSSP, Basic, and Kerberos)
  • LDAP
  • SaaS SSO
  • Transparent user identification through CDA (communication with CDA is IPv4 only)
  • Credential Encryption

  Features and functionality that require IPv4 addresses:

  • Internal SMTP relay
  • External Authentication
  • Log subscription push methods: FTP, SCP, and Syslog
  • NTP servers
  • Local update servers, including proxy servers for updates
  • Authentication services
  • AnyConnect Security Mobility
  • Novell eDirectory authentication servers
  • Custom logo for end-user notification pages
  • Communication between the Web Security Appliance and the Security Management Appliance
  • WCCP versions prior to 2.01
  • SNMP

  Availability of Kerberos Authentication for Operating Systems and Browsers

  You can use Kerberos authentication with these operating systems and browsers:

  • Windows servers 2003, 2008, 2008R2, and 2012.
  • Latest releases of Safari and Firefox browsers on Mac (OSX Version 10.5 and later)
  • IE (Version 7 and later) and latest releases of Firefox and Chrome browsers on Windows 7 and later.

  Kerberos authentication is not available with these operating systems and browsers:

  • Windows operating systems not mentioned above
  • Browsers not mentioned above
  • iOS and Android