ISE/ISE-PIC Integrations Enhancements
|
- You can construct access policies using Secure Group Tags and Active Directory groups.
- For users that fail transparent identification with ISE/ISE-PIC, you can configure fallback authentication with Active Directory based realms.
- You can configure authentication of users in Virtual Desktop Environments (Citrix, Microsoft shared/remote desktop services).
Note
|
Fallback authentication for Virtual Desktop Environments (VDI) users is not
supported.
|
For more information, see Overview of the Identity Services Engine (ISE) / ISE Passive Identity Controller (ISE-PIC) Service.
|
Domain Map
|
You can now configure the appliance to allow passthrough of specific HTTPS
traffic without any modification to client requests and certificate checks of
the destination servers.
For more information, see Domain Map.
For the Domain Map feature, optional format specifiers for access logs and W3C logs are introduced. For more information, see
Access Log Format Specifiers and W3C Log File Fields.
|
Rollback of Configuration of the appliance
|
A new CLI command, rollbackconfig, is added. Use this command to roll back to one of the 10 previously committed configurations. The rollback configuration feature
is enabled by default.
For more information, see Web Security Appliance CLI Commands.
|
Automated Backup of the Appliance Configurations
|
A new log type, ‘Configuration History Logs’, is added. Use this log type to subscribe to the configuration files and send
them to a remotely located backup server through FTP or SCP.
For more information, see Log File Types and Using Configuration History Logs.
|
Support for Exception List for External Feeds and O365 feeds
|
You can exclude sites and regular expressions from the feed file of the Custom and External URL categories. This applies
only to the External Live Feed Category.
For more information, see Creating and Editing Custom URL Categories.
|
Proxy Bypass Setting for O365 Web Services Feed
|
You can add the domain names or IP addresses of the Custom URL categories (O365 URLs) to the proxy bypass list. You do not
need to add the domain names or the IP addresses of the Custom URL categories manually.
For more information, see Configuring Web Proxy Bypassing for Web Requests.
|
Support for Cisco AMP Threat Grid Clustering for File Analysis
|
You can now add standalone or clustered Cisco AMP Threat Grid appliances for file analysis on the
Security Services > File Reputation and Analysis page in the web interface.
For more information, see Enabling and Configuring File Reputation and Analysis Services.
|
Configuring Threshold Settings for File Analysis
|
You can now set the upper threshold limit for the acceptable file analysis score.
The files that are blocked based on the Threshold Settings are displayed as Custom Threshold in the Incoming Malicious Threat
Files section of the Advanced Malware Protection report.
For more information, see Enabling and Configuring File Reputation and Analysis Services.
|
Configuring URL Filtering with Multiple Web Category
|
You can now configure the URL filtering engine with multiple URL categories. The multiple URL category feature is applicable
only for access policies.
For more information, see Configuring the URL Filtering Engine.
|
Support for New Threat Categories
|
The appliance now has 22 new threat categories. The list of the new threat categories is automatically updated in the appliance’s
new web interface whenever new categories are available.
For more information, see Release Notes for URL Category and Threat Category Updates for Cisco Web and Email Security Appliances.
|
New Web Interface for Monitoring and Tracking
|
The appliance now has a new web interface for Monitoring and Tracking reports.
In the Monitoring page, you can view reports classified under General reports and Threat reports.
On the Tracking page, you can search for messages or a group of messages depending on your search criteria, using the Tracking > Search page in the
web interface. See the “Tracking Messages” chapter in the User Guide.
Note
|
- You must log in to the legacy web interface of the appliance.
- Ensure that your DNS server can resolve the hostname of the appliance that you specified.
- By default, the new web interface needs TCP ports 6080, 6443 and 4431 to be operational. Ensure that these ports are not blocked in the enterprise firewall.
- The default port for accessing the new web interface is 4431. This can be customized using the trailblazerconfig CLI command. For more information on the trailblazerconfig CLI command, see Web Security Appliance CLI Commands.
- The new web interface also needs AsyncOS API (Monitoring) ports for HTTP and HTTPS. By default, these ports are 6080 and 6443. The AsyncOS API (Monitoring) ports can also be customized using the interfaceconfig CLI command. For more information on the interfaceconfig CLI command, see Web Security Appliance CLI Commands.
- If you change these default ports, ensure that the customized ports for the new web interface are also not blocked in the enterprise firewall.
|
For more information, see Secure Appliance Reports on the New Web Interface.
To access the new web interface, see Accessing the Appliance Web Interface.
|
The trailblazerconfig CLI Command
|
You can use the trailblazerconfig command to route your incoming and outgoing connections through HTTP and HTTPS ports on the new web interface.
Note
|
By default, the trailblazerconfig CLI command is enabled on your appliance. You can see the inline help by typing the command: help trailblazerconfig.
|
For more information, see Command Line Interface.
|