Platform Features
|
ASA for the Firepower 1010
|
We introduced the ASA for the Firepower 1010. This desktop model includes a built-in hardware switch and Power-Over-Ethernet+
(PoE+) support.
New/Modified screens:
|
ASA for the Firepower 1120, 1140, and 1150
|
We introduced the ASA for the Firepower 1120, 1140, and 1150.
New/Modified screens:
|
Firepower 2100 Appliance mode
|
The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). You can run
the Firepower 2100 in the following modes:
- Appliance mode (now the default)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI.
- Platform mode—When in Platform mode, you must configure basic operating parameters and hardware interface settings in FXOS. These settings include enabling interfaces, establishing EtherChannels, NTP, image management, and more. You can use the Firepower Chassis Manager web interface or FXOS CLI. You can then configure your security policy in the ASA operating system using ASDM or the ASA CLI.
If you are upgrading to 9.13(1), the mode will remain in Platform mode.
New/Modified screens:
|
DHCP reservation
|
The ASA DHCP server now supports DHCP reservation. You can assign a static IP address from the defined address pool to a DHCP
client based on the client's MAC address.
No modified screens.
|
ASAv minimum memory requirement
|
The minimum memory requirement for the ASAv is now 2GB. If your current ASAv runs with less than 2GB of memory, you cannot
upgrade to 9.13(1) from an earlier version without increasing the memory of your ASAv VM. You can also redeploy a new ASAv
VM with version 9.13(1).
No modified screens.
|
ASAv MSLA Support
|
The ASAv supports Cisco's Managed Service License Agreement (MSLA) program, which is a software licensing and consumption
framework designed for Cisco customers and partners who offer managed software services to third parties.
MSLA is a new form of Smart Licensing where the licensing Smart Agent keeps track of the usage of licensing entitlements in
units of time.
New/Modified screens: .
|
ASAv Flexible Licensing
|
Flexible Licensing is a new form of Smart Licensing where any ASAv license now can be used on any supported ASAv vCPU/memory
configuration. Session limits for AnyConnect and TLS proxy will be determined by the ASAv platform entitlement installed rather
than a platform limit tied to a model type.
New/Modified screens: .
|
ASAv for AWS support for the C5 instance; expanded support for C4, C3, and M4 instances
|
The ASAv on the AWS Public Cloud now supports the C5 instance (c5.large, c5.xlarge, and c5.2xlarge).
In addition, support has been expanded for the C4 instance (c4.2xlarge and c4.4xlarge); C3 instance (c3.2xlarge, c3.4xlarge,
and c3.8xlarge); and M4 instance (m4.2xlarge and m4.4xlarge).
No modified screens.
|
ASAv for Microsoft Azure support for more Azure virtual machine sizes
|
The ASAv on the Microsoft Azure Public Cloud now supports more Linux virtual machine sizes:
- Standard_D4, Standard_D4_v2
- Standard_D8_v3
- Standard_DS3, Standard_DS3_v2
- Standard_DS4, Standard_DS4_v2
- Standard_F4, Standard_F4s
- Standard_F8, Standard_F8s
Earlier releases only supported the Standard_D3 and Standard_D3_v2 sizes.
No modified screens.
|
ASAv enhanced support for DPDK
|
The ASAv supports enhancements to the Data Plane Development Kit (DPDK) to enable support for multiple NIC queues, which
allow multi-core CPUs to concurrently and efficiently service network interfaces.
This applies to all ASAv hypervisors except Microsoft Azure and Hyper-V.
Note
|
DPDK support was introduced in release ASA 9.10(1)/ASDM 7.13(1).
|
No modified screens.
|
ASAv support for VMware ESXi 6.7
|
The ASAv virtual platform supports hosts running on VMware ESXi 6.7. New VMware hardware versions have been added to the vi.ovf and esxi.ovf files to enable optimal performance and usability of the ASAv on ESXi 6.7.
No modified screens.
|
Increased VLANs for the ISA 3000
|
The maximum VLANs for the ISA 3000 with the
Security Plus license increased from 25 to
100.
|
Firewall Features
|
Location logging for mobile stations (GTP inspection).
|
You can configure GTP inspection to log the initial location of a mobile station and subsequent changes to the location. Tracking
location changes can help you identify possibly fraudulent roaming charges.
New/Modified screens: .
|
GTPv2 and GTPv1 release 15 support.
|
The system now supports GTPv2 3GPP 29.274 V15.5.0. For GTPv1, support is up to 3GPP 29.060 V15.2.0. The new support includes
recognition of 2 additional messages and 53 information elements.
No modified screens.
|
Mapping Address and Port-Translation (MAP-T)
|
Mapping Address and Port (MAP) is primarily a feature for use in service provider (SP) networks. The service provider can
operate an IPv6-only network, the MAP domain, while supporting IPv4-only subscribers and their need to communicate with IPv4-only
sites on the public Internet. MAP is defined in RFC7597, RFC7598, and RFC7599.
New/Modified commands: , .
|
Increased limits for AAA server groups and servers per group.
|
You can configure more AAA server groups. In single context mode, you can configure 200 AAA server groups (the former limit
was 100). In multiple context mode, you can configure 8 (the former limit was 4).
In addition, in multiple context mode, you can configure 8 servers per group (the former limit was 4 servers per group). The
single context mode per-group limit of 16 remains unchanged.
We modified the AAA screens to accept these new limits.
|
TLS proxy deprecated for SCCP (Skinny) inspection.
|
The tls-proxy keyword, and support for SCCP/Skinny encrypted inspection, were deprecated. The keyword will be removed from the inspect skinny command in a future release.
|
VPN Features
|
HSTS Support for WebVPN as Client
|
A new CLI mode under WebVPN mode, called http-headers, was added so that WebVPN can transform HTTP references to HTTPS references
for hosts that enforce HSTS. It configures whether the user agent should allow the embedding of resources when sending this header
for WebVPN connections from the ASA to browsers.
New/Modified screens: .
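The rewriting described above depends on the client-side HSTS rules of RFC 6797: a Strict-Transport-Security header is only honoured when it arrives over TLS, the host is remembered for max-age seconds (optionally with its subdomains), and any later http:// reference to a known host is turned into an https:// reference. The following is an added example of those rules in Python; it is not ASA or WebVPN code, and the header values and hostnames it uses are constructed.

```python
"""HSTS-aware URL rewriting (added example, not ASA or WebVPN code).
Implements the RFC 6797 rules a client needs: learn hosts from a
Strict-Transport-Security header received over TLS, honour max-age and
includeSubDomains, and rewrite http:// references to https:// for known hosts."""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    def __init__(self, now=time.time):
        self._now = now                  # injectable clock, so expiry can be tested
        self._hosts = {}                 # host -> (expires_at, include_subdomains)

    def process_header(self, host: str, header_value: str, received_over_tls: bool) -> bool:
        """Learn (or forget) an HSTS host. Returns True when the header was applied.
        RFC 6797 section 8.1: a header received over plain HTTP must be ignored."""
        if not received_over_tls:
            return False
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name, value = name.strip().lower(), value.strip().strip('"')
            if name == "max-age":
                if not value.isdigit():
                    return False         # malformed directive: ignore the whole header
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                 # max-age is mandatory
        host = host.lower().rstrip(".")
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the client to forget the host
            return True
        self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        """Congruent match, or superdomain match when that entry carries includeSubDomains."""
        host = host.lower().rstrip(".")
        labels = host.split(".")
        now = self._now()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= now:
                del self._hosts[candidate]   # expired entry: drop it and keep looking
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Return the https:// form of an http:// URL for a known host, else the URL unchanged."""
        parts = urlsplit(url)
        try:
            explicit_port = parts.port
        except ValueError:
            return url                   # unparsable port: leave the reference alone
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.netloc
        if explicit_port == 80:          # RFC 6797 section 8.3: explicit port 80 becomes the default 443
            netloc = netloc[: netloc.rfind(":")]
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Constructed header as it would be received from a TLS response.
    store.process_header("example.com", "max-age=31536000; includeSubDomains", True)
    print(store.rewrite("http://www.example.com/login"))   # rewritten to https
    print(store.rewrite("http://other.test/"))             # unknown host, unchanged
```

The check on received_over_tls is the part most often skipped in ad-hoc rewriters: an attacker on the plaintext path could otherwise inject a header that pins a host, or one with max-age=0 that unpins it.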
|
Diffie-Hellman groups 15 and 16 added for key exchange
|
To add support for Diffie-Hellman groups 15 and 16, we modified a few crypto commands to accept these new group numbers:
crypto ikev2 policy <index> group <number>
and crypto map <map-name> <map-index> set pfs <group>.
|
show asp table vpn-context enhancement to output
|
To enhance debug capability, these vpn context counters were added to the output: Lock Err, No SA, IP Ver Err, and Tun Down.
New/Modified commands: show asp table vpn-context (output only).
|
Immediate session establishment when the
maximum remote access VPN session limit is
reached.
|
When a user reaches the maximum session (login)
limit, the system deletes the user's oldest
session and waits for the deletion to complete
before establishing the new session. This can
prevent the user from successfully connecting on
the first attempt. You can remove this delay and
have the system establish the new connection
without waiting for the deletion to complete.
New/Modified screens: Add/Edit dialog box,
General tab.
|
High Availability and Scalability Features
|
Initiator and responder information for Dead Connection Detection (DCD), and DCD support in a cluster.
|
If you enable Dead Connection Detection (DCD), you can use the show conn detail command to get information about the initiator and responder. Dead Connection Detection allows you to maintain an inactive
connection, and the show conn output tells you how often the endpoints have been probed. In addition, DCD is now supported in a cluster.
No modified screens.
|
Monitor the traffic load for a cluster
|
You can now monitor the traffic load for cluster members, including total connection count, CPU and memory usage, and buffer
drops. If the load is too high, you can choose to manually disable clustering on the unit if the remaining units can handle
the load, or adjust the load balancing on the external switch. This feature is enabled by default.
New/Modified screens:
|
Accelerated cluster joining
|
When a data unit has the same
configuration as the control unit, it will skip
syncing the configuration and will join faster.
This feature is enabled by default. This feature
is configured on each unit, and is not replicated
from the control unit to the data unit.
Note
|
Some configuration commands are not compatible with accelerated cluster joining; if these commands are present on the unit,
even if accelerated cluster joining is enabled, configuration syncing will always occur. You must remove the incompatible
configuration for accelerated cluster joining to work. Use the show cluster info unit-join-acceleration incompatible-config command to view the incompatible configuration.
|
New/Modified screens: check box
|
Routing Features
|
SMTP configuration enhancement
|
You can optionally configure the SMTP server with primary and backup interface names so that the ASA can identify which routing
table to use for logging: the management routing table or the data routing table. If no interface is provided, the ASA looks up
the route in the management routing table first and, if no suitable route entry is present, then in the data routing table.
|
Support to set NSF wait timer
|
OSPF routers are expected to set the RS-bit in the EO-TLV attached to a Hello packet when it is not known whether all neighbors
are listed in the packet and the restarting router needs to preserve its adjacencies. However, the RS-bit value must
not be longer than RouterDeadInterval seconds. The timers nsf wait command is introduced to set the RS-bit in Hello packets to less than RouterDeadInterval seconds.
|
Support to set tftp blocksize
|
The typical blocksize fixed for tftp file transfer is 512 octets. A new command, tftp blocksize, is introduced to configure a larger blocksize and thereby enhance the tftp file transfer speed. You can set a blocksize
varying from 513 to 8192 octets. The new default blocksize is 1456 octets. The no form of this command resets the blocksize to the older default value of 512 octets.
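A larger blocksize only takes effect if both ends agree on it through the RFC 2348 blksize option: the client asks for a size in its read request, and the server answers with an OACK carrying the size it will actually use (it may answer with a smaller value, or ignore the option and fall back to 512-byte blocks). The following added example, which is not ASA code, encodes that exchange in Python; the 513..8192 acceptance range and the 512 fallback are taken from the release note text and used as the server-side policy, and the filename is constructed.

```python
"""TFTP blocksize option negotiation, RFC 2348 (added example, not ASA code).
The request/OACK encoding is standard TFTP; the 513..8192 range and the 512
fallback are the limits the release note states for the ASA, applied here as
the server's policy."""
import struct

OP_RRQ, OP_OACK = 1, 6
MIN_BLKSIZE, MAX_BLKSIZE, DEFAULT_BLKSIZE = 513, 8192, 512


def _fields(*items: bytes) -> bytes:
    """TFTP strings are NUL-terminated and simply concatenated."""
    return b"".join(item + b"\x00" for item in items)


def build_rrq(filename: str, mode: str = "octet", blksize: int = None) -> bytes:
    """Client side: a read request, optionally carrying a blksize option."""
    items = [filename.encode("ascii"), mode.encode("ascii")]
    if blksize is not None:
        items += [b"blksize", str(blksize).encode("ascii")]
    return struct.pack("!H", OP_RRQ) + _fields(*items)


def parse_request(packet: bytes):
    """Return (opcode, filename, mode, options); raise ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if not packet.endswith(b"\x00"):
        raise ValueError("unterminated field")
    items = packet[2:-1].split(b"\x00")
    if len(items) < 2 or len(items) % 2:
        raise ValueError("filename/mode or an option name/value pair is missing")
    filename, mode = items[0].decode("ascii"), items[1].decode("ascii").lower()
    options = {items[i].decode("ascii").lower(): items[i + 1].decode("ascii")
               for i in range(2, len(items), 2)}
    return opcode, filename, mode, options


def negotiate_blksize(requested: str, max_allowed: int = MAX_BLKSIZE):
    """Server policy: None means 'ignore the option and use 512-byte blocks'.
    RFC 2348 allows the server to answer with a smaller value than requested."""
    if not requested.isdigit():
        return None
    value = int(requested)
    if value < MIN_BLKSIZE:
        return None
    return min(value, max_allowed)


def build_oack(options: dict) -> bytes:
    items = []
    for name, value in options.items():
        items += [name.encode("ascii"), value.encode("ascii")]
    return struct.pack("!H", OP_OACK) + _fields(*items)


def server_reply(request: bytes, max_allowed: int = MAX_BLKSIZE):
    """Return (oack_packet_or_None, effective_blksize). With no accepted option the
    server sends DATA block 1 directly and the client falls back to 512."""
    opcode, _filename, _mode, options = parse_request(request)
    if opcode != OP_RRQ:
        raise ValueError("not a read request")
    accepted = {}
    if "blksize" in options:
        size = negotiate_blksize(options["blksize"], max_allowed)
        if size is not None:
            accepted["blksize"] = str(size)
    if not accepted:
        return None, DEFAULT_BLKSIZE
    return build_oack(accepted), int(accepted["blksize"])


def is_final_block(data_len: int, blksize: int) -> bool:
    """A DATA block shorter than the negotiated size terminates the transfer."""
    return data_len < blksize


if __name__ == "__main__":
    request = build_rrq("asa-image.bin", blksize=4096)   # constructed filename
    oack, size = server_reply(request)
    print(oack, size)                                     # OACK echoing blksize=4096
    print(server_reply(build_rrq("asa-image.bin", blksize=100)))  # below 513: option ignored
```

Clamping an oversized request to max_allowed rather than rejecting it keeps the transfer working, and a default below 1500 bytes such as the 1456 octets in the note keeps each UDP datagram under a standard Ethernet MTU.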
|
Certificate Features
|
Support to view FIPS status
|
The show running-configuration fips command displayed the FIPS status only when fips was enabled. To expose the operational state, the show fips command was introduced; it displays the fips status when a user enables or disables fips, whether the current state is disabled or enabled. This command also displays the reboot status after an enable or disable action.
|
CRL cache size increased
|
To prevent failure of large CRL downloads, the
cache size was increased, and the limit on the
number of entries in an individual CRL was
removed.
|
Modifications to the CRL Distribution Point commands
|
The static CDP URL configuration commands are removed and moved to the match certificate command.
New/Modified screens: The static CDP URL was re-introduced in 9.13(1)12 to the match certificate command.
|
Administrative and Troubleshooting Features
|
Management access when the Firepower 1000, Firepower 2100 Appliance mode is in licensing evaluation mode
|
The ASA includes 3DES capability by default for management access only, so you can connect to the License Authority and also
use ASDM immediately. You can also use SSH and SCP if you later configure SSH access on the ASA. Other features that require
strong encryption (such as VPN) must have the Strong Encryption license enabled, which requires you to first register to the
License Authority.
Note
|
If you attempt to configure any features that can use strong encryption before you have the license—even if you only configure
weak encryption—then your HTTPS connection will be dropped on that interface, and you cannot reconnect. The exception to this
rule is if you are connected to a management-only interface, such as Management 1/1. SSH is not affected. If you lose your
HTTPS connection, you can connect to the console port to reconfigure the ASA, connect to a management-only interface, or connect
to an interface not configured for a strong encryption feature.
|
No modified screens.
|
Additional NTP authentication algorithms
|
Formerly, only MD5 was supported for NTP authentication. The ASA now supports the following algorithms:
- MD5
- SHA-1
- SHA-256
- SHA-512
- AES-CMAC
New/Modified screens:
button > Add NTP Server Configuration dialog box > Key Algorithm drop-down list
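NTP symmetric-key authentication appends a MAC to the 48-byte header: a 32-bit key identifier followed by a digest computed over the key concatenated with the packet, the keyed-digest construction RFC 5905 specifies (it is not HMAC). The algorithm choice above changes only which digest function produces that field. The following is an added example, not ASA code, of computing and verifying such a MAC for the hashlib-backed algorithms in the list; the header bytes and key table are constructed, AES-CMAC (RFC 8573) is left out because hashlib has no CMAC primitive, and the example appends each digest at its full length without reproducing any implementation's handling of MAC field sizes, which the page does not cover.

```python
"""NTP symmetric-key MAC (added example, not ASA code): a 32-bit key identifier
followed by digest(key || packet), the RFC 5905 construction. AES-CMAC
(RFC 8573) is omitted because it needs a CMAC primitive hashlib does not provide."""
import hashlib
import hmac

NTP_HEADER_LEN = 48

DIGESTS = {
    "md5": hashlib.md5,        # kept for compatibility only
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
}


def ntp_mac(algorithm: str, key_id: int, key: bytes, header: bytes) -> bytes:
    """Key identifier (4 bytes, big-endian) + digest over key || header."""
    digest = DIGESTS[algorithm](key + header).digest()
    return key_id.to_bytes(4, "big") + digest


def sign(algorithm: str, key_id: int, key: bytes, header: bytes) -> bytes:
    """Append the MAC to a 48-byte NTP header, producing the packet sent on the wire."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return header + ntp_mac(algorithm, key_id, key, header)


def verify(packet: bytes, keys: dict) -> bool:
    """keys maps key_id -> (algorithm, key). True only when the key id is trusted
    and the recomputed MAC matches, compared in constant time."""
    if len(packet) < NTP_HEADER_LEN + 4:
        return False
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = int.from_bytes(mac[:4], "big")
    entry = keys.get(key_id)
    if entry is None:
        return False                       # unknown key id: reject, do not guess
    algorithm, key = entry
    expected = ntp_mac(algorithm, key_id, key, header)
    return hmac.compare_digest(mac, expected)


# Constructed sample header: LI=0, VN=4, mode=3 (client); every other field zero.
SAMPLE_HEADER = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)

# Constructed trusted key table, as a client would hold for its configured servers.
TRUSTED_KEYS = {
    1: ("md5", b"legacy-md5-key"),
    7: ("sha256", b"example-sha256-key"),
}


if __name__ == "__main__":
    packet = sign("sha256", 7, TRUSTED_KEYS[7][1], SAMPLE_HEADER)
    print(len(packet), verify(packet, TRUSTED_KEYS))            # 84 True
    forged = packet[:1] + bytes([packet[1] ^ 0x01]) + packet[2:]
    print(verify(forged, TRUSTED_KEYS))                         # False
```

Because the digest covers the whole header, any change to the timestamps or stratum invalidates the MAC, which is what makes the authenticated server's time values trustworthy to the client; the key id lets one server serve several keys so that a move from MD5 to SHA-256 can be staged per client.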
|
ASA Security Service Exchange (SSE) Telemetry Support for the Firepower 4100/9300
|
With Cisco Success Network enabled in your network, device usage information and statistics are provided to Cisco and used
to optimize technical support. The telemetry data collected on your ASA devices includes CPU, memory, disk, and bandwidth
usage, license usage, the configured feature list, cluster/failover information, and the like.
New/Modified screens:
|
SSH encryption ciphers are now listed in order
from highest to lowest security for pre-defined
lists
|
SSH encryption ciphers are now listed in order
from highest security to lowest security for
pre-defined lists (such as medium or high). In
earlier releases, they were listed from lowest to
highest, which meant that a low security cipher
would be proposed before a high security
cipher.
New/Modified screens:
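Why the order of a cipher list matters follows from the negotiation rule in RFC 4253 section 7.1: the cipher chosen is the first entry on the client's list that the server also supports, so a list's ordering decides the outcome only on the side that initiates the connection, and a peer that prefers a weak cipher still gets it from a responder that merely lists it last. The following added example, which is not ASA code, applies that rule to constructed cipher lists (they are not the ASA's actual pre-defined medium or high lists) and shows that removing a cipher, not reordering it, is the control that prevents its selection in both roles.

```python
"""SSH cipher negotiation as defined in RFC 4253 section 7.1 (added example,
not ASA code). The lists below are constructed for illustration and are not
the ASA's pre-defined 'medium' or 'high' cipher lists."""
from typing import Optional, Sequence


def negotiate(client_list: Sequence[str], server_list: Sequence[str]) -> Optional[str]:
    """Return the first name on the client's list that the server also offers,
    or None when the two sides share nothing (the connection then fails).
    RFC 4253 rule: the client's ordering decides; the server's ordering does not."""
    offered = set(server_list)
    for name in client_list:
        if name in offered:
            return name
    return None


def without(names: Sequence[str], *drop: str) -> list:
    """Copy of an ordered list with the named algorithms removed."""
    return [n for n in names if n not in drop]


def outcome_as_initiator(local_list, remote_list):
    """Local side opens the connection (SSH client role): local order governs."""
    return negotiate(local_list, remote_list)


def outcome_as_responder(local_list, remote_list):
    """Local side accepts the connection (SSH server role): remote order governs."""
    return negotiate(remote_list, local_list)


# Constructed list, lowest security first, the way earlier releases ordered it.
OLD_ORDER = ["3des-cbc", "aes128-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"]
# Same members, highest security first.
NEW_ORDER = list(reversed(OLD_ORDER))
# A constructed peer that accepts every cipher above, in its own preferred order.
PERMISSIVE_PEER = ["aes256-ctr", "aes128-ctr", "aes256-cbc", "aes128-cbc", "3des-cbc"]
# A constructed peer that proposes its weakest cipher first.
WEAK_FIRST_PEER = ["3des-cbc", "aes256-ctr"]


if __name__ == "__main__":
    print("initiator, old order   :", outcome_as_initiator(OLD_ORDER, PERMISSIVE_PEER))
    print("initiator, new order   :", outcome_as_initiator(NEW_ORDER, PERMISSIVE_PEER))
    print("responder, new order   :", outcome_as_responder(NEW_ORDER, WEAK_FIRST_PEER))
    print("responder, 3des removed:", outcome_as_responder(without(NEW_ORDER, "3des-cbc"), WEAK_FIRST_PEER))
```

The third line of output is the one to watch: reordering a responder's list changes what it advertises, not what a weak-first client obtains, so an audit of a device's SSH posture should check list membership rather than position.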
|
show tech-support includes additional output
|
The output of show tech-support is enhanced to display the output of the following:
show flow-offload info detail
show flow-offload statistics
show asp table socket
New/Modified commands: show tech-support (output only).
|
Enhancement to show-capture asp_drop output to include drop location information
|
While troubleshooting using ASP drop counters, the exact location of the drop is unknown, especially when the same ASP drop
reason is used in many different places. This information is critical in finding root cause of the drop. With this enhancement,
the ASP drop details such as the build target, ASA release number, hardware model, and ASLR memory text region (to facilitate
the decode of drop location) are shown.
New/Modified commands: show-capture asp_drop
|
Modifications to debug crypto ca
|
The debug crypto ca transactions and debug crypto ca messages options are consolidated to provide all applicable content in the debug crypto ca command itself. Also, the number of available debugging levels is reduced to 14.
New/Modified commands: debug crypto ca
|
FXOS Features for the Firepower 1000 and 2100
|
Secure Erase
|
The secure erase feature erases
all data on the SSDs so that data cannot be
recovered even by using special tools on the SSD
itself. You should perform a secure erase in FXOS
when decommissioning the device.
New/Modified FXOS commands:
erase secure
(local-mgmt)
Supported models: Firepower 1000 and 2100
|
Configurable HTTPS protocol
|
You can set the SSL/TLS versions
for FXOS HTTPS access.
New/Modified FXOS commands:
set https
access-protocols
Supported models: Firepower 2100 in Platform Mode
|
FQDN enforcement for IPSec and Keyrings
|
For FXOS, you can configure FQDN
enforcement so that the FQDN of the peer needs to
match the DNS Name in the X.509 Certificate
presented by the peer. For IPSec, enforcement is
enabled by default, except for connections created
prior to 9.13(1); you must manually enable
enforcement for those old connections. For
keyrings, all hostnames must be FQDNs, and cannot
use wild cards.
New/Modified FXOS commands:
set dns, set
e-mail, set
fqdn-enforce , set
ip , set
ipv6 , set
remote-address , set
remote-ike-id
Removed commands: fi-a-ip , fi-a-ipv6 , fi-b-ip , fi-b-ipv6
Supported models: Firepower 2100 in Platform Mode
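Two checks sit behind the enforcement described above: a configured hostname must be a syntactically valid FQDN with no wildcard, and the peer's FQDN must match a DNS Name in the certificate the peer presents. The following is an added example in Python of both checks; it is not FXOS code. It represents a certificate by the list of its subjectAltName dNSName entries (constructed here), matches exactly and case-insensitively, and treats wildcard SAN entries as non-matching, which is a strict assumption of this example rather than a statement about how FXOS handles them.

```python
"""Peer FQDN enforcement (added example, not FXOS code). Checks that a configured
hostname is a wildcard-free FQDN and that the peer's FQDN exactly matches a SAN
dNSName in the presented certificate. Strict exact matching is an assumption of
this example; certificates are represented by their SAN dNSName list."""
import re

# One DNS label: 1-63 chars of [A-Za-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """RFC 1035-style syntax with at least two labels, at most 253 characters,
    no wildcard, and not a dotted-quad IPv4 literal."""
    name = name.rstrip(".")
    if not name or len(name) > 253 or "*" in name:
        return False
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()      # "192.0.2.10" would otherwise pass


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def peer_matches_certificate(peer_fqdn: str, san_dns_names) -> bool:
    """True only when the configured peer FQDN equals one SAN dNSName
    (case-insensitive). Wildcard entries never match under this strict policy."""
    if not is_fqdn(peer_fqdn):
        return False
    target = _normalize(peer_fqdn)
    for entry in san_dns_names:
        if "*" in entry:
            continue
        if _normalize(entry) == target:
            return True
    return False


def keyring_violations(hostnames) -> list:
    """Entries that break the rule 'all hostnames must be FQDNs and cannot use wildcards'."""
    return [h for h in hostnames if not is_fqdn(h)]


# Constructed sample SAN list for a peer certificate.
PEER_CERT_SANS = ["vpn-gw.example.com", "*.backup.example.com"]


if __name__ == "__main__":
    print(peer_matches_certificate("VPN-GW.example.com.", PEER_CERT_SANS))      # True
    print(peer_matches_certificate("host.backup.example.com", PEER_CERT_SANS))  # False (wildcard)
    print(keyring_violations(["ntp-1.example.com", "chassis", "*.example.com"]))
```

Binding the peer identity to an exact name in the certificate is what stops a certificate issued for one host from being accepted for another; the keyring rule removes the ambiguity that short names and wildcards would otherwise introduce into that comparison.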
|
New IPSec ciphers and algorithms
|
We added the following IKE and ESP ciphers and
algorithms to configure an IPSec tunnel to encrypt
FXOS management traffic:
- Ciphers—aes192. Existing ciphers include: aes128, aes256, aes128gcm16.
- Pseudo-Random Function (PRF) (IKE only)—prfsha384, prfsha512, prfsha256. Existing PRFs include: prfsha1.
- Integrity Algorithms—sha256, sha384, sha512, sha1_160. Existing algorithms include: sha1.
- Diffie-Hellman Groups—curve25519, ecp256, ecp384, ecp521, modp3072, modp4096. Existing groups include: modp2048.
No modified FXOS commands.
Supported models: Firepower 2100 in Platform
Mode
|
SSH authentication enhancements
|
We added the following SSH server
encryption algorithms for FXOS:
We added the following SSH server
key exchange methods for FXOS:
New/Modified FXOS commands:
set ssh-server
encrypt-algorithm , set
ssh-server kex-algorithm
Supported models: Firepower 2100 in Platform Mode
|
ECDSA keys for X.509 Certificates
|
You can now use ECDSA keys for
FXOS certificates. Formerly, only RSA keys were
supported.
New/Modified FXOS commands:
set elliptic-curve ,
set keypair-type
Supported models: Firepower 2100 in Platform Mode
|
User password improvements
|
We added FXOS password security
improvements, including the following:
- User passwords can be up to 127 characters. The old limit was 80 characters.
- Strong password check is enabled by default.
- Prompt to set admin password.
- Password expiration.
- Limit password reuse.
New/Modified
Firepower Chassis Manager screens:
Supported models: Firepower 2100 in Platform Mode
|