Platform Features

ASA virtual AWS IMDSv2 support

AWS Instance Metadata Service version 2 (IMDSv2) API is now supported on ASA virtual, which allows you to retrieve and validate instance metadata. IMDSv2 provides additional security against vulnerabilities targeting the Instance Metadata Service. When deploying ASA virtual on AWS, you can now configure the Metadata version for ASA virtual as follows:

• ASA virtual 9.20(3) and later supports IMDSv2 only (token required) – Set "V2 only (token required)" to enable IMDSv2.

• Earlier ASA virtual versions support only IMDSv1 APIs via the IMDS option - 'IMDSv1 or IMDSv2 (token optional)' – Set "V1 and V2 (token optional).

If you have an existing ASA virtual deployment, you can migrate to "IMDSv2 Required" mode after upgrading to 9.20(3) and later. See AWS documentation, https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html

For more information, see Cisco Secure Firewall ASA Virtual Getting Started Guide, 9.20.

Firewall Features

You can configure threat detection for VPN services to protect against the following types of VPN attack from IPv4 addresses:

• Excessive failed authentication attempts to a remote access VPN, for example brute-force username/password scanning.

• Client initiation attacks, where the attacker starts but does not complete repeated connection attempts to a remote access VPN head-end from a single host.

• Access attempts to invalid VPN services, that is, services that are for internal use only.

These attacks, even when unsuccessful in their attempt to gain access, can consume computational resources and in some cases result in Denial of Service.

The following commands were introduced or changed: clear threat-detection service , show threat-detection service , shun , threat-detection service .

VPN Features

Multiple IdP certificates in a webvpn configuration and a tunnel-group

You can now configure tunnel-group-specific IdP certificates and multiple IdP certificates in a webvpn configuration. This feature lets you trust an old certificate as well as a new certificate, making migration to the new certificate easier.

New/Modified commands: saml idp-trustpoint , trustpoint idp

Rate Limit for Preauthenticated SSL Connections

ASA virtual can rate-limit preauthenticated SSL connections. This limit is calculated as three times the VPN connection limit of the device. When this limit exceeds, no new SSL connections are allowed. The device allows new SSL connections only after the preauthenticated SSL connections count becomes zero. However, this restriction is not valid for management connections.

New/Modified commands: show counters

Platform Features

100GB network module support for the Secure Firewall 3100

You can now use the 100GB network module for the Secure Firewall 3100. This module is also supported for the Secure Firewall 4200.

Increased connection limits for the Secure Firewall 4200

Connection limits have been increased:

• 4215: 15M → 40M

• 4225: 30M → 80M

• 4245: 60M → 80M

ASAv on OCI: Additional instances

ASA Virtual instances on OCI now supports additional shapes to achieve the highest performance and throughput level.

High Availability and Scalability Features

ASAv on Azure: Clustering with Gateway Load Balancing

New/Modified commands:

ASAv on AWS: Resiliency for clustering with Gateway Load Balancing

You can configure the Target Failover option in the Target Groups service of AWS, which helps GWLB to forward existing flows to a healthy target in the event of virtual instance failover. In the ASAv clustering, each instance is associated with a Target Group, where the Target Failover option is enabled. It helps GWLB to identify an unhealthy target and redirect or forward the network traffic to a healthy instance identified or registered as a target node in the target group.

Configurable delay to rejoin cluster after chassis heartbeat failure (Firepower 4100/9300)

By default, if the chassis heartbeat fails and then recovers, the node rejoins the cluster immediately. However, if you configure the health-check chassis-heartbeat-delay-rejoin command, it will rejoin according to the settings of the health-check system auto-rejoin command.

New/Modified commands: health-check chassis-heartbeat-delay-rejoin

show failover statistics includes client statistics

The failover client packet statistics are now enhanced to improve debuggability. The show failover statistics command is enhanced to display np-clients (data-path clients) and cp-clients (control-plane clients) information.

Modified commands: show failover statistics cp-clients , show failover statistics np-clients

Also in 9.18(4).

show failover statistics events includes new events

The show failover statistics events command is now enhanced to identify the local failures notified by the App agent: failover link uptime, supervisor heartbeat failures, and disk full issues.

Modified commands: show failover statistics events

Also in 9.18(4).

Platform Features

Secure Firewall 4200

We introduced the ASA for the Secure Firewall 4215, 4225, and 4245. The Secure Firewall 4200 supports up to 8 units for Spanned EtherChannel clustering. You can hot swap a network module of the same type while the firewall is powered up without having to reboot; making other module changes requires a reboot. Secure Firewall 4200 25 Gbps and higher interfaces support Forward Error Correction as well as speed detection based on the SFP installed. The SSDs are self-encrypting drives (SEDs), and if you have 2 SSDs, they form a software RAID. There are two Management interfaces.

Firewall Features

ASP rule engine compilation offloaded to the data plane.

By default, ASP rule engine compilation is offloaded to the data plane (instead of the control plane) when any rule-based policy (for example, ACL, NAT, VPN) has more than 100 rule updates. The offload leaves more time for the control plane to perform other tasks.

We added or modified the following commands: asp rule-engine compile-offload , show asp rule-engine .

Data plane quick reload

When data plane needs to be restarted, instead of a reboot of the device, you can now reload the data plane process. When data plane quick reload is enabled, it restarts the data plane and other processes.

New/Modified commands:data-plane quick-reload , show data-plane quick-reload status .

High Availability and Scalability Features

Reduced false failovers for ASA high availability

We now introduced an additional heartbeat module in the data plane of the ASA high availability. This heartbeat module helps to avoid false failovers or split-brain scenarios that can happen due to traffic congestion in the control plain or CPU overload.

Also in 9.18(4).

Configurable cluster keepalive interval for flow status

The flow owner sends keepalives (clu_keepalive messages) and updates (clu_update messages) to the director and backup owner to refresh the flow state. You can now set the keepalive interval. The default is 15 seconds, and you can set the interval between 15 and 55 seconds. You may want to set the interval to be longer to reduce the amount of traffic on the cluster control link.

New/Modified commands: clu-keepalive-interval

Routing Features

EIGRPv6

You can now configure EIGRP for IPv6 and manage them separately. You must explicitly enable IPv6 when configuring EIGRP on each interface.

New/Modified commands: Following are the new commands introduced: ipv6 eigrp , ipv6 hello-interval eigrp , ipv6 hold-time eigrp , ipv6 split-horizon eigrp , show ipv6 eigrp interface , show ipv6 eigrp traffic , show ipv6 eigrp neighbors , show ipv6 eigrp interface , ipv6 summary-address eigrp , show ipv6 eigrp topology , show ipv6 eigrp events , show ipv6 eigrp timers , clear ipv6 eigrp , and clear ipv6 router eigrp

Following commands are modified to support IPv6: default-metric , distribute-list prefix-list , passive-interface , eigrp log-neighbor-warnings , eigrp log-neighbor-changes , eigrp router-id , and eigrp stub

Interface Features

VXLAN VTEP IPv6 support

You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the ASA virtual cluster control link or for Geneve encapsulation.

New/Modified commands: default-mcast-group , mcast-group , peer ip

Loopback interface support for DNS, HTTP, ICMP, and IPsec Flow Offload

You can now add a loopback interface and use it for:

• DNS

• HTTP

• ICMP

• IPsec Flow Offload

License Features

IPv6 for Cloud services such as Smart Licensing and Smart Call Home

Certificate Features

IPv6 PKI for OCSP and CRL

New/Modified commands:crypto ca trustpointcrl , cdp url , ocsp url

Administrative, Monitoring, and Troubleshooting Features

Rate limiting for SNMP syslogs

If you do not set system-wide rate limiting, you can now configure rate limiting separately for syslogs sent to an SNMP server.

New/Modified commands: logging history rate-limit

Packet Capture for switches

You can now configure to capture egress and ingress traffic packets for a switch. This option is applicable only for Secure Firewall 4200 model devices.

VPN Features

Crypto debugging enhancements

Following are the enhancements for crypto debugging:

• Crypto archive is now available in two formats: text and binary format.

• Additional SSL counters.

• Stuck encrypt rules can be removed from the ASP table without rebooting the device.

New/Modified commands:

• show counters

Multiple Key Exchanges for IKEv2

ASA supports multiple key exchanges in IKEv2 to secure the IPsec communication from quantum computer attacks.

New/Modified commands: additional-key-exchange