New URL Categories Update notification

A new URL Categories Update notification is introduced in the banner. An email notification on the upcoming URL category updates is also sent to the users.

Deprecation of TLS 1.0/1.1

Use TLS 1.2 or later versions to connect the appliance to the AMP File Reputation server. AMERICAS (Legacy) cloud-sa.amp.sourcefire.com is removed from the AMP File Reputation server list, so AMERICAS (Legacy) cloud-sa.amp.sourcefire.com cannot be configured on the appliance.

Before you upgrade the appliance to the 12.5.1 version, the following is recommended:

• If the AMP services are enabled and the File Reputation server is configured as AMERICAS (Legacy) cloud-sa.amp.sourcefire.com, change the File Reputation server to AMERICAS (cloud-sa.amp.cisco.com).

• After you upgrade the appliance, check if the File Reputation server is retained as AMERICAS (cloud-sa.amp.cisco.com).

For more information, see Decommissioning Legacy File Reputation Servers for Cisco Web Security Appliances.

Enable Trusted Domain Lookup

Enable Trusted Domain Lookup option is added in the Active Directory Account section (Network > Authentication > Add Realm) to control the behavior of the trusted domain lookup for the realm.

The option is enabled by default.

Support for High Performance

The Cisco AsyncOS 12.5 release provides Web Security Appliance with High Performance (HP) for platforms S680, S690, and S695. This increases the traffic handling performance of the existing high-end appliances.

Web Proxy IP Spoofing

You can now configure Web Proxy IP Spoofing by creating an IP spoofing profile and adding it to the routing policies. When IP spoofing profile is used in a routing policy, the web proxy changes the source IP address to custom IP address defined in the IP spoofing profile.

You can now enable or disable client IP spoofing for native FTP requests in FTP proxy settings.

Prerequisite:

• Make sure you have selected the proxy mode and IP spoofing connection type in the web proxy settings (Services > Web Proxy.)

See the “Intercepting Web Requests” chapter in the user guide.

Support for YouTube Categorization

You can now create a custom URL category for YouTube and set policies on the YouTube custom category for secure access control.

Prerequisites:

Make sure you have:

• Enabled HTTPS proxy (Security Services > HTTPS Proxy).

• Enabled Acceptable Use Controls (Security Services > Acceptable Use Controls).

• Configured Custom and External URL categories (Web Security Manager > Custom and External URL Categories) with www.youtube.com and m.youtube.com.

• Configured decryption policy using the Custom and External URL category for YouTube, with action as 'decrypt'.

• Generated the Google API key using Google API services for YouTube.

See the “Classify URLs for Policy Application” chapter in the user guide.

System Status Dashboard in the New Web Interface

In the new web interface, the appliance has a new page (Monitoring > System Status) to display the current status and configuration of the appliance.

See the “Web Security Appliance Reports on the New Web Interface” chapter in the user guide.

Cisco Success Network on Web Security Appliance

The Cisco Success Network (CSN) feature enables Cisco to collect telemetry of feature usage information of the appliance. These details are used by Cisco to identify the device information, list of free and licensed features and their activation statuses.

Prerequisite:

• Make sure you have enabled Cisco Threat Response

See the “Integrating with Cisco Threat Response” chapter in the user guide.

REST API for Network, Log Subscription, and Other Configurations.

You can now retrieve the configuration information, and perform any changes (such as modify existing information, add new information, or delete an entry) in the configuration data of the appliance by using REST APIs.

See the “AsyncOS API 12.5 for Cisco Web Security Appliances - Getting Started Guide.”

networktuning

After an upgrade to Cisco AsyncOS 12.5, you will receive a prompt to restart the proxy process when you execute the networktuning command for the first time.

SSL Configuration

Beginning Cisco AsyncOS 12.5.4 version, TLSv1.2 is enabled by default for Appliance Management Web User Interface under System Administrator > SSL Configuration to support chrome browser version 98.0.4758.80 or later.

Session resumption

After an upgrade to Cisco AsyncOS 12.5.4 version, session resumption will be disabled by default.

Context Directory Agent (CDA)

Beginning Cisco AsyncOS 12.5.4 version, the following message is added to indicate the end of support for CDA in the CDA configuration section:

"Context Directory Agent (CDA) has reached EOS. It is recommended configuring ISE/ISE-PIC for transparent user authentication instead of CDA".

Warning messages for proxy malloc memory utilization

The following alert messages are displayed on the web user interface of the appliance (System Administration > Alerts > View Top Alerts):

• when the proxy malloc memory crosses 90% of proxy malloc memory limit

  Proxy malloc memory reached to 90%, proxy will restart whenever max limit exceed

• when the proxy gets restarted on reaching 100% of malloc memory

  Proxy malloc memory exceed the max limit, restarting proxy

In both the cases, an e-mail notification is sent to all 'Alert recipients' configured to receive 'Web Proxy' critical alerts.

The critical logs messages are now included in proxy logs.

Cache Size Configuration for Authentication

The configuration of cache size for authentication is not supported from AsyncOS 12.5.1-035 and later versions.

The Cache Size option (Network > Authentication > Authentication Settings > Credential Cache Options) is removed from the web interface of the appliance from AsyncOS 12.5.1-035 and later versions.

Log Subscriptions

Following logs are modified to include more details:

• The access logs now display the user name when authentication fails.

• The authentication framework logs now display the client IP address for the following failed authentication protocols:

  • NTLM

  • BASIC

  • SSO (Transparent)