Beta: AWS CLoudWAN Support

Enhancement: Network Visibility Report

The network visibility report now includes a summary of activity.

Enhancment: GCP Load-Balancer

GCP now uses a single load-balancer for both TCP and UDP traffic. By streamlining the the work to a single load balancer, configuration and maintenance tasks are simplified which reduces the complexity of your network infrastructure and improved resource utilization.

Fixes

The following fixes are included in this release:

• Improves FQDN object matching functionality.

• Improves general performance.

Features

The following feature is included in this release:

• Support for OCI real-time discovery events.

Fixes

The following fixes are included in this release:

• Improved report generation in event batching to support up to 250K for pagination.

• Fixes an issue where session summary events configured for No Log Action continued to generate a logged event. With this fix there is no event logged when this configuration is selected.

• Fixes an issue where syslog forwarding did not include all logging types.

• Updated the list of permissions required for connecting to an OCI account.

Features

The following features are included in this release:

Site-to-Site VPN Tunnel Connections

You can now create site-to-site VPN tunnel connections with the following cloud service providers and platforms:

• Amazon Web Services (AWS)

• Microsoft Azure

• Google Cloud Platform (GCP)

• Cisco ASA managed by Cisco Defense Orchestrator

  Multicloud Defense Gateways

• Extranet devices

Use a Multicloud Defense Gateway as either endpoint, or create an environment where Multicloud Defense Gateway acts as both endpoints. Secure your gateways with either a BGP or IPSec profile to finetune the configuration for your specific environmnent. See Site-to-Site VPN Tunnel Connection for more information.

Dynamic Object Sharing

You can now share, create and deploy, and modify objects that are shared with different platforms and immediately have any changes identifed and updated. See Shared Objects for more informaiton.

Azure NAT Gateways

You can now create a service VPC with the intention of attaching it to a Network Address Translation (NAT) gateway in an egress Azure deployment. See Egress Gateways for more information.

Use an Azure Load Balancer in Your Gateway

You can now opt to use a load balancer created in the Azure dashboard instead of the the load balancer that Multicloud Defense provides when you create a gateway. See Advanced Gateway Configuration: Use Your Own Load Balancer for more information.

Miscellaneous

• Performance improvements.

• Operational improvements.

• Bug fixes and stability improvements.

Features

The following features are included in this release:

Hybrid Cloud

• (Private Preview) Site-to-site VPN (requires Multicloud Defense Gateway version 24.02 or later).

Orchestration

• Cross-Subscription Spoke VNet protection (Azure).

• Route table creation for Spoke VPC/VNet protection.

• LB Health Check Security Group orchestration.

Gateway

• Reduced disk size for all Gateway instance types.

• Enable/Disable Gateway SSH access.

• Upgrade Gateway from Details page.

• Cancel Gateway upgrade.

• Instance level actions (terminate protect, replace instance, restart datapath).

Integrations

• Dynamically track changes to cloud service provider-certificates.

• User management with Azure Active Directory.

Miscellaneous

• Performance improvements.

• Operational improvements.

• Bug fixes and stability improvements.

Enhancements

The following enhancements are included in this release:

• (Private Preview) Added support for site-to-site VPN. This includes VPN tunnel configuration, including IPSec and BGP. The VPN is terminated directly on the gateway to process and protect traffic flowing across the VPN. This enhancement requires Multicloud Defense Gateway version 24.02 or later.

• Adds support for orchestrating route tables in spoke VPCs and VNets to ensure traffic originating or returning from the spoke VNet/VPC and route to the service VPC/VNet containing the Multicloud Defense Gateway. This enhancement includes a workflow for create route tables and route entries, and associating the route tables with subnets.

• Adds support for cross-subscription spoke VNet protection by orchestrating spoke VNet peering to route traffic from the spoke VNet to the services VNet containing Multicloud Defense. This ensures the orchestration in Azure is parity with similar orchestrations in AWS and GCP.

• Adds support for orchestrating the security group, network security group, and firewall rules CIDRs related to health checks from the cloud service provider load balancer (Azure, GCP, OCI) or heath check service (GCP).

• Adds support for enabling and disabling SSH from the Gateway Details page to accommodate reverse SSH using Teleport. Requires Multicloud Defense Gateway version 23.10 or later, which supports Teleport integration.

• Adds support for upgrading the Multicloud Defense Gateway from the Gateway Details page.

• Adds the ability to cancel (abort) a Multicloud Defense Gateway upgrade.

• Adds gateway instance-level actions (terminate protect, replace instance, restart datapath).

• Reduces the disk size for all instances in all cloud service providers from 256GB to 128GB.

• Adds support to dynamically track changes to certificate objects where the private key is stored in the cloud service provider and retrieved by the Multicloud Defense Gateway. When changes take place to the cloud service provider resource, the controller instructs the gateway to reread the private key from the cloud service provider resource to ensure that it is accessible and the updated content is used. If there are any issues with accessing the certificate, a system log message will be generated.

• When selecting a region for gateway deployment, a region friendly name should be displayed for all regions along with the true region name (lowercase name). This enhancement ensures that all regions are displayed with both the friendly and true region names.

• Adds support for configuring the Multicloud Defense Controller to integrate with Azure Active Directory for authentication.

• Improves performance of various resource view pages to reduce number of API calls and improve overall load times.

• Adds pagination support for Traffic Summary page to improve performance.

• Adds pagination support for Stats page to improve performance.

Fixes

The following fixes are included in this release:

• Fixes an issue where the Inventory and Discovery views would not display asset information if the region does not include a gateway deployment.

• Fixes an issue where deployment of an ingress gateway Azure would not be successful if the ingress policy rule set is empty.

• Fixes an issue where log forwarding to an S3 bucket would not work if the log forward profile is used in a group log forwarding profile.

• Fixes an issue where deleting the gateway from the UI does not fully delete the gateway on the backend inhibiting deploying a replacement gateway with the same name.

• Fixes an issue where disabling assign public IP addresses for a gateway deployed in Azure performs a blue/green gateway replacement, but does still assigns public IPs.

• Fixes an issue where the first category and FQDN Row of an FQDN filter profile could not be deleted.

• Fixes an issue to ensure the gateway names in the gateway filter are sorted alphabetically.

• Fixes an issue with export to Terraform for account and gateway resources where the resulting exported Terraform was empty.

• Fixes an issue where the policy rule set Status would show as Updating even though the gateway policy Status is shown as Updated.

• Fixes an issue where a scale out would be unsuccessful due to a health check failure even though the instance is healthy.

• Changes the health check unhealthy time period to 120 seconds. When a new gateway is deployed, the load balancer heath check or health check service will be orchestrated to evaluate an instance health over a 2 minute (120 second) period. The previous orchestration would evaluate over a 20 second period.

• Fixes an issue to ensure the time zone select defaults to Local rather than UTC.

• Fixes an issue in the Stats page where CPU metric was always showing an order of magnitude less than what should be shown.

• Fixes an issue with deleting a spoke VPC peering in GCP where the spoke VPC would not be deleted. This issue occurs only when the VPC ID was used instead of the self-link.

• Fixes consistency issues with the display of Last Modified information across resources.

• Fixes various UI-related resource links where the link would not redirect to the linked resource.

• Fixes various UI-related issues related to advanced search.

• Fixes various UI workflows to ensure proper behavior

Features

The following features are included in this release:

Orchestration

• User-supplied NLB IP for gateway creation in GCP.

• GCP health check CIDRs in datapath firewall rule.

Policy

• Apply ICMP policy to gateways across cloud service providers.

Integrations

• Multiple Syslog Servers in log forwarding group.

Usability

• Additional fields for filtering and advanced search.

• SNAT configuration display in policy rule set.

Miscellaneous

• Performance improvements.

• Operational improvements.

• Bug fixes and stability improvements.

Enhancements

The following enhancements are included in this release:

• Adds fields to Advanced Search that were initially not available.

• Enhances the gateway creation in GCP to allow a user-provided IP resource to be used as the load balancer frontend IP. This can only be supplied when using Terraform.

• Adds display of the service object SNAT setting in the policy rule set view.

• Relaxes the hard requirement for a cloud service provider to support ICMP to apply an ICMP policy to a gateway that is deployed in that cloud service provider. A policy rule set that contains an ICMP policy can now be applied to any gateway that resides in any cloud service provider, whether or not the cloud service provider supports ICMP.

• Adds support for more than one Syslog Server configuration in a log forwarding group.

• Adds GCP health check CIDRs when orchestrating datapath firewall rule.

Fixes

The following fixes are included in this release:

• Fixes an issue where the log forwarding profile for Splunk was showing unreachable even though the Splunk endpoint was reachable.

• Fixes an issue where de-orchestrating an AWS Service VPC would not fully clean up all VPC resources, including the VPC itself.

• Fixes an issue where all address objects would be displayed when a user is creating or editing a reverse proxy service object. Only reverse proxy service objects are now being displayed.

• Fixes an issue where the controller was using an incorrect Project ID when orchestrating a gateway into a GCP shared VPC scenario.

• Fixes an issue where the list of address objects was not showing in the drop down when creating or modifying a group address object.

• Fixes the typeahead search for cloud service provider account in the create gateway workflow.

• Fixes an issue when adding a rule within the policy rule set to improve the performance and ensure the operation is quick.

• Fixes an issue where adding an AWS account through the CDO page could result in a timeout.

• Fixes the count issue for FQDN match and FQDN filtering objects. The counts were representing both types of objects in each view.

• Fixes various advanced search and filter issues.

• Fixes an issue where deploying a gateway into Azure when Azure has no available capacity would fail deployment and not clean up the created resources. When Azure has no capacity, it does not inhibit creating a virtual machine and its associated resources. It creates the VM, but brings up the VM in a failed state with an error message. This scenario needed to be handled in a specific way to ensure that it is recognized, the proper action is taken to clean up the resources and the user is made aware of the cloud service provider issue through a system log message.

• Fixes an issue where the cloud service provider resource and capacity information is not displayed when deploying a gateway in Azure.

• Improves the performance of displaying the list of rules in a policy rule set.

• Fixes an issue where deleting the GCP-based account would not delete all of the inventory objects related to inventory discovery.

• Addresses an issue with gateway instance per-zone rows that would inhibit a user from removing the first row. This only applies to scenarios where the gateway is deployed into a user-managed VPC or VNet.

• Fixes an issue where deploying a gateway into GCP would not orchestrate the egress route into the orchestrated service VPC.

• Fixes an issue where orchestrating spoke VPC protection could fail.

• Corrects an issue where the SNI and L7 DOS profiles would not be displayed when editing a reverse proxy service object.

• Fixes an issue where a UI change operation to the assign public IPs settings could trigger an unnecessary blue/green gateway replacement.

• Fixes an issue where orchestrating a gateway into multiple GCP regions could result in a race condition that would inhibit the gateway from becoming active.

• Fixes an issue where a new gateway deployment would become immediately inactive due to an internal error.

• Fixes an issue where a forwarding or forward proxy policy rule set that was created by Terraform would be displayed in the UI as a reverse proxy rule.

• Fixes an issue where rules could not be reordered when editing a policy rule set.

• Fixes an issue where a service object that contained more than 20 rows would be accepted and pushed to the gateway resulting in a gateway crash. The service object is now limited to 20 rows. This limit validation is performed by both the controller and gateway.

• Fixes an issue to ensure the Gateway Details page displays the date modified and data created times.

• Fixes an issue with proper sorting for views containing objects and profiles that span multiple pages.

• Improves performance of various object creation pages.

• Improves the user experience through fixes and enhancements throughout the UI.

• Ensures the user-specified time setting of local or UTC is honored across views and persists across portal invocations. The persistence across portal invocations is achieved by storing this setting in the browser cache.

• Fixes a UI issue where the tooltip information was missing for custom managed Encryption Key gateway configuration.

• Ensures the controller generates System Log messages when the gateway fails to become active due to cloud service provider errors.

Fixes

The following fix is included in this release:

• Fixes an issue related to ordering of the instance_details blocks for a Gateway (ciscodmcd_gateway) resource deployed in Edge mode. The block order in a multi-zone deployment could be random, causing the Terraform apply to incorrectly detect an infrastructure change. This fix ensures a consistent order based on the user specified Terraform code such that no infrastructure change is detected if there is no change to the order in the code.

Enhancements

The following enhancements are included in this release:

• Adds arm64 support for Windows, Linux and MacOS.

• Enhances the Multicloud Defense Gateway ciscomcd_gateway resource creation in GCP to allow a user-provided IP resource to be used as the load balancer frontend IP.

• Adds support for cross-subscription Spoke VNet peering orchestration in Azure ciscomcd_spoke_vpc. This ensures feature parity across cloud service providers.

• Adds support for account (Tenant/Compartment) onboarding ciscomcd_account and Multicloud Defense Gateway deployment ciscomcd_gateway resources for orchestration in OCI.

Fixes

The following fixes are included in this release:

• Fixes an issue where attempting to create an FQDN filtering ciscomcd_profile_fqdn resource would result in an error message: "unknown action Inherit from decryption profile for profile type FQDN_FILTER".

• Fixes an issue where a change to a decryption profile ciscomcd_profile_decryption resource would not recognize the change producing the message: "No changes. Your infrastructure matches the configuration".

• Fixes an issue with deleting a spoke VPC ciscomcd_spoke_vpc peering in GCP where the spoke VPC peering would not be deleted. This issue occurred only when the VPC ID was used instead of the self-link.

Enhancements

The following enhancements are included in this release:

• Adds support in a cloud service provider account ciscomcd_cloud_account resource for onboarding GCP folder hierarchies to accommodate asset and traffic discovery of all projects that are contained within a Folder hierarchical structure. Onboarding GCP folders permits asset and traffic discovery, but does not permit full orchestration. Discovery is beneficial and necessary for creating a dynamic policy that adapts in real time to changes made within the GCP projects. In order to orchestrate within a project, each project where orchestration is required should be onboarded individually.

• Adds support for sending Multicloud Defense Gateway metrics to 3rd-party SIEMs. This introduces a new metrics forwarding profile ciscomcd_profile_metrics_forwarding resource that can be configured and assigned to Multicloud Defense Gateway ciscomcd_gateway resources in order for gateway metrics to be sent to the SIEM. The first implementation supports Datadog as a SIEM. Support for other SIEMs will follow in future releases.

• Changes the Multicloud Defense Gateway ciscomcd_gateway resource aws_gateway_lb argument default value from false to true. When deploying an AWS egress gateway, the supported transit architecture is an AWS gateway load balancer (GWLB) architecture. This argument is optional and if not specified should default to the appropriate value.

• Adds support for sending audit and system logs to Splunk. This introduces an update to the alert profile ciscomcd_alert_profile resource by adding Splunk as a new value for the type argument.

• Adds support for sending audit and system logs to Microsoft Teams. This introduces an update to the alert profile ciscomcd_alert_profile resource by adding Microsoft Teams as a new value for the type argument.

• Enhances the forward proxy policy to validate the server certificate when negotiating the backend TLS session. The certificate validation is disabled by default, but can be configured in a decryption profile ciscomcd_profile_decryption resource for all TLS sessions and in an FQDN match object ciscomcd_profile_fqdn resource on a per-domain (or set of domains) basis.

• Adds support for creating an Azure Resource Group (RG) as part of the service VNet ciscomcd_service_vpc resource. The RG is required such that all resources orchestrated by the Multicloud Defense Controller will be associated within the specified (or newly created) RG.

Fixes

The following fix is included in this release:

• Fixes an issue where validation was not being performed when configuring a forward or reverse proxy service object ciscomcd_service_object resource to require a decryption profile ciscomcd_profile_decryption to be assigned to the tls_profile argument when using a secure proxy (TLS, HTTPS, WEBSOCKETS) value assigned to the transport_mode argument. If a secure proxy is configured, it must have a decryption profile assigned otherwise the proxy will not operate as a secure proxy and TLS encrypted traffic will be denied.

Enhancements

The following enhancements are included in this release:

• Enhances the forward proxy service object ciscomcd_service_object resource to accommodate L4 (TCP) and L5 (TLS) proxies. This is achieved by specifying either TCP or TLS as a valid value for the transport_mode argument.

• Enhances the Multicloud Defense Gateway ciscomcd_gateway resource to perform a blue/green gateway replacement when a change to assign_public_ip setting is made.

Fixes

The following fixes are included in this release:

• Fixes an issue where an FQDN Profile ciscomcd_fqdn_profile resource with mode=MATCH argument without a policy argument would result in traffic that matches to be denied. The policy argument does not need to be specified and is not listed as an argument in the Terraform Provider documentation.

• Fixes an issue where an update to the policy rules ciscomcd_policy_rule_set resource could take a longtime and generate an RPC error.