Firewall Features:

Security Contexts (i.e. Virtual Firewall) on PIX 515E, 525 and 535 UR/FO models (Separate license required)

Transparent (L2) Firewalling

Application/Protocol Inspection Engines (formally known as Fixups):

Advanced HTTP Inspection Engine

Method Policing for HTTP methods defined in the RFC as well as extension methods.

Port 80 Misuse detection

ESMTP Inspection Engine

GTP/GPRS Inspection Engine (Separate license required, not supported on PIX 501/506/506E)

NAT and PAT support for MGCP Inspection Engine

NAT support for RTSP Inspection Engine

H.323 Inspection Engine enhancements (T.38 and GKRCS)

FTP Inspection Engine support for command filtering (GET, PUT etc.)

Stateful ICMP Inspection Engine

Sun RPC TCP Inspection Engine

NIS+ Inspection Engine

TCP stream reassembly for Inspection Engines

All inspection engines have the ability to be enabled or disabled via configuration

Ability to configure inspection engines on an interface, network, or host basis

Outbound ACLs

Time-based ACLs

Configuring NAT policy will not be required to pass traffic through the device. NAT no longer a prerequisite for firewalling

Option to pass traffic between interfaces with the same security level (knob to change default PIX behavior)

URL filtering performance enhancements

VPN Features:

Are You There (AYT) support for Cisco Security Agent (CSA)

TCP based NAT transparency

VPN Hub, client-to-client routing; traffic u-turn on interface

Block VPN clients by OS and type

Support for Diffie Hellman Group 7 (ECC) and Movian VPN Client

IKE DoS safeguards (Aggressive Mode knob)

Support for n-tiered X.509 certificate chaining

Manual X.509 certificate enrollment (PKCS 10/7 support)

Network Integration Features:

Increased number of VLANs supported per platform

Increased number of physical network ports supported on PIX 525/535

IPv6 phase 1 support (firewall only) - Statement of Direction for IPv6 and Cisco Firewall

Dual IP stack supporting IPv4 and IPv6

Neighbor discovery

Security checks of IPv6 header, including extension headers

ICMPv6 support

Protocol support: TCP, UDP, FTP, HTTP, ICMP, SMTP ·

Management access to the device using HTTP, SSHv1, SSHv2 and Telnet will be supported for both IPv4 and IPv6.

Ping to and from the device will also be supported for both IPv4 and IPv6.

PIM Sparse Mode Multicast support

Low Latency Queuing (LLQ) - controls latency when the system is under load.

Policing - provides rate limiting of the maximum transmission rate for tunneled traffic for remote access and site-to-site tunnels.

Reverse Route Injection (RRI) for OSPF

Resiliency Features:

Active-active failover - this will initially support Firewall and NAT only. (Two UR license systems required)

VPN stateful failover

Authentication, Authorization and Accounting (AAA) Features:

Support multiple RADIUS accounting servers

Accounting for management traffic - generates AAA accounting records for management connections to the device.

Native Window NT/Active Directory user authentication support (VPN only)

Native SDI/RSA SecurID user authentication support (VPN only)

Management Features:

SSHv2

SCP (Secure Copy support)

SNMPv2c

IPSec Flow Monitoring MIB support

Enhanced Ping

TCP syslog server failure policy

Multiple configurations stored in flash

Multiple images on flash

IOS-like CLI parser (command aliasing, contextual help, command completion, etc.)

Certification - Details

ICSA IPSec ready

ICSA Firewall ready

Common Criteria EAL4+ ready