What’s New in CSM 4.20 and ASDM 7.13.1 Releases

CSM 4.20

Cisco Security Manager (CSM) continues to provide an integrated end-to-end solution that helps administrators enforce consistent access policies, troubleshoot security events rapidly, and view summarized reports across the deployment.

The latest version, CSM 4.20, provides an option to enable the Customer Success Network, which reports the features enabled on ASA devices and leverages the same mechanism as Smart Call Home (SCH). The data SCH collects is mostly outdated, and the features added since the release of SCH do not report their exact status. Hence, the Customer Success Network is being introduced. This feature is supported on ASA 9.13(1) and later devices.

Support for ASA 9.13(1) version

  • Support for CGNAT MAP domains— Beginning with version 4.20, Cisco Security Manager supports Carrier-Grade NAT Mapping of Address and Port (CGNAT MAP) domains for ASA 9.13(1) devices operating in single, multi-context, and routed modes. This feature helps to configure MAP domains using default or basic mapping rules and is not supported in transparent mode.
  • Support for GTP location logging— Beginning with version 4.20, Cisco Security Manager supports GTP location logging. When enabled, you can obtain the device location information through a syslog message. The syslog message contains the mobile country code and mobile network code of the device. This syslog message is displayed when activating/updating a PDP context on Gn/Gp in GTPv0/v1 or S5/S8 in GTPv2. You can also add an optional cell ID to the syslog message.
  • NTP server configuration enhancement— Earlier, only the md5 authentication type was supported when configuring an NTP server. Beginning with version 4.20, Cisco Security Manager supports the following additional authentication types for NTP server configuration: sha1, sha256, sha512, and cmac.
  • VLAN interface support— Beginning with version 4.20, Cisco Security Manager supports L2 hardware switching. The L2 switching support is provided by adding a new interface type called VLAN Interface under the Interface Policy Type and a new Switch Port tab. Security Manager supports this feature on Cisco FPR-1010 Adaptive Security Appliance.
  • PoE enhancement— Beginning with Cisco Security Manager 4.20, Power over Ethernet (PoE) is supported for ASA 9.13(1) or higher devices. This feature is part of the physical interface configuration for the Ethernet1/7 and Ethernet1/8 ports. PoE support is provided by a new Power Over Ethernet tab under Interface Policy. This feature is supported on the Cisco FPR-1010 Adaptive Security Appliance.
  • Deprecation of DH groups 2, 5, and 24— Cisco Security Manager supports numerous DH group algorithms in various policies. DH groups determine the strength of the key used in the key exchange process. DH groups 2, 5, and 24 are no longer considered to be secure against modern threats. Hence, beginning from Cisco Security Manager 4.20, the support for DH groups 2, 5, and 24 is removed in ASA 9.13(1) or higher devices.
  • DH group 14 support for IKEv1— Beginning with Cisco Security Manager 4.20, DH group 14 is supported for IKEv1, for ASA 9.13(1) and higher devices. This support is added to all relevant RAVPN and site-to-site VPN policies.
  • DH groups 15, 16 support for IKEv2— Beginning with Cisco Security Manager 4.20, DH groups 15 and 16 are supported for IKEv2, for ASA 9.13(1) and higher devices.
  • New platform support— Beginning with version 4.20, Cisco Security Manager supports the following Firepower 1000 series devices—Cisco FPR-1010, Cisco FPR-1120, Cisco FPR-1140, and Cisco FPR-1150.
  • Appliance mode for FP1000 and FP2100 series— Beginning with version 4.20, Cisco Security Manager enables a new option to select the FXOS mode in which the device is operating. The Appliance Mode lets you configure devices from the CLI, an on-box device such as ASDM, or a multi-device manager such as Cisco Security Manager. The Appliance Mode is supported for the existing Firepower 2100 series and new 1000 series appliances on ASA 9.13(1) or higher devices.
  • Support for NBAPI Hitcount Feature— Beginning with Cisco Security Manager 4.20, you can make API calls at any time to obtain the current (live) hit-count values from devices without any manual intervention.
  • Support for Veritas Cluster 7.4— Beginning with version 4.20, Cisco Security Manager supports Veritas Cluster 7.4 in addition to the existing Veritas support.

Resolved and Open Bugs

For information on fixes for various problems, see Resolved caveats—Release 4.20.

Related Documents

For additional information on CSM, see the Release Notes.

ASDM 7.13(1)

Cisco's Adaptive Security Device Manager (ASDM) is the GUI tool used to manage Cisco ASA security appliances. This section contains the new features, the resolved and open bugs, and the related documentation for the ASDM 7.13(1) release.

What's New

This release includes the following new features and enhancements:

Platform Features

ASA for the Firepower 1010

We introduced the ASA for the Firepower 1010. This desktop model includes a built-in hardware switch and Power-Over-Ethernet+ (PoE+) support.

New/Modified screens:

  • Configuration > Device Setup > Interface Settings > Interfaces > Edit > Switch Port
  • Configuration > Device Setup > Interface Settings > Interfaces > Edit > Power Over Ethernet
  • Configuration > Device Setup > Interface Settings > Interfaces > Add VLAN Interface
  • Configuration > Device Management > System Image/Configuration > Boot Image/Configuration
  • Configuration > Device Setup > System Time > Clock
  • Monitoring > Interfaces > L2 Switching
  • Monitoring > Interfaces > Power Over Ethernet

ASA for the Firepower 1120, 1140, and 1150

We introduced the ASA for the Firepower 1120, 1140, and 1150.

New/Modified screens:

  • Configuration > Device Management > System Image/Configuration > Boot Image/Configuration
  • Configuration > Device Setup > System Time > Clock

Firepower 2100 Appliance mode

The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). You can run the Firepower 2100 in the following modes:

  • Appliance mode (now the default)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI.
  • Platform mode—When in Platform mode, you must configure basic operating parameters and hardware interface settings in FXOS. These settings include enabling interfaces, establishing EtherChannels, NTP, image management, and more. You can use the Firepower Chassis Manager web interface or FXOS CLI. You can then configure your security policy in the ASA operating system using ASDM or the ASA CLI. If you are upgrading to 9.13(1), the mode will remain in Platform mode.

New/Modified screens:

  • Configuration > Device Management > System Image/Configuration > Boot Image/Configuration
  • Configuration > Device Setup > System Time > Clock

ASAv minimum memory requirement

The minimum memory requirement for the ASAv is now 2GB. If your current ASAv runs with less than 2GB of memory, you cannot upgrade to 9.13(1) from an earlier version without increasing the memory of your ASAv VM. You can also redeploy a new ASAv VM with version 9.13(1).

No modified screens.

ASAv MSLA Support

The ASAv supports Cisco's Managed Service License Agreement (MSLA) program, which is a software licensing and consumption framework designed for Cisco customers and partners who offer managed software services to third parties.

MSLA is a new form of Smart Licensing where the licensing Smart Agent keeps track of the usage of licensing entitlements in units of time.

New/Modified screens: Configuration > Device Management > Licensing > Smart Licensing.

ASAv Flexible Licensing

Flexible Licensing is a new form of Smart Licensing where any ASAv license now can be used on any supported ASAv vCPU/memory configuration. Session limits for AnyConnect and TLS proxy will be determined by the ASAv platform entitlement installed rather than a platform limit tied to a model type.

New/Modified screens: Configuration > Device Management > Licensing > Smart Licensing.

ASAv for AWS support for the C5 instance; expanded support for C4, C3, and M4 instances

The ASAv on the AWS Public Cloud now supports the C5 instance (c5.large, c5.xlarge, and c5.2xlarge).

In addition, support has been expanded for the C4 instance (c4.2xlarge and c4.4xlarge); C3 instance (c3.2xlarge, c3.4xlarge, and c3.8xlarge); and M4 instance (m4.2xlarge and m4.4xlarge).

No modified screens.

ASAv for Microsoft Azure support for more Azure virtual machine sizes

The ASAv on the Microsoft Azure Public Cloud now supports more Linux virtual machine sizes:

  • Standard_D4, Standard_D4_v2
  • Standard_D8_v3
  • Standard_DS3, Standard_DS3_v2
  • Standard_DS4, Standard_DS4_v2
  • Standard_F4, Standard_F4s
  • Standard_F8, Standard_F8s

Earlier releases only supported the Standard_D3 and Standard_D3_v2 sizes.

No modified screens.

ASAv enhanced support for DPDK

The ASAv supports enhancements to the Data Plane Development Kit (DPDK) to enable support for multiple NIC queues, which allow multi-core CPUs to concurrently and efficiently service network interfaces.

This applies to all ASAv hypervisors except Microsoft Azure and Hyper-V.

Note

DPDK support was introduced in release ASA 9.10(1)/ASDM 7.13(1).

No modified screens.

ASAv support for VMware ESXi 6.7

The ASAv virtual platform supports hosts running on VMware ESXi 6.7. New VMware hardware versions have been added to the vi.ovf and esxi.ovf files to enable optimal performance and usability of the ASAv on ESXi 6.7.

No modified screens.

Firewall Features

Location logging for mobile stations (GTP inspection)

You can configure GTP inspection to log the initial location of a mobile station and subsequent changes to the location. Tracking location changes can help you identify possible fraudulent roaming charges.

New/Modified screens: Configuration > Firewall > Objects > Inspect Maps > GTP.

GTPv2 and GTPv1 release 15 support

The system now supports GTPv2 3GPP 29.274 V15.5.0. For GTPv1, support is up to 3GPP 29.060 V15.2.0. The new support includes recognition of 2 additional messages and 53 information elements.

No modified screens.

Mapping Address and Port-Translation (MAP-T)

Mapping Address and Port (MAP) is primarily a feature for use in service provider (SP) networks. The service provider can operate an IPv6-only network, the MAP domain, while supporting IPv4-only subscribers and their need to communicate with IPv4-only sites on the public Internet. MAP is defined in RFC7597, RFC7598, and RFC7599.

New/Modified screens: Configuration > Device Setup > CGNAT Map, Monitoring > Properties > MAP Domains.

Increased limits for AAA server groups and servers per group.

You can configure more AAA server groups. In single context mode, you can configure 200 AAA server groups (the former limit was 100). In multiple context mode, you can configure 8 (the former limit was 4).

In addition, in multiple context mode, you can configure 8 servers per group (the former limit was 4 servers per group). The single context mode per-group limit of 16 remains unchanged.

We modified the AAA screens to accept these new limits.

TLS proxy deprecated for SCCP (Skinny) inspection

The tls-proxy keyword and support for SCCP/Skinny encrypted inspection were deprecated. The keyword will be removed from the inspect skinny command in a future release.

VPN Features

HSTS Support for WebVPN as Client

A new CLI mode under WebVPN mode, called http-headers, was added so that WebVPN can transform HTTP references into HTTPS references for hosts that enforce HSTS. The mode also configures whether the user agent should allow the embedding of resources when this header is sent for WebVPN connections from the ASA to browsers.

New/Modified screens: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Proxies.

Diffie-Hellman groups 15 and 16 added for key exchange

To add support for Diffie-Hellman groups 15 and 16, we modified a few crypto commands to accept these new groups.

New/Modified commands: crypto ikev2 policy <index> group <number> and crypto map <map-name> <map-index> set pfs <group>.

show asp table vpn-context enhancement to output

To enhance debug capability, these vpn context counters were added to the output: Lock Err, No SA, IP Ver Err, and Tun Down.

New/Modified commands: show asp table vpn-context (output only).

High Availability and Scalability Features

Initiator and responder information for Dead Connection Detection (DCD), and DCD support in a cluster

If you enable Dead Connection Detection (DCD), you can use the show conn detail command to get information about the initiator and responder. Dead Connection Detection allows you to maintain an inactive connection, and the show conn output tells you how often the endpoints have been probed. In addition, DCD is now supported in a cluster.

No modified screens.

Monitor the traffic load for a cluster

You can now monitor the traffic load for cluster members, including total connection count, CPU and memory usage, and buffer drops. If the load is too high, you can choose to manually disable clustering on the unit if the remaining units can handle the load, or adjust the load balancing on the external switch. This feature is enabled by default.

New/Modified screens:

  • Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration > Enable Cluster Load Monitor check box

  • Monitoring > ASA Cluster > Cluster Load-Monitoring

Accelerated cluster joining

When a slave unit has the same configuration as the master unit, it will skip syncing the configuration and will join faster. This feature is enabled by default. This feature is configured on each unit and is not replicated from the master to the slave.

Note

Some configuration commands are not compatible with accelerated cluster joining; if these commands are present on the unit, configuration syncing will always occur, even if accelerated cluster joining is enabled. You must remove the incompatible configuration for accelerated cluster joining to work. Use the show cluster info unit-join-acceleration incompatible-config command to view the incompatible configuration.

New/Modified screens: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration > Enable config sync acceleration check box

Routing Features

SMTP configuration enhancement

You can optionally configure the SMTP server with primary and backup interface names so that the ASA can identify which routing table to use for logging: the management routing table or the data routing table. If no interface is provided, the ASA first performs a lookup in the management routing table and, if no proper route entry is present, then looks in the data routing table.

Support to set NSF wait timer

OSPF routers are expected to set the RS-bit in the EO-TLV attached to a Hello packet when it is not known whether all neighbors are listed in the packet and the restarting router needs to preserve their adjacencies. However, the RS-bit must not stay set for longer than RouterDeadInterval seconds. The timers nsf wait command is introduced to set the RS-bit in Hello packets for less than RouterDeadInterval seconds.

Support to set tftp blocksize

The blocksize traditionally fixed for TFTP file transfer is 512 octets. A new command, tftp blocksize, is introduced to configure a larger blocksize and thereby improve TFTP file transfer speed. You can set a blocksize from 513 to 8192 octets. The new default blocksize is 1456 octets. The no form of this command resets the blocksize to the older default value of 512 octets.

Certificate Features

Support to view FIPS status

The show running-configuration fips command displayed the FIPS status only when FIPS was enabled. To expose the operational state, the show fips command was introduced: it displays the FIPS status (enabled or disabled) when a user enables or disables FIPS. This command also displays the reboot status of the device after an enable or disable action.

Modifications to the CRL Distribution Point commands

The static CDP URL configuration commands were removed, and their function moved to the match certificate command.

New/Modified screens: Configuration > Device Management > Certificate Management > CA Certificates

Administrative and Troubleshooting Features

Management access when the Firepower 1000 or Firepower 2100 in Appliance mode is in licensing evaluation mode

The ASA includes 3DES capability by default for management access only, so you can connect to the License Authority and also use ASDM immediately. You can also use SSH and SCP if you later configure SSH access on the ASA. Other features that require strong encryption (such as VPN) must have the Strong Encryption license enabled, which requires you to first register with the License Authority.

Note

If you attempt to configure any features that can use strong encryption before you have the license—even if you only configure weak encryption—then your HTTPS connection will be dropped on that interface, and you cannot reconnect. The exception to this rule is if you are connected to a management-only interface, such as Management 1/1. SSH is not affected. If you lose your HTTPS connection, you can connect to the console port to reconfigure the ASA, connect to a management-only interface, or connect to an interface not configured for a strong encryption feature.

No modified screens.

Additional NTP authentication algorithms

Formerly, only MD5 was supported for NTP authentication. The ASA now supports the following algorithms:

  • MD5

  • SHA-1

  • SHA-256

  • SHA-512

  • AES-CMAC

New/Modified screens: Configuration > Device Setup > System Time > NTP > Add button > Add NTP Server Configuration dialog box > Key Algorithm drop-down list
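The DH-group change (groups 2, 5 and 24 removed; 14 for IKEv1, 15 and 16 for IKEv2) and the NTP key-algorithm change above are both easy to check for in a saved running-config. The following Python script is an added example, not part of Cisco's release notes or any Cisco tool; it scans a constructed config excerpt and flags IKE policies and PFS settings that still use a removed DH group, and NTP keys that still use md5. It assumes the command shapes shown on this page (crypto ikev1/ikev2 policy blocks with a group line, crypto map ... set pfs groupN, and ntp authentication-key <id> <algorithm> <key>).

```python
"""Audit an ASA running-config excerpt for settings the 9.13(1) notes change:
DH groups 2, 5 and 24 are removed from IKE and PFS, and NTP authentication
keys may now use sha1/sha256/sha512/cmac instead of only md5. Added example."""
import re

DEPRECATED_DH = {"2", "5", "24"}          # removed on ASA 9.13(1)
IKEV1_ADVICE = "use group 14 (the strong group IKEv1 gained on 9.13(1))"
IKEV2_ADVICE = "use group 14, 15 or 16"
WEAK_NTP = {"md5"}                        # the only NTP key type before 9.13(1)

# Constructed sample running-config excerpt; not taken from a real device.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 encryption aes-256
 group 2
crypto ikev2 policy 1
 encryption aes-gcm-256
 group 16 14
crypto map outside_map 10 set pfs group5
crypto map outside_map 20 set pfs group14
ntp authentication-key 1 md5 *****
ntp authentication-key 2 sha256 *****
ntp trusted-key 2
ntp server 203.0.113.10 key 2 source outside
"""


def audit_config(config):
    """Return one finding dict per weak setting, in config order."""
    findings = []
    policy = None  # "ikev1" or "ikev2" while inside a crypto policy block
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        m = re.match(r"crypto (ikev[12]) policy \d+$", line)
        if m:
            policy = m.group(1)
            continue
        if line and not line.startswith(" "):
            policy = None  # any other top-level command ends the block
        # "group 16 14" inside a policy block lists one or more DH groups
        m = re.match(r" +group ((?:\d+ ?)+)$", line)
        if m and policy:
            bad = sorted(set(m.group(1).split()) & DEPRECATED_DH, key=int)
            if bad:
                findings.append({
                    "line": lineno, "text": line.strip(),
                    "issue": f"{policy} uses DH group(s) {', '.join(bad)}",
                    "advice": IKEV1_ADVICE if policy == "ikev1" else IKEV2_ADVICE})
            continue
        # PFS group on a crypto map entry, e.g. "set pfs group5"
        m = re.match(r"crypto map \S+ \d+ set pfs group(\d+)$", line)
        if m and m.group(1) in DEPRECATED_DH:
            findings.append({
                "line": lineno, "text": line,
                "issue": f"PFS uses DH group {m.group(1)}",
                "advice": "set pfs group14 (group15/group16 with IKEv2)"})
            continue
        # NTP key algorithm: ntp authentication-key <id> <algorithm> <key>
        m = re.match(r"ntp authentication-key \d+ (\S+) ", line)
        if m and m.group(1).lower() in WEAK_NTP:
            findings.append({
                "line": lineno, "text": " ".join(line.split()[:4]) + " <key redacted>",
                "issue": "NTP authentication key uses md5",
                "advice": "re-key with sha1, sha256, sha512 or cmac"})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['text']}\n  {f['issue']}; {f['advice']}")
```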

ASA Security Service Exchange (SSE) Telemetry Support for the Firepower 4100/9300

With Cisco Success Network enabled in your network, device usage information and statistics are provided to Cisco, which uses them to optimize technical support. The telemetry data collected on your ASA devices includes CPU, memory, disk, and bandwidth usage, license usage, the configured feature list, cluster/failover information, and the like.

New/Modified screens:

  • Configuration > Device Management > Telemetry

  • Monitoring > Properties > Telemetry

show tech-support includes additional output

The output of show tech-support is enhanced to include the output of the following commands:

  • show flow-offload info detail
  • show flow-offload statistics
  • show asp table socket

New/Modified commands: show tech-support (output only).

Enhancement to show-capture asp_drop output to include drop location information

When troubleshooting with ASP drop counters, the exact location of a drop is unknown, especially when the same ASP drop reason is used in many different places, yet this information is critical to finding the root cause of the drop. With this enhancement, ASP drop details such as the build target, ASA release number, hardware model, and ASLR memory text region (to facilitate decoding of the drop location) are shown.

New/Modified commands: show-capture asp_drop

Modifications to debug crypto ca

The debug crypto ca transactions and debug crypto ca messages options are consolidated so that all applicable content is provided by the debug crypto ca command itself. Also, the number of available debugging levels is reduced to 14.

New/Modified commands: debug crypto ca

FXOS Features for the Firepower 1000 and 2100

Secure Erase

The secure erase feature erases all data on the SSDs so that data cannot be recovered even by using special tools on the SSD itself. You should perform a secure erase when decommissioning the device.

New/Modified commands: erase secure (local-mgmt)

Supported models: Firepower 1000 and 2100

Configurable HTTPS protocol

You can set the SSL/TLS versions for HTTPS access.

New/Modified commands: set https access-protocols

Supported models: Firepower 2100 in Platform Mode

FQDN enforcement for IPSec and Keyrings

You can configure FQDN enforcement so that the FQDN of the peer must match the DNS Name in the X.509 certificate presented by the peer. For IPSec, enforcement is enabled by default, except for connections created prior to 9.13(1); you must manually enable enforcement for those old connections. For keyrings, all hostnames must be FQDNs and cannot use wildcards.

New/Modified commands: set dns, set e-mail, set fqdn-enforce, set ip, set ipv6, set remote-address, set remote-ike-id

Removed commands: fi-a-ip, fi-a-ipv6, fi-b-ip, fi-b-ipv6

Supported models: Firepower 2100 in Platform Mode

New IPSec ciphers and algorithms

We added the following IKE and ESP ciphers and algorithms (not configurable):

  • Ciphers—aes192. Existing ciphers include: aes128, aes256, aes128gcm16.

  • Pseudo-Random Function (PRF) (IKE only)—prfsha384, prfsha512, prfsha256. Existing PRFs include: prfsha1.

  • Integrity Algorithms—sha256, sha384, sha512, sha1_160. Existing algorithms include: sha1.

  • Diffie-Hellman Groups—curve25519, ecp256, ecp384, ecp521, modp3072, modp4096. Existing groups include: modp2048.

Supported models: Firepower 2100 in Platform Mode

SSH authentication enhancements

We added the following SSH server encryption algorithms:

  • aes128-gcm@openssh.com

  • aes256-gcm@openssh.com

  • chacha20-poly1305@openssh.com

We added the following SSH server key exchange methods:

  • diffie-hellman-group14-sha256

  • curve25519-sha256

  • curve25519-sha256@libssh.org

  • ecdh-sha2-nistp256

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp521

New/Modified commands: set ssh-server encrypt-algorithm, set ssh-server kex-algorithm

Supported models: Firepower 2100 in Platform Mode

EDCS keys for X.509 Certificates

You can now use EDCS keys for certificates. Formerly, only RSA keys were supported.

New/Modified commands: set elliptic-curve, set keypair-type

Supported models: Firepower 2100 in Platform Mode

User password improvements

We added password security improvements, including the following:

  • User passwords can be up to 127 characters. The old limit was 80 characters.

  • Strong password check is enabled by default.

  • Prompt to set admin password.

  • Password expiration.

  • Limit password reuse.

  • Removed the set change-during-interval command, and added a disabled option for the set change-interval, set no-change-interval, and set history-count commands.

New/Modified commands: set change-during-interval, set expiration-grace-period, set expiration-warning-period, set history-count, set no-change-interval, set password, set password-expiration, set password-reuse-interval

Supported models: Firepower 2100 in Platform Mode

 

Resolved and Open Bugs

For information on fixes for various problems, see Resolved Bugs in Version 7.13(x).

Related Documents

For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.