The following features are introduced in this release:

Feature	Description
Mandatory Smart License for Secure Web Appliance	In AsyncOS 15.1 and later releases, Smart Software License is mandatory. Implementation of Smart License includes the following features: Smart License is enabled by default when installing the Secure Web Appliance image from CCO. You cannot upgrade to AsyncOS 15.1 build if the system administrator has not enabled the Smart Software License for the device. The AsyncOS 15.1 and later releases do not support the classic license commands and UI options. These commands and UI options are not valid with the Cisco Smart License policy. For more information, see Smart Software Licensing.
Cisco Secure Web Appliance integration with Cisco Umbrella	The integration of Cisco Umbrella and Cisco Secure Web Appliance facilitates deployment of common web policies from Umbrella to Secure Web Appliance. In addition, you can configure policies through the Umbrella dashboard and view logs. When you configure the common web policies in the Umbrella Dashboard, the policies are pushed to Secure Web Appliance. The reporting data of those configured web policies are sent back to Umbrella and available on the Umbrella Dashboard. Reporting data includes information such as URLs browsed, their IP addresses, and whether the URL was permitted or blocked. After successful integration, the following web policies get translated and pushed from Umbrella to Secure Web Appliance.
	From Umbrella	To Secure Web Appliance
	Ruleset Identities	Global Identification Profile
	Destination Lists	Custom and External URL Categories
	Web Policy (rules)	Access Policies
	HTTPS Inspection	Decryption Policies
	Microsoft 365 Compatibility	Custom and External URL Categories
	Block Page settings in Ruleset	End-User Notification
	Application Settings (CASI)	Applications Access Policies
	For more information, see Integrate Cisco Secure Web Appliance with Cisco Umbrella.

Note	There is no SMA compatible build available for the AsyncOS coeus-15-1-0-287 (Limited Deployment) build.

The following are known behaviors of this release:

Secure Web Appliance integration with Umbrella - Hybrid Policies known behavior

• By default, the source interface in Secure Web Appliance Umbrella settings is set to Management. Changing the source interface to Data requires you to submit and commit the changes before enabling Hybrid Policy.

• Hybrid policies support translation for rule actions Allow, Block, and Warn.

• There is support for translation of Content Categories, Destination Lists, and Applications.

• The translation of AD Users, AD Groups, and internal networks that are associated with public networks is supported.

• In Secure Web Appliance, one Global Umbrella pushed identification profile will always be available.

• Policies that are configured by Secure Web Appliance administrator are prioritized following the policy push from Umbrella.

• When policy push is enabled in the registered appliance page, policies configured in the Umbrella are pushed to all Secure Web Appliances registered under Umbrella.

• The WBRS are disabled for Decryption Policies pushed by Umbrella.

• The decryption policies pushed by Umbrella are set to Decrypt action by default.

• The End-User Notification page will always be enabled in Secure Web Appliance as a global setting.

• In Secure Web Appliance, the End-User Notification page is configured only for the block page first selected in first ruleset of Umbrella.

• Changes in the selected block page appearance of the first ruleset will be translated every three hours.

• In the case of Umbrella pushed identification profiles and customer categories, admin configured policies will be disabled from the Secure Web Appliance side if these profiles or categories are deleted from the Umbrella.

• Secure Web Appliance registration with Umbrella ORG is limited to the number of seats assigned to a specific ORG, which can be seen in the following path of the Umbrella user interface: Admin > Licensing > Number of seats.

• SMA policies cannot be pushed to Secure Web Appliance when it is registered with Umbrella ORG.

• Umbrella cannot push profiles, policies, and custom URL categories to Secure Web Appliance if there is no internal network and AD integrated in Umbrella.

• If API keys that were used for registration and enabling hybrid service are expired, the connection will not be closed until you enable hybrid policy or registered Secure Web Appliance with Umbrella again.

• The following Umbrella Rules configuration are not supported for hybrid policy push: Rules Scheduling and Protected Bypass.

• The SMA policies pushed to Secure Web Appliance are not accepted if the Secure Web Appliance is managed by Umbrella.

• The Save and Load configuration feature will not work for Umbrella settings.

• Translation is not supported for the following Ruleset settings:

  • Ruleset Identities - Chromebooks, G Suite OUs, G Suite Users, Tunnels, Roaming Computers, Internal Networks All Tunnels

  • Tenant Controls

  • File Analysis

  • File Type Control

  • HTTPS Inspection - only applications in Selective Decryption list

  • PAC File

  • SafeSearch

  • Ruleset Logging

  • SAML

  • Security Settings

• The changes made to the HTTPS proxy or AD realm on the Secure Web Appliance does not affect the umbrella policy.

• Application Settings (CASI) Translation

  • Application Settings selected in Rules are translated and pushed to Secure Web Appliance's Access Policy only when ADC is enabled under Security Services > Acceptable Use Control in Secure Web Appliance.

  • When the Application is selected in the Rule, a Custom URL category containing the domains of the selected application will be pushed to that Rule. This same category of Custom URLs is selected under the URL Filtering section of the Access Policy, with Monitor as the action.

  • The application available in Secure Web Appliance but not in Umbrella inherits the global settings action. The application available in Umbrella but not in Secure Web Appliance are ignored.

  • In Secure Web Appliance, applications that are not selected within Rules inherit the global settings.

• Selective Policy Psuh

  • Umbrella web policies are pushed to registered Secure Web Appliances only if the Hybrid Policy state is Active and Policy Push is enabled.

• Umbrella UI Error Message

  • The error message for the last policy push failure can be seen on the Registered Appliance page, which has a maximum character limit of 1024.

• Cleanup of Umbrella Pushed Policies

  • After the Umbrella pushed policies are cleaned up, all admin configured policies will be disabled.

Secure Web Appliance integration with Umbrella - Hybrid Reporting known behavior

• The hybrid reporting feature of Secure Web Appliance can only be enabled if a hybrid policy is enabled.

• The Secure Web Appliance sends Umbrella configured policies reporting data to the Umbrella dashboard.

• Approximately 25% of the local reporting disk space is used to store hybrid reporting data, which is then pushed to Umbrella.

• When Secure Web Appliance does not push the reporting data to Umbrella, it stores only those reporting data on disk for later debugging.

• The Secure Web Appliance continues to send reporting data evaluated by Umbrella policies, even after selective policy push is disabled for that SWA. The Umbrella policy reporting dashboard may display deleted rules for those records if the rule has been deleted from the Umbrella policy.

The following are known limitations of this release:

Secure Web Appliance integration with Umbrella - Hybrid Policies known Limitations

• The following scenarios do not trigger policy translation:

  • Change in the name of the Ruleset.

  • Change in the name of the destination list selected in the Rule.

  • Change in the name of the application list selected in the Rule.

  • Change in name of the selective decryption list selected during HTTP inspection.

  • Adding or removing categories from the selective decryption list used for HTTPS inspection.

  • A selective decryption list containing only categories is selected in the HTTPs inspection.

  • Adding or removing AD users or groups from a Ruleset or a Rule.

  • Integrating or removing AD from the Umbrella dashboard.

• When Ruleset identities are the same in multiple Rulesets, only the first Ruleset of the same identity will translate HTTPS inspection settings consistently.

• The format for the Redirect to Custom URL textbox for end-user notification supports only well-formned hostnames or IPV4 addresses. If we push other URL formats configured in the block page of Umbrella to Secure Web Appliance, the policy push fails with the error message stating: 'An http/https URL must consist of a well-formed hostname or IPv4 address, may optionally include a port, but may not contain a querystring ('?...').'.", 'code': '400', 'explanation': '400 = Bad request syntax or unsupported method.'

• In the case where AD groups are selected in rulesets but rules do not match, the access policy will not be created for that rule.

• The categories and domains selected in the Selective Decryption List are set to passthrough for decryption policies that are pushed from Umbrella to Secure Web Appliance. For predefined and custom URL categories, no access policy will be applied in Secure Web Appliance, but rules will be applied to the same configuration in Umbrella.

• If Microsoft 365 compatibility is enabled in Umbrella, decryption policies that are pushed from Umbrella to Secure Web Appliance are set to passthrough. As a result, passthrough will be enabled for all categories of Microsoft 365 endpoints.

• When a trusted AD is not configured in Secure Web Appliance but a group is selected for this AD at the Umbrella level, an error message appears indicating that it needs to be configured at the Secure Web Appliance level.

• If networks with different masks are selected in Ruleset and Rule, translation is not supported.

• When a large number of applications are selected across Rules, Secure Web Appliance performance is affected.

• To avoid redundant configuration, we recommend using application list rather than selecting individual application in Rules.

Secure Web Appliance integration with Umbrella - Hybrid Reporting known Limitations

• If the user is not included in Umbrella policies, the mapping of AD User to Umbrella origin ID is not possible. Events of this type will be identified by Secure Web Appliance's origin ID.

• Filtering support

  • Only external IP addresses are supported by Secure Web Appliance based filtering.

  • Secure Web Appliances from the same Org (different locations) having the same management IP address will result in combined reporting data.

  • For LDAP/ISE/Guest-based identities, Secure Web Appliance AD user-based identities are not supported.

• In some cases, the system may see duplicates or lost reporting entries.

• Upon enabling or disabling hybrid reporting, an application fault occurs in the reported helper.

Note	While upgrading, do not connect any devices (keyboard, mouse, management devices (Raritan) and so on.) to the USB ports of the appliance.

You can upgrade to the AsyncOS 15.1.0-287 version from the following versions:

11.8.0-453 11.8.4-004

12.0.1-334 12.0.5-011 12.5.1-043 12.5.6-008 12.7.0-033

14.0.1-053 14.0.4-005 14.1.0-047 14.5.0-537 14.5.0-673 14.5.1-016 14.6.0-108

15.0.0-355 15.1.0-238

Requirements in this section were introduced in AsyncOS 8.8.

The following security vulnerability will be fixed during upgrade if it exists on your appliance:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport.

Note	This patch is required only for virtual appliance releases that were downloaded or upgraded before June 25, 2015.

If you did not patch this issue before upgrading, you will see a message during upgrade stating that it has been fixed. If you see this message, the following actions are required to return your appliance to full working order after upgrade:

• Remove the existing entry for your appliance from the known hosts list in your ssh utility. Once the new key has been created, connect to the appliance via ssh and accept the connection.

• Clear the old SSH host key for the appliance on the remote server if you are using SCP push to transfer logs to a remote server (including Splunk).

• If your deployment includes a Cisco Content Security Management Appliance, see important instructions in the Release Notes for that appliance.

If you have deployed multiple content security appliances (web, email, and/or management) and you want to view detailed file analysis results in the cloud for all files uploaded from any appliance in your organization, you must configure an appliance group on each appliance after upgrading. To configure appliance groups, see File Reputation Filtering and File Analysis.

If you have deployed multiple content security appliances (web, email, and/or management) and you want to view detailed file analysis results in the cloud for all files uploaded from any appliance in your organization, you must configure an appliance group on each appliance after upgrading. To configure appliance groups, see File Reputation Filtering and File Analysis.

The File Analysis cloud server URL changed in AsyncOS 8.8, and as a result, the file types that can be analyzed may have changed after the upgrade. You should receive an alert if there are changes. To verify the file types selected for analysis, select Security Services > Anti-Malware and Reputation and look at the Advanced Malware Protection settings.

Following upgrades to the regular-expression pattern-matching engine, you may receive an alert regarding unescaped dots in existing pattern definitions after updating your system. Any unescaped dot in a pattern that will return more than 63 characters after the dot will be disabled by the Velocity pattern-matching engine, and an alert to that effect will be sent to you. You will continue to receive an alert following each update until you correct or replace the pattern. Generally, unescaped dots in a larger regular expression can be problematic and should be avoided.

Register for a Cisco account if you do not have one. Go to https://identity.cisco.com/ui/tenants/global/v1.0/enrollment-ui.