Cisco Secure Firewall ASA New Features

This document lists new features for each release.


Note

New, changed, and deprecated syslog messages are listed in the syslog message guide.


New Features in Version 9.18

New Features in ASA 9.18(1)/ASDM 7.18(1)

Released: June 6, 2022

Feature

Description

Platform Features

ASAv-AWS Security Center integration for AWS GuardDuty

You can now integrate the Amazon GuardDuty service with the ASAv. The integration solution helps you capture and process the threat analysis data or results (malicious IP addresses) reported by Amazon GuardDuty. You can configure and feed these malicious IP addresses into the ASAv through Secure Firewall Management Center Virtual or Secure Firewall Device Manager to protect the underlying networks and applications.

Alibaba virtual deployments

You can now deploy Secure Firewall ASA Virtual on Alibaba Cloud. The following features are supported:

  • QCOW2 Image package.

  • Basic Product Bringup.

  • Day-0 Configuration.

  • SSH using Public Key or Password.

  • Alibaba UI Console to access ASAv for any debugging purpose.

  • Alibaba UI Stop/Restart.

  • Supported instance types: ecs.g5ne.large, ecs.g5ne.xlarge, ecs.g5ne.2xlarge, ecs.g5ne.4xlarge.

  • BYOL License Support.

Firewall Features

Forward referencing of ACLs and objects is always enabled. In addition, object group search for access control is now enabled by default.

You can refer to ACLs or network objects that do not yet exist when configuring access groups or access rules.

In addition, object group search is now enabled by default for access control. After upgrade, if you had object group search disabled, it will now be enabled. If you want to disable it (not recommended), you must do so manually.

We removed the forward-reference enable command, and changed the default for object-group-search access-control to enabled.

Routing Features

Path monitoring metrics in PBR.

PBR uses the metrics to determine the best path (egress interface) for forwarding the traffic. Path monitoring periodically notifies PBR with the monitored interface whose metric got changed. PBR retrieves the latest metric values for the monitored interfaces from the path monitoring database and updates the data path.

New/Modified commands: clear path-monitoring, policy-route, show path-monitoring

New/Modified screens: Configuration > Device Setup > Interface Settings > Interfaces

Interface Features

Pause Frames for Flow Control for the Secure Firewall 3100

If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue.

New/Modified commands: flowcontrol send on

New/Modified screens: Configuration > Device Settings > Interfaces > General

Breakout ports for the Secure Firewall 3130 and 3140

You can now configure four 10GB breakout ports for each 40GB interface on the Secure Firewall 3130 and 3140.

New/Modified commands: breakout

New/Modified screens: Configuration > Device Management > Advanced > EPM

License Features

Secure Firewall 3100 support for the Carrier license

The Carrier license enables Diameter, GTP/GPRS, SCTP inspection.

New/Modified commands: feature carrier

New/Modified screens: Configuration > Device Management > Licensing > Smart Licensing.

Certificate Features

Mutual LDAPS authentication.

You can configure a client certificate for the ASA to present to the LDAP server when the server requests a certificate to authenticate the client. This feature applies when using LDAP over SSL. If an LDAP server is configured to require a peer certificate and the ASA does not present one, the secure LDAP session will not complete and authentication/authorization requests will fail.

New/Modified commands: ssl-client-certificate.

New/Modified screens: Configuration > Device Management > Users/AAA > AAA Server Groups, Add/Edit LDAP server.

Authentication: Validate certificate name or SAN

When a feature-specific reference-identity is configured, the peer certificate identity is validated against the matching criteria specified under the crypto ca reference-identity <name> submode commands. If no match is found in the peer certificate Subject Name/SAN, or if the FQDN specified with the reference-identity submode command fails to resolve, the connection is terminated.

The reference-identity CLI is configured as a submode command for aaa-server host configuration and ddns configuration.

New/Modified commands: ldap-over-ssl, ddns update method, and show update method.

New/Modified screens:

  • Configuration > Device Management > Users/AAA > AAA Server Groups > LDAP Parameters for authentication/authorization

  • Configuration > Device Management > DNS > Dynamic DNS > Update Methods

Administrative, Monitoring, and Troubleshooting Features

Multiple DNS server groups

You can now use multiple DNS server groups: one group is the default, while other groups can be associated with specific domains. A DNS request that matches a domain associated with a DNS server group will use that group. For example, if you want traffic destined to inside eng.cisco.com servers to use an inside DNS server, you can map eng.cisco.com to an inside DNS group. All DNS requests that do not match a domain mapping will use the default DNS server group, which has no associated domains. For example, the DefaultDNS group can include a public DNS server available on the outside interface.

New/Modified commands: dns-group-map, dns-to-domain

New/Modified screens: Configuration > Device Management > DNS > DNS Client

Dynamic Logging Rate-limit

A new option was added to limit the logging rate when block usage exceeds a specified threshold value. The limit is dynamic: rate limiting is disabled again when block usage returns to a normal value.

New/Modified commands: logging rate-limit

New/Modified screens: Configuration > Device Management > Logging > Rate Limit

Packet Capture for Secure Firewall 3100 devices

You can now capture switch packets. This option can be enabled only on Secure Firewall 3100 devices.

New/Modified commands: capture real-time

New/Modified screens: Wizards > Packet Capture Wizard > Buffers & Captures

VPN Features

IPsec flow offload.

On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance.

New/Modified commands: clear flow-offload-ipsec, flow-offload-ipsec, show flow-offload-ipsec

New/Modified screens: Configuration > Firewall > Advanced > IPsec Offload

Certificate and SAML for Authentication

You can configure remote access VPN connection profiles for certificate and SAML authentication. Users can configure VPN settings to authenticate a machine certificate or user certificate before a SAML authentication/authorization is initiated. This can be done using DAP certificate attributes along with user specific SAML DAP attributes.

New/Modified commands: authentication saml certificate, authentication certificate saml, authentication multiple-certificate saml

New/Modified screens: Configuration > Remote Access VPN > Network (Client) Access > IPsec(IKEv1) Connection Profiles > Add/Edit > Basic

New Features in Version 9.17

New Features in ASDM 7.17(1.152)

Released: February 8, 2022

There are no new features in this release.

New Features in ASA 9.17(1)/ASDM 7.17(1)

Released: December 1, 2021

Feature

Description

Platform Features

Secure Firewall 3100

We introduced the ASA for the Secure Firewall 3110, 3120, 3130, and 3140. The Secure Firewall 3100 supports up to 6 units for Spanned EtherChannel clustering. You can hot swap a network module of the same type while the firewall is powered up without having to reboot; making other module changes requires a reboot. Secure Firewall 3100 25 Gbps interfaces support Forward Error Correction as well as speed detection based on the SFP installed. The SSDs are self-encrypting drives (SEDs), and if you have 2 SSDs, they form a software RAID.

New/Modified commands: fec, netmod, speed sfp-detect, raid, show raid, show ssd

New/Modified screens:

  • Configuration > Device Management > Advanced > EPM

  • Configuration > Device Settings > Interfaces > Edit Interface > Configure Hardware Properties

ASA virtual support for Autoscale

The ASA virtual now supports Autoscale for the following Public Cloud offerings:

  • Google Cloud Platform (GCP)

  • Oracle Cloud Infrastructure (OCI)

Autoscaling increases or decreases the number of ASA virtual application instances based on capacity requirements.

ASA virtual for AWS expanded instance support

The ASA virtual on the AWS Public Cloud now supports AWS Nitro System instances from different Nitro instance families.

ASA virtual for AWS adds support for these instances:

  • c5a.large, c5a.xlarge, c5a.2xlarge, c5a.4xlarge

  • c5d.large, c5d.xlarge, c5d.2xlarge, c5d.4xlarge

  • c5ad.large, c5ad.xlarge, c5ad.2xlarge, c5ad.4xlarge

  • m5n.large, m5n.xlarge, m5n.2xlarge, m5n.4xlarge

  • m5zn.large, m5zn.xlarge, m5zn.2xlarge

For a detailed list of supported instances, see the Cisco Adaptive Security Virtual Appliance (ASAv) Data Sheet.

ASA virtual for Azure expanded instance support

ASA virtual on the Azure Public Cloud now supports these instances:

  • Standard_D8s_v3

  • Standard_D16s_v3

  • Standard_F8s_v2

  • Standard_F16s_v2

For a detailed list of supported instances, see the Cisco Adaptive Security Virtual Appliance (ASAv) Data Sheet.

Intel QuickAssist Technology (QAT) on ASA virtual

The ASA virtual supports hardware crypto acceleration for ASA virtual deployments that use the Intel QuickAssist (QAT) 8970 PCI adapter. Hardware crypto acceleration for the ASA virtual using QAT is supported on VMware ESXi and KVM only.

Single Root I/O Virtualization (SR-IOV) support for ASA virtual on OCI.

You can now implement Single Root Input/Output Virtualization (SR-IOV) for ASA virtual on OCI. SR-IOV can provide performance improvements for ASA virtual. Mellanox 5 as vNICs are not supported in SR-IOV mode.

Firewall Features

Twice NAT support for fully-qualified domain name (FQDN) objects as the translated (mapped) destination

You can use an FQDN network object, such as one specifying www.example.com, as the translated (mapped) destination address in twice NAT rules. The system configures the rule based on the IP address returned from the DNS server.

Network-service objects and their use in policy-based routing and access control

You can configure network-service objects and use them in extended access control lists for use in policy-based routing route maps and access control groups. Network-service objects include IP subnet or DNS domain name specifications, and optionally protocol and port specifications, that essentially combine network and service objects. This feature also includes the ability to define trusted DNS servers, to ensure that any DNS domain name resolutions acquire IP addresses from trusted sources.

We added or modified the following commands: access-list extended, app-id, clear configure object network-service, clear configure object-group network-service, clear dns ip-cache, clear object, clear object-group, debug network-service, description, dns trusted-source, domain, network-service-member, network-service reload, object-group network-service, object network-service, policy-route cost, set adaptive-interface cost, show asp table classify, show asp table network-service, show dns trusted-source, show dns ip-cache, show object, show object-group, show running-config, subnet.

We added or modified the following screens.

  • Configuration > Device Setup > Routing > Route Maps, Add/Edit dialog boxes.

  • Configuration > Device Setup > Interface Settings > Interfaces, Add/Edit dialog boxes.

  • Configuration > Firewall > Objects > Network Services Objects/Groups.

  • Configuration > Device Management > DNS > DNS Client.

High Availability and Scalability Features

ASAv30, ASAv50, and ASAv100 clustering for VMware and KVM

ASA virtual clustering lets you group up to 16 ASA virtuals together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. ASA virtual clustering supports Individual Interface mode in routed firewall mode; Spanned EtherChannels are not supported. The ASA virtual uses a VXLAN virtual interface (VNI) for the cluster control link.

New/Modified commands: cluster-interface vni, nve-only cluster, peer-group, show cluster info, show cluster info instance-type, show nve 1

New/Modified screens:

  • Configuration > Device Setup > Interface Settings > Interfaces

  • Configuration > Device Management > High Availability and Scalability > ASA Cluster

Clearing routes in a high availability group or cluster

In previous releases, the clear route command cleared the routing table on the unit only. Now, when operating in a high availability group or cluster, the command is available on the active or control unit only, and clears the routing table on all units in the group or cluster.

We changed the clear route command.

Interface Features

Geneve interface support for the ASA virtual

Geneve encapsulation support was added for the ASAv30, ASAv50, and ASAv100 to support single-arm proxy for the AWS Gateway Load Balancer.

New/Modified commands: debug geneve, debug nve, debug vxlan, encapsulation, packet-tracer geneve, proxy single-arm, show asp drop, show capture, show interface, show nve

New/Modified screens:

  • Configuration > Device Setup > Interface Settings > Interfaces > Add > VNI Interface

  • Configuration > Device Setup > Interface Settings > VXLAN

Secure Firewall 3100 auto-negotiation can be enabled or disabled for 1Gigabit and higher interfaces.

Secure Firewall 3100 auto-negotiation can be enabled or disabled for 1Gigabit and higher interfaces. For other model SFP ports, the no speed nonegotiate option sets the speed to 1000 Mbps; the new command means you can set auto-negotiation and speed independently.

New/Modified commands: negotiate-auto

New/Modified screens:

Configuration > Device Setup > Interface Settings > Interfaces > Advanced

Administrative and Troubleshooting Features

Startup time and tmatch compilation status

The show version command now includes information on how long it took to start (boot) up the system. Note that the larger the configuration, the longer it takes to boot up the system.

The new show asp rule-engine command shows status on tmatch compilation. Tmatch compilation is used for an access list that is used as an access group, the NAT table, and some other items. It is an internal process that can consume CPU resources and impact performance while in progress, if you have very large ACLs and NAT tables. Compilation time depends on the size of the access list, NAT table, and so forth.

Enhancements to show access-list element-count output and show tech-support content

The output of show access-list element-count has been enhanced to show the following:

  • When used in the system context in multiple-context mode, the output shows the element count for all access lists across all the contexts.

  • When used with object-group search enabled, the output includes details about the number of object groups in the element count.

In addition, the show tech-support output now includes the output of show access-list element-count and show asp rule-engine.

CiscoSSH stack

The ASA uses a proprietary SSH stack for SSH connections. You can now choose to use the CiscoSSH stack instead, which is based on OpenSSH. The default stack continues to be the ASA stack. CiscoSSH supports:

  • FIPS compliance

  • Regular updates, including updates from Cisco and the open source community

Note that the CiscoSSH stack does not support:

  • SSH to a different interface over VPN (management-access)

  • EdDSA key pair

  • RSA key pair in FIPS mode

If you need these features, you should continue to use the ASA SSH stack.

There is a small change to SCP functionality with the CiscoSSH stack: to use the ASA copy command to copy a file to or from an SCP server, you have to enable SSH access on the ASA for the SCP server subnet/host using the ssh command.

New/Modified commands: ssh stack ciscossh

New/Modified screens:

  • Single context mode: Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

  • Multiple context mode: Configuration > Device Management > SSH Stack

PCAP support in packet tracer

You can replay a PCAP file in the packet tracer tool and obtain the trace results. The pcap and force keywords were added to support the use of PCAP files in packet tracer.

New/Modified commands: packet-tracer input and show packet-tracer

Stronger local user and enable password requirements

For local users and the enable password, the following password requirements were added:

  • Password length—Minimum 8 characters. Formerly, the minimum was 3 characters.

  • Repetitive and sequential characters—Three or more consecutive sequential or repetitive ASCII characters are disallowed. For example, the following passwords will be rejected:

    • abcuser1

    • user543

    • useraaaa

    • user2666

New/Modified commands: enable password, username

New/Modified screens:

  • Configuration > Device Management > Users/AAA > User Accounts

  • Configuration > Device Setup > Device Name/Password
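To make the new password rules concrete, here is an added example checker (not Cisco code, and not the ASA's own implementation) that applies the two rules described above to candidate passwords before they are configured on a device. It assumes the check is case-sensitive, that a "sequential" run may ascend or descend (the page's rejected example user543 implies descending runs count), and that only three-character windows need to be inspected since any longer run contains one; these assumptions are not stated on the page.

```python
# Added example: a checker for the ASA 9.17 local-user / enable password rules.
# Assumptions (not stated on the page): case-sensitive comparison, and a
# sequential run may ascend ("abc") or descend ("543").
MIN_LENGTH = 8   # minimum length stated on the page (formerly 3)
RUN_LENGTH = 3   # three or more consecutive characters trigger a reject


def find_runs(password: str) -> list[str]:
    """Return a reason for every 3-character window that is repetitive
    (same character three times) or sequential (ASCII codes step by
    exactly +1 or -1 across the whole window)."""
    reasons = []
    for i in range(len(password) - RUN_LENGTH + 1):
        window = password[i:i + RUN_LENGTH]
        codes = [ord(ch) for ch in window]
        steps = {codes[k + 1] - codes[k] for k in range(RUN_LENGTH - 1)}
        if steps == {0}:
            reasons.append(f"repetitive characters {window!r} at offset {i}")
        elif steps == {1} or steps == {-1}:
            reasons.append(f"sequential characters {window!r} at offset {i}")
    return reasons


def check_password(password: str) -> list[str]:
    """Return an empty list if the password satisfies the rules, otherwise
    every violation found (the length rule plus each offending run)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(
            f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    problems.extend(find_runs(password))
    return problems


def is_acceptable(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    # The four rejected examples from the release note, plus two constructed
    # candidates that satisfy both rules.
    samples = ["abcuser1", "user543", "useraaaa", "user2666",
               "k7Qp-Wz3m", "Tr4vel#North"]
    for pw in samples:
        verdict = check_password(pw)
        print(f"{pw!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

Running the block prints one line per sample; the four passwords the release note lists as rejected each produce at least one reason (user543 fails on both length and the descending run 543), while the two constructed candidates pass.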

Local user lockout changes

The ASA can lock out local users after a configurable number of failed login attempts. This feature did not apply to users with privilege level 15. Also, a user would be locked out indefinitely until an admin unlocked their account. Now, users will be unlocked after 10 minutes unless an admin uses the clear aaa local user lockout command before then. Privilege level 15 users are also now affected by the lockout setting.

New/Modified commands: aaa local authentication attempts max-fail, show aaa local user

SSH and Telnet password change prompt

The first time a local user logs into the ASA using SSH or Telnet, they are prompted to change their password. They will also be prompted for the first login after an admin changes their password. If the ASA reloads, however, users will not be prompted even if it is their first login.

Note that any service that uses the local user database, such as VPN, will also have to use the new password if it was changed during an SSH or Telnet login.

New/Modified commands: show aaa local user

Monitoring Features

SNMP now supports IPv6 when grouping multiple hosts in the form of a network object

The host-group command of snmp-server now supports IPv6 host, range, and subnet objects.

New/Modified commands: snmp-server host-group

VPN Features

Local tunnel id support for IKEv2

Support has been added for configuring a local tunnel ID for IKEv2.

New/Modified commands: set ikev2 local-identity

Support for SAML Attributes with DAP constraint

SAML assertion attributes can now be used to make DAP policy selections. A group policy can also be specified by the cisco_group_policy attribute.

Multiple SAML trustpoints in IDP configuration

This feature supports adding multiple IDP trustpoints per SAML IDP configuration for applications that support multiple applications for the same Entity ID.

New/Modified commands: saml idp-trustpoint <trustpoint-name>

AnyConnect VPN SAML External Browser

You can now configure AnyConnect VPN SAML External Browser to enable additional authentication choices, such as passwordless authentication, WebAuthN, FIDO2, SSO, U2F, and an improved SAML experience due to the persistence of cookies. When you use SAML as the primary authentication method for a remote access VPN connection profile, you can elect to have the Secure Client use the client’s local browser instead of the Secure Client embedded browser to perform the web authentication. This option enables single sign-on (SSO) between your VPN authentication and other corporate logins. Also choose this option if you want to support web authentication methods, such as biometric authentication and Yubikeys, that cannot be performed in the embedded browser.

New/Modified commands: external-browser

New/Modified screens: Remote Access VPN connection profile wizard > SAML Login Experience.

VPN Load balancing with SAML

ASA now supports VPN load balancing with SAML authentication.

New Features in Version 9.16

New Features in ASA 9.16(3)

Released: April 6, 2022

There are no new features in this release.

New Features in ASA 9.16(2)

Released: August 18, 2021

There are no new features in this release.

New Features in ASDM 7.16(1.150)

Released: June 15, 2021

There are no new features in this release.

New Features in ASA 9.16(1)/ASDM 7.16(1)

Released: May 26, 2021

Feature

Description

Firewall Features

New Section 0 for system-defined NAT rules.

A new Section 0 has been added to the NAT rule table. This section is exclusively for the use of the system. Any NAT rules that the system needs for normal functioning are added to this section, and these rules take priority over any rules you create. Previously, system-defined rules were added to Section 1, and user-defined rules could interfere with proper system functioning. You cannot add, edit, or delete Section 0 rules, but you will see them in show nat detail command output.

The default SIP inspection policy map drops non-SIP traffic.

For SIP-inspected traffic, the default is now to drop non-SIP traffic. The previous default was to allow non-SIP traffic on ports inspected for SIP.

We changed the default SIP policy map to include the no traffic-non-sip command.

Ability to specify the IMSI prefixes to be dropped in GTP inspection.

GTP inspection lets you configure IMSI prefix filtering, to identify the Mobile Country Code/Mobile Network Code (MCC/MNC) combinations to allow. You can now do IMSI filtering on the MCC/MNC combinations that you want to drop. This way, you can list out the unwanted combinations, and default to allowing all other combinations.

We added the following command: drop mcc.

We changed the following screens: The Drop option was added to the IMSI Prefix Filtering tab for GTP inspection maps.

Configure the maximum segment size (MSS) for embryonic connections

You can configure a service policy to set the server maximum segment size (MSS) for SYN-cookie generation for embryonic connections upon reaching the embryonic connections limit. This is meaningful for service policies where you are also setting embryonic connection maximums.

New/Modified commands: set connection syn-cookie-mss.

New/Modified screens: Connection Settings in the Add/Edit Service Policy wizard.

Improved CPU usage and performance for many-to-one and one-to-many connections.

The system no longer creates local host objects and locks them when creating connections, except for connections that involve dynamic NAT/PAT and scanning threat detection and host statistics. This improves performance and CPU usage in situations where many connections are going to the same server (such as a load balancer or web server), or one endpoint is making connections to many remote hosts.

We changed the following commands: clear local-host (deprecated), show local-host

Platform Features

ASA Virtual support for VMware ESXi 7.0

The ASA virtual platform supports hosts running VMware ESXi 7.0. New VMware hardware versions have been added to the vi.ovf and esxi.ovf files to enable optimal performance and usability of the ASA virtual on ESXi 7.0.

No modified commands.

No modified screens.

Intel QuickAssist Technology (QAT) on ASA virtual

The ASA virtual supports hardware crypto acceleration for ASA virtual deployments that use the Intel QuickAssist (QAT) 8970 PCI adapter. Hardware crypto acceleration for the ASA virtual using QAT is supported on VMware ESXi and KVM only.

No modified commands.

No modified screens.

ASA Virtual on OpenStack

The ASA virtual platform now supports OpenStack.

No modified commands.

No modified screens.

High Availability and Scalability Features

Improved PAT port block allocation for clustering on the Firepower 4100/9300

The improved PAT port block allocation ensures that the control unit keeps ports in reserve for joining nodes, and proactively reclaims unused ports. To best optimize the allocation, you can set the maximum nodes you plan to have in the cluster using the cluster-member-limit command. The control unit can then allocate port blocks to the planned number of nodes, and it will not have to reserve ports for extra nodes you don't plan to use. The default is 16 nodes. You can also monitor syslog 747046 to ensure that there are enough ports available for a new node.

New/Modified commands: cluster-member-limit, show nat pool cluster [summary], show nat pool ip detail

New/Modified screens: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration > Cluster Member Limit field

show cluster history command improvements

We have added additional outputs for the show cluster history command.

New/Modified commands: show cluster history brief, show cluster history latest, show cluster history reverse, show cluster history time

Firepower 1140 maximum contexts increased from 5 to 10

The Firepower 1140 now supports up to 10 contexts.

Certificate Features

Enrollment over Secure Transport (EST) for certification

The ASA supports certificate enrollment using Enrollment over Secure Transport (EST). However, EST enrollment is supported only with RSA and ECDSA keys; you cannot use an EdDSA key pair for a trustpoint configured for EST enrollment.

New/Modified commands: enrollment protocol, crypto ca authenticate, and crypto ca enroll

New/Modified screens: Configuration > Device Management > Certificate Management > Identity Certificate > Advanced.

Support for new EdDSA key

The new key option, EdDSA, was added to the existing RSA and ECDSA options.

New/Modified commands: crypto key generate, crypto key zeroize, show crypto key mypubkey

New/Modified screens: Configuration > Device Management > Certificate Management > Identity Certificate > Add Identity Certificates > Add Key Pair.

Command to override restrictions on certificate keys

Support for the SHA-1 with RSA encryption signature algorithm for certificates, and support for certificates with RSA key sizes smaller than 2048 bits, were removed. You can use the crypto ca permit-weak-crypto command to override these restrictions.

New/Modified commands: crypto ca permit-weak-crypto

New/Modified screens: Configuration > Device Management > Certificate Management > Identity Certificate, Configuration > Remote Access VPN > Certificate Management > Identity Certificate, and Configuration > Remote Access VPN > Certificate Management > Code Signer

Administrative and Troubleshooting Features

SSH security improvements

SSH now supports the following security improvements:

  • Host key format—crypto key generate {eddsa | ecdsa}. In addition to RSA, we added support for the EdDSA and ECDSA host keys. The ASA tries to use keys in the following order if they exist: EdDSA, ECDSA, and then RSA. If you explicitly configure the ASA to use the RSA key with the ssh key-exchange hostkey rsa command, you must generate a key that is 2048 bits or higher. For upgrade compatibility, the ASA will use smaller RSA host keys only when the default host key setting is used. RSA support will be removed in a later release.

  • Key exchange algorithms—ssh key-exchange group {ecdh-sha2-nistp256 | curve25519-sha256}

  • Encryption algorithms—ssh cipher encryption chacha20-poly1305@openssh.com

  • SSH version 1 is no longer supported—The ssh version command is removed.

New/Modified commands: crypto key generate eddsa, crypto key zeroize eddsa, show crypto key mypubkey, ssh cipher encryption chacha20-poly1305@openssh.com, ssh key-exchange group {ecdh-sha2-nistp256 | curve25519-sha256}, ssh key-exchange hostkey, ssh version

New/Modified screens:

  • Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

  • Configuration > Device Management > Certificate Management > Identity Certificates

  • Configuration > Device Management > Advanced > SSH Ciphers

Monitoring Features

SNMPv3 Authentication

You can now use SHA-224 and SHA-384 for user authentication. You can no longer use MD5 for user authentication.

You can no longer use DES for encryption.

New/Modified commands: snmp-server user

New/Modified screens: Configuration > Device Management > Management Access > SNMP

VPN Features

Support for IPv6 on Static VTI

ASA supports IPv6 addresses in Virtual Tunnel Interfaces (VTI) configurations.

A VTI tunnel source interface can have an IPv6 address, which you can configure to use as the tunnel endpoint. If the tunnel source interface has multiple IPv6 addresses, you can specify which address to use; otherwise, the first IPv6 global address in the list is used by default.

The tunnel mode can be either IPv4 or IPv6, but it must match the IP address type configured on the VTI for the tunnel to be active. An IPv6 address can be assigned to the tunnel source or the tunnel destination interface in a VTI.

New/Modified commands: tunnel source interface, tunnel destination, tunnel mode

Support for 1024 VTI interfaces per device

The maximum number of VTIs that can be configured on a device has been increased from 100 to 1024.

Even if a platform supports more than 1024 interfaces, the VTI count is limited to the number of VLANs configurable on that platform. For example, the ASA 5510 supports 100 VLANs, so its tunnel count would be 100 minus the number of physical interfaces configured.

New/Modified commands: None

New/Modified screens: None

Support for DH group 15 in SSL

Support has been added for DH group 15 for SSL encryption.

New/Modified commands: ssl dh-group group15

Support for DH group 31 for IPsec encryption

Support has been added for DH group 31 for IPsec encryption.

New/Modified commands: set pfs

Support to limit the SA in IKEv2 queue

Support has been added to limit the number of IKEv2 SA-INIT packets held in the queue.

New/Modified commands: crypto ikev2 limit queue sa_init

Option to clear IPsec statistics

CLIs have been introduced to clear and reset IPsec statistics.

New/Modified commands: clear crypto ipsec stats and clear ipsec stats

New Features in Version 9.15

New Features in ASDM 7.15(1.150)

Released: February 8, 2021

There are no new features in this release.

New Features in ASA 9.15(1)/ASDM 7.15(1)

Released: November 2, 2020

Feature

Description

Platform Features

ASAv for the Public Cloud

We introduced the ASAv for the following Public Cloud offerings:

  • Oracle Cloud Infrastructure (OCI)

  • Google Cloud Platform (GCP)

No modified commands.

No modified screens.

ASAv support for Autoscale

The ASAv now supports Autoscale for the following Public Cloud offerings:

  • Amazon Web Services (AWS)

  • Microsoft Azure

Autoscaling increases or decreases the number of ASAv application instances based on capacity requirements.

No modified commands.

No modified screens.

ASAv for Microsoft Azure support for Accelerated Networking (SR-IOV).

The ASAv on the Microsoft Azure Public Cloud now supports Azure's Accelerated Networking (AN), which enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.

No modified commands.

No modified screens.

Firewall Features

Changes to PAT address allocation in clustering. The PAT pool flat option is now enabled by default and it is not configurable.

The way PAT addresses are distributed to the members of a cluster has changed. Previously, addresses were distributed to the members of the cluster, so your PAT pool needed a minimum of one address per cluster member. Now, the master instead divides each PAT pool address into equal-sized port blocks and distributes them across cluster members. Each member has port blocks for the same PAT addresses. Thus, you can reduce the size of the PAT pool, even to as few as one IP address, depending on the number of connections you typically need to PAT. Port blocks are allocated as 512-port blocks from the 1024-65535 range. You can optionally include the reserved ports, 1-1023, in this block allocation when you configure PAT pool rules. For example, in a 4-node cluster, each node gets 32 blocks with which it can handle 16384 connections per PAT pool IP address, compared to a single node handling all 65535 connections per PAT pool IP address.

As part of this change, PAT pools for all systems, whether standalone or operating in a cluster, now use a flat port range of 1024-65535. Previously, you could optionally use a flat range by including the flat keyword in a PAT pool rule. The flat keyword is no longer supported: the PAT pool is now always flat. The include-reserve keyword, which was previously a sub-keyword to flat, is now an independent keyword within the PAT pool configuration. With this option, you can include the 1-1023 port range within the PAT pool.

Note that if you configure port block allocation (the block-allocation PAT pool option), your block allocation size is used rather than the default 512-port block. In addition, you cannot configure extended PAT for a PAT pool for systems in a cluster.

New/Modified commands: nat , show nat pool

New/Modified screens: NAT PAT Pool configuration.
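The block arithmetic described above, as an added Python illustration that is not ASA code: it cuts the flat 1024-65535 range into 512-port blocks, deals them across cluster members, and sizes a pool for an expected connection count. The cluster size, pool address and connection counts are constructed inputs, and the round-robin dealing order is an assumption used only to show each member's share, not the ASA's actual assignment algorithm.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Block = Tuple[int, int]          # inclusive (low_port, high_port)
Assignment = Tuple[str, Block]   # (PAT address, port block)

DEFAULT_BLOCK_SIZE = 512
FLAT_LOW, FLAT_HIGH = 1024, 65535   # the always-flat PAT pool range
RESERVED_LOW = 1                    # start of the range added by include-reserve


def port_blocks(block_size: int = DEFAULT_BLOCK_SIZE,
                include_reserve: bool = False) -> List[Block]:
    """Cut the usable port range into contiguous, equal-sized blocks.

    A partial block at the top of the range is dropped; with 512-port
    blocks over 1024-65535 that leaves exactly 126 whole blocks.
    """
    start = RESERVED_LOW if include_reserve else FLAT_LOW
    blocks: List[Block] = []
    while start + block_size - 1 <= FLAT_HIGH:
        blocks.append((start, start + block_size - 1))
        start += block_size
    return blocks


def distribute(pool: List[str], members: int,
               block_size: int = DEFAULT_BLOCK_SIZE,
               include_reserve: bool = False) -> Dict[int, List[Assignment]]:
    """Deal every address's port blocks round-robin across cluster members.

    Every member ends up holding blocks for every PAT address, which is why
    the pool can shrink to a single IP when the connection count allows it.
    (Round-robin order is an assumption for illustration only.)
    """
    owned: Dict[int, List[Assignment]] = defaultdict(list)
    for addr in pool:
        for i, block in enumerate(port_blocks(block_size, include_reserve)):
            owned[i % members].append((addr, block))
    return dict(owned)


def member_capacity(assignments: List[Assignment]) -> int:
    """Simultaneous PAT translations a member can hold with its blocks."""
    return sum(hi - lo + 1 for _, (lo, hi) in assignments)


def pool_addresses_needed(expected_conns: int, members: int,
                          block_size: int = DEFAULT_BLOCK_SIZE) -> int:
    """Smallest pool giving every member room for its share of the load.

    Assumes the load is spread evenly; a skewed load needs more than this
    lower bound. Uses the floor of blocks-per-member, so it is conservative.
    """
    per_member_conns = -(-expected_conns // members)            # ceiling
    blocks_per_addr_per_member = len(port_blocks(block_size)) // members
    per_addr_capacity = blocks_per_addr_per_member * block_size
    return -(-per_member_conns // per_addr_capacity)            # ceiling


if __name__ == "__main__":
    # Constructed scenario: one pool address shared by a 4-node cluster.
    shares = distribute(["203.0.113.10"], members=4)
    for node, blocks in sorted(shares.items()):
        print(f"node {node}: {len(blocks)} blocks, {member_capacity(blocks)} translations")
    print("addresses needed for 100000 connections:", pool_addresses_needed(100000, 4))
```

With one address and four members, 1024-65535 yields 126 blocks of 512, so two members get 32 blocks (16384 translations, the per-node figure quoted above) and two get 31; passing include_reserve=True adds the 1-1023 range, and block_size models the block-allocation option, which replaces the default 512-port block.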

XDMCP inspection disabled by default in new installations.

Previously, XDMCP inspection was enabled by default for all traffic. Now, on new installations, which includes new systems and reimaged systems, XDMCP is off by default. If you need this inspection, please enable it. Note that on upgrades, your current settings for XDMCP inspection are retained, even if you simply had it enabled by way of the default inspection settings.

High Availability and Scalability Features

Disable failover delay

When you use bridge groups or IPv6 DAD and a failover occurs, the new active unit waits up to 3000 ms for the standby unit to finish networking tasks and transition to the standby state before it starts passing traffic. To avoid this delay, you can disable the waiting time, and the active unit will start passing traffic before the standby unit transitions.

New/Modified commands: failover wait-disable

New/Modified screens: Configuration > Device Management > High Availability and Scalability > Failover > Enable switchover waiting for peer state

Routing Features

Multicast IGMP interface state limit raised from 500 to 5000

The multicast IGMP state limit per interface was raised from 500 to 5000.

New/Modified commands: igmp limit

No ASDM support.

Also in 9.12(4).

Interface Features

ASDM support for unique MAC address generation for single context mode

You can now enable unique MAC address generation for VLAN subinterfaces in single context mode in ASDM. Normally, subinterfaces share the same MAC address with the main interface. Because IPv6 link-local addresses are generated based on the MAC address, this feature allows for unique IPv6 link-local addresses. CLI support was added in ASA 9.8(3), 9.8(4), and 9.9(2) and later.

New/Modified screen: Configuration > Device Setup > Interface Settings > Interfaces
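Why subinterfaces that share a MAC address end up with the same link-local address, as an added Python illustration that is not ASA code: it derives the modified EUI-64 link-local address (RFC 4291, Appendix A) that a given MAC produces and groups interfaces by the result, so a collision shows up as a group with more than one member. The interface names and MAC addresses are constructed.

```python
import ipaddress
from typing import Dict, List


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 link-local address derived from a 48-bit MAC.

    Accepts colon, hyphen or Cisco dotted notation. The OUI and device
    halves are joined by ff:fe and the universal/local bit is flipped,
    then the 64-bit identifier is appended to the fe80::/64 prefix.
    """
    hexdigits = "".join(ch for ch in mac if ch not in ":-.")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(hexdigits)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                                   # flip the U/L bit
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(eui))


def link_local_collisions(interface_macs: Dict[str, str]) -> Dict[ipaddress.IPv6Address, List[str]]:
    """Map each colliding link-local address to the interfaces that would claim it."""
    groups: Dict[ipaddress.IPv6Address, List[str]] = {}
    for name, mac in interface_macs.items():
        groups.setdefault(eui64_link_local(mac), []).append(name)
    return {addr: names for addr, names in groups.items() if len(names) > 1}


# Constructed sample: the default behaviour, where every subinterface
# inherits the main interface's MAC, versus one unique MAC per subinterface.
SHARED_MAC = {
    "GigabitEthernet0/1":    "001e.c912.3456",
    "GigabitEthernet0/1.10": "001e.c912.3456",
    "GigabitEthernet0/1.20": "001e.c912.3456",
}
UNIQUE_MAC = {
    "GigabitEthernet0/1":    "001e.c912.3456",
    "GigabitEthernet0/1.10": "a21e.c912.3456",
    "GigabitEthernet0/1.20": "a21e.c912.3457",
}

if __name__ == "__main__":
    for label, table in (("shared", SHARED_MAC), ("unique", UNIQUE_MAC)):
        print(label, {str(a): n for a, n in link_local_collisions(table).items()})
```

The shared table produces a single fe80:: address claimed by all three interfaces, which is the condition the unique MAC generation option removes.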

DDNS support for the web update method

You can now configure an interface to use DDNS with the web update method.

New/Modified commands: show ddns update interface , show ddns update method , web update-url , web update-type

New/Modified screens: Configuration > Device Management > DNS > Dynamic DNS

Certificate Features

Modifications to Match Certificate commands to support static CRL Distribution Point URL

The static CDP URL configuration commands allowed CDPs to be mapped uniquely to each certificate in a chain that is being validated. However, only one such mapping was supported for each certificate. This modification allows statically configured CDPs to be mapped to a chain of certificates for authentication.

New/Modified commands: match certificate override cdp

Administrative and Troubleshooting Features

Manual import of node secret file from the RSA Authentication Manager for SDI AAA server groups.

You can import the node secret file that you export from the RSA Authentication Manager for use with SDI AAA server groups.

We added the following commands: aaa sdi import-node-secret , clear aaa sdi node-secret , show aaa sdi node-secrets .

We added the following screen: Configuration > Device Management > Users/AAA > AAA SDI.

show fragment command output enhanced

The output for show fragment command was enhanced to include IP fragment related drops and error counters.

No modified commands.

No modified screens

show tech-support command output enhanced

The output for show tech-support command was enhanced to include the bias that is configured for the crypto accelerator. The bias value can be ssl, ipsec, or balanced.

No modified commands.

No modified screens

Monitoring Features

Support to configure cplane keepalive holdtime values

Due to communication delays caused by high CPU usage, the response to the keepalive event can fail to reach the ASA, causing a failover to be triggered as if the card had failed. You can now configure the keepalive timeout period and the maximum keepalive counter value to allow sufficient time and retries.

New/Modified commands: service-module

We added the following screen: Configuration > Device Management > Service Module Settings.

VPN Features

Support for configuring the maximum in-negotiation SAs as an absolute value

You can now configure the maximum in-negotiation SAs as an absolute value up to 15000 or a maximum value derived from the maximum device capacity; formerly, only a percentage was allowed.

New/Modified commands: crypto ikev2 limit max-in-negotiation-sa value

No ASDM support.

Also in 9.12(4).

Cross-Site Request Forgery (CSRF) Vulnerabilities Prevention for WebVPN Handlers

ASA provides protection against CSRF attacks for WebVPN handlers. If a CSRF attack is detected, a user is notified by warning messages. This feature is enabled by default.

Kerberos server validation for Kerberos Constrained Delegation (KCD).

When configured for KCD, the ASA initiates an AD domain join with the configured server in order to acquire Kerberos keys. These keys are required for the ASA to request service tickets on behalf of clientless SSL VPN users. You can optionally configure the ASA to validate the identity of the server during domain join.

We modified the kcd-server command to add the validate-server-certificate keyword.

We changed the following screens: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Microsoft KCD Server

New Features in Version 9.14

New Features in ASA 9.14(4)/ASDM 7.17(1)

Released: February 2, 2022

There are no new features in this release.

New Features in ASA 9.14(3)/ASDM 7.15(1.150)

Released: June 15, 2021

There are no new features in this release.

New Features in ASA 9.14(2)

Released: November 9, 2020

Feature

Description

SNMP Features

SNMP polling over site-to-site VPN

For secure SNMP polling over a site-to-site VPN, include the IP address of the outside interface in the crypto map access-list as part of the VPN configuration.

New Features in ASA 9.14(1.30)

Released: September 23, 2020

Feature

Description

Licensing Features

ASAv100 permanent license reservation

The ASAv100 now supports permanent license reservation using product ID L-ASAV100SR-K9=. Note: Not all accounts are approved for permanent license reservation.

New Features in ASDM 7.14(1.48)

Released: April 30, 2020

Feature

Description

Platform Features

Restore support for the ASA 5512-X, 5515-X, 5585-X, and ASASM for ASA 9.12 and earlier

This ASDM release restores support for the ASA 5512-X, 5515-X, 5585-X, and ASASM when they are running 9.12 or earlier. The final ASA version for these models is 9.12. The original 7.13(1) and 7.14(1) releases blocked backwards compatibility with these models; this version has restored compatibility.

New Features in ASA Virtual 9.14(1.6)

Released: April 30, 2020


Note

This release is only supported on the ASA virtual.


Feature

Description

Platform Features

ASAv100 platform

The ASA virtual platform has added the ASAv100, a high-end performance model that provides 20 Gbps firewall throughput. The ASAv100 is a subscription-based license, available in terms of 1 year, 3 years, or 5 years.

The ASAv100 is supported on VMware ESXi and KVM only.

New Features in ASA 9.14(1)/ASDM 7.14(1)

Released: April 6, 2020

Feature

Description

Platform Features

ASA for the Firepower 4112

We introduced the ASA for the Firepower 4112.

No modified commands.

No modified screens.

Note 

Requires FXOS 2.8(1).

Firewall Features

Ability to see port numbers in show access-list output.

The show access-list command now has the numeric keyword. You can use this to view port numbers in the access control entries rather than names, for example, 80 instead of www.

The object-group icmp-type command is deprecated.

Although the command remains supported in this release, the object-group icmp-type command is deprecated and might be removed in a future release. Please change all ICMP-type objects to service object groups (object-group service ) and specify service icmp within the object.

Kerberos Key Distribution Center (KDC) authentication.

You can import a keytab file from a Kerberos Key Distribution Center (KDC), and the system can authenticate that the Kerberos server is not being spoofed before using it to authenticate users. To accomplish KDC authentication, you must set up a host/ASA_hostname service principal name (SPN) on the Kerberos KDC, then export a keytab for that SPN. You then must upload the keytab to the ASA, and configure the Kerberos AAA server group to validate the KDC.

New/Modified commands: aaa kerberos import-keytab , clear aaa kerberos keytab , show aaa kerberos keytab , validate-kdc .

New/Modified screens: Configuration > Device Management > Users/AAA > AAA Kerberos, Configuration > Device Management > Users/AAA > AAA Server Groups Add/Edit dialog box for Kerberos server groups.
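Before uploading the exported keytab to the ASA, it is worth confirming that it actually carries the host/ASA_hostname SPN and the key version you expect. The following added Python example, which is not ASA code, writes and parses the MIT keytab file format (version 0x0502) and looks up the host SPN in it. The principals, realm, key bytes and key version numbers are constructed sample data; real keytabs come from ktpass or kadmin.

```python
import struct
from typing import List, NamedTuple, Tuple

KEYTAB_MAGIC = b"\x05\x02"     # MIT keytab format, version 2 (big-endian fields)
NT_PRINCIPAL = 1               # name-type values from RFC 4120, section 6.2
NT_SRV_HST = 3
AES256_CTS_HMAC_SHA1_96 = 18   # enctype number from RFC 3962


class KeytabEntry(NamedTuple):
    principal: str   # "host/asa1.example.com@EXAMPLE.COM"
    kvno: int        # key version number; must match the KDC's current key
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """16-bit length prefix followed by the bytes (keytab counted_octet_string)."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: List[KeytabEntry], timestamp: int = 0) -> bytes:
    """Serialize entries in the layout MIT/Heimdal tools write."""
    out = KEYTAB_MAGIC
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        name_type = NT_SRV_HST if len(comps) == 2 else NT_PRINCIPAL
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        # name type, timestamp, 8-bit kvno, then the keyblock (enctype + key)
        body += struct.pack(">IIB", name_type, timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body   # size excludes itself
    return out


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 keytab, skipping deleted slots (negative size)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    entries: List[KeytabEntry] = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                      # optional 32-bit kvno present
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry(f"{'/'.join(comps)}@{realm.decode()}", kvno, enctype, key))
    return entries


def host_spn_entries(data: bytes, asa_hostname: str, realm: str) -> List[KeytabEntry]:
    """Entries for the host/<ASA hostname> SPN that KDC validation relies on."""
    want = f"host/{asa_hostname}@{realm}"
    return [e for e in parse_keytab(data) if e.principal == want]


# Constructed sample: the ASA's host SPN plus an unrelated HTTP SPN whose
# kvno exceeds 255, which only the 32-bit kvno field can represent.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("host/asa1.example.com@EXAMPLE.COM", 3, AES256_CTS_HMAC_SHA1_96, bytes(range(32))),
    KeytabEntry("HTTP/web.example.com@EXAMPLE.COM", 300, AES256_CTS_HMAC_SHA1_96, bytes(32)),
])

if __name__ == "__main__":
    for e in host_spn_entries(SAMPLE_KEYTAB, "asa1.example.com", "EXAMPLE.COM"):
        print(e.principal, "kvno", e.kvno, "enctype", e.enctype)
```

A keytab whose kvno lags the KDC (for example after the account password was reset) will fail validation on the ASA even though the file parses cleanly, so compare the kvno printed here against the KDC's current value for the SPN before uploading.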

High Availability and Scalability Features

Configuration sync to data units in parallel

The control unit now syncs configuration changes with data units in parallel by default. Formerly, syncing occurred sequentially.

New/Modified commands: config-replicate-parallel

New/Modified screens: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration > Enable parallel configuration replicate check box

Messages for cluster join failure or eviction added to show cluster history

New messages were added to the show cluster history command for when a cluster unit either fails to join the cluster or leaves the cluster.

New/Modified commands: show cluster history

No modified screens.

Interface Features

Speed auto-negotiation can be disabled on 1GB fiber interfaces on the Firepower 1000 and 2100

You can now configure a Firepower 1100 or 2100 SFP interface to disable auto-negotiation. For 10GB interfaces, you can configure the speed down to 1GB without auto-negotiation; you cannot disable auto-negotiation for an interface with the speed set to 10GB.

New/Modified commands: speed nonegotiate

New/Modified screens: Configuration > Device Settings > Interfaces > Edit Interface > Configure Hardware Properties > Speed

Administrative and Troubleshooting Features

New connection-data-rate command

The connection-data-rate command was introduced to provide an overview of the data rate of individual connections on the ASA. When this command is enabled, the per-flow data rate is provided along with the existing connection information. This information helps you identify and block unwanted connections with high data rates, thereby ensuring optimized CPU utilization.

New/Modified commands: conn data-rate ,show conn data-rate , show conn detail , clear conn data-rate

No modified screens.

HTTPS idle timeout setting

You can now set the idle timeout for all HTTPS connections to the ASA, including ASDM, WebVPN, and other clients. Formerly, using the http server idle-timeout command, you could only set the ASDM idle timeout. If you set both timeouts, the new command takes precedence.

New/Modified commands: http connection idle-timeout

New/Modified screens: Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > HTTP Settings > Connection Idle Timeout check box.

NTPv4 support

The ASA now supports NTPv4.

No modified commands.

No modified screens.

New clear logging counter command

The show logging command provides statistics of messages logged for each logging category configured on the ASA. The clear logging counter command was introduced to clear the logged counters and statistics.

New/Modified commands: clear logging counter

No modified screens.

Debug command changes for FXOS on the Firepower 1000 and 2100 in Appliance mode

The debug fxos_parser command has been simplified to provide commonly-used troubleshooting messages about FXOS. Other FXOS debug commands have been moved under the debug menu fxos_parser command.

New/Modified commands: debug fxos_parser , debug menu fxos_parser

No modified screens.

show tech-support command enhanced

The show ssl objects and show ssl errors commands were added to the output of the show tech-support command.

New/Modified commands: show tech-support

No modified screens.

Also in 9.12(4).

Monitoring Features

Net-SNMP version 5.8 Support

The ASA now uses Net-SNMP version 5.8, a suite of applications used to implement SNMP v1, SNMP v2c, and SNMP v3 over both IPv4 and IPv6.

No modified commands.

New/Modified screens: Configuration > Device Management > Management Access > SNMP

SNMP OIDs and MIBs

The ASA enhances support for the CISCO-REMOTE-ACCESS-MONITOR-MIB to track rejected/failed authentications from RADIUS over SNMP. This feature implements three SNMP OIDs:

  • crasNumTotalFailures (total failures)

  • crasNumSetupFailInsufResources (AAA and other internal failures)

  • crasNumAbortedSessions (aborted sessions)

The ASA provides support for the Advanced Encryption Standard (AES) Cipher Algorithm. This feature implements the following SNMP OIDs:

  • usmAesCfb128Protocol

  • usmNoPrivProtocol

SNMPv3 Authentication

You can now use SHA-256 HMAC for user authentication.

New/Modified commands: snmp-server user

New/Modified screens: Configuration > Device Management > Management Access > SNMP

debug telemetry command.

When you use the debug telemetry command, debug messages related to telemetry are displayed. The debugs help identify the cause of errors when generating the telemetry report.

New/Modified commands: debug telemetry , show debug telemetry

No modified screens.

VPN Features

DHCP Relay Server Support on VTI

You can now configure DHCP relay server to forward DHCP messages through VTI tunnel interface.

New/Modified commands: dhcprelay server

New/Modified screens: Configuration > Device Management > DHCP > DHCP Relay

IKEv2 Support for Multiple Peer Crypto Map

You can now configure IKEv2 with multi-peer crypto map—when a peer in a tunnel goes down, IKEv2 attempts to establish the SA with the next peer in the list.

No modified commands.

New/Modified screens: Configuration > Site-to-Site VPN > Advanced > Crypto Maps > Create / Edit IPsec Rule > Tunnel Policy (Crypto Map) - Basic

Username Options for Multiple Certificate Authentication

In multiple certificate authentication, you can now specify from which certificate, first (machine certificate) or second (user certificate), you want the attributes to be used for AAA authentication.

New/Modified commands: username-from-certificate-choice, secondary-username-from-certificate-choice

New/Modified screens:

  • Connection Profile > Advanced > Authentication

  • Connection Profile > Advanced > Secondary Authentication

New Features in Version 9.13

New Features in ASDM 7.13(1.101)

Released: May 7, 2020

Feature

Description

Platform Features

Restore support for the ASA 5512-X, 5515-X, 5585-X, and ASASM for ASA 9.12 and earlier

This ASDM release restores support for the ASA 5512-X, 5515-X, 5585-X, and ASASM when they are running 9.12 or earlier. The final ASA version for these models is 9.12. The original 7.13(1) and 7.14(1) releases blocked backwards compatibility with these models; this version has restored compatibility.

New Features in ASA 9.13(1)/ASDM 7.13(1)

Released: September 25, 2019

Feature

Description

Platform Features

ASA for the Firepower 1010

We introduced the ASA for the Firepower 1010. This desktop model includes a built-in hardware switch and Power-Over-Ethernet+ (PoE+) support.

New/Modified commands: boot system , clock timezone , connect fxos admin , forward interface , interface vlan , power inline , show counters , show environment , show interface , show inventory , show power inline , show switch mac-address-table , show switch vlan , switchport , switchport access vlan , switchport mode , switchport trunk allowed vlan

New/Modified screens:

  • Configuration > Device Setup > Interface Settings > Interfaces > Edit > Switch Port

  • Configuration > Device Setup > Interface Settings > Interfaces > Edit > Power Over Ethernet

  • Configuration > Device Setup > Interface Settings > Interfaces > Add VLAN Interface

  • Configuration > Device Management > System Image/Configuration > Boot Image/Configuration

  • Configuration > Device Setup > System Time > Clock

  • Monitoring > Interfaces > L2 Switching

  • Monitoring > Interfaces > Power Over Ethernet

ASA for the Firepower 1120, 1140, and 1150

We introduced the ASA for the Firepower 1120, 1140, and 1150.

New/Modified commands: boot system , clock timezone , connect fxos admin , show counters , show environment , show interface , show inventory

New/Modified screens:

  • Configuration > Device Management > System Image/Configuration > Boot Image/Configuration

  • Configuration > Device Setup > System Time > Clock

Firepower 2100 Appliance mode

The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS). You can run the Firepower 2100 in the following modes:

  • Appliance mode (now the default)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI.

  • Platform mode—When in Platform mode, you must configure basic operating parameters and hardware interface settings in FXOS. These settings include enabling interfaces, establishing EtherChannels, NTP, image management, and more. You can use the chassis manager web interface or FXOS CLI. You can then configure your security policy in the ASA operating system using ASDM or the ASA CLI.

    If you are upgrading to 9.13(1), the mode will remain in Platform mode.

New/Modified commands: boot system , clock timezone , connect fxos admin , fxos mode appliance , show counters , show environment , show fxos mode , show interface , show inventory

New/Modified screens:

  • Configuration > Device Management > System Image/Configuration > Boot Image/Configuration

  • Configuration > Device Setup > System Time > Clock

DHCP reservation

The ASA DHCP server now supports DHCP reservation. You can assign a static IP address from the defined address pool to a DHCP client based on the client's MAC address.

New/Modified commands: dhcpd reserve-address

No modified screens.

ASA Virtual minimum memory requirement

The minimum memory requirement for the ASA virtual is now 2GB. If your current ASA virtual runs with less than 2GB of memory, you cannot upgrade to 9.13(1) from an earlier version without increasing the memory of your ASA virtual VM. You can also redeploy a new ASA virtual VM with version 9.13(1).

No modified commands.

No modified screens.

ASA Virtual MSLA Support

The ASA virtual supports Cisco's Managed Service License Agreement (MSLA) program, which is a software licensing and consumption framework designed for Cisco customers and partners who offer managed software services to third parties.

MSLA is a new form of Smart Licensing where the licensing Smart Agent keeps track of the usage of licensing entitlements in units of time.

New/Modified commands: license smart , mode , utility , custom-id , custom-info , privacy , transport type , transport url , transport proxy

New/Modified screens: Configuration > Device Management > Licensing > Smart Licensing.

ASA Virtual Flexible Licensing

Flexible Licensing is a new form of Smart Licensing where any ASA virtual license now can be used on any supported ASA virtual vCPU/memory configuration. Session limits for AnyConnect and TLS proxy will be determined by the ASA virtual platform entitlement installed rather than a platform limit tied to a model type.

New/Modified commands: show version , show vm , show cpu , show license features

New/Modified screens: Configuration > Device Management > Licensing > Smart Licensing.

ASA Virtual for AWS support for the C5 instance; expanded support for C4, C3, and M4 instances

The ASA virtual on the AWS Public Cloud now supports the C5 instance (c5.large, c5.xlarge, and c5.2xlarge).

In addition, support has been expanded for the C4 instance (c4.2xlarge and c4.4xlarge); C3 instance (c3.2xlarge, c3.4xlarge, and c3.8xlarge); and M4 instance (m4.2xlarge and m4.4xlarge).

No modified commands.

No modified screens.

ASA Virtual for Microsoft Azure support for more Azure virtual machine sizes

The ASA virtual on the Microsoft Azure Public Cloud now supports more Linux virtual machine sizes:

  • Standard_D4, Standard_D4_v2

  • Standard_D8_v3

  • Standard_DS3, Standard_DS3_v2

  • Standard_DS4, Standard_DS4_v2

  • Standard_F4, Standard_F4s

  • Standard_F8, Standard_F8s

Earlier releases only supported the Standard_D3 and Standard_D3_v2 sizes.

No modified commands.

No modified screens.

ASA Virtual enhanced support for DPDK

The ASA virtual supports enhancements to the Data Plane Development Kit (DPDK) to enable support for multiple NIC queues, which allow multi-core CPUs to concurrently and efficiently service network interfaces.

This applies to all ASA virtual hypervisors except Microsoft Azure and Hyper-V.

Note 

DPDK support was introduced in release ASA 9.10(1)/ASDM 7.13(1).

No modified commands.

No modified screens.

ASA Virtual support for VMware ESXi 6.7

The ASA virtual platform supports hosts running VMware ESXi 6.7. New VMware hardware versions have been added to the vi.ovf and esxi.ovf files to enable optimal performance and usability of the ASA virtual on ESXi 6.7.

No modified commands.

No modified screens.

Increased VLANs for the ISA 3000

The maximum VLANs for the ISA 3000 with the Security Plus license increased from 25 to 100.

Firewall Features

Location logging for mobile stations (GTP inspection).

You can configure GTP inspection to log the initial location of a mobile station and subsequent changes to the location. Tracking location changes can help you identify possibly fraudulent roaming charges.

New/Modified commands: location-logging .

New/Modified screens: Configuration > Firewall > Objects > Inspect Maps > GTP.

GTPv2 and GTPv1 release 15 support.

The system now supports GTPv2 3GPP 29.274 V15.5.0. For GTPv1, support is up to 3GPP 29.060 V15.2.0. The new support includes recognition of 2 additional messages and 53 information elements.

No modified commands.

No modified screens.

Mapping Address and Port-Translation (MAP-T)

Mapping Address and Port (MAP) is primarily a feature for use in service provider (SP) networks. The service provider can operate an IPv6-only network, the MAP domain, while supporting IPv4-only subscribers and their need to communicate with IPv4-only sites on the public Internet. MAP is defined in RFC7597, RFC7598, and RFC7599.

New/Modified commands: basic-mapping-rule , default-mapping-rule , ipv4-prefix , ipv6-prefix , map-domain , share-ratio , show map-domain , start-port .

New/Modified screens: Configuration > Device Setup > CGNAT Map, Monitoring > Properties > MAP Domains.

Increased limits for AAA server groups and servers per group.

You can configure more AAA server groups. In single context mode, you can configure 200 AAA server groups (the former limit was 100). In multiple context mode, you can configure 8 (the former limit was 4).

In addition, in multiple context mode, you can configure 8 servers per group (the former limit was 4 servers per group). The single context mode per-group limit of 16 remains unchanged.

We modified the following commands to accept these new limits: aaa-server , aaa-server host .

We modified the AAA screens to accept these new limits.

TLS proxy deprecated for SCCP (Skinny) inspection.

The tls-proxy keyword, and support for SCCP/Skinny encrypted inspection, was deprecated. The keyword will be removed from the inspect skinny command in a future release.

VPN Features

HSTS Support for WebVPN as Client

A new CLI mode called http-headers was added under WebVPN mode so that WebVPN can rewrite HTTP references to HTTPS references for hosts that have advertised HSTS. The same mode configures whether the user agent should allow the embedding of resources when the ASA sends this header to browsers for WebVPN connections.

You can configure the following http-headers: x-content-type-options, x-xss-protection, hsts-client (HSTS support for WebVPN as client), hsts-server, or content-security-policy.

New/Modified commands: webvpn, show webvpn hsts host {name <hostname> | all}, and clear webvpn hsts host {name <hostname> | all}.

New/Modified screens: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Proxies.

Diffie-Hellman groups 15 and 16 added for key exchange

To add support for Diffie-Hellman groups 15 and 16, we modified the following crypto commands to accept the new groups.

New/Modified commands: crypto ikev2 policy <index> group <number> and crypto map <map-name> <map-index> set pfs <group>.

show asp table vpn-context enhancement to output

To enhance debug capability, these vpn context counters were added to the output: Lock Err, No SA, IP Ver Err, and Tun Down.

New/Modified commands: show asp table vpn-context (output only).

Immediate session establishment when the maximum remote access VPN session limit is reached.

When a user reaches the maximum session (login) limit, the system deletes the user's oldest session and waits for the deletion to complete before establishing the new session. This can prevent the user from successfully connecting on the first attempt. You can remove this delay and have the system establish the new connection without waiting for the deletion to complete.

New/Modified commands: vpn-simultaneous-login-delete-no-delay .

New/Modified screens: Configuration > Remote Access VPN > Network (Client) Access > Group Policies Add/Edit dialog box, General tab.

High Availability and Scalability Features

Initiator and responder information for Dead Connection Detection (DCD), and DCD support in a cluster.

If you enable Dead Connection Detection (DCD), you can use the show conn detail command to get information about the initiator and responder. Dead Connection Detection allows you to maintain an inactive connection, and the show conn output tells you how often the endpoints have been probed. In addition, DCD is now supported in a cluster.

New/Modified commands: show conn (output only).

No modified screens.

Monitor the traffic load for a cluster

You can now monitor the traffic load for cluster members, including total connection count, CPU and memory usage, and buffer drops. If the load is too high, you can choose to manually disable clustering on the unit if the remaining units can handle the load, or adjust the load balancing on the external switch. This feature is enabled by default.

New/Modified commands: debug cluster load-monitor , load-monitor , show cluster info load-monitor

New/Modified screens:

  • Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration > Enable Cluster Load Monitor check box

  • Monitoring > ASA Cluster > Cluster Load-Monitoring

Accelerated cluster joining

When a data unit has the same configuration as the control unit, it will skip syncing the configuration and will join faster. This feature is enabled by default. This feature is configured on each unit, and is not replicated from the control unit to the data unit.

Note 

Some configuration commands are not compatible with accelerated cluster joining; if these commands are present on the unit, configuration syncing will always occur even when accelerated cluster joining is enabled. You must remove the incompatible configuration for accelerated cluster joining to work. Use the show cluster info unit-join-acceleration incompatible-config command to view the incompatible configuration.

New/Modified commands: unit join-acceleration , show cluster info unit-join-acceleration incompatible-config

New/Modified screens: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration > Enable config sync acceleration check box

Routing Features

SMTP configuration enhancement

You can optionally configure the SMTP server with primary and backup interface names so that the ASA can identify which routing table to use for logging: the management routing table or the data routing table. If no interface is provided, the ASA first looks up the management routing table and, if no matching route entry is present, then looks up the data routing table.

New/Modified commands: smtp-server [primary-interface][backup-interface]

Support to set NSF wait timer

OSPF routers are expected to set the RS-bit in the EO-TLV attached to a Hello packet when it is not known whether all neighbors are listed in the packet and the restarting router needs its adjacencies preserved. However, the RS-bit must not remain set for longer than RouterDeadInterval seconds. The timers nsf wait command was introduced to set the period for which the RS-bit is set in Hello packets to less than RouterDeadInterval seconds.

New/Modified commands: timers nsf wait

Support to set tftp blocksize

The typical fixed block size for TFTP file transfer is 512 octets. A new command, tftp blocksize, was introduced to configure a larger block size and thereby increase TFTP file transfer speed. You can set a block size from 513 to 8192 octets. The new default block size is 1456 octets. The no form of this command resets the block size to the older default value of 512 octets.

New/Modified commands: tftp blocksize

Certificate Features

Support to view FIPS status

The show running-config fips command displayed the FIPS status only when FIPS was enabled. To expose the operational state, the show fips command was introduced; it displays the FIPS status both when a user has just enabled or disabled FIPS and when FIPS is in the enabled or disabled state. This command also indicates whether the device must be rebooted after an enable or disable action.

New/Modified commands: show fips

CRL cache size increased

To prevent failure of large CRL downloads, the cache size was increased, and the limit on the number of entries in an individual CRL was removed.

  • Increased the total CRL cache size to 16 MB per context for multi-context mode.

  • Increased the total CRL cache size to 128 MB for single-context mode.

Modifications to the CRL Distribution Point commands

The static CDP URL configuration commands are removed and moved to the match certificate command.

New/Modified commands: crypto-ca-trustpoint crl and crl url were removed with other related logic. match-certificate override-cdp was introduced.

New/Modified screens: Configuration > Device Management > Certificate Management > CA Certificates

The static CDP URL was re-introduced in 9.13(1)12 to the match certificate command.

Administrative and Troubleshooting Features

Management access when the Firepower 1000, Firepower 2100 Appliance mode is in licensing evaluation mode

The ASA includes 3DES capability by default for management access only, so you can connect to the Smart Software Manager and also use ASDM immediately. You can also use SSH and SCP if you later configure SSH access on the ASA. Other features that require strong encryption (such as VPN) must have Strong Encryption enabled, which requires you to first register to the Smart Software Manager.

Note 

If you attempt to configure any features that can use strong encryption before you register—even if you only configure weak encryption—then your HTTPS connection will be dropped on that interface, and you cannot reconnect. The exception to this rule is if you are connected to a management-only interface, such as Management 1/1. SSH is not affected. If you lose your HTTPS connection, you can connect to the console port to reconfigure the ASA, connect to a management-only interface, or connect to an interface not configured for a strong encryption feature.

No modified commands.

No modified screens.

Additional NTP authentication algorithms

Formerly, only MD5 was supported for NTP authentication. The ASA now supports the following algorithms:

  • MD5

  • SHA-1

  • SHA-256

  • SHA-512

  • AES-CMAC

New/Modified commands: ntp authentication-key

New/Modified screens:

Configuration > Device Setup > System Time > NTP > Add button > Add NTP Server Configuration dialog box > Key Algorithm drop-down list

ASA Security Service Exchange (SSE) Telemetry Support for the Firepower 4100/9300

With Cisco Success Network enabled in your network, device usage information and statistics are provided to Cisco, which uses them to optimize technical support. The telemetry data that is collected on your ASA devices includes CPU, memory, disk, or bandwidth usage, license usage, the configured feature list, cluster/failover information, and the like.

New/Modified commands: service telemetry and show telemetry

New/Modified screens:

  • Configuration > Device Management > Telemetry

  • Monitoring > Properties > Telemetry

SSH encryption ciphers are now listed in order from highest to lowest security for pre-defined lists

SSH encryption ciphers are now listed in order from highest security to lowest security for pre-defined lists (such as medium or high). In earlier releases, they were listed from lowest to highest, which meant that a low security cipher would be proposed before a high security cipher.

New/Modified commands: ssh cipher encryption

New/Modified screens:

Configuration > Device Management > Advanced > SSH Ciphers

show tech-support includes additional output

The output of show tech-support is enhanced to display the output of the following:

  • show flow-offload info detail

  • show flow-offload statistics

  • show asp table socket

New/Modified commands: show tech-support (output only).

Enhancement to show-capture asp_drop output to include drop location information

While troubleshooting using ASP drop counters, the exact location of the drop is unknown, especially when the same ASP drop reason is used in many different places. This information is critical in finding the root cause of the drop. With this enhancement, ASP drop details such as the build target, ASA release number, hardware model, and ASLR memory text region (to facilitate decoding the drop location) are shown.

New/Modified commands: show-capture asp_drop

Modifications to debug crypto ca

The debug crypto ca transactions and debug crypto ca messages options are consolidated to provide all applicable content in the debug crypto ca command itself. Also, the number of available debugging levels is reduced to 14.

New/Modified commands: debug crypto ca

FXOS Features for the Firepower 1000 and 2100

Secure Erase

The secure erase feature erases all data on the SSDs so that data cannot be recovered even by using special tools on the SSD itself. You should perform a secure erase in FXOS when decommissioning the device.

New/Modified FXOS commands: erase secure (local-mgmt)

Supported models: Firepower 1000 and 2100

Configurable HTTPS protocol

You can set the SSL/TLS versions for FXOS HTTPS access.

New/Modified FXOS commands: set https access-protocols

Supported models: Firepower 2100 in Platform Mode

FQDN enforcement for IPSec and Keyrings

For FXOS, you can configure FQDN enforcement so that the FQDN of the peer must match the DNS Name in the X.509 certificate presented by the peer. For IPSec, enforcement is enabled by default, except for connections created prior to 9.13(1); you must manually enable enforcement for those old connections. For keyrings, all hostnames must be FQDNs and cannot use wildcards.

New/Modified FXOS commands: set dns, set e-mail, set fqdn-enforce, set ip, set ipv6, set remote-address, set remote-ike-id

Removed commands: fi-a-ip, fi-a-ipv6, fi-b-ip, fi-b-ipv6

Supported models: Firepower 2100 in Platform Mode

New IPSec ciphers and algorithms

We added the following IKE and ESP ciphers and algorithms to configure an IPSec tunnel to encrypt FXOS management traffic:

  • Ciphers—aes192. Existing ciphers include: aes128, aes256, aes128gcm16.

  • Pseudo-Random Function (PRF) (IKE only)—prfsha384, prfsha512, prfsha256. Existing PRFs include: prfsha1.

  • Integrity Algorithms—sha256, sha384, sha512, sha1_160. Existing algorithms include: sha1.

  • Diffie-Hellman Groups—curve25519, ecp256, ecp384, ecp521, modp3072, modp4096. Existing groups include: modp2048.

No modified FXOS commands.

Supported models: Firepower 2100 in Platform Mode

SSH authentication enhancements

We added the following SSH server encryption algorithms for FXOS:

  • aes128-gcm@openssh.com

  • aes256-gcm@openssh.com

  • chacha20-poly@openssh.com

We added the following SSH server key exchange methods for FXOS:

  • diffie-hellman-group14-sha256

  • curve25519-sha256

  • curve25519-sha256@libssh.org

  • ecdh-sha2-nistp256

  • ecdh-sha2-nistp384

  • ecdh-sha2-nistp521

New/Modified FXOS commands: set ssh-server encrypt-algorithm, set ssh-server kex-algorithm

Supported models: Firepower 2100 in Platform Mode

ECDSA keys for X.509 Certificates

You can now use ECDSA keys for FXOS certificates. Formerly, only RSA keys were supported.

New/Modified FXOS commands: set elliptic-curve, set keypair-type

Supported models: Firepower 2100 in Platform Mode

User password improvements

We added FXOS password security improvements, including the following:

  • User passwords can be up to 127 characters. The old limit was 80 characters.

  • Strong password check is enabled by default.

  • Prompt to set admin password.

  • Password expiration.

  • Limit password reuse.

  • Removed the set change-during-interval command, and added a disabled option for the set change-interval, set no-change-interval, and set history-count commands.

New/Modified FXOS commands: set change-during-interval, set expiration-grace-period, set expiration-warning-period, set history-count, set no-change-interval, set password, set password-expiration, set password-reuse-interval

New/Modified Firepower Chassis Manager screens:

  • System > User Management > Local Users

  • System > User Management > Settings

Supported models: Firepower 2100 in Platform Mode

New Features in Version 9.12

New Features in ASA 9.12(4)

Released: May 26, 2020

Feature

Description

Routing Features

Multicast IGMP interface state limit raised from 500 to 5000

The multicast IGMP state limit per interface was raised from 500 to 5000.

New/Modified commands: igmp limit

No ASDM support.

Troubleshooting Features

show tech-support command enhanced

The show ssl objects and show ssl errors commands were added to the output of the show tech-support command.

New/Modified commands: show tech-support

No modified screens.

VPN Features

Support for configuring the maximum in-negotiation SAs as an absolute value

You can now configure the maximum in-negotiation SAs as an absolute value up to 15000 or a maximum value derived from the maximum device capacity; formerly, only a percentage was allowed.

New/Modified commands: crypto ikev2 limit max-in-negotiation-sa value

No ASDM support.

New Features in ASA 9.12(3)

Released: November 25, 2019

There are no new features in this release.

New Features in ASA 9.12(2)/ASDM 7.12(2)

Released: May 30, 2019

Feature

Description

Platform Features

Firepower 9300 SM-56 support

We introduced the following security modules: SM-56.

Requires FXOS 2.6.1.157

No modified commands.

No modified screens.

Administration Features

Setting the SSH key exchange mode is restricted to the Admin context

You must set the SSH key exchange in the Admin context; this setting is inherited by all other contexts.

New/Modified commands: ssh key-exchange

New/Modified screen: Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH > SSH Settings > DH Key Exchange

ASDM Features

OpenJRE version of ASDM

You can install a version of ASDM that uses OpenJRE 1.8.x instead of Oracle JRE. The filename of the OpenJRE version is asdm-openjre-version.bin.

Tools > Preferences option to specify the ASA FirePOWER module local management file folder

You can now specify the location to install ASA FirePOWER module local management files. You must have read/write privileges to the configured location.

New/Modified screen:

Tools > Preferences > SFR Location Wizard area

New Features in ASA 9.12(1)/ASDM 7.12(1)

Released: March 13, 2019

Feature

Description

Platform Features

ASA for the Firepower 4115, 4125, and 4145

We introduced the Firepower 4115, 4125, and 4145.

Requires FXOS 2.6.1.

No modified commands.

No modified screens.

Support for ASA and threat defense on separate modules of the same Firepower 9300

You can now deploy ASA and threat defense logical devices on the same Firepower 9300.

Requires FXOS 2.6.1.

No modified commands.

No modified screens.

Firepower 9300 SM-40 and SM-48 support

We introduced the following two security modules: SM-40 and SM-48.

Requires FXOS 2.6.1.

No modified commands.

No modified screens.

Firewall Features

GTPv1 release 10.12 support.

The system now supports GTPv1 release 10.12. Previously, the system supported release 6.1. The new support includes recognition of 25 additional GTPv1 messages and 66 information elements.

In addition, there is a behavior change. Now, any unknown message IDs are allowed. Previously, unknown messages were dropped and logged.

No modified commands.

No modified screens.

Cisco Umbrella Enhancements.

You can now identify local domain names that should bypass Cisco Umbrella. DNS requests for these domains go directly to the DNS servers without Umbrella processing. You can also identify which Umbrella servers to use for resolving DNS requests. Finally, you can define the Umbrella inspection policy to fail open, so that DNS requests are not blocked if the Umbrella server is unavailable.

New/Modified commands: local-domain-bypass, resolver, umbrella fail-open.

New/Modified screens: Configuration > Firewall > Objects > Umbrella, Configuration > Firewall > Objects > Inspect Maps > DNS.

The object group search threshold is now disabled by default.

If you enabled object group search, the feature was subject to a threshold to help prevent performance degradation. That threshold is now disabled by default. You can enable it by using the object-group-search threshold command.

New/Modified command: object-group-search threshold.

We changed the following screen: Configuration > Access Rules > Advanced.

Interim logging for NAT port block allocation.

When you enable port block allocation for NAT, the system generates syslog messages during port block creation and deletion. If you enable interim logging, the system generates message 305017 at the interval you specify. The messages report all active port blocks allocated at that time, including the protocol (ICMP, TCP, UDP) and source and destination interface and IP address, and the port block.

New/Modified command: xlate block-allocation pba-interim-logging seconds.

New/Modified screen: Configuration > Firewall > Advanced > PAT Port Block Allocation.

VPN Features

New condition option for debug aaa .

The condition option was added to the debug aaa command. You can use this option to filter VPN debugging based on group name, user name, or peer IP address.

New/Modified commands: debug aaa condition

No modified screens.

Support for RSA SHA-1 in IKEv2

You can now generate a signature using the RSA SHA-1 hashing algorithm for IKEv2.

New/Modified commands: rsa-sig-sha1

New/Modified screens:

View the default SSL configuration for both DES and 3DES encryption licenses as well as available ciphers

You can now view the default SSL configuration with and without the 3DES encryption license. In addition, you can view all the ciphers supported on the device.

New/Modified commands: show ssl information

No modified screens.

Add subdomains to webVPN HSTS

Allows domain owners to submit what domains should be included in the HSTS preload list for web browsers.

New/Modified commands: includesubdomains (in webvpn configuration mode, at the hostname(config-webvpn) prompt)

New/Modified screens:

Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Proxies > Enable HSTS Subdomains field

High Availability and Scalability Features

Per-site gratuitous ARP for clustering

The ASA now generates gratuitous ARP (GARP) packets to keep the switching infrastructure up to date: the highest priority member at each site periodically generates GARP traffic for the global MAC/IP addresses. When using per-site MAC and IP addresses, packets sourced from the cluster use a site-specific MAC address and IP address, while packets received by the cluster use a global MAC address and IP address. If traffic is not generated from the global MAC address periodically, you could experience a MAC address timeout on your switches for the global MAC address. After a timeout, traffic destined for the global MAC address will be flooded across the entire switching infrastructure, which can cause performance and security concerns. GARP is enabled by default when you set the site ID for each unit and the site MAC address for each Spanned EtherChannel.

New/Modified commands: site-periodic-garp interval

New/Modified screens: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration > Site Periodic GARP field

Multiple context mode HTTPS resource management

You can now set the maximum number of non-ASDM HTTPS sessions in a resource class. By default, the limit is set to 6 per context, the maximum. You can use up to 100 HTTPS sessions across all contexts.

New/Modified commands: limit-resource http

No ASDM support.

Routing Features

OSPF Keychain support for authentication

OSPF authenticates the neighbor and route updates using MD5 keys. In the ASA, the keys that are used to generate the MD5 digest had no lifetime associated with them, so user intervention was required to change the keys periodically. To overcome this limitation, OSPFv2 now supports MD5 authentication with rotating keys.

Based on the accept and send lifetimes of the keys in the key chain, OSPF authenticates, accepts or rejects keys, and forms adjacencies.

New/Modified commands: accept-lifetime, area virtual-link authentication, cryptographic-algorithm, key, key chain, key-string, ospf authentication, send-lifetime

New/Modified screens:

  • Configuration > Device Setup > Key Chain

  • Configuration > Device Setup > Routing > OSPF > Setup > Authentication

  • Configuration > Device Setup > Routing > OSPF > Setup > Virtual Link

Certificate Features

Local CA configurable FQDN for enrollment URL

To make the FQDN of the enrollment URL configurable instead of using the ASA's configured FQDN, a new CLI option is introduced. This new option is added to the smtp mode of crypto ca server.

New/Modified commands: fqdn

Administrative, Monitoring, and Troubleshooting Features

enable password change now required on a login

The default enable password is blank. When you try to access privileged EXEC mode on the ASA, you are now required to change the password to a value of 3 characters or longer. You cannot keep it blank. The no enable password command is no longer supported.

At the CLI, you can access privileged EXEC mode using the enable command, the login command (with a user at privilege level 2+), or an SSH or Telnet session when you enable aaa authorization exec auto-enable. All of these methods require you to set the enable password.

This password change requirement is not enforced for ASDM logins. In ASDM, by default you can log in without a username and with the enable password.

New/Modified commands: enable password

No modified screens.

Configurable limitation of admin sessions

You can configure the maximum number of aggregate, per user, and per-protocol administrative sessions. Formerly, you could configure only the aggregate number of sessions. This feature does not affect console sessions. Note that in multiple context mode, you cannot configure the number of HTTPS sessions, where the maximum is fixed at 5 sessions. The quota management-session command is also no longer accepted in the system configuration, and is instead available in the context configuration. The maximum aggregate sessions is now 15; if you configured 0 (unlimited) or 16+, then when you upgrade, the value is changed to 15.

New/Modified commands: quota management-session, show quota management-session

New/Modified screens: Configuration > Device Management > Management Access > Management Session Quota

Notifications for administrative privilege level changes

When you authenticate for enable access (aaa authentication enable console) or allow privileged EXEC access directly (aaa authorization exec auto-enable), the ASA now notifies users if their assigned access level has changed since their last login.

New/Modified commands: show aaa login-history

New/Modified screens:

Status bar > Login History icon

NTP support on IPv6

You can now specify an IPv6 address for the NTP server.

New/Modified commands: ntp server

New/Modified screens: Configuration > Device Setup > System Time > NTP > Add button > Add NTP Server Configuration dialog box

SSH stronger security

See the following SSH security improvements:

  • Diffie-Hellman Group 14 SHA256 key exchange support. This setting is now the default. The former default was Group 1 SHA1.

  • HMAC-SHA256 integrity cipher support. The default is now the high security set of ciphers (hmac-sha2-256 only). The former default was the medium set.

New/Modified commands: ssh cipher integrity, ssh key-exchange group dh-group14-sha256

New/Modified screens:

  • Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

  • Configuration > Device Management > Advanced > SSH Ciphers

Allow non-browser-based HTTPS clients to access the ASA

You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.

New/Modified commands: http server basic-auth-client

New/Modified screens:

Configuration > Device Management > Management Access > HTTP Non-Browser Client Support

Capture control plane packets only on the cluster control link

You can now capture control plane packets only on the cluster control link (and no data plane packets). This option is useful in the system in multiple context mode where you cannot match traffic using an ACL.

New/Modified commands: capture interface cluster cp-cluster

New/Modified screens:

Wizards > Packet Capture Wizard > Cluster Option

debug conn command

The debug conn command was added to provide two history mechanisms that record connection processing. The first history list is a per-thread list that records the operations of the thread. The second history list records the operations performed on the conn-group. When debugging is enabled for a connection, processing events such as a connection lock, unlock, and delete are recorded in the two history lists. When a problem occurs, these two lists can be used to look back at the processing and determine where the logic went wrong.

New/Modified commands: debug conn

show tech-support includes additional output

The output of show tech-support is enhanced to display the output of the following:

  • show ipv6 interface

  • show aaa-server

  • show fragment

New/Modified commands: show tech-support

ASDM support to enable and disable the results for free memory and used memory statistics during SNMP walk operations

To avoid overutilization of CPU resources, you can enable and disable the query of free memory and used memory statistics collected through SNMP walk operations.

New or modified screen: Configuration > Device Management > Management Access > SNMP

Configurable graph update interval for the ASDM Home pane for the System in multiple-context mode

For the System in multiple context mode, you can now set the amount of time between updates for the graphs on the Home pane.

New/Modified screens:

Tools > Preferences > Graph User time interval in System Context

New Features in Version 9.10

New Features in ASA 9.10(1)/ASDM 7.10(1)

Released: October 25, 2018

Feature

Description

Platform Features

ASA Virtual VHD custom images for Azure

You can now create your own custom ASA virtual images on Azure using a compressed VHD image available from Cisco. To deploy using a VHD image, you upload the VHD image to your Azure storage account. Then, you can create a managed image using the uploaded disk image and an Azure Resource Manager template. Azure templates are JSON files that contain resource descriptions and parameter definitions.

ASA Virtual for Azure

The ASA virtual is available in the Azure China Marketplace.

ASA Virtual support for DPDK

DPDK (Dataplane Development Kit) is integrated into the dataplane of the ASA virtual using poll-mode drivers.

ISA 3000 support for FirePOWER module Version 6.3

The previous supported version was FirePOWER 5.4.

Firewall Features

Cisco Umbrella support

You can configure the device to redirect DNS requests to Cisco Umbrella, so that your Enterprise Security policy defined in Cisco Umbrella can be applied to user connections. You can allow or block connections based on FQDN, or for suspicious FQDNs, you can redirect the user to the Cisco Umbrella intelligent proxy, which can perform URL filtering. The Umbrella configuration is part of the DNS inspection policy.

New/Modified commands: umbrella, umbrella-global, token, public-key, timeout edns, dnscrypt, show service-policy inspect dns detail

New/Modified screens:

Configuration > Firewall > Objects > Umbrella, Configuration > Firewall > Objects > Inspect Maps > DNS

GTP inspection enhancements for MSISDN and Selection Mode filtering, anti-replay, and user spoofing protection

You can now configure GTP inspection to drop Create PDP Context messages based on Mobile Station International Subscriber Directory Number (MSISDN) or Selection Mode. You can also implement anti-replay and user spoofing protection.

New/Modified commands: anti-replay, gtp-u-header-check, match msisdn, match selection-mode

New/Modified screens:

Configuration > Firewall > Objects > Inspection Maps > GTP > Add/Edit dialog box

Default idle timeout for TCP state bypass

The default idle timeout for TCP state bypass connections is now 2 minutes instead of 1 hour.

Support for removing the logout button from the cut-through proxy login page

If you configure the cut-through proxy to obtain user identity information (the AAA authentication listener), you can now remove the logout button from the page. This is useful in cases where users connect from behind a NAT device and cannot be distinguished by IP address: when one user logs out, it logs out all users of that IP address.

New/Modified commands: aaa authentication listener no-logout-button

No ASDM support.

Also in 9.8(3).

Trustsec SXP connection configurable delete hold down timer

The default SXP connection hold down timer is 120 seconds. You can now configure this timer to a value between 120 and 64000 seconds.

New/Modified commands: cts sxp delete-hold-down period, show cts sxp connection brief, show cts sxp connections

No ASDM support.

Also in 9.8(3).

Support for offloading NAT'ed flows in transparent mode.

If you are using flow offload (the flow-offload enable and set connection advanced-options flow-offload commands), offloaded flows can now include flows that require NAT in transparent mode.

Support for transparent mode deployment for a Firepower 4100/9300 ASA logical device

You can now specify transparent or routed mode when you deploy the ASA on a Firepower 4100/9300.

New/Modified FXOS commands: enter bootstrap-key FIREWALL_MODE, set value routed, set value transparent

New/Modified Firepower Chassis Manager screens:

Logical Devices > Add Device > Settings

New/Modified options: Firewall Mode drop-down list

VPN Features

Support for legacy SAML authentication

If you deploy an ASA with the fix for CSCvg65072, then the default SAML behavior is to use the embedded browser, which is not supported on AnyConnect 4.4 or 4.5. Therefore, to continue to use AnyConnect 4.4 or 4.5, you must enable the legacy external browser SAML authentication method. Because of security limitations, use this option only as part of a temporary plan to migrate to AnyConnect 4.6 (or later). This option will be deprecated in the near future.

New/Modified commands: saml external-browser

New/Modified screens:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles page > Connection Profiles area > Add button > Add AnyConnect Connection Profile dialog box

Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles > page > Connection Profiles area > Add button > Add Clientless SSL VPN Connection Profile dialog box

New/Modified options: SAML External Browser check box

Also in 9.8(3).

DTLS 1.2 support for AnyConnect VPN remote access connections.

DTLS 1.2, as defined in RFC 6347, is now supported for AnyConnect remote access in addition to the currently supported DTLS 1.0 (the 1.1 version number is not used for DTLS). This applies to all ASA models except the 5506-X, 5508-X, and 5516-X, and applies only when the ASA is acting as a server, not a client. DTLS 1.2 supports additional ciphers, as well as all current TLS/DTLS ciphers, and a larger cookie size.

New/Modified commands: show run ssl, show vpn-sessiondb detail anyconnect, ssl cipher, ssl server-version

New/Modified screens: Configuration > Remote Access VPN > Advanced > SSL Settings

High Availability and Scalability Features

Cluster control link customizable IP Address for the Firepower 4100/9300

By default, the cluster control link uses the 127.2.0.0/16 network. You can now set the network when you deploy the cluster in FXOS. The chassis auto-generates the cluster control link interface IP address for each unit based on the chassis ID and slot ID: 127.2.chassis_id.slot_id. However, some networking deployments do not allow 127.2.0.0/16 traffic to pass. Therefore, you can now set a custom /16 subnet for the cluster control link in FXOS except for loopback (127.0.0.0/8) and multicast (224.0.0.0/4) addresses.

New/Modified FXOS commands: set cluster-control-link network

New/Modified Firepower Chassis Manager screens:

Logical Devices > Add Device > Cluster Information

New/Modified options: CCL Subnet IP field
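The address derivation and the two restrictions described above (a custom /16, but not loopback 127.0.0.0/8 or multicast 224.0.0.0/4) are captured in the following added example, written for this note and not Cisco code. It assumes chassis and slot IDs fit in one octet and start at 1; the default 127.2.0.0/16 is allowed as the one loopback-range exception, exactly as the note describes.

```python
"""Cluster control link (CCL) addressing for the Firepower 4100/9300.

Added illustration, not Cisco code. The derivation 127.2.chassis_id.slot_id and
the loopback/multicast restrictions come from the release note; the 1..255 range
check on chassis_id and slot_id is an assumption made here (one IPv4 octet each).
"""
import ipaddress

DEFAULT_CCL_NETWORK = ipaddress.IPv4Network("127.2.0.0/16")   # factory default
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
MULTICAST = ipaddress.IPv4Network("224.0.0.0/4")


def validate_ccl_network(network: str) -> ipaddress.IPv4Network:
    """Return the CCL network if it is acceptable, else raise ValueError.

    The default 127.2.0.0/16 is always accepted; any other network must be a
    /16 that does not overlap loopback or multicast space.
    """
    net = ipaddress.IPv4Network(network, strict=True)   # rejects host bits set
    if net == DEFAULT_CCL_NETWORK:
        return net
    if net.prefixlen != 16:
        raise ValueError(f"CCL network must be a /16, got {net}")
    if net.overlaps(LOOPBACK):
        raise ValueError(f"custom CCL network {net} lies in loopback space 127.0.0.0/8")
    if net.overlaps(MULTICAST):
        raise ValueError(f"custom CCL network {net} lies in multicast space 224.0.0.0/4")
    return net


def is_valid_ccl_network(network: str) -> bool:
    """Boolean wrapper around validate_ccl_network for quick checks."""
    try:
        validate_ccl_network(network)
        return True
    except ValueError:
        return False


def ccl_address(network: str, chassis_id: int, slot_id: int) -> ipaddress.IPv4Address:
    """Derive a unit's CCL interface address: <net>.<chassis_id>.<slot_id>."""
    net = validate_ccl_network(network)
    for name, value in (("chassis_id", chassis_id), ("slot_id", slot_id)):
        if not 1 <= value <= 255:     # assumption: one octet each, starting at 1
            raise ValueError(f"{name} must be 1..255, got {value}")
    # The /16 leaves the low two octets free: third octet = chassis, fourth = slot.
    return ipaddress.IPv4Address(int(net.network_address) + (chassis_id << 8) + slot_id)


def ccl_addresses(network: str, units: list) -> dict:
    """Map every (chassis_id, slot_id) pair in units to its derived CCL address."""
    return {(c, s): ccl_address(network, c, s) for c, s in units}


if __name__ == "__main__":
    # Constructed sample: two chassis with three security modules each.
    units = [(1, 1), (1, 2), (1, 3), (2, 1), (2, 2), (2, 3)]
    for (c, s), addr in ccl_addresses("10.200.0.0/16", units).items():
        print(f"chassis {c} slot {s}: {addr}")
    print(is_valid_ccl_network("127.5.0.0/16"), is_valid_ccl_network("10.200.0.0/16"))
```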

Parallel joining of cluster units per Firepower 9300 chassis

For the Firepower 9300, this feature ensures that the security modules in a chassis join the cluster simultaneously, so that traffic is evenly distributed between the modules. If a module joins very much in advance of other modules, it can receive more traffic than desired, because the other modules cannot yet share the load.

New/Modified commands: unit parallel-join

New/Modified screens:

Configuration > Device Management > High Availability and Scalability > ASA Cluster

New/Modified options: Parallel Join of Units Per Chassis area

Cluster interface debounce time now applies to interfaces changing from a down state to an up state

When an interface status update occurs, the ASA waits the number of milliseconds specified in the health-check monitor-interface debounce-time command or on the ASDM Configuration > Device Management > High Availability and Scalability > ASA Cluster screen before marking the interface as failed and removing the unit from the cluster. This feature now also applies to interfaces changing from a down state to an up state. For example, in the case of an EtherChannel that transitions from a down state to an up state (for example, because the switch reloaded or the switch enabled an EtherChannel), a longer debounce time can prevent the interface from appearing to be failed on a cluster unit just because another cluster unit was faster at bundling the ports.

We did not modify any commands.

We did not modify any screens.

Active/Backup High Availability for ASA virtual on Microsoft Azure Government Cloud

The stateless Active/Backup solution that allows for a failure of the active ASA virtual to trigger an automatic failover of the system to the backup ASA virtual in the Microsoft Azure public cloud is now available in the Azure Government Cloud.

New or modified command: failover cloud

New or modified screens: Configuration > Device Management > High Availability and Scalability > Failover

Monitoring > Properties > Failover > Status

Monitoring > Properties > Failover > History

Interface Features

show interface ip brief and show ipv6 interface output enhancement to show the supervisor association for the Firepower 2100/4100/9300

For the Firepower 2100/4100/9300, the output of the command is enhanced to indicate the supervisor association status of the interfaces.

New/Modified commands: show interface ip brief, show ipv6 interface

The set lacp-mode command was changed to set port-channel-mode on the Firepower 2100

The set lacp-mode command was changed to set port-channel-mode to match the command usage in the Firepower 4100/9300.

New/Modified FXOS commands: set port-channel-mode

Administrative, Monitoring, and Troubleshooting Features

Support for NTP Authentication on the Firepower 2100

You can now configure SHA1 NTP server authentication in FXOS.

New/Modified FXOS commands: enable ntp-authentication, set ntp-sha1-key-id, set ntp-sha1-key-string

New/Modified Firepower Chassis Manager screens:

Platform Settings > NTP

New/Modified options: NTP Server Authentication: Enable check box, Authentication Key field, Authentication Value field

Packet capture support for matching IPv6 traffic without using an ACL

If you use the match keyword for the capture command, the any keyword only matches IPv4 traffic. You can now specify any4 and any6 keywords to capture either IPv4 or IPv6 traffic. The any keyword continues to match only IPv4 traffic.

New/Modified commands: capture match

No ASDM support.

Support for public key authentication for SSH to FXOS on the Firepower 2100

You can set the SSH key so you can use public key authentication instead of/as well as password authentication.

New/Modified FXOS commands: set sshkey

No Firepower Chassis Manager support.

Support for GRE and IPinIP encapsulation

When you run a packet capture on the inside interface, the output of the command is enhanced to display GRE and IPinIP encapsulation for ICMP, UDP, TCP, and other protocols.

New/Modified commands: show capture

Support to enable memory threshold that restricts application cache allocations

You can restrict application cache allocations once a configured memory threshold is reached, so that memory is reserved to maintain the stability and manageability of the device.

New/Modified commands: memory threshold enable, show run memory threshold, clear conf memory threshold

Support for RFC 5424 logging timestamp

You can enable the logging timestamp as per RFC 5424 format.

New/Modified command: logging timestamp

Support to display memory usage of TCB-IPS

Shows the application-level memory cache for TCB-IPS.

New/Modified command: show memory app-cache

Support to enable and disable the results for free memory and used memory statistics during SNMP walk operations

To avoid overutilization of CPU resources, you can enable and disable the query of free memory and used memory statistics collected through SNMP walk operations.

New/Modified command: snmp-server enable oid

No ASDM support.

New Features in Version 9.9

New Features in ASDM 7.9(2.152)

Released: May 9, 2018

Feature

Description

VPN Features

Support for legacy SAML authentication

If you deploy an ASA with the fix for CSCvg65072, then the default SAML behavior is to use the embedded browser, which is not supported on AnyConnect 4.4 or 4.5. Therefore, to continue to use AnyConnect 4.4 or 4.5, you must enable the legacy external browser SAML authentication method. Because of security limitations, use this option only as part of a temporary plan to migrate to AnyConnect 4.6. This option will be deprecated in the near future.

New/Modified screens:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles page > Connection Profiles area > Add button > Add AnyConnect Connection Profile dialog box

Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles page > Connection Profiles area > Add button > Add Clientless SSL VPN Connection Profile dialog box

New/Modified options: SAML External Browser check box

New Features in ASA 9.9(2)/ASDM 7.9(2)

Released: March 26, 2018

Feature

Description

Platform Features

ASA virtual support for VMware ESXi 6.5

The ASA virtual platform supports hosts running on VMware ESXi 6.5. New VMware hardware versions have been added to the vi.ovf and esxi.ovf files to enable optimal performance and usability of the ASA virtual on ESXi 6.5.

We did not modify any commands.

We did not modify any screens.

ASA virtual support for VMXNET3 interfaces

The ASA virtual platform supports VMXNET3 interfaces on VMware hypervisors.

We did not modify any commands.

We did not modify any screens.

ASA virtual support for virtual serial console on first boot

You can now configure the ASA virtual to use the virtual serial console on first boot, instead of the virtual VGA console, to access and configure the ASA virtual.

New or Modified commands: console serial

ASA Virtual support to update user-defined routes in more than one Azure subscription for High Availability on Microsoft Azure

You can now configure the ASA virtual in an Azure High Availability configuration to update user-defined routes in more than one Azure subscription.

New or Modified commands: failover cloud route-table

New or modified screens: Configuration > Device Management > High Availability and Scalability > Failover > Route-Table

VPN Features

Remote Access VPN multi-context support extended to IKEv2 protocol

Support for configuring the ASA to allow AnyConnect and third-party standards-based IPsec IKEv2 VPN clients to establish Remote Access VPN sessions to an ASA operating in multi-context mode.

IPv6 connectivity to Radius Servers

ASA 9.9.2 now supports IPv6 connectivity to external AAA RADIUS servers.

Easy VPN Enhancements for BVI Support

Easy VPN has been enhanced to support a Bridged Virtual Interface (BVI) as its internal secure interface, and you can now directly configure which interface to use as the internal secure interface. Otherwise, the ASA chooses its internal secure interface using security levels.

Also, management services, such as telnet, http, and ssh, can now be configured on a BVI if VPN management-access has been enabled on that BVI. For non-VPN management access, you should continue to configure these services on the bridge group member interfaces.

New or Modified commands: vpnclient secure interface [interface-name], https, telnet, ssh, management-access

Distributed VPN Session Improvements

  • The Active Session Redistribution logic, which balances Distributed S2S VPN active and backup sessions, has been improved. Also, the balancing process may be repeated up to eight times in the background for a single cluster redistribute vpn-sessiondb command entered by the administrator.

  • The handling of dynamic Reverse Route Injections (RRI) across the cluster has been improved.

High Availability and Scalability Features

Automatically rejoin the cluster after an internal failure

Formerly, many error conditions caused a cluster unit to be removed from the cluster, and you were required to manually rejoin the cluster after resolving the issue. Now, a unit will attempt to rejoin the cluster automatically at the following intervals by default: 5 minutes, 10 minutes, and then 20 minutes. These values are configurable. Internal failures include: application sync timeout; inconsistent application statuses; and so on.

New or Modified commands: health-check system auto-rejoin, show cluster info auto-join

New or modified screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Auto Rejoin

Configurable debounce time to mark an interface as failed for the ASA 5500-X series

You can now configure the debounce time before the ASA considers an interface to be failed and the unit is removed from the cluster on the ASA 5500-X series. This feature allows for faster detection of interface failures. Note that configuring a lower debounce time increases the chances of false-positives. When an interface status update occurs, the ASA waits the number of milliseconds specified before marking the interface as failed and the unit is removed from the cluster. The default debounce time is 500 ms, with a range of 300 ms to 9 seconds. This feature was previously available for the Firepower 4100/9300.

New or modified command: health-check monitor-interface debounce-time

New or modified screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

Show transport related statistics for cluster reliable transport protocol messages

You can now view per-unit cluster reliable transport buffer usage so you can identify packet drop issues when the buffer is full in the control plane.

New or modified command: show cluster info transport cp detail

Show failover history from peer unit

You can now view failover history from the peer unit, using the details keyword. This includes failover state changes and the reason for each state change.

New or modified command: show failover

Interface Features

Unique MAC address generation for single context mode

You can now enable unique MAC address generation for VLAN subinterfaces in single context mode. Normally, subinterfaces share the same MAC address with the main interface. Because IPv6 link-local addresses are generated based on the MAC address, this feature allows for unique IPv6 link-local addresses.

New or modified command: mac-address auto

No ASDM support.

Also in 9.8(3) and 9.8(4).

Administrative Features

RSA key pair supports 3072-bit keys

You can now set the modulus size to 3072.

New or modified command: crypto key generate rsa modulus

New or modified screen: Configuration > Device Management > Certificate Management > Identity Certificates

The FXOS bootstrap configuration now sets the enable password

When you deploy the ASA on the Firepower 4100/9300, the password setting in the bootstrap configuration now sets the enable password as well as the admin user password. Requires FXOS Version 2.3.1.

Monitoring and Troubleshooting Features

SNMP IPv6 support

The ASA now supports SNMP over IPv6, including communicating with SNMP servers over IPv6, allowing the execution of queries and traps over IPv6, and supporting IPv6 addresses for existing MIBs. We added the following new SNMP IPv6 MIB objects as described in RFC 8096.

  • ipv6InterfaceTable (OID: 1.3.6.1.2.1.4.30)—Contains per-interface IPv6-specific information.

  • ipAddressPrefixTable (OID: 1.3.6.1.2.1.4.32)—Includes all the prefixes learned by this entity.

  • ipAddressTable (OID: 1.3.6.1.2.1.4.34)—Contains addressing information relevant to the entity's interfaces.

  • ipNetToPhysicalTable (OID: 1.3.6.1.2.1.4.35)—Contains the mapping from IP addresses to physical addresses.

New or modified command: snmp-server host

Note 

The snmp-server host-group command does not support IPv6.

New or modified screen: Configuration > Device Management > Management Access > SNMP

Conditional Debugging to troubleshoot a single user session

The conditional debugging feature now helps you verify the logs of specific ASA VPN sessions based on the filter conditions that are set. Support for "any, any" for IPv4 and IPv6 subnets is provided.

New Features in ASDM 7.9(1.151)

Released: February 14, 2018

There are no new features in this release.

New Features in ASA 9.9(1)/ASDM 7.9(1)

Released: December 4, 2017

Feature

Description

Firewall Features

Ethertype access control list changes

EtherType access control lists now support Ethernet II IPX (EII IPX). In addition, new keywords are added to the DSAP keyword to support common DSAP values: BPDU (0x42), IPX (0xE0), Raw IPX (0xFF), and ISIS (0xFE). Consequently, existing EtherType access control entries that use the BPDU or ISIS keywords will be converted automatically to use the DSAP specification, and rules for IPX will be converted to 3 rules (DSAP IPX, DSAP Raw IPX, and EII IPX). In addition, packet capture that uses IPX as an EtherType value has been deprecated, because IPX corresponds to 3 separate EtherTypes.

New or modified command: access-list ethertype added the new keywords eii-ipx and dsap {bpdu | ipx | isis | raw-ipx}; capture ethernet-type no longer supports the ipx keyword.

New or modified screen: Configuration > Firewall > Ethertype Rules.

VPN Features

Distributed Site-to-Site VPN with clustering on the Firepower 9300

An ASA cluster on the Firepower 9300 supports Site-to-Site VPN in distributed mode. Distributed mode provides the ability to have many Site-to-Site IPsec IKEv2 VPN connections distributed across members of an ASA cluster, not just on the control unit (as in centralized mode). This significantly scales VPN support beyond Centralized VPN capabilities and provides high availability. Distributed S2S VPN runs on a cluster of up to two chassis, each containing up to three modules (six total cluster members), each module supporting up to 6K active sessions (12K total), for a maximum of approximately 36K active sessions (72K total).

New or modified commands: cluster redistribute vpn-sessiondb, show cluster vpn-sessiondb, vpn mode, show cluster resource usage, show vpn-sessiondb, show connection detail, show crypto ikev2

New or modified screens:

Monitoring > ASA Cluster > ASA Cluster > VPN Cluster Summary

Monitoring > VPN > VPN Statistics > Sessions

Configuration > Device Management > High Availability and Scalability > ASA Cluster

Wizards > Site-to-Site

Monitoring > ASA Cluster > ASA Cluster > System Resource Graphs > CPU/Memory

Monitoring > Logging > Real-Time Log Viewer

High Availability and Scalability Features

Active/Backup High Availability for ASA virtual on Microsoft Azure

A stateless Active/Backup solution that allows for a failure of the active ASA virtual to trigger an automatic failover of the system to the backup ASA virtual in the Microsoft Azure public cloud.

New or modified command: failover cloud

New or modified screens: Configuration > Device Management > High Availability and Scalability > Failover

Monitoring > Properties > Failover > Status

Monitoring > Properties > Failover > History

Also in 9.8(1.200).

Improved chassis health check failure detection for the Firepower chassis

You can now configure a lower holdtime for the chassis health check: 100 ms. The previous minimum was 300 ms.

New or modified command: app-agent heartbeat interval

No ASDM support.

Inter-site redundancy for clustering

Inter-site redundancy ensures that a backup owner for a traffic flow will always be at the other site from the owner. This feature guards against site failure.

New or modified commands: site-redundancy, show asp cluster counter change, show asp table cluster chash-table, show conn flag

New or modified screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

cluster remove unit command behavior matches no enable behavior

The cluster remove unit command now removes a unit from the cluster until you manually reenable clustering or reload, similar to the no enable command. Previously, if you redeployed the bootstrap configuration from FXOS, clustering would be reenabled. Now, the disabled status persists even in the case of a bootstrap configuration redeployment. Reloading the ASA, however, will reenable clustering.

New/Modified command: cluster remove unit

New/Modified screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

Administrative, Monitoring, and Troubleshooting Features

SSH version 1 has been deprecated

SSH version 1 has been deprecated, and will be removed in a future release. The default setting has changed from both SSH v1 and v2 to just SSH v2.

New/Modified commands: ssh version

New/Modified screens:

  • Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

Enhanced packet tracer and packet capture capabilities

The packet tracer has been enhanced with the following features:

  • Trace a packet when it passes between cluster units.

  • Allow simulated packets to egress the ASA.

  • Bypass security checks for a simulated packet.

  • Treat a simulated packet as an IPsec/SSL decrypted packet.

The packet capture has been enhanced with the following features:

  • Capture packets after they are decrypted.

  • Capture traces and retain them in the persistent list.

New or modified commands: cluster exec capture test trace include-decrypted, cluster exec capture test trace persist, cluster exec clear packet-tracer, cluster exec show packet-tracer id, cluster exec show packet-tracer origin, packet-tracer persist, packet-tracer transmit, packet-tracer decrypted, packet-tracer bypass-checks

New or modified screens:

Tools > Packet Tracer

We added the Cluster Capture field to support these options: decrypted, persist, bypass-checks, transmit

We added two new options, Origin and Origin-ID, in the Filter By view under the All Sessions drop-down list

Monitoring > VPN > VPN Statistics > Packet Tracer and Capture

We added the ICMP Capture field in the Packet Capture Wizard screen: Wizards > Packet Capture Wizard

We added two options, include-decrypted and persist, to support ICMP Capture.

New Features in Version 9.8

New Features in ASA 9.8(4)

Released: April 24, 2019

Feature

Description

VPN Features

Add subdomains to webVPN HSTS

Allows domain owners to submit what domains should be included in the HSTS preload list for web browsers.

New/Modified commands: hostname(config-webvpn) includesubdomains

New/Modified screens:

Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Proxies > Enable HSTS Subdomains field

Also in 9.12(1).

Administrative Features

Allow non-browser-based HTTPS clients to access the ASA

You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed. Many specialty clients (for example, Python libraries, curl, and wget) do not support Cross-site request forgery (CSRF) token-based authentication, so you need to specifically allow these clients to use the ASA basic authentication method. For security purposes, you should only allow required clients.

New/Modified commands: http server basic-auth-client

New/Modified screens:

Configuration > Device Management > Management Access > HTTP Non-Browser Client Support

Also in 9.12(1).

show tech-support includes additional output

The output of the show tech-support command is enhanced to include the output of the following commands:

  • show ipv6 interface

  • show aaa-server

  • show fragment

New/Modified commands: show tech-support

Also in 9.12(1).

Support to enable and disable the results for free memory and used memory statistics during SNMP walk operations

To avoid overutilization of CPU resources, you can enable and disable the query of free memory and used memory statistics collected through SNMP walk operations.

New/Modified command: snmp-server enable oid

New or modified screen: Configuration > Device Management > Management Access > SNMP

Also in 9.10(1).

New Features in ASA 9.8(3)/ASDM 7.9(2.152)

Released: July 2, 2018

Feature

Description

Platform Features

Firepower 2100 Active LED now lights amber when in standby mode

Formerly, the Active LED was unlit in standby mode.

Firewall Features

Support for removing the logout button from the cut-through proxy login page.

If you configure the cut-through proxy to obtain user identity information (the AAA authentication listener), you can now remove the logout button from the page. This is useful in cases where users connect from behind a NAT device and cannot be distinguished by IP address: when one user logs out, it logs out all users of that IP address.

New/Modified commands: aaa authentication listener no-logout-button.

No ASDM support.

Trustsec SXP connection configurable delete hold down timer

The default SXP connection hold down timer is 120 seconds. You can now configure this timer, from 120 to 64000 seconds.

New/Modified commands: cts sxp delete-hold-down period, show cts sxp connection brief, show cts sxp connections

No ASDM support.

VPN Features

Support for legacy SAML authentication

If you deploy an ASA with the fix for CSCvg65072, then the default SAML behavior is to use the embedded browser, which is not supported on AnyConnect 4.4 or 4.5. Therefore, to continue to use AnyConnect 4.4 or 4.5, you must enable the legacy external browser SAML authentication method. Because of security limitations, use this option only as part of a temporary plan to migrate to AnyConnect 4.6. This option will be deprecated in the near future.

New/Modified commands: saml external-browser

New/Modified screens:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles page > Connection Profiles area > Add button > Add AnyConnect Connection Profile dialog box

Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles page > Connection Profiles area > Add button > Add Clientless SSL VPN Connection Profile dialog box

New/Modified options: SAML External Browser check box

Interface Features

Unique MAC address generation for single context mode

You can now enable unique MAC address generation for VLAN subinterfaces in single context mode. Normally, subinterfaces share the same MAC address with the main interface. Because IPv6 link-local addresses are generated based on the MAC address, this feature allows for unique IPv6 link-local addresses.

New or modified command: mac-address auto

No ASDM support.

Also in 9.9(2) and later.
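To see why sharing one MAC across subinterfaces yields duplicate link-local addresses, the following added example (not Cisco code) derives the fe80::/64 address from a MAC using modified EUI-64 as defined in RFC 4291 and reports interfaces that would end up with the same address. The MAC values and interface names are constructed for illustration.

```python
"""Derive IPv6 link-local addresses from MACs (modified EUI-64, RFC 4291 appendix A).

Added example for this document, not Cisco code. It shows why subinterfaces
that inherit the parent interface's MAC get identical link-local addresses,
and why per-subinterface unique MACs give unique addresses. MACs are constructed.
"""
import ipaddress


def mac_to_link_local(mac: str) -> ipaddress.IPv6Address:
    """Return the fe80::/64 address built from a 48-bit MAC by modified EUI-64."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    # Insert 0xFFFE between the OUI and the device-specific half ...
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # ... and invert the universal/local bit (bit 1 of the first octet).
    eui64[0] ^= 0x02
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(eui64))


def link_local_collisions(ifaces: dict) -> dict:
    """Map each derived link-local address to the interfaces that would use it.

    ifaces: {interface name: MAC string}. Only addresses shared by more than
    one interface are returned; those are the duplicates the feature avoids.
    """
    by_addr = {}
    for name, mac in ifaces.items():
        by_addr.setdefault(mac_to_link_local(mac), []).append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample: without unique MAC generation, subinterfaces inherit
    # the parent MAC, so all three derive the same link-local address.
    shared = {
        "GigabitEthernet0/1": "00:1b:2c:3d:4e:5f",
        "GigabitEthernet0/1.10": "00:1b:2c:3d:4e:5f",
        "GigabitEthernet0/1.20": "00:1b:2c:3d:4e:5f",
    }
    for addr, names in link_local_collisions(shared).items():
        print(f"{addr} shared by {', '.join(names)}")
```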

New Features in ASDM 7.8(2.151)

Released: October 12, 2017

Feature

Description

Firewall Features

Ethertype access control list changes

EtherType access control lists now support Ethernet II IPX (EII IPX). In addition, new keywords are added to the DSAP keyword to support common DSAP values: BPDU (0x42), IPX (0xE0), Raw IPX (0xFF), and ISIS (0xFE). Consequently, existing EtherType access control entries that use the BPDU or ISIS keywords will be converted automatically to use the DSAP specification, and rules for IPX will be converted to 3 rules (DSAP IPX, DSAP Raw IPX, and EII IPX). In addition, packet capture that uses IPX as an EtherType value has been deprecated, because IPX corresponds to 3 separate EtherTypes.

This feature is supported in 9.8(2.9) and other interim releases. For more information, see CSCvf57908.

We modified the following commands: access-list ethertype added the new keywords eii-ipx and dsap {bpdu | ipx | isis | raw-ipx}; capture ethernet-type no longer supports the ipx keyword.

We modified the following screens: Configuration > Firewall > Ethertype Rules.

New Features in ASA 9.8(2)/ASDM 7.8(2)

Released: August 28, 2017

Feature

Description

Platform Features

ASA for the Firepower 2100 series

We introduced the ASA for the Firepower 2110, 2120, 2130, and 2140. Similar to the Firepower 4100 and 9300, the Firepower 2100 runs the base FXOS operating system and then the ASA operating system as an application. The Firepower 2100 implementation couples FXOS more closely with the ASA than the Firepower 4100 and 9300 do (pared down FXOS functions, single device image bundle, easy management access for both ASA and FXOS).

FXOS owns configuring hardware settings for interfaces, including creating EtherChannels, as well as NTP services, hardware monitoring, and other basic functions. You can use the Firepower Chassis Manager or the FXOS CLI for this configuration. The ASA owns all other functionality, including Smart Licensing (unlike the Firepower 4100 and 9300). The ASA and FXOS each have their own IP address on the Management 1/1 interface, and you can configure management of both the ASA and FXOS instances from any data interface.

We introduced the following commands: connect fxos, fxos https, fxos snmp, fxos ssh, ip-client

We introduced the following screens:

Configuration > Device Management > Management Access > FXOS Remote Management

Department of Defense Unified Capabilities Approved Products List

The ASA was updated to comply with the Unified Capabilities Approved Products List (UC APL) requirements. In this release, when you enter the fips enable command, the ASA will reload. Both failover peers must be in the same FIPS mode before you enable failover.

We modified the following command: fips enable

ASA virtual for Amazon Web Services M4 instance support

You can now deploy the ASA virtual as an M4 instance.

We did not modify any commands.

We did not modify any screens.

ASAv5 1.5 GB RAM capability

Starting in Version 9.7(1), the ASAv5 may experience memory exhaustion where certain functions such as enabling AnyConnect or downloading files to the ASA virtual fail. You can now assign 1.5 GB (up from 1 GB) of RAM to the ASAv5.

We did not modify any commands.

We did not modify any screens.

VPN Features

HTTP Strict Transport Security (HSTS) header support

HSTS protects websites against protocol downgrade attacks and cookie hijacking on clientless SSL VPN. It lets web servers declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

We introduced the following commands: hsts enable, hsts max-age age_in_seconds

We modified the following screens: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Proxies
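To verify what the clientless SSL VPN portal actually sends once hsts enable, hsts max-age and the subdomain option (described under 9.8(4) above) are configured, the following added example (not Cisco code) parses a Strict-Transport-Security header the way RFC 6797 tells a user agent to and flags weak settings. The header values it is run against are constructed, not captured from a device.

```python
"""Check a Strict-Transport-Security header as a browser interprets it (RFC 6797).

Added example for this document, not Cisco code. The sample header values are
constructed; feed it the real header from a portal response to check the
effect of 'hsts enable', 'hsts max-age' and the include-subdomains option.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One year in seconds: the minimum max-age the browser preload lists require.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse an STS header value; return None when a user agent would ignore it.

    RFC 6797 section 6.1: directives are ';'-separated, names are
    case-insensitive, max-age is required, each directive may appear at most
    once, and unrecognized directives are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # duplicate directive: the whole header is ignored
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", value):
                return None  # max-age must be a non-negative integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(header: str) -> List[str]:
    """Return defender-oriented findings for a header value (empty means fine)."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header is malformed or lacks max-age; browsers will ignore it"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 removes the policy; HSTS is effectively disabled")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age is shorter than one year; too short for preload")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing; subdomains stay unprotected")
    if policy.preload and (not policy.include_subdomains
                           or policy.max_age < PRELOAD_MIN_MAX_AGE):
        findings.append("preload directive present but preload prerequisites not met")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not output captured from an ASA.
    for value in ("max-age=31536000; includeSubDomains; preload",
                  "max-age=86400", "includeSubDomains"):
        print(f"{value!r}: {hsts_findings(value) or 'ok'}")
```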

Interface Features

VLAN support for the ASAv50

The ASAv50 now supports VLANs on the ixgbe-vf vNIC for SR-IOV interfaces.

We did not modify any commands.

We did not modify any screens.

New Features in ASA 9.8(1.200)

Released: July 30, 2017


Note

This release is only supported on the ASA virtual for Microsoft Azure. These features are not supported in Version 9.8(2).


Feature

Description

High Availability and Scalability Features

Active/Backup High Availability for ASA virtual on Microsoft Azure

A stateless Active/Backup solution that allows for a failure of the active ASA virtual to trigger an automatic failover of the system to the backup ASA virtual in the Microsoft Azure public cloud.

We introduced the following commands: failover cloud

No ASDM support.

New Features in ASDM 7.8(1.150)

Released: June 20, 2017

There are no new features in this release.

New Features in ASA 9.8(1)/ASDM 7.8(1)

Released: May 15, 2017

Feature

Description

Platform Features

ASAv50 platform

The ASA virtual platform has added a high-end performance ASAv50 platform that provides 10 Gbps Firewall throughput levels. The ASAv50 requires ixgbe-vf vNICs, which are supported on VMware and KVM only.

SR-IOV on the ASA virtual platform

The ASA virtual platform supports Single Root I/O Virtualization (SR-IOV) interfaces, which allow multiple VMs to share a single PCIe network adapter inside a host. ASA virtual SR-IOV support is available on VMware, KVM, and AWS only.

Automatic ASP load balancing now supported for the ASA virtual

Formerly, you could only manually enable and disable ASP load balancing.

We modified the following command: asp load-balance per-packet auto

We modified the following screen: Configuration > Device Management > Advanced > ASP Load Balancing

Firewall Features

Support for setting the TLS proxy server SSL cipher suite

You can now set the SSL cipher suite when the ASA acts as a TLS proxy server. Formerly, you could only set global settings for the ASA using the ssl cipher command on the Configuration > Device Management > Advanced > SSL Settings > Encryption page.

We introduced the following command: server cipher-suite

We modified the following screen: Configuration > Firewall > Unified Communications > TLS Proxy, Add/Edit dialog boxes, Server Configuration page.

Global timeout for ICMP errors

You can now set the idle time before the ASA removes an ICMP connection after receiving an ICMP echo-reply packet. When this timeout is disabled (the default), and you enable ICMP inspection, then the ASA removes the ICMP connection as soon as an echo-reply is received; thus any ICMP errors that are generated for the (now closed) connection are dropped. This timeout delays the removal of ICMP connections so you can receive important ICMP errors.

We added the following command: timeout icmp-error

We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts.

High Availability and Scalability Features

Improved cluster unit health-check failure detection

You can now configure a lower holdtime for the unit health check: .3 seconds minimum. The previous minimum was .8 seconds. This feature changes the unit health check messaging scheme to heartbeats in the data plane from keepalives in the control plane. Using heartbeats improves the reliability and the responsiveness of clustering by not being susceptible to control plane CPU hogging and scheduling delays. Note that configuring a lower holdtime increases cluster control link messaging activity. We suggest that you analyze your network before you configure a low holdtime; for example, make sure a ping from one unit to another over the cluster control link returns within the holdtime/3, because there will be three heartbeat messages during one holdtime interval. If you downgrade your ASA software after setting the hold time to .3 - .7, this setting will revert to the default of 3 seconds because the new setting is unsupported.

We modified the following commands: health-check holdtime, show asp drop cluster counter, show cluster info health details

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

Configurable debounce time to mark an interface as failed for the Firepower 4100/9300 chassis

You can now configure the debounce time before the ASA considers an interface to be failed, and the unit is removed from the cluster. This feature allows for faster detection of interface failures. Note that configuring a lower debounce time increases the chances of false-positives. When an interface status update occurs, the ASA waits the number of milliseconds specified before marking the interface as failed and the unit is removed from the cluster. The default debounce time is 500 ms, with a range of 300 ms to 9 seconds.

New or modified command: health-check monitor-interface debounce-time

New or modified screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

VPN Features

Support for IKEv2, certificate based authentication, and ACL in VTI

Virtual Tunnel Interface (VTI) now supports BGP (static VTI). You can now use IKEv2 in standalone and high availability modes. You can use certificate based authentication by setting up a trustpoint in the IPsec profile. You can also apply access lists on VTI using access-group commands to filter ingress traffic.

We introduced the following command in the IPsec profile configuration mode: set trustpoint.

We introduced options to select the trustpoint for certificate based authentication in the following screen:

Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets) > IPsec Profile > Add

Mobile IKEv2 (MobIKE) is enabled by default

Mobile devices operating as remote access clients require transparent IP address changes while moving. Supporting MobIKE on ASA allows a current IKE security association (SA) to be updated without deleting the current SA. MobIKE is “always on.”

We introduced the following command: ikev2 mobike-rrc, which enables or disables return routability checking.

SAML 2.0 SSO Updates

The default signing method for a signature in a SAML request changed from SHA1 to SHA2, and you can configure which signing method you prefer: rsa-sha1, rsa-sha256, rsa-sha384, or rsa-sha512.

We changed the following command in webvpn mode: saml idp signature can be configured with a value. Disabled is still the default.

We introduced changes to the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Single Sign On Servers > Add.

Change for tunnelgroup webvpn-attributes

We changed the pre-fill-username and secondary-pre-fill-username value from ssl-client to client.

We changed the following commands in webvpn mode: pre-fill-username and secondary-pre-fill-username can be configured with a client value.

AAA Features

Login history

By default, the login history is saved for 90 days. You can disable this feature or change the duration, up to 365 days. This feature only applies to usernames in the local database when you enable local AAA authentication for one or more of the management methods (SSH, ASDM, Telnet, and so on).

We introduced the following commands: aaa authentication login-history, show aaa login-history

We introduced the following screen: Configuration > Device Management > Users/AAA > Login History

Password policy enforcement to prohibit the reuse of passwords, and prohibit use of a password matching a username

You can now prohibit the reuse of previous passwords for up to 7 generations, and you can also prohibit the use of a password that matches a username.

We introduced the following commands: password-history, password-policy reuse-interval, password-policy username-check

We modified the following screen: Configuration > Device Management > Users/AAA > Password Policy

Separate authentication for users with SSH public key authentication and users with passwords

In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication) without also explicitly enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies to usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius_1, for example). As a result, some users can use public key authentication with the local database while other users use passwords with RADIUS.

We did not modify any commands.

We did not modify any screens.

Also in Version 9.6(3).

Monitoring and Troubleshooting Features

Saving currently-running packet captures when the ASA crashes

Formerly, active packet captures were lost if the ASA crashed. Now, packet captures are saved to disk 0 at the time of the crash with the filename [context_name.]capture_name.pcap.

We did not modify any commands.

We did not modify any screens.

New Features in Version 9.7

New Features in ASDM 7.7(1.151)

Released: April 28, 2017


Note

ASDM 7.7(1.150) was removed from Cisco.com due to bug CSCvd90344.


Feature

Description

Admin Features

New background service for the ASDM upgrade tool

ASDM uses a new background service for Tools > Check for ASA/ASDM Upgrades. The older service used by earlier versions of ASDM will be discontinued by Cisco in the future.

New Features in ASA 9.7(1.4)/ASDM 7.7(1)

Released: April 4, 2017


Note

Version 9.7(1) was removed from Cisco.com due to bug CSCvd78303.


Feature

Description

Platform Features

New default configuration for the ASA 5506-X series using Integrated Routing and Bridging

A new default configuration will be used for the ASA 5506-X series. The Integrated Bridging and Routing feature provides an alternative to using an external Layer 2 switch. For users replacing the ASA 5505, which includes a hardware switch, this feature lets you replace the ASA 5505 with an ASA 5506-X or other ASA model without using additional hardware.

The new default configuration includes:

  • outside interface on GigabitEthernet 1/1, IP address from DHCP

  • inside bridge group BVI 1 with GigabitEthernet 1/2 (inside1) through 1/8 (inside7), IP address 192.168.1.1

  • inside --> outside traffic flow

  • inside --> inside traffic flow for member interfaces

  • (ASA 5506W-X) wifi interface on GigabitEthernet 1/9, IP address 192.168.10.1

  • (ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow

  • DHCP for clients on inside and wifi. The access point itself and all its clients use the ASA as the DHCP server.

  • Management 1/1 interface is Up, but otherwise unconfigured. The ASA FirePOWER module can then use this interface to access the ASA inside network and use the inside interface as the gateway to the Internet.

  • ASDM access—inside and wifi hosts allowed.

  • NAT—Interface PAT for all traffic from inside, wifi, and management to outside.

If you are upgrading, you can either erase your configuration and apply the default using the configure factory-default command, or you can manually configure a BVI and bridge group members to suit your needs. Note that to easily allow intra-bridge group communication, you need to enable the same-security-traffic permit inter-interface command (this command is already present for the ASA 5506W-X default configuration).

Alarm ports support on the ISA 3000

The ISA 3000 supports two alarm input interfaces and one alarm out interface. External sensors such as door sensors can be connected to the alarm inputs. External devices like buzzers can be connected to the alarm out interface. Triggered alarms are conveyed through two LEDs, syslogs, SNMP traps, and through devices connected to the alarm out interface. You can configure descriptions of external alarms. You can also specify the severity and trigger for external and internal alarms. All alarms can be configured for relay, monitoring, and logging.

We introduced the following commands: alarm contact description, alarm contact severity, alarm contact trigger, alarm facility input-alarm, alarm facility power-supply rps, alarm facility temperature, alarm facility temperature high, alarm facility temperature low, clear configure alarm, clear facility-alarm output, show alarm settings, show environment alarm-contact.

We introduced the following screens:

Configuration > Device Management > Alarm Port > Alarm Contact

Configuration > Device Management > Alarm Port > Redundant Power Supply

Configuration > Device Management > Alarm Port > Temperature

Monitoring > Properties > Alarm > Alarm Settings

Monitoring > Properties > Alarm > Alarm Contact

Monitoring > Properties > Alarm > Facility Alarm Status

Microsoft Azure Security Center support on the ASAv10

Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. Microsoft Azure Security Center is a Microsoft orchestration and management layer on top of Azure that simplifies the deployment of a highly secure public cloud infrastructure. Integration of the ASA virtual into Azure Security Center allows the ASA virtual to be offered as a firewall option to protect Azure environments.

Precision Time Protocol (PTP) for the ISA 3000

The ISA 3000 supports PTP, a time synchronization protocol for nodes distributed across a network. It provides greater accuracy than other time synchronization protocols, such as NTP, due to its hardware timestamp feature. The ISA 3000 supports PTP forward mode, as well as the one-step, end-to-end transparent clock. We added the following commands to the default configuration to ensure that PTP traffic is not sent to the ASA FirePOWER module for inspection. If you have an existing deployment, you need to manually add these commands:


object-group service bypass_sfr_inspect
  service-object udp destination range 319 320
access-list sfrAccessList extended deny object-group bypass_sfr_inspect any any

We introduced the following commands: debug ptp, ptp domain, ptp mode e2etransparent, ptp enable, show ptp clock, show ptp internal-info, show ptp port

We introduced the following screens:

Configuration > Device Management > PTP

Monitoring > Properties > PTP

Automatic Backup and Restore for the ISA 3000

You can enable auto-backup and/or auto-restore functionality using pre-set parameters in the backup and restore commands. The use cases for these features include initial configuration from external media; device replacement; roll back to an operable state.

We introduced the following commands: backup-package location, backup-package auto, show backup-package status, show backup-package summary

We introduced the following screen: Configuration > Device Management > Auto Backup & Restore Configuration

Firewall Features

Support for SCTP multi-streaming reordering and reassembly and fragmentation. Support for SCTP multi-homing, where the SCTP endpoints have more than one IP address.

The system now fully supports SCTP multi-streaming reordering, reassembly, and fragmentation, which improves Diameter and M3UA inspection effectiveness for SCTP traffic. The system also supports SCTP multi-homing, where the endpoints have more than one IP address each. For multi-homing, the system opens pinholes for the secondary addresses so that you do not need to write access rules to allow them. SCTP endpoints must be limited to 3 IP addresses each.

We modified the output of the following command: show sctp detail.

We did not modify any screens.

M3UA inspection improvements.

M3UA inspection now supports stateful failover, semi-distributed clustering, and multihoming. You can also configure strict application server process (ASP) state validation and validation for various messages. Strict ASP state validation is required for stateful failover and clustering.

We added or modified the following commands: clear service-policy inspect m3ua session [assocID id], match port sctp, message-tag-validation, show service-policy inspect m3ua drop, show service-policy inspect m3ua endpoint, show service-policy inspect m3ua session, show service-policy inspect m3ua table, strict-asp-state, timeout session.

We modified the following screens: Configuration > Firewall > Objects > Inspection Maps > M3UA Add/Edit dialog boxes.

Support for TLSv1.2 in TLS proxy and Cisco Unified Communications Manager 10.5.2.

You can now use TLSv1.2 with TLS proxy for encrypted SIP or SCCP inspection with the Cisco Unified Communications Manager 10.5.2. The TLS proxy supports the additional TLSv1.2 cipher suites added as part of the client cipher-suite command.

We modified the following commands: client cipher-suite

We did not modify any screens.

Integrated Routing and Bridging

Integrated Routing and Bridging provides the ability to route between a bridge group and a routed interface. A bridge group is a group of interfaces that the ASA bridges instead of routes. The ASA is not a true bridge in that the ASA continues to act as a firewall: access control between interfaces is controlled, and all of the usual firewall checks are in place. Previously, you could only configure bridge groups in transparent firewall mode, where you cannot route between bridge groups. This feature lets you configure bridge groups in routed firewall mode, and to route between bridge groups and between a bridge group and a routed interface. The bridge group participates in routing by using a Bridge Virtual Interface (BVI) to act as a gateway for the bridge group. Integrated Routing and Bridging provides an alternative to using an external Layer 2 switch if you have extra interfaces on the ASA to assign to the bridge group. In routed mode, the BVI can be a named interface and can participate separately from member interfaces in some features, such as access rules and DHCP server.

The following features that are supported in transparent mode are not supported in routed mode: multiple context mode, ASA clustering. The following features are also not supported on BVIs: dynamic routing and multicast routing.

We modified the following commands: access-group, access-list ethertype, arp-inspection, dhcpd, mac-address-table static, mac-address-table aging-time, mac-learn, route, show arp-inspection, show bridge-group, show mac-address-table, show mac-learn

We modified the following screens:

Configuration > Device Setup > Interface Settings > Interfaces

Configuration > Device Setup > Routing > Static Routes

Configuration > Device Management > DHCP > DHCP Server

Configuration > Firewall > Access Rules

Configuration > Firewall > EtherType Rules

VM Attributes

You can define network objects to filter traffic according to attributes associated with one or more Virtual Machines (VMs) in a VMware ESXi environment managed by VMware vCenter. You can define access control lists (ACLs) to assign policies to traffic from groups of VMs sharing one or more attributes.

We added the following command: show attribute.

We added the following screen:

Configuration > Firewall > VM Attribute Agent

Stale route timeout for interior gateway protocols

You can now configure the timeout for removing stale routes for interior gateway protocols such as OSPF.

We added the following command: timeout igp stale-route.

We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts.

Network object limitations for object group search.

You can reduce the memory required to search access rules by enabling object group search with the object-group-search access-control command. When enabled, object group search does not expand network or service objects, but instead searches access rules for matches based on those group definitions.

Starting with this release, the following limitation is applied: For each connection, both the source and destination IP addresses are matched against network objects. If the number of objects matched by the source address times the number matched by the destination address exceeds 10,000, the connection is dropped.

This check is to prevent performance degradation. Configure your rules to prevent an excessive number of matches.
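The following Python is an added illustration of the match-count check described above; it is not ASA code. It models network objects as a name-to-CIDR mapping (constructed sample data), counts how many objects a source and a destination address each fall into, and reports whether their product exceeds 10,000. It deliberately goes a little beyond the note by also listing which object definitions overlap for a given address, which is what you need in order to tighten the rules. Real ASA object groups can also contain hosts, ranges and nested groups, which this model does not cover.

```python
"""Estimate exposure to the object-group-search match limit.

Added illustration, not ASA code. Network objects are modelled as a
name -> CIDR mapping (constructed sample data); the check is the one the
release note states: source matches * destination matches > 10,000 drops
the connection.
"""
import ipaddress

MATCH_LIMIT = 10_000  # product limit stated in the release note


def count_matches(objects, ip):
    """Number of network objects whose prefix contains ip (v4/v6 aware)."""
    addr = ipaddress.ip_address(ip)
    return sum(
        1 for prefix in objects.values()
        if addr in ipaddress.ip_network(prefix, strict=False)
    )


def would_drop(objects, src_ip, dst_ip, limit=MATCH_LIMIT):
    """Return (dropped, src_matches, dst_matches) for one connection."""
    src = count_matches(objects, src_ip)
    dst = count_matches(objects, dst_ip)
    return src * dst > limit, src, dst


def worst_objects(objects, ip, top=5):
    """Names of the objects that contain ip, to see which definitions overlap."""
    addr = ipaddress.ip_address(ip)
    hits = [name for name, prefix in objects.items()
            if addr in ipaddress.ip_network(prefix, strict=False)]
    return hits[:top]


# Constructed: a small, well-scoped object set. Each address lands in a
# handful of objects, so the product stays tiny.
SANE_OBJECTS = {
    "inside-net": "192.168.1.0/24",
    "dmz-net": "172.16.0.0/16",
    "any4": "0.0.0.0/0",
    "v6-lan": "2001:db8::/32",
}

# Constructed: 101 overlapping objects that all cover 10.0.0.0/23 or more.
# An address in 10.0.0.0/23 matches every one of them, so a flow between two
# such addresses scores 101 * 101 = 10,201 and trips the limit.
OVERLAPPING_OBJECTS = {
    f"corp-net-{i}": f"10.0.0.0/{8 + i % 16}" for i in range(101)
}

if __name__ == "__main__":
    for label, objs, src, dst in [
        ("sane", SANE_OBJECTS, "192.168.1.10", "172.16.5.5"),
        ("overlapping", OVERLAPPING_OBJECTS, "10.0.0.5", "10.0.0.9"),
    ]:
        dropped, s, d = would_drop(objs, src, dst)
        print(f"{label}: {src} -> {dst} matches {s} x {d} = {s * d}, drop={dropped}")
```

Run it against an export of your own network objects to find addresses whose source/destination match product approaches the limit; the overlapping set shows the typical cause, many near-duplicate supernets that all contain the same hosts.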

Routing Features

31-bit Subnet Mask

For routed interfaces, you can configure an IP address on a 31-bit subnet for point-to-point connections. The 31-bit subnet includes only 2 addresses; normally, the first and last addresses in a subnet are reserved for the network and broadcast addresses, so a 2-address subnet is not usable. However, if you have a point-to-point connection and do not need network or broadcast addresses, a 31-bit subnet is a useful way to preserve addresses in IPv4. For example, the failover link between 2 ASAs only requires 2 addresses; any packet that is transmitted by one end of the link is always received by the other, and broadcasting is unnecessary. You can also have a directly-connected management station running SNMP or Syslog. This feature is not supported for BVIs for bridge groups or with multicast routing.

We modified the following commands: ip address, http, logging host, snmp-server host, ssh

We modified the following screens:

Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > General

High Availability and Scalability Features

Inter-site clustering improvement for the ASA on the Firepower 4100/9300 chassis

You can now configure the site ID for each Firepower 4100/9300 chassis when you deploy the ASA cluster. Previously, you had to configure the site ID within the ASA application; this new feature eases initial deployment. Note that you can no longer set the site ID within the ASA configuration. Also, for best compatibility with inter-site clustering, we recommend that you upgrade to ASA 9.7(1) and FXOS 2.1.1, which includes several improvements to stability and performance.

We modified the following command: site-id

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration

Director localization: inter-site clustering improvement for data centers

To improve performance and keep traffic within a site for inter-site clustering for data centers, you can enable director localization. New connections are typically load-balanced and owned by cluster members within a given site. However, the ASA assigns the director role to a member at any site. Director localization enables additional director roles: a local director at the same site as the owner, and a global director that can be at any site. Keeping the owner and director at the same site improves performance. Also, if the original owner fails, the local director chooses a new connection owner at the same site. The global director is used if a cluster member receives packets for a connection that is owned on a different site.

We introduced or modified the following commands: director-localization, show asp table cluster chash, show conn, show conn detail

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration

Interface link state monitoring polling for failover now configurable for faster detection

By default, each ASA in a failover pair checks the link state of its interfaces every 500 msec. You can now configure the polling interval, between 300 msec and 799 msec; for example, if you set the polltime to 300 msec, the ASA can detect an interface failure and trigger failover faster.

We introduced the following command: failover polltime link-state

We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Criteria

Bidirectional Forwarding Detection (BFD) support for Active/Standby failover health monitoring on the Firepower 9300 and 4100

You can enable Bidirectional Forwarding Detection (BFD) for the failover health check between two units of an Active/Standby pair on the Firepower 9300 and 4100. Using BFD for the health check is more reliable than the default health check method and uses less CPU.

We introduced the following command: failover health-check bfd

We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup

VPN Features

Dynamic RRI for IKEv2 static crypto maps

Dynamic Reverse Route Injection occurs upon the successful establishment of IPsec Security Associations (SAs) when dynamic is specified for a crypto map. Routes are added based on the negotiated selector information. The routes are deleted after the IPsec SAs are deleted. Dynamic RRI is supported on IKEv2 based static crypto maps only.

We modified the following command: crypto map set reverse-route.

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps > Add/Edit > Tunnel Policy (Crypto Maps) - Advanced

Virtual Tunnel Interface (VTI) support for ASA VPN module

The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.

We introduced the following commands: crypto ipsec profile, interface tunnel, responder-only, set ikev1 transform-set, set pfs, set security-association lifetime, tunnel destination, tunnel mode ipsec, tunnel protection ipsec profile, tunnel source interface.

We introduced the following screens:

Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets) > IPsec Profile

Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets) > IPsec Profile > Add > Add IPsec Profile

Configuration > Device Setup > Interface Settings > Interfaces > Add > VTI Interface

Configuration > Device Setup > Interface Settings > Interfaces > Add > VTI Interface > General

Configuration > Device Setup > Interface Settings > Interfaces > Add > VTI Interface > Advanced

SAML 2.0 based SSO for AnyConnect

SAML 2.0-based service provider IdP is supported in a private network. With the ASA as a gateway between the user and services, authentication on IdP is handled with a restricted anonymous webvpn session, and all traffic between IdP and the user is translated.

We added the following command: saml idp

We modified the following commands: debug webvpn saml, show saml metadata

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Single Sign On Servers > Add SSO Server.

CMPv2

To be positioned as a security gateway device in wireless LTE networks, the ASA now supports certain management functions using the Certificate Management Protocol (CMPv2).

We modified the following commands: enrollment url, keypair, auto-update, crypto-ca-trustpoint, show crypto ca server certificates, show crypto key, show tech-support

We modified the following screens: Configuration > Remote Access VPN > Certificate Management > Identity Certificates > Add an Identity Certificate

Multiple certificate authentication

You can now validate multiple certificates per session with AnyConnect SSL and IKEv2 client protocols. The Aggregate Authentication protocol has been extended to define the protocol exchange for multiple-certificate authentication and utilize this for both session types.

We modified the following command: authentication {[aaa] [certificate | multiple-certificate] | saml}

We modified the following screens:

Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Edit AnyConnect Connection Profile

Configuration > Remote Access VPN > Network Client Access > AnyConnect Connection Profiles > Edit AnyConnect Connection Profiles

Increase split-tunneling routing limit

The limit for split-tunneling routes for AC-SSL and AC-IKEv2 was increased from 200 to 1200. The IKEv1 limit was left at 200.

Smart Tunnel Support on Chrome

A new method for smart-tunnel support in the Chrome browser on Mac and Windows devices was created. A Chrome Smart Tunnel Extension has replaced Netscape Plugin Application Program Interfaces (NPAPIs) that are no longer supported on Chrome. If you click on the smart tunnel enabled bookmark in Chrome without the extension already being installed, you are redirected to the Chrome Web Store to obtain the extension. New Chrome installations will direct the user to the Chrome Web Store to download the extension. The extension downloads the binaries from ASA that are required to run smart tunnel. Your usual bookmark and application configuration while using smart tunnel is unchanged other than the process of installing the new extension.

Clientless SSL VPN: Session information for all web interfaces

All web interfaces will now display details of the current session, including the user name used to login, and user privileges which are currently assigned. This will help the user be aware of the current user session and will improve user security.

Clientless SSL VPN: Validation of all cookies for web applications' sessions

All web applications will now grant access only after validating all security-related cookies. In each request, each cookie with an authentication token or a session ID will be verified before granting access to the user session. Multiple session cookies in the same request will result in the connection being dropped. Cookies with failed validations will be treated as invalid and the event will be added to the audit log.
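As an added illustration (not ASA code) of the cookie rules just described, the following Python validates the security-related cookies in a request: every protected cookie present must carry a genuine HMAC tag, more than one session cookie in the same request causes the connection to be dropped, and a cookie that fails validation is treated as invalid and written to an audit log. The cookie names, the signing key and the audit-log format are constructed for the example.

```python
"""Session-cookie validation in the spirit of the rule described above.

Added illustration, not ASA code. Cookie names, the signing key and the
audit-log format are constructed for the example. Rules implemented:
  * every security-related cookie present must validate (HMAC tag)
  * more than one session cookie in one request -> connection dropped
  * a cookie that fails validation is treated as invalid and audited
"""
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key-rotate-me"   # per-deployment secret (constructed)
SESSION_COOKIE = "session_id"                    # constructed cookie name
AUTH_TOKEN_COOKIE = "auth_token"                 # constructed cookie name
PROTECTED = (SESSION_COOKIE, AUTH_TOKEN_COOKIE)


def issue_token(value, key=SECRET_KEY):
    """Bind value to an HMAC-SHA256 tag: '<value>.<hex tag>'."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_token(token, key=SECRET_KEY):
    """Return the protected value if the tag is genuine, else None."""
    value, sep, tag = token.rpartition(".")
    if not sep or not value:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, tag) else None


def parse_cookie_header(header):
    """Split a Cookie header into (name, value) pairs, keeping duplicates.

    http.cookies.SimpleCookie collapses duplicate names, which would hide
    exactly the condition the multiple-cookie rule is meant to catch.
    """
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name.strip(), value.strip()))
    return pairs


def check_request(cookie_header, audit_log, key=SECRET_KEY):
    """Return ('allow', session_id), ('deny', reason) or ('drop', reason)."""
    pairs = parse_cookie_header(cookie_header)
    session_values = [v for n, v in pairs if n == SESSION_COOKIE]
    if len(session_values) > 1:
        audit_log.append(f"drop: {len(session_values)} {SESSION_COOKIE} cookies in one request")
        return "drop", "multiple session cookies"
    if not session_values:
        return "deny", "no session cookie"
    # Every protected cookie in the request must validate, not just the session one.
    for name, value in pairs:
        if name in PROTECTED and verify_token(value, key) is None:
            audit_log.append(f"invalid: {name} cookie failed validation")
            return "deny", f"invalid {name} cookie"
    return "allow", verify_token(session_values[0], key)
```

The duplicate-name check is the part most easily lost: standard cookie parsers return one value per name, so a validator built on them cannot tell that two session cookies arrived and will silently pick one.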

AnyConnect: Maximum Connect Time Alert Interval is now supported in the Group Policy for AnyConnect VPN Client connections.

The alert interval is the interval of time before max connection time is reached that a message will be displayed to the user warning them of termination. Valid time interval is 1-30 minutes. Default is 30 minutes. Previously supported for clientless and site-to-site VPN connections.

The following command can now be used for AnyConnect connections: vpn-session-timeout alert-interval

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit > General > More Options, adding a Maximum Connect Time Alert Interval field

AAA Features

IPv6 address support for LDAP and TACACS+ Servers for AAA

You can now use either IPv4 or IPv6 addresses for LDAP and TACACS+ servers used for AAA.

We modified the following command: aaa-server host, test aaa-server

We modified the following screen: Configuration > Device Management > Users/AAA > AAA Server Groups > Add AAA Server Group

Administrative Features

PBKDF2 hashing for all local username and enable passwords

Local username and enable passwords of all lengths are stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Previously, passwords 32 characters and shorter used the MD5-based hashing method. Already existing passwords continue to use the MD5-based hash unless you enter a new password. See the "Software and Configurations" chapter in the General Operations Configuration Guide for downgrading guidelines.

We modified the following commands: enable password, username

We modified the following screens:

Configuration > Device Setup > Device Name/Password > Enable Password

Configuration > Device Management > Users/AAA > User Accounts > Add/Edit User Account > Identity
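The Python below is an added illustration (not ASA code) that combines two items from these notes: PBKDF2 storage of local passwords, described just above, and the password-policy feature in the 9.8(1) section that prohibits reuse within the last N generations and a password matching the username. The ASA's own PBKDF2 parameters and storage format are not documented here, so the salt size, iteration count and digest are this example's choices, and "matches the username" is implemented as a case-insensitive equality check.

```python
"""Local-password handling that combines two items from these notes:
PBKDF2 storage of local passwords and a policy that forbids reuse within
the last N generations and a password matching the username.

Added illustration, not ASA code; the ASA's own PBKDF2 parameters and
storage format are not documented here, so the salt size, iteration count
and digest below are this example's choices.
"""
import hashlib
import hmac
import os
from collections import deque


class LocalUserStore:
    def __init__(self, reuse_interval=7, username_check=True,
                 iterations=600_000, salt_bytes=16):
        self.reuse_interval = reuse_interval    # generations kept, incl. current
        self.username_check = username_check
        self.iterations = iterations
        self.salt_bytes = salt_bytes
        self._history = {}   # username -> deque of (salt, digest), newest last

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def _matches(self, password, salt, digest):
        return hmac.compare_digest(self._digest(password, salt), digest)

    def change_password(self, username, new_password):
        """Apply the policy; return None on success or the reason it was refused."""
        if self.username_check and new_password.casefold() == username.casefold():
            return "password matches the username"
        history = self._history.setdefault(
            username, deque(maxlen=self.reuse_interval))
        # Each generation has its own salt, so every old hash must be recomputed;
        # the history never holds plaintext.
        for salt, digest in history:
            if self._matches(new_password, salt, digest):
                return f"password reused within the last {self.reuse_interval} generations"
        salt = os.urandom(self.salt_bytes)
        history.append((salt, self._digest(new_password, salt)))   # oldest falls off
        return None

    def verify(self, username, password):
        """True if password is the user's current password."""
        history = self._history.get(username)
        if not history:
            return False
        salt, digest = history[-1]
        return self._matches(password, salt, digest)

    def stored_form(self, username):
        """How the current credential is persisted: salt and PBKDF2 digest only."""
        salt, digest = self._history[username][-1]
        return f"pbkdf2-sha256${self.iterations}${salt.hex()}${digest.hex()}"
```

Because the history stores only salted digests, enforcing the reuse window costs one PBKDF2 computation per retained generation at password-change time, which is why the window is small (the notes cap it at 7).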

Licensing Features

Licensing changes for failover pairs on the Firepower 4100/9300 chassis

Only the active unit requests the license entitlements. Previously, both units requested license entitlements. Supported with FXOS 2.1.1.

Monitoring and Troubleshooting Features

IPv6 address support for traceroute

The traceroute command was modified to accept an IPv6 address.

We modified the following command: traceroute

We modified the following screen: Tools > Traceroute

Support for the packet tracer for bridge group member interfaces

You can now use the packet tracer for bridge group member interfaces.

We added two new options to the packet-tracer command: vlan-id and dmac

We added VLAN ID and Destination MAC Address fields in the packet-tracer screen: Tools > Packet Tracer

IPv6 address support for syslog servers

You can now configure syslog servers with IPv6 addresses to record and send syslogs over TCP and UDP.

We modified the following commands: logging host, show running-config, show logging

We modified the following screen: Configuration > Device Management > Logging > Syslog Servers > Add Syslog Server

SNMP OIDs and MIBs

The ASA now supports SNMP MIB objects corresponding to the end-to-end transparent clock mode as part of the Precision Time Protocol (PTP) for the ISA 3000. The following SNMP MIB objects are supported:

  • ciscoPtpMIBSystemInfo

  • cPtpClockDefaultDSTable

  • cPtpClockTransDefaultDSTable

  • cPtpClockPortTransDSTable

Manually stop and start packet captures

You can now manually stop and start the capture.

Added/Modified commands: capture stop

Added/Modified screens: Wizards > Packet Capture Wizard > Run Captures

Added/Modified options: Start button, Stop button

New Features in Version 9.6

New Features in ASA 9.6(4)/ASDM 7.9(1)

Released: December 13, 2017

There are no new features in this release.

New Features in ASA 9.6(3.1)/ASDM 7.7(1)

Released: April 3, 2017


Note

Version 9.6(3) was removed from Cisco.com due to bug CSCvd78303.


Feature

Description

AAA Features

Separate authentication for users with SSH public key authentication and users with passwords

In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication) without also explicitly enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies to usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius_1, for example). As a result, some users can use public key authentication with the local database while other users use passwords with RADIUS.

We did not modify any commands.

We did not modify any screens.

Also in Version 9.8(1).

New Features in ASDM 7.6(2.150)

Released: October 12, 2016

There are no new features in this release.

New Features in ASA 9.6(2)/ASDM 7.6(2)

Released: August 24, 2016

Feature

Description

Platform Features

ASA for the Firepower 4150

We introduced the ASA for the Firepower 4150.

Requires FXOS 2.0.1.

We did not add or modify any commands.

We did not add or modify any screens.

Hot Plug Interfaces on the ASA virtual

You can add and remove Virtio virtual interfaces on the ASA virtual while the system is active. When you add a new interface to the ASA virtual, the virtual machine detects and provisions the interface. When you remove an existing interface, the virtual machine releases any resource associated with the interface. Hot plug interfaces are limited to Virtio virtual interfaces on the Kernel-based Virtual Machine (KVM) hypervisor.

Microsoft Azure support on the ASAv10

Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. The ASA virtual runs as a guest in the Microsoft Azure environment of the Hyper V Hypervisor. The ASA virtual on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.

Also in 9.5(2.200).

Through traffic support on the Management 0/0 interface for the ASA virtual

You can now allow through traffic on the Management 0/0 interface on the ASA virtual. Previously, only the ASA virtual on Microsoft Azure supported through traffic; now all ASA virtuals support through traffic. You can optionally configure this interface to be management-only, but it is not configured by default.

We modified the following command: management-only

Common Criteria Certification

The ASA was updated to comply with the Common Criteria requirements. See the rows in this table for the following features that were added for this certification:

  • ASA SSL Server mode matching for ASDM

  • SSL client RFC 6125 support:

    • Reference Identities for Secure Syslog Server connections and Smart Licensing connections

    • ASA client checks Extended Key Usage in server certificates

    • Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2

  • PKI debug messages

  • Crypto Key Zeroization verification

  • IPsec/ESP Transport Mode Support for IKEv2

  • New syslog messages

Firewall Features

DNS over TCP inspection

You can now inspect DNS over TCP traffic (TCP/53).

We added the following command: tcp-inspection

We modified the following page: Configuration > Firewall > Objects > Inspection Maps > DNS Add/Edit dialog box

MTP3 User Adaptation (M3UA) inspection

You can now inspect M3UA traffic and also apply actions based on point code, service indicator, and message class and type.

We added or modified the following commands: clear service-policy inspect m3ua {drops | endpoint [IP_address]}, inspect m3ua, match dpc, match opc, match service-indicator, policy-map type inspect m3ua, show asp table classify domain inspect-m3ua, show conn detail, show service-policy inspect m3ua {drops | endpoint IP_address}, ss7 variant, timeout endpoint

We added or modified the following pages: Configuration > Firewall > Objects > Inspection Maps > M3UA; the Rule Action > Protocol Inspection tab for service policy rules

Session Traversal Utilities for NAT (STUN) inspection

You can now inspect STUN traffic for WebRTC applications including Cisco Spark. Inspection opens pinholes required for return traffic.

We added or modified the following commands: inspect stun, show conn detail, show service-policy inspect stun

We added an option to the Rule Actions > Protocol Inspection tab of the Add/Edit Service Policy dialog box

Application layer health checking for Cisco Cloud Web Security

You can now configure Cisco Cloud Web Security to check the health of the Cloud Web Security application when determining if the server is healthy. By checking application health, the system can fail over to the backup server when the primary server responds to the TCP three-way handshake but cannot process requests. This ensures a more reliable system.

We added the following commands: health-check application url, health-check application timeout

We modified the following screen: Configuration > Device Management > Cloud Web Security

Connection holddown timeout for route convergence.

You can now configure how long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the connection is freed. You can reduce the holddown timer to make route convergence happen more quickly. However, the 15 second default is appropriate for most networks to prevent route flapping.

We added the following command: timeout conn-holddown

We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts

Also in 9.4(3).

Changes in TCP option handling

You can now specify actions for the TCP MSS and MD5 options in a packet’s TCP header when configuring a TCP map. In addition, the default handling of the MSS, timestamp, window-size, and selective-ack options has changed. Previously, these options were allowed even if there was more than one option of a given type in the header. Now, packets are dropped by default if they contain more than one option of a given type. For example, a packet with 2 timestamp options would previously have been allowed; now it is dropped.

You can configure a TCP map to allow multiple options of the same type for MD5, MSS, selective-ack, timestamp, and window-size. For the MD5 option, the previous default was to clear the option, whereas the default now is to allow it. You can also drop packets that contain the MD5 option. For the MSS option, you can set the maximum segment size in the TCP map (per traffic class). The default for all other TCP options remains the same: they are cleared.

We modified the following command: tcp-options

We modified the following screen: Configuration > Firewall > Objects > TCP Maps Add/Edit dialog box
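The duplicate-option rule, the MD5 allow/clear/drop choice and the per-class MSS cap described above, modelled in Python as an added example (this is not ASA code; the option-kind numbers come from the IANA TCP option registry, and the grouping of SACK-permitted and SACK blocks under "selective-ack", the field names and the sample byte strings are assumptions of this illustration):

```python
"""Model of the TCP-map option handling described in the release note (illustration, not ASA code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# TCP option kinds (IANA registry)
EOL, NOP = 0, 1
MSS, WSCALE, SACK_PERMITTED, SACK, TIMESTAMP, MD5SIG = 2, 3, 4, 5, 8, 19

# Option kinds that have a TCP-map policy class; everything else is "all other options".
# Assumption: "selective-ack" covers both the SACK-permitted and SACK-block options.
POLICY_GROUP = {MSS: "mss", WSCALE: "window-size", SACK_PERMITTED: "selective-ack",
                SACK: "selective-ack", TIMESTAMP: "timestamp", MD5SIG: "md5"}


@dataclass
class TcpMap:
    allow_multiple: set = field(default_factory=set)  # classes allowed to appear more than once
    mss_maximum: Optional[int] = None                 # cap the advertised MSS (None = unchanged)
    md5_action: str = "allow"                          # "allow" (new default) | "clear" | "drop"


def parse_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Split the TCP options field into (kind, payload) pairs; ValueError on malformed lengths."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def serialize(opts: List[Tuple[int, bytes]]) -> bytes:
    """Re-encode options and pad with EOL to a 4-byte boundary."""
    out = bytearray()
    for kind, payload in opts:
        out += bytes([kind, len(payload) + 2]) + payload
    while len(out) % 4:
        out.append(EOL)
    return bytes(out)


def apply_tcp_map(raw: bytes, tmap: TcpMap) -> Tuple[str, bytes]:
    """Return ("drop", b"") or ("allow", rewritten_options) for one segment's option field."""
    try:
        opts = parse_options(raw)
    except ValueError:
        return "drop", b""  # malformed option lengths never pass
    counts = {}
    for kind, _ in opts:
        grp = POLICY_GROUP.get(kind)
        if grp:
            counts[grp] = counts.get(grp, 0) + 1
    # New default: more than one option of a given class drops the packet unless allowed.
    for grp, n in counts.items():
        if n > 1 and grp not in tmap.allow_multiple:
            return "drop", b""
    if tmap.md5_action == "drop" and counts.get("md5"):
        return "drop", b""
    kept = []
    for kind, payload in opts:
        grp = POLICY_GROUP.get(kind)
        if grp is None:
            continue  # all other options: cleared
        if grp == "md5" and tmap.md5_action == "clear":
            continue
        if grp == "mss" and tmap.mss_maximum is not None and len(payload) == 2:
            mss = int.from_bytes(payload, "big")
            payload = min(mss, tmap.mss_maximum).to_bytes(2, "big")  # per-class MSS cap
        kept.append((kind, payload))
    return "allow", serialize(kept)


def opt(kind: int, payload: bytes = b"") -> bytes:
    return bytes([kind, len(payload) + 2]) + payload


# Constructed sample option fields (not captured traffic).
OPTS_MSS = opt(MSS, (1460).to_bytes(2, "big"))
OPTS_TS = opt(TIMESTAMP, (0x11223344).to_bytes(4, "big") + bytes(4))
OPTS_WS = opt(WSCALE, b"\x07")
OPTS_MD5 = opt(MD5SIG, bytes(16))
OPTS_EXP = opt(253, b"\xab\xcd")  # experimental kind: falls under "all other options"

SYN_DUP_TIMESTAMP = OPTS_MSS + opt(SACK_PERMITTED) + OPTS_TS + OPTS_TS + OPTS_WS + bytes([NOP])
SYN_CLEAN = OPTS_MSS + OPTS_TS + OPTS_WS + OPTS_EXP
SEGMENT_MD5 = OPTS_MSS + OPTS_MD5

if __name__ == "__main__":
    print(apply_tcp_map(SYN_DUP_TIMESTAMP, TcpMap())[0])                       # drop (two timestamps)
    print(apply_tcp_map(SYN_CLEAN, TcpMap(mss_maximum=1380))[1].hex())          # MSS capped, kind 253 cleared
    print(apply_tcp_map(SEGMENT_MD5, TcpMap(md5_action="clear"))[1].hex())     # MD5 option removed
```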

Transparent mode maximum interfaces per bridge group increased to 64

The maximum interfaces per bridge group was increased from 4 to 64.

We did not modify any commands.

We did not modify any screens.

Flow offload support for multicast connections in transparent mode.

You can now offload multicast connections to be switched directly in the NIC on transparent mode Firepower 4100 and 9300 series devices. Multicast offload is available for bridge groups that contain two and only two interfaces.

There are no new commands or ASDM screens for this feature.

Customizable ARP rate limiting

You can set the maximum number of ARP packets allowed per second. The default value depends on your ASA model. You can customize this value to prevent an ARP storm attack.

We added the following commands: arp rate-limit, show arp rate-limit

We modified the following screen: Configuration > Device Management > Advanced > ARP > ARP Static Table

Ethertype rule support for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address.

You can now write Ethertype access control rules for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address. Because of this addition, the bpdu keyword no longer matches the intended traffic. Rewrite bpdu rules for dsap 0x42.

We modified the following command: access-list ethertype

We modified the following screen: Configuration > Firewall > EtherType Rules.

Remote Access Features

Pre-fill/Username-from-cert feature for multiple context mode

AnyConnect SSL support is extended, allowing pre-fill/username-from-certificate feature CLIs, previously available only in single mode, to be enabled in multiple context mode as well.

We did not modify any commands.

We did not modify any screens.

Flash Virtualization for Remote Access VPN

Remote access VPN in multiple context mode now supports flash virtualization. Each context can have a private storage space and a shared storage space based on the total flash that is available:

  • Private storage—Store files associated only with that user and specific to the content that you want for that user.

  • Shared storage—Upload files to this space and have it accessible to any user context for read/write access once you enable it.

We introduced the following commands: limit-resource storage, storage-url

We modified the following screens: Configuration > Context Management > Resource Class > Add Resource Class

Configuration > Context Management > Security Contexts

AnyConnect client profiles supported in multiple context mode

AnyConnect client profiles are supported in multiple context mode. To add a new profile using ASDM, you must have the AnyConnect Secure Mobility Client release 4.2.00748 or 4.3.03013 and later.

Stateful failover for AnyConnect connections in multiple context mode

Stateful failover is now supported for AnyConnect connections in multiple context mode.

We did not modify any commands.

We did not modify any screens.

Remote Access VPN Dynamic Access Policy (DAP) is supported in multiple context mode

You can now configure DAP per context in multiple context mode.

We did not modify any commands.

We did not modify any screens.

Remote Access VPN CoA (Change of Authorization) is supported in multiple context mode

You can now configure CoA per context in multiple context mode.

We did not modify any commands.

We did not modify any screens.

Remote Access VPN localization is supported in multiple context mode

Localization is supported globally. There is only one set of localization files that are shared across different contexts.

We did not modify any commands.

We did not modify any screens.

Umbrella Roaming Security module support

You can choose to configure the AnyConnect Secure Mobility Client's Umbrella Roaming Security module for additional DNS-layer security when no VPN is active.

We did not modify any commands.

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

IPsec/ESP Transport Mode Support for IKEv2

Transport mode is now supported for ASA IKEv2 negotiation. It can be used in place of tunnel (default) mode. Tunnel mode encapsulates the entire IP packet. Transport mode encapsulates only the upper-layer protocols of an IP packet. Transport mode requires that both the source and destination hosts support IPSec, and can only be used when the destination peer of the tunnel is the final destination of the IP packet.

We modified the following command: crypto map set ikev2 mode

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > IPsec Proposals (Transform Sets) > IKEv2 proposals > Add/Edit

Per-packet routing lookups for IPsec inner packets

By default, per-packet adjacency lookups are done for outer ESP packets; lookups are not done for packets sent through the IPsec tunnel. In some network topologies, when a routing update has altered the inner packet’s path, but the local IPsec tunnel is still up, packets through the tunnel may not be routed correctly and fail to reach their destination. To prevent this, use the new option to enable per-packet routing lookups for the IPsec inner packets.

We added the following command: crypto ipsec inner-routing-lookup

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps adding the Enable IPsec Inner Routing Lookup checkbox.

Certificate and Secure Connection Features

ASA client checks Extended Key Usage in server certificates

Syslog and Smart licensing Server Certificates must contain “ServerAuth” in the Extended Key Usage field. If not, the connection fails.

Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2

If the server requests a client certificate from the ASA for authentication, the ASA will send the client identity certificate configured for that interface. The certificate is configured by the ssl trust-point command.

PKI debug messages

The ASA PKI module connects to CA servers for operations such as SCEP enrollment and revocation checking over HTTP. All of these ASA PKI exchanges are logged as debug traces under debug crypto ca message 5.

ASA SSL Server mode matching for ASDM

For an ASDM user who authenticates with a certificate, you can now require the certificate to match a certificate map.

We modified the following command: http authentication-certificate match

We modified the following screen: Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

Reference Identities for Secure Syslog Server connections and Smart Licensing connections

TLS client processing now supports rules for verification of a server identity defined in RFC 6125, Section 6. Identity verification will be done during PKI validation for TLS connections to the Syslog Server and the Smart Licensing server only. If the presented identity cannot be matched against the configured reference identity, the connection is not established.

We added or modified the following commands: crypto ca reference-identity, logging host, call home profile destination address

We modified the following screens:

Configuration > Remote Access VPN > Advanced

Configuration > Device Management > Logging > Syslog Servers > Add/Edit

Configuration > Device Management > Smart Call Home

Crypto Key Zeroization verification

The ASA crypto system has been updated to comply with new key zeroization requirements. Keys must be overwritten with all zeros and then the data must be read to verify that the write was successful.

SSH public key authentication improvements

In earlier releases, you could enable SSH public key authentication (ssh authentication) without also enabling AAA SSH authentication with the local user database (aaa authentication ssh console LOCAL). The configuration is now fixed so that you must explicitly enable AAA SSH authentication. To prevent users from using a password instead of the private key, you can now create a username without any password defined.

We modified the following commands: ssh authentication, username

We modified the following screens:

Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

Configuration > Device Management > Users/AAA > User Accounts > Add/Edit User Account

Interface Features

Increased MTU size for the ASA on the Firepower 4100/9300 chassis

You can set the maximum MTU to 9188 bytes on the Firepower 4100 and 9300; formerly, the maximum was 9000 bytes. This MTU is supported with FXOS 2.0.1.68 and later.

We modified the following command: mtu

We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Advanced

Routing Features

Bidirectional Forwarding Detection (BFD) Support

The ASA now supports the BFD routing protocol. Support was added for configuring BFD templates, interfaces, and maps. Support for BGP routing protocol to use BFD was also added.

We added or modified the following commands: authentication, bfd echo, bfd interval, bfd map, bfd slow-timers, bfd template, bfd-template, clear bfd counters, echo, debug bfd, neighbor fall-over bfd, show bfd drops, show bfd map, show bfd neighbors, show bfd summary

We added or modified the following screens:

Configuration > Device Setup > Routing > BFD > Template

Configuration > Device Setup > Routing > BFD > Interface

Configuration > Device Setup > Routing > BFD > Map

Configuration > Device Setup > Routing > BGP > IPv6 Family > Neighbors

IPv6 DHCP

The ASA now supports the following features for IPv6 addressing:

  • DHCPv6 Address client—The ASA obtains an IPv6 global address and optional default route from the DHCPv6 server.

  • DHCPv6 Prefix Delegation client—The ASA obtains delegated prefix(es) from a DHCPv6 server. The ASA can then use these prefixes to configure other ASA interface addresses so that Stateless Address Autoconfiguration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.

  • BGP router advertisement for delegated prefixes

  • DHCPv6 stateless server—The ASA provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to the ASA. The ASA only accepts IR packets, and does not assign addresses to the clients.

We added or modified the following commands: clear ipv6 dhcp statistics, domain-name, dns-server, import, ipv6 address autoconfig, ipv6 address dhcp, ipv6 dhcp client pd, ipv6 dhcp client pd hint, ipv6 dhcp pool, ipv6 dhcp server, network, nis address, nis domain-name, nisp address, nisp domain-name, show bgp ipv6 unicast, show ipv6 dhcp, show ipv6 general-prefix, sip address, sip domain-name, sntp address

We added or modified the following screens:

Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > IPv6

Configuration > Device Management > DHCP > DHCP Pool

Configuration > Device Setup > Routing > BGP > IPv6 Family > Networks

Monitoring > Interfaces > DHCP

High Availability and Scalability Features

Improved sync time for dynamic ACLs from AnyConnect when using Active/Standby failover

When you use AnyConnect on a failover pair, the sync time for the associated dynamic ACLs (dACLs) to the standby unit is now improved. Previously, with large dACLs, the sync could take hours, during which time the standby unit was busy syncing instead of providing high availability backup.

We did not modify any commands.

We did not modify any screens.

Licensing Features

Permanent License Reservation for the ASA virtual

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASA virtual. In 9.6(2), we also added support for this feature for the ASA virtual on Amazon Web Services. This feature is not supported for Microsoft Azure.

Note 

Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.

We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return

No ASDM support.

Also in 9.5(2.200).

Satellite Server support for the ASA virtual

If your devices cannot access the internet for security reasons, you can optionally install a local Smart Software Manager satellite server as a virtual machine (VM).

We did not modify any commands.

We did not modify any screens.

Permanent License Reservation for the ASA virtual Short String enhancement

Due to an update to the Smart Agent (to 1.6.4), the request and authorization codes now use shorter strings.

We did not modify any commands.

We did not modify any screens.

Permanent License Reservation for the ASA on the Firepower 4100/9300 chassis

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASA on the Firepower 9300 and Firepower 4100. All available license entitlements are included in the permanent license, including the Standard Tier, Strong Encryption (if qualified), Security Contexts, and Carrier licenses. Requires FXOS 2.0.1.

All configuration is performed on the Firepower 4100/9300 chassis; no configuration is required on the ASA.

Smart Agent Upgrade for ASA virtual to v1.6

The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.

Note 

If you downgrade from Version 9.5(2.200), the ASA virtual does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force command, or on the Configuration > Device Management > Licensing > Smart Licensing page with the Force registration option; obtain the ID token from the Smart Software Manager.

We introduced the following commands: show license status, show license summary, show license udi, show license usage

We modified the following commands: show license all, show tech-support license

We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration

We did not change any screens.

Also in 9.5(2.200).

Monitoring Features

Packet capture of type asp-drop supports ACL and match filtering

When you create a packet capture of type asp-drop, you can now also specify an ACL or match option to limit the scope of the capture.

We modified the following command: capture type asp-drop

We did not modify any screens.

Forensic Analysis enhancements

You can create a core dump of any process running on the ASA. The ASA also extracts the text section of the main ASA process that you can copy from the ASA for examination.

We modified the following commands: copy system:text, verify system:text, crashinfo force dump process

We did not modify any screens.

Tracking Packet Count on a Per-Connection Basis through NetFlow

Two counters were added that allow Netflow users to see the number of Layer 4 packets being sent in both directions on a connection. You can use these counters to determine average packet rates and sizes and to better predict traffic types, anomalies, and events.

We did not modify any commands.

We did not modify any screens.

SNMP engineID sync for Failover

In a failover pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.

An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running-config output will show two engineIDs per user.

We modified the following command: snmp-server user

No ASDM support.

Also in 9.4(3).

New Features in ASA 9.6(1)/ASDM 7.6(1)

Released: March 21, 2016


Note

The ASAv 9.5.2(200) features, including Microsoft Azure support, are not available in 9.6(1). They are available in 9.6(2).


Feature

Description

Platform Features

ASA for the Firepower 4100 series

We introduced the ASA for the Firepower 4110, 4120, and 4140.

Requires FXOS 1.1.4.

We did not add or modify any commands.

We did not add or modify any screens.

SD card support for the ISA 3000

You can now use an SD card for external storage on the ISA 3000. The card appears as disk3 in the ASA file system. Note that plug and play support requires hardware version 2.1 and later. Use the show module command to check your hardware version.

We did not add or modify any commands.

We did not add or modify any screens.

Dual power supply support for the ISA 3000

For dual power supplies in the ISA 3000, you can establish dual power supplies as the expected configuration in the ASA OS. If one power supply fails, the ASA issues an alarm. By default, the ASA expects a single power supply and won't issue an alarm as long as it includes one working power supply.

We introduced the following command: power-supply dual.

No ASDM support.

Firewall Features

Diameter inspection improvements

You can now inspect Diameter over TCP/TLS traffic, apply strict protocol conformance checking, and inspect Diameter over SCTP in cluster mode.

We introduced or modified the following commands: client clear-text, inspect diameter, strict-diameter.

We added or modified the following screens:

Configuration > Firewall > Objects > Inspect Maps > Diameter

Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection tab

SCTP stateful inspection in cluster mode

SCTP stateful inspection now works in cluster mode. You can also configure SCTP stateful inspection bypass in cluster mode.

We did not add or modify any commands.

We did not add or modify any screens.

H.323 inspection support for the H.225 FACILITY message coming before the H.225 SETUP message for H.460.18 compatibility.

You can now configure an H.323 inspection policy map to allow for H.225 FACILITY messages to come before the H.225 SETUP message, which can happen when endpoints comply with H.460.18.

We introduced the following command: early-message.

We added an option to the Call Attributes tab in the H.323 inspection policy map.

Cisco TrustSec support for Security Exchange Protocol (SXP) version 3.

Cisco TrustSec on the ASA now implements SXPv3, which enables SGT-to-subnet bindings; these are more efficient than host bindings.

We introduced or modified the following commands: cts sxp mapping network-map maximum_hosts, cts role-based sgt-map, show cts sgt-map, show cts sxp sgt-map, show asp table cts sgt-map.

We modified the following screens: Configuration > Firewall > Identity By TrustSec and the SGT Map Setup dialog boxes.

Flow off-load support for the Firepower 4100 series.

You can identify flows that should be off-loaded from the ASA and switched directly in the NIC for the Firepower 4100 series.

Requires FXOS 1.1.4.

We did not add or modify any commands.

We did not add or modify any screens.

Remote Access Features

IKEv2 Fragmentation, RFC-7383 support

The ASA now supports standard fragmentation of IKEv2 packets. This allows interoperability with other IKEv2 implementations such as Apple and strongSwan. The ASA continues to support the existing proprietary IKEv2 fragmentation to maintain backward compatibility with Cisco products that do not support RFC 7383, such as the AnyConnect client.

We introduced the following commands: crypto ikev2 fragmentation, show running-config crypto ikev2, show crypto ikev2 sa detail

VPN Throughput Performance Enhancements on Firepower 9300 and Firepower 4100 series

The crypto engine accelerator-bias command is now supported on the ASA security module on the Firepower 9300 and Firepower 4100 series. This command lets you “bias” more crypto cores toward either IPSec or SSL.

We modified the following command: crypto engine accelerator-bias

We did not add or modify any screens.

Configurable SSH encryption and HMAC algorithm.

You can select the cipher modes used for SSH management connections and configure the HMAC and encryption algorithms for the supported key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, performance is much slower than with a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.

We introduced the following commands: ssh cipher encryption, ssh cipher integrity.

We introduced the following screen: Configuration > Device Management > Advanced > SSH Ciphers

Also available in 9.1(7), 9.4(3), and 9.5(3).

HTTP redirect support for IPv6

When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent to an IPv6 address.

We added functionality to the following command: http redirect

We added functionality to the following screen: Configuration > Device Management > HTTP Redirect

Also available in 9.1(7) and 9.4(3).

Routing Features

IS-IS routing

The ASA now supports the Intermediate System to Intermediate System (IS-IS) routing protocol. Support was added for routing data, performing authentication, and redistributing and monitoring routing information using the IS-IS routing protocol.

We introduced the following commands: advertise passive-only, area-password, authentication key, authentication mode, authentication send-only, clear isis, debug isis, distance, domain-password, fast-flood, hello padding, hostname dynamic, ignore-lsp-errors, isis adjacency-filter, isis advertise prefix, isis authentication key, isis authentication mode, isis authentication send-only, isis circuit-type, isis csnp-interval, isis hello-interval, isis hello-multiplier, isis hello padding, isis lsp-interval, isis metric, isis password, isis priority, isis protocol shutdown, isis retransmit-interval, isis retransmit-throttle-interval, isis tag, is-type, log-adjacency-changes, lsp-full suppress, lsp-gen-interval, lsp-refresh-interval, max-area-addresses, max-lsp-lifetime, maximum-paths, metric, metric-style, net, passive-interface, prc-interval, protocol shutdown, redistribute isis, route priority high, route isis, set-attached-bit, set-overload-bit, show clns, show isis, show router isis, spf-interval, summary-address.

We introduced the following screens:

Configuration > Device Setup > Routing > ISIS

Monitoring > Routing > ISIS

High Availability and Scalability Features

Support for site-specific IP addresses in Routed, Spanned EtherChannel mode

For inter-site clustering in routed mode with Spanned EtherChannels, you can now configure site-specific IP addresses in addition to site-specific MAC addresses. The addition of site IP addresses allows you to use ARP inspection on the Overlay Transport Virtualization (OTV) devices to prevent ARP responses from the global MAC address from traveling over the Data Center Interconnect (DCI), which can cause routing problems. ARP inspection is required for some switches that cannot use VACLs to filter MAC addresses.

We modified the following commands: mac-address, show interface

We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit EtherChannel Interface > Advanced

Administrative Features

Longer password support for local username and enable passwords (up to 127 characters)

You can now create local username and enable passwords up to 127 characters (the former limit was 32). When you create a password longer than 32 characters, it is stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Shorter passwords continue to use the MD5-based hashing method.

We modified the following commands: enable, username

We modified the following screens:

Configuration > Device Setup > Device Name/Password > Enable Password

Configuration > Device Management > Users/AAA > User Accounts > Add/Edit User Account > Identity

Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB

The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.

Note 

The CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports reporting of memory on platforms with more than 4GB of RAM.

We did not add or modify any commands.

We did not add or modify any screens.

Also available in 9.1(7) and 9.4(3).

REST API Version 1.3.1

We added support for the REST API Version 1.3.1.

New Features in Version 9.5

New Features in ASA 9.5(3.9)/ASDM 7.6(2)

Released: April 11, 2017


Note

Version 9.5(3) was removed from Cisco.com due to bug CSCvd78303.


Feature

Description

Remote Access Features

Configurable SSH encryption and HMAC algorithm.

You can select the cipher modes used for SSH management connections and configure the HMAC and encryption algorithms for the supported key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, performance is much slower than with a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.

We introduced the following commands: ssh cipher encryption, ssh cipher integrity.

We introduced the following screen: Configuration > Device Management > Advanced > SSH Ciphers

Also available in 9.1(7) and 9.4(3).

New Features in ASA Virtual 9.5(2.200)/ASDM 7.5(2.153)

Released: January 28, 2016


Note

This release supports only the ASA virtual.


Feature

Description

Platform Features

Microsoft Azure support on the ASAv10

Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper-V hypervisor. The ASA virtual runs as a guest in the Microsoft Azure environment on the Hyper-V hypervisor. The ASA virtual on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.

Licensing Features

Permanent License Reservation for the ASA virtual

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASA virtual.

Note 

Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.

We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return

No ASDM support.

Smart Agent Upgrade to v1.6

The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.

Note 

If you downgrade from Version 9.5(2.200), the ASA virtual does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force command, or on the Configuration > Device Management > Licensing > Smart Licensing page with the Force registration option; obtain the ID token from the Smart Software Manager.

We introduced the following commands: show license status, show license summary, show license udi, show license usage

We modified the following commands: show license all, show tech-support license

We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration

We did not change any screens.

New Features in ASA 9.5(2.1)/ASDM 7.5(2)

Released: December 14, 2015


Note

This release supports only the ASA on the Firepower 9300.


Feature

Description

Platform Features

VPN support for the ASA on the Firepower 9300

With FXOS 1.1.3, you can now configure VPN features.

Firewall Features

Flow off-load for the ASA on the Firepower 9300

You can identify flows that should be off-loaded from the ASA and switched directly in the NIC (on the Firepower 9300). This provides improved performance for large data flows in data centers.

Also requires FXOS 1.1.3.

We added or modified the following commands: clear flow-offload, flow-offload enable, set-connection advanced-options flow-offload, show conn detail, show flow-offload.

We added or modified the following screens: Configuration > Firewall > Advanced > Offload Engine, and the Rule Actions > Connection Settings tab when adding or editing rules under Configuration > Firewall > Service Policy Rules.

High Availability Features

Inter-chassis clustering for 6 modules, and inter-site clustering for the ASA on the Firepower 9300

With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site clustering. You can include up to 6 modules in up to 6 chassis.

We did not modify any commands.

We did not modify any screens.

Licensing Features

Strong Encryption (3DES) license automatically applied for the ASA on the Firepower 9300

For regular Cisco Smart Software Manager users, the Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300.

Note 

If you are using the Smart Software Manager satellite deployment, to use ASDM and other strong encryption features, after you deploy the ASA you must enable the Strong Encryption (3DES) license using the ASA CLI.

This feature requires FXOS 1.1.3.

We removed the following command for non-satellite configurations: feature strong-encryption

We modified the following screen: Configuration > Device Management > Licensing > Smart License

New Features in ASA 9.5(2)/ASDM 7.5(2)

Released: November 30, 2015

Feature

Description

Platform Features

Cisco ISA 3000 Support

The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model comes with the ASA Firepower module pre-installed. Special features for this model include a customized transparent mode default configuration, as well as a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power.

We introduced the following commands: hardware-bypass, hardware-bypass manual, hardware-bypass boot-delay

We modified the following screen: Configuration > Device Management > Hardware Bypass

Also in Version 9.4(1.225).

Firewall Features

DCERPC inspection improvements and UUID filtering

DCERPC inspection now supports NAT for OxidResolver ServerAlive2 opnum5 messages. You can also now filter on DCERPC message universally unique identifiers (UUIDs) to reset or log particular message types. There is a new DCERPC inspection class map for UUID filtering.

We introduced the following command: match [not] uuid. We modified the following command: class-map type inspect.

We added the following screen: Configuration > Firewall > Objects > Class Maps > DCERPC.

We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > DCERPC.

Diameter inspection

You can now inspect Diameter traffic. Diameter inspection requires the Carrier license.

We introduced or modified the following commands: class-map type inspect diameter, diameter, inspect diameter, match application-id, match avp, match command-code, policy-map type inspect diameter, show conn detail, show diameter, show service-policy inspect diameter, unsupported

We added or modified the following screens:

Configuration > Firewall > Objects > Inspect Maps > Diameter and Diameter AVP

Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection tab

SCTP inspection and access control

You can now use the SCTP protocol and port specifications in service objects, access control lists (ACLs) and access rules, and inspect SCTP traffic. SCTP inspection requires the Carrier license.

We introduced the following commands: access-list extended, clear conn protocol sctp, inspect sctp, match ppid, nat static (object), policy-map type inspect sctp, service-object, service, set connection advanced-options sctp-state-bypass, show conn protocol sctp, show local-host connection sctp, show service-policy inspect sctp, timeout sctp

We added or modified the following screens:

Configuration > Firewall > Access Rules add/edit dialogs

Configuration > Firewall > Advanced > ACL Manager add/edit dialogs

Configuration > Firewall > Advanced > Global Timeouts

Configuration > Firewall > NAT add/edit static network object NAT rule, Advanced NAT Settings dialog box

Configuration > Firewall > Objects > Service Objects/Groups add/edit dialogs

Configuration > Firewall > Objects > Inspect Maps > SCTP

Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection and Connection Settings tabs

Carrier Grade NAT enhancements now supported in failover and ASA clustering

For carrier-grade or large-scale PAT, you can allocate a block of ports to each host, rather than having NAT allocate one port translation at a time (see RFC 6888). This feature is now supported in failover and ASA cluster deployments.

We modified the following command: show local-host

We did not modify any screens.

Captive portal for active authentication on ASA FirePOWER 6.0.

The captive portal feature is required to enable active authentication using identity policies starting with ASA FirePOWER 6.0.

We introduced or modified the following commands: captive-portal, clear configure captive-portal, show running-config captive-portal.

High Availability Features

LISP Inspection for Inter-Site Flow Mobility

Cisco Locator/ID Separation Protocol (LISP) architecture separates the device identity from its location into two different numbering spaces, making server migration transparent to clients. The ASA can inspect LISP traffic for location changes and then use this information for seamless clustering operation; the ASA cluster members inspect LISP traffic passing between the first hop router and the egress tunnel router (ETR) or ingress tunnel router (ITR), and then change the flow owner to be at the new site.

We introduced or modified the following commands: allowed-eid, clear cluster info flow-mobility counters, clear lisp eid, cluster flow-mobility lisp, debug cluster flow-mobility, debug lisp eid-notify-intercept, flow-mobility lisp, inspect lisp, policy-map type inspect lisp, site-id, show asp table classify domain inspect-lisp, show cluster info flow-mobility counters, show conn, show lisp eid, show service-policy, validate-key

We introduced or modified the following screens:

Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration

Configuration > Firewall > Objects > Inspect Maps > LISP

Configuration > Firewall > Service Policy Rules > Protocol Inspection

Configuration > Firewall > Service Policy Rules > Cluster

Monitoring > Routing > LISP-EID Table

ASA 5516-X support for clustering

The ASA 5516-X now supports 2-unit clusters. Clustering for 2 units is enabled by default in the base license.

We did not modify any commands.

We did not modify any screens.

Configurable level for clustering trace entries

By default, all levels of clustering events are included in the trace buffer, including many low-level events. To limit the trace to higher-level events, you can set the minimum trace level for the cluster.

We introduced the following command: trace-level

We did not modify any screens.

Interface Features

Support to map Secondary VLANs to a Primary VLAN

You can now configure one or more secondary VLANs for a subinterface. When the ASA receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN.

We introduced or modified the following commands: vlan secondary, show vlan mapping

We modified the following screens: Configuration > Device Setup > Interface Settings > Interfaces

Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > General

Routing Features

PIM Bootstrap Router (BSR) support for multicast routing

The ASA currently supports configuring static rendezvous points (RPs) to route multicast traffic for different groups. For large, complex networks where multiple RPs could exist, the ASA now supports dynamic RP selection using PIM BSR, which accommodates mobility of RPs.

We introduced the following commands: clear pim group-map, debug pim bsr, pim bsr-border, pim bsr-candidate, show pim bsr-router, show pim group-map rp-timers

We introduced the following screen: Configuration > Device Setup > Routing > Multicast > PIM > Bootstrap Router

Remote Access Features

Support for Remote Access VPN in multiple context mode

You can now use the following remote access features in multiple context mode:

  • AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)

  • Centralized AnyConnect image configuration

  • AnyConnect image upgrade

  • Context Resource Management for AnyConnect connections

Note

The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.

We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect

We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class

Clientless SSL VPN offers SAML 2.0-based Single Sign-On (SSO) functionality

The ASA acts as a SAML Service Provider.

Clientless SSL VPN conditional debugging

You can filter clientless SSL VPN debug output by condition sets (for example, user, group, or peer IP address), which makes the logs easier to analyze.

We introduced the following additions to the debug command:

  • [no] debug webvpn condition user <user name>

  • [no] debug webvpn condition group <group name>

  • [no] debug webvpn condition p-ipaddress <ipv4> [subnet<mask>]

  • [no] debug webvpn condition p-ipaddress <ipv6> [prefix<prefix>]

  • debug webvpn condition reset

  • show debug webvpn condition

  • show webvpn debug-condition

Clientless SSL VPN cache disabled by default

The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN cache provides better stability. If you want to enable the cache, you must manually enable it.

webvpn
   cache
      no disable

We modified the following command: cache

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Content Cache

Licensing Features

Validation of the Smart Call Home/Smart Licensing certificate if the issuing hierarchy of the server certificate changes

Smart licensing uses the Smart Call Home infrastructure. When the ASA first configures Smart Call Home anonymous reporting in the background, it automatically creates a trustpoint containing the certificate of the CA that issued the Smart Call Home server certificate. The ASA now supports validation of the certificate if the issuing hierarchy of the server certificate changes; you can enable the automatic update of the trustpool bundle at periodic intervals.

We introduced the following command: auto-import

We modified the following screen: Configuration > Remote Access VPN > Certificate Management > Trusted Certificate Pool > Edit Policy

New Carrier license

The new Carrier license replaces the existing GTP/GPRS license, and also includes support for SCTP and Diameter inspection. For the ASA on the Firepower 9300, the feature mobile-sp command will automatically migrate to the feature carrier command.

We introduced or modified the following commands: feature carrier, show activation-key, show license, show tech-support, show version

We modified the following screen: Configuration > Device Management > Licensing > Smart License

Monitoring Features

SNMP engineID sync

In an HA pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA: the synced engineID, the native engineID, and the remote engineID.

An SNMPv3 user can also specify the engineID of the ASA when creating a profile, to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running-config output will show two engineIDs per user.

We modified the following commands: snmp-server user, no snmp-server user

We did not add or modify any screens.

Also available in 9.4(3).