Platform Features

Secure Firewall 220

Secure Firewall 6160, 6170

ASA VirtualGrub bootloader upgraded with UEFI firmware and secure boot.

With the Grub bootloader upgrade from Grub 0.94 to Grub 2.12, we now support UEFI firmware with or without secure boot functionality, along with legacy BIOS mode. Secure boot functionality gives boot-level malware protection. New deployments also use GPT-partitioned images instead of MS-DOS-partitioned disks. If you upgrade, you cannot change to UEFI and secure boot; only new deployments can use the new options.

ASA Virtual AWS dual-arm clustering

In dual-arm mode, after inspection, the ASA Virtual will NAT and forward outbound traffic from its outside interface directly to the internet via the Internet Gateway. Since outbound traffic is directly forwarded to the internet after inspection without making a round trip through the GWLB and the GWLB endpoint, the number of traffic hops is reduced by 2. This reduction is especially useful in providing a common egress path for a multi-VPC deployment.For dual-arm deployments, only egress traffic is supported.

ASA Virtual GCP clustering with autoscale

GCP clustering with autoscale is now supported for ASAv30, ASAv50, and ASAv100.

ASA VirtualOCI Ampere A1 ARM compute shape support

New shapes for OCI.

ASA VirtualKVM flow offload

Flow offload is now supported on the DPU for KVM.

ASA Virtual Nutanix support for AOS 6.8

Nutanix AOS 6.8 supports VPCs, similar toVPCs in public clouds.

ASA Virtual OpenStack support for Caracal

ASA Virtual deployment is supported on the Caracal release of OpenStack.

ASA Virtual MANA NIC Support

ASA Virtual supports MANA NIC hardware on Microsoft Azure for the following instances:

• Standard_D8s_v5

• Standard_D16s_v5

Firewall Features

Application Visibility and Control for the Secure Firewall 6100

Application Visibility and Control (AVC) makes it possible for you to write access control rules based on applications rather than just IP addresses and ports. AVC downloads the Vulnerability Database (VDB), which creates network-service objects and groups that you can use in access control rules. The objects define various applications, and the groups define application categories, so you can easily block applications or entire classes of connections without specifying IP address and port.

We introduced the following screens: Configuration > Firewall > Advanced > Enable AVC, Monitoring > Properties > AVC > Status, Monitoring > Properties > AVC > Top N, Monitoring > Properties > AVC > App Category, Monitoring > Properties > AVC > Allowed/Blocked Applications, Monitoring > Properties > Service Policy, Monitoring > Properties > Network Object > Object Group Network Service

Supported platforms: Secure Firewall 6100

High Availability and Scalability Features

No reboot required for changing the VPN mode

When changing the VPN mode between distributed and centralized, a reboot is no longer required. However, you now need to disable clustering on all nodes before changing the mode.

Data nodes can join the cluster concurrently

Formerly, the control node only allowed one data node to join the cluster at a time. If the configuration sync takes a long time, data nodes can take a long time to join. Concurrent join is enabled by default. If you have NAT and VPN distributed mode enabled, you cannot use concurrent join.

Added/modified screens:

• Configuration > Device Management > High Availablility and Scalability > ASA Cluster

• Monitoring > ASA Cluster > ASA Cluster Concurrent Join

MTU ping test on cluster node join provides more information by trying smaller MTUs

When a node joins the cluster, it checks MTU compatibility by sending a ping to the control node with a packet size matching the cluster control link MTU. If the ping fails, it tries the MTU divided by 2 and keeps dividing by 2 until an MTU ping is successful. A notification is generated so you can fix the MTU to a working value and try again. We recommend increasing the switch MTU size to the recommended value, but if you can't change the switch configuration, a working value for the cluster control link will let you form the cluster.

Added/modified screens: Monitoring > > ASA Cluster > Cluster Summary

Improved cluster control link health check with high CPU

When a cluster node CPU usage is high, the health check will be suspended, and the node will not be marked as unhealthy. You can configure at what CPU use threshold to suspend the health check.

Added/modified screens: Configuration > Device Management > High Availablility and Scalability > ASA Cluster

Clustering on the Secure Firewall 6100

You can cluster up to 4 Secure Firewall 4200 nodes in Spanned EtherChannel or Individual interface mode.

Block depletion monitoring in clustering

When block depletion occurs, the ASA collects troubleshooting logs and sends out a syslog. For clustering, the node will leave the cluster so the other nodes can handle the traffic. The ASA can also force a crash and reload to recover from depletion.

Dynamic PAT support for distributed site-to-site VPN mode

Distributed mode now supports dynamic PAT. However, interface PAT is still not supported.

Interface Features

Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) options to advertise a list of DNS servers and domains to IPv6 clients

You can now configure Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) options to provide DNS servers and domains to SLAAC clients using router advertisements.

New/modified screens:

Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > IPv6

Administrative, Monitoring, and Troubleshooting Features

SSH X.509 certificate authentication

You can now use an X.509v3 certificate to authenticate a user for SSH (RFC 6187).

New/Modified screens:

• Configuration > Device Management > Users/AAA > AAA Access > Authorization

• Configuration > Device Management > Certificate Management > CA Certificates > Add/Edit Trustpoint > Advanced

• Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

Also in 9.20(4).

AES-256-GCM SSH cipher

The ASA supports the AES-256-GCM cipher for SSH. It is enabled by default for all and high encryption levels.

New/Modified screens: Configuration > Device Management > Advanced > SSH Ciphers

Also in 9.20(4).

Linux kernel crash dump

The Linux kernel crash dump feature lets you debug kernel crash events and find the root cause. This feature is enabled by default.

New/Modified commands: show kernel crash-dump , kernel crash-dump , crashinfoforce kernel-dump

Root Shell Access Support Using Consent Token on ASA Virtual

ASA Virtual supports a new Consent Token mechanism that allows authorized users to obtain one-time access to the Linux root shell for troubleshooting or diagnostic purposes — without requiring the administrator password.

New/Modified commands: consent-token generate-challenge shell-access , consent-token accept-response shell-access

ASDM Features

ASDM 7.24 now requires Java 11

ASDM 7.24 now requires Java 11. For the Oracle version, which is the version bundled with the ASA image, you will need to install Oracle JDK 11: https://www.oracle.com/java/technologies/javase/jdk11-archive-downloads.html. Later versions are not compatible. To minimize risk and ensure better compatibility and stability with Java, we are taking a phased approach to moving off of Java 8, starting with this move to Java 11. If you upgrade to the ASDM Launcher 1.9(10) or later that comes with 7.24, you can still launch earlier versions of ASDM.

For the OpenJRE version, you do not need to install Java; it is built-in.

ASDM certificate authentication

ASDM Launcher 1.9(10), which comes with ASDM 7.24, now supports user certificate authentication. Previously, this feature was only supported with Java Web Start (discontinued in 7.18). Because the ASA commands were not deprecated in 9.18, you can configure earlier ASA versions to use certificate authentication when using any ASDM version with ASDM Launcher 1.9(10).

New/Modified screens:

• ASDM Launcher login window.

• Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

• Configuration > Site-to-Site VPN > Advanced > IPSec > Certificate to Connection Map > Rules

• Configuration > Device Management > Management Access > HTTP Certificate Rule

ASDM FIPS compliance

By default, ASDM starts in non-FIPS mode. To enable FIPS mode:

• Windows—In the FIPS.conf file, change the fips_mode value to true. The FIPS.conf file is located in the installation directory of the ASDM Launcher.

• MacOS—In the FIPS.plist file, change the fipsMode value to true. The FIPS.plist file is located in the Contents folder of the dm-launcher.

FIPS mode is only supported with ASDM 7.24 and later.

New/Modified screens: ASDM Launcher login window.

New authentication method for the Upgrade Software from Cisco.com Wizard

The Cisco.com Authentication dialog box was replaced by the Cisco.com Device Activation dialog box using a newer authentication method for Cisco.com.

New/Modified screens: Tools > Check for ASA/ASDM Updates

VPN Features

SGT over VTI

VTI tunnels now support Cisco TrustSec SGT tags.

New/Modified screens:

• Configuration > Device Setup > Interface Settings > Interfaces > VTI/DVTI Interface > Advanced > Secure Group Tagging

• Configuration > Site-to-Site VPN > Network (client) Access > Advanced > IPsec > IKE Parameters > Secure Group Tagging

ECMP and BFD fault detection support for VTIs

One or more dynamic VTI interfaces can be part of an Equal-Cost Multi-Path (ECMP) zone. Using zones, traffic towards the spoke can be load-balanced. Bidirectional Forwarding Detection (BFD) link detection is faster, detecting faulty VTI links in few milliseconds or microseconds.

New/Modified commands: bfd template , vtemplate-bfd , vtemplate-zone-member , show zone , show conn all , show route

New/Modified screens for ECMP. There is no ASDM support for BFD on VTIs.

• Configuration > Site-to-Site VPN > Advanced > Tunnel Group > Add > Dynamic VTI >

• Configuration > Site-to-Site VPN > Connection Profiles > Advanced > Tunnel Group > Add > Dynamic VTI >

Loopback interface support for distributed site-to-site VPN

You can now create site-to-site VPN tunnels using loopback interfaces in distributed site-to-site mode. Unlike outside addresses that are tied to a location network, the loopback interfaces are not. This independence means you can move the address to another cluster and use routing protocols to propagate the new location to the upstream routers. The peer’s traffic would then be sent to the new location.

IPsec flow offload and DTLS crypto accelerator for the Secure Firewall 6100

Secure Firewall 6100 supports AES-GCM-128 and AES-GCM-256 ciphers only.

IPsec flow offload for the ASA Virtual on KVM

IPsec flow offload is now supported on the DPU for KVM.