This release contains a number of bug fixes; see the Known and Fixed Issues in Release 15.5.0-710 for additional information.

Note	There are no functional changes between builds 15.5.0-710 and 15.5.0-574. If you are currently using 15.5.0-574 or 15.5.0-566, we recommend that you do not upgrade to 15.5.0-710. Wait for the upcoming 15.5.1 (MD) release for the latest improvements.

This release contains a number of bug fixes; see the Known and Fixed Issues in Release 15.5.0-574 for additional information.

Feature	Description
FIPS 140-3 Compliance	Cisco Secure Web Appliance is FIPS compliant and has integrated with the FIPS 140-3-approved Cisco Common Crypto Module. Enable FIPS mode by navigating to System Administration > FIPS Mode > Edit Setting. Note   The enable option is only available if all the services and certificates listed under Current Service Status are FIPS compliant.
Support for New Version of AMP Engine	The Secure Web Appliance gateway now uses a new version of the Advanced Malware Protection (AMP) engine. This new AMP engine uses HTTPS (port 443) instead of TCP to ensure secure communication between your web appliance gateway and Secure Endpoint Cloud. For more information, see the "Network Security" chapter of User Guide for AsyncOS 15.5 for Cisco SecureWeb Appliance.
Microsoft Updates ByPass	Microsoft updates are essential patches, security updates, and feature enhancements released by Microsoft for its operating systems and software applications. These updates are crucial for maintaining the security, stability, and performance of computers and network devices. These updates often involve downloading large files or numerous smaller files, which can consume considerable bandwidth and processing resources in the proxy server. This may lead to congestion, slower network performance, and increased load on the SWA infrastructure, potentially affecting the overall user experience and other critical network operations. Bypassing Microsoft update traffic from the proxy server is a safe and effective way to manage these challenges. Since Microsoft updates are sourced from trusted Microsoft servers, allowing this traffic to bypass the proxy server can help reduce the load on the proxy server without compromising network security. This ensures that essential updates are delivered efficiently while preserving proxy resources for other security and content-filtering tasks. You can now enable the Microsoft Update ByPass feature by navigating to Web Security Manager > Bypass Settings > Edit Application Bypass Settings.
Cisco Secure Web Appliance Integration with Cisco XDR	SecureX is transitioning to an enhanced and more robust platform, Cisco XDR (eXtended Detection and Response). As part of this transition, it is essential to integrate your Secure Web Appliance. The integration of the Secure Web Appliance with Cisco XDR delivers measurable insights, required outcomes, and unparalleled cross-team collaboration. Cisco XDR unifies the visibility of security infrastructure, enables automation, accelerates incident response workflows, and improves threat detection. For more information on how to integrate your Secure Web Appliance with Cisco XDR, see the "Integrate with Cisco XDR" topic in User Guide for AsyncOS 15.5 for Cisco SecureWeb Appliance.
AES-CMAC Encryption Method Support for NTP Authentication	In addition to SHA1 and MD5 encryption methods, support is introduced for AES-CMAC. You can now select the AES-CMAC encryption method for your NTP server. For detailed information, see the "System Date and Time Management" chapter of User Guide for AsyncOS 15.5 for Cisco SecureWeb Appliance.

• You can no longer enable js scanning from the CLI. This option is removed from the CLI.

• Upgrade pre-requisite—TLSv1.0 and TLSv1.1 are no longer supported in any SSL configuration other than the proxy configuration. You must change the TLS version to TLSv1.2 or later before upgrading your AsyncOS.

• The How-Tos feature is no longer supported on Secure Web Aplliance.

• If you are running an EOL/EOS AsyncOS version or hardware, Secure Web Appliance now displays a notification to alert you on the unsupported version or hardware.

• In the following scenario:

  • End-User Misclassification Reporting is enabled under Security Services > End-User Notification.

  • Uncategorized URL is set to BLOCK.

  • HTTPS proxy is disabled under Web Security Manager > Access Policies > Edit URL filtering.

  When you navigate to un-categorized URL and click on Report Misclassification, you are now redirected to a "Thank You" Page with URL of the HTTP instead of displaying a page with error "The page cannot be displayed".

The following are known behaviors of this release:

Secure Web Appliance AVC or ADC Engine known behavior—When an application is configured to be blocked under ADC/AVC, every sub-category under the application will also be blocked. A specific sub-category can be blocked using fine and gain control feature, however this feature is limited to certain apps like smugmug, facebook, linkedin, etc.

Secure Web Appliance integration with Umbrella - Hybrid Policies known behavior

• By default, the source interface in Secure Web Appliance Umbrella settings is set to Management. Changing the source interface to Data requires you to submit and commit the changes before enabling Hybrid Policy.

• Hybrid policies support translation for rule actions Allow, Block, and Warn.

• There is support for translation of Content Categories, Destination Lists, and Applications.

• The translation of AD Users, AD Groups, and internal networks that are associated with public networks is supported.

• In Secure Web Appliance, one Global Umbrella pushed identification profile will always be available.

• Policies that are configured by Secure Web Appliance administrator are prioritized following the policy push from Umbrella.

• When policy push is enabled in the registered appliance page, policies configured in the Umbrella are pushed to all Secure Web Appliances registered under Umbrella.

• The WBRS are disabled for Decryption Policies pushed by Umbrella.

• The decryption policies pushed by Umbrella are set to Decrypt action by default.

• The End-User Notification page will always be enabled in Secure Web Appliance as a global setting.

• In Secure Web Appliance, the End-User Notification page is configured only for the block page first selected in first ruleset of Umbrella.

• Changes in the selected block page appearance of the first ruleset will be translated every three hours.

• In the case of Umbrella pushed identification profiles and customer categories, admin configured policies will be disabled from the Secure Web Appliance side if these profiles or categories are deleted from the Umbrella.

• Secure Web Appliance registration with Umbrella ORG is limited to the number of seats assigned to a specific ORG, which can be seen in the following path of the Umbrella user interface: Admin > Licensing > Number of seats.

• SMA policies cannot be pushed to Secure Web Appliance when it is registered with Umbrella ORG.

• Umbrella cannot push profiles, policies, and custom URL categories to Secure Web Appliance if there is no internal network and AD integrated in Umbrella.

• If API keys that were used for registration and enabling hybrid service are expired, the connection will not be closed until you enable hybrid policy or registered Secure Web Appliance with Umbrella again.

• The following Umbrella Rules configuration are not supported for hybrid policy push: Rules Scheduling and Protected Bypass.

• The SMA policies pushed to Secure Web Appliance are not accepted if the Secure Web Appliance is managed by Umbrella.

• The Save and Load configuration feature will not work for Umbrella settings.

• Translation is not supported for the following Ruleset settings:

  • Ruleset Identities - Chromebooks, G Suite OUs, G Suite Users, Tunnels, Roaming Computers, Internal Networks All Tunnels

  • Tenant Controls

  • File Analysis

  • File Type Control

  • HTTPS Inspection - only applications in Selective Decryption list

  • PAC File

  • SafeSearch

  • Ruleset Logging

  • SAML

  • Security Settings

• The changes made to the HTTPS proxy or AD realm on the Secure Web Appliance does not affect the umbrella policy.

• Application Settings (CASI) Translation

  • Application Settings selected in Rules are translated and pushed to Secure Web Appliance's Access Policy only when ADC is enabled under Security Services > Acceptable Use Control in Secure Web Appliance.

  • When the Application is selected in the Rule, a Custom URL category containing the domains of the selected application will be pushed to that Rule. This same category of Custom URLs is selected under the URL Filtering section of the Access Policy, with Monitor as the action.

  • The application available in Secure Web Appliance but not in Umbrella inherits the global settings action. The application available in Umbrella but not in Secure Web Appliance are ignored.

  • In Secure Web Appliance, applications that are not selected within Rules inherit the global settings.

• Selective Policy Psuh

  • Umbrella web policies are pushed to registered Secure Web Appliances only if the Hybrid Policy state is Active and Policy Push is enabled.

• Umbrella UI Error Message

  • The error message for the last policy push failure can be seen on the Registered Appliance page, which has a maximum character limit of 1024.

• Cleanup of Umbrella Pushed Policies

  • After the Umbrella pushed policies are cleaned up, all admin configured policies will be disabled.

Secure Web Appliance integration with Umbrella - Hybrid Reporting known behavior

• The hybrid reporting feature of Secure Web Appliance can only be enabled if a hybrid policy is enabled.

• The Secure Web Appliance sends Umbrella configured policies reporting data to the Umbrella dashboard.

• Approximately 25% of the local reporting disk space is used to store hybrid reporting data, which is then pushed to Umbrella.

• When Secure Web Appliance does not push the reporting data to Umbrella, it stores only those reporting data on disk for later debugging.

• The Secure Web Appliance continues to send reporting data evaluated by Umbrella policies, even after selective policy push is disabled for that SWA. The Umbrella policy reporting dashboard may display deleted rules for those records if the rule has been deleted from the Umbrella policy.

The following are known limitations of this release:

Sophos engine known limitation—Sophos cannot scan a file which is multi-encoded with Deflate/Brotli encoding types. Sophos displays a SAVI_CORRUPT error and the file gets blocked by default

MIME type library—The MIME type library is now upgraded from 5.11 to 5.39 and the MIME type for certain file types are changed. As a result of this, there might be a change in behaviour to the allowed/blocked MIME types in SWA. You can modify the MIME type with respect to the latest library to avoid the behaviour change.

Secure Web Appliance integration with Umbrella - Hybrid Policies known Limitations

• The following scenarios do not trigger policy translation:

  • Change in the name of the Ruleset.

  • Change in the name of the destination list selected in the Rule.

  • Change in the name of the application list selected in the Rule.

  • Change in name of the selective decryption list selected during HTTP inspection.

  • Adding or removing categories from the selective decryption list used for HTTPS inspection.

  • A selective decryption list containing only categories is selected in the HTTPs inspection.

  • Adding or removing AD users or groups from a Ruleset or a Rule.

  • Integrating or removing AD from the Umbrella dashboard.

• When Ruleset identities are the same in multiple Rulesets, only the first Ruleset of the same identity will translate HTTPS inspection settings consistently.

• The format for the Redirect to Custom URL textbox for end-user notification supports only well-formned hostnames or IPV4 addresses. If we push other URL formats configured in the block page of Umbrella to Secure Web Appliance, the policy push fails with the error message stating: 'An http/https URL must consist of a well-formed hostname or IPv4 address, may optionally include a port, but may not contain a querystring ('?...').'.", 'code': '400', 'explanation': '400 = Bad request syntax or unsupported method.'

• In the case where AD groups are selected in rulesets but rules do not match, the access policy will not be created for that rule.

• The categories and domains selected in the Selective Decryption List are set to passthrough for decryption policies that are pushed from Umbrella to Secure Web Appliance. For predefined and custom URL categories, no access policy will be applied in Secure Web Appliance, but rules will be applied to the same configuration in Umbrella.

• If Microsoft 365 compatibility is enabled in Umbrella, decryption policies that are pushed from Umbrella to Secure Web Appliance are set to passthrough. As a result, passthrough will be enabled for all categories of Microsoft 365 endpoints.

• When a trusted AD is not configured in Secure Web Appliance but a group is selected for this AD at the Umbrella level, an error message appears indicating that it needs to be configured at the Secure Web Appliance level.

• If networks with different masks are selected in Ruleset and Rule, translation is not supported.

• When a large number of applications are selected across Rules, Secure Web Appliance performance is affected.

• To avoid redundant configuration, we recommend using application list rather than selecting individual application in Rules.

Secure Web Appliance integration with Umbrella - Hybrid Reporting known Limitations

• If the user is not included in Umbrella policies, the mapping of AD User to Umbrella origin ID is not possible. Events of this type will be identified by Secure Web Appliance's origin ID.

• Filtering support

  • Only external IP addresses are supported by Secure Web Appliance based filtering.

  • Secure Web Appliances from the same Org (different locations) having the same management IP address will result in combined reporting data.

  • For LDAP/ISE/Guest-based identities, Secure Web Appliance AD user-based identities are not supported.

• In some cases, the system may see duplicates or lost reporting entries.

• Upon enabling or disabling hybrid reporting, an application fault occurs in the reported helper.

Note

TLSv1.0 and TLSv1.1 are no longer supported in any SSL configuration other than the proxy configuration. You must change the TLS version to TLSv1.2 or later before upgrading your AsyncOS. While upgrading, do not connect any devices (keyboard, mouse, management devices (Raritan) and so on.) to the USB ports of the appliance.

You can upgrade to the AsyncOS 15.5.0-710 version from the following versions:

11-8-3-021 11.8.4-004

14.5.1-016 14.5.2-011 14.5.3-033

15.0.0-355 15.0.1-004 15.1.0-287 15.2.0-116 15.2.0-164 15.2.1-011 15-2-2-009 15-2-3-007

Note

TLSv1.0 and TLSv1.1 are no longer supported in any SSL configuration other than the proxy configuration. You must change the TLS version to TLSv1.2 or later before upgrading your AsyncOS. While upgrading, do not connect any devices (keyboard, mouse, management devices (Raritan) and so on.) to the USB ports of the appliance.

You can upgrade to the AsyncOS 15.5.0-574 version from the following versions:

11-8-3-021 11.8.4-004

14.5.1-016 14.5.2-011 14.5.3-033

15.0.0-355 15.0.1-004 15.1.0-287 15.2.0-116 15.2.0-164 15.2.1-011 15-2-2-009 15-2-3-007 15-5-0-566

Note

TLSv1.0 and TLSv1.1 are no longer supported in any SSL configuration other than the proxy configuration. You must change the TLS version to TLSv1.2 or later before upgrading your AsyncOS. While upgrading, do not connect any devices (keyboard, mouse, management devices (Raritan) and so on.) to the USB ports of the appliance.

You can upgrade to the AsyncOS 15.5.0-566 version from the following versions:

11-8-3-021 11.8.4-004

14.5.1-016 14.5.2-011 14.5.3-033

15.0.0-355 15.0.1-004 15.1.0-287 15.2.0-116 15.2.0-164 15.2.1-011 15-2-2-009

Requirements in this section were introduced in AsyncOS 8.8.

The following security vulnerability will be fixed during upgrade if it exists on your appliance:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport%20

Note	This patch is required only for virtual appliance releases that were downloaded or upgraded before June 25, 2015.

If you did not patch this issue before upgrading, you will see a message during upgrade stating that it has been fixed. If you see this message, the following actions are required to return your appliance to full working order after upgrade:

• Remove the existing entry for your appliance from the known hosts list in your ssh utility. Once the new key has been created, connect to the appliance via ssh and accept the connection.

• Clear the old SSH host key for the appliance on the remote server if you are using SCP push to transfer logs to a remote server (including Splunk).

• If your deployment includes a Cisco Content Security Management Appliance, see important instructions in the Release Notes for that appliance.

If you have deployed multiple content security appliances (web, email, and/or management) and you want to view detailed file analysis results in the cloud for all files uploaded from any appliance in your organization, you must configure an appliance group on each appliance after upgrading. To configure appliance groups, see File Reputation Filtering and File Analysis.

If you have deployed multiple content security appliances (web, email, and/or management) and you want to view detailed file analysis results in the cloud for all files uploaded from any appliance in your organization, you must configure an appliance group on each appliance after upgrading. To configure appliance groups, see File Reputation Filtering and File Analysis.

The File Analysis cloud server URL changed in AsyncOS 8.8, and as a result, the file types that can be analyzed may have changed after the upgrade. You should receive an alert if there are changes. To verify the file types selected for analysis, select Security Services > Anti-Malware and Reputation and look at the Advanced Malware Protection settings.

Following upgrades to the regular-expression pattern-matching engine, you may receive an alert regarding unescaped dots in existing pattern definitions after updating your system. Any unescaped dot in a pattern that will return more than 63 characters after the dot will be disabled by the Velocity pattern-matching engine, and an alert to that effect will be sent to you. You will continue to receive an alert following each update until you correct or replace the pattern. Generally, unescaped dots in a larger regular expression can be problematic and should be avoided.

Register for a Cisco account if you do not have one. Go to https://identity.cisco.com/ui/tenants/global/v1.0/enrollment-ui.