Feature	Description
Single Sign-On using SAML	The Secure Web Appliance now supports Single Sign-On (SSO) using SAML. This enables users to log in to the appliance’s web interface with the same credentials they use for other SAML SSO-enabled services within their organization. By configuring the appliance as a SAML Service Provider (SP) and integrating with a SAML Identity Provider (IdP) such as Microsoft ADFS, users can authenticate once and gain seamless access to all authorized services without repeated logins. Note   This feature is unsupported in the Secure Web Appliance NGUI. NGUI access is unavailable after SSO login. New/Modified Screens: Network > SSO, System Administration > Users > External Authentication
Configuration Audit Logs	The Configuration Audit log is a monitoring page designed to track and log all configuration changes made to the Secure Web Appliance throughout its lifecycle. Previously, there was no dedicated page to monitor these changes, making it difficult to track modifications. New/Modified Screens: Reporting > Configuration Audit
KyberKEM (Post-Quantum Cryptography)	KyberKEM is integrated into the Secure Web Appliance as a Post-Quantum Cryptography (PQC) feature to secure communications against future quantum computing threats. Its primary purpose is to establish a shared secret between two communicating parties while remaining resistant to attackers within the transmission system. Note   By default the feature is disbaled. KyberKEM is only supported on TLS version 1.3. CiscoSSL_PQC 3.3.3.8.3.39 based on OpenSSL 3.3.3 library is introduced for this feature. New/Modified CLI: wsa > advancedproxyconfig > HTTPS
Generative AI Visibility and Control for ADC	Secure Web Appliance now provides enhanced visibility and granular control over Generative AI applications through the Applications Discovery and Control (ADC) engine. This update addresses the security risks associated with Shadow IT and potential data leakage by expanding the ADC database from 4 to over 1,200 Generative AI applications, including tools such as ChatGPT, Claude, Midjourney, and GitHub Copilot. By integrating with Cisco’s Cloud App Security Intelligence (CASI), administrators can now accurately identify, monitor, and apply access policies to a wide range of AI-powered content creation, coding, and productivity tools.

The following are known behaviors of this release:

Secure Web Appliance AVC or ADC Engine known behavior—When an application is configured to be blocked under ADC/AVC, every sub-category under the application will also be blocked. A specific sub-category can be blocked using fine and gain control feature, however this feature is limited to certain apps like smugmug, facebook, linkedin, etc.

Secure Web Appliance integration with Umbrella - Hybrid Policies known behavior

• By default, the source interface in Secure Web Appliance Umbrella settings is set to Management. Changing the source interface to Data requires you to submit and commit the changes before enabling Hybrid Policy.

• Hybrid policies support translation for rule actions Allow, Block, and Warn.

• There is support for translation of Content Categories, Destination Lists, and Applications.

• The translation of AD Users, AD Groups, and internal networks that are associated with public networks is supported.

• In Secure Web Appliance, one Global Umbrella pushed identification profile will always be available.

• Policies that are configured by Secure Web Appliance administrator are prioritized following the policy push from Umbrella.

• When policy push is enabled in the registered appliance page, policies configured in the Umbrella are pushed to all Secure Web Appliances registered under Umbrella.

• The WBRS are disabled for Decryption Policies pushed by Umbrella.

• The decryption policies pushed by Umbrella are set to Decrypt action by default.

• The End-User Notification page will always be enabled in Secure Web Appliance as a global setting.

• In Secure Web Appliance, the End-User Notification page is configured only for the block page first selected in first ruleset of Umbrella.

• Changes in the selected block page appearance of the first ruleset will be translated every three hours.

• In the case of Umbrella pushed identification profiles and customer categories, admin configured policies will be disabled from the Secure Web Appliance side if these profiles or categories are deleted from the Umbrella.

• Secure Web Appliance registration with Umbrella ORG is limited to the number of seats assigned to a specific ORG, which can be seen in the following path of the Umbrella user interface: Admin > Licensing > Number of seats.

• SMA policies cannot be pushed to Secure Web Appliance when it is registered with Umbrella ORG.

• Umbrella cannot push profiles, policies, and custom URL categories to Secure Web Appliance if there is no internal network and AD integrated in Umbrella.

• If API keys that were used for registration and enabling hybrid service are expired, the connection will not be closed until you enable hybrid policy or registered Secure Web Appliance with Umbrella again.

• The following Umbrella Rules configuration are not supported for hybrid policy push: Rules Scheduling and Protected Bypass.

• The SMA policies pushed to Secure Web Appliance are not accepted if the Secure Web Appliance is managed by Umbrella.

• The Save and Load configuration feature will not work for Umbrella settings.

• Translation is not supported for the following Ruleset settings:

  • Ruleset Identities - Chromebooks, G Suite OUs, G Suite Users, Tunnels, Roaming Computers, Internal Networks All Tunnels

  • Tenant Controls

  • File Analysis

  • File Type Control

  • HTTPS Inspection - only applications in Selective Decryption list

  • PAC File

  • SafeSearch

  • Ruleset Logging

  • SAML

  • Security Settings

• The changes made to the HTTPS proxy or AD realm on the Secure Web Appliance does not affect the umbrella policy.

• Application Settings (CASI) Translation

  • Application Settings selected in Rules are translated and pushed to Secure Web Appliance's Access Policy only when ADC is enabled under Security Services > Acceptable Use Control in Secure Web Appliance.

  • When the Application is selected in the Rule, a Custom URL category containing the domains of the selected application will be pushed to that Rule. This same category of Custom URLs is selected under the URL Filtering section of the Access Policy, with Monitor as the action.

  • The application available in Secure Web Appliance but not in Umbrella inherits the global settings action. The application available in Umbrella but not in Secure Web Appliance are ignored.

  • In Secure Web Appliance, applications that are not selected within Rules inherit the global settings.

• Selective Policy Psuh

  • Umbrella web policies are pushed to registered Secure Web Appliances only if the Hybrid Policy state is Active and Policy Push is enabled.

• Umbrella UI Error Message

  • The error message for the last policy push failure can be seen on the Registered Appliance page, which has a maximum character limit of 1024.

• Cleanup of Umbrella Pushed Policies

  • After the Umbrella pushed policies are cleaned up, all admin configured policies will be disabled.

Secure Web Appliance integration with Umbrella - Hybrid Reporting known behavior

• The hybrid reporting feature of Secure Web Appliance can only be enabled if a hybrid policy is enabled.

• The Secure Web Appliance sends Umbrella configured policies reporting data to the Umbrella dashboard.

• Approximately 25% of the local reporting disk space is used to store hybrid reporting data, which is then pushed to Umbrella.

• When Secure Web Appliance does not push the reporting data to Umbrella, it stores only those reporting data on disk for later debugging.

• The Secure Web Appliance continues to send reporting data evaluated by Umbrella policies, even after selective policy push is disabled for that SWA. The Umbrella policy reporting dashboard may display deleted rules for those records if the rule has been deleted from the Umbrella policy.

The following are known limitations of this release:

Sophos engine known limitation—Sophos cannot scan a file which is multi-encoded with Deflate/Brotli encoding types. Sophos displays a SAVI_CORRUPT error and the file gets blocked by default

MIME type library—The MIME type library is now upgraded from 5.11 to 5.39 and the MIME type for certain file types are changed. As a result of this, there might be a change in behaviour to the allowed/blocked MIME types in SWA. You can modify the MIME type with respect to the latest library to avoid the behaviour change.

Secure Web Appliance integration with Umbrella - Hybrid Policies known Limitations

• The following scenarios do not trigger policy translation:

  • Change in the name of the Ruleset.

  • Change in the name of the destination list selected in the Rule.

  • Change in the name of the application list selected in the Rule.

  • Change in name of the selective decryption list selected during HTTP inspection.

  • Adding or removing categories from the selective decryption list used for HTTPS inspection.

  • A selective decryption list containing only categories is selected in the HTTPs inspection.

  • Adding or removing AD users or groups from a Ruleset or a Rule.

  • Integrating or removing AD from the Umbrella dashboard.

• When Ruleset identities are the same in multiple Rulesets, only the first Ruleset of the same identity will translate HTTPS inspection settings consistently.

• The format for the Redirect to Custom URL textbox for end-user notification supports only well-formned hostnames or IPV4 addresses. If we push other URL formats configured in the block page of Umbrella to Secure Web Appliance, the policy push fails with the error message stating: 'An http/https URL must consist of a well-formed hostname or IPv4 address, may optionally include a port, but may not contain a querystring ('?...').'.", 'code': '400', 'explanation': '400 = Bad request syntax or unsupported method.'

• In the case where AD groups are selected in rulesets but rules do not match, the access policy will not be created for that rule.

• The categories and domains selected in the Selective Decryption List are set to passthrough for decryption policies that are pushed from Umbrella to Secure Web Appliance. For predefined and custom URL categories, no access policy will be applied in Secure Web Appliance, but rules will be applied to the same configuration in Umbrella.

• If Microsoft 365 compatibility is enabled in Umbrella, decryption policies that are pushed from Umbrella to Secure Web Appliance are set to passthrough. As a result, passthrough will be enabled for all categories of Microsoft 365 endpoints.

• When a trusted AD is not configured in Secure Web Appliance but a group is selected for this AD at the Umbrella level, an error message appears indicating that it needs to be configured at the Secure Web Appliance level.

• If networks with different masks are selected in Ruleset and Rule, translation is not supported.

• When a large number of applications are selected across Rules, Secure Web Appliance performance is affected.

• To avoid redundant configuration, we recommend using application list rather than selecting individual application in Rules.

Secure Web Appliance integration with Umbrella - Hybrid Reporting known Limitations

• If the user is not included in Umbrella policies, the mapping of AD User to Umbrella origin ID is not possible. Events of this type will be identified by Secure Web Appliance's origin ID.

• Filtering support

  • Only external IP addresses are supported by Secure Web Appliance based filtering.

  • Secure Web Appliances from the same Org (different locations) having the same management IP address will result in combined reporting data.

  • For LDAP/ISE/Guest-based identities, Secure Web Appliance AD user-based identities are not supported.

• In some cases, the system may see duplicates or lost reporting entries.

• Upon enabling or disabling hybrid reporting, an application fault occurs in the reported helper.

The new web interface provides a new look for monitoring reports and tracking web services. You can access the new web interface in the following way:

• Log in to the legacy web interface and click the Secure Web Appliance is getting a new look. Try it!! link. When you click this link, it opens a new tab in your web browser and goes to https://wsa01-enterprise.com:<trailblazer-https-port>/ng-login, where wsa01-enterprise.com is the appliance host name and <trailblazer-https-port> is the trailblazer HTTPS port configured on the appliance for accessing the new web interface.

Important!

• You must log in to the legacy web interface of the appliance.

• Ensure that your DNS server can resolve the hostname of the appliance that you specified.

• By default, the new web interface needs TCP ports 6080, 6443, and 4431 to be operational. Ensure that these ports are not blocked in the enterprise firewall.

• The default port for accessing new web interface is 4431. This can be customized using the trailblazerconfig CLI command. For more information about the trailblazerconfig CLI command, see “Command Line Interface” chapter in the user guide.

• The new web interface also needs AsyncOS API (Monitoring) ports for HTTP and HTTPS. By default, these ports are 6080 and 6443. The AsyncOS API (Monitoring) ports can also be customized using the interfaceconfig CLI command. For more information about the interfaceconfig CLI command, see “Command Line Interface” chapter in the user guide.

If you change these default ports, ensure that the customized ports for the new web interface are not blocked in the enterprise firewall.

The new web interface opens in a new browser window and you must log in again to access it. If you want to log out of the appliance completely, you need to log out of both the new and legacy web interfaces of your appliance.

For a seamless navigation and rendering of HTML pages, Cisco recommends using the following browsers to access the new web interface of the appliance (AsyncOS 11.8 and later):

• Google Chrome

• Mozilla Firefox

You can access the legacy web interface of the appliance on any of the supported browsers.

The supported resolution for the new web interface of the appliance (AsyncOS 11.8 and later) is between 1280x800 and 1680x1050. The best viewed resolution is 1440x900, for all the browsers.

Note	Cisco does not recommend viewing the new web interface of the appliance on higher resolutions.

Each release is identified by the release type (ED - Early Deployment, GD - General Deployment, etc.) For an explanation of these terms, see http://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/content-security-release-terminology.pdf.

This build is only for EFT testing and is only supported on S600V model.

To deploy a virtual appliance, see the Cisco Content Security Virtual Appliance Installation Guide, available at http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-installation-guides-list.html.

The user guide in the website (www.cisco.com) may be more current than the online help. To obtain the user guide and other documentation for this product, click the View PDF button in the online help or visit the URL shown in Related Documentation.

Documentation	Location
Cisco Secure Web Appliance User Guide	http://www.cisco.com/c/en/us/support/security/web-security-appliance/tsd-products-support-series-home.html
Cisco Content Security Management Appliance User Guide	https://www.cisco.com/c/en/us/support/security/content-security-management-appliance/series.html
Virtual Appliance Installation Guide	https://www.cisco.com/c/en/us/support/security/email-securityappliance/products-installation-guides-list.html
Secure Web Appliance Release Notes, ISE Compatibility Matrix,and Ciphers	https://www.cisco.com/c/en/us/support/security/web-security-appliance/products-release-notes-list.html
Compatibility Matrix for Cisco Secure Email and Web Manager with Secure Web Appliance	https://www.cisco.com/c/dam/en/us/td/docs/security/security_management/sma/sma_all/web-compatibility/index.html
API Guide	https://www.cisco.com/c/en/us/support/security/web-security-appliance/products-programming-reference-guides-list.html

Cisco Support Community is an online forum for Cisco customers, partners, and employees. It provides a place to discuss general web security issues as well as technical information about specific Cisco products. You can post topics to the forum to ask questions and share information with other Cisco users.

Access the Cisco Support Community for web security and associated management:

https://supportforums.cisco.com/community/5786/web-security

Note	To get support for virtual appliances, call Cisco TAC. Have your Virtual License Number (VLN) number ready before you call TAC.

Cisco TAC:

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html.

Support site for legacy IronPort:

http://www.cisco.com/web/services/acquisitions/ironport.html.

For noncritical issues, you can also access customer support from the appliance. For instructions, see the Troubleshooting section of the Secure Web Appliance User Guide.