Smart Software Licensing Enhancements

• When you enable smart software licensing and register your Web Security Appliance with the Cisco Smart Software Manager, the Cisco Cloud Services (Network > Cloud Service Settings) automatically enables and registers your Web Security Appliance through the Cisco Cloud Services portal.

• You can view the details of the smart account created in the Cisco Smart Software Manager portal using the smartaccountinfo command in the CLI.

• If the Cisco Cloud Services certificate is expired, you can now download a new certificate from the Cisco Talos Intelligence Services portal using the cloudserviceconfig > fetchcertificate sub command in the CLI.

  If the Cisco Cloud Services certificate has expired or is about to expire, the Cisco Cloud Service auto renews the certificate after the upgrade to AsyncOS 14.0.1-040. If auto-renewal fails, you can use the fetchcertificate sub command to renew the certificate manually.

  Note	This command is supported only in the smart licensing mode.

• You can auto register the Web Security Appliance with the Cisco Cloud Service portal using the cloudserviceconfig > autoregister sub command in the CLI.

  Note	This command is available only when the auto registration to cloud service portal has failed. You cannot auto register Cisco Cloud Services when smart license is in evaluation mode.

• You can load the certificate for virtual appliance and hardware appliances using the updateconfig > clientcertificate sub command in the CLI.

  Note	You cannot disable or deregister Cisco Cloud Service if smart licensing is registered on your appliance.

See “Smart Software Licensing” section and “Integrating with Cisco SecureX and Cisco Threat Response” chapter in the user guide.

New URL Categories Update notification

A new URL Categories Update notification is introduced in the banner.

An email notification is also sent to the users about the upcoming URL category updates.

Cisco SecureX Integration

Cisco Web Security appliance now supports integration with Cisco SecureX. Cisco SecureX is a security platform embedded with every Cisco security product. The integration of the Web Security appliance with Cisco SecureX delivers measurable insights, desirable outcomes, and unparalleled cross-team collaboration.

Cisco SecureX unifies visibility of security infrastructure, enables automation, accelerates incident response workflows, and improves threat detection. The distributed capabilities of Cisco SecureX are available in the form of applications (apps) and tools in the Cisco SecureX Ribbon.

See “Integrating with Cisco SecureX and Cisco Threat Response” chapter in the user guide.

Header Rewrite

You can configure custom header profiles for HTTP requests and can create multiple headers under a header rewrite profile. The header rewrite profile feature enables the appliance to pass the user and group information to another upstream device after successful authentication. The upstream proxy considers the user as authenticated, bypasses further authentication, and provides access to the user based on the defined access policies.

See “Intercepting Web Requests” chapter in the user guide.

X- Authentication Header Consumption

You can now configure the Header Based Authentication scheme for an active directory. The client and the Web Security Appliance consider the user as authenticated and does not prompt again for authentication or user credentials. The X-Authenticated feature works when the Web Security Appliance acts as an upstream device.

See “Configuring Global Authentication Settings” and “Classifying Users and Client Software” sections in the user guide.

System Status Dashboard in the New Web Interface

The System Status Dashboard of the appliance has been enhanced:

• Capacity Tab—A new tab is added to the existing System Status Dashboard that provides details on Time Range, System CPU and Memory Usage, Bandwidth and RPS, CPU Usage by Function, and Client or Server Connections.

• The Proxy Traffic Characteristics under the Status tab provides client and server connections details.

• The Service Response Time now includes more details on bar charts and also legend data for previous dates.

See “System Status Page on the New Web Interface” section in the user guide.

REST API for Configuring Management Policies, Access Policies, and Bypass Policies

You can now retrieve configuration information, and perform changes (such as modify existing information, add a new information, or delete an entry) in the configuration data of the appliance using REST APIs.

See the “AsyncOS API 14.0 for Cisco Web Security Appliances - Getting Started Guide.”

Support for HTTP 2.0

Cisco AsyncOS 14.0 version supports HTTP 2.0 for web request and response over TLS. HTTP 2.0 support requires TLS ALPN based negotiation which is available only from TLS 1.2 version onwards.

In this release, the HTTPS 2.0 is not supported for the following features:

• Web Traffic Tap

• External DLP

• Overall Bandwidth and Application Bandwidth

A new CLI command <HTTP2> is introduced to enable or disable HTTP 2.0 configurations.

You cannot enable or disable HTTP 2.0 and restrict domain for HTTP 2.0 through the appliance’s web user interface. The configuration of HTTP 2.0 is not supported through Cisco Secure Email and Web Manager (Cisco Content Security Management Appliances).

Cisco AsyncOS 14.0 version does not support the following HTTP 2.0 features:

• Binary Framing: Push Promise and Prioritization

• Plaintext HTTP2.0 (H2C)

• NPN Based Negotiation

• Session and persistent cookies for HTTPS

The HTTP 2.0 feature supports:

• A maximum of 4096 concurrent sessions and 128 concurrent streams.

• All HTTP protocol in ALPN and a maximum of seven protocols in advertised ALPN.

• A maximum header size of 16k.

Enhancements

Command Line Interface Enhancement

A new warning message is added to the command line interface. The CLI displays the new warning message when you try to use the default certificate of any of the following features:

• Appliance certificate (In the web user interface, navigate to Network > Certificate Management > Appliance Certificate)

• Credential Encryption certificate (In the web user interface, navigate to Network > Authentication > Edit Settings > Advanced section)

• HTTPS Management UI certificate (In the command line interface, use certconfig > SETUP)

OCSP Validation for Server Certificates

A new subcommand OCSPVALIDATION_FOR_SERVER_CERT is added under the certconfig. Using the new subcommand you can enable the OCSP validation for LDAP and Updater server certificates. If the certificate validation is enabled, you will receive an alert if the certificates involved in communication are revoked.

Certificates

Minimum Validity

Maximum Validity

Previous

New

Previous

New

HTTPS

1 month

24 months

120 months

60 months

SAAS

1 month

1 month

120 months

48 months

ISE

1 month

24 months

120 months

60 months

Appliance Certificates

1 day

730 days

1825 days

1825 days

Demo/Management Certificate

Validity period is 5 years

networktuning

After an upgrade to Cisco AsyncOS 14.0, you will receive a prompt to restart the proxy process when you execute the networktuning command for the first time.

SSL Configuration

Beginning Cisco AsyncOS 14.0.2 version, TLSv1.2 is enabled by default for Appliance Management Web User Interface under System Administrator > SSL Configuration to support chrome browser version 98.0.4758.80 or later.

Session resumption

After an upgrade to Cisco AsyncOS 14.0.2 version, session resumption will be disabled by default.

Context Directory Agent (CDA)

Beginning Cisco AsyncOS 14.0.2 version, the following message is added to indicate the end of support for CDA in the CDA configuration section:

"Context Directory Agent (CDA) has reached EOS. It is recommended configuring ISE/ISE-PIC for transparent user authentication instead of CDA."

You can now choose between Data or Management interface from the Test Interface drop-down list.

Smart Software Licensing Enhancements

If you have already registered your appliances to Cisco Smart Software Manager, and have not configured Cisco Cloud Services, then Cisco Cloud Services is automatically enabled after you upgrade to AsyncOS 14.0.1-040. By default, the region is registered as Americas, and you can modify the region (Europe and APJC) as required.

You cannot disable or deregister Cisco Cloud Service if smart licensing is registered on your appliance.

Log Subscriptions

The command line interface and the web user interface of the appliance now displays the following message when an upgrade fails due to invalid log name and file name in the log subscriptions,

‘Failed to upgrade (Reason: Invalid log subscription file names/log names).’

The details related to the invalid file names or log names are also displayed.

Support for configuring polling functionality between the appliance and the authentication server.

A new CLI command gathererdconfig is added to configure the polling functionality between the appliance and the authentication server.

Using gathererdconfig CLI command, you can enable and disable the gathererd polling functionality between the appliance and the authentication server. By default the polling interval is set to 24 hours.

The CLI command is applicable only when the appliance is managed by Cisco Secure Email and Web Manager (Cisco Content Security Management Appliances).

Smart Licensing Registration

You can now choose between Management and Data Interface, while configuring smart licensing feature on the appliance.

A new drop-down list Test Interface (System Administration > Smart Software Licensing) is added with two interface options; Data and Management.

This is applicable only when you enable split routing and register for smart licensing.

Start Test Criteria for LDAP Authentication

After you upgrade to this release, you cannot perform the Start Test for LDAP authentication if the Base DN (Base Distinguished Name) field (Network > Authentication > Add Realm) is empty.