Platform Features

Support for ASA and FTD on separate modules of the same Firepower 9300

You can now deploy ASA and FTD logical devices on the same Firepower 9300.

Requires FXOS 2.6.1.

No modified screens.

Firewall Features

GTPv1 release 10.12 support.

The system now supports GTPv1 release 10.12. Previously, the system supported release 6.1. The new support includes recognition of 25 additional GTPv1 messages and 66 information elements.

In addition, there is a behavior change. Now, any unknown message IDs are allowed. Previously, unknown messages were dropped and logged.

No modified screens.

Cisco Umbrella Enhancements.

You can now identify local domain names that should bypass Cisco Umbrella. DNS requests for these domains go directly to the DNS servers without Umbrella processing. You can also identify which Umbrella servers to use for resolving DNS requests. Finally, you can define the Umbrella inspection policy to fail open, so that DNS requests are not blocked if the Umbrella server is unavailable.

New/Modified screens: Configuration > Firewall > Objects > Umbrella, Configuration > Firewall > Objects > Inspect Maps> DNS.

The object group search threshold is now disabled by default.

If you enabled object group search, the feature was subject to a threshold to help prevent performance degradation. That threshold is now disabled by default. You can enable it by using the object-group-search threshold command.

We changed the following screen: Configuration > Access Rules > Advanced.

Interim logging for NAT port block allocation.

When you enable port block allocation for NAT, the system generates syslog messages during port block creation and deletion. If you enable interim logging, the system generates message 305017 at the interval you specify. The messages report all active port blocks allocated at that time, including the protocol (ICMP, TCP, UDP) and source and destination interface and IP address, and the port block.

New/Modified screen: Configuration > Firewall > Advanced > PAT Port Block Allocation.

VPN Features

New condition option for debug aaa .

The condition option was added to the debug aaa command. You can use this option to filter VPN debugging based on group name, user name, or peer IP address.

No modified screens.

Support for RSA SHA-1 in IKEv2

You can now generate a signature using the RSA SHA-1 hashing algorithm for IKEv2.

New/Modified screens:

View the default SSL configuration for both DES and 3DES encryption licenses as well as available ciphers

You can now view the default SSL configuration with and without the 3DES encryption license. In addition, you can view all the ciphers supported on the device.

New/Modified commands: show ssl information

No modified screens.

Add subdomains to webVPN HSTS

Allows domain owners to submit what domains should be included in the HSTS preload list for web browsers.

New/Modified screens:

Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Proxies > Enable HSTS Subdomains field

High Availability and Scalability Features

Per-site gratuitous ARP for clustering

The ASA now generates gratuitous ARP (GARP) packets to keep the switching infrastructure up to date: the highest priority member at each site periodically generates GARP traffic for the global MAC/IP addresses. When using per-site MAC and IP addresses, packets sourced from the cluster use a site-specific MAC address and IP address, while packets received by the cluster use a global MAC address and IP address. If traffic is not generated from the global MAC address periodically, you could experience a MAC address timeout on your switches for the global MAC address. After a timeout, traffic destined for the global MAC address will be flooded across the entire switching infrastructure, which can cause performance and security concerns. GARP is enabled by default when you set the site ID for each unit and the site MAC address for each Spanned EtherChannel.

New/Modified screens: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration > Site Periodic GARP field

Routing Features

OSPF Keychain support for authentication

OSPF authenticates the neighbor and route updates using MD5 keys. In ASA, the keys that are used to generate the MD5 digest had no lifetime associated with it. Thus, user intervention was required to change the keys periodically. To overcome this limitation, OSPFv2 supports MD5 authentication with rotating keys.

Based on the accept and send lifetimes of Keys in KeyChain, OSPF authenticates, accepts or rejects keys and forms adjacency.

New/Modified screens:

• Configuration > Device Setup > Key Chain
• Configuration > Device Setup > Routing > OSPF > Setup > Authentication
• Configuration > Device Setup > Routing > OSPF > Setup > Virtual Link

Certificate Features

Local CA configurable FQDN for enrollment URL

To make the FQDN of the enrollment URL configurable instead of using the ASA's configured FQDN, a new CLI option is introduced. This new option is added to the smtp mode of crypto ca server .

New/Modified commands: fqdn

Administrative, Monitoring, and Troubleshooting Features

enable password change now required on a login

The default enable password is blank. When you try to access privileged EXEC mode on the ASA, you are now required to change the password to a value of 3 characters or longer. You cannot keep it blank. The no enable password command is no longer supported.

At the CLI, you can access privileged EXEC mode using the enable command, the login command (with a user at privilege level 2+), or an SSH or Telnet session when you enable aaa authorization exec auto-enable . All of these methods require you to set the enable password.

This password change requirement is not enforced for ASDM logins. In ASDM, by default, you can log in without a username and with the enable password.

No modified screens.

Configurable limitation of admin sessions

You can configure the maximum number of aggregate, per user, and per-protocol administrative sessions. Formerly, you could configure only the aggregate number of sessions. This feature does not affect console sessions. Note that in multiple context mode, you cannot configure the number of HTTPS sessions, where the maximum is fixed at five sessions. The quota management-session command is also no longer accepted in the system configuration and is instead available in the context configuration. The maximum aggregate sessions is now 15; if you configured 0 (unlimited) or 16+, then when you upgrade, the value is changed to 15.

New/Modified screens: Configuration > Device Management > Management Access > Management Session Quota

Notifications for administrative privilege level changes

When you authenticate for enable access (aaa authentication enable console ) or allow privileged EXEC access directly (aaa authorization exec auto-enable ), then the ASA now notifies users if their assigned access level has changed since their last login.

New/Modified screens:

Status bar > Login History icon

NTP support on IPv6

You can now specify an IPv6 address for the NTP server.

New/Modified screens: Configuration > Device Setup > System Time > NTP > Add button > Add NTP Server Configuration dialog box

SSH stronger security

See the following SSH security improvements:

• SSH version 1 is no longer supported; only version 2 is supported.
• Diffie-Hellman Group 14 SHA256 key exchange support. This setting is now the default. The former default was Group 1 SHA1.
• HMAC-SHA256 integrity cipher support. The default is now the high security set of ciphers (hmac-sha1 and hmac-sha2-256). The former default was the medium set.

New/Modified screens:

• Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH
• Configuration > Device Management > Advanced > SSH Ciphers

Allow non-browser-based HTTPS clients to access the ASA

You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.

New/Modified screens.

Configuration > Device Management > Management Access > HTTP Non-Browser Client Support

Capture control plane packets only on the cluster control link

You can now capture control plane packets only on the cluster control link (and no data plane packets). This option is useful in the system in multiple context mode where you cannot match traffic using an ACL.

New/Modified screens:

Wizards > Packet Capture Wizard > Cluster Option

debug conn command

The debug conn command was added to provide two history mechanisms that record connection processing. The first history list is a per-thread list that records the operations of the thread. The second history list is a list that records the operations into the conn-group. When a connection is enabled, processing events such as a connection lock, unlock, and delete are recorded into the two history lists. When a problem occurs, these two lists can be used to look back at the processing to determine the incorrect logic.

New/Modified commands: debug conn

show tech-support includes additional output

The output of the show tech-support is enhanced to display the output of the following:

• show ipv6 interface
• show aaa-server
• show fragment

New/Modified commands: show tech-support

ASDM support to enable and disable the results for free memory and used memory statistics during SNMP walk operations

To avoid overutilization of CPU resources, you can enable and disable the query of free memory and used memory statistics collected through SNMP walk operations.

New or modified screen: Configuration > Device Management > Management Access > SNMP

Configurable graph update interval for the ASDM Home pane for the System in multiple-context mode

For the System in multiple context mode, you can now set the amount of time between updates for the graphs on the Home pane.

New/Modified screens:

Tools > Preferences > Graph User time interval in System Context