Cisco is excited to announce the FTD 7.1, ASA 9.17.1, FXOS 2.11(1), CSM 4.24, and ASDM 7.17 releases that simplify and harmonize remote access, network, and workload security across your hybrid and multi-cloud environments. Cisco’s year-end innovations keep the network from going dark, with new visibility into encrypted traffic, and drive efficiency at scale, with improved scalability both within and across public cloud providers.
Superior Threat Visibility
- Snort 3 - Rule Recommendations: Associates host vulnerabilities detected on the network with rules tailored to the specific needs of one or more hosts. Updates include no rule overhead and security level rules that are derived from Talos intrusion policies. The recommended actions are based on the security level (policy) selected for more rules.
- Snort 3 - Elephant Flows: Has the ability to identify and provide visibility of long-lived flows that could impact performance, including huge file transfers and database update flows. Currently available for FTDs running Snort 3.
- Snort 3 - Multi-Channel Support for SMB: New SMB inspector detects, and processes SMB sessions that are spread across multiple TCP connections, detects and processes files getting transferred over these sessions, and applies file policy/rules on them. Applies to Snort 3 only.
- TLS & Encrypted Visibility Engine (Experimental): Decryption of internet traffic against Man-in-the-middle attacks, among others, along with TLS 1.3 server certificate encryption, creates a significant load on firewalls. To reduce this, Snort 3 utilizes machine learning to determine the application (client process) generating the Client Hello packet, identifies known processes/browsers – thereby providing a path from now on to reduce the number of decryption events needed.
Direct Internet Access
Utilizes application detection on the first packet and policy-based routing to determine if the traffic should go directly to the Internet or a corporate network. Based on defined ingress/egress interfaces and applications.
VPN Enhancements
- PasswordLess Authentication - This feature introduces support for expanding the passwordless authentication story to Remote Access VPN users. Anyconnect now supports using the user system's default browser, eliminating the need for users to re-authenticate for VPN while using Single Sign-On. With WebAuthN support, the MFA can be expanded to biometrics-based devices such as fingerprint readers, Yubikeys, etc.
- Unique Local Tunnel ID - Enables Umbrella SIG integration for SASE tunnels.
- Support for Multiple Trustpoints in SAML Authentication - Integrates with Azure AD easier for SSO.
- Site to Site Tunnel Monitoring Dashboard
- SAML support with VPN Load Balancing Groups
FQDN NAT
- Ability to change destination address using FQDN response.
- Include FQDN name in NAT policy for enhanced usability.
- Simplified firewall insertion in public/private cloud, Dynamic IPs for destination NAT, and One-to-many DNS resolution with load balancing.
Cisco Secure Dynamic Attributes Connector
This connector helps organizations execute a multi-cloud strategy and associated security controls by consistently managing network security policy, no matter where the workload resides. Without deploying a policy, policy rules can be defined based on non-network ‘attributes’ such as VM Name, Security Group, VPC, etc. The connector currently supports NSX-T, Azure, and AWS, with more environment support planned for future releases.
Wild Card Mask
- Network objects allow wildcard network masks that can be used in Access Control, Prefilter, and NAT policies.
- Supported on devices running Snort3.
Geneve Support
NVE encapsulation in ASAv/FTDv and AWS proxy mode VNI interface in AWS virtual platform. With the support comes enhanced troubleshooting capabilities.
ASAv Clustering
The 9.17.1 release brings clustering to our virtual firewall portfolio for the private cloud, which will help to improve performance and scaling for ASAv deployments significantly.
Firewall Migration Tool Updates
Firewall Migration Tool 2.5 includes support for Threat Defense 7.1, particularly enabling Wildcard Mask migrations. Customers and partners can now optimize access control rules during the migration by identifying and removing redundant and shadow rules. Streamlined Object optimization capabilities and results are now included in the tool’s post-migration report.
This video reviews the Access List & Object Optimization features in the Cisco Secure Firewall Migration Tool during configuration. Download the tool at Cisco Firewall Migration Tool.
Firewall Performance Estimator Updates
- TLS Decryption, VPN IPsec, Clear text percentage slider bars
- Shows percentage of traffic that contains encrypted TLS inside the IPSec VPN
- Option to select custom packet size mix as low as 90B, high as 1024B
- Latest numbers for Firewall software 7.0, select Snort 2/3
- Estimated Logging Volume and Total Event Rate
- Create a list – Product IDs for Cisco Commerce Workspace (CCW) order
- Compare devices with differences highlighted
- Device info - ACE/ACL max limit, Product IDs added
- Product photos
Firewall AppID
The self-service portal is available to all customers to search for Application Detectors. Allows users to view detector vulnerability database release notes, dispute existing application detectors, or request new ones.
Secure Firewall Cloud Resources Site
We are introducing the new and easy-to-navigate Secure Firewall Cloud resources web page. The centralized page provides additional learning and documentation resources on the top 50+ templates for all major cloud environments and key use cases.
Together with the Secure Firewall GitHub repository and a dedicated Youtube Channel, it should provide all the resources needed to deploy and utilize Secure Firewall in the cloud successfully.
External Partnerships
Firewall as a Service
Cisco has collaborated with AWS to simplify the way organizations secure their public cloud infrastructure using Firewall-as-a-Service (FWaaS), where Cisco Secure Firewall is integrated with the AWS Gateway Load Balancer (GWLB).
The FWaaS service was launched at AWS Re: invent 21, and customers can sign up for the limited preview release, which starts in January. This will help simplify how customers consume our virtual firewall in AWS without rearchitecting, deploying, or managing new infrastructure. For more information, read Simplify Network Security with Cisco Secure Firewall-as-a-service (FWaaS) on AWS.
Snort 3 Anywhere
At AWS Re: invent ‘21, Cisco also launched Snort 3 Anywhere - Making Snort 3 officially available in a container form factor to be consumed in customer’s Kubernetes cluster either running on AWS or On-prem.
It’s yet another way Cisco fulfills our vision to simplify security for networks, workloads, and applications across the multi-cloud world.
Equinix’s Network Edge as a Service Platform
Cisco Secure Firewall and Equinix have validated Secure Firewall Threat Defense Virtual to run on Equinix’s Network Edge as a Service platform. Equinix Fabric allows you to connect digital infrastructure and services on demand via secure, software-defined interconnection (Ecosystem). For more information, read more about Equinix.
Next-Generation Security and Threat Defense for Multi-Cloud Networks with Alkira
Cisco Secure Firewall and Alkira join hands to deliver Next-Generation Security and Threat Defense for Multi-Cloud Networks.
The joint solution allows organizations to seamlessly extend their security services to the cloud with Cisco Secure Firewall Threat Defense 7.1, providing granularity, control, and simplicity - unmatched by the native cloud deployments.
Cisco firewalls are integrated into the Alkira Network Services Marketplace, which is part of the Alkira Cloud Services Exchange (Alkira CSX) solution, the industry’s first cloud network infrastructure-as-a-service (CNaaS) platform. For more information, see Next generation security and threat defense for the multi-cloud networks.
Enhanced Firepower Documentation Landing Page
We now have version-specific document landing pages for each release starting at 6.4.
2 Comments
