Welcome to the Secure Web Appliance
About Secure Web Appliance
The Cisco Secure Web Appliance intercepts and monitors internet traffic and applies policies to help keep your internal network secure from malware, sensitive data loss, productivity loss, and other internet-based threats. It acts as a proxy server, intercepting web requests from users and scanning the requested web content for potential threats such as malware, viruses, and phishing attempts. Cisco Secure Web Appliance uses various security technologies such as URL filtering, antivirus scanning, reputation-based filtering, and advanced malware protection to ensure the security of web traffic.
What’s New
What’s New in AsyncOS 15.1.0-287
The following features are introduced in this release:
Feature |
Description |
|
---|---|---|
Mandatory Smart License for Secure Web Appliance |
In AsyncOS 15.1 and later releases, Smart Software License is mandatory. Implementation of Smart License includes the following features:
For more information, see Smart Software Licensing. |
|
Cisco Secure Web Appliance integration with Cisco Umbrella |
The integration of Cisco Umbrella and Cisco Secure Web Appliance facilitates deployment of common web policies from Umbrella to Secure Web Appliance. In addition, you can configure policies through the Umbrella dashboard and view logs. When you configure the common web policies in the Umbrella Dashboard, the policies are pushed to Secure Web Appliance. The reporting data of those configured web policies are sent back to Umbrella and available on the Umbrella Dashboard. Reporting data includes information such as URLs browsed, their IP addresses, and whether the URL was permitted or blocked. After successful integration, the following web policies get translated and pushed from Umbrella to Secure Web Appliance. |
|
From Umbrella |
To Secure Web Appliance |
|
Ruleset Identities |
Global Identification Profile |
|
Destination Lists |
Custom and External URL Categories |
|
Web Policy (rules) |
Access Policies |
|
HTTPS Inspection |
Decryption Policies |
|
Microsoft 365 Compatibility |
Custom and External URL Categories |
|
Block Page settings in Ruleset |
End-User Notification |
|
Application Settings (CASI) |
Applications Access Policies |
|
For more information, see Integrate Cisco Secure Web Appliance with Cisco Umbrella. |
Note |
There is no SMA compatible build available for the AsyncOS coeus-15-1-0-287 (Limited Deployment) build. |
Known Behavior
The following are known behaviors of this release:
Secure Web Appliance integration with Umbrella - Hybrid Policies known behavior
-
By default, the source interface in Secure Web Appliance Umbrella settings is set to Management. Changing the source interface to Data requires you to submit and commit the changes before enabling Hybrid Policy.
-
Hybrid policies support translation for rule actions Allow, Block, and Warn.
-
There is support for translation of Content Categories, Destination Lists, and Applications.
-
The translation of AD Users, AD Groups, and internal networks that are associated with public networks is supported.
-
In Secure Web Appliance, one Global Umbrella pushed identification profile will always be available.
-
Policies that are configured by Secure Web Appliance administrator are prioritized following the policy push from Umbrella.
-
When policy push is enabled in the registered appliance page, policies configured in the Umbrella are pushed to all Secure Web Appliances registered under Umbrella.
-
The WBRS are disabled for Decryption Policies pushed by Umbrella.
-
The decryption policies pushed by Umbrella are set to Decrypt action by default.
-
The End-User Notification page will always be enabled in Secure Web Appliance as a global setting.
-
In Secure Web Appliance, the End-User Notification page is configured only for the block page first selected in first ruleset of Umbrella.
-
Changes in the selected block page appearance of the first ruleset will be translated every three hours.
-
In the case of Umbrella pushed identification profiles and customer categories, admin configured policies will be disabled from the Secure Web Appliance side if these profiles or categories are deleted from the Umbrella.
-
Secure Web Appliance registration with Umbrella ORG is limited to the number of seats assigned to a specific ORG, which can be seen in the following path of the Umbrella user interface: Admin > Licensing > Number of seats.
-
SMA policies cannot be pushed to Secure Web Appliance when it is registered with Umbrella ORG.
-
Umbrella cannot push profiles, policies, and custom URL categories to Secure Web Appliance if there is no internal network and AD integrated in Umbrella.
-
If API keys that were used for registration and enabling hybrid service are expired, the connection will not be closed until you enable hybrid policy or registered Secure Web Appliance with Umbrella again.
-
The following Umbrella Rules configuration are not supported for hybrid policy push: Rules Scheduling and Protected Bypass.
-
The SMA policies pushed to Secure Web Appliance are not accepted if the Secure Web Appliance is managed by Umbrella.
-
The Save and Load configuration feature will not work for Umbrella settings.
-
Translation is not supported for the following Ruleset settings:
-
Ruleset Identities - Chromebooks, G Suite OUs, G Suite Users, Tunnels, Roaming Computers, Internal Networks All Tunnels
-
Tenant Controls
-
File Analysis
-
File Type Control
-
HTTPS Inspection - only applications in Selective Decryption list
-
PAC File
-
SafeSearch
-
Ruleset Logging
-
SAML
-
Security Settings
-
-
The changes made to the HTTPS proxy or AD realm on the Secure Web Appliance does not affect the umbrella policy.
-
Application Settings (CASI) Translation
-
Application Settings selected in Rules are translated and pushed to Secure Web Appliance's Access Policy only when ADC is enabled under
in Secure Web Appliance. -
When the Application is selected in the Rule, a Custom URL category containing the domains of the selected application will be pushed to that Rule. This same category of Custom URLs is selected under the URL Filtering section of the Access Policy, with Monitor as the action.
-
The application available in Secure Web Appliance but not in Umbrella inherits the global settings action. The application available in Umbrella but not in Secure Web Appliance are ignored.
-
In Secure Web Appliance, applications that are not selected within Rules inherit the global settings.
-
-
Selective Policy Psuh
-
Umbrella web policies are pushed to registered Secure Web Appliances only if the Hybrid Policy state is Active and Policy Push is enabled.
-
-
Umbrella UI Error Message
-
The error message for the last policy push failure can be seen on the Registered Appliance page, which has a maximum character limit of 1024.
-
-
Cleanup of Umbrella Pushed Policies
-
After the Umbrella pushed policies are cleaned up, all admin configured policies will be disabled.
-
Secure Web Appliance integration with Umbrella - Hybrid Reporting known behavior
-
The hybrid reporting feature of Secure Web Appliance can only be enabled if a hybrid policy is enabled.
-
The Secure Web Appliance sends Umbrella configured policies reporting data to the Umbrella dashboard.
-
Approximately 25% of the local reporting disk space is used to store hybrid reporting data, which is then pushed to Umbrella.
-
When Secure Web Appliance does not push the reporting data to Umbrella, it stores only those reporting data on disk for later debugging.
-
The Secure Web Appliance continues to send reporting data evaluated by Umbrella policies, even after selective policy push is disabled for that SWA. The Umbrella policy reporting dashboard may display deleted rules for those records if the rule has been deleted from the Umbrella policy.
Known Limitations
The following are known limitations of this release:
Secure Web Appliance integration with Umbrella - Hybrid Policies known Limitations
-
The following scenarios do not trigger policy translation:
-
Change in the name of the Ruleset.
-
Change in the name of the destination list selected in the Rule.
-
Change in the name of the application list selected in the Rule.
-
Change in name of the selective decryption list selected during HTTP inspection.
-
Adding or removing categories from the selective decryption list used for HTTPS inspection.
-
A selective decryption list containing only categories is selected in the HTTPs inspection.
-
Adding or removing AD users or groups from a Ruleset or a Rule.
-
Integrating or removing AD from the Umbrella dashboard.
-
-
When Ruleset identities are the same in multiple Rulesets, only the first Ruleset of the same identity will translate HTTPS inspection settings consistently.
-
The format for the Redirect to Custom URL textbox for end-user notification supports only well-formned hostnames or IPV4 addresses. If we push other URL formats configured in the block page of Umbrella to Secure Web Appliance, the policy push fails with the error message stating: 'An http/https URL must consist of a well-formed hostname or IPv4 address, may optionally include a port, but may not contain a querystring ('?...').'.", 'code': '400', 'explanation': '400 = Bad request syntax or unsupported method.'
-
In the case where AD groups are selected in rulesets but rules do not match, the access policy will not be created for that rule.
-
The categories and domains selected in the Selective Decryption List are set to passthrough for decryption policies that are pushed from Umbrella to Secure Web Appliance. For predefined and custom URL categories, no access policy will be applied in Secure Web Appliance, but rules will be applied to the same configuration in Umbrella.
-
If Microsoft 365 compatibility is enabled in Umbrella, decryption policies that are pushed from Umbrella to Secure Web Appliance are set to passthrough. As a result, passthrough will be enabled for all categories of Microsoft 365 endpoints.
-
When a trusted AD is not configured in Secure Web Appliance but a group is selected for this AD at the Umbrella level, an error message appears indicating that it needs to be configured at the Secure Web Appliance level.
-
If networks with different masks are selected in Ruleset and Rule, translation is not supported.
-
When a large number of applications are selected across Rules, Secure Web Appliance performance is affected.
-
To avoid redundant configuration, we recommend using application list rather than selecting individual application in Rules.
Secure Web Appliance integration with Umbrella - Hybrid Reporting known Limitations
-
If the user is not included in Umbrella policies, the mapping of AD User to Umbrella origin ID is not possible. Events of this type will be identified by Secure Web Appliance's origin ID.
-
Filtering support
-
Only external IP addresses are supported by Secure Web Appliance based filtering.
-
Secure Web Appliances from the same Org (different locations) having the same management IP address will result in combined reporting data.
-
For LDAP/ISE/Guest-based identities, Secure Web Appliance AD user-based identities are not supported.
-
-
In some cases, the system may see duplicates or lost reporting entries.
-
Upon enabling or disabling hybrid reporting, an application fault occurs in the reported helper.
Accessing the New Web Interface
The new web interface provides a new look for monitoring reports and tracking web services. You can access the new web interface in the following way:
-
Log in to the legacy web interface and click the Secure Web Appliance is getting a new look. Try it!! link. When you click this link, it opens a new tab in your web browser and goes to
https://wsa01-enterprise.com:<trailblazer-https-port>/ng-login
, wherewsa01-enterprise.com
is the appliance host name and<trailblazer-https-port>
is the trailblazer HTTPS port configured on the appliance for accessing the new web interface.
Important!
-
You must log in to the legacy web interface of the appliance.
-
Ensure that your DNS server can resolve the hostname of the appliance that you specified.
-
By default, the new web interface needs TCP ports 6080, 6443, and 4431 to be operational. Ensure that these ports are not blocked in the enterprise firewall.
-
The default port for accessing new web interface is 4431. This can be customized using the trailblazerconfig CLI command. For more information about the trailblazerconfig CLI command, see “Command Line Interface” chapter in the user guide.
-
The new web interface also needs AsyncOS API (Monitoring) ports for HTTP and HTTPS. By default, these ports are 6080 and 6443. The AsyncOS API (Monitoring) ports can also be customized using the interfaceconfig CLI command. For more information about the interfaceconfig CLI command, see “Command Line Interface” chapter in the user guide.
If you change these default ports, ensure that the customized ports for the new web interface are not blocked in the enterprise firewall.
The new web interface opens in a new browser window and you must log in again to access it. If you want to log out of the appliance completely, you need to log out of both the new and legacy web interfaces of your appliance.
For a seamless navigation and rendering of HTML pages, Cisco recommends using the following browsers to access the new web interface of the appliance (AsyncOS 11.8 and later):
-
Google Chrome
-
Mozilla Firefox
You can access the legacy web interface of the appliance on any of the supported browsers.
The supported resolution for the new web interface of the appliance (AsyncOS 11.8 and later) is between 1280x800 and 1680x1050. The best viewed resolution is 1440x900, for all the browsers.
Note |
Cisco does not recommend viewing the new web interface of the appliance on higher resolutions. |
Release Classification
Each release is identified by the release type (ED - Early Deployment, GD - General Deployment, etc.) For an explanation of these terms, see http://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/content-security-release-terminology.pdf.
Supported Hardware for This Release
The build is available for upgrade on all the existing supported platforms, whereas the enhanced performance support is available only for the following hardware models:
-
Sx95/F
Virtual Models:
-
S100v
-
S300v
The system CPU and memory requirements are changed from 12.5 release onwards. For more information, see Cisco Content Security Virtual Appliance Installation Guide.
-
S600v
-
S1000v
Note |
|
Upgrade Paths
Upgrading to AsyncOS 15.1.0-287
Note |
While upgrading, do not connect any devices (keyboard, mouse, management devices (Raritan) and so on.) to the USB ports of the appliance. |
You can upgrade to the AsyncOS 15.1.0-287 version from the following versions:
|
|
|
|
Post–Upgrade Requirements
After you upgrade to 15.1.0-287, you must perform the following steps if you have not registered your appliance with Cisco Threat Response:
Procedure
Step 1 |
Create a user account in the Cisco Threat Response portal with admin access rights. To create a new user account, navigate to the Cisco Threat Response portal login page using the following URL- https://visibility.amp.cisco.com and click ‘Create a Cisco Security Account’. If you are unable to create a new user account, contact Cisco TAC for assistance. |
Step 2 |
For registering your appliance with security services exchange cloud portal, generate token from security services exchange portal corresponding to your region. While registering with security services exchange cloud portal, select the following FQDN based on your region from the web user interface of your appliance:
|
Step 3 |
Make sure that you enable Cisco Threat Response under Cloud Services on the security services exchange portal. Ensure that you open HTTPS (In and Out) 443 port on the firewall for the FQDN api-sse.cisco.com (America) to register your appliance with the Security Services Exchange portal. To deploy a virtual appliance, see the Cisco Content Security Virtual Appliance Installation Guide, available from http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-installation-guides-list.html. |
Compatibility Details
Compatibility with Cisco AsyncOS for Security Management
For compatibility between this release and AsyncOS for Cisco Content Security Management releases, see the compatibility matrix at: https://www.cisco.com/c/dam/en/us/td/docs/security/security_management/sma/sma_all/web-compatibility/index.html.
IPv6 and Kerberos Not Available in Cloud Connector Mode
When the appliance is configured in Cloud Connector mode, unavailable options for IPv6 addresses and Kerberos authentication appear on pages of the web interface. Although the options appear to be available, they are not supported in Cloud Connector mode. Do not attempt to configure the appliance to use IPv6 addresses or Kerberos authentication when in Cloud Connector mode.
Functional Support for IPv6 Addresses
Features and functionality that support IPv6 addresses:
-
Command line and web interfaces. You can access the appliance using http://[2001:2:2::8]:8080 or https://[2001:2:2::8]:8443
-
Performing proxy actions on IPv6 data traffic (HTTP/HTTPS/SOCKS/FTP)
-
IPv6 DNS Servers
-
WCCP 2.01 (Cat6K Switch) and Layer 4 transparent redirection
-
Upstream Proxies
-
Authentication Services
-
Active Directory (NTLMSSP, Basic, and Kerberos)
-
LDAP
-
SaaS SSO
-
Transparent user identification through CDA (communication with CDA is IPv4 only)
-
Credential Encryption
-
-
Web Reporting and Web Tracking
-
External DLP Servers (communication between the appliance and DLP Server is IPv4 only)
-
PAC File Hosting
-
Protocols: NTP, RADIUS, SNMP, and Syslog over the management server
Features and functionality that require IPv4 addresses:
-
Internal SMTP relay
-
External Authentication
-
Log subscription push methods: FTP, SCP, and Syslog
-
NTP servers
-
Local update servers, including proxy servers for updates
-
Authentication services
-
AnyConnect Security Mobility
-
Novell eDirectory authentication servers
-
Custom logo for end-user notification pages
-
Communication between the Web Security Appliance and the Security Management Appliance
-
WCCP versions prior to 2.01
-
SNMP
Availability of Kerberos Authentication for Operating Systems and Browsers
You can use Kerberos authentication with these operating systems and browsers:
-
Windows servers 2003, 2008, 2008R2, and 2012.
-
Latest releases of Safari and Firefox browsers on Mac (OSX Version 10.5 and later)
-
IE (Version 7 and later) and latest releases of Firefox and Chrome browsers on Windows 7 and later.
Kerberos authentication is not available with these operating systems and browsers:
-
Windows operating systems not mentioned above
-
Browsers not mentioned above
-
iOS and Android
Deploying a Virtual Appliance
To deploy a virtual appliance, see the Cisco Content Security Virtual Appliance Installation Guide, available at http://www.cisco.com/c/en/us/support/security/web-security-appliance/products-installation-guides-list.html.
Migrating from a Hardware Appliance to a Virtual Appliance
Procedure
Step 1 |
Follow the instructions provided in the Post–Upgrade Requirements to configure your virtual appliance using this AsyncOS release.
|
||
Step 2 |
Upgrade your hardware appliance to this version of AsyncOS. |
||
Step 3 |
Save the configuration file for your upgraded hardware appliance. |
||
Step 4 |
Load the configuration file from the hardware appliance onto the virtual appliance. If your virtual appliances and hardware have different IP addresses, unselect Load Network Settings before loading the configuration files. |
||
Step 5 |
Commit your changes. |
||
Step 6 |
Go to and join the domain again. Otherwise, identities won’t work. |
Upgrade AsyncOS for Web
Before you begin
-
Log in as administrator.
-
Perform pr-eupgrade requirements, including updating the RAID controller firmware.
Procedure
Step 1 |
On the page, save the XML configuration file from the Secure Web Appliance. |
||
Step 2 |
On the page, click Upgrade Options. |
||
Step 3 |
Select either Download and install, or Download only option. |
||
Step 4 |
Select an upgrade from the available list. |
||
Step 5 |
Click Proceed. If you chose Download only, the upgrade will be downloaded to the appliance. |
||
Step 6 |
If you chose Download and install, when the upgrade is complete, click Reboot Now to reboot the Secure Web Appliance.
|
Important! Actions Required After Upgrading
In order to ensure that your appliance continues to function properly after upgrade, you must address the following items:
Change the Default Proxy Services Cipher Suites to Cisco Recommended Cipher Suites
From AsyncOS 9.1.1 onwards, the default cipher suites available for Proxy Services are modified to include only secure cipher suites.
However, if you are upgrading from AsyncOS 9.x.x and later releases, the default Proxy Services cipher suites are not modified. For enhanced security, Cisco recommends that you change the default Proxy Services cipher suites to the Cisco recommended cipher suites after the upgrade. Do the following:
Procedure
Step 1 |
Log in to your appliance using the web interface. |
||
Step 2 |
Click . |
||
Step 3 |
Click Edit Settings. |
||
Step 4 |
Under Proxy Services, set the Cipher(s) to Use field to the following field:
|
||
Step 5 |
Submit and commit your changes. |
You can also use the sslconfig command in CLI to perform the above steps.
Virtual Appliances: Required Changes for SSH Security Vulnerability Fix
Requirements in this section were introduced in AsyncOS 8.8.
The following security vulnerability will be fixed during upgrade if it exists on your appliance:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150625-ironport.
Note |
This patch is required only for virtual appliance releases that were downloaded or upgraded before June 25, 2015. |
If you did not patch this issue before upgrading, you will see a message during upgrade stating that it has been fixed. If you see this message, the following actions are required to return your appliance to full working order after upgrade:
-
Remove the existing entry for your appliance from the known hosts list in your ssh utility. Once the new key has been created, connect to the appliance via ssh and accept the connection.
-
Clear the old SSH host key for the appliance on the remote server if you are using SCP push to transfer logs to a remote server (including Splunk).
-
If your deployment includes a Cisco Content Security Management Appliance, see important instructions in the Release Notes for that appliance.
File Analysis: Required Changes to View Analysis Result Details in the Cloud
If you have deployed multiple content security appliances (web, email, and/or management) and you want to view detailed file analysis results in the cloud for all files uploaded from any appliance in your organization, you must configure an appliance group on each appliance after upgrading. To configure appliance groups, see File Reputation Filtering and File Analysis.
File Analysis: Required Changes to View Analysis Result Details in the Cloud
If you have deployed multiple content security appliances (web, email, and/or management) and you want to view detailed file analysis results in the cloud for all files uploaded from any appliance in your organization, you must configure an appliance group on each appliance after upgrading. To configure appliance groups, see File Reputation Filtering and File Analysis.
File Analysis: Verify File Types To Be Analyzed
The File Analysis cloud server URL changed in AsyncOS 8.8, and as a result, the file types that can be analyzed may have changed after the upgrade. You should receive an alert if there are changes. To verify the file types selected for analysis, select
and look at the Advanced Malware Protection settings.Unescaped Dots in Regular Expressions
Following upgrades to the regular-expression pattern-matching engine, you may receive an alert regarding unescaped dots in existing pattern definitions after updating your system. Any unescaped dot in a pattern that will return more than 63 characters after the dot will be disabled by the Velocity pattern-matching engine, and an alert to that effect will be sent to you. You will continue to receive an alert following each update until you correct or replace the pattern. Generally, unescaped dots in a larger regular expression can be problematic and should be avoided.
Documentation Updates
The user guide in the website (www.cisco.com) may be more current than the online help. To obtain the user guide and other documentation for this product, click the View PDF button in the online help or visit the URL shown in Related Documentation.
Known and Fixed Issues
Lists of Known and Fixed Issues
Known and Fixed Issues in Release 15.1.0-287
Bug Search Tool Requirements
Register for a Cisco account if you do not have one. Go to https://identity.cisco.com/ui/tenants/global/v1.0/enrollment-ui.
Finding Information about Known and Resolved Issues
Use the Cisco Bug Search Tool to find current information about known and resolved defects.
Before you begin
Register for a Cisco account if you do not have one. Go to https://identity.cisco.com/ui/tenants/global/v1.0/enrollment-ui.
Procedure
Step 1 |
|
Step 2 |
Log in with your Cisco account credentials. |
Step 3 |
Click , and click OK. |
Step 4 |
In Releases field, enter the version of the release, for example, x.x.x. |
Step 5 |
Depending on your requirements, do one of the following:
|
Note |
If you have questions or problems, click the Help or Feedback links at the top right side of the tool. There is also an interactive tour; to view it, click the link in the orange bar above the search fields. |
Related Documentation
Documentation |
Location |
---|---|
Cisco Secure Web Appliance User Guide |
|
Cisco Content Security Management Appliance User Guide |
https://www.cisco.com/c/en/us/support/security/content-security-management-appliance/series.html |
Virtual Appliance Installation Guide |
|
Secure Web Appliance Release Notes, ISE Compatibility Matrix,and Ciphers |
|
Compatibility Matrix for Cisco Secure Email and Web Manager with Secure Web Appliance |
|
API Guide |
Support
Cisco Support Community
Cisco Support Community is an online forum for Cisco customers, partners, and employees. It provides a place to discuss general web security issues as well as technical information about specific Cisco products. You can post topics to the forum to ask questions and share information with other Cisco users.
Access the Cisco Support Community for web security and associated management:
Customer Support
Note |
To get support for virtual appliances, call Cisco TAC and have your Virtual License Number (VLN) number ready. |
Cisco TAC: Visit http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html.
Support Site for legacy IronPort: Visit http://www.cisco.com/web/services/acquisitions/ironport.html.
For non-critical issues, you can also access customer support from the appliance. For instructions, see the User Guide or online help.