Release Notes for AsyncOS 14.5 for Cisco Secure Web Appliance



Welcome to the Secure Web Appliance

First Published: April 11, 2022

Last Updated: August 30, 2024

About Secure Web Appliance

The Cisco Secure Web Appliance intercepts and monitors Internet traffic and applies policies to help keep your internal network secure from malware, sensitive data loss, productivity loss, and other Internet-based threats.

What’s New

What’s New In AsyncOS 14.5.3-033 MD (Maintenance Deployment)

Introduction of a new CLI command for Sophos malloc settings: the Sophos engine scan may time out and run out of memory when a large volume of traffic passes through the engine. To resolve this issue, a new subcommand, sophos > malloc_setting, has been introduced under the advancedproxyconfig > scanners command. You can use this command to change the default Sophos malloc setting.

For more details on the command, see "Secure Web Appliance CLI Commands" section in the user guide.

What’s New In AsyncOS 14.5.2-011 MD (Maintenance Deployment)

This release contains a number of bug fixes; see the Known and Fixed Issues in Release 14.5.2-011 for additional information.

What’s New In AsyncOS 14.5.1-016 MD (Maintenance Deployment)—Refresh

This release contains a number of bug fixes; see the Known and Fixed Issues in Release 14.5.1-016 for additional information.

What’s New In AsyncOS 14.5.1-008 MD (Maintenance Deployment)

This release contains a number of bug fixes; see the Known and Fixed Issues in Release 14.5.1-008 for additional information.

What’s New In AsyncOS 14.5.0-537 GD (General Deployment)

This release contains a number of bug fixes; see the Known and Fixed Issues in Release 14.5.0-537 for additional information.

What’s New In AsyncOS 14.5.0-498 LD (Limited Deployment)

The following features are introduced for this release:

The Secure Web Appliance can now validate the DNS response received from the DNS server using cryptographic signatures.

See "Editing DNS Settings" section in the user guide.

Maximum connections per client

The Secure Web Appliance restricts the number of concurrent connections initiated by the client to a configured value.

See "Configuring Web Proxy Settings" section in the user guide.

Rebranding of Cisco Web Security Appliance to Cisco Secure Web Appliance

Beginning with AsyncOS Release 14.5, Cisco Web Security Appliance has been rebranded to Cisco Secure Web Appliance in the web interface and all user documentation.

Web Security Appliance

Secure Web Appliance

AMP for Endpoints

Advanced Malware Protection

Instances of the rebranded terms present in this document do not correspond with the web interface. In the web interface, AMP for Endpoints, Advanced Malware Protection, and AMP are referred to as Malware Analytics. The web interface will be updated in an upcoming release.

The misclassification request is sent over HTTPS and hence you do not receive security alert notifications.

See "Configuring On-Box End-User Notification Pages" section in the user guide.

New accesslog decision tags

The accesslog decision tag in the Decrypt Policy group is appended with EUN (End-User Notification) when the EUN page appears in the client web browser.

See "ACL Decision Tags" section in the user guide.

The clone policy feature allows you to copy or clone the existing configurations of a policy and to create a new policy.

See "Policy Configuration" section in the user guide.

Deeper bandwidth control

You can manage the traffic bandwidth by configuring the bandwidth value in quota profile and mapping the quota profile in access policy URL category or overall web activity quota.

See "Defining Time, Volume, and Bandwidth Quotas" section in the user guide.

REST API for configuring management policies, decryption policies, routing policies, IP spoofing policies, Anti-Malware and reputation, Authentication realms, Cisco Smart Software License, Cisco Umbrella Seamless ID, Identity services, and System setup

You can now retrieve configuration information and make changes (such as modifying existing information, adding new information, or deleting an entry) to the configuration data of the appliance using REST APIs.

See the “AsyncOS API 14.5 for Cisco Secure Web Appliance - Getting Started Guide.”

You can integrate ISE-SXP deployment with Cisco Secure Web Appliance for passive authentication. This allows you to get all defined mappings, including SGT-to-IP address mappings that are published through SXP.

See "Configure ISE-SXP Integration" section in the user guide.

Cisco Umbrella Seamless ID

The Cisco Umbrella Seamless ID feature enables the appliance to pass the user identification information to the Cisco Umbrella Secure Web Gateway (SWG) after successful authentication. The Cisco Umbrella SWG checks the user information in the Active Directory based on the authenticated identification information received from the Secure Web Appliance. The Cisco Umbrella SWG considers the user as authenticated and provides access to the user based on the defined security policies.

The Secure Web Appliance passes the user identification information to the Cisco Umbrella SWG using the HTTP headers X-USWG-PKH, X-USWG-SK, and X-USWG-Data.

If headers with the same names already exist on the Secure Web Appliance, the Cisco Umbrella Seamless ID headers overwrite them.

The Cisco Umbrella Seamless ID feature supports only the Active Directory authentication scheme. It does not support LDAP, Cisco Identity Services Engine (ISE), or Cisco Context Directory Agent (CDA).

The Cisco Umbrella SWG does not support FTP and SOCKS traffic.

See "Cisco Umbrella Seamless ID" section in the user guide.

You can enable or disable the SMB1 protocol support for Samba version 4.11.15 using the smbprotoconfig command. By default, this support is disabled and can be enabled based on the authentication realm configuration.

See "Secure Web Appliance CLI Commands" section in the user guide.

(For TAC only)

Due to the tiny CLI revert, the HTTPS proxy ports are disabled on virtual Secure Web Appliances. Enable HTTPS on the interface using the interfaceconfig command.

Changes in Behavior

Changes in Behavior in AsyncOS 14.5.0-537 GD (General Deployment)

The following policies with cloning option in Secure Web Appliance can also be managed by Cisco Secure Email and Web Manager (SMA).

Changes in Behavior in AsyncOS 14.5.0-498 LD (Limited Deployment)

TLSv1.2 is enabled by default for the Appliance Management web user interface under System Administrator > SSL Configuration to support Chrome browser version 98.0.4758.80 or later.

After an upgrade, session resumption will be disabled by default.

Context Directory Agent (CDA)

Context Directory Agent (CDA) is no longer supported. Cisco recommends configuring ISE/ISE-PIC for transparent user identification to achieve the same functionality.

Options to configure CDA will not be available in future releases.

Interface selection for Smart License Registration

You can now choose between the Data or Management interface from the Test Interface drop-down list.

Ensure that both the Data and Management interfaces are configured.

After an upgrade, when split routing is enabled, the Test Interface for Smart License in the web interface is shown as Data Interface. If split routing is disabled, the Management Interface is displayed.

On a fresh installation of AsyncOS 14.5, the Expired and Mismatched Hostname certificate configuration values on the HTTPS Proxy page are set to Drop by default instead of Monitor.

This is applicable only for a new installation and not for an upgrade.

Upgrading the appliance will retain the same configuration from the previous version.

After an upgrade to Cisco AsyncOS 14.5, you will receive a prompt to restart the proxy process when you execute the networktuning command for the first time.

For AsyncOS versions earlier than 14.5, this prompt to restart the proxy process is not available.

If the command was executed in any previous version before the upgrade, the prompt is not triggered.

Changes in Behavior in AsyncOS 14.5.3-033 MD (Maintenance Deployment)

The telnet command for communicating with another host using the TELNET protocol has been removed from the Secure Web Appliance due to a vulnerability. This command is no longer supported on the Secure Web Appliance.

Accessing the New Web Interface

The new web interface provides a new look for monitoring reports and tracking web services. You can access the new web interface in the following way:

Important!

If you change these default ports, ensure that the customized ports for the new web interface are not blocked in the enterprise firewall.

The new web interface opens in a new browser window and you must log in again to access it. If you want to log out of the appliance completely, you need to log out of both the new and legacy web interfaces of your appliance.

For seamless navigation and rendering of HTML pages, Cisco recommends using the following browsers to access the new web interface of the appliance (AsyncOS 11.8 and later):

You can access the legacy web interface of the appliance on any of the supported browsers.

The supported resolution for the new web interface of the appliance (AsyncOS 11.8 and later) is between 1280x800 and 1680x1050. The interface is best viewed at 1440x900 on all browsers.

Cisco does not recommend viewing the new web interface of the appliance on higher resolutions.

Release Classification

Each release is identified by its release type (ED - Early Deployment, GD - General Deployment, and so on). For an explanation of these terms, see http://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/content-security-release-terminology.pdf.

Supported Hardware for This Release

The build is available for upgrade on all the existing supported platforms, whereas the enhanced performance support is available only for the following hardware models:

AsyncOS version 14.5 will be the last supported release on Sx90/F models.

Use the Cisco SFPs which are shipped with the appliance.

Upgrade Paths

Upgrading to AsyncOS 14.5.3-033

While upgrading, do not connect any devices (keyboard, mouse, management devices such as Raritan, and so on) to the USB ports of the appliance.

You can upgrade to the release 14.5.3-033 of AsyncOS for Cisco Secure Web Appliance from the following versions: