Cisco ASA 5555-X Adaptive Security Appliance Release Notes
Release Notes for Cisco ASDM, Version 6.4(x)
New Features
Improved pseudo-random number generation
Hardware-based noise for additional entropy was added to the software-based random number
generation process. This change makes pseudo-random number generation (PRNG) more
random and more difficult for attackers to get a repeatable pattern or guess the next random
number to be used for encryption and decryption operations. Two changes were made to
improve PRNG:
• Use the current hardware-based RNG for random data to use as one of the parameters for
software-based RNG.
• If the hardware-based RNG is not available, use additional hardware noise sources for
software-based RNG. Depending on your model, the following hardware sensors are used:
– ASA 5505—Voltage sensors.
– ASA 5510 and 5550—Fan speed sensors.
– ASA 5520, 5540, and 5580—Temperature sensors.
– ASA 5585-X—Fan speed sensors.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
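The following sketch is an added illustration, not Cisco code: it shows why feeding hardware randomness into a software generator removes the repeatable pattern described above, and how a sensor-noise fallback can be condensed when no hardware RNG is present. The HMAC-based generator, the function names, and the use of os.urandom as a stand-in for the hardware RNG are assumptions; the release notes do not describe the ASA's actual algorithm.

```python
import hashlib
import hmac
import os

def _h(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class SoftwarePRNG:
    """HMAC-DRBG-style software generator (assumed stand-in, not the ASA's algorithm)."""

    def __init__(self, seed):
        self.key, self.val = b"\x00" * 32, b"\x01" * 32
        self.mix(seed)

    def mix(self, data=b""):
        # Fold new input into the state; all later output depends on `data`.
        for tag in (b"\x00", b"\x01"):
            self.key = _h(self.key, self.val + tag + data)
            self.val = _h(self.key, self.val)
            if not data:
                break

    def generate(self, n):
        out = b""
        while len(out) < n:
            self.val = _h(self.key, self.val)
            out += self.val
        self.mix()  # advance state so earlier output cannot be recomputed from it
        return out[:n]

def hardware_input(hw_rng, sensor_samples):
    """Prefer the hardware RNG; otherwise condense sensor readings into 32 bytes."""
    if hw_rng is not None:
        return "hw-rng", hw_rng(32)
    # Fallback: hashing spreads the noise but adds no entropy, so the low-order
    # jitter in the readings is all the unpredictability this path contributes.
    raw = b"".join(int(s).to_bytes(4, "big") for s in sensor_samples)
    return "sensor-noise", hashlib.sha256(raw).digest()

def demo():
    seed = b"identical-software-state"  # constructed: two units with the same software seed
    a, b = SoftwarePRNG(seed), SoftwarePRNG(seed)
    repeatable = a.generate(16) == b.generate(16)  # software-only: same stream
    a.mix(hardware_input(os.urandom, [])[1])  # os.urandom stands in for the hardware RNG
    b.mix(hardware_input(os.urandom, [])[1])
    return repeatable, a.generate(16) != b.generate(16)

if __name__ == "__main__":
    print(demo())
```

The fallback path is only as unpredictable as the sensor jitter itself, which is why the hardware RNG is preferred when it is available.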
Remote Access Features
Clientless SSL VPN: Enhanced quality for rewriter engines
The clientless SSL VPN rewriter engines were significantly improved to provide better quality
and efficacy. As a result, you can expect a better end-user experience for clientless SSL VPN
users.
We did not add or modify any ASDM screens for this feature.
This feature is not available in 8.5(1), 8.6(1), or 8.7(1).
Failover Features
Configure the connection replication rate during a bulk sync
You can now configure the rate at which the ASA replicates connections to the standby unit
when using Stateful Failover. By default, connections are replicated to the standby unit during
a 15 second period. However, when a bulk sync occurs (for example, when you first enable
failover), 15 seconds may not be long enough to sync large numbers of connections due to a
limit on the maximum connections per second. For example, the maximum connections on the
ASA is 8 million; replicating 8 million connections in 15 seconds means creating 533 K
connections per second. However, the maximum connections allowed per second is 300 K. You
can now specify the rate of replication to be less than or equal to the maximum connections per
second, and the sync period will be adjusted until all the connections are synced.
This feature is not available in 8.6(1) or 8.7(1). This feature is also in 8.5(1.7).
Application Inspection Features
SunRPC change from dynamic ACL to pin-hole mechanism
Previously, Sun RPC inspection did not support outbound access lists because the inspection
engine used dynamic access lists instead of secondary connections.
In this release, when you configure dynamic access lists on the ASA, they are supported on the
ingress direction only and the ASA drops egress traffic destined to dynamic ports. Therefore,
Sun RPC inspection implements a pinhole mechanism to support egress traffic. Sun RPC
inspection uses this pinhole mechanism to support outbound dynamic access lists.
This feature is not available in 8.5(1), 8.6(1), or 8.7(1).
Table 4 New Features for ASA Version 8.4(4.1)/ASDM Version 6.4(9) (continued)
Feature
Description