
What’s New in 6.2.1?


Presentation Transcript


  1. What’s New in 6.2.1?

  2. Remote Access VPN

  3. Secure Remote Access for the Internet Edge
     Secure access using FTD
     • Secure SSL/IPsec AnyConnect access to the corporate network
     • Advanced application-level inspection can be enabled to enforce security on inbound Remote Access user data
     • AMP and File inspection policy to monitor roaming user data
     • Easy RA VPN Wizard to configure AnyConnect Remote Access VPN
     • Monitoring and Troubleshooting to monitor remote access activity, with a simplified tool for troubleshooting
     (Diagram: ISP / Internet Edge with FP2100 in HA / Private Network)

  4. Remote Access VPN support on FTD 6.2.1
     • Client: AnyConnect 4.x
     • Platform: Windows, Mac, Linux & Mobile (Android, iOS)
     • Protocol: SSL/IPsec
     • Authentication: LDAP/AD, RADIUS, Client Cert and Cert + AAA
     • Authorization: RADIUS attributes
     • Accounting: RADIUS
     • Monitoring & Troubleshooting
     • Availability: FTD-HA, Dual ISP, Multi AAA
     • Shared across multiple devices
     • Supported on FMC & FDM

  5. ASA as Dedicated RA VPN Concentrator
     Adds advanced features supported by ASA:
     • Advanced AAA
       • Kerberos, TACACS, SAM, RSA SDI, Local Authentication, RADIUS CoA
     • Hostscan/Endpoint assessment
     • AnyConnect client customization
     • Dynamic Access Policies (DAP)
     • LDAP attribute map
     • VPN Load Balancing
     • Clientless RA VPN
     Includes features provided in FTD:
     • Next generation security
     • Basic AAA
       • LDAP/AD, client certificate, RADIUS attributes, DACLs, Time ranges
     • Time Ranges
     • AnyConnect client
     • Proxy/DNS/WINS server assignment
     • Simple configuration
     • Session monitoring and control
     (Position ASA)

  6. RA VPN components
     • Access interfaces – determine the interfaces to be used by RA VPN
       • SSL settings, such as access ports
       • IKEv2 settings, such as the certificate
     • AnyConnect image – client package to be installed on the endpoint
     • AnyConnect client profile – XML that can be uploaded into the FMC as a file object
       • Referenced in the group policy and downloaded to the endpoint while the VPN connection is initiating
       • Includes many parameters for the AnyConnect client
     • Connection profiles – determine how authentication is performed
     • Group policies – a set of user-oriented attribute/value pairs for RA VPN users
       • DNS/WINS, SSL/DTLS, timeouts, client bypass protocol and DHCP network scope
       • Split tunnel and split DNS configuration
       • VPN filter, egress VLAN and client firewall rules
       • AnyConnect client profile, SSL/DTLS settings and connection settings

  7. FMC objects associated with RA VPN

  8. RA VPN FMC Configuration Wizard

  9. RA VPN Identity Integration and Monitoring
     • Dashboard widgets show VPN usage by user
     • User Activity event page gives details of logon and logoff events
     • Active Sessions page shows the status of active sessions
     • Administrator may monitor and terminate specific sessions
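The monitoring views on this slide are built from logon and logoff events. The following Python is added here as an illustration and is not code from the FMC or from this presentation: it correlates a constructed set of such events into sessions, lists the ones still active, flags users holding more than one active session (the case an administrator would look at first before terminating a session), and reports logoffs that had no matching logon, which usually indicate a logging gap. The event fields, user names, timestamps and IP addresses are constructed assumptions.

```python
# Added illustration, not the FMC's own code: correlating VPN logon/logoff events into
# sessions, the raw material behind "User Activity" and "Active Sessions" views.
# Event fields, timestamps and IPs below are constructed for the example.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class VpnEvent:
    ts: datetime
    user: str
    kind: str          # "logon" or "logoff"
    client_ip: str


@dataclass
class Session:
    user: str
    client_ip: str
    start: datetime
    end: Optional[datetime] = None   # None while the session is still active


def correlate(events: List[VpnEvent]) -> Tuple[List[Session], List[VpnEvent]]:
    """Pair logon/logoff events by (user, client IP) in time order.

    Returns every session seen plus the logoffs that had no matching logon
    (a logging gap worth investigating rather than a real session).
    """
    open_by_key: Dict[Tuple[str, str], Session] = {}
    sessions: List[Session] = []
    orphan_logoffs: List[VpnEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.client_ip)
        if ev.kind == "logon":
            stale = open_by_key.get(key)
            if stale is not None:
                stale.end = ev.ts        # logoff was never seen; close the old session here
            session = Session(ev.user, ev.client_ip, ev.ts)
            open_by_key[key] = session
            sessions.append(session)
        elif ev.kind == "logoff":
            session = open_by_key.pop(key, None)
            if session is None:
                orphan_logoffs.append(ev)
            else:
                session.end = ev.ts
        else:
            raise ValueError(f"unknown event kind: {ev.kind!r}")
    return sessions, orphan_logoffs


def active_sessions(sessions: List[Session]) -> List[Session]:
    return [s for s in sessions if s.end is None]


def users_with_concurrent_sessions(sessions: List[Session]) -> Dict[str, int]:
    """Users holding more than one active session at the same time."""
    counts = Counter(s.user for s in active_sessions(sessions))
    return {user: n for user, n in counts.items() if n > 1}


def _at(hhmm: str) -> datetime:
    return datetime(2017, 6, 1, int(hhmm[:2]), int(hhmm[3:]))   # constructed date


SAMPLE_EVENTS = [   # constructed; documentation-range IP addresses
    VpnEvent(_at("09:00"), "alice", "logon",  "198.51.100.10"),
    VpnEvent(_at("09:05"), "bob",   "logon",  "203.0.113.7"),
    VpnEvent(_at("09:30"), "alice", "logoff", "198.51.100.10"),
    VpnEvent(_at("09:40"), "alice", "logon",  "198.51.100.10"),
    VpnEvent(_at("09:45"), "alice", "logon",  "203.0.113.9"),   # second device, still active
    VpnEvent(_at("09:50"), "carol", "logoff", "192.0.2.44"),     # logoff with no logon seen
    VpnEvent(_at("10:00"), "bob",   "logoff", "203.0.113.7"),
]


if __name__ == "__main__":
    sessions, orphans = correlate(SAMPLE_EVENTS)
    for s in sessions:
        print(s.user, s.client_ip, s.start.time(), s.end.time() if s.end else "active")
    print("concurrent:", users_with_concurrent_sessions(sessions))   # {'alice': 2}
    print("orphan logoffs:", [(o.user, o.client_ip) for o in orphans])
```

Pairing on (user, client IP) rather than on user alone is what lets a second device show up as a separate concurrent session instead of silently replacing the first one.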

  10. RA VPN eventing

  11. RA VPN Authentication (LDAP)

  12. RA VPN Authentication (RADIUS)

  13. Migration Enhancements

  14. Migration Tool in 6.2.0
     • Import as access control policy or prefilter policy
     • Single Context Mode
     • Transparent or Routed
     • Active Unit (in HA pair)

  15. Migration Enhancements in 6.2.1
     • The migration tool supports migration of 8.4+ configurations (in 6.2, only 9.1.x configurations were supported)
     • ACL logging migrates to connection event logging
     • Objects may be reused instead of renamed
       • Objects with the same name and different content are renamed
       • Objects with the same name and the same content are reused
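The last three bullets describe a rename-or-reuse rule for object name collisions. The following Python is an added illustration of that rule and is not the migration tool's own code; the `_1`, `_2` rename suffix, the sorted-tuple comparison of object members, and the sample objects and rules are assumptions. It also shows the step a practitioner should verify after a migration: imported rules that referenced a renamed object have to be rebound to the new name, otherwise they silently bind to the pre-existing object that has the same name but different content.

```python
# Added illustration of the rename-or-reuse rule described on the slide; not the
# Firepower migration tool's own code. The "_1", "_2" rename suffix and the
# sorted-tuple content comparison are assumptions for this example.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class NetObject:
    """A named configuration object (e.g. a network object) and its members."""
    name: str
    content: Tuple[str, ...]   # normalized so two objects with the same members compare equal


def normalize(members: Iterable[str]) -> Tuple[str, ...]:
    """Canonical form of an object's members: trimmed, lower-cased, de-duplicated, sorted."""
    return tuple(sorted({m.strip().lower() for m in members}))


def unique_name(base: str, taken: Dict[str, NetObject]) -> str:
    """Assumed rename scheme: append _1, _2, ... until the name is free
    (this also skips names produced by earlier renames)."""
    i = 1
    while f"{base}_{i}" in taken:
        i += 1
    return f"{base}_{i}"


def merge_objects(existing: Dict[str, NetObject], incoming: List[NetObject]):
    """Apply the slide's rule to imported objects against objects already on the FMC.

    Returns (merged objects, names that were reused, rename map for imported names).
    """
    merged = dict(existing)
    reused: List[str] = []
    rename_map: Dict[str, str] = {}   # original imported name -> name it got in `merged`
    for obj in incoming:
        current = merged.get(obj.name)
        if current is None:
            merged[obj.name] = obj                       # no collision: import as-is
        elif current.content == obj.content:
            reused.append(obj.name)                      # same name, same content: reuse
        else:
            new_name = unique_name(obj.name, merged)     # same name, different content: rename
            merged[new_name] = NetObject(new_name, obj.content)
            rename_map[obj.name] = new_name
    return merged, reused, rename_map


def rewrite_references(rules: List[Dict[str, str]], rename_map: Dict[str, str]) -> List[Dict[str, str]]:
    """Imported rules refer to objects by name; without this step a renamed object's
    rules would bind to the pre-existing object of the same name (different content)."""
    return [
        {**rule,
         "src": rename_map.get(rule["src"], rule["src"]),
         "dst": rename_map.get(rule["dst"], rule["dst"])}
        for rule in rules
    ]


def demo():
    # Constructed sample data (not from the page).
    existing = {
        "web_servers": NetObject("web_servers", normalize(["10.0.1.10", "10.0.1.11"])),
        "dns": NetObject("dns", normalize(["10.0.0.53"])),
    }
    incoming = [
        NetObject("web_servers", normalize(["10.0.1.11", "10.0.1.10"])),  # same members, other order
        NetObject("dns", normalize(["10.0.0.5"])),                       # name clash, different content
        NetObject("db", normalize(["10.0.2.20"])),                       # new object
    ]
    imported_rules = [{"src": "any", "dst": "dns", "action": "allow"},
                      {"src": "web_servers", "dst": "db", "action": "allow"}]
    merged, reused, rename_map = merge_objects(existing, incoming)
    rules = rewrite_references(imported_rules, rename_map)
    return merged, reused, rename_map, rules


if __name__ == "__main__":
    merged, reused, rename_map, rules = demo()
    print("reused:", reused)          # ['web_servers']
    print("renamed:", rename_map)     # {'dns': 'dns_1'}
    print("rules:", rules)
```

After a real migration the equivalent check is to diff the rename report against the imported policy and confirm every rule that referenced a renamed object now points at the suffixed copy.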

  16. Government Certification Enablement

  17. Compliance Modes

  18. Selected Features
     • Image signing and verification
     • Transport mode support
     • Security Association strength enforcement
     • Configuration of a certificate to protect syslog writes with TLS
     • Timeout of inactive local console sessions
     • Failed login limit and password length limit (FMC and FTD)
     • Logging of network packet drops
     • Expert mode disable for FTD

  19. Other 6.2.1 Enhancements

  20. Policy Apply Improvements
     • Enhancements in 6.2.1
       • Accelerate policy apply
       • Eliminate most cases of Snort restart due to policy apply
     • Enhancements provided soon after the 6.2.1 release
       • Addressing 90% of the use cases that would cause a Snort restart during policy apply
       • Handling Snort restarts more gracefully
         • Fail-open connections with AC rule matches
         • If Snort goes down, bypass IPS and file inspection
     • Future enhancements
       • Warning on restart when the restart may cause packet drops
       • Reduce restarts to a small number of rare cases

  21. Other 6.2.1 Enhancements
     • FMC API enhancement – bulk access control rule creation
     • QoS enhancements
       • Increase the limit of QoS rate per rule to 100000 Mbps in QoS rules (in 6.2, the limit is 1000 Mbps)
       • Use inline SGTs in QoS rules
       • Use true client IP (XFF-type headers) in QoS rules
     • Dynamic logging for DAQ and SSL
     • Packet capture at time of crash
     • FTD support for Automatic Application Bypass (AAB)

  22. Thank You
