2-3
Cisco ASDM User Guide
OL-16647-01
Chapter 2 Introduction to the Security Appliance
New Features by Platform Release
Show Active Directory Groups
The CLI command show ad-groups was added to list the Active Directory groups. ASDM Dynamic Access Policy uses this command to present the administrator with a list of MS AD groups that can be used to define the VPN policy.
In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies > Add/Edit DAP > Add/Edit AAA Attribute.
Smart Tunnel over Mac OS
Smart tunnels now support Mac OS.
In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Smart Tunnels.
Firewall Features
NetFlow Filtering
You can filter NetFlow events based on traffic and event type, and then send records to different collectors. For example, you can log all flow-create events to one collector, but log flow-denied events to a different collector. See the flow-export event-type command.
In ASDM, see Configuration > Firewall > Security Policy > Service Policy Rules > Add/Edit Service Policy Rule > Rule Actions > NetFlow.
NetFlow Delay Flow Creation Event
For short-lived flows, NetFlow collecting devices benefit from processing a single event as opposed to seeing two events: flow creation and teardown. You can now configure a delay before sending the flow creation event. If the flow is torn down before the timer expires, only the flow teardown event will be sent. See the flow-export delay flow-create command.
Note: The teardown event includes all information regarding the flow; there is no loss of information.
In ASDM, see Configuration > Device Management > Logging > NetFlow.
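The two NetFlow rows above describe the CLI side of the same feature; the following ASA configuration is an added example, not text from the Cisco guide, showing flow-create and flow-denied records split between two collectors plus a delayed flow-create event. The interface name, collector addresses, UDP port and the 15-second delay are constructed values.

```cisco
! Added example (not from the Cisco ASDM guide). Interface name, collector
! addresses, port and delay are constructed values for illustration.
!
! Two NetFlow Secure Event Logging (NSEL) collectors reachable via "inside"
flow-export destination inside 192.0.2.10 2055
flow-export destination inside 192.0.2.20 2055
!
! Hold flow-create events for 15 seconds. A flow torn down before the timer
! expires produces only the teardown record, which carries the full flow
! information, so short-lived flows cost the collector one event, not two.
flow-export delay flow-create 15
!
policy-map global_policy
 class class-default
  ! Flow-create records go to the first collector
  flow-export event-type flow-create destination 192.0.2.10
  ! Flow-denied records (the events most useful for policy-violation
  ! monitoring) go to the second collector
  flow-export event-type flow-denied destination 192.0.2.20
!
service-policy global_policy global
!
! Verification: show flow-export counters
```

Once NSEL records carry the connection events, the equivalent syslog messages are redundant; logging flow-export-syslogs disable turns them off so the same flow is not reported twice to the SIEM.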
QoS Traffic Shaping
If you have a device that transmits packets at a high speed, such as the security appliance with Fast Ethernet, and it is connected to a low-speed device such as a cable modem, then the cable modem is a bottleneck at which packets are frequently dropped. To manage networks with differing line speeds, you can configure the security appliance to transmit packets at a fixed slower rate. See the shape command.
See also the crypto ipsec security-association replay command, which lets you configure the IPSec anti-replay window size. One side effect of priority queueing is packet reordering. For IPSec packets, out-of-order packets that are not within the anti-replay window generate warning syslog messages. These warnings become false alarms in the case of priority queueing. This new command avoids those false alarms.
In ASDM, see Configuration > Firewall > Security Policy > Service Policy Rules > Add/Edit Service Policy Rule > Rule Actions > QoS. Note that the only traffic class supported for traffic shaping is class-default, which matches all traffic.
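As an added example (not configuration from the Cisco guide), the following ASA configuration combines the three commands named in this row: shape all traffic leaving the outside interface, nest a priority queue for VPN traffic under the shaper (hierarchical QoS, since shaping is supported only on class-default), and widen the IPSec anti-replay window so that reordered packets are not reported as replays. The access list, network ranges, shaping rate, burst size and window size are constructed values.

```cisco
! Added example (not from the Cisco ASDM guide). ACL, subnets, rate, burst
! and window size are constructed values for illustration.
!
! Traffic to be prioritised inside the shaper (here: a site-to-site tunnel)
access-list VPN_TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
class-map VPN_CLASS
 match access-list VPN_TRAFFIC
!
! Child policy: low-latency queue for the tunnel traffic
policy-map VPN_PRIORITY
 class VPN_CLASS
  priority
!
! Parent policy: shaping is supported only on class-default; the priority
! policy is nested under it so prioritisation happens within the shaped rate.
! shape average <bps> <burst-bytes>: 2 Mbps towards a slow uplink
policy-map OUTSIDE_SHAPE
 class class-default
  shape average 2000000 16000
  service-policy VPN_PRIORITY
!
service-policy OUTSIDE_SHAPE interface outside
!
! Priority queueing can reorder IPSec packets. Enlarging the anti-replay
! window (default 64; valid sizes 64, 128, 256, 512, 1024) keeps late packets
! inside the window so they do not raise false replay-warning syslogs.
crypto ipsec security-association replay window-size 1024
!
! Verification: show service-policy interface outside shape
!               show service-policy interface outside priority
```

The larger replay window is a trade-off: a 1024-packet window still rejects genuine replays outside it, but it accepts older packets than the default, so widen it only as far as the observed reordering requires and keep the replay warnings enabled as a detection signal.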
Table 2-1 New Features for ASA Version 8.1(2) (continued)