Cisco Systems OL-16647-01 Network Router User Manual


Cisco ASDM User Guide
OL-16647-01
Chapter 2 Introduction to the Security Appliance
New Features by Platform Release
Table 2-1 New Features for ASA Version 8.1(2) (continued)

| Feature | Description |
|---|---|
| TCP Normalization Enhancements | You can now configure TCP normalization actions for certain packet types. Previously, the default action for these kinds of packets was to drop the packet. Now you can set the TCP normalizer to allow the packets: TCP invalid ACK check (the invalid-ack command); TCP packet sequence past window check (the seq-past-window command); TCP SYN-ACK with data check (the synack-data command). You can also set the TCP out-of-order packet buffer timeout (the queue command timeout keyword). Previously, the timeout was 4 seconds. You can now set the timeout to another value. The default action for packets that exceed MSS has changed from drop to allow (the exceed-mss command). The following non-configurable actions have changed from drop to clear for these packet types: Bad option length in TCP; TCP Window scale on non-SYN; Bad TCP window scale value; Bad TCP SACK ALLOW option. In ASDM, see Configuration > Firewall > Objects > TCP Maps. |
| TCP Intercept statistics | You can enable collection of TCP Intercept statistics using the threat-detection statistics tcp-intercept command, and view them using the show threat-detection statistics command. In ASDM, see Configuration > Firewall > Threat Detection. |
| Threat detection shun timeout | You can now configure the shun timeout for threat detection using the threat-detection scanning-threat shun duration command. In ASDM, see Configuration > Firewall > Threat Detection. |
| Threat detection host statistics fine tuning | You can now reduce the amount of host statistics collected, thus reducing the system impact of this feature, by using the threat-detection statistics host number-of-rate command. In ASDM, see Configuration > Firewall > Threat Detection. |
| Platform Features | |
| Increased VLANs | The number of VLANs supported on the ASA 5580 is increased from 100 to 250. |

New Features in Version 8.1(1)
Table 2-2 lists the new features for Version 8.1(1).
Note: Version 8.1(x) is only supported on the Cisco ASA 5580 adaptive security appliance.
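
An added example, not part of the Cisco guide: a short Python check that reads a saved configuration and lists the TCP maps that set invalid-ack, seq-past-window or synack-data to allow, the three packet types the TCP normalization entry above says were previously dropped. The sample configuration and map names are constructed, and the parser assumes tcp-map subcommands appear indented under the tcp-map line with the action as the second word.

```python
import re

# Checks whose earlier default action the page gives as "drop".
# exceed-mss is left out because the page says its default is now allow.
CHECKS = ("invalid-ack", "seq-past-window", "synack-data")

# Constructed sample configuration; the map names are hypothetical.
SAMPLE_CONFIG = """\
tcp-map LEGACY-APP
  invalid-ack allow
  synack-data allow
  exceed-mss allow
!
tcp-map STRICT
  seq-past-window drop
!
threat-detection scanning-threat shun duration 3600
"""

def audit_tcp_maps(config_text):
    """Return {map_name: [checks set to allow]} for every tcp-map block."""
    findings = {}
    current = None
    for line in config_text.splitlines():
        header = re.match(r"^tcp-map\s+(\S+)\s*$", line)
        if header:
            current = header.group(1)
            findings[current] = []
            continue
        if not line.startswith((" ", "\t")):
            current = None  # any unindented line ends the current block
            continue
        if current is None:
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] in CHECKS and parts[1] == "allow":
            findings[current].append(parts[0])
    return findings

def relaxed_maps(config_text):
    """Only the maps that allow at least one previously dropped packet type."""
    return {name: c for name, c in audit_tcp_maps(config_text).items() if c}

if __name__ == "__main__":
    for name, checks in relaxed_maps(SAMPLE_CONFIG).items():
        print(f"tcp-map {name}: allows {', '.join(checks)}")
```

Each map it reports is a place where the normalizer has been told to pass traffic it would otherwise drop, so the map should be tied to a documented need for the specific traffic class it is applied to.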