ASMS release A32.00 delivers great new features and enhancements, designed to streamline your process to enable more agile, more secure and more compliant network security policy management.
Major highlights in A32.00 include Zero Touch Object Workflow, support for VMWare NSX-T and Cisco ACI MSO Stretched and Shadow EPGs, new APIs, and much more. As well, A32.00 is the first ASMS release to run on the CentOS 7 operating system.
And, for a preview of coming attractions: We've started our journey in A32.00 towards running ASMS in a micro-services architecture using containers and Kubernetes.
Finally, we'd like to introduce AlgoCare, our new SaaS based support service. AlgoCare speeds up the support process!
Object creation using AppViz
In version A32.00, you can now create a Network Object in AppViz and create a Change Request for adding this object into multiple Firewalls. See Add and edit network objects.
AutoDiscovery now part of the ASMS
AutoDiscovery is now installed with ASMS, so an additional License is no longer required. Both login and user management are handled with the rest of the ASMS system.
AutoDiscovery is hosted on an AlgoSec Remote Agent for the production environment, but for PoCs it can be installed on an ASMS Central Manager. See Welcome to AutoDiscovery.
Devices and orchestration
Cisco Meraki visibility in Early Availability
AlgoSec's new support for Cisco Meraki includes L3 Group and L3 Local Firewall Policy visibility. See the Meraki on the map, run traffic simulation, track change history and produce a report that includes risk analysis, policy optimization, and regulatory compliance. See Cisco Meraki devices in AFA.
Cisco Firepower Policy Optimization (using Traffic logs)
Policy Optimization for the Cisco Firepower has been enhanced, including a number of new recommendations. You can now update the rule log level with ActiveChange.
Cisco ACI MSO visibility and change recommendations
For Cisco ACI APICs managed by a Multi-Site Orchestrator (MSO), ASMS now supports visibility and FireFlow change recommendations for Stretched EPGs and Inter-site contracts (shadow EPG). See Cisco Application Centric Infrastructure (ACI) devices in AFA.
VMWare NSX-T visibility
AlgoSec now supports VMware NSX-T visibility of the device policy. Run Traffic Simulation Queries to see a map with the devices in the path. Query inputs can also include NSX-T Profiles information. From the AlgoSec report, view risk analysis, risky rules, policy optimization recommendations, and regulatory compliance. For auditing, AlgoSec enables you to track policy changes. See Add VMware NSX-T data centers.
Traffic workflow optimization for Check Point R80
Now you can use the traffic workflow to remove a rule if there’s perfectly matching request, or to modify it, if there’s a partially matching request.
Zero touch multi-device object workflow
Now you can run from beginning to end of object management requests, hands free! This functionality is also AppViz triggered. See Multi-device object change workflow.
ActiveChange support for Palo Alto Panorama and Cisco FirePower
The automatic, AppViz triggered, Multi-Device Object Workflow API now supports Cisco FirePower and Palo Alto Panorama. See Multi-device object change workflow.
Security estate visibility
Map navigation improvements
Two connected elements in the network map (like devices, routers, and subnets) can sometimes be too far apart to see at one time on the screen. Instead of trying to zoom and pan each time you want to see what's at the other end of a connection line, you can now:
Double-click the connection line between two elements to bring them closer together
Double-click the line again to toggle elements back to their previous position.
Trusted traffic improved UI
A32.00 introduces an improved interface for the device’s Trusted Traffic Area, allowing you to easily define your trusted traffic either from scratch, or by importing from your Risky Rules Report. See Customize trusted traffic.
Vulnerabilities data in the risk check
AlgoSec integrates with different industry leading vulnerabilities scanners. Now, you can take advantage of vulnerabilities information as part of the risk check in the traffic workflow approval stage. See View host vulnerabilities data.
Prior to A32.00, users could choose between either a statically defined URT (Unified Routing Table) which required manual adjustments in case changes on the device level occurred or an automatically defined URT (by default).
In A32.00, users can benefit from the new hybrid URT mode, where on the same routing table some device definitions can be updated automatically while others can be kept static. See Specify routing data manually.
New regulatory compliance reports
A32.00 introduces new regulatory compliance reports for two significant standards:
SWIFT, the world’s leading provider of secure financial messaging services.
Hong Kong Monetary Authority (HKMA), Hong Kong’s central banking institution.
Azure NSG enhancements
ASMS now supports multiple additional Azure NSG elements like:
Augmented rules (multiple entries in the source, destination or port fields)
Source in outbound rules and destination in inbound rules
Service Tags: Support includes visibility and traffic simulation query
NSG rule description: Support includes visibility only
NSG default rules
Enhanced topology visibility for Microsoft Azure Environments [GA]
Azure topology visibility, previously released in AlgoSec EA (Early Availability) mode, is now generally available. Take advantage of enhanced visibility into the internal subnets and network elements inside the Azure cloud.
New features to the network map include visibility to VNET routers, VNET peering and more, allowing you to browse through the different Azure components and visualize traffic simulation results.
Also, the feature allows for more accurate visibility of virtual firewalls deployed inside the Azure cloud.
Migration to CentOS 7 operating system
Since the end-of-life of CentOS 6 has been announced for this December 2020, we're moving to CentOS 7. AlgoSec ASMS version A32.00 is the first AlgoSec release that runs on the CentOS 7 operating system. We've provided step-by-step instructions in the documentation to walk you easily though the migration process. See Upgrade/migration to A32.00 CentOS 7.
New APIs in A32.00
AlgoSec FireFlow introduces a convenient way for you to schedule your changes implementation with two simple APIs:
Implement on Device: Lets you trigger the actual policy push. See Trigger ActiveChange for change request .
Recalculate Work Order: To make sure Work Order recommendations are up to date. See Get Work Order calculation status.
Trusted Traffic APIs
As part of A32.00’s improved Trusted Traffic user interface, you can now take advantage of new Trusted Traffic related REST API methods that allow:
Adding / editing / deleting trusted traffic
Creation of trusted traffic either from scratch or based on existing device rule
Bulk export and bulk import of trusted traffic
Rule Documentation API
These new Get Rule Documentation and Set Rule Documentation REST APIs are similar to the existing SOAP APIs. They can be used for any rule documentation column, (Documentation or custom).
These APIs extend the existing SOAP API functionality by allowing pagination, appending the text into the documentation cell via the Set Rule Documentation API and getting ALL_RULES documentation (via one API call) using the Get Rule Documentation API.
Get unused rules
This new RESTful API replaces the earlier SOAP API and adds pagination capabilities that were not previously available. See Return a list of unused rules .
Risk Check using Source, Destination and service (using Risk Profile)
This useful API allows getting a list of potential risks defined for a given source, destination and service, based on a specific risk profile, without any correlation to a specific device. See Calculate Risk Check .
Get a list of a device’s reports
This very simple and straight forward API provides the entire list of reports for a specified device. It allows getting the last completed report ID and includes the date, time and status of the reports. See Get all reports.
And more APIs ...
A32.00 introduces Swagger documentation improvements, along with the Swagger exposure of additional existing REST APIs, such as Run Analysis, Get Analysis Status, Login & Logout, Get / Update Interfaces, Get Network Services and Get Risky Rules.
AlgoCare is AlgoSec’s new SaaS-based enhanced support service. AlgoCare speeds up the support process by giving AlgoSec’s support team immediate access to the data it needs to investigate issues. AlgoCare does the job of collecting system data, saving you and your team the time and effort of having to manually collect and send relevant data before starting each ticket investigation.
In its first phase, AlgoCare enables AlgoSec’s support team to perform faster diagnostics of system issues.
To join AlgoCare’s phase-1 program, contact [email protected]