What's new in ASMS A32.00

Release date: December 2020

 

ASMS release A32.00 delivers great new features and enhancements, designed to streamline your process to enable more agile, more secure and more compliant network security policy management.

Major highlights in A32.00 include Zero Touch Object Workflow, support for VMware NSX-T and Cisco ACI MSO Stretched and Shadow EPGs, new APIs, and much more. Also, A32.00 is the first ASMS release to run on the CentOS 7 operating system.

And, for a preview of coming attractions: We've started our journey in A32.00 towards running ASMS in a micro-services architecture using containers and Kubernetes.

Finally, we'd like to introduce AlgoCare, our new SaaS based support service. AlgoCare speeds up the support process!

 

Business Driven

Object creation using AppViz

In version A32.00, you can now create a Network Object in AppViz and create a Change Request for adding this object into multiple Firewalls. See Add and edit network objects.

AutoDiscovery now part of ASMS

AutoDiscovery is now installed with ASMS, so an additional license is no longer required. Both login and user management are handled with the rest of the ASMS system.

AutoDiscovery is hosted on an AlgoSec Remote Agent for the production environment, but for PoCs it can be installed on an ASMS Central Manager. See Welcome to AutoDiscovery.

Devices and orchestration

Cisco Meraki visibility in Early Availability

AlgoSec's new support for Cisco Meraki includes L3 Group and L3 Local Firewall Policy visibility. See the Meraki on the map, run traffic simulation, track change history and produce a report that includes risk analysis, policy optimization, and regulatory compliance. See Cisco Meraki devices in AFA.

Cisco Firepower Policy Optimization (using Traffic logs)

Policy Optimization for the Cisco Firepower has been enhanced, including a number of new recommendations. You can now update the rule log level with ActiveChange.

Cisco ACI MSO visibility and change recommendations

For Cisco ACI APICs managed by a Multi-Site Orchestrator (MSO), ASMS now supports visibility and FireFlow change recommendations for Stretched EPGs and Inter-site contracts (shadow EPG). See Cisco Application Centric Infrastructure (ACI) devices in AFA.

VMware NSX-T visibility

AlgoSec now supports VMware NSX-T visibility of the device policy. Run Traffic Simulation Queries to see a map with the devices in the path. Query inputs can also include NSX-T Profiles information. From the AlgoSec report, view risk analysis, risky rules, policy optimization recommendations, and regulatory compliance. For auditing, AlgoSec enables you to track policy changes. See Add VMware NSX-T data centers.

Traffic workflow optimization for Check Point R80

Now you can use the traffic workflow to remove a rule if there’s a perfectly matching request, or to modify it if there’s a partially matching request.

Zero touch multi-device object workflow

Now you can run object management requests from beginning to end, hands free! This functionality is also AppViz triggered. See Multi-device object change workflow.

ActiveChange support for Palo Alto Panorama and Cisco Firepower

The automatic, AppViz triggered, Multi-Device Object Workflow API now supports Cisco Firepower and Palo Alto Panorama. See Multi-device object change workflow.

Security estate visibility

Map navigation improvements

Two connected elements in the network map (like devices, routers, and subnets) can sometimes be too far apart to see at one time on the screen. Instead of trying to zoom and pan each time you want to see what's at the other end of a connection line, you can now:

  • Double-click the connection line between two elements to bring them closer together

  • Double-click the line again to toggle elements back to their previous position.

See Bring connected elements closer on the network map.

Trusted traffic improved UI

A32.00 introduces an improved interface for the device’s Trusted Traffic Area, allowing you to easily define your trusted traffic either from scratch, or by importing from your Risky Rules Report. See Customize trusted traffic.

Vulnerabilities data in the risk check

AlgoSec integrates with different industry-leading vulnerability scanners. Now, you can take advantage of vulnerability information as part of the risk check in the traffic workflow approval stage. See View host vulnerabilities data.

Additional improvements

Hybrid URT

Prior to A32.00, users could choose between either a statically defined URT (Unified Routing Table), which required manual adjustments whenever changes occurred at the device level, or an automatically defined URT (by default).

In A32.00, users can benefit from the new hybrid URT mode, where on the same routing table some device definitions can be updated automatically while others can be kept static. See Specify routing data manually.

New regulatory compliance reports

A32.00 introduces new regulatory compliance reports for two significant standards:

  • SWIFT, the world’s leading provider of secure financial messaging services.

  • Hong Kong Monetary Authority (HKMA), Hong Kong’s central banking institution.

See the REGULATORY COMPLIANCE page.

Cloud

Azure NSG enhancements

ASMS now supports multiple additional Azure NSG elements like:

  • Augmented rules (multiple entries in the source, destination or port fields)

  • Source in outbound rules and destination in inbound rules

  • Service Tags: Support includes visibility and traffic simulation query

  • Protocol=ICMP setting

  • NSG rule description: Support includes visibility only

  • NSG default rules

Enhanced topology visibility for Microsoft Azure Environments [GA]

Azure topology visibility, previously released in AlgoSec EA (Early Availability) mode, is now generally available. Take advantage of enhanced visibility into the internal subnets and network elements inside the Azure cloud.

New features to the network map include visibility to VNET routers, VNET peering and more, allowing you to browse through the different Azure components and visualize traffic simulation results.

Also, the feature allows for more accurate visibility of virtual firewalls deployed inside the Azure cloud.

Enterprise grade

Migration to CentOS 7 operating system

Since the end-of-life of CentOS 6 has been announced for December 2020, we're moving to CentOS 7. AlgoSec ASMS version A32.00 is the first AlgoSec release that runs on the CentOS 7 operating system. We've provided step-by-step instructions in the documentation to walk you easily through the migration process. See Upgrade/migration to A32.00 CentOS 7.

New APIs in A32.00

ActiveChange API

AlgoSec FireFlow introduces a convenient way for you to schedule your changes implementation with two simple APIs:

Trusted Traffic APIs

As part of A32.00’s improved Trusted Traffic user interface, you can now take advantage of new Trusted Traffic related REST API methods that allow:

  • Adding / editing / deleting trusted traffic

  • Creation of trusted traffic either from scratch or based on an existing device rule

  • Bulk export and bulk import of trusted traffic

See Trusted Traffic Data APIs.

Rule Documentation API

These new Get Rule Documentation and Set Rule Documentation REST APIs are similar to the existing SOAP APIs. They can be used for any rule documentation column (Documentation or custom).

These APIs extend the existing SOAP API functionality by allowing pagination, appending text to the documentation cell via the Set Rule Documentation API, and getting ALL_RULES documentation (via one API call) using the Get Rule Documentation API.

See Get a rule's documentation data and Add to or edit a rule's documentation.

Get unused rules

This new RESTful API replaces the earlier SOAP API and adds pagination capabilities that were not previously available. See Return a list of unused rules.

Risk Check using Source, Destination and service (using Risk Profile)

This API returns a list of potential risks defined for a given source, destination and service, based on a specific risk profile, without any correlation to a specific device. See Calculate Risk Check.

Get a list of a device’s reports

This simple and straightforward API provides the entire list of reports for a specified device. It allows getting the last completed report ID and includes the date, time and status of the reports. See Get all reports.

And more APIs ...

A32.00 introduces Swagger documentation improvements, along with the Swagger exposure of additional existing REST APIs, such as Run Analysis, Get Analysis Status, Login & Logout, Get / Update Interfaces, Get Network Services and Get Risky Rules.

AlgoCare
