{"id":16696,"date":"2026-02-10T13:22:20","date_gmt":"2026-02-10T13:22:20","guid":{"rendered":"https:\/\/dmsretail.com\/RetailNews\/threat-observability-updates-in-secure-firewall-10-0\/"},"modified":"2026-02-10T13:22:20","modified_gmt":"2026-02-10T13:22:20","slug":"threat-observability-updates-in-secure-firewall-10-0","status":"publish","type":"post","link":"https:\/\/dmsretail.com\/RetailNews\/threat-observability-updates-in-secure-firewall-10-0\/","title":{"rendered":"Threat Observability Updates in Secure Firewall 10.0"},"content":{"rendered":"<div>\n<p>Facing an\u00a0ever-evolving\u00a0and increasingly sophisticated cybersecurity landscape, organizations have a pressing need to gain greater\u00a0visibility of\u00a0and insights into their network traffic.\u00a0Most threats are delivered over encrypted channels, increasing the need to inspect encrypted traffic traversing the network to look for possible obscured threats.<\/p>\n<p>In Cisco Secure Firewall version 10.0,\u00a0our most recent software release,\u00a0we\u2019ve\u00a0delivered four compelling new features to help customers quickly and efficiently assess and act on information in their network traffic.\u00a0You can\u00a0test drive these capabilities today with\u00a0Secure Firewall Test Drive,\u00a0an\u00a0instructor led\u00a0course that will guide you through the Secure Firewall 
and its powerful roles in cybersecurity for your organization.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-6600dde50878e17ec6be9d5cfb22567f\" id=\"h-simplified-nbsp-decryption\" style=\"font-style:normal;font-weight:400\">Simplified\u00a0decryption<\/h2>\n<p>The best way to gain visibility into encrypted traffic is to decrypt it. The new simplified decryption experience in Cisco Secure Firewall version 10.0 simplifies the steps\u00a0required\u00a0to enable and manage encryption. Instead of a traditional rules-based design, Easy Decrypt allows fast creation of inbound and outbound decryption policies by targeting internal servers via any type of network object.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"422\" data-lazy-type=\"image\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/01\/decryption-on-off-1024x422.webp\" alt=\"New policy inbound outbound decryption image\" class=\"lazy lazy-hidden wp-image-485079\" style=\"width:806px;height:auto\"\/><noscript><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"422\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/01\/decryption-on-off-1024x422.webp\" alt=\"New policy inbound outbound decryption image\" class=\"wp-image-485079\" style=\"width:806px;height:auto\"\/><\/noscript><\/figure>\n<\/div>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"317\" data-lazy-type=\"image\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/01\/decryption-details-1024x317.webp\" alt=\"Inbound decryption enabled screen\" class=\"lazy lazy-hidden wp-image-485080\" style=\"width:806px;height:auto\"\/><noscript><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"317\" 
src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/01\/decryption-details-1024x317.webp\" alt=\"Inbound decryption enabled screen\" class=\"wp-image-485080\" style=\"width:806px;height:auto\"\/><\/noscript><\/figure>\n<\/div>\n<p>Additionally, certificates are individually selectable for each server. The public-facing certificates can be serviced by\u00a0Let\u2019s Encrypt, significantly reducing certificate maintenance overhead. Outbound decryption certificates can now be managed right from the decryption policy page, making for an easier workflow when building out policies.<\/p>\n<p>All object types are supported for decryption policies, including key attributes such as\u00a0fully qualified domain\u00a0name\u00a0(FQDN), URL, networks, network groups and ranges, source group tags, dynamic objects, and more.<\/p>\n<p>To ease selective decryption as needed, the Cisco-provided\u00a0AppID\u00a0bypass list allows excluding entries from this list for decryption.\u00a0The\u00a0previous\u00a0release of\u00a0Cisco Secure\u00a0Firewall\u00a0introduced\u00a0Intelligent Decryption Bypass, further easing decision making around which traffic to decrypt by assessing low-risk traffic that is\u00a0likely safe\u00a0to bypass decryption processes. 
It\u00a0determines\u00a0what traffic is\u00a0low\u00a0risk\u00a0by combining data from\u00a0Talos reputation scores\u00a0and the client threat confidence score presented by the\u00a0Encrypted Visibility Engine (EVE).<\/p>\n<p>Lastly, comprehensive logging is automatically enabled for all new rules to provide better visibility into rules\u2019 usage and any potential considerations within the network.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-183842eb85e68c0f8902f5e37ad754a6\" id=\"h-quic-nbsp-decryption\" style=\"font-style:normal;font-weight:400\">QUIC\u00a0decryption<\/h2>\n<p>Quick UDP Internet Connections\u00a0(QUIC)\u00a0is a natively encrypted secure protocol designed to increase the flexibility and performance of web applications while also bolstering security. However, it is also more difficult to gain visibility into this traffic, as the transport technology is different from traditional\u00a0TLS-over-TCP encrypted traffic. QUIC instead relies upon\u00a0User Datagram Protocol (UDP)\u00a0transport and\u00a0integrates\u00a0TLS 1.3 directly into the session handshake, allowing encryption of handshake messages after the first packet. Whereas TCP+TLS\u00a0encryption\u00a0left handshake messages transparent to inspection,\u00a0almost all\u00a0handshake data after the first packet is hidden with QUIC. 
Even the Server Name Indication (SNI),\u00a0which specifies the server the client is communicating with,\u00a0can be encrypted by implementing Encrypted Client Hello (ECH) alongside QUIC.<\/p>\n<p>Several obfuscations within QUIC make it difficult to trace or follow a full QUIC session, such as:<\/p>\n<ul class=\"wp-block-list\">\n<li>Sequence numbering in the header is encrypted<\/li>\n<li>No TCP metadata exists, such as\u00a0SYN, ACK, FIN, or RST messages<\/li>\n<li>Multiplexed streams are hidden inside the encryption<\/li>\n<li>The connection can be migrated across IP addresses without transport header\u00a0indication<\/li>\n<\/ul>\n<p>The express purpose of QUIC is to leave visible only the essential information a router or similar device requires to\u00a0transmit\u00a0and\u00a0forward\u00a0packets, but this goal runs contrary to the security and\u00a0accountability\u00a0goals of many organizations.<\/p>\n<p>QUIC adoption is on the rise among global web traffic, increasing from about 7% usage in 2020 to around 45% usage in 2025. 
About a third of all web services and over 80% of Google services are now QUIC-first (that is, services where QUIC is offered before TCP+TLS).<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" data-lazy-type=\"image\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/01\/quic-adoption.webp\" alt=\"\" class=\"lazy lazy-hidden wp-image-485083\" style=\"width:656px;height:auto\"\/><noscript><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/01\/quic-adoption.webp\" alt=\"\" class=\"wp-image-485083\" style=\"width:656px;height:auto\"\/><\/noscript><\/figure>\n<\/div>\n<p>Considering this rising adoption and the need for greater visibility and control where the QUIC protocol is in use, decryption policies in Cisco Secure Firewall version 10.0 have been enhanced to allow decryption and inspection of QUIC traffic to ensure visibility is\u00a0maintained\u00a0while taking advantage of the improvements offered by this protocol.<\/p>\n<p>In environments and use cases where decryption of QUIC traffic\u00a0isn\u2019t\u00a0possible, the Encrypted Visibility Engine (EVE) provides highly\u00a0accurate\u00a0fingerprinting of QUIC traffic that uniquely characterizes and analyzes\u00a0QUIC-encrypted sessions to assess post-exploit beaconing and similar suspicious traffic. 
This compelling capability\u00a0helps\u00a0ensure that all organizations can gain insight and protections for QUIC traffic as the usage of this protocol increases.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-7ef3c30b4759538ae4aa1851d9d9a211\" id=\"h-shadow-nbsp-traffic-reporting\" style=\"font-style:normal;font-weight:400\">Shadow\u00a0traffic reporting<\/h2>\n<p>Some techniques offered by privacy technologies cause a loss of visibility within organizational networks. This collection of new\u00a0\u201cLoss of Visibility\u201d\u00a0reports focuses on these\u00a0cases, offering statistical and detailed reports to help\u00a0identify\u00a0traffic where security analysis is incomplete due to obfuscations between the source and destination.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"686\" data-lazy-type=\"image\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/02\/shadowtraffic-1024x686.webp\" alt=\"Summary dashboard\" class=\"lazy lazy-hidden wp-image-485345\"\/><noscript><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"686\" src=\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/02\/shadowtraffic-1024x686.webp\" alt=\"Summary dashboard\" class=\"wp-image-485345\"\/><\/noscript><\/figure>\n<\/div>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-123baec8ea51ce145340f5241199ef49\" id=\"h-included-nbsp-loss-of-visibility-nbsp-reports\" style=\"font-style:normal;font-weight:400\">Included\u00a0\u201cLoss of Visibility\u201d\u00a0reports<\/h2>\n<p><strong>Multihop\u00a0proxies:<\/strong>\u00a0Traffic passing from a client to a proxy that in turn passes to one or more proxies becomes difficult to trace to origin and may\u00a0indicate\u00a0an attempt to hide attack attempts.<\/p>\n<p><strong>Encrypted DNS:\u00a0<\/strong>If domain name lookup 
information is not available, then policies restricting certain domain names do not take effect as expected.<\/p>\n<p><strong>Fake TLS:<\/strong>\u00a0Some traffic\u00a0contains\u00a0TLS handshakes, headers, or other implementations that\u00a0indicate\u00a0TLS encryption is employed while not actually conforming to the protocol, instead providing a route for malware attacks,\u00a0command\u00a0and control beaconing, or tunneling non-encrypted traffic.<\/p>\n<p><strong>Evasive VPN:<\/strong>\u00a0Some VPN services intentionally conceal signals\u00a0indicating\u00a0their use through means such as traffic masking or obfuscating the protocols used for the traffic. When evasive VPNs are detected, the application making the evasive connections is\u00a0identified\u00a0in the Shadow Traffic view, allowing for simple policy creation to block that process.<\/p>\n<p><strong>Domain\u00a0fronting:<\/strong>\u00a0Some connections will advertise widely trusted front domains in the SNI, then use a different HTTP host header inside the encrypted connection to direct traffic to a different backend service on the same provider. This can cause rules\u00a0that\u00a0allow widely trusted domains to have unintended side effects, allowing traffic that is not desirable. These domain-fronting URLs are displayed in the Shadow Traffic view to highlight where policy decisions may need to be made.<\/p>\n<p>Additionally,\u00a0it\u2019s\u00a0now easier to\u00a0modify\u00a0configurations to disallow these technologies where desired.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-5885f49b33cdf9a2261483adb66926ca\" id=\"h-advanced-nbsp-logging\" style=\"font-style:normal;font-weight:400\">Advanced\u00a0logging<\/h2>\n<p>To enhance the already robust set of information available for logged connections within Cisco Secure Firewall and Cisco Secure Network Analytics, a new log type has been created and made searchable. 
Characteristics logged include:<\/p>\n<p><strong>Application\u00a0metadata:<\/strong>\u00a0Identify\u00a0suspicious applications or attempted misuses of known applications with exposure to the metadata\u00a0pertaining to\u00a0that application<\/p>\n<p><strong>Intelligent PCAPs:\u00a0<\/strong>Detailed packet data to\u00a0facilitate\u00a0deep forensics of security events<\/p>\n<p><strong>Deeper insights on layer 5-7 connections:\u00a0<\/strong>This focus on more detailed information about session, presentation, and application layer traffic provides more comprehensive visibility into\u00a0application-level\u00a0activities to investigate breaches even where network-level traffic looks benign or trusted<\/p>\n<p><strong>HTTP, FTP, DNS, and\u00a0connection logging:\u00a0<\/strong>By detailing web, file transfer, domain lookup, and general connection data, greater context is available for closer investigations of security events<\/p>\n<p><strong>Weird\u00a0logging:<\/strong>\u00a0Capturing protocol deviations and unusual network behaviors alerts security teams to traffic that may signal novel attacks or misconfigurations within applications and networks<\/p>\n<p><strong>Notice\u00a0logging:<\/strong>\u00a0Specifically,\u00a0security-relevant events are grouped and surfaced to aid in threat hunting and analysis<\/p>\n<p>This enhanced data helps network and security administrators understand more about the traffic in their organization\u2019s network and make informed policy decisions and recommendations.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-ba08440240443656301a395a63a04320\" id=\"h-splunk-nbsp-correlation-nbsp-with-nbsp-advanced-logging\" style=\"font-style:normal;font-weight:400\">Splunk\u00a0correlation\u00a0with\u00a0advanced logging<\/h2>\n<p>The deeper insights in\u00a0advanced logging\u00a0allow for Splunk correlations to existing Cisco Secure Firewall logs and events, as well as other network and 
security logs and data within organizational environments and\u00a0monitored\u00a0by the organization\u2019s Splunk instance. These correlations offer opportunities to\u00a0more quickly detect, triage, and create responses to security events by streamlining efforts to trace the event through the network and find additional signals to understand the event\u2019s impact.<\/p>\n<h2 class=\"wp-block-heading has-cisco-green-color has-text-color has-link-color wp-elements-92964b56153590fa06f9959baff8d0dd\" id=\"h-take-a-nbsp-hands-on-look-nbsp-at-cisco-secure-firewall-10-0\" style=\"font-style:normal;font-weight:400\">Take a\u00a0hands-on look\u00a0at Cisco Secure Firewall 10.0<\/h2>\n<p>Want to dive deeper into Cisco firewalls? Sign up for the\u202fCisco Secure Firewall Test Drive, an instructor-led,\u00a04-hour hands-on course where\u00a0you\u2019ll\u00a0experience the Cisco\u00a0firewall\u00a0technology in action and learn about the latest security challenges and attacker techniques.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Facing an\u00a0ever-evolving\u00a0and increasingly sophisticated cybersecurity landscape, organizations have a pressing need to gain greater\u00a0visibility of\u00a0and insights into their network traffic.\u00a0Most threats are delivered over encrypted 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":16697,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-16696","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/16696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/comments?post=16696"}],"version-history":[{"count":0,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/16696\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media\/16697"}],"wp:attachment":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media?parent=16696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/categories?post=16696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/tags?post=16696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}