April 2, 2024
This release introduces stability, hardening, and performance enhancements.
Feature | Min. Threat Defense | Details |
---|---|---|
Platform | | |
Threat defense Version 7.4.1 support. | 7.4.1 | You can now manage threat defense devices running Version 7.4.1. |
Network modules for the Secure Firewall 3130 and 3140. | 7.4.1 | The Secure Firewall 3130 and 3140 now support these network modules: See: Cisco Secure Firewall 3110, 3120, 3130, and 3140 Hardware Installation Guide |
Optical transceivers for Firepower 9300 network modules. | 7.4.1 | The Firepower 9300 now supports these optical transceivers: On these network modules: |
Performance profile support for the Secure Firewall 3100. | 7.4.1 | The performance profile settings available in the platform settings policy now apply to the Secure Firewall 3100. Previously, this feature was supported on the Firepower 4100/9300, the Secure Firewall 4200, and on threat defense virtual. |
NAT | | |
Create network groups while editing NAT rules. | Any | You can now create network groups in addition to network objects while editing a NAT rule. |
Device Management | | |
Device management services supported on user-defined VRF interfaces. | Any | Device management services configured in the threat defense platform settings (NetFlow, SSH access, SNMP hosts, syslog servers) are now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces. Platform restrictions: Not supported with container instances or clustered devices. |
SD-WAN | | |
SD-WAN Summary dashboard | 7.4.1 | The WAN Summary dashboard provides a snapshot of your WAN devices and their interfaces. It provides insight into your WAN network and information about device health, interface connectivity, application throughput, and VPN connectivity. You can monitor the WAN links and take proactive and prompt recovery measures. You can also monitor the WAN interface application performance using the Application Monitoring tab. New/modified screens: |
Access Control: Identity | | |
Captive portal support for multiple Active Directory realms (realm sequences). | 7.4.1 | Upgrade impact. Update custom authentication forms. You can configure active authentication for either an LDAP realm, or a Microsoft Active Directory realm or realm sequence. In addition, you can configure a passive authentication rule to fall back to active authentication using either a realm or a realm sequence. You can optionally share sessions between managed devices that share the same identity policy in access control rules. You also have the option to require users to authenticate again when they access the system using a different managed device than they accessed previously. If you use the HTTP Response Page authentication type, after you upgrade threat defense, you must add `<select name="realm" id="realm"></select>` to your custom authentication form. This allows the user to choose between realms. Restrictions: Not supported with Microsoft Azure Active Directory. New/modified screens: |
Share captive portal active authentication sessions across firewalls. | 7.4.1 | Determines whether or not users are required to authenticate when their authentication session is sent to a different managed device than one they previously connected to. If your organization requires users to authenticate every time they change locations or sites, you should disable this option. New/modified screens: |
Deployment and Policy Management | | |
View and generate reports on configuration changes since your last deployment. | Any | You can generate, view, and download (as a zip file) the following reports on configuration changes since your last deployment: This is especially useful after you upgrade threat defense devices, so that you can see the changes made by the upgrade before you deploy. New/modified screens: . |
Suggested release notifications. | Any | The management center now notifies you when a new suggested release is available. If you don't want to upgrade right now, you can have the system remind you later, or defer reminders until the next suggested release. The new upgrade page also indicates suggested releases. See: Cisco Secure Firewall Management Center New Features by Release |
Enable revert from the threat defense upgrade wizard. | Any | You can now enable revert from the threat defense upgrade wizard. Other version restrictions: You must be upgrading threat defense to Version 7.2+. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Cloud-Delivered Firewall Management Center |
View detailed upgrade status from the threat defense upgrade wizard. | Any | The final page of the threat defense upgrade wizard now allows you to monitor upgrade progress. This is in addition to the existing monitoring capability on the Upgrade tab on the Device Management page, and on the Message Center. Note that as long as you have not started a new upgrade flow, brings you back to this final wizard page, where you can view the detailed status for the current (or most recently complete) device upgrade. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Cloud-Delivered Firewall Management Center |
Firmware upgrades included in FXOS upgrades. | Any | Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot. For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware. Just as with software and operating system upgrades, do not make or deploy configuration changes during firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during firmware upgrade. |
Upgrade | | |
Improved upgrade starting page and package management. | Any | A new upgrade page makes it easier to choose, download, manage, and apply upgrades to your entire deployment. The page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. You can easily choose and direct-download packages from Cisco, as well as manually upload and delete packages. Patches are not listed unless you have at least one appliance at the appropriate maintenance release (or you manually uploaded the patch). You must manually upload hotfixes. New/modified screens: Deprecated screens/options: See: Cisco Secure Firewall Threat Defense Upgrade Guide for Cloud-Delivered Firewall Management Center |
Administration | | |
Updated internet access requirements for direct-downloading software upgrades. | Any | The management center has changed its direct-download location for software upgrade packages from sourcefire.com to amazonaws.com. |
Scheduled tasks download patches and VDB updates only. | Any | The Download Latest Update scheduled task no longer downloads maintenance releases; now it only downloads the latest applicable patches and VDB updates. To direct-download maintenance (and major) releases to the management center, use System () . |
Smaller VDB for lower memory Snort 2 devices. | Any with Snort 2 | For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB. Lower memory devices: ASA-5508-X and ASA 5516-X |

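
The captive portal entry above requires custom HTTP Response Page forms to carry a realm selector after the threat defense upgrade. This added example (not Cisco code) is a pre-upgrade check that scans a form's HTML for that exact element; the sample forms and their field names are constructed, and requiring the element to sit inside `<form>` is an assumption.

```python
from html.parser import HTMLParser

# Constructed sample forms (field names are placeholders, not Cisco's template).
OLD_FORM = '<form method="post"><input name="username"><input type="password" name="password"></form>'
NEW_FORM = OLD_FORM.replace("</form>", '<select name="realm" id="realm"></select></form>')
STRAY = '<select name="realm" id="realm"></select>' + OLD_FORM


class SelectFinder(HTMLParser):
    """Collects every <select> and whether it was opened inside a <form>."""

    def __init__(self):
        super().__init__()
        self.form_depth = 0
        self.selects = []  # list of (attribute dict, inside_form)

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.form_depth += 1
        elif tag == "select":
            self.selects.append((dict(attrs), self.form_depth > 0))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_depth:
            self.form_depth -= 1


def check_auth_form(html):
    """Return a list of problems; an empty list means the realm selector is in place."""
    finder = SelectFinder()
    finder.feed(html)
    finder.close()
    exact = [inside for a, inside in finder.selects
             if a.get("name") == "realm" and a.get("id") == "realm"]
    if not exact:
        partial = any("realm" in (a.get("name"), a.get("id")) for a, _ in finder.selects)
        return ["select must have both name and id set to 'realm'" if partial
                else 'missing <select name="realm" id="realm"></select>']
    problems = []
    if len(exact) > 1:
        problems.append("more than one realm selector")
    if not all(exact):
        # Assumption: the selector must be inside <form> to be submitted with it.
        problems.append("realm selector is outside the <form> element")
    return problems


if __name__ == "__main__":
    for name, form in (("old", OLD_FORM), ("new", NEW_FORM), ("stray", STRAY)):
        print(name, check_auth_form(form) or "ok")
```
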
Feature | Deprecated in Threat Defense | Details |
---|---|---|
Deprecated: DHCP relay trusted interfaces with FlexConfig. | Any | You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them. |
Deprecated: Merging downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources with FlexConfig. | Any | This feature is now supported in the management center web interface. |
Deprecated: frequent drain of events health alerts. | 7.4.1 | The Disk Usage health module no longer alerts with |