In previous releases, if two or more users simultaneously edited an access control policy, the first user who saved would retain their changes, and all other users would immediately lose all of their edits. Now, these users have the ability to selectively merge their changes, and changes that do not conflict with the first user’s saved changes will automatically be accepted. This improves collaboration between users and reduces the need to lock the policy during edits.

Easily create standard decryption policies using a new interface tailored to the most common and effective scenarios, with single-page certificate management. Or, stick with the legacy wizard and advanced rules-based policy editor.

After Firewall Management Center upgrade, existing policies are labeled as legacy policies and continue to work as before. You can switch from a standard policy to legacy, but not from legacy to standard.

You can now use a certificate and key defined in the decryption rule to decrypt traffic. This certificate and key can be the internal server's certificate or it can be a different certificate; in addition, you can change the certificate and key at any time. You can replace the certificate using the API, a system like the Automated Certificate Management Environment (ACME), or using Object Management.

The Secure Firewall 200 is an affordable security appliance for branch offices and remote locations that balances cost and features. During deployment, the system alerts you to any unsupported configurations.

Limitations include:

• No clustering or multi-instance mode.

• Smaller vulnerability database.

• Cloud-based URL filtering and malware analysis only—no local databases or analysis.

• Less frequent Security Intelligence updates.

• Minimal default system logging.

• Limited health alerts.

• Identity limits to user IPs, SXP/SGT mappings, endpoint profiles, and dynamic objects.

  Limits to IP mappings, users, SGTs, endpoint profiles

Version restrictions: In Version 10.0.0, the Secure Firewall 220 is the only supported device in the Secure Firewall 200 series.

The Secure Firewall 6100 is an ultra-high-end firewall for demanding data center and telecom networks. It has exceptional price-to-performance, modular capability, and high throughput.

The Secure Firewall 6100 supports Spanned EtherChannel and Individual interface clustering for up to 4 nodes.

You can view details, including operational status, for the field-replaceable memory module on the Secure Firewall 6100.

New/modified screens: Choose Devices > Device Management, then edit the device and select the Device tab. In the System section, click View next to Inventory > Memory.

New/modified Firewall Threat Defense commands: show inventory

New/modified FXOS commands: show dimm detail

The FPR4200-PWR-DC for Secure Firewall 4200 is a 1500 W DC power supply. The dual power supply modules can supply up to 1500 W power across the input voltage range (48 VDC to 60 VDC). The load is shared when both power supply modules are plugged in and running at the same time.

The FPR4K-XNM-6X1SXF for the Secure Firewall 4200 is a 6-port 1-Gbps SFP hardware bypass network module that operates in SX multimode. This network module has built-in SFP transceivers.

The Secure Firewall 4225 in multi-instance mode now supports 21 container instances. The previous limit was 14.

For asymmetric flows, cluster redirect lets the forwarding node offload flows to hardware. This feature is enabled by default but can be configured using FlexConfig.

When traffic for an existing flow is sent to a different node, then that traffic is redirected to the owner node over the cluster control link. Because asymmetric flows can create a lot of traffic on the cluster control link, letting the forwarder offload these flows can improve performance.

Added/modified commands: flow-offload cluster-redirect (FlexConfig), show conn , show flow-offload flow , show flow-offload info

For asymmetric flows, cluster redirect lets the forwarding node offload flows to hardware. This feature is enabled by default but can be configured using FlexConfig.

When traffic for an existing flow is sent to a different node, then that traffic is redirected to the owner node over the cluster control link. Because asymmetric flows can create a lot of traffic on the cluster control link, letting the forwarder offload these flows can improve performance.

Added/modified commands: flow-offload cluster-redirect (FlexConfig), show conn , show flow-offload flow , show flow-offload info

Handle traffic based on real-time user posture and risk by correlating identity and device context (from Cisco ISE or pxGrid Cloud) with Cisco Identity Intelligence (from Microsoft Entra ID or Cisco Duo).

The Cisco Identity Services Engine (Cisco ISE) pxGrid Cloud Identity Source enables you to use subscription and user data from a Cisco ISE server or cluster Cisco ISE in access control rules.

A new Splunk integration wizard (Integrations > Splunk) and updated logging options in access control make it easier to send security events to Splunk (or any other SIEM via syslog)..

You can generate protocol-aware (enriched) inspector logs for traffic that you specify. Send these logs via syslog to Splunk or to any syslog server configured as an alert.

To use this feature, enable advanced logging in your access control policy's advanced settings. Then, use access control rules to pinpoint the traffic where you want advanced logs. In those rules, enable the protocols you want to inspect.

To receive alerts when there are communication issues between devices and the syslog server, enable the Snort 3 Statistics module in the device health policy.

Packet data is now included with intrusion events sent to Cisco Security Cloud.

Migrate to the Secure Firewall 3100, 4200, and 6100 from:

• Firepower 4112, 4115, 4125, 4145

• Firepower 9300: SM-40, SM-48, SM-56

Migrate the Firepower 1010 and 1010E to the Secure Firewall 200 and 1200.

The firewall block depletion fault manager introduced in Version 7.7.0 now supports clustered devices. Fault monitoring is automatically enabled on new and upgraded devices. To disable, use FlexConfig.

We made performance and resiliency improvements to:

• Deploying configuration changes

• Event logging to external servers such as syslog or Cisco Security Cloud, for the Secure Firewall 4200 and 6100

• Install and upgrade

• High availability for Firewall Threat Defense

• Snort ML

• Zero-touch provisioning

Firewall Threat Defense Virtual now supports Microsoft Hyper-V.

Firewall Threat Defense Virtual supports dynamic disk expansion on all virtual platforms. This capability optimizes disk utilization on high-capacity systems (for example, systems with 64 vCPUs and 128 GB RAM), ensuring that large core dump files do not trigger disk-space alerts.

Firewall Threat Defense Virtual for VMware and KVM now support an unlimited performance tier (FTDvU). This tier does not rate limit and the RA VPN session limit depends on the allocated resources:

• 20,000 sessions with 32 vCPU and 64 GB RAM

• 32,000 sessions with 64 vCPU and 128 GB RAM

Firewall Threat Defense Virtual for Microsoft Azure now supports MANA NIC hardware, which is optimized for enhanced networking performance.

Supported instances: Standard_D8s_v5, Standard_D16s_v5

Firewall Management Center Virtual and Firewall Threat Defense Virtual for Nutanix now support Nutanix AOS 6.8. This includes Virtual Private Cloud (VPC) support, whose flexible and cloud-like network segmentation and isolation allows you to effectively design and scale secure multi-tenant architectures.

Firewall Management Center Virtual and Firewall Threat Defense Virtual for OpenStack now support the Caracal release.

Firewall Threat Defense Virtual for OCI now supports Flex instances powered by an Ampere ARM-based processor.​ ARM architecture provides high performance with lower power consumption, enabling cost-efficient scaling.

Supported instances: VM.Standard.A1.Flex, VM.Standard.A2.Flex

Firewall Threat Defense Virtual is now compatible with UEFI-based virtual machines. This modern firmware interface replaces legacy BIOS, improves boot performance, and provides enhanced hardware/VM compatibility.

Secure Boot ensures that only signed and trusted bootloaders, kernel modules, and drivers are executed when the VM starts. It improves the virtual appliances security.

You can now use policy based routing to handle traffic using custom application patterns (basic supported from Version 7.7.0). Create an advanced custom application detector by uploading a Lua file with your detection pattern. Then, use the detector in an extended ACL in your PBR policy.

See: Policy Based Routing

You can now configure recursive DNS server (RDNSS) and DNS search list (DNSSL) options to provide DNS servers and domains to SLAAC clients using router advertisements.

New/modified screens: Devices > Device Management > Interfaces > Add/Edit Interfaces > IPv6 > Settings

New/modified commands: show ipv6 nd detail , show ipv6 nd ra dns-search-list , show ipv6 nd ra dns server , show ipv6 nd summary

EVE improvements include:

• EVE configuration moved from the access control policy advanced settings to the main access control policy page (in the More drop-down list).

• New monitor and protect modes. The monitor mode allows you to see EVE verdicts without blocking.

• Five-level threat confidence scale now only two levels: high and very high.

• EVE is now automatically used for application detection when you enable EVE.

• EVE exceptions are now objects, and are automatically shared across all access control policies.

• Security-related connection events now include those for connections with malware processes detected by EVE at higher threat confidence levels.

• New EVE widgets on the Summary Dashboard provide information on targeted resources, as well as on connections blocked over time. Note that new dashboard widgets only show data for Version 10+ devices.

For access control rules, a new Application Default option on the Applications tab lets you limit the rule to the application's default ports. You can also specify that the application be identified on Any port, which is the system's previous behavior.

Note that any specification on the Ports tab overrides these options. You can use the Ports tab to limit the rule to one, multiple, or a range of ports.

You can configure DNS rules in the DNS policy to use dynamic objects or security group tags (SGT). If you are using these types of objects in access control rules already, you can now extend their use to your DNS policy.

We added the Dynamic Attributes tab to the add/edit DNS rule dialog box.

Snort ML now detects HTTP command line injection attacks.

The snort_ml inspector is currently disabled in all default policies except maximum detection. The intrusion rule the generates an event when the snort_ml detects an attack (GID:411 SID:1) is also currently disabled in all default policies except maximum detection.

You can configure threat detection at the cluster level. For nodes in a cluster, detection and prevention happen at the cluster level. Portscans can be detected when they happen across nodes or in an individual node. Shunned hosts are shunned on all devices in the cluster. Shuns are released at the same time on all nodes. Statistics are available at the cluster level.

When a node joins the cluster, it checks MTU compatibility by sending a ping to the control node with a packet size matching the cluster control link MTU. If the ping fails, it tries the MTU divided by 2 and keeps dividing by 2 until an MTU ping is successful. A notification is generated so you can fix the MTU to a working value and try again. We recommend increasing the switch MTU size to the recommended value, but if you can't change the switch configuration, a working value for the cluster control link will let you form the cluster.

New/modified commands: show cluster history

When a cluster node CPU usage is high, the health check will be suspended, and the node will not be marked as unhealthy. This feature is enabled by default when the CPU usage reaches 90% but can be configured using FlexConfig.

New/modified FlexConfig commands: cpu-healthcheck-threshold

Prioritizing critical control traffic increases resiliency in high availability and clustered deployments, especially when forming high availability or rejoining a cluster during times of heavy load.

New/modified commands: show asp priority-polling , show cluster info trace , show failover trace

Deployment restrictions: Not supported with container instances

Platform restrictions: Supported with Secure Firewall 3100, 4200, and 6100 only

You can now use the packet tracer to modify the source and destination IP address, source and destination port, and VLAN ID of a PCAP. In transparent mode, you can also modify the destination MAC address. You can then run a trace with the modified PCAP.

You can now use the CLI to configure most hardware devices to generate a Linux kernel dump on crash. After you enable this feature, the device must reboot for it to take effect. Using the force keyword reboots the device and generates a kernel dump immediately. Or, manually reboot the device later. The upgrade automatically enables this feature.

New CLI command: system support kernel-crash-dump

Platform restrictions: Supported on all hardware devices except the Secure Firewall 200 and ISA 3000.

Recovery-config mode now supports NAT and related object and object-group commands.

It also supports the following interface commands:

• duplex

• fec

• negotiate-auto

• speed

These interface commands, in addition to shutdown, are not supported in recovery-config mode on the cluster control link or failover link.

New/modified diagnostic CLI (system support diagnostic-cli ) command: configure recovery-config

Platform restrictions: Not supported with the Firepower 4100/9300, ISA 3000, or virtual firewall. Not supported for the Secure Firewall 3100/4200 in multi-instance mode.

You can now configure minimal (notice and above) system logging. For most devices, the default is full logging. For the new Secure Firewall 220, the default is minimal logging.

New/modified CLI commands: system support logging-show , system support logging-full , system support logging-minimal

A new, streamlined upgrade wizard makes it easier to select and prepare devices for upgrade, and to identify issues preventing upgrade.

Note that the Firewall Threat Defense wizard takes advantage of a new prepare-only option for unattended mode. This means that while the wizard copies packages and checks readiness, you may see messages about unattended mode running even if you did not explicitly start it.

With unattended Firewall Threat Defense upgrades:

• Prepare for upgrade only—copy packages and check readiness, but do not perform the actual upgrade.

• Skip readiness checks for devices that already passed.

These new options are available when you start unattended mode.

You can now:

• Prevent devices from downloading upgrade packages from the internet. That is, you can now require that devices get upgrade packages from the Firewall Management Center or an internal server, even if the devices have internet access.

• Specify how long devices retry failed downloads from an internal server or the internet. This setting does not apply to transfers between the Firewall Management Center and device.

New/modified screens: Administration > Product Upgrades > Global upgrade settings

We redesigned the Firewall Management Center menus to be more intuitive and consistent with the Cisco Security Cloud user interface. A main, single-column menu provides a subset of your most used items, while all items are visible in expanded mode. You can customize which items to include on the main menu to suit your priorities. Preferences are per user.

Existing and renamed top-level menus include:

• Overview is now Insights & Reports

• Analysis is now Events & Logs

• Policies, Devices, and Objects are the same

• Integration is now Integrations

• System () is now Administration and appears in the left navigation

New top-level menus include:

• Secure Connections

• Troubleshooting

Some submenus were moved to new main menu locations.

You can now use an ACME certificate to authenticate a managed device as an RA VPN gateway.

New/modified screens: Objects > PKI > Cert Enrollment > Add Cert Enrollment > Enrollment Type > ACME

New/modified commands: crypto ca trustpoint

Cisco TrustSec uses security group tags (SGTs) to control access and enforce traffic on a network. This option enables SGT propagation over SVTIs and DVTIs of route-based and SD-WAN VPN topologies. To enable SGT propagation on a specific SVTI or DVTI, configure it in individual devices.

New/modified screens:

• Secure Connections > Site-to-Site VPN & SD-WAN > SD-WAN Topology > Advanced Settings

• Secure Connections > Site-to-Site VPN & SD-WAN > Route-based VPN > Advanced > Tunnel

You can now enable Equal Cost Multi-Path (ECMP) on the dynamic VTIs of hub devices. All virtual access interfaces on the hub connecting to the same spoke are grouped into an ECMP zone.

New/modified screens:

• Secure Connections > Site-to-Site VPN & SD-WAN > SD-WAN Topology > Add Hub

• Secure Connections > Site-to-Site VPN & SD-WAN > Route-based VPN > Hub

You can now enable the BFD routing protocol on the SVTIs and DVTIs of route-based and SD-WAN VPN topologies.

New/modified screens:

• Secure Connections > Site-to-Site VPN & SD-WAN > SD-WAN Topology > Advanced Settings

• Secure Connections > Site-to-Site VPN & SD-WAN > Route-based VPN > Advanced > Tunnel

A cluster on the Secure Firewall 4200 supports site-to-site VPN in distributed mode. Distributed mode provides the ability to have many site-to-site IPsec IKEv2 VPN connections distributed across members of a cluster, not just on the control node (as in centralized mode). This significantly scales VPN support beyond centralized VPN capabilities and provides high availability.

Added/modified commands: cluster redistribute vpn-sessiondb , show cluster vpn-sessiondb , cluster vpn-mode , show cluster resource usage , show vpn-sessiondb , show conn detail , show crypto ikev2 stats

You can choose an ACME certificate for authenticating a managed device as a SAML SP for a zero-trust application policy. ACME certificates automate the lifecycle management of SSL and TLS certificates, including their auto-renewal.

New/modified screens: Objects > PKI > Cert Enrollment > ACME

New/modified commands: crypto ca trustpoint

Clientless ZTNA now provides secure access to applications connected over IPv6 networks.

Limitations: IPv6 source NAT for applications is only for homogeneous scenarios such as NAT66 and NAT44. NAT64 and NAT46 are not supported.

New/modified screens: Policies > Zero Trust Application > Clientless Policy > Add Application

New/modified CLIs: show running-config zero-trust

You can no longer configure a Secure Network Analytics manager-only deployment to store events. Note that manager-only deployments are deprecated in Secure Network Analytics Version 7.5.1.

Although existing manager-only integrations continue to work, we recommend you switch to a single-node data store deployment with the latest supported version of Secure Network Analytics. This allows you to take advantage of new features, resolved issues, and performance improvements.

Upgrade impact. Upgrade VMware before you upgrade the software.

We discontinued support for virtual deployments on VMware vSphere/VMware ESXi 6.5, 6.7, 7.0, and 7.5. Upgrade your hosting environment to Version 8.0 before you upgrade any virtual appliance.

Version restrictions: Versions 7.3.x and 7.4.0–7.4.1 are not qualified on VMware 8.0. If you run any of these versions, upgrade to VMware 8.0 first. Move to the next step as soon as possible. For best results, perform a multi-step upgrade: first the virtual appliance to 7.4.2–7.7.x, then VMware, then the virtual appliances again.

You can no longer monitor device revert from the Message Center. Instead, use the Device Management page (Devices > Device Management). On the Upgrade tab, click View Details next to the device you are reverting.

Some walkthroughs are no longer available. For a list of supported walkthroughs by version, see Walkthroughs in Secure Firewall Management Center.

You can now register an application-mode device to the Firewall Management Center and then convert it to multi-instance mode without having to use the CLI.

New/modified screens:

• Devices > Device Management, then for a device, click More () > Convert to Multi-Instance

• Devices > Device Management, then select multiple devices and choose Select Bulk Action > Convert to Multi-Instance

See: Convert a Device to Multi-Instance Mode