Platform
|
Secure Firewall 1200.
|
7.6.0
|
|
Disable the front panel USB-A port on the
Firepower 1000 and Secure Firewall 3100/4200.
|
7.6.0
|
You can now disable the front panel USB-A port on the
Firepower 1000 and Secure Firewall 3100/4200. By default,
the port is enabled.
New/modified Firewall Threat Defense CLI commands: system support usb show, system support usb port disable, system support usb port enable
New/modified FXOS CLI commands for the Secure Firewall 3100 in multi-instance mode: show usb-port, disable usb-port, enable usb-port
See: Cisco Secure Firewall Threat Defense
Command Reference and Cisco Firepower 4100/9300 FXOS Command
Reference
|
Device Management
|
Device templates.
|
7.4.1
|
Device templates allow you to deploy multiple branch devices
with pre-provisioned initial device configurations (zero-touch provisioning). You can also apply configuration changes to multiple
devices with different interface configurations, and clone
configuration parameters from existing devices.
Restrictions: You can use device templates to configure a
device as a spoke in a site-to-site VPN topology, but not as
a hub. A device can be part of multiple hub-and-spoke
site-to-site VPN topologies.
New/modified screens:
Supported platforms: Firepower 1000/2100, Secure Firewall
1200/3100. Note that Firepower 2100 support is for Firewall Threat Defense 7.4.1–7.4.x only; those devices cannot run Version
7.6.0.
See: Device Management Using
Device Templates and Onboard Threat Defense
Devices using Device Templates to Cloud-Delivered
Firewall Management Center using Zero-Touch
Provisioning.
|
AAA for user-defined VRF interfaces.
|
7.6.0
|
External authentication, authorization, and accounting (AAA) for a device can now be
reached through user-defined Virtual Routing and Forwarding (VRF) interfaces.
By default, the device reaches its AAA servers through the management interface.
In device platform settings, you can now associate a security
zone or interface group having the VRF interface, with a
configured external authentication server.
New/modified screens:
See: Enable
Virtual-Router-Aware Interface for External
Authentication of Platform
|
Policy Analyzer & Optimizer cross-launch for access
control.
|
Any
|
The Policy Analyzer & Optimizer evaluates access control
policies for anomalies such as redundant or shadowed rules,
and can take action to fix discovered
anomalies.
You can now launch the Policy Analyzer & Optimizer
directly from the access control policy page. Choose , select policies, and click Analyze Policies.
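The anomaly classes named above (redundant and shadowed rules) are easy to mistake for one another. The following is an added example, not Cisco's Policy Analyzer code, that detects both under first-match evaluation on a constructed rule set. The definitions it uses are the classic firewall-anomaly ones and are an assumption here: a rule is shadowed when an earlier rule with a different action already matches every packet it would match (it never fires, and its intent is lost), and redundant when an earlier rule with the same action does (it can be removed without changing behaviour). The Rule fields, sample addresses and the optimize() behaviour are all illustrative choices, not the product's.

```python
"""Added example: first-match detection of shadowed and redundant rules.
Definitions (assumed, classic firewall-anomaly terms, not Cisco's exact taxonomy):
  shadowed  - fully covered by an earlier rule with a DIFFERENT action
  redundant - fully covered by an earlier rule with the SAME action
"""
import ipaddress
from dataclasses import dataclass

ANY_PORTS = (0, 65535)


def _subnet_of(inner: str, outer: str) -> bool:
    a, b = ipaddress.ip_network(inner), ipaddress.ip_network(outer)
    # subnet_of() raises on mixed IPv4/IPv6; treat those as disjoint instead.
    return a.version == b.version and a.subnet_of(b)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "block"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    proto: str                  # "tcp", "udp", or "any"
    dports: tuple = ANY_PORTS   # inclusive destination port range

    def covers(self, other: "Rule") -> bool:
        """True when every packet matched by `other` is also matched by self."""
        return (
            _subnet_of(other.src, self.src)
            and _subnet_of(other.dst, self.dst)
            and self.proto in ("any", other.proto)
            and self.dports[0] <= other.dports[0]
            and other.dports[1] <= self.dports[1]
        )


def analyze(rules):
    """Return (kind, rule, covering_rule) for each rule that a single earlier
    rule fully covers. Only the first covering rule is reported: under
    first-match evaluation it alone decides what happens to the packet.
    Caveat: several earlier rules that together cover a later rule are not
    detected here; a complete analyzer must also handle that case."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.name, earlier.name))
                break
    return findings


def optimize(rules):
    """Drop redundant rules (safe: same action). Shadowed rules are kept and
    left to a human, because silently deleting them hides a probable mistake."""
    redundant = {name for kind, name, _ in analyze(rules) if kind == "redundant"}
    return [r for r in rules if r.name not in redundant]


# Constructed sample policy, evaluated top to bottom (not a real deployment).
SAMPLE_RULES = [
    Rule("allow_dns",       "allow", "10.0.0.0/8",    "0.0.0.0/0",  "udp", (53, 53)),
    Rule("block_guest",     "block", "10.20.0.0/16",  "0.0.0.0/0",  "any"),
    Rule("allow_guest_web", "allow", "10.20.5.0/24",  "0.0.0.0/0",  "tcp", (443, 443)),
    Rule("allow_corp_dns",  "allow", "10.1.0.0/16",   "8.8.8.8/32", "udp", (53, 53)),
    Rule("allow_v6_web",    "allow", "2001:db8::/32", "::/0",       "tcp", (443, 443)),
]

if __name__ == "__main__":
    for kind, name, by in analyze(SAMPLE_RULES):
        print(f"{name}: {kind} (covered by {by})")
    print("after optimize:", [r.name for r in optimize(SAMPLE_RULES)])
```

In the sample, allow_guest_web is shadowed by block_guest (the guest /24 sits inside the blocked /16, and the block rule matches any protocol and port), so guest HTTPS is silently blocked despite the allow rule; allow_corp_dns is redundant with allow_dns and can be dropped. The IPv6 rule is untouched because address families never overlap.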
|
High Availability/Scalability
|
Multi-instance mode for the Secure Firewall
4200.
|
7.6.0
|
|
Multi-instance mode conversion in the Firewall Management
Center for the Secure Firewall 3100/4200.
|
7.6.0
|
You can now register an appliance-mode device to the Firewall Management
Center and then convert it to multi-instance mode without having
to use the CLI.
New/modified screens:
-
, then for a device, click More > Convert to Multi-Instance
-
, then select multiple devices and choose
See: Convert a Device to
Multi-Instance Mode
|
16-node clusters for the Secure Firewall
3100/4200.
|
7.6.0
|
|
Individual interface mode for
Secure Firewall 3100/4200 clusters.
|
7.6.0
|
Individual interfaces are normal routed interfaces, each with
their own local IP address used for routing. The main
cluster IP address for each interface is a fixed address
that always belongs to the control node. When the control
node changes, the main cluster IP address moves to the new
control node, so management of the cluster continues
seamlessly. Load balancing must be configured separately on
the upstream switch.
Restrictions: Not supported for container instances.
New/modified screens:
See: Clustering for the Secure
Firewall 3100/4200 and Address Pools
|
Deploy virtual firewall clusters
across multiple AWS availability zones.
|
7.6.0
|
You can now deploy Firewall Threat Defense
Virtual clusters across multiple availability zones in an AWS
region. This enables continuous traffic inspection and
dynamic scaling (AWS Auto Scaling) during disaster
recovery.
See: Deploy a Threat Defense
Virtual Cluster on AWS
|
Deploy Firewall Threat Defense
Virtual for AWS in two-arm-mode with GWLB.
|
7.6.0 |
You can now deploy Firewall Threat Defense
Virtual for AWS in two-arm mode with a Gateway Load Balancer (GWLB). In this
mode the firewall forwards internet-bound traffic directly after
inspection, performing network address translation (NAT) on it.
Two-arm mode is supported in single-VPC and multi-VPC
environments.
Restrictions: Not supported with clustering.
See: Cisco Secure Firewall
Threat Defense Virtual Getting Started
Guide
|
Interfaces
|
Deploy without the diagnostic
interface on Firewall Threat Defense
Virtual for Azure and GCP.
|
7.4.1
|
You can now deploy without the diagnostic interface on Firewall Threat Defense
Virtual for Azure and GCP. Previously, we required one
management, one diagnostic, and at least two data
interfaces. New interface requirements are:
-
Azure: one management, two data (max eight)
-
GCP: one management, three data (max eight)
Restrictions: This feature is supported for new deployments
only. It is not supported for upgraded devices.
See: Cisco Secure Firewall
Threat Defense Virtual Getting Started
Guide
|
SD-WAN
|
SD-WAN wizard.
|
Hub: 7.6.0
Spoke: 7.3.0
|
|
Access Control: Threat Detection and Application
Identification
|
QUIC decryption.
|
7.6.0 with Snort 3
|
You can configure the decryption policy to apply to sessions
running on the QUIC protocol. QUIC decryption is disabled by
default. You can selectively enable QUIC decryption per
decryption policy and write decryption rules to apply to
QUIC traffic. By decrypting QUIC connections, the system can
then inspect the connections for intrusion, malware, or
other issues. You can also apply granular control and
filtering of decrypted QUIC connections based on specific
criteria in the access control policy.
We modified the decryption policy Advanced Settings to
include the option to enable QUIC decryption.
See: Decryption Policy
Advanced Options
|
Snort ML: neural network-based exploit
detector.
|
7.6.0 with Snort 3
|
A new Snort 3 inspector, snort_ml, uses neural network-based
machine learning (ML) to detect known and
zero-day attacks without needing multiple
preset rules. The inspector subscribes to HTTP events and
extracts the HTTP URI, which a neural
network then evaluates for exploits (currently limited to SQL
injection). The new inspector is currently disabled in all
default policies except Maximum Detection.
A new intrusion rule, GID:411 SID:1, generates an event when
snort_ml detects an attack. This rule is also currently
disabled in all default policies except Maximum
Detection. To use the detector with any other base policy, enable both the
inspector and the rule; enabling only one of them produces no events.
See: Snort 3 Inspector
Reference
|
Allow Cisco Talos to conduct advanced threat hunting and intelligence
gathering using your traffic.
|
7.6.0 with Snort 3
|
Upgrade impact. Upgrade enables telemetry.
You can help Talos (Cisco's threat intelligence team) develop a more
comprehensive understanding of the threat landscape by
enabling threat hunting telemetry. With this feature, events
from special intrusion
rules are sent to Talos to help with threat analysis, intelligence gathering, and
development of better protection strategies. This setting is
enabled by default in new and upgraded deployments; if your data-handling
requirements do not permit sending event data to Cisco, review and disable it
in the intrusion policy preferences after upgrading.
New/modified screens: System
See: Intrusion Policy
Preferences
|
Access Control: Identity
|
Passive identity agent for Microsoft
AD.
|
Any
|
This feature is introduced in this release.
Passive Identity
Agent version 1.1 is compatible with 7.6.0 and later and adds
the following:
-
You can use an FQDN, an IPv4 address, or an IPv6 address to connect
from the Passive Identity
Agent to the Secure Firewall Management Center or Cisco Security Cloud Control.
-
Sends both IPv4 and IPv6 user sessions from Microsoft
Active Directory (AD) to the Firewall Management
Center.
-
You can zip troubleshooting logs.
-
When you start the Passive Identity
Agent software, a list of prerequisites is
displayed.
The Passive Identity
Agent identity source sends session data from Microsoft Active
Directory (AD) to the Firewall Management
Center. Passive identity agent software is supported on:
-
Microsoft AD server (Windows Server 2008 or later)
-
Microsoft AD domain controller (Windows Server 2008 or later)
-
Any client connected to the domain you want to monitor (Windows 8 or later)
See: User Control With the
Passive Identity Agent.
|
pxGrid Cloud Identity Source.
|
|
The Cisco Identity Services Engine (Cisco ISE)
pxGrid Cloud Identity Source enables you to use subscription and user data from
Cisco ISE in Cloud-Delivered Firewall Management Center access control rules. Also, the identity source uses constantly changing dynamic objects from Cisco ISE in access control policies in the Cloud-Delivered Firewall Management Center.
New/updated screens:
See: User Control with the pxGrid Cloud Identity
Source
|
New connectors for Cisco Secure Dynamic Attributes Connector
|
Any
|
|
Microsoft Azure AD realms for
active or passive authentication.
|
Active: 7.6.0 with Snort 3
Passive: 7.4.1 with Snort 3
|
You can now use Microsoft Azure Active Directory (AD) realms
for active and passive authentication:
-
Active authentication using Azure AD: Use Azure AD as a captive portal.
-
Passive authentication using Cisco ISE (introduced in
Version 7.4.0): The Firewall Management
Center gets groups from Azure AD and logged-in user
session data from ISE.
We use SAML (Security Assertion Markup Language) to establish
a trust relationship between a service provider (the devices
that handle authentication requests) and an identity
provider (Azure AD). For
upgraded Firewall Management
Centers, existing Azure AD realms are displayed as SAML -
Azure AD realms.
Upgrade impact. If you had a Microsoft Azure AD realm
configured before the upgrade, it is displayed as a SAML -
Azure AD realm configured for passive authentication. All
previous user session data is preserved.
New/modified screens:
New/modified CLI commands: none
See: Create a Microsoft Azure
AD (SAML) Realm.
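The SAML trust relationship described above means more than possessing the IdP's certificate: the service provider (here, the device acting as captive portal) must also check who issued the assertion, whom it was issued for, when it is valid, and that it has not been replayed. The following is an added example of those service-provider-side checks, not Cisco's code and not how the product implements its SAML realm. It uses only the Python standard library on a constructed sample response; the entity IDs, the "groups" attribute name and the two-minute clock-skew tolerance are assumptions. XML signature verification against the IdP's signing certificate must run before any of these checks and needs an XML-DSig library, so it is deliberately outside this block: an unsigned or badly signed assertion is rejected regardless of what follows.

```python
"""Added example: service-provider checks on a SAML 2.0 assertion.
Not Cisco code. Assumes XML-DSig verification has ALREADY passed."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _utc(s: str) -> dt.datetime:
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2024-05-01T12:00:00Z
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_assertion(xml_text, idp_entity_id, sp_entity_id, now, seen_ids,
                       skew=dt.timedelta(minutes=2)):
    """Return the authenticated user and groups, or raise ValueError."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")

    # 1. Issuer must be the identity provider the realm trusts.
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("unexpected issuer")

    # 2. Audience must name this SP; otherwise a token minted for another
    #    application could be replayed against the captive portal.
    cond = assertion.find("saml:Conditions", NS)
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not intended for this service provider")

    # 3. Validity window, with a small tolerance for clock skew (assumed 2 min).
    if not (_utc(cond.get("NotBefore")) - skew <= now < _utc(cond.get("NotOnOrAfter")) + skew):
        raise ValueError("assertion outside its validity window")

    # 4. One-time use: an assertion ID seen before is a replay.
    aid = assertion.get("ID")
    if aid in seen_ids:
        raise ValueError("replayed assertion")
    seen_ids.add(aid)

    user = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = [v.text for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS)]
    return {"user": user, "groups": groups}


# Constructed sample response; entity IDs and values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
  <saml:Assertion ID="_a1" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T13:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://fw.example.com/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>vpn-users</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

IDP = "https://sts.windows.net/example-tenant/"   # assumed IdP entity ID
SP = "https://fw.example.com/sp"                  # assumed SP entity ID


def demo():
    """Run the sample through the validator; return what each case produced."""
    now = dt.datetime(2024, 5, 1, 12, 30, tzinfo=dt.timezone.utc)
    seen = set()
    out = {"valid": validate_assertion(SAMPLE_RESPONSE, IDP, SP, now, seen)}
    cases = {
        "replay": (IDP, SP, now, seen),                   # same assertion ID again
        "expired": (IDP, SP, now + dt.timedelta(hours=2), set()),
        "wrong_audience": (IDP, "https://other.example.com/sp", now, set()),
        "wrong_issuer": ("https://evil.example.com/", SP, now, set()),
    }
    for label, args in cases.items():
        try:
            validate_assertion(SAMPLE_RESPONSE, *args)
            out[label] = "accepted"
        except ValueError as e:
            out[label] = str(e)
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The order of the checks matters for the replay defence: the assertion ID is recorded only after issuer, audience and time checks pass, so an attacker cannot poison the seen-ID set with assertions that would have been rejected anyway.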
|
Event Logging and Analysis
|
MITRE and other enrichment information in
connection events.
|
7.6.0 with Snort 3
|
MITRE and other enrichment information in connection events
makes it easy to access contextual information for detected
threats. This includes information from Talos and from the encrypted visibility engine (EVE). For EVE
enrichment, you must enable EVE.
Connection events have two new fields, available in both the
unified and classic event viewers:
-
MITRE ATT&CK: Click the progression graph to see an expanded view of threat details, including tactics and techniques.
-
Other Enrichment: Click to see any other available enrichment information, including from EVE.
The new Talos Connectivity Status health module monitors Firewall Management
Center connectivity with Talos, which is required for this feature.
See Configure EVE.
|
Administration
|
New theme for the Firewall Management
Center.
|
Any
|
We updated the look and feel of the Firewall Management
Center web interface, including a new left-hand
navigation.
|