Platform
|
Threat defense Version 7.4.0 support.
|
7.4.0
|
You can now manage threat defense devices running Version 7.4.0.
Version 7.4.0 is available only on the Secure Firewall 4200.
You must use a Secure Firewall 4200 for features that require
Version 7.4.0. Support for all other platforms resumes in Version
7.4.1.
|
Secure Firewall
4200.
|
7.4.0
|
|
Performance profile support for
the Secure Firewall 4200.
|
7.4.0
|
The performance profile settings available in the platform
settings policy now apply to the Secure Firewall 4200.
Previously, this feature was supported only on the Firepower
4100/9300 and on Firewall Threat Defense
Virtual.
See: Platform Settings
|
Numbering convention for the cloud-delivered Firewall Management
Center.
|
Any
|
The cloud-delivered Firewall Management Center is a feature of CDO.
For troubleshooting purposes, the version number of the
cloud-delivered Firewall Management Center is shown on the FMC
Services page.
See: View Services Page Information.
|
Platform Migration
|
Migrate Firepower 1000/2100 to
Secure Firewall 3100.
|
Any
|
You can now easily migrate configurations from the Firepower
1000/2100 to the Secure Firewall 3100.
New/modified screens:
Platform restrictions: Migration not supported from the
Firepower 1010 or 1010E.
See: Device Management
|
Migrate devices from Firepower
Management Center 1000/2500/4500 to Cloud-Delivered Firewall Management Center.
|
Any
|
You can migrate devices from Firepower Management Center
1000/2500/4500 to Cloud-Delivered Firewall Management Center.
To migrate devices, you must temporarily upgrade the
on-prem Firewall Management
Center from Version 7.0.3 (7.0.5 recommended) to Version 7.4.0.
This temporary upgrade is required because Version 7.0 Firewall Management
Centers do not support device migration to the cloud.
Additionally, only standalone and high availability Firewall Threat Defense running Version 7.0.3+ (7.0.5 recommended) are eligible
for migration. Cluster migration is not supported at this
time.
Important
|
Version 7.4.0 is only supported on the 1000/2500/4500
during the migration process. You should minimize the
time between Firewall Management
Center upgrade and device migration.
|
To summarize the migration process:
-
Prepare for upgrade and migration. Read, understand,
and meet all the prerequisites outlined in the
release notes, upgrade guides, and migration guide.
Before you upgrade, it is especially important that
the on-prem Firewall Management
Center is "ready to go," that is, managing only the
devices you want to migrate, configuration impact
assessed (such as VPN impact), freshly deployed,
fully backed up, all appliances in good health, and
so on.
You should also provision, license, and prepare the
cloud tenant. This must include a strategy for
security event logging; you cannot retain the on-prem Firewall Management
Center for analytics because it will be running an
unsupported version.
-
Upgrade the on-prem Firewall Management
Center and all its managed devices to at least Version
7.0.3 (Version 7.0.5 recommended).
If you are already running the minimum version, you
can skip this step.
-
Upgrade the on-prem Firewall Management
Center to Version 7.4.0.
Unzip (but do not untar) the upgrade package before
uploading it to the Firewall Management
Center. Download from: Special Release.
-
Onboard the on-prem Firewall Management
Center to CDO.
-
Migrate all devices from the on-prem Firewall Management
Center to the Cloud-Delivered Firewall Management Center as described in the migration guide.
When you select devices to migrate, make sure you
choose Delete FTD from On-Prem FMC. Note that
the device is not fully deleted unless you commit
the changes or 14 days pass.
-
Verify migration success.
If the migration does not work as expected, you have 14 days to
switch back; otherwise it is committed automatically. Note, however,
that Version 7.4.0 is unsupported for general operations on these
models. To return the on-prem Firewall Management Center to a
supported version, you must remove the re-migrated devices, reimage
back to Version 7.0.x, restore from backup, and reregister the
devices.
See:
If you have questions or need assistance at any point in the
migration process, contact Cisco TAC.
|
S2S VPN support in FTD to cloud migration. Migrate threat defense
devices with VPN policies from on-prem to Cloud-Delivered Firewall Management Center.
|
7.0.3-7.0.x
7.2 or later
|
Site-to-site VPN configurations on Secure Firewall Threat Defense
devices are now migrated along with the rest of the configuration
when the device is migrated from the on-prem Firewall Management
Center to the cloud-delivered Firewall Management Center.
See: Migrate On-Prem Management Center managed
Secure Firewall Threat Defense to Cloud-delivered Firewall
Management Center
|
Interfaces
|
Merged management and
diagnostic interfaces.
|
7.4.0
|
Upgrade impact. Merge
interfaces after upgrade.
For new devices using 7.4 and later, you cannot use the
legacy diagnostic interface. Only the merged management
interface is available.
If you upgraded to 7.4 or later and:
-
You did not have any configuration for the diagnostic
interface, then the interfaces will merge
automatically.
-
You have configuration for the diagnostic interface,
then you have the choice to merge the interfaces
manually, or you can continue to use the separate
diagnostic interface. Note that support for the
diagnostic interface will be removed in a later
release, so you should plan to merge the interfaces
as soon as possible.
Merged mode also changes the behavior of AAA traffic to use
the data routing table by default. The management-only
routing table can now only be used if you specify the
management-only interface (including Management) in the
configuration.
For platform settings, this means:
-
You can no longer enable HTTP, ICMP, or SMTP for
diagnostic.
-
For SNMP, you can allow hosts on management instead
of diagnostic.
-
For Syslog servers, you can reach them on management
instead of diagnostic.
-
If Platform Settings for syslog servers or SNMP hosts
specify the diagnostic interface by name, then you
must use separate Platform Settings policies for
merged and non-merged devices.
-
DNS lookups no longer fall back to the
management-only routing table if you do not specify
interfaces.
New/modified screens:
New/modified commands: show management-interface
convergence
See: Interface Overview
|
VXLAN VTEP IPv6 support.
|
7.4.0
|
You can now specify an IPv6 address for the VXLAN VTEP
interface. IPv6 is not supported for the Firewall Threat Defense
Virtual cluster control link or for Geneve encapsulation.
New/modified screens:
See: Regular Firewall Interfaces
|
Loopback interface support for
BGP and management traffic.
|
7.4.0
|
You can now use loopback interfaces for AAA, BGP, DNS, HTTP,
ICMP, IPsec flow offload, NetFlow, SNMP, SSH, and
syslog.
New/modified screens: Devices
> Device Management > Edit
device > Interfaces >
Add Interfaces >
Loopback Interface
See: Regular Firewall Interfaces
|
Loopback and management type
interface group objects.
|
7.4.0
|
You can create interface group objects that contain only
management-only or loopback interfaces. You can use these groups for
management features such as DNS servers, HTTP access, or SSH.
Loopback groups are available for any feature that can use loopback
interfaces. Note that DNS does not support management
interfaces.
New/modified screens:
See: Object Management
|
High Availability/Scalability
|
Reduced "false failovers" for Firewall Threat Defense high availability.
|
7.4.0
|
|
SD-WAN
|
Policy-based routing using HTTP path
monitoring.
|
7.2.0
|
Policy-based routing (PBR) can now use the performance metrics (RTT,
jitter, packet loss, and MOS) that path monitoring collects with an
HTTP client against the application's domain, rather than metrics
measured against a specific destination IP. HTTP-based application
monitoring is enabled by default for the interface. You can
configure a PBR policy whose match ACL contains the monitored
applications, with an interface ordering that is used for path
determination.
New/modified screens: Devices >
Device Management > Edit
device > Edit interface > Path
Monitoring > Enable HTTP based
Application Monitoring check box.
Platform restrictions: Not supported for clustered
devices.
See: Policy Based Routing
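The following is an added example, not Cisco code, of the decision that the feature above describes: each candidate egress interface has RTT, jitter and loss measured by a path monitor, a MOS value is derived from them, and the PBR rule picks an interface by the configured metric with the administrator's interface order as the tie-breaker. The MOS formula is the commonly used simplified E-model approximation and is an assumption here; Cisco's internal calculation is not on this page. Interface names and measurements are constructed.

```python
from dataclasses import dataclass


@dataclass
class PathMetrics:
    """Constructed per-interface measurements, as an HTTP path monitor would report them."""
    interface: str
    rtt_ms: float
    jitter_ms: float
    loss_pct: float


def mos_from_metrics(rtt_ms: float, jitter_ms: float, loss_pct: float) -> float:
    """Estimate MOS (1.0 to about 4.5) with the simplified E-model (assumed formula)."""
    one_way = rtt_ms / 2.0
    effective = one_way + 2.0 * jitter_ms + 10.0      # jitter buffer + codec delay, ms
    if effective < 160:
        r = 93.2 - effective / 40.0
    else:
        r = 93.2 - (effective - 120.0) / 10.0
    r -= 2.5 * loss_pct                               # each percent of loss costs 2.5 R
    r = max(0.0, min(100.0, r))
    return 1.0 + 0.035 * r + 0.000007 * r * (r - 60.0) * (100.0 - r)


def select_egress(paths, metric="mos", min_mos=3.5) -> str:
    """Pick the egress interface for a PBR rule.

    `paths` is in the configured (preferred) order, which breaks ties.
    Interfaces whose MOS is below `min_mos` are skipped; if none qualifies,
    the first interface in the configured order is used as a fallback.
    """
    scored = [(p, mos_from_metrics(p.rtt_ms, p.jitter_ms, p.loss_pct), i)
              for i, p in enumerate(paths)]
    usable = [s for s in scored if s[1] >= min_mos]
    if not usable:
        return paths[0].interface
    if metric == "mos":
        key = lambda s: (-s[1], s[2])                 # highest MOS wins
    elif metric == "rtt":
        key = lambda s: (s[0].rtt_ms, s[2])
    elif metric == "jitter":
        key = lambda s: (s[0].jitter_ms, s[2])
    elif metric == "loss":
        key = lambda s: (s[0].loss_pct, s[2])
    else:
        raise ValueError(f"unknown metric {metric!r}")
    return min(usable, key=key)[0].interface


# Constructed sample: three WAN links in the administrator's preferred order.
PATHS = [
    PathMetrics("outside1", rtt_ms=40.0, jitter_ms=5.0, loss_pct=1.0),
    PathMetrics("outside2", rtt_ms=120.0, jitter_ms=10.0, loss_pct=0.0),
    PathMetrics("outside3", rtt_ms=300.0, jitter_ms=30.0, loss_pct=2.0),
]

if __name__ == "__main__":
    for m in ("rtt", "jitter", "loss", "mos"):
        print(f"{m:>6}: {select_egress(PATHS, m)}")
```

The point worth noticing is that the lowest-RTT link (outside1) is not the best link by MOS, because its 1% loss costs more R-factor than outside2's extra latency; which metric the rule uses therefore changes the egress decision for the same measurements.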
|
Policy-based routing with user
identity and SGTs.
|
7.4.0
|
Upgrade impact.
Check SGT propagation before device upgrade.
You can now classify network traffic based on users, user
groups, and SGTs in PBR policies. Select the identity and
SGT objects while defining the extended ACLs for the PBR
policies.
Note that as a result of how this feature was implemented,
Firewall Threat Defense can now add egress SGTs to traffic if the egress
interface is configured to propagate SGTs. This can happen
with ISE integration even if you do not configure
policy-based routing. Starting with Version 7.4.0, the
Propagate Security Group Tag
option is disabled by default for
new interfaces.
But because upgrade respects your current settings, this
option may be enabled for existing interfaces.
Important
|
If you have configured an ISE identity source, before you
upgrade, check the Propagate Security Group
Tag option on your devices' physical,
redundant, and subinterfaces and disable it if
necessary. If downstream devices are not configured to
handle the tags, you could experience traffic loss.
|
New/modified screens: Objects >
Object Management >
Access List >
Extended > Add/Edit Extended
Access List > Add/Edit Extended Access List Entry >
Users and Security
Group Tag
See: Object Management
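The pre-upgrade check in the note above can be scripted against the device's running configuration. The following added example (not Cisco code) parses the interface section of a `show running-config` capture and lists the interfaces on which SGT propagation is on. It assumes the ASA-style CLI representation, where `cts manual` under an interface enables inline tagging and `no propagate sgt` beneath it turns propagation off; the configuration excerpt is constructed.

```python
# Constructed excerpt in ASA/threat defense running-config style. Assumption:
# a `cts manual` block propagates SGTs unless it contains `no propagate sgt`.
SAMPLE_CONFIG = """\
interface Ethernet1/1
 nameif outside
 security-level 0
 cts manual
  propagate sgt preserve-untag
interface Ethernet1/2
 nameif inside
 security-level 100
 cts manual
  no propagate sgt
interface Ethernet1/3.10
 vlan 10
 nameif dmz
 cts manual
interface Ethernet1/4
 nameif mgmt-data
"""


def sgt_propagation_report(config: str) -> dict:
    """Map each interface to True (propagates SGTs), False (explicitly off)
    or None (no CTS configuration at all)."""
    report = {}
    current = None
    in_cts = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            report[current] = None
            in_cts = False
        elif current is None:
            continue                                  # not inside an interface yet
        elif line.strip() == "cts manual":
            in_cts = True
            report[current] = True                    # on unless negated below
        elif in_cts and line.startswith("  "):
            if line.strip() == "no propagate sgt":
                report[current] = False
        elif line.startswith(" ") and not line.startswith("  "):
            in_cts = False                            # back at interface level
    return report


def interfaces_to_review(config: str) -> list:
    """Interfaces that will add SGTs on egress and whose downstream
    neighbours must be confirmed to handle tagged frames."""
    return sorted(name for name, on in sgt_propagation_report(config).items() if on)


if __name__ == "__main__":
    for name, state in sgt_propagation_report(SAMPLE_CONFIG).items():
        print(f"{name:<16} propagate sgt: {state}")
    print("review before upgrade:", interfaces_to_review(SAMPLE_CONFIG))
```

Run it against a capture taken from each device before the upgrade; any interface it reports is one where the Propagate Security Group Tag option should be disabled in the management center unless the next hop is known to accept inline-tagged frames.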
|
VPN
|
IPsec flow
offload on the VTI loopback
interface for the Secure Firewall 4200.
|
7.4.0
|
On the Secure Firewall 4200, qualifying IPsec connections
through the VTI loopback interface are offloaded by default.
Previously, this feature was supported for physical
interfaces on the Secure Firewall
3100.
You can change the configuration using FlexConfig and the
flow-offload-ipsec
command.
Other requirements: FPGA firmware 6.2+
See: VPN Overview
|
Crypto debugging enhancements for the
Secure Firewall
4200.
|
7.4.0
|
We made the following enhancements to crypto debugging:
-
The crypto archive is now available in text and
binary formats.
-
Additional SSL counters are available for debugging.
-
Stuck encrypt rules can be removed from the ASP table without
rebooting the device.
New/modified CLI commands: show
counters
|
VPN: Remote Access
|
Customize Secure Client
messages, icons, images, and connect/disconnect
scripts.
|
7.2.0
|
You can now customize Secure Client and deploy these
customizations to the VPN headend. The following are the
supported Secure Client customizations:
Firewall Threat
Defense distributes these customizations to the endpoint when an
end user connects from the Secure Client.
New/modified screens:
See: Remote Access VPN
|
VPN: Site to Site
|
Easily exempt site-to-site VPN
traffic from NAT translation.
|
Any
|
We now make it easier to exempt site-to-site VPN traffic from
NAT
translation.
New/modified screens:
-
Enable NAT exemptions for an endpoint:
-
View NAT exempt rules for devices that do not have a
NAT policy:
-
View NAT exempt rules for a single device:
See: Network Address Translation
|
Easily view IKE and IPsec session details
for VPN nodes.
|
Any
|
You can view the IKE and IPsec session details of VPN nodes
in a user-friendly format in the Site-to-Site VPN
dashboard.
New/modified screens: Overview >
Site to Site VPN > Under the
Tunnel Status widget, hover over a topology, click
View, and then click the
CLI Details tab.
See: Site-to-Site VPNs
|
Access Control: Threat Detection and Application
Identification
|
Sensitive data detection and
masking.
|
7.4.0 with Snort 3
|
Upgrade impact. New
rules in default policies take effect.
Sensitive data such as social security numbers, credit card
numbers, and email addresses can be leaked to the internet,
intentionally or accidentally. Sensitive data detection identifies
possible leakage of Personally Identifiable Information (PII) and
generates events only when a significant amount of PII is
transferred. Sensitive data detection masks PII in event output
using built-in patterns. Disabling data masking is not
supported.
See: Custom Rules in Snort
3
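The following added example, not Cisco or Snort code, shows the two behaviours the row above describes: an event is raised only once a rule sees a meaningful number of matches, and the payload carried in the event is always masked. The patterns, the Luhn filter on card-number candidates and the threshold value are constructed for this example and are not Snort 3's built-in set; the sample payload is constructed.

```python
import re
from dataclasses import dataclass

# Constructed patterns; not Snort 3's built-in sensitive-data rules.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")          # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum: keeps order IDs and other 16-digit strings from being flagged."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_keep_last4(text: str) -> str:
    """Replace every digit except the last four with X; separators are kept."""
    out, seen = [], 0
    for ch in reversed(text):
        if ch.isdigit():
            out.append(ch if seen < 4 else "X")
            seen += 1
        else:
            out.append(ch)
    return "".join(reversed(out))


def _mask_email(text: str) -> str:
    local, _, domain = text.partition("@")
    return local[0] + "***@" + domain


# (rule name, pattern, validator, masker)
DETECTORS = [
    ("credit_card", CARD_RE, luhn_ok, _mask_keep_last4),
    ("us_ssn", SSN_RE, lambda s: True, _mask_keep_last4),
    ("email", EMAIL_RE, lambda s: True, _mask_email),
]


@dataclass
class Event:
    rule: str
    count: int


def mask(payload: str) -> str:
    """Mask every validated match. There is deliberately no unmasked mode."""
    for _, rx, valid, masker in DETECTORS:
        payload = rx.sub(
            lambda m, v=valid, f=masker: f(m.group(0)) if v(m.group(0)) else m.group(0),
            payload,
        )
    return payload


def inspect_payload(payload: str, threshold: int = 5):
    """Return (events, masked_payload). A rule fires only when it sees at least
    `threshold` validated matches, so one address in a form post stays quiet
    while a bulk export does not."""
    events = []
    for name, rx, valid, _ in DETECTORS:
        count = sum(1 for m in rx.finditer(payload) if valid(m.group(0)))
        if count >= threshold:
            events.append(Event(name, count))
    return events, mask(payload)


# Constructed payload: two Luhn-valid test card numbers, one 16-digit value
# that fails Luhn, one SSN-shaped value and one e-mail address.
SAMPLE = ("order 4111 1111 1111 1111; backup 5500 0000 0000 0004; "
          "id 1234 5678 9012 3456; ssn 078-05-1120; mail alice@example.com")

if __name__ == "__main__":
    events, masked = inspect_payload(SAMPLE, threshold=2)
    print(events)
    print(masked)
```

Note that the 16-digit value that fails the Luhn check is neither counted nor masked: without that validator a rule of this kind would alert on invoice and tracking numbers, which is the usual source of noise when tuning sensitive-data rules.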
|
Clientless zero-trust access.
|
7.4.0 with Snort 3
|
Zero Trust Access allows you to authenticate and authorize
access to protected web-based resources, applications, or
data from inside (on-premises) or outside (remote) the
network using an external SAML Identity Provider (IdP)
policy.
The configuration consists of a Zero Trust Application Policy
(ZTAP), Application Group, and Applications.
New/modified CLI commands:
-
show running-config zero-trust
application
-
show running-config zero-trust
application-group
-
show zero-trust
sessions
-
show zero-trust
statistics
-
show cluster zero-trust
statistics
-
clear zero-trust sessions
application
-
clear zero-trust sessions
user
-
clear zero-trust
statistics
|
Routing
|
Configure graceful restart
for BGP on IPv6 networks.
|
7.3.0
|
You can now configure BGP graceful restart for IPv6 networks
on managed devices running Version 7.3 or later.
New/modified screens: Devices >
Device Management > Edit
device > Routing >
BGP >
IPv6 >
Neighbor > Add/Edit Neighbor.
See: BGP
|
Virtual routing with dynamic
VTI.
|
7.4.0
|
You can now configure a virtual router with a dynamic VTI for
a route-based site-to-site VPN.
New/modified screens:
Platform restrictions: Supported only on native mode
standalone or high availability devices. Not supported for
container instances or clustered devices.
See: Virtual Routers
|
Access Control: Threat Detection and Application
Identification
|
Encrypted visibility engine
enhancements.
|
7.4.0 with Snort 3
|
Encrypted Visibility Engine (EVE) can now:
-
Block malicious communications in encrypted traffic
based on threat score.
-
Determine client applications based on EVE-detected
processes.
-
Reassemble fragmented Client Hello packets for
detection purposes.
New/modified screens: Use the access control policy's
advanced settings to enable EVE and configure these
settings.
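Why the third EVE enhancement matters: a client may spread its ClientHello over several TLS records (and several TCP segments), and an inspector that looks only at the first record sees a truncated message and extracts no SNI or cipher-suite list. The following added example, not Cisco code, builds a constructed ClientHello, splits it across records, and shows that parsing a single record fails while a small reassembler that buffers handshake payloads until the handshake length is satisfied recovers the fields. The reassembler and parser are this example's own and carry only what is needed to show the point.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def build_client_hello(sni: str, cipher_suites) -> bytes:
    """Constructed ClientHello handshake message with one SNI extension."""
    body = b"\x03\x03" + bytes(32)                     # legacy version + random (zeroed here)
    body += b"\x00"                                     # empty legacy session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null
    name = sni.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name           # host_name entry
    sni_ext = struct.pack("!HHH", 0x0000, len(sni_list) + 2, len(sni_list)) + sni_list
    body += struct.pack("!H", len(sni_ext)) + sni_ext
    return bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def to_records(handshake: bytes, fragment_size: int) -> list:
    """Split a handshake message over several TLS records, as a fragmenting client does."""
    records = []
    for i in range(0, len(handshake), fragment_size):
        frag = handshake[i:i + fragment_size]
        records.append(struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(frag)) + frag)
    return records


class HandshakeReassembler:
    """Buffers handshake record payloads until one whole handshake message is present."""

    def __init__(self):
        self.buf = b""

    def feed(self, record: bytes):
        ctype, _version, length = struct.unpack("!BHH", record[:5])
        if ctype != TLS_HANDSHAKE or len(record) != 5 + length:
            raise ValueError("not a well-formed handshake record")
        self.buf += record[5:]
        if len(self.buf) < 4:
            return None
        need = 4 + int.from_bytes(self.buf[1:4], "big")   # handshake header + body
        if len(self.buf) < need:
            return None                                 # still waiting for fragments
        msg, self.buf = self.buf[:need], self.buf[need:]
        return msg


def parse_client_hello(msg: bytes) -> dict:
    """Extract SNI and cipher suites; raises on a truncated message."""
    if msg[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                      # header, version, random
    p += 1 + msg[p]                                     # session id
    n = struct.unpack("!H", msg[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", msg[p + i:p + i + 2])[0] for i in range(0, n, 2)]
    p += n
    p += 1 + msg[p]                                     # compression methods
    ext_len = struct.unpack("!H", msg[p:p + 2])[0]
    p += 2
    end = p + ext_len
    sni = None
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", msg[p:p + 4])
        p += 4
        if etype == 0x0000:                             # server_name: list_len, type, name_len, name
            name_len = struct.unpack("!H", msg[p + 3:p + 5])[0]
            sni = msg[p + 5:p + 5 + name_len].decode()
        p += elen
    return {"sni": sni, "cipher_suites": suites}


def try_parse(msg: bytes):
    """Parse without reassembly: None when the fragment does not hold the whole message."""
    try:
        return parse_client_hello(msg)
    except (struct.error, IndexError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("example.test", [0x1301, 0x1302, 0xC02F])
    records = to_records(hello, 40)
    print("first record alone:", try_parse(records[0][5:]))
    r = HandshakeReassembler()
    for rec in records:
        msg = r.feed(rec)
    print("after reassembly:", parse_client_hello(msg))
```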
|
Exempt specific networks and ports
from bypassing or throttling elephant flows.
|
7.4.0 with Snort 3
|
You can now exempt specific networks and ports from bypassing
or throttling elephant
flows.
New/modified screens:
-
When you configure elephant flow detection in the
access control policy's advanced settings, if you
enable the Elephant Flow
Remediation option, you can now click
Add Rule and specify
traffic that you want to exempt from bypass or
throttling.
-
When the system detects an elephant flow that is
exempted from bypass or throttling, it generates a
mid-flow connection event with the reason
Elephant Flow Exempted.
Platform restrictions: Not supported on the Firepower 2100
series.
See: Cisco Secure Firewall
Management Center Snort 3 Configuration
Guide
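The following added example, not Cisco code, shows the exemption logic the row above describes: a flow that crosses the elephant-flow thresholds is bypassed or throttled unless it matches an exemption rule, in which case it stays under inspection and a connection event with reason Elephant Flow Exempted is raised. The thresholds, rule shape and sample flows are constructed for the example and are not the product's defaults.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Constructed connection record at the moment remediation is evaluated."""
    src: str
    dst: str
    dport: int
    bytes_seen: int
    age_s: float


@dataclass
class ExemptRule:
    """Traffic that must stay fully inspected even when it becomes an elephant flow."""
    networks: tuple = ()              # ip_network objects; empty means any network
    ports: frozenset = frozenset()    # destination ports; empty means any port

    def matches(self, flow: Flow) -> bool:
        src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
        net_ok = not self.networks or any(src in n or dst in n for n in self.networks)
        port_ok = not self.ports or flow.dport in self.ports
        return net_ok and port_ok


def remediate(flow: Flow, rules, action="bypass",
              min_bytes=1_000_000_000, min_age_s=10.0) -> dict:
    """Decide what happens to a flow. Thresholds and the action name are assumed here."""
    if flow.bytes_seen < min_bytes or flow.age_s < min_age_s:
        return {"elephant": False, "action": "inspect"}
    for rule in rules:
        if rule.matches(flow):
            return {"elephant": True, "action": "inspect",
                    "reason": "Elephant Flow Exempted"}
    return {"elephant": True, "action": action}


# Constructed rule: backups from the 10.20.0.0/16 site to SMB or NFS ports stay inspected.
RULES = [ExemptRule(networks=(ipaddress.ip_network("10.20.0.0/16"),),
                    ports=frozenset({445, 2049}))]

# Constructed flows: same size and age, differing only in the fields the rule matches on.
FLOWS = {
    "backup_nfs": Flow("10.20.5.7", "192.0.2.10", 2049, 5_000_000_000, 60.0),
    "backup_https": Flow("10.20.5.7", "192.0.2.10", 443, 5_000_000_000, 60.0),
    "other_site_nfs": Flow("203.0.113.9", "192.0.2.10", 2049, 5_000_000_000, 60.0),
    "small": Flow("10.20.5.7", "192.0.2.10", 2049, 5_000_000, 60.0),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:<15} {remediate(flow, RULES)}")
```

Both the network and the port must match for an exemption to apply, so the HTTPS flow from the backup subnet is still bypassed; if the intent is to keep everything from that subnet inspected, the rule needs an empty port set, which is the kind of gap worth checking when the exemption list is built in the access control policy.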
|
Improved JavaScript
inspection.
|
7.4.0 with Snort 3
|
|
Access Control: Identity
|
Cisco Secure Dynamic Attributes
Connector on the Firewall Management
Center.
|
Any
|
You can now configure the Cisco Secure Dynamic Attributes
Connector on the Firewall Management
Center. Previously, it was only available as a standalone
application.
See: Cisco Secure Dynamic Attributes Connector
|
Event Logging and Analysis
|
Configure Firewall Threat Defense devices as NetFlow exporters from the Firewall Management
Center web interface.
|
Any
|
NetFlow is a Cisco application that provides statistics on
packet flows. You can now use the Firewall Management
Center web interface to configure Firewall Threat Defense devices as NetFlow exporters. If you have an existing
NetFlow FlexConfig and redo your configuration in the web
interface, you cannot deploy until you remove the deprecated
FlexConfigs.
New/modified screens:
See: Platform Settings
|
Health Monitoring
|
New asp drop metrics.
|
7.4.0
|
You can add over 600 new asp (accelerated security path) drop
metrics to a new or existing device health dashboard. Make
sure you choose the ASP Drops metric
group.
New/modified screens: System ( )
See: show asp drop Command
Usage
|
Administration
|
Support for IPv6 URLs when
checking certificate revocation.
|
7.4.0
|
Previously, Firewall Threat Defense supported only IPv4 OCSP URLs. Now, Firewall Threat Defense supports both IPv4 and IPv6 OCSP URLs.
See: Object Management
|
Store threat defense backup files in a secure remote location.
|
Any
|
When you back up a device, the cloud-delivered Firewall Management
Center stores the backup files in its secure cloud storage.
See: Backup/Restore
|
Usability, Performance, and Troubleshooting
|
Usability enhancements.
|
Any
|
You can now:
-
Manage Smart Licensing for Firewall Threat Defense clusters from System ( ). Previously, you had to use the
Device Management page.
See: Licensing
-
Download a report of Message Center notifications. In
the Message Center, click the new
Download Report icon, next
to the Show Notifications
slider.
See: Troubleshooting
-
Download a report of all registered devices. On , click the new Download
Device List Report link, at the top
right of the page.
See: Device Management.
-
Easily create custom health monitoring dashboards,
and easily edit existing dashboards.
See: Health
|
Specify the direction of traffic to
be captured with packet capture for the Secure Firewall
4200.
|
7.4.0
|
|
Management Center REST API
|
Cloud-Delivered Firewall Management Center REST API.
|
Feature dependent
|
For information on changes to the management center REST API, see
What's New in the API quick start
guide.
|