New Features and Functionality
This section describes the new and updated features and functionality in Version 6.2.2.
Firepower Device Manager on Firepower Threat Defense Virtual for VMware
Supported Platforms: Firepower Threat Defense Virtual for VMware, managed by Firepower Device Manager
Introduced In: Version 6.2.2
You can now use Firepower Device Manager to manage Firepower Threat Defense Virtual hosted on VMware. Because this is a newly supported implementation for Version 6.2.2, you deploy a new virtual device. You cannot update an earlier version of Firepower Threat Defense Virtual and then manage it with Firepower Device Manager.
Cisco Threat Intelligence Director
Supported Platforms: Hosted on any Firepower Management Center with at least 15 GB of memory, using Version 6.2.2 devices as elements
Introduced In: Version 6.2.2
The Cisco Threat Intelligence Director (TID) operationalizes custom threat intelligence data, helping you aggregate additional intelligence data, configure defensive actions, and analyze threats in your environment.
By ingesting threat intelligence from third-party threat feeds and threat intelligence platforms, TID correlates enriched observations from Cisco security sensors to detect and alert on security incidents. With fewer false positives, you can focus on actual incidents that have been automatically blocked or monitored.
Unlike security devices that rely solely on proprietary threat intelligence, TID can use third-party threat feeds to provide more effective security. By converting intelligence into actionable indicators of compromise, your network defenses can block or monitor more threats, reduce the number of alerts to review, and improve your overall security posture. Operationalizing the ingestion and distribution of additional threat intelligence sources reduces management complexity and the effort spent reviewing and tracking down false alerts.
Remote Access VPN
Supported Platforms: Firepower Threat Defense, any manager
Introduced In: Version 6.2.2
Firepower Remote Access (RA) VPN allows users to connect to a private business network from a remote location using a computer or an Android or Apple iOS mobile device. Remote users transfer data securely and confidentially over encrypted tunnels, which is essential for traffic crossing shared media and the internet. Key capabilities of RA VPN include the following:
-
Management—A simple RA VPN wizard provides quick and easy setup of the following:
-
RA VPN policy configurations, including connection profiles, group policies, address pools, and so on.
-
Secure gateways and interfaces where remote users connect.
-
The AnyConnect client image that users download when they initiate a VPN session using a computer. Note that mobile devices obtain AnyConnect from their App Store(s).
-
Secured access—Provided by the Cisco AnyConnect VPN client using either SSL or IPsec tunneling and encryption protocols. At present, AnyConnect is the only client supported for remote access connectivity.
-
Authenticated and Authorized Access—AAA support for Authentication (LDAP/AD/RADIUS and Client Certificate-based), Authorization (RADIUS Authorization Attributes-DACL, Group Policy, Address Assignment, and so on) and Accounting (RADIUS).
-
VPN connectivity—Connection profiles and group policies allow you to define address assignments, split tunneling, the DNS server, timeouts, access hours, client firewall ACLs, and AnyConnect client profiles.
-
Monitoring with identity integration—Multiple views, including dashboard widgets, help you track and analyze VPN user activity over time. You can view logon and logout events, see active session status, and can monitor and terminate specific VPN sessions (including forcing a bulk logout).
-
Troubleshooting—Troubleshooting logs are useful when you have issues creating or deploying an RA VPN policy, when RA VPN connections or traffic do not behave as expected, or when events and statistics are not populating properly.
-
Availability—Firepower Threat Defense high availability, multiple interfaces (dual ISP), and multiple AAA servers are supported.
-
Licensing—Smart Licensing, based on the AnyConnect 4.x model, for Apex, Plus, and VPN-only licenses.
Rate Limiting Enhancements
Supported Platforms: Firepower Threat Defense managed by a Firepower Management Center
Introduced In: Version 6.2.2
Quality of Service (QoS) rate limits traffic based on characteristics including network-based criteria (port, network, zone/interface group), applications, URLs, and users, including Cisco Identity Services Engine (ISE) attributes. A QoS policy applied from the Firepower Management Center enforces rate limiting per interface on Firepower Threat Defense devices.
Intelligent Application Bypass "All Applications" Option
Supported Platforms: Any device managed by a Firepower Management Center, and ASA FirePOWER modules managed by ASDM
Introduced In: Version 6.0.1.4, Version 6.1.0.3, Version 6.2.0.1, and Version 6.2.2
If you are updating from Version 6.2.0, this release adds the All applications including unidentified applications option to the Intelligent Application Bypass settings in the access control policy advanced settings.
If you are updating from a Version 6.2.0.x patch, this option already exists.
When selected, if one of the IAB inspection performance thresholds is met, the system trusts any application that exceeds any flow bypass threshold, regardless of the application type. See the Firepower Management Center Configuration Guide or the Cisco ASA with FirePOWER Services Local Management Configuration Guide for more information.
Packet Capture at Time of Crash
Supported Platforms: Firepower Threat Defense, any manager
Introduced In: Version 6.2.2
Previously, the contents of any active packet capture were lost when the appliance crashed. You can now have the system store the contents of active captures to flash/disk at the time of a crash to facilitate troubleshooting.
Often, when you troubleshoot a crash that involves traffic, Cisco TAC needs to know exactly which traffic caused the crash. Cisco TAC can get this information from a core dump, but the information may be limited by the following factors:
-
The packet might have been corrupted so no useful information is present in the core dump.
-
The crash is caused by a combination of conditions created by a series of packets, but the core dump offers information from only the last packet.
The system now saves the packets captured going in and out of the Firepower appliance up to the moment of the crash, provided the capture was configured with the circular buffer option.
Access Control Rule Creation with REST API
Supported Platforms: Firepower Management Center
Introduced In: Version 6.2.2
Using the REST API, the system now supports bulk access control rule creation. Previously, if you had thousands of rules to create, each rule required its own POST request, which could take anywhere from 5 to 10 seconds to complete. Now you can submit all of these rules in a single POST request, greatly reducing the time the operation takes.
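The following is an added example, not Cisco's own code, of driving the bulk rule endpoint from Python. It assumes the FMC REST API's token endpoint (/api/fmc_platform/v1/auth/generatetoken) and the accessrules endpoint with the bulk=true query parameter; the per-request cap BULK_LIMIT, the host name, credentials, CA bundle file and the zone and policy UUIDs are all placeholders you must replace, and the real cap should be confirmed in the API Explorer on your own Firepower Management Center. The TLS context verifies the FMC certificate rather than disabling checks, which is the only acceptable way to send an admin token over the wire.

```python
"""Bulk access control rule creation through the FMC REST API (added example)."""
import base64
import json
import ssl
import urllib.request
from typing import Dict, Iterable, Iterator, List, Optional

BULK_LIMIT = 1000  # assumed maximum rules per bulk POST; verify on your FMC
ACTIONS = {"ALLOW", "TRUST", "BLOCK", "MONITOR", "BLOCK_RESET",
           "BLOCK_INTERACTIVE", "BLOCK_RESET_INTERACTIVE"}


def build_rule(name: str, action: str, src_zone_id: str, dst_zone_id: str,
               dst_ports: Optional[List[Dict]] = None, log: bool = False) -> Dict:
    """One access rule body; zone and port objects are referenced by UUID."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    rule = {
        "name": name,
        "type": "AccessRule",
        "action": action,
        "enabled": True,
        "logBegin": log,
        "logEnd": log,
        "sourceZones": {"objects": [{"type": "SecurityZone", "id": src_zone_id}]},
        "destinationZones": {"objects": [{"type": "SecurityZone", "id": dst_zone_id}]},
    }
    if dst_ports:
        rule["destinationPorts"] = {"objects": dst_ports}
    return rule


def chunk(rules: Iterable[Dict], size: int = BULK_LIMIT) -> Iterator[List[Dict]]:
    """Split a rule stream into batches no larger than the bulk cap."""
    batch: List[Dict] = []
    for rule in rules:
        batch.append(rule)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


def bulk_url(fmc: str, domain_uuid: str, policy_id: str) -> str:
    """Endpoint that accepts a JSON array of rules in a single POST."""
    return (f"https://{fmc}/api/fmc_config/v1/domain/{domain_uuid}"
            f"/policy/accesspolicies/{policy_id}/accessrules?bulk=true")


def get_token(fmc: str, user: str, password: str, ctx: ssl.SSLContext):
    """Basic-auth token request; returns (X-auth-access-token, DOMAIN_UUID)."""
    req = urllib.request.Request(
        f"https://{fmc}/api/fmc_platform/v1/auth/generatetoken", method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def post_bulk(url: str, token: str, batch: List[Dict], ctx: ssl.SSLContext) -> Dict:
    """POST one batch; the response carries the created rules with their IDs."""
    req = urllib.request.Request(url, data=json.dumps(batch).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-auth-access-token", token)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders: host, credentials, CA bundle, zone and policy UUIDs are all assumed.
    FMC, USER, PASSWORD = "fmc.example.net", "apiuser", "changeme"
    ctx = ssl.create_default_context(cafile="fmc-ca.pem")  # verify; never disable TLS checks
    token, domain = get_token(FMC, USER, PASSWORD, ctx)
    rules = (build_rule(f"allow-web-{i}", "ALLOW", "inside-zone-uuid", "outside-zone-uuid")
             for i in range(2500))
    for batch in chunk(rules):
        created = post_bulk(bulk_url(FMC, domain, "policy-uuid"), token, batch, ctx)
        print(f"created {len(created.get('items', []))} rules")
```

Batching matters because a bulk request is rejected as a whole if any rule in it is malformed, so keep batches under the cap and validate each rule body locally (as build_rule does for the action) before sending.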
Automatic Application Bypass for Firepower Threat Defense
Supported Platforms: Any device managed by a Firepower Management Center
Introduced In: Version 6.2.2
Automatic Application Bypass (AAB) is now available on Firepower Threat Defense devices managed by a Firepower Management Center. Previously, it was only available on non-Firepower Threat Defense devices.
AAB allows you to limit the time Firepower spends on processing a single packet by bypassing inspection if a time limit is exceeded. If you enable AAB, you can adjust the bypass threshold from 250 milliseconds to 60,000 milliseconds (one minute). By default, the system uses 3,000 milliseconds (3 seconds).
AAB is most valuable in IPS inline deployments so you can balance packet processing delays with your network’s tolerance for packet latency. When a malfunction within Snort or a device misconfiguration causes traffic processing time to exceed a specified threshold, AAB causes a partial restart of the Snort process and generates troubleshooting data that can help you determine the cause of the excessive processing time. See the Firepower Management Center Configuration Guide for more information.
Policy Deployment Improvements
Supported Platforms: Any device managed by a Firepower Management Center; ASA with FirePOWER Services managed by ASDM
Introduced In: Version 6.2.2
Deployment improvements significantly reduce the number of dropped or uninspected connections by eliminating Snort restarts when you deploy the following configurations:
-
SMTP, POP, and IMAP preprocessor decoding depths
-
Various adaptive profile, performance monitor, and advanced access control policy file and malware settings
-
Access control rules or SSL rules with category/reputation conditions
-
Nonbinary intrusion rule updates
-
A change in the total number of intrusion or network analysis policies
-
A Detect Files or Block Files action in a file policy rule
The system also warns you of Snort restarts when you do the following:
-
Add a Firepower Threat Defense high availability pair
-
Take various actions involving application detectors and user-defined applications
TCP Sequence Randomization Control
Supported Platforms: Firepower Threat Defense, any manager
Introduced In: Version 6.2.2
Each TCP connection has two initial sequence numbers (ISNs), one chosen by the client and one chosen by the server. By default, Firepower Threat Defense randomizes the ISN of connections in both the inbound and outbound directions, so that a host with predictable ISN generation cannot have its connections spoofed or hijacked through the device. This feature provides the ability to disable (and, if necessary, re-enable) this randomization from the CLI using the configure tcp-randomization command.
You can determine whether TCP sequence number randomization is disabled by entering the show running-config policy-map command and looking for the set connection random-sequence-number disable command. When the feature is enabled (the default), there is no corresponding command in the running configuration, so the absence of that line is the only indicator.
Note |
Although you can disable TCP sequence number randomization when using Firepower Device Manager, each time you deploy the configuration from Firepower Device Manager, the feature is reenabled. If you want to keep TCP sequence number randomization disabled, you must reenter the command after each deployment. |
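Because the enabled state leaves no trace in the running configuration, a check has to look for the disable line inside each policy-map class. The following is an added example, not Cisco's code, that parses the text of show running-config policy-map and reports which classes disable randomization; SAMPLE_POLICY_MAP is a constructed sample with made-up class names, not output from a real device. Run the same check after every Firepower Device Manager deployment, since deployment re-enables randomization as noted above.

```python
"""Check show running-config policy-map for disabled TCP sequence randomization (added example)."""
import re
from typing import Dict, List

# Constructed sample in the shape of `show running-config policy-map`; not real device output.
SAMPLE_POLICY_MAP = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
 class class-default
  set connection random-sequence-number disable
"""

CLASS_RE = re.compile(r"^\s+class\s+(\S+)\s*$")
DISABLE_RE = re.compile(r"^\s+set connection random-sequence-number disable\s*$")


def randomization_disabled_classes(config: str) -> Dict[str, List[str]]:
    """Map each policy map to the classes in which randomization is disabled."""
    found: Dict[str, List[str]] = {}
    pmap = cls = None
    for line in config.splitlines():
        if line.startswith("policy-map "):
            pmap, cls = line.split()[-1], None  # the policy-map name is the last token
            continue
        m = CLASS_RE.match(line)
        if m:
            cls = m.group(1)
            continue
        if pmap and cls and DISABLE_RE.match(line):
            found.setdefault(pmap, []).append(cls)
    return found


def randomization_enabled(config: str) -> bool:
    """True when no class disables randomization, i.e. the default state."""
    return not randomization_disabled_classes(config)


if __name__ == "__main__":
    disabled = randomization_disabled_classes(SAMPLE_POLICY_MAP)
    if disabled:
        for pmap, classes in disabled.items():
            print(f"randomization disabled in policy-map {pmap}: {', '.join(classes)}")
    else:
        print("TCP sequence number randomization is enabled (default)")
```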
Security Enhancements for Updates: Signed Updates
Supported Platforms: Any
Introduced In: Version 6.2.2
So that the system can verify that an update file is genuine, updates to the system from Version 6.2.2 onward are signed. Signed update files end in .sh.REL.tar instead of .sh.
If you are updating to Version 6.2.2 from Version 6.2.0 or a later 6.2.0.x patch, the update files for that update are not signed. Subsequent updates to the system will be.
Note |
After you upload a signed update file to the Firepower Management Center, the Updates tab on the page can take several minutes to load as the system verifies the update file or files. Remove signed update files after you no longer need them to speed up the display. |
Note |
The U.S. Government changed the name of the Unified Capabilities Approved Products List (UCAPL) to the Department of Defense Information Network Approved Products List (DODIN APL). References to UCAPL in this documentation and the Firepower Management Center UI can be interpreted as references to DODIN APL. |
Security Certifications Compliance for Additional Platforms
Supported Platforms: Firepower Management Centers, and all devices managed by Firepower Management Centers.
Introduced In: Version 6.2.2
Firepower Threat Defense devices managed by a Firepower Management Center now support security certifications compliance in Common Criteria (CC) mode or Unified Capabilities Approved Products List (UCAPL) mode, configured through the device platform settings.
Previously, these modes were available only on Firepower Management Centers and non-Firepower Threat Defense devices.
Security Certifications Compliance Enhancements: Boot-Time FSIC
Supported Platforms: Firepower Management Centers, and all devices managed by Firepower Management Centers.
Introduced In: Version 6.2.2
When you boot any appliance that has security certifications compliance enabled, the system performs additional file system integrity checks (FSIC) to ensure the system is secure. If a check fails, the appliance does not boot, SSH access is disabled, and the only access is through the console. If this happens, contact Cisco TAC.
Security Enhancements and Other Updates to FlexConfig Templates
Supported Platforms: Firepower Threat Defense managed by a Firepower Management Center
Introduced In: Version 6.2.2
FlexConfig uses CLI template-based functionality on the Firepower Management Center to enable ASA functions that are not yet supported through the Firepower Management Center user interface.
Government certification requires that sensitive information (such as passwords and shared keys in system-provided or user-defined FlexConfig objects) be masked using secret key variables. When you update the Firepower Management Center from Version 6.2.0 to Version 6.2.2, all sensitive information in FlexConfig objects is converted to the secret key variable format.
Security Enhancements for Site-to-Site VPN
Supported Platforms: Firepower Threat Defense managed by a Firepower Management Center
Introduced In: Version 6.2.2
The following features were added for IKEv2:
-
Transport Mode—To address Government Certification requirement FCS_IPSEC_EXT.1.3 Refinement, we added support for transport mode (also known as host-to-host VPN).
-
Hex Support for IKEv2 Preshared Manual Key—To address Government Certification requirement FIA_PSK_EXT.1.4, we added support for hex-based preshared keys.
-
Certificate Map Support—To address Government Certification requirement FIA_X509_EXT.4.1, we implemented a certificate map that determines which tunnel to use from the contents of the peer's certificate.
-
SA Strength Enforcement—To address Government Certification requirement FCS_IPSEC_EXT.1.12, we added an option in the Firepower Management Center to ensure that the encryption algorithm negotiated for the child IPsec SA is not stronger (in key length) than the one protecting the parent IKE SA.
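The SA strength rule is easy to misread as a policy-level setting; it is a property of what each peer actually negotiates, so an IKEv2 policy that lists several ciphers can still produce a non-compliant child SA. The following is an added example, not Cisco's code, that applies the comparison from FCS_IPSEC_EXT.1.12 (the IKE SA's symmetric key must be at least as long as the child SA's) to the cipher lists of an IKE policy and an IPsec proposal and reports every combination enforcement would reject. The key-size table and the cipher labels are the author's own illustrations, not the exact tokens shown in the Firepower Management Center UI.

```python
"""IKEv2 SA strength enforcement check (added example, not Cisco's code)."""
from typing import Dict, List, Tuple

# Nominal key bits per cipher label; 3DES is counted at its nominal 168 bits
# because the requirement is stated in terms of key length, not effective strength.
KEY_BITS: Dict[str, int] = {
    "AES-128": 128, "AES-192": 192, "AES-256": 256,
    "AES-GCM-128": 128, "AES-GCM-192": 192, "AES-GCM-256": 256,
    "3DES": 168, "DES": 56, "NULL": 0,
}


def key_bits(cipher: str) -> int:
    """Key length of a cipher label; unknown labels are an error, not 0."""
    try:
        return KEY_BITS[cipher.upper()]
    except KeyError:
        raise ValueError(f"unknown cipher {cipher!r}") from None


def child_sa_allowed(ike_cipher: str, ipsec_cipher: str) -> bool:
    """A child SA may not be stronger than the IKE SA that protects its keying."""
    return key_bits(ipsec_cipher) <= key_bits(ike_cipher)


def noncompliant_pairs(ike_ciphers: List[str], ipsec_ciphers: List[str]) -> List[Tuple[str, str]]:
    """Every IKE/IPsec combination a peer could negotiate that enforcement would block.

    With several ciphers on each side, the weakest IKE cipher paired with the
    strongest IPsec cipher is what decides whether the configuration is safe.
    """
    return [(ike, esp) for ike in ike_ciphers for esp in ipsec_ciphers
            if not child_sa_allowed(ike, esp)]


def policy_is_compliant(ike_ciphers: List[str], ipsec_ciphers: List[str]) -> bool:
    """True when no negotiable combination violates the requirement."""
    return not noncompliant_pairs(ike_ciphers, ipsec_ciphers)


if __name__ == "__main__":
    ike = ["AES-256", "AES-128"]        # IKEv2 policy allows both
    esp = ["AES-GCM-256", "AES-128"]    # IPsec proposal allows both
    for pair in noncompliant_pairs(ike, esp):
        print("would be rejected:", pair)
    print("compliant as configured:", policy_is_compliant(ike, esp))
    print("compliant if IKE is pinned to AES-256:", policy_is_compliant(["AES-256"], esp))
```

The practical consequence is that the fix for a rejected child SA is usually on the IKE side: remove the weaker IKE ciphers or pin the IKE policy to the strongest one, rather than weakening the IPsec proposal.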
Security Enhancements in Device Platform Settings
Supported Platforms: Firepower Threat Defense managed by a Firepower Management Center
Introduced In: Version 6.2.2
The following capabilities are now supported:
-
You can configure console idle timeout for managed Firepower Threat Defense devices.
-
You can configure secure syslog and upload a certificate for Firepower Threat Defense syslog-NGTLS.
Security Enhancement to Disable Expert Mode
Supported Platforms: Firepower Threat Defense, any manager
Introduced In: Version 6.2.2
To increase security, you can disable expert mode on Firepower Threat Defense devices. Note that this action cannot be reversed from the device; if you later need to restore access to expert mode, you must contact Cisco TAC.