New Features in Firepower Management Center/Firepower Version 6.2.3
The following table lists the new features available in Firepower Version 6.2.3 when configured using a Firepower Management Center.
Feature | Description
---|---
Firepower Management Center High Availability Messaging | Firepower Management Center high availability pairs have improved UI messaging. The UI now displays interim status messages while a Firepower Management Center pair is being established, and existing messages have been rephrased to be more intuitive.
Firepower Threat Defense High Availability Hardening | Version 6.2.3 introduces the following features for Firepower Threat Defense devices in high availability:
Firepower Management Center REST API Improvements | The new Firepower Management Center REST APIs support CRUD (create, retrieve, update, and delete) operations for NAT rules, static routing configuration, and the corresponding objects, which eases migration from ASA FirePOWER to Firepower Threat Defense. New APIs are introduced for NAT. When deploying Firepower Threat Defense devices in Cisco ACI, the APIs let the APIC controller put the proper static routes in place, along with the other configuration settings needed for a particular service graph. This also enables PBR service graph insertion, which is currently the most flexible way of inserting Firepower Threat Defense in ACI. Newly introduced APIs for Static Route:
Upgrade Package Push | You can now copy (or push) an upgrade package from the Firepower Management Center to a managed device before you run the actual upgrade. This is useful because you can push during periods of low bandwidth use, outside of the upgrade maintenance window. When you push to high availability, clustered, or stacked devices, the system sends the upgrade package to the active/master/primary unit first, then to the standby/slave/secondary unit. New/Modified screens:
SSL Hardware Acceleration | Certain Firepower managed device models support SSL encryption and decryption acceleration in hardware, greatly improving performance. SSL hardware acceleration is disabled by default on all appliances that support it. The following hardware models support SSL acceleration:
Cisco Success Network | Enabling Cisco Success Network sends usage information and statistics to Cisco, which Cisco uses to improve the product and to provide effective technical support.
Web Analytics Tracking | By default, in order to improve Firepower products, Cisco collects non-personally-identifiable usage data, including but not limited to pages viewed, time spent on a page, browser versions, product versions, user location, and the management IP addresses or hostnames of your Firepower Management Center appliances. You can opt out of this tracking in the Firepower Management Center web interface.
Support for VMware ESXi 6.5 | Firepower Threat Defense Virtual, Firepower Management Center Virtual, and Firepower NGIPS Virtual are now supported on VMware ESXi 6.5.
Firepower Threat Defense Support on ISA 3000 | You can now run Firepower Threat Defense on the ISA 3000 series, using either the Firepower Device Manager or the Firepower Management Center for management. Note that the ISA 3000 supports the Threat license only; it does not support the URL Filtering or Malware licenses, so you cannot configure features that require those licenses on an ISA 3000. Special ISA 3000 features that were supported with the ASA, such as Hardware Bypass and Alarm ports, are not supported with Firepower Threat Defense in this release.
Firepower Threat Defense Serviceability | Version 6.2.3 improves the show failover CLI command with a new history details keyword, which adds failover history detail to help with troubleshooting.
Firepower Threat Defense VPN Improvement | A non-blocking workflow for the certificate enrollment operation allows certificate enrollment on multiple Firepower Threat Defense devices in parallel:
Automatically rejoin the Firepower Threat Defense cluster after an internal failure | Formerly, many internal error conditions caused a cluster unit to be removed from the cluster, and you had to rejoin it manually after resolving the issue. Now a unit attempts to rejoin the cluster automatically at the following intervals: 5 minutes, 10 minutes, and then 20 minutes. Internal failures include application sync timeout, inconsistent application statuses, and so on. New/Modified command: show cluster info auto-join. Supported platforms:
Cluster Control Link Subnet Configurable in FXOS | By default, the cluster control link uses the 127.2.0.0/16 subnet, and each unit receives an auto-generated address based on its chassis ID and slot number; for example, for chassis ID 1, slot 1, the Firepower chassis assigns 127.2.1.1. However, some network deployments do not allow 127.2.0.0/16 traffic to pass. You can now set a custom /16 subnet for the cluster control link in FXOS; the same auto-generation is used for each unit's IP address within that subnet. New/Modified FXOS command: set ccl subnet. New/Modified Firepower Chassis Manager screen: Supported platforms:
External Authentication added for Firepower Threat Defense SSH Access | You can now configure external authentication for SSH access to Firepower Threat Defense using LDAP or RADIUS. New/Modified screen: Supported platforms:
Enhanced Vulnerability Database (VDB) Installation | The Firepower Management Center now warns you before you install a VDB that the installation restarts the Snort process, interrupting traffic inspection and, depending on how the managed device handles traffic, possibly interrupting traffic flow. You can cancel the install until a more convenient time, such as a maintenance window. These warnings can appear:
Policy Deploy Restart Improvements | In Version 6.2.3, the set of configuration changes that restart the Snort process has been reduced. For Firepower Threat Defense devices, the managing UI now warns you before you deploy if the configuration deployment will restart the Snort process, interrupting traffic inspection and, depending on how the managed device handles traffic, possibly interrupting traffic flow. Note that restart behavior is different for devices managed using the Firepower Device Manager. See the New Features in Firepower Device Manager/Firepower Threat Defense Version 6.2.3 for more information.
Traffic Drop on Policy Apply | Version 6.2.3 adds the configure snort preserve-connection {enable \| disable} command to the Firepower Threat Defense CLI. This command determines whether existing connections on routed and transparent interfaces are preserved if the Snort process goes down. When disabled, all new and existing connections are dropped when Snort goes down and remain dropped until Snort resumes (fail-closed). When enabled, connections that were already allowed remain established, but new connections cannot be established until Snort is available again; this keeps established flows up at the cost of leaving them uninspected while Snort is down. Note that you cannot permanently disable this setting on a Firepower Threat Defense device managed by Firepower Device Manager; existing connections may drop when the setting reverts to its default during the next configuration deployment.