Features for Firepower Management Center Deployments
Note: Version 6.6.0/6.6.x is the last release to support the Cisco Firepower User Agent software as an identity source. You cannot upgrade a Firepower Management Center with user agent configurations to Version 6.7.0+. You should switch to Cisco Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC). This will also allow you to take advantage of features that are not available with the user agent. To convert your license, contact your Cisco representative or partner contact. For more information, see the End-of-Life and End-of-Support for the Cisco Firepower User Agent announcement and the Firepower User Identity: Migrating from User Agent to Identity Services Engine TechNote.
New Features in FMC Version 6.2.3 Patches
Version | Feature | Description
---|---|---
6.2.3.13 | Detection of rule conflicts in FTD NAT policies | After you upgrade to Version 6.2.3.13+, you can no longer create FTD NAT policies with conflicting rules (often referred to as duplicate or overlapping rules). This fixes an issue where conflicting NAT rules were applied out of order. If you currently have conflicting NAT rules, you will still be able to deploy after the upgrade; however, your NAT rules will continue to be applied out of order. Therefore, we recommend that after the upgrade you inspect each FTD NAT policy by opening it for editing (no changes are needed) and attempting to resave it. If the policy has rule conflicts, the system will prevent you from saving. Correct the issues, save, and then deploy. Supported platforms: Firepower Threat Defense.
6.2.3.8 | EMS extension support | Both the Decrypt-Resign and Decrypt-Known Key SSL policy actions now support the EMS (extended master secret) extension during ClientHello negotiation, enabling more secure communications. The EMS extension is defined by RFC 7627. Supported platforms: Any.
6.2.3.7 | TLS v1.3 downgrade CLI command for FTD | A new CLI command allows you to specify when to downgrade TLS v1.3 connections to TLS v1.2. Many browsers use TLS v1.3 by default. If you are using an SSL policy to handle encrypted traffic, and people in your monitored network use browsers with TLS v1.3 enabled, websites that support TLS v1.3 fail to load. For more information, see the system support commands in the Cisco Firepower Threat Defense Command Reference. We recommend you use these commands only after consulting with Cisco TAC. Supported platforms: Firepower Threat Defense.
6.2.3.3 | Site-to-site VPN with clustering | You can now configure site-to-site VPN with clustering. Site-to-site VPN is a centralized feature; only the control unit supports VPN connections. Supported platforms: Firepower 4100/9300.
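The EMS extension negotiation described for Version 6.2.3.8, as an added example that is not Cisco code: a small Python parser that reads a TLS ClientHello record and reports whether the client offers extended_master_secret (extension type 0x0017, RFC 7627), which is what the Decrypt-Resign and Decrypt-Known Key actions now honour. The ClientHello bytes and the example.com server name are constructed for the example; running it over ClientHellos captured from your own network shows which clients will negotiate EMS through the SSL policy.

```python
import struct
EXTENDED_MASTER_SECRET = 0x0017  # extension type assigned by RFC 7627

def build_client_hello(extensions):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample, not captured traffic)."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version + zeroed random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
    body += b"\x01\x00"                          # one compression method (null)
    blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(blob)) + blob
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_hello_extensions(record):
    """Map extension type -> data for a ClientHello record; None if not one or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs_len = int.from_bytes(record[6:9], "big")
        if rec_len != hs_len + 4 or len(record) < 5 + rec_len:
            return None
        p = 9 + 2 + 32                                    # skip client_version and random
        p += 1 + record[p]                                # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
        p += 1 + record[p]                                # compression_methods
        if p == 9 + hs_len:
            return {}                                     # legacy hello with no extensions block
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        if ext_end != 9 + hs_len:
            return None
        p, exts = p + 2, {}
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            if p + 4 + elen > ext_end:
                return None
            exts[etype] = record[p + 4:p + 4 + elen]
            p += 4 + elen
        return exts
    except (IndexError, struct.error):
        return None

def offers_ems(record):
    """True when the ClientHello advertises extended_master_secret (RFC 7627)."""
    exts = client_hello_extensions(record)
    return exts is not None and EXTENDED_MASTER_SECRET in exts
# Constructed sample: server_name extension for example.com plus an empty EMS extension.
SNI_DATA = struct.pack("!HBH", 14, 0, 11) + b"example.com"
SAMPLE_WITH_EMS = build_client_hello([(0x0000, SNI_DATA), (EXTENDED_MASTER_SECRET, b"")])
SAMPLE_WITHOUT_EMS = build_client_hello([(0x0000, SNI_DATA)])
```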
Deprecated Features in FMC Version 6.2.3 Patches
Feature | Upgrade Impact | Description
---|---|---
Versions 6.2.3.1–6.2.3.3: Expired CA certificates for dynamic analysis | None, but you should patch. | On June 15, 2018, some AMP for Networks deployments stopped being able to submit files for dynamic analysis. See Expired CA Certificates for Dynamic Analysis.