SSL/TLS Decryption

You can decrypt SSL/TLS connections so that you can inspect the contents of the connection. Without decryption, encrypted connections cannot be effectively inspected to identify intrusion and malware threats, or to enforce compliance with your URL and application usage policies. We added the page and dashboard.

Attention
Identity policies that implement active authentication automatically generate SSL decryption rules. If you upgrade from a release that does not support SSL decryption, the SSL decryption policy is automatically enabled if you have this type of rule. However, you must specify the certificate to use for Decrypt-Resign rules after completing the upgrade. Please edit the SSL decryption settings immediately after upgrade.
Security Intelligence Blacklisting

From the new page you can configure a Security Intelligence policy, which you can use to drop unwanted traffic based on source/destination IP address or destination URL. Any allowed connections will still be evaluated by access control policies and might eventually be dropped. You must enable the Threat license to use Security Intelligence.

We also renamed the Policies dashboard to Access And SI Rules, and the dashboard now includes Security Intelligence rule-equivalents as well as access rules.
Intrusion Rule Tuning

You can change the action for intrusion rules within the pre-defined intrusion policies you apply with your access control rules. You can configure each rule to drop or generate events (alert) on matching traffic, or disable the rule. You can change the action for enabled rules only (those set to drop or alert); you cannot enable a rule that is disabled by default. To tune intrusion rules, choose .
Automatic Network Analysis Policy (NAP) Assignment based on Intrusion Policy

In previous releases, the Balanced Security and Connectivity network analysis policy was always used for preprocessor settings, regardless of the intrusion policy assigned to a specific source/destination security zone and network object combination. Now, the system automatically generates NAP rules to assign the same-named NAP and intrusion policies to traffic based on those criteria. Note that if you use Layer 4 or 7 criteria to assign different intrusion policies to traffic that otherwise matches the same source/destination security zone and network object, you will not get perfectly matching NAP and intrusion policies. You cannot create custom network analysis policies.
Drill-down reports for the Threats, Attackers, and Targets dashboards

You can now click into the Threats, Attackers, and Targets dashboards to view more detail about the reported items. These dashboards are available on the Monitoring page.

Because of these new reports, you will lose reporting data for these dashboards when upgrading from a pre-6.2.3 release.
Web Applications Dashboard

The new Web Applications dashboard shows the top web applications, such as Google, that are being used in the network. This dashboard augments the Applications dashboard, which provides protocol-oriented information, such as HTTP usage.
New Zones dashboard replaces the Ingress Zone and Egress Zone dashboards

The new Zones dashboard shows the top security zone pairs for traffic entering and then exiting the device. This dashboard replaces the separate dashboards for Ingress and Egress zones.
New Malware Dashboard

The new Malware dashboard shows the top Malware action and disposition combinations. You can drill down to see information on the associated file types. You must configure file policies on access rules to see this information.
Self-signed internal certificates, and Internal CA certificates

You can now generate self-signed internal identity certificates. You can also upload or generate self-signed internal CA certificates for use with SSL decryption policies. Configure these features on the page.
Ability to edit DHCP server settings when editing interface properties

You can now edit settings for a DHCP server configured on an interface at the same time you edit the interface properties. This makes it easy to redefine the DHCP address pool if you need to change the interface IP address to a different subnet.
The Cisco Success Network sends usage and statistics data to Cisco to improve the product and provide effective technical support

You can connect to the Cisco Success Network to send data to Cisco. By enabling Cisco Success Network, you are providing usage information and statistics to Cisco which are essential for Cisco to provide you with technical support. This information also allows Cisco to improve the product and to make you aware of unused available features so that you can maximize the value of the product in your network. You can enable the connection when you register the device with the Cisco Smart Software Manager, or later at your choice. You can disable the connection at any time.

Cisco Success Network is a cloud service. The page is renamed Cloud Services. You can configure Cisco Defense Orchestrator from the same page.
Firepower Threat Defense Virtual for Kernel-based Virtual Machine (KVM) hypervisor device configuration

You can configure FTD on Firepower Threat Defense Virtual for KVM devices using Firepower Device Manager. Previously, only VMware was supported.

Note
You must install a new 6.2.3 image to get Firepower Device Manager support. You cannot upgrade an existing virtual machine from an older version and then switch to Firepower Device Manager.
ISA 3000 (Cisco 3000 Series Industrial Security Appliances) device configuration

You can configure FTD on ISA 3000 devices using Firepower Device Manager. Note that the ISA 3000 supports the Threat license only. It does not support the URL Filtering or Malware licenses. Thus, you cannot configure features that require the URL Filtering or Malware licenses on an ISA 3000.
Optional deployment on update of the rules database or VDB

When you update the intrusion rules database or VDB, or configure an update schedule, you can prevent the immediate deployment of the update. Because the update restarts the inspection engines, there is a momentary traffic drop during the deployment. By not deploying automatically, you can choose to initiate the deployment at a time when traffic drops will be least disruptive.

Note
A VDB download can also restart Snort all by itself, and then again cause a restart on deployment. You cannot stop the restart on download.
Improved messages that indicate whether a deployment restarts Snort. Also, a reduced need to restart Snort on deployment

Before you start a deployment, Firepower Device Manager indicates whether the configuration updates require a Snort restart. Snort restarts result in the momentary dropping of traffic. Thus, you now know whether a deployment will not impact traffic and can be done immediately, or will impact traffic, so that you can deploy at a less disruptive time.

In addition, in prior releases, Snort restarted on every deployment. Now, Snort restarts for the following reasons only:
- you enable or disable SSL decryption policies
- an updated rules database or VDB was downloaded
- you changed the MTU on one or more physical interfaces (but not subinterfaces)
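The three restart triggers above can be checked before you deploy, so that a change window is only scheduled when a traffic drop is actually expected. This is an added example, not Cisco code and not an FDM export format: the configuration snapshots are constructed dicts with a hypothetical shape, and subinterfaces are recognised by the dot in their name (for example GigabitEthernet1/1.100).

```python
# Constructed "before" snapshot of the parts of the configuration that
# decide whether Snort restarts. Hypothetical data shape; values are made up.
OLD_CONFIG = {
    "ssl_decryption_enabled": False,
    "rules_db_version": "2018-01-01-001",
    "vdb_version": 290,
    "interfaces": {
        "GigabitEthernet1/1": {"mtu": 1500},
        "GigabitEthernet1/1.100": {"mtu": 1500},  # subinterface (VLAN 100)
        "GigabitEthernet1/2": {"mtu": 1500},
    },
}


def is_subinterface(name):
    """Subinterfaces carry a VLAN suffix after a dot, e.g. GigabitEthernet1/1.100."""
    return "." in name


def snort_restart_reasons(old, new):
    """Return the reasons (one per trigger in the release note) why deploying
    `new` over `old` restarts Snort. An empty list means no traffic drop."""
    reasons = []

    # Trigger 1: SSL decryption policy enabled or disabled.
    if old["ssl_decryption_enabled"] != new["ssl_decryption_enabled"]:
        reasons.append("ssl_decryption_toggled")

    # Trigger 2: an updated rules database or VDB is part of the deployment.
    old_db = (old["rules_db_version"], old["vdb_version"])
    new_db = (new["rules_db_version"], new["vdb_version"])
    if old_db != new_db:
        reasons.append("rules_or_vdb_updated")

    # Trigger 3: MTU changed on a physical interface; subinterfaces are exempt.
    for name, props in new["interfaces"].items():
        if is_subinterface(name):
            continue
        old_mtu = old["interfaces"].get(name, {}).get("mtu")
        if old_mtu is not None and old_mtu != props["mtu"]:
            reasons.append("mtu_changed:" + name)

    return reasons
```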
CLI console in Firepower Device Manager

You can now open a CLI Console from Firepower Device Manager. The CLI Console mimics an SSH or console session, but allows a subset of commands only: show, ping, traceroute, and packet-tracer. Use the CLI Console for troubleshooting and device monitoring.
Support for blocking access to the management address

You can now remove all management access list entries for a protocol to prevent access to the management IP address. Previously, if you removed all entries, the system defaulted to allowing access from all client IP addresses. On upgrade to 6.2.3, if you previously had an empty management access list for a protocol (HTTPS or SSH), the system creates the default allow rule for all IP addresses. You can then delete these rules as needed.

In addition, Firepower Device Manager will recognize changes you make to the management access list from the CLI, including if you disable SSH or HTTPS access.

Ensure that you enable HTTPS access for at least one interface, or you will not be able to configure and manage the device.
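After the upgrade, the practical risk runs both ways: the default allow rule leaves management reachable from anywhere, while deleting it carelessly can lock you out of HTTPS. The following added example (not Cisco code, and not an FDM export format) audits a constructed management access list with a hypothetical dict shape and checks that your own admin address stays permitted before the anywhere rule is removed.

```python
import ipaddress

# Constructed sample: protocol -> permitted client networks. "0.0.0.0/0" is the
# default allow-all rule the release note says is created on upgrade when a
# protocol's list was empty. Hypothetical shape, not an FDM export.
SAMPLE_MGMT_ACCESS = {
    "HTTPS": ["0.0.0.0/0", "10.0.0.0/8"],
    "SSH": [],  # empty list now means SSH to the management address is blocked
}


def _is_anywhere(entry):
    # A /0 prefix (IPv4 or IPv6) permits every client address.
    return ipaddress.ip_network(entry, strict=False).prefixlen == 0


def audit_mgmt_access(access_lists):
    """Return findings as tuples:
      ("lockout", "HTTPS")           no HTTPS entry at all: FDM becomes unmanageable
      ("blocked", proto)             protocol has no entries (intentional block)
      ("allow_all", proto, entry)    a default/anywhere rule that should be narrowed
    """
    findings = []
    for proto in ("HTTPS", "SSH"):
        entries = access_lists.get(proto, [])
        if not entries:
            findings.append(("lockout", proto) if proto == "HTTPS" else ("blocked", proto))
            continue
        for entry in entries:
            if _is_anywhere(entry):
                findings.append(("allow_all", proto, entry))
    return findings


def safe_to_remove_allow_all(access_lists, admin_ip, proto="HTTPS"):
    """True if admin_ip is still covered by a specific entry once every
    anywhere rule for proto is deleted, i.e. removing them cannot lock you out."""
    addr = ipaddress.ip_address(admin_ip)
    remaining = [ipaddress.ip_network(e, strict=False)
                 for e in access_lists.get(proto, []) if not _is_anywhere(e)]
    return any(addr in net for net in remaining)
```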
Smart CLI and FlexConfig for configuring features using the device CLI

Smart CLI and FlexConfig allow you to configure features that are not yet directly supported through Firepower Device Manager policies and settings. Firepower Threat Defense uses ASA configuration commands to implement some features. If you are a knowledgeable and expert user of ASA configuration commands, you can configure these features on the device using the following methods:
- Smart CLI—(Preferred method.) A Smart CLI template is a pre-defined template for a particular feature. All of the commands needed for the feature are provided, and you simply need to select values for variables. The system validates your selection, so that you are more likely to configure a feature correctly. If a Smart CLI template exists for the feature you want, you must use this method. In this release, you can configure OSPFv2 using the Smart CLI.
- FlexConfig—The FlexConfig policy is a collection of FlexConfig objects. The FlexConfig objects are more free-form than Smart CLI templates, and the system does no CLI, variable, or data validation. You must know ASA configuration commands and follow the ASA configuration guides to create a valid sequence of commands.

Caution
Cisco strongly recommends using Smart CLI and FlexConfig only if you are an advanced user with a strong ASA background, and at your own risk. You may configure any commands that are not blacklisted. Enabling features through Smart CLI or FlexConfig may cause unintended results with other configured features.
Firepower Threat Defense REST API, and an API Explorer

You can use a REST API to programmatically interact with a Firepower Threat Defense device that you are managing locally through Firepower Device Manager. There is an API Explorer that you can use to view object models and test the various calls you can make from a client program. To open the API Explorer, log into Firepower Device Manager, and then change the path on the URL to /#/api-explorer, for example, https://ftd.example.com/#/api-explorer.