New Features in Firepower Management Center/Version 6.2.3
The following table lists the new features available in Firepower Version 6.2.3 when configured using a Firepower Management Center.

| Feature | Description |
|---|---|
| **Hardware and Virtual Hardware** | |
| FTD on ISA 3000 | You can now run Firepower Threat Defense on the ISA 3000 series, using either Firepower Device Manager or Firepower Management Center for management. Note that the ISA 3000 supports the Threat license only; it does not support the URL Filtering or Malware licenses, so you cannot configure features that require those licenses on an ISA 3000. Special ISA 3000 features that were supported with the ASA, such as Hardware Bypass and Alarm ports, are not supported with Firepower Threat Defense in this release. |
| Support for VMware ESXi 6.5 | Firepower Threat Defense Virtual, Firepower Management Center Virtual, and Firepower NGIPS Virtual are now supported on VMware ESXi 6.5. |
| **Firepower Threat Defense: Encryption and VPN** | |
| SSL Hardware Acceleration | Certain Firepower managed device models support SSL encryption and decryption acceleration in hardware, greatly improving performance. SSL hardware acceleration is disabled by default on all appliances that support it. Supported platforms: Firepower 4100/9300. |
| Firepower Threat Defense VPN Improvement | A non-blocking workflow for the certificate enrollment operation allows certificate enrollment on multiple Firepower Threat Defense devices in parallel: |
| **Firepower Threat Defense: High Availability and Clustering** | |
| Firepower Management Center High Availability Messaging | Firepower Management Center high availability pairs have improved UI messaging. The UI now displays interim status messages while a pair is being established, and existing messages have been rephrased to be more intuitive. |
| Automatically rejoin the Firepower Threat Defense cluster after an internal failure | Formerly, many internal error conditions caused a cluster unit to be removed from the cluster, and you had to manually rejoin it to the cluster after resolving the issue. Now, a unit attempts to rejoin the cluster automatically at the following intervals: 5 minutes, 10 minutes, and then 20 minutes. Internal failures include application sync timeout, inconsistent application statuses, and so on. New/Modified command: `show cluster info auto-join`. Supported platforms: Firepower 4100/9300. |
| Firepower Threat Defense High Availability Hardening | Version 6.2.3 introduces the following features for Firepower Threat Defense devices in high availability: |
| **Administration and Troubleshooting** | |
| External Authentication added for Firepower Threat Defense SSH Access | You can now configure external authentication for SSH access to Firepower Threat Defense using LDAP or RADIUS. New/Modified screen: Supported platforms: FTD. |
| Enhanced Vulnerability Database (VDB) Installation | The Firepower Management Center now warns you before you install a VDB that the installation restarts the Snort process, interrupting traffic inspection and, depending on how the managed device handles traffic, possibly interrupting traffic flow. You can cancel the install until a more convenient time, such as a maintenance window. These warnings can appear: |
| Upgrade Package Push | You can now copy (or push) an upgrade package from the Firepower Management Center to a managed device before you run the actual upgrade. This is useful because you can push during times of low bandwidth use, outside the upgrade maintenance window. When you push to high availability, clustered, or stacked devices, the system sends the upgrade package to the active/master/primary unit first, then to the standby/slave/secondary unit. New/Modified screens: |
| Firepower Threat Defense Serviceability | Version 6.2.3 improves the `show failover` CLI command. The new keyword, `history`, provides details to help with troubleshooting. |
| Device list sorting | On the device list page, you can use the View by drop-down list to sort and view the device list by any of the following categories: group, license, model, or access control policy. In a multidomain deployment, you can also sort and view by domain, which is the default display category in that deployment. Devices must belong to a leaf domain. |
| Audit log improvements | The audit log now denotes whether a policy changed on the Firepower Threat Defense Platform Settings page. |
| Updated FTD CLI commands | The `asa_mgmt_plane` and `asa_dataplane` options for Firepower Threat Defense device CLI commands are renamed to `management-plane` and `data-plane`, respectively. |
| Cisco Success Network | Upgrade impact. Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support. During upgrade, you are asked to accept or decline participation. You can also opt in or out at any time. |
| Web Analytics Tracking | Upgrade impact. Web analytics tracking sends non-personally-identifiable usage data to Cisco, including but not limited to page interactions, browser versions, product versions, user location, and the management IP addresses or hostnames of your FMCs. Upgrading to Version 6.2.3 enables web analytics tracking. If you do not want Cisco to collect this data, you can opt out after the upgrade. |
| **Performance** | |
| Policy Deploy Restart Improvements | As an enhancement in Version 6.2.3, the number of configurations that restart the Snort process has been reduced. For Firepower Threat Defense devices, the managing UI now warns you before you deploy if the configuration deployment restarts the Snort process, interrupting traffic inspection and, depending on how the managed device handles traffic, possibly interrupting traffic flow. Note that restart behavior is different for devices managed using Firepower Device Manager. See the New Features in Firepower Device Manager/FTD Version 6.2.3 for more information. |
| Traffic Drop on Policy Apply | Version 6.2.3 adds the `configure snort preserve-connection {enable \| disable}` command to the Firepower Threat Defense CLI. This command determines whether to preserve existing connections on routed and transparent interfaces if the Snort process goes down. When disabled, all new and existing connections are dropped when Snort goes down and remain dropped until Snort resumes. When enabled, connections that were already allowed remain established, but new connections cannot be established until Snort is available again. Note that you cannot permanently disable this setting on a Firepower Threat Defense device managed by Firepower Device Manager; existing connections may drop when the settings revert to the default during the next configuration deployment. |
| Increased memory capacity for lower-end appliances | Versions 6.1.0.7, 6.2.0.5, 6.2.2.2, and 6.2.3 increase the memory capacity for lower-end Firepower appliances. This reduces the number of health alerts. |
| Faster ISE pxGrid discovery | If an ISE pxGrid deployed in high availability fails or becomes unreachable, the Firepower Management Center now discovers the new active pxGrid faster. |
| **FMC REST API** | |
| Firepower Management Center REST API Improvements | The new Firepower Management Center REST APIs support CRUD (create, retrieve, update, and delete) operations for NAT rules, static routing configuration, and the corresponding objects while migrating from ASA FirePOWER to Firepower Threat Defense. Newly introduced APIs for NAT: When deploying Firepower Threat Defense devices in Cisco ACI, the APIs enable the APIC controller to add the proper static routes, along with other configuration settings that are needed for a particular service graph. This also enables PBR service graph insertion, which is currently the most flexible way of inserting Firepower Threat Defense in ACI. Newly introduced APIs for Static Route: |
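The static-route API mentioned in the last row is the kind of thing an automation or migration script drives. The following is an added example, not Cisco's code and not from this release note: a small client that performs the FMC token handshake and then creates, reads, updates and deletes one IPv4 static route on a device. The two endpoint paths (`/api/fmc_platform/v1/auth/generatetoken` and `.../devices/devicerecords/{device}/routing/ipv4staticroutes`) are the FMC REST API's own; the payload field names for `IPv4StaticRoute` are an assumption taken from the API Explorer. The device ID and network-object ID are placeholders, and the HTTP layer is an injected callable so the block runs offline against `FakeFmc`, a constructed in-memory stand-in that enforces the token on every configuration call.

```python
# Added example (not Cisco code): FMC REST API token flow plus IPv4 static route CRUD.
# The HTTP layer is an injected callable so this runs offline against FakeFmc, a
# constructed in-memory stand-in; payload field names are an assumption (API Explorer).
import base64
import ipaddress
import json
import uuid
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], bytes]  # (status, headers, body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Response]
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"


class FmcClient:
    def __init__(self, base_url: str, transport: Transport) -> None:
        self.base_url, self.transport = base_url.rstrip("/"), transport
        self.token: Optional[str] = None
        self.domain_uuid: Optional[str] = None

    def login(self, username: str, password: str) -> None:
        # FMC answers a Basic-auth POST with 204 and returns the session token and
        # domain UUID in response headers; every later call carries the token.
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        status, headers, _ = self.transport(
            "POST", self.base_url + TOKEN_PATH, {"Authorization": "Basic " + creds}, None)
        if status != 204:
            raise RuntimeError(f"authentication failed: HTTP {status}")
        self.token, self.domain_uuid = headers["X-auth-access-token"], headers["DOMAIN_UUID"]

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> Optional[dict]:
        if not self.token:
            raise RuntimeError("call login() first")
        headers = {"X-auth-access-token": self.token, "Content-Type": "application/json"}
        data = json.dumps(body).encode() if body is not None else None
        status, _, payload = self.transport(method, self.base_url + path, headers, data)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: HTTP {status}")
        return json.loads(payload) if payload else None

    def _routes(self, device_id: str, route_id: str = "") -> str:
        base = (f"/api/fmc_config/v1/domain/{self.domain_uuid}/devices/devicerecords/"
                f"{device_id}/routing/ipv4staticroutes")
        return f"{base}/{route_id}" if route_id else base

    @staticmethod
    def route_body(interface: str, network_obj_id: str, gateway: str, metric: int = 1) -> dict:
        # Validate locally so a malformed gateway or metric never reaches the deploy queue.
        ipaddress.IPv4Address(gateway)  # raises ValueError on bad input
        if not 1 <= metric <= 254:
            raise ValueError("metric must be 1..254")
        return {"type": "IPv4StaticRoute", "interfaceName": interface,
                "selectedNetworks": [{"type": "Network", "id": network_obj_id}],
                "gateway": {"literal": {"type": "Host", "value": gateway}},
                "metricValue": metric}

    def create_route(self, dev: str, body: dict) -> dict:
        return self._call("POST", self._routes(dev), body)

    def get_route(self, dev: str, rid: str) -> dict:
        return self._call("GET", self._routes(dev, rid))

    def update_route(self, dev: str, rid: str, body: dict) -> dict:
        return self._call("PUT", self._routes(dev, rid), body)

    def delete_route(self, dev: str, rid: str) -> dict:
        return self._call("DELETE", self._routes(dev, rid))


class FakeFmc:
    """Constructed stand-in for an FMC: one API user, one session token, in-memory routes."""
    def __init__(self, username: str = "api", password: str = "secret") -> None:
        self.basic = "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()
        self.token, self.domain_uuid = uuid.uuid4().hex, str(uuid.uuid4())
        self.routes: Dict[str, dict] = {}

    def __call__(self, method, url, headers, data) -> Response:
        path = "/" + url.split("://", 1)[1].split("/", 1)[1]  # drop scheme and host
        if method == "POST" and path == TOKEN_PATH:
            if headers.get("Authorization") != self.basic:
                return 401, {}, b""
            return 204, {"X-auth-access-token": self.token, "DOMAIN_UUID": self.domain_uuid}, b""
        if headers.get("X-auth-access-token") != self.token:  # every config call needs the token
            return 401, {}, b""
        parts = path.split("/")
        if "ipv4staticroutes" not in parts:
            return 404, {}, b""
        route_id = next(iter(parts[parts.index("ipv4staticroutes") + 1:]), None)
        if method == "POST" and route_id is None:
            obj = dict(json.loads(data), id=uuid.uuid4().hex)
            self.routes[obj["id"]] = obj
            return 201, {}, json.dumps(obj).encode()
        if route_id not in self.routes:
            return 404, {}, b""
        if method == "GET":
            return 200, {}, json.dumps(self.routes[route_id]).encode()
        if method == "PUT":
            self.routes[route_id] = dict(json.loads(data), id=route_id)
            return 200, {}, json.dumps(self.routes[route_id]).encode()
        if method == "DELETE":
            return 200, {}, json.dumps(self.routes.pop(route_id)).encode()
        return 405, {}, b""


def crud_walkthrough(client: FmcClient, device_id: str) -> Tuple[int, int]:
    # Create, read, update, delete one route; returns the metric before and after the update.
    client.login("api", "secret")
    body = FmcClient.route_body("outside", "NETWORK-OBJECT-ID-PLACEHOLDER", "203.0.113.1")
    rid = client.create_route(device_id, body)["id"]
    before = client.get_route(device_id, rid)["metricValue"]
    after = client.update_route(device_id, rid, dict(body, metricValue=10))["metricValue"]
    client.delete_route(device_id, rid)
    return before, after
```

Against a real FMC the transport would be an HTTPS call (for example a `requests.Session` with `verify` pointing at the CA that signed the FMC certificate, never `verify=False`), credentials would come from a secrets store rather than source, and the client would handle token expiry by logging in again. Changes made this way still have to be deployed to the device, and in 6.2.3 the deployment warning about Snort restarts described in the Performance rows applies to them just as it does to changes made in the UI.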