High availability configuration.

You can configure two devices as an active/standby high availability pair. A high availability or failover setup joins two devices so that if the primary device fails, the secondary device can take over. This helps you keep your network operational in case of device failure. The devices must be of the same model, with the same number and type of interfaces, and they must run the same software version. You can configure high availability from the Device page.

Support for passive user identity acquisition.

You can configure identity policies to use passive authentication. Passive authentication gathers user identity without prompting the user for username and password. The system obtains the mappings from the identity sources you specify, which can be Cisco Identity Services Engine (ISE)/Cisco Identity Services Engine Passive Identity Connector (ISE PIC), or logins from remote access VPN users.
Changes include supporting passive authentication rules in , and ISE configuration in .

Local user support for remote access VPN and user identity.

You can now create users directly through Firepower Device Manager. You can then use these local user accounts to authenticate connections to a remote access VPN. You can use the local user database as either the primary or fallback authentication source. In addition, you can configure passive authentication rules in the identity policy so that local usernames are reflected in the dashboards and so they are available for traffic matching in policies.
We added the page, and updated the remote access VPN wizard to include a fallback option.

Changed default behavior for VPN traffic handling in the access control policy (sysopt connection permit-vpn).

The default behavior for how VPN traffic is handled by the access control policy has changed. Starting in 6.3, the default is that all VPN traffic will be processed by the access control policy. This allows you to apply advanced inspections, including URL filtering, intrusion protection, and file policies, to VPN traffic. You must configure access control rules to allow VPN traffic. Alternatively, you can use FlexConfig to configure the sysopt connection permit-vpn command, which tells the system to bypass the access control policy (and any advanced inspections) for VPN-terminated traffic.

Support for FQDN-based network objects and data interface support for DNS lookup.

You can now create network objects (and groups) that specify a host by fully-qualified domain name (FQDN) rather than a static IP address. The system looks up the FQDN-to-IP address mapping periodically for any FQDN object that is used in an access control rule. You can use these objects in access control rules only.
We added the DNS Group object to the objects page, changed the page to allow group assignment to data interfaces, and the access control rule to allow for FQDN network object selection.
In addition, the DNS configuration for the management interface now uses DNS groups instead of a set list of DNS server addresses.

Support for TCP syslog and the ability to send diagnostic syslog messages through the management interface.

In previous releases, diagnostic syslog messages (as opposed to connection and intrusion messages) always used a data interface. You can now configure syslog so that all messages use the management interface. The ultimate source IP address depends on whether you use the data interfaces as the gateway for the management interface, in which case the IP address will be the one from the data interface. You can also configure syslog to use TCP instead of UDP as the protocol.
We made changes to the Add/Edit dialog box for syslog servers from .

External Authentication and Authorization using RADIUS for Firepower Device Manager Users.

You can use an external RADIUS server to authenticate and authorize users logging into Firepower Device Manager. You can give external users administrative, read-write, or read-only access. Firepower Device Manager can support 5 simultaneous logins; the sixth session automatically logs off the oldest session. You can forcefully end a Firepower Device Manager user session if necessary.
We added RADIUS server and RADIUS server group objects to the page for configuring the objects. We added the AAA Configuration tab to , for enabling use of the server groups. In addition, the page lists the active users and lets an administrative user end a session.

Pending changes view and deployment improvements.

The deployment window has changed to provide a clearer view of the pending changes that will be deployed. In addition, you now have the option to discard changes, copy changes to the clipboard, and download changes in a YAML formatted file. You can also name deployment jobs so they are easier to find in the audit log.

Audit Log.

You can view an audit log that records events such as deployments, system tasks, configuration changes, and administrative user login and logout.
We added the page.

Ability to export the configuration.

You can download a copy of the device configuration for record keeping purposes. However, you cannot import this configuration into a device. This feature is not a replacement for backup/restore.
We added the page.

Improvements to URL filtering for unknown URLs.

If you perform category-based URL filtering in access control rules, users might access URLs whose category and reputation are not defined in the URL database. Previously, you needed to manually enable the option to look up the category and reputation for these URLs from Cisco Collective Security Intelligence (CSI). Now, that option is enabled by default. In addition, you can now set the time-to-live (TTL) for the lookup results, so that the system can refresh the category/reputation for each unknown URL.
We updated the page.

Security Intelligence logging is now enabled by default.

The Security Intelligence policy was introduced in 6.2.3, with logging disabled by default. Starting with 6.3.0, logging is enabled by default. If you upgrade from 6.2.3, your logging settings are preserved, either enabled or disabled. Enable logging if you want to see the results of policy enforcement.

Passive mode interfaces.

You can configure an interface in passive mode. When acting passively, the interface simply monitors the traffic from the source ports in a monitoring session configured on the switch itself (for hardware devices) or on the promiscuous VLAN (for Firepower Threat Defense Virtual). You can use passive mode to evaluate how the Firepower Threat Defense Virtual device would behave if you deployed it as an active firewall. You can also use passive interfaces in a production network if you need IDS (intrusion detection system) services, where you want to know about threats, but you do not want the device to actively prevent the threats. You can select passive mode when editing physical interfaces and when you create security zones.

Smart CLI enhancements for OSPF, and support for BGP.

The Smart CLI OSPF configuration has been enhanced, including new Smart CLI object types for standard and extended ACLs, route maps, AS Path objects, IPv4 and IPv6 prefix lists, policy lists, and standard and expanded community lists. In addition, you can now use Smart CLI to configure BGP routing. You can find these features on the page.

Enhancements for ISA 3000 devices.

You can now configure the following features for the ISA 3000: alarms, hardware bypass, and backup and restore using the SD card. You use FlexConfig to configure the alarms and hardware bypass. For the SD card, we updated the backup/restore pages in Firepower Device Manager.

Support for ASA 5506-X, 5506W-X, 5506H-X, and 5512-X removed starting with FTD 6.3.

You cannot install Firepower Threat Defense 6.3 or subsequent releases on the ASA 5506-X, 5506W-X, 5506H-X, and 5512-X. The final supported FTD release for these platforms is 6.2.3.

FTD REST API version 2 (v2).

The FTD REST API for software version 6.3 has been incremented to version 2. You must replace v1 in the API URLs with v2. The v2 API includes many new resources that cover all features added in software version 6.3. Please re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, change the end of the Firepower Device Manager URL to /#/api-explorer after logging in.

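The v1-to-v2 move described above, as an added Python example that is not Cisco's code: it rewrites v1 API URLs to v2 and reports which fields a caller relies on have gone missing from (or been added to) a v2 resource, so scripts fail loudly on a changed resource model. The token endpoint /api/fdm/v2/fdm/token, the /object/networks resource and its field names are assumptions, and the device address and credentials are placeholders.

```python
"""Added example (not Cisco's code): move FDM REST API calls from v1 to v2.
Assumed: token endpoint /api/fdm/v2/fdm/token, resource /object/networks
and its fields; DEVICE, USER and PASSWORD are placeholders."""
import json
import ssl
import urllib.request
from urllib.parse import urlsplit, urlunsplit

API_V1 = "/api/fdm/v1"
API_V2 = "/api/fdm/v2"


def to_v2(url: str) -> str:
    """Rewrite a v1 FDM API URL to v2; reject anything that is not a v1 path."""
    parts = urlsplit(url)
    if not parts.path.startswith(API_V1 + "/"):
        raise ValueError(f"not a v1 FDM API URL: {url}")
    return urlunsplit(parts._replace(path=API_V2 + parts.path[len(API_V1):]))


def model_drift(expected_fields, resource: dict) -> dict:
    """Fields a caller relies on versus what v2 returned: surface a renamed
    or removed attribute instead of silently reading None from it."""
    have, want = set(resource), set(expected_fields)
    return {"missing": sorted(want - have), "new": sorted(have - want)}


def fdm_token(base_url: str, user: str, password: str, ctx: ssl.SSLContext) -> str:
    """Password grant against the (assumed) v2 token endpoint."""
    body = json.dumps({"grant_type": "password", "username": user,
                       "password": password}).encode()
    req = urllib.request.Request(base_url + API_V2 + "/fdm/token", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["access_token"]


def fdm_get(base_url: str, token: str, path: str, ctx: ssl.SSLContext) -> dict:
    """GET a v2 resource with the bearer token."""
    req = urllib.request.Request(base_url + API_V2 + path,
                                 headers={"Authorization": f"Bearer {token}",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    DEVICE, USER, PASSWORD = "https://fdm.example.invalid", "admin", "placeholder"
    ctx = ssl.create_default_context()  # keep certificate verification on
    token = fdm_token(DEVICE, USER, PASSWORD, ctx)
    for item in fdm_get(DEVICE, token, "/object/networks", ctx).get("items", []):
        print(item.get("name"), model_drift(["id", "name", "value", "subType"], item))
```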
Web analytics for providing product usage information to Cisco.

You can enable web analytics, which provides anonymous product usage information to Cisco based on page hits. This information can help Cisco determine feature usage patterns and help Cisco improve the product. All usage data is anonymous and no sensitive data is transmitted. Web analytics is enabled by default.
We added Web Analytics to the page.

Installing a Vulnerability Database (VDB) update no longer restarts Snort.

When you install a VDB update, the installation itself no longer restarts Snort. However, Snort continues to restart during the next configuration deployment.

Deploying an Intrusion Rules (SRU) database update no longer restarts Snort.

After you install an intrusion rules (SRU) update, you must deploy the configuration to activate the new rules. The deployment of the SRU update no longer causes a Snort restart.