Firepower 1000 series device configuration.
|
You can configure Firepower Threat Defense on Firepower 1000 series devices using Firepower Device Manager.
Note that you can configure and use the Power over Ethernet (PoE) ports as regular Ethernet ports, but you cannot enable or
configure any PoE-related properties.
|
Hardware bypass for the ISA 3000.
|
You can now configure hardware bypass for the ISA 3000 on the Interfaces page. In release 6.3, you needed to configure hardware bypass using FlexConfig. If you are using FlexConfig, redo
the configuration on the Interfaces page and remove the hardware bypass commands from FlexConfig. However, the portion of the
FlexConfig devoted to disabling TCP sequence number randomization is still recommended.
|
Ability to reboot and shut down the system from the FDM CLI Console.
|
You can now issue the reboot and shutdown commands through the CLI Console in FDM. Previously, you needed to open a separate SSH session to the device to reboot or
shut down the system. You must have Administrator privileges to use these commands.
|
External Authentication and Authorization using RADIUS for FTD CLI Users.
|
You can use an external RADIUS server to authenticate and authorize users logging into the FTD CLI. You can give external
users config (administrator) or basic (read-only) access.
We added the SSH configuration to the AAA Configuration tab on the page.
|
Support for network range objects and nested network group objects.
|
You can now create network objects that specify a range of IPv4 or IPv6 addresses, and network group objects that include
other network groups (that is, nested groups).
We modified the network object and network group object Add/Edit dialog boxes to include these features, and modified the
various security policies to allow the use of these objects, contingent on whether address specifications of that type make
sense within the context of the policy.
|
Full-text search options for objects and rules.
|
You can do a full-text search on objects and rules. When you search a policy or object list that has a large number of items,
the search returns every item that contains your search string anywhere within the rule or object.
We added a search box to all policies that have rules, and to all pages on the Objects list. In addition, you can use the filter=fts~search-string option on GET calls for supported objects in the API to retrieve items based on a full-text search.
|
Obtaining a list of supported API versions for an FDM-managed FTD device.
|
You can use the GET /api/versions (ApiVersions) method to get a list of the API versions that are supported on a device. You
can use your API client to communicate with and configure the device using commands and syntax valid for any of the supported versions.
|
FTD REST API version 3 (v3).
|
The FTD REST API for software version 6.4 has been incremented to version 3. You must replace v1/v2 in the API URLs with v3. The
v3 API includes many new resources that cover all features added in software version 6.4. Re-evaluate all existing
calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view
the resources, change the end of the Firepower Device Manager URL to /#/api-explorer after logging in.
|
Hit counts for access control rules.
|
You can now view hit counts for access control rules. The hit counts indicate how often connections matched the rule.
We updated the access control policy to include hit count information. In the FTD API, we added the HitCounts resource and the includeHitCounts and filter=fetchZeroHitCounts options to the GET Access Policy Rules resource.
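The following is an added example, not Cisco's code, showing how an API client would use the features described in the preceding entries together: discover the supported API versions with GET /api/versions, build v3 URLs, run a full-text search with filter=fts~, and request access rule hit counts. Everything beyond what the page states is an assumption: that versioned resources live under /api/fdm/<version>/, that GET /api/versions returns JSON with a supportedVersions list, that a token is obtained by POSTing to fdm/token, that list responses carry results in items, that the rule path is policy/accesspolicies/<parentId>/accessrules, and that the zero-hit filter takes the value fetchZeroHitCounts:true. The HTTP transport is injected so the block runs offline against the constructed fake device at the bottom.

```python
"""Added example (not Cisco's code): a minimal client for the FDM REST API
features described above.  See the lead-in for the list of assumptions."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request


def pick_api_version(versions_doc, preferred=("v3", "v2", "v1")):
    """Return the newest version from `preferred` that the device reports.
    Assumes the /api/versions response has a 'supportedVersions' list."""
    supported = set(versions_doc.get("supportedVersions", []))
    for version in preferred:
        if version in supported:
            return version
    raise ValueError("no usable API version among %r" % sorted(supported))


def build_url(base, version, resource, **params):
    """Compose <base>/api/fdm/<version>/<resource>?<params> (path layout is
    an assumption).  '~' and ':' are kept literal so filter=fts~... survives."""
    url = "%s/api/fdm/%s/%s" % (base.rstrip("/"), version, resource.lstrip("/"))
    if params:
        url += "?" + urllib.parse.urlencode(params, safe="~:")
    return url


def search_url(base, version, resource, text):
    """Full-text search URL using the filter=fts~search-string option."""
    return build_url(base, version, resource, filter="fts~" + text)


def hitcount_url(base, version, parent_id, include_zero=False):
    """Access rules with hit counts; includeHitCounts and fetchZeroHitCounts
    are the options named on the page, the ':true' value is assumed."""
    params = {"includeHitCounts": "true"}
    if include_zero:
        params["filter"] = "fetchZeroHitCounts:true"
    resource = "policy/accesspolicies/%s/accessrules" % parent_id
    return build_url(base, version, resource, **params)


def urllib_transport(method, url, headers, body):
    """Real transport.  TLS verification stays on: import the device's CA or
    install a trusted FDM certificate instead of disabling checks."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class FdmClient:
    def __init__(self, base, transport=urllib_transport):
        self.base = base.rstrip("/")
        self.transport = transport
        self.version = None
        self.token = None

    def discover_version(self):
        status, body = self.transport("GET", self.base + "/api/versions", {}, None)
        if status != 200:
            raise RuntimeError("GET /api/versions returned %s" % status)
        self.version = pick_api_version(json.loads(body))
        return self.version

    def login(self, username, password):
        """Password grant against fdm/token (endpoint and body are assumptions)."""
        url = build_url(self.base, self.version, "fdm/token")
        body = json.dumps({"grant_type": "password", "username": username,
                           "password": password}).encode()
        status, resp = self.transport("POST", url, {"Content-Type": "application/json"}, body)
        if status != 200:
            raise RuntimeError("login failed with HTTP %s" % status)
        self.token = json.loads(resp)["access_token"]

    def get_items(self, url):
        headers = {"Authorization": "Bearer %s" % self.token, "Accept": "application/json"}
        status, body = self.transport("GET", url, headers, None)
        if status != 200:
            raise RuntimeError("GET %s returned %s" % (url, status))
        return json.loads(body).get("items", [])

    def search(self, resource, text):
        return self.get_items(search_url(self.base, self.version, resource, text))

    def rule_hit_counts(self, parent_id, include_zero=False):
        """Map rule name -> hit count (nested 'hitCount' field is assumed)."""
        rules = self.get_items(hitcount_url(self.base, self.version, parent_id, include_zero))
        return {r["name"]: r.get("hitCount", {}).get("hitCount") for r in rules}


# Constructed fake device so the example runs offline.
FAKE_BASE = "https://ftd.example.test"
FAKE_RESPONSES = {
    ("GET", FAKE_BASE + "/api/versions"): {"supportedVersions": ["v1", "v2", "v3"]},
    ("POST", FAKE_BASE + "/api/fdm/v3/fdm/token"): {"access_token": "constructed-token"},
    ("GET", FAKE_BASE + "/api/fdm/v3/object/networks?filter=fts~web+server"):
        {"items": [{"name": "web-server-net", "type": "networkobject"}]},
    ("GET", FAKE_BASE + "/api/fdm/v3/policy/accesspolicies/acp-1/accessrules?includeHitCounts=true"):
        {"items": [{"name": "allow-web", "hitCount": {"hitCount": 42}}]},
}


def fake_transport(method, url, headers, body):
    """Answers from FAKE_RESPONSES; rejects unauthenticated resource calls."""
    if method == "GET" and "/api/versions" not in url and "Authorization" not in headers:
        return 401, b'{"error": "unauthorized"}'
    doc = FAKE_RESPONSES.get((method, url))
    if doc is None:
        return 404, b"{}"
    return 200, json.dumps(doc).encode()


if __name__ == "__main__":
    client = FdmClient(FAKE_BASE, transport=fake_transport)
    print("using API", client.discover_version())
    client.login("admin", "constructed-password")
    print(client.search("object/networks", "web server"))
    print(client.rule_hit_counts("acp-1"))
```

Against a real device, construct FdmClient with the default transport and a base such as https://<fdm-address>; the version discovered is then substituted into every URL, which is the mechanical form of the "replace v1/v2 with v3" instruction above.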
|
Site-to-Site VPN enhancements for dynamic addressing and certificate authentication.
|
You can now configure site-to-site VPN connections to use certificates instead of preshared keys to authenticate the peers.
You can also configure connections where the remote peer has an unknown (dynamic) IP address. We added options to the Site-to-Site
VPN wizard and the IKEv1 policy object.
|
Support for RADIUS servers and Change of Authorization in remote access VPN.
|
You can now use RADIUS servers for authenticating, authorizing, and accounting remote access VPN (RA VPN) users. You can also
configure Change of Authorization (CoA), also known as dynamic authorization, to alter a user's authorization after authentication
when you use a Cisco ISE RADIUS server.
We added attributes to the RADIUS server and server group objects, and made it possible to select a RADIUS server group within
an RA VPN connection profile.
|
Multiple connection profiles and group policies for remote access VPN.
|
You can configure more than one connection profile, and create group policies to use with the profiles.
We changed the page to have separate pages for connection profiles and group policies, and updated the RA VPN Connection wizard to allow
the selection of group policies. Some items that were previously configured in the wizard are now configured in the group
policy.
|
Support for certificate-based, second authentication source, and two-factor authentication in remote access VPN.
|
You can use certificates for user authentication, and configure secondary authentication sources so that users must authenticate
twice before establishing a connection. You can also configure two-factor authentication using RSA tokens or Duo passcodes
as the second factor.
We updated the RA VPN Connection wizard to support the configuration of these additional options.
|
Support for IP address pools with multiple address ranges, and DHCP address pools, for remote access VPN.
|
You can now configure address pools that have more than one address range by selecting multiple network objects that specify
subnets. In addition, you can configure address pools in a DHCP server and use the server to provide addresses to RA VPN clients.
If you use RADIUS for authorization, you can alternatively configure the address pools in the RADIUS server.
We updated the RA VPN Connection wizard to support the configuration of these additional options. You can optionally configure
the address pool in the group policy instead of the connection profile.
|
Active Directory realm enhancements.
|
You can now include up to 10 redundant Active Directory (AD) servers in a single realm. You can also create multiple realms
and delete realms that you no longer need. In addition, the limit for downloading users in a realm is increased to 50,000
from the 2,000 limit in previous releases.
We updated the page to support multiple realms and servers. You can select the realm in the user criteria of access control and SSL decryption
rules, to apply the rule to all users within the realm. You can also select the realm in identity rules and RA VPN connection
profiles.
|
Redundancy support for ISE servers.
|
When you configure Cisco Identity Services Engine (ISE) as an identity source for passive authentication, you can now configure
a secondary ISE server if you have an ISE high availability setup.
We added an attribute for the secondary server to the ISE identity object.
|
File/malware events sent to external syslog servers.
|
You can now configure an external syslog server to receive file/malware events, which are generated by file policies configured
on access control rules. File events use message ID 430004; malware events use message ID 430005.
We added the File/Malware syslog server options to the page.
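An added example, not Cisco's code, of what a collector on the receiving syslog server would do with these messages: pick out events by the two message IDs named above, parse the key/value body, and pull malware indicators out for enrichment or alerting. Only the message IDs 430004 and 430005 come from the page; the %FTD-<severity>-<id>: header form, the comma-separated "Key: Value" body, and every field name (FileSHA256, SrcIP, SHA_Disposition, ThreatName, and so on) are assumptions, and the three sample lines are constructed for the example.

```python
"""Added example (not Cisco's code): parse FTD file/malware syslog events by
message ID.  Header and field layout are assumptions; samples are constructed."""
import collections
import re

FILE_EVENT = "430004"       # file events, per the release note
MALWARE_EVENT = "430005"    # malware events, per the release note

# Assumed header: '%FTD-<severity>-<six-digit id>: <body>'.
HEADER_RE = re.compile(r"%FTD-(?P<sev>\d)-(?P<msg_id>\d{6}):\s*(?P<body>.*)$")

# Constructed sample lines (hashes are placeholders, not real samples).
SAMPLES = [
    "<163>Jun 12 2019 10:15:01 ftd-edge %FTD-3-430004: DeviceUUID: 11111111-2222-3333-4444-555555555555, "
    "SrcIP: 10.1.20.14, DstIP: 203.0.113.25, SrcPort: 50212, DstPort: 443, Protocol: tcp, "
    "FileName: quarterly.pdf, FileType: PDF, "
    "FileSHA256: 1111111111111111111111111111111111111111111111111111111111111111, "
    "FileDirection: Download, FileAction: Detect",
    "<161>Jun 12 2019 10:16:44 ftd-edge %FTD-1-430005: DeviceUUID: 11111111-2222-3333-4444-555555555555, "
    "SrcIP: 10.1.20.14, DstIP: 198.51.100.7, SrcPort: 50230, DstPort: 80, Protocol: tcp, "
    "FileName: invoice.exe, FileType: MSEXE, "
    "FileSHA256: 2222222222222222222222222222222222222222222222222222222222222222, "
    "FileDirection: Download, FileAction: Malware Cloud Lookup, SHA_Disposition: Malware, "
    "ThreatName: W32.GenericKD",
    "<165>Jun 12 2019 10:17:02 ftd-edge %FTD-6-302013: Built inbound TCP connection 1234 "
    "for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.20.14/50230 (10.1.20.14/50230)",
]


def parse_ftd_event(line):
    """Return {'severity', 'msg_id', 'fields'} or None for non-FTD lines.
    The body is split on ', ' into 'Key: Value' pairs; anything without a
    ': ' separator (free-text bodies such as 302013) is ignored."""
    match = HEADER_RE.search(line)
    if not match:
        return None
    fields = {}
    for pair in match.group("body").split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return {"severity": int(match.group("sev")), "msg_id": match.group("msg_id"),
            "fields": fields}


def file_and_malware_events(lines):
    """Keep only the two message IDs that file policies generate."""
    events = (parse_ftd_event(line) for line in lines)
    return [e for e in events if e and e["msg_id"] in (FILE_EVENT, MALWARE_EVENT)]


def counts_by_id(lines):
    """Volume per message ID, useful as a sanity check that both event types
    are actually arriving after the syslog destination is configured."""
    return dict(collections.Counter(e["msg_id"] for e in file_and_malware_events(lines)))


def malware_indicators(lines):
    """(sha256, client IP, threat name) for each malware event with a
    'Malware' disposition; field names are assumptions."""
    found = []
    for event in file_and_malware_events(lines):
        fields = event["fields"]
        if event["msg_id"] != MALWARE_EVENT:
            continue
        if fields.get("SHA_Disposition", "Malware") != "Malware":
            continue
        found.append((fields.get("FileSHA256"), fields.get("SrcIP"), fields.get("ThreatName")))
    return found


if __name__ == "__main__":
    print(counts_by_id(SAMPLES))
    for sha, client_ip, threat in malware_indicators(SAMPLES):
        print("malware %s on %s (%s)" % (sha, client_ip, threat))
```

Feeding the real stream into this parser is a quick way to confirm the new syslog destination works: if counts_by_id never shows 430005 while 430004 keeps arriving, the file policy is detecting files but no malware verdicts are being logged, which is worth checking before relying on the feed for alerting.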
|
Logging to the internal buffer and support for custom event log filters.
|
You can now configure the internal buffer as a destination for system logging. In addition, you can create event log filters
to customize which messages are generated for the syslog server and internal buffer logging destinations.
We added the Event Log Filter object to the Objects page, and the ability to use the object on the page. The internal buffer options were also added to the Logging Settings page.
|
Certificate for the Firepower Device Manager Web Server.
|
You can now configure the certificate that is used for HTTPS connections to the Firepower Device Manager configuration interface.
By uploading a certificate your web browsers already trust, you can avoid the Untrusted Authority message you get when using
the default internal certificate. We added the page.
|
Cisco Threat Response support.
|
You can configure the system to send intrusion events to the Cisco Threat Response cloud-based application. You can use Cisco
Threat Response to analyze intrusions.
We added Cisco Threat Response to the page.
|