New Features
New Features in FMC Version 6.4
Although you can manage older devices with a newer FMC, we recommend you always update your entire deployment. You should assume that new traffic-handling features require the latest release on both the FMC and device. Features where devices are not obviously involved (cosmetic changes to the web interface, cloud integrations) may only require the latest version on the FMC, but that is not guaranteed. In the new feature descriptions, we are explicit when version requirements deviate from the standard expectation.
|
Feature |
Description |
||
|---|---|---|---|
|
Version 6.4.0.10 Upgrades postpone scheduled tasks |
Upgrade impact. Upgrades now postpone scheduled tasks. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot.
Note that this feature is supported for Firepower appliances running Version 6.4.0.10 or any later patch. It is not supported for upgrades to Version 6.4.0.10, or upgrades that skip Version 6.4.0.10. This feature is also not supported in Version 6.5.0, 6.6.0, or 6.6.1. It is reintroduced in Version 6.6.3 and Version 6.7.0. |
||
|
Version 6.4.0.9 Default HTTPS server certificates |
Upgrade impact. Upgrading an FMC or 7000/8000 series device from Version 6.4.0–6.4.0.8 to any later Version 6.4.0.x patch (or an FMC to Version 6.6.0+) renews the default HTTPS server certificate, which expires 800 days from the date of the upgrade. All future renewals have an 800 day lifespan. Your old certificate was set to expire depending on when it was generated, as follows:
Note that in Version 6.5.0–6.5.0.4, the lifespan-on-renew returns to 3 years, but this is again updated to 800 days with Version 6.5.0.5 and 6.6.0. |
||
|
Version 6.4.0.4 New syslog fields |
These new syslog fields collectively identify a unique connection event:
These fields also appear in syslogs for intrusion, file, and malware events, allowing connection events to be associated with those events. |
||
|
Version 6.4.0.2 Detection of rule conflicts in FTD NAT policies |
Upgrade impact. After you upgrade to Version 6.4.0.2 or later patch, you can no longer create FTD NAT policies with conflicting rules (often referred to as duplicate or overlapping rules). This fixes an issue where conflicting NAT rules were applied out-of-order. If you currently have conflicting NAT rules, you will be able to deploy post-upgrade. However, your NAT rules will continue to be applied out-of-order. Therefore, we recommend that after the upgrade, you inspect your FTD NAT policies by editing (no changes are needed) then attempting to resave. If you have rule conflicts, the system will prevent you from saving. Correct the issues, save, and then deploy. |
||
|
Version 6.4.0.2 ISE Connection Status Monitor health module |
A new health module, the ISE Connection Status Monitor, monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the FMC. |
|
Feature |
Description |
||
|---|---|---|---|
|
Firepower Threat Defense: Device Management |
|||
|
FTDv for VMware defaults to vmxnet3 interfaces |
FTDv for VMware now defaults to vmxnet3 interfaces when you create a virtual device. Previously, the default was e1000. The vmxnet3 device drivers and network processing are integrated with the ESXi hypervisor, so they use fewer resources and offer better network performance.
Supported platforms: FTDv for VMware |
||
|
Firepower Threat Defense: Routing |
|||
|
Rotating (keychain) authentication for OSPFv2 routing |
You can now use rotating (keychain) authentication when configuring OSPFv2 routing. New/modified pages:
Supported platforms: FTD |
||
|
Firepower Threat Defense: Encryption and VPN |
|||
|
RA VPN: Secondary authentication |
Secondary authentication, also called double authentication, adds an additional layer of security to RA VPN connections by using two different authentication servers. With secondary authentication enabled, AnyConnect VPN users must provide two sets of credentials to log in to the VPN gateway. RA VPN supports secondary authentication for the AAA Only and Client Certificate and AAA authentication methods. New/modified pages: > add/edit configuration > Connection Profile > AAA area Supported platforms: FTD |
||
|
Site-to-site VPN: Dynamic IP addresses for extranet endpoints |
You can now configure site to site VPNs to use a dynamic IP address for extranet endpoints. In hub-and-spoke deployments, you can use a hub as an extranet endpoint. New/modified pages: > add/edit FTD VPN topology > Endpoints tab > add endpoint > IP Address option Supported platforms: FTD |
||
|
Site-to-site VPN: Dynamic crypto maps for point-to-point topologies |
You can now use dynamic crypto maps in point-to-point as well as in hub-and-spoke VPN topologies. Dynamic crypto maps are still not supported for full mesh topologies. You specify the crypto map type when you configure a topology. Make sure you also specify a dynamic IP address for one of the peers in the topology. New/modified pages: > add/edit FTD VPN topology > IPsec tab > Crypto Map Type option Supported platforms: FTD |
||
|
TLS crypto acceleration |
Upgrade impact. SSL hardware acceleration has been renamed TLS crypto acceleration. Depending on the device, TLS crypto acceleration might be performed in software or in hardware. The Version 6.4.0 upgrade process automatically enables acceleration on all eligible devices, even if you previously disabled the feature manually. In most cases you cannot configure this feature; it is automatically enabled and you cannot disable it. However, if you are using the multi-instance capability of the Firepower 4100/9300 chassis, you can enable TLS crypto acceleration for one container instance per module/security engine. Acceleration is disabled for other container instances, but enabled for native instances. New FXOS CLI commands for the Firepower 4100/9300 chassis:
New FTD CLI commands:
Removed FTD CLI commands:
Supported platforms: Firepower 2100 series, Firepower 4100/9300 |
||
|
Event Logging and Analysis |
|||
|
Improvements to syslog messages for file and malware events |
Fully qualified file and malware event data can now be sent from managed devices via syslog. New/modified pages: > add/edit policy > Logging tab > File and Malware Settings area Supported platforms: Any |
||
|
Search intrusion events by CVE ID |
You can now search for intrusion events generated as a result of a particular CVE exploit. New/modified pages: Supported platforms: FMC |
||
|
IntrusionPolicy field is now included in syslog |
Intrusion event syslog messages now specify the intrusion policy that triggered the event. Supported platforms: Any |
||
|
Cisco SecureX integration |
Cisco SecureX is a cloud offering that helps you rapidly detect, investigate, and respond to threats. This feature lets you analyze incidents using data aggregated from multiple products, including Firepower Threat Defense. Note that the FMC web interface refers to this offering as Cisco Threat Response (CTR). See the Cisco Secure Firewall Threat Defense and SecureX Integration Guide.New/modified pages: Supported platforms: FTD |
||
|
Splunk integration |
Splunk users can use a new, separate Splunk app, Cisco Secure Firewall (f.k.a. Firepower) app for Splunk, to analyze events. Available functionality is affected by your Firepower version. See Cisco Secure Firewall App for Splunk User Guide. Supported platforms: FMC |
||
|
Cisco Security Analytics and Logging (SaaS) integration |
You can send Firepower events to the Stealthwatch Cloud for storage, and optionally make your Firepower event data available for security analytics using Stealthwatch Cloud. Using Cisco Security Analytics and Logging (SaaS), also known as SAL (SaaS), your Firepower devices send events as syslog messages to a Security Events Connector (SEC) installed on a virtual machine on your network, and this SEC forwards the events to the Stealthwatch cloud for storage. You view and work with your events using the web-based Cisco Defense Orchestrator (CDO) portal. Depending on the license you purchase, you can also use the Stealthwatch portal to access that product's analytics features. Supported platforms: FTD with FMC |
||
|
Administration and Troubleshooting |
|||
|
New licensing capabilities for ISA 3000 |
For ASA FirePOWER and FTD deployments, the ISA 3000 now supports URL Filtering and Malware licenses and their associated features. For FTD only, the ISA 3000 also now supports Specific License Reservation for approved customers. Supported platforms: ISA 3000 |
||
|
Scheduled remote backups of managed devices |
You can now use the FMC to schedule remote backups of certain managed devices. Previously, only Firepower 7000/8000 series devices supported scheduled backups, and you had to use the device's local GUI. New/modified pages: > add/edit task > choose Job Type: Backup > choose a Backup Type Supported platforms: FTD physical platforms, FTDv for VMware, Firepower 7000/8000 series Exceptions: No support for FTD clustered devices or container instances |
||
|
Ability to disable Duplicate Address Detection (DAD) on management interfaces |
When you enable IPv6, you can disable DAD. You might want to disable DAD because using DAD opens up the possibility of denial of service attacks. If you disable this setting, you need check manually that this interface is not using an already-assigned address. New/modified pages: area > edit interface > IPv6 DAD check box Supported platforms: FMC, Firepower 7000/8000 series |
||
|
Ability to disable ICMPv6 Echo Reply and Destination Unreachable messages on management interfaces |
When you enable IPv6, you can now disable ICMPv6 Echo Reply and Destination Unreachable messages. You might want to disable these packets to guard against potential denial of service attacks. Disabling Echo Reply packets means you cannot use IPv6 ping to the device management interfaces for testing purposes. New/modified pages: New/modified commands:
Supported platforms: FMC (web interface only), managed devices (CLI only) |
||
|
Support for the Service-Type attribute for FTD users defined on the RADIUS server |
For RADIUS authentication of FTD CLI users, you used to have to predefine the usernames in the RADIUS external authentication object and manually make sure that the list matched usernames defined on the RADIUS server. You can now define CLI users on the RADIUS server using the Service-Type attribute and also define both Basic and Config user roles. To use this method, be sure to leave the shell access filter blank in the external authentication object. New/modified pages: tab > add/edit external authentication object > Shell Access Filter Supported platforms: FTD |
||
|
View object use |
The object manager now allows you to see the policies, settings, and other objects where a network, port, VLAN, or URL object is used. New/modified pages: Objects > Object Management > choose object type > Find Usage (binoculars) icon Supported platforms: FMC |
||
|
Hit counts for access control and prefilter rules |
You can now access hit counts for access control and prefilter rules on your FTD devices. New/modified pages:
New commands:
Modified commands: show failover Supported platforms: FTD |
||
|
URL Filtering health monitor improvements |
You can now configure time thresholds for URL Filtering Monitor alerts. New/modified pages: > add/edit policy > URL Filtering Monitor Supported platforms: Any |
||
|
Connection-based troubleshooting |
Connection-based troubleshooting or debugging provides uniform debugging across modules to collect appropriate logs for a specific connection. It also supports level-based debugging up to 7 levels and enables uniform log collection mechanism for lina and Snort logs. New/modified commands:
Supported platforms: FTD |
||
|
New Cisco Success Network monitoring capabilities |
Added the following Cisco Success Network monitoring capabilities:
Supported platforms: FMC |
||
|
Security and Hardening |
|||
|
Signed SRU, VDB, and GeoDB updates |
So Firepower can verify that you are using the correct update files, Version 6.4.0+ uses signed updates for intrusion rules (SRU), the vulnerability database (VDB), and the geolocation database (GeoDB). Earlier versions continue to use unsigned updates. Unless you manually download updates from Cosco—for example, in an air-gapped deployment—you should not notice any difference in functionality. If, however, you do manually download and install SRU, VDB, and GeoDB updates, make sure you download the correct package for your current version. Signed update files for Version 6.4.0+ begin with 'Cisco' instead of 'Sourcefire,' and terminate in .sh.REL.tar instead of .sh:
Update files for Version 5.x through 6.3 still use the old naming scheme:
We will provide both signed and unsigned updates until the end-of-support for versions that require unsigned updates. Do not untar signed (.tar) packages.
Supported platforms: Any |
||
|
SNMPv3 users can authenticate using a SHA-256 authorization algorithm |
SNMPv3 users can now authenticate using a SHA-256 algorithm. New/modified screen: Devices > Platform Settings > SNMP > Users > Auth Algorithm Type Supported platforms: Firepower Threat Defense |
||
|
2048-bit certificate keys now required (security enhancement) |
Upgrade impact. When making secure connections to external data sources, such as AMP for Endpoints or Cisco Threat Intelligence Detector (TID), the FMC now requires that the server certificate be generated with keys that are at least 2048 bits long. Certificates previously generated with 1024-bit keys will no longer work. Note that this security enhancement was introduced in Version 6.3.0.3. If you are upgrading from Version 6.1.0 through 6.3.0.2, you may be affected. If you cannot connect, regenerate the server certificate on your data source. If necessary, reconfigure the FMC connection to the data source. Supported platforms: FMC |
||
|
Usability and Performance |
|||
|
Snort restart improvements |
Before Version 6.4.0, during Snort restarts, the system dropped encrypted connections that matched a 'Do not decrypt' SSL rule or default policy action. Now, routed/transparent traffic passes without inspection instead of dropping, as long as you did not disable large flow offload or Snort preserve-connection. Supported platforms: Firepower 4100/9300 |
||
|
Performance improvement for selected IPS traffic |
Upgrade impact. Egress optimization is a performance feature targeted for selected IPS traffic. The feature is enabled by default on all FTD platforms. The Version 6.4.0 upgrade process enables egress optimization on eligible devices. For more information, see the Cisco Secure Firewall Threat Defense Command Reference. To troubleshoot issues with egress optimization, contact Cisco TAC. Supported platforms: FTD New/modified commands:
|
||
|
Faster SNMP event logging |
Performance improvements when sending intrusion and connection events to an external SNMP trap server. Supported platforms: Any |
||
|
Faster deploy |
Improvements to appliance communications and deploy framework. Supported platforms: FTD |
||
|
Faster upgrade |
Improvements to the event database. Supported platforms: Any |
||
|
Firepower Management Center REST API |
|||
|
New REST API capabilities |
Added REST API objects to support Version 6.4.0 features:
Supported platforms: FMC |
||
|
API Explorer based on OAS |
Version 6.4.0 uses a new API Explorer, based on the OpenAPI Specification (OAS). As part of the OAS, you now use CodeGen to generate sample code. You can still access the legacy API Explorer if you prefer. Supported platforms: FMC |
||
New Features in FDM Version 6.4
|
Feature |
Description |
|---|---|
|
Version 6.4.0.10 Manually uploading VDB, GeoDB, and SRU updates |
You can now manually retrieve update packages for VDB, Geolocation Database, and Intrusion Rules, and then upload them from your workstation to the FTD device using FDM. For example, if you have an air-gapped network, where FDM cannot retrieve updates from the Cisco Cloud, you can now get the update packages you need. We updated the Device > Updates page to allow you to select and upload a file from your workstation. Note that this feature is not supported in Version 6.5.0. It is reintroduced in Version 6.6.0. If you are running Version 6.4.0.10 or later patch, we recommend you upgrade directly to Version 6.6.0+, without using Version 6.5.0 as an intermediate version. |
|
Version 6.4.0.10 Universal Permanent License Reservation (PLR) mode |
If you have an air-gapped network, where there is no path to the internet, you cannot register directly with the Cisco Smart Software Manager (CSSM) for Smart Licensing. In this situation, you can now get authorization to use Universal Permanent License Reservation (PLR) mode, where you can apply a license that does not need direct communication with CSSM. If you have an air-gapped network, please contact your account representative and ask for authorization to use Universal PLR mode in your CSSM account, and to obtain the necessary licenses. We added the ability to switch to PLR mode, and to cancel and unregister a Universal PLR license, to the Device > Smart License page. In the FTD API, there are new resources for PLRAuthorizationCode, PLRCode, PLRReleaseCode, PLRRequestCode, and actions for PLRRequestCode, InstallPLRCode, and CancelReservation. Note that this feature is not supported in Version 6.5.0. It is reintroduced in Version 6.6.0. If you are running Version 6.4.0.10 or later patch, we recommend you upgrade directly to Version 6.6.0+, without using Version 6.5.0 as an intermediate version. |
|
Version 6.4.0.9 Default HTTPS server certificates |
Upgrade impact. Upgrading FDM from Version 6.4.0–6.4.0.8 to any later Version 6.4.0.x patch (or to Version 6.6.0+) renews the default HTTPS server certificate, which expires 800 days from the date of the upgrade. All future renewals have an 800 day lifespan. Your old certificate was set to expire depending on when it was generated, as follows:
Note that in Version 6.5.0–6.5.0.4, the lifespan-on-renew returns to 3 years, but this is again updated to 800 days with Version 6.5.0.5 and 6.6.0. |
|
Version 6.4.0.4 New syslog fields |
These new syslog fields collectively identify a unique connection event:
These fields also appear in syslogs for intrusion, file, and malware events, allowing connection events to be associated with those events. |
|
Feature |
Description |
|---|---|
|
Firepower 1000 series device configuration. |
You can configure FTD on Firepower 1000 series devices using FDM. Note that you can configure and use the Power over Ethernet (PoE) ports as regular Ethernet ports, but you cannot enable or configure any PoE-related properties. |
|
Hardware bypass for the ISA 3000. |
You can now configure hardware bypass for the ISA 3000 on the page. In release 6.3, you needed to configure hardware bypass using FlexConfig. If you are using FlexConfig, please redo the configuring on the Interfaces page and remove the hardware bypass commands from FlexConfig. However, the portion of the FlexConfig devoted to disabling TCP sequence number randomization is still recommended. |
|
Ability to reboot and shut down the system from the FDM CLI Console. |
You can now issue the reboot and shutdown commands through the CLI Console in FDM. Previously, you needed to open a separate SSH session to the device to reboot or shut down the system. You must have Administrator privileges to use these commands. |
|
External Authentication and Authorization using RADIUS for FTD CLI Users. |
You can use an external RADIUS server to authenticate and authorize users logging into the FTD CLI. You can give external users config (administrator) or basic (read-only) access. We added the SSH configuration to the AAA Configuration tab on the page. |
|
Support for network range objects and nested network group objects. |
You can now create network objects that specify a range of IPv4 or IPv6 addresses, and network group objects that include other network groups (that is, nested groups). We modified the network object and network group object Add/Edit dialog boxes to include these features, and modified the various security policies to allow the use of these objects, contingent on whether address specifications of that type make sense within the context of the policy. |
|
Full-text search options for objects and rules. |
You can do a full-text search on objects and rules. By searching a policy or object list that has a large number of items, you can find all items that include your search string anywhere within the rule or object. We added a search box to all policies that have rules, and to all pages on the Objects list. In addition, you can use the filter=fts~search-string option on GET calls for supported objects in the API to retrieve items based on a full-text search. |
|
Obtaining a list of supported API versions for an FDM-managed FTD device. |
You can use the GET /api/versions (ApiVersions) method to get a list of the API versions that are supported on a device. You can use your API client to communicate and configure the device using commands and syntax valid for any of the supported versions. |
|
FTD REST API version 3 (v3). |
The FTD REST API for software version 6.4 has been incremented to version 3. You must replace v1/v2 in the API URLs with v3. The v3 API includes many new resources that cover all features added in software version 6.4. Please re-evaluate all existing calls, as changes might have been mode to the resource models you are using. To open the API Explorer, where you can view the resources, change the end of the FDM URL to /#/api-explorer after logging in. |
|
Hit counts for access control rules. |
You can now view hit counts for access control rules. The hit counts indicate how often connections matched the rule. We updated the access control policy to include hit count information. In the FTD API, we added the HitCounts resource and the includeHitCounts and filter=fetchZeroHitCounts options to the GET Access Policy Rules resource. |
|
Site-to-Site VPN enhancements for dynamic addressing and certificate authentication. |
You can now configure site-to-site VPN connections to use certificates instead of preshared keys to authenticate the peers. You can also configure connections where the remote peer has an unknown (dynamic) IP address. We added options to the Site-to-Site VPN wizard and the IKEv1 policy object. |
|
Support for RADIUS servers and Change of Authorization in remote access VPN. |
You can now use RADIUS servers for authenticating, authorizing, and accounting remote access VPN (RA VPN) users. You can also configure Change of Authentication (CoA), also known as dynamic authorization, to alter a user’s authorization after authentication when you use a Cisco ISE RADIUS server. We added attributes to the RADIUS server and server group objects, and made it possible to select a RADIUS server group within an RA VPN connection profile. |
|
Multiple connection profiles and group policies for remote access VPN. |
You can configure more than one connection profile, and create group policies to use with the profiles. We changed the page to have separate pages for connection profiles and group policies, and updated the RA VPN Connection wizard to allow the selection of group policies. Some items that were previously configured in the wizard are now configured in the group policy. |
|
Support for certificate-based, second authentication source, and two-factor authentication in remote access VPN. |
You can use certificates for user authentication, and configure secondary authentication sources so that users must authenticate twice before establishing a connection. You can also configure two-factor authentication using RSA tokens or Duo passcodes as the second factor. We updated the RA VPN Connection wizard to support the configuration of these additional options. |
|
Support for IP address pools with multiple address ranges, and DHCP address pools, for remote access VPN. |
You can now configure address pools that have more than one address range by selecting multiple network objects that specify subnets. In addition, you can configure address pools in a DHCP server and use the server to provide addresses to RA VPN clients. If you use RADIUS for authorization, you can alternatively configure the address pools in the RADIUS server. We updated the RA VPN Connection wizard to support the configuration of these additional options. You can optionally configure the address pool in the group policy instead of the connection profile. |
|
Active Directory realm enhancements. |
You can now include up to 10 redundant Active Directory (AD) servers in a single realm. You can also create multiple realms and delete realms that you no longer need. In addition, the limit for downloading users in a realm is increased to 50,000 from the 2,000 limit in previous releases. We updated the page to support multiple realms and servers. You can select the realm in the user criteria of access control and SSL decryption rules, to apply the rule to all users within the realm. You can also select the realm in identity rules and RA VPN connection profiles. |
|
Redundancy support for ISE servers. |
When you configure Cisco Identity Services Engine (ISE) as an identity source for passive authentication, you can now configure a secondary ISE server if you have an ISE high availability setup. We added an attribute for the secondary server to the ISE identity object. |
|
File/malware events sent to external syslog servers. |
You can now configure an external syslog server to receive file/malware events, which are generated by file policies configured on access control rules. File events use message ID 430004, malware events are 430005. We added the File/Malware syslog server options to the page. |
|
Logging to the internal buffer and support for custom event log filters. |
You can now configure the internal buffer as a destination for system logging. In addition, you can create event log filters to customize which messages are generated for the syslog server and internal buffer logging destinations. We added the Event Log Filter object to the Objects page, and the ability to use the object on the page. The internal buffer options were also added to the Logging Settings page. |
|
Certificate for the FDM Web Server. |
You can now configure the certificate that is used for HTTPS connections to the FDM configuration interface. By uploading a certificate your web browsers already trust, you can avoid the Untrusted Authority message you get when using the default internal certificate. We added the page. |
|
Cisco Threat Response support. |
You can configure the system to send intrusion events to the Cisco Threat Response cloud-based application. You can use Cisco Threat Response to analyze intrusions. We added Cisco Threat Response to the page. |
New Hardware and Virtual Platforms in Version 6.4
|
Feature |
Description |
|---|---|
|
FMC 1600, 2600, and 4600 |
We introduced the FMC models FMC 1600, 2600, and 4600. |
|
FMCv for Azure. |
We introduced FMCv for Microsoft Azure. |
|
FTD on the Firepower 1010, 1120, and 1140. |
We introduced the Firepower 1010, 1120, and 1140. |
|
FTD on the Firepower 4115, 4125, and 4145. |
We introduced the Firepower 4115, 4125, and 4145. |
|
Firepower 9300 SM-40, SM-48, and SM-56. support |
We introduced three new security modules: SM-40, SM-48, and SM-56. With FXOS 2.6.1, you can mix different types of security modules in the same chassis. |
|
ASA and FTD on the same Firepower 9300. |
With FXOS 2.6.1, you can now deploy ASA and FTD logical devices on the same Firepower 9300. |
New Intrusion Rules and Keywords
Upgrades can import and auto-enable intrusion rules.
Intrusion rule updates (SRUs/LSPs) provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU/LSP.
After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.
You can find your Snort version in the Bundled Components section of the compatibility guide, or use one of these commands:
-
FMC: Choose .
-
FDM: Use the show summary CLI command.
The Snort release notes contain details on new keywords. You can read the release notes on the Snort download page: https://www.snort.org/downloads.
Feedback