Platform
|
VMware vSphere/VMware ESXi 7.0 support.
|
7.0
|
7.0
|
You can now deploy FMCv, FTDv, and NGIPSv virtual appliances on
VMware vSphere/VMware ESXi 7.0.
Note that Version 7.0 also discontinues support for VMware 6.0.
Upgrade the hosting environment to a supported version before
you upgrade the Firepower software.
|
FMCv for HyperFlex, Nutanix, and OpenStack.
|
7.0
|
Any
|
We now support FMCv2, v10, and v25 for Cisco HyperFlex, Nutanix
Enterprise Cloud, and OpenStack.
FMCv for HyperFlex supports high availability with FMCv10 and
v25. If you are managing FTD devices, you need two identically
licensed FMCs, as well as one FTD entitlement for each managed
device. For example, to manage 10 devices with an FMCv10 high
availability pair, you need two FMCv10 entitlements and 10 FTD
entitlements. If you are managing Classic devices only (NGIPSv
or ASA FirePOWER), you do not need FMCv entitlements.
|
FTDv for HyperFlex, Nutanix, and OpenStack.
|
7.0
|
7.0
|
We now support FTDv for Cisco HyperFlex, Nutanix Enterprise
Cloud, and OpenStack.
|
FTDv performance tiered Smart
Licensing.
|
7.0
|
7.0
|
Upgrade impact. Upgrading
automatically assigns devices to the FTDv Variable
tier.
FTDv now supports performance-tiered Smart
Software Licensing, based on throughput requirements and RA VPN
session limits. Options run from FTDv5 (100 Mbps/50 sessions) to
FTDv100 (16 Gbps/10,000 sessions).
Before you add a new
device, make sure your account contains the licenses you need.
To purchase additional licenses, contact your Cisco
representative or partner contact. Upgrading FTDv to Version 7.0
automatically assigns the device to the FTDv Variable tier,
although you can change this later.
For more information on
changing performance tiers, supported instances, throughputs, and
other hosting requirements, see the appropriate Getting Started
Guide.
New/modified pages:
|
FTD Clustering
|
Improved PAT port block allocation for clustering
|
7.0
|
7.0
|
The improved PAT port block allocation ensures that the control
unit keeps ports in reserve for joining nodes, and proactively
reclaims unused ports. To best optimize the allocation, you can
set the maximum nodes you plan to have in the cluster with the
cluster-member-limit command in FlexConfig. The control unit can then allocate port blocks
to the planned number of nodes, and it will not have to reserve
ports for extra nodes you don't plan to use. The default is 16
nodes. You can also monitor syslog 747046 to ensure that there
are enough ports available for a new node.
New/modified commands: cluster-member-limit (FlexConfig), show nat pool cluster [summary], show nat pool ip detail
Supported platforms: Firepower 4100/9300
|
FTD CLI show cluster history
improvements.
|
7.0
|
7.0
|
New keywords allow you to customize the output of the show cluster history command.
New/modified commands: show cluster history [brief] [latest] [reverse] [time]
Supported platforms: Firepower 4100/9300
|
FTD CLI command to permanently leave a cluster.
|
7.0
|
7.0
|
You can now use the FTD CLI to permanently remove a unit from the
cluster, converting its configuration to a standalone
device.
New/modified commands: cluster reset-interface-mode
Supported platforms: Firepower 4100/9300
|
FTD NAT
|
Prioritized system-defined NAT rules for FTD.
|
7.0
|
7.0
|
We added a new Section 0 to the NAT rule table. This section is
exclusively for the use of the system. Any NAT rules that the
system needs for normal functioning are added to this section,
and these rules take priority over any rules you create.
Previously, system-defined rules were added to Section 1, and
user-defined rules could interfere with proper system
functioning.
You cannot add, edit, or delete Section 0 rules, but you will see
them in show nat detail command output.
|
FTD Routing
|
Virtual router support for the ISA 3000.
|
7.0
|
7.0
|
You can now configure up to 10 virtual routers on an ISA 3000
device.
|
FTD VPN: Site to Site
|
Backup virtual tunnel interfaces (VTI) for route-based
site-to-site VPN.
|
7.0
|
6.7
|
When you configure a site-to-site VPN that uses virtual tunnel
interfaces, you can select a backup VTI for the tunnel.
Specifying a backup VTI provides resiliency, so that if the
primary connection goes down, the backup connection might still
be functional. For example, you could point the primary VTI to
the endpoint of one service provider, and the backup VTI to the
endpoint of a different service provider.
New/modified pages: We added the ability to add a backup VTI to
the site-to-site VPN wizard when you select Route-Based as the
VPN type for a point-to-point connection.
|
FTD VPN: Remote Access
|
Load balancing.
|
7.0
|
7.0
|
We now support RA VPN load balancing. The system distributes
sessions among grouped devices by number of sessions; it does
not consider traffic volume or other factors.
New/modified screens: We added load balancing options to the
Advanced settings in an RA VPN policy.
|
Local authentication.
|
7.0
|
7.0
|
We now support local authentication for RA VPN users. You can use
this as the primary or secondary authentication method, or as a
fallback in case the configured remote server cannot be
reached.
- Create a local realm.
  Local usernames and passwords are stored in local realms. When you create a realm (System ( )) and select the new LOCAL realm type, the system prompts you to add one or more local users.
- Configure RA VPN to use local authentication.
  Create or edit an RA VPN policy (Devices > VPN > Remote Access), create a connection profile within that policy, then specify LOCAL as the primary, secondary, or fallback authentication server in that connection profile.
- Associate the local realm you created with an RA VPN policy.
  In the RA VPN policy editor, use the new Local Realm setting. Every connection profile in the RA VPN policy that uses local authentication will use the local realm you specify here.
|
Dynamic access policies.
|
7.0
|
Any
|
The new dynamic access policy allows you to configure remote
access VPN authorization that automatically adapts to a changing
environment:
- Configure HostScan by uploading the AnyConnect HostScan package as an AnyConnect file (Objects > Object Management > VPN > AnyConnect File). There is a new HostScan Package option in the File Type drop-down list.
  This module runs on endpoints and performs a posture assessment that the dynamic access policy will use.
- Create a dynamic access policy (Devices > Dynamic Access Policy).
  Dynamic access policies specify session attributes (such as group membership and endpoint security) that you want to evaluate each time a user initiates a session. You can then deny or grant access based on that evaluation.
- Associate the dynamic access policy you created with an RA VPN policy.
  In the remote access VPN policy editor, use the new Dynamic Access Policy setting.
|
Multi-certificate authentication.
|
7.0
|
7.0
|
We now support multi-certificate authentication for remote access
VPN users. You can validate the machine or device certificate,
to ensure the device is a corporate-issued device, in addition
to authenticating the user’s identity certificate to allow VPN
access using the AnyConnect client during SSL or IKEv2 EAP
phase.
|
AnyConnect custom attributes.
|
7.0
|
7.0
|
We now support AnyConnect custom attributes, and provide an
infrastructure to configure AnyConnect client features without
adding explicit support for these features in the system.
|
Access Control: Threat Detection and Application
Identification
|
Snort 3 for FTD.
|
7.0
|
7.0
|
For new FTD deployments, Snort 3 is now the default
inspection engine. Upgraded deployments continue to use
Snort 2, but you can switch at any time.
Advantages to using Snort 3 include, but are not limited
to:
- Improved performance.
- Improved SMBv2 inspection.
- New script detection capabilities.
- HTTP/2 inspection.
- Custom rule groups.
- Syntax that makes custom intrusion rules easier to write.
- Reasons for 'would have dropped' inline results in intrusion events.
- No Snort restarts when deploying changes to the VDB, SSL policies, custom application detectors, captive portal identity sources, and TLS server identity discovery.
- Improved serviceability, due to Snort 3-specific telemetry data sent to Cisco Success Network, and to better troubleshooting logs.
A Snort 3 intrusion rule update is called an LSP
(Lightweight Security Package) rather than an SRU. The
system still uses SRUs for Snort 2; downloads from Cisco
contain both the latest LSP and SRU. The system
automatically uses the appropriate rule set for your
configurations.
The FMC can manage a deployment with both Snort 2 and Snort 3
devices, and will apply the correct policies to each device.
However, unlike Snort 2, you cannot update Snort 3 on a
device by upgrading the FMC only and then deploying. With
Snort 3, new features and resolved bugs require you upgrade
the software on the FMC and its managed devices. For
information on the Snort included with each software
version, see the Bundled Components section of
the Cisco Firepower Compatibility
Guide.
Important
|
Before you switch to Snort 3, we strongly
recommend you read and understand the Firepower Management Center Snort 3
Configuration Guide. Pay special attention to feature limitations and
migration instructions. Although upgrading to Snort 3 is
designed for minimal impact, features do not map
exactly. Careful planning and preparation can help you
make sure that traffic is handled as expected.
|
You can also visit the Snort 3 website: https://snort.org/snort3.
|
Access Control: Identity
|
Cross-domain trust for Active Directory domains.
|
7.0
|
Any
|
You can now configure user identity rules with users from
Microsoft Active Directory forests (groupings of AD domains that
trust each other).
New/modified pages:
|
Event Logging and Analysis
|
Improved process for storing events in a Secure Network Analytics on-prem deployment.
|
7.0
|
7.0
|
A new Cisco Security
Analytics and Logging (On Premises) app and a new FMC wizard make it easier to configure remote
data storage for on-prem Secure Network Analytics solutions:
- Deploy hardware or virtual Stealthwatch appliances.
  You can use a Stealthwatch Management Console alone, or you can configure Stealthwatch Management Console, flow collector, and data store.
- Install the new Cisco Security Analytics and Logging (On Premises) app on your Stealthwatch Management Console to configure Stealthwatch as a remote data store.
- On the FMC, use one of the new wizards on System ( ) to connect to your Stealthwatch deployment.
  Note that the wizards replace the narrower-focus page where you used to configure Stealthwatch contextual cross-launch; that is now a step in the wizard.
For upgraded deployments where you were using syslog to send
Firepower events to Stealthwatch, disable those configurations
before you use the wizard. Otherwise, you will get double
events. To remove the syslog connection to Stealthwatch use FTD
platform settings (Devices > Platform
Settings); to disable sending events to syslog,
edit your access control rules.
For more information, including Stealthwatch hardware and
software requirements, see Cisco Security Analytics
and Logging (On Premises): Firewall Event Integration
Guide.
|
Work with events stored remotely in a Secure Network Analytics
on-prem deployment.
|
7.0
|
Any
|
You can now use the FMC to work with connection events stored
remotely in a Secure Network Analytics on-prem deployment.
A new Data Source option on the connection
events page (Analysis > Connections >
Events) and in the unified event viewer
(Analysis > Unified Events) allows you to choose
which connection events you want to work with. The default is to
display locally stored connection events, unless there are none
in the time range. In that case, the system displays remotely
stored events.
We also added a data source option to report templates
(Overview > Reporting > Report
Templates), so that you can generate reports
based on remotely stored connection events.
Note
|
This feature is supported for connection events only;
cross-launch is still the only way to examine remotely
stored Security Intelligence, intrusion, file and malware
events. Even in the unified event viewer, the system only
displays locally stored events of those types.
However, note that for every Security Intelligence event,
there is an identical connection event—these are the events
with reasons such as 'IP Block' or 'DNS Block.' You can work
with those duplicated events on the connection events page
or in the unified event viewer, but not on the dedicated
Security Intelligence events page.
|
|
Store all connection events in the Secure Network Analytics
cloud.
|
7.0
|
Any
|
You can now store all connection events in the Stealthwatch cloud
using Cisco Security Analytics and Logging (SaaS). Previously,
you were limited to security events: Security Intelligence,
intrusion, file, and malware events, as well as their associated
connection events.
To change the events you send to the cloud, choose System ( ) > Integration. On the
Cloud Services tab, edit the
Cisco Cloud Event Configuration. The
old option to send high priority connection events to the cloud
has been replaced with a choice of All,
None, or Security
Events.
Note
|
These settings also control which events you send to SecureX.
However, even if you choose to send all connection events to
the cloud, SecureX consumes only the security (higher
priority) connection events. Also note that you now
configure the SecureX connection itself on
Analysis > SecureX.
|
|
Unified event viewer.
|
7.0
|
Any
|
The unified event viewer () displays connection, Security Intelligence, intrusion, file,
and malware events in a single table. This can help you look for
relationships between events of different types.
A single search field allows you to dynamically filter the view
based on multiple criteria, and a Go Live
option displays events received from managed devices in real
time.
|
SecureX ribbon.
|
7.0
|
Any
|
The SecureX ribbon on the FMC pivots into SecureX for instant
visibility into the threat landscape across your Cisco security
products.
To connect with SecureX and enable the ribbon, use System ( ). Note that you must still use System ( ) > Integration > Cloud
Services to choose your cloud region and to
specify which events to send to SecureX.
For more information, see the Cisco Secure Firewall
Threat Defense and SecureX Integration
Guide.
|
Exempt all connection events from rate limiting when you turn off
local storage.
|
7.0
|
Any
|
Event rate limiting applies to all events sent to the FMC, with
the exception of security events: Security Intelligence,
intrusion, file, and malware events, as well as their associated
connection events.
Now, disabling local connection event storage exempts all
connection events from rate limiting, not just security events.
To do this, set the Maximum Connection
Events to zero on System ( ) > Configuration >
Database.
Note
|
Other than turning it off by setting it to zero,
Maximum Connection Events does
not govern connection event rate limiting. Any non-zero
number in this field ensures that all lower-priority
connection events are rate limited.
|
Note that disabling local event storage does not affect remote
event storage, nor does it affect connection summaries or
correlation. The system still uses connection event information
for features like traffic profiles, correlation policies, and
dashboard displays.
|
Port and protocol displayed together in file and malware event
tables.
|
7.0
|
Any
|
In file and malware event tables, the port field now displays the
protocol, and you can search port fields for
protocol.
For events that existed before upgrade, if the protocol is not
known, the system uses "tcp."
New/modified pages:
|
Health Monitoring
|
New health modules.
|
7.0
|
Module dependent
|
We added the following health modules:
- AMP Connection Status
- AMP Threat Grid Status
- ASP Drop
- Advanced Snort Statistics
- Chassis Status FTD
- Event Stream Status
- FMC Access Configuration Changes
- FMC HA Status (replaces HA Status)
- FTD HA Status
- File System Integrity Check
- Flow Offload
- Hit Count
- MySQL Status
- NTP Status FTD
- Rabbit MQ Status
- Routing Statistics
- SSE Connection Status
- Sybase Status
- Unresolved Groups Monitor
- VPN Statistics
- xTLS Counters
Additionally, full support returns for the Configuration Memory
Allocation module, which was introduced in Version 6.6.3 as the
Appliance Configuration Resource Utilization module, but was not
fully supported in Version
6.7.
|
Deployment and Policy Management
|
Dynamic objects.
|
7.0
|
7.0
|
You can now use dynamic objects in access control
rules.
A dynamic object is just a list of IP addresses/subnets (no
ranges, no FQDN). But unlike a network object, changes to
dynamic objects take effect immediately, without having to
redeploy. This is useful in virtual and cloud environments,
where IP addresses often dynamically map to workload resources.
To create and manage dynamic objects, we recommend the Cisco Secure Dynamic Attributes Connector. The connector is a separate, lightweight application that
quickly and seamlessly updates firewall policies based on
workload changes. To do this, it gets workload attributes from
tagged resources in your environment, and compiles an IP list
based on criteria you specify (a “dynamic attributes filter”).
It then creates a dynamic object on the FMC and populates it
with the IP list. When your workload changes, the connector
updates the dynamic object and the system immediately starts
handling traffic based on the new mappings. For more
information, see the Cisco Secure Dynamic Attributes
Connector Configuration
Guide.
After you create a dynamic object, you can add it to access
control rules on the new Dynamic
Attributes tab in the access control rule
editor. This tab replaces the narrower-focus SGT/ISE
Attributes tab; continue to configure rules with
SGT attributes here.
Supported virtual/cloud workloads for Cisco Secure Dynamic
Attributes Connector integration: Microsoft Azure, AWS, VMware
|
Global search for policies and objects.
|
7.0
|
Any
|
You can now search for certain policies by name, and for certain
objects by name and configured value. This feature is not
available with the Classic theme.
New/modified pages: We added capabilities to the
Search icon and field on the FMC menu
bar, to the left of the Deploy menu.
|
Selectively deploy RA and site-to-site VPN policies.
|
7.0
|
Any
|
Selective policy deployment, which was introduced in Version 6.6,
now supports remote access and site-to-site VPN policies for
FTD.
New/modified pages: We added VPN policy options on the
Deploy > Deployment page.
|
FTD Upgrade
|
Improved FTD upgrade performance and status reporting.
|
7.0
|
7.0
|
FTD upgrades are now easier, faster, more reliable, and take
up less disk space. A new Upgrades
tab in the Message Center provides further enhancements to
upgrade status and error reporting.
|
Upgrade wizard for FTD.
|
7.0
|
Any
|
A new device upgrade page () on the FMC provides an easy-to-follow wizard for upgrading Version 6.4+ FTD devices. It walks you through important pre-upgrade
stages, including selecting devices to upgrade, copying the upgrade package to the devices, and compatibility and readiness
checks.
To begin, use the new Upgrade Firepower Software action on the Device Management page.
As you proceed, the system displays basic information about
your selected devices, as well as the current
upgrade-related status. This includes any reasons why you
cannot upgrade. If a device does not "pass" a stage in the
wizard, it does not appear in the next stage.
If you navigate away from the wizard, your progress is preserved,
although other users with Administrator access can reset,
modify, or continue the wizard.
Note
|
You must still use to upload or specify the location of FTD upgrade packages. You must also use the System Updates page to upgrade the FMC itself,
as well as all non-FTD managed devices.
|
Note
|
In Version 7.0, the wizard does not correctly display
devices in clusters or high availability pairs. Even
though you must select and upgrade these devices as a
unit, the wizard displays them as standalone devices.
Device status and upgrade readiness are evaluated and
reported on an individual basis. This means it is
possible for one unit to appear to "pass" to the next
stage while the other unit or units do not. However,
these devices are still grouped. Running a readiness
check on one runs it on all. Starting the upgrade on
one starts it on all.
To avoid possible time-consuming upgrade failures,
manually ensure all group members are ready
to move on to the next step of the wizard before you
click Next.
|
|
Upgrade more FTD devices at once.
|
7.0
|
Upgrades to 6.7+
|
The number of devices you can upgrade at once is now limited
by your management network bandwidth—not the system's
ability to manage simultaneous upgrades. Previously, we
recommended against upgrading more than five devices at a
time.
Important
|
Only upgrades to FTD Version 6.7+ using the FTD upgrade
wizard see this improvement. If you are upgrading
devices to an older FTD release—even if you are using
the new upgrade wizard—we still recommend you limit to
five devices at a time.
|
|
Upgrade different device models together.
|
7.0
|
Any
|
You can now use the FTD upgrade wizard to queue and invoke
upgrades for all FTD models at the same time, as long as the
system has access to the appropriate upgrade packages.
Previously, you would choose an upgrade package, then choose
the devices to upgrade using that package. That meant that
you could upgrade multiple devices at the same time
only if they shared an upgrade package. For
example, you could upgrade two Firepower 2100 series devices
at the same time, but not a Firepower 2100 series and a
Firepower 1000 series.
|
Administration and Troubleshooting
|
Zero-touch restore for the ISA 3000 using the SD card.
|
7.0
|
7.0
|
When you perform a local backup, the backup file is copied to the
SD card if present. To restore the configuration on a
replacement device, simply install the SD card in the new
device, and depress the Reset button for 3 to 15 seconds during
the device bootup.
|
Security and Hardening
|
New default password for AWS deployments.
|
7.0
|
7.0
|
For FMCv/FTDv for AWS, the default password for the admin account
is now the AWS Instance ID, unless you define a default password
with user data (Advanced Details > User
Data) during the initial deployment.
Previously, the default admin password was Admin123.
|
EST for certificate enrollment.
|
7.0
|
7.0
|
We now support Enrollment over Secure Transport (EST) for
certificate enrollment.
New/modified pages: New enrollment options when configuring
Objects > PKI > Cert Enrollment > CA
Information tab.
|
Support for EdDSA certificate type.
|
7.0
|
7.0
|
A new certificate key type, EdDSA, was added with key size
256.
New/modified pages: New certificate key options when configuring
Objects > PKI > Cert Enrollment >
Key tab.
|
AES-128 CMAC authentication for NTP servers.
|
7.0
|
Any
|
You can now use AES-128 CMAC keys to secure connections between
the FMC and NTP
servers.
New/modified pages: System ( ).
|
SNMPv3 users can authenticate using a SHA-224 or SHA-384
authorization algorithm.
|
7.0
|
7.0
|
SNMPv3 users can now authenticate using a SHA-224 or SHA-384
algorithm.
New/modified pages: Devices > Platform Settings > SNMP
> Users > Auth Algorithm Type
|
Usability
|
Report appearance has changed.
|
7.0
|
Any
|
To make reports appear cleaner and easier to read, we changed red
color accents to gray and blue, removed background shading on
table and chart titles, and removed alternating row colors in
tables.
New/modified pages:
|
How-to location has changed.
|
7.0
|
Any
|
now invokes walkthroughs. Previously, you clicked
How-Tos at the bottom of the browser
window.
|
Performance
|
Hardware crypto acceleration on FTDv using Intel QuickAssist
Technology (QAT).
|
7.0
|
7.0
|
We now support hardware crypto acceleration (CBC cipher only) on
FTDv for VMware and FTDv for KVM. This feature requires an Intel
QAT 8970 PCI adapter/Version 1.7+ driver on the hosting
platform. After you reboot, hardware crypto acceleration is
automatically enabled.
|
Improved CPU usage and performance for many-to-one and
one-to-many connections.
|
7.0
|
7.0
|
The system no longer creates local host objects and locks them
when creating connections, except for connections that involve
dynamic NAT/PAT and scanning threat detection and host
statistics. This improves FTD performance and CPU usage in
situations where many connections are going to the same server
(such as a load balancer or web server), or one endpoint is
making connections to many remote hosts.
We changed the following commands: clear local-host (deprecated), show local-host
|
Deprecated Features
|
End of support: VMware
vSphere/VMware ESXi 6.0.
|
7.0
|
7.0
|
We discontinued support for virtual deployments on VMware
vSphere/VMware ESXi 6.0. Upgrade the hosting environment to a
supported version before you upgrade the Firepower software.
|
Deprecated: RSA certificates with
keys smaller than 2048 bits, or that use SHA-1 in their
signature algorithm.
|
7.0
|
7.0
|
Prevents post-upgrade VPN connections through FTD
devices.
We removed support for RSA certificates with keys smaller than
2048 bits, or that use SHA-1 in their signature algorithm.
Before you upgrade, use the object manager to update your PKI
certificate enrollments with stronger options:
Objects > PKI > Cert
Enrollment. Otherwise, although the upgrade
preserves your current settings, VPN connections through the
device will fail.
To continue managing older FTD devices only (Version 6.4–6.7.x)
with these weaker options, select the new Enable
Weak-Crypto option for each device on the
Devices > Certificates page.
|
Deprecated: MD5 authentication
algorithm and DES encryption for SNMPv3 users.
|
7.0
|
7.0
|
Deletes Users. Prevents post-upgrade deploy.
We removed support for the MD5 authentication algorithm and DES
encryption for SNMPv3 users on FTD devices.
Upgrading FTD to Version 7.0+ deletes these users from the
device, regardless of the configurations on the FMC. If you are
still using these options in your platform settings policy,
change and verify your configurations before you upgrade
FTD.
These options are in the Auth Algorithm
Type and Encryption Type
drop-downs when creating or editing an SNMPv3 user in a Threat
Defense platform settings policy: Devices > Platform
Settings.
|
Deprecated: Port 32137 comms with AMP
clouds.
|
7.0
|
Any
|
Prevents FMC upgrade.
We deprecated the FMC option to use port 32137 to obtain file
disposition data from public and private AMP clouds. Unless you
configure a proxy, the FMC now uses port 443/HTTPS.
Before you upgrade, disable the Use Legacy Port 32137
for AMP for Networks option on the System ( ) page. Do not proceed with upgrade until your AMP
for Networks deployment is working as expected.
|
Deprecated: HA Status health module.
|
7.0
|
Any
|
We renamed the HA Status health module to the FMC HA
Status health module. This is to distinguish it from the new FTD
HA Status module.
|
Deprecated: Legacy API Explorer.
|
7.0
|
Any
|
We removed support for the FMC REST API legacy API Explorer.
|
Deprecated: Geolocation details.
|
Any
|
Any
|
We no longer provide the geolocation IP
package, which contained contextual data associated with
routable IP addresses. This saves disk space and does not affect
geolocation rules or traffic handling in any way. Any contextual
data is now stale, and upgrading to most later versions deletes
the IP package. Options to view contextual data have no effect,
and are removed in later versions.
|
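The two crypto deprecations listed under Deprecated Features (RSA certificates with keys smaller than 2048 bits or SHA-1 signatures, and SNMPv3 users with MD5 authentication or DES encryption) can be checked before you upgrade. The following is an added example, not Cisco code: it assumes you have saved each certificate's `openssl x509 -noout -text` output and the device's ASA-style `snmp-server user` configuration lines; the function names and all sample inputs are constructed for illustration.

```python
import re

MIN_RSA_BITS = 2048  # threshold stated in the release note

def audit_certificate_text(text):
    """Findings for one certificate, given its `openssl x509 -noout -text` output."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if sig is None or alg is None:
        return ["unparseable certificate text; inspect manually"]
    findings = []
    # Assumption: any signature algorithm name containing "sha1" counts as SHA-1.
    if "sha1" in sig.group(1).lower():
        findings.append(f"SHA-1 signature ({sig.group(1)})")
    if alg.group(1) == "rsaEncryption":
        if bits is None:
            findings.append("RSA key size not found; inspect manually")
        elif int(bits.group(1)) < MIN_RSA_BITS:
            findings.append(f"RSA key {bits.group(1)} bits < {MIN_RSA_BITS}")
    return findings

SNMP_USER = re.compile(r"^\s*snmp-server user (\S+) (\S+) v3\b(.*)$")

def audit_snmpv3_users(config_text):
    """Map each SNMPv3 user that relies on MD5 auth or DES privacy to its findings."""
    flagged = {}
    for line in config_text.splitlines():
        m = SNMP_USER.match(line)
        if not m:
            continue
        auth = re.search(r"\bauth (\S+)", m.group(3))
        priv = re.search(r"\bpriv (\S+)", m.group(3))
        findings = []
        if auth and auth.group(1).lower() == "md5":
            findings.append("MD5 authentication")
        # Exact match on purpose: the note names DES only, so 3des/aes are not flagged.
        if priv and priv.group(1).lower() == "des":
            findings.append("DES encryption")
        if findings:
            flagged[m.group(1)] = findings
    return flagged

# Constructed sample inputs (abridged), not taken from the release notes.
SAMPLE_CERTS = {
    "legacy-vpn": """
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = legacy-vpn.example.test
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
    """,
    "current-vpn": """
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = current-vpn.example.test
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    """,
}
SAMPLE_SNMP = """
snmp-server user monitor1 grp-ro v3 encrypted auth md5 aa:bb:cc priv des dd:ee:ff
snmp-server user monitor2 grp-ro v3 encrypted auth sha256 11:22:33 priv aes 128 44:55:66
snmp-server user monitor3 grp-ro v3 encrypted auth sha 77:88:99 priv 3des aa:bb:cc
"""

def pre_upgrade_report(certs, snmp_config):
    """Collect only the items that need attention before the upgrade."""
    cert_issues = {name: f for name, text in certs.items()
                   if (f := audit_certificate_text(text))}
    return {"certificates": cert_issues, "snmpv3_users": audit_snmpv3_users(snmp_config)}

if __name__ == "__main__":
    for section, items in pre_upgrade_report(SAMPLE_CERTS, SAMPLE_SNMP).items():
        for name, findings in items.items():
            print(f"{section}: {name}: {'; '.join(findings)}")
```

Both regular expressions for the key size accept the `RSA Public-Key:` and `Public-Key:` spellings, which differ between OpenSSL releases.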