Platform Features
|
Secure Firewall 1230, 1240, and 1250.
|
See: Cisco Secure Firewall 1230, 1240, and 1250 Hardware Installation Guide
|
Secure Firewall 1210CP IEEE 802.3bt support (PoE++ and Hi-PoE).
|
We made the following improvements related to support for IEEE 802.3bt:
- PoE++ and Hi-PoE: up to 90W per port.
- Single- and dual-signature powered devices (PDs).
- Power budgeting is done on a first-come, first-served basis.
- Power budget fields were added to show power inline.
New/modified screens:
New/modified commands: show power inline
|
Instances for AWS, Azure, and GCP.
|
We added instances for threat defense virtual from the following families:
- AWS (Amazon Web Services): C6i, C6a
- Azure (Microsoft Azure): Dv4, Dv5
- GCP (Google Cloud Platform): E2, N1, N2D, C2D
See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide
|
Unattended provisioning for threat defense virtual for VMware using ISO-based cloud-init seeding.
|
|
Firewall and IPS Features
|
Hardware bypass support for inline sets.
|
If your device model supports hardware bypass, you can now configure it for inline sets containing supported interfaces.
We added the Bypass option to inline set configuration.
|
Deprecated: Snort 2.
|
Upgrade impact. Cannot upgrade Snort 2 devices. Snort 2 is deprecated, and you cannot upgrade a Snort 2 device to Version 7.7.0+. We removed the ability to switch to Snort 2, as well as the show snort counters and show snort preprocessor-memory-usage commands.
Before you upgrade, switch to Snort 3. See the Intrusion Policies chapter in the guide for your current version: Cisco Secure Firewall Device Manager Configuration Guide.
|
Administrative Features
|
Custom login page.
|
You can customize the device manager login page, including adding an image and text to the login page. For example, you can include disclaimers and warnings that the user must agree to prior to login. The text is also shown for SSH sessions.
We added the following page: .
|
Custom streaming telemetry using Google Remote Procedure Calls (gRPC).
|
You can configure the device to send system health and telemetry data to an external telemetry collector that uses Google Remote Procedure Calls (gRPC) to collect data. You can then use your telemetry collector to monitor the device and integrate with your custom telemetry solution.
Use the API to configure this feature: /devicesettings/default/telemetrystreamingconfig.
|
Performance
|
Faster failover for high availability threat defense.
|
With threat defense high availability failover, the new active device generates multicast packets for each MAC address entry and sends them to all bridge group interfaces, which prompts the upstream switches to update their routing tables. This task now runs asynchronously in the data plane, giving priority to critical failover tasks in the control plane. This makes failover faster, reducing downtime.
|
High-bandwidth encrypted application traffic bypasses unnecessary intrusion inspection.
|
Specific high-bandwidth encrypted application traffic now bypasses unnecessary intrusion inspection even if the connection matches an Allow rule. Intrusion rule (LSP) and vulnerability database (VDB) updates can change the applications bypassed, but right now they are: AnyConnect, IPsec, iCloud Private Relay, QUIC (including HTTP/3), Secure RTCP.
|
Configure threat defense autorecovery from block depletion using FlexConfig.
|
To reduce downtime due to service disruption, a new fault manager monitors block depletion and automatically reloads devices when necessary. In high availability deployments, this triggers failover. Fault monitoring is automatically enabled on new and upgraded devices. To disable it, use FlexConfig.
New/modified FlexConfig commands:
- fault-monitor block-depletion recovery-action {none | reload}
  Specifying none turns off automatic reload, but does not turn off fault monitoring. For that, use no fault-monitoring.
- fault-monitor block-depletion monitor-interval seconds
New/modified threat defense CLI commands: show fault-monitor block-depletion {status | statistics}
|
Troubleshooting
|
CPU profiler includes application identification statistics.
|
The CPU profiler now includes application identification statistics. After you enable CPU profiling (cpu profile activate), you can see the resources used by processing specific application traffic.
New/modified CLI commands: system support appid-cpu-profiling status, system support appid-cpu-profiling dump
See: Cisco Secure Firewall Threat Defense Command Reference
|
New IP flow statistics.
|
When collecting IP flow statistics from a threat defense device under the direction of Cisco TAC, a new all parameter logs additional statistics to the specified file: port, protocol, application, cumulative latency, and inspection time.
New/modified commands: system support flow-ip-profiling start flow-ip-file filename all {enable | disable}
See: Cisco Secure Firewall Threat Defense Command Reference
|
Security and Hardening
|
Limited user privileges for Threat Defense CLI Basic user.
|
The scope of the Threat Defense CLI Basic user privilege is now limited to the following commands: dig, ping, traceroute. If you have created users with the Basic privilege, evaluate whether you need to change them to the Config privilege. You can change a user's privilege level using the configure user access command.
See: Cisco Secure Firewall Threat Defense Command Reference
|
Require the Message-Authenticator attribute in all RADIUS responses.
|
Upgrade impact. After upgrade, enable this option for existing servers.
You can now require the Message-Authenticator attribute in all RADIUS responses, ensuring that the threat defense VPN gateway securely verifies every response from the RADIUS server, whether for RA VPN or access to the device itself.
The Require Message-Authenticator for all RADIUS Responses option is enabled by default for new RADIUS servers. We also recommend you enable it for existing servers. Disabling it may expose firewalls to potential attacks.
New CLI commands: message-authenticator-required
Version restrictions: Requires Version 7.0.7+ / 7.7.0+.
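Message-Authenticator is an HMAC-MD5 over the response, keyed with the RADIUS shared secret (RFC 2869), whereas the Response Authenticator that every response carries is only an MD5 hash with the secret appended. The example below is added here and is not Cisco code: it shows the client-side check under the require-on and require-off policies, using a constructed response packet, a constructed Request Authenticator and a constructed shared secret.

```python
# Added example (not from the Cisco documentation): the check a RADIUS client
# performs on Access-Accept/Reject/Challenge packets (RFC 2865 / RFC 2869 layout).
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, value is a 16-byte HMAC-MD5

def _attributes(raw):
    """Yield (type, value, offset_of_value) for each TLV in raw."""
    i = 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed attribute list")
        yield raw[i], raw[i + 2:i + raw[i + 1]], i + 2
        i += raw[i + 1]

def build_response(code, ident, request_auth, attrs, secret, add_msg_auth=True):
    """Build a server response whose authenticators are correct (constructed data)."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    if add_msg_auth:
        body += struct.pack("BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if add_msg_auth:  # the HMAC is computed with the attribute value zeroed
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet, request_auth, secret, require_msg_auth):
    """True only if the response is authentic under the given policy."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    # Response Authenticator: MD5 of the packet plus the secret, always checked.
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    try:
        found = [(v, off) for t, v, off in _attributes(body)
                 if t == MESSAGE_AUTHENTICATOR and len(v) == 16]
    except ValueError:
        return False
    if not found:  # absent: accepted only when the policy does not require it
        return not require_msg_auth
    received, off = found[0]
    zeroed = body[:off] + bytes(16) + body[off + 16:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, received)
```

With the require policy on, a response that omits the attribute is rejected even when its Response Authenticator is valid; with it off, that same response is accepted.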
|