New Features by Release

This document lists new and deprecated features for each release.

Suggested Release

Suggested Release: Version 6.6.5.1

To take advantage of new features and resolved issues, we recommend you upgrade all eligible appliances to at least the suggested release. On the Cisco Support & Download site, the suggested release is marked with a gold star.

Suggested Releases for Older Appliances

If an appliance is too old to run the suggested release and you do not plan to refresh the hardware right now, choose a major version that the appliance supports, then patch as far as possible within it. Some major versions are designated long-term or extra long-term, so prefer one of those. For an explanation of these terms, see the Cisco NGFW Product Line Software Release and Sustaining Bulletin.

If you are interested in a hardware refresh, contact your Cisco representative or partner contact.

Version 7.1.0

New Features in FDM Version 7.1.0

Feature

Description

Platform Features

Support ends for the ASA 5508-X and 5516-X. The last supported release is FTD 7.0.

You cannot install FTD 7.1 on an ASA 5508-X or 5516-X. The last supported release for these models is FTD 7.0.

Firewall and IPS Features

Network Analysis Policy (NAP) configuration for Snort 3.

You can use FDM to configure the Network Analysis Policy (NAP) when running Snort 3. Network analysis policies control traffic preprocessing inspection. Inspectors prepare traffic to be further inspected by normalizing traffic and identifying protocol anomalies. You can select which NAP is used for all traffic, and customize the settings to work best with the traffic in your network. You cannot configure the NAP when running Snort 2.

We added the Network Analysis Policy to the Policies > Intrusion settings dialog box, with an embedded JSON editor to allow direct changes, and other features to let you upload overrides, or download the ones you create.

Manual NAT support for fully-qualified domain name (FQDN) objects as the translated destination.

You can use an FQDN network object, such as one specifying www.example.com, as the translated destination address in manual NAT rules. The system configures the rule based on the IP address returned from the DNS server.

Improved active authentication for identity rules.

You can configure active authentication for identity policy rules to redirect the user's authentication to a fully-qualified domain name (FQDN) rather than the IP address of the interface through which the user's connection enters the device. The FQDN must resolve to the IP address of one of the interfaces on the device. By using an FQDN, you can assign a certificate for active authentication that the client will recognize, thus avoiding the untrusted certificate warning users get when being redirected to an IP address. The certificate can specify the FQDN, a wildcard FQDN, or multiple FQDNs in the Subject Alternative Name (SAN) extension of the certificate.

We added the Redirect to Host Name option in the identity policy settings.
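The two conditions above (the redirect FQDN must resolve to a device interface, and the presented certificate must cover that FQDN directly, by wildcard, or through a SAN entry) are easy to get wrong when the certificate uses a wildcard. The following added example, not Cisco's code, checks both conditions before you commit to a Redirect to Host Name value. The interface addresses, DNS answers and SAN lists are constructed test data; the wildcard rules follow RFC 6125 (a wildcard is accepted only as the entire leftmost label and matches exactly one label).

```python
"""Pre-flight check for an active-authentication redirect FQDN.

Added example, not part of the Cisco release notes. INTERFACE_ADDRESSES and
DNS_ANSWERS are constructed stand-ins for the device's interface addressing
and for what your resolver returns.
"""
import ipaddress

# Constructed: addresses assigned to the device's data interfaces (assumption).
INTERFACE_ADDRESSES = {
    "inside": ipaddress.ip_address("10.1.1.1"),
    "outside": ipaddress.ip_address("203.0.113.10"),
}

# Constructed: resolver answers for the names under consideration.
DNS_ANSWERS = {
    "auth.example.com": "10.1.1.1",     # resolves to the inside interface
    "portal.example.com": "10.9.9.9",   # resolves somewhere else
}


def san_matches(hostname, san_dns_names):
    """Return True if hostname is covered by one of the dNSName SAN entries.

    RFC 6125 section 6.4.3 wildcard rules: '*' is accepted only as the whole
    leftmost label, it matches exactly one label, and it never matches a name
    with a different number of labels ('*.example.com' covers
    'auth.example.com' but neither 'example.com' nor 'a.b.example.com').
    Wildcards with fewer than three labels ('*.com') are refused.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for entry in san_dns_names:
        san_labels = entry.lower().rstrip(".").split(".")
        if san_labels[0] == "*":
            if len(san_labels) < 3:
                continue
            if len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]:
                return True
        elif host_labels == san_labels:
            return True
    return False


def redirect_fqdn_is_valid(fqdn, san_dns_names,
                           dns_answers=DNS_ANSWERS, interfaces=INTERFACE_ADDRESSES):
    """Apply both conditions from the release note and return (ok, reason).

    1. The FQDN must resolve to one of the device's interface addresses.
    2. The certificate presented on redirect must cover the FQDN, otherwise
       the browser shows the same untrusted-certificate warning the feature
       is meant to avoid.
    """
    name = fqdn.lower().rstrip(".")
    answer = dns_answers.get(name)
    if answer is None:
        return False, "FQDN does not resolve"
    if ipaddress.ip_address(answer) not in interfaces.values():
        return False, "FQDN resolves to %s, which is not a device interface" % answer
    if not san_matches(name, san_dns_names):
        return False, "certificate SAN does not cover %s; browser will warn" % name
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("auth.example.com", "portal.example.com", "nx.example.com"):
        print(candidate, redirect_fqdn_is_valid(candidate, ["*.example.com"]))
```

Run the check against the SAN list you intend to deploy (for a real certificate, read the dNSName entries out of the SAN extension with your usual tooling) and against the addresses actually configured on the device; a wildcard certificate for the parent domain does not cover a redirect host that sits one label deeper.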

VPN Features

Backup remote peers for site-to-site VPN.

You can configure a site-to-site VPN connection to include remote backup peers. If the primary remote peer is unavailable, the system will try to re-establish the VPN connection using one of the backup peers. You can configure separate pre-shared keys or certificates for each backup peer. Backup peers are supported for policy-based connections only, and are not available for route-based (virtual tunnel interface) connections.

We updated the site-to-site VPN wizard to include backup peer configuration.

Password management for remote access VPN (MSCHAPv2).

You can enable password management for remote access VPN. This allows AnyConnect to prompt the user to change an expired password. Without password management, users must change expired passwords directly with the AAA server, and AnyConnect does not prompt the user to change passwords. For LDAP servers, you can also set a warning period to notify users of upcoming password expiration.

We added the Enable Password Management option to the authentication settings for remote access VPN connection profiles.

AnyConnect VPN SAML External Browser

When you use SAML as the primary authentication method for a remote access VPN connection profile, you can elect to have the AnyConnect client use the client’s local browser instead of the AnyConnect embedded browser to perform the web authentication. This option enables single sign-on (SSO) between your VPN authentication and other corporate logins. Also choose this option if you want to support web authentication methods, such as biometric authentication, that cannot be performed in the embedded browser.

We updated the remote access VPN connection profile wizard to allow you to configure the SAML Login Experience.

Administrative and Troubleshooting Features

Dynamic Domain Name System (DDNS) support for updating fully-qualified domain name (FQDN) to IP address mappings for system interfaces.

You can configure DDNS for the interfaces on the system to send dynamic updates to DNS servers. This helps ensure that FQDNs defined for the interfaces resolve to the correct address, making it easier for users to access the system using a hostname rather than an IP address. This is especially useful for interfaces that get their addresses using DHCP, but it is also useful for statically-addressed interfaces.

After upgrade, if you had used FlexConfig to configure DDNS, you must redo your configuration using FDM or the FTD API, and remove the DDNS FlexConfig object from the FlexConfig policy, before you can deploy changes again.

If you configure DDNS using FDM, then switch to FMC management, the DDNS configuration is retained so that FMC can find the system using the DNS name.

In FDM, we added the System Settings > DDNS Service page. In the FTD API, we added the DDNSService and DDNSInterfaceSettings resources.

The dig command replaces the nslookup command in the device CLI.

To look up the IP address of a fully-qualified domain name (FQDN) in the device CLI, use the dig command. The nslookup command has been removed.

DHCP relay configuration using FDM.

You can use FDM to configure DHCP relay. Using DHCP relay on an interface, you can direct DHCP requests to a DHCP server that is accessible through the other interface. You can configure DHCP relay on physical interfaces, subinterfaces, EtherChannels, and VLAN interfaces. You cannot configure DHCP relay if you configure a DHCP server on any interface.

We added the System Settings > DHCP > DHCP Relay page, and moved DHCP Server under the new DHCP heading.

Key type and size for self-signed certificates in FDM.

You can specify the key type and size when generating new self-signed internal and internal CA certificates in FDM. Key types include RSA, ECDSA, and EdDSA. The allowed sizes differ by key type. We now warn you if you upload a certificate whose key size is smaller than the minimum recommended length. There is also a weak key pre-defined search filter to help you find weak certificates, which you should replace if possible.

Usage validation restrictions for trusted CA certificates.

You can specify whether a trusted CA certificate can be used to validate certain types of connections. You can allow, or prevent, validation for SSL server (used by dynamic DNS), SSL client (used by remote access VPN), IPsec client (used by site-to-site VPN), or other features that are not managed by the Snort inspection engine, such as LDAPS. The primary purpose of these options is to stop a VPN connection from being established merely because the peer's certificate chains to a particular trusted CA: a CA you trust for, say, LDAPS should not automatically be able to authenticate VPN peers.

We added Validation Usage as a property for trusted CA certificates.

Generating the admin password in FDM.

During initial system configuration in FDM, or when you change the admin password through FDM, you can now click a button to generate a random 16 character password.

Startup time and tmatch compilation status.

The show version command now includes information on how long it took to start (boot) up the system. Note that the larger the configuration, the longer it takes to boot up the system.

The new show asp rule-engine command shows status on tmatch compilation. Tmatch compilation is used for an access list that is used as an access group, the NAT table, and some other items. It is an internal process that can consume CPU resources and impact performance while in progress, if you have very large ACLs and NAT tables. Compilation time depends on the size of the access list, NAT table, and so forth.

Enhancements to show access-list element-count output.

The output of the show access-list element-count command has been enhanced. When used with object-group search enabled, the output includes details about the number of object groups in the element count.

In addition, the show tech-support output now includes the output from show access-list element-count and show asp rule-engine.

Use FDM to configure the FTD for management by a Firepower Management Center (FMC)

When you perform initial setup using FDM, all interface configuration completed in FDM is retained when you switch to FMC for management, in addition to the Management and FMC access settings. Note that other default configuration settings, such as the access control policy or security zones, are not retained. When you use the FTD CLI, only the Management and FMC access settings are retained (for example, the default inside interface configuration is not retained).

After you switch to FMC, you can no longer use FDM to manage the FTD.

New/Modified screens: System Settings > Management Center

FTD REST API version 6.2 (v6).

The FTD REST API for software version 7.1 is version 6.2. You can use v6 in the API URLs, or preferentially, use /latest/ to signify you are using the most recent API version that is supported on the device. Note that the URL version path element for 6.2 is the same as for 6.0 and 6.1: v6.

Please re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, log into FDM, then click the more options button and choose API Explorer.

Deprecated Features in FDM Version 7.1.0

Table 1. Deprecated Features in FDM Version 7.1.0

Feature

Upgrade Impact

Description

ASA 5508-X and 5516-X

Upgrade prohibited.

You cannot run Version 7.1.0+ on the ASA 5508-X or ASA 5516-X.

Version 7.0.0

New Features in FDM Version 7.0.0

Feature

Description

Platform Features

Virtual router support for the ISA 3000.

You can configure up to 10 virtual routers on an ISA 3000 device.

New default password for the FTDv on AWS.

On AWS, the default admin password for the FTDv is the AWS Instance ID, unless you define a default password with user data (Advanced Details > User Data) during the initial deployment.

Firewall and IPS Features

New Section 0 for system-defined NAT rules.

A new Section 0 has been added to the NAT rule table. This section is exclusively for the use of the system. Any NAT rules that the system needs for normal functioning are added to this section, and these rules take priority over any rules you create. Previously, system-defined rules were added to Section 1, and user-defined rules could interfere with proper system functioning. You cannot add, edit, or delete Section 0 rules, but you will see them in show nat detail command output.

Custom intrusion rules for Snort 3.

You can use offline tools to create custom intrusion rules for use with Snort 3, and upload them into an intrusion policy. You can organize custom rules in your own custom rule groups, to make it easy to update them as needed. You can also create the rules directly in FDM, but the rules have the same format as uploaded rules. FDM does not guide you in creating the rules. You can duplicate existing rules, including system-defined rules, as a basis for a new intrusion rule.

We added support for custom groups and rules to the Policies > Intrusion page, when you edit an intrusion policy.

Snort 3 new features for FDM-managed systems.

You can now configure the following additional features when using Snort 3 as the inspection engine on an FDM-managed system:

  • Time-based access control rules. (FTD API only.)

  • Multiple virtual routers.

  • The decryption of TLS 1.1 or lower connections using the SSL Decryption policy.

  • The decryption of the following protocols using the SSL Decryption policy: FTPS, SMTPS, IMAPS, POP3S.

DNS request filtering based on URL category and reputation.

You can apply your URL filtering category and reputation rules to DNS lookup requests. If the fully-qualified domain name (FQDN) in the lookup request has a category and reputation that you are blocking, the system blocks the DNS reply. Because the user does not receive a DNS resolution, the user cannot complete the connection. Use this option to apply URL category and reputation filtering to non-web traffic. You must have the URL filtering license to use this feature.

We added the Reputation Enforcement on DNS Traffic option to the access control policy settings.
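To show what the device has to do for this feature, the following added example (not Cisco's code) parses the question section of a DNS query in wire format, walks up the queried name to find the most specific category/reputation entry, and decides whether the reply should be withheld under a set of block rules. It also models the unknown-reputation case: a categorized name with no reputation is blocked only when the caller asks for it, which is what the Include Sites with Unknown Reputation option in Version 6.7 controls. The URL_DB table and the query packets are constructed; a real deployment gets category and reputation data from the Talos URL database, and the reputation scale here (1 untrusted to 5 trusted) is the one used in the FDM rule editor.

```python
"""DNS request filtering by URL category and reputation.

Added example, not part of the Cisco release notes. URL_DB is a constructed
stand-in for the category database; build_dns_query constructs sample
traffic so the code runs offline.
"""
import struct

# Constructed: fqdn -> (category, reputation). Reputation 1 = untrusted,
# 5 = trusted, None = categorized but no reputation assigned.
URL_DB = {
    "malware-drop.example": ("Malware Sites", 1),
    "cdn.shady.example": ("Hacking", 2),
    "hacktools.example": ("Hacking", None),
    "news.example.org": ("News", 5),
}


def parse_dns_query(msg):
    """Parse the first question of a DNS message (RFC 1035 section 4.1).

    Returns (qname, qtype, qclass). Raises ValueError for anything that is
    not a well-formed query: responses, empty question sections, compression
    pointers in the question name, over-long labels and truncated messages.
    """
    if len(msg) < 12:
        raise ValueError("truncated header")
    _ident, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compression pointer in question name")
        if length > 63:
            raise ValueError("label too long")
        label = msg[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())   # UnicodeDecodeError is a ValueError
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def lookup_category(fqdn):
    """Walk a.b.c -> b.c -> c and return the most specific (category, reputation),
    or (None, None) when the name is not categorized at all."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        hit = URL_DB.get(".".join(labels[i:]))
        if hit:
            return hit
    return None, None


def dns_request_blocked(msg, block_rules, include_unknown=False):
    """Decide whether the reply to this query should be withheld.

    block_rules maps category -> worst reputation level that is still blocked
    (e.g. {"Hacking": 3} blocks Hacking sites rated 1, 2 or 3). A categorized
    name with no reputation is blocked only when include_unknown is set.
    """
    qname, _qtype, _qclass = parse_dns_query(msg)
    category, reputation = lookup_category(qname)
    if category is None or category not in block_rules:
        return False
    if reputation is None:
        return include_unknown
    return reputation <= block_rules[category]


def build_dns_query(fqdn, ident=0x1234):
    """Encode a standard recursive A query for fqdn (constructed sample traffic)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in fqdn.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    rules = {"Malware Sites": 2, "Hacking": 3}
    for host in ("www.malware-drop.example", "news.example.org", "unrated.hacktools.example"):
        print(host, dns_request_blocked(build_dns_query(host), rules, include_unknown=True))
```

Because the decision is made on the query name alone, the block is only as good as the categorization of the parent domain; the walk-up in lookup_category is what lets a rule for malware-drop.example catch any host beneath it.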

VPN Features

FDM SSL cipher settings for remote access VPN.

You can define the TLS versions and encryption ciphers to use for remote access VPN connections in FDM. Previously, you needed to use the FTD API to configure SSL settings.

We added the following pages: Objects > SSL Ciphers; Device > System Settings > SSL Settings.

Support for Diffie-Hellman group 31.

You can now use Diffie-Hellman (DH) group 31 in IKEv2 proposals and policies.

The maximum number of Virtual Tunnel Interfaces on the device is 1024.

The maximum number of Virtual Tunnel Interfaces (VTI) that you can create is 1024. In previous versions, the maximum was 100 per source interface.

IPsec lifetime settings for site-to-site VPN security associations.

You can change the default settings for how long a security association is maintained before it must be re-negotiated.

We added the Lifetime Duration and Lifetime Size options to the site-to-site VPN wizard.

Routing Features

Equal-Cost Multi-Path (ECMP) routing.

You can configure ECMP traffic zones to contain multiple interfaces, which lets traffic from an existing connection exit or enter the FTD device on any interface within the zone. This capability allows Equal-Cost Multi-Path (ECMP) routing on the FTD device as well as external load balancing of traffic to the FTD device across multiple interfaces.

ECMP traffic zones are used for routing only. They are not the same as security zones.

We added the ECMP Traffic Zones tab to the Routing pages. In the FTD API, we added the ECMPZones resources.

Interface Features

New default inside IP address

The default IP address for the inside interface is changed from 192.168.1.1 to 192.168.95.1, to avoid an address conflict when the outside interface is assigned an address on 192.168.1.0/24 through DHCP.

Default outside IP address now has IPv6 autoconfiguration enabled; new default IPv6 DNS server for Management

The default configuration on the outside interface now includes IPv6 autoconfiguration, in addition to the IPv4 DHCP client. The default Management DNS servers now also include an IPv6 server: 2620:119:35::35.

EtherChannel support for the ISA 3000

You can now use FDM to configure EtherChannels on the ISA 3000.

New/Modified screens: Devices > Interfaces > EtherChannels

Licensing Features

Performance-Tiered Licensing for FTDv

The FTDv now supports performance-tiered Smart Licensing based on throughput requirements and RA VPN session limits. When the FTDv is licensed with one of the available performance licenses, two things occur. First, a rate limiter is installed that limits the device throughput to a specified level. Second, the number of VPN sessions is capped to the level specified by the license.

Administrative and Troubleshooting Features

DHCP relay configuration using the FTD API.

You can use the FTD API to configure DHCP relay. Using DHCP relay on an interface, you can direct DHCP requests to a DHCP server that is accessible through the other interface. You can configure DHCP relay on physical interfaces, subinterfaces, EtherChannels, and VLAN interfaces. You cannot configure DHCP relay if you configure a DHCP server on any interface.

Note that if you used FlexConfig in prior releases to configure DHCP relay (the dhcprelay command), you must re-do the configuration using the API, and delete the FlexConfig object, after you upgrade.

We added the following model to the FTD API: dhcprelayservices

Faster bootstrap processing and early login to Firepower Device Manager.

The process to initially bootstrap an FDM-managed system has been improved to make it faster. Thus, you do not need to wait as long after starting the device to log into FDM. In addition, you can now log in while the bootstrap is in progress. If the bootstrap is not complete, you will see status information on the process so you know what is happening on the device.

Improved CPU usage and performance for many-to-one and one-to-many connections.

The system no longer creates local host objects and locks them when creating connections, except for connections that involve dynamic NAT/PAT, scanning threat detection, or host statistics. This improves performance and CPU usage in situations where many connections are going to the same server (such as a load balancer or web server), or one endpoint is making connections to many remote hosts.

We changed the following commands: clear local-host (deprecated), show local-host

Upgrade readiness check for FDM-managed devices.

You can run an upgrade readiness check on an uploaded FTD Software upgrade package before attempting to install it. The readiness check verifies that the upgrade is valid for the system, and that the system meets other requirements needed to install the package. Running an upgrade readiness check helps you avoid failed installations.

A link to run the upgrade readiness check was added to the System Upgrade section of the Device > Updates page.

FTD REST API version 6.1 (v6).

The FTD REST API for software version 7.0 is version 6.1. You can use v6 in the API URLs, or preferentially, use /latest/ to signify you are using the most recent API version that is supported on the device. Note that the URL version path element for 6.1 is the same as for 6.0: v6.

Please re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, log into FDM, then click the more options button and choose API Explorer.
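The 7.0 and 7.1 API notes both recommend /latest/ over a pinned version element and tell you to re-check existing calls. The following added example, not Cisco's code, shows the client pattern those notes assume: build the URL with either /latest/ or an explicit element such as v6, obtain a bearer token from the documented password grant endpoint (POST /api/fdm/<version>/fdm/token), and walk a paged list resource using the items/paging shape that the API's list endpoints return. The host name, credentials and the object list used in the offline demonstration are constructed; the fetch function is injected so the paging logic can be exercised without a device.

```python
"""Minimal FTD REST API client pattern for an FDM-managed device.

Added example, not Cisco's code. Assumptions: the host ftd.example.net and
the credentials are placeholders, and list responses carry "items" plus a
"paging" object with "count" (the shape returned by the API's list endpoints).
"""
import json
import os
import ssl
import urllib.request

API_VERSION = "latest"   # or an explicit version element such as "v6"


def api_url(host, path, version=API_VERSION):
    """Build https://host/api/fdm/<version>/<path>. 'latest' tracks whatever API
    version the device supports; an explicit 'v6' pins the URL element."""
    return "https://%s/api/fdm/%s/%s" % (host, version, path.lstrip("/"))


def verified_context(ca_file):
    """TLS context that validates the FDM certificate against ca_file.
    Never disable verification for a management API outside a lab."""
    return ssl.create_default_context(cafile=ca_file)


def token_request(host, username, password):
    """Request for the password grant; the JSON response carries access_token."""
    body = json.dumps({"grant_type": "password",
                       "username": username, "password": password}).encode()
    return urllib.request.Request(
        api_url(host, "fdm/token"), data=body, method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})


def send(req, context):
    """Send a request and decode the JSON body."""
    with urllib.request.urlopen(req, context=context) as resp:
        return json.loads(resp.read().decode())


def list_all(fetch, host, token, path, limit=100):
    """Collect every object from a paged list endpoint.

    fetch takes a Request and returns the decoded JSON page; pass
    functools.partial(send, context=...) for a live device or a stub for
    testing. Stops when offset reaches paging.count or a page comes back empty.
    """
    items, offset = [], 0
    while True:
        req = urllib.request.Request(
            api_url(host, "%s?limit=%d&offset=%d" % (path, limit, offset)),
            headers={"Authorization": "Bearer " + token, "Accept": "application/json"})
        page = fetch(req)
        batch = page.get("items", [])
        items.extend(batch)
        count = page.get("paging", {}).get("count", len(items))
        offset += limit
        if not batch or offset >= count:
            return items


if __name__ == "__main__":
    host = os.environ.get("FDM_HOST", "ftd.example.net")   # placeholder host
    if "FDM_PASSWORD" in os.environ:
        ctx = verified_context(os.environ["FDM_CA_FILE"])
        tok = send(token_request(host, "admin", os.environ["FDM_PASSWORD"]), ctx)["access_token"]
        objs = list_all(lambda r: send(r, ctx), host, tok, "object/networks")
        print(len(objs), "network objects")
    else:
        # Offline demonstration with a constructed seven-object list.
        sample = [{"name": "net%d" % i} for i in range(7)]

        def stub_fetch(req):
            offset = int(req.full_url.split("offset=")[1])
            return {"items": sample[offset:offset + 3],
                    "paging": {"count": len(sample), "limit": 3, "offset": offset}}

        print([o["name"] for o in list_all(stub_fetch, host, "tok", "object/networks", limit=3)])
```

After an upgrade, run your existing calls through this path against the API Explorer's current resource models before trusting automation again; a resource whose model changed will usually surface as a validation error on the first POST or PUT, not on the GET.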

Deprecated Features in FDM Version 7.0.0

Table 2. Deprecated Features in FDM Version 7.0.0

Feature

Upgrade Impact

Description

dhcprelay FlexConfig commands

Prevents post-upgrade deploy.

You should redo your configurations after upgrade.

Version 7.0.0 deprecates the following FlexConfig CLI commands for Firepower Threat Defense with FDM:

  • dhcprelay : You can now use the FTD API to configure DHCP relay. Using DHCP relay on an interface, you can direct DHCP requests to a DHCP server running on a different interface on the device, or to a DHCP server that is accessible through the other interface. You can configure DHCP relay on physical interfaces, subinterfaces, EtherChannels, and VLAN interfaces.

You cannot deploy post-upgrade until you remove any associated FlexConfig objects.

VMware 6.0 hosting

Upgrade the hosting environment before you upgrade the Firepower software.

Version 7.0.0 discontinues support for FTDv on VMware vSphere/VMware ESXi 6.0.

Version 6.7.0

New Features in FDM Version 6.7.0

Feature

Description

Platform Features

Support ends for the ASA 5525-X, 5545-X, and 5555-X. The last supported release is FTD 6.6.

You cannot install FTD 6.7 on an ASA 5525-X, 5545-X, or 5555-X. The last supported release for these models is FTD 6.6.

Firewall and IPS Features

TLS server identity discovery for access control rule matching.

In TLS 1.3, the server certificate is sent encrypted. For traffic encrypted with TLS 1.3 to match access rules that use application or URL filtering, the system must be able to see the server certificate. We recommend that you enable TLS Server Identity Discovery to ensure encrypted connections are matched to the right access control rule. The setting obtains the certificate only; the connection itself remains encrypted and is not decrypted.

We added the Access Control Settings (gear) button and dialog box to the Policies > Access Control page.

External trusted CA certificate groups.

You can now customize the list of trusted CA certificates used by the SSL decryption policy. By default, the policy uses all system-defined trusted CA certificates, but you can create a custom group to add more certificates, or replace the default group with your own, more limited, group.

We added certificate groups to the Objects > Certificates page, and modified the SSL decryption policy settings to allow the selection of certificate groups.

Active Directory realm sequences for passive identity rules.

You can create a realm sequence, which is an ordered list of Active Directory (AD) servers and their domains, and use them in a passive authentication identity rule. Realm sequences are useful if you support more than one AD domain and you want to do user-based access control. Instead of writing separate rules for each AD domain, you can write a single rule that covers all of your domains. The ordering of the AD realms within the sequence is used to resolve identity conflicts if any arise.

We added the AD realm sequence object on the Objects > Identity Sources page, and the ability to select the object as a realm in a passive authentication identity rule. In the FTD API, we added the RealmSequence resource, and in the IdentityRule resource, we added the ability to select a realm sequence object as the realm for a rule that uses passive authentication as the action.

FDM support for Trustsec security group tag (SGT) group objects and their use in access control rules.

In FTD 6.5, support was added to the FTD API to configure SGT group objects and use them as matching criteria in access control rules. In addition, you could modify the ISE identity object to listen to the SXP topic published by ISE. Now, you can configure these features directly in FDM.

We added a new object, SGT groups, and updated the access control policy to allow their selection and display. We also modified the ISE object to include the explicit selection of topics to subscribe to.

Snort 3.0 support.

For new systems, Snort 3.0 is the default inspection engine. If you upgrade to 6.7 from an older release, Snort 2.0 remains the active inspection engine, but you can switch to Snort 3.0. For this release, Snort 3.0 does not support virtual routers, time-based access control rules, or the decryption of TLS 1.1 or lower connections. Enable Snort 3.0 only if you do not need these features. You can freely switch back and forth between Snort 2.0 and 3.0, so you can revert your change if needed. Traffic will be interrupted whenever you switch versions.

We added the ability to switch Snort versions to the Device > Updates page, in the Intrusion Rules group. In the FTD API, we added the IntrusionPolicy resource action/toggleinspectionengine.

In addition, there is a new audit event, Rules Update Event, that shows which intrusion rules were added, deleted, or changed in a Snort 3 rule package update.

Custom intrusion policies for Snort 3.

You can create custom intrusion policies when you are using Snort 3 as the inspection engine. With Snort 2, you can use only the pre-defined policies. With custom intrusion policies, you can add or remove groups of rules, and change the security level at the group level to efficiently change the default action (disabled, alert or drop) of the rules in the group. Snort 3 intrusion policies give you more control over the behavior of your IPS/IDS system without the need to edit the base Cisco Talos-provided policies.

We changed the Policies > Intrusion page to list intrusion policies. You can create new ones, and view or edit existing policies, including adding/removing groups, assigning security levels, and changing the action for rules. You can also select multiple rules and change their actions. In addition, you can select custom intrusion policies in access control rules.

Multiple syslog servers for intrusion events.

You can configure multiple syslog servers for intrusion policies. Intrusion events are sent to each syslog server.

We added the ability to select multiple syslog server objects to the intrusion policy settings dialog box.

URL reputation matching can include sites with unknown reputations.

When you configure URL category traffic-matching criteria, and select a reputation range, you can include URLs with unknown reputation in the reputation match.

We added the Include Sites with Unknown Reputation check box to the URL reputation criteria in access control and SSL decryption rules.

VPN Features

Virtual Tunnel Interface (VTI) and route-based site-to-site VPN.

You can now create route-based site-to-site VPNs by using a Virtual Tunnel Interface as the local interface for the VPN connection profile. With route-based site-to-site VPN, you manage the protected networks in a given VPN connection by simply changing the routing table, without altering the VPN connection profile at all. You do not need to keep track of remote networks and update the VPN connection profile to account for these changes. This simplifies VPN management for cloud service providers and large enterprises.

We added the Virtual Tunnel Interfaces tab to the Interface listing page, and updated the site-to-site VPN wizard so that you can use a VTI as the local interface.

FTD API support for Hostscan and Dynamic Access Policy (DAP) for remote access VPN connections.

You can upload Hostscan packages and the Dynamic Access Policy (DAP) rule XML file, and configure DAP rules to create the XML file, to control how group policies are assigned to remote users based on attributes related to the status of the connecting endpoint. You can use these features to perform Change of Authorization if you do not have Cisco Identity Services Engine (ISE). You can upload Hostscan and configure DAP using the FTD API only; you cannot configure them using FDM. See the AnyConnect documentation for information about Hostscan and DAP usage.

We added or modified the following FTD API object models: dapxml, hostscanpackagefiles, hostscanxmlconfigs, ravpns.

Enabling certificate revocation checking for external CA certificates

You can use the FTD API to enable certificate revocation checking on a particular external CA certificate. Revocation checking is particularly useful for certificates used in remote access VPN. You cannot configure revocation checking on a certificate using FDM, you must use the FTD API.

We added the following attributes to the ExternalCACertificate resource: revocationCheck, crlCacheTime, oscpDisableNonce.

Support removed for less secure Diffie-Hellman groups, and encryption and hash algorithms.

The following features were deprecated in 6.6 and they are now removed. If you are still using them in IKE proposals or IPsec policies, you must replace them after upgrade before you can deploy any configuration changes. We recommend that you change your VPN configuration prior to upgrade to supported DH and encryption algorithms to ensure the VPN works correctly.

  • Diffie-Hellman groups: 2, 5, and 24.

  • Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls.

  • Hash algorithms: MD5.
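Because a proposal that references any of these values blocks every deployment after the upgrade, it is worth auditing the running configuration before upgrading rather than discovering the problem afterwards. The following added example, not Cisco's code, scans ASA/FTD running-config style crypto sections (IKEv1 and IKEv2 policies, IKEv2 IPsec proposals) for the removed groups, ciphers and hash, and separates findings that still leave a usable alternative in the same line from sections where every option is gone. SAMPLE_CONFIG is a constructed sample, not output from a real device; the audit assumes a device licensed for strong encryption, since DES stays the only option without export-controlled crypto.

```python
"""Pre-upgrade audit for DH groups and algorithms removed in FTD 6.7.

Added example, not part of the Cisco release notes. SAMPLE_CONFIG is
constructed in 'show running-config' style; feed the real output of
'show running-config crypto' to audit_vpn_algorithms instead.
"""

REMOVED_DH_GROUPS = {"2", "5", "24"}
REMOVED_ENCRYPTION = {"des", "3des", "aes-gmac", "aes-gmac-192", "aes-gmac-256"}
REMOVED_HASHES = {"md5"}

SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256 3des
 integrity sha256 md5
 group 14 2
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes-gcm-256
 integrity null
 group 19 21
 prf sha384
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto ipsec ikev2 ipsec-proposal LEGACY
 protocol esp encryption aes-gmac-256 des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal MODERN
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-256
"""


def audit_vpn_algorithms(config_text):
    """Return a list of (section, keyword, removed_values, remaining_values).

    A section is any top-level 'crypto ...' line; its indented lines are the
    parameters. IKE policies use 'encryption', 'integrity'/'hash'/'prf' and
    'group'; IPsec proposals prefix the same keywords with 'protocol esp'.
    remaining_values is empty when the line has no surviving option, which is
    what makes the section undeployable after the upgrade.
    """
    findings, section = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            section = line.strip() if line.startswith("crypto ") else None
            continue
        if section is None:
            continue
        tokens = line.split()
        if tokens[:2] == ["protocol", "esp"]:
            keyword, values = tokens[2], tokens[3:]
        else:
            keyword, values = tokens[0], tokens[1:]
        if keyword == "encryption":
            removed = [v for v in values if v.lower() in REMOVED_ENCRYPTION]
        elif keyword in ("integrity", "hash", "prf"):
            removed = [v for v in values if v.lower() in REMOVED_HASHES]
        elif keyword == "group":
            removed = [v for v in values if v in REMOVED_DH_GROUPS]
        else:
            removed = []
        if removed:
            remaining = [v for v in values if v not in removed]
            findings.append((section, keyword, removed, remaining))
    return findings


def sections_with_no_valid_option(config_text):
    """Sections that must be rewritten (not merely trimmed) before the upgrade:
    at least one of their parameter lines would be left with nothing."""
    out = []
    for section, _keyword, _removed, remaining in audit_vpn_algorithms(config_text):
        if not remaining and section not in out:
            out.append(section)
    return out


if __name__ == "__main__":
    for section, keyword, removed, remaining in audit_vpn_algorithms(SAMPLE_CONFIG):
        status = "alternatives remain: %s" % " ".join(remaining) if remaining else "NO VALID OPTION LEFT"
        print("%-45s %-10s removed %-22s %s" % (section, keyword, " ".join(removed), status))
    print("rewrite before upgrade:", sections_with_no_valid_option(SAMPLE_CONFIG))
```

Findings with alternatives remaining can be fixed by trimming the removed values; sections listed by sections_with_no_valid_option need a new proposal, and the peers on the other end of those tunnels must be updated at the same time or the tunnels will not come up after the upgrade.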

Custom port for remote access VPN.

You can configure the port used for remote access VPN (RA VPN) connections. If you need to connect to FDM on the same interface used for RA VPN, you can change the port number for RA VPN connections. FDM uses port 443, which is also the default RA VPN port.

We updated the global settings step of the RA VPN wizard to include port configuration.

SAML Server support for authenticating remote access VPN.

You can configure a SAML 2.0 server as the authentication source for a remote access VPN. Following are the supported SAML servers: Duo.

We added SAML server as an identity source on the Objects > Identity Sources page, and updated remote access VPN connection profiles to allow its use.

FTD API Support for AnyConnect module profiles.

You can use the FTD API to upload module profiles used with AnyConnect, such as AMP Enabler, ISE Posture, or Umbrella. You must create these profiles using the offline profile editors that you can install from the AnyConnect profile editor package.

We added the anyConnectModuleType attribute to the AnyConnectClientProfile model. Although you can initially create AnyConnect Client Profile objects that use module profiles, you will still need to use the API to modify the objects created in FDM to specify the correct module type.

Routing Features

EIGRP support using Smart CLI.

In previous releases, you configured EIGRP in the Advanced Configuration pages using FlexConfig. Now, you configure EIGRP using Smart CLI directly on the Routing page.

If you configured EIGRP using FlexConfig, when you upgrade to release 6.7, you must remove the FlexConfig object from the FlexConfig policy, and then recreate your configuration in the Smart CLI object. You can retain your EIGRP FlexConfig object for reference until you have completed the Smart CLI updates. Your configuration is not automatically converted.

We added the EIGRP Smart CLI object to the Routing pages.

Interface Features

ISA 3000 hardware bypass persistence

You can now enable hardware bypass for ISA 3000 interface pairs with the persistence option: after power is restored, hardware bypass remains enabled until you manually disable it. If you enable hardware bypass without persistence, hardware bypass is automatically disabled after power is restored. There may be a brief traffic interruption when hardware bypass is disabled. The persistence option lets you control when the brief interruption in traffic occurs.

New/Modified screen: Device > Interfaces > Hardware Bypass > Hardware Bypass Configuration

Synchronization between the FTD operational link state and the physical link state for the Firepower 4100/9300

The Firepower 4100/9300 chassis can now synchronize the FTD operational link state with the physical link state for data interfaces. Currently, interfaces will be in an Up state as long as the FXOS admin state is up and the physical link state is up. The FTD application interface admin state is not considered. Without synchronization from FTD, data interfaces can be in an Up state physically before the FTD application has completely come online, for example, or can stay Up for a period of time after you initiate an FTD shutdown. This feature is disabled by default, and can be enabled per logical device in FXOS.

Note 

This feature is not supported for an FTD with a Radware vDP decorator.

New/Modified Firepower Chassis Manager screens: Logical Devices > Enable Link State

New/Modified FXOS commands: set link-state-sync enabled, show interface expand detail

Supported platforms: Firepower 4100/9300

Firepower 1100 and 2100 SFP interfaces now support disabling auto-negotiation

You can now configure a Firepower 1100 and 2100 SFP interface to disable auto-negotiation. For 10-Gbps interfaces, you can configure the speed down to 1 Gbps without auto-negotiation; you cannot disable auto-negotiation for an interface with the speed set to 10 Gbps.

New/Modified screen: Device > Interfaces > Edit Interface > Advanced Options > Speed

Supported platforms: Firepower 1100 and 2100

Administrative and Troubleshooting Features

Ability to cancel a failed FTD software upgrade and to revert to the previous release.

If an FTD major software upgrade fails or is otherwise not functioning correctly, you can revert to the state of the device as it was when you installed the upgrade.

We added the ability to revert the upgrade to the System Upgrade panel in FDM. During an upgrade, the FDM login screen shows the upgrade status and gives you the option to cancel or revert in case of upgrade failure. In the FTD API, we added the CancelUpgrade, RevertUpgrade, RetryUpgrade, and UpgradeRevertInfo resources.

In the FTD CLI, we added the following commands: show last-upgrade status, show upgrade status, show upgrade revert-info, upgrade cancel, upgrade revert, upgrade cleanup-revert, upgrade retry.

Custom HTTPS port for FDM/FTD API access on data interfaces.

You can change the HTTPS port used for FDM or FTD API access on data interfaces. By changing the port from the default 443, you can avoid conflict between management access and other features, such as remote access VPN, configured on the same data interface. Note that you cannot change the management access HTTPS port on the management interface.

We added the ability to change the port to the Device > System Settings > Management Access > Data Interfaces page.

Low-touch provisioning for Cisco Defense Orchestrator on Firepower 1000 and 2100 series devices.

If you plan on managing a new Firepower Threat Defense device using Cisco Defense Orchestrator (CDO), you can now add the device without completing the device setup wizard or even logging into FDM.

New Firepower 1000 and 2100 series devices are initially registered in the Cisco cloud, where you can easily claim them in CDO. Once in CDO, you can immediately manage the devices from CDO. This low-touch provisioning minimizes the need to interact directly with the physical device, and is ideal for remote offices or other locations where your employees are less experienced working with networking devices.

We changed how Firepower 1000 and 2100 series devices are initially provisioned. We also added auto-enrollment to the System Settings > Cloud Services page, so that you can manually start the process for upgraded devices or other devices that you have previously managed using FDM.

FTD API support for SNMP configuration.

You can use the FTD API to configure SNMP version 2c or 3 on an FDM or CDO managed FTD device.

We added the following API resources: SNMPAuthentication, SNMPHost, SNMPSecurityConfiguration, SNMPServer, SNMPUser, SNMPUserGroup, SNMPv2cSecurityConfiguration, SNMPv3SecurityConfiguration.

Note

If you used FlexConfig to configure SNMP, you must redo your configuration using the FTD API SNMP resources. The commands for configuring SNMP are no longer allowed in FlexConfig. Simply removing the SNMP FlexConfig object from the FlexConfig policy will allow you to deploy changes; you can then use the object as reference while you use the API to reconfigure the feature.

Maximum backup files retained on the system is reduced from 10 to 3.

The system will retain a maximum of 3 backup files on the system rather than 10. As new backups are created, the oldest backup file is deleted. Please ensure that you download backup files to a different system so that you have the versions required to recover the system in case you need to.

FTD API Version backward compatibility.

Starting with FTD Version 6.7, if an API resource model for a feature does not change between releases, then the FTD API can accept calls that are based on the older API version. Even if the feature model did change, if there is a logical way to convert the old model to the new model, the older call can work. For example, a v4 call can be accepted on a v5 system. If you use “latest” as the version number in your calls, these “older” calls are interpreted as a v5 call in this scenario, so whether you are taking advantage of backward compatibility depends on how you are structuring your API calls.

FTD REST API version 6 (v6).

The FTD REST API for software version 6.7 is version 6. You can use v6 in the API URLs, or preferentially, use /latest/ to signify you are using the most recent API version that is supported on the device.

Please re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, log into FDM, then click the more options button and choose API Explorer.

Deprecated Features in FDM Version 6.7.0

Table 3.

Feature

Upgrade Impact

Description

Less secure Diffie-Hellman groups, and encryption and hash algorithms

Prevents post-upgrade deploy.

You may not be able to deploy post-upgrade if you use any of the following Firepower Threat Defense features:

  • Diffie-Hellman groups: 2, 5, and 24.

  • Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls.

  • Hash algorithms: MD5.

If you are still using these features in IKE proposals or IPsec policies, change and verify your VPN configuration before you upgrade.

FlexConfig commands

Prevents post-upgrade deploy.

You should redo your configurations after upgrade.

Version 6.7.0 deprecates the following FlexConfig CLI commands for Firepower Threat Defense with FDM:

  • router eigrp: You can now create and use Smart CLI EIGRP objects directly on the Routing page: Device > Routing > EIGRP.

  • snmp-server: You can now use the FTD API to configure SNMP version 2c or 3.

You cannot deploy post-upgrade until you remove any associated FlexConfig objects.

Backup file retention

None. Upgrades always purge local backups.

Version 6.7.0 reduces the number of stored backup files from 10 to 3.

Note that we always recommend you back up to a secure remote location and verify transfer success. Upgrades purge locally stored backups.

Microsoft Internet Explorer

You should switch browsers.

We no longer test Firepower web interfaces using Microsoft Internet Explorer. We recommend you switch to Google Chrome, Mozilla Firefox, or Microsoft Edge.

ASA 5525-X, 5545-X, and 5555-X devices with Firepower Threat Defense

Upgrade prohibited.

You cannot upgrade to or freshly install Version 6.7.0+ of the Firepower Threat Defense software on ASA 5525-X, 5545-X, and 5555-X devices.

Version 6.6.0

New Features in FDM Version 6.6.0

Feature

Description

Platform Features

FDM support for Firepower Threat Defense Virtual for the Amazon Web Services (AWS) Cloud.

You can configure Firepower Threat Defense on Firepower Threat Defense Virtual for the AWS Cloud using Firepower Device Manager.

FDM for the Firepower 4112

We introduced the FTD for the Firepower 4112.

Note

Requires FXOS 2.8.1.

Firewall and IPS Features

Ability to enable intrusion rules that are disabled by default.

Each system-defined intrusion policy has a number of rules that are disabled by default. Previously, you could not change the action for these rules to alert or drop. You can now change the action for rules that are disabled by default.

We changed the Intrusion Policy page to display all rules, even those that are disabled by default, and allow you to edit the action for these rules.

Intrusion Detection System (IDS) mode for the intrusion policy.

You can now configure the intrusion policy to operate in Intrusion Detection System (IDS) mode. In IDS mode, active intrusion rules issue alerts only, even if the rule action is Drop. Thus, you can monitor or test how an intrusion policy works before you make it an active prevention policy in the network.

In FDM, we added an indication of the inspection mode to each intrusion policy on the Policies > Intrusion page, and an Edit link so that you can change the mode.

In the FTD API, we added the inspectionMode attribute to the IntrusionPolicy resource.

Support for manually uploading Vulnerability Database (VDB), Geolocation Database, and Intrusion Rule update packages.

You can now manually retrieve update packages for VDB, Geolocation Database, and Intrusion Rules, and then upload them from your workstation to the FTD device using FDM. For example, if you have an air-gapped network, where FDM cannot retrieve updates from the Cisco Cloud, you can now get the update packages you need.

We updated the Device > Updates page to allow you to select and upload a file from your workstation.

FTD API support for access control rules that are limited based on time.

Using the FTD API, you can create time range objects, which specify one-time or recurring time ranges, and apply these objects to access control rules. Using time ranges, you can apply an access control rule to traffic during certain times of day, or for certain periods of time, to provide flexibility to network usage. You cannot use FDM to create or apply time ranges, nor does FDM show you if an access control rule has a time range applied to it.

The TimeRangeObject, Recurrence, TimeZoneObject, DayLightSavingDateRange, and DayLightSavingDayRecurrence resources were added to the FTD API. The timeRangeObjects attribute was added to the accessrules resource to apply a time range to the access control rule. In addition, there were changes to the GlobalTimeZone and TimeZone resources.

Object group search for access control policies.

While operating, the FTD device expands access control rules into multiple access control list entries based on the contents of any network objects used in the access rule. You can reduce the memory required to search access control rules by enabling object group search. With object group search enabled, the system does not expand network objects, but instead searches access rules for matches based on those group definitions. Object group search does not impact how your access rules are defined or how they appear in Firepower Device Manager. It impacts only how the device interprets and processes them while matching connections to access control rules. Object group search is disabled by default.

In Firepower Device Manager, you must use FlexConfig to enable the object-group-search access-control command.

VPN Features

Backup peer for site-to-site VPN. (FTD API only.)

You can use the FTD API to add a backup peer to a site-to-site VPN connection. For example, if you have two ISPs, you can configure the VPN connection to fail over to the backup ISP if the connection to the first ISP becomes unavailable.

Another main use of a backup peer is when you have two different devices on the other end of the tunnel, such as a primary-hub and a backup-hub. The system would normally establish the tunnel to the primary hub. If the VPN connection fails, the system automatically can re-establish the connection with the backup hub.

We updated the FTD API so that you can specify more than one interface for outsideInterface in the SToSConnectionProfile resource. We also added the BackupPeer resource, and the remoteBackupPeers attribute to the SToSConnectionProfile resource.

You cannot configure a backup peer using FDM, nor will the existence of a backup peer be visible in FDM.

Support for Datagram Transport Layer Security (DTLS) 1.2 in remote access VPN.

You can now use DTLS 1.2 in remote access VPN. This can be configured using the FTD API only; you cannot configure it using FDM. However, DTLS 1.2 is now part of the default SSL cipher group, and you can enable the general use of DTLS using FDM in the AnyConnect attributes of the group policy. Note that DTLS 1.2 is not supported on the ASA 5508-X or 5516-X models.

We updated the protocolVersion attribute of the sslcipher resource to accept DTLSV1_2 as an enum value.

Deprecated support for less secure Diffie-Hellman groups, and encryption and hash algorithms.

The following features are deprecated and will be removed in a future release. You should avoid configuring these features in IKE proposals or IPSec policies for use in VPNs. Please transition away from these features and use stronger options as soon as is practical.

  • Diffie-Hellman groups: 2, 5, and 24.

  • Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls.

  • Hash algorithms: MD5.

Routing Features

Virtual routers and Virtual Routing and Forwarding (VRF)-Lite.

You can create multiple virtual routers to maintain separate routing tables for groups of interfaces. Because each virtual router has its own routing table, you can provide clean separation in the traffic flowing through the device.

Virtual routers implement the “light” version of Virtual Routing and Forwarding, or VRF-Lite, which does not support Multiprotocol Extensions for BGP (MBGP).

We changed the Routing page so you can enable virtual routers. When enabled, the Routing page shows a list of virtual routers. You can configure separate static routes and routing processes for each virtual router.

We also added the [vrf name | all] keyword set to the following CLI commands, and changed the output to indicate virtual router information where applicable: clear ospf, clear route, ping, show asp table routing, show bgp, show ipv6 route, show ospf, show route, show snort counters.

We added the following command: show vrf.

OSPF and BGP configuration moved to the Routing pages.

In previous releases, you configured OSPF and BGP in the Advanced Configuration pages using Smart CLI. Although you still configure these routing processes using Smart CLI, the objects are now available directly on the Routing pages. This makes it easier for you to configure processes per virtual router.

The OSPF and BGP Smart CLI objects are no longer available on the Advanced Configuration page. If you configured these objects before upgrading to 6.6, you can find them on the Routing page after upgrade.

High Availability Features

The restriction for externally authenticated users logging into the standby unit of a high availability (HA) pair has been removed.

Previously, an externally-authenticated user could not directly log into the standby unit of an HA pair. The user first needed to log into the active unit, then deploy the configuration, before login to the standby unit was possible.

This restriction has been removed. Externally-authenticated users can log into the standby unit even if they never logged into the active unit, so long as they provide a valid username/password.

Change to how interfaces are handled by the BreakHAStatus resource in the FTD API.

Previously, you could include the clearIntfs query parameter to control the operational status of the interfaces on the device where you break the high availability (HA) configuration.

Starting with version 6.6, there is a new attribute, interfaceOption, which you should use instead of the clearIntfs query parameter. This attribute is optional when used on the active node, but required when used on a non-active node. You can choose from one of two options:

  • DISABLE_INTERFACES (the default)—All data interfaces on the standby device (or this device) are disabled.

  • ENABLE_WITH_STANDBY_IP—If you configured a standby IP address for an interface, the interface on the standby device (or this device) is reconfigured to use the standby address. Any interface that lacks a standby address is disabled.

If you use break HA on the active node when the devices are in a healthy active/standby state, this attribute applies to the interfaces on the standby node. In any other state, such as active/active or suspended, the attribute applies to the node on which you initiate the break.

If you do use the clearIntfs query parameter, clearIntfs=true will act like interfaceOption = DISABLE_INTERFACES. This means that breaking an active/standby pair with clearIntfs=true will no longer disable both devices; only the standby device will be disabled.

When you break HA using FDM, the interface option is always set to DISABLE_INTERFACES. You cannot enable the interfaces with the standby IP address. Use the API call from the API Explorer if you want a different result.
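The rules above decide which node's interfaces are touched and what happens to each one. The following is an added example, not Cisco code: it models those rules so you can predict the outcome of a BreakHAStatus call before issuing it. The attribute and value names (interfaceOption, clearIntfs, DISABLE_INTERFACES, ENABLE_WITH_STANDBY_IP) come from the release note; the helper names, the pair-state strings and the sample interface table are assumptions.

```python
"""Predict the interface outcome of an FTD API BreakHAStatus call (6.6+).

Added example, not Cisco code. Only the behaviour described in the release
note is modelled; helper names and the "active/standby" style state strings
are this example's own conventions.
"""

DISABLE = "DISABLE_INTERFACES"
WITH_STANDBY = "ENABLE_WITH_STANDBY_IP"


def resolve_interface_option(local_node_active, interface_option=None, clear_intfs=None):
    """Return the effective interfaceOption after applying the documented defaults.

    - interfaceOption is optional on the active node and required elsewhere.
    - The legacy clearIntfs=true query parameter behaves like DISABLE_INTERFACES.
      clearIntfs=false has no documented mapping, so it is ignored here.
    """
    if interface_option is None and clear_intfs:
        interface_option = DISABLE
    if interface_option is None:
        if not local_node_active:
            raise ValueError("interfaceOption is required when breaking HA from a non-active node")
        interface_option = DISABLE  # documented default on the active node
    if interface_option not in (DISABLE, WITH_STANDBY):
        raise ValueError(f"unknown interfaceOption {interface_option!r}")
    return interface_option


def affected_node(local_node_active, pair_state):
    """Breaking a healthy active/standby pair from the active node affects the
    standby node; in any other state the node that initiates the break is affected."""
    if local_node_active and pair_state == "active/standby":
        return "standby"
    return "local"


def plan_break_ha(local_node_active, pair_state, interfaces,
                  interface_option=None, clear_intfs=None):
    """Build a per-interface outcome table.

    `interfaces` maps interface name -> configured standby IP (None if absent).
    """
    option = resolve_interface_option(local_node_active, interface_option, clear_intfs)
    node = affected_node(local_node_active, pair_state)
    outcome = {}
    for name, standby_ip in interfaces.items():
        # With ENABLE_WITH_STANDBY_IP only interfaces that have a standby
        # address stay up; everything else is disabled.
        if option == WITH_STANDBY and standby_ip:
            outcome[name] = f"enabled with {standby_ip}"
        else:
            outcome[name] = "disabled"
    return {"node": node, "interfaceOption": option, "interfaces": outcome}


if __name__ == "__main__":
    # Constructed sample: outside has a standby address, inside does not.
    sample = {"outside": "198.51.100.2", "inside": None}
    print(plan_break_ha(True, "active/standby", sample))
    print(plan_break_ha(False, "suspended", sample, interface_option=WITH_STANDBY))
```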

The last failure reason for High Availability problems is now displayed on the High Availability page.

If High Availability (HA) fails for some reason, such as the active device becoming unavailable and failing over to the standby device, the last reason for failure is now shown below the status information for the primary and secondary device. The information includes the UTC time of the event.

Interface Features

PPPoE Support

You can now configure PPPoE for routed interfaces. PPPoE is not supported on High Availability units.

New/Modified screens: Device > Interfaces > Edit > IPv4 Address > Type > PPPoE

New/Modified commands: show vpdn group, show vpdn username, show vpdn session pppoe state

Management Interface acts as a DHCP client by default

The Management interface now defaults to obtaining an IP address from DHCP instead of using the 192.168.45.45 IP address. This change makes it easier for you to deploy an FTD in your existing network. This feature applies to all platforms except for the Firepower 4100/9300 (where you set the IP address when you deploy the logical device), and the Firepower Threat Defense Virtual and ISA 3000 (which still use the 192.168.45.45 IP address). The DHCP server on the Management interface is also no longer enabled.

You can still connect to the default inside IP address by default (192.168.1.1).

HTTP proxy support for FDM management connections.

You can now configure an HTTP proxy for the management interface for use with FDM connections. All management connections, including manual and scheduled database updates, go through the proxy.

We added the System Settings > HTTP Proxy page to configure the setting. In addition, we added the HTTPProxy resource to the FTD API.

Set the MTU for the Management interface

You can now set the MTU for the Management interface up to 1500 bytes. The default is 1500 bytes.

New/Modified commands: configure network mtu, configure network management-interface mtu-management-channel

No modified screens.

Licensing Features

Smart Licensing and Cloud Services enrollment are now separate, and you can manage your enrollments separately.

You can now enroll for cloud services using your security account rather than your Smart Licensing account. Enrolling using the security account is the recommended approach if you intend to manage the device using Cisco Defense Orchestrator. You can also unregister from cloud services without unregistering from Smart Licensing.

We changed how the System Settings > Cloud Services page behaves, and added the ability to unregister from cloud services. In addition, the Web Analytics feature was removed from the page and you can now find it at System Settings > Web Analytics. In the FTD API, the CloudServices resources were modified to reflect the new behavior.

Support for Permanent License Reservation.

If you have an air-gapped network, where there is no path to the internet, you cannot register directly with the Cisco Smart Software Manager (CSSM) for Smart Licensing. In this situation, you can now get authorization to use Universal Permanent License Reservation (PLR) mode, where you can apply a license that does not need direct communication with CSSM. If you have an air-gapped network, please contact your account representative and ask for authorization to use Universal PLR mode in your CSSM account, and to obtain the necessary licenses.

We added the ability to switch to PLR mode, and to cancel and unregister a Universal PLR license, to the Device > Smart License page. In the FTD API, there are new resources for PLRAuthorizationCode, PLRCode, PLRReleaseCode, PLRRequestCode, and actions for PLRRequestCode, InstallPLRCode, and CancelReservation.

Administrative and Troubleshooting Features

FDM direct support for Precision Time Protocol (PTP) configuration for ISA 3000 devices.

You can use FDM to configure the Precision Time Protocol (PTP) on ISA 3000 devices. PTP is a time-synchronization protocol developed to synchronize the clocks of various devices in a packet-based network. The protocol is designed specifically for industrial, networked measurement and control systems. In previous releases, you had to use FlexConfig to configure PTP.

We grouped PTP with NTP on the same System Settings page, and renamed the System Settings > NTP page to Time Services. We also added the PTP resource to the FTD API.

Trust chain validation for the FDM management web server certificate.

When you configure a non-self-signed certificate for the FDM web server, you now need to include all intermediate certificates, and the root certificate, in the trust chain. The system validates the entire chain.

We added the ability to select the certificates in the chain on the Management Web Server tab on the Device > System Settings > Management Access page.

Support for encrypting backup files.

You can now encrypt backup files using a password. To restore an encrypted backup, you must supply the correct password.

We added the ability to choose whether to encrypt backup files for recurring, scheduled, and manual jobs, and to supply the password on restore, to the Device > Backup and Restore page. We also added the encryptArchive and encryptionKey attributes to the BackupImmediate and BackupSchedule resources, and encryptionKey to the RestoreImmediate resource in the FTD API.

Support for selecting which events to send to the Cisco cloud for use by cloud services.

When you configure the device to send events to the Cisco cloud, you can now select which types of events to send: intrusion, file/malware, and connection. For connection events, you can send all events or just the high-priority events, which are those related to connections that trigger intrusion, file, or malware events, or that match Security Intelligence blocking policies.

We changed how the Send Events to the Cisco Cloud Enable button works. The feature is on the System Settings > Cloud Services page.

FTD REST API version 5 (v5).

The FTD REST API for software version 6.6 has been incremented to version 5. You must replace v1/v2/v3/v4 in the API URLs with v5, or preferentially, use /latest/ to signify you are using the most recent API version that is supported on the device.

The v5 API includes many new resources that cover all features added in software version 6.6. Please re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, log into FDM, then click the more options button and choose API Explorer.

Deprecated Features in FDM Version 6.6.0

Table 4.

Feature

Upgrade Impact

Description

e1000 Interfaces on FTDv for VMware

Prevents upgrade.

Version 6.6.0 ends support for e1000 interfaces on FTDv for VMware. You cannot upgrade until you switch to vmxnet3 or ixgbe interfaces. Or, you can deploy a new device.

For more information, see the Cisco Firepower Threat Defense Virtual for VMware Getting Started Guide.

Less secure Diffie-Hellman groups, and encryption and hash algorithms

None, but you should switch now.

Version 6.6.0 deprecates the following Firepower Threat Defense security features:

  • Diffie-Hellman groups: 2, 5, and 24.

  • Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls.

  • Hash algorithms: MD5.

These features are removed in Version 6.7.0. Avoid configuring them in IKE proposals or IPSec policies for use in VPNs. Change to stronger options as soon as possible.
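Because the same algorithms are deprecated here in 6.6 and block post-upgrade deploy in 6.7, a pre-upgrade audit of IKE and IPsec proposals is worth automating. The following is an added example, not Cisco code: it flags the Diffie-Hellman groups, encryption algorithms and hash algorithm listed above in proposal records. The record layout and field names (dhGroups, encryptionTypes, integrityTypes) are assumptions standing in for whatever your FTD API export or configuration text actually contains, and the sample proposals are constructed.

```python
"""Audit VPN proposals for the crypto deprecated in 6.6 and removed in 6.7.

Added example, not Cisco code. The record shape below is ASSUMED; adapt the
field names to your own export. Sample data is constructed.
"""

# Values taken from the deprecation table.
DEPRECATED_DH_GROUPS = {2, 5, 24}
DEPRECATED_ENCRYPTION = {"DES", "3DES", "AES-GMAC", "AES-GMAC-192", "AES-GMAC-256"}
DEPRECATED_HASH = {"MD5"}

# Constructed sample proposals (field names are this example's assumption).
SAMPLE_PROPOSALS = [
    {"name": "legacy-ikev1", "kind": "IKEv1", "dhGroups": [2, 5],
     "encryptionTypes": ["3DES"], "integrityTypes": ["MD5", "SHA"]},
    {"name": "modern-ikev2", "kind": "IKEv2", "dhGroups": [14, 19],
     "encryptionTypes": ["AES-256", "AES-GCM-256"], "integrityTypes": ["SHA256"]},
    {"name": "gmac-ipsec", "kind": "IPsec", "dhGroups": [24],
     "encryptionTypes": ["AES-GMAC-256", "AES-GCM-128"], "integrityTypes": ["SHA256"]},
]


def _normalize(alg):
    """Tolerate case and separator differences, e.g. 'aes_gmac_256' -> 'AES-GMAC-256'."""
    return alg.strip().upper().replace("_", "-")


def audit_proposal(proposal, strong_crypto=True):
    """Return (category, value) findings for one proposal.

    strong_crypto=False models a device that does not satisfy export controls:
    there DES remains the only option, so it is not reported.
    """
    findings = []
    for group in proposal.get("dhGroups", []):
        if int(group) in DEPRECATED_DH_GROUPS:
            findings.append(("dh_group", str(group)))
    for enc in proposal.get("encryptionTypes", []):
        enc = _normalize(enc)
        if enc in DEPRECATED_ENCRYPTION and (strong_crypto or enc != "DES"):
            findings.append(("encryption", enc))
    for alg in proposal.get("integrityTypes", []):
        alg = _normalize(alg)
        if alg in DEPRECATED_HASH:
            findings.append(("hash", alg))
    return findings


def audit(proposals, strong_crypto=True):
    """Map proposal name -> findings, omitting clean proposals."""
    report = {}
    for proposal in proposals:
        findings = audit_proposal(proposal, strong_crypto)
        if findings:
            report[proposal["name"]] = findings
    return report


def would_block_upgrade_deploy(proposals, strong_crypto=True):
    """True if any deprecated value remains; 6.7 refuses post-upgrade deploy then."""
    return bool(audit(proposals, strong_crypto))


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PROPOSALS).items():
        print(f"{name}: " + ", ".join(f"{cat}={val}" for cat, val in findings))
    print("blocks 6.7 deploy:", would_block_upgrade_deploy(SAMPLE_PROPOSALS))
```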

Version 6.5.0

New Features in FDM Version 6.5.0

Feature

Description

FDM support for the Firepower 4100/9300.

You can now use FDM to configure Firepower Threat Defense on the Firepower 4100/9300. Only native instances are supported; container instances are not supported.

FDM support for Firepower Threat Defense Virtual for the Microsoft Azure Cloud.

You can configure Firepower Threat Defense on Firepower Threat Defense Virtual for the Microsoft Azure Cloud using Firepower Device Manager.

Support for the Firepower 1150.

We introduced the FTD for the Firepower 1150.

Firepower 1010 hardware switch support, PoE+ support.

The Firepower 1010 supports setting each Ethernet interface to be a switch port or a regular firewall interface. Assign each switch port to a VLAN interface. The Firepower 1010 also supports Power over Ethernet+ (PoE+) on Ethernet1/7 and Ethernet1/8.

The default configuration now sets Ethernet1/1 as outside, and Ethernet1/2 through 1/8 as switch ports on the inside VLAN1 interface. Upgrading to version 6.5 retains the existing interface configuration.

Interface scan and replace.

An interface scan detects any added, removed, or restored interfaces on the chassis. You can also replace an old interface with a new interface in the configuration, making interface changes seamless.

Improved interfaces display.

The Device > Interfaces page has been reorganized. There are now separate tabs for physical interfaces, bridge groups, EtherChannels, and VLANs. For any given device model, only those tabs relevant for the model are shown. For example, the VLANs tab is available on the Firepower 1010 model only. In addition, the lists provide more detailed information about the configuration and usage of each interface.

ISA 3000 new default configuration.

The ISA 3000 default configuration has changed so that:

  • All interfaces are bridge group members in BVI1, which is unnamed so it does not participate in routing

  • GigabitEthernet1/1 and 1/3 are outside interfaces, and GigabitEthernet1/2 and 1/4 are inside interfaces

  • Hardware bypass is enabled for each inside/outside pair, when available

  • All traffic is allowed from inside to outside, and outside to inside

Upgrading to version 6.5 retains the existing interface configuration.

Support ends for the ASA 5515-X. The last supported release is FTD 6.4.

You cannot install FTD 6.5 on an ASA 5515-X. The last supported release for the ASA 5515-X is FTD 6.4.

Support for Common Industrial Protocol (CIP) and Modbus application filtering in access control rules on Cisco ISA 3000 devices.

You can enable the Common Industrial Protocol (CIP) and Modbus preprocessors on Cisco ISA 3000 devices, and filter on CIP and Modbus applications in access control rules. All CIP application names start with “CIP,” such as CIP Write. There is only one application for Modbus.

To enable the preprocessors, you must go into expert mode in a CLI session (SSH or Console) and issue the sudo /usr/local/sf/bin/enable_scada.sh {cip | modbus | both} command. You must issue this command after every deployment, as deployment turns off the preprocessors.

Precision Time Protocol (PTP) configuration for ISA 3000 devices.

You can use FlexConfig to configure the Precision Time Protocol (PTP) on ISA 3000 devices. PTP is a time-synchronization protocol developed to synchronize the clocks of various devices in a packet-based network. The protocol is designed specifically for industrial, networked measurement and control systems.

We now allow you to include the ptp and igmp (interface mode) commands, and the global commands ptp mode e2etransparent and ptp domain, in FlexConfig objects. We also added the show ptp command to the FTD CLI.

EtherChannel (port channel) interfaces.

You can configure EtherChannel interfaces, which are also known as port channels.

Note

You can only add EtherChannels in FDM to the Firepower 1000 and 2100 series. The Firepower 4100/9300 supports EtherChannels, but you must perform all hardware configuration of EtherChannels in FXOS on the chassis. Firepower 4100/9300 EtherChannels appear in the FDM Interfaces page alongside single physical interfaces.

We updated the Device > Interfaces page to allow the creation of EtherChannels.

Ability to reboot and shut down the system from FDM.

You can now reboot or shut down the system from the new Reboot/Shutdown system settings page. Previously, you needed to issue the reboot and shutdown commands through the CLI Console in FDM or from an SSH or console session. You must have Administrator privileges to use these commands.

Support for the failover command in the FDM CLI Console.

You can now issue the failover command in the FDM CLI Console.

Service Level Agreement (SLA) Monitor for static routes.

Configure Service Level Agreement (SLA) Monitor objects for use with static routes. By using an SLA monitor, you can track the health of a static route and automatically replace a failed route with a new one. We added SLA Monitors to the Objects page, and updated static routes so you can select the SLA Monitor object.

Routing changes in Smart CLI and the FTD API.

This release includes some changes to routing configuration in Smart CLI and the FTD API. In previous releases, there was a single Smart CLI template for BGP. Now, there are separate templates for BGP (the routing process configuration) and BGP General Settings (global settings).

In the FTD API, the paths for all methods have changed, with “/virtualrouters” inserted in the paths, with the exception of the new BGP general settings methods.

  • The path for static route methods was /devices/default/routing/{parentId}/staticrouteentries, and it is now /devices/default/routing/virtualrouters/default/staticrouteentries.

  • BGP methods were split into two new paths: /devices/default/routing/bgpgeneralsettings and /devices/default/routing/virtualrouters/default/bgp.

  • OSPF paths are now /devices/default/routing/virtualrouters/default/ospf and /devices/default/routing/virtualrouters/default/ospfinterfacesettings.

If you are using the FTD API to configure any routing process, please examine your calls and correct as necessary.

New URL category and reputation database.

The system uses a different URL database, from Cisco Talos. The new database has some differences in URL categories. Upon upgrade, if any access control or SSL decryption rules use categories that no longer exist, the system will replace the category with an appropriate new category. To make the change effective, deploy the configuration after upgrade. The pending changes dialog will show details about the category changes. You might want to examine your URL filtering policies to verify that they continue to provide the desired results.

We also added a URL lookup feature to the URL tabs in the access control and SSL decryption policies, and on the Device > System Settings > URL Filtering Preferences page. You can use this feature to check which category a particular URL is assigned to. If you disagree, there is also a link to submit a category dispute. Both of these features take you to an external web site, which will provide detailed information about the URL.

Security Intelligence uses the IP address reputation for URL requests that use IP addresses instead of hostnames.

If an HTTP/HTTPS request is to a URL that uses an IP address instead of a hostname, the system looks up the IP address reputation in the network address lists. You do not need to duplicate IP addresses in the network and URL lists. This makes it harder for end users to use proxies to avoid Security Intelligence reputation blocking.

Support for sending connection and high-priority intrusion, file, and malware events to the Cisco Cloud.

You can send events to the Cisco cloud server. From there, various Cisco cloud services can access the events. You can then use these cloud applications, such as Cisco Threat Response, to analyze the events and to evaluate threats that the device might have encountered. When you enable this service, the device will send connection and high-priority intrusion, file, and malware events to the Cisco cloud.

We renamed the Cisco Threat Response item on Device > System Settings > Cloud Services to “Send Events to the Cisco Cloud.”

Cisco Cloud Services region support.

You are now asked to select the Cisco Cloud Services region when you register with smart licensing. This region is used for Cisco Defense Orchestrator, Cisco Threat Response, Cisco Success Network, and any cloud feature that goes through the Cisco Cloud. If you upgrade a registered device from a previous release, you are automatically assigned to the US Region; you must unregister from Smart Licensing, then reregister and select a new region, if you need to change regions.

We added a step to the license registration process on the Smart License page and in the initial device setup wizard. You can also see the region on the Device > System Settings > Cloud Services page.

FTD REST API version 4 (v4).

The FTD REST API for software version 6.5 has been incremented to version 4. You must replace v1/v2/v3 in the API URLs with v4. The v4 API includes many new resources that cover all features added in software version 6.5. Please re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, log into FDM, then click the More options button and choose API Explorer.

FTD API support for TrustSec security groups as matching criteria for source and destination in access control rules.

You can use the FTD API to configure access control policy rules that use TrustSec security groups for source or destination traffic matching criteria. The system downloads the list of security group tags (SGTs) from ISE. You can configure the system to listen for SXP updates to obtain static SGT-to-IP address mappings.

You can view the list of downloaded tags using the GET /object/securitygrouptag method, and create dynamic objects for one or more tags using the SGTDynamicObject resource. It is the dynamic objects that you can use in access control rules to define traffic matching criteria based on source or destination security group.

Note that any changes you make to the ISE object or access control rules related to security group are preserved if you edit those objects in FDM. However, you cannot see the security group criteria in an access rule if you edit the rule in FDM. If you configure security-group-based access rules using the API, please be careful when subsequently editing rules in the access control policy using FDM.

We added or modified the following FTD API resources: AccessRule (sourceDynamicObjects and destinationDynamicObjects attributes), IdentityServicesEngine (subscribeToSessionDirectoryTopic and subscribeToSxpTopic attributes), SecurityGroupTag, SGTDynamicObject.

We added source and destination security group tag and name as columns in Event Viewer.

Configuration import/export using the FTD API.

You can use the FTD API to export the device configuration and to import a configuration file. You can edit the configuration file to change values, such as the IP addresses assigned to interfaces. Thus, you can use import/export to create a template for new devices, so that you can apply a baseline configuration and get new devices online more quickly. You can also use import/export to restore a configuration after you reimage a device. Or you can simply use it to distribute a set of network objects or other items to a group of devices.

We added the ConfigurationImportExport resources and methods (/action/configexport, /jobs/configexportstatus, /action/downloadconfigfile, /action/uploadconfigfile, /action/configfiles, /action/configimport, /jobs/configimportstatus).

Creation and selection of custom file policies.

You can use the FTD API to create custom file policies, and then select these policies on access control rules using FDM.

We added the following FTD API FileAndMalwarePolicies resources: filepolicies, filetypes, filetypecategories, ampcloudconfig, ampservers, and ampcloudconnections.

We also removed two pre-defined policies, “Block Office Document and PDF Upload, Block Malware Others” and “Block Office Documents Upload, Block Malware Others.” If you are using these policies, during upgrade they are converted to user-defined policies so that you can edit them.

Security Intelligence DNS policy configuration using the FTD API.

You can configure the Security Intelligence DNS policy using the FTD API. This policy does not appear in FDM.

We added the following SecurityIntelligence resources: domainnamefeeds, domainnamegroups, domainnamefeedcategories, securityintelligencednspolicies.

Remote access VPN two-factor authentication using Duo LDAP.

You can configure Duo LDAP as the second authentication source for a remote access VPN connection profile to provide two-factor authentication using Duo passcode, push notification, or phone call. Although you must use the FTD API to create the Duo LDAP identity source object, you can use FDM to select that object as the authentication source for the RA VPN connection profile.

We added the duoldapidentitysources resource and methods to the FTD API.

FTD API support for LDAP attribute maps used in authorizing remote access VPN connections.

You can augment LDAP authorization for remote access VPN using custom LDAP attribute maps. An LDAP attribute map equates customer-specific LDAP attribute names and values with Cisco attribute names and values. You can use these mappings to assign group policies to users based on LDAP attribute values. You can configure these maps using the FTD API only; you cannot configure them using FDM. However, if you set these options using the API, you can subsequently edit the Active Directory identity source in FDM and your settings are preserved.

We added or modified the following FTD API object models: LdapAttributeMap, LdapAttributeMapping, LdapAttributeToGroupPolicyMapping, LDAPRealm, LdapToCiscoValueMapping, LdapToGroupPolicyValueMapping, RadiusIdentitySource.

FTD API support for site-to-site VPN connection reverse route injection and security association (SA) lifetime.

You can use the FTD API to enable reverse route injection for a site-to-site VPN connection. Reverse route injection (RRI) is the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. By default, static RRI, where routes are added when you configure the connection, is enabled. Dynamic RRI, where routes are inserted only when the security association (SA) is established and then are deleted when the SA is torn down, is disabled. Note that dynamic RRI is supported for IKEv2 connections only.

You can also set the security association (SA) lifetime (in seconds or in kilobytes transmitted) for the connection, or set an unlimited lifetime. The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour). When either lifetime is reached, the endpoints negotiate a new security association and secret key.

You cannot configure these features using FDM. However, if you set these options using the API, you can subsequently edit the connection profile in FDM and your settings are preserved.

We added the following attributes to the SToSConnectionProfile resource: dynamicRRIEnabled, ipsecLifetimeInSeconds, ipsecLifetimeInKiloBytes, ipsecLifetimeUnlimited, rriEnabled.

Support for Diffie-Hellman groups 14, 15, and 16 in IKE policies.

You can now configure IKEv1 policies to use DH group 14, and IKEv2 policies to use DH groups 14, 15, and 16. If you are using IKEv1, please upgrade all your policies to DH group 14, as groups 2 and 5 will be removed in a future release. In addition, you should avoid using DH group 24 in IKEv2 policies, and MD5 in any IKE version, as these will also be removed in a future release.
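As an added example (not Cisco's code) of checking an existing configuration against this deprecation notice, the following Python audits IKE policy objects for DH groups 2, 5 and 24 and for MD5. The policy objects are constructed JSON shaped like IKEv1/IKEv2 policy objects; the attribute names (diffieHellmanGroup, diffieHellmanGroups, hash, integrityTypes, prfTypes) are assumptions to be checked against the API Explorer.

```python
"""Flag IKE policy objects that use algorithms this release marks for removal.

Added example, not Cisco code. The policy objects below are constructed JSON
shaped like what a GET on the IKEv1/IKEv2 policy resources might return; the
attribute names (diffieHellmanGroup, diffieHellmanGroups, hash, integrityTypes,
prfTypes) are assumptions, so verify them in the API Explorer before use.
"""
import json

# From the release note: DH groups 2 and 5 (IKEv1) and 24 (IKEv2), and MD5 in
# any IKE version, will be removed in a future release. Group 14 (IKEv1) and
# groups 14, 15 and 16 (IKEv2) are the supported replacements.
DEPRECATED_DH = {2, 5, 24}
DEPRECATED_HASHES = {"MD5"}
RECOMMENDED_DH = {"ikev1policy": "14", "ikev2policy": "14, 15, or 16"}

# Constructed sample policies: two IKEv1, two IKEv2, half of them needing work.
SAMPLE_POLICIES = json.loads("""[
  {"type": "ikev1policy", "name": "legacy-ikev1",
   "encryption": "AES128", "hash": "MD5", "diffieHellmanGroup": 2},
  {"type": "ikev1policy", "name": "ikev1-dh14",
   "encryption": "AES256", "hash": "SHA", "diffieHellmanGroup": 14},
  {"type": "ikev2policy", "name": "ikev2-mixed",
   "encryptionTypes": ["AES256"], "integrityTypes": ["SHA256", "MD5"],
   "prfTypes": ["MD5"], "diffieHellmanGroups": [24, 14]},
  {"type": "ikev2policy", "name": "ikev2-strong",
   "encryptionTypes": ["AES256"], "integrityTypes": ["SHA256"],
   "prfTypes": ["SHA256"], "diffieHellmanGroups": [14, 15, 16]}
]""")


def ike_policy_findings(policy):
    """Return (policy name, problem) tuples for one IKEv1 or IKEv2 policy object."""
    name, ptype = policy["name"], policy["type"].lower()
    if ptype == "ikev1policy":
        groups = [policy["diffieHellmanGroup"]]   # IKEv1: one group per policy
        hashes = [policy["hash"]]
    elif ptype == "ikev2policy":
        groups = policy["diffieHellmanGroups"]    # IKEv2: lists of proposals
        hashes = policy["integrityTypes"] + policy["prfTypes"]
    else:
        raise ValueError(f"not an IKE policy object: {ptype}")
    findings = []
    for group in groups:
        if group in DEPRECATED_DH:
            findings.append((name, f"DH group {group} is slated for removal; "
                                   f"use group {RECOMMENDED_DH[ptype]}"))
    # A hash may be listed as both integrity and PRF; report it only once.
    for algo in sorted({h.upper() for h in hashes} & DEPRECATED_HASHES):
        findings.append((name, f"{algo} hash is slated for removal; "
                               f"move the policy off {algo}"))
    return findings


def audit_ike_policies(policies):
    """Flatten findings for a list of policy objects; an empty list means nothing to fix."""
    return [f for policy in policies for f in ike_policy_findings(policy)]


def compliant_policies(policies):
    """Names of policies that use no deprecated algorithm, in input order."""
    return [p["name"] for p in policies if not ike_policy_findings(p)]


if __name__ == "__main__":
    for name, problem in audit_ike_policies(SAMPLE_POLICIES):
        print(f"{name}: {problem}")
    print("compliant:", ", ".join(compliant_policies(SAMPLE_POLICIES)))
```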

Performance improvements when deploying changes.

If you add, edit, or delete access control rules, the system has been enhanced to deploy your changes more quickly than was done in previous releases.

For systems configured in a high availability group for failover, the process for synchronizing the deployed changes to the standby device has been improved so that the synchronization completes more quickly.

Improved CPU and memory usage calculations on the System dashboard.

The method for calculating CPU and memory usage has been improved so that the information shown on the System dashboard more accurately reflects the actual state of the device.

When upgrading to FTD 6.5, historical report data is no longer available.

When you upgrade an existing system to FTD 6.5, historical report data will not be available due to a database schema change. Thus, you will not see usage data in the dashboards for times prior to the upgrade.

New Features in FDM Version 6.5.0 Patches

Table 5.

Feature

Description

Version 6.5.0.5

Default HTTPS server certificates

Upgrade impact.

Unless the device's current default HTTPS server certificate already has an 800-day lifespan, upgrading to Version 6.5.0.5+ renews the certificate, which now expires 800 days from the date of the upgrade. All future renewals have an 800-day lifespan.

Your old certificate was set to expire depending on when it was generated, as follows:

  • 6.5.0 to 6.5.0.4: 3 years

  • 6.4.0.9 and later patches: 800 days

  • 6.4.0 to 6.4.0.8: 3 years

  • 6.3.0 and all patches: 3 years

  • 6.2.3: 20 years

Deprecated Features in FDM Version 6.5.0

Table 6.

Feature

Upgrade Impact

Description

Default HTTPS server certificates

None.

If you are upgrading from Version 6.4.0.9+, the default HTTPS server certificate's lifespan-on-renew returns to 3 years, but this is again updated to 800 days in Version 6.6.0+.

Your current default HTTPS server certificate is set to expire depending on when it was generated, as follows:

  • 6.4.0.9 and later patches: 800 days

  • 6.4.0 to 6.4.0.8: 3 years

  • 6.3.0 and all patches: 3 years

  • 6.2.3: 20 years

Manually uploading VDB, GeoDB, and SRU updates

None, but feature is deprecated until you upgrade to Version 6.6.0+.

Version 6.5.0 does not support manually uploading VDB, GeoDB, and SRU updates to the device.

This feature is supported in Version 6.4.0.10 and later patches, and in Version 6.6.0+. If you are running Version 6.4.0.10 or later patch, we recommend you upgrade directly to Version 6.6.0+, without using Version 6.5.0 as an intermediate version.

Universal Permanent License Reservation (PLR) mode

None, but feature is deprecated until you upgrade to Version 6.6.0+.

Version 6.5.0 does not support Universal Permanent License Reservation (PLR) mode, where you can apply a license that does not need direct communication with Cisco Smart Software Manager (CSSM).

This feature is supported in Version 6.4.0.10 and later patches, and in Version 6.6.0+. If you are running Version 6.4.0.10 or later patch, we recommend you upgrade directly to Version 6.6.0+, without using Version 6.5.0 as an intermediate version.

ASA 5515-X with Firepower Threat Defense

Upgrade prohibited.

You cannot upgrade to or freshly install Firepower Threat Defense Version 6.5.0+ on ASA 5515-X devices.

Version 6.4.0

New Features in FDM Version 6.4.0

Feature

Description

Firepower 1000 series device configuration.

You can configure Firepower Threat Defense on Firepower 1000 series devices using Firepower Device Manager.

Note that you can configure and use the Power over Ethernet (PoE) ports as regular Ethernet ports, but you cannot enable or configure any PoE-related properties.

Hardware bypass for the ISA 3000.

You can now configure hardware bypass for the ISA 3000 on the Device > Interfaces page. In release 6.3, you needed to configure hardware bypass using FlexConfig. If you are using FlexConfig, please redo the configuration on the Interfaces page and remove the hardware bypass commands from FlexConfig. However, the portion of the FlexConfig devoted to disabling TCP sequence number randomization is still recommended.

Ability to reboot and shut down the system from the FDM CLI Console.

You can now issue the reboot and shutdown commands through the CLI Console in FDM. Previously, you needed to open a separate SSH session to the device to reboot or shut down the system. You must have Administrator privileges to use these commands.

External Authentication and Authorization using RADIUS for FTD CLI Users.

You can use an external RADIUS server to authenticate and authorize users logging into the FTD CLI. You can give external users config (administrator) or basic (read-only) access.

We added the SSH configuration to the AAA Configuration tab on the Device > System Settings > Management Access page.

Support for network range objects and nested network group objects.

You can now create network objects that specify a range of IPv4 or IPv6 addresses, and network group objects that include other network groups (that is, nested groups).

We modified the network object and network group object Add/Edit dialog boxes to include these features, and modified the various security policies to allow the use of these objects, contingent on whether address specifications of that type make sense within the context of the policy.

Full-text search options for objects and rules.

You can do a full-text search on objects and rules. By searching a policy or object list that has a large number of items, you can find all items that include your search string anywhere within the rule or object.

We added a search box to all policies that have rules, and to all pages on the Objects list. In addition, you can use the filter=fts~search-string option on GET calls for supported objects in the API to retrieve items based on a full-text search.

Obtaining a list of supported API versions for an FDM-managed FTD device.

You can use the GET /api/versions (ApiVersions) method to get a list of the API versions that are supported on a device. You can use your API client to communicate and configure the device using commands and syntax valid for any of the supported versions.

FTD REST API version 3 (v3).

The FTD REST API for software version 6.4 has been incremented to version 3. You must replace v1/v2 in the API URLs with v3. The v3 API includes many new resources that cover all features added in software version 6.4. Please re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, change the end of the Firepower Device Manager URL to /#/api-explorer after logging in.

Hit counts for access control rules.

You can now view hit counts for access control rules. The hit counts indicate how often connections matched the rule.

We updated the access control policy to include hit count information. In the FTD API, we added the HitCounts resource and the includeHitCounts and filter=fetchZeroHitCounts options to the GET Access Policy Rules resource.

Site-to-Site VPN enhancements for dynamic addressing and certificate authentication.

You can now configure site-to-site VPN connections to use certificates instead of preshared keys to authenticate the peers. You can also configure connections where the remote peer has an unknown (dynamic) IP address. We added options to the Site-to-Site VPN wizard and the IKEv1 policy object.

Support for RADIUS servers and Change of Authorization in remote access VPN.

You can now use RADIUS servers for authenticating, authorizing, and accounting remote access VPN (RA VPN) users. You can also configure Change of Authorization (CoA), also known as dynamic authorization, to alter a user’s authorization after authentication when you use a Cisco ISE RADIUS server.

We added attributes to the RADIUS server and server group objects, and made it possible to select a RADIUS server group within an RA VPN connection profile.

Multiple connection profiles and group policies for remote access VPN.

You can configure more than one connection profile, and create group policies to use with the profiles.

We changed the Device > Remote Access VPN page to have separate pages for connection profiles and group policies, and updated the RA VPN Connection wizard to allow the selection of group policies. Some items that were previously configured in the wizard are now configured in the group policy.

Support for certificate-based, second authentication source, and two-factor authentication in remote access VPN.

You can use certificates for user authentication, and configure secondary authentication sources so that users must authenticate twice before establishing a connection. You can also configure two-factor authentication using RSA tokens or Duo passcodes as the second factor.

We updated the RA VPN Connection wizard to support the configuration of these additional options.

Support for IP address pools with multiple address ranges, and DHCP address pools, for remote access VPN.

You can now configure address pools that have more than one address range by selecting multiple network objects that specify subnets. In addition, you can configure address pools in a DHCP server and use the server to provide addresses to RA VPN clients. If you use RADIUS for authorization, you can alternatively configure the address pools in the RADIUS server.

We updated the RA VPN Connection wizard to support the configuration of these additional options. You can optionally configure the address pool in the group policy instead of the connection profile.

Active Directory realm enhancements.

You can now include up to 10 redundant Active Directory (AD) servers in a single realm. You can also create multiple realms and delete realms that you no longer need. In addition, the limit for downloading users in a realm is increased to 50,000 from the 2,000 limit in previous releases.

We updated the Objects > Identity Sources page to support multiple realms and servers. You can select the realm in the user criteria of access control and SSL decryption rules, to apply the rule to all users within the realm. You can also select the realm in identity rules and RA VPN connection profiles.

Redundancy support for ISE servers.

When you configure Cisco Identity Services Engine (ISE) as an identity source for passive authentication, you can now configure a secondary ISE server if you have an ISE high availability setup.

We added an attribute for the secondary server to the ISE identity object.

File/malware events sent to external syslog servers.

You can now configure an external syslog server to receive file/malware events, which are generated by file policies configured on access control rules. File events use message ID 430004; malware events use message ID 430005.

We added the File/Malware syslog server options to the Device > System Settings > Logging Settings page.

Logging to the internal buffer and support for custom event log filters.

You can now configure the internal buffer as a destination for system logging. In addition, you can create event log filters to customize which messages are generated for the syslog server and internal buffer logging destinations.

We added the Event Log Filter object to the Objects page, and the ability to use the object on the Device > System Settings > Logging Settings page. The internal buffer options were also added to the Logging Settings page.

Certificate for the Firepower Device Manager Web Server.

You can now configure the certificate that is used for HTTPS connections to the Firepower Device Manager configuration interface. By uploading a certificate your web browsers already trust, you can avoid the Untrusted Authority message you get when using the default internal certificate. We added the Device > System Settings > Management Access > Management Web Server page.

Cisco Threat Response support.

You can configure the system to send intrusion events to the Cisco Threat Response cloud-based application. You can use Cisco Threat Response to analyze intrusions.

We added Cisco Threat Response to the Device > System Settings > Cloud Services page.

New Features in FDM Version 6.4.0 Patches

Table 7.

Feature

Description

Version 6.4.0.10

Manually uploading VDB, GeoDB, and SRU updates

You can now manually retrieve update packages for VDB, Geolocation Database, and Intrusion Rules, and then upload them from your workstation to the FTD device using FDM. For example, if you have an air-gapped network, where FDM cannot retrieve updates from the Cisco Cloud, you can now get the update packages you need.

We updated the Device > Updates page to allow you to select and upload a file from your workstation.

Note that this feature is not supported in Version 6.5.0. It is reintroduced in Version 6.6.0. If you are running Version 6.4.0.10 or later patch, we recommend you upgrade directly to Version 6.6.0+, without using Version 6.5.0 as an intermediate version.

Version 6.4.0.10

Universal Permanent License Reservation (PLR) mode

If you have an air-gapped network, where there is no path to the internet, you cannot register directly with the Cisco Smart Software Manager (CSSM) for Smart Licensing. In this situation, you can now get authorization to use Universal Permanent License Reservation (PLR) mode, where you can apply a license that does not need direct communication with CSSM. If you have an air-gapped network, please contact your account representative and ask for authorization to use Universal PLR mode in your CSSM account, and to obtain the necessary licenses.

We added the ability to switch to PLR mode, and to cancel and unregister a Universal PLR license, to the Device > Smart License page. In the FTD API, there are new resources for PLRAuthorizationCode, PLRCode, PLRReleaseCode, PLRRequestCode, and actions for PLRRequestCode, InstallPLRCode, and CancelReservation.

Note that this feature is not supported in Version 6.5.0. It is reintroduced in Version 6.6.0. If you are running Version 6.4.0.10 or later patch, we recommend you upgrade directly to Version 6.6.0+, without using Version 6.5.0 as an intermediate version.

Version 6.4.0.9

Default HTTPS server certificates

Upgrade impact.

Upgrading FDM from Version 6.4.0–6.4.0.8 to any later Version 6.4.0.x patch (or to Version 6.6.0+) renews the default HTTPS server certificate, which expires 800 days from the date of the upgrade. All future renewals have an 800-day lifespan.

Your old certificate was set to expire depending on when it was generated, as follows:

  • 6.4.0 to 6.4.0.8: 3 years

  • 6.3.0 and all patches: 3 years

  • 6.2.3 and earlier: 20 years

Note that in Version 6.5.0–6.5.0.4, the lifespan-on-renew returns to 3 years, but this is again updated to 800 days with Version 6.5.0.5 and 6.6.0.

Version 6.4.0.4

New syslog fields

These new syslog fields collectively identify a unique connection event:

  • Sensor UUID

  • First Packet Time

  • Connection Instance ID

  • Connection Counter

These fields also appear in syslogs for intrusion, file, and malware events, allowing connection events to be associated with those events.
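As an added example (not Cisco's code) of using these fields on the collector side, the following Python joins file/malware syslog events (message IDs 430004 and 430005, from the file/malware syslog feature above) to their connection events by the four-field key, and reports malware events whose connection event never arrived. The syslog lines are constructed; their key spellings mirror this note's field list rather than the device's exact output, and message ID 430002 for the connection event is an assumption.

```python
"""Correlate FTD file/malware syslog events with their connection events.

Added example for this page, not Cisco code. The lines below are constructed:
the key names mirror the field list in the release note (sensor UUID, first
packet time, connection instance ID, connection counter), not the exact
spellings the device emits, and message ID 430002 for the connection event is
an assumption; the page itself lists only 430004 (file) and 430005 (malware).
"""
import re

CONNECTION_IDS = {"430002"}              # assumed connection-event message ID
FILE_MALWARE_IDS = {"430004", "430005"}  # file and malware events (from the page)

# The four fields that together identify one connection event.
KEY_FIELDS = ("SensorUUID", "FirstPacketTime", "InstanceID", "ConnectionCounter")

MSG_RE = re.compile(r"%FTD-\d-(?P<msgid>\d{6}):\s*(?P<body>.*)$")

UUID = "2f1a0c4e-0000-4000-8000-000000000001"   # constructed sensor UUID
SAMPLE_LINES = [
    # Constructed: one connection with a file event and a malware event on it.
    f"<165>Aug 05 2019 16:31:29 ftd1 %FTD-6-430002: SensorUUID: {UUID}, "
    "FirstPacketTime: 2019-08-05T16:31:29Z, InstanceID: 1, ConnectionCounter: 19, "
    "SrcIP: 10.1.1.5, DstIP: 203.0.113.8, DstPort: 443, Protocol: tcp, AccessControlRuleName: allow-web",
    f"<161>Aug 05 2019 16:31:30 ftd1 %FTD-1-430004: SensorUUID: {UUID}, "
    "FirstPacketTime: 2019-08-05T16:31:29Z, InstanceID: 1, ConnectionCounter: 19, "
    "FileName: invoice.pdf, FileType: PDF, FileAction: Malware Cloud Lookup",
    f"<161>Aug 05 2019 16:31:31 ftd1 %FTD-1-430005: SensorUUID: {UUID}, "
    "FirstPacketTime: 2019-08-05T16:31:29Z, InstanceID: 1, ConnectionCounter: 19, "
    "FileName: invoice.pdf, FileAction: Block, Disposition: Malware",
    # Constructed: same counter value on a different instance, so a different connection.
    f"<165>Aug 05 2019 16:31:29 ftd1 %FTD-6-430002: SensorUUID: {UUID}, "
    "FirstPacketTime: 2019-08-05T16:31:29Z, InstanceID: 2, ConnectionCounter: 19, "
    "SrcIP: 10.1.1.9, DstIP: 198.51.100.4, DstPort: 80, Protocol: tcp, AccessControlRuleName: allow-web",
    # Constructed: malware event whose connection event never reached this collector.
    f"<161>Aug 05 2019 16:40:02 ftd1 %FTD-1-430005: SensorUUID: {UUID}, "
    "FirstPacketTime: 2019-08-05T16:39:58Z, InstanceID: 1, ConnectionCounter: 27, "
    "FileName: setup.exe, FileAction: Block, Disposition: Malware",
]


def parse_ftd_syslog(line):
    """Return {"msgid": ..., "fields": {...}} for one line, or None if it is not an FTD message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {}
    for item in m.group("body").split(", "):   # assumes field values contain no ", "
        key, sep, value = item.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return {"msgid": m.group("msgid"), "fields": fields}


def connection_key(fields):
    """Composite key from the four identifying fields; None if any is missing."""
    if all(k in fields for k in KEY_FIELDS):
        return tuple(fields[k] for k in KEY_FIELDS)
    return None


def correlate(lines):
    """Group connection and file/malware events by composite connection key.

    Returns {key: {"connection": fields or None, "events": [(msgid, fields), ...]}}.
    """
    groups = {}
    for line in lines:
        msg = parse_ftd_syslog(line)
        if msg is None:
            continue
        key = connection_key(msg["fields"])
        if key is None:
            continue   # older message format without the identifying fields
        entry = groups.setdefault(key, {"connection": None, "events": []})
        if msg["msgid"] in CONNECTION_IDS:
            entry["connection"] = msg["fields"]
        elif msg["msgid"] in FILE_MALWARE_IDS:
            entry["events"].append((msg["msgid"], msg["fields"]))
    return groups


def malware_with_context(lines):
    """Attach connection context (source, destination, rule) to each malware event.

    Returns {"matched": [...], "orphans": [...]}; orphans are malware events for
    which no connection event with the same key was seen.
    """
    matched, orphans = [], []
    for key, entry in correlate(lines).items():
        for msgid, ev in entry["events"]:
            if msgid != "430005":
                continue
            record = {"InstanceID": key[2], "ConnectionCounter": key[3],
                      "FileName": ev.get("FileName"), "Disposition": ev.get("Disposition")}
            conn = entry["connection"]
            if conn is None:
                orphans.append(record)
            else:
                record.update({k: conn.get(k) for k in
                               ("SrcIP", "DstIP", "DstPort", "AccessControlRuleName")})
                matched.append(record)
    return {"matched": matched, "orphans": orphans}


if __name__ == "__main__":
    result = malware_with_context(SAMPLE_LINES)
    for r in result["matched"]:
        print("malware", r["FileName"], r["SrcIP"], "->", r["DstIP"], "rule", r["AccessControlRuleName"])
    for r in result["orphans"]:
        print("malware without connection context:", r["FileName"], "counter", r["ConnectionCounter"])
```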

Deprecated Features in FDM Version 6.4.0

Table 8.

Feature

Upgrade Impact

Description

Version 6.4.0.7

Egress optimization

Patching turns off egress optimization processing.

To mitigate CSCvq34340, patching Firepower Threat Defense to Version 6.4.0.7+ turns off egress optimization processing. This happens regardless of whether the egress optimization feature is enabled or disabled.

Note

We recommend you upgrade to Version 6.6.0+, where this issue is fixed. That will turn egress optimization back on, if you left the feature 'enabled.'

If you remain at Version 6.4.0–6.4.0.6, you should manually disable egress optimization from the FTD CLI: no asp inspect-dp egress-optimization.

For more information, see the software advisory: FTD traffic outage due to 9344 block size depletion caused by the egress optimization feature.

Deprecated Features in FDM Version 6.4.0 Patches

Table 9.

Feature

Upgrade Impact

Description

Version 6.4.0.7

Egress optimization

Patching turns off egress optimization processing.

To mitigate CSCvq34340, patching Firepower Threat Defense to Version 6.4.0.7+ turns off egress optimization processing. This happens regardless of whether the egress optimization feature is enabled or disabled.

Note

We recommend you upgrade to Version 6.6.0+, where this issue is fixed. That will turn egress optimization back on, if you left the feature 'enabled.'

If you remain at Version 6.4.0–6.4.0.6, you should manually disable egress optimization from the FTD CLI: no asp inspect-dp egress-optimization.

For more information, see the software advisory: FTD traffic outage due to 9344 block size depletion caused by the egress optimization feature.

Version 6.3.0

New Features in FDM Version 6.3.0

Feature

Description

High availability configuration.

You can configure two devices as an active/standby high availability pair. A high availability or failover setup joins two devices so that if the primary device fails, the secondary device can take over. This helps you keep your network operational in case of device failure. The devices must be of the same model, with the same number and type of interfaces, and they must run the same software version. You can configure high availability from the Device page.

Support for passive user identity acquisition.

You can configure identity policies to use passive authentication. Passive authentication gathers user identity without prompting the user for username and password. The system obtains the mappings from the identity sources you specify, which can be Cisco Identity Services Engine (ISE)/Cisco Identity Services Engine Passive Identity Connector (ISE PIC), or logins from remote access VPN users.

Changes include supporting passive authentication rules in Policies > Identity, and ISE configuration in Objects > Identity Sources.

Local user support for remote access VPN and user identity.

You can now create users directly through Firepower Device Manager. You can then use these local user accounts to authenticate connections to a remote access VPN. You can use the local user database as either the primary or fallback authentication source. In addition, you can configure passive authentication rules in the identity policy so that local usernames are reflected in the dashboards and so they are available for traffic matching in policies.

We added the Objects > Users page, and updated the remote access VPN wizard to include a fallback option.

Changed default behavior for VPN traffic handling in the access control policy (sysopt connection permit-vpn).

The default behavior for how VPN traffic is handled by the access control policy has changed. Starting in 6.3, the default is that all VPN traffic will be processed by the access control policy. This allows you to apply advanced inspections, including URL filtering, intrusion protection, and file policies, to VPN traffic. You must configure access control rules to allow VPN traffic. Alternatively, you can use FlexConfig to configure the sysopt connection permit-vpn command, which tells the system to bypass the access control policy (and any advanced inspections) for VPN-terminated traffic.

Support for FQDN-based network objects and data interface support for DNS lookup.

You can now create network objects (and groups) that specify a host by fully-qualified domain name (FQDN) rather than a static IP address. The system looks up the FQDN-to-IP address mapping periodically for any FQDN object that is used in an access control rule. You can use these objects in access control rules only.

We added the DNS Group object to the objects page, changed the System Settings > DNS Server page to allow group assignment to data interfaces, and the access control rule to allow for FQDN network object selection. In addition, the DNS configuration for the management interface now uses DNS groups instead of a set list of DNS server addresses.

Support for TCP syslog and the ability to send diagnostic syslog messages through the management interface.

In previous releases, diagnostic syslog messages (as opposed to connection and intrusion messages) always used a data interface. You can now configure syslog so that all messages use the management interface. The source IP address of those messages depends on whether you use the data interfaces as the gateway for the management interface; if you do, the source address is the one from the data interface. You can also configure syslog to use TCP instead of UDP as the protocol.

We made changes to the Add/Edit dialog box for syslog servers from Objects > Syslog Servers.

External Authentication and Authorization using RADIUS for Firepower Device Manager Users.

You can use an external RADIUS server to authenticate and authorize users logging into Firepower Device Manager. You can give external users administrative, read-write, or read-only access. Firepower Device Manager can support 5 simultaneous logins; the sixth session automatically logs off the oldest session. You can forcefully end a Firepower Device Manager user session if necessary.

We added RADIUS server and RADIUS server group objects to the Objects > Identity Sources page for configuring the objects. We added the AAA Configuration tab to Device > System Settings > Management Access, for enabling use of the server groups. In addition, the Monitoring > Sessions page lists the active users and lets an administrative user end a session.

Pending changes view and deployment improvements.

The deployment window has changed to provide a clearer view of the pending changes that will be deployed. In addition, you now have the option to discard changes, copy changes to the clipboard, and download changes in a YAML formatted file. You can also name deployment jobs so they are easier to find in the audit log.

Audit Log.

You can view an audit log that records events such as deployments, system tasks, configuration changes, and administrative user login and logout. We added the Device > Device Administration > Audit Log page.

Ability to export the configuration.

You can download a copy of the device configuration for record keeping purposes. However, you cannot import this configuration into a device. This feature is not a replacement for backup/restore. We added the Device > Device Administration > Download Configuration page.

Improvements to URL filtering for unknown URLs.

If you perform category-based URL filtering in access control rules, users might access URLs whose category and reputation are not defined in the URL database. Previously, you needed to manually enable the option to look up the category and reputation for these URLs from Cisco Collective Security Intelligence (CSI). Now, that option is enabled by default. In addition, you can now set the time-to-live (TTL) for the lookup results, so that the system can refresh the category/reputation for each unknown URL. We updated the Device > System Settings > URL Filtering Preferences page.

Security Intelligence logging is now enabled by default.

The Security Intelligence policy was introduced in 6.2.3, with logging disabled by default. Starting with 6.3.0, logging is enabled by default. If you upgrade from 6.2.3, your logging settings are preserved, either enabled or disabled. Enable logging if you want to see the results of policy enforcement.

Passive mode interfaces

You can configure an interface in passive mode. When acting passively, the interface simply monitors the traffic from the source ports in a monitoring session configured on the switch itself (for hardware devices) or on the promiscuous VLAN (for Firepower Threat Defense Virtual).

You can use passive mode to evaluate how the Firepower Threat Defense Virtual device would behave if you deployed it as an active firewall. You can also use passive interfaces in a production network if you need IDS (intrusion detection system) services, where you want to know about threats, but you do not want the device to actively prevent the threats. You can select passive mode when editing physical interfaces and when you create security zones.

Smart CLI enhancements for OSPF, and support for BGP.

The Smart CLI OSPF configuration has been enhanced, including new Smart CLI object types for standard and extended ACLs, route maps, AS Path objects, IPv4 and IPv6 prefix lists, policy lists, and standard and expanded community lists. In addition, you can now use Smart CLI to configure BGP routing. You can find these features on the Device > Advanced Configuration page.

Enhancements for ISA 3000 devices.

You can now configure the following features for the ISA 3000: alarms, hardware bypass, and backup and restore using the SD card. You use FlexConfig to configure the alarms and hardware bypass. For the SD card, we updated the backup/restore pages in Firepower Device Manager.

Support for ASA 5506-X, 5506W-X, 5506H-X, and 5512-X removed starting with FTD 6.3.

You cannot install Firepower Threat Defense 6.3 or subsequent releases on the ASA 5506-X, 5506W-X, 5506H-X, and 5512-X. The final supported FTD release for these platforms is 6.2.3.

FTD REST API version 2 (v2).

The FTD REST API for software version 6.3 has been incremented to version 2. You must replace v1 in the API URLs with v2. The v2 API includes many new resources that cover all features added in software version 6.3. Please re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, change the end of the Firepower Device Manager URL to /#/api-explorer after logging in.

Web analytics for providing product usage information to Cisco.

You can enable web analytics, which provides anonymous product usage information to Cisco based on page hits. This information can help Cisco determine feature usage patterns and help Cisco improve the product. All usage data is anonymous and no sensitive data is transmitted. Web analytics is enabled by default.

We added Web Analytics to the Device > System Settings > Cloud Services page.

Installing a Vulnerability Database (VDB) update no longer restarts Snort.

When you install a VDB update, the installation itself no longer restarts Snort. However, Snort continues to restart during the next configuration deployment.

Deploying an Intrusion Rules (SRU) database update no longer restarts Snort.

After you install an intrusion rules (SRU) update, you must deploy the configuration to activate the new rules. The deployment of the SRU update no longer causes a Snort restart.

New Features in FDM Version 6.3.0 Patches

Table 10.

Feature

Description

Version 6.3.0.1

EMS extension support

Upgrade impact.

Version 6.3.0.1 reintroduces EMS extension support, which was introduced in Version 6.2.3.8/6.2.3.9 but was not included in Version 6.3.0.

Both the Decrypt-Resign and Decrypt-Known Key SSL policy actions again support the EMS extension during ClientHello negotiation, enabling more secure communications. The EMS extension is defined by RFC 7627.

Deprecated Features in FDM Version 6.3.0

Table 11.

Feature

Upgrade Impact

Description

EMS extension support for decryption

EMS extension support discontinued until you patch or upgrade.

Version 6.3.0 discontinues EMS extension support, which was introduced in Version 6.2.3.8/6.2.3.9. This means that the Decrypt-Resign and Decrypt-Known Key SSL policy actions no longer support the EMS extension during ClientHello negotiation, which would enable more secure communications. The EMS extension is defined by RFC 7627.

Support is reintroduced in Version 6.3.0.1.

FlexConfig commands

You should redo your configurations after upgrade.

Version 6.3.0 deprecates the following FlexConfig commands for Firepower Threat Defense with FDM:

  • access-list : You can now create extended and standard access lists using the Smart CLI Extended Access List or Standard Access List objects. You can then use them on FlexConfig-supported commands that refer to the ACL by object name, such as match access-list with an extended ACL for service policy traffic classes.

  • as-path : You can now create Smart CLI AS Path objects and use them in a Smart CLI BGP object to configure an autonomous system path filter.

  • community-list : You can now create Smart CLI Expanded Community List or Standard Community List objects and use them in a Smart CLI BGP object to configure a community list filter.

  • dns-group : You can now configure DNS groups using Objects > DNS Groups, and assign the groups using Device > System Settings > DNS Server.

  • policy-list : You can now create Smart CLI Policy List objects and use them in a Smart CLI BGP object to configure a policy list.

  • prefix-list : You can now create Smart CLI IPv4 Prefix List objects and use them in a Smart CLI OSPF or BGP object to configure prefix list filtering for IPv4.

  • route-map : You can now create Smart CLI Route Map objects and use them in a Smart CLI OSPF or BGP object to configure route maps.

  • router bgp : You can now use the Smart CLI templates for BGP.
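Before upgrading, it is worth scanning every FlexConfig object for the commands listed above, because FlexConfig performs no validation and a deprecated command only surfaces as a failed deployment. The following is an added example, not a Cisco tool: a small lint that takes the CLI text of FlexConfig objects and reports top-level uses of the commands deprecated in 6.3.0 (with the replacement named in this table) and of pager, which 6.2.3 blocks. The sample objects are constructed for the example, and it assumes sub-mode commands are indented as the ASA CLI shows them.

```python
"""Pre-upgrade lint for FlexConfig objects (added example, not a Cisco tool).

Scans the CLI text of FlexConfig objects for the commands the 6.3.0 notes
deprecate (each now has a Smart CLI or FDM equivalent) and for pager, which
6.2.3 blocks. Only top-level (unindented) lines are checked, so a route-map
referenced inside router bgp sub-mode is not reported separately; FlexConfig
text is assumed to indent sub-mode commands as the ASA CLI shows them.
"""

DEPRECATED_IN_6_3_0 = {
    "access-list": "Smart CLI Extended or Standard Access List object",
    "as-path": "Smart CLI AS Path object, used from a Smart CLI BGP object",
    "community-list": "Smart CLI Expanded or Standard Community List object",
    "dns-group": "Objects > DNS Groups, assigned under Device > System Settings > DNS Server",
    "policy-list": "Smart CLI Policy List object",
    "prefix-list": "Smart CLI IPv4 Prefix List object",
    "route-map": "Smart CLI Route Map object",
    "router bgp": "Smart CLI BGP template",
}
BLOCKED_IN_6_2_3 = {"pager": "blocked since 6.2.3; delete the line"}

# Constructed sample FlexConfig objects (not taken from a real device).
SAMPLE_OBJECTS = {
    "bgp-peering": (
        "router bgp 65001\n"
        " neighbor 198.51.100.2 remote-as 65002\n"
        " address-family ipv4 unicast\n"
        "  neighbor 198.51.100.2 route-map RM-OUT out\n"
    ),
    "legacy-acl": (
        "access-list SERVICE_CLASS extended permit tcp any any eq 8443\n"
        "!\n"
        "no pager\n"
    ),
    "still-fine": "sysopt connection tcpmss 1380\n",
}


def version_tuple(version):
    """'6.2.3.9' -> (6, 2, 3, 9) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def leading_command(line, commands):
    """Return the command a top-level line starts with, or None.
    'no <cmd>' still counts as <cmd>; blank lines and comments are ignored."""
    text = line.strip()
    if not text or text.startswith("!"):
        return None
    if text.startswith("no "):
        text = text[3:].lstrip()
    # longest match first so 'router bgp' is tested before shorter names
    for cmd in sorted(commands, key=len, reverse=True):
        if text == cmd or text.startswith(cmd + " "):
            return cmd
    return None


def lint_flexconfig(name, text, target_version):
    """Return (object name, line number, command, replacement) per hit."""
    checks = dict(BLOCKED_IN_6_2_3)
    if version_tuple(target_version) >= (6, 3, 0):
        checks.update(DEPRECATED_IN_6_3_0)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line[:1].isspace():
            continue  # sub-mode command; its parent line was already checked
        cmd = leading_command(line, checks)
        if cmd is not None:
            findings.append((name, lineno, cmd, checks[cmd]))
    return findings


def lint_all(objects, target_version):
    """Lint every FlexConfig object in a {name: cli_text} mapping."""
    findings = []
    for name, text in objects.items():
        findings.extend(lint_flexconfig(name, text, target_version))
    return findings


if __name__ == "__main__":
    for obj, lineno, cmd, fix in lint_all(SAMPLE_OBJECTS, "6.3.0"):
        print(f"{obj}:{lineno}: '{cmd}' -> {fix}")
```

Run it against the FlexConfig text exported from the device with the version you are upgrading to; an empty result does not prove the configuration is valid (FlexConfig still does no validation), it only shows that none of the commands deprecated or blocked in this table are present.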

VMware 5.5 hosting

Upgrade the hosting environment before you upgrade the Firepower software.

Version 6.3.0+ FTDv deployments have not been tested on VMware vSphere/VMware ESXi 5.5.

ASA 5506-X series and ASA 5512-X devices with Firepower Threat Defense

Upgrade prohibited.

You cannot upgrade to or freshly install Firepower Threat Defense Version 6.3.0+ on ASA 5506-X, 5506H-X, 5506W-X, and 5512-X devices.

Version 6.2.3

New Features in FDM Version 6.2.3

Feature

Description

SSL/TLS Decryption

You can decrypt SSL/TLS connections so that you can inspect the contents of the connection. Without decryption, encrypted connections cannot be effectively inspected to identify intrusion and malware threats, or to enforce compliance with your URL and application usage policies. We added the Policies > SSL Decryption page and Monitoring > SSL Decryption dashboard.

Attention 

Identity policies that implement active authentication automatically generate SSL decryption rules. If you upgrade from a release that does not support SSL decryption, the SSL decryption policy is automatically enabled if you have this type of rule. However, you must specify the certificate to use for Decrypt-Resign rules after completing the upgrade. Please edit the SSL decryption settings immediately after upgrade.

Security Intelligence Blacklisting

From the new Policies > Security Intelligence page you can configure a Security Intelligence policy, which you can use to drop unwanted traffic based on source/destination IP address or destination URL. Any allowed connections will still be evaluated by access control policies and might eventually be dropped. You must enable the Threat license to use Security Intelligence.

We also renamed the Policies dashboard to Access And SI Rules, and the dashboard now includes Security Intelligence rule-equivalents as well as access rules.

Intrusion Rule Tuning

You can change the action for intrusion rules within the pre-defined intrusion policies you apply with your access control rules. You can configure each rule to drop or generate events (alert) matching traffic, or disable the rule. You can change the action for enabled rules only (those set to drop or alert); you cannot enable a rule that is disabled by default. To tune intrusion rules, choose Policies > Intrusion.

Automatic Network Analysis Policy (NAP) Assignment based on Intrusion Policy

In previous releases, the Balanced Security and Connectivity network analysis policy was always used for preprocessor settings, regardless of the intrusion policy assigned to a specific source/destination security zone and network object combination. Now, the system automatically generates NAP rules to assign the same-named NAP and intrusion policies to traffic based on those criteria. Note that if you use Layer 4 or 7 criteria to assign different intrusion policies to traffic that otherwise matches the same source/destination security zone and network object, you will not get perfectly matching NAP and intrusion policies. You cannot create custom network analysis policies.

Drill-down reports for the Threats, Attackers, and Targets dashboards

You can now click into the Threats, Attackers, and Targets dashboards to view more detail about the reported items. These dashboards are available on the Monitoring page.

Because of these new reports, you will lose reporting data for these dashboards when upgrading from a pre-6.2.3 release.

Web Applications Dashboard

The new Web Applications dashboard shows the top web applications, such as Google, that are being used in the network. This dashboard augments the Applications dashboard, which provides protocol-oriented information, such as HTTP usage.

New Zones dashboard replaces the Ingress Zone and Egress Zone dashboards.

The new Zones dashboard shows the top security zone pairs for traffic entering and then exiting the device. This dashboard replaces the separate dashboards for Ingress and Egress zones.

New Malware Dashboard

The new Malware dashboard shows the top Malware action and disposition combinations. You can drill down to see information on the associated file types. You must configure file policies on access rules to see this information.

Self-signed internal certificates, and Internal CA certificates

You can now generate self-signed internal identity certificates. You can also upload or generate self-signed internal CA certificates for use with SSL decryption policies. Configure these features on the Objects > Certificates page.

Ability to edit DHCP server settings when editing interface properties

You can now edit settings for a DHCP server configured on an interface at the same time you edit the interface properties. This makes it easy to redefine the DHCP address pool if you need to change the interface IP address to a different subnet.

The Cisco Success Network sends usage and statistics data to Cisco to improve the product and provide effective technical support

You can connect to the Cisco Success Network to send data to Cisco. By enabling Cisco Success Network, you are providing usage information and statistics to Cisco which are essential for Cisco to provide you with technical support. This information also allows Cisco to improve the product and to make you aware of unused available features so that you can maximize the value of the product in your network. You can enable the connection when you register the device with the Cisco Smart Software Manager, or later at your choice. You can disable the connection at any time.

Cisco Success Network is a cloud service. The Device > System Settings > Cloud Management page is renamed Cloud Services. You can configure Cisco Defense Orchestrator from the same page.

Firepower Threat Defense Virtual for Kernel-based Virtual Machine (KVM) hypervisor device configuration

You can configure FTD on Firepower Threat Defense Virtual for KVM devices using Firepower Device Manager. Previously, only VMware was supported.

Note 

You must install a new 6.2.3 image to get Firepower Device Manager support. You cannot upgrade an existing virtual machine from an older version and then switch to Firepower Device Manager.

ISA 3000 (Cisco 3000 Series Industrial Security Appliances) device configuration

You can configure FTD on ISA 3000 devices using Firepower Device Manager. Note that the ISA 3000 supports the Threat license only. It does not support the URL Filtering or Malware licenses. Thus, you cannot configure features that require the URL Filtering or Malware licenses on an ISA 3000.

Optional deployment on update of the rules database or VDB

When you update the intrusion rules database or VDB, or configure an update schedule, you can prevent the immediate deployment of the update. Because the update restarts the inspection engines, there is a momentary traffic drop during the deployment. By not deploying automatically, you can choose to initiate the deployment at a time when traffic drops will be least disruptive.

Note 

A VDB download can also restart Snort all by itself, and then again cause a restart on deployment. You cannot stop the restart on download.

Improved messages that indicate whether a deployment restarts Snort. Also, a reduced need to restart Snort on deployment

Before you start a deployment, Firepower Device Manager indicates whether the configuration updates require a Snort restart. Snort restarts result in the momentary dropping of traffic. Thus, you now know whether a deployment will not impact traffic and can be done immediately, or will impact traffic, so that you can deploy at a less disruptive time.

In addition, in prior releases, Snort restarted on every deployment. Now, Snort restarts for the following reasons only:

  • you enable or disable SSL decryption policies

  • an updated rules database or VDB was downloaded

  • you changed the MTU on one or more physical interfaces (but not subinterfaces)

CLI console in Firepower Device Manager

You can now open a CLI Console from Firepower Device Manager. The CLI Console mimics an SSH or console session, but allows a subset of commands only: show, ping, traceroute, and packet-tracer. Use the CLI Console for troubleshooting and device monitoring.

Support for blocking access to the management address

You can now remove all management access list entries for a protocol to prevent access to the management IP address. Previously, if you removed all entries, the system defaulted to allowing access from all client IP addresses. On upgrade to 6.2.3, if you previously had an empty management access list for a protocol (HTTPS or SSH), the system creates the default allow rule for all IP addresses. You can then delete these rules as needed.

In addition, Firepower Device Manager will recognize changes you make to the management access list from the CLI, including if you disable SSH or HTTPS access.

Ensure that you enable HTTPS access for at least one interface, or you will not be able to configure and manage the device.
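The change described above is a move from a fail-open default (an empty list meant "allow every client") to a fail-closed one (an empty list means "no access"), with an explicit allow-all rule inserted on upgrade so that reachability does not change silently. The following added example, not Cisco code, models those semantics and the lock-out guard the last paragraph warns about: deleting the final HTTPS entry under fail-closed rules is refused. The (interface, network) shape of an entry, the interface name "any" for the upgrade-generated rules, and the sample addresses are assumptions of this model.

```python
"""Model of the management access list semantics described above.

Added example, not Cisco code. It reproduces the pre-6.2.3 fail-open default
(no entries for a protocol meant every client could connect), the 6.2.3
fail-closed default (no entries means no access), the allow-all rule the
upgrade inserts so reachability is preserved, and the lock-out guard (keep at
least one HTTPS entry or FDM becomes unreachable). The (interface, network)
entry shape and the interface name "any" are assumptions of this model.
"""
from ipaddress import ip_address, ip_network


class MgmtAccessList:
    PROTOCOLS = ("HTTPS", "SSH")

    def __init__(self, fail_closed=True):
        # fail_closed=True models 6.2.3+, False models the earlier behaviour
        self.fail_closed = fail_closed
        # protocol -> list of (interface, client network) entries
        self.entries = {proto: [] for proto in self.PROTOCOLS}

    def add(self, protocol, interface, network):
        ip_network(network, strict=False)  # reject malformed networks early
        self.entries[protocol].append((interface, network))

    def allows(self, protocol, interface, client_ip):
        """Would a client at client_ip reach this protocol on this interface?"""
        rules = self.entries[protocol]
        if not rules:
            # Pre-6.2.3: empty list == allow everyone. 6.2.3+: empty == deny.
            return not self.fail_closed
        ip = ip_address(client_ip)
        # 'ip in network' is False when address and network families differ
        return any(
            iface in (interface, "any") and ip in ip_network(net, strict=False)
            for iface, net in rules
        )

    def upgraded_to_6_2_3(self):
        """Upgrade behaviour: a protocol with no entries gets explicit
        allow-all rules so behaviour is preserved; the admin may delete them.
        Attaching them to interface 'any' is an assumption of this model."""
        new = MgmtAccessList(fail_closed=True)
        for proto, rules in self.entries.items():
            if rules:
                new.entries[proto] = list(rules)
            else:
                new.entries[proto] = [("any", "0.0.0.0/0"), ("any", "::/0")]
        return new

    def remove(self, protocol, interface, network):
        """Delete an entry, refusing to drop the last HTTPS entry when an
        empty list means deny: that would lock the administrator out of FDM."""
        entry = (interface, network)
        remaining = [e for e in self.entries[protocol] if e != entry]
        if protocol == "HTTPS" and self.fail_closed and not remaining:
            raise ValueError("refusing to remove the last HTTPS entry; FDM would be unreachable")
        self.entries[protocol] = remaining


if __name__ == "__main__":
    legacy = MgmtAccessList(fail_closed=False)
    print("pre-6.2.3, empty SSH list, client 203.0.113.7:", legacy.allows("SSH", "outside", "203.0.113.7"))
    current = MgmtAccessList()
    print("6.2.3, empty SSH list, same client:", current.allows("SSH", "outside", "203.0.113.7"))
    upgraded = legacy.upgraded_to_6_2_3()
    print("after upgrade, same client:", upgraded.allows("SSH", "outside", "203.0.113.7"))
```

The practical reading: after upgrading, review the allow-all entries the system created and replace them with the management networks you actually use, protocol by protocol, leaving HTTPS reachable from at least one interface while you do so.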

Smart CLI and FlexConfig for configuring features using the device CLI

Smart CLI and FlexConfig allow you to configure features that are not yet directly supported through Firepower Device Manager policies and settings. Firepower Threat Defense uses ASA configuration commands to implement some features. If you are a knowledgeable and expert user of ASA configuration commands, you can configure these features on the device using the following methods:

  • Smart CLI—(Preferred method.) A Smart CLI template is a pre-defined template for a particular feature. All of the commands needed for the feature are provided, and you simply need to select values for variables. The system validates your selection, so that you are more likely to configure a feature correctly. If a Smart CLI template exists for the feature you want, you must use this method. In this release, you can configure OSPFv2 using the Smart CLI.

  • FlexConfig—The FlexConfig policy is a collection of FlexConfig objects. The FlexConfig objects are more free-form than Smart CLI templates, and the system does no CLI, variable, or data validation. You must know ASA configuration commands and follow the ASA configuration guides to create a valid sequence of commands.

Caution 

Cisco strongly recommends using Smart CLI and FlexConfig only if you are an advanced user with a strong ASA background and at your own risk. You may configure any commands that are not blacklisted. Enabling features through Smart CLI or FlexConfig may cause unintended results with other configured features.

Firepower Threat Defense REST API, and an API Explorer

You can use a REST API to programmatically interact with a Firepower Threat Defense device that you are managing locally through Firepower Device Manager. There is an API Explorer that you can use to view object models and test the various calls you can make from a client program. To open the API Explorer, log into Firepower Device Manager, and then change the path on the URL to /#/api-explorer, for example, https://ftd.example.com/#/api-explorer.

New Features in FDM Version 6.2.3 Patches

Table 12.

Feature

Description

Version 6.2.3.8

EMS extension support

Both the Decrypt-Resign and Decrypt-Known Key SSL policy actions now support the EMS extension during ClientHello negotiation, enabling more secure communications. The EMS extension is defined by RFC 7627.

Note 

Version 6.2.3.8 was removed from the Cisco Support & Download site on 2019-01-07. Upgrading to Version 6.2.3.9 also enables EMS extension support. Version 6.3.0 discontinues EMS extension support. Support is reintroduced in Version 6.3.0.1.

Version 6.2.3.7

TLS v1.3 downgrade CLI command for FTD

A new CLI command allows you to specify when to downgrade TLS v1.3 connections to TLS v1.2.

Many browsers use TLS v1.3 by default. If you are using an SSL policy to handle encrypted traffic, and people in your monitored network use browsers with TLS v1.3 enabled, websites that support TLS v1.3 fail to load.

For more information, see the system support commands in the Cisco Firepower Threat Defense Command Reference. We recommend you use these commands only after consulting with Cisco TAC.
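Both the EMS support described for 6.2.3.8 and the TLS 1.3 downgrade command described for 6.2.3.7 turn on what a client offers in its ClientHello: the extended_master_secret extension (type 0x0017, RFC 7627) in the first case, and a supported_versions extension (type 0x002b, RFC 8446) carrying 0x0304 in the second. When a decrypted site fails to load, confirming what the browser actually sent is the first step. The following added example, not Cisco code, is a minimal ClientHello parser that reports both; the record it parses is constructed by the included builder, not a capture, and the parser covers only the fields needed here.

```python
"""Inspect a TLS ClientHello for the extended_master_secret and
supported_versions extensions (added example, not Cisco code).

EMS (type 0x0017, RFC 7627) is what the 6.2.3.8+/6.3.0.1 decryption actions
honour during ClientHello negotiation; supported_versions (type 0x002b) listing
0x0304 is how a browser offers TLS 1.3, the case the 6.2.3.7 downgrade command
addresses. The sample records below are constructed, not captured.
"""
import struct

EXTENDED_MASTER_SECRET = 0x0017
SUPPORTED_VERSIONS = 0x002B
TLS13 = 0x0304


def build_client_hello(extensions):
    """Wrap a minimal ClientHello carrying [(ext_type, ext_data), ...] in a
    TLS handshake record. Constructed test input; random is zeroed."""
    body = b"\x03\x03"                          # legacy_version = TLS 1.2
    body += bytes(32)                           # random (constructed zeros)
    body += b"\x00"                             # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"  # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                         # compression_methods: null only
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'ems': bool, 'offers_tls13': bool, 'extension_types': [...]}.
    Every length field is bounds-checked so a truncated or malformed record
    raises ValueError instead of reading past the buffer."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4:
        raise ValueError("truncated record")
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 2 + 32 + 1 + 2 + 1:
        raise ValueError("truncated handshake body")
    pos = 2 + 32                                # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    exts = {}
    if pos < len(body):                         # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("extensions block overruns body")
        while pos < end:
            if end - pos < 4:
                raise ValueError("truncated extension header")
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + ext_len > end:
                raise ValueError("extension overruns block")
            exts[ext_type] = body[pos:pos + ext_len]
            pos += ext_len
    offered = []
    sv = exts.get(SUPPORTED_VERSIONS)
    if sv:                                      # 1-byte list length, then 2-byte versions
        count = sv[0]
        offered = [struct.unpack("!H", sv[i:i + 2])[0] for i in range(1, 1 + count, 2)]
    return {
        "ems": EXTENDED_MASTER_SECRET in exts,
        "offers_tls13": TLS13 in offered,
        "extension_types": sorted(exts),
    }


# Constructed samples: a modern browser-style hello and a legacy one.
MODERN_HELLO = build_client_hello([
    (EXTENDED_MASTER_SECRET, b""),
    (SUPPORTED_VERSIONS, b"\x04\x03\x04\x03\x03"),   # offers TLS 1.3 and 1.2
])
LEGACY_HELLO = build_client_hello([
    (0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),    # server_name only
])

if __name__ == "__main__":
    for label, rec in (("modern", MODERN_HELLO), ("legacy", LEGACY_HELLO)):
        print(label, parse_client_hello(rec))
```

Point the parser at the first record of a client-side capture: a hello that offers TLS 1.3 and sits behind a Decrypt-Resign rule is the situation the downgrade command exists for, and a hello without EMS is one the 6.3.0 release will negotiate without that protection.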

Deprecated Features in FDM Version 6.2.3

Table 13.

Feature

Upgrade Impact

Description

pager FlexConfig commands

You should redo your configurations after upgrade.

Version 6.2.3 blocks pager FlexConfig CLI commands for Firepower Threat Defense with FDM.

Version 6.2.2

New Features in FDM Version 6.2.2

Feature

Description

Remote access VPN configuration for ASA 5500-X series devices.

You can configure remote access SSL VPN for the AnyConnect client on ASA 5500-X series devices. Configure RA VPN from the Device > Remote Access VPN group. Configure RA VPN licenses from the Device > Smart License group.

Firepower Threat Defense Virtual for VMware device configuration.

You can configure FTD on Firepower Threat Defense Virtual for VMware devices using Firepower Device Manager. Other virtual platforms are not supported by Firepower Device Manager.

Note 

You must install a new 6.2.2 image to get Firepower Device Manager support. You cannot upgrade an existing virtual machine from an older version and then switch to Firepower Device Manager.

Version 6.2.1

New Features in FDM Version 6.2.1

This release applies to the Firepower 2100 series only.

Feature

Description

Remote access VPN configuration.

You can configure remote access SSL VPN for the AnyConnect client. Configure RA VPN from the Device > Remote Access VPN group. Configure RA VPN licenses from the Device > Smart License group.

Firepower 2100 series device configuration.

You can configure FTD on Firepower 2100 series devices using Firepower Device Manager.

Version 6.2.0

New Features in FDM Version 6.2.0

Feature

Description

Cisco Defense Orchestrator Cloud Management

You can manage the device using the Cisco Defense Orchestrator cloud-based portal. Select Device > System Settings > Cloud Management. For more information on Cisco Defense Orchestrator, see http://www.cisco.com/go/cdo.

Drag and drop for access rules

You can drag and drop access rules to move them in the rules table.

FTD software upgrade

You can install software upgrades through Firepower Device Manager. Select Device > Updates.

FTD default configuration changes

For new or reimaged devices, the default configuration includes significant changes, including:

  • (ASA 5506-X, 5506W-X, 5506H-X.) Except for the first data interface, and the Wi-Fi interface on an ASA 5506W-X, all other data interfaces on these device models are structured into the “inside” bridge group and enabled. There is a DHCP server on the inside bridge group. You can plug endpoints or switches into any bridged interface and endpoints get addresses on the 192.168.1.0/24 network.

  • The inside interface IP address is now 192.168.1.1, and a DHCP server is defined on the interface with the address pool 192.168.1.5-192.168.1.254.

  • HTTPS access is enabled on the inside interface, so you can open Firepower Device Manager through the inside interface at the default address, 192.168.1.1. For the ASA 5506-X models, you can do this through any inside bridge group member interface.

  • The management port hosts a DHCP server for the 192.168.45.0/24 network. You can plug a workstation directly into the management port, get an IP address, and open Firepower Device Manager to configure the device.

  • The OpenDNS public DNS servers are now the default DNS servers for the management interface. Previously, there were no default DNS servers. You can configure different DNS servers during device setup.

  • The default gateway for the management IP address is to use the data interfaces to route to the Internet. Thus, you do not need to wire the Management physical interface to a network.

Management interface and access changes

Several changes to how the management address, and access to Firepower Device Manager, works:

  • You can now open data interfaces to HTTPS (for Firepower Device Manager) and SSH (for CLI) connections. You do not need a separate management network, or to connect the Management/Diagnostic physical port to the inside network, to manage the device. Select Device > System Settings > Management Access List.

  • The system can obtain system database updates through the gateway for the outside interface. You do not need to have an explicit route from the management interface or network to the Internet. The default is to use internal routes through the data interfaces. However, you can set a specific gateway if you prefer to use a separate management network. Select Device > System Settings > Management Interface.

  • You can use Firepower Device Manager to configure the management interface to obtain its IP address through DHCP. Select Device > System Settings > Management Interface.

  • You can configure a DHCP server on the management address if you configure a static address. Select Device > System Settings > Management Interface.

Miscellaneous user interface changes

The following are notable changes to the Firepower Device Manager user interface.

  • Device main menu item. In previous releases, this menu item was the host name of your device. Also, the page opened is called Device Summary instead of Device Dashboard.

  • You cannot select an alternative outside interface during initial device setup. The first data interface is the default outside interface.

  • Device > System Settings > Cloud Preferences is now called Device > System Settings > URL Filtering Preferences.

  • The System Settings > DHCP Server page is now organized on two tabs, with the table of DHCP servers separated from the global parameters.

Site-to-site VPN connections

You can configure site-to-site virtual private network (VPN) connections using preshared keys. You can configure IKEv1 and IKEv2 connections.

Integrated Routing and Bridging support.

Integrated Routing and Bridging provides the ability to route between a bridge group and a routed interface. A bridge group is a group of interfaces that the FTD device bridges instead of routes. The FTD device is not a true bridge in that the FTD device continues to act as a firewall: access control between interfaces is controlled, and all of the usual firewall checks are in place.

This feature lets you configure bridge groups and route between bridge groups, and between a bridge group and a routed interface. The bridge group participates in routing through a Bridge Virtual Interface (BVI), which acts as the gateway for the bridge group. Integrated Routing and Bridging provides an alternative to an external Layer 2 switch if you have spare interfaces on the FTD device to assign to the bridge group. The BVI can be a named interface and participates separately from the member interfaces in some features, such as DHCP server; other features, such as NAT and access control rules, are configured on the bridge group member interfaces.

Select Device > Interfaces to configure a bridge group.

Version 6.1.0

New Features in FDM Version 6.1.0

Feature

Description

Supported devices.

You can manage the following device types using Firepower Device Manager:

  • ASA 5506-X, 5506H-X, 5506W-X, 5508-X, 5516-X

  • ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X

Supported firewall mode.

You can configure devices running in routed mode only. Transparent mode is not supported.

Supported interface types and modes.

You can configure routed interfaces only; you cannot configure inline, inline tap, or passive interfaces.

In addition, you can configure physical and sub-interfaces only. You cannot configure Etherchannel or redundant interfaces. You also cannot configure PPPoE.

Security Policies.

You can configure the following types of security policy:

  • Access control—Determine which connections are allowed to pass through the device. You can perform the following types of access control:

    • Filtering on security zone, IP address, geolocation, protocol and port.

    • Filtering on user name and user group.

    • Application filtering.

    • URL category, reputation, and individual URL filtering.

    • Intrusion policies, preventing threats.

    • File policies, preventing malware.

  • Identity policies—Determine which user is associated with an IP address. The system supports active authentication only, not passive authentication.

  • Network address translation—Convert between internal and external addresses. Most NAT features are supported, except for PAT pools.

Routing.

You can configure static routes. Dynamic routing protocols are not supported.

System monitoring and syslog.

Firepower Device Manager includes an event viewer so that you can view recent connection events. You can also configure an external syslog server to collect events for longer term analysis.

There are also many dashboards that provide statistical information about the system and the traffic that is passing through the system.

Management interface configuration.

You can configure the management address and interface from Firepower Device Manager; you do not need to use the CLI. You can configure the system hostname, management IP address and gateway, DNS servers, NTP servers, and access rules to limit the IP addresses that can access the CLI or Firepower Device Manager.

Scheduling updates.

You can control how often system databases are updated.

Backup and restore.

You can back up the system and restore it from Firepower Device Manager.

Troubleshooting file.

You can generate a troubleshooting file from Firepower Device Manager when working with Cisco Technical Support.

Release Dates

Table 14. Version 7.1.0 Dates

Version  Build  Date        Platforms
7.1.0    90     2021-12-01  All

Table 15. Version 7.0.0/7.0.x Dates

Version  Build  Date        Platforms
7.0.1    84     2021-10-07  All
7.0.0    94     2021-05-26  All

Table 16. Version 7.0.0/7.0.x Patch Dates

Version  Build  Date        Platforms
7.0.0.1  15     2021-07-15  All

Table 17. Version 6.7.0 Dates

Version  Build  Date        Platforms
6.7.0    65     2020-11-02  All

Table 18. Version 6.7.0 Patch Dates

Version  Build  Date        Platforms
6.7.0.2  24     2021-05-11  All
6.7.0.1  13     2021-03-24  All

Table 19. Version 6.6.0/6.6.x Dates

Version

Build

Date

Platforms

6.6.5

81

2021-08-03

All

6.6.4

64

2021-04-29

Firepower 1000 series

59

2021-04-26

FMC/FMCv

All devices except Firepower 1000 series

6.6.3

80

2020-03-11

All

6.6.1

91

2020-09-20

All

90

2020-09-08

6.6.0

90

2020-05-08

Firepower 4112

2020-04-06

FMC/FMCv

All devices except Firepower 4112

Table 20. Version 6.6.0/6.6.x Patch Dates

Version  Build  Date        Platforms
6.6.5.1  15     2021-12-06  All
6.6.0.1  7      2020-07-22  All

Table 21. Version 6.5.0 Dates

Version

Build

Date

Platforms: Upgrade

Platforms: Reimage

6.5.0

123

2020-02-03

FMC/FMCv

FMC/FMCv

6.5.0

120

2019-10-08

6.5.0

115

2019-09-26

All devices

All devices

Table 22. Version 6.5.0 Patch Dates

Version  Build  Date        Platforms
6.5.0.5  95     2021-02-09  All
6.5.0.4  57     2020-03-02  All
6.5.0.3  30     2020-02-03  No longer available.
6.5.0.2  57     2019-12-19  All
6.5.0.1  35     2019-11-20  No longer available.

Table 23. Version 6.4.0 Dates

Version

Build

Date

Platforms

6.4.0

113

2020-03-03

FMC/FMCv

6.4.0

102

2019-06-20

Firepower 4115, 4125, 4145

Firepower 9300 with SM-40, SM-48, and SM-56 modules

2019-06-13

Firepower 1010, 1120, 1140

2019-04-24

Firepower 2110, 2120, 2130, 2140

Firepower 4110, 4120, 4140, 4150

Firepower 9300 with SM-24, SM-36, and SM-44 modules

ASA 5508-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X

ASA 5585-X-SSP-10, -20, -40, -60

ISA 3000

FTDv

Firepower 7000/8000 series

NGIPSv

Table 24. Version 6.4.0 Patch Dates

Version

Build

Date

Platforms

6.4.0.13

57

2021-12-02

All

6.4.0.12

112

2021-05-12

All

6.4.0.11

11

2021-01-11

All

6.4.0.10

95

2020-10-21

All

6.4.0.9

62

2020-05-26

All

6.4.0.8

28

2020-01-29

All

6.4.0.7

53

2019-12-19

All

6.4.0.6

28

2019-10-16

No longer available.

6.4.0.5

23

2019-09-18

All

6.4.0.4

34

2019-08-21

All

6.4.0.3

29

2019-07-17

All

6.4.0.2

35

2019-07-03

FMC/FMCv

FTD/FTDv, except Firepower 1000 series

34

2019-06-27

2019-06-26

Firepower 7000/8000 series

ASA FirePOWER

NGIPSv

6.4.0.1

17

2019-06-27

FMC 1600, 2600, 4600

2019-06-20

Firepower 4115, 4125, 4145

Firepower 9300 with SM-40, SM-48, and SM-56 modules

2019-05-15

FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500

FMCv

Firepower 2110, 2120, 2130, 2140

Firepower 4110, 4120, 4140, 4150

Firepower 9300 with SM-24, SM-36, and SM-44 modules

ASA 5508-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X

ASA 5585-X-SSP-10, -20, -40, -60

ISA 3000

FTDv

Firepower 7000/8000 series

NGIPSv

Table 25. Version 6.3.0 Dates

Version

Build

Date

Platforms: Upgrade

Platforms: Reimage

6.3.0

85

2019-01-22

Firepower 4100/9300

Firepower 4100/9300

6.3.0

84

2018-12-18

FMC/FMCv

ASA FirePOWER

6.3.0

83

2019-06-27

FMC 1600, 2600, 4600

2018-12-03

All FTD devices except Firepower 4100/9300

Firepower 7000/8000

NGIPSv

FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500

FMCv

All devices except Firepower 4100/9300

Table 26. Version 6.3.0 Patch Dates

Version

Build

Date

Platforms

6.3.0.5

35

2019-11-18

Firepower 7000/8000 series

NGIPSv

34

2019-11-18

FMC/FMCv

All FTD devices

ASA FirePOWER

6.3.0.4

44

2019-08-14

All

6.3.0.3

77

2019-06-27

FMC 1600, 2600, 4600

2019-05-01

FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500

FMCv

All devices

6.3.0.2

67

2019-06-27

FMC 1600, 2600, 4600

2019-03-20

FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500

FMCv

All devices

6.3.0.1

85

2019-06-27

FMC 1600, 2600, 4600

2019-02-18

FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500

FMCv

All devices

Table 27. Version 6.2.3 Dates

Version

Build

Date

Platforms: Upgrade

Platforms: Reimage

6.2.3

113

2020-06-01

FMC/FMCv

FMC/FMCv

6.2.3

111

2019-11-25

FTDv: AWS, Azure

6.2.3

110

2019-06-14

6.2.3

99

2018-09-07

6.2.3

96

2018-07-26

6.2.3

92

2018-07-05

6.2.3

88

2018-06-11

6.2.3

85

2018-04-09

6.2.3

84

2018-04-09

Firepower 7000/8000 series

NGIPSv

6.2.3

83

2018-04-02

FTD/FTDv

ASA FirePOWER

FTD: Physical platforms

FTDv: VMware, KVM

Firepower 7000/8000

ASA FirePOWER

NGIPSv

6.2.3

79

2018-03-29

Table 28. Version 6.2.3 Patch Dates

Version   Build  Date        Platforms
6.2.3.17  30     2021-06-21  All
6.2.3.16  59     2020-07-13  All
6.2.3.15  39     2020-02-05  FTD/FTDv
6.2.3.15  38     2019-09-18  FMC/FMCv; Firepower 7000/8000; ASA FirePOWER; NGIPSv
6.2.3.14  41     2019-07-03  All
6.2.3.14  36     2019-06-12  All
6.2.3.13  53     2019-05-16  All
6.2.3.12  80     2019-04-17  All
6.2.3.11  55     2019-03-17  All
6.2.3.11  53     2019-03-13  All
6.2.3.10  59     2019-02-07  All
6.2.3.9   54     2019-01-10  All
6.2.3.8   51     2019-01-02  No longer available.
6.2.3.7   51     2018-11-15  All
6.2.3.6   37     2018-10-10  All
6.2.3.5   53     2018-11-06  FTD/FTDv
6.2.3.5   52     2018-12-09  FMC/FMCv; Firepower 7000/8000; ASA FirePOWER; NGIPSv
6.2.3.4   42     2018-08-13  All
6.2.3.3   76     2018-07-11  All
6.2.3.2   46     2018-06-27  All
6.2.3.2   42     2018-06-06  All
6.2.3.1   47     2018-06-28  All
6.2.3.1   45     2018-06-21  All
6.2.3.1   43     2018-05-02  All

Table 29. Version 6.2.2 Dates

Version  Build  Date        Platforms
6.2.2    81     2017-09-05  All

Table 30. Version 6.2.2 Patch Dates

Version

Build

Date

Platforms

6.2.2.5

57

2018-11-27

All

6.2.2.4

43

2018-09-21

FTD/FTDv

34

2018-07-09

FMC/FMCv

Firepower 7000/8000

ASA FirePOWER

NGIPSv

32

2018-06-15

6.2.2.3

69

2018-06-19

All

66

2018-04-24

6.2.2.2

109

2018-02-28

All

6.2.2.1

80

2017-12-05

Firepower 2100 series

78

2017-11-20

73

2017-11-06

FMC/FMCv

All devices except Firepower 2100 series