New Features by Release
This document describes new and deprecated features for each release, including upgrade impact.
A feature has upgrade impact if upgrading and deploying will cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. Or, sometimes the upgrade process has a special requirement; for example, in some cases you must perform a non-standard task before or after upgrade (edit or delete a specific configuration, apply health policies, redo FlexConfig commands in the web interface, and so on).
Although you can manage older devices with a newer management center, we recommend you always update your entire deployment. New traffic-handling features usually require the latest release on both the management center and device. Features where devices are not obviously involved (cosmetic changes to the web interface, cloud integrations) may only require the latest version on the management center, but that is not guaranteed.
Note that if you are using the web interface in a language other than English, features introduced in maintenance releases and patches may not be translated until the next major release.
Suggested Release: Version 7.2.5.x
To take advantage of new features and resolved issues, we recommend you upgrade all eligible appliances to at least the suggested release, including the latest patch. On the Cisco Support & Download site, the suggested release is marked with a gold star. In Version 7.2.6+/7.4.1+, the management center notifies you when a new suggested release is available, and indicates suggested releases on its product upgrades page.
Suggested Releases for Older Appliances
If an appliance is too old to run the suggested release and you do not plan to refresh the hardware right now, choose a major version then patch as far as possible. Some major versions are designated long-term or extra long-term, so consider one of those. For an explanation of these terms, see Cisco NGFW Product Line Software Release and Sustaining Bulletin.
If you are interested in a hardware refresh, contact your Cisco representative or partner contact.
Management Center Features in Version 7.4.1
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Reintroduced Features |
|||
|
Reintroduced features. |
Feature dependent |
Feature dependent |
Version 7.4.1 reintroduces features, enhancements, and critical fixes that were included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but that were not included in odd-numbered versions (7.1.x, 7.3.x) or in Version 7.4.0. Reintroduced features include:
|
|
Platform |
|||
|
Network modules for the Secure Firewall 3130 and 3140. |
7.4.1 |
7.4.1 |
The Secure Firewall 3130 and 3140 now support these network modules:
See: Cisco Secure Firewall 3110, 3120, 3130, and 3140 Hardware Installation Guide |
|
Optical transceivers for Firepower 9300 network modules. |
7.4.1 |
7.4.1 |
The Firepower 9300 now supports these optical transceivers:
On these network modules:
|
|
Performance profile support for the Secure Firewall 3100. |
7.4.1 |
7.4.1 |
The performance profile settings available in the platform settings policy now apply to the Secure Firewall 3100. Previously, this feature was supported on the Firepower 4100/9300, the Secure Firewall 4200, and on threat defense virtual. |
|
Interfaces |
|||
|
Deploy without the diagnostic interface on threat defense virtual for Azure and GCP. |
7.4.1 |
7.4.1 |
You can now deploy without the diagnostic interface on threat defense virtual for Azure and GCP. Previously, we required one management, one diagnostic, and at least two data interfaces. New interface requirements are:
Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
|
Device Management |
|||
|
Device management services supported on user-defined VRF interfaces. |
7.4.1 |
Any |
Device management services configured in the threat defense platform settings (NetFlow, SSH access, SNMP hosts, syslog servers) are now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces. Platform restrictions: Not supported with container instances or clustered devices. See: Platform Settings |
|
High Availability/Scalability: Threat Defense |
|||
|
Multi-instance mode for the Secure Firewall 3100. |
7.4.1 |
7.4.1 |
You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices. Note that in multi-instance mode, you upgrade the operating system and the firmware (chassis upgrade) separately from the container instances (threat defense upgrade). New/modified screens: New/modified threat defense CLI commands: configure multi-instance network ipv4 , configure multi-instance network ipv6 New/modified FXOS CLI commands: create device-manager , set deploymode Platform restrictions: Not supported on the Secure Firewall 3105. |
|
16-node clusters for threat defense virtual for VMware and KVM. |
7.4.1 |
7.4.1 |
You can now configure 16-node clusters for threat defense virtual for VMware and threat defense virtual for KVM. |
|
Target failover for clustered threat defense virtual devices for AWS. |
7.4.1 |
7.4.1 |
You can now configure target failover for clustered threat defense virtual devices for AWS using the AWS Gateway Load Balancer (GWLB). Platform restrictions: Not available with five and ten-device licenses. |
|
Detect configuration mismatches in threat defense high availability pairs. |
7.4.1 |
7.4.1 |
You can now use the CLI to detect configuration mismatches in threat defense high availability pairs. New/modified CLI commands: show failover config-sync error , show failover config-sync stats |
|
High Availability: Management Center |
|||
|
Management center high availability synchronization enhancements. |
7.4.1 |
Any |
Management center high availability (HA) includes the following synchronization enhancements:
New/modified screens: You can view these alerts on the following screens:
|
|
SD-WAN |
|||
|
Application monitoring on the SD-WAN Summary dashboard. |
7.4.1 |
7.4.1 |
You can now monitor WAN interface application performance on the SD-WAN Summary dashboard. New/modified screens: |
|
VPN |
|||
|
IPsec flow offload on the VTI loopback interface for the Secure Firewall 3100. |
7.4.1 |
7.4.1 |
Upgrade impact. Qualifying connections start being offloaded. On the Secure Firewall 3100, qualifying IPsec connections through the VTI loopback interface are now offloaded by default. Previously, this feature was only supported on physical interfaces. This feature is automatically enabled by the upgrade. You can change the configuration using FlexConfig and the flow-offload-ipsec command. See: IPsec Flow Offload |
|
Crypto debugging enhancements for the Secure Firewall 3100 and Firepower 4100/9300. |
7.4.1 |
7.4.1 |
The crypto debugging enhancements introduced in Version 7.4.0 now apply to the Secure Firewall 3100 and the Firepower 4100/9300. Previously, they were only supported on the Secure Firewall 4200. |
|
View details of the VTIs in route-based VPNs. |
7.4.1 |
Any |
You can now view the details of route-based VPNs' virtual tunnel interfaces (VTI) on your managed devices. You can also view details of all the dynamically created virtual access interfaces of the dynamic VTIs. New/modified screens: Device > Device Management > Edit a device > Interfaces > Virtual Tunnels tab. |
|
Routing |
|||
|
Configure BFD routing on IS-IS interfaces with FlexConfig. |
7.4.1 |
7.4.1 |
You can now use FlexConfig to configure Bidirectional Forwarding Detection (BFD) routing on physical, subinterface, and EtherChannel IS-IS interfaces. |
|
Access Control: Threat Detection and Application Identification |
|||
|
Zero trust access enhancements. |
7.4.1 |
7.4.1 with Snort 3 |
Management center now includes the following zero trust access enhancements:
New/modified screens: New/modified CLI commands: show running-config zero-trust , show zero-trust statistics See: |
|
CIP detection. |
7.4.1 |
7.4.1 with Snort 3 |
You can now detect and handle Common Industrial Protocol (CIP) by using CIP and Ethernet/IP (ENIP) application conditions in your security policies. |
|
CIP safety detection. |
7.4.1 |
7.4.1 with Snort 3 |
CIP Safety is a CIP extension that enables the safe operation of industrial automation applications. The CIP inspector can now detect the CIP Safety segments in the CIP traffic. To detect and take action on the CIP Safety segments, enable the CIP inspector in the management center's network Analysis policy and assign it to an access control policy. New/modified screens: Policies > Access Control > Edit a policy > Add Rule > Applications tab > Search for CIP Safety in the search box. See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide |
|
Access Control: Identity |
|||
|
Captive portal support for multiple Active Directory realms (realm sequences). |
7.4.1 |
7.4.1 |
Upgrade impact. Update custom authentication forms. You can configure active authentication for either an LDAP realm; or a Microsoft Active Directory realm or a realm sequence. In addition, you can configure a passive authentication rule to fall back to active authentication using either a realm or a realm sequence. You can optionally share sessions between managed devices that share the same identity policy in access control rules. In addition, you have the option to require users to authenticate again when they access the system using a different managed device than they accessed previously. If you use the HTTP Response Page authentication type, after you upgrade threat defense, you must add <select name="realm" id="realm"></select> to your custom authentication form. This allows the user to choose between realms. Restrictions: Not supported with Microsoft Azure Active Directory. New/modified screens: |
|
Share captive portal active authentication sessions across firewalls. |
7.4.1 |
7.4.1 |
Determines whether or not users are required to authenticate when their authentication session is sent to a different managed device than one they previously connected to. If your organization requires users to authenticate every time they change locations or sites, you should disable this option.
New/modified screens: |
|
Merge downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources, using the management center web interface. |
7.4.1 |
Any |
Upgrade impact. Redo any related FlexConfigs after upgrade. New/modified screens: New CLI commands:
|
|
Health Monitoring |
|||
|
Chassis-level health alerts for the Firepower 4100/9300. |
7.4.1 |
Any with FXOS 2.14.1 |
Upgrade impact. Enable the new health module and apply device health policy after upgrade. You can now view chassis-level health alerts for Firepower 4100/9300 by registering the chassis to the management center as a read-only device. You must also enable the Firewall Threat Defense Platform Faults health module and apply the health policy. The alerts appear in the Message Center, the health monitor (in the left pane, under Devices, select the chassis), and in the health events view. You can also add a chassis (and view health alerts for) the Secure Firewall 3100 in multi-instance mode. For those devices, you use the management center to manage the chassis. But for the Firepower 4100/9300 chassis, you still must use the chassis manager or the FXOS CLI. New/modified screens: |
|
Improved management center memory usage calculation, alerting, and swap memory monitoring. |
7.4.1 |
Any |
Upgrade impact. Memory usage alert thresholds may be lowered. We improved the accuracy of management center memory usage and have lowered the default alert thresholds to 88% warning/90% critical. If your thresholds were higher than the new defaults, the upgrade lowers them automatically—you do not have to apply health policies for this change to take place. Note that the management center may now reboot in extremely critical system memory condition if terminating high-memory processes does not work. You can also add new swap memory usage metrics to a new or existing management center health dashboard. Make sure you choose the Memory metric group. New/modified screens:
|
|
Deployment and Policy Management |
|||
|
Change management. |
7.4.1 |
Any |
You can enable change management if your organization needs to implement more formal processes for configuration changes, including audit tracking and official approval before changes are deployed. We added the System ( See: Change Management |
|
Upgrade |
|||
|
Firmware upgrades included in FXOS upgrades. |
7.4.1 |
Any |
Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot. For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware. Just as with software and operating system upgrades, do not make or deploy configuration changes during firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during firmware upgrade. |
|
Automatically generate configuration change reports after management center upgrade. |
7.4.1 |
Any |
You can automatically generate reports on configuration changes after major and maintenance management center upgrades. This helps you understand the changes you are about to deploy. After the system generates the reports, you can download them from the Tasks tab in the Message Center. Other version restrictions: Only supported for management center upgrades from Version 7.4.1+. Not supported for upgrades to Version 7.4.1 or any earlier version. New/modified screens: System ( |
|
Administration |
|||
|
Erase the hard drives on a hardware management center. |
7.4.1 |
Any |
You can use the management center CLI to reboot and permanently erase its own hard drive data. After the erase is completed, you can install a fresh software image. New/modified CLI commands: secure erase See: Secure Firewall Management Center Command Line Reference |
|
Usability, Performance, and Troubleshooting |
|||
|
Troubleshooting file generation and download available from Device and Cluster pages. |
7.4.1 |
7.4.1 |
You can generate and download troubleshooting files for each
device on the Device page and also for all cluster nodes on the
Cluster page. For a cluster, you can download all files as a
single compressed file. You can also include cluster logs for
the cluster for cluster nodes. You can alternatively trigger
file generation from the > More ( New/modified screens: |
|
Automatic generation of a troubleshooting file on a node when it fails to join the cluster. |
7.4.1 |
7.4.1 |
If a node fails to join the cluster, a troubleshooting file is automatically generated for the node. You can download the file from Tasks or from the Cluster page. |
|
View CLI output for a device or device cluster. |
7.4.1 |
Any |
You can view a set of pre-defined CLI outputs that can help you troubleshoot the device or cluster. You can also enter any show command and see the output. New/modified screens: See: View CLI Output |
|
Quick recovery after data plane failure for the Firepower 1000/2100 and Firepower 4100/9300. |
7.4.1 |
7.4.1 |
If the data plane process crashes, the system now reloads only the data plane process instead of rebooting the device. Along with the data plane process reload, Snort and a few other processes also get reloaded. However, if the data plane process crashes during bootup, the device follows the normal reload/reboot sequence, which helps avoid a reload process loop from occurring. This feature is enabled by default for both new and upgraded devices. New/modified CLI commands: data-plane quick-reload , no data-plane quick-reload , show data-plane quick-reload status Supported platforms: Firepower 1000/2100, Firepower 4100/9300 Platform restrictions: Not supported in multi-instance mode. See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Secure Firewall ASA Series Command Reference. |
|
Deprecated Features |
|||
|
Deprecated: frequent drain of events health alerts. |
7.4.1 |
7.4.1 |
The Disk Usage health module no longer alerts with
|
|
Deprecated: VPN Tunnel Status health module. |
7.4.1 |
Any |
We deprecated the VPN Tunnel Status health module. Use the VPN dashboards instead. |
|
Deprecated: Merging downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources with FlexConfig. |
7.4.1 |
Any |
Upgrade impact. Redo any related FlexConfigs after upgrade. This feature is now supported in the management center web interface. |
)
)
)Management Center Features in Version 7.4.0
 Note |
Version 7.4.0 is available only on the Secure Firewall Management Center and the Secure Firewall 4200. A Version 7.4.0 management center can manage older versions of other device models, but you must use a Secure Firewall 4200 for features that require threat defense 7.4.0. Support for all other device platforms resumes in Version 7.4.1. |
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
||
|---|---|---|---|---|---|
|
Reintroduced Features |
|||||
|
Reintroduced features. |
7.4.0 |
Feature dependent |
Version 7.4.0 reintroduces features, enhancements, and critical fixes that were included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but that were not included in odd-numbered versions (7.1.x, 7.3.x). Reintroduced features include: |
||
|
Platform |
|||||
|
Management center 1700, 2700, 4700. |
7.4.0 |
Any |
We introduced the Secure Firewall Management Center 1700, 2700, and 4700, which can manage up to 300 devices. Management center high availability is supported. See: Cisco Secure Firewall Management Center 1700, 2700, and 4700 Getting Started Guide |
||
|
Management center virtual for Microsoft Hyper-V. |
7.4.0 |
Any |
We introduced Secure Firewall Management Center Virtual for Microsoft Hyper-V, which can manage up to 25 devices. Management center high availability is supported. See: Cisco Secure Firewall Management Center Virtual Getting Started Guide |
||
|
Secure Firewall 4200. |
7.4.0 |
7.4.0 |
We introduced the Secure Firewall 4215, 4225, and 4245. These devices support the following new network modules:
See: Cisco Secure Firewall 4215, 4225, and 4245 Hardware Installation Guide |
||
|
Performance profile support for the Secure Firewall 4200. |
7.4.0 |
7.4.0 |
The performance profile settings available in the platform settings policy now apply to the Secure Firewall 4200. Previously, this feature was supported only on the Firepower 4100/9300 and on threat defense virtual. |
||
|
Platform Migration |
|||||
|
Migrate from Firepower 1000/2100 to Secure Firewall 3100. |
7.4.0 |
Any |
You can now easily migrate configurations from the Firepower 1000/2100 to the Secure Firewall 3100. New/modified screens: Platform restrictions: Migration not supported from the Firepower 1010 or 1010E. |
||
|
Migrate from Firepower Management Center 4600 to Secure Firewall Management Center for AWS. |
7.4.0 |
Any |
You can migrate from Firepower Management Center 4600 to Secure Firewall Management Center Virtual for AWS with a 300-device license. See: Cisco Secure Firewall Management Center Model Migration Guide |
||
|
Migrate from Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700. |
7.4.0 |
Any |
You can migrate from Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700. See: Cisco Secure Firewall Management Center Model Migration Guide |
||
|
Migrate from Firepower Management Center 1000/2500/4500 to Secure Firewall Management Center 1700/2700/4700. |
7.4.0 only |
7.0.0 |
You can migrate Firepower Management Center 1000/2500/4500 to Secure Firewall Management Center 1700/2700/4700. To migrate, you must temporarily upgrade the old management center from Version 7.0 to Version 7.4.0.
To summarize the migration process:
See:
If you have questions or need assistance at any point in the migration process, contact Cisco TAC. |
||
|
Migrate devices from Firepower Management Center 1000/2500/4500 to cloud-delivered Firewall Management Center. |
7.4.0 only |
7.0.3 |
You can migrate devices from Firepower Management Center 1000/2500/4500 to cloud-delivered Firewall Management Center. To migrate devices, you must temporarily upgrade the on-prem management center from Version 7.0.3 (7.0.5 recommended) to Version 7.4.0. This temporary upgrade is required because Version 7.0 management centers do not support device migration to the cloud. Additionally, only standalone and high availability threat defense devices running Version 7.0.3+ (7.0.5 recommended) are eligible for migration. Cluster migration is not supported at this time.
To summarize the migration process:
See: If you have questions or need assistance at any point in the migration process, contact Cisco TAC. |
||
|
Device Management |
|||||
|
Low-touch provisioning to register the Firepower 1000/2100 and Secure Firewall 3100 to the management center using a serial number. |
7.4.0 |
Mgmt. center is publicly reachable: 7.2.0 Mgmt. center is not publicly reachable: 7.2.4 |
Low-touch provisioning lets you register Firepower 1000/2100 and Secure Firewall 3100 devices to the management center by serial number without having to perform any initial setup on the device. The management center integrates with SecureX and Cisco Defense Orchestrator for this functionality. New/modified screens: Other version restrictions: This feature is not supported on Version 7.3.x or 7.4.0 threat defense devices when the management center is not publicly reachable. Support returns in Version 7.4.1. See: Add a Device to the Management Center Using the Serial Number (Low-Touch Provisioning) |
||
|
Interfaces |
|||||
|
Merged management and diagnostic interfaces. |
7.4.0 |
7.4.0 |
Upgrade impact. Merge interfaces after upgrade. For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available. If you upgraded to 7.4 or later and:
Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including Management) in the configuration. For platform settings, this means:
New/modified screens: New/modified commands: show management-interface convergence |
||
|
VXLAN VTEP IPv6 support. |
7.4.0 |
7.4.0 |
You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the threat defense virtual cluster control link or for Geneve encapsulation. New/modified screens: |
||
|
Loopback interface support for BGP and management traffic. |
7.4.0 |
7.4.0 |
You can now use loopback interfaces for AAA, BGP, DNS, HTTP, ICMP, IPsec flow offload, NetFlow, SNMP, SSH, and syslog. New/modified screens: Devices > Device Management > Edit device > Interfaces > Add Interfaces > Loopback Interface |
||
|
Loopback and management type interface group objects. |
7.4.0 |
7.4.0 |
You can create interface group objects with only management-only or loopback interfaces. You can use these groups for management features such as DNS servers, HTTP access, or SSH. Loopback groups are available for any feature that can utilize loopback interfaces. However, it's important to note that DNS does not support management interfaces. New/modified screens: See: Interface |
||
|
High Availability/Scalability |
|||||
|
Manage threat defense high availability pairs using a data interface. |
7.4.0 |
7.4.0 |
Threat defense high availability now supports using a regular data interface for communication with the management center. Previously, only standalone devices supported this feature. |
||
|
SD-WAN |
|||||
|
WAN summary dashboard. |
7.4.0 |
7.2.0 |
The WAN Summary dashboard provides a snapshot of your WAN devices and their interfaces. It provides insight into your WAN network and information about device health, interface connectivity, application throughput, and VPN connectivity. You can monitor the WAN links and take proactive and prompt recovery measures. New/modified screens: Overview > WAN Summary |
||
|
Policy-based routing using HTTP path monitoring. |
7.4.0 |
7.2.0 |
Policy-based routing (PBR) can now use the performance metrics (RTT, jitter, packet-lost, and MOS) collected by path monitoring through HTTP client on the application domain rather than the metrics on a specific destination IP. HTTP-based application monitoring option is enabled by default for the interface. You can configure a PBR policy with match ACL having the monitored applications and interface ordering for path determination. New/modified screens: Devices > Device Management > Edit device > Edit interface > Path Monitoring > Enable HTTP based Application Monitoring check box. Platform restrictions: Not supported for clustered devices. |
||
|
Policy-based routing with user identity and SGTs. |
7.4.0 |
7.4.0 |
You can now classify the network traffic based on users and user groups, and SGTs in PBR policies. You can select the identity and SGT objects while defining the extended ACLs for the PBR policies. New/modified screens: Objects > Object Management > Access List > Extended > Add/Edit Extended Access List > Add/Edit Extended Access List Entry > Users and Security Group Tag |
||
|
VPN |
|||||
|
IPsec flow offload on the VTI loopback interface for the Secure Firewall 4200. |
7.4.0 |
7.4.0 |
On the Secure Firewall 4200, qualifying IPsec connections through the VTI loopback interface are offloaded by default. Previously, this feature was supported for physical interfaces on the Secure Firewall 3100. You can change the configuration using FlexConfig and the flow-offload-ipsec command. Other requirements: FPGA firmware 6.2+ See: IPsec Flow Offload |
||
|
Crypto debugging enhancements for the Secure Firewall 4200. |
7.4.0 |
7.4.0 |
We made the following enhancements to crypto debugging:
New/modified CLI commands: show counters |
||
|
VPN: Remote Access |
|||||
|
Customize Secure Client messages, icons, images, and connect/disconnect scripts. |
7.4.0 |
7.1.0 |
You can now customize Secure Client and deploy these customizations to the VPN headend. The following are the supported Secure Client customizations:
Threat defense distributes these customizations to the endpoint when an end user connects from the Secure Client. New/modified screens:
|
||
|
VPN: Site to Site |
|||||
|
Easily view IKE and IPsec session details for VPN nodes. |
7.4.0 |
Any |
You can view the IKE and IPsec session details of VPN nodes in a user-friendly format in the Site-to-Site VPN dashboard. New/modified screens: Overview > Site to Site VPN > Under the Tunnel Status widget, hover over a topology, click View, and then click the CLI Details tab. |
||
|
Site-to-site VPN information in connection events. |
7.4.0 |
7.4.0 with Snort 3 |
Connection events now contain three new fields: Encrypt Peer, Decrypt Peer, and VPN Action. For policy-based and route-based site-to-site VPN traffic, these fields indicate whether a connection was encrypted or decrypted (or both, for transiting connections), and who by. New/modified screens: |
||
|
Easily exempt site-to-site VPN traffic from NAT translation. |
7.4.0 |
Any |
We now make it easier to exempt site-to-site VPN traffic from NAT translation. New/modified screens:
See: NAT Exemption |
||
|
Routing |
|||||
|
Configure graceful restart for BGP on IPv6 networks. |
7.4.0 |
7.3.0 |
You can now configure BGP graceful restart for IPv6 networks on managed devices version 7.3 and later. New/modified screens: Devices > Device Management > Edit device > Routing > BGP > IPv6 > Neighbor > Add/Edit Neighbor. |
||
|
Virtual routing with dynamic VTI. |
7.4.0 |
7.4.0 |
You can now configure a virtual router with a dynamic VTI for a route-based site-to-site VPN. New/modified screens: Devices > Device Management > Edit Device > Routing > Virtual Router Properties > Dynamic VTI interfaces under Available Interfaces Platform restrictions: Supported only on native mode standalone or high availability devices. Not supported for container instances or clustered devices. |
||
|
Access Control: Threat Detection and Application Identification |
|||||
|
Clientless zero-trust access. |
7.4.0 |
7.4.0 with Snort 3 |
We introduced Zero Trust Access that allows you to authenticate and authorize access to protected web based resources, applications, or data from inside (on-premises) or outside (remote) the network using an external SAML Identity Provider (IdP) policy. The configuration consists of a Zero Trust Application Policy (ZTAP), Application Group, and Applications. New/modified screens: New/modified CLI commands:
See: Zero Trust Access |
||
|
Encrypted visibility engine enhancements. |
7.4.0 |
7.4.0 with Snort 3 |
Encrypted Visibility Engine (EVE) can now:
New/modified screens: Use the access control policy's advanced settings to enable EVE and configure these settings. |
||
|
Exempt specific networks and ports from bypassing or throttling elephant flows. |
7.4.0 |
7.4.0 with Snort 3 |
You can now exempt specific networks and ports from bypassing or throttling elephant flows. New/modified screens:
Platform restrictions: Not supported on the Firepower 2100 series. |
||
|
First-packet application identification using custom application detectors. |
7.4.0 |
7.4.0 with Snort 3 |
A new Lua detector API is now introduced, which maps the IP address, port, and protocol on the very first packet of a TCP session to application protocol (service AppID), client application (client AppID), and web application (payload AppID). This new Lua API addHostFirstPktApp is used for performance improvements, reinspection, and early detection of attacks in the traffic. To use this feature, you must upload the Lua detector by specifying the detection criteria in advanced detectors in your custom application detector. |
||
|
Sensitive data detection and masking. |
7.4.0 |
7.4.0 with Snort 3 |
Upgrade impact. New rules in default policies take effect. Sensitive data such as social security numbers, credit card numbers, emails, and so on may be leaked onto the internet, intentionally or accidentally. Sensitive data detection is used to detect and generate events on possible sensitive data leakage and generates events only if there is a transfer of significant amount of Personally Identifiable Information (PII) data. Sensitive data detection can mask PII in the output of events, using built-in patterns. Disabling data masking is not supported. |
||
|
Improved JavaScript inspection. |
7.4.0 |
7.4.0 with Snort 3 |
We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. See: HTTP Inspect Inspector and Cisco Secure Firewall Management Center Snort 3 Configuration Guide |
||
|
MITRE information in file and malware events. |
7.4.0 |
7.4.0 |
The system now includes MITRE information (from local malware analysis) in file and malware events. Previously, this information was only available for intrusion events. You can view MITRE information in both the classic and unified events views. Note that the MITRE column is hidden by default in both event views. See: Local Malware Analysis and File and Malware Event Fields |
||
|
Smaller VDB for lower memory Snort 2 devices. |
6.4.0.17 7.0.6 7.2.4 7.3.1.1 7.4.0 |
Any with Snort 2 |
Upgrade impact. Application identification on lower memory devices is affected. For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB. Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641. |
||
|
Access Control: Identity |
|||||
|
Cisco Secure Dynamic Attributes Connector on the management center. |
7.4.0 |
Any |
You can now configure the Cisco Secure Dynamic Attributes Connector on the management center. Previously, it was only available as a standalone application. |
||
|
Microsoft Azure AD as a user identity source. |
7.4.0 |
7.4.0 |
You can use a Microsoft Azure Active Directory (Azure AD) realm with ISE to authenticate users and get user sessions for user control. New/modified screens:
Supported ISE versions: 3.0 patch 5+, 3.1 (any patch level), 3.2 (any patch level) |
||
|
Event Logging and Analysis |
|||||
|
Configure threat defense devices as NetFlow exporters from the management center web interface. |
7.4.0 |
Any |
Upgrade impact. Redo FlexConfigs after upgrade. NetFlow is a Cisco application that provides statistics on packets flows. You can now use the management center web interface to configure threat defense devices as NetFlow exporters. If you have an existing NetFlow FlexConfig and redo your configurations in the web interface, you cannot deploy until you remove the deprecated FlexConfigs. New/modified screens: See: Configure NetFlow |
||
|
More information about "unknown" SSL actions in logged encrypted connections. |
7.4.0 |
7.4.0 |
Serviceability improvements to the event reporting and decryption rule matching.
New/modified screens:
See: Connection and Security-Related Connection Event Fields. |
||
|
Health Monitoring |
|||||
|
Stream telemetry to an external server using OpenConfig. |
7.4.0 |
7.4.0 |
You can now send metrics and health monitoring information from your threat defense devices to an external server (gNMI collector) using OpenConfig. You can configure either threat defense or the collector to initiate the connection, which is encrypted by TLS. New/modified screens: System ( |
||
|
New asp drop metrics. |
7.4.0 |
7.4.0 |
You can add over 600 new asp (accelerated security path) drop metrics to a new or existing device health dashboard. Make sure you choose the ASP Drops metric group. New/modified screens: System ( |
||
|
Administration |
|||||
|
Send detailed management center audit logs to syslog. |
7.4.0 |
Any |
You can stream configuration changes as part of audit log data to syslog by specifying the configuration data format and the hosts. The management center supports backup and restore of the audit configuration log. New/modified screens: System ( |
||
|
Granular permissions for modifying access control policies and rules. |
7.4.0 |
Any |
You can define custom user roles to differentiate between the intrusion configuration in access control policies and rules and the rest of the access control policy and rules. Using these permissions, you can separate the responsibilities of your network administration team and your intrusion administration teams. When defining user roles, you can select the option to allow the selection of intrusion policy, variable set, and file policy in a rule, the configuration of the advanced options for Network Analysis and Intrusion Policies, the configuration of the Security Intelligence policy for the access control policy, and intrusion actions in the policy default action. You can use the Modify Remaining Access Control Policy Configuration to control the ability to edit all other aspects of the policy. The existing pre-defined user roles that included the Modify Access Control Policy permission continue to support all sub-permissions; you need to create your own custom roles if you want to apply granular permissions. |
||
|
Support for IPv6 URLs when checking certificate revocation. |
7.4.0 |
7.4.0 |
Previously, threat defense supported only IPv4 OCSP URLs. Now, threat defense supports both IPv4 and IPv6 OCSP URLs. See: Requiring Valid HTTPS Client Certificates and Certificate Enrollment Object Revocation Options |
||
|
Default NTP server updated. |
7.4.0 |
Any |
The default NTP server for new management center deployments
changed from sourcefire.pool.ntp.org to time.cisco.com. We
recommend you use the management center to serve time to its own
devices. You can update the management center's NTP server on
System ( |
||
|
Usability, Performance, and Troubleshooting |
|||||
|
Usability enhancements. |
7.4.0 |
Any |
You can now:
|
||
|
Specify the direction of traffic to be captured with packet capture for the Secure Firewall 4200. |
7.4.0 |
7.4.0 |
On the Secure Firewall 4200, you can use a new direction keyword with the capture command. New/modified CLI commands: capturecapture_nameswitchinterfaceinterface_name[ direction{ both| egress| ingress} ] |
||
|
Snort 3 restarts when it becomes unresponsive, which can trigger HA failover. |
7.4.0 |
7.4.0 with Snort 3 |
To improve continuity of operations, an unresponsive Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process becomes unresponsive. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.) This feature is enabled by default. You can use the CLI to disable it, or configure the time or number of unresponsive threads before Snort restarts. New/modified CLI commands: configure snort3-watchdog |
||
|
Cisco Success Network telemetry. |
7.4.0 |
Any |
For telemetry changes, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center, Version 7.4.x. |
||
|
Management Center REST API |
|||||
|
Management center REST API. |
7.4.0 |
Any |
For information on changes to the management center REST API, see What's New in Version 7.4 in the API quick start guide. |
||
|
Deprecated Features |
|||||
|
Temporarily deprecated features. |
7.4.0 |
Any |
Although upgrading to Version 7.4.0 is supported, the upgrade will remove critical features, fixes, and enhancements that may be included in your current version. Instead, upgrade to Version 7.4.1+. From Version 7.2.5–7.2.x, upgrading removes:
From Version 7.2.6–7.2.x, upgrading removes:
|
||
|
Deprecated: NetFlow with FlexConfig. |
7.4.0 |
Any |
You can now configure threat defense devices as NetFlow exporters from the management center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs. See: Configure NetFlow |
||
Management Center Features in Version 7.3.1
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Smaller VDB for lower memory Snort 2 devices. |
6.4.0.17 7.0.6 7.2.4 7.3.1.1 7.4.0 |
Any with Snort 2 |
Upgrade impact. Application identification on lower memory devices is affected. For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB. Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641. |
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Secure Firewall 3105. |
7.3.1 |
7.3.1 |
We introduced the Secure Firewall 3105. |
Management Center Features in Version 7.3.0
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Platform |
|||
|
Management center virtual 300 for KVM. |
7.3.0 |
Any |
We introduced the FMCv300 for KVM. The FMCv300 can manage up to 300 devices. High availability is supported. |
|
Network modules for the Firepower 4100. |
7.3.0 |
7.3.0 |
We introduced these network modules for the Firepower 4100:
Supported platforms: Firepower 4112, 4115, 4125, 4145 |
|
ISA 3000 System LED support for shutting down. |
7.3.0 |
7.0.5 7.3.0 |
Support returns for this feature. When you shut down the ISA 3000, the System LED turns off. Wait at least 10 seconds after that before you remove power from the device. This feature was introduced in Version 7.0.5 but was temporarily deprecated in Version 7.1–7.2. |
|
New compute shapes for threat defense virtual and management center virtual for OCI. |
7.3.0 |
7.3.0 |
Threat defense virtual for OCI adds support for the following compute shapes:
Management center virtual for OCI adds support for the following compute shapes:
Note that the VM.Standard2.4 and VM.Standard2.8 compute shapes reached end of orderability in February 2022. If you are deploying Version 7.3+, we recommend one of the above compute shapes. For information on compatible compute shapes, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|
Interfaces |
|||
|
IPv6 support for virtual appliances. |
7.3.0 |
7.3.0 |
Threat defense virtual and management center virtual now support IPv6 in the following environments:
For more information, see Cisco Secure Firewall Threat Defense Virtual Getting Started Guide and Cisco Secure Firewall Management Center Virtual Getting Started Guide. |
|
Loopback interface support for VTIs. |
7.3.0 |
7.3.0 |
You can now configure a loopback interface for redundancy of static and dynamic VTI VPN tunnels. A loopback interface is a software interface that emulates a physical interface. It is reachable through multiple physical interfaces with IPv4 and IPv6 addresses. New/modified screens: For more information, see Configure Loopback Interfaces in the device configuration guide. |
|
Redundant manager access data interface. |
7.3.0 |
7.3.0 |
When you use a data interface for manager access, you can configure a secondary data interface to take over management functions if the primary interface goes down. The device uses SLA monitoring to track the viability of the static routes and an ECMP zone that contains both interfaces so management traffic can use both interfaces. New/modified screens: For more information, see Configure a Redundant Manager Access Data Interface in the device configuration guide. |
|
IPv6 DHCP. |
7.3.0 |
7.3.0 |
We now support the following features for IPv6 addressing:
New/modified screens: New/modified CLI commands: show bgp ipv6 unicast , show ipv6 dhcp , show ipv6 general-prefix For more information, see Configure the IPv6 Prefix Delegation Client, BGP, and Configure the DHCPv6 Stateless Server in the device configuration guide. |
|
Paired proxy VXLAN for the threat defense virtual for the Azure Gateway Load Balancer. |
7.3.0 |
7.3.0 |
You can configure a paired proxy mode VXLAN interface for threat defense virtual for Azure for use with the Azure Gateway Load Balancer. The device defines an external interface and an internal interface on a single NIC by utilizing VXLAN segments in a paired proxy. New/modified screens: For more information, see Configure VXLAN Interfaces in the device configuration guide. |
|
High Availability/Scalability |
|||
|
High availability for management center virtual for KVM. |
7.3.0 |
Any |
We now support high availability for management center virtual for KVM. In a threat defense deployment, you need two identically licensed management centers, as well as one threat defense entitlement for each managed device. For example, to manage 10 devices with an FMCv10 high availability pair, you need two FMCv10 entitlements and 10 threat defense entitlements. If you are managing Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv entitlements. Platform restrictions: Not supported with FMCv2 For more information, see the Cisco Secure Firewall Management Center Virtual Getting Started Guide, as well as High Availability in the administration guide. |
|
Clustering for threat defense virtual for Azure. |
7.3.0 |
7.3.0 |
You can now configure clustering for up to 16 nodes with threat defense virtual for Azure. New/modified screens: For more information, see Clustering for Threat Defense Virtual in a Public Cloud in the device configuration guide. |
|
Autoscale for threat defense virtual for Azure Gateway Load Balancers. |
7.3.0 |
7.3.0 |
We now support autoscale for threat defense virtual for Azure Gateway Load Balancers. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|
Back up and restore device clusters. |
7.3.0 |
Any |
You can now use the management center to back up device clusters, except in the public cloud (threat defense virtual for AWS). To restore, use the device CLI. New/modified screens: New/modified commands: restore remote-manager-backup For more information, see Backup/Restore in the administration guide. |
|
Remote Access VPN |
|||
|
RA VPN dashboard. |
7.3.0 |
Any |
We introduced a remote access VPN (RA VPN) dashboard that allows you to monitor real-time data from active RA VPN sessions on the devices. So that you can quickly determine problems related to user sessions and mitigate the problems for your network and users, the dashboard provides:
New/modified screens: For more information, see Dashboards in the administration guide. |
|
Encrypt RA VPN connections with TLS 1.3. |
7.3.0 |
7.3.0 |
You can now use TLS 1.3 to encrypt RA VPN connections with the following ciphers:
Use the threat defense platform settings to set the TLS version: . This feature requires Cisco Secure Client, Release 5 (formerly known as the AnyConnect Secure Mobility Client). For more information, see Configure SSL Settings in the device configuration guide. |
|
Site to Site VPN |
|||
|
Packet tracer in the site-to-site VPN dashboard. |
7.3.0 |
Any |
We added packet tracer capabilities to the site-to-site VPN dashboard, to help you troubleshoot VPN tunnels between devices. Open the dashboard by choosing . Then, click View ( For more information, see Monitoring the Site-to-Site VPNs in the device configuration guide. |
|
Support for dynamic VTIs with site-to-site VPN. |
7.3.0 |
7.3.0 |
We now support dynamic virtual tunnel interfaces (VTI) when you configure a route-based site-to-site VPN in a hub and spoke topology. Previously, you could use only a static VTI. This makes it easier to configure large hub and spoke deployments. A single dynamic VTI can replace several static VTI configurations on the hub. And, you can add new spokes to a hub without changing the hub configuration. New/modified screens: We updated the options when configuring hub-node endpoints for a route-based hub-and-spoke site-to-site VPN topology. For more information, see Configure Endpoints for a Hub and Spoke Topology in the device configuration guide. |
|
Improved Umbrella SIG integration. |
7.3.0 |
7.3.0 |
You can now easily deploy IPsec IKEv2 tunnels between a threat defense device and the Umbrella Secure Internet Gateway (SIG), which allows you to forward all internet-bound traffic to Umbrella for inspection and filtering. To configure and deploy these tunnels, create a SASE topology, a new type of static VTI-based site-to-site VPN topology: . For more information, see Deploy a SASE Tunnel on Umbrella in the device configuration guide. |
|
Routing |
|||
|
Configure BFD for BGP from the management center web interface. |
7.3.0 |
Any |
Upgrade impact. You can now use the management center web interface to configure bidirectional forwarding detection (BFD) for BGP. Note that you can only enable BFD on interfaces belonging to virtual routers. If you have an existing BFD FlexConfig and redo your configurations in the web interface, you cannot deploy until you remove the deprecated FlexConfigs. New/modified screens:
For more information, see Bidirectional Forwarding Detection Routing in the device configuration guide. |
|
Support for IPv4 and IPv6 OSPF routing for VTIs. |
7.3.0 |
7.3.0 |
We now support IPv4 and IPv6 OSPF routing for VTI interfaces. New/modified pages: You can add VTI interfaces to an OSPF routing process on . For more information, see OSPF and Additional Configurations for VTI in the device configuration guide. |
|
Support for IPv4 EIGRP routing for VTIs. |
7.3.0 |
7.3.0 |
We now support IPv4 EIGRP routing for VTI interfaces. New/modified screens: You can define a VTI as the static neighbor for an EIGRP routing process, configure a VTI's interface-specific EIGRP routing properties. and advertise a VTI's summary address on . For more information, see EIGRP and Additional Configurations for VTI in the device configuration guide. |
|
More network service groups for policy-based routing. |
7.3.0 |
7.3.0 |
You can now configure up to 1024 network service groups (application groups in an extended ACL for use in policy-based routing). Previously, the limit was 256. |
|
Support for multiple next-hops while configuring policy-based routing forwarding actions. |
7.3.0 |
7.1 |
You can now configure multiple next-hops while configuring policy-based routing forwarding actions. When traffic matches the criteria for the route, the system attempts to forward traffic to the IP addresses in the order you specify, until it succeeds. New/modified screens: We added several options when you select IP Address from the Send To menu on . For more information, see Configure Policy-Based Routing Policy in the device configuration guide. |
|
Upgrade |
|||
|
Choose and direct-download upgrade packages to the management center from Cisco. |
7.3..x only |
Any |
You can now choose which threat defense upgrade packages you want to direct download to the management center. Use the new Download Updates sub-tab on . Other version restrictions: this feature is replaced by an improved package management system in Version 7.2.6/7.4.1. |
|
Upload upgrade packages to the management center from the threat defense wizard. |
7.3.x only |
Any |
You now use the wizard to upload threat defense upgrade packages
or specify their location. Previously (depending on
version), you used System ( Other version restrictions: this feature is replaced by an improved package management system in Version 7.2.6/7.4.1. |
|
Auto-upgrade to Snort 3 after successful threat defense upgrade is no longer optional. |
7.3.0 |
Any |
Upgrade impact. When you upgrade threat defense to Version 7.3+, you can no longer disable the Upgrade Snort 2 to Snort 3 option. After the software upgrade, all eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. Although you can switch individual devices back, Snort 2 will be deprecated in a future release and we strongly recommend you stop using it now. For devices that are ineligible for auto-upgrade because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version. |
|
Combined upgrade and install package for Secure Firewall 3100. |
7.3.0 |
7.3.0 |
Reimage Impact. In Version 7.3, we combined the threat defense install and upgrade package for the Secure Firewall 3100, as follows:
Although you can upgrade threat defense without issue, you cannot reimage from older threat defense and ASA versions directly to threat defense Version 7.3+. This is due to a ROMMON update required by the new image type. To reimage from those older versions, you must "go through" ASA 9.19+, which is supported with the old ROMMON but also updates to the new ROMMON. There is no separate ROMMON updater. To get to threat defense Version 7.3+, your options are:
|
|
Access Control and Threat Detection |
|||
|
SSL policy renamed to decryption policy. |
7.3.0 |
Any |
We renamed the SSL policy to the decryption policy. We also added a policy wizard that makes it easier to create and configure decryption policies, including creating initial rules and certificates for inbound and outbound traffic. New/modified screens:
For more information, see Decryption Policies in the device configuration guide. |
|
Improvements to TLS server identity discovery with Snort 3 devices. |
7.3.0 |
7.3.0 |
We now support improved performance and inspection with the TLS server identity discovery feature, which allows you to handle traffic encrypted with TLS 1.3 with information from the server certificate. Although we recommend you leave it enabled, you can disable this feature using the new Enable adaptive TLS server identity probe option in the decryption policy's advanced settings. For more information, see TLS 1.3 Decryption Best Practices in the device configuration guide. |
|
URL filtering using cloud lookup results only. |
7.3.0 |
7.3.0 |
When you enable (or re-enable) URL filtering, the management center automatically queries Cisco for URL category and reputation data and pushes the dataset to managed devices. You now have more options on how the system uses this dataset to filter web traffic. To do this, we replaced the Query Cisco Cloud for Unknown URLs options with three new options:
New/modified screens: For more information, see URL Filtering Options in the device configuration guide. |
|
Detect HTTP/3 and SMB over QUIC using EVE (Snort 3 only). |
7.3.0 |
7.3.0 with Snort 3 |
Snort 3 devices can now use the encrypted visibility engine (EVE) to detect HTTP/3 and SMB over QUIC. You can then create rules to handle traffic based on these applications. For more information, see Encrypted Visibility Engine in the device configuration guide. |
|
Generate IoC events based on unsafe client applications detected by EVE (Snort 3 only). |
7.3.0 |
7.3.0 with Snort 3 |
Snort 3 devices can now generate indications of compromise (IoC) connection events based unsafe client applications detected by the encrypted visibility engine (EVE). These connection events have a Encrypted Visibility Threat Confidence of Very High.
For more information, see Encrypted Visibility Engine in the device configuration guide. |
|
Improved JavaScript inspection for Snort 3 devices. |
7.3.0 |
7.3.0 with Snort 3 |
We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. The normalizer introduced in Version 7.2 now allows you to inspect within the unescape, decodeURI, and decodeURIComponent functions: %XX, %uXXXX, \uXX, \u{XXXX}\xXX, decimal code point, and hexadecimal code point. It also removes plus operations from strings and concatenates them. For more information, see HTTP Inspect Inspector in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide. |
|
Nested rule groups, including MITRE ATT&CK, in Snort 3 intrusion policies. |
7.3.0 |
7.0 with Snort 3 |
You can now nest rule groups in a Snort 3 intrusion policy. This allows you to view and handle traffic in a more granular fashion; for example, you might group rules by vulnerability type, target system, or threat category. You can create custom nested rule groups and change the security level and rule action per rule group. We also group system-provided rules in a Talos-curated MITRE ATT&CK framework, so you can act on traffic based on those categories. New/modified screens:
For more information, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide. |
|
Access control rule conflict analysis. |
7.3.0 |
Any |
You can now enable rule conflict analysis to help identify redundant rules and objects, and shadowed rules that cannot be matched due to previous rules in the policy. For more information, see Analyzing Rule Conflicts and Warnings in the device configuration guide. |
|
Event Logging and Analysis |
|||
|
NetFlow support for Snort 3 devices. |
7.3.0 |
7.3.0 with Snort 3 |
Upgrade impact. Snort 3 devices now can consume NetFlow records (IPv4 and IPv6, NetFlow v5 and v9). Previously, only Snort 2 devices did this. After upgrade, if you have an existing NetFlow exporter and NetFlow rule configured in the network discovery policy, Snort 3 devices may begin processing NetFlow records, generating NetFlow connection events, and adding host and application protocol information to the database based on NetFlow data. For more information, see Network Discovery Policies in the device configuration guide. |
|
Integrations |
|||
|
New remediation module for integration with the Cisco ACI Endpoint Update App |
7.3.0 |
Any |
We introduced a new Cisco ACI Endpoint remediation module. To use it, you must remove the old module then add and configure the new one. This new module can:
For more information, see APIC/Secure Firewall Remediation Module 3.0 in the device configuration guide. |
|
Health Monitoring |
|||
|
Cluster health monitor settings in the management center web interface. |
7.3.0 |
Any |
You can now use the management center web interface to edit cluster health monitor settings. If you configured these settings with FlexConfig in a previous version, the system allows you to deploy, but also warns you to redo your configurations—the FlexConfig settings take precedence. New/modified screens: Devices > Device Management > Edit Cluster > Cluster Health Monitor Settings For more information, see Edit Cluster Health Monitor Settings in the device configuration guide. |
|
Improved health monitoring for device clusters. |
7.3.0 |
Any |
We added cluster dashboards to the health monitor where you can view overall cluster status, load distribution metrics, performance metrics, cluster control link (CCL) and data throughput, and so on. To view the dashboard for each cluster, choose System ( For more information, see Cluster Health Monitor in the administration guide. |
|
Monitor fan speed and temperature for the power supply on the hardware management center. |
7.3.0 |
Any |
We added the Hardware Statistics health module that monitors fan speed and temperature for the power supply on the hardware management center. The upgrade process automatically adds and enables this module. After upgrade, apply the policy. To enable or disable the module and set threshold values, edit the
management center health policy on System ( To view health status, create a custom health dashboard: System ( You can also view module status on the health monitor's Home page and in the management center's alert summary (as Hardware Alarms and Power Supply). You can configure external alert responses and view health events based on module status. For more information, see Hardware Statistics on Management Center in the administration guide. |
|
Monitor temperature and power supply for the Firepower 4100/9300. |
7.3.0 |
7.3.0 |
We added the Chassis Environment Status health module to monitor the temperature and power supply on a Firepower 4100/9300 chassis. The upgrade process automatically adds and enables these modules in all device health policies. After upgrade, apply health policies to Firepower 4100/9300 chassis to begin monitoring. To enable or disable this module and set threshold values, edit the
management center health policy: System ( To view health status, create a custom health dashboard: System ( You can also view module status on the health monitor's Home page and in each device's alert summary. You can configure external alert responses and view health events based on module status. For more information, see Hardware/Environment Status Metrics in the administration guide. |
|
Licensing |
|||
|
Changes to license names and support for the Carrier license. |
7.3.0 |
Any |
We renamed licenses as follows:
In addition, you can now apply the Carrier license, which allows you to configure GTP/GPRS, Diameter, SCTP, and M3UA inspections. New/modified screens: System ( For more information, see Licenses in the administration guide. |
|
Administration |
|||
|
Migrate configurations from FlexConfig to web interface management. |
7.3.0 |
Feature dependent |
You can now easily migrate these configurations from FlexConfig to web interface management:
After you migrate, you cannot deploy until you remove the deprecated FlexConfigs. New/modified screens: For more information, see Migrating FlexConfig Policies in the device configuration guide. |
|
Automatic VDB downloads. |
7.3.0 |
Any |
The initial setup on the management center schedules a weekly task to download the latest available software updates, which now includes the latest vulnerability database (VDB). We recommend you review this weekly task and adjust if necessary. Optionally, schedule a new weekly task to actually update the VDB and deploy configurations. New/modified screens: The Vulnerability Database check box is now enabled by default in the system-created Weekly Software Download scheduled task. For more information, see Vulnerability Database Update Automation in the administration guide. |
|
Install any VDB. |
7.3.0 |
Any |
Starting with VDB 357, you can now install any VDB as far back as the baseline VDB for that management center. After you update the VDB, deploy configuration changes. If you based configurations on vulnerabilities, application detectors, or fingerprints that are no longer available, examine those configurations to make sure you are handling traffic as expected. Also, keep in mind a scheduled task to update the VDB can undo a rollback. To avoid this, change the scheduled task or delete any newer VDB packages. New/modified screens: On System ( For more information, see Update the Vulnerability Database in the administration guide. |
|
Usability, Performance, and Troubleshooting |
|||
|
New how-to walkthroughs. |
7.3.0 |
Feature dependent |
We added these how-tos:
To launch a how-to, choose System ( |
|
New access control policy user interface is now the default. |
7.3.0 |
Any |
The access control policy user interface introduced in Version 7.2 is now the default interface. The upgrade switches you, but you can switch back. |
|
Maximum objects per match criteria per access control rule is now 200. |
7.3.0 |
Any |
We increased the objects per match criteria in a single access control rule from 50 to 200. For example, you can now use up to 200 network objects in a single access control rule. |
|
Filter devices by version. |
7.3.0 |
Any |
You can now filter devices by version on . |
|
Better status emails for scheduled tasks. |
7.3.0 |
Any |
Email notifications for scheduled tasks are now sent when the task completes—whether success or failure—instead of when the task begins. This means that they can now indicate whether the task failed or succeeded. For failures, they include the reason for the failure and remediations to fix the issue. |
|
Performance profile for CPU core allocation on the Firepower 4100/9300 and threat defense virtual. |
7.3.0 |
7.3.0 |
You can adjust the percentage of system cores assigned to the data plane and Snort to adjust system performance. The adjustment is based on your relative use of VPN and intrusion policies. If you use both, leave the core allocation to the default values. If you use the system primarily for VPN (without applying intrusion policies), or as an IPS (with no VPN configuration), you can skew the core allocation to the data plane (for VPN) or Snort (for intrusion inspection). We added the Performance Profile page to the platform settings policy. For more information, see Configure the Performance Profile in the device configuration guide. |
|
Cisco Success Network telemetry. |
7.3.0 |
Any |
For telemetry changes, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center, Version 7.3.x. |
|
Management Center REST API |
|||
|
Management center REST API. |
7.3.0 |
Feature dependent |
For information on changes to the management center REST API, see What's New in 7.3 in the API quick start guide. |
|
Deprecated Features |
|||
|
Temporarily deprecated features. |
7.3.0 |
Feature dependent |
Although upgrading to Version 7.3 is supported, the upgrade will remove critical features, fixes, and enhancements that may be included in your current version. Instead, upgrade to Version 7.4.1+. From Version 7.2.3+, upgrading removes:
From Version 7.2.4+, upgrading removes:
From Version 7.2.5+, upgrading removes:
From Version 7.2.6+, upgrading removes:
|
|
Support ends: Firepower 4110, 4120, 4140, 4150. |
— |
7.3.0 |
You cannot run Version 7.3+ on the Firepower 4110, 4120, 4140, or 4150. |
|
Support ends: Firepower 9300: SM-24, SM-36, SM-44 modules. |
— |
7.3.0 |
You cannot run Version 7.3+ on the Firepower 9300 with SM-24, SM-36, or SM-44 modules. |
|
Deprecated: YouTube EDU content restriction for Snort 2 devices. |
7.3.0 |
Any |
You can no longer enable YouTube EDU content restriction in new or existing access control rules. Your existing YouTube EDU rules will keep working, and you can edit those rules to disable YouTube EDU. Note that this is a Snort 2 feature that is not available for Snort 3. You should redo your configurations after upgrade. |
|
Deprecated: Cluster health monitor settings with FlexConfig. |
7.3.0 |
Any |
You can now edit cluster health monitor settings from the management center web interface. If you do this, the system allows you to deploy but also warns you that any existing FlexConfig settings take precedence. You should redo your configurations after upgrade. |
|
Deprecated: BFD for BGP with FlexConfig. |
7.3.0 |
Any |
You can now configure bidirectional forwarding detection (BFD) for BGP routing from the management center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs. You should redo your configurations after upgrade. |
|
Deprecated: ECMP zones with FlexConfig. |
7.3.0 |
Any |
You can now easily migrate EMCP zone configurations from FlexConfig to web interface management. After you migrate, you cannot deploy until you remove any deprecated FlexConfigs. You should redo your configurations after upgrade. |
|
Deprecated: VXLAN interfaces with FlexConfig. |
7.3.0 |
Any |
You can now easily migrate VXLAN interface configurations from FlexConfig to web interface management. After you migrate, you cannot deploy until you remove any deprecated FlexConfigs. |
)Management Center Features in Version 7.2.6
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Reintroduced Features |
|||
|
Updated web analytics provider. |
7.0.6 7.2.6 7.4.1 |
Any |
Upgrade impact. Your browser connects to new resources. While using the management center, your browser now contacts Amplitude (amplitude.com) instead of Google (google.com) for web analytics. Web analytics provides non-personally-identifiable usage data to Cisco, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your management centers. You are enrolled in web analytics by default but you can change your enrollment at any time after you complete initial setup. Note that ad blockers can block web analytics, so if you choose to remain enrolled, please disable ad blocking for the hostnames/IP addresses of your Cisco appliances. Version restrictions: Amplitude analytics are not supported in management center Version 7.0.0–7.0.5, 7.1.0–7.2.5, 7.3.x, or 7.4.0. Permanent support returns in Version 7.4.1 If you upgrade from a supported version to an unsupported version, your browser resumes contacting Google. |
|
Interfaces |
|||
|
Configure DHCP relay trusted interfaces from the management center web interface. |
7.2.6 7.4.1 |
Any |
Upgrade impact. Redo any related FlexConfigs after upgrade. You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them. DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the threat defense DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address that is set by the relay agent before it forwards the packet to the server) is set to 0, then threat defense will drop that packet by default. You can preserve Option 82 and forward the packet by identifying an interface as a trusted interface. New/modified screens: Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version, redo your FlexConfigs. |
|
NAT |
|||
|
Create network groups while editing NAT rules. |
7.2.6 7.4.1 |
Any |
You can now create network groups in addition to network objects while editing a NAT rule. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. |
|
High Availability/Scalability |
|||
|
Reduced "false failovers" for threat defense high availability. |
7.2.6 7.4.0 |
7.2.6 7.4.0 |
Other version restrictions: Not supported with management center or threat defense Version 7.3.x. |
|
Single backup file for high availability management centers. |
7.2.6 7.4.1 |
Any |
When performing a configuration-only backup of the active management center in a high availability pair, the system now creates a single backup file which you can use to restore either unit. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Unified Backup of Management Centers in High Availability |
|
Event Logging & Analysis |
|||
|
Open the packet tracer from the unified event viewer. |
7.2.6 7.4.1 |
Any |
You can now open the packet tracer from the unified event view (). Click the ellipsis icon (...) next to the desired event and click Open in Packet Tracer. Other version restrictions: In Version 7.2.x, use the Expand icon (>) icon instead of the ellipsis icon. Not supported with management center Version 7.3.x or 7.4.0. |
|
Health Monitoring |
|||
|
Health alerts for excessive disk space used by deployment history (rollback) files. |
7.2.6 7.4.1 |
Any |
Upgrade impact. Deploy management center health policy after upgrade. The Disk Usage health module now alerts if deployment history (rollback) files are using excessive disk space on theged management center. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Disk Usage for Device Configuration History Files Health Alert |
|
Health alerts for NTP sync issues. |
7.2.6 7.4.1 |
Any |
Upgrade impact. Deploy management center health policy after upgrade. A new Time Server Status health module reports issues with NTP synchronization. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Time Synchronization and Health Modules |
|
Deployment and Policy Management |
|||
|
View and generate reports on configuration changes since your last deployment. |
7.2.6 7.4.1 |
Any |
You can generate, view, and download (as a zip file) the following reports on configuration changes since your last deployment:
This is especially useful after you upgrade either the management center or threat defense devices, so that you can see the changes made by the upgrade before you deploy. New/modified screens: . Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. |
|
Set the number of deployment history files to retain for device rollback. |
7.2.6 7.4.1 |
Any |
You can now set the number of deployment history files to retain for device rollback, up to ten (the default). This can help you save disk space on the management center. New/modified screens: Deploy > Deployment
History ( Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. |
|
Upgrade |
|||
|
Improved upgrade starting page and package management. |
7.2.6 7.4.1 |
Any |
A new upgrade page makes it easier to choose, download, manage, and apply upgrades to your entire deployment. This includes the management center, threat defense devices, and any older NGIPSv/ASA FirePOWER devices. The page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. You can easily choose and direct-download packages from Cisco, as well as manually upload and delete packages. Internet access is required to retrieve the list/direct download upgrade packages. Otherwise, you are limited to manual management. Patches are not listed unless you have at least one appliance at the appropriate maintenance release (or you manually uploaded the patch). You must manually upload hotfixes. New/modified screens:
Deprecated screens/options:
Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
|
Enable revert from the threat defense upgrade wizard. |
7.2.6 7.4.1 |
Any, if upgrading to 7.1+ |
You can now enable revert from the threat defense upgrade wizard. Other version restrictions: You must be upgrading threat defense to Version 7.1+. Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
|
Select devices to upgrade from the threat defense upgrade wizard. |
7.2.6 |
Any |
Use the wizard to select devices to upgrade. You can now use the threat defense upgrade wizard to select or refine the devices to upgrade. On the wizard, you can toggle the view between selected devices, remaining upgrade candidates, ineligible devices (with reasons why), devices that need the upgrade package, and so on. Previously, you could only use the Device Management page and the process was much less flexible. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
|
View detailed upgrade status from the threat defense upgrade wizard. |
7.2.6 7.4.1 |
Any |
The final page of the threat defense upgrade wizard now allows you to monitor upgrade progress. This is in addition to the existing monitoring capability on the Upgrade tab on the Device Management page, and on the Message Center. Note that as long as you have not started a new upgrade flow, brings you back to this final wizard page, where you can view the detailed status for the current (or most recently complete) device upgrade. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
|
Unattended threat defense upgrades. |
7.2.6 |
Any |
The threat defense upgrade wizard now supports unattended upgrades, using a new Unattended Mode menu. You just need to select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
|
Simultaneous threat defense upgrade workflows by different users. |
7.2.6 |
Any |
We now allow simultaneous upgrade workflows by different users, as long as you are upgrading different devices. The system prevents you from upgrading devices already in someone else's workflow. Previously, only one upgrade workflow was allowed at a time across all users. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
|
Skip pre-upgrade troubleshoot generation for threat defense devices. |
7.2.6 |
Any |
You can now skip the automatic generating of troubleshooting files before major and maintenance upgrades by disabling the new Generate troubleshooting files before upgrade begins option. This saves time and disk space. To manually generate troubleshooting files for a threat defense
device, choose System ( See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
|
Suggested release notifications. |
7.2.6 7.4.1 |
Any |
The management center now notifies you when a new suggested release is available. If you don't want to upgrade right now, you can have the system remind you later, or defer reminders until the next suggested release. The new upgrade page also indicates suggested releases. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Management Center New Features by Release |
|
New upgrade wizard for the management center. |
7.2.6 7.4.1 |
Any |
A new upgrade starting page and wizard make it easier to perform
management center upgrades. After you use System ( Other version restrictions: Only supported for management center upgrades from Version 7.2.6+/7.4.1+. Not supported for upgrades from Version 7.3.x or 7.4.0. To upgrade the management center to any version, see the upgrade guide for the version your management center is currently running: : Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center. If you are running Version 7.4.0, you can use the Version 7.3.x guide. |
|
Hotfix high availability management centers without pausing synchronization. |
7.2.6 7.4.1 |
Any |
Unless otherwise indicated by the hotfix release notes or Cisco TAC, you do not have to pause synchronization to install a hotfix on high availability management centers. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center |
|
Administration |
|||
|
Updated internet access requirements for direct-downloading software upgrades. |
7.2.6 7.4.1 |
Any |
Upgrade impact. The system connects to new resources. The management center has changed its direct-download location for software upgrade packages from sourcefire.com to amazonaws.com. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. |
|
Scheduled tasks download patches and VDB updates only. |
7.2.6 7.4.1 |
Any |
Upgrade impact. Scheduled download tasks stop retrieving maintenance releases. The Download Latest Update scheduled task
no longer downloads maintenance releases; now it only downloads
the latest applicable patches and VDB updates. To
direct-download maintenance (and major) releases to the
management center, use System ( Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. |
|
Download only the country code geolocation package. |
7.2.6 7.4.0 |
Any |
Upgrade impact. Upgrading can delete the IP package. In Version 7.2.6+/7.4.0+, you can configure the system to download only the country code package of the geolocation database (GeoDB), which maps IP addresses to countries/continents. The larger IP package with contextual data is now optional. IP package download is:
The first time you upgrade to any version where download is disabled by default, the system disables download and deletes any existing IP package. Without the IP package, you cannot view contextual geolocation data for IP addresses until you manually enable the option and update the GeoDB. New/modified screens:
|
|
Usability, Performance, and Troubleshooting |
|||
|
Enable/disable access control object optimization. |
7.2.6 7.4.1 |
Any |
You can now enable and disable access control object optimization from the management center web interface. New/modified screens: System ( Other version restrictions: Access control object optimization is automatically enabled on all management centers upgraded or reimaged to Versions 7.2.4–7.2.5 and 7.4.0, and automatically disabled on all management centers upgraded or reimaged to Version 7.3.x. It is configurable and enabled by default for management centers reimaged to Version 7.2.6+/7.4.1+, but respects your current setting when you upgrade to those releases. |
|
Cluster control link ping tool. |
7.2.6 7.4.1 |
Any |
You can check to make sure all the cluster nodes can reach each other over the cluster control link by performing a ping. One major cause for the failure of a node to join the cluster is an incorrect cluster control link configuration; for example, the cluster control link MTU may be set higher than the connecting switch MTUs. New/modified screens: > More ( Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. |
|
Snort 3 restarts when it uses too much memory, which can trigger HA failover. |
7.2.6 7.4.1 |
7.2.6 with Snort 3 7.4.1 with Snort 3 |
To improve continuity of operations, excessive memory use by Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process uses too much memory. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.) This feature is enabled by default. You can use the CLI to disable it, or configure the memory threshold. Platform restrictions: Not supported with clustered devices. New/modified CLI commands: configure snort3 memory-monitor , show snort3 memory-monitor-status Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0. |
|
Set the frequency of Snort 3 core dumps. |
7.2.6 7.4.1 |
7.2.6 with Snort 3 7.4.1 with Snort 3 |
You can now set the frequency of Snort 3 core dumps. Instead of generating a core dump every time Snort crashes, you can generate one the next time Snort crashes only. Or, generate one if a crash has not occurred in the last day, or week. Snort 3 core dumps are disabled by default for standalone devices. For high availability and clustered devices, the default frequency is now once per day instead of every time. New/modified CLI commands: configure coredump snort3 , show coredump Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0. |
|
Capture dropped packets with the Secure Firewall 3100/4200. |
7.2.6 7.4.1 |
7.2.6 (no 4200) 7.4.1 |
Packet losses resulting from MAC address table inconsistencies can impact your debugging capabilities. The Secure Firewall 3100/4200 can now capture these dropped packets. New/modified CLI commands: [drop{ disable| mac-filter} ] in the capture command. Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0. |
|
Deprecated Features |
|||
|
Deprecated: DHCP relay trusted interfaces with FlexConfig. |
7.2.6 7.4.1 |
Any |
Upgrade impact. Redo any related FlexConfigs after upgrade. You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them. Other version restrictions: This feature is not supported with management center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version, also redo your FlexConfigs. |
)Management Center Features in Version 7.2.5
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Interfaces |
|||
|
Management center detects interface sync errors. |
7.2.5 7.4.1 |
Any |
Upgrade impact. You may need to sync interfaces after upgrade. In some cases, the management center can be missing a configuration for an interface even though the interface is correctly configured and functioning on the device. If this happens, and your management center is running:
Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. The management center will neither block deploy nor warn you of missing configurations. You can still sync interfaces manually if you think you are having an issue. |
Management Center Features in Version 7.2.4
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Default Forward Error Correction (FEC) on Secure Firewall 3100 fixed ports changed to Clause 108 RS-FEC from Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers. |
7.2.4 |
Any |
When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the default type is now set to Clause 108 RS-FEC instead of Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers. See: Interface Overview. |
|
Automatically update CA bundles. |
7.0.5 7.1.0.3 7.2.4 |
7.0.5 7.1.0.3 7.2.4 |
Upgrade impact. The system connects to Cisco for something new. The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature. New/modified CLI commands: configure cert-update auto-update , configure cert-update run-now , configure cert-update test , show cert-update Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco. See: Firepower Management Center Command Line Reference and Cisco Secure Firewall Threat Defense Command Reference |
|
Access control performance improvements (object optimization). |
7.2.4 |
Any |
Upgrade impact. First deployment after management center upgrade to 7.2.4–7.2.5 or 7.4.0 can take a long time and increase CPU use on managed devices. Access control object optimization improves performance and consumes fewer device resources when you have access control rules with overlapping networks. The optimizations occur on the managed device on the first deploy after the feature is enabled on the management center (including if it is enabled by an upgrade). If you have a high number of rules, the system can take several minutes to an hour to evaluate your policies and perform object optimization. During this time, you may also see higher CPU use on your devices. A similar thing occurs on the first deploy after the feature is disabled (including if it is disabled by upgrade). After this feature is enabled or disabled, we recommend you deploy when it will have the least impact, such as a maintenance window or a low-traffic time. New/modified screens
(requires Version 7.2.6/7.4.1): System ( Other version restrictions: Not supported with management center Version 7.3.x. |
|
Smaller VDB for lower memory Snort 2 devices. |
6.4.0.17 7.0.6 7.2.4 7.3.1.1 7.4.0 |
Any with Snort 2 |
Upgrade impact. Application identification on lower memory devices is affected. For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB. Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641. |
Management Center Features in Version 7.2.3
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Firepower 1010E. |
7.2.3.1 7.3.1.1 |
7.2.3 |
We introduced the Firepower 1010E, which does not support power over Ethernet (PoE). Do not use a Version 7.2.3 or Version 7.3.0 management center to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version 7.3.1.1+ management center. Version restrictions: These devices do not support Version 7.3.x or 7.4.0. Support returns in Version 7.4.1. |
Management Center Features in Version 7.2.2
This release introduces stability, hardening, and performance enhancements.
Management Center Features in Version 7.2.1
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
Hardware bypass ("fail-to-wire") network modules for the Secure Firewall 3100. |
7.2.1 |
7.2.1 |
We introduced these hardware bypass network modules for the Secure Firewall 3100:
New/modified screens: Devices > Device Management > Interfaces > Edit Physical Interface For more information, see Inline Sets and Passive Interfaces. |
|
Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM. |
7.2.1 |
7.2.1 |
We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM. For more information, see Getting Started with Secure Firewall Threat Defense Virtual and KVM. |
Management Center Features in Version 7.2.0
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Platform |
||||||||||||||||||||||||||||||||
|
Snapshots allow quick deploy of threat defense virtual for AWS and Azure. |
7.2.0 |
7.2.0 |
You can now take a snapshot of a threat defense virtual for AWS or Azure instance, then use that snapshot to quickly deploy new instances. This feature also improves the performance of the autoscale solutions for AWS and Azure. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|||||||||||||||||||||||||||||
|
Analytics mode for cloud-managed threat defense devices. |
7.2.0 |
7.0.3 7.2.0 |
Concurrently with Version 7.2, we introduced the Cisco Cloud-delivered Firewall Management Center. The cloud-delivered Firewall Management Center uses the Cisco Defense Orchestrator (CDO) platform and unites management across multiple Cisco security solutions. We take care of feature updates. On-prem hardware and virtual management centers running Version 7.2+ can "co-manage" cloud-managed threat defense devices, but for event logging and analytics purposes only. You cannot deploy policy to these devices from an on-prem management center. New/modified screens:
New/modified CLI commands: configure manager add , configure manager delete , configure manager edit , show managers Version restrictions: Not supported with threat defense Version 7.1. For more information, see Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator. |
|||||||||||||||||||||||||||||
|
ISA 3000 support for shutting down. |
7.2.0 |
7.2.0 |
Support returns for shutting down the ISA 3000. This feature was introduced in Version 7.0.2 but was temporarily deprecated in Version 7.1. |
|||||||||||||||||||||||||||||
|
High Availability/Scalability |
||||||||||||||||||||||||||||||||
|
Clustering for threat defense virtual in both public and private clouds. |
7.2.0 |
7.2.0 |
You can now configure clustering for the following threat defense virtual platforms:
New/modified screens:
For more information, see Clustering for Threat Defense Virtual in a Public Cloud (AWS, GCP) or Clustering for Threat Defense Virtual in a Private Cloud (KVM, VMware). |
|||||||||||||||||||||||||||||
|
Support for 16-node clusters. |
7.2.0 |
7.2.0 |
You can now configure 16-node clusters for the following platforms:
The Secure Firewall 3100 still only supports 8 nodes. For more information, see Clustering for the Firepower 4100/9300 or Clustering for Threat Defense Virtual in a Public Cloud. |
|||||||||||||||||||||||||||||
|
Autoscale for threat defense virtual for AWS gateway load balancers. |
7.2.0 |
7.2.0 |
We now support autoscale for threat defense virtual for AWS gateway load balancers, using a CloudFormation template. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|||||||||||||||||||||||||||||
|
Autoscale for threat defense virtual for GCP. |
7.2.0 |
7.2.0 |
Upgrade impact. Threat defense virtual for GCP cannot upgrade across Version 7.2.0. We now support autoscale for threat defense virtual for GCP, by positioning a threat defense virtual instance group between a GCP internal load balancer (ILB) and a GCP external load balancer (ELB). Version restrictions: Due to interface changes required to support this feature, threat defense virtual for GCP upgrades cannot cross Version 7.2.0. That is, you cannot upgrade to Version 7.2.0+ from Version 7.1.x and earlier. You must deploy a new instance and redo any device-specific configurations. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|||||||||||||||||||||||||||||
|
Interfaces |
||||||||||||||||||||||||||||||||
|
LLDP support for the Firepower 2100 and Secure Firewall 3100. |
7.2.0 |
7.2.0 |
You can now enable Link Layer Discovery Protocol (LLDP) for Firepower 2100 and Secure Firewall 3100 series interfaces. New/modified screens: New/modified commands: show lldp status , show lldp neighbors , show lldp statistics For more information, see Interface Overview. |
|||||||||||||||||||||||||||||
|
Pause frames for flow control for the Secure Firewall 3100. |
7.2.0 |
7.2.0 |
If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue. New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration > Network Connectivity For more information, see Interface Overview. |
|||||||||||||||||||||||||||||
|
Breakout ports for the Secure Firewall 3130 and 3140. |
7.2.0 |
7.2.0 |
You can now configure four 10 GB breakout ports for each 40 GB interface on the Secure Firewall 3130 and 3140. New/modified screens: Devices > Device Management > Chassis Operations For more information, see Interface Overview. |
|||||||||||||||||||||||||||||
|
Configure VXLAN from the management center web interface. |
7.2.0 |
Any |
Upgrade impact. Redo FlexConfigs after upgrade. You can now use the management center web interface to configure VXLAN interfaces. VXLANs act as Layer 2 virtual network over a Layer 3 physical network to stretch the Layer 2 network. If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings. New/modified screens:
For more information, see Regular Firewall Interfaces. |
|||||||||||||||||||||||||||||
|
NAT |
||||||||||||||||||||||||||||||||
|
Enable, disable, or delete more than one NAT rule at a time. |
7.2.0 |
Any |
You can select multiple NAT rules and enable, disable, or delete them all at the same time. Enable and disable apply to manual NAT rules only, whereas delete applies to any NAT rule. For more information, see Network Address Translation. |
|||||||||||||||||||||||||||||
|
VPN |
||||||||||||||||||||||||||||||||
|
Certificate and SAML authentication for RA VPN connection profiles. |
7.2.0 |
7.2.0 |
We now support certificate and SAML authentication for RA VPN connection profiles. You can authenticate a machine certificate or user certificate before a SAML authentication/authorization is initiated. This can be done using DAP certificate attributes along with user specific SAML DAP attributes. New/modified screens: You can now choose Certificate & SAML option when choosing the authentication method for the connection profile in an RA VPN policy. For more information, see Remote Access VPN. |
|||||||||||||||||||||||||||||
|
Route-based site-to-site VPN with hub and spoke topology. |
7.2.0 |
7.2.0 |
We added support for route-based site-to-site VPNs in a hub and spoke topology. Previously, that topology only supported policy-based (crypto map) VPNs. New/modified screens: When you add a new VPN topology and choose Route Based (VTI), you can now also choose Hub and Spoke. For more information, see Site-to-Site VPNs. |
|||||||||||||||||||||||||||||
|
IPsec flow offload for the Secure Firewall 3100. |
7.2.0 |
7.2.0 |
On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance. You can change the configuration using FlexConfig and the flow-offload-ipsec command. For more information, see Site-to-Site VPNs. |
|||||||||||||||||||||||||||||
|
Routing |
||||||||||||||||||||||||||||||||
|
Configure EIGRP from the management center web interface. |
7.2.0 |
Any |
Upgrade impact. Redo FlexConfigs after upgrade. You can now use the management center web interface to configure EIGRP. Note that you can only enable EIGRP on interfaces belonging to the device's Global virtual router. If you configured EIGRP with FlexConfig in a previous version, the system allows you to deploy post-upgrade, but also warns you to redo your EIGRP configurations in the web interface. When you are satisfied with the new configuration, you can delete the deprecated FlexConfig objects or commands. To help you with this process, we provide a command-line migration tool. New/modified screens: For more information, see EIGRP and Migrating FlexConfig Policies. |
|||||||||||||||||||||||||||||
|
Virtual router support for the Firepower 1010. |
7.2.0 |
7.2.0 |
You can now configure up to five virtual routers on the Firepower 1010. For more information, see Virtual Routers. |
|||||||||||||||||||||||||||||
|
Support for VTIs in user-defined virtual routers. |
7.2.0 |
7.2.0 |
You can now assign virtual tunnel interfaces to user-defined virtual routers. Previously, you could only assign VTIs to Global virtual routers. New/modified screens: For more information, see Virtual Routers. |
|||||||||||||||||||||||||||||
|
Policy-based routing with path monitoring. |
7.2.0 |
7.2.0 |
You can now use path monitoring to collect the performance metrics (RTT, jitter, packet-lost, and MOS) of a device's egress interfaces. Then, you can use these metrics to determine the best path for policy based routing. New/modified screens:
New/modified CLI commands: show policy route , show path-monitoring , clear path-monitoring For more information, see Policy Based Routing. |
|||||||||||||||||||||||||||||
|
Threat Intelligence |
||||||||||||||||||||||||||||||||
|
DNS-based threat intelligence from Cisco Umbrella. |
7.2.0 |
Any |
We now support DNS-based Security Intelligence using regularly updated information from Cisco Umbrella. You can use both a local DNS policy and an Umbrella DNS policy, for two layers of protection. New/modified screens:
For more information, see DNS Policies. |
|||||||||||||||||||||||||||||
|
IP-based threat intelligence from Amazon GuardDuty. |
7.2.0 |
Any |
You can now handle traffic based on malicious IP addresses detected by Amazon GuardDuty, when integrated with management center virtual for AWS. The system consumes this threat intelligence via a custom Security Intelligence feed, or via a regularly updated network object group, which you can then use in your security policies. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|||||||||||||||||||||||||||||
|
Access Control and Threat Detection |
||||||||||||||||||||||||||||||||
|
Dynamic object management with:
|
7.2.0 |
Any |
Concurrently with Version 7.2, we released the following updates to the Cisco Secure Dynamic Attributes Connector:
|
|||||||||||||||||||||||||||||
|
Bypass inspection or throttle elephant flows on Snort 3 devices. |
7.2.0 |
7.2.0 with Snort 3 |
You can now detect and optionally bypass inspection or throttle elephant flows. By default, access control policies are set to generate an event when the system sees an unencrypted connection larger than 1 GB/10 sec; the rate limit is configurable. For the Firepower 2100 series, you can detect elephant flows but not bypass inspection or throttle. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use Intelligent Application Bypass (IAB). New/modified screens: We added Elephant Flow Settings to the access control policy's Advanced tab. For more information, see Elephant Flow Detection. |
|||||||||||||||||||||||||||||
|
Encrypted visibility engine enhancements. |
7.2.0 |
7.2.0 with Snort 3 |
We made the following enhancements to the encrypted visibility engine (EVE):
The following connection event fields have changed along with these enhancements:
This feature now requires a Threat license. For more information, see Access Control Policies and Application Detection. |
|||||||||||||||||||||||||||||
|
TLS 1.3 inspection. |
7.2.0 |
7.2.0 with Snort 3 |
We now support inspection of TLS 1.3 traffic. New/modified screens: We added the Enable TLS 1.3 Decryption option to the Advanced Settings tab in SSL policies. Note that this option is disabled by default. For more information, see SSL Policies. |
|||||||||||||||||||||||||||||
|
Improved portscan detection. |
7.2.0 |
7.2.0 with Snort 3 |
With an improved portscan detector, you can easily configure the system to detect or prevent portscans. You can refine the networks you want to protect, set the sensitivity, and so on. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use the network analysis policy for portscan detection. New/modified screens: We added Threat Detection to the access control policy's Advanced tab. For more information, see Threat Detection. |
|||||||||||||||||||||||||||||
|
VBA macro inspection. |
7.2.0 |
7.2.0 with Snort 3 |
We now support inspection of VBA (Visual Basic for Applications) macros in Microsoft Office documents, which is done by decompressing the macros and matching rules against the decompressed content. By default, VBA macro decompression is disabled in all system-provided network analysis policies. To enable it use the decompress_vba setting in the imap, smtp, http_inspect, and pop Snort 3 inspectors. To configure custom intrusion rules to match against decompressed macros, use the vba_data option. For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide. |
|||||||||||||||||||||||||||||
|
Improved JavaScript inspection. |
7.2.0 |
7.2.0 with Snort 3 |
We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. A new normalizer's enhancements include improved white-space normalization, semicolon insertions, cross-site script handling, identifier normalization and dealiasing, just-in-time (JIT) inspection, and the ability to inspect external scripts. By default, the new normalizer is enabled in all system-provided network analysis policies. To tweak performance or disable the feature in a custom network analysis policy, use the js_norm (improved normalizer) and normalize_javascript (legacy normalizer) settings in the https_inspect Snort 3 inspector. To configure custom intrusion rules to match against normalized JavaScript, use the js_data option, for example: For more information, see HTTP Inspect Inspector in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide. |
|||||||||||||||||||||||||||||
|
Improved SMB 3 inspection. |
7.2.0 |
7.2.0 with Snort 3 |
We now support inspection of SMB 3 traffic in the following situations:
For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide. |
|||||||||||||||||||||||||||||
|
Event Logging and Analysis |
||||||||||||||||||||||||||||||||
|
Improved SecureX integration, SecureX orchestration. |
7.2.0 |
Any |
We have streamlined the SecureX integration process. Now, as long as you already have a SecureX account, you just choose your cloud region on the new Integration > SecureX page, click Enable SecureX, and authenticate to SecureX. The option to send events to the cloud, as well as to enable Cisco Success Network and Cisco Support Diagnostics, are also moved to this new page. When you enable SecureX integration on this new page, licensing and management for the system's cloud connection switches from Cisco Smart Licensing to SecureX. If you already enabled SecureX the "old" way, you must disable and re-enable to get the benefits of this cloud connection management. Note that this page also governs the cloud region for and
event types sent to the Secure Network
Analytics (Stealthwatch) cloud using Security
Analytics and Logging (SaaS), even though the web interface does not indicate this.
Previously, these options were on System ( The management center also now supports SecureX orchestration—a powerful drag-and-drop interface you can use to automate workflows across security tools. After you enable SecureX, you can enable orchestration. As part of this feature, you can no longer use the REST API to configure SecureX integration. You must use the FMC web interface. Version restrictions: This feature is included in Versions 7.0.2+ and 7.2+. It is not supported in Version 7.1. If you use the new method to enable SecureX integration in Version 7.0.x, you cannot upgrade to Version 7.1 unless you disable the feature. We recommend you upgrade to Version 7.2+. See: Cisco Secure Firewall Management Center (7.0.2 and 7.2) and SecureX Integration Guide |
|||||||||||||||||||||||||||||
|
Log security events to multiple Secure Network Analytics on-prem data stores. |
7.2.0 |
7.0.0 |
When you configure a Secure Network Analytics Data Store (multi-node) integration, you can now add multiple flow collectors for security events. You assign each flow collector to one or more threat defense devices running Version 7.0+. New/modified screens:
This feature requires Secure Network Analytics Version 7.1.4. For more information, see the Cisco Security Analytics and Logging (On Premises): Firewall Event Integration Guide. |
|||||||||||||||||||||||||||||
|
Database access changes. |
7.2.0 |
Any |
We added ten new tables, deprecated one table, and prohibited joins in six tables. We also added fields to various tables for Snort 3 support and to provide timestamps and IP addresses in human-readable format. For more information, see the What's New topic in the Cisco Secure Firewall Management Center Database Access Guide, Version 7.2. |
|||||||||||||||||||||||||||||
|
eStreamer changes. |
7.2.0 |
Any |
A new Python-based reference client has been added to the SDK. Also, you can now request fully qualified events. For more information, see the What's New topic in the Cisco Secure Firewall Management Center Event Streamer Integration Guide, Version 7.2. |
|||||||||||||||||||||||||||||
|
Deployment and Policy Management |
||||||||||||||||||||||||||||||||
|
Auto rollback of a deployment that causes a loss of management connectivity. |
7.2.0 |
7.2.0 |
You can now enable auto rollback of the configuration if a deployment causes the management connection between the management center and threat defense to go down. Previously, you could only manually roll back a configuration using the configure policy rollback command. New/modified screens:
For more information, see Device Management. |
|||||||||||||||||||||||||||||
|
Generate and email a report when you deploy configuration changes. |
7.2.0 |
Any |
You can now generate a report for any deploy task. The report contains details about the deployed configuration. New/modified pages: Deployment
History ( For more information, see Configuration Deployment. |
|||||||||||||||||||||||||||||
|
Access control policy locking. |
7.2.0 |
Any |
You can now lock an access control policy to prevent other administrators from editing it. Locking the policy ensures that your changes will not be invalidated if another administrator edits the policy and saves changes before you save your changes. Any user who has permission to modify the access control policy has permission to lock it. We added an icon to lock or unlock a policy next to the policy name while editing the policy. In addition, there is a new permission to allow users to unlock policies locked by other administrators: Override Access Control Policy Lock. This permission is enabled by default in the Administrator, Access Admin, and Network Admin roles. For more information, see Access Control Policies. |
|||||||||||||||||||||||||||||
|
Object group search is enabled by default. |
7.2.0 |
Any |
The Object Group Search setting is now enabled by default when you add a device to the management center. New/modified screens: For more information, see Device Management. |
|||||||||||||||||||||||||||||
|
Access control rule hit counts persist over reboot. |
7.2.0 |
7.2.0 |
Rebooting a managed device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained by each unit in an HA pair or cluster separately. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or see the counts per node. New/modified CLI commands: show rule hits For more information, see the Cisco Secure Firewall Threat Defense Command Reference. |
|||||||||||||||||||||||||||||
|
Usability improvements for the access control policy. |
7.2.0 |
Any |
There is a new user interface available for the access control policy. You can continue to use the legacy user interface, or you can try out the new user interface. The new interface has both a table and a grid view for the rules list, the ability to show or hide columns, enhanced search, infinite scroll, a clearer view of the packet flow related to policies associated with the access control policy, and a simplified add/edit dialog box for creating rules. You can freely switch back and forth between the legacy and new user interfaces while editing an access control policy. Restrictions: The new interface is experimenal. It does not have all the features available in the legacy interface. For more information, see Access Control Policies. |
|||||||||||||||||||||||||||||
|
Upgrade |
||||||||||||||||||||||||||||||||
|
Copy upgrade packages ("peer-to-peer sync") from device to device. |
7.2.0 |
7.2.0 |
Instead of copying upgrade packages to each device from the management center or internal web server, you can use the threat defense CLI to copy upgrade packages between devices ("peer to peer sync"). This secure and reliable resource-sharing goes over the management network but does not rely on the management center. Each device can accommodate 5 package concurrent transfers. This feature is supported for Version 7.2.x–7.4.x standalone devices managed by the same Version 7.2.x–7.4.x standalone management center. It is not supported for:
New/modified CLI commands: configure p2psync enable , configure p2psync disable , show peers , show peer details , sync-from-peer , show p2p-sync-status For more information, see Copy Threat Defense Upgrade Packages between Devices. |
|||||||||||||||||||||||||||||
|
Auto-upgrade to Snort 3 after successful threat defense upgrade. |
7.2.0 |
7.2.0 |
When you use a Version 7.2+ management center to upgrade threat defense to Version 7.2+, you can now choose whether to Upgrade Snort 2 to Snort 3. After the software upgrade, eligible devices upgrade from Snort 2 to Snort 3 when you deploy configurations. For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For help, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version. Version restrictions: Not supported for threat defense upgrades to Version 7.0.x or 7.1.x. |
|||||||||||||||||||||||||||||
|
Upgrade for single-node clusters. |
7.2.0 |
Any |
You can now use the device upgrade page () to upgrade clusters with only one active
node. Any deactivated nodes are also upgraded. Previously,
this type of upgrade would fail. This feature is not
supported from the system updates page (System ( Hitless upgrades are also not supported in this case. Interruptions to traffic flow and inspection depend on the interface configurations of the lone active unit, just as with standalone devices. Supported platforms: Firepower 4100/9300, Secure Firewall 3100 |
|||||||||||||||||||||||||||||
|
Revert threat defense upgrades from the CLI. |
7.2.0 |
7.2.0 |
You can now revert threat defense upgrades from the device CLI if communications between the management center and device are disrupted. Note that in high availability/scalability deployments, revert is more successful when all units are reverted simultaneously. When reverting with the CLI, open sessions with all units, verify that revert is possible on each, then start the processes at the same time.
New/modified CLI commands: upgrade revert , show upgrade revert-info . For more information, see Revert the Upgrade. |
|||||||||||||||||||||||||||||
|
Administration |
||||||||||||||||||||||||||||||||
|
Back up and restore threat defense virtual for AWS. |
7.2.0 |
Any |
You can now use the management center to back up threat defense virtual for AWS, except device clusters. To restore, use the device CLI. For more information, see Backup/Restore. |
|||||||||||||||||||||||||||||
|
Multiple DNS server groups for resolving DNS requests. |
7.2.0 |
Any |
You can configure multiple DNS groups for the resolution of DNS requests from client systems. You can use these DNS server groups to resolve requests for different DNS domains. For example, you could have a catch-all default group that uses public DNS servers, for use with connections to the Internet. You could then configure a separate group to use internal DNS servers for internal traffic, for example, any connection to a machine in the example.com domain. Thus, connections to an FQDN using your organization’s domain name would be resolved using your internal DNS servers, whereas connections to public servers use external DNS servers. New/modified screens: For more information, see Platform Settings. |
|||||||||||||||||||||||||||||
|
Configure certificate validation with threat defense by usage type. |
7.2.0 |
7.2.0 |
You can now specify the usage types where validation is allowed with the trustpoint (the threat defense device): IPsec client connections, SSL client connections, and SSL server certificates. New/modified screens: We added a Validation Usage option to certificate enrollment objects: . For more information, see Object Management. |
|||||||||||||||||||||||||||||
|
GeoDB is split into two packages. |
7.2.0 |
Any |
In May 2022, shortly before the Version 7.2 release, we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on. If your Version 7.2.0–7.2.5 management center has internet access and you enable recurring updates or you manually kick off a one-time update from the Cisco Support & Download site, the system automatically obtains both packages. In Version 7.2.6+/7.4.0+, you can configure whether you want the system to obtain the IP package. If you manually download updates—for example, in an air-gapped deployment—you must import the packages separately:
Help
( For more information, see Updates. |
|||||||||||||||||||||||||||||
|
French language option for web interface. |
7.2.0 |
Any |
You can now switch the management center web interface to French. New/modified screens: System ( For more information, see System Configuration. |
|||||||||||||||||||||||||||||
|
Web interface changes: deployment and user activity integrations. |
7.2.0 |
Any |
Version 7.2 changes these management center menu options in all cases.
|
|||||||||||||||||||||||||||||
|
Web interface changes: SecureX, threat intelligence, and other integrations. |
7.2.0 |
Any |
Version 7.2 changes these management center menu options if you are upgrading from Version 7.0.1 or earlier, or from Version 7.1.
|
|||||||||||||||||||||||||||||
|
Usability, Performance, and Troubleshooting |
||||||||||||||||||||||||||||||||
|
Dropped packet statistics for the Secure Firewall 3100. |
7.2.0 |
7.2.0 |
The new show packet-statistics threat defense CLI command displays comprehensive information about non-policy related packet drops. Previously this information required using several commands. For more information, see the Cisco Secure Firewall Threat Defense Command Reference. |
|||||||||||||||||||||||||||||
|
Cisco Success Network telemetry. |
7.2.0 |
Any |
For telemetry changes, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center, Version 7.2. |
|||||||||||||||||||||||||||||
|
Management Center REST API |
||||||||||||||||||||||||||||||||
|
Management center REST API. |
7.2.0 |
Any |
For information on changes to the FMC REST API, see What's New in 7.2 in the REST API quick start guide. |
|||||||||||||||||||||||||||||
|
Deprecated Features |
||||||||||||||||||||||||||||||||
|
Deprecated: EIGRP with FlexConfig. |
7.2.0 |
Any |
You can now configure EIGRP routing from the management center web interface. You no longer need these FlexConfig objects: Eigrp_Configure, Eigrp_Interface_Configure, Eigrp_Unconfigure, Eigrp_Unconfigure_all. And these associated text objects: eigrpAS, eigrpNetworks, eigrpDisableAutoSummary, eigrpRouterId, eigrpStubReceiveOnly, eigrpStubRedistributed, eigrpStubConnected, eigrpStubStatic, eigrpStubSummary, eigrpIntfList, eigrpAS, eigrpAuthKey, eigrpAuthKeyId, eigrpHelloInterval, eigrpHoldTime, eigrpDisableSplitHorizon. The system does allow you to deploy post-upgrade, but also warns you to redo your EIGRP configurations. To help you with this process, we provide a command-line migration tool. For details, see Migrating FlexConfig Policies . |
|||||||||||||||||||||||||||||
|
Deprecated: VXLAN with FlexConfig. |
7.2.0 |
Any |
You can now configure VXLAN interfaces from the management center web interface. You no longer need these FlexConfig objects: VxLAN_Clear_Nve, VxLAN_Clear_Nve_Only, VxLAN_Configure_Port_And_Nve, VxLAN_Make_Nve_Only, VxLAN_Make_Vni. And these associated text objects: vxlan_Port_And_Nve, vxlan_Nve_Only, vxlan_Vni. If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings. |
|||||||||||||||||||||||||||||
|
Deprecated: Automatic pre-upgrade troubleshooting. |
7.2.0 |
Any |
To save time and disk space, the management center upgrade process no longer automatically generates troubleshooting files before the upgrade begins. Note that device upgrades are unaffected and continue to generate troubleshooting files. To manually generate troubleshooting files for the management
center, choose System ( |
|||||||||||||||||||||||||||||
)FMC Features in Version 7.1.0
Note |
You cannot manage a Version 7.1 device with cloud-delivered Firewall Management Center. If your cloud-managed devices are running Version 7.0, upgrade directly to Version 7.2+ to take advantage of the features listed here. |
|
Feature |
Details |
|---|---|
|
Automatically update CA bundles. |
Upgrade impact. The system connects to Cisco for something new. The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature. New/modified CLI commands: configure cert-update auto-update , configure cert-update run-now , configure cert-update test , show cert-update Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco. See: Firepower Management Center Command Line Reference and Cisco Secure Firewall Threat Defense Command Reference |
|
Feature |
Details |
|||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Platform |
||||||||||||||||||||||||||||||
|
Secure Firewall 3100 |
We introduced the Secure Firewall 3110, 3120, 3130, and 3140. You can hot swap a network module of the same type while the firewall is powered up without having to reboot; making other module changes requires a reboot. Secure Firewall 3100 25 Gbps interfaces support Forward Error Correction as well as speed detection based on the SFP installed. The SSDs are self-encrypting drives (SEDs), and if you have 2 SSDs, they form a software RAID. These devices support up to 8 units for Spanned EtherChannel clustering. Note that the Version 7.1.0 release does not include online help for these devices; new online help is included in Version 7.1.0.2. New/modified screens:
New/modified FTD CLI commands: configure network speed , configure raid , show raid , show ssd |
|||||||||||||||||||||||||||||
|
FMCv300 for AWS FMCv300 for OCI |
We introduced the FMCv300 for both AWS and OCI. The FMCv300 can manage up to 300 devices. |
|||||||||||||||||||||||||||||
|
FTDv for AWS instances. |
FTDv for AWS adds support for these instances:
|
|||||||||||||||||||||||||||||
|
FTDv for Azure instances. |
FTDv for Azure adds support for these instances:
|
|||||||||||||||||||||||||||||
|
Use FDM to configure the FTD for management by the FMC. |
When you perform initial setup using FDM, all interface configuration completed in FDM is retained when you switch to FMC for management, in addition to the Management and FMC access settings. Note that other default configuration settings, such as the access control policy or security zones, are not retained. When you use the FTD CLI, only the Management and FMC access settings are retained (for example, the default inside interface configuration is not retained). After you switch to FMC, you can no longer use FDM to manage the FTD. New/modified FDM screens: |
|||||||||||||||||||||||||||||
|
Device Upgrade |
||||||||||||||||||||||||||||||
|
Revert a successful device upgrade. |
You can now revert major and maintenance upgrades to FTD. Reverting returns the software to its state just before the last upgrade, also called a snapshot. If you revert an upgrade after installing a patch, you revert the patch as well as the major and/or maintenance upgrade.
This feature is not supported for container instances. Minimum FTD: 7.1 |
|||||||||||||||||||||||||||||
|
Improvements to the upgrade workflow for clustered and high availability devices. |
We made the following improvements to the upgrade workflow for clustered and high availability devices:
|
|||||||||||||||||||||||||||||
|
Snort 3 backwards compatibility. |
For Snort 3, new features and resolved bugs require that you fully upgrade the FMC and its managed devices. Unlike Snort 2, you cannot update the inspection engine on an older device (for example, Version 7.0) by deploying from a newer FMC (for example, Version 7.1). When you deploy to an older device, the system lists any unsupported configurations and warns you that they will be skipped. We recommend you always update your entire deployment. |
|||||||||||||||||||||||||||||
|
Device Management |
||||||||||||||||||||||||||||||
|
Geneve interface support for an FTDv on AWS instances. |
Geneve encapsulation support was added to support single-arm proxy for the AWS Gateway Load Balancer (GWLB). The AWS GWLB combines a transparent network gateway (with a single entry and exit point for all traffic) and a load balancer that distributes traffic and scales FTDv to match the traffic demand. This support requires FMC with Snort 3 enabled and is available on the following performance tiers:
|
|||||||||||||||||||||||||||||
|
Single Root I/O Virtualization (SR-IOV) support for FTDv on OCI. |
You can now implement Single Root Input/Output Virtualization (SR-IOV) for FTDv on OCI. SR-IOV can provide performance improvements for an FTDv. Mellanox 5 as vNICs are not supported in SR-IOV mode. |
|||||||||||||||||||||||||||||
|
LLDP support for the Firepower 1100. |
You can now enable Link Layer Discovery Protocol (LLDP) for Firepower 1100 interfaces. New/modified screens: New/modified commands: show lldp status , show lldp neighbors , show lldp statistics Supported platforms: Firepower 1100 (1120, 1140, and 1150) |
|||||||||||||||||||||||||||||
|
Interface auto-negotiation is now set independently from speed and duplex, interface sync improved. |
Interface auto-negotiation is now set independently from speed and duplex. Also, when you sync the interfaces in FMC, hardware changes are detected more effectively. New/modified screens: Supported platforms: Firepower 1000/2100, Secure Firewall 3100 |
|||||||||||||||||||||||||||||
|
Support to specify trusted DNS servers. |
You can use FTD platform settings to specify trusted DNS servers for DNS snooping. This helps detect applications on the first packet by mapping domains to IP addresses. By default, trusted DNS servers include those in DNS server objects, and those discovered by dhcp-pool, dhcp-relay, and dhcp-client. |
|||||||||||||||||||||||||||||
|
Import and export device configurations. |
You can export the device-specific configuration, and you can then import the saved configuration for the same device in the following use cases:
New/modified screens: |
|||||||||||||||||||||||||||||
|
High Availability/Scalability |
||||||||||||||||||||||||||||||
|
High availability for:
|
We now support high availability on FMCv for AWS and FMCv for OCI. In an FTD deployment, you need two identically licensed FMCs, as well as one FTD entitlement for each managed device. For example, to manage 10 FTD devices with an FMCv10 high availability pair, you need two FMCv10 entitlements and 10 FTD entitlements. If you are managing Version 6.5.0–7.0.x Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv entitlements. Supported platforms: FMCv10, FMCv25, FMCv300 (not supported for FMCv2) |
|||||||||||||||||||||||||||||
|
Autoscale on FTDv for OCI. |
We now support autoscaling on FTDv for OCI. The serverless infrastructure in cloud-based deployments allow you to automatically adjust the number of FTDv instances in an autoscale group based on capacity needs. This includes automatic registering/unregistering to and from the managing FMC. |
|||||||||||||||||||||||||||||
|
Cluster deployment for firewall changes completes faster. |
Cluster deployment for firewall changes now completes faster. Supported platforms: Firepower 4100/9300, Secure Firewall 3100 |
|||||||||||||||||||||||||||||
|
Clearing routes in a high availability group or cluster. |
In previous releases, the clear route command cleared the routing table on the unit only. Now, when operating in a high availability group or cluster, the command is available on the active or control unit only, and clears the routing table on all units in the group or cluster. |
|||||||||||||||||||||||||||||
|
NAT |
||||||||||||||||||||||||||||||
|
Manual NAT support for fully-qualified domain name (FQDN) objects as the translated destination. |
You can use an FQDN network object, such as one specifying www.example.com, as the translated destination address in manual NAT rules. The system configures the rule based on the IP address returned from the DNS server. |
|||||||||||||||||||||||||||||
|
Routing |
||||||||||||||||||||||||||||||
|
BGP configuration to interconnect virtual routers. |
You can configure BGP settings to dynamically leak routes among user-defined virtual routers, and between global virtual router and user-defined virtual routers. The import and export routes feature was introduced to exchange routes among the virtual routers by tagging them with route targets and optionally, filtering the matched routes with route maps. This BGP feature is accessible only when you select a user-defined virtual router. New/modified screens: For a selected user-defined virtual router, |
|||||||||||||||||||||||||||||
|
BGPv6 support for user-defined virtual routers. |
FTD now supports configuring BGPv6 on user-defined virtual routers. New/modified screens: For a selected user-defined virtual router, |
|||||||||||||||||||||||||||||
|
Configure Equal-Cost-Multi-Path (ECMP) from the FMC web interface. |
Upgrade impact. Redo FlexConfigs after upgrade. You can now group interfaces in traffic zones and configure Equal-Cost-Multi-Path (ECMP) routing in FMC. ECMP routing was previously supported through FlexConfig policies. New/modified screens: |
|||||||||||||||||||||||||||||
|
Configure policy based routing from the FMC web interface. |
Upgrade impact. Redo FlexConfigs after upgrade. You can now configure policy based routing (PBR) from the FMC web interface. This allows you to classify network traffic based on applications and to implement direct internet access (DIA) to send traffic to the internet from a branch deployment. You can define a PBR policy and configure it on ingress interfaces, specifying match criteria and egress interfaces. Network traffic that matches the access control policy is forwarded through the egress interface based on priority or the order as configured in the policy. This feature requires Version 7.1+ on both the FMC and the device. When you upgrade the FMC to Version 7.1+, existing policy based routing FlexConfigs are removed. After you upgrade your devices to Version 7.1+, redo your policy based routing configurations in the FMC web interface. For devices that you do not upgrade to Version 7.1+, redo the FlexConfigs and configure them to deploy "every time." New/modified screens: |
|||||||||||||||||||||||||||||
|
Remote Access VPN |
||||||||||||||||||||||||||||||
|
Copy RA VPN policies. |
You can now create a new RA VPN policy by copying an existing policy. We added a copy button next to each policy on . |
|||||||||||||||||||||||||||||
|
AnyConnect VPN SAML external browser. |
You can now configure AnyConnect VPN SAML External Browser to enable additional authentication choices, such as passwordless authentication, WebAuthN, FIDO, SSO, U2F, and an improved SAML experience due to the persistence of cookies. When you use SAML as the primary authentication method for a remote access VPN connection profile, you can elect to have the AnyConnect client use the client’s local browser instead of the AnyConnect embedded browser to perform the web authentication. This option enables single sign-on (SSO) between your VPN authentication and other corporate logins. Also choose this option if you want to support web authentication methods, such as biometric authentication and Yubikeys, that cannot be performed in the embedded browser. We updated the remote access VPN connection profile wizard to allow you to configure the SAML Login Experience. |
|||||||||||||||||||||||||||||
|
Multiple trustpoints for SAML identity providers on Microsoft Azure. |
You can now add multiple RA VPN trustpoints for SAML identity providers, as required by Microsoft Azure. In a Microsoft Azure network, Azure can support multiple applications for the same Entity ID. Each application (typically mapped to a different tunnel group) requires a unique certificate. This feature enables you to add multiple trustpoints for RA VPN in FTDv for Microsoft Azure. |
|||||||||||||||||||||||||||||
|
Site to Site VPN |
||||||||||||||||||||||||||||||
|
VPN filters. |
You can now configure site to site VPN filters with rules that determine whether to allow or reject tunneled data packets based on criteria such as source address, destination address, and protocol. The VPN filter is applied to post-decrypted traffic after it exits a tunnel and to pre-encrypted traffic before it enters a tunnel. |
|||||||||||||||||||||||||||||
|
Unique local tunnel ID for IKEv2. |
You can now configure a Local Tunnel ID per IKEv2 tunnel for both policy-based and route-based Site to Site VPNs. You can configure the local tunnel ID with the FMC web interface or from the REST API. This local tunnel ID configuration enables Umbrella SIG integration with FTD. |
|||||||||||||||||||||||||||||
|
Multiple IKE policies. |
You can now configure multiple IKE policies for both policy-based and route-based Site to Site VPNs. Multiple IKE policies can be configured through the FMC GUI and the REST API. |
|||||||||||||||||||||||||||||
|
VPN monitoring dashboard. |
Beta. The Site to Site VPN Monitoring Dashboard provides:
|
|||||||||||||||||||||||||||||
|
Security Intelligence |
||||||||||||||||||||||||||||||
|
Snort 3 support for Security Intelligence on proxied traffic. |
With Snort 3, you can now apply Security Intelligence to HTTP proxy traffic where the IP address is embedded into the HTTP request. For example, when a user uploads a Block list or an Allow list containing IP addresses or networks, the system matches on the destination server IP instead of proxy IP. As a result, traffic to the destination server can be blocked, monitored, or allowed (according to your Security Intelligence configuration). |
|||||||||||||||||||||||||||||
|
Intrusion Detection and Prevention |
||||||||||||||||||||||||||||||
|
Snort 3 support for drop, reject, rewrite, and pass rule actions. |
Version 7.1 FMCs now support the following intrusion rule actions for FTD devices with Snort 3, including Version 7.0 devices:
To configure these new rule actions, edit the Snort 3 version of an intrusion policy and use the Rule Action drop-down for each rule. |
|||||||||||||||||||||||||||||
|
Snort 3 support for TLS-based intrusion rules. |
You can now create TLS-based intrusion rules to inspect decrypted TLS traffic with Snort 3. This feature allows Snort 3 intrusion rules to use TLS information. |
|||||||||||||||||||||||||||||
|
Snort 3 support for inspection of DCE/RPC over SMB2. |
Upgrade impact. Version 7.1 with Snort 3 supports DCE/RPC inspection over SMB2. After the first post-upgrade deploy to Snort 3 devices, existing DCE/RPC rules begin inspecting DCE/RPC over SMB2; previously these rules only inspected DCE/RPC over SMB1. |
|||||||||||||||||||||||||||||
|
Snort 3 support for intrusion rule recommendations. |
Version 7.1 FMCs now support intrusion rule recommendations for FTD devices with Snort 3, including Version 7.0 devices. To configure this feature, edit the Snort 3 version of an intrusion policy and click the Recommendations button (in the left pane, next to All Rules). |
|||||||||||||||||||||||||||||
|
Snort 3 support for ssl_version and ssl_state keywords. |
Upgrade impact. Version 7.1 with Snort 3 supports the ssl_version and ssl_state intrusion rule keywords. Cisco-provided intrusion policies include active rules using those keywords. You can also create, upload, and deploy custom/third party rules using them. In Version 7.0.x, we supported those keywords with Snort 2 only. With Snort 3, rules with those keywords did not match traffic, and thus could not generate alerts or affect traffic. There was no indication that the rules were not working as expected. After the first post-upgrade deploy to Version 7.1+ Snort 3 devices, existing rules with those keywords can match traffic. |
|||||||||||||||||||||||||||||
|
Identity Services and User Control |
||||||||||||||||||||||||||||||
|
Snort 3 captive portal support for interception of HTTP/2 traffic. |
You can now intercept and redirect HTTP/2 traffic for user authentication with captive portal. When a redirect is received by the browser, the browser follows the redirect and authenticates with idhttpsd (Apache web server) using the same process as the HTTP/1 captive portal. After authentication, idhttpsd redirects the user back to the original URL. |
|||||||||||||||||||||||||||||
|
Snort 3 captive portal support for hostname-based redirect. |
You can configure active authentication for identity policy rules to redirect the user’s authentication to a fully-qualified domain name (FQDN) rather than the IP address of the interface through which the user’s connection enters the device. The FQDN must resolve to the IP address of one of the interfaces on the device. By using an FQDN, you can assign a certificate for active authentication that the client will recognize, thus avoiding the untrusted certificate warning users get when being redirected to an IP address. The certificate can specify the FQDN, a wildcard FQDN, or multiple FQDNs in the Subject Alternate Names (SAN) in the certificate. New/modified screens: We added the Redirect to Host Name option in the identity policy settings. |
|||||||||||||||||||||||||||||
|
Encrypted Traffic Handling (TLS/SSL) |
||||||||||||||||||||||||||||||
|
Advanced TLS/SSL policy options. |
You can now configure the following advanced TLS/SSL policy options in the Advanced Settings tab on the SSL Policy page:
|
|||||||||||||||||||||||||||||
|
Encrypted Visibility Engine for visibility into encrypted sessions. |
Beta. You can enable the Encrypted Visibility Engine to gain visibility into an encrypted session without needing to decrypt it. The engine fingerprints and analyzes encrypted traffic. In FMC 7.1, the Encrypted Visibility Engine provides more visibility into encrypted traffic, including protocols such as TLS and QUIC. It does not enforce any actions on that traffic. The Encrypted Visibility Engine is disabled by default. You can enable it on the Advanced tab of an access control policy in the Experimental Features section. New/modified screens:
|
|||||||||||||||||||||||||||||
|
Service Policy |
||||||||||||||||||||||||||||||
|
Configure the maximum segment size (MSS) for embryonic connections. |
You can configure a service policy to set the server maximum segment size (MSS) for SYN-cookie generation for embryonic connections upon reaching the embryonic connections limit. This is meaningful for service policies where you are also setting embryonic connection maximums. New/modified screens: Connection Settings in the Add/Edit Service Policy wizard. |
|||||||||||||||||||||||||||||
|
Network Discovery |
||||||||||||||||||||||||||||||
|
Improved Snort 3 support for network discovery (remote network access support). |
With improvements to network discovery and remote network access support, Snort 3 is now at parity with Snort 2 for those features. The improvements include:
In Snort 3, application detection is always enabled for all networks by default. |
|||||||||||||||||||||||||||||
|
Event Logging and Analysis |
||||||||||||||||||||||||||||||
|
Snort 3 support for elephant flow identification and monitoring. |
With FTD running Snort 3, you can now identify elephant flows—single-session network connections that are large enough to affect overall system performance. By default, elephant flow detection is automatically enabled, and tracks and logs connections larger than 1GB/10 seconds. A new predefined search for connection events (Reason = Elephant Flow) allows you to quickly identify elephant flows. You can also use the health monitor to view active elephant flows on your devices, and to create a custom health dashboard to correlate elephant flow incidence with other device metrics such as CPU usage. To disable this feature or to configure the size and time thresholds, use the FTD CLI.New/modified FTD CLI commands:
|
|||||||||||||||||||||||||||||
|
Send intrusion events and retrospective malware events to the Secure Network Analytics cloud from the FMC. |
Upgrade impact. When you configure the system to send security events to the Stealthwatch cloud using Cisco Security Analytics and Logging (SaaS), the FMC now sends:
If you already enabled this feature, the FMC starts sending this information after a successful upgrade. |
|||||||||||||||||||||||||||||
|
New datastore for intrusion events improves performance. |
To improve performance, Version 7.1 uses a new datastore for intrusion events. After the upgrade finishes and the FMC reboots, historical events are migrated in the background, newest events first. As part of this migration, we deprecated intrusion incidents, the intrusion event clipboard, and custom tables for intrusion events. We also introduced two new fields in the intrusion event table: Source Host Criticality and Destination Host Criticality. |
|||||||||||||||||||||||||||||
|
NAT IP address and port information in connection and Security Intelligence events. |
For additional visibility into NAT translations, we added the following fields to connection and Security Intelligence events:
In the table view of events, these fields are hidden by default. To change the fields that appear, click the x in any column name to display a field chooser. |
|||||||||||||||||||||||||||||
|
Packet tracer enhancements. |
Version 7.1 updates the packet tracer interface for better usability. In addition, you can now:
New/modified FTD CLI commands:
|
|||||||||||||||||||||||||||||
|
Object Management |
||||||||||||||||||||||||||||||
|
Network object support for HTTP, ICMP, and SSH platform settings. |
You can now use network object groups that contain network objects for hosts or networks when configuring the IP addresses in the Threat Defense Platform Settings policy. |
|||||||||||||||||||||||||||||
|
Snort 3 support for network wildcard mask objects. |
You can now create and manage network wildcard mask objects on the Object Management page. You can use network wildcard mask objects in access control, prefilter, and NAT policies. |
|||||||||||||||||||||||||||||
|
Deployment preview enhancements for objects. |
You can now preview deployment changes to Geolocation, File List, and Security Intelligence objects. Updated screen: . In the Preview column, click the Preview icon for a device to see the changes to the file list objects. |
|||||||||||||||||||||||||||||
|
Integrations |
||||||||||||||||||||||||||||||
|
Support for Cisco ACI Endpoint Update App, Version 2.0 and remediation module. |
Version 2.0 of the Cisco ACI Endpoint Update App has the following improvements over previous versions:
A new Cisco ACI Endpoint remediation module is also available with this update. |
|||||||||||||||||||||||||||||
|
Usability, Performance, and Troubleshooting |
||||||||||||||||||||||||||||||
|
Health monitoring enhancements. |
We updated the health monitor as follows:
New/modified screens:
|
|||||||||||||||||||||||||||||
|
Deployment history enhancements. |
You can now bookmark a deployment job, edit the deployment notes for a job, and generate a report. |
|||||||||||||||||||||||||||||
|
Global search enhancements. |
Global search now has the following capabilities:
|
|||||||||||||||||||||||||||||
|
New walkthroughs. |
We added the following walkthroughs:
|
|||||||||||||||||||||||||||||
|
Snort memory usage telemetry sent to Cisco Success Network. |
For improved serviceability, we now send telemetry on Snort memory and swap usage, including out-of-memory events, to Cisco Success Network. We send this information for both Snort 2 and Snort 3. You can change your Cisco Success Network enrollment at any time. |
|||||||||||||||||||||||||||||
|
Snort 3 support for statistics on start-of-flow and end-of-flow events. |
For FTD with Snort 3, the output of the show snort statistics command now reports statistics on start-of-flow and end-of-flow events. |
|||||||||||||||||||||||||||||
|
Web interface changes: SecureX, threat intelligence, and other integrations. |
Version 7.1 changes these FMC menu options if you are upgrading from Version 7.0.2 or any later Version 7.0.x maintenance release.
|
|||||||||||||||||||||||||||||
|
FMC REST API |
||||||||||||||||||||||||||||||
|
FMC REST API. |
For information on changes to the FMC REST API, see What's New in 7.1 in the REST API quick start guide. |
|||||||||||||||||||||||||||||
|
Deprecated Features |
||||||||||||||||||||||||||||||
|
End of support: FMC 1000, 2500, 4500. |
You cannot run Version 7.1+ on the FMC models FMC 1000, 2500, and 4500. You cannot manage Version 7.1+ devices with these FMCs. |
|||||||||||||||||||||||||||||
|
End of support: ASA 5508-X and 5516-X. |
You cannot run Version 7.1+ on the ASA 5508-X or 5516-X. |
|||||||||||||||||||||||||||||
|
End of support: NGIPS software (ASA FirePOWER/NGIPSv). |
Version 7.1 is supported on the FMC and on FTD devices only. It is not supported on ASA FirePOWER or NGIPSv devices. You can still use a Version 7.1 FMC to manage older devices — FTD as well as ASA FirePOWER and NGIPSv — that are running Version 6.5 through 7.0. |
|||||||||||||||||||||||||||||
|
Deprecated (temporary): Improved SecureX integration, SecureX orchestration. |
Upgrade impact. Cannot upgrade to Version 7.1.0 with new SecureX integration. This feature is included in Versions 7.0.2+ and 7.2+. It is not supported in Version 7.1. If you use the new method to enable SecureX integration in Version 7.0.x, you cannot upgrade to Version 7.1 unless you disable the feature. We recommend you upgrade to Version 7.2+. |
|||||||||||||||||||||||||||||
|
Deprecated: Intrusion incidents and the intrusion event clipboard. |
Upgrade impact. Data and configurations can be deleted. We removed the intrusion incidents feature and the related intrusion event clipboard. The upgrade removes all data related to incidents, and deletes report templates sections that use the clipboard as a data source. Deprecated screens/options:
|
|||||||||||||||||||||||||||||
|
Deprecated: Custom tables for intrusion events. |
Upgrade impact. Custom tables can be deleted. Version 7.1 ends support for custom tables for intrusion events. The upgrade deletes custom tables that contain fields from the intrusion event table. When adding fields to a custom table (Analysis > Advanced > Custom Tables), you can no longer choose the Intrusion Events table as a data source. |
|||||||||||||||||||||||||||||
|
Deprecated: ECMP zones with FlexConfig. |
Upgrade impact. Redo FlexConfigs after upgrade. You can now group interfaces in traffic zones and configure Equal-Cost-Multi-Path (ECMP) routing in the FMC web interface. After upgrade, the system ignores ECMP zones configured with FlexConfig. You cannot deploy with equal-cost static routes exist and must assign their interfaces to an ECMP zone. |
|||||||||||||||||||||||||||||
|
Deprecated: Policy based routing with FlexConfig. |
Upgrade impact. Redo FlexConfigs after upgrade. You can now configure policy based routing (PBR) from the FMC web interface. This feature requires Version 7.1+ on both the FMC and the device. When you upgrade the FMC to Version 7.1+, existing policy based routing FlexConfigs are removed. After you upgrade your devices to Version 7.1+, redo your policy based routing configurations in the FMC web interface. For devices that you do not upgrade to Version 7.1+, redo the FlexConfigs and configure them to deploy "every time." |
|||||||||||||||||||||||||||||
|
Deprecated: Geolocation details. |
In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on. The new country code package has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in an air-gapped deployment—make sure you get the country code package and not the IP package.
|
|||||||||||||||||||||||||||||
FMC Features in Version 7.0.6
|
Feature |
Details |
||
|---|---|---|---|
|
Updated web analytics provider. |
Upgrade impact. Your browser connects to new resources. While using the management center, your browser now contacts Amplitude (amplitude.com) instead of Google (google.com) for web analytics. Web analytics provides non-personally-identifiable usage data to Cisco, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your management centers. You are enrolled in web analytics by default but you can change your enrollment at any time after you complete initial setup. Note that ad blockers can block web analytics, so if you choose to remain enrolled, please disable ad blocking for the hostnames/IP addresses of your Cisco appliances. Version restrictions: Amplitude analytics are not supported in management center Version 7.0.0–7.0.5, 7.1.0–7.2.5, 7.3.x, or 7.4.0. Permanent support returns in Version 7.4.1 If you upgrade from a supported version to an unsupported version, your browser resumes contacting Google. |
||
|
Smaller VDB for lower memory Snort 2 devices. |
Upgrade impact. Application identification on lower memory devices is affected. For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB. Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641. |
||
|
Deprecated Features |
|||
|
Deprecated: high unmanaged disk usage alerts. |
The Disk Usage health module no longer alerts with high unmanaged disk usage. After FMC upgrade, you may continue to see these alerts until you either deploy health policies to managed devices (stops the display of alerts) or upgrade the devices (stops the sending of alerts).
For information on the remaining Disk Usage alerts, see Disk Usage and Drain of Events Health Monitor Alerts. |
||
FMC Features in Version 7.0.5
|
Feature |
Details |
|---|---|
|
ISA 3000 System LED support for shutting down. |
When you shut down the ISA 3000, the System LED turns off. Wait at least 10 seconds after that before you remove power from the device. Version restrictions: Version 7.1 temporarily deprecates support for this feature. Support returns in Version 7.3. |
|
Automatically update CA bundles. |
Upgrade impact. The system connects to Cisco for something new. The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature. New/modified CLI commands: configure cert-update auto-update , configure cert-update run-now , configure cert-update test , show cert-update Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco. See: Firepower Management Center Command Line Reference and Cisco Secure Firewall Threat Defense Command Reference |
FMC Features in Version 7.0.4
This release introduces stability, hardening, and performance enhancements.
FMC Features in Version 7.0.3
|
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|---|---|---|---|
|
FTD support for cloud-delivered Firewall Management Center. |
7.2.0 for analytics-only support |
7.0.3 |
Version 7.0.3 FTD devices support management by the cloud-delivered Firewall Management Center, which we introduced in spring of 2022. The cloud-delivered Firewall Management Center uses the Cisco Defense Orchestrator (CDO) platform and unites management across multiple Cisco security solutions. We take care of feature updates. You should use Version 7.0.3 FTD with the cloud-delivered Firewall Management Center if:
If this is your situation, you should:
The cloud-delivered Firewall Management Center cannot manage threat defense devices running Version 7.1, or Classic devices running any version. You cannot upgrade a cloud-managed device from Version 7.0.x to Version 7.1 unless you unregister and disable cloud management. We recommend you upgrade directly to Version 7.2+. New/modified CLI commands: configure manager add , configure manager delete , configure manager edit , show managers For more information, see Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator. |
FMC Features in Version 7.0.2
|
Feature |
Details |
|||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
ISA 3000 support for shutting down. |
You can now shut down the ISA 3000; previously, you could only reboot the device. Version restrictions: Version 7.1 temporarily deprecates support for this feature. Support returns in Version 7.2. |
|||||||||||||||||||||||||||||
|
Dynamic object names now support the dash character. |
Dynamic object names now support the dash character. This is especially useful if you are using the ACI endpoint update app (where the dash character is allowed), to create dynamic objects on the FMC that represent tenant endpoint groups. Minimum threat defense: 7.0.2 |
|||||||||||||||||||||||||||||
|
Improved SecureX integration, SecureX orchestration. |
Upgrade impact. Cannot upgrade Version 7.0.x → 7.1 with feature enabled. We have streamlined the SecureX integration process. Now, as long as you already have a SecureX account, you just choose your cloud region on the new Integration > SecureX page, click Enable SecureX, and authenticate to SecureX. The option to send events to the cloud, as well as to enable Cisco Success Network and Cisco Support Diagnostics, are also moved to this new page. When you enable SecureX integration on this new page, licensing and management for the system's cloud connection switches from Cisco Smart Licensing to SecureX. If you already enabled SecureX the "old" way, you must disable and re-enable to get the benefits of this cloud connection management. Note that this page also governs the cloud region for and
event types sent to the Secure Network
Analytics (Stealthwatch) cloud using Security
Analytics and Logging (SaaS), even though the web interface does not indicate this.
Previously, these options were on System ( The management center also now supports SecureX orchestration—a powerful drag-and-drop interface you can use to automate workflows across security tools. After you enable SecureX, you can enable orchestration. As part of this feature, you can no longer use the REST API to configure SecureX integration. You must use the FMC web interface. Version restrictions: This feature is included in Versions 7.0.2+ and 7.2+. It is not supported in Version 7.1. If you use the new method to enable SecureX integration in Version 7.0.x, you cannot upgrade to Version 7.1 unless you disable the feature. We recommend you upgrade to Version 7.2+. See: Cisco Secure Firewall Management Center (7.0.2 and 7.2) and SecureX Integration Guide |
|||||||||||||||||||||||||||||
|
Web interface changes: SecureX, threat intelligence, and other integrations. |
We changed these FMC menu options.
|
FMC Features in Version 7.0.1
|
Feature |
Details |
|---|---|
|
Snort 3 rate_filter inspector. |
We introduced the Snort 3 rate_filter inspector. This allows you to change the action of an intrusion rule in response to excessive matches on that rule. You can block rate-based attacks for a specific length of time, then return to allowing matching traffic while still generating events. For more information, see the Snort 3 Inspector Reference. New/modified pages: Configure the inspector by editing the Snort 3 version of a custom network analysis policy. Version restrictions: This feature requires Version 7.0.1+ on
both the FMC and the device. Additionally, you must be running
lsp-rel-20210816-1910 or later. You can check and update the LSP
on System ( |
|
New default password for ISA 3000 with ASA FirePOWER Services. |
For new devices, the default password for the admin account is now Adm!n123. Previously, the default admin password was Admin123. Upgrading or reimaging to Version 7.0.1+ does not change the password. However, we do recommend that all user accounts—especially those with Admin access—have strong passwords. |
FMC Features in Version 7.0.0
|
Feature |
Details |
||||
|---|---|---|---|---|---|
|
Platform |
|||||
|
VMware vSphere/VMware ESXi 7.0 support. |
You can now deploy FMCv, FTDv, and NGIPSv virtual appliances on VMware vSphere/VMware ESXi 7.0. Note that Version 7.0 also discontinues support for VMware 6.0. Upgrade the hosting environment to a supported version before you upgrade the Firepower software. |
||||
|
New virtual environments. |
We introduced FMCv and FTDv for:
For FMCv, all these implementations support FMCv2, v10, and v25. FMCv for HyperFlex also supports high availability with FMCv10 and v25. In an FTD deployment, you need two identically licensed FMCs, as well as one FTD entitlement for each managed device. For example, to manage 10 devices with an FMCv10 high availability pair, you need two FMCv10 entitlements and 10 FTD entitlements. If you are managing Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv entitlements. |
||||
|
FTDv performance tiered Smart Licensing. |
Upgrade impact. Upgrading automatically assigns devices to the FTDv50 tier. FTDv now supports performance-tiered Smart Software Licensing, based on throughput requirements and RA VPN session limits. Options run from FTDv5 (100 Mbps/50 sessions) to FTDv100 (16 Gbps/10,000 sessions). Before you add a new device, make sure your account contains the licenses you need. To purchase additional licenses, contact your Cisco representative or partner contact. Upgrading FTDv to Version 7.0 automatically assigns the device to the FTDv50 tier. To continue using your legacy (non-tiered) license, after upgrade, change the tier to Variable. For more information on supported instances, throughputs, and other hosting requirements, see the appropriate Getting Started Guide.New/modified pages:
|
||||
|
High Availability/Scalability |
|||||
|
Improved PAT port block allocation for clustering |
The improved PAT port block allocation ensures that the control unit keeps ports in reserve for joining nodes, and proactively reclaims unused ports. To best optimize the allocation, you can set the maximum nodes you plan to have in the cluster using the cluster-member-limit command using FlexConfig. The control unit can then allocate port blocks to the planned number of nodes, and it will not have to reserve ports for extra nodes you don't plan to use. The default is 16 nodes. You can also monitor syslog 747046 to ensure that there are enough ports available for a new node. New/modified commands: cluster-member-limit (FlexConfig), show nat pool cluster [summary] , show nat pool ip detail Supported platforms: Firepower 4100/9300 |
||||
|
FTD CLI show cluster history improvements. |
New keywords allow you to customize the output of the show cluster history command. New/modified commands: show cluster history [brief ] [latest ] [reverse ] [time ] Supported platforms: Firepower 4100/9300 |
||||
|
FTD CLI command to permanently leave a cluster. |
You can now use the FTD CLI to permanently remove a unit from the cluster, converting its configuration to a standalone device. New/modified commands: cluster reset-interface-mode Supported platforms: Firepower 4100/9300 |
||||
|
NAT |
|||||
|
Prioritized system-defined NAT rules. |
We added a new Section 0 to the NAT rule table. This section is exclusively for the use of the system. Any NAT rules that the system needs for normal functioning are added to this section, and these rules take priority over any rules you create. Previously, system-defined rules were added to Section 1, and user-defined rules could interfere with proper system functioning. You cannot add, edit, or delete Section 0 rules, but you will see them in show nat detail command output. Supported platforms: FTD |
||||
|
Virtual Routing |
|||||
|
Virtual router support for the ISA 3000. |
You can now configure up to 10 virtual routers on an ISA 3000 device. Supported platforms: ISA 3000 |
||||
|
Site to Site VPN |
|||||
|
Backup virtual tunnel interfaces (VTI) for route-based site-to-site VPN. |
When you configure a site-to-site VPN that uses virtual tunnel interfaces, you can select a backup VTI for the tunnel. Specifying a backup VTI provides resiliency, so that if the primary connection goes down, the backup connection might still be functional. For example, you could point the primary VTI to the endpoint of one service provider, and the backup VTI to the endpoint of a different service provider. New/modified pages: We added the ability to add a backup VTI to the site-to-site VPN wizard when you select Route-Based as the VPN type for a point-to-point connection. Supported platforms: FTD |
||||
|
Remote Access VPN |
|||||
|
Load balancing. |
We now support RA VPN load balancing. The system distributes sessions among grouped devices by number of sessions; it does not consider traffic volume or other factors. New/modified screens: We added load balancing options to the Advanced settings in an RA VPN policy. Supported platforms: FTD |
||||
|
Local authentication. |
We now support local authentication for RA VPN users. You can use this as the primary or secondary authentication method, or as a fallback in case the configured remote server cannot be reached.
Supported platforms: FTD |
||||
|
Dynamic access policies. |
The new dynamic access policy allows you to configure remote access VPN authorization that automatically adapts to a changing environment:
Supported platforms: FTD |
||||
|
Multi-certificate authentication. |
We now support multi-certificate authentication for remote access VPN users. You can validate the machine or device certificate, to ensure the device is a corporate-issued device, in addition to authenticating the user’s identity certificate to allow VPN access using the AnyConnect client during SSL or IKEv2 EAP phase. Supported platforms: FTD |
||||
|
AnyConnect custom attributes. |
We now support AnyConnect custom attributes, and provide an infrastructure to configure AnyConnect client features without adding explicit support for these features in the system. Supported platforms: FTD |
||||
|
Access Control |
|||||
|
Snort 3 for FTD. |
For new FTD deployments, Snort 3 is now the default inspection engine. Upgraded deployments continue to use Snort 2, but you can switch at any time. Advantages to using Snort 3 include, but are not limited to:
A Snort 3 intrusion rule update is called an LSP (Lightweight Security Package) rather than an SRU. The system still uses SRUs for Snort 2; downloads from Cisco contain both the latest LSP and SRU. The system automatically uses the appropriate rule set for your configurations. The FMC can manage a deployment with both Snort 2 and Snort 3 devices, and will apply the correct policies to each device. However, unlike Snort 2, you cannot update Snort 3 on a device by upgrading the FMC only and then deploying. With Snort 3, new features and resolved bugs require you upgrade the software on the FMC and its managed devices. For information on the Snort included with each software version, see the Bundled Components section of the Cisco Firepower Compatibility Guide.
You can also visit the Snort 3 website: https://snort.org/snort3. Supported platforms: FTD |
||||
|
Dynamic objects. |
You can now use dynamic objects in access control rules. A dynamic object is just a list of IP addresses/subnets (no ranges, no FQDN). But unlike a network object, changes to dynamic objects take effect immediately, without having to redeploy. This is useful in virtual and cloud environments, where IP addresses often dynamically map to workload resources. To create and manage dynamic objects, we recommend the Cisco Secure Dynamic Attributes Connector. The connector is a separate, lightweight application that quickly and seamlessly updates firewall policies based on workload changes. To do this, it gets workload attributes from tagged resources in your environment, and compiles an IP list based on criteria you specify (a “dynamic attributes filter”). It then creates a dynamic object on the FMC and populates it with the IP list. When your workload changes, the connector updates the dynamic object and the system immediately starts handling traffic based on the new mappings. For more information, see the Cisco Secure Dynamic Attributes Connector Configuration Guide. After you create a dynamic object, you can add it to access control rules on the new Dynamic Attributes tab in the access control rule editor. This tab replaces the narrower-focus SGT/ISE Attributes tab; continue to configure rules with SGT attributes here.
Supported platforms: FMC Supported virtual/cloud workloads for Cisco Secure Dynamic Attributes Connector integration: Microsoft Azure, AWS, VMware |
||||
|
Cross-domain trust for Active Directory domains. |
You can now configure user identity rules with users from Microsoft Active Directory forests (groupings of AD domains that trust each other). New/modified pages:
Supported platforms: FMC |
||||
|
DNS filtering. |
DNS filtering, which was introduced as a Beta feature in Version 6.7, is now fully supported and is enabled by default in new access control policies. Supported platforms: Any |
||||
|
Event Logging and Analysis |
|||||
|
Improved process for storing events in a Secure Network Analytics on-prem deployment. |
A new Cisco Security Analytics and Logging (On Premises) app and a new FMC wizard make it easier to configure remote data storage for on-prem Secure Network Analytics solutions:
For upgraded deployments where you were using syslog to send Firepower events to Stealthwatch, disable those configurations before you use the wizard. Otherwise, you will get double events. To remove the syslog connection to Stealthwatch use FTD platform settings (Devices > Platform Settings); to disable sending events to syslog, edit your access control rules. For more information, including Stealthwatch hardware and software requirements, see Cisco Security Analytics and Logging (On Premises): Firewall Event Integration Guide. Supported platforms: FMC |
||||
|
Work with events stored remotely in a Secure Network Analytics on-prem deployment. |
You can now use the FMC to work with connection events stored remotely in a Secure Network Analytics on-prem deployment. A new Data Source option on the connection events page (Analysis > Connections > Events) and in the unified event viewer (Analysis > Unified Events) allows you to choose which connection events you want to work with. The default is to display locally stored connection events, unless there are none in the time range. In that case, the system displays remotely stored events.. We also added a data source option to report templates (Overview > Reporting > Report Templates), so that you can generate reports based on remotely stored connection events.
Supported platforms: FMC |
||||
|
Store all connection events in the Secure Network Analytics cloud. |
You can now store all connection events in the Stealthwatch cloud using Cisco Security Analytics and Logging (SaaS). Previously, you were limited to security events: Security Intelligence, intrusion, file, and malware events, as well as their associated connection events. To change the events you send to the cloud, choose System (
Supported platforms: FMC |
||||
|
Unified event viewer. |
The unified event viewer () displays connection, Security Intelligence, intrusion, file, and malware events in a single table. This can help you look relationships between events of different types. A single search field allows you to dynamically filter the view based on multiple criteria, and a Go Live option displays events received from managed devices in real time. Supported platforms: FMC |
||||
|
SecureX ribbon. |
The SecureX ribbon on the FMC pivots into SecureX for instant visibility into the threat landscape across your Cisco security products. To connect with SecureX and enable the ribbon, use System ( For more information, see the Cisco Secure Firewall Threat Defense and SecureX Integration Guide. Supported platforms: FMC |
||||
|
Exempt all connection events from rate limiting when you turn off local storage. |
Event rate limiting applies to all events sent to the FMC, with the exception of security events: Security Intelligence, intrusion, file, and malware events, as well as their associated connection events. Now, disabling local connection event storage exempts all
connection events from rate limiting, not just security events. To
do this, set the Maximum Connection Events to
zero on System (
Note that disabling local event storage does not affect remote event storage, nor does it affect connection summaries or correlation. The system still uses connection event information for features like traffic profiles, correlation policies, and dashboard displays. Supported platforms: FMC |
||||
|
Port and protocol displayed together in file and malware event tables. |
In file and malware event tables, the port field now displays the protocol, and you can search port fields for protocol. For events that existed before upgrade, if the protocol is not known, the system uses "tcp." New/modified pages:
Supported platforms: FMC |
||||
|
Upgrade |
|||||
|
Improved FTD upgrade performance and status reporting. |
FTD upgrades are now easier faster, more reliable, and take up less disk space. A new Upgrades tab in the Message Center provides further enhancements to upgrade status and error reporting. Supported platforms: FTD |
||||
|
Upgrade wizard for FTD. |
A new device upgrade page (Devices > Device Upgrade) on the FMC provides an easy-to-follow wizard for upgrading Version 6.4+ FTD devices. It walks you through important pre-upgrade stages, including selecting devices to upgrade, copying the upgrade package to the devices, and compatibility and readiness checks. To begin, use the new Upgrade Firepower Software action on the Device Management page (Devices > Device Management > Select Action). As you proceed, the system displays basic information about your selected devices, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a device does not "pass" a stage in the wizard, it does not appear in the next stage. If you navigate away from wizard, your progress is preserved, although other users with Administrator access can reset, modify, or continue the wizard.
Supported platforms: FTD |
||||
|
Upgrade more FTD devices at once. |
The FTD upgrade wizard lifts the following restrictions:
Supported platforms: FTD |
||||
|
Administration and Troubleshooting |
|||||
|
Zero-touch restore for the ISA 3000 using the SD card. |
When you perform a local backup, the backup file is copied to the SD card if present. To restore the configuration on a replacement device, simply install the SD card in the new device, and depress the Reset button for 3 to 15 seconds during the device bootup. Supported platforms: ISA 3000 |
||||
|
Selectively deploy RA and site-to-site VPN policies. |
Selective policy deployment, which was introduced in Version 6.6, now supports remote access and site-to-site VPN policies. New/modified pages: We added VPN policy options on the Deploy > Deployment page. Supported platforms: FTD |
||||
|
New health modules. |
We added the following health modules:
Additionally, full support returns for the Configuration Memory Allocation module, which was introduced in Version 6.6.3 as the Appliance Configuration Resource Utilization module, but was not fully supported in Version 6.7. Supported platforms: FMC |
||||
|
Security and Hardening |
|||||
|
New default password for AWS deployments. |
The default password for the admin account is now the AWS Instance ID, unless you define a default password with user data (Advanced Details > User Data) during the initial deployment. Previously, the default admin password was Admin123. Supported platforms: FMCv for AWS, FTDv for AWS |
||||
|
EST for certificate enrollment. |
Support for Enrollment over Secure Transport for certificate enrollment was provided. New/modified pages: New enrollment options when configuring Objects > PKI > Cert Enrollment > CA Information tab. Supported platforms: FMC |
||||
|
Support for EdDSA certificate type. |
A new certificate key type- EdDSA was added with key size 256. New/modified pages: New certificate key options when configuring Objects > PKI > Cert Enrollment > Key tab. Supported platforms: FMC |
||||
|
AES-128 CMAC authentication for NTP servers. |
You can now use AES-128 CMAC keys to secure connections between the FMC and NTP servers. New/modified pages: System ( Supported platforms: FMC |
||||
|
SNMPv3 users can authenticate using a SHA-224 or SHA-384 authorization algorithm. |
SNMPv3 users can now authenticate using a SHA-224 or SHA-384 algorithm. New/modified pages: Devices > Platform Settings > SNMP > Users > Auth Algorithm Type Supported platforms: FTD |
||||
|
Usability and Performance |
|||||
|
Global search for policies and objects. |
You can now search for certain policies by name, and for certain objects by name and configured value. This feature is not available with the Classic theme. New/modified pages: We added capabilities to the Search icon and field on the FMC menu bar, to the left of the Deploy menu. Supported platforms: FMC |
||||
|
Hardware crypto acceleration on FTDv using Intel QuickAssist Technology (QAT). |
We now support hardware crypto acceleration (CBC cipher only) on FTDv for VMware and FTDv for KVM. This feature requires a Intel QAT 8970 PCI adapter/Version 1.7+ driver on the hosting platform. After you reboot, hardware crypto acceleration is automatically enabled. Supported platforms: FTDv for VMware, FTDv for KVM |
||||
|
Improved CPU usage and performance for many-to-one and one-to-many connections. |
The system no longer creates local host objects and locks them when creating connections, except for connections that involve dynamic NAT/PAT and scanning threat detection and host statistics. This improves performance and CPU usage in situations where many connections are going to the same server (such as a load balancer or web server), or one endpoint is making connections to many remote hosts. We changed the following commands: clear local-host (deprecated), show local-host Supported platforms: FTD |
||||
|
How-to location has changed. |
now invokes walkthroughs. Previously, you clicked How-Tos at the bottom of the browser window. |
||||
|
FMC REST API |
|||||
|
FMC REST API. |
For information on changes to the management center REST API, see the Firepower Management Center REST API Quick Start Guide, Version 7.0, |
||||
|
Deprecated Features |
|||||
|
End of support: VMware vSphere/VMware ESXi 6.0. |
We discontinued support for virtual deployments on VMware vSphere/VMware ESXi 6.0. Upgrade the hosting environment to a supported version before you upgrade the Firepower software. |
||||
|
Deprecated: RSA certificates with keys smaller than 2048 bits, or that use SHA-1 in their signature algorithm. |
Prevents post-upgrade VPN connections through FTD devices. We removed support for RSA certificates with keys smaller than 2048 bits, or that use SHA-1 in their signature algorithm. Before you upgrade, use the object manager to update your PKI certificate enrollments with stronger options: Objects > PKI > Cert Enrollment. Otherwise, although the upgrade preserves your current settings, VPN connections through the device will fail. To continue managing older FTD devices only (Version 6.4–6.7.x) with these weaker options, select the new Enable Weak-Crypto option for each device on the Devices > Certificates page. |
||||
|
Deprecated: MD5 authentication algorithm and DES encryption for SNMPv3 users. |
Deletes Users. Prevents post-upgrade deploy. We removed support for the MD5 authentication algorithm and DES encryption for SNMPv3 users on FTD devices. Upgrading FTD to Version 7.0+ deletes these users from the device, regardless of the configurations on the FMC. If you are still using these options in your platform settings policy, change and verify your configurations before you upgrade FTD. These options are in the Auth Algorithm Type and Encryption Type drop-downs when creating or editing an SNMPv3 user in a Threat Defense platform settings policy: Devices > Platform Settings. |
||||
|
Deprecated: Port 32137 comms with AMP clouds. |
Prevents FMC upgrade. We deprecated the FMC option to use port 32137 to obtain file disposition data from public and private AMP clouds. Unless you configure a proxy, the FMC now uses port 443/HTTPS. Before you upgrade, disable the Use Legacy Port 32137 for
AMP for Networks option on the System ( |
||||
|
Deprecated: HA Status health module. |
We renamed the HA Status health module to the FMC HA Status health module. This is to distinguish it from the new FTD HA Status module. |
||||
|
Deprecated: Legacy API Explorer. |
We removed support for the FMC REST API legacy API Explorer. |
||||
|
Deprecated: Geolocation details. |
In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on. The new country code package has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in an air-gapped deployment—make sure you get the country code package and not the IP package.
|
||||
FMC Features in Version 6.7.x
|
Feature |
Details |
||
|---|---|---|---|
|
Platform |
|||
|
FMCv and FTDv for OCI and GCP. |
We introduced FMCv and FTDv for:
|
||
|
High availability support on FMCv for VMware. |
FMCv for VMware now supports high availability. You use the FMCv web interface to establish HA, just as you would on hardware models. In an FTD deployment, you need two identically licensed FMCv's, as well as one FTD entitlement for each managed device. For example, to manage 10 FTD devices with an FMCv10 HA pair, you need two FMCv10 entitlements and 10 FTD entitlements. If you are managing Classic devices only (7000/8000 series, NGIPSv, ASA FirePOWER), you do not need FMCv entitlements. Note that this feature is not supported on FMCv 2 for VMware—that is, an FMCv licensed to manage only two devices. Supported platforms: FMCv 10, 25, and 300 for VMware |
||
|
Auto Scale improvements for FTDv for AWS. |
Version 6.7.0 includes the following Auto Scale improvements for FTDv for AWS:
Supported platforms: FTDv for AWS |
||
|
Auto Scale improvements for FTDv for Azure. |
The FTDv for Azure Auto Scale solution now includes support for scaling metrics based on CPU and memory (RAM), not just CPU. Supported platforms: FTDv for Azure |
||
|
Firepower Threat Defense: Device Management |
|||
|
Manage FTD on a data interface. |
You can now configure FMC management of the FTD on a data interface instead of using the dedicated management interface. This feature is useful for remote deployment when you want to manage the FTD at a branch office from an FMC at headquarters and need to manage the FTD on the outside interface. If the FTD receives a public IP address using DHCP, then you can optionally configure Dynamic DNS (DDNS) for the interface using the web type update method. DDNS ensures the FMC can reach the FTD at its Fully-Qualified Domain Name (FQDN) if the FTD's IP address changes.
New/modified pages:
New/modified FTD CLI commands: configure network management-data-interface , configure policy rollback Supported platforms: FTD |
||
|
Update the FMC IP address on the FTD. |
If you change the FMC IP address, you can now use the FTD CLI to update the device. New/modified FTD CLI commands: configure manager edit Supported platforms: FTD |
||
|
Synchronization between the FTD operational link state and the physical link state for the Firepower 4100/9300. |
The Firepower 4100/9300 chassis can now synchronize the FTD operational link state with the physical link state for data interfaces. Currently, interfaces will be in an Up state as long as the FXOS admin state is up and the physical link state is up. The FTD application interface admin state is not considered. Without synchronization from FTD, data interfaces can be in an Up state physically before the FTD application has completely come online, for example, or can stay Up for a period of time after you initiate an FTD shutdown. For inline sets, this state mismatch can result in dropped packets because external routers may start sending traffic to the FTD before the FTD can handle it. This feature is disabled by default, and can be enabled per logical device in FXOS.
New/modified Firepower Chassis Manager pages: Logical Devices > Enable Link State New/modified FXOS commands: set link-state-sync enabled , show interface expand detail Supported platforms: Firepower 4100/9300 |
||
|
Firepower 1100/2100 series SFP interfaces now support disabling auto-negotiation. |
Upgrade impact. You can now configure a Firepower 1100/2100 series SFP interface to disable flow control and link status negotiation. Previously, when you set an SFP interface speed (1000 or 10000 Mbps) on these devices, flow control and link status negotiation was automatically enabled. You could not disable it. Now, you can select No Negotiate to disable flow control and link status negotiation. This also sets the speed to 1000 Mbps, regardless of whether you are configuring a 1 GB SFP or 10 GB SFP+ interface. You cannot disable negotation at 10000 Mbps. New/modified pages: Devices > Device Management > Interfaces > edit interface > Hardware Configuration > Speed Supported platforms: Firepower 1100/2100 series |
||
|
Firepower Threat Defense: Clustering |
|||
|
New cluster management functionality on the FMC. |
You can now use the FMC to perform the following cluster management tasks, where previously you had to use the CLI:
New/modified pages:
Supported platforms: Firepower 4100/9300 |
||
|
Faster cluster deployment. |
Cluster deployment now completes faster. Also, for most deployment failures, it fails more quickly. Supported platforms: Firepower 4100/9300 |
||
|
Changes to PAT address allocation in clustering. |
Upgrade impact. The way PAT addresses are distributed to the members of a cluster is changed. Previously, addresses were distributed to the members of the cluster, so your PAT pool would need a minimum of one address per cluster member. Now, the control instead divides each PAT pool address into equal-sized port blocks and distributes them across cluster members. Each member has port blocks for the same PAT addresses. Thus, you can reduce the size of the PAT pool, even to as few as one IP address, depending on the amount of connections you typically need to PAT. Port blocks are allocated in 512-port blocks from the 1024-65535 range. You can optionally include the reserved ports, 1-1023, in this block allocation when you configure PAT pool rules. For example, in a 4-node cluster, each node gets 32 blocks with which it will be able to handle 16384 connections per PAT pool IP address compared to a single node handling all 65535 connections per PAT pool IP address. As part of this change, PAT pools for all systems, whether standalone or operating in a cluster, now use a flat port range of 1024–65535. Previously, you could use a flat range by enabling the Flat Port Range option in a PAT pool rule (Pat Pool tab in an FTD NAT rule). The Flat Port Range option is now ignored: the PAT pool is now always flat. You can optionally select the Include Reserved Ports option to include the 1–1023 port range within the PAT pool. Note that if you configure port block allocation (the Block Allocation PAT pool option), your block allocation size is used rather than the default 512-port block. In addition, you cannot configure extended PAT for a PAT pool for systems in a cluster. This change takes effect automatically. You do not need to do anything before or after upgrade. Supported platforms: FTD |
||
|
Firepower Threat Defense: Encryption and VPN |
|||
|
AnyConnect module support for RA VPN. |
FTD RA VPN now supports AnyConnect modules. As part of your RA VPN group policy, you can now configure a variety of optional modules to be downloaded and installed when a user downloads the Cisco AnyConnect VPN client. These modules can provide services such as web security, malware protection, off-network roaming protection, and so on. You must associate each module with a profile containing your custom configurations, created in the AnyConnect Profile Editor and uploaded to the FMC as an AnyConnect File object. New/modified pages:
Supported platforms: FTD |
||
|
AnyConnect management VPN tunnels for RA VPN. |
FTD RA VPN now supports an AnyConnect management VPN tunnel that allows VPN connectivity to endpoints when the corporate endpoints are powered on, not just when a VPN connection is established by the end user. This feature helps administrators perform patch management on out-of-the-office endpoints, especially devices that are infrequently connected by the user, via VPN, to the office network. Endpoint operating system login scripts which require corporate network connectivity also benefit. Supported platforms: FTD |
||
|
Single sign-on for RA VPN. |
FTD RA VPN now supports single sign-on (SSO) for remote access VPN users configured at a SAML 2.0-compliant identity provider (IdP). New/modified pages:
Supported platforms: FTD |
||
|
LDAP authorization for RA VPN. |
FTD RA VPN now supports LDAP authorization using LDAP attribute maps. An LDAP attribute map equates attributes that exist in the Active Directory (AD) or LDAP server with Cisco attribute names. Then, when the AD or LDAP server returns authentication to the FTD device during remote access VPN connection establishment, the FTD device can use the information to adjust how the AnyConnect client completes the connection. Supported platforms: FTD |
||
|
Virtual Tunnel Interface (VTI) and route-based site-to-site VPN. |
FTD site-to-site VPN now supports a logical interface called Virtual Tunnel Interface (VTI). As an alternative to policy-based VPN, a VPN tunnel can be created between peers with Virtual Tunnel Interfaces configured. This supports route-based VPN with IPsec profiles attached to the end of each tunnel. This allows dynamic or static routes to be used. Using VTI does away with the requirement of configuring static crypto map access lists and mapping them to interfaces. Traffic is encrypted using static route or BGP. You can create a routed security zone, add VTI interfaces to it, and define access control rules for the decrypted traffic control over the VTI tunnel. VTI-based VPNs can be created between:
New/modified pages: Supported platforms: FTD |
||
|
Dynamic RRI support for site-to-site VPN. |
FTD site-to-site VPN now supports Dynamic Reverse Route Injection (RRI) supported with IKEv2-based static crypto maps in site-to-site VPN deployments. This allowed static routes to be automatically inserted into the routing process for networks and hosts protected by a remote tunnel endpoint. New/modified pages: We added the Enable Dynamic Reverse Route Injection advanced option when adding an endpoint to a site-to-site VPN topology. Supported platforms: FTD |
||
|
Enhancements to manual certificate enrollment. |
You can now obtain signed CA certificates and identity certificates from a CA authority independently of each other. We made the following changes to PKI certificate enrollment objects, which store enrollment parameters for creating Certificate Signing Requests (CSRs) and obtaining identity certificates:
New/modified pages: Objects > Object Management > PKI > Cert Enrollment > Add Cert Enrollment > CA Information > Enrollment Type > Manual Supported platforms: FTD |
||
|
Enhancements to FTD certificate management. |
We made the following enhancements to FTD certificate management:
New/modified pages:
Supported platforms: FTD |
||
|
Access Control: URL Filtering, Application Control, and Security Intelligence |
|||
|
URL filtering and application control on traffic encrypted with TLS 1.3 (TLS Server Identity Discovery). |
You can now perform URL filtering and application control on traffic encrypted with TLS 1.3, by using information from the server certificate. You do not have decrypt the traffic for this feature to work.
New/modified pages: We added a TLS Server Identity Discovery warning and option to the access control policy's Advanced tab. New/modified FTD CLI commands: We added the B flag to the output of the show conn detail command. On a TLS 1.3-encrypted connection, this flag indicates that we used the server certificate for application and URL detection. Supported platforms: FTD |
||
|
URL filtering on traffic to websites with unknown reputation. |
You can now perform URL filtering for websites that have an unknown reputation. New/modified pages: We added an Apply to unknown reputation check box to the access control, QoS, and SSL rule editors. Supported platforms: FMC |
||
|
DNS filtering enhances URL filtering. |
Beta. DNS filtering enhances URL filtering by determining the category and reputation of requested domains earlier in the transaction, including in encrypted traffic—but without decrypting the traffic. You enable DNS filtering per access control policy, where it applies to all category/reputation URL rules in that policy.
New/modified pages: We added the Enable reputation enforcement on DNS traffic option to the access control policy's Advanced tab, under General Settings. Supported platforms: FMC |
||
|
Shorter update frequencies for Security Intelligence feeds. |
The FMC can now update Security Intelligence data every 5 or 15 minutes. Previously, the shortest update frequency was 30 minutes. If you configure one of these shorter frequencies on a custom feed, you must also configure the system to use an md5 checksum to determine whether the feed has updates to download. New/modified pages: We added new options to Objects > Object Management > Security Intelligence > Network Lists and Feeds > edit feed > Update Frequency Supported platforms: FMC |
||
|
Access Control: User Control |
|||
|
pxGrid 2.0 with ISE/ISE-PIC. |
Upgrade impact. Use pxGrid 2.0 when you connect the FMC to an ISE/ISE-PIC identity source. If you are still using pxGrid 1.0, switch now. That version is deprecated. For use with pxGrid 2.0, Version 6.7.0 introduces the Cisco ISE Adaptive Network Control (ANC) remediation, which applies or clears ISE-configured ANC policies involved in a correlation policy violation. If you used the Cisco ISE Endpoint Protection Services (EPS) remediation with pxGrid 1.0, configure and use the ANC remediation with pxGrid 2.0. ISE remediations will not launch if you are using the 'wrong' pxGrid. The ISE Connection Status Monitor health module alerts you to mismatches. For detailed compatibility information for all supported Firepower versions, including integrated products, see the Cisco Firepower Compatibility Guide. New/modified pages:
Supported platforms: FMC |
||
|
Realm sequences. |
You can now group realms into ordered realm sequences. Add a realm sequence to an identity rule in the same way as you add a single realm. When applying the identity rule to network traffic, the system searches the Active Directory domains in the order specified. You cannot create realm sequences for LDAP realms. New/modified pages: System > Integration > Realm Sequences Supported platforms: FMC |
||
|
ISE subnet filtering. |
Especially useful on lower-memory devices, you can now use the CLI to exclude subnets from receiving user-to-IP and Security Group Tag (SGT)-to-IP mappings from ISE. The Snort Identity Memory Usage health module alerts when memory usage exceeds a certain level, which by default is 80%. New device CLI command: configure identity-subnet-filter { add | remove} Supported platforms: FMC-managed devices |
||
|
Access Control: Intrusion and Malware Prevention |
|||
|
Improved preclassification of files for dynamic analysis. |
Upgrade impact. The system can now decide not to submit a suspected malware file for dynamic analysis, based on the static analysis results (for example, a file with no dynamic elements). After you upgrade, in the Captured Files table, these files will have a Dynamic Analysis Status of Rejected for Analysis. Supported platforms: FMC |
||
|
S7Commplus preprocessor. |
The new S7Commplus preprocessor supports the widely accepted S7 industrial protocol. You can use it to apply corresponding intrusion and preprocessor rules, drop malicious traffic, and generate intrusion events. New/modified pages:
Supported platforms: all FTD devices, including ISA 3000 |
||
|
Custom intrusion rule import warns when rules collide. |
The FMC now warns you of rule collisions when you import custom (local) intrusion rules. Previously, the FMC would silently skip the rules that cause collisions—with the exception of Version 6.6.0.1, where a rule import with collisions would fail entirely. On the Rule Updates page, if a rule import had collisions, a warning icon is displayed in the Status column. For more information, hover your pointer over the warning icon and read the tooltip. Note that a collision occurs when you try to import an intrusion rule that has the same SID/revision number as an existing rule. You should always make sure that updated versions of custom rules have new revision numbers. We recommend you read the best practices for importing local intrusion rules in the FMC configuration guide. New/modified pages: We added a warning icon to . Supported platforms: FMC |
||
|
Access Control: TLS/SSL Decryption |
|||
|
ClientHello modification for Decrypt - Known Key TLS/SSL rules. |
Upgrade impact. If you configure TLS/SSL decryption, when a managed device receives a ClientHello message, the system now attempts to match the message to TLS/SSL rules that have the Decrypt - Known Key action. Previously, the system only matched ClientHello messages to Decrypt - Resign rules. The match relies on data from the ClientHello message and from cached server certificate data. If the message matches, the device modifies the ClientHello message in specific ways; see the ClientHello Message Handling topic in the FMC configuration guide. This behavior change occurs automatically after upgrade. If you use Decrypt - Known Key TLS/SSL rules, make sure that encrypted traffic is being handled as expected.Supported platforms: Any device |
||
|
Event Logging and Analysis |
|||
|
Remote data storage and cross-launch with an on-prem Stealthwatch solution. |
You can now store large volumes of Firepower event data off-FMC, using an on-premises Stealthwatch solution: Cisco Security Analytics and Logging (On Premises). When viewing events in FMC, you can quickly cross-launch to view events in your remote data storage location. The FMC uses syslog to send connection, Security Intelligence, intrusion, file, and malware events.
Supported platforms: FMC |
||
|
Quickly add Stealthwatch contextual cross-launch resources. |
A new page on the FMC allows you to quickly add contextual cross-launch resources for your Stealthwatch appliance. After you add Stealthwatch resources, you manage them on the general contextual cross-launch page. This is where you continue to manually create and manage non-Stealthwatch cross-launch resources. New/modified pages:
Supported platform: FMC |
||
|
New cross-launch options field types. |
You can now cross-launch into an external resource using the following additional types of event data:
New/modified pages:
Supported platforms: FMC |
||
|
National Vulnerability Database (NVD) replaces Bugtraq. |
Upgrade impact. Bugtraq vulnerability data is no longer available. Most vulnerability data now comes from the NVD. To support this change, we made the following changes:
If you export vulnerability data, make sure any integrations are working as expected after the upgrade. Supported platforms: FMC |
||
|
Upgrade |
|||
|
Pre-upgrade compatibility check. |
Upgrade impact. In FMC deployments, Firepower appliances must now pass pre-upgrade compatibility checks before you can run more complex readiness checks or attempt to upgrade. This check catches issues that will cause your upgrade to fail—but we now catch them earlier and block you from proceeding. The checks are as follows:
When you select an upgrade package to install, the FMC displays compatibility check results for all eligible appliances. The new Readiness Check page also displays this information. You cannot upgrade until you fix the issues indicated. New/modified pages:
Supported platforms: FMC, FTD |
||
|
Improved readiness checks. |
Upgrade impact. Readiness checks assess a Firepower appliance's preparedness for a software upgrade. These checks include database integrity, file system integrity, configuration integrity, disk space, and so on. After you upgrade the FMC to Version 6.7.0, you will see the following improvements to FTD upgrade readiness checks:
Note that these improvements are supported for FTD upgrades from Version 6.3.0+, as long as the FMC is running Version 6.7.0+. New/modified pages:
Supported platforms: FTD |
||
|
Improved FTD upgrade status reporting and cancel/retry options. |
Upgrade impact. You can now view the status of device upgrades and readiness checks in progress on the Device Management page, as well as a 7-day history of upgrade success/failures. The Message Center also provides enhanced status and error messages. A new Upgrade Status pop-up, accessible from both Device Management and the Message Center with a single click, shows detailed upgrade information, including percentage/time remaining, specific upgrade stage, success/failure data, upgrade logs, and so on. Also on this pop-up, you can manually cancel failed or in-progress upgrades (Cancel Upgrade), or retry failed upgrades (Retry Upgrade). Canceling an upgrade reverts the device to its pre-upgrade state.
New/modified pages:
New FTD CLI commands:
Supported platforms: FTD |
||
|
Upgrades postpone scheduled tasks. |
Upgrade impact. FMC upgrades now postpone scheduled tasks. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot.
Note that this feature is supported for all upgrades from a supported version. This includes Version 6.4.0.10 and later patches, Version 6.6.3 and later maintenance releases, and Version 6.7.0+. This feature is not supported for upgrades to a supported version from an unsupported version. Supported platforms: FMC |
||
|
Upgrades remove PCAP files to save disk space. |
Upgrade impact. To upgrade a Firepower appliance, you must have enough free disk space or the upgrade fails. Upgrades now remove locally stored PCAP files. Supported platforms: Any |
||
|
Deployment and Policy Management |
|||
|
Configuration rollback. |
Beta. You can now "roll back" configurations on an FTD device, replacing them with the previously deployed configurations.
New/modified pages: Deploy > Deployment History > Rollback column and icons. Supported platforms: FTD |
||
|
Deploy intrusion and file policies independently of access control policies. |
You can now select and deploy intrusion and file policies independently of access control policies, unless there are dependent changes. New/modified pages: Deploy > Deployment Supported platforms: FMC |
||
|
Search access control rule comments. |
You can now search within access control rules comments. New/modified pages: In the access control policy editor, we added the Comments field to the Search Rules drop-down dialog. Supported platforms: FMC |
||
|
Search and filter FTD NAT rules. |
You can now search for rules in an FTD NAT policy to help you find rules based on IP addresses, ports, object names, and so forth. Search results include partial matches. Searching on criteria filters the rule table so only matching rules are displayed. New/modified pages: We added a search field above the rule table when you edit an FTD NAT policy. Supported platforms: FTD |
||
|
Copy and move rules between access control and prefilter policies. |
You can copy access control rules from one access control policy to another. You can also move rules between an access control policy and its associated prefilter policy. New/modified pages: In the access control and prefilter policy editors, we added Copy and Move options to each rule's right-click menu. Supported platforms: FMC |
||
|
Bulk object import. |
You can now bulk-import network, port, URL, VLAN tag, and distinguished name objects onto the FMC, using a comma-separated-values (CSV) file. For restrictions and specific formatting instructions, see the Reusable Objects chapter of the FMC configuration guide. New/modified pages: Objects > Object Management > choose an object type > Add [Object Type] > Import Object Supported platforms: FMC |
||
|
Interface object optimization for access control and prefilter policies. |
You can now enable interface object optimization on specific FTD devices. During deployment, interface groups and security zones used in the access control and prefilter policies generate separate rules for each source/destination interface pair. If you enable interface object optimization, the system will instead deploy a single rule per access control/prefilter rule, which can simplify the device configuration and improve deployment performance. Interface object optimization is disabled by default. If you enable it, you should also enable Object Group Search—which now applies to interface objects in addition to network objects—to reduce memory usage on the device. New/modified pages: section > Interface Object Optimization check box Supported platforms: FTD |
||
|
Administration and Troubleshooting |
|||
|
FMC single sign-on. |
The FMC now supports single sign-on (SSO) for external users configured at any third-party SAML 2.0-compliant identity provider (IdP). You can map user or group roles from the IdP to FMC user roles. New/modified pages: Supported platforms: FMC |
||
|
FMC logout delay. |
When you log out of the FMC, there is an automatic five-second delay and countdown. You can click Log Out again to log out immediately. Supported platforms: FMC |
||
|
Backup and restore for FTD container instances. |
You can now use the FMC to back up and restore Version 6.7.0+ FTD container instances. Supported platforms: Firepower 4100/9300 |
||
|
Health monitoring enhancements. |
We enhanced health monitoring as follows:
Supported platforms: FMC |
||
|
Health module updates. |
We replaced the CPU Usage health module with four new modules:
We added the following health modules to track memory use:
We added the following health modules to track statistics:
Supported platforms: FMC |
||
|
Search Message Center. |
You can now filter the current view in the Message Center. New/modified pages: We added a Filter icon and field to the Message Center, under the Show Notifications slider. Supported platforms: FMC |
||
|
Usability and Performance |
|||
|
Dusk theme. |
Beta. The FMC web interface defaults to the Light theme, but you can also choose a new Dusk theme.
New/modified pages: User Preferences, from the drop-down list under your username Supported platforms: FMC |
||
|
Search FMC menus. |
You can now search the FMC menus. New/modified pages: We added a Search icon and field to the FMC menu bar, to the left of the Deploy menu. Supported platforms: FMC |
||
|
FMC REST API |
|||
|
FMC REST API. |
We added the following FMC REST API services/operations to support new and existing features. Authorization services:
Health services:
Deployment services:
Device services:
Integration services:
Policy services:
Update services:
Supported platforms: FMC |
||
|
Deprecated Features |
|||
|
End of support: ASA 5525-X, 5545-X, and 5555-X devices with Firepower software. |
You cannot run Version 6.7+ on the ASA 5525-X, 5545-X, and 5555-X. |
||
|
Deprecated: Cisco Firepower User Agent software and identity source. |
Prevents FMC upgrade. You cannot upgrade an FMC with user agent configurations to Version 6.7+. Version 6.6 is the last release to support the Cisco Firepower User Agent software as an identity source. You should switch to Cisco Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC). To convert your license, contact Sales. For more information, see the End-of-Life and End-of-Support for the Cisco Firepower User Agent announcement and the Firepower User Identity: Migrating from User Agent to Identity Services Engine TechNote. Deprecated FTD CLI commands: configure user agent |
||
|
Deprecated: Cisco ISE Endpoint Protection Services (EPS) remediation. |
ISE remediations can stop working. The Cisco ISE Endpoint Protection Services (EPS) remediation does not work with pxGrid 2.0. Configure and use the new Cisco ISE Adaptive Network Control (ANC) remediation instead. ISE remediations will not launch if you are using the 'wrong' pxGrid to connect the FMC to an ISE/ISE-PIC identity source. The ISE Connection Status Monitor health module alerts you to mismatches. |
||
|
Deprecated: Less secure Diffie-Hellman groups, and encryption and hash algorithms. |
Prevents FMC upgrade. You may not be able to upgrade an FMC if you use any of the following FTD features:
If you are still using these features in IKE proposals or IPsec policies, change and verify your VPN configuration before you upgrade. |
||
|
Deprecated: Appliance Configuration Resource Utilization heath module (temporary). |
Possible post-upgrade errors in the health monitor. Version 6.7 partially and temporarily deprecates support for the Appliance Configuration Resource Utilization health module, which was introduced in Version 6.6.3 and is supported in all later 6.6.x releases. Version 6.7 support is as follows:
Full support returns in Version 7.0, where the module is renamed to Configuration Memory Allocation. |
||
|
Deprecated: Other health modules (permanent). |
Version 6.7 deprecates the following health modules:
|
||
|
Deprecated: Walkthroughs with the Classic theme. |
Version 6.7 discontinues FMC walkthroughs (how-tos) for the Classic theme. You can switch themes in your user preferences. |
||
|
Deprecated: Bugtraq |
Version 6.7 removes database fields and options for Bugtraq. Bugtraq vulnerability data is no longer available. Most vulnerability data now comes from the National Vulnerability Database (NVD). If you export vulnerability data, make sure any integrations are working as expected after the upgrade. |
||
|
Deprecated: Microsoft Internet Explorer |
We no longer test Firepower web interfaces using Microsoft Internet Explorer. We recommend you switch to Google Chrome, Mozilla Firefox, or Microsoft Edge. |
||
|
Deprecated: Geolocation details. |
In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on. The new country code package has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in an air-gapped deployment—make sure you get the country code package and not the IP package.
|
||
FMC Features in Version 6.6.x
|
Feature |
Details |
||
|---|---|---|---|
|
Upgrades postpone scheduled tasks. |
Upgrade impact. Upgrades now postpone scheduled tasks. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot.
Note that this feature is supported for Firepower appliances running Version 6.6.3+. It is not supported for upgrades to Version 6.6.3, unless you are upgrading from Version 6.4.0.10 or any later patch. |
||
|
Appliance Configuration Resource Utilization health module. |
Upgrade impact for Version 6.7.0. Version 6.6.3 improves device memory management and introduces a new health module: Appliance Configuration Resource Utilization. The module alerts when the size of your deployed configurations puts a device at risk of running out of memory. The alert shows you how much memory your configurations require, and by how much this exceeds the available memory. If this happens, re-evaluate your configurations. Most often you can reduce the number or complexity of access control rules or intrusion policies. For information on best practices for access control, see the configuration guide. The upgrade process automatically adds and enables this module in all health policies. After upgrade, apply health policies to managed devices to begin monitoring.
|
|
Feature |
Details |
|---|---|
|
Deprecated Features |
|
|
Deprecated: Custom intrusion rule import failure when rules collide. |
In Version 6.6.0, the FMC began rejecting custom (local) intrusion rule imports entirely if there were rule collisions. Version 6.6.1 deprecates this feature, and returns to the pre-Version 6.6 behavior of silently skipping the rules that cause collisions. Note that a collision occurs when you try to import an intrusion rule that has the same SID/revision number as an existing rule. You should always make sure that updated versions of custom rules have new revision numbers. We recommend you read the best practices for importing local intrusion rules in the FMC configuration guide. Version 6.7 adds a warning for rule collisions. |
|
Feature |
Description |
||
|---|---|---|---|
|
Platform |
|||
|
FTD on the Firepower 4112. |
We introduced the Firepower 4112. You can also deploy ASA logical devices on this platform. Requires FXOS 2.8.1. |
||
|
Larger instances for AWS deployments. |
Upgrade impact. FTDv for AWS adds support for these larger instances:
FMCv for AWS adds support for these larger instances:
All existing FMCv for AWS instance types are now deprecated (c3.xlarge, c3.2xlarge, c4.xlarge, c4.2xlarge). You must resize before you upgrade. For more information, see the upgrade guidelines for Version 6.6 in the release notes. |
||
|
Autoscale for cloud-based FTDv deployments. |
We introduced support for AWS Auto Scale/Azure Autoscale. The serverless infrastructure in cloud-based deployments allow you to automatically adjust the number of FTDv instances in the Auto Scale group based on capacity needs. This includes automatic registering/unregistering to and from the managing FMC. Supported platforms: FTDv for AWS, FTDv for Azure |
||
|
Firepower Threat Defense: Device Management |
|||
|
Obtain initial management interface IP address using DHCP. |
For Firepower 1000/2000 series and ASA-5500-X series devices, the management interface now defaults to obtaining an IP address from DHCP. This change makes it easier for you to deploy a new device on your existing network. This feature is not supported for Firepower 4100/9300 chassis, where you set the IP address when you deploy the logical device. Nor is it supported for FTDv or the ISA 3000, which continue to default to 192.168.45.45. Supported platforms: Firepower 1000/2000 series, ASA-5500-X series |
||
|
Configure MTU values in CLI. |
You can now use the FTD CLI to configure MTU (maximum transmission unit) values for FTD device interfaces. The default is 1500 bytes. Maximum MTU values are:
New FTD CLI commands: configure network mtu Modified FTD CLI commands: Added the mtu-event-channel and mtu-management-channel keyword to the configure network management-interface command. Supported platforms: FTD |
||
|
Get threat defense upgrade packages from an internal web server. |
FTD devices can now get upgrade packages from your own internal web server, rather than from the FMC. This is especially useful if you have limited bandwidth between the FMC and its devices. It also saves space on the FMC.
New/modified pages: System > Updates > Upload Update button > Specify software update source option Supported platforms: FTD |
||
|
Connection-based troubleshooting enhancements. |
We made the following enhancements to FTD CLI connection-based troubleshooting (debugging):
Supported platforms: FTD |
||
|
Firepower Threat Defense: Clustering |
|||
|
Multi-instance clustering. |
You can now create a cluster using container instances. On the Firepower 9300, you must include one container instance on each module in the cluster. You cannot add more than one container instance to the cluster per security engine/module. We recommend that you use the same security module or chassis model for each cluster instance. However, you can mix and match container instances on different Firepower 9300 security module types or Firepower 4100 models in the same cluster if required. You cannot mix Firepower 9300 and 4100 instances in the same cluster. New FXOS CLI commands: set port-type cluster New/modified Chassis Manager pages:
Supported platforms: Firepower 4100/9300 |
||
|
Parallel configuration sync to data units in FTD clusters. |
The control unit in an FTD cluster now syncs configuration changes with slave units in parallel by default. Formerly, synching occurred sequentially. Supported platforms: Firepower 4100/9300 |
||
|
Messages for cluster join failure or eviction added to show cluster history . |
We added new messages to the show cluster history command for when a cluster unit either fails to join the cluster or leaves the cluster. Supported platforms: Firepower 4100/9300 |
||
|
Firepower Threat Defense: Routing |
|||
|
Virtual routers and VRF-Lite. |
You can now create multiple virtual routers to maintain separate routing tables for groups of interfaces. Because each virtual router has its own routing table, you can provide clean separation in the traffic flowing through the device. Virtual routers implement the “light” version of Virtual Routing and Forwarding, or VRF-Lite, which does not support Multiprotocol Extensions for BGP (MBGP). The maximum number of virtual routers you can create ranges from five to 100, and depends on the device model. For a full list, see the Virtual Routing for Firepower Threat Defense chapter in the Firepower Management Center Configuration Guide. New/modified pages: Devices > Device Management > edit device > Routing tab New FTD CLI commands: show vrf . Modified FTD CLI commands: Added the [ vrf name | all] keyword set to the following CLI commands, and changed the output to indicate virtual router information where applicable: clear ospf , clear route , ping , show asp table routing , show bgp , show ipv6 route , show ospf , show route , show snort counters . Supported platforms: FTD, except Firepower 1010 and ISA 3000 |
||
|
Firepower Threat Defense: VPN |
|||
|
DTLS 1.2 in remote access VPN. |
You can now use Datagram Transport Layer Security (DTLS) 1.2 to encrypt RA VPN connections. Use FTD platform settings to specify the minimum TLS protocol version that the FTD device uses when acting as a, RA VPN server. If you want to specify DTLS 1.2, you must also choose TLS 1.2 as the minimum TLS version. Requires Cisco AnyConnect Secure Mobility Client, Version 4.7+. New/modified pages: Devices > Platform Settings > add/edit Threat Defense policy > SSL > DTLS Version option Supported platforms: FTD, except ASA 5508-X and ASA 5516-X |
||
|
Site-to-site VPN IKEv2 support for multiple peers. |
You can now add a backup peer to a site-to-site VPN connection, for IKEv1 and IKEv2 point-to-point extranet and hub-and-spoke topologies. Previously, you could only configure backup peers for IKEv1 point-to-point topologies. New/modified pages: Devices > VPN > Site to Site > add or edit a point to point or hub and spoke FTD VPN topology > add endpoint > IP Address field now supports comma-separated backup peers Supported platforms: FTD |
||
|
Security Policies |
|||
|
Usability enhancements for security policies. |
Version 6.6.0 makes it easier to work with access control and prefilter rules. You can now:
Supported platforms: FMC |
||
|
Object group search for access control policies. |
While operating, FTD devices expand access control rules into multiple access control list entries based on the contents of any network objects used in the access rule. You can reduce the memory required to search access control rules by enabling object group search. With object group search enabled, the system does not expand network objects, but instead searches access rules for matches based on those group definitions. Object group search does not impact how your rules are defined or how they appear in the FMC. It impacts only how the device interprets and processes them while matching connections to access control rules. Object group search is disabled by default. New/modified pages: Devices > Device Management > edit device > Device tab > Advanced Settings > Object Group Search option Supported platforms: FTD |
||
|
Time-based rules in access control and prefilter policies. |
You can now specify an absolute or recurring time or time range for a rule to be applied. The rule is applied based on the time zone of the device that processes the traffic. New/modified pages:
Supported platforms: FTD |
||
|
Egress optimization re-enabled. |
Upgrade impact. Version 6.6.0 fixes CSCvs86257. If egress optimization was:
Supported platforms: FTD |
||
|
Event Logging and Analysis |
|||
|
New datastore improves performance. |
Upgrade impact. To improve performance, Version 6.6.0 uses a new datastore for connection and Security Intelligence events. After the upgrade finishes and the FMC reboots, historical connection and Security Intelligence events are migrated in the background, resource constrained. Depending on FMC model, system load, and how many events you have stored, this can take from a few hours up to a day. Historical events are migrated by age, newest events first. Events that have not been migrated do not appear in query results or dashboards. If you reach the connection event database limit before the migration completes, for example, because of post-upgrade events, the oldest historical events are not migrated. You can monitor event migration progress in the Message Center. Supported platforms: FMC |
||
|
Wildcard support when searching connection and Security Intelligence events for URLs. |
When searching connection and Security Intelligence events for URLs having the pattern example.com, you must now include wildcards. Specifically, use *example.com* for such searches. Supported platforms: FMC |
||
|
Monitor up to 300,000 concurrent user sessions with FTD devices. |
In Version 6.6.0, some FTD device models support monitoring of additional concurrent user sessions (logins):
All other devices continue to support the old limit of 64,000, except ASA FirePOWER which is limited to 2000. A new health module alerts you when the user identity feature's memory usage reaches a configurable threshold. You can also view a graph of the memory usage over time. New/modified pages:
Supported platforms: FTD devices listed above |
||
|
Integration with IBM QRadar. |
You can use the new Cisco Firepower app for IBM QRadar as an alternate way to display event data and help you analyze, hunt for, and investigate threats to your network. Requires eStreamer. For more information, see the Integration Guide for the Cisco Firepower App for IBM QRadar. Supported platforms: FMC |
||
|
Administration and Troubleshooting |
|||
|
New options for deploying configuration changes. |
The Deploy button on the FMC menu bar is now a menu, with options that add the following functionality:
New/modified pages:
Supported platforms: FMC |
||
|
Initial configuration updates the VDB and schedules SRU updates. |
On new and reimaged FMCs, the setup process now:
Upgraded FMCs are not affected. New/modified pages:
Supported platforms: FMC |
||
|
VDB match no longer required to restore FMC. |
Restoring an FMC from backup no longer requires the same VDB on the replacement FMC. However, restoring does now replace the existing VDB with the VDB in the backup file. Supported platforms: FMC |
||
|
HTTPS certificates with subject alternative name (SAN). |
You can now request a HTTPS server certificate that secures multiple domain names or IP addresses by using SAN. For more information on SAN, see RFC 5280, section 4.2.1.6. New/modified pages: System > Configuration > HTTPS Certificate > Generate New CSR > Subject Alternative Name fields Supported platforms: FMC |
||
|
Real names associated with FMC user accounts. |
You can now specify a real name when you create or modify an FMC user account. This can be a person's name, department, or other identifying attribute. New/modified pages: System > Users > Users > Real Name field. Supported platforms: FMC |
||
|
Cisco Support Diagnostics on additional FTD platforms. |
Upgrade impact. Cisco Support Diagnostics is now fully supported on all FMCs and FTD devices. Previously, support was limited to FMCs, Firepower 4100/9300 with FTD, and FTDv for Azure. Supported platforms: FMC, FTD |
||
|
Usability |
|||
|
Light theme. |
The FMC now defaults to the Light theme, which was introduced as a Beta feature in Version 6.5.0. Upgrading to Version 6.6.0 automatically switches you to the Light theme. You can switch back to the Classic theme in your user preferences. Although we cannot respond to everybody, we welcome feedback on the Light theme. Use the feedback link on the User Preferences page or contact us at fmc-light-theme-feedback@cisco.com. Supported platforms: FMC |
||
|
Display time remaining for upgrades. |
The FMC's Message Center now displays approximately how much time remains until an upgrade will complete. This does not include reboot time. New/modified pages: Message Center Supported platforms: FMC |
||
|
Security and Hardening |
|||
|
Default HTTPS server certificate renewals have 800 day lifespans. |
Upgrade impact. Unless the current default HTTPS server certificate already has an 800-day lifespan, upgrading to Version 6.6.0 renews the certificate, which now expires 800 days from the date of the upgrade. All future renewals have an 800 day lifespan. Your old certificate was set to expire depending on when it was generated. Supported platforms: FMC |
||
|
Firepower Management Center REST API |
|||
|
New REST API capabilities. |
Added the following REST API services to support Version 6.6.0 features:
Added the following REST API services to support older features:
Supported platforms: FMC |
||
|
Changed REST API service name for extended access lists. |
Upgrade impact. The extendedaccesslist (singular) service in the FMC REST API is now extendedaccesslists (plural). Make sure you update your client. Using the old service name fails and returns an Invalid URL error. Request Type: GET URL to retrieve the extended access list associated with a specific ID:
URL to retrieve a list of all extended access lists:
Supported platforms: FMC |
||
|
Deprecated Features |
|||
|
Deprecated: Lower-memory instances for cloud-based FMCv deployments. |
For performance reasons, the following FMCv instances are no longer supported:
You must resize before you upgrade to Version 6.6.0+. For more information, see the upgrade guidelines for Version 6.6 in the release notes. Additionally, as of the Version 6.6 release, lower-memory instance types for cloud-based FMCv deployments are fully deprecated. You cannot create new FMCv instances using them, even for earlier Firepower versions. You can continue running existing instances. |
||
|
Deprecated: e1000 Interfaces on FTDv for VMware. |
Prevents upgrade. Version 6.6 ends support for e1000 interfaces on FTDv for VMware. You cannot upgrade until you switch to vmxnet3 or ixgbe interfaces. Or, you can deploy a new device. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
||
|
Deprecated: Less secure Diffie-Hellman groups, and encryption and hash algorithms. |
Version 6.6 deprecates the following FTD security features:
These features are removed in Version 6.7. Avoid configuring them in IKE proposals or IPSec policies for use in VPNs. Change to stronger options as soon as possible. |
||
|
Deprecated: Custom tables for connection events. |
Version 6.6 ends support for custom tables for connection and Security Intelligence events. After you upgrade, existing custom tables for those events are still 'available' but return no results. We recommend you delete them. There is no change to other types of custom tables. Deprecated options:
|
||
|
Deprecated: Ability to delete connection events from the event viewer. |
Version 6.6 ends support for deleting connection and Security Intelligence events from the event viewer. To purge the database, select . Deprecated options:
|
||
|
Deprecated: Geolocation details. |
In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on. The new country code package has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in an air-gapped deployment—make sure you get the country code package and not the IP package.
|
||
FMC Features in Version 6.5.x
|
Feature |
Details |
||
|---|---|---|---|
|
Administration and Troubleshooting |
|||
|
Version 6.5.0.5 Default HTTPS server certificates |
Upgrade impact. Unless the FMC's current default HTTPS server certificate already has an 800-day lifespan, upgrading to Version 6.5.0.5+ renews the certificate, which now expires 800 days from the date of the upgrade. All future renewals have an 800 day lifespan. Your old certificate was set to expire depending on when it was generated, as follows:
|
||
|
Deprecated Features |
|||
|
Version 6.5.0.2 Deprecated: Egress optimization (temporary). |
Upgrade impact. Egress optimization is a performance feature targeted for selected IPS traffic. It is enabled by default on all FTD platforms, and the Version 6.5.0 upgrade process enables egress optimization on eligible devices. However, to mitigate CSCvq34340, patching FTD to Version 6.5.0.2+ turns off egress optimization processing. This happens regardless of whether the egress optimization feature is enabled or disabled.
For more information, see the software advisory: FTD traffic outage due to 9344 block size depletion caused by the egress optimization feature. Supported platforms: FTD |
||
|
Feature |
Details |
||
|---|---|---|---|
|
Platform |
|||
|
FTD on the Firepower 1150. |
We introduced the Firepower 1150. |
||
|
Larger instances for FTDv for Azure. |
FTDv for Microsoft Azure now supports larger instances: D4_v2 and D5_v2. |
||
|
FMCv 300 for VMware. |
We introduced the FMCv 300, a larger FMCv for VMware. It can manage up to 300 devices, compared to 25 devices for other FMCv instances. You can use the FMC model migration feature to switch to the FMCv 300 from a less powerful platform. |
||
|
VMware vSphere/VMware ESXi 6.7 support |
You can now deploy FMCv, FTDv, and NGIPSv virtual appliances on VMware vSphere/VMware ESXi 6.7. |
||
|
Firepower Threat Defense |
|||
|
Firepower 1010 hardware switch support |
The Firepower 1010 now supports setting each Ethernet interface to be a switch port or a firewall interface. New/modified pages:
Supported platforms: Firepower 1010 |
||
|
Firepower 1010 PoE+ support on Ethernet 1/7 and Ethernet 1/8 |
The Firepower 1010 now supports Power over Ethernet+ (PoE+) on Ethernet 1/7 and Ethernet 1/8. New/modified pages: Devices > Device Management > Interfaces > Edit Physical Interface > PoE Supported platforms: Firepower 1010 |
||
|
Carrier-grade NAT enhancements |
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888). New/modified pages: > add/edit FTD NAT policy > add/edit NAT rule > PAT Pool tab > Block Allocation option Supported platforms: FTD |
||
|
TLS crypto acceleration for multiple container instances on Firepower 4100/9300 |
TLS crypto acceleration is now supported on multiple container instances (up to 16) on a Firepower 4100/9300 chassis. Previously, you could enable TLS crypto acceleration for only one container instance per module/security engine. New instances have this feature enabled by default. However, the upgrade does not enable acceleration on existing instances. Instead, use the create hw-crypto and scope hw-crypto CLI commands. For more information, see the Cisco Secure Firewall Threat Defense Command Reference. New FXOS CLI commands:
Removed FXOS CLI commands:
Removed FTD CLI commands:
Supported platforms: Firepower 4100/9300 |
||
|
Security Policies |
|||
|
Access control rule filtering |
You can now filter access control rules based on search criteria. New/modified pages: Policies > Access Control > Access Control > add/edit policy > filter button ('show only rules matching filter criteria') Supported platforms: FMC |
||
|
Dispute URL category or reputation |
You can now dispute the category or reputation of a URL. New/modified pages:
Supported platforms: FMC |
||
|
User control with destination-based Security Group Tags (SGT) |
You can now use ISE SGT tags for both source and destination matching criteria in access control rules. SGT tags are tag-to-host/network mappings obtained by ISE. New connection event fields:
Renamed connection event fields:
New/modified pages: System > Integration > Identity Sources > Identity Services Engine > Subscribe to Session Directory Topic and SXP Topic options Supported platforms: Any |
||
|
Cisco Firepower User Agent Version 2.5 integration |
We released Version 2.5 of the Cisco Firepower User Agent, which you can integrate with Firepower Versions 6.4.0 through 6.6.x.
New/modified FMC CLI commands: configure user-agent Supported platforms: FMC |
||
|
Event Logging and Analysis |
|||
|
Threat Intelligence Director priorities. |
TID blocking/monitoring observable actions now have priority over blocking/monitoring with Security Intelligence Block lists. If you configure the Block TID observable action, even if the traffic also matches a Security Intelligence Block list set to Block:
If you configure the Monitor TID observable action, even if the traffic also matches a Security Intelligence Block list set to Monitor:
Previously, in each of these cases, the system reported the category by analysis and did not generate a TID incident.
For complete information on system behavior when you enable both Security Intelligence and TID, see the TID-Firepower Management Center Action Prioritization information in the FMC configuration guide. Supported platforms: FMC |
||
|
'Packet profile' CLI commands |
You can now use the FTD CLI to obtain statistics on how the device handled network traffic. That is, how many packets were fastpathed by a prefilter policy, offloaded as a large flow, fully evaluated by access control (Snort), and so on. New FTD CLI commands:
Supported platforms: FTD |
||
|
Additional event types for Cisco SecureX |
Firepower can now send file and malware events to Cisco SecureX, as well as high priority connection events — those related to intrusion, file, malware, and Security Intelligence events. Note that the FMC web interface refers to this offering as Cisco Threat Response (CTR). New/modified pages: System > Integration > Cloud Services. Supported platforms: FTD (via syslog or direct integration) and Classic (via syslog) devices |
||
|
Administration and Troubleshooting |
|||
|
Precision Time Protocol (PTP) configuration for ISA 3000 devices. |
You can use FlexConfig to configure the Precision Time Protocol (PTP) on ISA 3000 devices. PTP is a time-synchronization protocol developed to synchronize the clocks of various devices in a packet-based network. The protocol is designed specifically for industrial, networked measurement and control systems. We now allow you to include the ptp (interface mode) command, and the global commands ptp mode e2etransparent and ptp domain , in FlexConfig objects. New/modified commands: show ptp Supported platforms: ISA 3000 with FTD |
||
|
Configure more domains (multitenancy) |
When implementing multitenancy (segment user access to managed devices, configurations, and events), you can create up to 100 subdomains under a top-level Global domain, in two or three levels. The previous maximum was 50 domains. Supported platforms: FMC |
||
|
ISE Connection Status Monitor enhancements |
The ISE Connection Status Monitor health module now alerts you to issues with TrustSec SXP (SGT Exchange Protocol) subscription status. Supported platforms: FMC |
||
|
Regional clouds |
Upgrade impact. If you use the Cisco Threat Response integration, Cisco Support Diagnostics, or Cisco Success Network features, you can now select a regional cloud. By default, the upgrade assigns you to the US (North America) region. New/modified pages: Supported platforms: FMC, FTD |
||
|
Cisco Support Diagnostics |
Upgrade impact. Cisco Support Diagnostics (sometimes called Cisco Proactive Support) sends configuration and operational health data to Cisco, and processes that data through our automated problem detection system, allowing us to proactively notify you of issues. This feature also allows Cisco TAC to collect essential information from your devices during the course of a TAC case. During initial setup and upgrades, you may be asked to enroll. You can also change your enrollment at any time. In Version 6.5.0, Cisco Support Diagnostics support is limited to select platforms. New/modified pages:
Supported platforms: FMC, Firepower 4100/9300, FTDv for Azure |
||
|
FMC model migration |
You can now use the backup and restore feature to migrate configurations and events between FMCs, even if they are not the same model. This makes it easier to replace FMCs due to technical or business reasons such as a growing organization, migration from a physical to a virtual implementation, hardware refresh, and so on. In general, you can migrate from a lower-end to a higher-end FMC, but not the reverse. Migration from KVM and Microsoft Azure is not supported. You must also unregister and reregister with Cisco Smart Software Manager (CSSM). For details, including supported target and destination models, see the Cisco Secure Firewall Management Center Model Migration Guide. Supported platforms: FMC |
||
|
Default HTTPS server certificates. |
If you are upgrading from Version 6.4.0.9+, the default HTTPS server certificate's lifespan-on-renew returns to 3 years, but this is again updated to 800 days in Version 6.5.0.5+ and 6.6+. Your current default HTTPS server certificate is set to expire depending on when it was generated, as follows:
|
||
|
Security and Hardening |
|||
|
Secure erase for appliance components on FXOS-based FTD devices |
You can now use the FXOS CLI to securely erase a specified appliance component. New FXOS CLI commands: erase secure Supported platforms: Firepower 1000/2000 and Firepower 4100/9300 |
||
|
Stricter password requirements for FMC |
FMC initial setup now requires that you choose a ‘strong’ password
for
Supported platforms: FMC |
||
|
Concurrent user session limits |
You can now limit the number of users that can be logged into the FMC at the same time. You can limit concurrent sessions for users with read only roles, read/write roles, or both. Note that CLI users are limited by the read/write setting. New/modified pages: System > Configuration > User Configuration > Max Concurrent Sessions Allowed options Supported platforms: FMC |
||
|
Authenticated NTP servers |
You can now configure secure communications between the FMC and NTP servers using SHA1 or MD5 symmetric key authentication. For system security, we recommend using this feature. New/modified pages: System > Configuration > Time Synchronization Supported platforms: FMC |
||
|
Usability and Performance |
|||
|
Improved initial configuration experience |
On new and reimaged FMCs, a wizard replaces the previous initial setup process. If you use the GUI wizard, when initial setup completes, the FMC displays the device management page so that you can immediately begin licensing and setting up your deployment. The setup process also automatically schedules the following:
These tasks are scheduled in UTC, which means that when they occur locally depends on the date and your specific location. Also, because tasks are scheduled in UTC, they do not adjust for Daylight Saving Time, summer time, or any such seasonal adjustments that you may observe in your location. If you are affected, scheduled tasks occur one hour "later" in the summer than in the winter, according to local time.
Upgraded FMCs are not affected. For details on the initial configuration wizard, see the Getting Started Guide for your FMC model; for details on scheduled tasks, see the FMC configuration guide. Supported platforms: FMC |
||
|
Light theme |
Beta. The FMC web interface defaults to the Classic theme, but you can also choose a new Light theme.
New/modified pages: User Preferences, from the drop-down list under your username Supported platforms: FMC |
||
|
Usability enhancements for viewing objects |
We have enhanced 'view object' capabilities for network, port, VLAN, and URL objects, as follows:
New/modified pages:
Supported platforms: FMC |
||
|
Usability enhancements for deploying configuration changes |
We streamlined the display of errors and warnings related to deploying configuration changes. Instead of an immediate verbose view, you can now Click to view all details to see more information about a particular error or warning. New/modified pages: Errors and Warnings for Requested Deployment dialog box Supported platforms: FMC |
||
|
Usability enhancements to FTD NAT policy management |
When configuring FTD NAT, you can now:
New/modified pages: Devices > NAT > create or edit FTD NAT policy > Show Warnings and Rules Per Page options Supported platforms: FTD |
||
|
Firepower Management Center REST API |
|||
|
New REST API capabilities |
Added the following REST API objects to support Version 6.5.0 features:
Added the following REST API objects to support older features:
Supported platforms: FMC |
||
|
Deprecated Features |
|||
|
End of support: FMC 750, 1500, 3500. |
You cannot run Version 6.5+ on the FMC models FMC 1000, 2500, and 4500. You cannot manage Version 6.5+ devices with these FMCs. |
||
|
End of support: ASA 5515-X and ASA 5585-X series |
You cannot run Version 6.5+ on the ASA 5515-X and ASA 5585-X series devices (SSP-10, -20, -40, and -60). |
||
|
End of support: Firepower 7000/8000 series. |
You cannot run Version 6.5+ on Firepower 7000/8000 series devices, including AMP models. |
||
|
Deprecated: Ability to disable the FMC CLI. |
Version 6.3 introduced the FMC CLI, which you had to explicitly enable. In Version 6.5, the CLI is automatically enabled, for both new and upgraded deployments. If you want to access the Linux shell (also called expert mode), you must log in to the CLI and then use the expert command.
Deprecated options: System > Configuration > Console Configuration > Enable CLI access check box |
||
|
Deprecated: MD5 authentication algorithm and DES encryption for SNMPv3 users. |
Version 6.5 deprecates the MD5 authentication algorithm and DES encryption for SNMPv3 users on FTD. Although these configurations continue to work post-upgrade, the system displays a warning when you deploy. And, you cannot create new users or edit existing users with these options. Support is removed in Version 7.0. If you are still using these options in your platform settings policy, we recommend you switch to stronger options now. New/modified screens: Devices > Platform Settings > SNMP > Users |
||
|
Deprecated: TLS 1.0 & 1.1. |
Upgrade impact. To enhance security:
If your client fails to connect with a Firepower appliance, we recommend you upgrade your client to support TLS 1.2. |
||
|
Deprecated: TLS crypto acceleration FXOS CLI commands for Firepower 4100/9300. |
As part of allowing TLS crypto acceleration for multiple container instances on Firepower 4100/9300, we removed the following FXOS CLI commands:
And this FTD CLI command:
For information on their replacements, see the new feature documentation. |
||
|
Deprecated: Cisco Security Packet Analyzer integration. |
Version 6.5 ends support for FMC integration with Cisco Security Packet Analyzer. Deprecated screens/options:
|
||
|
Deprecated: Geolocation details. |
In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on. The new country code package has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in an air-gapped deployment—make sure you get the country code package and not the IP package.
|
||
) now allows you to drill down into object groups and
nested objects.
FMC Features in Version 6.4.x
|
Feature |
Details |
||
|---|---|---|---|
|
Version 6.4.0.17 Smaller VDB for lower memory devices. |
For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB. Minimum threat defense: Any Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X Version restrictions: The ability to install a smaller VDB depends on the version of the FMC, not managed devices. If you upgrade the FMC from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641. |
||
|
Version 6.4.0.10 Upgrades postpone scheduled tasks. |
Upgrade impact. Upgrades now postpone scheduled tasks. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot.
Note that this feature is supported for Firepower appliances running Version 6.4.0.10 or any later patch. It is not supported for upgrades to Version 6.4.0.10, or upgrades that skip Version 6.4.0.10. This feature is temporarily deprecated in Versions 6.5.0–6.6.1, but returns in Version 6.6.3. |
||
|
Version 6.4.0.9 Default HTTPS server certificates. |
Upgrade impact. Upgrading an FMC or 7000/8000 series device from Version 6.4.0–6.4.0.8 to any later Version 6.4.0.x patch (or an FMC to Version 6.6.0+) renews the default HTTPS server certificate, which expires 800 days from the date of the upgrade. All future renewals have an 800 day lifespan. Your old certificate was set to expire depending on when it was generated, as follows:
Note that in Version 6.5.0–6.5.0.4, the lifespan-on-renew returns to 3 years, but this is again updated to 800 days with Version 6.5.0.5 and 6.6.0. |
||
|
Version 6.4.0.4 New syslog fields. |
These new syslog fields collectively identify a unique connection event:
These fields also appear in syslogs for intrusion, file, and malware events, allowing connection events to be associated with those events. |
||
|
Version 6.4.0.2 Detection of rule conflicts in FTD NAT policies. |
Upgrade impact. After you upgrade to Version 6.4.0.2 or later patch, you can no longer create FTD NAT policies with conflicting rules (often referred to as duplicate or overlapping rules). This fixes an issue where conflicting NAT rules were applied out-of-order. If you currently have conflicting NAT rules, you will be able to deploy post-upgrade. However, your NAT rules will continue to be applied out-of-order. Therefore, we recommend that after the upgrade, you inspect your FTD NAT policies by editing (no changes are needed) then attempting to resave. If you have rule conflicts, the system will prevent you from saving. Correct the issues, save, and then deploy. |
||
|
Version 6.4.0.2 ISE Connection Status Monitor health module. |
A new health module, the ISE Connection Status Monitor, monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the FMC. |
|
Feature |
Details |
||
|---|---|---|---|
|
Platform |
|||
|
FMC 1600, 2600, and 4600. |
We introduced the FMC models FMC 1600, 2600, and 4600. |
||
|
FMCv for Azure. |
We introduced FMCv for Microsoft Azure. |
||
|
FTD on the Firepower 1010, 1120, and 1140. |
We introduced the Firepower 1010, 1120, and 1140. |
||
|
FTD on the Firepower 4115, 4125, and 4145. |
We introduced the Firepower 4115, 4125, and 4145. |
||
|
Firepower 9300 SM-40, SM-48, and SM-56 support. |
We introduced three new security modules: SM-40, SM-48, and SM-56. With FXOS 2.6.1, you can mix different types of security modules in the same chassis. |
||
|
ASA and FTD on the same Firepower 9300. |
With FXOS 2.6.1, you can now deploy ASA and FTD logical devices on the same Firepower 9300. |
||
|
Firepower Threat Defense: Device Management |
|||
|
FTDv for VMware defaults to vmxnet3 interfaces. |
FTDv for VMware now defaults to vmxnet3 interfaces when you create a virtual device. Previously, the default was e1000. The vmxnet3 device drivers and network processing are integrated with the ESXi hypervisor, so they use fewer resources and offer better network performance.
Supported platforms: FTDv for VMware |
||
|
Firepower Threat Defense: Routing |
|||
|
Rotating (keychain) authentication for OSPFv2 routing. |
You can now use rotating (keychain) authentication when configuring OSPFv2 routing. New/modified pages:
Supported platforms: FTD |
||
|
Firepower Threat Defense: Encryption and VPN |
|||
|
RA VPN: Secondary authentication. |
Secondary authentication, also called double authentication, adds an additional layer of security to RA VPN connections by using two different authentication servers. With secondary authentication enabled, AnyConnect VPN users must provide two sets of credentials to log in to the VPN gateway. RA VPN supports secondary authentication for the AAA Only and Client Certificate and AAA authentication methods. New/modified pages: > add/edit configuration > Connection Profile > AAA area Supported platforms: FTD |
||
|
Site-to-site VPN: Dynamic IP addresses for extranet endpoints. |
You can now configure site to site VPNs to use a dynamic IP address for extranet endpoints. In hub-and-spoke deployments, you can use a hub as an extranet endpoint. New/modified pages: > add/edit FTD VPN topology > Endpoints tab > add endpoint > IP Address option Supported platforms: FTD |
||
|
Site-to-site VPN: Dynamic crypto maps for point-to-point topologies. |
You can now use dynamic crypto maps in point-to-point as well as in hub-and-spoke VPN topologies. Dynamic crypto maps are still not supported for full mesh topologies. You specify the crypto map type when you configure a topology. Make sure you also specify a dynamic IP address for one of the peers in the topology. New/modified pages: > add/edit FTD VPN topology > IPsec tab > Crypto Map Type option Supported platforms: FTD |
||
|
TLS crypto acceleration. |
Upgrade impact. SSL hardware acceleration has been renamed TLS crypto acceleration. Depending on the device, TLS crypto acceleration might be performed in software or in hardware. The Version 6.4.0 upgrade process automatically enables acceleration on all eligible devices, even if you previously disabled the feature manually. In most cases you cannot configure this feature; it is automatically enabled and you cannot disable it. However, if you are using the multi-instance capability of the Firepower 4100/9300 chassis, you can enable TLS crypto acceleration for one container instance per module/security engine. Acceleration is disabled for other container instances, but enabled for native instances. New FXOS CLI commands for the Firepower 4100/9300 chassis:
New FTD CLI commands:
Removed FTD CLI commands:
Supported platforms: Firepower 2100 series, Firepower 4100/9300 |
||
|
Event Logging and Analysis |
|||
|
Improvements to syslog messages for file and malware events. |
Fully qualified file and malware event data can now be sent from managed devices via syslog. New/modified pages: > add/edit policy > Logging tab > File and Malware Settings area Supported platforms: Any |
||
|
Search intrusion events by CVE ID. |
You can now search for intrusion events generated as a result of a particular CVE exploit. New/modified pages: Supported platforms: FMC |
||
|
IntrusionPolicy field is now included in syslog. |
Intrusion event syslog messages now specify the intrusion policy that triggered the event. Supported platforms: Any |
||
|
Cisco SecureX integration. |
Cisco SecureX is a cloud offering that helps you rapidly detect, investigate, and respond to threats. This feature lets you analyze incidents using data aggregated from multiple products, including Firepower Threat Defense. Note that the FMC web interface refers to this offering as Cisco Threat Response (CTR). See the Cisco Secure Firewall Threat Defense and SecureX Integration Guide.New/modified pages: Supported platforms: FTD |
||
|
Splunk integration. |
Splunk users can use a new, separate Splunk app, Cisco Secure Firewall (f.k.a. Firepower) app for Splunk, to analyze events. Available functionality is affected by your Firepower version. See Cisco Secure Firewall App for Splunk User Guide. Supported platforms: FMC |
||
|
Cisco Security Analytics and Logging (SaaS) integration. |
You can send Firepower events to the Stealthwatch Cloud for storage, and optionally make your Firepower event data available for security analytics using Stealthwatch Cloud. Using Cisco Security Analytics and Logging (SaaS), also known as SAL (SaaS), your Firepower devices send events as syslog messages to a Security Events Connector (SEC) installed on a virtual machine on your network, and this SEC forwards the events to the Stealthwatch cloud for storage. You view and work with your events using the web-based Cisco Defense Orchestrator (CDO) portal. Depending on the license you purchase, you can also use the Stealthwatch portal to access that product's analytics features. Supported platforms: FTD with FMC |
||
|
Administration and Troubleshooting |
|||
|
New licensing capabilities for ISA 3000. |
For ASA FirePOWER and FTD deployments, the ISA 3000 now supports URL Filtering and Malware licenses and their associated features. For FTD only, the ISA 3000 also now supports Specific License Reservation for approved customers. Supported platforms: ISA 3000 |
||
|
Scheduled remote backups of managed devices. |
You can now use the FMC to schedule remote backups of certain managed devices. Previously, only Firepower 7000/8000 series devices supported scheduled backups, and you had to use the device's local GUI. New/modified pages: > add/edit task > choose Job Type: Backup > choose a Backup Type Supported platforms: FTD physical platforms, FTDv for VMware, Firepower 7000/8000 series Exceptions: No support for FTD clustered devices or container instances |
||
|
Ability to disable Duplicate Address Detection (DAD) on management interfaces. |
When you enable IPv6, you can disable DAD. You might want to disable DAD because using DAD opens up the possibility of denial of service attacks. If you disable this setting, you need check manually that this interface is not using an already-assigned address. New/modified pages: area > edit interface > IPv6 DAD check box Supported platforms: FMC, Firepower 7000/8000 series |
||
|
Ability to disable ICMPv6 Echo Reply and Destination Unreachable messages on management interfaces. |
When you enable IPv6, you can now disable ICMPv6 Echo Reply and Destination Unreachable messages. You might want to disable these packets to guard against potential denial of service attacks. Disabling Echo Reply packets means you cannot use IPv6 ping to the device management interfaces for testing purposes. New/modified pages: New/modified commands:
Supported platforms: FMC (web interface only), managed devices (CLI only) |
||
|
Support for the Service-Type attribute for FTD users defined on the RADIUS server. |
For RADIUS authentication of FTD CLI users, you used to have to predefine the usernames in the RADIUS external authentication object and manually make sure that the list matched usernames defined on the RADIUS server. You can now define CLI users on the RADIUS server using the Service-Type attribute and also define both Basic and Config user roles. To use this method, be sure to leave the shell access filter blank in the external authentication object. New/modified pages: tab > add/edit external authentication object > Shell Access Filter Supported platforms: FTD |
||
|
View object use. |
The object manager now allows you to see the policies, settings, and other objects where a network, port, VLAN, or URL object is used. New/modified pages: Objects > Object Management > choose object type > Find Usage (binoculars) icon Supported platforms: FMC |
||
|
Hit counts for access control and prefilter rules. |
You can now access hit counts for access control and prefilter rules on your FTD devices. New/modified pages:
New commands:
Modified commands: show failover Supported platforms: FTD |
||
|
URL Filtering health monitor improvements. |
You can now configure time thresholds for URL Filtering Monitor alerts. New/modified pages: > add/edit policy > URL Filtering Monitor Supported platforms: Any |
||
|
Connection-based troubleshooting. |
Connection-based troubleshooting or debugging provides uniform debugging across modules to collect appropriate logs for a specific connection. It also supports level-based debugging up to 7 levels and enables uniform log collection mechanism for lina and Snort logs. New/modified commands:
Supported platforms: FTD |
||
|
New Cisco Success Network monitoring capabilities |
Added the following Cisco Success Network monitoring capabilities:
Supported platforms: FMC |
||
|
Security and Hardening |
|||
|
Signed SRU, VDB, and GeoDB updates. |
So Firepower can verify that you are using the correct update files, Version 6.4.0+ uses signed updates for intrusion rules (SRU), the vulnerability database (VDB), and the geolocation database (GeoDB). Earlier versions continue to use unsigned updates. Unless you manually download updates from Cosco—for example, in an air-gapped deployment—you should not notice any difference in functionality. If, however, you do manually download and install SRU, VDB, and GeoDB updates, make sure you download the correct package for your current version. Signed update files for Version 6.4.0+ begin with 'Cisco' instead of 'Sourcefire,' and terminate in .sh.REL.tar instead of .sh:
Update files for Version 5.x through 6.3 still use the old naming scheme:
We will provide both signed and unsigned updates until the end-of-support for versions that require unsigned updates. Do not untar signed (.tar) packages.
Supported platforms: Any |
||
|
SNMPv3 users can authenticate using a SHA-256 authorization algorithm. |
SNMPv3 users can now authenticate using a SHA-256 algorithm. New/modified screen: Devices > Platform Settings > SNMP > Users > Auth Algorithm Type Supported platforms: Firepower Threat Defense |
||
|
2048-bit certificate keys now required (security enhancement). |
Upgrade impact. When making secure connections to external data sources, such as AMP for Endpoints or Cisco Threat Intelligence Detector (TID), the FMC now requires that the server certificate be generated with keys that are at least 2048 bits long. Certificates previously generated with 1024-bit keys will no longer work. Note that this security enhancement was introduced in Version 6.3.0.3. If you are upgrading from Version 6.1.0 through 6.3.0.2, you may be affected. If you cannot connect, regenerate the server certificate on your data source. If necessary, reconfigure the FMC connection to the data source. Supported platforms: FMC |
||
|
Usability and Performance |
|||
|
Snort restart improvements. |
Before Version 6.4.0, during Snort restarts, the system dropped encrypted connections that matched a 'Do not decrypt' SSL rule or default policy action. Now, routed/transparent traffic passes without inspection instead of dropping, as long as you did not disable large flow offload or Snort preserve-connection. Supported platforms: Firepower 4100/9300 |
||
|
Performance improvement for selected IPS traffic. |
Upgrade impact. Egress optimization is a performance feature targeted for selected IPS traffic. It is enabled by default on all FTD platforms, and the Version 6.4.0 upgrade process enables egress optimization on eligible devices. New/modified commands:
For more information, see the Cisco Secure Firewall Threat Defense Command Reference. To troubleshoot issues with egress optimization, contact Cisco TAC.
Supported platforms: FTD |
||
|
Faster SNMP event logging. |
Performance improvements when sending intrusion and connection events to an external SNMP trap server. Supported platforms: Any |
||
|
Faster deploy. |
Improvements to appliance communications and deploy framework. Supported platforms: FTD |
||
|
Faster upgrade. |
Improvements to the event database. Supported platforms: Any |
||
|
Firepower Management Center REST API |
|||
|
New REST API capabilities. |
Added REST API objects to support Version 6.4.0 features:
Supported platforms: FMC |
||
|
API Explorer based on OAS. |
Version 6.4.0 uses a new API Explorer, based on the OpenAPI Specification (OAS). As part of the OAS, you now use CodeGen to generate sample code. You can still access the legacy API Explorer if you prefer. Supported platforms: FMC |
||
|
Deprecated Features |
|||
|
Deprecated: SSL hardware acceleration FTD CLI commands. |
As part of the TLS crypto acceleration feature, we removed the following FTD CLI commands:
|
||
|
Deprecated: Geolocation details. |
In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on. The new country code package has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in an air-gapped deployment—make sure you get the country code package and not the IP package.
|
||
FMC Features in Version 6.3.x
|
Feature |
Details |
|---|---|
|
Version 6.3.0.4 Detection of rule conflicts in FTD NAT policies |
Upgrade impact. After you upgrade to Version 6.3.0.4 or later patch, you can no longer create FTD NAT policies with conflicting rules (often referred to as duplicate or overlapping rules). This fixes an issue where conflicting NAT rules were applied out-of-order. If you currently have conflicting NAT rules, you will be able to deploy post-upgrade. However, your NAT rules will continue to be applied out-of-order. Therefore, we recommend that after the upgrade, you inspect your FTD NAT policies by editing (no changes are needed) then attempting to resave. If you have rule conflicts, the system will prevent you from saving. Correct the issues, save, and then deploy. Note that upgrading to Version 6.4.0 deprecates this fix. It is fixed again in Version 6.4.0.2. |
|
Version 6.3.0.4 ISE Connection Status Monitor module |
A new module, the ISE Connection Status Monitor, monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the FMC. Note that upgrading to Version 6.4.0 deprecates this module. Support returns in Version 6.4.0.2. New/modified screens: System > > Policy > create or edit policy > ISE Connection Status Monitor |
|
Version 6.3.0.3 2048-bit certificate keys now required (security enhancement) |
When making secure connections to external data sources, such as AMP for Endpoints or Cisco Threat Intelligence Detector (TID), the FMC now requires that the server certificate be generated with keys that are at least 2048 bits long. Certificates previously generated with 1024-bit keys will no longer work. If you cannot connect, regenerate the server certificate on your data source. If necessary, reconfigure the FMC connection to the data source. |
|
Version 6.3.0.1 EMS extension support |
Upgrade impact. Version 6.3.0.1 reintroduces EMS extension support, which was introduced in Version 6.2.3.8/6.2.3.9 but was not included in Version 6.3.0. Both the Decrypt-Resign and Decrypt-Known Key SSL policy actions again support the EMS extension during ClientHello negotiation, enabling more secure communications. The EMS extension is defined by RFC 7627. In FMC deployments, this feature depends on the device version. Although best practice is to upgrade your whole deployment, this feature is supported even if you patch only the device. |
|
Feature |
Details |
|||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Platform |
||||||||||||||||||||||
|
FMC 1600, 2600, and 4600. |
We introduced the FMC models FMC 1600, 2600, and 4600. |
|||||||||||||||||||||
|
ISA 3000 with FirePOWER Services. |
ISA 3000 with FirePOWER Services is supported in Version 6.3 (Protection license only). Although ISA 3000 with FirePOWER Services was also supported in Version 5.4.x, you cannot upgrade to Version 6.3 You must reimage. |
|||||||||||||||||||||
|
Hardware bypass support for the Firepower 2100. |
Firepower 2100 series devices now support hardware bypass functionality when using the hardware bypass network modules. New/modified pages: Supported platforms: Firepower 2100 series |
|||||||||||||||||||||
|
Support for data EtherChannels in On mode for the Firepower 4100/9300. |
You can now set data and data-sharing EtherChannels to either Active LACP mode or to On mode. Other types of EtherChannels only support Active mode. New/modified Firepower Chassis Manager pages: New/modified FXOS commands: set port-channel-mode Supported platforms: Firepower 4100/9300 |
|||||||||||||||||||||
|
Firepower Threat Defense: HA and Clustering |
||||||||||||||||||||||
|
Multi-instance capability for Firepower 4100/9300. |
You can now deploy multiple logical devices, each with a Firepower Threat Defense container instance, on a single security engine/module. Formerly, you could only deploy a single native application instance. To provide flexible physical interface use, you can create VLAN subinterfaces in FXOS and also share interfaces between multiple instances. Resource management lets you customize performance capabilities for each instance. You can use high availability using a container instance on 2 separate chassis. Clustering is not supported.
New/modified FMC pages: > edit device > Interfaces tab New/modified Firepower Chassis Manager pages:
New/modified FXOS commands: connect ftdname , connect module telnet , create bootstrap-key PERMIT_EXPERT_MODE ,create resource-profile , create subinterface , scope auto-macpool , set cpu-core-count , set deploy-type , set port-type data-sharing , set prefix , set resource-profile-name , set vlan , scope app-instance ftd name , show cgroups container , show interface , show mac-address , show subinterface , show tech-support module app-instance , show version Supported platforms: Firepower 4100/9300 |
|||||||||||||||||||||
|
Cluster control link customizable IP Address for the Firepower 4100/9300 |
By default, the cluster control link uses the 127.2.0.0/16 network. You can now set the network when you deploy the cluster in FXOS. The chassis auto-generates the cluster control link interface IP address for each unit based on the chassis ID and slot ID: 127.2.chassis_id.slot_id. However, some networking deployments do not allow 127.2.0.0/16 traffic to pass. Therefore, you can now set a custom /16 subnet for the cluster control link in FXOS except for loopback (127.0.0.0/8) and multicast (224.0.0.0/4) addresses. New/modified Firepower Chassis Manager pages: New/modified options: CCL Subnet IP field New/modified FXOS commands: set cluster-control-link network Supported platforms: Firepower 4100/9300 |
|||||||||||||||||||||
|
Improved FTD cluster addition to the FMC |
You can now add any unit of a cluster to the FMC, and the other cluster units are detected automatically. Formerly, you had to add each cluster unit as a separate device, and then group them into a cluster with the FMC. Adding a cluster unit is also now automatic. Note that you must delete a unit manually. New/modified pages:
Supported platforms: Firepower 4100/9300 |
|||||||||||||||||||||
|
Firepower Threat Defense: Encryption and VPN |
||||||||||||||||||||||
|
SSL hardware acceleration |
Additional FTD devices now support SSL hardware acceleration. Also, this option is now enabled by default. Upgrading to Version 6.3.0 automatically enables SSL hardware acceleration on eligible devices. Using SSL hardware acceleration if you are not decrypting traffic can affect performance. We recommend you disable SSL hardware acceleration on devices that are not decrypting traffic. Supported platforms: Firepower 2100 series, Firepower 4100/9300 |
|||||||||||||||||||||
|
RA VPN: RADIUS Dynamic Authorization or Change of Authorization (CoA) |
You can now use RADIUS servers for user authorization of RA VPN using dynamic access control lists (ACLs) or ACL names per user. Supported platforms: FTD |
|||||||||||||||||||||
|
RA VPN: Two-Factor Authentication |
Firepower Threat Defense now supports two-factor authentication for RA VPN users using the Cisco AnyConnect Secure Mobility Client. For the two-factor authentication process, we support:
For more information on Duo multi-factor authentication (MFA) for FTD, see the Cisco Firepower Threat Defense (FTD) VPN with AnyConnect documentation on the Duo Security website. Supported platforms: FTD |
|||||||||||||||||||||
|
Security Policies |
||||||||||||||||||||||
|
Firepower Threat Defense service policy |
You can now configure a Firepower Threat Defense service policy as part of your access control policy advanced options. Use FTD service policies to apply services to specific traffic classes. Features supported include:
New/modified pages: > edit/create policy > Advanced tab > Threat Defense Service Policy Supported platforms: FTD |
|||||||||||||||||||||
|
Update interval for URL category and reputation data |
Upgrade impact. You can now force URL data to expire. There is a tradeoff between security and performance. A shorter interval means you use more current data, while a longer interval can make web browsing faster for your users. If you worked with Cisco TAC to specify a timeout value for the URL filtering cache, the upgrade may change that value. Otherwise, the setting defaults to disabled (the current behavior), meaning that cached URL data does not expire.New/modified pages: setting Supported platforms: FMC |
|||||||||||||||||||||
|
Event Logging and Analysis |
||||||||||||||||||||||
|
Cisco Security Packet Analyzer Integration |
You can integrate with Cisco Security Packet Analyzer to examine events and display analysis results, or download results for further analysis. New/modified pages:
Supported platforms: FMC |
|||||||||||||||||||||
|
Contextual cross-launch |
You can right-click an event in the dashboard or event viewer to look up related information in predefined or custom, public or private URL-based resources. New/modified pages: Supported platforms: FMC |
|||||||||||||||||||||
|
Unified syslog configuration |
Upgrade impact. Version 6.3.0 changes and centralizes the way the system logs connection and intrusion events via syslog. Previously, you configured event logging via syslog in multiple places, depending on the event type. You now configure syslog messaging in the access control policy. These configurations affect connection and intrusion event logging for the access control, SSL, prefilter, and intrusion policies, as well as for Security Intelligence. The upgrade does not change your existing settings for connection event logging. However, you may suddenly start receiving intrusion events you did not "expect" via syslog. This is because the intrusion policy now sends syslog events to the destination specified in the access control policy. (Before, you could configure syslog alerting in an intrusion policy to send events to the syslog on the managed device itself rather than to an external host.) For FTD devices, some syslog platform settings now apply to connection and intrusion event messages. For a list, see the Platform Settings for Firepower Threat Defense chapter in the FMC configuration guide. For NGIPS devices (7000/8000 series, ASA FirePOWER, NGIPSv), messages now use the ISO 8601 timestamp format as specified in RFC 5425. Supported platforms: Any |
|||||||||||||||||||||
|
Fully qualified syslog messages for connection and intrusion events |
The format of syslog messages for connection, security intelligence, and intrusion events have the following changes:
Supported platforms: Any |
|||||||||||||||||||||
|
Other syslog improvements for FTD devices |
You can send all syslog messages from the same interface (data or management), using the same IP address, using TCP or UDP protocol. Note that secure syslog is supported on data ports only. You can also use the RFC 5424 format for message timestamps. Supported platforms: FTD |
|||||||||||||||||||||
|
Administration and Troubleshooting |
||||||||||||||||||||||
|
Export-controlled features for approved customers |
Customers whose Smart Accounts are not otherwise eligible to use restricted functionality can purchase term-based licenses, with approval. New/modified pages: Supported platforms: FMC, FTD |
|||||||||||||||||||||
|
Specific License Reservation for approved customers |
Customers can use Specific License Reservation to deploy Smart Licensing in an air-gapped network. The FMC reserves licenses from your virtual account for a specified duration without accessing the Cisco Smart Software Manager or Smart Software Satellite Server. New/modified pages: Supported platforms: FMC, FTD (except ISA 3000) |
|||||||||||||||||||||
|
IPv4 range, subnet, and IPv6 support for SNMP hosts |
You can now use IPv4 range, IPv4 subnet, and IPv6 host network objects to specify the SNMP hosts that can access a Firepower Threat Defense device. New/modified pages: > create or edit FTD policy > SNMP > Hosts tab Supported platforms: FTD |
|||||||||||||||||||||
|
Access control using fully qualified domain names (FQDN) |
You can now create fully qualified domain name (FQDN) network objects and use them in access control and prefilter rules. To use FQDN objects, you must also configure DNS server groups and DNS platform settings, so that the system can resolve the domain names. New/modified pages:
Supported platforms: FTD |
|||||||||||||||||||||
|
CLI for the FMC |
An CLI for the FMC supports a small set of basic commands (change password, show version, reboot/restart, and so on). By default the FMC CLI is disabled, and logging into FMC using SSH accesses the Linux shell. New/modified Classic CLI commands: The system lockdown-sensor command has changed to system lockdown . This command now works for both devices and FMCs. New/modified pages: check box Supported platforms: FMC, including FMCv |
|||||||||||||||||||||
|
Copy device configurations |
You can copy device configurations and policies from one device to another. New/modified pages: > edit the device > General area > Get/Push Device Configuration icons. Supported platforms: FMC |
|||||||||||||||||||||
|
Backup/restore FTD device configurations |
You can use the FMC web interface to back up configurations for some FTD devices. New/modified pages: New/modified CLI commands: restore Supported platforms: All physical FTD devices, FTDv for VMware |
|||||||||||||||||||||
|
Skip deploying to up-to-date devices when you schedule deploy tasks |
Upgrade impact. When you schedule a task to deploy configuration changes, you can now opt to Skip Deployment for up-to-date devices. This performance-enhancing setting is enabled by default. The upgrade process automatically enables this option on existing scheduled tasks. To continue to force a scheduled deploy to up-to-date devices, you must edit the scheduled task. New/modified pages: > add or edit a task > choose Job Type of Deploy Policies Supported platforms: FMC |
|||||||||||||||||||||
|
New health modules |
New health modules alert you when:
New/modified pages:
Supported platforms: FMC |
|||||||||||||||||||||
|
Configurable packet capture size |
You can now store up to 10 GB of packet captures. New/modified CLI commands: file-size , show capture Supported platforms: Firepower 4100/9300 |
|||||||||||||||||||||
|
Web interface changes. |
Version 6.3 changes these menu options:
|
|||||||||||||||||||||
|
Security and Hardening |
||||||||||||||||||||||
|
HTTPS Certificates |
The default HTTPS server certificate provided with the system now expires in three years. If your appliance uses a default server certificate that was generated before you upgraded to Version 6.3.0, the server certificate will expire 20 years from when it was first generated. If you are using the default HTTPS server certificate the system now provides the ability to renew it. New/modified pages: button New/modified Classic CLI commands: show http-cert-expire-date , system renew-http-certnew_key Supported platforms: Physical FMCs, 7000/8000 series devices |
|||||||||||||||||||||
|
Improved login security |
Upgrade impact. Added FMC user configuration settings to improve login security:
We also updated the list of supported ciphers and cryptographic algorithms for secure SSH access. If your SSH client fails to connect with a Firepower appliance due to a cipher error, update your client to the latest version. New/modified pages: Supported platforms: FMC |
|||||||||||||||||||||
|
Limit SSH login failures on devices |
When a user accesses any device via SSH and fails three successive login attempts, the device terminates the SSH session. Supported platforms: Any device |
|||||||||||||||||||||
|
Usability and Performance |
||||||||||||||||||||||
|
How-to walkthroughs |
FMC walkthroughs (also called how-tos) guide you through a variety of basic tasks such as device setup and policy configuration. Just click How To at the bottom of the browser window, choose a walkthrough, and follow the step-by-step instructions. To end a walkthrough at any time, click the x in the upper right corner.
The following are some common problems and solutions:
|
|||||||||||||||||||||
|
Firepower Management Center REST API |
||||||||||||||||||||||
|
New REST API services |
Added REST API services to support these features:
Supported platforms: FMC |
|||||||||||||||||||||
|
Bulk overrides |
You can now perform bulk overrides on specific objects. For a full list, see the Cisco Firepower Management Center REST API Quick Start Guide. |
|||||||||||||||||||||
|
Deprecated Features |
||||||||||||||||||||||
|
End of support: VMware vSphere/VMware ESXi 5.5. |
Version 6.3 discontinues support for virtual deployments on VMware vSphere/VMware ESXi 6.0. Upgrade the hosting environment to a supported version before you upgrade the Firepower software. |
|||||||||||||||||||||
|
End of support: ASA 5512-X and 5506-X series. |
You cannot run Version 6.3+ on the ASA 5506-X, 5506H-X, 5506W-X, and 5512-X. |
|||||||||||||||||||||
|
Deprecated: EMS extension support for decryption (temporary). |
Upgrade impact. Version 6.3.0 temporarily discontinues EMS extension support, which was introduced in Version 6.2.3.8/6.2.3.9. This means that the Decrypt-Resign and Decrypt-Known Key SSL policy actions no longer support the EMS extension during ClientHello negotiation, which would enable more secure communications. The EMS extension is defined by RFC 7627. In FMC deployments, this feature depends on the device version. Upgrading the FMC to Version 6.3.0 does not discontinue support, as long as the device is running a supported version. However, upgrading the device to Version 6.3.0 does discontinue support. Support is reintroduced in Version 6.3.0.1. |
|||||||||||||||||||||
|
Deprecated: Decryption on passive and inline tap interfaces. |
Upgrade impact. Version 6.3 ends support for decrypting traffic on interfaces in passive or inline tap mode, even though the GUI allows you to configure it. Any inspection of encrypted traffic is necessarily limited. |
|||||||||||||||||||||
|
Deprecated: Default DNS group with FlexConfig. |
Version 6.3 deprecates this FlexConfig object for FTD with FMC:
And these associated text objects:
These allowed you to configure the Default DNS group, which defines the DNS servers that can be used when resolving fully qualified domain names on the data interfaces. This allowed you to use commands in the CLI, such as ping , using host names rather than IP addresses. You can now configure DNS for the data interfaces in the FTD platform settings policy: > create or edit FTD policy > DNS. |
|||||||||||||||||||||
|
Deprecated: Embryonic connection limit and timeout with FlexConfig. |
Can cause post-upgrade deployment issues. Version 6.3 deprecates these FlexConfig objects for FTD with FMC:
And these associated text objects:
These allowed you to configure embryonic connection limits and timeouts to protect against SYN Flood Denial of Service (DoS) attacks. You can now configure these features in the FTD service policy: > add/edit policy > Advanced tab > Threat Defense Service Policy.
|
|||||||||||||||||||||
|
Deprecated: Geolocation details. |
In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on. The new country code package has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in an air-gapped deployment—make sure you get the country code package and not the IP package.
|
|||||||||||||||||||||
FMC Features in Version 6.2.3
New Features
|
Feature |
Details |
||
|---|---|---|---|
|
Version 6.2.3.13 Detection of rule conflicts in FTD NAT policies |
After you upgrade to Version 6.2.3.13+, you can no longer create FTD NAT policies with conflicting rules (often referred to as duplicate or overlapping rules). This fixes an issue where conflicting NAT rules were applied out-of-order. If you currently have conflicting NAT rules, you will be able to deploy post-upgrade. However, your NAT rules will continue to be applied out-of-order. Therefore, we recommend that after the upgrade, you inspect your FTD NAT policies by editing (no changes are needed) then attempting to resave. If you have rule conflicts, the system will prevent you from saving. Correct the issues, save, and then deploy.
Supported platforms: FTD |
||
|
Version 6.2.3.8 EMS extension support |
Both the Decrypt-Resign and Decrypt-Known Key SSL policy actions now support the EMS extension during ClientHello negotiation, enabling more secure communications. The EMS extension is defined by RFC 7627.
Supported platforms: Any |
||
|
Version 6.2.3.7 TLS v1.3 downgrade CLI command for FTD |
A new CLI command allows you to specify when to downgrade TLS v1.3 connections to TLS v1.2. Many browsers use TLS v1.3 by default. If you are using an SSL policy to handle encrypted traffic, and people in your monitored network use browsers with TLS v1.3 enabled, websites that support TLS v1.3 fail to load. For more information, see the system support commands in the Cisco Secure Firewall Threat Defense Command Reference. We recommend you use these commands only after consulting with Cisco TAC. Supported platforms: FTD |
||
|
Version 6.2.3.3 Site-to-site VPN with clustering |
You can now configure site-to-site VPN with clustering. Site-to-site VPN is a centralized feature; only the control unit supports VPN connections. Supported platforms: Firepower 4100/9300 |
|
Feature |
Details |
||
|---|---|---|---|
|
Platform |
|||
|
FTD on the ISA 3000. |
You can now run FTD on the ISA 3000 series. Note that the ISA 3000 supports the Threat license only. It does not support the URL Filtering or Malware licenses. Thus, you cannot configure features that require the URL Filtering or Malware licenses on an ISA 3000. Special features for the ISA 3000 that were supported with the ASA, such as Hardware Bypass, Alarm ports, and so on, are not supported with FTD in this release. |
||
|
Support for VMware ESXi 6.5. |
You can now deploy FMCv, FTDv, and NGIPSv virtual appliances on VMware vSphere/VMware ESXi 6.5. |
||
|
Firepower Threat Defense: Encryption and VPN |
|||
|
SSL hardware acceleration for Firepower 4100/9300 |
Firepower 4100/9300 with FTD now support SSL encryption and decryption acceleration in hardware, greatly improving performance. SSL hardware acceleration is disabled by default for all appliances that support it.
Supported platforms: Firepower 4100/9300 |
||
|
Certificate enrollment improvements |
Non-blocking work flow for certificate enrollment operation allows certificate enrollment on multiple FTD devices in parallel:
Supported platforms: FTD |
||
|
Firepower Threat Defense: High Availability and Clustering |
|||
|
Automatically rejoin the FTD cluster after an internal failure |
Formerly, many internal error conditions caused a cluster unit to be removed from the cluster, and you were required to manually rejoin the cluster after resolving the issue. Now, a unit will attempt to rejoin the cluster automatically at the following intervals: 5 minutes, 10 minutes, and then 20 minutes. Internal failures include: application sync timeout; inconsistent application statuses; and so on. New/modified command: show cluster info auto-join Supported platforms: Firepower 4100/9300 |
||
|
FTD High Availability Hardening |
Version 6.2.3 introduces the following features for FTD devices in high availability:
|
||
|
Administration and Troubleshooting |
|||
|
FMC High Availability Messaging |
FMC high availability pairs have improved UI messaging. The UI now displays interim status messages while FMC pairs are being established and rephrased UI messaging to be more intuitive. Supported platforms: FMC |
||
|
External Authentication added for FTD SSH Access |
You can now configure external authentication for SSH access to FTD devices using LDAP or RADIUS. New/modified screen: Supported platforms: FTD |
||
|
Enhanced Vulnerability Database (VDB) Installation |
The FMC now warns you before you install a VDB that installing restarts the Snort process, interrupting traffic inspection and, depending on how the managed device handles traffic, possibly interrupting traffic flow. You can cancel the install until a more convenient time, such as during a maintenance window. These warnings can appear:
Supported platforms: FMC |
||
|
Upgrade Package Push |
You can now copy (or push) an upgrade package from the FMC to a managed device before you run the actual upgrade. This is useful because you can push during times of low bandwidth use, outside of the upgrade maintenance window. When you push to high availability, clustered, or stacked devices, the system sends the upgrade package to the active/control/primary first, then to the standby/data/secondary. New/modified screens: Supported platforms: FMC |
||
|
FTD serviceability |
Version 6.2.3 improves the show fail over CLI command. The new keyword, -history, details to help troubleshooting.
Supported platforms: FTD |
||
|
Device list sorting |
On the page, you can use the View by drop-down list to sort and view the device list by any of the following categories: group, license, model, or access control policy. In a multidomain deployment, you can also sort and view by domain, which is the default display category in that deployment. Devices must belong to a leaf domain. Supported platforms: FMC |
||
|
Audit log improvements |
The audit log now denotes if a policy changed on the FTD Platform Settings page. Supported platforms: FMC with FTD |
||
|
Updated FTD CLI commands |
The asa_mgmt_plane and asa_dataplane options for FTD device CLI commands are renamed to management-plane and data-plane respectively. Supported platforms: FTD |
||
|
Cisco Success Network |
Upgrade impact. Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support. During initial setup and upgrades, you may be asked to enroll. You can also change your enrollment at any time. Supported platforms: FMC |
||
|
Web Analytics Tracking |
Upgrade impact. Web analytics provides non-personally-identifiable usage data to Cisco, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your management centers. Initial setup enrolls you in web analytics tracking by default, but you can change your enrollment at any time after that. Upgrades can also enroll or re-enroll you in web analytics tracking. Supported platforms: FMC |
||
|
Performance |
|||
|
Snort restarts reduced for FTD devices |
In Version 6.2.3, fewer FTD configuration changes restart the Snort process on FTD devices. The FMC now warns you before you deploy if the configuration deployment restarts the Snort process, interrupting traffic inspection and, depending on how the managed device handles traffic, possibly interrupting traffic flow. Supported platforms: FTD |
||
|
Traffic Drop on Policy Apply |
Version 6.2.3 adds the configure snort preserve-connection {enable | disable} command to the FTD CLI. This command determines whether to preserve existing connections on routed and transparent interfaces if the Snort process goes down. When disabled, all new or existing connections are dropped when Snort goes down and remain dropped until Snort resume. When enabled, connections that were already allowed remain established, but new connections cannot be established until Snort is again available. Note that you cannot permanently disable this command on a FTD device managed by FDM; existing connections may drop when the settings revert to default during the next configuration deployment. |
||
|
Increased memory capacity for lower-end appliances |
Versions 6.1.0.7, 6.2.0.5, 6.2.2.2, and 6.2.3 increase the memory capacity for lower-end Firepower appliances. This reduces the number of health alerts. |
||
|
Faster ISE pxGrid discovery |
If an ISE pxGrid deployed in high availability fails or becomes unreachable, the FMC now discovers the new active pxGrid faster. |
||
|
New result limits in reports. |
Upgrade can change report settings. Version 6.2.3 limits the number of results you can use or include in a report section. For table and detail views, you can include fewer records in a PDF report than in an HTML/CSV report. For HTML/CSV report sections, the new limits are:
For PDF report sections, the new limits are:
If, before you upgrade the FMC, a section in a report template specifies a larger number of results than the HTML/CSV maximum, the upgrade process lowers the setting to the new maximum value. For report templates that generate PDF reports, if you exceed the PDF limit in any template section, the upgrade process changes the output format to HTML. To continue generating PDFs, lower the results limit to the PDF maximum. If you do this after the upgrade, set the output format back to PDF. |
||
|
Firepower Management Center REST API |
|||
|
FMC REST API Improvements |
The new FMC REST APIs support the use of CRUD (create, retrieve, upgrade, and delete) operations for NAT rules, static routing configuration, and corresponding objects while migrating from ASA FirePOWER to FTD. Newly introduced APIs for NAT:
When deploying FTD devices in Cisco ACI, APIs enable APIC controller to add proper static routes in place, along with other configuration settings that are needed for a particular service graph. It also enables PBR service graph insertion, which is currently the most flexible way of inserting FTD in ACI. Newly introduced APIs for Static Route:
|
||
Deprecated Features
|
Feature |
Details |
||
|---|---|---|---|
|
Expired CA certificates for dynamic analysis with AMP for Networks. |
On June 15, 2018, some Firepower deployments stopped being able to submit files for dynamic analysis. This occurred due to an expired CA certificate that was required for communications with the AMP Threat Grid cloud. Version 6.3 is the first major version with the new certificate. If you do not want to upgrade to Version 6.3+, you can patch to obtain the new certificate and reenable dynamic analysis, as follows:
You can also apply a hotfix. For available hotfixes, see the Cisco Secure Firewall Threat Defense/Firepower Hotfix Release Notes. Find the hotfix for your version and platform that applies to CSCvj07038: Firepower devices need to trust Threat Grid certificate. If this is your first time installing the patch or hotfix, make
sure your firewall allows outbound connections to
Note that upgrading a patched or hotfixed deployment to either Version 6.2.0 or Version 6.2.3 reverts to the old certificate and you must patch or hotfix again. |
||
|
Deprecated: Geolocation details. |
In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on. The new country code package has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in an air-gapped deployment—make sure you get the country code package and not the IP package.
|
Release Dates
|
Version |
Build |
Date |
Platforms |
|---|---|---|---|
|
7.4.1.1 |
12 |
2024-04-15 |
All |
|
7.4.1 |
172 |
2023-12-13 |
All |
|
7.4.0 |
81 |
2023-09-07 |
Management center Secure Firewall 4200 series |
|
Version |
Build |
Date |
Platforms |
|---|---|---|---|
|
7.3.1.1 |
83 |
2023-08-24 |
All |
|
7.3.1 |
19 |
2023-03-14 |
All |
|
7.3.0 |
69 |
2022-11-29 |
All |
|
Version |
Build |
Date |
Platforms |
|---|---|---|---|
|
7.2.6 |
168 |
2024-04-22 |
Management center |
|
167 |
2024-03-19 |
Devices |
|
|
7.2.5.1 |
29 |
2023-11-14 |
All |
|
7.2.5 |
208 |
2023-07-27 |
All |
|
7.2.4.1 |
43 |
2023-07-27 |
All |
|
7.2.4 |
169 |
2023-05-10 |
Management center |
|
165 |
2023-05-03 |
Devices |
|
|
7.2.3.1 |
13 |
2023-04-18 |
Management center |
|
7.2.3 |
77 |
2023-02-27 |
All |
|
7.2.2 |
54 |
2022-11-29 |
All |
|
7.2.1 |
40 |
2022-10-03 |
All |
|
7.2.0.1 |
12 |
2022-08-10 |
All |
|
7.2.0 |
82 |
2022-06-06 |
All |
|
Version |
Build |
Date |
Platforms |
|---|---|---|---|
|
7.1.0.3 |
108 |
2022-03-15 |
All |
|
7.1.0.2 |
28 |
2022-08-03 |
FMC/FMCv Secure Firewall 3100 series |
|
7.1.0.1 |
28 |
2022-02-24 |
FMC/FMCv All devices except Secure Firewall 3100 series |
|
7.1.0 |
90 |
2021-12-01 |
All |
|
Version |
Build |
Date |
Platforms |
|---|---|---|---|
|
7.0.6.2 |
65 |
2024-04-15 |
All |
|
7.0.6.1 |
36 |
2023-11-13 |
All |
|
7.0.6 |
236 |
2023-07-18 |
All |
|
7.0.5.1 |
5 |
2023-04-26 |
NGIPSv For devices with security certifications compliance enabled (CC/UCAPL mode). Use with a Version 7.0.5 FMC. |
|
7.0.5 |
72 |
2022-11-17 |
All |
|
7.0.4 |
55 |
2022-08-10 |
All |
|
7.0.3 |
37 |
2022-06-30 |
All |
|
7.0.2.1 |
10 |
2022-06-27 |
All |
|
7.0.2 |
88 |
2022-05-05 |
All |
|
7.0.1.1 |
11 |
2022-02-17 |
All |
|
7.0.1 |
84 |
2021-10-07 |
All |
|
7.0.0.1 |
15 |
2021-07-15 |
All |
|
7.0.0 |
94 |
2021-05-26 |
All |
|
Version |
Build |
Date |
Platforms |
|---|---|---|---|
|
6.7.0.3 |
105 |
2022-02-17 |
All |
|
6.7.0.2 |
24 |
2021-05-11 |
All |
|
6.7.0.1 |
13 |
2021-03-24 |
All |
|
6.7.0 |
65 |
2020-11-02 |
All |
|
Version |
Build |
Date |
Platforms |
|---|---|---|---|
|
6.6.7.2 |
11 |
2024-04-24 |
All |
|
6.6.7.1 |
42 |
2023-01-26 |
All |
|
6.6.7 |
223 |
2022-07-14 |
All |
|
6.6.5.2 |
14 |
2022-03-24 |
All |
|
6.6.5.1 |
15 |
2021-12-06 |
All |
|
6.6.5 |
81 |
2021-08-03 |
All |
|
6.6.4 |
64 |
2021-04-29 |
Firepower 1000 series |
|
59 |
2021-04-26 |
FMC/FMCv All devices except Firepower 1000 series |
|
|
6.6.3 |
80 |
2020-03-11 |
All |
|
6.6.1 |
91 |
2020-09-20 |
All |
|
90 |
2020-09-08 |
— |
|
|
6.6.0.1 |
7 |
2020-07-22 |
All |
|
6.6.0 |
90 |
2020-05-08 |
Firepower 4112 |
|
2020-04-06 |
FMC/FMCv All devices except Firepower 4112 |
|
Version |
Build |
Date |
Platforms: Upgrade |
Platforms: Reimage |
|---|---|---|---|---|
|
6.5.0.5 |
95 |
2021-02-09 |
All |
— |
|
6.5.0.4 |
57 |
2020-03-02 |
All |
— |
|
6.5.0.3 |
30 |
2020-02-03 |
No longer available. |
— |
|
6.5.0.2 |
57 |
2019-12-19 |
All |
— |
|
6.5.0.1 |
35 |
2019-11-20 |
No longer available. |
— |
|
6.5.0 |
123 |
2020-02-03 |
FMC/FMCv |
FMC/FMCv |
|
120 |
2019-10-08 |
— |
— |
|
|
115 |
2019-09-26 |
All devices |
All devices |
|
Version |
Build |
Date |
Platforms |
|---|---|---|---|
|
6.4.0.18 |
24 |
2024-04-24 |
All |
|
6.4.0.17 |
26 |
2023-09-28 |
All |
|
6.4.0.16 |
50 |
2022-11-21 |
All |
|
6.4.0.15 |
26 |
2022-05-31 |
All |
|
6.4.0.14 |
67 |
2022-02-18 |
All |
|
6.4.0.13 |
57 |
2021-12-02 |
All |
|
6.4.0.12 |
112 |
2021-05-12 |
All |
|
6.4.0.11 |
11 |
2021-01-11 |
All |
|
6.4.0.10 |
95 |
2020-10-21 |
All |
|
6.4.0.9 |
62 |
2020-05-26 |
All |
|
6.4.0.8 |
28 |
2020-01-29 |
All |
|
6.4.0.7 |
53 |
2019-12-19 |
All |
|
6.4.0.6 |
28 |
2019-10-16 |
No longer available. |
|
6.4.0.5 |
23 |
2019-09-18 |
All |
|
6.4.0.4 |
34 |
2019-08-21 |
All |
|
6.4.0.3 |
29 |
2019-07-17 |
All |
|
6.4.0.2 |
35 |
2019-07-03 |
FMC/FMCv FTD/FTDv, except Firepower 1000 series |
|
34 |
2019-06-27 |
— |
|
|
2019-06-26 |
Firepower 7000/8000 series ASA FirePOWER NGIPSv |
||
|
6.4.0.1 |
17 |
2019-06-27 |
FMC 1600, 2600, 4600 |
|
2019-06-20 |
Firepower 4115, 4125, 4145 Firepower 9300 with SM-40, SM-48, and SM-56 modules |
||
|
2019-05-15 |
FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500 FMCv Firepower 2110, 2120, 2130, 2140 Firepower 4110, 4120, 4140, 4150 Firepower 9300 with SM-24, SM-36, and SM-44 modules ASA 5508-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X ASA 5585-X-SSP-10, -20, -40, -60 ISA 3000 FTDv Firepower 7000/8000 series NGIPSv |
||
|
6.4.0 |
113 |
2020-03-03 |
FMC/FMCv |
|
102 |
2019-06-20 |
Firepower 4115, 4125, 4145 Firepower 9300 with SM-40, SM-48, and SM-56 modules |
|
|
2019-06-13 |
Firepower 1010, 1120, 1140 |
||
|
2019-04-24 |
Firepower 2110, 2120, 2130, 2140 Firepower 4110, 4120, 4140, 4150 Firepower 9300 with SM-24, SM-36, and SM-44 modules ASA 5508-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X ASA 5585-X-SSP-10, -20, -40, -60 ISA 3000 FTDv Firepower 7000/8000 series NGIPSv |
|
Version |
Build |
Date |
Platforms: Upgrade |
Platforms: Reimage |
|---|---|---|---|---|
|
6.3.0.5 |
35 |
2019-11-18 |
Firepower 7000/8000 series NGIPSv |
— |
|
34 |
2019-11-18 |
FMC/FMCv All FTD devices ASA FirePOWER |
— |
|
|
6.3.0.4 |
44 |
2019-08-14 |
All |
— |
|
6.3.0.3 |
77 |
2019-06-27 |
FMC 1600, 2600, 4600 |
— |
|
2019-05-01 |
FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500 FMCv All devices |
— |
||
|
6.3.0.2 |
67 |
2019-06-27 |
FMC 1600, 2600, 4600 |
— |
|
2019-03-20 |
FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500 FMCv All devices |
— |
||
|
6.3.0.1 |
85 |
2019-06-27 |
FMC 1600, 2600, 4600 |
— |
|
2019-02-18 |
FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500 FMCv All devices |
— |
||
|
6.3.0 |
85 |
2019-01-22 |
Firepower 4100/9300 |
Firepower 4100/9300 |
|
84 |
2018-12-18 |
FMC/FMCv ASA FirePOWER |
— |
|
|
83 |
2019-06-27 |
— |
FMC 1600, 2600, 4600 |
|
|
2018-12-03 |
All FTD devices except Firepower 4100/9300 Firepower 7000/8000 NGIPSv |
FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500 FMCv All devices except Firepower 4100/9300 |
|
Version |
Build |
Date |
Platforms: Upgrade |
Platforms: Reimage |
|---|---|---|---|---|
|
6.2.3.18 |
50 |
2022-02-16 |
All |
— |
|
6.2.3.17 |
30 |
2021-06-21 |
All |
— |
|
6.2.3.16 |
59 |
2020-07-13 |
All |
— |
|
6.2.3.15 |
39 |
2020-02-05 |
FTD/FTDv |
— |
|
38 |
2019-09-18 |
FMC/FMCv Firepower 7000/8000 ASA FirePOWER NGIPSv |
— |
|
|
6.2.3.14 |
41 |
2019-07-03 |
All |
— |
|
36 |
2019-06-12 |
All |
— |
|
|
6.2.3.13 |
53 |
2019-05-16 |
All |
— |
|
6.2.3.12 |
80 |
2019-04-17 |
All |
— |
|
6.2.3.11 |
55 |
2019-03-17 |
All |
— |
|
53 |
2019-03-13 |
— |
— |
|
|
6.2.3.10 |
59 |
2019-02-07 |
All |
— |
|
6.2.3.9 |
54 |
2019-01-10 |
All |
— |
|
6.2.3.8 |
51 |
2019-01-02 |
No longer available. |
— |
|
6.2.3.7 |
51 |
2018-11-15 |
All |
— |
|
6.2.3.6 |
37 |
2018-10-10 |
All |
— |
|
6.2.3.5 |
53 |
2018-11-06 |
FTD/FTDv |
— |
|
52 |
2018-09-12 |
FMC/FMCv Firepower 7000/8000 ASA FirePOWER NGIPSv |
— |
|
|
6.2.3.4 |
42 |
2018-08-13 |
All |
— |
|
6.2.3.3 |
76 |
2018-07-11 |
All |
— |
|
6.2.3.2 |
46 |
2018-06-27 |
All |
— |
|
42 |
2018-06-06 |
— |
— |
|
|
6.2.3.1 |
47 |
2018-06-28 |
All |
— |
|
45 |
2018-06-21 |
— |
— |
|
|
43 |
2018-05-02 |
— |
— |
|
|
6.2.3 |
113 |
2020-06-01 |
FMC/FMCv |
FMC/FMCv |
|
111 |
2019-11-25 |
— |
FTDv: AWS, Azure |
|
|
110 |
2019-06-14 |
— |
— |
|
|
99 |
2018-09-07 |
— |
— |
|
|
96 |
2018-07-26 |
— |
— |
|
|
92 |
2018-07-05 |
— |
— |
|
|
88 |
2018-06-11 |
— |
— |
|
|
85 |
2018-04-09 |
— |
— |
|
|
84 |
2018-04-09 |
Firepower 7000/8000 series NGIPSv |
— |
|
|
83 |
2018-04-02 |
FTD/FTDv ASA FirePOWER |
FTD: Physical platforms FTDv: VMware, KVM Firepower 7000/8000 ASA FirePOWER NGIPSv |
|
|
79 |
2018-03-29 |
— |
— |
|
Version |
Build |
Date |
Platforms |
|---|---|---|---|
|
6.2.2.5 |
57 |
2018-11-27 |
All |
|
6.2.2.4 |
43 |
2018-09-21 |
FTD/FTDv |
|
34 |
2018-07-09 |
FMC/FMCv Firepower 7000/8000 ASA FirePOWER NGIPSv |
|
|
32 |
2018-06-15 |
— |
|
|
6.2.2.3 |
69 |
2018-06-19 |
All |
|
66 |
2018-04-24 |
— |
|
|
6.2.2.2 |
109 |
2018-02-28 |
All |
|
6.2.2.1 |
80 |
2017-12-05 |
Firepower 2100 series |
|
78 |
2017-11-20 |
— |
|
|
73 |
2017-11-06 |
FMC/FMCv All devices except Firepower 2100 series |
|
|
6.2.2 |
81 |
2017-09-05 |
All |
Feedback