Secure Firewall 3105.

Minimum threat defense: 7.3.1

Platform

Management center virtual 300 for KVM.

We introduced the FMCv300 for KVM. The FMCv300 can manage up to 300 devices.

Minimum threat defense: Any

Network modules for the Secure Firewall 4100.

You can now manage the Secure Firewall 4100 with the following network modules:

• 2-port 100G Network Module (FPR-NM-2X100G)

Minimum threat defense: 7.3

Support returns for this feature. When you shut down the ISA 3000, the System LED turns off. Wait at least 10 seconds after that before you remove power from the device. This feature was introduced in Version 7.0.5 but was temporarily deprecated in Version 7.1–7.2.

Interfaces

IPv6 support for virtual appliances.

Threat defense virtual and management center virtual now support IPv6 in the following environments:

• AWS

• Azure

• OCI

• KVM

• VMware

For more information, see Cisco Secure Firewall Threat Defense Virtual Getting Started Guide and Cisco Secure Firewall Management Center Virtual Getting Started Guide.

Loopback interface support for VTIs.

You can now configure a loopback interface for redundancy of static and dynamic VTI VPN tunnels. A loopback interface is a software interface that emulates a physical interface. It is reachable through multiple physical interfaces with IPv4 and IPv6 addresses.

New/modified screens: Devices > Device Management > Device > Interfaces > Add Interfaces > Add Loopback Interface

For more information, see Configure Loopback Interfaces in the device configuration guide.

Redundant manager access data interface.

When you use a data interface for manager access, you can configure a secondary data interface to take over management functions if the primary interface goes down. The device uses SLA monitoring to track the viability of the static routes and an ECMP zone that contains both interfaces so management traffic can use both interfaces.

New/modified screens:

• Devices > Device Management > Device > Management

• Devices > Device Management > Device > Interfaces > Manager Access

For more information, see Configure a Redundant Manager Access Data Interface in the device configuration guide.

IPv6 DHCP.

We now support the following features for IPv6 addressing:

• DHCPv6 Address client: Threat defense obtains an IPv6 global address and optional default route from the DHCPv6 server.

• DHCPv6 Prefix Delegation client: Threat defense obtains delegated prefix(es) from a DHCPv6 server. It can then use these prefixes to configure other threat defense interface addresses so that StateLess Address Auto Configuration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.

• BGP router advertisement for delegated prefixes.

• DHCPv6 stateless server: Threat defense provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to threat defense. Threat defense only accepts IR packets and does not assign addresses to the clients.

New/modified screens:

• Devices > Device Management > Device > Interfaces > Interface > IPv6 > DHCP

• Objects > Object Management > DHCP IPv6 Pool

New/modified CLI commands: show bgp ipv6 unicast , show ipv6 dhcp , show ipv6 general-prefix

For more information, see Configure the IPv6 Prefix Delegation Client, BGP, and Configure the DHCPv6 Stateless Server in the device configuration guide.

Paired proxy VXLAN for the threat defense virtual for the Azure Gateway Load Balancer.

You can configure a paired proxy mode VXLAN interface for threat defense virtual for Azure for use with the Azure Gateway Load Balancer. The device defines an external interface and an internal interface on a single NIC by utilizing VXLAN segments in a paired proxy.

New/modified screens: Devices > Device Management > Device > Interfaces > Add Interfaces > VNI Interface

For more information, see Configure VXLAN Interfaces in the device configuration guide.

Forward Error Correction (FEC) defaults changed for fixed ports.

When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the default type is now set to Clause 108 RS-FEC instead of Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers.

For more information, see Interface Overview in the device configuration guide.

High Availability/Scalability

High availability for management center virtual for KVM and Azure.

We now support high availability for management center virtual for KVM and Azure.

In a threat defense deployment, you need two identically licensed management centers, as well as one threat defense entitlement for each managed device. For example, to manage 10 devices with an FMCv10 high availability pair, you need two FMCv10 entitlements and 10 threat defense entitlements. If you are managing Version 7.0.x Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv entitlements.

Supported platforms: FMCv10, FMCv25, FMCv300 (not supported for FMCv2)

For more information, see the Cisco Secure Firewall Management Center Virtual Getting Started Guide, as well as High Availability in the administration guide.

Clustering for threat defense virtual for Azure.

You can now configure clustering for up to 16 nodes with threat defense virtual for Azure.

New/modified screens: Devices > Device Management

For more information, see Clustering for Threat Defense Virtual in a Public Cloud in the device configuration guide.

We now support autoscale for threat defense virtual for Azure Gateway Load Balancers. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Backup and restore support for clustered devices.

Remote Access VPN

RA VPN dashboard.

We introduced a remote access VPN (RA VPN) dashboard that allows you to monitor real-time data from active RA VPN sessions on the devices. So that you can quickly determine problems related to user sessions and mitigate the problems for your network and users, the dashboard provides:

• Visualization of active user sessions based on their location.

• Detailed information about the active user sessions.

• Mitigation of user session problems by terminating sessions, if required.

• Distribution of active user sessions per device, encryption type, Secure Client version, operating system, and connection profile.

• Device identity certificate expiration details of the devices.

New/modified screens: Overview > Dashboards > Remote Access VPN

For more information, see Dashboards in the administration guide.

Encrypt RA VPN connections with TLS 1.3.

You can now use TLS 1.3 to encrypt RA VPN connections with the following ciphers:

• TLS_AES_128_GCM_SHA256

• TLS_CHACHA20_POLY1305_SHA256

• TLS_AES_256_GCM_SHA384

Use the threat defense platform settings to set the TLS version: Devices > Platform Settings > Add/Edit Threat Defense Settings Policy > SSL > TLS Version.

This feature requires Cisco Secure Client, Release 5 (formerly known as the AnyConnect Secure Mobility Client).

For more information, see Configure SSL Settings in the device configuration guide.

Site to Site VPN

Packet tracer in the site-to-site VPN dashboard.

We added packet tracer capabilities to the site-to-site VPN dashboard, to help you troubleshoot VPN tunnels between devices.

Open the dashboard by choosing Overview > Dashboards > Site to Site VPN. Then, click View () next to the tunnel you want to investigate, and Packet Tracer in the side pane that appears.

For more information, see Monitoring the Site-to-Site VPNs in the device configuration guide.

Support for dynamic VTIs with site-to-site VPN.

We now support dynamic virtual tunnel interfaces (VTI) when you configure a route-based site-to-site VPN in a hub and spoke topology. Previously, you could use only a static VTI.

This makes it easier to configure large hub and spoke deployments. A single dynamic VTI can replace several static VTI configurations on the hub. And, you can add new spokes to a hub without changing the hub configuration.

New/modified screens: We updated the options when configuring hub-node endpoints for a route-based hub-and-spoke site-to-site VPN topology.

For more information, see Configure Endpoints for a Hub and Spoke Topology in the device configuration guide.

Improved Umbrella SIG integration.

You can now easily deploy IPsec IKEv2 tunnels between a threat defense device and the Umbrella Secure Internet Gateway (SIG), which allows you to forward all internet-bound traffic to Umbrella for inspection and filtering.

To configure and deploy these tunnels, create a SASE topology, a new type of static VTI-based site-to-site VPN topology: Devices > VPN > Site To Site > SASE Topology.

For more information, see Deploy a SASE Tunnel on Umbrella in the device configuration guide.

Routing

Configure BFD for BGP from the management center web interface.

Upgrade impact.

You can now use the management center web interface to configure bidirectional forwarding detection (BFD) for BGP. Note that you can only enable BFD on interfaces belonging to virtual routers. If you have an existing BFD FlexConfig and redo your configurations in the web interface, you cannot deploy until you remove the deprecated FlexConfigs.

New/modified screens:

• Devices > Device Management > Device > Routing > BFD

• Objects > Object Management > BFD Template

• When configuring BGP neighbor settings, we replaced the BFD Failover check box with a menu where you choose the BFD type: single hop, multi hop, auto detect, or none (disabled). For upgraded management centers, auto-detect hop is selected if the old BFD Failover option was enabled and none is selected if the old option was disabled.

For more information, see Bidirectional Forwarding Detection Routing in the device configuration guide.

Support for IPv4 and IPv6 OSPF routing for VTIs.

We now support IPv4 and IPv6 OSPF routing for VTI interfaces.

New/modified pages: You can add VTI interfaces to an OSPF routing process on Devices > Device Management > Device > Routing > OSPF/OSFPv3.

For more information, see OSPF and Additional Configurations for VTI in the device configuration guide.

Support for IPv4 EIGRP routing for VTIs.

We now support IPv4 EIGRP routing for VTI interfaces.

New/modified screens: You can define a VTI as the static neighbor for an EIGRP routing process, configure a VTI's interface-specific EIGRP routing properties. and advertise a VTI's summary address on Devices > Device Management > Device > Routing > EIGRP.

For more information, see EIGRP and Additional Configurations for VTI in the device configuration guide.

More network service groups for policy-based routing.

You can now configure up to 1024 network service groups (application groups in an extended ACL for use in policy-based routing). Previously, the limit was 256.

Support for multiple next-hops while configuring policy-based routing forwarding actions.

You can now configure multiple next-hops while configuring policy-based routing forwarding actions. When traffic matches the criteria for the route, the system attempts to forward traffic to the IP addresses in the order you specify, until it succeeds.

The feature is available on threat defense devices running Version 7.1+ with a Version 7.3+ management center.

New/modified screens: We added several options when you select IP Address from the Send To menu on Devices > Device Management > Device > Routing > Policy Based Routing > Add Policy Based Route > Add Match Criteria and Egress Interface.

For more information, see Configure Policy-Based Routing Policy in the device configuration guide.

Threat Defense Upgrade

Usability improvements.

For more information, see Upgrade Threat Defense in the management center upgrade guide.

Unattended upgrades.

For more information, see Upgrade Threat Defense with the Wizard in Unattended Mode in the management center upgrade guide.

Skip pre-upgrade troubleshoot generation.

For more information, see Upgrade Threat Defense in the management center upgrade guide.

Auto-upgrade to Snort 3 after successful threat defense upgrade is no longer optional.

Upgrade impact.

Choose and direct-download upgrade packages from Cisco.

For more information, see Download Upgrade Packages with the Management Center in the management center upgrade guide.

Combined upgrade and install package for Secure Firewall 3100.

Reimage Impact.

Access Control and Threat Detection

SSL policy renamed to decryption policy.

We renamed the SSL policy to the decryption policy. We also added a policy wizard that makes it easier to create and configure decryption policies, including creating initial rules and certificates for inbound and outbound traffic.

New/modified screens:

• Add or edit a decryption policy: Policies > Access Control > Decryption.

• Use a decryption policy: Decryption Policy Settings in an access control policy's advanced settings.

For more information, see Decryption Policies in the device configuration guide.

Improvements to TLS server identity discovery with Snort 3 devices.

We now support improved performance and inspection with the TLS server identity discovery feature, which allows you to handle traffic encrypted with TLS 1.3 with information from the server certificate. Although we recommend you leave it enabled, you can disable this feature using the new Enable adaptive TLS server identity probe option in the decryption policy's advanced settings.

For more information, see TLS 1.3 Decryption Best Practices in the device configuration guide.

URL filtering using cloud lookup results only.

When you enable (or re-enable) URL filtering, the management center automatically queries Cisco for URL category and reputation data and pushes the dataset to managed devices. You now have more options on how the system uses this dataset to filter web traffic.

To do this, we replaced the Query Cisco Cloud for Unknown URLs options with three new options:

• Local Database Only: Uses the local URL dataset only. Use this option if you do not want to submit your uncategorized URLs (category and reputation not in the local dataset) to Cisco, for example, for privacy reasons. However, note that connections to uncategorized URLs do not match rules with category or reputation-based URL conditions. You cannot assign categories or reputations to URLs manually.

  For upgraded management centers, this option is enabled if the old Query Cisco Cloud for Unknown URLs was disabled.

• Local Database and Cisco Cloud: Uses the local dataset when possible, which can make web browsing faster. When users browse to an URL whose category and reputation is not in the local dataset or a cache of previously accessed websites, the system submits it to the cloud for threat intelligence evaluation and adds the result to the cache.

  For upgraded management centers, this option is enabled if the old Query Cisco Cloud for Unknown URLs option was enabled.

• Cisco Cloud Only: Does not use the local dataset. When users browse to an URL whose category and reputation is not in a local cache of previously accessed websites, the system submits it to the cloud for threat intelligence evaluation and adds the result to the cache. This option guarantees the most up-to-date category and reputation information.

  This option is the default on new and reimaged Version 7.3+ management centers. Note that it also requires threat defense Version 7.3+. If you enable this option, devices running earlier versions use the Local Database and Cisco Cloud option.

New/modified screens: Integration > Other Integrations > Cloud Services > URL Filtering

For more information, see URL Filtering Options in the device configuration guide.

Detect HTTP/3 and SMB over QUIC using EVE (Snort 3 only).

Snort 3 devices can now use the encrypted visibility engine (EVE) to detect HTTP/3 and SMB over QUIC. You can then create rules to handle traffic based on these applications.

For more information, see Encrypted Visibility Engine in the device configuration guide.

Generate IoC events based on unsafe client applications detected by EVE (Snort 3 only).

Snort 3 devices can now generate indications of compromise (IoC) connection events based unsafe client applications detected by the encrypted visibility engine (EVE). These connection events have a Encrypted Visibility Threat Confidence of Very High.

• View IoCs in the event viewer: Analysis > Hosts/Users > Indications of Compromise

• View IoCs in the network map: Analysis > Hosts > Indications of Compromise

• View IoC information in connection events: Analysis > Connections > Events > Table View of Connection Events > IOC/Encrypted Visibility columns

For more information, see Encrypted Visibility Engine in the device configuration guide.

Improved JavaScript inspection for Snort 3 devices.

We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. The normalizer introduced in Version 7.2 now allows you to inspect within the unescape, decodeURI, and decodeURIComponent functions: %XX, %uXXXX, \uXX, \u{XXXX}\xXX, decimal code point, and hexadecimal code point. It also removes plus operations from strings and concatenates them.

For more information, see HTTP Inspect Inspector in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Nested rule groups, including MITRE ATT&CK, in Snort 3 intrusion policies.

You can now nest rule groups in a Snort 3 intrusion policy. This allows you to view and handle traffic in a more granular fashion; for example, you might group rules by vulnerability type, target system, or threat category. You can create custom nested rule groups and change the security level and rule action per rule group.

We also group system-provided rules in a Talos-curated MITRE ATT&CK framework, so you can act on traffic based on those categories.

New/modified screens:

• View and use rule groups: Policies > Intrusion > Edit Snort 3 Version

• View rule group information in the classic event view: Analysis > Intrusion > Events > Table View of Intrusion Events > Rule Group and MITRE ATT&CK columns

• View rule group information in the unified event view: Analysis > Unified Events > Rule Group and MITRE ATT&CK columns

For more information, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Access control rule conflict analysis.

You can now enable rule conflict analysis to help identify redundant rules and objects, and shadowed rules that cannot be matched due to previous rules in the policy.

For more information, see Analyzing Rule Conflicts and Warnings in the device configuration guide.

Event Logging and Analysis

NetFlow support for Snort 3 devices.

Upgrade impact.

Snort 3 devices now can consume NetFlow records (IPv4 and IPv6, NetFlow v5 and v9). Previously, only Snort 2 devices did this.

After upgrade, if you have an existing NetFlow exporter and NetFlow rule configured in the network discovery policy, Snort 3 devices may begin processing NetFlow records, generating NetFlow connection events, and adding host and application protocol information to the database based on NetFlow data.

For more information, see Network Discovery Policies in the device configuration guide.

Integrations

New remediation module for integration with the Cisco ACI Endpoint Update App

We introduced a new Cisco ACI Endpoint remediation module. To use it, you must remove the old module then add and configure the new one. This new module can:

• Quarantine endpoints in an endpoint security group (ESG) deployment.

• Allow traffic from a quarantined endpoint to a Layer 3 outside network (L3Out) for monitoring and analysis.

• Run in audit-only mode, where it notifies you instead of quarantining.

For more information, see APIC/Secure Firewall Remediation Module 3.0 in the device configuration guide.

Health Monitoring

Cluster health monitor settings in the management center web interface.

You can now use the management center web interface to edit cluster health monitor settings. If you configured these settings with FlexConfig in a previous version, the system allows you to deploy, but also warns you to redo your configurations—the FlexConfig settings take precedence.

New/modified screens: Devices > Device Management > Edit Cluster > Cluster Health Monitor Settings

For more information, see Edit Cluster Health Monitor Settings in the device configuration guide.

Improved health monitoring for device clusters.

We added cluster dashboards to the health monitor where you can view overall cluster status, load distribution metrics, performance metrics, cluster control link (CCL) and data throughput, and so on.

To view the dashboard for each cluster, choose System () > Health > Monitor, then click the cluster.

For more information, see Cluster Health Monitor in the administration guide.

Monitor fan speed and temperature for the power supply on the hardware management center.

We added the Hardware Statistics health module that monitors fan speed and temperature for the power supply on the hardware management center. The upgrade process automatically adds and enables this module. After upgrade, apply the policy.

To enable or disable the module and set threshold values, edit the management center health policy on System () > Health > Policy.

To view health status, create a custom health dashboard: System () > Health > Monitor > Firewall Management Center > Add/Edit. Select the Hardware Statistics metric group, then select the metric you want.

You can also view module status on the health monitor's Home page and in the management center's alert summary (as Hardware Alarms and Power Supply). You can configure external alert responses and view health events based on module status.

For more information, see Hardware Statistics on Management Center in the administration guide.

Monitor temperature and power supply for the Firepower 4100/9300.

We added the Chassis Environment Status health module to monitor the temperature and power supply on a Firepower 4100/9300 chassis. The upgrade process automatically adds and enables these modules in all device health policies. After upgrade, apply health policies to Firepower 4100/9300 chassis to begin monitoring.

To enable or disable this module and set threshold values, edit the management center health policy: System () > Health > Policy > Device Policy.

To view health status, create a custom health dashboard: System () > Health > Monitor > Select Device > Add/Edit Dashboard > Custom Correlation Group. Select the Hardware/Environment Status metric group, then select the Thermal Status metric to view temperature or select any of the Power Supply options to view power supply status.

You can also view module status on the health monitor's Home page and in each device's alert summary. You can configure external alert responses and view health events based on module status.

For more information, see Hardware/Environment Status Metrics in the administration guide.

Licensing

Changes to license names and support for the Carrier license.

We renamed licenses as follows:

• Base is now Essentials

• Threat is now IPS

• Malware is now Malware Defense

• RA VPN/AnyConnect License is now Cisco Secure Client

• AnyConnect Plus is now Secure Client Advantage

• AnyConnect Apex is now Secure Client Premier

• AnyConnect Apex and Plus is now Secure Client Premier and Advantage

• AnyConnect VPN Only is now Secure Client VPN Only

In addition, you can now apply the Carrier license, which allows you to configure GTP/GPRS, Diameter, SCTP, and M3UA inspections.

New/modified screens: System () > Licenses > Smart Licenses

For more information, see Licenses in the administration guide.

Administration

Migrate configurations from FlexConfig to web interface management.

You can now easily migrate these configurations from FlexConfig to web interface management:

• ECMP zones, supported in the Version 7.1+ web interface

• EIGRP routing, supported in the Version 7.2+ web interface

• VXLAN interfaces, supported in the Version 7.2+ web interface

After you migrate, you cannot deploy until you remove the deprecated FlexConfigs.

New/modified screens: Devices > FlexConfig > Edit FlexConfig Policy > Migrate Config

For more information, see Migrating FlexConfig Policies in the device configuration guide.

Automatic VDB downloads.

For more information, see Vulnerability Database Update Automation in the administration guide.

Install any VDB.

For more information, see Update the Vulnerability Database in the administration guide.

For more information, see the Secure Firewall Management Center Command Line Reference in the management center administration guide, and the Cisco Secure Firewall Threat Defense Command Reference.

Usability, Performance, and Troubleshooting

New how-to walkthroughs.

We added these how-tos:

• Renew a certificate using manual re-enrollment.

• Renew a certificate using Self-signed, SCEP, or EST enrollment.

• Configure LDAP attribute map for remote access VPN.

• Add SAML Single Sign-On server object.

• Collect packet capture for threat defense device.

• Collect packet trace to troubleshoot threat defense device.

• Configure Dynamic Access Policy for remote access VPN.

  • Create a Dynamic Access Policy.

  • Create a Dynamic Access Policy record.

  • Associate Dynamic Access Policy with remote access VPN.

To launch a how-to, choose System () > How-Tos.

New access control policy user interface is now the default.

The access control policy user interface introduced in Version 7.2 is now the default interface. The upgrade switches you, but you can switch back.

Maximum objects per match criteria per access control rule is now 200.

We increased the objects per match criteria in a single access control rule from 50 to 200. For example, you can now use up to 200 network objects in a single access control rule.

Filter devices by version.

You can now filter devices by version on Devices > Device Management.

Better status emails for scheduled tasks.

Email notifications for scheduled tasks are now sent when the task completes—whether success or failure—instead of when the task begins. This means that they can now indicate whether the task failed or succeeded. For failures, they include the reason for the failure and remediations to fix the issue.

Performance profile for CPU core allocation.

You can adjust the percentage of system cores assigned to the data plane and Snort to adjust system performance. The adjustment is based on your relative use of VPN and intrusion policies. If you use both, leave the core allocation to the default values. If you use the system primarily for VPN (without applying intrusion policies), or as an IPS (with no VPN configuration), you can skew the core allocation to the data plane (for VPN) or Snort (for intrusion inspection).

We added the Performance Profile page to the platform settings policy.

For more information, see Configure the Performance Profile in the device configuration guide.

Additional telemetry sent to Cisco Success Network.

For improved serviceability, we now send the following data to the Cisco Success Network:

• Device information, including how many devices are registered but are not being actively managed, whether your devices are configured for high availability/scalability, and how many nodes are in any configured cluster.

• Event and network map information, including the number of hosts in your network map, intrusion event counts, and file/malware event counts.

You can change your Cisco Success Network enrollment at any time.

For more information, see Configure Cisco Success Network Enrollment in the administration guide.

Management Center REST API

Management center REST API services/operations.

For information on changes to the FMC REST API, see What's New in 7.3 in the API quick start guide.

Support ends: Firepower 4110, 4120, 4140, 4150.

You cannot run Version 7.3+ on the Firepower 4110, 4120, 4140, or 4150.

Support ends: Firepower 9300: SM-24, SM-36, SM-44 modules.

You cannot run Version 7.3+ on the Firepower 9300 with SM-24, SM-36, or SM-44 modules.

No support for Firepower 1010E (temporary).

Deprecated: YouTube EDU content restriction for Snort 2 devices.

You can no longer enable YouTube EDU content restriction in new or existing access control rules. Your existing YouTube EDU rules will keep working, and you can edit those rules to disable YouTube EDU.

Note that this is a Snort 2 feature that is not available for Snort 3.

You should redo your configurations after upgrade.

Deprecated: Cluster health monitor settings with FlexConfig.

You can now edit cluster health monitor settings from the management center web interface. If you do this, the system allows you to deploy but also warns you that any existing FlexConfig settings take precedence.

You should redo your configurations after upgrade.

Deprecated: BFD for BGP with FlexConfig.

You can now configure bidirectional forwarding detection (BFD) for BGP routing from the management center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs.

You should redo your configurations after upgrade.

Deprecated: ECMP zones with FlexConfig.

You can now easily migrate EMCP zone configurations from FlexConfig to web interface management. After you migrate, you cannot deploy until you remove any deprecated FlexConfigs.

You should redo your configurations after upgrade.

Deprecated: VXLAN interfaces with FlexConfig.

You can now easily migrate VXLAN interface configurations from FlexConfig to web interface management. After you migrate, you cannot deploy until you remove any deprecated FlexConfigs.