The Secure Firewall 3130 and 3140 now support these network modules:

• 2-port 100G QSFP+ network module (FPR3K-XNM-2X100G)

See: Cisco Secure Firewall 3110, 3120, 3130, and 3140 Hardware Installation Guide

The Firepower 9300 now supports these optical transceivers:

• QSFP-40/100-SRBD

• QSFP-100G-SR1.2

• QSFP-100G-SM-SR

On these network modules:

• FPR9K-NM-4X100G

• FPR9K-NM-2X100G

• FPR9K-DNM-2X100G

See: Cisco Firepower 9300 Hardware Installation Guide

The performance profile settings available in the platform settings policy now apply to the Secure Firewall 3100. Previously, this feature was supported on the Firepower 4100/9300, the Secure Firewall 4200, and on Firewall Threat Defense Virtual.

See: Platform Settings

You can now deploy without the diagnostic interface on Firewall Threat Defense Virtual for Azure and GCP. Previously, we required one management, one diagnostic, and at least two data interfaces. New interface requirements are:

• Azure: one management, two data (max eight)

• GCP: one management, three data (max eight)

Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

You can now use Firewall Threat Defense Virtual for Azure to inspect and protect traffic through a Microsoft Azure Virtual WAN hub. This integration allows you to consistently and easily apply security policies and configurations across all spokes in the hub, and to leverage built-in scalability and load balancer capabilities for optimal performance.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

Device management services configured in the Firewall Threat Defense platform settings (NetFlow, SSH access, SNMP hosts, syslog servers) are now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces.

Platform restrictions: Not supported with container instances or clustered devices.

See: Platform Settings

You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices. Note that in multi-instance mode, you upgrade the operating system and the firmware (chassis upgrade) separately from the container instances (Firewall Threat Defense upgrade).

New/modified screens:

• Devices > Device Management > Add > Chassis

• Devices > Device Management > Device > Chassis Manager

• Devices > Platform Settings > New Policy > Chassis Platform Settings

• Devices > Chassis Upgrade

New/modified Firewall Threat Defense CLI commands: configure multi-instance network ipv4 , configure multi-instance network ipv6

New/modified FXOS CLI commands: create device-manager , set deploymode

Platform restrictions: Not supported on the Secure Firewall 3105.

See: Multi-Instance Mode for the Secure Firewall 3100 and Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

You can now configure 16-node clusters for Firewall Threat Defense Virtual for VMware and Firewall Threat Defense Virtual for KVM.

See: Clustering for Firewall Threat Defense Virtual in a Private Cloud

You can now configure target failover for clustered Firewall Threat Defense Virtual for AWS using the AWS Gateway Load Balancer (GWLB).

Platform restrictions: Not available with five and ten-device licenses.

See: Clustering for Firewall Threat Defense Virtual in a Public Cloud

You can now use the CLI to detect configuration mismatches in Firewall Threat Defense high availability pairs.

New/modified CLI commands: show failover config-sync error , show failover config-sync stats

See: High Availability and Cisco Secure Firewall Threat Defense Command Reference

Firewall Management Center high availability (HA) includes the following synchronization enhancements:

• Large configuration history files can cause synchronization to fail in high-latency networks. To prevent this from happening, the device configuration history files are now synchronized in parallel with other configuration data. This enhancement also reduces the synchronization time.

• The Firewall Management Center now monitors the configuration history file synchronization process and displays a health alert if the synchronization times out.

New/modified screens: You can view these alerts on the following screens:

• Notifications > Message Center > Health

• Integration > Other Integrations > High Availability > Status (under Summary)

See: High Availability

You can now monitor WAN interface application performance on the SD-WAN Summary dashboard.

New/modified screens: Overview > SD-WAN Summary > Application Monitoring

See: VPN Monitoring and Troubleshooting

Upgrade impact. Qualifying connections start being offloaded.

On the Secure Firewall 3100, qualifying IPsec connections through the VTI loopback interface are now offloaded by default. Previously, this feature was only supported on physical interfaces. This feature is automatically enabled by the upgrade.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

See: VPN Overview

The crypto debugging enhancements introduced in Version 7.4.0 now apply to the Secure Firewall 3100 and the Firepower 4100/9300. Previously, they were only supported on the Secure Firewall 4200.

See: Decryption Rules

You can now view the details of route-based VPNs' virtual tunnel interfaces (VTI) on your managed devices. You can also view details of all the dynamically created virtual access interfaces of the dynamic VTIs.

New/modified screens: Device > Device Management > Edit a device > Interfaces > Virtual Tunnels tab.

See: Site-to-Site VPNs

You can now use FlexConfig to configure Bidirectional Forwarding Detection (BFD) routing on physical, subinterface, and EtherChannel IS-IS interfaces.

See: Guidelines for BFD Routing

Firewall Management Center now includes the following zero trust access enhancements:

• You can configure source NAT for an application. The configured network object or object group translates the incoming request's public network source IP address to a routable IP address inside the application network.

• You can troubleshoot the zero trust configuration issues using the diagnostics tool.

New/modified screens: Policies > Access Control > Zero Trust Application

New/modified CLI commands: show running-config zero-trust , show zero-trust statistics

You can now detect and handle Common Industrial Protocol (CIP) by using CIP and Ethernet/IP (ENIP) application conditions in your security policies.

See: Access Control Rules

CIP Safety is a CIP extension that enables the safe operation of industrial automation applications. The CIP inspector can now detect the CIP Safety segments in the CIP traffic. To detect and take action on the CIP Safety segments, enable the CIP inspector in the Firewall Management Center's network Analysis policy and assign it to an access control policy.

New/modified screens: Policies > Access Control > Edit a policy > Add Rule > Applications tab > Search for CIP Safety in the search box.

See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide

Upgrade impact. Update custom authentication forms.

You can configure active authentication for either an LDAP realm; or a Microsoft Active Directory realm or a realm sequence. In addition, you can configure a passive authentication rule to fall back to active authentication using either a realm or a realm sequence. You can optionally share sessions between managed devices that share the same identity policy in access control rules.

In addition, you have the option to require users to authenticate again when they access the system using a different managed device than they accessed previously.

If you use the HTTP Response Page authentication type, after you upgrade Firewall Threat Defense, you must add <select name="realm" id="realm"></select> to your custom authentication form. This allows the user to choose between realms.

Restrictions: Not supported with Microsoft Azure Active Directory.

New/modified screens:

• Policies > Identity > (edit policy) > Active Authentication > Share active authentication sessions across firewalls

• Identity policy > (edit) > Add Rule > Passive Authentication > Realms & Settings > Use active authentication if passive or VPN identity cannot be established

• Identity policy > (edit) > Add Rule > Active Authentication > Realms & Settings > Use active authentication if passive or VPN identity cannot be established

See: User Control with Captive Portal

Determines whether or not users are required to authenticate when their authentication session is sent to a different managed device than one they previously connected to. If your organization requires users to authenticate every time they change locations or sites, you should disable this option.

• (Default.) Enable to allow users to authenticate with any managed device associated with the active authentication identity rule.

• Disable to require the user to authenticate with a different managed device, even if they have already authenticated with another managed device to which the active authentication rule is deployed.

New/modified screens: Policies > Identity > (edit policy) > Active Authentication > Share active authentication sessions across firewalls

See: User Control with Captive Portal

Upgrade impact. Redo any related FlexConfigs after upgrade.

New/modified screens: Objects > Object Management > AAA Server > RADIUS Server Group > Add RADIUS Server Group > Merge Downloadable ACL with Cisco AV Pair ACL

New CLI commands:

• sh run aaa-server aaa-server ISE-Server protocol radius merge-dacl after-avpair

• sh run aaa-server aaa-server ISE-Server protocol radius merge-dacl before-avpair

See: Object Management

You can now view chassis-level health alerts for Firepower 4100/9300 by registering the chassis to the Firewall Management Center as a read-only device. You must also enable the Firewall Threat Defense Platform Faults health module and apply the health policy. The alerts appear in the Message Center, the health monitor (in the left pane, under Devices, select the chassis), and in the health events view.

You can also add a chassis (and view health alerts for) the Secure Firewall 3100 in multi-instance mode. For those devices, you use the Firewall Management Center to manage the chassis. But for the Firepower 4100/9300 chassis, you still must use the chassis manager or the FXOS CLI.

New/modified screens: Devices > Device Management > Add > Chassis

See: Device Management

Upgrade impact. Memory usage alert thresholds may be lowered.

We improved the accuracy of Firewall Management Center memory usage and have lowered the default alert thresholds to 88% warning/90% critical. If your thresholds were higher than the new defaults, the upgrade lowers them automatically—you do not have to apply health policies for this change to take place. Note that the Firewall Management Center may now reboot in extremely critical system memory condition if terminating high-memory processes does not work.

You can also add new swap memory usage metrics to a new or existing Firewall Management Center health dashboard. Make sure you choose the Memory metric group.

New/modified screens:

• System () > Health > Monitoring > Firewall Management Center > Add/Edit Dashboard > Memory

• System () > Health > Policy > Management Center Health Policy > Memory

See: Health

You can enable change management if your organization needs to implement more formal processes for configuration changes, including audit tracking and official approval before changes are deployed.

We added the System() > Configuration > Change Management page to enable the feature. When enabled, there is a System() > Change Management Workflow page, and a new Ticket() quick access icon in the menu.

See: Change Management

Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot.

For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware.

Just as with software and operating system upgrades, do not make or deploy configuration changes during firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during firmware upgrade.

See: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide

You can automatically generate reports on configuration changes after major and maintenance Firewall Management Center upgrades. This helps you understand the changes you are about to deploy. After the system generates the reports, you can download them from the Tasks tab in the Message Center.

Version restrictions: Only supported for Firewall Management Center upgrades from Version 7.4.1+. Not supported for upgrades to Version 7.4.1 or any earlier version.

New/modified screens: System > Configuration > Upgrade Configuration > Enable Post-Upgrade Report

See: System Configuration

You can use the Firewall Management Center CLI to reboot and permanently erase its own hard drive data. After the erase is completed, you can install a fresh software image.

New/modified CLI commands: secure erase

See: Secure Firewall Management Center Command Line Reference

You can generate and download troubleshooting files for each device on the Device page and also for all cluster nodes on the Cluster page. For a cluster, you can download all files as a single compressed file. You can also include cluster logs for the cluster for cluster nodes. You can alternatively trigger file generation from the Devices > Device Management > More > Troubleshoot Files menu.

New/modified screens:

• Devices > Device Management > Device > General

• Devices > Device Management > Cluster > General

See: Device Management

If a node fails to join the cluster, a troubleshooting file is automatically generated for the node. You can download the file from Tasks or from the Cluster page.

You can view a set of pre-defined CLI outputs that can help you troubleshoot the device or cluster. You can also enter any show command and see the output.

New/modified screens: Devices > Device Management > Cluster > General

See: Device Management

If the data plane process crashes, the system now reloads only the data plane process instead of rebooting the device. Along with the data plane process reload, Snort and a few other processes also get reloaded.

However, if the data plane process crashes during bootup, the device follows the normal reload/reboot sequence, which helps avoid a reload process loop from occurring.

This feature is enabled by default for both new and upgraded devices. To disable it, use FlexConfig.

New/modified CLI commands: data-plane quick-reload , no data-plane quick-reload , show data-plane quick-reload status

Supported platforms: Firepower 1000/2100, Firepower 4100/9300

Platform restrictions: Not supported in multi-instance mode.

See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Secure Firewall ASA Series Command Reference.

The Disk Usage health module no longer alerts with frequent drain of events. You may continue to see these alerts after Firewall Management Center upgrade until you either deploy health policies to managed devices (stops the display of alerts) or upgrade devices to Version 7.4.1+ (stops the sending of alerts).

See: Troubleshooting

We deprecated the VPN Tunnel Status health module. Use the VPN dashboards instead.

See: VPN Monitoring and Troubleshooting

Upgrade impact. Redo any related FlexConfigs after upgrade.

This feature is now supported in the Firewall Management Center web interface.

We introduced the Secure Firewall 4215, 4225, and 4245. You must manage these devices with a Firewall Management Center. They do not support device manager.

These devices support the following new network modules:

• 2-port 100G QSFP+ network module (FPR4K-XNM-2X100G)

• 4-port 200G QSFP+ network module (FPR4K-XNM-4X200G)

See: Cisco Secure Firewall 4215, 4225, and 4245 Hardware Installation Guide

The performance profile settings available in the platform settings policy now apply to the Secure Firewall 4200. Previously, this feature was supported only on the Firepower 4100/9300 and on Firewall Threat Defense Virtual.

See: Platform Settings

You can now easily migrate configurations from the Firepower 1000/2100 to the Secure Firewall 3100.

New/modified screens: Devices > Device Management > Migrate

Platform restrictions: Migration not supported from the Firepower 1010 or 1010E.

See: Device Management

You can migrate from Firepower Management Center 4600 to Secure Firewall Management Center Virtual for AWS with a 300-device license.

See: Cisco Secure Firewall Management Center Model Migration Guide

You can migrate from Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700.

See: Cisco Secure Firewall Management Center Model Migration Guide

You can migrate Firepower Management Center 1000/2500/4500 to Secure Firewall Management Center 1700/2700/4700. To migrate, you must temporarily upgrade the old Firewall Management Center from Version 7.0 to Version 7.4.0.

Important

Version 7.4 is only supported on the 1000/2500/4500 during the migration process. You should minimize the time between Firewall Management Center upgrade and device migration.

To summarize the migration process:

1. Prepare for upgrade and migration. Read, understand, and meet all the prerequisites outlined in the release notes, upgrade guides, and migration guide. Make sure the old Firewall Management Center is ready to go: freshly deployed, fully backed up, all appliances in good health, etc. You should also set up the new Firewall Management Center.

2. Upgrade the old Firewall Management Center and all its managed devices to at least Version 7.0.0 (7.0.5 recommended). If you are already running the minimum version, you can skip this step.

3. Upgrade the old Firewall Management Center to Version 7.4.0. Unzip (but do not untar) the upgrade package before uploading it to the Firewall Management Center. Download from: Special Release.

4. Migrate the Firewall Management Center as described in the model migration guide.

5. Verify migration success. If the migration does not function to your expectations and you want to switch back, note that Version 7.4 is unsupported for general operations on the 1000/2500/4500. To return the old Firewall Management Center to a supported version you must reimage back to Version 7.0, restore from backup, and reregister devices.

See:

• Cisco Secure Firewall Threat Defense Release Notes

• Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0

• Cisco Secure Firewall Management Center Model Migration Guide

If you have questions or need assistance at any point in the migration process, contact Cisco TAC.

You can migrate devices from Firepower Management Center 1000/2500/4500 to Cloud-Delivered Firewall Management Center.

To migrate devices, you must temporarily upgrade the on-prem Firewall Management Center from Version 7.0.3 (7.0.5 recommended) to Version 7.4.0. This temporary upgrade is required because Version 7.0 Firewall Management Centers do not support device migration to the cloud. Additionally, only standalone and high availability Firewall Threat Defense running Version 7.0.3+ (7.0.5 recommended) are eligible for migration. Cluster migration is not supported at this time.

Important

Version 7.4.0 is only supported on the 1000/2500/4500 during the migration process. You should minimize the time between Firewall Management Center upgrade and device migration.

To summarize the migration process:

1. Prepare for upgrade and migration. Read, understand, and meet all the prerequisites outlined in the release notes, upgrade guides, and migration guide.

   Before you upgrade, it is especially important that the on-prem Firewall Management Center is "ready to go," that is, managing only the devices you want to migrate, configuration impact assessed (such as VPN impact), freshly deployed, fully backed up, all appliances in good health, and so on.

   You should also provision, license, and prepare the cloud tenant. This must include a strategy for security event logging; you cannot retain the on-prem Firewall Management Center for analytics because it will be running an unsupported version.

2. Upgrade the on-prem Firewall Management Center and all its managed devices to at least Version 7.0.3 (Version 7.0.5 recommended).

   If you are already running the minimum version, you can skip this step.

3. Upgrade the on-prem Firewall Management Center to Version 7.4.0.

   Unzip (but do not untar) the upgrade package before uploading it to the Firewall Management Center. Download from: Special Release.

4. Onboard the on-prem Firewall Management Center to CDO.

5. Migrate all devices from the on-prem Firewall Management Center to the Cloud-Delivered Firewall Management Center as described in the migration guide.

   When you select devices to migrate, make sure you choose Delete FTD from On-Prem FMC. Note that the device is not fully deleted unless you commit the changes or 14 days pass.

6. Verify migration success.

   If the migration does not function to your expectations, you have 14 days to switch back or it is committed automatically. However, note that Version 7.4.0 is unsupported for general operations. To return the on-prem Firewall Management Center to a supported version you must remove the re-migrated devices, re image back to Version 7.0.x, restore from backup, and reregister the devices.

See:

• Cisco Secure Firewall Threat Defense Release Notes

• Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0

• Migrate On-Premises Management Center Managed Secure Firewall Threat Defense to Cloud-Delivered Firewall Management Center

If you have questions or need assistance at any point in the migration process, contact Cisco TAC.

Zero-Touch Provisioning (also called low-touch provisioning) lets you register Firepower 1000/2100 and Secure Firewall 3100 devices to the Firewall Management Center by serial number without having to perform any initial setup on the device. The Firewall Management Center integrates with SecureX and Security Cloud Control for this functionality.

New/modified screens: Devices > Device Management > Add > Device > Serial Number

Version restrictions: This feature is not supported on Version 7.3.x or 7.4.0 Firewall Threat Defense when the Firewall Management Center is not publicly reachable. Support returns in Version 7.4.1.

See: Add a Device to the Management Center Using the Serial Number (Low-Touch Provisioning)

Upgrade impact. Merge interfaces after upgrade.

For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available.

If you upgraded to 7.4 or later and:

• You did not have any configuration for the diagnostic interface, then the interfaces will merge automatically.

• You have configuration for the diagnostic interface, then you have the choice to merge the interfaces manually, or you can continue to use the separate diagnostic interface. Note that support for the diagnostic interface will be removed in a later release, so you should plan to merge the interfaces as soon as possible.

Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including Management) in the configuration.

For platform settings, this means:

• You can no longer enable HTTP, ICMP, or SMTP for diagnostic.

• For SNMP, you can allow hosts on management instead of diagnostic.

• For Syslog servers, you can reach them on management instead of diagnostic.

• If Platform Settings for syslog servers or SNMP hosts specify the diagnostic interface by name, then you must use separate Platform Settings policies for merged and non-merged devices.

• DNS lookups no longer fall back to the management-only routing table if you do not specify interfaces.

New/modified screens: Devices > Device Management > Interfaces

New/modified commands: show management-interface convergence

See: Interface Overview

You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the Firewall Threat Defense Virtual cluster control link or for Geneve encapsulation.

New/modified screens:

• Devices > Device Management > Edit Device > VTEP > Add VTEP

• Devices > Device Management > Edit Devices > Interfaces > Add Interfaces > VNI Interface

See: Regular Firewall Interfaces

You can now use loopback interfaces for AAA, BGP, DNS, HTTP, ICMP, IPsec flow offload, NetFlow, SNMP, SSH, and syslog.

New/modified screens: Devices > Device Management > Edit device > Interfaces > Add Interfaces > Loopback Interface

See: Regular Firewall Interfaces

You can create interface group objects with only management-only or loopback interfaces. You can use these groups for management features such as DNS servers, HTTP access, or SSH. Loopback groups are available for any feature that can utilize loopback interfaces. However, it's important to note that DNS does not support management interfaces.

New/modified screens: Objects > Object Management > Interface > Add > Interface Group

See: Object Management

Firewall Threat Defense high availability now supports using a regular data interface for communication with the Firewall Management Center. Previously, only standalone devices supported this feature.

See: Device Management

The WAN Summary dashboard provides a snapshot of your WAN devices and their interfaces. It provides insight into your WAN network and information about device health, interface connectivity, application throughput, and VPN connectivity. You can monitor the WAN links and take proactive and prompt recovery measures.

New/modified screens: Overview > WAN Summary

See: VPN Monitoring and Troubleshooting

Policy-based routing (PBR) can now use the performance metrics (RTT, jitter, packet-lost, and MOS) collected by path monitoring through HTTP client on the application domain rather than the metrics on a specific destination IP. HTTP-based application monitoring option is enabled by default for the interface. You can configure a PBR policy with match ACL having the monitored applications and interface ordering for path determination.

New/modified screens: Devices > Device Management > Edit device > Edit interface > Path Monitoring > Enable HTTP based Application Monitoring check box.

Platform restrictions: Not supported for clustered devices.

See: Policy Based Routing

Upgrade impact. Check SGT propagation before device upgrade.

You can now classify network traffic based on users, user groups, and SGTs in PBR policies. Select the identity and SGT objects while defining the extended ACLs for the PBR policies.

Note that as a result of how this feature was implemented, Firewall Threat Defense can now add egress SGTs to traffic if the egress interface is configured to propagate SGTs. This can happen with ISE integration even if you do not configure policy-based routing. Starting with Version 7.4.0, the Propagate Security Group Tag option is disabled by default for new interfaces. But because upgrade respects your current settings, this option may be enabled for existing interfaces.

Important

If you have configured an ISE identity source, before you upgrade, check the Propagate Security Group Tag option on your devices' physical, redundant, and subinterfaces and disable it if necessary. If downstream devices are not configured to handle the tags, you could experience traffic loss.

New/modified screens: Objects > Object Management > Access List > Extended > Add/Edit Extended Access List > Add/Edit Extended Access List Entry > Users and Security Group Tag

See: Object Management

On the Secure Firewall 4200, qualifying IPsec connections through the VTI loopback interface are offloaded by default. Previously, this feature was supported for physical interfaces on the Secure Firewall 3100.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

Other requirements: FPGA firmware 6.2+

See: VPN Overview

We made the following enhancements to crypto debugging:

• The crypto archive is now available in text and binary formats.

• Additional SSL counters are available for debugging.

• Remove stuck encrypt rules from the ASP table without rebooting the device.

New/modified CLI commands: show counters

See: Decryption Rules

You can now customize Secure Client and deploy these customizations to the VPN headend. The following are the supported Secure Client customizations:

• GUI text and messages

• Icons and images

• Scripts

• Binaries

• Customized Installer Transforms

• Localized Installer Transforms

Firewall Threat Defense distributes these customizations to the endpoint when an end user connects from the Secure Client.

New/modified screens:

• Objects > Object Management > VPN > Secure Client Customization

• Devices > Remote Access > Edit VPN policy > Advanced > Secure Client Customization

See: Remote Access VPN

You can view the IKE and IPsec session details of VPN nodes in a user-friendly format in the Site-to-Site VPN dashboard.

New/modified screens: Overview > Site to Site VPN > Under the Tunnel Status widget, hover over a topology, click View, and then click the CLI Details tab.

See: Site-to-Site VPNs

Connection events now contain three new fields: Encrypt Peer, Decrypt Peer, and VPN Action. For policy-based and route-based site-to-site VPN traffic, these fields indicate whether a connection was encrypted or decrypted (or both, for transiting connections), and who by.

New/modified screens: Analysis > Connections > Events > Table View of Events

See: VPN Monitoring and Troubleshooting

We now make it easier to exempt site-to-site VPN traffic from NAT translation.

New/modified screens:

• Enable NAT exemptions for an endpoint: Devices > VPN > Site To Site > Add/Edit Site to Site VPN > Add/Edit Endpoint > Exempt VPN traffic from network address translation

• View NAT exempt rules for devices that do not have a NAT policy: Devices > NAT > NAT Exemptions

• View NAT exempt rules for a single device: Devices > NAT > Threat Defense NAT Policy > NAT Exemptions

See: Network Address Translation

You can now configure BGP graceful restart for IPv6 networks on managed devices version 7.3 and later.

New/modified screens: Devices > Device Management > Edit device > Routing > BGP > IPv6 > Neighbor > Add/Edit Neighbor.

See: BGP

You can now configure a virtual router with a dynamic VTI for a route-based site-to-site VPN.

New/modified screens: Devices > Device management > Edit Device > Routing > Virtual Router Properties > Dynamic VTI interfaces under Available Interfaces

Platform restrictions: Supported only on native mode standalone or high availability devices. Not supported for container instances or clustered devices.

See: Virtual Routers

Zero Trust Access allows you to authenticate and authorize access to protected web based resources, applications, or data from inside (on-premises) or outside (remote) the network using an external SAML Identity Provider (IdP) policy.

The configuration consists of a Zero Trust Application Policy (ZTAP), Application Group, and Applications.

New/modified CLI commands:

• show running-config zero-trust application

• show running-config zero-trust application-group

• show zero-trust sessions

• show zero-trust statistics

• show cluster zero-trust statistics

• clear zero-trust sessions application

• clear zero-trust sessions user

• clear zero-trust statistics

Encrypted Visibility Engine (EVE) can now:

• Block malicious communications in encrypted traffic based on threat score.

• Determine client applications based on EVE-detected processes.

• Reassemble fragmented Client Hello packets for detection purposes.

New/modified screens: Use the access control policy's advanced settings to enable EVE and configure these settings.

See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide

You can now exempt specific networks and ports from bypassing or throttling elephant flows.

New/modified screens:

• When you configure elephant flow detection in the access control policy's advanced settings, if you enable the Elephant Flow Remediation option, you can now click Add Rule and specify traffic that you want to exempt from bypass or throttling.

• When the system detects an elephant flow that is exempted from bypass or throttling, it generates a mid-flow connection event with the reason Elephant Flow Exempted.

Platform restrictions: Not supported on the Firepower 2100 series.

See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide

A new Lua detector API is now introduced, which maps the IP address, port, and protocol on the very first packet of a TCP session to application protocol (service AppID), client application (client AppID), and web application (payload AppID). This new Lua API addHostFirstPktApp is used for performance improvements, reinspection, and early detection of attacks in the traffic. To use this feature, you must upload the Lua detector by specifying the detection criteria in advanced detectors in your custom application detector.

See: Application Detection

Upgrade impact. New rules in default policies take effect.

Sensitive data such as social security numbers, credit card numbers, emails, and so on may be leaked onto the internet, intentionally or accidentally. Sensitive data detection is used to detect and generate events on possible sensitive data leakage and generates events only if there is a transfer of significant amount of Personally Identifiable Information (PII) data. Sensitive data detection can mask PII in the output of events, using built-in patterns.

Disabling data masking is not supported.

See: Custom Rules in Snort 3

We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content.

See: HTTP Inspect Inspector and Cisco Secure Firewall Management Center Snort 3 Configuration Guide

The system now includes MITRE information (from local malware analysis) in file and malware events. Previously, this information was only available for intrusion events. You can view MITRE information in both the classic and unified events views. Note that the MITRE column is hidden by default in both event views.

See: Network Malware Protection and File Policies and File/Malware Events and Network File Trajectory

You can now configure the Cisco Secure Dynamic Attributes Connector on the Firewall Management Center. Previously, it was only available as a standalone application.

See: Cisco Secure Dynamic Attributes Connector

You can use a Microsoft Azure Active Directory (Azure AD) realm with ISE to authenticate users and get user sessions for user control.

New/modified screens:

• Integration > Other Integrations > Realms > Add Realm > Azure AD

• Integration > Other Integrations > Realms > Actions, such as downloading users, copying, editing, and deleting

Supported ISE versions: 3.0 patch 5+, 3.1 (any patch level), 3.2 (any patch level)

See: Realms

Upgrade impact. Redo FlexConfigs after upgrade.

NetFlow is a Cisco application that provides statistics on packets flows. You can now use the Firewall Management Center web interface to configure Firewall Threat Defense devices as NetFlow exporters. If you have an existing NetFlow FlexConfig and redo your configurations in the web interface, you cannot deploy until you remove the deprecated FlexConfigs.

New/modified screens: Devices > Platform Settings > Threat Defense Settings Policy > NetFlow

See: Platform Settings

Serviceability improvements to the event reporting and decryption rule matching.

• New SSL Status to indicate if the SSL handshake is not complete for an encrypted connection. The SSL Status column of the connection event displays “Unknown (Incomplete Handshake)” when the SSL handshake of the logged connection is not complete.

• Subject Alternative Names (SANs) for certificates are now used when matching Certificate Authority (CA) names for improved decryption rule matching.

New/modified screens:

• Analysis > Connections > Events > SSL Status

• Analysis > Connections > Security-Related Events > SSL Status

See: Connection and Security-Related Connection Events

You can now send metrics and health monitoring information from your Firewall Threat Defense devices to an external server (gNMI collector) using OpenConfig. You can configure either Firewall Threat Defense or the collector to initiate the connection, which is encrypted by TLS.

New/modified screens: System () > Health > Policy > Firewall Threat Defense Policies > Settings > OpenConfig Streaming Telemetry

See: Health

You can add over 600 new asp (accelerated security path) drop metrics to a new or existing device health dashboard. Make sure you choose the ASP Drops metric group.

New/modified screens: System () > Health > Monitor > Device

See: show asp drop Command Usage

You can stream configuration changes as part of audit log data to syslog by specifying the configuration data format and the hosts. The Firewall Management Center supports backup and restore of the audit configuration log.

New/modified screens: System () > Configuration > Audit Log > Send Configuration Changes

See: System Configuration

You can define custom user roles to differentiate between the intrusion configuration in access control policies and rules and the rest of the access control policy and rules. Using these permissions, you can separate the responsibilities of your network administration team and your intrusion administration teams.

When defining user roles, you can select the Policies > Access Control > Access Control Policy > Modify Access Control Policy > Modify Threat Configuration option to allow the selection of intrusion policy, variable set, and file policy in a rule, the configuration of the advanced options for Network Analysis and Intrusion Policies, the configuration of the Security Intelligence policy for the access control policy, and intrusion actions in the policy default action. You can use the Modify Remaining Access Control Policy Configuration to control the ability to edit all other aspects of the policy. The existing pre-defined user roles that included the Modify Access Control Policy permission continue to support all sub-permissions; you need to create your own custom roles if you want to apply granular permissions.

See: Users

Previously, Firewall Threat Defense supported only IPv4 OCSP URLs. Now, Firewall Threat Defense supports both IPv4 and IPv6 OCSP URLs.

See: System Configuration and Object Management

The default NTP server for new Firewall Management Center deployments changed from sourcefire.pool.ntp.org to time.cisco.com. We recommend you use the Firewall Management Center to serve time to its own devices. You can update the Firewall Management Center's NTP server on System () > Configuration > Time Synchronization.

See: Security, Internet Access, and Communication Ports

You can now:

• Manage Smart Licensing for Firewall Threat Defense clusters from System () > Smart Licenses. Previously, you had to use the Device Management page.

  See: Licensing

• Download a report of Message Center notifications. In the Message Center, click the new Download Report icon, next to the Show Notifications slider.

  See: Troubleshooting

• Download a report of all registered devices. On Devices > Device Management, click the new Download Device List Report link, at the top right of the page.

  See: Device Management

• Clone network and port objects. In the object manager (Objects > Object Management), click the new Clone icon next to a port or network object. You can then change the new object's properties and save it using a new name.

  See: Object Management

• Easily create custom health monitoring dashboards, and easily edit existing dashboards.

  See: Health

On the Secure Firewall 4200, you can use a new direction keyword with the capture command.

New/modified CLI commands: capturecapture_nameswitchinterfaceinterface_name[ direction{ both| egress| ingress} ]

See: Cisco Secure Firewall Threat Defense Command Reference

To improve continuity of operations, an unresponsive Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process becomes unresponsive. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.)

This feature is enabled by default. You can use the CLI to disable it, or configure the time or number of unresponsive threads before Snort restarts.

New/modified CLI commands: configure snort3-watchdog

See: Cisco Secure Firewall Threat Defense Command Reference

You can now configure Firewall Threat Defense devices as NetFlow exporters from the Firewall Management Center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs.

See: Platform Settings