Platform Features

Secure Firewall 3100

We introduced the Secure Firewall 3110, 3120, 3130, and 3140. You can hot swap a network module of the same type while the firewall is powered up without having to reboot; making other module changes requires a reboot. Secure Firewall 3100 25 Gbps interfaces support Forward Error Correction as well as speed detection based on the SFP installed. The SSDs are self-encrypting drives (SEDs), and if you have 2 SSDs, they form a software RAID.

New/Modified screens: Device > Interfaces

New/Modified threat defense commands: configure network speed, configure raid, show raid, show ssd

Support ends for the ASA 5508-X and 5516-X. The last supported release is threat defense 7.0.

You cannot install threat defensethreat defense 7.1 on an ASA 5508-X or 5516-X. The last supported release for these models is threat defense 7.0.

Firewall and IPS Features

Network Analysis Policy (NAP) configuration for Snort 3.

You can use device manager to configure the Network Analysis Policy (NAP) when running Snort 3. Network analysis policies control traffic preprocessing inspection. Inspectors prepare traffic to be further inspected by normalizing traffic and identifying protocol anomalies. You can select which NAP is used for all traffic, and customize the settings to work best with the traffic in your network. You cannot configure the NAP when running Snort 2.

We added the Network Analysis Policy to the Policies > Intrusion settings dialog box, with an embedded JSON editor to allow direct changes, and other features to let you upload overrides, or download the ones you create.

Manual NAT support for fully-qualified domain name (FQDN) objects as the translated destination.

You can use an FQDN network object, such as one specifying www.example.com, as the translated destination address in manual NAT rules. The system configures the rule based on the IP address returned from the DNS server.

Improved active authentication for identity rules.

You can configure active authentication for identity policy rules to redirect the user’s authentication to a fully-qualified domain name (FQDN) rather than the IP address of the interface through which the user’s connection enters the device. The FQDN must resolve to the IP address of one of the interfaces on the device. By using an FQDN, you can assign a certificate for active authentication that the client will recognize, thus avoiding the untrusted certificate warning users get when being redirected to an IP address. The certificate can specify the FQDN, a wildcard FQDN, or multiple FQDNs in the Subject Alternate Names (SAN) in the certificate.

We added the Redirect to Host Name option in the identity policy settings.

VPN Features

Backup remote peers for site-to-site VPN.

You can configure a site-to-site VPN connection to include remote backup peers. If the primary remote peer is unavailable, the system will try to re-establish the VPN connection using one of the backup peers. You can configure separate pre-shared keys or certificates for each backup peer. Backup peers are supported for policy-based connections only, and are not available for route-based (virtual tunnel interface) connections.

We updated the site-to-site VPN wizard to include backup peer configuration.

Password management for remote access VPN (MSCHAPv2).

You can enable password management for remote access VPN. This allows AnyConnect to prompt the user to change an expired password. Without password management, users must change expired passwords directly with the AAA server, and AnyConnect does not prompt the user to change passwords. For LDAP servers, you can also set a warning period to notify users of upcoming password expiration.

We added the Enable Password Management option to the authentication settings for remote access VPN connection profiles.

AnyConnect VPN SAML External Browser

When you use SAML as the primary authentication method for a remote access VPN connection profile, you can elect to have the AnyConnect client use the client’s local browser instead of the AnyConnect embedded browser to perform the web authentication. This option enables single sign-on (SSO) between your VPN authentication and other corporate logins. Also choose this option if you want to support web authentication methods, such as biometric authentication, that cannot be performed in the embedded browser.

We updated the remote access VPN connection profile wizard to allow you to configure the SAML Login Experience.

Administrative and Troubleshooting Features

Dynamic Domain Name System (DDNS) support for updating fully-qualified domain name (FQDN) to IP address mappings for system interfaces.

You can configure DDNS for the interfaces on the system to send dynamic updates to DNS servers. This helps ensure that FQDNs defined for the interfaces resolve to the correct address, making it easier for users to access the system using a hostname rather than an IP address. This is especially useful for interfaces that get their addresses using DHCP, but it is also useful for statically-addressed interfaces.

After upgrade, if you had used FlexConfig to configure DDNS, you must redo your configuration using device manager or the threat defense API, and remove the DDNS FlexConfig object from the FlexConfig policy, before you can deploy changes again.

If you configure DDNS using device manager, then switch to management center management, the DDNS configuration is retained so that management center can find the system using the DNS name.

In device manager, we added the System Settings > DDNS Service page. In the threat defense API, we added the DDNSService and DDNSInterfaceSettings resources.

The dig command replaces the nslookup command in the device CLI.

To look up the IP address of a fully-qualified domain name (FQDN) in the device CLI, use the dig command. The nslookup command has been removed.

DHCP relay configuration using device manager.

You can use device manager to configure DHCP relay. Using DHCP relay on an interface, you can direct DHCP requests to a DHCP server that is accessible through the other interface. You can configure DHCP relay on physical interfaces, subinterfaces, EtherChannels, and VLAN interfaces. You cannot configure DHCP relay if you configure a DHCP server on any interface.

We added the System Settings > DHCP > DHCP Relay page, and moved DHCP Server under the new DHCP heading.

Key type and size for self-signed certificates in device manager.

Usage validation restrictions for trusted CA certificates.

Generating the admin password in device manager.

During initial system configuration in device manager, or when you change the admin password through device manager, you can now click a button to generate a random 16 character password.

Startup time and tmatch compilation status.

The show version command now includes information on how long it took to start (boot) up the system. Note that the larger the configuration, the longer it takes to boot up the system.

The new show asp rule-engine command shows status on tmatch compilation. Tmatch compilation is used for an access list that is used as an access group, the NAT table, and some other items. It is an internal process that can consume CPU resources and impact performance while in progress, if you have very large ACLs and NAT tables. Compilation time depends on the size of the access list, NAT table, and so forth.

Enhancements to show access-list element-count output.

The output of the show access-list element-count command has been enhanced. When used with object-group search enabled, the output includes details about the number of object groups in the element count.

In addition, the show tech-support output now includes the output from show access-list element-count and show asp rule-engine .

Use device manager to configure the threat defense for management by a management center

When you perform initial setup using device manager, all interface configuration completed in device manager is retained when you switch to management center for management, in addition to the Management and management center access settings. Note that other default configuration settings, such as the access control policy or security zones, are not retained. When you use the threat defense CLI, only the Management and management center access settings are retained (for example, the default inside interface configuration is not retained).

After you switch to management center, you can no longer use device manager to manage the threat defense.

New/Modified screens: System Settings > Management Center

threat defense REST API version 6.2 (v6).

The threat defense REST API for software version 7.1 is version 6.2. You can use v6 in the API URLs, or preferentially, use /latest/ to signify you are using the most recent API version that is supported on the device. Note that the URL version path element for 6.2 is the same as 6.0/1: v6.

Please re-evaluate all existing calls, as changes might have been mode to the resource models you are using. To open the API Explorer, where you can view the resources, log into device manager, then click the more options button () and choose API Explorer.

Platform Features

Support ends for the ASA 5525-X, 5545-X, and 5555-X. The last supported release is threat defense 6.6.

You cannot install threat defense 6.7 on an ASA 5525-X, 5545-X, or 5555-X. The last supported release for these models is threat defense 6.6.

Firewall and IPS Features

TLS server identity discovery for access control rule matching.

TLS 1.3 certificates are encrypted. For traffic encrypted with TLS 1.3 to match access rules that use application or URL filtering, the system must decrypt the TLS 1.3 certificate. We recommend that you enable TLS Server Identity Discovery to ensure encrypted connections are matched to the right access control rule. The setting decrypts the certificate only; the connection remains encrypted.

We added the Access Control Settings () button and dialog box to the Policy > Access Control page.

External trusted CA certificate groups.

You can now customize the list of trusted CA certificates used by the SSL decryption policy. By default, the policy uses all system-defined trusted CA certificates, but you can create a custom group to add more certificates, or replace the default group with your own, more limited, group.

We added certificate groups to the Objects > Certificates page, and modified the SSL decryption policy settings to allow the selection of certificate groups.

Active Directory realm sequences for passive identity rules.

You can create a realm sequence, which is an ordered list of Active Directory (AD) servers and their domains, and use them in a passive authentication identity rule. Realm sequences are useful if you support more than one AD domain and you want to do user-based access control. Instead of writing separate rules for each AD domain, you can write a single rule that covers all of your domains. The ordering of the AD realms within the sequence is used to resolve identity conflicts if any arise.

We added the AD realm sequence object on the Objects > Identity Sources page, and the ability to select the object as a realm in a passive authentication identity rule. In the threat defense API, we added the RealmSequence resource, and in the IdentityRule resource, we added the ability to select a realm sequence object as the realm for a rule that uses passive authentication as the action.

FDM support for Trustsec security group tag (SGT) group objects and their use in access control rules.

In threat defense 6.5, support was added to the threat defense API to configure SGT group objects and use them as matching criteria in access control rules. In addition, you could modify the ISE identity object to listen to the SXP topic published by ISE. Now, you can configure these features directly in FDM.

We added a new object, SGT groups, and updated the access control policy to allow their selection and display. We also modified the ISE object to include the explicit selection of topics to subscribe to.

Snort 3.0 support.

For new systems, Snort 3.0 is the default inspection engine. If you upgrade to 6.7 from an older release, Snort 2.0 remains the active inspection engine, but you can switch to Snort 3.0. For this release, Snort 3.0 does not support virtual routers, time-based access control rules, or the decryption of TLS 1.1 or lower connections. Enable Snort 3.0 only if you do not need these features. You can freely switch back and forth between Snort 2.0 and 3.0, so you can revert your change if needed. Traffic will be interrupted whenever you switch versions.

We added the ability to switch Snort versions to the Device > Updates page, in the Intrusion Rules group. In the threat defense API, we added the IntrusionPolicy resource action/toggleinspectionengine.

In addition, there is a new audit event, Rules Update Event, that shows which intrusion rules were added, deleted, or changed in a Snort 3 rule package update.

Custom intrusion policies for Snort 3.

You can create custom intrusion policies when you are using Snort 3 as the inspection engine. In comparison, you could use the pre-defined policies only if you use Snort 2. With custom intrusion policies, you can add or remove groups of rules, and change the security level at the group level to efficiently change the default action (disabled, alert or drop) of the rules in the group. Snort 3 intrusion policies give you more control over the behavior of your IPS/IDS system without the need to edit the base Cisco Talos-provided policies.

We changed the Policies > Intrusion page to list intrusion policies. You can create new ones, and view or edit existing policies, including adding/removing groups, assigning security levels, and changing the action for rules. You can also select multiple rules and change their actions. In addition, you can select custom intrusion policies in access control rules.

Multiple syslog servers for intrusion events.

You can configure multiple syslog servers for intrusion policies. Intrusion events are sent to each syslog server.

We added the ability to select multiple syslog server objects to the intrusion policy settings dialog box.

URL reputation matching can include sites with unknown reputations.

When you configure URL category traffic-matching criteria, and select a reputation range, you can include URLs with unknown reputation in the reputation match.

We added the Include Sites with Unknown Reputation check box to the URL reputation criteria in access control and SSL decyption rules.

VPN Features

Virtual Tunnel Interface (VTI) and route-based site-to-site VPN.

You can now create route-based site-to-site VPNs by using a Virtual Tunnel Interface as the local interface for the VPN connection profile. With route-based site-to-site VPN, you manage the protected networks in a given VPN connection by simply changing the routing table, without altering the VPN connection profile at all. You do not need to keep track of remote networks and update the VPN connection profile to account for these changes. This simplifies VPN management for cloud service providers and large enterprises.

We added the Virtual Tunnel Interfaces tab to the Interface listing page, and updated the site-to-site VPN wizard so that you can use a VTI as the local interface.

threat defense API support for Hostscan and Dynamic Access Policy (DAP) for remote access VPN connections.

You can upload Hostscan packages and the Dynamic Access Policy (DAP) rule XML file, and configure DAP rules to create the XML file, to control how group policies are assigned to remote users based on attributes related to the status of the connecting endpoint. You can use these features to perform Change of Authorization if you do not have Cisco Identity Services Engine (ISE). You can upload Hostscan and configure DAP using the threat defense API only; you cannot configure them using FDM. See the AnyConnect documentation for information about Hostscan and DAP usage.

We added or modified the following threat defense API object models: dapxml, hostscanpackagefiles, hostscanxmlconfigs, ravpns.

Enabling certificate revocation checking for external CA certificates

You can use the threat defense API to enable certificate revocation checking on a particular external CA certificate. Revocation checking is particularly useful for certificates used in remote access VPN. You cannot configure revocation checking on a certificate using FDM, you must use the threat defense API.

We added the following attributes to the ExternalCACertificate resource: revocationCheck, crlCacheTime, oscpDisableNonce.

Support removed for less secure Diffie-Hellman groups, and encryption and hash algorithms.

The following features were deprecated in 6.6 and they are now removed. If you are still using them in IKE proposals or IPsec policies, you must replace them after upgrade before you can deploy any configuration changes. We recommend that you change your VPN configuration prior to upgrade to supported DH and encryption algorithms to ensure the VPN works correctly.

• Diffie-Hellman groups: 2, 5, and 24.

• Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls.

• Hash algorithms: MD5.

Custom port for remote access VPN.

You can configure the port used for remote access VPN (RA VPN) connections. If you need to connect to FDM on the same interface used for RA VPN, you can change the port number for RA VPN connections. FDM uses port 443, which is also the default RA VPN port.

We updated the global settings step of the RA VPN wizard to include port configuration.

SAML Server support for authenticating remote access VPN.

You can configure a SAML 2.0 server as the authentication source for a remote access VPN. Following are the supported SAML servers: Duo.

We added SAML server as an identity source on the Objects > Identity Sources page, and updated remote access VPN connection profiles to allow its use.

Threat Defense API Support for AnyConnect module profiles.

You can use the threat defense API to upload module profiles used with AnyConnect, such as AMP Enabler, ISE Posture, or Umbrella. You must create these profiles using the offline profile editors that you can install from the AnyConnect profile editor package.

We added the anyConnectModuleType attribute to the AnyConnectClientProfile model. Although you can initially create AnyConnect Client Profile objects that use module profiles, you will still need to use the API to modify the objects created in FDM to specify the correct module type.

Routing Features

EIGRP support using Smart CLI.

In previous releases, you configured EIGRP in the Advanced Configuration pages using FlexConfig. Now, you configure EIGRP using Smart CLI directly on the Routing page.

If you configured EIGRP using FlexConfig, when you upgrade to release 6.7, you must remove the FlexConfig object from the FlexConfig policy, and then recreate your configuration in the Smart CLI object. You can retain your EIGRP FlexConfig object for reference until you have completed the Smart CLI updates. Your configuration is not automatically converted.

We added the EIGRP Smart CLI object to the Routing pages.

Interface Features

ISA 3000 hardware bypass persistence

You can now enable hardware bypass for ISA 3000 interface pairs with the persistence option: after power is restored, hardware bypass remains enabled until you manually disable it. If you enable hardware bypass without persistence, hardware bypass is automatically disabled after power is restored. There may be a brief traffic interruption when hardware bypass is disabled. The persistence option lets you control when the brief interruption in traffic occurs.

New/Modified screen: Device > Interfaces > Hardware Bypass > Hardware Bypass Configuration

Synchronization between the threat defense operational link state and the physical link state for the Firepower 4100/9300

The Firepower 4100/9300 chassis can now synchronize the threat defense operational link state with the physical link state for data interfaces. Currently, interfaces will be in an Up state as long as the FXOS admin state is up and the physical link state is up. The threat defense application interface admin state is not considered. Without synchronization from threat defense, data interfaces can be in an Up state physically before the threat defense application has completely come online, for example, or can stay Up for a period of time after you initiate an threat defense shutdown. This feature is disabled by default, and can be enabled per logical device in FXOS.

New/Modified chassis manager screens: Logical Devices > Enable Link State

New/Modified FXOS commands: set link-state-sync enabled, show interface expand detail

Supported platforms: Firepower 4100/9300

Firepower 1100 and 2100 SFP interfaces now support disabling auto-negotiation

You can now configure a Firepower 1100 and 2100 SFP interface to disable auto-negotiation. For 10GB interfaces, you can configure the speed down to 1GB without auto-negotiation; you cannot disable auto-negotiation for an interface with the speed set to 10GB.

Supported platforms: Firepower 1100 and 2100

Administrative and Troubleshooting Features

Ability to cancel a failed threat defense software upgrade and to revert to the previous release.

If an threat defense major software upgrade fails or is otherwise not functioning correctly, you can revert to the state of the device as it was when you installed the upgrade.

We added the ability to revert the upgrade to the System Upgrade panel in FDM. During an upgrade, the FDM login screen shows the upgrade status and gives you the option to cancel or revert in case of upgrade failure. In the threat defense API, we added the CancelUpgrade, RevertUpgrade, RetryUpgrade, and UpgradeRevertInfo resources.

In the threat defense CLI, we added the following commands: show last-upgrade status , show upgrade status , show upgrade revert-info , upgrade cancel , upgrade revert , upgrade cleanup-revert , upgrade retry .

Custom HTTPS port for FDM/threat defense API access on data interfaces.

You can change the HTTPS port used for FDM or threat defense API access on data interfaces. By changing the port from the default 443, you can avoid conflict between management access and other features, such as remote access VPN, configured on the same data interface. Note that you cannot change the management access HTTPS port on the management interface.

We added the ability to change the port to the Device > System Settings > Management Access > Data Interfaces page.

Low-touch provisioning for Cisco Defense Orchestrator on Firepower 1000 and 2100 series devices.

If you plan on managing a new threat defense device using Cisco Defense Orchestrator (CDO), you can now add the device without completing the device setup wizard or even logging into FDM.

New Firepower 1000 and 2100 series devices are initially registered in the Cisco cloud, where you can easily claim them in CDO. Once in CDO, you can immediately manage the devices from CDO. This low-touch provisioning minimizes the need to interact directly with the physical device, and is ideal for remote offices or other locations where your employees are less experienced working with networking devices.

We changed how Firepower 1000 and 2100 series devices are initially provisioned. We also added auto-enrollment to the System Settings > Cloud Services page, so that you can manually start the process for upgraded devices or other devices that you have previously managed using FDM.

Threat Defense API support for SNMP configuration.

You can use the threat defense API to configure SNMP version 2c or 3 on an FDM or CDO managed threat defense device.

We added the following API resources: SNMPAuthentication, SNMPHost, SNMPSecurityConfiguration, SNMPServer, SNMPUser, SNMPUserGroup, SNMPv2cSecurityConfiguration, SNMPv3SecurityConfiguration.

Maximum backup files retained on the system is reduced from 10 to 3.

The system will retain a maximum of 3 backup files on the system rather than 10. As new backups are created, the oldest backup file is deleted. Please ensure that you download backup files to a different system so that you have the versions required to recover the system in case you need to.

Threat Defense API Version backward compatibility.

Starting with threat defense Version 6.7, if an API resource model for a feature does not change between releases, then the threat defense API can accept calls that are based on the older API version. Even if the feature model did change, if there is a logical way to convert the old model to the new model, the older call can work. For example, a v4 call can be accepted on a v5 system. If you use “latest” as the version number in your calls, these “older” calls are interpreted as a v5 call in this scenario, so whether you are taking advantage of backward compatibility depends on how you are structuring your API calls.

threat defense REST API version 6 (v6).

The threat defense REST API for software version 6.7 is version 6. You can use v6 in the API URLs, or preferentially, use /latest/ to signify you are using the most recent API version that is supported on the device.

Please re-evaluate all existing calls, as changes might have been mode to the resource models you are using. To open the API Explorer, where you can view the resources, log into FDM, then click the more options button () and choose API Explorer.

Platform Features

Device Manager support for threat defense virtual for the Amazon Web Services (AWS) Cloud.

You can configure threat defense on threat defense virtual for the AWS Cloud using device manager.

Device Manager for the Firepower 4112

We introduced the threat defense for the Firepower 4112.

Firewall and IPS Features

Ability to enable intrusion rules that are disabled by default.

Each system-defined intrusion policy has a number of rules that are disabled by default. Previously, you could not change the action for these rules to alert or drop. You can now change the action for rules that are disabled by default.

We changed the Intrusion Policy page to display all rules, even those that are disabled by default, and allow you to edit the action for these rules.

Intrusion Detection System (IDS) mode for the intrusion policy.

You can now configure the intrusion policy to operate in Intrusion Detection System (IDS) mode. In IDS mode, active intrusion rules issue alerts only, even if the rule action is Drop. Thus, you can monitor or test how an intrusion policy works before you make it an active prevention policy in the network.

In device manager, we added an indication of the inspection mode to each intrusion policy on the Policies > Intrusion page, and an Edit link so that you can change the mode.

In the threat defense API, we added the inspectionMode attribute to the IntrusionPolicy resource.

Support for manually uploading Vulnerability Database (VDB), Geolocation Database, and Intrusion Rule update packages.

You can now manually retrieve update packages for VDB, Geolocation Database, and Intrusion Rules, and then upload them from your workstation to the threat defense device using device manager. For example, if you have an air-gapped network, where device manager cannot retrieve updates from the Cisco Cloud, you can now get the update packages you need.

We updated the Device > Updates page to allow you to select and upload a file from your workstation.

threat defense API support for access control rules that are limited based on time.

Using the threat defense API, you can create time range objects, which specify one-time or recurring time ranges, and apply these objects to access control rules. Using time ranges, you can apply an access control rule to traffic during certain times of day, or for certain periods of time, to provide flexibility to network usage. You cannot use device manager to create or apply time ranges, nor does device manager show you if an access control rule has a time range applied to it.

The TimeRangeObject, Recurrence, TimeZoneObject, DayLightSavingDateRange, and DayLightSavingDayRecurrence resources were added to the threat defense API. The timeRangeObjects attribute was added to the accessrules resource to apply a time range to the access control rule. In addition, there were changes to the GlobalTimeZone and TimeZone resources.

Object group search for access control policies.

While operating, the threat defense device expands access control rules into multiple access control list entries based on the contents of any network objects used in the access rule. You can reduce the memory required to search access control rules by enabling object group search. With object group search enabled, the system does not expand network objects, but instead searches access rules for matches based on those group definitions. Object group search does not impact how your access rules are defined or how they appear in device manager. It impacts only how the device interprets and processes them while matching connections to access control rules. Object group search is disabled by default.

In device manager, you must use FlexConfig to enable the object-group-search access-control command.

VPN Features

Backup peer for site-to-site VPN. (threat defense API only.)

You can use the threat defense API to add a backup peer to a site-to-site VPN connection. For example, if you have two ISPs, you can configure the VPN connection to fail over to the backup ISP if the connection to the first ISP becomes unavailable.

Another main use of a backup peer is when you have two different devices on the other end of the tunnel, such as a primary-hub and a backup-hub. The system would normally establish the tunnel to the primary hub. If the VPN connection fails, the system automatically can re-establish the connection with the backup hub.

We updated the threat defense API so that you can specify more than one interface for outsideInterface in the SToSConnectionProfile resource. We also added the BackupPeer resource, and the remoteBackupPeers attribute to the SToSConnectionProfile resource.

You cannot configure a backup peer using device manager, nor will the existence of a backup peer be visible in device manager.

Support for Datagram Transport Layer Security (DTLS) 1.2 in remote access VPN.

You can now use DTLS 1.2 in remote access VPN. This can be configured using the threat defense API only, you cannot configure it using device manager. However, DTLS 1.2 is now part of the default SSL cipher group, and you can enable the general use of DTLS using device manager in the AnyConnect attributes of the group policy. Note that DTLS 1.2 is not supported on the ASA 5508-X or 5516-X models.

We updated the protocolVersion attribute of the sslcipher resource to accept DTLSV1_2 as an enum value.

Deprecated support for less secure Diffie-Hellman groups, and encryption and hash algorithms.

The following features are deprecated and will be removed in a future release. You should avoid configuring these features in IKE proposals or IPSec policies for use in VPNs. Please transition away from these features and use stronger options as soon as is practical.

• Diffie-Hellman groups: 2, 5, and 24.

• Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls.

• Hash algorithms: MD5.

Routing Features

Virtual routers and Virtual Routing and Forwarding (VRF)-Lite.

You can create multiple virtual routers to maintain separate routing tables for groups of interfaces. Because each virtual router has its own routing table, you can provide clean separation in the traffic flowing through the device.

Virtual routers implement the “light” version of Virtual Routing and Forwarding, or VRF-Lite, which does not support Multiprotocol Extensions for BGP (MBGP).

We changed the Routing page so you can enable virtual routers. When enabled, the Routing page shows a list of virtual routers. You can configure separate static routes and routing processes for each virtual router.

We also added the [ vrf name | all] keyword set to the following CLI commands, and changed the output to indicate virtual router information where applicable: clear ospf , clear route , ping , show asp table routing , show bgp , show ipv6 route , show ospf , show route , show snort counters .

We added the following command: show vrf .

OSPF and BGP configuration moved to the Routing pages.

In previous releases, you configured OSPF and BGP in the Advanced Configuration pages using Smart CLI. Although you still configure these routing processes using Smart CLI, the objects are now available directly on the Routing pages. This makes it easier for you to configure processes per virtual router.

The OSPF and BGP Smart CLI objects are no longer available on the Advanced Configuration page. If you configured these objects before upgrading to 6.6, you can find them on the Routing page after upgrade.

High Availability Features

The restriction for externally authenticated users logging into the standby unit of a high availability (HA) pair has been removed.

Previously, an externally-authenticated user could not directly log into the standby unit of an HA pair. The user first needed to log into the active unit, then deploy the configuration, before login to the standby unit was possible.

This restriction has been removed. Externally-authenticated users can log into the standby unit even if they never logged into the active unit, so long as they provide a valid username/password.

Change to how interfaces are handled by the BreakHAStatus resource in the threat defense API.

Previously, you could include the clearIntfs query parameter to control the operational status of the interfaces on the device where you break the high availability (HA) configuration.

Starting with version 6.6, there is a new attribute, interfaceOption, which you should use instead of the clearIntfs query parameter. This attribute is optional when used on the active node, but required when used on a non-active node. You can choose from one of two options:

• DISABLE_INTERFACES (the default)—All data interfaces on the standby device (or this device) are disabled.

• ENABLE_WITH_STANDBY_IP—If you configured a standby IP address for an interface, the interface on the standby device (or this device) is reconfigured to use the standby address. Any interface that lacks a standby address is disabled.

If you use break HA on the active node when the devices are in a healthy active/standby state, this attribute applies to the interfaces on the standby node. In any other state, such as active/active or suspended, the attribute applies to the node on which you initiate the break.

If you do use the clearIntfs query parameter, clearIntfs=true will act like interfaceOption = DISABLE_INTERFACES. This means that breaking an active/standby pair with clearIntfs=true will no longer disable both devices; only the standby device will be disabled.

When you break HA using device manager, the interface option is always set to DISABLE_INTERFACES. You cannot enable the interfaces with the standby IP address. Use the API call from the API Explorer if you want a different result.

The last failure reason for High Availability problems is now displayed on the High Availability page.

If High Availability (HA) fails for some reason, such as the active device becoming unavailable and failing over to the standby device, the last reason for failure is now shown below the status information for the primary and secondary device. The information includes the UTC time of the event.

Interface Features

PPPoE Support

You can now configure PPPoE for routed interfaces. PPPoE is not supported on High Availability units.

New/Modified screens: Device > Interfaces > Edit > IPv4 Address > Type > PPPoE

New/Modified commands: show vpdn group, show vpdn username, show vpdn session pppoe state

Management Interface acts as a DHCP client by default

The Management interface now defaults to obtaining an IP address from DHCP instead of using the 192.168.45.45 IP address. This change makes it easier for you to deploy an threat defense in your existing network. This feature applies to all platforms except for the Firepower 4100/9300 (where you set the IP address when you deploy the logical device), and the threat defense virtual and ISA 3000 (which still use the 192.168.45.45 IP address). The DHCP server on the Management interface is also no longer enabled.

You can still connect to the default inside IP address by default (192.168.1.1).

HTTP proxy support for device manager management connections.

You can now configure an HTTP proxy for the management interface for use with device manager connections. All management connections, including manual and scheduled database updates, go through the proxy.

We added the System Settings > HTTP Proxy page to configure the setting. In addition, we added the HTTPProxy resource to the threat defense API.

Set the MTU for the Management interface

You can now set the MTU for the Management interface up to 1500 bytes. The default is 1500 bytes.

New/Modified commands: configure network mtu, configure network management-interface mtu-management-channel

No modified screens.

Licensing Features

Smart Licensing and Cloud Services enrollment are now separate, and you can manage your enrollments separately.

You can now enroll for cloud services using your security account rather than your Smart Licensing account. Enrolling using the security account is the recommended approach if you intend to manage the device using Cisco Defense Orchestrator. You can also unregister from cloud services without unregistering from Smart Licensing.

We changed how the System Settings > Cloud Services page behaves, and added the ability to unregister from cloud services. In addition, the Web Analytics feature was removed from the page and you can now find it at System Settings > Web Analytics. In the threat defense API, the CloudServices resources were modified to reflect the new behavior.

Support for Permanent License Reservation.

If you have an air-gapped network, where there is no path to the internet, you cannot register directly with the Cisco Smart Software Manager (CSSM) for Smart Licensing. In this situation, you can now get authorization to use Universal Permanent License Reservation (PLR) mode, where you can apply a license that does not need direct communication with CSSM. If you have an air-gapped network, please contact your account representative and ask for authorization to use Universal PLR mode in your CSSM account, and to obtain the necessary licenses. ISA 3000 does not support Universal PLR.

We added the ability to switch to PLR mode, and to cancel and unregister a Universal PLR license, to the Device > Smart License page. In the threat defense API, there are new resources for PLRAuthorizationCode, PLRCode, PLRReleaseCode, PLRRequestCode, and actions for PLRRequestCode, InstallPLRCode, and CancelReservation.

Administrative and Troubleshooting Features

Device Manager direct support for Precision Time Protocol (PTP) configuration for ISA 3000 devices.

You can use device manager to configure the Precision Time Protocol (PTP) on ISA 3000 devices. PTP is a time-synchronization protocol developed to synchronize the clocks of various devices in a packet-based network. The protocol is designed specifically for industrial, networked measurement and control systems. In previous releases, you had to use FlexConfig to configure PTP.

We grouped PTP with NTP on the same System Settings page, and renamed the System Settings > NTP page to Time Services. We also added the PTP resource to the threat defense API.

Trust chain validation for the device manager management web server certificate.

When you configure a non-self-signed certificate for the device manager web server, you now need to include all intermediate certificates, and the root certificate, in the trust chain. The system validates the entire chain.

We added the ability to select the certificates in the chain on the Management Web Server tab on the Device > System Settings > Management Access page.

Support for encrypting backup files.

You can now encrypt backup files using a password. To restore an encrypted backup, you must supply the correct password.

We added the ability to choose whether to encrypt backup files for recurring, scheduled, and manual jobs, and to supply the password on restore, to the Device > Backup and Restore page. We also added the encryptArchive and encryptionKey attributes to the BackupImmediate and BackupSchedule resources, and encryptionKey to the RestoreImmediate resource in the threat defense API.

Support for selecting which events to send to the Cisco cloud for use by cloud services.

When you configure the device to send events to the Cisco cloud, you can now select which types of events to send: intrusion, file/malware, and connection. For connection events, you can send all events or just the high-priority events, which are those related to connections that trigger intrusion, file, or malware events, or that match Security Intelligence blocking policies.

We changed how the Send Events to the Cisco Cloud Enable button works. The feature is on the System Settings > Cloud Services page.

threat defense REST API version 5 (v5).

The threat defense REST API for software version 6.6 has been incremented to version 5. You must replace v1/v2/v3/v4 in the API URLs with v5, or preferentially, use /latest/ to signify you are using the most recent API version that is supported on the device.

The v5 API includes many new resources that cover all features added in software version 6.6. Please re-evaluate all existing calls, as changes might have been mode to the resource models you are using. To open the API Explorer, where you can view the resources, log into device manager, then click the more options button () and choose API Explorer.

Device Manager support for the Firepower 4100/9300.

You can now use device manager to configure threat defense on the Firepower 4100/9300. Only native instances are supported; container instances are not supported.

Device Manager support for threat defense virtual for the Microsoft Azure Cloud.

You can configure on threat defense virtual for the Microsoft Azure Cloud using device manager.

Support for the Firepower 1150.

We introduced the threat defense for the Firepower 1150.

Firepower 1010 hardware switch support, PoE+ support.

The Firepower 1010 supports setting each Ethernet interface to be a switch port or a regular firewall interface. Assign each switch port to a VLAN interface. The Firepower 1010 also supports Power over Ethernet+ (PoE+) on Ethernet1/7 and Ethernet 1/8.

The default configuration now sets Ethernet1/1 as outside, and Ethernet1/2 through 1/8 as switch ports on the inside VLAN1 interface. Upgrading to version 6.5 retains the existing interface configuration.

Interface scan and replace.

An interface scan detects any added, removed, or restored interfaces on the chassis. You can also replace an old interface with a new interface in the configuration, making interface changes seamless.

Improved interfaces display.

The Device > Interfaces page has been reorganized. There are now separate tabs for physical interfaces, bridge groups, EtherChannels, and VLANs. For any given device model, only those tabs relevant for the model are shown. For example, the VLANs tab is available on the Firepower 1010 model only. In addition, the lists provide more detailed information about the configuration and usage of each interface.

ISA 3000 new default configuration.

The ISA 3000 default configuration has changed so that:

• All interfaces are bridge group members in BVI1, which is unnamed so it does not participate in routing

• GigabitEthernet1/1 and 1/3 are outside interfaces, and GigabitEthernet1/2 and 1/4 are inside interfaces

• Hardware bypass is enabled for each inside/outside pair, when available

• All traffic is allowed from inside to outside, and outside to inside

Upgrading to version 6.5 retains the existing interface configuration.

Support ends for the ASA 5515-X. The last supported release is threat defense 6.4.

You cannot install threat defense 6.5 on an ASA 5515-X. The last supported release for the ASA 5515-X is threat defense 6.4.

Support for Common Industrial Protocol (CIP) and Modbus application filtering in access control rules on Cisco ISA 3000 devices.

You can enable the Common Industrial Protocol (CIP) and Modbus preprocessors on Cisco ISA 3000 devices, and filter on CIP and Modbus applications in access control rules. All CIP application names start with “CIP,” such as CIP Write. There is only one application for Modbus.

To enable the preprocessors, you must go into expert mode in a CLI session (SSH or Console) and issue the sudo /usr/local/sf/bin/enable_scada.sh {cip | modbus | both} command. You must issue this command after every deployment, as deployment turns off the preprocessors.

Precision Time Protocol (PTP) configuration for ISA 3000 devices.

You can use FlexConfig to configure the Precision Time Protocol (PTP) on ISA 3000 devices. PTP is a time-synchronization protocol developed to synchronize the clocks of various devices in a packet-based network. The protocol is designed specifically for industrial, networked measurement and control systems.

We now allow you to include the ptp and igmp (interface mode) commands, and the global commands ptp mode e2etransparent and ptp domain , in FlexConfig objects. We also added the show ptp command to the threat defense CLI.

EtherChannel (port channel) interfaces.

You can configure EtherChannel interfaces, which are also known as port channels.

We updated the Device > Interfaces page to allow the creation of EtherChannels.

Ability to reboot and shut down the system from device manager.

You can now reboot or shut down the system from the new Reboot/Shutdown system settings page. Previously, you needed to issue the reboot and shutdown commands through the CLI Console in device manager or from an SSH or console session. You must have Administrator privileges to use these commands.

Support for the failover command in the device manager CLI Console.

You can now issue the failover command in the device manager CLI Console.

Service Level Agreement (SLA) Monitor for static routes.

Configure Service Level Agreement (SLA) Monitor objects for use with static routes. By using an SLA monitor, you can track the health of a static route and automatically replace a failed route with a new one. We added SLA Monitors to the Objects page, and updated static routes so you can select the SLA Monitor object.

Routing changes in Smart CLI and the threat defense API.

This release includes some changes to routing configuration in Smart CLI and the threat defense API. In previous releases, there was a single Smart CLI template for BGP. Now, there are separate templates for BGP (the routing process configuration) and BGP General Settings (global settings).

In the threat defense API, the paths for all methods have changed, with “/virtualrouters” inserted in the paths, with the exception of the new BGP general settings methods.

• The path for static route methods was /devices/default/routing/{parentId}/staticrouteentries, and it is now /devices/default/routing/virtualrouters/default/staticrouteentries.

• BGP methods were split into two new paths: /devices/default/routing/bgpgeneralsettings and /devices/default/routing/virtualrouters/default/bgp.

• OSPF paths are now /devices/default/routing/virtualrouters/default/ospf and /devices/default/routing/virtualrouters/default/ospfinterfacesettings.

If you are using the threat defense API to configure any routing process, please examine your calls and correct as necessary.

New URL category and reputation database.

The system uses a different URL database, from Cisco Talos. The new database has some differences in URL categories. Upon upgrade, if any access control or SSL decryption rules use categories that no longer exist, the system will replace the category with an appropriate new category. To make the change effective, deploy the configuration after upgrade. The pending changes dialog will show details about the category changes. You might want to examine your URL filtering policies to verify that they continue to provide the desired results.

We also added a URL lookup feature to the URL tabs in the access control and SSL decryption policies, and on the Device > System Settings > URL Filtering Preferences page. You can use this feature to check which category a particular URL is assigned to. If you disagree, there is also a link to submit a category dispute. Both of these features take you to an external web site, which will provide detailed information about the URL.

Security Intelligence uses the IP address reputation for URL requests that use IP addresses instead of hostnames.

If an HTTP/HTTPS request is to a URL that uses an IP address instead of a hostname, the system looks up the IP address reputation in the network address lists. You do not need to duplicate IP addresses in the network and URL lists. This makes it harder for end users to use proxies to avoid Security Intelligence reputation blocking.

Support for sending connection and high-priority intrusion, file, and malware events to the Cisco Cloud.

You can send events to the Cisco cloud server. From there, various Cisco cloud services can access the events. You can then use these cloud applications, such as Cisco Threat Response, to analyze the events and to evaluate threats that the device might have encountered. When you enable this service, the device will send connection and high-priority intrusion, file, and malware events to the Cisco cloud.

We renamed the Cisco Threat Response item on Device > System Settings > Cloud Services to “Send Events to the Cisco Cloud.”

Cisco Cloud Services region support.

You are now asked to select the Cisco Cloud Services region when you register with smart licensing. This region is used for Cisco Defense Orchestrator, Cisco Threat Response, Cisco Success Network, and any cloud feature that goes through the Cisco Cloud. If you upgrade a registered device from a previous release, you are automatically assigned to the US Region; you must unregister from Smart Licensing, then reregister and select a new region, if you need to change regions.

We added a step to the license registration process on the Smart License page and in the initial device setup wizard. You can also see the region on the Device > System Settings > Cloud Services page.

threat defense REST API version 4 (v4).

The threat defense REST API for software version 6.5 has been incremented to version 4. You must replace v1/v2/v3 in the API URLs with v4. The v4 API includes many new resources that cover all features added in software version 6.5. Please re-evaluate all existing calls, as changes might have been mode to the resource models you are using. To open the API Explorer, where you can view the resources, log into device manager, then click the more options button () and choose API Explorer.

threat defense API support for TrustSec security groups as matching criteria for source and destination in access control rules.

You can use the threat defense API to configure access control policy rules that use TrustSec security groups for source or destination traffic matching criteria. The system downloads the list of security group tags (SGTs) from ISE. You can configure the system to listen for SXP updates to obtain static SGT-to-IP address mappings.

You can view the list of downloaded tags using the GET /object/securitygrouptag method, and create dynamic objects for one or more tags using the SGTDynamicObject resource. It is the dynamic objects that you can use in access control rules to define traffic matching criteria based on source or destination security group.

Note that any changes you make to the ISE object or access control rules related to security group are preserved if you edit those objects in device manager. However, you cannot see the security group criteria in an access rule if you edit the rule in device manager. If you configure security-group-based access rules using the API, please be careful when subsequently editing rules in the access control policy using device manager.

We added or modified the following threat defense API resources: AccessRule (sourceDynamicObjects and destinationDynamicObjects attributes), IdentityServicesEngine (subscribeToSessionDirectoryTopic and subscribeToSxpTopic attributes), SecurityGroupTag, SGTDynamicObject.

We added source and destination security group tag and name as columns in Event Viewer.

Configuration import/export using the threat defense API.

You can use the threat defense API to export the device configuration and to import a configuration file. You can edit the configuration file to change values, such as the IP addresses assigned to interfaces. Thus, you can use import/export to create a template for new devices, so that you can quickly apply a baseline configuration and get new devices online more quickly. You can also use import/export to restore a configuration after you reimage a device. Or you can simply use it to distribute a set of network objects or other items to a group of devices.

We added the ConfigurationImportExport resources and methods (/action/configexport, /jobs/configexportstatus, /action/downloadconfigfile, /action/uploadconfigfile, /action/configfiles, /action/configimport, /jobs/configimportstatus).

Creation and selection of custom file policies.

You can use the threat defense API to create custom file policies, and then select these policies on access control rules using device manager.

We added the following threat defense API FileAndMalwarePolicies resources: filepolicies, filetypes, filetypecategories, ampcloudconfig, ampservers, and ampcloudconnections.

We also removed two pre-defined policies, “Block Office Document and PDF Upload, Block Malware Others” and “Block Office Documents Upload, Block Malware Others.” If you are using these policies, during upgrade they are converted to user-defined policies so that you can edit them.

Security Intelligence DNS policy configuration using the threat defense API.

You can configure the Security Intelligence DNS policy using the threat defense API. This policy does not appear in device manager.

We added the following SecurityIntelligence resources: domainnamefeeds, domainnamegroups, domainnamefeedcategories, securityintelligencednspolicies.

Remote access VPN two-factor authentication using Duo LDAP.

You can configure Duo LDAP as the second authentication source for a remote access VPN connection profile to provide two-factor authentication using Duo passcode, push notification, or phone call. Although you must use the threat defense API to create the Duo LDAP identity source object, you can use device manager to select that object as the authentication source for the RA VPN connection profile.

We added the duoldapidentitysources resource and methods to the threat defense API.

threat defense API support for LDAP attribute maps used in authorizing remote access VPN connections.

You can augment LDAP authorization for remote access VPN using custom LDAP attribute maps. An LDAP attribute map equates customer-specific LDAP attribute names and values with Cisco attribute names and values. You can use these mappings to assign group policies to users based on LDAP attribute values. You can configure these maps using the threat defense API only; you cannot configure them using device manager. However, if you set these options using the API, you can subsequently edit the Active Directory identity source in device manager and your settings are preserved.

We added or modified the following threat defense API object models: LdapAttributeMap, LdapAttributeMapping, LdapAttributeToGroupPolicyMapping, LDAPRealm, LdapToCiscoValueMapping, LdapToGroupPolicyValueMapping, RadiusIdentitySource.

threat defense API support for site-to-site VPN connection reverse route injection and security association (SA) lifetime.

You can use the threat defense API to enable reverse route injection for a site-to-site VPN connection. Reverse route injection (RRI) is the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. By default, static RRI, where routes are added when you configure the connection is enabled. Dynamic RRI, where routes are inserted only when the security association (SA) is established, and then are deleted when the SA is torn down, is disabled. Note that dynamic RRI is supported for IKEv2 connections only.

You can also set the security association (SA) lifetime (in seconds or in kilobytes transmitted) for the connection. You can also set an unlimited lifetime. The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour). When the lifetime is reached, the endpoints negotiate a new security association and secret key.

You cannot configure these features using device manager. However, if you set these options using the API, you can subsequently edit the connection profile in device manager and your settings are preserved.

We added the following attributes to the SToSConnectionProfile resource: dynamicRRIEnabled, ipsecLifetimeInSeconds, ipsecLifetimeInKiloBytes, ipsecLifetimeUnlimited, rriEnabled.

Support for Diffie-Hellman groups 14, 15, and 16 in IKE policies.

You can now configure IKEv1 policies to use DH group 14, and IKEv2 policies to use DH groups 14, 15, and 16. If you are using IKEv1, please upgrade all your policies to DH group 14, as groups 2 and 5 will be removed in a future release. In addition, you should avoid using DH group 24 in IKEv2 policies, and MD5 in any IKE version, as these will also be removed in a future release.

Performance improvements when deploying changes.

If you add, edit, or delete access control rules, the system has been enhanced to deploy your changes more quickly than was done in previous releases.

For systems configured in a high availability group for failover, the process for synchronizing the deployed changes to the standby device has been improved so that the synchronization completes more quickly.

Improved CPU and memory usage calculations on the System dashboard.

The method for calculating CPU and memory usage has been improved so that the information shown on the System dashboard more accurately reflects the actual state of the device.

When upgrading to threat defense 6.5, historical report data is no longer available.

When you upgrade an existing system to threat defense 6.5, historical report data will not be available due to a database schema change. Thus, you will not see usage data in the dashboards for times prior to the upgrade.

Firepower 1000 series device configuration.

You can configure threat defense on Firepower 1000 series devices using device manager.

Note that you can configure and use the Power over Ethernet (PoE) ports as regular Ethernet ports, but you cannot enable or configure any PoE-related properties.

Hardware bypass for the ISA 3000.

You can now configure hardware bypass for the ISA 3000 on the Device > Interfaces page. In release 6.3, you needed to configure hardware bypass using FlexConfig. If you are using FlexConfig, please redo the configuring on the Interfaces page and remove the hardware bypass commands from FlexConfig. However, the portion of the FlexConfig devoted to disabling TCP sequence number randomization is still recommended.

Ability to reboot and shut down the system from the device manager CLI Console.

You can now issue the reboot and shutdown commands through the CLI Console in device manager. Previously, you needed to open a separate SSH session to the device to reboot or shut down the system. You must have Administrator privileges to use these commands.

External Authentication and Authorization using RADIUS for threat defense CLI Users.

You can use an external RADIUS server to authenticate and authorize users logging into the threat defense CLI. You can give external users config (administrator) or basic (read-only) access.

We added the SSH configuration to the AAA Configuration tab on the Device > System Settings > Management Access page.

You can now create network objects that specify a range of IPv4 or IPv6 addresses, and network group objects that include other network groups (that is, nested groups).

We modified the network object and network group object Add/Edit dialog boxes to include these features, and modified the various security policies to allow the use of these objects, contingent on whether address specifications of that type make sense within the context of the policy.

You can do a full-text search on objects and rules. By searching a policy or object list that has a large number of items, you can find all items that include your search string anywhere within the rule or object.

We added a search box to all policies that have rules, and to all pages on the Objects list. In addition, you can use the filter=fts~search-string option on GET calls for supported objects in the API to retrieve items based on a full-text search.

You can use the GET /api/versions (ApiVersions) method to get a list of the API versions that are supported on a device. You can use your API client to communicate and configure the device using commands and syntax valid for any of the supported versions.

Threat Defense REST API version 3 (v3).

The threat defense REST API for software version 6.4 has been incremented to version 3. You must replace v1/v2 in the API URLs with v3. The v3 API includes many new resources that cover all features added in software version 6.4. Please re-evaluate all existing calls, as changes might have been mode to the resource models you are using. To open the API Explorer, where you can view the resources, change the end of the device manager URL to /#/api-explorer after logging in.

You can now view hit counts for access control rules. The hit counts indicate how often connections matched the rule.

We updated the access control policy to include hit count information. In the threat defense API, we added the HitCounts resource and the includeHitCounts and filter=fetchZeroHitCounts options to the GET Access Policy Rules resource.

You can now configure site-to-site VPN connections to use certificates instead of preshared keys to authenticate the peers. You can also configure connections where the remote peer has an unknown (dynamic) IP address. We added options to the Site-to-Site VPN wizard and the IKEv1 policy object.

You can now use RADIUS servers for authenticating, authorizing, and accounting remote access VPN (RA VPN) users. You can also configure Change of Authentication (CoA), also known as dynamic authorization, to alter a user’s authorization after authentication when you use a Cisco ISE RADIUS server.

We added attributes to the RADIUS server and server group objects, and made it possible to select a RADIUS server group within an RA VPN connection profile.

You can configure more than one connection profile, and create group policies to use with the profiles.

We changed the Device > Remote Access VPN page to have separate pages for connection profiles and group policies, and updated the RA VPN Connection wizard to allow the selection of group policies. Some items that were previously configured in the wizard are now configured in the group policy.

You can use certificates for user authentication, and configure secondary authentication sources so that users must authenticate twice before establishing a connection. You can also configure two-factor authentication using RSA tokens or Duo passcodes as the second factor.

We updated the RA VPN Connection wizard to support the configuration of these additional options.

You can now configure address pools that have more than one address range by selecting multiple network objects that specify subnets. In addition, you can configure address pools in a DHCP server and use the server to provide addresses to RA VPN clients. If you use RADIUS for authorization, you can alternatively configure the address pools in the RADIUS server.

We updated the RA VPN Connection wizard to support the configuration of these additional options. You can optionally configure the address pool in the group policy instead of the connection profile.

You can now include up to 10 redundant Active Directory (AD) servers in a single realm. You can also create multiple realms and delete realms that you no longer need. In addition, the limit for downloading users in a realm is increased to 50,000 from the 2,000 limit in previous releases.

We updated the Objects > Identity Sources page to support multiple realms and servers. You can select the realm in the user criteria of access control and SSL decryption rules, to apply the rule to all users within the realm. You can also select the realm in identity rules and RA VPN connection profiles.

When you configure Cisco Identity Services Engine (ISE) as an identity source for passive authentication, you can now configure a secondary ISE server if you have an ISE high availability setup.

We added an attribute for the secondary server to the ISE identity object.

You can now configure an external syslog server to receive file/malware events, which are generated by file policies configured on access control rules. File events use message ID 430004, malware events are 430005.

We added the File/Malware syslog server options to the Device > System Settings > Logging Settings page.

You can now configure the internal buffer as a destination for system logging. In addition, you can create event log filters to customize which messages are generated for the syslog server and internal buffer logging destinations.

We added the Event Log Filter object to the Objects page, and the ability to use the object on the Device > System Settings > Logging Settings page. The internal buffer options were also added to the Logging Settings page.

Certificate for the device manager Web Server.

You can now configure the certificate that is used for HTTPS connections to the device manager configuration interface. By uploading a certificate your web browsers already trust, you can avoid the Untrusted Authority message you get when using the default internal certificate. We added the Device > System Settings > Management Access > Management Web Server page.

Cisco Threat Response support.

You can configure the system to send intrusion events to the Cisco Threat Response cloud-based application. You can use Cisco Threat Response to analyze intrusions.

We added Cisco Threat Response to the Device > System Settings > Cloud Services page.

High availability configuration.

You can configure two devices as an active/standby high availability pair. A high availability or failover setup joins two devices so that if the primary device fails, the secondary device can take over. This helps you keep your network operational in case of device failure. The devices must be of the same model, with the same number and type of interfaces, and they must run the same software version. You can configure high availability from the Device page.

Support for passive user identity acquisition.

You can configure identity policies to use passive authentication. Passive authentication gathers user identity without prompting the user for username and password. The system obtains the mappings from the identity sources you specify, which can be Cisco Identity Services Engine (ISE)/Cisco Identity Services Engine Passive Identity Connector (ISE PIC), or logins from remote access VPN users.

Changes include supporting passive authentication rules in Policies > Identity, and ISE configuration in Objects > Identity Sources.

Local user support for remote access VPN and user identity.

You can now create users directly through device manager. You can then use these local user accounts to authenticate connections to a remote access VPN. You can use the local user database as either the primary or fallback authentication source. In addition, you can configure passive authentication rules in the identity policy so that local usernames are reflected in the dashboards and so they are available for traffic matching in policies.

We added the Objects > Users page, and updated the remote access VPN wizard to include a fallback option.

Changed default behavior for VPN traffic handling in the access control policy (sysopt connection permit-vpn ).

The default behavior for how VPN traffic is handled by the access control policy has changed. Starting in 6.3, the default is that all VPN traffic will be processed by the access control policy. This allows you to apply advanced inspections, including URL filtering, intrusion protection, and file policies, to VPN traffic. You must configure access control rules to allow VPN traffic. Alternatively, you can use FlexConfig to configure the sysopt connection permit-vpn command, which tells the system to bypass the access control policy (and any advanced inspections) for VPN-terminated traffic

Support for FQDN-based network objects and data interface support for DNS lookup.

You can now create network objects (and groups) that specify a host by fully-qualified domain name (FQDN) rather than a static IP address. The system looks up the FQDN-to-IP address mapping periodically for any FQDN object that is used in an access control rule. You can use these objects in access control rules only.

We added the DNS Group object to the objects page, changed the System Settings > DNS Server page to allow group assignment to data interfaces, and the access control rule to allow for FQDN network object selection. In addition, the DNS configuration for the management interface now uses DNS groups instead of a set list of DNS server addresses.

Support for TCP syslog and the ability to send diagnostic syslog messages through the management interface.

In previous releases, diagnostic syslog messages (as opposed to connection and intrusion messages) always used a data interface. You can now configure syslog so that all messages use the management interface. The ultimate source IP address depends on whether you use the data interfaces as the gateway for the management interface, in which case the IP address will be the one from the data interface. You can also configure syslog to use TCP instead of UDP as the protocol.

We made changes to the Add/Edit dialog box for syslog servers from Objects > Syslog Servers.

External Authentication and Authorization using RADIUS for device manager Users.

You can use an external RADIUS server to authenticate and authorize users logging into device manager. You can give external users administrative, read-write, or read-only access. Device Manager can support 5 simultaneous logins; the sixth session automatically logs off the oldest session. You can forcefully end a device manager user session if necessary.

We added RADIUS server and RADIUS server group objects to the Objects > Identity Sources page for configuring the objects. We added the AAA Configuration tab to Device > System Settings > Management Access, for enabling use of the server groups. In addition, the Monitoring > Sessions page lists the active users and lets an administrative user end a session.

Pending changes view and deployment improvements.

The deployment window has changed to provide a clearer view of the pending changes that will be deployed. In addition, you now have the option to discard changes, copy changes to the clipboard, and download changes in a YAML formatted file. You can also name deployment jobs so they are easier to find in the audit log.

Audit Log.

You can view an audit log that records events such as deployments, system tasks, configuration changes, and administrative user login and logout. We added the Device > Device Administration > Audit Log page.

Ability to export the configuration.

You can download a copy of the device configuration for record keeping purposes. However, you cannot import this configuration into a device. This feature is not a replacement for backup/restore. We added the Device > Device Administration > Download Configuration page.

Improvements to URL filtering for unknown URLs.

If you perform category-based URL filtering in access control rules, users might access URLs whose category and reputation are not defined in the URL database. Previously, you needed to manually enable the option to look up the category and reputation for these URLs from Cisco Collective Security Intelligence (CSI). Now, that option is enabled by default. In addition, you can now set the time-to-live (TTL) for the lookup results, so that the system can refresh the category/reputation for each unknown URL. We updated the Device > System Settings > URL Filtering Preferences page.

Security Intelligence logging is now enabled by default.

The Security Intelligence policy was introduced in 6.2.3, with logging disabled by default. Starting with 6.3.0, logging is enabled by default. If you upgrade from 6.2.3, your logging settings are preserved, either enabled or disabled. Enable logging if you want to see the results of policy enforcement.

Passive mode interfaces

You can configure an interface in passive mode. When acting passively, the interface simply monitors the traffic from the source ports in a monitoring session configured on the switch itself (for hardware devices) or on the promiscuous VLAN (for threat defense virtual).

You can use passive mode to evaluate how the threat defense virtual device would behave if you deployed it as an active firewall. You can also use passive interfaces in a production network if you need IDS (intrusion detection system) services, where you want to know about threats, but you do not want the device to actively prevent the threats. You can select passive mode when editing physical interfaces and when you create security zones.

Smart CLI enhancements for OSPF, and support for BGP.

The Smart CLI OSPF configuration has been enhanced, including new Smart CLI object types for standard and extended ACLs, route maps, AS Path objects, IPv4 and IPv6 prefix lists, policy lists, and standard and expanded community lists. In addition, you can now use Smart CLI to configure BGP routing. You can find these features on the Device > Advanced Configuration page.

Enhancements for ISA 3000 devices.

You can now configure the following features for the ISA 3000: alarms, hardware bypass, and backup and restore using the SD card. You use FlexConfig to configure the alarms and hardware bypass. For the SD card, we updated the backup/restore pages in device manager.

Support for ASA 5506-X, 5506W-X, 5506H-X, and 5512-X removed starting with threat defense 6.3.

You cannot install threat defense 6.3 or subsequent releases on the ASA 5506-X, 5506W-X, 5506H-X, and 5512-X. The final supported threat defense release for these platforms is 6.2.3.

threat defense REST API version 2 (v2).

The threat defense REST API for software version 6.3 has been incremented to version 2. You must replace v1 in the API URLs with v2. The v2 API includes many new resources that cover all features added in software version 6.3. Please re-evaluate all existing calls, as changes might have been mode to the resource models you are using. To open the API Explorer, where you can view the resources, change the end of the device manager URL to /#/api-explorer after logging in.

Web analytics for providing product usage information to Cisco.

You can enable web analytics, which provides anonymous product usage information to Cisco based on page hits. This information can help Cisco determine feature usage patterns and help Cisco improve the product. All usage data is anonymous and no sensitive data is transmitted. Web analytics is enabled by default.

We added Web Analytics to the Device > System Settings > Cloud Services page.

Installing a Vulnerability Database (VDB) update no longer restarts Snort.

When you install a VDB update, the installation itself no longer restarts Snort. However, Snort continues to restart during the next configuration deployment.

Deploying an Intrusion Rules (SRU) database update no longer restarts Snort.

After you install an intrusion rules (SRU) update, you must deploy the configuration to activate the new rules. The deployment of the SRU update no longer causes a Snort restart.

Remote access VPN configuration for ASA 5500-X series devices.

You can configure remote access SSL VPN for the AnyConnect client on ASA 5500-X series devices. Configure RA VPN from the Device > Remote Access VPN group. Configure RA VPN licenses from the Device > Smart License group.

Threat Defense Virtual for VMware device configuration.

You can configure threat defense on threat defense virtual for VMware devices using device manager. Other virtual platforms are not supported by device manager.

Remote access VPN configuration.

You can configure remote access SSL VPN for the AnyConnect client. Configure RA VPN from the Device > Remote Access VPN group. Configure RA VPN licenses from the Device > Smart License group.

Firepower 2100 series device configuration.

You can configure threat defense on Firepower 2100 series devices using device manager.

Supported devices.

You can manage the following device types using Firepower Device Manager:

• ASA 5506-X, 5506H-X, 5506W-X, 5508-X, 5516-X

• ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X

Supported firewall mode.

You can configure devices running in routed mode only. Transparent mode is not supported.

Supported interface types and modes.

You can configure routed interfaces only; you cannot configure inline, inline tap, or passive interfaces.

In addition, you can configure physical and sub-interfaces only. You cannot configure Etherchannel or redundant interfaces. You also cannot configure PPPoE.

Security Policies.

You can configure the following types of security policy:

• Access control—Determine which connections are allowed to pass through the device. You can perform the following types of access control:

  • Filtering on security zone, IP address, geolocation, protocol and port.

  • Filtering on user name and user group.

  • Application filtering.

  • URL category, reputation, and individual URL filtering.

  • Intrusion policies, preventing threats.

  • File policies, preventing malware.

• Identity policies—Determine which user is associated with an IP address. The system supports active authentication only, not passive authentication.

• Network address translation—Convert between internal and external addresses. Most NAT features are supported, except for PAT pools.

Routing.

You can configure static routes. Dynamic routing protocols are not support.

System monitoring and syslog.

Firepower Device Manager includes an event viewer so that you can view recent connection events. You can also configure an external syslog server to collect events for longer term analysis.

There are also many dashboards that provide statistical information about the system and the traffic that is passing through the system.

Management interface configuration.

You can configure the management address and interface from Firepower Device Manager; you do not need to use the CLI. You can configure the system hostname, management IP address and gateway, DNS servers, NTP servers, and access rules to limit the IP addresses that can access the CLI or Firepower Device Manager.

Scheduling updates.

You can control how often system databases are updated.

• Device main menu item. In previous releases, this menu item was the host name of your device. Also, the page opened is called Device Summary instead of Device Dashboard.

• You cannot select an alternative outside interface during initial device setup. The first data interface is the default outside interface.

• Device > System Settings > Cloud Preferences is now called Device > System Settings > URL Filtering Preferences.

• The System Settings > DHCP Server page is now organized on two tabs, with the table of DHCP servers separated from the global parameters.

Backup and restore.

You can back up the system and restore it from Firepower Device Manager.

Troubleshooting file.

You can generate a troubleshooting file from Firepower Device Manager when working with Cisco Technical Support.