New Features by Release

This document lists new and deprecated features for each release.

Although you can manage older devices with a newer customer-deployed (or on prem) management center, we recommend you always update your entire deployment. New traffic-handling features usually require the latest release on bo*th the management center and device. Features where devices are not obviously involved (cosmetic changes to the web interface, cloud integrations) may only require the latest version on the management center, but that is not guaranteed. In this document, we are explicit when version requirements deviate from the standard expectation.

Suggested Release

Suggested Release: Version 7.2.5.x

To take advantage of new features and resolved issues, we recommend you upgrade all eligible appliances to at least the suggested release, including any patches. On the Cisco Support & Download site, the suggested release is marked with a gold star.

Suggested Releases for Older Appliances

If an appliance is too old to run the suggested release and you do not plan to refresh the hardware right now, choose a major version then patch as far as possible. Some major versions are designated long-term or extra long-term, so consider one of those. For an explanation of these terms, see Cisco NGFW Product Line Software Release and Sustaining Bulletin.

If you are interested in a hardware refresh, contact your Cisco representative or partner contact.

New Features in Management Center Version 7.4

New Features

Table 1. New Features in Management Center Version 7.4.0

New Feature

Description

Reintroduced features from previous maintenance releases.

Upgrade impact (feature dependent).

Version 7.4.0 reintroduces features, enhancements, and critical fixes that were included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but that were not included in odd-numbered versions (7.1, 7.3).

Reintroduced features include:

  • Access control performance improvements (object optimization).

Minimum threat defense: feature dependent

Platform

Management center virtual for Microsoft Hyper-V.

We introduced Secure Firewall Management Center Virtual for Microsoft Hyper-V, which can manage up to 25 devices. Management center high availability is supported.

Minimum threat defense: Any

See: Cisco Secure Firewall Management Center Virtual Getting Started Guide

Secure Firewall 4200.

We introduced the Secure Firewall 4215, 4225, and 4245.

These devices support the following new network modules:

  • 2-port 100G QSFP+ network module (FPR4K-XNM-2X100G)

Minimum threat defense: 7.4

See: Cisco Secure Firewall 4200 Getting Started Guide

Performance profile support for the Secure Firewall 4200.

The performance profile settings available in the platform settings policy now apply to the Secure Firewall 4200. Previously, this feature was supported only on the Firepower 4100/9300 and on threat defense virtual.

Minimum threat defense: 7.4

See: Configure the Performance Profile

Device Management

Low-touch provisioning to register a device to the management center using a serial number.

Low-touch provisioning lets you register devices to the management center by serial number without having to perform any initial setup on the device. The management center integrates with SecureX and Cisco Defense Orchestrator for this functionality.

New/modified screens: Devices > Device Management > Add > Device > Serial Number

Minimum threat defense (management center is publicly reachable): 7.2

Minimum threat defense (management center is not publicly reachable): 7.2.4, with support temporarily deprecated in 7.3

Supported platforms: Firepower 1000/2100 and Secure Firewall 3100

See: Add a Device to the Management Center Using the Serial Number (Low-Touch Provisioning)

Interfaces

Merged management and diagnostic interfaces.

For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available.

Merged mode changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including Management) in the configuration.

For platform settings, this means:

  • You can no longer enable HTTP, ICMP, or SMTP for diagnostic.

  • For SNMP, you can allow hosts on management instead of diagnostic.

  • For Syslog servers, you can reach them on management instead of diagnostic.

  • If Platform Settings for syslog servers or SNMP hosts specify the diagnostic interface by name, then you must use separate Platform Settings policies for merged and non-merged devices.

  • DNS lookups no longer fall back to the management-only routing table if you do not specify interfaces.

New/modified screens: Devices > Device Management > Interfaces

New/modified commands: show management-interface convergence

Minimum threat defense: 7.4

See: Merge the Management and Diagnostic Interfaces

VXLAN VTEP IPv6 support.

You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the threat defense virtual cluster control link or for Geneve encapsulation.

New/modified screens:

  • Devices > Device Management > Edit Device > VTEP > Add VTEP

  • Devices > Device Management > Edit Devices > Interfaces > Add Interfaces > VNI Interface

Minimum threat defense: 7.4

See: Configure Geneve Interfaces

Loopback interface support for BGP and management traffic.

You can now use loopback interfaces for the following services:

  • AAA

  • BGP

  • DNS

  • HTTP

  • ICMP

  • IPsec flow offload

  • NetFlow

  • SNMP

  • SSH

  • Syslog

New/modified screens: Devices > Device Management > Edit device > Interfaces > Add Interfaces > Loopback Interface

Minimum threat defense: 7.4

See: Configure Loopback Interfaces

Loopback and management type interface group objects.

You can now create interface group objects with only management-only or loopback interfaces. You can use these groups for management features such as DNS servers, HTTP access, or SSH. Loopback groups are available for any feature that can utilize loopback interfaces. However, it's important to note that DNS does not support management interfaces.

New/modified screens: Objects > Object Management > Interface > Add > Interface Group

Minimum threat defense: 7.4

See: Interface

High Availability/Scalability

Manage threat defense high availability pairs using a data interface.

Threat defense high availability now supports using a regular data interface for communication with the management center. Previously, only standalone devices supported this feature.

Minimum threat defense: 7.4

See: Using the Threat Defense Data Interface for Management

Simplified Branch

WAN summary dashboard.

The WAN Summary dashboard provides a snapshot of your WAN devices and their interfaces. It provides insight into your WAN network and information about device health, interface connectivity, application throughput, and VPN connectivity. You can monitor the WAN links and take proactive and prompt recovery measures.

New/modified screens: Overview > WAN Summary

Minimum threat defense: 7.2

See: WAN Summary Dashboard

Policy-based routing using HTTP path monitoring.

Policy-based routing (PBR) can now use the performance metrics (RTT, jitter, packet-lost, and MOS) collected by path monitoring through HTTP client on the application domain rather than the metrics on a specific destination IP. HTTP-based application monitoring option is enabled by default for the interface. You can configure a PBR policy with match ACL having the monitored applications and interface ordering for path determination.

New/Modified Screens: Devices > Device Management > Edit device > Edit interface > Path Monitoring > Enable HTTP based Application Monitoring check box.

Minimum threat defense: 7.2

Supported platforms: Not supported for clustered devices.

See: Configure Path Monitoring Settings

Policy-based routing with user identity and SGTs.

You can now classify the network traffic based on users and user groups, and SGTs in PBR policies. You can select the identity and SGT objects while defining the extended ACLs for the PBR policies.

New/modified screens: Objects > Object Management > Access List > Extended > Add/Edit Extended Access List > Add/Edit Extended Access List Entry > Users and Security Group Tag

Minimum threat defense: 7.4

See: Configure Extended ACL Objects

VPN

IPsec flow offload on the VTI loopback interface for the Secure Firewall 4200.

Upgrade impact. Qualifying connections start being offloaded.

On the Secure Firewall 4200, qualifying IPsec connections through the VTI loopback interface are offloaded by default. Previously, this feature was supported for physical interfaces on the Secure Firewall 3100.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

Minimum threat defense: 7.4 with FPGA firmware 6.2+

See: IPsec Flow Offload

Crypto debugging enhancements for the Secure Firewall 4200.

We made the following enhancements to crypto debugging:

  • The crypto archive is now available in text and binary formats.

  • Additional SSL counters are available for debugging.

  • Remove stuck encrypt rules from the ASP table without rebooting the device.

New/modified CLI commands: show counters

Minimum threat defense: 7.4

Supported platforms: Secure Firewall 4200

VPN: Remote Access

Customize Secure Client messages, icons, images, and connect/disconnect scripts.

You can now customize Secure Client and deploy these customizations to the VPN headend. The following are the supported Secure Client customizations:

  • GUI text and messages

  • Icons and images

  • Scripts

  • Binaries

  • Customized Installer Transforms

  • Localized Installer Transforms

The threat defense distributes these customizations to the endpoint when an end user connects from the Secure Client.

New/Modified Screens:

  • Objects > Object Management > VPN > Secure Client Customization

  • Devices > Remote Access > Edit VPN policy > Advanced > Secure Client Customization

Minimum threat defense: 7.1

See: Customize Cisco Secure Client

Site to Site VPN

Easily view IKE and IPsec session details for VPN nodes.

You can view the IKE and IPsec session details of VPN nodes in a user-friendly format in the Site-to-Site VPN dashboard.

New/modified screens: Overview > Site to Site VPN > Under the Tunnel Status widget, hover over a topology, click View, and then click the CLI Details tab.

Minimum threat defense: Any

Site-to-site VPN information in connection events.

Connection events now contain three new fields: Encrypt Peer, Decrypt Peer, and VPN Action. For policy-based and route-based site-to-site VPN traffic, these fields indicate whether a connection was encrypted or decrypted (or both, for transiting connections), and who by.

New/modified screens: Analysis > Connections > Events > Table View of Events

Minimum threat defense: 7.4

See: Site to Site VPN Connection Event Monitoring

Easily exempt site-to-site VPN traffic from NAT translation.

We now make it easier to exempt site-to-site VPN traffic from NAT translation.

New/modified screens:

  • Enable NAT exemptions for an endpoint: Devices > VPN > Site To Site > Add/Edit Site to Site VPN > Add/Edit Endpoint > Exempt VPN traffic from network address translation

  • View NAT exempt rules for devices that do not have a NAT policy: Devices > NAT > NAT Exemptions

  • View NAT exempt rules for a single device: Devices > NAT > Threat Defense NAT Policy > NAT Exemptions

Minimum threat defense: Any

See: NAT Exemption

Routing

Configure graceful restart for BGP on IPv6 networks.

You can now configure BGP graceful restart for IPv6 networks on managed devices version 7.3 and later.

New/modified screens: Devices > Device Management > Edit device > Routing > BGP > IPv6 > Neighbor > Add/Edit Neighbor.

Minimum threat defense: 7.3

See: Configure BGP Neighbor Settings

Virtual routing with dynamic VTI.

You can now configure a virtual router with a dynamic VTI for a route-based site-to-site VPN.

New/modified screens: Devices > Device Management > Edit Device > Routing > Virtual Router Properties > Dynamic VTI interfaces under Available Interfaces

Minimum threat defense: 7.4 on native mode standalone or high availability devices. Not supported for container instances or clustered devices.

See: About Virtual Routers and Dynamic VTI

Access Control: Threat Detection and Application Identification

Clientless zero-trust access.

We introduced Zero Trust Access that allows you to authenticate and authorize access to protected web based resources, applications, or data from inside (on-premise) or outside (remote) the network using an external SAML Identity Provider (IdP) policy.

The configuration consists of a Zero Trust Application Policy (ZTAP), Application Group, and Applications.

New/modified screens:

  • Policies > Zero Trust Application

  • Analysis > Connections > Events

  • Overview > Dashboard > Zero Trust tab

New/modified CLI commands:

  • show running-config zero-trust application

  • show running-config zero-trust application-group

  • show zero-trust sessions

  • show zero-trust statistics

  • show cluster zero-trust statistics

  • clear zero-trust sessions application

  • clear zero-trust sessions user

  • clear zero-trust statistics

Minimum threat defense: 7.4

See: Zero Trust Application Policy

Encrypted visibility engine enhancements.

Encrypted Visibility Engine (EVE) can now:

  • Block malicious communications in encrypted traffic based on threat score.

  • Determine client applications based on EVE-detected processes.

  • Reassemble fragmented Client Hello packets for detection purposes.

New/modified screens: Use the access control policy's advanced settings to enable EVE and configure these settings.

Minimum threat defense: 7.4 with Snort 3

See: Encrypted Visibility Engine

Exempt specific networks and ports from bypassing or throttling elephant flows.

You can now exempt specific networks and ports from bypassing or throttling elephant flows.

New/modified screens:

  • When you configure elephant flow detection in the access control policy's advanced settings, if you enable the Elephant Flow Remediation option, you can now click Add Rule and specify traffic that you want to exempt from bypass or throttling.

  • When the system detects an elephant flow that is exempted from bypass or throttling, it generates a mid-flow connection event with the reason Elephant Flow Exempted.

Minimum threat defense: 7.4 with Snort 3

Supported platforms: Any, except the Firepower 2100 series.

See: Elephant Flow Detection

First-packet application identification using custom application detectors.

A new Lua detector API is now introduced, which maps the IP address, port, and protocol on the very first packet of a TCP session to application protocol (service AppID), client application (client AppID), and web application (payload AppID). This new Lua API addHostFirstPktApp is used for performance improvements, reinspection, and early detection of attacks in the traffic. To use this feature, you must upload the Lua detector by specifying the detection criteria in advanced detectors in your custom application detector.

Minimum threat defense: 7.4 with Snort 3

See: Custom Application Detectors

Sensitive data detection and masking.

Upgrade impact. New rules in default policies take effect.

Sensitive data such as social security numbers, credit card numbers, emails, and so on may be leaked onto the internet, intentionally or accidentally. Sensitive data detection is used to detect and generate events on possible sensitive data leakage and generates events only if there is a transfer of significant amount of Personally Identifiable Information (PII) data. Sensitive data detection can mask PII in the output of events, using built-in patterns.

Disabling data masking is not supported.

Minimum threat defense: 7.4 with Snort 3

See: Custom Rules in Snort 3

Improved JavaScript inspection.

We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content.

Minimum threat defense: 7.4 with Snort 3

See: HTTP Inspect Inspector and Cisco Secure Firewall Management Center Snort 3 Configuration Guide

MITRE information in file and malware events.

The system now includes MITRE information (from local malware analysis) in file and malware events. Previously, this information was only available for intrusion events. You can view MITRE information in both the classic and unified events views. Note that the MITRE column is hidden by default in both event views.

Minimum threat defense: 7.4

See: Local Malware Analysis and File and Malware Event Fields

Access Control: Identity

Enhancements to dynamic object management with Cisco Secure Dynamic Attributes Connector.

We now support dynamic object management with:

  • Cisco Secure Dynamic Attributes Connector on the management center.

  • Cisco Secure Dynamic Attributes Connector 2.1 as a standalone application.

Minimum threat defense: Any

See: Cisco Secure Dynamic Attributes Connector and Cisco Secure Dynamic Attributes Connector Configuration Guide, Version 2.1

Microsoft Azure AD as a user identity source.

You can use a Microsoft Azure Active Directory (Azure AD) realm with ISE to authenticate users and get user sessions for user control.

New/updated screens:

  • Integration > Other Integrations > Realms > Add Realm > Azure AD

  • Integration > Other Integrations > Realms > Actions, such as downloading users, copying, editing, and deleting

Minimum threat defense: 7.4

Supported ISE versions: 3.0 patch 5+, 3.1 (any patch level), 3.2 (any patch level)

See: Create a Microsoft Azure Active Directory Realm

Event Logging and Analysis

Configure threat defense devices as NetFlow exporters from the management center web interface.

Upgrade impact. Redo any related FlexConfigs after upgrade.

NetFlow is a Cisco application that provides statistics on packets flows. You can now use the management center web interface to configure threat defense devices as NetFlow exporters. If you have an existing NetFlow FlexConfig and redo your configurations in the web interface, you cannot deploy until you remove the deprecated FlexConfigs.

New/modified screens: Devices > Platform Settings > Threat Defense Settings Policy > NetFlow

Minimum threat defense: Any

See: Configure NetFlow

More information about "unknown" SSL actions in logged encrypted connections.

Serviceability improvements to the event reporting and decryption rule matching.

  • New SSL Status to indicate if the SSL handshake is not complete for an encrypted connection. The SSL Status column of the connection event displays “Unknown (Incomplete Handshake)” when the SSL handshake of the logged connection is not complete.

  • Subject Alternative Names (SANs) for certificates are now used when matching Certificate Authority (CA) names for improved decryption rule matching.

New/modified screens:

  • Analysis > Connections > Events > SSL Status

  • Analysis > Connections > Security-Related Events > SSL Status

Minimum threat defense: 7.4

See: Connection and Security-Related Connection Event Fields.

Health Monitoring

Stream telemetry to an external server using OpenConfig.

You can now send metrics and health monitoring information from your threat defense devices to an external server (gNMI collector) using OpenConfig. You can configure either threat defense or the collector to initiate the connection, which is encrypted by TLS.

New/modified screens: System (system gear icon) > Health > Policy > Firewall Threat Defense Policies > Settings > OpenConfig Streaming Telemetry

Minimum threat defense: 7.4

See: Send Vendor-Neutral Telemetry Streams Using OpenConfig

New asp drop metrics.

You can add over 600 new asp (accelerated security path) drop metrics to a new or existing device health dashboard. Make sure you choose the ASP Drops metric group.

New/modified screens: System (system gear icon) > Health > Monitor > Device

Minimum threat defense: 7.4

See: show asp drop Command Usage

Administration

Migrate from management center 4600 to AWS.

The management center model migration script now supports migration from Secure Firewall Management Center 4600 to Secure Firewall Management Center Virtual for AWS with a 300-device license.

Minimum threat defense: Any

See: Firepower Management Center Model Migration Guide

Send detailed management center audit logs to syslog.

You can stream configuration changes as part of audit log data to syslog by specifying the configuration data format and the hosts. The management center supports backup and restore of the audit configuration log.

New/modified screens: System (system gear icon) > Configuration > Audit Log > Send Configuration Changes

Minimum threat defense: Any

See: Stream Audit Logs to Syslog

Granular permissions for modifying access control policies and rules.

You can define custom user roles to differentiate between the intrusion configuration in access control policies and rules and the rest of the access control policy and rules. Using these permissions, you can separate the responsibilities of your network administration team and your intrusion administration teams.

When defining user roles, you can select the Policies > Access Control > Access Control Policy > Modify Access Control Policy > Modify Threat Configuration option to allow the selection of intrusion policy, variable set, and file policy in a rule, the configuration of the advanced options for Network Analysis and Intrusion Policies, the configuration of the Security Intelligence policy for the access control policy, and intrusion actions in the policy default action. You can use the Modify Remaining Access Control Policy Configuration to control the ability to edit all other aspects of the policy. The existing pre-defined user roles that included the Modify Access Control Policy permission continue to support all sub-permissions; you need to create your own custom roles if you want to apply granular permissions.

Minimum threat defense: Any

See: Create Custom User Roles

Download only the country code geolocation package.

You can now configure the system to download only the country code package of the geolocation database (GeoDB), which maps IP addresses to countries/continents. The larger IP package that contains contextual data, including additional location details and connection information, is now optional. By default, the system downloads both packages.

New/modified screens: System (system gear icon) > Updates > Geolocation Updates > IP Package Configuration

Minimum threat defense: Any

See: Update the Geolocation Database

Support for IPv6 URLs when checking certificate revocation.

Previously, threat defense supported only IPv4 OCSP URLs. Now, threat defense supports both IPv4 and IPv6 OCSP URLs.

Minimum threat defense: 7.4

See: Requiring Valid HTTPS Client Certificates and Certificate Enrollment Object Revocation Options

Default NTP server updated.

Upgrade impact. The system connects to new resources.

The default NTP servers have changed from sourcefire.pool.ntp.org to time.cisco.com.

Minimum threat defense: Any

See: Internet Access Requirements

Usability, Performance, and Troubleshooting

Usability enhancements.

You can now:

  • Manage Smart Licensing for threat defense clusters from System (system gear icon) > Smart Licenses. Previously, you had to use the Device Management page.

    See: Licensing for Device Clusters

  • Download a report of Message Center notifications. In the Message Center, click the new Download Report icon, next to the Show Notifications slider.

    See: Managing System Messages

  • Download a report of all registered devices. On Devices > Device Management, click the new Download Device List Report link, at the top right of the page.

    See: Download the Managed Device List

  • Clone network and port objects. In the object manager (Objects > Object Management), click the new Clone icon next to a port or network object. You can then change the new object's properties and save it using a new name.

    See: Creating Network Objects and Creating Port Objects

  • Easily create custom and edit health monitoring dashboards.

    See: Correlating Device Metrics

Minimum threat defense: Any

Specify the direction of traffic to be captured with packet capture for the Secure Firewall 4200.

On the Secure Firewall 4200, you can use a new direction keyword with the capture command.

New/modified CLI commands: capturecapture_nameswitchinterfaceinterface_name[ direction{ both| egress| ingress} ]

Minimum threat defense: 7.4.0

See: Cisco Secure Firewall Threat Defense Command Reference

Snort 3 restarts when it becomes unresponsive, which can trigger HA failover.

To improve continuity of operations, an unresponsive Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process becomes unresponsive. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.)

This feature is enabled by default. You can use the CLI to disable it, or configure the time or number of unresponsive threads before Snort restarts.

New/modified CLI commands: configure snort2-watchdog

Minimum threat defense: 7.4 with Snort 3

See: Snort Restart Scenarios

Management Center REST API

Management center REST API.

For information on changes to the management center REST API, see What's New in Version 7.4 in the API quick start guide.

Deprecated Features

Table 2. Deprecated Features in Management Center Version 7.4.0

Deprecated Feature

Description

Deprecated: NetFlow with FlexConfig.

You can now configure threat defense devices as NetFlow exporters from the management center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs.

Deprecated in threat defense: Any

See: Configure NetFlow

New Features in Management Center Version 7.3

New Features

Table 3. New Features in Management Center Version 7.3.1.1

New Feature

Description

Smaller VDB for lower memory Snort 2 devices.

For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB.

Minimum threat defense: Any, with Snort 2

Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X

Version restrictions: The ability to install a smaller VDB depends on the version of the FMC, not managed devices. If you upgrade the FMC from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641.

Table 4. New Features in Management Center Version 7.3.1

New Feature

Description

Secure Firewall 3105.

We introduced the Secure Firewall 3105.

Minimum threat defense: 7.3.1

Table 5. New Features in Management Center Version 7.3.0

New Feature

Description

Platform

Management center virtual 300 for KVM.

We introduced the FMCv300 for KVM. The FMCv300 can manage up to 300 devices. High availability is supported.

Minimum threat defense: Any

Network modules for the Firepower 4100.

We introduced these network modules for the Firepower 4100:

  • 2-port 100G network module (FPR4K-NM-2X100G)

Minimum threat defense: 7.3

Supported platforms: Firepower 4112, 4115, 4125, 4145

ISA 3000 System LED support for shutting down.

Support returns for this feature. When you shut down the ISA 3000, the System LED turns off. Wait at least 10 seconds after that before you remove power from the device. This feature was introduced in Version 7.0.5 but was temporarily deprecated in Version 7.1–7.2.

New compute shapes for threat defense virtual and management center virtual for OCI.

Threat defense virtual and management center virtual for OCI add support for the following compute shapes:

  • Intel VM.DenseIO2.8

  • Intel VM.StandardB1.4

  • Intel VM.StandardB1.8

  • Intel VM.Standard1.4

  • Intel VM.Standard1.8

  • Intel VM.Standard3.Flex

  • Intel VM.Optimized3.Flex

  • AMD VM.Standard.E4.Flex

Note that the VM.Standard2.4 and VM.Standard2.8 compute shapes reached end of orderability in February 2022. If you are deploying Version 7.3+, we recommend one of the above compute shapes.

For information on compatible compute shapes, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Minimum threat defense: 7.3

Interfaces

IPv6 support for virtual appliances.

Threat defense virtual and management center virtual now support IPv6 in the following environments:

  • AWS

  • Azure

  • OCI

  • KVM

  • VMware

For more information, see Cisco Secure Firewall Threat Defense Virtual Getting Started Guide and Cisco Secure Firewall Management Center Virtual Getting Started Guide.

Loopback interface support for VTIs.

You can now configure a loopback interface for redundancy of static and dynamic VTI VPN tunnels. A loopback interface is a software interface that emulates a physical interface. It is reachable through multiple physical interfaces with IPv4 and IPv6 addresses.

New/modified screens: Devices > Device Management > Device > Interfaces > Add Interfaces > Add Loopback Interface

For more information, see Configure Loopback Interfaces in the device configuration guide.

Redundant manager access data interface.

When you use a data interface for manager access, you can configure a secondary data interface to take over management functions if the primary interface goes down. The device uses SLA monitoring to track the viability of the static routes and an ECMP zone that contains both interfaces so management traffic can use both interfaces.

New/modified screens:

  • Devices > Device Management > Device > Management

  • Devices > Device Management > Device > Interfaces > Manager Access

For more information, see Configure a Redundant Manager Access Data Interface in the device configuration guide.

IPv6 DHCP.

We now support the following features for IPv6 addressing:

  • DHCPv6 Address client: Threat defense obtains an IPv6 global address and optional default route from the DHCPv6 server.

  • DHCPv6 Prefix Delegation client: Threat defense obtains delegated prefix(es) from a DHCPv6 server. It can then use these prefixes to configure other threat defense interface addresses so that StateLess Address Auto Configuration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.

  • BGP router advertisement for delegated prefixes.

  • DHCPv6 stateless server: Threat defense provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to threat defense. Threat defense only accepts IR packets and does not assign addresses to the clients.

New/modified screens:

  • Devices > Device Management > Device > Interfaces > Interface > IPv6 > DHCP

  • Objects > Object Management > DHCP IPv6 Pool

New/modified CLI commands: show bgp ipv6 unicast , show ipv6 dhcp , show ipv6 general-prefix

For more information, see Configure the IPv6 Prefix Delegation Client, BGP, and Configure the DHCPv6 Stateless Server in the device configuration guide.

Paired proxy VXLAN for the threat defense virtual for the Azure Gateway Load Balancer.

You can configure a paired proxy mode VXLAN interface for threat defense virtual for Azure for use with the Azure Gateway Load Balancer. The device defines an external interface and an internal interface on a single NIC by utilizing VXLAN segments in a paired proxy.

New/modified screens: Devices > Device Management > Device > Interfaces > Add Interfaces > VNI Interface

For more information, see Configure VXLAN Interfaces in the device configuration guide.

Forward Error Correction (FEC) defaults changed for fixed ports.

When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the default type is now set to Clause 108 RS-FEC instead of Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers.

For more information, see Interface Overview in the device configuration guide.

High Availability/Scalability

High availability for management center virtual for KVM and Azure.

We now support high availability for management center virtual for KVM and Azure.

In a threat defense deployment, you need two identically licensed management centers, as well as one threat defense entitlement for each managed device. For example, to manage 10 devices with an FMCv10 high availability pair, you need two FMCv10 entitlements and 10 threat defense entitlements. If you are managing Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv entitlements.

Supported platforms with KVM: FMCv10, FMCv25, FMCv300

Supported platforms with Azure: FMCv10, FMCv25

For more information, see the Cisco Secure Firewall Management Center Virtual Getting Started Guide, as well as High Availability in the administration guide.

Clustering for threat defense virtual for Azure.

You can now configure clustering for up to 16 nodes with threat defense virtual for Azure.

New/modified screens: Devices > Device Management

For more information, see Clustering for Threat Defense Virtual in a Public Cloud in the device configuration guide.

Autoscale for threat defense virtual for Azure Gateway Load Balancers.

We now support autoscale for threat defense virtual for Azure Gateway Load Balancers. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Backup and restore support for clustered devices.

You can now use the management center to perform backups of clusters. To restore the cluster nodes, you must use the device CLI.

New/modified screens: System (system gear icon) > Tools > Backup/Restore > Managed Device Backup

New/modified CLI commands: restore remote-manager-backup

For more information, see Backup/Restore in the administration guide.

Remote Access VPN

RA VPN dashboard.

We introduced a remote access VPN (RA VPN) dashboard that allows you to monitor real-time data from active RA VPN sessions on the devices. So that you can quickly determine problems related to user sessions and mitigate the problems for your network and users, the dashboard provides:

  • Visualization of active user sessions based on their location.

  • Detailed information about the active user sessions.

  • Mitigation of user session problems by terminating sessions, if required.

  • Distribution of active user sessions per device, encryption type, Secure Client version, operating system, and connection profile.

  • Device identity certificate expiration details of the devices.

New/modified screens: Overview > Dashboards > Remote Access VPN

For more information, see Dashboards in the administration guide.

Encrypt RA VPN connections with TLS 1.3.

You can now use TLS 1.3 to encrypt RA VPN connections with the following ciphers:

  • TLS_AES_128_GCM_SHA256

  • TLS_CHACHA20_POLY1305_SHA256

  • TLS_AES_256_GCM_SHA384

Use the threat defense platform settings to set the TLS version: Devices > Platform Settings > Add/Edit Threat Defense Settings Policy > SSL > TLS Version.

This feature requires Cisco Secure Client, Release 5 (formerly known as the AnyConnect Secure Mobility Client).

For more information, see Configure SSL Settings in the device configuration guide.

Site to Site VPN

Packet tracer in the site-to-site VPN dashboard.

We added packet tracer capabilities to the site-to-site VPN dashboard, to help you troubleshoot VPN tunnels between devices.

Open the dashboard by choosing Overview > Dashboards > Site to Site VPN. Then, click View (View button) next to the tunnel you want to investigate, and Packet Tracer in the side pane that appears.

For more information, see Monitoring the Site-to-Site VPNs in the device configuration guide.

Support for dynamic VTIs with site-to-site VPN.

We now support dynamic virtual tunnel interfaces (VTI) when you configure a route-based site-to-site VPN in a hub and spoke topology. Previously, you could use only a static VTI.

This makes it easier to configure large hub and spoke deployments. A single dynamic VTI can replace several static VTI configurations on the hub. And, you can add new spokes to a hub without changing the hub configuration.

New/modified screens: We updated the options when configuring hub-node endpoints for a route-based hub-and-spoke site-to-site VPN topology.

For more information, see Configure Endpoints for a Hub and Spoke Topology in the device configuration guide.

Improved Umbrella SIG integration.

You can now easily deploy IPsec IKEv2 tunnels between a threat defense device and the Umbrella Secure Internet Gateway (SIG), which allows you to forward all internet-bound traffic to Umbrella for inspection and filtering.

To configure and deploy these tunnels, create a SASE topology, a new type of static VTI-based site-to-site VPN topology: Devices > VPN > Site To Site > SASE Topology.

For more information, see Deploy a SASE Tunnel on Umbrella in the device configuration guide.

Routing

Configure BFD for BGP from the management center web interface.

Upgrade impact.

You can now use the management center web interface to configure bidirectional forwarding detection (BFD) for BGP. Note that you can only enable BFD on interfaces belonging to virtual routers. If you have an existing BFD FlexConfig and redo your configurations in the web interface, you cannot deploy until you remove the deprecated FlexConfigs.

New/modified screens:

  • Devices > Device Management > Device > Routing > BFD

  • Objects > Object Management > BFD Template

  • When configuring BGP neighbor settings, we replaced the BFD Failover check box with a menu where you choose the BFD type: single hop, multi hop, auto detect, or none (disabled). For upgraded management centers, auto-detect hop is selected if the old BFD Failover option was enabled and none is selected if the old option was disabled.

For more information, see Bidirectional Forwarding Detection Routing in the device configuration guide.

Support for IPv4 and IPv6 OSPF routing for VTIs.

We now support IPv4 and IPv6 OSPF routing for VTI interfaces.

New/modified pages: You can add VTI interfaces to an OSPF routing process on Devices > Device Management > Device > Routing > OSPF/OSFPv3.

For more information, see OSPF and Additional Configurations for VTI in the device configuration guide.

Support for IPv4 EIGRP routing for VTIs.

We now support IPv4 EIGRP routing for VTI interfaces.

New/modified screens: You can define a VTI as the static neighbor for an EIGRP routing process, configure a VTI's interface-specific EIGRP routing properties. and advertise a VTI's summary address on Devices > Device Management > Device > Routing > EIGRP.

For more information, see EIGRP and Additional Configurations for VTI in the device configuration guide.

More network service groups for policy-based routing.

You can now configure up to 1024 network service groups (application groups in an extended ACL for use in policy-based routing). Previously, the limit was 256.

Support for multiple next-hops while configuring policy-based routing forwarding actions.

You can now configure multiple next-hops while configuring policy-based routing forwarding actions. When traffic matches the criteria for the route, the system attempts to forward traffic to the IP addresses in the order you specify, until it succeeds.

The feature is available on threat defense devices running Version 7.1+ with a Version 7.3+ management center.

New/modified screens: We added several options when you select IP Address from the Send To menu on Devices > Device Management > Device > Routing > Policy Based Routing > Add Policy Based Route > Add Match Criteria and Egress Interface.

For more information, see Configure Policy-Based Routing Policy in the device configuration guide.

Upgrade

Usability improvements.

We introduced some usability improvements to the threat defense upgrade wizard:

  • You can now use the wizard to select devices to upgrade. You can toggle the view between selected devices, remaining upgrade candidates, ineligible devices (with reasons why), devices that need the upgrade package, and so on.

    Previously, you could only use the Device Management page and the process was much less flexible.

  • You can now use the wizard to upload threat defense upgrade packages or specify upgrade package locations.

    Previously, you could only use the System Updates page.

  • We now allow simultaneous upgrade workflows by different users, as long as you are upgrading different devices. The system prevents you from upgrading devices already in someone else's workflow.

    Previously, only one upgrade workflow was allowed at a time across all users.

For all threat defense upgrades, we offer smaller upgrade packages and faster upgrades and readiness checks.

For more information, see Upgrade Threat Defense in the management center upgrade guide.

Unattended upgrades.

The threat defense upgrade wizard now supports unattended upgrades, using a new Unattended Mode menu. You just need to select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser.

With an unattended upgrade, the system automatically copies needed upgrade packages to devices, performs compatibility and readiness checks, and begins the upgrade. Just as happens when you manually step through the wizard, any devices that do not "pass" a stage in the upgrade (for example, failing checks) are not included in the next stage. After the upgrade completes, you pick up with the verification and post-upgrade tasks.

You can pause and restart unattended mode during the copy and checks phases. However, pausing unattended mode does not stop tasks in progress. Copies and checks that have started will run to completion. Similarly, you cannot cancel an upgrade in progress by stopping unattended mode; to cancel an upgrade, use the Upgrade Status pop-up, accessible from the Upgrade tab on Device Management page, and from the Message Center.

For more information, see Upgrade Threat Defense with the Wizard in Unattended Mode in the management center upgrade guide.

Skip pre-upgrade troubleshoot generation.

From the threat defense upgrade wizard, you can now skip the automatic generating of troubleshooting files before major and maintenance upgrades by disabling the new Generate troubleshooting files before upgrade begins option. This saves time and disk space.

To manually generate troubleshooting files for a threat defense device, choose System (system gear icon) > Health > Monitor, click the device in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

For more information, see Upgrade Threat Defense in the management center upgrade guide.

Auto-upgrade to Snort 3 after successful threat defense upgrade is no longer optional.

Upgrade impact.

When you upgrade threat defense to Version 7.3+, you can no longer disable the Upgrade Snort 2 to Snort 3 option.

After the software upgrade, all eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. Although you can switch individual devices back, Snort 2 will be deprecated in a future release and we strongly recommend you stop using it now.

For devices that are ineligible for auto-upgrade because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.

Minimum threat defense: Any

Choose and direct-download upgrade packages from Cisco.

You can now choose which threat defense upgrade packages you want to direct download to the management center. Use the new Download Updates sub-tab on > Updates > Product Updates.

Minimum threat defense: Any

See: Download Upgrade Packages with the Management Center

Combined upgrade and install package for Secure Firewall 3100.

Reimage Impact.

In Version 7.3, we combined the threat defense install and upgrade package for the Secure Firewall 3100, as follows:

  • Version 7.1–7.2 install package: cisco-ftd-fp3k.version.SPA

  • Version 7.1–7.2 upgrade package: Cisco_FTD_SSP_FP3K_Upgrade-version-build.sh.REL.tar

  • Version 7.3+ combined package: Cisco_FTD_SSP_FP3K_Upgrade-version-build.sh.REL.tar

Although you can upgrade threat defense without issue, you cannot reimage from older threat defense and ASA versions directly to threat defense Version 7.3+. This is due to a ROMMON update required by the new image type. To reimage from those older versions, you must "go through" ASA 9.19+, which is supported with the old ROMMON but also updates to the new ROMMON. There is no separate ROMMON updater.

To get to threat defense Version 7.3+, your options are:

Access Control and Threat Detection

SSL policy renamed to decryption policy.

We renamed the SSL policy to the decryption policy. We also added a policy wizard that makes it easier to create and configure decryption policies, including creating initial rules and certificates for inbound and outbound traffic.

New/modified screens:

  • Add or edit a decryption policy: Policies > Access Control > Decryption.

  • Use a decryption policy: Decryption Policy Settings in an access control policy's advanced settings.

For more information, see Decryption Policies in the device configuration guide.

Improvements to TLS server identity discovery with Snort 3 devices.

We now support improved performance and inspection with the TLS server identity discovery feature, which allows you to handle traffic encrypted with TLS 1.3 with information from the server certificate. Although we recommend you leave it enabled, you can disable this feature using the new Enable adaptive TLS server identity probe option in the decryption policy's advanced settings.

For more information, see TLS 1.3 Decryption Best Practices in the device configuration guide.

URL filtering using cloud lookup results only.

When you enable (or re-enable) URL filtering, the management center automatically queries Cisco for URL category and reputation data and pushes the dataset to managed devices. You now have more options on how the system uses this dataset to filter web traffic.

To do this, we replaced the Query Cisco Cloud for Unknown URLs options with three new options:

  • Local Database Only: Uses the local URL dataset only. Use this option if you do not want to submit your uncategorized URLs (category and reputation not in the local dataset) to Cisco, for example, for privacy reasons. However, note that connections to uncategorized URLs do not match rules with category or reputation-based URL conditions. You cannot assign categories or reputations to URLs manually.

    For upgraded management centers, this option is enabled if the old Query Cisco Cloud for Unknown URLs was disabled.

  • Local Database and Cisco Cloud: Uses the local dataset when possible, which can make web browsing faster. When users browse to an URL whose category and reputation is not in the local dataset or a cache of previously accessed websites, the system submits it to the cloud for threat intelligence evaluation and adds the result to the cache.

    For upgraded management centers, this option is enabled if the old Query Cisco Cloud for Unknown URLs option was enabled.

  • Cisco Cloud Only: Does not use the local dataset. When users browse to an URL whose category and reputation is not in a local cache of previously accessed websites, the system submits it to the cloud for threat intelligence evaluation and adds the result to the cache. This option guarantees the most up-to-date category and reputation information.

    This option is the default on new and reimaged Version 7.3+ management centers. Note that it also requires threat defense Version 7.3+. If you enable this option, devices running earlier versions use the Local Database and Cisco Cloud option.

New/modified screens: Integration > Other Integrations > Cloud Services > URL Filtering

For more information, see URL Filtering Options in the device configuration guide.

Detect HTTP/3 and SMB over QUIC using EVE (Snort 3 only).

Snort 3 devices can now use the encrypted visibility engine (EVE) to detect HTTP/3 and SMB over QUIC. You can then create rules to handle traffic based on these applications.

For more information, see Encrypted Visibility Engine in the device configuration guide.

Generate IoC events based on unsafe client applications detected by EVE (Snort 3 only).

Snort 3 devices can now generate indications of compromise (IoC) connection events based unsafe client applications detected by the encrypted visibility engine (EVE). These connection events have a Encrypted Visibility Threat Confidence of Very High.

  • View IoCs in the event viewer: Analysis > Hosts/Users > Indications of Compromise

  • View IoCs in the network map: Analysis > Hosts > Indications of Compromise

  • View IoC information in connection events: Analysis > Connections > Events > Table View of Connection Events > IOC/Encrypted Visibility columns

For more information, see Encrypted Visibility Engine in the device configuration guide.

Improved JavaScript inspection for Snort 3 devices.

We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. The normalizer introduced in Version 7.2 now allows you to inspect within the unescape, decodeURI, and decodeURIComponent functions: %XX, %uXXXX, \uXX, \u{XXXX}\xXX, decimal code point, and hexadecimal code point. It also removes plus operations from strings and concatenates them.

For more information, see HTTP Inspect Inspector in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Nested rule groups, including MITRE ATT&CK, in Snort 3 intrusion policies.

You can now nest rule groups in a Snort 3 intrusion policy. This allows you to view and handle traffic in a more granular fashion; for example, you might group rules by vulnerability type, target system, or threat category. You can create custom nested rule groups and change the security level and rule action per rule group.

We also group system-provided rules in a Talos-curated MITRE ATT&CK framework, so you can act on traffic based on those categories.

New/modified screens:

  • View and use rule groups: Policies > Intrusion > Edit Snort 3 Version

  • View rule group information in the classic event view: Analysis > Intrusion > Events > Table View of Intrusion Events > Rule Group and MITRE ATT&CK columns

  • View rule group information in the unified event view: Analysis > Unified Events > Rule Group and MITRE ATT&CK columns

For more information, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Access control rule conflict analysis.

You can now enable rule conflict analysis to help identify redundant rules and objects, and shadowed rules that cannot be matched due to previous rules in the policy.

For more information, see Analyzing Rule Conflicts and Warnings in the device configuration guide.

Event Logging and Analysis

NetFlow support for Snort 3 devices.

Upgrade impact.

Snort 3 devices now can consume NetFlow records (IPv4 and IPv6, NetFlow v5 and v9). Previously, only Snort 2 devices did this.

After upgrade, if you have an existing NetFlow exporter and NetFlow rule configured in the network discovery policy, Snort 3 devices may begin processing NetFlow records, generating NetFlow connection events, and adding host and application protocol information to the database based on NetFlow data.

For more information, see Network Discovery Policies in the device configuration guide.

Integrations

New remediation module for integration with the Cisco ACI Endpoint Update App

We introduced a new Cisco ACI Endpoint remediation module. To use it, you must remove the old module then add and configure the new one. This new module can:

  • Quarantine endpoints in an endpoint security group (ESG) deployment.

  • Allow traffic from a quarantined endpoint to a Layer 3 outside network (L3Out) for monitoring and analysis.

  • Run in audit-only mode, where it notifies you instead of quarantining.

For more information, see APIC/Secure Firewall Remediation Module 3.0 in the device configuration guide.

Health Monitoring

Cluster health monitor settings in the management center web interface.

You can now use the management center web interface to edit cluster health monitor settings. If you configured these settings with FlexConfig in a previous version, the system allows you to deploy, but also warns you to redo your configurations—the FlexConfig settings take precedence.

New/modified screens: Devices > Device Management > Edit Cluster > Cluster Health Monitor Settings

For more information, see Edit Cluster Health Monitor Settings in the device configuration guide.

Improved health monitoring for device clusters.

We added cluster dashboards to the health monitor where you can view overall cluster status, load distribution metrics, performance metrics, cluster control link (CCL) and data throughput, and so on.

To view the dashboard for each cluster, choose System (system gear icon) > Health > Monitor, then click the cluster.

For more information, see Cluster Health Monitor in the administration guide.

Monitor fan speed and temperature for the power supply on the hardware management center.

We added the Hardware Statistics health module that monitors fan speed and temperature for the power supply on the hardware management center. The upgrade process automatically adds and enables this module. After upgrade, apply the policy.

To enable or disable the module and set threshold values, edit the management center health policy on System (system gear icon) > Health > Policy.

To view health status, create a custom health dashboard: System (system gear icon) > Health > Monitor > Firewall Management Center > Add/Edit. Select the Hardware Statistics metric group, then select the metric you want.

You can also view module status on the health monitor's Home page and in the management center's alert summary (as Hardware Alarms and Power Supply). You can configure external alert responses and view health events based on module status.

For more information, see Hardware Statistics on Management Center in the administration guide.

Monitor temperature and power supply for the Firepower 4100/9300.

We added the Chassis Environment Status health module to monitor the temperature and power supply on a Firepower 4100/9300 chassis. The upgrade process automatically adds and enables these modules in all device health policies. After upgrade, apply health policies to Firepower 4100/9300 chassis to begin monitoring.

To enable or disable this module and set threshold values, edit the management center health policy: System (system gear icon) > Health > Policy > Device Policy.

To view health status, create a custom health dashboard: System (system gear icon) > Health > Monitor > Select Device > Add/Edit Dashboard > Custom Correlation Group. Select the Hardware/Environment Status metric group, then select the Thermal Status metric to view temperature or select any of the Power Supply options to view power supply status.

You can also view module status on the health monitor's Home page and in each device's alert summary. You can configure external alert responses and view health events based on module status.

For more information, see Hardware/Environment Status Metrics in the administration guide.

Licensing

Changes to license names and support for the Carrier license.

We renamed licenses as follows:

  • Base is now Essentials

  • Threat is now IPS

  • Malware is now Malware Defense

  • RA VPN/AnyConnect License is now Cisco Secure Client

  • AnyConnect Plus is now Secure Client Advantage

  • AnyConnect Apex is now Secure Client Premier

  • AnyConnect Apex and Plus is now Secure Client Premier and Advantage

  • AnyConnect VPN Only is now Secure Client VPN Only

In addition, you can now apply the Carrier license, which allows you to configure GTP/GPRS, Diameter, SCTP, and M3UA inspections.

New/modified screens: System (system gear icon) > Licenses > Smart Licenses

For more information, see Licenses in the administration guide.

Administration

Migrate configurations from FlexConfig to web interface management.

You can now easily migrate these configurations from FlexConfig to web interface management:

  • ECMP zones, supported in the Version 7.1+ web interface

  • EIGRP routing, supported in the Version 7.2+ web interface

  • VXLAN interfaces, supported in the Version 7.2+ web interface

After you migrate, you cannot deploy until you remove the deprecated FlexConfigs.

New/modified screens: Devices > FlexConfig > Edit FlexConfig Policy > Migrate Config

For more information, see Migrating FlexConfig Policies in the device configuration guide.

Automatic VDB downloads.

The initial setup on the management center schedules a weekly task to download the latest available software updates, which now includes the latest vulnerability database (VDB). We recommend you review this weekly task and adjust if necessary. Optionally, schedule a new weekly task to actually update the VDB and deploy configurations.

New/modified screens: The Vulnerability Database check box is now enabled by default in the system-created Weekly Software Download scheduled task.

For more information, see Vulnerability Database Update Automation in the administration guide.

Install any VDB.

Starting with VDB 357, you can now install any VDB as far back as the baseline VDB for that management center.

After you update the VDB, deploy configuration changes. If you based configurations on vulnerabilities, application detectors, or fingerprints that are no longer available, examine those configurations to make sure you are handling traffic as expected. Also, keep in mind a scheduled task to update the VDB can undo a rollback. To avoid this, change the scheduled task or delete any newer VDB packages.

New/modified screens: On System (system gear icon) > Updates > Product Updates > Available Updates, if you upload an older VDB, a new Rollback icon appears instead of the Install icon.

For more information, see Update the Vulnerability Database in the administration guide.

Automatically update CA bundles.

Upgrade impact. The system connects to Cisco for something new.

The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature.

New/modified CLI commands: configure cert-update auto-update , configure cert-update run-now , configure cert-update test , show cert-update

For more information, see the Secure Firewall Management Center Command Line Reference in the management center administration guide, and the Cisco Secure Firewall Threat Defense Command Reference.

Usability, Performance, and Troubleshooting

New how-to walkthroughs.

We added these how-tos:

  • Renew a certificate using manual re-enrollment.

  • Renew a certificate using Self-signed, SCEP, or EST enrollment.

  • Configure LDAP attribute map for remote access VPN.

  • Add SAML Single Sign-On server object.

  • Collect packet capture for threat defense device.

  • Collect packet trace to troubleshoot threat defense device.

  • Configure Dynamic Access Policy for remote access VPN.

    • Create a Dynamic Access Policy.

    • Create a Dynamic Access Policy record.

    • Associate Dynamic Access Policy with remote access VPN.

To launch a how-to, choose System (system gear icon) > How-Tos.

New access control policy user interface is now the default.

The access control policy user interface introduced in Version 7.2 is now the default interface. The upgrade switches you, but you can switch back.

Maximum objects per match criteria per access control rule is now 200.

We increased the objects per match criteria in a single access control rule from 50 to 200. For example, you can now use up to 200 network objects in a single access control rule.

Filter devices by version.

You can now filter devices by version on Devices > Device Management.

Better status emails for scheduled tasks.

Email notifications for scheduled tasks are now sent when the task completes—whether success or failure—instead of when the task begins. This means that they can now indicate whether the task failed or succeeded. For failures, they include the reason for the failure and remediations to fix the issue.

Performance profile for CPU core allocation.

You can adjust the percentage of system cores assigned to the data plane and Snort to adjust system performance. The adjustment is based on your relative use of VPN and intrusion policies. If you use both, leave the core allocation to the default values. If you use the system primarily for VPN (without applying intrusion policies), or as an IPS (with no VPN configuration), you can skew the core allocation to the data plane (for VPN) or Snort (for intrusion inspection).

We added the Performance Profile page to the platform settings policy.

For more information, see Configure the Performance Profile in the device configuration guide.

Additional telemetry sent to Cisco Success Network.

For improved serviceability, we now send the following data to the Cisco Success Network:

  • Device information, including how many devices are registered but are not being actively managed, whether your devices are configured for high availability/scalability, and how many nodes are in any configured cluster.

  • Event and network map information, including the number of hosts in your network map, intrusion event counts, and file/malware event counts.

You can change your Cisco Success Network enrollment at any time.

For more information, see Configure Cisco Success Network Enrollment in the administration guide.

Management Center REST API

Management center REST API services/operations.

For information on changes to the FMC REST API, see What's New in 7.3 in the API quick start guide.

Deprecated Features

Table 6. Deprecated Features in Management Center Version 7.3.0

Deprecated Feature

Description

Support ends: Firepower 4110, 4120, 4140, 4150.

You cannot run Version 7.3+ on the Firepower 4110, 4120, 4140, or 4150.

Support ends: Firepower 9300: SM-24, SM-36, SM-44 modules.

You cannot run Version 7.3+ on the Firepower 9300 with SM-24, SM-36, or SM-44 modules.

No support for Firepower 1010E (temporary).

The Firepower 1010E, which was introduced in Version 7.2.3, does not support Version 7.3. Support will return in a future release.

You cannot upgrade a Version 7.2.x Firepower 1010E to Version 7.3, and you should not reimage there either. If you have a Firepower 1010E device running Version 7.3, reimage to a supported release. Do not use a Version 7.2.3 or Version 7.3.0 management center to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version 7.3.1.1+ management center.

Deprecated: YouTube EDU content restriction for Snort 2 devices.

You can no longer enable YouTube EDU content restriction in new or existing access control rules. Your existing YouTube EDU rules will keep working, and you can edit those rules to disable YouTube EDU.

Note that this is a Snort 2 feature that is not available for Snort 3.

You should redo your configurations after upgrade.

Deprecated: Cluster health monitor settings with FlexConfig.

You can now edit cluster health monitor settings from the management center web interface. If you do this, the system allows you to deploy but also warns you that any existing FlexConfig settings take precedence.

You should redo your configurations after upgrade.

Deprecated: BFD for BGP with FlexConfig.

You can now configure bidirectional forwarding detection (BFD) for BGP routing from the management center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs.

You should redo your configurations after upgrade.

Deprecated: ECMP zones with FlexConfig.

You can now easily migrate EMCP zone configurations from FlexConfig to web interface management. After you migrate, you cannot deploy until you remove any deprecated FlexConfigs.

You should redo your configurations after upgrade.

Deprecated: VXLAN interfaces with FlexConfig.

You can now easily migrate VXLAN interface configurations from FlexConfig to web interface management. After you migrate, you cannot deploy until you remove any deprecated FlexConfigs.

New Features in Management Center Version 7.2

New Features

Table 7. New Features in Management Center Version 7.2.4

New Feature

Description

Default Forward Error Correction (FEC) on Secure Firewall 3100 fixed ports changed to Clause 108 RS-FEC from Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers.

When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the default type is now set to Clause 108 RS-FEC instead of Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers.

For more information on FEC, see Interface Overview.

Automatically update CA bundles.

Upgrade impact. The system connects to Cisco for something new.

The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature.

New/modified CLI commands: configure cert-update auto-update , configure cert-update run-now , configure cert-update test , show cert-update

For more information, see the Secure Firewall Management Center Command Line Reference the Cisco Secure Firewall Threat Defense Command Reference.

Access control performance improvements (object optimization).

Upgrade impact. First deployment after management center upgrade to 7.2.4–7.2.5 can take a long time and increase CPU use on managed devices.

Access control object optimization improves performance and consumes fewer device resources when you have access control rules with overlapping networks. The optimizations occur on the managed device on the first deploy after the feature is enabled on the management center (including if it is enabled by an upgrade). If you have a high number of rules, the system can take several minutes to an hour to evaluate your policies and perform object optimization. During this time, you may also see higher CPU use on your devices. A similar thing occurs on the first deploy after the feature is disabled (including if it is disabled by upgrade). After this feature is enabled or disabled, we recommend you deploy when it will have the least impact, such as a maintenance window or a low-traffic time.

Version restrictions: This feature is not available in Version 7.3.x. Support returns in Version 7.4.0.

Minimum threat defense: Any

See: Extended Post-Upgrade Deploy to Version 7.2.4–7.2.5 for Large Configurations in the release notes

Smaller VDB for lower memory Snort 2 devices.

For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB.

Minimum threat defense: Any, with Snort 2

Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X

Version restrictions: The ability to install a smaller VDB depends on the version of the FMC, not managed devices. If you upgrade the FMC from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641.

Table 8. New Features in Management Center Version 7.2.3

New Feature

Description

Firepower 1010E.

We introduced the Firepower 1010E, which does not support power over Ethernet (PoE). Do not use a Version 7.2.3 or Version 7.3.0 management center to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version 7.3.1.1+ management center.

For more information on PoE with the Firepower 1010, see Regular Firewall Interfaces.

Minimum threat defense: 7.2.3

Table 9. New Features in Management Center Version 7.2.1

New Feature

Description

Hardware bypass ("fail-to-wire") network modules for the Secure Firewall 3100.

We introduced these hardware bypass network modules for the Secure Firewall 3100:

  • 6-port 1G SFP Hardware Bypass Network Module, SX (multimode) (FPR-X-NM-6X1SX-F)

  • 6-port 10G SFP Hardware Bypass Network Module, SR (multimode) (FPR-X-NM-6X10SR-F)

  • 6-port 10G SFP Hardware Bypass Network Module, LR (single mode) (FPR-X-NM-6X10LR-F)

  • 6-port 25G SFP Hardware Bypass Network Module, SR (multimode) (FPR-X-NM-X25SR-F)

  • 6-port 25G Hardware Bypass Network Module, LR (single mode) (FPR-X-NM-6X25LR-F)

  • 8-port 1G Copper Hardware Bypass Network Module, RJ45 (copper) (FPR-X-NM-8X1G-F)

New/modified screens: Devices > Device Management > Interfaces > Edit Physical Interface

For more information, see Inline Sets and Passive Interfaces.

Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.

We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.

For more information, see Getting Started with Secure Firewall Threat Defense Virtual and KVM.

Table 10. New Features in Management Center Version 7.2.0

New Feature

Description

Platform

Management center virtual and threat defense virtual for Alibaba.

We introduced Secure Firewall Management Center Virtual and Secure Firewall Threat Defense for Alibaba. You must manage threat defense virtual for Alibaba with a management center; device manager is not supported.

Note that due to underlying issues in the Alibaba infrastructure, the threat defense virtual instance type ecs.g5ne.4xLarge has low performance, especially in terms of connections per second (CPS). We recommend the 2xlarge or 4xlarge.

Snapshots allow quick deploy of threat defense virtual for AWS and Azure.

You can now take a snapshot of a threat defense virtual for AWS or Azure instance, then use that snapshot to quickly deploy new instances. This feature also improves the performance of the autoscale solutions for AWS and Azure.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Analytics mode for cloud-managed threat defense devices.

Concurrently with Version 7.2, we introduced the Cisco Cloud-delivered Firewall Management Center. The cloud-delivered Firewall Management Center uses the Cisco Defense Orchestrator (CDO) platform and unites management across multiple Cisco security solutions. We take care of feature updates.

Customer-deployed hardware and virtual management centers running Version 7.2+ can "co-manage" cloud-managed threat defense devices, but for event logging and analytics purposes only. You cannot deploy policy to these devices from a customer-deployed management center.

New/modified screens:

  • When you add a cloud-managed device to a customer-deployed management center, use the new CDO Managed Device check box to specify that it is analytics-only.

  • View which devices are analytics-only on Devices > Device Management.

New/modified CLI commands: configure manager add , configure manager delete , configure manager edit , show managers

For more information, see Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator.

ISA 3000 support for shutting down.

Support returns for shutting down the ISA 3000. This feature was introduced in Version 7.0.2 but was temporarily deprecated in Version 7.1.

High Availability/Scalability

Clustering for threat defense virtual in both public and private clouds.

You can now configure clustering for the following threat defense virtual platforms:

  • Threat defense virtual for AWS: 16-node clusters

  • Threat defense virtual for GCP: 16-node clusters

  • Threat defense virtual for KVM: 4-node clusters

  • Threat defense virtual for VMware: 4-node clusters

New/modified screens:

  • Devices > Device Management > Add Cluster

  • Devices > Device Management > More menu

  • Devices > Device Management > Cluster

For more information, see Clustering for Threat Defense Virtual in a Public Cloud (AWS, GCP) or Clustering for Threat Defense Virtual in a Private Cloud (KVM, VMware).

Support for 16-node clusters.

You can now configure 16-node clusters for the following platforms:

  • Firepower 4100/9300

  • Threat defense virtual for AWS

  • Threat defense virtual for GCP

The Secure Firewall 3100 still only supports 8 nodes.

For more information, see Clustering for the Firepower 4100/9300 or Clustering for Threat Defense Virtual in a Public Cloud.

Autoscale for threat defense virtual for AWS gateway load balancers.

We now support autoscale for threat defense virtual for AWS gateway load balancers, using a CloudFormation template.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Autoscale for threat defense virtual for GCP.

We now support autoscale for threat defense virtual for GCP, by positioning a threat defense virtual instance group between a GCP internal load balancer (ILB) and a GCP external load balancer (ELB).

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Interfaces

LLDP support for the Firepower 2100 and Secure Firewall 3100.

You can now enable Link Layer Discovery Protocol (LLDP) for Firepower 2100 and Secure Firewall 3100 series interfaces.

New/modified screens: Devices > Device Management > Interfaces > > Hardware Configuration > LLDP

New/modified commands: show lldp status , show lldp neighbors , show lldp statistics

For more information, see Interface Overview.

Pause frames for flow control for the Secure Firewall 3100.

If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue.

New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration > Network Connectivity

For more information, see Interface Overview.

Breakout ports for the Secure Firewall 3130 and 3140.

You can now configure four 10 GB breakout ports for each 40 GB interface on the Secure Firewall 3130 and 3140.

New/modified screens: Devices > Device Management > Chassis Operations

For more information, see Interface Overview.

Configure VXLAN from the management center web interface.

You can now use the management center web interface to configure VXLAN interfaces. VXLANs act as Layer 2 virtual network over a Layer 3 physical network to stretch the Layer 2 network.

If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings.

New/modified screens:

  • Configure the VTEP source interface: Devices > Device Management > VTEP

  • Configure the VNI interface: Devices > Device Management > Interfaces > Add VNI Interface

For more information, see Regular Firewall Interfaces.

NAT

Ability to enable, disable, or delete more than one NAT rule at a time.

You can select multiple NAT rules and enable, disable, or delete them all at the same time. Enable and disable apply to manual NAT rules only, whereas delete applies to any NAT rule.

For more information, see Network Address Translation.

VPN

Certificate and SAML authentication for RA VPN connection profiles.

We now support certificate and SAML authentication for RA VPN connection profiles. You can authenticate a machine certificate or user certificate before a SAML authentication/authorization is initiated. This can be done using DAP certificate attributes along with user specific SAML DAP attributes.

New/modified screens: You can now choose Certificate & SAML option when choosing the authentication method for the connection profile in an RA VPN policy.

For more information, see Remote Access VPN.

Route-based site-to-site VPN with hub and spoke topology.

We added support for route-based site-to-site VPNs in a hub and spoke topology. Previously, that topology only supported policy-based (crypto map) VPNs.

New/modified screens: When you add a new VPN topology and choose Route Based (VTI), you can now also choose Hub and Spoke.

For more information, see Site-to-Site VPNs.

IPsec flow offload for the Secure Firewall 3100.

On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

For more information, see Site-to-Site VPNs.

Routing

Configure EIGRP from the management center web interface.

You can now use the management center web interface to configure EIGRP. Note that you can only enable EIGRP on interfaces belonging to the device's Global virtual router.

If you configured EIGRP with FlexConfig in a previous version, the system allows you to deploy post-upgrade, but also warns you to redo your EIGRP configurations in the web interface. When you are satisfied with the new configuration, you can delete the deprecated FlexConfig objects or commands. To help you with this process, we provide a command-line migration tool.

New/modified screens: Devices > Device Management > Routing > EIGRP

For more information, see EIGRP and Migrating FlexConfig Policies.

Virtual router support for the Firepower 1010.

You can now configure up to five virtual routers on the Firepower 1010.

For more information, see Virtual Routers.

Support for VTIs in user-defined virtual routers.

You can now assign virtual tunnel interfaces to user-defined virtual routers. Previously, you could only assign VTIs to Global virtual routers.

New/modified screens: Devices > Device Management > Routing > Virtual Router Properties

For more information, see Virtual Routers.

Policy-based routing with path monitoring.

You can now use path monitoring to collect the performance metrics (RTT, jitter, packet-lost, and MOS) of a device's egress interfaces. Then, you can use these metrics to determine the best path for policy based routing.

New/modified screens:

  • Enable path monitoring and choose metrics to collect: Devices > Device Management > Interfaces > Path Monitoring

  • Use the new Interface Ordering option when you are adding a policy based route and specifying a forwarding action: Devices > Device Management > Routing > Policy Based Routing

  • Monitor path metrics in each device's health monitoring dashboard: System (system gear icon) > Health > Monitor > add dashboard > Interface - Path Metrics.

New/modified CLI commands: show policy route , show path-monitoring , clear path-monitoring

For more information, see Policy Based Routing.

Threat Intelligence

DNS-based threat intelligence from Cisco Umbrella.

We now support DNS-based Security Intelligence using regularly updated information from Cisco Umbrella. You can use both a local DNS policy and an Umbrella DNS policy, for two layers of protection.

New/modified screens:

  • Configure connection to Umbrella: Integration > Other Integrations > Cloud Services > Cisco Umbrella Connection

  • Configure Umbrella DNS policy: Policies > DNS > Add DNS Policy > Umbrella DNA Policy

  • Associate Umbrella DNS policy with access control: Policies > Access Control > Edit Policy > Security Intelligence > Umbrella DNS Policy

For more information, see DNS Policies.

IP-based threat intelligence from Amazon GuardDuty.

You can now handle traffic based on malicious IP addresses detected by Amazon GuardDuty, when integrated with management center virtual for AWS. The system consumes this threat intelligence via a custom Security Intelligence feed, or via a regularly updated network object group, which you can then use in your security policies.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Access Control and Threat Detection

Dynamic object management with:

  • Cloud-delivered Cisco Secure Dynamic Attributes Connector

  • On-prem Cisco Secure Dynamic Attributes Connector 2.0

Concurrently with Version 7.2, we released the following updates to the Cisco Secure Dynamic Attributes Connector:

Bypass inspection or throttle elephant flows on Snort 3 devices.

You can now detect and optionally bypass inspection or throttle elephant flows. By default, access control policies are set to generate an event when the system sees an unencrypted connection larger than 1 GB/10 sec; the rate limit is configurable.

For the Firepower 2100 series, you can detect elephant flows but not bypass inspection or throttle. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use Intelligent Application Bypass (IAB).

New/modified screens: We added Elephant Flow Settings to the access control policy's Advanced tab.

For more information, see Elephant Flow Detection.

Encrypted visibility engine enhancements for Snort 3 devices.

We made the following enhancements to the encrypted visibility engine (EVE):

  • EVE can detect the operating system used by the host, which is reported in events and the network map.

  • EVE can detect application traffic by assigning EVE processes that were identified with high confidence to applications, which you can then use in access control rules to control network traffic. (In Version 7.1, you could see EVE processes for connections, but you could not act on that knowledge.)

    To add additional assignments, create custom applications/custom application detectors. When adding a detection pattern to your custom detector, choose Encrypted Visibility Engine as the application. Then, specify the process name and confidence level.

  • EVE now works with QUIC traffic.

The following connection event fields have changed along with these enhancements:

TLS Fingerprint Process Name

is now

Encrypted Visibility Process Name

TLS Fingerprint Process Confidence Score

is now

Encrypted Visibility Process Confidence Score

TLS Fingerprint Malware Confidence

is now

Encrypted Visibility Threat Confidence

TLS Fingerprint Malware Confidence Score

is now

Encrypted Visibility Threat Confidence Score

Detection Type: TLS Fingerprint

is now

Detection Type: Encrypted Visibility

This feature now requires a Threat license.

For more information, see Access Control Policies and Application Detection.

TLS 1.3 inspection for Snort 3 devices.

We now support inspection of TLS 1.3 traffic.

New/modified screens: We added the Enable TLS 1.3 Decryption option to the Advanced Settings tab in SSL policies. Note that this option is disabled by default.

For more information, see SSL Policies.

Improved portscan detection for Snort 3 devices.

With an improved portscan detector, you can easily configure the system to detect or prevent portscans. You can refine the networks you want to protect, set the sensitivity, and so on. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use the network analysis policy for portscan detection.

New/modified screens: We added Threat Detection to the access control policy's Advanced tab.

For more information, see Threat Detection.

VBA macro inspection for Snort 3 devices.

We now support inspection of VBA (Visual Basic for Applications) macros in Microsoft Office documents, which is done by decompressing the macros and matching rules against the decompressed content.

By default, VBA macro decompression is disabled in all system-provided network analysis policies. To enable it use the decompress_vba setting in the imap, smtp, http_inspect, and pop Snort 3 inspectors.

To configure custom intrusion rules to match against decompressed macros, use the vba_data option.

For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Improved JavaScript inspection for Snort 3 devices.

We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. A new normalizer's enhancements include improved white-space normalization, semicolon insertions, cross-site script handling, identifier normalization and dealiasing, just-in-time (JIT) inspection, and the ability to inspect external scripts.

By default, the new normalizer is enabled in all system-provided network analysis policies. To tweak performance or disable the feature in a custom network analysis policy, use the js_norm (improved normalizer) and normalize_javascript (legacy normalizer) settings in the https_inspect Snort 3 inspector.

To configure custom intrusion rules to match against normalized JavaScript, use the js_data option, for example:

alert tcp any any -> any any (msg:"Script detected!"; 
js_data; content:"var var_0000=1;"; sid:1000001;)

For more information, see HTTP Inspect Inspector in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Improved SMB 3 inspection for Snort 3 devices.

We now support inspection of SMB 3 traffic in the following situations:

  • During file server node failover for clusters configured for SMB Transparent Failover.

  • In multiple file server nodes for clusters using SMB Scale-Out.

  • Through directory information changes due to SMB Directory Leasing.

  • Spread across multiple connections due to SMB Multichannel.

For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Policy Management

Access control policy locking.

You can now lock an access control policy to prevent other administrators from editing it. Locking the policy ensures that your changes will not be invalidated if another administrator edits the policy and saves changes before you save your changes. Any user who has permission to modify the access control policy has permission to lock it.

We added an icon to lock or unlock a policy next to the policy name while editing the policy. In addition, there is a new permission to allow users to unlock policies locked by other administrators: Override Access Control Policy Lock. This permission is enabled by default in the Administrator, Access Admin, and Network Admin roles.

For more information, see Access Control Policies.

Object group search is enabled by default.

The Object Group Search setting is now enabled by default when you add a device to the management center.

New/modified screens: Devices > Device Management > Device > Advanced Settings

For more information, see Device Management.

Access control rule hit counts persist over reboot.

Rebooting a managed device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained by each unit in an HA pair or cluster separately. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or see the counts per node.

New/modified CLI commands: show rule hits

For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

Usability improvements for the access control policy.

There is a new user interface available for the access control policy. You can continue to use the legacy user interface, or you can try out the new user interface.

The new interface has both a table and a grid view for the rules list, the ability to show or hide columns, enhanced search, infinite scroll, a clearer view of the packet flow related to policies associated with the access control policy, and a simplified add/edit dialog box for creating rules. You can freely switch back and forth between the legacy and new user interfaces while editing an access control policy.

For more information, see Access Control Policies.

Event Logging and Analysis

Improved SecureX integration, SecureX orchestration.

We have streamlined the SecureX integration process. Now, as long as you already have a SecureX account, you just choose your cloud region on the new Integration > SecureX page, click Enable SecureX, and authenticate to SecureX. The option to send events to the cloud, as well as to enable Cisco Success Network and Cisco Support Diagnostics, are also moved to this new page.

When you enable SecureX integration on this new page, licensing and management for the system's cloud connection switches from Cisco Smart Licensing to SecureX. If you already enabled SecureX the "old" way, you must disable and re-enable to get the benefits of this cloud connection management.

Note that this page also governs the cloud region for and event types sent to the Secure Network Analytics (Stealthwatch) cloud using Security Analytics and Logging (SaaS), even though the web interface does not indicate this. Previously, these options were on System (system gear icon) > Integration > Cloud Services. Enabling SecureX does not affect communications with the Secure Network Analytics cloud; you can send events to both.

The management center also now supports SecureX orchestration—a powerful drag-and-drop interface you can use to automate workflows across security tools. After you enable SecureX, you can enable orchestration.

As part of this feature, you can no longer use the REST API to configure SecureX integration. You must use the FMC web interface.

This feature was introduced Version 7.0.2 and temporarily deprecated in Version 7.1.

For more information, see the Cisco Secure Firewall Management Center (7.0.2 and 7.2) and SecureX Integration Guide.

Log security events to multiple Secure Network Analytics on-prem data stores.

When you configure a Secure Network Analytics Data Store (multi-node) integration, you can now add multiple flow collectors for security events. You assign each flow collector to one or more threat defense devices running Version 7.0+.

New/modified screens:

  • Setup: Integration > Security Analytics & Logging > Secure Network Analytics Data Store

  • Modify: Integration > Security Analytics & Logging > Update Device Assignments

This feature requires Secure Network Analytics Version 7.1.4.

For more information, see the Cisco Security Analytics and Logging (On Premises): Firewall Event Integration Guide.

Database access changes.

We added ten new tables, deprecated one table, and prohibited joins in six tables. We also added fields to various tables for Snort 3 support and to provide timestamps and IP addresses in human-readable format.

For more information, see the What's New topic in the Cisco Secure Firewall Management Center Database Access Guide, Version 7.2.

eStreamer changes.

A new Python-based reference client has been added to the SDK. Also, you can now request fully qualified events.

For more information, see the What's New topic in the Cisco Secure Firewall Management Center Event Streamer Integration Guide, Version 7.2.

Upgrade

Copy upgrade packages ("peer-to-peer sync") from device to device.

Instead of copying upgrade packages to each device from the management center or internal web server, you can use the threat defense CLI to copy upgrade packages between devices ("peer to peer sync"). This secure and reliable resource-sharing goes over the management network but does not rely on the management center. Each device can accommodate 5 package concurrent transfers.

This feature is supported for Version 7.2+ standalone devices managed by the same standalone management center. It is not supported for:

  • Container instances.

  • Device high availability pairs and clusters.

    These devices get the package from each other as part of their normal sync process. Copying the upgrade package to one group member automatically syncs it to all group members.

  • Devices managed by high availability management centers.

  • Devices managed by the cloud-delivered management center, but added to a customer-deployed management center in analytics mode.

  • Devices in different domains, or devices separated by a NAT gateway.

  • Devices upgrading from Version 7.1 or earlier, regardless of management center version.

New/modified CLI commands: configure p2psync enable , configure p2psync disable , show peers , show peer details , sync-from-peer , show p2p-sync-status

Minimum threat defense: 7.2

For more information, see Copy Threat Defense Upgrade Packages between Devices.

Auto-upgrade to Snort 3 after successful threat defense upgrade.

When you use a Version 7.2+ management center to upgrade threat defense, you can now choose whether to Upgrade Snort 2 to Snort 3.

After the software upgrade, eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.

This option is supported for major and maintenance threat defense upgrades to Version 7.2+. It is not supported for threat defense upgrades to Version 7.0 or 7.1, or for patches to any version.

Upgrade for single-node clusters.

You can now use the device upgrade page (Devices > Device Upgrade) to upgrade clusters with only one active node. Any deactivated nodes are also upgraded. Previously, this type of upgrade would fail. This feature is not supported from the system updates page (System (system gear icon)Updates).

Hitless upgrades are also not supported in this case. Interruptions to traffic flow and inspection depend on the interface configurations of the lone active unit, just as with standalone devices.

Supported platforms: Firepower 4100/9300, Secure Firewall 3100

Revert threat defense upgrades from the CLI.

You can now revert threat defense upgrades from the device CLI if communications between the management center and device are disrupted. Note that in high availability/scalability deployments, revert is more successful when all units are reverted simultaneously. When reverting with the CLI, open sessions with all units, verify that revert is possible on each, then start the processes at the same time.

Caution

 

Reverting from the CLI can cause configurations between the device and the management center to go out of sync, depending on what you changed post-upgrade. This can cause further communication and deployment issues.

New/modified CLI commands: upgrade revert , show upgrade revert-info .

Minimum threat defense: 7.2

For more information, see Revert the Upgrade.

Administration & Troubleshooting

Dropped packet statistics for the Secure Firewall 3100.

The new show packet-statistics threat defense CLI command displays comprehensive information about non-policy related packet drops. Previously this information required using several commands.

For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

Multiple DNS server groups for resolving DNS requests.

You can configure multiple DNS groups for the resolution of DNS requests from client systems. You can use these DNS server groups to resolve requests for different DNS domains. For example, you could have a catch-all default group that uses public DNS servers, for use with connections to the Internet. You could then configure a separate group to use internal DNS servers for internal traffic, for example, any connection to a machine in the example.com domain. Thus, connections to an FQDN using your organization’s domain name would be resolved using your internal DNS servers, whereas connections to public servers use external DNS servers.

New/modified screens: Platform Settings > DNS

For more information, see Platform Settings.

Configure certificate validation with threat defense by usage type.

You can now specify the usage types where validation is allowed with the trustpoint (the threat defense device): IPsec client connections, SSL client connections, and SSL server certificates.

New/modified screens: We added a Validation Usage option to certificate enrollment objects: Objects > Object Manager > PKI > Cert Enrollment.

For more information, see Object Management.

Auto rollback of a deployment that causes a loss of management connectivity.

You can now enable auto rollback of the configuration if a deployment causes the management connection between the management center and the threat defense to go down. Previously, you could only manually rollback a configuration using the configure policy rollback command.

New/modified screens:

  • Devices > Device Management > Device > Deployment Settings

  • Deploy > Advanced Deploy > Preview

  • Deploy > Deployment History > Preview

For more information, see Device Management.

Generate and email a report when you deploy configuration changes.

You can now generate a report for any deploy task. The report contains details about the deployed configuration.

New/modified pages: Deploy > Deployment History (deployment history icon) icon > More (more icon)Generate Report

For more information, see Configuration Deployment.

GeoDB is split into two packages.

In May 2022, shortly before the Version 7.2 release, we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on.

If your Version 7.2+ management center has internet access and you enable recurring updates or you manually kick off a one-time update from the Cisco Support & Download site, the system automatically obtains and imports both packages. However, if you manually download updates—for example, in an air-gapped deployment—make sure you get and import both GeoDB packages:

  • Country code package: Cisco_GEODB_Update-date-build.sh.REL.tar​

  • IP package: Cisco_IP_GEODB_Update-date-build.sh.REL.tar​

The Geolocation Updates (System (system gear icon) > Updates > Geolocation Updates) page and the About page (Help > About) list the versions of the packages currently being used by the system.

For more information, see Updates.

French language option for web interface.

You can now switch the management center web interface to French.

New/modified screens: System (system gear icon) > Configuration > Language

For more information, see System Configuration.

Web interface changes: deployment and user activity integrations.

Version 7.2 changes these management center menu options in all cases.

Deploy > Deployment History

is now

Deploy > Deployment History (deployment history icon) (bottom right corner)

Deploy > Deployment

is now

Deploy > Advanced Deploy

Analysis > Users > Active Sessions

is now

Integration > Users > Active Sessions

Analysis > Users > Users

is now

Integration > Users > Users

Analysis > Users > User Activity

is now

Integration > Users > User Activity

Web interface changes: SecureX, threat intelligence, and other integrations.

Version 7.2 changes these management center menu options if you are upgrading from Version 7.0.1 or earlier, or from Version 7.1.

Note

 

If you are upgrading from Version 7.0.2 or any later Version 7.0.x maintenance release, your menu structure already looks like this.

AMP > AMP Management

is now

Integration > AMP > AMP Management

AMP > Dynamic Analysis Connections

is now

Integration > AMP > Dynamic Analysis Connections

Intelligence > Sources

is now

Integration > Intelligence > Sources

Intelligence > Elements

is now

Integration > Intelligence > Elements

Intelligence > Settings

is now

Integration > Intelligence > Settings

Intelligence > Incidents

is now

Integration > Intelligence > Incidents

System (system gear icon) > Integration

is now

Integration > Other Integrations

System (system gear icon) > Logging > Security Analytics & Logging

is now

Integration > Security Analytics & Logging

System (system gear icon) > SecureX

is now

Integration > SecureX

Management Center REST API

Management center REST API services/operations.

For information on changes to the FMC REST API, see What's New in 7.2 in the REST API quick start guide.

Deprecated Features

Table 11. Deprecated Features in Management Center Version 7.2.0

Deprecated Feature

Description

Deprecated: EIGRP with FlexConfig.

You can now configure EIGRP routing from the management center web interface.

You no longer need these FlexConfig objects: Eigrp_Configure, Eigrp_Interface_Configure, Eigrp_Unconfigure, Eigrp_Unconfigure_all.

And these associated text objects: eigrpAS, eigrpNetworks, eigrpDisableAutoSummary, eigrpRouterId, eigrpStubReceiveOnly, eigrpStubRedistributed, eigrpStubConnected, eigrpStubStatic, eigrpStubSummary, eigrpIntfList, eigrpAS, eigrpAuthKey, eigrpAuthKeyId, eigrpHelloInterval, eigrpHoldTime, eigrpDisableSplitHorizon.

The system does allow you to deploy post-upgrade, but also warns you to redo your EIGRP configurations. To help you with this process, we provide a command-line migration tool. For details, see Migrating FlexConfig Policies .

Deprecated: VXLAN with FlexConfig.

You can now configure VXLAN interfaces from the management center web interface.

You no longer need these FlexConfig objects: VxLAN_Clear_Nve, VxLAN_Clear_Nve_Only, VxLAN_Configure_Port_And_Nve, VxLAN_Make_Nve_Only, VxLAN_Make_Vni.

And these associated text objects: vxlan_Port_And_Nve, vxlan_Nve_Only, vxlan_Vni.

If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings.

Deprecated: Automatic pre-upgrade troubleshooting.

To save time and disk space, the management center upgrade process no longer automatically generates troubleshooting files before the upgrade begins. Note that device upgrades are unaffected and continue to generate troubleshooting files.

To manually generate troubleshooting files for the management center, choose System (system gear icon) > Health > Monitor, click Firewall Management Center in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

New Features in FMC Version 7.1

New Features

Table 12. New Features in FMC Version 7.1 Patches

New Feature

Description

Version 7.1.0.3

Automatically update CA bundles.

Upgrade impact. The system connects to Cisco for something new.

The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature.

New/modified CLI commands: configure cert-update auto-update , configure cert-update run-now , configure cert-update test , show cert-update

For more information, see the Firepower Management Center Command Line Reference in the management center administration guide, and the Cisco Secure Firewall Threat Defense Command Reference.

Table 13. New Features in FMC Version 7.1.0

New Feature

Description

Platform

Secure Firewall 3100

We introduced the Secure Firewall 3110, 3120, 3130, and 3140.

You can hot swap a network module of the same type while the firewall is powered up without having to reboot; making other module changes requires a reboot. Secure Firewall 3100 25 Gbps interfaces support Forward Error Correction as well as speed detection based on the SFP installed. The SSDs are self-encrypting drives (SEDs), and if you have 2 SSDs, they form a software RAID. These devices support up to 8 units for Spanned EtherChannel clustering.

Note that the Version 7.1.0 release does not include online help for these devices; new online help is included in Version 7.1.0.2.

New/modified screens:

  • Devices > Device Management > Add Cluster

  • Devices > Device Management > More

  • Devices > Device Management > Cluster

  • Devices > Device Management > Chassis Operations

  • Devices > Device Management > Interfaces > edit physical interface > Hardware Configuration

  • Devices > Device Management

New/modified FTD CLI commands: configure network speed , configure raid , show raid , show ssd

FMCv300 for AWS

FMCv300 for OCI

We introduced the FMCv300 for both AWS and OCI. The FMCv300 can manage up to 300 devices.

FTDv for AWS instances.

FTDv for AWS adds support for these instances:

  • c5a.xlarge, c5a.2xlarge, c5a.4xlarge

  • c5ad.xlarge, c5ad.2xlarge, c5ad.4xlarge

  • c5d.xlarge, c5d.2xlarge, c5d.4xlarge

  • c5n.xlarge, c5n.2xlarge, c5n.4xlarge

  • i3en.xlarge, i3en.2xlarge, i3en.3xlarge

  • inf1.xlarge, inf1.2xlarge

  • m5.xlarge, m5.2xlarge, m5.4xlarge

  • m5a.xlarge, m5a.2xlarge, m5a.4xlarge

  • m5ad.xlarge, m5ad.2xlarge, m5ad.4xlarge

  • m5d.xlarge, m5d.2xlarge, m5d.4xlarge

  • m5dn.xlarge, m5dn.2xlarge, m5dn.4xlarge

  • m5n.xlarge, m5n.2xlarge, m5n.4xlarge

  • m5zn.xlarge, m5zn.2xlarge, m5zn.3xlarge

  • r5.xlarge, r5.2xlarge, r5.4xlarge

  • r5a.xlarge, r5a.2xlarge, r5a.4xlarge

  • r5ad.xlarge, r5ad.2xlarge, r5ad.4xlarge

  • r5b.xlarge, r5b.2xlarge, r5b.4xlarge

  • r5d.xlarge, r5d.2xlarge, r5d.4xlarge

  • r5dn.xlarge, r5dn.2xlarge, r5dn.4xlarge

  • r5n.xlarge, r5n.2xlarge, r5n.4xlarge

  • z1d.xlarge, z1d.2xlarge, z1d.3xlarge

FTDv for Azure instances.

FTDv for Azure adds support for these instances:

  • Standard_D8s_v3

  • Standard_D16s_v3

  • Standard_F8s_v2

  • Standard_F16s_v2

Use FDM to configure the FTD for management by the FMC.

When you perform initial setup using FDM, all interface configuration completed in FDM is retained when you switch to FMC for management, in addition to the Management and FMC access settings. Note that other default configuration settings, such as the access control policy or security zones, are not retained. When you use the FTD CLI, only the Management and FMC access settings are retained (for example, the default inside interface configuration is not retained).

After you switch to FMC, you can no longer use FDM to manage the FTD.

New/modified FDM screens: System Settings > Management Center

Device Upgrade

Revert a successful device upgrade.

You can now revert major and maintenance upgrades to FTD. Reverting returns the software to its state just before the last upgrade, also called a snapshot. If you revert an upgrade after installing a patch, you revert the patch as well as the major and/or maintenance upgrade.

Important

 

If you think you might need to revert, you must use System (system gear icon) > Updates to upgrade FTD. The System Updates page is the only place you can enable the Enable revert after successful upgrade option, which configures the system to save a revert snapshot when you initiate the upgrade. This is in contrast to our usual recommendation to use the wizard on the Devices > Device Upgrade page.

This feature is not supported for container instances.

Minimum FTD: 7.1

Improvements to the upgrade workflow for clustered and high availability devices.

We made the following improvements to the upgrade workflow for clustered and high availability devices:

  • The upgrade wizard now correctly displays clustered and high availability units as groups, rather than as individual devices. The system can identify, report, and preemptively require fixes for group-related issues you might have. For example, you cannot upgrade a cluster on the Firepower 4100/9300 if you have made unsynced changes on Firepower Chassis Manager.

  • We improved the speed and efficiency of copying upgrade packages to clusters and high availability pairs. Previously, the FMC copied the package to each group member sequentially. Now, group members can get the package from each other as part of their normal sync process.

  • You can now specify the upgrade order of data units in a cluster. The control unit always upgrades last.

Snort 3 backwards compatibility.

For Snort 3, new features and resolved bugs require that you fully upgrade the FMC and its managed devices. Unlike Snort 2, you cannot update the inspection engine on an older device (for example, Version 7.0) by deploying from a newer FMC (for example, Version 7.1).

When you deploy to an older device, the system lists any unsupported configurations and warns you that they will be skipped. We recommend you always update your entire deployment.

Device Management

Geneve interface support for an FTDv on AWS instances.

Geneve encapsulation support was added to support single-arm proxy for the AWS Gateway Load Balancer (GWLB). The AWS GWLB combines a transparent network gateway (with a single entry and exit point for all traffic) and a load balancer that distributes traffic and scales FTDv to match the traffic demand.

This support requires FMC with Snort 3 enabled and is available on the following performance tiers:

  • FTDv20

  • FTDv30

  • FTDv50

  • FTDv100

Single Root I/O Virtualization (SR-IOV) support for FTDv on OCI.

You can now implement Single Root Input/Output Virtualization (SR-IOV) for FTDv on OCI. SR-IOV can provide performance improvements for an FTDv. Mellanox 5 as vNICs are not supported in SR-IOV mode.

LLDP support for the Firepower 1100.

You can now enable Link Layer Discovery Protocol (LLDP) for Firepower 1100 interfaces.

New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration > LLDP

New/modified commands: show lldp status , show lldp neighbors , show lldp statistics

Supported platforms: Firepower 1100 (1120, 1140, and 1150)

Interface auto-negotiation is now set independently from speed and duplex, interface sync improved.

Interface auto-negotiation is now set independently from speed and duplex. Also, when you sync the interfaces in FMC, hardware changes are detected more effectively.

New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration > Speed

Supported platforms: Firepower 1000/2100, Secure Firewall 3100

Support to specify trusted DNS servers.

You can use FTD platform settings to specify trusted DNS servers for DNS snooping. This helps detect applications on the first packet by mapping domains to IP addresses. By default, trusted DNS servers include those in DNS server objects, and those discovered by dhcp-pool, dhcp-relay, and dhcp-client.

Import and export device configurations.

You can export the device-specific configuration, and you can then import the saved configuration for the same device in the following use cases:

  • Moving the device to a different FMC.

  • Restore an old configuration.

  • Reregistering a device.

New/modified screens: Devices > Device Management > Device > General

High Availability/Scalability

High availability for:

  • FMCv for AWS

  • FMCv for OCI

We now support high availability on FMCv for AWS and FMCv for OCI.

In an FTD deployment, you need two identically licensed FMCs, as well as one FTD entitlement for each managed device. For example, to manage 10 FTD devices with an FMCv10 high availability pair, you need two FMCv10 entitlements and 10 FTD entitlements. If you are managing Version 6.5.0–7.0.x Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv entitlements.

Supported platforms: FMCv10, FMCv25, FMCv300 (not supported for FMCv2)

Autoscale on FTDv for OCI.

We now support autoscaling on FTDv for OCI.

The serverless infrastructure in cloud-based deployments allow you to automatically adjust the number of FTDv instances in an autoscale group based on capacity needs. This includes automatic registering/unregistering to and from the managing FMC.

Cluster deployment for firewall changes completes faster.

Cluster deployment for firewall changes now completes faster.

Supported platforms: Firepower 4100/9300, Secure Firewall 3100

Clearing routes in a high availability group or cluster.

In previous releases, the clear route command cleared the routing table on the unit only. Now, when operating in a high availability group or cluster, the command is available on the active or control unit only, and clears the routing table on all units in the group or cluster.

NAT

Manual NAT support for fully-qualified domain name (FQDN) objects as the translated destination.

You can use an FQDN network object, such as one specifying www.example.com, as the translated destination address in manual NAT rules. The system configures the rule based on the IP address returned from the DNS server.

Routing

BGP configuration to interconnect virtual routers.

You can configure BGP settings to dynamically leak routes among user-defined virtual routers, and between global virtual router and user-defined virtual routers. The import and export routes feature was introduced to exchange routes among the virtual routers by tagging them with route targets and optionally, filtering the matched routes with route maps. This BGP feature is accessible only when you select a user-defined virtual router.

New/modified screens: For a selected user-defined virtual router, Devices > Device Management > Routing > BGPv4/v6 > Route Import/Export

BGPv6 support for user-defined virtual routers.

FTD now supports configuring BGPv6 on user-defined virtual routers.

New/modified screens: For a selected user-defined virtual router, Devices > Device Management > Routing > BGPv6

Equal-Cost-Multi-Path (ECMP) zone support.

You can now group interfaces in traffic zones and configure Equal-Cost-Multi-Path (ECMP) routing in FMC.

ECMP routing was previously supported through FlexConfig policies.

New/modified screens: Devices > Device Management > Routing > ECMP

Direct Internet Access/Policy Based Routing

Direct internet access with policy based routing.

You can now configure policy based routing through the FMC to classify network traffic based on applications and to implement Direct Internet Access (DIA) to send traffic to the internet from a branch deployment. You can define a PBR policy and configure it on ingress interfaces, specifying match criteria and egress interfaces. Network traffic that matches the access control policy is forwarded through the egress interface based on priority or the order as configured in the policy.

New/modified screens: New policy page for configuring the policy based routing policy: Devices > Device Management > Routing > Policy Based Routing

Supported platforms: FTD

FMC REST API enhancements for direct internet access and policy based routing.

You can use the FMC REST API to configure Direct Internet Access through Policy Based Routing. The following enhancements have been made to the FMC REST API to support this:

  • New APIs were added to enable you to create, view, edit, and delete your Policy Based Routing configuration

  • New parameters added to existing APIs for Extended Access Control Lists to define applications

  • New parameters added to existing APIs for device interfaces to define interface priority

Remote Access VPN

Copy RA VPN policies.

You can now create a new RA VPN policy by copying an existing policy. We added a copy button next to each policy on Devices > VPN > Remote Access.

AnyConnect VPN SAML external browser.

You can now configure AnyConnect VPN SAML External Browser to enable additional authentication choices, such as passwordless authentication, WebAuthN, FIDO, SSO, U2F, and an improved SAML experience due to the persistence of cookies. When you use SAML as the primary authentication method for a remote access VPN connection profile, you can elect to have the AnyConnect client use the client’s local browser instead of the AnyConnect embedded browser to perform the web authentication. This option enables single sign-on (SSO) between your VPN authentication and other corporate logins. Also choose this option if you want to support web authentication methods, such as biometric authentication and Yubikeys, that cannot be performed in the embedded browser.

We updated the remote access VPN connection profile wizard to allow you to configure the SAML Login Experience.

Multiple trustpoints for SAML identity providers on Microsoft Azure.

You can now add multiple RA VPN trustpoints for SAML identity providers, as required by Microsoft Azure.

In a Microsoft Azure network, Azure can support multiple applications for the same Entity ID. Each application (typically mapped to a different tunnel group) requires a unique certificate. This feature enables you to add multiple trustpoints for RA VPN in FTDv for Microsoft Azure.

Site to Site VPN

VPN filters.

You can now configure site to site VPN filters with rules that determine whether to allow or reject tunneled data packets based on criteria such as source address, destination address, and protocol.

The VPN filter is applied to post-decrypted traffic after it exits a tunnel and to pre-encrypted traffic before it enters a tunnel.

Unique local tunnel ID for IKEv2.

You can now configure a Local Tunnel ID per IKEv2 tunnel for both policy-based and route-based Site to Site VPNs. You can configure the local tunnel ID with the FMC web interface or from the REST API.

This local tunnel ID configuration enables Umbrella SIG integration with FTD.

Multiple IKE policies.

You can now configure multiple IKE policies for both policy-based and route-based Site to Site VPNs.

Multiple IKE policies can be configured through the FMC GUI and the REST API.

VPN monitoring dashboard.

Beta.

The Site to Site VPN Monitoring Dashboard provides:

  • Visualization of tunnel status distribution across all devices

  • Visualization of network topology consisting of VPN tunnels

  • Ability to visually isolate and examine tunnels based on criteria like Topology, Device and Status

Note

 

The Site to Site Monitoring Dashboard is a Beta feature and may not work as expected. Do not use it in production environments.

Security Intelligence

Snort 3 support for Security Intelligence on proxied traffic.

With Snort 3, you can now apply Security Intelligence to HTTP proxy traffic where the IP address is embedded into the HTTP request. For example, when a user uploads a Block list or an Allow list containing IP addresses or networks, the system matches on the destination server IP instead of proxy IP. As a result, traffic to the destination server can be blocked, monitored, or allowed (according to your Security Intelligence configuration).

Intrusion Detection and Prevention

Snort 3 support for drop, reject, rewrite, and pass rule actions.

Version 7.1 FMCs now support the following intrusion rule actions for FTD devices with Snort 3, including Version 7.0 devices:

  • Drop: Drops the matching packet, but does not block further traffic in this connection. Generates an intrusion event.

  • Reject: Drops the matching packet and blocks further traffic in this connection. For TCP traffic, sends a TCP reset. For UDP traffic, sends ICMP port unreachable to the source and destination hosts. Generates an intrusion event.

  • Rewrite: Overwrites the matching packet based on the replace option in the rule. Generates an intrusion event.

  • Pass: Allows matching packet to pass without further evaluation by any other intrusion rules. Does not generate an intrusion event.

To configure these new rule actions, edit the Snort 3 version of an intrusion policy and use the Rule Action drop-down for each rule.

Snort 3 support for TLS-based intrusion rules.

You can now create TLS-based intrusion rules to inspect decrypted TLS traffic with Snort 3. This feature allows Snort 3 intrusion rules to use TLS information.

Snort 3 support for inspection of DCE/RPC over SMB2.

Upgrade impact.

Version 7.1 with Snort 3 supports DCE/RPC inspection over SMB2.

After the first post-upgrade deploy to Snort 3 devices, existing DCE/RPC rules begin inspecting DCE/RPC over SMB2; previously these rules only inspected DCE/RPC over SMB1.

Snort 3 support for intrusion rule recommendations.

Version 7.1 FMCs now support intrusion rule recommendations for FTD devices with Snort 3, including Version 7.0 devices.

To configure this feature, edit the Snort 3 version of an intrusion policy and click the Recommendations button (in the left pane, next to All Rules).

Snort 3 support for ssl_version and ssl_state keywords.

Upgrade impact.

Version 7.1 with Snort 3 supports the ssl_version and ssl_state intrusion rule keywords.

Cisco-provided intrusion policies include active rules using those keywords. You can also create, upload, and deploy custom/third party rules using them. In Version 7.0.x, we supported those keywords with Snort 2 only. With Snort 3, rules with those keywords did not match traffic, and thus could not generate alerts or affect traffic. There was no indication that the rules were not working as expected. After the first post-upgrade deploy to Version 7.1+ Snort 3 devices, existing rules with those keywords can match traffic.

Identity Services and User Control

Snort 3 captive portal support for interception of HTTP/2 traffic.

You can now intercept and redirect HTTP/2 traffic for user authentication with captive portal.

When a redirect is received by the browser, the browser follows the redirect and authenticates with idhttpsd (Apache web server) using the same process as the HTTP/1 captive portal. After authentication, idhttpsd redirects the user back to the original URL.

Snort 3 captive portal support for hostname-based redirect.

You can configure active authentication for identity policy rules to redirect the user’s authentication to a fully-qualified domain name (FQDN) rather than the IP address of the interface through which the user’s connection enters the device.

The FQDN must resolve to the IP address of one of the interfaces on the device. By using an FQDN, you can assign a certificate for active authentication that the client will recognize, thus avoiding the untrusted certificate warning users get when being redirected to an IP address. The certificate can specify the FQDN, a wildcard FQDN, or multiple FQDNs in the Subject Alternate Names (SAN) in the certificate.

New/modified screens: We added the Redirect to Host Name option in the identity policy settings.

Encrypted Traffic Handling (TLS/SSL)

Advanced TLS/SSL policy options.

You can now configure the following advanced TLS/SSL policy options in the Advanced Settings tab on the SSL Policy page:

  • Block flows requesting ESNI (Encrypted Server Name Identification)

  • Disable HTTP/3 advertisement

  • Propagate untrusted server certificates to clients

Encrypted Visibility Engine for visibility into encrypted sessions.

Beta.

You can enable the Encrypted Visibility Engine to gain visibility into an encrypted session without needing to decrypt it. The engine fingerprints and analyzes encrypted traffic. In FMC 7.1, the Encrypted Visibility Engine provides more visibility into encrypted traffic, including protocols such as TLS and QUIC. It does not enforce any actions on that traffic.

The Encrypted Visibility Engine is disabled by default. You can enable it on the Advanced tab of an access control policy in the Experimental Features section.

New/modified screens: Policies > Access Control > Access Control Policy name > Advanced

Note

 

The Encrypted Visibility Engine is an experimental Beta feature provided for visibility. It may cause false positives.

Service Policy

Configure the maximum segment size (MSS) for embryonic connections.

You can configure a service policy to set the server maximum segment size (MSS) for SYN-cookie generation for embryonic connections upon reaching the embryonic connections limit. This is meaningful for service policies where you are also setting embryonic connection maximums.

New/modified screens: Connection Settings in the Add/Edit Service Policy wizard.

Network Discovery

Improved Snort 3 support for network discovery (remote network access support).

With improvements to network discovery and remote network access support, Snort 3 is now at parity with Snort 2 for those features. The improvements include:

  • Discovery of hosts and applications for SMB traffic: For SMB traffic on your network, the host is discovered in the network map, and the SMB application protocol and associated operating system information are discovered.

  • Discovery of NetBIOS traffic: For NetBIOS traffic, the NetBIOS name is discovered as well as associated information related to applications, such as the client application and operating system.

  • Discovery of applications only for hosts/networks monitored by the network discovery policy: This enhancement to the filtering logic enables you to discover applications for networks that are being monitored based on a network discovery rule.

In Snort 3, application detection is always enabled for all networks by default.

Event Logging and Analysis

Snort 3 support for elephant flow identification and monitoring.

With FTD running Snort 3, you can now identify elephant flows—single-session network connections that are large enough to affect overall system performance. By default, elephant flow detection is automatically enabled, and tracks and logs connections larger than 1GB/10 seconds.

A new predefined search for connection events (Reason = Elephant Flow) allows you to quickly identify elephant flows. You can also use the health monitor to view active elephant flows on your devices, and to create a custom health dashboard to correlate elephant flow incidence with other device metrics such as CPU usage.

To disable this feature or to configure the size and time thresholds, use the FTD CLI.

New/modified FTD CLI commands:

  • show elephant-flow status

  • show elephant-flow detection-config

  • system support elephant-flow-detection enable

  • system support elephant-flow-detection disable

  • system support elephant-flow-detection bytes-threshold bytes-in-MB

  • system support elephant-flow-detection time-threshold time-in-seconds

Send intrusion events and retrospective malware events to the Secure Network Analytics cloud from the FMC.

Upgrade impact.

When you configure the system to send security events to the Stealthwatch cloud using Cisco Security Analytics and Logging (SaaS), the FMC now sends:

  • Intrusion events. This allows remotely stored intrusion events to include impact flag data. Previously, these events were sent to the cloud by FTD and did not include the impact flag.

  • Retrospective malware events. These supplement the "original disposition" file and malware events that are still sent to the cloud by devices.

If you already enabled this feature, the FMC starts sending this information after a successful upgrade.

New datastore for intrusion events improves performance.

To improve performance, Version 7.1 uses a new datastore for intrusion events. After the upgrade finishes and the FMC reboots, historical events are migrated in the background, newest events first.

As part of this migration, we deprecated intrusion incidents, the intrusion event clipboard, and custom tables for intrusion events. We also introduced two new fields in the intrusion event table: Source Host Criticality and Destination Host Criticality.

NAT IP address and port information in connection and Security Intelligence events.

For additional visibility into NAT translations, we added the following fields to connection and Security Intelligence events:

  • NAT Source IP

  • NAT Destination IP

  • NAT Source Port

  • NAT Destination Port

In the table view of events, these fields are hidden by default. To change the fields that appear, click the x in any column name to display a field chooser.

Packet tracer enhancements.

Version 7.1 updates the packet tracer interface for better usability. In addition, you can now:

  • Access the packet tracer directly from the main menu: Devices > Troubleshoot > Packet Tracer.

  • Save packet traces.

  • Run parallel packet traces across multiple devices.

  • Replay PCAPs through a device.

  • For Snort 3 devices, view enhanced output that provides new details on the phases of traffic evaluation from L2 to L7 (application identification, file/malware detection, intrusion detection, Security Intelligence, and so on), as well as how long each phase takes.

New/modified FTD CLI commands:

  • packet-tracer inputsource_interfacepcappcap_filename

Object Management

Network object support for HTTP, ICMP, and SSH platform settings.

You can now use network object groups that contain network objects for hosts or networks when configuring the IP addresses in the Threat Defense Platform Settings policy.

Snort 3 support for network wildcard mask objects.

You can now create and manage network wildcard mask objects on the Object Management page. You can use network wildcard mask objects in access control, prefilter, and NAT policies.

Deployment preview enhancements for objects.

You can now preview deployment changes to Geolocation, File List, and Security Intelligence objects.

Updated screen: Deploy > Deployment. In the Preview column, click the Preview icon for a device to see the changes to the file list objects.

Integrations

Support for Cisco ACI Endpoint Update App, Version 2.0 and remediation module.

Version 2.0 of the Cisco ACI Endpoint Update App has the following improvements over previous versions:

  • The minimum update interval (how often the app updates the FMC) is now 10 seconds. Previously, it was 30 seconds.

  • The site prefix (a string that creates a network group object on the FMC associated with each APIC tenant) is now limited to 10 characters. Previously, it was 5 characters.

A new Cisco ACI Endpoint remediation module is also available with this update.

Usability, Performance, and Troubleshooting

Health monitoring enhancements.

We updated the health monitor as follows:

  • The health policy editor now groups similar health modules. You can enable and disable entire module groups.

  • The health policy exclusion editor is updated for better usability. Also, when you exclude a device or health module from alerting, you can now specify a time period for the exclusion, from 15 minutes to permanently.

  • The health monitor alert editor is updated for better usability.

  • The health policy deployment interface is updated for better usability.

Note

 

To use the updated health monitor, you must enable REST API access on System (system gear icon) > Configuration > REST API Preferences.

New/modified screens:

  • System (system gear icon) > Health > Policy > Edit Policy

  • System (system gear icon) > Health > Exclude

  • System (system gear icon) > Health > Monitor Alerts

  • System (system gear icon) > Health > Policy > Deploy Policy

Deployment history enhancements.

You can now bookmark a deployment job, edit the deployment notes for a job, and generate a report.

Global search enhancements.

Global search now has the following capabilities:

  • You can search the full text of FMC walkthroughs (how-tos).

  • You can search extended community list names or configured values.

  • You can restrict searches by domain.

New walkthroughs.

We added the following walkthroughs:

  • Create a Snort 3 intrusion policy.

  • Enable or disable Snort 3 on an individual device.

  • Create a Snort 3 network analysis policy.

  • View the network analysis policy mapping.

  • Upgrade FTD.

  • Create and manage a cluster.

  • Change the FMC access interface from Management to Data.

  • Change the FMC access interface from Data to Management.

Snort memory usage telemetry sent to Cisco Success Network.

For improved serviceability, we now send telemetry on Snort memory and swap usage, including out-of-memory events, to Cisco Success Network.

We send this information for both Snort 2 and Snort 3. You can change your Cisco Success Network enrollment at any time.

Snort 3 support for statistics on start-of-flow and end-of-flow events.

For FTD with Snort 3, the output of the show snort statistics command now reports statistics on start-of-flow and end-of-flow events.

Web interface changes: SecureX, threat intelligence, and other integrations.

Version 7.1 changes these FMC menu options if you are upgrading from Version 7.0.2 or any later Version 7.0.x maintenance release.

Note

 

These changes will switch back in Version 7.2.

Integration > AMP > AMP Management

is now

AMP > AMP Management

Integration > AMP > Dynamic Analysis Connections

is now

AMP > Dynamic Analysis Connections

Integration > Intelligence > Sources

is now

Intelligence > Sources

Integration > Intelligence > Elements

is now

Intelligence > Elements

Integration > Intelligence > Settings

is now

Intelligence > Settings

Integration > Intelligence > Incidents

is now

Intelligence > Incidents

Integration > Other Integrations

is now

System (system gear icon) > Integration

Integration > Security Analytics & Logging

is now

System (system gear icon) > Logging > Security Analytics & Logging

Integration > SecureX

is now

System (system gear icon) > SecureX

FMC REST API

FMC REST API services/operations.

For information on changes to the FMC REST API, see What's New in 7.1 in the REST API quick start guide.

Deprecated Features

Table 14. Deprecated Features in FMC Version 7.1.0

Deprecated Feature

Description

End of support: FMC 1000, 2500, 4500.

You cannot run Version 7.1+ on the FMC models FMC 1000, 2500, and 4500. You cannot manage Version 7.1+ devices with these FMCs.

End of support: ASA 5508-X and 5516-X.

You cannot run Version 7.1+ on the ASA 5508-X or 5516-X.

End of support: NGIPS software (ASA FirePOWER/NGIPSv).

Version 7.1 is supported on the FMC and on FTD devices only. It is not supported on ASA FirePOWER or NGIPSv devices.

You can still use a Version 7.1 FMC to manage older devices — FTD as well as ASA FirePOWER and NGIPSv — that are running Version 6.5 through 7.0.

Deprecated: Intrusion incidents and the intrusion event clipboard.

Data and configurations can be deleted.

We removed the intrusion incidents feature and the related intrusion event clipboard. The upgrade removes all data related to incidents, and deletes report templates sections that use the clipboard as a data source.

Deprecated screens/options:

  • Analysis > Intrusions > Incidents

  • Analysis > Intrusions > Clipboard

  • Copy and Copy All on intrusion event workflow pages and packet views

  • When adding sections to a report template (Overview > Reporting > Report Templates), you can no longer choose the Clipboard table as a data source.

Deprecated: Custom tables for intrusion events.

Custom tables can be deleted.

Version 7.1 ends support for custom tables for intrusion events. The upgrade deletes custom tables that contain fields from the intrusion event table.

When adding fields to a custom table (Analysis > Advanced > Custom Tables), you can no longer choose the Intrusion Events table as a data source.

Deprecated: ECMP zones with FlexConfig.

FlexConfig settings ignored. Can prevent deploy.

You can now group interfaces in traffic zones and configure Equal-Cost-Multi-Path (ECMP) routing in the management center web interface. After upgrade, the system ignores ECMP zones configured with FlexConfig. You cannot deploy with equal-cost static routes exist and must assign their interfaces to an ECMP zone.

Temporarily deprecated: Improved SecureX integration, SecureX orchestration.

Can prevent upgrade.

Version 7.1 temporarily deprecates the SecureX integration and orchestration improvements introduced in Version 7.0.2. The improved experience returns in Version 7.2.

If you newly enabled SecureX integration in Version 7.0.2 or later maintenance release, you must disable the feature before you upgrade to Version 7.1. You can re-enable the feature after successful upgrade, using the older method. There are no upgrade issues if you enabled SecureX integration in Version 7.0.0 or 7.0.1, or if you upgrade to Version 7.2.

Deprecated: Geolocation details.

In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on.

The new country code package has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in an air-gapped deployment—make sure you get the country code package and not the IP package.

Important

 

This split does not affect geolocation rules or traffic handling in any way—those rules rely only on the data in the country code package. However, because the country code package essentially replaces the all-in-one package, the contextual data is no longer updated and will grow stale. To obtain fresh data, upgrade or reimage the FMC to Version 7.2+ and update the GeoDB.

New Features in FMC Version 7.0

New Features

Table 15. New Features in FMC Version 7.0.6

New Feature

Description

Updated web analytics provider.

Upgrade impact. Your browser connects to new resources.

While using the management center, your browser now contacts Amplitude (amplitude.com) instead of Google (google.com) for web analytics.

Web analytics provides non-personally-identifiable usage data to Cisco, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your management centers. You are enrolled in web analytics by default but you can change your enrollment at any time after you complete initial setup. Note that ad blockers can block web analytics, so if you choose to remain enrolled, please disable ad blocking for the hostnames/IP addresses of your Cisco appliances.

Minimum threat defense: Any

Version restrictions: Amplitude analytics are not supported in Version 7.0.0–7.0.5, 7.1.0–7.2.5, 7.3.x, or 7.4.0. If you upgrade from a supported version to an unsupported version, your browser resumes contacting Google.

Smaller VDB for lower memory Snort 2 devices.

For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB.

Minimum threat defense: Any, with Snort 2

Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X

Version restrictions: The ability to install a smaller VDB depends on the version of the FMC, not managed devices. If you upgrade the FMC from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641.

Table 16. New Features in FMC Version 7.0.5

New Feature

Description

ISA 3000 System LED support for shutting down.

When you shut down the ISA 3000, the System LED turns off. Wait at least 10 seconds after that before you remove power from the device.

Version restrictions: Version 7.1 temporarily deprecates support for this feature. Support returns in Version 7.3.

Automatically update CA bundles.

Upgrade impact. The system connects to Cisco for something new.

The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature.

New/modified CLI commands: configure cert-update auto-update , configure cert-update run-now , configure cert-update test , show cert-update

Version restrictions: This feature is not supported in Version 7.0.0–7.0.4, 7.1.0–7.1.0.2, or 7.2.0–7.2.3. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco.

For more information, see the Firepower Management Center Command Line Reference in the FMC configuration guide, and the Cisco Secure Firewall Threat Defense Command Reference.

Table 17. New Features in FMC Version 7.0.3

New Feature

Description

FTD support for cloud-delivered management center.

Version 7.0.3 FTD devices support management by the cloud-delivered management center, which we introduced in spring of 2022. The cloud-delivered management center uses the Cisco Defense Orchestrator (CDO) platform and unites management across multiple Cisco security solutions. We take care of feature updates.

You should use Version 7.0.3 FTD with the cloud-delivered management center if:

  • You are currently using a customer-deployed hardware or virtual FMC.

  • You want to migrate to the cloud-delivered management center right now.

  • You do not want to upgrade devices to Version 7.2+, which also supports management by the cloud-delivered management center.

If this is your situation, you should:

  1. Upgrade the current FMC to Version 7.2+.

    Although you can technically use a Version 7.0.3 or 7.1 FMC to upgrade FTD to Version 7.0.3, you will not be able to easily migrate devices to the cloud-delivered management center, nor will you be able to leave the devices registered to the customer-deployed management center for event logging and analytics purposes only ("analytics only").

  2. Use the upgraded FMC to upgrade devices to Version 7.0.3.

  3. Enable cloud management on the devices.

    For Version 7.0.x devices only, you must enable cloud management from the device CLI: configure manager-cdo enable . The show manager-cdo command displays whether cloud management is enabled.

  4. Use CDO's Migrate FTD to Cloud wizard to migrate the devices to the cloud-delivered management center.

    Optionally, leave the devices registered to the customer-deployed management center as analytics-only devices. Or, you can send security events to the Cisco cloud with Security Analytics and Logging (SaaS).

The cloud-delivered Firewall Management Center cannot manage threat defense devices running Version 7.1, or Classic devices running any version. You cannot upgrade a cloud-managed device from Version 7.0.x to Version 7.1 unless you unregister and disable cloud management. We recommend you upgrade the device directly to Version 7.2+.

New/modified CLI commands: configure manager add , configure manager delete , configure manager edit , show managers

For more information, see Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator.

Table 18. New Features in FMC Version 7.0.2

New Feature

Description

ISA 3000 support for shutting down.

You can now shut down the ISA 3000; previously, you could only reboot the device.

Note

 

Version 7.1 temporarily deprecates support for this feature. Support returns in Version 7.2.

Dynamic object names now support the dash character.

Dynamic object names now support the dash character. This is especially useful if you are using the ACI endpoint update app (where the dash character is allowed), to create dynamic objects on the FMC that represent tenant endpoint groups.

Minimum threat defense: 7.0.2

Improved SecureX integration, SecureX orchestration.

We have streamlined the SecureX integration process. Now, as long as you already have a SecureX account, you just choose your cloud region on the new Integration > SecureX page, click Enable SecureX, and authenticate to SecureX. The option to send events to the cloud, as well as to enable Cisco Success Network and Cisco Support Diagnostics, are also moved to this new page.

When you enable SecureX integration on this new page, licensing and management for the system's cloud connection switches from Cisco Smart Licensing to SecureX. If you already enabled SecureX the "old" way, you must disable and re-enable to get the benefits of this cloud connection management.

Note that this page also governs the cloud region for and event types sent to the Secure Network Analytics (Stealthwatch) cloud using Security Analytics and Logging (SaaS), even though the web interface does not indicate this. Previously, these options were on System (system gear icon) > Integration > Cloud Services. Enabling SecureX does not affect communications with the Secure Network Analytics cloud; you can send events to both.

The management center also now supports SecureX orchestration—a powerful drag-and-drop interface you can use to automate workflows across security tools. After you enable SecureX, you can enable orchestration.

As part of this feature, you can no longer use the REST API to configure SecureX integration. You must use the FMC web interface.

Version restrictions: This feature is temporarily deprecated in Version 7.1, but returns in Version 7.2. Note that if you use the new method to enable SecureX integration, you must disable the feature before you upgrade to Version 7.1. You can re-enable the feature after successful upgrade. Upgrades to Version 7.2+ are not affected.

For more information, see the Cisco Secure Firewall Management Center (7.0.2 and 7.2) and SecureX Integration Guide.

Web interface changes: SecureX, threat intelligence, and other integrations.

We changed these FMC menu options.

Note

 

These changes are temporarily deprecated in Version 7.1, but come back in Version 7.2.

AMP > AMP Management

is now

Integration > AMP > AMP Management

AMP > Dynamic Analysis Connections

is now

Integration > AMP > Dynamic Analysis Connections

Intelligence > Sources

is now

Integration > Intelligence > Sources

Intelligence > Elements

is now

Integration > Intelligence > Elements

Intelligence > Settings

is now

Integration > Intelligence > Settings

Intelligence > Incidents

is now

Integration > Intelligence > Incidents

System (system gear icon) > Integration

is now

Integration > Other Integrations

System (system gear icon) > Logging > Security Analytics & Logging

is now

Integration > Security Analytics & Logging

System (system gear icon) > SecureX

is now

Integration > SecureX

Table 19. New Features in FMC Version 7.0.1

New Feature

Description

Snort 3 rate_filter inspector.

We introduced the Snort 3 rate_filter inspector.

This allows you to change the action of an intrusion rule in response to excessive matches on that rule. You can block rate-based attacks for a specific length of time, then return to allowing matching traffic while still generating events. For more information, see the Snort 3 Inspector Reference.

New/modified pages: Configure the inspector by editing the Snort 3 version of a custom network analysis policy.

Supported platforms: FTD

Version restrictions: This feature requires Version 7.0.1+ on both the FMC and the device. Additionally, you must be running lsp-rel-20210816-1910 or later. You can check and update the LSP on System (system gear icon) > Updates > Rule Updates.

New default password for ISA 3000 with ASA FirePOWER Services

For new devices, the default password for the admin account is now Adm!n123. Previously, the default admin password was Admin123.

Upgrading or reimaging to Version 7.0.1+ does not change the password. However, we do recommend that all user accounts—especially those with Admin access—have strong passwords.

Supported platforms: ISA 3000 with ASA FirePOWER Services

Table 20. New Features in FMC Version 7.0.0

New Feature

Description

Platform

VMware vSphere/VMware ESXi 7.0 support.

You can now deploy FMCv, FTDv, and NGIPSv virtual appliances on VMware vSphere/VMware ESXi 7.0.

Note that Version 7.0 also discontinues support for VMware 6.0. Upgrade the hosting environment to a supported version before you upgrade the Firepower software.

New virtual environments.

We introduced FMCv and FTDv for:

  • Cisco HyperFlex

  • Nutanix Enterprise Cloud

  • OpenStack

For FMCv, all these implementations support FMCv2, v10, and v25.

FMCv for HyperFlex also supports high availability with FMCv10 and v25. In an FTD deployment, you need two identically licensed FMCs, as well as one FTD entitlement for each managed device. For example, to manage 10 devices with an FMCv10 high availability pair, you need two FMCv10 entitlements and 10 FTD entitlements. If you are managing Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv entitlements.

FTDv performance tiered Smart Licensing.

Upgrade impact. Upgrading automatically assigns devices to the FTDv50 tier.

FTDv now supports performance-tiered Smart Software Licensing, based on throughput requirements and RA VPN session limits. Options run from FTDv5 (100 Mbps/50 sessions) to FTDv100 (16 Gbps/10,000 sessions).

Before you add a new device, make sure your account contains the licenses you need. To purchase additional licenses, contact your Cisco representative or partner contact.

Upgrading FTDv to Version 7.0 automatically assigns the device to the FTDv50 tier. To continue using your legacy (non-tiered) license, after upgrade, change the tier to Variable.

For more information on supported instances, throughputs, and other hosting requirements, see the appropriate Getting Started Guide.

New/modified pages:

  • You can now specify a performance tier when adding or editing an FTDv device on the Device > Device Management page.

  • You can bulk-edit performance tiers on System (system gear icon) > Licenses > Smart Licenses > page.

High Availability/Scalability

Improved PAT port block allocation for clustering

The improved PAT port block allocation ensures that the control unit keeps ports in reserve for joining nodes, and proactively reclaims unused ports. To best optimize the allocation, you can set the maximum nodes you plan to have in the cluster using the cluster-member-limit command using FlexConfig. The control unit can then allocate port blocks to the planned number of nodes, and it will not have to reserve ports for extra nodes you don't plan to use. The default is 16 nodes. You can also monitor syslog 747046 to ensure that there are enough ports available for a new node.

New/modified commands: cluster-member-limit (FlexConfig), show nat pool cluster [summary] , show nat pool ip detail

Supported platforms: Firepower 4100/9300

FTD CLI show cluster history improvements.

New keywords allow you to customize the output of the show cluster history command.

New/modified commands: show cluster history [brief ] [latest ] [reverse ] [time ]

Supported platforms: Firepower 4100/9300

FTD CLI command to permanently leave a cluster.

You can now use the FTD CLI to permanently remove a unit from the cluster, converting its configuration to a standalone device.

New/modified commands: cluster reset-interface-mode

Supported platforms: Firepower 4100/9300

NAT

Prioritized system-defined NAT rules.

We added a new Section 0 to the NAT rule table. This section is exclusively for the use of the system. Any NAT rules that the system needs for normal functioning are added to this section, and these rules take priority over any rules you create. Previously, system-defined rules were added to Section 1, and user-defined rules could interfere with proper system functioning.

You cannot add, edit, or delete Section 0 rules, but you will see them in show nat detail command output.

Supported platforms: FTD

Virtual Routing

Virtual router support for the ISA 3000.

You can now configure up to 10 virtual routers on an ISA 3000 device.

Supported platforms: ISA 3000

Site to Site VPN

Backup virtual tunnel interfaces (VTI) for route-based site-to-site VPN.

When you configure a site-to-site VPN that uses virtual tunnel interfaces, you can select a backup VTI for the tunnel.

Specifying a backup VTI provides resiliency, so that if the primary connection goes down, the backup connection might still be functional. For example, you could point the primary VTI to the endpoint of one service provider, and the backup VTI to the endpoint of a different service provider.

New/modified pages: We added the ability to add a backup VTI to the site-to-site VPN wizard when you select Route-Based as the VPN type for a point-to-point connection.

Supported platforms: FTD

Remote Access VPN

Load balancing.

We now support RA VPN load balancing. The system distributes sessions among grouped devices by number of sessions; it does not consider traffic volume or other factors.

New/modified screens: We added load balancing options to the Advanced settings in an RA VPN policy.

Supported platforms: FTD

Local authentication.

We now support local authentication for RA VPN users. You can use this as the primary or secondary authentication method, or as a fallback in case the configured remote server cannot be reached.

  1. Create a local realm.

    Local usernames and passwords are stored in local realms. When you create a realm (System (system gear icon) > Integration > Realms) and select the new LOCAL realm type, the system prompts you to add one or more local users.

  2. Configure RA VPN to use local authentication.

    Create or edit an RA VPN policy (Devices > VPN > Remote Access), create a connection profile within that policy, then specify LOCAL as the primary, secondary, or fallback authentication server in that connection profile.

  3. Associate the local realm you created with an RA VPN policy.

    In the RA VPN policy editor, use the new Local Realm setting. Every connection profile in the RA VPN policy that uses local authentication will use the local realm you specify here.

Supported platforms: FTD

Dynamic access policies.

The new dynamic access policy allows you to configure remote access VPN authorization that automatically adapts to a changing environment:

  1. Configure HostScan by uploading the AnyConnect HostScan package as an AnyConnect file (Objects > Object Management > VPN > AnyConnect File). There is a new HostScan Package option in the File Type drop-down list.

    This module runs on endpoints and performs a posture assessment that the dynamic access policy will use.

  2. Create a dynamic access policy (Devices > Dynamic Access Policy).

    Dynamic access policies specify session attributes (such as group membership and endpoint security) that you want to evaluate each time a user initiates a session. You can then deny or grant access based on that evaluation.

  3. Associate the dynamic access policy you created with an RA VPN policy.

    In the remote access VPN policy editor, use the new Dynamic Access Policy setting.

Supported platforms: FTD

Multi-certificate authentication.

We now support multi-certificate authentication for remote access VPN users. You can validate the machine or device certificate, to ensure the device is a corporate-issued device, in addition to authenticating the user’s identity certificate to allow VPN access using the AnyConnect client during SSL or IKEv2 EAP phase.

Supported platforms: FTD

AnyConnect custom attributes.

We now support AnyConnect custom attributes, and provide an infrastructure to configure AnyConnect client features without adding explicit support for these features in the system.

Supported platforms: FTD

Access Control

Snort 3 for FTD.

For new FTD deployments, Snort 3 is now the default inspection engine. Upgraded deployments continue to use Snort 2, but you can switch at any time.

Advantages to using Snort 3 include, but are not limited to:

  • Improved performance.

  • Improved SMBv2 inspection.

  • New script detection capabilities.

  • HTTP/2 inspection.

  • Custom rule groups.

  • Syntax that makes custom intrusion rules easier to write.

  • Reasons for 'would have dropped' inline results in intrusion events.

  • No Snort restarts when deploying changes to the VDB, SSL policies, custom application detectors, captive portal identity sources, and TLS server identity discovery.

  • Improved serviceability, due to Snort 3-specific telemetry data sent to Cisco Success Network, and to better troubleshooting logs.

A Snort 3 intrusion rule update is called an LSP (Lightweight Security Package) rather than an SRU. The system still uses SRUs for Snort 2; downloads from Cisco contain both the latest LSP and SRU. The system automatically uses the appropriate rule set for your configurations.

The FMC can manage a deployment with both Snort 2 and Snort 3 devices, and will apply the correct policies to each device. However, unlike Snort 2, you cannot update Snort 3 on a device by upgrading the FMC only and then deploying. With Snort 3, new features and resolved bugs require you upgrade the software on the FMC and its managed devices. For information on the Snort included with each software version, see the Bundled Components section of the Cisco Firepower Compatibility Guide.

Important

 

Before you switch to Snort 3, we strongly recommend you read and understand the Firepower Management Center Snort 3 Configuration Guide. Pay special attention to feature limitations and migration instructions. Although upgrading to Snort 3 is designed for minimal impact, features do not map exactly. Careful planning and preparation can help you make sure that traffic handled as expected.

You can also visit the Snort 3 website: https://snort.org/snort3.

Supported platforms: FTD

Dynamic objects.

You can now use dynamic objects in access control rules.

A dynamic object is just a list of IP addresses/subnets (no ranges, no FQDN). But unlike a network object, changes to dynamic objects take effect immediately, without having to redeploy. This is useful in virtual and cloud environments, where IP addresses often dynamically map to workload resources.

To create and manage dynamic objects, we recommend the Cisco Secure Dynamic Attributes Connector. The connector is a separate, lightweight application that quickly and seamlessly updates firewall policies based on workload changes. To do this, it gets workload attributes from tagged resources in your environment, and compiles an IP list based on criteria you specify (a “dynamic attributes filter”). It then creates a dynamic object on the FMC and populates it with the IP list. When your workload changes, the connector updates the dynamic object and the system immediately starts handling traffic based on the new mappings. For more information, see the Cisco Secure Dynamic Attributes Connector Configuration Guide.

After you create a dynamic object, you can add it to access control rules on the new Dynamic Attributes tab in the access control rule editor. This tab replaces the narrower-focus SGT/ISE Attributes tab; continue to configure rules with SGT attributes here.

Note

 

You can also create a dynamic object on the FMC: Objects > Object Management > External Attributes > Dynamic Objects. However, this creates the container only; you must then populate and manage it using the REST API. See the Firepower Management Center REST API Quick Start Guide, Version 7.0.

Supported platforms: FMC

Supported virtual/cloud workloads for Cisco Secure Dynamic Attributes Connector integration: Microsoft Azure, AWS, VMware

Cross-domain trust for Active Directory domains.

You can now configure user identity rules with users from Microsoft Active Directory forests (groupings of AD domains that trust each other).

New/modified pages:

  • You now configure a realm and directories at the same time.

  • A new Sync Results page (System (system gear icon) > Integration > Sync Results) displays any errors related to downloading users and groups in a cross-domain trust relationship.

Supported platforms: FMC

DNS filtering.

DNS filtering, which was introduced as a Beta feature in Version 6.7, is now fully supported and is enabled by default in new access control policies.

Supported platforms: Any

Event Logging and Analysis

Improved process for storing events in a Secure Network Analytics on-prem deployment.

A new Cisco Security Analytics and Logging (On Premises) app and a new FMC wizard make it easier to configure remote data storage for on-prem Secure Network Analytics solutions:

  1. Deploy hardware or virtual Stealthwatch appliances.

    You can use a Stealthwatch Management Console alone, or you can configure Stealthwatch Management Console, flow collector, and data store.

  2. Install the new Cisco Security Analytics and Logging (On Premises) app on your Stealthwatch Management Console to configure Stealthwatch as a remote data store.

  3. On the FMC, use one of the new wizards on System (system gear icon) > Logging > Security Analytics & Logging to connect to your Stealthwatch deployment.

    Note that the wizards replace the narrower-focus page where you used to configure Stealthwatch contextual cross-launch; that is now a step in the wizard.

For upgraded deployments where you were using syslog to send Firepower events to Stealthwatch, disable those configurations before you use the wizard. Otherwise, you will get double events. To remove the syslog connection to Stealthwatch use FTD platform settings (Devices > Platform Settings); to disable sending events to syslog, edit your access control rules.

For more information, including Stealthwatch hardware and software requirements, see Cisco Security Analytics and Logging (On Premises): Firewall Event Integration Guide.

Supported platforms: FMC

Work with events stored remotely in a Secure Network Analytics on-prem deployment.

You can now use the FMC to work with connection events stored remotely in a Secure Network Analytics on-prem deployment.

A new Data Source option on the connection events page (Analysis > Connections > Events) and in the unified event viewer (Analysis > Unified Events) allows you to choose which connection events you want to work with. The default is to display locally stored connection events, unless there are none in the time range. In that case, the system displays remotely stored events..

We also added a data source option to report templates (Overview > Reporting > Report Templates), so that you can generate reports based on remotely stored connection events.

Note

 

This feature is supported for connection events only; cross-launch is still the only way to examine remotely stored Security Intelligence, intrusion, file and malware events. Even in the unified event viewer, the system only displays locally stored events of those types.

However, note that for every Security Intelligence event, there is an identical connection event—these are the events with reasons such as 'IP Block' or 'DNS Block.' You can work with those duplicated events on the connection events page or in the unified event viewer, but not on the dedicated Security Intelligence events page.

Supported platforms: FMC

Store all connection events in the Secure Network Analytics cloud.

You can now store all connection events in the Stealthwatch cloud using Cisco Security Analytics and Logging (SaaS). Previously, you were limited to security events: Security Intelligence, intrusion, file, and malware events, as well as their associated connection events.

To change the events you send to the cloud, choose System (system gear icon) > Integration. On the Cloud Services tab, edit the Cisco Cloud Event Configuration. The old option to send high priority connection events to the cloud has been replaced with a choice of All, None, or Security Events.

Note

 

These settings also control which events you send to SecureX. However, even if you choose to send all connection events to the cloud, SecureX consumes only the security (higher priority) connection events. Also note that you now configure the SecureX connection itself on Analysis > SecureX.

Supported platforms: FMC

Unified event viewer.

The unified event viewer (Analysis > Unified Events) displays connection, Security Intelligence, intrusion, file, and malware events in a single table. This can help you look relationships between events of different types.

A single search field allows you to dynamically filter the view based on multiple criteria, and a Go Live option displays events received from managed devices in real time.

Supported platforms: FMC

SecureX ribbon.

The SecureX ribbon on the FMC pivots into SecureX for instant visibility into the threat landscape across your Cisco security products.

To connect with SecureX and enable the ribbon, use System (system gear icon) > SecureX. Note that you must still use System (system gear icon) > Integration > Cloud Services to choose your cloud region and to specify which events to send to SecureX.

For more information, see the Cisco Secure Firewall Threat Defense and SecureX Integration Guide.

Supported platforms: FMC

Exempt all connection events from rate limiting when you turn off local storage.

Event rate limiting applies to all events sent to the FMC, with the exception of security events: Security Intelligence, intrusion, file, and malware events, as well as their associated connection events.

Now, disabling local connection event storage exempts all connection events from rate limiting, not just security events. To do this, set the Maximum Connection Events to zero on System (system gear icon) > Configuration > Database.

Note

 

Other than turning it off by setting it to zero, Maximum Connection Events does not govern connection event rate limiting. Any non-zero number in this field ensures that all lower-priority connection events are rate limited.

Note that disabling local event storage does not affect remote event storage, nor does it affect connection summaries or correlation. The system still uses connection event information for features like traffic profiles, correlation policies, and dashboard displays.

Supported platforms: FMC

Port and protocol displayed together in file and malware event tables.

In file and malware event tables, the port field now displays the protocol, and you can search port fields for protocol. For events that existed before upgrade, if the protocol is not known, the system uses "tcp."

New/modified pages:

  • Analysis > Files > Malware Events

  • Analysis > Files > File Events

Supported platforms: FMC

Upgrade

Improved FTD upgrade performance and status reporting.

FTD upgrades are now easier faster, more reliable, and take up less disk space. A new Upgrades tab in the Message Center provides further enhancements to upgrade status and error reporting.

Supported platforms: FTD

Upgrade wizard for FTD.

A new device upgrade page (Devices > Device Upgrade) on the FMC provides an easy-to-follow wizard for upgrading Version 6.4+ FTD devices. It walks you through important pre-upgrade stages, including selecting devices to upgrade, copying the upgrade package to the devices, and compatibility and readiness checks.

To begin, use the new Upgrade Firepower Software action on the Device Management page (Devices > Device Management > Select Action).

As you proceed, the system displays basic information about your selected devices, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a device does not "pass" a stage in the wizard, it does not appear in the next stage.

If you navigate away from wizard, your progress is preserved, although other users with Administrator access can reset, modify, or continue the wizard.

Note

 

You must still use System (system gear icon) > Updates to upload or specify the location of FTD upgrade packages. You must also use the System Updates page to upgrade the FMC itself, as well as all non-FTD managed devices.

Note

 

In Version 7.0, the wizard does not correctly display devices in clusters or high availability pairs. Even though you must select and upgrade these devices as a unit, the wizard displays them as standalone devices. Device status and upgrade readiness are evaluated and reported on an individual basis. This means it is possible for one unit to appear to "pass" to the next stage while the other unit or units do not. However, these devices are still grouped. Running a readiness check on one, runs it on all. Starting the upgrade on one, starts it on all.

To avoid possible time-consuming upgrade failures, manually ensure all group members are ready to move on to the next step of the wizard before you click Next.

Supported platforms: FTD

Upgrade more FTD devices at once.

The FTD upgrade wizard lifts the following restrictions:

  • Simultaneous device upgrades.

    The number of devices you can upgrade at once is now limited by your management network bandwidth—not the system's ability to manage simultaneous upgrades. Previously, we recommended against upgrading more than five devices at a time.

    Important

     

    Only upgrades to FTD Version 6.7+ see this improvement. If you are upgrading devices to an older FTD release—even if you are using the new upgrade wizard—we still recommend you limit to five devices at a time.

  • Grouping upgrades by device model.

    You can now queue and invoke upgrades for all FTD models at the same time, as long as the system has access to the appropriate upgrade packages.

    Previously, you would choose an upgrade package, then choose the devices to upgrade using that package. That meant that you could upgrade multiple devices at the same time only if they shared an upgrade package. For example, you could upgrade two Firepower 2100 series devices at the same time, but not a Firepower 2100 series and a Firepower 1000 series.

Supported platforms: FTD

Administration and Troubleshooting

Zero-touch restore for the ISA 3000 using the SD card.

When you perform a local backup, the backup file is copied to the SD card if present. To restore the configuration on a replacement device, simply install the SD card in the new device, and depress the Reset button for 3 to 15 seconds during the device bootup.

Supported platforms: ISA 3000

Selectively deploy RA and site-to-site VPN policies.

Selective policy deployment, which was introduced in Version 6.6, now supports remote access and site-to-site VPN policies.

New/modified pages: We added VPN policy options on the Deploy > Deployment page.

Supported platforms: FTD

New health modules.

We added the following health modules:

  • AMP Connection Status

  • AMP Threat Grid Status

  • ASP Drop

  • Advanced Snort Statistics

  • Chassis Status FTD

  • Event Stream Status

  • FMC Access Configuration Changes

  • FMC HA Status (replaces HA Status)

  • FTD HA Status

  • File System Integrity Check

  • Flow Offload

  • Hit Count

  • MySQL Status

  • NTP Status FTD

  • Rabbit MQ Status

  • Routing Statistics

  • SSE Connection Status

  • Sybase Status

  • Unresolved Groups Monitor

  • VPN Statistics

  • xTLS Counters

Additionally, full support returns for the Configuration Memory Allocation module, which was introduced in Version 6.6.3 as the Appliance Configuration Resource Utilization module, but was not fully supported in Version 6.7.

Supported platforms: FMC

Security and Hardening

New default password for AWS deployments.

The default password for the admin account is now the AWS Instance ID, unless you define a default password with user data (Advanced Details > User Data) during the initial deployment.

Previously, the default admin password was Admin123.

Supported platforms: FMCv for AWS, FTDv for AWS

EST for certificate enrollment.

Support for Enrollment over Secure Transport for certificate enrollment was provided.

New/modified pages: New enrollment options when configuring Objects > PKI > Cert Enrollment > CA Information tab.

Supported platforms: FMC

Support for EdDSA certificate type.

A new certificate key type- EdDSA was added with key size 256.

New/modified pages: New certificate key options when configuring Objects > PKI > Cert Enrollment > Key tab.

Supported platforms: FMC

AES-128 CMAC authentication for NTP servers.

You can now use AES-128 CMAC keys to secure connections between the FMC and NTP servers.

New/modified pages: System (system gear icon) > Configuration > Time Synchronization.

Supported platforms: FMC

SNMPv3 users can authenticate using a SHA-224 or SHA-384 authorization algorithm.

SNMPv3 users can now authenticate using a SHA-224 or SHA-384 algorithm.

New/modified pages: Devices > Platform Settings > SNMP > Users > Auth Algorithm Type

Supported platforms: FTD

Usability and Performance

Global search for policies and objects.

You can now search for certain policies by name, and for certain objects by name and configured value. This feature is not available with the Classic theme.

New/modified pages: We added capabilities to the Search icon and field on the FMC menu bar, to the left of the Deploy menu.

Supported platforms: FMC

Hardware crypto acceleration on FTDv using Intel QuickAssist Technology (QAT).

We now support hardware crypto acceleration (CBC cipher only) on FTDv for VMware and FTDv for KVM. This feature requires a Intel QAT 8970 PCI adapter/Version 1.7+ driver on the hosting platform. After you reboot, hardware crypto acceleration is automatically enabled.

Supported platforms: FTDv for VMware, FTDv for KVM

Improved CPU usage and performance for many-to-one and one-to-many connections.

The system no longer creates local host objects and locks them when creating connections, except for connections that involve dynamic NAT/PAT and scanning threat detection and host statistics. This improves performance and CPU usage in situations where many connections are going to the same server (such as a load balancer or web server), or one endpoint is making connections to many remote hosts.

We changed the following commands: clear local-host (deprecated), show local-host

Supported platforms: FTD

How-to location has changed.

Help > How-Tos now invokes walkthroughs. Previously, you clicked How-Tos at the bottom of the browser window.

FMC REST API

We added the following FMC REST API services/operations to support new and existing features. For more information, see the Firepower Management Center REST API Quick Start Guide, Version 7.0.

Device

alerts: GET

Integration

fmchastatuses: GET

securexconfigs: GET and PUT

Object

anyconnectcustomattributes, anyconnectpackages, anyconnectprofiles: GET

anyconnectcustomattributes/overrides: GET

applicationfilters: PUT, POST, and DELETE

certificatemaps: GET

dnsservergroups: GET

dnsservergroups/overrides: GET

dynamicobjectmappings: POST

dynamicobjects: GET, PUT, POST, and DELETE

dynamicobjects/mappings: GET and PUT

geolocations: PUT, POST, and DELETE

grouppolicies: GET

hostscanpackages: GET

intrusionrules, intrusionrulegroups: GET, PUT, POST, and DELETE

intrusionrulesupload: POST

ipv4addresspools, ipv6addresspools: GET

ipv4addresspools/overrides, ipv6addresspools/overrides: GET

localrealmusers: GET, PUT, POST, DELETE

radiusservergroups: GET

realms: PUT, POST, and DELETE

sidnsfeeds, sidnslists, sinetworkfeeds, sinetworklists: GET

sinkholes: GET

ssoservers: GET

ssoservers/overrides: GET

usage: GET

Policy

accesspolicies/securityintelligencepolicies: GET

dnspolicies: GET

dnspolicies/allowdnsrules, dnspolicies/blockdnsrules: GET

dynamicaccesspolicies: GET, PUT, POST, and DELETE

identitypolicies: GET

intrusionpolicies: PUT, POST, and DELETE

intrusionpolicies/intrusionrulegroups, intrusionpolicies/intrusionrules: GET and PUT

networkanalysispolicies: GET, PUT, POST, and DELETE

networkanalysispolicies/inspectorconfigs: GET

networkanalysispolicies/inspectoroverrideconfigs: GET and PUT

ravpns: GET

ravpns/addressassignmentsettings, ravpns/certificatemapsettings, ravpns/connectionprofiles: GET

Search

globalsearch: GET

Deprecated Features

Table 21. Deprecated Features in FMC Version 7.0.6

Deprecated Feature

Description

Deprecated: high unmanaged disk usage alerts.

The Disk Usage health module no longer alerts with high unmanaged disk usage. After FMC upgrade, you may continue to see these alerts until you either deploy health policies to managed devices (stops the display of alerts) or upgrade the devices (stops the sending of alerts).

Note

 

Versions 7.0–7.0.5, 7.1.x, 7.2.0–7.2.3, and 7.3.x continue to support these alerts. If your FMC is running any of these versions, you may also continue to see alerts.

For information on the remaining Disk Usage alerts, see Disk Usage and Drain of Events Health Monitor Alerts.

Table 22. Deprecated Features in FMC Version 7.0.0

Deprecated Feature

Description

End of support: VMware vSphere/VMware ESXi 6.0.

We discontinued support for virtual deployments on VMware vSphere/VMware ESXi 6.0. Upgrade the hosting environment to a supported version before you upgrade the Firepower software.

Deprecated: RSA certificates with keys smaller than 2048 bits, or that use SHA-1 in their signature algorithm.

Prevents post-upgrade VPN connections through FTD devices.

We removed support for RSA certificates with keys smaller than 2048 bits, or that use SHA-1 in their signature algorithm.

Before you upgrade, use the object manager to update your PKI certificate enrollments with stronger options: Objects > PKI > Cert Enrollment. Otherwise, although the upgrade preserves your current settings, VPN connections through the device will fail.

To continue managing older FTD devices only (Version 6.4–6.7.x) with these weaker options, select the new Enable Weak-Crypto option for each device on the Devices > Certificates page.

Deprecated: MD5 authentication algorithm and DES encryption for SNMPv3 users.

Deletes Users. Prevents post-upgrade deploy.

We removed support for the MD5 authentication algorithm and DES encryption for SNMPv3 users on FTD devices.

Upgrading FTD to Version 7.0+ deletes these users from the device, regardless of the configurations on the FMC. If you are still using these options in your platform settings policy, change and verify your configurations before you upgrade FTD.

These options are in the Auth Algorithm Type and Encryption Type drop-downs when creating or editing an SNMPv3 user in a Threat Defense platform settings policy: Devices > Platform Settings.

Deprecated: Port 32137 comms with AMP clouds.

Prevents FMC upgrade.

We deprecated the FMC option to use port 32137 to obtain file disposition data from public and private AMP clouds. Unless you configure a proxy, the FMC now uses port 443/HTTPS.

Before you upgrade, disable the Use Legacy Port 32137 for AMP for Networks option on the System (system gear icon) > Integration > Cloud Services page. Do not proceed with upgrade until your AMP for Networks deployment is working as expected.

Deprecated: HA Status health module.

We renamed the HA Status health module to the FMC HA Status health module. This is to distinguish it from the new FTD HA Status module.

Deprecated: Legacy API Explorer.

We removed support for the FMC REST API legacy API Explorer.

Deprecated: Geolocation details.

In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on.

The new country code package has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in an air-gapped deployment—make sure you get the country code package and not the IP package.

Important

 

This split does not affect geolocation rules or traffic handling in any way—those rules rely only on the data in the country code package. However, because the country code package essentially replaces the all-in-one package, the contextual data is no longer updated and will grow stale. To obtain fresh data, upgrade or reimage the FMC to Version 7.2+ and update the GeoDB.

New Features in FMC Version 6.7

New Features

Table 23. New Features in FMC Version 6.7.0

New Feature

Description

Platform

FMCv and FTDv for OCI and GCP.

We introduced FMCv and FTDv for:

  • Oracle Cloud Infrastructure (OCI)

  • Google Cloud Platform (GCP)

High availability support on FMCv for VMware.

FMCv for VMware now supports high availability. You use the FMCv web interface to establish HA, just as you would on hardware models.

In an FTD deployment, you need two identically licensed FMCv's, as well as one FTD entitlement for each managed device. For example, to manage 10 FTD devices with an FMCv10 HA pair, you need two FMCv10 entitlements and 10 FTD entitlements. If you are managing Classic devices only (7000/8000 series, NGIPSv, ASA FirePOWER), you do not need FMCv entitlements.

Note that this feature is not supported on FMCv 2 for VMware—that is, an FMCv licensed to manage only two devices.

Supported platforms: FMCv 10, 25, and 300 for VMware

Auto Scale improvements for FTDv for AWS.

Version 6.7.0 includes the following Auto Scale improvements for FTDv for AWS:

  • Custom Metric Publisher. A new Lambda function polls the FMC every second minute for memory consumption of all FTDv instances in the Auto Scale group, then publishes the value to CloudWatch Metric.

  • A new scaling policy based on memory consumption is available.

  • FTDv private IP connectivity for SSH and Secure Tunnel to the FMC.

  • FMC configuration validation.

  • Support for opening more Listening ports on ELB.

  • Modified to Single Stack deployment. All Lambda functions and AWS resources are deployed from a single stack for a streamlined deployment.

Supported platforms: FTDv for AWS

Auto Scale improvements for FTDv for Azure.

The FTDv for Azure Auto Scale solution now includes support for scaling metrics based on CPU and memory (RAM), not just CPU.

Supported platforms: FTDv for Azure

Firepower Threat Defense: Device Management

Manage FTD on a data interface.

You can now configure FMC management of the FTD on a data interface instead of using the dedicated management interface.

This feature is useful for remote deployment when you want to manage the FTD at a branch office from an FMC at headquarters and need to manage the FTD on the outside interface. If the FTD receives a public IP address using DHCP, then you can optionally configure Dynamic DNS (DDNS) for the interface using the web type update method. DDNS ensures the FMC can reach the FTD at its Fully-Qualified Domain Name (FQDN) if the FTD's IP address changes.

Note

 

FMC access on a data interface is not supported with clustering or high availability.

New/modified pages:

  • Devices > Device Management > Device > Management section

  • Devices > Device Management > Interfaces > FMC Access

  • Devices > Device Management > DHCP > DDNS > DDNS Update Methods page

New/modified FTD CLI commands: configure network management-data-interface , configure policy rollback

Supported platforms: FTD

Update the FMC IP address on the FTD.

If you change the FMC IP address, you can now use the FTD CLI to update the device.

New/modified FTD CLI commands: configure manager edit

Supported platforms: FTD

Synchronization between the FTD operational link state and the physical link state for the Firepower 4100/9300.

The Firepower 4100/9300 chassis can now synchronize the FTD operational link state with the physical link state for data interfaces.

Currently, interfaces will be in an Up state as long as the FXOS admin state is up and the physical link state is up. The FTD application interface admin state is not considered. Without synchronization from FTD, data interfaces can be in an Up state physically before the FTD application has completely come online, for example, or can stay Up for a period of time after you initiate an FTD shutdown. For inline sets, this state mismatch can result in dropped packets because external routers may start sending traffic to the FTD before the FTD can handle it.

This feature is disabled by default, and can be enabled per logical device in FXOS.

Note

 

This feature is not supported for clustering, container instances, or an FTD with a Radware vDP decorator. It is also not supported for ASA.

New/modified Firepower Chassis Manager pages: Logical Devices > Enable Link State

New/modified FXOS commands: set link-state-sync enabled , show interface expand detail

Supported platforms: Firepower 4100/9300

Firepower 1100/2100 series SFP interfaces now support disabling auto-negotiation.

Upgrade impact.

You can now configure a Firepower 1100/2100 series SFP interface to disable flow control and link status negotiation.

Previously, when you set an SFP interface speed (1000 or 10000 Mbps) on these devices, flow control and link status negotiation was automatically enabled. You could not disable it.

Now, you can select No Negotiate to disable flow control and link status negotiation. This also sets the speed to 1000 Mbps, regardless of whether you are configuring a 1 GB SFP or 10 GB SFP+ interface. You cannot disable negotation at 10000 Mbps.

New/modified pages: Devices > Device Management > Interfaces > edit interface > Hardware Configuration > Speed

Supported platforms: Firepower 1100/2100 series

Firepower Threat Defense: Clustering

New cluster management functionality on the FMC.

You can now use the FMC to perform the following cluster management tasks, where previously you had to use the CLI:

  • Enable and disable cluster units.

  • Show cluster status from the Device Management page, including History and Summary per unit.

  • Change the role to the control unit.

New/modified pages:

  • Devices > Device Management > More menu

  • Devices > Device Management > Cluster > General area > Cluster Live Status link > Cluster Status

Supported platforms: Firepower 4100/9300

Faster cluster deployment.

Cluster deployment now completes faster. Also, for most deployment failures, it fails more quickly.

Supported platforms: Firepower 4100/9300

Changes to PAT address allocation in clustering. The PAT pool Flat Port Range option is now enabled by default and it is not configurable.

Upgrade impact.

The way PAT addresses are distributed to the members of a cluster is changed.

Previously, addresses were distributed to the members of the cluster, so your PAT pool would need a minimum of one address per cluster member. Now, the control instead divides each PAT pool address into equal-sized port blocks and distributes them across cluster members. Each member has port blocks for the same PAT addresses. Thus, you can reduce the size of the PAT pool, even to as few as one IP address, depending on the amount of connections you typically need to PAT.

Port blocks are allocated in 512-port blocks from the 1024-65535 range. You can optionally include the reserved ports, 1-1023, in this block allocation when you configure PAT pool rules. For example, in a 4-node cluster, each node gets 32 blocks with which it will be able to handle 16384 connections per PAT pool IP address compared to a single node handling all 65535 connections per PAT pool IP address.

As part of this change, PAT pools for all systems, whether standalone or operating in a cluster, now use a flat port range of 1024–65535. Previously, you could use a flat range by enabling the Flat Port Range option in a PAT pool rule (Pat Pool tab in an FTD NAT rule). The Flat Port Range option is now ignored: the PAT pool is now always flat. You can optionally select the Include Reserved Ports option to include the 1–1023 port range within the PAT pool.

Note that if you configure port block allocation (the Block Allocation PAT pool option), your block allocation size is used rather than the default 512-port block. In addition, you cannot configure extended PAT for a PAT pool for systems in a cluster.

This change takes effect automatically. You do not need to do anything before or after upgrade.

Supported platforms: FTD

Firepower Threat Defense: Encryption and VPN

AnyConnect module support for RA VPN.

FTD RA VPN now supports AnyConnect modules.

As part of your RA VPN group policy, you can now configure a variety of optional modules to be downloaded and installed when a user downloads the Cisco AnyConnect VPN client. These modules can provide services such as web security, malware protection, off-network roaming protection, and so on.

You must associate each module with a profile containing your custom configurations, created in the AnyConnect Profile Editor and uploaded to the FMC as an AnyConnect File object.

New/modified pages:

  • Upload module profiles: We added new File Type options to Objects > Object Management > VPN > AnyConnect File > Add AnyConnect File

  • Configure modules: We added Client Modules options to Objects > Object Management > VPN > Group Policy > add or edit a Group Policy object > AnyConnect settings

Supported platforms: FTD

AnyConnect management VPN tunnels for RA VPN.

FTD RA VPN now supports an AnyConnect management VPN tunnel that allows VPN connectivity to endpoints when the corporate endpoints are powered on, not just when a VPN connection is established by the end user.

This feature helps administrators perform patch management on out-of-the-office endpoints, especially devices that are infrequently connected by the user, via VPN, to the office network. Endpoint operating system login scripts which require corporate network connectivity also benefit.

Supported platforms: FTD

Single sign-on for RA VPN.

FTD RA VPN now supports single sign-on (SSO) for remote access VPN users configured at a SAML 2.0-compliant identity provider (IdP).

New/modified pages:

  • Connect to an SSO server: Objects > Object Management > AAA Server > Single Sign-on Server

  • Configure SSO as part of RA VPN: We added SAML as an authentication method (AAA settings) when configuring an RA VPN connection profile.

Supported platforms: FTD

LDAP authorization for RA VPN.

FTD RA VPN now supports LDAP authorization using LDAP attribute maps.

An LDAP attribute map equates attributes that exist in the Active Directory (AD) or LDAP server with Cisco attribute names. Then, when the AD or LDAP server returns authentication to the FTD device during remote access VPN connection establishment, the FTD device can use the information to adjust how the AnyConnect client completes the connection.

Supported platforms: FTD

Virtual Tunnel Interface (VTI) and route-based site-to-site VPN.

FTD site-to-site VPN now supports a logical interface called Virtual Tunnel Interface (VTI).

As an alternative to policy-based VPN, a VPN tunnel can be created between peers with Virtual Tunnel Interfaces configured. This supports route-based VPN with IPsec profiles attached to the end of each tunnel. This allows dynamic or static routes to be used. Using VTI does away with the requirement of configuring static crypto map access lists and mapping them to interfaces. Traffic is encrypted using static route or BGP. You can create a routed security zone, add VTI interfaces to it, and define access control rules for the decrypted traffic control over the VTI tunnel.

VTI-based VPNs can be created between:

  • Two FTD devices

  • An FTD device and a public cloud

  • An FTD device and another FTD device with service provider redundancy

New/modified pages:

  • Devices > Device Management > Interfaces > Add Interfaces > Virtual Tunnel Interface

  • Devices > VPN > Site To Site > Add VPN > Firepower Threat Defense Device > Route Based (VTI)

Supported platforms: FTD

Dynamic RRI support for site-to-site VPN.

FTD site-to-site VPN now supports Dynamic Reverse Route Injection (RRI) supported with IKEv2-based static crypto maps in site-to-site VPN deployments. This allowed static routes to be automatically inserted into the routing process for networks and hosts protected by a remote tunnel endpoint.

New/modified pages: We added the Enable Dynamic Reverse Route Injection advanced option when adding an endpoint to a site-to-site VPN topology.