Features and Functionality

Patches contain new features, functionality, and behavior changes related to urgent or resolved issues.

Features for Firepower Management Center Deployments


Note

Version 6.6.0/6.6.x is the last release to support the Cisco Firepower User Agent software as an identity source. You cannot upgrade a Firepower Management Center with user agent configurations to Version 6.7.0+. You should switch to Cisco Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC). This will also allow you to take advantage of features that are not available with the user agent. To convert your license, contact your Cisco representative or partner contact.

For more information, see the End-of-Life and End-of-Support for the Cisco Firepower User Agent announcement and the Firepower User Identity: Migrating from User Agent to Identity Services Engine TechNote.

New Features in FMC Version 6.3.0 Patches

Table 1.

Feature

Description

Version 6.3.0.4

Detection of rule conflicts in FTD NAT policies

Upgrade impact.

After you upgrade to Version 6.3.0.4 or later patch, you can no longer create FTD NAT policies with conflicting rules (often referred to as duplicate or overlapping rules). This fixes an issue where conflicting NAT rules were applied out-of-order.

If you currently have conflicting NAT rules, you will be able to deploy post-upgrade. However, your NAT rules will continue to be applied out-of-order.

Therefore, we recommend that after the upgrade, you inspect your FTD NAT policies by editing (no changes are needed) then attempting to resave. If you have rule conflicts, the system will prevent you from saving. Correct the issues, save, and then deploy.

Note that upgrading to Version 6.4.0 deprecates this fix. It is fixed again in Version 6.4.0.2.

Version 6.3.0.4

ISE Connection Status Monitor module

A new module, the ISE Connection Status Monitor, monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the FMC.

Note that upgrading to Version 6.4.0 deprecates this module. Support returns in Version 6.4.0.2.

New/modified screens: System > > Policy > create or edit policy > ISE Connection Status Monitor

Version 6.3.0.3

2048-bit certificate keys now required (security enhancement)

When making secure connections to external data sources, such as AMP for Endpoints or Cisco Threat Intelligence Detector (TID), the FMC now requires that the server certificate be generated with keys that are at least 2048 bits long. Certificates previously generated with 1024-bit keys will no longer work.

If you cannot connect, regenerate the server certificate on your data source. If necessary, reconfigure the FMC connection to the data source.

Version 6.3.0.1

EMS extension support

Upgrade impact.

Version 6.3.0.1 reintroduces EMS extension support, which was introduced in Version 6.2.3.8/6.2.3.9 but was not included in Version 6.3.0.

Both the Decrypt-Resign and Decrypt-Known Key SSL policy actions again support the EMS extension during ClientHello negotiation, enabling more secure communications. The EMS extension is defined by RFC 7627.

In FMC deployments, this feature depends on the device version. Although best practice is to upgrade your whole deployment, this feature is supported even if you patch only the device.

Features for Firepower Device Manager Deployments

New Features in FDM Version 6.3.0 Patches

Table 2.

Feature

Description

Version 6.3.0.1

EMS extension support

Upgrade impact.

Version 6.3.0.1 reintroduces EMS extension support, which was introduced in Version 6.2.3.8/6.2.3.9 but was not included in Version 6.3.0.

Both the Decrypt-Resign and Decrypt-Known Key SSL policy actions again support the EMS extension during ClientHello negotiation, enabling more secure communications. The EMS extension is defined by RFC 7627.

Intrusion Rules and Keywords

Upgrades can import and auto-enable intrusion rules.

Intrusion rule updates (SRUs) provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU.

After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.

Supported keywords depend on your Snort version:

  • FMC: Choose Help > About.

  • FTD with FDM: Use the show summary CLI command.

  • ASA FirePOWER with ASDM: Choose ASA FirePOWER Configuration > System Information.

You can also find your Snort version in the Bundled Components section of the Cisco Firepower Compatibility Guide.

The Snort release notes contain details on new keywords. You can read the release notes on the Snort download page: https://www.snort.org/downloads.

How-To Walkthroughs for the FMC

FMC walkthroughs (also called how-tos) guide you through a variety of basic tasks such as device setup and policy configuration. Just click How To at the bottom of the browser window, choose a walkthrough, and follow the step-by-step instructions.


Note

FMC walkthroughs are tested on the Firefox and Chrome browsers. If you encounter issues with a different browser, we ask that you switch to Firefox or Chrome. If you continue to encounter issues, contact Cisco TAC.

The following table lists some common problems and solutions. To end a walkthrough at any time, click the x in the upper right corner.

Table 3. Troubleshooting Walkthroughs

Problem

Solution

Cannot find the How To link to start walkthroughs.

Make sure walkthroughs are enabled. From the drop-down list under your username, select User Preferences then click How-To Settings.

Walkthrough appears when you do not expect it.

If a walkthrough appears when you do not expect it, end the walkthrough.

Walkthrough disappears or quits suddenly.

If a walkthrough disappears:

  • Move your pointer.

    Sometimes the FMC stops displaying an in-progress walkthrough. For example, pointing to a different top-level menu can make this happen.

  • Navigate to a different page and try again.

    If moving your pointer does not work, the walkthrough may have quit.

Walkthrough is out of sync with the FMC:

  • Starts on the wrong step.

  • Advances prematurely.

  • Will not advance.

If a walkthrough is out of sync, you can:

  • Attempt to continue.

    For example, if you enter an invalid value in a field and the FMC displays an error, the walkthrough can prematurely move on. You may need to go back and resolve the error to complete the task.

  • End the walkthrough, navigate to a different page, and try again.

    Sometimes you cannot continue. For example, if you do not click Next after you complete a step, you may need to end the walkthrough.

Sharing Data with Cisco

Web Analytics tracking

In Version 6.2.3+, Web analytics tracking sends non-personally-identifiable usage data to Cisco, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your FMCs.

You are enrolled in web analytics tracking by default (by accepting the Version 6.5.0+ EULA you consent to web analytics tracking), but you can change your enrollment at any time after you complete initial setup.


Note

Upgrades to Version 6.2.3 through 6.6.x can enroll you in web analytics tracking. This can occur even if you purposely unenrolled. If you do not want Cisco to collect this data, unenroll after upgrading.

Cisco Success Network

In Version 6.2.3+, Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support.

During initial setup and upgrades, you may be asked to enroll. You can also change your enrollment at any time.

Cisco Support Diagnostics

In Version 6.5.0+, Cisco Support Diagnostics (sometimes called Cisco Proactive Support) sends configuration and operational health data to Cisco, and processes that data through our automated problem detection system, allowing us to proactively notify you of issues. This feature also allows Cisco TAC to collect essential information from your devices during the course of a TAC case.

During initial setup and upgrades, you may be asked to enroll. You can also change your enrollment at any time.


Note

This feature is supported on Firepower Management Centers and their managed Firepower Threat Defense devices. In Version 6.5.0 only, FTD support is restricted to the Firepower 4100/9300 with FTD and FTDv for Azure. This feature is not supported with Firepower Device Manager.