|
Platform
|
|
VMware vSphere/VMware ESXi 7.0 support.
|
You can now deploy FMCv, FTDv, and NGIPSv virtual appliances on
VMware vSphere/VMware ESXi 7.0.
Note that Version 7.0 also discontinues support for VMware 6.0.
Upgrade the hosting environment to a supported version before you
upgrade the Firepower software.
|
|
New virtual environments.
|
We introduced FMCv and FTDv for:
-
Cisco HyperFlex
-
Nutanix Enterprise Cloud
-
OpenStack
For FMCv, all these implementations support FMCv2, v10, and v25.
FMCv for HyperFlex also supports high availability with FMCv10 and
v25. In an FTD deployment, you need two identically licensed FMCs,
as well as one FTD entitlement for each managed device. For example,
to manage 10 devices with an FMCv10 high availability pair, you need
two FMCv10 entitlements and 10 FTD entitlements. If you are managing
Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv
entitlements.
|
|
FTDv performance tiered Smart
Licensing.
|
Upgrade impact. Upgrading
automatically assigns devices to the FTDv Variable
tier.
FTDv now supports performance-tiered Smart Software
Licensing, based on throughput requirements and RA VPN session
limits. Options run from FTDv5 (100 Mbps/50 sessions) to FTDv100 (16
Gbps/10,000 sessions).
Before you add a new device, make sure
your account contains the licenses you need. To purchase additional
licenses, contact your Cisco representative or partner contact.
Upgrading FTDv to Version 7.0 automatically assigns the device to
the FTDv Variable tier, although you can change this later.
For
more information on changing performance tiers, supported instances,
throughputs, and other hosting requirements, see the appropriate Getting Started Guide.
New/modified
pages:
|
|
FTD Clustering
|
|
Improved PAT port block allocation for clustering
|
The improved PAT port block allocation ensures that the control unit
keeps ports in reserve for joining nodes, and proactively reclaims
unused ports. To best optimize the allocation, you can set the
maximum nodes you plan to have in the cluster using the
cluster-member-limit command using
FlexConfig. The control unit can then allocate port blocks to the
planned number of nodes, and it will not have to reserve ports for
extra nodes you don't plan to use. The default is 16 nodes. You can
also monitor syslog 747046 to ensure that there are enough ports
available for a new node.
New/modified commands: cluster-member-limit
(FlexConfig), show nat pool cluster
[summary] , show nat pool ip
detail
Supported platforms: Firepower 4100/9300
|
|
FTD CLI show cluster history
improvements.
|
New keywords allow you to customize the output of the
show cluster history command.
New/modified commands: show cluster history
[brief ] [latest ]
[reverse ]
[time ]
Supported platforms: Firepower 4100/9300
|
|
FTD CLI command to permanently leave a cluster.
|
You can now use the FTD CLI to permanently remove a unit from the
cluster, converting its configuration to a standalone device.
New/modified commands: cluster
reset-interface-mode
Supported platforms: Firepower 4100/9300
|
|
FTD NAT
|
|
Prioritized system-defined NAT rules for FTD.
|
We added a new Section 0 to the NAT rule table. This section is
exclusively for the use of the system. Any NAT rules that the system
needs for normal functioning are added to this section, and these
rules take priority over any rules you create. Previously,
system-defined rules were added to Section 1, and user-defined rules
could interfere with proper system functioning.
You cannot add, edit, or delete Section 0 rules, but you will see
them in show nat detail command
output.
|
|
FTD Routing
|
|
Virtual router support for the ISA 3000.
|
You can now configure up to 10 virtual routers on an ISA 3000
device.
|
|
FTD VPN: Site to Site
|
|
Backup virtual tunnel interfaces (VTI) for route-based site-to-site
VPN.
|
When you configure a site-to-site VPN that uses virtual tunnel
interfaces, you can select a backup VTI for the tunnel.
Specifying a backup VTI provides resiliency, so that if the primary
connection goes down, the backup connection might still be
functional. For example, you could point the primary VTI to the
endpoint of one service provider, and the backup VTI to the endpoint
of a different service provider.
New/modified pages: We added the ability to add a backup VTI to the
site-to-site VPN wizard when you select Route-Based as the VPN type
for a point-to-point connection.
|
|
FTD VPN: Remote Access
|
|
Load balancing.
|
We now support RA VPN load balancing. The system distributes sessions
among grouped devices by number of sessions; it does not consider
traffic volume or other factors.
New/modified screens: We added load balancing options to the Advanced
settings in an RA VPN policy.
|
|
Local authentication.
|
We now support local authentication for RA VPN users. You can use
this as the primary or secondary authentication method, or as a
fallback in case the configured remote server cannot be reached.
-
Create a local realm.
Local usernames and passwords are stored in local realms.
When you create a realm (System ( )) and select the new
LOCAL realm type, the system
prompts you to add one or more local users.
-
Configure RA VPN to use local authentication.
Create or edit an RA VPN policy (Devices > VPN
> Remote Access), create a connection
profile within that policy, then specify
LOCAL as the primary, secondary,
or fallback authentication server in that connection
profile.
-
Associate the local realm you created with an RA VPN
policy.
In the RA VPN policy editor, use the new Local
Realm setting. Every connection profile in
the RA VPN policy that uses local authentication will use
the local realm you specify here.
|
|
Dynamic access policies.
|
The new dynamic access policy allows you to configure remote access
VPN authorization that automatically adapts to a changing
environment:
-
Configure HostScan by uploading the AnyConnect HostScan
package as an AnyConnect file (Objects >
Object Management > VPN > AnyConnect
File). There is a new HostScan
Package option in the File
Type drop-down list.
This module runs on endpoints and performs a posture
assessment that the dynamic access policy will use.
-
Create a dynamic access policy (Devices >
Dynamic Access Policy).
Dynamic access policies specify session attributes (such as
group membership and endpoint security) that you want to
evaluate each time a user initiates a session. You can then
deny or grant access based on that evaluation.
-
Associate the dynamic access policy you created with an RA
VPN policy.
In the remote access VPN policy editor, use the new
Dynamic Access Policy
setting.
|
|
Multi-certificate authentication.
|
We now support multi-certificate authentication for remote access VPN
users. You can validate the machine or device certificate, to ensure
the device is a corporate-issued device, in addition to
authenticating the user’s identity certificate to allow VPN access
using the AnyConnect client during SSL or IKEv2 EAP phase.
|
|
AnyConnect custom attributes.
|
We now support AnyConnect custom attributes, and provide an
infrastructure to configure AnyConnect client features without
adding explicit support for these features in the system.
|
|
Access Control: Threat Detection and Application
Identification
|
|
Snort 3 for FTD.
|
For new FTD deployments, Snort 3 is now the default inspection
engine. Upgraded deployments continue to use Snort 2, but you
can switch at any time.
Advantages to using Snort 3 include, but are not limited to:
-
Improved performance.
-
Improved SMBv2 inspection.
-
New script detection capabilities.
-
HTTP/2 inspection.
-
Custom rule groups.
-
Syntax that makes custom intrusion rules easier to
write.
-
Reasons for 'would have dropped' inline results in
intrusion
events.
-
No Snort restarts when deploying changes to the VDB, SSL
policies, custom application detectors, captive portal
identity sources, and TLS server identity discovery.
-
Improved serviceability, due to Snort 3-specific
telemetry data sent to Cisco Success Network, and to
better troubleshooting logs.
A Snort 3 intrusion rule update is called an LSP
(Lightweight Security Package) rather than an SRU. The system
still uses SRUs for Snort 2; downloads from Cisco contain both
the latest LSP and SRU. The system automatically uses the
appropriate rule set for your configurations.
The FMC can manage a deployment with both Snort 2 and Snort 3
devices, and will apply the correct policies to each device.
However, unlike Snort 2, you cannot update Snort 3 on a device
by upgrading the FMC only and then deploying. With Snort 3, new
features and resolved bugs require you upgrade the software on
the FMC and its managed devices. For information on the
Snort included with each software version, see the Bundled
Components section of the Cisco Firepower Compatibility
Guide.
|
Important
|
Before you switch to Snort 3, we strongly recommend
you read and understand the Firepower Management Center Snort 3
Configuration Guide. Pay special attention to feature limitations and
migration instructions. Although upgrading to Snort 3 is
designed for minimal impact, features do not map exactly.
Careful planning and preparation can help you make sure that
traffic handled as expected.
|
You can also visit the Snort 3 website: https://snort.org/snort3.
|
|
DNS filtering.
|
DNS filtering, which was introduced as a Beta feature in Version 6.7,
is now fully supported and is enabled by default in new access
control policies.
|
|
Access Control: Identity
|
|
Cross-domain trust for Active Directory domains.
|
You can now configure user identity rules with users from Microsoft
Active Directory forests (groupings of AD domains that trust each
other).
New/modified pages:
|
|
Event Logging and Analysis
|
|
Improved process for storing events in a Secure Network Analytics on-prem deployment.
|
A new Cisco Security
Analytics and Logging (On Premises) app and a new FMC wizard make it easier to configure remote data
storage for on-prem Secure Network Analytics solutions:
-
Deploy hardware or virtual Stealthwatch appliances.
You can use a Stealthwatch Management Console alone, or you
can configure Stealthwatch Management Console, flow
collector, and data store.
-
Install the new Cisco Security Analytics and Logging (On
Premises) app on your Stealthwatch Management Console to
configure Stealthwatch as a remote data store.
-
On the FMC, use one of the new wizards on System () to connect to your Stealthwatch
deployment.
Note that the wizards replace the narrower-focus page where
you used to configure Stealthwatch contextual cross-launch;
that is now a step in the wizard.
For upgraded deployments where you were using syslog to send
Firepower events to Stealthwatch, disable those configurations
before you use the wizard. Otherwise, you will get double events. To
remove the syslog connection to Stealthwatch use FTD platform
settings (Devices > Platform Settings); to
disable sending events to syslog, edit your access control rules.
For more information, including Stealthwatch hardware and software
requirements, see Cisco Security Analytics
and Logging (On Premises): Firewall Event Integration
Guide.
|
|
Work with events stored remotely in a Secure Network Analytics
on-prem deployment.
|
You can now use the FMC to work with connection events stored
remotely in a Secure Network Analytics on-prem deployment.
A new Data Source option on the connection
events page (Analysis > Connections >
Events) and in the unified event viewer (Analysis
> Unified Events) allows you to choose which connection
events you want to work with. The default is to display locally
stored connection events, unless there are none in the time range.
In that case, the system displays remotely stored events..
We also added a data source option to report templates
(Overview > Reporting > Report
Templates), so that you can generate reports based
on remotely stored connection events.
|
Note
|
This feature is supported for connection events only;
cross-launch is still the only way to examine remotely stored
Security Intelligence, intrusion, file and malware events. Even
in the unified event viewer, the system only displays locally
stored events of those types.
However, note that for every Security Intelligence event, there
is an identical connection event—these are the events with
reasons such as 'IP Block' or 'DNS Block.' You can work with
those duplicated events on the connection events page or in the
unified event viewer, but not on the dedicated Security
Intelligence events page.
|
|
|
Store all connection events in the Secure Network Analytics
cloud.
|
You can now store all connection events in the Stealthwatch cloud
using Cisco Security Analytics and Logging (SaaS). Previously, you
were limited to security events: Security Intelligence, intrusion,
file, and malware events, as well as their associated connection
events.
To change the events you send to the cloud, choose System () > Integration. On the
Cloud Services tab, edit the
Cisco Cloud Event Configuration. The old
option to send high priority connection events to the cloud has been
replaced with a choice of All,
None, or Security
Events.
|
Note
|
These settings also control which events you send to SecureX.
However, even if you choose to send all connection events to the
cloud, SecureX consumes only the security (higher priority)
connection events. Also note that you now configure the SecureX
connection itself on Analysis >
SecureX.
|
|
|
Unified event viewer.
|
The unified event viewer () displays connection, Security Intelligence, intrusion, file, and
malware events in a single table. This can help you look
relationships between events of different types.
A single search field allows you to dynamically filter the view based
on multiple criteria, and a Go Live option
displays events received from managed devices in real time.
|
|
SecureX ribbon.
|
The SecureX ribbon on the FMC pivots into SecureX for instant
visibility into the threat landscape across your Cisco security
products.
To connect with SecureX and enable the ribbon, use System (). Note that you must still use System () > Integration > Cloud Services
to choose your cloud region and to specify which events to send to
SecureX.
For more information, see the Cisco Secure Firewall
Threat Defense and SecureX Integration
Guide.
|
|
Exempt all connection events from rate limiting when you turn off
local storage.
|
Event rate limiting applies to all events sent to the FMC, with the
exception of security events: Security Intelligence, intrusion,
file, and malware events, as well as their associated connection
events.
Now, disabling local connection event storage exempts all
connection events from rate limiting, not just security events. To
do this, set the Maximum Connection Events to
zero on System () > Configuration > Database.
|
Note
|
Other than turning it off by setting it to zero,
Maximum Connection Events does not
govern connection event rate limiting. Any non-zero number in
this field ensures that all lower-priority connection
events are rate limited.
|
Note that disabling local event storage does not affect remote event
storage, nor does it affect connection summaries or correlation. The
system still uses connection event information for features like
traffic profiles, correlation policies, and dashboard displays.
|
|
Port and protocol displayed together in file and malware event
tables.
|
In file and malware event tables, the port field now displays the
protocol, and you can search port fields for
protocol.
For events that existed before upgrade, if the protocol is not
known, the system uses "tcp."
New/modified pages:
|
|
Health Monitoring
|
|
New health modules.
|
We added the following health modules:
-
AMP Connection Status
-
AMP Threat Grid Status
-
ASP Drop
-
Advanced Snort Statistics
-
Chassis Status FTD
-
Event Stream Status
-
FMC Access Configuration Changes
-
FMC HA Status (replaces HA Status)
-
FTD HA Status
-
File System Integrity Check
-
Flow Offload
-
Hit Count
-
MySQL Status
-
NTP Status FTD
-
Rabbit MQ Status
-
Routing Statistics
-
SSE Connection Status
-
Sybase Status
-
Unresolved Groups Monitor
-
VPN Statistics
-
xTLS Counters
Additionally, full support returns for the Configuration Memory
Allocation module, which was introduced in Version 6.6.3 as the
Appliance Configuration Resource Utilization module, but was not
fully supported in Version
6.7.
|
|
Deployment and Policy Management
|
|
Dynamic objects.
|
You can now use dynamic objects in access control rules.
A dynamic object is just a list of IP addresses/subnets (no ranges,
no FQDN). But unlike a network object, changes to dynamic objects
take effect immediately, without having to redeploy. This is useful
in virtual and cloud environments, where IP addresses often
dynamically map to workload resources.
To create and manage dynamic objects, we recommend the Cisco Secure Dynamic Attributes Connector. The connector is a separate, lightweight application that
quickly and seamlessly updates firewall policies based on workload
changes. To do this, it gets workload attributes from tagged
resources in your environment, and compiles an IP list based on
criteria you specify (a “dynamic attributes filter”). It then
creates a dynamic object on the FMC and populates it with the IP
list. When your workload changes, the connector updates the dynamic
object and the system immediately starts handling traffic based on
the new mappings. For more information, see the Cisco Secure Dynamic Attributes
Connector Configuration
Guide.
After you create a dynamic object, you can add it to access control
rules on the new Dynamic Attributes tab in
the access control rule editor. This tab replaces the narrower-focus
SGT/ISE Attributes tab; continue to
configure rules with SGT attributes here.
Supported virtual/cloud workloads for Cisco Secure Dynamic Attributes
Connector integration: Microsoft Azure, AWS, VMware
|
|
Global search for policies and objects.
|
You can now search for certain policies by name, and for certain
objects by name and configured value. This feature is not available
with the Classic theme.
New/modified pages: We added capabilities to the
Search icon and field on the FMC menu
bar, to the left of the Deploy menu.
|
|
Selectively deploy RA and site-to-site VPN policies.
|
Selective policy deployment, which was introduced in Version 6.6, now
supports remote access and site-to-site VPN policies for FTD.
New/modified pages: We added VPN policy options on the
Deploy > Deployment page.
|
|
FTD Upgrade
|
|
Improved FTD upgrade performance and status reporting.
|
|
|
Upgrade wizard for FTD.
|
A new device upgrade page (Devices > Device
Upgrade) on the FMC provides an easy-to-follow
wizard for upgrading Version 6.4+ FTD devices. It walks you
through important pre-upgrade stages, including selecting
devices to upgrade, copying the upgrade package to the devices,
and compatibility and readiness checks.
To begin, use the new Upgrade Firepower
Software action on the Device Management page
(Devices > Device Management > Select
Action).
As you proceed, the system displays basic information about your
selected devices, as well as the current upgrade-related status.
This includes any reasons why you cannot upgrade. If a device
does not "pass" a stage in the wizard, it does not appear in the
next stage.
If you navigate away from wizard, your progress is preserved,
although other users with Administrator access can reset,
modify, or continue the wizard.
|
Note
|
You must still use System () to upload or specify the location of FTD
upgrade
packages.
You must also use the System Updates page to upgrade the FMC
itself, as well as all non-FTD managed devices.
|
|
Note
|
In Version 7.0, the wizard does not correctly display devices
in clusters or high availability pairs. Even though you must
select and upgrade these devices as a unit, the wizard
displays them as standalone devices. Device status and
upgrade readiness are evaluated and reported on an
individual basis. This means it is possible for one unit to
appear to "pass" to the next stage while the other unit or
units do not. However, these devices are still grouped.
Running a readiness check on one, runs it on all. Starting
the upgrade on one, starts it on all.
To avoid possible time-consuming upgrade failures,
manually ensure all group members are ready to
move on to the next step of the wizard before you click
Next.
|
|
|
Upgrade more FTD devices at once.
|
The FTD upgrade wizard lifts the following restrictions:
-
Simultaneous device upgrades.
The number of devices you can upgrade at once is now
limited by your management network bandwidth—not the
system's ability to manage simultaneous upgrades.
Previously, we recommended against upgrading more than
five devices at a time.
|
Important
|
Only upgrades to FTD Version 6.7+ see this
improvement. If you are upgrading devices to an
older FTD release—even if you are using the new
upgrade wizard—we still recommend you limit to five
devices at a time.
|
-
Grouping upgrades by device model.
You can now queue and invoke upgrades for all FTD models
at the same time, as long as the system has access to
the appropriate upgrade packages.
Previously, you would choose an upgrade package, then
choose the devices to upgrade using that package. That
meant that you could upgrade multiple devices at the
same time only if they shared an upgrade package.
For example, you could upgrade two Firepower 2100 series
devices at the same time, but not a Firepower 2100
series and a Firepower 1000 series.
|
|
Administration and Troubleshooting
|
|
Zero-touch restore for the ISA 3000 using the SD card.
|
When you perform a local backup, the backup file is copied to the SD
card if present. To restore the configuration on a replacement
device, simply install the SD card in the new device, and depress
the Reset button for 3 to 15 seconds during the device bootup.
|
|
Security and Hardening
|
|
New default password for AWS deployments.
|
For FMCv/FTDv for AWS, the default password for the admin account is
now the AWS Instance ID, unless you define a default password with
user data (Advanced Details > User Data)
during the initial deployment.
Previously, the default admin password was Admin123.
|
|
EST for certificate enrollment.
|
Support for Enrollment over Secure Transport for certificate
enrollment was provided.
New/modified pages: New enrollment options when configuring
Objects > PKI > Cert Enrollment > CA
Information tab.
|
|
Support for EdDSA certificate type.
|
A new certificate key type- EdDSA was added with key size 256.
New/modified pages: New certificate key options when configuring
Objects > PKI > Cert Enrollment >
Key tab.
|
|
AES-128 CMAC authentication for NTP servers.
|
You can now use AES-128 CMAC keys to secure connections between the
FMC and NTP
servers.
New/modified pages: System ().
|
|
SNMPv3 users can authenticate using a SHA-224 or SHA-384
authorization algorithm.
|
SNMPv3 users can now authenticate using a SHA-224 or SHA-384
algorithm.
New/modified pages: Devices > Platform Settings > SNMP >
Users > Auth Algorithm Type
|
|
Usability
|
|
Report appearance has changed.
|
To make reports appear cleaner and easier to read, we changed some
things about their appearance:
-
Changed red color accents to gray and blue.
-
Removed background shading on table and chart titles.
-
Removed alternating row colors in tables.
New/modified pages:
|
|
How-to location has changed.
|
now invokes walkthroughs. Previously, you clicked
How-Tos at the bottom of the browser
window.
|
|
Performance
|
|
Hardware crypto acceleration on FTDv using Intel QuickAssist
Technology (QAT).
|
We now support hardware crypto acceleration (CBC cipher only) on FTDv
for VMware and FTDv for KVM. This feature requires a Intel QAT 8970
PCI adapter/Version 1.7+ driver on the hosting platform. After you
reboot, hardware crypto acceleration is automatically enabled.
|
|
Improved CPU usage and performance for many-to-one and one-to-many
connections.
|
The system no longer creates local host objects and locks them when
creating connections, except for connections that involve dynamic
NAT/PAT and scanning threat detection and host statistics. This
improves FTD performance and CPU usage in situations where many
connections are going to the same server (such as a load balancer or
web server), or one endpoint is making connections to many remote
hosts.
We changed the following commands: clear
local-host (deprecated), show
local-host
|
|
FMC REST API
|
|
FMC REST API.
|
For information on changes to the management center REST API, see the
Firepower Management Center REST API Quick
Start Guide, Version 7.0,
|
|
Deprecated Features
|
|
End of support: VMware vSphere/VMware
ESXi 6.0.
|
We discontinued support for virtual deployments on VMware
vSphere/VMware ESXi 6.0. Upgrade the hosting environment to a
supported version before you upgrade the Firepower software.
|
|
Deprecated: RSA certificates with keys
smaller than 2048 bits, or that use SHA-1 in their signature
algorithm.
|
Prevents post-upgrade VPN connections through FTD devices.
We removed support for RSA certificates with keys smaller than 2048
bits, or that use SHA-1 in their signature algorithm.
Before you upgrade, use the object manager to update your PKI
certificate enrollments with stronger options: Objects
> PKI > Cert Enrollment. Otherwise, although
the upgrade preserves your current settings, VPN connections through
the device will fail.
To continue managing older FTD devices only (Version 6.4–6.7.x) with
these weaker options, select the new Enable
Weak-Crypto option for each device on the
Devices > Certificates page.
|
|
Deprecated: MD5 authentication
algorithm and DES encryption for SNMPv3 users.
|
Deletes Users. Prevents post-upgrade deploy.
We removed support for the MD5 authentication algorithm and DES
encryption for SNMPv3 users on FTD devices.
Upgrading FTD to Version 7.0+ deletes these users from the device,
regardless of the configurations on the FMC. If you are still using
these options in your platform settings policy, change and verify
your configurations before you upgrade FTD.
These options are in the Auth Algorithm Type
and Encryption Type drop-downs when creating
or editing an SNMPv3 user in a Threat Defense platform settings
policy: Devices > Platform Settings.
|
|
Deprecated: Port 32137 comms with AMP
clouds.
|
Prevents FMC upgrade.
We deprecated the FMC option to use port 32137 to obtain file
disposition data from public and private AMP clouds. Unless you
configure a proxy, the FMC now uses port 443/HTTPS.
Before you upgrade, disable the Use Legacy Port 32137 for
AMP for Networks option on the System () page. Do not proceed with upgrade until your AMP for
Networks deployment is working as expected.
|
|
Deprecated: HA Status health module.
|
We renamed the HA Status health module to the FMC HA Status
health module. This is to distinguish it from the new FTD HA Status
module.
|
|
Deprecated: Legacy API Explorer.
|
We removed support for the FMC REST API legacy API Explorer.
|
|
Deprecated: Geolocation details.
|
In
May 2022 we split the GeoDB into two packages: a country code
package mapping IP addresses to countries/continents, and an IP
package containing additional contextual data associated with
routable IP addresses. In January 2024, we stopped providing the
IP package. This saves disk space and does not affect
geolocation rules or traffic handling in any way. Any contextual
data is now stale, and upgrading to most later versions deletes
the IP package. Options to view contextual data have no effect,
and are removed in later versions.
|
Feedback