For more information, see the Firepower Management Center Command Line Reference in the management center administration guide, and the Cisco Secure Firewall Threat Defense Command Reference.

Platform

Secure Firewall 3100

We introduced the Secure Firewall 3110, 3120, 3130, and 3140.

You can hot swap a network module of the same type while the firewall is powered up without having to reboot; making other module changes requires a reboot. Secure Firewall 3100 25 Gbps interfaces support Forward Error Correction as well as speed detection based on the SFP installed. The SSDs are self-encrypting drives (SEDs), and if you have 2 SSDs, they form a software RAID. These devices support up to 8 units for Spanned EtherChannel clustering.

Note that the Version 7.1.0 release does not include online help for these devices; new online help is included in Version 7.1.0.2.

New/modified screens:

• Devices > Device Management > Add Cluster

• Devices > Device Management > More

• Devices > Device Management > Cluster

• Devices > Device Management > Chassis Operations

• Devices > Device Management > Interfaces > edit physical interface > Hardware Configuration

• Devices > Device Management

New/modified FTD CLI commands: configure network speed , configure raid , show raid , show ssd

FMCv300 for AWS

FMCv300 for OCI

We introduced the FMCv300 for both AWS and OCI. The FMCv300 can manage up to 300 devices.

FTDv for AWS instances.

FTDv for AWS adds support for these instances:

• c5a.xlarge, c5a.2xlarge, c5a.4xlarge

• c5ad.xlarge, c5ad.2xlarge, c5ad.4xlarge

• c5d.xlarge, c5d.2xlarge, c5d.4xlarge

• c5n.xlarge, c5n.2xlarge, c5n.4xlarge

• i3en.xlarge, i3en.2xlarge, i3en.3xlarge

• inf1.xlarge, inf1.2xlarge

• m5.xlarge, m5.2xlarge, m5.4xlarge

• m5a.xlarge, m5a.2xlarge, m5a.4xlarge

• m5ad.xlarge, m5ad.2xlarge, m5ad.4xlarge

• m5d.xlarge, m5d.2xlarge, m5d.4xlarge

• m5dn.xlarge, m5dn.2xlarge, m5dn.4xlarge

• m5n.xlarge, m5n.2xlarge, m5n.4xlarge

• m5zn.xlarge, m5zn.2xlarge, m5zn.3xlarge

• r5.xlarge, r5.2xlarge, r5.4xlarge

• r5a.xlarge, r5a.2xlarge, r5a.4xlarge

• r5ad.xlarge, r5ad.2xlarge, r5ad.4xlarge

• r5b.xlarge, r5b.2xlarge, r5b.4xlarge

• r5d.xlarge, r5d.2xlarge, r5d.4xlarge

• r5dn.xlarge, r5dn.2xlarge, r5dn.4xlarge

• r5n.xlarge, r5n.2xlarge, r5n.4xlarge

• z1d.xlarge, z1d.2xlarge, z1d.3xlarge

FTDv for Azure instances.

FTDv for Azure adds support for these instances:

• Standard_D8s_v3

• Standard_D16s_v3

• Standard_F8s_v2

• Standard_F16s_v2

Use FDM to configure the FTD for management by the FMC.

Device Upgrade

Revert a successful device upgrade.

Minimum FTD: 7.1

Improvements to the upgrade workflow for clustered and high availability devices.

We made the following improvements to the upgrade workflow for clustered and high availability devices:

• The upgrade wizard now correctly displays clustered and high availability units as groups, rather than as individual devices. The system can identify, report, and preemptively require fixes for group-related issues you might have. For example, you cannot upgrade a cluster on the Firepower 4100/9300 if you have made unsynced changes on Firepower Chassis Manager.

• We improved the speed and efficiency of copying upgrade packages to clusters and high availability pairs. Previously, the FMC copied the package to each group member sequentially. Now, group members can get the package from each other as part of their normal sync process.

• You can now specify the upgrade order of data units in a cluster. The control unit always upgrades last.

For Snort 3, new features and resolved bugs require that you fully upgrade the FMC and its managed devices. Unlike Snort 2, you cannot update the inspection engine on an older device (for example, Version 7.0) by deploying from a newer FMC (for example, Version 7.1).

When you deploy to an older device, the system lists any unsupported configurations and warns you that they will be skipped. We recommend you always update your entire deployment.

Device Management

Geneve interface support for an FTDv on AWS instances.

Geneve encapsulation support was added to support single-arm proxy for the AWS Gateway Load Balancer (GWLB). The AWS GWLB combines a transparent network gateway (with a single entry and exit point for all traffic) and a load balancer that distributes traffic and scales FTDv to match the traffic demand.

This support requires FMC with Snort 3 enabled and is available on the following performance tiers:

• FTDv20

• FTDv30

• FTDv50

• FTDv100

Single Root I/O Virtualization (SR-IOV) support for FTDv on OCI.

You can now implement Single Root Input/Output Virtualization (SR-IOV) for FTDv on OCI. SR-IOV can provide performance improvements for an FTDv. Mellanox 5 as vNICs are not supported in SR-IOV mode.

LLDP support for the Firepower 1100.

Interface auto-negotiation is now set independently from speed and duplex, interface sync improved.

Support to specify trusted DNS servers.

Import and export device configurations.

High Availability/Scalability

High availability for:

• FMCv for AWS

• FMCv for OCI

We now support high availability on FMCv for AWS and FMCv for OCI.

In an FTD deployment, you need two identically licensed FMCs, as well as one FTD entitlement for each managed device. For example, to manage 10 FTD devices with an FMCv10 high availability pair, you need two FMCv10 entitlements and 10 FTD entitlements. If you are managing Version 6.5.0–7.0.x Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv entitlements.

Supported platforms: FMCv10, FMCv25, FMCv300 (not supported for FMCv2)

Autoscale on FTDv for OCI.

We now support autoscaling on FTDv for OCI.

The serverless infrastructure in cloud-based deployments allow you to automatically adjust the number of FTDv instances in an autoscale group based on capacity needs. This includes automatic registering/unregistering to and from the managing FMC.

Cluster deployment for firewall changes completes faster.

Clearing routes in a high availability group or cluster.

NAT

Manual NAT support for fully-qualified domain name (FQDN) objects as the translated destination.

You can use an FQDN network object, such as one specifying www.example.com, as the translated destination address in manual NAT rules. The system configures the rule based on the IP address returned from the DNS server.

Routing

BGP configuration to interconnect virtual routers.

You can configure BGP settings to dynamically leak routes among user-defined virtual routers, and between global virtual router and user-defined virtual routers. The import and export routes feature was introduced to exchange routes among the virtual routers by tagging them with route targets and optionally, filtering the matched routes with route maps. This BGP feature is accessible only when you select a user-defined virtual router.

New/modified screens: For a selected user-defined virtual router, Devices > Device Management > Routing > BGPv4/v6 > Route Import/Export

BGPv6 support for user-defined virtual routers.

FTD now supports configuring BGPv6 on user-defined virtual routers.

New/modified screens: For a selected user-defined virtual router, Devices > Device Management > Routing > BGPv6

Equal-Cost-Multi-Path (ECMP) zone support.

You can now group interfaces in traffic zones and configure Equal-Cost-Multi-Path (ECMP) routing in FMC.

ECMP routing was previously supported through FlexConfig policies.

New/modified screens: Devices > Device Management > Routing > ECMP

Direct Internet Access/Policy Based Routing

Direct internet access with policy based routing.

You can now configure policy based routing through the FMC to classify network traffic based on applications and to implement Direct Internet Access (DIA) to send traffic to the internet from a branch deployment. You can define a PBR policy and configure it on ingress interfaces, specifying match criteria and egress interfaces. Network traffic that matches the access control policy is forwarded through the egress interface based on priority or the order as configured in the policy.

New/modified screens: New policy page for configuring the policy based routing policy: Devices > Device Management > Routing > Policy Based Routing

Supported platforms: FTD

FMC REST API enhancements for direct internet access and policy based routing.

You can use the FMC REST API to configure Direct Internet Access through Policy Based Routing. The following enhancements have been made to the FMC REST API to support this:

• New APIs were added to enable you to create, view, edit, and delete your Policy Based Routing configuration

• New parameters added to existing APIs for Extended Access Control Lists to define applications

• New parameters added to existing APIs for device interfaces to define interface priority

Remote Access VPN

Copy RA VPN policies.

You can now create a new RA VPN policy by copying an existing policy. We added a copy button next to each policy on Devices > VPN > Remote Access.

AnyConnect VPN SAML external browser.

You can now configure AnyConnect VPN SAML External Browser to enable additional authentication choices, such as passwordless authentication, WebAuthN, FIDO, SSO, U2F, and an improved SAML experience due to the persistence of cookies. When you use SAML as the primary authentication method for a remote access VPN connection profile, you can elect to have the AnyConnect client use the client’s local browser instead of the AnyConnect embedded browser to perform the web authentication. This option enables single sign-on (SSO) between your VPN authentication and other corporate logins. Also choose this option if you want to support web authentication methods, such as biometric authentication and Yubikeys, that cannot be performed in the embedded browser.

We updated the remote access VPN connection profile wizard to allow you to configure the SAML Login Experience.

Multiple trustpoints for SAML identity providers on Microsoft Azure.

You can now add multiple RA VPN trustpoints for SAML identity providers, as required by Microsoft Azure.

In a Microsoft Azure network, Azure can support multiple applications for the same Entity ID. Each application (typically mapped to a different tunnel group) requires a unique certificate. This feature enables you to add multiple trustpoints for RA VPN in FTDv for Microsoft Azure.

Site to Site VPN

VPN filters.

You can now configure site to site VPN filters with rules that determine whether to allow or reject tunneled data packets based on criteria such as source address, destination address, and protocol.

The VPN filter is applied to post-decrypted traffic after it exits a tunnel and to pre-encrypted traffic before it enters a tunnel.

Unique local tunnel ID for IKEv2.

You can now configure a Local Tunnel ID per IKEv2 tunnel for both policy-based and route-based Site to Site VPNs. You can configure the local tunnel ID with the FMC web interface or from the REST API.

This local tunnel ID configuration enables Umbrella SIG integration with FTD.

Multiple IKE policies.

You can now configure multiple IKE policies for both policy-based and route-based Site to Site VPNs.

Multiple IKE policies can be configured through the FMC GUI and the REST API.

VPN monitoring dashboard.

Beta.

The Site to Site VPN Monitoring Dashboard provides:

• Visualization of tunnel status distribution across all devices

• Visualization of network topology consisting of VPN tunnels

• Ability to visually isolate and examine tunnels based on criteria like Topology, Device and Status

With Snort 3, you can now apply Security Intelligence to HTTP proxy traffic where the IP address is embedded into the HTTP request. For example, when a user uploads a Block list or an Allow list containing IP addresses or networks, the system matches on the destination server IP instead of proxy IP. As a result, traffic to the destination server can be blocked, monitored, or allowed (according to your Security Intelligence configuration).

Intrusion Detection and Prevention

Version 7.1 FMCs now support the following intrusion rule actions for FTD devices with Snort 3, including Version 7.0 devices:

• Drop: Drops the matching packet, but does not block further traffic in this connection. Generates an intrusion event.

• Reject: Drops the matching packet and blocks further traffic in this connection. For TCP traffic, sends a TCP reset. For UDP traffic, sends ICMP port unreachable to the source and destination hosts. Generates an intrusion event.

• Rewrite: Overwrites the matching packet based on the replace option in the rule. Generates an intrusion event.

• Pass: Allows matching packet to pass without further evaluation by any other intrusion rules. Does not generate an intrusion event.

To configure these new rule actions, edit the Snort 3 version of an intrusion policy and use the Rule Action drop-down for each rule.

Snort 3 support for TLS-based intrusion rules.

You can now create TLS-based intrusion rules to inspect decrypted TLS traffic with Snort 3. This feature allows Snort 3 intrusion rules to use TLS information.

Snort 3 support for inspection of DCE/RPC over SMB2.

Upgrade impact.

Version 7.1 with Snort 3 supports DCE/RPC inspection over SMB2.

After the first post-upgrade deploy to Snort 3 devices, existing DCE/RPC rules begin inspecting DCE/RPC over SMB2; previously these rules only inspected DCE/RPC over SMB1.

Snort 3 support for intrusion rule recommendations.

Version 7.1 FMCs now support intrusion rule recommendations for FTD devices with Snort 3, including Version 7.0 devices.

To configure this feature, edit the Snort 3 version of an intrusion policy and click the Recommendations button (in the left pane, next to All Rules).

Snort 3 support for ssl_version and ssl_state keywords.

Upgrade impact.

Version 7.1 with Snort 3 supports the ssl_version and ssl_state intrusion rule keywords.

Cisco-provided intrusion policies include active rules using those keywords. You can also create, upload, and deploy custom/third party rules using them. In Version 7.0.x, we supported those keywords with Snort 2 only. With Snort 3, rules with those keywords did not match traffic, and thus could not generate alerts or affect traffic. There was no indication that the rules were not working as expected. After the first post-upgrade deploy to Version 7.1+ Snort 3 devices, existing rules with those keywords can match traffic.

Identity Services and User Control

Snort 3 captive portal support for interception of HTTP/2 traffic.

You can now intercept and redirect HTTP/2 traffic for user authentication with captive portal.

When a redirect is received by the browser, the browser follows the redirect and authenticates with idhttpsd (Apache web server) using the same process as the HTTP/1 captive portal. After authentication, idhttpsd redirects the user back to the original URL.

Snort 3 captive portal support for hostname-based redirect.

You can configure active authentication for identity policy rules to redirect the user’s authentication to a fully-qualified domain name (FQDN) rather than the IP address of the interface through which the user’s connection enters the device.

The FQDN must resolve to the IP address of one of the interfaces on the device. By using an FQDN, you can assign a certificate for active authentication that the client will recognize, thus avoiding the untrusted certificate warning users get when being redirected to an IP address. The certificate can specify the FQDN, a wildcard FQDN, or multiple FQDNs in the Subject Alternate Names (SAN) in the certificate.

New/modified screens: We added the Redirect to Host Name option in the identity policy settings.

Encrypted Traffic Handling (TLS/SSL)

Advanced TLS/SSL policy options.

You can now configure the following advanced TLS/SSL policy options in the Advanced Settings tab on the SSL Policy page:

• Block flows requesting ESNI (Encrypted Server Name Identification)

• Disable HTTP/3 advertisement

• Propagate untrusted server certificates to clients

Encrypted Visibility Engine for visibility into encrypted sessions.

Beta.

You can enable the Encrypted Visibility Engine to gain visibility into an encrypted session without needing to decrypt it. The engine fingerprints and analyzes encrypted traffic. In FMC 7.1, the Encrypted Visibility Engine provides more visibility into encrypted traffic, including protocols such as TLS and QUIC. It does not enforce any actions on that traffic.

The Encrypted Visibility Engine is disabled by default. You can enable it on the Advanced tab of an access control policy in the Experimental Features section.

New/modified screens: Policies > Access Control > Access Control Policy name > Advanced

Configure the maximum segment size (MSS) for embryonic connections.

You can configure a service policy to set the server maximum segment size (MSS) for SYN-cookie generation for embryonic connections upon reaching the embryonic connections limit. This is meaningful for service policies where you are also setting embryonic connection maximums.

New/modified screens: Connection Settings in the Add/Edit Service Policy wizard.

Network Discovery

With improvements to network discovery and remote network access support, Snort 3 is now at parity with Snort 2 for those features. The improvements include:

• Discovery of hosts and applications for SMB traffic: For SMB traffic on your network, the host is discovered in the network map, and the SMB application protocol and associated operating system information are discovered.

• Discovery of NetBIOS traffic: For NetBIOS traffic, the NetBIOS name is discovered as well as associated information related to applications, such as the client application and operating system.

• Discovery of applications only for hosts/networks monitored by the network discovery policy: This enhancement to the filtering logic enables you to discover applications for networks that are being monitored based on a network discovery rule.

In Snort 3, application detection is always enabled for all networks by default.

Event Logging and Analysis

Snort 3 support for elephant flow identification and monitoring.

With FTD running Snort 3, you can now identify elephant flows—single-session network connections that are large enough to affect overall system performance. By default, elephant flow detection is automatically enabled, and tracks and logs connections larger than 1GB/10 seconds.

A new predefined search for connection events (Reason = Elephant Flow) allows you to quickly identify elephant flows. You can also use the health monitor to view active elephant flows on your devices, and to create a custom health dashboard to correlate elephant flow incidence with other device metrics such as CPU usage.

New/modified FTD CLI commands:

• show elephant-flow status

• show elephant-flow detection-config

• system support elephant-flow-detection enable

• system support elephant-flow-detection disable

• system support elephant-flow-detection bytes-threshold bytes-in-MB

• system support elephant-flow-detection time-threshold time-in-seconds

Send intrusion events and retrospective malware events to the Secure Network Analytics cloud from the FMC.

Upgrade impact.

When you configure the system to send security events to the Stealthwatch cloud using Cisco Security Analytics and Logging (SaaS), the FMC now sends:

• Intrusion events. This allows remotely stored intrusion events to include impact flag data. Previously, these events were sent to the cloud by FTD and did not include the impact flag.

• Retrospective malware events. These supplement the "original disposition" file and malware events that are still sent to the cloud by devices.

If you already enabled this feature, the FMC starts sending this information after a successful upgrade.

New datastore for intrusion events improves performance.

To improve performance, Version 7.1 uses a new datastore for intrusion events. After the upgrade finishes and the FMC reboots, historical events are migrated in the background, newest events first.

As part of this migration, we deprecated intrusion incidents, the intrusion event clipboard, and custom tables for intrusion events. We also introduced two new fields in the intrusion event table: Source Host Criticality and Destination Host Criticality.

NAT IP address and port information in connection and Security Intelligence events.

For additional visibility into NAT translations, we added the following fields to connection and Security Intelligence events:

• NAT Source IP

• NAT Destination IP

• NAT Source Port

• NAT Destination Port

In the table view of events, these fields are hidden by default. To change the fields that appear, click the x in any column name to display a field chooser.

Packet tracer enhancements.

Version 7.1 updates the packet tracer interface for better usability. In addition, you can now:

• Access the packet tracer directly from the main menu: Devices > Troubleshoot > Packet Tracer.

• Save packet traces.

• Run parallel packet traces across multiple devices.

• Replay PCAPs through a device.

• For Snort 3 devices, view enhanced output that provides new details on the phases of traffic evaluation from L2 to L7 (application identification, file/malware detection, intrusion detection, Security Intelligence, and so on), as well as how long each phase takes.

New/modified FTD CLI commands:

• packet-tracer inputsource_interfacepcappcap_filename

Object Management

Network object support for HTTP, ICMP, and SSH platform settings.

You can now use network object groups that contain network objects for hosts or networks when configuring the IP addresses in the Threat Defense Platform Settings policy.

Snort 3 support for network wildcard mask objects.

You can now create and manage network wildcard mask objects on the Object Management page. You can use network wildcard mask objects in access control, prefilter, and NAT policies.

Deployment preview enhancements for objects.

Integrations

Support for Cisco ACI Endpoint Update App, Version 2.0 and remediation module.

Version 2.0 of the Cisco ACI Endpoint Update App has the following improvements over previous versions:

• The minimum update interval (how often the app updates the FMC) is now 10 seconds. Previously, it was 30 seconds.

• The site prefix (a string that creates a network group object on the FMC associated with each APIC tenant) is now limited to 10 characters. Previously, it was 5 characters.

A new Cisco ACI Endpoint remediation module is also available with this update.

Usability, Performance, and Troubleshooting

Health monitoring enhancements.

We updated the health monitor as follows:

• The health policy editor now groups similar health modules. You can enable and disable entire module groups.

• The health policy exclusion editor is updated for better usability. Also, when you exclude a device or health module from alerting, you can now specify a time period for the exclusion, from 15 minutes to permanently.

• The health monitor alert editor is updated for better usability.

• The health policy deployment interface is updated for better usability.

New/modified screens:

• System () > Health > Policy > Edit Policy

• System () > Health > Exclude

• System () > Health > Monitor Alerts

• System () > Health > Policy > Deploy Policy

Deployment history enhancements.

You can now bookmark a deployment job, edit the deployment notes for a job, and generate a report.

Global search enhancements.

Global search now has the following capabilities:

• You can search the full text of FMC walkthroughs (how-tos).

• You can search extended community list names or configured values.

• You can restrict searches by domain.

New walkthroughs.

We added the following walkthroughs:

• Create a Snort 3 intrusion policy.

• Enable or disable Snort 3 on an individual device.

• Create a Snort 3 network analysis policy.

• View the network analysis policy mapping.

• Upgrade FTD.

• Create and manage a cluster.

• Change the FMC access interface from Management to Data.

• Change the FMC access interface from Data to Management.

Snort memory usage telemetry sent to Cisco Success Network.

For improved serviceability, we now send telemetry on Snort memory and swap usage, including out-of-memory events, to Cisco Success Network.

We send this information for both Snort 2 and Snort 3. You can change your Cisco Success Network enrollment at any time.

Snort 3 support for statistics on start-of-flow and end-of-flow events.

For FTD with Snort 3, the output of the show snort statistics command now reports statistics on start-of-flow and end-of-flow events.

Web interface changes: SecureX, threat intelligence, and other integrations.

Version 7.1 changes these FMC menu options if you are upgrading from Version 7.0.2 or any later Version 7.0.x maintenance release.

FMC REST API

FMC REST API services/operations.

For information on changes to the FMC REST API, see What's New in 7.1 in the REST API quick start guide.

End of support: FMC 1000, 2500, 4500

You cannot run Version 7.1+ on the FMC models FMC 1000, 2500, and 4500. You cannot manage Version 7.1+ devices with these FMCs.

End of support: ASA 5508-X and 5516-X

You cannot run Version 7.1+ on the ASA 5508-X or 5516-X.

End of support: NGIPS software (ASA FirePOWER/NGIPSv).

Deprecated: Intrusion incidents and the intrusion event clipboard.

Data and configurations can be deleted.

We removed the intrusion incidents feature and the related intrusion event clipboard. The upgrade removes all data related to incidents, and deletes report templates sections that use the clipboard as a data source.

Deprecated screens/options:

• Analysis > Intrusions > Incidents

• Analysis > Intrusions > Clipboard

• Copy and Copy All on intrusion event workflow pages and packet views

• When adding sections to a report template (Overview > Reporting > Report Templates), you can no longer choose the Clipboard table as a data source.

Deprecated: Custom tables for intrusion events.

Custom tables can be deleted.

Version 7.1 ends support for custom tables for intrusion events. The upgrade deletes custom tables that contain fields from the intrusion event table.

When adding fields to a custom table (Analysis > Advanced > Custom Tables), you can no longer choose the Intrusion Events table as a data source.

Deprecated: ECMP zones with FlexConfig.

FlexConfig settings ignored. Can prevent deploy.

You can now group interfaces in traffic zones and configure Equal-Cost-Multi-Path (ECMP) routing in the management center web interface. After upgrade, the system ignores ECMP zones configured with FlexConfig. You cannot deploy with equal-cost static routes exist and must assign their interfaces to an ECMP zone.

Temporarily deprecated: Improved SecureX integration, SecureX orchestration.

Can prevent upgrade.

Version 7.1 temporarily deprecates the SecureX integration and orchestration improvements introduced in Version 7.0.2. The improved experience returns in Version 7.2.

If you newly enabled SecureX integration in Version 7.0.2 or later maintenance release, you must disable the feature before you upgrade to Version 7.1. You can re-enable the feature after successful upgrade, using the older method. There are no upgrade issues if you enabled SecureX integration in Version 7.0.0 or 7.0.1, or if you upgrade to Version 7.2.

Deprecated: Geolocation details.