New Features by Release

This document describes new and deprecated features for each release, including upgrade impact.

A feature has upgrade impact if upgrading and deploying will cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. Or, sometimes the upgrade process has a special requirement; for example, in some cases you must perform a non-standard task before or after upgrade (edit or delete a specific configuration, apply health policies, redo FlexConfig commands in the web interface, and so on).

Although you can manage older devices with a newer management center, we recommend you always update your entire deployment. New traffic-handling features usually require the latest release on both the management center and device. Features where devices are not obviously involved (cosmetic changes to the web interface, cloud integrations) may only require the latest version on the management center, but that is not guaranteed.

Note that if you are using the web interface in a language other than English, features introduced in maintenance releases and patches may not be translated until the next major release.

Suggested Release: Version 7.2.5.x

To take advantage of new features and resolved issues, we recommend you upgrade all eligible appliances to at least the suggested release, including the latest patch. On the Cisco Support & Download site, the suggested release is marked with a gold star. In Version 7.2.6+/7.4.1+, the management center notifies you when a new suggested release is available, and indicates suggested releases on its product upgrades page.

Suggested Releases for Older Appliances

If an appliance is too old to run the suggested release and you do not plan to refresh the hardware right now, choose a major version then patch as far as possible. Some major versions are designated long-term or extra long-term, so consider one of those. For an explanation of these terms, see Cisco NGFW Product Line Software Release and Sustaining Bulletin.

If you are interested in a hardware refresh, contact your Cisco representative or partner contact.

Management Center Features in Version 7.4.1

Table 1. Management Center Features in Version 7.4.1

Feature

Minimum Management Center

Minimum Threat Defense

Details

Reintroduced Features

Reintroduced features.

Feature dependent

Feature dependent

Version 7.4.1 reintroduces features, enhancements, and critical fixes that were included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but that were not included in odd-numbered versions (7.1.x, 7.3.x) or in Version 7.4.0.

Reintroduced features include:

Platform

Network modules for the Secure Firewall 3130 and 3140.

7.4.1

7.4.1

The Secure Firewall 3130 and 3140 now support these network modules:

  • 2-port 100G QSFP+ network module (FPR3K-XNM-2X100G)

See: Cisco Secure Firewall 3110, 3120, 3130, and 3140 Hardware Installation Guide

Optical transceivers for Firepower 9300 network modules.

7.4.1

7.4.1

The Firepower 9300 now supports these optical transceivers:

  • QSFP-40/100-SRBD

  • QSFP-100G-SR1.2

  • QSFP-100G-SM-SR

On these network modules:

  • FPR9K-NM-4X100G

  • FPR9K-NM-2X100G

  • FPR9K-DNM-2X100G

See: Cisco Firepower 9300 Hardware Installation Guide

Performance profile support for the Secure Firewall 3100.

7.4.1

7.4.1

The performance profile settings available in the platform settings policy now apply to the Secure Firewall 3100. Previously, this feature was supported on the Firepower 4100/9300, the Secure Firewall 4200, and on threat defense virtual.

Interfaces

Deploy without the diagnostic interface on threat defense virtual for Azure and GCP.

7.4.1

7.4.1

You can now deploy without the diagnostic interface on threat defense virtual for Azure and GCP. Previously, we required one management, one diagnostic, and at least two data interfaces. New interface requirements are:

  • Azure: one management, two data (max eight)

  • GCP: one management, three data (max eight)

Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

Device Management

Device management services supported on user-defined VRF interfaces.

7.4.1

Any

Device management services configured in the threat defense platform settings (NetFlow, SSH access, SNMP hosts, syslog servers) are now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces.

Platform restrictions: Not supported with container instances or clustered devices.

High Availability/Scalability: Threat Defense

Multi-instance mode for the Secure Firewall 3100.

7.4.1

7.4.1

You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices. Note that in multi-instance mode, you upgrade the operating system and the firmware (chassis upgrade) separately from the container instances (threat defense upgrade).

New/modified screens:

  • Devices > Device Management > Add > Chassis

  • Devices > Device Management > Device > Chassis Manager

  • Devices > Platform Settings > New Policy > Chassis Platform Settings

  • Devices > Chassis Upgrade

New/modified threat defense CLI commands: configure multi-instance network ipv4 , configure multi-instance network ipv6

New/modified FXOS CLI commands: create device-manager , set deploymode

Platform restrictions: Not supported on the Secure Firewall 3105.

16-node clusters for threat defense virtual for VMware and KVM.

7.4.1

7.4.1

You can now configure 16-node clusters for threat defense virtual for VMware and threat defense virtual for KVM.

Target failover for clustered threat defense virtual devices for AWS.

7.4.1

7.4.1

You can now configure target failover for clustered threat defense virtual devices for AWS using the AWS Gateway Load Balancer (GWLB).

Platform restrictions: Not available with five and ten-device licenses.

Detect configuration mismatches in threat defense high availability pairs.

7.4.1

7.4.1

You can now use the CLI to detect configuration mismatches in threat defense high availability pairs.

New/modified CLI commands: show failover config-sync error , show failover config-sync stats

High Availability: Management Center

Management center high availability synchronization enhancements.

7.4.1

Any

Management center high availability (HA) includes the following synchronization enhancements:

  • Large configuration history files can cause synchronization to fail in high-latency networks. To prevent this from happening, the device configuration history files are now synchronized in parallel with other configuration data. This enhancement also reduces the synchronization time.

  • The management center now monitors the configuration history file synchronization process and displays a health alert if the synchronization times out.

New/modified screens: You can view these alerts on the following screens:

  • Notifications > Message Center > Health

  • Integration > Other Integrations > High Availability > Status (under Summary)

See: Viewing Management Center High Availability Status

SD-WAN

Application monitoring on the SD-WAN Summary dashboard.

7.4.1

7.4.1

You can now monitor WAN interface application performance on the SD-WAN Summary dashboard.

New/modified screens: Overview > SD-WAN Summary > Application Monitoring

VPN

IPsec flow offload on the VTI loopback interface for the Secure Firewall 3100.

7.4.1

7.4.1

Upgrade impact. Qualifying connections start being offloaded.

On the Secure Firewall 3100, qualifying IPsec connections through the VTI loopback interface are now offloaded by default. Previously, this feature was only supported on physical interfaces. This feature is automatically enabled by the upgrade.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

Crypto debugging enhancements for the Secure Firewall 3100 and Firepower 4100/9300.

7.4.1

7.4.1

The crypto debugging enhancements introduced in Version 7.4.0 now apply to the Secure Firewall 3100 and the Firepower 4100/9300. Previously, they were only supported on the Secure Firewall 4200.

View details of the VTIs in route-based VPNs.

7.4.1

Any

You can now view the details of route-based VPNs' virtual tunnel interfaces (VTI) on your managed devices. You can also view details of all the dynamically created virtual access interfaces of the dynamic VTIs.

New/modified screens: Device > Device Management > Edit a device > Interfaces > Virtual Tunnels tab.

Routing

Configure BFD routing on IS-IS interfaces with FlexConfig.

7.4.1

7.4.1

You can now use FlexConfig to configure Bidirectional Forwarding Detection (BFD) routing on physical, subinterface, and EtherChannel IS-IS interfaces.

Access Control: Threat Detection and Application Identification

Zero trust access enhancements.

7.4.1

7.4.1 with Snort 3

Management center now includes the following zero trust access enhancements:

  • You can configure source NAT for an application. The configured network object or object group translates the incoming request's public network source IP address to a routable IP address inside the application network.

  • You can troubleshoot the zero trust configuration issues using the diagnostics tool.

  • To enhance your experience, we now collect zero trust application policy telemetry data.

New/modified screens: Policies > Access Control > Zero Trust Application

New/modified CLI commands: show running-config zero-trust , show zero-trust statistics

See:

CIP detection.

7.4.1

7.4.1 with Snort 3

You can now detect and handle Common Industrial Protocol (CIP) by using CIP and Ethernet/IP (ENIP) application conditions in your security policies.

CIP safety detection.

7.4.1

7.4.1 with Snort 3

CIP Safety is a CIP extension that enables the safe operation of industrial automation applications. The CIP inspector can now detect the CIP Safety segments in the CIP traffic. To detect and take action on the CIP Safety segments, enable the CIP inspector in the management center's network Analysis policy and assign it to an access control policy.

New/modified screens: Policies > Access Control > Edit a policy > Add Rule > Applications tab > Search for CIP Safety in the search box.

See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide

Access Control: Identity

Captive portal support for multiple Active Directory realms (realm sequences).

7.4.1

7.4.1

Upgrade impact. Update custom authentication forms.

You can configure active authentication for either an LDAP realm; or a Microsoft Active Directory realm or a realm sequence. In addition, you can configure a passive authentication rule to fall back to active authentication using either a realm or a realm sequence. You can optionally share sessions between managed devices that share the same identity policy in access control rules.

In addition, you have the option to require users to authenticate again when they access the system using a different managed device than they accessed previously.

If you use the HTTP Response Page authentication type, after you upgrade threat defense, you must add <select name="realm" id="realm"></select> to your custom authentication form. This allows the user to choose between realms.

Restrictions: Not supported with Microsoft Azure Active Directory.

New/modified screens:

  • Policies > Identity > (edit policy) > Active Authentication > Share active authentication sessions across firewalls

  • Identity policy > (edit) > Add Rule > Passive Authentication > Realms & Settings > Use active authentication if passive or VPN identity cannot be established

  • Identity policy > (edit) > Add Rule > Active Authentication > Realms & Settings > Use active authentication if passive or VPN identity cannot be established

Share captive portal active authentication sessions across firewalls.

7.4.1

7.4.1

Determines whether or not users are required to authenticate when their authentication session is sent to a different managed device than one they previously connected to. If your organization requires users to authenticate every time they change locations or sites, you should disable this option.

  • (Default.) Enable to allow users to authenticate with any managed device associated with the active authentication identity rule.

  • Disable to require the user to authenticate with a different managed device, even if they have already authenticated with another managed device to which the active authentication rule is deployed.

New/modified screens: Policies > Identity > (edit policy) > Active Authentication > Share active authentication sessions across firewalls

Merge downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources, using the management center web interface.

7.4.1

Any

Upgrade impact. Redo any related FlexConfigs after upgrade.

New/modified screens: Objects > Object Management > AAA Server > RADIUS Server Group > Add RADIUS Server Group > Merge Downloadable ACL with Cisco AV Pair ACL

New CLI commands:

  • sh run aaa-server aaa-server ISE-Server protocol radius merge-dacl after-avpair

  • sh run aaa-server aaa-server ISE-Server protocol radius merge-dacl before-avpair

Health Monitoring

Chassis-level health alerts for the Firepower 4100/9300.

7.4.1

Any with FXOS 2.14.1

Upgrade impact. Enable the new health module and apply device health policy after upgrade.

You can now view chassis-level health alerts for Firepower 4100/9300 by registering the chassis to the management center as a read-only device. You must also enable the Firewall Threat Defense Platform Faults health module and apply the health policy. The alerts appear in the Message Center, the health monitor (in the left pane, under Devices, select the chassis), and in the health events view.

You can also add a chassis (and view health alerts for) the Secure Firewall 3100 in multi-instance mode. For those devices, you use the management center to manage the chassis. But for the Firepower 4100/9300 chassis, you still must use the chassis manager or the FXOS CLI.

New/modified screens: Devices > Device Management > Add > Chassis

See: Add a Chassis to the Management Center

Improved management center memory usage calculation, alerting, and swap memory monitoring.

7.4.1

Any

Upgrade impact. Memory usage alert thresholds may be lowered.

We improved the accuracy of management center memory usage and have lowered the default alert thresholds to 88% warning/90% critical. If your thresholds were higher than the new defaults, the upgrade lowers them automatically—you do not have to apply health policies for this change to take place. Note that the management center may now reboot in extremely critical system memory condition if terminating high-memory processes does not work.

You can also add new swap memory usage metrics to a new or existing management center health dashboard. Make sure you choose the Memory metric group.

New/modified screens:

  • System (system gear icon) > Health > Monitoring > Firewall Management CenterAdd/Edit DashboardMemory

  • System (system gear icon) > Health > Policy > Management Center Health Policy > Memory

Deployment and Policy Management

Change management.

7.4.1

Any

You can enable change management if your organization needs to implement more formal processes for configuration changes, including audit tracking and official approval before changes are deployed.

We added the System (system gear icon) > Configuration > Change Management page to enable the feature. When enabled, there is a System (system gear icon) > Change Management Workflow page, and a new Ticket (Ticket icon) quick access icon in the menu.

See: Change Management

Upgrade

Firmware upgrades included in FXOS upgrades.

7.4.1

Any

Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot.

For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware.

Just as with software and operating system upgrades, do not make or deploy configuration changes during firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during firmware upgrade.

See: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide

Automatically generate configuration change reports after management center upgrade.

7.4.1

Any

You can automatically generate reports on configuration changes after major and maintenance management center upgrades. This helps you understand the changes you are about to deploy. After the system generates the reports, you can download them from the Tasks tab in the Message Center.

Other version restrictions: Only supported for management center upgrades from Version 7.4.1+. Not supported for upgrades to Version 7.4.1 or any earlier version.

New/modified screens: System (system gear icon) > Configuration > Upgrade Configuration > Enable Post-Upgrade Report

Administration

Erase the hard drives on a hardware management center.

7.4.1

Any

You can use the management center CLI to reboot and permanently erase its own hard drive data. After the erase is completed, you can install a fresh software image.

New/modified CLI commands: secure erase

See: Secure Firewall Management Center Command Line Reference

Usability, Performance, and Troubleshooting

Troubleshooting file generation and download available from Device and Cluster pages.

7.4.1

7.4.1

You can generate and download troubleshooting files for each device on the Device page and also for all cluster nodes on the Cluster page. For a cluster, you can download all files as a single compressed file. You can also include cluster logs for the cluster for cluster nodes. You can alternatively trigger file generation from the Devices > Device Management > More (more icon) > Troubleshoot Files menu.

New/modified screens:

  • Devices > Device Management > Device > General

  • Devices > Device Management > Cluster > General

Automatic generation of a troubleshooting file on a node when it fails to join the cluster.

7.4.1

7.4.1

If a node fails to join the cluster, a troubleshooting file is automatically generated for the node. You can download the file from Tasks or from the Cluster page.

View CLI output for a device or device cluster.

7.4.1

Any

You can view a set of pre-defined CLI outputs that can help you troubleshoot the device or cluster. You can also enter any show command and see the output.

New/modified screens: Devices > Device Management > Cluster > General

Quick recovery after data plane failure for the Firepower 1000/2100 and Firepower 4100/9300.

7.4.1

7.4.1

If the data plane process crashes, the system now reloads only the data plane process instead of rebooting the device. Along with the data plane process reload, Snort and a few other processes also get reloaded.

However, if the data plane process crashes during bootup, the device follows the normal reload/reboot sequence, which helps avoid a reload process loop from occurring.

This feature is enabled by default for both new and upgraded devices.

New/modified CLI commands: data-plane quick-reload , no data-plane quick-reload , show data-plane quick-reload status

Supported platforms: Firepower 1000/2100, Firepower 4100/9300

Platform restrictions: Not supported in multi-instance mode.

See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Secure Firewall ASA Series Command Reference.

Deprecated Features

Deprecated: frequent drain of events health alerts.

7.4.1

7.4.1

The Disk Usage health module no longer alerts with frequent drain of events. You may continue to see these alerts after management center upgrade until you either deploy health policies to managed devices (stops the display of alerts) or upgrade devices to Version 7.4.1+ (stops the sending of alerts).

Deprecated: VPN Tunnel Status health module.

7.4.1

Any

We deprecated the VPN Tunnel Status health module. Use the VPN dashboards instead.

Deprecated: Merging downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources with FlexConfig.

7.4.1

Any

Upgrade impact. Redo any related FlexConfigs after upgrade.

This feature is now supported in the management center web interface.

Management Center Features in Version 7.4.0


Note


Version 7.4.0 is available only on the Secure Firewall Management Center and the Secure Firewall 4200. A Version 7.4.0 management center can manage older versions of other device models, but you must use a Secure Firewall 4200 for features that require threat defense 7.4.0. Support for all other device platforms resumes in Version 7.4.1.


Table 2. Management Center Features in Version 7.4.0

Feature

Minimum Management Center

Minimum Threat Defense

Details

Reintroduced Features

Reintroduced features.

7.4.0

Feature dependent

Version 7.4.0 reintroduces features, enhancements, and critical fixes that were included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but that were not included in odd-numbered versions (7.1.x, 7.3.x).

Reintroduced features include:

Platform

Management center 1700, 2700, 4700.

7.4.0

Any

We introduced the Secure Firewall Management Center 1700, 2700, and 4700, which can manage up to 300 devices. Management center high availability is supported.

See: Cisco Secure Firewall Management Center 1700, 2700, and 4700 Getting Started Guide

Management center virtual for Microsoft Hyper-V.

7.4.0

Any

We introduced Secure Firewall Management Center Virtual for Microsoft Hyper-V, which can manage up to 25 devices. Management center high availability is supported.

See: Cisco Secure Firewall Management Center Virtual Getting Started Guide

Secure Firewall 4200.

7.4.0

7.4.0

We introduced the Secure Firewall 4215, 4225, and 4245.

These devices support the following new network modules:

  • 2-port 100G QSFP+ network module (FPR4K-XNM-2X100G)

  • 4-port 200G QSFP+ network module (FPR4K-XNM-4X200G)

See: Cisco Secure Firewall 4215, 4225, and 4245 Hardware Installation Guide

Performance profile support for the Secure Firewall 4200.

7.4.0

7.4.0

The performance profile settings available in the platform settings policy now apply to the Secure Firewall 4200. Previously, this feature was supported only on the Firepower 4100/9300 and on threat defense virtual.

See: Configure the Performance Profile

Platform Migration

Migrate from Firepower 1000/2100 to Secure Firewall 3100.

7.4.0

Any

You can now easily migrate configurations from the Firepower 1000/2100 to the Secure Firewall 3100.

New/modified screens: Devices > Device Management > Migrate

Platform restrictions: Migration not supported from the Firepower 1010 or 1010E.

See: About Secure Firewall Threat Defense Model Migration

Migrate from Firepower Management Center 4600 to Secure Firewall Management Center for AWS.

7.4.0

Any

You can migrate from Firepower Management Center 4600 to Secure Firewall Management Center Virtual for AWS with a 300-device license.

See: Cisco Secure Firewall Management Center Model Migration Guide

Migrate from Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700.

7.4.0

Any

You can migrate from Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700.

See: Cisco Secure Firewall Management Center Model Migration Guide

Migrate from Firepower Management Center 1000/2500/4500 to Secure Firewall Management Center 1700/2700/4700.

7.4.0 only

7.0.0

You can migrate Firepower Management Center 1000/2500/4500 to Secure Firewall Management Center 1700/2700/4700. To migrate, you must temporarily upgrade the old management center from Version 7.0 to Version 7.4.0.

Important

 

Version 7.4 is only supported on the 1000/2500/4500 during the migration process. You should minimize the time between management center upgrade and device migration.

To summarize the migration process:

  1. Prepare for upgrade and migration. Read, understand, and meet all the prerequisites outlined in the release notes, upgrade guides, and migration guide. Make sure the old management center is ready to go: freshly deployed, fully backed up, all appliances in good health, etc. You should also set up the new management center.

  2. Upgrade the old management center and all its managed devices to at least Version 7.0.0 (7.0.5 recommended). If you are already running the minimum version, you can skip this step.

  3. Upgrade the old management center to Version 7.4.0. Unzip (but do not untar) the upgrade package before uploading it to the management center. Download from: Special Release.

  4. Migrate the management center as described in the model migration guide.

  5. Verify migration success. If the migration does not function to your expectations and you want to switch back, note that Version 7.4 is unsupported for general operations on the 1000/2500/4500. To return the old management center to a supported version you must reimage back to Version 7.0, restore from backup, and reregister devices.

See:

If you have questions or need assistance at any point in the migration process, contact Cisco TAC.

Migrate devices from Firepower Management Center 1000/2500/4500 to cloud-delivered Firewall Management Center.

7.4.0 only

7.0.3

You can migrate devices from Firepower Management Center 1000/2500/4500 to cloud-delivered Firewall Management Center.

To migrate devices, you must temporarily upgrade the on-prem management center from Version 7.0.3 (7.0.5 recommended) to Version 7.4.0. This temporary upgrade is required because Version 7.0 management centers do not support device migration to the cloud. Additionally, only standalone and high availability threat defense devices running Version 7.0.3+ (7.0.5 recommended) are eligible for migration. Cluster migration is not supported at this time.

Important

 

Version 7.4.0 is only supported on the 1000/2500/4500 during the migration process. You should minimize the time between management center upgrade and device migration.

To summarize the migration process:

  1. Prepare for upgrade and migration. Read, understand, and meet all the prerequisites outlined in the release notes, upgrade guides, and migration guide.

    Before you upgrade, it is especially important that the on-prem management center is "ready to go," that is, managing only the devices you want to migrate, configuration impact assessed (such as VPN impact), freshly deployed, fully backed up, all appliances in good health, and so on.

    You should also provision, license, and prepare the cloud tenant. This must include a strategy for security event logging; you cannot retain the on-prem management center for analytics because it will be running an unsupported version.

  2. Upgrade the on-prem management center and all its managed devices to at least Version 7.0.3 (Version 7.0.5 recommended).

    If you are already running the minimum version, you can skip this step.

  3. Upgrade the on-prem management center to Version 7.4.0.

    Unzip (but do not untar) the upgrade package before uploading it to the management center. Download from: Special Release.

  4. Onboard the on-prem management center to CDO.

  5. Migrate all devices from the on-prem management center to the cloud-delivered Firewall Management Center as described in the migration guide.

    When you select devices to migrate, make sure you choose Delete FTD from On-Prem FMC. Note that the device is not fully deleted unless you commit the changes or 14 days pass.

  6. Verify migration success.

    If the migration does not function to your expectations, you have 14 days to switch back or it is committed automatically. However, note that Version 7.4.0 is unsupported for general operations. To return the on-prem management center to a supported version you must remove the re-migrated devices, re image back to Version 7.0.x, restore from backup, and reregister the devices.

See:

If you have questions or need assistance at any point in the migration process, contact Cisco TAC.

Device Management

Low-touch provisioning to register the Firepower 1000/2100 and Secure Firewall 3100 to the management center using a serial number.

7.4.0

Mgmt. center is publicly reachable: 7.2.0

Mgmt. center is not publicly reachable: 7.2.4

Low-touch provisioning lets you register Firepower 1000/2100 and Secure Firewall 3100 devices to the management center by serial number without having to perform any initial setup on the device. The management center integrates with SecureX and Cisco Defense Orchestrator for this functionality.

New/modified screens: Devices > Device Management > Add > Device > Serial Number

Other version restrictions: This feature is not supported on Version 7.3.x or 7.4.0 threat defense devices when the management center is not publicly reachable. Support returns in Version 7.4.1.

See: Add a Device to the Management Center Using the Serial Number (Low-Touch Provisioning)

Interfaces

Merged management and diagnostic interfaces.

7.4.0

7.4.0

Upgrade impact. Merge interfaces after upgrade.

For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available.

If you upgraded to 7.4 or later and:

  • You did not have any configuration for the diagnostic interface, then the interfaces will merge automatically.

  • You have configuration for the diagnostic interface, then you have the choice to merge the interfaces manually, or you can continue to use the separate diagnostic interface. Note that support for the diagnostic interface will be removed in a later release, so you should plan to merge the interfaces as soon as possible.

Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including Management) in the configuration.

For platform settings, this means:

  • You can no longer enable HTTP, ICMP, or SMTP for diagnostic.

  • For SNMP, you can allow hosts on management instead of diagnostic.

  • For Syslog servers, you can reach them on management instead of diagnostic.

  • If Platform Settings for syslog servers or SNMP hosts specify the diagnostic interface by name, then you must use separate Platform Settings policies for merged and non-merged devices.

  • DNS lookups no longer fall back to the management-only routing table if you do not specify interfaces.

New/modified screens: Devices > Device Management > Interfaces

New/modified commands: show management-interface convergence

See: Merge the Management and Diagnostic Interfaces

VXLAN VTEP IPv6 support.

7.4.0

7.4.0

You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the threat defense virtual cluster control link or for Geneve encapsulation.

New/modified screens:

  • Devices > Device Management > Edit Device > VTEP > Add VTEP

  • Devices > Device Management > Edit Devices > Interfaces > Add Interfaces > VNI Interface

See: Configure Geneve Interfaces

Loopback interface support for BGP and management traffic.

7.4.0

7.4.0

You can now use loopback interfaces for AAA, BGP, DNS, HTTP, ICMP, IPsec flow offload, NetFlow, SNMP, SSH, and syslog.

New/modified screens: Devices > Device Management > Edit device > Interfaces > Add Interfaces > Loopback Interface

See: Configure Loopback Interfaces

Loopback and management type interface group objects.

7.4.0

7.4.0

You can create interface group objects with only management-only or loopback interfaces. You can use these groups for management features such as DNS servers, HTTP access, or SSH. Loopback groups are available for any feature that can utilize loopback interfaces. However, it's important to note that DNS does not support management interfaces.

New/modified screens: Objects > Object Management > Interface > Add > Interface Group

See: Interface

High Availability/Scalability

Manage threat defense high availability pairs using a data interface.

7.4.0

7.4.0

Threat defense high availability now supports using a regular data interface for communication with the management center. Previously, only standalone devices supported this feature.

See: Using the Threat Defense Data Interface for Management

SD-WAN

WAN summary dashboard.

7.4.0

7.2.0

The WAN Summary dashboard provides a snapshot of your WAN devices and their interfaces. It provides insight into your WAN network and information about device health, interface connectivity, application throughput, and VPN connectivity. You can monitor the WAN links and take proactive and prompt recovery measures.

New/modified screens: Overview > WAN Summary

See: WAN Summary Dashboard

Policy-based routing using HTTP path monitoring.

7.4.0

7.2.0

Policy-based routing (PBR) can now use the performance metrics (RTT, jitter, packet-lost, and MOS) collected by path monitoring through HTTP client on the application domain rather than the metrics on a specific destination IP. HTTP-based application monitoring option is enabled by default for the interface. You can configure a PBR policy with match ACL having the monitored applications and interface ordering for path determination.

New/modified screens: Devices > Device Management > Edit device > Edit interface > Path Monitoring > Enable HTTP based Application Monitoring check box.

Platform restrictions: Not supported for clustered devices.

See: Configure Path Monitoring Settings

Policy-based routing with user identity and SGTs.

7.4.0

7.4.0

You can now classify the network traffic based on users and user groups, and SGTs in PBR policies. You can select the identity and SGT objects while defining the extended ACLs for the PBR policies.

New/modified screens: Objects > Object Management > Access List > Extended > Add/Edit Extended Access List > Add/Edit Extended Access List Entry > Users and Security Group Tag

See: Configure Extended ACL Objects

VPN

IPsec flow offload on the VTI loopback interface for the Secure Firewall 4200.

7.4.0

7.4.0

On the Secure Firewall 4200, qualifying IPsec connections through the VTI loopback interface are offloaded by default. Previously, this feature was supported for physical interfaces on the Secure Firewall 3100.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

Other requirements: FPGA firmware 6.2+

See: IPsec Flow Offload

Crypto debugging enhancements for the Secure Firewall 4200.

7.4.0

7.4.0

We made the following enhancements to crypto debugging:

  • The crypto archive is now available in text and binary formats.

  • Additional SSL counters are available for debugging.

  • Remove stuck encrypt rules from the ASP table without rebooting the device.

New/modified CLI commands: show counters

VPN: Remote Access

Customize Secure Client messages, icons, images, and connect/disconnect scripts.

7.4.0

7.1.0

You can now customize Secure Client and deploy these customizations to the VPN headend. The following are the supported Secure Client customizations:

  • GUI text and messages

  • Icons and images

  • Scripts

  • Binaries

  • Customized Installer Transforms

  • Localized Installer Transforms

Threat defense distributes these customizations to the endpoint when an end user connects from the Secure Client.

New/modified screens:

  • Objects > Object Management > VPN > Secure Client Customization

  • Devices > Remote Access > Edit VPN policy > Advanced > Secure Client Customization

See: Customize Cisco Secure Client

VPN: Site to Site

Easily view IKE and IPsec session details for VPN nodes.

7.4.0

Any

You can view the IKE and IPsec session details of VPN nodes in a user-friendly format in the Site-to-Site VPN dashboard.

New/modified screens: Overview > Site to Site VPN > Under the Tunnel Status widget, hover over a topology, click View, and then click the CLI Details tab.

See: Monitoring the Site-to-Site VPNs

Site-to-site VPN information in connection events.

7.4.0

7.4.0 with Snort 3

Connection events now contain three new fields: Encrypt Peer, Decrypt Peer, and VPN Action. For policy-based and route-based site-to-site VPN traffic, these fields indicate whether a connection was encrypted or decrypted (or both, for transiting connections), and who by.

New/modified screens: Analysis > Connections > Events > Table View of Events

See: Site to Site VPN Connection Event Monitoring

Easily exempt site-to-site VPN traffic from NAT translation.

7.4.0

Any

We now make it easier to exempt site-to-site VPN traffic from NAT translation.

New/modified screens:

  • Enable NAT exemptions for an endpoint: Devices > VPN > Site To Site > Add/Edit Site to Site VPN > Add/Edit Endpoint > Exempt VPN traffic from network address translation

  • View NAT exempt rules for devices that do not have a NAT policy: Devices > NAT > NAT Exemptions

  • View NAT exempt rules for a single device: Devices > NAT > Threat Defense NAT Policy > NAT Exemptions

See: NAT Exemption

Routing

Configure graceful restart for BGP on IPv6 networks.

7.4.0

7.3.0

You can now configure BGP graceful restart for IPv6 networks on managed devices version 7.3 and later.

New/modified screens: Devices > Device Management > Edit device > Routing > BGP > IPv6 > Neighbor > Add/Edit Neighbor.

See: Configure BGP Neighbor Settings

Virtual routing with dynamic VTI.

7.4.0

7.4.0

You can now configure a virtual router with a dynamic VTI for a route-based site-to-site VPN.

New/modified screens: Devices > Device Management > Edit Device > Routing > Virtual Router Properties > Dynamic VTI interfaces under Available Interfaces

Platform restrictions: Supported only on native mode standalone or high availability devices. Not supported for container instances or clustered devices.

See: About Virtual Routers and Dynamic VTI

Access Control: Threat Detection and Application Identification

Clientless zero-trust access.

7.4.0

7.4.0 with Snort 3

We introduced Zero Trust Access that allows you to authenticate and authorize access to protected web based resources, applications, or data from inside (on-premises) or outside (remote) the network using an external SAML Identity Provider (IdP) policy.

The configuration consists of a Zero Trust Application Policy (ZTAP), Application Group, and Applications.

New/modified screens:

  • Policies > Zero Trust Application

  • Analysis > Connections > Events

  • Overview > Dashboard > Zero Trust

New/modified CLI commands:

  • show running-config zero-trust application

  • show running-config zero-trust application-group

  • show zero-trust sessions

  • show zero-trust statistics

  • show cluster zero-trust statistics

  • clear zero-trust sessions application

  • clear zero-trust sessions user

  • clear zero-trust statistics

Encrypted visibility engine enhancements.

7.4.0

7.4.0 with Snort 3

Encrypted Visibility Engine (EVE) can now:

  • Block malicious communications in encrypted traffic based on threat score.

  • Determine client applications based on EVE-detected processes.

  • Reassemble fragmented Client Hello packets for detection purposes.

New/modified screens: Use the access control policy's advanced settings to enable EVE and configure these settings.

See: Encrypted Visibility Engine

Exempt specific networks and ports from bypassing or throttling elephant flows.

7.4.0

7.4.0 with Snort 3

You can now exempt specific networks and ports from bypassing or throttling elephant flows.

New/modified screens:

  • When you configure elephant flow detection in the access control policy's advanced settings, if you enable the Elephant Flow Remediation option, you can now click Add Rule and specify traffic that you want to exempt from bypass or throttling.

  • When the system detects an elephant flow that is exempted from bypass or throttling, it generates a mid-flow connection event with the reason Elephant Flow Exempted.

Platform restrictions: Not supported on the Firepower 2100 series.

First-packet application identification using custom application detectors.

7.4.0

7.4.0 with Snort 3

A new Lua detector API is now introduced, which maps the IP address, port, and protocol on the very first packet of a TCP session to application protocol (service AppID), client application (client AppID), and web application (payload AppID). This new Lua API addHostFirstPktApp is used for performance improvements, reinspection, and early detection of attacks in the traffic. To use this feature, you must upload the Lua detector by specifying the detection criteria in advanced detectors in your custom application detector.

See: Custom Application Detectors

Sensitive data detection and masking.

7.4.0

7.4.0 with Snort 3

Upgrade impact. New rules in default policies take effect.

Sensitive data such as social security numbers, credit card numbers, emails, and so on may be leaked onto the internet, intentionally or accidentally. Sensitive data detection is used to detect and generate events on possible sensitive data leakage and generates events only if there is a transfer of significant amount of Personally Identifiable Information (PII) data. Sensitive data detection can mask PII in the output of events, using built-in patterns.

Disabling data masking is not supported.

See: Custom Rules in Snort 3

Improved JavaScript inspection.

7.4.0

7.4.0 with Snort 3

We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content.

See: HTTP Inspect Inspector and Cisco Secure Firewall Management Center Snort 3 Configuration Guide

MITRE information in file and malware events.

7.4.0

7.4.0

The system now includes MITRE information (from local malware analysis) in file and malware events. Previously, this information was only available for intrusion events. You can view MITRE information in both the classic and unified events views. Note that the MITRE column is hidden by default in both event views.

See: Local Malware Analysis and File and Malware Event Fields

Smaller VDB for lower memory Snort 2 devices.

6.4.0.17

7.0.6

7.2.4

7.3.1.1

7.4.0

Any with Snort 2

Upgrade impact. Application identification on lower memory devices is affected.

For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB.

Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X

Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641.

Access Control: Identity

Cisco Secure Dynamic Attributes Connector on the management center.

7.4.0

Any

You can now configure the Cisco Secure Dynamic Attributes Connector on the management center. Previously, it was only available as a standalone application.

See: Cisco Secure Dynamic Attributes Connector

Microsoft Azure AD as a user identity source.

7.4.0

7.4.0

You can use a Microsoft Azure Active Directory (Azure AD) realm with ISE to authenticate users and get user sessions for user control.

New/modified screens:

  • Integration > Other Integrations > Realms > Add Realm > Azure AD

  • Integration > Other Integrations > Realms > Actions, such as downloading users, copying, editing, and deleting

Supported ISE versions: 3.0 patch 5+, 3.1 (any patch level), 3.2 (any patch level)

See: Create a Microsoft Azure Active Directory Realm

Event Logging and Analysis

Configure threat defense devices as NetFlow exporters from the management center web interface.

7.4.0

Any

Upgrade impact. Redo FlexConfigs after upgrade.

NetFlow is a Cisco application that provides statistics on packets flows. You can now use the management center web interface to configure threat defense devices as NetFlow exporters. If you have an existing NetFlow FlexConfig and redo your configurations in the web interface, you cannot deploy until you remove the deprecated FlexConfigs.

New/modified screens: Devices > Platform Settings > Threat Defense Settings Policy > NetFlow

See: Configure NetFlow

More information about "unknown" SSL actions in logged encrypted connections.

7.4.0

7.4.0

Serviceability improvements to the event reporting and decryption rule matching.

  • New SSL Status to indicate if the SSL handshake is not complete for an encrypted connection. The SSL Status column of the connection event displays “Unknown (Incomplete Handshake)” when the SSL handshake of the logged connection is not complete.

  • Subject Alternative Names (SANs) for certificates are now used when matching Certificate Authority (CA) names for improved decryption rule matching.

New/modified screens:

  • Analysis > Connections > Events > SSL Status

  • Analysis > Connections > Security-Related Events > SSL Status

See: Connection and Security-Related Connection Event Fields.

Health Monitoring

Stream telemetry to an external server using OpenConfig.

7.4.0

7.4.0

You can now send metrics and health monitoring information from your threat defense devices to an external server (gNMI collector) using OpenConfig. You can configure either threat defense or the collector to initiate the connection, which is encrypted by TLS.

New/modified screens: System (system gear icon) > Health > Policy > Firewall Threat Defense Policies > Settings > OpenConfig Streaming Telemetry

See: Send Vendor-Neutral Telemetry Streams Using OpenConfig

New asp drop metrics.

7.4.0

7.4.0

You can add over 600 new asp (accelerated security path) drop metrics to a new or existing device health dashboard. Make sure you choose the ASP Drops metric group.

New/modified screens: System (system gear icon) > Health > Monitor > Device

See: show asp drop Command Usage

Administration

Send detailed management center audit logs to syslog.

7.4.0

Any

You can stream configuration changes as part of audit log data to syslog by specifying the configuration data format and the hosts. The management center supports backup and restore of the audit configuration log.

New/modified screens: System (system gear icon) > Configuration > Audit Log > Send Configuration Changes

See: Stream Audit Logs to Syslog

Granular permissions for modifying access control policies and rules.

7.4.0

Any

You can define custom user roles to differentiate between the intrusion configuration in access control policies and rules and the rest of the access control policy and rules. Using these permissions, you can separate the responsibilities of your network administration team and your intrusion administration teams.

When defining user roles, you can select the Policies > Access Control > Access Control Policy > Modify Access Control Policy > Modify Threat Configuration option to allow the selection of intrusion policy, variable set, and file policy in a rule, the configuration of the advanced options for Network Analysis and Intrusion Policies, the configuration of the Security Intelligence policy for the access control policy, and intrusion actions in the policy default action. You can use the Modify Remaining Access Control Policy Configuration to control the ability to edit all other aspects of the policy. The existing pre-defined user roles that included the Modify Access Control Policy permission continue to support all sub-permissions; you need to create your own custom roles if you want to apply granular permissions.

See: Create Custom User Roles

Support for IPv6 URLs when checking certificate revocation.

7.4.0

7.4.0

Previously, threat defense supported only IPv4 OCSP URLs. Now, threat defense supports both IPv4 and IPv6 OCSP URLs.

See: Requiring Valid HTTPS Client Certificates and Certificate Enrollment Object Revocation Options

Default NTP server updated.

7.4.0

Any

The default NTP server for new management center deployments changed from sourcefire.pool.ntp.org to time.cisco.com. We recommend you use the management center to serve time to its own devices. You can update the management center's NTP server on System (system gear icon) > Configuration > Time Synchronization.

See: Internet Access Requirements

Usability, Performance, and Troubleshooting

Usability enhancements.

7.4.0

Any

You can now:

  • Manage Smart Licensing for threat defense clusters from System (system gear icon) > Smart Licenses. Previously, you had to use the Device Management page.

    See: Licensing for Device Clusters

  • Download a report of Message Center notifications. In the Message Center, click the new Download Report icon, next to the Show Notifications slider.

    See: Managing System Messages

  • Download a report of all registered devices. On Devices > Device Management, click the new Download Device List Report link, at the top right of the page.

    See: Download the Managed Device List

  • Clone network and port objects. In the object manager (Objects > Object Management), click the new Clone icon next to a port or network object. You can then change the new object's properties and save it using a new name.

    See: Creating Network Objects and Creating Port Objects

  • Easily create custom health monitoring dashboards, and easily edit existing dashboards.

    See: Correlating Device Metrics

Specify the direction of traffic to be captured with packet capture for the Secure Firewall 4200.

7.4.0

7.4.0

On the Secure Firewall 4200, you can use a new direction keyword with the capture command.

New/modified CLI commands: capturecapture_nameswitchinterfaceinterface_name[ direction{ both| egress| ingress} ]

See: Cisco Secure Firewall Threat Defense Command Reference

Snort 3 restarts when it becomes unresponsive, which can trigger HA failover.

7.4.0

7.4.0 with Snort 3

To improve continuity of operations, an unresponsive Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process becomes unresponsive. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.)

This feature is enabled by default. You can use the CLI to disable it, or configure the time or number of unresponsive threads before Snort restarts.

New/modified CLI commands: configure snort3-watchdog

See: Cisco Secure Firewall Threat Defense Command Reference

Cisco Success Network telemetry.

7.4.0

Any

For telemetry changes, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center, Version 7.4.x.

Management Center REST API

Management center REST API.

7.4.0

Any

For information on changes to the management center REST API, see What's New in Version 7.4 in the API quick start guide.

Deprecated Features

Temporarily deprecated features.

7.4.0

Any

Although upgrading to Version 7.4.0 is supported, the upgrade will remove critical features, fixes, and enhancements that may be included in your current version. Instead, upgrade to Version 7.4.1+.

From Version 7.2.5–7.2.x, upgrading removes:

From Version 7.2.6–7.2.x, upgrading removes:

Deprecated: NetFlow with FlexConfig.

7.4.0

Any

You can now configure threat defense devices as NetFlow exporters from the management center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs.

See: Configure NetFlow

Management Center Features in Version 7.3.1

Table 3. Management Center Features in Version 7.3.1.1

Feature

Minimum Management Center

Minimum Threat Defense

Details

Smaller VDB for lower memory Snort 2 devices.

6.4.0.17

7.0.6

7.2.4

7.3.1.1

7.4.0

Any with Snort 2

Upgrade impact. Application identification on lower memory devices is affected.

For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB.

Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X

Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641.

Table 4. Management Center Features in Version 7.3.1

Feature

Minimum Management Center

Minimum Threat Defense

Details

Secure Firewall 3105.

7.3.1

7.3.1

We introduced the Secure Firewall 3105.

Management Center Features in Version 7.3.0

Table 5. Management Center Features in Version 7.3.0

Feature

Minimum Management Center

Minimum Threat Defense

Details

Platform

Management center virtual 300 for KVM.

7.3.0

Any

We introduced the FMCv300 for KVM. The FMCv300 can manage up to 300 devices. High availability is supported.

Network modules for the Firepower 4100.

7.3.0

7.3.0

We introduced these network modules for the Firepower 4100:

  • 2-port 100G network module (FPR4K-NM-2X100G)

Supported platforms: Firepower 4112, 4115, 4125, 4145

ISA 3000 System LED support for shutting down.

7.3.0

7.0.5

7.3.0

Support returns for this feature. When you shut down the ISA 3000, the System LED turns off. Wait at least 10 seconds after that before you remove power from the device. This feature was introduced in Version 7.0.5 but was temporarily deprecated in Version 7.1–7.2.

New compute shapes for threat defense virtual and management center virtual for OCI.

7.3.0

7.3.0

Threat defense virtual for OCI adds support for the following compute shapes:

  • Intel VM.DenseIO2.8

  • Intel VM.StandardB1.4

  • Intel VM.StandardB1.8

  • Intel VM.Standard1.4

  • Intel VM.Standard1.8

  • Intel VM.Standard3.Flex

  • Intel VM.Optimized3.Flex

  • AMD VM.Standard.E4.Flex

Management center virtual for OCI adds support for the following compute shapes:

  • Intel VM.StandardB1.4

  • Intel VM.Standard3.Flex

  • Intel VM.Optimized3.Flex

  • AMD VM.Standard.E4.Flex

Note that the VM.Standard2.4 and VM.Standard2.8 compute shapes reached end of orderability in February 2022. If you are deploying Version 7.3+, we recommend one of the above compute shapes.

For information on compatible compute shapes, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Interfaces

IPv6 support for virtual appliances.

7.3.0

7.3.0

Threat defense virtual and management center virtual now support IPv6 in the following environments:

  • AWS

  • Azure

  • OCI

  • KVM

  • VMware

For more information, see Cisco Secure Firewall Threat Defense Virtual Getting Started Guide and Cisco Secure Firewall Management Center Virtual Getting Started Guide.

Loopback interface support for VTIs.

7.3.0

7.3.0

You can now configure a loopback interface for redundancy of static and dynamic VTI VPN tunnels. A loopback interface is a software interface that emulates a physical interface. It is reachable through multiple physical interfaces with IPv4 and IPv6 addresses.

New/modified screens: Devices > Device Management > Device > Interfaces > Add Interfaces > Add Loopback Interface

For more information, see Configure Loopback Interfaces in the device configuration guide.

Redundant manager access data interface.

7.3.0

7.3.0

When you use a data interface for manager access, you can configure a secondary data interface to take over management functions if the primary interface goes down. The device uses SLA monitoring to track the viability of the static routes and an ECMP zone that contains both interfaces so management traffic can use both interfaces.

New/modified screens:

  • Devices > Device Management > Device > Management

  • Devices > Device Management > Device > Interfaces > Manager Access

For more information, see Configure a Redundant Manager Access Data Interface in the device configuration guide.

IPv6 DHCP.

7.3.0

7.3.0

We now support the following features for IPv6 addressing:

  • DHCPv6 Address client: Threat defense obtains an IPv6 global address and optional default route from the DHCPv6 server.

  • DHCPv6 Prefix Delegation client: Threat defense obtains delegated prefix(es) from a DHCPv6 server. It can then use these prefixes to configure other threat defense interface addresses so that StateLess Address Auto Configuration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.

  • BGP router advertisement for delegated prefixes.

  • DHCPv6 stateless server: Threat defense provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to threat defense. Threat defense only accepts IR packets and does not assign addresses to the clients.

New/modified screens:

  • Devices > Device Management > Device > Interfaces > Interface > IPv6 > DHCP

  • Objects > Object Management > DHCP IPv6 Pool

New/modified CLI commands: show bgp ipv6 unicast , show ipv6 dhcp , show ipv6 general-prefix

For more information, see Configure the IPv6 Prefix Delegation Client, BGP, and Configure the DHCPv6 Stateless Server in the device configuration guide.

Paired proxy VXLAN for the threat defense virtual for the Azure Gateway Load Balancer.

7.3.0

7.3.0

You can configure a paired proxy mode VXLAN interface for threat defense virtual for Azure for use with the Azure Gateway Load Balancer. The device defines an external interface and an internal interface on a single NIC by utilizing VXLAN segments in a paired proxy.

New/modified screens: Devices > Device Management > Device > Interfaces > Add Interfaces > VNI Interface

For more information, see Configure VXLAN Interfaces in the device configuration guide.

High Availability/Scalability

High availability for management center virtual for KVM.

7.3.0

Any

We now support high availability for management center virtual for KVM.

In a threat defense deployment, you need two identically licensed management centers, as well as one threat defense entitlement for each managed device. For example, to manage 10 devices with an FMCv10 high availability pair, you need two FMCv10 entitlements and 10 threat defense entitlements. If you are managing Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv entitlements.

Platform restrictions: Not supported with FMCv2

For more information, see the Cisco Secure Firewall Management Center Virtual Getting Started Guide, as well as High Availability in the administration guide.

Clustering for threat defense virtual for Azure.

7.3.0

7.3.0

You can now configure clustering for up to 16 nodes with threat defense virtual for Azure.

New/modified screens: Devices > Device Management

For more information, see Clustering for Threat Defense Virtual in a Public Cloud in the device configuration guide.

Autoscale for threat defense virtual for Azure Gateway Load Balancers.

7.3.0

7.3.0

We now support autoscale for threat defense virtual for Azure Gateway Load Balancers. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Back up and restore device clusters.

7.3.0

Any

You can now use the management center to back up device clusters, except in the public cloud (threat defense virtual for AWS). To restore, use the device CLI.

New/modified screens: System > Tools > Backup/Restore > Managed Device Backup

New/modified commands: restore remote-manager-backup

For more information, see Backup/Restore in the administration guide.

Remote Access VPN

RA VPN dashboard.

7.3.0

Any

We introduced a remote access VPN (RA VPN) dashboard that allows you to monitor real-time data from active RA VPN sessions on the devices. So that you can quickly determine problems related to user sessions and mitigate the problems for your network and users, the dashboard provides:

  • Visualization of active user sessions based on their location.

  • Detailed information about the active user sessions.

  • Mitigation of user session problems by terminating sessions, if required.

  • Distribution of active user sessions per device, encryption type, Secure Client version, operating system, and connection profile.

  • Device identity certificate expiration details of the devices.

New/modified screens: Overview > Dashboards > Remote Access VPN

For more information, see Dashboards in the administration guide.

Encrypt RA VPN connections with TLS 1.3.

7.3.0

7.3.0

You can now use TLS 1.3 to encrypt RA VPN connections with the following ciphers:

  • TLS_AES_128_GCM_SHA256

  • TLS_CHACHA20_POLY1305_SHA256

  • TLS_AES_256_GCM_SHA384

Use the threat defense platform settings to set the TLS version: Devices > Platform Settings > Add/Edit Threat Defense Settings Policy > SSL > TLS Version.

This feature requires Cisco Secure Client, Release 5 (formerly known as the AnyConnect Secure Mobility Client).

For more information, see Configure SSL Settings in the device configuration guide.

Site to Site VPN

Packet tracer in the site-to-site VPN dashboard.

7.3.0

Any

We added packet tracer capabilities to the site-to-site VPN dashboard, to help you troubleshoot VPN tunnels between devices.

Open the dashboard by choosing Overview > Dashboards > Site to Site VPN. Then, click View (View button) next to the tunnel you want to investigate, and Packet Tracer in the side pane that appears.

For more information, see Monitoring the Site-to-Site VPNs in the device configuration guide.

Support for dynamic VTIs with site-to-site VPN.

7.3.0

7.3.0

We now support dynamic virtual tunnel interfaces (VTI) when you configure a route-based site-to-site VPN in a hub and spoke topology. Previously, you could use only a static VTI.

This makes it easier to configure large hub and spoke deployments. A single dynamic VTI can replace several static VTI configurations on the hub. And, you can add new spokes to a hub without changing the hub configuration.

New/modified screens: We updated the options when configuring hub-node endpoints for a route-based hub-and-spoke site-to-site VPN topology.

For more information, see Configure Endpoints for a Hub and Spoke Topology in the device configuration guide.

Improved Umbrella SIG integration.

7.3.0

7.3.0

You can now easily deploy IPsec IKEv2 tunnels between a threat defense device and the Umbrella Secure Internet Gateway (SIG), which allows you to forward all internet-bound traffic to Umbrella for inspection and filtering.

To configure and deploy these tunnels, create a SASE topology, a new type of static VTI-based site-to-site VPN topology: Devices > VPN > Site To Site > SASE Topology.

For more information, see Deploy a SASE Tunnel on Umbrella in the device configuration guide.

Routing

Configure BFD for BGP from the management center web interface.

7.3.0

Any

Upgrade impact.

You can now use the management center web interface to configure bidirectional forwarding detection (BFD) for BGP. Note that you can only enable BFD on interfaces belonging to virtual routers. If you have an existing BFD FlexConfig and redo your configurations in the web interface, you cannot deploy until you remove the deprecated FlexConfigs.

New/modified screens:

  • Devices > Device Management > Device > Routing > BFD

  • Objects > Object Management > BFD Template

  • When configuring BGP neighbor settings, we replaced the BFD Failover check box with a menu where you choose the BFD type: single hop, multi hop, auto detect, or none (disabled). For upgraded management centers, auto-detect hop is selected if the old BFD Failover option was enabled and none is selected if the old option was disabled.

For more information, see Bidirectional Forwarding Detection Routing in the device configuration guide.

Support for IPv4 and IPv6 OSPF routing for VTIs.

7.3.0

7.3.0

We now support IPv4 and IPv6 OSPF routing for VTI interfaces.

New/modified pages: You can add VTI interfaces to an OSPF routing process on Devices > Device Management > Device > Routing > OSPF/OSFPv3.

For more information, see OSPF and Additional Configurations for VTI in the device configuration guide.

Support for IPv4 EIGRP routing for VTIs.

7.3.0

7.3.0

We now support IPv4 EIGRP routing for VTI interfaces.

New/modified screens: You can define a VTI as the static neighbor for an EIGRP routing process, configure a VTI's interface-specific EIGRP routing properties. and advertise a VTI's summary address on Devices > Device Management > Device > Routing > EIGRP.

For more information, see EIGRP and Additional Configurations for VTI in the device configuration guide.

More network service groups for policy-based routing.

7.3.0

7.3.0

You can now configure up to 1024 network service groups (application groups in an extended ACL for use in policy-based routing). Previously, the limit was 256.

Support for multiple next-hops while configuring policy-based routing forwarding actions.

7.3.0

7.1

You can now configure multiple next-hops while configuring policy-based routing forwarding actions. When traffic matches the criteria for the route, the system attempts to forward traffic to the IP addresses in the order you specify, until it succeeds.

New/modified screens: We added several options when you select IP Address from the Send To menu on Devices > Device Management > Device > Routing > Policy Based Routing > Add Policy Based Route > Add Match Criteria and Egress Interface.

For more information, see Configure Policy-Based Routing Policy in the device configuration guide.

Upgrade

Choose and direct-download upgrade packages to the management center from Cisco.

7.3..x only

Any

You can now choose which threat defense upgrade packages you want to direct download to the management center. Use the new Download Updates sub-tab on > Updates > Product Updates.

Other version restrictions: this feature is replaced by an improved package management system in Version 7.2.6/7.4.1.

See: Download Upgrade Packages with the Management Center

Upload upgrade packages to the management center from the threat defense wizard.

7.3.x only

Any

You now use the wizard to upload threat defense upgrade packages or specify their location. Previously (depending on version), you used System (system gear icon) > Updates or System (system gear icon) > Product Upgrades.

Other version restrictions: this feature is replaced by an improved package management system in Version 7.2.6/7.4.1.

See: Upgrade Threat Defense

Auto-upgrade to Snort 3 after successful threat defense upgrade is no longer optional.

7.3.0

Any

Upgrade impact.

When you upgrade threat defense to Version 7.3+, you can no longer disable the Upgrade Snort 2 to Snort 3 option.

After the software upgrade, all eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. Although you can switch individual devices back, Snort 2 will be deprecated in a future release and we strongly recommend you stop using it now.

For devices that are ineligible for auto-upgrade because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.

Combined upgrade and install package for Secure Firewall 3100.

7.3.0

7.3.0

Reimage Impact.

In Version 7.3, we combined the threat defense install and upgrade package for the Secure Firewall 3100, as follows:

  • Version 7.1–7.2 install package: cisco-ftd-fp3k.version.SPA

  • Version 7.1–7.2 upgrade package: Cisco_FTD_SSP_FP3K_Upgrade-version-build.sh.REL.tar

  • Version 7.3+ combined package: Cisco_FTD_SSP_FP3K_Upgrade-version-build.sh.REL.tar

Although you can upgrade threat defense without issue, you cannot reimage from older threat defense and ASA versions directly to threat defense Version 7.3+. This is due to a ROMMON update required by the new image type. To reimage from those older versions, you must "go through" ASA 9.19+, which is supported with the old ROMMON but also updates to the new ROMMON. There is no separate ROMMON updater.

To get to threat defense Version 7.3+, your options are:

Access Control and Threat Detection

SSL policy renamed to decryption policy.

7.3.0

Any

We renamed the SSL policy to the decryption policy. We also added a policy wizard that makes it easier to create and configure decryption policies, including creating initial rules and certificates for inbound and outbound traffic.

New/modified screens:

  • Add or edit a decryption policy: Policies > Access Control > Decryption.

  • Use a decryption policy: Decryption Policy Settings in an access control policy's advanced settings.

For more information, see Decryption Policies in the device configuration guide.

Improvements to TLS server identity discovery with Snort 3 devices.

7.3.0

7.3.0

We now support improved performance and inspection with the TLS server identity discovery feature, which allows you to handle traffic encrypted with TLS 1.3 with information from the server certificate. Although we recommend you leave it enabled, you can disable this feature using the new Enable adaptive TLS server identity probe option in the decryption policy's advanced settings.

For more information, see TLS 1.3 Decryption Best Practices in the device configuration guide.

URL filtering using cloud lookup results only.

7.3.0

7.3.0

When you enable (or re-enable) URL filtering, the management center automatically queries Cisco for URL category and reputation data and pushes the dataset to managed devices. You now have more options on how the system uses this dataset to filter web traffic.

To do this, we replaced the Query Cisco Cloud for Unknown URLs options with three new options:

  • Local Database Only: Uses the local URL dataset only. Use this option if you do not want to submit your uncategorized URLs (category and reputation not in the local dataset) to Cisco, for example, for privacy reasons. However, note that connections to uncategorized URLs do not match rules with category or reputation-based URL conditions. You cannot assign categories or reputations to URLs manually.

    For upgraded management centers, this option is enabled if the old Query Cisco Cloud for Unknown URLs was disabled.

  • Local Database and Cisco Cloud: Uses the local dataset when possible, which can make web browsing faster. When users browse to an URL whose category and reputation is not in the local dataset or a cache of previously accessed websites, the system submits it to the cloud for threat intelligence evaluation and adds the result to the cache.

    For upgraded management centers, this option is enabled if the old Query Cisco Cloud for Unknown URLs option was enabled.

  • Cisco Cloud Only: Does not use the local dataset. When users browse to an URL whose category and reputation is not in a local cache of previously accessed websites, the system submits it to the cloud for threat intelligence evaluation and adds the result to the cache. This option guarantees the most up-to-date category and reputation information.

    This option is the default on new and reimaged Version 7.3+ management centers. Note that it also requires threat defense Version 7.3+. If you enable this option, devices running earlier versions use the Local Database and Cisco Cloud option.

New/modified screens: Integration > Other Integrations > Cloud Services > URL Filtering

For more information, see URL Filtering Options in the device configuration guide.

Detect HTTP/3 and SMB over QUIC using EVE (Snort 3 only).

7.3.0

7.3.0 with Snort 3

Snort 3 devices can now use the encrypted visibility engine (EVE) to detect HTTP/3 and SMB over QUIC. You can then create rules to handle traffic based on these applications.

For more information, see Encrypted Visibility Engine in the device configuration guide.

Generate IoC events based on unsafe client applications detected by EVE (Snort 3 only).

7.3.0

7.3.0 with Snort 3

Snort 3 devices can now generate indications of compromise (IoC) connection events based unsafe client applications detected by the encrypted visibility engine (EVE). These connection events have a Encrypted Visibility Threat Confidence of Very High.

  • View IoCs in the event viewer: Analysis > Hosts/Users > Indications of Compromise

  • View IoCs in the network map: Analysis > Hosts > Indications of Compromise

  • View IoC information in connection events: Analysis > Connections > Events > Table View of Connection Events > IOC/Encrypted Visibility columns

For more information, see Encrypted Visibility Engine in the device configuration guide.

Improved JavaScript inspection for Snort 3 devices.

7.3.0

7.3.0 with Snort 3

We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. The normalizer introduced in Version 7.2 now allows you to inspect within the unescape, decodeURI, and decodeURIComponent functions: %XX, %uXXXX, \uXX, \u{XXXX}\xXX, decimal code point, and hexadecimal code point. It also removes plus operations from strings and concatenates them.

For more information, see HTTP Inspect Inspector in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Nested rule groups, including MITRE ATT&CK, in Snort 3 intrusion policies.

7.3.0

7.0 with Snort 3

You can now nest rule groups in a Snort 3 intrusion policy. This allows you to view and handle traffic in a more granular fashion; for example, you might group rules by vulnerability type, target system, or threat category. You can create custom nested rule groups and change the security level and rule action per rule group.

We also group system-provided rules in a Talos-curated MITRE ATT&CK framework, so you can act on traffic based on those categories.

New/modified screens:

  • View and use rule groups: Policies > Intrusion > Edit Snort 3 Version

  • View rule group information in the classic event view: Analysis > Intrusion > Events > Table View of Intrusion Events > Rule Group and MITRE ATT&CK columns

  • View rule group information in the unified event view: Analysis > Unified Events > Rule Group and MITRE ATT&CK columns

For more information, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Access control rule conflict analysis.

7.3.0

Any

You can now enable rule conflict analysis to help identify redundant rules and objects, and shadowed rules that cannot be matched due to previous rules in the policy.

For more information, see Analyzing Rule Conflicts and Warnings in the device configuration guide.

Event Logging and Analysis

NetFlow support for Snort 3 devices.

7.3.0

7.3.0 with Snort 3

Upgrade impact.

Snort 3 devices now can consume NetFlow records (IPv4 and IPv6, NetFlow v5 and v9). Previously, only Snort 2 devices did this.

After upgrade, if you have an existing NetFlow exporter and NetFlow rule configured in the network discovery policy, Snort 3 devices may begin processing NetFlow records, generating NetFlow connection events, and adding host and application protocol information to the database based on NetFlow data.

For more information, see Network Discovery Policies in the device configuration guide.

Integrations

New remediation module for integration with the Cisco ACI Endpoint Update App

7.3.0

Any

We introduced a new Cisco ACI Endpoint remediation module. To use it, you must remove the old module then add and configure the new one. This new module can:

  • Quarantine endpoints in an endpoint security group (ESG) deployment.

  • Allow traffic from a quarantined endpoint to a Layer 3 outside network (L3Out) for monitoring and analysis.

  • Run in audit-only mode, where it notifies you instead of quarantining.

For more information, see APIC/Secure Firewall Remediation Module 3.0 in the device configuration guide.

Health Monitoring

Cluster health monitor settings in the management center web interface.

7.3.0

Any

You can now use the management center web interface to edit cluster health monitor settings. If you configured these settings with FlexConfig in a previous version, the system allows you to deploy, but also warns you to redo your configurations—the FlexConfig settings take precedence.

New/modified screens: Devices > Device Management > Edit Cluster > Cluster Health Monitor Settings

For more information, see Edit Cluster Health Monitor Settings in the device configuration guide.

Improved health monitoring for device clusters.

7.3.0

Any

We added cluster dashboards to the health monitor where you can view overall cluster status, load distribution metrics, performance metrics, cluster control link (CCL) and data throughput, and so on.

To view the dashboard for each cluster, choose System (system gear icon) > Health > Monitor, then click the cluster.

For more information, see Cluster Health Monitor in the administration guide.

Monitor fan speed and temperature for the power supply on the hardware management center.

7.3.0

Any

We added the Hardware Statistics health module that monitors fan speed and temperature for the power supply on the hardware management center. The upgrade process automatically adds and enables this module. After upgrade, apply the policy.

To enable or disable the module and set threshold values, edit the management center health policy on System (system gear icon) > Health > Policy.

To view health status, create a custom health dashboard: System (system gear icon) > Health > Monitor > Firewall Management Center > Add/Edit. Select the Hardware Statistics metric group, then select the metric you want.

You can also view module status on the health monitor's Home page and in the management center's alert summary (as Hardware Alarms and Power Supply). You can configure external alert responses and view health events based on module status.

For more information, see Hardware Statistics on Management Center in the administration guide.

Monitor temperature and power supply for the Firepower 4100/9300.

7.3.0

7.3.0

We added the Chassis Environment Status health module to monitor the temperature and power supply on a Firepower 4100/9300 chassis. The upgrade process automatically adds and enables these modules in all device health policies. After upgrade, apply health policies to Firepower 4100/9300 chassis to begin monitoring.

To enable or disable this module and set threshold values, edit the management center health policy: System (system gear icon) > Health > Policy > Device Policy.

To view health status, create a custom health dashboard: System (system gear icon) > Health > Monitor > Select Device > Add/Edit Dashboard > Custom Correlation Group. Select the Hardware/Environment Status metric group, then select the Thermal Status metric to view temperature or select any of the Power Supply options to view power supply status.

You can also view module status on the health monitor's Home page and in each device's alert summary. You can configure external alert responses and view health events based on module status.

For more information, see Hardware/Environment Status Metrics in the administration guide.

Licensing

Changes to license names and support for the Carrier license.

7.3.0

Any

We renamed licenses as follows:

  • Base is now Essentials

  • Threat is now IPS

  • Malware is now Malware Defense

  • RA VPN/AnyConnect License is now Cisco Secure Client

  • AnyConnect Plus is now Secure Client Advantage

  • AnyConnect Apex is now Secure Client Premier

  • AnyConnect Apex and Plus is now Secure Client Premier and Advantage

  • AnyConnect VPN Only is now Secure Client VPN Only

In addition, you can now apply the Carrier license, which allows you to configure GTP/GPRS, Diameter, SCTP, and M3UA inspections.

New/modified screens: System (system gear icon) > Licenses > Smart Licenses

For more information, see Licenses in the administration guide.

Administration

Migrate configurations from FlexConfig to web interface management.

7.3.0

Feature dependent

You can now easily migrate these configurations from FlexConfig to web interface management:

  • ECMP zones, supported in the Version 7.1+ web interface

  • EIGRP routing, supported in the Version 7.2+ web interface

  • VXLAN interfaces, supported in the Version 7.2+ web interface

After you migrate, you cannot deploy until you remove the deprecated FlexConfigs.

New/modified screens: Devices > FlexConfig > Edit FlexConfig Policy > Migrate Config

For more information, see Migrating FlexConfig Policies in the device configuration guide.

Automatic VDB downloads.

7.3.0

Any

The initial setup on the management center schedules a weekly task to download the latest available software updates, which now includes the latest vulnerability database (VDB). We recommend you review this weekly task and adjust if necessary. Optionally, schedule a new weekly task to actually update the VDB and deploy configurations.

New/modified screens: The Vulnerability Database check box is now enabled by default in the system-created Weekly Software Download scheduled task.

For more information, see Vulnerability Database Update Automation in the administration guide.

Install any VDB.

7.3.0

Any

Starting with VDB 357, you can now install any VDB as far back as the baseline VDB for that management center.

After you update the VDB, deploy configuration changes. If you based configurations on vulnerabilities, application detectors, or fingerprints that are no longer available, examine those configurations to make sure you are handling traffic as expected. Also, keep in mind a scheduled task to update the VDB can undo a rollback. To avoid this, change the scheduled task or delete any newer VDB packages.

New/modified screens: On System (system gear icon) > Updates > Product Updates > Available Updates, if you upload an older VDB, a new Rollback icon appears instead of the Install icon.

For more information, see Update the Vulnerability Database in the administration guide.

Usability, Performance, and Troubleshooting

New how-to walkthroughs.

7.3.0

Feature dependent

We added these how-tos:

  • Renew a certificate using manual re-enrollment.

  • Renew a certificate using Self-signed, SCEP, or EST enrollment.

  • Configure LDAP attribute map for remote access VPN.

  • Add SAML Single Sign-On server object.

  • Collect packet capture for threat defense device.

  • Collect packet trace to troubleshoot threat defense device.

  • Configure Dynamic Access Policy for remote access VPN.

    • Create a Dynamic Access Policy.

    • Create a Dynamic Access Policy record.

    • Associate Dynamic Access Policy with remote access VPN.

To launch a how-to, choose System (system gear icon) > How-Tos.

New access control policy user interface is now the default.

7.3.0

Any

The access control policy user interface introduced in Version 7.2 is now the default interface. The upgrade switches you, but you can switch back.

Maximum objects per match criteria per access control rule is now 200.

7.3.0

Any

We increased the objects per match criteria in a single access control rule from 50 to 200. For example, you can now use up to 200 network objects in a single access control rule.

Filter devices by version.

7.3.0

Any

You can now filter devices by version on Devices > Device Management.

Better status emails for scheduled tasks.

7.3.0

Any

Email notifications for scheduled tasks are now sent when the task completes—whether success or failure—instead of when the task begins. This means that they can now indicate whether the task failed or succeeded. For failures, they include the reason for the failure and remediations to fix the issue.

Performance profile for CPU core allocation on the Firepower 4100/9300 and threat defense virtual.

7.3.0

7.3.0

You can adjust the percentage of system cores assigned to the data plane and Snort to adjust system performance. The adjustment is based on your relative use of VPN and intrusion policies. If you use both, leave the core allocation to the default values. If you use the system primarily for VPN (without applying intrusion policies), or as an IPS (with no VPN configuration), you can skew the core allocation to the data plane (for VPN) or Snort (for intrusion inspection).

We added the Performance Profile page to the platform settings policy.

For more information, see Configure the Performance Profile in the device configuration guide.

Cisco Success Network telemetry.

7.3.0

Any

For telemetry changes, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center, Version 7.3.x.

Management Center REST API

Management center REST API.

7.3.0

Feature dependent

For information on changes to the management center REST API, see What's New in 7.3 in the API quick start guide.

Deprecated Features

Temporarily deprecated features.

7.3.0

Feature dependent

Although upgrading to Version 7.3 is supported, the upgrade will remove critical features, fixes, and enhancements that may be included in your current version. Instead, upgrade to Version 7.4.1+.

From Version 7.2.3+, upgrading removes:

  • Firepower 1010E.. You cannot upgrade a Version 7.2.x Firepower 1010E to Version 7.3, and you should not reimage there either. If you have a Firepower 1010E device running Version 7.3, reimage to a supported release. Do not use a Version 7.2.3 or Version 7.3.0 management center to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version 7.3.1.1+ management center.

From Version 7.2.4+, upgrading removes:

From Version 7.2.5+, upgrading removes:

From Version 7.2.6+, upgrading removes:

Support ends: Firepower 4110, 4120, 4140, 4150.

7.3.0

You cannot run Version 7.3+ on the Firepower 4110, 4120, 4140, or 4150.

Support ends: Firepower 9300: SM-24, SM-36, SM-44 modules.

7.3.0

You cannot run Version 7.3+ on the Firepower 9300 with SM-24, SM-36, or SM-44 modules.

Deprecated: YouTube EDU content restriction for Snort 2 devices.

7.3.0

Any

You can no longer enable YouTube EDU content restriction in new or existing access control rules. Your existing YouTube EDU rules will keep working, and you can edit those rules to disable YouTube EDU.

Note that this is a Snort 2 feature that is not available for Snort 3.

You should redo your configurations after upgrade.

Deprecated: Cluster health monitor settings with FlexConfig.

7.3.0

Any

You can now edit cluster health monitor settings from the management center web interface. If you do this, the system allows you to deploy but also warns you that any existing FlexConfig settings take precedence.

You should redo your configurations after upgrade.

Deprecated: BFD for BGP with FlexConfig.

7.3.0

Any

You can now configure bidirectional forwarding detection (BFD) for BGP routing from the management center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs.

You should redo your configurations after upgrade.

Deprecated: ECMP zones with FlexConfig.

7.3.0

Any

You can now easily migrate EMCP zone configurations from FlexConfig to web interface management. After you migrate, you cannot deploy until you remove any deprecated FlexConfigs.

You should redo your configurations after upgrade.

Deprecated: VXLAN interfaces with FlexConfig.

7.3.0

Any

You can now easily migrate VXLAN interface configurations from FlexConfig to web interface management. After you migrate, you cannot deploy until you remove any deprecated FlexConfigs.

Management Center Features in Version 7.2.7

This release introduces stability, hardening, and performance enhancements.

Management Center Features in Version 7.2.6


Note


Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. The features listed here are also available in Version 7.2.7.


Table 6. Management Center Features in Version 7.2.6

Feature

Minimum Management Center

Minimum Threat Defense

Details

Reintroduced Features

Updated web analytics provider.

7.0.6

7.2.6

7.4.1

Any

Upgrade impact. Your browser connects to new resources.

While using the management center, your browser now contacts Amplitude (amplitude.com) instead of Google (google.com) for web analytics.

Web analytics provides non-personally-identifiable usage data to Cisco, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your management centers. You are enrolled in web analytics by default but you can change your enrollment at any time after you complete initial setup. Note that ad blockers can block web analytics, so if you choose to remain enrolled, please disable ad blocking for the hostnames/IP addresses of your Cisco appliances.

Version restrictions: Amplitude analytics are not supported in management center Version 7.0.0–7.0.5, 7.1.0–7.2.5, 7.3.x, or 7.4.0. Permanent support returns in Version 7.4.1 If you upgrade from a supported version to an unsupported version, your browser resumes contacting Google.

Interfaces

Configure DHCP relay trusted interfaces from the management center web interface.

7.2.6

7.4.1

Any

Upgrade impact. Redo any related FlexConfigs after upgrade.

You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them.

DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the threat defense DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address that is set by the relay agent before it forwards the packet to the server) is set to 0, then threat defense will drop that packet by default. You can preserve Option 82 and forward the packet by identifying an interface as a trusted interface.

New/modified screens: Devices > Device Management > Add/Edit Device > DHCP > DHCP Relay

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version, redo your FlexConfigs.

See: Configure the DHCP Relay Agent

NAT

Create network groups while editing NAT rules.

7.2.6

7.4.1

Any

You can now create network groups in addition to network objects while editing a NAT rule.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Customizing NAT Rules for Multiple Devices

High Availability/Scalability

Reduced "false failovers" for threat defense high availability.

7.2.6

7.4.0

7.2.6

7.4.0

Other version restrictions: Not supported with management center or threat defense Version 7.3.x.

See: Heartbeat Module Redundancy

Single backup file for high availability management centers.

7.2.6

7.4.1

Any

When performing a configuration-only backup of the active management center in a high availability pair, the system now creates a single backup file which you can use to restore either unit.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Unified Backup of Management Centers in High Availability

Event Logging & Analysis

Open the packet tracer from the unified event viewer.

7.2.6

7.4.1

Any

You can now open the packet tracer from the unified event view (Analysis > Unified Events). Click the ellipsis icon (...) next to the desired event and click Open in Packet Tracer.

Other version restrictions: In Version 7.2.x, use the Expand icon (>) icon instead of the ellipsis icon. Not supported with management center Version 7.3.x or 7.4.0.

See: Working with the Unified Event Viewer

Health Monitoring

Health alerts for excessive disk space used by deployment history (rollback) files.

7.2.6

7.4.1

Any

Upgrade impact. Deploy management center health policy after upgrade.

The Disk Usage health module now alerts if deployment history (rollback) files are using excessive disk space on theged management center.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Disk Usage for Device Configuration History Files Health Alert

Health alerts for NTP sync issues.

7.2.6

7.4.1

Any

Upgrade impact. Deploy management center health policy after upgrade.

A new Time Server Status health module reports issues with NTP synchronization.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Time Synchronization and Health Modules

Deployment and Policy Management

View and generate reports on configuration changes since your last deployment.

7.2.6

7.4.1

Any

You can generate, view, and download (as a zip file) the following reports on configuration changes since your last deployment:

  • A policy changes report for each device that previews the additions, changes, or deletions in the policy, or the objects that are to be deployed on the device.

  • A consolidated report that categorizes each device based on the status of policy changes report generation.

This is especially useful after you upgrade either the management center or threat defense devices, so that you can see the changes made by the upgrade before you deploy.

New/modified screens: Deploy > Advanced Deploy.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Download Policy Changes Report for Multiple Devices

Set the number of deployment history files to retain for device rollback.

7.2.6

7.4.1

Any

You can now set the number of deployment history files to retain for device rollback, up to ten (the default). This can help you save disk space on the management center.

New/modified screens: Deploy > Deployment History (deployment history icon) > Deployment Setting > Configuration Version Setting

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Set the Number of Configuration Versions

Upgrade

Improved upgrade starting page and package management.

7.2.6

7.4.1

Any

A new upgrade page makes it easier to choose, download, manage, and apply upgrades to your entire deployment. This includes the management center, threat defense devices, and any older NGIPSv/ASA FirePOWER devices. The page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. You can easily choose and direct-download packages from Cisco, as well as manually upload and delete packages.

Internet access is required to retrieve the list/direct download upgrade packages. Otherwise, you are limited to manual management. Patches are not listed unless you have at least one appliance at the appropriate maintenance release (or you manually uploaded the patch). You must manually upload hotfixes.

New/modified screens:

  • System (system gear icon) > Product Upgrades is now where you upgrade the management center and all managed devices, as well as manage upgrade packages.

  • System (system gear icon) > Content Updates is now where you update intrusion rules, the VDB, and the GeoDB.

  • Devices > Threat Defense Upgrade takes you directly to the threat defense upgrade wizard.

  • System (system gear icon) > Users > User Role > Create User Role > Menu-Based Permissions allows you to grant access to Content Updates (VDB, GeoDB, intrusion rules) without allowing access to Product Upgrades (system software).

Deprecated screens/options:

  • System (system gear icon) > Updates is deprecated. All threat defense upgrades now use the wizard.

  • The Add Upgrade Package button on the threat defense upgrade wizard has been replaced by a Manage Upgrade Packages link to the new upgrade page.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Enable revert from the threat defense upgrade wizard.

7.2.6

7.4.1

Any, if upgrading to 7.1+

You can now enable revert from the threat defense upgrade wizard.

Other version restrictions: You must be upgrading threat defense to Version 7.1+. Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Select devices to upgrade from the threat defense upgrade wizard.

7.2.6

Any

Use the wizard to select devices to upgrade.

You can now use the threat defense upgrade wizard to select or refine the devices to upgrade. On the wizard, you can toggle the view between selected devices, remaining upgrade candidates, ineligible devices (with reasons why), devices that need the upgrade package, and so on. Previously, you could only use the Device Management page and the process was much less flexible.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

View detailed upgrade status from the threat defense upgrade wizard.

7.2.6

7.4.1

Any

The final page of the threat defense upgrade wizard now allows you to monitor upgrade progress. This is in addition to the existing monitoring capability on the Upgrade tab on the Device Management page, and on the Message Center. Note that as long as you have not started a new upgrade flow, Devices > Threat Defense Upgrade brings you back to this final wizard page, where you can view the detailed status for the current (or most recently complete) device upgrade.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Unattended threat defense upgrades.

7.2.6

Any

The threat defense upgrade wizard now supports unattended upgrades, using a new Unattended Mode menu. You just need to select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Simultaneous threat defense upgrade workflows by different users.

7.2.6

Any

We now allow simultaneous upgrade workflows by different users, as long as you are upgrading different devices. The system prevents you from upgrading devices already in someone else's workflow. Previously, only one upgrade workflow was allowed at a time across all users.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Skip pre-upgrade troubleshoot generation for threat defense devices.

7.2.6

Any

You can now skip the automatic generating of troubleshooting files before major and maintenance upgrades by disabling the new Generate troubleshooting files before upgrade begins option. This saves time and disk space.

To manually generate troubleshooting files for a threat defense device, choose System (system gear icon) > Health > Monitor, click the device in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Suggested release notifications.

7.2.6

7.4.1

Any

The management center now notifies you when a new suggested release is available. If you don't want to upgrade right now, you can have the system remind you later, or defer reminders until the next suggested release. The new upgrade page also indicates suggested releases.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Management Center New Features by Release

New upgrade wizard for the management center.

7.2.6

7.4.1

Any

A new upgrade starting page and wizard make it easier to perform management center upgrades. After you use System (system gear icon) > Product Upgrades to get the appropriate upgrade package onto the management center, click Upgrade to begin.

Other version restrictions: Only supported for management center upgrades from Version 7.2.6+/7.4.1+. Not supported for upgrades from Version 7.3.x or 7.4.0.

To upgrade the management center to any version, see the upgrade guide for the version your management center is currently running: : Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center. If you are running Version 7.4.0, you can use the Version 7.3.x guide.

Hotfix high availability management centers without pausing synchronization.

7.2.6

7.4.1

Any

Unless otherwise indicated by the hotfix release notes or Cisco TAC, you do not have to pause synchronization to install a hotfix on high availability management centers.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Administration

Updated internet access requirements for direct-downloading software upgrades.

7.2.6

7.4.1

Any

Upgrade impact. The system connects to new resources.

The management center has changed its direct-download location for software upgrade packages from sourcefire.com to amazonaws.com.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See:Internet Access Requirements

Scheduled tasks download patches and VDB updates only.

7.2.6

7.4.1

Any

Upgrade impact. Scheduled download tasks stop retrieving maintenance releases.

The Download Latest Update scheduled task no longer downloads maintenance releases; now it only downloads the latest applicable patches and VDB updates. To direct-download maintenance (and major) releases to the management center, use System (system gear icon) > Product Upgrades.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Software Update Automation

Download only the country code geolocation package.

7.2.6

7.4.0

Any

Upgrade impact. Upgrading can delete the IP package.

In Version 7.2.6+/7.4.0+, you can configure the system to download only the country code package of the geolocation database (GeoDB), which maps IP addresses to countries/continents. The larger IP package with contextual data is now optional.

IP package download is:

  • Version 7.2.0–7.2.5: Always enabled.

  • Version 7.2.6–7.2.x: Disabled by default, but you can enable it.

  • Version 7.3.x: Always enabled.

  • Version 7.4.0–7.4.1: Enabled by default, but you can disable it.

The first time you upgrade to any version where download is disabled by default, the system disables download and deletes any existing IP package. Without the IP package, you cannot view contextual geolocation data for IP addresses until you manually enable the option and update the GeoDB.

New/modified screens:

  • Version 7.2.6/7.4.1: System (system gear icon) > Content Updates > Geolocation Updates

  • Version 7.4.0: System (system gear icon) > Updates > Geolocation Updates

See : Update the Geolocation Database

Usability, Performance, and Troubleshooting

Enable/disable access control object optimization.

7.2.6

7.4.1

Any

You can now enable and disable access control object optimization from the management center web interface.

New/modified screens: System (system gear icon) > Configuration > Access Control Preferences > Object Optimization

Other version restrictions: Access control object optimization is automatically enabled on all management centers upgraded or reimaged to Versions 7.2.4–7.2.5 and 7.4.0, and automatically disabled on all management centers upgraded or reimaged to Version 7.3.x. It is configurable and enabled by default for management centers reimaged to Version 7.2.6+/7.4.1+, but respects your current setting when you upgrade to those releases.

Cluster control link ping tool.

7.2.6

7.4.1

Any

You can check to make sure all the cluster nodes can reach each other over the cluster control link by performing a ping. One major cause for the failure of a node to join the cluster is an incorrect cluster control link configuration; for example, the cluster control link MTU may be set higher than the connecting switch MTUs.

New/modified screens: Devices > Device Management > More (more icon) > Cluster Live Status

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

Snort 3 restarts when it uses too much memory, which can trigger HA failover.

7.2.6

7.4.1

7.2.6 with Snort 3

7.4.1 with Snort 3

To improve continuity of operations, excessive memory use by Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process uses too much memory. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.)

This feature is enabled by default. You can use the CLI to disable it, or configure the memory threshold.

Platform restrictions: Not supported with clustered devices.

New/modified CLI commands: configure snort3 memory-monitor , show snort3 memory-monitor-status

Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Command Reference

Set the frequency of Snort 3 core dumps.

7.2.6

7.4.1

7.2.6 with Snort 3

7.4.1 with Snort 3

You can now set the frequency of Snort 3 core dumps. Instead of generating a core dump every time Snort crashes, you can generate one the next time Snort crashes only. Or, generate one if a crash has not occurred in the last day, or week.

Snort 3 core dumps are disabled by default for standalone devices. For high availability and clustered devices, the default frequency is now once per day instead of every time.

New/modified CLI commands: configure coredump snort3 , show coredump

Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Command Reference

Capture dropped packets with the Secure Firewall 3100/4200.

7.2.6

7.4.1

7.2.6 (no 4200)

7.4.1

Packet losses resulting from MAC address table inconsistencies can impact your debugging capabilities. The Secure Firewall 3100/4200 can now capture these dropped packets.

New/modified CLI commands: [drop{ disable| mac-filter} ] in the capture command.

Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Command Reference

Deprecated Features

Deprecated: DHCP relay trusted interfaces with FlexConfig.

7.2.6

7.4.1

Any

Upgrade impact. Redo any related FlexConfigs after upgrade.

You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them.

Other version restrictions: This feature is not supported with management center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version, also redo your FlexConfigs.

See: Configure the DHCP Relay Agent

Management Center Features in Version 7.2.5

Table 7. Management Center Features in Version 7.2.5

Feature

Minimum Management Center

Minimum Threat Defense

Details

Interfaces

Management center detects interface sync errors.

7.2.5

7.4.1

Any

Upgrade impact. You may need to sync interfaces after upgrade.

In some cases, the management center can be missing a configuration for an interface even though the interface is correctly configured and functioning on the device. If this happens, and your management center is running:

  • Version 7.2.5: Deploy is blocked until you edit the device and sync from the Interfaces page

  • Version 7.2.6+/7.4.1+: Deploy is allowed with a warning, but you cannot edit interface settings without syncing first.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. The management center will neither block deploy nor warn you of missing configurations. You can still sync interfaces manually if you think you are having an issue.

Management Center Features in Version 7.2.4

Table 8. Management Center Features in Version 7.2.4

Feature

Minimum Management Center

Minimum Threat Defense

Details

Default Forward Error Correction (FEC) on Secure Firewall 3100 fixed ports changed to Clause 108 RS-FEC from Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers.

7.2.4

Any

When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the default type is now set to Clause 108 RS-FEC instead of Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers.

See: Interface Overview.

Automatically update CA bundles.

7.0.5

7.1.0.3

7.2.4

7.0.5

7.1.0.3

7.2.4

Upgrade impact. The system connects to Cisco for something new.

The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature.

New/modified CLI commands: configure cert-update auto-update , configure cert-update run-now , configure cert-update test , show cert-update

Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco.

See: Firepower Management Center Command Line Reference and Cisco Secure Firewall Threat Defense Command Reference

Access control performance improvements (object optimization).

7.2.4

Any

Upgrade impact. First deployment after management center upgrade to 7.2.4–7.2.5 or 7.4.0 can take a long time and increase CPU use on managed devices.

Access control object optimization improves performance and consumes fewer device resources when you have access control rules with overlapping networks. The optimizations occur on the managed device on the first deploy after the feature is enabled on the management center (including if it is enabled by an upgrade). If you have a high number of rules, the system can take several minutes to an hour to evaluate your policies and perform object optimization. During this time, you may also see higher CPU use on your devices. A similar thing occurs on the first deploy after the feature is disabled (including if it is disabled by upgrade). After this feature is enabled or disabled, we recommend you deploy when it will have the least impact, such as a maintenance window or a low-traffic time.

New/modified screens (requires Version 7.2.6/7.4.1): System (system gear icon) > Configuration > Access Control Preferences > Object-group optimization.

Other version restrictions: Not supported with management center Version 7.3.x.

Smaller VDB for lower memory Snort 2 devices.

6.4.0.17

7.0.6

7.2.4

7.3.1.1

7.4.0

Any with Snort 2

Upgrade impact. Application identification on lower memory devices is affected.

For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB.

Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X

Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641.

Management Center Features in Version 7.2.3

Table 9. Management Center Features in Version 7.2.3

Feature

Minimum Management Center

Minimum Threat Defense

Details

Firepower 1010E.

7.2.3.1

7.3.1.1

7.2.3

We introduced the Firepower 1010E, which does not support power over Ethernet (PoE). Do not use a Version 7.2.3 or Version 7.3.0 management center to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version 7.3.1.1+ management center.

Version restrictions: These devices do not support Version 7.3.x or 7.4.0. Support returns in Version 7.4.1.

See: Regular Firewall Interfaces

Management Center Features in Version 7.2.2

This release introduces stability, hardening, and performance enhancements.

Management Center Features in Version 7.2.1

Table 10. Management Center Features in Version 7.2.1

Feature

Minimum Management Center

Minimum Threat Defense

Details

Hardware bypass ("fail-to-wire") network modules for the Secure Firewall 3100.

7.2.1

7.2.1

We introduced these hardware bypass network modules for the Secure Firewall 3100:

  • 6-port 1G SFP Hardware Bypass Network Module, SX (multimode) (FPR-X-NM-6X1SX-F)

  • 6-port 10G SFP Hardware Bypass Network Module, SR (multimode) (FPR-X-NM-6X10SR-F)

  • 6-port 10G SFP Hardware Bypass Network Module, LR (single mode) (FPR-X-NM-6X10LR-F)

  • 6-port 25G SFP Hardware Bypass Network Module, SR (multimode) (FPR-X-NM-X25SR-F)

  • 6-port 25G Hardware Bypass Network Module, LR (single mode) (FPR-X-NM-6X25LR-F)

  • 8-port 1G Copper Hardware Bypass Network Module, RJ45 (copper) (FPR-X-NM-8X1G-F)

New/modified screens: Devices > Device Management > Interfaces > Edit Physical Interface

For more information, see Inline Sets and Passive Interfaces.

Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.

7.2.1

7.2.1

We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.

For more information, see Getting Started with Secure Firewall Threat Defense Virtual and KVM.

Management Center Features in Version 7.2.0

Table 11. Management Center Features in Version 7.2.0

Feature

Minimum Management Center

Minimum Threat Defense

Details

Platform

Snapshots allow quick deploy of threat defense virtual for AWS and Azure.

7.2.0

7.2.0

You can now take a snapshot of a threat defense virtual for AWS or Azure instance, then use that snapshot to quickly deploy new instances. This feature also improves the performance of the autoscale solutions for AWS and Azure.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Analytics mode for cloud-managed threat defense devices.

7.2.0

7.0.3

7.2.0

Concurrently with Version 7.2, we introduced the Cisco Cloud-delivered Firewall Management Center. The cloud-delivered Firewall Management Center uses the Cisco Defense Orchestrator (CDO) platform and unites management across multiple Cisco security solutions. We take care of feature updates.

On-prem hardware and virtual management centers running Version 7.2+ can "co-manage" cloud-managed threat defense devices, but for event logging and analytics purposes only. You cannot deploy policy to these devices from an on-prem management center.

New/modified screens:

  • When you add a cloud-managed device to an on-prem management center, use the new CDO Managed Device check box to specify that it is analytics-only.

  • View which devices are analytics-only on Devices > Device Management.

New/modified CLI commands: configure manager add , configure manager delete , configure manager edit , show managers

Version restrictions: Not supported with threat defense Version 7.1.

For more information, see Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator.

ISA 3000 support for shutting down.

7.2.0

7.2.0

Support returns for shutting down the ISA 3000. This feature was introduced in Version 7.0.2 but was temporarily deprecated in Version 7.1.

High Availability/Scalability

Clustering for threat defense virtual in both public and private clouds.

7.2.0

7.2.0

You can now configure clustering for the following threat defense virtual platforms:

  • Threat defense virtual for AWS: 16-node clusters

  • Threat defense virtual for GCP: 16-node clusters

  • Threat defense virtual for KVM: 4-node clusters

  • Threat defense virtual for VMware: 4-node clusters

New/modified screens:

  • Devices > Device Management > Add Cluster

  • Devices > Device Management > More menu

  • Devices > Device Management > Cluster

For more information, see Clustering for Threat Defense Virtual in a Public Cloud (AWS, GCP) or Clustering for Threat Defense Virtual in a Private Cloud (KVM, VMware).

Support for 16-node clusters.

7.2.0

7.2.0

You can now configure 16-node clusters for the following platforms:

  • Firepower 4100/9300

  • Threat defense virtual for AWS

  • Threat defense virtual for GCP

The Secure Firewall 3100 still only supports 8 nodes.

For more information, see Clustering for the Firepower 4100/9300 or Clustering for Threat Defense Virtual in a Public Cloud.

Autoscale for threat defense virtual for AWS gateway load balancers.

7.2.0

7.2.0

We now support autoscale for threat defense virtual for AWS gateway load balancers, using a CloudFormation template.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Autoscale for threat defense virtual for GCP.

7.2.0

7.2.0

Upgrade impact. Threat defense virtual for GCP cannot upgrade across Version 7.2.0.

We now support autoscale for threat defense virtual for GCP, by positioning a threat defense virtual instance group between a GCP internal load balancer (ILB) and a GCP external load balancer (ELB).

Version restrictions: Due to interface changes required to support this feature, threat defense virtual for GCP upgrades cannot cross Version 7.2.0. That is, you cannot upgrade to Version 7.2.0+ from Version 7.1.x and earlier. You must deploy a new instance and redo any device-specific configurations.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Interfaces

LLDP support for the Firepower 2100 and Secure Firewall 3100.

7.2.0

7.2.0

You can now enable Link Layer Discovery Protocol (LLDP) for Firepower 2100 and Secure Firewall 3100 series interfaces.

New/modified screens: Devices > Device Management > Interfaces > > Hardware Configuration > LLDP

New/modified commands: show lldp status , show lldp neighbors , show lldp statistics

For more information, see Interface Overview.

Pause frames for flow control for the Secure Firewall 3100.

7.2.0

7.2.0

If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue.

New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration > Network Connectivity

For more information, see Interface Overview.

Breakout ports for the Secure Firewall 3130 and 3140.

7.2.0

7.2.0

You can now configure four 10 GB breakout ports for each 40 GB interface on the Secure Firewall 3130 and 3140.

New/modified screens: Devices > Device Management > Chassis Operations

For more information, see Interface Overview.

Configure VXLAN from the management center web interface.

7.2.0

Any

Upgrade impact. Redo FlexConfigs after upgrade.

You can now use the management center web interface to configure VXLAN interfaces. VXLANs act as Layer 2 virtual network over a Layer 3 physical network to stretch the Layer 2 network.

If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings.

New/modified screens:

  • Configure the VTEP source interface: Devices > Device Management > VTEP

  • Configure the VNI interface: Devices > Device Management > Interfaces > Add VNI Interface

For more information, see Regular Firewall Interfaces.

NAT

Enable, disable, or delete more than one NAT rule at a time.

7.2.0

Any

You can select multiple NAT rules and enable, disable, or delete them all at the same time. Enable and disable apply to manual NAT rules only, whereas delete applies to any NAT rule.

For more information, see Network Address Translation.

VPN

Certificate and SAML authentication for RA VPN connection profiles.

7.2.0

7.2.0

We now support certificate and SAML authentication for RA VPN connection profiles. You can authenticate a machine certificate or user certificate before a SAML authentication/authorization is initiated. This can be done using DAP certificate attributes along with user specific SAML DAP attributes.

New/modified screens: You can now choose Certificate & SAML option when choosing the authentication method for the connection profile in an RA VPN policy.

For more information, see Remote Access VPN.

Route-based site-to-site VPN with hub and spoke topology.

7.2.0

7.2.0

We added support for route-based site-to-site VPNs in a hub and spoke topology. Previously, that topology only supported policy-based (crypto map) VPNs.

New/modified screens: When you add a new VPN topology and choose Route Based (VTI), you can now also choose Hub and Spoke.

For more information, see Site-to-Site VPNs.

IPsec flow offload for the Secure Firewall 3100.

7.2.0

7.2.0

On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

For more information, see Site-to-Site VPNs.

Routing

Configure EIGRP from the management center web interface.

7.2.0

Any

Upgrade impact. Redo FlexConfigs after upgrade.

You can now use the management center web interface to configure EIGRP. Note that you can only enable EIGRP on interfaces belonging to the device's Global virtual router.

If you configured EIGRP with FlexConfig in a previous version, the system allows you to deploy post-upgrade, but also warns you to redo your EIGRP configurations in the web interface. When you are satisfied with the new configuration, you can delete the deprecated FlexConfig objects or commands. To help you with this process, we provide a command-line migration tool.

New/modified screens: Devices > Device Management > Routing > EIGRP

For more information, see EIGRP and Migrating FlexConfig Policies.

Virtual router support for the Firepower 1010.

7.2.0

7.2.0

You can now configure up to five virtual routers on the Firepower 1010.

For more information, see Virtual Routers.

Support for VTIs in user-defined virtual routers.

7.2.0

7.2.0

You can now assign virtual tunnel interfaces to user-defined virtual routers. Previously, you could only assign VTIs to Global virtual routers.

New/modified screens: Devices > Device Management > Routing > Virtual Router Properties

For more information, see Virtual Routers.

Policy-based routing with path monitoring.

7.2.0

7.2.0

You can now use path monitoring to collect the performance metrics (RTT, jitter, packet-lost, and MOS) of a device's egress interfaces. Then, you can use these metrics to determine the best path for policy based routing.

New/modified screens:

  • Enable path monitoring and choose metrics to collect: Devices > Device Management > Interfaces > Path Monitoring

  • Use the new Interface Ordering option when you are adding a policy based route and specifying a forwarding action: Devices > Device Management > Routing > Policy Based Routing

  • Monitor path metrics in each device's health monitoring dashboard: System (system gear icon) > Health > Monitor > add dashboard > Interface - Path Metrics.

New/modified CLI commands: show policy route , show path-monitoring , clear path-monitoring

For more information, see Policy Based Routing.

Threat Intelligence

DNS-based threat intelligence from Cisco Umbrella.

7.2.0

Any

We now support DNS-based Security Intelligence using regularly updated information from Cisco Umbrella. You can use both a local DNS policy and an Umbrella DNS policy, for two layers of protection.

New/modified screens:

  • Configure connection to Umbrella: Integration > Other Integrations > Cloud Services > Cisco Umbrella Connection

  • Configure Umbrella DNS policy: Policies > DNS > Add DNS Policy > Umbrella DNA Policy

  • Associate Umbrella DNS policy with access control: Policies > Access Control > Edit Policy > Security Intelligence > Umbrella DNS Policy

For more information, see DNS Policies.

IP-based threat intelligence from Amazon GuardDuty.

7.2.0

Any

You can now handle traffic based on malicious IP addresses detected by Amazon GuardDuty, when integrated with management center virtual for AWS. The system consumes this threat intelligence via a custom Security Intelligence feed, or via a regularly updated network object group, which you can then use in your security policies.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Access Control and Threat Detection

Dynamic object management with:

  • Cloud-delivered Cisco Secure Dynamic Attributes Connector

  • On-prem Cisco Secure Dynamic Attributes Connector 2.0

7.2.0

Any

Concurrently with Version 7.2, we released the following updates to the Cisco Secure Dynamic Attributes Connector:

Bypass inspection or throttle elephant flows on Snort 3 devices.

7.2.0

7.2.0 with Snort 3

You can now detect and optionally bypass inspection or throttle elephant flows. By default, access control policies are set to generate an event when the system sees an unencrypted connection larger than 1 GB/10 sec; the rate limit is configurable.

For the Firepower 2100 series, you can detect elephant flows but not bypass inspection or throttle. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use Intelligent Application Bypass (IAB).

New/modified screens: We added Elephant Flow Settings to the access control policy's Advanced tab.

For more information, see Elephant Flow Detection.

Encrypted visibility engine enhancements.

7.2.0

7.2.0 with Snort 3

We made the following enhancements to the encrypted visibility engine (EVE):

  • EVE can detect the operating system used by the host, which is reported in events and the network map.

  • EVE can detect application traffic by assigning EVE processes that were identified with high confidence to applications, which you can then use in access control rules to control network traffic. (In Version 7.1, you could see EVE processes for connections, but you could not act on that knowledge.)

    To add additional assignments, create custom applications/custom application detectors. When adding a detection pattern to your custom detector, choose Encrypted Visibility Engine as the application. Then, specify the process name and confidence level.

  • EVE now works with QUIC traffic.

The following connection event fields have changed along with these enhancements:

TLS Fingerprint Process Name

is now

Encrypted Visibility Process Name

TLS Fingerprint Process Confidence Score

is now

Encrypted Visibility Process Confidence Score

TLS Fingerprint Malware Confidence

is now

Encrypted Visibility Threat Confidence

TLS Fingerprint Malware Confidence Score

is now

Encrypted Visibility Threat Confidence Score

Detection Type: TLS Fingerprint

is now

Detection Type: Encrypted Visibility

This feature now requires a Threat license.

For more information, see Access Control Policies and Application Detection.

TLS 1.3 inspection.

7.2.0

7.2.0 with Snort 3

We now support inspection of TLS 1.3 traffic.

New/modified screens: We added the Enable TLS 1.3 Decryption option to the Advanced Settings tab in SSL policies. Note that this option is disabled by default.

For more information, see SSL Policies.

Improved portscan detection.

7.2.0

7.2.0 with Snort 3

With an improved portscan detector, you can easily configure the system to detect or prevent portscans. You can refine the networks you want to protect, set the sensitivity, and so on. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use the network analysis policy for portscan detection.

New/modified screens: We added Threat Detection to the access control policy's Advanced tab.

For more information, see Threat Detection.

VBA macro inspection.

7.2.0

7.2.0 with Snort 3

We now support inspection of VBA (Visual Basic for Applications) macros in Microsoft Office documents, which is done by decompressing the macros and matching rules against the decompressed content.

By default, VBA macro decompression is disabled in all system-provided network analysis policies. To enable it use the decompress_vba setting in the imap, smtp, http_inspect, and pop Snort 3 inspectors.

To configure custom intrusion rules to match against decompressed macros, use the vba_data option.

For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Improved JavaScript inspection.

7.2.0

7.2.0 with Snort 3

We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. A new normalizer's enhancements include improved white-space normalization, semicolon insertions, cross-site script handling, identifier normalization and dealiasing, just-in-time (JIT) inspection, and the ability to inspect external scripts.

By default, the new normalizer is enabled in all system-provided network analysis policies. To tweak performance or disable the feature in a custom network analysis policy, use the js_norm (improved normalizer) and normalize_javascript (legacy normalizer) settings in the https_inspect Snort 3 inspector.

To configure custom intrusion rules to match against normalized JavaScript, use the js_data option, for example:

alert tcp any any -> any any (msg:"Script detected!"; 
js_data; content:"var var_0000=1;"; sid:1000001;)

For more information, see HTTP Inspect Inspector in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Improved SMB 3 inspection.

7.2.0

7.2.0 with Snort 3

We now support inspection of SMB 3 traffic in the following situations:

  • During file server node failover for clusters configured for SMB Transparent Failover.

  • In multiple file server nodes for clusters using SMB Scale-Out.

  • Through directory information changes due to SMB Directory Leasing.

  • Spread across multiple connections due to SMB Multichannel.

For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Event Logging and Analysis

Improved SecureX integration, SecureX orchestration.

7.2.0

Any

We have streamlined the SecureX integration process. Now, as long as you already have a SecureX account, you just choose your cloud region on the new Integration > SecureX page, click Enable SecureX, and authenticate to SecureX. The option to send events to the cloud, as well as to enable Cisco Success Network and Cisco Support Diagnostics, are also moved to this new page.

When you enable SecureX integration on this new page, licensing and management for the system's cloud connection switches from Cisco Smart Licensing to SecureX. If you already enabled SecureX the "old" way, you must disable and re-enable to get the benefits of this cloud connection management.

Note that this page also governs the cloud region for and event types sent to the Secure Network Analytics (Stealthwatch) cloud using Security Analytics and Logging (SaaS), even though the web interface does not indicate this. Previously, these options were on System (system gear icon) > Integration > Cloud Services. Enabling SecureX does not affect communications with the Secure Network Analytics cloud; you can send events to both.

The management center also now supports SecureX orchestration—a powerful drag-and-drop interface you can use to automate workflows across security tools. After you enable SecureX, you can enable orchestration.

As part of this feature, you can no longer use the REST API to configure SecureX integration. You must use the FMC web interface.

Version restrictions: This feature is included in Versions 7.0.2+ and 7.2+. It is not supported in Version 7.1. If you use the new method to enable SecureX integration in Version 7.0.x, you cannot upgrade to Version 7.1 unless you disable the feature. We recommend you upgrade to Version 7.2+.

See: Cisco Secure Firewall Management Center (7.0.2 and 7.2) and SecureX Integration Guide

Log security events to multiple Secure Network Analytics on-prem data stores.

7.2.0

7.0.0

When you configure a Secure Network Analytics Data Store (multi-node) integration, you can now add multiple flow collectors for security events. You assign each flow collector to one or more threat defense devices running Version 7.0+.

New/modified screens:

  • Setup: Integration > Security Analytics & Logging > Secure Network Analytics Data Store

  • Modify: Integration > Security Analytics & Logging > Update Device Assignments

This feature requires Secure Network Analytics Version 7.1.4.

For more information, see the Cisco Security Analytics and Logging (On Premises): Firewall Event Integration Guide.

Database access changes.

7.2.0

Any

We added ten new tables, deprecated one table, and prohibited joins in six tables. We also added fields to various tables for Snort 3 support and to provide timestamps and IP addresses in human-readable format.

For more information, see the What's New topic in the Cisco Secure Firewall Management Center Database Access Guide, Version 7.2.

eStreamer changes.

7.2.0

Any

A new Python-based reference client has been added to the SDK. Also, you can now request fully qualified events.

For more information, see the What's New topic in the Cisco Secure Firewall Management Center Event Streamer Integration Guide, Version 7.2.

Deployment and Policy Management

Auto rollback of a deployment that causes a loss of management connectivity.

7.2.0

7.2.0

You can now enable auto rollback of the configuration if a deployment causes the management connection between the management center and threat defense to go down. Previously, you could only manually roll back a configuration using the configure policy rollback command.

New/modified screens:

  • Devices > Device Management > Device > Deployment Settings

  • Deploy > Advanced Deploy > Preview

  • Deploy > Deployment History > Preview

For more information, see Device Management.

Generate and email a report when you deploy configuration changes.

7.2.0

Any

You can now generate a report for any deploy task. The report contains details about the deployed configuration.

New/modified pages: Deploy > Deployment History (deployment history icon) icon > More (more icon)Generate Report

For more information, see Configuration Deployment.

Access control policy locking.

7.2.0

Any

You can now lock an access control policy to prevent other administrators from editing it. Locking the policy ensures that your changes will not be invalidated if another administrator edits the policy and saves changes before you save your changes. Any user who has permission to modify the access control policy has permission to lock it.

We added an icon to lock or unlock a policy next to the policy name while editing the policy. In addition, there is a new permission to allow users to unlock policies locked by other administrators: Override Access Control Policy Lock. This permission is enabled by default in the Administrator, Access Admin, and Network Admin roles.

For more information, see Access Control Policies.

Object group search is enabled by default.

7.2.0

Any

The Object Group Search setting is now enabled by default when you add a device to the management center.

New/modified screens: Devices > Device Management > Device > Advanced Settings

For more information, see Device Management.

Access control rule hit counts persist over reboot.

7.2.0

7.2.0

Rebooting a managed device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained by each unit in an HA pair or cluster separately. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or see the counts per node.

New/modified CLI commands: show rule hits

For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

Usability improvements for the access control policy.

7.2.0

Any

There is a new experimental user interface available for the access control policy. You can continue to use the legacy user interface, or you can try out the new user interface.

The new interface has both a table and a grid view for the rules list, the ability to show or hide columns, enhanced search, infinite scroll, a clearer view of the packet flow related to policies associated with the access control policy, and a simplified add/edit dialog box for creating rules. You can freely switch back and forth between the legacy and new user interfaces while editing an access control policy.

Restrictions: The new interface does not have all the features available in the legacy interface, and may have performance issues when displaying a large number of rules.

For more information, see Access Control Policies.

Upgrade

Copy upgrade packages ("peer-to-peer sync") from device to device.

7.2.0

7.2.0

Instead of copying upgrade packages to each device from the management center or internal web server, you can use the threat defense CLI to copy upgrade packages between devices ("peer to peer sync"). This secure and reliable resource-sharing goes over the management network but does not rely on the management center. Each device can accommodate 5 package concurrent transfers.

This feature is supported for Version 7.2.x–7.4.x standalone devices managed by the same Version 7.2.x–7.4.x standalone management center. It is not supported for:

  • Container instances.

  • Device high availability pairs and clusters. These devices get the package from each other as part of their normal sync process. Copying the upgrade package to one group member automatically syncs it to all group members.

  • Devices managed by high availability management centers.

  • Devices managed by the cloud-delivered Firewall Management Center, but added to an on-prem management center in analytics mode.

  • Devices in different domains, or devices separated by a NAT gateway.

  • Devices upgrading from Version 7.1 or earlier, regardless of management center version.

New/modified CLI commands: configure p2psync enable , configure p2psync disable , show peers , show peer details , sync-from-peer , show p2p-sync-status

For more information, see Copy Threat Defense Upgrade Packages between Devices.

Auto-upgrade to Snort 3 after successful threat defense upgrade.

7.2.0

7.2.0

When you use a Version 7.2+ management center to upgrade threat defense to Version 7.2+, you can now choose whether to Upgrade Snort 2 to Snort 3.

After the software upgrade, eligible devices upgrade from Snort 2 to Snort 3 when you deploy configurations. For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For help, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.

Version restrictions: Not supported for threat defense upgrades to Version 7.0.x or 7.1.x.

Upgrade for single-node clusters.

7.2.0

Any

You can now use the device upgrade page (Devices > Device Upgrade) to upgrade clusters with only one active node. Any deactivated nodes are also upgraded. Previously, this type of upgrade would fail. This feature is not supported from the system updates page (System (system gear icon)Updates).

Hitless upgrades are also not supported in this case. Interruptions to traffic flow and inspection depend on the interface configurations of the lone active unit, just as with standalone devices.

Supported platforms: Firepower 4100/9300, Secure Firewall 3100

Revert threat defense upgrades from the CLI.

7.2.0

7.2.0

You can now revert threat defense upgrades from the device CLI if communications between the management center and device are disrupted. Note that in high availability/scalability deployments, revert is more successful when all units are reverted simultaneously. When reverting with the CLI, open sessions with all units, verify that revert is possible on each, then start the processes at the same time.

Caution

 

Reverting from the CLI can cause configurations between the device and the management center to go out of sync, depending on what you changed post-upgrade. This can cause further communication and deployment issues.

New/modified CLI commands: upgrade revert , show upgrade revert-info .

For more information, see Revert the Upgrade.

Administration

Back up and restore threat defense virtual for AWS.

7.2.0

Any

You can now use the management center to back up threat defense virtual for AWS, except device clusters. To restore, use the device CLI.

For more information, see Backup/Restore.

Multiple DNS server groups for resolving DNS requests.

7.2.0

Any

You can configure multiple DNS groups for the resolution of DNS requests from client systems. You can use these DNS server groups to resolve requests for different DNS domains. For example, you could have a catch-all default group that uses public DNS servers, for use with connections to the Internet. You could then configure a separate group to use internal DNS servers for internal traffic, for example, any connection to a machine in the example.com domain. Thus, connections to an FQDN using your organization’s domain name would be resolved using your internal DNS servers, whereas connections to public servers use external DNS servers.

New/modified screens: Platform Settings > DNS

For more information, see Platform Settings.

Configure certificate validation with threat defense by usage type.

7.2.0

7.2.0

You can now specify the usage types where validation is allowed with the trustpoint (the threat defense device): IPsec client connections, SSL client connections, and SSL server certificates.

New/modified screens: We added a Validation Usage option to certificate enrollment objects: Objects > Object Manager > PKI > Cert Enrollment.

For more information, see Object Management.

GeoDB is split into two packages.

7.2.0

Any

In May 2022, shortly before the Version 7.2 release, we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on.

If your Version 7.2.0–7.2.5 management center has internet access and you enable recurring updates or you manually kick off a one-time update from the Cisco Support & Download site, the system automatically obtains both packages. In Version 7.2.6+/7.4.0+, you can configure whether you want the system to obtain the IP package.

If you manually download updates—for example, in an air-gapped deployment—you must import the packages separately:

  • Country code package: Cisco_GEODB_Update-date-build.sh.REL.tar​

  • IP package: Cisco_IP_GEODB_Update-date-build.sh.REL.tar​

Help (help icon) > About lists the versions of the packages currently being used by the system.

For more information, see Updates.

French language option for web interface.

7.2.0

Any

You can now switch the management center web interface to French.

New/modified screens: System (system gear icon) > Configuration > Language

For more information, see System Configuration.

Web interface changes: deployment and user activity integrations.

7.2.0

Any

Version 7.2 changes these management center menu options in all cases.

Deploy > Deployment History

is now

Deploy > Deployment History (deployment history icon) (bottom right corner)

Deploy > Deployment

is now

Deploy > Advanced Deploy

Analysis > Users > Active Sessions

is now

Integration > Users > Active Sessions

Analysis > Users > Users

is now

Integration > Users > Users

Analysis > Users > User Activity

is now

Integration > Users > User Activity

Web interface changes: SecureX, threat intelligence, and other integrations.

7.2.0

Any

Version 7.2 changes these management center menu options if you are upgrading from Version 7.0.1 or earlier, or from Version 7.1.

Note

 

If you are upgrading from Version 7.0.2 or any later Version 7.0.x maintenance release, your menu structure already looks like this.

AMP > AMP Management

is now

Integration > AMP > AMP Management

AMP > Dynamic Analysis Connections

is now

Integration > AMP > Dynamic Analysis Connections

Intelligence > Sources

is now

Integration > Intelligence > Sources

Intelligence > Elements

is now

Integration > Intelligence > Elements

Intelligence > Settings

is now

Integration > Intelligence > Settings

Intelligence > Incidents

is now

Integration > Intelligence > Incidents

System (system gear icon) > Integration

is now

Integration > Other Integrations

System (system gear icon) > Logging > Security Analytics & Logging

is now

Integration > Security Analytics & Logging

System (system gear icon) > SecureX

is now

Integration > SecureX

Usability, Performance, and Troubleshooting

Dropped packet statistics for the Secure Firewall 3100.

7.2.0

7.2.0

The new show packet-statistics threat defense CLI command displays comprehensive information about non-policy related packet drops. Previously this information required using several commands.

For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

Cisco Success Network telemetry.

7.2.0

Any

For telemetry changes, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center, Version 7.2.

Management Center REST API

Management center REST API.

7.2.0

Any

For information on changes to the FMC REST API, see What's New in 7.2 in the REST API quick start guide.

Deprecated Features

Deprecated: EIGRP with FlexConfig.

7.2.0

Any

You can now configure EIGRP routing from the management center web interface.

You no longer need these FlexConfig objects: Eigrp_Configure, Eigrp_Interface_Configure, Eigrp_Unconfigure, Eigrp_Unconfigure_all.

And these associated text objects: eigrpAS, eigrpNetworks, eigrpDisableAutoSummary, eigrpRouterId, eigrpStubReceiveOnly, eigrpStubRedistributed, eigrpStubConnected, eigrpStubStatic, eigrpStubSummary, eigrpIntfList, eigrpAS, eigrpAuthKey, eigrpAuthKeyId, eigrpHelloInterval, eigrpHoldTime, eigrpDisableSplitHorizon.

The system does allow you to deploy post-upgrade, but also warns you to redo your EIGRP configurations. To help you with this process, we provide a command-line migration tool. For details, see Migrating FlexConfig Policies .

Deprecated: VXLAN with FlexConfig.

7.2.0

Any

You can now configure VXLAN interfaces from the management center web interface.

You no longer need these FlexConfig objects: VxLAN_Clear_Nve, VxLAN_Clear_Nve_Only, VxLAN_Configure_Port_And_Nve, VxLAN_Make_Nve_Only, VxLAN_Make_Vni.

And these associated text objects: vxlan_Port_And_Nve, vxlan_Nve_Only, vxlan_Vni.

If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings.

Deprecated: Automatic pre-upgrade troubleshooting.

7.2.0

Any

To save time and disk space, the management center upgrade process no longer automatically generates troubleshooting files before the upgrade begins. Note that device upgrades are unaffected and continue to generate troubleshooting files.

To manually generate troubleshooting files for the management center, choose System (system gear icon) > Health > Monitor, click Firewall Management Center in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

FMC Features in Version 7.1.0


Note


You cannot manage a Version 7.1 device with cloud-delivered Firewall Management Center. If your cloud-managed devices are running Version 7.0, upgrade directly to Version 7.2+ to take advantage of the features listed here.


Table 12. FMC Features in Version 7.1.0.3

Feature

Details

Automatically update CA bundles.

Upgrade impact. The system connects to Cisco for something new.

The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature.

New/modified CLI commands: configure cert-update auto-update , configure cert-update run-now , configure cert-update test , show cert-update

Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco.

See: Firepower Management Center Command Line Reference and Cisco Secure Firewall Threat Defense Command Reference

Table 13. FMC Features in Version 7.1.0

Feature

Details

Platform

Secure Firewall 3100

We introduced the Secure Firewall 3110, 3120, 3130, and 3140.

You can hot swap a network module of the same type while the firewall is powered up without having to reboot; making other module changes requires a reboot. Secure Firewall 3100 25 Gbps interfaces support Forward Error Correction as well as speed detection based on the SFP installed. The SSDs are self-encrypting drives (SEDs), and if you have 2 SSDs, they form a software RAID. These devices support up to 8 units for Spanned EtherChannel clustering.

Note that the Version 7.1.0 release does not include online help for these devices; new online help is included in Version 7.1.0.2.

New/modified screens:

  • Devices > Device Management > Add Cluster

  • Devices > Device Management > More

  • Devices > Device Management > Cluster

  • Devices > Device Management > Chassis Operations

  • Devices > Device Management > Interfaces > edit physical interface > Hardware Configuration

  • Devices > Device Management

New/modified FTD CLI commands: configure network speed , configure raid , show raid , show ssd

FMCv300 for AWS

FMCv300 for OCI

We introduced the FMCv300 for both AWS and OCI. The FMCv300 can manage up to 300 devices.

FTDv for AWS instances.

FTDv for AWS adds support for these instances:

  • c5a.xlarge, c5a.2xlarge, c5a.4xlarge

  • c5ad.xlarge, c5ad.2xlarge, c5ad.4xlarge

  • c5d.xlarge, c5d.2xlarge, c5d.4xlarge

  • c5n.xlarge, c5n.2xlarge, c5n.4xlarge

  • i3en.xlarge, i3en.2xlarge, i3en.3xlarge

  • inf1.xlarge, inf1.2xlarge

  • m5.xlarge, m5.2xlarge, m5.4xlarge

  • m5a.xlarge, m5a.2xlarge, m5a.4xlarge

  • m5ad.xlarge, m5ad.2xlarge, m5ad.4xlarge

  • m5d.xlarge, m5d.2xlarge, m5d.4xlarge

  • m5dn.xlarge, m5dn.2xlarge, m5dn.4xlarge

  • m5n.xlarge, m5n.2xlarge, m5n.4xlarge

  • m5zn.xlarge, m5zn.2xlarge, m5zn.3xlarge

  • r5.xlarge, r5.2xlarge, r5.4xlarge

  • r5a.xlarge, r5a.2xlarge, r5a.4xlarge

  • r5ad.xlarge, r5ad.2xlarge, r5ad.4xlarge

  • r5b.xlarge, r5b.2xlarge, r5b.4xlarge

  • r5d.xlarge, r5d.2xlarge, r5d.4xlarge

  • r5dn.xlarge, r5dn.2xlarge, r5dn.4xlarge

  • r5n.xlarge, r5n.2xlarge, r5n.4xlarge

  • z1d.xlarge, z1d.2xlarge, z1d.3xlarge

FTDv for Azure instances.

FTDv for Azure adds support for these instances:

  • Standard_D8s_v3

  • Standard_D16s_v3

  • Standard_F8s_v2

  • Standard_F16s_v2