Management Center New Features by Release
Uploaded by
bobManagement Center New Features by Release
Uploaded by
bobCisco Secure Firewall Management Center New
Features by Release
First Published: 2021-03-26
Last Modified: 2024-05-06
New Features by Release
This document describes new and deprecated features for each release, including upgrade impact.
A feature has upgrade impact if upgrading and deploying will cause the system to process traffic or otherwise
act differently without any other action on your part. This is especially common with new threat detection
and application identification capabilities. Or, sometimes the upgrade process has a special requirement; for
example, in some cases you must perform a non-standard task before or after upgrade (edit or delete a specific
configuration, apply health policies, redo FlexConfig commands in the web interface, and so on).
Although you can manage older devices with a newer management center, we recommend you always update
your entire deployment. New traffic-handling features usually require the latest release on both the management
center and device. Features where devices are not obviously involved (cosmetic changes to the web interface,
cloud integrations) may only require the latest version on the management center, but that is not guaranteed.
Note that if you are using the web interface in a language other than English, features introduced in maintenance
releases and patches may not be translated until the next major release.
Suggested Release: Version 7.2.5.x
To take advantage of new features and resolved issues, we recommend you upgrade all eligible appliances to
at least the suggested release, including the latest patch. On the Cisco Support & Download site, the suggested
release is marked with a gold star. In Version 7.2.6+/7.4.1+, the management center notifies you when a new
suggested release is available, and indicates suggested releases on its product upgrades page.
Suggested Releases for Older Appliances
If an appliance is too old to run the suggested release and you do not plan to refresh the hardware right now,
choose a major version then patch as far as possible. Some major versions are designated long-term or extra
long-term, so consider one of those. For an explanation of these terms, see Cisco NGFW Product Line Software
Release and Sustaining Bulletin.
If you are interested in a hardware refresh, contact your Cisco representative or partner contact.
Cisco Secure Firewall Management Center New Features by Release
1
New Features by Release
Management Center Features in Version 7.4.1
Management Center Features in Version 7.4.1
Table 1: Management Center Features in Version 7.4.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Reintroduced Features
Cisco Secure Firewall Management Center New Features by Release
2
New Features by Release
Management Center Features in Version 7.4.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Reintroduced features. Feature Feature
dependent dependent
Cisco Secure Firewall Management Center New Features by Release
3
New Features by Release
Management Center Features in Version 7.4.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Version 7.4.1 reintroduces features, enhancements, and critical fixes that were
included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but
that were not included in odd-numbered versions (7.1.x, 7.3.x) or in Version
7.4.0.
Reintroduced features include:
• Support for threat defense on all device platforms supported in Version
7.3, and also on the Firepower 1010E (last supported in 7.2).
• Management center detects interface sync errors. Upgrade impact.
• Updated web analytics provider. Upgrade impact.
• Configure DHCP relay trusted interfaces from the management center
web interface. Upgrade impact.
• Create network groups while editing NAT rules.
• Single backup file for high availability management centers.
• Open the packet tracer from the unified event viewer.
• Health alerts for excessive disk space used by deployment history
(rollback) files. Upgrade impact.
• Health alerts for NTP sync issues. Upgrade impact.
• View and generate reports on configuration changes since your last
deployment.
• Set the number of deployment history files to retain for device rollback.
• Improved upgrade starting page and package management.
• Enable revert from the threat defense upgrade wizard.
• View detailed upgrade status from the threat defense upgrade wizard.
• Suggested release notifications.
• New upgrade wizard for the management center.
• Hotfix high availability management centers without pausing
synchronization.
• Updated internet access requirements for direct-downloading software
upgrades. Upgrade impact.
• Scheduled tasks download patches and VDB updates only. Upgrade impact.
• Enable/disable access control object optimization.
• Cluster control link ping tool.
• Set the frequency of Snort 3 core dumps.
Cisco Secure Firewall Management Center New Features by Release
4
New Features by Release
Management Center Features in Version 7.4.1
Feature Minimum Minimum Details
Management Threat
Center Defense
• Capture dropped packets with the Secure Firewall 3100/4200.
Platform
Network modules for the 7.4.1 7.4.1 The Secure Firewall 3130 and 3140 now support these network modules:
Secure Firewall 3130 and
• 2-port 100G QSFP+ network module (FPR3K-XNM-2X100G)
3140.
See: Cisco Secure Firewall 3110, 3120, 3130, and 3140 Hardware Installation
Guide
Optical transceivers for 7.4.1 7.4.1 The Firepower 9300 now supports these optical transceivers:
Firepower 9300 network
• QSFP-40/100-SRBD
modules.
• QSFP-100G-SR1.2
• QSFP-100G-SM-SR
On these network modules:
• FPR9K-NM-4X100G
• FPR9K-NM-2X100G
• FPR9K-DNM-2X100G
See: Cisco Firepower 9300 Hardware Installation Guide
Performance profile 7.4.1 7.4.1 The performance profile settings available in the platform settings policy now
support for the Secure apply to the Secure Firewall 3100. Previously, this feature was supported on
Firewall 3100. the Firepower 4100/9300, the Secure Firewall 4200, and on threat defense
virtual.
See: Configure the Performance Profile
Interfaces
Deploy without the 7.4.1 7.4.1 You can now deploy without the diagnostic interface on threat defense virtual
diagnostic interface on for Azure and GCP. Previously, we required one management, one diagnostic,
threat defense virtual for and at least two data interfaces. New interface requirements are:
Azure and GCP.
• Azure: one management, two data (max eight)
• GCP: one management, three data (max eight)
Restrictions: This feature is supported for new deployments only. It is not
supported for upgraded devices.
See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide
Device Management
Cisco Secure Firewall Management Center New Features by Release
5
New Features by Release
Management Center Features in Version 7.4.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Device management 7.4.1 Any Device management services configured in the threat defense platform settings
services supported on (NetFlow, SSH access, SNMP hosts, syslog servers) are now supported on
user-defined VRF user-defined Virtual Routing and Forwarding (VRF) interfaces.
interfaces.
Platform restrictions: Not supported with container instances or clustered
devices.
See: Platform Settings
High Availability/Scalability: Threat Defense
Multi-instance mode for 7.4.1 7.4.1 You can deploy the Secure Firewall 3100 as a single device (appliance mode)
the Secure Firewall 3100. or as multiple container instances (multi-instance mode). In multi-instance
mode, you can deploy multiple container instances on a single chassis that act
as completely independent devices. Note that in multi-instance mode, you
upgrade the operating system and the firmware (chassis upgrade) separately
from the container instances (threat defense upgrade).
New/modified screens:
• Devices > Device Management > Add > Chassis
• Devices > Device Management > Device > Chassis Manager
• Devices > Platform Settings > New Policy > Chassis Platform Settings
• Devices > Chassis Upgrade
New/modified threat defense CLI commands: configure multi-instance
network ipv4, configure multi-instance network ipv6
New/modified FXOS CLI commands: create device-manager, set deploymode
Platform restrictions: Not supported on the Secure Firewall 3105.
See: Multi-Instance Mode for the Secure Firewall 3100 and Cisco Secure
Firewall Threat Defense Upgrade Guide for Management Center
16-node clusters for 7.4.1 7.4.1 You can now configure 16-node clusters for threat defense virtual for VMware
threat defense virtual for and threat defense virtual for KVM.
VMware and KVM.
See: Clustering for Threat Defense Virtual in a Private Cloud
Target failover for 7.4.1 7.4.1 You can now configure target failover for clustered threat defense virtual
clustered threat defense devices for AWS using the AWS Gateway Load Balancer (GWLB).
virtual devices for AWS.
Platform restrictions: Not available with five and ten-device licenses.
See: Configure Target Failover for Threat Defense Clustering with GWLB in
AWS
Cisco Secure Firewall Management Center New Features by Release
6
New Features by Release
Management Center Features in Version 7.4.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Detect configuration 7.4.1 7.4.1 You can now use the CLI to detect configuration mismatches in threat defense
mismatches in threat high availability pairs.
defense high availability
New/modified CLI commands: show failover config-sync error, show failover
pairs.
config-sync stats
See: Troubleshoot Configuration Sync Failure and Cisco Secure Firewall Threat
Defense Command Reference
High Availability: Management Center
Management center high 7.4.1 Any Management center high availability (HA) includes the following
availability synchronization enhancements:
synchronization
• Large configuration history files can cause synchronization to fail in
enhancements.
high-latency networks. To prevent this from happening, the device
configuration history files are now synchronized in parallel with other
configuration data. This enhancement also reduces the synchronization
time.
• The management center now monitors the configuration history file
synchronization process and displays a health alert if the synchronization
times out.
New/modified screens: You can view these alerts on the following screens:
• Notifications > Message Center > Health
• Integration > Other Integrations > High Availability > Status (under
Summary)
See: Viewing Management Center High Availability Status
SD-WAN
Application monitoring 7.4.1 7.4.1 You can now monitor WAN interface application performance on the SD-WAN
on the SD-WAN Summary dashboard.
Summary dashboard.
New/modified screens: Overview > SD-WAN Summary > Application
Monitoring
See: WAN Summary Dashboard
VPN
Cisco Secure Firewall Management Center New Features by Release
7
New Features by Release
Management Center Features in Version 7.4.1
Feature Minimum Minimum Details
Management Threat
Center Defense
IPsec flow offload on the 7.4.1 7.4.1 Upgrade impact. Qualifying connections start being offloaded.
VTI loopback interface
On the Secure Firewall 3100, qualifying IPsec connections through the VTI
for the Secure Firewall
loopback interface are now offloaded by default. Previously, this feature was
3100.
only supported on physical interfaces. This feature is automatically enabled by
the upgrade.
You can change the configuration using FlexConfig and the flow-offload-ipsec
command.
See: IPsec Flow Offload
Crypto debugging 7.4.1 7.4.1 The crypto debugging enhancements introduced in Version 7.4.0 now apply
enhancements for the to the Secure Firewall 3100 and the Firepower 4100/9300. Previously, they
Secure Firewall 3100 and were only supported on the Secure Firewall 4200.
Firepower 4100/9300.
See: Troubleshooting Using Crypto Archives
View details of the VTIs 7.4.1 Any You can now view the details of route-based VPNs' virtual tunnel interfaces
in route-based VPNs. (VTI) on your managed devices. You can also view details of all the
dynamically created virtual access interfaces of the dynamic VTIs.
New/modified screens: Device > Device Management > Edit a device >
Interfaces > Virtual Tunnels tab.
See: About Virtual Tunnel Interfaces
Routing
Configure BFD routing 7.4.1 7.4.1 You can now use FlexConfig to configure Bidirectional Forwarding Detection
on IS-IS interfaces with (BFD) routing on physical, subinterface, and EtherChannel IS-IS interfaces.
FlexConfig.
See: Guidelines for BFD Routing
Access Control: Threat Detection and Application Identification
Cisco Secure Firewall Management Center New Features by Release
8
New Features by Release
Management Center Features in Version 7.4.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Zero trust access 7.4.1 7.4.1 with Management center now includes the following zero trust access enhancements:
enhancements. Snort 3
• You can configure source NAT for an application. The configured network
object or object group translates the incoming request's public network
source IP address to a routable IP address inside the application network.
• You can troubleshoot the zero trust configuration issues using the
diagnostics tool.
• To enhance your experience, we now collect zero trust application policy
telemetry data.
New/modified screens: Policies > Access Control > Zero Trust Application
New/modified CLI commands: show running-config zero-trust, show
zero-trust statistics
See:
• Create an Application
• Monitor Zero Trust Sessions
• Cisco Secure Firewall Threat Defense Command Reference
• Cisco Success Network Telemetry Data Collected from Cisco Secure
Firewall Management Center
CIP detection. 7.4.1 7.4.1 with You can now detect and handle Common Industrial Protocol (CIP) by using
Snort 3 CIP and Ethernet/IP (ENIP) application conditions in your security policies.
See: Application Rule Conditions
CIP safety detection. 7.4.1 7.4.1 with CIP Safety is a CIP extension that enables the safe operation of industrial
Snort 3 automation applications. The CIP inspector can now detect the CIP Safety
segments in the CIP traffic. To detect and take action on the CIP Safety
segments, enable the CIP inspector in the management center's network Analysis
policy and assign it to an access control policy.
New/modified screens: Policies > Access Control > Edit a policy > Add Rule
> Applications tab > Search for CIP Safety in the search box.
See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide
Access Control: Identity
Cisco Secure Firewall Management Center New Features by Release
9
New Features by Release
Management Center Features in Version 7.4.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Captive portal support for 7.4.1 7.4.1 Upgrade impact. Update custom authentication forms.
multiple Active Directory
You can configure active authentication for either an LDAP realm; or a
realms (realm
Microsoft Active Directory realm or a realm sequence. In addition, you can
sequences).
configure a passive authentication rule to fall back to active authentication
using either a realm or a realm sequence. You can optionally share sessions
between managed devices that share the same identity policy in access control
rules.
In addition, you have the option to require users to authenticate again when
they access the system using a different managed device than they accessed
previously.
If you use the HTTP Response Page authentication type, after you upgrade
threat defense, you must add <select name="realm"
id="realm"></select> to your custom authentication form. This allows
the user to choose between realms.
Restrictions: Not supported with Microsoft Azure Active Directory.
New/modified screens:
• Policies > Identity > (edit policy) > Active Authentication > Share
active authentication sessions across firewalls
• Identity policy > (edit) > Add Rule > Passive Authentication >
Realms & Settings > Use active authentication if passive or VPN
identity cannot be established
• Identity policy > (edit) > Add Rule > Active Authentication > Realms
& Settings > Use active authentication if passive or VPN identity
cannot be established
See: How to Configure the Captive Portal for User Control
Share captive portal 7.4.1 7.4.1 Determines whether or not users are required to authenticate when their
active authentication authentication session is sent to a different managed device than one they
sessions across firewalls. previously connected to. If your organization requires users to authenticate
every time they change locations or sites, you should disable this option.
• (Default.) Enable to allow users to authenticate with any managed device
associated with the active authentication identity rule.
• Disable to require the user to authenticate with a different managed device,
even if they have already authenticated with another managed device to
which the active authentication rule is deployed.
New/modified screens: Policies > Identity > (edit policy) > Active
Authentication > Share active authentication sessions across firewalls
See: How to Configure the Captive Portal for User Control
Cisco Secure Firewall Management Center New Features by Release
10
New Features by Release
Management Center Features in Version 7.4.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Merge downloadable 7.4.1 Any Upgrade impact. Redo any related FlexConfigs after upgrade.
access control list with a
New/modified screens: Objects > Object Management > AAA Server >
Cisco attribute-value pair
RADIUS Server Group > Add RADIUS Server Group > Merge
ACL for RADIUS
Downloadable ACL with Cisco AV Pair ACL
identity sources, using
the management center New CLI commands:
web interface.
• sh run aaa-server aaa-server ISE-Server protocol radius merge-dacl
after-avpair
• sh run aaa-server aaa-server ISE-Server protocol radius merge-dacl
before-avpair
See: RADIUS Server Group Options
Health Monitoring
Chassis-level health 7.4.1 Any with Upgrade impact. Enable the new health module and apply device health
alerts for the Firepower FXOS policy after upgrade.
4100/9300. 2.14.1
You can now view chassis-level health alerts for Firepower 4100/9300 by
registering the chassis to the management center as a read-only device. You
must also enable the Firewall Threat Defense Platform Faults health module
and apply the health policy. The alerts appear in the Message Center, the health
monitor (in the left pane, under Devices, select the chassis), and in the health
events view.
You can also add a chassis (and view health alerts for) the Secure Firewall
3100 in multi-instance mode. For those devices, you use the management center
to manage the chassis. But for the Firepower 4100/9300 chassis, you still must
use the chassis manager or the FXOS CLI.
New/modified screens: Devices > Device Management > Add > Chassis
See: Add a Chassis to the Management Center
Cisco Secure Firewall Management Center New Features by Release
11
New Features by Release
Management Center Features in Version 7.4.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Improved management 7.4.1 Any Upgrade impact. Memory usage alert thresholds may be lowered.
center memory usage
We improved the accuracy of management center memory usage and have
calculation, alerting, and
lowered the default alert thresholds to 88% warning/90% critical. If your
swap memory
thresholds were higher than the new defaults, the upgrade lowers them
monitoring.
automatically—you do not have to apply health policies for this change to take
place. Note that the management center may now reboot in extremely critical
system memory condition if terminating high-memory processes does not work.
You can also add new swap memory usage metrics to a new or existing
management center health dashboard. Make sure you choose the Memory
metric group.
New/modified screens:
• System ( ) > Health > Monitoring > Firewall Management
CenterAdd/Edit DashboardMemory
• System ( ) > Health > Policy > Management Center Health Policy >
Memory
See: Using Management Center Health Monitor
Deployment and Policy Management
Change management. 7.4.1 Any You can enable change management if your organization needs to implement
more formal processes for configuration changes, including audit tracking and
official approval before changes are deployed.
We added the System ( ) > Configuration > Change Management page to
enable the feature. When enabled, there is a System ( ) > Change
Management Workflow page, and a new Ticket ( ) quick access icon in the
menu.
See: Change Management
Upgrade
Firmware upgrades 7.4.1 Any Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot.
included in FXOS
For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include
upgrades.
firmware upgrades. If any firmware component on the device is older than the
one included in the FXOS bundle, the FXOS upgrade also updates the firmware.
If the firmware is upgraded, the device reboots twice—once for FXOS and
once for the firmware.
Just as with software and operating system upgrades, do not make or deploy
configuration changes during firmware upgrade. Even if the system appears
inactive, do not manually reboot or shut down during firmware upgrade.
See: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide
Cisco Secure Firewall Management Center New Features by Release
12
New Features by Release
Management Center Features in Version 7.4.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Automatically generate 7.4.1 Any You can automatically generate reports on configuration changes after major
configuration change and maintenance management center upgrades. This helps you understand the
reports after management changes you are about to deploy. After the system generates the reports, you
center upgrade. can download them from the Tasks tab in the Message Center.
Other version restrictions: Only supported for management center upgrades
from Version 7.4.1+. Not supported for upgrades to Version 7.4.1 or any earlier
version.
New/modified screens: System ( ) > Configuration > Upgrade
Configuration > Enable Post-Upgrade Report
See: Upgrade Configuration
Administration
Erase the hard drives on 7.4.1 Any You can use the management center CLI to reboot and permanently erase its
a hardware management own hard drive data. After the erase is completed, you can install a fresh
center. software image.
New/modified CLI commands: secure erase
See: Secure Firewall Management Center Command Line Reference
Usability, Performance, and Troubleshooting
Troubleshooting file 7.4.1 7.4.1 You can generate and download troubleshooting files for each device on the
generation and download Device page and also for all cluster nodes on the Cluster page. For a cluster,
available from Device you can download all files as a single compressed file. You can also include
and Cluster pages. cluster logs for the cluster for cluster nodes. You can alternatively trigger file
generation from the Devices > Device Management > More ( ) > Troubleshoot
Files menu.
New/modified screens:
• Devices > Device Management > Device > General
• Devices > Device Management > Cluster > General
See: Generate Troubleshooting Files
Automatic generation of 7.4.1 7.4.1 If a node fails to join the cluster, a troubleshooting file is automatically
a troubleshooting file on generated for the node. You can download the file from Tasks or from the
a node when it fails to Cluster page.
join the cluster.
See: Troubleshooting the Cluster
View CLI output for a 7.4.1 Any You can view a set of pre-defined CLI outputs that can help you troubleshoot
device or device cluster. the device or cluster. You can also enter any show command and see the output.
New/modified screens: Devices > Device Management > Cluster > General
See: View CLI Output
Cisco Secure Firewall Management Center New Features by Release
13
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Quick recovery after data 7.4.1 7.4.1 If the data plane process crashes, the system now reloads only the data plane
plane failure for the process instead of rebooting the device. Along with the data plane process
Firepower 1000/2100 and reload, Snort and a few other processes also get reloaded.
Firepower 4100/9300.
However, if the data plane process crashes during bootup, the device follows
the normal reload/reboot sequence, which helps avoid a reload process loop
from occurring.
This feature is enabled by default for both new and upgraded devices.
New/modified CLI commands: data-plane quick-reload, no data-plane
quick-reload, show data-plane quick-reload status
Supported platforms: Firepower 1000/2100, Firepower 4100/9300
Platform restrictions: Not supported in multi-instance mode.
See: Cisco Secure Firewall Threat Defense Command Reference and Cisco
Secure Firewall ASA Series Command Reference.
Deprecated Features
Deprecated: frequent 7.4.1 7.4.1 The Disk Usage health module no longer alerts with frequent drain of
drain of events events. You may continue to see these alerts after management center upgrade
health alerts. until you either deploy health policies to managed devices (stops the display
of alerts) or upgrade devices to Version 7.4.1+ (stops the sending of alerts).
See: Disk Usage and Drain of Events Health Monitor Alerts
Deprecated: VPN Tunnel 7.4.1 Any We deprecated the VPN Tunnel Status health module. Use the VPN dashboards
Status health module. instead.
See: VPN Monitoring and Troubleshooting
Deprecated: Merging 7.4.1 Any Upgrade impact. Redo any related FlexConfigs after upgrade.
downloadable access
This feature is now supported in the management center web interface.
control list with a Cisco
attribute-value pair ACL
for RADIUS identity
sources with FlexConfig.
Management Center Features in Version 7.4.0
Note Version 7.4.0 is available only on the Secure Firewall Management Center and the Secure Firewall 4200. A
Version 7.4.0 management center can manage older versions of other device models, but you must use a
Secure Firewall 4200 for features that require threat defense 7.4.0. Support for all other device platforms
resumes in Version 7.4.1.
Cisco Secure Firewall Management Center New Features by Release
14
New Features by Release
Management Center Features in Version 7.4.0
Table 2: Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Reintroduced Features
Reintroduced features. 7.4.0 Feature Version 7.4.0 reintroduces features, enhancements, and critical fixes that were
dependent included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but
that were not included in odd-numbered versions (7.1.x, 7.3.x).
Reintroduced features include:
• Access control performance improvements (object optimization). Upgrade
impact.
• Reduced "false failovers" for threat defense high availability.
• Download only the country code geolocation package. Upgrade impact.
Platform
Management center 7.4.0 Any We introduced the Secure Firewall Management Center 1700, 2700, and 4700,
1700, 2700, 4700. which can manage up to 300 devices. Management center high availability is
supported.
See: Cisco Secure Firewall Management Center 1700, 2700, and 4700 Getting
Started Guide
Management center 7.4.0 Any We introduced Secure Firewall Management Center Virtual for Microsoft
virtual for Microsoft Hyper-V, which can manage up to 25 devices. Management center high
Hyper-V. availability is supported.
See: Cisco Secure Firewall Management Center Virtual Getting Started Guide
Secure Firewall 4200. 7.4.0 7.4.0 We introduced the Secure Firewall 4215, 4225, and 4245.
These devices support the following new network modules:
• 2-port 100G QSFP+ network module (FPR4K-XNM-2X100G)
• 4-port 200G QSFP+ network module (FPR4K-XNM-4X200G)
See: Cisco Secure Firewall 4215, 4225, and 4245 Hardware Installation Guide
Performance profile 7.4.0 7.4.0 The performance profile settings available in the platform settings policy now
support for the Secure apply to the Secure Firewall 4200. Previously, this feature was supported only
Firewall 4200. on the Firepower 4100/9300 and on threat defense virtual.
See: Configure the Performance Profile
Platform Migration
Cisco Secure Firewall Management Center New Features by Release
15
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Migrate from Firepower 7.4.0 Any You can now easily migrate configurations from the Firepower 1000/2100 to
1000/2100 to Secure the Secure Firewall 3100.
Firewall 3100.
New/modified screens: Devices > Device Management > Migrate
Platform restrictions: Migration not supported from the Firepower 1010 or
1010E.
See: About Secure Firewall Threat Defense Model Migration
Migrate from Firepower 7.4.0 Any You can migrate from Firepower Management Center 4600 to Secure Firewall
Management Center 4600 Management Center Virtual for AWS with a 300-device license.
to Secure Firewall
See: Cisco Secure Firewall Management Center Model Migration Guide
Management Center for
AWS.
Migrate from Firepower 7.4.0 Any You can migrate from Firepower Management Center 1600/2600/4600 to
Management Center Secure Firewall Management Center 1700/2700/4700.
1600/2600/4600 to
See: Cisco Secure Firewall Management Center Model Migration Guide
Secure Firewall
Management Center
1700/2700/4700.
Cisco Secure Firewall Management Center New Features by Release
16
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Migrate from Firepower 7.4.0 only 7.0.0 You can migrate Firepower Management Center 1000/2500/4500 to Secure
Management Center Firewall Management Center 1700/2700/4700. To migrate, you must
1000/2500/4500 to temporarily upgrade the old management center from Version 7.0 to Version
Secure Firewall 7.4.0.
Management Center
Important Version 7.4 is only supported on the 1000/2500/4500 during the
1700/2700/4700.
migration process. You should minimize the time between
management center upgrade and device migration.
To summarize the migration process:
1. Prepare for upgrade and migration. Read, understand, and meet all the
prerequisites outlined in the release notes, upgrade guides, and migration
guide. Make sure the old management center is ready to go: freshly
deployed, fully backed up, all appliances in good health, etc. You should
also set up the new management center.
2. Upgrade the old management center and all its managed devices to at least
Version 7.0.0 (7.0.5 recommended). If you are already running the minimum
version, you can skip this step.
3. Upgrade the old management center to Version 7.4.0. Unzip (but do not
untar) the upgrade package before uploading it to the management center.
Download from: Special Release.
4. Migrate the management center as described in the model migration guide.
5. Verify migration success. If the migration does not function to your
expectations and you want to switch back, note that Version 7.4 is
unsupported for general operations on the 1000/2500/4500. To return the
old management center to a supported version you must reimage back to
Version 7.0, restore from backup, and reregister devices.
See:
• Cisco Secure Firewall Threat Defense Release Notes
• Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0
• Cisco Secure Firewall Management Center Model Migration Guide
If you have questions or need assistance at any point in the migration process,
contact Cisco TAC.
Cisco Secure Firewall Management Center New Features by Release
17
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Migrate devices from 7.4.0 only 7.0.3
Firepower Management
Center 1000/2500/4500
to cloud-delivered
Firewall Management
Center.
Cisco Secure Firewall Management Center New Features by Release
18
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
You can migrate devices from Firepower Management Center 1000/2500/4500
to cloud-delivered Firewall Management Center.
To migrate devices, you must temporarily upgrade the on-prem management
center from Version 7.0.3 (7.0.5 recommended) to Version 7.4.0. This temporary
upgrade is required because Version 7.0 management centers do not support
device migration to the cloud. Additionally, only standalone and high
availability threat defense devices running Version 7.0.3+ (7.0.5 recommended)
are eligible for migration. Cluster migration is not supported at this time.
Important Version 7.4.0 is only supported on the 1000/2500/4500 during
the migration process. You should minimize the time between
management center upgrade and device migration.
To summarize the migration process:
1. Prepare for upgrade and migration. Read, understand, and meet all the
prerequisites outlined in the release notes, upgrade guides, and migration
guide.
Before you upgrade, it is especially important that the on-prem management
center is "ready to go," that is, managing only the devices you want to
migrate, configuration impact assessed (such as VPN impact), freshly
deployed, fully backed up, all appliances in good health, and so on.
You should also provision, license, and prepare the cloud tenant. This must
include a strategy for security event logging; you cannot retain the on-prem
management center for analytics because it will be running an unsupported
version.
2. Upgrade the on-prem management center and all its managed devices to
at least Version 7.0.3 (Version 7.0.5 recommended).
If you are already running the minimum version, you can skip this step.
3. Upgrade the on-prem management center to Version 7.4.0.
Unzip (but do not untar) the upgrade package before uploading it to the
management center. Download from: Special Release.
4. Onboard the on-prem management center to CDO.
5. Migrate all devices from the on-prem management center to the
cloud-delivered Firewall Management Center as described in the migration
guide.
When you select devices to migrate, make sure you choose Delete FTD
from On-Prem FMC. Note that the device is not fully deleted unless you
commit the changes or 14 days pass.
6. Verify migration success.
If the migration does not function to your expectations, you have 14 days
to switch back or it is committed automatically. However, note that Version
Cisco Secure Firewall Management Center New Features by Release
19
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
7.4.0 is unsupported for general operations. To return the on-prem
management center to a supported version you must remove the re-migrated
devices, re image back to Version 7.0.x, restore from backup, and reregister
the devices.
See:
• Cisco Secure Firewall Threat Defense Release Notes
• Cisco Firepower Management Center Upgrade Guide, Version 6.0–7.0
• Migrate On-Prem Management Center Managed Secure Firewall Threat
Defense to Cloud-delivered Firewall Management Center
If you have questions or need assistance at any point in the migration process,
contact Cisco TAC.
Device Management
Low-touch provisioning 7.4.0 Mgmt. Low-touch provisioning lets you register Firepower 1000/2100 and Secure
to register the Firepower center is Firewall 3100 devices to the management center by serial number without
1000/2100 and Secure publicly having to perform any initial setup on the device. The management center
Firewall 3100 to the reachable: integrates with SecureX and Cisco Defense Orchestrator for this functionality.
management center using 7.2.0
New/modified screens: Devices > Device Management > Add > Device >
a serial number.
Mgmt. Serial Number
center is
Other version restrictions: This feature is not supported on Version 7.3.x or
not publicly
7.4.0 threat defense devices when the management center is not publicly
reachable:
reachable. Support returns in Version 7.4.1.
7.2.4
See: Add a Device to the Management Center Using the Serial Number
(Low-Touch Provisioning)
Interfaces
Cisco Secure Firewall Management Center New Features by Release
20
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Merged management and 7.4.0 7.4.0 Upgrade impact. Merge interfaces after upgrade.
diagnostic interfaces.
For new devices using 7.4 and later, you cannot use the legacy diagnostic
interface. Only the merged management interface is available.
If you upgraded to 7.4 or later and:
• You did not have any configuration for the diagnostic interface, then the
interfaces will merge automatically.
• You have configuration for the diagnostic interface, then you have the
choice to merge the interfaces manually, or you can continue to use the
separate diagnostic interface. Note that support for the diagnostic interface
will be removed in a later release, so you should plan to merge the
interfaces as soon as possible.
Merged mode also changes the behavior of AAA traffic to use the data routing
table by default. The management-only routing table can now only be used if
you specify the management-only interface (including Management) in the
configuration.
For platform settings, this means:
• You can no longer enable HTTP, ICMP, or SMTP for diagnostic.
• For SNMP, you can allow hosts on management instead of diagnostic.
• For Syslog servers, you can reach them on management instead of
diagnostic.
• If Platform Settings for syslog servers or SNMP hosts specify the
diagnostic interface by name, then you must use separate Platform Settings
policies for merged and non-merged devices.
• DNS lookups no longer fall back to the management-only routing table
if you do not specify interfaces.
New/modified screens: Devices > Device Management > Interfaces
New/modified commands: show management-interface convergence
See: Merge the Management and Diagnostic Interfaces
Cisco Secure Firewall Management Center New Features by Release
21
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
VXLAN VTEP IPv6 7.4.0 7.4.0 You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6
support. is not supported for the threat defense virtual cluster control link or for Geneve
encapsulation.
New/modified screens:
• Devices > Device Management > Edit Device > VTEP > Add VTEP
• Devices > Device Management > Edit Devices > Interfaces > Add
Interfaces > VNI Interface
See: Configure Geneve Interfaces
Loopback interface 7.4.0 7.4.0 You can now use loopback interfaces for AAA, BGP, DNS, HTTP, ICMP,
support for BGP and IPsec flow offload, NetFlow, SNMP, SSH, and syslog.
management traffic.
New/modified screens: Devices > Device Management > Edit device >
Interfaces > Add Interfaces > Loopback Interface
See: Configure Loopback Interfaces
Loopback and 7.4.0 7.4.0 You can create interface group objects with only management-only or loopback
management type interfaces. You can use these groups for management features such as DNS
interface group objects. servers, HTTP access, or SSH. Loopback groups are available for any feature
that can utilize loopback interfaces. However, it's important to note that DNS
does not support management interfaces.
New/modified screens: Objects > Object Management > Interface > Add >
Interface Group
See: Interface
High Availability/Scalability
Manage threat defense 7.4.0 7.4.0 Threat defense high availability now supports using a regular data interface
high availability pairs for communication with the management center. Previously, only standalone
using a data interface. devices supported this feature.
See: Using the Threat Defense Data Interface for Management
SD-WAN
WAN summary 7.4.0 7.2.0 The WAN Summary dashboard provides a snapshot of your WAN devices and
dashboard. their interfaces. It provides insight into your WAN network and information
about device health, interface connectivity, application throughput, and VPN
connectivity. You can monitor the WAN links and take proactive and prompt
recovery measures.
New/modified screens: Overview > WAN Summary
See: WAN Summary Dashboard
Cisco Secure Firewall Management Center New Features by Release
22
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Policy-based routing 7.4.0 7.2.0 Policy-based routing (PBR) can now use the performance metrics (RTT, jitter,
using HTTP path packet-lost, and MOS) collected by path monitoring through HTTP client on
monitoring. the application domain rather than the metrics on a specific destination IP.
HTTP-based application monitoring option is enabled by default for the
interface. You can configure a PBR policy with match ACL having the
monitored applications and interface ordering for path determination.
New/modified screens: Devices > Device Management > Edit device > Edit
interface > Path Monitoring > Enable HTTP based Application Monitoring
check box.
Platform restrictions: Not supported for clustered devices.
See: Configure Path Monitoring Settings
Policy-based routing with 7.4.0 7.4.0 You can now classify the network traffic based on users and user groups, and
user identity and SGTs. SGTs in PBR policies. You can select the identity and SGT objects while
defining the extended ACLs for the PBR policies.
New/modified screens: Objects > Object Management > Access List >
Extended > Add/Edit Extended Access List > Add/Edit Extended Access List
Entry > Users and Security Group Tag
See: Configure Extended ACL Objects
VPN
IPsec flow offload on the 7.4.0 7.4.0 On the Secure Firewall 4200, qualifying IPsec connections through the VTI
VTI loopback interface loopback interface are offloaded by default. Previously, this feature was
for the Secure Firewall supported for physical interfaces on the Secure Firewall 3100.
4200.
You can change the configuration using FlexConfig and the flow-offload-ipsec
command.
Other requirements: FPGA firmware 6.2+
See: IPsec Flow Offload
Crypto debugging 7.4.0 7.4.0 We made the following enhancements to crypto debugging:
enhancements for the
• The crypto archive is now available in text and binary formats.
Secure Firewall 4200.
• Additional SSL counters are available for debugging.
• Remove stuck encrypt rules from the ASP table without rebooting the
device.
New/modified CLI commands: show counters
See: Troubleshooting Using Crypto Archives
VPN: Remote Access
Cisco Secure Firewall Management Center New Features by Release
23
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Customize Secure Client 7.4.0 7.1.0 You can now customize Secure Client and deploy these customizations to the
messages, icons, images, VPN headend. The following are the supported Secure Client customizations:
and connect/disconnect
• GUI text and messages
scripts.
• Icons and images
• Scripts
• Binaries
• Customized Installer Transforms
• Localized Installer Transforms
Threat defense distributes these customizations to the endpoint when an end
user connects from the Secure Client.
New/modified screens:
• Objects > Object Management > VPN > Secure Client Customization
• Devices > Remote Access > Edit VPN policy > Advanced > Secure
Client Customization
See: Customize Cisco Secure Client
VPN: Site to Site
Easily view IKE and 7.4.0 Any You can view the IKE and IPsec session details of VPN nodes in a user-friendly
IPsec session details for format in the Site-to-Site VPN dashboard.
VPN nodes.
New/modified screens: Overview > Site to Site VPN > Under the Tunnel
Status widget, hover over a topology, click View, and then click the CLI Details
tab.
See: Monitoring the Site-to-Site VPNs
Site-to-site VPN 7.4.0 7.4.0 with Connection events now contain three new fields: Encrypt Peer, Decrypt Peer,
information in connection Snort 3 and VPN Action. For policy-based and route-based site-to-site VPN traffic,
events. these fields indicate whether a connection was encrypted or decrypted (or both,
for transiting connections), and who by.
New/modified screens: Analysis > Connections > Events > Table View of
Events
See: Site to Site VPN Connection Event Monitoring
Cisco Secure Firewall Management Center New Features by Release
24
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Easily exempt site-to-site 7.4.0 Any We now make it easier to exempt site-to-site VPN traffic from NAT translation.
VPN traffic from NAT
New/modified screens:
translation.
• Enable NAT exemptions for an endpoint: Devices > VPN > Site To Site >
Add/Edit Site to Site VPN > Add/Edit Endpoint > Exempt VPN traffic
from network address translation
• View NAT exempt rules for devices that do not have a NAT policy:
Devices > NAT > NAT Exemptions
• View NAT exempt rules for a single device: Devices > NAT > Threat
Defense NAT Policy > NAT Exemptions
See: NAT Exemption
Routing
Configure graceful restart 7.4.0 7.3.0 You can now configure BGP graceful restart for IPv6 networks on managed
for BGP on IPv6 devices version 7.3 and later.
networks.
New/modified screens: Devices > Device Management > Edit device >
Routing > BGP > IPv6 > Neighbor > Add/Edit Neighbor.
See: Configure BGP Neighbor Settings
Virtual routing with 7.4.0 7.4.0 You can now configure a virtual router with a dynamic VTI for a route-based
dynamic VTI. site-to-site VPN.
New/modified screens: Devices > Device Management > Edit Device >
Routing > Virtual Router Properties > Dynamic VTI interfaces under
Available Interfaces
Platform restrictions: Supported only on native mode standalone or high
availability devices. Not supported for container instances or clustered devices.
See: About Virtual Routers and Dynamic VTI
Access Control: Threat Detection and Application Identification
Cisco Secure Firewall Management Center New Features by Release
25
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Clientless zero-trust 7.4.0 7.4.0 with We introduced Zero Trust Access that allows you to authenticate and authorize
access. Snort 3 access to protected web based resources, applications, or data from inside
(on-premises) or outside (remote) the network using an external SAML Identity
Provider (IdP) policy.
The configuration consists of a Zero Trust Application Policy (ZTAP),
Application Group, and Applications.
New/modified screens:
• Policies > Zero Trust Application
• Analysis > Connections > Events
• Overview > Dashboard > Zero Trust
New/modified CLI commands:
• show running-config zero-trust application
• show running-config zero-trust application-group
• show zero-trust sessions
• show zero-trust statistics
• show cluster zero-trust statistics
• clear zero-trust sessions application
• clear zero-trust sessions user
• clear zero-trust statistics
See: Zero Trust Access
Encrypted visibility 7.4.0 7.4.0 with Encrypted Visibility Engine (EVE) can now:
engine enhancements. Snort 3
• Block malicious communications in encrypted traffic based on threat
score.
• Determine client applications based on EVE-detected processes.
• Reassemble fragmented Client Hello packets for detection purposes.
New/modified screens: Use the access control policy's advanced settings to
enable EVE and configure these settings.
See: Encrypted Visibility Engine
Cisco Secure Firewall Management Center New Features by Release
26
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Exempt specific networks 7.4.0 7.4.0 with You can now exempt specific networks and ports from bypassing or throttling
and ports from bypassing Snort 3 elephant flows.
or throttling elephant
New/modified screens:
flows.
• When you configure elephant flow detection in the access control policy's
advanced settings, if you enable the Elephant Flow Remediation option,
you can now click Add Rule and specify traffic that you want to exempt
from bypass or throttling.
• When the system detects an elephant flow that is exempted from bypass
or throttling, it generates a mid-flow connection event with the reason
Elephant Flow Exempted.
Platform restrictions: Not supported on the Firepower 2100 series.
See: Elephant Flow Detection
First-packet application 7.4.0 7.4.0 with A new Lua detector API is now introduced, which maps the IP address, port,
identification using Snort 3 and protocol on the very first packet of a TCP session to application protocol
custom application (service AppID), client application (client AppID), and web application (payload
detectors. AppID). This new Lua API addHostFirstPktApp is used for performance
improvements, reinspection, and early detection of attacks in the traffic. To
use this feature, you must upload the Lua detector by specifying the detection
criteria in advanced detectors in your custom application detector.
See: Custom Application Detectors
Sensitive data detection 7.4.0 7.4.0 with Upgrade impact. New rules in default policies take effect.
and masking. Snort 3
Sensitive data such as social security numbers, credit card numbers, emails,
and so on may be leaked onto the internet, intentionally or accidentally.
Sensitive data detection is used to detect and generate events on possible
sensitive data leakage and generates events only if there is a transfer of
significant amount of Personally Identifiable Information (PII) data. Sensitive
data detection can mask PII in the output of events, using built-in patterns.
Disabling data masking is not supported.
See: Custom Rules in Snort 3
Improved JavaScript 7.4.0 7.4.0 with We improved JavaScript inspection, which is done by normalizing the
inspection. Snort 3 JavaScript and matching rules against the normalized content.
See: HTTP Inspect Inspector and Cisco Secure Firewall Management Center
Snort 3 Configuration Guide
Cisco Secure Firewall Management Center New Features by Release
27
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
MITRE information in 7.4.0 7.4.0 The system now includes MITRE information (from local malware analysis)
file and malware events. in file and malware events. Previously, this information was only available for
intrusion events. You can view MITRE information in both the classic and
unified events views. Note that the MITRE column is hidden by default in both
event views.
See: Local Malware Analysis and File and Malware Event Fields
Smaller VDB for lower 6.4.0.17 Any with Upgrade impact. Application identification on lower memory devices is
memory Snort 2 devices. Snort 2 affected.
7.0.6
For VDB 363+, the system now installs a smaller VDB (also called VDB lite)
7.2.4
on lower memory devices running Snort 2. This smaller VDB contains the
7.3.1.1 same applications, but fewer detection patterns. Devices using the smaller VDB
can miss some application identification versus devices using the full VDB.
7.4.0
Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X,
5516-X, 5525-X, 5545-X
Version restrictions: The ability to install a smaller VDB depends on the version
of the management center, not managed devices. If you upgrade the management
center from a supported version to an unsupported version, you cannot install
VDB 363+ if your deployment includes even one lower memory device. For
a list of affected releases, see CSCwd88641.
See: Update the Vulnerability Database
Access Control: Identity
Cisco Secure Dynamic 7.4.0 Any You can now configure the Cisco Secure Dynamic Attributes Connector on
Attributes Connector on the management center. Previously, it was only available as a standalone
the management center. application.
See: Cisco Secure Dynamic Attributes Connector
Microsoft Azure AD as a 7.4.0 7.4.0 You can use a Microsoft Azure Active Directory (Azure AD) realm with ISE
user identity source. to authenticate users and get user sessions for user control.
New/modified screens:
• Integration > Other Integrations > Realms > Add Realm > Azure AD
• Integration > Other Integrations > Realms > Actions, such as
downloading users, copying, editing, and deleting
Supported ISE versions: 3.0 patch 5+, 3.1 (any patch level), 3.2 (any patch
level)
See: Create a Microsoft Azure Active Directory Realm
Event Logging and Analysis
Cisco Secure Firewall Management Center New Features by Release
28
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Configure threat defense 7.4.0 Any Upgrade impact. Redo FlexConfigs after upgrade.
devices as NetFlow
NetFlow is a Cisco application that provides statistics on packets flows. You
exporters from the
can now use the management center web interface to configure threat defense
management center web
devices as NetFlow exporters. If you have an existing NetFlow FlexConfig
interface.
and redo your configurations in the web interface, you cannot deploy until you
remove the deprecated FlexConfigs.
New/modified screens: Devices > Platform Settings > Threat Defense Settings
Policy > NetFlow
See: Configure NetFlow
More information about 7.4.0 7.4.0 Serviceability improvements to the event reporting and decryption rule
"unknown" SSL actions matching.
in logged encrypted
• New SSL Status to indicate if the SSL handshake is not complete for an
connections.
encrypted connection. The SSL Status column of the connection event
displays “Unknown (Incomplete Handshake)” when the SSL handshake
of the logged connection is not complete.
• Subject Alternative Names (SANs) for certificates are now used when
matching Certificate Authority (CA) names for improved decryption rule
matching.
New/modified screens:
• Analysis > Connections > Events > SSL Status
• Analysis > Connections > Security-Related Events > SSL Status
See: Connection and Security-Related Connection Event Fields.
Health Monitoring
Stream telemetry to an 7.4.0 7.4.0 You can now send metrics and health monitoring information from your threat
external server using defense devices to an external server (gNMI collector) using OpenConfig. You
OpenConfig. can configure either threat defense or the collector to initiate the connection,
which is encrypted by TLS.
New/modified screens: System ( ) > Health > Policy > Firewall Threat
Defense Policies > Settings > OpenConfig Streaming Telemetry
See: Send Vendor-Neutral Telemetry Streams Using OpenConfig
New asp drop metrics. 7.4.0 7.4.0 You can add over 600 new asp (accelerated security path) drop metrics to a
new or existing device health dashboard. Make sure you choose the ASP Drops
metric group.
New/modified screens: System ( ) > Health > Monitor > Device
See: show asp drop Command Usage
Cisco Secure Firewall Management Center New Features by Release
29
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Administration
Send detailed 7.4.0 Any You can stream configuration changes as part of audit log data to syslog by
management center audit specifying the configuration data format and the hosts. The management center
logs to syslog. supports backup and restore of the audit configuration log.
New/modified screens: System ( ) > Configuration > Audit Log > Send
Configuration Changes
See: Stream Audit Logs to Syslog
Granular permissions for 7.4.0 Any You can define custom user roles to differentiate between the intrusion
modifying access control configuration in access control policies and rules and the rest of the access
policies and rules. control policy and rules. Using these permissions, you can separate the
responsibilities of your network administration team and your intrusion
administration teams.
When defining user roles, you can select the Policies > Access Control >
Access Control Policy > Modify Access Control Policy > Modify Threat
Configuration option to allow the selection of intrusion policy, variable set,
and file policy in a rule, the configuration of the advanced options for Network
Analysis and Intrusion Policies, the configuration of the Security Intelligence
policy for the access control policy, and intrusion actions in the policy default
action. You can use the Modify Remaining Access Control Policy
Configuration to control the ability to edit all other aspects of the policy. The
existing pre-defined user roles that included the Modify Access Control Policy
permission continue to support all sub-permissions; you need to create your
own custom roles if you want to apply granular permissions.
See: Create Custom User Roles
Support for IPv6 URLs 7.4.0 7.4.0 Previously, threat defense supported only IPv4 OCSP URLs. Now, threat
when checking certificate defense supports both IPv4 and IPv6 OCSP URLs.
revocation.
See: Requiring Valid HTTPS Client Certificates and Certificate Enrollment
Object Revocation Options
Default NTP server 7.4.0 Any The default NTP server for new management center deployments changed from
updated. sourcefire.pool.ntp.org to time.cisco.com. We recommend you use the
management center to serve time to its own devices. You can update the
management center's NTP server on System ( ) > Configuration > Time
Synchronization.
See: Internet Access Requirements
Usability, Performance, and Troubleshooting
Cisco Secure Firewall Management Center New Features by Release
30
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Usability enhancements. 7.4.0 Any You can now:
• Manage Smart Licensing for threat defense clusters from System ( ) >
Smart Licenses. Previously, you had to use the Device Management page.
See: Licensing for Device Clusters
• Download a report of Message Center notifications. In the Message Center,
click the new Download Report icon, next to the Show Notifications
slider.
See: Managing System Messages
• Download a report of all registered devices. On Devices > Device
Management, click the new Download Device List Report link, at the
top right of the page.
See: Download the Managed Device List
• Clone network and port objects. In the object manager (Objects > Object
Management), click the new Clone icon next to a port or network object.
You can then change the new object's properties and save it using a new
name.
See: Creating Network Objects and Creating Port Objects
• Easily create custom health monitoring dashboards, and easily edit existing
dashboards.
See: Correlating Device Metrics
Specify the direction of 7.4.0 7.4.0 On the Secure Firewall 4200, you can use a new direction keyword with the
traffic to be captured with capture command.
packet capture for the
New/modified CLI commands:
Secure Firewall 4200.
capturecapture_nameswitchinterfaceinterface_name[direction{both|egress|ingress}
]
See: Cisco Secure Firewall Threat Defense Command Reference
Snort 3 restarts when it 7.4.0 7.4.0 with To improve continuity of operations, an unresponsive Snort can now trigger
becomes unresponsive, Snort 3 high availability failover. This happens because Snort 3 now restarts if the
which can trigger HA process becomes unresponsive. Restarting the Snort process briefly interrupts
failover. traffic flow and inspection on the device, and in high availability deployments
can trigger failover. (In a standalone deployment, interface configurations
determine whether traffic drops or passes without inspection during the
interruption.)
This feature is enabled by default. You can use the CLI to disable it, or configure
the time or number of unresponsive threads before Snort restarts.
New/modified CLI commands: configure snort3-watchdog
See: Cisco Secure Firewall Threat Defense Command Reference
Cisco Secure Firewall Management Center New Features by Release
31
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Cisco Success Network 7.4.0 Any For telemetry changes, see Cisco Success Network Telemetry Data Collected
telemetry. from Cisco Secure Firewall Management Center, Version 7.4.x.
Management Center REST API
Management center 7.4.0 Any For information on changes to the management center REST API, see What's
REST API. New in Version 7.4 in the API quick start guide.
Deprecated Features
Cisco Secure Firewall Management Center New Features by Release
32
New Features by Release
Management Center Features in Version 7.4.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Temporarily deprecated 7.4.0 Any Although upgrading to Version 7.4.0 is supported, the upgrade will remove
features. critical features, fixes, and enhancements that may be included in your current
version. Instead, upgrade to Version 7.4.1+.
From Version 7.2.5–7.2.x, upgrading removes:
• Management center detects interface sync errors. Upgrade impact.
From Version 7.2.6–7.2.x, upgrading removes:
• Updated web analytics provider. Upgrade impact.
• Configure DHCP relay trusted interfaces from the management center
web interface. Upgrade impact.
• Create network groups while editing NAT rules.
• Single backup file for high availability management centers.
• Open the packet tracer from the unified event viewer.
• Health alerts for excessive disk space used by deployment history
(rollback) files. Upgrade impact.
• Health alerts for NTP sync issues. Upgrade impact.
• View and generate reports on configuration changes since your last
deployment.
• Set the number of deployment history files to retain for device rollback.
• Improved upgrade starting page and package management.
• Enable revert from the threat defense upgrade wizard.
• View detailed upgrade status from the threat defense upgrade wizard.
• Suggested release notifications.
• New upgrade wizard for the management center.
• Hotfix high availability management centers without pausing
synchronization.
• Updated internet access requirements for direct-downloading software
upgrades. Upgrade impact.
• Scheduled tasks download patches and VDB updates only. Upgrade impact.
• Enable/disable access control object optimization.
• Cluster control link ping tool.
• Set the frequency of Snort 3 core dumps.
• Capture dropped packets with the Secure Firewall 3100/4200.
Cisco Secure Firewall Management Center New Features by Release
33
New Features by Release
Management Center Features in Version 7.3.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Deprecated: NetFlow 7.4.0 Any You can now configure threat defense devices as NetFlow exporters from the
with FlexConfig. management center web interface. If you do this, you cannot deploy until you
remove any deprecated FlexConfigs.
See: Configure NetFlow
Management Center Features in Version 7.3.1
Table 3: Management Center Features in Version 7.3.1.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Smaller VDB for lower 6.4.0.17 Any with Upgrade impact. Application identification on lower memory devices is
memory Snort 2 devices. Snort 2 affected.
7.0.6
For VDB 363+, the system now installs a smaller VDB (also called VDB lite)
7.2.4
on lower memory devices running Snort 2. This smaller VDB contains the
7.3.1.1 same applications, but fewer detection patterns. Devices using the smaller VDB
can miss some application identification versus devices using the full VDB.
7.4.0
Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X,
5516-X, 5525-X, 5545-X
Version restrictions: The ability to install a smaller VDB depends on the version
of the management center, not managed devices. If you upgrade the management
center from a supported version to an unsupported version, you cannot install
VDB 363+ if your deployment includes even one lower memory device. For
a list of affected releases, see CSCwd88641.
See: Update the Vulnerability Database
Table 4: Management Center Features in Version 7.3.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Secure Firewall 7.3.1 7.3.1 We introduced the Secure Firewall 3105.
3105.
Cisco Secure Firewall Management Center New Features by Release
34
New Features by Release
Management Center Features in Version 7.3.0
Management Center Features in Version 7.3.0
Table 5: Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Platform
Management center 7.3.0 Any We introduced the FMCv300 for KVM. The FMCv300 can manage up to 300
virtual 300 for KVM. devices. High availability is supported.
Network modules for the 7.3.0 7.3.0 We introduced these network modules for the Firepower 4100:
Firepower 4100.
• 2-port 100G network module (FPR4K-NM-2X100G)
Supported platforms: Firepower 4112, 4115, 4125, 4145
ISA 3000 System LED 7.3.0 7.0.5 Support returns for this feature. When you shut down the ISA 3000, the System
support for shutting LED turns off. Wait at least 10 seconds after that before you remove power
7.3.0
down. from the device. This feature was introduced in Version 7.0.5 but was
temporarily deprecated in Version 7.1–7.2.
Cisco Secure Firewall Management Center New Features by Release
35
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
New compute shapes for 7.3.0 7.3.0 Threat defense virtual for OCI adds support for the following compute shapes:
threat defense virtual and
• Intel VM.DenseIO2.8
management center
virtual for OCI. • Intel VM.StandardB1.4
• Intel VM.StandardB1.8
• Intel VM.Standard1.4
• Intel VM.Standard1.8
• Intel VM.Standard3.Flex
• Intel VM.Optimized3.Flex
• AMD VM.Standard.E4.Flex
Management center virtual for OCI adds support for the following compute
shapes:
• Intel VM.StandardB1.4
• Intel VM.Standard3.Flex
• Intel VM.Optimized3.Flex
• AMD VM.Standard.E4.Flex
Note that the VM.Standard2.4 and VM.Standard2.8 compute shapes reached
end of orderability in February 2022. If you are deploying Version 7.3+, we
recommend one of the above compute shapes.
For information on compatible compute shapes, see the Cisco Secure Firewall
Threat Defense Virtual Getting Started Guide.
Interfaces
IPv6 support for virtual 7.3.0 7.3.0 Threat defense virtual and management center virtual now support IPv6 in the
appliances. following environments:
• AWS
• Azure
• OCI
• KVM
• VMware
For more information, see Cisco Secure Firewall Threat Defense Virtual Getting
Started Guide and Cisco Secure Firewall Management Center Virtual Getting
Started Guide.
Cisco Secure Firewall Management Center New Features by Release
36
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Loopback interface 7.3.0 7.3.0 You can now configure a loopback interface for redundancy of static and
support for VTIs. dynamic VTI VPN tunnels. A loopback interface is a software interface that
emulates a physical interface. It is reachable through multiple physical interfaces
with IPv4 and IPv6 addresses.
New/modified screens: Devices > Device Management > Device >
Interfaces > Add Interfaces > Add Loopback Interface
For more information, see Configure Loopback Interfaces in the device
configuration guide.
Redundant manager 7.3.0 7.3.0 When you use a data interface for manager access, you can configure a
access data interface. secondary data interface to take over management functions if the primary
interface goes down. The device uses SLA monitoring to track the viability of
the static routes and an ECMP zone that contains both interfaces so management
traffic can use both interfaces.
New/modified screens:
• Devices > Device Management > Device > Management
• Devices > Device Management > Device > Interfaces > Manager Access
For more information, see Configure a Redundant Manager Access Data
Interface in the device configuration guide.
Cisco Secure Firewall Management Center New Features by Release
37
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
IPv6 DHCP. 7.3.0 7.3.0 We now support the following features for IPv6 addressing:
• DHCPv6 Address client: Threat defense obtains an IPv6 global address
and optional default route from the DHCPv6 server.
• DHCPv6 Prefix Delegation client: Threat defense obtains delegated
prefix(es) from a DHCPv6 server. It can then use these prefixes to
configure other threat defense interface addresses so that StateLess Address
Auto Configuration (SLAAC) clients can autoconfigure IPv6 addresses
on the same network.
• BGP router advertisement for delegated prefixes.
• DHCPv6 stateless server: Threat defense provides other information such
as the domain name to SLAAC clients when they send Information Request
(IR) packets to threat defense. Threat defense only accepts IR packets and
does not assign addresses to the clients.
New/modified screens:
• Devices > Device Management > Device > Interfaces > Interface >
IPv6 > DHCP
• Objects > Object Management > DHCP IPv6 Pool
New/modified CLI commands: show bgp ipv6 unicast, show ipv6 dhcp, show
ipv6 general-prefix
For more information, see Configure the IPv6 Prefix Delegation Client, BGP,
and Configure the DHCPv6 Stateless Server in the device configuration guide.
Paired proxy VXLAN for 7.3.0 7.3.0 You can configure a paired proxy mode VXLAN interface for threat defense
the threat defense virtual virtual for Azure for use with the Azure Gateway Load Balancer. The device
for the Azure Gateway defines an external interface and an internal interface on a single NIC by
Load Balancer. utilizing VXLAN segments in a paired proxy.
New/modified screens: Devices > Device Management > Device >
Interfaces > Add Interfaces > VNI Interface
For more information, see Configure VXLAN Interfaces in the device
configuration guide.
High Availability/Scalability
Cisco Secure Firewall Management Center New Features by Release
38
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
High availability for 7.3.0 Any We now support high availability for management center virtual for KVM.
management center
In a threat defense deployment, you need two identically licensed management
virtual for KVM.
centers, as well as one threat defense entitlement for each managed device. For
example, to manage 10 devices with an FMCv10 high availability pair, you
need two FMCv10 entitlements and 10 threat defense entitlements. If you are
managing Classic devices only (NGIPSv or ASA FirePOWER), you do not
need FMCv entitlements.
Platform restrictions: Not supported with FMCv2
For more information, see the Cisco Secure Firewall Management Center
Virtual Getting Started Guide, as well as High Availability in the administration
guide.
Clustering for threat 7.3.0 7.3.0 You can now configure clustering for up to 16 nodes with threat defense virtual
defense virtual for Azure. for Azure.
New/modified screens: Devices > Device Management
For more information, see Clustering for Threat Defense Virtual in a Public
Cloud in the device configuration guide.
Autoscale for threat 7.3.0 7.3.0 We now support autoscale for threat defense virtual for Azure Gateway Load
defense virtual for Azure Balancers. For more information, see the Cisco Secure Firewall Threat Defense
Gateway Load Balancers. Virtual Getting Started Guide.
Back up and restore 7.3.0 Any You can now use the management center to back up device clusters, except in
device clusters. the public cloud (threat defense virtual for AWS). To restore, use the device
CLI.
New/modified screens: System > Tools > Backup/Restore > Managed Device
Backup
New/modified commands: restore remote-manager-backup
For more information, see Backup/Restore in the administration guide.
Remote Access VPN
Cisco Secure Firewall Management Center New Features by Release
39
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
RA VPN dashboard. 7.3.0 Any We introduced a remote access VPN (RA VPN) dashboard that allows you to
monitor real-time data from active RA VPN sessions on the devices. So that
you can quickly determine problems related to user sessions and mitigate the
problems for your network and users, the dashboard provides:
• Visualization of active user sessions based on their location.
• Detailed information about the active user sessions.
• Mitigation of user session problems by terminating sessions, if required.
• Distribution of active user sessions per device, encryption type, Secure
Client version, operating system, and connection profile.
• Device identity certificate expiration details of the devices.
New/modified screens: Overview > Dashboards > Remote Access VPN
For more information, see Dashboards in the administration guide.
Encrypt RA VPN 7.3.0 7.3.0 You can now use TLS 1.3 to encrypt RA VPN connections with the following
connections with TLS ciphers:
1.3.
• TLS_AES_128_GCM_SHA256
• TLS_CHACHA20_POLY1305_SHA256
• TLS_AES_256_GCM_SHA384
Use the threat defense platform settings to set the TLS version: Devices >
Platform Settings > Add/Edit Threat Defense Settings Policy > SSL > TLS
Version.
This feature requires Cisco Secure Client, Release 5 (formerly known as the
AnyConnect Secure Mobility Client).
For more information, see Configure SSL Settings in the device configuration
guide.
Site to Site VPN
Packet tracer in the 7.3.0 Any We added packet tracer capabilities to the site-to-site VPN dashboard, to help
site-to-site VPN you troubleshoot VPN tunnels between devices.
dashboard.
Open the dashboard by choosing Overview > Dashboards > Site to Site VPN.
Then, click View ( ) next to the tunnel you want to investigate, and Packet
Tracer in the side pane that appears.
For more information, see Monitoring the Site-to-Site VPNs in the device
configuration guide.
Cisco Secure Firewall Management Center New Features by Release
40
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Support for dynamic 7.3.0 7.3.0 We now support dynamic virtual tunnel interfaces (VTI) when you configure
VTIs with site-to-site a route-based site-to-site VPN in a hub and spoke topology. Previously, you
VPN. could use only a static VTI.
This makes it easier to configure large hub and spoke deployments. A single
dynamic VTI can replace several static VTI configurations on the hub. And,
you can add new spokes to a hub without changing the hub configuration.
New/modified screens: We updated the options when configuring hub-node
endpoints for a route-based hub-and-spoke site-to-site VPN topology.
For more information, see Configure Endpoints for a Hub and Spoke Topology
in the device configuration guide.
Improved Umbrella SIG 7.3.0 7.3.0 You can now easily deploy IPsec IKEv2 tunnels between a threat defense
integration. device and the Umbrella Secure Internet Gateway (SIG), which allows you to
forward all internet-bound traffic to Umbrella for inspection and filtering.
To configure and deploy these tunnels, create a SASE topology, a new type of
static VTI-based site-to-site VPN topology: Devices > VPN > Site To Site >
SASE Topology.
For more information, see Deploy a SASE Tunnel on Umbrella in the device
configuration guide.
Routing
Configure BFD for BGP 7.3.0 Any Upgrade impact.
from the management
You can now use the management center web interface to configure
center web interface.
bidirectional forwarding detection (BFD) for BGP. Note that you can only
enable BFD on interfaces belonging to virtual routers. If you have an existing
BFD FlexConfig and redo your configurations in the web interface, you cannot
deploy until you remove the deprecated FlexConfigs.
New/modified screens:
• Devices > Device Management > Device > Routing > BFD
• Objects > Object Management > BFD Template
• When configuring BGP neighbor settings, we replaced the BFD Failover
check box with a menu where you choose the BFD type: single hop, multi
hop, auto detect, or none (disabled). For upgraded management centers,
auto-detect hop is selected if the old BFD Failover option was enabled
and none is selected if the old option was disabled.
For more information, see Bidirectional Forwarding Detection Routing in the
device configuration guide.
Cisco Secure Firewall Management Center New Features by Release
41
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Support for IPv4 and 7.3.0 7.3.0 We now support IPv4 and IPv6 OSPF routing for VTI interfaces.
IPv6 OSPF routing for
New/modified pages: You can add VTI interfaces to an OSPF routing process
VTIs.
on Devices > Device Management > Device > Routing > OSPF/OSFPv3.
For more information, see OSPF and Additional Configurations for VTI in the
device configuration guide.
Support for IPv4 EIGRP 7.3.0 7.3.0 We now support IPv4 EIGRP routing for VTI interfaces.
routing for VTIs.
New/modified screens: You can define a VTI as the static neighbor for an
EIGRP routing process, configure a VTI's interface-specific EIGRP routing
properties. and advertise a VTI's summary address on Devices > Device
Management > Device > Routing > EIGRP.
For more information, see EIGRP and Additional Configurations for VTI in
the device configuration guide.
More network service 7.3.0 7.3.0 You can now configure up to 1024 network service groups (application groups
groups for policy-based in an extended ACL for use in policy-based routing). Previously, the limit was
routing. 256.
Support for multiple 7.3.0 7.1 You can now configure multiple next-hops while configuring policy-based
next-hops while routing forwarding actions. When traffic matches the criteria for the route, the
configuring policy-based system attempts to forward traffic to the IP addresses in the order you specify,
routing forwarding until it succeeds.
actions.
New/modified screens: We added several options when you select IP Address
from the Send To menu on Devices > Device Management > Device >
Routing > Policy Based Routing > Add Policy Based Route > Add Match
Criteria and Egress Interface.
For more information, see Configure Policy-Based Routing Policy in the device
configuration guide.
Upgrade
Choose and 7.3..x only Any You can now choose which threat defense upgrade packages you want to direct
direct-download upgrade download to the management center. Use the new Download Updates sub-tab
packages to the on > Updates > Product Updates.
management center from
Other version restrictions: this feature is replaced by an improved package
Cisco.
management system in Version 7.2.6/7.4.1.
See: Download Upgrade Packages with the Management Center
Cisco Secure Firewall Management Center New Features by Release
42
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Upload upgrade packages 7.3.x only Any You now use the wizard to upload threat defense upgrade packages or specify
to the management center their location. Previously (depending on version), you used System ( ) >
from the threat defense
Updates or System ( ) > Product Upgrades.
wizard.
Other version restrictions: this feature is replaced by an improved package
management system in Version 7.2.6/7.4.1.
See: Upgrade Threat Defense
Auto-upgrade to Snort 3 7.3.0 Any Upgrade impact.
after successful threat
When you upgrade threat defense to Version 7.3+, you can no longer disable
defense upgrade is no
the Upgrade Snort 2 to Snort 3 option.
longer optional.
After the software upgrade, all eligible devices will upgrade from Snort 2 to
Snort 3 when you deploy configurations. Although you can switch individual
devices back, Snort 2 will be deprecated in a future release and we strongly
recommend you stop using it now.
For devices that are ineligible for auto-upgrade because they use custom
intrusion or network analysis policies, we strongly recommend you manually
upgrade to Snort 3 for improved detection and performance. For migration
assistance, see the Cisco Secure Firewall Management Center Snort 3
Configuration Guide for your version.
Cisco Secure Firewall Management Center New Features by Release
43
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Combined upgrade and 7.3.0 7.3.0 Reimage Impact.
install package for Secure
In Version 7.3, we combined the threat defense install and upgrade package
Firewall 3100.
for the Secure Firewall 3100, as follows:
• Version 7.1–7.2 install package: cisco-ftd-fp3k.version.SPA
• Version 7.1–7.2 upgrade package:
Cisco_FTD_SSP_FP3K_Upgrade-version-build.sh.REL.tar
• Version 7.3+ combined package:
Cisco_FTD_SSP_FP3K_Upgrade-version-build.sh.REL.tar
Although you can upgrade threat defense without issue, you cannot reimage
from older threat defense and ASA versions directly to threat defense Version
7.3+. This is due to a ROMMON update required by the new image type. To
reimage from those older versions, you must "go through" ASA 9.19+, which
is supported with the old ROMMON but also updates to the new ROMMON.
There is no separate ROMMON updater.
To get to threat defense Version 7.3+, your options are:
• Upgrade from threat defense Version 7.1 or 7.2 — use the normal upgrade
process.
See the appropriate Upgrade Guide.
• Reimage from threat defense Version 7.1 or 7.2 — reimage to ASA 9.19+
first, then reimage to threat defense Version 7.3+.
See Threat Defense→ASA: Firepower 1000, 2100; Secure Firewall 3100
and then ASA→Threat Defense: Firepower 1000, 2100 Appliance Mode;
Secure Firewall 3100 in the Cisco Secure Firewall ASA and Secure
Firewall Threat Defense Reimage Guide.
• Reimage from ASA 9.17 or 9.18 — upgrade to ASA 9.19+ first, then
reimage to threat defense Version 7.3+.
See the Cisco Secure Firewall ASA Upgrade Guide and then ASA→Threat
Defense: Firepower 1000, 2100 Appliance Mode; Secure Firewall 3100
in the Cisco Secure Firewall ASA and Secure Firewall Threat Defense
Reimage Guide.
• Reimage from threat defense Version 7.3+ — use the normal reimage
process.
See Reimage the System with a New Software Version in the Cisco FXOS
Troubleshooting Guide for the Firepower 1000/2100 and Secure Firewall
3100/4200 with Firepower Threat Defense.
Access Control and Threat Detection
Cisco Secure Firewall Management Center New Features by Release
44
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
SSL policy renamed to 7.3.0 Any We renamed the SSL policy to the decryption policy. We also added a policy
decryption policy. wizard that makes it easier to create and configure decryption policies, including
creating initial rules and certificates for inbound and outbound traffic.
New/modified screens:
• Add or edit a decryption policy: Policies > Access Control > Decryption.
• Use a decryption policy: Decryption Policy Settings in an access control
policy's advanced settings.
For more information, see Decryption Policies in the device configuration
guide.
Improvements to TLS 7.3.0 7.3.0 We now support improved performance and inspection with the TLS server
server identity discovery identity discovery feature, which allows you to handle traffic encrypted with
with Snort 3 devices. TLS 1.3 with information from the server certificate. Although we recommend
you leave it enabled, you can disable this feature using the new Enable adaptive
TLS server identity probe option in the decryption policy's advanced settings.
For more information, see TLS 1.3 Decryption Best Practices in the device
configuration guide.
Cisco Secure Firewall Management Center New Features by Release
45
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
URL filtering using cloud 7.3.0 7.3.0 When you enable (or re-enable) URL filtering, the management center
lookup results only. automatically queries Cisco for URL category and reputation data and pushes
the dataset to managed devices. You now have more options on how the system
uses this dataset to filter web traffic.
To do this, we replaced the Query Cisco Cloud for Unknown URLs options
with three new options:
• Local Database Only: Uses the local URL dataset only. Use this option
if you do not want to submit your uncategorized URLs (category and
reputation not in the local dataset) to Cisco, for example, for privacy
reasons. However, note that connections to uncategorized URLs do not
match rules with category or reputation-based URL conditions. You cannot
assign categories or reputations to URLs manually.
For upgraded management centers, this option is enabled if the old Query
Cisco Cloud for Unknown URLs was disabled.
• Local Database and Cisco Cloud: Uses the local dataset when possible,
which can make web browsing faster. When users browse to an URL
whose category and reputation is not in the local dataset or a cache of
previously accessed websites, the system submits it to the cloud for threat
intelligence evaluation and adds the result to the cache.
For upgraded management centers, this option is enabled if the old Query
Cisco Cloud for Unknown URLs option was enabled.
• Cisco Cloud Only: Does not use the local dataset. When users browse to
an URL whose category and reputation is not in a local cache of previously
accessed websites, the system submits it to the cloud for threat intelligence
evaluation and adds the result to the cache. This option guarantees the
most up-to-date category and reputation information.
This option is the default on new and reimaged Version 7.3+ management
centers. Note that it also requires threat defense Version 7.3+. If you enable
this option, devices running earlier versions use the Local Database and
Cisco Cloud option.
New/modified screens: Integration > Other Integrations > Cloud Services >
URL Filtering
For more information, see URL Filtering Options in the device configuration
guide.
Detect HTTP/3 and SMB 7.3.0 7.3.0 with Snort 3 devices can now use the encrypted visibility engine (EVE) to detect
over QUIC using EVE Snort 3 HTTP/3 and SMB over QUIC. You can then create rules to handle traffic based
(Snort 3 only). on these applications.
For more information, see Encrypted Visibility Engine in the device
configuration guide.
Cisco Secure Firewall Management Center New Features by Release
46
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Generate IoC events 7.3.0 7.3.0 with Snort 3 devices can now generate indications of compromise (IoC) connection
based on unsafe client Snort 3 events based unsafe client applications detected by the encrypted visibility
applications detected by engine (EVE). These connection events have a Encrypted Visibility Threat
EVE (Snort 3 only). Confidence of Very High.
• View IoCs in the event viewer: Analysis > Hosts/Users > Indications of
Compromise
• View IoCs in the network map: Analysis > Hosts > Indications of
Compromise
• View IoC information in connection events: Analysis > Connections >
Events > Table View of Connection Events > IOC/Encrypted Visibility
columns
For more information, see Encrypted Visibility Engine in the device
configuration guide.
Improved JavaScript 7.3.0 7.3.0 with We improved JavaScript inspection, which is done by normalizing the
inspection for Snort 3 Snort 3 JavaScript and matching rules against the normalized content. The normalizer
devices. introduced in Version 7.2 now allows you to inspect within the unescape,
decodeURI, and decodeURIComponent functions: %XX, %uXXXX, \uXX,
\u{XXXX}\xXX, decimal code point, and hexadecimal code point. It also
removes plus operations from strings and concatenates them.
For more information, see HTTP Inspect Inspector in the Snort 3 Inspector
Reference, as well as the Cisco Secure Firewall Management Center Snort 3
Configuration Guide.
Nested rule groups, 7.3.0 7.0 with You can now nest rule groups in a Snort 3 intrusion policy. This allows you to
including MITRE Snort 3 view and handle traffic in a more granular fashion; for example, you might
ATT&CK, in Snort 3 group rules by vulnerability type, target system, or threat category. You can
intrusion policies. create custom nested rule groups and change the security level and rule action
per rule group.
We also group system-provided rules in a Talos-curated MITRE ATT&CK
framework, so you can act on traffic based on those categories.
New/modified screens:
• View and use rule groups: Policies > Intrusion > Edit Snort 3 Version
• View rule group information in the classic event view: Analysis >
Intrusion > Events > Table View of Intrusion Events > Rule Group
and MITRE ATT&CK columns
• View rule group information in the unified event view: Analysis > Unified
Events > Rule Group and MITRE ATT&CK columns
For more information, see the Cisco Secure Firewall Management Center Snort
3 Configuration Guide.
Cisco Secure Firewall Management Center New Features by Release
47
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Access control rule 7.3.0 Any You can now enable rule conflict analysis to help identify redundant rules and
conflict analysis. objects, and shadowed rules that cannot be matched due to previous rules in
the policy.
For more information, see Analyzing Rule Conflicts and Warnings in the device
configuration guide.
Event Logging and Analysis
NetFlow support for 7.3.0 7.3.0 with Upgrade impact.
Snort 3 devices. Snort 3
Snort 3 devices now can consume NetFlow records (IPv4 and IPv6, NetFlow
v5 and v9). Previously, only Snort 2 devices did this.
After upgrade, if you have an existing NetFlow exporter and NetFlow rule
configured in the network discovery policy, Snort 3 devices may begin
processing NetFlow records, generating NetFlow connection events, and adding
host and application protocol information to the database based on NetFlow
data.
For more information, see Network Discovery Policies in the device
configuration guide.
Integrations
New remediation module 7.3.0 Any We introduced a new Cisco ACI Endpoint remediation module. To use it, you
for integration with the must remove the old module then add and configure the new one. This new
Cisco ACI Endpoint module can:
Update App
• Quarantine endpoints in an endpoint security group (ESG) deployment.
• Allow traffic from a quarantined endpoint to a Layer 3 outside network
(L3Out) for monitoring and analysis.
• Run in audit-only mode, where it notifies you instead of quarantining.
For more information, see APIC/Secure Firewall Remediation Module 3.0 in
the device configuration guide.
Health Monitoring
Cluster health monitor 7.3.0 Any You can now use the management center web interface to edit cluster health
settings in the monitor settings. If you configured these settings with FlexConfig in a previous
management center web version, the system allows you to deploy, but also warns you to redo your
interface. configurations—the FlexConfig settings take precedence.
New/modified screens: Devices > Device Management > Edit Cluster >
Cluster Health Monitor Settings
For more information, see Edit Cluster Health Monitor Settings in the device
configuration guide.
Cisco Secure Firewall Management Center New Features by Release
48
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Improved health 7.3.0 Any We added cluster dashboards to the health monitor where you can view overall
monitoring for device cluster status, load distribution metrics, performance metrics, cluster control
clusters. link (CCL) and data throughput, and so on.
To view the dashboard for each cluster, choose System ( ) > Health >
Monitor, then click the cluster.
For more information, see Cluster Health Monitor in the administration guide.
Monitor fan speed and 7.3.0 Any We added the Hardware Statistics health module that monitors fan speed and
temperature for the temperature for the power supply on the hardware management center. The
power supply on the upgrade process automatically adds and enables this module. After upgrade,
hardware management apply the policy.
center.
To enable or disable the module and set threshold values, edit the management
center health policy on System ( ) > Health > Policy.
To view health status, create a custom health dashboard: System ( ) >
Health > Monitor > Firewall Management Center > Add/Edit. Select the
Hardware Statistics metric group, then select the metric you want.
You can also view module status on the health monitor's Home page and in
the management center's alert summary (as Hardware Alarms and Power
Supply). You can configure external alert responses and view health events
based on module status.
For more information, see Hardware Statistics on Management Center in the
administration guide.
Monitor temperature and 7.3.0 7.3.0 We added the Chassis Environment Status health module to monitor the
power supply for the temperature and power supply on a Firepower 4100/9300 chassis. The upgrade
Firepower 4100/9300. process automatically adds and enables these modules in all device health
policies. After upgrade, apply health policies to Firepower 4100/9300 chassis
to begin monitoring.
To enable or disable this module and set threshold values, edit the management
center health policy: System ( ) > Health > Policy > Device Policy.
To view health status, create a custom health dashboard: System ( ) >
Health > Monitor > Select Device > Add/Edit Dashboard > Custom
Correlation Group. Select the Hardware/Environment Status metric group,
then select the Thermal Status metric to view temperature or select any of the
Power Supply options to view power supply status.
You can also view module status on the health monitor's Home page and in
each device's alert summary. You can configure external alert responses and
view health events based on module status.
For more information, see Hardware/Environment Status Metrics in the
administration guide.
Licensing
Cisco Secure Firewall Management Center New Features by Release
49
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Changes to license names 7.3.0 Any We renamed licenses as follows:
and support for the
• Base is now Essentials
Carrier license.
• Threat is now IPS
• Malware is now Malware Defense
• RA VPN/AnyConnect License is now Cisco Secure Client
• AnyConnect Plus is now Secure Client Advantage
• AnyConnect Apex is now Secure Client Premier
• AnyConnect Apex and Plus is now Secure Client Premier and Advantage
• AnyConnect VPN Only is now Secure Client VPN Only
In addition, you can now apply the Carrier license, which allows you to
configure GTP/GPRS, Diameter, SCTP, and M3UA inspections.
New/modified screens: System ( ) > Licenses > Smart Licenses
For more information, see Licenses in the administration guide.
Administration
Migrate configurations 7.3.0 Feature You can now easily migrate these configurations from FlexConfig to web
from FlexConfig to web dependent interface management:
interface management.
• ECMP zones, supported in the Version 7.1+ web interface
• EIGRP routing, supported in the Version 7.2+ web interface
• VXLAN interfaces, supported in the Version 7.2+ web interface
After you migrate, you cannot deploy until you remove the deprecated
FlexConfigs.
New/modified screens: Devices > FlexConfig > Edit FlexConfig Policy >
Migrate Config
For more information, see Migrating FlexConfig Policies in the device
configuration guide.
Cisco Secure Firewall Management Center New Features by Release
50
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Automatic VDB 7.3.0 Any The initial setup on the management center schedules a weekly task to download
downloads. the latest available software updates, which now includes the latest vulnerability
database (VDB). We recommend you review this weekly task and adjust if
necessary. Optionally, schedule a new weekly task to actually update the VDB
and deploy configurations.
New/modified screens: The Vulnerability Database check box is now enabled
by default in the system-created Weekly Software Download scheduled task.
For more information, see Vulnerability Database Update Automation in the
administration guide.
Install any VDB. 7.3.0 Any Starting with VDB 357, you can now install any VDB as far back as the baseline
VDB for that management center.
After you update the VDB, deploy configuration changes. If you based
configurations on vulnerabilities, application detectors, or fingerprints that are
no longer available, examine those configurations to make sure you are handling
traffic as expected. Also, keep in mind a scheduled task to update the VDB can
undo a rollback. To avoid this, change the scheduled task or delete any newer
VDB packages.
New/modified screens: On System ( ) > Updates > Product Updates >
Available Updates, if you upload an older VDB, a new Rollback icon appears
instead of the Install icon.
For more information, see Update the Vulnerability Database in the
administration guide.
Usability, Performance, and Troubleshooting
Cisco Secure Firewall Management Center New Features by Release
51
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
New how-to 7.3.0 Feature We added these how-tos:
walkthroughs. dependent
• Renew a certificate using manual re-enrollment.
• Renew a certificate using Self-signed, SCEP, or EST enrollment.
• Configure LDAP attribute map for remote access VPN.
• Add SAML Single Sign-On server object.
• Collect packet capture for threat defense device.
• Collect packet trace to troubleshoot threat defense device.
• Configure Dynamic Access Policy for remote access VPN.
• Create a Dynamic Access Policy.
• Create a Dynamic Access Policy record.
• Associate Dynamic Access Policy with remote access VPN.
To launch a how-to, choose System ( ) > How-Tos.
New access control 7.3.0 Any The access control policy user interface introduced in Version 7.2 is now the
policy user interface is default interface. The upgrade switches you, but you can switch back.
now the default.
Maximum objects per 7.3.0 Any We increased the objects per match criteria in a single access control rule from
match criteria per access 50 to 200. For example, you can now use up to 200 network objects in a single
control rule is now 200. access control rule.
Filter devices by version. 7.3.0 Any You can now filter devices by version on Devices > Device Management.
Better status emails for 7.3.0 Any Email notifications for scheduled tasks are now sent when the task
scheduled tasks. completes—whether success or failure—instead of when the task begins. This
means that they can now indicate whether the task failed or succeeded. For
failures, they include the reason for the failure and remediations to fix the issue.
Performance profile for 7.3.0 7.3.0 You can adjust the percentage of system cores assigned to the data plane and
CPU core allocation on Snort to adjust system performance. The adjustment is based on your relative
the Firepower 4100/9300 use of VPN and intrusion policies. If you use both, leave the core allocation to
and threat defense virtual. the default values. If you use the system primarily for VPN (without applying
intrusion policies), or as an IPS (with no VPN configuration), you can skew
the core allocation to the data plane (for VPN) or Snort (for intrusion
inspection).
We added the Performance Profile page to the platform settings policy.
For more information, see Configure the Performance Profile in the device
configuration guide.
Cisco Secure Firewall Management Center New Features by Release
52
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Cisco Success Network 7.3.0 Any For telemetry changes, see Cisco Success Network Telemetry Data Collected
telemetry. from Cisco Secure Firewall Management Center, Version 7.3.x.
Management Center REST API
Management center 7.3.0 Feature For information on changes to the management center REST API, see What's
REST API. dependent New in 7.3 in the API quick start guide.
Deprecated Features
Cisco Secure Firewall Management Center New Features by Release
53
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Temporarily deprecated 7.3.0 Feature
features. dependent
Cisco Secure Firewall Management Center New Features by Release
54
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Although upgrading to Version 7.3 is supported, the upgrade will remove
critical features, fixes, and enhancements that may be included in your current
version. Instead, upgrade to Version 7.4.1+.
From Version 7.2.3+, upgrading removes:
• Firepower 1010E.. You cannot upgrade a Version 7.2.x Firepower 1010E
to Version 7.3, and you should not reimage there either. If you have a
Firepower 1010E device running Version 7.3, reimage to a supported
release. Do not use a Version 7.2.3 or Version 7.3.0 management center
to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version
7.3.1.1+ management center.
From Version 7.2.4+, upgrading removes:
• Access control performance improvements (object optimization). Upgrade
impact.
From Version 7.2.5+, upgrading removes:
• Management center detects interface sync errors. Upgrade impact.
From Version 7.2.6+, upgrading removes:
• Updated web analytics provider. Upgrade impact.
• Reduced "false failovers" for threat defense high availability.)
• Download only the country code geolocation package. Upgrade impact.
• Configure DHCP relay trusted interfaces from the management center
web interface. Upgrade impact.
• Create network groups while editing NAT rules.
• Single backup file for high availability management centers.
• Open the packet tracer from the unified event viewer.
• Health alerts for excessive disk space used by deployment history
(rollback) files. Upgrade impact.
• Health alerts for NTP sync issues. Upgrade impact.
• View and generate reports on configuration changes since your last
deployment.
• Set the number of deployment history files to retain for device rollback.
• Improved upgrade starting page and package management.
• Enable revert from the threat defense upgrade wizard.
• View detailed upgrade status from the threat defense upgrade wizard.
Cisco Secure Firewall Management Center New Features by Release
55
New Features by Release
Management Center Features in Version 7.3.0
Feature Minimum Minimum Details
Management Threat
Center Defense
• Suggested release notifications.
• New upgrade wizard for the management center.
• Hotfix high availability management centers without pausing
synchronization.
• Updated internet access requirements for direct-downloading software
upgrades. Upgrade impact.
• Scheduled tasks download patches and VDB updates only. Upgrade impact.
• Enable/disable access control object optimization.
• Cluster control link ping tool.
• Set the frequency of Snort 3 core dumps.
• Capture dropped packets with the Secure Firewall 3100/4200.
Support ends: Firepower — 7.3.0 You cannot run Version 7.3+ on the Firepower 4110, 4120, 4140, or 4150.
4110, 4120, 4140, 4150.
Support ends: Firepower — 7.3.0 You cannot run Version 7.3+ on the Firepower 9300 with SM-24, SM-36, or
9300: SM-24, SM-36, SM-44 modules.
SM-44 modules.
Deprecated: YouTube 7.3.0 Any You can no longer enable YouTube EDU content restriction in new or existing
EDU content restriction access control rules. Your existing YouTube EDU rules will keep working,
for Snort 2 devices. and you can edit those rules to disable YouTube EDU.
Note that this is a Snort 2 feature that is not available for Snort 3.
You should redo your configurations after upgrade.
Deprecated: Cluster 7.3.0 Any You can now edit cluster health monitor settings from the management center
health monitor settings web interface. If you do this, the system allows you to deploy but also warns
with FlexConfig. you that any existing FlexConfig settings take precedence.
You should redo your configurations after upgrade.
Deprecated: BFD for 7.3.0 Any You can now configure bidirectional forwarding detection (BFD) for BGP
BGP with FlexConfig. routing from the management center web interface. If you do this, you cannot
deploy until you remove any deprecated FlexConfigs.
You should redo your configurations after upgrade.
Deprecated: ECMP zones 7.3.0 Any You can now easily migrate EMCP zone configurations from FlexConfig to
with FlexConfig. web interface management. After you migrate, you cannot deploy until you
remove any deprecated FlexConfigs.
You should redo your configurations after upgrade.
Cisco Secure Firewall Management Center New Features by Release
56
New Features by Release
Management Center Features in Version 7.2.7
Feature Minimum Minimum Details
Management Threat
Center Defense
Deprecated: VXLAN 7.3.0 Any You can now easily migrate VXLAN interface configurations from FlexConfig
interfaces with to web interface management. After you migrate, you cannot deploy until you
FlexConfig. remove any deprecated FlexConfigs.
Management Center Features in Version 7.2.7
This release introduces stability, hardening, and performance enhancements.
Management Center Features in Version 7.2.6
Note Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If
you downloaded it, do not use it. If you are running this version, upgrade. The features listed here are also
available in Version 7.2.7.
Table 6: Management Center Features in Version 7.2.6
Feature Minimum Minimum Details
Management Threat
Center Defense
Reintroduced Features
Updated web analytics 7.0.6 Any Upgrade impact. Your browser connects to new resources.
provider.
7.2.6 While using the management center, your browser now contacts Amplitude
(amplitude.com) instead of Google (google.com) for web analytics.
7.4.1
Web analytics provides non-personally-identifiable usage data to Cisco,
including but not limited to page interactions, browser versions, product
versions, user location, and management IP addresses or hostnames of
your management centers. You are enrolled in web analytics by default
but you can change your enrollment at any time after you complete initial
setup. Note that ad blockers can block web analytics, so if you choose to
remain enrolled, please disable ad blocking for the hostnames/IP addresses
of your Cisco appliances.
Version restrictions: Amplitude analytics are not supported in management
center Version 7.0.0–7.0.5, 7.1.0–7.2.5, 7.3.x, or 7.4.0. Permanent support
returns in Version 7.4.1 If you upgrade from a supported version to an
unsupported version, your browser resumes contacting Google.
Interfaces
Cisco Secure Firewall Management Center New Features by Release
57
New Features by Release
Management Center Features in Version 7.2.6
Feature Minimum Minimum Details
Management Threat
Center Defense
Configure DHCP relay 7.2.6 Any Upgrade impact. Redo any related FlexConfigs after upgrade.
trusted interfaces from
7.4.1 You can now use the management center web interface to configure
the management center
interfaces as trusted interfaces to preserve DHCP Option 82. If you do
web interface.
this, these settings override any existing FlexConfigs, although you should
remove them.
DHCP Option 82 is used by downstream switches and routers for DHCP
snooping and IP Source Guard. Normally, if the threat defense DHCP
relay agent receives a DHCP packet with Option 82 already set, but the
giaddr field (which specifies the DHCP relay agent address that is set by
the relay agent before it forwards the packet to the server) is set to 0, then
threat defense will drop that packet by default. You can preserve Option
82 and forward the packet by identifying an interface as a trusted interface.
New/modified screens: Devices > Device Management > Add/Edit
Device > DHCP > DHCP Relay
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0. If you upgrade to an unsupported version, redo your
FlexConfigs.
See: Configure the DHCP Relay Agent
NAT
Create network groups 7.2.6 Any You can now create network groups in addition to network objects while
while editing NAT editing a NAT rule.
7.4.1
rules.
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See: Customizing NAT Rules for Multiple Devices
High Availability/Scalability
Reduced "false 7.2.6 7.2.6 Other version restrictions: Not supported with management center or threat
failovers" for threat defense Version 7.3.x.
7.4.0 7.4.0
defense high
See: Heartbeat Module Redundancy
availability.
Single backup file for 7.2.6 Any When performing a configuration-only backup of the active management
high availability center in a high availability pair, the system now creates a single backup
7.4.1
management centers. file which you can use to restore either unit.
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See: Unified Backup of Management Centers in High Availability
Event Logging & Analysis
Cisco Secure Firewall Management Center New Features by Release
58
New Features by Release
Management Center Features in Version 7.2.6
Feature Minimum Minimum Details
Management Threat
Center Defense
Open the packet tracer 7.2.6 Any You can now open the packet tracer from the unified event view
from the unified event (Analysis > Unified Events). Click the ellipsis icon (...) next to the desired
7.4.1
viewer. event and click Open in Packet Tracer.
Other version restrictions: In Version 7.2.x, use the Expand icon (>) icon
instead of the ellipsis icon. Not supported with management center Version
7.3.x or 7.4.0.
See: Working with the Unified Event Viewer
Health Monitoring
Health alerts for 7.2.6 Any Upgrade impact. Deploy management center health policy after
excessive disk space upgrade.
7.4.1
used by deployment
The Disk Usage health module now alerts if deployment history (rollback)
history (rollback) files.
files are using excessive disk space on theged management center.
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See: Disk Usage for Device Configuration History Files Health Alert
Health alerts for NTP 7.2.6 Any Upgrade impact. Deploy management center health policy after
sync issues. upgrade.
7.4.1
A new Time Server Status health module reports issues with NTP
synchronization.
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See: Time Synchronization and Health Modules
Deployment and Policy Management
Cisco Secure Firewall Management Center New Features by Release
59
New Features by Release
Management Center Features in Version 7.2.6
Feature Minimum Minimum Details
Management Threat
Center Defense
View and generate 7.2.6 Any You can generate, view, and download (as a zip file) the following reports
reports on on configuration changes since your last deployment:
7.4.1
configuration changes
• A policy changes report for each device that previews the additions,
since your last
changes, or deletions in the policy, or the objects that are to be
deployment.
deployed on the device.
• A consolidated report that categorizes each device based on the status
of policy changes report generation.
This is especially useful after you upgrade either the management center
or threat defense devices, so that you can see the changes made by the
upgrade before you deploy.
New/modified screens: Deploy > Advanced Deploy.
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See: Download Policy Changes Report for Multiple Devices
Set the number of 7.2.6 Any You can now set the number of deployment history files to retain for device
deployment history rollback, up to ten (the default). This can help you save disk space on the
7.4.1
files to retain for management center.
device rollback.
New/modified screens: Deploy > Deployment History ( ) > Deployment
Setting > Configuration Version Setting
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See: Set the Number of Configuration Versions
Upgrade
Cisco Secure Firewall Management Center New Features by Release
60
New Features by Release
Management Center Features in Version 7.2.6
Feature Minimum Minimum Details
Management Threat
Center Defense
Improved upgrade 7.2.6 Any A new upgrade page makes it easier to choose, download, manage, and
starting page and apply upgrades to your entire deployment. This includes the management
7.4.1
package management. center, threat defense devices, and any older NGIPSv/ASA FirePOWER
devices. The page lists all upgrade packages that apply to your current
deployment, with suggested releases specially marked. You can easily
choose and direct-download packages from Cisco, as well as manually
upload and delete packages.
Internet access is required to retrieve the list/direct download upgrade
packages. Otherwise, you are limited to manual management. Patches are
not listed unless you have at least one appliance at the appropriate
maintenance release (or you manually uploaded the patch). You must
manually upload hotfixes.
New/modified screens:
• System ( ) > Product Upgrades is now where you upgrade the
management center and all managed devices, as well as manage
upgrade packages.
• System ( ) > Content Updates is now where you update intrusion
rules, the VDB, and the GeoDB.
• Devices > Threat Defense Upgrade takes you directly to the threat
defense upgrade wizard.
• System ( ) > Users > User Role > Create User Role >
Menu-Based Permissions allows you to grant access to Content
Updates (VDB, GeoDB, intrusion rules) without allowing access to
Product Upgrades (system software).
Deprecated screens/options:
• System ( ) > Updates is deprecated. All threat defense upgrades
now use the wizard.
• The Add Upgrade Package button on the threat defense upgrade
wizard has been replaced by a Manage Upgrade Packages link to
the new upgrade page.
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management
Center
Cisco Secure Firewall Management Center New Features by Release
61
New Features by Release
Management Center Features in Version 7.2.6
Feature Minimum Minimum Details
Management Threat
Center Defense
Enable revert from the 7.2.6 Any, if You can now enable revert from the threat defense upgrade wizard.
threat defense upgrade upgrading to
7.4.1 Other version restrictions: You must be upgrading threat defense to Version
wizard. 7.1+
7.1+. Not supported with management center Version 7.3.x or 7.4.0.
See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management
Center
Select devices to 7.2.6 Any Use the wizard to select devices to upgrade.
upgrade from the threat
You can now use the threat defense upgrade wizard to select or refine the
defense upgrade
devices to upgrade. On the wizard, you can toggle the view between
wizard.
selected devices, remaining upgrade candidates, ineligible devices (with
reasons why), devices that need the upgrade package, and so on.
Previously, you could only use the Device Management page and the
process was much less flexible.
See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management
Center
View detailed upgrade 7.2.6 Any The final page of the threat defense upgrade wizard now allows you to
status from the threat monitor upgrade progress. This is in addition to the existing monitoring
7.4.1
defense upgrade capability on the Upgrade tab on the Device Management page, and on
wizard. the Message Center. Note that as long as you have not started a new
upgrade flow, Devices > Threat Defense Upgrade brings you back to
this final wizard page, where you can view the detailed status for the
current (or most recently complete) device upgrade.
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management
Center
Unattended threat 7.2.6 Any The threat defense upgrade wizard now supports unattended upgrades,
defense upgrades. using a new Unattended Mode menu. You just need to select the target
version and the devices you want to upgrade, specify a few upgrade
options, and step away. You can even log out or close the browser.
See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management
Center
Simultaneous threat 7.2.6 Any We now allow simultaneous upgrade workflows by different users, as
defense upgrade long as you are upgrading different devices. The system prevents you from
workflows by different upgrading devices already in someone else's workflow. Previously, only
users. one upgrade workflow was allowed at a time across all users.
See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management
Center
Cisco Secure Firewall Management Center New Features by Release
62
New Features by Release
Management Center Features in Version 7.2.6
Feature Minimum Minimum Details
Management Threat
Center Defense
Skip pre-upgrade 7.2.6 Any You can now skip the automatic generating of troubleshooting files before
troubleshoot generation major and maintenance upgrades by disabling the new Generate
for threat defense troubleshooting files before upgrade begins option. This saves time and
devices. disk space.
To manually generate troubleshooting files for a threat defense device,
choose System ( ) > Health > Monitor, click the device in the left panel,
then View System & Troubleshoot Details, then Generate
Troubleshooting Files.
See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management
Center
Suggested release 7.2.6 Any The management center now notifies you when a new suggested release
notifications. is available. If you don't want to upgrade right now, you can have the
7.4.1
system remind you later, or defer reminders until the next suggested
release. The new upgrade page also indicates suggested releases.
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See: Cisco Secure Firewall Management Center New Features by Release
New upgrade wizard 7.2.6 Any A new upgrade starting page and wizard make it easier to perform
for the management management center upgrades. After you use System ( ) > Product
7.4.1
center. Upgrades to get the appropriate upgrade package onto the management
center, click Upgrade to begin.
Other version restrictions: Only supported for management center upgrades
from Version 7.2.6+/7.4.1+. Not supported for upgrades from Version
7.3.x or 7.4.0.
To upgrade the management center to any version, see the upgrade guide
for the version your management center is currently running: : Cisco
Secure Firewall Threat Defense Upgrade Guide for Management Center.
If you are running Version 7.4.0, you can use the Version 7.3.x guide.
Hotfix high availability 7.2.6 Any Unless otherwise indicated by the hotfix release notes or Cisco TAC, you
management centers do not have to pause synchronization to install a hotfix on high availability
7.4.1
without pausing management centers.
synchronization.
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management
Center
Administration
Cisco Secure Firewall Management Center New Features by Release
63
New Features by Release
Management Center Features in Version 7.2.6
Feature Minimum Minimum Details
Management Threat
Center Defense
Updated internet access 7.2.6 Any Upgrade impact. The system connects to new resources.
requirements for
7.4.1 The management center has changed its direct-download location for
direct-downloading
software upgrade packages from sourcefire.com to amazonaws.com.
software upgrades.
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See:Internet Access Requirements
Scheduled tasks 7.2.6 Any Upgrade impact. Scheduled download tasks stop retrieving
download patches and maintenance releases.
7.4.1
VDB updates only.
The Download Latest Update scheduled task no longer downloads
maintenance releases; now it only downloads the latest applicable patches
and VDB updates. To direct-download maintenance (and major) releases
to the management center, use System ( ) > Product Upgrades.
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See: Software Update Automation
Download only the 7.2.6 Any Upgrade impact. Upgrading can delete the IP package.
country code
7.4.0 In Version 7.2.6+/7.4.0+, you can configure the system to download only
geolocation package.
the country code package of the geolocation database (GeoDB), which
maps IP addresses to countries/continents. The larger IP package with
contextual data is now optional.
IP package download is:
• Version 7.2.0–7.2.5: Always enabled.
• Version 7.2.6–7.2.x: Disabled by default, but you can enable it.
• Version 7.3.x: Always enabled.
• Version 7.4.0–7.4.1: Enabled by default, but you can disable it.
The first time you upgrade to any version where download is disabled by
default, the system disables download and deletes any existing IP package.
Without the IP package, you cannot view contextual geolocation data for
IP addresses until you manually enable the option and update the GeoDB.
New/modified screens:
• Version 7.2.6/7.4.1: System ( ) > Content Updates > Geolocation
Updates
• Version 7.4.0: System ( ) > Updates > Geolocation Updates
See : Update the Geolocation Database
Cisco Secure Firewall Management Center New Features by Release
64
New Features by Release
Management Center Features in Version 7.2.6
Feature Minimum Minimum Details
Management Threat
Center Defense
Usability, Performance, and Troubleshooting
Enable/disable access 7.2.6 Any You can now enable and disable access control object optimization from
control object the management center web interface.
7.4.1
optimization.
New/modified screens: System ( ) > Configuration > Access Control
Preferences > Object Optimization
Other version restrictions: Access control object optimization is
automatically enabled on all management centers upgraded or reimaged
to Versions 7.2.4–7.2.5 and 7.4.0, and automatically disabled on all
management centers upgraded or reimaged to Version 7.3.x. It is
configurable and enabled by default for management centers reimaged to
Version 7.2.6+/7.4.1+, but respects your current setting when you upgrade
to those releases.
Cluster control link 7.2.6 Any You can check to make sure all the cluster nodes can reach each other
ping tool. over the cluster control link by performing a ping. One major cause for
7.4.1
the failure of a node to join the cluster is an incorrect cluster control link
configuration; for example, the cluster control link MTU may be set higher
than the connecting switch MTUs.
New/modified screens: Devices > Device Management > More ( ) >
Cluster Live Status
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0.
See: Perform a Ping on the Cluster Control Link
Snort 3 restarts when it 7.2.6 7.2.6 with To improve continuity of operations, excessive memory use by Snort can
uses too much Snort 3 now trigger high availability failover. This happens because Snort 3 now
7.4.1
memory, which can restarts if the process uses too much memory. Restarting the Snort process
7.4.1 with
trigger HA failover. briefly interrupts traffic flow and inspection on the device, and in high
Snort 3
availability deployments can trigger failover. (In a standalone deployment,
interface configurations determine whether traffic drops or passes without
inspection during the interruption.)
This feature is enabled by default. You can use the CLI to disable it, or
configure the memory threshold.
Platform restrictions: Not supported with clustered devices.
New/modified CLI commands: configure snort3 memory-monitor, show
snort3 memory-monitor-status
Other version restrictions: Not supported with management center or threat
defense Version 7.3.x or 7.4.0.
See: Cisco Secure Firewall Threat Defense Command Reference
Cisco Secure Firewall Management Center New Features by Release
65
New Features by Release
Management Center Features in Version 7.2.6
Feature Minimum Minimum Details
Management Threat
Center Defense
Set the frequency of 7.2.6 7.2.6 with You can now set the frequency of Snort 3 core dumps. Instead of generating
Snort 3 core dumps. Snort 3 a core dump every time Snort crashes, you can generate one the next time
7.4.1
Snort crashes only. Or, generate one if a crash has not occurred in the last
7.4.1 with
day, or week.
Snort 3
Snort 3 core dumps are disabled by default for standalone devices. For
high availability and clustered devices, the default frequency is now once
per day instead of every time.
New/modified CLI commands: configure coredump snort3, show
coredump
Other version restrictions: Not supported with management center or threat
defense Version 7.3.x or 7.4.0.
See: Cisco Secure Firewall Threat Defense Command Reference
Capture dropped 7.2.6 7.2.6 (no Packet losses resulting from MAC address table inconsistencies can impact
packets with the Secure 4200) your debugging capabilities. The Secure Firewall 3100/4200 can now
7.4.1
Firewall 3100/4200. capture these dropped packets.
7.4.1
New/modified CLI commands: [drop{disable|mac-filter}] in the
capture command.
Other version restrictions: Not supported with management center or threat
defense Version 7.3.x or 7.4.0.
See: Cisco Secure Firewall Threat Defense Command Reference
Deprecated Features
Deprecated: DHCP 7.2.6 Any Upgrade impact. Redo any related FlexConfigs after upgrade.
relay trusted interfaces
7.4.1 You can now use the management center web interface to configure
with FlexConfig.
interfaces as trusted interfaces to preserve DHCP Option 82. If you do
this, these settings override any existing FlexConfigs, although you should
remove them.
Other version restrictions: This feature is not supported with management
center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version,
also redo your FlexConfigs.
See: Configure the DHCP Relay Agent
Cisco Secure Firewall Management Center New Features by Release
66
New Features by Release
Management Center Features in Version 7.2.5
Management Center Features in Version 7.2.5
Table 7: Management Center Features in Version 7.2.5
Feature Minimum Minimum Details
Management Threat
Center Defense
Interfaces
Management center 7.2.5 Any Upgrade impact. You may need to sync interfaces after upgrade.
detects interface sync
7.4.1 In some cases, the management center can be missing a configuration for an
errors.
interface even though the interface is correctly configured and functioning on
the device. If this happens, and your management center is running:
• Version 7.2.5: Deploy is blocked until you edit the device and sync from
the Interfaces page
• Version 7.2.6+/7.4.1+: Deploy is allowed with a warning, but you cannot
edit interface settings without syncing first.
Other version restrictions: Not supported with management center Version
7.3.x or 7.4.0. The management center will neither block deploy nor warn you
of missing configurations. You can still sync interfaces manually if you think
you are having an issue.
See: Sync Interface Changes with the Management Center
Management Center Features in Version 7.2.4
Table 8: Management Center Features in Version 7.2.4
Feature Minimum Minimum Details
Management Threat
Center Defense
Default Forward Error 7.2.4 Any When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the
Correction (FEC) on default type is now set to Clause 108 RS-FEC instead of Clause 74 FC-FEC
Secure Firewall 3100 for 25 GB+ SR, CSR, and LR transceivers.
fixed ports changed to
See: Interface Overview.
Clause 108 RS-FEC from
Clause 74 FC-FEC for 25
GB+ SR, CSR, and LR
transceivers.
Cisco Secure Firewall Management Center New Features by Release
67
New Features by Release
Management Center Features in Version 7.2.4
Feature Minimum Minimum Details
Management Threat
Center Defense
Automatically update CA 7.0.5 7.0.5 Upgrade impact. The system connects to Cisco for something new.
bundles.
7.1.0.3 7.1.0.3 The local CA bundle contains certificates to access several Cisco services. The
system now automatically queries Cisco for new CA certificates at a daily
7.2.4 7.2.4
system-defined time. Previously, you had to upgrade the software to update
CA certificates. You can use the CLI to disable this feature.
New/modified CLI commands: configure cert-update auto-update, configure
cert-update run-now, configure cert-update test, show cert-update
Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and
7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade
from a supported version to an unsupported version, the feature is temporarily
disabled and the system stops contacting Cisco.
See: Firepower Management Center Command Line Reference and Cisco
Secure Firewall Threat Defense Command Reference
Access control 7.2.4 Any Upgrade impact. First deployment after management center upgrade to
performance 7.2.4–7.2.5 or 7.4.0 can take a long time and increase CPU use on managed
improvements (object devices.
optimization).
Access control object optimization improves performance and consumes fewer
device resources when you have access control rules with overlapping networks.
The optimizations occur on the managed device on the first deploy after the
feature is enabled on the management center (including if it is enabled by an
upgrade). If you have a high number of rules, the system can take several
minutes to an hour to evaluate your policies and perform object optimization.
During this time, you may also see higher CPU use on your devices. A similar
thing occurs on the first deploy after the feature is disabled (including if it is
disabled by upgrade). After this feature is enabled or disabled, we recommend
you deploy when it will have the least impact, such as a maintenance window
or a low-traffic time.
New/modified screens (requires Version 7.2.6/7.4.1): System ( ) >
Configuration > Access Control Preferences > Object-group optimization.
Other version restrictions: Not supported with management center Version
7.3.x.
See: Access Control Preferences
Cisco Secure Firewall Management Center New Features by Release
68
New Features by Release
Management Center Features in Version 7.2.3
Feature Minimum Minimum Details
Management Threat
Center Defense
Smaller VDB for lower 6.4.0.17 Any with Upgrade impact. Application identification on lower memory devices is
memory Snort 2 devices. Snort 2 affected.
7.0.6
For VDB 363+, the system now installs a smaller VDB (also called VDB lite)
7.2.4
on lower memory devices running Snort 2. This smaller VDB contains the
7.3.1.1 same applications, but fewer detection patterns. Devices using the smaller VDB
can miss some application identification versus devices using the full VDB.
7.4.0
Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X,
5516-X, 5525-X, 5545-X
Version restrictions: The ability to install a smaller VDB depends on the version
of the management center, not managed devices. If you upgrade the management
center from a supported version to an unsupported version, you cannot install
VDB 363+ if your deployment includes even one lower memory device. For
a list of affected releases, see CSCwd88641.
See: Update the Vulnerability Database
Management Center Features in Version 7.2.3
Table 9: Management Center Features in Version 7.2.3
Feature Minimum Minimum Details
Management Threat
Center Defense
Firepower 1010E. 7.2.3.1 7.2.3 We introduced the Firepower 1010E, which does not support power over
Ethernet (PoE). Do not use a Version 7.2.3 or Version 7.3.0 management center
7.3.1.1
to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version
7.3.1.1+ management center.
Version restrictions: These devices do not support Version 7.3.x or 7.4.0.
Support returns in Version 7.4.1.
See: Regular Firewall Interfaces
Management Center Features in Version 7.2.2
This release introduces stability, hardening, and performance enhancements.
Cisco Secure Firewall Management Center New Features by Release
69
New Features by Release
Management Center Features in Version 7.2.1
Management Center Features in Version 7.2.1
Table 10: Management Center Features in Version 7.2.1
Feature Minimum Minimum Details
Management Threat
Center Defense
Hardware bypass 7.2.1 7.2.1 We introduced these hardware bypass network modules for the Secure Firewall
("fail-to-wire") network 3100:
modules for the Secure
• 6-port 1G SFP Hardware Bypass Network Module, SX (multimode)
Firewall 3100.
(FPR-X-NM-6X1SX-F)
• 6-port 10G SFP Hardware Bypass Network Module, SR (multimode)
(FPR-X-NM-6X10SR-F)
• 6-port 10G SFP Hardware Bypass Network Module, LR (single mode)
(FPR-X-NM-6X10LR-F)
• 6-port 25G SFP Hardware Bypass Network Module, SR (multimode)
(FPR-X-NM-X25SR-F)
• 6-port 25G Hardware Bypass Network Module, LR (single mode)
(FPR-X-NM-6X25LR-F)
• 8-port 1G Copper Hardware Bypass Network Module, RJ45 (copper)
(FPR-X-NM-8X1G-F)
New/modified screens: Devices > Device Management > Interfaces > Edit
Physical Interface
For more information, see Inline Sets and Passive Interfaces.
Intel Ethernet Network 7.2.1 7.2.1 We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with
Adapter E810-CQDA2 threat defense virtual for KVM.
driver with threat defense
For more information, see Getting Started with Secure Firewall Threat Defense
virtual for KVM.
Virtual and KVM.
Management Center Features in Version 7.2.0
Table 11: Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Platform
Cisco Secure Firewall Management Center New Features by Release
70
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Snapshots allow quick 7.2.0 7.2.0 You can now take a snapshot of a threat defense virtual for AWS or Azure
deploy of threat defense instance, then use that snapshot to quickly deploy new instances. This feature
virtual for AWS and also improves the performance of the autoscale solutions for AWS and Azure.
Azure.
For more information, see the Cisco Secure Firewall Threat Defense Virtual
Getting Started Guide.
Analytics mode for 7.2.0 7.0.3 Concurrently with Version 7.2, we introduced the Cisco Cloud-delivered
cloud-managed threat Firewall Management Center. The cloud-delivered Firewall Management Center
7.2.0
defense devices. uses the Cisco Defense Orchestrator (CDO) platform and unites management
across multiple Cisco security solutions. We take care of feature updates.
On-prem hardware and virtual management centers running Version 7.2+ can
"co-manage" cloud-managed threat defense devices, but for event logging and
analytics purposes only. You cannot deploy policy to these devices from an
on-prem management center.
New/modified screens:
• When you add a cloud-managed device to an on-prem management center,
use the new CDO Managed Device check box to specify that it is
analytics-only.
• View which devices are analytics-only on Devices > Device Management.
New/modified CLI commands: configure manager add, configure manager
delete, configure manager edit, show managers
Version restrictions: Not supported with threat defense Version 7.1.
For more information, see Managing Firewall Threat Defense with
Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator.
ISA 3000 support for 7.2.0 7.2.0 Support returns for shutting down the ISA 3000. This feature was introduced
shutting down. in Version 7.0.2 but was temporarily deprecated in Version 7.1.
High Availability/Scalability
Cisco Secure Firewall Management Center New Features by Release
71
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Clustering for threat 7.2.0 7.2.0 You can now configure clustering for the following threat defense virtual
defense virtual in both platforms:
public and private clouds.
• Threat defense virtual for AWS: 16-node clusters
• Threat defense virtual for GCP: 16-node clusters
• Threat defense virtual for KVM: 4-node clusters
• Threat defense virtual for VMware: 4-node clusters
New/modified screens:
• Devices > Device Management > Add Cluster
• Devices > Device Management > More menu
• Devices > Device Management > Cluster
For more information, see Clustering for Threat Defense Virtual in a Public
Cloud (AWS, GCP) or Clustering for Threat Defense Virtual in a Private Cloud
(KVM, VMware).
Support for 16-node 7.2.0 7.2.0 You can now configure 16-node clusters for the following platforms:
clusters.
• Firepower 4100/9300
• Threat defense virtual for AWS
• Threat defense virtual for GCP
The Secure Firewall 3100 still only supports 8 nodes.
For more information, see Clustering for the Firepower 4100/9300 or Clustering
for Threat Defense Virtual in a Public Cloud.
Autoscale for threat 7.2.0 7.2.0 We now support autoscale for threat defense virtual for AWS gateway load
defense virtual for AWS balancers, using a CloudFormation template.
gateway load balancers.
For more information, see the Cisco Secure Firewall Threat Defense Virtual
Getting Started Guide.
Cisco Secure Firewall Management Center New Features by Release
72
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Autoscale for threat 7.2.0 7.2.0 Upgrade impact. Threat defense virtual for GCP cannot upgrade across
defense virtual for GCP. Version 7.2.0.
We now support autoscale for threat defense virtual for GCP, by positioning
a threat defense virtual instance group between a GCP internal load balancer
(ILB) and a GCP external load balancer (ELB).
Version restrictions: Due to interface changes required to support this feature,
threat defense virtual for GCP upgrades cannot cross Version 7.2.0. That is,
you cannot upgrade to Version 7.2.0+ from Version 7.1.x and earlier. You must
deploy a new instance and redo any device-specific configurations.
For more information, see the Cisco Secure Firewall Threat Defense Virtual
Getting Started Guide.
Interfaces
LLDP support for the 7.2.0 7.2.0 You can now enable Link Layer Discovery Protocol (LLDP) for Firepower
Firepower 2100 and 2100 and Secure Firewall 3100 series interfaces.
Secure Firewall 3100.
New/modified screens: Devices > Device Management > Interfaces > >
Hardware Configuration > LLDP
New/modified commands: show lldp status, show lldp neighbors, show lldp
statistics
For more information, see Interface Overview.
Pause frames for flow 7.2.0 7.2.0 If you have a traffic burst, dropped packets can occur if the burst exceeds the
control for the Secure buffering capacity of the FIFO buffer on the NIC and the receive ring buffers.
Firewall 3100. Enabling pause frames for flow control can alleviate this issue.
New/modified screens: Devices > Device Management > Interfaces >
Hardware Configuration > Network Connectivity
For more information, see Interface Overview.
Breakout ports for the 7.2.0 7.2.0 You can now configure four 10 GB breakout ports for each 40 GB interface
Secure Firewall 3130 and on the Secure Firewall 3130 and 3140.
3140.
New/modified screens: Devices > Device Management > Chassis Operations
For more information, see Interface Overview.
Cisco Secure Firewall Management Center New Features by Release
73
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Configure VXLAN from 7.2.0 Any Upgrade impact. Redo FlexConfigs after upgrade.
the management center
You can now use the management center web interface to configure VXLAN
web interface.
interfaces. VXLANs act as Layer 2 virtual network over a Layer 3 physical
network to stretch the Layer 2 network.
If you configured VXLAN interfaces with FlexConfig in a previous version,
they continue to work. In fact, FlexConfig takes precedence in this case—if
you redo your VXLAN configurations in the web interface, remove the
FlexConfig settings.
New/modified screens:
• Configure the VTEP source interface: Devices > Device Management >
VTEP
• Configure the VNI interface: Devices > Device Management >
Interfaces > Add VNI Interface
For more information, see Regular Firewall Interfaces.
NAT
Enable, disable, or delete 7.2.0 Any You can select multiple NAT rules and enable, disable, or delete them all at
more than one NAT rule the same time. Enable and disable apply to manual NAT rules only, whereas
at a time. delete applies to any NAT rule.
For more information, see Network Address Translation.
VPN
Certificate and SAML 7.2.0 7.2.0 We now support certificate and SAML authentication for RA VPN connection
authentication for RA profiles. You can authenticate a machine certificate or user certificate before
VPN connection profiles. a SAML authentication/authorization is initiated. This can be done using DAP
certificate attributes along with user specific SAML DAP attributes.
New/modified screens: You can now choose Certificate & SAML option
when choosing the authentication method for the connection profile in an RA
VPN policy.
For more information, see Remote Access VPN.
Route-based site-to-site 7.2.0 7.2.0 We added support for route-based site-to-site VPNs in a hub and spoke
VPN with hub and spoke topology. Previously, that topology only supported policy-based (crypto map)
topology. VPNs.
New/modified screens: When you add a new VPN topology and choose Route
Based (VTI), you can now also choose Hub and Spoke.
For more information, see Site-to-Site VPNs.
Cisco Secure Firewall Management Center New Features by Release
74
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
IPsec flow offload for the 7.2.0 7.2.0 On the Secure Firewall 3100, IPsec flows are offloaded by default. After the
Secure Firewall 3100. initial setup of an IPsec site-to-site VPN or remote access VPN security
association (SA), IPsec connections are offloaded to the field-programmable
gate array (FPGA) in the device, which should improve device performance.
You can change the configuration using FlexConfig and the flow-offload-ipsec
command.
For more information, see Site-to-Site VPNs.
Routing
Configure EIGRP from 7.2.0 Any Upgrade impact. Redo FlexConfigs after upgrade.
the management center
You can now use the management center web interface to configure EIGRP.
web interface.
Note that you can only enable EIGRP on interfaces belonging to the device's
Global virtual router.
If you configured EIGRP with FlexConfig in a previous version, the system
allows you to deploy post-upgrade, but also warns you to redo your EIGRP
configurations in the web interface. When you are satisfied with the new
configuration, you can delete the deprecated FlexConfig objects or commands.
To help you with this process, we provide a command-line migration tool.
New/modified screens: Devices > Device Management > Routing > EIGRP
For more information, see EIGRP and Migrating FlexConfig Policies.
Virtual router support for 7.2.0 7.2.0 You can now configure up to five virtual routers on the Firepower 1010.
the Firepower 1010.
For more information, see Virtual Routers.
Support for VTIs in 7.2.0 7.2.0 You can now assign virtual tunnel interfaces to user-defined virtual routers.
user-defined virtual Previously, you could only assign VTIs to Global virtual routers.
routers.
New/modified screens: Devices > Device Management > Routing > Virtual
Router Properties
For more information, see Virtual Routers.
Cisco Secure Firewall Management Center New Features by Release
75
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Policy-based routing with 7.2.0 7.2.0 You can now use path monitoring to collect the performance metrics (RTT,
path monitoring. jitter, packet-lost, and MOS) of a device's egress interfaces. Then, you can use
these metrics to determine the best path for policy based routing.
New/modified screens:
• Enable path monitoring and choose metrics to collect: Devices > Device
Management > Interfaces > Path Monitoring
• Use the new Interface Ordering option when you are adding a policy
based route and specifying a forwarding action: Devices > Device
Management > Routing > Policy Based Routing
• Monitor path metrics in each device's health monitoring dashboard: System
( ) > Health > Monitor > add dashboard > Interface - Path Metrics.
New/modified CLI commands: show policy route, show path-monitoring,
clear path-monitoring
For more information, see Policy Based Routing.
Threat Intelligence
DNS-based threat 7.2.0 Any We now support DNS-based Security Intelligence using regularly updated
intelligence from Cisco information from Cisco Umbrella. You can use both a local DNS policy and
Umbrella. an Umbrella DNS policy, for two layers of protection.
New/modified screens:
• Configure connection to Umbrella: Integration > Other Integrations >
Cloud Services > Cisco Umbrella Connection
• Configure Umbrella DNS policy: Policies > DNS > Add DNS Policy >
Umbrella DNA Policy
• Associate Umbrella DNS policy with access control: Policies > Access
Control > Edit Policy > Security Intelligence > Umbrella DNS Policy
For more information, see DNS Policies.
IP-based threat 7.2.0 Any You can now handle traffic based on malicious IP addresses detected by
intelligence from Amazon GuardDuty, when integrated with management center virtual for AWS.
Amazon GuardDuty. The system consumes this threat intelligence via a custom Security Intelligence
feed, or via a regularly updated network object group, which you can then use
in your security policies.
For more information, see the Cisco Secure Firewall Threat Defense Virtual
Getting Started Guide.
Access Control and Threat Detection
Cisco Secure Firewall Management Center New Features by Release
76
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Dynamic object 7.2.0 Any Concurrently with Version 7.2, we released the following updates to the Cisco
management with: Secure Dynamic Attributes Connector:
• Cloud-delivered • Cloud-delivered Cisco Secure Dynamic Attributes Connector
Cisco Secure (CDO-managed service)
Dynamic Attributes
Supported management centers: Version 7.1+ and the cloud-delivered
Connector
management center.
• On-prem Cisco Supported virtual/cloud workloads: AWS, Azure, Azure service tags,
Secure Dynamic Google Cloud Connector, GitHub, and Office 365.
Attributes
Connector 2.0 For more information: Managing the Cisco Secure Dynamic Attributes
Connector with Cisco Defense Orchestrator chapters in Managing Firewall
Threat Defense with Cloud-Delivered Firewall Management Center in
Cisco Defense Orchestrator.
• On-prem Cisco Secure Dynamic Attributes Connector 2.0
Supported management centers: Version 7.0+ and the cloud-delivered
management center.
Supported virtual/cloud workloads: AWS, Azure, Azure service tags,
Google Cloud Connector, GitHub, Office 365, and VMware.
For more information: Cisco Secure Dynamic Attributes Connector
Configuration Guide 2.0.
Bypass inspection or 7.2.0 7.2.0 with You can now detect and optionally bypass inspection or throttle elephant flows.
throttle elephant flows on Snort 3 By default, access control policies are set to generate an event when the system
Snort 3 devices. sees an unencrypted connection larger than 1 GB/10 sec; the rate limit is
configurable.
For the Firepower 2100 series, you can detect elephant flows but not bypass
inspection or throttle. For devices running Snort 2 and for devices running
Version 7.1 and earlier, continue to use Intelligent Application Bypass (IAB).
New/modified screens: We added Elephant Flow Settings to the access control
policy's Advanced tab.
For more information, see Elephant Flow Detection.
Cisco Secure Firewall Management Center New Features by Release
77
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Encrypted visibility 7.2.0 7.2.0 with We made the following enhancements to the encrypted visibility engine (EVE):
engine enhancements. Snort 3
• EVE can detect the operating system used by the host, which is reported
in events and the network map.
• EVE can detect application traffic by assigning EVE processes that were
identified with high confidence to applications, which you can then use
in access control rules to control network traffic. (In Version 7.1, you
could see EVE processes for connections, but you could not act on that
knowledge.)
To add additional assignments, create custom applications/custom
application detectors. When adding a detection pattern to your custom
detector, choose Encrypted Visibility Engine as the application. Then,
specify the process name and confidence level.
• EVE now works with QUIC traffic.
The following connection event fields have changed along with these
enhancements:
TLS Fingerprint Process Name is now Encrypted Visibility Process
Name
TLS Fingerprint Process is now Encrypted Visibility Process
Confidence Score Confidence Score
TLS Fingerprint Malware is now Encrypted Visibility Threat
Confidence Confidence
TLS Fingerprint Malware is now Encrypted Visibility Threat
Confidence Score Confidence Score
Detection Type: TLS Fingerprint is now Detection Type: Encrypted
Visibility
This feature now requires a Threat license.
For more information, see Access Control Policies and Application Detection.
TLS 1.3 inspection. 7.2.0 7.2.0 with We now support inspection of TLS 1.3 traffic.
Snort 3
New/modified screens: We added the Enable TLS 1.3 Decryption option to
the Advanced Settings tab in SSL policies. Note that this option is disabled by
default.
For more information, see SSL Policies.
Cisco Secure Firewall Management Center New Features by Release
78
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Improved portscan 7.2.0 7.2.0 with With an improved portscan detector, you can easily configure the system to
detection. Snort 3 detect or prevent portscans. You can refine the networks you want to protect,
set the sensitivity, and so on. For devices running Snort 2 and for devices
running Version 7.1 and earlier, continue to use the network analysis policy
for portscan detection.
New/modified screens: We added Threat Detection to the access control
policy's Advanced tab.
For more information, see Threat Detection.
VBA macro inspection. 7.2.0 7.2.0 with We now support inspection of VBA (Visual Basic for Applications) macros
Snort 3 in Microsoft Office documents, which is done by decompressing the macros
and matching rules against the decompressed content.
By default, VBA macro decompression is disabled in all system-provided
network analysis policies. To enable it use the decompress_vba setting in the
imap, smtp, http_inspect, and pop Snort 3 inspectors.
To configure custom intrusion rules to match against decompressed macros,
use the vba_data option.
For more information, see the Snort 3 Inspector Reference and the Cisco Secure
Firewall Management Center Snort 3 Configuration Guide.
Improved JavaScript 7.2.0 7.2.0 with We improved JavaScript inspection, which is done by normalizing the
inspection. Snort 3 JavaScript and matching rules against the normalized content. A new
normalizer's enhancements include improved white-space normalization,
semicolon insertions, cross-site script handling, identifier normalization and
dealiasing, just-in-time (JIT) inspection, and the ability to inspect external
scripts.
By default, the new normalizer is enabled in all system-provided network
analysis policies. To tweak performance or disable the feature in a custom
network analysis policy, use the js_norm (improved normalizer) and
normalize_javascript (legacy normalizer) settings in the https_inspect Snort 3
inspector.
To configure custom intrusion rules to match against normalized JavaScript,
use the js_data option, for example:
alert tcp any any -> any any (msg:"Script detected!";
js_data; content:"var var_0000=1;"; sid:1000001;)
For more information, see HTTP Inspect Inspector in the Snort 3 Inspector
Reference, as well as the Cisco Secure Firewall Management Center Snort 3
Configuration Guide.
Cisco Secure Firewall Management Center New Features by Release
79
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Improved SMB 3 7.2.0 7.2.0 with We now support inspection of SMB 3 traffic in the following situations:
inspection. Snort 3
• During file server node failover for clusters configured for SMB
Transparent Failover.
• In multiple file server nodes for clusters using SMB Scale-Out.
• Through directory information changes due to SMB Directory Leasing.
• Spread across multiple connections due to SMB Multichannel.
For more information, see the Snort 3 Inspector Reference and the Cisco Secure
Firewall Management Center Snort 3 Configuration Guide.
Event Logging and Analysis
Improved SecureX 7.2.0 Any We have streamlined the SecureX integration process. Now, as long as you
integration, SecureX already have a SecureX account, you just choose your cloud region on the new
orchestration. Integration > SecureX page, click Enable SecureX, and authenticate to
SecureX. The option to send events to the cloud, as well as to enable Cisco
Success Network and Cisco Support Diagnostics, are also moved to this new
page.
When you enable SecureX integration on this new page, licensing and
management for the system's cloud connection switches from Cisco Smart
Licensing to SecureX. If you already enabled SecureX the "old" way, you must
disable and re-enable to get the benefits of this cloud connection management.
Note that this page also governs the cloud region for and event types sent to
the Secure Network Analytics (Stealthwatch) cloud using Security Analytics
and Logging (SaaS), even though the web interface does not indicate this.
Previously, these options were on System ( ) > Integration > Cloud Services.
Enabling SecureX does not affect communications with the Secure Network
Analytics cloud; you can send events to both.
The management center also now supports SecureX orchestration—a powerful
drag-and-drop interface you can use to automate workflows across security
tools. After you enable SecureX, you can enable orchestration.
As part of this feature, you can no longer use the REST API to configure
SecureX integration. You must use the FMC web interface.
Version restrictions: This feature is included in Versions 7.0.2+ and 7.2+. It is
not supported in Version 7.1. If you use the new method to enable SecureX
integration in Version 7.0.x, you cannot upgrade to Version 7.1 unless you
disable the feature. We recommend you upgrade to Version 7.2+.
See: Cisco Secure Firewall Management Center (7.0.2 and 7.2) and SecureX
Integration Guide
Cisco Secure Firewall Management Center New Features by Release
80
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Log security events to 7.2.0 7.0.0 When you configure a Secure Network Analytics Data Store (multi-node)
multiple Secure Network integration, you can now add multiple flow collectors for security events. You
Analytics on-prem data assign each flow collector to one or more threat defense devices running Version
stores. 7.0+.
New/modified screens:
• Setup: Integration > Security Analytics & Logging > Secure Network
Analytics Data Store
• Modify: Integration > Security Analytics & Logging > Update Device
Assignments
This feature requires Secure Network Analytics Version 7.1.4.
For more information, see the Cisco Security Analytics and Logging (On
Premises): Firewall Event Integration Guide.
Database access changes. 7.2.0 Any We added ten new tables, deprecated one table, and prohibited joins in six
tables. We also added fields to various tables for Snort 3 support and to provide
timestamps and IP addresses in human-readable format.
For more information, see the What's New topic in the Cisco Secure Firewall
Management Center Database Access Guide, Version 7.2.
eStreamer changes. 7.2.0 Any A new Python-based reference client has been added to the SDK. Also, you
can now request fully qualified events.
For more information, see the What's New topic in the Cisco Secure Firewall
Management Center Event Streamer Integration Guide, Version 7.2.
Deployment and Policy Management
Auto rollback of a 7.2.0 7.2.0 You can now enable auto rollback of the configuration if a deployment causes
deployment that causes a the management connection between the management center and threat defense
loss of management to go down. Previously, you could only manually roll back a configuration
connectivity. using the configure policy rollback command.
New/modified screens:
• Devices > Device Management > Device > Deployment Settings
• Deploy > Advanced Deploy > Preview
• Deploy > Deployment History > Preview
For more information, see Device Management.
Cisco Secure Firewall Management Center New Features by Release
81
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Generate and email a 7.2.0 Any You can now generate a report for any deploy task. The report contains details
report when you deploy about the deployed configuration.
configuration changes.
New/modified pages: Deploy > Deployment History ( ) icon > More
( )Generate Report
For more information, see Configuration Deployment.
Access control policy 7.2.0 Any You can now lock an access control policy to prevent other administrators from
locking. editing it. Locking the policy ensures that your changes will not be invalidated
if another administrator edits the policy and saves changes before you save
your changes. Any user who has permission to modify the access control policy
has permission to lock it.
We added an icon to lock or unlock a policy next to the policy name while
editing the policy. In addition, there is a new permission to allow users to
unlock policies locked by other administrators: Override Access Control Policy
Lock. This permission is enabled by default in the Administrator, Access
Admin, and Network Admin roles.
For more information, see Access Control Policies.
Object group search is 7.2.0 Any The Object Group Search setting is now enabled by default when you add a
enabled by default. device to the management center.
New/modified screens: Devices > Device Management > Device > Advanced
Settings
For more information, see Device Management.
Access control rule hit 7.2.0 7.2.0 Rebooting a managed device no longer resets access control rule hit counts to
counts persist over zero. Hit counts are reset only if you actively clear the counters. In addition,
reboot. counts are maintained by each unit in an HA pair or cluster separately. You
can use the show rule hits command to see cumulative counters across the HA
pair or cluster, or see the counts per node.
New/modified CLI commands: show rule hits
For more information, see the Cisco Secure Firewall Threat Defense Command
Reference.
Cisco Secure Firewall Management Center New Features by Release
82
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Usability improvements 7.2.0 Any There is a new experimental user interface available for the access control
for the access control policy. You can continue to use the legacy user interface, or you can try out
policy. the new user interface.
The new interface has both a table and a grid view for the rules list, the ability
to show or hide columns, enhanced search, infinite scroll, a clearer view of the
packet flow related to policies associated with the access control policy, and a
simplified add/edit dialog box for creating rules. You can freely switch back
and forth between the legacy and new user interfaces while editing an access
control policy.
Restrictions: The new interface does not have all the features available in the
legacy interface, and may have performance issues when displaying a large
number of rules.
For more information, see Access Control Policies.
Upgrade
Copy upgrade packages 7.2.0 7.2.0 Instead of copying upgrade packages to each device from the management
("peer-to-peer sync") center or internal web server, you can use the threat defense CLI to copy
from device to device. upgrade packages between devices ("peer to peer sync"). This secure and
reliable resource-sharing goes over the management network but does not rely
on the management center. Each device can accommodate 5 package concurrent
transfers.
This feature is supported for Version 7.2.x–7.4.x standalone devices managed
by the same Version 7.2.x–7.4.x standalone management center. It is not
supported for:
• Container instances.
• Device high availability pairs and clusters. These devices get the package
from each other as part of their normal sync process. Copying the upgrade
package to one group member automatically syncs it to all group members.
• Devices managed by high availability management centers.
• Devices managed by the cloud-delivered Firewall Management Center,
but added to an on-prem management center in analytics mode.
• Devices in different domains, or devices separated by a NAT gateway.
• Devices upgrading from Version 7.1 or earlier, regardless of management
center version.
New/modified CLI commands: configure p2psync enable, configure p2psync
disable, show peers, show peer details, sync-from-peer, show
p2p-sync-status
For more information, see Copy Threat Defense Upgrade Packages between
Devices.
Cisco Secure Firewall Management Center New Features by Release
83
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Auto-upgrade to Snort 3 7.2.0 7.2.0 When you use a Version 7.2+ management center to upgrade threat defense to
after successful threat Version 7.2+, you can now choose whether to Upgrade Snort 2 to Snort 3.
defense upgrade.
After the software upgrade, eligible devices upgrade from Snort 2 to Snort 3
when you deploy configurations. For devices that are ineligible because they
use custom intrusion or network analysis policies, we strongly recommend you
manually upgrade to Snort 3 for improved detection and performance. For help,
see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide
for your version.
Version restrictions: Not supported for threat defense upgrades to Version 7.0.x
or 7.1.x.
Upgrade for single-node 7.2.0 Any You can now use the device upgrade page (Devices > Device Upgrade) to
clusters. upgrade clusters with only one active node. Any deactivated nodes are also
upgraded. Previously, this type of upgrade would fail. This feature is not
supported from the system updates page (System ( )Updates).
Hitless upgrades are also not supported in this case. Interruptions to traffic flow
and inspection depend on the interface configurations of the lone active unit,
just as with standalone devices.
Supported platforms: Firepower 4100/9300, Secure Firewall 3100
Revert threat defense 7.2.0 7.2.0 You can now revert threat defense upgrades from the device CLI if
upgrades from the CLI. communications between the management center and device are disrupted.
Note that in high availability/scalability deployments, revert is more successful
when all units are reverted simultaneously. When reverting with the CLI, open
sessions with all units, verify that revert is possible on each, then start the
processes at the same time.
Caution Reverting from the CLI can cause configurations between the
device and the management center to go out of sync, depending
on what you changed post-upgrade. This can cause further
communication and deployment issues.
New/modified CLI commands: upgrade revert, show upgrade revert-info.
For more information, see Revert the Upgrade.
Administration
Back up and restore 7.2.0 Any You can now use the management center to back up threat defense virtual for
threat defense virtual for AWS, except device clusters. To restore, use the device CLI.
AWS.
For more information, see Backup/Restore.
Cisco Secure Firewall Management Center New Features by Release
84
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Multiple DNS server 7.2.0 Any You can configure multiple DNS groups for the resolution of DNS requests
groups for resolving DNS from client systems. You can use these DNS server groups to resolve requests
requests. for different DNS domains. For example, you could have a catch-all default
group that uses public DNS servers, for use with connections to the Internet.
You could then configure a separate group to use internal DNS servers for
internal traffic, for example, any connection to a machine in the example.com
domain. Thus, connections to an FQDN using your organization’s domain
name would be resolved using your internal DNS servers, whereas connections
to public servers use external DNS servers.
New/modified screens: Platform Settings > DNS
For more information, see Platform Settings.
Configure certificate 7.2.0 7.2.0 You can now specify the usage types where validation is allowed with the
validation with threat trustpoint (the threat defense device): IPsec client connections, SSL client
defense by usage type. connections, and SSL server certificates.
New/modified screens: We added a Validation Usage option to certificate
enrollment objects: Objects > Object Manager > PKI > Cert Enrollment.
For more information, see Object Management.
GeoDB is split into two 7.2.0 Any In May 2022, shortly before the Version 7.2 release, we split the GeoDB into
packages. two packages: a country code package that maps IP addresses to
countries/continents, and an IP package that contains additional contextual data
associated with routable IP addresses. The contextual data in the IP package
can include additional location details, as well as connection information such
as ISP, connection type, proxy type, domain name, and so on.
If your Version 7.2.0–7.2.5 management center has internet access and you
enable recurring updates or you manually kick off a one-time update from the
Cisco Support & Download site, the system automatically obtains both
packages. In Version 7.2.6+/7.4.0+, you can configure whether you want the
system to obtain the IP package.
If you manually download updates—for example, in an air-gapped
deployment—you must import the packages separately:
• Country code package: Cisco_GEODB_Update-date-build.sh.REL.tar
• IP package: Cisco_IP_GEODB_Update-date-build.sh.REL.tar
Help ( ) > About lists the versions of the packages currently being used by
the system.
For more information, see Updates.
French language option 7.2.0 Any You can now switch the management center web interface to French.
for web interface.
New/modified screens: System ( ) > Configuration > Language
For more information, see System Configuration.
Cisco Secure Firewall Management Center New Features by Release
85
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Web interface changes: 7.2.0 Any Version 7.2 changes these management center menu options in all cases.
deployment and user
activity integrations. Deploy > Deployment History is now Deploy > Deployment History
( ) (bottom right corner)
Deploy > Deployment is now Deploy > Advanced Deploy
Analysis > Users > Active is now Integration > Users > Active
Sessions Sessions
Analysis > Users > Users is now Integration > Users > Users
Analysis > Users > User is now Integration > Users > User
Activity Activity
Web interface changes: 7.2.0 Any Version 7.2 changes these management center menu options if you are
SecureX, threat upgrading from Version 7.0.1 or earlier, or from Version 7.1.
intelligence, and other
Note If you are upgrading from Version 7.0.2 or any later Version 7.0.x
integrations.
maintenance release, your menu structure already looks like this.
AMP > AMP Management is now Integration > AMP > AMP
Management
AMP > Dynamic Analysis is now Integration > AMP > Dynamic
Connections Analysis Connections
Intelligence > Sources is now Integration > Intelligence >
Sources
Intelligence > Elements is now Integration > Intelligence >
Elements
Intelligence > Settings is now Integration > Intelligence >
Settings
Intelligence > Incidents is now Integration > Intelligence >
Incidents
System ( ) > Integration is now Integration > Other
Integrations
System ( ) > Logging > is now Integration > Security Analytics
Security Analytics & Logging & Logging
System ( ) > SecureX is now Integration > SecureX
Usability, Performance, and Troubleshooting
Cisco Secure Firewall Management Center New Features by Release
86
New Features by Release
Management Center Features in Version 7.2.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Dropped packet statistics 7.2.0 7.2.0 The new show packet-statistics threat defense CLI command displays
for the Secure Firewall comprehensive information about non-policy related packet drops. Previously
3100. this information required using several commands.
For more information, see the Cisco Secure Firewall Threat Defense Command
Reference.
Cisco Success Network 7.2.0 Any For telemetry changes, see Cisco Success Network Telemetry Data Collected
telemetry. from Cisco Secure Firewall Management Center, Version 7.2.
Management Center REST API
Management center 7.2.0 Any For information on changes to the FMC REST API, see What's New in 7.2 in
REST API. the REST API quick start guide.
Deprecated Features
Deprecated: EIGRP with 7.2.0 Any You can now configure EIGRP routing from the management center web
FlexConfig. interface.
You no longer need these FlexConfig objects: Eigrp_Configure,
Eigrp_Interface_Configure, Eigrp_Unconfigure, Eigrp_Unconfigure_all.
And these associated text objects: eigrpAS, eigrpNetworks,
eigrpDisableAutoSummary, eigrpRouterId, eigrpStubReceiveOnly,
eigrpStubRedistributed, eigrpStubConnected, eigrpStubStatic,
eigrpStubSummary, eigrpIntfList, eigrpAS, eigrpAuthKey, eigrpAuthKeyId,
eigrpHelloInterval, eigrpHoldTime, eigrpDisableSplitHorizon.
The system does allow you to deploy post-upgrade, but also warns you to redo
your EIGRP configurations. To help you with this process, we provide a
command-line migration tool. For details, see Migrating FlexConfig Policies
.
Deprecated: VXLAN 7.2.0 Any You can now configure VXLAN interfaces from the management center web
with FlexConfig. interface.
You no longer need these FlexConfig objects: VxLAN_Clear_Nve,
VxLAN_Clear_Nve_Only, VxLAN_Configure_Port_And_Nve,
VxLAN_Make_Nve_Only, VxLAN_Make_Vni.
And these associated text objects: vxlan_Port_And_Nve, vxlan_Nve_Only,
vxlan_Vni.
If you configured VXLAN interfaces with FlexConfig in a previous version,
they continue to work. In fact, FlexConfig takes precedence in this case—if
you redo your VXLAN configurations in the web interface, remove the
FlexConfig settings.
Cisco Secure Firewall Management Center New Features by Release
87
New Features by Release
FMC Features in Version 7.1.0
Feature Minimum Minimum Details
Management Threat
Center Defense
Deprecated: Automatic 7.2.0 Any To save time and disk space, the management center upgrade process no longer
pre-upgrade automatically generates troubleshooting files before the upgrade begins. Note
troubleshooting. that device upgrades are unaffected and continue to generate troubleshooting
files.
To manually generate troubleshooting files for the management center, choose
System ( ) > Health > Monitor, click Firewall Management Center in the
left panel, then View System & Troubleshoot Details, then Generate
Troubleshooting Files.
FMC Features in Version 7.1.0
Note You cannot manage a Version 7.1 device with cloud-delivered Firewall Management Center. If your
cloud-managed devices are running Version 7.0, upgrade directly to Version 7.2+ to take advantage of the
features listed here.
Table 12: FMC Features in Version 7.1.0.3
Feature Details
Automatically update CA Upgrade impact. The system connects to Cisco for something new.
bundles.
The local CA bundle contains certificates to access several Cisco services. The system now
automatically queries Cisco for new CA certificates at a daily system-defined time. Previously,
you had to upgrade the software to update CA certificates. You can use the CLI to disable this
feature.
New/modified CLI commands: configure cert-update auto-update, configure cert-update
run-now, configure cert-update test, show cert-update
Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not
supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an
unsupported version, the feature is temporarily disabled and the system stops contacting Cisco.
See: Firepower Management Center Command Line Reference and Cisco Secure Firewall Threat
Defense Command Reference
Table 13: FMC Features in Version 7.1.0
Feature Details
Platform
Cisco Secure Firewall Management Center New Features by Release
88
New Features by Release
FMC Features in Version 7.1.0
Feature Details
Secure Firewall 3100 We introduced the Secure Firewall 3110, 3120, 3130, and 3140.
You can hot swap a network module of the same type while the firewall is powered up without
having to reboot; making other module changes requires a reboot. Secure Firewall 3100 25 Gbps
interfaces support Forward Error Correction as well as speed detection based on the SFP installed.
The SSDs are self-encrypting drives (SEDs), and if you have 2 SSDs, they form a software RAID.
These devices support up to 8 units for Spanned EtherChannel clustering.
Note that the Version 7.1.0 release does not include online help for these devices; new online help
is included in Version 7.1.0.2.
New/modified screens:
• Devices > Device Management > Add Cluster
• Devices > Device Management > More
• Devices > Device Management > Cluster
• Devices > Device Management > Chassis Operations
• Devices > Device Management > Interfaces > edit physical interface > Hardware
Configuration
• Devices > Device Management
New/modified FTD CLI commands: configure network speed, configure raid, show raid, show
ssd
FMCv300 for AWS We introduced the FMCv300 for both AWS and OCI. The FMCv300 can manage up to 300 devices.
FMCv300 for OCI
Cisco Secure Firewall Management Center New Features by Release
89
New Features by Release
FMC Features in Version 7.1.0
Feature Details
FTDv for AWS instances. FTDv for AWS adds support for these instances:
• c5a.xlarge, c5a.2xlarge, c5a.4xlarge
• c5ad.xlarge, c5ad.2xlarge, c5ad.4xlarge
• c5d.xlarge, c5d.2xlarge, c5d.4xlarge
• c5n.xlarge, c5n.2xlarge, c5n.4xlarge
• i3en.xlarge, i3en.2xlarge, i3en.3xlarge
• inf1.xlarge, inf1.2xlarge
• m5.xlarge, m5.2xlarge, m5.4xlarge
• m5a.xlarge, m5a.2xlarge, m5a.4xlarge
• m5ad.xlarge, m5ad.2xlarge, m5ad.4xlarge
• m5d.xlarge, m5d.2xlarge, m5d.4xlarge
• m5dn.xlarge, m5dn.2xlarge, m5dn.4xlarge
• m5n.xlarge, m5n.2xlarge, m5n.4xlarge
• m5zn.xlarge, m5zn.2xlarge, m5zn.3xlarge
• r5.xlarge, r5.2xlarge, r5.4xlarge
• r5a.xlarge, r5a.2xlarge, r5a.4xlarge
• r5ad.xlarge, r5ad.2xlarge, r5ad.4xlarge
• r5b.xlarge, r5b.2xlarge, r5b.4xlarge
• r5d.xlarge, r5d.2xlarge, r5d.4xlarge
• r5dn.xlarge, r5dn.2xlarge, r5dn.4xlarge
• r5n.xlarge, r5n.2xlarge, r5n.4xlarge
• z1d.xlarge, z1d.2xlarge, z1d.3xlarge
FTDv for Azure instances. FTDv for Azure adds support for these instances:
• Standard_D8s_v3
• Standard_D16s_v3
• Standard_F8s_v2
• Standard_F16s_v2
Cisco Secure Firewall Management Center New Features by Release
90
New Features by Release
FMC Features in Version 7.1.0
Feature Details
Use FDM to configure the FTD When you perform initial setup using FDM, all interface configuration completed in FDM is
for management by the FMC. retained when you switch to FMC for management, in addition to the Management and FMC access
settings. Note that other default configuration settings, such as the access control policy or security
zones, are not retained. When you use the FTD CLI, only the Management and FMC access settings
are retained (for example, the default inside interface configuration is not retained).
After you switch to FMC, you can no longer use FDM to manage the FTD.
New/modified FDM screens: System Settings > Management Center
Device Upgrade
Revert a successful device You can now revert major and maintenance upgrades to FTD. Reverting returns the software to
upgrade. its state just before the last upgrade, also called a snapshot. If you revert an upgrade after installing
a patch, you revert the patch as well as the major and/or maintenance upgrade.
Important If you think you might need to revert, you must use System ( ) > Updates to upgrade
FTD. The System Updates page is the only place you can enable the Enable revert
after successful upgrade option, which configures the system to save a revert snapshot
when you initiate the upgrade. This is in contrast to our usual recommendation to use
the wizard on the Devices > Device Upgrade page.
This feature is not supported for container instances.
Minimum FTD: 7.1
Improvements to the upgrade We made the following improvements to the upgrade workflow for clustered and high availability
workflow for clustered and high devices:
availability devices.
• The upgrade wizard now correctly displays clustered and high availability units as groups,
rather than as individual devices. The system can identify, report, and preemptively require
fixes for group-related issues you might have. For example, you cannot upgrade a cluster on
the Firepower 4100/9300 if you have made unsynced changes on Firepower Chassis Manager.
• We improved the speed and efficiency of copying upgrade packages to clusters and high
availability pairs. Previously, the FMC copied the package to each group member sequentially.
Now, group members can get the package from each other as part of their normal sync process.
• You can now specify the upgrade order of data units in a cluster. The control unit always
upgrades last.
Snort 3 backwards For Snort 3, new features and resolved bugs require that you fully upgrade the FMC and its managed
compatibility. devices. Unlike Snort 2, you cannot update the inspection engine on an older device (for example,
Version 7.0) by deploying from a newer FMC (for example, Version 7.1).
When you deploy to an older device, the system lists any unsupported configurations and warns
you that they will be skipped. We recommend you always update your entire deployment.
Device Management
Cisco Secure Firewall Management Center New Features by Release
91
New Features by Release
FMC Features in Version 7.1.0
Feature Details
Geneve interface support for an Geneve encapsulation support was added to support single-arm proxy for the AWS Gateway Load
FTDv on AWS instances. Balancer (GWLB). The AWS GWLB combines a transparent network gateway (with a single entry
and exit point for all traffic) and a load balancer that distributes traffic and scales FTDv to match
the traffic demand.
This support requires FMC with Snort 3 enabled and is available on the following performance
tiers:
• FTDv20
• FTDv30
• FTDv50
• FTDv100
Single Root I/O Virtualization You can now implement Single Root Input/Output Virtualization (SR-IOV) for FTDv on OCI.
(SR-IOV) support for FTDv on SR-IOV can provide performance improvements for an FTDv. Mellanox 5 as vNICs are not
OCI. supported in SR-IOV mode.
LLDP support for the Firepower You can now enable Link Layer Discovery Protocol (LLDP) for Firepower 1100 interfaces.
1100.
New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration >
LLDP
New/modified commands: show lldp status, show lldp neighbors, show lldp statistics
Supported platforms: Firepower 1100 (1120, 1140, and 1150)
Interface auto-negotiation is Interface auto-negotiation is now set independently from speed and duplex. Also, when you sync
now set independently from the interfaces in FMC, hardware changes are detected more effectively.
speed and duplex, interface sync
New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration >
improved.
Speed
Supported platforms: Firepower 1000/2100, Secure Firewall 3100
Support to specify trusted DNS You can use FTD platform settings to specify trusted DNS servers for DNS snooping. This helps
servers. detect applications on the first packet by mapping domains to IP addresses. By default, trusted
DNS servers include those in DNS server objects, and those discovered by dhcp-pool, dhcp-relay,
and dhcp-client.
Import and export device You can export the device-specific configuration, and you can then import the saved configuration
configurations. for the same device in the following use cases:
• Moving the device to a different FMC.
• Restore an old configuration.
• Reregistering a device.
New/modified screens: Devices > Device Management > Device > General
High Availability/Scalability
Cisco Secure Firewall Management Center New Features by Release
92
New Features by Release
FMC Features in Version 7.1.0
Feature Details
High availability for: We now support high availability on FMCv for AWS and FMCv for OCI.
• FMCv for AWS In an FTD deployment, you need two identically licensed FMCs, as well as one FTD entitlement
for each managed device. For example, to manage 10 FTD devices with an FMCv10 high availability
• FMCv for OCI pair, you need two FMCv10 entitlements and 10 FTD entitlements. If you are managing Version
6.5.0–7.0.x Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv
entitlements.
Supported platforms: FMCv10, FMCv25, FMCv300 (not supported for FMCv2)
Autoscale on FTDv for OCI. We now support autoscaling on FTDv for OCI.
The serverless infrastructure in cloud-based deployments allow you to automatically adjust the
number of FTDv instances in an autoscale group based on capacity needs. This includes automatic
registering/unregistering to and from the managing FMC.
Cluster deployment for firewall Cluster deployment for firewall changes now completes faster.
changes completes faster.
Supported platforms: Firepower 4100/9300, Secure Firewall 3100
Clearing routes in a high In previous releases, the clear route command cleared the routing table on the unit only. Now,
availability group or cluster. when operating in a high availability group or cluster, the command is available on the active or
control unit only, and clears the routing table on all units in the group or cluster.
NAT
Manual NAT support for You can use an FQDN network object, such as one specifying www.example.com, as the translated
fully-qualified domain name destination address in manual NAT rules. The system configures the rule based on the IP address
(FQDN) objects as the returned from the DNS server.
translated destination.
Routing
BGP configuration to You can configure BGP settings to dynamically leak routes among user-defined virtual routers,
interconnect virtual routers. and between global virtual router and user-defined virtual routers. The import and export routes
feature was introduced to exchange routes among the virtual routers by tagging them with route
targets and optionally, filtering the matched routes with route maps. This BGP feature is accessible
only when you select a user-defined virtual router.
New/modified screens: For a selected user-defined virtual router, Devices > Device Management >
Routing > BGPv4/v6 > Route Import/Export
BGPv6 support for user-defined FTD now supports configuring BGPv6 on user-defined virtual routers.
virtual routers.
New/modified screens: For a selected user-defined virtual router, Devices > Device Management >
Routing > BGPv6
Configure Upgrade impact. Redo FlexConfigs after upgrade.
Equal-Cost-Multi-Path (ECMP)
You can now group interfaces in traffic zones and configure Equal-Cost-Multi-Path (ECMP) routing
from the FMC web interface.
in FMC. ECMP routing was previously supported through FlexConfig policies.
New/modified screens: Devices > Device Management > Routing > ECMP
Cisco Secure Firewall Management Center New Features by Release
93
New Features by Release
FMC Features in Version 7.1.0
Feature Details
Configure policy based routing Upgrade impact. Redo FlexConfigs after upgrade.
from the FMC web interface.
You can now configure policy based routing (PBR) from the FMC web interface. This allows you
to classify network traffic based on applications and to implement direct internet access (DIA) to
send traffic to the internet from a branch deployment. You can define a PBR policy and configure
it on ingress interfaces, specifying match criteria and egress interfaces. Network traffic that matches
the access control policy is forwarded through the egress interface based on priority or the order
as configured in the policy.
This feature requires Version 7.1+ on both the FMC and the device. When you upgrade the FMC
to Version 7.1+, existing policy based routing FlexConfigs are removed. After you upgrade your
devices to Version 7.1+, redo your policy based routing configurations in the FMC web interface.
For devices that you do not upgrade to Version 7.1+, redo the FlexConfigs and configure them to
deploy "every time."
New/modified screens: Devices > Device Management > Routing > Policy Based Routing
Remote Access VPN
Copy RA VPN policies. You can now create a new RA VPN policy by copying an existing policy. We added a copy button
next to each policy on Devices > VPN > Remote Access.
AnyConnect VPN SAML You can now configure AnyConnect VPN SAML External Browser to enable additional
external browser. authentication choices, such as passwordless authentication, WebAuthN, FIDO, SSO, U2F, and
an improved SAML experience due to the persistence of cookies. When you use SAML as the
primary authentication method for a remote access VPN connection profile, you can elect to have
the AnyConnect client use the client’s local browser instead of the AnyConnect embedded browser
to perform the web authentication. This option enables single sign-on (SSO) between your VPN
authentication and other corporate logins. Also choose this option if you want to support web
authentication methods, such as biometric authentication and Yubikeys, that cannot be performed
in the embedded browser.
We updated the remote access VPN connection profile wizard to allow you to configure the SAML
Login Experience.
Multiple trustpoints for SAML You can now add multiple RA VPN trustpoints for SAML identity providers, as required by
identity providers on Microsoft Microsoft Azure.
Azure.
In a Microsoft Azure network, Azure can support multiple applications for the same Entity ID.
Each application (typically mapped to a different tunnel group) requires a unique certificate. This
feature enables you to add multiple trustpoints for RA VPN in FTDv for Microsoft Azure.
Site to Site VPN
VPN filters. You can now configure site to site VPN filters with rules that determine whether to allow or reject
tunneled data packets based on criteria such as source address, destination address, and protocol.
The VPN filter is applied to post-decrypted traffic after it exits a tunnel and to pre-encrypted traffic
before it enters a tunnel.
Cisco Secure Firewall Management Center New Features by Release
94
New Features by Release
FMC Features in Version 7.1.0
Feature Details
Unique local tunnel ID for You can now configure a Local Tunnel ID per IKEv2 tunnel for both policy-based and route-based
IKEv2. Site to Site VPNs. You can configure the local tunnel ID with the FMC web interface or from the
REST API.
This local tunnel ID configuration enables Umbrella SIG integration with FTD.
Multiple IKE policies. You can now configure multiple IKE policies for both policy-based and route-based Site to Site
VPNs.
Multiple IKE policies can be configured through the FMC GUI and the REST API.
VPN monitoring dashboard. Beta.
The Site to Site VPN Monitoring Dashboard provides:
• Visualization of tunnel status distribution across all devices
• Visualization of network topology consisting of VPN tunnels
• Ability to visually isolate and examine tunnels based on criteria like Topology, Device and
Status
Note The Site to Site Monitoring Dashboard is a Beta feature and may not work as expected.
Do not use it in production environments.
Security Intelligence
Snort 3 support for Security With Snort 3, you can now apply Security Intelligence to HTTP proxy traffic where the IP address
Intelligence on proxied traffic. is embedded into the HTTP request. For example, when a user uploads a Block list or an Allow
list containing IP addresses or networks, the system matches on the destination server IP instead
of proxy IP. As a result, traffic to the destination server can be blocked, monitored, or allowed
(according to your Security Intelligence configuration).
Intrusion Detection and Prevention
Snort 3 support for drop, reject, Version 7.1 FMCs now support the following intrusion rule actions for FTD devices with Snort 3,
rewrite, and pass rule actions. including Version 7.0 devices:
• Drop: Drops the matching packet, but does not block further traffic in this connection.
Generates an intrusion event.
• Reject: Drops the matching packet and blocks further traffic in this connection. For TCP
traffic, sends a TCP reset. For UDP traffic, sends ICMP port unreachable to the source and
destination hosts. Generates an intrusion event.
• Rewrite: Overwrites the matching packet based on the replace option in the rule. Generates
an intrusion event.
• Pass: Allows matching packet to pass without further evaluation by any other intrusion rules.
Does not generate an intrusion event.
To configure these new rule actions, edit the Snort 3 version of an intrusion policy and use the
Rule Action drop-down for each rule.
Cisco Secure Firewall Management Center New Features by Release
95
New Features by Release
FMC Features in Version 7.1.0
Feature Details
Snort 3 support for TLS-based You can now create TLS-based intrusion rules to inspect decrypted TLS traffic with Snort 3. This
intrusion rules. feature allows Snort 3 intrusion rules to use TLS information.
Snort 3 support for inspection Upgrade impact.
of DCE/RPC over SMB2.
Version 7.1 with Snort 3 supports DCE/RPC inspection over SMB2.
After the first post-upgrade deploy to Snort 3 devices, existing DCE/RPC rules begin inspecting
DCE/RPC over SMB2; previously these rules only inspected DCE/RPC over SMB1.
Snort 3 support for intrusion Version 7.1 FMCs now support intrusion rule recommendations for FTD devices with Snort 3,
rule recommendations. including Version 7.0 devices.
To configure this feature, edit the Snort 3 version of an intrusion policy and click the
Recommendations button (in the left pane, next to All Rules).
Snort 3 support for ssl_version Upgrade impact.
and ssl_state keywords.
Version 7.1 with Snort 3 supports the ssl_version and ssl_state intrusion rule keywords.
Cisco-provided intrusion policies include active rules using those keywords. You can also create,
upload, and deploy custom/third party rules using them. In Version 7.0.x, we supported those
keywords with Snort 2 only. With Snort 3, rules with those keywords did not match traffic, and
thus could not generate alerts or affect traffic. There was no indication that the rules were not
working as expected. After the first post-upgrade deploy to Version 7.1+ Snort 3 devices, existing
rules with those keywords can match traffic.
Identity Services and User Control
Snort 3 captive portal support You can now intercept and redirect HTTP/2 traffic for user authentication with captive portal.
for interception of HTTP/2
When a redirect is received by the browser, the browser follows the redirect and authenticates with
traffic.
idhttpsd (Apache web server) using the same process as the HTTP/1 captive portal. After
authentication, idhttpsd redirects the user back to the original URL.
Snort 3 captive portal support You can configure active authentication for identity policy rules to redirect the user’s authentication
for hostname-based redirect. to a fully-qualified domain name (FQDN) rather than the IP address of the interface through which
the user’s connection enters the device.
The FQDN must resolve to the IP address of one of the interfaces on the device. By using an FQDN,
you can assign a certificate for active authentication that the client will recognize, thus avoiding
the untrusted certificate warning users get when being redirected to an IP address. The certificate
can specify the FQDN, a wildcard FQDN, or multiple FQDNs in the Subject Alternate Names
(SAN) in the certificate.
New/modified screens: We added the Redirect to Host Name option in the identity policy settings.
Encrypted Traffic Handling (TLS/SSL)
Cisco Secure Firewall Management Center New Features by Release
96
New Features by Release
FMC Features in Version 7.1.0
Feature Details
Advanced TLS/SSL policy You can now configure the following advanced TLS/SSL policy options in the Advanced Settings
options. tab on the SSL Policy page:
• Block flows requesting ESNI (Encrypted Server Name Identification)
• Disable HTTP/3 advertisement
• Propagate untrusted server certificates to clients
Encrypted Visibility Engine for Beta.
visibility into encrypted
You can enable the Encrypted Visibility Engine to gain visibility into an encrypted session without
sessions.
needing to decrypt it. The engine fingerprints and analyzes encrypted traffic. In FMC 7.1, the
Encrypted Visibility Engine provides more visibility into encrypted traffic, including protocols
such as TLS and QUIC. It does not enforce any actions on that traffic.
The Encrypted Visibility Engine is disabled by default. You can enable it on the Advanced tab of
an access control policy in the Experimental Features section.
New/modified screens: Policies > Access Control > Access Control Policy name > Advanced
Note The Encrypted Visibility Engine is an experimental Beta feature provided for visibility.
It may cause false positives.
Service Policy
Configure the maximum You can configure a service policy to set the server maximum segment size (MSS) for SYN-cookie
segment size (MSS) for generation for embryonic connections upon reaching the embryonic connections limit. This is
embryonic connections. meaningful for service policies where you are also setting embryonic connection maximums.
New/modified screens: Connection Settings in the Add/Edit Service Policy wizard.
Network Discovery
Improved Snort 3 support for With improvements to network discovery and remote network access support, Snort 3 is now at
network discovery (remote parity with Snort 2 for those features. The improvements include:
network access support).
• Discovery of hosts and applications for SMB traffic: For SMB traffic on your network, the
host is discovered in the network map, and the SMB application protocol and associated
operating system information are discovered.
• Discovery of NetBIOS traffic: For NetBIOS traffic, the NetBIOS name is discovered as well
as associated information related to applications, such as the client application and operating
system.
• Discovery of applications only for hosts/networks monitored by the network discovery policy:
This enhancement to the filtering logic enables you to discover applications for networks that
are being monitored based on a network discovery rule.
In Snort 3, application detection is always enabled for all networks by default.
Event Logging and Analysis
Cisco Secure Firewall Management Center New Features by Release
97
New Features by Release
FMC Features in Version 7.1.0
Feature Details
Snort 3 support for elephant With FTD running Snort 3, you can now identify elephant flows—single-session network
flow identification and connections that are large enough to affect overall system performance. By default, elephant flow
monitoring. detection is automatically enabled, and tracks and logs connections larger than 1GB/10 seconds.
A new predefined search for connection events (Reason = Elephant Flow) allows you to quickly
identify elephant flows. You can also use the health monitor to view active elephant flows on your
devices, and to create a custom health dashboard to correlate elephant flow incidence with other
device metrics such as CPU usage.
To disable this feature or to configure the size and time thresholds, use the FTD CLI.
New/modified FTD CLI commands:
• show elephant-flow status
• show elephant-flow detection-config
• system support elephant-flow-detection enable
• system support elephant-flow-detection disable
• system support elephant-flow-detection bytes-threshold bytes-in-MB
• system support elephant-flow-detection time-threshold time-in-seconds
Send intrusion events and Upgrade impact.
retrospective malware events to
When you configure the system to send security events to the Stealthwatch cloud using Cisco
the Secure Network Analytics
Security Analytics and Logging (SaaS), the FMC now sends:
cloud from the FMC.
• Intrusion events. This allows remotely stored intrusion events to include impact flag data.
Previously, these events were sent to the cloud by FTD and did not include the impact flag.
• Retrospective malware events. These supplement the "original disposition" file and malware
events that are still sent to the cloud by devices.
If you already enabled this feature, the FMC starts sending this information after a successful
upgrade.
New datastore for intrusion To improve performance, Version 7.1 uses a new datastore for intrusion events. After the upgrade
events improves performance. finishes and the FMC reboots, historical events are migrated in the background, newest events
first.
As part of this migration, we deprecated intrusion incidents, the intrusion event clipboard, and
custom tables for intrusion events. We also introduced two new fields in the intrusion event table:
Source Host Criticality and Destination Host Criticality.
Cisco Secure Firewall Management Center New Features by Release
98
New Features by Release
FMC Features in Version 7.1.0
Feature Details
NAT IP address and port For additional visibility into NAT translations, we added the following fields to connection and
information in connection and Security Intelligence events:
Security Intelligence events.
• NAT Source IP
• NAT Destination IP
• NAT Source Port
• NAT Destination Port
In the table view of events, these fields are hidden by default. To change the fields that appear,
click the x in any column name to display a field chooser.
Packet tracer enhancements. Version 7.1 updates the packet tracer interface for better usability. In addition, you can now:
• Access the packet tracer directly from the main menu: Devices > Troubleshoot > Packet
Tracer.
• Save packet traces.
• Run parallel packet traces across multiple devices.
• Replay PCAPs through a device.
• For Snort 3 devices, view enhanced output that provides new details on the phases of traffic
evaluation from L2 to L7 (application identification, file/malware detection, intrusion detection,
Security Intelligence, and so on), as well as how long each phase takes.
New/modified FTD CLI commands:
• packet-tracer inputsource_interfacepcappcap_filename
Object Management
Network object support for You can now use network object groups that contain network objects for hosts or networks when
HTTP, ICMP, and SSH configuring the IP addresses in the Threat Defense Platform Settings policy.
platform settings.
Snort 3 support for network You can now create and manage network wildcard mask objects on the Object Management page.
wildcard mask objects. You can use network wildcard mask objects in access control, prefilter, and NAT policies.
Deployment preview You can now preview deployment changes to Geolocation, File List, and Security Intelligence
enhancements for objects. objects.
Updated screen: Deploy > Deployment. In the Preview column, click the Preview icon for a
device to see the changes to the file list objects.
Integrations
Cisco Secure Firewall Management Center New Features by Release
99
New Features by Release
FMC Features in Version 7.1.0
Feature Details
Support for Cisco ACI Endpoint Version 2.0 of the Cisco ACI Endpoint Update App has the following improvements over previous
Update App, Version 2.0 and versions:
remediation module.
• The minimum update interval (how often the app updates the FMC) is now 10 seconds.
Previously, it was 30 seconds.
• The site prefix (a string that creates a network group object on the FMC associated with each
APIC tenant) is now limited to 10 characters. Previously, it was 5 characters.
A new Cisco ACI Endpoint remediation module is also available with this update.
Usability, Performance, and Troubleshooting
Health monitoring We updated the health monitor as follows:
enhancements.
• The health policy editor now groups similar health modules. You can enable and disable entire
module groups.
• The health policy exclusion editor is updated for better usability. Also, when you exclude a
device or health module from alerting, you can now specify a time period for the exclusion,
from 15 minutes to permanently.
• The health monitor alert editor is updated for better usability.
• The health policy deployment interface is updated for better usability.
Note To use the updated health monitor, you must enable REST API access on System
( ) > Configuration > REST API Preferences.
New/modified screens:
• System ( ) > Health > Policy > Edit Policy
• System ( ) > Health > Exclude
• System ( ) > Health > Monitor Alerts
• System ( ) > Health > Policy > Deploy Policy
Deployment history You can now bookmark a deployment job, edit the deployment notes for a job, and generate a
enhancements. report.
Global search enhancements. Global search now has the following capabilities:
• You can search the full text of FMC walkthroughs (how-tos).
• You can search extended community list names or configured values.
• You can restrict searches by domain.
Cisco Secure Firewall Management Center New Features by Release
100
New Features by Release
FMC Features in Version 7.1.0
Feature Details
New walkthroughs. We added the following walkthroughs:
• Create a Snort 3 intrusion policy.
• Enable or disable Snort 3 on an individual device.
• Create a Snort 3 network analysis policy.
• View the network analysis policy mapping.
• Upgrade FTD.
• Create and manage a cluster.
• Change the FMC access interface from Management to Data.
• Change the FMC access interface from Data to Management.
Snort memory usage telemetry For improved serviceability, we now send telemetry on Snort memory and swap usage, including
sent to Cisco Success Network. out-of-memory events, to Cisco Success Network.
We send this information for both Snort 2 and Snort 3. You can change your Cisco Success Network
enrollment at any time.
Snort 3 support for statistics on For FTD with Snort 3, the output of the show snort statistics command now reports statistics on
start-of-flow and end-of-flow start-of-flow and end-of-flow events.
events.
Web interface changes: Version 7.1 changes these FMC menu options if you are upgrading from Version 7.0.2 or any later
SecureX, threat intelligence, and Version 7.0.x maintenance release.
other integrations.
Note These changes will switch back in Version 7.2.
Integration > AMP > AMP Management is now AMP > AMP Management
Integration > AMP > Dynamic Analysis is now AMP > Dynamic Analysis Connections
Connections
Integration > Intelligence > Sources is now Intelligence > Sources
Integration > Intelligence > Elements is now Intelligence > Elements
Integration > Intelligence > Settings is now Intelligence > Settings
Integration > Intelligence > Incidents is now Intelligence > Incidents
Integration > Other Integrations is now System ( ) > Integration
Integration > Security Analytics & is now System ( ) > Logging > Security
Logging Analytics & Logging
Integration > SecureX is now System ( ) > SecureX
FMC REST API
Cisco Secure Firewall Management Center New Features by Release
101
New Features by Release
FMC Features in Version 7.1.0
Feature Details
FMC REST API. For information on changes to the FMC REST API, see What's New in 7.1 in the REST API quick
start guide.
Deprecated Features
End of support: FMC 1000, You cannot run Version 7.1+ on the FMC models FMC 1000, 2500, and 4500. You cannot manage
2500, 4500. Version 7.1+ devices with these FMCs.
End of support: ASA 5508-X You cannot run Version 7.1+ on the ASA 5508-X or 5516-X.
and 5516-X.
End of support: NGIPS software Version 7.1 is supported on the FMC and on FTD devices only. It is not supported on ASA
(ASA FirePOWER/NGIPSv). FirePOWER or NGIPSv devices.
You can still use a Version 7.1 FMC to manage older devices — FTD as well as ASA FirePOWER
and NGIPSv — that are running Version 6.5 through 7.0.
Deprecated (temporary): Upgrade impact. Cannot upgrade to Version 7.1.0 with new SecureX integration.
Improved SecureX integration,
This feature is included in Versions 7.0.2+ and 7.2+. It is not supported in Version 7.1. If you use
SecureX orchestration.
the new method to enable SecureX integration in Version 7.0.x, you cannot upgrade to Version
7.1 unless you disable the feature. We recommend you upgrade to Version 7.2+.
Deprecated: Intrusion incidents Upgrade impact. Data and configurations can be deleted.
and the intrusion event
We removed the intrusion incidents feature and the related intrusion event clipboard. The upgrade
clipboard.
removes all data related to incidents, and deletes report templates sections that use the clipboard
as a data source.
Deprecated screens/options:
• Analysis > Intrusions > Incidents
• Analysis > Intrusions > Clipboard
• Copy and Copy All on intrusion event workflow pages and packet views
• When adding sections to a report template (Overview > Reporting > Report Templates),
you can no longer choose the Clipboard table as a data source.
Deprecated: Custom tables for Upgrade impact. Custom tables can be deleted.
intrusion events.
Version 7.1 ends support for custom tables for intrusion events. The upgrade deletes custom tables
that contain fields from the intrusion event table.
When adding fields to a custom table (Analysis > Advanced > Custom Tables), you can no longer
choose the Intrusion Events table as a data source.
Deprecated: ECMP zones with Upgrade impact. Redo FlexConfigs after upgrade.
FlexConfig.
You can now group interfaces in traffic zones and configure Equal-Cost-Multi-Path (ECMP) routing
in the FMC web interface. After upgrade, the system ignores ECMP zones configured with
FlexConfig. You cannot deploy with equal-cost static routes exist and must assign their interfaces
to an ECMP zone.
Cisco Secure Firewall Management Center New Features by Release
102
New Features by Release
FMC Features in Version 7.0.6
Feature Details
Deprecated: Policy based Upgrade impact. Redo FlexConfigs after upgrade.
routing with FlexConfig.
You can now configure policy based routing (PBR) from the FMC web interface. This feature
requires Version 7.1+ on both the FMC and the device. When you upgrade the FMC to Version
7.1+, existing policy based routing FlexConfigs are removed. After you upgrade your devices to
Version 7.1+, redo your policy based routing configurations in the FMC web interface. For devices
that you do not upgrade to Version 7.1+, redo the FlexConfigs and configure them to deploy "every
time."
Deprecated: Geolocation details. In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses
to countries/continents, and an IP package that contains additional contextual data associated with
routable IP addresses. The contextual data in the IP package can include additional location details,
as well as connection information such as ISP, connection type, proxy type, domain name, and so
on.
The new country code package has the same file name as the old all-in-one package:
Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to
continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in
an air-gapped deployment—make sure you get the country code package and not the IP package.
Important This split does not affect geolocation rules or traffic handling in any way—those rules
rely only on the data in the country code package. However, because the country code
package essentially replaces the all-in-one package, the contextual data is no longer
updated and will grow stale. To obtain fresh data, upgrade or reimage the FMC to
Version 7.2+ and update the GeoDB.
FMC Features in Version 7.0.6
Table 14:
Feature Details
Updated web analytics provider. Upgrade impact. Your browser connects to new resources.
While using the management center, your browser now contacts Amplitude (amplitude.com) instead
of Google (google.com) for web analytics.
Web analytics provides non-personally-identifiable usage data to Cisco, including but not limited
to page interactions, browser versions, product versions, user location, and management IP addresses
or hostnames of your management centers. You are enrolled in web analytics by default but you
can change your enrollment at any time after you complete initial setup. Note that ad blockers can
block web analytics, so if you choose to remain enrolled, please disable ad blocking for the
hostnames/IP addresses of your Cisco appliances.
Version restrictions: Amplitude analytics are not supported in management center Version
7.0.0–7.0.5, 7.1.0–7.2.5, 7.3.x, or 7.4.0. Permanent support returns in Version 7.4.1 If you upgrade
from a supported version to an unsupported version, your browser resumes contacting Google.
Cisco Secure Firewall Management Center New Features by Release
103
New Features by Release
FMC Features in Version 7.0.5
Feature Details
Smaller VDB for lower memory Upgrade impact. Application identification on lower memory devices is affected.
Snort 2 devices.
For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory
devices running Snort 2. This smaller VDB contains the same applications, but fewer detection
patterns. Devices using the smaller VDB can miss some application identification versus devices
using the full VDB.
Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X,
5545-X
Version restrictions: The ability to install a smaller VDB depends on the version of the management
center, not managed devices. If you upgrade the management center from a supported version to
an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower
memory device. For a list of affected releases, see CSCwd88641.
See: Update the Vulnerability Database
Deprecated Features
Deprecated: high The Disk Usage health module no longer alerts with high unmanaged disk usage. After
unmanaged disk usage FMC upgrade, you may continue to see these alerts until you either deploy health policies to
alerts. managed devices (stops the display of alerts) or upgrade the devices (stops the sending of alerts).
Note Versions 7.0–7.0.5, 7.1.x, 7.2.0–7.2.3, and 7.3.x continue to support these alerts. If
your FMC is running any of these versions, you may also continue to see alerts.
For information on the remaining Disk Usage alerts, see Disk Usage and Drain of Events Health
Monitor Alerts.
FMC Features in Version 7.0.5
Table 15:
Feature Details
ISA 3000 System LED support When you shut down the ISA 3000, the System LED turns off. Wait at least 10 seconds after that
for shutting down. before you remove power from the device.
Version restrictions: Version 7.1 temporarily deprecates support for this feature. Support returns
in Version 7.3.
Cisco Secure Firewall Management Center New Features by Release
104
New Features by Release
FMC Features in Version 7.0.4
Feature Details
Automatically update CA Upgrade impact. The system connects to Cisco for something new.
bundles.
The local CA bundle contains certificates to access several Cisco services. The system now
automatically queries Cisco for new CA certificates at a daily system-defined time. Previously,
you had to upgrade the software to update CA certificates. You can use the CLI to disable this
feature.
New/modified CLI commands: configure cert-update auto-update, configure cert-update
run-now, configure cert-update test, show cert-update
Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not
supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an
unsupported version, the feature is temporarily disabled and the system stops contacting Cisco.
See: Firepower Management Center Command Line Reference and Cisco Secure Firewall Threat
Defense Command Reference
FMC Features in Version 7.0.4
This release introduces stability, hardening, and performance enhancements.
Cisco Secure Firewall Management Center New Features by Release
105
New Features by Release
FMC Features in Version 7.0.3
FMC Features in Version 7.0.3
Table 16: FMC Features in Version 7.0.3
Feature Minimum Minimum Details
Management Threat
Center Defense
FTD support for 7.2.0 for 7.0.3
cloud-delivered Firewall analytics-only
Management Center. support
Cisco Secure Firewall Management Center New Features by Release
106
New Features by Release
FMC Features in Version 7.0.3
Feature Minimum Minimum Details
Management Threat
Center Defense
Version 7.0.3 FTD devices support management by the cloud-delivered Firewall
Management Center, which we introduced in spring of 2022. The
cloud-delivered Firewall Management Center uses the Cisco Defense
Orchestrator (CDO) platform and unites management across multiple Cisco
security solutions. We take care of feature updates.
You should use Version 7.0.3 FTD with the cloud-delivered Firewall
Management Center if:
• You are currently using a customer-deployed ("on prem") hardware or
virtual FMC.
• You want to migrate to the cloud-delivered Firewall Management Center
right now.
• You do not want to upgrade devices to Version 7.2+, which also supports
management by the cloud-delivered Firewall Management Center.
If this is your situation, you should:
1. Upgrade the current FMC to Version 7.2+.
Although you can technically use a Version 7.0.3 or 7.1 FMC to upgrade
FTD to Version 7.0.3, you will not be able to easily migrate devices to the
cloud-delivered management center, nor will you be able to leave the
devices registered to the on-prem management center for event logging
and analytics purposes only ("analytics only").
2. Use the upgraded FMC to upgrade devices to Version 7.0.3.
3. Enable cloud management on the devices.
For Version 7.0.x devices only, you must enable cloud management from
the device CLI: configure manager-cdo enable. The show manager-cdo
command displays whether cloud management is enabled.
4. Use CDO's Migrate FTD to Cloud wizard to migrate the devices to the
cloud-delivered Firewall Management Center.
Optionally, leave the devices registered to the on-prem management center
as analytics-only devices. Or, you can send security events to the Cisco
cloud with Security Analytics and Logging (SaaS).
The cloud-delivered Firewall Management Center cannot manage threat defense
devices running Version 7.1, or Classic devices running any version. You
cannot upgrade a cloud-managed device from Version 7.0.x to Version 7.1
unless you unregister and disable cloud management. We recommend you
upgrade directly to Version 7.2+.
New/modified CLI commands: configure manager add, configure manager
delete, configure manager edit, show managers
For more information, see Managing Firewall Threat Defense with
Cisco Secure Firewall Management Center New Features by Release
107
New Features by Release
FMC Features in Version 7.0.2
Feature Minimum Minimum Details
Management Threat
Center Defense
Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator.
FMC Features in Version 7.0.2
Table 17:
Feature Details
ISA 3000 support for shutting You can now shut down the ISA 3000; previously, you could only reboot the device.
down.
Version restrictions: Version 7.1 temporarily deprecates support for this feature. Support returns
in Version 7.2.
Dynamic object names now Dynamic object names now support the dash character. This is especially useful if you are using
support the dash character. the ACI endpoint update app (where the dash character is allowed), to create dynamic objects on
the FMC that represent tenant endpoint groups.
Minimum threat defense: 7.0.2
Improved SecureX integration, Upgrade impact. Cannot upgrade Version 7.0.x → 7.1 with feature enabled.
SecureX orchestration.
We have streamlined the SecureX integration process. Now, as long as you already have a SecureX
account, you just choose your cloud region on the new Integration > SecureX page, click Enable
SecureX, and authenticate to SecureX. The option to send events to the cloud, as well as to enable
Cisco Success Network and Cisco Support Diagnostics, are also moved to this new page.
When you enable SecureX integration on this new page, licensing and management for the system's
cloud connection switches from Cisco Smart Licensing to SecureX. If you already enabled SecureX
the "old" way, you must disable and re-enable to get the benefits of this cloud connection
management.
Note that this page also governs the cloud region for and event types sent to the Secure Network
Analytics (Stealthwatch) cloud using Security Analytics and Logging (SaaS), even though the web
interface does not indicate this. Previously, these options were on System ( ) > Integration >
Cloud Services. Enabling SecureX does not affect communications with the Secure Network
Analytics cloud; you can send events to both.
The management center also now supports SecureX orchestration—a powerful drag-and-drop
interface you can use to automate workflows across security tools. After you enable SecureX, you
can enable orchestration.
As part of this feature, you can no longer use the REST API to configure SecureX integration. You
must use the FMC web interface.
Version restrictions: This feature is included in Versions 7.0.2+ and 7.2+. It is not supported in
Version 7.1. If you use the new method to enable SecureX integration in Version 7.0.x, you cannot
upgrade to Version 7.1 unless you disable the feature. We recommend you upgrade to Version
7.2+.
See: Cisco Secure Firewall Management Center (7.0.2 and 7.2) and SecureX Integration Guide
Cisco Secure Firewall Management Center New Features by Release
108
New Features by Release
FMC Features in Version 7.0.1
Feature Details
Web interface changes: We changed these FMC menu options.
SecureX, threat intelligence, and
Note These changes are temporarily deprecated in Version 7.1, but come back in Version
other integrations.
7.2.
AMP > AMP Management is now Integration > AMP > AMP Management
AMP > Dynamic Analysis Connections is now Integration > AMP > Dynamic Analysis
Connections
Intelligence > Sources is now Integration > Intelligence > Sources
Intelligence > Elements is now Integration > Intelligence > Elements
Intelligence > Settings is now Integration > Intelligence > Settings
Intelligence > Incidents is now Integration > Intelligence > Incidents
System ( ) > Integration is now Integration > Other Integrations
System ( ) > Logging > Security is now Integration > Security Analytics &
Analytics & Logging Logging
System ( ) > SecureX is now Integration > SecureX
FMC Features in Version 7.0.1
Table 18: FMC Features in Version 7.0.1
Feature Details
Snort 3 rate_filter inspector. We introduced the Snort 3 rate_filter inspector.
This allows you to change the action of an intrusion rule in response to excessive matches on that
rule. You can block rate-based attacks for a specific length of time, then return to allowing matching
traffic while still generating events. For more information, see the Snort 3 Inspector Reference.
New/modified pages: Configure the inspector by editing the Snort 3 version of a custom network
analysis policy.
Version restrictions: This feature requires Version 7.0.1+ on both the FMC and the device.
Additionally, you must be running lsp-rel-20210816-1910 or later. You can check and update the
LSP on System ( ) > Updates > Rule Updates.
New default password for ISA For new devices, the default password for the admin account is now Adm!n123. Previously, the
3000 with ASA FirePOWER default admin password was Admin123.
Services.
Upgrading or reimaging to Version 7.0.1+ does not change the password. However, we do
recommend that all user accounts—especially those with Admin access—have strong passwords.
Cisco Secure Firewall Management Center New Features by Release
109
New Features by Release
FMC Features in Version 7.0.0
FMC Features in Version 7.0.0
Table 19: FMC Features in Version 7.0.0
Feature Details
Platform
VMware vSphere/VMware You can now deploy FMCv, FTDv, and NGIPSv virtual appliances on VMware vSphere/VMware
ESXi 7.0 support. ESXi 7.0.
Note that Version 7.0 also discontinues support for VMware 6.0. Upgrade the hosting environment
to a supported version before you upgrade the Firepower software.
New virtual environments. We introduced FMCv and FTDv for:
• Cisco HyperFlex
• Nutanix Enterprise Cloud
• OpenStack
For FMCv, all these implementations support FMCv2, v10, and v25.
FMCv for HyperFlex also supports high availability with FMCv10 and v25. In an FTD deployment,
you need two identically licensed FMCs, as well as one FTD entitlement for each managed device.
For example, to manage 10 devices with an FMCv10 high availability pair, you need two FMCv10
entitlements and 10 FTD entitlements. If you are managing Classic devices only (NGIPSv or ASA
FirePOWER), you do not need FMCv entitlements.
FTDv performance tiered Smart Upgrade impact. Upgrading automatically assigns devices to the FTDv50 tier.
Licensing.
FTDv now supports performance-tiered Smart Software Licensing, based on throughput requirements
and RA VPN session limits. Options run from FTDv5 (100 Mbps/50 sessions) to FTDv100 (16
Gbps/10,000 sessions).
Before you add a new device, make sure your account contains the licenses you need. To purchase
additional licenses, contact your Cisco representative or partner contact.
Upgrading FTDv to Version 7.0 automatically assigns the device to the FTDv50 tier. To continue
using your legacy (non-tiered) license, after upgrade, change the tier to Variable.
For more information on supported instances, throughputs, and other hosting requirements, see
the appropriate Getting Started Guide.
New/modified pages:
• You can now specify a performance tier when adding or editing an FTDv device on the Device
> Device Management page.
• You can bulk-edit performance tiers on System ( ) > Licenses > Smart Licenses > page.
High Availability/Scalability
Cisco Secure Firewall Management Center New Features by Release
110
New Features by Release
FMC Features in Version 7.0.0
Feature Details
Improved PAT port block The improved PAT port block allocation ensures that the control unit keeps ports in reserve for
allocation for clustering joining nodes, and proactively reclaims unused ports. To best optimize the allocation, you can set
the maximum nodes you plan to have in the cluster using the cluster-member-limit command
using FlexConfig. The control unit can then allocate port blocks to the planned number of nodes,
and it will not have to reserve ports for extra nodes you don't plan to use. The default is 16 nodes.
You can also monitor syslog 747046 to ensure that there are enough ports available for a new node.
New/modified commands: cluster-member-limit (FlexConfig), show nat pool cluster [summary],
show nat pool ip detail
Supported platforms: Firepower 4100/9300
FTD CLI show cluster history New keywords allow you to customize the output of the show cluster history command.
improvements.
New/modified commands: show cluster history [brief] [latest] [reverse] [time]
Supported platforms: Firepower 4100/9300
FTD CLI command to You can now use the FTD CLI to permanently remove a unit from the cluster, converting its
permanently leave a cluster. configuration to a standalone device.
New/modified commands: cluster reset-interface-mode
Supported platforms: Firepower 4100/9300
NAT
Prioritized system-defined NAT We added a new Section 0 to the NAT rule table. This section is exclusively for the use of the
rules. system. Any NAT rules that the system needs for normal functioning are added to this section, and
these rules take priority over any rules you create. Previously, system-defined rules were added to
Section 1, and user-defined rules could interfere with proper system functioning.
You cannot add, edit, or delete Section 0 rules, but you will see them in show nat detail command
output.
Supported platforms: FTD
Virtual Routing
Virtual router support for the You can now configure up to 10 virtual routers on an ISA 3000 device.
ISA 3000.
Supported platforms: ISA 3000
Site to Site VPN
Backup virtual tunnel interfaces When you configure a site-to-site VPN that uses virtual tunnel interfaces, you can select a backup
(VTI) for route-based site-to-site VTI for the tunnel.
VPN.
Specifying a backup VTI provides resiliency, so that if the primary connection goes down, the
backup connection might still be functional. For example, you could point the primary VTI to the
endpoint of one service provider, and the backup VTI to the endpoint of a different service provider.
New/modified pages: We added the ability to add a backup VTI to the site-to-site VPN wizard
when you select Route-Based as the VPN type for a point-to-point connection.
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
111
New Features by Release
FMC Features in Version 7.0.0
Feature Details
Remote Access VPN
Load balancing. We now support RA VPN load balancing. The system distributes sessions among grouped devices
by number of sessions; it does not consider traffic volume or other factors.
New/modified screens: We added load balancing options to the Advanced settings in an RA VPN
policy.
Supported platforms: FTD
Local authentication. We now support local authentication for RA VPN users. You can use this as the primary or
secondary authentication method, or as a fallback in case the configured remote server cannot be
reached.
1. Create a local realm.
Local usernames and passwords are stored in local realms. When you create a realm (System
( ) > Integration > Realms) and select the new LOCAL realm type, the system prompts
you to add one or more local users.
2. Configure RA VPN to use local authentication.
Create or edit an RA VPN policy (Devices > VPN > Remote Access), create a connection
profile within that policy, then specify LOCAL as the primary, secondary, or fallback
authentication server in that connection profile.
3. Associate the local realm you created with an RA VPN policy.
In the RA VPN policy editor, use the new Local Realm setting. Every connection profile in
the RA VPN policy that uses local authentication will use the local realm you specify here.
Supported platforms: FTD
Dynamic access policies. The new dynamic access policy allows you to configure remote access VPN authorization that
automatically adapts to a changing environment:
1. Configure HostScan by uploading the AnyConnect HostScan package as an AnyConnect file
(Objects > Object Management > VPN > AnyConnect File). There is a new HostScan
Package option in the File Type drop-down list.
This module runs on endpoints and performs a posture assessment that the dynamic access
policy will use.
2. Create a dynamic access policy (Devices > Dynamic Access Policy).
Dynamic access policies specify session attributes (such as group membership and endpoint
security) that you want to evaluate each time a user initiates a session. You can then deny or
grant access based on that evaluation.
3. Associate the dynamic access policy you created with an RA VPN policy.
In the remote access VPN policy editor, use the new Dynamic Access Policy setting.
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
112
New Features by Release
FMC Features in Version 7.0.0
Feature Details
Multi-certificate authentication. We now support multi-certificate authentication for remote access VPN users. You can validate
the machine or device certificate, to ensure the device is a corporate-issued device, in addition to
authenticating the user’s identity certificate to allow VPN access using the AnyConnect client
during SSL or IKEv2 EAP phase.
Supported platforms: FTD
AnyConnect custom attributes. We now support AnyConnect custom attributes, and provide an infrastructure to configure
AnyConnect client features without adding explicit support for these features in the system.
Supported platforms: FTD
Access Control
Cisco Secure Firewall Management Center New Features by Release
113
New Features by Release
FMC Features in Version 7.0.0
Feature Details
Snort 3 for FTD. For new FTD deployments, Snort 3 is now the default inspection engine. Upgraded deployments
continue to use Snort 2, but you can switch at any time.
Advantages to using Snort 3 include, but are not limited to:
• Improved performance.
• Improved SMBv2 inspection.
• New script detection capabilities.
• HTTP/2 inspection.
• Custom rule groups.
• Syntax that makes custom intrusion rules easier to write.
• Reasons for 'would have dropped' inline results in intrusion events.
• No Snort restarts when deploying changes to the VDB, SSL policies, custom application
detectors, captive portal identity sources, and TLS server identity discovery.
• Improved serviceability, due to Snort 3-specific telemetry data sent to Cisco Success Network,
and to better troubleshooting logs.
A Snort 3 intrusion rule update is called an LSP (Lightweight Security Package) rather than an
SRU. The system still uses SRUs for Snort 2; downloads from Cisco contain both the latest LSP
and SRU. The system automatically uses the appropriate rule set for your configurations.
The FMC can manage a deployment with both Snort 2 and Snort 3 devices, and will apply the
correct policies to each device. However, unlike Snort 2, you cannot update Snort 3 on a device
by upgrading the FMC only and then deploying. With Snort 3, new features and resolved bugs
require you upgrade the software on the FMC and its managed devices. For information on the
Snort included with each software version, see the Bundled Components section of the Cisco
Firepower Compatibility Guide.
Important Before you switch to Snort 3, we strongly recommend you read and understand the
Firepower Management Center Snort 3 Configuration Guide. Pay special attention
to feature limitations and migration instructions. Although upgrading to Snort 3 is
designed for minimal impact, features do not map exactly. Careful planning and
preparation can help you make sure that traffic handled as expected.
You can also visit the Snort 3 website: https://snort.org/snort3.
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
114
New Features by Release
FMC Features in Version 7.0.0
Feature Details
Dynamic objects. You can now use dynamic objects in access control rules.
A dynamic object is just a list of IP addresses/subnets (no ranges, no FQDN). But unlike a network
object, changes to dynamic objects take effect immediately, without having to redeploy. This is
useful in virtual and cloud environments, where IP addresses often dynamically map to workload
resources.
To create and manage dynamic objects, we recommend the Cisco Secure Dynamic Attributes
Connector. The connector is a separate, lightweight application that quickly and seamlessly updates
firewall policies based on workload changes. To do this, it gets workload attributes from tagged
resources in your environment, and compiles an IP list based on criteria you specify (a “dynamic
attributes filter”). It then creates a dynamic object on the FMC and populates it with the IP list.
When your workload changes, the connector updates the dynamic object and the system immediately
starts handling traffic based on the new mappings. For more information, see the Cisco Secure
Dynamic Attributes Connector Configuration Guide.
After you create a dynamic object, you can add it to access control rules on the new Dynamic
Attributes tab in the access control rule editor. This tab replaces the narrower-focus SGT/ISE
Attributes tab; continue to configure rules with SGT attributes here.
Note You can also create a dynamic object on the FMC: Objects > Object Management
> External Attributes > Dynamic Objects. However, this creates the container only;
you must then populate and manage it using the REST API. See the Firepower
Management Center REST API Quick Start Guide, Version 7.0.
Supported platforms: FMC
Supported virtual/cloud workloads for Cisco Secure Dynamic Attributes Connector integration:
Microsoft Azure, AWS, VMware
Cross-domain trust for Active You can now configure user identity rules with users from Microsoft Active Directory forests
Directory domains. (groupings of AD domains that trust each other).
New/modified pages:
• You now configure a realm and directories at the same time.
• A new Sync Results page (System ( ) > Integration > Sync Results) displays any errors
related to downloading users and groups in a cross-domain trust relationship.
Supported platforms: FMC
DNS filtering. DNS filtering, which was introduced as a Beta feature in Version 6.7, is now fully supported and
is enabled by default in new access control policies.
Supported platforms: Any
Event Logging and Analysis
Cisco Secure Firewall Management Center New Features by Release
115
New Features by Release
FMC Features in Version 7.0.0
Feature Details
Improved process for storing A new Cisco Security Analytics and Logging (On Premises) app and a new FMC wizard make it
events in a Secure Network easier to configure remote data storage for on-prem Secure Network Analytics solutions:
Analytics on-prem deployment.
1. Deploy hardware or virtual Stealthwatch appliances.
You can use a Stealthwatch Management Console alone, or you can configure Stealthwatch
Management Console, flow collector, and data store.
2. Install the new Cisco Security Analytics and Logging (On Premises) app on your Stealthwatch
Management Console to configure Stealthwatch as a remote data store.
3. On the FMC, use one of the new wizards on System ( ) > Logging > Security Analytics &
Logging to connect to your Stealthwatch deployment.
Note that the wizards replace the narrower-focus page where you used to configure Stealthwatch
contextual cross-launch; that is now a step in the wizard.
For upgraded deployments where you were using syslog to send Firepower events to Stealthwatch,
disable those configurations before you use the wizard. Otherwise, you will get double events. To
remove the syslog connection to Stealthwatch use FTD platform settings (Devices > Platform
Settings); to disable sending events to syslog, edit your access control rules.
For more information, including Stealthwatch hardware and software requirements, see Cisco
Security Analytics and Logging (On Premises): Firewall Event Integration Guide.
Supported platforms: FMC
Work with events stored You can now use the FMC to work with connection events stored remotely in a Secure Network
remotely in a Secure Network Analytics on-prem deployment.
Analytics on-prem deployment.
A new Data Source option on the connection events page (Analysis > Connections > Events)
and in the unified event viewer (Analysis > Unified Events) allows you to choose which connection
events you want to work with. The default is to display locally stored connection events, unless
there are none in the time range. In that case, the system displays remotely stored events..
We also added a data source option to report templates (Overview > Reporting > Report
Templates), so that you can generate reports based on remotely stored connection events.
Note This feature is supported for connection events only; cross-launch is still the only
way to examine remotely stored Security Intelligence, intrusion, file and malware
events. Even in the unified event viewer, the system only displays locally stored
events of those types.
However, note that for every Security Intelligence event, there is an identical
connection event—these are the events with reasons such as 'IP Block' or 'DNS Block.'
You can work with those duplicated events on the connection events page or in the
unified event viewer, but not on the dedicated Security Intelligence events page.
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
116
New Features by Release
FMC Features in Version 7.0.0
Feature Details
Store all connection events in You can now store all connection events in the Stealthwatch cloud using Cisco Security Analytics
the Secure Network Analytics and Logging (SaaS). Previously, you were limited to security events: Security Intelligence, intrusion,
cloud. file, and malware events, as well as their associated connection events.
To change the events you send to the cloud, choose System ( ) > Integration. On the Cloud
Services tab, edit the Cisco Cloud Event Configuration. The old option to send high priority
connection events to the cloud has been replaced with a choice of All, None, or Security Events.
Note These settings also control which events you send to SecureX. However, even if you
choose to send all connection events to the cloud, SecureX consumes only the security
(higher priority) connection events. Also note that you now configure the SecureX
connection itself on Analysis > SecureX.
Supported platforms: FMC
Unified event viewer. The unified event viewer (Analysis > Unified Events) displays connection, Security Intelligence,
intrusion, file, and malware events in a single table. This can help you look relationships between
events of different types.
A single search field allows you to dynamically filter the view based on multiple criteria, and a
Go Live option displays events received from managed devices in real time.
Supported platforms: FMC
SecureX ribbon. The SecureX ribbon on the FMC pivots into SecureX for instant visibility into the threat landscape
across your Cisco security products.
To connect with SecureX and enable the ribbon, use System ( ) > SecureX. Note that you must
still use System ( ) > Integration > Cloud Services to choose your cloud region and to specify
which events to send to SecureX.
For more information, see the Cisco Secure Firewall Threat Defense and SecureX Integration
Guide.
Supported platforms: FMC
Exempt all connection events Event rate limiting applies to all events sent to the FMC, with the exception of security events:
from rate limiting when you turn Security Intelligence, intrusion, file, and malware events, as well as their associated connection
off local storage. events.
Now, disabling local connection event storage exempts all connection events from rate limiting,
not just security events. To do this, set the Maximum Connection Events to zero on System ( )
> Configuration > Database.
Note Other than turning it off by setting it to zero, Maximum Connection Events does
not govern connection event rate limiting. Any non-zero number in this field ensures
that all lower-priority connection events are rate limited.
Note that disabling local event storage does not affect remote event storage, nor does it affect
connection summaries or correlation. The system still uses connection event information for features
like traffic profiles, correlation policies, and dashboard displays.
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
117
New Features by Release
FMC Features in Version 7.0.0
Feature Details
Port and protocol displayed In file and malware event tables, the port field now displays the protocol, and you can search port
together in file and malware fields for protocol. For events that existed before upgrade, if the protocol is not known, the system
event tables. uses "tcp."
New/modified pages:
• Analysis > Files > Malware Events
• Analysis > Files > File Events
Supported platforms: FMC
Upgrade
Improved FTD upgrade FTD upgrades are now easier faster, more reliable, and take up less disk space. A new Upgrades
performance and status tab in the Message Center provides further enhancements to upgrade status and error reporting.
reporting.
Supported platforms: FTD
Upgrade wizard for FTD. A new device upgrade page (Devices > Device Upgrade) on the FMC provides an easy-to-follow
wizard for upgrading Version 6.4+ FTD devices. It walks you through important pre-upgrade
stages, including selecting devices to upgrade, copying the upgrade package to the devices, and
compatibility and readiness checks.
To begin, use the new Upgrade Firepower Software action on the Device Management page
(Devices > Device Management > Select Action).
As you proceed, the system displays basic information about your selected devices, as well as the
current upgrade-related status. This includes any reasons why you cannot upgrade. If a device does
not "pass" a stage in the wizard, it does not appear in the next stage.
If you navigate away from wizard, your progress is preserved, although other users with
Administrator access can reset, modify, or continue the wizard.
Note You must still use System ( ) > Updates to upload or specify the location of FTD
upgrade packages. You must also use the System Updates page to upgrade the FMC
itself, as well as all non-FTD managed devices.
Note In Version 7.0, the wizard does not correctly display devices in clusters or high
availability pairs. Even though you must select and upgrade these devices as a unit,
the wizard displays them as standalone devices. Device status and upgrade readiness
are evaluated and reported on an individual basis. This means it is possible for one
unit to appear to "pass" to the next stage while the other unit or units do not. However,
these devices are still grouped. Running a readiness check on one, runs it on all.
Starting the upgrade on one, starts it on all.
To avoid possible time-consuming upgrade failures, manually ensure all group
members are ready to move on to the next step of the wizard before you click Next.
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
118
New Features by Release
FMC Features in Version 7.0.0
Feature Details
Upgrade more FTD devices at The FTD upgrade wizard lifts the following restrictions:
once.
• Simultaneous device upgrades.
The number of devices you can upgrade at once is now limited by your management network
bandwidth—not the system's ability to manage simultaneous upgrades. Previously, we
recommended against upgrading more than five devices at a time.
Important Only upgrades to FTD Version 6.7+ see this improvement. If you are upgrading
devices to an older FTD release—even if you are using the new upgrade
wizard—we still recommend you limit to five devices at a time.
• Grouping upgrades by device model.
You can now queue and invoke upgrades for all FTD models at the same time, as long as the
system has access to the appropriate upgrade packages.
Previously, you would choose an upgrade package, then choose the devices to upgrade using
that package. That meant that you could upgrade multiple devices at the same time only if
they shared an upgrade package. For example, you could upgrade two Firepower 2100 series
devices at the same time, but not a Firepower 2100 series and a Firepower 1000 series.
Supported platforms: FTD
Administration and Troubleshooting
Zero-touch restore for the ISA When you perform a local backup, the backup file is copied to the SD card if present. To restore
3000 using the SD card. the configuration on a replacement device, simply install the SD card in the new device, and depress
the Reset button for 3 to 15 seconds during the device bootup.
Supported platforms: ISA 3000
Selectively deploy RA and Selective policy deployment, which was introduced in Version 6.6, now supports remote access
site-to-site VPN policies. and site-to-site VPN policies.
New/modified pages: We added VPN policy options on the Deploy > Deployment page.
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
119
New Features by Release
FMC Features in Version 7.0.0
Feature Details
New health modules. We added the following health modules:
• AMP Connection Status
• AMP Threat Grid Status
• ASP Drop
• Advanced Snort Statistics
• Chassis Status FTD
• Event Stream Status
• FMC Access Configuration Changes
• FMC HA Status (replaces HA Status)
• FTD HA Status
• File System Integrity Check
• Flow Offload
• Hit Count
• MySQL Status
• NTP Status FTD
• Rabbit MQ Status
• Routing Statistics
• SSE Connection Status
• Sybase Status
• Unresolved Groups Monitor
• VPN Statistics
• xTLS Counters
Additionally, full support returns for the Configuration Memory Allocation module, which was
introduced in Version 6.6.3 as the Appliance Configuration Resource Utilization module, but was
not fully supported in Version 6.7.
Supported platforms: FMC
Security and Hardening
New default password for AWS The default password for the admin account is now the AWS Instance ID, unless you define a
deployments. default password with user data (Advanced Details > User Data) during the initial deployment.
Previously, the default admin password was Admin123.
Supported platforms: FMCv for AWS, FTDv for AWS
Cisco Secure Firewall Management Center New Features by Release
120
New Features by Release
FMC Features in Version 7.0.0
Feature Details
EST for certificate enrollment. Support for Enrollment over Secure Transport for certificate enrollment was provided.
New/modified pages: New enrollment options when configuring Objects > PKI > Cert Enrollment
> CA Information tab.
Supported platforms: FMC
Support for EdDSA certificate A new certificate key type- EdDSA was added with key size 256.
type.
New/modified pages: New certificate key options when configuring Objects > PKI > Cert
Enrollment > Key tab.
Supported platforms: FMC
AES-128 CMAC authentication You can now use AES-128 CMAC keys to secure connections between the FMC and NTP servers.
for NTP servers.
New/modified pages: System ( ) > Configuration > Time Synchronization.
Supported platforms: FMC
SNMPv3 users can authenticate SNMPv3 users can now authenticate using a SHA-224 or SHA-384 algorithm.
using a SHA-224 or SHA-384
New/modified pages: Devices > Platform Settings > SNMP > Users > Auth Algorithm Type
authorization algorithm.
Supported platforms: FTD
Usability and Performance
Global search for policies and You can now search for certain policies by name, and for certain objects by name and configured
objects. value. This feature is not available with the Classic theme.
New/modified pages: We added capabilities to the Search icon and field on the FMC menu bar,
to the left of the Deploy menu.
Supported platforms: FMC
Hardware crypto acceleration We now support hardware crypto acceleration (CBC cipher only) on FTDv for VMware and FTDv
on FTDv using Intel for KVM. This feature requires a Intel QAT 8970 PCI adapter/Version 1.7+ driver on the hosting
QuickAssist Technology (QAT). platform. After you reboot, hardware crypto acceleration is automatically enabled.
Supported platforms: FTDv for VMware, FTDv for KVM
Improved CPU usage and The system no longer creates local host objects and locks them when creating connections, except
performance for many-to-one for connections that involve dynamic NAT/PAT and scanning threat detection and host statistics.
and one-to-many connections. This improves performance and CPU usage in situations where many connections are going to the
same server (such as a load balancer or web server), or one endpoint is making connections to
many remote hosts.
We changed the following commands: clear local-host (deprecated), show local-host
Supported platforms: FTD
How-to location has changed. Help > How-Tos now invokes walkthroughs. Previously, you clicked How-Tos at the bottom of
the browser window.
FMC REST API
Cisco Secure Firewall Management Center New Features by Release
121
New Features by Release
FMC Features in Version 7.0.0
Feature Details
FMC REST API. For information on changes to the management center REST API, see the Firepower Management
Center REST API Quick Start Guide, Version 7.0,
Deprecated Features
End of support: VMware We discontinued support for virtual deployments on VMware vSphere/VMware ESXi 6.0. Upgrade
vSphere/VMware ESXi 6.0. the hosting environment to a supported version before you upgrade the Firepower software.
Deprecated: RSA certificates Prevents post-upgrade VPN connections through FTD devices.
with keys smaller than 2048
We removed support for RSA certificates with keys smaller than 2048 bits, or that use SHA-1 in
bits, or that use SHA-1 in their
their signature algorithm.
signature algorithm.
Before you upgrade, use the object manager to update your PKI certificate enrollments with stronger
options: Objects > PKI > Cert Enrollment. Otherwise, although the upgrade preserves your
current settings, VPN connections through the device will fail.
To continue managing older FTD devices only (Version 6.4–6.7.x) with these weaker options,
select the new Enable Weak-Crypto option for each device on the Devices > Certificates page.
Deprecated: MD5 authentication Deletes Users. Prevents post-upgrade deploy.
algorithm and DES encryption
We removed support for the MD5 authentication algorithm and DES encryption for SNMPv3 users
for SNMPv3 users.
on FTD devices.
Upgrading FTD to Version 7.0+ deletes these users from the device, regardless of the configurations
on the FMC. If you are still using these options in your platform settings policy, change and verify
your configurations before you upgrade FTD.
These options are in the Auth Algorithm Type and Encryption Type drop-downs when creating
or editing an SNMPv3 user in a Threat Defense platform settings policy: Devices > Platform
Settings.
Deprecated: Port 32137 comms Prevents FMC upgrade.
with AMP clouds.
We deprecated the FMC option to use port 32137 to obtain file disposition data from public and
private AMP clouds. Unless you configure a proxy, the FMC now uses port 443/HTTPS.
Before you upgrade, disable the Use Legacy Port 32137 for AMP for Networks option on the
System ( ) > Integration > Cloud Services page. Do not proceed with upgrade until your AMP
for Networks deployment is working as expected.
Deprecated: HA Status health We renamed the HA Status health module to the FMC HA Status health module. This is to
module. distinguish it from the new FTD HA Status module.
Deprecated: Legacy API We removed support for the FMC REST API legacy API Explorer.
Explorer.
Cisco Secure Firewall Management Center New Features by Release
122
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Deprecated: Geolocation details. In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses
to countries/continents, and an IP package that contains additional contextual data associated with
routable IP addresses. The contextual data in the IP package can include additional location details,
as well as connection information such as ISP, connection type, proxy type, domain name, and so
on.
The new country code package has the same file name as the old all-in-one package:
Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to
continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in
an air-gapped deployment—make sure you get the country code package and not the IP package.
Important This split does not affect geolocation rules or traffic handling in any way—those rules
rely only on the data in the country code package. However, because the country code
package essentially replaces the all-in-one package, the contextual data is no longer
updated and will grow stale. To obtain fresh data, upgrade or reimage the FMC to
Version 7.2+ and update the GeoDB.
FMC Features in Version 6.7.x
Table 20: FMC Features in Version 6.7.0
Feature Details
Platform
FMCv and FTDv for OCI and We introduced FMCv and FTDv for:
GCP.
• Oracle Cloud Infrastructure (OCI)
• Google Cloud Platform (GCP)
High availability support on FMCv for VMware now supports high availability. You use the FMCv web interface to establish
FMCv for VMware. HA, just as you would on hardware models.
In an FTD deployment, you need two identically licensed FMCv's, as well as one FTD entitlement
for each managed device. For example, to manage 10 FTD devices with an FMCv10 HA pair, you
need two FMCv10 entitlements and 10 FTD entitlements. If you are managing Classic devices
only (7000/8000 series, NGIPSv, ASA FirePOWER), you do not need FMCv entitlements.
Note that this feature is not supported on FMCv 2 for VMware—that is, an FMCv licensed to
manage only two devices.
Supported platforms: FMCv 10, 25, and 300 for VMware
Cisco Secure Firewall Management Center New Features by Release
123
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Auto Scale improvements for Version 6.7.0 includes the following Auto Scale improvements for FTDv for AWS:
FTDv for AWS.
• Custom Metric Publisher. A new Lambda function polls the FMC every second minute for
memory consumption of all FTDv instances in the Auto Scale group, then publishes the value
to CloudWatch Metric.
• A new scaling policy based on memory consumption is available.
• FTDv private IP connectivity for SSH and Secure Tunnel to the FMC.
• FMC configuration validation.
• Support for opening more Listening ports on ELB.
• Modified to Single Stack deployment. All Lambda functions and AWS resources are deployed
from a single stack for a streamlined deployment.
Supported platforms: FTDv for AWS
Auto Scale improvements for The FTDv for Azure Auto Scale solution now includes support for scaling metrics based on CPU
FTDv for Azure. and memory (RAM), not just CPU.
Supported platforms: FTDv for Azure
Firepower Threat Defense: Device Management
Manage FTD on a data You can now configure FMC management of the FTD on a data interface instead of using the
interface. dedicated management interface.
This feature is useful for remote deployment when you want to manage the FTD at a branch office
from an FMC at headquarters and need to manage the FTD on the outside interface. If the FTD
receives a public IP address using DHCP, then you can optionally configure Dynamic DNS (DDNS)
for the interface using the web type update method. DDNS ensures the FMC can reach the FTD
at its Fully-Qualified Domain Name (FQDN) if the FTD's IP address changes.
Note FMC access on a data interface is not supported with clustering or high availability.
New/modified pages:
• Devices > Device Management > Device > Management section
• Devices > Device Management > Interfaces > FMC Access
• Devices > Device Management > DHCP > DDNS > DDNS Update Methods page
New/modified FTD CLI commands: configure network management-data-interface, configure
policy rollback
Supported platforms: FTD
Update the FMC IP address on If you change the FMC IP address, you can now use the FTD CLI to update the device.
the FTD.
New/modified FTD CLI commands: configure manager edit
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
124
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Synchronization between the The Firepower 4100/9300 chassis can now synchronize the FTD operational link state with the
FTD operational link state and physical link state for data interfaces.
the physical link state for the
Currently, interfaces will be in an Up state as long as the FXOS admin state is up and the physical
Firepower 4100/9300.
link state is up. The FTD application interface admin state is not considered. Without synchronization
from FTD, data interfaces can be in an Up state physically before the FTD application has completely
come online, for example, or can stay Up for a period of time after you initiate an FTD shutdown.
For inline sets, this state mismatch can result in dropped packets because external routers may start
sending traffic to the FTD before the FTD can handle it.
This feature is disabled by default, and can be enabled per logical device in FXOS.
Note This feature is not supported for clustering, container instances, or an FTD with a
Radware vDP decorator. It is also not supported for ASA.
New/modified Firepower Chassis Manager pages: Logical Devices > Enable Link State
New/modified FXOS commands: set link-state-sync enabled, show interface expand detail
Supported platforms: Firepower 4100/9300
Firepower 1100/2100 series SFP Upgrade impact.
interfaces now support disabling
You can now configure a Firepower 1100/2100 series SFP interface to disable flow control and
auto-negotiation.
link status negotiation.
Previously, when you set an SFP interface speed (1000 or 10000 Mbps) on these devices, flow
control and link status negotiation was automatically enabled. You could not disable it.
Now, you can select No Negotiate to disable flow control and link status negotiation. This also
sets the speed to 1000 Mbps, regardless of whether you are configuring a 1 GB SFP or 10 GB
SFP+ interface. You cannot disable negotation at 10000 Mbps.
New/modified pages: Devices > Device Management > Interfaces > edit interface > Hardware
Configuration > Speed
Supported platforms: Firepower 1100/2100 series
Firepower Threat Defense: Clustering
Cisco Secure Firewall Management Center New Features by Release
125
New Features by Release
FMC Features in Version 6.7.x
Feature Details
New cluster management You can now use the FMC to perform the following cluster management tasks, where previously
functionality on the FMC. you had to use the CLI:
• Enable and disable cluster units.
• Show cluster status from the Device Management page, including History and Summary per
unit.
• Change the role to the control unit.
New/modified pages:
• Devices > Device Management > More menu
• Devices > Device Management > Cluster > General area > Cluster Live Status link >
Cluster Status
Supported platforms: Firepower 4100/9300
Faster cluster deployment. Cluster deployment now completes faster. Also, for most deployment failures, it fails more quickly.
Supported platforms: Firepower 4100/9300
Changes to PAT address Upgrade impact.
allocation in clustering.
The way PAT addresses are distributed to the members of a cluster is changed.
Previously, addresses were distributed to the members of the cluster, so your PAT pool would need
a minimum of one address per cluster member. Now, the control instead divides each PAT pool
address into equal-sized port blocks and distributes them across cluster members. Each member
has port blocks for the same PAT addresses. Thus, you can reduce the size of the PAT pool, even
to as few as one IP address, depending on the amount of connections you typically need to PAT.
Port blocks are allocated in 512-port blocks from the 1024-65535 range. You can optionally include
the reserved ports, 1-1023, in this block allocation when you configure PAT pool rules. For example,
in a 4-node cluster, each node gets 32 blocks with which it will be able to handle 16384 connections
per PAT pool IP address compared to a single node handling all 65535 connections per PAT pool
IP address.
As part of this change, PAT pools for all systems, whether standalone or operating in a cluster,
now use a flat port range of 1024–65535. Previously, you could use a flat range by enabling the
Flat Port Range option in a PAT pool rule (Pat Pool tab in an FTD NAT rule). The Flat Port
Range option is now ignored: the PAT pool is now always flat. You can optionally select the
Include Reserved Ports option to include the 1–1023 port range within the PAT pool.
Note that if you configure port block allocation (the Block Allocation PAT pool option), your
block allocation size is used rather than the default 512-port block. In addition, you cannot configure
extended PAT for a PAT pool for systems in a cluster.
This change takes effect automatically. You do not need to do anything before or after upgrade.
Supported platforms: FTD
Firepower Threat Defense: Encryption and VPN
Cisco Secure Firewall Management Center New Features by Release
126
New Features by Release
FMC Features in Version 6.7.x
Feature Details
AnyConnect module support for FTD RA VPN now supports AnyConnect modules.
RA VPN.
As part of your RA VPN group policy, you can now configure a variety of optional modules to be
downloaded and installed when a user downloads the Cisco AnyConnect VPN client. These modules
can provide services such as web security, malware protection, off-network roaming protection,
and so on.
You must associate each module with a profile containing your custom configurations, created in
the AnyConnect Profile Editor and uploaded to the FMC as an AnyConnect File object.
New/modified pages:
• Upload module profiles: We added new File Type options to Objects > Object Management
> VPN > AnyConnect File > Add AnyConnect File
• Configure modules: We added Client Modules options to Objects > Object Management
> VPN > Group Policy > add or edit a Group Policy object > AnyConnect settings
Supported platforms: FTD
AnyConnect management VPN FTD RA VPN now supports an AnyConnect management VPN tunnel that allows VPN connectivity
tunnels for RA VPN. to endpoints when the corporate endpoints are powered on, not just when a VPN connection is
established by the end user.
This feature helps administrators perform patch management on out-of-the-office endpoints,
especially devices that are infrequently connected by the user, via VPN, to the office network.
Endpoint operating system login scripts which require corporate network connectivity also benefit.
Supported platforms: FTD
Single sign-on for RA VPN. FTD RA VPN now supports single sign-on (SSO) for remote access VPN users configured at a
SAML 2.0-compliant identity provider (IdP).
New/modified pages:
• Connect to an SSO server: Objects > Object Management > AAA Server > Single Sign-on
Server
• Configure SSO as part of RA VPN: We added SAML as an authentication method (AAA
settings) when configuring an RA VPN connection profile.
Supported platforms: FTD
LDAP authorization for RA FTD RA VPN now supports LDAP authorization using LDAP attribute maps.
VPN.
An LDAP attribute map equates attributes that exist in the Active Directory (AD) or LDAP server
with Cisco attribute names. Then, when the AD or LDAP server returns authentication to the FTD
device during remote access VPN connection establishment, the FTD device can use the information
to adjust how the AnyConnect client completes the connection.
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
127
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Virtual Tunnel Interface (VTI) FTD site-to-site VPN now supports a logical interface called Virtual Tunnel Interface (VTI).
and route-based site-to-site
As an alternative to policy-based VPN, a VPN tunnel can be created between peers with Virtual
VPN.
Tunnel Interfaces configured. This supports route-based VPN with IPsec profiles attached to the
end of each tunnel. This allows dynamic or static routes to be used. Using VTI does away with the
requirement of configuring static crypto map access lists and mapping them to interfaces. Traffic
is encrypted using static route or BGP. You can create a routed security zone, add VTI interfaces
to it, and define access control rules for the decrypted traffic control over the VTI tunnel.
VTI-based VPNs can be created between:
• Two FTD devices
• An FTD device and a public cloud
• An FTD device and another FTD device with service provider redundancy
New/modified pages:
• Devices > Device Management > Interfaces > Add Interfaces > Virtual Tunnel Interface
• Devices > VPN > Site To Site > Add VPN > Firepower Threat Defense Device > Route
Based (VTI)
Supported platforms: FTD
Dynamic RRI support for FTD site-to-site VPN now supports Dynamic Reverse Route Injection (RRI) supported with
site-to-site VPN. IKEv2-based static crypto maps in site-to-site VPN deployments. This allowed static routes to be
automatically inserted into the routing process for networks and hosts protected by a remote tunnel
endpoint.
New/modified pages: We added the Enable Dynamic Reverse Route Injection advanced option
when adding an endpoint to a site-to-site VPN topology.
Supported platforms: FTD
Enhancements to manual You can now obtain signed CA certificates and identity certificates from a CA authority
certificate enrollment. independently of each other.
We made the following changes to PKI certificate enrollment objects, which store enrollment
parameters for creating Certificate Signing Requests (CSRs) and obtaining identity certificates:
• We added the CA Only option to the manual enrollment settings for PKI certificate enrollment
objects. If you enable this option, you will receive only a signed CA certificate from the CA
authority, and not the identity certificate.
• You can now leave the CA Certificate field blank in the manual enrollment settings for PKI
certificate enrollment objects. If you do this, you will receive only the identity certificate from
the CA authority, and not the signed CA certificate.
New/modified pages: Objects > Object Management > PKI > Cert Enrollment > Add Cert
Enrollment > CA Information > Enrollment Type > Manual
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
128
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Enhancements to FTD We made the following enhancements to FTD certificate management:
certificate management.
• You can now view the chain of certifying authorities (CAs) when viewing certificate contents.
• You can now export certificates.
New/modified pages:
• Devices > Certificates > Status column > View icon (magnifying glass)
• Devices > Certificates > Export icon
Supported platforms: FTD
Access Control: URL Filtering, Application Control, and Security Intelligence
URL filtering and application You can now perform URL filtering and application control on traffic encrypted with TLS 1.3, by
control on traffic encrypted with using information from the server certificate. You do not have decrypt the traffic for this feature
TLS 1.3 (TLS Server Identity to work.
Discovery).
Note We recommend enabling this feature if you want to perform URL filtering and
application control on encrypted traffic. However, it can affect device performance,
especially on lower-memory models.
New/modified pages: We added a TLS Server Identity Discovery warning and option to the
access control policy's Advanced tab.
New/modified FTD CLI commands: We added the B flag to the output of the show conn detail
command. On a TLS 1.3-encrypted connection, this flag indicates that we used the server certificate
for application and URL detection.
Supported platforms: FTD
URL filtering on traffic to You can now perform URL filtering for websites that have an unknown reputation.
websites with unknown
New/modified pages: We added an Apply to unknown reputation check box to the access control,
reputation.
QoS, and SSL rule editors.
Supported platforms: FMC
DNS filtering enhances URL Beta.
filtering.
DNS filtering enhances URL filtering by determining the category and reputation of requested
domains earlier in the transaction, including in encrypted traffic—but without decrypting the traffic.
You enable DNS filtering per access control policy, where it applies to all category/reputation URL
rules in that policy.
Note DNS filtering is a Beta feature and may not work as expected. Do not use it in
production environments.
New/modified pages: We added the Enable reputation enforcement on DNS traffic option to
the access control policy's Advanced tab, under General Settings.
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
129
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Shorter update frequencies for The FMC can now update Security Intelligence data every 5 or 15 minutes. Previously, the shortest
Security Intelligence feeds. update frequency was 30 minutes.
If you configure one of these shorter frequencies on a custom feed, you must also configure the
system to use an md5 checksum to determine whether the feed has updates to download.
New/modified pages: We added new options to Objects > Object Management > Security
Intelligence > Network Lists and Feeds > edit feed > Update Frequency
Supported platforms: FMC
Access Control: User Control
pxGrid 2.0 with ISE/ISE-PIC. Upgrade impact.
Use pxGrid 2.0 when you connect the FMC to an ISE/ISE-PIC identity source. If you are still using
pxGrid 1.0, switch now. That version is deprecated.
For use with pxGrid 2.0, Version 6.7.0 introduces the Cisco ISE Adaptive Network Control (ANC)
remediation, which applies or clears ISE-configured ANC policies involved in a correlation policy
violation.
If you used the Cisco ISE Endpoint Protection Services (EPS) remediation with pxGrid 1.0,
configure and use the ANC remediation with pxGrid 2.0. ISE remediations will not launch if you
are using the 'wrong' pxGrid. The ISE Connection Status Monitor health module alerts you to
mismatches.
For detailed compatibility information for all supported Firepower versions, including integrated
products, see the Cisco Firepower Compatibility Guide.
New/modified pages:
• Policies > Actions > Modules > Installed Remediation Modules list
• Policies > Actions > Instances > Select a module type drop-down list
Supported platforms: FMC
Realm sequences. You can now group realms into ordered realm sequences.
Add a realm sequence to an identity rule in the same way as you add a single realm. When applying
the identity rule to network traffic, the system searches the Active Directory domains in the order
specified. You cannot create realm sequences for LDAP realms.
New/modified pages: System > Integration > Realm Sequences
Supported platforms: FMC
ISE subnet filtering. Especially useful on lower-memory devices, you can now use the CLI to exclude subnets from
receiving user-to-IP and Security Group Tag (SGT)-to-IP mappings from ISE.
The Snort Identity Memory Usage health module alerts when memory usage exceeds a certain
level, which by default is 80%.
New device CLI command: configure identity-subnet-filter {add | remove}
Supported platforms: FMC-managed devices
Cisco Secure Firewall Management Center New Features by Release
130
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Access Control: Intrusion and Malware Prevention
Improved preclassification of Upgrade impact.
files for dynamic analysis.
The system can now decide not to submit a suspected malware file for dynamic analysis, based on
the static analysis results (for example, a file with no dynamic elements).
After you upgrade, in the Captured Files table, these files will have a Dynamic Analysis Status of
Rejected for Analysis.
Supported platforms: FMC
S7Commplus preprocessor. The new S7Commplus preprocessor supports the widely accepted S7 industrial protocol. You can
use it to apply corresponding intrusion and preprocessor rules, drop malicious traffic, and generate
intrusion events.
New/modified pages:
• Enable the preprocessor: In the network analysis policy editor, click Settings (you must click
the word 'Settings'), and enable S7Commplus Configuration under SCADA Preprocessors.
• Configure the preprocessor: In the network analysis policy editor, under Settings, click
S7Commplus Configuration.
• Configure S7Commplus preprocessor rules: In the intrusion policy editor, click Rules >
Preprocessors > S7 Commplus Configurations.
Supported platforms: all FTD devices, including ISA 3000
Custom intrusion rule import The FMC now warns you of rule collisions when you import custom (local) intrusion rules.
warns when rules collide. Previously, the FMC would silently skip the rules that cause collisions—with the exception of
Version 6.6.0.1, where a rule import with collisions would fail entirely.
On the Rule Updates page, if a rule import had collisions, a warning icon is displayed in the Status
column. For more information, hover your pointer over the warning icon and read the tooltip.
Note that a collision occurs when you try to import an intrusion rule that has the same SID/revision
number as an existing rule. You should always make sure that updated versions of custom rules
have new revision numbers. We recommend you read the best practices for importing local intrusion
rules in the FMC configuration guide.
New/modified pages: We added a warning icon to System > Updates > Rule Updates.
Supported platforms: FMC
Access Control: TLS/SSL Decryption
Cisco Secure Firewall Management Center New Features by Release
131
New Features by Release
FMC Features in Version 6.7.x
Feature Details
ClientHello modification for Upgrade impact.
Decrypt - Known Key TLS/SSL
If you configure TLS/SSL decryption, when a managed device receives a ClientHello message,
rules.
the system now attempts to match the message to TLS/SSL rules that have the Decrypt - Known
Key action. Previously, the system only matched ClientHello messages to Decrypt - Resign rules.
The match relies on data from the ClientHello message and from cached server certificate data. If
the message matches, the device modifies the ClientHello message in specific ways; see the
ClientHello Message Handling topic in the FMC configuration guide.
This behavior change occurs automatically after upgrade. If you use Decrypt - Known Key TLS/SSL
rules, make sure that encrypted traffic is being handled as expected.
Supported platforms: Any device
Event Logging and Analysis
Remote data storage and You can now store large volumes of Firepower event data off-FMC, using an on-premises
cross-launch with an on-prem Stealthwatch solution: Cisco Security Analytics and Logging (On Premises).
Stealthwatch solution.
When viewing events in FMC, you can quickly cross-launch to view events in your remote data
storage location. The FMC uses syslog to send connection, Security Intelligence, intrusion, file,
and malware events.
Note This on-prem solution is supported for FMCs running Version 6.4.0+. However,
contextual cross-launch requires Firepower Version 6.7.0+. This solution also depends
on availability of the Security Analytics and Logging On Prem app for the Stealthwatch
Management Console (SMC), which must be running Stealthwatch Enterprise (SWE)
version 7.3.
Supported platforms: FMC
Quickly add Stealthwatch A new page on the FMC allows you to quickly add contextual cross-launch resources for your
contextual cross-launch Stealthwatch appliance.
resources.
After you add Stealthwatch resources, you manage them on the general contextual cross-launch
page. This is where you continue to manually create and manage non-Stealthwatch cross-launch
resources.
New/modified pages:
• Add Stealthwatch resources: System > Logging > Security Analytics and Logging
• Manage resources: Analysis > Advanced > Contextual Cross-Launch
Supported platform: FMC
Cisco Secure Firewall Management Center New Features by Release
132
New Features by Release
FMC Features in Version 6.7.x
Feature Details
New cross-launch options field You can now cross-launch into an external resource using the following additional types of event
types. data:
• Access control policy
• Intrusion policy
• Application protocol
• Client application
• Web application
• Username (including realm)
New/modified pages:
• New variables when creating or editing cross-launch query links: Analysis > Advanced >
Contextual Cross-Launch.
• New data types in the dashboard and event viewer now offer cross-launch on right click.
Supported platforms: FMC
National Vulnerability Database Upgrade impact.
(NVD) replaces Bugtraq.
Bugtraq vulnerability data is no longer available. Most vulnerability data now comes from the
NVD. To support this change, we made the following changes:
• Added the CVE ID and Severity fields to the Vulnerabilities table. Right-clicking the CVE
ID in the table view allows you to view details about the vulnerability on the NVD.
• Renamed the Vulnerability Impact field to Impact (in the table view only).
• Removed the obsolete/redundant Bugtraq ID, Title, Available Exploits, Technical
Description, and Solution fields.
• Removed the Bugtraq ID filtering option from the Hosts network map.
If you export vulnerability data, make sure any integrations are working as expected after the
upgrade.
Supported platforms: FMC
Upgrade
Cisco Secure Firewall Management Center New Features by Release
133
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Pre-upgrade compatibility Upgrade impact.
check.
In FMC deployments, Firepower appliances must now pass pre-upgrade compatibility checks
before you can run more complex readiness checks or attempt to upgrade. This check catches issues
that will cause your upgrade to fail—but we now catch them earlier and block you from proceeding.
The checks are as follows:
• You cannot use the FMC to upgrade a Firepower 4100/9300 chassis to Version 6.7.0+ until
you upgrade FXOS to the new release's companion FXOS version.
Upgrade is blocked as long as you are upgrading the device to Version 6.7.0 or later. For
example, you are not blocked from attempting a Firepower 4100/9300 upgrade from 6.3 →
6.6.x, even if the device is running a version of FXOS that is too old for Firepower Version
6.6.x.
• You cannot use the FMC to upgrade a device if that device has out-of-date configurations.
Upgrade is blocked as long as the FMC is running Version 6.7.0 or later, and you are upgrading
a managed device to a valid target. For example, you are blocked from upgrading a device
from 6.3.0 → 6.6.x if the device has outdated configurations.
• You cannot upgrade an FMC from Version 6.7.0+ if its devices have out-of-date configurations.
Upgrade is blocked as long as the FMC is running Version 6.7.0 or later. For upgrades from
earlier versions (including to Version 6.7.0), you must make sure you deploy yourself.
When you select an upgrade package to install, the FMC displays compatibility check results for
all eligible appliances. The new Readiness Check page also displays this information. You cannot
upgrade until you fix the issues indicated.
New/modified pages:
• System > Update > Product Updates > Available Updates > Install icon for the upgrade
package
• System > Update > Product Updates > Readiness Checks
Supported platforms: FMC, FTD
Cisco Secure Firewall Management Center New Features by Release
134
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Improved readiness checks. Upgrade impact.
Readiness checks assess a Firepower appliance's preparedness for a software upgrade. These checks
include database integrity, file system integrity, configuration integrity, disk space, and so on.
After you upgrade the FMC to Version 6.7.0, you will see the following improvements to FTD
upgrade readiness checks:
• Readiness checks are faster.
• Readiness checks are now supported on high availability and clustered FTD devices, without
having to log into the device CLI.
• Readiness checks for FTD device upgrades to Version 6.7.0+ no longer require the upgrade
package to reside on the device. Although we still recommend you push the upgrade package
to the device before you begin the upgrade itself, you no longer have to do so before you run
the readiness check.
• When you select an upgrade package to install, the FMC now shows the readiness status for
all applicable FTD devices. A new Readiness Checks page allows you to view the results of
readiness checks for the FTD devices in your deployment. You can also re-run readiness
checks from this page.
• Readiness check results include the estimated upgrade time (but do not include reboot time).
• Error messages are better. You can also download success/failure logs from the Message
Center on the FMC.
Note that these improvements are supported for FTD upgrades from Version 6.3.0+, as long as the
FMC is running Version 6.7.0+.
New/modified pages:
• System > Update > Product Updates > Available Updates > Install icon for the upgrade
package
• System > Update > Product Updates > Readiness Checks
• Message Center > Tasks
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
135
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Improved FTD upgrade status Upgrade impact.
reporting and cancel/retry
You can now view the status of device upgrades and readiness checks in progress on the Device
options.
Management page, as well as a 7-day history of upgrade success/failures. The Message Center also
provides enhanced status and error messages.
A new Upgrade Status pop-up, accessible from both Device Management and the Message Center
with a single click, shows detailed upgrade information, including percentage/time remaining,
specific upgrade stage, success/failure data, upgrade logs, and so on.
Also on this pop-up, you can manually cancel failed or in-progress upgrades (Cancel Upgrade),
or retry failed upgrades (Retry Upgrade). Canceling an upgrade reverts the device to its pre-upgrade
state.
Note To be able to manually cancel or retry a failed upgrade, you must disable the new
auto-cancel option, which appears when you use the FMC to upgrade an FTD device:
Automatically cancel on upgrade failure and roll back to the previous version.
With the option enabled, the device automatically reverts to its pre-upgrade state upon
upgrade failure.
Auto-cancel is not supported for patches. In an HA or clustered deployment,
auto-cancel applies to each device individually. That is, if the upgrade fails on one
device, only that device is reverted.
New/modified pages:
• System > Update > Product Updates > Available Updates > Install icon for the FTD
upgrade package
• Devices > Device Management > Upgrade
• Message Center > Tasks
New FTD CLI commands:
• show upgrade status detail
• show upgrade status continuous
• show upgrade status
• upgrade cancel
• upgrade retry
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
136
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Upgrades postpone scheduled Upgrade impact.
tasks.
FMC upgrades now postpone scheduled tasks. Any task scheduled to begin during the upgrade
will begin five minutes after the post-upgrade reboot.
Note Before you begin any upgrade, you must still make sure running tasks are complete.
Tasks running when the upgrade begins are stopped, become failed tasks, and cannot
be resumed.
Note that this feature is supported for all upgrades from a supported version. This includes Version
6.4.0.10 and later patches, Version 6.6.3 and later maintenance releases, and Version 6.7.0+. This
feature is not supported for upgrades to a supported version from an unsupported version.
Supported platforms: FMC
Upgrades remove PCAP files to Upgrade impact.
save disk space.
To upgrade a Firepower appliance, you must have enough free disk space or the upgrade fails.
Upgrades now remove locally stored PCAP files.
Supported platforms: Any
Deployment and Policy Management
Configuration rollback. Beta.
You can now "roll back" configurations on an FTD device, replacing them with the previously
deployed configurations.
Note Rollback is a Beta feature, and is not supported in all deployment types and scenarios.
It is also a disruptive operation. Make sure you read and understand the guidelines
and limitations in the Policy Management chapter of the FMC configuration guide.
New/modified pages: Deploy > Deployment History > Rollback column and icons.
Supported platforms: FTD
Deploy intrusion and file You can now select and deploy intrusion and file policies independently of access control policies,
policies independently of access unless there are dependent changes.
control policies.
New/modified pages: Deploy > Deployment
Supported platforms: FMC
Search access control rule You can now search within access control rules comments.
comments.
New/modified pages: In the access control policy editor, we added the Comments field to the
Search Rules drop-down dialog.
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
137
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Search and filter FTD NAT You can now search for rules in an FTD NAT policy to help you find rules based on IP addresses,
rules. ports, object names, and so forth. Search results include partial matches. Searching on criteria
filters the rule table so only matching rules are displayed.
New/modified pages: We added a search field above the rule table when you edit an FTD NAT
policy.
Supported platforms: FTD
Copy and move rules between You can copy access control rules from one access control policy to another. You can also move
access control and prefilter rules between an access control policy and its associated prefilter policy.
policies.
New/modified pages: In the access control and prefilter policy editors, we added Copy and Move
options to each rule's right-click menu.
Supported platforms: FMC
Bulk object import. You can now bulk-import network, port, URL, VLAN tag, and distinguished name objects onto
the FMC, using a comma-separated-values (CSV) file.
For restrictions and specific formatting instructions, see the Reusable Objects chapter of the FMC
configuration guide.
New/modified pages: Objects > Object Management > choose an object type > Add [Object
Type] > Import Object
Supported platforms: FMC
Interface object optimization for You can now enable interface object optimization on specific FTD devices.
access control and prefilter
During deployment, interface groups and security zones used in the access control and prefilter
policies.
policies generate separate rules for each source/destination interface pair. If you enable interface
object optimization, the system will instead deploy a single rule per access control/prefilter rule,
which can simplify the device configuration and improve deployment performance.
Interface object optimization is disabled by default. If you enable it, you should also enable Object
Group Search—which now applies to interface objects in addition to network objects—to reduce
memory usage on the device.
New/modified pages: Devices > Device Management > Device > Advanced Settings section >
Interface Object Optimization check box
Supported platforms: FTD
Administration and Troubleshooting
FMC single sign-on. The FMC now supports single sign-on (SSO) for external users configured at any third-party SAML
2.0-compliant identity provider (IdP). You can map user or group roles from the IdP to FMC user
roles.
New/modified pages:
• Login > Single Sign-On
• System > Users > SSO
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
138
New Features by Release
FMC Features in Version 6.7.x
Feature Details
FMC logout delay. When you log out of the FMC, there is an automatic five-second delay and countdown. You can
click Log Out again to log out immediately.
Supported platforms: FMC
Backup and restore for FTD You can now use the FMC to back up and restore Version 6.7.0+ FTD container instances.
container instances.
Supported platforms: Firepower 4100/9300
Health monitoring We enhanced health monitoring as follows:
enhancements.
• Health Status summary page that provides an at-a-glance view of the health of the Firepower
Management Center and all of the devices that the FMC manages.
• The Monitoring navigation pane allows you to navigate the device hierarchy.
• Managed devices are listed individually, or grouped according to their geolocation, high
availability, or cluster status where applicable.
• You can view health monitors for individual devices from the navigation pane.
• Custom dashboards to correlate interrelated metrics. Select from predefined correlation groups,
such as CPU and Snort; or create a custom correlation dashboard by building your own variable
set from the available metric groups.
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
139
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Health module updates. We replaced the CPU Usage health module with four new modules:
• CPU Usage (per core): Monitors the CPU usage on all of the cores.
• CPU Usage Data Plane: Monitors the average CPU usage of all data plane processes on the
device.
• CPU Usage Snort: Monitors the average CPU usage of the Snort processes on the device.
• CPU Usage System: Monitors the average CPU usage of all system processes on the device.
We added the following health modules to track memory use:
• Memory Usage Data Plane: Monitors the percentage of allocated memory used by data plane
processes.
• Memory Usage Snort: Monitors the percentage of allocated memory used by the Snort process.
We added the following health modules to track statistics:
• Connection Statistics: Monitors connection statistics and NAT translation counts.
• Critical Process Statistics: Monitors the state of critical processes, their resource consumption,
and the restart counts.
• Deployed Configuration Statistics: Monitors statistics about the deployed configuration, such
as the number of ACEs and IPS rules.
• Snort Statistics: Monitors Snort statistics for events, flows, and packets.
Supported platforms: FMC
Search Message Center. You can now filter the current view in the Message Center.
New/modified pages: We added a Filter icon and field to the Message Center, under the Show
Notifications slider.
Supported platforms: FMC
Usability and Performance
Dusk theme. Beta.
The FMC web interface defaults to the Light theme, but you can also choose a new Dusk theme.
Note The Dusk theme is a Beta feature. If you encounter issues that prevent you from using
a page or feature, switch to a different theme. Although we cannot respond to
everybody, we also welcome feedback — please use the feedback link on the User
Preferences page or contact us at fmc-light-theme-feedback@cisco.com.
New/modified pages: User Preferences, from the drop-down list under your username
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
140
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Search FMC menus. You can now search the FMC menus.
New/modified pages: We added a Search icon and field to the FMC menu bar, to the left of the
Deploy menu.
Supported platforms: FMC
FMC REST API
FMC REST API. We added the following FMC REST API services/operations to support new and existing features.
Authorization services:
• ssoconfig: GET and PUT operations to retrieve and modify FMC single-sign on.
Health services:
• metrics: GET operation to retrieve metrics for the health monitor.
• alerts: GET operation to retrieve health alerts.
• deploymentdetails: GET operation to retrieve deployment health details.
Deployment services:
• jobhistories: GET operation to retrieve deployment history.
• rollbackrequests: POST operation to request a configuration rollback.
Device services:
• metrics: GET operation to retrieve device metrics.
• virtualtunnelinterfaces: GET, PUT, POST, and DELETE operations to retrieve and modify
virtual tunnel interfaces.
Integration services:
• externalstorage: GET, GET by ID, and PUT operations to retrieve and modify external event
storage configuration.
Policy services:
• intrusionpolicies: POST and DELETE operations to modify intrusion policies.
Update services:
• cancelupgrades: POST operation to cancel a failed upgrade.
• retryupgrades: POST operation to retry a failed upgrade.
Supported platforms: FMC
Deprecated Features
Cisco Secure Firewall Management Center New Features by Release
141
New Features by Release
FMC Features in Version 6.7.x
Feature Details
End of support: ASA 5525-X, You cannot run Version 6.7+ on the ASA 5525-X, 5545-X, and 5555-X.
5545-X, and 5555-X devices
with Firepower software.
Deprecated: Cisco Firepower Prevents FMC upgrade.
User Agent software and
You cannot upgrade an FMC with user agent configurations to Version 6.7+.
identity source.
Version 6.6 is the last release to support the Cisco Firepower User Agent software as an identity
source. You should switch to Cisco Identity Services Engine/Passive Identity Connector
(ISE/ISE-PIC). To convert your license, contact Sales.
For more information, see the End-of-Life and End-of-Support for the Cisco Firepower User Agent
announcement and the Firepower User Identity: Migrating from User Agent to Identity Services
Engine TechNote.
Deprecated FTD CLI commands: configure user agent
Deprecated: Cisco ISE Endpoint ISE remediations can stop working.
Protection Services (EPS)
The Cisco ISE Endpoint Protection Services (EPS) remediation does not work with pxGrid 2.0.
remediation.
Configure and use the new Cisco ISE Adaptive Network Control (ANC) remediation instead.
ISE remediations will not launch if you are using the 'wrong' pxGrid to connect the FMC to an
ISE/ISE-PIC identity source. The ISE Connection Status Monitor health module alerts you to
mismatches.
Deprecated: Less secure Prevents FMC upgrade.
Diffie-Hellman groups, and
You may not be able to upgrade an FMC if you use any of the following FTD features:
encryption and hash algorithms.
• Diffie-Hellman groups: 2, 5, and 24.
Group 5 continues to be supported in FMC deployments for IKEv1, but we recommend you
change to a stronger option.
• Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES,
AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is
the only option) for users who do not satisfy export controls.
• The NULL "encryption algorithm" (authentication without encryption, for testing purposes)
continues to be supported in FMC deployments for both IKEv1 and IKEv2 IPsec proposals.
However, it is no longer supported in IKEv2 policies.
• Hash algorithms: MD5.
If you are still using these features in IKE proposals or IPsec policies, change and verify your VPN
configuration before you upgrade.
Cisco Secure Firewall Management Center New Features by Release
142
New Features by Release
FMC Features in Version 6.7.x
Feature Details
Deprecated: Appliance Possible post-upgrade errors in the health monitor.
Configuration Resource
Version 6.7 partially and temporarily deprecates support for the Appliance Configuration Resource
Utilization heath module
Utilization health module, which was introduced in Version 6.6.3 and is supported in all later 6.6.x
(temporary).
releases.
Version 6.7 support is as follows:
• FMC upgraded to Version 6.7 from Version 6.6.3+
Continues to support the module, but only if the devices remain at Version 6.6.x. If you
upgrade the devices to Version 6.7, the module stops working and the health monitor displays
an error. To resolve the error, use the FMC to disable the module and reapply policies.
• FMC upgraded to Version 6.7 from Version 6.3–6.6.1, or FMC freshly installed to Version
6.7.
Does not support the module.
In the rare case that you add a Version 6.6.x device that has the module enabled to an FMC
where the module is not supported, the health monitor displays an error that you cannot resolve.
This error is safe to ignore.
Full support returns in Version 7.0, where the module is renamed to Configuration Memory
Allocation.
Deprecated: Other health Version 6.7 deprecates the following health modules:
modules (permanent).
• CPU Usage: Replaced by four new modules; see the new features table above.
• Local Malware Analysis: This module was replaced by the Threat Data Updates on Devices
module in Version 6.3. A Version 6.7+ FMC can no longer manage any devices where the
older module applies.
• User Agent Status Monitor: Cisco Firepower User Agent is no longer supported.
Deprecated: Walkthroughs with Version 6.7 discontinues FMC walkthroughs (how-tos) for the Classic theme. You can switch
the Classic theme. themes in your user preferences.
Deprecated: Bugtraq Version 6.7 removes database fields and options for Bugtraq. Bugtraq vulnerability data is no
longer available. Most vulnerability data now comes from the National Vulnerability Database
(NVD).
If you export vulnerability data, make sure any integrations are working as expected after the
upgrade.
Deprecated: Microsoft Internet We no longer test Firepower web interfaces using Microsoft Internet Explorer. We recommend
Explorer you switch to Google Chrome, Mozilla Firefox, or Microsoft Edge.
Cisco Secure Firewall Management Center New Features by Release
143
New Features by Release
FMC Features in Version 6.6.x
Feature Details
Deprecated: Geolocation details. In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses
to countries/continents, and an IP package that contains additional contextual data associated with
routable IP addresses. The contextual data in the IP package can include additional location details,
as well as connection information such as ISP, connection type, proxy type, domain name, and so
on.
The new country code package has the same file name as the old all-in-one package:
Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to
continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in
an air-gapped deployment—make sure you get the country code package and not the IP package.
Important This split does not affect geolocation rules or traffic handling in any way—those rules
rely only on the data in the country code package. However, because the country code
package essentially replaces the all-in-one package, the contextual data is no longer
updated and will grow stale. To obtain fresh data, upgrade or reimage the FMC to
Version 7.2+ and update the GeoDB.
FMC Features in Version 6.6.x
Table 21: FMC Features in Version 6.6.3
Feature Details
Upgrades postpone scheduled Upgrade impact.
tasks.
Upgrades now postpone scheduled tasks. Any task scheduled to begin during the upgrade will
begin five minutes after the post-upgrade reboot.
Note Before you begin any upgrade, you must still make sure running tasks are complete.
Tasks running when the upgrade begins are stopped, become failed tasks, and cannot
be resumed.
Note that this feature is supported for Firepower appliances running Version 6.6.3+. It is not
supported for upgrades to Version 6.6.3, unless you are upgrading from Version 6.4.0.10 or any
later patch.
Cisco Secure Firewall Management Center New Features by Release
144
New Features by Release
FMC Features in Version 6.6.x
Feature Details
Appliance Configuration Upgrade impact for Version 6.7.0.
Resource Utilization health
Version 6.6.3 improves device memory management and introduces a new health module: Appliance
module.
Configuration Resource Utilization.
The module alerts when the size of your deployed configurations puts a device at risk of running
out of memory. The alert shows you how much memory your configurations require, and by how
much this exceeds the available memory. If this happens, re-evaluate your configurations. Most
often you can reduce the number or complexity of access control rules or intrusion policies. For
information on best practices for access control, see the configuration guide.
The upgrade process automatically adds and enables this module in all health policies. After
upgrade, apply health policies to managed devices to begin monitoring.
Note This module requires Version 6.6.3 or later 6.6.x release or Version 7.0+ on both the
FMC and managed devices.
Version 6.7 partially and temporarily deprecates support for this module. For details,
see Deprecated: Appliance Configuration Resource Utilization heath module
(temporary). Full support returns in Version 7.0, where the module is renamed to
Configuration Memory Allocation.
Table 22: FMC Features in Version 6.6.1
Feature Details
Deprecated Features
Deprecated: Custom intrusion In Version 6.6.0, the FMC began rejecting custom (local) intrusion rule imports entirely if there
rule import failure when rules were rule collisions. Version 6.6.1 deprecates this feature, and returns to the pre-Version 6.6
collide. behavior of silently skipping the rules that cause collisions.
Note that a collision occurs when you try to import an intrusion rule that has the same SID/revision
number as an existing rule. You should always make sure that updated versions of custom rules
have new revision numbers. We recommend you read the best practices for importing local intrusion
rules in the FMC configuration guide.
Version 6.7 adds a warning for rule collisions.
Table 23: FMC Features in Version 6.6.0
Feature Description
Platform
FTD on the Firepower 4112. We introduced the Firepower 4112. You can also deploy ASA logical devices on this platform.
Requires FXOS 2.8.1.
Cisco Secure Firewall Management Center New Features by Release
145
New Features by Release
FMC Features in Version 6.6.x
Feature Description
Larger instances for AWS Upgrade impact.
deployments.
FTDv for AWS adds support for these larger instances:
• C5.xlarge
• C5.2xlarge
• C5.4xlarge
FMCv for AWS adds support for these larger instances:
• C3.4xlarge
• C4.4xlarge
• C5.4xlarge
All existing FMCv for AWS instance types are now deprecated (c3.xlarge, c3.2xlarge, c4.xlarge,
c4.2xlarge). You must resize before you upgrade. For more information, see the upgrade guidelines
for Version 6.6 in the release notes.
Autoscale for cloud-based FTDv We introduced support for AWS Auto Scale/Azure Autoscale.
deployments.
The serverless infrastructure in cloud-based deployments allow you to automatically adjust the
number of FTDv instances in the Auto Scale group based on capacity needs. This includes automatic
registering/unregistering to and from the managing FMC.
Supported platforms: FTDv for AWS, FTDv for Azure
Firepower Threat Defense: Device Management
Obtain initial management For Firepower 1000/2000 series and ASA-5500-X series devices, the management interface now
interface IP address using defaults to obtaining an IP address from DHCP. This change makes it easier for you to deploy a
DHCP. new device on your existing network.
This feature is not supported for Firepower 4100/9300 chassis, where you set the IP address when
you deploy the logical device. Nor is it supported for FTDv or the ISA 3000, which continue to
default to 192.168.45.45.
Supported platforms: Firepower 1000/2000 series, ASA-5500-X series
Configure MTU values in CLI. You can now use the FTD CLI to configure MTU (maximum transmission unit) values for FTD
device interfaces. The default is 1500 bytes. Maximum MTU values are:
• Management interface: 1500 bytes
• Eventing interface: 9000 bytes
New FTD CLI commands: configure network mtu
Modified FTD CLI commands: Added the mtu-event-channel and mtu-management-channel
keyword to the configure network management-interface command.
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
146
New Features by Release
FMC Features in Version 6.6.x
Feature Description
Get threat defense upgrade FTD devices can now get upgrade packages from your own internal web server, rather than from
packages from an internal web the FMC. This is especially useful if you have limited bandwidth between the FMC and its devices.
server. It also saves space on the FMC.
Note This feature is supported only for FTD devices running Version 6.6.0+. It is not
supported for upgrades to Version 6.6.0, nor is it supported for the FMC or Classic
devices.
New/modified pages: System > Updates > Upload Update button > Specify software update
source option
Supported platforms: FTD
Connection-based We made the following enhancements to FTD CLI connection-based troubleshooting (debugging):
troubleshooting enhancements.
• debug packet-module trace: Added to enable module level packet tracing.
• debug packet-condition: Modified to support troubleshooting of ongoing connections.
Supported platforms: FTD
Firepower Threat Defense: Clustering
Multi-instance clustering. You can now create a cluster using container instances. On the Firepower 9300, you must include
one container instance on each module in the cluster. You cannot add more than one container
instance to the cluster per security engine/module.
We recommend that you use the same security module or chassis model for each cluster instance.
However, you can mix and match container instances on different Firepower 9300 security module
types or Firepower 4100 models in the same cluster if required. You cannot mix Firepower 9300
and 4100 instances in the same cluster.
New FXOS CLI commands: set port-type cluster
New/modified Chassis Manager pages:
• Logical Devices > Add Cluster
• Interfaces > All Interfaces > Add New drop-down menu > Subinterface > Type field
Supported platforms: Firepower 4100/9300
Parallel configuration sync to The control unit in an FTD cluster now syncs configuration changes with slave units in parallel by
data units in FTD clusters. default. Formerly, synching occurred sequentially.
Supported platforms: Firepower 4100/9300
Messages for cluster join failure We added new messages to the show cluster history command for when a cluster unit either fails
or eviction added to show to join the cluster or leaves the cluster.
cluster history.
Supported platforms: Firepower 4100/9300
Firepower Threat Defense: Routing
Cisco Secure Firewall Management Center New Features by Release
147
New Features by Release
FMC Features in Version 6.6.x
Feature Description
Virtual routers and VRF-Lite. You can now create multiple virtual routers to maintain separate routing tables for groups of
interfaces. Because each virtual router has its own routing table, you can provide clean separation
in the traffic flowing through the device.
Virtual routers implement the “light” version of Virtual Routing and Forwarding, or VRF-Lite,
which does not support Multiprotocol Extensions for BGP (MBGP).
The maximum number of virtual routers you can create ranges from five to 100, and depends on
the device model. For a full list, see the Virtual Routing for Firepower Threat Defense chapter in
the Firepower Management Center Configuration Guide.
New/modified pages: Devices > Device Management > edit device > Routing tab
New FTD CLI commands: show vrf.
Modified FTD CLI commands: Added the [vrf name | all] keyword set to the following CLI
commands, and changed the output to indicate virtual router information where applicable: clear
ospf, clear route, ping, show asp table routing, show bgp, show ipv6 route, show ospf, show
route, show snort counters.
Supported platforms: FTD, except Firepower 1010 and ISA 3000
Firepower Threat Defense: VPN
DTLS 1.2 in remote access You can now use Datagram Transport Layer Security (DTLS) 1.2 to encrypt RA VPN connections.
VPN.
Use FTD platform settings to specify the minimum TLS protocol version that the FTD device uses
when acting as a, RA VPN server. If you want to specify DTLS 1.2, you must also choose TLS
1.2 as the minimum TLS version.
Requires Cisco AnyConnect Secure Mobility Client, Version 4.7+.
New/modified pages: Devices > Platform Settings > add/edit Threat Defense policy > SSL >
DTLS Version option
Supported platforms: FTD, except ASA 5508-X and ASA 5516-X
Site-to-site VPN IKEv2 support You can now add a backup peer to a site-to-site VPN connection, for IKEv1 and IKEv2
for multiple peers. point-to-point extranet and hub-and-spoke topologies. Previously, you could only configure backup
peers for IKEv1 point-to-point topologies.
New/modified pages: Devices > VPN > Site to Site > add or edit a point to point or hub and spoke
FTD VPN topology > add endpoint > IP Address field now supports comma-separated backup
peers
Supported platforms: FTD
Security Policies
Cisco Secure Firewall Management Center New Features by Release
148
New Features by Release
FMC Features in Version 6.6.x
Feature Description
Usability enhancements for Version 6.6.0 makes it easier to work with access control and prefilter rules. You can now:
security policies.
• Edit certain attributes of multiple access control rules in a single operation: state, action,
logging, intrusion policy, and so on.
In the access control policy editor, select the relevant rules, right-click, and choose Edit.
• Search access control rules by multiple parameters.
In the access control policy editor, click the Search Rules text box to see your options.
• View object details and usage in an access control or prefilter rule.
In the access control or prefilter policy editor, right-click the rule and choose Object Details.
Supported platforms: FMC
Object group search for access While operating, FTD devices expand access control rules into multiple access control list entries
control policies. based on the contents of any network objects used in the access rule. You can reduce the memory
required to search access control rules by enabling object group search.
With object group search enabled, the system does not expand network objects, but instead searches
access rules for matches based on those group definitions.
Object group search does not impact how your rules are defined or how they appear in the FMC.
It impacts only how the device interprets and processes them while matching connections to access
control rules. Object group search is disabled by default.
New/modified pages: Devices > Device Management > edit device > Device tab > Advanced
Settings > Object Group Search option
Supported platforms: FTD
Time-based rules in access You can now specify an absolute or recurring time or time range for a rule to be applied. The rule
control and prefilter policies. is applied based on the time zone of the device that processes the traffic.
New/modified pages:
• Access control and prefilter rule editors
• Devices > Platform Settings > add/edit Threat Defense policy > Time Zone
• Objects > Object Management > Time Range and Time Zone
Supported platforms: FTD
Egress optimization re-enabled. Upgrade impact.
Version 6.6.0 fixes CSCvs86257. If egress optimization was:
• Enabled but turned off, the upgrade turns it back on. (We turned off egress optimization in
some Version 6.4.0.x and 6.5.0.x patches, even if the feature was enabled.)
• Manually disabled, we recommend you reenable it post-upgrade: asp inspect-dp
egress-optimization.
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
149
New Features by Release
FMC Features in Version 6.6.x
Feature Description
Event Logging and Analysis
New datastore improves Upgrade impact.
performance.
To improve performance, Version 6.6.0 uses a new datastore for connection and Security Intelligence
events.
After the upgrade finishes and the FMC reboots, historical connection and Security Intelligence
events are migrated in the background, resource constrained. Depending on FMC model, system
load, and how many events you have stored, this can take from a few hours up to a day.
Historical events are migrated by age, newest events first. Events that have not been migrated do
not appear in query results or dashboards. If you reach the connection event database limit before
the migration completes, for example, because of post-upgrade events, the oldest historical events
are not migrated.
You can monitor event migration progress in the Message Center.
Supported platforms: FMC
Wildcard support when When searching connection and Security Intelligence events for URLs having the pattern
searching connection and example.com, you must now include wildcards. Specifically, use *example.com* for such
Security Intelligence events for searches.
URLs.
Supported platforms: FMC
Monitor up to 300,000 In Version 6.6.0, some FTD device models support monitoring of additional concurrent user
concurrent user sessions with sessions (logins):
FTD devices.
• 300,000 sessions: Firepower 4140, 4145, 4150, 9300
• 150,000 sessions: Firepower 2140, 4112, 4115, 4120, 4125
All other devices continue to support the old limit of 64,000, except ASA FirePOWER which is
limited to 2000.
A new health module alerts you when the user identity feature's memory usage reaches a
configurable threshold. You can also view a graph of the memory usage over time.
New/modified pages:
• System > Health > Policy > add or edit health policy > Snort Identity Memory Usage
• System > Health > Monitor > select a device > Graph option for the Snort Identity Memory
Usage module
Supported platforms: FTD devices listed above
Integration with IBM QRadar. You can use the new Cisco Firepower app for IBM QRadar as an alternate way to display event
data and help you analyze, hunt for, and investigate threats to your network. Requires eStreamer.
For more information, see the Integration Guide for the Cisco Firepower App for IBM QRadar.
Supported platforms: FMC
Administration and Troubleshooting
Cisco Secure Firewall Management Center New Features by Release
150
New Features by Release
FMC Features in Version 6.6.x
Feature Description
New options for deploying The Deploy button on the FMC menu bar is now a menu, with options that add the following
configuration changes. functionality:
• Status: For each device, the system displays whether changes need to be deployed; whether
there are warnings or errors you should resolve before you deploy; and whether your last
deploy is in process, failed, or completed successfully.
• Preview: See all applicable policy and object changes you have made since you last deployed
to the device.
• Selective deploy: Choose from the policies and configurations you want to deploy to a managed
device.
• Deploy time estimate: Display an estimate of how long it will take to deploy to a particular
device. You can display estimates for a full deploy, as well as for specific policies and
configurations.
• History: View details of previous deploys.
New/modified pages:
• Deploy > Deployment
• Deploy > Deployment History
Supported platforms: FMC
Initial configuration updates the On new and reimaged FMCs, the setup process now:
VDB and schedules SRU
• Downloads and installs the latest vulnerability database (VDB) update.
updates.
• Enables daily intrusion rule (SRU) downloads. Note that the setup process does not enable
auto-deploy after these downloads, although you can change this setting.
Upgraded FMCs are not affected.
New/modified pages:
• System > Updates > Product Updates (VDB updates)
• System > Updates > Rule Updates (SRU updates)
Supported platforms: FMC
VDB match no longer required Restoring an FMC from backup no longer requires the same VDB on the replacement FMC.
to restore FMC. However, restoring does now replace the existing VDB with the VDB in the backup file.
Supported platforms: FMC
HTTPS certificates with subject You can now request a HTTPS server certificate that secures multiple domain names or IP addresses
alternative name (SAN). by using SAN. For more information on SAN, see RFC 5280, section 4.2.1.6.
New/modified pages: System > Configuration > HTTPS Certificate > Generate New CSR >
Subject Alternative Name fields
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
151
New Features by Release
FMC Features in Version 6.6.x
Feature Description
Real names associated with You can now specify a real name when you create or modify an FMC user account. This can be a
FMC user accounts. person's name, department, or other identifying attribute.
New/modified pages: System > Users > Users > Real Name field.
Supported platforms: FMC
Cisco Support Diagnostics on Upgrade impact.
additional FTD platforms.
Cisco Support Diagnostics is now fully supported on all FMCs and FTD devices. Previously,
support was limited to FMCs, Firepower 4100/9300 with FTD, and FTDv for Azure.
Supported platforms: FMC, FTD
Usability
Light theme. The FMC now defaults to the Light theme, which was introduced as a Beta feature in Version
6.5.0. Upgrading to Version 6.6.0 automatically switches you to the Light theme. You can switch
back to the Classic theme in your user preferences.
Although we cannot respond to everybody, we welcome feedback on the Light theme. Use the
feedback link on the User Preferences page or contact us at fmc-light-theme-feedback@cisco.com.
Supported platforms: FMC
Display time remaining for The FMC's Message Center now displays approximately how much time remains until an upgrade
upgrades. will complete. This does not include reboot time.
New/modified pages: Message Center
Supported platforms: FMC
Security and Hardening
Default HTTPS server Upgrade impact.
certificate renewals have 800
Unless the current default HTTPS server certificate already has an 800-day lifespan, upgrading to
day lifespans.
Version 6.6.0 renews the certificate, which now expires 800 days from the date of the upgrade.
All future renewals have an 800 day lifespan.
Your old certificate was set to expire depending on when it was generated.
Supported platforms: FMC
Firepower Management Center REST API
Cisco Secure Firewall Management Center New Features by Release
152
New Features by Release
FMC Features in Version 6.6.x
Feature Description
New REST API capabilities. Added the following REST API services to support Version 6.6.0 features:
• bgp, bgpgeneralsettings, ospfinterface, ospfv2routes, ospfv3interfaces, ospfv3routes,
virtualrouters, routemaps, ipv4prefixlists, ipv6prefixlists, aspathlists, communitylists,
extendedcommunitylists, standardaccesslists, standardcommunitylists, policylists: Routing
• virtualrouters, virtualipv4staticroutes, virtualipv6staticroutes, virtualstaticroutes: Virtual
routing
• timeranges, globaltimezones, timezoneobjects: Time-based rules
• commands: Run a limited set of CLI commands from the REST API
• pendingchanges: Deploy improvements
Added the following REST API services to support older features:
• intrusionrules, intrusionpolicies: Intrusion policies
Supported platforms: FMC
Changed REST API service Upgrade impact.
name for extended access lists.
The extendedaccesslist (singular) service in the FMC REST API is now extendedaccesslists (plural).
Make sure you update your client. Using the old service name fails and returns an Invalid URL
error.
Request Type: GET
URL to retrieve the extended access list associated with a specific ID:
• Old: /api/fmc_config/v1/domain/{domainUUID}/object/extendedaccesslist/{objectId}
• New: /api/fmc_config/v1/domain/{domainUUID}/object/extendedaccesslists/{objectId}
URL to retrieve a list of all extended access lists:
• Old: /api/fmc_config/v1/domain/{domainUUID}/object/extendedaccesslist
• New: /api/fmc_config/v1/domain/{domainUUID}/object/extendedaccesslists
Supported platforms: FMC
Deprecated Features
Cisco Secure Firewall Management Center New Features by Release
153
New Features by Release
FMC Features in Version 6.6.x
Feature Description
Deprecated: Lower-memory For performance reasons, the following FMCv instances are no longer supported:
instances for cloud-based FMCv
• c3.xlarge on AWS
deployments.
• c3.2xlarge on AWS
• c4.xlarge on AWS
• c4.2xlarge on AWS
• Standard_D3_v2 on Azure
You must resize before you upgrade to Version 6.6.0+. For more information, see the upgrade
guidelines for Version 6.6 in the release notes.
Additionally, as of the Version 6.6 release, lower-memory instance types for cloud-based FMCv
deployments are fully deprecated. You cannot create new FMCv instances using them, even for
earlier Firepower versions. You can continue running existing instances.
Deprecated: e1000 Interfaces on Prevents upgrade.
FTDv for VMware.
Version 6.6 ends support for e1000 interfaces on FTDv for VMware. You cannot upgrade until
you switch to vmxnet3 or ixgbe interfaces. Or, you can deploy a new device.
For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.
Deprecated: Less secure Version 6.6 deprecates the following FTD security features:
Diffie-Hellman groups, and
• Diffie-Hellman groups: 2, 5, and 24.
encryption and hash algorithms.
• Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES,
AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is
the only option) for users who do not satisfy export controls.
• Hash algorithms: MD5.
These features are removed in Version 6.7. Avoid configuring them in IKE proposals or IPSec
policies for use in VPNs. Change to stronger options as soon as possible.
Deprecated: Custom tables for Version 6.6 ends support for custom tables for connection and Security Intelligence events. After
connection events. you upgrade, existing custom tables for those events are still 'available' but return no results. We
recommend you delete them.
There is no change to other types of custom tables.
Deprecated options:
• Analysis > Advanced > Custom Tables > click Create Custom Table > Tables drop-down
list > Connection Events and Security Intelligence Events
Cisco Secure Firewall Management Center New Features by Release
154
New Features by Release
FMC Features in Version 6.5.x
Feature Description
Deprecated: Ability to delete Version 6.6 ends support for deleting connection and Security Intelligence events from the event
connection events from the viewer. To purge the database, select System > Tools > Data Purge.
event viewer.
Deprecated options:
• Analysis > Connections > Events > Delete and Delete All
• Analysis > Connections > Security Intelligence Events > Delete and Delete All
Deprecated: Geolocation details. In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses
to countries/continents, and an IP package that contains additional contextual data associated with
routable IP addresses. The contextual data in the IP package can include additional location details,
as well as connection information such as ISP, connection type, proxy type, domain name, and so
on.
The new country code package has the same file name as the old all-in-one package:
Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to
continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in
an air-gapped deployment—make sure you get the country code package and not the IP package.
Important This split does not affect geolocation rules or traffic handling in any way—those rules
rely only on the data in the country code package. However, because the country code
package essentially replaces the all-in-one package, the contextual data is no longer
updated and will grow stale. To obtain fresh data, upgrade or reimage the FMC to
Version 7.2+ and update the GeoDB.
FMC Features in Version 6.5.x
Table 24: FMC Features in Version 6.5.x Patches
Feature Details
Administration and Troubleshooting
Version 6.5.0.5 Upgrade impact.
Default HTTPS server Unless the FMC's current default HTTPS server certificate already has an 800-day lifespan,
certificates upgrading to Version 6.5.0.5+ renews the certificate, which now expires 800 days from the date
of the upgrade. All future renewals have an 800 day lifespan.
Your old certificate was set to expire depending on when it was generated, as follows:
• 6.5.0 to 6.5.0.4: 3 years
• 6.4.0.9 and later patches: 800 days
• 6.4.0 to 6.4.0.8: 3 years
• 6.3.0 and all patches: 3 years
• 6.2.3: 20 years
Cisco Secure Firewall Management Center New Features by Release
155
New Features by Release
FMC Features in Version 6.5.x
Feature Details
Deprecated Features
Version 6.5.0.2 Upgrade impact.
Deprecated: Egress optimization Egress optimization is a performance feature targeted for selected IPS traffic. It is enabled by
(temporary). default on all FTD platforms, and the Version 6.5.0 upgrade process enables egress optimization
on eligible devices. However, to mitigate CSCvq34340, patching FTD to Version 6.5.0.2+ turns
off egress optimization processing. This happens regardless of whether the egress optimization
feature is enabled or disabled.
Note We recommend you upgrade to Version 6.6+, where this issue is fixed. That will turn
egress optimization back on, if you left the feature 'enabled.' If you remain at Version
6.5.0 or 6.5.0.1, you should manually disable egress optimization from the FTD CLI:
no asp inspect-dp egress-optimization.
For more information, see the software advisory: FTD traffic outage due to 9344 block size depletion
caused by the egress optimization feature.
Supported platforms: FTD
Table 25: FMC Features in Version 6.5.0
Feature Details
Platform
FTD on the Firepower 1150. We introduced the Firepower 1150.
Larger instances for FTDv for FTDv for Microsoft Azure now supports larger instances: D4_v2 and D5_v2.
Azure.
FMCv 300 for VMware. We introduced the FMCv 300, a larger FMCv for VMware. It can manage up to 300 devices,
compared to 25 devices for other FMCv instances.
You can use the FMC model migration feature to switch to the FMCv 300 from a less powerful
platform.
VMware vSphere/VMware You can now deploy FMCv, FTDv, and NGIPSv virtual appliances on VMware vSphere/VMware
ESXi 6.7 support ESXi 6.7.
Firepower Threat Defense
Firepower 1010 hardware The Firepower 1010 now supports setting each Ethernet interface to be a switch port or a firewall
switch support interface.
New/modified pages:
• Devices > Device Management > Interfaces
• Devices > Device Management > Interfaces > Edit Physical Interface
• Devices > Device Management > Interfaces > Add VLAN Interface
Supported platforms: Firepower 1010
Cisco Secure Firewall Management Center New Features by Release
156
New Features by Release
FMC Features in Version 6.5.x
Feature Details
Firepower 1010 PoE+ support The Firepower 1010 now supports Power over Ethernet+ (PoE+) on Ethernet 1/7 and Ethernet 1/8.
on Ethernet 1/7 and Ethernet 1/8
New/modified pages: Devices > Device Management > Interfaces > Edit Physical Interface >
PoE
Supported platforms: Firepower 1010
Carrier-grade NAT For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than
enhancements have NAT allocate one port translation at a time (see RFC 6888).
New/modified pages: Devices > NAT > add/edit FTD NAT policy > add/edit NAT rule > PAT
Pool tab > Block Allocation option
Supported platforms: FTD
TLS crypto acceleration for TLS crypto acceleration is now supported on multiple container instances (up to 16) on a Firepower
multiple container instances on 4100/9300 chassis. Previously, you could enable TLS crypto acceleration for only one container
Firepower 4100/9300 instance per module/security engine.
New instances have this feature enabled by default. However, the upgrade does not enable
acceleration on existing instances. Instead, use the create hw-crypto and scope hw-crypto CLI
commands. For more information, see the Cisco Secure Firewall Threat Defense Command
Reference.
New FXOS CLI commands:
• create hw-crypto
• delete hw-crypto
• scope hw-crypto
• show hw-crypto
Removed FXOS CLI commands:
• show hwCrypto (replaced by show hw-crypto)
• config hwCrypto
Removed FTD CLI commands:
• show crypto accelerator status
Supported platforms: Firepower 4100/9300
Security Policies
Access control rule filtering You can now filter access control rules based on search criteria.
New/modified pages: Policies > Access Control > Access Control > add/edit policy > filter button
('show only rules matching filter criteria')
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
157
New Features by Release
FMC Features in Version 6.5.x
Feature Details
Dispute URL category or You can now dispute the category or reputation of a URL.
reputation
New/modified pages:
• Analysis > Connection Events > right-click a category or reputation > Dispute.
• Analysis > Advanced > URL > search for URL > Dispute button
• System > Integration > Cloud Services > Dispute link
Supported platforms: FMC
User control with You can now use ISE SGT tags for both source and destination matching criteria in access control
destination-based Security rules. SGT tags are tag-to-host/network mappings obtained by ISE.
Group Tags (SGT)
New connection event fields:
• Destination SGT (syslog: DestinationSecurityGroupTag): SGT attribute for the connection
responder.
Renamed connection event fields:
• Source SGT (syslog: SourceSecurityGroupTag): SGT attribute for the connection initiator.
Replaces Security Group Tag (syslog: SecurityGroup).
New/modified pages: System > Integration > Identity Sources > Identity Services Engine >
Subscribe to Session Directory Topic and SXP Topic options
Supported platforms: Any
Cisco Firepower User Agent We released Version 2.5 of the Cisco Firepower User Agent, which you can integrate with Firepower
Version 2.5 integration Versions 6.4.0 through 6.6.x.
Note Version 6.6 is the last release to support the Cisco Firepower User Agent software
as an identity source. You cannot upgrade an FMC with user agent configurations to
Version 6.7+. You should switch to Cisco Identity Services Engine/Passive Identity
Connector (ISE/ISE-PIC). This will also allow you to take advantage of features that
are not available with the user agent. To convert your license, contact your Cisco
representative or partner contact.
For more information, see the End-of-Life and End-of-Support for the Cisco Firepower
User Agent announcement and the Firepower User Identity: Migrating from User
Agent to Identity Services Engine TechNote.
New/modified FMC CLI commands: configure user-agent
Supported platforms: FMC
Event Logging and Analysis
Cisco Secure Firewall Management Center New Features by Release
158
New Features by Release
FMC Features in Version 6.5.x
Feature Details
Threat Intelligence Director TID blocking/monitoring observable actions now have priority over blocking/monitoring with
priorities. Security Intelligence Block lists.
If you configure the Block TID observable action, even if the traffic also matches a Security
Intelligence Block list set to Block:
• The Security Intelligence category in the connection event is a variant of TID Block.
• The system generates a TID incident with an action taken of Blocked.
If you configure the Monitor TID observable action, even if the traffic also matches a Security
Intelligence Block list set to Monitor:
• The Security Intelligence category in the connection event is a variant of TID Monitor
• The system generates a TID incident with an action taken of Monitored.
Previously, in each of these cases, the system reported the category by analysis and did not generate
a TID incident.
Note The system still effectively handles traffic as before. Traffic that was blocked before
is still blocked, and monitored traffic is still monitored. This simply changes which
component gets the 'credit.' You may also see more TID incidents generated.
For complete information on system behavior when you enable both Security Intelligence and TID,
see the TID-Firepower Management Center Action Prioritization information in the FMC
configuration guide.
Supported platforms: FMC
'Packet profile' CLI commands You can now use the FTD CLI to obtain statistics on how the device handled network traffic. That
is, how many packets were fastpathed by a prefilter policy, offloaded as a large flow, fully evaluated
by access control (Snort), and so on.
New FTD CLI commands:
• asp packet-profile
• no asp packet-profile
• show asp packet-profile
• clear asp packet-profile
Supported platforms: FTD
Additional event types for Cisco Firepower can now send file and malware events to Cisco SecureX, as well as high priority
SecureX connection events — those related to intrusion, file, malware, and Security Intelligence events.
Note that the FMC web interface refers to this offering as Cisco Threat Response (CTR).
New/modified pages: System > Integration > Cloud Services.
Supported platforms: FTD (via syslog or direct integration) and Classic (via syslog) devices
Administration and Troubleshooting
Cisco Secure Firewall Management Center New Features by Release
159
New Features by Release
FMC Features in Version 6.5.x
Feature Details
Precision Time Protocol (PTP) You can use FlexConfig to configure the Precision Time Protocol (PTP) on ISA 3000 devices.
configuration for ISA 3000 PTP is a time-synchronization protocol developed to synchronize the clocks of various devices in
devices. a packet-based network. The protocol is designed specifically for industrial, networked measurement
and control systems.
We now allow you to include the ptp (interface mode) command, and the global commands ptp
mode e2etransparent and ptp domain, in FlexConfig objects.
New/modified commands: show ptp
Supported platforms: ISA 3000 with FTD
Configure more domains When implementing multitenancy (segment user access to managed devices, configurations, and
(multitenancy) events), you can create up to 100 subdomains under a top-level Global domain, in two or three
levels. The previous maximum was 50 domains.
Supported platforms: FMC
ISE Connection Status Monitor The ISE Connection Status Monitor health module now alerts you to issues with TrustSec SXP
enhancements (SGT Exchange Protocol) subscription status.
Supported platforms: FMC
Regional clouds Upgrade impact.
If you use the Cisco Threat Response integration, Cisco Support Diagnostics, or Cisco Success
Network features, you can now select a regional cloud.
By default, the upgrade assigns you to the US (North America) region.
New/modified pages: System > Integration > Cloud Services
Supported platforms: FMC, FTD
Cisco Support Diagnostics Upgrade impact.
Cisco Support Diagnostics (sometimes called Cisco Proactive Support) sends configuration and
operational health data to Cisco, and processes that data through our automated problem detection
system, allowing us to proactively notify you of issues. This feature also allows Cisco TAC to
collect essential information from your devices during the course of a TAC case.
During initial setup and upgrades, you may be asked to enroll. You can also change your enrollment
at any time.
In Version 6.5.0, Cisco Support Diagnostics support is limited to select platforms.
New/modified pages:
• System > Smart Licenses
• System > Smart Licenses > Register
Supported platforms: FMC, Firepower 4100/9300, FTDv for Azure
Cisco Secure Firewall Management Center New Features by Release
160
New Features by Release
FMC Features in Version 6.5.x
Feature Details
FMC model migration You can now use the backup and restore feature to migrate configurations and events between
FMCs, even if they are not the same model. This makes it easier to replace FMCs due to technical
or business reasons such as a growing organization, migration from a physical to a virtual
implementation, hardware refresh, and so on.
In general, you can migrate from a lower-end to a higher-end FMC, but not the reverse. Migration
from KVM and Microsoft Azure is not supported. You must also unregister and reregister with
Cisco Smart Software Manager (CSSM).
For details, including supported target and destination models, see the Cisco Secure Firewall
Management Center Model Migration Guide.
Supported platforms: FMC
Default HTTPS server If you are upgrading from Version 6.4.0.9+, the default HTTPS server certificate's lifespan-on-renew
certificates. returns to 3 years, but this is again updated to 800 days in Version 6.5.0.5+ and 6.6+.
Your current default HTTPS server certificate is set to expire depending on when it was generated,
as follows:
• 6.4.0.9 and later patches: 800 days
• 6.4.0 to 6.4.0.8: 3 years
• 6.3.0 and all patches: 3 years
• 6.2.3: 20 years
Security and Hardening
Secure erase for appliance You can now use the FXOS CLI to securely erase a specified appliance component.
components on FXOS-based
New FXOS CLI commands: erase secure
FTD devices
Supported platforms: Firepower 1000/2000 and Firepower 4100/9300
Stricter password requirements FMC initial setup now requires that you choose a ‘strong’ password for admin accounts. The setup
for FMC admin accounts during process applies this strong password to both the FMC web interface and CLI admin accounts.
initial setup
Note Upgrading to Version 6.5.0+ does not force you to change weak passwords to strong
passwords. With the exception of LOM users on physical FMCs (and this does include
the admin user), you are not prohibited from choosing a new weak password. However,
we do recommend that all Firepower user accounts — especially those with Admin
access — have strong passwords.
Supported platforms: FMC
Concurrent user session limits You can now limit the number of users that can be logged into the FMC at the same time. You can
limit concurrent sessions for users with read only roles, read/write roles, or both. Note that CLI
users are limited by the read/write setting.
New/modified pages: System > Configuration > User Configuration > Max Concurrent Sessions
Allowed options
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
161
New Features by Release
FMC Features in Version 6.5.x
Feature Details
Authenticated NTP servers You can now configure secure communications between the FMC and NTP servers using SHA1
or MD5 symmetric key authentication. For system security, we recommend using this feature.
New/modified pages: System > Configuration > Time Synchronization
Supported platforms: FMC
Usability and Performance
Improved initial configuration On new and reimaged FMCs, a wizard replaces the previous initial setup process. If you use the
experience GUI wizard, when initial setup completes, the FMC displays the device management page so that
you can immediately begin licensing and setting up your deployment.
The setup process also automatically schedules the following:
• Software downloads. The system creates a weekly scheduled task to download (but not install)
software patches and publicly available hotfixes that apply to your deployment.
• FMC configuration-only backups. The system creates a weekly scheduled task to back up
FMC configurations and store them locally.
• GeoDB updates. The system enables weekly geolocation database updates.
These tasks are scheduled in UTC, which means that when they occur locally depends on the date
and your specific location. Also, because tasks are scheduled in UTC, they do not adjust for Daylight
Saving Time, summer time, or any such seasonal adjustments that you may observe in your location.
If you are affected, scheduled tasks occur one hour "later" in the summer than in the winter,
according to local time.
Note We strongly recommend you review the auto-scheduled tasks/GeoDB updates and
adjust them if necessary.
Upgraded FMCs are not affected. For details on the initial configuration wizard, see the Getting
Started Guide for your FMC model; for details on scheduled tasks, see the FMC configuration
guide.
Supported platforms: FMC
Light theme Beta.
The FMC web interface defaults to the Classic theme, but you can also choose a new Light theme.
Note The Light theme is a Beta feature. You may see misaligned text or other UI elements.
In some cases, you may also experience slower-than-normal response times. If you
encounter issues that prevent you from using a page or feature, switch back to the
Classic theme. Although we cannot respond to everybody, we also welcome feedback
— please use the feedback link on the User Preferences page or contact us at
fmc-light-theme-feedback@cisco.com">.
New/modified pages: User Preferences, from the drop-down list under your username
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
162
New Features by Release
FMC Features in Version 6.5.x
Feature Details
Usability enhancements for We have enhanced 'view object' capabilities for network, port, VLAN, and URL objects, as follows:
viewing objects
• In the access control policy and while configuring FTD routing, you can right-click an object
and choose View Objects to display details about that object.
• When you are viewing details about an object, or when you are browsing objects in the object
manager, clicking Find Usage ( ) now allows you to drill down into object groups and
nested objects.
New/modified pages:
• Objects > Object Management > choose a supported object type > Find Usage ( )
• Policies > Access Control > Access Control > create or edit policy > create or edit rule >
choose a supported condition type > right-click an object > View Objects
• Devices > Device Management > edit FTD device > Routing > right-click a supported object
> View Objects
Supported platforms: FMC
Usability enhancements for We streamlined the display of errors and warnings related to deploying configuration changes.
deploying configuration changes Instead of an immediate verbose view, you can now Click to view all details to see more information
about a particular error or warning.
New/modified pages: Errors and Warnings for Requested Deployment dialog box
Supported platforms: FMC
Usability enhancements to FTD When configuring FTD NAT, you can now:
NAT policy management
• View warnings and errors in your NAT policy, by device. Warnings and errors mark
configurations that could adversely affect traffic flow or prevent the policy from deploying.
• Display up to 1000 NAT rules per page. The default is 100.
New/modified pages: Devices > NAT > create or edit FTD NAT policy > Show Warnings and
Rules Per Page options
Supported platforms: FTD
Firepower Management Center REST API
Cisco Secure Firewall Management Center New Features by Release
163
New Features by Release
FMC Features in Version 6.5.x
Feature Details
New REST API capabilities Added the following REST API objects to support Version 6.5.0 features:
• cloudregions: Regional clouds
Added the following REST API objects to support older features:
• categories: Categories for access control rules
• domain, inheritancesettings: Domains and policy inheritance
• prefilterpolicies, prefilterrules, tunneltags: Prefilter policies
• vlaninterfaces: VLAN interfaces
Supported platforms: FMC
Deprecated Features
End of support: FMC 750, 1500, You cannot run Version 6.5+ on the FMC models FMC 1000, 2500, and 4500. You cannot manage
3500. Version 6.5+ devices with these FMCs.
End of support: ASA 5515-X You cannot run Version 6.5+ on the ASA 5515-X and ASA 5585-X series devices (SSP-10, -20,
and ASA 5585-X series -40, and -60).
End of support: Firepower You cannot run Version 6.5+ on Firepower 7000/8000 series devices, including AMP models.
7000/8000 series.
Deprecated: Ability to disable Version 6.3 introduced the FMC CLI, which you had to explicitly enable. In Version 6.5, the CLI
the FMC CLI. is automatically enabled, for both new and upgraded deployments. If you want to access the Linux
shell (also called expert mode), you must log in to the CLI and then use the expert command.
Caution We recommend you do not access Firepower appliances using the shell, unless directed
by Cisco TAC.
Deprecated options: System > Configuration > Console Configuration > Enable CLI access
check box
Deprecated: MD5 authentication Version 6.5 deprecates the MD5 authentication algorithm and DES encryption for SNMPv3 users
algorithm and DES encryption on FTD.
for SNMPv3 users.
Although these configurations continue to work post-upgrade, the system displays a warning when
you deploy. And, you cannot create new users or edit existing users with these options.
Support is removed in Version 7.0. If you are still using these options in your platform settings
policy, we recommend you switch to stronger options now.
New/modified screens: Devices > Platform Settings > SNMP > Users
Cisco Secure Firewall Management Center New Features by Release
164
New Features by Release
FMC Features in Version 6.5.x
Feature Details
Deprecated: TLS 1.0 & 1.1. Upgrade impact.
To enhance security:
• Captive portal (active authentication) has removed support for TLS 1.0.
• Host input has removed support for TLS 1.0 and TLS 1.1.
If your client fails to connect with a Firepower appliance, we recommend you upgrade your client
to support TLS 1.2.
Deprecated: TLS crypto As part of allowing TLS crypto acceleration for multiple container instances on Firepower
acceleration FXOS CLI 4100/9300, we removed the following FXOS CLI commands:
commands for Firepower
• show hwCrypto
4100/9300.
• config hwCrypto
And this FTD CLI command:
• show crypto accelerator status
For information on their replacements, see the new feature documentation.
Deprecated: Cisco Security Version 6.5 ends support for FMC integration with Cisco Security Packet Analyzer.
Packet Analyzer integration.
Deprecated screens/options:
• System > Integration > Packet Analyzer
• Analysis > Advanced > Packet Analyzer Queries
• Query Packet Analyzer when right-clicking on an event in the dashboard or event viewer
Deprecated: Geolocation details. In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses
to countries/continents, and an IP package that contains additional contextual data associated with
routable IP addresses. The contextual data in the IP package can include additional location details,
as well as connection information such as ISP, connection type, proxy type, domain name, and so
on.
The new country code package has the same file name as the old all-in-one package:
Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to
continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in
an air-gapped deployment—make sure you get the country code package and not the IP package.
Important This split does not affect geolocation rules or traffic handling in any way—those rules
rely only on the data in the country code package. However, because the country code
package essentially replaces the all-in-one package, the contextual data is no longer
updated and will grow stale. To obtain fresh data, upgrade or reimage the FMC to
Version 7.2+ and update the GeoDB.
Cisco Secure Firewall Management Center New Features by Release
165
New Features by Release
FMC Features in Version 6.4.x
FMC Features in Version 6.4.x
Table 26: FMC Features in Version 6.4.x Patches
Feature Details
Version 6.4.0.17 For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory
devices. This smaller VDB contains the same applications, but fewer detection patterns. Devices
Smaller VDB for lower memory
using the smaller VDB can miss some application identification versus devices using the full VDB.
devices.
Minimum threat defense: Any
Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X,
5545-X
Version restrictions: The ability to install a smaller VDB depends on the version of the FMC, not
managed devices. If you upgrade the FMC from a supported version to an unsupported version,
you cannot install VDB 363+ if your deployment includes even one lower memory device. For a
list of affected releases, see CSCwd88641.
Version 6.4.0.10 Upgrade impact.
Upgrades postpone scheduled Upgrades now postpone scheduled tasks. Any task scheduled to begin during the upgrade will
tasks. begin five minutes after the post-upgrade reboot.
Note Before you begin any upgrade, you must still make sure running tasks are complete.
Tasks running when the upgrade begins are stopped, become failed tasks, and cannot
be resumed.
Note that this feature is supported for Firepower appliances running Version 6.4.0.10 or any later
patch. It is not supported for upgrades to Version 6.4.0.10, or upgrades that skip Version 6.4.0.10.
This feature is temporarily deprecated in Versions 6.5.0–6.6.1, but returns in Version 6.6.3.
Version 6.4.0.9 Upgrade impact.
Default HTTPS server Upgrading an FMC or 7000/8000 series device from Version 6.4.0–6.4.0.8 to any later Version
certificates. 6.4.0.x patch (or an FMC to Version 6.6.0+) renews the default HTTPS server certificate, which
expires 800 days from the date of the upgrade. All future renewals have an 800 day lifespan.
Your old certificate was set to expire depending on when it was generated, as follows:
• 6.4.0 to 6.4.0.8: 3 years
• 6.3.0 and all patches: 3 years
• 6.2.3 and earlier: 20 years
Note that in Version 6.5.0–6.5.0.4, the lifespan-on-renew returns to 3 years, but this is again updated
to 800 days with Version 6.5.0.5 and 6.6.0.
Cisco Secure Firewall Management Center New Features by Release
166
New Features by Release
FMC Features in Version 6.4.x
Feature Details
Version 6.4.0.4 These new syslog fields collectively identify a unique connection event:
New syslog fields. • Sensor UUID
• First Packet Time
• Connection Instance ID
• Connection Counter
These fields also appear in syslogs for intrusion, file, and malware events, allowing connection
events to be associated with those events.
Version 6.4.0.2 Upgrade impact.
Detection of rule conflicts in After you upgrade to Version 6.4.0.2 or later patch, you can no longer create FTD NAT policies
FTD NAT policies. with conflicting rules (often referred to as duplicate or overlapping rules). This fixes an issue where
conflicting NAT rules were applied out-of-order.
If you currently have conflicting NAT rules, you will be able to deploy post-upgrade. However,
your NAT rules will continue to be applied out-of-order.
Therefore, we recommend that after the upgrade, you inspect your FTD NAT policies by editing
(no changes are needed) then attempting to resave. If you have rule conflicts, the system will
prevent you from saving. Correct the issues, save, and then deploy.
Version 6.4.0.2 A new health module, the ISE Connection Status Monitor, monitors the status of the server
connections between the Cisco Identity Services Engine (ISE) and the FMC.
ISE Connection Status Monitor
health module.
Table 27: FMC Features in Version 6.4.0
Feature Details
Platform
FMC 1600, 2600, and 4600. We introduced the FMC models FMC 1600, 2600, and 4600.
FMCv for Azure. We introduced FMCv for Microsoft Azure.
FTD on the Firepower 1010, We introduced the Firepower 1010, 1120, and 1140.
1120, and 1140.
FTD on the Firepower 4115, We introduced the Firepower 4115, 4125, and 4145.
4125, and 4145.
Firepower 9300 SM-40, SM-48, We introduced three new security modules: SM-40, SM-48, and SM-56.
and SM-56 support.
With FXOS 2.6.1, you can mix different types of security modules in the same chassis.
ASA and FTD on the same With FXOS 2.6.1, you can now deploy ASA and FTD logical devices on the same Firepower 9300.
Firepower 9300.
Firepower Threat Defense: Device Management
Cisco Secure Firewall Management Center New Features by Release
167
New Features by Release
FMC Features in Version 6.4.x
Feature Details
FTDv for VMware defaults to FTDv for VMware now defaults to vmxnet3 interfaces when you create a virtual device. Previously,
vmxnet3 interfaces. the default was e1000. The vmxnet3 device drivers and network processing are integrated with the
ESXi hypervisor, so they use fewer resources and offer better network performance.
Note Version 6.6 ends support for e1000 interfaces. You will not be able to upgrade to
Version 6.6+ until you switch to vmxnet3 or ixgbe interfaces. We recommend you
do this now. For more information, refer to the instructions on adding and configuring
VMware interfaces in the Cisco Secure Firewall Threat Defense Virtual Getting
Started Guide.
Supported platforms: FTDv for VMware
Firepower Threat Defense: Routing
Rotating (keychain) You can now use rotating (keychain) authentication when configuring OSPFv2 routing.
authentication for OSPFv2
New/modified pages:
routing.
• Objects > Object Management > Key Chain object
• Devices > Device Management > edit device > Routing tab > OSPF settings > Interface
tab > add/edit interface > Authentication option
• Devices > Device Management > edit device > Routing tab > OSPF settings > Area tab >
add/edit area > Virtual Link sub-tab > add/edit virtual link > Authentication option
Supported platforms: FTD
Firepower Threat Defense: Encryption and VPN
RA VPN: Secondary Secondary authentication, also called double authentication, adds an additional layer of security
authentication. to RA VPN connections by using two different authentication servers. With secondary authentication
enabled, AnyConnect VPN users must provide two sets of credentials to log in to the VPN gateway.
RA VPN supports secondary authentication for the AAA Only and Client Certificate and AAA
authentication methods.
New/modified pages: Devices > VPN > Remote Access > add/edit configuration > Connection
Profile > AAA area
Supported platforms: FTD
Site-to-site VPN: Dynamic IP You can now configure site to site VPNs to use a dynamic IP address for extranet endpoints. In
addresses for extranet endpoints. hub-and-spoke deployments, you can use a hub as an extranet endpoint.
New/modified pages: Devices > VPN > Site To Site > add/edit FTD VPN topology > Endpoints
tab > add endpoint > IP Address option
Supported platforms: FTD
Cisco Secure Firewall Management Center New Features by Release
168
New Features by Release
FMC Features in Version 6.4.x
Feature Details
Site-to-site VPN: Dynamic You can now use dynamic crypto maps in point-to-point as well as in hub-and-spoke VPN
crypto maps for point-to-point topologies. Dynamic crypto maps are still not supported for full mesh topologies.
topologies.
You specify the crypto map type when you configure a topology. Make sure you also specify a
dynamic IP address for one of the peers in the topology.
New/modified pages: Devices > VPN > Site To Site > add/edit FTD VPN topology > IPsec tab
> Crypto Map Type option
Supported platforms: FTD
TLS crypto acceleration. Upgrade impact.
SSL hardware acceleration has been renamed TLS crypto acceleration. Depending on the device,
TLS crypto acceleration might be performed in software or in hardware. The Version 6.4.0 upgrade
process automatically enables acceleration on all eligible devices, even if you previously disabled
the feature manually.
In most cases you cannot configure this feature; it is automatically enabled and you cannot disable
it. However, if you are using the multi-instance capability of the Firepower 4100/9300 chassis,
you can enable TLS crypto acceleration for one container instance per module/security engine.
Acceleration is disabled for other container instances, but enabled for native instances.
New FXOS CLI commands for the Firepower 4100/9300 chassis:
• show hwCrypto
• config hwCrypto
New FTD CLI commands:
• show crypto accelerator status (replaces system support ssl-hw-status)
Removed FTD CLI commands:
• system support ssl-hw-accel
• system support ssl-hw-status
Supported platforms: Firepower 2100 series, Firepower 4100/9300
Event Logging and Analysis
Improvements to syslog Fully qualified file and malware event data can now be sent from managed devices via syslog.
messages for file and malware
New/modified pages: Policies > Access Control > Access Control > add/edit policy > Logging
events.
tab > File and Malware Settings area
Supported platforms: Any
Search intrusion events by CVE You can now search for intrusion events generated as a result of a particular CVE exploit.
ID.
New/modified pages: Analysis > Search
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
169
New Features by Release
FMC Features in Version 6.4.x
Feature Details
IntrusionPolicy field is now Intrusion event syslog messages now specify the intrusion policy that triggered the event.
included in syslog.
Supported platforms: Any
Cisco SecureX integration. Cisco SecureX is a cloud offering that helps you rapidly detect, investigate, and respond to threats.
This feature lets you analyze incidents using data aggregated from multiple products, including
Firepower Threat Defense. Note that the FMC web interface refers to this offering as Cisco Threat
Response (CTR).
See the Cisco Secure Firewall Threat Defense and SecureX Integration Guide.
New/modified pages: System > Integration > Cloud Services
Supported platforms: FTD
Splunk integration. Splunk users can use a new, separate Splunk app, Cisco Secure Firewall (f.k.a. Firepower) app for
Splunk, to analyze events. Available functionality is affected by your Firepower version.
See Cisco Secure Firewall App for Splunk User Guide.
Supported platforms: FMC
Cisco Security Analytics and You can send Firepower events to the Stealthwatch Cloud for storage, and optionally make your
Logging (SaaS) integration. Firepower event data available for security analytics using Stealthwatch Cloud.
Using Cisco Security Analytics and Logging (SaaS), also known as SAL (SaaS), your Firepower
devices send events as syslog messages to a Security Events Connector (SEC) installed on a virtual
machine on your network, and this SEC forwards the events to the Stealthwatch cloud for storage.
You view and work with your events using the web-based Cisco Defense Orchestrator (CDO)
portal. Depending on the license you purchase, you can also use the Stealthwatch portal to access
that product's analytics features.
See Cisco Secure Firewall Management Center and Cisco Security Analytics and Logging (SaaS)
Integration Guide.
Supported platforms: FTD with FMC
Administration and Troubleshooting
New licensing capabilities for For ASA FirePOWER and FTD deployments, the ISA 3000 now supports URL Filtering and
ISA 3000. Malware licenses and their associated features.
For FTD only, the ISA 3000 also now supports Specific License Reservation for approved customers.
Supported platforms: ISA 3000
Scheduled remote backups of You can now use the FMC to schedule remote backups of certain managed devices. Previously,
managed devices. only Firepower 7000/8000 series devices supported scheduled backups, and you had to use the
device's local GUI.
New/modified pages: System > Tools > Scheduling > add/edit task > choose Job Type: Backup
> choose a Backup Type
Supported platforms: FTD physical platforms, FTDv for VMware, Firepower 7000/8000 series
Exceptions: No support for FTD clustered devices or container instances
Cisco Secure Firewall Management Center New Features by Release
170
New Features by Release
FMC Features in Version 6.4.x
Feature Details
Ability to disable Duplicate When you enable IPv6, you can disable DAD. You might want to disable DAD because using
Address Detection (DAD) on DAD opens up the possibility of denial of service attacks. If you disable this setting, you need
management interfaces. check manually that this interface is not using an already-assigned address.
New/modified pages: System > Configuration > Management Interfaces > Interfaces area >
edit interface > IPv6 DAD check box
Supported platforms: FMC, Firepower 7000/8000 series
Ability to disable ICMPv6 Echo When you enable IPv6, you can now disable ICMPv6 Echo Reply and Destination Unreachable
Reply and Destination messages. You might want to disable these packets to guard against potential denial of service
Unreachable messages on attacks. Disabling Echo Reply packets means you cannot use IPv6 ping to the device management
management interfaces. interfaces for testing purposes.
New/modified pages: System > Configuration > Management Interfaces > ICMPv6
New/modified commands:
• configure network ipv6 destination-unreachable
• configure network ipv6 echo-reply
Supported platforms: FMC (web interface only), managed devices (CLI only)
Support for the Service-Type For RADIUS authentication of FTD CLI users, you used to have to predefine the usernames in the
attribute for FTD users defined RADIUS external authentication object and manually make sure that the list matched usernames
on the RADIUS server. defined on the RADIUS server. You can now define CLI users on the RADIUS server using the
Service-Type attribute and also define both Basic and Config user roles. To use this method, be
sure to leave the shell access filter blank in the external authentication object.
New/modified pages: System > Users > External Authentication tab > add/edit external
authentication object > Shell Access Filter
Supported platforms: FTD
View object use. The object manager now allows you to see the policies, settings, and other objects where a network,
port, VLAN, or URL object is used.
New/modified pages: Objects > Object Management > choose object type > Find Usage
(binoculars) icon
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
171
New Features by Release
FMC Features in Version 6.4.x
Feature Details
Hit counts for access control and You can now access hit counts for access control and prefilter rules on your FTD devices.
prefilter rules.
New/modified pages:
• Policies > Access Control > Access Control > add/edit policy > Analyze Hit Counts
• Policies > Access Control > Prefilter > add/edit policy > Analyze Hit Counts
New commands:
• show rule hits
• clear rule hits
• cluster exec show rule hits
• cluster exec clear rule hits
• show cluster rule hits
Modified commands: show failover
Supported platforms: FTD
URL Filtering health monitor You can now configure time thresholds for URL Filtering Monitor alerts.
improvements.
New/modified pages: System > Health > Policy > add/edit policy > URL Filtering Monitor
Supported platforms: Any
Connection-based Connection-based troubleshooting or debugging provides uniform debugging across modules to
troubleshooting. collect appropriate logs for a specific connection. It also supports level-based debugging up to 7
levels and enables uniform log collection mechanism for lina and Snort logs.
New/modified commands:
• clear packet debugs
• debug packet start
• debug packet stop
• show packet debugs
Supported platforms: FTD
New Cisco Success Network Added the following Cisco Success Network monitoring capabilities:
monitoring capabilities
• CSPA (Cisco Security Packet Analyzer) query information
• Contextual cross-launch instances enabled on the FMC
• TLS/SSL inspection events
• Snort restarts
Supported platforms: FMC
Security and Hardening
Cisco Secure Firewall Management Center New Features by Release
172
New Features by Release
FMC Features in Version 6.4.x
Feature Details
Signed SRU, VDB, and GeoDB So Firepower can verify that you are using the correct update files, Version 6.4.0+ uses signed
updates. updates for intrusion rules (SRU), the vulnerability database (VDB), and the geolocation database
(GeoDB). Earlier versions continue to use unsigned updates. Unless you manually download
updates from Cosco—for example, in an air-gapped deployment—you should not notice any
difference in functionality.
If, however, you do manually download and install SRU, VDB, and GeoDB updates, make sure
you download the correct package for your current version. Signed update files for Version 6.4.0+
begin with 'Cisco' instead of 'Sourcefire,' and terminate in .sh.REL.tar instead of .sh:
• SRU: Cisco_Firepower_SRU-date-build-vrt.sh.REL.tar
• VDB: Cisco_VDB_Fingerprint_Database-4.5.0-version.sh.REL.tar
• GeoDB: Cisco_GEODB_Update-date-build.sh.REL.tar
Update files for Version 5.x through 6.3 still use the old naming scheme:
• SRU: Sourcefire_Rule_Update-date-build-vrt.sh
• VDB: Sourcefire_VDB_Fingerprint_Database-4.5.0-version.sh
• GeoDB: Sourcefire_Geodb_Update-date-build.sh
We will provide both signed and unsigned updates until the end-of-support for versions that require
unsigned updates. Do not untar signed (.tar) packages.
Note If you accidentally upload a signed update to an older FMC or ASA FirePOWER
device, you must manually delete it. Leaving the package takes up disk space, and
also may cause issues with future upgrades.
Supported platforms: Any
SNMPv3 users can authenticate SNMPv3 users can now authenticate using a SHA-256 algorithm.
using a SHA-256 authorization
New/modified screen: Devices > Platform Settings > SNMP > Users > Auth Algorithm Type
algorithm.
Supported platforms: Firepower Threat Defense
2048-bit certificate keys now Upgrade impact.
required (security
When making secure connections to external data sources, such as AMP for Endpoints or Cisco
enhancement).
Threat Intelligence Detector (TID), the FMC now requires that the server certificate be generated
with keys that are at least 2048 bits long. Certificates previously generated with 1024-bit keys will
no longer work.
Note that this security enhancement was introduced in Version 6.3.0.3. If you are upgrading from
Version 6.1.0 through 6.3.0.2, you may be affected. If you cannot connect, regenerate the server
certificate on your data source. If necessary, reconfigure the FMC connection to the data source.
Supported platforms: FMC
Usability and Performance
Cisco Secure Firewall Management Center New Features by Release
173
New Features by Release
FMC Features in Version 6.4.x
Feature Details
Snort restart improvements. Before Version 6.4.0, during Snort restarts, the system dropped encrypted connections that matched
a 'Do not decrypt' SSL rule or default policy action. Now, routed/transparent traffic passes without
inspection instead of dropping, as long as you did not disable large flow offload or Snort
preserve-connection.
Supported platforms: Firepower 4100/9300
Performance improvement for Upgrade impact.
selected IPS traffic.
Egress optimization is a performance feature targeted for selected IPS traffic. It is enabled by
default on all FTD platforms, and the Version 6.4.0 upgrade process enables egress optimization
on eligible devices.
New/modified commands:
• asp inspect-dp egress optimization
• show asp inspect-dp egress optimization
• clear asp inspect-dp egress optimization
• show conn state egress_optimization
For more information, see the Cisco Secure Firewall Threat Defense Command Reference. To
troubleshoot issues with egress optimization, contact Cisco TAC.
Note To mitigate CSCvq34340, patching FTD device to Version 6.4.0.7+ turns off egress
optimization processing. This happens regardless of whether the egress optimization
feature is enabled or disabled. We recommend you upgrade to Version 6.6+, where
this issue is fixed. That will turn egress optimization back on, if you left the feature
'enabled.' If you remain at Version 6.4.0–6.4.0.6, you should manually disable egress
optimization from the FTD CLI: no asp inspect-dp egress-optimization.
For more information, see the software advisory: FTD traffic outage due to 9344
block size depletion caused by the egress optimization feature.
Supported platforms: FTD
Faster SNMP event logging. Performance improvements when sending intrusion and connection events to an external SNMP
trap server.
Supported platforms: Any
Faster deploy. Improvements to appliance communications and deploy framework.
Supported platforms: FTD
Faster upgrade. Improvements to the event database.
Supported platforms: Any
Firepower Management Center REST API
Cisco Secure Firewall Management Center New Features by Release
174
New Features by Release
FMC Features in Version 6.4.x
Feature Details
New REST API capabilities. Added REST API objects to support Version 6.4.0 features:
• cloudeventsconfigs: Manage SecureX integration.
• ftddevicecluster: Manage chassis clustering.
• hitcounts: Manage hit count statistics for access control and prefilter rules.
• keychain: Manage key chain objects used for rotating authentication when configuring OSPFv2
routing.
• loggingsettings: Manage logging settings for access control policies
Supported platforms: FMC
API Explorer based on OAS. Version 6.4.0 uses a new API Explorer, based on the OpenAPI Specification (OAS). As part of
the OAS, you now use CodeGen to generate sample code. You can still access the legacy API
Explorer if you prefer.
Supported platforms: FMC
Deprecated Features
Deprecated: SSL hardware As part of the TLS crypto acceleration feature, we removed the following FTD CLI commands:
acceleration FTD CLI
• system support ssl-hw-accel enable
commands.
• system support ssl-hw-accel disable
• system support ssl-hw-status
Deprecated: Geolocation details. In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses
to countries/continents, and an IP package that contains additional contextual data associated with
routable IP addresses. The contextual data in the IP package can include additional location details,
as well as connection information such as ISP, connection type, proxy type, domain name, and so
on.
The new country code package has the same file name as the old all-in-one package:
Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to
continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in
an air-gapped deployment—make sure you get the country code package and not the IP package.
Important This split does not affect geolocation rules or traffic handling in any way—those rules
rely only on the data in the country code package. However, because the country code
package essentially replaces the all-in-one package, the contextual data is no longer
updated and will grow stale. To obtain fresh data, upgrade or reimage the FMC to
Version 7.2+ and update the GeoDB.
Cisco Secure Firewall Management Center New Features by Release
175
New Features by Release
FMC Features in Version 6.3.x
FMC Features in Version 6.3.x
Table 28: FMC Features in Version 6.3.x Patches
Feature Details
Version 6.3.0.4 Upgrade impact.
Detection of rule conflicts in After you upgrade to Version 6.3.0.4 or later patch, you can no longer create FTD NAT policies
FTD NAT policies with conflicting rules (often referred to as duplicate or overlapping rules). This fixes an issue where
conflicting NAT rules were applied out-of-order.
If you currently have conflicting NAT rules, you will be able to deploy post-upgrade. However,
your NAT rules will continue to be applied out-of-order.
Therefore, we recommend that after the upgrade, you inspect your FTD NAT policies by editing
(no changes are needed) then attempting to resave. If you have rule conflicts, the system will
prevent you from saving. Correct the issues, save, and then deploy.
Note that upgrading to Version 6.4.0 deprecates this fix. It is fixed again in Version 6.4.0.2.
Version 6.3.0.4 A new module, the ISE Connection Status Monitor, monitors the status of the server connections
between the Cisco Identity Services Engine (ISE) and the FMC.
ISE Connection Status Monitor
module Note that upgrading to Version 6.4.0 deprecates this module. Support returns in Version 6.4.0.2.
New/modified screens: System > > Policy > create or edit policy > ISE Connection Status
Monitor
Version 6.3.0.3 When making secure connections to external data sources, such as AMP for Endpoints or Cisco
Threat Intelligence Detector (TID), the FMC now requires that the server certificate be generated
2048-bit certificate keys now
with keys that are at least 2048 bits long. Certificates previously generated with 1024-bit keys will
required (security enhancement)
no longer work.
If you cannot connect, regenerate the server certificate on your data source. If necessary, reconfigure
the FMC connection to the data source.
Version 6.3.0.1 Upgrade impact.
EMS extension support Version 6.3.0.1 reintroduces EMS extension support, which was introduced in Version 6.2.3.8/6.2.3.9
but was not included in Version 6.3.0.
Both the Decrypt-Resign and Decrypt-Known Key SSL policy actions again support the EMS
extension during ClientHello negotiation, enabling more secure communications. The EMS extension
is defined by RFC 7627.
In FMC deployments, this feature depends on the device version. Although best practice is to
upgrade your whole deployment, this feature is supported even if you patch only the device.
Table 29: FMC Features in Version 6.3.0
Feature Details
Platform
Cisco Secure Firewall Management Center New Features by Release
176
New Features by Release
FMC Features in Version 6.3.x
Feature Details
FMC 1600, 2600, and 4600. We introduced the FMC models FMC 1600, 2600, and 4600.
ISA 3000 with FirePOWER ISA 3000 with FirePOWER Services is supported in Version 6.3 (Protection license only).
Services.
Although ISA 3000 with FirePOWER Services was also supported in Version 5.4.x, you cannot
upgrade to Version 6.3 You must reimage.
Hardware bypass support for the Firepower 2100 series devices now support hardware bypass functionality when using the hardware
Firepower 2100. bypass network modules.
New/modified pages: Devices > Device Management > Interfaces > Edit Physical Interface
Supported platforms: Firepower 2100 series
Support for data EtherChannels You can now set data and data-sharing EtherChannels to either Active LACP mode or to On mode.
in On mode for the Firepower Other types of EtherChannels only support Active mode.
4100/9300.
New/modified Firepower Chassis Manager pages: Interfaces > All Interfaces > Edit Port
Channel > Mode
New/modified FXOS commands: set port-channel-mode
Supported platforms: Firepower 4100/9300
Firepower Threat Defense: HA and Clustering
Cisco Secure Firewall Management Center New Features by Release
177
New Features by Release
FMC Features in Version 6.3.x
Feature Details
Multi-instance capability for You can now deploy multiple logical devices, each with a Firepower Threat Defense container
Firepower 4100/9300. instance, on a single security engine/module. Formerly, you could only deploy a single native
application instance.
To provide flexible physical interface use, you can create VLAN subinterfaces in FXOS and also
share interfaces between multiple instances. Resource management lets you customize performance
capabilities for each instance.
You can use high availability using a container instance on 2 separate chassis. Clustering is not
supported.
Note Multi-instance capability is similar to ASA multiple context mode, although the
implementation is different. Multiple context mode is not available for FTD.
New/modified FMC pages: Devices > Device Management > edit device > Interfaces tab
New/modified Firepower Chassis Manager pages:
• Overview > Devices
• Interfaces > All Interfaces > Add New drop-down menu > Subinterface
• Interfaces > All Interfaces > Type
• Logical Devices > Add Device
• Platform Settings > Mac Pool
• Platform Settings > Resource Profiles
New/modified FXOS commands: connect ftdname, connect module telnet, create bootstrap-key
PERMIT_EXPERT_MODE,create resource-profile, create subinterface, scope auto-macpool,
set cpu-core-count, set deploy-type, set port-type data-sharing, set prefix, set
resource-profile-name, set vlan, scope app-instance ftd name, show cgroups container, show
interface, show mac-address, show subinterface, show tech-support module app-instance,
show version
Supported platforms: Firepower 4100/9300
Cluster control link By default, the cluster control link uses the 127.2.0.0/16 network. You can now set the network
customizable IP Address for the when you deploy the cluster in FXOS. The chassis auto-generates the cluster control link interface
Firepower 4100/9300 IP address for each unit based on the chassis ID and slot ID: 127.2.chassis_id.slot_id. However,
some networking deployments do not allow 127.2.0.0/16 traffic to pass. Therefore, you can now
set a custom /16 subnet for the cluster control link in FXOS except for loopback (127.0.0.0/8) and
multicast (224.0.0.0/4) addresses.
New/modified Firepower Chassis Manager pages: Logical Devices > Add Device > Cluster
Information
New/modified options: CCL Subnet IP field
New/modified FXOS commands: set cluster-control-link network
Supported platforms: Firepower 4100/9300
Cisco Secure Firewall Management Center New Features by Release
178
New Features by Release
FMC Features in Version 6.3.x
Feature Details
Improved FTD cluster addition You can now add any unit of a cluster to the FMC, and the other cluster units are detected
to the FMC automatically. Formerly, you had to add each cluster unit as a separate device, and then group them
into a cluster with the FMC. Adding a cluster unit is also now automatic. Note that you must delete
a unit manually.
New/modified pages:
• Devices > Device Management > Add drop-down menu > Device > Add Device dialog box
• Devices > Device Management > Cluster tab > General area > Cluster Registration Status
> Current Cluster Summary link > Cluster Status dialog box
Supported platforms: Firepower 4100/9300
Firepower Threat Defense: Encryption and VPN
SSL hardware acceleration Additional FTD devices now support SSL hardware acceleration. Also, this option is now enabled
by default.
Upgrading to Version 6.3.0 automatically enables SSL hardware acceleration on eligible devices.
Using SSL hardware acceleration if you are not decrypting traffic can affect performance. We
recommend you disable SSL hardware acceleration on devices that are not decrypting traffic.
Supported platforms: Firepower 2100 series, Firepower 4100/9300
RA VPN: RADIUS Dynamic You can now use RADIUS servers for user authorization of RA VPN using dynamic access control
Authorization or Change of lists (ACLs) or ACL names per user.
Authorization (CoA)
Supported platforms: FTD
RA VPN: Two-Factor Firepower Threat Defense now supports two-factor authentication for RA VPN users using the
Authentication Cisco AnyConnect Secure Mobility Client. For the two-factor authentication process, we support:
• First factor: any RADIUS or LDAP/AD server
• Second factor: RSA tokens or DUO passcodes pushed to mobile
For more information on Duo multi-factor authentication (MFA) for FTD, see the Cisco Firepower
Threat Defense (FTD) VPN with AnyConnect documentation on the Duo Security website.
Supported platforms: FTD
Security Policies
Cisco Secure Firewall Management Center New Features by Release
179
New Features by Release
FMC Features in Version 6.3.x
Feature Details
Firepower Threat Defense You can now configure a Firepower Threat Defense service policy as part of your access control
service policy policy advanced options. Use FTD service policies to apply services to specific traffic classes.
Features supported include:
• TCP State Bypass
• Randomizing TCP sequence numbers
• Decrementing the time-to-live (TTL) value on packets
• Dead Connection Detection
• Setting a limit on the maximum number of connections and embryonic connections per traffic
class and per client.
• Timeouts for embryonic, half closed, and idle connections
Note Before Version 6.3.0, you could configure connection-related service rules using the
TCP_Embryonic_Conn_Limit and TCP_Embryonic_Conn_Timeout predefined
FlexConfig objects. You should remove those objects and redo your rules in the FTD
service policy. If you created any custom FlexConfig objects to implement any of
these connection-related features (that is, set connection commands), you should
also remove those objects and implement the features through the FTD service policy.
Failure to do so can cause deployment issues.
The Threat Defense Service Policies chapter in the FMC configuration guide has
details on how service policies relate to FlexConfig and other features.
New/modified pages: Policies > Access Control > edit/create policy > Advanced tab > Threat
Defense Service Policy
Supported platforms: FTD
Update interval for URL Upgrade impact.
category and reputation data
You can now force URL data to expire. There is a tradeoff between security and performance. A
shorter interval means you use more current data, while a longer interval can make web browsing
faster for your users.
If you worked with Cisco TAC to specify a timeout value for the URL filtering cache, the upgrade
may change that value. Otherwise, the setting defaults to disabled (the current behavior), meaning
that cached URL data does not expire.
New/modified pages: System > Integration > Cisco CSI > Cached URLs Expire setting
Supported platforms: FMC
Event Logging and Analysis
Cisco Secure Firewall Management Center New Features by Release
180
New Features by Release
FMC Features in Version 6.3.x
Feature Details
Cisco Security Packet Analyzer You can integrate with Cisco Security Packet Analyzer to examine events and display analysis
Integration results, or download results for further analysis.
New/modified pages:
• System > Integration > Packet Analyzer
• Analysis > Advanced > Packet Analyzer Queries
• Query Packet Analyzer when right-clicking on an event in the dashboard or event viewer
Supported platforms: FMC
Contextual cross-launch You can right-click an event in the dashboard or event viewer to look up related information in
predefined or custom, public or private URL-based resources.
New/modified pages: Analysis > Advanced > Contextual Cross-Launch
Supported platforms: FMC
Unified syslog configuration Upgrade impact.
Version 6.3.0 changes and centralizes the way the system logs connection and intrusion events via
syslog.
Previously, you configured event logging via syslog in multiple places, depending on the event
type. You now configure syslog messaging in the access control policy. These configurations affect
connection and intrusion event logging for the access control, SSL, prefilter, and intrusion policies,
as well as for Security Intelligence.
The upgrade does not change your existing settings for connection event logging. However, you
may suddenly start receiving intrusion events you did not "expect" via syslog. This is because the
intrusion policy now sends syslog events to the destination specified in the access control policy.
(Before, you could configure syslog alerting in an intrusion policy to send events to the syslog on
the managed device itself rather than to an external host.)
For FTD devices, some syslog platform settings now apply to connection and intrusion event
messages. For a list, see the Platform Settings for Firepower Threat Defense chapter in the FMC
configuration guide.
For NGIPS devices (7000/8000 series, ASA FirePOWER, NGIPSv), messages now use the ISO
8601 timestamp format as specified in RFC 5425.
Supported platforms: Any
Fully qualified syslog messages The format of syslog messages for connection, security intelligence, and intrusion events have the
for connection and intrusion following changes:
events
• Messages from FTD devices now include event type identification numbers.
• Fields with empty or unknown values are no longer included, so messages are shorter and
important data is less likely to be truncated.
• Timestamps now use the ISO 8601 timestamp format as specified in the RFC 5425 syslog
format (optional for FTD, required for Classic).
Supported platforms: Any
Cisco Secure Firewall Management Center New Features by Release
181
New Features by Release
FMC Features in Version 6.3.x
Feature Details
Other syslog improvements for You can send all syslog messages from the same interface (data or management), using the same
FTD devices IP address, using TCP or UDP protocol. Note that secure syslog is supported on data ports only.
You can also use the RFC 5424 format for message timestamps.
Supported platforms: FTD
Administration and Troubleshooting
Export-controlled features for Customers whose Smart Accounts are not otherwise eligible to use restricted functionality can
approved customers purchase term-based licenses, with approval.
New/modified pages: System > Licenses > Smart Licenses
Supported platforms: FMC, FTD
Specific License Reservation for Customers can use Specific License Reservation to deploy Smart Licensing in an air-gapped
approved customers network. The FMC reserves licenses from your virtual account for a specified duration without
accessing the Cisco Smart Software Manager or Smart Software Satellite Server.
New/modified pages: System > Licenses > Specific Licenses
Supported platforms: FMC, FTD (except ISA 3000)
IPv4 range, subnet, and IPv6 You can now use IPv4 range, IPv4 subnet, and IPv6 host network objects to specify the SNMP
support for SNMP hosts hosts that can access a Firepower Threat Defense device.
New/modified pages: Devices > Platform Settings > create or edit FTD policy > SNMP > Hosts
tab
Supported platforms: FTD
Access control using fully You can now create fully qualified domain name (FQDN) network objects and use them in access
qualified domain names control and prefilter rules. To use FQDN objects, you must also configure DNS server groups and
(FQDN) DNS platform settings, so that the system can resolve the domain names.
New/modified pages:
• Objects > Object Management > Network
• Objects > Object Management > DNS Server Group
• Devices > Platform Settings > create or edit FTD policy > DNS
Supported platforms: FTD
CLI for the FMC An CLI for the FMC supports a small set of basic commands (change password, show version,
reboot/restart, and so on). By default the FMC CLI is disabled, and logging into FMC using SSH
accesses the Linux shell.
New/modified Classic CLI commands: The system lockdown-sensor command has changed to
system lockdown. This command now works for both devices and FMCs.
New/modified pages: System > Configuration > Console Configuration > Enable CLI Access
check box
Supported platforms: FMC, including FMCv
Cisco Secure Firewall Management Center New Features by Release
182
New Features by Release
FMC Features in Version 6.3.x
Feature Details
Copy device configurations You can copy device configurations and policies from one device to another.
New/modified pages: Devices > Device Management > edit the device > General area > Get/Push
Device Configuration icons.
Supported platforms: FMC
Backup/restore FTD device You can use the FMC web interface to back up configurations for some FTD devices.
configurations
New/modified pages: System > Tools > Backup/Restore
New/modified CLI commands: restore
Supported platforms: All physical FTD devices, FTDv for VMware
Skip deploying to up-to-date Upgrade impact.
devices when you schedule
When you schedule a task to deploy configuration changes, you can now opt to Skip Deployment
deploy tasks
for up-to-date devices. This performance-enhancing setting is enabled by default.
The upgrade process automatically enables this option on existing scheduled tasks. To continue to
force a scheduled deploy to up-to-date devices, you must edit the scheduled task.
New/modified pages: System > Tools > Scheduling > add or edit a task > choose Job Type of
Deploy Policies
Supported platforms: FMC
New health modules New health modules alert you when:
• Threat Data Updates on Devices: Threat identification data on managed devices fails to
update.
• Realm: A user is reported to the FMC without being downloaded, or a user logs into a domain
that corresponds to a realm not known to the FMC.
New/modified pages:
• System > Health > Policy
• System > Health > Monitor
Supported platforms: FMC
Configurable packet capture size You can now store up to 10 GB of packet captures.
New/modified CLI commands: file-size, show capture
Supported platforms: Firepower 4100/9300
Cisco Secure Firewall Management Center New Features by Release
183
New Features by Release
FMC Features in Version 6.3.x
Feature Details
Web interface changes. Version 6.3 changes these menu options:
Analysis > Advanced > Whois is now Analysis > Lookup > Whois
Analysis > Advanced > Geolocation is now Analysis > Lookup > Geolocation
Analysis > Advanced > URL is now Analysis > Lookup > URL
Analysis > Advanced > Custom is now Analysis > Custom > Custom Workflows
Workflows
Analysis > Advanced > Custom Tables is now Analysis > Custom > Custom Tables
Analysis > Hosts > Vulnerabilities is now Analysis > Vulnerabilities >
Vulnerabilities
Analysis > Hosts > Third-Party is now Analysis > Vulnerabilities > Third-Party
Vulnerabilities Vulnerabilities
Security and Hardening
HTTPS Certificates The default HTTPS server certificate provided with the system now expires in three years.
If your appliance uses a default server certificate that was generated before you upgraded to Version
6.3.0, the server certificate will expire 20 years from when it was first generated. If you are using
the default HTTPS server certificate the system now provides the ability to renew it.
New/modified pages: System > Configuration > HTTPS Certificate > Renew HTTPS Certificate
button
New/modified Classic CLI commands: show http-cert-expire-date, system
renew-http-certnew_key
Supported platforms: Physical FMCs, 7000/8000 series devices
Improved login security Upgrade impact.
Added FMC user configuration settings to improve login security:
• Track Successful Logins: Track the number of successful logins each FMC account has
performed within a specific time period.
• Password Reuse Limit: Track an FMC user's password history to prevent reuse.
• Max Number of Login Failures and Set Time in Minutes to Temporarily Lockout Users:
Limit the number of times in a row an FMC user can enter incorrect web interface login
credentials before being temporarily blocked.
We also updated the list of supported ciphers and cryptographic algorithms for secure SSH access.
If your SSH client fails to connect with a Firepower appliance due to a cipher error, update your
client to the latest version.
New/modified pages: System > Configuration > User Configuration
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
184
New Features by Release
FMC Features in Version 6.3.x
Feature Details
Limit SSH login failures on When a user accesses any device via SSH and fails three successive login attempts, the device
devices terminates the SSH session.
Supported platforms: Any device
Usability and Performance
How-to walkthroughs FMC walkthroughs (also called how-tos) guide you through a variety of basic tasks such as device
setup and policy configuration. Just click How To at the bottom of the browser window, choose
a walkthrough, and follow the step-by-step instructions. To end a walkthrough at any time, click
the x in the upper right corner.
Note FMC walkthroughs are tested on the Firefox and Chrome browsers. If you encounter
issues with a different browser, we ask that you switch to Firefox or Chrome. If you
continue to encounter issues, contact Cisco TAC.
The following are some common problems and solutions:
• Problem: Cannot find the link to start walkthroughs.
Solution: Make sure walkthroughs are enabled. From the drop-down list under your username,
select User Preferences then click How-To Settings.
• Problem: Walkthrough appears when you do not expect it.
Solution: End the walkthrough.
• Problem: Walkthrough disappears or quits suddenly.
Solution: Move your pointer, or navigate to a different page and try again.
• Problem: Walkthrough is out of sync with the FMC (starts on the wrong step, advances
prematurely, will not advance).
Solution: Attempt to continue. For example, if you enter an invalid value in a field and the
FMC displays an error, the walkthrough can prematurely move on. You may need to go back
and resolve the error to complete the task. However, sometimes you cannot continue. For
example, if you do not click Next after you complete a step, you may need to end the
walkthrough, navigate to a different page, and try again.
Firepower Management Center REST API
New REST API services Added REST API services to support these features:
• Site-to-site VPN topology: ftds2svpns, endpoints, ipsecsettings, advancedsettings, ikesettings,
ikev1ipsecproposals, ikev1policies, ikev2ipsecproposals, ikev2policies
• HA device failover: failoverinterfacemacaddressconfigs, monitoredinterfaces
Supported platforms: FMC
Bulk overrides You can now perform bulk overrides on specific objects. For a full list, see the Cisco Firepower
Management Center REST API Quick Start Guide.
Deprecated Features
Cisco Secure Firewall Management Center New Features by Release
185
New Features by Release
FMC Features in Version 6.3.x
Feature Details
End of support: VMware Version 6.3 discontinues support for virtual deployments on VMware vSphere/VMware ESXi 6.0.
vSphere/VMware ESXi 5.5. Upgrade the hosting environment to a supported version before you upgrade the Firepower software.
End of support: ASA 5512-X You cannot run Version 6.3+ on the ASA 5506-X, 5506H-X, 5506W-X, and 5512-X.
and 5506-X series.
Deprecated: EMS extension Upgrade impact.
support for decryption
Version 6.3.0 temporarily discontinues EMS extension support, which was introduced in Version
(temporary).
6.2.3.8/6.2.3.9. This means that the Decrypt-Resign and Decrypt-Known Key SSL policy actions
no longer support the EMS extension during ClientHello negotiation, which would enable more
secure communications. The EMS extension is defined by RFC 7627.
In FMC deployments, this feature depends on the device version. Upgrading the FMC to Version
6.3.0 does not discontinue support, as long as the device is running a supported version. However,
upgrading the device to Version 6.3.0 does discontinue support.
Support is reintroduced in Version 6.3.0.1.
Deprecated: Decryption on Upgrade impact.
passive and inline tap interfaces.
Version 6.3 ends support for decrypting traffic on interfaces in passive or inline tap mode, even
though the GUI allows you to configure it. Any inspection of encrypted traffic is necessarily limited.
Deprecated: Default DNS group Version 6.3 deprecates this FlexConfig object for FTD with FMC:
with FlexConfig.
• Default_DNS_Configure
And these associated text objects:
• defaultDNSNameServerList
• defaultDNSParameters
These allowed you to configure the Default DNS group, which defines the DNS servers that can
be used when resolving fully qualified domain names on the data interfaces. This allowed you to
use commands in the CLI, such as ping, using host names rather than IP addresses.
You can now configure DNS for the data interfaces in the FTD platform settings policy: Devices >
Platform Settings > create or edit FTD policy > DNS.
Cisco Secure Firewall Management Center New Features by Release
186
New Features by Release
FMC Features in Version 6.3.x
Feature Details
Deprecated: Embryonic Can cause post-upgrade deployment issues.
connection limit and timeout
Version 6.3 deprecates these FlexConfig objects for FTD with FMC:
with FlexConfig.
• TCP_Embryonic_Conn_Limit
• TCP_Embryonic_Conn_Timeout
And these associated text objects:
• tcp_conn_misc
• tcp_conn_limit
• tcp_conn_timeout
These allowed you to configure embryonic connection limits and timeouts to protect against SYN
Flood Denial of Service (DoS) attacks.
You can now configure these features in the FTD service policy: Policies > Access Control >
add/edit policy > Advanced tab > Threat Defense Service Policy.
Caution If you used set connection commands to implement connection-related service rules,
you should remove the associated objects and implement the features through the
FTD service policy. Failure to do so can cause deployment issues.
Deprecated: Geolocation details. In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses
to countries/continents, and an IP package that contains additional contextual data associated with
routable IP addresses. The contextual data in the IP package can include additional location details,
as well as connection information such as ISP, connection type, proxy type, domain name, and so
on.
The new country code package has the same file name as the old all-in-one package:
Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to
continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in
an air-gapped deployment—make sure you get the country code package and not the IP package.
Important This split does not affect geolocation rules or traffic handling in any way—those rules
rely only on the data in the country code package. However, because the country code
package essentially replaces the all-in-one package, the contextual data is no longer
updated and will grow stale. To obtain fresh data, upgrade or reimage the FMC to
Version 7.2+ and update the GeoDB.
Cisco Secure Firewall Management Center New Features by Release
187
New Features by Release
FMC Features in Version 6.2.3
FMC Features in Version 6.2.3
Table 30: FMC Features in Version 6.2.3 Patches
Feature Details
Version 6.2.3.13 After you upgrade to Version 6.2.3.13+, you can no longer create FTD NAT policies with conflicting
rules (often referred to as duplicate or overlapping rules). This fixes an issue where conflicting
Detection of rule conflicts in
NAT rules were applied out-of-order.
FTD NAT policies
If you currently have conflicting NAT rules, you will be able to deploy post-upgrade. However,
your NAT rules will continue to be applied out-of-order.
Therefore, we recommend that after the upgrade, you inspect your FTD NAT policies by editing
(no changes are needed) then attempting to resave. If you have rule conflicts, the system will
prevent you from saving. Correct the issues, save, and then deploy.
Note Upgrading to Version 6.3.0 or 6.4.0 deprecates this fix. The issue is addressed in
Version 6.3.0.4 and 6.4.0.2.
Supported platforms: FTD
Version 6.2.3.8 Both the Decrypt-Resign and Decrypt-Known Key SSL policy actions now support the EMS
extension during ClientHello negotiation, enabling more secure communications. The EMS extension
EMS extension support
is defined by RFC 7627.
Note Version 6.2.3.8 was removed from the Cisco Support & Download site on 2019-01-07.
Upgrading to Version 6.2.3.9 also enables EMS extension support. Version 6.3.0
discontinues EMS extension support. In FMC deployments, this feature depends on
the device version. Upgrading the FMC to Version 6.3.0 does not discontinue support,
but upgrading the device does. Support is reintroduced in Version 6.3.0.1.
Supported platforms: Any
Version 6.2.3.7 A new CLI command allows you to specify when to downgrade TLS v1.3 connections to TLS
v1.2.
TLS v1.3 downgrade CLI
command for FTD Many browsers use TLS v1.3 by default. If you are using an SSL policy to handle encrypted traffic,
and people in your monitored network use browsers with TLS v1.3 enabled, websites that support
TLS v1.3 fail to load.
For more information, see the system support commands in the Cisco Secure Firewall Threat
Defense Command Reference. We recommend you use these commands only after consulting with
Cisco TAC.
Supported platforms: FTD
Version 6.2.3.3 You can now configure site-to-site VPN with clustering. Site-to-site VPN is a centralized feature;
only the control unit supports VPN connections.
Site-to-site VPN with clustering
Supported platforms: Firepower 4100/9300
Cisco Secure Firewall Management Center New Features by Release
188
New Features by Release
FMC Features in Version 6.2.3
Table 31: FMC Features in Version 6.2.3
Feature Details
Platform
FTD on the ISA 3000. You can now run FTD on the ISA 3000 series.
Note that the ISA 3000 supports the Threat license only. It does not support the URL Filtering or
Malware licenses. Thus, you cannot configure features that require the URL Filtering or Malware
licenses on an ISA 3000. Special features for the ISA 3000 that were supported with the ASA,
such as Hardware Bypass, Alarm ports, and so on, are not supported with FTD in this release.
Support for VMware ESXi 6.5. You can now deploy FMCv, FTDv, and NGIPSv virtual appliances on VMware vSphere/VMware
ESXi 6.5.
Firepower Threat Defense: Encryption and VPN
SSL hardware acceleration for Firepower 4100/9300 with FTD now support SSL encryption and decryption acceleration in
Firepower 4100/9300 hardware, greatly improving performance. SSL hardware acceleration is disabled by default for
all appliances that support it.
Note This feature is renamed TLS crypto acceleration in Version 6.4.0+.
Supported platforms: Firepower 4100/9300
Certificate enrollment Non-blocking work flow for certificate enrollment operation allows certificate enrollment on
improvements multiple FTD devices in parallel:
• The administrator can now choose to have the Remote Access VPN Policy wizard enroll
certificates for all devices in the policy by checking Enroll the selected certificate object
on the target devices check box in the Access & Certificate step. If this is chosen, only
deployment needs to be done after the wizard finishes. This is selected by default.
• Administrators no longer have to initiate Remote Access VPN certificate enrollment on devices
one at a time. The enrollment process for each device is now independent and can be done in
parallel.
• In the event of a PKS12 certificate enrollment failure, the administrator no longer needs to
re-upload the PKS12 file again to retry enrollment, since it is now stored in the certificate
enrollment object.
Supported platforms: FTD
Firepower Threat Defense: High Availability and Clustering
Automatically rejoin the FTD Formerly, many internal error conditions caused a cluster unit to be removed from the cluster, and
cluster after an internal failure you were required to manually rejoin the cluster after resolving the issue. Now, a unit will attempt
to rejoin the cluster automatically at the following intervals: 5 minutes, 10 minutes, and then 20
minutes. Internal failures include: application sync timeout; inconsistent application statuses; and
so on.
New/modified command: show cluster info auto-join
Supported platforms: Firepower 4100/9300
Cisco Secure Firewall Management Center New Features by Release
189
New Features by Release
FMC Features in Version 6.2.3
Feature Details
FTD High Availability Version 6.2.3 introduces the following features for FTD devices in high availability:
Hardening
• Whenever active or standby FTD devices in a high availability pair restart, the FMC may not
display accurate high availability status for either managed device. However, the status may
not upgrade on the FMC because the communication between the device and the FMC is not
established yet. The Refresh Node Status option on the Devices > Device Management
page allows you to refresh the high availability node status to obtain accurate information
about the active and standby device in a high availability pair.
• The Devices > Device Management page of the FMC UI has a new Switch Active Peer
icon.
• Version 6.2.3 includes a new REST API object, Device High Availability Pair Services,
that contains four functions:
• DELETE ftddevicehapairs
• PUT ftddevicehapairs
• POST ftddevicehapairs
• GET ftddevicehapairs
Administration and Troubleshooting
FMC High Availability FMC high availability pairs have improved UI messaging. The UI now displays interim status
Messaging messages while FMC pairs are being established and rephrased UI messaging to be more intuitive.
Supported platforms: FMC
External Authentication added You can now configure external authentication for SSH access to FTD devices using LDAP or
for FTD SSH Access RADIUS.
New/modified screen: Devices > Platform Settings > External Authentication
Supported platforms: FTD
Enhanced Vulnerability The FMC now warns you before you install a VDB that installing restarts the Snort process,
Database (VDB) Installation interrupting traffic inspection and, depending on how the managed device handles traffic, possibly
interrupting traffic flow. You can cancel the install until a more convenient time, such as during a
maintenance window.
These warnings can appear:
• After you download and manually install a VDB.
• When you create a scheduled task to install the VDB.
• When the VDB installs in the background, such as during a previously scheduled task or as
part of a Firepower software upgrade.
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
190
New Features by Release
FMC Features in Version 6.2.3
Feature Details
Upgrade Package Push You can now copy (or push) an upgrade package from the FMC to a managed device before you
run the actual upgrade. This is useful because you can push during times of low bandwidth use,
outside of the upgrade maintenance window.
When you push to high availability, clustered, or stacked devices, the system sends the upgrade
package to the active/control/primary first, then to the standby/data/secondary.
New/modified screens: System > Updates
Supported platforms: FMC
FTD serviceability Version 6.2.3 improves the show fail over CLI command. The new keyword, -history, details to
help troubleshooting.
• Show fail over history displays failure reason along with its specific details.
• Show fail over history details displays fail over history from the peer unit.
Note This command includes fail over state changes and the reason for the state change
for the peer unit.
Supported platforms: FTD
Device list sorting On the Devices > Devices Management page, you can use the View by drop-down list to sort and
view the device list by any of the following categories: group, license, model, or access control
policy. In a multidomain deployment, you can also sort and view by domain, which is the default
display category in that deployment. Devices must belong to a leaf domain.
Supported platforms: FMC
Audit log improvements The audit log now denotes if a policy changed on the FTD Platform Settings Devices > Platform
Settings page.
Supported platforms: FMC with FTD
Updated FTD CLI commands The asa_mgmt_plane and asa_dataplane options for FTD device CLI commands are renamed
to management-plane and data-plane respectively.
Supported platforms: FTD
Cisco Success Network Upgrade impact.
Cisco Success Network sends usage information and statistics to Cisco, which are essential to
provide you with technical support.
During initial setup and upgrades, you may be asked to enroll. You can also change your enrollment
at any time.
Supported platforms: FMC
Cisco Secure Firewall Management Center New Features by Release
191
New Features by Release
FMC Features in Version 6.2.3
Feature Details
Web Analytics Tracking Upgrade impact.
Web analytics provides non-personally-identifiable usage data to Cisco, including but not limited
to page interactions, browser versions, product versions, user location, and management IP addresses
or hostnames of your management centers.
Initial setup enrolls you in web analytics tracking by default, but you can change your enrollment
at any time after that. Upgrades can also enroll or re-enroll you in web analytics tracking.
Supported platforms: FMC
Performance
Snort restarts reduced for FTD In Version 6.2.3, fewer FTD configuration changes restart the Snort process on FTD devices.
devices
The FMC now warns you before you deploy if the configuration deployment restarts the Snort
process, interrupting traffic inspection and, depending on how the managed device handles traffic,
possibly interrupting traffic flow.
Supported platforms: FTD
Traffic Drop on Policy Apply Version 6.2.3 adds the configure snort preserve-connection {enable | disable} command to the
FTD CLI. This command determines whether to preserve existing connections on routed and
transparent interfaces if the Snort process goes down. When disabled, all new or existing connections
are dropped when Snort goes down and remain dropped until Snort resume. When enabled,
connections that were already allowed remain established, but new connections cannot be established
until Snort is again available.
Note that you cannot permanently disable this command on a FTD device managed by FDM;
existing connections may drop when the settings revert to default during the next configuration
deployment.
Increased memory capacity for Versions 6.1.0.7, 6.2.0.5, 6.2.2.2, and 6.2.3 increase the memory capacity for lower-end Firepower
lower-end appliances appliances. This reduces the number of health alerts.
Faster ISE pxGrid discovery If an ISE pxGrid deployed in high availability fails or becomes unreachable, the FMC now discovers
the new active pxGrid faster.
Cisco Secure Firewall Management Center New Features by Release
192
New Features by Release
FMC Features in Version 6.2.3
Feature Details
New result limits in reports. Upgrade can change report settings.
Version 6.2.3 limits the number of results you can use or include in a report section. For table and
detail views, you can include fewer records in a PDF report than in an HTML/CSV report.
For HTML/CSV report sections, the new limits are:
• Bar and pie charts: 100 (top or bottom)
• Table views: 400,000
• Detail views: 1,000
For PDF report sections, the new limits are:
• Bar and pie charts: 100 (top or bottom)
• Table views: 100,000
• Detail views: 500
If, before you upgrade the FMC, a section in a report template specifies a larger number of results
than the HTML/CSV maximum, the upgrade process lowers the setting to the new maximum value.
For report templates that generate PDF reports, if you exceed the PDF limit in any template section,
the upgrade process changes the output format to HTML. To continue generating PDFs, lower the
results limit to the PDF maximum. If you do this after the upgrade, set the output format back to
PDF.
Firepower Management Center REST API
FMC REST API Improvements The new FMC REST APIs support the use of CRUD (create, retrieve, upgrade, and delete) operations
for NAT rules, static routing configuration, and corresponding objects while migrating from ASA
FirePOWER to FTD.
Newly introduced APIs for NAT:
• NAT rules
• FTD NAT policies
• Auto NAT rules
• Manual NAT rules
When deploying FTD devices in Cisco ACI, APIs enable APIC controller to add proper static
routes in place, along with other configuration settings that are needed for a particular service
graph. It also enables PBR service graph insertion, which is currently the most flexible way of
inserting FTD in ACI.
Newly introduced APIs for Static Route:
• IPv4 static routes
• IPv6 static routes
• SLA monitors
Cisco Secure Firewall Management Center New Features by Release
193
New Features by Release
FMC Features in Version 6.2.3
Feature Details
Deprecated Features
Expired CA certificates for On June 15, 2018, some Firepower deployments stopped being able to submit files for dynamic
dynamic analysis with AMP for analysis. This occurred due to an expired CA certificate that was required for communications with
Networks. the AMP Threat Grid cloud. Version 6.3 is the first major version with the new certificate.
If you do not want to upgrade to Version 6.3+, you can patch to obtain the new certificate and
reenable dynamic analysis, as follows:
• Version 6.2.3 → patch to Version 6.2.3.4
• Version 6.2.2 → patch to Version 6.2.2.4
• Version 6.2.1 → no patches available
• Version 6.2 → patch to Version 6.2.0.6
• Version 6.1 → patch to Version 6.1.0.7
• Version 6.0 → no patches available
You can also apply a hotfix. For available hotfixes, see the Cisco Secure Firewall Threat
Defense/Firepower Hotfix Release Notes. Find the hotfix for your version and platform that applies
to CSCvj07038: Firepower devices need to trust Threat Grid certificate.
If this is your first time installing the patch or hotfix, make sure your firewall allows outbound
connections to fmc.api.threatgrid.com (replacing panacea.threatgrid.com) from both the
FMC and its managed devices.
Note that upgrading a patched or hotfixed deployment to either Version 6.2.0 or Version 6.2.3
reverts to the old certificate and you must patch or hotfix again.
Deprecated: Geolocation details. In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses
to countries/continents, and an IP package that contains additional contextual data associated with
routable IP addresses. The contextual data in the IP package can include additional location details,
as well as connection information such as ISP, connection type, proxy type, domain name, and so
on.
The new country code package has the same file name as the old all-in-one package:
Cisco_GEODB_Update-date-build. This allows deployments running Version 7.1 and earlier to
continue to obtain GeoDB updates. If you manually download GeoDB updates—for example, in
an air-gapped deployment—make sure you get the country code package and not the IP package.
Important This split does not affect geolocation rules or traffic handling in any way—those rules
rely only on the data in the country code package. However, because the country code
package essentially replaces the all-in-one package, the contextual data is no longer
updated and will grow stale. To obtain fresh data, upgrade or reimage the FMC to
Version 7.2+ and update the GeoDB.
Cisco Secure Firewall Management Center New Features by Release
194
New Features by Release
Release Dates
Release Dates
Table 32: Version 7.4 Dates
Version Build Date Platforms
7.4.1.1 12 2024-04-15 All
7.4.1 172 2023-12-13 All
7.4.0 81 2023-09-07 Management center
Secure Firewall 4200 series
Table 33: Version 7.3 Dates
Version Build Date Platforms
7.3.1.1 83 2023-08-24 All
7.3.1 19 2023-03-14 All
7.3.0 69 2022-11-29 All
Table 34: Version 7.2 Dates
Version Build Date Platforms
7.2.7 500 2024-04-29 All
7.2.6 168 2024-04-22 No longer available.
167 2024-03-19 No longer available.
7.2.5.2 4 2024-05-06 All
7.2.5.1 29 2023-11-14 All
7.2.5 208 2023-07-27 All
7.2.4.1 43 2023-07-27 All
7.2.4 169 2023-05-10 Management center
165 2023-05-03 Devices
7.2.3.1 13 2023-04-18 Management center
7.2.3 77 2023-02-27 All
7.2.2 54 2022-11-29 All
7.2.1 40 2022-10-03 All
Cisco Secure Firewall Management Center New Features by Release
195
New Features by Release
Release Dates
Version Build Date Platforms
7.2.0.1 12 2022-08-10 All
7.2.0 82 2022-06-06 All
Table 35: Version 7.1 Dates
Version Build Date Platforms
7.1.0.3 108 2022-03-15 All
7.1.0.2 28 2022-08-03 FMC/FMCv
Secure Firewall 3100 series
7.1.0.1 28 2022-02-24 FMC/FMCv
All devices except Secure Firewall 3100 series
7.1.0 90 2021-12-01 All
Table 36: Version 7.0 Dates
Version Build Date Platforms
7.0.6.2 65 2024-04-15 All
7.0.6.1 36 2023-11-13 All
7.0.6 236 2023-07-18 All
7.0.5.1 5 2023-04-26 NGIPSv
For devices with security certifications compliance enabled
(CC/UCAPL mode). Use with a Version 7.0.5 FMC.
7.0.5 72 2022-11-17 All
7.0.4 55 2022-08-10 All
7.0.3 37 2022-06-30 All
7.0.2.1 10 2022-06-27 All
7.0.2 88 2022-05-05 All
7.0.1.1 11 2022-02-17 All
7.0.1 84 2021-10-07 All
7.0.0.1 15 2021-07-15 All
7.0.0 94 2021-05-26 All
Cisco Secure Firewall Management Center New Features by Release
196
New Features by Release
Release Dates
Table 37: Version 6.7 Dates
Version Build Date Platforms
6.7.0.3 105 2022-02-17 All
6.7.0.2 24 2021-05-11 All
6.7.0.1 13 2021-03-24 All
6.7.0 65 2020-11-02 All
Table 38: Version 6.6 Dates
Version Build Date Platforms
6.6.7.2 11 2024-04-24 All
6.6.7.1 42 2023-01-26 All
6.6.7 223 2022-07-14 All
6.6.5.2 14 2022-03-24 All
6.6.5.1 15 2021-12-06 All
6.6.5 81 2021-08-03 All
6.6.4 64 2021-04-29 Firepower 1000 series
59 2021-04-26 FMC/FMCv
All devices except Firepower 1000 series
6.6.3 80 2020-03-11 All
6.6.1 91 2020-09-20 All
90 2020-09-08 —
6.6.0.1 7 2020-07-22 All
6.6.0 90 2020-05-08 Firepower 4112
2020-04-06 FMC/FMCv
All devices except Firepower 4112
Table 39: Version 6.5 Dates
Version Build Date Platforms: Upgrade Platforms: Reimage
6.5.0.5 95 2021-02-09 All —
6.5.0.4 57 2020-03-02 All —
Cisco Secure Firewall Management Center New Features by Release
197
New Features by Release
Release Dates
Version Build Date Platforms: Upgrade Platforms: Reimage
6.5.0.3 30 2020-02-03 No longer available. —
6.5.0.2 57 2019-12-19 All —
6.5.0.1 35 2019-11-20 No longer available. —
6.5.0 123 2020-02-03 FMC/FMCv FMC/FMCv
120 2019-10-08 — —
115 2019-09-26 All devices All devices
Table 40: Version 6.4 Dates
Version Build Date Platforms
6.4.0.18 24 2024-04-24 All
6.4.0.17 26 2023-09-28 All
6.4.0.16 50 2022-11-21 All
6.4.0.15 26 2022-05-31 All
6.4.0.14 67 2022-02-18 All
6.4.0.13 57 2021-12-02 All
6.4.0.12 112 2021-05-12 All
6.4.0.11 11 2021-01-11 All
6.4.0.10 95 2020-10-21 All
6.4.0.9 62 2020-05-26 All
6.4.0.8 28 2020-01-29 All
6.4.0.7 53 2019-12-19 All
6.4.0.6 28 2019-10-16 No longer available.
6.4.0.5 23 2019-09-18 All
6.4.0.4 34 2019-08-21 All
6.4.0.3 29 2019-07-17 All
Cisco Secure Firewall Management Center New Features by Release
198
New Features by Release
Release Dates
Version Build Date Platforms
6.4.0.2 35 2019-07-03 FMC/FMCv
FTD/FTDv, except Firepower 1000 series
34 2019-06-27 —
2019-06-26 Firepower 7000/8000 series
ASA FirePOWER
NGIPSv
6.4.0.1 17 2019-06-27 FMC 1600, 2600, 4600
2019-06-20 Firepower 4115, 4125, 4145
Firepower 9300 with SM-40, SM-48, and SM-56 modules
2019-05-15 FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500
FMCv
Firepower 2110, 2120, 2130, 2140
Firepower 4110, 4120, 4140, 4150
Firepower 9300 with SM-24, SM-36, and SM-44 modules
ASA 5508-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X
ASA 5585-X-SSP-10, -20, -40, -60
ISA 3000
FTDv
Firepower 7000/8000 series
NGIPSv
Cisco Secure Firewall Management Center New Features by Release
199
New Features by Release
Release Dates
Version Build Date Platforms
6.4.0 113 2020-03-03 FMC/FMCv
102 2019-06-20 Firepower 4115, 4125, 4145
Firepower 9300 with SM-40, SM-48, and SM-56 modules
2019-06-13 Firepower 1010, 1120, 1140
2019-04-24 Firepower 2110, 2120, 2130, 2140
Firepower 4110, 4120, 4140, 4150
Firepower 9300 with SM-24, SM-36, and SM-44 modules
ASA 5508-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X
ASA 5585-X-SSP-10, -20, -40, -60
ISA 3000
FTDv
Firepower 7000/8000 series
NGIPSv
Table 41: Version 6.3 Dates
Version Build Date Platforms: Upgrade Platforms: Reimage
6.3.0.5 35 2019-11-18 Firepower 7000/8000 series —
NGIPSv
34 2019-11-18 FMC/FMCv —
All FTD devices
ASA FirePOWER
6.3.0.4 44 2019-08-14 All —
6.3.0.3 77 2019-06-27 FMC 1600, 2600, 4600 —
2019-05-01 FMC 750, 1000, 1500, 2000, —
2500, 3500, 4000, 4500
FMCv
All devices
6.3.0.2 67 2019-06-27 FMC 1600, 2600, 4600 —
2019-03-20 FMC 750, 1000, 1500, 2000, —
2500, 3500, 4000, 4500
FMCv
All devices
Cisco Secure Firewall Management Center New Features by Release
200
New Features by Release
Release Dates
Version Build Date Platforms: Upgrade Platforms: Reimage
6.3.0.1 85 2019-06-27 FMC 1600, 2600, 4600 —
2019-02-18 FMC 750, 1000, 1500, 2000, —
2500, 3500, 4000, 4500
FMCv
All devices
6.3.0 85 2019-01-22 Firepower 4100/9300 Firepower 4100/9300
84 2018-12-18 FMC/FMCv —
ASA FirePOWER
83 2019-06-27 — FMC 1600, 2600, 4600
2018-12-03 All FTD devices except FMC 750, 1000, 1500, 2000,
Firepower 4100/9300 2500, 3500, 4000, 4500
Firepower 7000/8000 FMCv
NGIPSv All devices except Firepower
4100/9300
Table 42: Version 6.2.3 Dates
Version Build Date Platforms: Upgrade Platforms: Reimage
6.2.3.18 50 2022-02-16 All —
6.2.3.17 30 2021-06-21 All —
6.2.3.16 59 2020-07-13 All —
6.2.3.15 39 2020-02-05 FTD/FTDv —
38 2019-09-18 FMC/FMCv —
Firepower 7000/8000
ASA FirePOWER
NGIPSv
6.2.3.14 41 2019-07-03 All —
36 2019-06-12 All —
6.2.3.13 53 2019-05-16 All —
6.2.3.12 80 2019-04-17 All —
6.2.3.11 55 2019-03-17 All —
53 2019-03-13 — —
Cisco Secure Firewall Management Center New Features by Release
201
New Features by Release
Release Dates
Version Build Date Platforms: Upgrade Platforms: Reimage
6.2.3.10 59 2019-02-07 All —
6.2.3.9 54 2019-01-10 All —
6.2.3.8 51 2019-01-02 No longer available. —
6.2.3.7 51 2018-11-15 All —
6.2.3.6 37 2018-10-10 All —
6.2.3.5 53 2018-11-06 FTD/FTDv —
52 2018-09-12 FMC/FMCv —
Firepower 7000/8000
ASA FirePOWER
NGIPSv
6.2.3.4 42 2018-08-13 All —
6.2.3.3 76 2018-07-11 All —
6.2.3.2 46 2018-06-27 All —
42 2018-06-06 — —
6.2.3.1 47 2018-06-28 All —
45 2018-06-21 — —
43 2018-05-02 — —
Cisco Secure Firewall Management Center New Features by Release
202
New Features by Release
Release Dates
Version Build Date Platforms: Upgrade Platforms: Reimage
6.2.3 113 2020-06-01 FMC/FMCv FMC/FMCv
111 2019-11-25 — FTDv: AWS, Azure
110 2019-06-14 — —
99 2018-09-07 — —
96 2018-07-26 — —
92 2018-07-05 — —
88 2018-06-11 — —
85 2018-04-09 — —
84 2018-04-09 Firepower 7000/8000 series —
NGIPSv
83 2018-04-02 FTD/FTDv FTD: Physical platforms
ASA FirePOWER FTDv: VMware, KVM
Firepower 7000/8000
ASA FirePOWER
NGIPSv
79 2018-03-29 — —
Table 43: Version 6.2.2 Dates
Version Build Date Platforms
6.2.2.5 57 2018-11-27 All
6.2.2.4 43 2018-09-21 FTD/FTDv
34 2018-07-09 FMC/FMCv
Firepower 7000/8000
ASA FirePOWER
NGIPSv
32 2018-06-15 —
6.2.2.3 69 2018-06-19 All
66 2018-04-24 —
6.2.2.2 109 2018-02-28 All
Cisco Secure Firewall Management Center New Features by Release
203
New Features by Release
Release Dates
Version Build Date Platforms
6.2.2.1 80 2017-12-05 Firepower 2100 series
78 2017-11-20 —
73 2017-11-06 FMC/FMCv
All devices except Firepower 2100 series
6.2.2 81 2017-09-05 All
Cisco Secure Firewall Management Center New Features by Release
204
© 2021–2024 Cisco Systems, Inc. All rights reserved.
You might also like
- CISCO FMC Management Center Device Config 77No ratings yetCISCO FMC Management Center Device Config 772,792 pages
- Cisco - Secure - Firewall - Management - Center - Hardening - Guide - v72 - Last Updated 27 June 2022No ratings yetCisco - Secure - Firewall - Management - Center - Hardening - Guide - v72 - Last Updated 27 June 202219 pages
- Cisco Secure Firewall Threat Defense Hardening Guide, Version 7.2No ratings yetCisco Secure Firewall Threat Defense Hardening Guide, Version 7.219 pages
- Keeping Up On Network Security W Cisco Secure FirewallNo ratings yetKeeping Up On Network Security W Cisco Secure Firewall62 pages
- Cisco Sdwan Security Policy Design GuideNo ratings yetCisco Sdwan Security Policy Design Guide53 pages
- DC TAC Time My Time As An Escalation Engineer Lessons From The Front LinesNo ratings yetDC TAC Time My Time As An Escalation Engineer Lessons From The Front Lines62 pages
- Cisco Secure Firewall Threat Defense Hardening Guide Version 72 - Last Updated 30 April 2022No ratings yetCisco Secure Firewall Threat Defense Hardening Guide Version 72 - Last Updated 30 April 202218 pages
- CISBenchmarkingAndComplianceRefreshFD R230No ratings yetCISBenchmarkingAndComplianceRefreshFD R23060 pages
- SW 7 0 X To 7 1 1 Stealthwatch Update Guide DV 2 0No ratings yetSW 7 0 X To 7 1 1 Stealthwatch Update Guide DV 2 062 pages
- Cisco Secure Firewall Management Center (Formerly Firepower Management Center)No ratings yetCisco Secure Firewall Management Center (Formerly Firepower Management Center)14 pages
- Software Guidance: Cisco Application Centric InfrastructureNo ratings yetSoftware Guidance: Cisco Application Centric Infrastructure4 pages
- T24 Browser - Navigation: Temenos T24 Media Release T24R05100% (1)T24 Browser - Navigation: Temenos T24 Media Release T24R0558 pages
- Release Notes For Cisco Wireless LAN Controllers and Lightweight Access Points For Release 7.2.110.0No ratings yetRelease Notes For Cisco Wireless LAN Controllers and Lightweight Access Points For Release 7.2.110.046 pages
- Firepower Release Notes, Version 6.6.1 and 6.6.3No ratings yetFirepower Release Notes, Version 6.6.1 and 6.6.388 pages
- B Cisco APIC Layer 2 Configuration GuideNo ratings yetB Cisco APIC Layer 2 Configuration Guide256 pages
- Firewall 7.2 Basic Lab v3.2 220729-FinalNo ratings yetFirewall 7.2 Basic Lab v3.2 220729-Final118 pages
- Zeta 633 / Zeta 633 L: Whole New Dimension of FlexibilityNo ratings yetZeta 633 / Zeta 633 L: Whole New Dimension of Flexibility6 pages
- 204.4295.40 - DmOS - Release Notes - 5.6.0 - EnglishNo ratings yet204.4295.40 - DmOS - Release Notes - 5.6.0 - English24 pages
- DSP Lab Manual: 332:348 - Digital Signal Processing LaboratoryNo ratings yetDSP Lab Manual: 332:348 - Digital Signal Processing Laboratory82 pages
- NASSCOM COPA M12 Creating and Running Simple Python Programs ILT PPT V2No ratings yetNASSCOM COPA M12 Creating and Running Simple Python Programs ILT PPT V2142 pages
- How To Offline Install .NET Framework 3.5 in Windows 10, 8 Using This Tool - TechGainerNo ratings yetHow To Offline Install .NET Framework 3.5 in Windows 10, 8 Using This Tool - TechGainer8 pages
- Installing UCS Files Containing Encrypted Passwords or PassphrasesNo ratings yetInstalling UCS Files Containing Encrypted Passwords or Passphrases7 pages
- Visual SourceSafe 2005 Software Configuration Management in PracticeFrom EverandVisual SourceSafe 2005 Software Configuration Management in PracticeNo ratings yet
- Pop!_OS System Administration Guide: Definitive Reference for Developers and EngineersFrom EverandPop!_OS System Administration Guide: Definitive Reference for Developers and EngineersNo ratings yet