topic Re: Firepower 7.1 Released in Network Security

Firepower 7.1 Released

Marvin Rhoads — Thu, 02 Dec 2021 14:51:31 GMT

In case you missed it, Firepower 7.1 was released on 1 December:

https://www.cisco.com/c/en/us/td/docs/security/firepower/710/relnotes/firepower-release-notes-710/features.html

https://software.cisco.com/download/home/286259687/type/286271056/release/7.1.0

We are still waiting on the Gold Star for release 7.0.1. Hopefully that will come soon!

Re: Firepower 7.1 Released

Massimo Baschieri — Fri, 03 Dec 2021 07:05:11 GMT

I take the chance to ask for a suggestion about upgrading:

I need to upgrade a deployment soon in order to leverage saml support for anyconnect (azure mfa integration) and data interface management.

I was oriented toward 6.7 since it's more mature than 7.0.1, even if it's a short term release, do you agree about that, or do you think that 7.0.1, even if it's not gold star yet, worth the upgrade?

Re: Firepower 7.1 Released

Marvin Rhoads — Fri, 03 Dec 2021 08:50:47 GMT

@Massimo Baschieri I would recommend 7.0.1 over any release of 6.7 at this time.

Re: Firepower 7.1 Released

Massimo Baschieri — Fri, 03 Dec 2021 19:18:16 GMT

Thanks for the advice Marvin, are you saying that because of you own experience or you have some positive feedbacks from cisco tac?

Do you have any idea when 7.0.1 will become gold star?

Re: Firepower 7.1 Released

Marvin Rhoads — Sat, 04 Dec 2021 02:37:02 GMT

My recommendation is based on both having deployed about 20 production Firepower 7.0.1 firewalls to date (1010s, 2100 and 4100 series as well as FMC both on hardware and software platforms) as well as having positive (albeit informal) conversations with both TAC and other Cisco staff.

The ones I've deployed include locally-managed (FDM only), CDO-managed and FMC-managed.

We hope to see Gold Star status for 7.0.1 this month (December 2021) but it's pending internal Cisco approval still.

Re: Firepower 7.1 Released

Massimo Baschieri — Sat, 04 Dec 2021 06:57:48 GMT

My deployment is quite complex, about 50 devices, FPR1Ks, 2Ks, ASA5516s, even ASA5545s

Did you also move to snort 3 on those deployments?

Re: Firepower 7.1 Released

Marvin Rhoads — Sun, 05 Dec 2021 14:14:50 GMT

The upgrades I changed to Snort 3. The greenfield 7.0.1 ones are also using Snort 3. My primary motivation for that is the improved performance.

Re: Firepower 7.1 Released

toddlammle — Tue, 07 Dec 2021 17:30:29 GMT

Marvin, I had serious issues with 7.0 at my customers (7.0.1 too). I was on the beta team for 7.0 and 7.1 and beat the hell out of them but the issues I had with 7.0 at my customers were serious and I never saw that coming and never had those issues in beta testing

7.1 is superior to any previous code (6.6, 6.7, 7.0)

I recommend 7.1, the features are unparalleled to 7.0 even

Re: Firepower 7.1 Released

BmfL — Tue, 07 Dec 2021 22:32:13 GMT

7.1 on FTD has issues as well, like you cant create VTIs properly, unless you have 7.1 on FMC but still 7.0.x on FTD.

I would wait couple more weeks and upgrade to a stable release.

Re: Firepower 7.1 Released

Massimo Baschieri — Wed, 08 Dec 2021 09:40:16 GMT

@Marvin Rhoads but also to the others:

I take the chance you mentioned it, do you have a good experience on CDO?

Is it reliable as much as FMC is?

What are the features you miss the most about FMC?

Is identity working fine with CDO?

Thanks.

Re: Firepower 7.1 Released

Marvin Rhoads — Wed, 08 Dec 2021 12:32:15 GMT

@Massimo Baschieri CDO generally works as advertised. It is not a 1-1 replacement for FMC just like FDM is not. I kind of think of it as Meraki MX vs. Cisco ASA or FTD. As long as you don't need the advanced features (of FMC), CDO is an attractive choice.

Identity works fine but I had to do the setup from FDM first and then CDO (and the Secure Analytics and Logging or SAL along with Stealthwatch Cloud / Secure Cloud Analytics) consumes it OK.

I had done a whitepaper on that about 2 years ago. In case you missed it here's a link:

https://community.cisco.com/t5/security-documents/whitepaper-firepower-threat-defense-cloud-management-with/ta-p/3991368

Re: Firepower 7.1 Released

Massimo Baschieri — Thu, 09 Dec 2021 16:15:22 GMT

It seems Cisco was faster than you expected, 7.0.1 became gold star today!!!

Now I've no doubt on the release to upgrade to.

Re: Firepower 7.1 Released

Massimo Baschieri — Thu, 09 Dec 2021 16:17:45 GMT

Nice document Marvin, since I have no experience at all on FDM and CDO, can you please provide me a quick list of the features I'm about to loose moving from FMC to FMM/CDO?

Thanks,

Re: Firepower 7.1 Released

Marvin Rhoads — Thu, 09 Dec 2021 17:26:41 GMT

There are quite a few things FDM cannot do that FMC can. Just weigh the respective configuration guides - 856 pages for FDM 7.0 vs. 3192 pages for FMC.

All the basics are there, just not some advanced features and the ability to manage multiple firewalls from one console, share objects, store events etc.

Re: Firepower 7.1 Released

HQuest — Fri, 10 Dec 2021 14:37:10 GMT

I too noticed performance improvements by changing from Snort2 to Snort3. Preliminary tests I did with 7.0 on a small 1010 appliance gave about a 33% raw network speed difference with unmodified “Security over Connectivity” IPS policies. On a 350Mbps up/down link, full 350Mbps on Snort3 vs ~230Mbps on Snort2.

However Snort3 does block things randomly and out of the blue, whereas Snort2 does not - even while both are set to “detect”, and not “protect”. Seen it breaking server side tasks such as DNS XFER, SMTP STARTTLS sessions, and client access such as to Apple’s AppStore app - with or without an IPS policy set on the matching AC policy. It seemed less often on 7.0.1, but they are still plaguing me every now and then. Fastpath doesn't help, nor changing IPS or AC policies: I have to either bypass the firewall (wrong) or to downgrade to Snort2 and back to Snort3: somehow this keeps things working for another while.

So I’m on a difficult position now: to have random outages or to lose bandwidth.

Re: Firepower 7.1 Released

Massimo Baschieri — Sat, 11 Dec 2021 07:25:08 GMT

@marvin

Here a list of the most important features (to me) I found missing in CDO:

security intelligence / TID

url/app reputation/advanced classification

advanced settings in access policies

active authentication

ssl inspection

prefilter

centralized logging without SAL

Others?

Maybe some of them are available directly on device through FDM, better than nothing, but not a good approach

Do you agree?

Re: Firepower 7.1 Released

Marvin Rhoads — Sat, 11 Dec 2021 14:39:16 GMT

That's a good list @Massimo Baschieri . I would add that CDO can use Identity Policy but it needs to be configured first in FDM.

Also note that CDO is frequently updated as they follow an Agile development lifecycle. So be sure to check their What's New page for updates.

https://docs.defenseorchestrator.com/Welcome_to_Cisco_Defense_Orchestrator/0005_What's_New_for_Cisco_Defense_Orchestrator

Re: Firepower 7.1 Released

toddlammle — Sat, 11 Dec 2021 17:36:58 GMT

I tell my clients to stay on S2 until they know how to look at the IPS network analysis in Snort3 and tune the process. You need to tune your IPS whether it’s snort 2 or 3, but in situation it seems that s3 needs more tuning the s2 for now. Also, from what you’re saying in your posts, it looks like you have preprocessor events that need to be tuned
You are using cisco base polies without tuning and getting unpredictable results, which is predictable.
If you haven’t learned to tune snort, then stay on snort 2 for now. Once s3 is tuned, the performance is much better.
Todd Lammle