11-19-2025 04:51 AM
Greetings,
We are in the process of implementing IPv6 addresses in an established IPv4 enterprise.
I am looking for anyone who has gone through this process in the past and could offer some lessons learned.
1. Does anyone know of any recommended FMC hardening configurations specifically for the FMC and IPv6?
2. Has anyone discovered any IPv6 hardening configuration guides that might offer a how-to?
3. Has anyone developed any dashboard widgets within the FMC to display IPv6 events separate from IPv4 events?
If anyone has any other lessons-learned topics I failed to ask about, please offer them.
Version 7.7.10 (build 3089)
Model Cisco Secure Firewall Management Center 2600
Serial Number XXXXXXXXXX
Snort Version 2.9.24 (Build 99)
Snort3 Version 3.3.5.1000 (Build 57)
Rule Pack Version 3178
Module Pack Version 3568
LSP Version lsp-rel-20251117-1954
VDB Version build 418 (2025-11-04 09:21:45)
Rule Update Version 2025-11-17-001-vrt
Geolocation Version 2025-11-08-029
OS Cisco Firepower Extensible Operating System (FX-OS) 82.17.26 (build 14)
Hostname XXXXXXXXXX
11-20-2025 04:44 AM
Hardening FMC for IPv6 involves both general FMC security and steps specific to FXOS and IPv6 traffic. Limit access to management interfaces and regularly audit user privileges.
Harden FXOS (Firepower Extensible OS) itself. Restrict FMC management access to trusted networks/subnets (using Platform Settings) for both IPv4 and IPv6.
Monitor and apply Cisco security advisories for your specific FMC version, as IPv6 support and vulnerabilities frequently evolve.
Available IPv6 hardening guides: The "Cisco Secure Firewall Threat Defense Hardening Guide" (see v7.2 or greater) provides hardening recommendations that address both IPv4 and IPv6, including device policies and access control for mixed environments.
I think you just need to take the approach of first, second and third layers of defence.
11-20-2025 05:03 AM
Thank you for the reply.
My FMC is a 2600, running version 7.7.1.10. Do you have any documents that I can reference and compare my current settings against future IPv6 development in our enterprise?
My IPS models are 2130, 4120, 4125 devices with various FTD software versions. Each 41XX device chassis is running the highest FXOS version Cisco has released. Do you have anything specific to these devices regarding IPv6?
We have reviewed the Cisco Secure Firewall Threat Defense Hardening Guide you mention and applied it prior to adding IPv6 to our environment, but I did not see anything specific related to IPv6. If you have the most current version, please provide it.
Defense in Depth is what we have here, and I agree.
11-21-2025 01:19 AM - edited 11-21-2025 01:37 AM
IPv6 provides a significantly more secure and scalable addressing architecture compared to its predecessor, IPv4. When your security appliances, such as Cisco FMC-FTD, are properly configured, continuously monitored, and maintained, the overall security posture remains strong.
Ensure that all systems are updated with the latest patches and that known vulnerabilities are remediated promptly. Apply the principles of least privilege and need-to-know to limit unnecessary access. In addition, enable comprehensive auditing and logging to support monitoring, incident detection, and forensic analysis.
Information specific to IPv6 security can sometimes be limited, but following these fundamental security practices provides a solid foundation for operating securely in an IPv6 environment.
Just a side note: FTD2100 and FTD4100 are now End of Life (EOL).
Check this link; you might find it useful:
https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3270451/nsa-publishes-internet-protocol-version-6-ipv6-security-guidance/