5845 Views, 35 Helpful, 17 Replies

Firepower 7.1 Released

Marvin Rhoads
Hall of Fame

In case you missed it, Firepower 7.1 was released on 1 December:

https://www.cisco.com/c/en/us/td/docs/security/firepower/710/relnotes/firepower-release-notes-710/features.html

https://software.cisco.com/download/home/286259687/type/286271056/release/7.1.0

We are still waiting on the Gold Star for release 7.0.1. Hopefully that will come soon!

17 Replies

I take the chance to ask for a suggestion about upgrading:

I need to upgrade a deployment soon in order to leverage saml support for anyconnect (azure mfa integration) and data interface management.

I was oriented toward 6.7 since it's more mature than 7.0.1, even if it's a short-term release. Do you agree with that, or do you think that 7.0.1, even if it's not Gold Star yet, is worth the upgrade?

@Massimo Baschieri I would recommend 7.0.1 over any release of 6.7 at this time.

Thanks for the advice Marvin. Are you saying that because of your own experience, or because you have some positive feedback from Cisco TAC?

Do you have any idea when 7.0.1 will become gold star?

My recommendation is based on both having deployed about 20 production Firepower 7.0.1 firewalls to date (1010s, 2100 and 4100 series as well as FMC both on hardware and software platforms) as well as having positive (albeit informal) conversations with both TAC and other Cisco staff.

The ones I've deployed include locally-managed (FDM only), CDO-managed and FMC-managed.

We hope to see Gold Star status for 7.0.1 this month (December 2021) but it's pending internal Cisco approval still.

My deployment is quite complex, about 50 devices, FPR1Ks, 2Ks, ASA5516s, even ASA5545s

Did you also move to snort 3 on those deployments?

The upgrades I changed to Snort 3. The greenfield 7.0.1 ones are also using Snort 3. My primary motivation for that is the improved performance.

I too noticed performance improvements by changing from Snort2 to Snort3. Preliminary tests I did with 7.0 on a small 1010 appliance gave about a 33% raw network speed difference with unmodified “Security over Connectivity” IPS policies. On a 350Mbps up/down link, full 350Mbps on Snort3 vs ~230Mbps on Snort2.

However Snort3 does block things randomly and out of the blue, whereas Snort2 does not - even while both are set to “detect”, and not “protect”. Seen it breaking server side tasks such as DNS XFER, SMTP STARTTLS sessions, and client access such as to Apple’s AppStore app - with or without an IPS policy set on the matching AC policy. It seemed less often on 7.0.1, but they are still plaguing me every now and then. Fastpath doesn't help, nor changing IPS or AC policies: I have to either bypass the firewall (wrong) or to downgrade to Snort2 and back to Snort3: somehow this keeps things working for another while.

So I’m in a difficult position now: to have random outages or to lose bandwidth.

I tell my clients to stay on S2 until they know how to look at the IPS network analysis in Snort3 and tune the process. You need to tune your IPS whether it’s Snort 2 or 3, but in this situation it seems that S3 needs more tuning than S2 for now. Also, from what you’re saying in your posts, it looks like you have preprocessor events that need to be tuned.
You are using Cisco base policies without tuning and getting unpredictable results, which is predictable.
If you haven’t learned to tune Snort, then stay on Snort 2 for now. Once S3 is tuned, the performance is much better.
Todd Lammle

@Marvin Rhoads but also to the others:

I take the chance you mentioned it, do you have a good experience on CDO?

Is it reliable as much as FMC is?

What are the features you miss the most about FMC?

Is identity working fine with CDO?

Thanks.

@Massimo Baschieri CDO generally works as advertised. It is not a 1-1 replacement for FMC just like FDM is not. I kind of think of it as Meraki MX vs. Cisco ASA or FTD. As long as you don't need the advanced features (of FMC), CDO is an attractive choice.

Identity works fine but I had to do the setup from FDM first and then CDO (and the Secure Analytics and Logging or SAL along with Stealthwatch Cloud / Secure Cloud Analytics) consumes it OK.

I had done a whitepaper on that about 2 years ago. In case you missed it here's a link:

https://community.cisco.com/t5/security-documents/whitepaper-firepower-threat-defense-cloud-management-with/ta-p/3991368

Nice document Marvin. Since I have no experience at all with FDM and CDO, can you please provide me a quick list of the features I'm about to lose moving from FMC to FDM/CDO?

Thanks,

It seems Cisco was faster than you expected, 7.0.1 became gold star today!!!

Now I have no doubt about which release to upgrade to.

There are quite a few things FDM cannot do that FMC can. Just weigh the respective configuration guides - 856 pages for FDM 7.0 vs. 3192 pages for FMC.

All the basics are there, just not some advanced features and the ability to manage multiple firewalls from one console, share objects, store events etc.

@marvin

Here is a list of the most important features (to me) that I found missing in CDO:

security intelligence / TID

url/app reputation/advanced classification

advanced settings in access policies

active authentication

ssl inspection

prefilter

centralized logging without SAL

Others?

Maybe some of them are available directly on the device through FDM, which is better than nothing, but not a good approach.

Do you agree?
