cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11459
Views
15
Helpful
26
Replies

Firepower Threat Defense (FTD) / Sourcefire 6.2 - Released

nspasov
Cisco Employee
Cisco Employee

The 6.2 train of FirePOWER/Sourcefire was posted yesterday to on cisco.com. Some very nice new features (see below) with inter-chassis clustering and ASA migration tool being a big hits:

https://software.cisco.com/download/release.html?mdfid=286285773&flowid=77253&softwareid=286306337&release=6.2.0&relind=AVAILABLE&rellifecycle=&reltype=latest

New Feature

Description

Supported Platforms

Migration Tool

Migrating from Cisco ASA-to-Firepower Threat Defense can be a daunting task for customers with multiple access control lists (ACLs), NAT policies, and related configuration objects. The migration tool is specifically designed to assist this migration process. The tool allows you to convert ASA configurations (ACL, NAT and related objects) to Firepower Threat Defense configurations, which you can then import into the Firepower Management Center. The migration tool supports the conversion of up to 600,000 total access rule elements per ASA configuration file.

  • 64-bit Firepower Management Center Virtual (VMware and KVM)

REST API

Firepower Version 6.2.0 allows REST clients to create and configure interfaces for Firepower Threat Defense devices via the Firepower Management Center REST API. This feature enables the Firepower Management Center to interact with various Cisco products and services, as well as those from third-party vendors. Implementation of these APIs is ideal in the following scenarios:

  • large enterprises who want to control policy changes in Firepower through other Cisco systems such as Application Centric Infrastructure (ACI) or through their own proprietary orchestration solutions

  • managed security service providers who want to adopt software defined networking, application-centric infrastructure,and network function virtualization solutions

Note   

SDN controllers do not have a way to automatically insert Firepower Threat Defense devices in the traffic path.

  • Firepower Management Center

  • 64-bit Firepower Management Center Virtual

Packet Tracer and Capture

The Packet Tracer and Capture offers the ability to show all the processing steps that a packet takes, the outcomes, and whether the traffic is blocked or allowed. This allows users to initiate and display output of tracing from the Firepower Management Center. The tracing information includes information from SNORT and preprocessors about verdicts and action taken while processing a packet.

  • Firepower Threat Defense

Table 2 New Features for Version 6.2.0: Architecture

New Feature

Description

Supported Platforms

Integrated Routing and Bridging (IRB)

Customers often want to have multiple physical interfaces configured to be part of the same VLAN. The IRB feature meets this demand by allowing users to configure bridges in routed mode, and enables the devices to perform L2 switching between interfaces (including subinterfaces).

  • Firepower Threat Defense on ASA 5506-X, ASA 5506W-X, or ASA 5506H-X

Inter-chassis Clustering

Clustering lets you group multiple FXOS chassis Firepower Threat Defense devices together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. In Version 6.2.0, the Firepower System supports clustering across multiple chassis (inter-chassis clustering), allowing for higher scalability. You can use the Firepower Management Center to automatically discover all nodes of a cluster.

  • Firepower Threat Defense on Firepower 4100 Series

  • Firepower Threat Defense on Firepower 9300 Series

Policy Change Improvement

Deploying policy changes to a Firepower Threat Defense device can result in restarting the SNORT process and the related loss of some packets. As part of a continuing effort to address this issue, Firepower Version 6.2.0 allows you to configure actions separately for fault conditions, such as SNORT Busy/Overload or SNORT Down. This feature allows you to emphasize either continuity or security by checking a checkbox option in the Firepower Management Center.

Firepower Threat Defense (inline mode only)

Table 3 New Features for Version 6.2.0: Platform/Integration

New Feature

Description

Supported Platforms

Firepower Threat Defense on Microsoft Azure

In Firepower Version 6.2.0, Cisco Firepower Threat Defense Virtual is available in the Microsoft Azure Marketplace. This new platform enables you to secure workloads consistently across the data center and public cloud. Managed centrally by an on-premises Firepower Management Center, Firepower Threat Defense Virtual provides advanced threat protection in the Azure environment without forcing customers to backhaul traffic to the data center.

  • Firepower Threat Defense virtual

Firepower Threat Grid API Key Integration

This feature streamlines the process of associating a Threat Grid account with your Firepower Management Center.

  • Firepower Management Center

  • 64-bit Firepower Management Center Virtual

ISE and SGT tags without Identity

Before Firepower Version 6.2.0, you had to create a realm and identity policy to perform user control-based on ISE Security Group Tag (SGT) data, even if you did not want to configure passive authentication using ISE. In Firepower Version 6.2.0, you no longer need to create a realm or identity policy to perform user control-based on ISE Security Group Tag (SGT) data.

  • Firepower Management Center

  • 64-bit Firepower Management Center Virtual

  • 7000 and 8000 Series

  • NGIPSv

  • ASA with FirePOWER Services

  • Firepower Threat Defense

  • Firepower Threat Defense Virtual

Table 4 New Features for Version 6.2.0: Platform/Integration

New Feature

Description

Supported Platforms

Site-to-Site VPN

The site-to-site VPN with PKI support is an addition to the current capability of site-to-site VPN with pre shared keys. The Firepower Device Manager (FDM) also allows you to configure site-to-site VPN with pre shared keys.

  • Firepower Threat Defense managed byFirepower Management Center

  • Firepower Threat Defense Virtual

PKI Support for Firepower Management Center

Public Key Infrastructure (PKI) is required to create certificate-based trusted identities for devices establishing site-to-site VPN tunnels. This feature allows you to associate PKI certificate data with devices with the Firepower Management Center.

  • Firepower Threat Defense

  • Firepower Threat Defense Virtual

User-based Indications of Compromise (IOCs)

This feature allows you to generate user-based IOCs from intrusion events, or view the associations of users and IOCs. You can also enable and disable eventing of a given IOC per user (against false positives). With this feature, you can correlate IOCs and events to both hosts and users, plus give them more visibility and alerting options on a per-user basis.

  • Firepower Management Center

  • 64-bit Firepower Management Center Virtual

  • 7000 and 8000 Series

  • NGIPSv

  • ASA with FirePOWER Services

  • Firepower Threat Defense managed byFirepower Management Center

  • Firepower Threat Defense Virtual

URL Lookups

This feature allows you to perform a bulk lookup of URLs (up to 250 URLs at a time) to obtain information, such as reputation, category, and matching policy. You can also export the results as a file of comma-separated values.

The feature reduces the manual work necessary to determine if your organization is protected against a malicious URL or if you should add a custom rule for a specific IOC. You can use this feature to reduce the number of custom rules, which in turn reduces the chance of performance degradation due to extensive custom rule lists.

  • Firepower Management Center Virtual

  • 64-bit Firepower Management Center Virtual

FlexConfig

The FlexConfig feature allows you use the Firepower Management Center to deploy ASA CLI template-based functionality to Firepower Threat Defense devices. This feature allows you to enable some of the most valuable ASA functions that are not currently available on Firepower Threat Defense devices. This functionality is structured as templates and objects that are stitched together in a policy. The default templates are officially supported by Cisco TAC Support.

The targeted features unlocked by FlexConfig potentially include:

  • Non-Inspection Templates:

    • Routing (EIGRP, PBR, and IS-IS)

    • Netflow (NSEL) export

    • MPF connection limits, timeouts (including DCD), and Normalizer settings

    • Platform sysopt commands

    • Proxy ARP Neighbor Discovery (sysopt noproxyarp interface)

    • IPv6 Prefix Delegation

    • IPV6

    • WCCP

    • VXLAN

  • Application Layer Inspection Templates:

    • ALGs default configuration

    • GTPv1/v2 support

    • Diameter inspection

    • LISP inspection

    • SCTP support and inspection

    • SIP

    • SS7 inspection

  • Firepower Threat Defense

  • Firepower Threat Defense Virtual

26 Replies 26

While ASA code on the Firepower 2100 series is orderable (since early July 2017), it will not be shipping until (currently projected) September 2017.

The platform was originally designed as FTD-only but customer demand spurred Cisco to revisit that decision.

Oliver Kaiser
Level 7
Level 7

Most important new feature imo: BVIs for ASA + FTD. Finally we can bridge between ports again and dont need an additional switch for small 5506-X deployments. ;)

As for Inter-Chassis Clustering... if anyone is brave enough to use this feature in production let me know, I would wait a little longer since there are still some ceveats associated with the central management only (FMC) approach which can get very funny when re-adding devices to FMC in case of fmc migration and bugs (like static route configuration being removed and nat config being redeployed, which will result in traffic loss and possible communication issues between fmc and your sensor).

As far as I know 6.2 release should have been the first release that officially supports VDI, unfortunately I cannot see any mention to it into release notes, it has not even been published a new user agent on cco, anyone has news about it?

According to my local Cisco SE, TS-Agent is definetly supported with 6.2. Documentation has already been published to cisco.com but it seems like the ts-agent installer is not in cco yet. Still waiting for a response about this. 

I will update this post when I get feedback

Update: TS-Agent has been published yesterday.

https://software.cisco.com/download/release.html?i=!y&mdfid=286282812&softwareid=286271056&release=6.2.0&os

Philip D'Ath
VIP Alumni
VIP Alumni

Is there any user to site VPN support in this release?  It would be a real handicap not having this.

If there is, what have they supported?  AnyConnect?  L2TP over IPSec?

Not yet. I have read some rumors that anyconnect should be added in 6.2.1 soon, but might be posponed until 6.3

hoffa2000
Level 3
Level 3

Too bad the ASA version requirement, if you run ASA with Firepower services, is 9.7.1 which is brand new and not everyone is keen jumping into a brand new release train just to gain new Firepower functionality. I am one of those and I'm especially crossed since I just spent alot of time jumping from ASA 9.4.x to get Firepower 6.2 support.

/Fredrim

Yes, we noticed that as well.  We are trying it out in our lab, but because of this we probably wouldn't deploy it at a customer site for a year or so.  To give the software more time to mature.

Has anyone tried to use the IPv6 Prefix Delegation feature that is supposed to work in 6.2.0 ?

I am unable to get this working, nor find some good documentation on how it should work other that that i need to know the commands to enter.

Creating a flexconfig containing the old config from my 9.7 ASA release does not work.

interface GigabitEthernet1/1
ipv6 dhcp client pd CanalDigital-Prefix

This throws an error stating "Error - Unsupported CLI"

Running ASA 5506X with FTD 6.2.0.1 and FMC 6.2.0 (build 362)

Anyone tried this and succeeded ?

Br

Tor-Ivar Kristoffersen

Hi Just wanted to know in future the ASA line of software 8.x to 9.x will get retire and all focus will be on FTD.

seems how things going on FTD will take over the ASA and cisco will EOL ASA software?

please do not forget to rate.

There are no current plans to retire the ASA hardware or software as a whole line. Of course the oldest platforms and versions will naturally reach end of sales but Cisco continues to develop both hardware and software on the rich legacy of ASA.

Review Cisco Networking for a $25 gift card