01-24-2017 11:00 AM - edited 03-12-2019 01:49 AM
The 6.2 train of FirePOWER/Sourcefire was posted yesterday on cisco.com. Some very nice new features (see below), with inter-chassis clustering and the ASA migration tool being big hits:
| New Feature | Description | Supported Platforms |
|---|---|---|
| Integrated Routing and Bridging (IRB) | Customers often want to have multiple physical interfaces configured to be part of the same VLAN. The IRB feature meets this demand by allowing users to configure bridges in routed mode, and enables the devices to perform L2 switching between interfaces (including subinterfaces). | |
| Inter-chassis Clustering | Clustering lets you group multiple FXOS chassis Firepower Threat Defense devices together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. In Version 6.2.0, the Firepower System supports clustering across multiple chassis (inter-chassis clustering), allowing for higher scalability. You can use the Firepower Management Center to automatically discover all nodes of a cluster. | |
| Policy Change Improvement | Deploying policy changes to a Firepower Threat Defense device can result in restarting the SNORT process and the related loss of some packets. As part of a continuing effort to address this issue, Firepower Version 6.2.0 allows you to configure actions separately for fault conditions, such as SNORT Busy/Overload or SNORT Down. This feature allows you to emphasize either continuity or security by checking a checkbox option in the Firepower Management Center. | Firepower Threat Defense (inline mode only) |

| New Feature | Description | Supported Platforms |
|---|---|---|
| Firepower Threat Defense on Microsoft Azure | In Firepower Version 6.2.0, Cisco Firepower Threat Defense Virtual is available in the Microsoft Azure Marketplace. This new platform enables you to secure workloads consistently across the data center and public cloud. Managed centrally by an on-premises Firepower Management Center, Firepower Threat Defense Virtual provides advanced threat protection in the Azure environment without forcing customers to backhaul traffic to the data center. | |
| Firepower Threat Grid API Key Integration | This feature streamlines the process of associating a Threat Grid account with your Firepower Management Center. | |
| ISE and SGT tags without Identity | Before Firepower Version 6.2.0, you had to create a realm and identity policy to perform user control based on ISE Security Group Tag (SGT) data, even if you did not want to configure passive authentication using ISE. In Firepower Version 6.2.0, you no longer need to create a realm or identity policy to perform user control based on ISE Security Group Tag (SGT) data. | |

| New Feature | Description | Supported Platforms |
|---|---|---|
| Site-to-Site VPN | The site-to-site VPN with PKI support is an addition to the current capability of site-to-site VPN with pre-shared keys. The Firepower Device Manager (FDM) also allows you to configure site-to-site VPN with pre-shared keys. | |
| PKI Support for Firepower Management Center | Public Key Infrastructure (PKI) is required to create certificate-based trusted identities for devices establishing site-to-site VPN tunnels. This feature allows you to associate PKI certificate data with devices in the Firepower Management Center. | |
| User-based Indications of Compromise (IOCs) | This feature allows you to generate user-based IOCs from intrusion events, or view the associations of users and IOCs. You can also enable and disable eventing of a given IOC per user (against false positives). With this feature, you can correlate IOCs and events to both hosts and users, plus give them more visibility and alerting options on a per-user basis. | |
| URL Lookups | This feature allows you to perform a bulk lookup of URLs (up to 250 URLs at a time) to obtain information, such as reputation, category, and matching policy. You can also export the results as a file of comma-separated values. The feature reduces the manual work necessary to determine if your organization is protected against a malicious URL or if you should add a custom rule for a specific IOC. You can use this feature to reduce the number of custom rules, which in turn reduces the chance of performance degradation due to extensive custom rule lists. | |
| FlexConfig | The FlexConfig feature allows you to use the Firepower Management Center to deploy ASA CLI template-based functionality to Firepower Threat Defense devices. This feature allows you to enable some of the most valuable ASA functions that are not currently available on Firepower Threat Defense devices. This functionality is structured as templates and objects that are stitched together in a policy. The default templates are officially supported by Cisco TAC Support. The targeted features unlocked by FlexConfig potentially include: | |
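The URL Lookups workflow in the table above (submit at most 250 URLs per lookup, then review the exported reputation, category and matching-policy columns to decide whether a custom rule is actually needed) as an added Python example. This is not code from the original post or from Cisco; the column names, reputation strings and sample rows are constructed assumptions for illustration, not the product's real export format.

```python
"""Triage a bulk URL Lookup export (constructed sample data).

Added example, not Cisco tooling. The 250-URL limit and the three
result columns (reputation, category, matching policy) come from the
6.2 feature description; the column headers and the value strings
below are assumptions for this sample, not a documented export format.
"""
import csv
import io

BATCH_LIMIT = 250  # bulk lookup limit stated in the 6.2 feature description


def batch_urls(urls, limit=BATCH_LIMIT):
    """Split a URL list into lookup batches of at most `limit` entries each."""
    if limit < 1:
        raise ValueError("limit must be >= 1")
    return [urls[i:i + limit] for i in range(0, len(urls), limit)]


# Constructed sample export; real column names and values may differ.
SAMPLE_EXPORT = """\
url,reputation,category,matching_policy
http://example.invalid/a,High Risk,Malware Sites,Block
http://example.invalid/b,High Risk,Phishing,Allow
http://example.invalid/c,Benign Sites,News,Allow
http://example.invalid/d,Suspicious Sites,Unknown,Monitor
"""

# Assumption: reputations we consider risky enough to require a block.
RISKY = {"High Risk", "Suspicious Sites"}


def parse_export(text):
    """Parse the CSV export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def unprotected(rows):
    """Return URLs with a risky reputation whose matching policy does not block them.

    These are the only candidates for a new rule. URLs already matched by a
    Block policy need nothing, which is how the lookup keeps the custom rule
    list (and its performance cost) small.
    """
    return [
        r["url"]
        for r in rows
        if r["reputation"] in RISKY and r["matching_policy"] != "Block"
    ]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("batches for 600 URLs:", [len(b) for b in batch_urls(list(range(600)))])
    print("needs a rule:", unprotected(rows))
```

Running the script reports three batches (250, 250, 100) for 600 URLs and flags only the two risky URLs that current policy allows or merely monitors.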
08-09-2017 07:36 PM
While ASA code on the Firepower 2100 series is orderable (since early July 2017), it will not be shipping until (currently projected) September 2017.
The platform was originally designed as FTD-only but customer demand spurred Cisco to revisit that decision.
01-25-2017 12:10 AM
Most important new feature imo: BVIs for ASA + FTD. Finally we can bridge between ports again and don't need an additional switch for small 5506-X deployments. ;)
As for Inter-Chassis Clustering... if anyone is brave enough to use this feature in production, let me know. I would wait a little longer, since there are still some caveats associated with the central-management-only (FMC) approach, which can get very funny when re-adding devices to FMC in case of FMC migration and bugs (like static route configuration being removed and NAT config being redeployed, which will result in traffic loss and possible communication issues between FMC and your sensor).
01-25-2017 01:39 AM
As far as I know, the 6.2 release should have been the first release that officially supports VDI. Unfortunately I cannot see any mention of it in the release notes, and a new user agent has not even been published on CCO. Does anyone have news about it?
01-25-2017 01:42 AM
According to my local Cisco SE, TS-Agent is definitely supported with 6.2. Documentation has already been published to cisco.com, but it seems like the TS-Agent installer is not on CCO yet. Still waiting for a response about this.
I will update this post when I get feedback
01-27-2017 02:44 AM
Update: TS-Agent has been published yesterday.
https://software.cisco.com/download/release.html?i=!y&mdfid=286282812&softwareid=286271056&release=6.2.0&os
01-25-2017 01:09 PM
Is there any user to site VPN support in this release? It would be a real handicap not having this.
If there is, what have they supported? AnyConnect? L2TP over IPSec?
01-25-2017 02:14 PM
Not yet. I have read some rumors that AnyConnect should be added in 6.2.1 soon, but it might be postponed until 6.3.
01-26-2017 11:07 AM
Too bad the ASA version requirement, if you run ASA with FirePOWER Services, is 9.7.1, which is brand new, and not everyone is keen on jumping into a brand new release train just to gain new Firepower functionality. I am one of those, and I'm especially cross since I just spent a lot of time jumping from ASA 9.4.x to get Firepower 6.2 support.
/Fredrim
01-26-2017 11:11 AM
Yes, we noticed that as well. We are trying it out in our lab, but because of this we probably wouldn't deploy it at a customer site for a year or so, to give the software more time to mature.
04-10-2017 04:28 AM
Has anyone tried to use the IPv6 Prefix Delegation feature that is supposed to work in 6.2.0?
I am unable to get this working, nor find any good documentation on how it should work, other than that I need to know the commands to enter.
Creating a FlexConfig containing the old config from my 9.7 ASA release does not work:
interface GigabitEthernet1/1
ipv6 dhcp client pd CanalDigital-Prefix
This throws an error stating "Error - Unsupported CLI"
Running ASA 5506X with FTD 6.2.0.1 and FMC 6.2.0 (build 362)
Has anyone tried this and succeeded?
Br
Tor-Ivar Kristoffersen
05-27-2017 02:39 AM
Hi, just wanted to know whether in the future the ASA line of software (8.x to 9.x) will get retired and all focus will be on FTD.
It seems, the way things are going, that FTD will take over from the ASA and Cisco will EOL the ASA software?
05-27-2017 03:10 AM
There are no current plans to retire the ASA hardware or software as a whole line. Of course the oldest platforms and versions will naturally reach end of sales but Cisco continues to develop both hardware and software on the rich legacy of ASA.