Migration Tool

Migrating from Cisco ASA-to-Firepower Threat Defense can be a daunting task for customers with multiple access control lists (ACLs), NAT policies, and related configuration objects. The migration tool is specifically designed to assist this migration process. The tool allows you to convert ASA configurations (ACL, NAT and related objects) to Firepower Threat Defense configurations, which you can then import into the Firepower Management Center. The migration tool supports the conversion of up to 600,000 total access rule elements per ASA configuration file.

• 64-bit Firepower Management Center Virtual (VMware and KVM)

REST API

Firepower Version 6.2.0 allows REST clients to create and configure interfaces for Firepower Threat Defense devices via the Firepower Management Center REST API. This feature enables the Firepower Management Center to interact with various Cisco products and services, as well as those from third-party vendors. Implementation of these APIs is ideal in the following scenarios:

• large enterprises who want to control policy changes in Firepower through other Cisco systems such as Application Centric Infrastructure (ACI) or through their own proprietary orchestration solutions

• managed security service providers who want to adopt software defined networking, application-centric infrastructure,and network function virtualization solutions

• Firepower Management Center

• 64-bit Firepower Management Center Virtual

Packet Tracer and Capture

The Packet Tracer and Capture offers the ability to show all the processing steps that a packet takes, the outcomes, and whether the traffic is blocked or allowed. This allows users to initiate and display output of tracing from the Firepower Management Center. The tracing information includes information from SNORT and preprocessors about verdicts and action taken while processing a packet.

• Firepower Threat Defense

Integrated Routing and Bridging (IRB)

Customers often want to have multiple physical interfaces configured to be part of the same VLAN. The IRB feature meets this demand by allowing users to configure bridges in routed mode, and enables the devices to perform L2 switching between interfaces (including subinterfaces).

• Firepower Threat Defense on ASA 5506-X, ASA 5506W-X, or ASA 5506H-X

Inter-chassis Clustering

Clustering lets you group multiple FXOS chassis Firepower Threat Defense devices together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. In Version 6.2.0, the Firepower System supports clustering across multiple chassis (inter-chassis clustering), allowing for higher scalability. You can use the Firepower Management Center to automatically discover all nodes of a cluster.

• Firepower Threat Defense on Firepower 4100 Series

• Firepower Threat Defense on Firepower 9300 Series

Policy Change Improvement

Deploying policy changes to a Firepower Threat Defense device can result in restarting the SNORT process and the related loss of some packets. As part of a continuing effort to address this issue, Firepower Version 6.2.0 allows you to configure actions separately for fault conditions, such as SNORT Busy/Overload or SNORT Down. This feature allows you to emphasize either continuity or security by checking a checkbox option in the Firepower Management Center.

Firepower Threat Defense (inline mode only)

Firepower Threat Defense on Microsoft Azure

In Firepower Version 6.2.0, Cisco Firepower Threat Defense Virtual is available in the Microsoft Azure Marketplace. This new platform enables you to secure workloads consistently across the data center and public cloud. Managed centrally by an on-premises Firepower Management Center, Firepower Threat Defense Virtual provides advanced threat protection in the Azure environment without forcing customers to backhaul traffic to the data center.

• Firepower Threat Defense virtual

Firepower Threat Grid API Key Integration

This feature streamlines the process of associating a Threat Grid account with your Firepower Management Center.

• Firepower Management Center

• 64-bit Firepower Management Center Virtual

ISE and SGT tags without Identity

Before Firepower Version 6.2.0, you had to create a realm and identity policy to perform user control-based on ISE Security Group Tag (SGT) data, even if you did not want to configure passive authentication using ISE. In Firepower Version 6.2.0, you no longer need to create a realm or identity policy to perform user control-based on ISE Security Group Tag (SGT) data.

• Firepower Management Center

• 64-bit Firepower Management Center Virtual

• 7000 and 8000 Series

• NGIPSv

• ASA with FirePOWER Services

• Firepower Threat Defense

• Firepower Threat Defense Virtual

Site-to-Site VPN

The site-to-site VPN with PKI support is an addition to the current capability of site-to-site VPN with pre shared keys. The Firepower Device Manager (FDM) also allows you to configure site-to-site VPN with pre shared keys.

• Firepower Threat Defense managed byFirepower Management Center

• Firepower Threat Defense Virtual

PKI Support for Firepower Management Center

Public Key Infrastructure (PKI) is required to create certificate-based trusted identities for devices establishing site-to-site VPN tunnels. This feature allows you to associate PKI certificate data with devices with the Firepower Management Center.

• Firepower Threat Defense

• Firepower Threat Defense Virtual

User-based Indications of Compromise (IOCs)

This feature allows you to generate user-based IOCs from intrusion events, or view the associations of users and IOCs. You can also enable and disable eventing of a given IOC per user (against false positives). With this feature, you can correlate IOCs and events to both hosts and users, plus give them more visibility and alerting options on a per-user basis.

• Firepower Management Center

• 64-bit Firepower Management Center Virtual

• 7000 and 8000 Series

• NGIPSv

• ASA with FirePOWER Services

• Firepower Threat Defense managed byFirepower Management Center

• Firepower Threat Defense Virtual

URL Lookups

This feature allows you to perform a bulk lookup of URLs (up to 250 URLs at a time) to obtain information, such as reputation, category, and matching policy. You can also export the results as a file of comma-separated values.

The feature reduces the manual work necessary to determine if your organization is protected against a malicious URL or if you should add a custom rule for a specific IOC. You can use this feature to reduce the number of custom rules, which in turn reduces the chance of performance degradation due to extensive custom rule lists.

• Firepower Management Center Virtual

• 64-bit Firepower Management Center Virtual

FlexConfig

The FlexConfig feature allows you use the Firepower Management Center to deploy ASA CLI template-based functionality to Firepower Threat Defense devices. This feature allows you to enable some of the most valuable ASA functions that are not currently available on Firepower Threat Defense devices. This functionality is structured as templates and objects that are stitched together in a policy. The default templates are officially supported by Cisco TAC Support.

The targeted features unlocked by FlexConfig potentially include:

• Non-Inspection Templates:

  • Routing (EIGRP, PBR, and IS-IS)

  • Netflow (NSEL) export

  • MPF connection limits, timeouts (including DCD), and Normalizer settings

  • Platform sysopt commands

  • Proxy ARP Neighbor Discovery (sysopt noproxyarp interface)

  • IPv6 Prefix Delegation

  • IPV6

  • WCCP

  • VXLAN

• Application Layer Inspection Templates:

  • ALGs default configuration

  • GTPv1/v2 support

  • Diameter inspection

  • LISP inspection

  • SCTP support and inspection

  • SIP

  • SS7 inspection

• Firepower Threat Defense

• Firepower Threat Defense Virtual