
Firepower Threat Defense (FTD) / Sourcefire 6.2 - Released

nspasov, Cisco Employee

The 6.2 train of FirePOWER/Sourcefire was posted yesterday on cisco.com. Some very nice new features (see below), with inter-chassis clustering and the ASA migration tool being big hits:

https://software.cisco.com/download/release.html?mdfid=286285773&flowid=77253&softwareid=286306337&release=6.2.0&relind=AVAILABLE&rellifecycle=&reltype=latest


Migration Tool

Migrating from Cisco ASA to Firepower Threat Defense can be a daunting task for customers with multiple access control lists (ACLs), NAT policies, and related configuration objects. The migration tool is specifically designed to assist this migration process. The tool allows you to convert ASA configurations (ACL, NAT and related objects) to Firepower Threat Defense configurations, which you can then import into the Firepower Management Center. The migration tool supports the conversion of up to 600,000 total access rule elements per ASA configuration file.

Supported platforms:

  • 64-bit Firepower Management Center Virtual (VMware and KVM)

REST API

Firepower Version 6.2.0 allows REST clients to create and configure interfaces for Firepower Threat Defense devices via the Firepower Management Center REST API. This feature enables the Firepower Management Center to interact with various Cisco products and services, as well as those from third-party vendors. Implementation of these APIs is ideal in the following scenarios:

  • large enterprises who want to control policy changes in Firepower through other Cisco systems such as Application Centric Infrastructure (ACI) or through their own proprietary orchestration solutions

  • managed security service providers who want to adopt software defined networking, application-centric infrastructure, and network function virtualization solutions

Note: SDN controllers do not have a way to automatically insert Firepower Threat Defense devices in the traffic path.

Supported platforms:

  • Firepower Management Center

  • 64-bit Firepower Management Center Virtual
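The orchestration scenario above (an external system driving FMC over REST) comes down to a token handshake followed by authenticated calls against the device and interface resources. The client below is an added example, not Cisco's code or anything from the original post. The token endpoint (`/api/fmc_platform/v1/auth/generatetoken`), the `X-auth-access-token` / `DOMAIN_UUID` response headers and the `devicerecords` / `physicalinterfaces` paths are as published in the FMC API Explorer for the 6.x releases; confirm them against your own FMC before relying on them. The hostname, credentials, device and interface ids are constructed, and the HTTP transport is pluggable so the flow can be exercised offline against the constructed `FakeFmc` stand-in.

```python
"""Added example (not Cisco's code): FMC REST API token flow plus a
read-modify-write of a physical interface, as an orchestrator would do it."""
import base64
import json
import ssl
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
DEVICES_PATH = "/api/fmc_config/v1/domain/{domain}/devices/devicerecords"


def urllib_transport(method, url, headers, body, verify_tls=True):
    """Real transport: returns (status, lower-cased header dict, decoded JSON body).
    verify_tls=False is only for lab FMCs that still carry a self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        hdrs = {k.lower(): v for k, v in resp.headers.items()}
        return resp.status, hdrs, (json.loads(raw) if raw else None)


class FmcClient:
    def __init__(self, host, transport=urllib_transport):
        self.base = "https://" + host
        self.transport = transport
        self.token = self.refresh_token = self.domain = None

    def login(self, username, password):
        # Basic auth is sent exactly once; every later call carries the session token.
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        status, hdrs, _ = self.transport("POST", self.base + TOKEN_PATH,
                                         {"Authorization": "Basic " + creds}, None)
        if status != 204:  # FMC answers the token request with 204 and header-only data
            raise RuntimeError(f"token request failed: HTTP {status}")
        self.token = hdrs["x-auth-access-token"]
        self.refresh_token = hdrs.get("x-auth-refresh-token")
        self.domain = hdrs["domain_uuid"]

    def _call(self, method, path, body=None):
        if self.token is None:
            raise RuntimeError("login() first")
        hdrs = {"X-auth-access-token": self.token, "Content-Type": "application/json"}
        status, _, data = self.transport(method, self.base + path, hdrs, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return data

    def list_devices(self):
        data = self._call("GET", DEVICES_PATH.format(domain=self.domain) + "?expanded=true")
        return data.get("items", [])

    def list_physical_interfaces(self, device_id):
        path = DEVICES_PATH.format(domain=self.domain) + f"/{device_id}/physicalinterfaces"
        return self._call("GET", path).get("items", [])

    def configure_physical_interface(self, device_id, iface):
        """PUT the modified interface object back; FMC keys the update on the object's id."""
        path = DEVICES_PATH.format(domain=self.domain) + f"/{device_id}/physicalinterfaces/{iface['id']}"
        return self._call("PUT", path, iface)


class FakeFmc:
    """Constructed stand-in for an FMC: canned responses plus a log of every request."""
    def __init__(self):
        self.calls = []
        self.iface = {"id": "iface-1", "name": "GigabitEthernet0/1", "ifname": "",
                      "enabled": False, "type": "PhysicalInterface"}

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        if url.endswith(TOKEN_PATH):
            return 204, {"x-auth-access-token": "tok-123",
                         "x-auth-refresh-token": "ref-456", "domain_uuid": "dom-1"}, None
        if "/physicalinterfaces/" in url and method == "PUT":
            self.iface = dict(body)
            return 200, {}, self.iface
        if url.endswith("/physicalinterfaces"):
            return 200, {}, {"items": [self.iface]}
        if "/devicerecords?expanded=true" in url:
            return 200, {}, {"items": [{"id": "dev-1", "name": "ftd-lab"}]}
        return 404, {}, None


def demo():
    """Enable and name an interface on the first managed device (against the fake FMC)."""
    fmc = FakeFmc()
    client = FmcClient("fmc.example.test", transport=fmc)   # hostname is constructed
    client.login("apiuser", "not-a-real-password")            # credentials are constructed
    dev = client.list_devices()[0]
    iface = client.list_physical_interfaces(dev["id"])[0]
    updated = client.configure_physical_interface(dev["id"], dict(iface, enabled=True, ifname="outside"))
    return client, fmc, updated


if __name__ == "__main__":
    _, fake, result = demo()
    print(json.dumps(result, indent=2), len(fake.calls), "requests sent")
```

To run it against a real FMC, pass `urllib_transport` (the default) and a dedicated API user; give that user a role scoped to what the orchestrator actually needs, since the token it obtains carries the full rights of the account behind it.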

Packet Tracer and Capture

Packet Tracer and Capture offers the ability to show all the processing steps that a packet takes, the outcomes, and whether the traffic is blocked or allowed. This allows users to initiate and display output of tracing from the Firepower Management Center. The tracing information includes information from SNORT and preprocessors about verdicts and actions taken while processing a packet.

Supported platforms:

  • Firepower Threat Defense

Table 2 New Features for Version 6.2.0: Architecture


Integrated Routing and Bridging (IRB)

Customers often want to have multiple physical interfaces configured to be part of the same VLAN. The IRB feature meets this demand by allowing users to configure bridges in routed mode, and enables the devices to perform L2 switching between interfaces (including subinterfaces).

Supported platforms:

  • Firepower Threat Defense on ASA 5506-X, ASA 5506W-X, or ASA 5506H-X

Inter-chassis Clustering

Clustering lets you group multiple FXOS chassis Firepower Threat Defense devices together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. In Version 6.2.0, the Firepower System supports clustering across multiple chassis (inter-chassis clustering), allowing for higher scalability. You can use the Firepower Management Center to automatically discover all nodes of a cluster.

Supported platforms:

  • Firepower Threat Defense on Firepower 4100 Series

  • Firepower Threat Defense on Firepower 9300 Series

Policy Change Improvement

Deploying policy changes to a Firepower Threat Defense device can result in restarting the SNORT process and the related loss of some packets. As part of a continuing effort to address this issue, Firepower Version 6.2.0 allows you to configure actions separately for fault conditions, such as SNORT Busy/Overload or SNORT Down. This feature allows you to emphasize either continuity or security by checking a checkbox option in the Firepower Management Center.

Supported platforms:

  • Firepower Threat Defense (inline mode only)

Table 3 New Features for Version 6.2.0: Platform/Integration


Firepower Threat Defense on Microsoft Azure

In Firepower Version 6.2.0, Cisco Firepower Threat Defense Virtual is available in the Microsoft Azure Marketplace. This new platform enables you to secure workloads consistently across the data center and public cloud. Managed centrally by an on-premises Firepower Management Center, Firepower Threat Defense Virtual provides advanced threat protection in the Azure environment without forcing customers to backhaul traffic to the data center.

Supported platforms:

  • Firepower Threat Defense Virtual

Firepower Threat Grid API Key Integration

This feature streamlines the process of associating a Threat Grid account with your Firepower Management Center.

Supported platforms:

  • Firepower Management Center

  • 64-bit Firepower Management Center Virtual

ISE and SGT tags without Identity

Before Firepower Version 6.2.0, you had to create a realm and identity policy to perform user control based on ISE Security Group Tag (SGT) data, even if you did not want to configure passive authentication using ISE. In Firepower Version 6.2.0, you no longer need to create a realm or identity policy to perform user control based on ISE Security Group Tag (SGT) data.

Supported platforms:

  • Firepower Management Center

  • 64-bit Firepower Management Center Virtual

  • 7000 and 8000 Series

  • NGIPSv

  • ASA with FirePOWER Services

  • Firepower Threat Defense

  • Firepower Threat Defense Virtual

Table 4 New Features for Version 6.2.0: Platform/Integration


Site-to-Site VPN

Site-to-site VPN with PKI support is an addition to the current capability of site-to-site VPN with pre-shared keys. The Firepower Device Manager (FDM) also allows you to configure site-to-site VPN with pre-shared keys.

Supported platforms:

  • Firepower Threat Defense managed by Firepower Management Center

  • Firepower Threat Defense Virtual

PKI Support for Firepower Management Center

Public Key Infrastructure (PKI) is required to create certificate-based trusted identities for devices establishing site-to-site VPN tunnels. This feature allows you to associate PKI certificate data with devices in the Firepower Management Center.

Supported platforms:

  • Firepower Threat Defense

  • Firepower Threat Defense Virtual

User-based Indications of Compromise (IOCs)

This feature allows you to generate user-based IOCs from intrusion events, or view the associations of users and IOCs. You can also enable and disable eventing of a given IOC per user (against false positives). With this feature, you can correlate IOCs and events to both hosts and users, and gain more visibility and alerting options on a per-user basis.

Supported platforms:

  • Firepower Management Center

  • 64-bit Firepower Management Center Virtual

  • 7000 and 8000 Series

  • NGIPSv

  • ASA with FirePOWER Services

  • Firepower Threat Defense managed by Firepower Management Center

  • Firepower Threat Defense Virtual

URL Lookups

This feature allows you to perform a bulk lookup of URLs (up to 250 URLs at a time) to obtain information, such as reputation, category, and matching policy. You can also export the results as a file of comma-separated values.

The feature reduces the manual work necessary to determine if your organization is protected against a malicious URL or if you should add a custom rule for a specific IOC. You can use this feature to reduce the number of custom rules, which in turn reduces the chance of performance degradation due to extensive custom rule lists.

Supported platforms:

  • Firepower Management Center Virtual

  • 64-bit Firepower Management Center Virtual

FlexConfig

The FlexConfig feature allows you to use the Firepower Management Center to deploy ASA CLI template-based functionality to Firepower Threat Defense devices. This feature allows you to enable some of the most valuable ASA functions that are not currently available on Firepower Threat Defense devices. This functionality is structured as templates and objects that are stitched together in a policy. The default templates are officially supported by Cisco TAC Support.

The targeted features unlocked by FlexConfig potentially include:

  • Non-Inspection Templates:

    • Routing (EIGRP, PBR, and IS-IS)

    • Netflow (NSEL) export

    • MPF connection limits, timeouts (including DCD), and Normalizer settings

    • Platform sysopt commands

    • Proxy ARP Neighbor Discovery (sysopt noproxyarp interface)

    • IPv6 Prefix Delegation

    • IPV6

    • WCCP

    • VXLAN

  • Application Layer Inspection Templates:

    • ALGs default configuration

    • GTPv1/v2 support

    • Diameter inspection

    • LISP inspection

    • SCTP support and inspection

    • SIP

    • SS7 inspection

Supported platforms:

  • Firepower Threat Defense

  • Firepower Threat Defense Virtual

26 Replies

Philip D'Ath, VIP Alumni

This sounds like a huge step forward.

For little firewalls, like the 5506, is there any on-board management option or do you have to use Firesight for management?

You can use Firepower Device Manager to manage standalone devices ranging from 5506-X to 5545-X. Keep in mind that FDM has some limitations when it comes to features... If you need any details let me know.

Hi I currently have a standalone 5506X ASA and I'm using the ASDM to manage the Firepower side of things. Can you point me in the right direction on how to migrate away from this to the Firepower Device Manager?

Thanks,

Ross.

ross_rulz,

ASA with FirePOWER services module cannot be managed with FDM.

Only the integrated FTD image can use FDM. As noted, FTD does not yet have feature parity with all of the legacy ASA features - most notably remote access VPN. 

Marvin -- any time frame for AnyConnect VPN Support?

Look forward to april. ;)

Hi,

Is there any update on client to site VPN support ?

6.2.1 was released 2 weeks ago. AnyConnect is only available for the FP2100 platform as of now. Support for ASA 5500-X and FP4100/9300 will follow in april july with version 6.2.2.

If you are interested in some limitations as of now, I did a quick write up on my blog: http://dependencyhell.net/2017/05/27/AnyConnect-for-FTD/

regards

Oliver

OK waiting for this feature on ASA5500-X.

You mean june ? We are on 5/31

I meant july, didn't realize I typed april. :)

I just finished a run around with FTD and have to go back to ASA with sourcefire. There's just so many things missing from FTD when using FDM. Dynamic routing, multicast routing, etherchannel, DHCP relay, etc. 

What makes it more frustrating is that the documentation states that most of these things are available, as there does not seem to be a different set of documentation showing the limitations of FDM.

All in all, it's a beautiful UI with some interesting ideas but for full functionality I'll have to go back for now. Maybe in v7 it'll be parity. 

nathanielscriven, I'm interested in learning more from your experience here. So did you purchase a 2100 series with FTD but because of lack of feature set you installed the ASA code on the 2100?

No we purchased some 5506s and 5508s. I installed FTD on them to see how much better it was than asdm, and while very pretty it was missing so many features it was unusable. Couple that with having to join it to a Firepower appliance for full functionality and the removal of 99% of the CLI commands, going back to standard ASA/ASDM was a requirement.

Oh ok. I've been looking all over for more info on the 2100's but my guess is that FTD is missing a lot of features vs the ASA code because there isn't a ton of reviews or information on them yet. My understanding is that you can buy a 2100 and install the ASA code on them but I'd like to know how that's worked out for anyone who's done so...? What I don't really want to do is continue to purchase the ASA 5525x+ models when it feels the shift is to sunset those platforms in the next couple of years. I'd rather get in the new hardware platform now but run ASA code until FTD is feature rich and then migrate to the FTD code.
