New Features in FMC/Firepower Version 6.3.0
This table summarizes the new features available in Firepower Version 6.3 when configured using a Firepower Management Center.
| Feature | Description |
|---|---|
| Hardware | |
| ISA 3000 with FirePOWER Services | ISA 3000 with FirePOWER Services is supported in Version 6.3. Although ISA 3000 with FirePOWER Services was also supported in Version 5.4.x, you cannot upgrade from 5.4.x to Version 6.3; you must reimage. Supported Platforms: ISA 3000 |
| Licensing | |
| Export-controlled features for approved customers | Customers whose Smart Accounts are not otherwise eligible to use restricted functionality can purchase term-based licenses, with approval. New/Modified Screens: Supported Platforms: FMC, FTD |
| Specific License Reservation for approved customers | Customers can use Specific License Reservation to deploy Smart Licensing in an air-gapped network. The FMC reserves licenses from your virtual account for a specified duration without accessing the Cisco Smart Software Manager or Smart Software Satellite Server. New/Modified Screens: Supported Platforms: FMC, FTD |
| Interface Features | |
| Hardware bypass support on the Firepower 2100 for supported network modules | Firepower 2100 devices now support hardware bypass functionality when using the hardware bypass network modules. New/Modified Screens: Supported Platforms: Firepower 2100 |
| Support for data EtherChannels in On mode | You can now set data and data-sharing EtherChannels to either Active LACP mode or On mode. Other types of EtherChannels support only Active mode. New/Modified Firepower Chassis Manager Screens: New/Modified FXOS commands: set port-channel-mode Supported Platforms: Firepower 4100/9300 |
| Access Control | |
| Update interval for URL category and reputation data | You can now force cached URL data to expire. There is a tradeoff between security and performance: a shorter interval means you use more current data, while a longer interval can make web browsing faster for your users. Upgrading to Version 6.3 does not change system behavior: the setting defaults to disabled (the previous behavior), meaning that cached URL data does not expire. New/Modified Screens: setting |
| IAB enabled by default | Intelligent Application Bypass (IAB) is now enabled by default in new access control policies, using predefined settings. Upgrading to Version 6.3 does not change existing access control policies. New/Modified Screens: > create new policy > Advanced tab |
| High Availability and Scalability | |
| Multi-instance capability for Firepower 4100/9300 with FTD | You can now deploy multiple logical devices, each with a Firepower Threat Defense container instance, on a single security engine/module. Formerly, you could deploy only a single native application instance. To provide flexible physical interface use, you can create VLAN subinterfaces in FXOS and also share interfaces between multiple instances. Resource management lets you customize performance capabilities for each instance. You can configure high availability using container instances on two separate chassis. Clustering is not supported. Note: Multi-instance capability is similar to ASA multiple context mode, although the implementation is different. Multiple context mode is not available for FTD. New/Modified Firepower Chassis Manager Screens: New/Modified FMC Screens: > edit device > Interfaces tab New/Modified FXOS Commands: connect ftd name, connect module telnet, create bootstrap-key PERMIT_EXPERT_MODE, create resource-profile, create subinterface, scope auto-macpool, set cpu-core-count, set deploy-type, set port-type data-sharing, set prefix, set resource-profile-name, set vlan, scope app-instance ftd name, show cgroups container, show interface, show mac-address, show subinterface, show tech-support module app-instance, show version Supported Platforms: Firepower 4100/9300 |
| Cluster control link customizable IP address for the Firepower 4100/9300 | By default, the cluster control link uses the 127.2.0.0/16 network. You can now set the network when you deploy the cluster in FXOS. The chassis auto-generates the cluster control link interface IP address for each unit based on the chassis ID and slot ID: 127.2.chassis_id.slot_id. However, some network deployments do not allow 127.2.0.0/16 traffic to pass. Therefore, you can now set a custom /16 subnet for the cluster control link in FXOS, excluding loopback (127.0.0.0/8) and multicast (224.0.0.0/4) addresses. New/Modified Firepower Chassis Manager Screens: New/Modified Options: CCL Subnet IP field New/Modified FXOS Commands: set cluster-control-link network Supported Platforms: Firepower 4100/9300 |
| Improved FTD cluster addition to the FMC | You can now add any unit of a cluster to the FMC, and the other cluster units are detected automatically. Formerly, you had to add each cluster unit as a separate device, and then group them into a cluster in the FMC. Adding a cluster unit is also now automatic. Note that you must still delete a unit manually. New/Modified Screens: Supported Platforms: Firepower 4100/9300 |
| Encryption and VPN | |
| SSL hardware acceleration | Additional Firepower Threat Defense devices now support SSL hardware acceleration, and this option is now enabled by default. Upgrading to Version 6.3 automatically enables SSL hardware acceleration on eligible devices. Using SSL hardware acceleration when you are not decrypting traffic can affect performance, so we recommend you disable it on devices that are not decrypting traffic. Supported Platforms: Firepower 2100 series, Firepower 4100/9300 |
| RA VPN: RADIUS Dynamic Authorization or Change of Authorization (CoA) | You can now use RADIUS servers for user authorization of RA VPN and firewall cut-through-proxy sessions, using dynamic access control lists (ACLs) or ACL names per user. Supported Platforms: FTD |
| Events, Logging, and Analysis | |
| Cisco Security Packet Analyzer Integration | You can integrate with Cisco Security Packet Analyzer to examine events and display analysis results, or download results for further analysis. New/Modified Screens: |
| Contextual cross-launch | You can right-click an event in the dashboard or event viewer to look up related information in predefined or custom, public or private URL-based resources. New/Modified Screens: |
| Unified syslog configuration | Previously, you configured event logging via syslog in multiple places, depending on the event type. In Version 6.3, you configure syslog messaging in the access control policy. These configurations affect connection and intrusion event logging for the access control, SSL, prefilter, and intrusion policies, as well as for Security Intelligence. For Firepower Threat Defense devices, some syslog platform settings now apply to connection and intrusion event messages. For a list, see the "Platform Settings for Firepower Threat Defense" chapter in the Configuration Guide. Supported Platforms: Varies |
| Fully-qualified syslog messages for connection and intrusion events | The format of syslog messages for connection, Security Intelligence, and intrusion events has the following changes: |
| Other syslog improvements for FTD devices | You can send all syslog messages from the same interface (data or management), using the same IP address, over TCP or UDP. Note that secure syslog is supported on data ports only. You can also use the RFC 5424 format for message timestamps. Supported Platforms: FTD |
| Administration and Troubleshooting | |
| HTTPS Certificates | The default HTTPS server certificate provided with the system now expires in three years. If your appliance uses a default server certificate that was generated before you upgraded to Version 6.3, that certificate expires 20 years from when it was first generated. If you are using the default HTTPS server certificate, the system now provides the ability to renew it. New/Modified Screens: button New/Modified Classic CLI Commands: show http-cert-expire-date, system renew-http-cert new_key Supported Platforms: Physical FMCs, 7000 and 8000 Series devices |
| IPv4 range, subnet, and IPv6 support for SNMP hosts | You can now use IPv4 range, IPv4 subnet, and IPv6 host network objects to specify the SNMP hosts that can access a Firepower Threat Defense device. New/Modified Screens: > create or edit FTD policy > SNMP > Hosts tab Supported Platforms: FTD |
| Access control using fully qualified domain names (FQDN) | You can now create fully qualified domain name (FQDN) network objects and use them in access control and prefilter rules. To use FQDN objects, you must also configure DNS server groups and DNS platform settings so that the system can resolve the domain names. New/Modified Screens: Supported Platforms: FTD |
| CLI for the FMC | A CLI for the FMC supports a small set of basic commands (change password, show version, reboot/restart, and so on). By default the FMC CLI is disabled, and logging into the FMC using SSH accesses the Linux shell. New/Modified Classic CLI Commands: The system lockdown-sensor command has changed to system lockdown. This command now works for both devices and FMCs. New/Modified Screens: check box Supported Platforms: FMC, including FMCv |
| Improved login security | Added FMC user configuration settings to improve login security: New/Modified Screens: > User Configuration Supported Platforms: FMC |
| Limit SSH login failures on devices | When a user accesses any device via SSH and fails three successive login attempts, the device terminates the SSH session. Supported Platforms: Managed devices |
| Copy device configurations | You can copy device configurations and policies from one device to another. New/Modified Screens: > edit the device > General area > Get/Push Device Configuration icons |
| Backup/restore FTD device configurations | You can use the FMC web interface to back up configurations for some FTD devices. New/Modified Screens: New/Modified CLI Commands: restore Supported Platforms: All physical FTD devices, FTDv on VMware |
| Skip deploying to up-to-date devices when you schedule deploy tasks | When you schedule a task to deploy configuration changes, you can now opt to Skip Deployment for up-to-date devices. This performance-enhancing setting is enabled by default. The upgrade process automatically enables this option on existing scheduled tasks. To continue to force a scheduled deploy to up-to-date devices, you must edit the scheduled task. New/Modified Screens: > add or edit a task > choose Job Type of Deploy Policies |
| New health modules | New health modules alert you when: New/Modified Screens: Supported Platforms: FMC |
| Configurable packet capture size | You can now store up to 10 GB of packet captures. New/Modified CLI Commands: file-size, show capture Supported Platforms: Firepower 4100/9300 |
| Firepower Management Center REST API | |
| New objects | The FMC REST API supports new objects for site-to-site VPN topology and HA device failover. New objects for site-to-site VPN topology: ftds2svpns, endpoints, ipsecsettings, advancedsettings, ikesettings, ikev1ipsecproposals, ikev1policies, ikev2ipsecproposals, ikev2policies. New objects for HA device failover: failoverinterfacemacaddressconfigs, monitoredinterfaces |
| Bulk overrides | You can now perform bulk overrides on specific objects. For a full list, see the Cisco Firepower Management Center REST API Quick Start Guide. |
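The cluster control link addressing described in the High Availability and Scalability section above, as an added example that is not Cisco's code: it validates a candidate /16 against the loopback (127.0.0.0/8) and multicast (224.0.0.0/4) exclusions the release notes state and derives each unit's auto-generated address from its chassis ID and slot ID. Treating the default 127.2.0.0/16 as the one permitted loopback subnet and bounding the IDs to 1..255 are assumptions, not something the release notes specify.

```python
import ipaddress
from typing import Dict, Iterable, Tuple

# Planner for the Firepower 4100/9300 cluster control link (CCL) subnet.
# Added illustration, not FXOS code. Assumptions: chassis/slot IDs are 1..255,
# and the factory default 127.2.0.0/16 is the only loopback subnet accepted.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
DEFAULT_CCL = ipaddress.ip_network("127.2.0.0/16")


def validate_ccl_subnet(cidr: str) -> ipaddress.IPv4Network:
    """Return the subnet if it is usable as a CCL network, else raise ValueError.

    A custom subnet must be a /16 outside loopback and multicast space; the
    default 127.2.0.0/16 stays valid (assumption, see above).
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: CCL subnet must be IPv4")
    if net.prefixlen != 16:
        raise ValueError(f"{cidr}: CCL subnet must be a /16")
    if net != DEFAULT_CCL and (net.subnet_of(LOOPBACK) or net.subnet_of(MULTICAST)):
        raise ValueError(f"{cidr}: loopback and multicast ranges are not allowed")
    return net


def ccl_address(net: ipaddress.IPv4Network, chassis_id: int, slot_id: int) -> str:
    """Auto-generated unit address: <first two octets of net>.<chassis_id>.<slot_id>."""
    for name, value in (("chassis_id", chassis_id), ("slot_id", slot_id)):
        if not 1 <= value <= 255:  # assumption: one octet each, zero unused
            raise ValueError(f"{name} must be in 1..255, got {value}")
    return str(net.network_address + (chassis_id << 8) + slot_id)


def plan_ccl(cidr: str, units: Iterable[Tuple[int, int]]) -> Dict[Tuple[int, int], str]:
    """Map each (chassis_id, slot_id) unit to its CCL address, rejecting repeats."""
    net = validate_ccl_subnet(cidr)
    plan: Dict[Tuple[int, int], str] = {}
    for chassis_id, slot_id in units:
        addr = ccl_address(net, chassis_id, slot_id)
        if addr in plan.values():
            raise ValueError(f"unit {(chassis_id, slot_id)} listed twice ({addr})")
        plan[(chassis_id, slot_id)] = addr
    return plan


if __name__ == "__main__":
    # Constructed sample: two chassis, each with modules in slots 1 and 2.
    for cidr in ("127.2.0.0/16", "10.200.0.0/16", "127.3.0.0/16"):
        try:
            print(cidr, plan_ccl(cidr, [(1, 1), (1, 2), (2, 1), (2, 2)]))
        except ValueError as err:
            print(cidr, "rejected:", err)
```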
New Features in Firepower Device Manager/FTD Version 6.3.0