Hardware and Virtual Hardware

FMCv on Azure

We introduced Firepower Management Center Virtual on Microsoft Azure.

ASA and FTD on the same Firepower 9300

You can now deploy ASA and FTD logical devices on the same Firepower 9300, which requires FXOS 2.6.1.

For more information, see Cisco Firepower 4100/9300 FXOS Release Notes, 2.6(1) and Release Notes for the Cisco ASA Series, 9.12(x).

Firepower Threat Defense Routing

Rotating (keychain) authentication for OSPFv2 routing

You can now use rotating (keychain) authentication when configuring OSPFv2 routing.

New/modified screens:

• Objects > Object Management > Key Chain object
• Devices > Device Management > edit device > Routing tab > OSPF settings > Interface tab > add/edit interface > Authentication option
• Devices > Device Management > edit device > Routing tab > OSPF settings > Area tab > add/edit area > Virtual Link sub-tab > add/edit virtual link > Authentication option

Supported platforms: FTD

Firepower Threat Defense Encryption and VPN

RA VPN: Duo as first factor in two-factor authentication

You can now use a Duo proxy server (which also acts as a RADIUS server) as the first factor in RA VPN two-factor authentication. For details from Duo, see: Cisco Firepower Threat Defense (FTD) VPN with AnyConnect.

Supported platforms: FTD

RA VPN: Secondary authentication

Secondary authentication, also called double authentication, adds an additional layer of security to RA VPN connections by using two different authentication servers. With secondary authentication enabled, AnyConnect VPN users must provide two sets of credentials to log in to the VPN gateway.

RA VPN supports secondary authentication for the AAA Only and Client Certificate and AAA authentication methods.

New/modified screens:

Devices > VPN > Remote Access > add/edit configuration > Connection Profile > AAA area

Supported platforms: FTD

Site-to-site VPN: Dynamic IP addresses for extranet endpoints

You can now configure site to site VPNs to use a dynamic IP address for extranet endpoints. In hub-and-spoke deployments, you can use a hub as an extranet endpoint.

New/modified screens:

Devices > VPN > Site To Site > add/edit FTD VPN topology > Endpoints tab > add endpoint > IP Address option

Supported platforms: FTD

Site-to-site VPN: Dynamic crypto maps for point-to-point topologies

You can now use dynamic crypto maps in point-to-point as well as in hub-and-spoke VPN topologies. Dynamic crypto maps are still not supported for full mesh topologies.

You specify the crypto map type when you configure a topology. Make sure you also specify a dynamic IP address for one of the peers in the topology.

New/modified screens:

Devices > VPN > Site To Site > add/edit FTD VPN topology > IPsec tab > Crypto Map Type option

Supported platforms: FTD

TLS crypto acceleration

SSL hardware acceleration has been renamed TLS crypto acceleration. Depending on the device, TLS crypto acceleration might be performed in software or in hardware. The Version 6.4 upgrade process automatically enables acceleration on all eligible devices, even if you previously disabled the feature manually.

In most cases you cannot configure this feature; it is automatically enabled and you cannot disable it. However, if you are using the multi-instance capability of the Firepower 4100/9300 chassis, you can enable TLS crypto acceleration for one container instance per module/security engine. Acceleration is disabled for other container instances, but enabled for native instances.

New FXOS CLI commands for the Firepower 4100/9300 chassis:

• show hwCrypto enable
• config hwCrypto enable

New FTD CLI commands:

• show crypto accelerator status (replaces system support ssl-hw-status )

Removed FTD CLI commands:

• system support ssl-hw-accel enable
• system support ssl-hw-accel disable
• system support ssl-hw-status

Supported platforms: Firepower 2100 series, Firepower 4100/9300 chassis

Events, Logging, and Analysis

Improvements to syslog messages for file and malware events

Fully-qualified file and malware event data can now be sent from managed devices via syslog.

New/modified screens:

Policies > Access Control > Access Control > add/edit policy > Logging tab > File and Malware Settings area

Supported platforms: Any

Search intrusion events by CVE ID

You can now search for intrusion events generated as a result of a particular CVE exploit.

New/modified screens:

Analysis > Search

Supported platforms: FMC

IntrusionPolicy field is now included in syslog

Intrusion event syslog messages now specify the intrusion policy that triggered the event.

Supported platforms: Any

Cisco Threat Response (CTR) integration

Cisco Threat Response is a new Cisco offering that you will be able to integrate with Firepower Threat Defense deployments. CTR's powerful analysis tools will allow you to integrate Firepower event data with data from other sources for a unified view of threats on your network.

New/modified screens:

System > Integration > Cloud Services

Supported platforms: FTD

Splunk integration

Splunk users can use a new, separate Splunk app, Cisco Firepower App for Splunk, to analyze events. Available functionality is affected by your Firepower version.

Supported platforms: FMC

Administration

FTDv on VMware defaults to vmxnet3 interfaces

FTDv on VMware now defaults to vmxnet3 interfaces when you create a virtual device. Previously, the default was e1000. The vmxnet3 device drivers and network processing are integrated with the ESXi hypervisor, so they use fewer resources and offer better network performance.

Supported platforms: FTDv on VMware

Ability to disable Duplicate Address Detection (DAD) on management interfaces

When you enable IPv6, you can disable DAD. You might want to disable DAD because using DAD opens up the possibility of denial of service attacks. If you disable this setting, you need check manually that this interface is not using an already-assigned address.

New/modified screens:

System > Configuration > Management Interfaces > Interfaces area > edit interface > IPv6 DADcheck box

Supported platforms: FMC, 7000 and 8000 Series

Ability to disable ICMPv6 Echo Reply and Destination Unreachable messages on management interfaces

When you enable IPv6, you can now disable ICMPv6 Echo Reply and Destination Unreachable messages. You might want to disable these packets to guard against potential denial of service attacks. Disabling Echo Reply packets means you cannot use IPv6 ping to the device management interfaces for testing purposes.

New/modified screens:

System > Configuration > Management Interfaces > ICMPv6

New/modified commands:

• configure network ipv6 destination-unreachable
• configure network ipv6 echo-reply

Supported platforms: FMC (web interface only), managed devices (CLI only)

Support for the Service-Type attribute for FTDusers defined on the RADIUS server

For RADIUS authentication of FTD CLI users, you used to have to predefine the usernames in the RADIUS external authentication object and manually make sure that the list matched usernames defined on the RADIUS server. You can now define CLI users on the RADIUS server using the Service-Type attribute and also define both Basic and Config user roles. To use this method, be sure to leave the shell access filter blank in the external authentication object.

New/modified screens:

System > Users > External Authentication tab > add/edit external authentication object > Shell Access Filter

Supported platforms: FTD

Signed SRU, VDB, and GeoDB updates

So that Firepower can verify that you are using the correct update files, Version 6.4+ uses signedupdates for intrusion rules (SRU), the vulnerability database (VDB), and the geolocation database (GeoDB). For more information, see Security Enhancement: Signed SRU, VDB, and GeoDB Updates.

Supported platforms: Any

Scheduled remote backups of managed devices

You can now use the FMC to schedule remote backups of certain managed devices. Previously, only 7000 and 8000 series devices supported scheduled backups, and you had to use the device's local GUI.

New/modified screens:

System > Tools > Scheduling > add/edit task > choose Job Type: Backup > choose a Backup Type

Supported platforms: FTD physical platforms, FTDv for VMware, 7000/8000 series

Exceptions: No support for FTD clustered devices or container instances

Monitoring and Troubleshooting

URL Filtering Monitor improvements

You can now configure time thresholds for URL Filtering Monitor alerts.

New/modified screens:

System > Health > Policy > add/edit policy > URL Filtering Monitor

Supported platforms: Any

Hit counts for access control and prefilter rules

You can now access hit counts for access control and prefilter rules on your FTD devices.

New/modified screens:

• Policies > Access Control > Access Control > add/edit policy > Analyze Hit Counts
• Policies > Access Control > Prefilter > add/edit policy > Analyze Hit Counts

New commands:

• show rule hits
• clear rule hits
• cluster exec show rule hits
• cluster exec clear rule hits
• show cluster rule hits

Modified commands:

• show failover now contains object static counts related to syncing hit counts between HA peers

Supported platforms: FTD

Connection-based troubleshooting

Connection-based troubleshooting or debugging provides uniform debugging across modules to collect appropriate logs for a specific connection. It also supports level-based debugging up to 7 levels and enables uniform log collection mechanism for lina and Snort logs.

New/modified commands:

• clear packet debug
• debug packet start
• debug packet stop
• show packet debugs

Supported platforms: FTD

Firepower Management Center REST API

New REST API capabilities

Added REST API objects to support Version 6.4 features:

• cloudeventsconfigs: Manage Cisco Threat Response integration.
• ftddevicecluster: Manage chassis clustering.
• hitcounts: Manage hit count statistics for access control and prefilter rules.
• keychain: Manage key chain objects used for rotating authentication when configuring OSPFv2 routing.
• loggingsettings: Manage logging settings for access control policies

Supported platforms: FMC

API Explorer based on OAS

Version 6.4 uses a new API Explorer, based on the OpenAPI Specification (OAS). As part of the OAS, you now use CodeGen to generate sample code. You can still access the legacy API Explorer if you prefer.

Supported platforms: FMC

Performance

Snort restart improvements

Before Version 6.4, during Snort restarts, the system dropped encrypted connections that matched a 'Do not decrypt' SSL rule or default policy action. Now, routed/transparent traffic passes without inspection instead of dropping, as long as you did not disable large flow offload or Snort preserve-connection.

Supported platforms: Firepower 4100/9300

Faster access control

The Version 6.4 upgrade process enables egress optimization on eligible devices, which enhances access control performance. For more information, see the Cisco Firepower Threat Defense Command Reference. We strongly recommend you leave this feature enabled. If you have questions, contact Cisco TAC.

Supported platforms: FTD

Faster SNMP event logging

Performance improvements when sending intrusion and connection events to an external SNMP trap server.

Supported platforms: Any

Faster deploy

Improvements to appliance communications and deploy framework.

Supported platforms: FTD

Faster upgrade

Improvements to the event database.

Supported platforms: Any

Hardware bypass for the ISA 3000.

You can now configure hardware bypass for the ISA 3000 on the Device > Interfaces page. In release 6.3, you needed to configure hardware bypass using FlexConfig. If you are using FlexConfig, please redo the configuring on the Interfaces page and remove the hardware bypass commands from FlexConfig. However, the portion of the FlexConfig devoted to disabling TCP sequence number randomization is still recommended.

Ability to reboot and shut down the system from FDM.

You can now issue the reboot and shutdown commands through the CLI Console in FDM. Previously, you needed to open a separate SSH session to the device to reboot or shut down the system. You must have Administrator privileges to use these commands.

External Authentication and Authorization using RADIUS for FTD CLI Users.

You can use an external RADIUS server to authenticate and authorize users logging into the FTD CLI. You can give external users config (administrator) or basic (read-only) access.

We added the SSH configuration to the AAA Configuration tab on the Device > System Settings > Management Access page.

Support for network range objects and nested network group objects.

You can now create network objects that specify a range of IPv4 or IPv6 addresses, and network group objects that include other network groups (that is, nested groups).

We modified the network object and network group object Add/Edit dialog boxes to include these features, and modified the various security policies to allow the use of these objects, contingent on whether address specifications of that type make sense within the context of the policy.

Full-text search options for objects and rules.

You can do a full-text search on objects and rules. By searching a policy or object list that has a large number of items, you can find all items that include your search string anywhere within the rule or object.

We added a search box to all policies that have rules, and to all pages on the Objects list. In addition, you can use the filter=fts~ search-string option on GET calls for supported objects in the API to retrieve items based on a full-text search.

Obtaining a list of supported API versions for an FDM-managed FTD device.

You can use the GET /api/versions (ApiVersions) method to get a list of the API versions that are supported on a device. You can use your API client to communicate and configure the device using commands and syntax valid for any of the supported versions.

FTD REST API version 3 (v3).

The FTD REST API for software version 6.4 has been incremented to version 3. You must replace v1/v2 in the API URLs with v3. The v3 API includes many new resources that cover all features added in software version 6.4. Please re-evaluate all existing calls, as changes might have been mode to the resource models you are using. To open the API Explorer, where you can view the resources, change the end of the Firepower Device Manager URL to /#/api-explorer after logging in.

Hit counts for access control rules.

You can now view hit counts for access control rules. The hit counts indicate how often connections matched the rule.

We updated the access control policy to include hit count information. In the FTD API, we added the HitCounts resource and the includeHitCounts and filter=fetchZeroHitCounts options to the GET Access Policy Rules resource.

Site-to-Site VPN enhancements for dynamic addressing and certificate authentication.

You can now configure site-to-site VPN connections to use certificates instead of preshared keys to authenticate the peers. You can also configure connections where the remote peer has an unknown (dynamic) IP address. We added options to the Site-to-Site VPN wizard and the IKEv1 policy object.

Support for RADIUS servers and Change of Authorization in remote access VPN.

You can now use RADIUS servers for authenticating, authorizing, and accounting remote access VPN (RA VPN) users. You can also configure Change of Authentication (CoA), also known as dynamic authorization, to alter a user’s authorization after authentication when you use a Cisco ISE RADIUS server.

We added attributes to the RADIUS server and server group objects, and made it possible to select a RADIUS server group within an RA VPN connection profile.

Multiple connection profiles and group policies for remote access VPN.

You can configure more than one connection profile, and create group policies to use with the profiles.

We changed the Device > Remote Access VPN page to have separate pages for connection profiles and group policies, and updated the RA VPN Connection wizard to allow the selection of group policies. Some items that were previously configured in the wizard are now configured in the group policy.

Support for certificate-based, second authentication source, and two-factor authentication in remote access VPN.

You can use certificates for user authentication, and configure secondary authentication sources so that users must authenticate twice before establishing a connection. You can also configure two-factor authentication using RSA tokens or Duo passcodes as the second factor.

We updated the RA VPN Connection wizard to support the configuration of these additional options.

Support for IP address pools with multiple address ranges, and DHCP address pools, for remote access VPN.

You can now configure address pools that have more than one address range by selecting multiple network objects that specify subnets. In addition, you can configure address pools in a DHCP server and use the server to provide addresses to RA VPN clients. If you use RADIUS for authorization, you can alternatively configure the address pools in the RADIUS server.

We updated the RA VPN Connection wizard to support the configuration of these additional options. You can optionally configure the address pool in the group policy instead of the connection profile.

Active Directory realm enhancements.

You can now include up to 10 redundant Active Directory (AD) servers in a single realm. You can also create multiple realms and delete realms that you no longer need. In addition, the limit for downloading users in a realm is increased to 50,000 from the 2,000 limit in previous releases.

We updated the Objects > Identity Sources page to support multiple realms and servers. You can select the realm in the user criteria of access control and SSL decryption rules, to apply the rule to all users within the realm. You can also select the realm in identity rules and RA VPN connection profiles.

Redundancy support for ISE servers.

When you configure Cisco Identity Services Engine (ISE) as an identity source for passive authentication, you can now configure a secondary ISE server if you have an ISE high availability setup.

We added an attribute for the secondary server to the ISE identity object.

File/malware events sent to external syslog servers.

You can now configure an external syslog server to receive file/malware events, which are generated by file policies configured on access control rules. File events use message ID 430004, malware events are 430005.

We added the File/Malware syslog server options to the Device > System Settings > Logging Settingspage.

Logging to the internal buffer and support for custom event log filters.

You can now configure the internal buffer as a destination for system logging. In addition, you can create event log filters to customize which messages are generated for the syslog server and internal buffer logging destinations.

We added the Event Log Filter object to the Objects page, and the ability to use the object on the Device > System Settings > Logging Settings page. The internal buffer options were also added to the Logging Settings page.

Certificate for the Firepower Device Manager Web Server.

You can now configure the certificate that is used for HTTPS connections to the Firepower Device Manager configuration interface. By uploading a certificate your web browsers already trust, you can avoid the Untrusted Authority message you get when using the default internal certificate. We added the Device > System Settings > Management Access > Management Web Server page.

Cisco Threat Response support.

You can configure the system to send intrusion events to the Cisco Threat Response cloud-based application. You can use Cisco Threat Response to analyze intrusions.

We added Cisco Threat Response to the Device > System Settings > Cloud Services page.