Cisco is excited to announce the FTD 7.1, ASA 9.17.1, FXOS 2.11(1), CSM 4.24, and ASDM 7.17 releases that simplify and harmonize remote access, network, and workload security across your hybrid and multi-cloud environments. Cisco’s year-end innovations keep the network from going dark, with new visibility into encrypted traffic, and drive efficiency at scale, with improved scalability both within and across public cloud providers.
Superior Threat Visibility
Snort 3 - Rule Recommendations: Associates host vulnerabilities detected on the network with rules tailored to the specific needs of one or more hosts. Updates include no rule overhead and security level rules that are derived from Talos intrusion policies. The recommended actions are based on the security level (policy) selected for more rules.
Snort 3 - Elephant Flows: Has the ability to identify and provide visibility of long-lived flows that could impact performance, including huge file transfers and database update flows. Currently available for FTDs running Snort 3.
Snort 3 -Multi-Channel Support for SMB: New SMB inspector detects, and processes SMB sessions that are spread across multiple TCP connections, detects and processes files getting transferred over these sessions, and applies file policy/rules on them. Applies to Snort 3 only.
TLS & Encrypted Visibility Engine (Experimental): Decryption of internet traffic against Man-in-the-middle attacks, among others, along with TLS 1.3 server certificate encryption, creates a significant load on firewalls. To reduce this, Snort 3 utilizes machine learning to determine the application (client process) generating the Client Hello packet, identifies known processes/browsers – thereby providing a path from now on to reduce the number of decryption events needed.
Direct Internet Access
Utilizes application detection on the first packet and policy-based routing to determine if the traffic should go directly to the Internet or a corporate network. Based on defined ingress/egress interfaces and applications.
PasswordLess Authentication - This feature introduces support for expanding the passwordless authentication story to Remote Access VPN users. Anyconnect now supports using the user system's default browser, eliminating the need for users to re-authenticate for VPN while using Single Sign-On. With WebAuthN support, the MFA can be expanded to biometrics-based devices such as fingerprint readers, Yubikeys, etc.
Unique Local Tunnel ID - Enables Umbrella SIG integration for SASE tunnels.
Support for Multiple Trustpoints in SAML Authentication - Integrates with Azure AD easier for SSO.
Site to Site Tunnel Monitoring Dashboard
SAML support with VPN Load Balancing Groups
Ability to change destination address using FQDN response.
Include FQDN name in NAT policy for enhanced usability.
Simplified firewall insertion in public/private cloud, Dynamic IPs for destination NAT, and One-to-many DNS resolution with load balancing.
Cisco Secure Dynamic Attributes Connector
This connector helps organizations execute a multi-cloud strategy and associated security controls by consistently managing network security policy, no matter where the workload resides. Without deploying a policy, policy rules can be defined based on non-network ‘attributes’ such as VM Name, Security Group, VPC, etc. The connector currently supports NSX-T, Azure, and AWS, with more environment support planned for future releases.
Wild Card Mask
Network objects allow wildcard network masks that can be used in Access Control, Prefilter, and NAT policies.
Supported on devices running Snort3.
NVE encapsulation in ASAv/FTDv and AWS proxy mode VNI interface in AWS virtual platform. With the support comes enhanced troubleshooting capabilities.
The 9.17.1 release brings clustering to our virtual firewall portfolio for the private cloud, which will help to improve performance and scaling for ASAv deployments significantly.
Firewall Migration Tool Updates
Firewall Migration Tool 2.5 includes support for Threat Defense 7.1, particularly enabling Wildcard Mask migrations. Customers and partners can now optimize access control rules during the migration by identifying and removing redundant and shadow rules. Streamlined Object optimization capabilities and results are now included in the tool’s post-migration report.
This video reviews the Access List & Object Optimization features in the Cisco Secure Firewall Migration Tool during configuration. Download the tool at Cisco Firewall Migration Tool.
Firewall Performance Estimator Updates
TLS Decryption, VPN IPsec, Clear text percentage slider bars
Shows percentage of traffic that contains encrypted TLS inside the IPSec VPN
Option to select custom packet size mix as low as 90B, high as 1024B
Latest numbers for Firewall software 7.0, select Snort 2/3
Estimated Logging Volume and Total Event Rate
Create a list – Product IDs for Cisco Commerce Workspace (CCW) order
Compare devices with differences highlighted
Device info - ACE/ACL max limit, Product IDs added
The self-service portal is available to all customers to search for Application Detectors. Allows users to view detector vulnerability database release notes, dispute existing application detectors, or request new ones.
Secure Firewall Cloud Resources Site
We are introducing the new and easy-to-navigate Secure Firewall Cloud resources web page. The centralized page provides additional learning and documentation resources on the top 50+ templates for all major cloud environments and key use cases.
Cisco has collaborated with AWS to simplify the way organizations secure their public cloud infrastructure using Firewall-as-a-Service (FWaaS), where Cisco Secure Firewall is integrated with the AWS Gateway Load Balancer (GWLB).
At AWS Re: invent ‘21, Cisco also launched Snort 3 Anywhere - Making Snort 3 officially available in a container form factor to be consumed in customer’s Kubernetes cluster either running on AWS or On-prem.
It’s yet another way Cisco fulfills our vision to simplify security for networks, workloads, and applications across the multi-cloud world.
Equinix’s Network Edge as a Service Platform
Cisco Secure Firewall and Equinix have validated Secure Firewall Threat Defense Virtual to run on Equinix’s Network Edge as a Service platform. Equinix Fabric allows you to connect digital infrastructure and services on demand via secure, software-defined interconnection (Ecosystem). For more information, read more about Equinix.
Next-Generation Security and Threat Defense for Multi-Cloud Networks with Alkira
Cisco Secure Firewall and Alkira join hands to deliver Next-Generation Security and Threat Defense for Multi-Cloud Networks.
The joint solution allows organizations to seamlessly extend their security services to the cloud with Cisco Secure Firewall Threat Defense 7.1, providing granularity, control, and simplicity - unmatched by the native cloud deployments.
Hello everyone, May i ask if there is a way to configure a dual wan load balancing with a 50%/50% ratio on both outside interface using FMC. Right now my current config is just basic failover. I have a FTD 5508X v188.8.131.52 and FMC v184.108.40.206&nb...
I am currently having issues establishing a IPSec Tunnel between a FTD and a IOS Router. It looks as if they get past Phase 1 but then perhaps fail on establishing the IPSec Tunnel. I have posted the IOS Configurations as well as my debug messages ...
I've configured FMC to send Connection Events to an external syslog but not everything is being sent. I've taken some tcpdumps and only the events with some relevant impact are sent. I'm interested in sending every event, even the allowed ones. ...
Is it possible to see the utilization percentage of an interface over a specific period of time? I want to see how much "in percentage" a host is using.what I want to see for example is : host x connected to outside2 interface, and using 50% of the i...