December 13, 2022
Feature |
Description |
---|---|
Onboarding to CDO and Threat Defense Upgrades |
|
Additional Device Support and Onboarding |
You can now onboard clustered devices, AWS VPC environments, and Azure VNET environments to cloud-delivered Firewall Management Center. Onboarding these devices currently requires login credentials. Clustered devices must be already formed in their designated managing platform. See the following topics at https://docs.defenseorchestrator.com for more information:
|
Unattended Threat Defense Upgrade |
The threat defense upgrade wizard now supports unattended upgrades, using a new Unattended Mode menu. You just need to select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser. With an unattended upgrade, the system automatically copies needed upgrade packages to devices, performs compatibility and readiness checks, and begins the upgrade. Just as happens when you manually step through the wizard, any devices that do not "pass" a stage in the upgrade (for example, failing checks) are not included in the next stage. After the upgrade completes, you pick up with the verification and post-upgrade tasks. You can pause and restart unattended mode during the copy and checks phases. However, pausing unattended mode does not stop tasks in progress. Copies and checks that have started will run to completion. Similarly, you cannot cancel an upgrade in progress by stopping unattended mode; to cancel an upgrade, use the Upgrade Status pop-up, accessible from the Upgrade tab on Device Management page, and from the Message Center. See Upgrade Threat Defense in the Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center. |
Auto-upgrade to Snort 3 |
When you upgrade threat defense to Version 7.3+, you can no longer disable the Upgrade Snort 2 to Snort 3 option. After the software upgrade, all eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. Although you can switch individual devices back, Snort 2 will be deprecated in a future release and we strongly recommend you stop using it now. For devices that are ineligible for auto-upgrade because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide. |
CDO-managed Secure Firewall Threat Defense Devices on Firepower 4100/9300 |
The Firepower 4100/9300 is a flexible security platform on which you can install one or more logical devices. Before you can add the threat defense to the management center, you must configure chassis interfaces, add a logical device, and assign interfaces to the device on the Firepower 4100/9300 chassis using the Secure Firewall chassis manager or the FXOS CLI. You can now create a CDO-managed, standalone logical threat defense device on the Firepower 4100/9300, by configuring CDO as the manager when creating the device. See Configure Logical Devices in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator |
Interfaces |
|
IPv6 DHCP Enhancements |
The Dynamic Host Configuration Protocol (DHCP) provides network configuration parameters, such as IP addresses, to DHCP clients. The threat defense device can provide a DHCP server to DHCP clients attached to threat defense device interfaces. The DHCP server provides network configuration parameters directly to DHCP clients. The cloud-delivered Firewall Management Center now supports the following IPv6 addressing features for Secure Firewall Threat Defense devices:
See Configure IPv6 Addressing in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator for more information. |
Support for Loopback Interface |
A loopback interface is a software interface that emulates a physical interface. It is reachable through multiple physical interfaces with IPv4 and IPv6 addresses. You can configure a loopback interface for the redundancy of static and dynamic VTI VPN tunnels. See Regular Firewall Interfaces in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator. |
Paired Proxy VXLAN for the Threat Defense Virtual for the Azure Gateway Load Balancer |
You can configure a paired proxy mode VXLAN interface for the threat defense virtual in Azure for use with the Azure Gateway Load Balancer (GWLB). The threat defense virtual defines an external interface and an internal interface on a single NIC by utilizing VXLAN segments in a paired proxy. See Clustering for Threat Defense Virtual in a Public Cloud in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator to learn more. |
Redundant Manager Access Data Interface |
You can now configure a secondary data interface to take over the management functions if the primary interface goes down, when using a data interface for manager access. The device uses SLA monitoring to track the viability of the static routes and an equal-cost multi-path (ECMP) zone that contains both interfaces so management traffic can use both interfaces. See Configure a Redundant Manager Access Data Interface in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator for more information. |
Remote Access VPN |
|
TLS 1.3 in Remote Access VPN |
You can now use TLS 1.3 to encrypt remote access VPN connections. Use threat defense platform settings to specify that the device must use TLS 1.3 protocol when acting as a remote access VPN server. See Platform Settings in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator. |
Site to Site VPN |
|
Support for Dynamic Virtual Tunnel Interface |
You can create a dynamic VTI and use it to configure a route-based site-to-site VPN in a hub and spoke topology. Previously, you could use only a static VTI to configure a route-based site-to-site VPN in a hub and spoke topology. Dynamic VTI eases the configuration of peers for large enterprise hub and spoke deployments. A single dynamic VTI can replace several static VTI configurations on the hub. You can add new spokes to a hub without changing the hub configuration. See Site-to-Site VPNs for Secure Firewall Threat Defense in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator |
Routing |
|
Support for Bidirectional Forwarding Detection |
Cloud-delivered Firewall Management Center now supports Bidirectional Forwarding Detection (BFD) configuration on Secure Firewall Threat Defense devices. BFD operates in a unicast, point-to-point mode on top of any data protocol being forwarded between two systems. However, in threat defense, BFD is supported on BGP protocols only. BFD configuration on the device includes creating templates and policies and enabling BFD support in the BGP neighbor settings. See Bidirectional Forwarding Detection Routing in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator for more information. |
EIGRP (IPv4) routing support on Virtual Tunnel Interface |
EIGRP (IPv4) routing is now supported on the Virtual Tunnel Interface. You can now use EIGRP (IPv4) protocol to share routing information and to route traffic flow over a VTI-based VPN tunnel between peers. See Additional Configurations for VTI in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator. |
Virtual Tunnel Interface (VTI) Support for OSPF |
The IPv4 or IPv6 OSPF can be configured on the VTI interface of a threat defense device. You can use OSPF to share routing information and route traffic through a VTI-based VPN tunnel between the devices. See Site-to-Site VPNs for Secure Firewall Threat Defense in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator. |
Access Control and Threat Detection |
|
Decryption Policy |
Feature renamed from SSL policy to decryption policy to better reflect what it does. We now enable you to configure a decryption policy with one or more Decrypt - Resign or Decrypt - Known Key rules at the same time. Get started by going to . The Create Decryption Policy dialog box now has two tab pages: Outbound Connections and Inbound Connections. Use the Outbound Connections tab page to configure one or more decryption rules with a Decrypt - Resign rule action. (You can either upload or generate certificate authorities at the same time). Each combination of a CA with networks and ports results in one decryption rule. Use the Inbound Connections tab page to configure one or more decryption rules with a Decrypt - Known Key rule action. (You can upload your server's certificate at the same time.) Each combination of a server certificate with networks and ports results in one decryption rule. |
Health Monitoring |
|
Cloud-delivered Firewall Management Center Deployment Notifications on CDO |
CDO now notifies you about the status of deployments that are performed on the cloud-delivered Firewall Management Center. The notification messages include information on whether the deployment has succeeded, failed, or is in progress, the time and date of the deployment, and a link to the deployment history page of the cloud-delivered Firewall Management Center. See Notifications in Managing FDM Devices with Cisco Defense Orchestrator for more information. |
Cluster Health Monitor Settings |
You can now edit cluster health monitor settings in the cloud-delivered Firewall Management Center web interface. If you configure these settings with the FlexConfig in a previous version, the system allows you to deploy, but also warns you to redo the configuration because the FlexConfig settings take precedence. See Edit Cluster Health Monitor Settings in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator to learn more. |
Improved Health Monitoring for Device Clusters |
You can now use the health monitor for each cluster to view overall cluster status, load distribution metrics, performance metrics, cluster control link (CCL) and data throughput, and so on. See Cluster Health Monitor in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator to learn more. |
New Health Monitoring Alerts |
The cloud-delivered Firewall Management Center now provides new health modules to monitor the temperature and power supply on a Firepower 4100/9300 chassis. Using the new Environment Status and Power Supply health modules, you can create a custom health dashboard and set threshold values for temperature and power supply on your physical appliance. See Health Monitor Alerts in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator to learn more. |
Licensing |
|
Carrier License |
Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco portfolio and across your organization. The cloud-delivered Firewall Management Center now supports Carrier license, in addition to the existing smart licenses. The Carrier license allows GTP/GPRS, Diameter, SCTP, and M3UA inspection configurations. See Licenses in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator. |
Usability, Performance, and Troubleshooting |
|
Core Allocation Performance Profiles |
The CPU cores on the Secure Firewall Threat Defense device are assigned to two of the main system processes: Lina and Snort. Lina handles VPN connections, routing, and other basic layer 3/4 processing. Snort provides advanced inspection, including intrusion and malware prevention, URL filtering, application filtering, and other features that require deep packet inspection. You can now adjust the percentage of system cores assigned to the data plane and Snort to adjust system performance, using the performance profiles. Based on your relative use of VPN and intrusion policies, you can choose a desired performance profile. See Configure the Performance Profile in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator for more information. |
Identity |
|
Proxy Sequence |
A proxy sequence is one or more managed devices that can be used to communicate with an LDAP, Active Directory, or ISE/ISE-PIC server. It is necessary only if CDO cannot communicate with your Active Directory or ISE/ISE-PIC server. (For example, CDO might be in a public cloud but Active Directory or ISE/ISE-PIC might be in a private cloud.) Although you can use one managed device as a proxy sequence, we strongly recommend you set up two or more so that, in the event one managed device cannot communicate with Active Directory or ISE/ISE-PIC, another managed device can take over. Create a proxy sequence by going to . |