New Features in Cloud-delivered Firewall Management Center 2022

December 13, 2022

Table 1. New Features: December 13, 2022
Feature

Description

Onboarding to CDO and Threat Defense Upgrades

Additional Device Support and Onboarding

You can now onboard clustered devices, AWS VPC environments, and Azure VNET environments to cloud-delivered Firewall Management Center. Onboarding these devices currently requires login credentials. Clustered devices must be already formed in their designated managing platform. See the following topics at https://docs.defenseorchestrator.com for more information:

  • Onboard a Cluster

  • Onboard a Device Associated with an AWS VPC.

  • Onboard an Azure VNet Environment

Unattended Threat Defense Upgrade

The threat defense upgrade wizard now supports unattended upgrades, using a new Unattended Mode menu. You just need to select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser.

With an unattended upgrade, the system automatically copies needed upgrade packages to devices, performs compatibility and readiness checks, and begins the upgrade. Just as happens when you manually step through the wizard, any devices that do not "pass" a stage in the upgrade (for example, failing checks) are not included in the next stage. After the upgrade completes, you pick up with the verification and post-upgrade tasks.

You can pause and restart unattended mode during the copy and checks phases. However, pausing unattended mode does not stop tasks in progress. Copies and checks that have started will run to completion. Similarly, you cannot cancel an upgrade in progress by stopping unattended mode; to cancel an upgrade, use the Upgrade Status pop-up, accessible from the Upgrade tab on Device Management page, and from the Message Center.

See Upgrade Threat Defense in the Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center.

Auto-upgrade to Snort 3

When you upgrade threat defense to Version 7.3+, you can no longer disable the Upgrade Snort 2 to Snort 3 option. After the software upgrade, all eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. Although you can switch individual devices back, Snort 2 will be deprecated in a future release and we strongly recommend you stop using it now.

For devices that are ineligible for auto-upgrade because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance.

For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

CDO-managed Secure Firewall Threat Defense Devices on Firepower 4100/9300

The Firepower 4100/9300 is a flexible security platform on which you can install one or more logical devices. Before you can add the threat defense to the management center, you must configure chassis interfaces, add a logical device, and assign interfaces to the device on the Firepower 4100/9300 chassis using the Secure Firewall chassis manager or the FXOS CLI.

You can now create a CDO-managed, standalone logical threat defense device on the Firepower 4100/9300, by configuring CDO as the manager when creating the device. See Configure Logical Devices in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator

Interfaces

IPv6 DHCP Enhancements

The Dynamic Host Configuration Protocol (DHCP) provides network configuration parameters, such as IP addresses, to DHCP clients. The threat defense device can provide a DHCP server to DHCP clients attached to threat defense device interfaces. The DHCP server provides network configuration parameters directly to DHCP clients.

The cloud-delivered Firewall Management Center now supports the following IPv6 addressing features for Secure Firewall Threat Defense devices:

  • DHCPv6 Address Client: Threat defense obtains an IPv6 global address and optional default route from the DHCPv6 server.

  • DHCPv6 Prefix Delegation Client: Threat defense obtains delegated prefix(es) from a DHCPv6 server. It can then use these prefixes to configure other threat defense interface addresses so that StateLess Address Auto Configuration (SLAAC) clients can auto-configure IPv6 addresses on the same network.

  • BGP router advertisement for delegated prefixes.

  • DHCPv6 Stateless Server: Threat defense provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to threat defense. Threat defense only accepts IR packets and does not assign addresses to the clients.

See Configure IPv6 Addressing in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator for more information.

Support for Loopback Interface

A loopback interface is a software interface that emulates a physical interface. It is reachable through multiple physical interfaces with IPv4 and IPv6 addresses.

You can configure a loopback interface for the redundancy of static and dynamic VTI VPN tunnels. See Regular Firewall Interfaces in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator.

Paired Proxy VXLAN for the Threat Defense Virtual for the Azure Gateway Load Balancer

You can configure a paired proxy mode VXLAN interface for the threat defense virtual in Azure for use with the Azure Gateway Load Balancer (GWLB). The threat defense virtual defines an external interface and an internal interface on a single NIC by utilizing VXLAN segments in a paired proxy.

See Clustering for Threat Defense Virtual in a Public Cloud in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator to learn more.

Redundant Manager Access Data Interface

You can now configure a secondary data interface to take over the management functions if the primary interface goes down, when using a data interface for manager access. The device uses SLA monitoring to track the viability of the static routes and an equal-cost multi-path (ECMP) zone that contains both interfaces so management traffic can use both interfaces. See Configure a Redundant Manager Access Data Interface in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator for more information.

Remote Access VPN

TLS 1.3 in Remote Access VPN

You can now use TLS 1.3 to encrypt remote access VPN connections. Use threat defense platform settings to specify that the device must use TLS 1.3 protocol when acting as a remote access VPN server. See Platform Settings in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator.

Site to Site VPN

Support for Dynamic Virtual Tunnel Interface

You can create a dynamic VTI and use it to configure a route-based site-to-site VPN in a hub and spoke topology. Previously, you could use only a static VTI to configure a route-based site-to-site VPN in a hub and spoke topology.

Dynamic VTI eases the configuration of peers for large enterprise hub and spoke deployments. A single dynamic VTI can replace several static VTI configurations on the hub. You can add new spokes to a hub without changing the hub configuration. See Site-to-Site VPNs for Secure Firewall Threat Defense in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator

Routing

Support for Bidirectional Forwarding Detection

Cloud-delivered Firewall Management Center now supports Bidirectional Forwarding Detection (BFD) configuration on Secure Firewall Threat Defense devices. BFD operates in a unicast, point-to-point mode on top of any data protocol being forwarded between two systems. However, in threat defense, BFD is supported on BGP protocols only. BFD configuration on the device includes creating templates and policies and enabling BFD support in the BGP neighbor settings.

See Bidirectional Forwarding Detection Routing in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator for more information.

EIGRP (IPv4) routing support on Virtual Tunnel Interface

EIGRP (IPv4) routing is now supported on the Virtual Tunnel Interface. You can now use EIGRP (IPv4) protocol to share routing information and to route traffic flow over a VTI-based VPN tunnel between peers. See Additional Configurations for VTI in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator.

Virtual Tunnel Interface (VTI) Support for OSPF

The IPv4 or IPv6 OSPF can be configured on the VTI interface of a threat defense device. You can use OSPF to share routing information and route traffic through a VTI-based VPN tunnel between the devices. See Site-to-Site VPNs for Secure Firewall Threat Defense in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator.

Access Control and Threat Detection

Decryption Policy

Feature renamed from SSL policy to decryption policy to better reflect what it does. We now enable you to configure a decryption policy with one or more Decrypt - Resign or Decrypt - Known Key rules at the same time.

Get started by going to Policies > Access Control > Decryption.

The Create Decryption Policy dialog box now has two tab pages: Outbound Connections and Inbound Connections.

Use the Outbound Connections tab page to configure one or more decryption rules with a Decrypt - Resign rule action. (You can either upload or generate certificate authorities at the same time). Each combination of a CA with networks and ports results in one decryption rule.

Use the Inbound Connections tab page to configure one or more decryption rules with a Decrypt - Known Key rule action. (You can upload your server's certificate at the same time.) Each combination of a server certificate with networks and ports results in one decryption rule.

Health Monitoring

Cloud-delivered Firewall Management Center Deployment Notifications on CDO

CDO now notifies you about the status of deployments that are performed on the cloud-delivered Firewall Management Center. The notification messages include information on whether the deployment has succeeded, failed, or is in progress, the time and date of the deployment, and a link to the deployment history page of the cloud-delivered Firewall Management Center. See Notifications in Managing FDM Devices with Cisco Defense Orchestrator for more information.

Cluster Health Monitor Settings

You can now edit cluster health monitor settings in the cloud-delivered Firewall Management Center web interface. If you configure these settings with the FlexConfig in a previous version, the system allows you to deploy, but also warns you to redo the configuration because the FlexConfig settings take precedence.

See Edit Cluster Health Monitor Settings in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator to learn more.

Improved Health Monitoring for Device Clusters

You can now use the health monitor for each cluster to view overall cluster status, load distribution metrics, performance metrics, cluster control link (CCL) and data throughput, and so on.

See Cluster Health Monitor in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator to learn more.

New Health Monitoring Alerts

The cloud-delivered Firewall Management Center now provides new health modules to monitor the temperature and power supply on a Firepower 4100/9300 chassis.

Using the new Environment Status and Power Supply health modules, you can create a custom health dashboard and set threshold values for temperature and power supply on your physical appliance. See Health Monitor Alerts in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator to learn more.

Licensing

Carrier License

Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco portfolio and across your organization. The cloud-delivered Firewall Management Center now supports Carrier license, in addition to the existing smart licenses. The Carrier license allows GTP/GPRS, Diameter, SCTP, and M3UA inspection configurations. See Licenses in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator.

Usability, Performance, and Troubleshooting

Core Allocation Performance Profiles

The CPU cores on the Secure Firewall Threat Defense device are assigned to two of the main system processes: Lina and Snort. Lina handles VPN connections, routing, and other basic layer 3/4 processing. Snort provides advanced inspection, including intrusion and malware prevention, URL filtering, application filtering, and other features that require deep packet inspection.

You can now adjust the percentage of system cores assigned to the data plane and Snort to adjust system performance, using the performance profiles. Based on your relative use of VPN and intrusion policies, you can choose a desired performance profile. See Configure the Performance Profile in Managing Firewall Threat Defense with Cloud-delivered Firewall Management Center in Cisco Defense Orchestrator for more information.

Identity

Proxy Sequence

A proxy sequence is one or more managed devices that can be used to communicate with an LDAP, Active Directory, or ISE/ISE-PIC server. It is necessary only if Security Cloud Control cannot communicate with your Active Directory or ISE/ISE-PIC server. (For example, Security Cloud Control might be in a public cloud but Active Directory or ISE/ISE-PIC might be in a private cloud.)

Although you can use one managed device as a proxy sequence, we strongly recommend you set up two or more so that, in the event one managed device cannot communicate with Active Directory or ISE/ISE-PIC, another managed device can take over.

Create a proxy sequence by going to Integration > Other Integrations > Realms > Proxy Sequence.

October 20, 2022

Support for Configuring Next-Hop IP Addresses in a Policy-based Route Map

Policy-Based Routing (PBR) helps route network traffic for specified applications based on your priorities, such as source port, destination address, destination port, protocol, applications, or a combination of these objects, rather than by destination network criteria. For example, you can use PBR to route your high-priority network traffic over a high-bandwidth, expensive link and your lower priority network traffic over a lower bandwidth, lower cost link.

The cloud-delivered Firewall Management Center now supports defining next-hop IP addresses when creating a policy-based route map. See About Policy Based Routing and Configure Policy-Based Routing Policy in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator for more information.

URL Filtering Enhancements

URL filtering lets you control access to websites that the users on your network can use. You can filter websites based on category and reputation, for which your device needs a URL-filtering license, or manually by specifying URLs. The category and reputation-based filtering—the quicker and smarter way to filter URLs—uses Cisco's up-to-date threat intelligence information and is highly recommended.

The cloud-delivered Firewall Management Center can now query for up-to-date URL category and reputation information directly from the Cisco Talos cloud instead of using the local database information. The local database gets updated every 24 to 48 hours. See URL Filtering Options in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator for detailed information.

Umbrella Tunnel Integration with Secure Firewall Threat Defense using Cloud-delivered Firewall Management Center

You can now automatically deploy IPsec IKEv2 tunnels to Umbrella from a threat defense device using cloud-delivered Firewall Management Center. This tunnel forwards all internet-bound traffic to the Umbrella Secure Internet Gateway (SIG) for inspection and filtering. Create a SASE topology, a new type of static VTI-based site-to-site VPN topology, using a simple wizard to configure and deploy the Umbrella tunnels.

See About Umbrella SASE Topology in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator for more information.

Support for Remote Access VPN Policy in FTD to Cloud Migration

CDO now imports the remote access VPN policy during the migration of the FTD to cloud.

See Migrate FTD to Cloud in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator for more information.

Migrate Flex Configured Routing Policies

Cloud-delivered Firewall Management Center now supports the migration of Flex configured ECMP, VxLAN, and EIGRP policies using the Migration Config option in the user interface.

See Migrating FlexConfig Policies in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator for more information.

Smart Licensing Standardization

The license names used by cloud-delivered Firewall Management Center have been changed.

Table 2. Smart License Name Changes

Old Name

is now

New Name

Base

is now

Essentials

Threat

is now

IPS

Malware

is now

Malware Defense

RA VPN/AnyConnect License

is now

Cisco Secure Client

AnyConnect Plus

is now

Secure Client Advantage

AnyConnect Apex

is now

Secure Client Premier

AnyConnect Apex and Plus

is now

Secure Client Premier and Advantage

AnyConnect VPN Only

is now

Secure Client VPN Only

See License Types and Restrictions in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator for more information.

June 9, 2022

Cisco Defense Orchestrator (CDO) is now the platform for the cloud-delivered Firewall Management Center.

The cloud-delivered Firewall Management Center is a software-as-a-service (SaaS) product that manages Secure Firewall Threat Defense devices. It offers many of the same functions as an on-premises Secure Firewall Management Center, it has the same appearance and behavior as an on-premises Secure Firewall Management Center, and uses the same FMC API.

This product is designed for Secure Firewall Management Center customers who want to move from an on-premises version of the Secure Firewall Management Center to a SaaS version.

As a SaaS product, the CDO operations team is responsible for maintaining it. As new features are introduced, the CDO operations team updates CDO and the cloud-delivered Firewall Manager for you.

A migration wizard is available to help you migrate your Secure Firewall Threat Defense devices registered to your on-premises Secure Firewall Management Center to the cloud-delivered Firewall Management Center.

Onboarding Secure Firewall Threat Defense devices is carried out in CDO using familiar processes such as onboarding a device with its serial number or using a CLI command that includes a registration key. Once the device is onboarded, it is visible in both CDO and in the cloud-delivered Firewall Management Center, however, you configure the device in the cloud-delivered Firewall Management Center. Secure Firewall Threat Defense devices running Version 7.2 or later can be onboarded.

The license for cloud-delivered Firewall Management Center is a per-device-managed license and there is no license required for the cloud delivered FMC itself. Existing Secure Firewall Threat Defense devices re-use their existing smart licenses and new Secure Firewall Threat Defense devices provision new smart licenses for each feature implemented on the FTD.

In a remote branch office deployment, the data interface of the threat defense device is used for Cisco Defense Orchestrator management instead of the Management interface on the device. Because most remote branch offices only have a single internet connection, outside CDO access makes centralized management possible. In the case of remote branch deployment, CDO provides high availability support for the threat defense devices that it manages through the data interface.

You can analyze syslog events generated by your onboarded threat defense devices using Security Analytics and Logging (SaaS) or Security Analytics and Logging (On Premises). The SaaS version stores events in the cloud and you view the events in CDO. The on-premises version stores events in an on-premises Secure Network Analytics appliance and analysis is done in the on-premises Secure Firewall Management Center. In both cases, just as with an on-premises FMC today, you can still send logs to a log collector of your choice directly from the sensors.

The FTD dashboard provides you an at-a-glance view of the status, including events data collected and generated by all threat defense devices managed by the cloud-delivered Firewall Management Center. You can use this dashboard to view collective information that is related to the device status and the overall health of the devices in your deployment. The information that the FTD dashboard provides depends on how you license, configure, and deploy the devices in your system. The FTD dashboard displays data for all CDO-managed threat defense devices. However, you can choose to filter device-based data. You can also choose the time range to display for specific time range.

The Cisco Secure Dynamic Attributes Connector enables you to use service tags and categories from various cloud service platforms in cloud-delivered Firewall Management Center access control rules. Network constructs such as IP addresses may be ephemeral in virtual, cloud and container environments due to the dynamic nature of the workloads and the inevitability of IP address overlap. Customers require policy rules to be defined based on non-network constructs such as VM name or security group, so that firewall policy is persistent even when the IP address or VLAN changes.

Proxy sequences of one or more managed devices can be used to communicate with an LDAP, Active Directory, or ISE/ISE-PIC servers. It is necessary only if Cisco Defense Orchestrator (CDO) cannot communicate with your Active Directory or ISE/ISE-PIC server. For example, CDO might be in a public cloud but Active Directory or ISE/ISE-PIC might be in a private cloud.

Although you can use one managed device as a proxy sequence, we strongly recommend you set up two or more so that, in the event one managed device cannot communicate with Active Directory or ISE/ISE-PIC, another managed device can take over.

Any customer can use CDO to manage other device types like, the Secure Firewall ASA, Meraki, Cisco IOS devices, Umbrella, and AWS virtual private clouds. If you use CDO to manage a Secure Firewall Threat Defense device configured for local management with Firepower Device Manager, you can continue to manage them with CDO as well. If you are new to CDO, you can manage Secure Firewall Threat Defense devices with the new cloud-delivered Firewall Management Center and all of the other device types as well.

Learn more about the Firewall Management Center features we support in the cloud-delivered Firewall Management Center.