Platform

Feature: Threat defense Version 7.4.0 support.
Minimum threat defense: 7.4.0
Details: You can now manage threat defense devices running Version 7.4.0. Version 7.4.0 is available only on the Secure Firewall 4200. You must use a Secure Firewall 4200 for features that require Version 7.4.0. Support for all other platforms resumes in Version 7.4.1.

Feature: Secure Firewall 4200.
Minimum threat defense: 7.4.0

Feature: Performance profile support for the Secure Firewall 4200.
Minimum threat defense: 7.4.0
Details: The performance profile settings available in the platform settings policy now apply to the Secure Firewall 4200. Previously, this feature was supported only on the Firepower 4100/9300 and on threat defense virtual.
See: Configure the Performance Profile

Feature: Numbering convention for the cloud-delivered Firewall Management Center.
Minimum threat defense: Any
Details: The cloud-delivered Firewall Management Center is a feature of CDO. For troubleshooting purposes, we identify the version number of the cloud-delivered Firewall Management Center on the FMC Services page.
See: View Services Page Information.
Platform Migration

Feature: Migrate from Firepower 1000/2100 to Secure Firewall 3100.
Minimum threat defense: Any
Details: You can now easily migrate configurations from the Firepower 1000/2100 to the Secure Firewall 3100.
New/modified screens:
Platform restrictions: Migration is not supported from the Firepower 1010 or 1010E.
See: Migrate the Configuration to a New Model.

Feature: Migrate devices from Firepower Management Center 1000/2500/4500 to cloud-delivered Firewall Management Center.
Minimum threat defense: Any
Details: You can migrate devices from Firepower Management Center 1000/2500/4500 to the cloud-delivered Firewall Management Center.
To migrate devices, you must temporarily upgrade the on-prem management center from Version 7.0.3 (7.0.5 recommended) to Version 7.4.0. This temporary upgrade is required because Version 7.0 management centers do not support device migration to the cloud. Additionally, only standalone and high availability threat defense devices running Version 7.0.3+ (7.0.5 recommended) are eligible for migration. Cluster migration is not supported at this time.
Important: Version 7.4.0 is supported on the 1000/2500/4500 only during the migration process. You should minimize the time between the management center upgrade and device migration.
To summarize the migration process:
- Prepare for upgrade and migration. Read, understand, and meet all the prerequisites outlined in the release notes, upgrade guides, and migration guide. Before you upgrade, it is especially important that the on-prem management center is "ready to go": managing only the devices you want to migrate, configuration impact assessed (such as VPN impact), freshly deployed, fully backed up, all appliances in good health, and so on.
  You should also provision, license, and prepare the cloud tenant. This must include a strategy for security event logging; you cannot retain the on-prem management center for analytics because it will be running an unsupported version.
- Upgrade the on-prem management center and all its managed devices to at least Version 7.0.3 (Version 7.0.5 recommended). If you are already running the minimum version, you can skip this step.
- Upgrade the on-prem management center to Version 7.4.0. Unzip (but do not untar) the upgrade package before uploading it to the management center. Download from: Special Release.
- Onboard the on-prem management center to CDO.
- Migrate all devices from the on-prem management center to the cloud-delivered Firewall Management Center as described in the migration guide. When you select devices to migrate, make sure you choose Delete FTD from On-Prem FMC. Note that the device is not fully deleted unless you commit the changes or 14 days pass.
- Verify migration success. If the migration does not function to your expectations, you have 14 days to switch back or it is committed automatically. However, note that Version 7.4.0 is unsupported for general operations. To return the on-prem management center to a supported version you must remove the re-migrated devices, reimage back to Version 7.0.x, restore from backup, and reregister the devices.
See:
If you have questions or need assistance at any point in the migration process, contact Cisco TAC.

Feature: S2S VPN support in FTD to cloud migration. Migrate threat defense devices with VPN policies from on-prem to cloud-delivered Firewall Management Center.
Minimum threat defense: 7.0.3-7.0.x; 7.2 or later
Details: Site-to-site VPN configurations on Secure Firewall Threat Defense devices are now migrated along with the rest of the configuration when the device is migrated from the on-prem Firewall Management Center to the cloud-delivered Firewall Management Center.
See: Migrate On-Prem Management Center managed Secure Firewall Threat Defense to Cloud-delivered Firewall Management Center
Interfaces

Feature: Merged management and diagnostic interfaces.
Minimum threat defense: 7.4.0
Details: Upgrade impact. Merge interfaces after upgrade.
For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available.
If you upgraded to 7.4 or later and:
- You did not have any configuration for the diagnostic interface, then the interfaces will merge automatically.
- You have configuration for the diagnostic interface, then you have the choice to merge the interfaces manually, or you can continue to use the separate diagnostic interface. Note that support for the diagnostic interface will be removed in a later release, so you should plan to merge the interfaces as soon as possible.
Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including Management) in the configuration.
For platform settings, this means:
- You can no longer enable HTTP, ICMP, or SMTP for diagnostic.
- For SNMP, you can allow hosts on management instead of diagnostic.
- For Syslog servers, you can reach them on management instead of diagnostic.
- If Platform Settings for syslog servers or SNMP hosts specify the diagnostic interface by name, then you must use separate Platform Settings policies for merged and non-merged devices.
- DNS lookups no longer fall back to the management-only routing table if you do not specify interfaces.
New/modified screens:
New/modified commands: show management-interface convergence
See: Merge the Management and Diagnostic Interfaces

Feature: VXLAN VTEP IPv6 support.
Minimum threat defense: 7.4.0
Details: You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the threat defense virtual cluster control link or for Geneve encapsulation.
New/modified screens:
See: Configure Geneve Interfaces

Feature: Loopback interface support for BGP and management traffic.
Minimum threat defense: 7.4.0
Details: You can now use loopback interfaces for AAA, BGP, DNS, HTTP, ICMP, IPsec flow offload, NetFlow, SNMP, SSH, and syslog.
New/modified screens: Devices > Device Management > Edit device > Interfaces > Add Interfaces > Loopback Interface
See: Configure Loopback Interfaces

Feature: Loopback and management type interface group objects.
Minimum threat defense: 7.4.0
Details: You can create interface group objects with only management-only or loopback interfaces. You can use these groups for management features such as DNS servers, HTTP access, or SSH. Loopback groups are available for any feature that can utilize loopback interfaces. However, note that DNS does not support management interfaces.
New/modified screens:
See: Interface
High Availability/Scalability

Feature: Reduced "false failovers" for threat defense high availability.
Minimum threat defense: 7.4.0
SD-WAN

Feature: Policy-based routing using HTTP path monitoring.
Minimum threat defense: 7.2.0
Details: Policy-based routing (PBR) can now use the performance metrics (RTT, jitter, packet loss, and MOS) collected by path monitoring through an HTTP client on the application domain, rather than the metrics for a specific destination IP. The HTTP-based application monitoring option is enabled by default for the interface. You can configure a PBR policy with a match ACL that contains the monitored applications, and an interface ordering for path determination.
New/modified screens: Devices > Device Management > Edit device > Edit interface > Path Monitoring > Enable HTTP based Application Monitoring check box.
Platform restrictions: Not supported for clustered devices.
See: Configure Path Monitoring Settings

Feature: Policy-based routing with user identity and SGTs.
Minimum threat defense: 7.4.0
Details: You can now classify network traffic based on users, user groups, and SGTs in PBR policies. Select the identity and SGT objects while defining the extended ACLs for the PBR policies.
New/modified screens: Objects > Object Management > Access List > Extended > Add/Edit Extended Access List > Add/Edit Extended Access List Entry > Users and Security Group Tag
See: Configure Extended ACL Objects
VPN

Feature: IPsec flow offload on the VTI loopback interface for the Secure Firewall 4200.
Minimum threat defense: 7.4.0
Details: On the Secure Firewall 4200, qualifying IPsec connections through the VTI loopback interface are offloaded by default. Previously, this feature was supported for physical interfaces on the Secure Firewall 3100.
You can change the configuration using FlexConfig and the flow-offload-ipsec command.
Other requirements: FPGA firmware 6.2+
See: IPSec Flow Offload

Feature: Crypto debugging enhancements for the Secure Firewall 4200.
Minimum threat defense: 7.4.0
Details: We made the following enhancements to crypto debugging:
- The crypto archive is now available in text and binary formats.
- Additional SSL counters are available for debugging.
- Remove stuck encrypt rules from the ASP table without rebooting the device.
New/modified CLI commands: show counters
VPN: Remote Access

Feature: Customize Secure Client messages, icons, images, and connect/disconnect scripts.
Minimum threat defense: 7.2.0
Details: You can now customize Secure Client and deploy these customizations to the VPN headend. The following are the supported Secure Client customizations:
Threat defense distributes these customizations to the endpoint when an end user connects from the Secure Client.
New/modified screens:
See: Customize Secure Client
VPN: Site to Site

Feature: Easily exempt site-to-site VPN traffic from NAT translation.
Minimum threat defense: Any
Details: We now make it easier to exempt site-to-site VPN traffic from NAT translation.
New/modified screens:
- Enable NAT exemptions for an endpoint:
- View NAT exempt rules for devices that do not have a NAT policy:
- View NAT exempt rules for a single device:
See: NAT Exemption

Feature: Easily view IKE and IPsec session details for VPN nodes.
Minimum threat defense: Any
Details: You can view the IKE and IPsec session details of VPN nodes in a user-friendly format in the Site-to-Site VPN dashboard.
New/modified screens: Overview > Site to Site VPN > Under the Tunnel Status widget, hover over a topology, click View, and then click the CLI Details tab.
See: Monitoring the Site-to-Site VPNs
Access Control: Threat Detection and Application Identification

Feature: Sensitive data detection and masking.
Minimum threat defense: 7.4.0 with Snort 3
Details: Upgrade impact. New rules in default policies take effect.
Sensitive data such as social security numbers, credit card numbers, emails, and so on may be leaked onto the internet, intentionally or accidentally. Sensitive data detection detects possible sensitive data leakage and generates events only if a significant amount of Personally Identifiable Information (PII) is transferred. Sensitive data detection can mask PII in the output of events, using built-in patterns. Disabling data masking is not supported.
See: Custom Rules in Snort 3

Feature: Clientless zero-trust access.
Minimum threat defense: 7.4.0 with Snort 3
Details: We introduced Zero Trust Access, which allows you to authenticate and authorize access to protected web-based resources, applications, or data from inside (on-premises) or outside (remote) the network using an external SAML Identity Provider (IdP) policy.
The configuration consists of a Zero Trust Application Policy (ZTAP), Application Group, and Applications.
New/modified screens:
New/modified CLI commands:
- show running-config zero-trust application
- show running-config zero-trust application-group
- show zero-trust sessions
- show zero-trust statistics
- show cluster zero-trust statistics
- clear zero-trust sessions application
- clear zero-trust sessions user
- clear zero-trust statistics
Routing

Feature: Configure graceful restart for BGP on IPv6 networks.
Minimum threat defense: 7.3.0
Details: You can now configure BGP graceful restart for IPv6 networks on managed devices version 7.3 and later.
New/modified screens: Devices > Device Management > Edit device > Routing > BGP > IPv6 > Neighbor > Add/Edit Neighbor.
See: Configure BGP Neighbor Settings

Feature: Virtual routing with dynamic VTI.
Minimum threat defense: 7.4.0
Details: You can now configure a virtual router with a dynamic VTI for a route-based site-to-site VPN.
New/modified screens: Devices > Device Management > Edit Device > Routing > Virtual Router Properties > Dynamic VTI interfaces under Available Interfaces
Platform restrictions: Supported only on native mode standalone or high availability devices. Not supported for container instances or clustered devices.
See: About Virtual Routers and Dynamic VTI
Access Control: Threat Detection and Application Identification

Feature: Encrypted visibility engine enhancements.
Minimum threat defense: 7.4.0 with Snort 3
Details: Encrypted Visibility Engine (EVE) can now:
- Block malicious communications in encrypted traffic based on threat score.
- Determine client applications based on EVE-detected processes.
- Reassemble fragmented Client Hello packets for detection purposes.
New/modified screens: Use the access control policy's advanced settings to enable EVE and configure these settings.
See: Encrypted Visibility Engine

Feature: Exempt specific networks and ports from bypassing or throttling elephant flows.
Minimum threat defense: 7.4.0 with Snort 3
Details: You can now exempt specific networks and ports from bypassing or throttling elephant flows.
New/modified screens:
- When you configure elephant flow detection in the access control policy's advanced settings, if you enable the Elephant Flow Remediation option, you can now click Add Rule and specify traffic that you want to exempt from bypass or throttling.
- When the system detects an elephant flow that is exempted from bypass or throttling, it generates a mid-flow connection event with the reason Elephant Flow Exempted.
Platform restrictions: Not supported on the Firepower 2100 series.

Feature: Improved JavaScript inspection.
Minimum threat defense: 7.4.0 with Snort 3
Access Control: Identity

Feature: Cisco Secure Dynamic Attributes Connector on the management center.
Minimum threat defense: Any
Event Logging and Analysis

Feature: Configure threat defense devices as NetFlow exporters from the management center web interface.
Minimum threat defense: Any
Details: NetFlow is a Cisco application that provides statistics on packet flows. You can now use the management center web interface to configure threat defense devices as NetFlow exporters. If you have an existing NetFlow FlexConfig and redo your configurations in the web interface, you cannot deploy until you remove the deprecated FlexConfigs.
New/modified screens:
See: Configure NetFlow
Health Monitoring

Feature: New asp drop metrics.
Minimum threat defense: 7.4.0
Details: You can add over 600 new asp (accelerated security path) drop metrics to a new or existing device health dashboard. Make sure you choose the ASP Drops metric group.
New/modified screens: System ()
See: show asp drop Command Usage
Administration

Feature: Support for IPv6 URLs when checking certificate revocation.
Minimum threat defense: 7.4.0

Feature: Store threat defense backup files in a secure remote location.
Minimum threat defense: Any
Details: When you back up a device, the cloud-delivered Firewall Management Center stores the backup files in its secure cloud storage.
See: Backup/Restore
Usability, Performance, and Troubleshooting

Feature: Usability enhancements.
Minimum threat defense: Any
Details: You can now:
- Manage Smart Licensing for threat defense clusters from System (). Previously, you had to use the Device Management page.
  See: Licenses for Clustering
- Download a report of Message Center notifications. In the Message Center, click the new Download Report icon, next to the Show Notifications slider.
  See: Managing System Messages.
- Download a report of all registered devices. On , click the new Download Device List Report link, at the top right of the page.
  See: Download the Managed Device List.
- Easily create custom health monitoring dashboards, and easily edit existing dashboards.
  See: Correlating Device Metrics

Feature: Specify the direction of traffic to be captured with packet capture for the Secure Firewall 4200.
Minimum threat defense: 7.4.0
Management Center REST API

Feature: Cloud-delivered Firewall Management Center REST API.
Minimum threat defense: Feature dependent
Details: For information on changes to the management center REST API, see What's New in the API quick start guide.