Platform
|
Secure Firewall 1200.
|
7.6.0
|
|
Disable the front panel USB-A port on the
Firepower 1000 and Secure Firewall 3100/4200.
|
7.6.0
|
You can now disable the front panel USB-A port on the
Firepower 1000 and Secure Firewall 3100/4200. By default,
the port is enabled.
New/modified threat defense CLI commands: system
support usb show , system
support usb port disable ,
system support usb port
enable
New/modified FXOS CLI commands for the Secure Firewall
3100 in
multi-instance mode:
show usb-port , disable
USB port , enable
usb-port
See: Cisco Secure Firewall Threat Defense
Command Reference and Cisco Firepower 4100/9300 FXOS Command
Reference
|
Device Management
|
Device templates.
|
7.4.1
|
Device templates allow you to deploy multiple branch devices
with pre-provisioned initial device configurations (zero-touch provisioning). You can also apply configuration changes to multiple
devices with different interface configurations, and clone
configuration parameters from existing devices.
Restrictions: You can use device templates to configure a
device as a spoke in a site-to-site VPN topology, but not as
a hub. A device can be part of multiple hub-and-spoke
site-to-site VPN topologies.
New/modified screens:
Supported platforms: Firepower 1000/2100, Secure Firewall
1200/3100. Note that Firepower 2100 support is for threat
defense 7.4.1–7.4.x only; those devices cannot run Version
7.6.0.
See : Device Management Using
Device Templates and Onboard Threat Defense
Devices using Device Templates to Cloud-delivered
Firewall Management Center using Zero-Touch
Provisioning.
|
AAA for user-defined VRF interfaces.
|
7.6.0
|
A device's authentication, authorization, and accounting
(AAA) is now supported on user-defined Virtual Routing and
Forwarding (VRF) interfaces. The default is to use the
management interface.
In device platform settings, you can now associate a security
zone or interface group having the VRF interface, with a
configured external authentication server.
New/modified screens:
See: Enable
Virtual-Router-Aware Interface for External
Authentication of Platform
|
Policy Analyzer & Optimizer cross-launch for access
control.
|
Any
|
The Policy Analyzer & Optimizer evaluates access control
policies for anomalies such as redundant or shadowed rules,
and can take action to fix discovered
anomalies.
You can now launch the Policy Analyzer & Optimizer
directly from the access control policy page. Choose , select policies, and click
Analyze Policies.
|
High Availability/Scalability
|
Multi-instance mode for the Secure Firewall
4200.
|
7.6.0
|
|
Multi-instance mode conversion in the
management center for the Secure Firewall
3100/4200.
|
7.6.0
|
You can now register an application-mode device to the
management center and then convert it to multi-instance mode
without having to use the CLI.
New/modified screens:
|
16-node clusters for the Secure Firewall
3100/4200.
|
7.6.0
|
|
Individual interface mode for
Secure Firewall 3100/4200 clusters.
|
7.6.0
|
Individual interfaces are normal routed interfaces, each with
their own local IP address used for routing. The main
cluster IP address for each interface is a fixed address
that always belongs to the control node. When the control
node changes, the main cluster IP address moves to the new
control node, so management of the cluster continues
seamlessly. Load balancing must be configured separately on
the upstream switch.
Restrictions: Not supported for container instances.
New/modified screens:
See: Clustering for the Secure
Firewall 3100/4200 and Address Pools
|
Deploy threat defense virtual clusters
across multiple AWS availability zones.
|
7.6.0
|
You can now deploy threat defense virtual clusters across
multiple availability zones in an AWS region. This enables
continuous traffic inspection and dynamic scaling (AWS Auto
Scaling) during disaster recovery.
See: Deploy a Threat Defense
Virtual Cluster on AWS
|
Deploy threat defense virtual for AWS in
two-arm-mode with GWLB.
|
7.6.0 |
You can now deploy threat defense virtual for AWS in
two-arm-mode with GWLB. This allows you to directly forward
internet-bound traffic after traffic inspection, while also
performing network address translation (NAT). Two-arm mode
is supported in single and multi-VPC
environments.
Restrictions: Not supported with clustering.
See: Cisco Secure Firewall
Threat Defense Virtual Getting Started
Guide
|
Interfaces
|
Deploy without the diagnostic
interface on threat defense virtual for Azure and
GCP.
|
7.4.1
|
You can now deploy without the diagnostic interface on threat
defense virtual for Azure and GCP. Previously, we required
one management, one diagnostic, and at least two data
interfaces. New interface requirements are:
-
Azure: one management, two data (max eight)
-
GCP: one management, three data (max eight)
Restrictions: This feature is supported for new deployments
only. It is not supported for upgraded devices.
See: Cisco Secure Firewall
Threat Defense Virtual Getting Started
Guide
|
SD-WAN
|
SD-WAN wizard.
|
Hub: 7.6.0
Spoke: 7.3.0
|
|
Access Control: Threat Detection and Application
Identification
|
QUIC decryption.
|
7.6.0 with Snort 3
|
You can configure the decryption policy to apply to sessions
running on the QUIC protocol. QUIC decryption is disabled by
default. You can selectively enable QUIC decryption per
decryption policy and write decryption rules to apply to
QUIC traffic. By decrypting QUIC connections, the system can
then inspect the connections for intrusion, malware, or
other issues. You can also apply granular control and
filtering of decrypted QUIC connections based on specific
criteria in the access control policy.
We modified the decryption policy Advanced Settings to
include the option to enable QUIC decryption.
See: Decryption Policy
Advanced Options
|
Snort ML: neural network-based exploit
detector.
|
7.6.0 with Snort 3
|
A new Snort 3 inspector, snort_ml, uses neural network-based
machine learning (ML) to detect known and
0-day attacks without needing multiple
preset rules. The inspector subscribes to HTTP events and
looks for the HTTP URI, which in turn is used by a neural
network to detect exploits (currently limited to SQL
injections). The new inspector is currently disabled in all
default policies except maximum detection.
A new intrusion rule, GID:411 SID:1, generates an event when
the snort_ml detects an attack. This rule is also currently
disabled in all default policies except maximum
detection.
See: Snort 3 Inspector
Reference
|
Allow Cisco Talos to conduct advanced threat hunting and intelligence
gathering using your traffic.
|
7.6.0 with Snort 3
|
Upgrade impact. Upgrade enables telemetry.
You can help Talos (Cisco’s threat intelligence team) develop a more
comprehensive understanding of the threat landscape by
enabling threat hunting telemetry. With this feature, events
from special intrusion
rules are sent to Talos to help with threat analysis, intelligence gathering, and
development of better protection strategies. This setting is
enabled by default in new and upgraded deployments.
New/modified screens: System ()
See: Intrusion Policy
Preferences
|
Access Control: Identity
|
Passive identity agent for Microsoft
AD.
|
Any
|
This feature is introduced.
The passive identity agent identity source sends session data
from Microsoft Active Directory (AD) to the management
center. Passive identity agent software is supported on:
-
Microsoft AD server (Windows Server 2008 or
later)
-
Microsoft AD domain controller (Windows Server 2008
or later)
-
Any client connected to the domain you want to
monitor (Windows 8 or later)
See: User Control With the
Passive Identity Agent.
|
pxGrid Cloud Identity Source.
|
|
The Cisco Identity Services Engine (Cisco ISE)
pxGrid Cloud Identity Source enables you to use subscription and user data from Cisco ISE in cloud-delivered Firewall Management Center access control rules.
The pxGrid cloud identity source enables the use of constantly changing dynamic objects from ISE to be used for user control in access control policies in
the cloud-delivered Firewall Management Center.
New/updated screens:
See: User Control with the pxGrid Cloud Identity Source
|
New connectors for Cisco Secure
Dynamic Attributes Connector
|
Any
|
|
Microsoft Azure AD realms for
active or passive authentication.
|
Active: 7.6.0 with Snort 3
Passive: 7.4.1 with Snort 3
|
You can now use Microsoft Azure Active Directory (AD) realms
for active and passive authentication:
-
Active authentication using Azure AD: Use Azure AD as
a captive portal.
-
Passive authentication using Cisco ISE (introduced in
Version 7.4.0): The management center gets groups
from Azure AD and logged-in user session data from
ISE.
We use SAML (Security Assertion Markup Language) to establish
a trust relationship between a service provider (the devices
that handle authentication requests) and an identity
provider (Azure AD). For
upgraded management centers, existing Azure AD realms
are displayed as SAML - Azure AD realms.
Upgrade impact. If you had a Microsoft Azure AD realm
configured before the upgrade, it is displayed as a SAML -
Azure AD realm configured for passive authentication. All
previous user session data is preserved.
New/modified screens:
New/modified CLI commands: none
See: Create a Microsoft Azure
AD (SAML) Realm.
|
Event Logging and Analysis
|
MITRE and other enrichment information in
connection events.
|
7.6.0 with Snort 3
|
MITRE and other enrichment information in connection events
makes it easy to access contextual information for detected
threats. This includes information from Talos and from the encrypted visibility engine (EVE). For EVE
enrichment, you must enable EVE.
Connection events have two new fields, available in both the
unified and classic event viewers:
-
MITRE ATT&CK: Click the
progression graph to see an expanded view of threat
details, including tactics and techniques.
-
Other Enrichment: Click to see
any other available enrichment information,
including from EVE.
The new Talos Connectivity Status health module monitors
management center connectivity with Talos, which is required for this feature. For the
specific internet resources required, see Internet Access
Requirements.
See Configure EVE.
|
Administration
|
New theme for the management
center..
|
Any
|
We introduced new left-hand navigation for the
cloud-deilvered Firewall Management Center for
streamlined usability; and updated the look and feel of
the interface.
|