Platform

Feature: Threat defense Version 7.4.1 support.
Minimum threat defense: 7.4.1
Details: You can now manage threat defense devices running Version 7.4.1.

Feature: Network modules for the Secure Firewall 3130 and 3140.
Minimum threat defense: 7.4.1

Feature: Optical transceivers for Firepower 9300 network modules.
Minimum threat defense: 7.4.1

Feature: Performance profile support for the Secure Firewall 3100.
Minimum threat defense: 7.4.1
Details: The performance profile settings available in the platform settings policy now apply to the Secure Firewall 3100. Previously, this feature was supported on the Firepower 4100/9300, the Secure Firewall 4200, and on threat defense virtual.
See: Configure the Performance Profile

NAT

Feature: Create network groups while editing NAT rules.
Minimum threat defense: Any

Device Management

Feature: Device management services supported on user-defined VRF interfaces.
Minimum threat defense: Any
Details: Device management services configured in the threat defense platform settings (NetFlow, SSH access, SNMP hosts, syslog servers) are now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces.
Platform restrictions: Not supported with container instances or clustered devices.

SD-WAN

Feature: SD-WAN Summary dashboard
Minimum threat defense: 7.4.1
Details: The WAN Summary dashboard provides a snapshot of your WAN devices and their interfaces. It provides insight into your WAN network and information about device health, interface connectivity, application throughput, and VPN connectivity. You can monitor the WAN links and take proactive and prompt recovery measures. You can also monitor WAN interface application performance using the Application Monitoring tab.
New/modified screens:

Access Control: Identity

Feature: Captive portal support for multiple Active Directory realms (realm sequences).
Minimum threat defense: 7.4.1
Details: Upgrade impact. Update custom authentication forms.
You can configure active authentication for an LDAP realm, a Microsoft Active Directory realm, or a realm sequence. In addition, you can configure a passive authentication rule to fall back to active authentication using either a realm or a realm sequence. You can optionally share sessions between managed devices that share the same identity policy in access control rules.
In addition, you can require users to authenticate again when they access the system using a different managed device than the one they accessed previously.
If you use the HTTP Response Page authentication type, after you upgrade threat defense you must add <select name="realm" id="realm"></select> to your custom authentication form. This allows the user to choose between realms.
Restrictions: Not supported with Microsoft Azure Active Directory.
New/modified screens:

Feature: Share captive portal active authentication sessions across firewalls.
Minimum threat defense: 7.4.1
Details: Determines whether users are required to authenticate again when their authentication session is sent to a different managed device than the one they previously connected to. If your organization requires users to authenticate every time they change locations or sites, disable this option.
- (Default.) Enable to allow users to authenticate with any managed device associated with the active authentication identity rule.
- Disable to require the user to authenticate with a different managed device, even if they have already authenticated with another managed device to which the active authentication rule is deployed.
New/modified screens:

Deployment and Policy Management

Feature: View and generate reports on configuration changes since your last deployment.
Minimum threat defense: Any
Details: You can generate, view, and download (as a zip file) the following reports on configuration changes since your last deployment:
- A policy changes report for each device that previews the additions, changes, or deletions in the policy, or the objects that are to be deployed on the device.
- A consolidated report that categorizes each device based on the status of policy changes report generation.
This is especially useful after you upgrade threat defense devices, so that you can see the changes made by the upgrade before you deploy.
New/modified screens:
See: Download Policy Changes Report for Multiple Devices

Feature: Suggested release notifications.
Minimum threat defense: Any
Details: The management center now notifies you when a new suggested release is available. If you don't want to upgrade right now, you can have the system remind you later, or defer reminders until the next suggested release. The new upgrade page also indicates suggested releases.
See: Cisco Secure Firewall Management Center New Features by Release

Feature: Enable revert from the threat defense upgrade wizard.
Minimum threat defense: Any

Feature: View detailed upgrade status from the threat defense upgrade wizard.
Minimum threat defense: Any
Details: The final page of the threat defense upgrade wizard now allows you to monitor upgrade progress. This is in addition to the existing monitoring capability on the Upgrade tab on the Device Management page, and on the Message Center. Note that as long as you have not started a new upgrade flow, brings you back to this final wizard page, where you can view the detailed status for the current (or most recently completed) device upgrade.
See: Cisco Secure Firewall Threat Defense Upgrade Guide for Cloud-Delivered Firewall Management Center

Feature: Firmware upgrades included in FXOS upgrades.
Minimum threat defense: Any
Details: Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot.
For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware.
Just as with software and operating system upgrades, do not make or deploy configuration changes during a firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during a firmware upgrade.
See: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide

Upgrade

Feature: Improved upgrade starting page and package management.
Minimum threat defense: Any
Details: A new upgrade page makes it easier to choose, download, manage, and apply upgrades to your entire deployment. The page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. You can easily choose and direct-download packages from Cisco, as well as manually upload and delete packages.
Patches are not listed unless you have at least one appliance at the appropriate maintenance release (or you manually uploaded the patch). You must manually upload hotfixes.
New/modified screens:
- System () is now where you upgrade devices, as well as manage upgrade packages.
- System () is now where you update intrusion rules, the VDB, and the GeoDB.
- takes you directly to the threat defense upgrade wizard.
Deprecated screens/options:
- System () is deprecated. All threat defense upgrades now use the wizard.
- The Add Upgrade Package button on the threat defense upgrade wizard has been replaced by a Manage Upgrade Packages link to the new upgrade page.
See: Cisco Secure Firewall Threat Defense Upgrade Guide for Cloud-Delivered Firewall Management Center

Administration

Feature: Updated internet access requirements for direct-downloading software upgrades.
Minimum threat defense: Any
Details: The management center has changed its direct-download location for software upgrade packages from sourcefire.com to amazonaws.com.
See: Internet Access Requirements

Feature: Scheduled tasks download patches and VDB updates only.
Minimum threat defense: Any
Details: The Download Latest Update scheduled task no longer downloads maintenance releases; it now downloads only the latest applicable patches and VDB updates. To direct-download maintenance (and major) releases to the management center, use System ().
See: Software Update Automation

Feature: Smaller VDB for lower memory Snort 2 devices.
Minimum threat defense: Any with Snort 2
Details: For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications but fewer detection patterns. Devices using the smaller VDB can miss some application identification compared with devices using the full VDB.
Lower memory devices: ASA 5508-X and ASA 5516-X

Deprecated Features

Feature: Deprecated: DHCP relay trusted interfaces with FlexConfig.
Minimum threat defense: Any
Details: You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them.
See: Configure the DHCP Relay Agent

Feature: Deprecated: Merging downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources with FlexConfig.
Minimum threat defense: Any
Details: This feature is now supported in the management center web interface.

Feature: Deprecated: frequent drain of events health alerts.
Minimum threat defense: 7.4.1
Details: The Disk Usage health module no longer alerts with frequent drain of events. You may continue to see these alerts until you either deploy health policies to managed devices (stops the display of alerts) or upgrade devices to Version 7.4.1+ (stops the sending of alerts).