We introduced the Secure Firewall 1200, which includes these models:

• Secure Firewall 1210CX, with 8x1000BASE-T ports

• Secure Firewall 1210CP, with 8x1000BASE-T ports. Ports 1/5-1/8 support power over Ethernet (PoE).

• Secure Firewall 1220CX, with 8x1000BASE-T ports and two SFP+ ports.

See: Cisco Secure Firewall CSF-1210CE, CSF-1210CP, and CSF-1220CX Hardware Installation Guide

Device templates allow you to deploy multiple branch devices with pre-provisioned initial device configurations (zero-touch provisioning). You can also apply configuration changes to multiple devices with different interface configurations, and clone configuration parameters from existing devices.

Restrictions: You can use device templates to configure a device as a spoke in a site-to-site VPN topology, but not as a hub. A device can be part of multiple hub-and-spoke site-to-site VPN topologies.

New/modified screens: Devices > Template Management

Supported platforms: Firepower 1000/2100, Secure Firewall 1200/3100. Note that Firepower 2100 support is for threat defense 7.4.1–7.4.x only; those devices cannot run Version 7.6.0.

A device's authentication, authorization, and accounting (AAA) is now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces. The default is to use the management interface.

In device platform settings, you can now associate a security zone or interface group having the VRF interface, with a configured external authentication server.

New/modified screens: Devices > Platform Settings > External Authentication

See: Enable Virtual-Router-Aware Interface for External Authentication of Platform

The Policy Analyzer & Optimizer evaluates access control policies for anomalies such as redundant or shadowed rules, and can take action to fix discovered anomalies.

Multi-instance mode is now supported on the Secure Firewall 4200.

See: Multi-Instance Mode for the Secure Firewall 3100/4200

You can now register an application-mode device to the management center and then convert it to multi-instance mode without having to use the CLI.

New/modified screens:

• Devices > Device Management > > Convert to Multi-Instance

• Devices > Device Management > Select Bulk Action > Convert to Multi-Instance

For the Secure Firewall 3100 and 4200, the maximum nodes were increased from 8 to 16.

See: Clustering for the Secure Firewall 3100/4200

Individual interfaces are normal routed interfaces, each with their own local IP address used for routing. The main cluster IP address for each interface is a fixed address that always belongs to the control node. When the control node changes, the main cluster IP address moves to the new control node, so management of the cluster continues seamlessly. Load balancing must be configured separately on the upstream switch.

Restrictions: Not supported for container instances.

New/modified screens:

• Devices > Device Management > Add Cluster

• Devices > Device Management > Cluster > Interfaces / EIGRP / OSPF / OSPFv3 / BGP

• Objects > Object Management > Address Pools > MAC Address Pool

See: Clustering for the Secure Firewall 3100/4200 and Address Pools

You can now deploy threat defense virtual clusters across multiple availability zones in an AWS region. This enables continuous traffic inspection and dynamic scaling (AWS Auto Scaling) during disaster recovery.

See: Deploy a Threat Defense Virtual Cluster on AWS

You can now deploy threat defense virtual for AWS in two-arm-mode with GWLB. This allows you to directly forward internet-bound traffic after traffic inspection, while also performing network address translation (NAT). Two-arm mode is supported in single and multi-VPC environments.

Restrictions: Not supported with clustering.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

You can now deploy without the diagnostic interface on threat defense virtual for Azure and GCP. Previously, we required one management, one diagnostic, and at least two data interfaces. New interface requirements are:

• Azure: one management, two data (max eight)

• GCP: one management, three data (max eight)

Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

A new wizard allows you to easily configure VPN tunnels between your centralized headquarters and remote branch sites.

New/modified screens: Devices > VPN > Site To Site > Add > SD-WAN Topology

See: Configure an SD-WAN Topology Using the SD-WAN Wizard

You can configure the decryption policy to apply to sessions running on the QUIC protocol. QUIC decryption is disabled by default. You can selectively enable QUIC decryption per decryption policy and write decryption rules to apply to QUIC traffic. By decrypting QUIC connections, the system can then inspect the connections for intrusion, malware, or other issues. You can also apply granular control and filtering of decrypted QUIC connections based on specific criteria in the access control policy.

We modified the decryption policy Advanced Settings to include the option to enable QUIC decryption.

See: Decryption Policy Advanced Options

A new Snort 3 inspector, snort_ml, uses neural network-based machine learning (ML) to detect known and 0-day attacks without needing multiple preset rules. The inspector subscribes to HTTP events and looks for the HTTP URI, which in turn is used by a neural network to detect exploits (currently limited to SQL injections). The new inspector is currently disabled in all default policies except maximum detection.

A new intrusion rule, GID:411 SID:1, generates an event when the snort_ml detects an attack. This rule is also currently disabled in all default policies except maximum detection.

See: Snort 3 Inspector Reference

Upgrade impact. Upgrade enables telemetry.

You can help Talos (Cisco’s threat intelligence team) develop a more comprehensive understanding of the threat landscape by enabling threat hunting telemetry. With this feature, events from special intrusion rules are sent to Talos to help with threat analysis, intelligence gathering, and development of better protection strategies. This setting is enabled by default in new and upgraded deployments.

New/modified screens: System () > Configuration > Intrusion Policy Preferences > Talos Threat Hunting Telemetry

See: Intrusion Policy Preferences

This feature is introduced.

The passive identity agent identity source sends session data from Microsoft Active Directory (AD) to the management center. Passive identity agent software is supported on:

• Microsoft AD server (Windows Server 2008 or later)

• Microsoft AD domain controller (Windows Server 2008 or later)

• Any client connected to the domain you want to monitor (Windows 8 or later)

See: User Control With the Passive Identity Agent.

Cisco Secure Dynamic Attributes Connector now supports AWS security groups, AWS service tags, and Cisco Cyber Vision.

Version restrictions: For on-prem Cisco Secure Dynamic Attributes Connector integrations, requires Version 3.0.

See Amazon Web Services Connector—About User Permissions and Imported Data,

You can now use Microsoft Azure Active Directory (AD) realms for active and passive authentication:

• Active authentication using Azure AD: Use Azure AD as a captive portal.

• Passive authentication using Cisco ISE (introduced in Version 7.4.0): The management center gets groups from Azure AD and logged-in user session data from ISE.

We use SAML (Security Assertion Markup Language) to establish a trust relationship between a service provider (the devices that handle authentication requests) and an identity provider (Azure AD). For upgraded management centers, existing Azure AD realms are displayed as SAML - Azure AD realms.

Upgrade impact. If you had a Microsoft Azure AD realm configured before the upgrade, it is displayed as a SAML - Azure AD realm configured for passive authentication. All previous user session data is preserved.

New/modified screens: Integration > Other Integrations > Realms > Add Realm > SAML - Azure AD

New/modified CLI commands: none

See: Create a Microsoft Azure AD (SAML) Realm.

MITRE and other enrichment information in connection events makes it easy to access contextual information for detected threats. This includes information from Talos and from the encrypted visibility engine (EVE). For EVE enrichment, you must enable EVE.

Connection events have two new fields, available in both the unified and classic event viewers:

• MITRE ATT&CK: Click the progression graph to see an expanded view of threat details, including tactics and techniques.

• Other Enrichment: Click to see any other available enrichment information, including from EVE.

The new Talos Connectivity Status health module monitors management center connectivity with Talos, which is required for this feature. For the specific internet resources required, see Internet Access Requirements.

See Configure EVE.

You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices. Note that in multi-instance mode, you upgrade the operating system and the firmware (chassis upgrade) separately from the container instances (threat defense upgrade).

New/modified screens:

• Inventory > FTD Chassis

• Devices > Device Management > Device > Chassis Manager

• Devices > Platform Settings > New Policy > Chassis Platform Settings

• Devices > Chassis Upgrade

New/modified threat defense CLI commands: configure multi-instance network ipv4 , configure multi-instance network ipv6

New/modified FXOS CLI commands: create device-manager , set deploymode

Platform restrictions: Not supported on the Secure Firewall 3105.

It is now easier to bypass decryption for sensitive and undecryptable traffic, which protects users and improves performance.

New decryption policies now include predefined rules that, if enabled, can automatically bypass decryption for sensitive URL categories (such as finance or medical), undecryptable distinguished names, and undecryptable applications. Distinguished names and applications are undecryptable typically because they use TLS/SSL certificate pinning, which is itself not decryptable.

For outbound decryption, you enable/disable these rules as part of creating the policy. For inbound decryption, the rules are disabled by default. After the policy is created, you can edit, reorder, or delete the rules entirely.

New/modified screens: Policies > Access Control > Decryption > Create Decryption Policy

See: Create a Decryption Policy

See: Create a Decryption Policy

You can use a Microsoft Azure Active Directory (Azure AD) realm with ISE to authenticate users and get user sessions for user control.

New/modified screens:

• Integration > Other Integrations > Realms > Add Realm > Azure AD

• Integration > Other Integrations > Realms > Actions, such as downloading users, copying, editing, and deleting

Supported ISE versions: 3.0 patch 5+, 3.1 (any patch level), 3.2 (any patch level)

See: Create a Microsoft Azure Active Directory Realm

You can now choose a default health policy to apply upon device registration. On the health policy page, the policy name indicates which is the default. If you want to use a different policy for a specific device post-registration, change it there. You cannot delete the default device health policy.

New/modified screens: System () > Health > Policy > More () > Set as Default

See: Set a Default Health Policy

You can now view chassis-level health alerts for Firepower 4100/9300 by registering the chassis to the management center as a read-only device. You must also enable the Firewall Threat Defense Platform Faults health module and apply the health policy. The alerts appear in the Message Center, the health monitor (in the left pane, under Devices, select the chassis), and in the health events view.

You can also add a chassis (and view health alerts for) the Secure Firewall 3100 in multi-instance mode. For those devices, you use the management center to manage the chassis. But for the Firepower 4100/9300 chassis, you still must use the chassis manager or the FXOS CLI.

New/modified screens: Inventory > FTD Chassis

See: Onboard a Chassis

When replacing a failed unit in a high availability pair, you no longer have to manually resume high availability after the restore completes and the device reboots. You should still confirm that high availability has resumed before you deploy.

Version restrictions: Not supported with threat defense Version 7.0–7.0.6, 7.1.x, 7.2.0–7.2.9, 7.3.x, or 7.4.0–7.4.2.

See: Restore Security Cloud Control-Managed Devices

You can now take over another user’s ticket. This is useful if a ticket is blocking other updates to a policy and the user is unavailable.

These features are now included in the approval workflow: decryption policies, DNS policies, file and malware policies, network discovery, certificates and certificate groups, cipher suite lists, Distinguished Name objects, Sinkhole objects.

See: Change Management

New CPU and rule profilers help you troubleshoot Snort 3 performance issues. You can now monitor:

• CPU time taken by Snort 3 modules/inspectors to process packets.

• CPU resources each module is consuming, relative to the total CPU consumed by the Snort 3 process.

• Modules with unsatisfactory performance when Snort 3 is consuming high CPU.

• Intrusion rules with unsatisfactory performance.

New/modified screens: Devices > Troubleshoot > Snort 3 Profiling

Platform restrictions: Not supported for container instances.

See: Advanced Troubleshooting for the Secure Firewall Threat Defense Device

See: Advanced Troubleshooting for the Secure Firewall Threat Defense Device

If you are using an on-prem management center for analytics with Version 7.0.x devices, we recommend you upgrade those devices to at least Version 7.2.x, if possible. This will allow you to get events from those older devices while also adding devices running the latest release.