August 23, 2024
| Feature | Minimum Threat Defense | Details |
|---|---|---|
| Platform | | |
| Threat defense Version 7.6.0 support. | 7.6.0 | You can now manage threat defense devices running Version 7.6.0. |
| High Availability/Scalability | | |
| Multi-instance mode for the Secure Firewall 3100. | 7.4.1 | You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices. Note that in multi-instance mode, you upgrade the operating system and the firmware (chassis upgrade) separately from the container instances (threat defense upgrade). New/modified screens: New/modified threat defense CLI commands: `configure multi-instance network ipv4`, `configure multi-instance network ipv6`. New/modified FXOS CLI commands: `create device-manager`, `set deploymode`. Platform restrictions: Not supported on the Secure Firewall 3105. See: Use Multi-Instance Mode for the Secure Firewall and Cisco Secure Firewall Threat Defense Upgrade Guide for Cloud-Delivered Firewall Management Center. |
| Access Control: Threat Detection and Application Identification | | |
| Easily bypass decryption for sensitive and undecryptable traffic. | Any | It is now easier to bypass decryption for sensitive and undecryptable traffic, which protects users and improves performance. New decryption policies now include predefined rules that, if enabled, can automatically bypass decryption for sensitive URL categories (such as finance or medical), undecryptable distinguished names, and undecryptable applications. Distinguished names and applications are typically undecryptable because they use TLS/SSL certificate pinning, which itself cannot be decrypted. For outbound decryption, you enable or disable these rules as part of creating the policy. For inbound decryption, the rules are disabled by default. After the policy is created, you can edit, reorder, or delete the rules entirely. New/modified screens: |
| Access Control: Identity | | |
| Microsoft Azure AD as a user identity source. | 7.4.2 | You can use a Microsoft Azure Active Directory (Azure AD) realm with ISE to authenticate users and get user sessions for user control. New/modified screens: Supported ISE versions: 3.0 patch 5+, 3.1 (any patch level), 3.2 (any patch level). |
| Health Monitoring | | |
| Collect health data without alerting. | Any | You can now disable health alerts and health alert sub-types for the ASP Drop, CPU, and Memory health modules while continuing to collect health data. This lets you minimize health alert noise and focus on the most critical issues. New/modified screens: In any health policy (under System), there are now checkboxes that enable and disable the ASP Drop (threat defense only), CPU, and Memory health alert sub-types. See: Health Policies. |
| Chassis-level health alerts for the Firepower 4100/9300. | 7.4.1 | You can now view chassis-level health alerts for the Firepower 4100/9300 by registering the chassis to the management center as a read-only device. You must also enable the Firewall Threat Defense Platform Faults health module and apply the health policy. The alerts appear in the Message Center, in the health monitor (in the left pane, under Devices, select the chassis), and in the health events view. You can also add (and view health alerts for) a Secure Firewall 3100 chassis in multi-instance mode. For those devices, you use the management center to manage the chassis. For the Firepower 4100/9300 chassis, however, you must still use the chassis manager or the FXOS CLI. New/modified screens: See: Onboard a Chassis. |
| Threat Defense Upgrade | | |
| Administration | | |
| Threat defense high availability automatically resumes after restoring from backup. | Any | When replacing a failed unit in a high availability pair, you no longer have to manually resume high availability after the restore completes and the device reboots. You should still confirm that high availability has resumed before you deploy. |
| Change management ticket takeover; more features in the approval workflow. | Any | You can now take over another user's ticket. This is useful if a ticket is blocking other updates to a policy and the user is unavailable. These features are now included in the approval workflow: decryption policies, DNS policies, file and malware policies, network discovery, certificates and certificate groups, cipher suite lists, Distinguished Name objects, and Sinkhole objects. See: Change Management. |
| Troubleshooting | | |
| Troubleshoot Snort 3 performance issues with a CPU and rule profiler. | 7.6.0 with Snort 3 | New CPU and rule profilers help you troubleshoot Snort 3 performance issues. You can now monitor: New/modified screens: Platform restrictions: Not supported for container instances. See: Advanced Troubleshooting for the Secure Firewall Threat Defense Device. |
| Deprecated Features | | |
| End of support: analytics-only capabilities with the full range of threat defense devices. | Any | If you are using an on-prem management center for analytics with Version 7.0.x devices, we recommend you upgrade those devices to at least Version 7.2.x, if possible. This allows you to keep getting events from those older devices while also adding devices running the latest release. The cloud-delivered Firewall Management Center supports a wider range of managed device versions than on-prem management centers. This can cause issues if you use an on-prem management center for analytics, because devices can be "too old" or "too new" to co-manage. You can be prevented from: For example, consider a scenario where you want to add co-managed Version 7.6.0 devices to a deployment that currently includes co-managed Version 7.0.x devices. The cloud-delivered Firewall Management Center can manage this full range of devices, but the on-prem analytics management center cannot. In order of preference, you can: That is, your choices are: |