Features and Functionality

For information on the new and changed features and functionality in this release, see:

New Features and Functionality

This section describes the new and updated features and functionality in Version 6.2.2.

Firepower Device Manager on Firepower Threat Defense Virtual for VMware

Supported Platforms: Firepower Threat Defense Virtual for VMware, managed by Firepower Device Manager

Introduced In: Version 6.2.2

You can now use Firepower Device Manager to manage Firepower Threat Defense Virtual hosted on VMware. Because this is a newly supported implementation for Version 6.2.2, you deploy a new virtual device. You cannot update an earlier version of Firepower Threat Defense Virtual and then manage it with Firepower Device Manager.

Cisco Threat Intelligence Director

Supported Platforms: Hosted on any Firepower Management Center with at least 15GB of memory, using Version 6.2.2 devices as elements

Introduced In: Version 6.2.2

The Cisco Threat Intelligence Director (TID) operationalizes custom threat intelligence data, helping you aggregate additional intelligence data, configure defensive actions, and analyze threats in your environment.

By ingesting threat intelligence from third-party threat feeds and threat intelligence platforms, TID correlates enriched observations from Cisco security sensors to detect and alert on security incidents. With fewer false positives, you can focus on actual incidents that have been automatically blocked or monitored.

Unlike security devices that rely solely on proprietary threat intelligence, TID can use third-party threat feeds to provide more effective security. By converting intelligence into actionable indicators of compromise, your network defenses can block or monitor more threats, reduce the number of alerts to review, and improve your overall security posture. By operationalizing the ingestion and distribution of additional threat intelligence sources, you reduce management complexity and the need to review and track down false alerts.

Remote Access VPN

Supported Platforms: Firepower Threat Defense, any manager

Introduced In: Version 6.2.2

Firepower Remote Access (RA) VPN allows users to connect to a private business network from a remote location using a computer or an Android or Apple iOS mobile device. Remote users can transfer data securely and confidentially using encryption techniques crucial for data being transferred over shared mediums and the internet. Key capabilities of RA VPN include the following:

  • Management—A simple RA VPN wizard provides quick and easy setup of the following:

    • RA VPN policy configurations, including connection profiles, group policies, address pools, and so on.

    • Secure gateways and interfaces where remote users connect.

    • The AnyConnect client image that users download when they initiate a VPN session using a computer. Note that mobile devices obtain AnyConnect from their App Store(s).

  • Secured access—Provided by the Cisco AnyConnect VPN client using either SSL or IPsec tunneling and encryption protocols. This presently is the only client supported for remote access connectivity.

  • Authenticated and Authorized Access—AAA support for Authentication (LDAP/AD/RADIUS and Client Certificate-based), Authorization (RADIUS Authorization Attributes-DACL, Group Policy, Address Assignment, and so on) and Accounting (RADIUS).

  • VPN connectivity—Connection profiles and group policies allow you to define address assignments, split tunneling, the DNS server, timeouts, access hours, client firewall ACLs, and AnyConnect client profiles.

  • Monitoring with identity integration—Multiple views, including dashboard widgets, help you track and analyze VPN user activity over time. You can view logon and logout events, see active session status, and can monitor and terminate specific VPN sessions (including forcing a bulk logout).

  • Troubleshooting—Troubleshooting logs are useful when you have issues creating or deploying an RA VPN policy, if RA VPN connections or traffic are not as expected, or if events and statistics are not populating properly.

  • Availability—Firepower Threat Defense high availability, multiple interfaces (dual ISP), and multiple AAA servers are supported.

  • Licensing—Smart Licensing, based on the AnyConnect 4.x model, for Apex, Plus, and VPN-only licenses.

Rate Limiting Enhancements

Supported Platforms: Firepower Threat Defense managed by a Firepower Management Center

Introduced In: Version 6.2.2

Quality of Service (QoS) rate limits traffic based on characteristics including network-based criteria (port, network, zone/interface group), applications, URLs, and users, including Cisco Identity Services Engine (ISE) attributes. A QoS policy applied from the Firepower Management Center enforces rate limiting per interface on Firepower Threat Defense devices.

Intelligent Application Bypass "All Applications" Option

Supported Platforms: Any device managed by a Firepower Management Center, and ASA FirePOWER modules managed by ASDM

Introduced In: Version 6.0.1.4, Version 6.1.0.3, Version 6.2.0.1, and Version 6.2.2

If you are updating from Version 6.2.0, this release adds the All applications including unidentified applications option to the Intelligent Application Bypass settings in the access control policy advanced settings.

If you are updating from a Version 6.2.0.x patch, this option already exists.

When selected, if one of the IAB inspection performance thresholds is met, the system trusts any application that exceeds any flow bypass threshold, regardless of the application type. See the Firepower Management Center Configuration Guide or the Cisco ASA with FirePOWER Services Local Management Configuration Guide for more information.

Packet Capture at Time of Crash

Supported Platforms: Firepower Threat Defense, any manager

Introduced In: Version 6.2.2

Previously, the contents of any active capture on Firepower were not saved when the appliance experienced issues. You can now store active capture contents to flash/disk at the time of an appliance crash to facilitate troubleshooting.

Often, when you troubleshoot a crash that involves traffic, Cisco TAC requires you to specify exactly what traffic causes the crash. Cisco TAC can get this info from a core dump, but the information may be limited by the following factors:

  • The packet might have been corrupted so no useful information is present in the core dump.

  • The crash is caused by a combination of conditions created by a series of packets, but the core dump offers information from only the last packet.

The system now saves captured packets that go in and out of the Firepower appliance until the crash (if the circular option is specified for capture).

Access Control Rule Creation with REST API

Supported Platforms: Firepower Management Center

Introduced In: Version 6.2.2

Using the REST API, the system now supports bulk access control rule creation. Previously, if you had thousands of rules to create, each rule required a post process that could take anywhere from 5-10 seconds to complete. Now, you can submit all of these rules through a single post process, greatly reducing the amount of time it takes to perform this action.

Automatic Application Bypass for Firepower Threat Defense

Supported Platforms: Any device managed by a Firepower Management Center

Introduced In: Version 6.2.2

Automatic Application Bypass (AAB) is now available on Firepower Threat Defense devices managed by a Firepower Management Center. Previously, it was only available on non-Firepower Threat Defense devices.

AAB allows you to limit the time Firepower spends on processing a single packet by bypassing inspection if a time limit is exceeded. If you enable AAB, you can adjust the bypass threshold from 250 milliseconds to 60,000 milliseconds (one minute). By default, the system uses 3,000 milliseconds (3 seconds).

AAB is most valuable in IPS inline deployments so you can balance packet processing delays with your network’s tolerance for packet latency. When a malfunction within Snort or a device misconfiguration causes traffic processing time to exceed a specified threshold, AAB causes a partial restart of the Snort process and generates troubleshooting data that can help you determine the cause of the excessive processing time. See the Firepower Management Center Configuration Guide for more information.

Policy Deployment Improvements

Supported Platforms: Any device managed by a Firepower Management Center; ASA with FirePOWER Services managed by ASDM

Introduced In: Version 6.2.2

Deployment improvements significantly reduce the number of dropped or uninspected connections by eliminating Snort restarts when you deploy the following configurations:

  • SMTP, POP, and IMAP preprocessor decoding depths

  • Various adaptive profile, performance monitor, and advanced access control policy file and malware settings

  • Access control rules or SSL rules with category/reputation conditions

  • Nonbinary intrusion rule updates

  • A change in the total number of intrusion or network analysis policies

  • A Detect Files or Block Files action in a file policy rule

The system also warns you of Snort restarts when you do the following:

  • Add a Firepower Threat Defense high availability pair

  • Take various actions involving application detectors and user-defined applications

TCP Sequence Randomization Control

Supported Platforms: Firepower Threat Defense, any manager

Introduced In: Version 6.2.2

Each TCP packet carries two sequence numbers. By default, Firepower Threat Defense randomizes the sequence numbers in both the inbound and outbound directions. This feature provides the ability to disable (and if necessary, enable) this randomization with CLI using the configure tcp-randomization command.

You can determine if TCP sequence number randomization is disabled by entering the show running-config policy-map command and looking for the set connection random-sequence-number disable command. If the feature is enabled, there will be no associated command in the running configuration.


Note

Although you can disable TCP sequence number randomization when using Firepower Device Manager, each time you deploy the configuration from Firepower Device Manager, the feature is reenabled. If you want to keep TCP sequence number randomization disabled, you must reenter the command after each deployment.


Security Enhancements for Updates: Signed Updates

Supported Platforms: Any

Introduced In: Version 6.2.2

For the system to verify that you are using the correct update file, updates to the system from Version 6.2.2+ are signed. Signed update files terminate in .sh.REL.tar instead of .sh.

If you are updating to Version 6.2.2 from Version 6.2.0 or a later 6.2.0.x patch, those update files are not signed. However, subsequent updates to the system will be.


Note

After you upload a signed update file to the Firepower Management Center, the Updates tab on the System > Updates page can take several minutes to load as the system verifies the update file or files. Remove signed update files after you no longer need them to speed up the display.

Note

The U.S. Government changed the name of the Unified Capabilities Approved Products List (UCAPL) to the Department of Defense Information Network Approved Products List (DODIN APL). References to UCAPL in this documentation and the Firepower Management Center UI can be interpreted as references to DODIN APL.


Security Certifications Compliance for Additional Platforms

Supported Platforms: Firepower Management Centers, and all devices managed by Firepower Management Centers.

Introduced In: Version 6.2.2

Firepower Threat Defense devices managed by a Firepower Management Center now support security certifications compliance in Common Criteria (CC) mode or Unified Capabilities Approved Products List (UCAPL) mode using platform settings (Devices > Platform Settings).

Previously, these modes were available only on Firepower Management Centers and non-Firepower Threat Defense devices.

Security Certifications Compliance Enhancements: Boot-Time FSIC

Supported Platforms: Firepower Management Centers, and all devices managed by Firepower Management Centers.

Introduced In: Version 6.2.2

When you boot any appliance that has security certifications compliance enabled, the system performs additional file system integrity checks (FSIC) to ensure the system is secure. If a check fails, the appliance does not boot, SSH access is disabled, and the only access is through the console. If this happens, contact Cisco TAC.

Security Enhancements and Other Updates to FlexConfig Templates

Supported Platforms: Firepower Threat Defense managed by a Firepower Management Center

Introduced In: Version 6.2.2

FlexConfig uses CLI template-based functionality on the Firepower Management Center to enable ASA functions that are not yet supported through the Firepower Management Center user interface.

Government certification requires that sensitive information (such as passwords and shared keys in system-provided or user-defined FlexConfig objects) be masked using secret key variables. When you update the Firepower Management Center from Version 6.2.0 to Version 6.2.2, all sensitive information in FlexConfig objects is converted to secret key variable format.

Security Enhancements for Site-to-Site VPN

Supported Platforms: Firepower Threat Defense managed by a Firepower Management Center

Introduced In: Version 6.2.2

The following features were added for IKEv2:

  • Transport Mode—To address Government Certificate requirement FCS_IPSEC_EXT.1.3 Refinement, we added support for transport mode (also known as host-to-host VPN).

  • Hex Support for IKEv2 Preshared Manual Key—To address Government Certificate requirement FIA_PSK_EXT.1.4, we have added support for hex-based preshared key.

  • Certificate Map Support—To address Government Certificate requirement FIA_X509_EXT.4.1, we implemented a certificate map used to determine the tunnel to use from the contents of the certificate.

  • SA Strength Enforcement—To address Government Certificate requirement FCS_IPSEC_EXT.1.12, we added an option in the Firepower Management Center to ensure that the encryption algorithm used by the child IPsec SA is not higher than the parent IKE.

Security Enhancements in Device Platform Settings

Supported Platforms: Firepower Threat Defense managed by a Firepower Management Center

Introduced In: Version 6.2.2

The following requirements are now supported:

  • You can configure console idle timeout for managed Firepower Threat Defense devices.

  • You can configure secure syslog and upload Certificate for Firepower Threat Defense syslog-NGTLS.

Security Enhancement to Disable Expert Mode

Supported Platforms: Firepower Threat Defense, any manager

Introduced In: Version 6.2.2

To increase security, you can disable expert mode on Firepower Threat Defense devices. Note that you cannot reverse this command. If you need to restore access to expert mode, you must contact Cisco TAC.

Features and Functionality Introduced in Version 6.2.1

Cisco Firepower Version 6.2.1 has been replaced by Cisco Firepower Version 6.2.2, which offers the same functionality and supports the full set of Firepower platforms. For posterity, this section describes the new and updated features and functionality included in Version 6.2.1:

Table 1. New Features in Version 6.2.1: Core Firewall (each entry lists the feature, its description, and the supported platforms)

Remote Access VPN

Firepower Remote Access (RA) VPN allows individual users to connect to a private business network from a remote location using a laptop or desktop computer connected to the internet, or an Android or Apple iOS mobile device. Remote users transfer data securely and confidentially using encryption techniques crucial for data being transferred over shared mediums and the Internet. Key capabilities of RA VPN include:

  • Secured Access – provided by the Cisco AnyConnect VPN client using either SSL or IPsec tunneling and encryption protocols. This is the only client supported for remote access connectivity.

  • Authenticated & Authorized Access – AAA support for Authentication (LDAP/AD/RADIUS and Client Certificate-based), Authorization (RADIUS Authorization Attributes-DACL, Group Policy, Address Assignment, etc.) and Accounting (RADIUS).

  • VPN Connectivity – Connection Profiles and Group Policies allow you to define address assignments, split tunneling, the DNS server, timeouts, access hours, client firewall ACLs, and AnyConnect client profiles.

  • Monitoring & Troubleshooting – provides multiple analysis views so that VPN user activity can be tracked and analyzed over time. In addition, you can view the Remote Access VPN Troubleshooting Logs. Troubleshooting can be used when having issues creating or deploying a RA VPN policy, if RA VPN connections or traffic is not as expected, or if events and statistics are not populating properly. This feature also provides the capability to bulk logout the currently logged in VPN users. These functions can be used in either the Firepower Management Center or the Firepower Device Manager.

  • Availability – Firepower Threat Defense high availability, multiple interfaces (dual ISP), and multiple AAA servers are supported.

  • Licensing – Smart Licensing, based on the AnyConnect 4.x model, for Apex, Plus and VPN-only licenses.

  • Management – A simple RA VPN wizard on both the Firepower Management Center and the Firepower Device Manager which provides quick and easy set-up of:

    • RA VPN Policy configuration entities, including Connection Profiles, Group Policies, Address Pools, etc.

    • Secure gateways on Firepower Threat Defense devices to which the remote user connects.

    • Interfaces on the managed Firepower Threat Defense that users will access to establish VPN connections.

    • The AnyConnect client image downloaded when a connection is initiated by a desktop or laptop platform. Mobile devices obtain AnyConnect from their App store.

  • Identity Integration and Monitoring – Seven new dashboard widgets allow you to monitor user VPN activity. This includes logon and logoff events, active session status, and the ability to monitor and terminate specific VPN sessions.

Supported Platforms: Firepower Management Center

QoS/Rate Limiting Enhancements

Rate limiting is a mechanism to manage the rate of traffic flowing in and out of network interfaces based on traffic attributes, such as application, file downloading, etc. It can achieve great results when enhanced with the capability to provide bandwidth control based on the traffic attributes, such as source zones, destination zones, source networks, destination networks, source ports, destination ports, applications, users, URLs, and ISE attributes. Network administrators are able to achieve rate limiting per network interface by configuring a QoS (Quality of Service) Policy on their Firepower Device Manager and deploying the policy to Firepower Threat Defense devices. Administrators can do the following in Version 6.2.1:

  • Rate limit traffic up to 100,000 Mbps (previously 1,000 Mbps).

  • Use custom Security Group Tags (SGTs) in QoS rules.

  • Use original client network conditions (XFF, True-Client-IP, or custom-defined HTTP headers) in QoS rules.

Supported Platforms: Firepower Management Center

Packet Capture at Time of Crash

Previously, the contents of any active capture on Firepower were not saved when the appliance experienced issues. You can now store active capture contents to flash/disk at the time of an appliance crash to facilitate troubleshooting.

Often, when you troubleshoot a crash that involves traffic, Cisco TAC requires you to specify exactly what traffic causes the crash. Cisco TAC can get this info from a core dump, but the information may be limited by the following factors:

  • The packet might have been corrupted so no useful info is present in the core dump.

  • The crash is caused by a combination of conditions created by a series of packets, but the core dump offers information from only the last packet.

Version 6.2.1 now saves captured packets that go in and out of the Firepower appliance up until the point of the crash (if the circular option is specified for capture).

Supported Platforms: Firepower Management Center, Firepower Device Manager

Access Rule Bulk Insert

Using the REST API, Version 6.2.1 now supports bulk access control rule creation. Previously, if you had a thousand access rules to create, each access rule required a post process that could take anywhere from 5-10 seconds to complete. Now, using this API enhancement, you can submit all of these rules through a single post process, greatly reducing the amount of time it takes to perform this action.

Supported Platforms: Firepower Management Center

Firepower Management Center API Enhancement

The Firepower Management Center API now supports bulk access control rule creation. Previously, if you had a thousand access rules to create, each access rule required a post process that could take anywhere from 5-10 seconds to complete. Now, using this API enhancement you can submit all of these rules through a single post process and greatly reduce the amount of time it takes to perform this action.

Supported Platforms: Firepower Management Center
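The bulk rule submission described in this entry and in the Version 6.2.2 entry Access Control Rule Creation with REST API, shown as an added Python example that is not Cisco's code: it validates rules locally, splits them into chunked bulk POST bodies, and counts how many requests that saves against one POST per rule. The endpoint path, the bulk=true query parameter, the chunk size and the AccessRule field names are assumptions modelled on the FMC REST API documentation; the rules are constructed sample data.

```python
"""Batch access control rules into bulk POST requests for the FMC REST API.

Added example, not Cisco's code. The endpoint path, the bulk=true query
parameter, the per-request chunk size and the AccessRule field names are
assumptions modelled on the FMC REST API documentation; check them in your
FMC's API Explorer before use. The rules below are constructed sample data.
"""
import ipaddress
import json
import math
from collections import Counter
from typing import Callable, List, Tuple

# Assumption: the bulk endpoint accepts at most this many rules per request.
BULK_CHUNK_SIZE = 1000
VALID_ACTIONS = {"ALLOW", "TRUST", "BLOCK", "BLOCK_RESET", "MONITOR"}


def build_rule(name: str, action: str, src_cidr: str, dst_cidr: str) -> dict:
    """Return one AccessRule body (field names assumed from FMC API docs)."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    # Validate network literals locally so a typo is caught before the POST,
    # instead of failing a whole 1000-rule batch on the FMC side.
    for cidr in (src_cidr, dst_cidr):
        ipaddress.ip_network(cidr, strict=False)
    blocking = action.startswith("BLOCK")
    return {
        "type": "AccessRule",
        "name": name,
        "action": action,
        "enabled": True,
        "sendEventsToFMC": True,
        # Blocked connections can only be logged at start, allowed ones at end.
        "logBegin": blocking,
        "logEnd": not blocking,
        "sourceNetworks": {"literals": [{"type": "Network", "value": src_cidr}]},
        "destinationNetworks": {"literals": [{"type": "Network", "value": dst_cidr}]},
    }


def bulk_requests(domain_uuid: str, policy_uuid: str, rules: List[dict],
                  chunk_size: int = BULK_CHUNK_SIZE) -> List[Tuple[str, List[dict]]]:
    """Split rules into (url, body) bulk POSTs; reject duplicate rule names."""
    dupes = sorted(n for n, c in Counter(r["name"] for r in rules).items() if c > 1)
    if dupes:
        raise ValueError(f"duplicate rule names: {dupes}")
    url = (f"/api/fmc_config/v1/domain/{domain_uuid}/policy/accesspolicies/"
           f"{policy_uuid}/accessrules?bulk=true")
    return [(url, rules[i:i + chunk_size]) for i in range(0, len(rules), chunk_size)]


def request_count(num_rules: int, chunk_size: int = BULK_CHUNK_SIZE) -> Tuple[int, int]:
    """Requests needed: one per rule without bulk vs. one per chunk with bulk."""
    return num_rules, math.ceil(num_rules / chunk_size)


def submit(batches, post: Callable[[str, str], int]) -> List[int]:
    """Send each batch with post(url, json_body) -> HTTP status; return statuses."""
    return [post(url, json.dumps(body)) for url, body in batches]


if __name__ == "__main__":
    # Constructed sample: 2,500 block rules from guest subnets to a management net.
    sample = [build_rule(f"deny-guest-{i}-to-mgmt", "BLOCK",
                         f"10.{i // 256}.{i % 256}.0/24", "192.0.2.0/24")
              for i in range(2500)]
    batches = bulk_requests("DOMAIN-UUID-PLACEHOLDER", "POLICY-UUID-PLACEHOLDER", sample)
    single, bulk = request_count(len(sample))
    print(f"{single} single POSTs vs {bulk} bulk POSTs")
    # Offline stand-in for an authenticated HTTP session. A real one would send
    # the X-auth-access-token header obtained from /api/fmc_platform/v1/auth/generatetoken.
    fake_post = lambda url, body: 201 if len(json.loads(body)) <= BULK_CHUNK_SIZE else 400
    print(submit(batches, fake_post))
```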

Automatic Application Bypass

Automatic Application Bypass (AAB) provides the ability to limit the amount of time spent processing a single packet through an interface. It enables those packets to bypass detection if the time is exceeded. The feature functions with any deployment; however, it is most valuable in IPS inline deployments to balance packet processing delays with network’s tolerance for packet latency. When a malfunction within Snort or a device misconfiguration causes traffic processing time to exceed a specified threshold, AAB causes Snort to restart and generates troubleshooting data that can be analyzed to determine the cause of the excessive processing time. A user can change the bypass threshold if the option is selected. The default setting is 3,000 milliseconds. The valid range is from 250 milliseconds to 60,000 milliseconds.

Supported Platforms: Firepower Management Center

FlexConfig Updates

FlexConfig uses CLI template-based functionality on the Firepower Management Center to enable ASA functions that are not yet supported through the Firepower Management Center user interface.

As per the Government Certification requirements, all sensitive information, such as passwords and shared keys in system-provided or user-defined FlexConfig objects, should be masked using secret key variables. After you update the Firepower Management Center to Version 6.2.1, all sensitive information in FlexConfig objects is converted to secret key variable format.

In addition, the following new FlexConfig templates are added as part of Version 6.2.1:

  • TCP Embryonic connection limit and timeout configuration template allows you to configure embryonic connection limit/timeout CLIs to protect against SYN flood DoS attacks.

  • Turn on threat detection configure and clear templates allow you to configure threat detection statistics for attacks intercepted by TCP Intercept.

  • IPv6 routing header inspection template allows you to configure IPv6 header inspection to selectively allow or block headers of certain types (for example, allowing RH Type 2, mobile).

  • DHCPv6 prefix delegation template allows you to configure one outside (PD client) and one inside interface (recipient of delegated prefix) for IPv6 prefix delegation.

Supported Platforms: Firepower Management Center

Policy Deployment Improvements

Elimination of Snort restarts during configuration deployment of:

  • SMTP, POP, and IMAP preprocessor decoding depths

  • HTTP preprocessor compression depths

  • Affected adaptive profile, performance monitor, and advanced access control policy file and malware settings

Warnings of Snort restarts when:

  • Turning on or breaking Firepower Threat Defense high availability

  • Activating, deactivating, or modifying application detectors

Supported Platforms: Firepower Management Center

CLI Command to Control TCP Sequence Randomization

Each TCP packet carries two sequence numbers. By default, FTD devices randomize the sequence numbers in both the inbound and outbound directions. This feature provides the ability to enable and disable this randomization via the command line.

If necessary, to confirm that TCP randomization is disabled, capture TCP packets on the inside and outside interfaces. When randomization is disabled, the same packet carries the same sequence numbers on the inside and outside interfaces.

Supported Platforms: Firepower Management Center, Firepower Device Manager

Table 2. New Features in Version 6.2.1: Government Certification Support (each entry lists the feature, its description, and the supported platform)

Government Certificate Support for Site-to-Site VPN

The following features were added to site-to-site VPN; they were not supported in Version 6.2.0:

  • Transport Mode – In order to address Government Certificate requirement FCS_IPSEC_EXT.1.3 Refinement, we added support for transport mode (also known as host-to-host VPN).

  • Hex Support for IKEv2 Pre-shared Manual Key – In order to address Government Certificate requirement FIA_PSK_EXT.1.4, we have added support for hex-based pre-shared key.

  • Certificate Map Support – In order to address Government Certificate requirement FIA_X509_EXT.4.1, we implemented a certificate map used to determine the tunnel to use from the contents of the certificate.

  • SA Strength Enforcement - In order to address Government Certificate requirement FCS_IPSEC_EXT.1.12, we added an option in the Firepower Management Center to ensure that the encryption algorithm used by the child IPsec SA is not higher than the parent IKE.

Note

The features supported are for IKEv2 only.

Supported Platforms: Firepower Management Center, Firepower Device Manager

Platform Setting Enhancements (Compliance Mode Support)

The following requirements are supported in the Version 6.2.1 release of Firepower Management Center:

  • You can configure console idle timeout for managed Firepower Threat Defense devices.

  • You can configure secure syslog and upload a certificate for Firepower Threat Defense syslog-NGTLS.

Supported Platforms: Firepower Management Center

Ability to Disable Expert Mode for Firepower Threat Defense

In order to increase security, this feature allows you to disable expert mode on Firepower Threat Defense environments.

Supported Platforms: Firepower Management Center, Firepower Device Manager

USGv6 FlexConfig: Firepower Management Center Routing Headers

FlexConfig uses CLI template-based functionality on the Firepower Management Center to enable ASA functions that are not yet supported through the Firepower Management Center user interface.

The USGv6 NPD:FW certification requires that the USGv6 GCT TME selectively allow or block IPv6 headers of different types (for example, EH, Routing, etc.). On an ASA FirePOWER module, the user was able to use policy maps to allow this, but you could not configure this on Firepower Management Centers.

Now, you are able to develop policy objects and policy groups to configure policies to block, permit, or log certain IPv6 headers. The header types that can now be blocked, permitted, or logged are:

  • Authentication extension header

  • Destination-option extension header

  • ESP extension header

  • Fragment extension header

  • Hop-by-hop extension header

  • Routing header type 2-225

Supported Platforms: Firepower Management Center

The following functionality changed in Version 6.2.1:

  • Updating from Version 6.2.0.1 or a subsequent 6.2.0.x patch to Version 6.2.1 removes the Intelligent Application Bypass (IAB) All applications including unidentified applications option from the user interface.

    If this option is enabled when you update to Version 6.2.1, and your access control policy does not contain bypassable application and filter configurations, the user interface has the following unexpected behaviors:

    • IAB is enabled, but the All applications including unidentified applications option is no longer present.

    • The IAB configuration page displays 1 Applications/Filters, incorrectly indicating that you have configured one application or filter.

    • The Selected Applications and Filters window in the applications and filters editor displays either deleted (Firepower Management Center, ASA with FirePOWER Services) or Any Application (ASA FirePOWER module managed by ASDM).

Changed Behavior and Functionality

The system exhibits the following behavior changes in Version 6.2.2:

URL Filtering on Lower-Memory Devices

Supported Platforms: Lower-memory devices (7000 Family and the following ASA models: ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, and ASA 5525-X)

Introduced In: Version 6.1.0.3 and Version 6.2.0.1

If you are updating from Version 6.2.0, you may notice that the system now performs cloud lookups to determine category and reputation for websites not in the local database on lower-memory devices.

If you are updating from Version 6.2.0.1 or a later 6.2.0.x patch the system already exhibits this behavior.

This change was implemented because, due to memory limitations, some device models perform most URL filtering with a smaller, less granular set of categories and reputations. For example, even if a parent URL's subsites have different URL categories and reputations, some devices may store only the parent URL's data.

Deprecated Functionality

The following feature is deprecated functionality in Version 6.2.2:

  • The configure snort preserve-connections {enable | disable} CLI command is not available on managed devices running Firepower Threat Defense in Version 6.2.2.