Device management services supported on
user-defined VRF interfaces.
|
7.6.0
|
7.6.0
|
Device access management is now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces.
See: Platform Settings
|
View diagnostic syslog messages in the Unified Events table.
|
7.6.0
|
Any
|
You can now configure threat
defense devices to send all device syslogs to your management center. Go to the threat
defense platform settings policy assigned to your managed devices and select All Logs under the Logging to Secure Firewall Management Center setting. Once you have enabled the logging settings, you can view the device syslogs as a new event type called Troubleshoot Events in the Unified Events table.
|
Support for Firepower Platform Settings policy is removed.
|
7.6.0
|
7.6.0
|
The provision to manage a Firepower Platform Settings policy is removed.
|
Device management services supported on
user-defined VRF interfaces.
|
7.4.1
|
7.4.1
|
Device management services configured in the threat defense
platform settings (NetFlow, SSH
access, SNMP
hosts, syslog servers) are now
supported on user-defined Virtual Routing and Forwarding (VRF)
interfaces.
Platform restrictions: Not supported with container instances or
clustered devices.
|
Chassis platform settings for the Secure Firewall 3100.
|
7.4.1
|
7.4.1
|
New platform settings for multi-instance chassis on the Secure
Firewall 3100.
New/modified screens:
Supported platforms: Secure Firewall 3100
|
Performance profile support for the Secure Firewall 3100/4200.
|
7.4.0
|
7.4.0
|
The performance profile settings available in the platform settings
policy now apply to Secure Firewall 3100/4200 devices.
|
Loopback interface support for DNS, HTTP, ICMP, NetFlow, SNMP and
SSH.
|
7.4.0
|
7.4.0
|
You can create a loopback interface and use it for:
-
DNS
-
HTTP
-
ICMP
-
NetFlow
-
SNMP
-
SSH
New/modified screens:
-
Devices > Platform Settings > DNS > DNS
Settings
Devices > Platform Settings > HTTP Access >
Add
Devices > Platform Settings > ICMP Access >
Add
-
Devices > Platform Settings > NetFlow > Add
Collector
-
Devices > Platform Settings > SNMP > Hosts >
Add
-
Devices > Platform Settings > SSH Access >
Add
|
Merged Management and Diagnostic interfaces.
|
7.4.0
|
7.4.0
|
For new devices using 7.4 and later, you cannot use the legacy
Diagnostic interface. Only the merged Management interface is
available. If you upgraded to 7.4 or later, and you did not have any
configuration for the Diagnostic interface, then the interfaces will
merge automatically.
If you upgraded to 7.4 or later, and you have configuration for the
Diagnostic interface, then you have the choice to merge the
interfaces manually, or you can continue to use the separate
Diagnostic interface. Note that support for the Diagnostic interface
will be removed in a later release, so you should plan to merge the
interfaces as soon as possible.
Merged mode also changes the behavior of AAA traffic to use the data
routing table by default. The management-only routing table can now
only be used if you specify the management-only interface (including
Management) in the configuration.
For platform settings, this means:
-
You can no longer enable HTTP, ICMP, or SMTP for
Diagnostic.
-
For SNMP, you can allow hosts on Management instead of
Diagnostic.
-
For Syslog servers, you can reach them on Management instead
of Diagnostic.
-
If Platform Settings for syslog servers or SNMP hosts specify
the Diagnostic interface by name, then you must use separate
Platform Settings policies for merged and non-merged
devices.
-
DNS lookups no longer fall back to the management-only
routing table if you do not specify interfaces.
New/modified screens:
New/modified commands: show management-interface
convergence
|
Performance profile for CPU core allocation.
|
7.3.0
|
7.3.0
|
You can adjust the percentage of system cores assigned to the data
plane and Snort to adjust system performance. The adjustment is
based on your relative use of VPN and intrusion policies. If you use
both, leave the core allocation to the default values. If you use
the system primarily for VPN (without applying intrusion policies),
or as an IPS (with no VPN configuration), you can skew the core
allocation to the data plane (for VPN) or Snort (for intrusion
inspection).
We added the Performance Profile page to the
platform settings policy.
|
TLS 1.3 in Remote Access VPN.
|
7.3.0
|
7.3.0
|
You can now use TLS 1.3 to encrypt remote access VPN connections.
Use threat defense platform settings to specify that the device must
use TLS 1.3 protocol when acting as a remote access VPN server.
TLS 1.3 adds support for the following ciphers:
This feature requires Cisco Secure Client, Version 5.0 and above.
New/modified screens: Devices > Platform Settings > New
Policy > Add/Edit Threat Defense Settings > SSL > TLS
Version
|
Multiple DNS server groups for resolving DNS requests.
|
7.2.0
|
7.2.0
|
You can configure multiple DNS groups for the resolution of DNS
requests from client systems. You can use these DNS server groups to
resolve requests for different DNS domains. For example, you could
have a catch-all default group that uses public DNS servers, for use
with connections to the Internet. You could then configure a
separate group to use internal DNS servers for internal traffic, for
example, any connection to a machine in the example.com domain.
Thus, connections to an FQDN using your organization’s domain name
would be resolved using your internal DNS servers, whereas
connections to public servers use external DNS servers.
We changed the page.
|
Network object support for HTTP, ICMP, and SSH platform settings.
|
7.1.0
|
7.1.0
|
You can now use network object groups that contain network objects
for hosts or networks when configuring the IP addresses in the
Threat Defense Platform Settings policy.
Supported platforms: Threat Defense
|
Support to specify trusted DNS servers.
|
7.1.0
|
7.1.0
|
The option to specify DNS servers that you can trust
for address resolution while using direct internet access was
introduced.
We added a tab for configuring the trusted DNS
servers when configuring direct internet access: .
Supported platforms: Threat Defense
|
Platform settings using the MD5 authentication algorithm or DES encryption for SNMPv3 users can not be deployed to threat
defense devices running Versions 7.0+.
|
7.0.0
|
7.0.0
|
The MD5 authentication algorithm and DES encryption for SNMPv3 users on threat
defense were deprecated in Version 6.5. If your deployment includes SNMPv3 users using the MD5 authentication algorithm or DES encryption
that were created using Version 6.4 or earlier, you can continue to use those users for threat
defense devices running Version 6.7 or earlier. However, you cannot edit those users and retain the MD5 or DES settings, and you
cannot create new users with the MD5 or DES settings. If your management center manages any threat
defenses running Versions 7.0+, deploying a platform settings policy with SNMP v3 users using the MD5 authentication algorithm or
DES encryption to those threat
defenses will fail.
New/modified screens:
Supported platforms: Threat Defense
|
Specify SHA224 or SHA384 for SNMPv3 users' authorization
algorithm.
|
7.0.0
|
7.0.0
|
You can now select SHA224 or SHA384 for SNMPv3 users' authorization
algorithm.
New/modified screens:
Supported platforms: Threat Defense
|
Specify time zone for device.
|
6.6.0
|
6.6.0
|
Specify a local time zone for a managed device, for use in time-based
policy application.
New/modified screens:
Supported platforms: Threat Defense
|
Specify the Management interface for SNMP communication.
|
6.6.0
|
6.6.0
|
You can now select the Management interface for communication between
the device and the SNMP management station.
New/modified screens:
Supported platforms: Threat Defense
|
Specify SHA256 for SNMPv3 users' authorization algorithm.
|
6.6.0
|
6.6.0
|
You can now select SHA256 for SNMPv3 users' authorization
algorithm.
New/modified screens:
Supported platforms: Threat Defense
|
DES encryption and the MD5 authentication algorithm for SNMPv3 users
on threat
defense have been deprecated.
|
6.5.0
|
Any
|
We recommend that you not use the MD5 authentication algorithm or DES
encryption for SNMPv3 users on threat
defense devices, as these options have been deprecated. If your
deployment includes SNMPv3 users using the MD5 authentication
algorithm or DES encryption that were created using a Version 6.4 or
earlier, you can continue to use those users. However, you cannot
edit those users and retain the MD5 or DES settings, and you cannot
create new users with the MD5 or DES settings.
New/modified screens:
Supported platforms: Threat Defense
|
Allow user traffic to pass when TCP syslog server is down.
|
6.3.0
|
6.3.0
|
We recommend that you allow connections through the threat defense
device when the external TCP syslog server is
unreachable by the device. The Allow user traffic to pass
when TCP syslog server is down (Recommended to be
enabled) option in the Platform Settings is Enabled by
default.
|
Limit number of SSH login failures.
|
6.3.0
|
6.3.0
|
When a user accesses any device via SSH and fails three successive
login attempts, the device terminates the SSH session.
|
External authentication added for SSH.
|
6.2.3
|
6.2.3
|
You can now configure external authentication for SSH access to the
threat
defense using LDAP or RADIUS.
New/modified screens:
Supported platforms: Threat Defense
|
Support for UC/APPL compliance mode.
|
6.2.1
|
6.2.1
|
You can enable security certifications compliance in CC mode or UCAPL
mode. Enabling security certifications compliance does not guarantee
strict compliance with all requirements of the security mode
selected. For more information on hardening procedures, refer to the
guidelines for this product provided by the certifying entity.
New/modified screens:
Supported platforms: Any device
|
SSL settings for remote access VPN.
|
6.2.1
|
6.2.1
|
The threat
defense device uses the Secure Sockets Layer (SSL) protocol and Transport
Layer Security (TLS) to support secure message transmission for
Remote Access VPN connection from remote clients. You can configure
SSL versions and encryption algorithms that will be negotiated and
used for message transmission during remote VPN access over SSL.
New/modified screens:
Supported platforms: Threat Defense
|
External authentication for SSH and HTML removed.
|
6.1.0
|
6.1.0
|
Due to changes to support converged management access, only local
users are supported for SSH and HTML to data interfaces. Also, you
can no longer SSH to the logical Diagnostic interface; instead you
can SSH to the logical Management interface (which shares the same
physical port). Previously, only external authentication was
supported for SSH and HTML access to Diagnostic and data interfaces,
while only local users were supported to the Management
interface.
New/modified screens:
Supported platforms: Threat Defense
|
Firepower Threat Defense support.
|
6.0.1
|
6.0.1
|
This feature was introduced.
New/modified screens:
Supported platforms: Threat Defense
|