Announcing the availability of the Firepower 6.3 Release

haaravin · ‎12-07-2018

Cisco announces the availability of Firepower 6.3.0.

In addition to the new features (summarised in the table below), the Firepower 6.3.0 release includes these significant enhancements to user experience:

How-To widget on the Firepower Management Center web interface : This provides walkthroughs to help you navigate through on-boarding tasks on the FMC web interface, after installing a new Firepower Management Center. These walkthroughs guide you to perform the steps required to achieve a task by taking you through each step, one after the other irrespective of the various UI screens that you may have to navigate, to complete the task. The How To widget is enabled by default.
Licensing: Licensing content has been refined and we have introduced a comprehensive start-to-finish “recipe” for licensing FTD devices managed by FMC, including links to additional information here: How to License Firepower Threat Defense Devices Managed by Firepower Management Center
Configuration Example: We added a configuration example that explains how to set up a Firepower Management Center Version 6.2.3 device to manage a Firepower Threat Defense Version 6.2.3 device to provide inspection and security for a sample network that includes an inside network and outside network (that is, the internet).
Best Practices Information: We have added Best practices information to
- eStreamer integration in the Firepower System Event Streamer Integration Guide, Version 6.3.0
- Firepower Management Center Upgrade Guide
- Logging across the Firepower Management Center Config Guide

New Features in FMC/Firepower Version 6.3.0

This table summarizes the new features available in Firepower Version 6.3 when configured using a Firepower Management Center.

Feature	Description
Hardware
ISA 3000 with FirePOWER Services	ISA 3000 with FirePOWER Services is supported in Version 6.3. Although ISA 3000 with FirePOWER Services was also supported in Version 5.4.x, you cannot upgrade to Version 6.3. You must reimage. Supported Platforms: ISA 3000
Licensing
Export-controlled features for approved customers	Customers whose Smart Accounts are not otherwise eligible to use restricted functionality can purchase term-based licenses, with approval. New/Modified Screens: System > Licenses > Smart Licenses Supported Platforms: FMC, FTD
Specific License Reservation for approved customers	Customers can use Specific License Reservation to deploy Smart Licensing in an air-gapped network. The FMC reserves licenses from your virtual account for a specified duration without accessing the Cisco Smart Software Manager or Smart Software Satellite Server. New/Modified Screens: System > Licenses > Specific Licenses Supported Platforms: FMC, FTD
Interface Features
Hardware bypass support on the Firepower 2100 for supported network modules	Firepower 2100 devices now support hardware bypass functionality when using the hardware bypass network modules. New/Modified Screens: Devices > Device Management > Interfaces > Edit Physical Interface Supported Platforms: Firepower 2100
Support for data EtherChannels in On mode	You can now set data and data-sharing EtherChannels to either Active LACP mode or to On mode. Other types of EtherChannels only support Active mode. New/Modified Firepower Chassis Manager Screens: Interfaces > All Interfaces > Edit Port Channel > Mode New/Modified FXOS commands: set port-channel-mode Supported Platforms: Firepower 4100/9300
Access Control
Update interval for URL category and reputation data	You can now force URL data to expire. There is a tradeoff between security and performance. A shorter interval means you use more current data, while a longer interval can make web browsing faster for your users. Upgrading to Version 6.3 does not change system behavior. The setting defaults to disabled (the current behavior), meaning that cached URL data does not expire. New/Modified Screens: System > Integration > Cisco CSI > Cached URLs Expire setting
IAB enabled by default	Intelligent Application Bypass (IAB) is now enabled by default in new access control policies, using predefined settings. Upgrading to Version 6.3 does not change existing access control policies. New/Modified Screens: Policies > Access Control > create new policy > Advanced tab
High Availability and Scalability
Multi-instance capability for Firepower 4100/9300 with FTD	You can now deploy multiple logical devices, each with a Firepower Threat Defense container instance, on a single security engine/module. Formerly, you could only deploy a single native application instance. To provide flexible physical interface use, you can create VLAN subinterfaces in FXOS and also share interfaces between multiple instances. Resource management lets you customize performance capabilities for each instance. You can use high availability using a container instance on 2 separate chassis. Clustering is not supported. Note: Multi-instance capability is similar to ASA multiple context mode, although the implementation is different. Multiple context mode is not available for FTD. New/Modified Firepower Chassis Manager Screens:New/Modified FMC Screens: Devices > Device Management > edit device > Interfaces tab Overview > Devices Interfaces > All Interfaces > Add New drop-down menu > Subinterface Interfaces > All Interfaces > Type Logical Devices > Add Device Platform Settings > Mac Pool Platform Settings > Resource Profiles New/Modified FXOS Commands: connect ftd `name` , connect module telnet , create bootstrap-key PERMIT_EXPERT_MODE ,create resource-profile , create subinterface , scope auto-macpool , set cpu-core-count , set deploy-type , set port-type data-sharing , set prefix , set resource-profile-name , set vlan , scope app-instance ftd `name` , show cgroups container , show interface , show mac-address , show subinterface , show tech-support module app-instance , show version Supported Platforms: Firepower 4100/9300
Cluster control link customizable IP Address for the Firepower 4100/9300	By default, the cluster control link uses the 127.2.0.0/16 network. You can now set the network when you deploy the cluster in FXOS. The chassis auto-generates the cluster control link interface IP address for each unit based on the chassis ID and slot ID: 127.2.chassis_id.slot_id. However, some networking deployments do not allow 127.2.0.0/16 traffic to pass. Therefore, you can now set a custom /16 subnet for the cluster control link in FXOS except for loopback (127.0.0.0/8) and multicast (224.0.0.0/4) addresses. New/Modified Firepower Chassis Manager Screens: Logical Devices > Add Device > Cluster Information New/Modified Options: CCL Subnet IP field New/Modified FXOS Commands: set cluster-control-link network Supported Platforms: Firepower 4100/9300
Improved FTD cluster addition to the FMC	You can now add any unit of a cluster to the FMC, and the other cluster units are detected automatically. Formerly, you had to add each cluster unit as a separate device, and then group them into a cluster with the FMC. Adding a cluster unit is also now automatic. Note that you must delete a unit manually. New/Modified Screens: Devices > Device Management > Add drop-down menu > Device > Add Device dialog box Devices > Device Management > Cluster tab > General area > Cluster Registration Status > Current Cluster Summary link > Cluster Status dialog box Supported Platforms: Firepower 4100/9300
Encryption and VPN
SSL hardware acceleration	Additional Firepower Threat Defense devices now support SSL hardware acceleration. Also, this option is now enabled by default. Upgrading to Version 6.3 automatically enables SSL hardware acceleration on eligible devices. Using SSL hardware acceleration if you are not decrypting traffic can affect performance. We recommend you disable SSL hardware acceleration on devices that are not decrypting traffic. Supported Platforms: Firepower 2100 series, Firepower 4100/9300
RA VPN: RADIUS Dynamic Authorization or Change of Authorization (CoA)	You can now use RADIUS servers for user authorization of RA VPN and firewall cut-through-proxy sessions, using dynamic access control lists (ACLs) or ACL names per user. Supported Platforms: FTD
Events, Logging, and Analysis
Cisco Security Packet Analyzer Integration	You can integrate with Cisco Security Packet Analyzer to examine events and display analysis results, or download results for further analysis. New/Modified Screens: System > Integration > Packet Analyzer Analysis > Advanced > Packet Analyzer Queries Query Packet Analyzer when right-clicking on an event in the dashboard or event viewer Contextual cross-launch You can right-click an event in the dashboard or event viewer to look up related information in predefined or custom, public or private URL-based resources. New/Modified Screens: Analysis > Advanced > Contextual Cross-Launch Unified syslog configuration Previously, you configured event logging via syslog in multiple places, depending on the event type. In Version 6.3, you now configure syslog messaging in the access control policy. These configurations affect connection and intrusion event logging for the access control, SSL, prefilter, and intrusion policies, as well as for Security Intelligence. For Firepower Threat Defense devices, some syslog platform settings now apply to connection and intrusion event messages. For a list, see the "Platform Settings for Firepower Threat Defense" chapter in the Configuration Guide. Supported Platforms: Varies
Fully-qualified syslog messages for connection and intrusion events	The format of syslog messages for connection, security intelligence, and intrusion events have the following changes: Messages from Firepower Threat Defense devices now include event type identification numbers. Fields with empty or unknown values are no longer included, so messages are shorter and important data is less likely to be truncated. Timestamps now use the ISO 8601 timestamp format as specified in the RFC 5425 syslog format (optional for FTD, required for Classic). Other syslog improvements for FTD devices You can send all syslog messages from the same interface (data or management), using the same IP address, using TCP or UDP protocol. Note that secure syslog is supported on data ports only. You can also use the RFC 5424 format for message timestamps. Supported Platforms: FTD
Administration and Troubleshooting
HTTPS Certificates	The default HTTPS server certificate provided with the system now expires in three years. If your appliance uses a default server certificate that was generated before you upgraded to Version 6.3, the server certificate will expire 20 years from when it was first generated. If you are using the default HTTPS server certificate the system now provides the ability to renew it. New/Modified Screens: System > Configuration > HTTPS Certificate > Renew HTTPS Certificate button New/Modified Classic CLI Commands: show http-cert-expire-date , system renew-http-cert `new_key` Supported Platforms: Physical FMCs, 7000 and 8000 Series devices IPv4 range, subnet, and IPv6 support for SNMP hosts You can now use IPv4 range, IPv4 subnet, and IPv6 host network objects to specify the SNMP hosts that can access a Firepower Threat Defense device. New/Modified Screens: Devices > Platform Settings > create or edit FTD policy > SNMP > Hosts tab Supported Platforms: FTD
Access control using fully qualified domain names (FQDN)	You can now create fully qualified domain name (FQDN) network objects and use them in access control and prefilter rules. To use FQDN objects, you must also configure DNS server groups and DNS platform settings, so that the system can resolve the domain names. New/Modified Screens: Objects > Object Management > Network Objects > Object Management > DNS Server Group Devices > Platform Settings > create or edit FTD policy > DNS Supported Platforms: FTD
CLI for the FMC	An CLI for the FMC supports a small set of basic commands (change password, show version, reboot/restart, and so on). By default the FMC CLI is disabled, and logging into FMC using SSH accesses the Linux shell. New/Modified Classic CLI Commands: The system lockdown-sensor command has changed to system lockdown . This command now works for both devices and FMCs. New/Modified Screens: System > Configuration > Console Configuration > Enable CLI Access check box Supported Platforms: FMC, including FMCv
Improved login security	Added FMC user configuration settings to improve login security: Track Successful Logins: Track the number of successful logins each FMCaccount has performed within a specific time period. Password Reuse Limit: Track an FMC user's password history to prevent reuse. Max Number of Login Failures and Set Time in Minutes to Temporarily Lockout Users: Limit the number of times in a row an FMC user can enter incorrect web interface login credentials before being temporarily blocked. New/Modified Screens: System > Configuration > User Configuration Supported Platforms: FMC
Limit SSH login failures on devices	When a user accesses any device via SSH and fails three successive login attempts, the device terminates the SSH session. Supported platforms: Managed devices
Copy device configurations	You can copy device configurations and policies from one device to another. New/Modified Screens: Devices > Device Management > edit the device > General area > Get/Push Device Configuration icons.
Backup/restore FTD device configurations	You can use the FMC web interface to back up configurations for some FTD devices. New/Modified Screens: System > Tools > Backup/Restore New/Modified CLI Commands: restore Supported Platforms: All physical FTD devices, FTDv on VMware
Skip deploying to up-to-date devices when you schedule deploy tasks	When you schedule a task to deploy configuration changes, you can now opt to Skip Deployment for up-to-date devices. This performance-enhancing setting is enabled by default. The upgrade process automatically enables this option on existing scheduled tasks. To continue to force a scheduled deploy to up-to-date devices, you must edit the scheduled task. New/Modified Screens: System > Tools > Scheduling > add or edit a task > choose Job Type of Deploy Policies New health modules New health modules alert you when: Threat Data Updates on Devices: Threat identification data on managed devices fails to update. Realm: A user is reported to the FMC without being downloaded, or a user logs into a domain that corresponds to a realm not known to the FMC. New/Modified Screens: System > Health > Policy System > Health > Monitor Supported Platforms: FMC
Configurable packet capture size	You can now store up to 10 GB of packet captures. New/Modified CLI Commands: file-size , show capture Supported Platforms: Firepower 4100/9300
Firepower Management Center REST API
New objects	The FMC REST API supports new objects for site-to-site VPN topology and HA device failover. New objects for site-to-site VPN topology: ftds2svpns, endpoints, ipsecsettings, advancedsettings, ikesettings, ikev1ipsecproposals, ikev1policies, ikev2ipsecproposals, ikev2policies New objects for HA device failover: failoverinterfacemacaddressconfigs, monitoredinterfaces
Bulk overrides	You can now perform bulk overrides on specific objects. For a full list, see the Cisco Firepower Management Center REST API Quick Start Guide.

New Features in Firepower Device Manager/FTD Version 6.3.0

The following table lists the new features available in FTD 6.3.0 when configured using Firepower Device Manager:

Features	Description
High availability configuration.	You can configure two devices as an active/standby high availability pair. A high availability or failover setup joins two devices so that if the primary device fails, the secondary device can take over. This helps you keep your network operational in case of device failure. The devices must be of the same model, with the same number and type of interfaces, and they must run the same software version. You can configure high availability from the Device page.
Support for passive user identity acquisition.	You can configure identity policies to use passive authentication. Passive authentication gathers user identity without prompting the user for username and password. The system obtains the mappings from the identity sources you specify, which can be Cisco Identity Services Engine (ISE)/Cisco Identity Services Engine Passive Identity Connector (ISE PIC), or logins from remote access VPN users. Changes include supporting passive authentication rules in Policies > Identity, and ISE configuration in Objects > Identity Sources.
Local user support for remote access VPN and user identity.	You can now create users directly through Firepower Device Manager. You can then use these local user accounts to authenticate connections to a remote access VPN. You can use the local user database as either the primary or fallback authentication source. In addition, you can configure passive authentication rules in the identity policy so that local usernames are reflected in the dashboards and so they are available for traffic matching in policies. We added the Objects > Users page, and updated the remote access VPN wizard to include a fallback option.
Changed default behavior for VPN traffic handling in the access control policy (sysopt connection permit-vpn ).	The default behavior for how VPN traffic is handled by the access control policy has changed. Starting in 6.3, the default is that all VPN traffic will be processed by the access control policy. This allows you to apply advanced inspections, including URL filtering, intrusion protection, and file policies, to VPN traffic. You must configure access control rules to allow VPN traffic. Alternatively, you can use FlexConfig to configure the sysopt connection permit-vpn command, which tells the system to bypass the access control policy (and any advanced inspections) for VPN-terminated traffic
Support for FQDN-based network objects and data interface support for DNS lookup.	You can now create network objects (and groups) that specify a host by fully-qualified domain name (FQDN) rather than a static IP address. The system looks up the FQDN-to-IP address mapping periodically for any FQDN object that is used in an access control rule. You can use these objects in access control rules only. We added the DNS Group object to the objects page, changed the System Settings > DNS Server page to allow group assignment to data interfaces, and the access control rule to allow for FQDN network object selection. In addition, the DNS configuration for the management interface now uses DNS groups instead of a set list of DNS server addresses.
Support for TCP syslog and the ability to send diagnostic syslog messages through the management interface.	In previous releases, diagnostic syslog messages (as opposed to connection and intrusion messages) always used a data interface. You can now configure syslog so that all messages use the management interface. The ultimate source IP address depends on whether you use the data interfaces as the gateway for the management interface, in which case the IP address will be the one from the data interface. You can also configure syslog to use TCP instead of UDP as the protocol. We made changes to the Add/Edit dialog box for syslog servers from Objects > Syslog Servers.
External Authentication and Authorization using RADIUS for Firepower Device Manager Users.	You can use an external RADIUS server to authenticate and authorize users logging into Firepower Device Manager. You can give external users administrative, read-write, or read-only access. Firepower Device Manager can support 5 simultaneous logins; the sixth session automatically logs off the oldest session. You can forcefully end a Firepower Device Manager user session if necessary. We added RADIUS server and RADIUS server group objects to the Objects > Identity Sources page for configuring the objects. We added the AAA Configuration tab to Device > System Settings > Management Access, for enabling use of the server groups. In addition, the Monitoring > Sessions page lists the active users and lets an administrative user end a session.
Pending changes view and deployment improvements	The deployment window has changed to provide a clearer view of the pending changes that will be deployed. In addition, you now have the option to discard changes, copy changes to the clipboard, and download changes in a YAML formatted file. You can also name deployment jobs so they are easier to find in the audit log.
Audit Log	You can view an audit log that records events such as deployments, system tasks, configuration changes, and administrative user login and logout. We added the Device > Device Administration > Audit Logpage.
Ability to export the configuration	You can download a copy of the device configuration for record keeping purposes. However, you cannot import this configuration into a device. This feature is not a replacement for backup/restore. We added the Device > Device Administration > Download Configuration page.
Improvements to URL filtering for unknown URLs.	If you perform category-based URL filtering in access control rules, users might access URLs whose category and reputation are not defined in the URL database. Previously, you needed to manually enable the option to look up the category and reputation for these URLs from Cisco Collective Security Intelligence (CSI). Now, that option is enabled by default. In addition, you can now set the time-to-live (TTL) for the lookup results, so that the system can refresh the category/reputation for each unknown URL. We updated the Device > System Settings > URL Filtering Preferences page.
Security Intelligence logging is now enabled by default	The Security Intelligence policy was introduced in 6.2.3, with logging disabled by default. Starting with 6.3.0, logging is enabled by default. If you upgrade from 6.2.3, your logging settings are preserved, either enabled or disabled. Enable logging if you want to see the results of policy enforcement.
Passive mode interfaces	You can configure an interface in passive mode. When acting passively, the interface simply monitors the traffic from the source ports in a monitoring session configured on the switch itself (for hardware devices) or on the promiscuous VLAN (for Firepower Threat Defense Virtual). You can use passive mode to evaluate how the Firepower Threat Defense Virtual device would behave if you deployed it as an active firewall. You can also use passive interfaces in a production network if you need IDS (intrusion detection system) services, where you want to know about threats, but you do not want the device to actively prevent the threats. You can select passive mode when editing physical interfaces and when you create security zones.
Smart CLI enhancements for OSPF, and support for BGP.	The Smart CLI OSPF configuration has been enhanced, including new Smart CLI object types for standard and extended ACLs, route maps, AS Path objects, IPv4 and IPv6 prefix lists, policy lists, and standard and expanded community lists. In addition, you can now use Smart CLI to configure BGP routing. You can find these features on the Device > Advanced Configuration page.
Enhancements for ISA 3000 devices	You can now configure the following features for the ISA 3000: alarms, hardware bypass, and backup and restore using the SD card. You use FlexConfig to configure the alarms and hardware bypass. For the SD card, we updated the backup/restore pages in Firepower Device Manager.
Support for ASA 5506-X, 5506W-X, 5506H-X, and 5512-X removed starting with FTD 6.3	You cannot install Firepower Threat Defense 6.3 or subsequent releases on the ASA 5506-X, 5506W-X, 5506H-X, and 5512-X. The final supported FTD release for these platforms is 6.2.3.
FTD REST API version 2 (v2).	The FTD REST API for software version 6.3 has been incremented to version 2. You must replace v1 in the API URLs with v2. The v2 API includes many new resources that cover all features added in software version 6.3. Please re-evaluate all existing calls, as changes might have been mode to the resource models you are using. To open the API Explorer, where you can view the resources, change the end of the Firepower Device Manager URL to /#/api-explorer after logging in.
Web analytics for providing product usage information to Cisco.	You can enable web analytics, which provides anonymous product usage information to Cisco based on page hits. This information can help Cisco determine feature usage patterns and help Cisco improve the product. All usage data is anonymous and no sensitive data is transmitted. Web analytics is enabled by default. We added Web Analytics to the Device > System Settings > Cloud Services page.
Installing a Vulnerability Database (VDB) update no longer restarts Snort.	When you install a VDB update, the installation itself no longer restarts Snort. However, Snort continues to restart during the next configuration deployment.
Deploying an Intrusion Rules (SRU) database update no longer restarts Snort.	After you install an intrusion rules (SRU) update, you must deploy the configuration to activate the new rules. The deployment of the SRU update no longer causes a Snort restart.

For more information refer to the Firepower 6.3 release notes.

kskksaa · ‎12-09-2018

It´s a shame that ASA5506-X does not recieve any further functional updates.

Cisco did not smash with glory with FTD and it´s a hit in the face for customers to tell them their recently bought branch firewalls which have had many problems needs to be replaced for new features.

Announcing the availability of the Firepower 6.3 Release

New Features in FMC/Firepower Version 6.3.0

AnyConnect Certificate Based Authentication.

Getting past intermittent/unexplained 802.1x problems on Windows 7

Insights About Multiple Vulnerabilities in Cisco Discovery Protocol Implementations (CDPwn)