October 19, 2023

New Features: Version 20230929

Feature

Min. Threat Defense

Details

Platform

Threat defense Version 7.4.0 support.

7.4.0

You can now manage threat defense devices running Version 7.4.0.

Version 7.4.0 is available only on the Secure Firewall 4200. You must use a Secure Firewall 4200 for features that require Version 7.4.0. Support for all other platforms resumes in Version 7.4.1.

Secure Firewall 4200.

7.4.0

You can now manage the Secure Firewall 4215, 4225, and 4245 with Cloud-Delivered Firewall Management Center.

These devices support the following new network modules:

  • 2-port 100G QSFP+ network module (FPR4K-XNM-2X100G)

  • 4-port 200G QSFP+ network module (FPR4K-XNM-4X200G)

See: Cisco Secure Firewall 4215, 4225, and 4245 Hardware Installation Guide

Performance profile support for the Secure Firewall 4200.

7.4.0

The performance profile settings available in the platform settings policy now apply to the Secure Firewall 4200. Previously, this feature was supported only on the Firepower 4100/9300 and on Firewall Threat Defense Virtual.

See: Platform Settings

Numbering convention for cloud-delivered Firewall Management system.

Any

The cloud-delivered Firewall Management system is a feature of CDO. For the purposes of troubleshooting, we identify the version number of the cloud-delivered Firewall Management Center on the FMC Services page.

Platform Migration

Migrate Firepower 1000/2100 to Secure Firewall 3100.

Any

You can now easily migrate configurations from the Firepower 1000/2100 to the Secure Firewall 3100.

New/modified screens: Devices > Device Management > Migrate

Platform restrictions: Migration not supported from the Firepower 1010 or 1010E.

See: Device Management

Migrate devices from Firepower Management Center 1000/2500/4500 to Cloud-Delivered Firewall Management Center.

Any

You can migrate devices from Firepower Management Center 1000/2500/4500 to Cloud-Delivered Firewall Management Center.

To migrate devices, you must temporarily upgrade the on-prem Firewall Management Center from Version 7.0.3 (7.0.5 recommended) to Version 7.4.0. This temporary upgrade is required because Version 7.0 Firewall Management Centers do not support device migration to the cloud. Additionally, only standalone and high availability Firewall Threat Defense running Version 7.0.3+ (7.0.5 recommended) are eligible for migration. Cluster migration is not supported at this time.

Important

Version 7.4.0 is only supported on the 1000/2500/4500 during the migration process. You should minimize the time between Firewall Management Center upgrade and device migration.

To summarize the migration process:

  1. Prepare for upgrade and migration. Read, understand, and meet all the prerequisites outlined in the release notes, upgrade guides, and migration guide.

    Before you upgrade, it is especially important that the on-prem Firewall Management Center is "ready to go," that is, managing only the devices you want to migrate, configuration impact assessed (such as VPN impact), freshly deployed, fully backed up, all appliances in good health, and so on.

    You should also provision, license, and prepare the cloud tenant. This must include a strategy for security event logging; you cannot retain the on-prem Firewall Management Center for analytics because it will be running an unsupported version.

  2. Upgrade the on-prem Firewall Management Center and all its managed devices to at least Version 7.0.3 (Version 7.0.5 recommended).

    If you are already running the minimum version, you can skip this step.

  3. Upgrade the on-prem Firewall Management Center to Version 7.4.0.

    Unzip (but do not untar) the upgrade package before uploading it to the Firewall Management Center. Download from: Special Release.

  4. Onboard the on-prem Firewall Management Center to CDO.

  5. Migrate all devices from the on-prem Firewall Management Center to the Cloud-Delivered Firewall Management Center as described in the migration guide.

    When you select devices to migrate, make sure you choose Delete FTD from On-Prem FMC. Note that the device is not fully deleted unless you commit the changes or 14 days pass.

  6. Verify migration success.

    If the migration does not function to your expectations, you have 14 days to switch back or it is committed automatically. However, note that Version 7.4.0 is unsupported for general operations. To return the on-prem Firewall Management Center to a supported version, you must remove the re-migrated devices, reimage back to Version 7.0.x, restore from backup, and reregister the devices.

See:

If you have questions or need assistance at any point in the migration process, contact Cisco TAC.

S2S VPN support in FTD to cloud migration. Migrate threat defense devices with VPN policies from on-prem to Cloud-Delivered Firewall Management Center.

7.0.3-7.0.x

7.2 or later

Site-to-site VPN configurations on Secure Firewall Threat Defense devices are now migrated along with the rest of the configuration when the device is migrated from the on-prem Firewall Management Center to the cloud-delivered Firewall Management Center.

Interfaces

Merged management and diagnostic interfaces.

7.4.0

Upgrade impact. Merge interfaces after upgrade.

For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available.

If you upgraded to 7.4 or later and:

  • You did not have any configuration for the diagnostic interface, then the interfaces will merge automatically.

  • You have configuration for the diagnostic interface, then you have the choice to merge the interfaces manually, or you can continue to use the separate diagnostic interface. Note that support for the diagnostic interface will be removed in a later release, so you should plan to merge the interfaces as soon as possible.

Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including Management) in the configuration.

For platform settings, this means:

  • You can no longer enable HTTP, ICMP, or SMTP for diagnostic.

  • For SNMP, you can allow hosts on management instead of diagnostic.

  • For Syslog servers, you can reach them on management instead of diagnostic.

  • If Platform Settings for syslog servers or SNMP hosts specify the diagnostic interface by name, then you must use separate Platform Settings policies for merged and non-merged devices.

  • DNS lookups no longer fall back to the management-only routing table if you do not specify interfaces.

New/modified screens: Devices > Device Management > Interfaces

New/modified commands: show management-interface convergence

See: Interface Overview

VXLAN VTEP IPv6 support.

7.4.0

You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the Firewall Threat Defense Virtual cluster control link or for Geneve encapsulation.

New/modified screens:

  • Devices > Device Management > Edit Device > VTEP > Add VTEP

  • Devices > Device Management > Edit Devices > Interfaces > Add Interfaces > VNI Interface

See: Regular Firewall Interfaces

Loopback interface support for BGP and management traffic.

7.4.0

You can now use loopback interfaces for AAA, BGP, DNS, HTTP, ICMP, IPsec flow offload, NetFlow, SNMP, SSH, and syslog.

New/modified screens: Devices > Device Management > Edit device > Interfaces > Add Interfaces > Loopback Interface

See: Regular Firewall Interfaces

Loopback and management type interface group objects.

7.4.0

You can create interface group objects with only management-only or loopback interfaces. You can use these groups for management features such as DNS servers, HTTP access, or SSH. Loopback groups are available for any feature that can utilize loopback interfaces. However, it's important to note that DNS does not support management interfaces.

New/modified screens: Objects > Object Management > Interface > Add > Interface Group

See: Object Management

High Availability/Scalability

Reduced "false failovers" for Firewall Threat Defense high availability.

7.4.0

Other version restrictions: Not supported with Firewall Threat Defense Version 7.3.x.

See: Heartbeat Module Redundancy

SD-WAN

Policy-based routing using HTTP path monitoring.

7.2.0

Policy-based routing (PBR) can now use the performance metrics (RTT, jitter, packet loss, and MOS) that path monitoring collects through an HTTP client on the application domain, rather than the metrics for a specific destination IP. The HTTP-based application monitoring option is enabled by default for the interface. You can configure a PBR policy with a match ACL that contains the monitored applications, and an interface ordering for path determination.

New/modified screens: Devices > Device Management > Edit device > Edit interface > Path Monitoring > Enable HTTP based Application Monitoring check box.

Platform restrictions: Not supported for clustered devices.

See: Policy Based Routing

Policy-based routing with user identity and SGTs.

7.4.0

Upgrade impact. Check SGT propagation before device upgrade.

You can now classify network traffic based on users, user groups, and SGTs in PBR policies. Select the identity and SGT objects while defining the extended ACLs for the PBR policies.

Note that as a result of how this feature was implemented, Firewall Threat Defense can now add egress SGTs to traffic if the egress interface is configured to propagate SGTs. This can happen with ISE integration even if you do not configure policy-based routing. Starting with Version 7.4.0, the Propagate Security Group Tag option is disabled by default for new interfaces. But because upgrade respects your current settings, this option may be enabled for existing interfaces.

Important

If you have configured an ISE identity source, before you upgrade, check the Propagate Security Group Tag option on your devices' physical, redundant, and subinterfaces and disable it if necessary. If downstream devices are not configured to handle the tags, you could experience traffic loss.

New/modified screens: Objects > Object Management > Access List > Extended > Add/Edit Extended Access List > Add/Edit Extended Access List Entry > Users and Security Group Tag

See: Object Management

VPN

IPsec flow offload on the VTI loopback interface for the Secure Firewall 4200.

7.4.0

On the Secure Firewall 4200, qualifying IPsec connections through the VTI loopback interface are offloaded by default. Previously, this feature was supported for physical interfaces on the Secure Firewall 3100.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

Other requirements: FPGA firmware 6.2+

See: VPN Overview

Crypto debugging enhancements for the Secure Firewall 4200.

7.4.0

We made the following enhancements to crypto debugging:

  • The crypto archive is now available in text and binary formats.

  • Additional SSL counters are available for debugging.

  • Stuck encrypt rules can be removed from the ASP table without rebooting the device.

New/modified CLI commands: show counters

VPN: Remote Access

Customize Secure Client messages, icons, images, and connect/disconnect scripts.

7.2.0

You can now customize Secure Client and deploy these customizations to the VPN headend. The following are the supported Secure Client customizations:

  • GUI text and messages

  • Icons and images

  • Scripts

  • Binaries

  • Customized Installer Transforms

  • Localized Installer Transforms

Threat defense distributes these customizations to the endpoint when an end user connects from the Secure Client.

New/modified screens:

  • Objects > Object Management > VPN > Secure Client Customization

  • Devices > Remote Access > Edit VPN policy > Advanced > Secure Client Customization

See: Remote Access VPN

VPN: Site to Site

Easily exempt site-to-site VPN traffic from NAT translation.

Any

We now make it easier to exempt site-to-site VPN traffic from NAT translation.

New/modified screens:

  • Enable NAT exemptions for an endpoint: Devices > VPN > Site To Site > Add/Edit Site to Site VPN > Add/Edit Endpoint > Exempt VPN traffic from network address translation

  • View NAT exempt rules for devices that do not have a NAT policy: Devices > NAT > NAT Exemptions

  • View NAT exempt rules for a single device: Devices > NAT > Threat Defense NAT Policy > NAT Exemptions

See: Network Address Translation

Easily view IKE and IPsec session details for VPN nodes.

Any

You can view the IKE and IPsec session details of VPN nodes in a user-friendly format in the Site-to-Site VPN dashboard.

New/modified screens: Overview > Site to Site VPN > Under the Tunnel Status widget, hover over a topology, click View, and then click the CLI Details tab.

See: Site-to-Site VPNs

Access Control: Threat Detection and Application Identification

Sensitive data detection and masking.

7.4.0 with Snort 3

Upgrade impact. New rules in default policies take effect.

Sensitive data such as social security numbers, credit card numbers, and email addresses may be leaked onto the internet, intentionally or accidentally. Sensitive data detection detects possible sensitive data leakage and generates events only if a significant amount of Personally Identifiable Information (PII) is transferred. Sensitive data detection can mask PII in the output of events, using built-in patterns.

Disabling data masking is not supported.

See: Custom Rules in Snort 3
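As an added illustration (not Cisco's or Snort's implementation) of the two behaviours this entry describes, the following Python models a detector that raises an event only when the number of PII matches in one transfer crosses a threshold, and masks the matched values in the event output. The pattern set, the threshold value, and the sample transfer are assumptions constructed for the example.

```python
import re

# Constructed example, not Cisco's or Snort's implementation. Patterns,
# threshold and sample data are assumptions for illustration only.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_pii(payload: str) -> list[tuple[str, str]]:
    """Return (kind, raw_value) for every PII match in one transfer."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(payload)]
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("credit_card", m.group()))
    hits += [("email", m.group()) for m in EMAIL_RE.finditer(payload)]
    return hits


def mask(kind: str, value: str) -> str:
    """Mask a value so the event stays useful for triage without re-exposing PII."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "*" * (len(local) - 1) + "@" + domain
    return "*" * (len(value) - 4) + value[-4:]


def inspect_transfer(payload: str, threshold: int = 5):
    """Emit an event only once the transfer carries a significant amount of PII;
    returns None below the threshold, else an event with masked samples."""
    hits = find_pii(payload)
    if len(hits) < threshold:
        return None
    types: dict[str, int] = {}
    for kind, _ in hits:
        types[kind] = types.get(kind, 0) + 1
    return {
        "event": "sensitive_data_transfer",
        "count": len(hits),
        "types": types,
        "samples": [(kind, mask(kind, value)) for kind, value in hits],
    }


# Constructed sample transfer: three SSNs, two Luhn-valid test card numbers,
# one digit run that fails Luhn (ignored) and one e-mail address.
SAMPLE_TRANSFER = (
    "name=alice; email=alice@example.com; ssn=123-45-6789; "
    "card=4111 1111 1111 1111;\n"
    "name=bob; ssn=234-56-7890; card=5500-0000-0000-0004;\n"
    "name=carol; ssn=345-67-8901; card=1234 5678 9012 3456;\n"
)
```

A single SSN in a transfer stays below the threshold and produces no event, while the sample transfer above produces one event whose samples never contain the raw values.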

Clientless zero-trust access.

7.4.0 with Snort 3

Zero Trust Access allows you to authenticate and authorize access to protected web-based resources, applications, or data from inside (on-premises) or outside (remote) the network, using an external SAML Identity Provider (IdP) policy.

The configuration consists of a Zero Trust Application Policy (ZTAP), Application Group, and Applications.

New/modified screens: Policies > Zero Trust Application

New/modified CLI commands:

  • show running-config zero-trust application

  • show running-config zero-trust application-group

  • show zero-trust sessions

  • show zero-trust statistics

  • show cluster zero-trust statistics

  • clear zero-trust sessions application

  • clear zero-trust sessions user

  • clear zero-trust statistics

Routing

Configure graceful restart for BGP on IPv6 networks.

7.3.0

You can now configure BGP graceful restart for IPv6 networks on managed devices version 7.3 and later.

New/modified screens: Devices > Device Management > Edit device > Routing > BGP > IPv6 > Neighbor > Add/Edit Neighbor.

See: BGP

Virtual routing with dynamic VTI.

7.4.0

You can now configure a virtual router with a dynamic VTI for a route-based site-to-site VPN.

New/modified screens: Devices > Device management > Edit Device > Routing > Virtual Router Properties > Dynamic VTI interfaces under Available Interfaces

Platform restrictions: Supported only on native mode standalone or high availability devices. Not supported for container instances or clustered devices.

See: Virtual Routers

Access Control: Threat Detection and Application Identification

Encrypted visibility engine enhancements.

7.4.0 with Snort 3

Encrypted Visibility Engine (EVE) can now:

  • Block malicious communications in encrypted traffic based on threat score.

  • Determine client applications based on EVE-detected processes.

  • Reassemble fragmented Client Hello packets for detection purposes.

New/modified screens: Use the access control policy's advanced settings to enable EVE and configure these settings.

Exempt specific networks and ports from bypassing or throttling elephant flows.

7.4.0 with Snort 3

You can now exempt specific networks and ports from bypassing or throttling elephant flows.

New/modified screens:

  • When you configure elephant flow detection in the access control policy's advanced settings, if you enable the Elephant Flow Remediation option, you can now click Add Rule and specify traffic that you want to exempt from bypass or throttling.

  • When the system detects an elephant flow that is exempted from bypass or throttling, it generates a mid-flow connection event with the reason Elephant Flow Exempted.

Platform restrictions: Not supported on the Firepower 2100 series.

See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide

Improved JavaScript inspection.

7.4.0 with Snort 3

We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content.

See: HTTP Inspect Inspector and Cisco Secure Firewall Management Center Snort 3 Configuration Guide

Access Control: Identity

Cisco Secure Dynamic Attributes Connector on the Firewall Management Center.

Any

You can now configure the Cisco Secure Dynamic Attributes Connector on the Firewall Management Center. Previously, it was only available as a standalone application.

See: Cisco Secure Dynamic Attributes Connector

Event Logging and Analysis

Configure Firewall Threat Defense devices as NetFlow exporters from the Firewall Management Center web interface.

Any

NetFlow is a Cisco application that provides statistics on packet flows. You can now use the Firewall Management Center web interface to configure Firewall Threat Defense devices as NetFlow exporters. If you have an existing NetFlow FlexConfig and redo your configurations in the web interface, you cannot deploy until you remove the deprecated FlexConfigs.

New/modified screens: Devices > Platform Settings > Threat Defense Settings Policy > NetFlow

See: Platform Settings

Health Monitoring

New asp drop metrics.

7.4.0

You can add over 600 new asp (accelerated security path) drop metrics to a new or existing device health dashboard. Make sure you choose the ASP Drops metric group.

New/modified screens: System (system gear icon) > Health > Monitor > Device

See: show asp drop Command Usage

Administration

Support for IPv6 URLs when checking certificate revocation.

7.4.0

Previously, Firewall Threat Defense supported only IPv4 OCSP URLs. Now, Firewall Threat Defense supports both IPv4 and IPv6 OCSP URLs.

See: Object Management

Store threat defense backup files in a secure remote location.

Any

When you back up a device, the cloud-delivered Firewall Management Center stores the backup files in its secure cloud storage.

Usability, Performance, and Troubleshooting

Usability enhancements.

Any

You can now:

  • Manage Smart Licensing for Firewall Threat Defense clusters from System (system gear icon) > Smart Licenses. Previously, you had to use the Device Management page.

    See: Licensing

  • Download a report of Message Center notifications. In the Message Center, click the new Download Report icon, next to the Show Notifications slider.

    See: Troubleshooting

  • Download a report of all registered devices. On Devices > Device Management, click the new Download Device List Report link, at the top right of the page.

    See: Device Management.

  • Easily create custom health monitoring dashboards, and easily edit existing dashboards.

    See: Health

Specify the direction of traffic to be captured with packet capture for the Secure Firewall 4200.

7.4.0

On the Secure Firewall 4200, you can use a new direction keyword with the capture command.

New/modified CLI commands: capture capture_name switch interface interface_name [direction {both | egress | ingress}]

See: Cisco Secure Firewall Threat Defense Command Reference

Management Center REST API

Cloud-Delivered Firewall Management Center REST API.

Feature dependent

For information on changes to the management center REST API, see What's New in the API quick start guide.

Deprecated Features: Version 20230929

Feature

Deprecated in Threat Defense

Details

Deprecated: NetFlow with FlexConfig.

Any

You can now configure Firewall Threat Defense devices as NetFlow exporters from the Firewall Management Center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs.

See: Platform Settings

Deprecated: high unmanaged disk usage alerts.

7.0.6

7.2.4

7.4.0

The Disk Usage health module no longer alerts with high unmanaged disk usage. You may continue to see these alerts until you either deploy health policies to managed devices (stops the display of alerts), or upgrade the devices to Version 7.0.6, 7.2.4, 7.4.x (stops the sending of alerts).

For information on the remaining Disk Usage alerts, see Disk Usage and Drain of Events Health Monitor Alerts.