February 13, 2024

Features in Version 20240203

Feature

Minimum Threat Defense

Details

Platform

Threat defense Version 7.4.1 support.

7.4.1

You can now manage threat defense devices running Version 7.4.1.

Network modules for the Secure Firewall 3130 and 3140.

7.4.1

The Secure Firewall 3130 and 3140 now support these network modules:

  • 2-port 100G QSFP+ network module (FPR3K-XNM-2X100G)

See: Cisco Secure Firewall 3110, 3120, 3130, and 3140 Hardware Installation Guide

Optical transceivers for Firepower 9300 network modules.

7.4.1

The Firepower 9300 now supports these optical transceivers:

  • QSFP-40/100-SRBD

  • QSFP-100G-SR1.2

  • QSFP-100G-SM-SR

On these network modules:

  • FPR9K-NM-4X100G

  • FPR9K-NM-2X100G

  • FPR9K-DNM-2X100G

See: Cisco Firepower 9300 Hardware Installation Guide

Performance profile support for the Secure Firewall 3100.

7.4.1

The performance profile settings available in the platform settings policy now apply to the Secure Firewall 3100. Previously, this feature was supported on the Firepower 4100/9300, the Secure Firewall 4200, and on Firewall Threat Defense Virtual.

See: Platform Settings

NAT

Create network groups while editing NAT rules.

Any

You can now create network groups in addition to network objects while editing a NAT rule.

See: Customizing NAT Rules for Multiple Devices

Device Management

Device management services supported on user-defined VRF interfaces.

Any

Device management services configured in the Firewall Threat Defense platform settings (NetFlow, SSH access, SNMP hosts, syslog servers) are now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces.

Platform restrictions: Not supported with container instances or clustered devices.

See: Platform Settings

SD-WAN

SD-WAN Summary dashboard

7.4.1

The WAN Summary dashboard provides a snapshot of your WAN devices and their interfaces. It provides insight into your WAN network and information about device health, interface connectivity, application throughput, and VPN connectivity. You can monitor the WAN links and take proactive and prompt recovery measures. In addition, you can also monitor the WAN interface application performance using the Application Monitoring tab.

New/modified screens: Analysis > SD-WAN Summary

Access Control: Identity

Captive portal support for multiple Active Directory realms (realm sequences).

7.4.1

Upgrade impact. Update custom authentication forms.

You can configure active authentication for either an LDAP realm; or a Microsoft Active Directory realm or a realm sequence. In addition, you can configure a passive authentication rule to fall back to active authentication using either a realm or a realm sequence. You can optionally share sessions between managed devices that share the same identity policy in access control rules.

In addition, you have the option to require users to authenticate again when they access the system using a different managed device than they accessed previously.

If you use the HTTP Response Page authentication type, after you upgrade Firewall Threat Defense, you must add <select name="realm" id="realm"></select> to your custom authentication form. This allows the user to choose between realms.

Restrictions: Not supported with Microsoft Azure Active Directory.

New/modified screens:

  • Policies > Identity > (edit policy) > Active Authentication > Share active authentication sessions across firewalls

  • Identity policy > (edit) > Add Rule > Passive Authentication > Realms & Settings > Use active authentication if passive or VPN identity cannot be established

  • Identity policy > (edit) > Add Rule > Active Authentication > Realms & Settings > Use active authentication if passive or VPN identity cannot be established

See: User Control with Captive Portal

Share captive portal active authentication sessions across firewalls.

7.4.1

Determines whether or not users are required to authenticate when their authentication session is sent to a different managed device than one they previously connected to. If your organization requires users to authenticate every time they change locations or sites, you should disable this option.

  • (Default.) Enable to allow users to authenticate with any managed device associated with the active authentication identity rule.

  • Disable to require the user to authenticate with a different managed device, even if they have already authenticated with another managed device to which the active authentication rule is deployed.

New/modified screens: Policies > Identity > (edit policy) > Active Authentication > Share active authentication sessions across firewalls

See: User Control with Captive Portal

Deployment and Policy Management

View and generate reports on configuration changes since your last deployment.

Any

You can generate, view, and download (as a zip file) the following reports on configuration changes since your last deployment:

  • A policy changes report for each device that previews the additions, changes, or deletions in the policy, or the objects that are to be deployed on the device.

  • A consolidated report that categorizes each device based on the status of policy changes report generation.

This is especially useful after you upgrade Firewall Threat Defense, so that you can see the changes made by the upgrade before you deploy.

New/modified screens: Deploy > Advanced Deploy.

See: Download Policy Changes Report for Multiple Devices

Suggested release notifications.

Any

The Firewall Management Center now notifies you when a new suggested release is available. If you don't want to upgrade right now, you can have the system remind you later, or defer reminders until the next suggested release. The new upgrade page also indicates suggested releases.

See: Cisco Secure Firewall Management Center New Features by Release

Enable revert from the Firewall Threat Defense upgrade wizard.

Any

You can now enable revert from the Firewall Threat Defense upgrade wizard.

Other version restrictions: You must be upgrading Firewall Threat Defense to Version 7.2+.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Cloud-Delivered Firewall Management Center

View detailed upgrade status from the Firewall Threat Defense upgrade wizard.

Any

The final page of the Firewall Threat Defense upgrade wizard now allows you to monitor upgrade progress. This is in addition to the existing monitoring capability on the Upgrade tab on the Device Management page, and on the Message Center. Note that as long as you have not started a new upgrade flow, Devices > Threat Defense Upgrade brings you back to this final wizard page, where you can view the detailed status for the current (or most recently complete) device upgrade.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Cloud-Delivered Firewall Management Center

Firmware upgrades included in FXOS upgrades.

Any

Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot.

For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include firmware upgrades. Secure Firewall 3100 in multi-instance mode (new in Version 7.4.1) also bundles FXOS and firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware.

Just as with software and operating system upgrades, do not make or deploy configuration changes during firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during firmware upgrade.

See: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide

Upgrade

Improved upgrade starting page and package management.

Any

A new upgrade page makes it easier to choose, download, manage, and apply upgrades to your entire deployment. The page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. You can easily choose and direct-download packages from Cisco, as well as manually upload and delete packages.

Patches are not listed unless you have at least one appliance at the appropriate maintenance release (or you manually uploaded the patch). You must manually upload hotfixes.

New/modified screens:

  • System > Product Upgrades is now where you upgrade devices, as well as manage upgrade packages.

  • System > Content Updates is now where you update intrusion rules, the VDB, and the GeoDB.

  • Devices > Threat Defense Upgrade takes you directly to the Firewall Threat Defense upgrade wizard.

Deprecated screens/options:

  • System > Updates is deprecated. All Firewall Threat Defense upgrades now use the wizard.

  • The Add Upgrade Package button on the Firewall Threat Defense upgrade wizard has been replaced by a Manage Upgrade Packages link to the new upgrade page.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Cloud-Delivered Firewall Management Center

Administration

Updated internet access requirements for direct-downloading software upgrades.

Any

The Firewall Management Center has changed its direct-download location for software upgrade packages from sourcefire.com to amazonaws.com.

Scheduled tasks download patches and VDB updates only.

Any

The Download Latest Update scheduled task no longer downloads maintenance releases; now it only downloads the latest applicable patches and VDB updates. To direct-download maintenance (and major) releases to the Firewall Management Center, use System > Product Upgrades.

See: Software Update Automation

Smaller VDB for lower memory Snort 2 devices.

Any with Snort 2

For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB.

Lower memory devices: ASA-5508-X and ASA 5516-X

Deprecated Features

Deprecated: DHCP relay trusted interfaces with FlexConfig.

Any

You can now use the Firewall Management Center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them.

See: Configure the DHCP Relay Agent

Deprecated: Merging downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources with FlexConfig.

Any

This feature is now supported in the Firewall Management Center web interface.

Deprecated: Health alerts for frequent drain of events.

7.4.1

The Disk Usage health module no longer alerts with frequent drain of events. You may continue to see these alerts until you either deploy health policies to managed devices (stops the display of alerts) or upgrade devices to Version 7.4.1+ (stops the sending of alerts).

See: Troubleshooting