November 8, 2024

Features in Version 20241030

Feature

Minimum Threat Defense

Details

Platform

Secure Firewall 1200.

7.6.0

We introduced the Secure Firewall 1200, which includes these models:

  • Secure Firewall 1210CX, with 8x1000BASE-T ports

  • Secure Firewall 1210CP, with 8x1000BASE-T ports, where ports 1/5-1/8 support power over Ethernet (PoE)

  • Secure Firewall 1220CX, with 8x1000BASE-T ports and two SFP+ ports

See: Cisco Secure Firewall CSF-1210CE, CSF-1210CP, and CSF-1220CX Hardware Installation Guide

Disable the front panel USB-A port on the Firepower 1000 and Secure Firewall 3100/4200.

7.6.0

You can now disable the front panel USB-A port on the Firepower 1000 and Secure Firewall 3100/4200. By default, the port is enabled.

New/modified Firewall Threat Defense CLI commands: system support usb show, system support usb port disable, system support usb port enable

New/modified FXOS CLI commands for the Secure Firewall 3100 in multi-instance mode: show usb-port, disable USB port, enable usb-port

See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Firepower 4100/9300 FXOS Command Reference

Device Management

Device templates.

7.4.1

Device templates allow you to deploy multiple branch devices with pre-provisioned initial device configurations (zero-touch provisioning). You can also apply configuration changes to multiple devices with different interface configurations, and clone configuration parameters from existing devices.

Restrictions: You can use device templates to configure a device as a spoke in a site-to-site VPN topology, but not as a hub. A device can be part of multiple hub-and-spoke site-to-site VPN topologies.

New/modified screens: Devices > Template Management

Supported platforms: Firepower 1000/2100, Secure Firewall 1200/3100. Note that Firepower 2100 support is for Firewall Threat Defense 7.4.1–7.4.x only; those devices cannot run Version 7.6.0.

See: Device Management Using Device Templates and Onboard Threat Defense Devices using Device Templates to Cloud-delivered Firewall Management Center using Zero-Touch Provisioning.

AAA for user-defined VRF interfaces.

7.6.0

A device's authentication, authorization, and accounting (AAA) is now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces. The default is to use the management interface.

In device platform settings, you can now associate a security zone or interface group having the VRF interface, with a configured external authentication server.

New/modified screens: Devices > Platform Settings > External Authentication

See: Enable Virtual-Router-Aware Interface for External Authentication of Platform

Policy Analyzer & Optimizer cross-launch for access control.

Any

The Policy Analyzer & Optimizer evaluates access control policies for anomalies such as redundant or shadowed rules, and can take action to fix discovered anomalies.

You can now launch the Policy Analyzer & Optimizer directly from the access control policy page. Choose Policies > Access Control, select policies, and click Analyze Policies.
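As an added illustration (not Cisco's Policy Analyzer code), a simplified check of the kind the analyzer performs: rules are evaluated top-down with first match winning, so a later rule whose traffic is fully covered by an earlier one can never be hit. The rule model, the "shadowed" (actions differ) versus "redundant" (actions agree) labels, and the sample policy are assumptions for this example.

```python
# Added example, not Cisco code: a simplified shadowed/redundant-rule check
# over an access control policy (first-match, top-down evaluation).
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source network, CIDR
    dst: str        # destination network, CIDR
    ports: tuple    # (low, high) destination TCP port range, inclusive
    action: str     # "allow" or "block"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def analyze(rules):
    """Return {rule name: (kind, covering rule name)} for unreachable rules.

    A later rule fully covered by an earlier rule is never reached. We call it
    "redundant" when the actions agree (safe to delete) and "shadowed" when
    they differ (a likely policy mistake). Coverage by a *combination* of
    earlier rules is deliberately not detected here to keep the example short.
    """
    findings = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings[later.name] = (kind, earlier.name)
                break
    return findings


# Constructed sample policy (not from any real deployment).
SAMPLE_POLICY = [
    Rule("block-guest-to-dc", "10.20.0.0/16", "10.1.0.0/16", (1, 65535), "block"),
    Rule("allow-web", "0.0.0.0/0", "10.1.5.0/24", (80, 443), "allow"),
    Rule("allow-guest-web", "10.20.3.0/24", "10.1.5.10/32", (443, 443), "allow"),
    Rule("allow-web-dup", "10.30.0.0/16", "10.1.5.0/24", (443, 443), "allow"),
    Rule("allow-ssh-admin", "10.40.1.0/24", "10.1.0.0/16", (22, 22), "allow"),
]

if __name__ == "__main__":
    for name, (kind, by) in analyze(SAMPLE_POLICY).items():
        print(f"{name}: {kind} by {by}")
```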

High Availability/Scalability

Multi-instance mode for the Secure Firewall 4200.

7.6.0

Multi-instance mode is now supported on the Secure Firewall 4200.

See: Multi-Instance Mode for the Secure Firewall 3100/4200

Multi-instance mode conversion in the Firewall Management Center for the Secure Firewall 3100/4200.

7.6.0

You can now register an application-mode device to the Firewall Management Center and then convert it to multi-instance mode without having to use the CLI.

New/modified screens:

  • Devices > Device Management > > Convert to Multi-Instance

  • Devices > Device Management > Select Bulk Action > Convert to Multi-Instance

See: Convert a Device to Multi-Instance Mode

16-node clusters for the Secure Firewall 3100/4200.

7.6.0

For the Secure Firewall 3100 and 4200, the maximum nodes were increased from 8 to 16.

See: Clustering for the Secure Firewall 3100/4200

Individual interface mode for Secure Firewall 3100/4200 clusters.

7.6.0

Individual interfaces are normal routed interfaces, each with their own local IP address used for routing. The main cluster IP address for each interface is a fixed address that always belongs to the control node. When the control node changes, the main cluster IP address moves to the new control node, so management of the cluster continues seamlessly. Load balancing must be configured separately on the upstream switch.

Restrictions: Not supported for container instances.

New/modified screens:

  • Devices > Device Management > Add Cluster

  • Devices > Device Management > Cluster > Interfaces / EIGRP / OSPF / OSPFv3 / BGP

  • Objects > Object Management > Address Pools > MAC Address Pool

See: Clustering for the Secure Firewall 3100/4200 and Address Pools

Deploy virtual firewall clusters across multiple AWS availability zones.

7.6.0

You can now deploy Firewall Threat Defense Virtual clusters across multiple availability zones in an AWS region. This enables continuous traffic inspection and dynamic scaling (AWS Auto Scaling) during disaster recovery.

See: Deploy a Threat Defense Virtual Cluster on AWS

Deploy Firewall Threat Defense Virtual for AWS in two-arm mode with GWLB.

7.6.0

You can now deploy Firewall Threat Defense Virtual for AWS in two-arm mode with GWLB. This allows you to forward internet-bound traffic directly after inspection, while also performing network address translation (NAT). Two-arm mode is supported in single-VPC and multi-VPC environments.

Restrictions: Not supported with clustering.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

Interfaces

Deploy without the diagnostic interface on Firewall Threat Defense Virtual for Azure and GCP.

7.4.1

You can now deploy without the diagnostic interface on Firewall Threat Defense Virtual for Azure and GCP. Previously, we required one management, one diagnostic, and at least two data interfaces. New interface requirements are:

  • Azure: one management, two data (max eight)

  • GCP: one management, three data (max eight)

Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

SD-WAN

SD-WAN wizard.

Hub: 7.6.0

Spoke: 7.3.0

A new wizard allows you to easily configure VPN tunnels between your centralized headquarters and remote branch sites.

New/modified screens: Devices > VPN > Site To Site > Add > SD-WAN Topology

See: Configure an SD-WAN Topology Using the SD-WAN Wizard

Access Control: Threat Detection and Application Identification

QUIC decryption.

7.6.0 with Snort 3

You can configure the decryption policy to apply to sessions running on the QUIC protocol. QUIC decryption is disabled by default. You can selectively enable QUIC decryption per decryption policy and write decryption rules to apply to QUIC traffic. By decrypting QUIC connections, the system can then inspect the connections for intrusion, malware, or other issues. You can also apply granular control and filtering of decrypted QUIC connections based on specific criteria in the access control policy.

We modified the decryption policy Advanced Settings to include the option to enable QUIC decryption.

See: Decryption Policy Advanced Options

Snort ML: neural network-based exploit detector.

7.6.0 with Snort 3

A new Snort 3 inspector, snort_ml, uses neural network-based machine learning (ML) to detect known and 0-day attacks without needing multiple preset rules. The inspector subscribes to HTTP events and looks for the HTTP URI, which in turn is used by a neural network to detect exploits (currently limited to SQL injections). The new inspector is currently disabled in all default policies except maximum detection.

A new intrusion rule, GID:411 SID:1, generates an event when the snort_ml detects an attack. This rule is also currently disabled in all default policies except maximum detection.
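As an added example (not Cisco or Snort code), a small triage script for events from the snort_ml rule described above: it parses alert lines in an alert_fast-style layout, counts GID 411 / SID 1 hits per source, and notes whether any signature-based rule also fired from that source, since an ML-only hit is exactly the case the inspector exists for. The sample alert lines and rule messages are constructed for this example.

```python
# Added example, not Cisco/Snort code: summarize snort_ml (GID 411, SID 1)
# events from alert_fast-style lines and check for signature corroboration.
import re
from collections import Counter

# Layout assumed here: "<ts> [**] [gid:sid:rev] "msg" [**] ... {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r'^\S+ \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "(?P<msg>[^"]*)" \[\*\*\]'
    r'.*?\{(?P<proto>\w+)\} (?P<src>[^ ]+):(?P<sport>\d+) -> (?P<dst>[^ ]+):(?P<dport>\d+)$'
)

SNORT_ML_RULE = (411, 1)   # GID:411 SID:1 from the release note

# Constructed sample input (addresses are documentation ranges, messages invented).
SAMPLE_ALERTS = """\
10/30-09:12:01.123456 [**] [411:1:1] "(snort_ml) constructed: possible exploit in HTTP URI" [**] [Priority: 1] {TCP} 203.0.113.7:51822 -> 192.0.2.10:80
10/30-09:12:01.223456 [**] [1:2003:12] "(constructed) generic web signature" [**] [Priority: 2] {TCP} 203.0.113.7:51823 -> 192.0.2.10:80
10/30-09:12:03.000001 [**] [411:1:1] "(snort_ml) constructed: possible exploit in HTTP URI" [**] [Priority: 1] {TCP} 198.51.100.23:4410 -> 192.0.2.10:443
10/30-09:12:05.000001 [**] [411:1:1] "(snort_ml) constructed: possible exploit in HTTP URI" [**] [Priority: 1] {TCP} 203.0.113.7:51830 -> 192.0.2.11:80
not an alert line
"""


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def snort_ml_summary(text):
    """Per source IP with at least one snort_ml event: number of snort_ml
    events and number of other (signature) rule events from the same source."""
    ml, other = Counter(), Counter()
    for line in text.splitlines():
        ev = parse_alert(line)
        if ev is None:
            continue   # skip non-alert noise rather than failing
        if (int(ev["gid"]), int(ev["sid"])) == SNORT_ML_RULE:
            ml[ev["src"]] += 1
        else:
            other[ev["src"]] += 1
    return {src: {"snort_ml": n, "other_rules": other.get(src, 0)} for src, n in ml.items()}


if __name__ == "__main__":
    for src, counts in snort_ml_summary(SAMPLE_ALERTS).items():
        flag = "" if counts["other_rules"] else "  (ML-only, no signature hit)"
        print(f"{src}: {counts}{flag}")
```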

See: Snort 3 Inspector Reference

Allow Cisco Talos to conduct advanced threat hunting and intelligence gathering using your traffic.

7.6.0 with Snort 3

Upgrade impact. Upgrade enables telemetry.

You can help Talos (Cisco’s threat intelligence team) develop a more comprehensive understanding of the threat landscape by enabling threat hunting telemetry. With this feature, events from special intrusion rules are sent to Talos to help with threat analysis, intelligence gathering, and development of better protection strategies. This setting is enabled by default in new and upgraded deployments.

New/modified screens: System (system gear icon) > Configuration > Intrusion Policy Preferences > Talos Threat Hunting Telemetry

See: Intrusion Policy Preferences

Access Control: Identity

Passive identity agent for Microsoft AD.

Any

This feature is introduced.

Passive Identity Agent version 1.1 is compatible with 7.6.0 and later and adds the following:

  • You can use either FQDN, IPv4, or IPv6 to connect from the Passive Identity Agent to the Secure Firewall Management Center or Cisco Security Cloud Control.

  • Sends both IPv4 and IPv6 user sessions from Microsoft Active Directory (AD) to the Firewall Management Center.

  • You can zip troubleshooting logs.

  • When you start the Passive Identity Agent software, a list of prerequisites is displayed.

The Passive Identity Agent identity source sends session data from Microsoft Active Directory (AD) to the Firewall Management Center. Passive identity agent software is supported on:

  • Microsoft AD server (Windows Server 2008 or later)

  • Microsoft AD domain controller (Windows Server 2008 or later)

  • Any client connected to the domain you want to monitor (Windows 8 or later)

See: User Control With the Passive Identity Agent.

pxGrid Cloud Identity Source.

The Cisco Identity Services Engine (Cisco ISE) pxGrid Cloud Identity Source enables you to use subscription and user data from Cisco ISE in Cloud-Delivered Firewall Management Center access control rules. Also, the identity source uses constantly changing dynamic objects from Cisco ISE in access control policies in the Cloud-Delivered Firewall Management Center.

New/updated screens: Integration > Other Integrations > Identity Sources > Identity Services Engine (pxGrid Cloud)

See: User Control with the pxGrid Cloud Identity Source

New connectors for Cisco Secure Dynamic Attributes Connector.

Any

Cisco Secure Dynamic Attributes Connector now supports AWS security groups, AWS service tags, and Cisco Cyber Vision.

Version restrictions: For on-prem Cisco Secure Dynamic Attributes Connector integrations, requires Version 3.0.

See: Amazon Web Services Connector—About User Permissions and Imported Data

Microsoft Azure AD realms for active or passive authentication.

Active: 7.6.0 with Snort 3

Passive: 7.4.1 with Snort 3

You can now use Microsoft Azure Active Directory (AD) realms for active and passive authentication:

  • Active authentication using Azure AD: Use Azure AD as a captive portal.

  • Passive authentication using Cisco ISE (introduced in Version 7.4.0): The Firewall Management Center gets groups from Azure AD and logged-in user session data from ISE.

We use SAML (Security Assertion Markup Language) to establish a trust relationship between a service provider (the devices that handle authentication requests) and an identity provider (Azure AD). For upgraded Firewall Management Centers, existing Azure AD realms are displayed as SAML - Azure AD realms.

Upgrade impact. If you had a Microsoft Azure AD realm configured before the upgrade, it is displayed as a SAML - Azure AD realm configured for passive authentication. All previous user session data is preserved.

New/modified screens: Integration > Other Integrations > Realms > Add Realm > SAML - Azure AD

New/modified CLI commands: none

See: Create a Microsoft Azure AD (SAML) Realm.

Event Logging and Analysis

MITRE and other enrichment information in connection events.

7.6.0 with Snort 3

MITRE and other enrichment information in connection events makes it easy to access contextual information for detected threats. This includes information from Talos and from the encrypted visibility engine (EVE). For EVE enrichment, you must enable EVE.

Connection events have two new fields, available in both the unified and classic event viewers:

  • MITRE ATT&CK: Click the progression graph to see an expanded view of threat details, including tactics and techniques.

  • Other Enrichment: Click to see any other available enrichment information, including from EVE.

The new Talos Connectivity Status health module monitors Firewall Management Center connectivity with Talos, which is required for this feature.

See: Configure EVE.

Administration

New theme for the Firewall Management Center.

Any

We introduced new left-hand navigation for the cloud-delivered Firewall Management Center for streamlined usability, and updated the look and feel of the interface.