Cisco Releases Firepower/FTD Code 6.2! Wait for 6.2.1….

| | |

Okay, sounds like I am going to bash Cisco Firepower/FTD code 6.2… Not so!
I now have all my Firepower customers and 36 Firepower training pods all upgraded to 6.2.

So why wait? Well if you’re strickly FTD then wouldn’t you want Anyconnect? Seems to be the Bain of all my customers having to run FTD because they bought the 4100, when they’d rather not run FTD right now (speaking of the 4100, it’s a shame that you can run it in ASA OR FTD mode, but not ASA/Firepower….but get used to it because that’s obviously our future). Hey, at least we get some CLI back – a little for verification…more CLI please. But no one is happy about missing anyconnect at the moment.

So, what did we get?
How about:
*EIGRP routing

Policy Change Improvement: Deploying policy changes to a Firepower Threat Defense device can result in restarting the SNORT process and the related loss of some packets. As part of a continuing effort to address this issue, Firepower Version 6.2.0 allows you to configure actions separately for fault conditions, such as SNORT Busy/Overload or SNORT Down. This feature allows you to emphasize either continuity or security by checking a checkbox option in the Firepower Management Center.

Management backwards compatibility: – you can only manage 6.1 or 6.2 devices.

New M4 based FMC hardware (secure boot): Versions prior to 6.2 will not run on the M4 or M3 hardware not manufactured after 2016.

FTDv on Azure: in Firepower Version 6.2, Cisco Firepower Threat Defense Virtual is available in the Microsoft Azure Marketplace. This new platform enables you to secure workloads consistently across the data center and public cloud. Managed centrally by an on-premises Firepower Management Center, Firepower Threat Defense Virtual provides advanced threat protection in the Azure environment without forcing customers to backhaul traffic to the data center.

-FDM enhancements (on-box manager)

PKI authentication for site-to-site VPN: Public Key Infrastructure (PKI) is required to create certificate-based trusted identities for devices establishing site-to-site VPN tunnels. This feature allows you to associate PKI certificate data with devices via the Firepower Management Center.

User-based IOCs: This feature allows you to generate user-based IOCs from intrusion events, or view the associations of users and IOCs. You can also enable and disable eventing of a given IOC per user (against false positives). With this feature, you can correlate IOCs and events to both hosts and users, plus give them more visibility and alerting options on a per-user basis.

Site-to-site VPN’s: The site-to-site VPN with PKI support is an addition to the current capability of site-to-site VPN with pre shared keys. The Firepower Device Management (FDM) also allows you to configure site-to-site VPN with pre shared keys.

-*ISE SGT without identity information (you won’t need an ISE server connection to use SGT in AC rules): Before Firepower Version 6.2.0, you had to create a realm and identity policy to perform user control-based on ISE Security Group Tag (SGT) data, even if you did not want to configure passive authentication using ISE. In Firepower Version 6.2, you no longer need to create a realm or identity policy to perform user control-based on ISE Security Group Tag (SGT) data.

Softswitch integrated routing and bridging (5506, 5508, 5516): Customers often want to have multiple physical interfaces configured to be part of the same VLAN. The IRB feature meets this demand by allowing users to configure bridges in routed mode, and enables the devices to perform L2 switching between interfaces (including subinterfaces).

ASA to FTD migration tool: Migrating from Cisco ASA to Firepower Threat Defense can be a daunting task for customers with multiple access control lists (ACLs), NAT policies, and related configuration objects. The migration tool is specifically designed to assist this migration process. The tool allows you to convert ASA configurations (ACL, NAT and related objects) to Firepower Threat Defense configurations, which you can then import into the Firepower Management Center. The migration tool supports the conversion of up to 600,000 total access rule elements per ASA configuration file.

*Packet tracer and packet capture on FMC: The Packet Tracer and Capture offers the ability to show all the processing steps that a packet takes, the outcomes, and whether the traffic is blocked or allowed. This allows users to initiate and display output of tracing from the Firepower Management Center. The tracing information includes information from SNORT and preprocessors about verdicts and action taken while processing a packet.

REST API improvements:Firepower Version 6.2.0 allows REST clients to create and configure interfaces for Firepower Threat Defense devices via the Firepower Management Center REST API. This feature enables the Firepower Management Center to interact with various Cisco products and services, as well as those from third-party vendors.

FlexConfig policy for FTD: The FlexConfig feature allows you use the Firepower Management Center to deploy ASA CLI template-based functionality to Firepower Threat Defense devices. This feature allows you to enable some of the most valuable ASA functions that are not currently available on Firepower Threat Defense devices. This functionality is structured as templates and objects that are stitched together in a policy.

User requested URL lookup: This feature allows you to perform a bulk lookup of URLs (up to 250 URLs at a time) to obtain information, such as reputation, category, and matching policy. You can also export the results as a file of comma-separated values.
The feature reduces the manual work necessary to determine if your organization is protected against a malicious URL or if you should add a custom rule for a specific IOC. You can use this feature to reduce the number of custom rules, which in turn reduces the chance of performance degradation due to extensive custom rule lists.

Iter-chassis clustering on FP4100 and FP9300: Clustering lets you group multiple FXOS chassis ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices. In Version 6.2, the Firepower System supports clustering across multiple chassis (inter-chassis clustering), allowing for higher scalability. You can use the Firepower Management Center to automatically discover all nodes of a cluster.

* denotes awesome or very cool feature

6.2.1 coming out next month…
*Remote access VPN (AnyConnect client VPN)
– AC rule bulk import via REST API
– Event scalability (event appliance cluster)
(more minor stuff)

Look for my new Firepower Threat Defense (FTD) I’m March with 6.2.1 code!
Here is the outline I am working on:
o ASA to FTD Device Installation
o FTD 6.2.1 Firepower Device Manager
o NGFWv and NGIPSv Device Installation
o Device Registration and Smart Licensing
o FMC Web Interface and New Features
o NGIPSv IDS and IPS Modes
o Firewall Mode and Interface Type
o Basic Configuration
o Routing – BGP
o Routing – EIGRP
o Network Address Translation (NAT)
o Prefilter Policy
o Multicast and QoS
o Safesearch and Youtube EDU
o Inline SGT
o ISE Remediation
o Site-to-Site VPN
o Anyconnect
o High Availability
o Conversion back to ASA

Nice!
Talk soon!
Todd Lammle