Firepower 7.0 New Features
We are working hard on incredible new Cisco Firepower training for you here at Lammle.com. To celebrate, let’s review some of the key new features of the crown jewel in the Cisco security portfolio.
- Deploy FMCv, FTDv, and NGIPSv virtual appliances on VMware vSphere/VMware ESXi 7.0
- Cisco HyperFlex, Nutanix Enterprise Cloud, and OpenStack support for FMCv and FTDv
- Firepower Threat Defense Virtual now supports performance-tiered Smart Software Licensing, based on throughput requirements and RA VPN session limits
- FTD CLI show cluster history improvements
- FTD CLI command to permanently leave a cluster
- Prioritized system-defined NAT rules
- Virtual router support for the ISA 3000
- Backup virtual tunnel interfaces (VTI) for route-based site-to-site VPN
- Load balancing
- Support local authentication for RA VPN users
- New dynamic access policy allows configuration of remote access VPN authorization that automatically adapts to a changing environment
- Snort 3 for Firepower Threat Defense
- Dynamic objects in access control rules
- Configure user identity rules with users from MS Active Directory forests
- DNS filtering enabled by default in new access control policies
- Improved process for storing events in a Stealthwatch on-prem deployment
- Work with events stored remotely in a Stealthwatch on-prem deployment
- The unified event viewer (Analysis > Unified Events) displays connection, Security Intelligence, intrusion, file, and malware events in a single table
- The SecureX ribbon on the Firepower Management Center pivots into SecureX for instant visibility into the threat landscape across your Cisco security products
- Improved upgrade performance and status reporting
- Zero-touch restore for the ISA 3000 using the SD card
- Selectively deploy RA and site-to-site VPN policies
- New health modules
- Global search for policies and objects
- Hardware crypto acceleration on FTDv using Intel QuickAssist Technology (QAT)
- Improved CPU usage and performance for many-to-one and one-to-many connections
- More Firepower Management Center REST API services/operations to support new and existing features
Hello Todd, any idea of when 7.0 might be considered stable for prod, or when it will be marked as the gold star?
We are still on 6.6 for our greenfield setup, soon to be in prod. The features are very tempting.
Thanks!
7.0 is superior in every way to the 6.6 and 6.7 codes. I now recommend and update all my customers to 7.0.
We are just finishing beta for 7.1, which adds another couple dozen great features. I recommend it now.
thanks,
Todd
Thanks Todd!
Also, 6.7 introduced FMC HA. So, from 6.6, 7.0 seems to be the way to go. I like where the product is going.
Nico
7.1 is twice as good as 6.7; I highly recommend it.
Hi Todd,
Great article! Do you anticipate any major bugs on FTD version 7.0 patch 1? I’m thinking of recommending a client of mine to upgrade to this version due to all the new features, but I’m a bit apprehensive about it because it’s not the recommended release yet. Would you say it’s production ready based on what you know?
Thanks,
Jacopo
It is mostly production ready, as it’s better than 6.7, that’s for sure.
We are just finishing 7.1 beta and that will be out around end of Oct, if not sooner, so I’d just wait for that at this point. 7.1 has even more features that are really awesome! As well as some fixes for a couple issues we found in 7.0 release…
Nice update Todd! Thanks for the work.
Hi Todd,
Can you have ASA firewall 112, CML image (works only as firewall) connected directly to Cisco ASA 1120, FTD image (works only as the threat defense IPS, AMP, URL)?
If so what is the best design for that? Do you have some link to check it?
Yes, I actually run that design in my home office. I don’t have a link, but I connect the ASA to the internet with port E1/1, and then port E1/2 goes to E1/1 of the FTD. E1/2 of the FTD goes to the inside network. If you set both to factory default, that design will work with you having to do no configuration. Very cool. The FTD does security and logging for me, and you have to configure the Snort process using FDM or the FMC.
We do not use FTD in our environments, just SFR on ASAs, everything (including the PXGrid) works fine, is the upgrade worth it?
Probably not. If you wanted to go to FTD for all the new features, then yes, but if you are happy with what you have and it is working just fine, you should just leave it for now. However, the ASA and the Firepower module that goes with it are all end of life, so you’ll have to migrate within the next year or so.
Hi Todd,
I wonder if you had an issue with connection timeout. I discovered that 7.0.1 resets active connections after an hour (default connection timeout 1 hour); FTD is not aware that the connection is still active.
First, I recommend you upgrade to 7.1 and try that. If no luck, contact TAC because that’s not correct.
I just upgraded to 7.0.1 and have this issue. Active sessions are being timed out at exactly 3599 seconds. Was TAC’s recommendation to upgrade to 7.1 even though 7.0.1 is gold?
Rob, go to 7.1.0.1 ASAP. 7.0 is not gold in any sense.
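One way to confirm the symptom Rob describes (active sessions ending at exactly 3599 seconds) before opening a TAC case is to look at exported connection events and check whether long-lived sessions cluster right at the 1-hour timeout instead of ending at scattered durations. This is an added example, not code from the post or from Cisco; the CSV layout and the sample rows are constructed for illustration and do not match any FMC export format.

```python
"""Flag connections whose lifetime sits right at the 1-hour default timeout."""
from collections import Counter
from datetime import datetime

# Constructed sample export (not Cisco's own format): one row per connection with
# first-packet time, last-packet time, zones, source, destination, destination port.
SAMPLE_EVENTS = """\
2023-03-01T10:00:00,2023-03-01T10:59:59,Inside,Outside,10.1.1.5,203.0.113.10,443
2023-03-01T10:05:10,2023-03-01T11:05:09,Inside,Outside,10.1.1.7,203.0.113.22,22
2023-03-01T10:20:00,2023-03-01T10:23:15,Inside,Outside,10.1.1.9,203.0.113.5,443
2023-03-01T11:00:00,2023-03-01T11:59:59,Inside,Outside,10.1.1.5,203.0.113.10,3389
"""

DEFAULT_TIMEOUT_S = 3600  # the 1-hour default connection timeout the thread refers to
TOLERANCE_S = 5           # durations within this many seconds of the timeout are suspect


def parse_events(text):
    """Parse the constructed CSV into (duration_seconds, src, dst, port) tuples."""
    rows = []
    for line in text.strip().splitlines():
        first, last, _, _, src, dst, port = line.split(",")
        t0 = datetime.fromisoformat(first)
        t1 = datetime.fromisoformat(last)
        rows.append((int((t1 - t0).total_seconds()), src, dst, int(port)))
    return rows


def timeout_suspects(events, timeout=DEFAULT_TIMEOUT_S, tol=TOLERANCE_S):
    """Return connections whose lifetime falls within `tol` seconds of `timeout`.

    Sessions that should stay up for hours (SSH, RDP, ...) all ending a few
    seconds short of the timeout is the pattern described in the thread; a
    histogram of those durations is useful evidence to attach to a TAC case.
    """
    return [e for e in events if timeout - tol <= e[0] <= timeout]


def summarize(text):
    """Return (total_events, suspect_count, {duration: count}) for an export."""
    events = parse_events(text)
    suspects = timeout_suspects(events)
    return len(events), len(suspects), dict(Counter(e[0] for e in suspects))


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
```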
Did 7.1.0.1 solve your issue?
Hey Todd,
What are your thoughts on 7.2? I am currently on 7.0.4. Should I move to 7.1 or 7.2?
7.2 seems pretty stable, but I tell everyone to go to 7.1.0.1 instead of any 7.0 code. It’s superior.
I didn’t think you could upgrade from 7.0.4 to 7.1?
Yes, sure, but I recommend 7.2 because of the enhancements of the features.
Have you had any issues with 7.0.4? We are in the process of upgrading from 6.4.x.
Go to 7.2.
Thanks! The main thing that was making me think about 7.2 is that EVE is in beta for 7.1 and official in 7.2.
Yes, that is true, but it’s not 100% in 7.2, although it’s good. I’m in beta for 7.3 and it’s superior, but I have not had any issues with 7.2, but I’m leery about suggesting .0 code :)
Any comments for 7.3? I’m tempted to use it in production :)
I second this question. I am debating on going to 7.2.2 or 7.3.0. What are your thoughts?
7.4.1 is what I suggest… it’s the best code by far.
7.3.1.1 is pretty good and solid, but 7.4.1 is better
BTW, use 7.2.1; there is a bug with URL classification in 7.2.0.
Thank you!
Hi,
Is VPN traffic Snort-inspected in FTD?
Not by default, but you can.
Can you please help with this? Please share details.