Features and Functionality

Patches contain new features, functionality, and behavior changes related to urgent or resolved issues.

Features for Firepower Management Center Deployments


Note

Version 6.6.0/6.6.x is the last release to support the Cisco Firepower User Agent software as an identity source. You cannot upgrade a Firepower Management Center with user agent configurations to Version 6.7.0+. You should switch to Cisco Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC). This will also allow you to take advantage of features that are not available with the user agent. To convert your license, contact your Cisco representative or partner contact.

For more information, see the End-of-Life and End-of-Support for the Cisco Firepower User Agent announcement and the Firepower User Identity: Migrating from User Agent to Identity Services Engine TechNote.

New Features in FMC Version 6.5.0 Patches

Table 1.

Feature

Description

Version 6.5.0.5

Default HTTPS server certificates

Upgrade impact.

Unless the FMC's current default HTTPS server certificate already has an 800-day lifespan, upgrading to Version 6.5.0.5+ renews the certificate, which now expires 800 days from the date of the upgrade. All future renewals have an 800 day lifespan.

Your old certificate was set to expire depending on when it was generated, as follows:

  • 6.5.0 to 6.5.0.4: 3 years

  • 6.4.0.9 and later patches: 800 days

  • 6.4.0 to 6.4.0.8: 3 years

  • 6.3.0 and all patches: 3 years

  • 6.2.3: 20 years

Deprecated Features in FMC Version 6.5.0 Patches

Table 2.

Feature

Upgrade Impact

Description

Version 6.5.0.2

Egress optimization

Patching turns off egress optimization processing.

To mitigate CSCvq34340, patching Firepower Threat Defense to Version 6.5.0.2+ turns off egress optimization processing. This happens regardless of whether the egress optimization feature is enabled or disabled.

Note 

We recommend you upgrade to Version 6.6.0+, where this issue is fixed. That will turn egress optimization back on, if you left the feature 'enabled.'

If you remain at Version 6.5.0 or 6.5.0.1, you should manually disable egress optimization from the FTD CLI: no asp inspect-dp egress-optimization .

For more information, see the software advisory: FTD traffic outage due to 9344 block size depletion caused by the egress optimization feature.

Features for Firepower Device Manager Deployments

New Features in FDM Version 6.5.0 Patches

Table 3.

Feature

Description

Version 6.5.0.5

Default HTTPS server certificates

Upgrade impact.

Unless the device's current default HTTPS server certificate already has an 800-day lifespan, upgrading to Version 6.5.0.5+ renews the certificate, which now expires 800 days from the date of the upgrade. All future renewals have an 800 day lifespan.

Your old certificate was set to expire depending on when it was generated, as follows:

  • 6.5.0 to 6.5.0.4: 3 years

  • 6.4.0.9 and later patches: 800 days

  • 6.4.0 to 6.4.0.8: 3 years

  • 6.3.0 and all patches: 3 years

  • 6.2.3: 20 years

Deprecated Features in FDM Version 6.5.0 Patches

Table 4.

Feature

Upgrade Impact

Description

Version 6.5.0.2

Egress optimization

Patching turns off egress optimization processing.

To mitigate CSCvq34340, patching a Firepower Threat Defense to Version 6.5.0.2+ turns off egress optimization processing. This happens regardless of whether the egress optimization feature is enabled or disabled.

Note 

We recommend you upgrade to Version 6.6.0+, where this issue is fixed. That will turn egress optimization back on, if you left the feature 'enabled.'

If you remain at Version 6.5.0 or 6.5.0.1, you should manually disable egress optimization from the FTD CLI: no asp inspect-dp egress-optimization .

For more information, see the software advisory: FTD traffic outage due to 9344 block size depletion caused by the egress optimization feature.

Intrusion Rules and Keywords

Upgrades can import and auto-enable intrusion rules.

Intrusion rule updates (SRUs) provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU.

After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.

Supported keywords depend on your Snort version:

  • FMC: Choose Help > About.

  • FTD with FDM: Use the show summary CLI command.

  • ASA FirePOWER with ASDM: Choose ASA FirePOWER Configuration > System Information.

You can also find your Snort version in the Bundled Components section of the Cisco Firepower Compatibility Guide.

The Snort release notes contain details on new keywords. You can read the release notes on the Snort download page: https://www.snort.org/downloads.

How-To Walkthroughs for the FMC

FMC walkthroughs (also called how-tos) guide you through a variety of basic tasks such as device setup and policy configuration. Just click How To at the bottom of the browser window, choose a walkthrough, and follow the step-by-step instructions.


Note

FMC walkthroughs are tested on the Firefox and Chrome browsers. If you encounter issues with a different browser, we ask that you switch to Firefox or Chrome. If you continue to encounter issues, contact Cisco TAC.

The following table lists some common problems and solutions. To end a walkthrough at any time, click the x in the upper right corner.

Table 5. Troubleshooting Walkthroughs

Problem

Solution

Cannot find the How To link to start walkthroughs.

Make sure walkthroughs are enabled. From the drop-down list under your username, select User Preferences then click How-To Settings.

Walkthrough appears when you do not expect it.

If a walkthrough appears when you do not expect it, end the walkthrough.

Walkthrough disappears or quits suddenly.

If a walkthrough disappears:

  • Move your pointer.

    Sometimes the FMC stops displaying an in-progress walkthrough. For example, pointing to a different top-level menu can make this happen.

  • Navigate to a different page and try again.

    If moving your pointer does not work, the walkthrough may have quit.

Walkthrough is out of sync with the FMC:

  • Starts on the wrong step.

  • Advances prematurely.

  • Will not advance.

If a walkthrough is out of sync, you can:

  • Attempt to continue.

    For example, if you enter an invalid value in a field and the FMC displays an error, the walkthrough can prematurely move on. You may need to go back and resolve the error to complete the task.

  • End the walkthrough, navigate to a different page, and try again.

    Sometimes you cannot continue. For example, if you do not click Next after you complete a step, you may need to end the walkthrough.

Sharing Data with Cisco

Web Analytics tracking

In Version 6.2.3+, Web analytics tracking sends non-personally-identifiable usage data to Cisco, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your FMCs.

You are enrolled in web analytics tracking by default (by accepting the Version 6.5.0+ EULA you consent to web analytics tracking), but you can change your enrollment at any time after you complete initial setup.


Note

Upgrades to Version 6.2.3 through 6.6.x can enroll you in web analytics tracking. This can occur even if you purposely unenrolled. If you do not want Cisco to collect this data, unenroll after upgrading.

Cisco Success Network

In Version 6.2.3+, Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support.

During initial setup and upgrades, you may be asked to enroll. You can also change your enrollment at any time.

Cisco Support Diagnostics

In Version 6.5.0+, Cisco Support Diagnostics (sometimes called Cisco Proactive Support) sends configuration and operational health data to Cisco, and processes that data through our automated problem detection system, allowing us to proactively notify you of issues. This feature also allows Cisco TAC to collect essential information from your devices during the course of a TAC case.

During initial setup and upgrades, you may be asked to enroll. You can also change your enrollment at any time.


Note

This feature is supported on Firepower Management Centers and their managed Firepower Threat Defense devices. In Version 6.5.0 only, FTD support is restricted to the Firepower 4100/9300 with FTD and FTDv for Azure. This feature is not supported with Firepower Device Manager.