
Cisco Firepower Management Center New Features by Release
First Published: 2021-03-26
Last Modified: 2021-05-26

New Features by Release


This document lists new and deprecated features for each release.

Firepower Software Suggested Release


Suggested Release: Version 6.6.4
To take advantage of new features and resolved issues, we recommend you upgrade all eligible Firepower
appliances to the suggested release. On the Cisco Support & Download site, the Firepower suggested release
is marked with a gold star.

Suggested Releases for Older Appliances


If an appliance is too old to run the suggested release and you do not plan to refresh the hardware right now,
choose a major version then patch as far as possible. Some major versions are designated long-term or extra
long-term, so consider one of those. For an explanation of these terms, see Cisco NGFW Product Line Software
Release and Sustaining Bulletin.
If you are interested in a hardware refresh, contact your Cisco representative or partner contact.

Version 7.0.0
New Features in FMC Version 7.0.0
The list of new features for Firepower Management Center deployments is incomplete. We will address this
issue in the coming days.

Table 1: Hardware and Virtual Appliances

Feature: VMware vSphere/VMware ESXi 7.0 support
Description: You can now deploy FMCv, FTDv, and NGIPSv virtual appliances on VMware vSphere/VMware ESXi 7.0.

Feature: New virtual environments
Description: We introduced FMCv and FTDv for:
• Cisco HyperFlex
• Nutanix Enterprise Cloud
• OpenStack

Feature: FTDv performance tiered licensing
Description: The FTDv now supports performance-tiered Smart Licensing based on throughput requirements and RA VPN session limits. When the FTDv is licensed with one of the available performance licenses, two things occur. First, a rate limiter is installed that limits the device throughput to a specified level. Second, the number of VPN sessions is capped to the level specified by the license.

Table 2: Firepower Threat Defense: Management

Feature: Flow offload for container instances
Description: Container instances now support flow offload to hardware.
Supported platforms: Firepower 4100/9300

Feature: FTD CLI show cluster history improvements
Description: New keywords allow you to customize the output of the show cluster history command.
New/modified commands: show cluster history [brief] [latest] [reverse] [time]

Feature: FTD CLI command to permanently leave a cluster
Description: You can now use the FTD CLI to permanently remove a unit from the cluster, converting its configuration to a standalone device.
New/modified commands: cluster reset-interface-mode

Table 3: Firepower Threat Defense: NAT

Feature: New Section 0 for system-defined NAT rules
Description: We added a new Section 0 to the NAT rule table.
This section is exclusively for the use of the system. Any NAT rules that the system needs for normal functioning are added to this section, and these rules take priority over any rules you create. Previously, system-defined rules were added to Section 1, and user-defined rules could interfere with proper system functioning.
You cannot add, edit, or delete Section 0 rules, but you will see them in show nat detail command output.
Supported platforms: Firepower Threat Defense

Table 4: Firepower Threat Defense: Virtual Routing

Feature: Virtual router support for the ISA 3000
Description: You can now configure up to 10 virtual routers on an ISA 3000 device.
Supported platforms: ISA 3000

Table 5: Firepower Threat Defense: Site to Site VPN

Feature: Backup virtual tunnel interfaces (VTI) for route-based site-to-site VPN
Description: When you configure a site-to-site VPN that uses virtual tunnel interfaces, you can select a backup VTI for the tunnel.
Specifying a backup VTI provides resiliency, so that if the primary connection goes down, the backup connection might still be functional. For example, you could point the primary VTI to the endpoint of one service provider, and the backup VTI to the endpoint of a different service provider.
New/modified pages: We added the ability to add a backup VTI to the site-to-site VPN wizard when you select Route-Based as the VPN type for a point-to-point connection.
Supported platforms: Firepower Threat Defense

Table 6: Access Control

Feature: Snort 3 for Firepower Threat Defense
Description: For new Version 7.0.0+ Firepower Threat Defense deployments, Snort 3 is the default inspection engine. Upgraded deployments continue to use Snort 2, but you can switch at any time.
A Version 7.0.0+ Firepower Management Center can manage a deployment with both Snort 2 and Snort 3 devices. The system automatically applies the correct policies to each device.
A Snort 3 intrusion rule update is called an LSP (Lightweight Security Package) rather than an SRU. The system still uses SRUs for Snort 2; downloads from Cisco contain both the latest LSP and SRU. The system automatically uses the appropriate rule set for your configurations.
Important: Before you switch, we strongly recommend you read and understand the Firepower Management Center Snort 3 Configuration Guide. Pay special attention to feature limitations and migration instructions. Although upgrading to Snort 3 is designed for minimal impact, features do not map exactly. Careful planning and preparation can help you make sure that traffic is handled as expected.
Supported platforms: Firepower Threat Defense

Feature: Dynamic objects
Description: You can now configure dynamic objects and use them in access control rules.
A dynamic object represents a container for IP addresses/subnets that you can use much like a network object. However, you update the dynamic object IP address mappings using the Firepower Management Center REST API, not the FMC web interface.
When you use dynamic objects in access control, changes to mappings take effect immediately, without having to deploy. This gives you flexibility in dynamic virtual/cloud and other similar environments.
Note that dynamic objects support CIDR notation, but do not support fully-qualified domain names or address ranges.
New/modified pages:
• To create a dynamic object, use Objects > Object Management > External Attributes > Dynamic Objects.
• To use a dynamic object, use the new Dynamic Attributes tab in the access control rule editor.
Supported platforms: Firepower Management Center

Feature: Cross-domain trust for Active Directory domains
Description: You can now configure user identity rules with users from Microsoft Active Directory forests (groupings of AD domains that trust each other).
New/modified pages:
• You now configure a realm and directories at the same time.
• A new Sync Results page (System > Integration > Realms > Sync Results) displays any errors related to downloading users and groups in a cross-domain trust relationship.
Supported platforms: Firepower Management Center

Feature: DNS filtering
Description: DNS filtering, which was introduced as a Beta feature in Version 6.7.0, is now fully supported and is enabled by default in new access control policies.
Supported platforms: All
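The Dynamic objects row above says mappings are changed only through the REST API, that CIDR notation is accepted, and that FQDNs and address ranges are not. The following script is an added example, not Cisco's code or part of this document: it validates a batch of candidate mappings client-side so a bad entry is caught before any API call, and assembles the add/remove body. The endpoint path, the placeholder UUIDs and the body shape are assumptions from memory of the FMC REST API and must be checked against the Firepower Management Center REST API Quick Start Guide, Version 7.0, which the page itself points to.

```python
"""Validate and assemble a dynamic object mapping update for the FMC REST API.

Added example, not Cisco code. Dynamic object mappings accept hosts and CIDR
blocks; FQDNs and address ranges are rejected here so the failure is local
and explicit. ASSUMPTION: MAPPINGS_PATH and the add/remove body layout are
from memory of the FMC REST API, not from the release note; verify them
against the REST API Quick Start Guide before use.
"""
import ipaddress
import json
from typing import Dict, Iterable, List, Tuple

# ASSUMED endpoint; the domain UUID is a placeholder to fill from your FMC.
MAPPINGS_PATH = "/api/fmc_config/v1/domain/{domain_uuid}/object/dynamicobjectmappings"

# Constructed sample input: a mix of valid and invalid entries.
SAMPLE_INPUT = [
    "10.1.1.0/24",          # CIDR block: supported
    "198.51.100.7",         # single host: supported
    "2001:db8::/48",        # IPv6 CIDR: supported
    "app.example.com",      # FQDN: not supported by dynamic objects
    "10.1.1.1-10.1.1.50",   # address range: not supported
    "10.1.1.5/24",          # host bits set: ambiguous, reject
    " 198.51.100.7 ",       # duplicate once whitespace is stripped
]


def _is_address_range(text: str) -> bool:
    """True for 'a.b.c.d-e.f.g.h' style ranges (both halves parse as IPs)."""
    left, sep, right = text.partition("-")
    if not sep:
        return False
    try:
        ipaddress.ip_address(left)
        ipaddress.ip_address(right)
    except ValueError:
        return False
    return True


def validate_mapping(value: str) -> str:
    """Return a canonical host or CIDR string, or raise ValueError."""
    text = value.strip()
    if _is_address_range(text):
        raise ValueError(f"address ranges are not supported: {text}")
    try:
        if "/" in text:
            # strict=True rejects a prefix with host bits set (10.1.1.5/24)
            return str(ipaddress.ip_network(text, strict=True))
        return str(ipaddress.ip_address(text))
    except ValueError as exc:
        # Non-IP literals such as FQDNs end up here as well.
        raise ValueError(f"not a host address or CIDR block: {text} ({exc})") from None


def triage_mappings(values: Iterable[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split inputs into accepted canonical mappings and (input, reason) rejects."""
    accepted: Dict[str, None] = {}      # dict keeps insertion order and de-duplicates
    rejected: List[Tuple[str, str]] = []
    for raw in values:
        try:
            accepted[validate_mapping(raw)] = None
        except ValueError as exc:
            rejected.append((raw.strip(), str(exc)))
    return list(accepted), rejected


def build_mapping_update(object_id: str, object_name: str,
                         add: Iterable[str] = (), remove: Iterable[str] = ()) -> dict:
    """Assemble the ASSUMED add/remove body for a mappings POST."""
    obj = {"id": object_id, "name": object_name, "type": "DynamicObject"}
    body: Dict[str, list] = {}
    add_list = [validate_mapping(m) for m in add]
    remove_list = [validate_mapping(m) for m in remove]
    if add_list:
        body["add"] = [{"dynamicObject": obj, "mappings": add_list}]
    if remove_list:
        body["remove"] = [{"dynamicObject": obj, "mappings": remove_list}]
    if not body:
        raise ValueError("nothing to add or remove")
    return body


if __name__ == "__main__":
    ok, bad = triage_mappings(SAMPLE_INPUT)
    for entry, reason in bad:
        print(f"rejected {entry!r}: {reason}")
    update = build_mapping_update("PLACEHOLDER-OBJECT-UUID", "cloud-web-servers", add=ok)
    print("POST", MAPPINGS_PATH.format(domain_uuid="PLACEHOLDER-DOMAIN-UUID"))
    print(json.dumps(update, indent=2))
```

Because mapping changes take effect without a deploy, a rejected-entries report like the one this script prints is worth keeping with the automation's logs: it is the only record of what was pushed to an access control rule and when.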

Table 7: Event Logging and Analysis

Feature: Unified event viewer
Description: View and work in a single table with multiple event types: connection (including Security Intelligence), intrusion, file, and malware.
New/modified pages: Analysis > Unified Events.
Supported platforms: Firepower Management Center

Feature: Port and protocol displayed together in file and malware event tables
Description: In file and malware event tables, the port field now displays the protocol, and you can search port fields for protocol. For events that existed before upgrade, if the protocol is not known, the system uses "tcp."
New/modified pages:
• Analysis > Files > Malware Events
• Analysis > Files > File Events
Supported platforms: Firepower Management Center

Table 8: Firepower Threat Defense: Upgrade

Feature: Improved upgrade performance and status reporting
Description: Firepower Threat Defense upgrades are now easier, faster, more reliable, and take up less disk space. A new Upgrades tab in the Message Center provides further enhancements to upgrade status and error reporting.
Supported platforms: Firepower Threat Defense

Feature: Easy-to-follow upgrade workflow
Description: A new device upgrade page (Devices > Upgrade) on the Version 7.0.0 Firepower Management Center provides an easy-to-follow workflow for upgrading Version 6.4.0+ Firepower Threat Defense devices.
The system walks you through important pre-upgrade stages, including:
• Selecting devices to upgrade.
• Copying the upgrade package to the devices.
• Compatibility and readiness checks.
To begin, use the new Upgrade Firepower Software action on the Device Management page (Devices > Device Management > Select Action).
Note: You must still use the System Updates page (System > Updates) to upload or specify the location of Firepower Threat Defense upgrade packages. You must also use the System Updates page to upgrade the Firepower Management Center itself, as well as all non-Firepower Threat Defense managed devices.
As you proceed with the upgrade workflow, the system displays basic information about your selected devices, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a device does not "pass" a stage in the workflow, it does not appear in the next stage.
If you navigate away from the workflow, your progress is preserved, although other users with Administrator access can reset, modify, or continue the workflow.
Note: In Version 7.0.0/7.0.x, the Device Upgrade page does not correctly display devices in clusters or high availability pairs. Even though you must select and upgrade these devices as a unit, the workflow displays them as standalone devices. Device status and upgrade readiness are evaluated and reported on an individual basis. This means it is possible for one unit to appear to "pass" to the next stage while the other unit or units do not. However, these devices are still grouped. Running a readiness check on one runs it on all. Starting the upgrade on one starts it on all. To avoid possible time-consuming upgrade failures, manually ensure all group members are ready to move on to the next step of the workflow before you click Next.
Supported platforms: Firepower Threat Defense

Feature: Upgrade more devices at once
Description: The Firepower Threat Defense upgrade workflow lifts the following restrictions:
• Simultaneous device upgrades. The number of devices you can upgrade at once is now limited by your management network bandwidth—not the system's ability to manage simultaneous upgrades. Previously, we recommended against upgrading more than five devices at a time.
Important: Only upgrades to FTD Version 6.7.0+ see this improvement. If you are upgrading devices to an older FTD release—even if you are using the new upgrade workflow—we still recommend you limit to five devices at a time.
• Grouping upgrades by device model. You can now queue and invoke upgrades for all Firepower Threat Defense models at the same time, as long as the system has access to the appropriate upgrade packages. Previously, you would choose an upgrade package, then choose the devices to upgrade using that package. That meant that you could upgrade multiple devices at the same time only if they shared an upgrade package. For example, you could upgrade two Firepower 2100 series devices at the same time, but not a Firepower 2100 series and a Firepower 1000 series.
Supported platforms: Firepower Threat Defense

Table 9: Administration and Troubleshooting

Feature: Zero-touch restore for the ISA 3000 using the SD card
Description: When you perform a local backup, the backup file is copied to the SD card if present. To restore the configuration on a replacement device, simply install the SD card in the new device, and depress the Reset button for 3 to 15 seconds during the device bootup.
Supported platforms: ISA 3000

Feature: New health modules
Description: We added the following health modules:
• AMP Connection Status
• AMP Threat Grid Status
• ASP Drop
• Advanced Snort Statistics
• Chassis Status FTD
• Event Stream Status
• FMC Access Configuration Changes
• FMC HA Status (replaces HA Status)
• FTD HA Status
• File System Integrity Check
• Flow Offload
• Hit Count
• MySQL Status
• NTP Status FTD
• Rabbit MQ Status
• Routing Statistics
• SSE Connection Status
• Sybase Status
• Unresolved Groups Monitor
• VPN Statistics
• xTLS Counters
Additionally, full support returns for the Configuration Memory Allocation module, which was introduced in Version 6.6.3 as the Appliance Configuration Resource Utilization module, but was not fully supported in Version 6.7.0.
Supported platforms: Firepower Management Center

Table 10: Security and Hardening

Feature: New default password for AWS deployments
Description: The default password for the admin account is now the AWS Instance ID, unless you define a default password with user data (Advanced Details > User Data) during the initial deployment.
Previously, the default admin password was Admin123.
Supported platforms: FMCv for AWS, FTDv for AWS

Table 11: Usability and Performance

Feature: Search for policies and objects
Description: You can now search for certain policies by name, and for certain objects by name and configured value. This feature is not available with the Classic theme.
New/modified pages: We added capabilities to the Search icon and field on the FMC menu bar, to the left of the Deploy menu.
Platform: Firepower Management Center

We added the following Firepower Management Center REST API services/operations to support new and
existing features. For more information, see the Firepower Management Center REST API Quick Start Guide,
Version 7.0.

Table 12: Firepower Management Center REST API: New Services and Operations

Service: Device
Operations:
alerts: GET

Service: Integration
Operations:
fmchastatuses: GET
securexconfigs: GET and PUT

Service: Object
Operations:
anyconnectcustomattributes, anyconnectpackages, anyconnectprofiles: GET
anyconnectcustomattributes/overrides: GET
applicationfilters: PUT, POST, and DELETE
certificatemaps: GET
dnsservergroups: GET
dnsservergroups/overrides: GET
dynamicobjectmappings: POST
dynamicobjects: GET, PUT, POST, and DELETE
dynamicobjects/mappings: GET and PUT
geolocations: PUT, POST, and DELETE
grouppolicies: GET
hostscanpackages: GET
intrusionrules, intrusionrulegroups: GET, PUT, POST, and DELETE
intrusionrulesupload: POST
ipv4addresspools, ipv6addresspools: GET
ipv4addresspools/overrides, ipv6addresspools/overrides: GET
localrealmusers: GET, PUT, POST, and DELETE
radiusservergroups: GET
realms: PUT, POST, and DELETE
sidnsfeeds, sidnslists, sinetworkfeeds, sinetworklists: GET
sinkholes: GET
ssoservers: GET
ssoservers/overrides: GET
usage: GET

Service: Policy
Operations:
accesspolicies/securityintelligencepolicies: GET
dnspolicies: GET
dnspolicies/allowdnsrules, dnspolicies/blockdnsrules: GET
dynamicaccesspolicies: GET, PUT, POST, and DELETE
identitypolicies: GET
intrusionpolicies: PUT, POST, and DELETE
intrusionpolicies/intrusionrulegroups, intrusionpolicies/intrusionrules: GET and PUT
networkanalysispolicies: GET, PUT, POST, and DELETE
networkanalysispolicies/inspectorconfigs: GET
networkanalysispolicies/inspectoroverrideconfigs: GET and PUT
ravpns: GET
ravpns/addressassignmentsettings, ravpns/certificatemapsettings, ravpns/connectionprofiles: GET

Service: Search
Operations:
globalsearch: GET

Deprecated Features in FMC Version 7.0.0

Table 13:

Feature: RSA certificates with keys smaller than 2048 bits, or that use SHA-1 in their signature algorithm
Upgrade impact: Prevents post-upgrade VPN connections through FTD devices.
Description: Version 7.0.0 removes support for RSA certificates with keys smaller than 2048 bits, or that use SHA-1 in their signature algorithm.
Before you upgrade, use the object manager to update your PKI certificate enrollments with stronger options: Objects > PKI > Cert Enrollment. Otherwise, although the upgrade preserves your current settings, VPN connections through the device will fail.
To continue managing older FTD devices only (Version 6.4.0–6.7.x) with these weaker options, select the new Enable Weak-Crypto option for each device on the Devices > Certificates page.

Feature: MD5 authentication algorithm and DES encryption for SNMPv3 users (removed)
Upgrade impact: Prevents post-upgrade deploy.
Description: Version 7.0.0 removes support for the MD5 authentication algorithm and DES encryption for SNMPv3 users on FTD devices.
Upgrading FTD to Version 7.0.0 deletes these users from the device, regardless of the configurations on the FMC. If you are still using these options in your platform settings policy, change and verify your configurations before you upgrade FTD.
These options are in the Auth Algorithm Type and Encryption Type drop-downs when creating or editing an SNMPv3 user in a Threat Defense platform settings policy: Devices > Platform Settings.

Feature: Port 32137 comms with AMP clouds
Upgrade impact: Prevents FMC upgrade.
Description: Version 7.0.0 deprecates the FMC option to use port 32137 to obtain file disposition data from public and private AMP clouds. Unless you configure a proxy, the FMC now uses port 443/HTTPS.
Before you upgrade, disable the Use Legacy Port 32137 for AMP for Networks option on the System > Integration > Cloud Services page. Do not proceed with upgrade until your AMP for Networks deployment is working as expected.

Feature: HA Status health module
Upgrade impact: None.
Description: Version 7.0.0 renames the HA Status health module. It is now the FMC HA Status health module. This is to distinguish it from the new FTD HA Status module.

Feature: VMware 6.0 hosting
Upgrade impact: Upgrade the hosting environment before you upgrade the Firepower software.
Description: Version 7.0.0 discontinues support for virtual deployments on VMware vSphere/VMware ESXi 6.0. This includes FMCv, FTDv, and NGIPSv for VMware.

Feature: Location changes for SecureX integration configurations and FMC walkthroughs
Upgrade impact: None.
Description: Version 7.0.0 changes these menu options:
• System > SecureX now configures SecureX integration. Previously, these configurations were on System > Integration > Cloud Services.
• Help > How-Tos now invokes FMC walkthroughs. Previously, you clicked How-Tos at the bottom of the browser window.
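The first row of Table 13 says that after upgrading to Version 7.0.0, VPN connections fail on any FTD still using an RSA certificate with a key shorter than 2048 bits or a SHA-1 signature, so the enrollments need checking before the upgrade rather than after. The script below is an added example, not Cisco's code or part of this document: it parses the text that `openssl x509 -noout -text` prints for an exported certificate and reports which enrollments fail either criterion. The three certificate texts embedded in it are constructed excerpts in that layout, not real certificates, and the hostnames are placeholders.

```python
"""Flag certificate enrollments that FTD Version 7.0.0 will no longer accept.

Added example, not Cisco code. Criteria from the deprecation note: RSA key
shorter than 2048 bits, or a SHA-1 signature algorithm. Input is the text
printed by `openssl x509 -noout -text`; the sample texts are constructed.
"""
import re
import subprocess
from typing import Dict, List

MIN_RSA_BITS = 2048

# Constructed excerpts in the layout of `openssl x509 -noout -text` output.
SAMPLE_CERT_TEXTS = {
    "branch-vpn-legacy": """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Internal CA
        Subject: CN = branch-vpn-legacy.example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
    Signature Algorithm: sha1WithRSAEncryption
""",
    "hq-vpn": """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Internal CA
        Subject: CN = hq-vpn.example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption
""",
    "dc-vpn-sha1": """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Internal CA
        Subject: CN = dc-vpn.example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
    Signature Algorithm: sha1WithRSAEncryption
""",
}

# OpenSSL 1.1 prints "RSA Public-Key: (N bit)", OpenSSL 3 prints "Public-Key: (N bit)";
# searching for the common suffix handles both.
_KEY_BITS_RE = re.compile(r"Public-Key: \((\d+) bit\)")
_KEY_ALG_RE = re.compile(r"Public Key Algorithm: (\S+)")
_SIG_ALG_RE = re.compile(r"Signature Algorithm: (\S+)")


def assess_certificate_text(text: str) -> Dict[str, object]:
    """Parse openssl text output and list why Version 7.0.0 would reject the certificate."""
    problems: List[str] = []
    key_alg = _KEY_ALG_RE.search(text)
    bits = _KEY_BITS_RE.search(text)
    sig = _SIG_ALG_RE.search(text)          # first hit is the tbsCertificate field
    key_alg_name = key_alg.group(1) if key_alg else "unknown"
    key_bits = int(bits.group(1)) if bits else None
    sig_name = sig.group(1) if sig else "unknown"
    if key_alg_name == "rsaEncryption" and key_bits is not None and key_bits < MIN_RSA_BITS:
        problems.append(f"RSA key is {key_bits} bits (< {MIN_RSA_BITS})")
    if "sha1" in sig_name.lower():
        problems.append(f"signature algorithm {sig_name} uses SHA-1")
    if key_bits is None or sig_name == "unknown":
        problems.append("could not parse key size or signature algorithm; inspect manually")
    return {"key_algorithm": key_alg_name, "key_bits": key_bits,
            "signature_algorithm": sig_name, "problems": problems}


def weak_certificates(texts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each certificate name to its problems, leaving out clean ones."""
    return {name: assess_certificate_text(text)["problems"]
            for name, text in texts.items()
            if assess_certificate_text(text)["problems"]}


def inspect_pem_file(path: str) -> Dict[str, object]:
    """Run openssl on an exported PEM certificate (needs openssl on PATH)."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                         capture_output=True, text=True, check=True).stdout
    return assess_certificate_text(out)


if __name__ == "__main__":
    for name, problems in weak_certificates(SAMPLE_CERT_TEXTS).items():
        print(f"{name}: re-enroll before upgrading to 7.0.0")
        for problem in problems:
            print(f"  - {problem}")
```

Export each enrollment's certificate from the FMC, run `inspect_pem_file` on it, and re-enroll anything reported before scheduling the upgrade; the Enable Weak-Crypto option described in the table is only for devices that will stay on Version 6.4.0 through 6.7.x, so it is not a substitute for fixing enrollments on devices you intend to upgrade.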

Version 6.7.0
New Features in FMC Version 6.7.0
Table 14:

Hardware and Virtual Appliances

Feature: Oracle Cloud Infrastructure (OCI) virtual deployments
Description: We introduced FMCv and FTDv for Oracle Cloud Infrastructure.

Feature: Google Cloud Platform (GCP) virtual deployments
Description: We introduced FMCv and FTDv for Google Cloud Platform.

Feature: High availability support on FMCv for VMware
Description: FMCv for VMware now supports high availability. You use the FMCv web interface to establish HA, just as you would on hardware models.
In an FTD deployment, you need two identically licensed FMCvs, as well as one FTD entitlement for each managed device. For example, to manage 10 FTD devices with an FMCv10 HA pair, you need two FMCv10 entitlements and 10 FTD entitlements. If you are managing Classic devices only (7000/8000 series, NGIPSv, ASA FirePOWER), you do not need FMCv entitlements.
Note that this feature is not supported on FMCv 2 for VMware—that is, an FMCv licensed to manage only two devices.
Supported platforms: FMCv 10, 25, and 300 for VMware

Feature: Auto Scale improvements for FTDv for AWS
Description: Version 6.7.0 includes the following Auto Scale improvements for FTDv for AWS:
• Custom Metric Publisher. A new Lambda function polls the FMC every second minute for memory consumption of all FTDv instances in the Auto Scale group, then publishes the value to CloudWatch Metric.
• A new scaling policy based on memory consumption is available.
• FTDv private IP connectivity for SSH and Secure Tunnel to the FMC.
• FMC configuration validation.
• Support for opening more Listening ports on ELB.
• Modified to Single Stack deployment. All Lambda functions and AWS resources are deployed from a single stack for a streamlined deployment.
Supported platforms: FTDv for AWS

Feature: Auto Scale improvements for FTDv for Azure
Description: The FTDv for Azure Auto Scale solution now includes support for scaling metrics based on CPU and memory (RAM), not just CPU.
Supported platforms: FTDv for Azure

Firepower Threat Defense: Device Management

Feature: Manage FTD on a data interface
Description: You can now configure FMC management of the FTD on a data interface instead of using the dedicated management interface.
This feature is useful for remote deployment when you want to manage the FTD at a branch office from an FMC at headquarters and need to manage the FTD on the outside interface. If the FTD receives a public IP address using DHCP, then you can optionally configure Dynamic DNS (DDNS) for the interface using the web type update method. DDNS ensures the FMC can reach the FTD at its Fully-Qualified Domain Name (FQDN) if the FTD's IP address changes.
Note: FMC access on a data interface is not supported with clustering or high availability.
New/modified pages:
• Devices > Device Management > Device > Management section
• Devices > Device Management > Interfaces > FMC Access
• Devices > Device Management > DHCP > DDNS > DDNS Update Methods page
New/modified FTD CLI commands: configure network management-data-interface, configure policy rollback
Supported platforms: FTD

Feature: Update the FMC IP address on the FTD
Description: If you change the FMC IP address, you can now use the FTD CLI to update the device.
New/modified FTD CLI commands: configure manager edit
Supported platforms: FTD

Feature: Synchronization between the FTD operational link state and the physical link state for the Firepower 4100/9300
Description: The Firepower 4100/9300 chassis can now synchronize the FTD operational link state with the physical link state for data interfaces.
Currently, interfaces will be in an Up state as long as the FXOS admin state is up and the physical link state is up. The FTD application interface admin state is not considered. Without synchronization from FTD, data interfaces can be in an Up state physically before the FTD application has completely come online, for example, or can stay Up for a period of time after you initiate an FTD shutdown. For inline sets, this state mismatch can result in dropped packets because external routers may start sending traffic to the FTD before the FTD can handle it.
This feature is disabled by default, and can be enabled per logical device in FXOS.
Note: This feature is not supported for clustering, container instances, or an FTD with a Radware vDP decorator. It is also not supported for ASA.
New/modified Firepower Chassis Manager pages: Logical Devices > Enable Link State
New/modified FXOS commands: set link-state-sync enabled, show interface expand detail
Supported platforms: Firepower 4100/9300

Feature: Firepower 1100/2100 series SFP interfaces now support disabling auto-negotiation
Description: Upgrade impact.
You can now configure a Firepower 1100/2100 series SFP interface to disable flow control and link status negotiation.
Previously, when you set an SFP interface speed (1000 or 10000 Mbps) on these devices, flow control and link status negotiation was automatically enabled. You could not disable it.
Now, you can select No Negotiate to disable flow control and link status negotiation. This also sets the speed to 1000 Mbps, regardless of whether you are configuring a 1 GB SFP or 10 GB SFP+ interface. You cannot disable negotiation at 10000 Mbps.
New/modified pages: Devices > Device Management > Interfaces > edit interface > Hardware Configuration > Speed
Supported platforms: Firepower 1100/2100 series

Firepower Threat Defense: Clustering

Feature: New cluster management functionality on the FMC
Description: You can now use the FMC to perform the following cluster management tasks, where previously you had to use the CLI:
• Enable and disable cluster units.
• Show cluster status from the Device Management page, including History and Summary per unit.
• Change the role to the control unit.
New/modified pages:
• Devices > Device Management > More menu
• Devices > Device Management > Cluster > General area > Cluster Live Status link > Cluster Status
Supported platforms: Firepower 4100/9300

Feature: Faster cluster deployment
Description: Cluster deployment now completes faster. Also, for most deployment failures, it fails more quickly.
Supported platforms: Firepower 4100/9300

Feature: Changes to PAT address allocation in clustering. The PAT pool Flat Port Range option is now enabled by default and it is not configurable.
Description: Upgrade impact.
The way PAT addresses are distributed to the members of a cluster is changed.
Previously, addresses were distributed to the members of the cluster, so your PAT pool would need a minimum of one address per cluster member. Now, the control instead divides each PAT pool address into equal-sized port blocks and distributes them across cluster members. Each member has port blocks for the same PAT addresses. Thus, you can reduce the size of the PAT pool, even to as few as one IP address, depending on the amount of connections you typically need to PAT.
Port blocks are allocated in 512-port blocks from the 1024-65535 range. You can optionally include the reserved ports, 1-1023, in this block allocation when you configure PAT pool rules. For example, in a 4-node cluster, each node gets 32 blocks with which it will be able to handle 16384 connections per PAT pool IP address compared to a single node handling all 65535 connections per PAT pool IP address.
As part of this change, PAT pools for all systems, whether standalone or operating in a cluster, now use a flat port range of 1024–65535. Previously, you could use a flat range by enabling the Flat Port Range option in a PAT pool rule (Pat Pool tab in an FTD NAT rule). The Flat Port Range option is now ignored: the PAT pool is now always flat. You can optionally select the Include Reserved Ports option to include the 1–1023 port range within the PAT pool.
Note that if you configure port block allocation (the Block Allocation PAT pool option), your block allocation size is used rather than the default 512-port block. In addition, you cannot configure extended PAT for a PAT pool for systems in a cluster.
This change takes effect automatically. You do not need to do anything before or after upgrade.
Supported platforms: FTD

Firepower Threat Defense: Encryption and VPN

Cisco Firepower Management Center New Features by Release


17
New Features by Release
New Features in FMC Version 6.7.0

Feature Description

AnyConnect module support for FTD RA VPN now supports AnyConnect modules.
RA VPN
As part of your RA VPN group policy, you can now configure a variety
of optional modules to be downloaded and installed when a user
downloads the Cisco AnyConnect VPN client. These modules can
provide services such as web security, malware protection, off-network
roaming protection, and so on.
You must associate each module with a profile containing your custom
configurations, created in the AnyConnect Profile Editor and uploaded
to the FMC as an AnyConnect File object.
New/modified pages:
• Upload module profiles: We added new File Type options to
Objects > Object Management > VPN > AnyConnect File >
Add AnyConnect File
• Configure modules: We added Client Modules options to Objects
> Object Management > VPN > Group Policy > add or edit a
Group Policy object > AnyConnect settings

Supported platforms: FTD

AnyConnect management VPN FTD RA VPN now supports an AnyConnect management VPN tunnel
tunnels for RA VPN that allows VPN connectivity to endpoints when the corporate endpoints
are powered on, not just when a VPN connection is established by the
end user.
This feature helps administrators perform patch management on
out-of-the-office endpoints, especially devices that are infrequently
connected by the user, via VPN, to the office network. Endpoint
operating system login scripts which require corporate network
connectivity also benefit.
Supported platforms: FTD

Single sign-on for RA VPN FTD RA VPN now supports single sign-on (SSO) for remote access
VPN users configured at a SAML 2.0-compliant identity provider (IdP).
New/modified pages:
• Connect to an SSO server: Objects > Object Management > AAA
Server > Single Sign-on Server
• Configure SSO as part of RA VPN: We added SAML as an
authentication method (AAA settings) when configuring an RA
VPN connection profile.

Supported platforms: FTD

Cisco Firepower Management Center New Features by Release


18
New Features by Release
New Features in FMC Version 6.7.0

Feature Description

LDAP authorization for RA VPN FTD RA VPN now supports LDAP authorization using LDAP attribute
maps.
An LDAP attribute map equates attributes that exist in the Active
Directory (AD) or LDAP server with Cisco attribute names. Then, when
the AD or LDAP server returns authentication to the FTD device during
remote access VPN connection establishment, the FTD device can use
the information to adjust how the AnyConnect client completes the
connection.
Supported platforms: FTD

Virtual Tunnel Interface (VTI) and route-based site-to-site VPN
FTD site-to-site VPN now supports a logical interface called Virtual Tunnel Interface (VTI).
As an alternative to policy-based VPN, a VPN tunnel can be created between peers with Virtual Tunnel Interfaces configured. This supports route-based VPN with IPsec profiles attached to the end of each tunnel, so that dynamic or static routes can be used. Using VTI does away with the requirement of configuring static crypto map access lists and mapping them to interfaces. Traffic is directed into the encrypted tunnel by static routes or BGP. You can create a routed security zone, add VTI interfaces to it, and define access control rules to control the decrypted traffic over the VTI tunnel.
VTI-based VPNs can be created between:
• Two FTD devices
• An FTD device and a public cloud
• An FTD device and another FTD device with service provider redundancy
New/modified pages:
• Devices > Device Management > Interfaces > Add Interfaces > Virtual Tunnel Interface
• Devices > VPN > Site To Site > Add VPN > Firepower Threat Defense Device > Route Based (VTI)
Supported platforms: FTD

Dynamic RRI support for site-to-site VPN
FTD site-to-site VPN now supports Dynamic Reverse Route Injection (RRI) with IKEv2-based static crypto maps in site-to-site VPN deployments. This allows static routes to be automatically inserted into the routing process for networks and hosts protected by a remote tunnel endpoint.
New/modified pages: We added the Enable Dynamic Reverse Route Injection advanced option when adding an endpoint to a site-to-site VPN topology.
Supported platforms: FTD


Enhancements to manual certificate enrollment
You can now obtain signed CA certificates and identity certificates from a CA independently of each other.
We made the following changes to PKI certificate enrollment objects, which store enrollment parameters for creating Certificate Signing Requests (CSRs) and obtaining identity certificates:
• We added the CA Only option to the manual enrollment settings for PKI certificate enrollment objects. If you enable this option, you will receive only a signed CA certificate from the CA, and not the identity certificate.
• You can now leave the CA Certificate field blank in the manual enrollment settings for PKI certificate enrollment objects. If you do this, you will receive only the identity certificate from the CA, and not the signed CA certificate.
New/modified pages: Objects > Object Management > PKI > Cert Enrollment > Add Cert Enrollment > CA Information > Enrollment Type > Manual
Supported platforms: FTD

Enhancements to FTD certificate management
We made the following enhancements to FTD certificate management:
• You can now view the chain of certifying authorities (CAs) when viewing certificate contents.
• You can now export certificates.
New/modified pages:
• Devices > Certificates > Status column > View icon (magnifying glass)
• Devices > Certificates > Export icon
Supported platforms: FTD

Access Control: URL Filtering, Application Control, and Security Intelligence


URL filtering and application control on traffic encrypted with TLS 1.3 (TLS Server Identity Discovery)
You can now perform URL filtering and application control on traffic encrypted with TLS 1.3, by using information from the server certificate. You do not have to decrypt the traffic for this feature to work.
Note: We recommend enabling this feature if you want to perform URL filtering and application control on encrypted traffic. However, it can affect device performance, especially on lower-memory models.
New/modified pages: We added a TLS Server Identity Discovery warning and option to the access control policy's Advanced tab.
New/modified FTD CLI commands: We added the B flag to the output of the show conn detail command. On a TLS 1.3-encrypted connection, this flag indicates that the device used the server certificate for application and URL detection.
Supported platforms: FTD

URL filtering on traffic to websites with unknown reputation
You can now perform URL filtering for websites that have an unknown reputation.
New/modified pages: We added an Apply to unknown reputation check box to the access control, QoS, and SSL rule editors.
Supported platforms: FMC

DNS filtering enhances URL filtering
Beta.
DNS filtering enhances URL filtering by determining the category and reputation of requested domains earlier in the transaction, including in encrypted traffic—but without decrypting the traffic. You enable DNS filtering per access control policy, where it applies to all category/reputation URL rules in that policy.
Note: DNS filtering is a Beta feature and may not work as expected. Do not use it in production environments.
New/modified pages: We added the Enable reputation enforcement on DNS traffic option to the access control policy's Advanced tab, under General Settings.
Supported platforms: FMC


Shorter update frequencies for Security Intelligence feeds
The FMC can now update Security Intelligence data every 5 or 15 minutes. Previously, the shortest update frequency was 30 minutes.
If you configure one of these shorter frequencies on a custom feed, you must also configure the system to use an MD5 checksum to determine whether the feed has updates to download.
New/modified pages: We added new options to Objects > Object Management > Security Intelligence > Network Lists and Feeds > edit feed > Update Frequency
Supported platforms: FMC

Access Control: User Control

pxGrid 2.0 with ISE/ISE-PIC
Upgrade impact.
Use pxGrid 2.0 when you connect the FMC to an ISE/ISE-PIC identity source. If you are still using pxGrid 1.0, switch now. That version is deprecated.
For use with pxGrid 2.0, Version 6.7.0 introduces the Cisco ISE Adaptive Network Control (ANC) remediation, which applies or clears ISE-configured ANC policies involved in a correlation policy violation. If you used the Cisco ISE Endpoint Protection Services (EPS) remediation with pxGrid 1.0, configure and use the ANC remediation with pxGrid 2.0. ISE remediations will not launch if you are using the 'wrong' pxGrid. The ISE Connection Status Monitor health module alerts you to mismatches.
For detailed compatibility information for all supported Firepower versions, including integrated products, see the Cisco Firepower Compatibility Guide.
New/modified pages:
• Policies > Actions > Modules > Installed Remediation Modules list
• Policies > Actions > Instances > Select a module type drop-down list
Supported platforms: FMC

Realm sequences
You can now group realms into ordered realm sequences.
Add a realm sequence to an identity rule in the same way as you add a single realm. When applying the identity rule to network traffic, the system searches the Active Directory domains in the order specified.
You cannot create realm sequences for LDAP realms.
New/modified pages: System > Integration > Realm Sequences
Supported platforms: FMC


ISE subnet filtering
Especially useful on lower-memory devices, you can now use the CLI to exclude subnets from receiving user-to-IP and Security Group Tag (SGT)-to-IP mappings from ISE.
The Snort Identity Memory Usage health module alerts when memory usage exceeds a certain level, which by default is 80%.
New device CLI command: configure identity-subnet-filter {add | remove}
Supported platforms: FMC-managed devices

Access Control: Intrusion and Malware Prevention

Improved preclassification of files for dynamic analysis
Upgrade impact.
The system can now decide not to submit a suspected malware file for dynamic analysis, based on the static analysis results (for example, a file with no dynamic elements).
After you upgrade, in the Captured Files table, these files will have a Dynamic Analysis Status of Rejected for Analysis.
Supported platforms: FMC

S7Commplus preprocessor
The new S7Commplus preprocessor supports the widely accepted S7 industrial protocol. You can use it to apply corresponding intrusion and preprocessor rules, drop malicious traffic, and generate intrusion events.
New/modified pages:
• Enable the preprocessor: In the network analysis policy editor, click Settings (you must click the word 'Settings'), and enable S7Commplus Configuration under SCADA Preprocessors.
• Configure the preprocessor: In the network analysis policy editor, under Settings, click S7Commplus Configuration.
• Configure S7Commplus preprocessor rules: In the intrusion policy editor, click Rules > Preprocessors > S7 Commplus Configurations.
Supported platforms: all FTD devices, including ISA 3000


Custom intrusion rule import warns when rules collide
The FMC now warns you of rule collisions when you import custom (local) intrusion rules. Previously, the FMC would silently skip the rules that cause collisions—with the exception of Version 6.6.0.1, where a rule import with collisions would fail entirely.
On the Rule Updates page, if a rule import had collisions, a warning icon is displayed in the Status column. For more information, hover your pointer over the warning icon and read the tooltip.
Note that a collision occurs when you try to import an intrusion rule that has the same SID/revision number as an existing rule. You should always make sure that updated versions of custom rules have new revision numbers. We recommend you read the best practices for importing local intrusion rules in the Firepower Management Center Configuration Guide.
New/modified pages: We added a warning icon to System > Updates > Rule Updates.
Supported platforms: FMC
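As an added example (not Cisco's code, and not how the FMC performs the check internally), the following Python script parses Snort-format local rules, extracts each rule's SID and rev, and classifies an import set against the rules already installed, so that collisions (same SID and same rev) can be found before the file is imported. The rule text and SID values are constructed, and treating a missing rev as revision 1 is this script's own assumption.

```python
import re
from dataclasses import dataclass

# Regexes for the sid and rev options inside a Snort rule's option block.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


@dataclass(frozen=True)
class RuleId:
    sid: int
    rev: int


def parse_rule_ids(rule_text):
    """Return the (sid, rev) identity of each rule line.

    Blank lines and comments are skipped; a rule without a rev option is
    treated as revision 1 (an assumption of this script).
    """
    ids = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m_sid = SID_RE.search(line)
        if not m_sid:
            raise ValueError(f"rule without sid: {line[:60]}")
        m_rev = REV_RE.search(line)
        rev = int(m_rev.group(1)) if m_rev else 1
        ids.append(RuleId(int(m_sid.group(1)), rev))
    return ids


def classify_import(existing_rules, import_rules):
    """Classify each imported rule against the rules already present.

    Returns a dict with four lists of RuleId:
      'collision' - same SID and same rev as an installed rule (the case the
                    FMC now warns about; the author forgot to bump rev)
      'update'    - same SID with a higher rev (a legitimate revision)
      'stale'     - same SID with a lower rev than what is installed
      'new'       - SID not seen before
    """
    existing = {r.sid: r.rev for r in parse_rule_ids(existing_rules)}
    result = {"collision": [], "update": [], "stale": [], "new": []}
    for r in parse_rule_ids(import_rules):
        if r.sid not in existing:
            result["new"].append(r)
        elif r.rev == existing[r.sid]:
            result["collision"].append(r)
        elif r.rev > existing[r.sid]:
            result["update"].append(r)
        else:
            result["stale"].append(r)
    return result


# Constructed sample rule sets; SIDs are in the local-rule range (>= 1000000).
EXISTING_RULES = """
alert tcp any any -> any 80 (msg:"LOCAL test rule A"; sid:1000001; rev:2;)
alert tcp any any -> any 443 (msg:"LOCAL test rule B"; sid:1000002; rev:1;)
"""

IMPORT_RULES = """
# Rule A was edited but its rev was not bumped: this is a collision.
alert tcp any any -> any 80 (msg:"LOCAL test rule A, edited"; sid:1000001; rev:2;)
# Rule B has a new revision: this is a clean update.
alert tcp any any -> any 443 (msg:"LOCAL test rule B v3"; sid:1000002; rev:3;)
# Rule C is brand new.
alert udp any any -> any 53 (msg:"LOCAL test rule C"; sid:1000003; rev:1;)
"""


if __name__ == "__main__":
    report = classify_import(EXISTING_RULES, IMPORT_RULES)
    for kind, ids in report.items():
        for r in ids:
            print(f"{kind:9s} sid:{r.sid} rev:{r.rev}")
    if report["collision"]:
        print("fix: give every edited rule a new rev before importing")
```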

Access Control: TLS/SSL Decryption

ClientHello modification for Decrypt - Known Key TLS/SSL rules
Upgrade impact.
If you configure TLS/SSL decryption, when a managed device receives a ClientHello message, the system now attempts to match the message to TLS/SSL rules that have the Decrypt - Known Key action. Previously, the system only matched ClientHello messages to Decrypt - Resign rules.
The match relies on data from the ClientHello message and from cached server certificate data. If the message matches, the device modifies the ClientHello message in specific ways; see the ClientHello Message Handling topic in the Firepower Management Center Configuration Guide.
This behavior change occurs automatically after upgrade. If you use Decrypt - Known Key TLS/SSL rules, make sure that encrypted traffic is being handled as expected.
Supported platforms: Any device

Event Logging and Analysis


Remote data storage and cross-launch with an on-prem Stealthwatch solution
You can now store large volumes of Firepower event data off-FMC, using an on-premises Stealthwatch solution: Cisco Security Analytics and Logging (On Premises).
When viewing events in FMC, you can quickly cross-launch to view events in your remote data storage location. The FMC uses syslog to send connection, Security Intelligence, intrusion, file, and malware events.
Note: This on-prem solution is supported for FMCs running Version 6.4.0+. However, contextual cross-launch requires Firepower Version 6.7.0+. This solution also depends on availability of the Security Analytics and Logging On Prem app for the Stealthwatch Management Console (SMC), which must be running Stealthwatch Enterprise (SWE) version 7.3.
Supported platforms: FMC

Quickly add Stealthwatch contextual cross-launch resources
A new page on the FMC allows you to quickly add contextual cross-launch resources for your Stealthwatch appliance.
After you add Stealthwatch resources, you manage them on the general contextual cross-launch page. This is where you continue to manually create and manage non-Stealthwatch cross-launch resources.
New/modified pages:
• Add Stealthwatch resources: System > Logging > Security Analytics and Logging
• Manage resources: Analysis > Advanced > Contextual Cross-Launch
Supported platforms: FMC


New cross-launch options field types
You can now cross-launch into an external resource using the following additional types of event data:
• Access control policy
• Intrusion policy
• Application protocol
• Client application
• Web application
• Username (including realm)
New/modified pages:
• New variables when creating or editing cross-launch query links: Analysis > Advanced > Contextual Cross-Launch.
• New data types in the dashboard and event viewer now offer cross-launch on right click.
Supported platforms: FMC

National Vulnerability Database (NVD) replaces Bugtraq
Upgrade impact.
Bugtraq vulnerability data is no longer available. Most vulnerability data now comes from the NVD. To support this change, we made the following changes:
• Added the CVE ID and Severity fields to the Vulnerabilities table. Right-clicking the CVE ID in the table view allows you to view details about the vulnerability on the NVD.
• Renamed the Vulnerability Impact field to Impact (in the table view only).
• Removed the obsolete/redundant Bugtraq ID, Title, Available Exploits, Technical Description, and Solution fields.
• Removed the Bugtraq ID filtering option from the Hosts network map.
If you export vulnerability data, make sure any integrations are working as expected after the upgrade.
Supported platforms: FMC

Upgrade


Pre-upgrade compatibility check
Upgrade impact.
In FMC deployments, Firepower appliances must now pass pre-upgrade compatibility checks before you can run more complex readiness checks or attempt to upgrade. The issues these checks catch would have caused the upgrade to fail anyway; the checks now catch them earlier and block you from proceeding.
The checks are as follows:
• You cannot use the FMC to upgrade a Firepower 4100/9300 chassis to Version 6.7.0+ until you upgrade FXOS to the new release's companion FXOS version.
  Upgrade is blocked as long as you are upgrading the device to Version 6.7.0 or later. For example, you are not blocked from attempting a Firepower 4100/9300 upgrade from 6.3 → 6.6.x, even if the device is running a version of FXOS that is too old for Firepower Version 6.6.x.
• You cannot use the FMC to upgrade a device if that device has out-of-date configurations.
  Upgrade is blocked as long as the FMC is running Version 6.7.0 or later, and you are upgrading a managed device to a valid target. For example, you are blocked from upgrading a device from 6.3.0 → 6.6.x if the device has outdated configurations.
• You cannot upgrade an FMC from Version 6.7.0+ if its devices have out-of-date configurations.
  Upgrade is blocked as long as the FMC is running Version 6.7.0 or later. For upgrades from earlier versions (including to Version 6.7.0), you must make sure you deploy yourself.
When you select an upgrade package to install, the FMC displays compatibility check results for all eligible appliances. The new Readiness Check page also displays this information. You cannot upgrade until you fix the issues indicated.
New/modified pages:
• System > Update > Product Updates > Available Updates > Install icon for the upgrade package
• System > Update > Product Updates > Readiness Checks
Supported platforms: FMC, FTD


Improved readiness checks
Upgrade impact.
Readiness checks assess a Firepower appliance's preparedness for a software upgrade. These checks include database integrity, file system integrity, configuration integrity, disk space, and so on.
After you upgrade the FMC to Version 6.7.0, you will see the following improvements to FTD upgrade readiness checks:
• Readiness checks are faster.
• Readiness checks are now supported on high availability and clustered FTD devices, without having to log into the device CLI.
• Readiness checks for FTD device upgrades to Version 6.7.0+ no longer require the upgrade package to reside on the device. Although we still recommend you push the upgrade package to the device before you begin the upgrade itself, you no longer have to do so before you run the readiness check.
• When you select an upgrade package to install, the FMC now shows the readiness status for all applicable FTD devices. A new Readiness Checks page allows you to view the results of readiness checks for the FTD devices in your deployment. You can also re-run readiness checks from this page.
• Readiness check results include the estimated upgrade time (but do not include reboot time).
• Error messages are better. You can also download success/failure logs from the Message Center on the FMC.
Note that these improvements are supported for FTD upgrades from Version 6.3.0+, as long as the FMC is running Version 6.7.0+.
New/modified pages:
• System > Update > Product Updates > Available Updates > Install icon for the upgrade package
• System > Update > Product Updates > Readiness Checks
• Message Center > Tasks
Supported platforms: FTD


Improved FTD upgrade status reporting and cancel/retry options
Upgrade impact.
You can now view the status of device upgrades and readiness checks in progress on the Device Management page, as well as a 7-day history of upgrade success/failures. The Message Center also provides enhanced status and error messages.
A new Upgrade Status pop-up, accessible from both Device Management and the Message Center with a single click, shows detailed upgrade information, including percentage/time remaining, specific upgrade stage, success/failure data, upgrade logs, and so on.
Also on this pop-up, you can manually cancel failed or in-progress upgrades (Cancel Upgrade), or retry failed upgrades (Retry Upgrade). Canceling an upgrade reverts the device to its pre-upgrade state.
Note: To be able to manually cancel or retry a failed upgrade, you must disable the new auto-cancel option, which appears when you use the FMC to upgrade an FTD device: Automatically cancel on upgrade failure and roll back to the previous version. With the option enabled, the device automatically reverts to its pre-upgrade state upon upgrade failure. Auto-cancel is not supported for patches. In an HA or clustered deployment, auto-cancel applies to each device individually. That is, if the upgrade fails on one device, only that device is reverted.
New/modified pages:
• System > Update > Product Updates > Available Updates > Install icon for the FTD upgrade package
• Devices > Device Management > Upgrade
• Message Center > Tasks
New FTD CLI commands:
• show upgrade status detail
• show upgrade status continuous
• show upgrade status
• upgrade cancel
• upgrade retry
Supported platforms: FTD


Upgrades postpone scheduled tasks
Upgrade impact.
FMC upgrades now postpone scheduled tasks. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot.
Note: Before you begin any upgrade, you must still make sure running tasks are complete. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed.
Note that this feature is supported for all upgrades from a supported version. This includes Version 6.4.0.10 and later patches, Version 6.6.3 and later maintenance releases, and Version 6.7.0+. This feature is not supported for upgrades to a supported version from an unsupported version.
Supported platforms: FMC

Upgrades remove PCAP files to save disk space
Upgrade impact.
To upgrade a Firepower appliance, you must have enough free disk space or the upgrade fails. Upgrades now remove locally stored PCAP files.
Supported platforms: Any

Deployment and Policy Management

Configuration rollback
Beta.
You can now "roll back" configurations on an FTD device, replacing them with the previously deployed configurations.
Note: Rollback is a Beta feature, and is not supported in all deployment types and scenarios. It is also a disruptive operation. Make sure you read and understand the guidelines and limitations in the Policy Management chapter of the Firepower Management Center Configuration Guide.
New/modified pages: Deploy > Deployment History > Rollback column and icons.
Supported platforms: FTD

Back up and restore FTD container instances
You can now use the FMC to back up FTD container instances.
Supported platforms: Firepower 4100/9300

Deploy intrusion and file policies independently of access control policies
You can now select and deploy intrusion and file policies independently of access control policies, unless there are dependent changes.
New/modified pages: Deploy > Deployment
Supported platforms: FMC


Search access control rule comments
You can now search within access control rule comments.
New/modified pages: In the access control policy editor, we added the Comments field to the Search Rules drop-down dialog.
Supported platforms: FMC

Search and filter FTD NAT rules
You can now search for rules in an FTD NAT policy to help you find rules based on IP addresses, ports, object names, and so forth. Search results include partial matches. Searching on criteria filters the rule table so only matching rules are displayed.
New/modified pages: We added a search field above the rule table when you edit an FTD NAT policy.
Supported platforms: FTD

Copy and move rules between access control and prefilter policies
You can copy access control rules from one access control policy to another. You can also move rules between an access control policy and its associated prefilter policy.
New/modified pages: In the access control and prefilter policy editors, we added Copy and Move options to each rule's right-click menu.
Supported platforms: FMC

Bulk object import
You can now bulk-import network, port, URL, VLAN tag, and distinguished name objects onto the FMC, using a comma-separated-values (CSV) file.
For restrictions and specific formatting instructions, see the Reusable Objects chapter of the Firepower Management Center Configuration Guide.
New/modified pages: Objects > Object Management > choose an object type > Add [Object Type] > Import Object
Supported platforms: FMC


Interface object optimization for access control and prefilter policies
You can now enable interface object optimization on specific FTD devices.
During deployment, interface groups and security zones used in the access control and prefilter policies generate separate rules for each source/destination interface pair. If you enable interface object optimization, the system will instead deploy a single rule per access control/prefilter rule, which can simplify the device configuration and improve deployment performance.
Interface object optimization is disabled by default. If you enable it, you should also enable Object Group Search—which now applies to interface objects in addition to network objects—to reduce memory usage on the device.
New/modified pages: Devices > Device Management > Device > Advanced Settings section > Interface Object Optimization check box
Supported platforms: FTD

Administration and Troubleshooting

FMC single sign-on
The FMC now supports single sign-on (SSO) for external users configured at any third-party SAML 2.0-compliant identity provider (IdP). You can map user or group roles from the IdP to FMC user roles.
New/modified pages:
• Login > Single Sign-On
• System > Users > SSO
Supported platforms: FMC

FMC logout delay
When you log out of the FMC, there is an automatic five-second delay and countdown. You can click Log Out again to log out immediately.
Supported platforms: FMC


Health monitoring enhancements
We enhanced health monitoring as follows:
• Health Status summary page that provides an at-a-glance view of the health of the Firepower Management Center and all of the devices that the FMC manages.
• The Monitoring navigation pane allows you to navigate the device hierarchy.
• Managed devices are listed individually, or grouped according to their geolocation, high availability, or cluster status where applicable.
• You can view health monitors for individual devices from the navigation pane.
• Custom dashboards to correlate interrelated metrics. Select from predefined correlation groups, such as CPU and Snort; or create a custom correlation dashboard by building your own variable set from the available metric groups.
Supported platforms: FMC


Health module updates
We replaced the CPU Usage health module with four new modules:
• CPU Usage (per core): Monitors the CPU usage on all of the cores.
• CPU Usage Data Plane: Monitors the average CPU usage of all data plane processes on the device.
• CPU Usage Snort: Monitors the average CPU usage of the Snort processes on the device.
• CPU Usage System: Monitors the average CPU usage of all system processes on the device.
We added the following health modules to track memory use:
• Memory Usage Data Plane: Monitors the percentage of allocated memory used by data plane processes.
• Memory Usage Snort: Monitors the percentage of allocated memory used by the Snort process.
We added the following health modules to track statistics:
• Connection Statistics: Monitors connection statistics and NAT translation counts.
• Critical Process Statistics: Monitors the state of critical processes, their resource consumption, and the restart counts.
• Deployed Configuration Statistics: Monitors statistics about the deployed configuration, such as the number of ACEs and IPS rules.
• Snort Statistics: Monitors Snort statistics for events, flows, and packets.
Supported platforms: FMC

Search Message Center
You can now filter the current view in the Message Center.
New/modified pages: We added a Filter icon and field to the Message Center, under the Show Notifications slider.
Supported platforms: FMC

Usability and Performance


Dusk theme
Beta.
The FMC web interface defaults to the Light theme, but you can also choose a new Dusk theme.
Note: The Dusk theme is a Beta feature. If you encounter issues that prevent you from using a page or feature, switch to a different theme. Although we cannot respond to everybody, we also welcome feedback — please use the feedback link on the User Preferences page or contact us at [email protected].
New/modified pages: User Preferences, from the drop-down list under your username
Supported platforms: FMC

Search FMC menus
You can now search the FMC menus.
New/modified pages: We added a Search icon and field to the FMC menu bar, to the left of the Deploy menu.
Supported platforms: FMC

Firepower Management Center REST API


New REST API services
We added the following FMC REST API services/operations to support new and existing features.
Authorization services:
• ssoconfig: GET and PUT operations to retrieve and modify FMC single sign-on.
Health services:
• metrics: GET operation to retrieve metrics for the health monitor.
• alerts: GET operation to retrieve health alerts.
• deploymentdetails: GET operation to retrieve deployment health details.
Deployment services:
• jobhistories: GET operation to retrieve deployment history.
• rollbackrequests: POST operation to request a configuration rollback.
Device services:
• metrics: GET operation to retrieve device metrics.
• virtualtunnelinterfaces: GET, PUT, POST, and DELETE operations to retrieve and modify virtual tunnel interfaces.
Integration services:
• externalstorage: GET, GET by ID, and PUT operations to retrieve and modify external event storage configuration.
Policy services:
• intrusionpolicies: POST and DELETE operations to modify intrusion policies.
Update services:
• cancelupgrades: POST operation to cancel a failed upgrade.
• retryupgrades: POST operation to retry a failed upgrade.
Supported platforms: FMC

Deprecated Features in FMC Version 6.7.0


Table 15: Deprecated features (columns: Feature, Upgrade Impact, Description)

Cisco Firepower User Agent software and identity source
Upgrade impact: Prevents FMC upgrade.
You cannot upgrade an FMC with user agent configurations to Version 6.7.0+.
Version 6.6.0/6.6.x is the last release to support the Cisco Firepower User Agent software as an identity source. You should switch to Cisco Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC). To convert your license, contact Sales.
For more information, see the End-of-Life and End-of-Support for the Cisco Firepower User Agent announcement and the Firepower User Identity: Migrating from User Agent to Identity Services Engine TechNote.
Deprecated FTD CLI commands: configure user agent

Cisco ISE Endpoint Protection Services (EPS) remediation
Upgrade impact: ISE remediations can stop working.
The Cisco ISE Endpoint Protection Services (EPS) remediation does not work with pxGrid 2.0. Configure and use the new Cisco ISE Adaptive Network Control (ANC) remediation instead.
ISE remediations will not launch if you are using the 'wrong' pxGrid to connect the FMC to an ISE/ISE-PIC identity source. The ISE Connection Status Monitor health module alerts you to mismatches.

Less secure Diffie-Hellman groups, and encryption and hash algorithms
Upgrade impact: Prevents FMC upgrade.
You may not be able to upgrade an FMC if you use any of the following FTD features:
• Diffie-Hellman groups: 2, 5, and 24.
  Group 5 continues to be supported in FMC deployments for IKEv1, but we recommend you change to a stronger option.
• Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls.
• The NULL "encryption algorithm" (authentication without encryption, for testing purposes) continues to be supported in FMC deployments for both IKEv1 and IKEv2 IPsec proposals. However, it is no longer supported in IKEv2 policies.
• Hash algorithms: MD5.
If you are still using these features in IKE proposals or IPsec policies, change and verify your VPN configuration before you upgrade.


Appliance Configuration Resource Utilization health module (temporary deprecation)
Upgrade impact: Possible post-upgrade errors in the health monitor.
Version 6.7.0 partially and temporarily deprecates support for the Appliance Configuration Resource Utilization health module, which was introduced in Version 6.6.3 and is supported in all later 6.6.x releases.
Version 6.7.0 support is as follows:
• FMC upgraded to Version 6.7.0 from Version 6.6.3+: Continues to support the module, but only if the devices remain at Version 6.6.3/6.6.x. If you upgrade the devices to Version 6.7.0, the module stops working and the health monitor displays an error. To resolve the error, use the FMC to disable the module and reapply policies.
• FMC upgraded to Version 6.7.0 from Version 6.3.0–6.6.1, or FMC freshly installed to Version 6.7.0: Does not support the module.
  In the rare case that you add a Version 6.6.3/6.6.x device that has the module enabled to an FMC where the module is not supported, the health monitor displays an error that you cannot resolve. This error is safe to ignore.
Full support returns in Version 7.0.0, where the module is renamed to Configuration Memory Allocation.

Other health None. Version 6.7.0 deprecates the following health modules:
modules (permanent
• CPU Usage: Replaced by four new modules; see New
deprecation)
Features in FMC Version 6.7.0, on page 13.
• Local Malware Analysis: This module was replaced by the
Threat Data Updates on Devices module in Version 6.3.0.
A Version 6.7.0+ FMC can no longer manage any devices
where the older module applies.
• User Agent Status Monitor: Cisco Firepower User Agent is
no longer supported.

FMC walkthroughs None. Version 6.7.0 discontinues FMC walkthroughs (how-tos) for the
with the Classic Classic theme. You can switch themes in your user preferences.
theme

Bugtraq If you export Version 6.7.0 removes database fields and options for Bugtraq.
vulnerability data, Bugtraq vulnerability data is no longer available. Most
make sure any vulnerability data now comes from the National Vulnerability
integrations are Database (NVD).
working as expected
For more information, see New Features in FMC Version 6.7.0,
after the upgrade.
on page 13.


Feature: Microsoft Internet Explorer
Upgrade impact: You should switch browsers.
We no longer test Firepower web interfaces using Microsoft Internet Explorer. We recommend you switch to Google Chrome, Mozilla Firefox, or Microsoft Edge.
For more information, see Web Browser Compatibility.

Feature: ASA 5525-X, 5545-X, and 5555-X devices with Firepower software
Upgrade impact: Upgrade prohibited.
You cannot upgrade to or freshly install Version 6.7.0+ of the Firepower software (both FTD and ASA FirePOWER) on ASA 5525-X, 5545-X, and 5555-X devices.

Version 6.6.3
New Features in FMC Version 6.6.3
Table 16:

Feature Description

Feature: Upgrades postpone scheduled tasks
Upgrade impact.
Upgrades now postpone scheduled tasks. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot.
Note: Before you begin any upgrade, you must still make sure running tasks are complete. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed.
Note that this feature is supported for Firepower appliances running Version 6.6.3+. It is not supported for upgrades to Version 6.6.3, unless you are upgrading from Version 6.4.0.10 or any later patch.


Feature: Appliance Configuration Resource Utilization health module
Upgrade impact for Version 6.7.0.
Version 6.6.3 improves device memory management and introduces a new health module: Appliance Configuration Resource Utilization.
The module alerts when the size of your deployed configurations puts a device at risk of running out of memory. The alert shows you how much memory your configurations require, and by how much this exceeds the available memory. If this happens, re-evaluate your configurations. Most often you can reduce the number or complexity of access control rules or intrusion policies. For information on best practices for access control, see the Firepower Management Center Configuration Guide.
The upgrade process automatically adds and enables this module in all health policies. After upgrade, apply health policies to managed devices to begin monitoring.
Note: This module requires Version 6.6.3 or a later 6.6.x release, or Version 7.0.0+, on both the FMC and managed devices. Version 6.7.0 partially and temporarily deprecates support for this module. For details, see Deprecated Features in FMC Version 6.7.0, on page 37. Full support returns in Version 7.0.0, where the module is renamed to Configuration Memory Allocation.

Version 6.6.1
Deprecated Features in FMC Version 6.6.1
Table 17:

Feature Upgrade Impact Description

Feature: Custom intrusion rule import does not fail when rules collide
Upgrade impact: None.
In Version 6.6.0, the FMC began rejecting custom (local) intrusion rule imports entirely if there were rule collisions. Version 6.6.1 deprecates this feature, and returns to the pre-Version 6.6.0 behavior of silently skipping the rules that cause collisions.
Note that a collision occurs when you try to import an intrusion rule that has the same SID/revision number as an existing rule. You should always make sure that updated versions of custom rules have new revision numbers. We recommend you read the best practices for importing local intrusion rules in the Firepower Management Center Configuration Guide.
A later release, Version 6.7.0, adds a warning for rule collisions.
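A pre-import check for the SID/revision collisions this row describes, as an added example (not Cisco's code). The rule strings are constructed Snort-style local rules, and the three import behaviours modelled are the ones the row states: reject the whole import in Version 6.6.0, silently skip colliding rules before 6.6.0 and from 6.6.1.

```python
"""Pre-import collision check for custom (local) intrusion rules.

Added example, not Cisco code. Rules are constructed Snort-style strings; a
collision is the same sid and rev as a rule already present on the FMC.
"""
import re
from typing import Iterable, List, Tuple

_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def sid_rev(rule: str) -> Tuple[int, int]:
    """Return (sid, rev) from a rule body. A missing rev is treated as 1
    (an assumption made for this example so every rule still gets a key)."""
    sid = _SID_RE.search(rule)
    if sid is None:
        raise ValueError("rule has no sid option: %r" % rule)
    rev = _REV_RE.search(rule)
    return int(sid.group(1)), (int(rev.group(1)) if rev else 1)


def find_collisions(existing: Iterable[str], incoming: Iterable[str]) -> List[Tuple[int, int]]:
    """(sid, rev) pairs in the import that already exist on the FMC.
    An updated rule whose rev was bumped is not a collision."""
    present = {sid_rev(r) for r in existing}
    return [sid_rev(r) for r in incoming if sid_rev(r) in present]


def simulate_import(existing: List[str], incoming: List[str],
                    fmc_version: str) -> Tuple[List[str], List[str]]:
    """Model what each FMC version does with a colliding import.
    Returns (rules that would import, rules that would be skipped or rejected)."""
    colliding = set(find_collisions(existing, incoming))
    if fmc_version == "6.6.0":
        # 6.6.0 rejected the whole import as soon as one rule collided.
        return ([], list(incoming)) if colliding else (list(incoming), [])
    # Pre-6.6.0 and 6.6.1+: colliding rules are silently skipped, the rest import.
    imported = [r for r in incoming if sid_rev(r) not in colliding]
    skipped = [r for r in incoming if sid_rev(r) in colliding]
    return imported, skipped


# Constructed sample data: two rules already on the FMC and a three-rule import.
EXISTING_RULES = [
    'alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 443 (msg:"constructed rule B"; sid:1000002; rev:2;)',
]
INCOMING_RULES = [
    'alert tcp any any -> any 80 (msg:"constructed rule A, edited, rev not bumped"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 443 (msg:"constructed rule B, rev bumped"; sid:1000002; rev:3;)',
    'alert udp any any -> any 53 (msg:"constructed rule C, new"; sid:1000003; rev:1;)',
]


def precheck_report(existing: List[str] = EXISTING_RULES,
                    incoming: List[str] = INCOMING_RULES) -> List[str]:
    """Rules to fix (bump rev) before importing, so nothing is silently dropped."""
    return ["sid %d rev %d already exists; bump rev before import" % c
            for c in find_collisions(existing, incoming)]


if __name__ == "__main__":
    for line in precheck_report():
        print(line)
    for version in ("6.5.0", "6.6.0", "6.6.1"):
        imported, rest = simulate_import(EXISTING_RULES, INCOMING_RULES, version)
        print(version, "imports", len(imported), "skips/rejects", len(rest))
```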


Version 6.6.0
New Features in FMC Version 6.6.0
Table 18:

Feature Description

Hardware and Virtual Appliances

Feature: FTD on the Firepower 4112
We introduced the Firepower 4112. You can also deploy ASA logical devices on this platform. Requires FXOS 2.8.1.

Feature: Larger instances for AWS deployments
Upgrade impact.
FTDv for AWS adds support for these larger instances:
• C5.xlarge
• C5.2xlarge
• C5.4xlarge
FMCv for AWS adds support for these larger instances:
• C3.4xlarge
• C4.4xlarge
• C5.4xlarge
All existing FMCv for AWS instance types are now deprecated. You must resize before you upgrade. For more information, see the Version 6.6.0 upgrade guidelines.
Supported platforms: FTDv for AWS, FMCv for AWS

Feature: Autoscale for cloud-based FTDv deployments
Version 6.6.0 introduces support for AWS Auto Scale/Azure Autoscale.
The serverless infrastructure in cloud-based deployments allows you to automatically adjust the number of FTDv instances in the Auto Scale group based on capacity needs. This includes automatic registering/unregistering to and from the managing FMC.
Supported platforms: FTDv for AWS, FTDv for Azure

Firepower Threat Defense: Device Management


Feature: Obtain initial management interface IP address using DHCP
For Firepower 1000/2000 series and ASA-5500-X series devices, the management interface now defaults to obtaining an IP address from DHCP. This change makes it easier for you to deploy a new device on your existing network.
This feature is not supported for Firepower 4100/9300 chassis, where you set the IP address when you deploy the logical device. Nor is it supported for FTDv or the ISA 3000, which continue to default to 192.168.45.45.
Supported platforms: Firepower 1000/2000 series, ASA-5500-X series

Feature: Configure MTU values in CLI
You can now use the FTD CLI to configure MTU (maximum transmission unit) values for FTD device interfaces. The default is 1500 bytes. Maximum MTU values are:
• Management interface: 1500 bytes
• Eventing interface: 9000 bytes
New FTD CLI commands: configure network mtu
Modified FTD CLI commands: Added the mtu-event-channel and mtu-management-channel keywords to the configure network management-interface command.
Supported platforms: FTD

Feature: Get upgrade packages from an internal web server
FTD devices can now get upgrade packages from your own internal web server, rather than from the FMC. This is especially useful if you have limited bandwidth between the FMC and its devices. It also saves space on the FMC.
Note: This feature is supported only for FTD devices running Version 6.6.0+. It is not supported for upgrades to Version 6.6.0, nor is it supported for the FMC or Classic devices.
New/modified pages: System > Updates > Upload Update button > Specify software update source option
Supported platforms: FTD

Feature: Connection-based troubleshooting enhancements
We made the following enhancements to FTD CLI connection-based troubleshooting (debugging):
• debug packet-module trace: Added to enable module level packet tracing.
• debug packet-condition: Modified to support troubleshooting of ongoing connections.
Supported platforms: FTD

Firepower Threat Defense: Clustering


Feature: Multi-instance clustering
You can now create a cluster using container instances. On the Firepower 9300, you must include one container instance on each module in the cluster. You cannot add more than one container instance to the cluster per security engine/module.
We recommend that you use the same security module or chassis model for each cluster instance. However, you can mix and match container instances on different Firepower 9300 security module types or Firepower 4100 models in the same cluster if required. You cannot mix Firepower 9300 and 4100 instances in the same cluster.
New FXOS CLI commands: set port-type cluster
New/modified Firepower Chassis Manager pages:
• Logical Devices > Add Cluster
• Interfaces > All Interfaces > Add New drop-down menu > Subinterface > Type field
Supported platforms: Firepower 4100/9300

Feature: Parallel configuration sync to data units in FTD clusters
The control unit in an FTD cluster now syncs configuration changes with data units in parallel by default. Formerly, synching occurred sequentially.
Supported platforms: Firepower 4100/9300

Feature: Messages for cluster join failure or eviction added to show cluster history
We added new messages to the show cluster history command for when a cluster unit either fails to join the cluster or leaves the cluster.
Supported platforms: Firepower 4100/9300

Firepower Threat Defense: Routing


Feature: Virtual routers and VRF-Lite
You can now create multiple virtual routers to maintain separate routing tables for groups of interfaces. Because each virtual router has its own routing table, you can provide clean separation in the traffic flowing through the device.
Virtual routers implement the "light" version of Virtual Routing and Forwarding, or VRF-Lite, which does not support Multiprotocol Extensions for BGP (MBGP).
The maximum number of virtual routers you can create ranges from five to 100, and depends on the device model. For a full list, see the Virtual Routing for Firepower Threat Defense chapter in the Firepower Management Center Configuration Guide.
New/modified pages: Devices > Device Management > edit device > Routing tab
New FTD CLI commands: show vrf
Modified FTD CLI commands: Added the [vrf name | all] keyword set to the following CLI commands, and changed the output to indicate virtual router information where applicable: clear ospf, clear route, ping, show asp table routing, show bgp, show ipv6 route, show ospf, show route, show snort counters.
Supported platforms: FTD, except Firepower 1010 and ISA 3000

Firepower Threat Defense: VPN

Feature: DTLS 1.2 in remote access VPN
You can now use Datagram Transport Layer Security (DTLS) 1.2 to encrypt RA VPN connections.
Use FTD platform settings to specify the minimum TLS protocol version that the FTD device uses when acting as an RA VPN server. If you want to specify DTLS 1.2, you must also choose TLS 1.2 as the minimum TLS version.
Requires Cisco AnyConnect Secure Mobility Client, Version 4.7+.
New/modified pages: Devices > Platform Settings > add/edit Threat Defense policy > SSL > DTLS Version option
Supported platforms: FTD, except ASA 5508-X and ASA 5516-X

Feature: Site-to-site VPN IKEv2 support for multiple peers
You can now add a backup peer to a site-to-site VPN connection, for IKEv1 and IKEv2 point-to-point extranet and hub-and-spoke topologies. Previously, you could only configure backup peers for IKEv1 point-to-point topologies.
New/modified pages: Devices > VPN > Site to Site > add or edit a point to point or hub and spoke FTD VPN topology > add endpoint > IP Address field now supports comma-separated backup peers
Supported platforms: FTD

Security Policies


Feature: Usability enhancements for security policies
Version 6.6.0 makes it easier to work with access control and prefilter rules. You can now:
• Edit certain attributes of multiple access control rules in a single operation: state, action, logging, intrusion policy, and so on. In the access control policy editor, select the relevant rules, right-click, and choose Edit.
• Search access control rules by multiple parameters. In the access control policy editor, click the Search Rules text box to see your options.
• View object details and usage in an access control or prefilter rule. In the access control or prefilter policy editor, right-click the rule and choose Object Details.
Supported platforms: FMC

Feature: Object group search for access control policies
While operating, FTD devices expand access control rules into multiple access control list entries based on the contents of any network objects used in the access rule. You can reduce the memory required to search access control rules by enabling object group search.
With object group search enabled, the system does not expand network objects, but instead searches access rules for matches based on those group definitions.
Object group search does not impact how your rules are defined or how they appear in the FMC. It impacts only how the device interprets and processes them while matching connections to access control rules.
Object group search is disabled by default.
New/modified pages: Devices > Device Management > edit device > Device tab > Advanced Settings > Object Group Search option
Supported platforms: FTD

Feature: Time-based rules in access control and prefilter policies
You can now specify an absolute or recurring time or time range for a rule to be applied. The rule is applied based on the time zone of the device that processes the traffic.
New/modified pages:
• Access control and prefilter rule editors
• Devices > Platform Settings > add/edit Threat Defense policy > Time Zone
• Objects > Object Management > Time Range and Time Zone
Supported platforms: FTD


Feature: Egress optimization re-enabled
Upgrade impact.
Version 6.6.0 fixes CSCvs86257. If egress optimization was:
• Enabled but turned off, the upgrade turns it back on. (We turned off egress optimization in some Version 6.4.0.x and 6.5.0.x patches, even if the feature was enabled.)
• Manually disabled, we recommend you reenable it post-upgrade: asp inspect-dp egress-optimization.
Supported platforms: FTD

Event Logging and Analysis

Feature: New datastore improves performance
Upgrade impact.
To improve performance, Version 6.6.0 uses a new datastore for connection and Security Intelligence events.
After the upgrade finishes and the FMC reboots, historical connection and Security Intelligence events are migrated in the background, resource constrained. Depending on FMC model, system load, and how many events you have stored, this can take from a few hours up to a day.
Historical events are migrated by age, newest events first. Events that have not been migrated do not appear in query results or dashboards. If you reach the connection event database limit before the migration completes, for example, because of post-upgrade events, the oldest historical events are not migrated.
You can monitor event migration progress in the Message Center.
Supported platforms: FMC

Feature: Wildcard support when searching connection and Security Intelligence events for URLs
When searching connection and Security Intelligence events for URLs having the pattern example.com, you must now include wildcards. Specifically, use *example.com* for such searches.
Supported platforms: FMC


Feature: Monitor up to 300,000 concurrent user sessions with FTD devices
In Version 6.6.0, some FTD device models support monitoring of additional concurrent user sessions (logins):
• 300,000 sessions: Firepower 4140, 4145, 4150, 9300
• 150,000 sessions: Firepower 2140, 4112, 4115, 4120, 4125
All other devices continue to support the old limit of 64,000, except ASA FirePOWER, which is limited to 2000.
A new health module alerts you when the user identity feature's memory usage reaches a configurable threshold. You can also view a graph of the memory usage over time.
New/modified pages:
• System > Health > Policy > add or edit health policy > Snort Identity Memory Usage
• System > Health > Monitor > select a device > Graph option for the Snort Identity Memory Usage module
Supported platforms: FTD devices listed above

Feature: Integration with IBM QRadar
You can use the new Cisco Firepower app for IBM QRadar as an alternate way to display event data and help you analyze, hunt for, and investigate threats to your network. Requires eStreamer.
For more information, see the Integration Guide for the Cisco Firepower App for IBM QRadar.
Supported platforms: FMC

Administration and Troubleshooting


Feature: New options for deploying configuration changes
The Deploy button on the FMC menu bar is now a menu, with options that add the following functionality:
• Status: For each device, the system displays whether changes need to be deployed; whether there are warnings or errors you should resolve before you deploy; and whether your last deploy is in process, failed, or completed successfully.
• Preview: See all applicable policy and object changes you have made since you last deployed to the device.
• Selective deploy: Choose from the policies and configurations you want to deploy to a managed device.
• Deploy time estimate: Display an estimate of how long it will take to deploy to a particular device. You can display estimates for a full deploy, as well as for specific policies and configurations.
• History: View details of previous deploys.
New/modified pages:
• Deploy > Deployment
• Deploy > Deployment History
Supported platforms: FMC

Feature: Initial configuration updates the VDB and schedules SRU updates
On new and reimaged FMCs, the setup process now:
• Downloads and installs the latest vulnerability database (VDB) update.
• Enables daily intrusion rule (SRU) downloads. Note that the setup process does not enable auto-deploy after these downloads, although you can change this setting.
Upgraded FMCs are not affected.
New/modified pages:
• System > Updates > Product Updates (VDB updates)
• System > Updates > Rule Updates (SRU updates)
Supported platforms: FMC

Feature: VDB match no longer required to restore FMC
Restoring an FMC from backup no longer requires the same VDB on the replacement FMC. However, restoring does now replace the existing VDB with the VDB in the backup file.
Supported platforms: FMC


Feature: HTTPS certificates with subject alternative name (SAN)
You can now request an HTTPS server certificate that secures multiple domain names or IP addresses by using SAN. For more information on SAN, see RFC 5280, section 4.2.1.6.
New/modified pages: System > Configuration > HTTPS Certificate > Generate New CSR > Subject Alternative Name fields
Supported platforms: FMC

Feature: Real names associated with FMC user accounts
You can now specify a real name when you create or modify an FMC user account. This can be a person's name, department, or other identifying attribute.
New/modified pages: System > Users > Users > Real Name field.
Supported platforms: FMC

Feature: Cisco Support Diagnostics on additional FTD platforms
Upgrade impact.
Cisco Support Diagnostics is now fully supported on all FMCs and FTD devices. Previously, support was limited to FMCs, Firepower 4100/9300 with FTD, and FTDv for Azure.
Supported platforms: FMC, FTD

Usability

Feature: Light theme
The FMC now defaults to the Light theme, which was introduced as a Beta feature in Version 6.5.0. Upgrading to Version 6.6.0 automatically switches you to the Light theme. You can switch back to the Classic theme in your user preferences.
Although we cannot respond to everybody, we welcome feedback on the Light theme. Use the feedback link on the User Preferences page or contact us at [email protected].
Supported platforms: FMC

Feature: Display time remaining for upgrades
The FMC's Message Center now displays approximately how much time remains until an upgrade will complete. This does not include reboot time.
New/modified pages: Message Center
Supported platforms: FMC

Security and Hardening


Feature: Default HTTPS server certificate renewals have 800-day lifespans
Upgrade impact.
Unless the current default HTTPS server certificate already has an 800-day lifespan, upgrading to Version 6.6.0 renews the certificate, which now expires 800 days from the date of the upgrade. All future renewals have an 800-day lifespan.
Your old certificate was set to expire depending on when it was generated.
Supported platforms: FMC

Firepower Management Center REST API

Feature: New REST API capabilities
Added the following REST API services to support Version 6.6.0 features:
• bgp, bgpgeneralsettings, ospfinterface, ospfv2routes, ospfv3interfaces, ospfv3routes, virtualrouters, routemaps, ipv4prefixlists, ipv6prefixlists, aspathlists, communitylists, extendedcommunitylists, standardaccesslists, standardcommunitylists, policylists: Routing
• virtualrouters, virtualipv4staticroutes, virtualipv6staticroutes, virtualstaticroutes: Virtual routing
• timeranges, globaltimezones, timezoneobjects: Time-based rules
• commands: Run a limited set of CLI commands from the REST API
• pendingchanges: Deploy improvements
Added the following REST API services to support older features:
• intrusionrules, intrusionpolicies: Intrusion policies
Supported platforms: FMC


Feature: Changed REST API service name for extended access lists
Upgrade impact.
The extendedaccesslist (singular) service in the FMC REST API is now extendedaccesslists (plural). Make sure you update your client. Using the old service name fails and returns an Invalid URL error.
Request Type: GET
URL to retrieve the extended access list associated with a specific ID:
• Old: /api/fmc_config/v1/domain/{domainUUID}/object/extendedaccesslist/{objectId}
• New: /api/fmc_config/v1/domain/{domainUUID}/object/extendedaccesslists/{objectId}
URL to retrieve a list of all extended access lists:
• Old: /api/fmc_config/v1/domain/{domainUUID}/object/extendedaccesslist
• New: /api/fmc_config/v1/domain/{domainUUID}/object/extendedaccesslists
Supported platforms: FMC
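The rename above handled on the client side, as an added example (not Cisco's code and not part of the FMC REST API itself): it builds object URLs with the Version 6.6.0 service name, rewrites URLs that still use the old one, and turns the Invalid URL failure the row describes into a hint. The domain UUID and object ID are placeholders, and the only rename it knows is the one this row documents.

```python
"""Client-side handling of the extendedaccesslist -> extendedaccesslists rename.

Added example, not Cisco code. RENAMED_SERVICES holds only the rename the
6.6.0 release note documents; the domain UUID and object ID are placeholders.
"""
import re
from typing import Optional

# Old singular service name -> new plural name (Version 6.6.0).
RENAMED_SERVICES = {"extendedaccesslist": "extendedaccesslists"}

# Object URL layout from the release note: .../object/<service>[/<objectId>]
_OBJECT_PATH = re.compile(r"^(/api/fmc_config/v1/domain/[^/]+/object/)([^/]+)(/[^/]+)?$")


def object_url(domain_uuid: str, service: str, object_id: Optional[str] = None) -> str:
    """Build an FMC object URL, refusing a service name that 6.6.0 removed."""
    if service in RENAMED_SERVICES:
        raise ValueError(
            f"service '{service}' was renamed to '{RENAMED_SERVICES[service]}' in Version 6.6.0")
    path = f"/api/fmc_config/v1/domain/{domain_uuid}/object/{service}"
    return f"{path}/{object_id}" if object_id else path


def migrate_url(url: str) -> str:
    """Rewrite a pre-6.6.0 object URL to the new service name.

    URLs for services that were not renamed, and non-object URLs, pass through unchanged.
    """
    match = _OBJECT_PATH.match(url)
    if match is None:
        return url
    prefix, service, rest = match.group(1), match.group(2), match.group(3) or ""
    return f"{prefix}{RENAMED_SERVICES.get(service, service)}{rest}"


def explain_failure(url: str, error_message: str) -> Optional[str]:
    """If a request failed with the 'Invalid URL' error and its path uses a
    renamed service, return the URL the client should retry with."""
    if "Invalid URL" not in error_message:
        return None
    fixed = migrate_url(url)
    if fixed == url:
        return None
    return f"service name deprecated in 6.6.0; retry with {fixed}"


if __name__ == "__main__":
    domain = "DOMAIN-UUID-PLACEHOLDER"   # constructed placeholder, not a real domain UUID
    old = f"/api/fmc_config/v1/domain/{domain}/object/extendedaccesslist/OBJECT-ID-PLACEHOLDER"
    print(migrate_url(old))
    print(explain_failure(old, "Invalid URL"))
    print(object_url(domain, "extendedaccesslists"))
```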

Deprecated Features in FMC Version 6.6.0


Table 19:

Feature Upgrade Impact Description

Feature: Lower-memory instances for cloud-based FMCv deployments
Upgrade impact: Upgrade prohibited.
For performance reasons, the following FMCv instances are no longer supported:
• c3.xlarge on AWS
• c3.2xlarge on AWS
• c4.xlarge on AWS
• c4.2xlarge on AWS
• Standard_D3_v2 on Azure
You must resize before you upgrade to Version 6.6.0+. For more information, see the Version 6.6.0 upgrade guidelines.
Additionally, as of the Version 6.6.0 release, lower-memory instance types for cloud-based FMCv deployments are fully deprecated. You cannot create new FMCv instances using them, even for earlier Firepower versions. You can continue running existing instances.


Feature: e1000 Interfaces on FTDv for VMware
Upgrade impact: Prevents upgrade.
Version 6.6.0 ends support for e1000 interfaces on FTDv for VMware. You cannot upgrade until you switch to vmxnet3 or ixgbe interfaces. Or, you can deploy a new device.
For more information, see the Cisco Firepower Threat Defense Virtual for VMware Getting Started Guide.

Feature: Less secure Diffie-Hellman groups, and encryption and hash algorithms
Upgrade impact: None, but you should switch now.
Version 6.6.0 deprecates the following FTD features:
• Diffie-Hellman groups: 2, 5, and 24.
• Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls.
• Hash algorithms: MD5.
These features are removed in Version 6.7.0. Avoid configuring them in IKE proposals or IPSec policies for use in VPNs. Change to stronger options as soon as possible.
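A pre-upgrade audit for the deprecations listed above and their removal in Version 6.7.0 (the matching row under Deprecated Features in FMC Version 6.7.0), as an added example that is not Cisco's code. The IKE policy and IPsec proposal objects are a constructed stand-in for an FMC configuration, not the FMC schema; the severity rules follow the two release notes: DH group 5 on IKEv1 stays supported but is flagged for change, NULL encryption is flagged only in IKEv2 policies, and DES is not flagged for deployments that do not satisfy export controls.

```python
"""Pre-upgrade audit of FTD VPN crypto settings.

Added example, not Cisco code. It applies the deprecation (6.6.0) and removal
(6.7.0) lists from the release notes to constructed IKE policy / IPsec
proposal objects. The CryptoObject layout is an assumption, not the FMC schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DEPRECATED_DH_GROUPS = {2, 5, 24}
DEPRECATED_ENCRYPTION = {"DES", "3DES", "AES-GMAC", "AES-GMAC-192", "AES-GMAC-256"}
DEPRECATED_HASHES = {"MD5"}

BLOCK = "blocks upgrade"
WARN = "still supported, change recommended"


@dataclass
class CryptoObject:
    name: str
    kind: str                      # "ike_policy" or "ipsec_proposal"
    ike_version: int               # 1 or 2
    dh_groups: Set[int] = field(default_factory=set)
    encryption: Set[str] = field(default_factory=set)
    hashes: Set[str] = field(default_factory=set)


def audit(obj: CryptoObject, strong_crypto: bool = True) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one object.

    strong_crypto=False models a deployment that does not satisfy export
    controls, where DES remains the only option and is therefore not flagged.
    """
    findings = []
    for group in sorted(obj.dh_groups & DEPRECATED_DH_GROUPS):
        if group == 5 and obj.ike_version == 1:
            findings.append((WARN, f"{obj.name}: DH group 5 on IKEv1"))
        else:
            findings.append((BLOCK, f"{obj.name}: DH group {group}"))
    for alg in sorted(obj.encryption & DEPRECATED_ENCRYPTION):
        if alg == "DES" and not strong_crypto:
            continue
        findings.append((BLOCK, f"{obj.name}: encryption {alg}"))
    if "NULL" in obj.encryption and obj.kind == "ike_policy" and obj.ike_version == 2:
        # NULL stays supported in IPsec proposals (IKEv1 and IKEv2), not in IKEv2 policies.
        findings.append((BLOCK, f"{obj.name}: NULL encryption in an IKEv2 policy"))
    for alg in sorted(obj.hashes & DEPRECATED_HASHES):
        findings.append((BLOCK, f"{obj.name}: hash {alg}"))
    return findings


def audit_all(objects: List[CryptoObject], strong_crypto: bool = True) -> Dict[str, List[str]]:
    """Group findings across objects so blocking items can be fixed first."""
    report: Dict[str, List[str]] = {BLOCK: [], WARN: []}
    for obj in objects:
        for severity, message in audit(obj, strong_crypto):
            report[severity].append(message)
    return report


# Constructed sample configuration (not exported from a real FMC).
SAMPLE_OBJECTS = [
    CryptoObject("legacy-ikev1", "ike_policy", 1, {2, 5}, {"3DES"}, {"MD5"}),
    CryptoObject("ikev2-lab", "ike_policy", 2, {14}, {"NULL", "AES-256"}, {"SHA-256"}),
    CryptoObject("ikev2-ipsec", "ipsec_proposal", 2, set(), {"NULL", "AES-GMAC-256"}, set()),
    CryptoObject("modern", "ike_policy", 2, {19}, {"AES-GCM-256"}, {"SHA-512"}),
]


def upgrade_ready(objects: List[CryptoObject] = SAMPLE_OBJECTS, strong_crypto: bool = True) -> bool:
    """True when nothing in the configuration would block the 6.7.0 upgrade."""
    return not audit_all(objects, strong_crypto)[BLOCK]


if __name__ == "__main__":
    for severity, messages in audit_all(SAMPLE_OBJECTS).items():
        for message in messages:
            print(f"[{severity}] {message}")
    print("ready for 6.7.0 upgrade:", upgrade_ready())
```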

Feature: Custom tables for connection events
Upgrade impact: You should delete unsupported custom tables.
Version 6.6.0 ends support for custom tables for connection and Security Intelligence events. After you upgrade, existing custom tables for those events are still 'available' but return no results. We recommend you delete them.
There is no change to other types of custom tables.
Deprecated options:
• Analysis > Advanced > Custom Tables > click Create Custom Table > Tables drop-down list > Connection Events and Security Intelligence Events

Feature: Ability to delete connection events from the event viewer
Upgrade impact: None.
Version 6.6.0 ends support for deleting connection and Security Intelligence events from the event viewer. To purge the database, select System > Tools > Data Purge.
Deprecated options:
• Analysis > Connections > Events > Delete and Delete All
• Analysis > Connections > Security Intelligence Events > Delete and Delete All

Version 6.5.0
New Features in FMC Version 6.5.0
Table 20:

Feature Description

Hardware and Virtual Appliances

Feature: FTD on the Firepower 1150
We introduced the Firepower 1150.

Feature: Larger instances for FTDv for Azure
Firepower Threat Defense Virtual on Microsoft Azure now supports larger instances: D4_v2 and D5_v2.

Feature: FMCv 300 for VMware
We introduced the FMCv 300, a larger Firepower Management Center Virtual for VMware. It can manage up to 300 devices, compared to 25 devices for other FMCv instances.
You can use the FMC model migration feature to switch to the FMCv 300 from a less powerful platform.

Feature: VMware vSphere/VMware ESXi 6.7 support
You can now deploy FMCv, FTDv, and NGIPSv virtual appliances on VMware vSphere/VMware ESXi 6.7.

Firepower Threat Defense

Feature: Firepower 1010 hardware switch support
The Firepower 1010 now supports setting each Ethernet interface to be a switch port or a firewall interface.
New/modified pages:
• Devices > Device Management > Interfaces
• Devices > Device Management > Interfaces > Edit Physical Interface
• Devices > Device Management > Interfaces > Add VLAN Interface
Supported platforms: Firepower 1010

Feature: Firepower 1010 PoE+ support on Ethernet 1/7 and Ethernet 1/8
The Firepower 1010 now supports Power over Ethernet+ (PoE+) on Ethernet 1/7 and Ethernet 1/8.
New/modified pages: Devices > Device Management > Interfaces > Edit Physical Interface > PoE
Supported platforms: Firepower 1010


Feature: Carrier-grade NAT enhancements
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888).
New/modified pages: Devices > NAT > add/edit FTD NAT policy > add/edit NAT rule > PAT Pool tab > Block Allocation option
Supported platforms: FTD

Feature: TLS crypto acceleration for multiple container instances on Firepower 4100/9300
TLS crypto acceleration is now supported on multiple container instances (up to 16) on a Firepower 4100/9300 chassis. Previously, you could enable TLS crypto acceleration for only one container instance per module/security engine.
New instances have this feature enabled by default. However, the upgrade does not enable acceleration on existing instances. Instead, use the create hw-crypto and scope hw-crypto CLI commands. For more information, see the Cisco Firepower 4100/9300 FXOS Command Reference.
New FXOS CLI commands:
• create hw-crypto
• delete hw-crypto
• scope hw-crypto
• show hw-crypto
Removed FXOS CLI commands:
• show hwCrypto (replaced by show hw-crypto)
• config hwCrypto
Removed FTD CLI commands:
• show crypto accelerator status
Supported platforms: Firepower 4100/9300

Security Policies

Feature: Access control rule filtering
You can now filter access control rules based on search criteria.
New/modified pages: Policies > Access Control > Access Control > add/edit policy > filter button ('show only rules matching filter criteria')
Supported platforms: FMC


Feature: Dispute URL category or reputation
You can now dispute the category or reputation of a URL.
New/modified pages:
• Analysis > Connection Events > right-click a category or reputation > Dispute
• Analysis > Advanced > URL > search for URL > Dispute button
• System > Integration > Cloud Services > Dispute link
Supported platforms: FMC

Feature: User control with destination-based Security Group Tags (SGT)
You can now use ISE SGT tags for both source and destination matching criteria in access control rules. SGT tags are tag-to-host/network mappings obtained by ISE.
New connection event fields:
• Destination SGT (syslog: DestinationSecurityGroupTag): SGT attribute for the connection responder.
Renamed connection event fields:
• Source SGT (syslog: SourceSecurityGroupTag): SGT attribute for the connection initiator. Replaces Security Group Tag (syslog: SecurityGroup).
New/modified pages: System > Integration > Identity Sources > Identity Services Engine > Subscribe to Session Directory Topic and SXP Topic options
Supported platforms: Any

Feature: Cisco Firepower User Agent Version 2.5 integration
We released Version 2.5 of the Cisco Firepower User Agent, which you can integrate with Firepower Versions 6.4.0 through 6.6.x.
Note: Version 6.6.0/6.6.x is the last release to support the Cisco Firepower User Agent software as an identity source. You cannot upgrade an FMC with user agent configurations to Version 6.7.0+. You should switch to Cisco Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC). This will also allow you to take advantage of features that are not available with the user agent. To convert your license, contact Sales. For more information, see the End-of-Life and End-of-Support for the Cisco Firepower User Agent announcement and the Firepower User Identity: Migrating from User Agent to Identity Services Engine TechNote.
New/modified FMC CLI commands: configure user-agent
Supported platforms: FMC


Event Logging and Analysis

Feature: Cisco Threat Intelligence Director (TID) priorities
Description: TID blocking/monitoring observable actions now have priority over blocking/monitoring with Security Intelligence Block lists.
If you configure the Block TID observable action, even if the traffic also matches a Security Intelligence Block list set to Block:
• The Security Intelligence category in the connection event is a variant of TID Block.
• The system generates a TID incident with an action taken of Blocked.

If you configure the Monitor TID observable action, even if the traffic also matches a Security Intelligence Block list set to Monitor:
• The Security Intelligence category in the connection event is a variant of TID Monitor.
• The system generates a TID incident with an action taken of Monitored.

Previously, in each of these cases, the system reported the category by analysis and did not generate a TID incident.
Note: The system still effectively handles traffic as before. Traffic that was blocked before is still blocked, and monitored traffic is still monitored. This simply changes which component gets the 'credit.' You may also see more TID incidents generated.
For complete information on system behavior when you enable both Security Intelligence and TID, see the TID-Firepower Management Center Action Prioritization information in the Firepower Management Center Configuration Guide.
Supported platforms: FMC

Feature: 'Packet profile' CLI commands
Description: You can now use the FTD CLI to obtain statistics on how the device handled network traffic. That is, how many packets were fastpathed by a prefilter policy, offloaded as a large flow, fully evaluated by access control (Snort), and so on.
New FTD CLI commands:
• asp packet-profile
• no asp packet-profile
• show asp packet-profile
• clear asp packet-profile

Supported platforms: FTD

Feature: Additional event types for Cisco SecureX threat response
Description: Firepower can now send file and malware events to Cisco SecureX threat response, as well as high priority connection events — those related to intrusion, file, malware, and Security Intelligence events.
Note that the FMC web interface refers to this offering as Cisco Threat Response (CTR).
New/modified pages: System > Integration > Cloud Services.
Supported platforms: FTD (via syslog or direct integration) and Classic (via syslog) devices

Administration and Troubleshooting

Feature: Precision Time Protocol (PTP) configuration for ISA 3000 devices
Description: You can use FlexConfig to configure the Precision Time Protocol (PTP) on ISA 3000 devices. PTP is a time-synchronization protocol developed to synchronize the clocks of various devices in a packet-based network. The protocol is designed specifically for industrial, networked measurement and control systems.
We now allow you to include the ptp (interface mode) command, and the global commands ptp mode e2etransparent and ptp domain, in FlexConfig objects.
New/modified commands: show ptp
Supported platforms: ISA 3000 with FTD

Feature: Configure more domains (multitenancy)
Description: When implementing multitenancy (segment user access to managed devices, configurations, and events), you can create up to 100 subdomains under a top-level Global domain, in two or three levels. The previous maximum was 50 domains.
Supported platforms: FMC

Feature: ISE Connection Status Monitor enhancements
Description: The ISE Connection Status Monitor health module now alerts you to issues with TrustSec SXP (SGT Exchange Protocol) subscription status.
Supported platforms: FMC

Feature: Regional clouds
Description: Upgrade impact.
If you use the Cisco Threat Response integration, Cisco Support Diagnostics, or Cisco Success Network features, you can now select a regional cloud.
By default, the upgrade assigns you to the US (North America) region.
New/modified pages: System > Integration > Cloud Services
Supported platforms: FMC, FTD

Feature: Cisco Support Diagnostics
Description: Upgrade impact.
Cisco Support Diagnostics (sometimes called Cisco Proactive Support) sends configuration and operational health data to Cisco, and processes that data through our automated problem detection system, allowing us to proactively notify you of issues. This feature also allows Cisco TAC to collect essential information from your devices during the course of a TAC case.
During initial setup and upgrades, you may be asked to enroll. You can also change your enrollment at any time.
In Version 6.5.0, Cisco Support Diagnostics support is limited to select platforms.
New/modified pages:
• System > Smart Licenses
• System > Smart Licenses > Register

Supported platforms: FMC, Firepower 4100/9300, FTDv for Azure

Feature: FMC model migration
Description: You can now use the backup and restore feature to migrate configurations and events between FMCs, even if they are not the same model. This makes it easier to replace FMCs due to technical or business reasons such as a growing organization, migration from a physical to a virtual implementation, hardware refresh, and so on.
In general, you can migrate from a lower-end to a higher-end FMC, but not the reverse. Migration from KVM and Microsoft Azure is not supported. You must also unregister and reregister with Cisco Smart Software Manager (CSSM).
For details, including supported target and destination models, see the Firepower Management Center Model Migration Guide.
Supported platforms: FMC

Security and Hardening

Feature: Secure erase for appliance components on FXOS-based FTD devices
Description: You can now use the FXOS CLI to securely erase a specified appliance component.
New FXOS CLI commands: erase secure
Supported platforms: Firepower 1000/2000 and Firepower 4100/9300

Feature: Stricter password requirements for FMC admin accounts during initial setup
Description: FMC initial setup now requires that you choose a 'strong' password for admin accounts. The setup process applies this strong password to both the FMC web interface and CLI admin accounts.
Note: Upgrading to Version 6.5.0+ does not force you to change weak passwords to strong passwords. With the exception of LOM users on physical FMCs (and this does include the admin user), you are not prohibited from choosing a new weak password. However, we do recommend that all Firepower user accounts — especially those with Admin access — have strong passwords.

Supported platforms: FMC

Feature: Concurrent user session limits
Description: You can now limit the number of users that can be logged into the FMC at the same time. You can limit concurrent sessions for users with read only roles, read/write roles, or both. Note that CLI users are limited by the read/write setting.
New/modified pages: System > Configuration > User Configuration > Max Concurrent Sessions Allowed options
Supported platforms: FMC

Feature: Authenticated NTP servers
Description: You can now configure secure communications between the FMC and NTP servers using SHA1 or MD5 symmetric key authentication. For system security, we recommend using this feature.
New/modified pages: System > Configuration > Time Synchronization
Supported platforms: FMC
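To show what SHA1/MD5 symmetric-key NTP authentication protects, the following is an added example (not Cisco code): it computes the RFC 5905 MAC (key ID followed by digest of key || NTP header) over a constructed NTP header and verifies it against a key table, rejecting tampered packets and unknown key IDs. The key ID, key bytes and packet contents are sample values.

```python
"""NTP symmetric-key authentication, RFC 5905 section 7.3 (added example).

The MAC appended to an NTP packet is: 4-byte key ID || digest(key || header).
MD5 gives a 20-byte MAC, SHA1 a 24-byte MAC. All values below are constructed.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48  # fixed header; this example assumes no extension fields
DIGEST = {"md5": hashlib.md5, "sha1": hashlib.sha1}
MAC_LEN = {"md5": 4 + 16, "sha1": 4 + 20}


def sample_header() -> bytes:
    """Constructed 48-byte NTPv4 client header (LI=0, VN=4, mode=3)."""
    first = bytes([0x23, 0x00, 0x06, 0xEC])  # LI/VN/mode, stratum, poll, precision
    root = b"\x00" * 8                       # root delay, root dispersion
    ref_id = b"LOCL"
    stamps = struct.pack("!QQQQ", 0, 0, 0, 0xE8A5F2B100000000)  # ref/orig/recv/xmit
    return first + root + ref_id + stamps


def ntp_mac(header: bytes, key_id: int, key: bytes, algo: str) -> bytes:
    """Return key_id || digest(key || header), the MAC both peers compute."""
    if len(header) < NTP_HEADER_LEN:
        raise ValueError("NTP header must be at least 48 bytes")
    digest = DIGEST[algo](key + header).digest()
    return struct.pack("!I", key_id) + digest


def sign_packet(header: bytes, key_id: int, key: bytes, algo: str) -> bytes:
    """Append the MAC to an outgoing packet."""
    return header + ntp_mac(header, key_id, key, algo)


def verify_packet(packet: bytes, trusted_keys: dict) -> bool:
    """Verify a received packet against the configured key table.

    trusted_keys maps key_id -> (algo, key). The MAC length selects the
    digest; unknown key IDs, algorithm mismatches and bad lengths fail closed.
    """
    for algo, mac_len in MAC_LEN.items():
        if len(packet) - NTP_HEADER_LEN != mac_len:
            continue
        header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
        key_id = struct.unpack("!I", mac[:4])[0]
        entry = trusted_keys.get(key_id)
        if entry is None or entry[0] != algo:
            return False
        expected = ntp_mac(header, key_id, entry[1], algo)
        return hmac.compare_digest(mac, expected)  # constant-time comparison
    return False


if __name__ == "__main__":
    key_table = {7: ("sha1", b"constructed-shared-secret")}  # sample key ID 7
    pkt = sign_packet(sample_header(), 7, b"constructed-shared-secret", "sha1")
    print("authentic reply accepted:", verify_packet(pkt, key_table))
    # Flip one bit in the transmit timestamp: the server's time would be wrong.
    forged = pkt[:40] + bytes([pkt[40] ^ 0x01]) + pkt[41:]
    print("tampered reply accepted:", verify_packet(forged, key_table))
```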

Usability and Performance

Feature: Improved initial configuration experience
Description: On new and reimaged FMCs, a wizard replaces the previous initial setup process. If you use the GUI wizard, when initial setup completes, the FMC displays the device management page so that you can immediately begin licensing and setting up your deployment.
The setup process also automatically schedules the following:
• Software downloads. The system creates a weekly scheduled task to download (but not install) software patches and publicly available hotfixes that apply to your deployment.
• FMC configuration-only backups. The system creates a weekly scheduled task to back up FMC configurations and store them locally.
• GeoDB updates. The system enables weekly geolocation database updates.

These tasks are scheduled in UTC, which means that when they occur locally depends on the date and your specific location. Also, because tasks are scheduled in UTC, they do not adjust for Daylight Saving Time, summer time, or any such seasonal adjustments that you may observe in your location. If you are affected, scheduled tasks occur one hour "later" in the summer than in the winter, according to local time.
Note: We strongly recommend you review the auto-scheduled tasks/GeoDB updates and adjust them if necessary.
Upgraded FMCs are not affected. For details on the initial configuration wizard, see the Getting Started Guide for your FMC model; for details on scheduled tasks, see the Firepower Management Center Configuration Guide.
Supported platforms: FMC

Feature: Light theme
Description: Beta.
The FMC web interface defaults to the Classic theme, but you can also choose a new Light theme.
Note: The Light theme is a Beta feature. You may see misaligned text or other UI elements. In some cases, you may also experience slower-than-normal response times. If you encounter issues that prevent you from using a page or feature, switch back to the Classic theme. Although we cannot respond to everybody, we also welcome feedback — please use the feedback link on the User Preferences page or contact us at [email protected].
New/modified pages: User Preferences, from the drop-down list under your username
Supported platforms: FMC

Feature: Usability enhancements for viewing objects
Description: We have enhanced 'view object' capabilities for network, port, VLAN, and URL objects, as follows:
• In the access control policy and while configuring FTD routing, you can right-click an object and choose View Objects to display details about that object.
• When you are viewing details about an object, or when you are browsing objects in the object manager, clicking Find Usage (binoculars icon) now allows you to drill down into object groups and nested objects.

New/modified pages:
• Objects > Object Management > choose a supported object type > Find Usage (binoculars icon)
• Policies > Access Control > Access Control > create or edit policy > create or edit rule > choose a supported condition type > right-click an object > View Objects
• Devices > Device Management > edit FTD device > Routing > right-click a supported object > View Objects

Supported platforms: FMC

Feature: Usability enhancements for deploying configuration changes
Description: We streamlined the display of errors and warnings related to deploying configuration changes. Instead of an immediate verbose view, you can now Click to view all details to see more information about a particular error or warning.
New/modified pages: Errors and Warnings for Requested Deployment dialog box
Supported platforms: FMC

Feature: Usability enhancements to FTD NAT policy management
Description: When configuring FTD NAT, you can now:
• View warnings and errors in your NAT policy, by device. Warnings and errors mark configurations that could adversely affect traffic flow or prevent the policy from deploying.
• Display up to 1000 NAT rules per page. The default is 100.

New/modified pages: Devices > NAT > create or edit FTD NAT policy > Show Warnings and Rules Per Page options
Supported platforms: FTD

Firepower Management Center REST API

Feature: New REST API capabilities
Description: Added the following REST API objects to support Version 6.5.0 features:
• cloudregions: Regional clouds

Added the following REST API objects to support older features:
• categories: Categories for access control rules
• domain, inheritancesettings: Domains and policy inheritance
• prefilterpolicies, prefilterrules, tunneltags: Prefilter policies
• vlaninterfaces: VLAN interfaces

Supported platforms: FMC

New Features in FMC Version 6.5.0 Patches


Table 21:

Feature | Description

Feature: Version 6.5.0.5 Default HTTPS server certificates
Description: Upgrade impact.
Unless the FMC's current default HTTPS server certificate already has an 800-day lifespan, upgrading to Version 6.5.0.5+ renews the certificate, which now expires 800 days from the date of the upgrade. All future renewals have an 800 day lifespan.
Your old certificate was set to expire depending on when it was generated, as follows:
• 6.5.0 to 6.5.0.4: 3 years
• 6.4.0.9 and later patches: 800 days
• 6.4.0 to 6.4.0.8: 3 years
• 6.3.0 and all patches: 3 years
• 6.2.3: 20 years

Deprecated Features in FMC Version 6.5.0


Table 22:

Feature | Upgrade Impact | Description

Feature: Ability to disable the FMC CLI
Upgrade impact: None.
Description: Version 6.3.0 introduced the FMC CLI, which you had to explicitly enable. In Version 6.5.0, the FMC CLI is automatically enabled, for both new and upgraded deployments. If you want to access the Linux shell (also called expert mode), you must log in to the CLI and then use the expert command.
Caution: We recommend you do not access Firepower appliances using the shell, unless directed by Cisco TAC.
Deprecated options: System > Configuration > Console Configuration > Enable CLI access check box

Feature: MD5 authentication algorithm and DES encryption for SNMPv3 users (deprecated)
Upgrade impact: None, but you should switch now.
Description: Version 6.5.0 deprecates the MD5 authentication algorithm and DES encryption for SNMPv3 users on FTD devices. Although these configurations continue to work post-upgrade, the system displays a warning when you deploy. And, you cannot create new users or edit existing users with these options. Support will be removed in a future release. If you are still using these options in your platform settings policy, we recommend you switch to stronger options now.
New/modified screens: Devices > Platform Settings > SNMP > Users

Feature: TLS 1.0 & 1.1
Upgrade impact: Client may fail to connect with an upgraded appliance.
Description: To enhance security:
• Captive portal (active authentication) has removed support for TLS 1.0.
• Host input has removed support for TLS 1.0 and TLS 1.1.

If your client fails to connect with a Firepower appliance, we recommend you upgrade your client to support TLS 1.2.

Feature: TLS crypto acceleration CLI commands for Firepower 4100/9300
Upgrade impact: None.
Description: As part of allowing TLS crypto acceleration for multiple FXOS container instances on Firepower 4100/9300, we removed the following FXOS CLI commands:
• show hwCrypto
• config hwCrypto

And this FTD CLI command:
• show crypto accelerator status

For information on their replacements, see the new feature documentation.

Feature: Cisco Security Packet Analyzer integration
Upgrade impact: None, but integration is no longer supported.
Description: Version 6.5.0 ends support for FMC integration with Cisco Security Packet Analyzer.
Deprecated screens/options:
• System > Integration > Packet Analyzer
• Analysis > Advanced > Packet Analyzer Queries
• Query Packet Analyzer when right-clicking on an event in the dashboard or event viewer

Feature: Default HTTPS server certificates
Upgrade impact: None.
Description: If you are upgrading from Version 6.4.0.9+, the default HTTPS server certificate's lifespan-on-renew returns to 3 years, but this is again updated to 800 days in Version 6.6.0+.
Your current default HTTPS server certificate is set to expire depending on when it was generated, as follows:
• 6.4.0.9 and later patches: 800 days
• 6.4.0 to 6.4.0.8: 3 years
• 6.3.0 and all patches: 3 years
• 6.2.3: 20 years

Feature: Firepower Management Center models FMC 750, 1500, 3500
Upgrade impact: Upgrade prohibited.
Description: You cannot upgrade to or freshly install Version 6.5.0+ of the Firepower Management Center software on the FMC 750, FMC 1500, and FMC 3500. You cannot manage Version 6.5.0+ devices with these FMCs.

Feature: ASA 5515-X and ASA 5585-X series devices with Firepower software
Upgrade impact: Upgrade prohibited.
Description: You cannot upgrade to or freshly install Version 6.5.0+ of the Firepower software (both FTD and ASA FirePOWER) on ASA 5515-X and ASA 5585-X series devices (SSP-10, -20, -40, and -60).

Feature: Firepower 7000/8000 series devices
Upgrade impact: Upgrade prohibited.
Description: You cannot upgrade to or freshly install Version 6.5.0+ of the Firepower software on Firepower 7000/8000 series devices, including AMP models.

Version 6.4.0
New Features in FMC Version 6.4.0
Table 23:

Feature | Description

Hardware and Virtual Appliances

Feature: FMC models FMC 1600, 2600, and 4600
Description: We introduced the Firepower Management Center models FMC 1600, 2600, and 4600.

Feature: FMCv on Azure
Description: We introduced Firepower Management Center Virtual for Microsoft Azure.

Feature: FTD on the Firepower 1010, 1120, and 1140
Description: We introduced the Firepower 1010, 1120, and 1140.

Feature: FTD on the Firepower 4115, 4125, and 4145
Description: We introduced the Firepower 4115, 4125, and 4145.

Feature: Firepower 9300 SM-40, SM-48, and SM-56 support
Description: We introduced three new security modules: SM-40, SM-48, and SM-56. With FXOS 2.6.1, you can mix different types of security modules in the same chassis.

Feature: ASA and FTD on the same Firepower 9300
Description: With FXOS 2.6.1, you can now deploy ASA and FTD logical devices on the same Firepower 9300.

Firepower Threat Defense: Device Management

Feature: FTDv for VMware defaults to vmxnet3 interfaces
Description: FTDv for VMware now defaults to vmxnet3 interfaces when you create a virtual device. Previously, the default was e1000. The vmxnet3 device drivers and network processing are integrated with the ESXi hypervisor, so they use fewer resources and offer better network performance.
Note: Version 6.6.0 ends support for e1000 interfaces. You will not be able to upgrade to Version 6.6.0+ until you switch to vmxnet3 or ixgbe interfaces. We recommend you do this now. For more information, refer to the instructions on adding and configuring VMware interfaces in the Cisco Firepower Threat Defense Virtual for VMware Getting Started Guide.
Supported platforms: FTDv for VMware

Firepower Threat Defense: Routing

Feature: Rotating (keychain) authentication for OSPFv2 routing
Description: You can now use rotating (keychain) authentication when configuring OSPFv2 routing.
New/modified pages:
• Objects > Object Management > Key Chain object
• Devices > Device Management > edit device > Routing tab > OSPF settings > Interface tab > add/edit interface > Authentication option
• Devices > Device Management > edit device > Routing tab > OSPF settings > Area tab > add/edit area > Virtual Link sub-tab > add/edit virtual link > Authentication option

Supported platforms: FTD

Firepower Threat Defense: Encryption and VPN

Feature: RA VPN: Secondary authentication
Description: Secondary authentication, also called double authentication, adds an additional layer of security to RA VPN connections by using two different authentication servers. With secondary authentication enabled, AnyConnect VPN users must provide two sets of credentials to log in to the VPN gateway.
RA VPN supports secondary authentication for the AAA Only and Client Certificate and AAA authentication methods.
New/modified pages: Devices > VPN > Remote Access > add/edit configuration > Connection Profile > AAA area
Supported platforms: FTD

Feature: Site-to-site VPN: Dynamic IP addresses for extranet endpoints
Description: You can now configure site to site VPNs to use a dynamic IP address for extranet endpoints. In hub-and-spoke deployments, you can use a hub as an extranet endpoint.
New/modified pages: Devices > VPN > Site To Site > add/edit FTD VPN topology > Endpoints tab > add endpoint > IP Address option
Supported platforms: FTD

Feature: Site-to-site VPN: Dynamic crypto maps for point-to-point topologies
Description: You can now use dynamic crypto maps in point-to-point as well as in hub-and-spoke VPN topologies. Dynamic crypto maps are still not supported for full mesh topologies.
You specify the crypto map type when you configure a topology. Make sure you also specify a dynamic IP address for one of the peers in the topology.
New/modified pages: Devices > VPN > Site To Site > add/edit FTD VPN topology > IPsec tab > Crypto Map Type option
Supported platforms: FTD

Feature: TLS crypto acceleration
Description: Upgrade impact.
SSL hardware acceleration has been renamed TLS crypto acceleration. Depending on the device, TLS crypto acceleration might be performed in software or in hardware. The Version 6.4.0 upgrade process automatically enables acceleration on all eligible devices, even if you previously disabled the feature manually.
In most cases you cannot configure this feature; it is automatically enabled and you cannot disable it. However, if you are using the multi-instance capability of the Firepower 4100/9300 chassis, you can enable TLS crypto acceleration for one container instance per module/security engine. Acceleration is disabled for other container instances, but enabled for native instances.
New FXOS CLI commands for the Firepower 4100/9300 chassis:
• show hwCrypto
• config hwCrypto

New FTD CLI commands:
• show crypto accelerator status (replaces system support ssl-hw-status)

Removed FTD CLI commands:
• system support ssl-hw-accel
• system support ssl-hw-status

Supported platforms: Firepower 2100 series, Firepower 4100/9300

Event Logging and Analysis

Feature: Improvements to syslog messages for file and malware events
Description: Fully qualified file and malware event data can now be sent from managed devices via syslog.
New/modified pages: Policies > Access Control > Access Control > add/edit policy > Logging tab > File and Malware Settings area
Supported platforms: Any

Feature: Search intrusion events by CVE ID
Description: You can now search for intrusion events generated as a result of a particular CVE exploit.
New/modified pages: Analysis > Search
Supported platforms: FMC

Feature: IntrusionPolicy field is now included in syslog
Description: Intrusion event syslog messages now specify the intrusion policy that triggered the event.
Supported platforms: Any

Feature: Cisco SecureX threat response integration
Description: Cisco SecureX threat response is a Cisco Cloud offering that helps you rapidly detect, investigate, and respond to threats.
This feature lets you analyze incidents using data aggregated from multiple products, including Firepower Threat Defense. Note that the FMC web interface refers to this offering as Cisco Threat Response (CTR).
See the Cisco Firepower and SecureX Integration Guide.
New/modified pages: System > Integration > Cloud Services
Supported platforms: FTD

Feature: Splunk integration
Description: Splunk users can use a new, separate Splunk app, Cisco Secure Firewall (f.k.a. Firepower) App for Splunk, to analyze events. Available functionality is affected by your Firepower version.
See Cisco Firepower App for Splunk User Guide.
Supported platforms: FMC

Feature: Cisco Security Analytics and Logging (SaaS) integration
Description: You can send Firepower events to the Stealthwatch Cloud for storage, and optionally make your Firepower event data available for security analytics using Stealthwatch Cloud.
Using Cisco Security Analytics and Logging (SaaS), also known as SAL (SaaS), your Firepower devices send events as syslog messages to a Security Events Connector (SEC) installed on a virtual machine on your network, and this SEC forwards the events to the Stealthwatch cloud for storage. You view and work with your events using the web-based Cisco Defense Orchestrator (CDO) portal. Depending on the license you purchase, you can also use the Stealthwatch portal to access that product's analytics features.
See Firepower Management Center and Cisco Security Analytics and Logging (SaaS) Integration Guide.
Supported platforms: FTD with FMC

Administration and Troubleshooting

Feature: New licensing capabilities for ISA 3000
Description: For ASA FirePOWER and FTD deployments, the ISA 3000 now supports URL Filtering and Malware licenses and their associated features.
For FTD only, the ISA 3000 also now supports Specific License Reservation for approved customers.
Supported platforms: ISA 3000

Feature: Scheduled remote backups of managed devices
Description: You can now use the FMC to schedule remote backups of certain managed devices. Previously, only Firepower 7000/8000 series devices supported scheduled backups, and you had to use the device's local GUI.
New/modified pages: System > Tools > Scheduling > add/edit task > choose Job Type: Backup > choose a Backup Type
Supported platforms: FTD physical platforms, FTDv for VMware, Firepower 7000/8000 series
Exceptions: No support for FTD clustered devices or container instances
Feature: Ability to disable Duplicate Address Detection (DAD) on management interfaces
Description: When you enable IPv6, you can disable DAD. You might want to disable DAD because using DAD opens up the possibility of denial of service attacks. If you disable this setting, you need to check manually that this interface is not using an already-assigned address.
New/modified pages: System > Configuration > Management Interfaces > Interfaces area > edit interface > IPv6 DAD check box
Supported platforms: FMC, Firepower 7000/8000 series

Feature: Ability to disable ICMPv6 Echo Reply and Destination Unreachable messages on management interfaces
Description: When you enable IPv6, you can now disable ICMPv6 Echo Reply and Destination Unreachable messages. You might want to disable these packets to guard against potential denial of service attacks. Disabling Echo Reply packets means you cannot use IPv6 ping to the device management interfaces for testing purposes.
New/modified pages: System > Configuration > Management Interfaces > ICMPv6
New/modified commands:
• configure network ipv6 destination-unreachable
• configure network ipv6 echo-reply

Supported platforms: FMC (web interface only), managed devices (CLI only)

Feature: Support for the Service-Type attribute for FTD users defined on the RADIUS server
Description: For RADIUS authentication of FTD CLI users, you used to have to predefine the usernames in the RADIUS external authentication object and manually make sure that the list matched usernames defined on the RADIUS server. You can now define CLI users on the RADIUS server using the Service-Type attribute and also define both Basic and Config user roles. To use this method, be sure to leave the shell access filter blank in the external authentication object.
New/modified pages: System > Users > External Authentication tab > add/edit external authentication object > Shell Access Filter
Supported platforms: FTD

Feature: View object use
Description: The object manager now allows you to see the policies, settings, and other objects where a network, port, VLAN, or URL object is used.
New/modified pages: Objects > Object Management > choose object type > Find Usage (binoculars) icon
Supported platforms: FMC

Feature: Hit counts for access control and prefilter rules
Description: You can now access hit counts for access control and prefilter rules on your FTD devices.
New/modified pages:
• Policies > Access Control > Access Control > add/edit policy > Analyze Hit Counts
• Policies > Access Control > Prefilter > add/edit policy > Analyze Hit Counts

New commands:
• show rule hits
• clear rule hits
• cluster exec show rule hits
• cluster exec clear rule hits
• show cluster rule hits

Modified commands: show failover
Supported platforms: FTD

Feature: URL Filtering health monitor improvements
Description: You can now configure time thresholds for URL Filtering Monitor alerts.
New/modified pages: System > Health > Policy > add/edit policy > URL Filtering Monitor
Supported platforms: Any
Feature: Connection-based troubleshooting
Description: Connection-based troubleshooting or debugging provides uniform debugging across modules to collect appropriate logs for a specific connection. It also supports level-based debugging up to 7 levels and enables a uniform log collection mechanism for lina and Snort logs.
New/modified commands:
• clear packet debugs
• debug packet start
• debug packet stop
• show packet debugs

Supported platforms: FTD

Feature: New Cisco Success Network monitoring capabilities
Description: Added the following Cisco Success Network monitoring capabilities:
• CSPA (Cisco Security Packet Analyzer) query information
• Contextual cross-launch instances enabled on the FMC
• TLS/SSL inspection events
• Snort restarts

Supported platforms: FMC

Security and Hardening

Feature: Signed SRU, VDB, and GeoDB updates
Description: So Firepower can verify that you are using the correct update files, Version 6.4.0+ uses signed updates for intrusion rules (SRU), the vulnerability database (VDB), and the geolocation database (GeoDB). Earlier versions continue to use unsigned updates. Unless you manually download updates from the Cisco Support & Download site—for example, in an air-gapped deployment—you should not notice any difference in functionality.
If, however, you do manually download and install SRU, VDB, and GeoDB updates, make sure you download the correct package for your current version. Signed update files for Version 6.4.0+ begin with 'Cisco' instead of 'Sourcefire,' and terminate in .sh.REL.tar instead of .sh:
• SRU: Cisco_Firepower_SRU-date-build-vrt.sh.REL.tar
• VDB: Cisco_VDB_Fingerprint_Database-4.5.0-version.sh.REL.tar
• GeoDB: Cisco_GEODB_Update-date-build.sh.REL.tar

Update files for Version 5.x through 6.3 still use the old naming scheme:
• SRU: Sourcefire_Rule_Update-date-build-vrt.sh
• VDB: Sourcefire_VDB_Fingerprint_Database-4.5.0-version.sh
• GeoDB: Sourcefire_Geodb_Update-date-build.sh

We will provide both signed and unsigned updates until the end-of-support for versions that require unsigned updates. Do not untar signed (.tar) packages.
Note: If you accidentally upload a signed update to an older FMC or ASA FirePOWER device, you must manually delete it. Leaving the package takes up disk space, and also may cause issues with future upgrades.
Supported platforms: Any
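As an added pre-check (not Cisco tooling), the following applies the naming rules above to a manually downloaded package and tells you whether it is the signed or unsigned form and whether that form is the one your FMC version expects, so a wrong package is caught before upload rather than deleted afterwards. The date (YYYY-MM-DD) and numeric build/version layouts inside the names, and the sample file names, are assumptions.

```python
"""Pre-check for manually downloaded SRU/VDB/GeoDB packages (added example).

Rules from the release note: Version 6.4.0+ expects signed 'Cisco_*.sh.REL.tar'
files; Version 5.x through 6.3 expects unsigned 'Sourcefire_*.sh' files.
Assumed: dates are YYYY-MM-DD and build/version fields are numeric.
"""
import re
from typing import NamedTuple, Optional

SIGNED_SINCE = (6, 4, 0)  # first version that uses signed updates

# (kind, signed?) -> anchored pattern for the documented file name
PATTERNS = {
    ("SRU", True): r"^Cisco_Firepower_SRU-\d{4}-\d{2}-\d{2}-\d+-vrt\.sh\.REL\.tar$",
    ("VDB", True): r"^Cisco_VDB_Fingerprint_Database-4\.5\.0-\d+\.sh\.REL\.tar$",
    ("GeoDB", True): r"^Cisco_GEODB_Update-\d{4}-\d{2}-\d{2}-\d+\.sh\.REL\.tar$",
    ("SRU", False): r"^Sourcefire_Rule_Update-\d{4}-\d{2}-\d{2}-\d+-vrt\.sh$",
    ("VDB", False): r"^Sourcefire_VDB_Fingerprint_Database-4\.5\.0-\d+\.sh$",
    ("GeoDB", False): r"^Sourcefire_Geodb_Update-\d{4}-\d{2}-\d{2}-\d+\.sh$",
}


class Package(NamedTuple):
    kind: str      # "SRU", "VDB" or "GeoDB"
    signed: bool   # True for the .sh.REL.tar form


def classify(filename: str) -> Optional[Package]:
    """Map a file name to its documented package type, or None if it matches
    neither scheme (for example a signed package that was untarred)."""
    for (kind, signed), pattern in PATTERNS.items():
        if re.match(pattern, filename):
            return Package(kind, signed)
    return None


def parse_version(version: str) -> tuple:
    """'6.4.0.9' -> (6, 4, 0, 9); tuples compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def check(filename: str, fmc_version: str) -> str:
    """Return 'ok: ...' or 'reject: ...' for uploading filename to fmc_version."""
    pkg = classify(filename)
    if pkg is None:
        return "reject: name matches no documented SRU/VDB/GeoDB scheme (do not untar signed packages)"
    wants_signed = parse_version(fmc_version) >= SIGNED_SINCE
    if pkg.signed and not wants_signed:
        return f"reject: signed {pkg.kind} package is for Version 6.4.0+, not {fmc_version}"
    if not pkg.signed and wants_signed:
        return f"reject: unsigned {pkg.kind} package; Version {fmc_version} requires a signed one"
    form = "signed" if pkg.signed else "unsigned"
    return f"ok: {form} {pkg.kind} package for Version {fmc_version}"


if __name__ == "__main__":
    # Constructed sample names; the date and build numbers are not real releases.
    samples = [
        ("Cisco_Firepower_SRU-2019-10-16-001-vrt.sh.REL.tar", "6.4.0"),
        ("Cisco_Firepower_SRU-2019-10-16-001-vrt.sh.REL.tar", "6.3.0.3"),
        ("Sourcefire_Geodb_Update-2019-10-01-001.sh", "6.2.3"),
        ("Sourcefire_Geodb_Update-2019-10-01-001.sh", "6.5.0"),
        ("Cisco_Firepower_SRU-2019-10-16-001-vrt.sh", "6.4.0"),
    ]
    for name, version in samples:
        print(f"{name} on {version}: {check(name, version)}")
```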

Feature: SNMPv3 users can authenticate using a SHA-256 authorization algorithm
Description: SNMPv3 users can now authenticate using a SHA-256 algorithm.
New/modified screen: Devices > Platform Settings > SNMP > Users > Auth Algorithm Type
Supported platforms: Firepower Threat Defense

Feature: 2048-bit certificate keys now required (security enhancement)
Description: Upgrade impact.
When making secure connections to external data sources, such as AMP for Endpoints or Cisco Threat Intelligence Director (TID), the FMC now requires that the server certificate be generated with keys that are at least 2048 bits long. Certificates previously generated with 1024-bit keys will no longer work.
Note that this security enhancement was introduced in Version 6.3.0.3. If you are upgrading from Version 6.1.0 through 6.3.0.2, you may be affected. If you cannot connect, regenerate the server certificate on your data source. If necessary, reconfigure the FMC connection to the data source.
Supported platforms: FMC

Usability and Performance

Feature: Snort restart improvements
Description: Before Version 6.4.0, during Snort restarts, the system dropped encrypted connections that matched a 'Do not decrypt' SSL rule or default policy action. Now, routed/transparent traffic passes without inspection instead of dropping, as long as you did not disable large flow offload or Snort preserve-connection.
Supported platforms: Firepower 4100/9300

Feature: Performance improvement for selected IPS traffic
Description: Upgrade impact.
Egress optimization is a performance feature targeted for selected IPS traffic. The feature is enabled by default on all FTD platforms.
The Version 6.4.0 upgrade process enables egress optimization on eligible devices. For more information, see the Cisco Firepower Threat Defense Command Reference. To troubleshoot issues with egress optimization, contact Cisco TAC.
Supported platforms: FTD
New/modified commands:
• asp inspect-dp egress optimization
• show asp inspect-dp egress optimization
• clear asp inspect-dp egress optimization
• show conn state egress_optimization

Faster SNMP event logging
Performance improvements when sending intrusion and connection events to an external SNMP trap server.
Supported platforms: Any

Faster deploy
Improvements to appliance communications and deploy framework.
Supported platforms: FTD

Faster upgrade
Improvements to the event database.
Supported platforms: Any

Firepower Management Center REST API

New REST API capabilities
Added REST API objects to support Version 6.4.0 features:
• cloudeventsconfigs: Manage Cisco SecureX threat response integration.
• ftddevicecluster: Manage chassis clustering.
• hitcounts: Manage hit count statistics for access control and prefilter rules.
• keychain: Manage key chain objects used for rotating authentication when configuring OSPFv2 routing.
• loggingsettings: Manage logging settings for access control policies.
Supported platforms: FMC

API Explorer based on OAS
Version 6.4.0 uses a new API Explorer, based on the OpenAPI Specification (OAS). As part of the OAS, you now use CodeGen to generate sample code. You can still access the legacy API Explorer if you prefer.
Supported platforms: FMC
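As an added example (not Cisco code and not from this document), the following stdlib-only Python client obtains a session token from the FMC REST API and uses the new hitcounts resource to list the access control rules that have never matched traffic, which is the first thing a policy reviewer wants from hit counts. The host name, credentials and UUIDs are placeholders. The token endpoint and its response headers (X-auth-access-token, X-auth-refresh-token, DOMAIN_UUID) are the documented FMC ones; the hitcounts path, the deviceId filter syntax and the response field names (items, hitCount, lastHitTimeStamp, rule.name) are assumptions based on the 6.4 REST API reference and should be confirmed in the API Explorer on your own FMC. The sample response is constructed.

```python
"""Pull access control rule hit counts from the FMC REST API (Version 6.4.0+).

Added example, not Cisco code. Placeholders: the host, username, password and
UUIDs. Assumptions to verify in the API Explorer: the hitcounts path, the
deviceId filter syntax, and the response field names used in unused_rules().
"""
import base64
import json
import ssl
import urllib.request

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"


def build_token_request(host, username, password):
    """POST with HTTP basic auth; the FMC answers with an empty body and puts
    X-auth-access-token, X-auth-refresh-token and DOMAIN_UUID in the headers."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}{TOKEN_PATH}",
        method="POST",
        headers={"Authorization": f"Basic {creds}"},
    )


def session_from_headers(headers):
    """Extract what later calls need from the token response headers."""
    return {
        "access_token": headers["X-auth-access-token"],
        "refresh_token": headers["X-auth-refresh-token"],
        "domain_uuid": headers["DOMAIN_UUID"],
    }


def hitcounts_url(host, domain_uuid, policy_uuid, device_uuid, limit=1000):
    """hitcounts is a sub-resource of an access policy; counts are kept per
    device, so the deviceId filter is mandatory (assumed syntax)."""
    return (
        f"https://{host}/api/fmc_config/v1/domain/{domain_uuid}"
        f"/policy/accesspolicies/{policy_uuid}/operational/hitcounts"
        f"?filter=deviceId:{device_uuid}&expanded=true&limit={limit}"
    )


def api_get(url, access_token, verify_tls=True):
    """Authenticated GET. Disable verification only for a lab FMC that still
    runs the self-signed default certificate; otherwise install a trusted one."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"X-auth-access-token": access_token})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def unused_rules(hitcounts_page):
    """Names of rules with a zero hit count, sorted. Rules that never match are
    candidates for removal: every rule left in the policy is attack surface
    and audit effort, and a forgotten permit is the classic leftover."""
    return sorted(
        item["rule"]["name"]
        for item in hitcounts_page.get("items", [])
        if item.get("hitCount", 0) == 0
    )


# Constructed sample response in the assumed shape (not captured from an FMC).
SAMPLE_HITCOUNTS = {
    "items": [
        {"hitCount": 15320, "lastHitTimeStamp": "2021-05-20T14:03:11Z",
         "rule": {"name": "Web-Out", "id": "rule-a0", "type": "AccessRule"}},
        {"hitCount": 0, "lastHitTimeStamp": "",
         "rule": {"name": "Legacy-FTP-Allow", "id": "rule-a1", "type": "AccessRule"}},
        {"hitCount": 0, "lastHitTimeStamp": "",
         "rule": {"name": "Temp-Vendor-RDP", "id": "rule-a2", "type": "AccessRule"}},
    ]
}

if __name__ == "__main__":
    # Offline demo on the constructed data. A live run looks like:
    #   session = session_from_headers(urllib.request.urlopen(build_token_request(...)).headers)
    #   page = api_get(hitcounts_url(...), session["access_token"])
    print("never-hit rules:", unused_rules(SAMPLE_HITCOUNTS))
```

The access token is good for 30 minutes and can be refreshed a limited number of times with the refresh token, so long audits should re-authenticate rather than loop on one token; and because the FMC ships with a self-signed certificate, leave verify_tls on and trust the FMC certificate explicitly rather than disabling verification in anything that runs unattended.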

New Features in FMC Version 6.4.0 Patches


Table 24:

Feature Description

Version 6.4.0.10: Upgrades postpone scheduled tasks
Upgrade impact.
Upgrades now postpone scheduled tasks. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot.
Note: Before you begin any upgrade, you must still make sure running tasks are complete. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed.
Note that this feature is supported for Firepower appliances running Version 6.4.0.10 or any later patch. It is not supported for upgrades to Version 6.4.0.10, or upgrades that skip Version 6.4.0.10.
This feature is also not supported in Version 6.5.0, 6.6.0, or 6.6.1. It is reintroduced in Version 6.6.3 and Version 6.7.0.

Version 6.4.0.9: Default HTTPS server certificates
Upgrade impact.
Upgrading an FMC or 7000/8000 series device from Version 6.4.0–6.4.0.8 to any later Version 6.4.0.x patch (or an FMC to Version 6.6.0+) renews the default HTTPS server certificate, which expires 800 days from the date of the upgrade. All future renewals have an 800 day lifespan. Because the renewal replaces the certificate, update any browser exceptions, API clients, or monitoring tools that pin the old one.
Your old certificate was set to expire depending on when it was generated, as follows:
• 6.4.0 to 6.4.0.8: 3 years
• 6.3.0 and all patches: 3 years
• 6.2.3 and earlier: 20 years
Note that in Version 6.5.0–6.5.0.4, the lifespan-on-renew returns to 3 years, but this is again updated to 800 days with Version 6.5.0.5 and 6.6.0.

Version 6.4.0.4: New syslog fields
These new syslog fields collectively identify a unique connection event:
• Sensor UUID
• First Packet Time
• Connection Instance ID
• Connection Counter
These fields also appear in syslogs for intrusion, file, and malware events, allowing connection events to be associated with those events.

Version 6.4.0.2: Detection of rule conflicts in FTD NAT policies
Upgrade impact.
After you upgrade to Version 6.4.0.2 or a later patch, you can no longer create FTD NAT policies with conflicting rules (often referred to as duplicate or overlapping rules). This fixes an issue where conflicting NAT rules were applied out of order.
If you currently have conflicting NAT rules, you will be able to deploy post-upgrade. However, your NAT rules will continue to be applied out of order.
Therefore, we recommend that after the upgrade, you inspect your FTD NAT policies by editing (no changes are needed) and then attempting to resave. If you have rule conflicts, the system will prevent you from saving. Correct the issues, save, and then deploy.

Version 6.4.0.2: ISE Connection Status Monitor health module
A new health module, the ISE Connection Status Monitor, monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the FMC.

Deprecated Features in FMC Version 6.4.0


Table 25:

Feature Upgrade Impact Description

SSL hardware acceleration FTD CLI commands
Upgrade impact: None.
As part of the TLS crypto acceleration feature, we removed the following FTD CLI commands:
• system support ssl-hw-accel enable
• system support ssl-hw-accel disable
• system support ssl-hw-status
For information on their replacements, see the new feature documentation.

FMC menu changes
Upgrade impact: None.
These FMC pages have changed location in Version 6.4.0:
• System > Integration > Cloud Services is now System > Integration > Cisco CSI

Deprecated Features in FMC Version 6.4.0 Patches


Table 26:

Feature Upgrade Impact Description

Version 6.4.0.7: Egress optimization
Upgrade impact: Patching turns off egress optimization processing.
To mitigate CSCvq34340, patching an FTD device to Version 6.4.0.7+ turns off egress optimization processing. This happens regardless of whether the egress optimization feature is enabled or disabled.
Note: We recommend you upgrade to Version 6.6.0+, where this issue is fixed. That will turn egress optimization back on, if you left the feature 'enabled.'
If you remain at Version 6.4.0–6.4.0.6, you should manually disable egress optimization from the FTD CLI: no asp inspect-dp egress-optimization.
For more information, see the software advisory: FTD traffic outage due to 9344 block size depletion caused by the egress optimization feature.

Version 6.3.0
New Features in FMC Version 6.3.0
Table 27:

Feature Description

Hardware

FMC models FMC 1600, 2600, and 4600
We introduced the Firepower Management Center models FMC 1600, 2600, and 4600.

ISA 3000 with FirePOWER Services
ISA 3000 with FirePOWER Services is supported in Version 6.3.0 (Protection license only).
Although ISA 3000 with FirePOWER Services was also supported in Version 5.4.x, you cannot upgrade to Version 6.3.0. You must reimage.

Firepower Threat Defense: Device Management

Hardware bypass support on the Firepower 2100 series for supported network modules
Firepower 2100 series devices now support hardware bypass functionality when using the hardware bypass network modules.
New/modified pages: Devices > Device Management > Interfaces > Edit Physical Interface
Supported platforms: Firepower 2100 series

Support for data EtherChannels in On mode
You can now set data and data-sharing EtherChannels to either Active LACP mode or to On mode. Other types of EtherChannels only support Active mode.
New/modified Firepower Chassis Manager pages: Interfaces > All Interfaces > Edit Port Channel > Mode
New/modified FXOS commands: set port-channel-mode
Supported platforms: Firepower 4100/9300

Firepower Threat Defense: HA and Clustering

Multi-instance capability for Firepower 4100/9300 with FTD
You can now deploy multiple logical devices, each with a Firepower Threat Defense container instance, on a single security engine/module. Formerly, you could only deploy a single native application instance.
To provide flexible physical interface use, you can create VLAN subinterfaces in FXOS and also share interfaces between multiple instances. Resource management lets you customize performance capabilities for each instance.
You can use high availability using a container instance on 2 separate chassis. Clustering is not supported.
Note: Multi-instance capability is similar to ASA multiple context mode, although the implementation is different. Multiple context mode is not available for FTD.
New/modified FMC pages: Devices > Device Management > edit device > Interfaces tab
New/modified Firepower Chassis Manager pages:
• Overview > Devices
• Interfaces > All Interfaces > Add New drop-down menu > Subinterface
• Interfaces > All Interfaces > Type
• Logical Devices > Add Device
• Platform Settings > Mac Pool
• Platform Settings > Resource Profiles
New/modified FXOS commands: connect ftd name, connect module telnet, create bootstrap-key PERMIT_EXPERT_MODE, create resource-profile, create subinterface, scope auto-macpool, set cpu-core-count, set deploy-type, set port-type data-sharing, set prefix, set resource-profile-name, set vlan, scope app-instance ftd name, show cgroups container, show interface, show mac-address, show subinterface, show tech-support module app-instance, show version
Supported platforms: Firepower 4100/9300

Cluster control link customizable IP address for the Firepower 4100/9300
By default, the cluster control link uses the 127.2.0.0/16 network. You can now set the network when you deploy the cluster in FXOS. The chassis auto-generates the cluster control link interface IP address for each unit based on the chassis ID and slot ID: 127.2.chassis_id.slot_id. However, some networking deployments do not allow 127.2.0.0/16 traffic to pass. Therefore, you can now set a custom /16 subnet for the cluster control link in FXOS, except for loopback (127.0.0.0/8) and multicast (224.0.0.0/4) addresses.
New/modified Firepower Chassis Manager pages: Logical Devices > Add Device > Cluster Information
New/modified options: CCL Subnet IP field
New/modified FXOS commands: set cluster-control-link network
Supported platforms: Firepower 4100/9300

Improved FTD cluster addition to the FMC
You can now add any unit of a cluster to the FMC, and the other cluster units are detected automatically. Formerly, you had to add each cluster unit as a separate device, and then group them into a cluster with the FMC. Adding a cluster unit is also now automatic. Note that you must delete a unit manually.
New/modified pages:
• Devices > Device Management > Add drop-down menu > Device > Add Device dialog box
• Devices > Device Management > Cluster tab > General area > Cluster Registration Status > Current Cluster Summary link > Cluster Status dialog box
Supported platforms: Firepower 4100/9300

Firepower Threat Defense: Encryption and VPN

SSL hardware acceleration
Additional FTD devices now support SSL hardware acceleration. Also, this option is now enabled by default.
Upgrading to Version 6.3.0 automatically enables SSL hardware acceleration on eligible devices. Using SSL hardware acceleration if you are not decrypting traffic can affect performance. We recommend you disable SSL hardware acceleration on devices that are not decrypting traffic.
Supported platforms: Firepower 2100 series, Firepower 4100/9300

RA VPN: RADIUS Dynamic Authorization or Change of Authorization (CoA)
You can now use RADIUS servers for user authorization of RA VPN using dynamic access control lists (ACLs) or ACL names per user.
Supported platforms: FTD

RA VPN: Two-Factor Authentication
Firepower Threat Defense now supports two-factor authentication for RA VPN users using the Cisco AnyConnect Secure Mobility Client. For the two-factor authentication process, we support:
• First factor: any RADIUS or LDAP/AD server
• Second factor: RSA tokens or Duo passcodes pushed to mobile
For more information on Duo multi-factor authentication (MFA) for FTD, see the Cisco Firepower Threat Defense (FTD) VPN with AnyConnect documentation on the Duo Security website.
Supported platforms: FTD

Security Policies

Firepower Threat Defense service policy
You can now configure a Firepower Threat Defense service policy as part of your access control policy advanced options. Use FTD service policies to apply services to specific traffic classes.
Features supported include:
• TCP State Bypass
• Randomizing TCP sequence numbers
• Decrementing the time-to-live (TTL) value on packets
• Dead Connection Detection
• Setting a limit on the maximum number of connections and embryonic connections per traffic class and per client
• Timeouts for embryonic, half-closed, and idle connections
TCP State Bypass turns off stateful TCP checking (and the inspections that depend on it) for the matched class, so scope it narrowly to the asymmetrically routed traffic that needs it.
Note: Before Version 6.3.0, you could configure connection-related service rules using the TCP_Embryonic_Conn_Limit and TCP_Embryonic_Conn_Timeout predefined FlexConfig objects. You should remove those objects and redo your rules in the FTD service policy. If you created any custom FlexConfig objects to implement any of these connection-related features (that is, set connection commands), you should also remove those objects and implement the features through the FTD service policy. Failure to do so can cause deployment issues. The Threat Defense Service Policies chapter in the Firepower Management Center Configuration Guide has details on how service policies relate to FlexConfig and other features.
New/modified pages: Policies > Access Control > edit/create policy > Advanced tab > Threat Defense Service Policy
Supported platforms: FTD

Update interval for URL category and reputation data
Upgrade impact.
You can now force URL data to expire. There is a tradeoff between security and performance. A shorter interval means you use more current data, while a longer interval can make web browsing faster for your users.
If you worked with Cisco TAC to specify a timeout value for the URL filtering cache, the upgrade may change that value. Otherwise, the setting defaults to disabled (the current behavior), meaning that cached URL data does not expire.
New/modified pages: System > Integration > Cisco CSI > Cached URLs Expire setting
Supported platforms: FMC

Event Logging and Analysis

Cisco Security Packet Analyzer Integration
You can integrate with Cisco Security Packet Analyzer to examine events and display analysis results, or download results for further analysis.
New/modified pages:
• System > Integration > Packet Analyzer
• Analysis > Advanced > Packet Analyzer Queries
• Query Packet Analyzer when right-clicking on an event in the dashboard or event viewer
Supported platforms: FMC

Contextual cross-launch
You can right-click an event in the dashboard or event viewer to look up related information in predefined or custom, public or private URL-based resources.
New/modified pages: Analysis > Advanced > Contextual Cross-Launch
Supported platforms: FMC

Unified syslog configuration
Upgrade impact.
Version 6.3.0 changes and centralizes the way the system logs connection and intrusion events via syslog.
Previously, you configured event logging via syslog in multiple places, depending on the event type. You now configure syslog messaging in the access control policy. These configurations affect connection and intrusion event logging for the access control, SSL, prefilter, and intrusion policies, as well as for Security Intelligence.
The upgrade does not change your existing settings for connection event logging. However, you may suddenly start receiving intrusion events you did not "expect" via syslog. This is because the intrusion policy now sends syslog events to the destination specified in the access control policy. (Before, you could configure syslog alerting in an intrusion policy to send events to the syslog on the managed device itself rather than to an external host.)
For FTD devices, some syslog platform settings now apply to connection and intrusion event messages. For a list, see the Platform Settings for Firepower Threat Defense chapter in the Firepower Management Center Configuration Guide.
For NGIPS devices (7000/8000 series, ASA FirePOWER, NGIPSv), messages now use the ISO 8601 timestamp format as specified in RFC 5424.
Supported platforms: Any

Fully qualified syslog messages for connection and intrusion events
The format of syslog messages for connection, Security Intelligence, and intrusion events has the following changes:
• Messages from FTD devices now include event type identification numbers.
• Fields with empty or unknown values are no longer included, so messages are shorter and important data is less likely to be truncated. Any SIEM parser that relies on fixed field positions rather than field names will break; key on the names.
• Timestamps now use the ISO 8601 timestamp format as specified in the RFC 5424 syslog format (optional for FTD, required for Classic).
Supported platforms: Any

Other syslog improvements for FTD devices
You can send all syslog messages from the same interface (data or management), using the same IP address, using TCP or UDP protocol. Note that secure syslog is supported on data ports only. You can also use the RFC 5424 format for message timestamps.
Supported platforms: FTD
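The following is an added example of my own, not Cisco code, serving both this syslog entry and the Version 6.4.0.4 "New syslog fields" entry above: a parser for the key: value body that FTD emits after the RFC 5424 header, run over four constructed log lines, with a correlation of an intrusion event back to its connection event. The message IDs (430001 intrusion, 430002 connection start, 430003 connection end) and the field names DeviceUUID, InstanceID, FirstPacketSecond and ConnectionID are, to my knowledge, what Cisco's FTD syslog message reference uses for Sensor UUID, Connection Instance ID, First Packet Time and Connection Counter; verify them against your own device output. The fourth line reuses ConnectionID 7741 on another Snort instance, the collision that the counter alone cannot resolve and the reason all four fields are needed together.

```python
"""Correlate FTD intrusion syslog events with their connection events.

Added example, not Cisco code. The log lines are constructed; message IDs and
field names follow Cisco's FTD syslog message reference as I know it (verify
against real device output).
"""
import re
from datetime import datetime

# RFC 5424-style header with an ISO 8601 timestamp, then the FTD message header.
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<host>\S+) "
    r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# The four fields that together identify one connection (6.4.0.4+ syslog).
KEY_FIELDS = ("DeviceUUID", "InstanceID", "FirstPacketSecond", "ConnectionID")
CONNECTION_MSGIDS = {"430002", "430003"}   # connection start / connection end
INTRUSION_MSGID = "430001"

# Constructed sample: one HTTP flow with an intrusion event, plus an unrelated
# DNS flow on Snort instance 1 that happens to carry the same ConnectionID.
SAMPLE_LOGS = """\
<134>2021-05-20T14:03:11Z ftd-edge-1 %FTD-6-430002: DeviceUUID: 8f2c1d70-5e6a-11eb-9a2b-0050569a1234, InstanceID: 2, FirstPacketSecond: 2021-05-20T14:03:11Z, ConnectionID: 7741, AccessControlRuleAction: Allow, AccessControlRuleName: Web-Out, SrcIP: 10.1.20.15, DstIP: 203.0.113.9, SrcPort: 50213, DstPort: 80, Protocol: tcp, IngressInterface: inside, EgressInterface: outside
<129>2021-05-20T14:03:12Z ftd-edge-1 %FTD-1-430001: EventPriority: High, DeviceUUID: 8f2c1d70-5e6a-11eb-9a2b-0050569a1234, InstanceID: 2, FirstPacketSecond: 2021-05-20T14:03:11Z, ConnectionID: 7741, SrcIP: 10.1.20.15, DstIP: 203.0.113.9, SrcPort: 50213, DstPort: 80, Protocol: tcp, Priority: 1, GID: 1, SID: 1000001, Revision: 3, Message: LOCAL suspicious C2 user-agent, Classification: A Network Trojan was Detected, InlineResult: Blocked
<134>2021-05-20T14:03:13Z ftd-edge-1 %FTD-6-430003: DeviceUUID: 8f2c1d70-5e6a-11eb-9a2b-0050569a1234, InstanceID: 2, FirstPacketSecond: 2021-05-20T14:03:11Z, ConnectionID: 7741, AccessControlRuleAction: Allow, AccessControlRuleName: Web-Out, SrcIP: 10.1.20.15, DstIP: 203.0.113.9, SrcPort: 50213, DstPort: 80, Protocol: tcp, InitiatorPackets: 6, ResponderPackets: 4, InitiatorBytes: 812, ResponderBytes: 1460
<134>2021-05-20T14:03:15Z ftd-edge-1 %FTD-6-430003: DeviceUUID: 8f2c1d70-5e6a-11eb-9a2b-0050569a1234, InstanceID: 1, FirstPacketSecond: 2021-05-20T14:03:09Z, ConnectionID: 7741, AccessControlRuleAction: Allow, AccessControlRuleName: DNS-Out, SrcIP: 10.1.20.15, DstIP: 10.1.0.53, SrcPort: 41002, DstPort: 53, Protocol: udp, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 73, ResponderBytes: 145
"""


def parse_event(line):
    """Turn one syslog line into a dict of its fields, or None if it is not an FTD event."""
    m = HEADER.match(line)
    if m is None:
        return None
    event = {"msgid": m["msgid"], "host": m["host"],
             "timestamp": datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))}
    # The body is "Key: value, Key: value, ..."; FTD values do not contain ", ".
    for pair in m["body"].split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            event[key] = value
    return event


def connection_key(event):
    """Tuple identifying the connection an event belongs to.

    ConnectionID is a per-Snort-instance counter that wraps, so it is unique
    only together with the instance, the device and the connection start time.
    """
    return tuple(event.get(f) for f in KEY_FIELDS)


def correlate(log_text):
    """Pair each intrusion event with the connection event it belongs to.

    Returns a list of (intrusion_event, connection_event_or_None). The
    end-of-connection record (430003) carries byte and packet counts, so it
    replaces the start record (430002) when both are present.
    """
    connections, intrusions = {}, []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        if event["msgid"] in CONNECTION_MSGIDS:
            connections[connection_key(event)] = event
        elif event["msgid"] == INTRUSION_MSGID:
            intrusions.append(event)
    return [(ev, connections.get(connection_key(ev))) for ev in intrusions]


def summarize(pairs):
    """One line per intrusion event, in the form an analyst would paste into a ticket."""
    lines = []
    for ev, conn in pairs:
        flow = f"{ev['SrcIP']}:{ev['SrcPort']} -> {ev['DstIP']}:{ev['DstPort']}/{ev['Protocol']}"
        if conn is None:
            lines.append(f"{flow} {ev['GID']}:{ev['SID']} {ev['Message']} [no connection event]")
        else:
            lines.append(f"{flow} rule={conn['AccessControlRuleName']} "
                         f"sent={conn.get('InitiatorBytes', '?')}B "
                         f"{ev['GID']}:{ev['SID']} {ev['Message']} [{ev['InlineResult']}]")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(correlate(SAMPLE_LOGS))))
```

Keying the join on all four fields is what makes the DNS flow on instance 1 stay separate even though it shares ConnectionID 7741; keying on ConnectionID alone would attach the intrusion event to whichever connection record arrived last.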

Administration and Troubleshooting

Export-controlled features for approved customers
Customers whose Smart Accounts are not otherwise eligible to use restricted functionality can purchase term-based licenses, with approval.
New/modified pages: System > Licenses > Smart Licenses
Supported platforms: FMC, FTD

Specific License Reservation for approved customers
Customers can use Specific License Reservation to deploy Smart Licensing in an air-gapped network. The FMC reserves licenses from your virtual account for a specified duration without accessing the Cisco Smart Software Manager or Smart Software Satellite Server.
New/modified pages: System > Licenses > Specific Licenses
Supported platforms: FMC, FTD (except ISA 3000)

IPv4 range, subnet, and IPv6 support for SNMP hosts
You can now use IPv4 range, IPv4 subnet, and IPv6 host network objects to specify the SNMP hosts that can access a Firepower Threat Defense device.
New/modified pages: Devices > Platform Settings > create or edit FTD policy > SNMP > Hosts tab
Supported platforms: FTD

Access control using fully qualified domain names (FQDN)
You can now create fully qualified domain name (FQDN) network objects and use them in access control and prefilter rules. To use FQDN objects, you must also configure DNS server groups and DNS platform settings, so that the system can resolve the domain names. Because an FQDN rule matches whatever those servers return, it is only as trustworthy as the DNS path; point the device at resolvers you control.
New/modified pages:
• Objects > Object Management > Network
• Objects > Object Management > DNS Server Group
• Devices > Platform Settings > create or edit FTD policy > DNS
Supported platforms: FTD

CLI for the FMC
A CLI for the FMC supports a small set of basic commands (change password, show version, reboot/restart, and so on). By default the FMC CLI is disabled, and logging into the FMC using SSH accesses the Linux shell. Once you enable the CLI, SSH users land in the restricted CLI and reach the Linux shell only through its expert command.
New/modified Classic CLI commands: The system lockdown-sensor command has changed to system lockdown. This command now works for both devices and FMCs.
New/modified pages: System > Configuration > Console Configuration > Enable CLI Access check box
Supported platforms: FMC, including FMCv

Copy device configurations
You can copy device configurations and policies from one device to another.
New/modified pages: Devices > Device Management > edit the device > General area > Get/Push Device Configuration icons
Supported platforms: FMC

Backup/restore FTD device configurations
You can use the FMC web interface to back up configurations for some FTD devices.
New/modified pages: System > Tools > Backup/Restore
New/modified CLI commands: restore
Supported platforms: All physical FTD devices, FTDv for VMware

Skip deploying to up-to-date devices when you schedule deploy tasks
Upgrade impact.
When you schedule a task to deploy configuration changes, you can now opt to Skip Deployment for up-to-date devices. This performance-enhancing setting is enabled by default.
The upgrade process automatically enables this option on existing scheduled tasks. To continue to force a scheduled deploy to up-to-date devices, you must edit the scheduled task.
New/modified pages: System > Tools > Scheduling > add or edit a task > choose Job Type of Deploy Policies
Supported platforms: FMC

New health modules
New health modules alert you when:
• Threat Data Updates on Devices: Threat identification data on managed devices fails to update.
• Realm: A user is reported to the FMC without being downloaded, or a user logs into a domain that corresponds to a realm not known to the FMC.
New/modified pages:
• System > Health > Policy
• System > Health > Monitor
Supported platforms: FMC

Configurable packet capture size
You can now store up to 10 GB of packet captures.
New/modified CLI commands: file-size, show capture
Supported platforms: Firepower 4100/9300

Security and Hardening

HTTPS Certificates
The default HTTPS server certificate provided with the system now expires in three years.
If your appliance uses a default server certificate that was generated before you upgraded to Version 6.3.0, the server certificate will expire 20 years from when it was first generated. If you are using the default HTTPS server certificate, the system now provides the ability to renew it.
New/modified pages: System > Configuration > HTTPS Certificate > Renew HTTPS Certificate button
New/modified Classic CLI commands: show http-cert-expire-date, system renew-http-cert new_key
Supported platforms: Physical FMCs, 7000/8000 series devices

Improved login security
Upgrade impact.
Added FMC user configuration settings to improve login security:
• Track Successful Logins: Track the number of successful logins each FMC account has performed within a specific time period.
• Password Reuse Limit: Track an FMC user's password history to prevent reuse.
• Max Number of Login Failures and Set Time in Minutes to Temporarily Lockout Users: Limit the number of times in a row an FMC user can enter incorrect web interface login credentials before being temporarily blocked.
A temporary lockout can be triggered deliberately against a known account name, so keep a separate break-glass administrator account and alert on lockout events rather than treating them as noise.
We also updated the list of supported ciphers and cryptographic algorithms for secure SSH access. If your SSH client fails to connect with a Firepower appliance due to a cipher error, update your client to the latest version.
New/modified pages: System > Configuration > User Configuration
Supported platforms: FMC

Limit SSH login failures on devices
When a user accesses any device via SSH and fails three successive login attempts, the device terminates the SSH session.
Supported platforms: Any device

Firepower Management Center REST API

New REST API services
Added REST API services to support these features:
• Site-to-site VPN topology: ftds2svpns, endpoints, ipsecsettings, advancedsettings, ikesettings, ikev1ipsecproposals, ikev1policies, ikev2ipsecproposals, ikev2policies
• HA device failover: failoverinterfacemacaddressconfigs, monitoredinterfaces
Supported platforms: FMC

Bulk overrides
You can now perform bulk overrides on specific objects. For a full list, see the Cisco Firepower Management Center REST API Quick Start Guide.

New Features in FMC Version 6.3.0 Patches


Table 28:

Feature Description

Version 6.3.0.4: Detection of rule conflicts in FTD NAT policies
Upgrade impact.
After you upgrade to Version 6.3.0.4 or a later patch, you can no longer create FTD NAT policies with conflicting rules (often referred to as duplicate or overlapping rules). This fixes an issue where conflicting NAT rules were applied out of order.
If you currently have conflicting NAT rules, you will be able to deploy post-upgrade. However, your NAT rules will continue to be applied out of order.
Therefore, we recommend that after the upgrade, you inspect your FTD NAT policies by editing (no changes are needed) and then attempting to resave. If you have rule conflicts, the system will prevent you from saving. Correct the issues, save, and then deploy.
Note that upgrading to Version 6.4.0 deprecates this fix. It is fixed again in Version 6.4.0.2.
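The following added example (my code, not Cisco's) serves both this entry and the Version 6.4.0.2 entry above: an offline audit of a manual NAT rule list in policy order, using a simplified model of what FMC calls a conflict. Two rules are reported as duplicates when their original-packet match criteria (source and destination interface, original source and destination network, original service) cover each other, and a later rule is reported as shadowed when an earlier rule covers it and so catches its traffic first, which is the classic misplaced VPN exemption. The rule dictionaries, interface names and addresses are constructed; the keys are not the FMC REST API field names, and the real FMC check may differ in what it treats as a conflict.

```python
"""Audit an FTD manual NAT rule list for duplicate and shadowed rules.

Added example, not Cisco code. The rule dictionaries are constructed and the
conflict definition is a simplification of FMC's own check.
"""
import ipaddress
from itertools import combinations

ANY = "any"

# Constructed policy in evaluation order. Manual NAT is first-match, so the
# VPN exemption at the end can never fire behind the broad PAT rule before it.
SAMPLE_POLICY = [
    {"name": "dmz-web-static", "src_iface": "dmz", "dst_iface": "outside",
     "orig_src": "172.16.10.10/32", "orig_dst": ANY, "orig_service": "tcp/443"},
    {"name": "inside-pat", "src_iface": "inside", "dst_iface": "outside",
     "orig_src": "10.0.0.0/8", "orig_dst": ANY},
    {"name": "inside-pat-dup", "src_iface": "inside", "dst_iface": "outside",
     "orig_src": "10.0.0.0/8", "orig_dst": ANY},
    {"name": "guest-pat", "src_iface": "guest", "dst_iface": "outside",
     "orig_src": "10.0.0.0/8", "orig_dst": ANY},
    {"name": "vpn-exempt", "src_iface": "inside", "dst_iface": "outside",
     "orig_src": "10.20.0.0/16", "orig_dst": "192.168.100.0/24"},
]


def _net(value):
    return None if value == ANY else ipaddress.ip_network(value, strict=False)


def _net_covers(a, b):
    """True if every address matched by b is also matched by a ('any' covers all)."""
    if a is None:
        return True
    if b is None:
        return False
    return a.version == b.version and b.subnet_of(a)


def _scalar_covers(a, b):
    return a == ANY or a == b


def covers(rule_a, rule_b):
    """True if rule_a matches every original packet that rule_b matches."""
    return (
        _scalar_covers(rule_a["src_iface"], rule_b["src_iface"])
        and _scalar_covers(rule_a["dst_iface"], rule_b["dst_iface"])
        and _scalar_covers(rule_a.get("orig_service", ANY), rule_b.get("orig_service", ANY))
        and _net_covers(_net(rule_a["orig_src"]), _net(rule_b["orig_src"]))
        and _net_covers(_net(rule_a["orig_dst"]), _net(rule_b["orig_dst"]))
    )


def audit(rules):
    """Return {'duplicates': [(i, j)], 'shadowed': [(i, j)]} with i < j in policy order.

    duplicates: the two rules cover each other, which FMC 6.3.0.4+/6.4.0.2+ refuses to save.
    shadowed:   rule i covers rule j, so rule j never matches; reorder or remove it.
    A later rule that covers an earlier, more specific one is normal and not reported.
    """
    duplicates, shadowed = [], []
    for i, j in combinations(range(len(rules)), 2):
        earlier_covers_later = covers(rules[i], rules[j])
        later_covers_earlier = covers(rules[j], rules[i])
        if earlier_covers_later and later_covers_earlier:
            duplicates.append((i, j))
        elif earlier_covers_later:
            shadowed.append((i, j))
    return {"duplicates": duplicates, "shadowed": shadowed}


def report(rules):
    """Human-readable findings, one per line."""
    found = audit(rules)
    lines = [f"duplicate: {rules[i]['name']} == {rules[j]['name']}"
             for i, j in found["duplicates"]]
    lines += [f"shadowed: {rules[j]['name']} never matches behind {rules[i]['name']}"
              for i, j in found["shadowed"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_POLICY)))
```

On the sample policy the audit reports inside-pat and inside-pat-dup as duplicates and vpn-exempt as shadowed by both; moving vpn-exempt above the PAT rule and deleting the duplicate clears every finding, which is the same reordering the FMC editor forces you into once it refuses to save.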

Version 6.3.0.4: ISE Connection Status Monitor module
A new module, the ISE Connection Status Monitor, monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the FMC.
Note that upgrading to Version 6.4.0 deprecates this module. Support returns in Version 6.4.0.2.
New/modified screens: System > Health > Policy > create or edit policy > ISE Connection Status Monitor

Version 6.3.0.3: 2048-bit certificate keys now required (security enhancement)
When making secure connections to external data sources, such as AMP for Endpoints or Cisco Threat Intelligence Director (TID), the FMC now requires that the server certificate be generated with keys that are at least 2048 bits long. Certificates previously generated with 1024-bit keys will no longer work.
If you cannot connect, regenerate the server certificate on your data source. If necessary, reconfigure the FMC connection to the data source.

Version 6.3.0.1: EMS extension support
Upgrade impact.
Version 6.3.0.1 reintroduces EMS extension support, which was introduced in Version 6.2.3.8/6.2.3.9 but was not included in Version 6.3.0.
Both the Decrypt-Resign and Decrypt-Known Key SSL policy actions again support the EMS extension during ClientHello negotiation, enabling more secure communications. The EMS (extended master secret) extension is defined by RFC 7627; it binds the TLS master secret to the full handshake transcript, which closes the triple-handshake class of attacks, and clients that require it refuse sessions where the decrypting device strips it.
In FMC deployments, this feature depends on the device version. Although best practice is to upgrade your whole deployment, this feature is supported even if you patch only the device.

Deprecated Features in FMC Version 6.3.0


Table 29:

Feature Upgrade Impact Description

EMS extension support for decryption
Upgrade impact: EMS extension support discontinued until you patch or upgrade.
Version 6.3.0 discontinues EMS extension support, which was introduced in Version 6.2.3.8/6.2.3.9. This means that the Decrypt-Resign and Decrypt-Known Key SSL policy actions no longer support the EMS extension during ClientHello negotiation, which would enable more secure communications. The EMS extension is defined by RFC 7627.
In FMC deployments, this feature depends on the device version. Upgrading the FMC to Version 6.3.0 does not discontinue support, as long as the device is running a supported version. However, upgrading the device to Version 6.3.0 does discontinue support.
Support is reintroduced in Version 6.3.0.1.

Decryption on passive and inline tap interfaces
Upgrade impact: The system stops decrypting traffic in passive deployments.
Version 6.3.0 ends support for decrypting traffic on interfaces in passive or inline tap mode, even though the GUI allows you to configure it. Any inspection of encrypted traffic is necessarily limited.

Default DNS group FlexConfig objects
Upgrade impact: You should redo your configurations after upgrade.
Version 6.3.0 deprecates this FlexConfig object for FTD with FMC:
• Default_DNS_Configure
And these associated text objects:
• defaultDNSNameServerList
• defaultDNSParameters
These allowed you to configure the Default DNS group, which defines the DNS servers that can be used when resolving fully qualified domain names on the data interfaces. This allowed you to use commands in the CLI, such as ping, using host names rather than IP addresses.
You can now configure DNS for the data interfaces in the FTD platform settings policy: Devices > Platform Settings > create or edit FTD policy > DNS.

Embryonic connection limit and timeout FlexConfig objects
Upgrade impact: Post-upgrade deployment issues. You should redo your configurations after upgrade.
Version 6.3.0 deprecates these FlexConfig objects for FTD with FMC:
• TCP_Embryonic_Conn_Limit
• TCP_Embryonic_Conn_Timeout
And these associated text objects:
• tcp_conn_misc
• tcp_conn_limit
• tcp_conn_timeout
These allowed you to configure embryonic connection limits and timeouts to protect against SYN flood denial of service (DoS) attacks.
You can now configure these features in the FTD service policy: Policies > Access Control > add/edit policy > Advanced tab > Threat Defense Service Policy.
Caution: If you used set connection commands to implement connection-related service rules, you should remove the associated objects and implement the features through the FTD service policy. Failure to do so can cause deployment issues.

FMC menu options
Upgrade impact: None.
Version 6.3.0 changes these menu options:
• Analysis > Advanced > Whois is now Analysis > Lookup > Whois
• Analysis > Advanced > Geolocation is now Analysis > Lookup > Geolocation
• Analysis > Advanced > URL is now Analysis > Lookup > URL
• Analysis > Advanced > Custom Workflows is now Analysis > Custom > Custom Workflows
• Analysis > Advanced > Custom Tables is now Analysis > Custom > Custom Tables
• Analysis > Hosts > Vulnerabilities is now Analysis > Vulnerabilities > Vulnerabilities
• Analysis > Hosts > Third-Party Vulnerabilities is now Analysis > Vulnerabilities > Third-Party Vulnerabilities

VMware 5.5 hosting
Upgrade impact: Upgrade the hosting environment before you upgrade the Firepower software.
Version 6.3.0+ virtual deployments have not been tested on VMware vSphere/VMware ESXi 5.5. This includes FMCv, FTDv, and NGIPSv for VMware.

ASA 5506-X series and ASA 5512-X devices with Firepower software
Upgrade impact: Upgrade prohibited.
You cannot upgrade to or freshly install Version 6.3.0+ of the Firepower software (both FTD and ASA FirePOWER) on ASA 5506-X, 5506H-X, 5506W-X, and 5512-X devices.

Date-Based Features
Expired CA Certificates for Dynamic Analysis
Deployments: AMP for Networks (malware detection) deployments where you submit files for dynamic
analysis
Affected Versions: Version 6.0+
Resolves: CSCvj07038
On June 15, 2018, some Firepower deployments stopped being able to submit files for dynamic analysis. This
occurred due to an expired CA certificate that was required for communications with the AMP Threat Grid
cloud. Version 6.3.0 is the first major version with the new certificate.

Note: If you do not want to upgrade to Version 6.3.0+, you must patch or hotfix to obtain the new certificate and reenable dynamic analysis. However, subsequently upgrading a patched or hotfixed deployment to either Version 6.2.0 or Version 6.2.3 reverts to the old certificate and you must patch or hotfix again.

If this is your first time installing the patch or hotfix, make sure your firewall allows outbound connections
to fmc.api.threatgrid.com (replacing panacea.threatgrid.com) from both the FMC and its managed
devices. Managed devices submit files to the cloud for dynamic analysis; the FMC queries for results.
This table lists the versions with the old certificates, as well as the patches and hotfixes that contain the new
certificates, for each major version sequence and platform. Patches and hotfixes are available on the Cisco
Support & Download site.

Table 30: Patches and Hotfixes with New CA Certificates

Versions with Old Cert | First Patch with New Cert | Hotfix with New Cert
6.2.3 through 6.2.3.3 | 6.2.3.4 | Hotfix G (FTD devices); Hotfix H (FMC, NGIPS devices)
6.2.2 through 6.2.2.3 | 6.2.2.4 | Hotfix BN (all platforms)
6.2.1 | None. You must upgrade. | None. You must upgrade.
6.2.0 through 6.2.0.5 | 6.2.0.6 | Hotfix BX (FTD devices); Hotfix BW (FMC, NGIPS devices)
6.1.0 through 6.1.0.6 | 6.1.0.7 | Hotfix EM (all platforms)
6.0.x | None. You must upgrade. | None. You must upgrade.

Release Dates for Firepower Software

Table 31: Version 7.0.0/7.0.x Dates

Version | Build | Date | Platforms
7.0.0 | 94 | 2020-05-26 | All

Table 32: Version 6.7.0/6.7.x Dates

Version | Build | Date | Platforms
6.7.0 | 65 | 2020-11-02 | All

Table 33: Version 6.7.0/6.7.x Patch Dates

Version | Build | Date | Platforms
6.7.0.2 | 24 | 2021-05-11 | All
6.7.0.1 | 13 | 2021-03-24 | All

Table 34: Version 6.6.0/6.6.x Dates

Version | Build | Date | Platforms
6.6.4 | 64 | 2021-04-29 | Firepower 1000 series
6.6.4 | 59 | 2021-04-26 | FMC/FMCv; all devices except Firepower 1000 series
6.6.3 | 80 | 2020-03-11 | All
6.6.1 | 91 | 2020-09-20 | All
6.6.1 | 90 | 2020-09-08 | —
6.6.0 | 90 | 2020-05-08 | Firepower 4112
6.6.0 | 90 | 2020-04-06 | FMC/FMCv; all devices except Firepower 4112

Table 35: Version 6.6.0/6.6.x Patch Dates

Version | Build | Date | Platforms
6.6.0.1 | 7 | 2020-07-22 | All

Table 36: Version 6.5.0 Dates

Version | Build | Date | Platforms: Upgrade | Platforms: Reimage
6.5.0 | 123 | 2020-02-03 | FMC/FMCv | FMC/FMCv
6.5.0 | 120 | 2019-10-08 | — | —
6.5.0 | 115 | 2019-09-26 | All devices | All devices

Table 37: Version 6.5.0 Patch Dates

Version | Build | Date | Platforms
6.5.0.5 | 95 | 2021-02-09 | All
6.5.0.4 | 57 | 2020-03-02 | All
6.5.0.3 | 30 | 2020-02-03 | No longer available.
6.5.0.2 | 57 | 2019-12-19 | All
6.5.0.1 | 35 | 2019-11-20 | No longer available.

Table 38: Version 6.4.0 Dates

Version | Build | Date | Platforms
6.4.0 | 113 | 2020-03-03 | FMC/FMCv
6.4.0 | 102 | 2019-06-20 | Firepower 4115, 4125, 4145; Firepower 9300 with SM-40, SM-48, and SM-56 modules
6.4.0 | 102 | 2019-06-13 | Firepower 1010, 1120, 1140
6.4.0 | 102 | 2019-04-24 | Firepower 2110, 2120, 2130, 2140; Firepower 4110, 4120, 4140, 4150; Firepower 9300 with SM-24, SM-36, and SM-44 modules; ASA 5508-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X; ASA 5585-X-SSP-10, -20, -40, -60; ISA 3000; FTDv; Firepower 7000/8000 series; NGIPSv

Table 39: Version 6.4.0 Patch Dates

Version | Build | Date | Platforms
6.4.0.12 | 112 | 2021-05-12 | All
6.4.0.11 | 11 | 2021-01-11 | All
6.4.0.10 | 95 | 2020-10-21 | All
6.4.0.9 | 62 | 2020-05-26 | All
6.4.0.8 | 28 | 2020-01-29 | All
6.4.0.7 | 53 | 2019-12-19 | All
6.4.0.6 | 28 | 2019-10-16 | No longer available.
6.4.0.5 | 23 | 2019-09-18 | All
6.4.0.4 | 34 | 2019-08-21 | All
6.4.0.3 | 29 | 2019-07-17 | All
6.4.0.2 | 35 | 2019-07-03 | FMC/FMCv; FTD/FTDv, except Firepower 1000 series
6.4.0.2 | 34 | 2019-06-27 | —
6.4.0.2 | 34 | 2019-06-26 | Firepower 7000/8000 series; ASA FirePOWER; NGIPSv
6.4.0.1 | 17 | 2019-06-27 | FMC 1600, 2600, 4600
6.4.0.1 | 17 | 2019-06-20 | Firepower 4115, 4125, 4145; Firepower 9300 with SM-40, SM-48, and SM-56 modules
6.4.0.1 | 17 | 2019-05-15 | FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500; FMCv; Firepower 2110, 2120, 2130, 2140; Firepower 4110, 4120, 4140, 4150; Firepower 9300 with SM-24, SM-36, and SM-44 modules; ASA 5508-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X; ASA 5585-X-SSP-10, -20, -40, -60; ISA 3000; FTDv; Firepower 7000/8000 series; NGIPSv

Table 40: Version 6.3.0 Dates

Version | Build | Date | Platforms: Upgrade | Platforms: Reimage
6.3.0 | 85 | 2019-01-22 | Firepower 4100/9300 | Firepower 4100/9300
6.3.0 | 84 | 2018-12-18 | FMC/FMCv; ASA FirePOWER | —
6.3.0 | 83 | 2019-06-27 | — | FMC 1600, 2600, 4600
6.3.0 | 83 | 2018-12-03 | All FTD devices except Firepower 4100/9300; Firepower 7000/8000; NGIPSv | FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500; FMCv; all devices except Firepower 4100/9300

Table 41: Version 6.3.0 Patch Dates

Version | Build | Date | Platforms
6.3.0.5 | 35 | 2019-11-18 | Firepower 7000/8000 series; NGIPSv
6.3.0.5 | 34 | 2019-11-18 | FMC/FMCv; all FTD devices; ASA FirePOWER
6.3.0.4 | 44 | 2019-08-14 | All
6.3.0.3 | 77 | 2019-06-27 | FMC 1600, 2600, 4600
6.3.0.3 | 77 | 2019-05-01 | FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500; FMCv; all devices
6.3.0.2 | 67 | 2019-06-27 | FMC 1600, 2600, 4600
6.3.0.2 | 67 | 2019-03-20 | FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500; FMCv; all devices
6.3.0.1 | 85 | 2019-06-27 | FMC 1600, 2600, 4600
6.3.0.1 | 85 | 2019-02-18 | FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500; FMCv; all devices

Table 42: Version 6.2.3 Dates

Version | Build | Date | Platforms: Upgrade | Platforms: Reimage
6.2.3 | 113 | 2020-06-01 | FMC/FMCv | FMC/FMCv
6.2.3 | 111 | 2019-11-25 | — | FTDv: AWS, Azure
6.2.3 | 110 | 2019-06-14 | — | —
6.2.3 | 99 | 2018-09-07 | — | —
6.2.3 | 96 | 2018-07-26 | — | —
6.2.3 | 92 | 2018-07-05 | — | —
6.2.3 | 88 | 2018-06-11 | — | —
6.2.3 | 85 | 2018-04-09 | — | —
6.2.3 | 84 | 2018-04-09 | Firepower 7000/8000 series; NGIPSv | —
6.2.3 | 83 | 2018-04-02 | FTD/FTDv; ASA FirePOWER | FTD: physical platforms; FTDv: VMware, KVM; Firepower 7000/8000; ASA FirePOWER; NGIPSv
6.2.3 | 79 | 2018-03-29 | — | —

Table 43: Version 6.2.3 Patch Dates

Version | Build | Date | Platforms
6.2.3.16 | 59 | 2020-07-13 | All
6.2.3.15 | 39 | 2020-02-05 | FTD/FTDv
6.2.3.15 | 38 | 2019-09-18 | FMC/FMCv; Firepower 7000/8000; ASA FirePOWER; NGIPSv
6.2.3.14 | 41 | 2019-07-03 | All
6.2.3.14 | 36 | 2019-06-12 | All
6.2.3.13 | 53 | 2019-05-16 | All
6.2.3.12 | 80 | 2019-04-17 | All
6.2.3.11 | 55 | 2019-03-17 | All
6.2.3.11 | 53 | 2019-03-13 | —
6.2.3.10 | 59 | 2019-02-07 | All
6.2.3.9 | 54 | 2019-01-10 | All
6.2.3.8 | 51 | 2019-01-02 | No longer available.
6.2.3.7 | 51 | 2018-11-15 | All
6.2.3.6 | 37 | 2018-10-10 | All
6.2.3.5 | 53 | 2018-11-06 | FTD/FTDv
6.2.3.5 | 52 | 2018-12-09 | FMC/FMCv; Firepower 7000/8000; ASA FirePOWER; NGIPSv
6.2.3.4 | 42 | 2018-08-13 | All
6.2.3.3 | 76 | 2018-07-11 | All
6.2.3.2 | 46 | 2018-06-27 | All
6.2.3.2 | 42 | 2018-06-06 | —
6.2.3.1 | 47 | 2018-06-28 | All
6.2.3.1 | 45 | 2018-06-21 | —
6.2.3.1 | 43 | 2018-05-02 | —
© 2021 Cisco Systems, Inc. All rights reserved.