What’s New in Cisco Secure Firewall Version 7
Cisco Secure Firewall Threat Defense (FTD, formerly Firepower) 7.0 is the next major release. It introduces a completely rewritten detection engine (Snort 3) along with many long-awaited improvements to the existing software. The release adds OpenStack support for the virtual products (ASAv/FTDv/FMCv), launches a tiered licensing model for FTDv, and adds a new top-tier FTDv instance with throughput of up to 15.5 Gbps. At the largest tier, FTDv100, customers get performance from a virtual firewall that is comparable to a Cisco Firepower 4100 series appliance.
An Intrusion Prevention System (IPS) is a network security technology that examines traffic flows to detect and block exploits. Snort 3 is the next generation of the Snort 2 IPS engine, with a new architecture designed for better performance, detection, scalability and usability, and it provides the detection foundation for Cisco Secure Firewall (formerly Firepower).
It benefits from a modern architecture that handles the evasions known to work against Snort 2, and adds support for HTTP/2, IoT protocols, multi-session signatures and more. Snort 3 uses intelligent traffic normalization to identify obfuscated threats, and the improved rules language allows Cisco TALOS to provide better protection.
Furthermore, Snort 3 offers a significant performance improvement over Snort 2, supports regex acceleration via offload on next-generation platforms, and uses memory more efficiently.
Snort 3's modularity and support for new use cases shortens time to market. In Snort 3 everything is implemented as a plug-in, which helps Cisco TALOS address zero-day issues quickly with new rule options or inspectors. The same modularity makes the engine deployable as a cloud service, which improves maintainability and telemetry.
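To make the rules-language change concrete, here is an added example written for this page (it is not Cisco's code and not the Snort project's snort2lua tool): a small converter that rewrites a constructed Snort 2 HTTP rule into Snort 3 syntax. In Snort 3 the buffer selectors such as http_uri are "sticky buffers" placed before the content they apply to and remain in effect for following contents (so a return to raw payload needs pkt_data), content modifiers such as nocase become sub-options of the content, and the rule header can name the service (http) instead of a port variable. The sample rule and the modifier tables are assumptions made for this illustration, not Talos content.

```python
import re

# Snort 2 modifiers that become Snort 3 sticky buffers (assumed list; extend as needed)
STICKY = {"http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_cookie",
          "http_raw_cookie", "http_client_body", "http_method", "http_stat_code", "http_stat_msg"}
# Snort 2 content modifiers that become Snort 3 content sub-options
CONTENT_MODS = {"nocase", "offset", "depth", "distance", "within", "fast_pattern"}

HEADER = re.compile(r'^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)


def split_options(body):
    """Split 'a:"x"; b; c:1;' into [('a','"x"'), ('b',None), ('c','1')], honouring quotes/escapes."""
    opts, buf, in_q, esc = [], "", False, False
    for ch in body:
        if esc:
            buf += ch
            esc = False
            continue
        if ch == "\\":
            buf += ch
            esc = True
            continue
        if ch == '"':
            in_q = not in_q
        if ch == ";" and not in_q:
            tok = buf.strip()
            if tok:
                name, _, val = tok.partition(":")
                opts.append((name.strip(), val.strip() or None))
            buf = ""
        else:
            buf += ch
    return opts


def convert_rule(rule):
    """Rewrite one Snort 2 rule into Snort 3 syntax; raises ValueError if the header does not parse."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("not a Snort 2 rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()

    # Pass 1: attach each Snort 2 modifier to the content it follows.
    items = []  # ["opt", name, val] or ["content", buffer, value, [sub-options]]
    for name, val in split_options(body):
        if name == "uricontent":                      # Snort 2 shorthand for http_uri + content
            items.append(["content", "http_uri", val, []])
        elif name == "content":
            items.append(["content", None, val, []])
        elif name in STICKY and items and items[-1][0] == "content":
            items[-1][1] = name
        elif name in CONTENT_MODS and items and items[-1][0] == "content":
            items[-1][3].append(name if val is None else f"{name} {val}")
        else:
            items.append(["opt", name, val])

    # Pass 2: emit sticky buffers only when the buffer changes, resetting with pkt_data.
    uses_http = any(it[0] == "content" and it[1] in STICKY for it in items)
    out, active = [], "pkt_data"
    for it in items:
        if it[0] == "opt":
            out.append(it[1] if it[2] is None else f"{it[1]}:{it[2]}")
            continue
        buf = it[1] or "pkt_data"
        if buf != active:
            out.append(buf)
            active = buf
        out.append("content:" + ",".join([it[2]] + it[3]))

    if uses_http and proto == "tcp":                  # service-based header instead of port list
        proto = "http"
        sport = "any" if sport == "$HTTP_PORTS" else sport
        dport = "any" if dport == "$HTTP_PORTS" else dport
    return f"{action} {proto} {src} {sport} {direction} {dst} {dport} ( " + "; ".join(out) + "; )"


# Constructed sample rule for this example (not a Talos rule).
SNORT2_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
               '(msg:"WEB-ADMIN access attempt"; flow:to_server,established; '
               'content:"/admin/"; http_uri; nocase; content:"X-Forwarded-For"; http_header; '
               'classtype:web-application-attack; sid:1000001; rev:1;)')

if __name__ == "__main__":
    print(SNORT2_RULE)
    print(convert_rule(SNORT2_RULE))
```

The point to watch when migrating by hand is the second pass: a Snort 2 content with no http_* modifier after one that had one matches raw payload, whereas in Snort 3 the previous sticky buffer would still apply, so the converter inserts pkt_data to preserve the original meaning.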
FTD 7.0 Dynamic Objects and the Dynamic Attributes Connector enable robust policies in environments where fixed IP addresses don't exist, such as cloud and virtualized workloads whose addresses change over time.
Secure Remote Worker
Dynamic Access Policy (DAP), HostScan, per-app VPN, dynamic split tunneling, deferred client update, multi-certificate authentication, SAML attribute support in DAP, SAML with VPN load balancing, and local authentication for RAVPN bring significant improvements to Remote Access VPN (RAVPN). Together they remove the remaining obstacles to NGFW adoption and make migration from ASA to NGFW smoother.
Unified Real Time Event Viewer
The Unified Event Viewer aggregates connection, file, malware and intrusion events into a single view. With a search bar at the top of the page and a real-time mode, the new event viewer is a great addition for operators. Powered by advanced content filtering, it provides a simple view of all security events: it streams data from the sensors and correlates the events, leading to faster investigations.
The viewer also lets SecOps teams pivot from any event seen in the firewall to the SecureX platform, correlating data across the entire SecureX integrated ecosystem.
Identity Mapping Filter
Device-level mapping filters let you control which identity mappings are distributed to individual firewalls in your deployment. Starting with FTD 7.0 you can configure the FMC to filter identity mappings per device. The filters apply to identity sources selected by name (for example ISE) and to dynamic objects, the new attribute type introduced in version 7.0. In earlier releases the FMC shared all learned identity mappings with every managed device.
Consequently, the overall capacity of the deployment was often limited by the lowest common denominator: the managed device with the least memory. With per-device control, bindings can be distributed to the firewalls that actually need them, which supports more use cases than before.
By default the FMC still shares every binding it knows about with all managed devices, so some firewalls may not have enough memory to hold all the bindings sent from the FMC. In that case the firewall installs bindings up to its limit and silently ignores the rest, which means identity-based rules on that device may never match the users whose bindings were dropped. This is where identity mapping filters come into play.
Starting from 7.0 you can filter out unnecessary bindings before they are delivered to lower-capacity firewalls. The mapping filters are defined with host or subnet objects and can be configured per individual firewall or for groups of devices.
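The capacity problem described above is easy to see in a small model. The following is an added example for this page, not FMC code: it takes a constructed set of user-to-IP bindings and a constructed device inventory with a hypothetical per-device binding capacity, then compares the pre-7.0 behaviour (every device receives every binding and installs up to its limit) with per-device host/subnet filters. The capacities, addresses and device names are invented for the illustration.

```python
import ipaddress

# Constructed identity bindings (user -> IP) as the FMC might learn from an identity source.
BINDINGS = [
    ("alice", "10.1.1.10"),
    ("bob",   "10.1.2.20"),
    ("carol", "10.1.3.30"),
    ("dave",  "10.2.1.10"),
    ("erin",  "10.2.2.20"),
    ("frank", "10.2.3.30"),
    ("grace", "192.168.50.5"),
]

# Constructed inventory: per-device mapping filter (host/subnet objects) and a hypothetical
# binding capacity. A None filter means "receive everything", i.e. the pre-7.0 behaviour.
DEVICES = {
    "branch-a": {"filter": ["10.1.0.0/16"], "capacity": 3},
    "branch-b": {"filter": ["10.2.0.0/16", "192.168.50.5/32"], "capacity": 4},
    "dc-core":  {"filter": None, "capacity": 100},
}


def matches_filter(ip, networks):
    """True if ip falls inside any host/subnet object of the filter; an empty filter matches all."""
    if not networks:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def distribute(bindings, devices):
    """Model the FMC push: each device receives the bindings its filter allows, installs them
    up to its capacity and ignores the rest. Returns {device: {"installed": [...], "dropped": [...]}}."""
    result = {}
    for name, dev in devices.items():
        delivered = [b for b in bindings if matches_filter(b[1], dev["filter"])]
        cap = dev["capacity"]
        result[name] = {"installed": delivered[:cap], "dropped": delivered[cap:]}
    return result


def unfiltered(devices):
    """Same inventory with all filters removed, i.e. how the FMC behaved before 7.0."""
    return {n: {**d, "filter": None} for n, d in devices.items()}


if __name__ == "__main__":
    for label, inventory in (("pre-7.0 (no filters)", unfiltered(DEVICES)), ("7.0 with filters", DEVICES)):
        print(label)
        for dev, r in distribute(BINDINGS, inventory).items():
            print(f"  {dev}: installed={len(r['installed'])} dropped={[u for u, _ in r['dropped']]}")
```

Without filters, branch-b fills its capacity with the three branch-a users and drops erin, frank and grace, which are exactly the users behind it; any rule that matches on those identities on that firewall would never fire. With the filters, each branch firewall receives only its own subnets and nothing is dropped.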
FMC 6.x and FMC7 Differences
In Cisco Secure Firewall Version 7, the deployment preview and deployment history have been reworked. NetOps and SecOps teams get more visibility into pending and past deployments, including who made which change.
The SecureX integration has also grown: version 6.7.0 only sent connection events, while 7.0.0 adds all security events and FTD (LINA) syslog events. It also adds a new integration wizard and support for FMC domains.
Moreover, FMC 7.0.0 adds over 80 new REST API calls, including CRUD operations for DHCP relay, realms, DAPs, intrusion policies (and their rules), network analysis policies, local realm users, dynamic objects, SecureX configuration and application filters, plus GET operations for AnyConnect-related configuration.
A new global search in the navigation bar lets you search across policies, objects and other UI elements within FMC, making it easier to find your configuration across the different pages.
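Dynamic objects are the part of the new API most likely to be driven by automation, since their mappings are meant to change as workloads come and go. The following is an added example for this page, not Cisco's code: a minimal client that authenticates to the FMC, creates a dynamic object and pushes a mapping update. The endpoint paths, the DynamicObject payload shape and the DOMAIN_UUID response header are assumptions taken from the 7.0 API Explorer (https://<fmc>/api/api-explorer) and should be verified against your own FMC version; the hostname, object name and addresses are placeholders. Mapping entries are validated as IP addresses or CIDR prefixes before they are sent, so a malformed entry fails locally instead of producing an unexpected mapping on the firewall.

```python
import base64
import ipaddress
import json
import ssl
import urllib.request

# Assumed endpoint paths from the FMC 7.0 API Explorer; verify on your FMC.
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
CONFIG_PATH = "/api/fmc_config/v1/domain/{domain}/object"


def build_mapping_payload(name, add=(), remove=()):
    """Body for PUT .../object/dynamicobjectmappings (assumed shape). Every entry must parse as
    an IP address or CIDR; hosts are emitted without a /32 or /128 suffix."""
    def clean(entries):
        out = []
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)   # raises ValueError on garbage
            out.append(str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net))
        return out

    ref = {"name": name, "type": "DynamicObject"}
    return {
        "add": [{"dynamicObject": ref, "mappings": clean(add)}] if add else [],
        "remove": [{"dynamicObject": ref, "mappings": clean(remove)}] if remove else [],
    }


class Fmc:
    """Tiny FMC REST client: token auth, then JSON calls with the FMC's TLS certificate verified."""

    def __init__(self, host, user, password, cafile):
        self.base = f"https://{host}"
        self.ctx = ssl.create_default_context(cafile=cafile)   # never disable verification
        self.token, self.domain = self._login(user, password)

    def _login(self, user, password):
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        req = urllib.request.Request(self.base + TOKEN_PATH, method="POST",
                                     headers={"Authorization": "Basic " + cred})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"X-auth-access-token": self.token,
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read() or b"{}")

    def create_dynamic_object(self, name):
        return self._call("POST", CONFIG_PATH.format(domain=self.domain) + "/dynamicobjects",
                          {"name": name, "type": "DynamicObject", "objectType": "IP"})

    def update_mappings(self, name, add=(), remove=()):
        return self._call("PUT", CONFIG_PATH.format(domain=self.domain) + "/dynamicobjectmappings",
                          build_mapping_payload(name, add, remove))


if __name__ == "__main__":
    import os
    # Placeholder environment variables for the illustration.
    fmc = Fmc(os.environ["FMC_HOST"], os.environ["FMC_USER"], os.environ["FMC_PASS"], os.environ["FMC_CA"])
    fmc.create_dynamic_object("cloud_web_tier")
    print(fmc.update_mappings("cloud_web_tier", add=["10.10.1.5", "10.10.2.0/24"], remove=["10.10.9.9"]))
```

Mapping updates take effect without a policy deployment, which is the whole point of dynamic objects; that also means the account used here should be limited to the object-management role rather than a full administrator.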
Note: Cisco FMC 7.0 supports Permanent License Reservation (the Cisco FMC PLR license), which enables all licensed capabilities on Firepower devices in deployments that cannot reach the Smart Licensing cloud.