What's New in 10.0

This document provides an overview of new features and notable improvements in the 10.0 release. Features that have a dedicated document on this site are linked below, and more will be added. Version 10.0 is a feature-rich release that expands on many of the improvements in version 7.6 while adding brand new features in multiple key areas.

Threat and Malware

Version 10.0 makes further improvements to our leading detection differentiators, EVE and SnortML. Refinements include easier, clearer configuration, new detection, and improved inspection latency. Building on improvements in 7.6, the Decryption Policy again makes it easier for admins to get set up and get decrypting. Enhancements to AppID improve performance and simplify administrative matching of applications to ports. A new Tenable integration offers new remediation and virtual patching capabilities.

  1. Simplified Decryption: Secure Firewall 10.0 introduces a new intent-based decryption workflow that makes inbound and outbound TLS inspection dramatically easier to deploy. Default policy creation, smarter certificate handling, and selective decryption options reduce setup and operational friction. Admins can now focus on what they want to decrypt instead of how to build a ruleset around their requirements.

  2. SnortML Update: SnortML continues to get better, with added detection for command injection and cross-site scripting, and dramatic reduction in inspection latency. SnortML provides zero-day coverage against entire classes of vulnerabilities, protecting your network even against brand-new vulnerabilities, no rule updates required!

  3. Tenable Connector: Security Cloud Control now brings Tenable vulnerability context directly into policy decisions, letting the firewall automatically adapt access control and intrusion prevention based on which hosts are actually exposed. Track vulnerable hosts in real time and use Tenable CVE data to enable network-based virtual patching, targeting the actual risks in your environment instead of relying on generic rulesets.

  4. Advanced Logging: New advanced logging emits full protocol-level telemetry directly from the Snort engine, giving SOC teams Zeek-like visibility without deploying separate sensors. By exposing raw network conversations (such as DNS lookups, HTTP exchanges, anomalies, and more), the firewall becomes a native investigation source for advanced threat hunting.

  5. Application Default Ports: Each application is now associated with its expected default ports in access control rules, allowing administrators to enforce both application and port context in a single step. This removes guesswork and dramatically reduces the tendency to allow apps on "any port," while still preserving easy customization. When multiple apps are placed in a single rule, the correct ports are mapped automatically, tightening enforcement without extra configuration effort.

  6. Simplified EVE Configuration: Encrypted Visibility Engine is more easily discovered, within its own tab of the access control policy. New simple monitor and protect modes allow for quick configuration of C2 detection or blocking, and a simple global exception list allows you to easily tune for false positives.


Software Defined Wide Area Networking (SD-WAN)

10.0 expands on the SD-WAN improvements in 7.6 to address additional use cases including the propagation of Security Group Tags (SGTs) across SD-WAN environments. Improvements to load balancing address more hub and spoke scenarios.

  1. Improvements for SGT Propagation: Dynamic Virtual Tunnel Interfaces (DVTIs) and Static Virtual Tunnel Interfaces (SVTIs) can now receive and propagate SGTs. This facilitates extending SGT enforcement across SD-WAN environments.

  2. Better Load Balancing: In prior versions, only spoke-to-hub traffic could be load balanced. In version 10.0, hub load balancing via multiple paths to a given spoke is now supported through equal-cost multi-path (ECMP) routing and Bidirectional Forwarding Detection (BFD).


Management & Upgrade Improvements

Before 10.0, syslog suffered from a convoluted configuration path and lack of parity with eStreamer for event types. In 10.0, syslog configuration is greatly consolidated and simplified, and new event types are added. Advanced Logging makes an additional improvement to log export, delivering granular protocol-specific logging to SIEMs. The FMC GUI has been improved to be more navigable, more customizable, and more closely aligned to SCC. Administrators will also enjoy improvements to the upgrade process that allow control over revert and rollback options and better visibility of upgrading devices. Model migration options have also been expanded to further facilitate the transition to new hardware platforms.

  1. Streamlined Syslog Integration: A new wizard greatly simplifies syslog integration. The wizard is compatible with Splunk on day one. Users of other SIEMs should check with their vendors regarding ingest.

  2. New Syslog Event Types: New event types are added to syslog, including intrusion event packet data and AMP/Retrospective.

  3. Simplified FMC GUI: Top level menus have been streamlined and brought into greater parity with Security Cloud Control. Administrators can also now customize menu entries.

  4. Upgrade Improvements: Advanced settings allow administrative direction for revert and rollback scenarios. All managed device upgrades can now be monitored from a single pane.

  5. Additional Model Migration Support: Expanded options for migrating configuration from the 1010, 1100, 2100, 4100, and 9300 models to the 1210 and 1220, and the 3100 and 4200 series.


Hardware Innovations

Cisco continues to build on its powerful, datasheet-accurate hardware lines with new models launching at both the low end and the ultra high end. The 200 series offers our most affordable option for branch and site deployments, while the 6100 series offers significantly more throughput than the 4200 while maintaining the same clustering capabilities. New FMC models provide better performance for the low, mid, and high end.

  1. Secure Firewall 200 Series: The 200 series launches with one model, the 220. The 220 model supports up to 1.5 Gbps of NGFW traffic and utilizes SoC embedded accelerators for encryption and traffic processing. Intended for branch and service use cases.

  2. Secure Firewall 6100 Series: Delivers up to 400 Gbps per device while offering the same impressive 16x clustering of the 4200 series. These ultra high-end models are based on Cisco's leading price/performance architecture in the 3100 and 4200 lines, offering even more capacity for Data Center, Service Provider, and other high end environments.

  3. New FMC Models: The 1800, 2800, and 4800 models deliver improved capability for low, mid, and high end management scenarios. The 4800 can manage 1,500 FTDs and can handle twice the event rate and event retention of the 4700.


Identity

Administrators seeking to improve Zero Trust at the network level will welcome new integrations with Cisco Identity Intelligence and ISE that facilitate the assignment of dynamic trust levels to individual users and devices. 10.0 also brings additional scaling capability for multiple ISE clusters, and better traceability of user data inside the firewall.

  1. Dynamic Firewall: A new wizard provides configuration to integrate an identity source (ISE or pxGrid Cloud) with Cisco Identity Intelligence (CII) to assign a trust level to individual users and devices. CSDAC dynamic objects facilitate restrictions in network permissions for users and devices that lose trust levels.

  2. Better Scaling: Multiple ISE clusters (integrated either with pxGrid Cloud or on-prem) can now be leveraged in the identity policy.

  3. Traceability Tool: This CLI-based tool retrieves user session information and compiles it into a structured table. Multiple search modes are available for different troubleshooting scenarios, streamlining debugging and analysis workflows.


Public & Private Cloud

10.0 delivers new deployment options across cloud and virtualization environments. In the cloud, GCP deployments add clustering with dynamic scaling capabilities, while ARM support is added for OCI. In virtualization, a new Unlimited license is available to meet scaling use cases for VMware and KVM environments.

  1. GCP Clustering with Autoscale: Clustering with dynamic scaling is now available for GCP deployments. Both ASAv and FTDv are supported.

  2. OCI ARM Instance Support: ARM-based FTDv and ASAv virtual instances are now supported for OCI. 4, 8, 12, or 16 Oracle CPUs are supported per instance.

  3. New FTDv Unlimited License: An unlimited license has been added for VMware and KVM deployments of the virtual FTD (FTDv). The new license is intended for FTDv deployments that need to scale beyond the CPU core and rate limits of the existing licenses.

