What's New in 10.0

This document provides an overview of new features and notable improvements in the 10.0 release. Features that have a dedicated document on this site are linked below, and more will be added. Version 10.0 is a feature-rich release that expands on many of the improvements in version 7.6 while adding brand new features in multiple key areas.

Threat and Malware

Version 10.0 makes further improvements to our leading detection differentiators, EVE and SnortML. Refinements include easier and clearer configuration, new detection, and improved inspection latency. Building on improvements in 7.6, the Decryption Policy again makes it easier for admins to get set up and start decrypting. AppID enhancements improve performance and simplify administrative matching of applications to ports.

  1. Simplified EVE Configuration - EVE configuration has been moved from Advanced Settings to the main Access Control Policy. Monitor and Protect modes are introduced, with Protect having block thresholds of High and Very High.

  2. Simplified Decryption Interface - 10.0 introduces a new Standard policy creation mode, with the prior policy creation moved to Legacy. Improvements to certificate management and a new option for Selective Decryption are included. QUIC decryption is now a standard feature, and the experimental label has been removed.

  3. Application Default Ports - When adding application detection to an Access Control rule, default ports will be associated with the application detection. Rules with multiple detections will be mapped to the correct ports automatically, e.g. a rule with both SSH and HTTP applications configured would map SSH to port 22 and HTTP to port 80. This allows administrators to enforce both application and port criteria simultaneously.

  4. SnortML Update - SnortML continues to get better, with added detection for command injection and reduction of inspection latency.


Software Defined Wide Area Networking (SD-WAN)

10.0 expands on the SD-WAN improvements in 7.6 to address additional use cases including the propagation of Security Group Tags (SGTs) across SD-WAN environments. Improvements to load balancing address more hub and spoke scenarios.

  1. Improvements for SGT Propagation - Dynamic Virtual Tunnel Interfaces (DVTIs) and Static Virtual Tunnel Interfaces (SVTIs) can now receive and propagate SGTs. This facilitates extending SGT enforcement across SD-WAN environments.

  2. Better Load Balancing - In prior versions, only spoke-to-hub traffic could be load balanced. In version 10.0, hub load balancing via multiple paths to a given spoke is supported through equal-cost multi-path (ECMP) routing and Bidirectional Forwarding Detection (BFD).


Management & Upgrade Improvements

Before 10.0, syslog suffered from a convoluted configuration path and a lack of parity with eStreamer for event types. In 10.0, syslog configuration is greatly consolidated and simplified, and new event types are added. Advanced Logging makes an additional improvement to log export, delivering granular, protocol-specific logging to SIEMs. The FMC GUI has been improved to be more navigable, more customizable, and more closely aligned to SCC. Administrators will also enjoy improvements to the upgrade process that allow control over revert and rollback options and better visibility of upgrading devices. Model migration options have also been expanded to further facilitate the transition to new hardware platforms.

  1. Streamlined Syslog Integration - A new wizard greatly simplifies syslog integration. The wizard is compatible with Splunk on day one. Users of other SIEMs should check with their vendors regarding ingest.

  2. New Syslog Event Types - New event types are added to syslog, including intrusion event packet data and AMP/Retrospective.

  3. Advanced Logging - Leverages the deep packet inspection capabilities of Snort 3 to generate logs with granular protocol data. Log types include DNS, FTP, HTTP, end of connection data, data collected from intrusion events, and logs related to anomalies.

  4. Simplified FMC GUI - Top level menus have been streamlined and brought into greater parity with Security Cloud Control. Administrators can also now customize menu entries.

  5. Upgrade Improvements - Advanced settings allow administrative direction for revert and rollback scenarios. All managed device upgrades can now be monitored from a single pane.

  6. Additional Model Migration Support - Expanded options for migrating configuration from the 1010, 1100, 2100, 4100, and 9300 models to the 1210 and 1220, and the 3100 and 4200 series.


Hardware Innovations

Cisco continues to build on its powerful, datasheet-accurate hardware lines with new models launching at both the low end and the ultra high end. The 200 series offers our most affordable option for branch and site deployments, while the 6100 series offers significantly more throughput than the 4200 while maintaining the same clustering capabilities. New FMC models provide better performance for the low, mid, and high end.

  1. Secure Firewall 200 Series - The 200 series launches with one model, the 220. The 220 model supports up to 1.5 Gbps of NGFW traffic and utilizes SoC embedded accelerators for encryption and traffic processing. It is intended for branch and service use cases.

  2. Secure Firewall 6100 Series - Delivers up to 400 Gbps per device while offering the same impressive 16x clustering of the 4200 series. These ultra high-end models are based on Cisco's leading price/performance architecture in the 3100 and 4200 lines, offering even more capacity for Data Center, Service Provider, and other high end environments.

  3. New FMC Models - The 1800, 2800, and 4800 models deliver improved capability for low, mid, and high end management scenarios. The 4800 can manage 1,500 FTDs and can handle twice the event rate and event retention of the 4700.


Identity

Administrators seeking to improve Zero Trust at the network level will welcome new integrations with Cisco Identity Intelligence and ISE that facilitate the assignment of dynamic trust levels to individual users and devices. 10.0 also brings additional scaling capability for multiple ISE clusters, and better traceability of user data inside the firewall.

  1. Dynamic Firewall - A new wizard provides configuration to integrate an identity source (ISE or pxGrid Cloud) with Cisco Identity Intelligence (CII) to assign a trust level to individual users and devices. CSDAC dynamic objects facilitate restrictions in network permissions for users and devices that lose trust levels.

  2. Better Scaling - Multiple ISE clusters (integrated either with pxGrid Cloud or on-prem) can now be leveraged in the identity policy.

  3. Traceability Tool - This CLI-based tool retrieves user session information and compiles it into a structured table. Multiple search modes are available for different troubleshooting scenarios, streamlining debugging and analysis workflows.


Public & Private Cloud

10.0 delivers new deployment options across cloud and virtualization environments. In the cloud, GCP deployments add clustering with dynamic scaling capabilities, while ARM support is added for OCI. In virtualization, a new Unlimited license is available to meet scaling use cases for VMware and KVM environments.

  1. GCP Clustering with Autoscale - Clustering with dynamic scaling is now available for GCP deployments. Both ASAv and FTDv are supported.

  2. OCI ARM Instance Support - ARM-based FTDv and ASAv virtual instances are now supported for OCI. 4, 8, 12, or 16 Oracle CPUs are supported per instance.

  3. New FTDv Unlimited License - An unlimited license has been added for VMware and KVM deployments of the virtual FTD (FTDv). The new license is intended for FTDv devices that need to scale beyond the CPU core and rate limits of the existing licenses.

