What's New in 7.6

This page gives a highlight overview of the top deliverables in the release. NOTE: Some highlights do not have associated documentation. To see the full list of 7.6 release deliverables, visit New Features in Management Center Version 7.6.

Cloud-Enabled Features

FMC 7.6 comes with exciting new cloud-enabled features, including AI Assistant and new capabilities for Access Control policy analysis:

  1. Cisco Security Cloud Integration - We've updated FMC cloud onboarding to leverage the new Cisco Security Cloud.

  2. AI Assistant - We've integrated the AI Assistant into FMC, providing an intuitive interface for administrators to retrieve policy information, enhancing the ability to comprehend & optimize configurations.

  3. Policy Analyzer and Optimizer - Introducing Policy Analyzer and Optimizer, a new cloud-delivered feature to review policies and provide actionable recommendations.

Threat and Malware

Up until 7.6, security analysts constantly needed to dissect newly discovered vulnerabilities to write Snort rules (signatures) to protect networks; customers needed to repeatedly revise their decryption policy to avoid network disruptions and adhere to regulatory and privacy requirements; the Encrypted Visibility Engine (EVE) block feature was too aggressive and would block trusted networks; and users following the MITRE ATT&CK framework were looking for better representation in our event viewer. As of 7.6:

  1. SnortML - SnortML is our new machine learning-based exploit detection framework, protecting your environment against entire vulnerability classes, including both known and zero-day exploits.

  2. Simplified Do-Not-Decrypt - A new multistep decryption policy wizard offers the option to configure decryption exclusions for outbound connections, enabling users to easily define decryption exclusions that do not impact existing decryption policies.

  3. EVE Exception List - We created the EVE Exception List to grant users the ability to choose which connections should be blocked or allowed, ensuring the continuity of connections and services when EVE's block feature is enabled.

  4. Security Content Tagging - The unified event viewer has been updated with a single-pane view for MITRE techniques, a progression graph, and other contextual enrichment, giving users more information in one central location.

  5. QUIC Decryption - Decryption of the QUIC protocol allows for full threat and malware inspection of a growing segment of encrypted internet traffic.

Software Defined Wide Area Networking (SD-WAN)

With version 7.6, Cisco continues to expand its SD-WAN offering with enhancements and a number of new customer-requested features. These include device templates for deploying consistent configurations at scale, bulk pre-provisioning to reduce onboarding time, and a new SD-WAN wizard to simplify configuration of hub-and-spoke topologies. AAA communications over VRF interfaces have also been made more flexible.

  1. SD-WAN Wizard - This release introduces a simplified and automated guided wizard for route-based hub-and-spoke topologies in an SD-WAN deployment. This significantly reduces the configuration steps and simplifies the creation and management of SD-WAN topologies in Firewall Management Center.

  2. Device Templates & Bulk Pre-provisioning - Low Touch Provisioning (LTP) is now supported in on-prem FMC via the new Add Device Wizard, which can configure FTD devices using templates and register the device(s) in bulk, thereby enabling SD-WAN remote branch rollouts.

  3. AAA VRF Support - Extends the 7.4.1 VRF support to add AAA VRF support for FTD management on FTD data interfaces, allowing customers to partition their management interface traffic into different network segments.

Hardware Innovations

The 1010 and 1100 series firewalls have been available in the market for some time now, and Cisco recognized that a new device was needed to address advancements in network performance. Also, with Multi-Instance being provided on the 3100 series through FMC, requests for it on the 4200 series came pouring in, along with other improvement requests. In 7.6:

  1. Secure Firewall 1200 Series - Cisco is excited to introduce the new Secure Firewall 1200 series, which comes in three new form factors with an enterprise-grade ARM-based SoC running FTD.

  2. Multi-Instance on 4200 Series - The Secure Firewall 4200 now has Multi-Instance, managed via FMC, and supports increased numbers of instances.

  3. Other Improvements - The front panel USB (Type-A) port can now be disabled to minimize external physical exposure of the managed device. Individual Interface Mode has been introduced for clustering of Secure Firewall 3100 and 4200 series devices, enabling high traffic isolation and more granular topology handling, since each traffic type can have a dedicated interface. DTLS connections on the Secure Firewall 3100 and 4200 series devices have been accelerated to enhance their ability to handle encrypted traffic, achieving higher throughput, lower latency, and better overall performance.

Identity

Before 7.6, customers requested an alternative to provide passive identity without Identity Services Engine (ISE) or ISE Passive Identity Connector (ISE-PIC). As of 7.6:

  1. Passive Identity Direct from Active Directory (AD) - To provide passive identity without ISE, we now offer the Passive Identity Agent.

  2. Azure Active Directory (AD) Active Authorization - Support for active authentication with Azure AD using SAML, and enforced rules based on Azure AD users and groups.

Management & Upgrade Improvements

Before 7.6, upgrading Firewall Management Center (FMC) High Availability (HA) was a complex and time-consuming process that could result in failures, the previously introduced Change Management Workflow did not allow ticket reassignment, and customers stated that our user interface needed an update. In 7.6:

  1. Improvement: HA Upgrade Wizard & Improved Validations - Changes to the FMC High Availability (HA) upgrade wizard reduce the number of required steps from 9 to 6, and improved HA validations for FTD upgrades should significantly reduce FTD upgrade failures.

  2. Change Management Workflow Update - Users with both Review and Modify Ticket permissions can take over a ticket and assign it to themselves or another user, virtually eliminating the issue of approval delays.

  3. Bonus: Magnetic Framework - FMC now has the Magnetic Framework option in user preferences to provide a cleaner, refreshed look and feel for users working with our product.

Public Cloud

Before 7.6, the existing deployment architecture for clustering was confined to a single Availability Zone (AZ), so the failure of an AZ would bring down the whole cluster. Additionally, only single-arm topologies were supported, which were not ideal for egress traffic. In 7.6:

  1. Improvement: AWS Multi-Availability Zone (AZ) Clustering with Autoscale - ASAv/FTDv clusters can now be created across different Availability Zones (single or multiple AZs, based on user requirements, with dynamic scaling enabled) for increased redundancy and reliability.

  2. Improvement: AWS Dual-Arm Deployment Gateway Load Balancing Support - A dual-arm topology for egress traffic only is now available, providing improved traffic handling.