History for Regular Firewall Interfaces for Secure Firewall Threat Defense

Columns: Feature (Minimum Management Center; Minimum Threat Defense), followed by Details

VXLAN VTEP IPv6 support (Minimum Management Center: 7.4; Minimum Threat Defense: Any)

You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the threat defense virtual cluster control link or for Geneve encapsulation.

New/Modified screens:

  • Devices > Device Management > Edit > VTEP > Add VTEP

  • Devices > Device Management > Edit > Interfaces > Add Interfaces > VNI Interface

Requires threat defense version 7.4.

You can specify an IPv6 address for the VXLAN VTEP interface for Secure Firewall 4200 Series devices only.

Loopback interface support for BGP and management traffic (Minimum Management Center: 7.4; Minimum Threat Defense: Any)

You can use a loopback interface for:

  • AAA

  • BGP

  • DNS

  • HTTP

  • ICMP

  • IPsec Flow Offload

  • NetFlow

  • SNMP

  • SSH

  • Syslog

Requires threat defense version 7.4.

Loopback interface support for VTI (Minimum Management Center: 7.3; Minimum Threat Defense: Any)

You can now add a loopback interface. The loopback interface helps to overcome path failures: if an interface goes down, you can still access all interfaces through the IP address assigned to the loopback interface. For VTI, in addition to setting a loopback interface as the source interface, the VTI can now inherit its IP address from a loopback interface instead of using a statically configured IP address.

New/Modified screens:

Devices > Device Management > Interfaces > Add Interfaces > Add Loopback Interface

IPv6 DHCP (Minimum Management Center: 7.3; Minimum Threat Defense: Any)

The threat defense now supports the following features for IPv6 addressing:

  • DHCPv6 Address client—The threat defense obtains an IPv6 global address and optional default route from the DHCPv6 server.

  • DHCPv6 Prefix Delegation client—The threat defense obtains one or more delegated prefixes from a DHCPv6 server. The threat defense can then use these prefixes to configure other threat defense interface addresses so that Stateless Address Autoconfiguration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.

  • BGP router advertisement for delegated prefixes

  • DHCPv6 stateless server—The threat defense provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to the threat defense. The threat defense only accepts IR packets, and does not assign addresses to the clients.

New/Modified screens:

  • Devices > Device Management > Interfaces > Add/Edit Interfaces > IPv6 > DHCP

  • Objects > Object Management > DHCP IPv6 Pool

New/Modified commands: show bgp ipv6 unicast, show ipv6 dhcp, show ipv6 general-prefix

Paired proxy VXLAN for the threat defense virtual for the Azure Gateway Load Balancer (Minimum Management Center: 7.3; Minimum Threat Defense: Any)

You can configure a paired proxy mode VXLAN interface for the threat defense virtual in Azure for use with the Azure Gateway Load Balancer (GWLB). The threat defense virtual defines an external interface and an internal interface on a single NIC by utilizing VXLAN segments in a paired proxy.

New/Modified screens:

  • Devices > Device Management > Device > Interfaces > Add Interfaces > VNI Interface

Supported platforms: Threat Defense Virtual in Azure

VXLAN support (Minimum Management Center: 7.2; Minimum Threat Defense: Any)

VXLAN encapsulation support was added.

New/Modified screens:

  • Devices > Device Management > Device > VTEP

  • Devices > Device Management > Device > Interfaces > Add Interfaces > VNI Interface

  • Devices > Device Management > Device > Interfaces edit physical interface > General

Supported platforms: All.

Geneve support for the Threat Defense Virtual (Minimum Management Center: 7.1; Minimum Threat Defense: Any)

Geneve encapsulation support was added for the threat defense virtual to support single-arm proxy for the Amazon Web Services (AWS) Gateway Load Balancer. The AWS Gateway Load Balancer combines a transparent network gateway (with a single entry and exit point for all traffic) and a load balancer that distributes traffic and scales the threat defense virtual to match traffic demand.

This feature requires Snort 3.

New/Modified screens:

  • Devices > Device Management > Device > VTEP

  • Devices > Device Management > Device > Interfaces > Add Interfaces > VNI Interface

  • Devices > Device Management > Device > Interfaces edit physical interface > General

Supported platforms: Threat Defense Virtual in AWS

31-bit Subnet Mask (Minimum Management Center: 7.0; Minimum Threat Defense: Any)

For routed interfaces, you can configure an IP address on a 31-bit subnet for point-to-point connections. A 31-bit subnet includes only 2 addresses; normally, the first and last addresses in a subnet are reserved for the network and broadcast addresses, so a 2-address subnet is not usable. However, if you have a point-to-point connection and do not need network or broadcast addresses, a 31-bit subnet is a useful way to conserve IPv4 addresses. For example, the failover link between 2 FTDs only requires 2 addresses; any packet transmitted by one end of the link is always received by the other, so broadcasting is unnecessary. You can also have a directly connected management station running SNMP or Syslog. This feature is not supported for bridge group BVIs or with multicast routing.

New/Modified screens:

Devices > Device Management > Interfaces

Synchronization between the threat defense operational link state and the physical link state for the Firepower 4100/9300 (Minimum Management Center: 6.7; Minimum Threat Defense: Any)

The Firepower 4100/9300 chassis can now synchronize the threat defense operational link state with the physical link state for data interfaces. Currently, interfaces are in an Up state as long as the FXOS admin state is up and the physical link state is up; the threat defense application interface admin state is not considered. Without synchronization from the threat defense, data interfaces can be physically Up before the threat defense application has completely come online, for example, or can stay Up for a period of time after you initiate a threat defense shutdown. For inline sets, this state mismatch can result in dropped packets because external routers may start sending traffic to the threat defense before it can handle it. This feature is disabled by default and can be enabled per logical device in FXOS.

Note: This feature is not supported for clustering, container instances, or threat defense with a Radware vDP decorator. It is also not supported for ASA.

New/Modified Firepower Chassis Manager screens: Logical Devices > Enable Link State

New/Modified FXOS commands: set link-state-sync enabled, show interface expand detail

Supported platforms: Firepower 4100/9300

Firepower 1010 hardware switch support (Minimum Management Center: 6.5; Minimum Threat Defense: Any)

The Firepower 1010 supports setting each Ethernet interface to be a switch port or a firewall interface.

New/Modified screens:

  • Devices > Device Management > Interfaces

  • Devices > Device Management > Interfaces > Edit Physical Interface

  • Devices > Device Management > Interfaces > Add VLAN Interface

Firepower 1010 PoE+ support on Ethernet 1/7 and Ethernet 1/8 (Minimum Management Center: 6.5; Minimum Threat Defense: Any)

The Firepower 1010 supports Power over Ethernet+ (PoE+) on Ethernet 1/7 and Ethernet 1/8 when they are configured as switch ports.

New/Modified screens:

Devices > Device Management > Interfaces > Edit Physical Interface > PoE

VLAN subinterfaces for use with container instances (Minimum Management Center: 6.3.0; Minimum Threat Defense: Any)

To provide flexible physical interface use, you can create VLAN subinterfaces in FXOS and also share interfaces between multiple instances.

New/Modified Secure Firewall Management Center screens:

Devices > Device Management > Edit icon > Interfaces tab

New/Modified Secure Firewall chassis manager screens:

Interfaces > All Interfaces > Add New drop-down menu > Subinterface

New/Modified FXOS commands: create subinterface, set vlan, show interface, show subinterface

Supported platforms: Firepower 4100/9300

Data-sharing interfaces for container instances (Minimum Management Center: 6.3.0; Minimum Threat Defense: Any)

To provide flexible physical interface use, you can share interfaces between multiple instances.

New/Modified Secure Firewall chassis manager screens:

Interfaces > All Interfaces > Type

New/Modified FXOS commands: set port-type data-sharing, show interface

Supported platforms: Firepower 4100/9300

Integrated Routing and Bridging (Minimum Management Center: 6.2.0; Minimum Threat Defense: Any)

Integrated Routing and Bridging provides the ability to route between a bridge group and a routed interface. A bridge group is a group of interfaces that the threat defense bridges instead of routes. The threat defense is not a true bridge in that it continues to act as a firewall: access control between interfaces is enforced, and all of the usual firewall checks are in place. Previously, you could only configure bridge groups in transparent firewall mode, where you cannot route between bridge groups. This feature lets you configure bridge groups in routed firewall mode and route between bridge groups and between a bridge group and a routed interface. The bridge group participates in routing by using a Bridge Virtual Interface (BVI) to act as a gateway for the bridge group. Integrated Routing and Bridging provides an alternative to using an external Layer 2 switch if you have extra interfaces on the threat defense to assign to the bridge group. In routed mode, the BVI can be a named interface and can participate separately from member interfaces in some features, such as access rules and DHCP server.

Clustering, which is supported in transparent mode, is not supported in routed mode. Dynamic routing and multicast routing are also not supported on BVIs.

New/Modified screens:

  • Devices > Device Management > Interfaces > Edit Physical Interface

  • Devices > Device Management > Interfaces > Add Interfaces > Bridge Group Interface

Supported platforms: All except for the Firepower 2100 and the threat defense virtual