History for Regular Firewall Interfaces for Secure Firewall Threat Defense
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| VXLAN VTEP IPv6 support | 7.4 | Any | You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the threat defense virtual cluster control link or for Geneve encapsulation. New/Modified screens: Requires threat defense version 7.4. You can specify an IPv6 address for the VXLAN VTEP interface for Secure Firewall 4200 Series devices only. |
| Loopback interface support for BGP and management traffic | 7.4 | Any | You can use a loopback interface for: Requires threat defense version 7.4. |
| Loopback interface support for VTI | 7.3 | Any | You can now add a loopback interface. The loopback interface helps to overcome path failures. If an interface goes down, you can access all interfaces through the IP address assigned to the loopback interface. For VTI, in addition to setting a loopback interface as the source interface, support has also been added to inherit the IP address from a loopback interface instead of a statically configured IP address. New/Modified screens: |
| IPv6 DHCP | 7.3 | Any | The threat defense now supports the following features for IPv6 addressing: New/Modified screens: New/Modified commands: show bgp ipv6 unicast, show ipv6 dhcp, show ipv6 general-prefix |
| Paired proxy VXLAN for the threat defense virtual for the Azure Gateway Load Balancer | 7.3 | Any | You can configure a paired proxy mode VXLAN interface for the threat defense virtual in Azure for use with the Azure Gateway Load Balancer (GWLB). The threat defense virtual defines an external interface and an internal interface on a single NIC by utilizing VXLAN segments in a paired proxy. New/Modified screens: Supported platforms: Threat Defense Virtual in Azure |
| VXLAN support | 7.2 | Any | VXLAN encapsulation support was added. New/Modified screens: Supported platforms: All. |
| Geneve support for the Threat Defense Virtual | 7.1 | Any | Geneve encapsulation support was added for the threat defense virtual to support single-arm proxy for the Amazon Web Services (AWS) Gateway Load Balancer. The AWS Gateway Load Balancer combines a transparent network gateway (with a single entry and exit point for all traffic) and a load balancer that distributes traffic and scales the threat defense virtual to match the traffic demand. This feature requires Snort 3. New/Modified screens: Supported platforms: Threat Defense Virtual in AWS |
| 31-bit Subnet Mask | 7.0 | Any | For routed interfaces, you can configure an IP address on a 31-bit subnet for point-to-point connections. The 31-bit subnet includes only 2 addresses; normally, the first and last addresses in a subnet are reserved for the network and broadcast addresses, so a 2-address subnet is not usable. However, if you have a point-to-point connection and do not need network or broadcast addresses, a 31-bit subnet is a useful way to preserve addresses in IPv4. For example, the failover link between 2 FTDs only requires 2 addresses; any packet that is transmitted by one end of the link is always received by the other, and broadcasting is unnecessary. You can also have a directly-connected management station running SNMP or Syslog. This feature is not supported for BVIs for bridge groups or with multicast routing. New/Modified screens: |
| Synchronization between the threat defense operational link state and the physical link state for the Firepower 4100/9300 | 6.7 | Any | The Firepower 4100/9300 chassis can now synchronize the threat defense operational link state with the physical link state for data interfaces. Currently, interfaces will be in an Up state as long as the FXOS admin state is up and the physical link state is up. The threat defense application interface admin state is not considered. Without synchronization from threat defense, data interfaces can be in an Up state physically before the threat defense application has completely come online, for example, or can stay Up for a period of time after you initiate a threat defense shutdown. For inline sets, this state mismatch can result in dropped packets because external routers may start sending traffic to the threat defense before the threat defense can handle it. This feature is disabled by default, and can be enabled per logical device in FXOS. New/Modified Firepower Chassis Manager screens: Logical Devices > Enable Link State New/Modified FXOS commands: set link-state-sync enabled, show interface expand detail Supported platforms: Firepower 4100/9300 |
| Firepower 1010 hardware switch support | 6.5 | Any | The Firepower 1010 supports setting each Ethernet interface to be a switch port or a firewall interface. New/Modified screens: |
| Firepower 1010 PoE+ support on Ethernet 1/7 and Ethernet 1/8 | 6.5 | Any | The Firepower 1010 supports Power over Ethernet+ (PoE+) on Ethernet 1/7 and Ethernet 1/8 when they are configured as switch ports. New/Modified screens: |
| VLAN subinterfaces for use with container instances | 6.3.0 | Any | To provide flexible physical interface use, you can create VLAN subinterfaces in FXOS and also share interfaces between multiple instances. New/Modified Secure Firewall Management Center screens: icon > Interfaces tab New/Modified Secure Firewall chassis manager screens: drop-down menu > Subinterface New/Modified FXOS commands: create subinterface, set vlan, show interface, show subinterface Supported platforms: Firepower 4100/9300 |
| Data-sharing interfaces for container instances | 6.3.0 | Any | To provide flexible physical interface use, you can share interfaces between multiple instances. New/Modified Secure Firewall chassis manager screens: New/Modified FXOS commands: set port-type data-sharing, show interface Supported platforms: Firepower 4100/9300 |
| Integrated Routing and Bridging | 6.2.0 | Any | Integrated Routing and Bridging provides the ability to route between a bridge group and a routed interface. A bridge group is a group of interfaces that the threat defense bridges instead of routes. The threat defense is not a true bridge in that the threat defense continues to act as a firewall: access control between interfaces is controlled, and all of the usual firewall checks are in place. Previously, you could only configure bridge groups in transparent firewall mode, where you cannot route between bridge groups. This feature lets you configure bridge groups in routed firewall mode, and route between bridge groups and between a bridge group and a routed interface. The bridge group participates in routing by using a Bridge Virtual Interface (BVI) to act as a gateway for the bridge group. Integrated Routing and Bridging provides an alternative to using an external Layer 2 switch if you have extra interfaces on the threat defense to assign to the bridge group. In routed mode, the BVI can be a named interface and can participate separately from member interfaces in some features, such as access rules and DHCP server. The following features that are supported in transparent mode are not supported in routed mode: clustering. The following features are also not supported on BVIs: dynamic routing and multicast routing. New/Modified screens: Supported platforms: All except for the Firepower 2100 and the threat defense virtual |
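The 31-bit Subnet Mask row above explains why a /31 has no reserved network or broadcast address and lists where the feature is not supported. The following Python check is an added example, not code from the Cisco documentation, that applies that rule and the row's stated restrictions (routed interfaces only, not BVIs, not with multicast routing) to a candidate interface address before it is pushed to a device; the function names and the `interface_type` parameter are assumptions.

```python
# Added example: validate point-to-point address assignments on /31 and
# /30 subnets with Python's standard ipaddress module.
from ipaddress import IPv4Interface, IPv4Network
from typing import Optional


def usable_hosts(net: IPv4Network) -> list:
    """Addresses a device may use on the subnet.

    On /31 (RFC 3021) there is no network/broadcast address, so both
    addresses are usable; on /30 and shorter prefixes the first and last
    addresses are reserved, as the feature row describes.
    """
    if net.prefixlen >= 31:
        return list(net)
    return list(net.hosts())


def peer_address(iface: IPv4Interface) -> Optional[str]:
    """On a /31 point-to-point link the peer is the only other address."""
    if iface.network.prefixlen != 31:
        return None
    return str(next(a for a in iface.network if a != iface.ip))


def check_assignment(cidr: str, interface_type: str = "routed",
                     multicast: bool = False) -> dict:
    """Return usable addresses, the /31 peer, and any policy problems.

    interface_type is an assumed label: "routed" or "bvi".
    """
    iface = IPv4Interface(cidr)
    net = iface.network
    problems = []
    if net.prefixlen == 31:
        # Restrictions stated in the feature row for 31-bit subnets.
        if interface_type != "routed":
            problems.append("31-bit subnet is only supported on routed interfaces, not BVIs")
        if multicast:
            problems.append("31-bit subnet is not supported with multicast routing")
    elif net.prefixlen <= 30:
        # Classic rule: network and broadcast addresses are not assignable.
        if iface.ip == net.network_address:
            problems.append("address is the network address")
        if iface.ip == net.broadcast_address:
            problems.append("address is the broadcast address")
    return {"usable": [str(a) for a in usable_hosts(net)],
            "peer": peer_address(iface),
            "ok": not problems,
            "problems": problems}
```

Running `check_assignment("10.1.1.0/31")` reports both addresses usable and `10.1.1.1` as the peer, while the same address on a /30 is rejected as the network address.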