CISCO Firepower System Version 6.1 Out Now – First Look and Upgrade Process

Firepower System Version 6.1 Out Now – First Look and Upgrade Process

Cisco just released yesterday the latest version of the FirePOWER software IE Version 6.1. The release notes can be found HERE. This post will provide a first look and quick review of the upgrade process using the FirePOWER virtual manager.
My current lab has a ASA5506 managed by a virtual FirePOWER appliance. Both are running 6.0.1. Here is my 5506 managed by the virtual FirePOWER appliance.

The first step for me to upgrade to 6.1 is to upgrade my FirePOWER manager. I downloaded the file Sourcefire_3D_Defense_Center_S3_Upgrade-6.1.0-330.sh and went to the GUI manager, clicked system -> updates and selected add upload update. I selected the upgrade file (little package image) and applied it to my manager.
It took about 5 minutes to upload the upgrade file and about 2-3 hours to run the upgrade process ( I did it before I went to bed and checked it in the middle of the night). While checking the manager, I saw the following screen after an hour

Once my manager was upgraded, I downloaded two files to upgrade my ASA5506. The first is a the Cisco_FTD_Upgrade-6.1.0-330.sh script and other is the upgrade utility Cisco_FTD_6.1.0_Pre-install-6.0.1.999-1224.sh. I tried running the upgrade directly a few times and it failed every time at the 20 minute point.

I found the fix was to delete the ASA from the Manager, log into the command line of the ASA and remove the manager using the command “configure manager delete”, then add the manager back in ASA CLI using the command “configure manager add X.X.X.X (special term), then add the ASA back to the FirePOWER manager. Once I had the FirePOWER showing the ASA correctly, applying the Cisco_FTD_Upgrade-6.1.0-330.sh  worked. Note I did these steps AFTER I upgraded the FirePOWER manager.  If you have trouble upgrading a FirePOWER appliance or ASA with FirePOWER, try removing and adding it!

The ASA5506 6.0.1 to 6.1 upgrade process took about two hours to complete. Once completed,  it rebooted and I had everything at 6.1.

And that was all that was to that. Now here is a quick list of some of the new features.

1. A very cool and New On-Box Device Manager. I’ll be post more about this later this week since I”m using the centralized manager hence can’t pull that up without adding another ASA via separate manager. I’ve seen demos of it and its nice. More to come on that shortly.
2. Integrated Risk Reports – This use to be a script to see various risk reports. Now they are built into FirePOWER. Here is a screenshot of the three risk report templates
3. High Availability for Firepower Management Center … kind of important.
4. Rate Limiting – Yeay finally! The ability to permit but limit a specific service. Here is a screenshot of the basic QoS Page. As you can see, the rate limiting stuff is to the right.
5. Prefilter policies support the efficient flow of traffic. Here is a screenshot of the tunnel rule and prefilter rule options. It is configured like a access control policy.
6. Site-to-Site VPN is now available
7. Multicast Routing is now available
8. VDI Identity Support – This one solves a identity gap. The problem was FirePOWER could only see the traffic within its vision meaning anything behind a NAT would be seen as one IP address. This new feature associates a user with a IP address and port range combination through the use of a new agent deployed on the Windows Terminal Server. The Cisco Terminal Services Agent intercepts logs and assigns port ranges to every user that logs in. This gives FirePOWER visibility of the actual port ranges of the users.
9. SafeSearch / YouTube EDU Policies – Can support higher education needs for filtering searching.
10. ISE Remediation – FirePOWER integration is now built int for auto remediation of threats.
11. True-IP Policy Enforcement – As long as the proxy server supports the insertion of XFF headers into it, Firepower is now able to enforce policies based on the actual IP address.
12. Inline SGT Tags – With Version 6.1, you can now configure inline Security Group Tag (SGT) policies that will read the SGT tag off of the packet and enforce the policy on the packet without requiring a connection to the ISE Server all the time.
13. AMP Private Cloud with ThreatGrid