There are some crucial new changes in the Firepower 6.3 image which fixed issues for a lot of customers, at least in the DACH region.
Well, as you know, Firepower 6.3 was released a couple of months ago! This release brings several long-awaited features, including multi-instance and FQDN Access Control rules. Let’s take a closer look at some of its magical features!
Here is a table which summarizes new features in FTD 6.3
Objects: You no longer need to deploy after de-listing a blacklisted host
In network analysis you can easily blacklist hosts, which is an awesome feature. However, it is easy to blacklist hosts, like your email server for example, by mistake.
To remove a host from the global blacklist, navigate to Objects>Network Lists and Feeds>Global-Blacklist, then click on the IP and remove it.
However, take care in a production environment, because when you right-click>blacklist an IP, the TCP session is dropped immediately!
Previously, when you took an IP out of the blacklist you had to redeploy to push the new blacklist out, but with 6.3 the push is automatic.
FTD Platform Policy:
From the beginning there was actually a big issue with the FTD Platform settings which Cisco never admitted to 😊
Starting with the 6.1 code, I refused to configure a platform setting on the FTD devices at my customer locations. However, when the 6.2.3 code came out, there were enough changes that the platform settings mostly worked, as well as some needed Lina syslogging, but it didn't change the situation, because there was still no documentation for this issue from Cisco.
It overwhelmed many of our customers because their FTD instances could simply become a brick, and the FMC would show NO activity at all, since the platform issues were found in the ingress Lina area (an area that sends no data to the FMC).
Based upon our past experiences with ASA firewalls, I knew that configuring syslog over TCP could cause an issue if the syslog server went down, so I had some idea where to look, as there was a workaround with the ASAs, and in fact there was one with the FTD devices as well
(but not documented, and this workaround was in fact disabled BY DEFAULT, so many of my customers unwittingly brought their FTD boxes to their knees when their syslog server lost connection to the FTD box).
Notice that it is now enabled, and they even added the circumlocution that they recommend it be enabled. Great job Cisco!!!!
However unlikely you may feel this scenario would or could be, it certainly did occur to many customers, and the results were disastrous. You could ping, etc. the FTD devices, but they passed NO PACKETS, and the FMC showed nothing, zero, zip.
Before version 6.3 the check box shown was not enabled by default!
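As an added example (not from the original post), a small audit of a Lina running-config for exactly this failure mode: TCP syslog configured while the host-down workaround is missing. It assumes the ASA/FTD Lina syntax `logging host <if> <addr> <proto>/<port>` (protocol 6 = TCP, default TCP port 1470) and the `logging permit-hostdown` command, which the post does not name; the config fragments are constructed.

```python
import re

# Constructed Lina running-config fragments (not taken from any real device).
CONFIG_TCP_NO_WORKAROUND = """\
logging enable
logging trap informational
logging host inside 10.0.0.5 6/1514
"""

CONFIG_TCP_WITH_WORKAROUND = """\
logging enable
logging permit-hostdown
logging host inside 10.0.0.5 6/1514
"""

CONFIG_UDP_ONLY = """\
logging enable
logging host inside 10.0.0.5 17/514
logging host dmz 10.0.1.5
"""

# logging host <interface> <address> [<ip-proto>[/<port>]]; trailing keywords ignored.
LOGGING_HOST = re.compile(
    r"^logging host (?P<ifname>\S+) (?P<addr>\S+)"
    r"(?: (?P<proto>\d+)(?:/(?P<port>\d+))?)?",
    re.MULTILINE,
)


def tcp_syslog_servers(config):
    """Return (interface, address, port) for every syslog server reached over TCP.

    Protocol 6 is TCP, 17 is UDP; a host line without a protocol defaults to UDP/514,
    and a TCP line without an explicit port uses the ASA default of 1470 (assumed)."""
    servers = []
    for m in LOGGING_HOST.finditer(config):
        if m.group("proto") == "6":
            servers.append((m.group("ifname"), m.group("addr"), int(m.group("port") or 1470)))
    return servers


def audit_syslog_hostdown(config):
    """Flag TCP syslog destinations configured without 'logging permit-hostdown',
    the combination that stops user traffic when the syslog server goes away."""
    permit = re.search(r"^logging permit-hostdown\s*$", config, re.MULTILINE) is not None
    if permit:
        return []
    return [f"TCP syslog to {addr}:{port} via {ifname} without 'logging permit-hostdown'"
            for ifname, addr, port in tcp_syslog_servers(config)]
```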
System>Integration>Query Cisco CSI for Unknown URLs:
Since Cisco released the first version of ASA with Firepower, the Query Cisco CSI setting under System>Integration was always off by default.
As a result, when you filtered by URL category, an unknown URL would come back as Uncategorized and the packets were allowed through instead of the URL being blocked.
By querying Cisco Security Intelligence (CSI) for the URL category, the system can categorize the URL and immediately start blocking the packets.
Here is another tiny change which can have a tremendously huge impact in some cases:
When I went to enable this under System>Integration after installing the 6.3 code, so that my ACP with URL filtering rules would start blocking, the check box was already enabled!
I could never figure out why it was disabled by default before! :)