Cisco Firepower Management Center 2000

FireSIGHT System Release Notes
New Features and Functionality
Simplified Normalization and Preprocessor Configuration
You now configure traffic normalization and preprocessing in the access control policy, rather than the intrusion policy. 
This simplifies configuration, especially for new users. The sensitive data preprocessor, rule states, alerting, and event 
thresholds can still be configured at an individual intrusion policy level.
New file_type Keyword in the Snort Rule Language
A new file_type keyword is available in the Snort rules language that enables the specification of a file type for detection. 
This is a streamlined alternative to the existing flowbits-driven method.
Expanded IoC support from FireAMP Connectors
The list of Indicators of Compromise (IoC) provided by FireAMP is now dynamic and data-driven. As new IoCs become 
available, they are automatically supported by the Defense Center. This enhances the IoC correlation capability in any 
deployment where FireAMP is used.
Protected Rule Content
A new capability of the Snort rule language is available for use in high-security environments. You can now create a Snort 
content match using hashed data. This allows the rule writer to specify what content to search for, but never exposes 
the content in plain text.
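
The following sketch is an added example, not part of the release notes or of Cisco's code. It shows how a rule writer could derive the digest for a hashed content match and how a digest comparison at a fixed offset works. The rule text assumes the protected_content, hash, offset and length options of open-source Snort 2.9.7; the sample string, message, SID and payload are constructed.

```python
import hashlib

# Hash types assumed from the open-source Snort 2.9.7 protected_content option.
HASHES = {"md5": hashlib.md5, "sha256": hashlib.sha256, "sha512": hashlib.sha512}

def digest(data: bytes, algo: str = "sha256") -> str:
    """Upper-case hex digest of the bytes that must stay out of the rule text."""
    return HASHES[algo](data).hexdigest().upper()

def build_rule(secret: bytes, offset: int, msg: str, sid: int,
               algo: str = "sha256") -> str:
    """Rule text that carries only the digest, offset and length of `secret`."""
    return (f'alert tcp any any -> any any (msg:"{msg}"; '
            f'protected_content:"{digest(secret, algo)}"; hash:{algo}; '
            f'offset:{offset}; length:{len(secret)}; sid:{sid}; rev:1;)')

def match_at(payload: bytes, offset: int, hexdigest: str, length: int,
             algo: str = "sha256") -> bool:
    """Simplified model of the match: hash exactly `length` bytes at `offset`.

    The original length is needed because a digest says nothing about how
    many payload bytes produced it. A payload that ends before
    offset + length cannot match.
    """
    if offset < 0 or length <= 0 or offset + length > len(payload):
        return False
    window = payload[offset:offset + length]
    return digest(window, algo) == hexdigest.upper()

# Constructed sample data for the demonstration.
SECRET = b"PROJECT-ORCHID-7"
PAYLOAD = b"POST /upload HTTP/1.1\r\n\r\nref=PROJECT-ORCHID-7&x=1"
OFFSET = PAYLOAD.index(SECRET)
DIGEST = digest(SECRET)
RULE = build_rule(SECRET, OFFSET, "Protected marker seen", 1000001)

if __name__ == "__main__":
    print(RULE)
    print("match at offset", OFFSET, "->",
          match_at(PAYLOAD, OFFSET, DIGEST, len(SECRET)))
    print("match one byte later ->",
          match_at(PAYLOAD, OFFSET + 1, DIGEST, len(SECRET)))
```

The digest hides the content only as far as the content is hard to guess: a short or low-entropy string can be recovered by hashing candidate values and comparing them with the digest in the rule.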
Previously Changed Functionality
The following functionality was introduced in Version 5.4.1.2:
You must apply the same access control policy to all devices that you plan to stack or cluster before you configure 
the stack or cluster.
You can now choose not to inspect traffic during policy apply to prevent network disruption.
The system no longer reports the discovery event status to the Health Policy page.
You can now create an access control policy that references either an access control rule network condition set to 
block all IPv6 addresses with ::/0 or a network rule set to block all IPv4 addresses with 0.0.0.0/0.
The system now reports an event for all CPU reports when CPU usage changes from a high level to a normal state.
The following functionality was introduced in Version 5.4.1.1:
The system now clears all intrusion policy locks when you upload intrusion rules or install intrusion rule updates.
The following functionality was introduced in Version 5.4.1:
Registered ASA devices now have configurable advanced options on the Advanced tab of the Device Management 
page (Devices > Device Management).
The show users CLI command is now supported on ASA devices.
You can configure alerts only for retrospective events or network-based malware events from the Advanced Malware 
Protections Alerts tab on the Alerts page.
The following features and functionality were updated in Version 5.4:
You can now view VLAN tags for connection events in the event viewer (Analysis > Connections > Events).
The system now identifies login attempts over the FTP, HTTP, and MDNS protocols.
You can now select archived connection events separately from discovery events for transmission to the eStreamer 
client.
The Discovery Event Health Monitor is no longer available in health policies.