Tuesday, November 3, 2020

Firepower Release 6.7

I was part of the Firepower 6.7 Beta Program and I was really impressed by how I was supported by Cisco and by the way the feedback was appreciated. Since version 6.7 has been released to the public, I want to show some of the new features. I focus on FMC-managed FTDs, since from my perspective this use case is by far the most common.

Release Notes https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670.html 

I tested with some virtual devices for trying things out and had an HA pair running mainly AnyConnect access throughout the program in a kind of productive fashion. There were actually no concerns regarding stability.

The points described below are not 100% complete on all new features, just a summary of my experiences throughout the testing process. I wasn't able to go through all of them; for example, I had no chance to test any of the new features of NGFW in public clouds.

FMC GUI Improvements

Upgrade Management

Good news for GUI lovers: the readiness check for HA pairs is now possible through the GUI. Actually there is also a compatibility check, where FMC points you to open policy deployments or a needed upgrade on the FXOS side.

The whole upgrade process also improved from a GUI perspective. Checking the actual status of an upgrade and even accessing log files is possible through the GUI. So the move away from the CLI continued; we'll see if this finally happens in future.

FMC Change Management

A big step from an operational standpoint, especially for teams with several administrators working on FMC. You can check in detail what changes were made to policies or device configuration before deploying a policy. Like with many SDx solutions, you can check a config diff to see what changes get pushed out to the device.

This is also true from an auditing perspective. The audit log gets a simple option to view the actual changes an FMC admin made, also in a config diff view.

Another nice thing is selective policy deployment. Imagine you want to modify a Snort rule but you are not sure what the pending change of a new route on the device will do. So you simply uncheck the device changes in the policy deployment process and just push the Snort changes.

There is also an option for deployment rollback in case you did something wrong and are not sure how to go back.
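To make the change-management idea concrete, here is an added example (my own illustration, not Cisco's code or the FMC's actual diff engine) that diffs a deployed and a pending configuration snapshot and groups the changed lines by configuration section, which is roughly the information you want before deciding what to include in a selective deployment. Both snapshots are constructed sample text in ASA/FTD-style syntax; the function names are assumptions.

```python
import difflib

# Constructed sample: the configuration FMC last deployed to a device ...
DEPLOYED = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
access-list inside_in extended permit tcp any any eq 443
access-list inside_in extended deny ip any any
"""

# ... and the pending configuration with a new route and a new ACL entry.
PENDING = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside 198.51.100.0 255.255.255.0 203.0.113.2 1
access-list inside_in extended permit tcp any any eq 443
access-list inside_in extended permit tcp any any eq 22
access-list inside_in extended deny ip any any
"""


def config_diff(deployed, pending):
    """Return the unified diff between two config snapshots as a list of lines.

    An empty list means nothing would be pushed to the device.
    """
    return list(difflib.unified_diff(
        deployed.splitlines(), pending.splitlines(),
        fromfile="deployed", tofile="pending", lineterm=""))


def summarize_changes(diff_lines):
    """Split the diff into added and removed config lines, dropping the
    '---'/'+++' file headers and the '@@' hunk markers."""
    added = [l[1:] for l in diff_lines
             if l.startswith("+") and not l.startswith("+++")]
    removed = [l[1:] for l in diff_lines
               if l.startswith("-") and not l.startswith("---")]
    return {"added": added, "removed": removed}


def changes_by_section(diff_lines):
    """Count changed lines per leading keyword (route, access-list, ...).

    This is the view an operator wants before a selective deployment:
    which parts of the device configuration are actually affected.
    """
    changes = summarize_changes(diff_lines)
    sections = {}
    for line in changes["added"] + changes["removed"]:
        keyword = line.strip().split()[0]
        sections[keyword] = sections.get(keyword, 0) + 1
    return sections


if __name__ == "__main__":
    diff = config_diff(DEPLOYED, PENDING)
    print("\n".join(diff))
    print(changes_by_section(diff))
```

Running it prints the unified diff followed by a per-section count ({'route': 1, 'access-list': 1} for the sample above), so an operator can see at a glance that the pending push touches routing as well as the ACL and decide whether both should go out together.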

Usability Improvements

In the beta release at least, there was the option to enable a dark mode - big improvement *gg*

Another really nice thing is performance monitoring. You know the issue where you wanted to check the overall system load of a firewall, like CPU, RAM, HDD, throughput and so on?! Now there's a single overview that provides all the answers.


Small things that will help API haters - no offense - a little: bulk import of objects through the FMC GUI, or copying rules between different access control policies.

VPN Improvements

Some more features coming up to improve feature parity with the good old ASA software.

AnyConnect 

Two things to mention here: SAML and modules.

There were ways to deploy modules before release 6.7 with FlexConfig etc., but now there is an easy way to do it through the known RA VPN configuration options. The only thing still missing, maybe, is an integrated profile editor.

If you want to use modern protocols like SAML for AnyConnect, 6.7 is the way to go. If you want to use the nicer way of Duo MFA through SAML, for example, it now works on FTDs as well.

S2S VPN 

Firepower 6.7 can deploy VTI/route-based VPNs. There are still some limitations you need to check (static routing or BGP, for example).

For monitoring there is now an option in the GUI to get the typical CLI commands an administrator would run to check VPN status. So you can check Phase 1/2 from the GUI; troubleshooting VPN establishment is still a CLI thing though.

Other Nice Features to mention

SGT support for use as source and destination match criteria

pxGrid 2.0 Support

HTTP/2 Support

Snort 3 - well, not for FMC-managed devices in the release version

Remote Branch Deployment

It's now possible to connect FMC to a remote FTD through a data interface (e.g. the outside interface), so there is no need for a workaround to get the management interface connected. The downside at the moment is that high availability is not yet supported.

