Cisco Releases new Firepower 6.6, and new ASA code with lots of cool new features….


Cisco’s NGFW Spring CY20 releases (FTD 6.6, ASA 9.14.1, and FXOS 2.8) are now live on CCO!


These releases deliver significant improvements to manageability and usability including FMC policy troubleshooting and object optimization, and previewing of changes prior to policy deployment. FDM now includes support for air-gapped networks with PLR.

In addition, functionality has been delivered to better support large enterprises. Scalability and resiliency are greatly improved with support for VRFs, MI clustering, and increased support for user identity sessions from 64,000 to 300,000.

120 features across 25 initiatives were delivered, including:

  • Multi-instance clustering support
  • Multi-VRF support
  • Device install and upgrade improvements
  • Azure & AWS horizontal autoscaling and AWS c5 support for FTDv
  • Identity 300K active user sessions support for FTD platforms
  • FTD-API/FDM, Cloud management for IPS signature tuning, HTTP proxy, PPPoE, AWS support
  • SNMP over management port as part of Mgmt/Diagnostic convergence
  • Firepower 4112 new platform support
  • Policy deploy improvements and deploy time prediction
  • FDM Airgap licensing PLR support
  • FMC usability improvements
  • FMC change management – Policy delta preview
  • FMC API’s for CDO support – Dynamic routing
  • Improved PAT operation in clustering
  • ISA 3000 New features
  • Policy and event trouble shooting improvements
  • TLS 1.3 downgrade support improvements
  • TAC Serviceability and debugging improvements
  • ASA policy gaps in FTD (Time based rules support)
  • Certification support for FTD and ASA
  • CSDL/PSB compliance support and Thirdparty SW compliance
  • Improved User assistance Whatfix FMC walkthrough
  • DHCP/IP support on mgmt. interface for Low-touch provisioning
  • VPN S2S IKEv2 support
  • Threat efficacy improvements

Here are resources for each:





  1. Do you know details of the improved PAT operation in clustering? I have a 9300 cluster and had issues with bank sites and a few others that would not allow logging in if I used a PAT pool. The server would see multiple source addresses for the same client due to load balancing on ether-channel from our ASR 9000. The suggested work around from Cisco was to change ether-channel load balancing to Source/Destination IP only, but the ASR 9000 only does 5 tuple hash and adds ports and protocol into the load balancing decision. A Cisco principal engineer told us a solution was coming this year so I am hopeful.

  2. Hi Jessie, I do not know the answer to that question, but if you find out please post it here!
    I spent the beta mostly doing mult-instance clustering & VRF.

  3. Here I am just wanting DHCP Option support in FDM….

    One day maybe.

    Cisco’s answer to EVERYTHING is “use FMC”. The ASA-5506 was great as a small business device. Yes I know a firewall isn’t a router or meant to be positioned as one, but ASA could do a heck of a lot more than FDM and fit these small business use cases. If I want to run ASA code, I’ll run an actual ASA.

    1. my 1010’s have run wtih FDM and I was able to use DHCP on them, no problem.
      I use CDO to manage them now, but FMD works a lot better now than in the past, no doubt.
      the 1010’s are pretty awesome!
      Agreed the ASA’s still have some more functionality at times…

      1. While creating dhcp scope for data interfaces, am not able to assign the DNS addresses as I need to put different DNS on different interface dhcp pool.
        Is this achievable on fdm 1010 6.5.

        1. yes, of course, you need to add a new pool for each interface, in which you can assign a different DNS server for each pool

  4. How is the responsiveness of the new GUI in 6.6? Still so slow as to not recommend, or have they got it moving a bit slicker?

    Take it the recommendation is to wait for or before upgrading production?

    1. Yes, they did all new databases, so it is better, but analysis is always still the same….they do a lot more merges now, so deployment is much faster.
      Wait till 6.6.x :)

    1. Not that I am aware of. They don’t have the same FXOS as a 4100/9300
      I hope so, but I have not heard anythnig

  5. Hello,
    i have an issue with the client anyconnect, i must do some rules based on the IP clients (not users because i need authorize the ip on others switchs).

    I use my DHCP Cluster on my system infrastructure, delegated to my AD domain.

    The problem the MAC adress transfered by FTD isn’t based on the standard, a lot of characters suite (256) and sometimes somes clients have the same !!!

    My question, why the FTD do that ? Because i can identify an unique MAC address for configure some reservation on my DHCP servers.

    Thank you for your help :)

  6. Todd,

    FDM does DHCP but no options. You cannot for example set option 150 for a phone. You can do this with FMC of course.

    Flexconfig cannot do it, as the dhcpd command is blacklisted. There is literally no way to set DHCP options using FDM. Cisco will tell you the same as say use FMC.

    Often times the branch firewall is the only device capable of DHCP at a remote or small office.

  7. I can go on such a huge rant but Reddit does that enough on Firepower.

    Another example, even FMC can’t do this!!

    VPN Phone feature. Cisco IP Phones could be taken home and register to a CUCM cluster using their builtin Anyconnect VPN client no sweat before. FTD? Nope. Need an ASA in parallel to do that. These are *insane* usability issues the BU refuses to address. Imagine how nice that VPN Phone feature would be in COVID? Orgs who “upgraded” to Firepower are hosed unless they want to do a janky ASA on a stick for it.

    Every release I hope Cisco erases some of these braindead decisions but it never happens. We need feature parity with ASA, now.

  8. Hi Chris, I understand your frustration, and people on reddit go there ONLY to bitch mostly. It’s horrible.
    However, I am not downplaying your experience. I can make Cisco Firepower work in ANY network, location or application. That said, I am really, really good at Firepower, which is what you need to be to run it. See where I am going with this? The people that bitch want to turn on and have it work, and PA does that slightly, but it’s not as good of a correctly configured Cisco Firepower network, that is damn certain. But you cannot turn on FP out of the box and make it work all that well, so that’s the problem. People don’t want to spend time to learn it.
    I have 1010’s at a lot of my customers, and I can make the DHCP do anything I want it to.
    However, if it doesn’t do what you want, then run it on something else, pretty much everything runs the service today. However, please understand that in the new code coming out later this year, there will be huge changes for the small remote issues you discuss….amazing good ones. I understand that this helps no one today.
    But cheer up! It’s a beautiful evening! :)

  9. Chris, Todd,
    thank you for your answer, just for understanding and clarify (sorry english isn’t my native language).

    FTD = physical appliance in my case : Cluster of Cisco Firepower 2110 Security Appliance
    FMC = Virtual or physical appliances for Manage your physical/virtual devices FTD ?

    Right ?

    What is FDM ?

    I’m a good client for Cisco since over 20 years with a medium network (400 employees Eur/Us/Mobile -> Full Cisco).

    Cisco are very very challenged now on different technology (Security, Wireless, Network, Authentification…). In this situation, since 3/4 years Cisco launch any products not very mature… For adapt quickly in “the competition”, like Firepower, Nexus and latest Wireless Controller…

    Now when i have project, i challenge Cisco in the past i was take Cisco with my eyes closed, if i need new firewall, i will take Palo Alto (Firepower with 2/3 in advance…)

    The roadmap on the Cisco Firewall is strange : you can buy ASA (legacy but very efficient) ASA-Firepower “slow two” or Firepower but not all feature from ASA are supported :)

    I have Firepower since 3 years, in version 6.5.xx (all previous versions are poored and bugged*) the product become stable with somes good features, the 6.5.XX are released since few months…

    Other thing, i don’t understand why Cisco recommanded v6.4.XX not 6.5.XX or 6.6 ?
    In version 6.4, the talos base isn’t implemented, the URL filtering is very BAD.

    The interface GUI is not intuitive and very long response when you click on an item… (VM is hosted on SSD Drivre, 32GB RAM, CPUs multicores…), I have tested the new interface in 6.5 lot of display bugs…

    Actually the firepower with version 6.5.x is normal, but i have some limitation, in my case :

    i must active the encryption/decryption SSL but i don’t know is it possible like other higher model can use the dedicaded ASIC and do not consume all CPU

    Replace the Cisco Firepower Agent (depreciated in futur release 6.7) with ISE PIC (take time and money again)

    DHCP reservation, if anybody have a solution for this i take :)

    Sorry for the long post and my bad english, just sharing my experience/situation to support each other.

    * Bug with Syslogs, Identity with Cisco Firepower Agent, SSL Encryption, Anyconnect feature missed, Cluster heartbeat bug : Cluster load balanced in permanence : answer from Cisco disable HA, wait new release :), Deploy time for apply new configuration over 10 min… the lists is long…

  10. Chris, I sent your DHCP complaint. Here’s what I found out –

    DHCP options can now be added via Flexconfig starting in 6.6, so hopefully that will solve the immediate problem.

  11. Hi Nono, thank you for writing.
    The DHCP reservations and options can now be added with Flexconfig in 6.6 code
    I do not know why cisco says use 6.4.x code, I’ve had nothing but issues with 6.4.
    The 6.5 and 6.6 code are far superior in my mind
    Yes, getting rid of the 1995 FPUA is a good thing, and replacing it with ISE PIC is where you should be.
    if you only have two FTD devices, then a virtual FMC will work fine for you.

  12. Chris,
    for your telephony needs, use Jabber softphone it’s more adapt for mobile users, better exploitation for IT teams and you gain some costs VS physical phone, and for your users you give more experience with headset, chat, file transfert, status availability, share screen and remote control…

    The beginning of this year, also i have migrate all my lines standard under the softphone and that’s work very well.

    I have a US branch office under Webex Teams, actually we migrate all offices under Webex Teams and it’s more efficient ! You can use it for multi usage like softphone, webconference with or without your local rooms (room kit Cisco), the application works under iOS and Android.

    I think if you have not a particular usage to impose the physical phone, forget it and migrate under a softphone solution.

  13. Thanks Todd and Nono….great discussion.

    Todd I will check the blacklist tomorrow in Flex.

  14. Todd,

    Here it is:

    Wow. OK so the command is still blacklisted but not when option is specified. This is great news.

    Full disclosure… I am a 19 year ‘FE’ for a Cisco VAR in San Diego. I’ve drank the Kool Aid for a long time. Firepower experience is 4 years now. I’m a believer Todd but we need some serious improvement. Glad to see I can set options now.

    1. They are really a few years behind. Had they come out with what they have now in 2016, we’d be in a different worlds. 6.6 and 6.7 code are drastic improvements, I just think it’s too late for some people. Certainly not all as I made a great living on Firepower…

  15. Dear Todd,
    Me too find myself following your blog with hope that things will get to the point where FTD should be.

    Now at 6.6 I’m really start to think about “upgrading” back to asa. Still too many things missing, especially for small businesses like the majority of my clients. I think if the new boxes would be capable of running asa+firepower I would be there.

    First I had to convince my clients that they need a virtual machine (a very powerful one for a very laggy experience) just to do the configuration, now Cisco is deprecating FPUA in favor of PxGgrid. Ok so I bought the license and now I need a new virtual machine (money, time, plus 4 cpu and 16 gigs of ram more to do what I was doing before..), but I still need an asa to do proper anyconnect. Just do the math and sum up all ram, cpu and disks just to manage the firepower and still can’t do a lot of things you can do with the asa.. (plus you need a router too if you need to lets say load balance connections or do sdwan stuff, but this is another story and i can understand why for cisco this is not firewall’s stuff)

    I don’t want to rant, I’d really like to love this product but it has been a while now and I think we all deserve at least the stability and all the feature of the “old” asa.

    PS: if they also could at least add local authentication for vpn as they did with FDM, I’d love that, and if they listen I know a lot of people who would like the ability to push the umbrella extension in anyconnect.

    1. There is some local authentication with 6.6, but yes, they need to add more quickly. They are a couple years behind. I still think it is the greatest NGFW, it just needs to be configured correctly, and doesn’t work that great out of the box, but I like it better than PA, etc

      1. I saw that now it’s possible to push extensions, like umbrella or amp, to anyconnect. This is a good step forward!

  16. Hi Todd,

    Is there a way to export an entire ACP in a manegeable way like in CSV? The only option i see available is in PDF. How do you normally deal with modifications of 1000s of rules at once?


    1. you can export the ACP policy and then import it into another FMC, or you can generate a report on a single ACP, but I haven’t heard of exporting an ACP to CSV.

  17. Hi Todd,

    We are currently running firepower 2110 with version 6.4.0.x. Cisco’s recommended version is still version What would your advise be to which version to upgrade? Will be stable enough?

    1. I like 6.5 and 6.6 even better, but I will stop short of telling you to upgrade to these because it is possible they can cause an issue with an application flow that I cannot understand at this point. All of my customers are running either 6.5 or 6.6, so if I was to do a consulting job with your company, I’d look at the application flow and then make a recommendation, just as I did with all my customers. Good luck!! :)

      1. Can you elaborate on the 6.6 version issue with application flow? Were having an issue where the acp is getting stuck on application inspection. we had to disable rule to clear up. If we debug it hangs at

        y.y.y.y-57646 > x.x.x.x-8081 6 AS 1-1 I 9 pending rule order 15, ‘Block Applications’, WebApp
        x.x.x.x-57646 – x.x.x.x-8081 6 AS 1-1 CID 0 Firewall: pending rule-matching, ‘Default-Deny-Outside’, pending WebApp

        Was causing some strange behavior with port scan testing from outside in.

        1. I am trying to remember what that was– I had to look back at my post and I didn’t see why I wrote that, but I had just finished a long beta on 6.6 at that time. It had to do with inspection if I can remember, and your debug looks like what I saw. So much has happened this year, that I just cannot remember why I wrote that now… However, if it is what I remember, that would have been fixed in Are you using the latest update?

          1. Yea is what we are running. Another question i have is cisco is forcing the acp for firewall and ips rules in one in there later migration utilities. I am used to prefilter for firewall rules and acp for ips related things. Is it more efficient to run everything in one or is it still ok to separate into prefilter for asa rules and acp for ips?

          2. HI Eric, that depends of what you’re using the prefilter for and how you’re configuring the rules.
            if you just are fastpathing everything because you don’t want any inspection for certain traffic, then that is what the prefiter is for.
            Also, you can block later 3/4 traffic there as well, which is more efficient instead of waiting to drop it at the ACP.

  18. Hi Todd
    Thank you for a great source of networking news.
    I wonder if you have heard why Cisco suddenly have marked FTD version 6.6.1 as their recommended version? I’ve asked around when I’ve had TAC on the line on unrelated cases but noone seems to know.


  19. Thats a good question Fredrik, I am not sure they didn’t say, however as someone that did extensive testing with 6.6 in beta, I would agree that’s the best code to go with

  20. Does anyone know if new FTD code now provides ANyconnect features that were not available on previous FTD code but available on ASA? I.E. DAP, ISE posture, Hostscan, SAML SSO, etc.

Leave a Reply

Your email address will not be published. Required fields are marked *