Cisco Firepower 1010 Getting Started page 6

New Features in FDM/FTD Version 7.1.0
Feature: DHCP relay configuration using FDM.
Description: You can use FDM to configure DHCP relay. Using DHCP relay on an interface, you can direct DHCP requests to a DHCP server that is accessible through the other interface. You can configure DHCP relay on physical interfaces, subinterfaces, EtherChannels, and VLAN interfaces. You cannot configure DHCP relay if you configure a DHCP server on any interface.
We added the System Settings > DHCP > DHCP Relay page, and moved DHCP Server under the new DHCP heading.

Feature: Key type and size for self-signed certificates in FDM.
Description: You can specify the key type and size when generating new self-signed internal and internal CA certificates in FDM. Key types include RSA, ECDSA, and EDDSA. The allowed sizes differ by key type. We now warn you if you upload a certificate whose key size is smaller than the minimum recommended length. There is also a weak key pre-defined search filter to help you find weak certificates, which you should replace if possible.

Feature: Usage validation restrictions for trusted CA certificates.
Description: You can specify whether a trusted CA certificate can be used to validate certain types of connections. You can allow, or prevent, validation for SSL server (used by dynamic DNS), SSL client (used by remote access VPN), IPsec client (used by site-to-site VPN), or other features that are not managed by the Snort inspection engine, such as LDAPS. The primary purpose of these options is to let you prevent VPN connections from getting established because they can be validated against a particular certificate.
We added Validation Usage as a property for trusted CA certificates.

Feature: Generating the admin password in FDM.
Description: During initial system configuration in FDM, or when you change the admin password through FDM, you can now click a button to generate a random 16 character password.

Feature: Startup time and tmatch compilation status.
Description: The show version command now includes information on how long it took to start (boot) up the system. Note that the larger the configuration, the longer it takes to boot up the system.
The new show asp rule-engine command shows status on tmatch compilation. Tmatch compilation is used for an access list that is used as an access group, the NAT table, and some other items. It is an internal process that can consume CPU resources and impact performance while in progress, if you have very large ACLs and NAT tables. Compilation time depends on the size of the access list, NAT table, and so forth.

Feature: Enhancements to show access-list element-count output.
Description: The output of the show access-list element-count command has been enhanced. When used with object-group search enabled, the output includes details about the number of object groups in the element count.
In addition, the show tech-support output now includes the output from show access-list element-count and show asp rule-engine.