2025.x Feature Release Change Log

Initial 2025 Feature release. View What's New in FireMon Support Center (sign in required)

A bug affecting Policy Planner automation results for stateless devices like Cisco IOS, IOS-XR, and Nexus switches/routers has been identified. When a ticket is defined with a requirement in Policy Planner for new connectivity against one of these device types and auto-design or Rule Recommendation is used, the results should create two rules, one rule for establishing the connection in one policy, and a second rule for the return traffic in a different policy. When leveraging rule recommendations, this bug returns a new rule to be created with the defined source and destination merged. Manual rule planning against these stateless devices is recommended until this issue is resolved.

• Security Manager DisplayName Updates: In a previous release, we went through the Policy Planner UI to make sure we're displaying the appropriate fields everywhere. In 2025.2.0, we've done the same with Security Manager so that displayName should be honored everywhere in the UI across our various products.

• Device Group Policies View: We have expanded the Policy > Policies view in Security Manager to support Device Groups. Previously, this view was limited to a single device at a time.

  With this update, users can now view all normalized Policies for each cloud-type device within a selected device group, providing greater visibility and efficiency in policy management. To better reflect this enhancement, the view has been renamed Cloud Policies.

  This improvement is based on customer feedback and aims to streamline policy oversight across multiple cloud devices.

• FQDN Support Within Rule Recommendation: Rule Recommendation now supports FQDNs as source or destination values in requirements. This enhancement enables more flexible and precise policy definitions.

  Key capabilities include:

  • Resolving FQDNs to IP addresses for rule processing.

  • Auto Design leveraging Rule Recommendation to process FQDNs and generate a suggested change plan.

  • Fallback to IP addresses in the change plan when FQDNs are not supported by the device.

  • User-defined DNS servers and/or Hosts files for FQDN resolution during Rule Recommendation processing.

    This enhancement improves accuracy and adaptability in policy recommendations, ensuring better alignment with network configurations.

• Warning and Error Messages to Rule Recommendation Results: To enhance feedback when recommendations are incomplete or errors occur, Rule Recommendation results now display errors and warnings more prominently. This improvement ensures users can quickly identify and address issues, leading to more efficient policy updates and troubleshooting.

• Rule Recommendation Performance Improvements: We have significantly improved the performance and behavior of Rule Recommendation:

  • Up to 3x faster recommendation processing.

  • Real-time aggregation of results as they arrive, reducing memory usage.

  • Prevention of heap exhaustion for large-scale requests.

  • Improved scalability, with better performance when additional processor cores are allocated.

    These optimizations enhance efficiency, especially for high-volume recommendation requests, ensuring faster and more reliable policy updates.

• Personal Access Tokens: To enhance security and reduce reliance on embedded credentials in scripts, users can now generate Personal Access Tokens (PATs). These tokens function like passwords while inheriting the user's permissions, enabling secure authentication for automated processes.

  Key features:

  • Secure alternative to embedded credentials in scripts.

  • Token-based authentication with the same permissions as the user.

  • Revocable tokens for added security.

  • Auto-expiration to enforce periodic credential rotation.

    This feature improves security and aligns with best practices for authentication management. About Personal Access Tokens

Insight users are recommended to either update to the newest FMOS versions (2025.1.4 or 2025.2.2) or use the default firemon admin account created during installation. This prevents an admin user who navigates to Administration > Settings > Security Manager from being logged out immediately if the system does not have a Policy Planner license. This affects all admin users authenticating locally or via SAML, LDAP, or similar methods.

• New Retrieval Option for Large ASA Access-List: Customers with large ASA access lists now have a faster retrieval option. Enabling Save Access List to Disk in Advanced device settings temporarily writes the access list to the device's disk. It then securely transfers it via SCP to the data collector.

  Requirements:

  • The ASA must have SCP enabled (ssh scopy enable).

  • The retrieval user account must have privilege level 15.

  If these conditions are unmet, the system will detect and provide meaningful error messages.

• Inline and Derived Objects in Decommission Workflow: This feature enhances the handling of inline objects during clone and decommission operations, ensuring accurate change plan generation, reliable automation, and support for scenarios with single-value column restrictions.

• Set Default Value for L7 Requirement Fields: This feature enables users to set default values for lookup fields in custom workflows within Policy Planner, resolving an issue where empty arrays previously prevented default values from triggering correctly.

• Rule Ignore from APA, Rule Rec, and Removable Rules Reports: This feature allows users to mark specific firewall security rules as ignored, excluding them from Behavior Model functions such as Device APA, Network APA, and Removable Rules. Since Rule Recommendation relies on APA and routes, it will automatically reflect these updates. Ignore a Rule

• Improved Elasticsearch Reindex Process: We introduce a batch-loading approach that tracks reindex progress, allowing it to resume from the last completed state after a restart.

• Option to Set Syslog TimeZone for CLI: This feature allows users to configure Syslog time zone settings via the CLI, enabling them to customize the time zone or retain UTC logging. It ensures compliance with RBI guidelines and InfoSec policies while providing greater control over log management. Remote Syslog Timezone

• Palo Alto Cluster Discovery: Panorama will now discover high availability (HA) pairs during firewall discovery and create FireMon clusters for the firewalls in the HA Pair (note this is not the same as what Palo calls HA Clusters, which only syncs session state). Subsequent Panorama retrievals will update the active/primary cluster member appropriately. This will not override any pre-existing FireMon clusters that a user has created manually.

• Juniper Normalization Updates to Support Behavior: Juniper devices (SRX, LSYS, M-series, and EX) have received numerous normalization updates to more accurately model the behavior of these devices.

• Updates to Service Object Naming: Remove "/0-65535" Suffix. In Policy Planner, the Rule Recommendation has been updated to prevent appending "/0-65535" to service object names when creating new services for protocols with unspecified port ranges. Service Objects for protocols other than ICMP(1), ICMP(58), TCP(6), UDP(17), and STCP(132) will not have the “/0-65535” appended to them.

• Rule Recommendation Performance Improvements: Improved rule recommendation runtime.

• Map Performance Improvements: Interface address matching for linking devices in the network map was slowing down map generation. With this improvement, map generation for this particular use case decreased from approximately four hours to a few minutes.

• Rule Recommendation: Added a new management station recommendation option to prefer shared. Similar to the "fewest changes" option, when "fewest changes" and "least access” end in a tie, prefer the global policy. Global Policy affects as few policies as possible, and will always select available global policies.

• Functional Policy Route Handling in JunOS Behavior Models: APA and Rule Recommendation more accurately model traffic flow for all JunOS devices.

• Support for IP Ranges in Source and Destination Fields for Rule Recommendation Requirements and Auto-Design: Rule recommendations and Auto-Design now fully support network ranges in source and destination fields.

• Support file export at the device group level: The system now allows you to export the latest normalized revisions of multiple devices in a single user interaction, reducing the required end-user data capture effort. Export Support Files

The following devices will be deprecated and no longer supported, beginning with the May 2025 release. Juniper ScreenOS, Juniper ScreenOS VSYS, Juniper SA, and Juniper NSM.authenticating locally or via SAML, LDAP, or similar methods.

• Juniper Device Pack Consolidation: To reduce code duplication and simplify maintenance and testing in the future, we have consolidated some of the many Juniper device packs into three device packs: Juniper SRX Series, Juniper EX/QFX Series, and Juniper MX/ACX/PTX/CTP Series. Your existing devices have automatically been assigned the appropriate device pack during the upgrade. When you create a new Juniper device, you'll see a simplified list of available options.

  This is how the Juniper devices will be seen in the UI:

The following devices have been deprecated and are no longer supported: Juniper ScreenOS, Juniper ScreenOS VSYS, Juniper SA, and Juniper NSM.

• Juniper BGP Community Route Filtering: Juniper customers with extensive BGP routing tables can now limit which routes are retrieved by specifying BGP Communities. This new option reduces both retrieval time and file size.

• Azure Manager Cross-Subscription Hit Count Retrieval: You can now set an alternate Subscription ID for hit-count retrievals at the Azure Manager level. This setting automatically applies to all child devices when specified, eliminating the need to configure each individually.

• Policy Planner Requirements Form Validation: You can now easily identify which inputs fail validation. This improvement reduces frustration in both the manual requirements form and CSV imports.

• Service Object Stack Types for Cisco IOS: Cisco IOS devices can now accurately generate CLI commands with IPv6 and IPv4 stack types for service object groups.

  Post-change Policy Planner auto verification may fail when changes involve IPv6 object groups or IPv6 ACL rules. A fix is currently in development and will be included in an upcoming release.

• Device Consistency Report: The Device Consistency Report now includes options to choose diff viewing modes and set diff limits. A legend is also displayed before each diff to clarify what is being compared. These updates enhance readability and help prevent timeout errors when generating large reports. Schedule a Device Consistency Report and Run a Device Consistency Report

• Administration Module UI for FQDN Support: In February 2025, we introduced troubleshooting APIs with FQDN support. This month, we're enhancing the experience by adding a user interface for those APIs, making them easier to access and use.

• Improved PCA Improvement: You’ll see an improvement in PCA processing time.

• Rule Ignore Improvements:

  • The Rule Documentation property added for Rule Ignore in March has been renamed to Ignore Behavior.

  • Rule Documentation descriptions now appear as hover text throughout the UI, providing quick access to context.

  • Ignored rule IDs are now included in the mkdiag output for improved diagnostics and visibility.

• Network and Device APA Improvement: While the API has supported CIDR formats in the source field, the UI for both Device APA and Network APA now also supports entering CIDR addresses.

• Rule Consolidation Performance Improvement: As part of our ongoing effort to improve behavioral feature performance, the Rule Consolidation report now leverages some of the same enhancements used in Rule Recommendation. Testing showed a 90% improvement in performance.

• Licensing Change for Traffic Manager Module (TMM) Devices: To support the transition away from separate TMM license SKUs, the system now handles license assignment as follows:

  • It will be automatically assigned to TMM devices when available.

  • If no TMM licenses are available, SMLO licenses will be assigned to TMM devices instead.

  • If a TMM device with a TMM license is removed, the system will reassign that available TMM license to the next TMM device currently using an SMLO license.

• TLS 1.3 Enabled for SIP and FMOS-CPL: We’ve enhanced the security of our applications over HTTPS by adopting TLS 1.3, the current industry standard for Transport Layer Security. While this change is not visually noticeable, it ensures our platform remains aligned with modern security best practices.

• Upgrade OpenSSH to Version 9.6: We’ve improved the security of our SSH connections by addressing a series of known vulnerabilities (CVEs). This update strengthens overall system security and ensures alignment with current best practices.