2025.x Feature Release Change Log

Below are listed any changes to topics as a result of the monthly Feature release.

Release	Change
2025.2 - Feb 26, 2025	Initial 2025 Feature release. View What's New in FireMon Support Center (sign in required)
2025.2.1 - Mar 26, 2025	New Retrieval Option for Large ASA Access-List: Customers with large ASA access lists now have a faster retrieval option. Enabling Save Access List to Disk in Advanced device settings temporarily writes the access list to the device's disk. It then securely transfers it via SCP to the data collector. Inline and Derived Objects in Decommission Workflow: This feature enhances the handling of inline objects during clone and decommission operations, ensuring accurate change plan generation, reliable automation, and support for scenarios with single-value column restrictions. Set Default Value for L7 Requirement Fields: This feature enables users to set default values for lookup fields in custom workflows within Policy Planner, resolving an issue where empty arrays previously prevented default values from triggering correctly. Rule Ignore from APA, Rule Rec, and Removable Rules Reports: This feature allows users to mark specific firewall security rules as ignored, excluding them from Behavior Model functions such as Device APA, Network APA, and Removable Rules. Since Rule Recommendation relies on APA and routes, it will automatically reflect these updates. Ignore a Rule Improved Elasticsearch Reindex Process: We introduce a batch-loading approach that tracks reindex progress, allowing it to resume from the last completed state after a restart. Option to Set Syslog TimeZone for CLI: This feature allows users to configure Syslog time zone settings via the CLI, enabling them to customize the time zone or retain UTC logging. It ensures compliance with RBI guidelines and InfoSec policies while providing greater control over log management. Remote Syslog Timezone
2025.2.2 - Apr 30, 2025	Palo Alto Cluster Discovery: Panorama will now discover high availability (HA) pairs during firewall discovery and create FireMon clusters for the firewalls in the HA Pair (note this is not the same as what Palo calls HA Clusters, which only syncs session state). Subsequent Panorama retrievals will update the active/primary cluster member appropriately. This will not override any pre-existing FireMon clusters that a user has created manually. Juniper Normalization Updates to Support Behavior: Juniper devices (SRX, LSYS, M-series, and EX) have received numerous normalization updates to more accurately model the behavior of these devices. Updates to Service Object Naming: Remove "/0-65535" Suffix. In Policy Planner, the Rule Recommendation has been updated to prevent appending "/0-65535" to service object names when creating new services for protocols with unspecified port ranges. Service Objects for protocols other than ICMP(1), ICMP(58), TCP(6), UDP(17), and STCP(132) will not have the “/0-65535” appended to them. Rule Recommendation Performance Improvements: Improved rule recommendation times per recommendation by an average of 50x. Map Performance Improvements: Interface address matching for linking devices in the network map was slowing down map generation. With this improvement, map generation for this particular use case decreased from approximately four hours to a few minutes. Rule Recommendation: Added a new management station recommendation option to prefer shared. Similar to the "fewest changes" option, when "fewest changes" and "least access” end in a tie, prefer the global policy. Global Policy affects as few policies as possible, and will always select available global policies. Functional Policy Route Handling in JunOS Behavior Models: APA and Rule Recommendation more accurately model traffic flow for all JunOS devices. Support for IP Ranges in Source and Destination Fields for Rule Recommendation Requirements and Auto-Design: Rule recommendations and Auto-Design now fully support network ranges in source and destination fields. Support file export at the device group level: The system now allows you to export the latest normalized revisions of multiple devices in a single user interaction, reducing the required end-user data capture effort. Export Support Files

Release

Change

2025.2 - Feb 26, 2025

Initial 2025 Feature release. View What's New in FireMon Support Center (sign in required)

2025.2.1 - Mar 26, 2025

New Retrieval Option for Large ASA Access-List: Customers with large ASA access lists now have a faster retrieval option. Enabling Save Access List to Disk in Advanced device settings temporarily writes the access list to the device's disk. It then securely transfers it via SCP to the data collector.

Inline and Derived Objects in Decommission Workflow: This feature enhances the handling of inline objects during clone and decommission operations, ensuring accurate change plan generation, reliable automation, and support for scenarios with single-value column restrictions.
Set Default Value for L7 Requirement Fields: This feature enables users to set default values for lookup fields in custom workflows within Policy Planner, resolving an issue where empty arrays previously prevented default values from triggering correctly.
Rule Ignore from APA, Rule Rec, and Removable Rules Reports: This feature allows users to mark specific firewall security rules as ignored, excluding them from Behavior Model functions such as Device APA, Network APA, and Removable Rules. Since Rule Recommendation relies on APA and routes, it will automatically reflect these updates. Ignore a Rule
Improved Elasticsearch Reindex Process: We introduce a batch-loading approach that tracks reindex progress, allowing it to resume from the last completed state after a restart.
Option to Set Syslog TimeZone for CLI: This feature allows users to configure Syslog time zone settings via the CLI, enabling them to customize the time zone or retain UTC logging. It ensures compliance with RBI guidelines and InfoSec policies while providing greater control over log management. Remote Syslog Timezone

2025.2.2 - Apr 30, 2025

Palo Alto Cluster Discovery: Panorama will now discover high availability (HA) pairs during firewall discovery and create FireMon clusters for the firewalls in the HA Pair (note this is not the same as what Palo calls HA Clusters, which only syncs session state). Subsequent Panorama retrievals will update the active/primary cluster member appropriately. This will not override any pre-existing FireMon clusters that a user has created manually.
Juniper Normalization Updates to Support Behavior: Juniper devices (SRX, LSYS, M-series, and EX) have received numerous normalization updates to more accurately model the behavior of these devices.
Updates to Service Object Naming: Remove "/0-65535" Suffix. In Policy Planner, the Rule Recommendation has been updated to prevent appending "/0-65535" to service object names when creating new services for protocols with unspecified port ranges. Service Objects for protocols other than ICMP(1), ICMP(58), TCP(6), UDP(17), and STCP(132) will not have the “/0-65535” appended to them.
Rule Recommendation Performance Improvements: Improved rule recommendation times per recommendation by an average of 50x.
Map Performance Improvements: Interface address matching for linking devices in the network map was slowing down map generation. With this improvement, map generation for this particular use case decreased from approximately four hours to a few minutes.
Rule Recommendation: Added a new management station recommendation option to prefer shared. Similar to the "fewest changes" option, when "fewest changes" and "least access” end in a tie, prefer the global policy. Global Policy affects as few policies as possible, and will always select available global policies.
Functional Policy Route Handling in JunOS Behavior Models: APA and Rule Recommendation more accurately model traffic flow for all JunOS devices.
Support for IP Ranges in Source and Destination Fields for Rule Recommendation Requirements and Auto-Design: Rule recommendations and Auto-Design now fully support network ranges in source and destination fields.
Support file export at the device group level: The system now allows you to export the latest normalized revisions of multiple devices in a single user interaction, reducing the required end-user data capture effort. Export Support Files