Firepower System Release Notes, Version 6.0.0.1
Available Languages
Table of Contents
Firepower System Release Notes
Supported Platforms and Compatibility
Management Platform-Managed Device Compatibility
New Features and Functionality
Features and Functionality Introduced in Previous Versions
Before You Begin: Important Update and Compatibility Notes
Configuration and Event Backup Guidelines
Traffic Flow and Inspection During the Update
Audit Logging During the Update
Time and Disk Space Requirements for Updating to Version 6.0.0.1
Firepower Version Requirements for Updating to Version 6.0.0.1
Web Browser and Screen Resolution Compatibility in Version 6.0.0.1
Integrated Product Compatibility in Version 6.0.0.1
Updating Firepower Management Centers
Updating Managed Devices and ASA FirePOWER Modules via the Firepower Management Center
Updating ASA FirePOWER modules Managed by ASDM
Uninstalling the Update from a Managed Device
Uninstalling the Update from a Cisco ASA with FirePOWER Services
Uninstalling the Update from a NGIPSv
Uninstalling the Update from a Firepower Management Center
Uninstalling the Update from a Cisco ASA with FirePOWER Services Managed by ASDM
Issues Resolved in Previous Versions:
Firepower System Release Notes
First Published: February 1, 2016
These release notes are valid for Version 6.0.0.1 of the Firepower System. Even if you are familiar with the update process, make sure you thoroughly read and understand these release notes, which describe supported platforms, changed features and functionality, management platform-managed device compatibility, and known and resolved issues. They also contain detailed information on prerequisites, warnings, and specific installation and uninstallation instructions.
Tip To access the full documentation for the Firepower System, see the documentation roadmap at http://www.cisco.com/c/en/us/td/docs/security/firesight/roadmap/firesight-roadmap.html.
Supported Platforms and Compatibility
Supported platforms, minimum originating versions, and operating systems vary by version. For more information, see:
Supported Platforms
You can run Version 6.0.0.1 on the platforms specified in the following table. For minimum Firepower System version requirements, see Firepower Version Requirements for Updating to Version 6.0.0.1.
Note: Version 6.0 of the Firepower Management Center requires more memory than the previous versions for some Firepower Management Center models (previously referred to as the FireSIGHT Management Center or the Defense Center). To be specific, MC750 requires two 4GB dual in-line memory modules (DIMM). Similarly, MC1500 with 8GB of memory also requires additional memory.
Note: For more information see the Firepower Management Center Installation Guide.
Management Platform-Managed Device Compatibility
Management capability varies by version. The following tables detail available management platforms and the devices that those platforms can manage:
New Features and Functionality
This section of the release notes summarizes the new and updated features and functionality included in Version 6.0.0.1 of the Firepower System:
Updated Terminology
The terminology used in Version 6.0.0.1 may differ from the terminology used in previous releases. For more information, see the Firepower Compatibility Guide .
Updated Documentation
To access the full documentation for the Firepower System, see the documentation roadmap at http://www.cisco.com/c/en/us/td/docs/security/firesight/roadmap/firesight-roadmap.html . In Version 6.0.0.1, the following documents were updated to reflect the addition of new features and changed functionality and to address reported documentation issues:
- Firepower Management Center Online Help
- ASA FirePOWER Module Online Help
- Firepower Management Center Configuration Guide
- Firepower NGIPSv for VMware Quick Start Guide
- Firepower Management Center Quick Start Guide for VMware
- Cisco ASA FirePOWER Services Local Management Configuration Guide
The documentation updated for Version 6.0.0.1 contains the following errors:
- The Firepower Management Center Configuration Guide does not reflect that in a multidomain deployment, when you create a DNS policy, the Descendant Whitelists for DNS rule and Descendant Blacklists for DNS rule are disabled by default. You can enable each rule by editing them. (CSCuw62140)
- The online help incorrectly states that the default intrusion policy instead of the currently deployed access control policy inspects traffic during policy deployment if you deploy your configuration changes with Inspect traffic during policy apply enabled and no specific configuration requires a snort restart.
- The Firepower Management Center Configuration Guide does not reflect that you cannot use a Firepower Management Center certificate generated using algorithms other than
sha1WithRSAEncryption or sha256WithRSAEncryptionorgenerated using a public server key with more than 2048 bits.- The Firepower Management Center Configuration Guide does not reflect that when using URL Filtering with Retry URL cache miss lookup enabled to allow URL retry, the system delays packets for URLs that have not been previously seen by the firewall while the URL category and reputation are determined so URL filtering rules can be resolved. Until the lookup of the URL category and reputation is completed, or the lookup request times out, in inline, routed, or transparent deployments the packet will be held at the firewall. If a two second time limit is reached without the category and reputation determination completing the URL category Uncategorized is used with no reputation, and rule evaluation proceeds. URL category determination can introduce up to two seconds of delay in packet delivery, depending on local network conditions. If such delay is not acceptable, URL retry should be disabled. Note that with URL retry disabled, URL filtering may not be effective until such time as URL category and reputation determination completes for each URL. Until that time, packets that would have been filtered based on the URL’s category or reputation will be filtered based on the Uncategorized category. To disable URL retry, clear the Retry URL cache miss lookup option in the General advanced settings of the access control policy ( Policies > Access Control > Access Control > edit policy > Advanced > edit General Settings ). Note that this option is enabled and URL retry is allowed by default.
Note: The online help content may differ from the Firepower Management Center Configuration Guide content. The Firepower Management Center Configuration Guide content is updated more regularly than the online help.
Features and Functionality Introduced in Previous Versions
Functionality described in previous versions may be superseded by other new functionality or updated through resolved issues.
Version 6.0.0
The following features and functionality were updated in Version 6.0.0:
- You cannot compare policies on the following pages: the NAT Policy page, the Platform Settings page, and the SSL Policy page.
- Version 6.0 does not support AMP for Firepower signature lookups with the private AMP cloud. In Version 6.0, the system automatically submits SHA-256 signatures to the public AMP cloud. If you have a private AMP cloud and are receiving events from endpoints, the Version 6.0 Firepower Management Center will continue to receive those events without any additional changes to your configuration.
- Syslog messages for connection events now populate information for the following fields: HTTP Referrer, User Agent, and Referenced Host.
- Version 6.0 does not support Discovery Event Health Monitoring.)
- You can now edit Automatic Application Bypass (AAB) settings on ASA modules running FirePOWER services.
Expanded Threat Protection
URL and DNS-based Security Intelligence
New Security Intelligence feeds based on URLs and Domain Name System (DNS) servers are provided to enhance the existing IP-based Security Intelligence capability. Currently, IP-based intelligence is used to control access to known malware, phishing, command & control, and Bot sites. New attack methods designed to defeat IP-based intelligence (e.g., fast flux) abuse DNS load balancing features in an effort to hide the actual IP address of a malicious server. While the IP addresses associated with the attack are frequently swapped in and out, the domain name will rarely change. The URL-based intelligence will supplement the IP-based intelligence in addressing this kind of attack, and the DNS-based intelligence will help identify known DNS servers that are complicit in these kinds of attacks. Access control policies can be created using these new intelligence feeds and new dashboards provide visibility and analysis. In addition, both URL-based and DNS-based Security Intelligence events will also feed in to the Indications of Compromise (IoC) correlation feature. These new feeds are provided through regular updates from the Cisco Talos Security Intelligence and Research Group and, like the IP-based Security Intelligence feature, are part of the base product and do not require a separate license.
The same way that attackers use the SSL protocol to hide their activity, attackers use the DNS protocol with the same intentions. For that reason, and as another way to address fast flux-type attacks, the Firepower system provides the ability to intercept DNS traffic requests and take appropriate action based on the policy setting. A DNS policy allows for requests to known command & control, spam, phishing, etc., sites to be blocked, to return a
Domain Not Foundmessage, or have the traffic directed to a pre-configured sinkhole. This last option routes the traffic directly through the Firepower managed device and gives information about the endpoint that could result in an IoC alert.Enhanced Network Visibility and Control
SSL Decryption for Cisco ASA with FirePOWER Services Managed Via ASDM
Cisco’s next-generation firewall (NGFW), Cisco ASA with FirePOWER Services, now has the ability to locally manage SSL communications and decrypt the traffic before performing attack, application, and malware detection against it. This is the same capability we introduced in Version 5.4 for Cisco’s Firepower next-generation IPS (NGIPS) appliances. SSL decryption can be deployed in both passive and inline modes, and supports HTTPS and StartTLS-based applications (e.g., SMTPS, POP3S, FTPS, IMAPS, TelnetS). Decryption policies can be configured to exert granular control over encrypted traffic logging and handling, such as limiting decryption based on URL categories to enforce privacy concerns. It also provides the ability to block self-signed encrypted traffic, or on SSL version, specific Cipher Suites, and/or unapproved mobile devices.
Support for OpenAppID-Defined Applications
OpenAppID is Cisco’s open source, application-focused detection language that enables users to create, share and implement new application detection signatures for custom, localized, and cloud applications, without being dependent upon a NGFW vendor’s release cycle or roadmap. In Version 6.0, the Firepower application detection engine that identifies and controls access to over 3,000 applications has been enhanced to recognize OpenAppID-defined applications. In the same way that Snort was an effort to open source the intrusion detection game, OpenAppID is a way to open source the application detection game. Support for OpenAppId-defined applications demonstrates Cisco’s commitment to the open source initiatives and the flexibility that it provides to our customers.
Captive Portal and Active Authentication
In order to provide better visibility in mapping users to IP addresses and their associated network events, the Captive Portal and Active Authentication feature can be configured to require users to enter their credentials when prompted through a browser window. The mapping also allows policies to be based on a user or group of users. This feature supplements the existing Sourcefire User Agent (SUA) integration with Active Directory to address non-Windows environments, BYOD users, and guests.
Note: Cisco ASA with FirePOWER Services running ASA version 9.5(2) do not support the Captive Portal and Active Authentication feature.
Integration with Cisco Identity Services Engine (ISE)
The integration with Cisco ISE enhances the user identity data available to the system to use in analysis and policy control. By subscribing to Cisco’s Platform Exchange Grid (PxGrid), the Firepower Management Center is able to download additional user data, device type data, device location data, and Security Group Tags (SGTs —a method used by ISE to provide network access control). Beyond the added visibility into the users on your network, this data is also actionable intelligence because it extends the control you can provide by creating policies based on SGTs, or on device type, or any of the other information provided by ISE.
Note: In Version 6.0, you cannot use ISE to automatically quarantine an infected endpoint. This functionality will be added in a later release.
Improved Threat Defense Against Advanced Persistent Threats
This feature provides the ability to identify popular/common malware directly on the Firepower appliance, and reduces the need to send files for dynamic analysis (sandboxing), either in the cloud or on-prem (see Intergration with AMP Threat Grid). Using high-fidelity ClamAV signatures, files whose SHA-256 lookup return a disposition of
Unknownwill be analyzed locally on the Firepower appliance to identify common characteristics associated with malware, reducing the need for dynamic analysis.Because certain file types support nested content that can be used to hide malware, this feature provides local analysis of files to determine the viability of malware hidden within. For example, a PDF file can contain different types of files nested inside the file. A file composition report is then run that identifies if nested data exists within the file, what file types those nested files represent, and how likely each nested file is to contain malware. Based on this information, you can choose whether or not to send the file on for dynamic analysis.
Integration with AMP Threat Grid
Cisco’s acquisition of ThreatGrid in June 2014 increased our abilities in helping our customers address advanced persistent threats, and that technology has now been fully integrated in Firepower v6.0. AMP Threat Grid now provides our sandboxing capabilities in the cloud when using our AMP for Firepower option. Files sent to the cloud for dynamic analysis are securely analyzed and correlated against hundreds of millions of other analyzed malware artifacts to provide a global view of malware attacks, campaigns, and their distribution. Detailed reports identify key behavioral indicators and determine threat scores for faster prioritization and recovery from advanced attacks.
In addition, we have greatly expanded the file types we support for automatic dynamic analysis from just executable files to include PDF and Office documents.
Expanded Management Functionality
To address the service provider market which must manage separate customer environments, as well as enterprises with acquisitions (resulting in overlapping IP addresses) or geographic business units that need to be managed separately, the Firepower Management Center now has the ability to create multiple management domains. These domains (up to 50) enable separate management environments and are administered using granular role-based access control (RBAC). Each domain provides separate event data, reporting, and network maps.
Policy Hierarchy and Inheritance
To support multiple domain management and make policy administration more efficient, Version 6.0 provides the ability to create a hierarchy of policies. Global policies (e.g., access control) can be established that will apply to all management environments. A policy hierarchy can then be constructed underneath the global policy level to represent different environments, different companies, different business units, or different parts of the organization. Each of these policy environments will inherit the policies of the hierarchy above it, allowing for more consistent and efficient policy management.
Expanded ASDM Management Availability
Cisco’s Adaptive Security Device Manager (ASDM) is the local management feature for Cisco ASA with FirePOWER Services. It was introduced as part of the Cisco ASA 5506-X, ASA 5508-X, and ASA 5516-X appliances. With Firepower v6.0, ASDM is now available on the remaining Cisco ASA with FirePOWER Services appliances (ASA 5512-X / ASA 5515-X / ASA 5525-X / ASA 5545-X / ASA 5555-X / ASA 5585-X).
Before You Begin: Important Update and Compatibility Notes
Before you begin the update process for Version 6.0.0.1, you should familiarize yourself with the behavior of the system during the update process, as well as with any compatibility issues or required pre- or post-update configuration changes.
Caution: Cisco strongly recommends you perform the update in a maintenance window or at a time when the interruption will have the least impact on your deployment.For more information, see the following sections:
- Configuration and Event Backup Guidelines
- Traffic Flow and Inspection During the Update
- Audit Logging During the Update
- Time and Disk Space Requirements for Updating to Version 6.0.0.1
- Web Browser and Screen Resolution Compatibility in Version 6.0.0.1
- Integrated Product Compatibility in Version 6.0.0.1
Configuration and Event Backup Guidelines
Before you begin the update, Cisco strongly recommends that you delete or move any backup files that reside on your appliance, then back up current event and configuration data to an external location.
Before you begin the update, Cisco strongly recommends that you back up current event and configuration data to an external location. This data is not backed up as part of the update process.
Use the Firepower Management Center to back up event and configuration data for itself and the devices it manages. For more information on the backup and restore feature, see the Firepower Management Center Configuration Guide .
Note: The Firepower Management Center purges locally stored backups from previous updates. To retain archived backups, store the backups externally.
Traffic Flow and Inspection During the Update
When you update your sensing devices, traffic either drops throughout the update or traverses the network without inspection depending on how your devices are configured and deployed: routed or transparent, inline vs passive, bypass mode settings, and so on. We strongly recommend performing the update in a maintenance window or at a time when the interruptions will have the least impact on your deployment.
Note: When you update 8000 Series clusters or stack pairs, the system performs the update one device at a time to avoid traffic interruption.
This section discusses traffic behavior during the following update stages:
Traffic Behavior During the Update
The following table describes how updates, including related device reboots, affect traffic flow for different deployments. Note that appliances do not perform switching, routing, NAT, and VPN during the update process, regardless of how you configure any inline sets.
Traffic Behavior During Configuration Deployment
During the upgrade process, you deploy configurations either twice (standalone devices) or three times (devices managed by the Firepower Management Center). When you deploy, resource demands may result in a small number of packets dropping without inspection. In most cases, the deployment immediately after the upgrade restarts the Snort process. During subsequent deployments, the Snort process restarts only if, before deploying, you modify specific policy or device configurations that always restart the process when deployed.
The following table describes how different devices handle traffic during Snort process restarts.
Audit Logging During the Update
When updating appliances that have a web interface, after the system completes its pre-update tasks and the streamlined update interface page appears, login attempts to the appliance are not reflected in the audit log until the update process is complete and the appliance reboots.
Time and Disk Space Requirements for Updating to Version 6.0.0.1
The table below provides disk space and time guidelines for the Version 6.0.0.1 update. Note that when you use the Firepower Management Center to update a managed device, the Firepower Management Center requires additional disk space on its
/Volumepartition.Caution: Do not restart the update or reboot your appliance at any time during the update process. Cisco provides time estimates as a guide, but actual update times vary depending on the appliance model, deployment, and configuration. Note that the system may appear inactive during the pre-checks portion of the update and after rebooting; this is expected behavior.The reboot portion of the update includes a database check. If errors are found during the database check, the update requires additional time to complete. System daemons that interact with the database do not run during the database check and repair.
Note: The closer your appliance’s current version to the release version (Version 6.0.0.1), the less time the update takes.
If you encounter issues with the progress of your update, contact Support.
Firepower Version Requirements for Updating to Version 6.0.0.1
Appliances must be running the minimum versions specified in the following table in order to update to Version 6.0.0.1 of the Firepower System. For minimum operating system requirements and information about management platform-managed device compatibility, see Supported Platforms and Compatibility.
Note: A Firepower Management Center must be running at least Version 6.0.0.1 if you want to use it to update its managed devices to Version 6.0.0.1.
Web Browser and Screen Resolution Compatibility in Version 6.0.0.1
Note the following to optimize your experience using the web interface.
Version 6.0.0.1 of the web interface for the Firepower System has been tested on the browsers listed in the following table.
Note: The Chrome browser does not cache static content, such as images, CSS, or Javascript, with the system-provided self-signed certificate. This may cause the system to redownload static content when you refresh. To avoid this, add a self-signed certificate to the trust store of the browser/OS or use another web browser.
Note: If you use the Microsoft Internet Explorer 11 browser, you must disable the Include local directory path when uploading files to server option in your Internet Explorer settings via Tools > Internet Options > Security > Custom level.
JavaScript, cookies, Secure Sockets Layer (SSL) v3, 128-bit encryption, Active scripting security setting, Compatibility View, set Check for newer versions of stored pages to Automatically
Note: Many browsers use Transport Layer Security (TLS) v1.3 by default. If you have an active SSL policy and your browser uses TLSv1.3, websites that support TLSv1.3 fail to load As a workaround, configure your managed device to remove extension 43 (TLS 1.3) from ClientHello negotiation. See this software advisory for more information.
Screen Resolution Compatibility
Cisco recommends selecting a screen resolution that is at least 1280 pixels wide. The user interface is compatible with lower resolutions, but a higher resolution optimizes the display.
Integrated Product Compatibility in Version 6.0.0.1
The required versions for the following integrated products vary by Firepower System version:
For more information, see the Firepower System Compatibility Guide .
Installing the Update
Before you begin the update, you must thoroughly read and understand these release notes, especially Supported Platforms and Compatibility and Before You Begin: Important Update and Compatibility Notes.
Note: Updates can require large data transfers from the Firepower Management Center to managed devices. Before you begin, make sure your management network has sufficient bandwidth to successfully perform the transfer. See the Troubleshooting Tech Note at https://www.cisco.com/c/en/us/support/docs/security/ firepower-management-center/212043-Guidelines-for-Downloading-Data-from-the.html.
For minimum Firepower System version requirements, see Firepower Version Requirements for Updating to Version 6.0.0.1. To update your appliances, see the guidelines and procedures outlined below:
- Updating Firepower Management Centers
- Updating Managed Devices and ASA FirePOWER Modules via the Firepower Management Center
- Updating ASA FirePOWER modules Managed by ASDM
Caution: Do not reboot or shut down your appliances during the update until you see the login prompt. The system may appear inactive during the pre-checks portion of the update; this is expected behavior and does not require you to reboot or shut down your appliances.Note: Version 6.0 of the Firepower Management Center requires more memory than the previous versions for some Firepower Management Center models (previously referred to as the FireSIGHT Management Center or the Defense Center). To be specific, MC750 requires two 4GB dual in-line memory modules (DIMM). Similarly, MC1500 with 8GB of memory also requires additional memory.
Note: For more information see the Firepower Management Center Installation Guide.
Because the update process may affect traffic inspection, traffic flow, and link state, Cisco strongly recommends you perform the update in a maintenance window or at a time when the interruption will have the least impact on your deployment.
Use the Firepower Management Center’s web interface to perform the update. Update the Firepower Management Center first, then use it to update the devices it manages.
For installing the update on a ASA FirePOWER module managed by ASDM, use the ASA FirePOWER module’s web interface, via ASDM, to perform the update.
Update your Firepower Management Centers before updating the devices they manage.
Installing the Update on Paired Firepower Management Centers
Firepower Management Center high availability is not supported in Version 6.0.x. In order to update Firepower Management Centers in a high availability environment, you must break the pair and update each Firepower Management Center individually. In order to update to Version 6.0.x, you must break the high availability pair.
Installing the Update on Clustered Devices
When you install an update on clustered devices (in Version 6.0.0.1, 7000 Series or 8000 Series devices or device stacks in a high-availability pair), the system performs the update on the devices one at a time. When the update starts, the system applies the update one device at a time.
Installing the Update on Clustered Series 3 Devices in Inline Deployment
When you install an update on clustered 7000 Series or 8000 Series devices the system performs the update on the devices one at a time. When the update starts, the system first applies it to the primary device, which goes into maintenance mode until any necessary processes restart and the device is processing traffic again. Then the system updates the secondary device.
Installing the Update on Stacked Devices
When you install an update on stacked devices, the system performs the updates simultaneously. Each device resumes normal operation when the update completes. Note that:
- If the primary device completes the update beforle all of the secondary devices, the stack operates in a limited, mixed-version state until all devices have completed the update.
- If the primary device completes the update after all of the secondary devices, the stack resumes normal operation when the update completes on the primary device.
Installing the Update on ASA FirePOWER modules managed by ASDM
Use the ASA FirePOWER module’s web interface, via ASDM, to perform the update.
After you perform the update on either the Firepower Management Center or managed devices, you must redeploy your configurations. Deployment may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the Firepower Management Center Configuration Guide .
Caution: After updating the system to Version 6.0.0.1, you must download and installSourcefire_hotfix_6.0.0-k-build_3.tarfrom the Support site. If you do not installSourcefire_hotfix_6.0.0-k-build_3.tarafter updating to Version 6.0.0.1, the Firepower Management Center fails to update access control rules referencing intrusion policies containing shared objects rules with the generator ID (GID) of 3 even though the Message center displays the deploy successful.There are several additional post-update steps you should take to ensure that your appliances are performing properly. These include:
- verifying that the update succeeded
- making sure that all appliances in your deployment are communicating successfully
- updating to the latest patch for Version 6.0.0.1, if available, to take advantage of the latest enhancements and security fixes
- optionally, updating your intrusion rules and vulnerability database (VDB) and redeploying your configurations
- making any required configuration changes based on the information in New Features and Functionality
The next sections include detailed instructions not only on performing the update, but also on completing any post-update steps. Make sure you complete all of the listed tasks.
Updating Firepower Management Centers
Use the procedure in this section to update your Firepower Management Centers, including Firepower Management Centers Virtual. For the Version 6.0.0.1 update, Firepower Management Centers reboot.
Caution: Before you update the Firepower Management Center, redeploy your configurations to any managed devices. Otherwise, the managed device update may fail.Caution: Do not reboot or shut down your appliances during the update until after you see the login prompt. The system may appear inactive during the pre-checks portion of the update; this is expected behavior and does not require you to reboot or shut down your appliances.Note: Updating a Firepower Management Center to Version 6.0.0.1 removes existing uninstallers from the appliance.
To update a Firepower Management Center:
Step 1 Read these release notes and complete any required pre-update tasks.
Note: Firepower Management Center high availability is not supported in Version 6.0.0.1. You need to break your Firepower Management Center high availability pairs and may need to install additional memory on your MC750 or Firepower Management Center Virtual appliances prior to update. If your Firepower Management Center uses a custom HTTPS certificate that uses a
RSASSA-PSSsignature algorithm or was generated using a public key with more than 2048 bits, you may also need to generate and upload a new certificate or you will not be able to access the user interface on the Firepower Management Center after upgrade. For more information, see Before You Begin: Important Update and Compatibility Notes.Step 2 Download the update from the Support site:
Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
Step 3 Upload the update to the Firepower Management Center by selecting System > Updates , then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload .
The update is uploaded to the Firepower Management Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated.
Step 4 Make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 5 Monitor the update's progress in the Firepower Management Center’s task queue by clicking the System Status icon, then clicking the Tasks tab.
You must wait until any long-running tasks are complete before you begin the update. After the system update completes, to reduce clutter, remove the messages for these tasks from the Message Center.
Step 6 Select System > Updates.
The Product Updates tab appears.
Step 7 Click the install icon next to the update you uploaded.
The Install Update page appears.
Step 8 Select the Firepower Management Center and click Install . Confirm that you want to install the update and reboot the Firepower Management Center.
The update process begins. You can monitor the update's progress in the Firepower Management Center’s task queue by clicking the System Status icon, then clicking the Tasks tab. However, after the Firepower Management Center completes its necessary pre-update checks, you are logged out. When you log back in, the Upgrade Status page appears. The Upgrade Status page displays a progress bar and provides details about the script currently running.
If the update fails for any reason, the page displays an error message indicating the time and date of the failure, which script was running when the update failed, and instructions on how to contact Support. Do not restart the update.
Caution: If you encounter any other issue with the update (for example, if a manual refresh of the Update Status page shows no progress for several minutes), do not restart the update. Instead, contact Support.When the update completes, the Firepower Management Center displays a success message and reboots.
The update process begins. You can monitor the update's progress in the Firepower Management Center's task queue by clicking the System Status icon, the clicking the Task tab.
Caution: Do not use the web interface to perform any other tasks until the update completes and the Firepower Management Center reboots. Before the update completes, the web interface may become unavailable and the Firepower Management Center may log you out. This is expected behavior; log in again to view the task queue. If the update is still running, do not use the web interface until the update completes. If you encounter issues with the update (for example, if the task queue indicates that the update has failed or if a manual refresh of the task queue shows no progress for several minutes), do not restart the update. Instead, contact Support.Step 9 After the update finishes, clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.
Step 10 Log into the Firepower Management Center.
Step 11 Review and accept the End User License Agreement (EULA). Note that you are logged out of the appliance if you do not accept the EULA.
Step 12 Select Help > About and confirm that the software version is listed correctly: Version 6.0.0.1. Also note the versions of the intrusion rule update and VDB on the Firepower Management Center; you will need this information later.
Step 13 Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 14 If the rule update available on the Support site is newer than the rules on your Firepower Management Center, import the newer rules. Do not auto-apply the imported rules at this time.
For information on rule updates, see the Firepower Management Center Configuration Guide .
Step 15 If the VDB available on the Support site is newer than the VDB on your Firepower Management Center, install the latest VDB.
Installing a VDB update causes a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the Firepower Management Center Configuration Guide .
Step 16 Redeploy your configurations to all managed devices.
Deployment may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the Firepower Management Center Configuration Guide .
Step 17 If a patch for Version 6.0.0.1 is available on the Support site, apply the latest patch as described for that version.
You must update to the latest patch to take advantage of the latest enhancements and security fixes.
Caution: After updating the system to Version 6.0.0.1, you must download and installSourcefire_hotfix_6.0.0-k-build_3.tarfrom the Support site. If you do not installSourcefire_hotfix_6.0.0-k-build_3.tarafter updating to Version 6.0.0.1, the Firepower Management Center fails to update access control rules referencing intrusion policies containing shared objects rules with the generator ID (GID) of 3 even though the Message center displays the deploy successful.Caution: When using URL Filtering with Retry URL cache miss lookup enabled to allow URL retry, the system delays packets for URLs that have not been previously seen by the firewall while the URL category and reputation are determined so URL filtering rules can be resolved. Until the lookup of the URL category and reputation is completed, or the lookup request times out, in inline, routed, or transparent deployments the packet will be held at the firewall. If a two second time limit is reached without the category and reputation determination completing the URL category Uncategorized is used with no reputation, and rule evaluation proceeds. URL category determination can introduce up to two seconds of delay in packet delivery, depending on local network conditions. If such delay is not acceptable, URL retry should be disabled. Note that with URL retry disabled, URL filtering may not be effective until such time as URL category and reputation determination completes for each URL. Until that time, packets that would have been filtered based on the URL’s category or reputation will be filtered based on the Uncategorized category. To disable URL retry, clear the Retry URL cache miss lookup option in the General advanced settings of the access control policy (Policies > Access Control > Access Control > edit policy > Advanced > edit General Settings). Note that this option is enabled and URL retry is allowed by default.
Updating Managed Devices and ASA FirePOWER Modules via the Firepower Management Center
After you update your Firepower Management Centers to Version 6.0.0.1, use them to update the devices they manage.
You must use a Firepower Management Center running Version 6.0 to update any managed device that does not have its own web interface. For ASA FirePOWER modules running on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, or ASA 5516-X, you can update the module using the Firepower Management Center or connect to the ASA device and update the ASA FirePOWER module using local management via ASDM. For more information, see Updating Managed Devices and ASA FirePOWER Modules via the Firepower Management Center or Updating ASA FirePOWER modules Managed by ASDM respectively.
Updating managed devices is a two-step process. First, download the update from the Support site and upload it to the managing Firepower Management Center. Next, install the software. You can update multiple devices at once, but only if they use the same update file.
For the Version 6.0.0.1 update, all devices reboot. 7000 Series and 8000 Series devices do not perform traffic inspection, switching, routing, NAT, VPN, or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow and link state. For more information, see Traffic Flow and Inspection During the Update.
Caution: Before you update a managed device, use its managing Firepower Management Center to redeploy your configuration to the managed device. Otherwise, the managed device update may fail.Caution: Do not reboot or shut down your appliances during the update until after you see the login prompt. The system may appear inactive during the pre-checks portion of the update; this is expected behavior and does not require you to reboot or shut down your appliances.To update managed devices and ASA FirePOWER modules:
Step 1 Read these release notes and complete any required pre-update tasks.
For more information, see Before You Begin: Important Update and Compatibility Notes.
Step 2 Update the software on the devices’ managing Firepower Management Center; see Updating Firepower Management Centers.
Step 3 Download the update from the Support site:
Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
Step 4 Upload the update to the Firepower Management Center by selecting System > Updates , then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload .
The update is uploaded to the Firepower Management Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated.
Step 5 Make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 6 Click the install icon next to the update you are installing.
The Install Update page appears.
Step 7 Select the devices where you want to install the update.
If you are updating a stacked pair, selecting one member of the pair automatically selects the other. You must update members of a stacked pair together.
Step 8 Click Install . Confirm that you want to install the update and reboot the devices.
Step 9 The update process begins. You can monitor the update's progress in the Firepower Management Center’s task queue by clicking the System Status icon, then clicking the Tasks tab.
Note that managed devices may reboot twice during the update; this is expected behavior.
Caution: If you encounter issues with the update (for example, if the Message Center indicates that the update has failed, or shows no progress on the update task for several minutes), do not restart the update. Instead, contact Support.Step 10 Select Devices > Device Management and confirm that the devices you updated have the correct software version: Version 6.0.0.1.
Step 11 Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 12 Redeploy your configurations to all managed devices.
Deployment may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the Firepower Management Center User Guide .
Step 13 If a patch for Version 6.0.0.1 is available on the Support site, apply the latest patch as described in the for that version.
Caution: After updating the system to Version 6.0.0.1, you must download and installSourcefire_hotfix_6.0.0-k-build_3.tarfrom the Support site. If you do not installSourcefire_hotfix_6.0.0-k-build_3.tarafter updating to Version 6.0.0.1, the Firepower Management Center fails to update access control rules referencing intrusion policies containing shared objects rules or rules with the generator ID (GID) of 3 even though the Message center displays the deploy successful.Caution: When using URL Filtering with Retry URL cache miss lookup enabled to allow URL retry, the system delays packets for URLs that have not been previously seen by the firewall while the URL category and reputation are determined so URL filtering rules can be resolved. Until the lookup of the URL category and reputation is completed, or the lookup request times out, in inline, routed, or transparent deployments the packet will be held at the firewall. If a two second time limit is reached without the category and reputation determination completing the URL category Uncategorized is used with no reputation, and rule evaluation proceeds. URL category determination can introduce up to two seconds of delay in packet delivery, depending on local network conditions. If such delay is not acceptable, URL retry should be disabled. Note that with URL retry disabled, URL filtering may not be effective until such time as URL category and reputation determination completes for each URL. Until that time, packets that would have been filtered based on the URL’s category or reputation will be filtered based on the Uncategorized category. To disable URL retry, clear the Retry URL cache miss lookup option in the General advanced settings of the access control policy (Policies > Access Control > Access Control > edit policy > Advanced > edit General Settings). Note that this option is enabled and URL retry is allowed by default.Updating ASA FirePOWER modules Managed by ASDM
Step 1 Update the ASA FirePOWER software on the devices running ASA FirePOWER FireSIGHT module to ASA FirePOWER version 9.5(1.5) and ASDM 7.5.1. For more information, see the Release Notes for the Cisco ASA Series , 9.5(x) and the Release Notes for Cisco ASDM , 7.5(x) .
Step 2 Download the update from the Beta site:
Step 3 Note : Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
Step 4 Select Configuration > ASA FirePOWER Configuration > Updates .
Step 6 Click Choose File to navigate to and select the update.
Step 8 Select Monitoring > ASA FirePOWER Monitoring > Task Status to view the task tab and make sure that there are no jobs in process.
You must wait until any long-running tasks are complete before you begin the update. After the system update completes, to reduce clutter, remove the messages for these tasks from the Message Center.
Step 9 Select Configuration > ASA FirePOWER Configuration > Updates .
Step 10 Click the install icon next to the update you uploaded.
The update process begins. How you monitor the update depends on whether the update is a major or minor update. For major updates, you can begin monitoring the update’s progress in the task queue. However, after the ASA FirePOWER module completes its necessary pre-update checks, you are locked out of the module interface.
Step 11 After the update finishes, reconnect ASDM to the ASA device.
Step 12 Access the ASA FirePOWER module interface and refresh the page. Otherwise, the interface may exhibit unexpected behavior. If you are the first user to access the interface after a major update, the End User License Agreement (EULA) may appear. You must review and accept the EULA to continue.
Step 13 If the intrusion rule update available on the Support site is newer than the rules on your ASA FirePOWER module, import the newer rules. Do not auto-apply the imported rules when working with .
For more information, see the Cisco ASA with FirePOWER Services Local Management Configuration Guide ,
Step 14 If the VDB available on the Support Site is newer than the most recently installed VDB, install the latest VDB.
Installing a VDB update causes a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the Cisco ASA with FirePOWER Services Local Management Configuration Guide , .
Deploying an access control policy may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the Cisco ASA with FirePOWER Services Local Management Configuration Guide .
Caution: After updating the system to Version 6.0.0.1, you must download and installSourcefire_hotfix_6.0.0-k-build_3.tarfrom the Support site. If you do not installSourcefire_hotfix_6.0.0-k-build_3.tarafter updating to Version 6.0.0.1, the Firepower Management Center fails to update access control rules referencing intrusion policies containing shared objects rules with the generator ID (GID) of 3 even though the Message center displays the deploy successful.Caution: When using URL Filtering with Retry URL cache miss lookup enabled to allow URL retry, the system delays packets for URLs that have not been previously seen by the firewall while the URL category and reputation are determined so URL filtering rules can be resolved. Until the lookup of the URL category and reputation is completed, or the lookup request times out, in inline, routed, or transparent deployments the packet will be held at the firewall. If a two second time limit is reached without the category and reputation determination completing the URL category Uncategorized is used with no reputation, and rule evaluation proceeds. URL category determination can introduce up to two seconds of delay in packet delivery, depending on local network conditions. If such delay is not acceptable, URL retry should be disabled. Note that with URL retry disabled, URL filtering may not be effective until such time as URL category and reputation determination completes for each URL. Until that time, packets that would have been filtered based on the URL’s category or reputation will be filtered based on the Uncategorized category. To disable URL retry, clear the Retry URL cache miss lookup option in the General advanced settings of the access control policy (Policies > Access Control > Access Control > edit policy > Advanced > edit General Settings). Note that this option is enabled and URL retry is allowed by default.Uninstalling the Update
We will need a section for uninstalling the update from the MDC when that comes back. Enhancement: add section for uninstalling from DCs via the shell
The following sections help you uninstall the Version 6.0.0.1 update from your appliances:
- Planning the Uninstallation
- Uninstalling the Update from a Managed Device
- Uninstalling the Update from a NGIPSv
- Uninstalling the Update from a Firepower Management Center
- Uninstalling the Update from a Cisco ASA with FirePOWER Services Managed by ASDM
Planning the Uninstallation
Before you uninstall the update, you must thoroughly read and understand the following sections.
You must uninstall updates locally. You cannot use a Firepower Management Center to uninstall the update from a managed device.
For all physical appliances and virtual Firepower Management Centers, uninstall the update using the local web interface. Because virtual managed devices do not have a web interface, you must use the bash shell to uninstall the update.
Uninstall the update in the reverse order that you installed it. That is, first uninstall the update from managed devices, then from Firepower Management Centers.
Uninstalling the Update from Clustered or Paired Appliances
Clustered devices must run the same version of the Firepower System. Although the uninstallation process triggers an automatic failover, appliances in mismatched pairs or clusters do not share configuration information, nor do they install or uninstall updates as part of their synchronization. If you need to uninstall an update from redundant appliances, plan to perform the uninstallations in immediate succession.
To ensure continuity of operations, uninstall the update from clustered devices and paired Firepower Management Centers one at a time. First, uninstall the update from the secondary appliance. Wait until the uninstallation process completes, then immediately uninstall the update from the primary appliance.
Caution: If the uninstallation process on a clustered device or paired Firepower Management Center fails, do not restart the uninstall or change configurations on its peer. Instead, contact Support.Uninstalling the Update from Devices Deployed Inline
Managed devices do not perform traffic inspection, switching, routing, or related functions while the update is being uninstalled. Depending on how your devices are configured and deployed, the uninstallation process may also affect traffic flow and link state. For more information, see Traffic Flow and Inspection During the Update.
Uninstalling the Update and Online Help
Uninstalling the Version 6.0.0.1 update does not revert the online help to its previous version. If the version of your online help does not match that of your Firepower System software, your online help may contain documentation for unavailable features and may have problems with context sensitivity and link functionality.
After you uninstall the update, there are several steps you should take to ensure that your deployment is performing properly. These include verifying that the uninstall succeeded and that all appliances in your deployment are communicating successfully.
The next sections include detailed instructions not only on performing the update, but also on completing any post-update steps. Make sure you complete all of the listed tasks.
Uninstalling the Update from a Managed Device
The following procedure explains how to use the local web interface to uninstall the Version 6.0.0.1 update from managed devices. You cannot use a Firepower Management Center to uninstall the update from a managed device.
Uninstalling the Version 6.0.0.1 update results in a device running Version 6.0.0. For information on uninstalling a previous version, refer to the release notes for that version.
Uninstalling the Version 6.0.0.1 update reboots the device. Managed devices do not perform traffic inspection, switching, routing, or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow and link state. For more information, see Traffic Flow and Inspection During the Update.
To uninstall the update from a managed device:
Step 1 Read and understand Planning the Uninstallation.
Step 2 On the managing Firepower Management Center, make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 3 Monitor the update's progress in the Firepower Management Center’s task queue by clicking the System Status icon, then clicking the Tasks tab.
You must wait until any long-running tasks are complete before you begin the update. After the system update completes, to reduce clutter, remove the messages for these tasks from the Message Center.
Step 4 Select System > Updates .
The Product Updates tab appears.
Step 5 Click the install icon next to the uninstaller that matches the update you want to remove, then confirm that you want to uninstall the update and reboot the device.
The uninstallation process begins. You can monitor the uninstallation progress by clicking the System Status icon, then clicking the Tasks tab.
Caution: Do not use the web interface to perform any other tasks until the uninstallation has completed and the device reboots. Before the uninstallation completes, the web interface may become unavailable and the device may log you out. This is expected behavior; log in again to view the task queue. If the uninstallation is still running, do not use the web interface until the uninstallation has completed. If you encounter issues with the uninstallation (for example, if the task queue indicates that the update has failed or the task tab shows no progress for several minutes), do not restart the uninstallation. Instead, contact Support.Step 6 After the uninstallation finishes, clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.
Step 8 Select Help > About and confirm that the software version is listed correctly: Version 6.0.0.
Step 9 On the managing Firepower Management Center, verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Uninstalling the Update from a Cisco ASA with FirePOWER Services
The following procedure explains how to uninstall the Version 6.0.0.1 update from virtual managed devices. You cannot use a Firepower Management Center to uninstall the update from a managed device.
Uninstalling the Version 6.0.0.1 update results in a device running Version 6.0.0. For information on uninstalling a previous version, refer to the for that version.
Uninstalling the Version 6.0.0.1 update reboots the device. Virtual managed devices do not perform traffic inspection or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. For more information, see Traffic Flow and Inspection During the Update.
To uninstall the update from a Cisco ASA with FirePOWER Services:
Step 1 Read and understand Planning the Uninstallation.
Step 2 Log into the device as
admin, via SSH or through the virtual console.Step 3 At the CLI prompt, type
session sfr console.Step 4 At the CLI prompt, type
expertto access the bash shell.Step 5 At the bash shell prompt, type
sudo su -.Step 6 Type the admin password to continue the process with root privileges.
Step 7 At the prompt, enter the following on a single line:
The uninstallation process begins.
Caution: If you encounter issues with the uninstallation, do not restart the uninstallation. Instead, contact Support.Step 8 After the uninstallation finishes, log into the managing Firepower Management Center and select Help > About . Confirm that the device where you uninstalled the update has the correct software version: Version 6.0.0.
Step 9 Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Uninstalling the Update from a NGIPSv
The following procedure explains how to uninstall the Version 6.0.0.1 update from an NGIPSv device. You cannot use a Firepower Management Center to uninstall the update from a managed device.
Uninstalling the Version 6.0.0.1 update results in a device running Version 6.0.0. For information on uninstalling a previous version, refer to the for that version.
Uninstalling the Version 6.0.0.1 update reboots the device. NGIPSv devices do not perform traffic inspection or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. For more information, see Traffic Flow and Inspection During the Update.
To uninstall the update from a NGIPSv device:
Step 1 Read and understand Planning the Uninstallation.
Step 2 Log into the device as
admin, via SSH or through the virtual console.Step 3 At the CLI prompt, type
expertto access the bash shell.Step 4 At the bash shell prompt, type
sudo su -.Step 5 Type the admin password to continue the process with root privileges.
Step 6 At the prompt, enter the following on a single line:
install_update.pl --detach /var/sf/updates/Sourcefire_3D_Device_Virtual64_VMware_Patch_Uninstaller-6.0.0.1-26.shThe uninstallation process begins.
Caution: If you encounter issues with the uninstallation, do not restart the uninstallation. Instead, contact Support.Step 7 After the uninstallation finishes, log into the managing Firepower Management Center and select Devices > Device Management . Confirm that the device where you uninstalled the update has the correct software version: Version 6.0.0.
Step 8 Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Uninstalling the Update from a Firepower Management Center
Use the following procedure to uninstall the Version 6.0.0.1 update from Firepower Management Centers and Firepower Management Centers virtual. Note that the uninstallation process reboots the Firepower Management Center.
Uninstalling lthe Version 6.0.0.1 update results in a Firepower Management Center running Version 6.0.0. For information on uninstalling a previous version, refer to the For more information, see the Traffic Flow and Inspection During the Update.
To uninstall the update from a Firepower Management Center:
Step 1 Read and understand Planning the Uninstallation.
Step 2 Make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 3 Monitor the update's progress in the Firepower Management Center’s task queue by clicking the System Status icon, then clicking the Tasks tab.
Tasks that are running when the uninstallation begins are stopped, become failed tasks, and cannot be resumed; the task tab automatically refreshes every 10 seconds. You must wait until any long-running tasks are complete before you begin the uninstallation.
Step 4 Select System > Updates .
The Product Updates tab appears.
Step 5 Click the install icon next to the uninstaller that matches the update you want to remove.
The Install Update page appears.
Step 6 Select the Firepower Management Center and click Install , then confirm that you want to uninstall the update and reboot the device.
The uninstallation process begins. Monitor the update's progress in the Firepower Management Center’s task queue by clicking the System Status icon, then clicking the Tasks tab.
Caution: Do not use the web interface to perform any other tasks until the uninstallation has completed and the Firepower Management Center reboots. Before the uninstallation completes, the web interface may become unavailable and the Firepower Management Center may log you out. This is expected behavior; log in again to view the task queue. If the uninstallation is still running, do not use the web interface until the uninstallation has completed. If you encounter issues with the uninstallation (for example, if the task queue indicates that the update has failed or if a manual refresh of the task queue shows no progress for several minutes), do not restart the uninstallation. Instead, contact Support.Step 7 After the uninstallation finishes, clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.
Step 8 Log in to the Firepower Management Center.
Step 9 Select Help > About and confirm that the software version is listed correctly: Version 6.0.0.
Step 10 Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Uninstalling the Update from a Cisco ASA with FirePOWER Services Managed by ASDM
You can use ASDM to uninstall a patch from a locally managed Cisco ASA with FirePOWER Services. Note that devices do not perform traffic inspection or related functions while the update is being uninstalled. Depending on how your devices are configured and deployed, the uninstallation process may also affect traffic flow and link state. For more information, see Traffic Flow and Inspection During the Update.
Step 1 Read and understand Planning the Uninstallation.
Step 2 Log into the device as
admin, via SSH or through the virtual console.Step 3 At the CLI prompt, type
expertto access the bash shell.Step 4 At the bash shell prompt, type
sudo su -.Step 5 Type the admin password to continue the process with root privileges.
Step 6 At the prompt, enter the following on a single line:
The uninstallation process begins.
Step 7 After the uninstall finishes, reconnect ASDM to the ASA device.
Step 8 Select Configuration > ASA FirePOWER Configuration > System Information and confirm that the software version is listed correctly: Version 6.0.0.
For more information, see the Cisco ASA with FirePOWER Services Local Management Configuration Guide , Version 6.0.
Resolved Issues
You can view defects resolved in this release using the Cisco Bug Search Tool ( https://tools.cisco.com/bugsearch/ ). A Cisco account is required.
The following issues are resolved in Version 6.0.0.1:
- Resolved an issue where editing a file list in a domain did not cause the relevant file policy to be marked out-of-date. (CSCuw52764)
- Resolved an issue where 802.1ad traffic transiting Firepower 7000 Series and 8000 Series devices might have the outer ethertype modified, potentially resulting in unexpected behavior from adjacent devices. (CSCuw57916)
- Resolved an issue where deploying an access control policy containing custom URLs on a system running Version 6.0 caused high CPU usage and system issues. (CSCux35554)
- Resolved an issue where, if you upgraded or baselined your system to Version 6.0, the system incorrectly archived event logs generated by FireAMP cloud connection. (CSCux38795)
- In some cases, if you edit an intrusion policy from the Intrusion policy page ( Policies > Intrusion > Intrusion Policy ) and select the filter search bar's help icon (
?), the system generates anError 404: page not founderror instead of displaying the online help. (CSCux77012)Issues Resolved in Previous Versions:
Issues resolved in Version 6.0.0
- Security Issue Addressed a cross-site request forgery (CSRF) vulnerability.
- Security Issue Addressed a vulnerability that allowed an authenticated user can access system files using path traversal.
- Security Issue Addressed multiple cross-site scripting (XSS) vulnerabilities, including those described in CVE-2015-0737, CVE-2015-4270, and CVE-2015-6353.
- Security Issue Addressed multiple cross-site scripting (XSS) and arbitrary HTML injection vulnerabilities including those described in CVE-2015-0707.
- Security Issue Addressed multiple vulnerability issues in MYSQL, DNS, NTP, and OpenSSL as described in CVE-2010-3614, CVE-2014-3569, CVE-2014-3570, CVE-2014-3572, CVE-2014-6568, CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, CVE-2014-9297, CVE-2014-9298, CVE-2015-0205, CVE-2015-0287, CVE-2015-0292, CVE-2015-0374, CVE-2015-0381, CVE-2015-0382, CVE-2015-0385, CVE-2015-0391, CVE-2015-0409, CVE-2015-0411, CVE-2015-0432, CVE-2015-0498, CVE-2015-0505, CVE-2015-0506, CVE-2015-0507, CVE-2015-0511, CVE-2015-1798, CVE-2015-1799, CVE-2015-1499, CVE-2015-2566, CVE-2015-2567, CVE-2015-3405, CVE-2015-3676.
- Security Issue Addressed multiple vulnerability issues that generated denial of service in MYSQL, Linux, GNU C Library, NTP, XML, OpenSSL, and other third parties as described in CVE-2009-0696, CVE-2011-1155, CVE-2012-0876, CVE-2012-2807, CVE-2012-287, CVE-2012-3509, CVE-2012-3400, CVE-2012-3480, CVE-2012-5134, CVE-2013-0242, CVE-2013-1914, CVE-2013-4332, CVE-2013-4458, CVE-2014-3512, CVE-2014-3571, CVE-2014-3660, CVE-2014-6040, CVE-2014-8502, CVE-2015-0206, CVE-2015-0286, CVE-2015-0288, CVE-2015-0293, CVE-2015-1473, CVE-2015-1781, CVE-2015-1819.
- Security Issue Addressed multiple arbitrary script injection vulnerabilities allowing unauthenticated, remote attackers to exploit or overwrite functionality as described in CVE-2008-3075, CVE-2008-4101, CVE-2010-2252, CVE-2010-4494, CVE-2010-4651, CVE-2011-2716, CVE-2011-3102, CVE-2014-047, CVE-2014-4877, CVE-2014-5119, CVE-2014-7817, CVE-2015-1472, CVE-2015-6307.
- Security Issue Addressed multiple vulnerabilities in HTTP connection handling that allowed users to be redirected to malicious websites as described in CVE-2012-1033 and CVE-2015-0706.
- Security Issue Addressed multiple vulnerabilities that allowed unauthenticated, remote attacker to disclose sensitive information on an affected system, including those described in CVE-2011-1098 and CVE-2015-3153.
- Security Issue Addressed multiple vulnerabilities in SSLv3 that allowed external attacks on client connections, as described in CVE-2014-3556.
- Security Issue Addressed multiple parameter manipulation and misconfiguration vulnerabilities, including those described in CVE-2009-0025, CVE-2009-4022, and CVE-2015-0773.
- Security Issue Resolved multiple vulnerabilities where managed devices experienced microengine failure when processing traffic, including those described in CVE-2015-6307.
- Resolved an issue where, if the device did not process sufficient traffic, the system failed to generate complete performance graphs. (108348/CSCze87001)
- Resolved an issue where the intrusion performance graph incorrectly reported the minimum packets received instead of the actual number of packets received. (124331/CSCze87003)
- Resolved an issue where deploying a policy with a policy identification number greater than
4096failed. (134385/CSCze89030)- Resolved an issue which could have artificially limited the number of active dynamic NAT translations. (134561/CSCze87078)
- Resolved an issue where, in some cases, the front panel LCD informational screen of Firepower 7000 Series and 8000 Series devices incorrectly displayed some software errors as hardware errors. (140386/CSCze91939)
- Resolved an issue where the system did not display the number of failed login attempts. (140400/CSCze87152)
- Improved data pruning. (141894/ CSCze92576)
- Improved link state propagation responsiveness for Firepower 7000 Series and 8000 Series devices. (143860/CSCze87386)
- Resolved an issue where, if you disabled an access control rule using an intrusion policy or variable set not used in any other rule and attempted to deploy the policy, deployment failed. (143872/CSCze87308)
- Improved URL filtering. (144198/CSCze94590, 144199/CSCze94758, 144685/CSCze94805)
- Resolved an issue where, if updating failed and you attempted to update again, some drives did not mount correctly during install. (144553/CSCze95696)
- Improved reporting. (145102/CSCze95656)
- Resolved an issue where the Discovery Statistics page did not include any events in the following rows of the statistics summary: Total Events , Total Events Last Hour , or Total Events Last Day . (145153/CSCze95751)
- Improved troubleshooting for Firepower 7000 Series and 8000 Series devices. (145187/CSCze95510)
- Resolved an issue where removing the URL Filtering license from your system caused a disruption in cloud connectivity. (144578/CSCze95183)
- Corrected the calculation used by the memory usage health monitor to prevent false alerts. (144593/CSCze94840)
- Resolved an issue where the passive interfaces on Firepower 7000 Series devices reported incorrect egress security zones and interfaces. (144624/CSCze95206)
- Resolved an issue where, if you edited the interface security zones on the Object Management page, the stacked device configuration appeared to be up-to-date when it wasn't. (144626/CSCze94847)
- Resolved an issue where, if you deployed to a cluster or device stack of Firepower 7000 Series or 8000 Series devices, the system only deployed to the primary device if the clustered or stacked devices contained out-of-date policies prior to latest policy apply. (144646/CSCze95167)
- Resolved an issue where, if you created an HTML report, the web browser incorrectly displayed the report as binary data. (144737/CSCze95180, 144738/CSCze95205)
- Resolved an issue where decrypted SSL sessions displayed URLs in connection logs as http:// instead of https://. (144785/CSCze95781)
- Resolved an issue where, if you created a custom network variable named identically to a default variable but with different capitalization, the system incorrectly assumed the custom variable and the default variable were the same and prevented you from deleting the custom variable. (44788/CSCze96160)
- Resolved an issue where the system treated DNS traffic as OpenVPN, QQ, and Viber traffic. (144789/CSCze96154)
- Resolved an issue where if you imported a policy that referenced a shared layer, importing the policy failed. (144946/CSCze96151)
- Improved disk space utilization. (145012/CSCze95309)
- Improved reliability of hardware acceleration in Firepower 7000 Series and 8000 Series devices. (145035/CSCze95433, 145509/CSCze95994, CSCus68624, CSCut53335, CSCut80043)
- Resolved an issue where, if you edited a local rule on the intrusion rule editor when viewing rule documentation, the system displayed the current local rule configuration for already-generated event data instead of the rule configuration that triggered it. (145118/CSCze95346)
- Resolved an issue where, if you generated an intrusion even performance graph with Last Hour set as the time range, the system incorrectly generated a blank graph. (145237/CSCze95774)
- Resolved an issue where, if you enabled remote storage and created a scheduled email alert response on your Firepower Management Center, the scheduled email alert disabled remote storage and remote storage backups failed. (145288/CSCze95993)
- Resolved an issue where, if you attempted to view the first or last event of an Indication of Compromise (IoC), the system did not locate the event. (145486/CSCze95786)
- Resolved an issue where the 40GB fiber NetMod traffic statistics incorrectly logged traffic on the wrong 40GB port. (145515/CSCze95830)
- Resolved an issue where access control rules containing web application conditions did not match against traffic if users on your network entered a URL into the address bar that was not all lowercase. (CSCur37364)
- Resolved an issue where the file trajectory page failed to load due to invalid subtypes. (CSCur38623)
- Resolved an issue where, in some cases, you were not able to retrieve URL category or URL reputation information. (CSCur38971)
- Resolved an issue where, if you did not deactivate a traffic profile before deleting it, the deleted profile continued to use resources when it should not. (CSCur48345)
- Resolved an issue where, if you created a custom workflow and attempted to open the packet view of an intrusion event, the system opened the incorrect intrusion event in the packet view. (CSCur48743)
- Resolved an issue where, in some cases, you could not edit your access control policy and the system generated an
Unknown Error (9999): Couldn't get a lock on /var/tmp/.ac_lockerror message. (CSCur55338)- Resolved an issue where, if you created a scheduled task to install a new version of the vulnerability database (VDB) on a Firepower Management Center already running that version of the VDB, the system reinstalled the VDB and switched from active mode to standby mode every time the task was scheduled. (CSCur59252)
- Resolved an issue where, if you created a correlation rule to trigger when an intrusion event or connection event occurred and the condition matched an ingress security zone, egress security zone, ingress interfaces, or egress interface as the condition, the system did not recognize the rule and failed to generate events for traffic matching the rule. (CSCur59840)
- Resolved an issue on Firepower 7000 Series and 8000 Series managed devices where the system lost inline connectivity for up to 25 seconds on bypass-enabled inline sets during device reboot. (CSCur64678)
- You can now disable session termination logging to decrease disk space requirements. (CSCur73008)
- Resolved an issue where the system did not display the associated hosts if you expanded a vulnerability based on a client application from the vulnerabilities tab of the Network Map. (CSCur86191)
- Resolved an issue where, if you configured a routed interface on clustered Firepower 7000 Series or 8000 Series managed devices to both a private IP address and a Cisco Redundancy Protocol (SFRP) IP address, the system did not recognize which IP address was the primary address and did not establish an Open Shortest Path First (OSPF) connection. (CSCur86355)
- Resolved an issue where, if you changed the selected time zone in the Time Zone Preference tab on the User Preferences page, the system did not include daylight savings time. (CSCur92028)
- Resolved an issue where the system did not generate complete troubleshoot files if the system contained a large database. (CSCur97450)
- Resolved an issue where, in some cases, the host did not always display the block page if one of your access control rule actions was set to Block or Interactive Block . (CSCus06868)
- Resolved an issue where the system incorrectly duplicated the number of registered targets on the Intrusion Policy page. (CSCus08840)
- Resolved an issue where the system occasionally experienced latency during Snort restart. (CSCus11068)
- Resolved an issue where, an ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, or ASA 5555-X device configured in monitor-only mode experienced a fail over if the device processed a high amount of traffic. (CSCus15229)
- Resolved an issue where the system did not support generating multiple report types when using Windows File Sharing (SMB) due to unsupported characters in the report name. (CSCus21871)
- Resolved an issue where, if you configured a domain name without a DNS entry, the web interface page did not load. (CSCus28155, CSCut89714)
- Resolved an issue where importing intrusion rules failed if you edited an intrusion policy. (CSCus29526)
- Resolved an issue where, if you created an SSL policy with the default actions set to Do Not Decrypt and attempted to establish a session, the system erroneously reported the session was blocked when it was not. (CSCus41127)
- Resolved an issue where, if you added a Cisco IOS remediation to your Cisco IOS Null Route instance and entered your password to log into the router, the device did not accept the password and remediation failed. (CSCus45769)
- Improved the optimization of certain event workflows. (CSCus52203)
- Resolved an issue where, if the intrusion policy had a sufficiently complex configuration, the system truncated the configuration and intrusion policy deployment failed. (CSCus53911)
- Improved memory utilization. (CSCus59008, CSCuu38535, CSCuu81679)
- Resolved an issue where, if you created an access control rule referencing a file policy with a Block Malware rule positioned after an access control rule containing a web application condition, the system did not identify malware files. (CSCus64393, CSCus6452)
- Resolved an issue where the system generated an
Internal Server Errormessage if the password for your registered ASA FirePOWER module included an unsupported character. (CSCus68604)- Resolved an issue where, if you configured both malware blocking and SSL decryption, you could not download files via HTTPS even if the files did not contain malware. (CSCus72505)
- Improved communication between Firepower Management Centers and managed devices. (CSCus79643)
- You can now deploy an access control policy containing both SSL policies and URL category conditions on a Firepower Management Center with a registered Firepower 7030 device. (CSCut02823)
- Resolved an issue where the system experienced latency when you deleted hosts from the network map. (CSCut02913)
- Improved pruning for correlation event tables. (CSCut02984)
- Resolved an issue where, if you created a file policy with Spero analysis and file capture enabled, the system did not capture files detected in incoming traffic. (CSCut06837)
- Resolved an issue where, if you restored a backup archive located on a Windows network file server (NFS), backup restoration failed. (CSCut08317)
- Resolved an issue where, if you deployed an access control policy referencing an SSL policy to a managed device with Inspect Local Router Traffic enabled, the system generated errors and experienced issues. (CSCut12631)
- Resolved an issue where deploying to a cluster of devices (in Version 6.0, known as high availability) caused the system to fail over when it should not. (CSCut12919)
- Resolved an issue where, if you created an access control rule configured to send connection events to an external syslog server and the rule matched an excessive amount of traffic, the managed device stopped sending events to the external syslog server. (CSCut14629)
- Resolved an issue where, if your intrusion policy layers shared identical names and you performed a system update, the system experienced issues. (CSCut16772)
- Improved network mapping generation when processing historical email and eStreamer events. (CSCut23688)
- Resolved an issue where, if you edited an access control rule with multiple URL category conditions and attempted to remove one of the conditions, the system removed only the first category condition listed. (CSCut25082)
- Resolved an issue where, in some cases, the Firepower Management Center experienced system issues and failed to load access control rules. (CSCut30047)
- Resolved an issue where, if you created a passive zone on a Firepower 8000 Series device and performed the
show fastpath-rulesCLI command, the system reported intrusion rules as inactive. (CSCut32479)- Improved the reliability of backup and restore. (CSCut34456)
- The system generates a
Having Inspect traffic during policy apply disabled may cause network disruptions until deployment completeswarning if you deploy without enabling Inpsect traffic during policy apply . (CSCut36078)- Resolved an issue where, if you created a file policy configured to Inspect Archives , the system experienced issues and stopped processing traffic. (CSCut39253, CSCuu14892)
- Resolved an issue where, if you selected one or more cells of the Original Client IP column in the intrusion events table view to review or copy, the system generated an error and did not display the rows you selected. (CSCut41458)
- Resolved an issue where the system experienced latency and did not match traffic if you created an access control rule targeting users in an LDAP group that contains a large number of access-controlled users. (CSCut56233)
- Resolved an issue where, if you created and edited a search for generated events, then canceled it before the search started, the system redirected you to the events page related to the search with the incorrect search name. (CSCut63265)
- Improved disk manager functionality. (CSCut65740)
- Resolved an issue where the system experienced issues if the last entry in the map list was a duplicate. (CSCut65738)
- Resolved an issue where importing intrusion rule updates caused system issues. (CSCut65772)
- Resolved an issue where, in some cases, the system dropped database communication and experienced errors. (CSCut71816)
- Resolved an issue where, in some cases, deploying on a Firepower Management Center with registered Firepower 7000 Series and 8000 Series devices in a high-availability pair caused a fail over. (CSCut72278)
- Improved health alert notifications for Cloud Lookup failures. (CSCut77594)
- Resolved an issue where, if your system experienced two sequential failures, the system was placed into bypass mode even if you did not enable bypass mode. (CSCut80892)
- Resolved an issue where the message column of the Retrospective Malware Events table view did not include the old disposition or the new disposition values of a retrospective malware event. (CSCut83512)
- Resolved an issue where, if you restarted your ASA 5585-X device with a large number of subinterfaces configured without also restarting the SFR5585-X service card, the SFR5585-X service card appeared to fail. (CSCut89619)
- Resolved an issue where using the
show managersCLI command on a device registered to a system with multiple interfaces configured caused the system displayed the incorrect IP address. (CSCut95947)- Resolved an issue where, in some cases, update failure did not get caught in time. (CSCuu01055)
- Resolved an issue where, if you experienced system issues, the cloud continuously checked for a new update. (CSCuu04844)
- Resolved an issue where, if you created an access control policy with a URL category condition and the network map failed to load a complete database, the system experienced issues. (CSCuu06714)
- Resolved an issue where the vulnerability database (VDB) install took an unexpectedly long time. (CSCuu06786)
- Resolved an issue where, in some cases, your Firepower Management Center stopped receiving health events from a registered device. (CSCuu18450)
- Resolved an issue where the system experienced latency if you created a link aggregation group (LAG) on a Firepower 7000 Series or 8000 Series device when connected to a Cisco Nexus 7000 switch. (CSCuu31626)
- Resolved an issue where, if you changed your system's time zone to a UTC+ zone and added a correlation rule with at least one inactive period to a correlation policy, activating the correlation rule failed. (CSCuu37600)
- Resolved an issue where you experienced connectivity issues if you created a routed interface on your clustered Firepower 7000 Series or 8000 Series device (known as high availability in Version 6.0). (CSCuu37668)
- Resolved an issue where the Cisco Redundancy Protocol (SFRP) router advertisement value appeared to be configurable when you added or edited a routed IP address when it was not. (CSCuu37687)
- Resolved an issue where, if you enabled two or more management interfaces and web client lost connectivity to one of the interfaces, the system defaulted to an incorrect gateway IP address and you could not access the interface. (CSCuu44020)
- Resolved an issue where, if you created an access control policy with a geolocation condition, traffic that should have matched the condition did not. (CSCuu48800)
- Improved network map generation. (CSCuu53215, CSCuu94784, CSCuv72386, CSCuw06359)
- Improved load time for access control rules with manual URL conditions referenced in an access control policy. (CSCuu55853)
- Resolved an issue where ASA Firepower modules (ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, and ASA 5516-X) running the minimum ASA version 9.3.2.2 or later did not enforce the mpf-policy-map-class mode. (CSCuu68273)
- Resolved an issue where creating a search for an intrusion event with an original client IP using a negated subnet IP address caused the system to incorrectly exclude intrusion events with no original client IP. (CSCuu68438)
- Resolved an issue where, in rare cases, the system appeared unstable and did not recover from a reboot. (CSCuu93154)
- Resolved an issue where a drive failure on some DC4000 appliances caused RAID controller failure and data loss. (CSCuu93159)
- Improved eStreamer performance. (CSCuu94902)
- Resolved an issue where the system did not display the correct number of bytes in the Top Web Applications Seen and Top Client Applications Seen widgets on the Summary Dashboard if you viewed high-volume media such as video streaming on your web browser. (CSCuu97036)
- Resolved an issue where, if you deployed an SSL policy set to Decrypt-Resign on a managed device, the decrypted traffic that egressed from one interface set switched or routed so the traffic ingressed into a different interface set on the same managed device and the system experienced a disruption in SSL traffic. (CSCuu97712)
- Resolved an issue where the Send email check box on the Report Templates tab of the Reporting page did not stay selected and you stopped receiving reports via email if you generated a report, navigated away from the Report Templates tab, and then generated another report. (CSCuu97750, CSCuu41580, CSCuv43116)
- Resolved an issue where clicking Continue on interactive block web page did not always redirect you to the blocked web page. (CSCuu97934, CSCuu97946)
- Resolved an issue where, in some cases, updating failed. (CSCuu99337)
- Resolved an issue where the system did not acknowledge users as members of their primary LDAP groups. (CSCuv03821)
- Resolved an issue where, if you generated a connection event report and modified the Maximum Results value, the system did not save the new value and generated the report with the default value. (CSCuv06557)
- Resolved an issue where, if you configured the system to use a remote NTP server to synchronize time to a system with a managed device running a version older than Version 5.4 and you experienced a leap second, your system used a high amount of CPU. (CSCuv11738)
- Resolved an issue where, if you created an access control rule configured with an Interactive Block action and you viewed a blocked webpage in a Chrome web browser, the Continue button to bypass the block page did not work. (CSCuv21748)
- Resolved an issue where generated internal CA certificates were valid for only 30 days instead of 10 years. (CSCuv29004)
- Resolved an issue where, if a host generated an Indication of Compromise (IoC) and you disabled the IoC for that host on the Host Profile page, the Indications of Compromise by Host dashboard widget incorrectly displayed the IoC when it should not. (CSCuv41376)
- Resolved an issue where, if you created an SSL policy default action set to Decrypt - Known Key or Decrypt - Resign on a 7000 Series or 8000 Series device and you choose to resume the SSL session with a different source IP address, SSL inspection failed and the connection log displayed an incorrect SSL policy default action. (CSCuv48689)
- Improved file detection and blocking. (CSCuv59181)
- Improved memory utilization for port ranges in access control rules. (CSCuv64114)
- Resolved an issue where, if you registered many devices or configured many interfaces on a managed device or created many VPN deployments, the system did not generate information for all of the devices or interfaces or VPN deployments on their respective pages. (CSCuv76287)
- Improved Health Monitor alerting. (CSCuv96121)
- Resolved an issue where merging intrusion policy layers generated errors. (CSCuw34380)
- Improved email notification reliability. (CSCuw36354)
- Resolved an issue where, in some cases, the system experienced errors caused by invalid username values. (CSCuw39725)
- Resolved an issue where, if you switched from Serial Over Lan (SOL) to Lights-out-Management (LOM) on a MC4000, or vice versa, the system’s console port did not work. (CSCuw67319)
- Resolved an issue where, if you enabled SSL debug logging via the s
ystem support ssl-debugorsystem support debug-DAQ-NSECLI command and your system experienced a high amount of traffic for an extended amount of time, the system experienced disk space issues. (CSCuw68004)Known Issues
You can view known issues reported in this release using the Cisco Bug Search Tool ( https://tools.cisco.com/bugsearch/ ). A Cisco account is required.
The following known issues are reported in Version 6.0.0.1:
- In some cases, if you click Advanced in the Report Templates tab of the Reporting page ( Overview > Reporting > Report Templates ) and enter a non-numeric value in the Device or Number fields, the system does not generate an error when it should. (CSCux08842)
- In some cases, if you create an access control rule and set an HTTP response page for the rule action Block or Block with Reset , the HTTP response page does not load a web browser on a computer running Windows OS. (CSCux58068, CSCux76910)
- In some cases, if you modify the device tab of the Device Management page ( Devices > Device Management ), the system incorrectly displays an extraneous
You have unapplied changesmessage. (CSCux64275)- In some cases, if you deploy an access control policy with the default action set to Block and execute the
configure network management-interface disable-event-channelCLI command, the system continues to generate intrusion and connection events when it should not. (CSCux64898)- In some cases, if you attempt to log into the system with the incorrect password, the system incorrectly locks you out of the system after two attempts instead of three attempts. (CSCux65770)
- If you execute the
debug pix aclCLI command, the output data does not include whether debug mode is enabled or not when it should. (CSCux68019)- The following CLI commands are not currently available in debug mode on ASA with Firepower Threat Defense devices:
debug code-sign,debug group,debug ppp,debug vpnlb,setup,packet-tracer. (CSCux68021)- The change-password command on the diagnostic CLI does not change the password when in enable mode. As a workaround use the
configure user password <username>config command on the management CLI to change the password. (CSCux69340)- In some cases, if you export an intrusion policy as a part of an access control policy from one domain and attempt to import that access control policy to a different domain and if the replace option is selected for the intrusion policy then importing the policy fails. As a workaround, recreate the access control policy in the secondary domain instead of importing the policy. (CSCux70595, CSCux70756)
- In some cases, if you create a port object on the Object Management page ( Objects > Object Management ) in a subdomain, the system incorrectly displays the port object in the global domain audit log instead of both the global domain and subdomain audit log. (CSCux71554)
- In some cases, if you delete an IP address from a domain blacklist, the system does not mark policies as out-of-date. As a workaround, manually redeploy policies if you delete an IP address from a domain blacklist. (CSCux76582)
- In some cases, if you apply a country filter in the context Explorer page ( Analysis > Context Explorer ) or select a geolocation in the context explorer via the Dashboards page ( Overview > Dashboards ), the system generates a new window that does not include geolocation data when it should. (CSCux76616, CSCux76624)
- In some cases, if you create a new network object using the create object icon (
+) from the network selector in the Standard Access List Entry page ( Object > Object Management > Access List > Standard Access List > Standard Access List Entry ), the system doesn’t generate a network object creation pop-up window when the same approach is followed the next time before refreshing the page. (CSCux79141)- If you configure BGP Neighbor routing settings and set the Min hold time field or the Hold time field in the Timers tab of the Device Management page ( Devices > Device Management ) with the integers between 0-2, the system generates a Hold time/Mind hold time must be 0 or greater than 2 error. As a workaround, use integers between 3-65535 for the Min hold time field and the Hold time field. (CSCux79162)
- In some cases, if you deploy an open shortest path first (OSPF) network and enable Routing Information Protocol (RIP) in the virtual router tab of the Device Management page ( Devices > Device Management ), and add a redistribution process in the Redistribution section of the OSPF tab, then disable the OSPF and RIP configuration and deploy, the system does not delete the old configuration and deployment fails. (CSCux79309)
- In some cases, if you create an access control policy for the first time on a system running Version 6.0.0.1, the system generates a global whitelist and global black list in Security Intelligence for subdomains but not in global domains. (CSCux81907)
- In some cases, if a registered device detects malware, the system incorrectly names all events as
Malwarein the File Name column of the Network File Trajectory page ( Analysis > Files > Network File Trajectory ). (CSCux82011)- If you update your system from Version 6.0.0 to Version 6.0.0.1 and immediately deploy an access control policy, the system may experience issues. (CSCux83689)
- You are unable to log into the Firepower Management Center interface during the upgrade process from Version 6.0.0. to Version 6.0.0.1. (CSCux85221)
- In some cases, if you create a correlation rule and select an event type from the Rule Management page ( Policies > Correlation > Rule Management ), then click Add condition and select Security group from the drop-down menu, the system does not allow you to use a security group in a correlation rule. (CSCux85257)
- In some cases, if you view the network trajectory of a malware event generated by a policy located in a subdomain, the system does not generate the Detection Name field when it should. (CSCux85345, CSCux85925)
- In some cases, if you create an access control policy containing a DNS policy with a sinkhole object and enable connection logging on an ASA Firepower managed by ASDM, the system does not generate the follow on event triggered by the sinkhole server in the Security Intelligence Events page ( Analysis > Connections > Security Intelligence Events ). (CSCux86766)
- In some cases, if you create an access control policy containing a file policy and two identical access control rules, then change one of the access control rule's default action and enable Log files under the File Events option in the Logging tab, the system generates an erroneous Selecting this action will reset the intrusion Policy and File Policy to "None". Are you sure you want to continue? warning. Selecting Yes generates a Select at least one destination for connection Events to be logged to. error and removes the file policy from the access control policy. (CSCux86868)
- In some cases, if a user connecting to the Firepower Management Center using an IPv4 address and a user connecting to the Firepower Management Center using IPv6 address modify the same access control policy residing in a leaf domain, the Inspection tab of an access control rule included in the policy may become inaccessible when you try to edit the rule. (CSCux87615)
- In some cases, if you right click the Product Updates tab on the Updates page ( Configuration > ASA FirePOWER Configuration > Updates ) and Open in a new window on a Cisco ASA Firepower module managed by ASDM, the page does not load. (CSCux89860)
- In some cases, if you create a network object group and a URL object group and add URL or IP entries to both object groups, then create an access control policy containing the two object groups in a DNS policy or a security intelligence blacklist/whitelist and deploy, the system does not reflect the URL and IP entries within the Network and URL object groups. As a workaround, manually create an object group and add individual objects to the group, then reference the object group in an access control policy and redeploy. (CSCux89941)
- In some cases, if you attempt to filter the connection events view by the Context column in the Real Time Eventing page ( Monitoring > ASA FirePOWER Monitoring > Real Time Eventing ) of on a Cisco ASA Firepower managed by ASDM, the system does not generate any results when it should. (CSCux90148)
- If you edit the search editor on the Report Templates page ( Overview > Reporting > Report Templates ) with invalid characters and save, the system does not display a warning and saves the invalid search configuration when it should not. (CSCux91428)
- In some cases, if you click Report Designer on the Summary Dashboard page ( Overview > Summary Dashboard ) and generate a report after naming it, the generated report may not include all the custom analysis sections from the dashboard when it should. (CSCux91497)
- In some cases, if you create a RADIUS authenticated user profile, then backup and restore the Firepower Management Center, the system does not allow the RADIUS authenticated user to log in. As a workaround, log in with a different user and reapply the RADIUS authenticated user profile, then log in with your RADIUS authenticated user. (CSCux92967)
The following known issue were reported in previous releases:
- You may experience latency if you use Firefox version 38.0.1 to view your Firepower Management Center's interface. As a workaround, use Firefox 41 or later or use a different web browser. (CSCuv11830)
- In some cases, if you create an access control policy when registering a device on a subdomain, the system creates the access control policy in the global domain instead of the subdomain when it should not. (CSCut56951)
- In some cases, if you edit the default network access policy in the advanced tab of the Access Control page ( Policies > Access Control ), the system incorrectly displays the default network access policy as an intrusion policy on the deployment dialog window. (CSCuv48221)
- Online help does not open if you click the help icon on the Select Comparison page ( ASA FirePOWER Configuration > Policies > Files > Compare Policies ) of an ASA FirePOWER module managed via ASDM. (CSCuw21863)
- In some cases, if you view All Events (Not Dropped) in the Intrusion Events table view page of a Firepower 7000 Series or 8000 Series device and sort the table by a maximum of six fields including Review By and Count and then generate a report, report generation fails. As a workaround, exclude either the Review By and Count field values or, if you include both the Review By and Count fields, only nor more than three additional field values when generating a report from the intrusion events page. (CSCuw29993)
- You cannot name a device group with a name that includes the plus (
+) character even though the system generates aThis field contains invalid characters. Only alphanumerics, hyphen ( - ), underscore ( _ ), period ( . ), and plus ( + ) are allowedmessage. (CSCuw44373)- In some cases, if you edit the browser and shell timeout threshold values on the Shell Timeout page ( System > Configuration > Shell Timeout ) and redeploy, the system logs out of inactive Firepower Management Centers up to one minute after the configured threshold values. (CSCuw48568)
- The Device Management page ( Devices > Device Management ) does not display device override values in the tooltip for device objects. (CSCuw53371)
- External certificates from Version 5.4.x are not supported in Version 6.0: the only curves supported in Version 6.0 are
prime192v1,prime256v1,secp384r1andsecp521r1. You must update your system to Version 6.0 to obtain supported external certificates. (CSCuw54749)- In some cases, if you create an access control policy referencing both a file policy containing a file rule configured to Detect Files and an SSL policy configured to Decrypt--Resign or Decrypt--known key on a system sending and receiving emails with Outlook 2013, the Connection Events page ( Analysis > Connections > Events ) does not include email file attachments in generated events. (CSCuw65152)
- In some cases, if you refresh the tabs in the Device Management page ( Devices > Device Management ) or the NAT page ( Devices > NAT ) or the VPN page ( Devices > VPN ), the system does not clear the cache on the page being refreshed and the Save button is un-operational. As a workaround, cancel any edits made to the page or tab and select the device you want to edit again. (CSCuw75367)
- In some cases, if you create an SSL policy containing a certificate with more than one status, such as expired or revoked, the Certificate Status column of the Connection Events page ( Analysis > Connections > Events ) does not display a status. (CSCuw76040)
- In rare cases, if you create or edit a device interface on the Device Management page ( Devices > Devices Management ), the system generates a
No cache exists to discard and resumeerror and you cannot deploy. As a workaround, refresh the Device Management page and redeploy. (CSCuw77505)- In some cases, if you incorrectly configure OSPFv3, RIP or Border Gateway Protocol on a device's virtual router page ( Devices > Devices Management > Virtual Router ) and leave the configuration page without saving changes, the system generates a To revert back the configuration pop-up; click Yes to clean the virtual router configuration page of any edits or click No causes the system to generate the To revert back the configuration pop-up multiple times before saving the virtual router configuration page without any edits. (CSCuw78916)
- If you deploy a network discovery policy to a clustered or stacked Firepower 7000 Series or 8000 Series devices (in Version 6.0 known as a high availability pair), the system incorrectly counts all devices in the cluster or stack rather than indicating one device for the cluster or stack. (CSCuw79241, CSCuw79243)
- After initial setup on a Firepower Management Center, Firepower 7000 Series, or 8000 Series device, if you are connecting to the appliance from behind a network address translator (NAT) device, the system provides a redirect URL containing the IP address for the IP address you configured for the appliance rather than the NAT IP you are connecting to, and the session times out. As a workaround, correct the URL to use the NAT IP used to connect via web. (CSCuw79967)
- If you uninstall Version 5.4.1.3 or later to an earlier 5.4.x version and then update the system to Version 6.0, the update to Version 6.0 fails. Update your system to the latest version prior to updating your system to Version 6.0. (CSCuw81780)
- In some cases, if you do not select the required licenses for a device prior to device registration, the system generates an
Initial policy deployment not started due to validation errors. For details, redeploy manuallymessage. For more information on the correct licenses to select for your device, see the Licensing the FireSIGHT System chapter of the Firepower Management Center Configuration Guide . (CSCuw85743)- In some cases, if you deploy a NAT policy containing rules targeted to Firepower 7000 Series or 8000 Series managed devices' routed interfaces and then cluster the managed devices (known is Version 6.0 as a high-availability pair), some NAT rules continue to target a managed device's routed interface instead of changing to target a high availability interface when it should. As a workaround, edit the rule containing the individual interface, manually create a high availability interface, then redeploy. (CSCuw89223)
- The HTTP Listing page ( Device > Platform Settings > Firepower Threat Defense Platform Settings > HTTP ) lists Authentication Certificate as a configurable field when it is not. (CSCuw89605)
- In some cases, the system generates events for large amounts of HTTP traffic processed by a port that is not specified in the HTTP preprocessor rule. As a workaround, add the port to the HTTP preprocessor rule with GID
119and SID15. (CSCuw90033)- If you initiate deployment while backing up the Firepower Management Center, a message does not appear to indicate that the communication channel is blocked and the policy cannot deploy. Wait until backup process is complete and then deploy. (CSCuw90629)
- In some cases, if you create an access control policy that has an intrusion policy as the default action, the variable set icon next to the default action does not display properly. As a workaround, change the default action to use a different intrusion policy, which makes the icon show up, and then change your default action back to the previous intrusion policy. (CSCuw94067)
- In some cases, the Firepower Management Center's Deploy window displays an incorrect timestamp after you update the Firepower Management Center to Version 6.0 and deploy configuration changes. (CSCuw94083)
- In some cases, if you create an OSPFv3 router but do not configure a manual router-id in the Advanced Settings tab of the router page ( Devices > Device Management > Router ), the system does not use unnamed IPv4 IP addresses and generates an
OPSFv3 router process will not start as no router ID has been configured. Neither router ID in OSPFv3 nor IPv4 address configured in Interfaceserror message. (CSCuw95485)- If you create a correlation rule configured to match a MAC Vendor is condition, the system generates a
Warning: no vendors match this stringwarning and does not execute the correlation rule. As a workaround, update your vulnerability database (VDB). If the VDB update does not resolve the issue, use the MAC Vendor contains condition instead of the MAC Vendor is condition. (CSCuw96022)- The link to the Cisco Smart Software Manager from the Firepower Management Center Smart Licensing user interface page ( System > Local > System Policy ) directs to an updated link, which also redirects. As a workaround, if the redirect does not occur quickly enough, connect to https://software.cisco.com/#module/SmartLicensing . (CSCuw96552)
- In some cases, deploy fails on a device running Version 5.4.0 that is registered to a Firepower Management Center running Version 6.0 if you deploy an access control policy that references a file policy configured for malware protection. (CSCuw97809)
- In some cases, if you enable sensitive data detection in the Advanced Settings on the Intrusion Policy page ( Policies > Intrusion > Intrusion Policy ), then switch to another domain before saving, the system does not reload the Intrusion Policy page in the destination domain when it should. As a workaround, save or manually reload the Intrusion Policy page. (CSCuw97864)
- In some cases, if the time configured on a device running Version 6.0 is set ahead of the time configured on a Firepower Management Center, registering the managed device to the Firepower Management Center causes connectivity issues and the system may not be able to restore connectivity. As a workaround, execute the
/etc/rc.d/init.d/pm restartCLI command. If you continue to experience connectivity issues, contact Support. (CSCuw97948)- In some cases, if your user interface initiates a restore, the session will be disconnected and you must log in again to see the status of restore operation. (CSCuw98296)
- In some cases, if you create two subdomains on a Firepower Management Center running Version 6.0 and register a 7000 Series or 8000 Series device, create a network object override and deploy an access control policy, then move the device from one subdomain to another subdomain, the system deletes the override value from the Object page. (CSCuw98708)
- Version 6.0 does not support the Safari web browser on systems running the MAC OS. Use Firefox, Chrome, or Internet Explorer. (CSCuw98876)
- In some cases, if the system hosting a virtual device experiences a high amount of traffic, deploying to the virtual device may cause temporary network issues. (CSCux00380)
- In some cases, intrusion events do not display the correct source IP address or the correct destination IP address. As a workaround, view the Connection Events page ( Analysis > Connections > Events ) to view the correct source and destination IP addresses of an intrusion event. (CSCux00385)
- In some cases pinholes are not created for Real-time Transport Protocol (RTP) connections established by calls using the Session Initiation Protocol (SIP), which prevents the VOIP channel creation for the SIP call. (CSCux03758, CSCux09765)
- Although an application detector is available for the Skinny (SCCP) protocol, pinholes are not created for RTP connections established by SCCP packets. (CSCux05468)
- In some cases, when deploying policies to a large number of devices, policy deployment times out and fails when Snort fails to restart. (CSCux07861)
- If you deploy a NAT policy which resides in a subdomain to a Firepower 7000 Series or 8000 Series device and move the device to new domain, deploy fails. As a workaround, create a new NAT policy in a new domain and target the correct device, then redeploy. (CSCux10651)
- In some cases, if you create a VPN deployment on a registered device and move the device from one domain to another domain, then deploy, deploy fails and the system generates a
Pre-deploy Global Configuration Generation. Cannot find policy informationerror message. As a workaround, remove the VPN configuration prior to moving the device to another domain. An alternative workaround is to unregister and then register the device to the Firepower Management Center, then create a VPN deployment and deploy. (CSCux10820)- Use of a certificate with an RSASSA-PSS signature algorithm on a Firepower Management Centerr is not supported in Version 6.0. If you update a Firepower Management Center using such a certificate to Version 6.0 or add such a certificate in Version 6.0, the system does not allow you to log into the Management Center web interface and generates an
Unable to authorize access. If you continue to have difficulty accessing this device, please contact the system administratorerror. As a workaround, prior to update, generate and install an SSL certificate with either asha1WithRSAEncryptionorsha256WithRSAEncryptionalgorithm and restart the Firepower Management Center, or use the default Firepower Management Center certificate and restart the appliance. If you are unable to access the user interface on your Firepower Management Center, contact Support. (CSCux30610)- In some cases, if you create an access control policy referencing an SSL policy that contains a network object with multiple entries on a managed Firepower appliance running Version 5.4 or later and you update the system to Version 6.0, deploying the policy fails on a Firepower Management Center running Version 6.0. As a workaround, edit the SSL policy after updating the system to Version 6.0 and remove the network object, then add the network object and redeploy. (CSCux31618)
- If the certificate used by your Firepower Management Center was generated using a public server key larger than 2048 bits, you will not be able to log into the Firepower Management Center web interface after updating to Version 6.0. As a workaround, replace certificates that were created with larger public keys by generating a server certificate request and then applying a certificate generated using that request to the Firepower Management Center. You can do the server certificate request and the certificate upload through the local configuration settings on the Firepower Management Center ( System > Local > Configuration > HTTPS Certificate ). If you generate a certificate without using a CSR from the Firepower Management Center, use a public key of 2048 bits or less. If you generate a certificate that contains more than 2048 bits and lose access to the Management Center web interface, contact Support. (CSCux35430)
For Assistance
Thank you for choosing the Firepower System.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about the Firepower System, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html .
Subscribe to What’s New in Cisco Product Documentation , which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
If you have any questions or require assistance with the Firepower System, please contact Cisco Support:
- Visit the Cisco Support site at http://support.cisco.com/ .
- Email Cisco Support at tac@cisco.com .
- Call Cisco Support at 1.408.526.7209 or 1.800.553.2447.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Feedback