Cisco Secure Firewall Threat Defense Release Notes
This document contains release information for Version 7.4 of:
- Cisco Secure Firewall Threat Defense
- Cisco Secure Firewall Management Center (on-prem)
- Cisco Secure Firewall device manager
For Cisco Defense Orchestrator (CDO) deployments, see the Cisco Cloud-Delivered Firewall Management Center Release Notes or What's New for Cisco Defense Orchestrator.
Release Dates

Version | Build | Date | Platforms
---|---|---|---
7.4.1.1 | 12 | 2024-04-15 | All
7.4.1 | 172 | 2023-12-13 | All
7.4.0 | 81 | 2023-09-07 | Management center, Secure Firewall 4200 series
Compatibility
Before you upgrade or reimage, make sure the target version is compatible with your deployment. If you cannot upgrade or reimage due to incompatibility, contact your Cisco representative or partner contact for refresh information.
For compatibility information, see:
Features
This document describes the new and deprecated features for Version 7.4.
For earlier releases, see Cisco Secure Firewall Management Center New Features by Release and Cisco Secure Firewall Device Manager New Features by Release.
- Upgrade Impact: A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part; this is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade, for example, if you must change a configuration.
- Snort: Snort 3 is the default inspection engine for threat defense. Snort 3 features for management center deployments also apply to device manager, even if they are not listed as new device manager features. However, keep in mind that the management center may offer more configurable options than device manager.
  Important: If you are still using the Snort 2 inspection engine, switch to Snort 3 now for improved detection and performance. Snort 2 will be deprecated in a future release and will eventually prevent threat defense upgrades.
- Intrusion Rules and Keywords: Upgrades can import and auto-enable new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU/LSP. After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.
  For details on new keywords, see the Snort release notes: https://www.snort.org/downloads.
- FlexConfig: Upgrades can add web interface or Smart CLI support for features that previously required FlexConfig. The upgrade does not convert FlexConfigs. After upgrade, configure the newly supported features in the web interface or Smart CLI. When you are satisfied with the new configuration, delete the deprecated FlexConfigs.
  The feature descriptions below include information on deprecated FlexConfigs when appropriate. For a full list of deprecated FlexConfigs, see your configuration guide.
  Caution: Although you cannot newly assign or create FlexConfig objects using deprecated commands, in most cases existing FlexConfigs continue to work and you can still deploy. However, using deprecated commands can sometimes cause deployment issues.
Management Center Features
Management Center Features in Version 7.4.1
Reintroduced Features

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Reintroduced features. | Feature dependent | Feature dependent | Version 7.4.1 reintroduces features, enhancements, and critical fixes that were included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but that were not included in odd-numbered versions (7.1.x, 7.3.x) or in Version 7.4.0. Reintroduced features include:
Platform

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Network modules for the Secure Firewall 3130 and 3140. | 7.4.1 | 7.4.1 | The Secure Firewall 3130 and 3140 now support these network modules: See: Cisco Secure Firewall 3110, 3120, 3130, and 3140 Hardware Installation Guide
Optical transceivers for Firepower 9300 network modules. | 7.4.1 | 7.4.1 | The Firepower 9300 now supports these optical transceivers: On these network modules:
Performance profile support for the Secure Firewall 3100. | 7.4.1 | 7.4.1 | The performance profile settings available in the platform settings policy now apply to the Secure Firewall 3100. Previously, this feature was supported on the Firepower 4100/9300, the Secure Firewall 4200, and on threat defense virtual.
Interfaces

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Deploy without the diagnostic interface on threat defense virtual for Azure and GCP. | 7.4.1 | 7.4.1 | You can now deploy without the diagnostic interface on threat defense virtual for Azure and GCP. Previously, we required one management, one diagnostic, and at least two data interfaces. New interface requirements are: Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide
Device Management

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Device management services supported on user-defined VRF interfaces. | 7.4.1 | Any | Device management services configured in the threat defense platform settings (NetFlow, SSH access, SNMP hosts, syslog servers) are now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces. Platform restrictions: Not supported with container instances or clustered devices. See: Platform Settings
High Availability/Scalability: Threat Defense

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Multi-instance mode for the Secure Firewall 3100. | 7.4.1 | 7.4.1 | You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices. Note that in multi-instance mode, you upgrade the operating system and the firmware (chassis upgrade) separately from the container instances (threat defense upgrade). New/modified screens: New/modified threat defense CLI commands: configure multi-instance network ipv4, configure multi-instance network ipv6. New/modified FXOS CLI commands: create device-manager, set deploymode. Platform restrictions: Not supported on the Secure Firewall 3105.
16-node clusters for threat defense virtual for VMware and KVM. | 7.4.1 | 7.4.1 | You can now configure 16-node clusters for threat defense virtual for VMware and threat defense virtual for KVM.
Target failover for clustered threat defense virtual devices for AWS. | 7.4.1 | 7.4.1 | You can now configure target failover for clustered threat defense virtual devices for AWS using the AWS Gateway Load Balancer (GWLB). Platform restrictions: Not available with five- and ten-device licenses.
Detect configuration mismatches in threat defense high availability pairs. | 7.4.1 | 7.4.1 | You can now use the CLI to detect configuration mismatches in threat defense high availability pairs. New/modified CLI commands: show failover config-sync error, show failover config-sync stats
High Availability: Management Center

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Management center high availability synchronization enhancements. | 7.4.1 | Any | Management center high availability (HA) includes the following synchronization enhancements: New/modified screens: You can view these alerts on the following screens:
SD-WAN

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Application monitoring on the SD-WAN Summary dashboard. | 7.4.1 | 7.4.1 | You can now monitor WAN interface application performance on the SD-WAN Summary dashboard. New/modified screens:
VPN

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
IPsec flow offload on the VTI loopback interface for the Secure Firewall 3100. | 7.4.1 | 7.4.1 | Upgrade impact. Qualifying connections start being offloaded. On the Secure Firewall 3100, qualifying IPsec connections through the VTI loopback interface are now offloaded by default. Previously, this feature was only supported on physical interfaces. This feature is automatically enabled by the upgrade. You can change the configuration using FlexConfig and the flow-offload-ipsec command. See: IPsec Flow Offload
Crypto debugging enhancements for the Secure Firewall 3100 and Firepower 4100/9300. | 7.4.1 | 7.4.1 | The crypto debugging enhancements introduced in Version 7.4.0 now apply to the Secure Firewall 3100 and the Firepower 4100/9300. Previously, they were only supported on the Secure Firewall 4200.
View details of the VTIs in route-based VPNs. | 7.4.1 | Any | You can now view the details of the virtual tunnel interfaces (VTIs) of route-based VPNs on your managed devices. You can also view details of all the dynamically created virtual access interfaces of dynamic VTIs. New/modified screens: Device > Device Management > Edit a device > Interfaces > Virtual Tunnels tab.
Routing

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Configure BFD routing on IS-IS interfaces with FlexConfig. | 7.4.1 | 7.4.1 | You can now use FlexConfig to configure Bidirectional Forwarding Detection (BFD) routing on physical, subinterface, and EtherChannel IS-IS interfaces.
Access Control: Threat Detection and Application Identification

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Zero trust access enhancements. | 7.4.1 | 7.4.1 with Snort 3 | Management center now includes the following zero trust access enhancements: New/modified screens: New/modified CLI commands: show running-config zero-trust, show zero-trust statistics. See:
CIP detection. | 7.4.1 | 7.4.1 with Snort 3 | You can now detect and handle Common Industrial Protocol (CIP) traffic by using CIP and EtherNet/IP (ENIP) application conditions in your security policies.
CIP safety detection. | 7.4.1 | 7.4.1 with Snort 3 | CIP Safety is a CIP extension that enables the safe operation of industrial automation applications. The CIP inspector can now detect CIP Safety segments in CIP traffic. To detect and take action on CIP Safety segments, enable the CIP inspector in the management center's network analysis policy and assign it to an access control policy. New/modified screens: Policies > Access Control > Edit a policy > Add Rule > Applications tab > Search for CIP Safety in the search box. See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide
Access Control: Identity

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Captive portal support for multiple Active Directory realms (realm sequences). | 7.4.1 | 7.4.1 | Upgrade impact. Update custom authentication forms. You can configure active authentication for an LDAP realm, a Microsoft Active Directory realm, or a realm sequence. In addition, you can configure a passive authentication rule to fall back to active authentication using either a realm or a realm sequence. You can optionally share sessions between managed devices that share the same identity policy in access control rules. You also have the option to require users to authenticate again when they access the system through a different managed device than the one they accessed previously. If you use the HTTP Response Page authentication type, after you upgrade threat defense, you must add `<select name="realm" id="realm"></select>` to your custom authentication form. This allows the user to choose between realms. Restrictions: Not supported with Microsoft Azure Active Directory. New/modified screens:
Share captive portal active authentication sessions across firewalls. | 7.4.1 | 7.4.1 | This option determines whether users are required to authenticate again when their authentication session is sent to a different managed device than the one they previously connected to. If your organization requires users to authenticate every time they change locations or sites, you should disable this option. New/modified screens:
Merge downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources, using the management center web interface. | 7.4.1 | Any | Upgrade impact. Redo any related FlexConfigs after upgrade. New/modified screens: New CLI commands:
Health Monitoring

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Chassis-level health alerts for the Firepower 4100/9300. | 7.4.1 | Any with FXOS 2.14.1 | Upgrade impact. Enable the new health module and apply the device health policy after upgrade. You can now view chassis-level health alerts for the Firepower 4100/9300 by registering the chassis to the management center as a read-only device. You must also enable the Firewall Threat Defense Platform Faults health module and apply the health policy. The alerts appear in the Message Center, the health monitor (in the left pane, under Devices, select the chassis), and in the health events view. You can also add (and view health alerts for) a Secure Firewall 3100 chassis in multi-instance mode. For those devices, you use the management center to manage the chassis, but for the Firepower 4100/9300 chassis, you still must use the chassis manager or the FXOS CLI. New/modified screens:
Improved management center memory usage calculation, alerting, and swap memory monitoring. | 7.4.1 | Any | Upgrade impact. Memory usage alert thresholds may be lowered. We improved the accuracy of the management center memory usage calculation and lowered the default alert thresholds to 88% warning/90% critical. If your thresholds were higher than the new defaults, the upgrade lowers them automatically; you do not have to apply health policies for this change to take place. Note that the management center may now reboot under extremely critical system memory conditions if terminating high-memory processes does not work. You can also add new swap memory usage metrics to a new or existing management center health dashboard. Make sure you choose the Memory metric group. New/modified screens:
Deployment and Policy Management

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Change management. | 7.4.1 | Any | You can enable change management if your organization needs to implement more formal processes for configuration changes, including audit tracking and official approval before changes are deployed. We added a System page to enable the feature. When enabled, there is a System page and a new Ticket quick-access icon in the menu. See: Change Management
Upgrade

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Firmware upgrades included in FXOS upgrades. | 7.4.1 | Any | Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot. For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice: once for FXOS and once for the firmware. Just as with software and operating system upgrades, do not make or deploy configuration changes during a firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during a firmware upgrade.
Automatically generate configuration change reports after management center upgrade. | 7.4.1 | Any | You can automatically generate reports on configuration changes after major and maintenance management center upgrades. This helps you understand the changes you are about to deploy. After the system generates the reports, you can download them from the Tasks tab in the Message Center. Other version restrictions: Only supported for management center upgrades from Version 7.4.1+. Not supported for upgrades to Version 7.4.1 or any earlier version. New/modified screens: System
Administration

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Erase the hard drives on a hardware management center. | 7.4.1 | Any | You can use the management center CLI to reboot the management center and permanently erase its hard drive data. After the erase is complete, you can install a fresh software image. New/modified CLI commands: secure erase. See: Secure Firewall Management Center Command Line Reference
Usability, Performance, and Troubleshooting

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Troubleshooting file generation and download available from Device and Cluster pages. | 7.4.1 | 7.4.1 | You can generate and download troubleshooting files for each device on the Device page and for all cluster nodes on the Cluster page. For a cluster, you can download all files as a single compressed file. You can also include cluster logs for the cluster nodes. You can alternatively trigger file generation from the More > Troubleshoot Files menu. New/modified screens:
Automatic generation of a troubleshooting file on a node when it fails to join the cluster. | 7.4.1 | 7.4.1 | If a node fails to join the cluster, a troubleshooting file is automatically generated for the node. You can download the file from Tasks or from the Cluster page.
View CLI output for a device or device cluster. | 7.4.1 | Any | You can view a set of predefined CLI outputs that can help you troubleshoot the device or cluster. You can also enter any show command and see the output. New/modified screens: See: View CLI Output
Quick recovery after data plane failure for the Firepower 1000/2100 and Firepower 4100/9300. | 7.4.1 | 7.4.1 | If the data plane process crashes, the system now reloads only the data plane process instead of rebooting the device. Along with the data plane process reload, Snort and a few other processes are also reloaded. However, if the data plane process crashes during bootup, the device follows the normal reload/reboot sequence, which avoids a reload loop. This feature is enabled by default for both new and upgraded devices. To disable it, use FlexConfig. New/modified CLI commands: data-plane quick-reload, no data-plane quick-reload, show data-plane quick-reload status. Supported platforms: Firepower 1000/2100, Firepower 4100/9300. Platform restrictions: Not supported in multi-instance mode. See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Secure Firewall ASA Series Command Reference.
Deprecated Features

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Deprecated: frequent drain of events health alerts. | 7.4.1 | 7.4.1 | The Disk Usage health module no longer alerts with
Deprecated: VPN Tunnel Status health module. | 7.4.1 | Any | We deprecated the VPN Tunnel Status health module. Use the VPN dashboards instead.
Deprecated: Merging downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources with FlexConfig. | 7.4.1 | Any | Upgrade impact. Redo any related FlexConfigs after upgrade. This feature is now supported in the management center web interface.
Management Center Features in Version 7.4.0
Note: Version 7.4.0 is available only on the Secure Firewall Management Center and the Secure Firewall 4200. A Version 7.4.0 management center can manage older versions of other device models, but you must use a Secure Firewall 4200 for features that require threat defense 7.4.0. Support for all other device platforms resumes in Version 7.4.1.
Reintroduced Features

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Reintroduced features. | 7.4.0 | Feature dependent | Version 7.4.0 reintroduces features, enhancements, and critical fixes that were included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but that were not included in odd-numbered versions (7.1.x, 7.3.x). Reintroduced features include:
Platform

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Management center 1700, 2700, 4700. | 7.4.0 | Any | We introduced the Secure Firewall Management Center 1700, 2700, and 4700, which can manage up to 300 devices. Management center high availability is supported. See: Cisco Secure Firewall Management Center 1700, 2700, and 4700 Getting Started Guide
Management center virtual for Microsoft Hyper-V. | 7.4.0 | Any | We introduced Secure Firewall Management Center Virtual for Microsoft Hyper-V, which can manage up to 25 devices. Management center high availability is supported. See: Cisco Secure Firewall Management Center Virtual Getting Started Guide
Secure Firewall 4200. | 7.4.0 | 7.4.0 | We introduced the Secure Firewall 4215, 4225, and 4245. You must manage these devices with a management center; they do not support device manager. These devices support the following new network modules: See: Cisco Secure Firewall 4215, 4225, and 4245 Hardware Installation Guide
Performance profile support for the Secure Firewall 4200. | 7.4.0 | 7.4.0 | The performance profile settings available in the platform settings policy now apply to the Secure Firewall 4200. Previously, this feature was supported only on the Firepower 4100/9300 and on threat defense virtual.
Platform Migration

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Migrate from Firepower 1000/2100 to Secure Firewall 3100. | 7.4.0 | Any | You can now easily migrate configurations from the Firepower 1000/2100 to the Secure Firewall 3100. New/modified screens: Platform restrictions: Migration not supported from the Firepower 1010 or 1010E.
Migrate from Firepower Management Center 4600 to Secure Firewall Management Center for AWS. | 7.4.0 | Any | You can migrate from Firepower Management Center 4600 to Secure Firewall Management Center Virtual for AWS with a 300-device license. See: Cisco Secure Firewall Management Center Model Migration Guide
Migrate from Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700. | 7.4.0 | Any | You can migrate from Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700. See: Cisco Secure Firewall Management Center Model Migration Guide
Migrate from Firepower Management Center 1000/2500/4500 to Secure Firewall Management Center 1700/2700/4700. | 7.4.0 only | 7.0.0 | You can migrate Firepower Management Center 1000/2500/4500 to Secure Firewall Management Center 1700/2700/4700. To migrate, you must temporarily upgrade the old management center from Version 7.0 to Version 7.4.0. To summarize the migration process: See: If you have questions or need assistance at any point in the migration process, contact Cisco TAC.
Migrate devices from Firepower Management Center 1000/2500/4500 to cloud-delivered Firewall Management Center. | 7.4.0 only | 7.0.3 | You can migrate devices from Firepower Management Center 1000/2500/4500 to cloud-delivered Firewall Management Center. To migrate devices, you must temporarily upgrade the on-prem management center from Version 7.0.3 (7.0.5 recommended) to Version 7.4.0. This temporary upgrade is required because Version 7.0 management centers do not support device migration to the cloud. Additionally, only standalone and high availability threat defense devices running Version 7.0.3+ (7.0.5 recommended) are eligible for migration. Cluster migration is not supported at this time. To summarize the migration process: See: If you have questions or need assistance at any point in the migration process, contact Cisco TAC.
Device Management

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Low-touch provisioning to register the Firepower 1000/2100 and Secure Firewall 3100 to the management center using a serial number. | 7.4.0 | 7.2.0 if the management center is publicly reachable; 7.2.4 if it is not | Low-touch provisioning lets you register Firepower 1000/2100 and Secure Firewall 3100 devices to the management center by serial number without performing any initial setup on the device. The management center integrates with SecureX and Cisco Defense Orchestrator for this functionality. New/modified screens: Other version restrictions: This feature is not supported on Version 7.3.x or 7.4.0 threat defense devices when the management center is not publicly reachable. Support returns in Version 7.4.1. See: Add a Device to the Management Center Using the Serial Number (Low-Touch Provisioning)
Interfaces

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Merged management and diagnostic interfaces. | 7.4.0 | 7.4.0 | Upgrade impact. Merge interfaces after upgrade. For new devices using 7.4 and later, you cannot use the legacy diagnostic interface; only the merged management interface is available. If you upgraded to 7.4 or later and: Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now be used only if you specify a management-only interface (including Management) in the configuration. For platform settings, this means: New/modified screens: New/modified commands: show management-interface convergence
VXLAN VTEP IPv6 support. | 7.4.0 | 7.4.0 | You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the threat defense virtual cluster control link or for Geneve encapsulation. New/modified screens:
Loopback interface support for BGP and management traffic. | 7.4.0 | 7.4.0 | You can now use loopback interfaces for AAA, BGP, DNS, HTTP, ICMP, IPsec flow offload, NetFlow, SNMP, SSH, and syslog. New/modified screens: Devices > Device Management > Edit device > Interfaces > Add Interfaces > Loopback Interface
Loopback and management type interface group objects. | 7.4.0 | 7.4.0 | You can create interface group objects with only management-only or loopback interfaces. You can use these groups for management features such as DNS servers, HTTP access, or SSH. Loopback groups are available for any feature that can use loopback interfaces. Note that DNS does not support management interfaces. New/modified screens: See: Interface
High Availability/Scalability

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Manage threat defense high availability pairs using a data interface. | 7.4.0 | 7.4.0 | Threat defense high availability now supports using a regular data interface for communication with the management center. Previously, only standalone devices supported this feature.
SD-WAN

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
WAN summary dashboard. | 7.4.0 | 7.2.0 | The WAN Summary dashboard provides a snapshot of your WAN devices and their interfaces. It provides insight into your WAN network and information about device health, interface connectivity, application throughput, and VPN connectivity. You can monitor the WAN links and take proactive and prompt recovery measures. New/modified screens: Overview > WAN Summary
Policy-based routing using HTTP path monitoring. | 7.4.0 | 7.2.0 | Policy-based routing (PBR) can now use the performance metrics (RTT, jitter, packet loss, and MOS) collected by path monitoring through an HTTP client against the application domain, rather than metrics for a specific destination IP address. The HTTP-based application monitoring option is enabled by default for the interface. You can configure a PBR policy with a match ACL containing the monitored applications and an interface ordering for path determination. New/modified screens: Devices > Device Management > Edit device > Edit interface > Path Monitoring > Enable HTTP based Application Monitoring check box. Platform restrictions: Not supported for clustered devices.
Policy-based routing with user identity and SGTs. | 7.4.0 | 7.4.0 | You can now classify network traffic based on users, user groups, and SGTs in PBR policies. You can select the identity and SGT objects while defining the extended ACLs for the PBR policies. New/modified screens: Objects > Object Management > Access List > Extended > Add/Edit Extended Access List > Add/Edit Extended Access List Entry > Users and Security Group Tag
VPN

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
IPsec flow offload on the VTI loopback interface for the Secure Firewall 4200. | 7.4.0 | 7.4.0 | On the Secure Firewall 4200, qualifying IPsec connections through the VTI loopback interface are offloaded by default. Previously, this feature was supported for physical interfaces on the Secure Firewall 3100. You can change the configuration using FlexConfig and the flow-offload-ipsec command. Other requirements: FPGA firmware 6.2+. See: IPsec Flow Offload
Crypto debugging enhancements for the Secure Firewall 4200. | 7.4.0 | 7.4.0 | We made the following enhancements to crypto debugging: New/modified CLI commands: show counters
VPN: Remote Access

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Customize Secure Client messages, icons, images, and connect/disconnect scripts. | 7.4.0 | 7.1.0 | You can now customize Secure Client and deploy these customizations to the VPN headend. The following are the supported Secure Client customizations: Threat defense distributes these customizations to the endpoint when an end user connects from the Secure Client. New/modified screens:
VPN: Site to Site

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Easily view IKE and IPsec session details for VPN nodes. | 7.4.0 | Any | You can view the IKE and IPsec session details of VPN nodes in a user-friendly format in the Site-to-Site VPN dashboard. New/modified screens: Overview > Site to Site VPN > Under the Tunnel Status widget, hover over a topology, click View, and then click the CLI Details tab.
Site-to-site VPN information in connection events. | 7.4.0 | 7.4.0 with Snort 3 | Connection events now contain three new fields: Encrypt Peer, Decrypt Peer, and VPN Action. For policy-based and route-based site-to-site VPN traffic, these fields indicate whether a connection was encrypted or decrypted (or both, for transiting connections), and by which peer. New/modified screens:
Easily exempt site-to-site VPN traffic from NAT translation. | 7.4.0 | Any | We now make it easier to exempt site-to-site VPN traffic from NAT translation. New/modified screens: See: NAT Exemption
Routing

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Configure graceful restart for BGP on IPv6 networks. | 7.4.0 | 7.3.0 | You can now configure BGP graceful restart for IPv6 networks on managed devices running Version 7.3 and later. New/modified screens: Devices > Device Management > Edit device > Routing > BGP > IPv6 > Neighbor > Add/Edit Neighbor.
Virtual routing with dynamic VTI. | 7.4.0 | 7.4.0 | You can now configure a virtual router with a dynamic VTI for a route-based site-to-site VPN. New/modified screens: Devices > Device Management > Edit Device > Routing > Virtual Router Properties > Dynamic VTI interfaces under Available Interfaces. Platform restrictions: Supported only on native mode standalone or high availability devices. Not supported for container instances or clustered devices.
Access Control: Threat Detection and Application Identification

Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Clientless zero-trust access. | 7.4.0 | 7.4.0 with Snort 3 | We introduced Zero Trust Access, which allows you to authenticate and authorize access to protected web-based resources, applications, or data from inside (on-premises) or outside (remote) the network using an external SAML Identity Provider (IdP) policy. The configuration consists of a Zero Trust Application Policy (ZTAP), Application Group, and Applications. New/modified screens: New/modified CLI commands: See: Zero Trust Access
Encrypted visibility engine enhancements. | 7.4.0 | 7.4.0 with Snort 3 | Encrypted Visibility Engine (EVE) can now: New/modified screens: Use the access control policy's advanced settings to enable EVE and configure these settings.
Exempt specific networks and ports from bypassing or throttling elephant flows. | 7.4.0 | 7.4.0 with Snort 3 | You can now exempt specific networks and ports from bypassing or throttling elephant flows. New/modified screens: Platform restrictions: Not supported on the Firepower 2100 series.
First-packet application identification using custom application detectors. | 7.4.0 | 7.4.0 with Snort 3 | A new Lua detector API, addHostFirstPktApp, maps the IP address, port, and protocol seen on the very first packet of a TCP session to an application protocol (service AppID), client application (client AppID), and web application (payload AppID). This API is used for performance improvements, reinspection, and early detection of attacks in the traffic. To use this feature, you must upload the Lua detector by specifying the detection criteria in advanced detectors in your custom application detector.
Sensitive data detection and masking. | 7.4.0 | 7.4.0 with Snort 3 | Upgrade impact. New rules in default policies take effect. Sensitive data such as social security numbers, credit card numbers, email addresses, and so on may be leaked onto the internet, intentionally or accidentally. Sensitive data detection detects and generates events on possible sensitive data leakage, and generates events only if a significant amount of Personally Identifiable Information (PII) is transferred. Sensitive data detection can mask PII in the output of events, using built-in patterns. Disabling data masking is not supported.
Improved JavaScript inspection. | 7.4.0 | 7.4.0 with Snort 3 | We improved JavaScript inspection, which normalizes the JavaScript and matches rules against the normalized content. See: HTTP Inspect Inspector and Cisco Secure Firewall Management Center Snort 3 Configuration Guide
MITRE information in file and malware events. | 7.4.0 | 7.4.0 | The system now includes MITRE information (from local malware analysis) in file and malware events. Previously, this information was only available for intrusion events. You can view MITRE information in both the classic and unified events views. Note that the MITRE column is hidden by default in both event views. See: Local Malware Analysis and File and Malware Event Fields
Smaller VDB for lower memory Snort 2 devices. | 6.4.0.17, 7.0.6, 7.2.4, 7.3.1.1, 7.4.0 | Any with Snort 2 | Upgrade impact. Application identification on lower memory devices is affected. For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification compared to devices using the full VDB. Lower memory devices: ASA 5506-X series, ASA 5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X. Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not of the managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641.
Access Control: Identity |
|||||
Cisco Secure Dynamic Attributes Connector on the management center. |
7.4.0 |
Any |
You can now configure the Cisco Secure Dynamic Attributes Connector on the management center. Previously, it was only available as a standalone application. |
||
Microsoft Azure AD as a user identity source. |
7.4.0 |
7.4.0 |
You can use a Microsoft Azure Active Directory (Azure AD) realm with ISE to authenticate users and get user sessions for user control. New/modified screens:
Supported ISE versions: 3.0 patch 5+, 3.1 (any patch level), 3.2 (any patch level) |
||
Event Logging and Analysis |
|||||
Configure threat defense devices as NetFlow exporters from the management center web interface. |
7.4.0 |
Any |
Upgrade impact. Redo FlexConfigs after upgrade. NetFlow is a Cisco application that provides statistics on packets flows. You can now use the management center web interface to configure threat defense devices as NetFlow exporters. If you have an existing NetFlow FlexConfig and redo your configurations in the web interface, you cannot deploy until you remove the deprecated FlexConfigs. New/modified screens: See: Configure NetFlow |
||
More information about "unknown" SSL actions in logged encrypted connections. |
7.4.0 |
7.4.0 |
Serviceability improvements to the event reporting and decryption rule matching.
New/modified screens:
See: Connection and Security-Related Connection Event Fields. |
||
Health Monitoring |
|||||
Stream telemetry to an external server using OpenConfig. |
7.4.0 |
7.4.0 |
You can now send metrics and health monitoring information from your threat defense devices to an external server (gNMI collector) using OpenConfig. You can configure either threat defense or the collector to initiate the connection, which is encrypted by TLS. New/modified screens: System () |
||
New asp drop metrics. |
7.4.0 |
7.4.0 |
You can add over 600 new asp (accelerated security path) drop metrics to a new or existing device health dashboard. Make sure you choose the ASP Drops metric group. New/modified screens: System () |
||
Administration |
|||||
Send detailed management center audit logs to syslog. |
7.4.0 |
Any |
You can stream configuration changes as part of audit log data to syslog by specifying the configuration data format and the hosts. The management center supports backup and restore of the audit configuration log. New/modified screens: System () > Configuration > Audit Log > Send Configuration Changes |
||
Granular permissions for modifying access control policies and rules. |
7.4.0 |
Any |
You can define custom user roles to differentiate between the intrusion configuration in access control policies and rules and the rest of the access control policy and rules. Using these permissions, you can separate the responsibilities of your network administration team and your intrusion administration teams. When defining user roles, you can select the Modify Remaining Access Control Policy Configuration to control the ability to edit all other aspects of the policy. The existing pre-defined user roles that included the Modify Access Control Policy permission continue to support all sub-permissions; you need to create your own custom roles if you want to apply granular permissions. option to allow the selection of intrusion policy, variable set, and file policy in a rule, the configuration of the advanced options for Network Analysis and Intrusion Policies, the configuration of the Security Intelligence policy for the access control policy, and intrusion actions in the policy default action. You can use the |
||
Support for IPv6 URLs when checking certificate revocation. |
7.4.0 |
7.4.0 |
Previously, threat defense supported only IPv4 OCSP URLs. Now, threat defense supports both IPv4 and IPv6 OCSP URLs. See: Requiring Valid HTTPS Client Certificates and Certificate Enrollment Object Revocation Options |
||
Default NTP server updated. |
7.4.0 |
Any |
The default NTP server for new management center deployments changed from sourcefire.pool.ntp.org to time.cisco.com. We recommend you use the management center to serve time to its own devices. You can update the management center's NTP server on System () . |
||
Usability, Performance, and Troubleshooting |
|||||
Usability enhancements. |
7.4.0 |
Any |
You can now:
|
||
Specify the direction of traffic to be captured with packet capture for the Secure Firewall 4200. |
7.4.0 |
7.4.0 |
On the Secure Firewall 4200, you can use a new direction keyword with the capture command. New/modified CLI commands: capturecapture_nameswitchinterfaceinterface_name[ direction{ both| egress| ingress} ] |
||
Snort 3 restarts when it becomes unresponsive, which can trigger HA failover. |
7.4.0 |
7.4.0 with Snort 3 |
To improve continuity of operations, an unresponsive Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process becomes unresponsive. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.) This feature is enabled by default. You can use the CLI to disable it, or configure the time or number of unresponsive threads before Snort restarts. New/modified CLI commands: configure snort3-watchdog |
||
Cisco Success Network telemetry. |
7.4.0 |
Any |
For telemetry changes, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center, Version 7.4.x. |
||
Management Center REST API |
|||||
Management center REST API. |
7.4.0 |
Any |
For information on changes to the management center REST API, see What's New in Version 7.4 in the API quick start guide. |
||
Deprecated Features |
|||||
Temporarily deprecated features. |
7.4.0 |
Any |
Although upgrading to Version 7.4.0 is supported, the upgrade will remove critical features, fixes, and enhancements that may be included in your current version. Instead, upgrade to Version 7.4.1+. From Version 7.2.5–7.2.x, upgrading removes:
From Version 7.2.6–7.2.x, upgrading removes:
|
||
Deprecated: NetFlow with FlexConfig. |
7.4.0 |
Any |
You can now configure threat defense devices as NetFlow exporters from the management center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs. See: Configure NetFlow |
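The sensitive data detection and masking feature in the table above generates events only when a significant amount of PII crosses a session, and masks the PII in the event output. The following Python is an added illustration of that behaviour, not Cisco or Snort code: the patterns, the Luhn check, the masking style and the event threshold are all constructed for this example.

```python
"""Illustration of thresholded sensitive-data detection with masked event output."""
import re
from dataclasses import dataclass

# Constructed patterns for this example; they are not the product's built-in patterns.
PATTERNS = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),  # 13-19 digits, optional separators
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b"),
}

# Constructed default: raise an event only once a session carries this many hits of one kind.
EVENT_THRESHOLD = 3


@dataclass(frozen=True)
class Finding:
    kind: str
    start: int
    end: int
    masked: str


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum, used to drop digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask(kind: str, raw: str) -> str:
    """Replace the identifying part with X, keeping only what an analyst needs to correlate."""
    if kind == "us_ssn":
        return "XXX-XX-" + raw[-4:]
    if kind == "credit_card":
        digits = re.sub(r"\D", "", raw)
        return "X" * (len(digits) - 4) + digits[-4:]
    local, _, domain = raw.partition("@")
    return local[0] + "X" * (len(local) - 1) + "@" + domain


def find_sensitive(text: str) -> list[Finding]:
    """Return every pattern hit in text; credit card candidates must also pass Luhn."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            raw = m.group(0)
            if kind == "credit_card" and not luhn_ok(re.sub(r"\D", "", raw)):
                continue
            findings.append(Finding(kind, m.start(), m.end(), _mask(kind, raw)))
    return sorted(findings, key=lambda f: f.start)


def mask_text(text: str, findings: list[Finding]) -> str:
    """Rebuild text with each finding replaced by its masked form (right to left keeps offsets valid)."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[: f.start] + f.masked + out[f.end :]
    return out


def inspect_session(payload: str, threshold: int = EVENT_THRESHOLD) -> dict:
    """Count hits per kind and emit an event only for kinds at or above the threshold.

    The excerpt attached to each event is already masked, so the event itself leaks nothing.
    """
    findings = find_sensitive(payload)
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    events = [
        {"kind": kind, "count": n, "sample": mask_text(payload, findings)}
        for kind, n in sorted(counts.items())
        if n >= threshold
    ]
    return {"counts": counts, "events": events}


# Constructed sample: an HTTP POST body with three SSNs, one Luhn-valid test card number,
# one 16-digit run that fails Luhn (so it is not reported), and two email addresses.
SAMPLE_BODY = (
    "name=alice&ssn=123-45-6789&ssn2=234-56-7890&ssn3=345-67-8901"
    "&card=4111 1111 1111 1111&ref=1234 5678 9012 3456"
    "&mail=alice@example.com&alt=bob.smith@corp.example.org"
)

if __name__ == "__main__":
    result = inspect_session(SAMPLE_BODY)
    print(result["counts"])  # {'us_ssn': 3, 'credit_card': 1, 'email': 2}
    for ev in result["events"]:  # only us_ssn reaches the threshold of 3
        print(ev["kind"], ev["count"], ev["sample"])
```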
Device Manager Features
Device Manager Features in Version 7.4.x
Note |
Device manager support for Version 7.4 features begins with Version 7.4.1. This is because Version 7.4.0 is not available on any platforms that support device manager. |
| Feature | Description |
|---|---|
| Platform Features | |
| Firepower 1010E support returns. | Support returns for the Firepower 1010E, which was introduced in Version 7.2.3 and temporarily deprecated in Version 7.3. |
| Network modules for the Secure Firewall 3130 and 3140. | We introduced these network modules for the Secure Firewall 3130 and 3140: See: Cisco Secure Firewall 3110, 3120, 3130, and 3140 Hardware Installation Guide |
| VPN Features | |
| IPsec flow offload on the VTI loopback interface for the Secure Firewall 3100. | Upgrade impact. Qualifying connections start being offloaded. On the Secure Firewall 3100, qualifying IPsec connections through the VTI loopback interface are now offloaded by default. Previously, this feature was only supported on physical interfaces. This feature is automatically enabled by the upgrade. You can change the configuration using FlexConfig and the flow-offload-ipsec command. |
| Interface Features | |
| Merged management and diagnostic interfaces. | Upgrade impact. Merge interfaces after upgrade. For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available. If you upgraded to 7.4 or later and you did not have any configuration for the diagnostic interface, the interfaces merge automatically. If you upgraded to 7.4 or later and you have configuration for the diagnostic interface, you can either merge the interfaces manually or continue to use the separate diagnostic interface. Note that support for the diagnostic interface will be removed in a later release, so you should plan to merge the interfaces as soon as possible. Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including management) in the configuration. New/modified screens: New/modified commands: show management-interface convergence |
| Deploy without the diagnostic interface on threat defense virtual for Azure and GCP. | You can now deploy without the diagnostic interface on threat defense virtual for Azure and GCP. Azure deployments still require at least two data interfaces, but GCP requires that you replace the diagnostic interface with a data interface, for a new minimum of three. (Previously, threat defense virtual deployments required one management, one diagnostic, and at least two data interfaces.) Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
| Inline sets for Firepower 1000 series, Firepower 2100, and Secure Firewall 3100. | You can configure inline sets on Firepower 1000 series, Firepower 2100, and Secure Firewall 3100 devices. We added the inline sets tab to the Interface page. |
| Licensing Features | |
| Changes to license names and support for the Carrier license. | Licenses have been renamed: In addition, you can now apply the Carrier license, which allows you to configure GTP/GPRS, Diameter, SCTP, and M3UA inspections. Use FlexConfig to configure these features. See: Licensing the System |
| Administrative and Troubleshooting Features | |
| Default NTP server updated. | Upgrade impact. The system connects to new resources. The default NTP servers have changed from sourcefire.pool.ntp.org to time.cisco.com. To use a different NTP server, select Device, then click Time Services in the System Settings panel. |
| SAML servers for HTTPS management user access. | You can configure a SAML server to provide external authentication for HTTPS management access. You can configure external users with the following types of authorization access: Administrator, Audit Admin, Cryptographic Admin, Read-Write User, Read-Only User. You can use a Common Access Card (CAC) for login when using a SAML server. We updated the SAML identity source object configuration, and the page to accept them. |
| Detect configuration mismatches in threat defense high availability pairs. | You can now use the CLI to detect configuration mismatches in threat defense high availability pairs. New/modified CLI commands: show failover config-sync error, show failover config-sync stats |
| Capture dropped packets with the Secure Firewall 3100. | Packet losses resulting from MAC address table inconsistencies can impact your debugging capabilities. The Secure Firewall 3100 can now capture these dropped packets. New/modified CLI commands: [ drop { disable \| mac-filter } ] in the capture command. |
| Firmware upgrades included in FXOS upgrades. | Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot. For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1+ now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice: once for FXOS and once for the firmware. Just as with software and operating system upgrades, do not make or deploy configuration changes during a firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during a firmware upgrade. |
| Quick recovery after data plane failure for the Firepower 1000/2100 and Firepower 4100/9300. | When the data plane process on the Firepower 1000/2100 or the Firepower 4100/9300 crashes, the system reloads the process instead of rebooting the device. Reloading the data plane also restarts other processes, including Snort. If the data plane crashes during bootup, the device follows the normal reload/reboot sequence; this avoids a reload loop. This feature is enabled by default for both new and upgraded devices. To disable it, use FlexConfig. New/modified ASA CLI commands: data-plane quick-reload, show data-plane quick-reload status. New/modified threat defense CLI commands: show data-plane quick-reload status. Supported platforms: Firepower 1000/2100, Firepower 4100/9300. See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Secure Firewall ASA Series Command Reference. |
Upgrade
Upgrade Path
Planning your upgrade path is especially important for large high availability deployments, multi-hop upgrades, and situations where you need to coordinate related upgrades—operating systems, firmware, chassis, hosting environments, and so on.
Upgrade Path for Management Center
This table lists the minimum version to upgrade management center. The management center must run the same or newer version as its managed devices. Upgrade the management center to your target version first, then upgrade devices. If you begin with devices running a much older version than the management center, further management center upgrades can be blocked. In this case you will need to perform a three (or more) step upgrade: devices first, then the management center, then devices again.
| Target Version | Minimum Version to Upgrade | Oldest Device You Can Manage |
|---|---|---|
| 7.4 | 7.0 | 7.0 |
| 7.3 | 7.0 | 6.7 |
| 7.2 | 6.6 | 6.6 |
Upgrade Path for Threat Defense
| Target Version | Minimum Version to Upgrade |
|---|---|
| 7.4 | 7.0 |
| 7.3 | 7.0 |
| 7.2 | 6.6 |
Upgrade Path for Threat Defense with Chassis Upgrade
You may need to upgrade the chassis (FXOS and firmware) before you upgrade threat defense. Because you upgrade the chassis first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of threat defense. If the chassis is already well ahead of its devices, further chassis upgrades can be blocked. In this case you will need to perform a three (or more) step upgrade: devices first, then the chassis, then devices again. In high availability or clustered deployments, upgrade one chassis at a time.
This table lists the minimum versions to upgrade when a chassis upgrade is required (usually major upgrades). Chassis upgrades to FXOS 2.14.1+ include firmware, otherwise, see the Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.
| Target Versions | Minimum Versions to Upgrade |
|---|---|
| Threat Defense 7.4.1 on FXOS 2.14.1.131+ | Threat Defense 7.0 on FXOS 2.10 |
| Threat Defense 7.3 on FXOS 2.13.0.198+ | Threat Defense 7.0 on FXOS 2.10 |
| Threat Defense 7.2 on FXOS 2.12.0.31+ | Threat Defense 6.6 on FXOS 2.8 |
Upgrade Guidelines
The following sections contain release-specific upgrade warnings and guidelines. You should also check for features and bugs with upgrade impact. For general information on time/disk space requirements and on system behavior during upgrade, see the upgrade guide: For Assistance.
Upgrade Guidelines for Management Center
Check all releases between your current and target version.
| Target Version | Current Version | Guideline | Details |
|---|---|---|---|
| 7.4.1.x | 7.4.1 | Migration failure: do not migrate to management center Version 7.4.1 if you are using Security Intelligence. | Patch the target management center to Version 7.4.1.1 before you begin migration. The source management center can continue to run Version 7.4.1. For more information on model migration, see the Cisco Secure Firewall Management Center Model Migration Guide. |
| 7.3.x–7.4.0 | 7.2.6–7.2.x | Upgrade not recommended: Version 7.2.6–7.2.x to Version 7.3.x–7.4.0. | Upgrading is supported, but will remove critical fixes and enhancements that are included in your current version. Instead, upgrade to Version 7.4.1+. |
| 7.2.6 | 6.6.0–7.2.5 | Upgrade not recommended: Version 7.2.6. | Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. |
| 7.1.0 | 7.0.4–7.0.x | Upgrade prohibited: Version 7.0.4+ to Version 7.1.0. | Due to datastore incompatibilities, you cannot upgrade from Version 7.0.4–7.0.x to Version 7.1.0. Instead, upgrade to Version 7.2.0+. |
| 7.0.0–7.2.x | 6.4.0–6.7.x | Reconnect with Threat Grid for high availability management centers. | Version 7.0.0 fixes an issue with management center high availability and malware detection where, after failover, the system stopped submitting files for dynamic analysis (CSCvu35704). For the fix to take effect, you must reassociate with the Cisco Threat Grid public cloud after upgrading. After you upgrade the high availability pair to Version 7.0.0+, on the primary management center: |
| 6.7.0 | 6.6.5–6.6.x | Upgrade prohibited: management center Version 6.6.5+ to Version 6.7.0. | Due to datastore incompatibilities, you cannot upgrade the management center from Version 6.6.5–6.6.x to Version 6.7.0. Instead, upgrade to Version 7.0.0+. |
Upgrade Guidelines for Threat Defense with Device Manager
Check all releases between your current and target version.
| Target Version | Current Version | Guideline | Details |
|---|---|---|---|
| 7.2.6 | 6.6.0–7.2.5 | Upgrade not recommended: Version 7.2.6. | Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. |
| 7.1.0 | 7.0.4–7.0.x | Upgrade prohibited: Version 7.0.4+ to Version 7.1.0. | Due to datastore incompatibilities, you cannot upgrade from Version 7.0.4+ to Version 7.1.0. Instead, upgrade to Version 7.2.0+. |
| 6.7.0–7.2.x | 6.4.0–6.6.x | Upgrade failure: Firepower 1010 switch ports with invalid VLAN IDs. | For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with a VLAN ID in the 3968–4047 range. These IDs are for internal use only. |
Upgrade Guidelines for Threat Defense with Management Center
Check all releases between your current and target version.
| Target Version | Current Version | Guideline | Details |
|---|---|---|---|
| 7.4.1 | 7.1.x, 7.0.0–7.0.2 | Unregister and reregister devices after reverting threat defense. | If you revert from Version 7.4.1 to Version 7.0.0–7.0.2 or to Version 7.1.x, unregister and reregister devices after the revert completes (CSCwi31680). |
| 7.3.x | 7.2.6–7.2.x | Upgrade not recommended: Version 7.2.6–7.2.x to Version 7.3.x. | Upgrading is supported, but will remove critical fixes and enhancements that are included in your current version. Instead, upgrade to Version 7.4.1+. |
| 7.3.x | 7.1.x, 6.7.0–7.0.2 | Unregister and reregister devices after reverting threat defense. | If you revert from Version 7.3.x to Version 6.7.0–7.0.2 or to Version 7.1.x, unregister and reregister devices after the revert completes (CSCwi31680). |
| 7.2.6 | 6.6.0–7.2.5 | Upgrade not recommended: Version 7.2.6. | Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. |
| 7.2.0+ | 6.7.0–7.1.x | Upgrade prohibited: threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+. | You cannot upgrade threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+. You must deploy a new instance. |
| 7.2.0–7.2.6 | 7.1.x, 6.6.0–7.0.2 | Unregister and reregister devices after reverting threat defense. | If you revert from Version 7.2.0–7.2.6 to Version 6.6.0–7.0.2 or to Version 7.1.x, unregister and reregister devices after the revert completes (CSCwi31680). |
| 7.1.0 | 7.0.4–7.0.x | Upgrade prohibited: Version 7.0.4+ to Version 7.1.0. | Due to datastore incompatibilities, you cannot upgrade from Version 7.0.4+ to Version 7.1.0. Instead, upgrade to Version 7.2.0+. |
| 6.7.0–7.2.x | 6.4.0–6.6.x | Upgrade failure: Firepower 1010 switch ports with invalid VLAN IDs. | For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with a VLAN ID in the 3968–4047 range. These IDs are for internal use only. |
Upgrade Guidelines for the Firepower 4100/9300 Chassis
FXOS Upgrade Guidelines
For release-specific FXOS upgrade warnings and guidelines, as well as features and bugs with upgrade impact, see the FXOS release notes. Check all release notes between your current and target version.
| Target Threat Defense | Target FXOS | Release Notes |
|---|---|---|
| 7.4 | 2.14 | |
| 7.3 | 2.13 | |
| 7.2 | 2.12 | |
| 7.1 | 2.11 | |
| 7.0 | 2.10 | |
| 6.7 | 2.9 | |
| 6.6 | 2.8 | |
Firmware Upgrade Guidelines
For firmware upgrade guidelines, see the firmware upgrade guide: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.
Upgrade Impact Features
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part; this is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade; for example, if you must change a configuration.
Upgrade Impact Features for Management Center
Check all releases between your current and target version.
| Target Version | Features with Upgrade Impact |
|---|---|
| 7.4.1+ | |
| 7.4.0+ | |
| 7.3.1.1–7.3.1.x | |
| 7.3.0+ | |
| 7.2.6–7.2.x | |
| 7.2.5–7.2.x | |
| 7.2.4–7.2.x | |
| 7.2.4–7.2.5 | |
| 7.2.0+ | |
| 7.1.0.3–7.1.0.x | |
| 7.1.0+ | |
| 7.0.6–7.0.x | |
| 7.0.5–7.0.x | |
| 7.0.0+ | |
| 6.7.0+ | |
Upgrade Impact Features for Threat Defense with Management Center
Check all releases between your current and target version.
| Target Version | Features with Upgrade Impact |
|---|---|
| 7.4.1+ | |
| 7.3.0+ | |
| 7.2.4–7.2.x | |
| 7.2.0+ | |
| 7.1.0.3–7.1.0.x | |
| 7.1.0+ | |
| 7.0.5+ | |
| 7.0.0+ | |
| 6.7.0+ | |
Upgrade Impact Features for Threat Defense with Device Manager
Check all releases between your current and target version.
| Target Version | Features with Upgrade Impact |
|---|---|
| 7.4.1+ | |
| 7.3.0+ | |
| 7.2.4–7.2.x | |
| 7.1.0.3–7.1.0.x | |
| 7.1.0+ | |
| 7.0.6–7.0.x | |
| 7.0.5–7.0.x | |
| 7.0.0+ | |
| 6.7.0+ | |
Upgrade and Install Guides
Upgrade Guides
In management center deployments, the management center must run the same or newer version as its managed devices. Upgrade the management center first, then devices. Note that you always want to use the upgrade guide for the version of management center or device manager that you are currently running—not your target version.
| Platform | Upgrade Guide | Link |
|---|---|---|
| Management center | Management center version you are currently running. | https://www.cisco.com/go/fmc-upgrade |
| Threat defense with management center | Management center version you are currently running. | https://www.cisco.com/go/ftd-fmc-upgrade |
| Threat defense with device manager | Threat defense version you are currently running. | https://www.cisco.com/go/ftd-fdm-upgrade |
| Threat defense with cloud-delivered Firewall Management Center | Cloud-delivered Firewall Management Center. | |
Install Guides
If you cannot or do not want to upgrade, you can freshly install major and maintenance releases. This is also called reimaging. You cannot reimage to a patch. Install the appropriate major or maintenance release, then apply the patch. If you are reimaging to an earlier threat defense version on an FXOS device, perform a full reimage—even for devices where the operating system and software are bundled.
| Platform | Install Guide | Link |
|---|---|---|
| Management center hardware | Getting started guide for your management center hardware model. | |
| Management center virtual | Getting started guide for the management center virtual. | |
| Threat defense hardware | Getting started or reimage guide for your device model. | |
| Threat defense virtual | Getting started guide for your threat defense virtual version. | |
| FXOS for the Firepower 4100/9300 | Configuration guide for your FXOS version, in the Image Management chapter. | |
| FXOS for the Firepower 1000/2100 and Secure Firewall 3100/4200 | Troubleshooting guide, in the Reimage Procedures chapter. | |
Bugs
This document lists open and resolved bugs for threat defense and management center Version 7.4. For bugs in earlier releases, see the release notes for those versions. For cloud-delivered Firewall Management Center bugs, see the Cisco Cloud-Delivered Firewall Management Center Release Notes.
Important |
We do not list open bugs for most maintenance releases or patches. Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated' date does not mean that the list was fully accurate on that date—only that some change was made. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. If you have a support contract, you can obtain up-to-date bug lists with the Cisco Bug Search Tool. |
Open Bugs
Open Bugs in Version 7.4.0
Table last updated: 2023-09-11
| Bug ID | Headline |
|---|---|
| | Deploy failure when flow export destinations are swapped or port value changed |
| | IDP SAML missing filter in Zero Trust Policy shows all groups have missing IDP data |
| | New User activity page does not display events for Special Identities Realm |
| | Azure AD sessions do not get removed after disabling subscription or changing ise configuration |
| | Importing a realm with a proxy will fail |
| | Editing CSDAC dynamic attribute filter throwing Internal Error |
| | OSPFv3 BFD sessions not coming up for more than 7 |
| | PBR configuration using User Identity is not migrated during FTD migration to cdFMC |
| | Save button disabled when updating Zero Trust Policy |
| | New SRU is not immediately installed upon management center upgrade |
| | 4200 Series: Portchannel in cluster may stay down sometimes when LACP is in active mode |
| | EventHandler should not log warning if it fails to open a unified file when the file doesn't exist |
Resolved Bugs
Resolved Bugs in Version 7.4.1.1
Table last updated: 2024-04-24
| Bug ID | Headline |
|---|---|
| | HA CP clients statistics doesn't show actual Tx/Rx and Reliable Tx/Rx |
| | Readiness check failed on vFTD during upgrade from 741-172 to 760-1270 |
| | Blocking SMB traffic with reason "Blocked by the firewall preprocessor" |
| | Intermittent Packet Losses When VTI Is Sourced From Loopback |
| | Cisco ASA and FTD Software Command Injection Vulnerability |
| | Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
| | Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
| | SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
Resolved Bugs in Version 7.4.1
Table last updated: 2023-12-13
Bug ID |
Headline |
---|---|
FMC should monitor only named interfaces on FTD |
|
ASA concatenates syslog event to other syslog event while sending to the syslog server |
|
FMC fails to connect to SSM with error "Failed to send the message to the server" |
|
SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
|
deployment failing with - Unable to load container |
|
BGP table not removing connected route when interface goes down |
|
IPTables.conf file is disappearing resulting in backup and restore failure. |
|
ERROR: Deleted IDB found in in-use queue - message misleading |
|
In some cases transition to lightweight proxy doesn't work for Do Not Decrypt flows |
|
ASA traceback and reload while allocating a new block for cluster keepalive packet |
|
FMC is pushing SLA monitor commands in an incorrect order causing deployment failure. |
|
"Number of interfaces on Active and Standby are not consistent" should trigger warning syslog |
|
Standby unit failed to join failover due to large config size. |
|
FTD with Inline TAP re-writes frame with wrong MAC Address leading to connectivity problems. |
|
LINA observed traceback on thread name "snmp_client_callback_thread" |
|
Unable to push extra domains >1024 Character, as part of Custom Attribute under Anyconnect VPN |
|
user-name from certificate feature does not work with SER option |
|
SNMPv3 polling may fail using privacy algorithms AES192/AES256 |
|
Disable NLP rules installation workaround after mgmt-access into NLP is enabled |
|
ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low |
|
ASA Failover does not detect context mismatch before declaring joining node as "Standby ready" |
|
ISA3000 in boot loop after powercycle |
|
ENH: Reduce latency in log_handler_file to reduce watchdog under scale or stress |
|
ASA/FTD: DF bit is being set on packets routed into VTI |
|
Unable to identify dynamic rate liming mechanism & not following msg limit per/sec at syslog server. |
|
When inbound packet contains SGT header, FPR2100 cannot distribute properly per 5 tuple |
|
FTD: IKEv2 tunnels flaps every 24 hours and crypto archives are generated |
|
ASA/FTD Traceback and reload caused by Smart Call Home process sch_dispatch_to_url |
|
ASAv - 9344 Block not created automatically after enabling JumboFrames, breaks OSPF MD5 |
|
FW traceback in timer infra / netflow timer |
|
PBR not working on ASA routed mode with zone-members |
|
FMC GUI not displaying correct count of unused network objects |
|
RIP is advertising all connected Anyconnect users and not matching route-map for redistribution |
|
ASA/FTD traceback and reload due to the initiated capture from FMC |
|
Lina traceback and reload during EIGRP route update processing. |
|
ASA Traceback & reload in thread name: Datapath |
|
ASA/FTD traceback and reload on NAT related function nat_policy_find_location |
|
Network Object not visible after Flex migration and unable to save interface change in EIGRP->Setup |
|
We can't monitor the interface via "snmpwalk" once interface is removed from context. |
|
ASA/FTD failover pair traceback and reload due to connection replication race condition |
|
ASA graceful shutdown when applying ACLs with forward reference feature and FIPS enabled. |
|
Unable to apply SSH settings to ASA version 9.16 or later |
|
cache and dump last 20 rmu request response packets in case failures/delays while reading registers |
|
Snort down due to missing lua files because of disabled application detectors (PM side) |
|
ASA/FTD may traceback and reload in Thread Name 'ssh' |
|
ASA/FTD may traceback and reload in Thread Name 'None' |
|
Interface internal data0/0 is up/up from cli but up/down from SNMP polling |
|
No-buffer drops on Internal Data interfaces despite little evidence of CPU hog |
|
AnyConnect SAML - Client Certificate Prompt incorrectly appears within External Browser |
|
Standby ASA goes to booting loop during configuration replication after upgrade to 9.16(3). |
|
User without password prompted to change password when logged in from SSH Client |
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
FTDv Cluster unit not re-joining cluster with error msg "Failed to open NLP SSL listening socket" |
|
Temporary HA split-brain following upgrade or device reboot |
|
ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread |
|
FTD: SNMP failures after upgrade to 7.0.2 |
|
ASA tracebacks after SFR was upgraded to 6.7.0.3 |
|
ASA traceback and reload when modifying DNS inspection policy via CSM or CLI |
|
Digitally signed ASDM image verification error on FPR3100 platforms |
|
FTD/ASA traceback and reload at ../inspect/proxy.h:439 |
|
ASA - Restore does not remove the new configuration for an interface set up after backup |
|
"show nat pool cluster" commands run within EEM scripts lead to traceback and reload |
|
ASA/FTD Voltage information is missing in the command "show environment" |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-20-7695' |
|
ASA/FTD can not parse UPN from SAN field of user's certificate |
|
AC SSLVPN with Certificate Authentication and DAP failure if client's machine cert has empty subject |
|
ASA/FTD traceback and reload on Thread id: 1637 |
|
ASA/FTD Traceback and Reload in Thread name Lina or Datapath |
|
Traceback and Reload while HA sync after upgrading and reloading. |
|
9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
MI hangs and is not responding when FTD container instance is reloaded |
|
ASA Traceback and Reload on process name Lina |
|
Incorrect IF-MIB response when failover is configured on multiple contexts |
|
ASA: SLA debugs not showing up on VTY sessions |
|
NAT64 translates all IPv6 addresses to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used |
|
Snort leaking file descriptors with each u2 file created |
|
ASA traceback and reload due to "Heap memory corrupted at slib_malloc.c |
|
SSL AnyConnect access blocked after upgrade |
|
Lina Netflow sending permitted events to Stealthwatch but they are blocked by Snort afterwards |
|
ASA : HTTPS traffic authentication issue with Cut-through Proxy enabled |
|
FTD - Traceback and reload when performing IPv4 <> IPv6 NAT translations |
|
ASA/FTD: GTP inspection causing 9344 sized blocks leak |
|
ASA HA - Restore in primary does not remove new interface configuration done after backup |
|
ASA/FTD traceback and reload when ssh using username with nopassword keyword |
|
Inbound IPSEC SA stuck inactive - many inbound SPIs for one outbound SPI in "show crypto ipsec sa" |
|
ASA/FTD 2100 platform traceback and reload when fragments are coalesced and sent to PDTS |
|
FTD - Traceback and reload on NAT IPv4<>IPv6 for UDP flow redirected over CCL link |
|
MPLS tagging removed by FTD |
|
FXOS-based Firepower platform showing 'no buffer' drops despite high values for RX ring watermarks |
|
ASA/FTD Cluster Split Brain due to NAT with "any" and Global IP/range matching broadcast IP |
|
ASA parser accepts incomplete network statement under OSPF process and is present in show run |
|
Syslog related to failover is not output on FPR2140 |
|
IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response |
|
ASA fails to rekey with IPSEC ERROR: Failed to allocate an outbound hardware context |
|
ASA/FTD OSPFv3 does not generate messages Type 8 LSA for IPv6 |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
VTI hub with NAT-T enabled: pinhole connections loop and cause Snort busy drops |
|
ASA/FTD may traceback and reload in Thread Name 'lina_inotify_file_monitor_thread' |
|
FTD/ASA "Write Standby" enables ECDSA ciphers causing AC SSLv3 handshake failure |
|
ASA/FTD Traceback and reload on function "snp_cluster_trans_allocb" |
|
TACACS Accounting includes an incorrect IPv6 address of the client |
|
Call home configuration on standby device is lost after reload |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-11-32591' |
|
FTD - Traceback in Thread Name: DATAPATH |
|
FTD may traceback and reload in Thread Name 'DATAPATH-0-4948' |
|
CGroups errors in ASA syslog after startup |
|
ASA/FTD may traceback and reload during ACL changes linked to PBR config |
|
During deployment, the device gets stuck processing the config request. |
|
"inspect snmp" config difference between active and standby |
|
ASA/FTD traceback and reload caused by SNMP process failure |
|
Traffic on data unit gets dropped with "LU allocate xlate failed" on GCP cluster with interface NAT |
|
Unable to configure 'match ip address' under route-map when using object-group in access list |
|
FTD Traceback and reload when applying long commands from FMC UI or CLISH |
|
ASA/FTD Traceback and reload in Threadname: IKE Daemon |
|
ASA traceback and reload due to null pointer in Umbrella after modifying DNS inspection policy |
|
ASA 9.12(4)47 with user-statistics affects the "policy-server xxxx global" visibility. |
|
Using write standby in a user context leaves secondary firewall license status in an invalid state |
|
Unable to establish DTLSv1.2 with FIPS enabled after upgrade from 6.6.5. |
|
ASA/FTD memory leak and tracebacks due to ctm_n5 resets |
|
Lina Traceback and reload when issuing 'debug menu fxos_parser 4' |
|
ESP rule missing in vpn-context may cause IPSec traffic drop |
|
Traceback and reload due to TCP intercept stat in thread unicorn |
|
ISA3000 LACP channel member SFP port suspended after reload |
|
ASA/FTD may traceback and reload when clearing the configuration due to "snp_clear_acl_log_flow_all" |
|
ifAdminStatus output is abnormal via snmp polling |
|
logging/syslog is impacted by SNMP traps and logging history |
|
FTD Traceback and reload |
|
ASA Custom login page is not working through webvpn after an upgrade |
|
Snort3 unexpectedly dropping packets after 4MB when using file inspection with detection mode NAP |
|
User/group download may fail if a different realm is changed and saved |
|
Unable to add on-board and netmod interfaces to the same port-channel on Firepower 3110 |
|
FTD traceback on Lina due to syslog component. |
|
ASA/FTD Cluster Traceback and Reload during node leave |
|
25G CU SFPs not working in Brentwood 8x25G netmod |
|
cacert.pem on FMC expired and all devices show as disabled. |
|
Failover triggered because the inspection engine in the other unit failed due to disk failure |
|
ASA might generate traceback in ikev2 process and reload |
|
ASA/FTD may traceback and reload in Thread Name 'ikev2_fo_event' |
|
ASA/FTD Traceback and Reload in Thread Name: pix_flash_config_thread |
|
GTP inspection drops packets for optional IE Header Length being too short |
|
ASA/FTD traceback due to block data corruption |
|
ASA/FTD: NAT configuration deployment failure |
|
ASA: Unable to connect AnyConnect Cert based Auth with "periodic-authentication certificate" enabled |
|
ASA/FTD High CPU in SNMP Notify Thread |
|
FTD in HA traceback multiple times after adding a BGP neighbour with prefix list. |
|
ASA/FTD SNMP traps enqueued when no SNMP trap server configured |
|
ASA/FTD Transactional Commit may result in mismatched rules and traffic loss |
|
Device should not move to Active state once Reboot is triggered |
|
TPK: No nameif during traffic causes the device traceback, lina core is generated. |
|
Lina traceback and reload - VPN parent channel (SAL) has an invalid underlying channel |
|
ASAv "show crashinfo" prints in a continuous loop |
|
Management access over VPN not working when custom NAT is configured |
|
Cluster registration is failing because DATA_NODE isn't joining the cluster |
|
3130 HA assert: mh->mh_mem_pool > MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMPOOL_MAX_TYPE |
|
FTD: Traceback & reload in process name lina |
|
ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades |
|
Syslog 106016 is not rate-limited by default |
|
Serviceability Enhancement - Payloads that cannot be parsed are silently dropped by ASA/FTD |
|
ASA traceback and reload due to DNS inspection |
|
PIM register packets are not sent to Rendezvous Point (RP) due to PIM tunnel interface down state |
|
Blade remains online for more than 600 secs after deleting Native logical device on 92.14.0 |
|
FMC: Script to change hostname/IP on FTD's when FMC's Ip/hostname is changed |
|
Not able to ping Virtual IP of FTDv cluster |
|
FP2100: FXOS side changes for HA are not resilient to unexpected lacp process termination issue |
|
FDM FPR2k Network module interfaces are greyed out post 7.1.0 update |
|
QEMU KVM console got stuck in "Booting the kernel" page |
|
Fix Bootup Warning: Counter ID 'TLS13_DOWNSTREAM_CLIENT_CERTIFICATE_VERIFY' is too long |
|
Device API healthStatus for cluster devices not aligned with health status on device listing |
|
Snort3 stream core found init_tcp_packet_analysis |
|
Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload |
|
Unable to register new devices to buildout FMC 2700 (FMC HA Active) |
|
FTD-HA upgrade failed |
|
Internal Error while editing PPPoE configurations |
|
multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa |
|
FMC-HA sync loss for more than an hour because MariaDB replication is not in a good state, then recovered |
|
Azure FMC not accessible after upgrading from 7.3.0 to 7.4.0 |
|
8x10Gb netmod fails to come online |
|
ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured |
|
Azure D5v2 FTDv unable to send traffic - underruns and deplete DPDK buffers observed |
|
FPR 4115: primary unit lost all HA config after FTD HA upgrade |
|
Traffic drops for several minutes during deployment |
|
FTD: The upgrade was unsuccessful because the httpd process was not running |
|
The interface is deleted from interface group if the user changes its name [API] |
|
v1_message* and abp* files & sxp bookmark are not cleaned in user_enforcement on device registration |
|
FMC search error: "Error Loading Data Search Service Please Try Again." |
|
EventHandler warnings if syslog facility is CONSOLE |
|
FTD may not reboot as expected post upgrade if bundled FXOS version is the same on old and new version |
|
Deleting a BVI in FTD interfaces is causing packet drops in other BVIs |
|
FMC: Domain creation fails with error "Index 'netmap_num' for table 'domain_control_info'" |
|
FMC: GEOLOCATION size is causing upgrade failures |
|
FTD upgrade from 7.0 to 7.2.x and beyond crashes due to management-access enabled |
|
Cannot create two RA-VPN profiles with different SAML servers that have the same IDP |
|
Memory leak in the MessageService |
|
Readiness Check Failed [ERROR] Fatal error: Enterprise Object integrity check failed with 7 errors |
|
ASA/FTD: Revision of cluster event message "Health check detected that control left cluster" |
|
Create Identity Services Engine via API returns 404 Client Error: Not Found |
|
Cluster hardening fixes |
|
KP Generating invalid core files which cannot be decoded 7.2.4-64 |
|
show xlate does not display xlate entries for internal interfaces (nlp_int_tap) after enabling ssh. |
|
FTD HA app-sync failure, due to corruption in cache files. |
|
Add syslog IDs in the range 805003–852002 for rate limit under FMC |
|
Validation check on FMC GUI throws an error when adding new NAT objects |
|
Connections not replicated to Standby FTD |
|
FTD Crash in Thread Name: CP Processing |
|
SNMPv3 polling may fail using privacy algorithms AES192/AES256 |
|
Cannot Force Break FTD HA Pair |
|
User Group Download fetches less data than available or fails with "Size limit exceeded" error |
|
FMC device search page removes FTDs from their groups and puts them back to ungrouped |
|
PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting" |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
asa_snmp.log is not rotated, resulting in large file size |
|
FMC/FTD Dynamic VPN. Possibility to choose default preshared key from the dropdown list. |
|
FTD: 10Gbps/full interfaces changed to 1Gbps/Auto after upgrade and going to down state |
|
Lina core created during high traffic testing |
|
FTD readiness and upgrade passed with exception log as ProgressReport' has no attribute 'KB_UNIT' |
|
Unable to Access FMC GUI when using Certificate Authentication |
|
Phase 2 NAP delay seen in 7.0.1 while deploying policy |
|
KP - multimode: ASA traceback observed during HA node break and rejoin. |
|
Observed ASA traceback and reload when performing hitless upgrade while VPN traffic running |
|
Selective policy deploy with Identity Policy (captive-portal) and SSL Policy (dp-tcp-proxy) CLI |
|
EventHandler occasional corrupt bundle record - SFDataCorrelator logs "Error deserializing" |
|
FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message. |
|
FMC Restore of remote backup fails due to no space left on the device |
|
Deployments can cause certain RAVPN user mappings to get removed. |
|
Snort down due to missing lua files because of disabled application detectors (VDB side) |
|
Wrong destination zone on traffic causes traffic to match wrong AC rule |
|
Very specific "vpn-idle-timeout" values cause continuous SSL session disconnects and reconnects |
|
getReadinessStatusTaskList pjb request is very frequent when user is on the Upgrade sensor list page |
|
HA Serviceability Enh: Maintain HA NLP client stats and HA CTL NLP counters for current App-sync |
|
ASDM replaces custom policy-map with default map on class inspect options at backup restore. |
|
Unable to edit name or inspection mode of intrusion policy |
|
DBCheck shouldn't run against MonetDB if user is collecting config backup alone |
|
MYSQL, or any TCP high traffic, getting blocked by snort3, with snort-block as Drop-reason |
|
Network Object Group overrides cannot be viewed or edited from FMC GUI |
|
Unable to change admin user password after FMC migration if it had LOM access |
|
FMC - Import SSL Certificate Pinning from a CSV file may result in a failure to deploy policy on FTD |
|
Device list takes longer to load while creating new AC policy |
|
High Disk Utilization and Performance issue due to large MariaDB Undo Logs |
|
User is not informed of the dependent IPS when policy import fails. |
|
KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall |
|
[IMS_7_5_MAIN]High CPU usage on multiple appliances |
|
Traffic may be impacted if TLS Server Identity probe timeout is too long |
|
The interface configuration is missing after the FTD upgrade |
|
access-list: Cannot mix different types of access lists. |
|
ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk |
|
FTD: High-Availability unit stuck at CD App Sync error due to ngfwManager restart on peer |
|
WINSCP and SFTP detectors do not work as expected |
|
ASA/FTD client IP missing from TACACS+ request in SSH authentication |
|
Improper load-balancing for traffic on ERSPAN interfaces on FPR 3100/4200 |
|
PSEQ (Power-Sequencer) firmware may not be upgraded with bundled FXOS upgrade |
|
S2S dashboard SVTI tunnel details are missing after upgrade |
|
Lina crash in thread name: cli_xml_request_process during FTD cluster upgrade |
|
ECMP + NAT for ipsec sessions support request for Firepower. |
|
99.20.1.16 lina crash on nat_remove_policy_from_np |
|
Snort3 matches SMTP_RESPONSE_OVERFLOW (IPS rule 124:3) when SMTPS hosts exchange certificates |
|
Priority-queue command causes silent egress packet drops on all port-channel interfaces |
|
store_*list_history.pl task is created every 5min without getting closed causing FMC slowness. |
|
DNS cache entry exhaustion leads to traceback |
|
ASA SNMP polling not working and showing "Unable to honour this request now" on show commands |
|
ASA traceback and reload on Thread Name: DHCPRA Monitor |
|
Unable to delete custom rule group even when excluded from all the ips policies |
|
vFTD runs out of memory and goes to failed state |
|
ASA Traceback & reload on process name lina due to memory header validation |
|
FTD: HA App sync failure due to fover interface flap on standby unit |
|
"show route all summary" executed on transparent mode FTD is causing CLISH to become Sluggish. |
|
Failover: standby unit traceback and reload during modifying access-lists |
|
FTD Diskmanager.log is corrupt causing hm_du module to alert false high disk usage |
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220 |
|
vFMC: Scheduled deployment failing |
|
Correlation events for Connection Tracker <, <=, = or != rules show data for unrelated connections |
|
FP3110 7.2.4 Unexpected reboot of Firepower 3110 Device |
|
FTD: Traceback and reload during OSPF redistribution process execution |
|
FMC not generating FTD S2S VPN alerts when down or idle |
|
Add meaningful logs when the maximum system rule limits are hit |
|
Dumping of last 20 rmu request response packets failed |
|
ASA removes the IKEv2 Remote PSK if the Key String ends with a backslash "\" after reload |
|
Duplicate FTD cluster is created when multiple cluster events come at the same time |
|
Packet data is still dropped after upgrade |
|
False critical high CPU alerts for FTD device system cores running diskmanager/Pruner |
|
ASA: Checkheaps traceback and reload due to Clientless WebVPN |
|
After HA break, selected list shows both devices when 1 device is selected for upgrade |
|
Critical Alert Smart Agent is not registered with Smart Licensing Cloud |
|
Snort3 core in navl seen during traffic flow |
|
Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
|
Editing identity nat rule disables "perform route lookup" silently |
|
FTD: SNMP not working on management interface |
|
Snort2 engine is crashing after enabling TLS Server Identity Discovery feature |
|
Snort core while running IP Flow Statistics |
|
FMC displays VPN status as unknown even if the status is up when one of the peers is extranet |
|
Decrypting engine/ssl connections hang with PKI Interface Error seen |
|
WM RM - SFP port status of 9 follows the port state of SFP 10|11|12 |
|
FMC pushes the "shutdown" command on the management interface for the logical device |
|
Switch ports in Trunk mode do not pass VLAN traffic after power loss |
|
ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls |
|
Import of .SFO to FMC failed due to included local/custom rules having a blank rule message field |
|
ASA: Traceback and reload on Thread name "fover_FSM_thread" and ha_ntfy_prog_process_timer |
|
ECDSA Self-signed certificate using SHA384 for EC521 |
|
ASA|FTD: Traceback & reload due to a free buffer corruption |
|
LDAP missing files after upgrade when the Vault token is corrupted |
|
FMC: Should not be able to add the same interface to the same ECMP zone |
|
FTD Lina traceback Thread Name: DATAPATH-3-11917 due to double free |
|
"failover standby config-lock" config is lost after both HA units are reloaded simultaneously |
|
OSPFv3 Traffic is Centralized in Transparent Mode |
|
FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment |
|
FTD /ngfw disk space full from Snort3 url db files |
|
Radius authentication stopped working after ASAv on AWS upgrade to any higher version than 9.18.2 |
|
Port-channel interface speed changes from 10G to 1G after a policy deployment |
|
ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix |
|
ASDM application randomly exits/terminates with an alert message on multi-context setup |
|
ASA/FTD HA checkheaps crash where memory buffers are corrupted |
|
ASA omits port in host field of HTTP header of OCSP request if non-default port begins with 80 |
|
Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2 |
|
ASA traceback on Lina process with FREEB and VPN functions |
|
FTDv/AWS - NTP clock offset between Lina and FTD cluster |
|
ASA/FTD: Traceback and reload due to NAT change and DVTI in use |
|
Core-compressor fails due to core filename with white space |
|
Snort blacklisting traffic during deployment |
|
ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms |
|
Encrypted Visibility Engine (EVE) FMC dashboard tab and widgets not renamed after 7.1 > 7.2+ upgrade |
|
ASA/FTD may traceback and reload in when changing capture buffer size |
|
File sizes bigger than 100MB for AnyConnect/Secure Client images cannot be uploaded on FMC |
|
FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn |
|
SRU installation gets stuck at 602_log_package.pl script, causing deployment failure |
|
Lina crash in snp_fp_tcp_normalizer() when DAQ/Snort sends malformed L3 header |
|
Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output |
|
Include "show env tech" in FXOS FPRM troubleshoot |
|
Intermittently, flow is getting white-listed by Snort for unknown app-id traffic. |
|
ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple |
|
The FMC preview deployment shows wrong information. |
|
741 - HA & AppAgent - Long term solution for avoiding momentary split-brain situations |
|
ASA unexpected HA failover due to MIO blade heartbeat failure |
|
ASA traceback when re-configuring access-list |
|
sfdatacorrelator crashing due to table corruption 'rua_event_xxxxx' |
|
PAC Key file missing on standby on reload |
|
FMC upgrade stuck at 1039_fmc_rabbitmq_enable |
|
Frequent drain of events (not unprocessed events) to be removed from FMC |
|
FTD VMWare: High disk utilization on /dev/sda8 partition caused by file system corruption |
|
FMC userrole missing permissions may cause Tomcat to continuously restart after upgrade to 7.2.4 |
|
SQL packets involved in a large query are dropped by SNORT3 with reason snort-block |
|
Connections are not cleared after idle timeout when the interfaces are in inline mode. |
|
While editing AC-policy rules, the rule order number becomes misaligned. |
|
Specific OID 1.3.6.1.2.1.25 should not be responding |
|
dl_task.pl tasks keep getting created every hour when a database query is blocked |
|
Firewall Blocking packets after failover due to IP <-> SGT mappings |
|
Syslog not updating when prefilter rule name changes |
|
FTD (FDM) fails when executing script 800_post/100_ftd_onbox_data_import.sh |
|
FTD - Upgrade triggers persistent VPN Tunnel health monitor alarm |
|
ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config |
|
FTD - Traceback and reload due to nat rule removed by CPU core |
|
ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT |
|
FTD not generating end of connection event after "Deleting Firewall session" |
|
DAP: FMC adds characters in a LUA script |
|
Removal of msie-proxy commands during flexconfig rollback |
|
FTD responding to UDP500 packet with a MAC address of 0000.000.000 |
|
FMC7.2.x EIGRP flexconfig migration fails with internal error due to interface config mismatch |
|
FMC Restore is stuck in vault clear stage after mysql restore completed |
|
ASA "pager line 25" command doesn't work as expected on some terminal applications |
|
FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze |
|
ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA |
|
Cisco_Firepower_GEODB_FMC_Update* are not included in diskmanager |
|
FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
Configuration archive creation failing and causing deployment preview to throw error |
|
2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
|
Extended Access List Object does not allow IP range configuration |
|
ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces |
|
FTD: Failover/High Availability disabled with Mate version 0.0 is not compatible |
|
"show aaa-server" command always shows the Average round trip time 0ms. |
|
ASA/FTD may traceback and reload while running show inventory all |
|
AMP Cloud lookup times out frequently. |
|
FMC SSO times out when user session is active for more than 1 hr (idle timeout) |
|
Initiator Country and Continent missing on Custom View on Event viewer |
|
ASA:Management access via IPSec tunnel is NOT working |
|
FMC: query_engine.log Growing More Quickly Than Expected, Resulting In High Disk Utilization |
|
The FMC is showing "The password encryption key has not been set" alert for an 11xx/21xx/31xx device |
|
ASA: Traceback and reload during 6 nodes cluster synchronization after CCL link failure/recovery |
|
SFDataCorrelator crashing repeatedly in RNA_DB_InsertServiceInfo |
|
Devices with classic licenses fail to register with FMC running version 7.2.X |
|
ASA/FTD traceback and reload with IPSec VPN, possibly involving upgrade |
|
SNORT3 - FTD - TSID high cpu, daq polling when ssl enabled is not pulling enough packets |
|
Source NAT Rule performing incorrect translation due to interface overload |
|
ASA/FTD may traceback and reload in Thread Name 'lina' while processing DAP data |
|
VPN Load Balancing Cluster IP address/host name is not on the same subnet as the public interface |
|
Fragmented UDP packet via MPLS tunnel reassemble fail |
|
Multicast through the box traffic causing high CPU with 1GBps traffic |
|
Additional command outputs needed in FTD troubleshoot for blocks and ssl cache |
|
FMC HA: When logging into the standby FMC stacktraces are always present. |
|
FTD SNMPv3 host configuration gets deleted from IPTABLES after adding host-group configuration |
|
Cannot use .k12 domain on realm AD Primary Domain configuration |
|
Fix the regression in handling the web UI not getting the FTDv variable |
|
ASDM cannot see log timestamps after enabling logging timestamp on CLI |
|
Configuring and unconfiguring "match ip address test" may lead to crash |
|
sshd restarting during upgrade leaves /new-root as the default root partition |
|
Configuration to disable TLS1.3 |
|
Diskmanager process terminated unexpectedly |
|
Prefilter cannot add Tunnel Endpoints in Tunnel Rule on FMC |
|
ASA: Traceback and reload when restore configuration using CLI |
|
FTDv throughput got changed to 100Kbps after upgrade |
|
Timestamp entry missing for some syslog messages sent to syslog server |
|
Community string sent from router is not matching ASA |
|
spin lock and watch dog crash in kp 741-1146 - ctm_ipsec_get_sa_lock+112 |
|
Secondary lost failover communication on Inside, using IPv6, but next testing of Inside passes |
|
FXOS : Duplication of NTP entry results in Error message : Unreachable Or Invalid Ntp Server |
|
Unable to create VRF via FDM in Firepower 3105 device |
|
Snort3 dropping IP protocol 51 |
|
Unexpected high values for DAQ outstanding counter |
|
FMC does not save changes made on access list. |
|
ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
|
FMC should report user whether it supports or not while configuring remote storage |
|
SNMP fails to poll accurate hostname from FMC |
|
Every HA sync attempts to disable URL filtering if already disabled. |
|
eStreamer JSON parse error and memory leak |
|
Snort is getting reloaded during deploy due to diff in timerange and nap conf contents in each run |
|
FTD unregisters the standby FMC immediately after a successful registration |
|
FDM Upgrade failure due to expired certificates |
|
File copy via SCP using ciscossh stack fails with error "no such file or directory" |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
CPOC: 4245 ASA Crashed with CPS test |
|
Cross ifc access: Revert PING to old non-cross ifc behavior |
|
FMC missing validation for syslog port setting |
|
Node kicked out of cluster while enabling or disabling rule profiling |
|
ASA dropping IPSEC traffic incorrectly when "ip verify reverse-path" is configured |
|
OSPF Redistribution route-map with prefix-list not working after upgrade |
Resolved Bugs in Version 7.4.0
Table last updated: 2023-09-07
Bug ID |
Headline |
---|---|
Improve logging of Secure Firewall (Firepower) backups and retry for gzip when using remote storage |
|
Flex config Preview of $SYS_FW_ENABLED_INSPECT_PROTOCOL_LIST throws error |
|
FTD traceback in Thread Name cli_xml_server when deploying QoS policy |
|
FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS) |
|
Filtering Network objects is not working, getting 'Error Loading Data' |
|
Radius Key with the ASCII character " configured on FXOS does not work after chassis reload. |
|
Lack of throttling of ARP miss indications to CP leads to oversubscription |
|
Upgrade to 6.6.1 fails at 800_post/1025_vrf_policy_upgrade.pl |
|
Observed few snort instances stuck at 100% |
|
FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices |
|
File list preview: Deleting two lists having some similar contents throws stacktrace on FMC-UI |
|
Error Loading Data: Couldnt resolve few of the STDACE BBs |
|
"Warning:Update failed/in-progress." Cosmetic after successful update |
|
Crashinfo script is invoked on SFR running snort2 and device fails to upgrade to 7.0 |
|
SNORT2: FTD is performing Full proxy even when SSL rule has DND action. |
|
ENH:FMC Removal and manual reconfiguration of changes for CAC-authenticated users should not happen |
|
IPS policy should be imported when it is referred to in Access Control policy |
|
Cisco ASA Software SSL VPN Client-Side Request Smuggling Vulnerability via "/" URI |
|
FMC4500/4600 shows virtual license |
|
FDM IKEv2 S2S PSK Not Deploying Correctly (Changing Asymmetric to Symmetric PSK) |
|
API key corrupted for FMC with multiple interfaces |
|
FMC NFS configuration failing after upgrade from 6.4.0.4 to 7.0.1 |
|
Primary node disconnected from VPN-Cluster when performed HA failover on Primary with DNS lookup |
|
Modify /800_post/1027_ldap_external_auth_fix.pl to not fail FMC upgrade when objects are corrupt |
|
Microsoft update traffic blocked with Snort version 3 Malware inspection |
|
FDM: Policy deployment failure after upgrade due to unused IKEv1 policies |
|
ASA/FTD Traceback and reload in Process Name: lina |
|
Disk usage errors on Firepower Azure device due to large backup unified files under ngfw directory |
|
FDM bootstrap could be skipped if device rebooted when bootstrap is not completed |
|
FMC backup may fail due to monetdb backup failure with return code 102 |
|
Upgrade with a large amount of unmonitored disk space used can cause failed upgrade and hung device |
|
MFIB RPF failed counter instead of Other drops increments when outgoing interface list is Null |
|
ASA: The timestamp for all logs generated by Admin context are the same |
|
FTD on FP2100 can take over as HA active unit during reboot process |
|
FMC | Interface update Failed. Could not find source interface |
|
ASAv high CPU and stack memory allocation errors despite over 30% free memory |
|
Snort3: NFSv3 mount may fail for traffic through FTD |
|
Deployment/Tasks button not seen in FMC UI while doing upgrade tests configured in Light theme |
|
FMC: Validation check to prevent exponential expansion of NAT rules |
|
Selective deployment of IPS may cause outage due to incorrectly written FTD configuration files |
|
Connection Events seen on FMC even though the rule is not configured to send events to FMC |
|
FTPS getting ssl3_get_record:bad record type during connection for KK and DR rules |
|
FMC 7.2.0|7.3.0 Integration > Identity Sources page does not load, keeps spinning |
|
Excessive logging from hm_du.pm may lead to syslog-ng process restarts |
|
Failing to generate FMC Backup/Restore via SMB/SSH |
|
Estreamer page fails to load in ASDM |
|
Snort3 crash with TLS 1.3 |
|
Fix multiple crash handler issues |
|
FTD unable to sync HA due to snort validation failed |
|
ASA/FTD may traceback and reload in Thread Name 'lina' ip routing ndbshr |
|
sybase related modules should be removed |
|
snort3 hangs in Crash handler which can lead to extended outage time during a snort crash |
|
ASA HA failover triggers HTTP server restart failure and ASDM outage |
|
FPR2140 ASA Clock Timezone reverts to UTC after appliance restart/reload |
|
Auth-Daemon process is getting restarted continuously when SSO is disabled |
|
FMC RSS Feed broken because FeedBurner is no longer active - "Unable to parse feed" |
|
25G-SR should default to RS-FEC (IEEE CL108) instead of FC-FEC |
|
link state propagation stops working when performing full chassis reboot |
|
FPR1000 ASA/FTD: Primary takes active role after reloading |
|
Database may fail to shut down and/or start up properly during upgrade |
|
Cannot save realm configuration unless AD Join Password is empty |
|
Snort process may trace back in ssl_debug_log_config and generate core file |
|
Intrusion events intermittently stop appearing in FMC when using snort3 |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 36) |
|
ASAv "Unable to retrieve license info. Please try again later" |
|
FTD misses diagnostic data required for investigation of "Communication with NPU lost" error |
|
FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters |
|
ASA using WebVPN tracebacks in Unicorn thread during memory tracking |
|
Captive portal support in cross domain |
|
FMC module specific health exclusion disables all health checks |
|
SNMP 'Confirm Community String' string is not auto-populated after the FMC upgrade |
|
ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
|
PDTS write from Daq can fail when PDTS buffer is full eventually leads to block depletion |
|
multiple snort3 crashes after upgrading FTD from 7.2.0 to 7.2.0.1 |
|
ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off |
|
AnyConnect SAML using external browser and round robin DNS intermittently fails |
|
Deployment Fails with stacktrace: Invalid type (LocalIdentitySource) |
|
FTD sensor rules missing from ngfw.rules file after a sensor backup restore execution |
|
critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on 2100/3100 devices |
|
Missing fqdns_old.conf file causes FTD HA app sync failure |
|
FMC - Unable to initiate deployment due to incorrect threat license validation |
|
during download from file event on FMC, high CPU use on FMC for 20 minutes before download fails |
|
FTD upgrade failure due to Syslog files getting generated/deleted rapidly |
|
FTD Unable to bind to port 8305 after management IP change |
|
ASA/FTD: Using Round Robin with PAT rules on two or more interfaces breaks IP stickiness |
|
Object edit slowness when it is associated with NAT rules |
|
GTP drops not always logged on buffer and syslog |
|
File events show Action as "Malware Block" for files with correct disposition of unknown |
|
ASA/FTD may traceback and reload in Thread Name 'lina' following policy deployment |
|
HA did not failover due to misleading status updates from NDClient |
|
FPR1K FTD fails to form HA due to reason "Other unit has different set of hwidb index" |
|
ASA/FTD may traceback with large number of network objects deployment using distribute-list |
|
HTTP Block Response and Interactive Block response pages not being displayed by Snort3 |
|
EIGRPv6 - Crashed with "mem_lock: Assertion mem_refcount' failed" on LINA. |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
All traffic blocked due to access-group command missing from FTD config |
|
standby unit using both active and standby IPs causing duplicate IP issues due to nat "any" |
|
log rotate failing to cycle files, resulting in large file sizes |
|
FTD: FTPS Data Channel connection impacted by TLS Server Identity and Discovery Probe sent by FTD |
|
FMC HA - files in tmp/Sync are left on secondary when synchronisation task fails |
|
lost cac.conf after upgrade to 7.2.1 for FMC smart-card auth |
|
DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA |
|
Duplicate SMB session id packets causing snort3 crash |
|
LTS18 and LTS21 commit id update in CCM layer (seq 39) |
|
Cisco FXOS Software Arbitrary File Write Vulnerability |
|
Filtering of jobs in deploy history page is applying the criteria only on Top50 jobs |
|
ASA/FTD traceback and reload on thread name fover_fail_check |
|
Proxy is engaged even when we have a Definitive DND rule match |
|
FMC can allow deployment of NAP in test mode with Decrypt policy |
|
SSL Policy DND default Rule fails on error unsupported cipher suite and SKE error. |
|
Firepower Management Center GUI view for Snort2 Local Intrusion Rules is missing |
|
Very long validation time during Policy Deployment due to big network object in SSL policy |
|
FMC HA webUI is not getting FTDv Variable tier assigned FTDv - Variable |
|
Re-downloaded users from a forest with trusted domains may become unresolved/un-synchronized |
|
deployment failed with OOM (out of memory) for policy_apply.pl process |
|
Packet-Tracer interfaces not showing up in UI after updating interface name from lower to upper case |
|
SRU installation failure. |
|
FMC not showing any alerts/warnings when deploying changes of prefix list with same seq # |
|
Expected snmp output is not found in 'show run | in fxos snmp' |
|
Deploying objects with escaped values in the description might cause all future deployments to fail |
|
Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log |
|
FTDv Cluster Health Monitor fails with "Error fetching live status of the cluster" |
|
Object NAT edit is failing |
|
Pre-login banner on FCM webUI shows extra characters on 92.14.0 |
|
FPR 2100: 10G interfaces with 1G SFP goes down post reload |
|
Periodic sync failures are not reported to users |
|
fxos log rotate failing to cycle files, resulting in large file sizes |
|
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
|
FXOS: memory leak in svc_sam_envAG process |
|
800_post/1027_ldap_external_auth_fix.pl upgrade error -- reference to missing authentication object |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 40) |
|
ASA - traceback and reload when Webvpn Portal is used |
|
Port-channel interface went down post deployment |
|
FMC UI showing disabled/offline for multiple devices as health events are not processed |
|
Missing SSL MEMCAP causes deployment failure due to timeout waiting for snort detection engines |
|
Pre-deployment failure seen in FMC due to huge number policies |
|
Upgrades are not cleaning up mysql files leading to alert for 'High unmanaged disk usage on /ngfw' |
|
ASA restore is not applying vlan configuration |
|
Unable to get polling results using SNMP GET for connection rate OIDs |
|
Add validation in lua detector api to check for empty patterns for service apps |
|
FMC not opening deployment preview window |
|
ASA/FTD: Object Group Search Syslog for flows exceeding threshold |
|
FTD PDTS LINA RX queue can become stuck when snort sends messages of 4085-4096 bytes |
|
AWS: SSL decryption failing with Geneve tunnel interface |
|
Data migration from Sybase to MariaDB taking more time due to large data size of POLICY_SNAPSHOT |
|
FMC gives an irrelevant error message for Snort2 to Snort3 rules conversion failure |
|
Stale CPU core health events seen on FMC UI post upgrade to 7.0.0+. |
|
Need corrections in log_handler_file watchdog crash fix |
|
Deployment failure with localpool overlap error after upgrade |
|
"show tech-support" generation does not include "show inventory" when run on FTD |
|
FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
|
Misleading drop reason in "show asp drop" |
|
Clientless Accessing Web Contents using application/octet-stream vs text/plain |
|
Recursive panic under lina_duart_write |
|
FMC UI may become unavailable and show "System processes are starting" message after upgrade |
|
Inline-pair state cannot auto-recover from hardware-bypass to standby mode. |
|
allocate more cgroup memory for policy deployment subgroup |
|
HA periodic sync is failing because cfg files are missing |
|
At times AC policy save takes a long time, around 10 minutes or more |
|
ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade |
|
ASA: Standby may get stuck in "Sync Config" status upon reboot when EEM is configured |
|
FMC UI Showing inaccurate data in S2S VPN Monitoring page |
|
FTDv: Policy Deployment failure due to interface setting on failover interface |
|
ASA Connections stuck in idle state when DCD is enabled |
|
Cross-domain users with non-ASCII characters are not resolved |
|
FPR2100: Increase in failover convergence time with ASA in Appliance mode |
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum with all 0 checksum |
|
AC clients fail to match DAP rules due to attribute value too large |
|
Packets through cascading contexts in ASA are dropped in gateway context after software upgrade |
|
FXOS is not rotating PoE logs |
|
FP4125 2.10.1.166 FTD applications in HA went into not responding state |
|
Lina changes to support - Snort3 traceback in daq-pdts while handling FQDN based traffic |
|
ASA|FTD: Implement different TLS diffie-hellman prime based on RFC recommendation |
|
FMC Connection Event stop displaying latest event |
|
Port-channel interfaces of secondary unit are in waiting status after reload |
|
FMC should not accept carriage return in the interface description field of a managed device |
|
ASA/FTD may traceback and reload in idfw fqdn hash lookup |
|
S2S VPN dashboard shows ipv4 SVTI tunnel down between KP-HA and WA-HA after KP-HA Switch role. |
|
FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
FMC 7.1.0.1 Doesn't throw warning that S2S VPN Configs contain deprecated MD5 Hash during deployment |
|
FMC: Updates page takes more than 5 minutes to load |
|
S2S Tunnels do not come up due to DH computation failure caused by DSID Leak |
|
30+ seconds data loss when a unit rejoins the cluster |
|
Predefined FlexConfig Text Objects are not exported by Import-Export |
|
FMC External Auth test error "Encryption method is configured but you did not upload a certificate." |
|
FTD with Snort3 might have memory corruption BT in snort file with same IP traffic scaling |
|
FMC import takes too long |
|
FPR3110 fans' SN on label differs from show inventory CLI output |
|
Snort crashes while reloading mercury library with any VDB install on 7.3.0 and 7.4.0 |
|
ASA configured with HA may traceback and reload with multiple input/output error messages |
|
intrusion events fail to migrate from MariaDB to MonetDB following FMC upgrade from 7.0.3 to 7.1.0 |
|
Import/export fails with backend error |
|
MI FTD running 7.0.4 has high disk utilization |
|
Snort drops Bomgar application packets with Early Application Detection enabled |
|
FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q |
|
Snort3 crash seen sometimes while processing a future flow connection after appid detectors reload |
|
LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage |
|
Snort outputs massive volume of packet events - IPS event view may show "No Packet Information" |
|
FMC should display the status of physical FTD interfaces bundled in port-channel |
|
FTD -Snort match incorrect NAP id for traffic |
|
Microsoft SCEP enrollment fails to get ASA identity cert - Unable to verify PKCS7 |
|
ASA/FTD may traceback and reload in Thread Name 'telnet/ci' |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Observing some devcmd failures and checkheaps traceback when flow offload is not used. |
|
Snort mem used alert should read the value from perfstats for snort instance rather than cgroups |
|
AWS ASAv PAYG Licensing not working in GovCloud regions. |
|
FTDs running 6.6.x show as disconnected on new HM (6.7+) but checks are running and updating |
|
Traceback and reload when webvpn users match DAP access-list with 36k elements |
|
Unable to access Dynamic Access policy |
|
Number of objects is not getting updated under Policies > Security Intelligence > Block list |
|
ASA/FTD: Traceback and Reload on Netflow timer infra |
|
Disabling NAVL guids from userappid.conf doesn't work |
|
Cut-Through Proxy does not work with HTTPS traffic |
|
seeing error on access policies on FMC - "Error during policy validation" |
|
Enhance logging mechanism for syslogs |
|
ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units |
|
Deployment changes to push VDB package based on Device model and snort engine |
|
ASA/FTD failure due to heartbeat loss between chassis and blade |
|
MariaDB crash (segmentation fault) related to netmap query |
|
Software upgrade on FDM fails due to improper next-hop validation |
|
FMC | Deployment failure in csm_snapshot_error |
|
ASA/FTD may traceback and reload in logging_cfg processing |
|
Incorrect Paging and count value for Time Range Object Get API |
|
FAN LED flashing amber on FPR2100 |
|
No Inspect Interruption warning when deploy after FMC upgrade |
|
Clientless VPN users are unable to download large files through the WebVPN portal |
|
SFDataCorrelator performance degradation involving hosts with many discovered MAC addresses |
|
AnyConnect users unable to connect when ASA uses different authentication and authorization servers |
|
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob |
|
Can't modify RA vpn group policy on FDM 7.3 |
|
Primary ASA traceback upon rebooting the secondary |
|
ASA/FTD traceback and reload, Thread Name: rtcli async executor process |
|
FMC SecureX via proxy stops working after upgrade to 7.x |
|
Link Up seen for a few seconds on FPR1010 during bootup |
|
FTD: Unable to configure WebVPN Keepout or Certificate Map on FPR3100 |
|
ASA unexpectedly reloads when doing backup |
|
41xx: Blade does not capture or log a reboot signal |
|
High FMC backup file size due to configurations snapshot for all managed devices |
|
ASA/FTD: External IDP SAML authentication fails with Bad Request message |
|
Summary status dashboard takes more than 3 mins to load upon login |
|
Interactive Block action doesn't work when websites are redirected to https |
|
License Commands go missing in Cluster data unit if the Cluster join fails. |
|
FTD traceback and reload while deploying PAT POOL |
|
Need to provide rate-limit on "logging history <mode>" |
|
collection of top.log.gz in troubleshoot can be corrupt due to race condition |
|
Unexpected "No Traffic" health alert on Standby HA Data Interface where no data flows |
|
FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity |
|
FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces |
|
Database table optimization not working for some of the tables |
|
Email alert incorrectly sent for a successful database backup |
|
FMC HA Synchronization can hang forever if no response from SendUserReloadSGTAndEndpointsEvent |
|
FMC: Upgrade fails at DB Integrity check due to large number of EO warnings for "rule_comments" |
|
Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure" |
|
On a cloud-delivered FMC there is no way to send events to syslog without sending to SAL/CDO as well |
|
FPR1120: connections are getting torn down after switchover in HA |
|
Threatgrid integration configuration is not sync'd as part of the FMC HA Synchronisation |
|
None option under trustpoint doesn't work when CRL check is failing |
|
FTD Deployment failures due to "snort3.validation.lua:5: '=' expected near 'change'" |
|
FTD traceback and reload during policy deployment adding/removing/editing of NAT statements. |
|
FTD is dropping GRE traffic from WSA |
|
ASA binding with LDAP as authorization method with missing configuration |
|
ASA: Traceback and reload while processing SNMP packets |
|
Purging of Config Archive failed for all the devices if one device has no versions |
|
High Lina memory use due to leaked SSL handles |
|
FMC Unable to fetch VPN troubleshooting logs. |
|
FTD - 'show memory top-usage' providing improper value for memory allocation |
|
FTD: IPSLA Pre-emption not working even when destination becomes reachable |
|
ASA/FTD Traceback and reload of Standby Unit while removing capture configurations |
|
FMC deployment preview showing full config instead of delta. |
|
FMC is not taking BGP default originate configuration via API PUT request. |
|
TLS sessions dropped under certain conditions after a fragmented Client Hello |
|
FMC Health Monitor does not report alerts for the Interface Status module |
|
Deployment failing - "Error while printing show-xml-response file contents" XML response too big |
|
FMC HA info is not sync'ed reliably to FTD to support CLOUD_SERVICE |
|
FMC deployment failure:"Validation failed: This is a slav*/ha standby device, rejecting deployment." |
|
null connection error seen in logs |
|
[FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs |
|
ASA/FTD may traceback and reload in Thread Name: CTM Daemon |
|
FTD High unmanaged disk usage alert is triggered due to stored files located on /ngfw/Volume/root1/ |
|
Policy deploy failure "error executing /*!40101 SET character_set_client = @saved_cs_client */; *" |
|
256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516 |
|
Traffic drop when primary device is active |
|
Snort mem used alert should be consistent with value from top.log |
|
ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires |
|
Multicast connection built or teardown syslog messages may not always be generated |
|
add warning to FTD platform settings when VPN Logging Settings logging level is informational |
|
Snort3: Process in D state resulting in OOM with jemalloc memory manager |
|
After disabling malware analysis, high disk usage on /dev/shm/snort |
|
Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated |
|
Unexpected firewalls reloads with traceback. |
|
Slow UI loading for Table View of Hosts |
|
Database integrity check takes several minutes to complete |
|
NTP polling frequency changed from 5 minutes to 1 second causes large useless log files |
|
FPR2100: Multiple snort3 & snort2 cores got generated and sensor goes down in KP platform |
|
Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/ |
|
FMC External authentication getting "Internal error" |
|
rpc service detector causing snort traceback due to universal address being an empty string |
|
ASA Traceback & reload citing thread name: asacli/0 |
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
ASA/FTD may traceback and reload after executing 'clear counters all' when VPN tunnels are created |
|
Copying and pasting rules is broken and gives blank error message in ID policy |
|
LINA traceback with icmp_thread |
|
The command "app-agent heartbeat" is getting removed when deleting any created context |
|
CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner. |
|
occasional failure to load light-modal-ac-rule-xx.css with a net::ERR_TOO_MANY_RETRIES error |
|
FTD MI does not adjust PVID on vlans attached to BVI |
|
ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo |
|
ASA/FTD Show chunkstat top command implementation |
|
SFDataCorrelator cores due to stuck database query after 1 hour deadlock timeout |
|
ASA/FTD might traceback in function "snp_fp_l2_capture_internal" due to cf_reinject_hide flag |
|
Workaround to set hwclock from ntp logs on low end platforms |
|
changing time window settings in FMC GUI event viewers may not work with FMC integrated with SecureX |
|
Supervisor does not reboot unresponsive module/blade due to IERR with minor severity sensor ID 79 |
|
Active authentication sessions are showing in VPN dashboard |
|
ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled |
|
TLS Server Identity may cause certain clients to produce mangled Client Hello |
|
Gateway is not reachable from standby unit in admin and user context with shared mgmt intf |
|
Multiple traceback seen on standby unit. |
|
2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset |
|
FMC Upgrade: generation of sftunnel.json file per FTD does not check for duplicate names |
|
FMC: Backup to an unavailable remote host results in the inability to restart the appliance. |
|
Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer |
|
FDM WM-HA ssh is not working after upgrading 7.2.3 beta with data interface as management |
|
ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
Remove the limit of 30 characters in the rule name when a rule is moved from ACP to Prefilter |
|
FP2100:Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames |
|
Question mark in NAT description causes config mismatch on Data members of an FTD cluster |
|
Syslog ASA-6-611101 is generated twice for a single ssh connection |
|
IMS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
Need to Warn the users before triggering a full deployment on FTD managed by FDM |
|
Snort3 crashes are seen under Dce2Smb2FileTracker processing of data |
|
ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency |
|
Frequent errors seen regarding failures to load bulkcsv files that don't exist |
|
Remove FMC drop_cache trigger to prevent Disk I/O increase due to file cache thrashing |
|
Unable to save Access Control Policy changes due to Internal error |
|
Management interface link status not getting synced between FXOS and ASA |
|
SNMP on SFR module goes down and won't come back up |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Not able to remove group policy from RAVPN via REST API |
|
ASA Evaluation of OpenSSL vulnerability CVE-2022-4450 |
|
SSL decrypted conns fails when tx chksum-offload is enabled with the egress interface a pppoe. |
|
NGIPSv syslog-tls.conf.tt needs filters removed when in CC mode |
|
The user belonging to a subdomain, is unable to collect packet tracer |
|
FTD on FPR2140 - Lina traceback and reload by TCP normalization |
|
Manager gets unregistered on its own from the FTD, show manager shows 'No managers configured' |
|
BGP IPv6 configuration : route-map association with neighbour not getting deployed |
|
FMC: Incorrect FTD cluster role status leading to inability to upgrade FTD |
|
Memory leak observed on ASA/FTD when logging history is enabled |
|
FTD:Node not joining cluster with "Health check detected that control left cluster" due to SSL error |
|
After FMC upgrade, SecureX ribbon redirects to US cloud region regardless of the set cloud region |
|
/var/sf/QueryPoolData fills up with warehouse directories |
|
FTD: "timeout floating-conn" not operating as expected for connections dependent on VRF routing |
|
DAP policy created in FMC Gui, to detect a Windows OS with a hotfix, will not work as expected |
|
ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup |
|
FTD Traceback and reload on Thread Name "NetSnmp Event mib process" |
|
FXOS fault F0853 and F0855 seen despite keyring reporting renewed |
|
FTD 2100 -Update daq-ioq mempool to help protect against buffer corruption |
|
Unable to delete custom anyconnect attribute --dynamic-split-tunnel from group-policy |
|
PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP |
|
ASA Multicontext 'management-only' interface attribute not synced during creation |
|
ASA reboots due to heartbeat loss and "Communication with NPU lost" |
|
New context subcommands are not replicated on HA standby when multiple sessions are opened. |
|
DCCSM session authorization failure cause multiple issues across FMC |
|
Policy Deploy Failing when trying to remove Umbrella DNS Connector Configuration |
|
ASA/FTD traceback in snp_tracer_format_route |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to tcp intercept stat |
|
ASA/FTD: Ensure flow-offload states within cluster are the same |
|
Need fault/error for invalid firmware MF-111-234949 |
|
Pri-Active FMC NOT triggering registration TASK for FTD to configure standby manager |
|
Post backup restore multiple processes are not up. No errors are observed during backup or restore. |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
Deployment failed in snapshot generation after upgrading FMC to 7.3 |
|
ASA/FTD may traceback and reload after changing IP of authentication server |
|
TID python processes stuck at 100% CPU |
|
ASA: Prevent SFR module configuration on unsupported platforms |
|
The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context |
|
FP2100 series devices might use excessive memory if there is a very high SNMP polling rate |
|
ASA - Standby device may traceback and reload during synchronization of ACL DAP |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected |
|
ASA / FTD Traceback and reload when removing isakmp capture |
|
Failover fover_trace.log file is flooding and gets overwritten quickly |
|
Snort3 fails to match SMTPS traffic to ACP rules |
|
FMC should push the AnyConnect Custom attribute defer keyword as lowercase instead of capitalized |
|
Failover may be disabled multiple times due to wrongly seeing a different "Mate operational mode". |
|
FTD: unable to run any commands on CLISH prompt |
|
Snort high memory alerts still seen despite fix for CSCwd84942 |
|
Deployment is blocked due to Pre-deploy Validation Error - Invalid endpoint |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853 |
|
Selective deployment negating the route configs |
|
Selective deployment removing the prefilter-configs |
|
Selective deployment removing the Group policy |
|
FTD LINA traceback and reload in Datapath thread after adding Static Routing |
|
Unable to login to FTD using external authentication |
|
Cross-interface-access: ICMP Ping to management access ifc over VPN is broken |
|
FMC runs out of space when Snort sends massive numbers of packet logs |
|
logrotate is not compressing files on 9.16 ASA or 7.0 FTD |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-1-1656 |
|
SFDataCorrelator spam seen in /var/log/messages |
|
AnyConnect - mobile devices are not able to connect when hostscan is enabled |
|
CD App Sync error is App Config Apply Failed on Secondary/Standby after backup restore on RMA device |
|
Interface remains DOWN in an Inline-set with propagate link state |
|
Snort2 rule recommendations increase disabled rule count drastically |
|
[FMC model migration] Health monitoring on FMC reporting errors |
|
Upgraded FMC didn't mark FTD's with Hot Fix as light registered - failed FMC HA sync |
|
High rate of network map updates can cause large delays and backlogs in event processing |
|
ndclientd error message 'Local Disk is full' needs to provide mount details which is full |
|
ASA/FTD: From-the-box ping fails when using a custom VRF |
|
ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers |
|
Improve Azure AD realm documentation |
|
ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread' |
|
Deployment for eigrp / bgp change may cause temporary outage during policy apply |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
LDAP External auth config fails to deploy to FTD if same LDAP server is added as Primary and backup |
|
Default DLY value of port-channel sub interface mismatch with parent Portchannel |
|
ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem |
|
health alert for [FSM:STAGE:FAILED]: external aaa server configuration |
|
FMC does not allow creating more than 30 VLAN interfaces |
|
FMC upgrade from Active-Primary FMC fails with "Installation failed: Peer Discovery incomplete." |
|
Fix Snort3 Memory Utilisation Value |
|
Prune target should account for the allocated memory from the thread pruned |
|
ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled |
|
FMC system restore authentication error during FMC re-image when using FTP/SCP protocol |
|
ASA/FTD traceback and reload citing thread name: cli_xml_server in tm_job_add |
|
email alert to scheduled activity is not working after upgrading to 7.2 |
|
"Failed to convert snort 2 custom rules. Refer /var/sf/htdocs/ips/snort.rej for more details." |
|
ASA traceback and reload with process name: cli_xml_request_process |
|
Serial number attribute from the subject DN of certificate should be taken as the username |
|
vFMC300 to FMC2600 migration failure with error "migration from R to N is not allowed" |
|
Notification Daemon false alarm of Service Down |
|
CVIM Console getting stuck in "Booting the kernel" page |
|
Username-from-certificate feature cannot extract the email attribute |
|
ASA: Standby failure on parsing of "management-only" for dynamic configuration changes |
|
Missing Instance ID in unified_events-2.log |
|
Elephant flow detection disabled on FMC, getting enabled on FTD after random deployment |
|
ASA traceback and reload in parse thread due to ha_msg corruption |
|
correlation events based on connection events do not contain Security Intelligence Category content |
|
ngfwManager process continuously restarting leading to ZMQ Out of Memory traceback |
|
FTD returns no output of "show elephant-flow status" when efd.lua file's content is empty |
|
FP1140 7.0.4 deployment keeps failing with error "Can\'t use an undefined value as a HASH reference" |
|
Snort2 rule assignments missing from ngfw.rules (assignment_data table ) after FMC upgrade. |
|
FXOS REST API: Unable to create a keyring with type "ecdsa" |
|
Threat-detection does not recognize exception objects with a prefix in IPv6 |
|
ASA/FTD may traceback and reload in Thread Name 'lina'. |
|
Threat-detection does not allow clearing individual IPv6 entries |
|
need to turn off default TLS 1.1 (deprecated) support for the FDM GUI |
|
ASA not updating Timezone despite taking commands |
|
FTD DHCP Relay drops NACK if multiple DHCP Servers are configured |
|
Umbrella DNS Negate of Bypass Domain Field is not generated from FMC |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1 |
|
ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues |
|
FMC error displaying users page due to wide characters in real name field |
|
FDM Cannot create self-signed certificates due to Expiration Date format |
|
AC policy deploy failing on 7.2.4 FMC to 6.7 FTD |
|
traceback and reload thread datapath on process tcpmod_proxy_continue_bp |
|
Add knob to pause/resume file specific logging in asa log infra. |
|
DOC: Misleading Documentation of Cisco Firepower 2100 GLC-T and GLC-TE SFP Support |
|
FTD: Unable to process a TLS1.2 website with TLS Server Identity with client generating SSL Errors |
|
Found Orphaned SFTop10Cacher processes |
|
FTD/ASA Hub and spoke (U-turn) VPN fails when one spoke is IPSec flow offloaded and the other isn't |
|
standby in disabled state after QP-MI HA 7.0.3 to 7.2.4-126, APPLY_APP_CONFIG_APPLICATION_FAILURE |
|
TCP ping is completely broken starting in 9.18.2 |
|
FTD: ADI.conf - send_s2s_vpn_events is set to 0, even after applying s2s vpn health policy |
|
Snort3 Crash in SslServiceDetector after call from nss_passwd_lookup |
|
Prune symmetric triggers that existed in sfsnort schema before FMC upgrade to 7.3 version or later |
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
ASA: "Ping <ifc_name> x.x.x.x" is not working as expected starting 9.18.x |
|
Readiness check needs to be allowed to run without pausing FMC HA |
|
Setting heartbeat timeout to 6sec for BS and QP |
|
Upgrade Device listing page is taking more than 15 mins to load page fully with 25 FTDs registered |
|
ASA running out of SNMP PDU and SNMP VAR chunks |
|
Lina traceback and reload due to fragmented packets |
|
FPR3100: ASA/FTD High traffic impact on all data interfaces with high counter of "demux drops" |
|
"Security Intelligence feed download failed" displayed even though it succeeded |
|
ISE Integration Network filter not accepting multiple comma separated networks |
|
FTD : Traceback in ZMQ running 7.3.0 |
|
ASA sends OCSP request without user-agent and host |
|
ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot |
|
Unable to load intrusion policy page on FMC GUI |
|
FTDv: Traffic failure in VMware Deployments due to dpdk pool exhuastion and rx_buff_alloc_failure |
|
ASA Traceback and reload citing process name 'lina' |
|
FTD container restored from backup fails to register to FMC due to Peer send bad hash error |
|
traceback and reload in Process Name: lina related to Nat/Pat |
|
TCP normalizer needs stats that show actions like packet drops |
|
LDAP authentication over SSL not working for users that send large authorisation profiles |
|
ASAv in Hyper-V drops packets on management interface |
|
When enabling backup peer ip on FMC 7.3.1 with a space the VPN IPSec profile would be removed |
|
Failure to remove snort stat files older than 70 days |
|
ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure |
|
Changes to lamplighter logs written to /var/log/tid_process.log |
|
FATAL errors in DBCheck due to missing columns in eventdb table |
|
admin user should be excluded from CLI shell access filter |
|
ASA may traceback and reload in Thread Name 'DHCPv6 Relay' |
|
No logrotate and max size is configured for Health.log file |
|
ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes |
|
ASA Packet-tracer displays the first ACL rule always, though matches the right ACL |
|
FTD HA Creation fails resulting in devices showing up in an inconsistent state on the FMC |
|
Not able to add files with file names which has '\u' to clean list from Malware Summary page |
|
Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
|
SFDataCorrelator process crashing very frequently on the FMC. |
|
crashhandler running with test mode snort |
|
FMC backup management page showing "Verifying Backup" for FTD sensors. |
|
FMC backup restore page takes around 5 mins to load when remote storage is unreachable |
|
FP2130- Unable to disassociate member from port channel, deployment fails, member is lost on FTD/FMC |
|
ASA/FTD: Connection information in SIP-SDP header remains untranslated with destination static Any |
|
FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge" |
|
Inconsistent log messages seen when emblem is configured and buffer logging is set to debug |
|
In some specific scenarios, object optimizer can cause incorrect rules to be deployed to the device |
|
ASA in multi context shows standby device in failed stated even after MIO HB recovery. |
|
ASA integration with umbrella does not work without validation-usage ssl-server. |
|
ASA traceback and reload with the Thread name: **CP Crypto Result Processing** |
|
Firewall may drop packets when routing between global or user VRFs |
|
Standby FMC SSH connection getting disconnected frequently. |
|
ASA access-list entries have the same hash after upgrade |
|
Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby |
|
FMC Fails to deploy or register new FTDs due to SFTunnel Establishment Failure. |
|
Snort3 crash after the consequent snort restart if duplicate custom apps are present |
|
FTD: GRE traffic is load balanced between CPU cores |
|
SFTunnel Fails to Properly Establish due to running_config.conf file misconfiguration |
|
ASA: Traceback and reload while updating ACLs on ASA |
|
FMC should handle error appropriately when ISE reports error during SXP download |
|
AnyConnect Ikev2 Login Failed With certificate-group-map Configured |
|
FMC UI related issue in Object management page |
|
ASA/FTD may traceback and reload citing process name "lina" |
|
NMAP Remediation scan tasks remain in pending state in action queue table, does not clear out |
|
Traceback in Thread Name: ssh/client in a clustered setup |
|
Adding verify check for networks added under network object group in FMC |
|
Old LSP packages are not pruned causing high disk utilization |
|
CSM backup failed due to modification of CSM audit log file while tar was reading it |
|
VPN load-balancing cluster encryption using deprecated ciphers |
|
ASA/FTD: Traceback and reload when issuing 'show memory webvpn all objects' |
|
FXOS SNMP "property community of sys/svc-ext/snmp-svc is out of range" is unclear to users |
|
FTD username with dot fails AAA-RADIUS external authentication login after upgrade |
|
Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection |
|
FMC config archives retention reverts to default if ca_purge tool was used prior to 7.2.4 upgrade |
|
TelemetryApp process keeps exiting every minute after upgrading the FMC |
|
KP2140-HA, reloaded primary unit not able to detect the peer unit |
|
FTD/Lina - ZMQ issue OUT OF MEMORY. due to less Msglyr pool memory in low end platforms |
|
ASA generating traceback with thread-name: DATAPATH-53-18309 after upgrade to 9.16.4.19 |
|
Health Monitoring to NOT collect route stats for transparent mode FTD |
|
FMC needs to properly validate QoS policy rules before allowing deployment to FTD |
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum. |
|
Unable to list down the interface under the device exclude policy |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
FTD Lina engine may traceback, due to assertion, in datapath |
|
Avoid both the devices in HA sends events to FMC |
|
FTD is dropping GRE traffic from WSA due to NAT failure |
|
Include a warning during break HA when secondary unit is active |
|
ASA appliance mode - 'connect fxos [admin]' will get ERROR: failed to open connection. |
|
FMC 1600 process ssp_snmp_trap_fwdr high memory utilization |
|
FTD: Firepower 3100 Dynamic Flow Offload showing as Enabled |
|
Unable to configure and deploy IPv6 DNS server for RAVPN in FMC 7.2.4 |
|
Policy deployment fails when a route same prefix/metric is configured in a separate VRF. |
|
Disable TLS 1.1 permanently for sftunnel communication |
|
[Snort 3] IPS Policy Overrides not working on Chained Intrusion Policies |
|
FMC GUI | ACP page gets blank and hang while doing search in rules and moving to last pages |
|
Copy of Policy causes all devices to be marked as dirty |
|
ASA/FTD: Traceback and reload due to NAT L7 inspection rewrite |
|
EOStore failed error is outputted after deleting shared rule layer. |
|
Encrypted Visibility Engine (EVE) dashboard tab and widgets not added to FMC GUI upon upgrade |
|
The authentication object names should not contain white spaces |
|
FTD - Issue with the LSP package code during deploy rollback. |
|
Unable to save intrusion policy after upgrade to 7.x as the name exceeds 40 characters |
|
Rule update filter in Intrusion policy shows inconsistent results |
For Assistance
Upgrade Guides
In management center deployments, the management center must run the same or newer version as its managed devices. Upgrade the management center first, then devices. Note that you always want to use the upgrade guide for the version of management center or device manager that you are currently running—not your target version.
| Platform | Upgrade Guide | Link |
|---|---|---|
| Management center | Management center version you are currently running. | https://www.cisco.com/go/fmc-upgrade |
| Threat defense with management center | Management center version you are currently running. | https://www.cisco.com/go/ftd-fmc-upgrade |
| Threat defense with device manager | Threat defense version you are currently running. | https://www.cisco.com/go/ftd-fdm-upgrade |
| Threat defense with cloud-delivered Firewall Management Center | Cloud-delivered Firewall Management Center. | |
Install Guides
If you cannot or do not want to upgrade, you can freshly install major and maintenance releases. This is also called reimaging. You cannot reimage to a patch. Install the appropriate major or maintenance release, then apply the patch. If you are reimaging to an earlier threat defense version on an FXOS device, perform a full reimage—even for devices where the operating system and software are bundled.
| Platform | Install Guide | Link |
|---|---|---|
| Management center hardware | Getting started guide for your management center hardware model. | |
| Management center virtual | Getting started guide for the management center virtual. | |
| Threat defense hardware | Getting started or reimage guide for your device model. | |
| Threat defense virtual | Getting started guide for your threat defense virtual version. | |
| FXOS for the Firepower 4100/9300 | Configuration guide for your FXOS version, in the Image Management chapter. | |
| FXOS for the Firepower 1000/2100 and Secure Firewall 3100/4200 | Troubleshooting guide, in the Reimage Procedures chapter. | |
More Online Resources
Cisco provides the following online resources to download documentation, software, and tools; to query bugs; and to open service requests. Use these resources to install and configure Cisco software and to troubleshoot and resolve technical issues.
- Documentation: http://www.cisco.com/go/threatdefense-74-docs
- Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html
- Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
- Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html
Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
- Email Cisco TAC: tac@cisco.com
- Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
- Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts