Cisco Secure Firewall Threat Defense Release Notes
This document contains release information for:
- Cisco Secure Firewall Threat Defense
- Cisco Secure Firewall Management Center (on-prem)
- Cisco Secure Firewall device manager
For cloud deployments, see the Cisco Cloud-Delivered Firewall Management Center Release Notes or What's New for Cisco Defense Orchestrator.
Release Dates
Version | Build | Date | Platforms |
---|---|---|---|
7.4.2.1 | 30 | 2024-10-09 | All |
7.4.2 | 172 | 2024-07-31 | All |
7.4.1.1 | 12 | 2024-04-15 | All |
7.4.1 | 172 | 2023-12-13 | All |
7.4.0 | 81 | 2023-09-07 | Management center, Secure Firewall 4200 series |
Compatibility
Before you upgrade or reimage, make sure the target version is compatible with your deployment. If you cannot upgrade or reimage due to incompatibility, contact your Cisco representative or partner contact for refresh information.
For compatibility information, see:
Features
For features in earlier releases, see Cisco Secure Firewall Management Center New Features by Release and Cisco Secure Firewall Device Manager New Features by Release.
Note: Patches are largely limited to urgent bug fixes (see Bugs). If a patch does include a feature or behavior change, it is described in the section for the "parent" release.
Upgrade Impact
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration. Having to enable a new setting or deploy a policy post-upgrade to take advantage of a new feature does not count as upgrade impact.
The feature descriptions below include upgrade impact where appropriate. For a more complete list of features with upgrade impact by version, see Upgrade Impact Features.
Snort 3
Snort 3 is the default inspection engine for threat defense.
Snort 3 features for management center deployments also apply to device manager, even if they are not listed as new device manager features. However, keep in mind that the management center may offer more configurable options than device manager.
Important: If you are still using the Snort 2 inspection engine, switch to Snort 3 now for improved detection and performance. Snort 2 will be deprecated in a future release and will eventually prevent threat defense upgrade.
Intrusion Rules and Keywords
Upgrades can import and auto-enable new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU/LSP. After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.
For details on new keywords, see the Snort release notes: https://www.snort.org/downloads.
FlexConfig
Upgrades can add web interface or Smart CLI support for features that previously required FlexConfig. The upgrade does not convert FlexConfigs. After upgrade, configure the newly supported features in the web interface or Smart CLI. When you are satisfied with the new configuration, delete the deprecated FlexConfigs.
The feature descriptions below include information on deprecated FlexConfigs when appropriate. For a full list of deprecated FlexConfigs, see your configuration guide.
Caution: Although you cannot newly assign or create FlexConfig objects using deprecated commands, in most cases existing FlexConfigs continue to work and you can still deploy. However, using deprecated commands can sometimes cause deployment issues.
REST API
For information on what's new in the REST API, see the Secure Firewall Management Center REST API Quick Start Guide or the Cisco Secure Firewall Threat Defense REST API Guide.
Cisco Success Network Telemetry
Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support. For information on what's new with telemetry, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center.
Language Preferences
If you are using the web interface in a language other than English, features introduced in maintenance releases and patches may not be translated until the next major release.
Management Center Features in Version 7.4.2
Feature | Minimum Management Center | Minimum Threat Defense | Details |
---|---|---|---|
Platform | | | |
Management center virtual 300 for Azure. | 7.4.2 | Any | We introduced the management center virtual 300 for Azure. The FMCv300 can manage up to 300 devices, and high availability is supported. Migration from the FMCv25 for Azure is also supported. See: Cisco Secure Firewall Management Center Virtual Getting Started Guide and Cisco Secure Firewall Management Center Model Migration Guide |
Threat defense virtual for VMware vSphere/VMware ESXi 8.0. | 7.4.2 | 7.4.2 | You can now deploy threat defense virtual for VMware on VMware vSphere/VMware ESXi 8.0. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
High Availability: Management Center | | | |
High availability for management center virtual for Azure. | 7.4.2 | Any | We now support high availability for management center virtual for Azure. In a threat defense deployment, you need two identically licensed management centers, as well as one threat defense entitlement for each managed device. For example, to manage 10 devices with an FMCv10 high availability pair, you need two FMCv10 entitlements and 10 threat defense entitlements. If you are managing Version 7.0.x Classic devices only (NGIPSv or ASA FirePOWER), you do not need FMCv entitlements. Platform restrictions: Not supported with FMCv2. See: Cisco Secure Firewall Management Center Virtual Getting Started Guide and High Availability |
Access Control: Threat Detection and Application Identification | | | |
Asymmetric traffic handling. | 7.4.2 | 7.4.2 with Snort 3 | Upgrade impact. Qualifying connections are now inspected and handled. In asymmetric routing deployments, the system now inspects the side of the connection seen by threat defense. No additional configuration is required. |
Management Center Features in Version 7.4.1
Feature | Minimum Management Center | Minimum Threat Defense | Details |
---|---|---|---|
Reintroduced Features | | | |
Reintroduced features. | Feature dependent | Feature dependent | Version 7.4.1 reintroduces features, enhancements, and critical fixes that were included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but that were not included in odd-numbered versions (7.1.x, 7.3.x) or in Version 7.4.0. Reintroduced features include: |
Platform | | | |
Network modules for the Secure Firewall 3130 and 3140. | 7.4.1 | 7.4.1 | The Secure Firewall 3130 and 3140 now support these network modules: See: Cisco Secure Firewall 3110, 3120, 3130, and 3140 Hardware Installation Guide |
Optical transceivers for Firepower 9300 network modules. | 7.4.1 | 7.4.1 | The Firepower 9300 now supports these optical transceivers: On these network modules: |
Performance profile support for the Secure Firewall 3100. | 7.4.1 | 7.4.1 | The performance profile settings available in the platform settings policy now apply to the Secure Firewall 3100. Previously, this feature was supported on the Firepower 4100/9300, the Secure Firewall 4200, and threat defense virtual. |
Interfaces | | | |
Deploy without the diagnostic interface on threat defense virtual for Azure and GCP. | 7.4.1 | 7.4.1 | You can now deploy without the diagnostic interface on threat defense virtual for Azure and GCP. Previously, we required one management, one diagnostic, and at least two data interfaces. New interface requirements are: Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
Device Management | | | |
Device management services supported on user-defined VRF interfaces. | 7.4.1 | Any | Device management services configured in the threat defense platform settings (NetFlow, SSH access, SNMP hosts, syslog servers) are now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces. Platform restrictions: Not supported with container instances or clustered devices. See: Platform Settings |
High Availability/Scalability: Threat Defense | | | |
Multi-instance mode for the Secure Firewall 3100. | 7.4.1 | 7.4.1 | You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices. Note that in multi-instance mode, you upgrade the operating system and the firmware (chassis upgrade) separately from the container instances (threat defense upgrade). New/modified screens: New/modified threat defense CLI commands: configure multi-instance network ipv4, configure multi-instance network ipv6. New/modified FXOS CLI commands: create device-manager, set deploymode. Platform restrictions: Not supported on the Secure Firewall 3105. |
16-node clusters for threat defense virtual for VMware and KVM. | 7.4.1 | 7.4.1 | You can now configure 16-node clusters for threat defense virtual for VMware and threat defense virtual for KVM. |
Target failover for clustered threat defense virtual devices for AWS. | 7.4.1 | 7.4.1 | You can now configure target failover for clustered threat defense virtual devices for AWS using the AWS Gateway Load Balancer (GWLB). Platform restrictions: Not available with five- and ten-device licenses. |
Detect configuration mismatches in threat defense high availability pairs. | 7.4.1 | 7.4.1 | You can now use the CLI to detect configuration mismatches in threat defense high availability pairs. New/modified CLI commands: show failover config-sync error, show failover config-sync stats |
High Availability: Management Center | | | |
Management center high availability synchronization enhancements. | 7.4.1 | Any | Management center high availability (HA) includes the following synchronization enhancements: New/modified screens: You can view these alerts on the following screens: |
SD-WAN | | | |
Application monitoring on the SD-WAN Summary dashboard. | 7.4.1 | 7.4.1 | You can now monitor WAN interface application performance on the SD-WAN Summary dashboard. New/modified screens: |
VPN | | | |
IPsec flow offload on the VTI loopback interface for the Secure Firewall 3100. | 7.4.1 | 7.4.1 | Upgrade impact. Qualifying connections start being offloaded. On the Secure Firewall 3100, qualifying IPsec connections through the VTI loopback interface are now offloaded by default. Previously, this feature was only supported on physical interfaces. The upgrade enables this feature automatically. You can change the configuration using FlexConfig and the flow-offload-ipsec command. See: IPsec Flow Offload |
Crypto debugging enhancements for the Secure Firewall 3100 and Firepower 4100/9300. | 7.4.1 | 7.4.1 | The crypto debugging enhancements introduced in Version 7.4.0 now apply to the Secure Firewall 3100 and the Firepower 4100/9300. Previously, they were only supported on the Secure Firewall 4200. |
View details of the VTIs in route-based VPNs. | 7.4.1 | Any | You can now view the details of the virtual tunnel interfaces (VTIs) of route-based VPNs on your managed devices. You can also view details of all the dynamically created virtual access interfaces of dynamic VTIs. New/modified screens: Device > Device Management > Edit a device > Interfaces > Virtual Tunnels tab. |
Routing | | | |
Configure BFD routing on IS-IS interfaces with FlexConfig. | 7.4.1 | 7.4.1 | You can now use FlexConfig to configure Bidirectional Forwarding Detection (BFD) routing on physical, subinterface, and EtherChannel IS-IS interfaces. |
Access Control: Threat Detection and Application Identification | | | |
Zero trust access enhancements. | 7.4.1 | 7.4.1 with Snort 3 | Management center now includes the following zero trust access enhancements: New/modified screens: New/modified CLI commands: show running-config zero-trust, show zero-trust statistics. See: |
CIP detection. | 7.4.1 | 7.4.1 with Snort 3 | You can now detect and handle Common Industrial Protocol (CIP) traffic by using CIP and Ethernet/IP (ENIP) application conditions in your security policies. |
CIP safety detection. | 7.4.1 | 7.4.1 with Snort 3 | CIP Safety is a CIP extension that enables the safe operation of industrial automation applications. The CIP inspector can now detect the CIP Safety segments in CIP traffic. To detect and take action on CIP Safety segments, enable the CIP inspector in the management center's network analysis policy and assign it to an access control policy. New/modified screens: Policies > Access Control > Edit a policy > Add Rule > Applications tab > Search for CIP Safety in the search box. See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide |
Access Control: Identity | | | |
Captive portal support for multiple Active Directory realms (realm sequences). | 7.4.1 | 7.4.1 | Upgrade impact. Update custom authentication forms. You can configure active authentication for an LDAP realm, a Microsoft Active Directory realm, or a realm sequence. In addition, you can configure a passive authentication rule to fall back to active authentication using either a realm or a realm sequence. You can optionally share sessions between managed devices that share the same identity policy in access control rules. You also have the option to require users to authenticate again when they access the system through a different managed device than the one they used previously. If you use the HTTP Response Page authentication type, after you upgrade threat defense you must add `<select name="realm" id="realm"></select>` to your custom authentication form. This allows the user to choose between realms. Restrictions: Not supported with Microsoft Azure Active Directory. New/modified screens: |
Share captive portal active authentication sessions across firewalls. | 7.4.1 | 7.4.1 | Determines whether users are required to authenticate again when their authentication session is sent to a different managed device than the one they previously connected to. If your organization requires users to authenticate every time they change locations or sites, disable this option. New/modified screens: |
Merge downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources, using the management center web interface. | 7.4.1 | Any | Upgrade impact. Redo any related FlexConfigs after upgrade. New/modified screens: New CLI commands: |
Health Monitoring | | | |
Chassis-level health alerts for the Firepower 4100/9300. | 7.4.1 | Any with FXOS 2.14.1 | You can now view chassis-level health alerts for the Firepower 4100/9300 by registering the chassis to the management center as a read-only device. You must also enable the Firewall Threat Defense Platform Faults health module and apply the health policy. The alerts appear in the Message Center, in the health monitor (in the left pane, under Devices, select the chassis), and in the health events view. You can also add (and view health alerts for) a Secure Firewall 3100 chassis in multi-instance mode. For those devices, you use the management center to manage the chassis; for the Firepower 4100/9300 chassis, you must still use the chassis manager or the FXOS CLI. New/modified screens: |
Improved management center memory usage calculation, alerting, and swap memory monitoring. | 7.4.1 | Any | Upgrade impact. Memory usage alert thresholds may be lowered. We improved the accuracy of management center memory usage calculation and lowered the default alert thresholds to 88% warning/90% critical. If your thresholds were higher than the new defaults, the upgrade lowers them automatically; you do not have to apply health policies for this change to take effect. Note that the management center may now reboot under extremely critical system memory conditions if terminating high-memory processes does not work. You can also add new swap memory usage metrics to a new or existing management center health dashboard. Make sure you choose the Memory metric group. New/modified screens: |
Deployment and Policy Management | | | |
Change management. | 7.4.1 | Any | You can enable change management if your organization needs to implement more formal processes for configuration changes, including audit tracking and official approval before changes are deployed. We added the System () page to enable the feature. When enabled, there is a System () page, and a new Ticket () quick access icon in the menu. See: Change Management |
Upgrade | | | |
Firmware upgrades included in FXOS upgrades. | 7.4.1 | Any | Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot. For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice: once for FXOS and once for the firmware. Just as with software and operating system upgrades, do not make or deploy configuration changes during a firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during a firmware upgrade. |
Automatically generate configuration change reports after management center upgrade. | 7.4.1 | Any | You can automatically generate reports on configuration changes after major and maintenance management center upgrades. This helps you understand the changes you are about to deploy. After the system generates the reports, you can download them from the Tasks tab in the Message Center. Other version restrictions: Only supported for management center upgrades from Version 7.4.1+. Not supported for upgrades to Version 7.4.1 or any earlier version. New/modified screens: System () |
Administration | | | |
Erase the hard drives on a hardware management center. | 7.4.1 | Any | You can use the management center CLI to reboot the management center and permanently erase its own hard drive data. After the erase is complete, you can install a fresh software image. New/modified CLI commands: secure erase. See: Secure Firewall Management Center Command Line Reference |
Troubleshooting | | | |
Troubleshooting file generation and download available from Device and Cluster pages. | 7.4.1 | 7.4.1 | You can generate and download troubleshooting files for each device on the Device page, and for all cluster nodes on the Cluster page. For a cluster, you can download all files as a single compressed file. You can also include cluster logs for the cluster nodes. Alternatively, you can trigger file generation from the More () > Troubleshoot Files menu. New/modified screens: |
Automatic generation of a troubleshooting file on a node when it fails to join the cluster. | 7.4.1 | 7.4.1 | If a node fails to join the cluster, a troubleshooting file is automatically generated for the node. You can download the file from Tasks or from the Cluster page. |
View CLI output for a device or device cluster. | 7.4.1 | Any | You can view a set of pre-defined CLI outputs that can help you troubleshoot the device or cluster. You can also enter any show command and see the output. New/modified screens: See: View CLI Output |
Quick recovery after data plane failure for the Firepower 1000/2100 and Firepower 4100/9300. | 7.4.1 | 7.4.1 | If the data plane process crashes, the system now reloads only the data plane process instead of rebooting the device. Along with the data plane process, Snort and a few other processes are also reloaded. However, if the data plane process crashes during bootup, the device follows the normal reload/reboot sequence, which avoids a reload loop. This feature is enabled by default for both new and upgraded devices. To disable it, use FlexConfig. New/modified CLI commands: data-plane quick-reload, no data-plane quick-reload, show data-plane quick-reload status. Supported platforms: Firepower 1000/2100, Firepower 4100/9300. Platform restrictions: Not supported in multi-instance mode. See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Secure Firewall ASA Series Command Reference. |
Deprecated Features | | | |
Deprecated: Health alerts for frequent drain of events. | 7.4.1 | 7.4.1 | The Disk Usage health module no longer alerts with |
Deprecated: VPN Tunnel Status health module. | 7.4.1 | Any | We deprecated the VPN Tunnel Status health module. Use the VPN dashboards instead. |
Deprecated: Merging downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources with FlexConfig. | 7.4.1 | Any | Upgrade impact. Redo any related FlexConfigs after upgrade. This feature is now supported in the management center web interface. |
Management Center Features in Version 7.4.0
Note: Version 7.4.0 is available only on the Secure Firewall Management Center and the Secure Firewall 4200. A Version 7.4.0 management center can manage older versions of other device models, but you must use a Secure Firewall 4200 for features that require threat defense 7.4.0. Support for all other device platforms resumes in Version 7.4.1.
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
||
---|---|---|---|---|---|
Reintroduced Features |
|||||
Reintroduced features. |
7.4.0 |
Feature dependent |
Version 7.4.0 reintroduces features, enhancements, and critical fixes that were included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but that were not included in odd-numbered versions (7.1.x, 7.3.x). Reintroduced features include: |
||
Platform |
|||||
Management center 1700, 2700, 4700. |
7.4.0 |
Any |
We introduced the Secure Firewall Management Center 1700, 2700, and 4700, which can manage up to 300 devices. Management center high availability is supported. See: Cisco Secure Firewall Management Center 1700, 2700, and 4700 Getting Started Guide |
||
Management center virtual for Microsoft Hyper-V. |
7.4.0 |
Any |
We introduced Secure Firewall Management Center Virtual for Microsoft Hyper-V, which can manage up to 25 devices. Management center high availability is supported. See: Cisco Secure Firewall Management Center Virtual Getting Started Guide |
||
Secure Firewall 4200. |
7.4.0 |
7.4.0 |
We introduced the Secure Firewall 4215, 4225, and 4245. You must manage these devices with a management center. They do not support device manager. These devices support the following new network modules:
See: Cisco Secure Firewall 4215, 4225, and 4245 Hardware Installation Guide |
||
Performance profile support for the Secure Firewall 4200. |
7.4.0 |
7.4.0 |
The performance profile settings available in the platform settings policy now apply to the Secure Firewall 4200. Previously, this feature was supported only on the Firepower 4100/9300 and on threat defense virtual. |
||
Platform Migration |
|||||
Migrate from Firepower 1000/2100 to Secure Firewall 3100. |
7.4.0 |
Any |
You can now easily migrate configurations from the Firepower 1000/2100 to the Secure Firewall 3100. New/modified screens: Platform restrictions: Migration not supported from the Firepower 1010 or 1010E. |
||
Migrate from Firepower Management Center 4600 to Secure Firewall Management Center for AWS. |
7.4.0 |
Any |
You can migrate from Firepower Management Center 4600 to Secure Firewall Management Center Virtual for AWS with a 300-device license. See: Cisco Secure Firewall Management Center Model Migration Guide |
||
Migrate from Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700. |
7.4.0 |
Any |
You can migrate from Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700. See: Cisco Secure Firewall Management Center Model Migration Guide |
||
Migrate from Firepower Management Center 1000/2500/4500 to Secure Firewall Management Center 1700/2700/4700. |
7.4.0 only |
7.0.0 |
You can migrate Firepower Management Center 1000/2500/4500 to Secure Firewall Management Center 1700/2700/4700. To migrate, you must temporarily upgrade the old management center from Version 7.0 to Version 7.4.0.
To summarize the migration process:
See:
If you have questions or need assistance at any point in the migration process, contact Cisco TAC. |
||
Migrate devices from Firepower Management Center 1000/2500/4500 to cloud-delivered Firewall Management Center. |
7.4.0 only |
7.0.3 |
You can migrate devices from Firepower Management Center 1000/2500/4500 to cloud-delivered Firewall Management Center. To migrate devices, you must temporarily upgrade the on-prem management center from Version 7.0.3 (7.0.5 recommended) to Version 7.4.0. This temporary upgrade is required because Version 7.0 management centers do not support device migration to the cloud. Additionally, only standalone and high availability threat defense devices running Version 7.0.3+ (7.0.5 recommended) are eligible for migration. Cluster migration is not supported at this time.
To summarize the migration process:
See: If you have questions or need assistance at any point in the migration process, contact Cisco TAC. |
||
Device Management |
|||||
Zero-Touch Provisioning to register the Firepower 1000/2100 and Secure Firewall 3100 to the management center using a serial number. |
7.4.0 |
Mgmt. center is publicly reachable: 7.2.0 Mgmt. center is not publicly reachable: 7.2.4 |
Zero-Touch Provisioning (also called low-touch provisioning) lets you register Firepower 1000/2100 and Secure Firewall 3100 devices to the management center by serial number without having to perform any initial setup on the device. The management center integrates with SecureX and Cisco Defense Orchestrator for this functionality. New/modified screens: Other version restrictions: This feature is not supported on Version 7.3.x or 7.4.0 threat defense devices when the management center is not publicly reachable. Support returns in Version 7.4.1. See: Add a Device to the Management Center Using the Serial Number (Low-Touch Provisioning) |
||
Interfaces |
|||||
Merged management and diagnostic interfaces. |
7.4.0 |
7.4.0 |
Upgrade impact. Merge interfaces after upgrade. For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available. If you upgraded to 7.4 or later and:
Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including Management) in the configuration. For platform settings, this means:
New/modified screens: New/modified commands: show management-interface convergence |
||
VXLAN VTEP IPv6 support. |
7.4.0 |
7.4.0 |
You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the threat defense virtual cluster control link or for Geneve encapsulation. New/modified screens: |
||
Loopback interface support for BGP and management traffic. |
7.4.0 |
7.4.0 |
You can now use loopback interfaces for AAA, BGP, DNS, HTTP, ICMP, IPsec flow offload, NetFlow, SNMP, SSH, and syslog. New/modified screens: Devices > Device Management > Edit device > Interfaces > Add Interfaces > Loopback Interface |
||
Loopback and management type interface group objects. |
7.4.0 |
7.4.0 |
You can create interface group objects with only management-only or loopback interfaces. You can use these groups for management features such as DNS servers, HTTP access, or SSH. Loopback groups are available for any feature that can utilize loopback interfaces. However, it's important to note that DNS does not support management interfaces. New/modified screens: See: Interface |
||
High Availability/Scalability: Threat Defense |
|||||
Manage threat defense high availability pairs using a data interface. |
7.4.0 |
7.4.0 |
Threat defense high availability now supports using a regular data interface for communication with the management center. Previously, only standalone devices supported this feature. |
||
SD-WAN |
|||||
WAN summary dashboard. |
7.4.0 |
7.2.0 |
The WAN Summary dashboard provides a snapshot of your WAN devices and their interfaces. It provides insight into your WAN network and information about device health, interface connectivity, application throughput, and VPN connectivity. You can monitor the WAN links and take proactive and prompt recovery measures. New/modified screens: Overview > WAN Summary |
||
Policy-based routing using HTTP path monitoring. |
7.4.0 |
7.2.0 |
Policy-based routing (PBR) can now use the performance metrics (RTT, jitter, packet-lost, and MOS) collected by path monitoring through HTTP client on the application domain rather than the metrics on a specific destination IP. HTTP-based application monitoring option is enabled by default for the interface. You can configure a PBR policy with match ACL having the monitored applications and interface ordering for path determination. New/modified screens: Devices > Device Management > Edit device > Edit interface > Path Monitoring > Enable HTTP based Application Monitoring check box. Platform restrictions: Not supported for clustered devices. |
||
Policy-based routing with user identity and SGTs. |
7.4.0 |
7.4.0 |
You can now classify network traffic based on users, user groups, and SGTs in PBR policies. Select the identity and SGT objects while defining the extended ACLs for the PBR policies. New/modified screens: Objects > Object Management > Access List > Extended > Add/Edit Extended Access List > Add/Edit Extended Access List Entry > Users and Security Group Tag |
VPN | | | |
IPsec flow offload on the VTI loopback interface for the Secure Firewall 4200. | 7.4.0 | 7.4.0 | On the Secure Firewall 4200, qualifying IPsec connections through the VTI loopback interface are offloaded by default. Previously, this feature was supported for physical interfaces on the Secure Firewall 3100. You can change the configuration using FlexConfig and the flow-offload-ipsec command. Other requirements: FPGA firmware 6.2+. See: IPsec Flow Offload |
Crypto debugging enhancements for the Secure Firewall 4200. | 7.4.0 | 7.4.0 | We made enhancements to crypto debugging. New/modified CLI commands: show counters |
VPN: Remote Access | | | |
Customize Secure Client messages, icons, images, and connect/disconnect scripts. | 7.4.0 | 7.1.0 | You can now customize Secure Client (messages, icons, images, and connect/disconnect scripts) and deploy these customizations to the VPN headend. Threat defense distributes these customizations to the endpoint when an end user connects from the Secure Client. |
VPN: Site to Site | | | |
Easily view IKE and IPsec session details for VPN nodes. | 7.4.0 | Any | You can view the IKE and IPsec session details of VPN nodes in a user-friendly format in the Site-to-Site VPN dashboard. New/modified screens: Overview > Site to Site VPN > under the Tunnel Status widget, hover over a topology, click View, and then click the CLI Details tab. |
Site-to-site VPN information in connection events. | 7.4.0 | 7.4.0 with Snort 3 | Connection events now contain three new fields: Encrypt Peer, Decrypt Peer, and VPN Action. For policy-based and route-based site-to-site VPN traffic, these fields indicate whether a connection was encrypted or decrypted (or both, for transiting connections), and by which peer. |
Easily exempt site-to-site VPN traffic from NAT translation. | 7.4.0 | Any | We now make it easier to exempt site-to-site VPN traffic from NAT translation. See: NAT Exemption |
Routing | | | |
Configure graceful restart for BGP on IPv6 networks. | 7.4.0 | 7.3.0 | You can now configure BGP graceful restart for IPv6 networks on managed devices running Version 7.3 and later. New/modified screens: Devices > Device Management > Edit device > Routing > BGP > IPv6 > Neighbor > Add/Edit Neighbor. |
Virtual routing with dynamic VTI. | 7.4.0 | 7.4.0 | You can now configure a virtual router with a dynamic VTI for a route-based site-to-site VPN. New/modified screens: Devices > Device Management > Edit Device > Routing > Virtual Router Properties > Dynamic VTI interfaces under Available Interfaces. Platform restrictions: Supported only on native mode standalone or high availability devices. Not supported for container instances or clustered devices. |
Access Control: Threat Detection and Application Identification | | | |
Clientless zero-trust access. | 7.4.0 | 7.4.0 with Snort 3 | We introduced Zero Trust Access, which allows you to authenticate and authorize access to protected web-based resources, applications, or data from inside (on-premises) or outside (remote) the network using an external SAML Identity Provider (IdP) policy. The configuration consists of a Zero Trust Application Policy (ZTAP), Application Group, and Applications. See: Zero Trust Access |
Encrypted visibility engine enhancements. | 7.4.0 | 7.4.0 with Snort 3 | The Encrypted Visibility Engine (EVE) has new capabilities. New/modified screens: Use the access control policy's advanced settings to enable EVE and configure these settings. |
Exempt specific networks and ports from bypassing or throttling elephant flows. | 7.4.0 | 7.4.0 with Snort 3 | You can now exempt specific networks and ports from bypassing or throttling elephant flows. Platform restrictions: Not supported on the Firepower 2100 series. |
First-packet application identification using custom application detectors. | 7.4.0 | 7.4.0 with Snort 3 | A new Lua detector API, addHostFirstPktApp, maps the IP address, port, and protocol of the very first packet of a TCP session to an application protocol (service AppID), a client application (client AppID), and a web application (payload AppID). This is used for performance improvements, reinspection, and early detection of attacks in the traffic. To use this feature, upload the Lua detector by specifying the detection criteria in the advanced detectors of your custom application detector. |
Sensitive data detection and masking. | 7.4.0 | 7.4.0 with Snort 3 | Upgrade impact. New rules in default policies take effect. Sensitive data such as social security numbers, credit card numbers, and email addresses may be leaked onto the internet, intentionally or accidentally. Sensitive data detection detects and generates events on possible sensitive data leakage; it generates events only if a significant amount of Personally Identifiable Information (PII) is transferred. Sensitive data detection can mask PII in the output of events, using built-in patterns. Disabling data masking is not supported. |
Improved JavaScript inspection. | 7.4.0 | 7.4.0 with Snort 3 | We improved JavaScript inspection, which now normalizes the JavaScript and matches rules against the normalized content. See: HTTP Inspect Inspector and Cisco Secure Firewall Management Center Snort 3 Configuration Guide |
MITRE information in file and malware events. | 7.4.0 | 7.4.0 | The system now includes MITRE information (from local malware analysis) in file and malware events. Previously, this information was only available for intrusion events. You can view MITRE information in both the classic and unified events views. Note that the MITRE column is hidden by default in both event views. See: Local Malware Analysis and File and Malware Event Fields |
Smaller VDB for lower memory Snort 2 devices. | 6.4.0.17, 7.0.6, 7.2.4, 7.3.1.1, 7.4.0 | Any with Snort 2 | Upgrade impact. Application identification on lower memory devices is affected. For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB. Lower memory devices: ASA 5506-X series, ASA 5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X. Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not of the managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641. |
Access Control: Identity | | | |
Cisco Secure Dynamic Attributes Connector on the management center. | 7.4.0 | Any | You can now configure the Cisco Secure Dynamic Attributes Connector on the management center. Previously, it was only available as a standalone application. |
Microsoft Azure AD as a user identity source. | 7.4.0 | 7.4.0 | You can use a Microsoft Azure Active Directory (Azure AD) realm with ISE to authenticate users and get user sessions for user control. Supported ISE versions: 3.0 patch 5+, 3.1 (any patch level), 3.2 (any patch level) |
Event Logging and Analysis | | | |
Configure threat defense devices as NetFlow exporters from the management center web interface. | 7.4.0 | Any | Upgrade impact. Redo FlexConfigs after upgrade. NetFlow is a Cisco application that provides statistics on packet flows. You can now use the management center web interface to configure threat defense devices as NetFlow exporters. If you have an existing NetFlow FlexConfig and redo your configuration in the web interface, you cannot deploy until you remove the deprecated FlexConfigs. See: Configure NetFlow |
More information about "unknown" SSL actions in logged encrypted connections. | 7.4.0 | 7.4.0 | Serviceability improvements to event reporting and decryption rule matching. See: Connection and Security-Related Connection Event Fields. |
Health Monitoring | | | |
Stream telemetry to an external server using OpenConfig. | 7.4.0 | 7.4.0 | You can now send metrics and health monitoring information from your threat defense devices to an external server (gNMI collector) using OpenConfig. You can configure either threat defense or the collector to initiate the connection, which is encrypted with TLS. New/modified screens: System menu |
New asp drop metrics. | 7.4.0 | 7.4.0 | You can add over 600 new asp (accelerated security path) drop metrics to a new or existing device health dashboard. Make sure you choose the ASP Drops metric group. New/modified screens: System menu |
Administration | | | |
Send detailed management center audit logs to syslog. | 7.4.0 | Any | You can stream configuration changes as part of audit log data to syslog by specifying the configuration data format and the hosts. The management center supports backup and restore of the audit configuration log. New/modified screens: System > Configuration > Audit Log > Send Configuration Changes |
Granular permissions for modifying access control policies and rules. | 7.4.0 | Any | You can define custom user roles to differentiate between the intrusion configuration in access control policies and rules and the rest of the access control policy and rules. Using these permissions, you can separate the responsibilities of your network administration team and your intrusion administration team. When defining user roles, you can select the option to allow the selection of intrusion policy, variable set, and file policy in a rule, the configuration of the advanced options for Network Analysis and Intrusion Policies, the configuration of the Security Intelligence policy for the access control policy, and intrusion actions in the policy default action. You can use the Modify Remaining Access Control Policy Configuration option to control the ability to edit all other aspects of the policy. The existing pre-defined user roles that included the Modify Access Control Policy permission continue to support all sub-permissions; you need to create your own custom roles if you want to apply granular permissions. |
Support for IPv6 URLs when checking certificate revocation. | 7.4.0 | 7.4.0 | Previously, threat defense supported only IPv4 OCSP URLs. Now, threat defense supports both IPv4 and IPv6 OCSP URLs. See: Requiring Valid HTTPS Client Certificates and Certificate Enrollment Object Revocation Options |
Default NTP server updated. | 7.4.0 | Any | The default NTP server for new management center deployments changed from sourcefire.pool.ntp.org to time.cisco.com. We recommend you use the management center to serve time to its own devices. You can update the management center's NTP server from the System menu. |
Usability, Performance, and Troubleshooting | | | |
Usability enhancements. | 7.4.0 | Any | This release includes usability enhancements. |
Specify the direction of traffic to be captured with packet capture for the Secure Firewall 4200. | 7.4.0 | 7.4.0 | On the Secure Firewall 4200, you can use a new direction keyword with the capture command. New/modified CLI commands: capture capture_name switch interface interface_name [direction {both | egress | ingress}] |
Snort 3 restarts when it becomes unresponsive, which can trigger HA failover. | 7.4.0 | 7.4.0 with Snort 3 | To improve continuity of operations, an unresponsive Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process becomes unresponsive. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.) This feature is enabled by default. You can use the CLI to disable it, or configure the time or number of unresponsive threads before Snort restarts. New/modified CLI commands: configure snort3-watchdog |
Deprecated Features | | | |
Temporarily deprecated features. | 7.4.0 | Any | Although upgrading to Version 7.4.0 is supported, the upgrade will remove critical features, fixes, and enhancements that may be included in your current version. Instead, upgrade to Version 7.4.1+. The features removed depend on your current version: Version 7.2.5–7.2.x and Version 7.2.6–7.2.x each have their own list. |
Deprecated: NetFlow with FlexConfig. | 7.4.0 | Any | You can now configure threat defense devices as NetFlow exporters from the management center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs. See: Configure NetFlow |
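The sensitive data detection row above describes three behaviours worth seeing together: built-in patterns for SSNs, card numbers and email addresses, an event only when a significant amount of PII crosses the wire, and masked PII in the event output. The following Python is an added example written for these notes, not Cisco's own implementation; the regexes, the per-type thresholds and the "keep the last four digits" masking style are assumptions, and the payload is constructed.

```python
"""Threshold-based PII detection with masked event output (added example).

Assumptions, not Cisco's implementation: the regexes, the per-type
thresholds and the "keep the last four digits" masking style are all
chosen for this example. Only masked values ever reach an event.
"""
import re
from dataclasses import dataclass

# Built-in-style patterns for the data types the release note names (assumed).
PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}
# Validated matches of one type needed in a single transfer before an
# event fires, so a lone SSN in a form post stays quiet (assumed values).
THRESHOLDS = {"ssn": 3, "credit_card": 3, "email": 10}


@dataclass
class PiiEvent:
    data_type: str
    count: int
    samples: list  # masked values only


def luhn_ok(digits: str) -> bool:
    """Luhn check: drops random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers the SSA never issues (000/666/9xx areas, zero group or serial)."""
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


def mask_number(value: str) -> str:
    """Replace every digit but the last four with X, keeping separators so the shape stays visible."""
    positions = [i for i, c in enumerate(value) if c.isdigit()]
    keep = set(positions[-4:])
    return "".join("X" if c.isdigit() and i not in keep else c for i, c in enumerate(value))


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, _, domain = value.partition("@")
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def find_pii(text: str) -> dict:
    """Return {data_type: [masked matches]} for every validated hit in the text."""
    hits = {name: [] for name in PATTERNS}
    for m in PATTERNS["ssn"].finditer(text):
        if ssn_plausible(*m.groups()):
            hits["ssn"].append(mask_number(m.group(0)))
    for m in PATTERNS["credit_card"].finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            hits["credit_card"].append(mask_number(m.group(0)))
    for m in PATTERNS["email"].finditer(text):
        hits["email"].append(mask_email(m.group(0)))
    return hits


def evaluate(text: str) -> list:
    """Raise one event per data type whose validated hit count reaches its threshold."""
    events = []
    for name, masked in find_pii(text).items():
        if len(masked) >= THRESHOLDS[name]:
            events.append(PiiEvent(name, len(masked), masked[:3]))
    return events


# Constructed sample payload: three plausible SSNs, one with an invalid
# area (666), one Luhn-valid test card number, one card with a bad check
# digit, and one email address. Only the SSN threshold is reached.
SAMPLE_PAYLOAD = (
    "ssn=123-45-6789&ssn=219-09-9999&ssn=078-05-1120&ssn=666-12-3456"
    "&card=4111 1111 1111 1111&card=4111111111111112&mail=jdoe@example.com"
)

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_PAYLOAD):
        print(f"{ev.data_type}: {ev.count} hits, e.g. {ev.samples}")
```

Running it on the constructed payload raises a single SSN event with three masked samples; the lone valid card and the single email stay below their thresholds and produce nothing.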
Device Manager Features in Version 7.4.x
Note: Device manager support for Version 7.4 features begins with Version 7.4.1. This is because Version 7.4.0 is not available on any platforms that support device manager.
Feature | Description |
---|---|
Platform Features | |
Threat defense virtual for VMware on VMware vSphere/VMware ESXi 8.0. | You can now deploy threat defense virtual for VMware on VMware vSphere/VMware ESXi 8.0. Minimum threat defense: Version 7.4.2. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
Firepower 1010E support returns. | Support returns for the Firepower 1010E, which was introduced in Version 7.2.3 and temporarily deprecated in Version 7.3. |
Network modules for the Secure Firewall 3130 and 3140. | We introduced new network modules for the Secure Firewall 3130 and 3140. See: Cisco Secure Firewall 3110, 3120, 3130, and 3140 Hardware Installation Guide |
VPN Features | |
IPsec flow offload on the VTI loopback interface for the Secure Firewall 3100. | Upgrade impact. Qualifying connections start being offloaded. On the Secure Firewall 3100, qualifying IPsec connections through the VTI loopback interface are now offloaded by default. Previously, this feature was only supported on physical interfaces. This feature is automatically enabled by the upgrade. You can change the configuration using FlexConfig and the flow-offload-ipsec command. |
Interface Features | |
Merged management and diagnostic interfaces. | Upgrade impact. Merge interfaces after upgrade. For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available. If you upgraded to 7.4 or later, and you did not have any configuration for the diagnostic interface, then the interfaces merge automatically. If you upgraded to 7.4 or later, and you have configuration for the diagnostic interface, then you can either merge the interfaces manually or continue to use the separate diagnostic interface. Note that support for the diagnostic interface will be removed in a later release, so you should plan to merge the interfaces as soon as possible. Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including management) in the configuration. New/modified commands: show management-interface convergence |
Deploy without the diagnostic interface on threat defense virtual for Azure and GCP. | You can now deploy without the diagnostic interface on threat defense virtual for Azure and GCP. Azure deployments still require at least two data interfaces, but GCP requires that you replace the diagnostic interface with a data interface, for a new minimum of three. (Previously, threat defense virtual deployments required one management, one diagnostic, and at least two data interfaces.) Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
Inline sets for Firepower 1000 series, Firepower 2100, and Secure Firewall 3100. | You can configure inline sets on Firepower 1000 series, Firepower 2100, and Secure Firewall 3100 devices. We added the Inline Sets tab to the Interfaces page. |
Licensing Features | |
Changes to license names and support for the Carrier license. | Licenses have been renamed. In addition, you can now apply the Carrier license, which allows you to configure GTP/GPRS, Diameter, SCTP, and M3UA inspections. Use FlexConfig to configure these features. See: Licensing the System |
Administrative and Troubleshooting Features | |
Default NTP server updated. | Upgrade impact. The system connects to new resources. The default NTP servers have changed from sourcefire.pool.ntp.org to time.cisco.com. To use a different NTP server, select Device, then click Time Services in the System Settings panel. |
SAML servers for HTTPS management user access. | You can configure a SAML server to provide external authentication for HTTPS management access. You can configure external users with the following types of authorization access: Administrator, Audit Admin, Cryptographic Admin, Read-Write User, Read-Only User. You can use a Common Access Card (CAC) for login when using a SAML server. We updated the SAML identity source object configuration, and the page that accepts these objects. |
Detect configuration mismatches in threat defense high availability pairs. | You can now use the CLI to detect configuration mismatches in threat defense high availability pairs. New/modified CLI commands: show failover config-sync error, show failover config-sync stats |
Capture dropped packets with the Secure Firewall 3100. | Packet losses resulting from MAC address table inconsistencies can impact your debugging capabilities. The Secure Firewall 3100 can now capture these dropped packets. New/modified CLI commands: [drop {disable | mac-filter}] in the capture command. |
Firmware upgrades included in FXOS upgrades. | Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot. For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1+ now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware. Just as with software and operating system upgrades, do not make or deploy configuration changes during firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during firmware upgrade. |
Quick recovery after data plane failure for the Firepower 1000/2100 and Firepower 4100/9300. | When the data plane process on the Firepower 1000/2100 or the Firepower 4100/9300 crashes, the system reloads the process instead of rebooting the device. Reloading the data plane also restarts other processes, including Snort. If the data plane crashes during bootup, the device follows the normal reload/reboot sequence; this avoids a reload loop. This feature is enabled by default for both new and upgraded devices. To disable it, use FlexConfig. New/modified ASA CLI commands: data-plane quick-reload, show data-plane quick-reload status. New/modified threat defense CLI commands: show data-plane quick-reload status. Supported platforms: Firepower 1000/2100, Firepower 4100/9300. See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Secure Firewall ASA Series Command Reference. |
Upgrade Impact Features
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration. Having to enable a new setting or deploy a policy post-upgrade to take advantage of a new feature does not count as upgrade impact.
Note: Deploying can affect traffic flow and inspection; see the appropriate upgrade guide for details: Cisco Secure Firewall Threat Defense: Install and Upgrade Guides.
Tip: Features, enhancements, and critical fixes can skip releases; these skipped releases are usually short-term major versions or early maintenance releases for long-term major versions. To minimize upgrade impact, do not upgrade to a release that deprecates features. In most cases, you can upgrade directly to the latest maintenance release for any major version.
Upgrade Impact Features for Management Center
Check all releases between your current and target version.
Target Version | Features with Upgrade Impact |
---|---|
7.4.1+ | |
7.4.0+ | |
7.3.0+ | |
7.2.4+ | |
7.2.0+ | |
7.1.0+ | |
Upgrade Impact Features for Threat Defense with Management Center
Check all releases between your current and target version.
Target Version | Features with Upgrade Impact |
---|---|
7.4.1+ | |
7.3.0+ | |
7.2.4+ | |
7.2.0+ | |
7.1.0+ | |
7.0.5–7.0.x | |
Upgrade Impact Features for Threat Defense with Device Manager
Check all releases between your current and target version.
Target Version | Features with Upgrade Impact |
---|---|
7.4.1+ | |
7.3.0+ | |
7.2.4+ | |
7.1.0+ | |
Upgrade Guidelines
The following sections contain release-specific upgrade warnings and guidelines. You should also check for features and bugs with upgrade impact. For general information on time/disk space requirements and on system behavior during upgrade, see the appropriate upgrade guide (see For Assistance).
Upgrade Guidelines for Management Center
Target Version | Current Version | Guideline | Details |
---|---|---|---|
7.4.1.x | 7.4.1 | Migration failure: do not migrate to management center Version 7.4.1 if you are using Security Intelligence. | Patch the target management center to Version 7.4.1.1 before you begin migration. The source management center can continue to run Version 7.4.1. For more information on model migration, see the Cisco Secure Firewall Management Center Model Migration Guide. |
7.3.x–7.4.0 | 7.2.6–7.2.x | Upgrade not recommended: Version 7.2.6–7.2.x to Version 7.3.x–7.4.0. | Upgrading is supported, but will remove critical fixes and enhancements that are included in your current version. Instead, upgrade to Version 7.4.1+. |
Upgrade Guidelines for Threat Defense with Device Manager
Target Version | Current Version | Guideline | Details |
---|---|---|---|
7.4.x | 7.0.0–7.4.x | Reimage prohibited: Firepower 4100/9300 to Version 7.4.2+ on FXOS 2.14.1.131 or 2.14.1.143. | Although we document that FXOS 2.14.1.163+ is required for threat defense 7.4.x, this is for reimaging to 7.4.2+. If you are already running an earlier FXOS 2.14.1 build, you can successfully upgrade to 7.4.2+ without upgrading FXOS (CSCwf64429). Note that in most cases, we recommend the latest FXOS build for reimages and upgrades. For more information, see the Cisco Firepower 4100/9300 FXOS Release Notes. |
Upgrade Guidelines for Threat Defense with Management Center
Target Version | Current Version | Guideline | Details |
---|---|---|---|
7.4.x | 7.0.0–7.4.x | Reimage prohibited: Firepower 4100/9300 to Version 7.4.2+ on FXOS 2.14.1.131 or 2.14.1.143. | Although we document that FXOS 2.14.1.163+ is required for threat defense 7.4.x, this is for reimaging to 7.4.2+. If you are already running an earlier FXOS 2.14.1 build, you can successfully upgrade to 7.4.2+ without upgrading FXOS (CSCwf64429). Note that in most cases, we recommend the latest FXOS build for reimages and upgrades. For more information, see the Cisco Firepower 4100/9300 FXOS Release Notes. |
7.4.1 | 7.1.x, 7.0.0–7.0.2 | Unregister and reregister devices after reverting threat defense. | If you revert from Version 7.4.1 to Version 7.0.0–7.0.2 or to Version 7.1.x, unregister and reregister devices after the revert completes (CSCwi31680). |
7.2.0–7.6.x | 6.7.0–7.1.x | Upgrade prohibited: threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+. | You cannot upgrade threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+. You must deploy a new instance. |
Upgrade Guidelines for the Firepower 4100/9300 Chassis
In most cases, we recommend you use the latest FXOS build in each major version. For release-specific FXOS upgrade warnings and guidelines, as well as features and bugs with upgrade impact, see the FXOS release notes. Check all release notes between your current and target version: http://www.cisco.com/go/firepower9300-rns.
Upgrade Path
Planning your upgrade path is especially important for large deployments, multi-hop upgrades, and situations where you need to coordinate chassis, hosting environment or other upgrades.
Upgrading the Management Center
The management center must run the same or newer version as its devices. Upgrade the management center to your target version first, then upgrade devices. If you begin with devices running a much older version than the management center, further management center upgrades can be blocked. In this case perform a three (or more) step upgrade: devices first, then the management center, then devices again.
Upgrading Threat Defense with Chassis Upgrade
Some devices may require a chassis upgrade (FXOS and firmware) before you upgrade the software:
-
Secure Firewall 3100/4200 in multi-instance mode: Any upgrade can require a chassis upgrade. Although you upgrade the chassis and threat defense separately, one package contains the chassis and threat defense upgrades and you perform both from the management center. The compatibility work is done for you. It is possible to have a chassis-only upgrade or a threat defense-only upgrade.
-
Firepower 4100/9300: Major versions require a chassis upgrade.
Because you upgrade the chassis first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of threat defense. If the chassis is already well ahead of its devices, further chassis upgrades can be blocked. In this case perform a three (or more) step upgrade: devices first, then the chassis, then devices again. Or, perform a full reimage. In high availability or clustered deployments, upgrade one chassis at a time.
Supported Direct Upgrades
This table shows the supported direct upgrades for management center and threat defense software. Note that although you can upgrade directly to major and maintenance releases, patches change the fourth digit only. You cannot upgrade directly to a patch from a previous major or maintenance release.
For the Firepower 4100/9300, the table also lists companion FXOS versions. If a chassis upgrade is required, threat defense upgrade is blocked. In most cases we recommend the latest build in each version; for minimum builds see the Cisco Secure Firewall Threat Defense Compatibility Guide.
Rows give the current version; columns give the target software version. The first row gives the companion Firepower 4100/9300 FXOS version for chassis upgrades.
Current Version | 7.6 | 7.4 | 7.3 | 7.2 | 7.1 | 7.0 | 6.7 | 6.6 | 6.5 | 6.4 | 6.3 |
---|---|---|---|---|---|---|---|---|---|---|---|
Firepower 4100/9300 FXOS Version for Chassis Upgrades | 2.16 | 2.14 | 2.13 | 2.12 | 2.11 | 2.10 | 2.9 | 2.8 | 2.7 | 2.6 | 2.4 |
7.6 | YES | — | — | — | — | — | — | — | — | — | — |
7.4 | YES | YES † | — | — | — | — | — | — | — | — | — |
7.3 | YES | YES | YES | — | — | — | — | — | — | — | — |
7.2 | YES | YES | YES | YES | — | — | — | — | — | — | — |
7.1 | YES | YES | YES | YES | YES | — | — | — | — | — | — |
7.0 | — | YES | YES | YES | YES | YES | — | — | — | — | — |
6.7 | — | — | — * | YES | YES | YES | YES | — | — | — | — |
6.6 | — | — | — | YES | YES | YES | YES | YES | — | — | — |
6.5 | — | — | — | — | YES | YES | YES | YES | — | — | — |
6.4 | — | — | — | — | — | YES | YES | YES | YES | — | — |
6.3 | — | — | — | — | — | — | YES | YES | YES | YES | — |
6.2.3 | — | — | — | — | — | — | — | YES | YES | YES | YES |
* You cannot upgrade from Version 6.7.x to 7.3.x. You can, however, manage Version 6.7.x devices with a Version 7.3.x management center.
† You cannot upgrade threat defense to Version 7.4.0, which is available as a fresh install on the Secure Firewall 4200 only. Instead, upgrade your management center and devices to Version 7.4.1+.
Bugs
For bugs in earlier releases, see the release notes for those versions. For cloud deployments, see the Cisco Cloud-Delivered Firewall Management Center Release Notes.
Important: We do not list open bugs for most maintenance releases or patches. Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated' date does not mean that the list was fully accurate on that date—only that some change was made. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. If you have a support contract, you can obtain up-to-date bug lists with the Cisco Bug Search Tool.
Open Bugs in Version 7.4.0
Table last updated: 2023-09-11
| Bug ID | Headline |
|---|---|
| | Deploy failure when flow export destinations are swapped or port value changed |
| | IDP SAML missing filter in Zero Trust Policy shows all groups have missing IDP data |
| | New User activity page does not display events for Special Identities Realm |
| | Azure AD sessions do not get removed after disabling subscription or changing ISE configuration |
| | Importing a realm with a proxy will fail |
| | Editing CSDAC dynamic attribute filter throwing Internal Error |
| | OSPFv3 BFD sessions not coming up for more than 7 |
| | PBR configuration using User Identity is not migrated during FTD migration to cdFMC |
| | Save button disabled when updating Zero Trust Policy |
| | New SRU is not immediately installed upon management center upgrade |
| | 4200 Series: Portchannel in cluster may stay down sometimes when LACP is in active mode |
| | EventHandler should not log warning if it fails to open a unified file when the file doesn't exist |
Resolved Bugs in Version 7.4.2.1
Table last updated: 2024-10-09
| Bug ID | Headline |
|---|---|
| | Time sync status and error message do not elaborate NTP server rejection case |
| | FTW no longer working in NM3 on Warwick |
| | Cisco Secure Client Unable to complete connection. Cisco Secure Desktop not installed on the client. |
| | TLS Handshake Fails if Fragmented Client Hello Packet is Received Out of Order |
| | FMC on upgrade results in FTDv losing its performance tier |
| | Snort2 SSL decryption with known key fails on Chrome v124 and above. |
| | Snort2 - SSL decryption failing and some websites not loading on Chrome v124+ |
| | ENH: Add application support for blocking consecutive AAA failures on LINA |
| | SGT INLINE-TAG added after upgrade to 7.4.x |
| | ASA might traceback and reload due to ssh/client hitting a null pointer while using SCP. |
| | NTP is not synchronising when using SHA-1 authentication |
| | FXOS upgrade failure due to insufficient free space in /mnt/pss (isan.log consumes most of space) |
| | DAP policies not working with attribute TRUE/FALSE |
| | Traffic outage due to 9k block depletion (tcpmod proc) observed on FPR 3100 (HA) |
| | Unable to create MI FTD in TPK chassis |
| | FTD: Username missing in syslog message ID 302013 after upgrade to 7.4.1 |
| | Snort AppID incorrectly identifies SSH traffic as Unknown |
| | HW: 3110 not rebooting after power outage, requiring manual power cycle |
| | FTD - Multi-Instance, docker0 interface overlap with private network 172.17.0.0/16 |
| | FMC4700 displays premature fan speed alerts |
| | After FMC upgrade results in standby FTDv losing its performance tier for FTD HA |
| | Crash handler notification for snort3 failure not being sent in MI setup. |
Resolved Bugs in Version 7.4.2
Table last updated: 2024-07-31
Bug ID |
Headline |
---|---|
FMC HA synchronisation task failures should generate alarms |
|
Remove Syslog Messages 852001 and 852002 in Firewall Threat Defense |
|
FXOS does not retry NTP sync with servers |
|
IKEv2 debugs: Received Policies and Expected Policies are empty |
|
Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
|
Prevention of RSA private key leaks regardless of root cause. |
|
mgmt interface taking long time to come up and causing cluster registration issues |
|
Deleting a routed mode Etherchannel interface changes member interfaces to switch port mode |
|
FMC 7.0.2 Deployment error message is irrelevant | Deployment Failed due to configuration error |
|
Unnecessary FAN error logs needs to be removed from thermal file |
|
ssl policy errors: Unable to get server certificate's internal cached status |
|
ASA traceback and reload on Datapath process |
|
Device Management Applied Policies Widget Defaulting to classic theme when editting |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ENH: Combine firmware bundle packages into FXOS MIO update packages |
|
ASA/FTD: Improve GTP Inspection Logging |
|
ASA/FTD: GTP Inspection engine serviceability |
|
Classic and Unified Events should handle cases when SMC is unreachable |
|
FTD: CLISH slowness due to command execution locking LINA prompt |
|
Cisco-Intelligence-Feed - Failed to download due to timeout |
|
Consul and Consul Enterprise allowed an authenticated user with service: |
|
Snort3 is crashing frequently on cd_pdts.so |
|
Deployment fails to FTD when reusing/reassigning existing vlan id to diff interface |
|
Cannot copy rules from one policy to another policy using the new AC policy UI |
|
ASA/FTD Cluster: Change "cluster replication delay" with max value increase from 15 to 50 sec |
|
FTD: ADI.conf - send_s2s_vpn_events is set to 0, even after applying s2s vpn health policy |
|
HashiCorp Vault's implementation of Shamir's secret sharing used precomp |
|
FMC deploy logs rotating faster because of /internal_rest_api/accesscontrol/rapplicationsavailable |
|
Error loading data in NAT page - When unused port object is used |
|
AC policy change is not reflected in instance page on edit |
|
Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used |
|
show version system prints errors about PM_Control.sock |
|
Identity Policy Active auth snort3 redirect hostname doesn't list all FQDN objects |
|
Failing to download FTD image via SAML SSO login |
|
ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0 |
|
ASA/FTD traceback and reload on thread DATAPATH |
|
Management UI presents self-signed cert rather than custom CA signed one after upgrade |
|
Incorrect exit interface chosen for VTI traffic next-hop |
|
SNMP is not working on the primary active ASA unit in multi-context environment |
|
ASA crashed with Saml scenarios |
|
FXOS: Remove enforcement of blades going into degraded state after multiple DIMM correctable errors |
|
ASA: Traceback and reload when switching from single to multiple mode |
|
snort3 crashes observed due to memory corruption in file api |
|
ASA/FTD: 1 Second failover delay for each NLP NAT rule |
|
Getting an exception on the UI while editing and saving the intrusion policy |
|
Extensive logging for a problematic deployment caused logs to rollover important logs |
|
Strong Encryption license is not getting applied to ASA firewalls in HA. |
|
FTD/ASA traceback and reload may occur when ssl packet debugs are enabled |
|
Save button disabled when updating ZTNA policy |
|
ASA/FTD may traceback and reload in Thread Name 'dns_cache_timer' |
|
Vulnerabilities in linux-kernel 5.10.79 CVE-2023-3111 and others |
|
Message asa_log_client exited 1 time(s) seen multiple times |
|
The html/template package does not apply the proper rules for handling o |
|
Improve CPU utilization in ssl inspection for supported signature algorithm handling |
|
FMC Deployment failure in csm_snapshot_error |
|
ASA does not send 'warmstart' snmp trap |
|
FMC Deployment failed due to internal errors after upgrade |
|
LINA would randomly generate a traceback and reload on FPR-1K |
|
NAT pool is not working properly despite not reaching the 32k object ID limit. |
|
FDM: Allow turn on/off GSP mempool polling via Flexconfig |
|
FTD Upgrade from 6.6.5 to 7.2.5 removing OGS causing rule expansion on boot |
|
LINA show tech-support fails to generate as part of sf_troubleshoot.pl (Troubleshoot file) |
|
Firepower WCCP router-id changes randomly when VRFs are configured |
|
WM DT - ASA in transparent mode doesn't send equal IPv6 Router Advertisement packets to all nodes |
|
A flaw was found in QEMU. The async nature of hot-unplug enables a rac |
|
ENH: FMC - Ability to Filter Security Zone in Interface Drop Down Selection |
|
ASA traceback under match_partial_keyword during CPU profiling |
|
Reload takes forever when reload command is issued on the lina prompt when devices are on HA |
|
FMC Primary disk degraded error |
|
In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a |
|
No error message is given when deleting object referred in new object created in another ticket |
|
ASA/FTD HA pair EIGRP routes getting flushed after failover |
|
ASA/FTD: Traceback and reload on thread name CP Crypto Result Processing |
|
Cannot configure Correlation rule because there are no values for GID that exceed 2000 |
|
In FPR4200/FPR3100 cluster, core file "core.lina" observed on device reboot. |
|
Disconnecting RA VPN users from the FMC gui fails. |
|
Backup restore: silent failure when the device managed locally |
|
FTD: Internal certificate generation results in certificate and private key mismatch |
|
Need ability to configure SSH public key auth without using root shell |
|
FMC plain-text passwords for radius server and certificate passphrase |
|
FTD: Traceback in threadname cli_xml_request_process |
|
crypto_archive file generated after the software upgrade. |
|
Random FTD snort3 traceback |
|
Last Rule hit shows a hex value ahead of current time in ASA and ASDM |
|
An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c i |
|
Init process spikes to 100% CPU usage after a failed backup |
|
Unexpected traceback on thread name Lina and device experienced reboot |
|
GTP connections, under certain circumstances do not get cleared on issuing clear conn. |
|
Datapath hogs causing clustering units to get kicked out of the cluster |
|
Management DNS Servers may be unreachable if data interface is used as the gateway |
|
syslog not generated "ASA-3-202010: NAT pool exhausted" while passing traffic from iLinux to oLinux |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-34-17852' |
|
Event search with URL object ${example} is displaying no results |
|
FTD VMWare tracebacks at PTHREAD-3587 |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Connection drops during file transfers due to HeartBeat failures |
|
Thirty-day automatic upgrade revert-info deletion is not resilient to communication failures |
|
FMC clean_revert_backup script fails silently without creating any logs |
|
FTD sends multiple replicated NetFlow records for the same flow event |
|
SSX Eventing continues to go to old tenant upon FTD migration to CDO. |
|
FTD 1120 standby sudden reboot |
|
SNMP Unresponsive when snmp-server host specified |
|
Traceback on FP2140 without any trigger point. |
|
Daily Change Reconciliation Report Randomly Generating Reports with the same time periods |
|
FTD upgrade failing on script 999_finish/999_zz_install_bundle.sh |
|
Certificate Encoding Issue when using AnyConnect cert Authentication/Authorisation |
|
ASA/FTD traceback and reload on thread DATAPATH |
|
FMC backup fails with "Registration Blocking" failure caused by DCCSM issues |
|
FTD OSPFV3 IPV6 Routing: FTD is sending unsupported extended LSA request to neighbor routers |
|
HTTP/2 Rapid Reset Attack Affecting Cisco Products: October 2023 - Golang |
|
ASA cluster traceback Thread Name: DATAPATH-8-17824 |
|
Debug messages seen on console on executing show tech-support fprm detail |
|
Hardware bypass not working as expected in FP3140 |
|
Source of the VTI interface is getting empty |
|
ASA/FTD - may traceback and reload in Thread Name 'Unicorn Proxy Thread' |
|
ASA traceback and reload during ACL configuration modification |
|
FMC does not generate email health notifications for Database Integrity Check failures. |
|
CP Session Handling for per site auth is inaccurate for Cluster break and join scenarios |
|
Error Text is repeated twice for Interface config if pool range is less than Cluster Nodes plus 1 |
|
Firewall traceback and reload due to SSH thread |
|
FMC-4600: Pre-Filter policy is showing as none |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-13-6022' |
|
Fail open snort-down is off in inline pairs despite it being enabled and deployed from FMC |
|
VPN load-balancing cluster encryption using Phase 2 deprecated ciphers |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to a watchdog in 9.16.3.23 code |
|
ASA/FTD high memory usage due to SNMP caused by RAVPN OID polling |
|
FTD with may traceback in data-path during deployment when enabling TAP mode |
|
FailSafe admin password is not properly sync'd with system context enable pw |
|
HA CP clients statistics doesn't show actual Tx/Rx and Reliable Tx/Rx |
|
Python 3.x through 3.10 has an open redirection vulnerability in lib/h |
|
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server.Th |
|
An issue was discovered in the Linux kernel before 6.5.9, exploitable |
|
A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` |
|
A heap out-of-bounds write vulnerability in the Linux kernel's Linux K |
|
Standby manager addition is failed on Primary FMC due to previous entries in table |
|
Stale HA transactions need to be moved to failed and subsequent HA transaction needs to be created |
|
Device/port-channel goes down with a core generated for portmanager |
|
In FIPS mode, External auth with TLS config enabled, CLI logins are not working (FMC & FTDs) |
|
FMC Analysis Vulnerabilities error "Unable to process this query. Please try the query again." |
|
ASA : Modifying a route-map in one context affects other contexts |
|
ASA SNMP OID cpmCPUTotalPhysicalIndex returning zero values instead of CPU index values |
|
Stale asp entry for TCP 443 remains on standby after changing default port |
|
User assigned to a read only custom role is not able to view content of intrusion policy for snort2 |
|
EIGRP migration failed using 'FlexConfig Policies' script failed generating database corruption |
|
Cisco FXOS Software Link Layer Discovery Protocol Denial of Service Vulnerability |
|
Error Fetching Data in Exclude Policy Page when non permanent exclude periods are selected |
|
Deployment stuck on FMC when device goes down during deploy and doesn't boot up |
|
Alert: Decommission failed, reason: Internal error is not cleared from FCM or CLI after acknowledge |
|
file-extracts.logs are not recognised by the diskmanager leading to High disk space |
|
cdFMC: Table View of Rule Update Import Log UI is throwing error, unable to check SRU update log |
|
PSU fan shows critical in show environment output while operating normally |
|
FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions |
|
ASA/FTD: SSL VPN Second Factor Fields Disappear |
|
Username-from-certificate secondary attribute is not extracted if the first attribute is missing |
|
ipv6 table flush exception when cli_firstboot installs bootstrap configuration multi instance |
|
ASA: Snmpwalk shows "No Such Instance" for the OID ceSensorExtThresholdValue |
|
After importing AC policy, Realm is not present in UI causing validation error for Azure AD users |
|
Unable to SSH into FTD device using External authentication with Radius |
|
tls website decryption breaks with ERR_HTTP2_PROTOCOL_ERROR |
|
FTD Upgrade logs should contain the certificate name or files |
|
TLS1.3: core decode points to tls_trk_try_switch_to_bypass_aux() |
|
use kill tree function in SMA instead of SIGTERM |
|
Detailed logging related to reason behind sub-interface admin state change during operations |
|
ASA/FTD traceback and reload due to file descriptor limit being exceeded |
|
Health Monitor Alerts set in Global are not sending alert from devices assigned in leaf domain |
|
Hostnames are replaced with IP addresses in alert email content |
|
Module name displayed in the alert got changed and it is differ from the one set in FMC |
|
FTD HA should not be created partially on FMC |
|
FDM deployment failure |
|
Policy Apply failed moving from FDM to FMC |
|
Hairpinning of DCE/RPC traffic during the suboptimal lookup |
|
Deployment fails on new AWS FTDv device with "no username admin" |
|
FTD HA Failure after SNORT crash. |
|
ASA/FTD: Traceback and reload when running show tech and under High Memory utilization condition |
|
Umbrella Profile and others cleared incorrectly when editing group policy in the UI |
|
MonetDB startup enhancement to clean up large files |
|
Radius traffic not passing after ASA upgrade to version 9.18.2 and above. |
|
installing GeoDB country code package update to FMC does not automatically push updates to FTDs |
|
ASA/FTD may traceback and reload in Thread Name IKEv2 Daemon |
|
Deployment fails if Network Discovery policy reference is missing from FMC Database |
|
ASA traceback and reload on Thread Name: DATAPATH |
|
GTP inspection dropping packets with IE 152 due to header length being invalid for IE type 152 |
|
FMC Validation failure for large object range and success for object network in NAT64 |
|
low memory/stress causing traceback in SNMP |
|
Monetdb having 14GB of unknown BAT data causing "High unmanaged disk usage on /Volume" |
|
Snort3 traceback with fqdn traffics |
|
ASA/FTD: DNS Load Balancing with SAML does not work with VPN Load Balancing |
|
ASA/FTD: Cluster incorrectly generating syslog 202010 for invalid packets destined to PAT IP |
|
FTD drops double tagged BPDUs. |
|
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11. |
|
FTDv may traceback and reload in Thread Name 'PTHREAD-3744' when changing interface status |
|
API:/operational/commands not working as swagger indicates |
|
"Update file is corrupted" for "Download Latest Cisco Firepower Geolocation Database Update." in FMC |
|
ASA traceback and reload on Thread Name: pix_flash_config_thread |
|
Sftunnel DEBUG level not logged on FMC/FTD after running DEBUG script |
|
Update logs - SSP object serialization during HA |
|
A flaw was found in the 9p passthrough filesystem (9pfs) implementatio |
|
Before Go 1.20, the RSA based TLS key exchanges used the math/big libr |
|
ASA|FTD Traceback & reload in thread name Datapath |
|
Event Searching with Objects and Networks Leads to only showing events matching Objects |
|
Threat Defense Service Policy - Reset Connection Upon Timeout not working |
|
Their standalone FTD running 7.2.2 on FPR-4112 experienced a traceback on the SNMP module |
|
Error while trying to push SNMP configuration using API |
|
Snort3 crash with race conditions |
|
Filtering the Malware Events table by IP address removes events which should remain in the results. |
|
Service object-group protocol type mismatch error seen while access-list referencing already |
|
Unable to sync more than 100 environment-data with data unit |
|
SSL protocol settings does not modify the FDM GUI certificate configuration or disable TLSv1.1 |
|
Decryption policy page is empty if user that modified/created policy was deleted. |
|
413 Request Entity Too Large error due to cookies added by FMC/Amplitude |
|
ASA/FTD : Port-channels remain down on Firepower 1010 devices after upgrade |
|
7.4 - If policy save in progress deploy might indicate failure for only few devices |
|
The "show asp drop" command usage requires better updates for cluster-related drops |
|
Interface fragment queue may get stuck at 2/3 of fragment database size |
|
Readiness check failed on vFTD during upgrade from 741-172 to 760-1270 |
|
Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic |
|
ASA Traceback and reload on Thread Name "fover_parse" on Standby after Failover Group changes |
|
Internal error when attempting to configure PBR in FMC |
|
HMS process crash - "interface conversion: interface {} is nil, not map[string]interface {}" |
|
Blocking SMB traffic with reason "Blocked by the firewall preprocessor" |
|
Suppress "End of script output before headers" syslog on FXOS |
|
Multiple lina cores on 7.2.6 KP2110 managed by cdFMC |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
High disk usage caused by large write-ahead log in eventdb |
|
ZTNA: FMC doesn't accept IdP with local domain |
|
A malicious HTTP sender can use chunk extensions to cause a receiver r |
|
strongSwan before 5.9.12 has a buffer overflow and possible unauthenti |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
CVE-2023-51385 (Medium Sev) In ssh in OpenSSH before 9.6, OS command injection might occur if a us |
|
Debugs failed to be enabled on SSH session |
|
The SSH transport protocol with certain OpenSSH extensions, found in ... (CVE-2023-48795) |
|
ASA/FTD Traceback and reload related to SSL/DTLS traffic processing |
|
SFDataCorrelator timeout thread deadlock detection core on busy FMC |
|
Threat Defense Upgrade wizard might incorrectly show clusters/HAs as disabled |
|
Null pointer dereference in SNMP that results in traceback and reload |
|
ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert. |
|
MonetDB memory usage grows slowly over time |
|
traceback and reload around function HA |
|
Correlation policy does not work when condition of the rule is "Intrusion Policy" is XXX |
|
DHCPv6:ASA traceback on Thread Name: DHCPv6 CLIENT. |
|
Lina traceback on RAVPN connection after enabling webvpn debug |
|
WARN msg(speed not compatible, suspended) while creating port-channel on Victoria CE |
|
The report doesn't include "Default Variables" information after change "Variable Sets" name |
|
ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
|
FMC: Packet-tracer showing a "Interface not supported" error for VLAN interfaces |
|
Devices might change status to "missing the upgrade package" after Readiness Check is initiated |
|
FMC configured DAP rule with Azure IDP SAML attributes does not match |
|
Product Upgrades page: Download action creates a lot of "uninitialized value" error messages in log |
|
A heap out-of-bounds write vulnerability in the Linux kernel's Perform |
|
A use-after-free vulnerability in the Linux kernel's ipv4: igmp compon |
|
A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classifie |
|
During FMC hardware migration failure encountered due to missing prometheus directories |
|
Continuous snmpd restarts observed if SNMP host is configured before the IP is configured |
|
ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsynced umbrella flow |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
upgrade of FMC to 7.2.x removes FlexConfig-provided EIGRP authentication from interfaces on FTDs |
|
Intermittent Packet Losses When VTI Is Sourced From Loopback |
|
Firewall is in App Sync error in pseudo-standby mode and uses IPs from Active unit |
|
standard error (stderr) not inserted into restore.log when restoring FMC backups |
|
Download failed for Available Upgrade Packages |
|
"Stream: TCP normalization error in NO_TIMESTAMP" is seen when SSL Policy decrypt all is used |
|
Unable to delete custom DNS Server Group Object post upgrade 7.2.x |
|
FTD: Improve or optimize LSP package verification logic to run it faster |
|
ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA |
|
Configuring MTU value via CLI does not apply |
|
Standby FTD experiencing periodic traceback and reload |
|
Memory exhaustion due to absence of freeing up mechanism for tmatch |
|
Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently |
|
FP2100/FP1000: ASA Smart licenses lost after reload |
|
ASDM connection lost issue is observed in ASAv device due to config issue |
|
It was discovered that when exec'ing from a non-leader thread, armed P |
|
A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTL |
|
An out-of-bounds memory write flaw was found in the Linux kernel's Tra |
|
41xx/93xx : Update CiscoSSH (Chassis Manager FXOS) to address CVE-2023-48795 |
|
tds-cloud-events.json getting updated from both cdFMCs (ftd migration from 1 tenant to another) |
|
FDM deployment fails with error "Some interfaces have been added to or removed from the device" |
|
IKEv2 client services is not getting enabled - XML profile is not downloaded |
|
FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy |
|
some ssh sessions not timing out, leading to ssh and console unable to connect to the FXOS CLI |
|
FMC: Add logging for PM functions |
|
Policy Deployment Fails when removing the Umbrella DNS Policy from Security Intelligence |
|
FMC API Call for Network Object Overrides Returns Different Results for Active vs Standby FW |
|
Incorrect Timezone Format on FTD When Configured via FXOS |
|
Snort stripping packet information and injects its packet with 0 bytes data |
|
singlevar in lparser.c in Lua from (including) 5.4.0 up to 5.4.4 |
|
An issue in the component luaG_runerror of Lua v5.4.4 and below leads to ... |
|
HTTP/HTTPS detection for application needs to fail its detection earlier |
|
ACP page goes blank or error thrown if one of the ACP rules has user created app filter |
|
MonetDB Monitor triggers for restarting MonetDB based on WAL size are not effective |
|
ASA CLI hangs with 'show run' on multiple SSH |
|
Incorrect Variable set in derived policy when derived policy is same as default. |
|
Upgrade Failed with error "Upgrade failed because of undeployed changes present on the device" |
|
TLS Server Identify: 'show asp table socket' output shows multiple TLS_TRK entries |
|
A use-after-free flaw was found in the __ext4_remount in fs/ext4/super |
|
External Radius authentication fails post upgrade if radius key includes special characters |
|
SFData correlator keep terminating on FTDs configured for IDS |
|
Traceback and reload on Primary unit while running debugs over the SSH session |
|
Every realm sync indicates an access control policy change |
|
Cisco ASA and FTD Software Command Injection Vulnerability |
|
FTD/ASA system clock resets to year 2023 |
|
Access to website via Clientless SSL VPN Fails |
|
ASA SNMP Polling Failure for environmental FXOS DME MIB (.1.3.6.1.4.1.9.9.826.2) |
|
Heap-use-after-free in Discovery Filter on Snort shutdown |
|
7.2 - Deployment doesn't timeout, runs for hours after LSP install |
|
Check metadata cache size when generating retrospective events |
|
A flaw was found in the networking subsystem of the Linux kernel withi |
|
Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulner |
|
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab |
|
"crypto ikev2 limit queue sa_init" resets after reboot |
|
FTD: Hostname Missing from Syslog Message |
|
FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average |
|
SSH/SNMP connections to non-admin contexts fail after software upgrade |
|
Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall. |
|
ASA traceback and reload after configuring capture on nlp_int_tap and deleting context |
|
FTD traceback assert in vni_idb_get_mode and reloaded |
|
Tomcat restarts in the middle of the LTP flow due to certificate update |
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
Policy deployment failure rollback didn't reconfigure the FTD devices |
|
FMC: Multiple Email address in Email Alert not working |
|
Snort process spamming syslog-ng messages so that on KP platform syslog-ng is being killed |
|
Backup failures need to be displayed with the correct state on GUI |
|
ASA Checkheaps traceback while entering same engineID twice |
|
Backup generation on FDM fails with the error "Unable to backup Legacy data." |
|
pmtool restart of monetdb fails to bring up monetdb, too many files in monetdb Volume directory |
|
SFDataCorrelator creates huge numbers of to_import files when MonetDB table partition creation fails |
|
FMC : Health Monitor Alert is not properly issued regarding disk usage |
|
vFMC25 OCI to vFMC300 OCI migration failed 'Migration from Y to a is not allowed.' |
|
In Spoke dual ISP case if ISP2 is down, VTI tunnels related to ISP1 flapping. |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion |
|
FMC Server Certificate shows Only First 20 Objects |
|
ASA upgrade from 9.16 to 9.18 causing change in AAA ldap attribute values by adding extra slash '\' |
|
"pmtool restartbyid <invalid id>" should give some indication of error |
|
Deployment failure due to exceeding logging event list name size |
|
libuv is a multi-platform support library with a focus on asynchronous |
|
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1 |
|
FMC: fireamp generating too many logs |
|
FTD: HostScan scanning results not processed in version 7.4.1 |
|
cdFMC Multiple health monitor widgets throwing Error while fetching data |
|
Upload files through Clientless portal is not working as expected after the ASA upgrade |
|
BBManager text based search - lucene |
|
User not entitled for packet captures, is still able to open it from the Device Management |
|
Unable to remove suppression from snort3 rule once added |
|
FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU) |
|
In Snort 3 policy editor, selecting a Rule Action of "Rule Action" causes UI to spin indefinitely |
|
The secondary device reloaded while rebooting the primary device. |
|
Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
|
Bailout when lina_io_write fails persistently with EPIPE errno. |
|
Never expiring machine user not logged out at various places |
|
Policy cache cleanup thread should cleanup any cache that is left open for a logged out session |
|
Crypto IPSEC SA Output Showing NO SA ERROR With IPSEC Offload Enabled |
|
fpr1k/2k/3k/4200:Need ability to configure SSH public key auth without using root shell |
|
FMC: Upgrade fails at "800_post/991_update_scheduled_tasks.pl" |
|
SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
|
Page getting expanded while getting continuous task notifications |
|
FP2110: When Leaving On-Box (FDM) Mode Platform API Fails |
|
Issues with FMC Deployment preview (Advanced Preview) |
|
PM restart needs to be blocked or warn the user that it may cause a reboot |
|
FMC - Inheritance Settings Select Base Policy Menu disappears while scrolling using Light or Dusk UI |
|
In Object page able to delete and create system provided object |
|
Object optimisation gets disabled on FMC if next deployment is after two hours |
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
ASA: Warning messages not displayed when Static interface NAT are configured |
|
FTDv reloads and generate backtrace after push EIGRP config |
|
FTD with Interface object optimization enabled is blocking traffic after renaming of zone names |
|
Active unit goes to disabled state when there is a mismatch in firewall mode |
|
Lina traceback and reload due to mps_hash_memory pointing to null hash table |
|
After upgrading the ASA, "Slot 1: ATA Compact Flash memory" shows a different value |
|
extra file check is not reporting with pmtool SecureLSP lsp-rel-xxx command |
|
LSP Deployment fails in multi instance FP 41xx / 93xx |
|
Rabbitmq queues on FMC vHost may not be cleaned up after element removal |
|
CCM ID 68 - LTS21 - CISCO_LTS21_R2160 release branch |
|
FTD/ASA : CSR generation with comma between "Company Name" attribute does not work as expected |
|
FMC shows a non-User-Friendly Error during a Policy Deployment failure due to snapshot failure |
|
Rest API '/devices/devicerecords' is returning mismatch of values for (RA VPN) policy object id |
|
Identity Mapping Filter field gets updated with newly created network objects. |
|
Lina contains outdated libexpat source code |
|
Snort3: SQL traffic failure after upgrade due to large invalid sequence numbers and invalid ACKs |
|
Health Policy Configuration - Unable to remove device from the policy |
|
SFDataCorrelator memory leak after unregistering an active device |
|
3140 3 MI instances upgrade failed |
|
Addition of debugs & a show command to capture the ID usage in the CTS SXP flow. |
|
TLS Secure Client sessions cannot be established on ASA 9.19 and 9.20 |
|
Clientless VPN users are unable to reach pages with HTTP Basic Authentication |
|
ASA/FTD may traceback and reload while handling DTLS traffic |
|
Snort3 event PCAPs contain only header data when decrypting HTTP/2 |
|
IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal |
|
ASA/FTD Cluster memory exhaustion caused by NAT process during release of port blocks allocations |
|
Command to show counters for access-policy filtered with a source IP address gives incorrect result |
|
Multiple context interfaces fail to pass traffic |
|
rsync is not happening to standby unit when performing OOB changes on active unit. |
|
ASA traceback with thread name SSH |
|
High latency observed on FPR3120 |
|
SFDataCorrelator memory growth when pruning a huge number of old service identities |
|
Unable to approve ticket due to monitored int in HA and getting Error to contact Cisco Support. |
|
FMC 7.3 Deployment failed due to OOM in PBR Configuration |
|
Backups fail on multi-instance with error "Backup died unexpectedly" |
|
Additional memory tracking in SFDataCorrelator |
|
ASA/FTD may traceback in Threadname: **CTM KC FPGA stats handler** |
|
FTD-HA creation is failing because FMC takes longer time to save overrides. |
|
FTD-HA upgrade fails to start - Configuration is out of sync between active and standby |
|
CCM ID LTS21-100 with RCPL21 update |
|
SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets |
|
When a route-map is set in RIP routing on FTD, route updates are not working after FTD reload |
|
Stale Health Alerts seen on the UMS after model migration |
|
ASA traceback and reload when accessing file system from ASDM |
|
SFDataCorrelator high memory usage when restart with large network map hosts |
|
4200s have high UDP latency at low packet rates. |
|
Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
|
SSE connection events, FirewallRuleList field is not sent in proper format |
|
All IPV6 BGP routes configured in device flapping |
|
Snort creating too many snort-unified log files when frequent policy deploys |
|
Large write-ahead log may leave monetdb in disabled state |
|
FMC backup remote server copy to Solar Winds remote server failing after upgrading to 7.x versions. |
|
Radius secret key of over 14 characters for external authentication does not get deployed (FPR3100) |
|
ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload. |
|
FPR3K loses connectivity to FMC via mgmt data interface on reboot of FPR3K |
|
FDM1010E 7.4.1 unable to register to SA, getting "Invalid entitlement tag" |
|
False positive ISE bulk download alert error seen on FMC |
|
FMC REST API not sending 'deploymentStatus' Attribute |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process |
|
FMC only accepts a maximum of 30 characters for shared secret key when connecting to RADIUS server |
|
| | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803' |
| | Error message spammed to console on Firepower 2100 devices while enabling SSH config |
| | Snort3: MSSQL query traffic corrupted by stream_tcp overlap handling causing SQL HY000 |
| | OGO changing the order of custom object group contents causing an outage at static NAT |
| | Snort3 crashes due to processing pdf tokenizer with no limits. |
| | cdFMC: Support for new regions in Aus and India |
| | Autodeployment failing on cdFMC v20240307 when onboarding a 1010 v7.2.5 |
| | New User activity page does not load because the VPN bytes in and out are long. |
| | Console Access Stuck for ASAv hosted in CSP after Upgrade to 9.18.3.56 |
| | FTD/ASA-HA configs not in sync as the command sync process is sending configs with special chars |
| | Default Hashing Algorithm is SHA1 for Firepower Chassis Manager Certificate on 4110 |
| | Snort dropping connections with reason blocked or blacklisted by the firewall preprocessor |
| | ASA - Bookmarks on the WebVPN portal are unreachable after successful login. |
| | ASA may traceback and reload in Thread Name 'DATAPATH-21-16432' |
| | SNMP OID for CPUTotal1min omits snort cpu cores entries when polled |
| | FTD LINA Traceback and Reload idfw_proc Thread |
| | Deployment fails on FTD HA while doing LINA ONLY DEPLOYMENT |
| | eStreamer memory leak when the FMC receives events from CDO-managed FTDs |
| | Access rule getting pushed with "deny tcp any any" on snort |
| | IP-SGT mappings on Lina-side are not being removed, when FMC pxGrid connection is disabled |
| | ASA/FTD may traceback and reload in Thread Name 'sdi_work' |
| | FPR might drop TLS1.3 connections when hybridized kyber cipher is enabled in web browser |
| | High LINA CPU observed due to NetFlow configuration |
| | net-snmp provides various tools relating to the Simple Network Managem |
| | net-snmp provides various tools relating to the Simple Network Managem |
| | net-snmp provides various tools relating to the Simple Network Managem |
| | net-snmp provides various tools relating to the Simple Network Managem |
| | net-snmp provides various tools relating to the Simple Network Managem |
| | net-snmp provides various tools relating to the Simple Network Managem |
| | HTTP Response splitting in multiple modules in Apache HTTP Server allows |
| | FTD HA: Traceback and reload in netsnmp_oid_compare_ll |
| | RAVPN: Failure to create SGT-IP mapping due to ID table exhaustion |
| | ASA after upgrade to 9.18.4.24 not able to save config with error: "Configuration line too long" |
| | Browser redirects to logon page when the user clicks the WebVPN bookmark |
| | FMC got deregistered from Smart License after upgrade |
| | Captive portal returns bad request for snort 2 for FMC 7.4.x, FTD version < 7.4 |
| | ASA/FTD may traceback and reload in Thread Name PTHREAD |
| | ASA CLI hangs with 'show run' with multiple ssh sessions |
| | "set ip next-hop" line deleted from config at reload if IP address is ma |
| | Clock skew between FXOS and Lina causes SAML assertion processing failure |
| | command to print the debug menu setting of service worker |
| | LSP downloads are not using the Web proxy, when configured. |
| | TCP Session Interrupted if Keep-Alive with 1 Byte is Received |
| | TLS Client Hello packet is dropped by snort |
| | cdFMC Fails to configure-geneve-encapsulation on interface |
| | Address SSP OpenSSH regreSSHion vulnerability |
| | Evaluation of ssp for OpenSSH regreSSHion vulnerability |
| | It was discovered that a nft object or expression could reference a nf |
| | An out-of-bounds access vulnerability involving netfilter was reported |
Resolved Bugs in Version 7.4.1.1
Table last updated: 2024-04-24

| Bug ID | Headline |
|---|---|
| | HA CP clients statistics doesn't show actual Tx/Rx and Reliable Tx/Rx |
| | Readiness check failed on vFTD during upgrade from 741-172 to 760-1270 |
| | Blocking SMB traffic with reason "Blocked by the firewall preprocessor" |
| | Intermittent Packet Losses When VTI Is Sourced From Loopback |
| | Cisco ASA and FTD Software Command Injection Vulnerability |
| | Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
| | Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
| | SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
Resolved Bugs in Version 7.4.1
Table last updated: 2024-05-22
Bug ID |
Headline |
---|---|
FMC should monitor only named interfaces on FTD |
|
ASA concatenates syslog event to other syslog event while sending to the syslog server |
|
FMC fails to connect to SSM with error "Failed to send the message to the server" |
|
SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
|
deployment failing with - Unable to load container |
|
BGP table not removing connected route when interface goes down |
|
IPTables.conf file is disappearing resulting in backup and restore failure. |
|
ERROR: Deleted IDB found in in-use queue - message misleading |
|
In some cases transition to lightweight proxy doesn't work for Do Not Decrypt flows |
|
ASA traceback and reload while allocating a new block for cluster keepalive packet |
|
FMC is pushing SLA monitor commands in an incorrect order causing deployment failure. |
|
"Number of interfaces on Active and Standby are not consistent" should trigger warning syslog |
|
Standby unit failed to join failover due to large config size. |
|
FTD with Inline TAP re-writes frame with wrong MAC Address leading to connectivity problems. |
|
LINA observed traceback on thread name "snmp_client_callback_thread" |
|
Unable to push extra domains >1024 Character, as part of Custom Attribute under Anyconnect VPN |
|
user-name from certificate feature does not work with SER option |
|
SNMPv3 polling may fail using privacy algorithms AES192/AES256 |
|
Disable NLP rules installation workaround after mgmt-access into NLP is enabled |
|
ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low |
|
ASA Failover does not detect context mismatch before declaring joining node as "Standby ready" |
|
ISA3000 in boot loop after powercycle |
|
ENH: Reduce latency in log_handler_file to reduce watchdog under scale or stress |
|
ASA/FTD: DF bit is being set on packets routed into VTI |
|
Unable to identify dynamic rate liming mechanism & not following msg limit per/sec at syslog server. |
|
When inbound packet contains SGT header, FPR2100 cannot distribute properly per 5 tuple |
|
FTD: IKEv2 tunnels flaps every 24 hours and crypto archives are generated |
|
ASA/FTD Traceback and reload caused by Smart Call Home process sch_dispatch_to_url |
|
ASAv - 9344 Block not created automatically after enabling JumboFrames, breaks OSPF MD5 |
|
FW traceback in timer infra / netflow timer |
|
PBR not working on ASA routed mode with zone-members |
|
FMC GUI not displaying correct count of unused network objects |
|
RIP is advertising all connected Anyconnect users and not matching route-map for redistribution |
|
ASA/FTD traceback and reload due to the initiated capture from FMC |
|
Lina traceback and reload during EIGRP route update processing. |
|
ASA Traceback & reload in thread name: Datapath |
|
ASA/FTD traceback and reload on NAT related function nat_policy_find_location |
|
Network Object not visible after Flex migration and unable to save interface change in EIGRP->Setup |
|
We can't monitor the interface via "snmpwalk" once interface is removed from context. |
|
ASA/FTD failover pair traceback and reload due to connection replication race condition |
|
ASA graceful shut down when applying ACL's with forward reference feature and FIPS enabled. |
|
Unable to apply SSH settings to ASA version 9.16 or later |
|
cache and dump last 20 rmu request response packets in case failures/delays while reading registers |
|
Snort down due to missing lua files because of disabled application detectors (PM side) |
|
ASA/FTD may traceback and reload in Thread Name 'ssh' |
|
ASA/FTD may traceback and reload in Thread Name 'None' |
|
Interface internal data0/0 is up/up from cli but up/down from SNMP polling |
|
No-buffer drops on Internal Data interfaces despite little evidence of CPU hog |
|
AnyConnect SAML - Client Certificate Prompt incorrectly appears within External Browser |
|
Standby ASA goes to booting loop during configuration replication after upgrade to 9.16(3). |
|
User without password prompted to change password when logged in from SSH Client |
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
FTDv Cluster unit not re-joining cluster with error msg "Failed to open NLP SSL listening socket" |
|
Temporary HA split-brain following upgrade or device reboot |
|
ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread |
|
FTD: SNMP failures after upgrade to 7.0.2 |
|
ASA tracebacks after SFR was upgraded to 6.7.0.3 |
|
ASA traceback and reload when modifying DNS inspection policy via CSM or CLI |
|
Digitally signed ASDM image verification error on FPR3100 platforms |
|
FTD/ASA traceback and reload at at ../inspect/proxy.h:439 |
|
ASA - Restore not remove the new configuration for an interface setup after backup |
|
"show nat pool cluster" commands run within EEM scripts lead to traceback and reload |
|
ASA/FTD Voltage information is missing in the command "show environment" |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-20-7695' |
|
ASA/FTD can not parse UPN from SAN field of user's certificate |
|
AC SSLVPN with Certificate Authentication and DAP failure if client's machine cert has empty subject |
|
ASA/FTD traceback and reload on Thread id: 1637 |
|
ASA/FTD Traceback and Reload in Thread name Lina or Datatath |
|
Traceback and Reload while HA sync after upgrading and reloading. |
|
9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
MI hangs and not repsonding when FTD container instance is reloaded |
|
ASA Traceback and Reload on process name Lina |
|
Incorrect IF-MIB response when failover is configured on multiple contexts |
|
ASA: SLA debugs not showing up on VTY sessions |
|
NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used |
|
Snort leaking file descriptors with each u2 file created |
|
ASA traceback and reload due to "Heap memory corrupted at slib_malloc.c |
|
SSL AnyConnect access blocked after upgrade |
|
Lina Netflow sending permited events to Stealthwatch but they are block by snort afterwards |
|
ASA : HTTPS traffic authentication issue with Cut-through Proxy enabled |
|
FTD - Traceback and reload when performing IPv4 <> IPv6 NAT translations |
|
ASA/FTD: GTP inspection causing 9344 sized blocks leak |
|
ASA HA - Restore in primary not remove new interface configuration done after backup |
|
ASA/FTD traceback and reload when ssh using username with nopassword keyword |
|
Inbound IPSEC SA stuck inactive - many inbound SPIs for one outbound SPI in "show crypto ipsec sa" |
|
ASA/FTD 2100 platform traceback and reload when fragments are coalesced and sent to PDTS |
|
FTD - Traceback and reload on NAT IPv4<>IPv6 for UDP flow redirected over CCL link |
|
MPLS tagging removed by FTD |
|
FXOS-based Firepower platform showing 'no buffer' drops despite high values for RX ring watermarks |
|
ASA/FTD Cluster Split Brain due to NAT with "any" and Global IP/range matching broadcast IP |
|
ASA parser accepts incomplete network statement under OSPF process and is present in show run |
|
syslog related to failover is not outputted in FPR2140 |
|
IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response |
|
ASA fails to rekey with IPSEC ERROR: Failed to allocate an outbound hardware context |
|
ASA/FTD OSPFv3 does not generate messages Type 8 LSA for IPv6 |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
vti hub with NAT-T enabled pinholes connections are looping and causing snort busy drops |
|
ASA/FTD may traceback and reload in Thread Name 'lina_inotify_file_monitor_thread' |
|
FTD/ASA "Write Standby" enables ECDSA ciphers causing AC SSLv3 handshake failure |
|
ASA/FTD Traceback and reload on function "snp_cluster_trans_allocb" |
|
TACACS Accounting includes an incorrect IPv6 address of the client |
|
Call home configuration on standby device is lost after reload |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-11-32591' |
|
FTD - Traceback in Thread Name: DATAPATH |
|
FTD may traceback and reload in Thread Name 'DATAPATH-0-4948' |
|
CGroups errors in ASA syslog after startup |
|
ASA/FTD may traceback and reload during ACL changes linked to PBR config |
|
During the deployment time, device got stuck processing the config request. |
|
"inspect snmp" config difference between active and standby |
|
ASA/FTD traceback and reload caused by SNMP process failure |
|
Traffic on data unit gets dropped with "LU allocate xlate failed" on GCP cluster with interface NAT |
|
Unable to configure 'match ip address' under route-map when using object-group in access list |
|
FTD Traceback and reload when applying long commands from FMC UI or CLISH |
|
ASA/FTD Traceback and reload in Threadname: IKE Daemon |
|
ASA traceback and reload due to null pointer in Umbrella after modifying DNS inspection policy |
|
ASA 9.12(4)47 with user-statistics, will affects the "policy-server xxxx global" visibility. |
|
Using write standby in a user context leaves secondary firewall license status in an invalid state |
|
Unable to establish DTLSv1.2 with FIPS enabled after upgrade from 6.6.5. |
|
ASA/FTD memory leak and tracebacks due to ctm_n5 resets |
|
Lina Traceback and reload when issuing 'debug menu fxos_parser 4' |
|
ESP rule missing in vpn-context may cause IPSec traffic drop |
|
traceback and reload due to tcp intercept stat in thread unicorn |
|
ISA3000 LACP channel member SFP port suspended after reload |
|
ASA/FTD may traceback and reload when clearing the configration due to "snp_clear_acl_log_flow_all" |
|
ifAdminStatus output is abnormal via snmp polling |
|
logging/syslog is impacted by SNMP traps and logging history |
|
FTD Traceback and reload |
|
ASA Custom login page is not working through webvpn after an upgrade |
|
Snort3 unexpectedly dropping packets after 4MB when using file inspection with detection mode NAP |
|
User/group download may fail if a different realm is changed and saved |
|
Unable to add on-board and netmod interfaces to the same port-channel on Firepower 3110 |
|
FTD traceback on Lina due to syslog component. |
|
ASA/FTD Cluster Traceback and Reload during node leave |
|
25G CU SFPs not working in Brentwood 8x25G netmod |
|
cacert.pem on FMC expired and all the devices showing as disabled. |
|
Failover trigger due to Inspection engine in other unit has failed due to disk failure |
|
ASA might generate traceback in ikev2 process and reload |
|
ASA/FTD may traceback and reload in Thread Name 'ikev2_fo_event' |
|
ASA/FTD Traceback and Reload in Thread Name: pix_flash_config_thread |
|
GTP inspection drops packets for optional IE Header Length being too short |
|
ASA/FTD traceback due to block data corruption |
|
ASA/FTD: NAT configuration deployment failure |
|
ASA: Unable to connect AnyConnect Cert based Auth with "periodic-authentication certificate" enabled |
|
ASA/FTD High CPU in SNMP Notify Thread |
|
FTD in HA traceback multiple times after adding a BGP neighbour with prefix list. |
|
ASA/FTD SNMP traps enqueued when no SNMP trap server configured |
|
ASA/FTD Transactional Commit may result in mismatched rules and traffic loss |
|
Device should not move to Active state once Reboot is triggered |
|
TPK: No nameif during traffic causes the device traceback, lina core is generated. |
|
Lina traceback and reload - VPN parent channel (SAL) has an invalid underlying channel |
|
ASAv show crashinfo printing in loop continuously |
|
Management access over VPN not working when custom NAT is configured |
|
Cluster registration is failing because DATA_NODE isn't joining the cluster |
|
3130 HA assert: mh->mh_mem_pool > MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMPOOL_MAX_TYPE |
|
FTD: Traceback & reload in process name lina |
|
ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades |
|
Syslog 106016 is not rate-limited by default |
|
Serviceability Enhancement - Unable to parse payload are silently drop by ASA/FTD |
|
ASA traceback and reload due to DNS inspection |
|
PIM register packets are not sent to Rendezvous Point (RP) due to PIM tunnel interface down state |
|
Blade remains online for more than 600 secs after deleting Native logical device on 92.14.0 |
|
FMC: Script to change hostname/IP on FTD's when FMC's Ip/hostname is changed |
|
Not able to ping Virtual IP of FTDv cluster |
|
FP2100: FXOS side changes for HA is not resilient to unexpected lacp process termination issue |
|
Cisco Firepower Management Center Object Group Access Control List Bypass Vulnerability |
|
FDM FPR2k Netmork module interfaces are greyed out post 7.1.0 update |
|
QEMU KVM console got stuck in "Booting the kernel" page |
|
Fix Bootup Warning: Counter ID 'TLS13_DOWNSTREAM_CLIENT_CERTIFICATE_VERIFY' is too long |
|
Device API healthStatus for cluster devices not aligned with health status on device listing |
|
Snort3 stream core found init_tcp_packet_analysis |
|
Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload |
|
Unable to register new devices to buildout FMC 2700 (FMC HA Active) |
|
FTD-HA upgrade failed |
|
Internal Error while editing PPPoE configurations |
|
multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa |
|
FMC-HA Sync loss for more then hr due to MariaDB replication is not in good state and recovered |
|
Azure FMC not accessible after upgrading from 7.3.0 to 7.4.0 |
|
8x10Gb netmod fails to come online |
|
ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured |
|
Azure D5v2 FTDv unable to send traffic - underruns and deplete DPDK buffers observed |
|
FPR 4115- primary unit lost all HA config after ftd HA upgrade |
|
Traffic drops for several minutes during deployment |
|
FTD: The upgrade was unsuccessful because the httpd process was not running |
|
The interface is deleted from interface group if the user change the name of it [API] |
|
v1_message* and abp* files & sxp bookmark are not cleaned in user_enforcement on device registration |
|
FMC search error: "Error Loading Data Search Service Please Try Again." |
|
EventHandler warnings if syslog facility is CONSOLE |
|
FTD may not reboot as expect post upgrade if bundled FXOS version is the same on old and new version |
|
Deleting a BVI in FTD interfaces is causing packet drops in other BVIs |
|
FMC: Domain creation fails with error "Index 'netmap_num' for table 'domain_control_info'" |
|
FMC: GEOLOCATION size is causing upgrade failures |
|
FTD upgrade from 7.0 to 7.2.x and beyond crashes due to management-access enabled |
|
Cannot create two RA-VPN profiles with different SAML servers that have the same IDP
 |
|
Memory leak in the MessageService |
|
Readiness Check Failed [ERROR] Fatal error: Enterprise Object integrity check failed with 7 errors |
|
ASA/FTD: Revision of cluster event message "Health check detected that control left cluster" |
|
Create Identity Services Engine via API returns 404 Client Error: Not Found |
|
Cluster hardening fixes |
|
KP Generating invalid core files which cannot be decoded 7.2.4-64 |
|
show xlate does not display xlate entries for internal interfaces (nlp_int_tap) after enabling ssh. |
|
FTD HA app-sync failure, due to corruption in cache files. |
|
add syslog ids the range 805003 ? 852002 for rate limit under fmc |
|
validation check on FMC GUI causing issue and throwing error when adding new NAT objects |
|
Connections not replicated to Standby FTD |
|
FTD Crash in Thead Name: CP Processing |
|
SNMPv3 polling may fail using privacy algorithms AES192/AES256 |
|
Cannot Force Break FTD HA Pair |
|
User Group Download fetches less data than available or fails with "Size limit exceeded" error |
|
FMC device search page removes FTD from the groups and put them back to ungrouped |
|
PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting" |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
asa_snmp.log is not rotated, resulting in large file size |
|
FMC/FTD Dynamic VPN. Possibility to choose default preshared key from the dropdown list. |
|
FTD: 10Gbps/full interfaces changed to 1Gbps/Auto after upgrade and going to down state |
|
Lina core created during high traffic testing |
|
FTD readiness and upgrade passed with exception log as ProgressReport' has no attribute 'KB_UNIT' |
|
Unable to Access FMC GUI when using Certificate Authentication |
|
Phase 2 NAP delay seen in 7.0.1 while deploying policy |
|
KP - multimode: ASA traceback observed during HA node break and rejoin. |
|
Cisco ASA & FTD SAML Authentication Bypass Vulnerability |
|
Observed ASA traceback and reload when performing hitless upgrade while VPN traffic running |
|
Selective policy deploy with Identity Policy (captive-portal) and SSL Policy (dp-tcp-proxy) CLI |
|
EventHandler occasional corrupt bundle record - SFDataCorrelator logs "Error deserializing" |
|
FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message. |
|
Cisco Firepower Threat Defense Software Encrypted Archive File Policy Bypass Vulnerability |
|
FMC Restore of remote backup fails due to no space left on the device |
|
Deployments can cause certain RAVPN users mapping to get removed. |
|
Snort down due to missing lua files because of disabled application detectors (VDB side) |
|
getting wrong destination zone on traffic causing traffic to match wrong AC rule |
|
Very specific "vpn-idle-timeout" values cause continuous SSL session disconnects and reconnects |
|
getReadinessStatusTaskList pjb request is very frequent when user in Upgrade sensor list page |
|
HA Serviceability Enh: Maintain HA NLP client stats and HA CTL NLP counters for current App-sync |
|
ASDM replaces custom policy-map with default map on class inspect options at backup restore. |
|
Unable to edit name or inspection mode of intrusion policy |
|
DBCheck shouldn't run against MonetDB if user is collecting config backup alone |
|
MYSQL, or any TCP high traffic, getting blocked by snort3, with snort-block as Drop-reason |
|
Network Object Group overrides not visible or be edited from FMC GUI |
|
Unable to change admin user password after FMC migration if it had LOM access |
|
FMC - Import SSL Certificate Pinning from a CSV file may result in a failure to deploy policy on FTD |
|
Device list takes longer to load while creating new AC policy |
|
High Disk Utilization and Performance issue due to large MariaDB Undo Logs |
|
User is not informed of the dependent IPS when policy import fails. |
|
KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall |
|
[IMS_7_5_MAIN]High CPU usage on multiple appliances |
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense DoS |
|
Traffic may be impacted if TLS Server Identity probe timeout is too long |
|
The interface configuration is missing after the FTD upgrade |
|
access-list: Cannot mix different types of access lists. |
|
ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk |
|
FTD: High-Availability unit struck at CD App Sync error due to error ngfwManager restart on peer |
|
WINSCP and SFTP detectors do not work as expected |
|
ASA/FTD client IP missing from TACACS+ request in SSH authentication |
|
Improper load-balancing for traffic on ERSPAN interfaces on FPR 3100/4200 |
|
PSEQ (Power-Sequencer) firmware may not be upgraded with bundled FXOS upgrade |
|
S2S dashboard SVTI tunnel details are missing after upgrade |
|
Lina crash in thread name: cli_xml_request_process during FTD cluster upgrade |
|
ECMP + NAT for ipsec sessions support request for Firepower. |
|
99.20.1.16 lina crash on nat_remove_policy_from_np |
|
Snort3 matches SMTP_RESPONSE_OVERFLOW (IPS rule 124:3) when SMTPS hosts exchange certificates |
|
Priority-queue command causes silent egress packet drops on all port-channel interfaces |
|
store_*list_history.pl task is created every 5min without getting closed causing FMC slowness. |
|
DNS cache entry exhaustion leads to traceback |
|
ASA SNMP polling not working and showing "Unable to honour this request now" on show commands |
|
ASA traceback and reload on Thread Name: DHCPRA Monitor |
|
Unable to delete custom rule group even when excluded from all the ips policies |
|
vFTD runs out of memory and goes to failed state |
|
ASA Traceback & reload on process name lina due to memory header validation |
|
FTD: HA App sync failure due to fover interface flap on standby unit |
|
"show route all summary" executed on transparent mode FTD is causing CLISH to become Sluggish. |
|
7.0.6 - Lina Crash in RAVPN interface with anomaly traffic in both non-FIPS and FIPS mode |
|
Failover: standby unit traceback and reload during modifying access-lists |
|
FTD Diskmanager.log is corrupt causing hm_du module to alert false high disk usage |
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220 |
|
vFMC: Scheduled deployment failing |
|
Correlation events for Connection Tracker <, <=, = or != rules show data for unrelated connections |
|
FP3110 7.2.4 Unexpected reboot of Firepower 3110 Device |
|
FTD: Traceback and reload during OSPF redistribution process execution |
|
FMC not generating FTD S2S VPN alerts when down or idle |
|
Add meaningful logs when the maximums system limit rules are hit |
|
Dumping of last 20 rmu request response packets failed |
|
ASA removes the IKEv2 Remote PSK if the Key String ends with a backslash "\" after reload |
|
Duplicate FTD cluster has been created when multiple cluster events comes at same time |
|
Packet data is still dropped after upgrade |
|
False critical high CPU alerts for FTD device system cores running diskmanager/Pruner |
|
ASA: Checkheaps traceback and reload due to Clientless WebVPN |
|
after HA break, selected list shows both the devices when 1 device selected for upgrade |
|
Critical Alert Smart Agent is not registered with Smart Licensing Cloud |
|
Snort3 core in navl seen during traffic flow |
|
Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
|
Editing identity nat rule disables "perform route lookup" silently |
|
FTD: SNMP not working on management interface |
|
Snort2 engine is crashing after enabling TLS Server Identity Discovery feature |
|
Snort core while running IP Flow Statistics |
|
FMC displays VPN status as unknown even if the status is up if one of the peer is extranet |
|
Decrypting engine/ssl connections hang with PKI Interface Error seen |
|
WM RM - SFP port status of 9 follows port of state of SFP 10|11|12 |
|
FMC pushes the "shutdown" command on the management interface for the logical device |
|
switch ports in Trunk mode do not pass vlan traffic after power loss |
|
ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls |
|
import of .SFO to FMC failed due to included local/custom rules having a blank rule message field |
|
ASA: Traceback and reload on Tread name "fover_FSM_thread" and ha_ntfy_prog_process_timer |
|
Cisco Firepower Management Center Software SQL Injection Vulnerability |
|
ECDSA Self-signed certificate using SHA384 for EC521 |
|
ASA|FTD: Traceback & reload due to a free buffer corruption |
|
LDAP missing files after upgrade when the Vault token is corrupted |
|
FMC: Should not be able to add the same interface to the same ECMP zone |
|
FTD Lina traceback Thread Name: DATAPATH-3-11917 due to double free |
|
"failover standby config-lock" config is lost after both HA units are reloaded simultaneously |
|
OSPFv3 Traffic is Centralized in Transparent Mode |
|
FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment |
|
FTD /ngfw disk space full from Snort3 url db files |
|
Radius authentication stopped working after ASAv on AWS upgrade to any higher version than 9.18.2 |
|
Port-channel interface speed changes from 10G to 1G after a policy deployment |
|
ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix |
|
ASDM application randomly exits/terminates with an alert message on multi-context setup |
|
ASA/FTD HA checkheaps crash where memory buffers are corrupted |
|
ASA omits port in host field of HTTP header of OCSP request if non-default port begins with 80 |
|
Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2 |
|
ASA traceback on Lina process with FREEB and VPN functions |
|
FTDv/AWS - NTP clock offset between Lina and FTD cluster |
|
ASA/FTD: Traceback and reload due to NAT change and DVTI in use |
|
core-compressor fails due to core filename with white space |
|
Snort blacklisting traffic during deployment |
|
ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms |
|
Encrypted Visibility Engine (EVE) FMC dashboard tab and widgets not renamed after 7.1 > 7.2+ upgrade |
|
ASA/FTD may traceback and reload in when changing capture buffer size |
|
File sizes bigger than 100MB for AnyConnect/Secure Client images cannot be uploaded on FMC |
|
FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn |
|
SRU installation gets stuck at 602_log_package.pl script, causing deployment failure |
|
Lina crash in snp_fp_tcp_normalizer() when DAQ/Snort sends malformed L3 header |
|
Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output |
|
Include "show env tech" in FXOS FPRM troubleshoot |
|
Intermittently flow is getting white-listed by the snort for the unknow app-id traffic. |
|
ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple |
|
The FMC preview deployment shows a wrong information. |
|
741 - HA & AppAgent - Long term solution for avoiding momentary split-brain situations |
|
ASA unexpected HA failover due to MIO blade heartbeat failure |
|
ASA traceback when re-configuring access-list |
|
sfdatacorrelator crashing due to table corruption 'rua_event_xxxxx' |
|
Snort 3 HTTP Intrusion Prevention System Rule Bypass Vulnerability |
|
PAC Key file missing on standby on reload |
|
FMC upgrade stuck at 1039_fmc_rabbitmq_enable |
|
'Frequent drain of events (not unprocessed events) to be removed from FMC |
|
FTD VMWare: High disk utilization on /dev/sda8 partition caused by file system corruption |
|
FMC userrole missing permissions may cause Tomcat to continuously restart after upgrade to 7.2.4 |
|
SQL packets involved in large query is drop by SNORT3 with reason snort-block |
|
Connections are not cleared after idle timeout when the interfaces are in inline mode. |
|
While editing AC-policy rules, the rule order number becomes misaligned. |
|
Specific OID 1.3.6.1.2.1.25 should not be responding |
|
dl_task.pl tasks keep getting created every hour when a database query is blocked |
|
Firewall Blocking packets after failover due to IP <-> SGT mappings |
|
Syslog not updating when prefilter rule name changes |
|
FTD (FDM) fails when executing script 800_post/100_ftd_onbox_data_import.sh |
|
FTD - Upgrade triggers persistent VPN Tunnel health monitor alarm |
|
ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config |
|
FTD - Traceback and reload due to nat rule removed by CPU core |
|
ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT |
|
FTD not generating end of connection event after "Deleting Firewall session" |
|
DAP: FMC adds 
 characters in a LUA script |
|
Removal of msie-proxy commands during flexconfig rollback |
|
FTD responding to UDP500 packet with a Mac Address of 0000.000.000 |
|
FMC7.2.x EIGRP flexconfig migration fails with internal error due to interface config mismatch |
|
FMC Restore is stuck in vault clear stage after mysql restore completed |
|
ASA "pager line 25" command doesn't work as expected on few terminal applications |
|
FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze |
|
ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA |
|
Cisco_Firepower_GEODB_FMC_Update* are not included in diskmanager |
|
FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
Configuration archive creation failing and causing deployment preview to throw error |
|
2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
|
Extended Access List Object does not allow IP range configuration |
|
ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces |
|
FTD: Failover/High Availability disabled with Mate version 0.0 is not compatible |
|
"show aaa-server" command always shows the Average round trip time 0ms. |
|
ASA/FTD may traceback and reload while running show inventory all |
|
AMP Cloud look up timeout frequently. |
|
FMC SSO timesout when user session is active for more than 1 hr (idle timeout) |
|
Initiator Country and Continent missing on Custom View on Event viewer |
|
ASA:Management access via IPSec tunnel is NOT working |
|
FMC: query_engine.log Growing More Quickly Than Expected, Resulting In High Disk Utilization |
|
The FMC is showing "The password encryption key has not been set" alert for a 11xx/21xx/31xx device |
|
ASA: Traceback and reload during 6 nodes cluster synchronization after CCL link failure/recovery |
|
SFDataCorrelator crashing repeatedly in RNA_DB_InsertServiceInfo |
|
Devices with classic licenses are failed to register with FMC running version 7.2.X |
|
ASA/FTD traceback and reload with IPSec VPN, possibly involving upgrade |
|
SNORT3 - FTD - TSID high cpu, daq polling when ssl enabled is not pulling enough packets |
|
Source NAT Rule performing incorrect translation due to interface overload |
|
ASA/FTD may traceback and reload in Thread Name 'lina' while processing DAP data |
|
VPN Load Balancing Cluster IP address/host name is not on the same subnet as the public interface |
|
Fragmented UDP packet via MPLS tunnel reassemble fail |
|
Multicast through the box traffic causing high CPU with 1GBps traffic |
|
additional command outputs needed in FTD troubleshoot for blocks and ssl cache |
|
FMC HA: When logging into the standby FMC stacktraces are always present. |
|
FTD SNMPv3 host configuration gets deleted from IPTABLES after adding host-group configuration |
|
Cannot use .k12 domain on realm AD Primary Domain configuration |
|
Fixing the regression caused while handling web UI is not getting FTDv Variable |
|
ASDM can not see log timestamp after enable logging timestamp on cli |
|
Configuring and unconfiguring "match ip address test" may lead to crash |
|
sshd restarting during upgrade leading to have /new-root as default root partition |
|
Configuration to disable TLS1.3 |
|
Diskmanager process terminated unexpectedly |
|
Prefilter cannot add Tunnel Endpoints in Tunnel Rule on FMC |
|
ASA: Traceback and reload when restore configuration using CLI |
|
FTDv throughput changed to 100Kbps after upgrade |
|
Timestamp entry missing for some syslog messages sent to syslog server |
|
Community string sent from router is not matching ASA |
|
spin lock and watch dog crash in kp 741-1146 - ctm_ipsec_get_sa_lock+112 |
|
Secondary lost failover communication on Inside, using IPv6, but next testing of Inside passes |
|
FXOS : Duplication of NTP entry results in Error message : Unreachable Or Invalid Ntp Server |
|
Unable to create VRF via FDM in Firepower 3105 device |
|
Snort 3 HTTP Intrusion Prevention System Rule Bypass Vulnerability |
|
Snort3 dropping IP protocol 51 |
|
Unexpected high values for DAQ outstanding counter |
|
FMC does not save changes made on access list. |
|
ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
|
FMC should report user whether it supports or not while configuring remote storage |
|
SNMP fails to poll accurate hostname from FMC |
|
Every HA sync attempts to disable URL filtering if already disabled. |
|
eStreamer JSON parse error and memory leak |
|
Snort is getting reloaded during deploy due to diff in timerange and nap conf contents in each run |
|
FTD unregisters the standby FMC immediately after a successful registration |
|
FDM Upgrade failure due to expired certificates |
|
File copy via SCP using ciscossh stack fails with error "no such file or directory" |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
CPOC: 4245 ASA Crashed with CPS test |
|
Cross ifc access: Revert PING to old non-cross ifc behavior |
|
FMC missing validation for syslog port setting |
|
Node kicked out of cluster while enabling or disabling rule profiling |
|
Cisco ASA and FTD Software Inactive-to-Active ACL Bypass Vulnerability |
|
ASA dropping IPSEC traffic incorrectly when "ip verify reverse-path" is configured |
|
OSPF Redistribution route-map with prefix-list not working after upgrade |
Resolved Bugs in Version 7.4.0
Table last updated: 2024-05-22
Bug ID |
Headline |
---|---|
Improve logging of Secure Firewall (Firepower) backups and retry for gzip when using remote storage |
|
Flex config Preview of $SYS_FW_ENABLED_INSPECT_PROTOCOL_LIST throws error |
|
FTD traceback in Thread Name cli_xml_server when deploying QoS policy |
|
FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS) |
|
Filtering Network objects is not working, getting 'Error Loading Data' |
|
Radius Key with the ASCII character " configured on FXOS does not work after chassis reload. |
|
Lack of throttling of ARP miss indications to CP leads to oversubscription |
|
Upgrade to 6.6.1 fails at 800_post/1025_vrf_policy_upgrade.pl |
|
Observed a few snort instances stuck at 100% |
|
FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices |
|
File list preview: Deleting two list having few similar contents throws stacktrace on FMC-UI |
|
Error Loading Data: Couldn't resolve a few of the STDACE BBs |
|
"Warning:Update failed/in-progress." Cosmetic after successful update |
|
Crashinfo script is invoked on SFR running snort2 and device fails to upgrade to 7.0 |
|
SNORT2: FTD is performing Full proxy even when SSL rule has DND action. |
|
ENH:FMC Removal and manual reconfiguration of changes for CAC-authenticated users should not happen |
|
IPS policy should be imported when it is referred to in Access Control policy |
|
Cisco ASA Software SSL VPN Client-Side Request Smuggling Vulnerability via "/" URI |
|
FMC4500/4600 shows virtual license |
|
FDM IKEv2 S2S PSK Not Deploying Correctly (Changing Asymmetric to Symmetric PSK) |
|
API key corrupted for FMC with multiple interfaces |
|
FMC NFS configuration failing after upgrade from 6.4.0.4 to 7.0.1 |
|
Primary node disconnected from VPN-Cluster when HA failover is performed on Primary with DNS lookup |
|
Modify /800_post/1027_ldap_external_auth_fix.pl to not fail FMC upgrade when objects are corrupt |
|
Microsoft update traffic blocked with Snort version 3 Malware inspection |
|
FDM: Policy deployment failure after upgrade due to unused IKEv1 policies |
|
ASA/FTD Traceback and reload in Process Name: lina |
|
Disk usage errors on Firepower Azure device due to large backup unified files under ngfw directory |
|
FDM bootstrap could be skipped if device rebooted when bootstrap is not completed |
|
FMC backup may fail due to monetdb backup failure with return code 102 |
|
upgrade with a large amount of unmonitored disk space used can cause failed upgrade and hung device |
|
MFIB RPF failed counter instead of Other drops increments when outgoing interface list is Null |
|
ASA: The timestamp for all logs generated by Admin context are the same |
|
FTD on FP2100 can take over as HA active unit during reboot process |
|
FMC | Interface update Failed. Could not find source interface |
|
ASAv high CPU and stack memory allocation errors despite over 30% free memory |
|
Snort3: NFSv3 mount may fail for traffic through FTD |
|
Deployment/Tasks button not seen in FMC UI while doing upgrade tests configured in Light theme |
|
FMC: Validation check to prevent exponential expansion of NAT rules |
|
Selective deployment of IPS may cause outage due to incorrectly written FTD configuration files |
|
Connection Events seen on FMC even though the rule is not configured to send events to FMC |
|
FTPS getting ssl3_get_record:bad record type during connection for KK and DR rules |
|
FMC 7.2.0|7.3.0 Integration > Identity Sources page does not load, keeps spinning |
|
Excessive logging from hm_du.pm may lead to syslog-ng process restarts |
|
Failing to generate FMC Backup/Restore via SMB/SSH |
|
Estreamer page fails to load in ASDM |
|
Snort3 crash with TLS 1.3 |
|
Fix multiple crash handler issues |
|
FTD unable to sync HA due to snort validation failed |
|
ASA/FTD may traceback and reload in Thread Name 'lina' ip routing ndbshr |
|
sybase related modules should be removed |
|
snort3 hangs in Crash handler which can lead to extended outage time during a snort crash |
|
ASA HA failover triggers HTTP server restart failure and ASDM outage |
|
FPR2140 ASA Clock Timezone reverts to UTC after appliance restart/reload |
|
Auth-Daemon process is getting restarted continuously when SSO disabled |
|
FMC RSS Feed broken because FeedBurner is no longer active - "Unable to parse feed" |
|
25G-SR should default to RS-FEC (IEEE CL108) instead of FC-FEC |
|
link state propagation stops working when performing full chassis reboot |
|
FPR1000 ASA/FTD: Primary takes active role after reloading |
|
Database may fail to shut down and/or start up properly during upgrade |
|
Cannot save realm configuration unless AD Join Password is empty |
|
Snort process may trace back in ssl_debug_log_config and generate core file |
|
Intrusion events intermittently stop appearing in FMC when using snort3 |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 36) |
|
ASAv "Unable to retrieve license info. Please try again later" |
|
FTD misses diagnostic data required for investigation of "Communication with NPU lost" error |
|
FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters |
|
ASA using WebVPN tracebacks in Unicorn thread during memory tracking |
|
Captive portal support in cross domain |
|
FMC module specific health exclusion disables all health checks |
|
SNMP 'Confirm Community String' string is not auto-populated after the FMC upgrade |
|
ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
|
PDTS write from Daq can fail when PDTS buffer is full eventually leads to block depletion |
|
multiple snort3 crashes after upgrading FTD from 7.2.0 to 7.2.0.1 |
|
ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off |
|
AnyConnect SAML using external browser and round robin DNS intermittently fails |
|
Deployment Fails with stacktrace: Invalid type (LocalIdentitySource) |
|
FTD sensor rules missing from ngfw.rules file after a sensor backup restore execution |
|
critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on 2100/3100 devices |
|
Missing fqdns_old.conf file causes FTD HA app sync failure |
|
FMC - Unable to initiate deployment due to incorrect threat license validation |
|
during download from file event on FMC, high CPU use on FMC for 20 minutes before download fails |
|
FTD upgrade failure due to Syslog files getting generated/deleted rapidly |
|
FTD Unable to bind to port 8305 after management IP change |
|
ASA/FTD: Using Round Robin with PAT rules on two or more interfaces breaks IP stickiness |
|
Object edit slowness when it is associated with NAT rules |
|
GTP drops not always logged on buffer and syslog |
|
File events show Action as "Malware Block" for files with correct disposition of unknown |
|
ASA/FTD may traceback and reload in Thread Name 'lina' following policy deployment |
|
HA did not failover due to misleading status updates from NDClient |
|
FPR1K FTD fails to form HA due to reason "Other unit has different set of hwidb index" |
|
ASA/FTD may traceback with large number of network objects deployment using distribute-list |
|
HTTP Block Response and Interactive Block response pages not being displayed by Snort3 |
|
EIGRPv6 - Crashed with "mem_lock: Assertion mem_refcount' failed" on LINA. |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
All traffic blocked due to access-group command missing from FTD config |
|
standby unit using both active and standby IPs causing duplicate IP issues due to nat "any" |
|
log rotate failing to cycle files, resulting in large file sizes |
|
FTD: FTPS Data Channel connection impacted by TLS Server Identity and Discovery Probe sent by FTD |
|
FMC HA - files in tmp/Sync are left on secondary when synchronisation task fails |
|
lost cac.conf after upgrade to 7.2.1 for FMC smart-card auth |
|
DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA |
|
Duplicate SMB session id packets causing snort3 crash |
|
LTS18 and LTS21 commit id update in CCM layer (seq 39) |
|
Cisco FXOS Software Arbitrary File Write Vulnerability |
|
Filtering of jobs in deploy history page is applying the criteria only on Top50 jobs |
|
ASA/FTD traceback and reload on thread name fover_fail_check |
|
Proxy is engaged even when we have a Definitive DND rule match |
|
FMC can allow deployment of NAP in test mode with Decrypt policy |
|
SSL Policy DND default Rule fails on error unsupported cipher suite and SKE error. |
|
Firepower Management Center GUI view for Snort2 Local Intrusion Rules is missing |
|
Very long validation time during Policy Deployment due to big network object in SSL policy |
|
FMC HA webUI is not getting FTDv Variable tier assigned FTDv - Variable |
|
Re-downloaded users from a forest with trusted domains may become unresolved/un-synchronized |
|
deployment failed with OOM (out of memory) for policy_apply.pl process |
|
Packet-Tracer interfaces not showing up in UI after updating interface name from lower to upper case |
|
SRU installation failure. |
|
FMC not showing any alerts/warnings when deploying changes of prefix list with same seq # |
|
Expected snmp output is not found in 'show run | in fxos snmp' |
|
Deploying objects with escaped values in the description might cause all future deployments to fail |
|
Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log |
|
FTDv Cluster Health Monitor fails with "Error fetching live status of the cluster" |
|
Object NAT edit is failing |
|
Pre-login banner on FCM webUI shows extra characters on 92.14.0 |
|
FPR 2100: 10G interfaces with 1G SFP go down post reload |
|
Periodic sync failures are not reported to users |
|
fxos log rotate failing to cycle files, resulting in large file sizes |
|
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
|
FXOS: memory leak in svc_sam_envAG process |
|
800_post/1027_ldap_external_auth_fix.pl upgrade error -- reference to missing authentication object |
|
WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 40) |
|
ASA - traceback and reload when Webvpn Portal is used |
|
Port-channel interface went down post deployment |
|
FMC UI showing disabled/offline for multiple devices as health events are not processed |
|
Missing SSL MEMCAP causes deployment failure due to timeout waiting for snort detection engines |
|
Pre-deployment failure seen in FMC due to huge number policies |
|
Upgrades are not cleaning up mysql files leading to alert for 'High unmanaged disk usage on /ngfw' |
|
ASA restore is not applying vlan configuration |
|
Unable to get polling results using snmp GET for connection rate OIDs |
|
Add validation in lua detector api to check for empty patterns for service apps |
|
FMC not opening deployment preview window |
|
ASA/FTD: Object Group Search Syslog for flows exceeding threshold |
|
FTD PDTS LINA RX queue can become stuck when snort send messages with 4085-4096 bytes size |
|
AWS: SSL decryption failing with Geneve tunnel interface |
|
Data migration from Sybase to MariaDB taking more time due to large data size of POLICY_SNAPSHOT |
|
FMC gives an irrelevant error message for Snort2 to Snort3 rules conversion failure |
|
Stale CPU core health events seen on FMC UI post upgrade to 7.0.0+. |
|
Need corrections in log_handler_file watchdog crash fix |
|
Deployment failure with localpool overlap error after upgrade |
|
"show tech-support" generation does not include "show inventory" when run on FTD |
|
FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
|
Misleading drop reason in "show asp drop" |
|
Clientless Accessing Web Contents using application/octet-stream vs text/plain |
|
Recursive panic under lina_duart_write |
|
FMC UI may become unavailable and show "System processes are starting" message after upgrade |
|
Inline-pair's state cannot auto-recover from hardware-bypass to standby mode. |
|
allocate more cgroup memory for policy deployment subgroup |
|
HA Periodic sync is failing due to cfg files are missing |
|
At times AC Policy save takes a long time, possibly 10 minutes or more |
|
ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade |
|
ASA: Standby may get stuck in "Sync Config" status upon reboot when EEM is configured |
|
FMC UI Showing inaccurate data in S2S VPN Monitoring page |
|
FTDv: Policy Deployment failure due to interface setting on failover interface |
|
ASA Connections stuck in idle state when DCD is enabled |
|
Cross-domain users with non-ASCII characters are not resolved |
|
FPR2100: Increase in failover convergence time with ASA in Appliance mode |
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum with all 0 checksum |
|
AC clients fail to match DAP rules due to attribute value too large |
|
Packets through cascading contexts in ASA are dropped in gateway context after software upgrade |
|
FXOS is not rotating PoE logs |
|
FP4125 2.10.1.166 FTD applications in HA went into not responding state |
|
Lina changes to support - Snort3 traceback in daq-pdts while handling FQDN based traffic |
|
Cisco Firepower Management Center Object Group Access Control List Bypass Vulnerability |
|
ASA|FTD: Implement different TLS diffie-hellman prime based on RFC recommendation |
|
FMC Connection Event stop displaying latest event |
|
Port-channel interfaces of secondary unit are in waiting status after reload |
|
FMC should not accept carriage return in the interface description field of a managed device |
|
ASA/FTD may traceback and reload in idfw fqdn hash lookup |
|
S2S VPN dashboard shows ipv4 SVTI tunnel down between KP-HA and WA-HA after KP-HA Switch role. |
|
FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
FMC 7.1.0.1 Doesn't throw warning that S2S VPN Configs contain deprecated MD5 Hash during deployment |
|
FMC: Updates page takes more than 5 minutes to load |
|
S2S Tunnels do not come up due to DH computation failure caused by DSID Leak |
|
30+ seconds data loss when unit re-joins cluster |
|
Predefined FlexConfig Text Objects are not exported by Import-Export |
|
FMC External Auth test error "Encryption method is configured but you did not upload a certificate." |
|
FTD with Snort3 might have memory corruption BT in snort file with same IP traffic scaling |
|
FMC import takes too long |
|
FPR3110 Fans' SN in label are different from show inventory cli output |
|
Snort crashes while reloading mercury library with any VDB install on 7.3.0 and 7.4.0 |
|
ASA configured with HA may traceback and reload with multiple input/output error messages |
|
intrusion events fail to migrate from MariaDB to MonetDB following FMC upgrade from 7.0.3 to 7.1.0 |
|
Import/export fails with backend error |
|
MI FTD running 7.0.4 has high disk utilization |
|
Snort drops Bomgar application packets with Early Application Detection enabled |
|
FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q |
|
Snort3 crash seen sometimes while processing a future flow connection after appid detectors reload |
|
LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage |
|
Snort outputs massive volume of packet events - IPS event view may show "No Packet Information" |
|
FMC should display the status of physical FTD interfaces bundled in port-channel |
|
FTD -Snort match incorrect NAP id for traffic |
|
Microsoft SCEP enrollment fails to get ASA identity cert - Unable to verify PKCS7 |
|
ASA/FTD may traceback and reload in Thread Name 'telnet/ci' |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Observing some devcmd failures and checkheaps traceback when flow offload is not used. |
|
Snort mem used alert should read the value from perfstats for snort instance rather than cgroups |
|
AWS ASAv PAYG Licensing not working in GovCloud regions. |
|
FTDs running 6.6.x show as disconnected on new HM (6.7+) but checks are running and updating |
|
Traceback and reload when webvpn users match DAP access-list with 36k elements |
|
Unable to access Dynamic Access policy |
|
Number of objects not updated under Policies > Security Intelligence > Block list |
|
ASA/FTD: Traceback and Reload on Netflow timer infra |
|
Disabling NAVL guids from userappid.conf doesn't work |
|
Cut-Through Proxy does not work with HTTPS traffic |
|
seeing error on access policies on FMC - "Error during policy validation" |
|
Enhance logging mechanism for syslogs |
|
ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units |
|
Deployment changes to push VDB package based on Device model and snort engine |
|
ASA/FTD failure due to heartbeat loss between chassis and blade |
|
MariaDB crash (segmentation fault) related to netmap query |
|
Software upgrade on FDM fails due to improper next-hop validation |
|
FMC | Deployment failure in csm_snapshot_error |
|
ASA/FTD may traceback and reload in logging_cfg processing |
|
Incorrect Paging and count value for Time Range Object Get API |
|
FAN LED flashing amber on FPR2100 |
|
No Inspect Interruption warning when deploy after FMC upgrade |
|
Clientless VPN users are unable to download large files through the WebVPN portal |
|
SFDataCorrelator performance degradation involving hosts with many discovered MAC addresses |
|
Anyconnect users unable to connect when ASA using different authentication and authorization server |
|
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob |
|
Can't modify RA vpn group policy on FDM 7.3 |
|
Primary ASA traceback upon rebooting the secondary |
|
ASA/FTD traceback and reload, Thread Name: rtcli async executor process |
|
FMC SecureX via proxy stops working after upgrade to 7.x |
|
Link Up seen for a few seconds on FPR1010 during bootup |
|
FTD: Unable to configure WebVPN Keepout or Certificate Map on FPR3100 |
|
ASA unexpectedly reloads when doing backup |
|
41xx: Blade does not capture or log a reboot signal |
|
High FMC backup file size due to configurations snapshot for all managed devices |
|
ASA/FTD: External IDP SAML authentication fails with Bad Request message |
|
Summary status dashboard takes more than 3 mins to load upon login |
|
Interactive Block action doesn't work when websites are redirected to https |
|
License Commands go missing in Cluster data unit if the Cluster join fails. |
|
FTD traceback and reload while deploying PAT POOL |
|
Need to provide rate-limit on "logging history <mode>" |
|
collection of top.log.gz in troubleshoot can be corrupt due to race condition |
|
Unexpected "No Traffic" health alert on Standby HA Data Interface where no data flows |
|
FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity |
|
FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces |
|
Database table optimization not working for some of the tables |
|
Email alert incorrectly sent for a successful database backup |
|
FMC HA Synchronization can hang forever if no response from SendUserReloadSGTAndEndpointsEvent |
|
FMC: Upgrade fails at DB Integrity check due to large number of EO warnings for "rule_comments" |
|
Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure" |
|
On a cloud-delivered FMC there is no way to send events to syslog without sending to SAL/CDO as well |
|
FPR1120: connections are torn down after switchover in HA |
|
Threatgrid integration configuration is not sync'd as part of the FMC HA Synchronisation |
|
None option under trustpoint doesn't work when CRL check is failing |
|
FTD Deployment failures due to "snort3.validation.lua:5: '=' expected near 'change'" |
|
FTD traceback and reload during policy deployment adding/removing/editing of NAT statements. |
|
FTD is dropping GRE traffic from WSA |
|
ASA binding with LDAP as authorization method with missing configuration |
|
ASA: Traceback and reload while processing SNMP packets |
|
Purging of Config Archive failed for all the devices if one device has no versions |
|
High Lina memory use due to leaked SSL handles |
|
FMC Unable to fetch VPN troubleshooting logs. |
|
FTD - 'show memory top-usage' providing improper value for memory allocation |
|
FTD: IPSLA Pre-emption not working even when destination becomes reachable |
|
ASA/FTD Traceback and reload of Standby Unit while removing capture configurations |
|
FMC deployment preview showing full config instead of delta. |
|
FMC is not taking BGP default originate configuration via API PUT request. |
|
TLS sessions dropped under certain conditions after a fragmented Client Hello |
|
FMC Health Monitor does not report alerts for the Interface Status module |
|
Deployment failing - "Error while printing show-xml-response file contents" XML response too big |
|
FMC HA info is not sync'ed reliably to FTD to support CLOUD_SERVICE |
|
FMC deployment failure:"Validation failed: This is a slav*/ha standby device, rejecting deployment." |
|
null connection error seen in logs |
|
[FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs |
|
ASA/FTD may traceback and reload in Thread Name: CTM Daemon |
|
FTD High unmanaged disk usage alert is triggered due to stored files located on /ngfw/Volume/root1/ |
|
Policy deploy failure "error executing /*!40101 SET character_set_client = @saved_cs_client */; *" |
|
256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516 |
|
Traffic drop when primary device is active |
|
Snort mem used alert should be consistent with value from top.log |
|
ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires |
|
Multicast connection built or teardown syslog messages may not always be generated |
|
add warning to FTD platform settings when VPN Logging Settings logging level is informational |
|
Snort3: Process in D state resulting in OOM with jemalloc memory manager |
|
After disabling malware analysis, high disk usage on /dev/shm/snort |
|
Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated |
|
Unexpected firewalls reloads with traceback. |
|
Slow UI loading for Table View of Hosts |
|
Database integrity check takes several minutes to complete |
|
NTP polling frequency changed from 5 minutes to 1 second causes large useless log files |
|
FPR2100: Multiple snort3 & snort2 cores got generated and sensor goes down in KP platform |
|
Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/ |
|
FMC External authentication getting "Internal error" |
|
rpc service detector causing snort traceback due to universal address being an empty string |
|
ASA Traceback & reload citing thread name: asacli/0 |
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
ASA/FTD may traceback and reload after executing 'clear counters all' when VPN tunnels are created |
|
Copying and pasting rules is broken and gives blank error message in ID policy |
|
LINA traceback with icmp_thread |
|
The command "app-agent heartbeat" is getting removed when deleting any created context |
|
CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner. |
|
occasional failure to load light-modal-ac-rule-xx.css with a net::ERR_TOO_MANY_RETRIES error |
|
FTD MI does not adjust PVID on vlans attached to BVI |
|
ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo |
|
ASA/FTD Show chunkstat top command implementation |
|
SFDataCorrelator cores due to stuck database query after 1 hour deadlock timeout |
|
ASA/FTD might traceback in function "snp_fp_l2_capture_internal" due to cf_reinject_hide flag |
|
Workaround to set hwclock from ntp logs on low end platforms |
|
changing time window settings in FMC GUI event viewers may not work with FMC integrated with SecureX |
|
Supervisor does not reboot unresponsive module/blade due to IERR with minor severity sensor ID 79 |
|
Active authentication sessions are showing in VPN dashboard |
|
ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled |
|
TLS Server Identity may cause certain clients to produce mangled Client Hello |
|
Gateway is not reachable from standby unit in admin and user context with shared mgmt intf |
|
Multiple traceback seen on standby unit. |
|
2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset |
|
FMC Upgrade: generation of sftunnel.json file per FTD does not check for duplicate names |
|
FMC: Backup to an unavailable remote host results in the inability to restart the appliance. |
|
Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer |
|
FDM WM-HA ssh is not working after upgrading 7.2.3 beta with data interface as management |
|
ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
Remove the limit of 30 characters in the rule name when a rule is moved from ACP to Prefilter |
|
FP2100:Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames |
|
Question mark in NAT description causes config mismatch on Data members of an FTD cluster |
|
Syslog ASA-6-611101 is generated twice for a single ssh connection |
|
IMS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
Need to Warn the users before triggering a full deployment on FTD managed by FDM |
|
Snort3 crashes are seen under Dce2Smb2FileTracker processing of data |
|
ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency |
|
Frequent errors seen regarding failures to load bulkcsv files that don't exist |
|
Remove FMC drop_cache trigger to prevent Disk I/O increase due to file cache thrashing |
|
Unable to save Access Control Policy changes due to Internal error |
|
Management interface link status not getting synced between FXOS and ASA |
|
SNMP on SFR module goes down and won't come back up |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Not able to remove group policy from RAVPN via REST API |
|
ASA Evaluation of OpenSSL vulnerability CVE-2022-4450 |
|
SSL decrypted conns fails when tx chksum-offload is enabled with the egress interface a pppoe. |
|
NGIPSv syslog-tls.conf.tt needs filters removed when in CC mode |
|
The user belonging to a subdomain, is unable to collect packet tracer |
|
FTD on FPR2140 - Lina traceback and reload by TCP normalization |
|
Manager gets unregistered on its own from the FTD, show manager shows 'No managers configured' |
|
BGP IPv6 configuration : route-map association with neighbour not getting deployed |
|
FMC: Incorrect FTD cluster role status leading to inability to upgrade FTD |
|
Memory leak observed on ASA/FTD when logging history is enabled |
|
FTD:Node not joining cluster with "Health check detected that control left cluster" due to SSL error |
|
After FMC upgrade, SecureX ribbon redirects to US cloud region regardless of the set cloud region |
|
/var/sf/QueryPoolData fills up with warehouse directories |
|
FTD: "timeout floating-conn" not operating as expected for connections dependent on VRF routing |
|
DAP policy created in FMC Gui, to detect a Windows OS with a hotfix, will not work as expected |
|
ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup |
|
FTD Traceback and reload on Thread Name "NetSnmp Event mib process" |
|
FXOS fault F0853 and F0855 seen despite keyring reporting renewed |
|
FTD 2100 -Update daq-ioq mempool to help protect against buffer corruption |
|
Unable to delete custom anyconnect attribute --dynamic-split-tunnel from group-policy |
|
PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP |
|
ASA Multicontext 'management-only' interface attribute not synced during creation |
|
ASA reboots due to heartbeat loss and "Communication with NPU lost" |
|
New context subcommands are not replicated on HA standby when multiple sessions are opened. |
|
DCCSM session authorization failure cause multiple issues across FMC |
|
Policy Deploy Failing when trying to remove Umbrella DNS Connector Configuration |
|
ASA/FTD traceback in snp_tracer_format_route |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to tcp intercept stat |
|
ASA/FTD: Ensure flow-offload states within cluster are the same |
|
Need fault/error for invalid firmware MF-111-234949 |
|
Pri-Active FMC NOT triggering registration TASK for FTD to configure standby manager |
|
Post backup restore multiple processes are not up. No errors are observed during backup or restore. |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
Deployment failed in snapshot generation after upgrading FMC to 7.3 |
|
ASA/FTD may traceback and reload after changing IP of authentication server |
|
TID python processes stuck at 100% CPU |
|
ASA: Prevent SFR module configuration on unsupported platforms |
|
The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context |
|
FP2100 series devices might use excessive memory if there is a very high SNMP polling rate |
|
ASA - Standby device may traceback and reload during synchronization of ACL DAP |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected |
|
ASA / FTD Traceback and reload when removing isakmp capture |
|
Failover fover_trace.log file is flooding and gets overwritten quickly |
|
Snort3 fails to match SMTPS traffic to ACP rules |
|
FMC should push the AnyConnect Custom attribute defer keyword as lowercase instead of capitalized |
|
Failover may be disabled multiple times due to wrongly seeing a different "Mate operational mode". |
|
FTD: unable to run any commands on CLISH prompt |
|
Snort high memory alerts still seen despite fix for CSCwd84942 |
|
Deployment is blocked due to Pre-deploy Validation Error - Invalid endpoint |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853 |
|
Selective deployment negating the route configs |
|
Selective deployment removing the prefilter-configs |
|
Selective deployment removing the Group policy |
|
FTD LINA traceback and reload in Datapath thread after adding Static Routing |
|
Unable to login to FTD using external authentication |
|
Cross-interface-access: ICMP Ping to management access ifc over VPN is broken |
|
FMC runs out of space when Snort sends massive numbers of packet logs |
|
logrotate is not compressing files on 9.16 ASA or 7.0 FTD |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-1-1656 |
|
SFDataCorrelator spam seen in /var/log/messages |
|
AnyConnect - mobile devices are not able to connect when hostscan is enabled |
|
CD App Sync error is App Config Apply Failed on Secondary/Standby after backup restore on RMA device |
|
Interface remains DOWN in an Inline-set with propagate link state |
|
Snort2 rule recommendations increase disabled rule count drastically |
|
[FMC model migration] Health monitoring on FMC reporting errors |
|
Upgraded FMC didn't mark FTDs with Hot Fix as light registered - failed FMC HA sync |
|
High rate of network map updates can cause large delays and backlogs in event processing |
|
ndclientd error message 'Local Disk is full' needs to provide details of the mount that is full |
|
ASA/FTD: From-the-box ping fails when using a custom VRF |
|
ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers |
|
Improve Azure AD realm documentation |
|
ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread' |
|
Deployment for eigrp / bgp change may cause temporary outage during policy apply |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
LDAP External auth config fails to deploy to FTD if same LDAP server is added as Primary and backup |
|
Default DLY value of port-channel sub interface mismatch with parent Portchannel |
|
ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem |
|
health alert for [FSM:STAGE:FAILED]: external aaa server configuration |
|
FMC does not allow creating more than 30 VLAN interfaces |
|
FMC Upgrade from Active-Primary FMC fails with "Installation failed: Peer Discovery incomplete." |
|
Fix Snort3 Memory Utilisation Value |
|
Prune target should account for the allocated memory from the thread pruned |
|
ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled |
|
FMC system restore authentication error during FMC re-image when using FTP/SCP protocol |
|
ASA/FTD traceback and reload citing thread name: cli_xml_server in tm_job_add |
|
email alert to scheduled activity is not working after upgrading to 7.2 |
|
"Failed to convert snort 2 custom rules. Refer /var/sf/htdocs/ips/snort.rej for more details." |
|
ASA traceback and reload with process name: cli_xml_request_process |
|
Serial number attribute from the subject DN of certificate should be taken as the username |
|
vFMC300 to FMC2600 migration failure with error "migration from R to N is not allowed" |
|
Notification Daemon false alarm of Service Down |
|
CVIM Console getting stuck in "Booting the kernel" page |
|
Username-from-certificate feature cannot extract the email attribute |
|
ASA: Standby failure on parsing of "management-only" for dynamic configuration changes |
|
Missing Instance ID in unified_events-2.log |
|
Elephant flow detection disabled on FMC, getting enabled on FTD after random deployment |
|
ASA Traceback and reload in parse thread due to ha_msg corruption |
|
correlation events based on connection events do not contain Security Intelligence Category content |
|
ngfwManager process continuously restarting leading to ZMQ Out of Memory traceback |
|
FTD returns no output of "show elephant-flow status" when efd.lua file's content is empty |
|
FP1140 7.0.4 Deployment keeps failing with error "Can't use an undefined value as a HASH reference" |
|
Snort2 rule assignments missing from ngfw.rules (assignment_data table ) after FMC upgrade. |
|
FXOS REST API: Unable to create a keyring with type "ecdsa" |
|
Threat-detection does not recognize exception objects with a prefix in IPv6 |
|
ASA/FTD may traceback and reload in Thread Name 'lina'. |
|
Threat-detection does not allow clearing individual IPv6 entries |
|
need to turn off default TLS 1.1 (deprecated) support for the FDM GUI |
|
ASA not updating Timezone despite taking commands |
|
FTD DHCP Relay drops NACK if multiple DHCP Servers are configured |
|
Umbrella DNS Negate of Bypass Domain Field is not generated from FMC |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1 |
|
ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues |
|
FMC error displaying users page due to wide characters in real name field |
|
FDM Cannot create self-signed certificates due to Expiration Date format |
|
AC policy deploy failing on 7.2.4 FMC to 6.7 FTD |
|
traceback and reload thread datapath on process tcpmod_proxy_continue_bp |
|
Add knob to pause/resume file specific logging in asa log infra. |
|
DOC: Misleading Documentation of Cisco Firepower 2100 GLC-T and GLC-TE SFP Support |
|
FTD: Unable to process a TLS1.2 website with TLS Server Identity with client generating SSL Errors |
|
Found Orphaned SFTop10Cacher processes |
|
FTD/ASA Hub and spoke (U-turn) VPN fails when one spoke is IPSec flow offloaded and the other isn't |
|
standby in disabled state after QP-MI HA 7.0.3 to 7.2.4-126, APPLY_APP_CONFIG_APPLICATION_FAILURE |
|
TCP ping is completely broken starting in 9.18.2 |
|
FTD: ADI.conf - send_s2s_vpn_events is set to 0, even after applying s2s vpn health policy |
|
Snort3 Crash in SslServiceDetector after call from nss_passwd_lookup |
|
Prune symmetric triggers that existed in sfsnort schema before FMC upgrade to 7.3 version or later |
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
ASA: "Ping <ifc_name> x.x.x.x" is not working as expected starting 9.18.x |
|
Readiness check needs to be allowed to run without pausing FMC HA |
|
Setting heartbeat timeout to 6sec for BS and QP |
|
Upgrade Device listing page is taking more than 15 mins to load page fully with 25 FTDs registered |
|
ASA running out of SNMP PDU and SNMP VAR chunks |
|
Lina traceback and reload due to fragmented packets |
|
FPR3100: ASA/FTD High traffic impact on all data interfaces with high counter of "demux drops" |
|
"Security Intelligence feed download failed" displayed even though it succeeded |
|
ISE Integration Network filter not accepting multiple comma separated networks |
|
FTD : Traceback in ZMQ running 7.3.0 |
|
ASA sends OCSP request without user-agent and host |
|
ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot |
|
Unable to load intrusion policy page on FMC GUI |
|
FTDv: Traffic failure in VMware Deployments due to dpdk pool exhaustion and rx_buff_alloc_failure |
|
ASA Traceback and reload citing process name 'lina' |
|
FTD container restored from backup fails to register to FMC due to Peer send bad hash error |
|
traceback and reload in Process Name: lina related to Nat/Pat |
|
TCP normalizer needs stats that show actions like packet drops |
|
LDAP authentication over SSL not working for users that send large authorisation profiles |
|
ASAv in Hyper-V drops packets on management interface |
|
When enabling backup peer ip on FMC 7.3.1 with a space the VPN IPSec profile would be removed |
|
Failure to remove snort stat files older than 70 days |
|
ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure |
|
Changes to lamplighter logs written to /var/log/tid_process.log |
|
FATAL errors in DBCheck due to missing columns in eventdb table |
|
admin user should be excluded from CLI shell access filter |
|
ASA may traceback and reload in Thread Name 'DHCPv6 Relay' |
|
No logrotate and max size is configured for Health.log file |
|
ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes |
|
ASA Packet-tracer always displays the first ACL rule, though it matches the right ACL |
|
FTD HA Creation fails resulting in devices showing up in an inconsistent state on the FMC |
|
Not able to add files with file names that have '\u' to clean list from Malware Summary page |
|
Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
|
SFDataCorrelator process crashing very frequently on the FMC. |
|
crashhandler running with test mode snort |
|
FMC backup management page showing "Verifying Backup" for FTD sensors. |
|
FMC backup restore page takes around 5 mins to load when remote storage is unreachable |
|
FP2130- Unable to disassociate member from port channel, deployment fails, member is lost on FTD/FMC |
|
ASA/FTD: Connection information in SIP-SDP header remains untranslated with destination static Any |
|
FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge" |
|
Inconsistent log messages seen when emblem is configured and buffer logging is set to debug |
|
In some specific scenarios, object optimizer can cause incorrect rules to be deployed to the device |
|
ASA in multi context shows standby device in failed state even after MIO HB recovery. |
|
ASA integration with umbrella does not work without validation-usage ssl-server. |
|
ASA traceback and reload with the Thread name: **CP Crypto Result Processing** |
|
Firewall may drop packets when routing between global or user VRFs |
|
Standby FMC SSH connection getting disconnected frequently. |
|
ASA access-list entries have the same hash after upgrade |
|
Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby |
|
FMC Fails to deploy or register new FTDs due to SFTunnel Establishment Failure. |
|
Snort3 crash after the consequent snort restart if duplicate custom apps are present |
|
FTD: GRE traffic is load balanced between CPU cores |
|
SFTunnel Fails to Properly Establish due to running_config.conf file misconfiguration |
|
ASA: Traceback and reload while updating ACLs on ASA |
|
FMC should handle error appropriately when ISE reports error during SXP download |
|
AnyConnect Ikev2 Login Failed With certificate-group-map Configured |
|
FMC UI related issue in Object management page |
|
ASA/FTD may traceback and reload citing process name "lina" |
|
NMAP Remediation scan tasks remain in pending state in action queue table, does not clear out |
|
Traceback in Thread Name: ssh/client in a clustered setup |
|
Adding verify check for networks added under network object group in FMC |
|
Old LSP packages are not pruned causing high disk utilization |
|
CSM backup failed due to modification of CSM audit log file while tar was reading it |
|
VPN load-balancing cluster encryption using deprecated ciphers |
|
ASA/FTD: Traceback and reload when issuing 'show memory webvpn all objects' |
|
FXOS SNMP "property community of sys/svc-ext/snmp-svc is out of range" is unclear to users |
|
FTD username with dot fails AAA-RADIUS external authentication login after upgrade |
|
Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection |
|
FMC config archives retention reverts to default if ca_purge tool was used prior to 7.2.4 upgrade |
|
TelemetryApp process keeps exiting every minute after upgrading the FMC |
|
KP2140-HA, reloaded primary unit not able to detect the peer unit |
|
FTD/Lina - ZMQ issue OUT OF MEMORY due to less Msglyr pool memory in low end platforms |
|
ASA generating traceback with thread-name: DATAPATH-53-18309 after upgrade to 9.16.4.19 |
|
Health Monitoring to NOT collect route stats for transparent mode FTD |
|
FMC needs to properly validate QoS policy rules before allowing deployment to FTD |
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum. |
|
Unable to list down the interface under the device exclude policy |
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
FTD Lina engine may traceback, due to assertion, in datapath |
|
Avoid both devices in HA sending events to FMC |
|
FTD is dropping GRE traffic from WSA due to NAT failure |
|
Include a warning during break HA when secondary unit is active |
|
ASA appliance mode - 'connect fxos [admin]' will get ERROR: failed to open connection. |
|
FMC 1600 process ssp_snmp_trap_fwdr high memory utilization |
|
FTD: Firepower 3100 Dynamic Flow Offload showing as Enabled |
|
Unable to configure and deploy IPv6 DNS server for RAVPN in FMC 7.2.4 |
|
Policy deployment fails when a route with the same prefix/metric is configured in a separate VRF. |
|
Disable TLS 1.1 permanently for sftunnel communication |
|
[Snort 3] IPS Policy Overrides not working on Chained Intrusion Policies |
|
FMC GUI | ACP page goes blank and hangs while searching in rules and moving to last pages |
|
Copy of Policy causes all devices to be marked as dirty |
|
ASA/FTD: Traceback and reload due to NAT L7 inspection rewrite |
|
EOStore failed error is outputted after deleting shared rule layer. |
|
Encrypted Visibility Engine (EVE) dashboard tab and widgets not added to FMC GUI upon upgrade |
|
The authentication object names should not contain white spaces |
|
FTD - Issue with the LSP package code during deploy rollback. |
|
Unable to save intrusion policy after upgrade to 7.x as the name exceeds 40 characters |
|
Rule update filter in Intrusion policy shows inconsistent results |
For Assistance
Upgrade Guides
In management center deployments, the management center must run the same or newer version as its managed devices. Upgrade the management center first, then devices. Note that you always want to use the upgrade guide for the version of management center or device manager that you are currently running—not your target version.
Platform |
Upgrade Guide |
Link |
---|---|---|
Management center |
Management center version you are currently running. |
https://www.cisco.com/go/fmc-upgrade |
Threat defense with management center |
Management center version you are currently running. |
https://www.cisco.com/go/ftd-fmc-upgrade |
Threat defense with device manager |
Threat defense version you are currently running. |
https://www.cisco.com/go/ftd-fdm-upgrade |
Threat defense with cloud-delivered Firewall Management Center |
Cloud-delivered Firewall Management Center. |
Install Guides
If you cannot or do not want to upgrade, you can freshly install major and maintenance releases. This is also called reimaging. You cannot reimage to a patch. Install the appropriate major or maintenance release, then apply the patch. If you are reimaging to an earlier threat defense version on an FXOS device, perform a full reimage—even for devices where the operating system and software are bundled.
Platform |
Install Guide |
Link |
---|---|---|
Management center hardware |
Getting started guide for your management center hardware model. |
|
Management center virtual |
Getting started guide for the management center virtual. |
|
Threat defense hardware |
Getting started or reimage guide for your device model. |
|
Threat defense virtual |
Getting started guide for your threat defense virtual version. |
|
FXOS for the Firepower 4100/9300 |
Configuration guide for your FXOS version, in the Image Management chapter. |
|
FXOS for the Firepower 1000/2100 and Secure Firewall 3100/4200 |
Troubleshooting guide, in the Reimage Procedures chapter. |
More Online Resources
Cisco provides the following online resources to download documentation, software, and tools; to query bugs; and to open service requests. Use these resources to install and configure Cisco software and to troubleshoot and resolve technical issues.
-
Documentation: http://www.cisco.com/go/threatdefense-74-docs
-
Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html
-
Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
-
Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html
Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.
Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
-
Email Cisco TAC: tac@cisco.com
-
Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
-
Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts