Cisco Secure Firewall Threat Defense Release Notes

This document contains release information for:

  • Cisco Secure Firewall Threat Defense

  • Cisco Secure Firewall Management Center (on-prem)

  • Cisco Secure Firewall device manager

Release Dates

Table 1. Version 7.2 Dates

Version    Build   Date         Platforms
7.2.9      44      2024-10-22   All
7.2.8.1    17      2024-08-26   All
7.2.8      25      2024-06-24   All
7.2.7      500     2024-04-29   All
7.2.6      168     2024-04-22   No longer available.
           167     2024-03-19   No longer available.
7.2.5.2    4       2024-05-06   All
7.2.5.1    29      2023-11-14   All
7.2.5      208     2023-07-27   All
7.2.4.1    43      2023-07-27   All
7.2.4      169     2023-05-10   Management center
           165     2023-05-03   Devices
7.2.3.1    13      2023-04-18   Management center
7.2.3      77      2023-02-27   All
7.2.2      54      2022-11-29   All
7.2.1      40      2022-10-03   All
7.2.0.1    12      2022-08-10   All
7.2.0      82      2022-06-06   All

Features

For features in earlier releases, see Cisco Secure Firewall Management Center New Features by Release and Cisco Secure Firewall Device Manager New Features by Release.

Upgrade Impact/Features in Maintenance Releases and Patches

A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.

The feature descriptions here include upgrade impact where appropriate. For a more complete list of features with upgrade impact by version, see Upgrade Impact Features.


Important


Features, enhancements, and critical fixes included in maintenance releases (third-digit) and patches (fourth-digit) can skip future releases, depending on release date, release type (short term vs. long term), and other factors. Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing a Maintenance Release.


If you are using the web interface in a language other than English, features introduced in maintenance releases and patches may not be translated until the next major release.

Snort 3

Snort 3 is the default inspection engine for threat defense.

Snort 3 features for management center deployments also apply to device manager, even if they are not listed as new device manager features. However, keep in mind that the management center may offer more configurable options than device manager.


Important


If you are still using the Snort 2 inspection engine, switch to Snort 3 now for improved detection and performance. Snort 2 will be deprecated in a future release and will eventually prevent threat defense upgrade.


Intrusion Rules and Keywords

Upgrades can import and auto-enable new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU/LSP. After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.

For details on new keywords, see the Snort release notes: https://www.snort.org/downloads.

FlexConfig

Upgrades can add web interface or Smart CLI support for features that previously required FlexConfig. The upgrade does not convert FlexConfigs. After upgrade, configure the newly supported features in the web interface or Smart CLI. When you are satisfied with the new configuration, delete the deprecated FlexConfigs.

The feature descriptions here include information on deprecated FlexConfigs when appropriate. For a full list of deprecated FlexConfigs, see your configuration guide.


Caution


Although you cannot newly assign or create FlexConfig objects using deprecated commands, in most cases existing FlexConfigs continue to work and you can still deploy. However, sometimes, using deprecated commands can cause deployment issues.


REST API

For information on what's new in the REST API, see the Secure Firewall Management Center REST API Quick Start Guide or the Cisco Secure Firewall Threat Defense REST API Guide.

Telemetry

Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support. For information on what's new with telemetry, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center.

Management Center Features in Version 7.2.9

Table 2. Management Center Features in Version 7.2.9

Feature

Minimum FMC

Minimum FTD

Details

Reintroduced Features

Reintroduced features from previous maintenance releases.

Feature dependent

Feature dependent

Version 7.2.9 reintroduces:

  • Cisco Security Cloud regions: India and Australia.

Management Center Features in Version 7.2.8

Table 3. Management Center Features in Version 7.2.8

Feature

Minimum Management Center

Minimum Threat Defense

Details

Platform

Threat defense virtual for Megaport.

7.2.8

7.2.8

We introduced threat defense virtual for Megaport (Megaport Virtual Edge). High availability is supported; clustering is not.

Version restrictions: Initially, you may not be able to freshly deploy Versions 7.3.x or 7.4.x. Instead, deploy Version 7.2.8–7.2.x and upgrade.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

Management Center Features in Version 7.2.7

This release introduces stability, hardening, and performance enhancements. See Resolved Bugs in Version 7.2.7.

Management Center Features in Version 7.2.6

Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. The features listed here are also available in Version 7.2.7.

Table 4. Management Center Features in Version 7.2.6

Feature

Minimum Management Center

Minimum Threat Defense

Details

Reintroduced Features

Reintroduced features from previous maintenance releases.

7.2.6

Feature dependent

Version 7.2.6 reintroduces:

  • Updated web analytics provider. Upgrade impact.

Interfaces

Configure DHCP relay trusted interfaces from the management center web interface.

7.2.6

7.4.1

Any

Upgrade impact. Redo any related FlexConfigs after upgrade.

You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them.

DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the threat defense DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address that is set by the relay agent before it forwards the packet to the server) is set to 0, then threat defense will drop that packet by default. You can preserve Option 82 and forward the packet by identifying an interface as a trusted interface.

New/modified screens: Devices > Device Management > Add/Edit Device > DHCP > DHCP Relay

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version, redo your FlexConfigs.

See: Configure the DHCP Relay Agent
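The trusted-interface rule above hinges on two fields of the client's DHCP packet: whether Option 82 (relay agent information) is already present, and whether giaddr is still 0.0.0.0. The following is an added example, not Cisco code and not the threat defense implementation: it builds a minimal RFC 2131 packet (constructed test input), parses those two fields, and models the relay decision as the feature text describes it, dropping an Option 82 packet with giaddr 0 from an untrusted interface and forwarding it with Option 82 preserved from a trusted one. Interface names and the relay address are placeholders.

```python
import ipaddress
import struct

# Constructed, minimal DHCP packet builder and parser (RFC 2131 layout) so the
# relay decision can be exercised offline. Not Cisco code; the relay logic
# below is a model of the behaviour described in the feature text.

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82   # DHCP Option 82
OPT_END = 255
ZERO_ADDR = ipaddress.IPv4Address("0.0.0.0")


def build_dhcp_packet(giaddr="0.0.0.0", option82=None):
    """Build a DHCPDISCOVER with an optional pre-set Option 82 (constructed input)."""
    hdr = struct.pack(
        "!BBBBIHH4s4s4s4s",
        1, 1, 6, 0,          # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x1234, 0, 0,        # xid, secs, flags
        b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,  # giaddr (offset 24)
    )
    hdr += b"\0" * (16 + 64 + 128)  # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 1])  # message type: DISCOVER
    if option82 is not None:
        opts += bytes([OPT_RELAY_AGENT_INFO, len(option82)]) + option82
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_dhcp(packet):
    """Return (giaddr, {option_code: raw_value}) for a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    giaddr = ipaddress.IPv4Address(packet[24:28])
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:          # pad option
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return giaddr, options


def set_giaddr(packet, relay_ip):
    """Stamp the relay's own address into giaddr before forwarding."""
    return packet[:24] + ipaddress.IPv4Address(relay_ip).packed + packet[28:]


def relay_decision(packet, ingress_interface, trusted_interfaces, relay_ip):
    """Model the relay agent's handling of a client packet.

    Returns ("drop", None) or ("forward", packet_to_send).
    Option 82 present with giaddr 0.0.0.0 means a downstream switch inserted
    the option without acting as a relay. By default that packet is dropped,
    unless it arrived on a trusted interface, in which case Option 82 is kept
    and the packet is forwarded with giaddr set to the relay's address.
    """
    giaddr, options = parse_dhcp(packet)
    if giaddr == ZERO_ADDR:
        if OPT_RELAY_AGENT_INFO in options and ingress_interface not in trusted_interfaces:
            return ("drop", None)
        return ("forward", set_giaddr(packet, relay_ip))
    # giaddr already set by an upstream relay: forward as-is
    return ("forward", packet)


if __name__ == "__main__":
    pkt = build_dhcp_packet(option82=b"\x01\x04Gi01")   # circuit-id sub-option
    print(relay_decision(pkt, "inside", set(), "10.0.0.1")[0])        # drop
    print(relay_decision(pkt, "inside", {"inside"}, "10.0.0.1")[0])   # forward
```

The practical check this gives you is the failure mode to look for when clients behind a snooping switch stop getting leases after an upgrade: Option 82 arriving with giaddr 0 on an interface that is no longer marked trusted (for example because a FlexConfig was overridden) is silently dropped, and nothing reaches the DHCP server.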

NAT

Create network groups while editing NAT rules.

7.2.6

7.4.1

Any

You can now create network groups in addition to network objects while editing a NAT rule.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Customizing NAT Rules for Multiple Devices

High Availability/Scalability: Threat Defense

Reduced "false failovers" for threat defense high availability.

7.2.6

7.4.0

7.2.6

7.4.0

Other version restrictions: Not supported with management center or threat defense Version 7.3.x.

See: Heartbeat Module Redundancy

High Availability: Management Center

Single backup file for high availability management centers.

7.2.6

7.4.1

Any

When performing a configuration-only backup of the active management center in a high availability pair, the system now creates a single backup file which you can use to restore either unit.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Unified Backup of Management Centers in High Availability

Event Logging and Analysis

Open the packet tracer from the unified event viewer.

7.2.6

7.4.1

Any

You can now open the packet tracer from the unified event view (Analysis > Unified Events). Click the ellipsis icon (...) next to the desired event and click Open in Packet Tracer.

Other version restrictions: In Version 7.2.x, use the Expand icon (>) instead of the ellipsis icon. Not supported with management center Version 7.3.x or 7.4.0.

See: Working with the Unified Event Viewer

Health Monitoring

Health alerts for excessive disk space used by deployment history (rollback) files.

7.2.6

7.4.1

Any

The Disk Usage health module now alerts if deployment history (rollback) files are using excessive disk space on the management center. Deploy the management center health policy after upgrade.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Disk Usage for Device Configuration History Files Health Alert

Health alerts for NTP sync issues.

7.2.6

7.4.1

Any

A new Time Server Status health module reports issues with NTP synchronization. Deploy the management center health policy after upgrade.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Time Synchronization and Health Modules

Deployment and Policy Management

View and generate reports on configuration changes since your last deployment.

7.2.6

7.4.1

Any

You can generate, view, and download (as a zip file) the following reports on configuration changes since your last deployment:

  • A policy changes report for each device that previews the additions, changes, or deletions in the policy, or the objects that are to be deployed on the device.

  • A consolidated report that categorizes each device based on the status of policy changes report generation.

This is especially useful after you upgrade either the management center or threat defense devices, so that you can see the changes made by the upgrade before you deploy.

New/modified screens: Deploy > Advanced Deploy.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Download Policy Changes Report for Multiple Devices

Set the number of deployment history files to retain for device rollback.

7.2.6

7.4.1

Any

You can now set the number of deployment history files to retain for device rollback, up to ten (the default). This can help you save disk space on the management center.

New/modified screens: Deploy > Deployment History (deployment history icon) > Deployment Setting > Configuration Version Setting

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Set the Number of Configuration Versions

Upgrade

Improved upgrade starting page and package management.

7.2.6

7.4.1

Any

A new upgrade page makes it easier to choose, download, manage, and apply upgrades to your entire deployment. This includes the management center, threat defense devices, and any older NGIPSv/ASA FirePOWER devices. The page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. You can easily choose and direct-download packages from Cisco, as well as manually upload and delete packages.

Internet access is required to retrieve the package list and to direct-download upgrade packages. Otherwise, you are limited to manual management. Patches are not listed unless you have at least one appliance at the appropriate maintenance release (or you manually uploaded the patch). You must manually upload hotfixes.

New/modified screens:

  • System (system gear icon) > Product Upgrades is now where you upgrade the management center and all managed devices, as well as manage upgrade packages.

  • System (system gear icon) > Content Updates is now where you update intrusion rules, the VDB, and the GeoDB.

  • Devices > Threat Defense Upgrade takes you directly to the threat defense upgrade wizard.

  • System (system gear icon) > Users > User Role > Create User Role > Menu-Based Permissions allows you to grant access to Content Updates (VDB, GeoDB, intrusion rules) without allowing access to Product Upgrades (system software).

Deprecated screens/options:

  • System (system gear icon) > Updates is deprecated. All threat defense upgrades now use the wizard.

  • The Add Upgrade Package button on the threat defense upgrade wizard has been replaced by a Manage Upgrade Packages link to the new upgrade page.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Enable revert from the threat defense upgrade wizard.

7.2.6

7.4.1

Any, if upgrading to 7.1+

You can now enable revert from the threat defense upgrade wizard.

Other version restrictions: You must be upgrading threat defense to Version 7.1+. Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Select devices to upgrade from the threat defense upgrade wizard.

7.2.6

Any

Use the wizard to select devices to upgrade.

You can now use the threat defense upgrade wizard to select or refine the devices to upgrade. On the wizard, you can toggle the view between selected devices, remaining upgrade candidates, ineligible devices (with reasons why), devices that need the upgrade package, and so on. Previously, you could only use the Device Management page and the process was much less flexible.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

View detailed upgrade status from the threat defense upgrade wizard.

7.2.6

7.4.1

Any

The final page of the threat defense upgrade wizard now allows you to monitor upgrade progress. This is in addition to the existing monitoring capability on the Upgrade tab on the Device Management page, and on the Message Center. Note that as long as you have not started a new upgrade flow, Devices > Threat Defense Upgrade brings you back to this final wizard page, where you can view the detailed status for the current (or most recently complete) device upgrade.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Unattended threat defense upgrades.

7.2.6

Any

The threat defense upgrade wizard now supports unattended upgrades, using a new Unattended Mode menu. You just need to select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Simultaneous threat defense upgrade workflows by different users.

7.2.6

Any

We now allow simultaneous upgrade workflows by different users, as long as you are upgrading different devices. The system prevents you from upgrading devices already in someone else's workflow. Previously, only one upgrade workflow was allowed at a time across all users.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Skip pre-upgrade troubleshoot generation for threat defense devices.

7.2.6

Any

You can now skip the automatic generation of troubleshooting files before major and maintenance upgrades by disabling the new Generate troubleshooting files before upgrade begins option. This saves time and disk space.

To manually generate troubleshooting files for a threat defense device, choose System (system gear icon) > Health > Monitor, click the device in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Suggested release notifications.

7.2.6

7.4.1

Any

The management center now notifies you when a new suggested release is available. If you don't want to upgrade right now, you can have the system remind you later, or defer reminders until the next suggested release. The new upgrade page also indicates suggested releases.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Management Center New Features by Release

New upgrade wizard for the management center.

7.2.6

7.4.1

Any

A new upgrade starting page and wizard make it easier to perform management center upgrades. After you use System (system gear icon) > Product Upgrades to get the appropriate upgrade package onto the management center, click Upgrade to begin.

Other version restrictions: Only supported for management center upgrades from Version 7.2.6+/7.4.1+. Not supported for upgrades from Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Hotfix high availability management centers without pausing synchronization.

7.2.6

7.4.1

Any

Unless otherwise indicated by the hotfix release notes or Cisco TAC, you do not have to pause synchronization to install a hotfix on high availability management centers.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Administration

Updated internet access requirements for direct-downloading software upgrades.

7.2.6

7.4.1

Any

Upgrade impact. The system connects to new resources.

The management center has changed its direct-download location for software upgrade packages from sourcefire.com to amazonaws.com.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Internet Access Requirements

Scheduled tasks download patches and VDB updates only.

7.2.6

7.4.1

Any

Upgrade impact. Scheduled download tasks stop retrieving maintenance releases.

The Download Latest Update scheduled task no longer downloads maintenance releases; now it only downloads the latest applicable patches and VDB updates. To direct-download maintenance (and major) releases to the management center, use System (system gear icon) > Product Upgrades.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Software Update Automation

Usability, Performance, and Troubleshooting

Enable/disable access control object optimization.

7.2.6

7.4.1

Any

You can now enable and disable access control object optimization from the management center web interface.

New/modified screens: System > Configuration > Access Control Preferences > Object Optimization

Other version restrictions: Access control object optimization is automatically enabled on all management centers upgraded or reimaged to Versions 7.2.4–7.2.5 and 7.4.0, and automatically disabled on all management centers upgraded or reimaged to Version 7.3.x. It is configurable and enabled by default for management centers reimaged to Version 7.2.6+/7.4.1+, but respects your current setting when you upgrade to those releases.

See: Access Control Preferences

Cluster control link ping tool.

7.2.6

7.4.1

Any

You can check to make sure all the cluster nodes can reach each other over the cluster control link by performing a ping. One major cause for the failure of a node to join the cluster is an incorrect cluster control link configuration; for example, the cluster control link MTU may be set higher than the connecting switch MTUs.

New/modified screens: Devices > Device Management > More (more icon) > Cluster Live Status

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

Snort 3 restarts when it uses too much memory, which can trigger HA failover.

7.2.6

7.4.1

7.2.6 with Snort 3

7.4.1 with Snort 3

To improve continuity of operations, excessive memory use by Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process uses too much memory. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.)

This feature is enabled by default. You can use the CLI to disable it, or configure the memory threshold.

Platform restrictions: Not supported with clustered devices.

New/modified CLI commands: configure snort3 memory-monitor, show snort3 memory-monitor-status

Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Command Reference

Set the frequency of Snort 3 core dumps.

7.2.6

7.4.1

7.2.6 with Snort 3

7.4.1 with Snort 3

You can now set the frequency of Snort 3 core dumps. Instead of generating a core dump every time Snort crashes, you can generate one the next time Snort crashes only. Or, generate one if a crash has not occurred in the last day, or week.

Snort 3 core dumps are disabled by default for standalone devices. For high availability and clustered devices, the default frequency is now once per day instead of every time.

New/modified CLI commands: configure coredump snort3, show coredump

Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Command Reference

Capture dropped packets with the Secure Firewall 3100/4200.

7.2.6

7.4.1

7.2.6 (no 4200)

7.4.1

Packet losses resulting from MAC address table inconsistencies can impact your debugging capabilities. The Secure Firewall 3100/4200 can now capture these dropped packets.

New/modified CLI commands: [drop {disable | mac-filter}] in the capture command.

Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Command Reference

Deprecated Features

Deprecated: DHCP relay trusted interfaces with FlexConfig.

7.2.6

7.4.1

Any

Upgrade impact. Redo any related FlexConfigs after upgrade.

You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them.

Other version restrictions: This feature is not supported with management center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version, also redo your FlexConfigs.

See: Configure the DHCP Relay Agent

Management Center Features in Version 7.2.5

Table 5. Management Center Features in Version 7.2.5

Feature

Minimum Management Center

Minimum Threat Defense

Details

Interfaces

Management center detects interface sync errors.

7.2.5

7.4.1

Any

Upgrade impact. You may need to sync interfaces after upgrade.

In some cases, the management center can be missing a configuration for an interface even though the interface is correctly configured and functioning on the device. If this happens, and your management center is running:

  • Version 7.2.5: Deploy is blocked until you edit the device and sync from the Interfaces page

  • Version 7.2.6+/7.4.1+: Deploy is allowed with a warning, but you cannot edit interface settings without syncing first.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. The management center will neither block deploy nor warn you of missing configurations. You can still sync interfaces manually if you think you are having an issue.

Management Center Features in Version 7.2.4

Table 6. Management Center Features in Version 7.2.4

Feature

Minimum Management Center

Minimum Threat Defense

Details

Default Forward Error Correction (FEC) on Secure Firewall 3100 fixed ports changed to Clause 108 RS-FEC from Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers.

7.2.4

Any

When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the default type is now set to Clause 108 RS-FEC instead of Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers.

See: Interface Overview.

Automatically update CA bundles.

7.0.5

7.1.0.3

7.2.4

7.0.5

7.1.0.3

7.2.4

Upgrade impact. The system connects to Cisco for something new.

The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature.

New/modified CLI commands: configure cert-update auto-update, configure cert-update run-now, configure cert-update test, show cert-update

Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco.

See: Firepower Management Center Command Line Reference and Cisco Secure Firewall Threat Defense Command Reference

Access control performance improvements (object optimization).

7.2.4

7.4.0

Any

Upgrade impact. First deployment after management center upgrade to 7.2.4–7.2.5 or 7.4.0 can take a long time and increase CPU use on managed devices.

Access control object optimization improves performance and consumes fewer device resources when you have access control rules with overlapping networks. The optimizations occur on the managed device on the first deploy after the feature is enabled on the management center (including if it is enabled by an upgrade). If you have a high number of rules, the system can take several minutes to an hour to evaluate your policies and perform object optimization. During this time, you may also see higher CPU use on your devices. A similar thing occurs on the first deploy after the feature is disabled (including if it is disabled by upgrade). After this feature is enabled or disabled, we recommend you deploy when it will have the least impact, such as a maintenance window or a low-traffic time.

New/modified screens (requires Version 7.2.6): System (system gear icon) > Configuration > Access Control Preferences > Object-group optimization.

Version restrictions: Not supported with management center Version 7.3.x.
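To see why overlapping networks are the case that benefits, here is an added illustration that is not Cisco's object-optimization implementation: it takes the network objects referenced by one rule's source networks (constructed sample data), collapses the overlapping and adjacent prefixes into the minimal equivalent set with the Python standard library, and checks against sample addresses that the collapsed set matches exactly what the original did. That last check is the property you care about on the first deploy after the feature is toggled: fewer entries to evaluate, with no change in which traffic matches the rule. Networks from different rules are not merged here, since rules with different actions must keep their own match sets.

```python
import ipaddress

# Constructed network objects as they might be referenced by one access
# control rule's source networks. Several overlap or are adjacent.
# Example only; this is not Cisco's object-optimization implementation.
RULE_SOURCE_NETWORKS = {
    "corp-lan": ["10.1.0.0/16"],
    "corp-vlan10": ["10.1.10.0/24"],                 # already inside corp-lan
    "branch-a": ["10.2.0.0/24", "10.2.1.0/24"],      # adjacent: one /23
    "dmz": ["192.0.2.0/25", "192.0.2.128/25"],       # adjacent: one /24
    "partner": ["198.51.100.0/24"],
}


def flatten(objects):
    """Expand network objects into the list of prefixes the device would evaluate."""
    nets = []
    for entries in objects.values():
        nets.extend(ipaddress.ip_network(e) for e in entries)
    return nets


def optimize(networks):
    """Collapse overlapping and adjacent prefixes into the minimal equivalent set."""
    return list(ipaddress.collapse_addresses(networks))


def matches(networks, addr):
    """True if addr falls in any prefix of the set."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in networks)


def verify_equivalent(raw, optimized, samples):
    """Optimization must never change a match result; check sample addresses."""
    return all(matches(raw, s) == matches(optimized, s) for s in samples)


def report(objects, samples):
    """Return (prefixes before, prefixes after, collapsed prefixes as strings)."""
    raw = flatten(objects)
    opt = optimize(raw)
    if not verify_equivalent(raw, opt, samples):
        raise RuntimeError("optimized set changed match semantics")
    return len(raw), len(opt), [str(n) for n in opt]


if __name__ == "__main__":
    before, after, nets = report(
        RULE_SOURCE_NETWORKS,
        ["10.1.10.5", "10.1.200.1", "10.2.1.9", "192.0.2.200", "203.0.113.1"],
    )
    print(f"{before} prefixes -> {after}: {nets}")   # 7 prefixes -> 4
```

With a few thousand rules and objects that reference the same address space in many combinations, this evaluation is what takes minutes to an hour on the first deploy, which is why the text recommends a maintenance window.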

Smaller VDB for lower memory Snort 2 devices.

6.4.0.17

7.0.6

7.2.4

7.3.1.1

7.4.0

Any with Snort 2

Upgrade impact. Application identification on lower memory devices is affected.

For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB.

Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X

Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641.

Management Center Features in Version 7.2.3

Table 7. Management Center Features in Version 7.2.3

Feature

Minimum Management Center

Minimum Threat Defense

Details

Firepower 1010E.

7.2.3.1

7.3.1.1

7.2.3

We introduced the Firepower 1010E, which does not support power over Ethernet (PoE). Do not use a Version 7.2.3 or Version 7.3.0 management center to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version 7.3.1.1+ management center.

Version restrictions: These devices do not support Version 7.3.x or 7.4.0. Support returns in Version 7.4.1.

See: Regular Firewall Interfaces

Management Center Features in Version 7.2.2

This release introduces stability, hardening, and performance enhancements. See Resolved Bugs in Version 7.2.2.

Management Center Features in Version 7.2.1

Table 8. Management Center Features in Version 7.2.1

Feature

Minimum Management Center

Minimum Threat Defense

Details

Hardware bypass ("fail-to-wire") network modules for the Secure Firewall 3100.

7.2.1

7.2.1

We introduced these hardware bypass network modules for the Secure Firewall 3100:

  • 6-port 1G SFP Hardware Bypass Network Module, SX (multimode) (FPR-X-NM-6X1SX-F)

  • 6-port 10G SFP Hardware Bypass Network Module, SR (multimode) (FPR-X-NM-6X10SR-F)

  • 6-port 10G SFP Hardware Bypass Network Module, LR (single mode) (FPR-X-NM-6X10LR-F)

  • 6-port 25G SFP Hardware Bypass Network Module, SR (multimode) (FPR-X-NM-X25SR-F)

  • 6-port 25G Hardware Bypass Network Module, LR (single mode) (FPR-X-NM-6X25LR-F)

  • 8-port 1G Copper Hardware Bypass Network Module, RJ45 (copper) (FPR-X-NM-8X1G-F)

New/modified screens: Devices > Device Management > Interfaces > Edit Physical Interface

For more information, see Inline Sets and Passive Interfaces.

Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.

7.2.1

7.2.1

We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.

For more information, see Getting Started with Secure Firewall Threat Defense Virtual and KVM.

Management Center Features in Version 7.2.0

Table 9. Management Center Features in Version 7.2.0

Feature

Minimum Management Center

Minimum Threat Defense

Details

Reintroduced Features

Reintroduced features from previous maintenance releases.

Feature dependent

Feature dependent

Version 7.2.0 reintroduces:

  • ISA 3000 support for shutting down.

  • Improved SecureX integration, SecureX orchestration. Upgrade impact.

  • Web interface changes: SecureX, threat intelligence, and other integrations.

Platform

Snapshots allow quick deploy of threat defense virtual for AWS and Azure.

7.2.0

7.2.0

You can now take a snapshot of a threat defense virtual for AWS or Azure instance, then use that snapshot to quickly deploy new instances. This feature also improves the performance of the autoscale solutions for AWS and Azure.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Analytics mode for cloud-managed threat defense devices.

7.2.0

7.0.3

7.2.0

Concurrently with Version 7.2, we introduced the cloud-delivered Firewall Management Center, which uses the Cisco Defense Orchestrator platform and unites management across multiple Cisco security solutions. We take care of feature updates.

On-prem hardware and virtual management centers running Version 7.2+ can "co-manage" cloud-managed threat defense devices, but for event logging and analytics purposes only. You cannot deploy policy to these devices from an on-prem management center.

New/modified screens:

  • When you add a cloud-managed device to an on-prem management center, use the new CDO Managed Device check box to specify that it is analytics-only.

  • View which devices are analytics-only on Devices > Device Management.

New/modified CLI commands: configure manager add, configure manager delete, configure manager edit, show managers

Version restrictions: Not supported with threat defense Version 7.1.

For more information, see Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator.

High Availability/Scalability: Threat Defense

Clustering for threat defense virtual in both public and private clouds.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

You can now configure clustering for the following threat defense virtual platforms:

  • Threat defense virtual for AWS: 16-node clusters

  • Threat defense virtual for GCP: 16-node clusters

  • Threat defense virtual for KVM: 4-node clusters

  • Threat defense virtual for VMware: 4-node clusters

New/modified screens:

  • Devices > Device Management > Add Cluster

  • Devices > Device Management > More menu

  • Devices > Device Management > Cluster

For more information, see Clustering for Threat Defense Virtual in a Public Cloud (AWS, GCP) or Clustering for Threat Defense Virtual in a Private Cloud (KVM, VMware).

16-node clusters for the Firepower 4100/9300, and for threat defense virtual for AWS and GCP.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

You can now configure 16-node clusters for the Firepower 4100/9300, and for threat defense virtual for AWS and GCP. Note that the Secure Firewall 3100 still only supports 8 nodes.

For more information, see Clustering for the Firepower 4100/9300 or Clustering for Threat Defense Virtual in a Public Cloud.

High availability for threat defense virtual for Nutanix.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

We now support high availability for threat defense virtual for Nutanix.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Autoscale for threat defense virtual for AWS gateway load balancers.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

We now support autoscale for threat defense virtual for AWS gateway load balancers, using a CloudFormation template.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Autoscale for threat defense virtual for GCP.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

Upgrade impact. Threat defense virtual for GCP cannot upgrade across Version 7.2.0.

We now support autoscale for threat defense virtual for GCP, by positioning a threat defense virtual instance group between a GCP internal load balancer (ILB) and a GCP external load balancer (ELB).

Version restrictions: Due to interface changes required to support this feature, threat defense virtual for GCP upgrades cannot cross Version 7.2.0. That is, you cannot upgrade to Version 7.2.0+ from Version 7.1.x and earlier. You must deploy a new instance and redo any device-specific configurations.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Interfaces

LLDP support for the Firepower 2100 and Secure Firewall 3100.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

You can now enable Link Layer Discovery Protocol (LLDP) for Firepower 2100 and Secure Firewall 3100 series interfaces.

New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration > LLDP

New/modified commands: show lldp status, show lldp neighbors, show lldp statistics

For more information, see Interface Overview.

Pause frames for flow control for the Secure Firewall 3100.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue.

New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration > Network Connectivity

For more information, see Interface Overview.

Breakout ports for the Secure Firewall 3130 and 3140.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

You can now configure four 10 GB breakout ports for each 40 GB interface on the Secure Firewall 3130 and 3140.

New/modified screens: Devices > Device Management > Chassis Operations

For more information, see Interface Overview.

Configure VXLAN from the management center web interface.

Minimum management center: 7.2.0

Minimum threat defense: Any

Upgrade impact. Redo FlexConfigs after upgrade.

You can now use the management center web interface to configure VXLAN interfaces. A VXLAN acts as a Layer 2 virtual network over a Layer 3 physical network, stretching the Layer 2 network across it.

If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings.

New/modified screens:

  • Configure the VTEP source interface: Devices > Device Management > VTEP

  • Configure the VNI interface: Devices > Device Management > Interfaces > Add VNI Interface

For more information, see Regular Firewall Interfaces.

NAT

Enable, disable, or delete more than one NAT rule at a time.

Minimum management center: 7.2.0

Minimum threat defense: Any

You can select multiple NAT rules and enable, disable, or delete them all at the same time. Enable and disable apply to manual NAT rules only, whereas delete applies to any NAT rule.

For more information, see Network Address Translation.

VPN

Certificate and SAML authentication for RA VPN connection profiles.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

We now support certificate and SAML authentication for RA VPN connection profiles. You can authenticate a machine certificate or user certificate before a SAML authentication/authorization is initiated. This can be done using DAP certificate attributes along with user specific SAML DAP attributes.

New/modified screens: You can now choose the Certificate & SAML option when choosing the authentication method for a connection profile in an RA VPN policy.

For more information, see Remote Access VPN.

Route-based site-to-site VPN with hub and spoke topology.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

We added support for route-based site-to-site VPNs in a hub and spoke topology. Previously, that topology only supported policy-based (crypto map) VPNs.

New/modified screens: When you add a new VPN topology and choose Route Based (VTI), you can now also choose Hub and Spoke.

For more information, see Site-to-Site VPNs.

IPsec flow offload for the Secure Firewall 3100.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

For more information, see Site-to-Site VPNs.

Routing

Configure EIGRP from the management center web interface.

Minimum management center: 7.2.0

Minimum threat defense: Any

Upgrade impact. Redo FlexConfigs after upgrade.

You can now use the management center web interface to configure EIGRP. Note that you can only enable EIGRP on interfaces belonging to the device's Global virtual router.

If you configured EIGRP with FlexConfig in a previous version, the system allows you to deploy post-upgrade, but also warns you to redo your EIGRP configurations in the web interface. When you are satisfied with the new configuration, you can delete the deprecated FlexConfig objects or commands. To help you with this process, we provide a command-line migration tool.

New/modified screens: Devices > Device Management > Routing > EIGRP

For more information, see EIGRP and Migrating FlexConfig Policies.

Virtual router support for the Firepower 1010.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

You can now configure up to five virtual routers on the Firepower 1010.

For more information, see Virtual Routers.

Support for VTIs in user-defined virtual routers.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

You can now assign virtual tunnel interfaces to user-defined virtual routers. Previously, you could only assign VTIs to Global virtual routers.

New/modified screens: Devices > Device Management > Routing > Virtual Router Properties

For more information, see Virtual Routers.

Policy-based routing with path monitoring.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

You can now use path monitoring to collect the performance metrics (RTT, jitter, packet loss, and MOS) of a device's egress interfaces. Then, you can use these metrics to determine the best path for policy-based routing.

New/modified screens:

  • Enable path monitoring and choose metrics to collect: Devices > Device Management > Interfaces > Path Monitoring

  • Use the new Interface Ordering option when you are adding a policy based route and specifying a forwarding action: Devices > Device Management > Routing > Policy Based Routing

  • Monitor path metrics in each device's health monitoring dashboard: System > Health > Monitor > Add Dashboard > Interface - Path Metrics.

New/modified CLI commands: show policy route, show path-monitoring, clear path-monitoring

For more information, see Policy Based Routing.

Threat Intelligence

DNS-based threat intelligence from Cisco Umbrella.

Minimum management center: 7.2.0

Minimum threat defense: Any

We now support DNS-based Security Intelligence using regularly updated information from Cisco Umbrella. You can use both a local DNS policy and an Umbrella DNS policy, for two layers of protection.

New/modified screens:

  • Configure connection to Umbrella: Integration > Other Integrations > Cloud Services > Cisco Umbrella Connection

  • Configure Umbrella DNS policy: Policies > DNS > Add DNS Policy > Umbrella DNS Policy

  • Associate Umbrella DNS policy with access control: Policies > Access Control > Edit Policy > Security Intelligence > Umbrella DNS Policy

For more information, see DNS Policies.

IP-based threat intelligence from Amazon GuardDuty.

Minimum management center: 7.2.0

Minimum threat defense: Any

You can now handle traffic based on malicious IP addresses detected by Amazon GuardDuty, when integrated with management center virtual for AWS. The system consumes this threat intelligence via a custom Security Intelligence feed, or via a regularly updated network object group, which you can then use in your security policies.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Access Control: Threat Detection and Application Identification

Dynamic object management with:

  • Cloud-delivered Cisco Secure Dynamic Attributes Connector

  • On-prem Cisco Secure Dynamic Attributes Connector 2.0

Minimum management center: 7.2.0

Minimum threat defense: Any

Concurrently with Version 7.2, we released the following updates to the Cisco Secure Dynamic Attributes Connector:

Bypass inspection or throttle elephant flows on Snort 3 devices.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0 with Snort 3

You can now detect and optionally bypass inspection or throttle elephant flows. By default, access control policies are set to generate an event when the system sees an unencrypted connection larger than 1 GB/10 sec; the rate limit is configurable.

For the Firepower 2100 series, you can detect elephant flows but not bypass inspection or throttle. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use Intelligent Application Bypass (IAB).

New/modified screens: We added Elephant Flow Settings to the access control policy's Advanced tab.

For more information, see Elephant Flow Detection.

Encrypted visibility engine enhancements.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0 with Snort 3

We made the following enhancements to the encrypted visibility engine (EVE):

  • EVE can detect the operating system used by the host, which is reported in events and the network map.

  • EVE can detect application traffic by assigning EVE processes that were identified with high confidence to applications, which you can then use in access control rules to control network traffic. (In Version 7.1, you could see EVE processes for connections, but you could not act on that knowledge.)

    To add additional assignments, create custom applications/custom application detectors. When adding a detection pattern to your custom detector, choose Encrypted Visibility Engine as the application. Then, specify the process name and confidence level.

  • EVE now works with QUIC traffic.

The following connection event fields have changed along with these enhancements:

  • TLS Fingerprint Process Name is now Encrypted Visibility Process Name

  • TLS Fingerprint Process Confidence Score is now Encrypted Visibility Process Confidence Score

  • TLS Fingerprint Malware Confidence is now Encrypted Visibility Threat Confidence

  • TLS Fingerprint Malware Confidence Score is now Encrypted Visibility Threat Confidence Score

  • Detection Type: TLS Fingerprint is now Detection Type: Encrypted Visibility

This feature now requires a Threat license.

For more information, see Access Control Policies and Application Detection.

TLS 1.3 inspection.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0 with Snort 3

We now support inspection of TLS 1.3 traffic.

New/modified screens: We added the Enable TLS 1.3 Decryption option to the Advanced Settings tab in SSL policies. Note that this option is disabled by default.

For more information, see SSL Policies.

Improved portscan detection.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0 with Snort 3

With an improved portscan detector, you can easily configure the system to detect or prevent portscans. You can refine the networks you want to protect, set the sensitivity, and so on. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use the network analysis policy for portscan detection.

New/modified screens: We added Threat Detection to the access control policy's Advanced tab.

For more information, see Threat Detection.

VBA macro inspection.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0 with Snort 3

We now support inspection of VBA (Visual Basic for Applications) macros in Microsoft Office documents, which is done by decompressing the macros and matching rules against the decompressed content.

By default, VBA macro decompression is disabled in all system-provided network analysis policies. To enable it use the decompress_vba setting in the imap, smtp, http_inspect, and pop Snort 3 inspectors.

To configure custom intrusion rules to match against decompressed macros, use the vba_data option.

For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Improved JavaScript inspection.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0 with Snort 3

We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. The new normalizer's enhancements include improved whitespace normalization, semicolon insertion, cross-site script handling, identifier normalization and dealiasing, just-in-time (JIT) inspection, and the ability to inspect external scripts.

By default, the new normalizer is enabled in all system-provided network analysis policies. To tune performance or disable the feature in a custom network analysis policy, use the js_norm (improved normalizer) and normalize_javascript (legacy normalizer) settings in the http_inspect Snort 3 inspector.

To configure custom intrusion rules to match against normalized JavaScript, use the js_data option, for example:

alert tcp any any -> any any (msg:"Script detected!"; js_data; content:"var var_0000=1;"; sid:1000001;)

For more information, see HTTP Inspect Inspector in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.
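To show why the rule above matches on var_0000 rather than on whatever name the script author chose, here is a simplified identifier-normalizing function written for these notes; it is not Snort's js_norm code, and Snort's normalizer handles much more (comments, regex literals, semicolon insertion, dealiasing, external scripts). The keyword and built-in lists are assumptions made for the illustration.

```python
import re

# Toy illustration of the js_norm idea: user-defined identifiers are renamed
# to var_0000, var_0001, ... in order of first appearance, insignificant
# whitespace is dropped, and keywords and well-known built-ins are kept.
# Assumption: these lists are a small subset chosen for the example only.
JS_KEYWORDS = {"var", "let", "const", "function", "return", "if", "else",
               "for", "while", "new", "this", "true", "false", "null"}
JS_BUILTINS = {"eval", "document", "window", "alert", "unescape", "String"}

# Tokenizer: string literals are matched first so their contents are never
# treated as identifiers; unmatched characters are simply skipped.
TOKEN_RE = re.compile(r"""
    (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*') |
    (?P<number>\d+(?:\.\d+)?) |
    (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*) |
    (?P<punct>===|!==|==|!=|<=|>=|&&|\|\||[-+*/%=<>!&|^~?:;,.(){}\[\]]) |
    (?P<space>\s+)
""", re.VERBOSE)


def normalize_js(script: str) -> str:
    """Return the script with identifiers renamed and whitespace removed."""
    names = {}          # original identifier -> var_NNNN
    out = []
    prev_word = False   # was the previous emitted token a word or number?
    for m in TOKEN_RE.finditer(script):
        kind, text = m.lastgroup, m.group()
        if kind == "space":
            continue
        if kind == "ident" and text not in JS_KEYWORDS and text not in JS_BUILTINS:
            if text not in names:
                names[text] = f"var_{len(names):04d}"
            text = names[text]
        word = kind in ("ident", "number")
        # A single space is kept only where two word-like tokens would
        # otherwise fuse (e.g. "var var_0000"), mirroring the rule content.
        if word and prev_word:
            out.append(" ")
        out.append(text)
        prev_word = word
    return "".join(out)


def rule_matches(script: str, content: str) -> bool:
    """Mimic 'js_data; content:"...";': match against the normalized script."""
    return content in normalize_js(script)


if __name__ == "__main__":
    # Constructed samples: the same statement under two different variable names.
    for sample in ("var   payload = 1 ;", "var _0xa1b2=1;"):
        print(normalize_js(sample), rule_matches(sample, "var var_0000=1;"))
```

Both constructed samples normalize to the same string, so one content match covers every renaming of the variable.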

Improved SMB 3 inspection.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0 with Snort 3

We now support inspection of SMB 3 traffic in the following situations:

  • During file server node failover for clusters configured for SMB Transparent Failover.

  • In multiple file server nodes for clusters using SMB Scale-Out.

  • Through directory information changes due to SMB Directory Leasing.

  • Spread across multiple connections due to SMB Multichannel.

For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Event Logging and Analysis

Log security events to multiple Secure Network Analytics on-prem data stores.

Minimum management center: 7.2.0

Minimum threat defense: 7.0.0

When you configure a Secure Network Analytics Data Store (multi-node) integration, you can now add multiple flow collectors for security events. You assign each flow collector to one or more threat defense devices running Version 7.0+.

New/modified screens:

  • Setup: Integration > Security Analytics & Logging > Secure Network Analytics Data Store

  • Modify: Integration > Security Analytics & Logging > Update Device Assignments

This feature requires Secure Network Analytics Version 7.1.4.

For more information, see the Cisco Security Analytics and Logging (On Premises): Firewall Event Integration Guide.

Database access changes.

Minimum management center: 7.2.0

Minimum threat defense: Any

We added ten new tables, deprecated one table, and prohibited joins in six tables. We also added fields to various tables for Snort 3 support and to provide timestamps and IP addresses in human-readable format.

For more information, see the What's New topic in the Cisco Secure Firewall Management Center Database Access Guide, Version 7.2.

eStreamer changes.

Minimum management center: 7.2.0

Minimum threat defense: Any

A new Python-based reference client has been added to the SDK. Also, you can now request fully qualified events.

For more information, see the What's New topic in the Cisco Secure Firewall Management Center Event Streamer Integration Guide, Version 7.2.

Deployment and Policy Management

Auto rollback of a deployment that causes a loss of management connectivity.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

You can now enable auto rollback of the configuration if a deployment causes the management connection between the management center and threat defense to go down. Previously, you could only manually roll back a configuration using the configure policy rollback command.

New/modified screens:

  • Devices > Device Management > Device > Deployment Settings

  • Deploy > Advanced Deploy > Preview

  • Deploy > Deployment History > Preview

For more information, see Device Management.

Generate and email a report when you deploy configuration changes.

Minimum management center: 7.2.0

Minimum threat defense: Any

You can now generate a report for any deploy task. The report contains details about the deployed configuration.

New/modified pages: Deploy > Deployment History > More > Generate Report

For more information, see Configuration Deployment.

Access control policy locking.

Minimum management center: 7.2.0

Minimum threat defense: Any

You can now lock an access control policy to prevent other administrators from editing it. Locking the policy ensures that your changes will not be invalidated if another administrator edits the policy and saves changes before you save your changes. Any user who has permission to modify the access control policy has permission to lock it.

We added an icon to lock or unlock a policy next to the policy name while editing the policy. In addition, there is a new permission to allow users to unlock policies locked by other administrators: Override Access Control Policy Lock. This permission is enabled by default in the Administrator, Access Admin, and Network Admin roles.

For more information, see Access Control Policies.

Object group search is enabled by default.

Minimum management center: 7.2.0

Minimum threat defense: Any

The Object Group Search setting is now enabled by default when you add a device to the management center.

New/modified screens: Devices > Device Management > Device > Advanced Settings

For more information, see Device Management.

Access control rule hit counts persist over reboot.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

Rebooting a managed device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained by each unit in an HA pair or cluster separately. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or see the counts per node.

New/modified CLI commands: show rule hits

For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

New user interface for the access control policy.

Minimum management center: 7.2.0

Minimum threat defense: Any

There is a new experimental user interface available for the access control policy. You can continue to use the legacy user interface, or you can try out the new user interface.

The new interface has both a table and a grid view for the rules list, the ability to show or hide columns, enhanced search, infinite scroll, a clearer view of the packet flow related to policies associated with the access control policy, and a simplified add/edit dialog box for creating rules. You can freely switch back and forth between the legacy and new user interfaces while editing an access control policy.

Note: The new interface does not have all the features available in the legacy interface, and may have performance issues when displaying a large number of rules. If you experience issues with the new UI, switch back to the legacy UI. Additionally, Cisco TAC welcomes your feedback. If your organization allows it, you can help us improve this feature by making sure web analytics is enabled: System > Configuration > Web Analytics.

For more information, see Access Control Policies.

Upgrade

Copy upgrade packages ("peer-to-peer sync") from device to device.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

Instead of copying upgrade packages to each device from the management center or an internal web server, you can use the threat defense CLI to copy upgrade packages between devices ("peer-to-peer sync"). This secure and reliable resource sharing goes over the management network but does not rely on the management center. Each device can accommodate 5 concurrent package transfers.

This feature is supported for Version 7.2.x–7.4.x standalone devices managed by the same Version 7.2.x–7.4.x standalone management center. It is not supported for:

  • Container instances.

  • Device high availability pairs and clusters. These devices get the package from each other as part of their normal sync process. Copying the upgrade package to one group member automatically syncs it to all group members.

  • Devices managed by high availability management centers.

  • Devices in different domains, or devices separated by a NAT gateway.

  • Devices upgrading from Version 7.1 or earlier, regardless of management center version.

  • Devices running Version 7.6+.

New/modified CLI commands: configure p2psync enable, configure p2psync disable, show peers, show peer details, sync-from-peer, show p2p-sync-status

Auto-upgrade to Snort 3 after successful threat defense upgrade.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

When you use a Version 7.2+ management center to upgrade threat defense to Version 7.2+, you can now choose whether to Upgrade Snort 2 to Snort 3.

After the software upgrade, eligible devices upgrade from Snort 2 to Snort 3 when you deploy configurations. For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For help, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.

Version restrictions: Not supported for threat defense upgrades to Version 7.0.x or 7.1.x.

Upgrade for single-node clusters.

Minimum management center: 7.2.0

Minimum threat defense: Any

You can now use the device upgrade page (Devices > Device Upgrade) to upgrade clusters with only one active node. Any deactivated nodes are also upgraded. Previously, this type of upgrade would fail. This feature is not supported from the system updates page (System > Updates).

Hitless upgrades are also not supported in this case. Interruptions to traffic flow and inspection depend on the interface configurations of the lone active unit, just as with standalone devices.

Supported platforms: Firepower 4100/9300, Secure Firewall 3100

Revert threat defense upgrades from the CLI.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

You can now revert threat defense upgrades from the device CLI if communications between the management center and device are disrupted. Note that in high availability/scalability deployments, revert is more successful when all units are reverted simultaneously. When reverting with the CLI, open sessions with all units, verify that revert is possible on each, then start the processes at the same time.

Caution: Reverting from the CLI can cause configurations between the device and the management center to go out of sync, depending on what you changed post-upgrade. This can cause further communication and deployment issues.

New/modified CLI commands: upgrade revert, show upgrade revert-info

For more information, see Revert the Upgrade.

Administration

Multiple DNS server groups for resolving DNS requests.

Minimum management center: 7.2.0

Minimum threat defense: Any

You can configure multiple DNS groups for the resolution of DNS requests from client systems. You can use these DNS server groups to resolve requests for different DNS domains. For example, you could have a catch-all default group that uses public DNS servers, for use with connections to the Internet. You could then configure a separate group to use internal DNS servers for internal traffic, for example, any connection to a machine in the example.com domain. Thus, connections to an FQDN using your organization’s domain name would be resolved using your internal DNS servers, whereas connections to public servers use external DNS servers.

New/modified screens: Platform Settings > DNS

For more information, see Platform Settings.

Configure certificate validation with threat defense by usage type.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

You can now specify, for each trustpoint, the usage types for which certificate validation is allowed on the threat defense device: IPsec client connections, SSL client connections, and SSL server certificates.

New/modified screens: We added a Validation Usage option to certificate enrollment objects: Objects > Object Manager > PKI > Cert Enrollment.

For more information, see Object Management.

French language option for web interface.

Minimum management center: 7.2.0

Minimum threat defense: Any

You can now switch the management center web interface to French.

New/modified screens: System > Configuration > Language

For more information, see System Configuration.

Web interface changes: deployment and user activity integrations.

Minimum management center: 7.2.0

Minimum threat defense: Any

Version 7.2 changes these management center menu options in all cases.

  • Deploy > Deployment History is now Deploy > Deployment History (bottom right corner)

  • Deploy > Deployment is now Deploy > Advanced Deploy

  • Analysis > Users > Active Sessions is now Integration > Users > Active Sessions

  • Analysis > Users > Users is now Integration > Users > Users

  • Analysis > Users > User Activity is now Integration > Users > User Activity

Troubleshooting

Dropped packet statistics for the Secure Firewall 3100.

Minimum management center: 7.2.0

Minimum threat defense: 7.2.0

The new show packet-statistics threat defense CLI command displays comprehensive information about non-policy related packet drops. Previously this information required using several commands.

For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

Deprecated Features

Deprecated: EIGRP with FlexConfig.

Minimum management center: 7.2.0

Minimum threat defense: Any

You can now configure EIGRP routing from the management center web interface.

You no longer need these FlexConfig objects: Eigrp_Configure, Eigrp_Interface_Configure, Eigrp_Unconfigure, Eigrp_Unconfigure_all.

And these associated text objects: eigrpAS, eigrpNetworks, eigrpDisableAutoSummary, eigrpRouterId, eigrpStubReceiveOnly, eigrpStubRedistributed, eigrpStubConnected, eigrpStubStatic, eigrpStubSummary, eigrpIntfList, eigrpAS, eigrpAuthKey, eigrpAuthKeyId, eigrpHelloInterval, eigrpHoldTime, eigrpDisableSplitHorizon.

The system does allow you to deploy post-upgrade, but also warns you to redo your EIGRP configurations. To help you with this process, we provide a command-line migration tool. For details, see Migrating FlexConfig Policies.

Deprecated: VXLAN with FlexConfig.

Minimum management center: 7.2.0

Minimum threat defense: Any

You can now configure VXLAN interfaces from the management center web interface.

You no longer need these FlexConfig objects: VxLAN_Clear_Nve, VxLAN_Clear_Nve_Only, VxLAN_Configure_Port_And_Nve, VxLAN_Make_Nve_Only, VxLAN_Make_Vni.

And these associated text objects: vxlan_Port_And_Nve, vxlan_Nve_Only, vxlan_Vni.

If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings.

Deprecated: Automatic pre-upgrade troubleshooting.

Minimum management center: 7.2.0

Minimum threat defense: Any

To save time and disk space, the management center upgrade process no longer automatically generates troubleshooting files before the upgrade begins. Note that device upgrades are unaffected and continue to generate troubleshooting files.

To manually generate troubleshooting files for the management center, choose System > Health > Monitor, click Firewall Management Center in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

Deprecated: Geolocation details.

Minimum management center: Any

Minimum threat defense: Any

In May 2022 we split the GeoDB into two packages: a country code package mapping IP addresses to countries/continents, and an IP package containing additional contextual data associated with routable IP addresses. In January 2024, we stopped providing the IP package. This saves disk space and does not affect geolocation rules or traffic handling in any way. Any contextual data is now stale, and upgrading to most later versions deletes the IP package. Options to download the IP package or view contextual data have no effect, and are removed in later versions.

Device Manager Features in Version 7.2.x

Table 10. Device Manager Features in Version 7.2.x

Feature

Description

Platform Features

Firepower 1010E.

We introduced the Firepower 1010E, which does not support power over Ethernet (PoE).

Minimum threat defense: 7.2.3

See: Cabling for the Firepower 1010

Threat defense virtual for GCP.

You can now use device manager to configure threat defense virtual for GCP.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

Threat defense virtual for Megaport.

You can now use device manager to configure threat defense virtual for Megaport (Megaport Virtual Edge). High availability is supported.

Minimum threat defense: 7.2.8

Other version restrictions: Initially, you may not be able to freshly deploy Versions 7.3.x or 7.4.x. Instead, deploy Version 7.2.8–7.2.x and upgrade.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

Network modules for the Secure Firewall 3100.

We introduced these network modules for the Secure Firewall 3100:

  • 6-port 1G SFP Network Module, SX (multimode) (FPR-X-NM-6X1SX-F)

  • 6-port 10G SFP Network Module, SR (multimode) (FPR-X-NM-6X10SR-F)

  • 6-port 10G SFP Network Module, LR (single mode) (FPR-X-NM-6X10LR-F)

  • 6-port 25G SFP Network Module, SR (multimode) (FPR-X-NM-X25SR-F)

  • 6-port 25G Network Module, LR (single mode) (FPR-X-NM-6X25LR-F)

  • 8-port 1G Copper Network Module, RJ45 (copper) (FPR-X-NM-8X1G-F)

Minimum threat defense: 7.2.1

Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.

We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.

Minimum threat defense: 7.2.1

See: Deploy the Threat Defense Virtual on KVM

ISA 3000 support for shutting down.

Support returns for shutting down the ISA 3000. This feature was introduced in Version 7.0.2 but was temporarily deprecated in Version 7.1.

Firewall and IPS Features

Object-group search is enabled by default for access control.

The CLI configuration command object-group-search access-control is now enabled by default for new deployments. If you are configuring the command using FlexConfig, you should evaluate whether that is still needed. If you need to disable the feature, use FlexConfig to implement the no object-group-search access-control command.

See: Cisco Secure Firewall ASA Series Command Reference

Rule hit counts persist over reboot.

Rebooting a device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained by each unit in an HA pair or cluster separately. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or see the counts per node.

We modified the following threat defense CLI command: show rule hits.

See: Examining Rule Hit Counts

VPN Features

IPsec flow offload.

On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

See: IPSec Flow Offload

Interface Features

Breakout port support for the Secure Firewall 3130 and 3140.

You can now configure four 10-Gb breakout ports for each 40-Gb interface on the Secure Firewall 3130 and 3140.

New/modified screens: Devices > Interfaces

See: Manage the Network Module for the Secure Firewall 3100

Enabling or disabling Cisco Trustsec on an interface.

You can enable or disable Cisco Trustsec on physical, subinterface, EtherChannel, VLAN, Management, or BVI interfaces, whether named or unnamed. By default, Cisco Trustsec is enabled automatically when you name an interface.

We added the Propagate Security Group Tag attribute to the interface configuration dialog boxes, and the ctsEnabled attribute to the various interface APIs.

See: Configure Advanced Options

Licensing Features

Permanent License Reservation Support for ISA 3000.

ISA 3000 now supports Universal Permanent License Reservation for approved customers.

See: Applying Permanent Licenses in Air-Gapped Networks

Administrative and Troubleshooting Features

Ability to force full deployment.

When you deploy changes, the system normally deploys just the changes made since the last successful deployment. However, if you are experiencing problems, you can elect to force a full deployment, which completely refreshes the configuration on the device. We added the Apply Full Deployment option to the deployment dialog box.

See: Deploying Your Changes

Automatically update CA bundles.

Upgrade impact. The system connects to Cisco for something new.

The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature.

New/modified CLI commands: configure cert-update auto-update , configure cert-update run-now , configure cert-update test , show cert-update

Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco.

See: Cisco Secure Firewall Threat Defense Command Reference

Threat defense REST API version 6.3 (v6).

The threat defense REST API for software version 7.2 is version 6.3. You can use v6 in the API URLs, or preferentially, use /latest/ to signify you are using the most recent API version that is supported on the device. Note that the URL version path element for 6.3 is the same as 6.0, 6.1, and 6.2: v6.

Re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, log into device manager, click the More Options button, and choose API Explorer.

See: Cisco Secure Firewall Threat Defense REST API Guide
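As an added example (not part of the Cisco documentation or the device's own code), the following Python script shows one way to act on that re-evaluation advice: build request URLs through the /latest/ path, diff the resource models between two captures of the device's API spec so you can see which models your integration uses have changed, and check a stored request body against the newer model. The spec fragments are constructed stand-ins, and the spec path (/apispec/ngfw.json on the device manager) and the property names are assumptions, not taken from this page.

```python
import json
from typing import Dict, List

# Constructed Swagger 2.0 fragments standing in for two captures of the device's
# API spec (assumed to be served at https://<device>/apispec/ngfw.json). The
# model and property names are illustrative, not the real v6.x definitions.
OLD_SPEC = json.loads("""{
  "basePath": "/api/fdm/v6",
  "definitions": {
    "AccessRule": {"properties": {
      "name": {"type": "string"},
      "ruleAction": {"type": "string"},
      "sourceNetworks": {"type": "array"}}},
    "NetworkObject": {"properties": {
      "name": {"type": "string"},
      "value": {"type": "string"},
      "dnsResolution": {"type": "string"}}}
  }
}""")

NEW_SPEC = json.loads("""{
  "basePath": "/api/fdm/v6",
  "definitions": {
    "AccessRule": {"properties": {
      "name": {"type": "string"},
      "ruleAction": {"type": "string", "enum": ["PERMIT", "TRUST", "DENY"]},
      "sourceNetworks": {"type": "array"},
      "timeRangeObjects": {"type": "array"}}},
    "NetworkObject": {"properties": {
      "name": {"type": "string"},
      "value": {"type": "string"},
      "subType": {"type": "string"}}},
    "SyslogServer": {"properties": {"name": {"type": "string"}}}
  }
}""")


def api_url(host: str, path: str, version: str = "latest") -> str:
    """Build a device manager API URL. 'latest' resolves on the device to the
    newest supported API version; pinning 'v6' covers API 6.0 through 6.3."""
    return f"https://{host}/api/fdm/{version}/{path.lstrip('/')}"


def diff_models(old: dict, new: dict) -> Dict[str, dict]:
    """Compare the 'definitions' of two Swagger 2.0 specs. Returns, per model
    that differs, its status (new/removed/modified) and the property names
    that were added, removed, or changed in type or constraints."""
    old_defs = old.get("definitions", {})
    new_defs = new.get("definitions", {})
    report: Dict[str, dict] = {}
    for model in sorted(set(old_defs) | set(new_defs)):
        old_props = old_defs.get(model, {}).get("properties", {})
        new_props = new_defs.get(model, {}).get("properties", {})
        added = sorted(set(new_props) - set(old_props))
        removed = sorted(set(old_props) - set(new_props))
        changed = sorted(p for p in set(old_props) & set(new_props)
                         if old_props[p] != new_props[p])
        if model not in old_defs:
            status = "new"
        elif model not in new_defs:
            status = "removed"
        elif added or removed or changed:
            status = "modified"
        else:
            continue  # unchanged model, nothing to re-check
        report[model] = {"status": status, "added": added,
                         "removed": removed, "changed": changed}
    return report


def unknown_fields(payload: dict, spec: dict, model: str) -> List[str]:
    """Fields in a stored request body that the target spec's model no longer
    defines; such a call may be rejected after upgrade and needs rework."""
    props = spec.get("definitions", {}).get(model, {}).get("properties", {})
    return sorted(k for k in payload if k not in props)


if __name__ == "__main__":
    print(api_url("ftd.example.net", "/object/networks"))
    for model, info in diff_models(OLD_SPEC, NEW_SPEC).items():
        print(model, info)
    # A saved NetworkObject body from an older integration run (constructed).
    print(unknown_fields({"name": "db", "value": "10.0.0.5",
                          "dnsResolution": "IPV4_ONLY"}, NEW_SPEC, "NetworkObject"))
```

Capture the spec before and after the upgrade (or from a lab device on the target version), load both with json.load, and pass them to diff_models; every model your automation touches that shows up as modified or removed is a call to re-test.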

Upgrade Impact Features

A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.


Important


Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing a Maintenance Release.


Upgrade Impact Features for Management Center

Check all releases between your current and target version.

Table 11. Upgrade Impact Features for Management Center

Target Version

Features with Upgrade Impact

7.2.6–7.2.x

  • Configure DHCP relay trusted interfaces from the management center web interface.

  • Updated internet access requirements for direct-downloading software upgrades.

  • Scheduled tasks download patches and VDB updates only.

  • Updated web analytics provider.

7.2.5-7.2.x

  • Management center detects interface sync errors.

7.2.4+

  • Automatically update CA bundles.

7.2.4–7.2.x

  • Smaller VDB for lower memory Snort 2 devices.

7.2.4–7.2.5

  • Access control performance improvements (object optimization).

7.2.0+

  • Configure VXLAN from the management center web interface.

  • Configure EIGRP from the management center web interface.

7.1.0+

  • Configure Equal-Cost-Multi-Path (ECMP) from the FMC web interface.

  • Configure policy based routing from the FMC web interface.

  • Send intrusion events and retrospective malware events to the Secure Network Analytics cloud from the FMC.

  • Deprecated (temporary): Improved SecureX integration, SecureX orchestration.

  • Deprecated: Intrusion incidents and the intrusion event clipboard.

  • Deprecated: Custom tables for intrusion events.

7.0.0+

  • End of support: VMware vSphere/VMware ESXi 6.0.

  • Deprecated: Port 32137 comms with AMP clouds.

6.7.0+

  • Changes to PAT address allocation in clustering.

  • pxGrid 2.0 with ISE/ISE-PIC.

  • Improved preclassification of files for dynamic analysis.

  • National Vulnerability Database (NVD) replaces Bugtraq.

  • Pre-upgrade compatibility check.

  • Upgrades postpone scheduled tasks.

  • Upgrades remove PCAP files to save disk space.

  • Deprecated: Cisco Firepower User Agent software and identity source.

  • Deprecated: Cisco ISE Endpoint Protection Services (EPS) remediation.

  • Deprecated: Less secure Diffie-Hellman groups, and encryption and hash algorithms.

  • Deprecated: Appliance Configuration Resource Utilization health module (temporary).

Upgrade Impact Features for Threat Defense with Management Center

Check all releases between your current and target version.

Table 12. Upgrade Impact Features for Threat Defense with Management Center

Target Version

Features with Upgrade Impact

7.2.4+

  • Automatically update CA bundles.

7.2.0+

  • Autoscale for threat defense virtual for GCP.

7.1.0+

  • Snort 3 support for inspection of DCE/RPC over SMB2.

  • Snort 3 support for ssl_version and ssl_state keywords.

7.0.0+

  • End of support: VMware vSphere/VMware ESXi 6.0.

  • FTDv performance tiered Smart Licensing.

  • Deprecated: RSA certificates with keys smaller than 2048 bits, or that use SHA-1 in their signature algorithm.

  • Deprecated: MD5 authentication algorithm and DES encryption for SNMPv3 users.

6.7.0+

  • Firepower 1100/2100 series SFP interfaces now support disabling auto-negotiation.

  • ClientHello modification for Decrypt - Known Key TLS/SSL rules.

  • Pre-upgrade compatibility check.

  • Improved readiness checks.

  • Improved FTD upgrade status reporting and cancel/retry options.

  • Upgrades remove PCAP files to save disk space.

Upgrade Impact Features for Threat Defense with Device Manager

Check all releases between your current and target version.

Table 13. Upgrade Impact Features for Threat Defense with Device Manager

Target Version

Features with Upgrade Impact

7.2.4+

  • Automatically update CA bundles.

7.1.0+

  • Dynamic Domain Name System (DDNS) support for updating fully-qualified domain name (FQDN) to IP address mappings for system interfaces.

  • Snort 3 support for inspection of DCE/RPC over SMB2.

  • Snort 3 support for ssl_version and ssl_state keywords.

7.0.0+

  • End of support: VMware vSphere/VMware ESXi 6.0.

  • DHCP relay configuration using the threat defense API.

6.7.0+

  • Support removed for less secure Diffie-Hellman groups, and encryption and hash algorithms.

  • EIGRP support using Smart CLI.

  • Threat Defense API support for SNMP configuration.

Upgrade Guidelines

The following sections contain release-specific upgrade warnings and guidelines. You should also check for features and bugs with upgrade impact. For general information on time/disk space requirements and on system behavior during upgrade—which can include interruptions to traffic flow and inspection—see the appropriate upgrade guide (linked under For Assistance).

Upgrade Guidelines for Management Center

Table 14. Upgrade Guidelines for Management Center

Target Version

Current Version

Guideline

Details

7.2.8.x

7.2.8.0

Patch uninstall not supported: Version 7.2.8.x to Version 7.2.8.0.

Uninstall is not supported for the Version 7.2.8.1 management center patch.

Because patches are cumulative, and because uninstalling returns you to the patch level you upgraded from, this means that uninstall is not supported from any Version 7.2.8.x patch back to Version 7.2.8 (the base version).

7.2.6

6.6.0–7.2.5

Upgrade not recommended: Version 7.2.6.

Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade.

7.0.0–7.2.x

6.4.0–6.7.x

Reconnect with Threat Grid for high availability management centers.

Version 7.0.0 fixes an issue with management center high availability and malware detection where, after failover, the system stopped submitting files for dynamic analysis (CSCvu35704). For the fix to take effect, you must reassociate with the Cisco Threat Grid public cloud after upgrading.

After you upgrade the high availability pair to Version 7.0.0+, on the primary management center:

  1. Choose AMP > Dynamic Analysis Connections.

  2. Click Associate in the table row corresponding to the public cloud. A portal window opens. You do not have to sign in. The reassociation happens in the background, within a few minutes.

Upgrade Guidelines for Threat Defense with Management Center

Table 15. Upgrade Guidelines for Threat Defense with Management Center

Target Version

Current Version

Guideline

Details

7.2.6

6.6.0–7.2.5

Upgrade not recommended: Version 7.2.6.

Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade.

7.2.0–7.6.x

6.7.0–7.1.x

Upgrade prohibited: threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+.

You cannot upgrade threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+. You must deploy a new instance.

7.2.0–7.2.6

7.1.x

6.6.0–7.0.2

Unregister and reregister devices after reverting threat defense.

If you revert from Version 7.2.0–7.2.6 to Version 6.6.0–7.0.2 or to Version 7.1.x, unregister and reregister devices after the revert completes (CSCwi31680).

6.7.0–7.2.x

6.4.0–6.6.x

Upgrade failure: Firepower 1010 switch ports with invalid VLAN IDs.

For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with a VLAN ID in the 3968–4047 range. These IDs are for internal use only.

Upgrade Guidelines for Threat Defense with Device Manager

Table 16. Upgrade Guidelines for Threat Defense with Device Manager

Target Version

Current Version

Guideline

Details

7.2.6

6.6.0–7.2.5

Upgrade not recommended: Version 7.2.6.

Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade.

6.7.0–7.2.x

6.4.0–6.6.x

Upgrade failure: Firepower 1010 switch ports with invalid VLAN IDs.

For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with a VLAN ID in the 3968–4047 range. These IDs are for internal use only.
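A pre-upgrade check for this guideline, as an added example that is not from the Cisco documentation: it parses a Firepower 1010 running-config excerpt and flags switch ports (and VLAN interfaces) that reference a VLAN ID in the 3968–4047 range. The configuration excerpt is constructed, and the `switchport access vlan`, `switchport trunk allowed vlan` and `switchport trunk native vlan` syntax is assumed to match what `show running-config` prints on the device.

```python
import re
from typing import Dict, List, Set

# 3968-4047 are reserved for internal use per the upgrade guideline.
RESERVED_VLANS = range(3968, 4048)

# Constructed Firepower 1010 running-config excerpt (not a real capture).
SAMPLE_CONFIG = """\
interface Ethernet1/1
 nameif outside
 ip address 203.0.113.10 255.255.255.0
!
interface Ethernet1/2
 switchport
 switchport access vlan 10
!
interface Ethernet1/3
 switchport
 switchport access vlan 3970
!
interface Ethernet1/4
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 10,20,3960-3969
 switchport trunk native vlan 4000
!
interface Vlan10
 nameif inside
!
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand a VLAN list such as '10,20,3960-3969' into a set of IDs."""
    ids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


def vlan_ids_by_interface(config: str) -> Dict[str, Set[int]]:
    """Collect every VLAN ID each interface references: access VLAN, native
    VLAN, allowed trunk VLANs, and the ID embedded in a VlanN interface name."""
    result: Dict[str, Set[int]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            vm = re.match(r"^Vlan(\d+)$", current)
            if vm:
                result.setdefault(current, set()).add(int(vm.group(1)))
            continue
        if current is None:
            continue
        s = line.strip()
        m = re.match(r"^switchport (?:access|trunk native) vlan (\d+)$", s)
        if m:
            result.setdefault(current, set()).add(int(m.group(1)))
            continue
        m = re.match(r"^switchport trunk allowed vlan (?:add )?(\S+)$", s)
        if m:
            result.setdefault(current, set()).update(expand_vlan_list(m.group(1)))
    return result


def reserved_vlan_violations(config: str) -> Dict[str, List[int]]:
    """Interfaces whose configuration references a reserved VLAN ID, with the
    offending IDs; an empty dict means the config passes this check."""
    bad: Dict[str, List[int]] = {}
    for intf, ids in vlan_ids_by_interface(config).items():
        hits = sorted(v for v in ids if v in RESERVED_VLANS)
        if hits:
            bad[intf] = hits
    return bad


if __name__ == "__main__":
    for intf, ids in reserved_vlan_violations(SAMPLE_CONFIG).items():
        print(f"{intf}: reserved VLAN IDs {ids}")
```

Feed it the output of `show running-config` saved from the device; any interface it reports must be moved to a VLAN ID outside 3968–4047 before the upgrade is attempted.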

Upgrade Guidelines for the Firepower 4100/9300 Chassis

In most cases, we recommend you use the latest FXOS build in each major version. For release-specific FXOS upgrade warnings and guidelines, as well as features and bugs with upgrade impact, see the FXOS release notes. Check all release notes between your current and target version: http://www.cisco.com/go/firepower9300-rns.

For firmware upgrade guidelines (for upgrades to FXOS 2.13 and earlier), see the firmware upgrade guide: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.

Upgrade Path

Planning your upgrade path is especially important for large deployments, high availability/clustering, multi-hop upgrades, and situations where you need to coordinate chassis, hosting environment or other upgrades. Those scenarios are covered in more detail in the upgrade guide (linked under For Assistance).

Supported Direct Upgrades

This table shows the supported direct upgrades for management center and threat defense software. Note that although you can upgrade directly to maintenance (third-digit) releases, patches change the fourth digit only. You cannot upgrade directly to a patch from a previous major or maintenance release.

For the Firepower 4100/9300, the table also lists companion FXOS versions. If a chassis upgrade is required, threat defense upgrade is blocked. In most cases we recommend the latest build in each version; for minimum builds see the Cisco Secure Firewall Threat Defense Compatibility Guide.

Table 17. Supported Direct Upgrades for Major and Maintenance Releases

Current Version

Target Software Version

to 7.6

7.4

7.3

7.2

7.1

7.0

6.6

6.4

Firepower 4100/9300 FXOS Version for Chassis Upgrades

2.16

2.14

2.13

2.12

2.11

2.10

2.8

2.6

from 7.6

YES

7.4

YES

YES *

7.3

YES

YES

YES

7.2

YES

YES

YES

YES

7.1

YES

YES

YES

YES

YES

7.0

YES

YES

YES

YES

YES

6.6

YES

YES

YES

YES

6.4

YES

YES

6.2.3

YES

YES

* You cannot upgrade threat defense to Version 7.4.0, which is available as a fresh install on the Secure Firewall 4200 only. Instead, upgrade your management center and devices to Version 7.4.1+.

Choosing a Maintenance Release


Important


In most cases, we recommend you go directly to the latest maintenance release in your chosen major version.


Features, enhancements, and critical fixes included in maintenance releases (third-digit) and patches (fourth-digit) can skip future releases, depending on release date, release type (short term vs. long term), and other factors. To minimize upgrade and other impact, do not upgrade to a release that lacks features or fixes you rely on. If you cannot go to the latest maintenance release, at least make sure your target version was released after your current version. If you are running a patch, also compare the patch's release date with the target's: a patch released after your target version may contain fixes that the target does not. For a full list of release dates including patches, see Cisco Secure Firewall Management Center New Features by Release or Cisco Secure Firewall Device Manager New Features by Release.

If your current version is not listed next to your target version here, choose a later target.

Table 18. Released Before Version 7.2.x, by Date

Target Version (release date)   Current Version: is yours listed?
                                from 6.6       6.7 (EOS)   7.0           7.1     7.2

to 7.2.9 (2024-10-22)           6.6.0–6.6.7    6.7.0       7.0.0–7.0.6   7.1.0   7.2.0–7.2.8
7.2.8 (2024-06-24)              6.6.0–6.6.7    6.7.0       7.0.0–7.0.6   7.1.0   7.2.0–7.2.7
7.2.7 (2024-04-29)              6.6.0–6.6.7    6.7.0       7.0.0–7.0.6   7.1.0   7.2.0–7.2.6
7.2.6 * (2024-03-19)            (no longer available; do not use as a target)
7.2.5 (2023-07-27)              6.6.0–6.6.7    6.7.0       7.0.0–7.0.6   7.1.0   7.2.0–7.2.4
7.2.4 (2023-05-03)              6.6.0–6.6.7    6.7.0       7.0.0–7.0.5   7.1.0   7.2.0–7.2.3
7.2.3 (2023-02-27)              6.6.0–6.6.7    6.7.0       7.0.0–7.0.5   7.1.0   7.2.0–7.2.2
7.2.2 (2022-11-29)              6.6.0–6.6.7    6.7.0       7.0.0–7.0.5   7.1.0   7.2.0–7.2.1
7.2.1 (2022-10-03)              6.6.0–6.6.7    6.7.0       7.0.0–7.0.4   7.1.0   7.2.0
7.2.0 (2022-06-06)              6.6.0–6.6.5    6.7.0       7.0.0–7.0.2   7.1.0   (none)

* No longer available.

Management Center Before Devices

The management center should run the same or newer version as its devices. This is because features and resolved issues often require the latest version on both the management center and its devices, including patches.

Upgrade the management center first—you will still be able to manage older devices, usually a few major versions back. If you begin with devices running a much older version than the management center, further management center upgrades can be blocked. In this case perform a three (or more) step upgrade: devices first, then the management center, then devices again.


Note


You cannot upgrade a device past the management center to a newer major or maintenance version. Although a patched device (fourth-digit) can be managed with an unpatched management center, fully patched deployments undergo enhanced testing.


Chassis Before Threat Defense

For the Firepower 4100/9300, major versions require a FXOS upgrade. You should also check for firmware upgrades.

Because you upgrade the chassis first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of threat defense. If the chassis is already well ahead of its devices, further chassis upgrades can be blocked. In this case perform a three (or more) step upgrade: devices first, then the chassis, then devices again. Or, perform a full reimage. In high availability or clustered deployments, upgrade one chassis at a time.
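The ordering rules above and the date rule under Choosing a Maintenance Release are easy to get wrong by hand, so here is an added Python example (not Cisco code) that encodes both: a management center must be at the same or a newer major.minor.maintenance version as each device, patch level excepted, and a maintenance-release target must not be deferred and must have been released after the release your current version is based on. The release-date table is copied from the 7.2.x dates in these notes; dates for other trains and for patches would have to be added from their own release notes, and the function reports "unknown" rather than guessing when a date is missing.

```python
from datetime import date
from typing import Dict, Tuple

# 7.2.x maintenance release dates from these release notes. Add other trains
# and patch dates from their release notes to extend the check.
RELEASE_DATES: Dict[str, date] = {
    "7.2.0": date(2022, 6, 6),
    "7.2.1": date(2022, 10, 3),
    "7.2.2": date(2022, 11, 29),
    "7.2.3": date(2023, 2, 27),
    "7.2.4": date(2023, 5, 3),
    "7.2.5": date(2023, 7, 27),
    "7.2.6": date(2024, 3, 19),
    "7.2.7": date(2024, 4, 29),
    "7.2.8": date(2024, 6, 24),
    "7.2.9": date(2024, 10, 22),
}
# Deferred releases: downloaded images must not be used.
DEFERRED = {"7.2.6"}


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """'7.2.5.1' -> (7, 2, 5, 1); missing trailing digits are zero."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])  # type: ignore[return-value]


def base_release(v: str) -> str:
    """'7.2.5.1' -> '7.2.5', the maintenance release a patch applies to."""
    major, minor, maint, _ = parse_version(v)
    return f"{major}.{minor}.{maint}"


def device_version_allowed(fmc: str, device: str) -> bool:
    """Management center must be the same or newer at major.minor.maintenance.
    A patched device (fourth digit) may be ahead of an unpatched management
    center, so the patch level is ignored here."""
    return parse_version(device)[:3] <= parse_version(fmc)[:3]


def maintenance_target_ok(current: str, target: str) -> Tuple[str, str]:
    """Return ('ok' | 'reject' | 'unknown', reason) for a proposed maintenance
    release target, following the Choosing a Maintenance Release guidance."""
    if target in DEFERRED:
        return "reject", f"{target} was deferred and is no longer available"
    if parse_version(target) <= parse_version(current):
        return "reject", f"{target} is not newer than {current}"
    # Use the patch's own date when known, otherwise the base release's date.
    cur_key = current if current in RELEASE_DATES else base_release(current)
    if cur_key not in RELEASE_DATES or target not in RELEASE_DATES:
        return "unknown", "no release date on record; check the release notes"
    if RELEASE_DATES[target] <= RELEASE_DATES[cur_key]:
        return "reject", (f"{target} ({RELEASE_DATES[target]}) predates "
                          f"{cur_key} ({RELEASE_DATES[cur_key]}); fixes may be missing")
    return "ok", f"{target} released after {cur_key}"


if __name__ == "__main__":
    print(device_version_allowed("7.2.8", "7.2.8.1"))
    print(device_version_allowed("7.2.8", "7.2.9"))
    for cur, tgt in [("7.2.5.1", "7.2.6"), ("7.2.5", "7.2.9"), ("7.2.8", "7.2.7")]:
        print(cur, "->", tgt, maintenance_target_ok(cur, tgt))
```

Run device_version_allowed for every managed device against the planned management center version before starting, and maintenance_target_ok for the management center and each device against the planned target; any "reject" means pick a later target or reorder the upgrade.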

Bugs

For bugs in earlier releases, see the release notes for those versions. For cloud deployments, see the Cisco Cloud-Delivered Firewall Management Center Release Notes.


Important


We do not list open bugs for maintenance releases or patches.

Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated' date does not mean that the list was fully accurate on that date—only that some change was made. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. If you have a support contract, you can obtain up-to-date bug lists with the Cisco Bug Search Tool.


Open Bugs in Version 7.2.0

Table last updated: 2024-05-02

Table 19. Open Bugs in Version 7.2.0

Bug ID

Headline

CSCwb43433

Jumbo frame performance has degraded up to -45% on Firepower 2100 series

CSCwb78233

7.2.0 1984 Nutanix vFMC not accessible after upgrade from 7.1.0

CSCwb80789

TLS 1.3 connections to sites previously decrypted may fail

CSCwb87724

Evicted units re-joined existing Cluster but not listed on Control and other evicted vFTD Cluster

CSCwb88887

snp_fp_vxlan_encap_and_grp_send_common: failed to find adj. bp->l3_type = 8, inner_sip message

CSCwb89905

vFTD installed with JF but still FMC shows info about JF getting enabled and to reboot vFTD

CSCwb90105

Upgrade to 7.2 on FTDv for Nutanix is stuck after reboot

CSCwb96990

Early data may cause xtls to not wait for probe response

CSCwb97486

FPR3100: 25G optic may show link up on some 1/10G capable only fiber ports

CSCwb99960

onPremFMC with only CDO Managed devices registered, Malware Event pages shows license warning

CSCwd07838

User cannot filter by device in the new AC policy UI

CSCwd16602

Inconsistencies seen after switching from old UI to new UI without saving the policy

CSCwd47149

New AC Policy UI: ACP rule list takes a long time to load in case of large rule set

CSCwe14714

Search is slow and semantic based searches are not working in new ACP UI

CSCwe96560

Cannot copy rules from one policy to another policy using new AC policy UI

CSCwh15444

Fetching hit counts takes longer in NEW ACP UI when compared to the legacy ACP UI

CSCwi22693

ACP rule is deleted when discarding changes, post rule reposition.

Resolved Bugs in Version 7.2.9

Table last updated: 2024-10-22

Table 20. Resolved Bugs in Version 7.2.9

Bug ID

Headline

CSCvx74133

App-instance showing as Started instead of Online

CSCvy51481

[ENH] FTD should show error/warning when attaching a not valid certificate to the interface for VPN

CSCvz59859

FXOS fault F1758 description should not be specific to subinterfaces

CSCvz70310

ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports."

CSCwa82791

ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low

CSCwb02701

FXOS does not retry NTP sync with servers

CSCwb02741

Time sync status and error message do not elaborate NTP server rejection case

CSCwb03293

IKEv2 debugs: Received Policies and Expected Policies are empty

CSCwc01843

For FTD HA or cluster, incorrect device name may be shown in eventing UI and dashboard statistics

CSCwd65732

2X100G netmod card shows 10 Mbps on first member of port channel when second interface added

CSCwd67100

ASA traceback and reload on Datapath process

CSCwe02012

ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwe18462

ASA/FTD: Improve GTP Inspection Logging

CSCwe18467

ASA/FTD: GTP Inspection engine serviceability

CSCwe21884

Write wrapper around "kill" command to log who is calling it

CSCwe34826

Intrusion user not able to change intrusion action and File Policy

CSCwe82107

health alert for [FSM:STAGE:FAILED]: external aaa server configuration

CSCwf16001

HashiCorp Vault's implementation of Shamir's secret sharing used precomp

CSCwf27337

KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall

CSCwf39108

Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used

CSCwf64429

Unable to upload FTD version image to FCM

CSCwf69880

Firewall Traceback and reload due to SNMP thread

CSCwf70275

FTD: TLS Server Identity does not work if size of client hello more than TCP MSS bytes

CSCwf75694

ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0

CSCwf77994

False critical high CPU alerts for FTD device system cores running instantaneous high usage

CSCwf84318

ASA/FTD traceback and reload on thread DATAPATH

CSCwf99434

Failed to transfer new image file to FPR2130 and traceback was observed

CSCwh09968

ASA/FTD: Traceback and reload due to NAT change and DVTI in use

CSCwh10931

ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command

CSCwh13040

Incomplete rootwalk. snmpwalk on 816 MIB is getting timeout.

CSCwh14475

FTD events stopped being sent to FMC, EventHandler logs "publishing blocked"

CSCwh19475

Intermittently flow is getting white-listed by the snort for the unknow app-id traffic.

CSCwh19613

ASA crashed with Saml scenarios

CSCwh27886

Chassis Manager shows HTTP 500 Internal Server error in specific cases

CSCwh28218

Syslog not updating when prefilter rule name changes

CSCwh29276

ASA: Traceback and reload when switching from single to multiple mode

CSCwh40294

ASA traceback due to panic event during SNMP configuration

CSCwh43230

Strong Encryption license is not getting applied to ASA firewalls in HA.

CSCwh45450

2100: Interfaces missing from FTD after removing interfaces as members of a port-channel

CSCwh45935

Lina core observed in 6.4.0.17-22 in Kp with scaled traffic

CSCwh48776

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18,

CSCwh51872

Message asa_log_client exited 1 time(s) seen multiple times

CSCwh52710

evaluate open-vm-tools / VMware Tools on FMC for VMware -- CVE-2023-20900 and VMSA-2023-0019

CSCwh57814

The html/template package does not apply the proper rules for handling o

CSCwh60971

NAT pool is not working properly despite is not reaching the 32k object ID limit.

CSCwh62080

additional command outputs needed in FTD troubleshoot for blocks and ssl cache

CSCwh63211

Lina core at snp_nat_xlate_verify_magic.part and soft traces

CSCwh68068

Firepower WCCP router-id changes randomly when VRFs are configured

CSCwh69156

FTD-HA does not fail over sometimes when snort3 crashes

CSCwh69843

WM DT - ASA in transparent mode doesn't send equal IPv6 Router Advertisement packets to all nodes

CSCwh71262

A flaw was found in glibc. In an uncommon situation, the gaih_inet fun

CSCwh72070

Reload takes forever when reload command is issued on the lina prompt when devices are on HA

CSCwh78118

ASA/FTD traceback and reload on process fsm_send_config_info_initiator

CSCwh81366

[Multi-Instance] Second Hard Drive (FPR-MSP-SSD) not in use

CSCwh83517

VTI tunnel goes down due to route change detected in VRF scenario

CSCwh91065

Lina Traceback : Thread Name: DATAPATH during session terminate

CSCwh92345

crypto_archive file generated after the software upgrade.

CSCwh94029

A flaw was found in the Netfilter subsystem in the Linux kernel. The n

CSCwh94116

A flaw was found in the Netfilter subsystem in the Linux kernel. The x

CSCwh94193

urllib3 is a user-friendly HTTP client library for Python. urllib3 doe

CSCwh95025

GTP connections, under certain circumstances do not get cleared on issuing clear conn.

CSCwh95277

FTD traceback due to system memory exhaustion

CSCwh95443

Datapath hogs causing clustering units to get kicked out of the cluster

CSCwh96055

Management DNS Servers may be unreacheable if data interface is used as the gateway

CSCwh99398

ASA/FTD may traceback and reload in Thread Name 'DATAPATH-34-17852'

CSCwi00713

A memory leak flaw was found in Libtiff's tiffcrop utility. This issue

CSCwi01323

SNMP OID ifOutDiscards on MIO are always zero despite show interface are non-zero

CSCwi02754

FTD 1120 standby sudden reboot

CSCwi03407

Traceback on FP2140 without any trigger point.

CSCwi04351

FTD upgrade failling on script 999_finish/999_zz_install_bundle.sh

CSCwi05240

ASA - Traceback the standby device while HA sync ACL-DAP

CSCwi06797

ASA/FTD traceback and reload on thread DATAPATH

CSCwi20045

ASA/FTD may traceback and reload in Thread Name 'lina' due to a watchdog in 9.16.3.23 code

CSCwi23964

Python 3.x through 3.10 has an open redirection vulnerability in lib/h

CSCwi24007

An issue was discovered in the Linux kernel before 6.3.3. There is an

CSCwi24116

Twisted is an event-based framework for internet applications. Prior t

CSCwi31480

Alert: Decommission failed, reason: Internal error is not cleared from FCM or CLI after acknowledge

CSCwi31558

File-extracts.logs are not recognised by the diskmanager leading to high disk space

CSCwi31966

FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions

CSCwi36244

In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scrip

CSCwi36311

use kill tree function in SMA instead of SIGTERM

CSCwi36843

Detailed logging related to reason behind sub-interface admin state change during operations

CSCwi38662

FTD HA should not be created partially on FMC

CSCwi40193

Hairpinning of DCE/RPC traffic during the suboptimal lookup

CSCwi40302

Deployment fails on new AWS FTDv device with "no username admin"

CSCwi43492

ASA traceback and reload on Thread Name: DATAPATH

CSCwi44208

low memory/stress causing traceback in SNMP

CSCwi44912

ISA3000 Traceback and reload boot loop

CSCwi45878

ASA/FTD: DNS Load Balancing with SAML does not work with VPN Load Balancing

CSCwi48699

ASA traceback and reload on Thread Name: pix_flash_config_thread

CSCwi49770

ASA|FTD Traceback & reload in thread name Datapath

CSCwi49884

TCP MSS is changed back to the default value when a VTI or loopback interface is created

CSCwi52008

Snort3 traceback and restarts with race conditions

CSCwi53949

Snot3 traceback in TcpReassembler::scan_data_post_ack

CSCwi53987

SSL protocol settings does not modify the FDM GUI certificate configuration or disable TLSv1.1

CSCwi55938

The "show asp drop" command usage requires better updates for cluster-related drops

CSCwi56499

Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic

CSCwi56667

ASA Traceback and reload on Thread Name "fover_parse" on Standby after Failover Group changes

CSCwi56743

MSP Quota setting for instances is not correct

CSCwi57670

RAVPN SAML: External browser gives misleading message when FTD/ASA fails to parse assertion

CSCwi59271

Suppress "End of script output before headers" syslog on FXOS

CSCwi60285

ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwi61135

Debugs failed to be enabled on SSH session

CSCwi62796

ASA/FTD Traceback and reload related to SSL/DTLS traffic processing

CSCwi63743

ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert.

CSCwi64829

traceback and reload around function HA

CSCwi65116

DHCPv6:ASA traceback on Thread Name: DHCPv6 CLIENT.

CSCwi66461

WARN msg(speed not compatible, suspended) while creating port-channel on Victoria CE

CSCwi66676

ASA/FTD may traceback and reload in Thread Name 'webvpn_task'

CSCwi68833

ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsyned umbrella flow

CSCwi69091

ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwi70492

Firewall is in App Sync error in pseudo-standby mode and uses IPs from Active unit

CSCwi71998

"Stream: TCP normalization error in NO_TIMESTAMP" is seen when SSL Policy decrypt all is used

CSCwi72294

FTD: Improve or optimize LSP package verification logic to run it faster

CSCwi74214

ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA

CSCwi75198

Standby FTD experiencing periodic traceback and reload

CSCwi75967

CCM ID 62 - LTS18

CSCwi76361

Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently

CSCwi78191

An issue was discovered in drivers/input/input.c in the Linux kernel b

CSCwi78193

An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl

CSCwi78200

A vulnerability was found in GnuTLS. The response times to malformed c

CSCwi78206

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTL

CSCwi78370

41xx/93xx : Update CiscoSSH (Chassis Manager FXOS) to address CVE-2023-48795

CSCwi79037

IKEv2 client services is not getting enabled - XML profile is not downloaded

CSCwi79042

FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy

CSCwi79120

some ssh sessions not timing out, leading to ssh and console unable to connect to the FXOS CLI

CSCwi79393

Policy Deployment Fails when removing the Umbrella DNS Policy from Security Intelligence

CSCwi80979

Snort stripping packet information and injects its packet with 0 bytes data

CSCwi81503

HTTP/HTTPS detection for application needs to fail it's detection earlier

CSCwi81771

Unable to send unknown file disposition to ThreatGrid due to mem cache issue

CSCwi83890

Report file generated for AC policy is empty

CSCwi84314

ASA CLI hangs with 'show run' on multiple SSH

CSCwi84615

some stdout logs not rotated by logrotate

CSCwi85689

TLS Server Identify: 'show asp table socket' output shows multiple TLS_TRK entries

CSCwi85951

A use-after-free flaw was found in the __ext4_remount in fs/ext4/super

CSCwi85953

In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel thro

CSCwi87382

Traceback and reload on Primary unit while running debugs over the SSH session

CSCwi90571

Access to website via Clientless SSL VPN Fails

CSCwi90751

FTD/ASA - SNMP queries using snmpwalk are not displaying all "nameif" interfaces

CSCwi90998

ASA SNMP Polling Failure for environmental FXOS DME MIB (.1.3.6.1.4.1.9.9.826.2)

CSCwi92875

Check metadata cache size when generating retrospective events

CSCwi92924

A memory leak problem was found in ctnetlink_create_conntrack in net/n

CSCwi92927

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab

CSCwi92930

linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a den

CSCwi92932

copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1

CSCwi95228

"crypto ikev2 limit queue sa_init" resets after reboot

CSCwi95796

FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average

CSCwi95994

Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall.

CSCwi97836

ASA traceback and reload after configuring capture on nlp_int_tap and deleting context

CSCwi97839

FTD traceback assert in vni_idb_get_mode and reloaded

CSCwi98274

unzip 5.52 is from 2005 and contains multiple vulnerabilities

CSCwi99429

Policy deployment failure rollback didn't reconfigure the FTD devices

CSCwj00956

Snort process spamming syslog-ng messages, so syslog-ng on the KP platform is being killed

CSCwj02505

ASA Checkheaps traceback while entering same engineID twice

CSCwj03764

In Spoke dual ISP case if ISP2 is down, VTI tunnels related to ISP1 flapping.

CSCwj05151

ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion

CSCwj05484

ASA upgrade from 9.16 to 9.18 causing change in AAA ldap attribute values by adding extra slash '\'

CSCwj08021

The DNS message parsing code in 'named' includes a section whose compu

CSCwj08023

Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6

CSCwj08030

libexpat through 2.5.0 allows a resource consumption denial of service event

CSCwj08031

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DT

CSCwj08066

A denial of service vulnerability due to a deadlock was found in sctp_

CSCwj08083

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1

CSCwj08153

An out-of-memory flaw was found in libtiff that could be triggered by

CSCwj08667

ASA/FTD Traceback and Reload during ssl session establishment

CSCwj09110

Upload files through Clientless portal is not working as expected after the ASA upgrade

CSCwj09999

FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU)

CSCwj10451

The secondary device reloaded while rebooting the primary device.

CSCwj12131

Bailout when lina_io_write fails persistent with EPIPE errno.

CSCwj12173

Policy cache cleanup thread should cleanup any cache that is left open for a logged out session

CSCwj12924

A flaw was found in the Netfilter subsystem in the Linux kernel. The i

CSCwj13910

Crypto IPSEC SA Output Showing NO SA ERROR With IPSEC Offload Enabled

CSCwj14028

CCM ID 67 - LTS18

CSCwj14624

Backup exits with memory allocation error on 4115

CSCwj14832

SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication

CSCwj14927

FTD: Primary takes active role after reloading

CSCwj15125

ASA/FTD may traceback and reload in Thread Name 'lina' related to Netflow timer infra

CSCwj17447

ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174'

CSCwj19653

FTD - Trace back and reload due to NAT involving fqdn objects

CSCwj20067

ASA: Warning messages not displayed when Static interface NAT are configured

CSCwj21880

FTD with Interface object optimization enabled is blocking traffic after renaming of zone names

CSCwj22086

Active unit goes to disabled state when there is a mismatch in firewall mode

CSCwj22235

Lina traceback and reload due to mps_hash_memory pointing to null hash table

CSCwj22990

After upgrading the ASA, “Slot 1: ATA Compact Flash memory” shows a different value

CSCwj23192

extra file check is not reporting with pmtool SecureLSP lsp-rel-xxx command

CSCwj24828

Issue when two FQDN objects with same IP are added in source or destination (FTD/ASA)

CSCwj25975

FTD/ASA : CSR generation with comma in “Company Name” attribute does not work as expected

CSCwj28153

Lina contains outdated libexpat source code

CSCwj28437

Snort3: SQL traffic failure after upgrade due to large invalid sequence numbers and invalid ACKs

CSCwj30825

SFDataCorrelator memory leak after unregistering an active device

CSCwj30980

Addition of debugs & a show command to capture the ID usage in the CTS SXP flow.

CSCwj31918

Segmentation fault with "logger_msg_dispatch" while HA sync

CSCwj32035

Clientless VPN users are unable to reach pages with HTTP Basic Authentication

CSCwj33487

ASA/FTD may traceback and reload while handling DTLS traffic

CSCwj33580

IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal

CSCwj33891

ASA/FTD Cluster memory exhaustion caused by NAT process during release of port blocks allocations

CSCwj34881

Command to show counters for access-policy filtered with a source IP address gives incorrect result

CSCwj34975

Multiple context interfaces fail to pass traffic

CSCwj35701

Dns-guard prematurely closing conn due to timing condition

CSCwj38871

ASA traceback with thread name SSH

CSCwj38928

High latency observed on FPR31xx or FPR42xx

CSCwj39107

SFDataCorrelator memory growth when pruning a huge number of old service identities

CSCwj40597

FTD: Backups fail on Multi-Instance or standalone with error "Backup died unexpectedly"

CSCwj40665

Additional memory tracking in SFDataCorrelator

CSCwj40761

ASA/FTD may traceback in Threadname: **CTM KC FPGA stats handler**

CSCwj43345

SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets

CSCwj43355

A bug in QEMU could cause a guest I/O operation otherwise addressed to

CSCwj43379

libexpat through 2.6.1 allows an XML Entity Expansion attack when ther

CSCwj43466

A heap-buffer-overflow vulnerability was found in LibTIFF, in extractI

CSCwj44398

When a route-map is set under RIP routing on FTD, route updates do not work after FTD reload

CSCwj45822

Cisco Secure Client Unable to complete connection. Cisco Secure Desktop not installed on the client.

CSCwj48704

ASA traceback and reload when accessing file system from ASDM

CSCwj48754

SFDataCorrelator high memory usage when restart with large network map hosts

CSCwj49958

Crypto IPSEC Negotiation Failing At "Failed to compute a hash value"

CSCwj50406

All IPV6 BGP routes configured in device flapping

CSCwj53725

Traceback observed while applying 'no failover' and 'failover' in the ASA standby

CSCwj55036

ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload.

CSCwj59861

ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process

CSCwj60265

ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803'

CSCwj61885

File descriptor leak when validating upgrade images

CSCwj62723

Error message spammed to console on Firepower 2100 devices while enabling SSH config

CSCwj62984

Snort3: MSSQL query traffic corrupted by stream_tcp overlap handling causing SQL HY000

CSCwj68096

Console Access Stuck for ASAv hosted in CSP after Upgrade to 9.18.3.56

CSCwj68385

Snort3 continuous traceback & reload with each deployment

CSCwj68783

FTD/ASA-HA configs not in sync as the command sync process is sending configs with special chars

CSCwj69632

Default Hashing Algorithm is SHA1 for Firepower Chassis Manager Certificate on 4110

CSCwj72022

Deployment time increased by 30-45 seconds after the upgrade when applying specific Platform Setting

CSCwj72369

sync call got stuck resulting in boot loop

CSCwj72683

ASA - Bookmarks on the WebVPN portal are unreachable after successful login.

CSCwj73053

ASA may traceback and reload in Thread Name 'DATAPATH-21-16432'

CSCwj73061

SNMP OID for CPUTotal1min omits snort cpu cores entries when polled

CSCwj74323

ASAv Memory leak involving PKI/Crypto for VPN

CSCwj76503

Syslogs continue to be sent after disabling logging class on ASA

CSCwj81743

FTD - Trace back and reload due to NAT involving fqdn objects

CSCwj82285

ASA/FTD may traceback and reload in Thread Name 'sdi_work'

CSCwj82736

TLS Handshake Fails if Fragmented Client Hello Packet is Received Out of Order

CSCwj82903

FDM HA deployment fails with 'ApplicationException: Unable to export to database' error

CSCwj83185

FTD/ASA : Standby FTD traceback and reload after enabling memory tracking

CSCwj83634

Seeing message "reg_fover_nlp_sessions: failover ioctl C_FOREG failed"

CSCwj85106

FMC on upgrade results in FTDv losing its performance tier

CSCwj85333

FPR might drop TLS1.3 connections when hybridized kyber cipher is enabled in web browser

CSCwj86527

SNMP v1 and v2c traps from diagnostic and data ints stop working on a KP/vFTD after product upgrade

CSCwj87501

ASA/FTD may traceback and reload in Thread Name 'fover_FSM_thread'

CSCwj88400

FTD may traceback and reload in process name lina while processing appAgent msg reply

CSCwj89050

Faulty input validation in the core of Apache allows malicious or expl

CSCwj89051

In GNU tar before 1.35, mishandled extension attributes in a PAX archi

CSCwj89054

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of

CSCwj89264

FTD HA: Traceback and reload in netsnmp_oid_compare_ll

CSCwj89315

HTTP Response splitting in multiple modules in Apache HTTP Server allo

CSCwj89402

In the Linux kernel, the following vulnerability has been resolved: n

CSCwj89404

In the Linux kernel, the following vulnerability has been resolved: b

CSCwj89406

In the Linux kernel, the following vulnerability has been resolved: b

CSCwj89417

In the Linux kernel, the following vulnerability has been resolved: d

CSCwj89425

In the Linux kernel, the following vulnerability has been resolved: B

CSCwj89432

HTTP/2 incoming headers exceeding the limit are temporarily buffered i

CSCwj89434

wall in util-linux through 2.40, often installed with setgid tty permi

CSCwj89445

The iconv() function in the GNU C Library versions 2.39 and older may

CSCwj89447

less through 653 allows OS command execution via a newline character i

CSCwj90826

Snort2 SSL decryption with known key fails on Chrome v124 and above.

CSCwj93921

ASA after upgrade to 9.18.4.24 not able to save config with error: "Configuration line too long"

CSCwj95322

disable stat check for file

CSCwj95590

Browser redirects to logon page when the user clicks the WebVPN bookmark

CSCwk00604

ASA Fails to initiate AAA Authentication with IKEv2-EAP and Windows Native VPN Client

CSCwk02332

Snort2 - SSL decryption failing and some websites not loading on Chrome v124+

CSCwk02804

WebVPN connections stuck in CLOSEWAIT state

CSCwk02928

ASA/FTD may traceback and reload in Thread Name PTHREAD

CSCwk04290

FPR 21xx - Traceback in Process Name: lina-mps during normal operations

CSCwk04492

ASA CLI hangs with 'show run' with multiple ssh sessions

CSCwk05800

ASA/FTD SNMP polling fails due to overlapping networks in snmp-server host-group

CSCwk05826

nscd: Stack-based buffer overflow in netgroup cache If the Name Servi

CSCwk05828

nscd: netgroup cache may terminate daemon on memory allocation failure

CSCwk05851

"set ip next-hop" line deleted from config at reload if IP address is matched to a NAME

CSCwk06564

Add New Syslog for Routes for NP add/delete

CSCwk06573

Serviceability : Improve routing infra debugs and add new ones for error conditions

CSCwk07934

Clock skew between FXOS and Lina causes SAML assertion processing failure

CSCwk08241

FTD is not resolving FQDN for ACLs intermittently

CSCwk08476

FTD/ASA traceback and reload due to 'show bgp summary' memory leak

CSCwk08576

command to print the debug menu setting of service worker

CSCwk10884

Connectivity failure due to mismatch between l2_table and subinterface mac address

CSCwk11983

High LINA CPU observed due to NetFlow due to 'flow-export delay flow-create' configuration

CSCwk12497

Traceback and reload on active unit due to HA break operation.

CSCwk12673

TCP Session Interrupted if Keep-Alive with 1 Byte is Received

CSCwk12698

SNMP polling of admin context mgmt interface fails to show all interfaces across all contexts

CSCwk13631

Traceback and reload during FTD upgrade due to FQDN network object NAT

CSCwk13812

ASA/FTD incorrectly forwards extended community attribute after upgrade.

CSCwk14685

FTD : Management interface showing down despite being up and operational

CSCwk14909

Traffic drop with 'rule-transaction-in-progress' after failover with TCM cfgd in multi-ctx mode

CSCwk17637

State Link Stops Sending Hello Messages Post-Failover Triggered by Snort traceback in FTD HA

CSCwk17854

FTD doesn't send Type A query after receiving a refuse error from one DNS server in AAAA query.

CSCwk20823

High Snort3 CPU as encrypted traffic isn't allow-listed when TSID enabled

CSCwk20882

ESP sequence number of 0 being sent after SA establishment/rekey

CSCwk21561

Add warning message when configuring CCL MTU

CSCwk22034

Snmpwalk displays incorrect interface speeds for values greater than or equal to 10G

CSCwk22574

Remove SGT frames/packets to allow VTI decryption

CSCwk22759

Issue with Setting Certain Timezones (e.g. GMT+1) on Cisco ASA Firepower in Appliance Mode

CSCwk22993

In the Linux kernel, the following vulnerability has been resolved: t

CSCwk24176

FTD/ASA - VPN traffic flowing through the device may trigger tracebacks and reloads.

CSCwk25117

ENH: Add application support for blocking consecutive AAA failures on LINA

CSCwk25755

In the Linux kernel, the following vulnerability has been resolved: n

CSCwk25756

Requests is a HTTP library. Prior to 2.32.0, when making requests thro

CSCwk25759

In the Linux kernel, the following vulnerability has been resolved: B

CSCwk25761

In the Linux kernel, the following vulnerability has been resolved: b

CSCwk25762

In the Linux kernel, the following vulnerability has been resolved: i

CSCwk25764

In the Linux kernel, the following vulnerability has been resolved: H

CSCwk26968

Backup feature does not save/restore DAP configuration in multiple context mode.

CSCwk27175

ASA/FTD: Substantial increase in the time taken to load configuration

CSCwk27830

ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwk27965

Safety Net for Infinite Recursion Crashes due to Bad Stream TCP State in Post-ACK mode

CSCwk31371

NAT_HARDEN: CGNAT breaks when mapped ifc is configured as any

CSCwk32501

256/1550 block depletion process fover_thread

CSCwk35710

FTD/LINA may traceback and reload when "show capture" command is executed in EEM script

CSCwk36312

High cpu on "update block depletion" causing BGP flap terminated on FTD

CSCwk39974

Umbrella registration status is not synced to newly added data nodes

CSCwk40726

FMC REST API calls to get AC policy data times out, AC policy GUI slowness with larger rule query

CSCwk41065

Product Upgrades page showing 'Unknown Family 66' for FMC upgrade packages

CSCwk44245

In the Linux kernel, the following vulnerability has been resolved: i

CSCwk44246

In the Linux kernel, the following vulnerability has been resolved: i

CSCwk45975

TLS1.3 Decryption configuration on SSL policy is affecting DND traffic.

CSCwk48975

Packet-tracer output incorrectly appends 'control-plane' to drops for data-plane access-group

CSCwk50044

The various Is methods (IsPrivate, IsLoopback, etc) did not work as ex

CSCwk50055

url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo

CSCwk56388

GRE traffic getting dropped after failover

CSCwk56443

Network address API calls taking long time to complete

CSCwk57933

Vulnerabilities in linux-kernel CVE-2023-52439

CSCwk57949

Vulnerabilities in linux-kernel CVE-2023-52435

CSCwk59458

21xx: debug log process hangs preventing recovery from stuck writing operations

CSCwk61157

FTD LINA Traceback and Reload dhcp_daemon Thread

CSCwk62297

Evaluation of ssp for OpenSSH regreSSHion vulnerability

CSCwk62381

ASA might traceback and reload due to ssh/client hitting a null pointer while using SCP.

CSCwk63733

HA-monitored interfaces are going into "waiting" state and subsequently to "Failed"

CSCwk64418

NTP is not synchronising when using SHA-1 authentication

CSCwk64709

FXOS upgrade failure due to insufficient free space in /mnt/pss (isan.log consumes most of space)

CSCwk68759

Split brain issue in HA failover due to which outage happened on customer network

CSCwk71866

ASA: Site-to-Site VPN between contexts on the same device drops traffic due to 'ipsec-tun-down'

CSCwk71992

BlastRADIUS vulnerability phase-1 fix for pix-asa - Message Authenticator

CSCwk75030

The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/

CSCwk75033

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause inva

CSCwk75035

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul

CSCwk75036

null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and

CSCwk75956

ASA/FTD may traceback and reload in Thread Name SSH

CSCwk76142

ASA crashing in thread PIX Garbage Collector with inspect-rtsp enabled.

CSCwk77241

Traffic outage due to 9k block depletion (tcpmod proc) observed on FPR 3100 (HA)

CSCwk87457

ASA/FTD may traceback and reload in Process Name "lina" after device was reloaded

CSCwk88182

FTDv50 traceback during normal operation at PTHREAD-8141 spin_lock_fair_mode_enqueue

CSCwk89836

ASA/FTD may traceback and reload in Thread Name 'strlen'

CSCwk90679

Radius Authentication test fails due to missing radclient command

CSCwk94382

FTD: Lina might fail to respond to CONFIG_XML_REQUEST leading to stuck deployments

CSCwk98990

Large number of stats files can cause events to be delayed

CSCwm01544

Lina traceback and reload in data-path thread

CSCwm02801

Unstable HA causing deployment failure

CSCwm04650

Increased memory usage leading to tracebacks in Lina.

CSCwm05155

Snort AppID incorrectly identifies SSH traffic as Unknown

CSCwm05520

Disable cluster syn cookie decoding when FTD cluster is deployed with inline-set

CSCwm07389

CGroups errors in ASA Syslog during every reboot

CSCwm12434

Readiness check should be in place for larger undo/ibdata log files

CSCwm12751

In the Linux kernel, the following vulnerability has been resolved: a

CSCwm12757

In the Linux kernel, the following vulnerability has been resolved: t

CSCwm12909

An issue was discovered in the C AMQP client library (aka rabbitmq-c)

CSCwm13141

FTD CLISH/CLI gets locked up when trying to run any show command

CSCwm13199

SIP traffic is affected due to unexpected behavior with NAT untranslations.

CSCwm14509

Wrong drops seen with Invalid length for 23, 24 and 25 IE-Types during GTP inspection

CSCwm14561

ASA/FTD may traceback and reload in Thread Name 'fover_parse'

CSCwm14729

HW: 3110 not rebooting after power outage, requiring manual power cycle

CSCwm29469

FMC GUI has a limitation to display only 50 SSH rules for FTD (Under platform settings >> SSH)

CSCwm31193

Events or stats are missing after EventHandler logs "Error loading input module"

CSCwm36646

FMC upgrade results in standby FTDv losing its performance tier in FTD HA

CSCwm42745

Dynamic Site-to-Site tunnels stuck in IN-NEG state When IKE_AUTH Is Missed

Resolved Bugs in Version 7.2.8.1

Table last updated: 2024-08-26

Table 21. Resolved Bugs in Version 7.2.8.1

Bug ID

Headline

CSCwk62296

Address SSP OpenSSH regreSSHion vulnerability

Resolved Bugs in Version 7.2.8

Table last updated: 2024-06-24

Table 22. Resolved Bugs in Version 7.2.8

Bug ID

Headline

CSCwh83021

ASA/FTD HA pair EIGRP routes getting flushed after failover

CSCwj86116

High LINA CPU observed due to NetFlow configuration

CSCwj86341

Threat Defense Upgrade wizard is unable to initiate hotfix installation on FTD clusters

Resolved Bugs in Version 7.2.7

Table last updated: 2024-04-29

Table 23. Resolved Bugs in Version 7.2.7

Bug ID

Headline

CSCwi63113

FTD Boot Loop with SNMP Enabled after reload/upgrade

Resolved Bugs in Version 7.2.6

Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. The bugs listed here are also fixed in Version 7.2.7.

Table last updated: 2024-04-22

Table 24. Additional Resolved Bugs in Version 7.2.6-168 (Management Center Only)

Bug ID

Headline

CSCwj66339

OGO changing the order of custom object group contents causing an outage at static NAT

Table last updated: 2024-07-26

Table 25. Resolved Bugs in Version 7.2.6-167 (All Platforms)

Bug ID

Headline

CSCvg00130