Cisco Secure Firewall Threat Defense Release Notes

This document contains release information for Version 7.2 of:

  • Cisco Secure Firewall Threat Defense

  • Cisco Secure Firewall Management Center (on-prem)

  • Cisco Secure Firewall device manager

Release Dates

Table 1. Version 7.2 Dates

Version   Build   Date         Platforms
7.2.7     500     2024-04-29   All
7.2.6     168     2024-04-22   No longer available.
          167     2024-03-19   No longer available.
7.2.5.2   4       2024-05-06   All
7.2.5.1   29      2023-11-14   All
7.2.5     208     2023-07-27   All
7.2.4.1   43      2023-07-27   All
7.2.4     169     2023-05-10   Management center
          165     2023-05-03   Devices
7.2.3.1   13      2023-04-18   Management center
7.2.3     77      2023-02-27   All
7.2.2     54      2022-11-29   All
7.2.1     40      2022-10-03   All
7.2.0.1   12      2022-08-10   All
7.2.0     82      2022-06-06   All

Features

This document describes the new and deprecated features for Version 7.2.

For earlier releases, see Cisco Secure Firewall Management Center New Features by Release and Cisco Secure Firewall Device Manager New Features by Release.

Upgrade Impact

A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part; this is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade; for example, if you must change a configuration.

The feature descriptions below include upgrade impact where appropriate. For a more complete list of features with upgrade impact by version, see Upgrade Impact Features.

Snort

Snort 3 is the default inspection engine for threat defense. Snort 3 features for management center deployments also apply to device manager, even if they are not listed as new device manager features. However, keep in mind that the management center may offer more configurable options than device manager.


Important


If you are still using the Snort 2 inspection engine, switch to Snort 3 now for improved detection and performance. Snort 2 will be deprecated in a future release and will eventually prevent threat defense upgrade.


Intrusion Rules and Keywords

Upgrades can import and auto-enable new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU/LSP. After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.

For details on new keywords, see the Snort release notes: https://www.snort.org/downloads.

FlexConfig

Upgrades can add web interface or Smart CLI support for features that previously required FlexConfig. The upgrade does not convert FlexConfigs. After upgrade, configure the newly supported features in the web interface or Smart CLI. When you are satisfied with the new configuration, delete the deprecated FlexConfigs.

The feature descriptions below include information on deprecated FlexConfigs when appropriate. For a full list of deprecated FlexConfigs, see your configuration guide.


Caution


Although you cannot newly assign or create FlexConfig objects using deprecated commands, in most cases existing FlexConfigs continue to work and you can still deploy. However, sometimes, using deprecated commands can cause deployment issues.


Management Center Features in Version 7.2.7

This release introduces stability, hardening, and performance enhancements. See Resolved Bugs in Version 7.2.7.

Management Center Features in Version 7.2.6


Note


Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. The features listed here are also available in Version 7.2.7.


Table 2. Management Center Features in Version 7.2.6

Each entry gives the feature, the minimum Management Center version, the minimum Threat Defense version, and details.

Reintroduced Features

Updated web analytics provider.

Minimum Management Center: 7.0.6, 7.2.6, 7.4.1

Minimum Threat Defense: Any

Upgrade impact. Your browser connects to new resources.

While using the management center, your browser now contacts Amplitude (amplitude.com) instead of Google (google.com) for web analytics.

Version restrictions: Amplitude analytics are not supported in management center Version 7.0.0–7.0.5, 7.1.0–7.2.5, 7.3.x, or 7.4.0. Permanent support returns in Version 7.4.1. If you upgrade from a supported version to an unsupported version, your browser resumes contacting Google.

Interfaces

Configure DHCP relay trusted interfaces from the management center web interface.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

Upgrade impact. Redo any related FlexConfigs after upgrade.

You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. These settings override any existing FlexConfigs that do the same thing; remove those FlexConfigs once the web interface configuration is in place.

DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the threat defense DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address that is set by the relay agent before it forwards the packet to the server) is set to 0, then threat defense will drop that packet by default. You can preserve Option 82 and forward the packet by identifying an interface as a trusted interface.

New/modified screens: Devices > Device Management > Add/Edit Device > DHCP > DHCP Relay

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version, redo your FlexConfigs.

See: Configure the DHCP Relay Agent
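The drop/forward rule described above, as an added Python example (not code from the release notes or from the threat defense software): it builds a constructed DHCPDISCOVER, parses the option area, and applies the rule "Option 82 already present while giaddr is still 0.0.0.0: drop unless the ingress interface is trusted". The packet builder, the sample Option 82 payload, and the circuit-id/remote-id values are assumptions made for this example.

```python
import ipaddress
import struct
from typing import Dict, Optional

# BOOTP/DHCP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes,
# followed by the 4-byte magic cookie and TLV-encoded options.
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 236
GIADDR_OFFSET = 24                         # byte offset of giaddr (after siaddr)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT_INFO = 82                  # RFC 3046
ZERO_ADDR = ipaddress.IPv4Address("0.0.0.0")


def build_discover(giaddr: str = "0.0.0.0", option82: Optional[bytes] = None) -> bytes:
    """Constructed DHCPDISCOVER for this example (not a captured packet)."""
    header = struct.pack(
        HEADER_FMT,
        1, 1, 6, 0,                          # BOOTREQUEST, Ethernet, hlen 6, hops 0
        0x3903F326, 0, 0x8000,               # xid, secs, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4,     # ciaddr, yiaddr, siaddr
        ipaddress.IPv4Address(giaddr).packed,
        bytes.fromhex("001122334455").ljust(16, b"\0"),   # chaddr (assumed MAC)
        b"\0" * 64, b"\0" * 128,             # sname, file
    )
    opts = bytes([OPT_MESSAGE_TYPE, 1, 1])   # message type: DHCPDISCOVER
    if option82 is not None:
        opts += bytes([OPT_RELAY_AGENT_INFO, len(option82)]) + option82
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area: PAD is a single byte, END terminates."""
    if packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: bad magic cookie")
    opts: Dict[int, bytes] = {}
    i = HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def giaddr_of(packet: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])


def relay_decision(packet: bytes, ingress_trusted: bool) -> str:
    """Return 'forward' or 'drop' following the rule in the release note.

    Option 82 is normally inserted by a relay, which also fills in giaddr.
    Option 82 with giaddr still 0.0.0.0 therefore means something on the
    client side inserted it: a switch doing DHCP snooping, or a host forging
    a circuit-id. Drop it unless the ingress interface is marked trusted.
    """
    if OPT_RELAY_AGENT_INFO in parse_options(packet) and giaddr_of(packet) == ZERO_ADDR:
        return "forward" if ingress_trusted else "drop"
    return "forward"


# Constructed Option 82 payload: sub-option 1 (circuit-id) and 2 (remote-id).
SAMPLE_OPTION82 = bytes([1, 4]) + b"eth1" + bytes([2, 3]) + b"sw1"

if __name__ == "__main__":
    pkt = build_discover(option82=SAMPLE_OPTION82)
    print("untrusted ingress:", relay_decision(pkt, ingress_trusted=False))  # drop
    print("trusted ingress:  ", relay_decision(pkt, ingress_trusted=True))   # forward
```

Mark an interface as trusted only when it faces your own DHCP-snooping switch or relay. A trusted interface that faces clients lets any host forge the circuit-id and remote-id that downstream DHCP snooping and IP Source Guard rely on.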

NAT

Create network groups while editing NAT rules.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

You can now create network groups in addition to network objects while editing a NAT rule.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Customizing NAT Rules for Multiple Devices

High Availability/Scalability

Reduced "false failovers" for threat defense high availability.

Minimum Management Center: 7.2.6, 7.4.0

Minimum Threat Defense: 7.2.6, 7.4.0

Other version restrictions: Not supported with management center or threat defense Version 7.3.x.

See: Heartbeat Module Redundancy

Single backup file for high availability management centers.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

When performing a configuration-only backup of the active management center in a high availability pair, the system now creates a single backup file which you can use to restore either unit.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Unified Backup of Management Centers in High Availability

Event Logging & Analysis

Open the packet tracer from the unified event viewer.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

You can now open the packet tracer from the unified event view (Analysis > Unified Events). Click the ellipsis icon (...) next to the desired event and click Open in Packet Tracer.

Other version restrictions: In Version 7.2.x, use the Expand (>) icon instead of the ellipsis icon. Not supported with management center Version 7.3.x or 7.4.0.

See: Working with the Unified Event Viewer

Health Monitoring

Health alerts for excessive disk space used by deployment history (rollback) files.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

Upgrade impact. Deploy management center health policy after upgrade.

The Disk Usage health module now alerts if deployment history (rollback) files are using excessive disk space on the management center.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Disk Usage for Device Configuration History Files Health Alert

Health alerts for NTP sync issues.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

Upgrade impact. Deploy management center health policy after upgrade.

A new Time Server Status health module reports issues with NTP synchronization.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Time Synchronization and Health Modules

Deployment and Policy Management

View and generate reports on configuration changes since your last deployment.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

You can generate, view, and download (as a zip file) the following reports on configuration changes since your last deployment:

  • A policy changes report for each device that previews the additions, changes, or deletions in the policy, or the objects that are to be deployed on the device.

  • A consolidated report that categorizes each device based on the status of policy changes report generation.

This is especially useful after you upgrade either the management center or threat defense devices, so that you can see the changes made by the upgrade before you deploy.

New/modified screens: Deploy > Advanced Deploy.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Download Policy Changes Report for Multiple Devices

Set the number of deployment history files to retain for device rollback.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

You can now set the number of deployment history files to retain for device rollback, up to ten (the default). This can help you save disk space on the management center.

New/modified screens: Deploy > Deployment History (deployment history icon) > Deployment Setting > Configuration Version Setting

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Set the Number of Configuration Versions

Upgrade

Improved upgrade starting page and package management.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

A new upgrade page makes it easier to choose, download, manage, and apply upgrades to your entire deployment. This includes the management center, threat defense devices, and any older NGIPSv/ASA FirePOWER devices. The page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. You can easily choose and direct-download packages from Cisco, as well as manually upload and delete packages.

Internet access is required to retrieve the list of available upgrade packages and to direct-download them. Without it, you are limited to manual package management. Patches are not listed unless you have at least one appliance at the appropriate maintenance release (or you manually uploaded the patch). You must manually upload hotfixes.

New/modified screens:

  • System (system gear icon) > Product Upgrades is now where you upgrade the management center and all managed devices, as well as manage upgrade packages.

  • System (system gear icon) > Content Updates is now where you update intrusion rules, the VDB, and the GeoDB.

  • Devices > Threat Defense Upgrade takes you directly to the threat defense upgrade wizard.

  • System (system gear icon) > Users > User Role > Create User Role > Menu-Based Permissions allows you to grant access to Content Updates (VDB, GeoDB, intrusion rules) without allowing access to Product Upgrades (system software).

Deprecated screens/options:

  • System (system gear icon) > Updates is deprecated. All threat defense upgrades now use the wizard.

  • The Add Upgrade Package button on the threat defense upgrade wizard has been replaced by a Manage Upgrade Packages link to the new upgrade page.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Enable revert from the threat defense upgrade wizard.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any, if upgrading to 7.1+

You can now enable revert from the threat defense upgrade wizard.

Other version restrictions: You must be upgrading threat defense to Version 7.1+. Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Select devices to upgrade from the threat defense upgrade wizard.

Minimum Management Center: 7.2.6

Minimum Threat Defense: Any

You can now use the threat defense upgrade wizard to select or refine the devices to upgrade. On the wizard, you can toggle the view between selected devices, remaining upgrade candidates, ineligible devices (with reasons why), devices that need the upgrade package, and so on. Previously, you could only use the Device Management page and the process was much less flexible.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

View detailed upgrade status from the threat defense upgrade wizard.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

The final page of the threat defense upgrade wizard now allows you to monitor upgrade progress. This is in addition to the existing monitoring capability on the Upgrade tab on the Device Management page, and on the Message Center. Note that as long as you have not started a new upgrade flow, Devices > Threat Defense Upgrade brings you back to this final wizard page, where you can view the detailed status for the current (or most recently complete) device upgrade.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Unattended threat defense upgrades.

Minimum Management Center: 7.2.6

Minimum Threat Defense: Any

The threat defense upgrade wizard now supports unattended upgrades, using a new Unattended Mode menu. You just need to select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Simultaneous threat defense upgrade workflows by different users.

Minimum Management Center: 7.2.6

Minimum Threat Defense: Any

We now allow simultaneous upgrade workflows by different users, as long as you are upgrading different devices. The system prevents you from upgrading devices already in someone else's workflow. Previously, only one upgrade workflow was allowed at a time across all users.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Skip pre-upgrade troubleshoot generation for threat defense devices.

Minimum Management Center: 7.2.6

Minimum Threat Defense: Any

You can now skip the automatic generating of troubleshooting files before major and maintenance upgrades by disabling the new Generate troubleshooting files before upgrade begins option. This saves time and disk space.

To manually generate troubleshooting files for a threat defense device, choose System (system gear icon) > Health > Monitor, click the device in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Suggested release notifications.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

The management center now notifies you when a new suggested release is available. If you don't want to upgrade right now, you can have the system remind you later, or defer reminders until the next suggested release. The new upgrade page also indicates suggested releases.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Management Center New Features by Release

New upgrade wizard for the management center.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

A new upgrade starting page and wizard make it easier to perform management center upgrades. After you use System (system gear icon) > Product Upgrades to get the appropriate upgrade package onto the management center, click Upgrade to begin.

Other version restrictions: Only supported for management center upgrades from Version 7.2.6+/7.4.1+. Not supported for upgrades from Version 7.3.x or 7.4.0.

To upgrade the management center to any version, see the upgrade guide for the version your management center is currently running: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center. If you are running Version 7.4.0, use the Version 7.3.x guide.

Hotfix high availability management centers without pausing synchronization.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

Unless otherwise indicated by the hotfix release notes or Cisco TAC, you do not have to pause synchronization to install a hotfix on high availability management centers.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Administration

Updated internet access requirements for direct-downloading software upgrades.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

Upgrade impact. The system connects to new resources.

The management center has changed its direct-download location for software upgrade packages from sourcefire.com to amazonaws.com.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Internet Access Requirements

Scheduled tasks download patches and VDB updates only.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

Upgrade impact. Scheduled download tasks stop retrieving maintenance releases.

The Download Latest Update scheduled task no longer downloads maintenance releases; now it only downloads the latest applicable patches and VDB updates. To direct-download maintenance (and major) releases to the management center, use System (system gear icon) > Product Upgrades.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Software Update Automation

Download only the country code geolocation package.

Minimum Management Center: 7.2.6, 7.4.0

Minimum Threat Defense: Any

Upgrade impact. Upgrading can delete the IP package.

In Version 7.2.6+/7.4.0+, you can configure the system to download only the country code package of the geolocation database (GeoDB), which maps IP addresses to countries/continents. The larger IP package with contextual data is now optional.

IP package download is:

  • Version 7.2.0–7.2.5: Always enabled.

  • Version 7.2.6–7.2.x: Disabled by default, but you can enable it.

  • Version 7.3.x: Always enabled.

  • Version 7.4.0–7.4.1: Enabled by default, but you can disable it.

The first time you upgrade to any version where download is disabled by default, the system disables download and deletes any existing IP package. Without the IP package, you cannot view contextual geolocation data for IP addresses until you manually enable the option and update the GeoDB.

New/modified screens:

  • Version 7.2.6/7.4.1: System (system gear icon) > Content Updates > Geolocation Updates

  • Version 7.4.0: System (system gear icon) > Updates > Geolocation Updates

See: Update the Geolocation Database

Usability, Performance, and Troubleshooting

Enable/disable access control object optimization.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

You can now enable and disable access control object optimization from the management center web interface.

New/modified screens: System (system gear icon) > Configuration > Access Control Preferences > Object Optimization

Other version restrictions: Access control object optimization is automatically enabled on all management centers upgraded or reimaged to Versions 7.2.4–7.2.5 and 7.4.0, and automatically disabled on all management centers upgraded or reimaged to Version 7.3.x. It is configurable and enabled by default for management centers reimaged to Version 7.2.6+/7.4.1+, but respects your current setting when you upgrade to those releases.

See: Access Control Preferences

Cluster control link ping tool.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

You can check to make sure all the cluster nodes can reach each other over the cluster control link by performing a ping. One major cause for the failure of a node to join the cluster is an incorrect cluster control link configuration; for example, the cluster control link MTU may be set higher than the connecting switch MTUs.

New/modified screens: Devices > Device Management > More (more icon) > Cluster Live Status

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

Snort 3 restarts when it uses too much memory, which can trigger HA failover.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: 7.2.6 with Snort 3, 7.4.1 with Snort 3

To improve continuity of operations, excessive memory use by Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process uses too much memory. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.)

This feature is enabled by default. You can use the CLI to disable it, or configure the memory threshold.

Platform restrictions: Not supported with clustered devices.

New/modified CLI commands: configure snort3 memory-monitor, show snort3 memory-monitor-status

Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Command Reference

Set the frequency of Snort 3 core dumps.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: 7.2.6 with Snort 3, 7.4.1 with Snort 3

You can now set the frequency of Snort 3 core dumps. Instead of generating a core dump every time Snort crashes, you can generate one the next time Snort crashes only. Or, generate one if a crash has not occurred in the last day, or week.

Snort 3 core dumps are disabled by default for standalone devices. For high availability and clustered devices, the default frequency is now once per day instead of every time.

New/modified CLI commands: configure coredump snort3, show coredump

Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Command Reference

Capture dropped packets with the Secure Firewall 3100/4200.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: 7.2.6 (no 4200), 7.4.1

Packet losses resulting from MAC address table inconsistencies can impact your debugging capabilities. The Secure Firewall 3100/4200 can now capture these dropped packets.

New/modified CLI commands: capture, with the new drop {disable | mac-filter} keyword.

Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Command Reference

Deprecated Features

Deprecated: DHCP relay trusted interfaces with FlexConfig.

Minimum Management Center: 7.2.6, 7.4.1

Minimum Threat Defense: Any

Upgrade impact. Redo any related FlexConfigs after upgrade.

You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. These settings override any existing FlexConfigs that do the same thing; remove those FlexConfigs once the web interface configuration is in place.

Other version restrictions: This feature is not supported with management center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version, also redo your FlexConfigs.

See: Configure the DHCP Relay Agent

Management Center Features in Version 7.2.5

Table 3. Management Center Features in Version 7.2.5

Each entry gives the feature, the minimum Management Center version, the minimum Threat Defense version, and details.

Interfaces

Management center detects interface sync errors.

Minimum Management Center: 7.2.5, 7.4.1

Minimum Threat Defense: Any

Upgrade impact. You may need to sync interfaces after upgrade.

In some cases, the management center can be missing a configuration for an interface even though the interface is correctly configured and functioning on the device. If this happens, and your management center is running:

  • Version 7.2.5: Deploy is blocked until you edit the device and sync from the Interfaces page.

  • Version 7.2.6+/7.4.1+: Deploy is allowed with a warning, but you cannot edit interface settings without syncing first.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. The management center will neither block deploy nor warn you of missing configurations. You can still sync interfaces manually if you think you are having an issue.

Management Center Features in Version 7.2.4

Table 4. Management Center Features in Version 7.2.4

Each entry gives the feature, the minimum Management Center version, the minimum Threat Defense version, and details.

Default Forward Error Correction (FEC) on Secure Firewall 3100 fixed ports changed to Clause 108 RS-FEC from Clause 74 FC-FEC for 25-Gbps and faster SR, CSR, and LR transceivers.

Minimum Management Center: 7.2.4

Minimum Threat Defense: Any

When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the default type is now Clause 108 RS-FEC instead of Clause 74 FC-FEC for 25-Gbps and faster SR, CSR, and LR transceivers.

See: Interface Overview.

Automatically update CA bundles.

Minimum Management Center: 7.0.5, 7.1.0.3, 7.2.4

Minimum Threat Defense: 7.0.5, 7.1.0.3, 7.2.4

Upgrade impact. The system now connects to Cisco to retrieve CA certificate updates.

The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature.

New/modified CLI commands: configure cert-update auto-update, configure cert-update run-now, configure cert-update test, show cert-update

Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco.

See: Firepower Management Center Command Line Reference and Cisco Secure Firewall Threat Defense Command Reference

Access control performance improvements (object optimization).

Minimum Management Center: 7.2.4

Minimum Threat Defense: Any

Upgrade impact. First deployment after management center upgrade to 7.2.4–7.2.5 or 7.4.0 can take a long time and increase CPU use on managed devices.

Access control object optimization improves performance and consumes fewer device resources when you have access control rules with overlapping networks. The optimizations occur on the managed device on the first deploy after the feature is enabled on the management center (including if it is enabled by an upgrade). If you have a high number of rules, the system can take several minutes to an hour to evaluate your policies and perform object optimization. During this time, you may also see higher CPU use on your devices. A similar thing occurs on the first deploy after the feature is disabled (including if it is disabled by upgrade). After this feature is enabled or disabled, we recommend you deploy when it will have the least impact, such as a maintenance window or a low-traffic time.

New/modified screens (requires Version 7.2.6): System (system gear icon) > Configuration > Access Control Preferences > Object-group optimization.

Other version restrictions: Not supported with management center Version 7.3.x.
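The release note says the optimization matters when access control rules contain overlapping networks. As an added illustration of why (not code from the release notes, and not the management center's own optimization, which the page does not describe), the Python below counts the (source, destination) pairs a rule expands to when every network object is emitted separately, then collapses networks that are contained in or adjacent to others with the standard library's ipaddress.collapse_addresses and counts again. The sample rule and its CIDRs are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


def parse_nets(cidrs: Iterable[str]) -> List[Net]:
    """Parse CIDR strings; strict=False tolerates host bits set in an object."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def collapse(nets: Iterable[Net]) -> List[Net]:
    """Drop networks already covered by a wider one and merge adjacent pairs.
    10.1.2.0/24 disappears under 10.0.0.0/8; 192.168.0.0/24 + 192.168.1.0/24
    become 192.168.0.0/23."""
    return list(ipaddress.collapse_addresses(nets))


def expanded_entries(src: List[Net], dst: List[Net]) -> int:
    """Entries one rule needs when every (source, destination) pair is emitted."""
    return len(src) * len(dst)


def overlap_report(src_cidrs: Iterable[str],
                   dst_cidrs: Iterable[str]) -> Tuple[int, int, List[str]]:
    """Return (entries before, entries after, networks absorbed by collapsing)."""
    src, dst = parse_nets(src_cidrs), parse_nets(dst_cidrs)
    csrc, cdst = collapse(src), collapse(dst)
    absorbed = [str(n) for n in src + dst if n not in csrc and n not in cdst]
    return expanded_entries(src, dst), expanded_entries(csrc, cdst), absorbed


# Constructed rule: a policy author added subnets that are already inside
# wider networks, plus two adjacent /24s that form a /23.
SAMPLE_SRC = ["10.0.0.0/8", "10.1.0.0/16", "10.1.2.0/24",
              "192.168.0.0/24", "192.168.1.0/24"]
SAMPLE_DST = ["172.16.0.0/12", "172.16.5.0/24", "172.20.0.0/16"]

if __name__ == "__main__":
    before, after, absorbed = overlap_report(SAMPLE_SRC, SAMPLE_DST)
    print(f"entries before: {before}, after: {after}")   # 15, 2
    print("absorbed networks:", ", ".join(absorbed))
```

Run it over the source and destination objects of your largest rules before the first post-upgrade deploy: rules with many absorbed networks are the ones where the first deployment will spend its time, which is the point of the maintenance-window recommendation above.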

Smaller VDB for lower memory Snort 2 devices.

Minimum Management Center: 6.4.0.17, 7.0.6, 7.2.4, 7.3.1.1, 7.4.0

Minimum Threat Defense: Any with Snort 2

Upgrade impact. Application identification on lower memory devices is affected.

For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB.

Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X

Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641.

Management Center Features in Version 7.2.3

Table 5. Management Center Features in Version 7.2.3

Each entry gives the feature, the minimum Management Center version, the minimum Threat Defense version, and details.

Firepower 1010E.

Minimum Management Center: 7.2.3.1, 7.3.1.1

Minimum Threat Defense: 7.2.3

We introduced the Firepower 1010E, which does not support power over Ethernet (PoE). Do not use a Version 7.2.3 or Version 7.3.0 management center to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version 7.3.1.1+ management center.

Version restrictions: These devices do not support Version 7.3.x or 7.4.0. Support returns in Version 7.4.1.

See: Regular Firewall Interfaces

Management Center Features in Version 7.2.2

This release introduces stability, hardening, and performance enhancements. See Resolved Bugs in Version 7.2.2.

Management Center Features in Version 7.2.1

Table 6. Management Center Features in Version 7.2.1

Each entry gives the feature, the minimum Management Center version, the minimum Threat Defense version, and details.

Hardware bypass ("fail-to-wire") network modules for the Secure Firewall 3100.

Minimum Management Center: 7.2.1

Minimum Threat Defense: 7.2.1

We introduced these hardware bypass network modules for the Secure Firewall 3100:

  • 6-port 1G SFP Hardware Bypass Network Module, SX (multimode) (FPR-X-NM-6X1SX-F)

  • 6-port 10G SFP Hardware Bypass Network Module, SR (multimode) (FPR-X-NM-6X10SR-F)

  • 6-port 10G SFP Hardware Bypass Network Module, LR (single mode) (FPR-X-NM-6X10LR-F)

  • 6-port 25G SFP Hardware Bypass Network Module, SR (multimode) (FPR-X-NM-X25SR-F)

  • 6-port 25G Hardware Bypass Network Module, LR (single mode) (FPR-X-NM-6X25LR-F)

  • 8-port 1G Copper Hardware Bypass Network Module, RJ45 (copper) (FPR-X-NM-8X1G-F)

New/modified screens: Devices > Device Management > Interfaces > Edit Physical Interface

For more information, see Inline Sets and Passive Interfaces.

Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.

Minimum Management Center: 7.2.1

Minimum Threat Defense: 7.2.1

We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.

For more information, see Getting Started with Secure Firewall Threat Defense Virtual and KVM.

Management Center Features in Version 7.2.0

Table 7. Management Center Features in Version 7.2.0

Each entry gives the feature, the minimum Management Center version, the minimum Threat Defense version, and details.

Platform

Snapshots allow quick deploy of threat defense virtual for AWS and Azure.

Minimum Management Center: 7.2.0

Minimum Threat Defense: 7.2.0

You can now take a snapshot of a threat defense virtual for AWS or Azure instance, then use that snapshot to quickly deploy new instances. This feature also improves the performance of the autoscale solutions for AWS and Azure.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Analytics mode for cloud-managed threat defense devices.

Minimum Management Center: 7.2.0

Minimum Threat Defense: 7.0.3, 7.2.0

Concurrently with Version 7.2, we introduced the Cisco Cloud-delivered Firewall Management Center. The cloud-delivered Firewall Management Center uses the Cisco Defense Orchestrator (CDO) platform and unites management across multiple Cisco security solutions. We take care of feature updates.

On-prem hardware and virtual management centers running Version 7.2+ can "co-manage" cloud-managed threat defense devices, but for event logging and analytics purposes only. You cannot deploy policy to these devices from an on-prem management center.

New/modified screens:

  • When you add a cloud-managed device to an on-prem management center, use the new CDO Managed Device check box to specify that it is analytics-only.

  • View which devices are analytics-only on Devices > Device Management.

New/modified CLI commands: configure manager add, configure manager delete, configure manager edit, show managers

Version restrictions: Not supported with threat defense Version 7.1.

For more information, see Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator.

ISA 3000 support for shutting down.

Minimum Management Center: 7.2.0

Minimum Threat Defense: 7.2.0

Support returns for shutting down the ISA 3000. This feature was introduced in Version 7.0.2 but was temporarily deprecated in Version 7.1.

High Availability/Scalability

Clustering for threat defense virtual in both public and private clouds.

Minimum Management Center: 7.2.0

Minimum Threat Defense: 7.2.0

You can now configure clustering for the following threat defense virtual platforms:

  • Threat defense virtual for AWS: 16-node clusters

  • Threat defense virtual for GCP: 16-node clusters

  • Threat defense virtual for KVM: 4-node clusters

  • Threat defense virtual for VMware: 4-node clusters

New/modified screens:

  • Devices > Device Management > Add Cluster

  • Devices > Device Management > More menu

  • Devices > Device Management > Cluster

For more information, see Clustering for Threat Defense Virtual in a Public Cloud (AWS, GCP) or Clustering for Threat Defense Virtual in a Private Cloud (KVM, VMware).

Support for 16-node clusters.

7.2.0

7.2.0

You can now configure 16-node clusters for the following platforms:

  • Firepower 4100/9300

  • Threat defense virtual for AWS

  • Threat defense virtual for GCP

The Secure Firewall 3100 still only supports 8 nodes.

For more information, see Clustering for the Firepower 4100/9300 or Clustering for Threat Defense Virtual in a Public Cloud.

Autoscale for threat defense virtual for AWS gateway load balancers.

7.2.0

7.2.0

We now support autoscale for threat defense virtual for AWS gateway load balancers, using a CloudFormation template.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Autoscale for threat defense virtual for GCP.

7.2.0

7.2.0

Upgrade impact. Threat defense virtual for GCP cannot upgrade across Version 7.2.0.

We now support autoscale for threat defense virtual for GCP, by positioning a threat defense virtual instance group between a GCP internal load balancer (ILB) and a GCP external load balancer (ELB).

Version restrictions: Due to interface changes required to support this feature, threat defense virtual for GCP upgrades cannot cross Version 7.2.0. That is, you cannot upgrade to Version 7.2.0+ from Version 7.1.x and earlier. You must deploy a new instance and redo any device-specific configurations.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Interfaces

LLDP support for the Firepower 2100 and Secure Firewall 3100.

7.2.0

7.2.0

You can now enable Link Layer Discovery Protocol (LLDP) for Firepower 2100 and Secure Firewall 3100 series interfaces.

New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration > LLDP

New/modified commands: show lldp status, show lldp neighbors, show lldp statistics

For more information, see Interface Overview.

Pause frames for flow control for the Secure Firewall 3100.

7.2.0

7.2.0

If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue.

New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration > Network Connectivity

For more information, see Interface Overview.

Breakout ports for the Secure Firewall 3130 and 3140.

7.2.0

7.2.0

You can now configure four 10 GB breakout ports for each 40 GB interface on the Secure Firewall 3130 and 3140.

New/modified screens: Devices > Device Management > Chassis Operations

For more information, see Interface Overview.

Configure VXLAN from the management center web interface.

7.2.0

Any

Upgrade impact. Redo FlexConfigs after upgrade.

You can now use the management center web interface to configure VXLAN interfaces. A VXLAN acts as a Layer 2 virtual network over a Layer 3 physical network, stretching the Layer 2 network across it.

If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings.

New/modified screens:

  • Configure the VTEP source interface: Devices > Device Management > VTEP

  • Configure the VNI interface: Devices > Device Management > Interfaces > Add VNI Interface

For more information, see Regular Firewall Interfaces.

NAT

Enable, disable, or delete more than one NAT rule at a time.

7.2.0

Any

You can select multiple NAT rules and enable, disable, or delete them all at the same time. Enable and disable apply to manual NAT rules only, whereas delete applies to any NAT rule.

For more information, see Network Address Translation.

VPN

Certificate and SAML authentication for RA VPN connection profiles.

7.2.0

7.2.0

We now support certificate and SAML authentication for RA VPN connection profiles. You can authenticate a machine certificate or user certificate before a SAML authentication/authorization is initiated. This can be done using DAP certificate attributes along with user-specific SAML DAP attributes.

New/modified screens: You can now choose the Certificate & SAML option when choosing the authentication method for the connection profile in an RA VPN policy.

For more information, see Remote Access VPN.

Route-based site-to-site VPN with hub and spoke topology.

7.2.0

7.2.0

We added support for route-based site-to-site VPNs in a hub and spoke topology. Previously, that topology only supported policy-based (crypto map) VPNs.

New/modified screens: When you add a new VPN topology and choose Route Based (VTI), you can now also choose Hub and Spoke.

For more information, see Site-to-Site VPNs.

IPsec flow offload for the Secure Firewall 3100.

7.2.0

7.2.0

On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

For more information, see Site-to-Site VPNs.

Routing

Configure EIGRP from the management center web interface.

7.2.0

Any

Upgrade impact. Redo FlexConfigs after upgrade.

You can now use the management center web interface to configure EIGRP. Note that you can only enable EIGRP on interfaces belonging to the device's Global virtual router.

If you configured EIGRP with FlexConfig in a previous version, the system allows you to deploy post-upgrade, but also warns you to redo your EIGRP configurations in the web interface. When you are satisfied with the new configuration, you can delete the deprecated FlexConfig objects or commands. To help you with this process, we provide a command-line migration tool.

New/modified screens: Devices > Device Management > Routing > EIGRP

For more information, see EIGRP and Migrating FlexConfig Policies.

Virtual router support for the Firepower 1010.

7.2.0

7.2.0

You can now configure up to five virtual routers on the Firepower 1010.

For more information, see Virtual Routers.

Support for VTIs in user-defined virtual routers.

7.2.0

7.2.0

You can now assign virtual tunnel interfaces to user-defined virtual routers. Previously, you could only assign VTIs to Global virtual routers.

New/modified screens: Devices > Device Management > Routing > Virtual Router Properties

For more information, see Virtual Routers.

Policy-based routing with path monitoring.

7.2.0

7.2.0

You can now use path monitoring to collect performance metrics (RTT, jitter, packet loss, and MOS) for a device's egress interfaces. You can then use these metrics to determine the best path for policy-based routing.

New/modified screens:

  • Enable path monitoring and choose metrics to collect: Devices > Device Management > Interfaces > Path Monitoring

  • Use the new Interface Ordering option when you are adding a policy based route and specifying a forwarding action: Devices > Device Management > Routing > Policy Based Routing

  • Monitor path metrics in each device's health monitoring dashboard: System (system gear icon) > Health > Monitor > add dashboard > Interface - Path Metrics.

New/modified CLI commands: show policy route, show path-monitoring, clear path-monitoring

For more information, see Policy Based Routing.

Threat Intelligence

DNS-based threat intelligence from Cisco Umbrella.

7.2.0

Any

We now support DNS-based Security Intelligence using regularly updated information from Cisco Umbrella. You can use both a local DNS policy and an Umbrella DNS policy, for two layers of protection.

New/modified screens:

  • Configure connection to Umbrella: Integration > Other Integrations > Cloud Services > Cisco Umbrella Connection

  • Configure Umbrella DNS policy: Policies > DNS > Add DNS Policy > Umbrella DNS Policy

  • Associate Umbrella DNS policy with access control: Policies > Access Control > Edit Policy > Security Intelligence > Umbrella DNS Policy

For more information, see DNS Policies.

IP-based threat intelligence from Amazon GuardDuty.

7.2.0

Any

You can now handle traffic based on malicious IP addresses detected by Amazon GuardDuty, when integrated with management center virtual for AWS. The system consumes this threat intelligence via a custom Security Intelligence feed, or via a regularly updated network object group, which you can then use in your security policies.

For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Access Control and Threat Detection

Dynamic object management with:

  • Cloud-delivered Cisco Secure Dynamic Attributes Connector

  • On-prem Cisco Secure Dynamic Attributes Connector 2.0

7.2.0

Any

Concurrently with Version 7.2, we released the following updates to the Cisco Secure Dynamic Attributes Connector:

Bypass inspection or throttle elephant flows on Snort 3 devices.

7.2.0

7.2.0 with Snort 3

You can now detect and optionally bypass inspection or throttle elephant flows. By default, access control policies are set to generate an event when the system sees an unencrypted connection larger than 1 GB/10 sec; the rate limit is configurable.

For the Firepower 2100 series, you can detect elephant flows but not bypass inspection or throttle. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use Intelligent Application Bypass (IAB).

New/modified screens: We added Elephant Flow Settings to the access control policy's Advanced tab.

For more information, see Elephant Flow Detection.

Encrypted visibility engine enhancements.

7.2.0

7.2.0 with Snort 3

We made the following enhancements to the encrypted visibility engine (EVE):

  • EVE can detect the operating system used by the host, which is reported in events and the network map.

  • EVE can detect application traffic by assigning EVE processes that were identified with high confidence to applications, which you can then use in access control rules to control network traffic. (In Version 7.1, you could see EVE processes for connections, but you could not act on that knowledge.)

    To add additional assignments, create custom applications/custom application detectors. When adding a detection pattern to your custom detector, choose Encrypted Visibility Engine as the application. Then, specify the process name and confidence level.

  • EVE now works with QUIC traffic.

The following connection event fields have changed along with these enhancements:

TLS Fingerprint Process Name

is now

Encrypted Visibility Process Name

TLS Fingerprint Process Confidence Score

is now

Encrypted Visibility Process Confidence Score

TLS Fingerprint Malware Confidence

is now

Encrypted Visibility Threat Confidence

TLS Fingerprint Malware Confidence Score

is now

Encrypted Visibility Threat Confidence Score

Detection Type: TLS Fingerprint

is now

Detection Type: Encrypted Visibility

This feature now requires a Threat license.

For more information, see Access Control Policies and Application Detection.

TLS 1.3 inspection.

7.2.0

7.2.0 with Snort 3

We now support inspection of TLS 1.3 traffic.

New/modified screens: We added the Enable TLS 1.3 Decryption option to the Advanced Settings tab in SSL policies. Note that this option is disabled by default.

For more information, see SSL Policies.

Improved portscan detection.

7.2.0

7.2.0 with Snort 3

With an improved portscan detector, you can easily configure the system to detect or prevent portscans. You can refine the networks you want to protect, set the sensitivity, and so on. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use the network analysis policy for portscan detection.

New/modified screens: We added Threat Detection to the access control policy's Advanced tab.

For more information, see Threat Detection.

VBA macro inspection.

7.2.0

7.2.0 with Snort 3

We now support inspection of VBA (Visual Basic for Applications) macros in Microsoft Office documents, which is done by decompressing the macros and matching rules against the decompressed content.

By default, VBA macro decompression is disabled in all system-provided network analysis policies. To enable it, use the decompress_vba setting in the imap, smtp, http_inspect, and pop Snort 3 inspectors.

To configure custom intrusion rules to match against decompressed macros, use the vba_data option.

For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.
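
VBA module streams are stored in the MS-OVBA compression container, which is what decompress_vba has to undo before content matching can work. The following Python is an editor's example, not Snort's implementation: it decodes that container (and includes a small greedy encoder so the round trip can be observed), then shows what a vba_data content match amounts to; the module text and the hand-built byte vector are constructed for this example.

```python
import struct

# Constructed sample: a harmless VBA module body, as it looks once decompressed.
SAMPLE_MODULE = (b'Attribute VB_Name = "Module1"\r\nSub AutoOpen()\r\n'
                 b'    MsgBox "hello"\r\nEnd Sub\r\n')

# Hand-built container (constructed): signature 0x01, one compressed chunk holding
# the literals 'abc' and a copy token (offset 3, length 6) -> b"abcabcabc".
HANDMADE_CONTAINER = bytes.fromhex("01 05b0 08 616263 0320")


def _token_params(difference):
    """Bit split of a 16-bit copy token, where 'difference' is how many bytes of
    the current chunk are already decoded (MS-OVBA 2.4.1.3.19.1, integer form)."""
    bit_count = max((difference - 1).bit_length(), 4)  # == max(ceil(log2(d)), 4)
    length_mask = 0xFFFF >> bit_count
    return bit_count, length_mask, 0xFFFF ^ length_mask


def decompress(container):
    """Decode an MS-OVBA compressed container into the raw module bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("missing MS-OVBA signature byte 0x01")
    out, cur = bytearray(), 1
    while cur < len(container):
        header = struct.unpack_from("<H", container, cur)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(len(container), cur + (header & 0x0FFF) + 3)  # size incl. header
        chunk_start, cur = len(out), cur + 2
        if not header >> 15:                       # uncompressed chunk: raw 4096 bytes
            out += container[cur:cur + 4096]
            cur += 4096
            continue
        while cur < chunk_end:
            flags, cur = container[cur], cur + 1   # one flag bit per token, LSB first
            for bit in range(8):
                if cur >= chunk_end:
                    break
                if not (flags >> bit) & 1:         # literal byte
                    out.append(container[cur])
                    cur += 1
                    continue
                token = struct.unpack_from("<H", container, cur)[0]
                cur += 2
                bit_count, length_mask, offset_mask = _token_params(len(out) - chunk_start)
                length = (token & length_mask) + 3
                src = len(out) - (((token & offset_mask) >> (16 - bit_count)) + 1)
                if src < chunk_start:              # malformed: refuse rather than read garbage
                    raise ValueError("copy token reaches before chunk start")
                for i in range(length):            # byte-wise so overlapping runs expand
                    out.append(out[src + i])
    return bytes(out)


def compress(data):
    """Greedy encoder producing one compressed chunk (input of at most 4096 bytes);
    enough to show what the stream looks like on the wire."""
    if len(data) > 4096:
        raise ValueError("single-chunk encoder: at most 4096 bytes")
    out, pos = bytearray(), 0
    while pos < len(data):
        flags, tokens = 0, bytearray()
        for bit in range(8):
            if pos >= len(data):
                break
            best_len = best_off = 0
            if pos > 0:
                bit_count, length_mask, _ = _token_params(pos)
                for off in range(1, min(pos, 1 << bit_count) + 1):
                    n = 0
                    while (n < length_mask + 3 and pos + n < len(data)
                           and data[pos + n - off] == data[pos + n]):
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
            if best_len >= 3:                      # copy tokens encode lengths >= 3 only
                token = ((best_off - 1) << (16 - bit_count)) | (best_len - 3)
                tokens += struct.pack("<H", token)
                flags |= 1 << bit
                pos += best_len
            else:
                tokens.append(data[pos])
                pos += 1
        out.append(flags)
        out += tokens
    header = (len(out) - 1) | (0b011 << 12) | (1 << 15)   # (2 + len) - 3, sig, compressed
    return b"\x01" + struct.pack("<H", header) + bytes(out)


def vba_data_contains(container, pattern):
    """What 'vba_data; content:<pattern>' asks: is the pattern present in the
    decompressed module, regardless of how the compressed bytes look."""
    return pattern in decompress(container)
```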

Improved JavaScript inspection.

7.2.0

7.2.0 with Snort 3

We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. The new normalizer's enhancements include improved white-space normalization, semicolon insertion, cross-site script handling, identifier normalization and dealiasing, just-in-time (JIT) inspection, and the ability to inspect external scripts.

By default, the new normalizer is enabled in all system-provided network analysis policies. To tweak performance or disable the feature in a custom network analysis policy, use the js_norm (improved normalizer) and normalize_javascript (legacy normalizer) settings in the http_inspect Snort 3 inspector.

To configure custom intrusion rules to match against normalized JavaScript, use the js_data option, for example:

alert tcp any any -> any any (msg:"Script detected!"; js_data; content:"var var_0000=1;"; sid:1000001;)

For more information, see HTTP Inspect Inspector in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.
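
To see why the rule above carries the literal "var var_0000=1;", here is an editor-written toy of the identifier and white-space normalization described in the text. It is not Snort's js_norm (which, among other things, keeps built-in names such as document unrenamed via its own ignore list), and the sample scripts in the comments and tests are constructed.

```python
import re

# Reserved words are never renamed; everything else that looks like an identifier is.
# (Toy list; the real normalizer knows the full JavaScript grammar and built-ins.)
KEYWORDS = {
    "var", "let", "const", "function", "return", "if", "else", "for", "while",
    "new", "this", "true", "false", "null", "typeof", "in", "of", "do", "break",
}

TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)
  | (?P<punct>===|!==|==|!=|<=|>=|&&|\|\||\+\+|--|[-+*/%=<>!;,.(){}\[\]?:])
""", re.VERBOSE | re.DOTALL)


def normalize_js(src):
    """Return the script with comments and redundant white space removed and every
    non-keyword identifier renamed var_0000, var_0001, ... in order of first use,
    so 'var   secret = 1;' and 'var counter=1;' both become 'var var_0000=1;'.
    String literals are left intact, so text inside them cannot pose as code."""
    names = {}
    out = []
    prev_wordish = False
    pos = 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if m is None:
            raise ValueError(f"unexpected character {src[pos]!r} at offset {pos}")
        pos = m.end()
        kind, text = m.lastgroup, m.group()
        if kind in ("ws", "comment"):
            continue
        if kind == "ident" and text not in KEYWORDS:
            text = names.setdefault(text, f"var_{len(names):04d}")
        wordish = kind in ("ident", "number")
        if wordish and prev_wordish:      # keep the one space that separates two words
            out.append(" ")
        out.append(text)
        prev_wordish = wordish
    return "".join(out)


def js_data_matches(script, content):
    """Model of 'js_data; content:"..."': the content is matched against the
    normalized script, not the bytes on the wire."""
    return content in normalize_js(script)
```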

Improved SMB 3 inspection.

7.2.0

7.2.0 with Snort 3

We now support inspection of SMB 3 traffic in the following situations:

  • During file server node failover for clusters configured for SMB Transparent Failover.

  • In multiple file server nodes for clusters using SMB Scale-Out.

  • Through directory information changes due to SMB Directory Leasing.

  • Spread across multiple connections due to SMB Multichannel.

For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Event Logging and Analysis

Improved SecureX integration, SecureX orchestration.

7.2.0

Any

We have streamlined the SecureX integration process. Now, as long as you already have a SecureX account, you just choose your cloud region on the new Integration > SecureX page, click Enable SecureX, and authenticate to SecureX. The options to send events to the cloud and to enable Cisco Success Network and Cisco Support Diagnostics have also moved to this new page.

When you enable SecureX integration on this new page, licensing and management for the system's cloud connection switches from Cisco Smart Licensing to SecureX. If you already enabled SecureX the "old" way, you must disable and re-enable to get the benefits of this cloud connection management.

Note that this page also governs the cloud region for and event types sent to the Secure Network Analytics (Stealthwatch) cloud using Security Analytics and Logging (SaaS), even though the web interface does not indicate this. Previously, these options were on System (system gear icon) > Integration > Cloud Services. Enabling SecureX does not affect communications with the Secure Network Analytics cloud; you can send events to both.

The management center also now supports SecureX orchestration—a powerful drag-and-drop interface you can use to automate workflows across security tools. After you enable SecureX, you can enable orchestration.

As part of this feature, you can no longer use the REST API to configure SecureX integration. You must use the FMC web interface.

Version restrictions: This feature is included in Versions 7.0.2+ and 7.2+. It is not supported in Version 7.1. If you use the new method to enable SecureX integration in Version 7.0.x, you cannot upgrade to Version 7.1 unless you disable the feature. We recommend you upgrade to Version 7.2+.

See: Cisco Secure Firewall Management Center (7.0.2 and 7.2) and SecureX Integration Guide

Log security events to multiple Secure Network Analytics on-prem data stores.

7.2.0

7.0.0

When you configure a Secure Network Analytics Data Store (multi-node) integration, you can now add multiple flow collectors for security events. You assign each flow collector to one or more threat defense devices running Version 7.0+.

New/modified screens:

  • Setup: Integration > Security Analytics & Logging > Secure Network Analytics Data Store

  • Modify: Integration > Security Analytics & Logging > Update Device Assignments

This feature requires Secure Network Analytics Version 7.1.4.

For more information, see the Cisco Security Analytics and Logging (On Premises): Firewall Event Integration Guide.

Database access changes.

7.2.0

Any

We added ten new tables, deprecated one table, and prohibited joins in six tables. We also added fields to various tables for Snort 3 support and to provide timestamps and IP addresses in human-readable format.

For more information, see the What's New topic in the Cisco Secure Firewall Management Center Database Access Guide, Version 7.2.

eStreamer changes.

7.2.0

Any

A new Python-based reference client has been added to the SDK. Also, you can now request fully qualified events.

For more information, see the What's New topic in the Cisco Secure Firewall Management Center Event Streamer Integration Guide, Version 7.2.

Deployment and Policy Management

Auto rollback of a deployment that causes a loss of management connectivity.

7.2.0

7.2.0

You can now enable auto rollback of the configuration if a deployment causes the management connection between the management center and threat defense to go down. Previously, you could only manually roll back a configuration using the configure policy rollback command.

New/modified screens:

  • Devices > Device Management > Device > Deployment Settings

  • Deploy > Advanced Deploy > Preview

  • Deploy > Deployment History > Preview

For more information, see Device Management.

Generate and email a report when you deploy configuration changes.

7.2.0

Any

You can now generate a report for any deploy task. The report contains details about the deployed configuration.

New/modified pages: Deploy > Deployment History (deployment history icon) > More (more icon) > Generate Report

For more information, see Configuration Deployment.

Access control policy locking.

7.2.0

Any

You can now lock an access control policy to prevent other administrators from editing it. Locking the policy ensures that your changes will not be invalidated if another administrator edits the policy and saves changes before you save your changes. Any user who has permission to modify the access control policy has permission to lock it.

We added an icon to lock or unlock a policy next to the policy name while editing the policy. In addition, there is a new permission to allow users to unlock policies locked by other administrators: Override Access Control Policy Lock. This permission is enabled by default in the Administrator, Access Admin, and Network Admin roles.

For more information, see Access Control Policies.

Object group search is enabled by default.

7.2.0

Any

The Object Group Search setting is now enabled by default when you add a device to the management center.

New/modified screens: Devices > Device Management > Device > Advanced Settings

For more information, see Device Management.

Access control rule hit counts persist over reboot.

7.2.0

7.2.0

Rebooting a managed device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained by each unit in an HA pair or cluster separately. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or see the counts per node.

New/modified CLI commands: show rule hits

For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

New user interface for the access control policy.

7.2.0

Any

There is a new experimental user interface available for the access control policy. You can continue to use the legacy user interface, or you can try out the new user interface.

The new interface has both a table and a grid view for the rules list, the ability to show or hide columns, enhanced search, infinite scroll, a clearer view of the packet flow related to policies associated with the access control policy, and a simplified add/edit dialog box for creating rules. You can freely switch back and forth between the legacy and new user interfaces while editing an access control policy.

Note

The new interface does not have all the features available in the legacy interface, and may have performance issues when displaying a large number of rules. If you experience issues with the new UI, switch back to the legacy UI. Additionally, Cisco TAC welcomes your feedback. If your organization allows it, you can help us improve this feature by making sure web analytics is enabled: System (system gear icon) > Configuration > Web Analytics.

For more information, see Access Control Policies.

Upgrade

Copy upgrade packages ("peer-to-peer sync") from device to device.

7.2.0

7.2.0

Instead of copying upgrade packages to each device from the management center or internal web server, you can use the threat defense CLI to copy upgrade packages between devices ("peer to peer sync"). This secure and reliable resource-sharing goes over the management network but does not rely on the management center. Each device can accommodate 5 concurrent package transfers.

This feature is supported for Version 7.2.x–7.4.x standalone devices managed by the same Version 7.2.x–7.4.x standalone management center. It is not supported for:

  • Container instances.

  • Device high availability pairs and clusters. These devices get the package from each other as part of their normal sync process. Copying the upgrade package to one group member automatically syncs it to all group members.

  • Devices managed by high availability management centers.

  • Devices managed by the cloud-delivered Firewall Management Center, but added to an on-prem management center in analytics mode.

  • Devices in different domains, or devices separated by a NAT gateway.

  • Devices upgrading from Version 7.1 or earlier, regardless of management center version.

New/modified CLI commands: configure p2psync enable, configure p2psync disable, show peers, show peer details, sync-from-peer, show p2p-sync-status

For more information, see Copy Threat Defense Upgrade Packages between Devices.

Auto-upgrade to Snort 3 after successful threat defense upgrade.

7.2.0

7.2.0

When you use a Version 7.2+ management center to upgrade threat defense to Version 7.2+, you can now choose whether to Upgrade Snort 2 to Snort 3.

After the software upgrade, eligible devices upgrade from Snort 2 to Snort 3 when you deploy configurations. For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For help, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.

Version restrictions: Not supported for threat defense upgrades to Version 7.0.x or 7.1.x.

Upgrade for single-node clusters.

7.2.0

Any

You can now use the device upgrade page (Devices > Device Upgrade) to upgrade clusters with only one active node. Any deactivated nodes are also upgraded. Previously, this type of upgrade would fail. This feature is not supported from the system updates page (System (system gear icon) > Updates).

Hitless upgrades are also not supported in this case. Interruptions to traffic flow and inspection depend on the interface configurations of the lone active unit, just as with standalone devices.

Supported platforms: Firepower 4100/9300, Secure Firewall 3100

Revert threat defense upgrades from the CLI.

7.2.0

7.2.0

You can now revert threat defense upgrades from the device CLI if communications between the management center and device are disrupted. Note that in high availability/scalability deployments, revert is more successful when all units are reverted simultaneously. When reverting with the CLI, open sessions with all units, verify that revert is possible on each, then start the processes at the same time.

Caution

Reverting from the CLI can cause configurations between the device and the management center to go out of sync, depending on what you changed post-upgrade. This can cause further communication and deployment issues.

New/modified CLI commands: upgrade revert, show upgrade revert-info.

For more information, see Revert the Upgrade.

Administration

Back up and restore threat defense virtual for AWS.

7.2.0

Any

You can now use the management center to back up threat defense virtual for AWS, except device clusters. To restore, use the device CLI.

For more information, see Backup/Restore.

Multiple DNS server groups for resolving DNS requests.

7.2.0

Any

You can configure multiple DNS groups for the resolution of DNS requests from client systems. You can use these DNS server groups to resolve requests for different DNS domains. For example, you could have a catch-all default group that uses public DNS servers, for use with connections to the Internet. You could then configure a separate group to use internal DNS servers for internal traffic, for example, any connection to a machine in the example.com domain. Thus, connections to an FQDN using your organization’s domain name would be resolved using your internal DNS servers, whereas connections to public servers use external DNS servers.

New/modified screens: Platform Settings > DNS

For more information, see Platform Settings.

Configure certificate validation with threat defense by usage type.

7.2.0

7.2.0

You can now specify the usage types where validation is allowed with the trustpoint (the threat defense device): IPsec client connections, SSL client connections, and SSL server certificates.

New/modified screens: We added a Validation Usage option to certificate enrollment objects: Objects > Object Manager > PKI > Cert Enrollment.

For more information, see Object Management.

GeoDB is split into two packages.

7.2.0

Any

In May 2022, shortly before the Version 7.2 release, we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on.

If your Version 7.2.0–7.2.5 management center has internet access and you enable recurring updates or you manually kick off a one-time update from the Cisco Support & Download site, the system automatically obtains both packages. In Version 7.2.6+/7.4.0+, you can configure whether you want the system to obtain the IP package.

If you manually download updates—for example, in an air-gapped deployment—you must import the packages separately:

  • Country code package: Cisco_GEODB_Update-date-build.sh.REL.tar

  • IP package: Cisco_IP_GEODB_Update-date-build.sh.REL.tar

Help (help icon) > About lists the versions of the packages currently being used by the system.

For more information, see Updates.

French language option for web interface.

7.2.0

Any

You can now switch the management center web interface to French.

New/modified screens: System (system gear icon) > Configuration > Language

For more information, see System Configuration.

Web interface changes: deployment and user activity integrations.

7.2.0

Any

Version 7.2 changes these management center menu options in all cases.

Deploy > Deployment History

is now

Deploy > Deployment History (deployment history icon) (bottom right corner)

Deploy > Deployment

is now

Deploy > Advanced Deploy

Analysis > Users > Active Sessions

is now

Integration > Users > Active Sessions

Analysis > Users > Users

is now

Integration > Users > Users

Analysis > Users > User Activity

is now

Integration > Users > User Activity

Web interface changes: SecureX, threat intelligence, and other integrations.

7.2.0

Any

Version 7.2 changes these management center menu options if you are upgrading from Version 7.0.1 or earlier, or from Version 7.1.

Note

If you are upgrading from Version 7.0.2 or any later Version 7.0.x maintenance release, your menu structure already looks like this.

AMP > AMP Management

is now

Integration > AMP > AMP Management

AMP > Dynamic Analysis Connections

is now

Integration > AMP > Dynamic Analysis Connections

Intelligence > Sources

is now

Integration > Intelligence > Sources

Intelligence > Elements

is now

Integration > Intelligence > Elements

Intelligence > Settings

is now

Integration > Intelligence > Settings

Intelligence > Incidents

is now

Integration > Intelligence > Incidents

System (system gear icon) > Integration

is now

Integration > Other Integrations

System (system gear icon) > Logging > Security Analytics & Logging

is now

Integration > Security Analytics & Logging

System (system gear icon) > SecureX

is now

Integration > SecureX

Usability, Performance, and Troubleshooting

Dropped packet statistics for the Secure Firewall 3100.

7.2.0

7.2.0

The new show packet-statistics threat defense CLI command displays comprehensive information about non-policy related packet drops. Previously this information required using several commands.

For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

Cisco Success Network telemetry.

7.2.0

Any

For telemetry changes, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center, Version 7.2.

Management Center REST API

Management center REST API.

7.2.0

Any

For information on changes to the FMC REST API, see What's New in 7.2 in the REST API quick start guide.

Deprecated Features

Deprecated: EIGRP with FlexConfig.

7.2.0

Any

You can now configure EIGRP routing from the management center web interface.

You no longer need these FlexConfig objects: Eigrp_Configure, Eigrp_Interface_Configure, Eigrp_Unconfigure, Eigrp_Unconfigure_all.

And these associated text objects: eigrpAS, eigrpNetworks, eigrpDisableAutoSummary, eigrpRouterId, eigrpStubReceiveOnly, eigrpStubRedistributed, eigrpStubConnected, eigrpStubStatic, eigrpStubSummary, eigrpIntfList, eigrpAuthKey, eigrpAuthKeyId, eigrpHelloInterval, eigrpHoldTime, eigrpDisableSplitHorizon.

The system does allow you to deploy post-upgrade, but also warns you to redo your EIGRP configurations. To help you with this process, we provide a command-line migration tool. For details, see Migrating FlexConfig Policies.

Deprecated: VXLAN with FlexConfig.

7.2.0

Any

You can now configure VXLAN interfaces from the management center web interface.

You no longer need these FlexConfig objects: VxLAN_Clear_Nve, VxLAN_Clear_Nve_Only, VxLAN_Configure_Port_And_Nve, VxLAN_Make_Nve_Only, VxLAN_Make_Vni.

And these associated text objects: vxlan_Port_And_Nve, vxlan_Nve_Only, vxlan_Vni.

If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings.

Deprecated: Automatic pre-upgrade troubleshooting.

7.2.0

Any

To save time and disk space, the management center upgrade process no longer automatically generates troubleshooting files before the upgrade begins. Note that device upgrades are unaffected and continue to generate troubleshooting files.

To manually generate troubleshooting files for the management center, choose System (system gear icon) > Health > Monitor, click Firewall Management Center in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

Device Manager Features in Version 7.2.x

Table 8. Device Manager Features in Version 7.2.x

Feature

Description

Platform Features

Firepower 1010E.

We introduced the Firepower 1010E, which does not support power over Ethernet (PoE).

Minimum threat defense: 7.2.3

See: Cabling for the Firepower 1010

Threat defense virtual for GCP.

You can now use device manager to configure threat defense virtual for GCP.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

Network modules for the Secure Firewall 3100.

We introduced these network modules for the Secure Firewall 3100:

  • 6-port 1G SFP Network Module, SX (multimode) (FPR-X-NM-6X1SX-F)

  • 6-port 10G SFP Network Module, SR (multimode) (FPR-X-NM-6X10SR-F)

  • 6-port 10G SFP Network Module, LR (single mode) (FPR-X-NM-6X10LR-F)

  • 6-port 25G SFP Network Module, SR (multimode) (FPR-X-NM-X25SR-F)

  • 6-port 25G Network Module, LR (single mode) (FPR-X-NM-6X25LR-F)

  • 8-port 1G Copper Network Module, RJ45 (copper) (FPR-X-NM-8X1G-F)

Minimum threat defense: 7.2.1

Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.

We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.

Minimum threat defense: 7.2.1

See: Deploy the Threat Defense Virtual on KVM

ISA 3000 support for shutting down.

Support returns for shutting down the ISA 3000. This feature was introduced in Version 7.0.2 but was temporarily deprecated in Version 7.1.

Firewall and IPS Features

Object-group search is enabled by default for access control.

The CLI configuration command object-group-search access-control is now enabled by default for new deployments. If you are configuring the command using FlexConfig, you should evaluate whether that is still needed. If you need to disable the feature, use FlexConfig to implement the no object-group-search access-control command.

See: Cisco Secure Firewall ASA Series Command Reference

Rule hit counts persist over reboot.

Rebooting a device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained by each unit in an HA pair or cluster separately. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or see the counts per node.

We modified the following threat defense CLI command: show rule hits.

See: Examining Rule Hit Counts

VPN Features

IPsec flow offload.

On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

See: IPSec Flow Offload

Interface Features

Breakout port support for the Secure Firewall 3130 and 3140.

You can now configure four 10GB breakout ports for each 40GB interface on the Secure Firewall 3130 and 3140.

New/modified screens: Devices > Interfaces

See: Manage the Network Module for the Secure Firewall 3100

Enabling or disabling Cisco Trustsec on an interface.

You can enable or disable Cisco Trustsec on physical, subinterface, EtherChannel, VLAN, Management, or BVI interfaces, whether named or unnamed. By default, Cisco Trustsec is enabled automatically when you name an interface.

We added the Propagate Security Group Tag attribute to the interface configuration dialog boxes, and the ctsEnabled attribute to the various interface APIs.

See: Configure Advanced Options

Licensing Features

Permanent License Reservation Support for ISA 3000.

ISA 3000 now supports Universal Permanent License Reservation for approved customers.

See: Applying Permanent Licenses in Air-Gapped Networks

Administrative and Troubleshooting Features

Ability to force full deployment.

When you deploy changes, the system normally deploys just the changes made since the last successful deployment. However, if you are experiencing problems, you can elect to force a full deployment, which completely refreshes the configuration on the device. We added the Apply Full Deployment option to the deployment dialog box.

See: Deploying Your Changes

Automatically update CA bundles.

Upgrade impact. The system connects to Cisco for something new.

The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature.

New/modified CLI commands: configure cert-update auto-update, configure cert-update run-now, configure cert-update test, show cert-update

Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco.

See: Cisco Secure Firewall Threat Defense Command Reference

Threat defense REST API version 6.3 (v6).

The threat defense REST API for software version 7.2 is version 6.3. You can use v6 in the API URLs, or preferentially, use /latest/ to signify you are using the most recent API version that is supported on the device. Note that the URL version path element for 6.3 is the same as 6.0, 6.1, and 6.2: v6.

Please re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, log into device manager, click the More Options button, and choose API Explorer.

See: Cisco Secure Firewall Threat Defense REST API Guide

Upgrade Impact Features

A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part; this is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade; for example, if you must change a configuration.

Upgrade Impact Features for Management Center

Check all releases between your current and target version.

Table 9. Upgrade Impact Features for Management Center

Target Version

Features with Upgrade Impact

7.2.6–7.2.x

7.2.5-7.2.x

7.2.4–7.2.x

7.2.4–7.2.5

7.2.0+

7.1.0.3–7.1.0.x

7.1.0+

7.0.6–7.0.x

7.0.5-7.0.x

7.0.0+

6.7.0+

Upgrade Impact Features for Threat Defense with Management Center

Upgrade Impact Features for Threat Defense with Device Manager

Upgrade Guidelines

The following sections contain release-specific upgrade warnings and guidelines. You should also check for features and bugs with upgrade impact. For general information on time/disk space requirements and on system behavior during upgrade, see the upgrade guide: For Assistance.

Upgrade Guidelines for Management Center

Check all releases between your current and target version.

Table 12. Upgrade Guidelines for Management Center

Target Version: 7.3.x–7.4.0
Current Version: 7.2.6–7.2.x
Guideline: Upgrade not recommended: Version 7.2.6–7.2.x to Version 7.3.x–7.4.0.
Details: Upgrading is supported, but will remove critical fixes and enhancements that are included in your current version. Instead, upgrade to Version 7.4.1+.

Target Version: 7.2.6
Current Version: 6.6.0–7.2.5
Guideline: Upgrade not recommended: Version 7.2.6.
Details: Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade.

Target Version: 7.1.0
Current Version: 7.0.4–7.0.x
Guideline: Upgrade prohibited: Version 7.0.4+ to Version 7.1.0.
Details: Due to datastore incompatibilities, you cannot upgrade from Version 7.0.4–7.0.x to Version 7.1.0. Instead, upgrade to Version 7.2.0+.

Target Version: 7.0.0–7.2.x
Current Version: 6.4.0–6.7.x
Guideline: Reconnect with Threat Grid for high availability management centers.
Details: Version 7.0.0 fixes an issue with management center high availability and malware detection where, after failover, the system stopped submitting files for dynamic analysis (CSCvu35704). For the fix to take effect, you must reassociate with the Cisco Threat Grid public cloud after upgrading.

After you upgrade the high availability pair to Version 7.0.0+, on the primary management center:

  1. Choose AMP > Dynamic Analysis Connections.

  2. Click Associate in the table row corresponding to the public cloud. A portal window opens. You do not have to sign in. The reassociation happens in the background, within a few minutes.

Target Version: 6.7.0
Current Version: 6.6.5–6.6.x
Guideline: Upgrade prohibited: management center Version 6.6.5+ to Version 6.7.0.
Details: Due to datastore incompatibilities, you cannot upgrade the management center from Version 6.6.5–6.6.x to Version 6.7.0. Instead, upgrade to Version 7.0.0+.

Upgrade Guidelines for Threat Defense with Management Center

Check all releases between your current and target version.

Table 13. Upgrade Guidelines for Threat Defense with Management Center

Target Version: 7.2.6
Current Version: 6.6.0–7.2.5
Guideline: Upgrade not recommended: Version 7.2.6.
Details: Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade.

Target Version: 7.2.0+
Current Version: 6.7.0–7.1.x
Guideline: Upgrade prohibited: threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+.
Details: You cannot upgrade threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+. You must deploy a new instance.

Target Version: 7.2.0–7.2.6
Current Version: 7.1.x or 6.6.0–7.0.2
Guideline: Unregister and reregister devices after reverting threat defense.
Details: If you revert from Version 7.2.0–7.2.6 to Version 6.6.0–7.0.2 or to Version 7.1.x, unregister and reregister devices after the revert completes (CSCwi31680).

Target Version: 7.1.0
Current Version: 7.0.4–7.0.x
Guideline: Upgrade prohibited: Version 7.0.4+ to Version 7.1.0.
Details: Due to datastore incompatibilities, you cannot upgrade from Version 7.0.4+ to Version 7.1.0. Instead, upgrade to Version 7.2.0+.

Target Version: 6.7.0–7.2.x
Current Version: 6.4.0–6.6.x
Guideline: Upgrade failure: Firepower 1010 switch ports with invalid VLAN IDs.
Details: For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with a VLAN ID in the 3968–4047 range. These IDs are for internal use only.

Upgrade Guidelines for Threat Defense with Device Manager

Check all releases between your current and target version.

Table 14. Upgrade Guidelines for Threat Defense with Device Manager

Target Version: 7.2.6
Current Version: 6.6.0–7.2.5
Guideline: Upgrade not recommended: Version 7.2.6.
Details: Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade.

Target Version: 7.1.0
Current Version: 7.0.4–7.0.x
Guideline: Upgrade prohibited: Version 7.0.4+ to Version 7.1.0.
Details: Due to datastore incompatibilities, you cannot upgrade from Version 7.0.4+ to Version 7.1.0. Instead, upgrade to Version 7.2.0+.

Target Version: 6.7.0–7.2.x
Current Version: 6.4.0–6.6.x
Guideline: Upgrade failure: Firepower 1010 switch ports with invalid VLAN IDs.
Details: For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with a VLAN ID in the 3968–4047 range. These IDs are for internal use only.
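The Firepower 1010 VLAN guideline above (it appears in both the management center and the device manager tables) is the kind of condition worth checking before an upgrade window rather than discovering as a failed upgrade. The following pre-upgrade check is an added example and is not code from the Cisco release notes or from the product: it scans an exported running configuration for switch ports that reference a VLAN ID in the reserved 3968–4047 range. The sample configuration is constructed, and the interface names and the `switchport access vlan` / `switchport trunk allowed vlan` line syntax are assumptions about how such a configuration is exported.

```python
import re
import sys

# Reserved range from the release notes: 3968-4047 inclusive.
# Python's range() excludes the upper bound, so 4048 is the stop value.
RESERVED_VLAN_RANGE = range(3968, 4048)

# Constructed sample of a Firepower 1010 switch-port configuration.
# The line syntax is an assumption; export your own running configuration
# and feed it to find_reserved_vlans() instead.
SAMPLE_CONFIG = """\
interface Ethernet1/2
 switchport
 switchport access vlan 100
interface Ethernet1/3
 switchport
 switchport access vlan 3970
interface Ethernet1/4
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 10,20,3960-3972
interface Ethernet1/5
 switchport
 switchport access vlan 4048
"""


def expand_vlan_list(spec):
    """Expand a VLAN list such as '10,20,3960-3972' into a set of integers."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = part.split("-", 1)
            vlans.update(range(int(low), int(high) + 1))
        else:
            vlans.add(int(part))
    return vlans


def vlans_per_interface(config):
    """Map each interface to the set of VLAN IDs its switch-port lines reference."""
    result = {}
    current = None
    for line in config.splitlines():
        stripped = line.strip()
        header = re.match(r"^interface (\S+)$", stripped)
        if header:
            current = header.group(1)
            result.setdefault(current, set())
            continue
        if current is None:
            continue
        access = re.match(r"^switchport access vlan (\d+)$", stripped)
        if access:
            result[current].add(int(access.group(1)))
            continue
        trunk = re.match(r"^switchport trunk allowed vlan ([\d,\- ]+)$", stripped)
        if trunk:
            result[current].update(expand_vlan_list(trunk.group(1)))
    return result


def find_reserved_vlans(config):
    """Return {interface: sorted reserved VLAN IDs} for interfaces that would block the upgrade."""
    findings = {}
    for interface, vlans in vlans_per_interface(config).items():
        reserved = sorted(v for v in vlans if v in RESERVED_VLAN_RANGE)
        if reserved:
            findings[interface] = reserved
    return findings


if __name__ == "__main__":
    # Read a configuration from stdin if one is piped in; otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    problems = find_reserved_vlans(text)
    for interface, vlans in problems.items():
        print(f"{interface}: reserved VLAN IDs {vlans}")
    sys.exit(1 if problems else 0)
```

The check expands trunk VLAN ranges before comparing them, so a trunk that merely spans the reserved block (3960-3972 in the sample) is flagged along with explicit access VLANs. IDs just outside the range (4048 in the sample) are correctly left alone, which matches the inclusive 3968–4047 wording of the guideline.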

Upgrade Guidelines for the Firepower 4100/9300 Chassis

FXOS Upgrade Guidelines

For release-specific FXOS upgrade warnings and guidelines, as well as features and bugs with upgrade impact, see the FXOS release notes. Check all release notes between your current and target version.

Table 15. Cisco Firepower 4100/9300 FXOS Release Notes

Target Threat Defense  Target FXOS  Release Notes
7.2                    2.12         Cisco Firepower 4100/9300 FXOS Release Notes, 2.12(1)
7.1                    2.11         Cisco Firepower 4100/9300 FXOS Release Notes, 2.11(1)
7.0                    2.10         Cisco Firepower 4100/9300 FXOS Release Notes, 2.10(1)
6.7                    2.9          Cisco Firepower 4100/9300 FXOS Release Notes, 2.9(1)
6.6                    2.8          Cisco Firepower 4100/9300 FXOS Release Notes, 2.8(1)

Firmware Upgrade Guidelines

For firmware upgrade guidelines, see the firmware upgrade guide: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.

Upgrade Path

Planning your upgrade path is especially important for large high availability deployments, multi-hop upgrades, and situations where you need to coordinate related upgrades—operating systems, firmware, chassis, hosting environments, and so on.

Upgrade Path for Management Center

This table lists the minimum version to upgrade management center. The management center must run the same or newer version as its managed devices. Upgrade the management center to your target version first, then upgrade devices. If you begin with devices running a much older version than the management center, further management center upgrades can be blocked. In this case you will need to perform a three (or more) step upgrade: devices first, then the management center, then devices again.

Table 16. Minimum Version to Upgrade Management Center

Target Version  Minimum Version to Upgrade  Oldest Device You Can Manage
7.2             6.6                         6.6

Upgrade Path for Threat Defense

This table lists the minimum version to upgrade threat defense. If you are not running the minimum version, you will need to perform a multi-step upgrade. If a chassis upgrade is required, threat defense upgrade is blocked; see Upgrade Path for Threat Defense with Chassis Upgrade.

Table 17. Minimum Version to Upgrade Threat Defense

Target Version  Minimum Version to Upgrade
7.3             7.0
7.2             6.6

Upgrade Path for Threat Defense with Chassis Upgrade

You may need to upgrade the Firepower 4100/9300 chassis (FXOS and firmware) before you upgrade threat defense. Because you upgrade the chassis first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of threat defense. If the chassis is already well ahead of its devices, further chassis upgrades can be blocked. In this case you will need to perform a three (or more) step upgrade: devices first, then the chassis, then devices again. In high availability or clustered deployments, upgrade one chassis at a time.

This table lists the minimum versions to upgrade when a chassis upgrade is required (usually major upgrades). Chassis upgrades to FXOS 2.14.1+ include firmware, otherwise, see the Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.

Table 18. Minimum Versions to Upgrade the Firepower 4100/9300

Target Versions: Threat Defense 7.2 on FXOS 2.12.0.31+
Minimum Versions to Upgrade: Threat Defense 6.6 on FXOS 2.8

Bugs

This document lists open and resolved bugs for threat defense and management center Version 7.2. For bugs in earlier releases, see the release notes for those versions. For cloud-delivered Firewall Management Center bugs, see the Cisco Cloud-Delivered Firewall Management Center Release Notes.


Important


We do not list open bugs for maintenance releases or patches.

Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated' date does not mean that the list was fully accurate on that date—only that some change was made. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. If you have a support contract, you can obtain up-to-date bug lists with the Cisco Bug Search Tool.


Open Bugs in Version 7.2.0

Table last updated: 2024-05-02

Table 19. Open Bugs in Version 7.2.0

Bug ID      Headline
CSCwb43433  Jumbo frame performance has degraded up to -45% on Firepower 2100 series
CSCwb78233  7.2.0 1984 Nutanix vFMC not accessible after upgrade from 7.1.0
CSCwb80789  TLS 1.3 connections to sites previously decrypted may fail
CSCwb87724  Evicted units re-joined existing Cluster but not listed on Control and other evicted vFTD Cluster
CSCwb88887  snp_fp_vxlan_encap_and_grp_send_common: failed to find adj. bp->l3_type = 8, inner_sip message
CSCwb89905  vFTD installed with JF but still FMC shows info about JF getting enabled and to reboot vFTD
CSCwb90105  Upgrade to 7.2 on FTDv for Nutanix is stuck after reboot
CSCwb96990  Early data may cause xtls to not wait for probe response
CSCwb97486  FPR3100: 25G optic may show link up on some 1/10G capable only fiber ports
CSCwb99960  onPremFMC with only CDO Managed devices registered, Malware Event pages shows license warning
CSCwd07838  User cannot filter by device in the new AC policy UI
CSCwd16602  Inconsistencies seen after switching from old UI to new UI without saving the policy
CSCwd47149  New AC Policy UI: ACP rule list takes a long time to load in case of large rule set
CSCwe14714  Search is slow and semantic based searches are not working in new ACP UI
CSCwe96560  Cannot copy rules from one policy to another policy using new AC policy UI
CSCwh15444  Fetching hit counts takes longer in NEW ACP UI when compared to the legacy ACP UI
CSCwi22693  ACP rule is deleted when discarding changes, post rule reposition.

Resolved Bugs in Version 7.2.7

Table last updated: 2024-04-29

Table 20. Resolved Bugs in Version 7.2.7

Bug ID      Headline
CSCwi63113  FTD Boot Loop with SNMP Enabled after reload/upgrade

Resolved Bugs in Version 7.2.6


Note


Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. The bugs listed here are also fixed in Version 7.2.7.


Table last updated: 2024-04-22

Table 21. Additional Resolved Bugs in Version 7.2.6-168 (Management Center Only)

Bug ID      Headline
CSCwj66339  OGO changing the order of custom object group contents causing an outage at static NAT

Table last updated: 2024-05-22

Table 22. Resolved Bugs in Version 7.2.6-167

Bug ID

Headline

CSCvg00130

FTD RA VPN: Rename of IP Address Pool and connection Profile name together causes deployment failure

CSCvj09334

ASA syslog 113005 does not show the user's IP address

CSCvo58100

Incorrect validation msg - Invalid value supplied for input parameter : "?"

CSCvo67978

'test aaa authentication' command shows wrong timeout value

CSCvr50778

FDM does not deploy 'crypto ikev1 am-disable' when aggressive mode is to be disabled

CSCvt43334

Cores generated due to expected/graceful shutdown need to be cleaned up

CSCvu95526

Disable "ca-check" option should be available on FDM

CSCvw31514

ASA is unable to establish SSL connectivity to servers using Self-signed certificate

CSCvx09047

Enabling SSO feature with no/wrong configuration restarts auth-daemon process constantly

CSCvx21458

FMC shows error when editing prefix-list attached to active route-map within BGP protocol

CSCvx37329

Remove Syslog Messages 852001 and 852002 in Firewall Threat Defense

CSCvx44261

SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors

CSCvx52042

Upgrade to 6.6.1 got failed at 800_post/1025_vrf_policy_upgrade.pl

CSCvx52944

ASA show tech should include recent messages from dpdk.log in the flash

CSCvx69675

FXOS Major Faults about adapter host and virtual interface being down

CSCvy11606

Error Loading Data: Couldnt resolve few of the STDACE BBs

CSCvy79686

FMC does not broadcast administrator user session end for Realms in a non-leaf FMC Domain

CSCvz56980

Getting Unprocessable URL categories objects when using API call

CSCvz71215

FMC is pushing SLA monitor commands in an incorrect order causing deployment failure.

CSCvz92730

Block snmpd process from getting spawned under FTD pmtool

CSCwa22766

FMC4500/4600 shows virtual license

CSCwa36703

Post FMC upgrade, event data migration task never ends, and shows no progress

CSCwa70323

Unable to push extra domains >1024 Character, as part of Custom Attribute under Anyconnect VPN

CSCwa93215

Primary node disconnected from VPN-Cluster when performed HA failover on Primary with DNS lookup

CSCwa95060

"SFDataCorrelator:Parser [ERROR] Syntax error" on FTD device

CSCwb06575

Windows 11 OS is not selectable when creating a DAP record via FMC

CSCwb41189

LINA time-sync correction

CSCwb55243

snort3 crashinfo sometimes fails to collect all frames

CSCwb61402

FMC: LDAP shell login may fail if LDAP server is slow to query the DNS servers for users

CSCwb61408

FMC: Did not remove unneeded shell external auth users from /etc/passwd

CSCwb71519

ENH: F1661 More details on failure reason and log location

CSCwb79062

FMC GUI not displaying correct count of unused network objects

CSCwb80789

TLS 1.3 connections to sites previously decrypted may fail

CSCwb85132

The Device Upgrade page might fail to load when device selection has FTD clusters / HA pairs

CSCwb94431

MFIB RPF failed counter instead of Other drops increments when outgoing interface list is Null

CSCwb95850

Snort down due to missing lua files because of disabled application detectors (PM side)

CSCwc13477

FMC | Interface update Failed. Could not find source interface

CSCwc15032

Unable to configure suppression/threshold for an intrusion rule

CSCwc30573

Deployment/Tasks Button not seen FMC_UI while doing upgrade tests configured in Light theme

CSCwc31953

Prevention of RSA private key leaks regardless of root cause.

CSCwc39525

FMC HA status alert "degraded - maintenance" seen periodically after upgrade

CSCwc41805

Correlation events matching on Intrusion Event Inline Result does not work properly

CSCwc49655

FTPS getting ssl3_get_record:bad record type during connection for KK and DR rules

CSCwc60227

FMC-GUI bypass session timeout while staying in any Event tab if Refresh Interval is enabled

CSCwc74271

Auth-Daemon process is getting restarted continuously when SSO disabled

CSCwc78689

Cannot save realm configuration unless AD Join Password is empty

CSCwc78697

Device is not marked as dirty when Store Fewer Events on FMC or data plane logging is enabled in SAL

CSCwc88118

Identity policy took long time to display the available port menu

CSCwc93687

Error message while editing ACP

CSCwc94148

Deploy page fails to load if any FTD cluster or HA device state is not proper in DB

CSCwc98050

ASAv- management interface config from controller Node not replicated to newly joined data Node

CSCwd03246

UI does not respect session timeout when in real time mode

CSCwd04436

User/group download may fail if a different realm is changed and saved

CSCwd07098

25G CU SFPs not working in Brentwood 8x25G netmod

CSCwd10121

Invalid query seen in MonetDB merovingian.log

CSCwd10822

Failover trigger due to Inspection engine in other unit has failed due to disk failure

CSCwd14432

"Inspection Interruption" is seen as YES but snort3 didn't restart

CSCwd24106

ISE Connection Monitor shows inaccurate alert status

CSCwd29891

No events for FPR1010 chassis temperature on health monitor

CSCwd30298

FTD: FTPS Data Channel connection impacted by TLS Server Identity and Discovery Probe sent by FTD

CSCwd31806

ASAv show crashinfo printing in loop continuously

CSCwd32952

Active and Standby device details not available in FMC logs during FTD HA break

CSCwd34079

FTD: Traceback & reload in process name lina

CSCwd34413

SEC-WEB-CLCKJACK failure on FMC: frame ancestors directive missing

CSCwd39506

SSL Policy DND default Rule fails on error unsupported cipher suite and SKE error.

CSCwd41986

Packet-Tracer interfaces not showing up in UI after updating interface name from lower to upper case

CSCwd42072

SRU installation failure.

CSCwd42347

FMC not showing any alerts/warnings when deploying changes of prefix list with same seq #

CSCwd45451

FMC: Script to change hostname/IP on FTD's when FMC's Ip/hostname is changed

CSCwd46182

Periodic sync failures are not reported to users

CSCwd46780

ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread

CSCwd53635

AWS: SSL decryption failing with Geneve tunnel interface

CSCwd55642

Stale CPU core health events seen on FMC UI post upgrade to 7.0.0+.

CSCwd56296

FTD Lina traceback and reload in Thread Name 'IP Init Thread'

CSCwd57927

FMC UI may become unavailable and show "System processes are starting" message after upgrade

CSCwd62729

FDM QW/QP: All URL traffic blocked in BAT/BQT test

CSCwd65598

cdFMC: SFDataCorrelator cores and user to group map not updated on sensor

CSCwd65781

Saving capture with special characters fails to download - Error Timed out

CSCwd66815

Lina changes to support - Snort3 traceback in daq-pdts while handling FQDN based traffic

CSCwd66820

Cisco Firepower Management Center Object Group Access Control List Bypass Vulnerability

CSCwd75782

FMC External Auth test error "Encryption method is configured but you did not upload a certificate."

CSCwd77581

Cisco ASA and FTD ICMPv6 Message Processing Denial of Service Vulnerability

CSCwd78940

Traps are not getting generated in UUT for config change in multicontext

CSCwd80284

Import/export fails with backend error

CSCwd81538

FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q

CSCwd83141

CCL/CLU filters are not working correctly

CSCwd83441

FMC should display the status of physical FTD interfaces bundled in port-channel

CSCwd84046

Microsoft SCEP enrollment fails to get ASA identity cert - Unable to verify PKCS7

CSCwd85073

Snort3 stream core found init_tcp_packet_analysis

CSCwd86226

Standby FMC show FMC-HA as healthy when Active unit Sybase is down

CSCwd86783

Disabling NAVL guids from userappid.conf doesn't work

CSCwd87129

seeing error on access policies on FMC - "Error during policy validation"

CSCwd87438

Enhance logging mechanism for syslogs

CSCwd89811

Traffic fails in Azure ASAv Clustering after "timeout conn" seconds

CSCwd91013

FMC | Deployment failure in csm_snapshot_error

CSCwd93316

No Inspect Interruption warning when deploy after FMC upgrade

CSCwd93376

Clientless VPN users are unable to download large files through the WebVPN portal

CSCwd95043

Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability

CSCwd97020

ASA/FTD: External IDP SAML authentication fails with Bad Request message

CSCwd99592

Optimization of Side Bar loading for HealthMon page

CSCwe01977

ASA/FTD may traceback and reload after a reload with DHCPv6 configured

CSCwe03631

Need to provide rate-limit on "logging history <mode>"

CSCwe04746

Unexpected "No Traffic" health alert on Standby HA Data Interface where no data flows

CSCwe06826

Email alert incorrectly send for a successful database backup

CSCwe10872

Internal Error while editing PPPoE configurations

CSCwe13627

FMC Unable to fetch VPN troubleshooting logs.

CSCwe14062

FTD/Lina or ASA traceback and reload related to thread ctm_qat_engine

CSCwe14590

FMC deployment preview showing full config instead of delta.

CSCwe16730

Deployment failing - "Error while printing show-xml-response file contents" XML response too big

CSCwe18446

Support cluster pending_rejoin in virtual platform FTDv

CSCwe18472

[FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs

CSCwe19051

FTD High unmanaged disk usage alert is triggered due to stored files located on /ngfw/Volume/root1/

CSCwe19830

Policy deploy failure "error executing /*!40101 SET character_set_client = @saved_cs_client */; *"

CSCwe21037

Snort mem used alert should be consistent with value from top.log

CSCwe21831

add warning to FTD platform settings when VPN Logging Settings logging level is informational

CSCwe21884

Write wrapper around "kill" command to log who is calling it

CSCwe22254

After disabling malware analysis, high disk usage on /dev/shm/snort

CSCwe22431

[SXP-UserIP Muted Leader]FMC HA Join flushes FW IP_SGT Mapping and restreams in registered sensors.

CSCwe25154

KP - core.SAMsgThread core created while HA switchover in multicontext

CSCwe25187

FMC External authentication getting "Internal error"

CSCwe26342

ASA Traceback & reload citing thread name: asacli/0

CSCwe26612

FTD taking longer than expected to form OSPF adjacencies after a failover switchover

CSCwe27503

Logging class Support for routing

CSCwe28362

Copy and pasting rules is broken and give blank error message in ID policy

CSCwe28912

FPR 4115- primary unit lost all HA config after ftd HA upgrade

CSCwe29381

Sybase arbiter is not up on FMC HA

CSCwe29498

occasional failure to load light-modal-ac-rule-xx.css with a net::ERR_TOO_MANY_RETRIES error

CSCwe30359

Traffic drops with huge rule evaluation on snort

CSCwe30687

dvti memory leak on mp_counter_alloc

CSCwe33282

FTD: The upgrade was unsuccessful because the httpd process was not running

CSCwe34269

DBCheck error is unclear when monetdb is in a 'crashed' state

CSCwe34664

The interface is deleted from interface group if the user change the name of it [API]

CSCwe38353

stream_tcp PDUs does not capture vlan ID

CSCwe39514

Host cache logs flooding the box

CSCwe41766

FTD may not reboot as expect post upgrade if bundled FXOS version is the same on old and new version

CSCwe42582

Error thrown on AC Rule creation/update and save after index creation

CSCwe43965

Remove the limit of 30characters in the rule name which a rule is moved from ACP to Prefilter

CSCwe45211

Need to Warn the users before triggering a full deployment on FTD managed by FDM

CSCwe45879

Frequent errors seen regarding failures to load bulkcsv files that don't exist

CSCwe47485

FTD: CLISH slowness due to command execution locking LINA prompt

CSCwe48997

FDM: Cannot create multiple RA-VPN profiles with different SAML servers that have the same SAML IDP\u2028

CSCwe49185

Generate password does not meet requirements while in CC mode

CSCwe51296

Not able to remove group policy from RAVPN via REST API

CSCwe51489

Unable to process query error on events; FMC UI; monetdb maximum connections reached

CSCwe52499

NGIPSv syslog-tls.conf.tt needs filters removed when in CC mode

CSCwe53089

The user belonging to a subdomain, is unable to collect packet tracer

CSCwe55556

logging is getting disabled if ssl rules are reordered

CSCwe56452

BGP IPv6 configuration : route-map association with neighbour not getting deployed

CSCwe57218

FMC: Incorrect FTD cluster role status leading to inability to upgrade FTD

CSCwe58207

Memory leak observed on ASA/FTD when logging history is enabled

CSCwe58323

FMC EIGRP 'For input string: "route-map"' error when configuring EIGRP post 7.2 upgrade

CSCwe58620

FMC Connection Events page "Error: Unable to process this query. Please contact support."

CSCwe58635

Readiness Check Failed [ERROR] Fatal error: Enterprise Object integrity check failed with errors

CSCwe58980

/var/sf/QueryPoolData fills up with warehouse directories

CSCwe59664

DAP policy created in FMC Gui, to detect a Windows OS with a hotfix, will not work as expected

CSCwe59889

Create Identity Services Engine via API returns 404 Client Error: Not Found

CSCwe61599

FTD 2100 -Update daq-ioq mempool to help protect against buffer corruption

CSCwe61703

Unable to delete custom anyconnect attribute --dynamic-split-tunnel from group-policy

CSCwe62951

FSIC db include Python byte-code files and can result in health alert and system integrity failure.

CSCwe63493

Post backup restore multiple processes are not up. No errors are observed during backup or restore.

CSCwe63759

Cluster hardening fixes

CSCwe66137

SSO user gets logged in to FMC UI if a valid local user credentials are pre-populated in the browser

CSCwe66360

Snort3 out of memory and process exit unexpectedly due to memory not released by flows

CSCwe67180

FTD HA app-sync failure, due to corruption in cache files.

CSCwe69388

FMC should push the AnyConnect Custom attribute defer keyword as lowercase instead of capitalized

CSCwe69824

validation check on FMC GUI causing issue and throwing error when adding new NAT objects

CSCwe71084

IN clause does not work for externalization queries after upgrading to 7.0.x

CSCwe71238

Requests from intelligence page fail after RMQ was stopped for some time

CSCwe72330

FTD LINA traceback and reload in Datapath thread after adding Static Routing

CSCwe74899

CD App Sync error is App Config Apply Failed on Secondary/Standby after backup restore on RMA device

CSCwe75055

[FMC model migration] Health monitoring on FMC reporting errors

CSCwe75267

Cannot Force Break FTD HA Pair

CSCwe76036

ndclientd error message 'Local Disk is full' needs to provide mount details which is full

CSCwe78377

Network Discovery: Performance issues caused by the use of 'any' network object in the rules

CSCwe78674

User Group Download fetches less data than available or fails with "Size limit exceeded" error

CSCwe79954

LDAP External auth config fails to deploy to FTD if same LDAP server is added as Primary and backup

CSCwe80273

FMC device search page removes FTD from the groups and put them back to ungrouped

CSCwe80915

Intrusion Event Information under statistics tab is empty

CSCwe81135

ac-policy rule section showing non-existing index page in old ac-policy UI

CSCwe81449

Moving the app-agent logging to asynchronous logging mechanism(Same as SNMP).

CSCwe81841

FXOS needs to provide a command that will display the total power on hours of chassis/blade

CSCwe82631

FMC isn't allowing to create more than 30 VLAN interfaces

CSCwe82766

[Azure FMCv] Deployment with SSH key option is not adding the keys correctly.

CSCwe85156

FTD: 10Gbps/full interfaces changed to 1Gbps/Auto after upgrade and going to down state

CSCwe85439

Change color codes to represent processes in 'Waiting' state

CSCwe86029

FMC system restore authentication error during FMC re-image when using FTP/SCP protocol

CSCwe86350

email alert to scheduled activity is not working after upgrading to 7.2

CSCwe86687

Apache Commons FileUpload before 1.5 does not limit the number of reques

CSCwe86690

In Apache MINA, a specifically crafted, malformed HTTP request may cause

CSCwe86693

An issue in protobuf-java allowed the interleaving of com.google.protobu

CSCwe86923

In Apache MINA, a specifically crafted, malformed HTTP request may cause

CSCwe87134

ASA/FTD: Traceback and reload due to high rate of SCTP traffic

CSCwe87789

Script to trigger HA when RSS memory threshold exceeds configurable threshold

CSCwe87831

FMC UI response is very slow: Add health module monitoring FMC ntpd server(s) accessibility

CSCwe88496

"Failed to convert snort 2 custom rules. Refer /var/sf/htdocs/ips/snort.rej for more details."

CSCwe88802

FTD readiness and upgrade passed with exception log as ProgressReport' has no attribute 'KB_UNIT'

CSCwe88808

FMC UI stuck after completing compatibility check

CSCwe89024

FTS under AC Policy Listing page with 'obj' gives Error Moving Data error with CTS DB

CSCwe89305

vFMC300 to FMC2600 migration failure with error "migration from R to N is not allowed"

CSCwe89818

External Auth on FMC may throw err "Can't use string ("") as a HASH ref while "strict refs" in use"

CSCwe90168

Unable to Access FMC GUI when using Certificate Authentication

CSCwe90195

Local rules are not seen in the UI after converting from Snort2 to Snort3 in 7.2.4-82 FMC

CSCwe90596

Elephant flow detection disabled on FMC, getting enabled on FTD after random deployment

CSCwe91652

Database backup failed on KVM FMC

CSCwe91738

improve serviceability to handle TLS 1.3 only flows when TLS 1.3 decryption is not enabled

CSCwe91958

correlation events based on connection events do not contain Security Intelligence Category content

CSCwe92723

Phase 2 NAP delay seen in 7.0.1 while deploying policy

CSCwe93061

FTD returns no output of "show elephant-flow status" when efd.lua file's content is empty

CSCwe93137

KP - multimode: ASA traceback observed during HA node break and rejoin.

CSCwe93162

FP1140 7.0.4 Deployment keep failing with error "Can't use an undefined value as a HASH reference"

CSCwe93489

Threat-detection does not recognize exception objects with a prefix in IPv6

CSCwe93566

need to turn off default TLS 1.1 (deprecated) support for the FDM GUI

CSCwe93736

ASA not updating Timezone despite taking commands

CSCwe94789

Umbrella DNS Negate of Bypass Domain Field is not generated from FMC

CSCwe95729

Cisco ASA & FTD SAML Authentication Bypass Vulnerability

CSCwe95797

SecureX page in FMC GUI blank after FMC upgrade

CSCwe97939

ASA/FTD Cluster: Change "cluster replication delay" with max value increase from 15 to 50 sec

CSCwe98319

ASAConfig multiple restarts are leaking 16K memory in every Restart leading to ZMQ Out Of Memory.

CSCwe98430

AC policy deploy failing on 7.2.4 FMC to 6.7 FTD

CSCwe98435

Selective policy deploy with Identity Policy (captive-portal) and SSL Policy (dp-tcp-proxy) CLI

CSCwe99905

Getting an error while saving report template

CSCwf00483

Found Orphaned SFTop10Cacher processes

CSCwf00514

RRD files cannot be updated if the timestamp is ahead of time as a result of a system clock drift

CSCwf00736

CSM backup failed within FMC backup due to modification of file while tar was reading it

CSCwf00804

EventHandler occasional corrupt bundle record - SFDataCorrelator logs "Error deserializing"

CSCwf02005

ActionQueue task sandbox data update throws SQL Error post 7.2.4 upgrade

CSCwf02453

reload-threshold should not be an option under show memory

CSCwf03345

Recovery from RMU failures due to control link going to bad state

CSCwf03912

New CLI for config clu_update/keepalive interval

CSCwf04915

FP1000: Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames

CSCwf06255

7.2.4-129 - GCP cluster - health check failures

CSCwf06261

Health Monitoring exports negative snort swap memory metric value

CSCwf06318

Readiness check needs to be allowed to run without pausing FMC HA

CSCwf08320

SSE does not update relevant information after first discovery of an asset.

CSCwf08387

LSP version not updated to latest in LINA Prompt in SSP_CLUSTER with 7.2.4 build.

CSCwf08790

FMC Restore of remote backup fails due to no space left on the device

CSCwf09024

Misleading trace log about state transition

CSCwf10295

Snort3 is not closing the pcap file handle and disk is getting full

CSCwf10422

"Security Intelligence feed download failed" displayed even though it succeeded

CSCwf11877

TPK 3110 - Firmware version MISMATCH after upgrade to 7.2.4-144

CSCwf12521

Unable to load intrusion policy page on FMC GUI

CSCwf13674

Deployments can cause certain RAVPN users mapping to get removed.

CSCwf14031

Snort down due to missing lua files because of disabled application detectors (VDB side)

CSCwf14257

FTD container restored from backup fails to register to FMC due to Peer send bad hash error

CSCwf15532

HA Sync Failed health alert generated for both FMC units in HA pair - HA subsequently recovered

CSCwf15863

Very specific "vpn-idle-timeout" values cause continuous SSL session disconnects and reconnects

CSCwf15978

xml2js version 0.4.23 allows an external attacker to edit or add new pro

CSCwf16679

HA Serviceability Enh: Maintain HA NLP client stats and HA CTL NLP counters for current App-sync

CSCwf17389

ASA accepts replayed SAML assertions for RA VPN authentication

CSCwf18144

Firepower hotfixes should not be allowed to install when already installed previously

CSCwf19562

Changes to lamplighter logs written to /var/log/tid_process.log

CSCwf19621

Unable to edit name or inspection mode of intrusion policy

CSCwf19681

Secondary FMC should allow edit of FTD IP/hostname details under device tab

CSCwf20215

admin user should be excluded from CLI shell access filter

CSCwf20958

No logrotate and max size is configured for Health.log file

CSCwf21204

DBCheck shouldn't run against MonetDB if user is collecting config backup alone

CSCwf22241

Security zones are not showing in AC policy UI

CSCwf22568

FTD HA Creation fails resulting in devices showing up in an inconsistent state on the FMC

CSCwf22637

Network Object Group overrides not visible or be edited from FMC GUI

CSCwf22854

Not able to add files with file names which has '\u' to clean list from Malware Summary page

CSCwf23997

Upgrade readiness check shows failed in GUI for all sensors due to sensor display name characters.

CSCwf24818

Unable to change admin user password after FMC migration if it had LOM access

CSCwf25144

FMC backup management page showing "Verifying Backup" for FTD sensors.

CSCwf25402

FMC - Import SSL Certificate Pinning from a CSV file may result in a failure to deploy policy on FTD

CSCwf25563

Device list takes longer to load while creating new AC policy

CSCwf25642

High Disk Utilization and Performance issue due to large MariaDB Undo Logs

CSCwf26264

FMC backup restore page takes around 5 mins to load when remote storage is unreachable

CSCwf26350

User is not informed of the dependent IPS when policy import fails.

CSCwf28063

SSE disconnect breaks cloud lookups after restoration.

CSCwf30542

Snort3 crash found during cleaning up a CHP object

CSCwf30824

Add CIMC reset as auto-recovery for CIMC IPMI hung issues

CSCwf32890

Standby FMC SSH connection getting disconnected frequently.

CSCwf33904

[IMS_7_4_0] - Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby

CSCwf34123

Reordering columns in report designer is glitchy when using Atomic

CSCwf34892

Flooding log in trace file, fo_chk_peer_down_ifcs

CSCwf35173

SFTunnel Fails to Properly Establish due to running_config.conf file misconfiguration

CSCwf35223

SGT Troubleshooting the ability to correlate to IP Address

CSCwf35233

Cisco Adaptive Security Appliance Software and Firepower Threat Defense DoS

CSCwf35346

FMC should handle error appropriately when ISE reports error during SXP download

CSCwf35500

FXOS/SSP: System should provide better visibility of DIMM Correctable error events

CSCwf36011

Drop rule is not being removed when snmp unification on blade is removed.

CSCwf36391

Third heartbeat packet is not sent before declaring the application health failure

CSCwf36419

ASA/FTD: Traceback and reload with Thread Name 'PTHREAD'

CSCwf36621

access-list: Cannot mix different types of access lists.

CSCwf38782

Change in syslog message ASA-3-202010

CSCwf39163

ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk

CSCwf39821

FTD: High-Availability unit struck at CD App Sync error due to error ngfwManager restart on peer

CSCwf40594

Wyoming/SFCN ASA: Wrong values shown DBRG in show crypto ssl objects CLI

CSCwf40674

REST API [PUT]: PC called without h/w config, existing h/w config is set to null in the DB

CSCwf41187

WINSCP and SFTP detectors do not work as expected

CSCwf41433

ASA/FTD client IP missing from TACACS+ request in SSH authentication

CSCwf42012

Improper load-balancing for traffic on ERSPAN interfaces on FPR 3100/4200

CSCwf42234

S2S dashboard SVTI tunnel details are missing after upgrade

CSCwf43033

diskmanager silo covering /var/sf/htdocs/img/dashboard/no-cache/ needs much lower hwm and lwm

CSCwf43247

NMAP Remediation scan tasks remain in pending state in action queue table, does not clear out

CSCwf43850

ECMP + NAT for ipsec sessions support request for Firepower.

CSCwf44621

Traceback and reload on Thread DATAPATH-6-21369 and linked to generation of syslog message ID 202010

CSCwf45091

Snort3 matches SMTP_RESPONSE_OVERFLOW (IPS rule 124:3) when SMTPS hosts exchange certificates

CSCwf45094

MariaDB Process in FMC should use jemalloc instead of glibc

CSCwf45106

securex sse integration needs instructions updated

CSCwf49254

cannot unregister FTD from Cisco Cloud in FDM if already unregistered/unenrolled from cloud side

CSCwf49640

Show dns ip-cache has old bids after switching snort versions, which affects path-monitoring output.

CSCwf52810

ASA SNMP polling not working and showing "Unable to honour this request now" on show commands

CSCwf53210

[Enhancement] No of config archives should be configurable from UI

CSCwf55014

serviceability improvement for CSCwe28912 where HA state in failed state.

CSCwf55236

Unable to delete custom rule group even when excluded from all the ips policies

CSCwf56291

FMC config archives retention reverts to default if ca_purge tool was used prior to 7.2.4 upgrade

CSCwf56404

ca_purge tool needs to restart Tomcat

CSCwf57315

Reconcile FMC state: FMC Upgrade needs to create upgrade status file to support FTD Upgrade guards.

CSCwf57850

TelemetryApp process keeps exiting every minute after upgrading the FMC

CSCwf57856

FXOS Traceback and reload caused by leak on MTS buffer queue

CSCwf59176

FXOS raises a fault for administratively disabled management interface

CSCwf59571

FTD/Lina - ZMQ issue OUT OF MEMORY. due to less Msglyr pool memory on certain platforms

CSCwf59643

FTD: HA App sync failure due to fover interface flap on standby unit

CSCwf62103

FMC needs to properly validate QoS policy rules before allowing deployment to FTD

CSCwf62729

7.0.6 - Lina Crash in RAVPN interface with anomaly traffic in both non-FIPS and FIPS mode

CSCwf63358

FTD Diskmanager.log is corrupt causing hm_du module to alert false high disk usage

CSCwf63589

FTD snmpd process traceback and restart

CSCwf63872

FTD taking longer than expected to form OSPF adjacencies after a failover switchover

CSCwf64590

Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220

CSCwf66271

Unable to list down the interface under the device exclude policy

CSCwf66307

The exclude policy to exclude interface status will be removed on FMC after a while

CSCwf66333

Selecting "All interfaces " under FTD exclude policy for interface status module doesn't work

CSCwf66387

[IMS_7_4_0] FTD revert fails "The management state validation cannot be done, Cannot revert"

CSCwf67337

FMC taking long times to save override objects even if not modified

CSCwf68335

vFMC: Scheduled deployment failing

CSCwf69313

Correlation events for Connection Tracker <, <=, = or != rules show data for unrelated connections

CSCwf69475

Transfer Packets option change to NO automatically when change the device name in device management

CSCwf71602

FMC not generating FTD S2S VPN alerts when down or idle

CSCwf73773

Dumping of last 20 rmu request response packets failed

CSCwf74319

Health alert for significant difference of record numbers received with bulk download

CSCwf75214

ASA removes the IKEv2 Remote PSK if the Key String ends with a backslash "\" after reload

CSCwf75695

Duplicate FTD cluster has been created when multiple cluster events comes at same time

CSCwf77995

Azure FTDv, managed locally by FDM, goes in boot cycle/reload loop after the first deployment

CSCwf79372

after HA break, selected list shows both the devices when 1 device selected for upgrade

CSCwf80163

Critical Alert Smart Agent is not registered with Smart Licensing Cloud

CSCwf81320

Unable to configure and deploy IPv6 DNS server for RAVPN in FMC 7.2.4

CSCwf82093

When communications are disabled for FTD from FMC UI backend shows connection is staying enabled.

CSCwf82279

Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages

CSCwf82447

Editing identity nat rule disables "perform route lookup" silently

CSCwf82644

SI Feeds get downloaded despite the feed updates being user disabled

CSCwf84588

Disable TLS 1.1 permanently for sftunnel communication

CSCwf86519

FMC displays VPN status as unknown even if the status is up if one of the peer is extranet

CSCwf86557

Decrypting engine/ssl connections hang with PKI Interface Error seen

CSCwf86860

FMC GUI | ACP page gets blank and hang while doing search in rules and moving to last pages

CSCwf87070

WM RM - SFP port status of 9 follows port of state of SFP 10|11|12

CSCwf87348

When state-link is flapped HA state changed from Standby-ready to Bulk-sync without failover reason

CSCwf88124

Switch ports in trunk mode may not pass vlan traffic after power loss or reboot

CSCwf89959

ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls

CSCwf91282

import of .SFO to FMC failed due to included local/custom rules having a blank rule message field

CSCwf91381

Adi: Log specific host FQDN used for bulk download and websocket connections

CSCwf92047

ENH: FMC, Disable 'create client' under eStremer tab in the GUI when it is running in UCAPL mode

CSCwf92182

Cisco Firepower Management Center Software SQL Injection Vulnerability

CSCwf92661

ASA|FTD: Traceback & reload due to a free buffer corruption

CSCwf94450

FTD Lina traceback Thread Name: DATAPATH due to memory corruption

CSCwf94677

"failover standby config-lock" config is lost after both HA units are reloaded simultaneously

CSCwf95288

FPR1k Switchport passing CDP traffic

CSCwf98546

snort minidumps no longer managed by diskmanager after moving to var/common

CSCwf99303

Management UI presents self-signed cert rather than custom CA signed one after upgrade

CSCwh00123

In Multi-manager scenario,cdFMC&Analytics FMC,FTD should only receive identity feeds from Config FMC

CSCwh00692

Traceback @<capture_file_show+605 at ../infrastructure/capture/capture_file_finesse.c:282>

CSCwh02561

Port-channel interface speed changes from 10G to 1G after a policy deployment

CSCwh04185

Snort crash on FTD version 7.2.4

CSCwh04730

ASA/FTD HA checkheaps crash where memory buffers are corrupted

CSCwh05863

ASA omits port in host field of HTTP header of OCSP request if non-default port begins with 80

CSCwh06452

Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2

CSCwh08215

Upgrade from 7.2.x to 7.2.5 may fail if there is null value observed in speed/duplex in interface

CSCwh08388

FMC GUI Not Saving Interface Settings

CSCwh08403

FMC HA - Health Policy - Applied count shows "0" appliance

CSCwh08481

ASA traceback on Lina process with FREEB and VPN functions

CSCwh08683

FTDv/AWS - NTP clock offset between Lina and FTD cluster

CSCwh09113

FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop"

CSCwh10087

core-compressor fails due to core filename with white space

CSCwh12009

EOStore failed error is outputted after deleting shared rule layer.

CSCwh13474

PSEQ (Power-Sequencer) firmware - remove device-id check

CSCwh13551

Encrypted Visibility Engine (EVE) dashboard tab and widgets not added to FMC GUI upon upgrade

CSCwh13625

Encrypted Visibility Engine (EVE) FMC dashboard tab and widgets not renamed after 7.1 > 7.2+ upgrade

CSCwh13821

ASA/FTD may traceback and reload in when changing capture buffer size

CSCwh14352

Lina CiscoSSL upgrade to 1.1.1v and FOM 7.3a

CSCwh14731

External authentication fails if the object name contains space characters

CSCwh14863

FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn

CSCwh16301

Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output

CSCwh16759

SNMP is not working on the primary active ASA unit in multi-context environment

CSCwh17052

Lack of validation of string length creating object/category names using API

CSCwh17576

Site-to-Site VPN tunnel status on FMC shows down even though it is UP from FTD side

CSCwh18967

Include "show env tech" in FXOS FPRM troubleshoot

CSCwh19613

ASA crashed with Saml scenarios

CSCwh19897

ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple

CSCwh21337

FTD - Issue with the LSP package code during deploy rollback.