Cisco Secure Firewall Threat Defense Release Notes
This document contains release information for:
- Cisco Secure Firewall Threat Defense
- Cisco Secure Firewall Management Center (on-prem)
- Cisco Secure Firewall device manager
For cloud deployments, see the Cisco Cloud-Delivered Firewall Management Center Release Notes or What's New for Cisco Defense Orchestrator.
Release Dates
Version | Build | Date | Platforms
---|---|---|---
7.2.9 | 44 | 2024-10-22 | All
7.2.8.1 | 17 | 2024-08-26 | All
7.2.8 | 25 | 2024-06-24 | All
7.2.7 | 500 | 2024-04-29 | All
7.2.6 | 168 | 2024-04-22 | No longer available.
7.2.6 | 167 | 2024-03-19 | No longer available.
7.2.5.2 | 4 | 2024-05-06 | All
7.2.5.1 | 29 | 2023-11-14 | All
7.2.5 | 208 | 2023-07-27 | All
7.2.4.1 | 43 | 2023-07-27 | All
7.2.4 | 169 | 2023-05-10 | Management center
7.2.4 | 165 | 2023-05-03 | Devices
7.2.3.1 | 13 | 2023-04-18 | Management center
7.2.3 | 77 | 2023-02-27 | All
7.2.2 | 54 | 2022-11-29 | All
7.2.1 | 40 | 2022-10-03 | All
7.2.0.1 | 12 | 2022-08-10 | All
7.2.0 | 82 | 2022-06-06 | All
Compatibility
Before you upgrade or reimage, make sure the target version is compatible with your deployment. If you cannot upgrade or reimage due to incompatibility, contact your Cisco representative or partner contact for refresh information.
For compatibility information, see:
Features
For features in earlier releases, see Cisco Secure Firewall Management Center New Features by Release and Cisco Secure Firewall Device Manager New Features by Release.
Upgrade Impact/Features in Maintenance Releases and Patches
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.
The feature descriptions here include upgrade impact where appropriate. For a more complete list of features with upgrade impact by version, see Upgrade Impact Features.
Important: Features, enhancements, and critical fixes included in maintenance releases (third-digit) and patches (fourth-digit) can skip future releases, depending on release date, release type (short term vs. long term), and other factors. Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing a Maintenance Release.
If you are using the web interface in a language other than English, features introduced in maintenance releases and patches may not be translated until the next major release.
Snort 3
Snort 3 is the default inspection engine for threat defense.
Snort 3 features for management center deployments also apply to device manager, even if they are not listed as new device manager features. However, keep in mind that the management center may offer more configurable options than device manager.
Important: If you are still using the Snort 2 inspection engine, switch to Snort 3 now for improved detection and performance. Snort 2 will be deprecated in a future release and will eventually prevent threat defense upgrade.
Intrusion Rules and Keywords
Upgrades can import and auto-enable new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU/LSP. After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.
For details on new keywords, see the Snort release notes: https://www.snort.org/downloads.
FlexConfig
Upgrades can add web interface or Smart CLI support for features that previously required FlexConfig. The upgrade does not convert FlexConfigs. After upgrade, configure the newly supported features in the web interface or Smart CLI. When you are satisfied with the new configuration, delete the deprecated FlexConfigs.
The feature descriptions here include information on deprecated FlexConfigs when appropriate. For a full list of deprecated FlexConfigs, see your configuration guide.
Caution: Although you cannot newly assign or create FlexConfig objects using deprecated commands, in most cases existing FlexConfigs continue to work and you can still deploy. However, sometimes, using deprecated commands can cause deployment issues.
REST API
For information on what's new in the REST API, see the Secure Firewall Management Center REST API Quick Start Guide or the Cisco Secure Firewall Threat Defense REST API Guide.
Telemetry
Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support. For information on what's new with telemetry, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center.
Management Center Features in Version 7.2.9
Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Reintroduced Features | | |
Reintroduced features from previous maintenance releases. | Feature dependent | Feature dependent | Version 7.2.9 reintroduces:
Management Center Features in Version 7.2.8
Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Platform | | |
Threat defense virtual for Megaport. | 7.2.8 | 7.2.8 | We introduced threat defense virtual for Megaport (Megaport Virtual Edge). High availability is supported; clustering is not. Version restrictions: Initially, you may not be able to freshly deploy Versions 7.3.x or 7.4.x. Instead, deploy Version 7.2.8–7.2.x and upgrade. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide
Management Center Features in Version 7.2.7
This release introduces stability, hardening, and performance enhancements. See Resolved Bugs in Version 7.2.7.
Management Center Features in Version 7.2.6
Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. The features listed here are also available in Version 7.2.7.
Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Reintroduced Features | | |
Reintroduced features from previous maintenance releases. | 7.2.6 | Feature dependent | Version 7.2.6 reintroduces:
Interfaces | | |
Configure DHCP relay trusted interfaces from the management center web interface. | 7.2.6, 7.4.1 | Any | Upgrade impact. Redo any related FlexConfigs after upgrade. You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them. DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the threat defense DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (the DHCP relay agent address, which the relay agent sets before it forwards the packet to the server) is 0, threat defense drops that packet by default. You can preserve Option 82 and forward the packet by identifying an interface as a trusted interface. New/modified screens: Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version, redo your FlexConfigs.
NAT | | |
Create network groups while editing NAT rules. | 7.2.6, 7.4.1 | Any | You can now create network groups in addition to network objects while editing a NAT rule. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.
High Availability/Scalability: Threat Defense | | |
Reduced "false failovers" for threat defense high availability. | 7.2.6, 7.4.0 | 7.2.6, 7.4.0 | Other version restrictions: Not supported with management center or threat defense Version 7.3.x.
High Availability: Management Center | | |
Single backup file for high availability management centers. | 7.2.6, 7.4.1 | Any | When performing a configuration-only backup of the active management center in a high availability pair, the system now creates a single backup file that you can use to restore either unit. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Unified Backup of Management Centers in High Availability
Event Logging and Analysis | | |
Open the packet tracer from the unified event viewer. | 7.2.6, 7.4.1 | Any | You can now open the packet tracer from the unified event viewer. Click the ellipsis icon (...) next to the desired event and click Open in Packet Tracer. Other version restrictions: In Version 7.2.x, use the Expand icon (>) instead of the ellipsis icon. Not supported with management center Version 7.3.x or 7.4.0.
Health Monitoring | | |
Health alerts for excessive disk space used by deployment history (rollback) files. | 7.2.6, 7.4.1 | Any | The Disk Usage health module now alerts if deployment history (rollback) files are using excessive disk space on the management center. Deploy the management center health policy after upgrade. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Disk Usage for Device Configuration History Files Health Alert
Health alerts for NTP sync issues. | 7.2.6, 7.4.1 | Any | A new Time Server Status health module reports issues with NTP synchronization. Deploy the management center health policy after upgrade. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Time Synchronization and Health Modules
Deployment and Policy Management | | |
View and generate reports on configuration changes since your last deployment. | 7.2.6, 7.4.1 | Any | You can generate, view, and download (as a zip file) reports on configuration changes since your last deployment. This is especially useful after you upgrade either the management center or threat defense devices, so that you can see the changes made by the upgrade before you deploy. New/modified screens: Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.
Set the number of deployment history files to retain for device rollback. | 7.2.6, 7.4.1 | Any | You can now set the number of deployment history files to retain for device rollback, up to ten (the default). This can help you save disk space on the management center. New/modified screens: Deploy > Deployment History. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.
Upgrade | | |
Improved upgrade starting page and package management. | 7.2.6, 7.4.1 | Any | A new upgrade page makes it easier to choose, download, manage, and apply upgrades to your entire deployment, including the management center, threat defense devices, and any older NGIPSv/ASA FirePOWER devices. The page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. You can choose and direct-download packages from Cisco, as well as manually upload and delete packages. Internet access is required to retrieve the list and to direct-download upgrade packages; otherwise, you are limited to manual management. Patches are not listed unless you have at least one appliance at the appropriate maintenance release (or you manually uploaded the patch). You must manually upload hotfixes. New/modified screens: Deprecated screens/options: Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center
Enable revert from the threat defense upgrade wizard. | 7.2.6, 7.4.1 | Any, if upgrading to 7.1+ | You can now enable revert from the threat defense upgrade wizard. Other version restrictions: You must be upgrading threat defense to Version 7.1+. Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center
Select devices to upgrade from the threat defense upgrade wizard. | 7.2.6 | Any | You can now use the threat defense upgrade wizard to select or refine the devices to upgrade. On the wizard, you can toggle the view between selected devices, remaining upgrade candidates, ineligible devices (with reasons why), devices that need the upgrade package, and so on. Previously, you could only use the Device Management page, and the process was much less flexible. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center
View detailed upgrade status from the threat defense upgrade wizard. | 7.2.6, 7.4.1 | Any | The final page of the threat defense upgrade wizard now allows you to monitor upgrade progress. This is in addition to the existing monitoring capability on the Upgrade tab of the Device Management page and in the Message Center. Note that as long as you have not started a new upgrade flow, reopening the wizard brings you back to this final page, where you can view the detailed status for the current (or most recently completed) device upgrade. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center
Unattended threat defense upgrades. | 7.2.6 | Any | The threat defense upgrade wizard now supports unattended upgrades, using a new Unattended Mode menu. Select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center
Simultaneous threat defense upgrade workflows by different users. | 7.2.6 | Any | We now allow simultaneous upgrade workflows by different users, as long as you are upgrading different devices. The system prevents you from upgrading devices already in someone else's workflow. Previously, only one upgrade workflow was allowed at a time across all users. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center
Skip pre-upgrade troubleshoot generation for threat defense devices. | 7.2.6 | Any | You can now skip the automatic generation of troubleshooting files before major and maintenance upgrades by disabling the new Generate troubleshooting files before upgrade begins option. This saves time and disk space. To manually generate troubleshooting files for a threat defense device, choose System( See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center
Suggested release notifications. | 7.2.6, 7.4.1 | Any | The management center now notifies you when a new suggested release is available. If you don't want to upgrade right now, you can have the system remind you later, or defer reminders until the next suggested release. The new upgrade page also indicates suggested releases. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Management Center New Features by Release
New upgrade wizard for the management center. | 7.2.6, 7.4.1 | Any | A new upgrade starting page and wizard make it easier to perform management center upgrades. After you use System( Other version restrictions: Only supported for management center upgrades from Version 7.2.6+/7.4.1+. Not supported for upgrades from Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center
Hotfix high availability management centers without pausing synchronization. | 7.2.6, 7.4.1 | Any | Unless otherwise indicated by the hotfix release notes or Cisco TAC, you do not have to pause synchronization to install a hotfix on high availability management centers. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center
Administration | | |
Updated internet access requirements for direct-downloading software upgrades. | 7.2.6, 7.4.1 | Any | Upgrade impact. The system connects to new resources. The management center has changed its direct-download location for software upgrade packages from sourcefire.com to amazonaws.com. If you restrict the management center's outbound connections (egress firewall rules or a proxy allowlist), update them before you upgrade. Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.
Scheduled tasks download patches and VDB updates only. | 7.2.6, 7.4.1 | Any | Upgrade impact. Scheduled download tasks stop retrieving maintenance releases. The Download Latest Update scheduled task no longer downloads maintenance releases; it now downloads only the latest applicable patches and VDB updates. To direct-download maintenance (and major) releases to the management center, use System( Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.
Usability, Performance, and Troubleshooting | | |
Enable/disable access control object optimization. | 7.2.6, 7.4.1 | Any | You can now enable and disable access control object optimization from the management center web interface. New/modified screens: Other version restrictions: Access control object optimization is automatically enabled on all management centers upgraded or reimaged to Versions 7.2.4–7.2.5 and 7.4.0, and automatically disabled on all management centers upgraded or reimaged to Version 7.3.x. It is configurable and enabled by default for management centers reimaged to Version 7.2.6+/7.4.1+, but respects your current setting when you upgrade to those releases. See: Access Control Preferences
Cluster control link ping tool. | 7.2.6, 7.4.1 | Any | You can check that all the cluster nodes can reach each other over the cluster control link by performing a ping. One major cause of a node failing to join the cluster is an incorrect cluster control link configuration; for example, the cluster control link MTU may be set higher than the connecting switch MTUs. New/modified screens: More( Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.
Snort 3 restarts when it uses too much memory, which can trigger HA failover. | 7.2.6, 7.4.1 | 7.2.6 with Snort 3; 7.4.1 with Snort 3 | To improve continuity of operations, excessive memory use by Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process uses too much memory. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.) This feature is enabled by default. You can use the CLI to disable it or to configure the memory threshold. Platform restrictions: Not supported with clustered devices. New/modified CLI commands: configure snort3 memory-monitor, show snort3 memory-monitor-status. Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0.
Set the frequency of Snort 3 core dumps. | 7.2.6, 7.4.1 | 7.2.6 with Snort 3; 7.4.1 with Snort 3 | You can now set the frequency of Snort 3 core dumps. Instead of generating a core dump every time Snort crashes, you can generate one only the next time Snort crashes, or generate one if a crash has not occurred in the last day or week. Snort 3 core dumps are disabled by default for standalone devices. For high availability and clustered devices, the default frequency is now once per day instead of every time. New/modified CLI commands: configure coredump snort3, show coredump. Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0.
Capture dropped packets with the Secure Firewall 3100/4200. | 7.2.6, 7.4.1 | 7.2.6 (no 4200), 7.4.1 | Packet losses resulting from MAC address table inconsistencies can impact your debugging capabilities. The Secure Firewall 3100/4200 can now capture these dropped packets. New/modified CLI commands: the drop {disable \| mac-filter} option in the capture command. Other version restrictions: Not supported with management center or threat defense Version 7.3.x or 7.4.0.
Deprecated Features | | |
Deprecated: DHCP relay trusted interfaces with FlexConfig. | 7.2.6, 7.4.1 | Any | Upgrade impact. Redo any related FlexConfigs after upgrade. You can now use the management center web interface to configure interfaces as trusted interfaces to preserve DHCP Option 82. If you do this, these settings override any existing FlexConfigs, although you should remove them. Other version restrictions: This feature is not supported with management center Version 7.3.x or 7.4.0. If you upgrade to an unsupported version, also redo your FlexConfigs.
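The DHCP relay trusted-interface feature in this table (introduced in the web interface above and deprecated as a FlexConfig here) rests on one decision the relay makes per client request: is Option 82 already present while giaddr is still 0.0.0.0? The following is an added example, not Cisco code, that parses a DHCP message far enough to make that decision and applies the default-drop / trusted-forward rule the notes describe. Header offsets follow RFC 2131 and Option 82 follows RFC 3046; the sample packets are constructed inline, not captured traffic.

```python
"""DHCP relay trust check for Option 82 (Relay Agent Information).

Added example, not Cisco code. It models the default relay behaviour these
notes describe: a client request that already carries Option 82 but has
giaddr = 0.0.0.0 is dropped, unless it arrived on an interface marked
trusted, in which case Option 82 is preserved and the request is forwarded.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82   # RFC 3046
BOOTREQUEST = 1


@dataclass
class DhcpMessage:
    op: int
    giaddr: str
    options: Dict[int, bytes] = field(default_factory=dict)


def parse_dhcp(packet: bytes) -> DhcpMessage:
    """Parse the fixed 236-byte BOOTP header plus the option list.

    Option overload (option 52) is not handled; a relay that honours it
    would also have to scan the sname/file fields for options.
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op = packet[0]
    giaddr = ".".join(str(b) for b in packet[24:28])   # giaddr at offset 24
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return DhcpMessage(op, giaddr, options)


def relay_decision(packet: bytes, ingress_trusted: bool) -> str:
    """Return 'forward' or 'drop' for a message received from the client side."""
    msg = parse_dhcp(packet)
    if msg.op != BOOTREQUEST:
        return "forward"          # server replies are not subject to this check
    if (OPT_RELAY_AGENT_INFO in msg.options
            and msg.giaddr == "0.0.0.0"
            and not ingress_trusted):
        return "drop"             # Option 82 from an unknown relay: default drop
    return "forward"


def build_request(giaddr: str, opt82: Optional[bytes]) -> bytes:
    """Construct a minimal DHCPDISCOVER (sample input for the check above)."""
    gi = bytes(int(x) for x in giaddr.split("."))
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,                  # op, htype=Ethernet, hlen, hops
        0x3903F326, 0, 0x8000,                 # xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, gi,   # ciaddr, yiaddr, siaddr, giaddr
        b"\x00\x11\x22\x33\x44\x55".ljust(16, b"\0"),  # chaddr (made-up MAC)
        b"\0" * 64, b"\0" * 128)               # sname, file
    options = bytes([OPT_MSG_TYPE, 1, 1])      # DHCPDISCOVER
    if opt82 is not None:
        options += bytes([OPT_RELAY_AGENT_INFO, len(opt82)]) + opt82
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


# Option 82 with sub-option 1 (Circuit ID), as a downstream switch inserts it.
SAMPLE_OPT82 = bytes([1, 4]) + b"eth1"

if __name__ == "__main__":
    pkt = build_request("0.0.0.0", SAMPLE_OPT82)
    print("untrusted:", relay_decision(pkt, ingress_trusted=False))
    print("trusted:  ", relay_decision(pkt, ingress_trusted=True))
```

The default drop exists because Option 82 carries the circuit and remote IDs that DHCP snooping and IP Source Guard later trust; a client on an untrusted segment could otherwise insert its own. Marking an interface trusted means accepting whatever Option 82 the downstream device sends, so limit it to interfaces facing relay agents or snooping switches you control.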
Management Center Features in Version 7.2.5
Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Interfaces | | |
Management center detects interface sync errors. | 7.2.5, 7.4.1 | Any | Upgrade impact. You may need to sync interfaces after upgrade. In some cases, the management center can be missing a configuration for an interface even though the interface is correctly configured and functioning on the device. If this happens, and your management center is running: Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0. The management center will neither block deploy nor warn you of missing configurations. You can still sync interfaces manually if you think you are having an issue.
Management Center Features in Version 7.2.4
Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Default Forward Error Correction (FEC) on Secure Firewall 3100 fixed ports changed to Clause 108 RS-FEC from Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers. | 7.2.4 | Any | When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the default type is now set to Clause 108 RS-FEC instead of Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers. See: Interface Overview.
Automatically update CA bundles. | 7.0.5, 7.1.0.3, 7.2.4 | 7.0.5, 7.1.0.3, 7.2.4 | Upgrade impact. The system connects to Cisco for something new. The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature. New/modified CLI commands: configure cert-update auto-update, configure cert-update run-now, configure cert-update test, show cert-update. Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco. See: Firepower Management Center Command Line Reference and Cisco Secure Firewall Threat Defense Command Reference
Access control performance improvements (object optimization). | 7.2.4, 7.4.0 | Any | Upgrade impact. First deployment after management center upgrade to 7.2.4–7.2.5 or 7.4.0 can take a long time and increase CPU use on managed devices. Access control object optimization improves performance and consumes fewer device resources when you have access control rules with overlapping networks. The optimizations occur on the managed device on the first deploy after the feature is enabled on the management center (including if it is enabled by an upgrade). If you have a high number of rules, the system can take several minutes to an hour to evaluate your policies and perform object optimization. During this time, you may also see higher CPU use on your devices. A similar thing occurs on the first deploy after the feature is disabled (including if it is disabled by upgrade). After this feature is enabled or disabled, we recommend you deploy when it will have the least impact, such as a maintenance window or a low-traffic time. New/modified screens (requires Version 7.2.6): System( Version restrictions: Not supported with management center Version 7.3.x.
Smaller VDB for lower memory Snort 2 devices. | 6.4.0.17, 7.0.6, 7.2.4, 7.3.1.1, 7.4.0 | Any with Snort 2 | Upgrade impact. Application identification on lower memory devices is affected. For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB. Lower memory devices: ASA 5506-X series, ASA 5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X. Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not the managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641.
Management Center Features in Version 7.2.3
Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Firepower 1010E. | 7.2.3.1, 7.3.1.1 | 7.2.3 | We introduced the Firepower 1010E, which does not support power over Ethernet (PoE). Do not use a Version 7.2.3 or Version 7.3.0 management center to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version 7.3.1.1+ management center. Version restrictions: These devices do not support Version 7.3.x or 7.4.0. Support returns in Version 7.4.1.
Management Center Features in Version 7.2.2
This release introduces stability, hardening, and performance enhancements. See Resolved Bugs in Version 7.2.2.
Management Center Features in Version 7.2.1
Feature | Minimum Management Center | Minimum Threat Defense | Details
---|---|---|---
Hardware bypass ("fail-to-wire") network modules for the Secure Firewall 3100. | 7.2.1 | 7.2.1 | We introduced hardware bypass network modules for the Secure Firewall 3100. New/modified screens: Devices > Device Management > Interfaces > Edit Physical Interface. For more information, see Inline Sets and Passive Interfaces.
Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM. | 7.2.1 | 7.2.1 | We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM. For more information, see Getting Started with Secure Firewall Threat Defense Virtual and KVM.
Management Center Features in Version 7.2.0
Feature |
Minimum Management Center |
Minimum Threat Defense |
Details |
|||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reintroduced Features |
||||||||||||||||||
Reintroduced features from previous maintenance releases. |
Feature dependent |
Feature dependent |
Version 7.2.0 reintroduces:
|
|||||||||||||||
Platform |
||||||||||||||||||
Snapshots allow quick deploy of threat defense virtual for AWS and Azure. |
7.2.0 |
7.2.0 |
You can now take a snapshot of a threat defense virtual for AWS or Azure instance, then use that snapshot to quickly deploy new instances. This feature also improves the performance of the autoscale solutions for AWS and Azure. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|||||||||||||||
Analytics mode for cloud-managed threat defense devices. |
7.2.0 |
7.0.3 7.2.0 |
Concurrently with Version 7.2, we introduced the cloud-delivered Firewall Management Center, which uses the Cisco Defense Orchestrator platform and unites management across multiple Cisco security solutions. We take care of feature updates. On-prem hardware and virtual management centers running Version 7.2+ can "co-manage" cloud-managed threat defense devices, but for event logging and analytics purposes only. You cannot deploy policy to these devices from an on-prem management center. New/modified screens:
New/modified CLI commands: configure manager add , configure manager delete , configure manager edit , show managers Version restrictions: Not supported with threat defense Version 7.1. For more information, see Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator. |
|||||||||||||||
High Availability/Scalability: Threat Defense |
||||||||||||||||||
Clustering for threat defense virtual in both public and private clouds. |
7.2.0 |
7.2.0 |
You can now configure clustering for the following threat defense virtual platforms:
New/modified screens:
For more information, see Clustering for Threat Defense Virtual in a Public Cloud (AWS, GCP) or Clustering for Threat Defense Virtual in a Private Cloud (KVM, VMware). |
|||||||||||||||
16-node clusters for the Firepower 4100/9300, and for threat defense virtual for AWS and GCP. |
7.2.0 |
7.2.0 |
You can now configure 16-node clusters for the Firepower 4100/9300, and for threat defense virtual for AWS and GCP. Note that the Secure Firewall 3100 still only supports 8 nodes. For more information, see Clustering for the Firepower 4100/9300 or Clustering for Threat Defense Virtual in a Public Cloud. |
|||||||||||||||
High availability for threat defense virtual for Nutanix. |
7.2.0 |
7.2.0 |
We now support high availability for threat defense virtual for Nutanix. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|||||||||||||||
Autoscale for threat defense virtual for AWS gateway load balancers. |
7.2.0 |
7.2.0 |
We now support autoscale for threat defense virtual for AWS gateway load balancers, using a CloudFormation template. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|||||||||||||||
Autoscale for threat defense virtual for GCP. |
7.2.0 |
7.2.0 |
Upgrade impact. Threat defense virtual for GCP cannot upgrade across Version 7.2.0. We now support autoscale for threat defense virtual for GCP, by positioning a threat defense virtual instance group between a GCP internal load balancer (ILB) and a GCP external load balancer (ELB). Version restrictions: Due to interface changes required to support this feature, threat defense virtual for GCP upgrades cannot cross Version 7.2.0. That is, you cannot upgrade to Version 7.2.0+ from Version 7.1.x and earlier. You must deploy a new instance and redo any device-specific configurations. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|||||||||||||||
Interfaces |
||||||||||||||||||
LLDP support for the Firepower 2100 and Secure Firewall 3100. |
7.2.0 |
7.2.0 |
You can now enable Link Layer Discovery Protocol (LLDP) for Firepower 2100 and Secure Firewall 3100 series interfaces. New/modified screens: New/modified commands: show lldp status , show lldp neighbors , show lldp statistics For more information, see Interface Overview. |
|||||||||||||||
Pause frames for flow control for the Secure Firewall 3100. |
7.2.0 |
7.2.0 |
If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue. New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration > Network Connectivity For more information, see Interface Overview. |
|||||||||||||||
Breakout ports for the Secure Firewall 3130 and 3140. |
7.2.0 |
7.2.0 |
You can now configure four 10 GB breakout ports for each 40 GB interface on the Secure Firewall 3130 and 3140. New/modified screens: Devices > Device Management > Chassis Operations For more information, see Interface Overview. |
|||||||||||||||
Configure VXLAN from the management center web interface. |
7.2.0 |
Any |
Upgrade impact. Redo FlexConfigs after upgrade. You can now use the management center web interface to configure VXLAN interfaces. VXLANs act as a Layer 2 virtual network over a Layer 3 physical network to stretch the Layer 2 network. If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case: if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings. New/modified screens: For more information, see Regular Firewall Interfaces. |
|||||||||||||||
NAT |
||||||||||||||||||
Enable, disable, or delete more than one NAT rule at a time. |
7.2.0 |
Any |
You can select multiple NAT rules and enable, disable, or delete them all at the same time. Enable and disable apply to manual NAT rules only, whereas delete applies to any NAT rule. For more information, see Network Address Translation. |
|||||||||||||||
VPN |
||||||||||||||||||
Certificate and SAML authentication for RA VPN connection profiles. |
7.2.0 |
7.2.0 |
We now support certificate and SAML authentication for RA VPN connection profiles. You can authenticate a machine certificate or user certificate before SAML authentication/authorization is initiated. This can be done using DAP certificate attributes along with user-specific SAML DAP attributes. New/modified screens: You can now choose the Certificate & SAML option when choosing the authentication method for the connection profile in an RA VPN policy. For more information, see Remote Access VPN. |
|||||||||||||||
Route-based site-to-site VPN with hub and spoke topology. |
7.2.0 |
7.2.0 |
We added support for route-based site-to-site VPNs in a hub and spoke topology. Previously, that topology only supported policy-based (crypto map) VPNs. New/modified screens: When you add a new VPN topology and choose Route Based (VTI), you can now also choose Hub and Spoke. For more information, see Site-to-Site VPNs. |
|||||||||||||||
IPsec flow offload for the Secure Firewall 3100. |
7.2.0 |
7.2.0 |
On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance. You can change the configuration using FlexConfig and the flow-offload-ipsec command. For more information, see Site-to-Site VPNs. |
|||||||||||||||
Routing |
||||||||||||||||||
Configure EIGRP from the management center web interface. |
7.2.0 |
Any |
Upgrade impact. Redo FlexConfigs after upgrade. You can now use the management center web interface to configure EIGRP. Note that you can only enable EIGRP on interfaces belonging to the device's Global virtual router. If you configured EIGRP with FlexConfig in a previous version, the system allows you to deploy post-upgrade, but also warns you to redo your EIGRP configurations in the web interface. When you are satisfied with the new configuration, you can delete the deprecated FlexConfig objects or commands. To help you with this process, we provide a command-line migration tool. New/modified screens: For more information, see EIGRP and Migrating FlexConfig Policies. |
|||||||||||||||
Virtual router support for the Firepower 1010. |
7.2.0 |
7.2.0 |
You can now configure up to five virtual routers on the Firepower 1010. For more information, see Virtual Routers. |
|||||||||||||||
Support for VTIs in user-defined virtual routers. |
7.2.0 |
7.2.0 |
You can now assign virtual tunnel interfaces to user-defined virtual routers. Previously, you could only assign VTIs to Global virtual routers. New/modified screens: For more information, see Virtual Routers. |
|||||||||||||||
Policy-based routing with path monitoring. |
7.2.0 |
7.2.0 |
You can now use path monitoring to collect the performance metrics (RTT, jitter, packet loss, and MOS) of a device's egress interfaces. Then, you can use these metrics to determine the best path for policy-based routing. New/modified screens: New/modified CLI commands: show policy route, show path-monitoring, clear path-monitoring. For more information, see Policy Based Routing. |
|||||||||||||||
Threat Intelligence |
||||||||||||||||||
DNS-based threat intelligence from Cisco Umbrella. |
7.2.0 |
Any |
We now support DNS-based Security Intelligence using regularly updated information from Cisco Umbrella. You can use both a local DNS policy and an Umbrella DNS policy, for two layers of protection. New/modified screens: For more information, see DNS Policies. |
|||||||||||||||
IP-based threat intelligence from Amazon GuardDuty. |
7.2.0 |
Any |
You can now handle traffic based on malicious IP addresses detected by Amazon GuardDuty, when integrated with management center virtual for AWS. The system consumes this threat intelligence via a custom Security Intelligence feed, or via a regularly updated network object group, which you can then use in your security policies. For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide. |
|||||||||||||||
Access Control: Threat Detection and Application Identification |
||||||||||||||||||
Dynamic object management with:
|
7.2.0 |
Any |
Concurrently with Version 7.2, we released the following updates to the Cisco Secure Dynamic Attributes Connector:
|
|||||||||||||||
Bypass inspection or throttle elephant flows on Snort 3 devices. |
7.2.0 |
7.2.0 with Snort 3 |
You can now detect and optionally bypass inspection or throttle elephant flows. By default, access control policies are set to generate an event when the system sees an unencrypted connection larger than 1 GB/10 sec; the rate limit is configurable. For the Firepower 2100 series, you can detect elephant flows but not bypass inspection or throttle. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use Intelligent Application Bypass (IAB). New/modified screens: We added Elephant Flow Settings to the access control policy's Advanced tab. For more information, see Elephant Flow Detection. |
|||||||||||||||
Encrypted visibility engine enhancements. |
7.2.0 |
7.2.0 with Snort 3 |
We made the following enhancements to the encrypted visibility engine (EVE):
The following connection event fields have changed along with these enhancements:
This feature now requires a Threat license. For more information, see Access Control Policies and Application Detection. |
|||||||||||||||
TLS 1.3 inspection. |
7.2.0 |
7.2.0 with Snort 3 |
We now support inspection of TLS 1.3 traffic. New/modified screens: We added the Enable TLS 1.3 Decryption option to the Advanced Settings tab in SSL policies. Note that this option is disabled by default. For more information, see SSL Policies. |
|||||||||||||||
Improved portscan detection. |
7.2.0 |
7.2.0 with Snort 3 |
With an improved portscan detector, you can easily configure the system to detect or prevent portscans. You can refine the networks you want to protect, set the sensitivity, and so on. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use the network analysis policy for portscan detection. New/modified screens: We added Threat Detection to the access control policy's Advanced tab. For more information, see Threat Detection. |
|||||||||||||||
VBA macro inspection. |
7.2.0 |
7.2.0 with Snort 3 |
We now support inspection of VBA (Visual Basic for Applications) macros in Microsoft Office documents, which is done by decompressing the macros and matching rules against the decompressed content. By default, VBA macro decompression is disabled in all system-provided network analysis policies. To enable it, use the decompress_vba setting in the imap, smtp, http_inspect, and pop Snort 3 inspectors. To configure custom intrusion rules to match against decompressed macros, use the vba_data option. For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide. |
|||||||||||||||
Improved JavaScript inspection. |
7.2.0 |
7.2.0 with Snort 3 |
We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. The new normalizer's enhancements include improved white-space normalization, semicolon insertion, cross-site script handling, identifier normalization and dealiasing, just-in-time (JIT) inspection, and the ability to inspect external scripts. By default, the new normalizer is enabled in all system-provided network analysis policies. To tune performance or disable the feature in a custom network analysis policy, use the js_norm (improved normalizer) and normalize_javascript (legacy normalizer) settings in the http_inspect Snort 3 inspector. To configure custom intrusion rules to match against normalized JavaScript, use the js_data option, for example:
For more information, see HTTP Inspect Inspector in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide. |
|||||||||||||||
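The VBA macro inspection and improved JavaScript inspection notes above name the Snort 3 inspector settings and rule options involved (decompress_vba, js_norm, normalize_javascript, vba_data, js_data) but show no configuration. The following is an added example, not configuration from the release notes or from Cisco, written in standalone Snort 3 snort.lua form. On the management center the same keys are entered as inspector overrides in a custom network analysis policy and the rules through the intrusion rule editor; the key and option names are the same. The rule messages, content strings, and SIDs are constructed for illustration.

```lua
-- Added example, not configuration from the release notes or from Cisco.
-- Standalone Snort 3 (snort.lua) form of the settings named in the
-- "VBA macro inspection" and "Improved JavaScript inspection" notes.
-- On the management center the same keys are set as inspector overrides
-- in a custom network analysis policy; rules go through the rule editor.

-- VBA macro inspection: decompress_vba is off by default in every
-- system-provided network analysis policy. Enable it in each inspector
-- that carries Office documents so the vba_data buffer is populated.
http_inspect = { decompress_vba = true }
smtp         = { decompress_vba = true }
imap         = { decompress_vba = true }
pop          = { decompress_vba = true }

-- JavaScript inspection: the improved normalizer (js_norm) is on by
-- default, so nothing needs to be set for it. The legacy normalizer is
-- the normalize_javascript switch; leave it off unless you need the old
-- behaviour. Setting it explicitly records the intent in the policy.
http_inspect.normalize_javascript = false

-- Constructed local rules (SIDs in the local 1000000+ range, content
-- strings chosen for illustration only). Each rule first selects the
-- decompressed or normalized buffer, then matches against it instead of
-- against the raw, still-compressed or still-obfuscated payload.
ips = {
    rules = [[
alert tcp any any -> any any ( msg:"LOCAL Office document contains an auto-run VBA macro"; flow:established; vba_data; content:"Sub AutoOpen",nocase; sid:1000001; rev:1; )
alert http any any -> any any ( msg:"LOCAL normalized JavaScript evaluates an unescaped string"; flow:to_client,established; js_data; content:"eval(unescape(",nocase; sid:1000002; rev:1; )
]],
}
```

Because the improved normalizer renames user-defined identifiers and dealiases them, rules on js_data should key on built-in names and literal syntax (as the eval/unescape rule does); content that depends on a script's own variable names will not match the normalized buffer. Likewise, a vba_data rule only fires when decompress_vba is enabled in the inspector that carried the document, so enable it on every relevant protocol rather than only http_inspect.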
Improved SMB 3 inspection. |
7.2.0 |
7.2.0 with Snort 3 |
We now support inspection of SMB 3 traffic in the following situations:
For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide. |
|||||||||||||||
Event Logging and Analysis |
||||||||||||||||||
Log security events to multiple Secure Network Analytics on-prem data stores. |
7.2.0 |
7.0.0 |
When you configure a Secure Network Analytics Data Store (multi-node) integration, you can now add multiple flow collectors for security events. You assign each flow collector to one or more threat defense devices running Version 7.0+. New/modified screens: This feature requires Secure Network Analytics Version 7.1.4. For more information, see the Cisco Security Analytics and Logging (On Premises): Firewall Event Integration Guide. |
|||||||||||||||
Database access changes. |
7.2.0 |
Any |
We added ten new tables, deprecated one table, and prohibited joins in six tables. We also added fields to various tables for Snort 3 support and to provide timestamps and IP addresses in human-readable format. For more information, see the What's New topic in the Cisco Secure Firewall Management Center Database Access Guide, Version 7.2. |
|||||||||||||||
eStreamer changes. |
7.2.0 |
Any |
A new Python-based reference client has been added to the SDK. Also, you can now request fully qualified events. For more information, see the What's New topic in the Cisco Secure Firewall Management Center Event Streamer Integration Guide, Version 7.2. |
|||||||||||||||
Deployment and Policy Management |
||||||||||||||||||
Auto rollback of a deployment that causes a loss of management connectivity. |
7.2.0 |
7.2.0 |
You can now enable auto rollback of the configuration if a deployment causes the management connection between the management center and threat defense to go down. Previously, you could only manually roll back a configuration using the configure policy rollback command. New/modified screens: For more information, see Device Management. |
|||||||||||||||
Generate and email a report when you deploy configuration changes. |
7.2.0 |
Any |
You can now generate a report for any deploy task. The report contains details about the deployed configuration. New/modified pages: Deployment History ( For more information, see Configuration Deployment. |
|||||||||||||||
Access control policy locking. |
7.2.0 |
Any |
You can now lock an access control policy to prevent other administrators from editing it. Locking the policy ensures that your changes will not be invalidated if another administrator edits the policy and saves changes before you save your changes. Any user who has permission to modify the access control policy has permission to lock it. We added an icon to lock or unlock a policy next to the policy name while editing the policy. In addition, there is a new permission to allow users to unlock policies locked by other administrators: Override Access Control Policy Lock. This permission is enabled by default in the Administrator, Access Admin, and Network Admin roles. For more information, see Access Control Policies. |
|||||||||||||||
Object group search is enabled by default. |
7.2.0 |
Any |
The Object Group Search setting is now enabled by default when you add a device to the management center. New/modified screens: For more information, see Device Management. |
|||||||||||||||
Access control rule hit counts persist over reboot. |
7.2.0 |
7.2.0 |
Rebooting a managed device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained by each unit in an HA pair or cluster separately. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or see the counts per node. New/modified CLI commands: show rule hits. For more information, see the Cisco Secure Firewall Threat Defense Command Reference. |
|||||||||||||||
New user interface for the access control policy. |
7.2.0 |
Any |
There is a new experimental user interface available for the access control policy. You can continue to use the legacy user interface, or you can try out the new user interface. The new interface has both a table and a grid view for the rules list, the ability to show or hide columns, enhanced search, infinite scroll, a clearer view of the packet flow related to policies associated with the access control policy, and a simplified add/edit dialog box for creating rules. You can freely switch back and forth between the legacy and new user interfaces while editing an access control policy. For more information, see Access Control Policies. |
|||||||||||||||
Upgrade |
||||||||||||||||||
Copy upgrade packages ("peer-to-peer sync") from device to device. |
7.2.0 |
7.2.0 |
Instead of copying upgrade packages to each device from the management center or internal web server, you can use the threat defense CLI to copy upgrade packages between devices ("peer-to-peer sync"). This secure and reliable resource sharing goes over the management network but does not rely on the management center. Each device can accommodate 5 concurrent package transfers. This feature is supported for Version 7.2.x–7.4.x standalone devices managed by the same Version 7.2.x–7.4.x standalone management center. It is not supported for:
New/modified CLI commands: configure p2psync enable, configure p2psync disable, show peers, show peer details, sync-from-peer, show p2p-sync-status |
|||||||||||||||
Auto-upgrade to Snort 3 after successful threat defense upgrade. |
7.2.0 |
7.2.0 |
When you use a Version 7.2+ management center to upgrade threat defense to Version 7.2+, you can now choose whether to Upgrade Snort 2 to Snort 3. After the software upgrade, eligible devices upgrade from Snort 2 to Snort 3 when you deploy configurations. For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For help, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version. Version restrictions: Not supported for threat defense upgrades to Version 7.0.x or 7.1.x. |
|||||||||||||||
Upgrade for single-node clusters. |
7.2.0 |
Any |
You can now use the device upgrade page (System( Hitless upgrades are also not supported in this case. Interruptions to traffic flow and inspection depend on the interface configurations of the lone active unit, just as with standalone devices. Supported platforms: Firepower 4100/9300, Secure Firewall 3100 |
|||||||||||||||
Revert threat defense upgrades from the CLI. |
7.2.0 |
7.2.0 |
You can now revert threat defense upgrades from the device CLI if communications between the management center and device are disrupted. Note that in high availability/scalability deployments, revert is more successful when all units are reverted simultaneously. When reverting with the CLI, open sessions with all units, verify that revert is possible on each, then start the processes at the same time. New/modified CLI commands: upgrade revert, show upgrade revert-info. For more information, see Revert the Upgrade. |
|||||||||||||||
Administration |
||||||||||||||||||
Multiple DNS server groups for resolving DNS requests. |
7.2.0 |
Any |
You can configure multiple DNS groups for the resolution of DNS requests from client systems. You can use these DNS server groups to resolve requests for different DNS domains. For example, you could have a catch-all default group that uses public DNS servers, for use with connections to the Internet. You could then configure a separate group to use internal DNS servers for internal traffic, for example, any connection to a machine in the example.com domain. Thus, connections to an FQDN using your organization’s domain name would be resolved using your internal DNS servers, whereas connections to public servers use external DNS servers. New/modified screens: For more information, see Platform Settings. |
|||||||||||||||
Configure certificate validation with threat defense by usage type. |
7.2.0 |
7.2.0 |
You can now specify the usage types where validation is allowed with the trustpoint (the threat defense device): IPsec client connections, SSL client connections, and SSL server certificates. New/modified screens: We added a Validation Usage option to certificate enrollment objects. For more information, see Object Management. |
|||||||||||||||
French language option for web interface. |
7.2.0 |
Any |
You can now switch the management center web interface to French. New/modified screens: System ( For more information, see System Configuration. |
|||||||||||||||
Web interface changes: deployment and user activity integrations. |
7.2.0 |
Any |
Version 7.2 changes these management center menu options in all cases.
|
|||||||||||||||
Troubleshooting |
||||||||||||||||||
Dropped packet statistics for the Secure Firewall 3100. |
7.2.0 |
7.2.0 |
The new show packet-statistics threat defense CLI command displays comprehensive information about non-policy related packet drops. Previously this information required using several commands. For more information, see the Cisco Secure Firewall Threat Defense Command Reference. |
|||||||||||||||
Deprecated Features |
||||||||||||||||||
Deprecated: EIGRP with FlexConfig. |
7.2.0 |
Any |
You can now configure EIGRP routing from the management center web interface. You no longer need these FlexConfig objects: Eigrp_Configure, Eigrp_Interface_Configure, Eigrp_Unconfigure, Eigrp_Unconfigure_all. And these associated text objects: eigrpAS, eigrpNetworks, eigrpDisableAutoSummary, eigrpRouterId, eigrpStubReceiveOnly, eigrpStubRedistributed, eigrpStubConnected, eigrpStubStatic, eigrpStubSummary, eigrpIntfList, eigrpAS, eigrpAuthKey, eigrpAuthKeyId, eigrpHelloInterval, eigrpHoldTime, eigrpDisableSplitHorizon. The system does allow you to deploy post-upgrade, but also warns you to redo your EIGRP configurations. To help you with this process, we provide a command-line migration tool. For details, see Migrating FlexConfig Policies. |
|||||||||||||||
Deprecated: VXLAN with FlexConfig. |
7.2.0 |
Any |
You can now configure VXLAN interfaces from the management center web interface. You no longer need these FlexConfig objects: VxLAN_Clear_Nve, VxLAN_Clear_Nve_Only, VxLAN_Configure_Port_And_Nve, VxLAN_Make_Nve_Only, VxLAN_Make_Vni. And these associated text objects: vxlan_Port_And_Nve, vxlan_Nve_Only, vxlan_Vni. If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings. |
|||||||||||||||
Deprecated: Automatic pre-upgrade troubleshooting. |
7.2.0 |
Any |
To save time and disk space, the management center upgrade process no longer automatically generates troubleshooting files before the upgrade begins. Note that device upgrades are unaffected and continue to generate troubleshooting files. To manually generate troubleshooting files for the management center, choose System( |
|||||||||||||||
Deprecated: Geolocation details. |
Any |
Any |
In May 2022 we split the GeoDB into two packages: a country code package mapping IP addresses to countries/continents, and an IP package containing additional contextual data associated with routable IP addresses. In January 2024, we stopped providing the IP package. This saves disk space and does not affect geolocation rules or traffic handling in any way. Any contextual data is now stale, and upgrading to most later versions deletes the IP package. Options to download the IP package or view contextual data have no effect, and are removed in later versions. |
Device Manager Features in Version 7.2.x
Feature |
Description |
---|---|
Platform Features |
|
Firepower 1010E. |
We introduced the Firepower 1010E, which does not support power over Ethernet (PoE). Minimum threat defense: 7.2.3 |
Threat defense virtual for GCP. |
You can now use device manager to configure threat defense virtual for GCP. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
Threat defense virtual for Megaport. |
You can now use device manager to configure threat defense virtual for Megaport (Megaport Virtual Edge). High availability is supported. Minimum threat defense: 7.2.8 Other version restrictions: Initially, you may not be able to freshly deploy Versions 7.3.x or 7.4.x. Instead, deploy Version 7.2.8–7.2.x and upgrade. See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide |
Network modules for the Secure Firewall 3100. |
We introduced these network modules for the Secure Firewall 3100:
Minimum threat defense: 7.2.1 |
Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM. |
We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM. Minimum threat defense: 7.2.1 |
ISA 3000 support for shutting down. |
Support returns for shutting down the ISA 3000. This feature was introduced in Version 7.0.2 but was temporarily deprecated in Version 7.1. |
Firewall and IPS Features |
|
Object-group search is enabled by default for access control. |
The CLI configuration command object-group-search access-control is now enabled by default for new deployments. If you are configuring the command using FlexConfig, you should evaluate whether that is still needed. If you need to disable the feature, use FlexConfig to implement the no object-group-search access-control command. |
Rule hit counts persist over reboot. |
Rebooting a device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained by each unit in an HA pair or cluster separately. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or see the counts per node. We modified the following threat defense CLI command: show rule hits. |
VPN Features |
|
IPsec flow offload. |
On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance. You can change the configuration using FlexConfig and the flow-offload-ipsec command. See: IPSec Flow Offload |
Interface Features |
|
Breakout port support for the Secure Firewall 3130 and 3140. |
You can now configure four 10GB breakout ports for each 40GB interface on the Secure Firewall 3130 and 3140. New/modified screens: |
Enabling or disabling Cisco Trustsec on an interface. |
You can enable or disable Cisco Trustsec on physical, subinterface, EtherChannel, VLAN, Management, or BVI interfaces, whether named or unnamed. By default, Cisco Trustsec is enabled automatically when you name an interface. We added the Propagate Security Group Tag attribute to the interface configuration dialog boxes, and the ctsEnabled attribute to the various interface APIs. |
Licensing Features |
|
Permanent License Reservation Support for ISA 3000. |
ISA 3000 now supports Universal Permanent License Reservation for approved customers. |
Administrative and Troubleshooting Features |
|
Ability to force full deployment. |
When you deploy changes, the system normally deploys just the changes made since the last successful deployment. However, if you are experiencing problems, you can elect to force a full deployment, which completely refreshes the configuration on the device. We added the Apply Full Deployment option to the deployment dialog box. |
Automatically update CA bundles. |
Upgrade impact. The system connects to Cisco for something new. The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature. New/modified CLI commands: configure cert-update auto-update, configure cert-update run-now, configure cert-update test, show cert-update. Version restrictions: This feature is included in Versions 7.0.5+, 7.1.0.3+, and 7.2.4+. It is not supported in earlier 7.0, 7.1, or 7.2 releases. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco. |
Threat defense REST API version 6.3 (v6). |
The threat defense REST API for software version 7.2 is version 6.3. You can use v6 in the API URLs, or preferentially, use /latest/ to signify you are using the most recent API version that is supported on the device. Note that the URL version path element for 6.3 is the same as 6.0, 6.1, and 6.2: v6. Please re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, log into device manager, then click the more options button ( |
Upgrade Impact Features
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.
Important |
Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing a Maintenance Release. |
Upgrade Impact Features for Management Center
Check all releases between your current and target version.
Target Version |
Features with Upgrade Impact |
---|---|
Upgrade Impact Features for Threat Defense with Management Center
Check all releases between your current and target version.
Target Version |
Features with Upgrade Impact |
---|---|
Upgrade Impact Features for Threat Defense with Device Manager
Check all releases between your current and target version.
Target Version |
Features with Upgrade Impact |
---|---|
Upgrade Guidelines
The following sections contain release-specific upgrade warnings and guidelines. You should also check for features and bugs with upgrade impact. For general information on time/disk space requirements and on system behavior during upgrade—which can include interruptions to traffic flow and inspection—see the appropriate upgrade guide: For Assistance.
Upgrade Guidelines for Management Center
Target Version |
Current Version |
Guideline |
Details |
---|---|---|---|
7.2.8.x |
7.2.8.0 |
Patch uninstall not supported: Version 7.2.8.x to Version 7.2.8.0. |
Uninstall is not supported for the Version 7.2.8.1 management center patch. Because patches are cumulative, and because uninstalling returns you to the patch level you upgraded from, this means that uninstall is not supported from any Version 7.2.8.x patch back to Version 7.2.8 (the base version). |
7.2.6 |
6.6.0–7.2.5 |
Upgrade not recommended: Version 7.2.6. |
Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. |
7.0.0–7.2.x |
6.4.0–6.7.x |
Reconnect with Threat Grid for high availability management centers. |
Version 7.0.0 fixes an issue with management center high availability and malware detection where, after failover, the system stopped submitting files for dynamic analysis (CSCvu35704). For the fix to take effect, you must reassociate with the Cisco Threat Grid public cloud after upgrading. After you upgrade the high availability pair to Version 7.0.0+, on the primary management center:
|
Upgrade Guidelines for Threat Defense with Management Center
Target Version |
Current Version |
Guideline |
Details |
---|---|---|---|
7.2.6 |
6.6.0–7.2.5 |
Upgrade not recommended: Version 7.2.6. |
Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. |
7.2.0–7.6.x |
6.7.0–7.1.x |
Upgrade prohibited: threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+. |
You cannot upgrade threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+. You must deploy a new instance. |
7.2.0–7.2.6 |
7.1.x or 6.6.0–7.0.2 |
Unregister and reregister devices after reverting threat defense. |
If you revert from Version 7.2.0–7.2.6 to Version 6.6.0–7.0.2 or to Version 7.1.x, unregister and reregister devices after the revert completes (CSCwi31680). |
6.7.0–7.2.x |
6.4.0–6.6.x |
Upgrade failure: Firepower 1010 switch ports with invalid VLAN IDs. |
For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with a VLAN ID in the 3968–4047 range. These IDs are for internal use only. |
Upgrade Guidelines for Threat Defense with Device Manager
Target Version |
Current Version |
Guideline |
Details |
---|---|---|---|
7.2.6 |
6.6.0–7.2.5 |
Upgrade not recommended: Version 7.2.6. |
Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. |
6.7.0–7.2.x |
6.4.0–6.6.x |
Upgrade failure: Firepower 1010 switch ports with invalid VLAN IDs. |
For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with a VLAN ID in the 3968–4047 range. These IDs are for internal use only. |
Upgrade Guidelines for the Firepower 4100/9300 Chassis
In most cases, we recommend you use the latest FXOS build in each major version. For release-specific FXOS upgrade warnings and guidelines, as well as features and bugs with upgrade impact, see the FXOS release notes. Check all release notes between your current and target version: http://www.cisco.com/go/firepower9300-rns.
For firmware upgrade guidelines (for upgrades to FXOS 2.13 and earlier), see the firmware upgrade guide: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.
Upgrade Path
Planning your upgrade path is especially important for large deployments, high availability/clustering, multi-hop upgrades, and situations where you need to coordinate chassis, hosting environment or other upgrades. Those scenarios are covered in more detail in the upgrade guide: For Assistance.
Supported Direct Upgrades
This table shows the supported direct upgrades for management center and threat defense software. Note that although you can upgrade directly to maintenance (third-digit) releases, patches change the fourth digit only. You cannot upgrade directly to a patch from a previous major or maintenance release.
For the Firepower 4100/9300, the table also lists companion FXOS versions. If a chassis upgrade is required, the threat defense upgrade is blocked until the chassis has been upgraded. In most cases we recommend the latest build in each version; for minimum builds, see the Cisco Secure Firewall Threat Defense Compatibility Guide.
| Current Version | Target 7.6 | Target 7.4 | Target 7.3 | Target 7.2 | Target 7.1 | Target 7.0 | Target 6.6 | Target 6.4 |
|---|---|---|---|---|---|---|---|---|
| Firepower 4100/9300 FXOS version for chassis upgrades | 2.16 | 2.14 | 2.13 | 2.12 | 2.11 | 2.10 | 2.8 | 2.6 |
| 7.6 | YES | — | — | — | — | — | — | — |
| 7.4 | YES | YES * | — | — | — | — | — | — |
| 7.3 | YES | YES | YES | — | — | — | — | — |
| 7.2 | YES | YES | YES | YES | — | — | — | — |
| 7.1 | YES | YES | YES | YES | YES | — | — | — |
| 7.0 | — | YES | YES | YES | YES | YES | — | — |
| 6.6 | — | — | — | YES | YES | YES | YES | — |
| 6.4 | — | — | — | — | — | YES | YES | — |
| 6.2.3 | — | — | — | — | — | — | YES | YES |
* You cannot upgrade threat defense to Version 7.4.0, which is available as a fresh install on the Secure Firewall 4200 only. Instead, upgrade your management center and devices to Version 7.4.1+.
Choosing a Maintenance Release
Important: In most cases, we recommend you go directly to the latest maintenance release in your chosen major version.
Features, enhancements, and critical fixes included in maintenance releases (third-digit) and patches (fourth-digit) can skip future releases, depending on release date, release type (short term vs. long term), and other factors. To minimize upgrade and other impact, do not upgrade to a release that deprecates features or fixes. If you cannot go to the latest maintenance release, at least make sure your target version was released on a date after your current version. If you are running a patch, you may also want to check that the patch was also released after your target version, depending on the included fixes. For a full list of release dates including patches, see Cisco Secure Firewall Management Center New Features by Release or Cisco Secure Firewall Device Manager New Features by Release.
If your current version is not listed next to your target version here, choose a later target.
| Target Version | Released | Current 6.6 | Current 6.7 (EOS) | Current 7.0 | Current 7.1 | Current 7.2 |
|---|---|---|---|---|---|---|
| 7.2.9 | 2024-10-22 | 6.6.0–6.6.7 | 6.7.0 | 7.0.0–7.0.6 | 7.1.0 | 7.2.0–7.2.8 |
| 7.2.8 | 2024-06-24 | 6.6.0–6.6.7 | 6.7.0 | 7.0.0–7.0.6 | 7.1.0 | 7.2.0–7.2.7 |
| 7.2.7 | 2024-04-29 | 6.6.0–6.6.7 | 6.7.0 | 7.0.0–7.0.6 | 7.1.0 | 7.2.0–7.2.6 |
| 7.2.6 * | 2024-03-19 | — | — | — | — | — |
| 7.2.5 | 2023-07-27 | 6.6.0–6.6.7 | 6.7.0 | 7.0.0–7.0.6 | 7.1.0 | 7.2.0–7.2.4 |
| 7.2.4 | 2023-05-03 | 6.6.0–6.6.7 | 6.7.0 | 7.0.0–7.0.5 | 7.1.0 | 7.2.0–7.2.3 |
| 7.2.3 | 2023-02-27 | 6.6.0–6.6.7 | 6.7.0 | 7.0.0–7.0.5 | 7.1.0 | 7.2.0–7.2.2 |
| 7.2.2 | 2022-11-29 | 6.6.0–6.6.7 | 6.7.0 | 7.0.0–7.0.5 | 7.1.0 | 7.2.0–7.2.1 |
| 7.2.1 | 2022-10-03 | 6.6.0–6.6.7 | 6.7.0 | 7.0.0–7.0.4 | 7.1.0 | 7.2.0 |
| 7.2.0 | 2022-06-06 | 6.6.0–6.6.5 | 6.7.0 | 7.0.0–7.0.2 | 7.1.0 | — |
* No longer available.
Management Center Before Devices
The management center should run the same or newer version as its devices. This is because features and resolved issues often require the latest version on both the management center and its devices, including patches.
Upgrade the management center first—you will still be able to manage older devices, usually a few major versions back. If you begin with devices running a much older version than the management center, further management center upgrades can be blocked. In this case perform a three (or more) step upgrade: devices first, then the management center, then devices again.
Note: You cannot upgrade a device past the management center to a newer major or maintenance version. Although a patched device (fourth-digit) can be managed with an unpatched management center, fully patched deployments undergo enhanced testing.
Chassis Before Threat Defense
For the Firepower 4100/9300, major versions require an FXOS upgrade. You should also check for firmware upgrades.
Because you upgrade the chassis first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of threat defense. If the chassis is already well ahead of its devices, further chassis upgrades can be blocked. In this case perform a three (or more) step upgrade: devices first, then the chassis, then devices again. Or, perform a full reimage. In high availability or clustered deployments, upgrade one chassis at a time.
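The ordering rules in the upgrade-path sections above (the direct-upgrade table, the patch and maintenance-release rules, management center before devices, chassis before threat defense) can be checked mechanically before an upgrade window is scheduled. The following is an added example written for this page, not Cisco's own tooling: the `check_threat_defense_upgrade` function and its arguments are this example's own, the tables are transcribed from this section, only the 7.2.x release dates listed here are known to it (so the date rule fires only when both dates are known), and an upgrade within a single major train is treated as allowed.

```python
"""Upgrade-plan checker for the rules in this section (added example, not Cisco tooling)."""
from __future__ import annotations

from datetime import date
from typing import NamedTuple


class Version(NamedTuple):
    """major.minor.maintenance.patch, e.g. 7.2.5.1; missing trailing digits default to 0."""
    major: int
    minor: int
    maint: int = 0
    patch: int = 0

    @classmethod
    def parse(cls, text: str) -> Version:
        parts = [int(p) for p in text.strip().split(".")]
        if not 2 <= len(parts) <= 4:
            raise ValueError(f"bad version string: {text!r}")
        return cls(*parts)

    @property
    def train(self) -> tuple[int, int]:  # major release, e.g. (7, 2)
        return (self.major, self.minor)

    @property
    def maintenance(self) -> tuple[int, int, int]:  # third-digit release
        return (self.major, self.minor, self.maint)


# "Supported Direct Upgrades" table: current train -> trains reachable in one hop.
DIRECT_UPGRADES = {
    (7, 6): {(7, 6)},
    (7, 4): {(7, 6), (7, 4)},
    (7, 3): {(7, 6), (7, 4), (7, 3)},
    (7, 2): {(7, 6), (7, 4), (7, 3), (7, 2)},
    (7, 1): {(7, 6), (7, 4), (7, 3), (7, 2), (7, 1)},
    (7, 0): {(7, 4), (7, 3), (7, 2), (7, 1), (7, 0)},
    (6, 6): {(7, 2), (7, 1), (7, 0), (6, 6)},
    (6, 4): {(7, 0), (6, 6)},
    (6, 2): {(6, 6), (6, 4)},  # the table row is 6.2.3
}
# Companion FXOS version a Firepower 4100/9300 chassis needs for each target train.
FXOS_COMPANION = {(7, 6): (2, 16), (7, 4): (2, 14), (7, 3): (2, 13), (7, 2): (2, 12),
                  (7, 1): (2, 11), (7, 0): (2, 10), (6, 6): (2, 8), (6, 4): (2, 6)}
# Release dates from the "Choosing a Maintenance Release" table; only 7.2.x is listed there.
RELEASE_DATES = {Version(7, 2, m): d for m, d in [
    (9, date(2024, 10, 22)), (8, date(2024, 6, 24)), (7, date(2024, 4, 29)),
    (6, date(2024, 3, 19)), (5, date(2023, 7, 27)), (4, date(2023, 5, 3)),
    (3, date(2023, 2, 27)), (2, date(2022, 11, 29)), (1, date(2022, 10, 3)),
    (0, date(2022, 6, 6))]}
DEFERRED = {Version(7, 2, 6)}            # withdrawn; do not upgrade to it
FRESH_INSTALL_ONLY = {Version(7, 4, 0)}  # footnote: no upgrade path to 7.4.0


def check_threat_defense_upgrade(current: str, target: str, *, management_center: str | None = None,
                                 chassis_fxos: str | None = None) -> list[str]:
    """Return the rules the plan breaks; an empty list means it follows this section."""
    cur, tgt = Version.parse(current), Version.parse(target)
    if tgt <= cur:
        return [f"target {target} is not newer than current {current}"]
    problems = []
    # Patches (fourth digit) are reachable only from the same maintenance release.
    if tgt.patch and cur.maintenance != tgt.maintenance:
        problems.append(f"cannot go directly to patch {target} from {current}; "
                        f"upgrade to {tgt.major}.{tgt.minor}.{tgt.maint} first")
    # Crossing trains needs a YES cell in the table; a hop within one train is treated
    # as allowed here and is governed by the release-date rule below.
    elif cur.train != tgt.train and tgt.train not in DIRECT_UPGRADES.get(cur.train, set()):
        problems.append(f"no direct upgrade from {current} to {target}; plan a multi-hop path")
    if tgt in FRESH_INSTALL_ONLY:
        problems.append(f"{target} is a fresh-install-only release; go to {tgt.major}.{tgt.minor}.1 or later")
    if tgt in DEFERRED:
        problems.append(f"{target} was deferred and is no longer available")
    # Maintenance-release rule: the target must have been released after the current
    # version. Only maintenance-release dates are known, so a patch uses its parent's date.
    cur_date = RELEASE_DATES.get(Version(*cur.maintenance))
    tgt_date = RELEASE_DATES.get(Version(*tgt.maintenance))
    if cur.maintenance != tgt.maintenance and cur_date and tgt_date and tgt_date <= cur_date:
        problems.append(f"{target} ({tgt_date}) predates {current} ({cur_date}); fixes may be missing")
    # "Management Center Before Devices": devices may not run a newer major or
    # maintenance release than their management center; only the patch digit may lead.
    if management_center and tgt.maintenance > Version.parse(management_center).maintenance:
        problems.append(f"upgrade management center {management_center} before devices go to {target}")
    # "Chassis Before Threat Defense": a 4100/9300 chassis needs the companion FXOS first.
    if chassis_fxos:
        need = FXOS_COMPANION.get(tgt.train)
        have = tuple(int(p) for p in chassis_fxos.split(".")[:2])
        if need and have < need:
            problems.append(f"chassis FXOS {chassis_fxos} is below {need[0]}.{need[1]}; upgrade the chassis first")
    return problems


if __name__ == "__main__":  # constructed sample plans
    for cur, tgt, mc, fxos in [("7.0.6", "7.2.9", "7.2.9", "2.12.0"), ("6.4.0", "7.2.9", None, None),
                               ("7.2.5", "7.2.5.2", None, None), ("7.2.3", "7.2.9", "7.2.8", None)]:
        issues = check_threat_defense_upgrade(cur, tgt, management_center=mc, chassis_fxos=fxos)
        print(f"{cur} -> {tgt}: {'OK' if not issues else '; '.join(issues)}")
```

The checker reports every rule a plan breaks rather than stopping at the first, because a multi-hop plan usually needs the management center, the chassis, and the device ordering fixed together; feed each intended hop through it separately. It encodes only what this section states, so a clean result still needs the release-specific guidelines and the FXOS release notes checked by hand.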
Bugs
For bugs in earlier releases, see the release notes for those versions. For cloud deployments, see the Cisco Cloud-Delivered Firewall Management Center Release Notes.
Important: We do not list open bugs for maintenance releases or patches. Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated' date does not mean that the list was fully accurate on that date—only that some change was made. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. If you have a support contract, you can obtain up-to-date bug lists with the Cisco Bug Search Tool.
Open Bugs in Version 7.2.0
Table last updated: 2024-05-02
| Bug ID | Headline |
|---|---|
| | Jumbo frame performance has degraded up to -45% on Firepower 2100 series |
| | 7.2.0 1984 Nutanix vFMC not accessible after upgrade from 7.1.0 |
| | TLS 1.3 connections to sites previously decrypted may fail |
| | Evicted units re-joined existing Cluster but not listed on Control and other evicted vFTD Cluster |
| | snp_fp_vxlan_encap_and_grp_send_common: failed to find adj. bp->l3_type = 8, inner_sip message |
| | vFTD installed with JF but still FMC shows info about JF getting enabled and to reboot vFTD |
| | Upgrade to 7.2 on FTDv for Nutanix is stuck after reboot |
| | Early data may cause xtls to not wait for probe response |
| | FPR3100: 25G optic may show link up on some 1/10G capable only fiber ports |
| | onPremFMC with only CDO Managed devices registered, Malware Event pages shows license warning |
| | User cannot filter by device in the new AC policy UI |
| | Inconsistencies seen after switching from old UI to new UI without saving the policy |
| | New AC Policy UI: ACP rule list takes a long time to load in case of large rule set |
| | Search is slow and semantic based searches are not working in new ACP UI |
| | Cannot copy rules from one policy to another policy using new AC policy UI |
| | Fetching hit counts takes longer in NEW ACP UI when compared to the legacy ACP UI |
| | ACP rule is deleted when discarding changes, post rule reposition. |
Resolved Bugs in Version 7.2.9
Table last updated: 2024-10-22
Bug ID |
Headline |
---|---|
App-instance showing as Started instead of Online |
|
[ENH] FTD should show error/warning when attaching a not valid certificate to the interface for VPN |
|
FXOS fault F1758 description should not be specific to subinterfaces |
|
ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports." |
|
ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low |
|
FXOS does not retry NTP sync with servers |
|
Time sync status and error message do not elaborate NTP server rejection case |
|
IKEv2 debugs: Received Policies and Expected Policies are empty |
|
For FTD HA or cluster, incorrect device name may be shown in eventing UI and dashboard statistics |
|
2X100G netmod card shows 10 Mbps on first member of port channel when second interface added |
|
ASA traceback and reload on Datapath process |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
ASA/FTD: Improve GTP Inspection Logging |
|
ASA/FTD: GTP Inspection engine serviceability |
|
Write wrapper around "kill" command to log who is calling it |
|
Intrusion user not able to change intrusion action and File Policy |
|
health alert for [FSM:STAGE:FAILED]: external aaa server configuration |
|
HashiCorp Vault's implementation of Shamir's secret sharing used precomp |
|
KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall |
|
Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used |
|
Unable to upload FTD version image to FCM |
|
Firewall Traceback and reload due to SNMP thread |
|
FTD: TLS Server Identity does not work if size of client hello more than TCP MSS bytes |
|
ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0 |
|
False critical high CPU alerts for FTD device system cores running instantaneous high usage |
|
ASA/FTD traceback and reload on thread DATAPATH |
|
Failed to transfer new image file to FPR2130 and traceback was observed |
|
ASA/FTD: Traceback and reload due to NAT change and DVTI in use |
|
ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
|
Incomplete rootwalk. snmpwalk on 816 MIB is getting timeout. |
|
FTD events stopped being sent to FMC, EventHandler logs "publishing blocked" |
|
Intermittently flow is getting white-listed by the snort for the unknow app-id traffic. |
|
ASA crashed with Saml scenarios |
|
Chassis Manager shows HTTP 500 Internal Server error in specific cases |
|
Syslog not updating when prefilter rule name changes |
|
ASA: Traceback and reload when switching from single to multiple mode |
|
ASA traceback due to panic event during SNMP configuration |
|
Strong Encryption license is not getting applied to ASA firewalls in HA. |
|
2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
|
Lina core observed in 6.4.0.17-22 in Kp with scaled traffic |
|
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, |
|
Message asa_log_client exited 1 time(s) seen multiple times |
|
evaluate open-vm-tools / VMware Tools on FMC for VMware -- CVE-2023-20900 and VMSA-2023-0019 |
|
The html/template package does not apply the proper rules for handling o |
|
NAT pool is not working properly despite is not reaching the 32k object ID limit. |
|
additional command outputs needed in FTD troubleshoot for blocks and ssl cache |
|
Lina core at snp_nat_xlate_verify_magic.part and soft traces |
|
Firepower WCCP router-id changes randomly when VRFs are configured |
|
FTD-HA does not fail over sometimes when snort3 crashes |
|
WM DT - ASA in transparent mode doesn't send equal IPv6 Router Advertisement packets to all nodes |
|
A flaw was found in glibc. In an uncommon situation, the gaih_inet fun |
|
Reload takes forever when reload command is issued on the lina prompt when devices are on HA |
|
ASA/FTD traceback and reload on process fsm_send_config_info_initiator |
|
[Multi-Instance] Second Hard Drive (FPR-MSP-SSD) not in use |
|
VTI tunnel goes down due to route change detected in VRF scenario |
|
Lina Traceback : Thread Name: DATAPATH during session terminate |
|
crypto_archive file generated after the software upgrade. |
|
A flaw was found in the Netfilter subsystem in the Linux kernel. The n |
|
A flaw was found in the Netfilter subsystem in the Linux kernel. The x |
|
urllib3 is a user-friendly HTTP client library for Python. urllib3 doe |
|
GTP connections, under certain circumstances do not get cleared on issuing clear conn. |
|
FTD traceback due to system memory exhaustion |
|
Datapath hogs causing clustering units to get kicked out of the cluster |
|
Management DNS Servers may be unreacheable if data interface is used as the gateway |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-34-17852' |
|
A memory leak flaw was found in Libtiff's tiffcrop utility. This issue |
|
SNMP OID ifOutDiscards on MIO are always zero despite show interface are non-zero |
|
FTD 1120 standby sudden reboot |
|
Traceback on FP2140 without any trigger point. |
|
FTD upgrade failling on script 999_finish/999_zz_install_bundle.sh |
|
ASA - Traceback the standby device while HA sync ACL-DAP |
|
ASA/FTD traceback and reload on thread DATAPATH |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to a watchdog in 9.16.3.23 code |
|
Python 3.x through 3.10 has an open redirection vulnerability in lib/h |
|
An issue was discovered in the Linux kernel before 6.3.3. There is an |
|
Twisted is an event-based framework for internet applications. Prior t |
|
Alert: Decommission failed, reason: Internal error is not cleared from FCM or CLI after acknowledge |
|
File-extracts.logs are not recognised by the diskmanager leading to high disk space |
|
FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions |
|
In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper scrip |
|
use kill tree function in SMA instead of SIGTERM |
|
Detailed logging related to reason behind sub-interface admin state change during operations |
|
FTD HA should not be created partially on FMC |
|
Hairpinning of DCE/RPC traffic during the suboptimal lookup |
|
Deployment fails on new AWS FTDv device with "no username admin" |
|
ASA traceback and reload on Thread Name: DATAPATH |
|
low memory/stress causing traceback in SNMP |
|
ISA3000 Traceback and reload boot loop |
|
ASA/FTD: DNS Load Balancing with SAML does not work with VPN Load Balancing |
|
ASA traceback and reload on Thread Name: pix_flash_config_thread |
|
ASA|FTD Traceback & reload in thread name Datapath |
|
TCP MSS is changed back to the default value when a VTI or loopback interface is created |
|
Snort3 traceback and restarts with race conditions |
|
Snot3 traceback in TcpReassembler::scan_data_post_ack |
|
SSL protocol settings does not modify the FDM GUI certificate configuration or disable TLSv1.1 |
|
The "show asp drop" command usage requires better updates for cluster-related drops |
|
Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic |
|
ASA Traceback and reload on Thread Name "fover_parse" on Standby after Failover Group changes |
|
MSP Quota setting for instances is not correct |
|
RAVPN SAML: External browser gives misleading message when FTD/ASA fails to parse assertion |
|
Suppress "End of script output before headers" syslog on FXOS |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Debugs failed to be enabled on SSH session |
|
ASA/FTD Traceback and reload related to SSL/DTLS traffic processing |
|
ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert. |
|
traceback and reload around function HA |
|
DHCPv6:ASA traceback on Thread Name: DHCPv6 CLIENT. |
|
WARN msg(speed not compatible, suspended) while creating port-channel on Victoria CE |
|
ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
|
ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsyned umbrella flow |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Firewall is in App Sync error in pseudo-standby mode and uses IPs from Active unit |
|
"Stream: TCP normalization error in NO_TIMESTAMP" is seen when SSL Policy decrypt all is used |
|
FTD: Improve or optimize LSP package verification logic to run it faster |
|
ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA |
|
Standby FTD experiencing periodic traceback and reload |
|
CCM ID 62 - LTS18 |
|
Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently |
|
An issue was discovered in drivers/input/input.c in the Linux kernel b |
|
An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl |
|
A vulnerability was found in GnuTLS. The response times to malformed c |
|
A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTL |
|
41xx/93xx : Update CiscoSSH (Chassis Manager FXOS) to address CVE-2023-48795 |
|
IKEv2 client services is not getting enabled - XML profile is not downloaded |
|
FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy |
|
some ssh sessions not timing out, leading to ssh and console unable to connect to the FXOS CLI |
|
Policy Deployment Fails when removing the Umbrella DNS Policy from Security Intelligence |
|
Snort stripping packet information and injects its packet with 0 bytes data |
|
HTTP/HTTPS detection for application needs to fail it's detection earlier |
|
Unable to send unknown file disposition to ThreatGrid due to mem cache issue |
|
Report file generated for AC policy is empty |
|
ASA CLI hangs with 'show run' on multiple SSH |
|
some stdout logs not rotated by logrotate |
|
TLS Server Identify: 'show asp table socket' output shows multiple TLS_TRK entries |
|
A use-after-free flaw was found in the __ext4_remount in fs/ext4/super |
|
In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel thro |
|
Traceback and reload on Primary unit while running debugs over the SSH session |
|
Access to website via Clientless SSL VPN Fails |
|
FTD/ASA - SNMP queries using snmpwalk are not displaying all "nameif" interfaces |
|
ASA SNMP Polling Failure for environmental FXOS DME MIB (.1.3.6.1.4.1.9.9.826.2) |
|
Check metadata cache size when generating retrospective events |
|
A memory leak problem was found in ctnetlink_create_conntrack in net/n |
|
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab |
|
linux-pam (aka Linux PAM) before 1.6.0 allows attackers to cause a den |
|
copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 |
|
"crypto ikev2 limit queue sa_init" resets after reboot |
|
FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average |
|
Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall. |
|
ASA traceback and reload after configuring capture on nlp_int_tap and deleting context |
|
FTD traceback assert in vni_idb_get_mode and reloaded |
|
unzip 5.52 is from 2005 is contains multiple vulnerabilities |
|
Policy deployment failure rollback didnt reconfigure the FTD devices |
|
Snort process spamming syslog-ng messages so our on KP platform syslog-ng is being killed |
|
ASA Checkheaps traceback while entering same engineID twice |
|
In Spoke dual ISP case if ISP2 is down, VTI tunnels related to ISP1 flapping. |
|
ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion |
|
ASA upgrade from 9.16 to 9.18 causing change in AAA ldap attribute values by adding extra slash '\' |
|
The DNS message parsing code in 'named' includes a section whose compu |
|
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6 |
|
libexpat through 2.5.0 allows a resource consumption denial of service event |
|
libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DT |
|
A denial of service vulnerability due to a deadlock was found in sctp_ |
|
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1 |
|
An out-of-memory flaw was found in libtiff that could be triggered by |
|
ASA/FTD Traceback and Reload during ssl session establishment |
|
Upload files through Clientless portal is not working as expected after the ASA upgrade |
|
FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU) |
|
The secondary device reloaded while rebooting the primary device. |
|
Bailout when lina_io_write fails persistent with EPIPE errno. |
|
Policy cache cleanup thread should cleanup any cache that is left open for a logged out session |
|
A flaw was found in the Netfilter subsystem in the Linux kernel. The i |
|
Crypto IPSEC SA Output Showing NO SA ERROR With IPSEC Offload Enabled |
|
CCM ID 67 - LTS18 |
|
Backup exits with memory allocation error on 4115 |
|
SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
|
FTD: Primary takes active role after reloading |
|
ASA/FTD may traceback and reload in Thread Name 'lina' related to Netflow timer infra |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
ASA: Warning messages not displayed when Static interface NAT are configured |
|
FTD with Interface object optimization enabled is blocking traffic after renaming of zone names |
|
Active unit goes to disabled state when there is a mismatch in firewall mode |
|
Lina traceback and reload due to mps_hash_memory pointing to null hash table |
|
After upgrading the ASA, “Slot 1: ATA Compact Flash memory” shows a ditterent value |
|
extra file check is not reporting with pmtool SecureLSP lsp-rel-xxx command |
|
Issue when two FQDN objects with same IP are added in source or destination (FTD/ASA) |
|
FTD/ASA : CSR generation with comma between “Company Name” attribute does not work expected |
|
Lina contains outdated libexpat source code |
|
Snort3: SQL traffic failure after upgrade due to large invalid sequence numbers and invalid ACKs |
|
SFDataCorrelator memory leak after unregistering an active device |
|
Addition of debugs & a show command to capture the ID usage in the CTS SXP flow. |
|
Segmentation fault with "logger_msg_dispatch" while HA sync |
|
Clientless VPN users are unable to reach pages with HTTP Basic Authentication |
|
ASA/FTD may traceback and reload while handling DTLS traffic |
|
IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal |
|
ASA/FTD Cluster memory exhaustion caused by NAT process during release of port blocks allocations |
|
Command to show counters for access-policy filtered with a source IP address gives incorrect result |
|
Multiple context interfaces fail to pass traffic |
|
Dns-guard prematurely closing conn due to timing condition |
|
ASA traceback with thread name SSH |
|
High latency observed on FPR31xx or FPR42xx |
|
SFDataCorrelator memory growth when pruning a huge number of old service identities |
|
FTD: Backups fail on Multi-Instance or standalone with error "Backup died unexpectedly" |
|
Additional memory tracking in SFDataCorrelator |
|
ASA/FTD may traceback in Threadname: **CTM KC FPGA stats handler** |
|
SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets |
|
A bug in QEMU could cause a guest I/O operation otherwise addressed to |
|
libexpat through 2.6.1 allows an XML Entity Expansion attack when ther |
|
A heap-buffer-overflow vulnerability was found in LibTIFF, in extractI |
|
when set the route-map in route RIP on FTD, routes update is not working after FTD reload |
|
Cisco Secure Client Unable to complete connection. Cisco Secure Desktop not installed on the client. |
|
ASA traceback and reload when accessing file system from ASDM |
|
SFDataCorrelator high memory usage when restart with large network map hosts |
|
Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
|
All IPV6 BGP routes configured in device flapping |
|
Traceback observed while applying 'no failover' and 'failover' in the ASA standby |
|
ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload. |
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803' |
|
File descriptor leak when validating upgrade images |
|
Error message spammed to console on Firepower 2100 devices while enabling SSH config |
|
Snort3: MSSQL query traffic corrupted by stream_tcp overlap handling causing SQL HY000 |
|
Console Access Stuck for ASAv hosted in CSP after Upgrade to 9.18.3.56 |
|
Snort3 continuous traceback & reload with each deployment |
|
FTD/ASA-HA configs not in sync as the command sync process is sending configs with special chars |
|
Default Hashing Algorithm is SHA1 for Firepower Chassis Manager Certificate on 4110 |
|
Deployment time increased by 30-45 seconds after the upgrade when applying specific Platform Setting |
|
sync call got stuck resulting in boot loop |
|
ASA - Bookmarks on the WebVPN portal are unreachable after successful login. |
|
ASA may traceback and reload in Thread Name 'DATAPATH-21-16432' |
|
SNMP OID for CPUTotal1min omits snort cpu cores entries when polled |
|
ASAv Memory leak involving PKI/Crypto for VPN |
|
Syslogs continue to be sent after disabling logging class on ASA |
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
ASA/FTD may traceback and reload in Thread Name 'sdi_work' |
|
TLS Handshake Fails if Fragmented Client Hello Packet is Received Out of Order |
|
FDM HA deployment fails with 'ApplicationException: Unable to export to database' error |
|
FTD/ASA : Standby FTD traceback and reload after enabling memory tracking |
|
Seeing message "reg_fover_nlp_sessions: failover ioctl C_FOREG failed" |
|
FMC on upgrade results in FTDv losing its performance tier |
|
FPR might drop TLS1.3 connections when hybridized kyber cipher is enabled in web browser |
|
SNMP v1 and v2c traps from diagnostic and data ints stop working on a KP/vFTD after product upgrade |
|
ASA/FTD may traceback and reload in Thread Name 'fover_FSM_thread' |
|
FTD may traceback and reload in process name lina while processing appAgent msg reply |
|
Faulty input validation in the core of Apache allows malicious or expl |
|
In GNU tar before 1.35, mishandled extension attributes in a PAX archi |
|
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of |
|
FTD HA: Traceback and reload in netsnmp_oid_compare_ll |
|
HTTP Response splitting in multiple modules in Apache HTTP Server allo |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
In the Linux kernel, the following vulnerability has been resolved: d |
|
In the Linux kernel, the following vulnerability has been resolved: B |
|
HTTP/2 incoming headers exceeding the limit are temporarily buffered i |
|
wall in util-linux through 2.40, often installed with setgid tty permi |
|
The iconv() function in the GNU C Library versions 2.39 and older may |
|
less through 653 allows OS command execution via a newline character i |
|
Snort2 SSL decryption with known key fails on Chrome v124 and above. |
|
ASA after upgrade to 9.18.4.24 not able to save config with error: "Configuration line too long" |
|
disable stat check for file |
|
Browser redirects to logon page when the user clicks the WebVPN bookmark |
|
ASA Fails to initiate AAA Authentication with IKEv2-EAP and Windows Native VPN Client |
|
Snort2 - SSL decryption failing and some websites not loading on Chrome v124+ |
|
WebVPN connections stuck in CLOSEWAIT state |
|
ASA/FTD may traceback and reload in Thread Name PTHREAD |
|
FPR 21xx - Traceback in Process Name: lina-mps during normal operations |
|
ASA CLI hangs with 'show run' with multiple ssh sessions |
|
ASA/FTD SNMP polling fails due to overlapping networks in snmp-server host-group |
|
nscd: Stack-based buffer overflow in netgroup cache If the Name Servi |
|
nscd: netgroup cache may terminate daemon on memory allocation failure |
|
"set ip next-hop" line deleted from config at reload if IP address is matched to a NAME |
|
Add New Syslog for Routes for NP add/delete |
|
Serviceablity : Improve routing infra debugs and add new for error conditions |
|
Clock skew between FXOS and Lina causes SAML assertion processing failure |
|
FTD is not resolving FQDN for ACLs intermittently |
|
FTD/ASA traceback and reload due to 'show bgp summary' memory leak |
|
command to print the debug menu setting of service worker |
|
Connectivity failure due to mismatch between l2_table and subinterface mac address |
|
High LINA CPU observed due to NetFlow due to 'flow-export delay flow-create' configuration |
|
Traceback and reload on active unit due to HA break operation. |
|
TCP Session Interrupted if Keep-Alive with 1 Byte is Received |
|
SNMP polling of admin context mgmt interface fails to show all interfaces across all contexts |
|
Traceback and reload during FTD upgrade due to FQDN network object NAT |
|
ASA/FTD incorrectly forwards extended community attribute after upgrade. |
|
FTD : Management interface showing down despite being up and operational |
|
Traffic drop with 'rule-transaction-in-progress' after failover with TCM cfgd in multi-ctx mode |
|
State Link Stops Sending Hello Messages Post-Failover Triggered by Snort traceback in FTD HA |
|
FTD doesn't send Type A query after receiving a refuse error from one DNS server in AAAA query. |
|
High Snort3 CPU as encrypted traffic isn't allow listed when TSID enabled |
|
ESP sequence number of 0 being sent after SA establishment/rekey |
|
Add warning message when configuring CCL MTU |
|
Snmpwalk displays incorrect interface speeds for values greater or equal than 10G |
|
Remove SGT frames/packets to allow VTI decryption |
|
Issue with Setting Certain Timezones (e.g. GMT+1) on Cisco ASA Firepower in Appliance Mode |
|
In the Linux kernel, the following vulnerability has been resolved: t |
|
FTD/ASA - VPN traffic flowing through the device may trigger tracebacks and reloads. |
|
ENH: Add application support for blocking consecutive AAA failures on LINA |
|
In the Linux kernel, the following vulnerability has been resolved: n |
|
Requests is a HTTP library. Prior to 2.32.0, when making requests thro |
|
In the Linux kernel, the following vulnerability has been resolved: B |
|
In the Linux kernel, the following vulnerability has been resolved: b |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
In the Linux kernel, the following vulnerability has been resolved: H |
|
Backup feature does not save/restore DAP configuration in multiple context mode. |
|
ASA/FTD: Substantial increase in the time taken to load configuration |
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
Safety Net for Infinite Recursion Crashes due to Bad Stream TCP State in Post-ACK mode |
|
NAT_HARDEN: CGNAT breaks when mapped ifc is configured as any |
|
256/1550 block depletion process fover_thread |
|
FTD/LINA may traceback and reload when "show capture" command is executed in EEM script |
|
High cpu on "update block depletion" causing BGP flap terminated on FTD |
|
Umbrella registration status is not synced to newly added data nodes |
|
FMC REST API calls to get AC policy data times out, AC policy GUI slowness with larger rule query |
|
Product Upgrades page showing 'Unknown Family 66' for FMC upgrade packages |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
In the Linux kernel, the following vulnerability has been resolved: i |
|
TLS1.3 Decryption configuration on SSL policy is affecting DND traffic. |
|
Packet-tracer output incorrectly appends 'control-plane' to drops for data-plane access-group |
|
The various Is methods (IsPrivate, IsLoopback, etc) did not work as ex |
|
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo |
|
GRE traffic getting dropped after failover |
|
Network address API calls taking long time to complete |
|
Vulnerabilities in linux-kernel CVE-2023-52439 |
|
Vulnerabilities in linux-kernel CVE-2023-52435 |
|
21xx: debug log process hangs preventing recovery from stuck writing operations |
|
FTD LINA Traceback and Reload dhcp_daemon Thread |
|
Evaluation of ssp for OpenSSH regreSSHion vulnerability |
|
ASA might traceback and reload due to ssh/client hitting a null pointer while using SCP. |
|
HA-monitored interfaces are going into "waiting" state and subsequently to "Failed" |
|
NTP is not synchronising when using SHA-1 authentication |
|
FXOS upgrade failure due to insufficient free space in /mnt/pss (isan.log consumes most of space) |
|
Split brain issue in HA failover due to which outage happened on customer network |
|
ASA: Site-to-Site VPN between contexts on the same device drops traffic due to 'ipsec-tun-down' |
|
BlastRADIUS vulnerability phase-1 fix for pix-asa - Message Authenticator |
|
The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/ |
|
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause inva |
|
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul |
|
null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and |
|
ASA/FTD may traceback and reload in Thread Name SSH |
|
ASA crashing in thread PIX Garbage Collector with inspect-rtsp enabled. |
|
Traffic outage due to 9k block depletion (tcpmod proc) observed on FPR 3100 (HA) |
|
ASA/FTD may traceback and reload in Process Name "lina" after device was reloaded |
|
FTDv50 traceback during normal operation at PTHREAD-8141 spin_lock_fair_mode_enqueue |
|
ASA/FTD may traceback and reload in Thread Name 'strlen' |
|
Radius Authentication test fails due to missing radclient command |
|
FTD: Lina might fail to respond to CONFIG_XML_REQUEST leading to stuck deployments |
|
Large number of stats files can cause events to be delayed |
|
Lina traceback and reload in data-path thread |
|
Unstable HA causing deployment failure |
|
Increased memory usage leading to tracebacks in Lina. |
|
Snort AppID incorrectly identifies SSH traffic as Unknown |
|
Disable cluster syn cookie decoding when FTD cluster is deployed with inline-set |
|
CGroups errors in ASA Syslog during every reboot |
|
Readiness check should be in place for larger undo/ibdata log files |
|
In the Linux kernel, the following vulnerability has been resolved: a |
|
In the Linux kernel, the following vulnerability has been resolved: t |
|
An issue was discovered in the C AMQP client library (aka rabbitmq-c) |
|
FTD CLISH/CLI gets locked up when trying to run any show command |
|
SIP traffic is affected due to unexpected behavior with NAT untranslations. |
|
Wrong drops seen with Invalid length for 23, 24 and 25 IE-Types during GTP inspection |
|
ASA/FTD may traceback and reload in Thread Name 'fover_parse' |
|
HW: 3110 not rebooting after power outage, requiring manual power cycle |
|
FMC GUI has a limitation to display only 50 SSH rules for FTD (Under platform settings >> SSH) |
|
Events or stats are missing after EventHandler logs "Error loading input module" |
|
FMC upgrade results in the standby FTDv losing its performance tier in FTD HA |
|
Dynamic Site-to-Site tunnels stuck in IN-NEG state When IKE_AUTH Is Missed |
Resolved Bugs in Version 7.2.8.1
Table last updated: 2024-08-26
Bug ID |
Headline |
---|---|
Address SSP OpenSSH regreSSHion vulnerability |
Resolved Bugs in Version 7.2.8
Table last updated: 2024-06-24
Bug ID |
Headline |
---|---|
ASA/FTD HA pair EIGRP routes getting flushed after failover |
|
High LINA CPU observed due to NetFlow configuration |
|
Threat Defense Upgrade wizard is unable to initiate hotfix installation on FTD clusters |
Resolved Bugs in Version 7.2.7
Table last updated: 2024-04-29
Bug ID |
Headline |
---|---|
FTD Boot Loop with SNMP Enabled after reload/upgrade |
Resolved Bugs in Version 7.2.6
Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade. The bugs listed here are also fixed in Version 7.2.7.
Table last updated: 2024-04-22
Bug ID |
Headline |
---|---|
OGO changing the order of custom object group contents causing an outage at static NAT |
Table last updated: 2024-07-26
Bug ID |
Headline |
---|---|