Cisco Secure Firewall Threat Defense Release Notes

This document contains release information for Version 7.4 of:

  • Cisco Secure Firewall Threat Defense

  • Cisco Secure Firewall Management Center (on-prem)

  • Cisco Secure Firewall device manager

Release Dates

Table 1. Version 7.4 Dates

Version   Build   Date         Platforms
7.4.1.1   12      2024-04-15   All
7.4.1     172     2023-12-13   All
7.4.0     81      2023-09-07   Management center, Secure Firewall 4200 series

Features

This document describes the new and deprecated features for Version 7.4.

For earlier releases, see Cisco Secure Firewall Management Center New Features by Release and Cisco Secure Firewall Device Manager New Features by Release.

Upgrade Impact

A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part; this is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade; for example, if you must change a configuration.

The feature descriptions below include upgrade impact where appropriate. For a more complete list of features with upgrade impact by version, see Upgrade Impact Features.

Snort

Snort 3 is the default inspection engine for threat defense. Snort 3 features for management center deployments also apply to device manager, even if they are not listed as new device manager features. However, keep in mind that the management center may offer more configurable options than device manager.


Important


If you are still using the Snort 2 inspection engine, switch to Snort 3 now for improved detection and performance. Snort 2 will be deprecated in a future release and will eventually prevent threat defense upgrade.


Intrusion Rules and Keywords

Upgrades can import and auto-enable new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords that are not supported in your current version, that rule is not imported when you update the SRU/LSP. After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.

For details on new keywords, see the Snort release notes: https://www.snort.org/downloads.

FlexConfig

Upgrades can add web interface or Smart CLI support for features that previously required FlexConfig. The upgrade does not convert FlexConfigs. After upgrade, configure the newly supported features in the web interface or Smart CLI. When you are satisfied with the new configuration, delete the deprecated FlexConfigs.

The feature descriptions below include information on deprecated FlexConfigs when appropriate. For a full list of deprecated FlexConfigs, see your configuration guide.


Caution


Although you cannot newly assign or create FlexConfig objects using deprecated commands, in most cases existing FlexConfigs continue to work and you can still deploy. However, sometimes, using deprecated commands can cause deployment issues.


Management Center Features in Version 7.4.1

Table 2. Management Center Features in Version 7.4.1

Each feature entry lists the feature, the minimum management center version, the minimum threat defense version, and details.

Reintroduced Features

Reintroduced features. (Minimum management center: feature dependent; minimum threat defense: feature dependent)

Version 7.4.1 reintroduces features, enhancements, and critical fixes that were included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but that were not included in odd-numbered versions (7.1.x, 7.3.x) or in Version 7.4.0.

Reintroduced features include:

Platform

Network modules for the Secure Firewall 3130 and 3140. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

The Secure Firewall 3130 and 3140 now support these network modules:

  • 2-port 100G QSFP+ network module (FPR3K-XNM-2X100G)

See: Cisco Secure Firewall 3110, 3120, 3130, and 3140 Hardware Installation Guide

Optical transceivers for Firepower 9300 network modules. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

The Firepower 9300 now supports these optical transceivers:

  • QSFP-40/100-SRBD

  • QSFP-100G-SR1.2

  • QSFP-100G-SM-SR

On these network modules:

  • FPR9K-NM-4X100G

  • FPR9K-NM-2X100G

  • FPR9K-DNM-2X100G

See: Cisco Firepower 9300 Hardware Installation Guide

Performance profile support for the Secure Firewall 3100. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

The performance profile settings available in the platform settings policy now apply to the Secure Firewall 3100. Previously, this feature was supported on the Firepower 4100/9300, the Secure Firewall 4200, and on threat defense virtual.

Interfaces

Deploy without the diagnostic interface on threat defense virtual for Azure and GCP. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

You can now deploy without the diagnostic interface on threat defense virtual for Azure and GCP. Previously, we required one management, one diagnostic, and at least two data interfaces. New interface requirements are:

  • Azure: one management, two data (max eight)

  • GCP: one management, three data (max eight)

Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

Device Management

Device management services supported on user-defined VRF interfaces. (Minimum management center: 7.4.1; minimum threat defense: any)

Device management services configured in the threat defense platform settings (NetFlow, SSH access, SNMP hosts, syslog servers) are now supported on user-defined Virtual Routing and Forwarding (VRF) interfaces.

Platform restrictions: Not supported with container instances or clustered devices.

High Availability/Scalability: Threat Defense

Multi-instance mode for the Secure Firewall 3100. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

You can deploy the Secure Firewall 3100 as a single device (appliance mode) or as multiple container instances (multi-instance mode). In multi-instance mode, you can deploy multiple container instances on a single chassis that act as completely independent devices. Note that in multi-instance mode, you upgrade the operating system and the firmware (chassis upgrade) separately from the container instances (threat defense upgrade).

New/modified screens:

  • Devices > Device Management > Add > Chassis

  • Devices > Device Management > Device > Chassis Manager

  • Devices > Platform Settings > New Policy > Chassis Platform Settings

  • Devices > Chassis Upgrade

New/modified threat defense CLI commands: configure multi-instance network ipv4, configure multi-instance network ipv6

New/modified FXOS CLI commands: create device-manager, set deploymode

Platform restrictions: Not supported on the Secure Firewall 3105.

16-node clusters for threat defense virtual for VMware and KVM. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

You can now configure 16-node clusters for threat defense virtual for VMware and threat defense virtual for KVM.

Target failover for clustered threat defense virtual devices for AWS. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

You can now configure target failover for clustered threat defense virtual devices for AWS using the AWS Gateway Load Balancer (GWLB).

Platform restrictions: Not available with five and ten-device licenses.

Detect configuration mismatches in threat defense high availability pairs. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

You can now use the CLI to detect configuration mismatches in threat defense high availability pairs.

New/modified CLI commands: show failover config-sync error, show failover config-sync stats

High Availability: Management Center

Management center high availability synchronization enhancements. (Minimum management center: 7.4.1; minimum threat defense: any)

Management center high availability (HA) includes the following synchronization enhancements:

  • Large configuration history files can cause synchronization to fail in high-latency networks. To prevent this from happening, the device configuration history files are now synchronized in parallel with other configuration data. This enhancement also reduces the synchronization time.

  • The management center now monitors the configuration history file synchronization process and displays a health alert if the synchronization times out.

New/modified screens: You can view these alerts on the following screens:

  • Notifications > Message Center > Health

  • Integration > Other Integrations > High Availability > Status (under Summary)

See: Viewing Management Center High Availability Status

SD-WAN

Application monitoring on the SD-WAN Summary dashboard. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

You can now monitor WAN interface application performance on the SD-WAN Summary dashboard.

New/modified screens: Overview > SD-WAN Summary > Application Monitoring

VPN

IPsec flow offload on the VTI loopback interface for the Secure Firewall 3100. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

Upgrade impact. Qualifying connections start being offloaded.

On the Secure Firewall 3100, qualifying IPsec connections through the VTI loopback interface are now offloaded by default. Previously, this feature was only supported on physical interfaces. This feature is automatically enabled by the upgrade.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

Crypto debugging enhancements for the Secure Firewall 3100 and Firepower 4100/9300. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

The crypto debugging enhancements introduced in Version 7.4.0 now apply to the Secure Firewall 3100 and the Firepower 4100/9300. Previously, they were only supported on the Secure Firewall 4200.

View details of the VTIs in route-based VPNs. (Minimum management center: 7.4.1; minimum threat defense: any)

You can now view the details of route-based VPNs' virtual tunnel interfaces (VTI) on your managed devices. You can also view details of all the dynamically created virtual access interfaces of the dynamic VTIs.

New/modified screens: Device > Device Management > Edit a device > Interfaces > Virtual Tunnels tab.

Routing

Configure BFD routing on IS-IS interfaces with FlexConfig. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

You can now use FlexConfig to configure Bidirectional Forwarding Detection (BFD) routing on physical, subinterface, and EtherChannel IS-IS interfaces.

Access Control: Threat Detection and Application Identification

Zero trust access enhancements. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1 with Snort 3)

Management center now includes the following zero trust access enhancements:

  • You can configure source NAT for an application. The configured network object or object group translates the incoming request's public network source IP address to a routable IP address inside the application network.

  • You can troubleshoot the zero trust configuration issues using the diagnostics tool.

  • To enhance your experience, we now collect zero trust application policy telemetry data.

New/modified screens: Policies > Access Control > Zero Trust Application

New/modified CLI commands: show running-config zero-trust, show zero-trust statistics

See:

CIP detection. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1 with Snort 3)

You can now detect and handle Common Industrial Protocol (CIP) by using CIP and Ethernet/IP (ENIP) application conditions in your security policies.

CIP safety detection. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1 with Snort 3)

CIP Safety is a CIP extension that enables the safe operation of industrial automation applications. The CIP inspector can now detect CIP Safety segments in CIP traffic. To detect and act on CIP Safety segments, enable the CIP inspector in the management center's network analysis policy and associate that network analysis policy with an access control policy.

New/modified screens: Policies > Access Control > Edit a policy > Add Rule > Applications tab > Search for CIP Safety in the search box.

See: Cisco Secure Firewall Management Center Snort 3 Configuration Guide

Access Control: Identity

Captive portal support for multiple Active Directory realms (realm sequences). (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

Upgrade impact. Update custom authentication forms.

You can configure active authentication for an LDAP realm, a Microsoft Active Directory realm, or a realm sequence. You can also configure a passive authentication rule to fall back to active authentication using either a realm or a realm sequence. Optionally, you can share sessions between managed devices that share the same identity policy in access control rules.

In addition, you have the option to require users to authenticate again when they access the system using a different managed device than they accessed previously.

If you use the HTTP Response Page authentication type, after you upgrade threat defense, you must add <select name="realm" id="realm"></select> to your custom authentication form. This allows the user to choose between realms.
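A complete custom HTTP Response Page form with the realm selector in place, added here as an example for the upgrade impact described above; it is not Cisco's form and is not part of the release notes. The realm element is exactly the one the release note requires. The form action, the post method, and the username and password field names are assumptions about how a typical custom form is laid out, so copy the realm element into your own form rather than replacing the form wholesale.

```html
<!-- Added example, not from the Cisco release notes: a minimal custom
     captive portal authentication form for the HTTP Response Page
     authentication type after upgrading threat defense to 7.4.1.
     ASSUMPTIONS: the action="/" and method="post" attributes and the
     field names "username" and "password" mirror a typical custom form;
     keep whatever your existing form already uses for those. -->
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Network Authentication</title>
</head>
<body>
  <h1>Sign in to continue</h1>
  <form method="post" action="/">
    <label for="username">Username</label>
    <input type="text" name="username" id="username"
           autocomplete="username" required>

    <label for="password">Password</label>
    <input type="password" name="password" id="password"
           autocomplete="current-password" required>

    <!-- Required after the 7.4.1 threat defense upgrade so the user can
         choose between the realms of a realm sequence. Leave the element
         empty exactly as the release note shows it; the release note's
         empty element implies the device supplies the realm choices. -->
    <label for="realm">Realm</label>
    <select name="realm" id="realm"></select>

    <input type="submit" value="Sign in">
  </form>
</body>
</html>
```

Keep both name="realm" and id="realm" unchanged and do not add options to the select yourself. Because the release note ties the requirement to the threat defense upgrade, update the form as part of the same change window in which the devices serving the captive portal move to 7.4.1.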

Restrictions: Not supported with Microsoft Azure Active Directory.

New/modified screens:

  • Policies > Identity > (edit policy) > Active Authentication > Share active authentication sessions across firewalls

  • Identity policy > (edit) > Add Rule > Passive Authentication > Realms & Settings > Use active authentication if passive or VPN identity cannot be established

  • Identity policy > (edit) > Add Rule > Active Authentication > Realms & Settings > Use active authentication if passive or VPN identity cannot be established

Share captive portal active authentication sessions across firewalls. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

This option determines whether users must authenticate again when their traffic reaches a managed device other than the one they previously authenticated with. If your organization requires users to authenticate every time they change locations or sites, disable this option.

  • Enabled (default): a user who has authenticated with one managed device is recognized by any other managed device associated with the active authentication identity rule.

  • Disabled: users must authenticate again when they connect through a different managed device, even if they have already authenticated with another managed device to which the active authentication rule is deployed.

New/modified screens: Policies > Identity > (edit policy) > Active Authentication > Share active authentication sessions across firewalls

Merge downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources, using the management center web interface. (Minimum management center: 7.4.1; minimum threat defense: any)

Upgrade impact. Redo any related FlexConfigs after upgrade.

New/modified screens: Objects > Object Management > AAA Server > RADIUS Server Group > Add RADIUS Server Group > Merge Downloadable ACL with Cisco AV Pair ACL

New/modified CLI commands: merge-dacl after-avpair, merge-dacl before-avpair (in the aaa-server RADIUS protocol configuration). In show running-config aaa-server output, the two settings appear as:

  aaa-server ISE-Server protocol radius
   merge-dacl after-avpair

  aaa-server ISE-Server protocol radius
   merge-dacl before-avpair

Health Monitoring

Chassis-level health alerts for the Firepower 4100/9300. (Minimum management center: 7.4.1; minimum threat defense: any, with FXOS 2.14.1)

Upgrade impact. Enable the new health module and apply device health policy after upgrade.

You can now view chassis-level health alerts for Firepower 4100/9300 by registering the chassis to the management center as a read-only device. You must also enable the Firewall Threat Defense Platform Faults health module and apply the health policy. The alerts appear in the Message Center, the health monitor (in the left pane, under Devices, select the chassis), and in the health events view.

You can also add (and view health alerts for) a Secure Firewall 3100 chassis in multi-instance mode. For those devices, you use the management center to manage the chassis. For the Firepower 4100/9300 chassis, you must still use the chassis manager or the FXOS CLI.

New/modified screens: Devices > Device Management > Add > Chassis

See: Add a Chassis to the Management Center

Improved management center memory usage calculation, alerting, and swap memory monitoring. (Minimum management center: 7.4.1; minimum threat defense: any)

Upgrade impact. Memory usage alert thresholds may be lowered.

We improved the accuracy of the management center memory usage calculation and lowered the default alert thresholds to 88% warning/90% critical. If your thresholds were higher than the new defaults, the upgrade lowers them automatically; you do not have to apply health policies for this change to take effect. Note that the management center may now reboot under extremely critical memory conditions if terminating high-memory processes does not relieve the pressure.

You can also add new swap memory usage metrics to a new or existing management center health dashboard. Make sure you choose the Memory metric group.

New/modified screens:

  • System (system gear icon) > Health > Monitoring > Firewall Management Center > Add/Edit Dashboard > Memory

  • System (system gear icon) > Health > Policy > Management Center Health Policy > Memory

Deployment and Policy Management

Change management. (Minimum management center: 7.4.1; minimum threat defense: any)

You can enable change management if your organization needs to implement more formal processes for configuration changes, including audit tracking and official approval before changes are deployed.

We added the System (system gear icon) > Configuration > Change Management page to enable the feature. When enabled, there is a System (system gear icon) > Change Management Workflow page, and a new Ticket (Ticket icon) quick access icon in the menu.

See: Change Management

Upgrade

Firmware upgrades included in FXOS upgrades. (Minimum management center: 7.4.1; minimum threat defense: any)

Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot.

For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware.

Just as with software and operating system upgrades, do not make or deploy configuration changes during firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during firmware upgrade.

See: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide

Automatically generate configuration change reports after management center upgrade. (Minimum management center: 7.4.1; minimum threat defense: any)

You can automatically generate reports on configuration changes after major and maintenance management center upgrades. This helps you understand the changes you are about to deploy. After the system generates the reports, you can download them from the Tasks tab in the Message Center.

Other version restrictions: Only supported for management center upgrades from Version 7.4.1+. Not supported for upgrades to Version 7.4.1 or any earlier version.

New/modified screens: System (system gear icon) > Configuration > Upgrade Configuration > Enable Post-Upgrade Report

Administration

Erase the hard drives on a hardware management center. (Minimum management center: 7.4.1; minimum threat defense: any)

You can use the management center CLI to reboot the appliance and permanently erase the data on its hard drives. When the erase completes, you can install a fresh software image.

New/modified CLI commands: secure erase

See: Secure Firewall Management Center Command Line Reference

Usability, Performance, and Troubleshooting

Troubleshooting file generation and download available from Device and Cluster pages. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

You can generate and download troubleshooting files for each device on the Device page, and for all cluster nodes on the Cluster page. For a cluster, you can download all files as a single compressed file and optionally include the cluster logs from each node. You can alternatively trigger file generation from the Devices > Device Management > More (more icon) > Troubleshoot Files menu.

New/modified screens:

  • Devices > Device Management > Device > General

  • Devices > Device Management > Cluster > General

Automatic generation of a troubleshooting file on a node when it fails to join the cluster. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

If a node fails to join the cluster, a troubleshooting file is automatically generated for the node. You can download the file from Tasks or from the Cluster page.

View CLI output for a device or device cluster. (Minimum management center: 7.4.1; minimum threat defense: any)

You can view a set of pre-defined CLI outputs that can help you troubleshoot the device or cluster. You can also enter any show command and see the output.

New/modified screens: Devices > Device Management > Cluster > General

Quick recovery after data plane failure for the Firepower 1000/2100 and Firepower 4100/9300. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

If the data plane process crashes, the system now reloads only the data plane process instead of rebooting the device. Along with the data plane process reload, Snort and a few other processes also get reloaded.

However, if the data plane process crashes during bootup, the device follows the normal reload/reboot sequence, which helps avoid a reload process loop from occurring.

This feature is enabled by default for both new and upgraded devices. To disable it, use FlexConfig.

New/modified CLI commands: data-plane quick-reload, no data-plane quick-reload, show data-plane quick-reload status

Supported platforms: Firepower 1000/2100, Firepower 4100/9300

Platform restrictions: Not supported in multi-instance mode.

See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Secure Firewall ASA Series Command Reference.

Deprecated Features

Deprecated: frequent drain of events health alerts. (Minimum management center: 7.4.1; minimum threat defense: 7.4.1)

The Disk Usage health module no longer alerts with frequent drain of events. You may continue to see these alerts after management center upgrade until you either deploy health policies to managed devices (stops the display of alerts) or upgrade devices to Version 7.4.1+ (stops the sending of alerts).

Deprecated: VPN Tunnel Status health module. (Minimum management center: 7.4.1; minimum threat defense: any)

We deprecated the VPN Tunnel Status health module. Use the VPN dashboards instead.

Deprecated: Merging downloadable access control list with a Cisco attribute-value pair ACL for RADIUS identity sources with FlexConfig. (Minimum management center: 7.4.1; minimum threat defense: any)

Upgrade impact. Redo any related FlexConfigs after upgrade.

This feature is now supported in the management center web interface.

Management Center Features in Version 7.4.0


Note


Version 7.4.0 is available only on the Secure Firewall Management Center and the Secure Firewall 4200. A Version 7.4.0 management center can manage older versions of other device models, but you must use a Secure Firewall 4200 for features that require threat defense 7.4.0. Support for all other device platforms resumes in Version 7.4.1.


Table 3. Management Center Features in Version 7.4.0

Each feature entry lists the feature, the minimum management center version, the minimum threat defense version, and details.

Reintroduced Features

Reintroduced features. (Minimum management center: 7.4.0; minimum threat defense: feature dependent)

Version 7.4.0 reintroduces features, enhancements, and critical fixes that were included in maintenance releases to even-numbered versions (7.0.x, 7.2.x), but that were not included in odd-numbered versions (7.1.x, 7.3.x).

Reintroduced features include:

Platform

Management center 1700, 2700, 4700. (Minimum management center: 7.4.0; minimum threat defense: any)

We introduced the Secure Firewall Management Center 1700, 2700, and 4700, which can manage up to 300 devices. Management center high availability is supported.

See: Cisco Secure Firewall Management Center 1700, 2700, and 4700 Getting Started Guide

Management center virtual for Microsoft Hyper-V. (Minimum management center: 7.4.0; minimum threat defense: any)

We introduced Secure Firewall Management Center Virtual for Microsoft Hyper-V, which can manage up to 25 devices. Management center high availability is supported.

See: Cisco Secure Firewall Management Center Virtual Getting Started Guide

Secure Firewall 4200. (Minimum management center: 7.4.0; minimum threat defense: 7.4.0)

We introduced the Secure Firewall 4215, 4225, and 4245. You must manage these devices with a management center. They do not support device manager.

These devices support the following new network modules:

  • 2-port 100G QSFP+ network module (FPR4K-XNM-2X100G)

  • 4-port 200G QSFP+ network module (FPR4K-XNM-4X200G)

See: Cisco Secure Firewall 4215, 4225, and 4245 Hardware Installation Guide

Performance profile support for the Secure Firewall 4200. (Minimum management center: 7.4.0; minimum threat defense: 7.4.0)

The performance profile settings available in the platform settings policy now apply to the Secure Firewall 4200. Previously, this feature was supported only on the Firepower 4100/9300 and on threat defense virtual.

See: Configure the Performance Profile

Platform Migration

Migrate from Firepower 1000/2100 to Secure Firewall 3100. (Minimum management center: 7.4.0; minimum threat defense: any)

You can now easily migrate configurations from the Firepower 1000/2100 to the Secure Firewall 3100.

New/modified screens: Devices > Device Management > Migrate

Platform restrictions: Migration not supported from the Firepower 1010 or 1010E.

See: About Secure Firewall Threat Defense Model Migration

Migrate from Firepower Management Center 4600 to Secure Firewall Management Center for AWS. (Minimum management center: 7.4.0; minimum threat defense: any)

You can migrate from Firepower Management Center 4600 to Secure Firewall Management Center Virtual for AWS with a 300-device license.

See: Cisco Secure Firewall Management Center Model Migration Guide

Migrate from Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700. (Minimum management center: 7.4.0; minimum threat defense: any)

You can migrate from Firepower Management Center 1600/2600/4600 to Secure Firewall Management Center 1700/2700/4700.

See: Cisco Secure Firewall Management Center Model Migration Guide

Migrate from Firepower Management Center 1000/2500/4500 to Secure Firewall Management Center 1700/2700/4700. (Minimum management center: 7.4.0 only; minimum threat defense: 7.0.0)

You can migrate Firepower Management Center 1000/2500/4500 to Secure Firewall Management Center 1700/2700/4700. To migrate, you must temporarily upgrade the old management center from Version 7.0 to Version 7.4.0.

Important

 

Version 7.4 is only supported on the 1000/2500/4500 during the migration process. You should minimize the time between management center upgrade and device migration.

To summarize the migration process:

  1. Prepare for upgrade and migration. Read, understand, and meet all the prerequisites outlined in the release notes, upgrade guides, and migration guide. Make sure the old management center is ready to go: freshly deployed, fully backed up, all appliances in good health, etc. You should also set up the new management center.

  2. Upgrade the old management center and all its managed devices to at least Version 7.0.0 (7.0.5 recommended). If you are already running the minimum version, you can skip this step.

  3. Upgrade the old management center to Version 7.4.0. Unzip (but do not untar) the upgrade package before uploading it to the management center. Download from: Special Release.

  4. Migrate the management center as described in the model migration guide.

  5. Verify migration success. If the migration does not function to your expectations and you want to switch back, note that Version 7.4 is unsupported for general operations on the 1000/2500/4500. To return the old management center to a supported version you must reimage back to Version 7.0, restore from backup, and reregister devices.

See:

If you have questions or need assistance at any point in the migration process, contact Cisco TAC.

Migrate devices from Firepower Management Center 1000/2500/4500 to cloud-delivered Firewall Management Center. (Minimum management center: 7.4.0 only; minimum threat defense: 7.0.3)

You can migrate devices from Firepower Management Center 1000/2500/4500 to cloud-delivered Firewall Management Center.

To migrate devices, you must temporarily upgrade the on-prem management center from Version 7.0.3 (7.0.5 recommended) to Version 7.4.0. This temporary upgrade is required because Version 7.0 management centers do not support device migration to the cloud. Additionally, only standalone and high availability threat defense devices running Version 7.0.3+ (7.0.5 recommended) are eligible for migration. Cluster migration is not supported at this time.

Important

 

Version 7.4.0 is only supported on the 1000/2500/4500 during the migration process. You should minimize the time between management center upgrade and device migration.

To summarize the migration process:

  1. Prepare for upgrade and migration. Read, understand, and meet all the prerequisites outlined in the release notes, upgrade guides, and migration guide.

    Before you upgrade, it is especially important that the on-prem management center is "ready to go," that is, managing only the devices you want to migrate, configuration impact assessed (such as VPN impact), freshly deployed, fully backed up, all appliances in good health, and so on.

    You should also provision, license, and prepare the cloud tenant. This must include a strategy for security event logging; you cannot retain the on-prem management center for analytics because it will be running an unsupported version.

  2. Upgrade the on-prem management center and all its managed devices to at least Version 7.0.3 (Version 7.0.5 recommended).

    If you are already running the minimum version, you can skip this step.

  3. Upgrade the on-prem management center to Version 7.4.0.

    Unzip (but do not untar) the upgrade package before uploading it to the management center. Download from: Special Release.

  4. Onboard the on-prem management center to CDO.

  5. Migrate all devices from the on-prem management center to the cloud-delivered Firewall Management Center as described in the migration guide.

    When you select devices to migrate, make sure you choose Delete FTD from On-Prem FMC. Note that the device is not fully deleted unless you commit the changes or 14 days pass.

  6. Verify migration success.

    If the migration does not function to your expectations, you have 14 days to switch back; after that it is committed automatically. However, note that Version 7.4.0 is unsupported for general operations. To return the on-prem management center to a supported version, you must remove the re-migrated devices, reimage back to Version 7.0.x, restore from backup, and reregister the devices.

See:

If you have questions or need assistance at any point in the migration process, contact Cisco TAC.

Device Management

Low-touch provisioning to register the Firepower 1000/2100 and Secure Firewall 3100 to the management center using a serial number. (Minimum management center: 7.4.0; minimum threat defense: 7.2.0 if the management center is publicly reachable, 7.2.4 if it is not)

Low-touch provisioning lets you register Firepower 1000/2100 and Secure Firewall 3100 devices to the management center by serial number without having to perform any initial setup on the device. The management center integrates with SecureX and Cisco Defense Orchestrator for this functionality.

New/modified screens: Devices > Device Management > Add > Device > Serial Number

Other version restrictions: This feature is not supported on Version 7.3.x or 7.4.0 threat defense devices when the management center is not publicly reachable. Support returns in Version 7.4.1.

See: Add a Device to the Management Center Using the Serial Number (Low-Touch Provisioning)

Interfaces

Merged management and diagnostic interfaces. (Minimum management center: 7.4.0; minimum threat defense: 7.4.0)

Upgrade impact. Merge interfaces after upgrade.

For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available.

If you upgraded to 7.4 or later and:

  • You did not have any configuration for the diagnostic interface, then the interfaces will merge automatically.

  • You have configuration for the diagnostic interface, then you have the choice to merge the interfaces manually, or you can continue to use the separate diagnostic interface. Note that support for the diagnostic interface will be removed in a later release, so you should plan to merge the interfaces as soon as possible.

Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including Management) in the configuration.

For platform settings, this means:

  • You can no longer enable HTTP, ICMP, or SMTP for diagnostic.

  • For SNMP, you can allow hosts on management instead of diagnostic.

  • For Syslog servers, you can reach them on management instead of diagnostic.

  • If Platform Settings for syslog servers or SNMP hosts specify the diagnostic interface by name, then you must use separate Platform Settings policies for merged and non-merged devices.

  • DNS lookups no longer fall back to the management-only routing table if you do not specify interfaces.

New/modified screens: Devices > Device Management > Interfaces

New/modified commands: show management-interface convergence

See: Merge the Management and Diagnostic Interfaces

VXLAN VTEP IPv6 support.

7.4.0

7.4.0

You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the threat defense virtual cluster control link or for Geneve encapsulation.

New/modified screens:

  • Devices > Device Management > Edit Device > VTEP > Add VTEP

  • Devices > Device Management > Edit Devices > Interfaces > Add Interfaces > VNI Interface

See: Configure Geneve Interfaces

Loopback interface support for BGP and management traffic.

7.4.0

7.4.0

You can now use loopback interfaces for AAA, BGP, DNS, HTTP, ICMP, IPsec flow offload, NetFlow, SNMP, SSH, and syslog.

New/modified screens: Devices > Device Management > Edit device > Interfaces > Add Interfaces > Loopback Interface

See: Configure Loopback Interfaces

Loopback and management type interface group objects.

7.4.0

7.4.0

You can create interface group objects that contain only management-only interfaces or only loopback interfaces. You can use these groups for management features such as DNS servers, HTTP access, or SSH. Loopback groups are available for any feature that can use loopback interfaces. Note that DNS does not support management interfaces.

New/modified screens: Objects > Object Management > Interface > Add > Interface Group

See: Interface

High Availability/Scalability

Manage threat defense high availability pairs using a data interface.

7.4.0

7.4.0

Threat defense high availability now supports using a regular data interface for communication with the management center. Previously, only standalone devices supported this feature.

See: Using the Threat Defense Data Interface for Management

SD-WAN

WAN summary dashboard.

7.4.0

7.2.0

The WAN Summary dashboard provides a snapshot of your WAN devices and their interfaces. It provides insight into your WAN network and information about device health, interface connectivity, application throughput, and VPN connectivity. You can monitor the WAN links and take proactive and prompt recovery measures.

New/modified screens: Overview > WAN Summary

See: WAN Summary Dashboard

Policy-based routing using HTTP path monitoring.

7.4.0

7.2.0

Policy-based routing (PBR) can now use the performance metrics (RTT, jitter, packet loss, and MOS) that path monitoring collects through an HTTP client against the application domain, rather than the metrics for a specific destination IP. The HTTP-based application monitoring option is enabled by default for the interface. You can configure a PBR policy whose match ACL contains the monitored applications, with an interface ordering for path determination.

New/modified screens: Devices > Device Management > Edit device > Edit interface > Path Monitoring > Enable HTTP based Application Monitoring check box.

Platform restrictions: Not supported for clustered devices.

See: Configure Path Monitoring Settings

Policy-based routing with user identity and SGTs.

7.4.0

7.4.0

You can now classify the network traffic based on users and user groups, and SGTs in PBR policies. You can select the identity and SGT objects while defining the extended ACLs for the PBR policies.

New/modified screens: Objects > Object Management > Access List > Extended > Add/Edit Extended Access List > Add/Edit Extended Access List Entry > Users and Security Group Tag

See: Configure Extended ACL Objects

VPN

IPsec flow offload on the VTI loopback interface for the Secure Firewall 4200.

7.4.0

7.4.0

On the Secure Firewall 4200, qualifying IPsec connections through the VTI loopback interface are offloaded by default. Previously, this feature was supported for physical interfaces on the Secure Firewall 3100.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

Other requirements: FPGA firmware 6.2+

See: IPsec Flow Offload

Crypto debugging enhancements for the Secure Firewall 4200.

7.4.0

7.4.0

We made the following enhancements to crypto debugging:

  • The crypto archive is now available in text and binary formats.

  • Additional SSL counters are available for debugging.

  • Remove stuck encrypt rules from the ASP table without rebooting the device.

New/modified CLI commands: show counters

VPN: Remote Access

Customize Secure Client messages, icons, images, and connect/disconnect scripts.

7.4.0

7.1.0

You can now customize Secure Client and deploy these customizations to the VPN headend. The following are the supported Secure Client customizations:

  • GUI text and messages

  • Icons and images

  • Scripts

  • Binaries

  • Customized Installer Transforms

  • Localized Installer Transforms

Threat defense distributes these customizations to the endpoint when an end user connects from the Secure Client.

New/modified screens:

  • Objects > Object Management > VPN > Secure Client Customization

  • Devices > Remote Access > Edit VPN policy > Advanced > Secure Client Customization

See: Customize Cisco Secure Client

VPN: Site to Site

Easily view IKE and IPsec session details for VPN nodes.

7.4.0

Any

You can view the IKE and IPsec session details of VPN nodes in a user-friendly format in the Site-to-Site VPN dashboard.

New/modified screens: Overview > Site to Site VPN > Under the Tunnel Status widget, hover over a topology, click View, and then click the CLI Details tab.

See: Monitoring the Site-to-Site VPNs

Site-to-site VPN information in connection events.

7.4.0

7.4.0 with Snort 3

Connection events now contain three new fields: Encrypt Peer, Decrypt Peer, and VPN Action. For policy-based and route-based site-to-site VPN traffic, these fields indicate whether a connection was encrypted or decrypted (or both, for transiting connections), and by which peer.

New/modified screens: Analysis > Connections > Events > Table View of Events

See: Site to Site VPN Connection Event Monitoring

Easily exempt site-to-site VPN traffic from NAT translation.

7.4.0

Any

We now make it easier to exempt site-to-site VPN traffic from NAT translation.

New/modified screens:

  • Enable NAT exemptions for an endpoint: Devices > VPN > Site To Site > Add/Edit Site to Site VPN > Add/Edit Endpoint > Exempt VPN traffic from network address translation

  • View NAT exempt rules for devices that do not have a NAT policy: Devices > NAT > NAT Exemptions

  • View NAT exempt rules for a single device: Devices > NAT > Threat Defense NAT Policy > NAT Exemptions

See: NAT Exemption

Routing

Configure graceful restart for BGP on IPv6 networks.

7.4.0

7.3.0

You can now configure BGP graceful restart for IPv6 networks on managed devices version 7.3 and later.

New/modified screens: Devices > Device Management > Edit device > Routing > BGP > IPv6 > Neighbor > Add/Edit Neighbor.

See: Configure BGP Neighbor Settings

Virtual routing with dynamic VTI.

7.4.0

7.4.0

You can now configure a virtual router with a dynamic VTI for a route-based site-to-site VPN.

New/modified screens: Devices > Device Management > Edit Device > Routing > Virtual Router Properties > Dynamic VTI interfaces under Available Interfaces

Platform restrictions: Supported only on native mode standalone or high availability devices. Not supported for container instances or clustered devices.

See: About Virtual Routers and Dynamic VTI

Access Control: Threat Detection and Application Identification

Clientless zero-trust access.

7.4.0

7.4.0 with Snort 3

We introduced Zero Trust Access, which allows you to authenticate and authorize access to protected web-based resources, applications, or data from inside (on-premises) or outside (remote) the network using an external SAML Identity Provider (IdP) policy.

The configuration consists of a Zero Trust Application Policy (ZTAP), Application Group, and Applications.

New/modified screens:

  • Policies > Zero Trust Application

  • Analysis > Connections > Events

  • Overview > Dashboard > Zero Trust

New/modified CLI commands:

  • show running-config zero-trust application

  • show running-config zero-trust application-group

  • show zero-trust sessions

  • show zero-trust statistics

  • show cluster zero-trust statistics

  • clear zero-trust sessions application

  • clear zero-trust sessions user

  • clear zero-trust statistics

Encrypted visibility engine enhancements.

7.4.0

7.4.0 with Snort 3

Encrypted Visibility Engine (EVE) can now:

  • Block malicious communications in encrypted traffic based on threat score.

  • Determine client applications based on EVE-detected processes.

  • Reassemble fragmented Client Hello packets for detection purposes.

New/modified screens: Use the access control policy's advanced settings to enable EVE and configure these settings.

See: Encrypted Visibility Engine

Exempt specific networks and ports from bypassing or throttling elephant flows.

7.4.0

7.4.0 with Snort 3

You can now exempt specific networks and ports from bypassing or throttling elephant flows.

New/modified screens:

  • When you configure elephant flow detection in the access control policy's advanced settings, if you enable the Elephant Flow Remediation option, you can now click Add Rule and specify traffic that you want to exempt from bypass or throttling.

  • When the system detects an elephant flow that is exempted from bypass or throttling, it generates a mid-flow connection event with the reason Elephant Flow Exempted.

Platform restrictions: Not supported on the Firepower 2100 series.

First-packet application identification using custom application detectors.

7.4.0

7.4.0 with Snort 3

A new Lua detector API maps the IP address, port, and protocol of the very first packet of a TCP session to an application protocol (service AppID), client application (client AppID), and web application (payload AppID). The new Lua API, addHostFirstPktApp, improves performance, supports reinspection, and allows early detection of attacks in the traffic. To use this feature, upload the Lua detector, specifying the detection criteria under advanced detectors in your custom application detector.

See: Custom Application Detectors

Sensitive data detection and masking.

7.4.0

7.4.0 with Snort 3

Upgrade impact. New rules in default policies take effect.

Sensitive data such as social security numbers, credit card numbers, and email addresses may be leaked onto the internet, intentionally or accidentally. Sensitive data detection detects possible leakage and generates events, but only when a significant amount of Personally Identifiable Information (PII) is transferred. Using built-in patterns, sensitive data detection masks the PII in the output of events.

Disabling data masking is not supported.

See: Custom Rules in Snort 3
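To make the detection-and-masking behavior described above concrete, here is an added Python example (not Snort's implementation and not Cisco's code) that applies built-in style patterns for SSNs, payment card numbers and e-mail addresses, raises an event only when the amount of PII crosses a threshold, and masks the matched values in the output. The patterns, the Luhn check used to discard long digit strings that are not card numbers, the threshold value and the sample text are all assumptions constructed for this example.

```python
"""Illustrative sensitive-data detection and masking: built-in style patterns,
an event only when a significant amount of PII is seen, and masking of the
matched values. Patterns, threshold and sample text are constructed for this
example; this is not Snort's own implementation."""
import re
from collections import Counter

# Built-in style patterns (assumptions). The card pattern is deliberately loose
# (13-19 digits with optional single separators) and is confirmed by a Luhn
# check so that other long digit strings are not counted as PII.
PATTERNS = [
    ("credit_card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),
    ("ssn", re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
]

# Constructed sample: three real PII items plus a 16-digit order id that fails Luhn.
SAMPLE_TEXT = (
    "Customer 1: SSN 123-45-6789, card 4111 1111 1111 1111, "
    "mail alice@example.com. Ref 1234567890123456 is an order id."
)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _is_real_match(kind, value):
    if kind == "credit_card":
        return luhn_ok(re.sub(r"\D", "", value))
    return True


def find_pii(text):
    """Return (kind, value) for every confirmed pattern match in text."""
    return [(kind, m.group(0)) for kind, rx in PATTERNS
            for m in rx.finditer(text) if _is_real_match(kind, m.group(0))]


def mask_value(kind, value):
    """Keep the last four digits of a number (separators preserved), or the
    first character of an e-mail local part; replace the rest with X."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    digits = sum(ch.isdigit() for ch in value)
    seen, out = 0, []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append("X" if seen <= digits - 4 else ch)
        else:
            out.append(ch)
    return "".join(out)


def mask_text(text):
    """Rewrite every confirmed PII value in text with its masked form."""
    for kind, rx in PATTERNS:
        def repl(m, kind=kind):
            value = m.group(0)
            return mask_value(kind, value) if _is_real_match(kind, value) else value
        text = rx.sub(repl, text)
    return text


def scan(text, threshold=2):
    """Detect PII, count it per kind, flag an event only when the total
    reaches the threshold, and return the masked text for event output."""
    found = find_pii(text)
    counts = Counter(kind for kind, _ in found)
    return {"counts": counts, "alert": len(found) >= threshold, "masked": mask_text(text)}


if __name__ == "__main__":
    result = scan(SAMPLE_TEXT)
    print(dict(result["counts"]), result["alert"])
    print(result["masked"])
```

The masked output keeps the last four digits so an analyst can still correlate an event with a customer record, which is the trade-off the built-in masking makes as well; the threshold is what keeps a single e-mail address in a web form from producing an event.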

Improved JavaScript inspection.

7.4.0

7.4.0 with Snort 3

We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content.

See: HTTP Inspect Inspector and Cisco Secure Firewall Management Center Snort 3 Configuration Guide

MITRE information in file and malware events.

7.4.0

7.4.0

The system now includes MITRE information (from local malware analysis) in file and malware events. Previously, this information was only available for intrusion events. You can view MITRE information in both the classic and unified events views. Note that the MITRE column is hidden by default in both event views.

See: Local Malware Analysis and File and Malware Event Fields

Smaller VDB for lower memory Snort 2 devices.

6.4.0.17

7.0.6

7.2.4

7.3.1.1

7.4.0

Any with Snort 2

Upgrade impact. Application identification on lower memory devices is affected.

For VDB 363+, the system now installs a smaller VDB (also called VDB lite) on lower memory devices running Snort 2. This smaller VDB contains the same applications, but fewer detection patterns. Devices using the smaller VDB can miss some application identification versus devices using the full VDB.

Lower memory devices: ASA 5506-X series, ASA-5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X

Version restrictions: The ability to install a smaller VDB depends on the version of the management center, not managed devices. If you upgrade the management center from a supported version to an unsupported version, you cannot install VDB 363+ if your deployment includes even one lower memory device. For a list of affected releases, see CSCwd88641.

Access Control: Identity

Cisco Secure Dynamic Attributes Connector on the management center.

7.4.0

Any

You can now configure the Cisco Secure Dynamic Attributes Connector on the management center. Previously, it was only available as a standalone application.

See: Cisco Secure Dynamic Attributes Connector

Microsoft Azure AD as a user identity source.

7.4.0

7.4.0

You can use a Microsoft Azure Active Directory (Azure AD) realm with ISE to authenticate users and get user sessions for user control.

New/modified screens:

  • Integration > Other Integrations > Realms > Add Realm > Azure AD

  • Integration > Other Integrations > Realms > Actions, such as downloading users, copying, editing, and deleting

Supported ISE versions: 3.0 patch 5+, 3.1 (any patch level), 3.2 (any patch level)

See: Create a Microsoft Azure Active Directory Realm

Event Logging and Analysis

Configure threat defense devices as NetFlow exporters from the management center web interface.

7.4.0

Any

Upgrade impact. Redo FlexConfigs after upgrade.

NetFlow is a Cisco application that provides statistics on packet flows. You can now use the management center web interface to configure threat defense devices as NetFlow exporters. If you have an existing NetFlow FlexConfig and redo your configuration in the web interface, you cannot deploy until you remove the deprecated FlexConfigs.

New/modified screens: Devices > Platform Settings > Threat Defense Settings Policy > NetFlow

See: Configure NetFlow

More information about "unknown" SSL actions in logged encrypted connections.

7.4.0

7.4.0

Serviceability improvements to event reporting and decryption rule matching:

  • New SSL Status to indicate if the SSL handshake is not complete for an encrypted connection. The SSL Status column of the connection event displays “Unknown (Incomplete Handshake)” when the SSL handshake of the logged connection is not complete.

  • Subject Alternative Names (SANs) for certificates are now used when matching Certificate Authority (CA) names for improved decryption rule matching.

New/modified screens:

  • Analysis > Connections > Events > SSL Status

  • Analysis > Connections > Security-Related Events > SSL Status

See: Connection and Security-Related Connection Event Fields.
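The new connection-event fields described in this document (Encrypt Peer, Decrypt Peer and VPN Action for site-to-site VPN traffic, the Elephant Flow Exempted connection reason, and the Unknown (Incomplete Handshake) SSL status above) are easiest to act on once events are exported. The following Python is an added example, not Cisco's code: it parses constructed key=value records, derives each connection's VPN role from the two peer fields (the values of the VPN Action column are not listed in these notes, so the example does not interpret that column), and picks out incomplete handshakes and exempted elephant flows. The key=value serialization, the field spellings and the sample addresses are assumptions, not the management center's export format.

```python
"""Triage of connection-event fields introduced in Version 7.4: Encrypt Peer,
Decrypt Peer (site-to-site VPN), the SSL Status "Unknown (Incomplete
Handshake)", and the "Elephant Flow Exempted" reason. The key=value layout and
the sample records are constructed for this example; they are not the
management center's own export format."""
import re
from collections import Counter

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
INCOMPLETE_HANDSHAKE = "Unknown (Incomplete Handshake)"
ELEPHANT_EXEMPT = "Elephant Flow Exempted"

# Constructed sample records (field names follow the event columns named in
# the release notes; writing them as key=value pairs is an assumption).
SAMPLE_EVENTS = [
    'src=10.1.1.5 dst=192.0.2.20 EncryptPeer=203.0.113.10 DecryptPeer="" SSLStatus="" Reason=""',
    'src=192.0.2.20 dst=10.1.1.5 EncryptPeer="" DecryptPeer=203.0.113.10 SSLStatus="" Reason=""',
    'src=10.3.3.3 dst=10.4.4.4 EncryptPeer=203.0.113.10 DecryptPeer=198.51.100.7 SSLStatus="" Reason=""',
    'src=10.1.1.9 dst=198.51.100.40 EncryptPeer="" DecryptPeer="" SSLStatus="Unknown (Incomplete Handshake)" Reason=""',
    'src=10.5.5.5 dst=10.6.6.6 EncryptPeer="" DecryptPeer="" SSLStatus="" Reason="Elephant Flow Exempted"',
]


def parse_event(line):
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    event = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        event[m.group(1)] = quoted if quoted is not None else bare
    return event


def vpn_direction(event):
    """Derive the site-to-site VPN role from the peer fields: both peers set
    means the connection was decrypted from one tunnel and re-encrypted into
    another (transit); one peer set means it was encrypted or decrypted here."""
    enc, dec = event.get("EncryptPeer", ""), event.get("DecryptPeer", "")
    if enc and dec:
        return "transit"
    if enc:
        return "encrypted"
    if dec:
        return "decrypted"
    return "not-vpn"


def triage(lines):
    """Summarize a batch of records: VPN role counts, connections whose TLS
    handshake never completed, and elephant flows exempted from remediation."""
    summary = {"vpn": Counter(), "incomplete_handshake": [], "elephant_exempt": []}
    for line in lines:
        ev = parse_event(line)
        flow = (ev.get("src"), ev.get("dst"))
        summary["vpn"][vpn_direction(ev)] += 1
        if ev.get("SSLStatus") == INCOMPLETE_HANDSHAKE:
            summary["incomplete_handshake"].append(flow)
        if ev.get("Reason") == ELEPHANT_EXEMPT:
            summary["elephant_exempt"].append(flow)
    return summary


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Run over an export of Analysis > Connections > Events, the incomplete-handshake list tells you how much encrypted traffic the decryption policy never got a chance to evaluate, and the transit count shows which flows are visible only as VPN-to-VPN hops.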

Health Monitoring

Stream telemetry to an external server using OpenConfig.

7.4.0

7.4.0

You can now send metrics and health monitoring information from your threat defense devices to an external server (gNMI collector) using OpenConfig. You can configure either threat defense or the collector to initiate the connection, which is encrypted by TLS.

New/modified screens: System (system gear icon) > Health > Policy > Firewall Threat Defense Policies > Settings > OpenConfig Streaming Telemetry

See: Send Vendor-Neutral Telemetry Streams Using OpenConfig

New asp drop metrics.

7.4.0

7.4.0

You can add over 600 new asp (accelerated security path) drop metrics to a new or existing device health dashboard. Make sure you choose the ASP Drops metric group.

New/modified screens: System (system gear icon) > Health > Monitor > Device

See: show asp drop Command Usage

Administration

Send detailed management center audit logs to syslog.

7.4.0

Any

You can stream configuration changes as part of audit log data to syslog by specifying the configuration data format and the hosts. The management center supports backup and restore of the audit configuration log.

New/modified screens: System (system gear icon) > Configuration > Audit Log > Send Configuration Changes

See: Stream Audit Logs to Syslog

Granular permissions for modifying access control policies and rules.

7.4.0

Any

You can define custom user roles to differentiate between the intrusion configuration in access control policies and rules and the rest of the access control policy and rules. Using these permissions, you can separate the responsibilities of your network administration team and your intrusion administration teams.

When defining user roles, select Policies > Access Control > Access Control Policy > Modify Access Control Policy > Modify Threat Configuration to allow: the selection of intrusion policy, variable set, and file policy in a rule; the configuration of the advanced options for Network Analysis and Intrusion Policies; the configuration of the Security Intelligence policy for the access control policy; and intrusion actions in the policy default action. Use Modify Remaining Access Control Policy Configuration to control the ability to edit all other aspects of the policy. The existing predefined user roles that include the Modify Access Control Policy permission continue to support all sub-permissions; to apply granular permissions, create your own custom roles.

See: Create Custom User Roles

Support for IPv6 URLs when checking certificate revocation.

7.4.0

7.4.0

Previously, threat defense supported only IPv4 OCSP URLs. Now, threat defense supports both IPv4 and IPv6 OCSP URLs.

See: Requiring Valid HTTPS Client Certificates and Certificate Enrollment Object Revocation Options

Default NTP server updated.

7.4.0

Any

The default NTP server for new management center deployments changed from sourcefire.pool.ntp.org to time.cisco.com. We recommend you use the management center to serve time to its own devices. You can update the management center's NTP server on System (system gear icon) > Configuration > Time Synchronization.

See: Internet Access Requirements

Usability, Performance, and Troubleshooting

Usability enhancements.

7.4.0

Any

You can now:

  • Manage Smart Licensing for threat defense clusters from System (system gear icon) > Smart Licenses. Previously, you had to use the Device Management page.

    See: Licensing for Device Clusters

  • Download a report of Message Center notifications. In the Message Center, click the new Download Report icon, next to the Show Notifications slider.

    See: Managing System Messages

  • Download a report of all registered devices. On Devices > Device Management, click the new Download Device List Report link, at the top right of the page.

    See: Download the Managed Device List

  • Clone network and port objects. In the object manager (Objects > Object Management), click the new Clone icon next to a port or network object. You can then change the new object's properties and save it using a new name.

    See: Creating Network Objects and Creating Port Objects

  • Easily create custom health monitoring dashboards, and easily edit existing dashboards.

    See: Correlating Device Metrics

Specify the direction of traffic to be captured with packet capture for the Secure Firewall 4200.

7.4.0

7.4.0

On the Secure Firewall 4200, you can use a new direction keyword with the capture command.

New/modified CLI commands: capture capture_name switch interface interface_name [direction {both | egress | ingress}]

See: Cisco Secure Firewall Threat Defense Command Reference

Snort 3 restarts when it becomes unresponsive, which can trigger HA failover.

7.4.0

7.4.0 with Snort 3

To improve continuity of operations, an unresponsive Snort can now trigger high availability failover. This happens because Snort 3 now restarts if the process becomes unresponsive. Restarting the Snort process briefly interrupts traffic flow and inspection on the device, and in high availability deployments can trigger failover. (In a standalone deployment, interface configurations determine whether traffic drops or passes without inspection during the interruption.)

This feature is enabled by default. You can use the CLI to disable it, or configure the time or number of unresponsive threads before Snort restarts.

New/modified CLI commands: configure snort3-watchdog

See: Cisco Secure Firewall Threat Defense Command Reference

Cisco Success Network telemetry.

7.4.0

Any

For telemetry changes, see Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center, Version 7.4.x.

Management Center REST API

Management center REST API.

7.4.0

Any

For information on changes to the management center REST API, see What's New in Version 7.4 in the API quick start guide.

Deprecated Features

Temporarily deprecated features.

7.4.0

Any

Although upgrading to Version 7.4.0 is supported, the upgrade will remove critical features, fixes, and enhancements that may be included in your current version. Instead, upgrade to Version 7.4.1+.

From Version 7.2.5–7.2.x, upgrading removes:

From Version 7.2.6–7.2.x, upgrading removes:

Deprecated: NetFlow with FlexConfig.

7.4.0

Any

You can now configure threat defense devices as NetFlow exporters from the management center web interface. If you do this, you cannot deploy until you remove any deprecated FlexConfigs.

See: Configure NetFlow

Device Manager Features in Version 7.4.x


Note

Device manager support for Version 7.4 features begins with Version 7.4.1. This is because Version 7.4.0 is not available on any platforms that support device manager.


Table 4. Device Manager Features in Version 7.4.x

Feature

Description

Platform Features

Firepower 1010E support returns.

Support returns for the Firepower 1010E, which was introduced in Version 7.2.3 and temporarily deprecated in Version 7.3.

See: Cabling for the Firepower 1010

Network modules for the Secure Firewall 3130 and 3140.

We introduced these network modules for the Secure Firewall 3130 and 3140:

  • 2-port 100G QSFP+ network module (FPR3K-XNM-2X100G)

See: Cisco Secure Firewall 3110, 3120, 3130, and 3140 Hardware Installation Guide

VPN Features

IPsec flow offload on the VTI loopback interface for the Secure Firewall 3100.

Upgrade impact. Qualifying connections start being offloaded.

On the Secure Firewall 3100, qualifying IPsec connections through the VTI loopback interface are now offloaded by default. Previously, this feature was only supported on physical interfaces. This feature is automatically enabled by the upgrade.

You can change the configuration using FlexConfig and the flow-offload-ipsec command.

Interface Features

Merged management and diagnostic interfaces.

Upgrade impact. Merge interfaces after upgrade.

For new devices using 7.4 and later, you cannot use the legacy diagnostic interface. Only the merged management interface is available. If you upgraded to 7.4 or later, and you did not have any configuration for the diagnostic interface, then the interfaces will merge automatically.

If you upgraded to 7.4 or later, and you have configuration for the diagnostic interface, then you have the choice to merge the interfaces manually, or you can continue to use the separate diagnostic interface. Note that support for the diagnostic interface will be removed in a later release, so you should plan to merge the interfaces as soon as possible.

Merged mode also changes the behavior of AAA traffic to use the data routing table by default. The management-only routing table can now only be used if you specify the management-only interface (including management) in the configuration.

New/modified screens:

  • Devices > Interfaces > Management interface

  • (Moved to Interfaces) System Settings > Management Interface

  • Devices > Interfaces > Merge Interface action needed > Management Interface Merge

New/modified commands: show management-interface convergence

Deploy without the diagnostic interface on threat defense virtual for Azure and GCP.

You can now deploy without the diagnostic interface on threat defense virtual for Azure and GCP. Azure deployments still require at least two data interfaces, but GCP requires that you replace the diagnostic interface with a data interface, for a new minimum of three. (Previously, threat defense virtual deployments required one management, one diagnostic, and at least two data interfaces.)

Restrictions: This feature is supported for new deployments only. It is not supported for upgraded devices.

See: Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

Inline sets for Firepower 1000 series, Firepower 2100, and Secure Firewall 3100.

You can configure inline sets on Firepower 1000 series, Firepower 2100, and Secure Firewall 3100 devices. We added the inline sets tab to the Interface page.

Licensing Features

Changes to license names and support for the Carrier license.

Licenses have been renamed:

  • Threat is now IPS

  • Malware is now Malware Defense

  • Base is now Essentials

  • AnyConnect Apex is now Secure Client Premier

  • AnyConnect Plus is now Secure Client Advantage

  • AnyConnect VPN Only is now Secure Client VPN Only

In addition, you can now apply the Carrier license, which allows you to configure GTP/GPRS, Diameter, SCTP, and M3UA inspections. Use FlexConfig to configure these features.

See: Licensing the System

Administrative and Troubleshooting Features

Default NTP server updated.

Upgrade impact. The system connects to new resources.

The default NTP servers have changed from sourcefire.pool.ntp.org to time.cisco.com. To use a different NTP server, select Device, then click Time Services in the System Settings panel.

SAML servers for HTTPS management user access.

You can configure a SAML server to provide external authentication for HTTPS management access. You can configure external users with the following types of authorization access: Administrator, Audit Admin, Cryptographic Admin, Read-Write User, Read-Only User. You can use Common Access Card (CAC) for login when using a SAML server.

We updated the SAML identity source object configuration, and the System Settings > Management Access page to accept them.

Detect configuration mismatches in threat defense high availability pairs.

You can now use the CLI to detect configuration mismatches in threat defense high availability pairs.

New/modified CLI commands: show failover config-sync error, show failover config-sync stats

See: Cisco Secure Firewall Threat Defense Command Reference

Capture dropped packets with the Secure Firewall 3100.

Packet losses resulting from MAC address table inconsistencies can impact your debugging capabilities. The Secure Firewall 3100 can now capture these dropped packets.

New/modified CLI commands: [drop {disable | mac-filter}] in the capture command.

See: Cisco Secure Firewall Threat Defense Command Reference

Firmware upgrades included in FXOS upgrades.

Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot.

For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1+ now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware.

Just as with software and operating system upgrades, do not make or deploy configuration changes during firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during firmware upgrade.

See: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide

Quick recovery after data plane failure for the Firepower 1000/2100 and Firepower 4100/9300.

When the data plane process on the Firepower 1000/2100 or the Firepower 4100/9300 crashes, the system reloads the process instead of rebooting the device. Reloading the data plane also restarts other processes, including Snort. If the data plane crashes during bootup, the device follows the normal reload/reboot sequence; this avoids a reload loop.

This feature is enabled by default for both new and upgraded devices. To disable it, use FlexConfig.

New/modified ASA CLI commands: data-plane quick-reload, show data-plane quick-reload status

New/modified threat defense CLI commands: show data-plane quick-reload status

Supported platforms: Firepower 1000/2100, Firepower 4100/9300

See: Cisco Secure Firewall Threat Defense Command Reference and Cisco Secure Firewall ASA Series Command Reference.

Upgrade Impact Features

A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part; this is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade; for example, if you must change a configuration.

Upgrade Impact Features for Management Center

Check all releases between your current and target version.

Table 5. Upgrade Impact Features for Management Center

Target Version

Features with Upgrade Impact

7.4.1+

7.4.0+

7.3.1.1–7.3.1.x

7.3.0+

7.2.6–7.2.x

7.2.5–7.2.x

7.2.4–7.2.x

7.2.4–7.2.5

7.2.0+

7.1.0.3–7.1.0.x

7.1.0+

7.0.6–7.0.x

7.0.5–7.0.x

7.0.0+

6.7.0+

Upgrade Impact Features for Threat Defense with Management Center

Check all releases between your current and target version.

Table 6. Upgrade Impact Features for Threat Defense with Management Center

Target Version

Features with Upgrade Impact

7.4.1+

7.3.0+

7.2.4–7.2.x

7.2.0+

7.1.0.3–7.1.0.x

7.1.0+

7.0.5+

7.0.0+

6.7.0+

Upgrade Impact Features for Threat Defense with Device Manager

Upgrade Guidelines

The following sections contain release-specific upgrade warnings and guidelines. You should also check for features and bugs with upgrade impact. For general information on time/disk space requirements and on system behavior during upgrade, see the upgrade guide: For Assistance.

Upgrade Guidelines for Management Center

Check all releases between your current and target version.

Table 8. Upgrade Guidelines for Management Center

Target Version

Current Version

Guideline

Details

7.4.1.x

7.4.1

Migration failure: do not migrate to management center Version 7.4.1 if you are using Security Intelligence.

Patch the target management center to Version 7.4.1.1 before you begin migration. The source management center can continue to run Version 7.4.1.

Note

Version 7.4.1 is not supported on the Firepower Management Center 1000/2500/4500, even during the migration process. To migrate to Secure Firewall Management Center 1700/2700/4700, use Version 7.4.0.

For more information on model migration, see the Cisco Secure Firewall Management Center Model Migration Guide.

7.3.x–7.4.0

7.2.6–7.2.x

Upgrade not recommended: Version 7.2.6–7.2.x to Version 7.3.x–7.4.0.

Upgrading is supported, but will remove critical fixes and enhancements that are included in your current version. Instead, upgrade to Version 7.4.1+.

7.2.6

6.6.0–7.2.5

Upgrade not recommended: Version 7.2.6.

Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade.

7.1.0

7.0.4–7.0.x

Upgrade prohibited: Version 7.0.4+ to Version 7.1.0.

Due to datastore incompatibilities, you cannot upgrade from Version 7.0.4–7.0.x to Version 7.1.0. Instead, upgrade to Version 7.2.0+.

7.0.0–7.2.x

6.4.0–6.7.x

Reconnect with Threat Grid for high availability management centers.

Version 7.0.0 fixes an issue with management center high availability and malware detection where, after failover, the system stopped submitting files for dynamic analysis (CSCvu35704). For the fix to take effect, you must reassociate with the Cisco Threat Grid public cloud after upgrading.

After you upgrade the high availability pair to Version 7.0.0+, on the primary management center:

  1. Choose AMP > Dynamic Analysis Connections.

  2. Click Associate in the table row corresponding to the public cloud. A portal window opens. You do not have to sign in. The reassociation happens in the background, within a few minutes.

6.7.0

6.6.5–6.6.x

Upgrade prohibited: management center Version 6.6.5+ to Version 6.7.0.

Due to datastore incompatibilities, you cannot upgrade the management center from Version 6.6.5–6.6.x to Version 6.7.0. Instead, upgrade to Version 7.0.0+.

Upgrade Guidelines for Threat Defense with Device Manager

Check all releases between your current and target version.

Table 9. Upgrade Guidelines for Threat Defense with Device Manager

Target Version: 7.2.6
Current Version: 6.6.0–7.2.5
Guideline: Upgrade not recommended: Version 7.2.6.
Details: Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade.

Target Version: 7.1.0
Current Version: 7.0.4–7.0.x
Guideline: Upgrade prohibited: Version 7.0.4+ to Version 7.1.0.
Details: Due to datastore incompatibilities, you cannot upgrade from Version 7.0.4+ to Version 7.1.0. Instead, upgrade to Version 7.2.0+.

Target Version: 6.7.0–7.2.x
Current Version: 6.4.0–6.6.x
Guideline: Upgrade failure: Firepower 1010 switch ports with invalid VLAN IDs.
Details: For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with a VLAN ID in the 3968–4047 range. These IDs are for internal use only.

Upgrade Guidelines for Threat Defense with Management Center

Check all releases between your current and target version.

Table 10. Upgrade Guidelines for Threat Defense with Management Center

Target Version: 7.4.1
Current Version: 7.1.x, 7.0.0–7.0.2
Guideline: Unregister and reregister devices after reverting threat defense.
Details: If you revert from Version 7.4.1 to Version 7.0.0–7.0.2 or to Version 7.1.x, unregister and reregister devices after the revert completes (CSCwi31680).

Target Version: 7.3.x
Current Version: 7.2.6–7.2.x
Guideline: Upgrade not recommended: Version 7.2.6–7.2.x to Version 7.3.x.
Details: Upgrading is supported, but will remove critical fixes and enhancements that are included in your current version. Instead, upgrade to Version 7.4.1+.

Target Version: 7.3.x
Current Version: 7.1.x, 6.7.0–7.0.2
Guideline: Unregister and reregister devices after reverting threat defense.
Details: If you revert from Version 7.3.x to Version 6.7.0–7.0.2 or to Version 7.1.x, unregister and reregister devices after the revert completes (CSCwi31680).

Target Version: 7.2.6
Current Version: 6.6.0–7.2.5
Guideline: Upgrade not recommended: Version 7.2.6.
Details: Due to CSCwi63113, Version 7.2.6 was deferred on 2024-04-29 and is no longer available for download. If you downloaded it, do not use it. If you are running this version, upgrade.

Target Version: 7.2.0+
Current Version: 6.7.0–7.1.x
Guideline: Upgrade prohibited: threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+.
Details: You cannot upgrade threat defense virtual for GCP from Version 7.1.x and earlier to Version 7.2.0+. You must deploy a new instance.

Target Version: 7.2.0–7.2.6
Current Version: 7.1.x, 6.6.0–7.0.2
Guideline: Unregister and reregister devices after reverting threat defense.
Details: If you revert from Version 7.2.0–7.2.6 to Version 6.6.0–7.0.2 or to Version 7.1.x, unregister and reregister devices after the revert completes (CSCwi31680).

Target Version: 7.1.0
Current Version: 7.0.4–7.0.x
Guideline: Upgrade prohibited: Version 7.0.4+ to Version 7.1.0.
Details: Due to datastore incompatibilities, you cannot upgrade from Version 7.0.4+ to Version 7.1.0. Instead, upgrade to Version 7.2.0+.

Target Version: 6.7.0–7.2.x
Current Version: 6.4.0–6.6.x
Guideline: Upgrade failure: Firepower 1010 switch ports with invalid VLAN IDs.
Details: For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with a VLAN ID in the 3968–4047 range. These IDs are for internal use only.

Upgrade Guidelines for the Firepower 4100/9300 Chassis

FXOS Upgrade Guidelines

For release-specific FXOS upgrade warnings and guidelines, as well as features and bugs with upgrade impact, see the FXOS release notes. Check all release notes between your current and target version.

Table 11. Cisco Firepower 4100/9300 FXOS Release Notes

Target Threat Defense | Target FXOS | Release Notes
7.4 | 2.14 | Cisco Firepower 4100/9300 FXOS Release Notes, 2.14(1)
7.3 | 2.13 | Cisco Firepower 4100/9300 FXOS Release Notes, 2.13
7.2 | 2.12 | Cisco Firepower 4100/9300 FXOS Release Notes, 2.12(1)
7.1 | 2.11 | Cisco Firepower 4100/9300 FXOS Release Notes, 2.11(1)
7.0 | 2.10 | Cisco Firepower 4100/9300 FXOS Release Notes, 2.10(1)
6.7 | 2.9 | Cisco Firepower 4100/9300 FXOS Release Notes, 2.9(1)
6.6 | 2.8 | Cisco Firepower 4100/9300 FXOS Release Notes, 2.8(1)

Firmware Upgrade Guidelines

For firmware upgrade guidelines, see the firmware upgrade guide: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.

Upgrade Path

Planning your upgrade path is especially important for large high availability deployments, multi-hop upgrades, and situations where you need to coordinate related upgrades—operating systems, firmware, chassis, hosting environments, and so on.

Upgrade Path for Management Center

This table lists the minimum version to upgrade management center. The management center must run the same or newer version as its managed devices. Upgrade the management center to your target version first, then upgrade devices. If you begin with devices running a much older version than the management center, further management center upgrades can be blocked. In this case you will need to perform a three (or more) step upgrade: devices first, then the management center, then devices again.

Table 12. Minimum Version to Upgrade Management Center

Target Version | Minimum Version to Upgrade | Oldest Device You Can Manage
7.4 | 7.0 | 7.0
7.3 | 7.0 | 6.7
7.2 | 6.6 | 6.6

Upgrade Path for Threat Defense

This table lists the minimum version to upgrade threat defense. If you are not running the minimum version, you will need to perform a multi-step upgrade. If a chassis upgrade is required, threat defense upgrade is blocked; see Upgrade Path for Threat Defense with Chassis Upgrade.

Table 13. Minimum Version to Upgrade Threat Defense

Target Version | Minimum Version to Upgrade
7.4 | 7.0
7.3 | 7.0
7.2 | 6.6
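
The ordering rules in this section (the management center at or ahead of its devices, the minimum versions in Tables 12 and 13, and the oldest device version each management center release can manage) can be checked mechanically before an upgrade window. The planner below is an added example, not Cisco tooling; it assumes major.minor comparison, covers only the targets the tables list, and produces the devices-first, then management center, then devices-again sequence the text describes when devices are too old for the target management center.

```python
"""Upgrade-path planner for a management center and its threat defense devices.

Added example (not Cisco tooling). It encodes the rules stated in this section:
  * the management center must run the same or a newer version as its devices;
  * a target is reachable in one hop only from its "minimum version to upgrade"
    (Tables 12 and 13);
  * after the hop the management center can only manage devices at or above
    "oldest device you can manage" (Table 12), so older devices go first.
Versions are compared at major.minor granularity, as the tables are written.
"""

# Table 12: target -> (minimum version to upgrade, oldest device you can manage)
MC_RULES = {
    (7, 4): ((7, 0), (7, 0)),
    (7, 3): ((7, 0), (6, 7)),
    (7, 2): ((6, 6), (6, 6)),
}
# Table 13: threat defense target -> minimum version to upgrade
FTD_RULES = {(7, 4): (7, 0), (7, 3): (7, 0), (7, 2): (6, 6)}


def parse(version):
    """'7.0.4' -> (7, 0); the tables reason in major.minor terms."""
    return tuple(int(p) for p in version.split(".")[:2])


def fmt(version):
    return ".".join(str(p) for p in version)


def hops(current, target, min_to_upgrade):
    """Chain of hops from `current` up to `target`.

    Each hop goes to the highest table target whose minimum version `current`
    already satisfies, without overshooting `target`. Returns [] when no
    upgrade is needed; raises ValueError when the tables offer no route.
    """
    path = []
    while current < target:
        reachable = [t for t, lo in min_to_upgrade.items()
                     if lo <= current < t <= target]
        if not reachable:
            raise ValueError(f"no supported route from {fmt(current)} toward {fmt(target)}")
        current = max(reachable)
        path.append(current)
    return path


def plan(mc_version, target_version, device_versions):
    """Ordered (what, from, to) steps that bring the management center and
    every device to `target_version`, respecting the rules above."""
    mc, target = parse(mc_version), parse(target_version)
    devices = sorted({parse(d) for d in device_versions})
    if devices and devices[-1] > mc:
        raise ValueError("management center must run the same or a newer "
                         "version as its managed devices")
    steps = []

    def upgrade_devices(upto, only_below=None):
        # Move devices (optionally only those below `only_below`) to `upto`,
        # possibly in several hops, and record each hop as a step.
        nonlocal devices
        moved = set()
        for d in devices:
            if only_below is not None and d >= only_below:
                moved.add(d)
                continue
            for hop in hops(d, upto, FTD_RULES):
                steps.append(("devices", fmt(d), fmt(hop)))
                d = hop
            moved.add(d)
        devices = sorted(moved)

    for hop in hops(mc, target, {t: r[0] for t, r in MC_RULES.items()}):
        oldest_manageable = MC_RULES[hop][1]
        if devices and devices[0] < oldest_manageable:
            # Devices the upgraded management center could no longer manage
            # are upgraded first, to the newest Table 13 target that the
            # *current* management center still supports.
            candidates = [t for t in FTD_RULES if oldest_manageable <= t <= mc]
            if not candidates:
                raise ValueError(f"Table 13 lists no device target between "
                                 f"{fmt(oldest_manageable)} and {fmt(mc)}")
            upgrade_devices(max(candidates), only_below=oldest_manageable)
        steps.append(("management center", fmt(mc), fmt(hop)))
        mc = hop
    upgrade_devices(target)
    return steps


if __name__ == "__main__":
    # Constructed scenario: management center on 7.2, devices still on 6.6,
    # everything to go to 7.4 -> devices first, then the center, then devices.
    for what, src, dst in plan("7.2", "7.4", ["6.6", "6.6"]):
        print(f"upgrade {what}: {src} -> {dst}")
```

A ValueError means the tables on this page do not cover the requested path (for example a device that would have to stop at a version Table 13 does not list), which is the cue to consult the full upgrade guide rather than improvise a hop.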

Upgrade Path for Threat Defense with Chassis Upgrade

You may need to upgrade the chassis (FXOS and firmware) before you upgrade threat defense. Because you upgrade the chassis first, you will briefly run a supported—but not recommended—combination, where the operating system is "ahead" of threat defense. If the chassis is already well ahead of its devices, further chassis upgrades can be blocked. In this case you will need to perform a three (or more) step upgrade: devices first, then the chassis, then devices again. In high availability or clustered deployments, upgrade one chassis at a time.

This table lists the minimum versions to upgrade when a chassis upgrade is required (usually major upgrades). Chassis upgrades to FXOS 2.14.1+ include firmware; otherwise, see the Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.

Table 14. Minimum Versions to Upgrade the Firepower 4100/9300

Target Versions | Minimum Versions to Upgrade
Threat Defense 7.4.1 on FXOS 2.14.1.131+ | Threat Defense 7.0 on FXOS 2.10
Threat Defense 7.3 on FXOS 2.13.0.198+ | Threat Defense 7.0 on FXOS 2.10
Threat Defense 7.2 on FXOS 2.12.0.31+ | Threat Defense 6.6 on FXOS 2.8

Bugs

This document lists open and resolved bugs for threat defense and management center Version 7.4. For bugs in earlier releases, see the release notes for those versions. For cloud-delivered Firewall Management Center bugs, see the Cisco Cloud-Delivered Firewall Management Center Release Notes.

Important

We do not list open bugs for most maintenance releases or patches.

Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated' date does not mean that the list was fully accurate on that date—only that some change was made. Depending on how and when a bug was categorized or updated in our system, it may not appear in the release notes. If you have a support contract, you can obtain up-to-date bug lists with the Cisco Bug Search Tool.

Open Bugs in Version 7.4.0

Table last updated: 2023-09-11

Table 15. Open Bugs in Version 7.4.0

Bug ID | Headline
CSCwd87510 | Deploy failure when flow export destinations are swapped or port value changed
CSCwe36422 | IDP SAML missing filter in Zero Trust Policy shows all groups have missing IDP data
CSCwf93776 | New User activity page does not display events for Special Identities Realm
CSCwh00002 | Azure AD sessions do not get removed after disabling subscription or changing ise configuration
CSCwh04354 | Importing a realm with a proxy will fail
CSCwh38213 | Editing CSDAC dynamic attribute filter throwing Internal Error
CSCwh41164 | OSPFv3 BFD sessions not coming up for more than 7
CSCwh45488 | PBR configuration using User Identity is not migrated during FTD migration to cdFMC
CSCwh46657 | Save button disabled when updating Zero Trust Policy
CSCwh49918 | New SRU is not immediately installed upon management center upgrade
CSCwh50221 | 4200 Series: Portchannel in cluster may stay down sometimes when LACP is in active mode
CSCwh50259 | EventHandler should not log warning if it fails to open a unified file when the file doesn't exist

Resolved Bugs in Version 7.4.1.1

Table last updated: 2024-04-24

Table 16. Resolved Bugs in Version 7.4.1.1

Bug ID | Headline
CSCwi23545 | HA CP clients statistics doesn't show actual Tx/Rx and Reliable Tx/Rx
CSCwi56441 | Readiness check failed on vFTD during upgrade from 741-172 to 760-1270
CSCwi58754 | Blocking SMB traffic with reason "Blocked by the firewall preprocessor"
CSCwi70371 | Intermittent Packet Losses When VTI Is Sourced From Loopback
CSCwi90040 | Cisco ASA and FTD Software Command Injection Vulnerability
CSCwi98284 | Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability
CSCwj10955 | Cisco ASA and FTD Software Web Services Denial of Service Vulnerability
CSCwj14832 | SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication

Resolved Bugs in Version 7.4.1

Table last updated: 2024-05-22

Table 17. Resolved Bugs in Version 7.4.1

Bug ID

Headline

CSCvc06888

FMC should monitor only named interfaces on FTD

CSCvq48086

ASA concatenates syslog event to other syslog event while sending to the syslog server

CSCvu22491

FMC fails to connect to SSM with error "Failed to send the message to the server"

CSCvx44261

SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors

CSCvy31169

deployment failing with - Unable to load container

CSCvy50598

BGP table not removing connected route when interface goes down

CSCvz03407

IPTables.conf file is disappearing resulting in backup and restore failure.

CSCvz22945

ERROR: Deleted IDB found in in-use queue - message misleading

CSCvz34289

In some cases transition to lightweight proxy doesn't work for Do Not Decrypt flows

CSCvz36903

ASA traceback and reload while allocating a new block for cluster keepalive packet

CSCvz71215

FMC is pushing SLA monitor commands in an incorrect order causing deployment failure.

CSCvz71596

"Number of interfaces on Active and Standby are not consistent" should trigger warning syslog

CSCwa36535

Standby unit failed to join failover due to large config size.

CSCwa53186

FTD with Inline TAP re-writes frame with wrong MAC Address leading to connectivity problems.

CSCwa59907

LINA observed traceback on thread name "snmp_client_callback_thread"

CSCwa70323

Unable to push extra domains &gt;1024 Character, as part of Custom Attribute under Anyconnect VPN

CSCwa72528

user-name from certificate feature does not work with SER option

CSCwa72929

SNMPv3 polling may fail using privacy algorithms AES192/AES256

CSCwa74063

Disable NLP rules installation workaround after mgmt-access into NLP is enabled

CSCwa82791

ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low

CSCwa82850

ASA Failover does not detect context mismatch before declaring joining node as "Standby ready"

CSCwa97917

ISA3000 in boot loop after powercycle

CSCwb00871

ENH: Reduce latency in log_handler_file to reduce watchdog under scale or stress

CSCwb04000

ASA/FTD: DF bit is being set on packets routed into VTI

CSCwb17963

Unable to identify dynamic rate liming mechanism & not following msg limit per/sec at syslog server.

CSCwb31551

When inbound packet contains SGT header, FPR2100 cannot distribute properly per 5 tuple

CSCwb53172

FTD: IKEv2 tunnels flaps every 24 hours and crypto archives are generated

CSCwb53328

ASA/FTD Traceback and reload caused by Smart Call Home process sch_dispatch_to_url

CSCwb66382

ASAv - 9344 Block not created automatically after enabling JumboFrames, breaks OSPF MD5

CSCwb73248

FW traceback in timer infra / netflow timer

CSCwb74571

PBR not working on ASA routed mode with zone-members

CSCwb79062

FMC GUI not displaying correct count of unused network objects

CSCwb79812

RIP is advertising all connected Anyconnect users and not matching route-map for redistribution

CSCwb83691

ASA/FTD traceback and reload due to the initiated capture from FMC

CSCwb87498

Lina traceback and reload during EIGRP route update processing.

CSCwb89963

ASA Traceback & reload in thread name: Datapath

CSCwb90532

ASA/FTD traceback and reload on NAT related function nat_policy_find_location

CSCwb92320

Network Object not visible after Flex migration and unable to save interface change in EIGRP-&gt;Setup

CSCwb92709

We can't monitor the interface via "snmpwalk" once interface is removed from context.

CSCwb93932

ASA/FTD failover pair traceback and reload due to connection replication race condition

CSCwb94190

ASA graceful shut down when applying ACL's with forward reference feature and FIPS enabled.

CSCwb94312

Unable to apply SSH settings to ASA version 9.16 or later

CSCwb95784

cache and dump last 20 rmu request response packets in case failures/delays while reading registers

CSCwb95850

Snort down due to missing lua files because of disabled application detectors (PM side)

CSCwb97251

ASA/FTD may traceback and reload in Thread Name 'ssh'

CSCwc02488

ASA/FTD may traceback and reload in Thread Name 'None'

CSCwc03069

Interface internal data0/0 is up/up from cli but up/down from SNMP polling

CSCwc03507

No-buffer drops on Internal Data interfaces despite little evidence of CPU hog

CSCwc05375

AnyConnect SAML - Client Certificate Prompt incorrectly appears within External Browser

CSCwc07262

Standby ASA goes to booting loop during configuration replication after upgrade to 9.16(3).

CSCwc08646

User without password prompted to change password when logged in from SSH Client

CSCwc09414

ASA/FTD may traceback and reload in Thread Name 'ci/console'

CSCwc10145

FTDv Cluster unit not re-joining cluster with error msg "Failed to open NLP SSL listening socket"

CSCwc10241

Temporary HA split-brain following upgrade or device reboot

CSCwc10483

ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread

CSCwc11511

FTD: SNMP failures after upgrade to 7.0.2

CSCwc11597

ASA tracebacks after SFR was upgraded to 6.7.0.3

CSCwc11663

ASA traceback and reload when modifying DNS inspection policy via CSM or CLI

CSCwc12322

Digitally signed ASDM image verification error on FPR3100 platforms

CSCwc13017

FTD/ASA traceback and reload at at ../inspect/proxy.h:439

CSCwc13994

ASA - Restore not remove the new configuration for an interface setup after backup

CSCwc18312

"show nat pool cluster" commands run within EEM scripts lead to traceback and reload

CSCwc18524

ASA/FTD Voltage information is missing in the command "show environment"

CSCwc23356

ASA/FTD may traceback and reload in Thread Name 'DATAPATH-20-7695'

CSCwc23695

ASA/FTD can not parse UPN from SAN field of user's certificate

CSCwc24422

AC SSLVPN with Certificate Authentication and DAP failure if client's machine cert has empty subject

CSCwc24906

ASA/FTD traceback and reload on Thread id: 1637

CSCwc26648

ASA/FTD Traceback and Reload in Thread name Lina or Datatath

CSCwc27846

Traceback and Reload while HA sync after upgrading and reloading.

CSCwc28532

9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing

CSCwc28684

MI hangs and not repsonding when FTD container instance is reloaded

CSCwc28806

ASA Traceback and Reload on process name Lina

CSCwc28854

Incorrect IF-MIB response when failover is configured on multiple contexts

CSCwc28928

ASA: SLA debugs not showing up on VTY sessions

CSCwc32246

NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used

CSCwc35583

Snort leaking file descriptors with each u2 file created

CSCwc36905

ASA traceback and reload due to "Heap memory corrupted at slib_malloc.c

CSCwc37256

SSL AnyConnect access blocked after upgrade

CSCwc40352

Lina Netflow sending permited events to Stealthwatch but they are block by snort afterwards

CSCwc40381

ASA : HTTPS traffic authentication issue with Cut-through Proxy enabled

CSCwc44289

FTD - Traceback and reload when performing IPv4 &lt;&gt; IPv6 NAT translations

CSCwc45108

ASA/FTD: GTP inspection causing 9344 sized blocks leak

CSCwc45397

ASA HA - Restore in primary not remove new interface configuration done after backup

CSCwc45575

ASA/FTD traceback and reload when ssh using username with nopassword keyword

CSCwc48375

Inbound IPSEC SA stuck inactive - many inbound SPIs for one outbound SPI in "show crypto ipsec sa"

CSCwc49095

ASA/FTD 2100 platform traceback and reload when fragments are coalesced and sent to PDTS

CSCwc50887

FTD - Traceback and reload on NAT IPv4&lt;&gt;IPv6 for UDP flow redirected over CCL link

CSCwc50891

MPLS tagging removed by FTD

CSCwc51326

FXOS-based Firepower platform showing 'no buffer' drops despite high values for RX ring watermarks

CSCwc52351

ASA/FTD Cluster Split Brain due to NAT with "any" and Global IP/range matching broadcast IP

CSCwc53280

ASA parser accepts incomplete network statement under OSPF process and is present in show run

CSCwc54217

syslog related to failover is not outputted in FPR2140

CSCwc54984

IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response

CSCwc60037

ASA fails to rekey with IPSEC ERROR: Failed to allocate an outbound hardware context

CSCwc61912

ASA/FTD OSPFv3 does not generate messages Type 8 LSA for IPv6

CSCwc66757

ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwc67031

vti hub with NAT-T enabled pinholes connections are looping and causing snort busy drops

CSCwc67886

ASA/FTD may traceback and reload in Thread Name 'lina_inotify_file_monitor_thread'

CSCwc70962

FTD/ASA "Write Standby" enables ECDSA ciphers causing AC SSLv3 handshake failure

CSCwc72155

ASA/FTD Traceback and reload on function "snp_cluster_trans_allocb"

CSCwc72284

TACACS Accounting includes an incorrect IPv6 address of the client

CSCwc73224

Call home configuration on standby device is lost after reload

CSCwc74103

ASA/FTD may traceback and reload in Thread Name 'DATAPATH-11-32591'

CSCwc74858

FTD - Traceback in Thread Name: DATAPATH

CSCwc77680

FTD may traceback and reload in Thread Name 'DATAPATH-0-4948'

CSCwc77892

CGroups errors in ASA syslog after startup

CSCwc78781

ASA/FTD may traceback and reload during ACL changes linked to PBR config

CSCwc79366

During the deployment time, device got stuck processing the config request.

CSCwc80234

"inspect snmp" config difference between active and standby

CSCwc81184

ASA/FTD traceback and reload caused by SNMP process failure

CSCwc81945

Traffic on data unit gets dropped with "LU allocate xlate failed" on GCP cluster with interface NAT

CSCwc81960

Unable to configure 'match ip address' under route-map when using object-group in access list

CSCwc82188

FTD Traceback and reload when applying long commands from FMC UI or CLISH

CSCwc83346

ASA/FTD Traceback and reload in Threadname: IKE Daemon

CSCwc88897

ASA traceback and reload due to null pointer in Umbrella after modifying DNS inspection policy

CSCwc90091

ASA 9.12(4)47 with user-statistics, will affects the "policy-server xxxx global" visibility.

CSCwc93166

Using write standby in a user context leaves secondary firewall license status in an invalid state

CSCwc94085

Unable to establish DTLSv1.2 with FIPS enabled after upgrade from 6.6.5.

CSCwc94501

ASA/FTD memory leak and tracebacks due to ctm_n5 resets

CSCwc94547

Lina Traceback and reload when issuing 'debug menu fxos_parser 4'

CSCwc95290

ESP rule missing in vpn-context may cause IPSec traffic drop

CSCwc96805

traceback and reload due to tcp intercept stat in thread unicorn

CSCwc99242

ISA3000 LACP channel member SFP port suspended after reload

CSCwd00386

ASA/FTD may traceback and reload when clearing the configration due to "snp_clear_acl_log_flow_all"

CSCwd00778

ifAdminStatus output is abnormal via snmp polling

CSCwd02864

logging/syslog is impacted by SNMP traps and logging history

CSCwd03793

FTD Traceback and reload

CSCwd03810

ASA Custom login page is not working through webvpn after an upgrade

CSCwd04135

Snort3 unexpectedly dropping packets after 4MB when using file inspection with detection mode NAP

CSCwd04436

User/group download may fail if a different realm is changed and saved

CSCwd04494

Unable to add on-board and netmod interfaces to the same port-channel on Firepower 3110

CSCwd05756

FTD traceback on Lina due to syslog component.

CSCwd06005

ASA/FTD Cluster Traceback and Reload during node leave

CSCwd07098

25G CU SFPs not working in Brentwood 8x25G netmod

CSCwd08098

cacert.pem on FMC expired and all the devices showing as disabled.

CSCwd10822

Failover trigger due to Inspection engine in other unit has failed due to disk failure

CSCwd11303

ASA might generate traceback in ikev2 process and reload

CSCwd11855

ASA/FTD may traceback and reload in Thread Name 'ikev2_fo_event'

CSCwd14972

ASA/FTD Traceback and Reload in Thread Name: pix_flash_config_thread

CSCwd16294

GTP inspection drops packets for optional IE Header Length being too short

CSCwd16689

ASA/FTD traceback due to block data corruption

CSCwd20627

ASA/FTD: NAT configuration deployment failure

CSCwd22349

ASA: Unable to connect AnyConnect Cert based Auth with "periodic-authentication certificate" enabled

CSCwd22907

ASA/FTD High CPU in SNMP Notify Thread

CSCwd23913

FTD in HA traceback multiple times after adding a BGP neighbour with prefix list.

CSCwd25201

ASA/FTD SNMP traps enqueued when no SNMP trap server configured

CSCwd25256

ASA/FTD Transactional Commit may result in mismatched rules and traffic loss

CSCwd26867

Device should not move to Active state once Reboot is triggered

CSCwd28037

TPK: No nameif during traffic causes the device traceback, lina core is generated.

CSCwd31181

Lina traceback and reload - VPN parent channel (SAL) has an invalid underlying channel

CSCwd31806

ASAv show crashinfo printing in loop continuously

CSCwd31960

Management access over VPN not working when custom NAT is configured

CSCwd33811

Cluster registration is failing because DATA_NODE isn't joining the cluster

CSCwd33962

3130 HA assert: mh-&gt;mh_mem_pool &gt; MEMPOOL_UNDEFINED && mh-&gt;mh_mem_pool &lt; MEMPOOL_MAX_TYPE

CSCwd34079

FTD: Traceback & reload in process name lina

CSCwd38583

ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades

CSCwd38805

Syslog 106016 is not rate-limited by default

CSCwd40260

Serviceability Enhancement - Unable to parse payload are silently drop by ASA/FTD

CSCwd41083

ASA traceback and reload due to DNS inspection

CSCwd41553

PIM register packets are not sent to Rendezvous Point (RP) due to PIM tunnel interface down state

CSCwd43622

Blade remains online for more than 600 secs after deleting Native logical device on 92.14.0

CSCwd45451

FMC: Script to change hostname/IP on FTD's when FMC's Ip/hostname is changed

CSCwd49402

Not able to ping Virtual IP of FTDv cluster

CSCwd54360

FP2100: FXOS side changes for HA is not resilient to unexpected lacp process termination issue

CSCwd66820

Cisco Firepower Management Center Object Group Access Control List Bypass Vulnerability

CSCwd66822

FDM FPR2k Netmork module interfaces are greyed out post 7.1.0 update

CSCwd68745

QEMU KVM console got stuck in "Booting the kernel" page

CSCwd73020

Fix Bootup Warning: Counter ID 'TLS13_DOWNSTREAM_CLIENT_CERTIFICATE_VERIFY' is too long

CSCwd79150

Device API healthStatus for cluster devices not aligned with health status on device listing

CSCwd85073

Snort3 stream core found init_tcp_packet_analysis

CSCwd89095

Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload

CSCwd98070

Unable to register new devices to buildout FMC 2700 (FMC HA Active)

CSCwe04043

FTD-HA upgrade failed

CSCwe10872

Internal Error while editing PPPoE configurations

CSCwe12705

multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa

CSCwe15924

FMC-HA Sync loss for more then hr due to MariaDB replication is not in good state and recovered

CSCwe21301

Azure FMC not accessible after upgrading from 7.3.0 to 7.4.0

CSCwe25025

8x10Gb netmod fails to come online

CSCwe25342

ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured

CSCwe25412

Azure D5v2 FTDv unable to send traffic - underruns and deplete DPDK buffers observed

CSCwe28912

FPR 4115- primary unit lost all HA config after ftd HA upgrade

CSCwe30359

Traffic drops for several minutes during deployment

CSCwe33282

FTD: The upgrade was unsuccessful because the httpd process was not running

CSCwe34664

The interface is deleted from interface group if the user change the name of it [API]

CSCwe37941

v1_message* and abp* files & sxp bookmark are not cleaned in user_enforcement on device registration

CSCwe38601

FMC search error: "Error Loading Data Search Service Please Try Again."

CSCwe38640

EventHandler warnings if syslog facility is CONSOLE

CSCwe41766

FTD may not reboot as expect post upgrade if bundled FXOS version is the same on old and new version

CSCwe42061

Deleting a BVI in FTD interfaces is causing packet drops in other BVIs

CSCwe42236

FMC: Domain creation fails with error "Index 'netmap_num' for table 'domain_control_info'"

CSCwe44571

FMC: GEOLOCATION size is causing upgrade failures

CSCwe45569

FTD upgrade from 7.0 to 7.2.x and beyond crashes due to management-access enabled

CSCwe48997

Cannot create two RA-VPN profiles with different SAML servers that have the same IDP


CSCwe55308

Memory leak in the MessageService

CSCwe58635

Readiness Check Failed [ERROR] Fatal error: Enterprise Object integrity check failed with 7 errors

CSCwe58700

ASA/FTD: Revision of cluster event message "Health check detected that control left cluster"

CSCwe59889

Create Identity Services Engine via API returns 404 Client Error: Not Found

CSCwe63759

Cluster hardening fixes

CSCwe65492

KP Generating invalid core files which cannot be decoded 7.2.4-64

CSCwe65516

show xlate does not display xlate entries for internal interfaces (nlp_int_tap) after enabling ssh.

CSCwe67180

FTD HA app-sync failure, due to corruption in cache files.

CSCwe68840

add syslog ids the range 805003 ? 852002 for rate limit under fmc

CSCwe69824

validation check on FMC GUI causing issue and throwing error when adding new NAT objects

CSCwe70378

Connections not replicated to Standby FTD

CSCwe71220

FTD Crash in Thead Name: CP Processing

CSCwe73933

SNMPv3 polling may fail using privacy algorithms AES192/AES256

CSCwe75267

Cannot Force Break FTD HA Pair

CSCwe78674

User Group Download fetches less data than available or fails with "Size limit exceeded" error

CSCwe80273

FMC device search page removes FTD from the groups and put them back to ungrouped

CSCwe82704

PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting"

CSCwe83255

ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwe84079

asa_snmp.log is not rotated, resulting in large file size

CSCwe84695

FMC/FTD Dynamic VPN. Possibility to choose default preshared key from the dropdown list.

CSCwe85156

FTD: 10Gbps/full interfaces changed to 1Gbps/Auto after upgrade and going to down state

CSCwe87134

Lina core created during high traffic testing

CSCwe88802

FTD readiness and upgrade passed with exception log as ProgressReport' has no attribute 'KB_UNIT'

CSCwe90168

Unable to Access FMC GUI when using Certificate Authentication

CSCwe92723

Phase 2 NAP delay seen in 7.0.1 while deploying policy

CSCwe93137

KP - multimode: ASA traceback observed during HA node break and rejoin.

CSCwe95729

Cisco ASA & FTD SAML Authentication Bypass Vulnerability

CSCwe97277

Observed ASA traceback and reload when performing hitless upgrade while VPN traffic running

CSCwe98435

Selective policy deploy with Identity Policy (captive-portal) and SSL Policy (dp-tcp-proxy) CLI

CSCwf00804

EventHandler occasional corrupt bundle record - SFDataCorrelator logs "Error deserializing"

CSCwf05295

FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message.

CSCwf06818

Cisco Firepower Threat Defense Software Encrypted Archive File Policy Bypass Vulnerability

CSCwf08790

FMC Restore of remote backup fails due to no space left on the device

CSCwf13674

Deployments can cause certain RAVPN users mapping to get removed.

CSCwf14031

Snort down due to missing lua files because of disabled application detectors (VDB side)

CSCwf14411

getting wrong destination zone on traffic causing traffic to match wrong AC rule

CSCwf15863

Very specific "vpn-idle-timeout" values cause continuous SSL session disconnects and reconnects

CSCwf16559

getReadinessStatusTaskList pjb request is very frequent when user in Upgrade sensor list page

CSCwf16679

HA Serviceability Enh: Maintain HA NLP client stats and HA CTL NLP counters for current App-sync

CSCwf17042

ASDM replaces custom policy-map with default map on class inspect options at backup restore.

CSCwf19621

Unable to edit name or inspection mode of intrusion policy

CSCwf21204

DBCheck shouldn't run against MonetDB if user is collecting config backup alone

CSCwf22045

MYSQL, or any TCP high traffic, getting blocked by snort3, with snort-block as Drop-reason

CSCwf22637

Network Object Group overrides not visible or be edited from FMC GUI

CSCwf24818

Unable to change admin user password after FMC migration if it had LOM access

CSCwf25402

FMC - Import SSL Certificate Pinning from a CSV file may result in a failure to deploy policy on FTD

CSCwf25563

Device list takes longer to load while creating new AC policy

CSCwf25642

High Disk Utilization and Performance issue due to large MariaDB Undo Logs

CSCwf26350

User is not informed of the dependent IPS when policy import fails.

CSCwf27337

KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall

CSCwf31050

[IMS_7_5_MAIN]High CPU usage on multiple appliances

CSCwf35233

Cisco Adaptive Security Appliance Software and Firepower Threat Defense DoS

CSCwf35573

Traffic may be impacted if TLS Server Identity probe timeout is too long

CSCwf36563

The interface configuration is missing after the FTD upgrade

CSCwf36621

access-list: Cannot mix different types of access lists.

CSCwf39163

ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk

CSCwf39821

FTD: High-Availability unit struck at CD App Sync error due to error ngfwManager restart on peer

CSCwf41187

WINSCP and SFTP detectors do not work as expected

CSCwf41433

ASA/FTD client IP missing from TACACS+ request in SSH authentication

CSCwf42012

Improper load-balancing for traffic on ERSPAN interfaces on FPR 3100/4200

CSCwf42097

PSEQ (Power-Sequencer) firmware may not be upgraded with bundled FXOS upgrade

CSCwf42234

S2S dashboard SVTI tunnel details are missing after upgrade

CSCwf43537

Lina crash in thread name: cli_xml_request_process during FTD cluster upgrade

CSCwf43850

ECMP + NAT for ipsec sessions support request for Firepower.

CSCwf44537

99.20.1.16 lina crash on nat_remove_policy_from_np

CSCwf45091

Snort3 matches SMTP_RESPONSE_OVERFLOW (IPS rule 124:3) when SMTPS hosts exchange certificates

CSCwf47227

Priority-queue command causes silent egress packet drops on all port-channel interfaces

CSCwf49486

store_*list_history.pl task is created every 5min without getting closed causing FMC slowness.

CSCwf50497

DNS cache entry exhaustion leads to traceback

CSCwf52810

ASA SNMP polling not working and showing "Unable to honour this request now" on show commands

CSCwf54510

ASA traceback and reload on Thread Name: DHCPRA Monitor

CSCwf55236

Unable to delete custom rule group even when excluded from all the ips policies

CSCwf56386

vFTD runs out of memory and goes to failed state

CSCwf56811

ASA Traceback & reload on process name lina due to memory header validation

CSCwf59643

FTD: HA App sync failure due to fover interface flap on standby unit

CSCwf60590

"show route all summary" executed on transparent mode FTD is causing CLISH to become sluggish.

CSCwf62729

7.0.6 - Lina Crash in RAVPN interface with anomaly traffic in both non-FIPS and FIPS mode

CSCwf62820

Failover: standby unit traceback and reload during modifying access-lists

CSCwf63358

FTD Diskmanager.log is corrupt causing hm_du module to alert false high disk usage

CSCwf63872

FTD taking longer than expected to form OSPF adjacencies after a failover switchover

CSCwf64590

Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220

CSCwf68335

vFMC: Scheduled deployment failing

CSCwf69313

Correlation events for Connection Tracker <, <=, = or != rules show data for unrelated connections

CSCwf69880

FP3110 7.2.4 Unexpected reboot of Firepower 3110 Device

CSCwf69901

FTD: Traceback and reload during OSPF redistribution process execution

CSCwf71602

FMC not generating FTD S2S VPN alerts when down or idle

CSCwf72434

Add meaningful logs when the maximum system rule limits are hit

CSCwf73773

Dumping of last 20 rmu request response packets failed

CSCwf75214

ASA removes the IKEv2 Remote PSK if the Key String ends with a backslash "\" after reload

CSCwf75695

Duplicate FTD cluster has been created when multiple cluster events come at the same time

CSCwf76945

Packet data is still dropped after upgrade

CSCwf77994

False critical high CPU alerts for FTD device system cores running diskmanager/Pruner

CSCwf78321

ASA: Checkheaps traceback and reload due to Clientless WebVPN

CSCwf79372

after HA break, selected list shows both devices when one device is selected for upgrade

CSCwf80163

Critical Alert Smart Agent is not registered with Smart Licensing Cloud

CSCwf80183

Snort3 core in navl seen during traffic flow

CSCwf82279

Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages

CSCwf82447

Editing identity nat rule disables "perform route lookup" silently

CSCwf82742

FTD: SNMP not working on management interface

CSCwf82970

Snort2 engine is crashing after enabling TLS Server Identity Discovery feature

CSCwf84200

Snort core while running IP Flow Statistics

CSCwf86519

FMC displays VPN status as unknown even if the status is up if one of the peers is extranet

CSCwf86557

Decrypting engine/ssl connections hang with PKI Interface Error seen

CSCwf87070

WM RM - SFP port status of 9 follows port of state of SFP 10|11|12

CSCwf88030

FMC pushes the "shutdown" command on the management interface for the logical device

CSCwf88124

switch ports in Trunk mode do not pass vlan traffic after power loss

CSCwf89959

ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls

CSCwf91282

import of .SFO to FMC failed due to included local/custom rules having a blank rule message field

CSCwf92135

ASA: Traceback and reload on Thread name "fover_FSM_thread" and ha_ntfy_prog_process_timer

CSCwf92182

Cisco Firepower Management Center Software SQL Injection Vulnerability

CSCwf92646

ECDSA Self-signed certificate using SHA384 for EC521

CSCwf92661

ASA|FTD: Traceback & reload due to a free buffer corruption

CSCwf92726

LDAP missing files after upgrade when the Vault token is corrupted

CSCwf94194

FMC: Should not be able to add the same interface to the same ECMP zone

CSCwf94450

FTD Lina traceback Thread Name: DATAPATH-3-11917 due to double free

CSCwf94677

"failover standby config-lock" config is lost after both HA units are reloaded simultaneously

CSCwf95147

OSPFv3 Traffic is Centralized in Transparent Mode

CSCwf96938

FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment

CSCwh01673

FTD /ngfw disk space full from Snort3 url db files

CSCwh02457

Radius authentication stopped working after ASAv on AWS upgrade to any higher version than 9.18.2

CSCwh02561

Port-channel interface speed changes from 10G to 1G after a policy deployment

CSCwh04365

ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix

CSCwh04395

ASDM application randomly exits/terminates with an alert message on multi-context setup

CSCwh04730

ASA/FTD HA checkheaps crash where memory buffers are corrupted

CSCwh05863

ASA omits port in host field of HTTP header of OCSP request if non-default port begins with 80

CSCwh06452

Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2

CSCwh08481

ASA traceback on Lina process with FREEB and VPN functions

CSCwh08683

FTDv/AWS - NTP clock offset between Lina and FTD cluster

CSCwh09968

ASA/FTD: Traceback and reload due to NAT change and DVTI in use

CSCwh10087

core-compressor fails due to core filename with white space

CSCwh11411

Snort blacklisting traffic during deployment

CSCwh11764

ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms

CSCwh13625

Encrypted Visibility Engine (EVE) FMC dashboard tab and widgets not renamed after 7.1 > 7.2+ upgrade

CSCwh13821

ASA/FTD may traceback and reload when changing capture buffer size

CSCwh14467

File sizes bigger than 100MB for AnyConnect/Secure Client images cannot be uploaded on FMC

CSCwh14863

FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn

CSCwh15109

SRU installation gets stuck at 602_log_package.pl script, causing deployment failure

CSCwh15223

Lina crash in snp_fp_tcp_normalizer() when DAQ/Snort sends malformed L3 header

CSCwh16301

Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output

CSCwh18967

Include "show env tech" in FXOS FPRM troubleshoot

CSCwh19475

Intermittently, flow is getting white-listed by Snort for unknown app-id traffic.

CSCwh19897

ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple

CSCwh21141

The FMC preview deployment shows a wrong information.

CSCwh21360

741 - HA & AppAgent - Long term solution for avoiding momentary split-brain situations

CSCwh21420

ASA unexpected HA failover due to MIO blade heartbeat failure

CSCwh21474

ASA traceback when re-configuring access-list

CSCwh22348

sfdatacorrelator crashing due to table corruption 'rua_event_xxxxx'

CSCwh22565

Snort 3 HTTP Intrusion Prevention System Rule Bypass Vulnerability

CSCwh23567

PAC Key file missing on standby on reload

CSCwh24826

FMC upgrade stuck at 1039_fmc_rabbitmq_enable

CSCwh24901

Frequent drain of events (not unprocessed events) to be removed from FMC

CSCwh25351

FTD VMWare: High disk utilization on /dev/sda8 partition caused by file system corruption

CSCwh25928

FMC userrole missing permissions may cause Tomcat to continuously restart after upgrade to 7.2.4

CSCwh26526

SQL packets involved in a large query are dropped by Snort3 with reason snort-block

CSCwh27230

Connections are not cleared after idle timeout when the interfaces are in inline mode.

CSCwh28007

While editing AC-policy rules, the rule order number becomes misaligned.

CSCwh28144

Specific OID 1.3.6.1.2.1.25 should not be responding

CSCwh28185

dl_task.pl tasks keep getting created every hour when a database query is blocked

CSCwh28206

Firewall Blocking packets after failover due to IP <-> SGT mappings

CSCwh28218

Syslog not updating when prefilter rule name changes

CSCwh29092

FTD (FDM) fails when executing script 800_post/100_ftd_onbox_data_import.sh

CSCwh30111

FTD - Upgrade triggers persistent VPN Tunnel health monitor alarm

CSCwh30891

ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config

CSCwh31495

FTD - Traceback and reload due to nat rule removed by CPU core

CSCwh32118

ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT

CSCwh34344

FTD not generating end of connection event after "Deleting Firewall session"

CSCwh36167

DAP: FMC adds &#13 characters in a LUA script

CSCwh37475

Removal of msie-proxy commands during flexconfig rollback

CSCwh37733

FTD responding to UDP500 packet with a Mac Address of 0000.000.000

CSCwh37737

FMC7.2.x EIGRP flexconfig migration fails with internal error due to interface config mismatch

CSCwh38492

FMC Restore is stuck in vault clear stage after mysql restore completed

CSCwh38708

ASA "pager line 25" command doesn't work as expected on few terminal applications

CSCwh40106

FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze

CSCwh41127

ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA

CSCwh42077

Cisco_Firepower_GEODB_FMC_Update* are not included in diskmanager

CSCwh42412

FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing

CSCwh44479

Configuration archive creation failing and causing deployment preview to throw error

CSCwh45450

2100: Interfaces missing from FTD after removing interfaces as members of a port-channel

CSCwh47395

Extended Access List Object does not allow IP range configuration

CSCwh47701

ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces

CSCwh48844

FTD: Failover/High Availability disabled with Mate version 0.0 is not compatible

CSCwh49244

"show aaa-server" command always shows the Average round trip time 0ms.

CSCwh49483

ASA/FTD may traceback and reload while running show inventory all

CSCwh52420

AMP Cloud look up timeout frequently.

CSCwh52526

FMC SSO times out when user session is active for more than 1 hr (idle timeout)

CSCwh53116

Initiator Country and Continent missing on Custom View on Event viewer

CSCwh53143

ASA: Management access via IPSec tunnel is NOT working

CSCwh54228

FMC: query_engine.log Growing More Quickly Than Expected, Resulting In High Disk Utilization