FMC Unified Events Search Fails with Network Object Names in Firepower 7.7

Issue

When using Cisco Secure Firewall Management Center (FMC) version 7.7.10.1, network objects and object groups cannot be used as search criteria in the Unified Events page. When attempting to search for events using specific object or group names under Source IP in Unified Event search, the FMC either returns no results or displays an error message:

The query contains an invalid constraint on the provided field: "Source IP" with value "${000_ALL-USER_GRP}"

The objects are visible and usable under Object Management, and searches by raw IP address work as expected. This behavior affects both existing and newly created network objects, making it difficult to search for events using object names or group names in the Unified Events interface.

Environment

• Cisco Secure Firewall Management Center for VMware (FMCv)

• Software Version: 7.7.10.1

• Technology: Cisco Secure Firewall Firepower - 7.7

• Sub-Technology: Cisco Secure Firewall - Monitoring / Eventing / Logging - 7.7

• Deployment: Standalone FMC configuration

• FMC contains over 1000 network objects

• Environment includes migration history from on-premises FMC to cdFMC and back to on-premises

Resolution

This issue is caused by a known software defect and cannot be fully resolved through configuration changes on the current software version. It is recommended to implement this resolution approach.

Immediate Workaround

Use IP address fields in Unified Event searches instead of object names or groups as an interim workaround. When investigating events related to affected objects or groups:

1. Navigate to Analysis > Unified Events.

2. In the search criteria, use the actual IP addresses instead of object names.

3. Enter the specific IP address or IP range in the Source IP or Destination IP fields.

4. Execute the search to retrieve the desired events.

Long-term Solution

The permanent fix requires upgrading to a future FMC software release that includes the resolution for Cisco Bug ID CSCws52418. Take these steps:

1. Subscribe to defect CSCws52418 notifications to receive alerts when fixed FMC versions become available.

2. Monitor the bug status for updates on the fix availability, tentatively scheduled for May 2026.

3. Plan a maintenance window to upgrade FMC and managed devices to a release that includes the fix for CSCws52418 once it is published.

Prevention and Recommendations

Until the software upgrade is completed:

• Use IP-based search criteria in Unified Events (Source/Destination IP) when investigating events related to affected objects or groups.

• When creating new operational workflows, avoid relying solely on object-name searches in Unified Events for operational or audit processes on this version.

• Document affected object names and their corresponding IP addresses for reference during troubleshooting.

Cause

The behavior is caused by Cisco Bug ID CSCws52418, where the internal handling of object lookups for event searches is constrained by an internal limit of approximately 1000 object entries. Objects outside this limit are not correctly indexed or returned in Unified Event searches by name, resulting in missing results or "invalid constraint" errors. The monetdb event database rebuild does not resolve this behavior as it is a coded, software limitation rather than a database corruption issue.

Related Content

• Cisco Bug ID CSCws52418 - Some Objects Not Available for Selection in Event Search Filters
• Cisco Bug ID CSCwt05296 - Unable to use newly created or system defined object IPv4-Private-All-RFC1918 as a filter in events
• Cisco Technical Support & Downloads