- Introduction
- Supported Platforms and Environments in Version 6.2.0.x
- Management Capability in Version 6.2.0.x
- Features and Functionality
- Terminology and Documentation for Version 6.2.0.x
- Product Compatibility in Version 6.2.0.x
- Update vs. Reimage vs. Deploy
- Important Update Notes
- Update to Version 6.2.0.x
- Uninstall Version 6.2.0.x
- Resolved Issues
- Known Issues
- For Assistance
Resolved Issues
For devices running or hosted on a non-Firepower appliance (for example, ASA OS or FXOS), resolving an issue may require that you update the operating system in addition to Firepower. We recommend you update to the latest supported version.
The following defects are resolved in Version 6.2.0.x:
- Issues Resolved in Version 6.2.0.3
- Issues Resolved in Version 6.2.0.2
- Issues Resolved in Version 6.2.0.1
- Issues Resolved in Version 6.2.0
Issues Resolved in Version 6.2.0.3
The following table lists the caveats resolved at the time of publication of these release notes. If you have a Cisco support contract, run the following dynamic queries in the Bug Search Tool for an updated list of resolved caveats:
- Resolved Firepower Management Center caveats in Version 6.2.0.3
- Resolved Firepower Management Center caveats in Version 6.2.0.3
| Caveat ID Number | Description |
|---|---|
| Security Issue | Cisco Firepower SSL Logging Denial of Service Vulnerability |
| Security Issue | Cisco Firepower System Software Secure Sockets Layer Policy Bypass Vulnerability |
| | Inline result showing "would have dropped" |
| | Spurious high unmanaged disk usage on /dev/shm alerts |
| | SFDCNotificationd dumps core if stopped after SFDataCorrelator |
| | Access control policy search highlight incorrectly highlights |
| | ASA 5506-X Firepower Threat Defense Reset Button |
| | Mperf causing high CPU that stays constantly high. |
| | Proxy configuration can't be saved from UI under some circumstances |
| | Firepower Management Center freezes when attempt is made to sort the App Detectors |
| | Upgrade ASA on Firepower Threat Defense managed by Management Center breaks Malware cloud lookup |
| | Show NAT flows on Firepower 7000/8000 series devices displays incorrect data |
| | Unable to expand or scroll if more than 11 DHCP relay agents configured in Management Center |
| | Error message "Unable to translate SSL cipher suite 65535" needs cleaning up |
| | Rule copy and paste resets to top instead of the rule being edited |
| | Diskmanager not managing /var/cisco/umpd properly |
| | Unclear to user that DB check is running after ungraceful shutdown |
| | Sub-interface entries not getting removed from bridge group interface after net-mode change |
| | Search in access control policy returning incorrect results. |
| | Mismatched VLAN tagged traffic has inconsistent access control rule matches. |
| | Mishandled rule index numbers on multipage access control policies with collapsed rule categories |
| | logrotate fails if permission on .conf file is incorrect - perm should be checked |
| | Making minor changes to included/excluded users in a realm may cause unexpected behavior |
| | Use of manage_procs.pl can result in a stack coming out of maintenance mode |
| | Evaluation of sfims for OpenSSL Jan 2017 |
| | Route cannot be added under Management Interface |
| | Management Interfaces Proxy settings disabled after 6.1.0 Management Center upgrade |
| | Possible error in PDF/SWF decompression |
| | Health monitoring for 8000 series firmware needs to try again for comms failure |
| | DHCP server: Not able to configure DHCP server on BVI member (Redundant) - Transparent mode. |
| | Excessive logging from sip preprocessor function SipSessionSnortCallback |
| | Firepower Threat Defense high availability creation failed due to DB lock issue |
| | PerlMessageHand_11 core on Firepower Management Center Virtual while system is shutting down |
| | modbus false positive on MODBUS_BAD_LENGTH |
| | Upgraded 6.x Management Center incorrectly deploys obsoleted detectors to 6.x devices |
| | Snort is unable to map the filename if there are unsupported characters. |
| | ADI discards all but one IP address from a session notification |
| | Snort reloads cause memory leaks and CPU increase |
| | When import of HTTPS Server Certificate fails, UI is blank without error |
| | Custom NAP rule with inline normalization enabled does not enable normalization |
| | Mismatch between internal database entries prevents correct session propagation |
| | Repeated same DiskMgr logs flooding messages log - causing small log retention period |
| | Query Cisco CSI for Unknown URLs option is not properly synchronized in Management Center pairs |
| | Access Control Policy page conflict detection can show conflicts when there are none. |
| | Correlation Events and Syslog Events show incorrect local rule SID |
| | Need ability to enable PPTP inspection |
| | Policy deploy hangs at 40% with object names ending with [ _ ] |
| | Unable to delete third party vulnerabilities when the host count associated with them is > 100 |
| | 7000 and 8000 Series Device with Passive Interface does not Failover when Active device powers off |
| | Data channel traffic on Windows FTP server isn't matching the pinhole session as expected |
| | CSM backup failed on Secondary Firepower Management Center |
| | Unable to import if Access Control rules have Realm as matching condition |
| | Snort process at 100% and takes excessive amount of time to parse IPS rules. |
| | 2048 byte block depletion with continuous SSL traffic and decrypt resign enabled on Threat Defense |
| | eStreamer certificate generates errors with a McAfee ESM: generationQualifier verification failed |
| | Maximum File Events limit reduces to smaller number after upgrade to 6.1.0 |
| | Stack entering bypass due to disk space health alert |
| | SFDataCorrelator will not stop on Threat Defense device due to database connection corruption |
| | Upgrade file-transfer from Firepower Management Center to Firepower device times out after one hour |
| | POP3 payload inspection not proper on snort with the file detection policy |
| | Host input operations can overwhelm high availability transactions |
| | Access control rule is not matched correctly if src zone and dst zone have different types |
| | Nothing is shown when clicked on Policy Assignments |
| | Static URL/DNS lists are not included in backup |
| | When expanding individual categories in Access Control Policy, rule ID changes |
| | Running Patch Uninstaller causes cc-integrity.sh to fail; no UI. |
| | SFDataCorrelator segfault due to null pointer dereference in handle_host_address_changes() |
| | Multiple login messages with different username and same realm/IP/timestamp scramble SFDaco |
| | Firepower Management Center "Interface Type Mismatch with Syslog Server Ip Type" error |
| | eStreamer service sends corrupt messages and spams log files with "Not connected" |
| | SFDataCorrelator segfault due to null field in internally generated logoff event |
| | Snort memcals for startup memory incorrect on Firepower Threat Defense |
| | Management Center not deactivating smart licenses for Firepower Threat Defense devices |
| | Port Scan: IP Protocol scanning not getting detected. |
| | Snort not triggering Event 123:7 FRAG3_ANOMALY_BADSIZE_LG |
| | eStreamer log spam "Unable to open directory" |
| | record_count for interface stats from the sensor is being set to 0, coring SFDataCorrelator. |
| | Firepower Management Center high availability sync fails if file name contains 2 dots [ .. ] |
| | BitTorrent traffic not blocked consistently on resumed sessions. |
| | Migration lock not removed even if migration fails |
| | REST API internal error when removing AP rule from API that moved via GUI |
| | Missing column netmap_num from the join on event_extra_data table. |
| | Platform settings applied to more than 1 Threat Defense device do not vary |
| | Threat Defense: Blocking Facebook post/chat/comments/likes application not working for Firefox |
| | SFDataCorrelator crash or exit when event table contains large highest index |
| | REST identity application and ADI leak File Descriptors |
| | Poor performance of packet logs UI due to query not using index |
| | Configuring an IP pool for a diagnostic port channel interface on a Threat Defense cluster fails |
| | Access control policy uneditable if copying large Policy, insert/move 50+ rules into category |
| | DNS Security Intelligence feeds are not automatically pushed to sensors |
| | SFDataCorrelator coring due to ids_event_msg_map message being null |
| | MC2000 and MC4000 can rarely hang during boot |
| | ids_event_alerter causes high CPU on Threat Defense device when UUID is missing from EOAttributes |
| | Unicode file support over SMB on Firepower Threat Defense |
| | Multiple CLAM update tasks created in the AQ during device registration. |
| | Access control policy/Pre-filter rules are negated and re-added on usage of icmp objects |
| | 256 low block count leads to traffic failures due to alloc to inspect snort |
| | Intrusion event of old session is missing after update and config deploy |
| | Management Center: Deleting 1 category in nested access control policy deletes all categories |
| | Firepower Threat Defense management interface link flaps when IPv6 gateway is configured |
| | Performance graphs are inconsistent when processed_total_packets is 0 |
| | Incorrect access control rule is matched in Threat Defense device when it is set up in passive mode |
| | SFDataCorrelator segfaults repeatedly when processing SSL certificate details |
| | When SSL rules are enabled and sensor is oversubscribed, rules are not correctly enforced. |
| | SFDataCorrelator takes a long time to start due to large firewall_rule_cache table |
| | After captive portal authentication, packet is incorrectly associated with realm ID 0 |
| | DH Ephemeral Keys with Known Key SSL Policy and session reuse causes client to close session. |
| | Long traffic connections matching Do Not Decrypt SSL rules may be blocked |
| | Management interface bootstrap fails with IPv6-only configuration and no available DHCPv4 servers |
| | SFDataCorrelator segfaults during loading of compliance rules |
| | SSL flows failing due to Flow tables and Flow IDs overflowing |
| | SSL policy Category lookup fails for URLs that aren't in local database |
| | Rules getting pushed after the Default Block All Rule on Firepower Threat Defense device |
| | Estreamer Cores - SSLCert length handling |
| | Large database size for devices upgraded from 6.1.0.x to 6.2.0.x |
| | access-list rules missing after policy deployment on Firepower Threat Defense |
| | Port-channel cannot be configured as a passive interface |
| | Firepower Threat Defense device may leave cluster due to disk space alert |
Issues Resolved in Version 6.2.0.2
The following table lists the caveats resolved at the time of publication of these release notes. If you have a Cisco support contract, run the following dynamic queries in the Bug Search Tool for an updated list of resolved caveats:
- Resolved Firepower Management Center Virtual caveats in Version 6.2.0.2
- Resolved Firepower Management Center Virtual caveats in Version 6.2.0.2
| Caveat ID Number | Description |
|---|---|
| | 'Search' in access control policy returning incorrect results. |
| | Access control Policy Report Differs from access control Policy Web Interface |
| | Firepower Management Center not providing options to restrict ICMP types for certain codes |
| | Network range with a space after the dash removes current and subsequent ACP rules |
| | SFDataCorrelator polling for status of file analysis can fail in certain circumstances |
| | Communication channel is blocked if recurring backup fails due to disk space on remote server |
| | Show NAT flows on Series 3 displays incorrect data |
| | Fail to create Threat Defense high availability due to previous failed attempt |
| | Firepower Management Center high availability Sync can delete csm config files |
| | Performance issue with Device listing page |
| | Threat Defense DHCP Client tries to request a DHCP address instead of declining |
| | eStreamer log spam "Unable to open directory" |
| | eStreamer service sends corrupt messages and spams log files with "Not connected" |
| | In Task Status page the task is stuck/spinning |
| | ASA may traceback while loading a large context config during bootup |
| | PBR config is blocked in FlexConfig |
| | Interfaces not interpreted in hardware when contexts have 'lag' in their name |
| | nse interface initialization has not occurred, but still receiving packets |
| | Policy deploy fails due to inconsistency in HA Primary Threat Defense device in the backend |
| | Altering logging settings like disabling syslog causes IPS and File policies to become disabled |
| | Comparison reports for intrusion policy between 2 revisions are not working correctly |
| | Discard does not roll back the updated Firepower Recommendation. |
| | During backup intrusion policy error message on save should be intuitive. |
| | Flowbit auto-resolution not working properly |
| | Intrusion policy commit is slow because prepare statement is called multiple times |
| | Change impact_flag on IPS/snort rule to red/orange/yellow/blue/gray |
| | False warnings in DB Integrity Check for rule_comments/rule_comment_map |
| | Unable to use objects inside IPS rules |
| | Cannot re-arrange order of Network Analysis Rules |
| | Policy deploy with NAP fails when adaptive profiles or auto detect setting is disabled in NAP |
| | Search Option does not work for network objects under NAP editor |
| | Encapsulated traffic not matching hardware rules |
| | Message "CSR access problem for ME 25" flooding dmesg |
| | Default inspect statements are missing on ASA 5500-X and 2100 device running Threat Defense |
| | Firepower: With SafeSearch on, users can't access multiple websites. |
| | Snort segfault while processing malware cache. |
| | SafeSearch configured but disabled can lead to cores |
| | Able to create Bridge group interface from global domain but device is in leaf domain |
| | Deployment failed and internal error occurred when deleting Port channel inline set and deploying |
| | Deployment fails in high availability pair due to cluster inline-set interface. |
| | IP Address/Mask validation for Standby Address missing during high availability formation |
| | PPPoE User Name field should allow more characters |
| | Firepower Management Center 'Interface Type Mismatch with Syslog Server Ip Type' error |
| | Unable to edit network objects when they are shared between devices |
| | Standard ACL elements deployed in wrong order |
| | Pseudo rule IDs are not unique when multiple DNS policies are deployed simultaneously |
| | Checking for conflicts in variable sets doesn't work on network groups |
| | Too many addresses in HOME_NET results in failed deployment |
| | C-groups modification during policy apply causes AAB to trigger. |
| | Not able to log in to Firepower 4100 using 'connect ftd' CLI |
| | QoS Rule and interface widget doesn't display stats for QoS rules |
| | Default "global_policy" service-policy removed after reboot |
| | SFDataCorrelator segfault due to multi-threaded curl on HTTPS |
| | Suspected latency during shared memory lookup (with URL Retry enabled) |
| | URL Filtering stopped working due to major version change in the BC database |
| | Webpages load very slowly when URL retry is enabled |
| | Report generation fails if the remote storage device is unmounted by another action |
| | Security Intelligence category goes missing from Security Intelligence events after time |
| | SFDataCorrelator segfault due to null pointer dereference in handle_host_address_changes() |
| | Unchecked host count growth after SFDataCorrelator reconfigure |
| | Scheduler Queue Corruption leads to connectivity failures or failover problems after 9.6(2) |
| | snort core in alert action. |
| | Unable to block BitTorrent traffic when download is resumed after moving to a new network |
| | Cisco Firepower Threat Defense and Cisco ASA with FirePOWER Module Denial of Service Vulnerability |
| | Enabling SSL Policy may result in detection engine exits |
| | 2048 byte block depletion with continuous SSL traffic and decrypt resign enabled on Threat Defense. |
| | SSL Block action when Extended Master Secret is used with SSL Policy Known Key Decrypt |
| | SSL Trusted CAs not deployed to sensor in some cases |
| | Unable to disable Proxy Auth on Management Center by un-checking the proxy auth box |
| | Database settings for a fresh deployment were not saved |
| | ICMP Any in dst/src ports are saved incorrectly, which can result in broken pre-filter policy |
| | After upgrading to 6.0, you cannot remove tasks from the taskbar |
| | captive portal ntlm needs to handle token received in POST in addition to GET. |
| | Firepower doesn't support userPrincipalName attribute for login with ISE / Active authentication |
| | Intermittent failure in User Group lookup. |
| | Management Center deployment fails due to error after creating a domain with devices |
| | Only 1500 Group Members are downloaded per group for an AD Realm |
| | PxGrid sent MAB and internal ISE DB info to /var/log/messages, causing outage on Management Center |
| | Show user information in connection events for flows hitting early deny |
| | UIMP fails importing all users if any user in the import list has been deleted |
| | Users are removed from groups after scheduled user/group download |
| | Trying to delete an identity realm that is in use breaks the identity realm |
| | "Failed to set user name for lights-out management" error when trying to change admin pw on FMC1500 |
Issues Resolved in Version 6.2.0.1
The following table lists the caveats resolved at the time of publication of these release notes. If you have a Cisco support contract, run the following dynamic queries in the Bug Search Tool for an updated list of resolved caveats:
- Resolved Firepower Management Center caveats in Version 6.2.0.1
- Resolved Firepower Management Center Virtual caveats in Version 6.2.0.1
| Caveat ID Number | Description |
|---|---|
| | Import of Access control Policy fails after upgrade to 6.1 |
| | Files not Sandboxed even when they are under file limit. |
| | Policy Export fails partially in Firepower ASDM 6.1 |
| | SafeSearch breaks for retransmitted packets |
| | FR Scale: Large File Copy (>4GB) Fails In SFTunnel |
| | AC policy: Deployment failure is happening due to rule update issue |
| | Policy can't be applied when SRU and automated deploys run in parallel |
| | Passive Authentication with User Agent is not working for some users |
| | Intrusion Email Alert is not working |
| | Intrusion Emails no longer send after upgrading to 6.1 |
| | After 6.1 upgrade, stale entries in fireamp_cloud table cause UI problem |
| | ASA to FTD migration may fail when invalid characters are used in an access-list name |
| | ASA to FTD migration script creates nested port group objects, which causes deployment to fail |
| | Cannot delete multiple rules at a time from ASA migrated Prefilter Policies |
| | FQDN objects getting imported in FMC from migration tool generated .sfo |
| | Having "0" at the object service PING service icmp echo 0 causes migration to fail |
| | Migration fails when SLA monitor configuration is present |
| | Migration report succeeds but sfo creation & cleanup fails intermittently |
| | Unable to import ASA config file in migration tool, i.e. 6.1.0-330 |
| | When a migration activity is in progress, a new migration needs to be blocked |
| | Backup done remotely can't be restored locally |
| | Cardmanager on ASA5585-SSP-40 SFR exits due to a SIGPIPE signal |
| | system support capture traffic parser rejects slash used in net filter |
| | Device goes into reboot loop one after another until failover cable is removed |
| | Unable to deploy AC policy to an FTD HA pair due to an object description with the '&' character |
| | Context Explorer performance issues due to query incorrectly joining two event tables |
| | Add ability to enable or disable default inspect configuration |
| | FTD: Not able to log in to converged CLI using SSH |
| | DB error after trying to add and survey network in whitelist profile |
| | Cisco Firepower Malware Detection Bypass Vulnerability |
| | snort core file when processing bltd packets |
| | SSL widgets lack data labels in 6.1 |
| | Some perl processes leak semaphores |
| | Time-ordered EQE queries against partitioned event tables are not optimized |
| | FMC Database issues causing Missing Passive User Sessions via User Agent failure |
| | OptimizeTables.pl always fails on 6.1.0 |
| | Upgrade 6.0.1.2 to 6.1.0-330 fails at 560_install_version_masked_apps.pl |
| | Policy deployment failing on FMC for VMware |
| | Frangelico: FMC HA: HA establishment fails due to large database files copy |
| | eStreamer 5.4 clients are unable to process userID info on 6.0 Firepower Management Center metadata |
| | Estreamer cores found in DC-HA setup |
| | estreamer should use correct datastore for user identity mapping. |
| | High unmanaged disk usage due to large flow_chunk table |
| | snort is restarting and filling the disk with logs. |
| | Adding syslog to Access Control Rule may result in loss of Real Time Eventing |
| | ids_event_alert coring on 6.1.0 |
| | ids_event_alerter can crash or infinite-loop |
| | Latency in FMC HA synchronization |
| | access control Policy Deployment failed after patch installation (6.1.0.330 to 6.1.0.1.30) |
| | Attempting to change copper SFP interface type (inline/switched/routed) results in error |
| | SCALE: Health alarms are not displayed in UMS |
| | Import fails with duplicate object name when the object names differ by case only |
| | Import with config involving inline values fails |
| | Adaptive profiling performance scales badly in some cases |
| | Firepower Management Center Smart Licensing bypasses Proxy Configuration when in eval mode |
| | Upgrade on Off-box ASA-FTD breaks Malware cloud lookup. |
| | Network Object not listed under the custom rule editor in NAP |
| | Enable flow control on stacking interfaces |
| | Network Discovery fails to parse zones in ND rules under certain conditions |
| | Event QoS in legacy mode does not have an entry for interface stats |
| | Incorrect rule being logged for application rules that go pending. |
| | Network based AC rules don't always match if preceded by a rule with application/url |
| | SafeSearch dropping legitimate traffic since paf not marking packet flags |
| | Segmentation fault at HttpPacketModification, httpModProcess |
| | Snort process segfaults processing traffic in firewall (ngfw). |
| | Traffic misses matching AC rule |
| | URL not extracted from reassembled requests |
| | Security Zone is "Unknown" after upgrade to 6.1 |
| | DHCP Relay configuration does not display in UI after 6.1 upgrade |
| | Platform settings page fails to load when applied to multiple stacks |
| | Security Intelligence DNS Feed based logs not sent to external Syslog |
| | Constant failovers on ASA high availability pair due to SSP module failure |
| | Evaluation of sfims for CVE-2016-5195 (Dirty COW) |
| | FP or AMP 7000/8000 series sensor kernel deadlock on 6.1 |
| | OOM condition leads to repeated RCU stall warnings |
| | SFR upgrade to 6.1.0 causes erroneous HA failovers and/or traffic loss under load on 5585-40,60 |
| | CWE-200 - M4-FMC - TLS/SSL Birthday attacks on 64-bit block ciphers |
| | Evaluation of sfims for NTP November 2016 |
| | FR - CVE-2011-3389 - TLS/SSL is enabling BEAST attack |
| | ASAConfig uses wrong interface IDs after module unit rejoins multi context ASA cluster |
| | Bird fix for segfault needs to be ported to EC and FR |
| | Interfaces get deleted on SFR during Multi-context HA configuration sync |
| | OOM keeps running, Series 3 units keep crashing, requiring reboot |
| | PM generated commands can break dhcrelay if using more than 22 lifs |
| | Reservation of core 0 for system processes in arc.conf is ignored by ARC.pm |
| | Deploy during intrusion rule update install may cause all subsequent policy applies to fail |
| | Httpmod preprocessor does not get disabled when safesearch rules are disabled |
| | Policy Deployment may fail due to delta splitting logic failure |
| | Removing special characters from UI in AC rule does not remove characters from lina config |
| | Two PM instances running simultaneously |
| | Spurious high unmanaged disk usage on /dev/shm alerts |
| | Cannot load proxy information for dynamic analysis (sandbox) |
| | URL Filtering option on GUI being unset/disabled intermittently |
| | Firepower FMC Risk Reporting has spelling mistakes |
| | SFDataCorrelator malware lookups take too long - UI shows timeout action |
| | Cisco Firepower System Software FTP Malware Vulnerability |
| | File policy oversubscription when many hosts process file. |
| | FTD gets into a bad state in which it has severe performance degradation |
| | Inline result showing "would have dropped" |
| | Retry packets never time out and keep being sent to Snort |
| | Snort core is seen on FTD during rate limiting test |
| | Snort crash during SMB inspection in file_capture_stop |
| | Some application and file policy combinations can cause snort to core |
| | Unexpected ACK packet for MDI malware file traffic connection |
| | Cisco Firepower Detection Engine SSL Denial of Service Vulnerability |
| | HTTPS pages take 30+ sec to load with SSL decryption and URL category rules enabled together |
| | IPS and File detection is not working if Applications are FTP, FTP Data |
| | Seg fault on SSL after policy apply |
| | segfault in ns_net_mbrwq_release while processing SSL flow. |
| | Snort segfault in process_ssl |
| | SSL Handshake not completing for "Do Not Decrypt" action with large server certificate |
| | SSL policy rules may match undecryptable actions too early in certain configurations |
| | SSL rules with URL categories defined are not processed correctly |
| | Platform settings policy does not appear to work for Firepower stacks |
| | Changing admin user password may fail for systems not using LOM. |
| | "Failed to run troubleshoot script / failed (256)" on secondary DC. |
| | 'Available Ports' tab hangs when editing prefilter rule ports |
| | Default Prefilter Policies are not imported properly on FMC2000 |
| | PrefilterPolicy DefaultAction Issue with 6.1.x FMC upgraded from 6.0.x managing 6.0.x FTD Device |
| | Rules from prefilter policy do not retain order when saving policy |
| | Don't allow a different upgrade to start when upgrade is in failed state |
| | bltd segfault processing checksum (computeChecksum). |
| | captive portal support for IPS on a stick |
| | Deleting users from Analysis->Users doesn't remove sessions from sensor |
| | Firepower Management Center does not handle Postured user session updates from ISE servers |
| | Users are removed from groups after scheduled user/group download (database problem) |
| | user_ip_map files being skipped while pushed from FMC to Sensor due to DaCo crash |
Issues Resolved in Version 6.2.0
| Caveat ID Number | Description |
|---|---|
| | Resolved multiple vulnerabilities within the third party OpenSSH, as described in CVE-2015-5600, CVE-2015-6565, CVE-2016-0777, and CVE-2016-0778. |
| | Addressed a cross-site scripting (XSS) vulnerability, as described in CVE-2015-6363 and CVE-2016-1294. |
| CSCux41304, CSCuz52366, CSCvb24543, CSCvb48536 | Addressed multiple vulnerabilities that generated denial of service in OpenSSL, as described in CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, and CVE-2016-7052. |
| | Addressed a vulnerability in the third party Java, as described in CVE-2015-6420. |
| | Resolved a vulnerability where a user without Admin privileges could delete other users' scheduled tasks. |
| | Addressed a vulnerability in the third party GNU C Library, as described in CVE-2015-7547. |
| | Addressed multiple vulnerabilities in the third party product Libxml2, as described in CVE-2016-2073, CVE-2016-444, and CVE-2016-4448. |
| | Addressed multiple vulnerabilities in the third party product NTP, as described in CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, and CVE-2016-4957. |
| CSCvb24566, CSCvb24564, CSCuz52935 | Addressed multiple vulnerabilities in the third party Libarchive, as described in CVE-2016-1541, CVE-2016-5844, and CVE-2016-6250. |
| CSCuu96447 | In some cases, if you deleted the permanent license from the Licenses page, the Device Management page did not display Unlicensed for the devices the permanent license was deleted from when it should have, and policy deploy would fail. |
| CSCux64898 | In some cases, if you deployed an access control policy with the default action set to Block and executed the configure network management-interface disable-event-channel CLI command, Firepower continued to generate intrusion and connection events when it should not have. |
| CSCux78211 | Resolved an issue where, if an ASA FirePOWER module in high availability experienced a partial failure, the device did not fail over when it should have. |
| CSCux91934 | Resolved an issue where, if you deployed an SSL policy configured with a rule associated with an expired SSL certificate, Firepower used an incorrect SSL rule. |
| | Cannot apply FP8130-CTRL-LIC to AMP8050. |
| | If you clicked Create Email Alert on the Alerts page and enabled Retrospective Events configuration on the Advanced Malware Protection Alerts tab, then saved and applied, the email alerts generated by Firepower when the alert was triggered were truncated. Emails should not have been truncated. |
| CSCuy51566 | If you updated a Firepower Management Center from Version 5.4.x to Version 6.0.0 or later, created a new sub domain, and deployed a network discovery policy, you could not delete any objects or object groups referenced by the network discovery policy in the global domain. |
| CSCuy57756 | In some cases, if you broke a Firepower Threat Defense high availability pair, one of the devices in the pair stayed in standalone mode and Firepower could not recreate the high availability pair. |
| | Not able to disable notifications on the FireSIGHT Manager web interface. |
| | Resolved an issue where, if you added a security zone on a Firepower Management Center running Version 5.4.0 or later, updated Firepower to Version 6.0.0 or later, and deleted the security zone, Firepower generated an "Object deletion restricted. Remove object from the following: Access control policies" error even if the security zone was not referenced within a rule. |
| | Fatal errors on applying policy from 6.0.0.1 with different vulnerability database. |
| CSCuz17315 | Resolved an issue where Firepower generated erroneous "Error found during SSL flow after server certificate" messages for evicted SSL flows. |
| | Firepower 9300 devices' high availability status is displayed incorrectly or inconsistently in the Firepower Management Center. |
| | Original Client IP does not populate for dropped events when inline normalization is enabled. |
| CSCuz46366 | Firepower incorrectly allowed you to configure sandbox file sizes from 0 MB to 100 MB in the Files and Malware Settings section on the Advanced tab of the access control editor. Firepower only supports capturing files as large as 10 MB. If you configured the sandbox environment to a file size larger than 10 MB, Firepower did not capture the file. |
| CSCuz49023 | Resolved an issue where, despite configuration of impact flag alerting for an eStreamer client, Firepower did not stream impact flag data. |
| CSCuz54417 | If you deployed an SSL policy containing application rule conditions for SMTPS, POP3S, and IMAPS traffic, Firepower might have incorrectly displayed Unknown as the application protocol on the Connection Events page. |
| | DLL-Load vulnerability in Snort on Windows platforms. |
| CSCuz92255 | Resolved an issue where, if you tested the default storage type in the Remote Storage Device section of the Configuration page, Firepower incorrectly generated a "Please enter valid host. Please enter a valid Directory path." error message. |
| | Policy deployment fails with mode 10 Gbit Full-Duplex for lag interface. |
| CSCuz94444 | Resolved an issue where the associated client incorrectly rejected resigned certificates for Apple related products and you could not log into iTunes. |
| CSCuz95008 | Resolved an issue where, if you requested pre-6.0.0 metadata from a Firepower Management Center with eStreamer running Version 6.0.0 or later, Firepower incorrectly sent the userID field to the eStreamer client instead of the configured LDAP username. |
| CSCuz99677 | Resolved an issue where, if you created a new user with an administrator role and deployed configuration, Firepower incorrectly displayed the default admin user as the user deploying the configuration instead of the newly created user. |
| CSCva00234 | Resolved an issue where policy comparison did not include the high availability health modules when it should have. |
| | sfestreamer crashes when there are 4 management interfaces on the Firepower Management Center. |
| | Disk manager marks conn-unified as deleted. |
| CSCva28854 | Under rare conditions on 7000 and 8000 Series devices where the firstboot policy apply failed, file handles were depleted on the device, which caused health/hardware alarms and a variety of malfunctions. |
| CSCva29636 | Resolved an issue where, if you configured network management for a Firepower Threat Defense virtual device, the console incorrectly provided an HTTPS address to complete the installation when it should not have. |
|
CSCva37443 |
If your ASA configuration file contained an invalid ICMP service object, the ASA-to-Firepower Threat Defense migration tool failed, but did not log adequate information to troubleshooting logs. Migration no longer fails under this condition. Instead, the tool excludes the invalid ICMP objects from the conversion, converts the related ASA access rules to disabled Firepower Threat Defense rules, and adds a comment to the rules describing the unsupported case. |
|
CSCva38608 |
Resolved an issue where SHA1 signed certificate with a modern browser and Firepower generated untrusted certificate errors for modern browser. |
|
CSCva41164 |
Version 6.2.0 does not support access control policy names including the $ character. |
|
CSCva47456 |
Resolved an issue where, if Firepower requested a URL lookup and the cloud did not immediately return a URL category, the cached request incorrectly remained marked as Pending instead of updating the URL type to Uncategorzied. |
|
Report generation did not give a failed message, continues in queue for week. |
|
|
CSCva51022 |
If you deployed a pair of network object groups to a Firepower Threat Defense high availability pair and the network object group IP addresses on either the active and standby device overlapped with the IP addresses on the other device within the pair, deployment failed and Firepower generated a Deployment failed due to configuration error message in the Message Center. |
|
CSCva51662 |
Resolved an issue where, if you clicked Launch Readiness Check while another readiness check is in the queue and closed the dialog window, Firepower incorrectly started a new readiness check task . |
|
CSCva57174 |
On a Firepower Threat Defense Virtual with RIP and redistribution configured, even if you disabled RIP and redeployed, the device continued to use RIP. |
|
CSCva58269 |
Resolved an issue where, if you created alerts associated with a domain and then deleted the domain, Firepower did not remove the alerts from the database when it should have. |
|
User is able to apply smart licenses on AWS HB device. |
|
|
CSCva58411 |
Resolved an issue where, if you added smart licenses to a Firepower Threat Defense high availability pair, the smart licensing widget on the dashboard page did not load. |
|
CSCva59135 |
The ASA-to-Firepower Threat Defense migration tool can convert only one ASA configuration file at a time. If you started a conversion while a conversion task was in progress, Firepower displayed an Error 500 Internal server error message. Firepower now displays a warning message that a migration is already in progress. |
|
CSCva63604 |
Resolved an issue where, if a security module on a Firepower Threat Defense cluster with an access control policy containing more than 10,000 rules reloaded, the security module failed to re-join the cluster and generated a All data interfaces have been shutdown due to clustering being disabled. To recover either enable clustering or remove cluster group configuration warning. |
|
CSCva67943 |
Resolved an issue where, if you enabled common criteria (CC) mode on an appliance for security certifications compliance and the syslog server certificate did not contain serverAuth, Firepower incorrectly passed connections to the syslog server when they should have failed. |
|
Access control policy report fails if category has span across 50 rules. |
|
|
CSCva81548 |
Improved configuration deployment performance. |
|
CSCva82945 |
The Interfaces tab of the device management page for a Firepower Threat Defense device now displays the current status for interfaces on the device. |
|
Resolved an issue where, if you deployed an intrusion rule containing an AppID web application condition and a managed device experienced a high volume of traffic containing an excessive amount of similar connection types that did not apply to the AppID application, the application detection process took more time than it normally should and caused latency for other traffic matches. |
|
|
CSCva89342 |
If you created an ASA Firepower module high available pair configured for multi-context mode and deployed one or more security zone from the managing Firepower Management Center, then the standby ASA Firepower module within the pair restarted, the standby ASA Firepower module incorrectly removed all security zones and interfaces. |
|
CSCva93408, CSCva93158 |
Improved the RPC decoder. |
|
CSCva99998 |
Resolved an issue where Firepower did not restrict read-only users from editing the blacklist page when it should have. |
|
Adaptive profiling performance scales badly in some cases. |
|
|
CSCvb02846 |
Resolved a rare issue where, if you switched Firepower Management Center high availability peers twice and viewed the Smart Licenses page , the table of devices and any edit windows failed to load. |
|
Resolved an issue where, if you deployed an SSL policy and traffic with an HTTP tunnel matched the SSL policy, Firepower dropped some traffic and experienced high CPU use and overall latency. |
|
|
CSCvb08840 |
Resolved an issue where, if you enabled automated intrusion rule updates for an ASA Firepower module managed by ASDM, and the device simultaneously deployed automated deployments, the device experienced issues. |
|
CSCvb11574 |
Resolved an issue where, if you deployed an access control policy containing a custom application detector and deleted the application detector, Firepower did not generate a warning that the application detector must be removed from the access control policy prior to deletion. |
|
Resolved an issue where, if you created a network discovery policy configured to detect hosts and a correlation policy containing a rule set to trigger if discovery event occurs and the OS information for a host has changed, then added a condition for if OS name is unknown and added a remediation Nmap scan, discovery events matching the rules did not generated corresponding Nmap scans. |
|
|
Resolved an issue where, if Firepower experienced an issue processing the first session of SMTP traffic between a client and an SMTP server, Firepower did not correctly identify the subsequent SMTP sessions as SMTP for the client-server pair and displayed Unknown in the Application Protocol column of the Connection Events page . |
|
|
CSCvb12453 |
Resolved an issue where, if you enabled common criteria (CC) mode on an appliance for security certifications compliance and the syslog server certificate did not contain host name matching the name of the server, connections to the syslog server incorrectly passed when they should have failed. |
|
CSCvb12791 |
Resolved an issue where, if you enabled Common Criteria (CC) mode on an appliance for security certifications compliance and the syslog server certificate and/or intermediate certificate(s) have been revoked, Firepower incorrectly established a TLS connection with the syslog server without checking the revocation status. |
|
Traffic by Initiator Report for User Renders No Output. |
|
|
Cisco Firepower Management Center Information Disclosure Vulnerability. |
|
|
Resolved an issue where Firepower Management Center high availability synchronization failed if the total size of the database files and logs totaled more than 4GB. |
|
|
CSCvb20859 |
Intermittently, if the ASA-to-Firepower Threat Defense migration tool could not migrate an ASA configuration because the access control list was not applied via a valid access-group command, Firepower did not complete internal operations related to that migration, and you could not start another migration. |
|
CSCvb24378 |
You can now enable or disable default inspection with the command line interface on a Firepower Threat Defense device using configure inspection <inspection_name> enable|disable. |
|
CSCvb24768 |
Resolved an issue where, in some cases, if you updated a system containing at least one security zone to Version 6.1 or later, the Interfaces page might incorrectly displayed the security zone state as Unknown . |
|
CSCvb24807 |
In rare cases, after you updated the Firepower Management Center to Version 6.10, the dynamic analysis page would not load. |
|
Resolved an issue where, if you formed a Firepower 4100 series series or Firepower 9300 high availability pair with devices containing named interfaces and assigned a portchannel from the FXOS chassis manager, then edited the Interfaces tab of the high availability pair listed on the Device Management page and saved, Firepower did not include the interfaces created for the high availability pair when it should and, in some cases, deployment failed. |
|
|
Resolved an issue where, if you enabled captive portal on a system and updated to Version 6.1.0, captive portal did not work. |
|
|
Workflow set with User Preferences not honored by Search Constraints. |
|
|
False warnings in database Integrity Check for PlatformSettings object. |
|
|
Upgrade to 6.1 fails at 600_schema/000_install_csm.sh. |
|
|
Cannot create new Application Filter Objects 6.1 on ASA managed by ASDM. |
|
|
Resolved an issue where, in some cases, if you updated a system from Version 6.1.0 to Version 6.1.0.x, the update failed. |
|
|
Resolved an issue where, if you created a high availability pair and synchronization requests overload the Tasks tab in the Message Center, Firepower experienced disk space issues and intermittent login issues. |
|
|
Resolved an issue where, if incoming HTTP, TCP, or SSH traffic did not contain an SGT value in the header, traffic matched against the default access control policy instead of any other configured policy. |
|
|
Event QoS in legacy mode does not have an entry for interface stats. |
|
|
Resolved an issue where incoming HTTP and HTTPS traffic containing XFF fields caused system issues. |
|
|
If you updated Firepower from a version earlier than Version 6.1.0 to Version 6.1.0 and immediately exported the access control policy, then imported the policy, importing the access control policy failed. |
|
|
CSCvb40344 |
If you deployed a file policy to a device with an excessive amount of endpoints configured, Firepower experienced high CPU and memory use. As a workaround, you could redeploy configuration. |
|
CSCvb41047 |
Resolved an issue where Firepower generated an incorrect Health monitoring running behind schedule health warning if the Firepower Management Center did not receive any health events from registered devices. |
|
Firepower Management Center Smart Licensing bypasses Proxy Configuration when in evaluation mode. |
|
|
Upgrade failing for v6.0.1 at 600_schema/000_install_csm.sh. |
|
|
CSCvb44812 |
Resolved an issue where Firepower 4100 series series devices generated excessive logging and experienced storage space issues. |
|
CSCvb44268 |
Resolved an issue where the Appliance Status widget did not load if you had 400 or more devices attached to a Firepower Management Center. |
|
CSCvb46146 |
If updating Firepower failed and you attempted to update to a different version from the one that failed without resolving the original failure, the new install also failed and could cause Firepower to become unrecoverable. |
|
Resolved an issue where, if you enabled Safe Search in an access control policy and deployed, Firepower incorrectly generated Primary Detection Engine Exiting health alerts. |
|
|
Resolved an issue where, if you updated a system from Version 6.0.1.1 or later to Version 6.1.0, Firepower experienced a variety of issues such as update failure or Firepower Management Center login failure. |
|
|
CSCvb51077 |
Resolved an issue where, if you added a remediation as a response to a rule in a correlation policy on a Firepower Management Center and created a high availability pair, then switch high availability peers, the new active Firepower Management Center did not correctly synchronize the correlation policy and the remediation experienced issues. |
|
Resolved an issue where, if you deployed an access control policy containing rules with Safe Search enabled, some websites experienced latency when loading. |
|
|
Firepower Management Center/Firepower Threat Defense - Multiple default routes with same metric or gateway exists. |
|
|
Deploy during intrusion rule update install may cause all subsequent policy applies to fail. |
|
|
Firepower Threat Defense policy deployment fails with Syslog Event class All. |
|
|
Security Intelligence synchronization failure results in disk becoming full. |
|
|
Resolved an issue where, if a Firepower Management Center running Version 6.1.0 managed a device running a version earlier than Version 6.1.0, Firepower did not generate any new discovery events and removed the network map several days after the Firepower Management Center updated to Version 6.1.0. |
|
|
In some cases, if Firepower processed SIP packets, traffic containing voice or video content might have appeared distorted or experienced latency. |
|
|
Resolved an issue where Firepower logged extraneous policy information during deployment and, in some cases, deploying large policies failed. |
|
|
Resolved an issue where, if you deployed an access control policy containing an identity policy that referenced a realm or access control rules containing groups or users from the realm and you deleted the realm, Firepower incorrectly generated a System defined Objects cannot be Altered. Please use a different Object error and you could not edit the access control policy. |
|
|
If you configured a realm for an Active Directory (AD) server to download users and groups, then created a Firepower Management Center high availability pair and the downloads contained large amounts of users and groups, Firepower Management Center high availability registration failed. |
|
|
CSCvb67568 |
Resolved a rare issue where, if you created a realm and deployed an access control policy containing rules, then clicked Download users and groups and configured a User Agent connection, the user to group mapping became incorrect and access control rules using groups did not match when it should. |
|
SFR upgrade to 6.1 causes constant failover between ASA FirePOWER module high availability pair. |
|
|
6.0.0 pre install 5.4.0.999 nfp kernel modules fail to unload followed by outage. |
|
|
Intermittently, if you created a realm and deployed an access control policy containing rules, then downloaded users and groups (including scheduled downloads), the user-to-group mapping could become incorrect, and access control rules using groups might not have matched when they should have. |
|
|
CSCvb70125 |
Resolved an issue where policy deploy failed if you configured captive portal on a Firepower Management Center then updated the Firepower Management Center and its managed devices, then tried to redeploy. |
|
CSCvb74873 |
If you enabled SMB File Inspection in a file policy and deployed to a device managed by theFirepower Management Center, Firepower generated Primary detection engine exited unexpectedly warning messages, and Firepower could experience issues. |
|
If you deployed a DNS rule with a blacklist action containing a Security Intelligence DNS feed, Firepower did not send the Security Intelligence events to the external syslog if one was configured. |
|
|
Firepower ignored security zone constraints on network discovery rules if the network discovery policy contained rules constrained by zones that included interfaces from multiple devices. This condition was present if the rules used single zones with interfaces from multiple devices (for example, Zone 1 included interfaces from Device 1 and Device 2) or multiple rules used different zones (for example if Rule 1 used Zone 1, which included interfaces from Device 1, and Rule 2 used Zone 2, which included interfaces from Device 2). |
|
|
Resolved an issue where, if you added a syslog alert to an access control rule and deployed on an ASA FirePOWER module managed by ASDM, the device incorrectly generated excessive logging from prefilter policies. |
|
|
Resolved an issue where, in some cases, updating a system to Version 6.1.0 and deploying to a registered device generated a Deployment failed in policy and object collection. If problem persists after retrying, contact TAC error message. |
|
|
Resolved an issue where, if Firepower processed HTTP traffic containing XFF headers, Firepower experienced issues and generated erroneous detection engine health warnings. |
|
|
Attempting to change copper SFP interface type (inline/switched/routed) results in error. |
|
|
Snort cores after reload when processing XFF addresses. |
|
|
In some cases, if you deployed an SSL policy containing an SSL rule with the action set to Do Not Decrypt placed above an SSL rule with the action set to Decrypt - Resign, Firepower incorrectly identified the sessions as undecryptable and matched against the wrong rule with an undecryptable action instead of the correct rule. |
|
|
CSCvb97742 |
7000 and 8000 Series devices with low memory could experience a traffic outage and not recover. |
|
CSCvc05323 |
Resolved an issue where snort restarts caused Firepower to generate extraneous NGFW Rule Engine Failed to write connection event log messages. |
|
CSCvc08057 |
Resolved an issue where Firepower Threat Defense devices experienced Snort cores while performing QoS rate limiting on destination interface objects. |
|
No input validation on Firepower Threat Defense Platform Setting syslog Logging Filter. |
|
|
Cannot delete multiple rules at a time from ASA migrated Prefilter Policies. |
|
|
CSCvc10655 |
Resolved an issue where deploying policies to a Firepower Threat Defense device failed after updating to a new Firepower version. |
|
CSCvc14561 |
Resolved an issue where the Firepower Management Center web interface was not available after enabling compliance mode. |
|
CSCvc26880 |
Resolved an issue where, if a Firepower 8350 device or AMP8350 device produced an unusually large stream of messages on the serial port console or, if you enabled it, the Lights-out Management (LOM) console, the device became unresponsive. |
|
eStreamer should use correct datastore for user identity mapping. |
|
|
CSCvc31852 |
Resolved an issue where the Firepower Management Center Tasks tab displayed an incorrect amount of time taken for policy deployment. |
|
Having 0 at the object service PING service icmp echo 0 causes migration to fail. |
|
|
CSCvc37923 |
Resolved an issue where Firepower did not recover from a disk write error caused by disk full even after the disk full issue was resolved, causing excessive logging. |
|
Import fails with duplicate object name when the object names differs by case only. |
|
|
URL not extracted from reassembled requests. |
|
|
Snort process segfaults processing traffic in firewall. |
|
|
OptimizeTables.pl always fails on 6.1.0. |
|
|
Available Ports tab hangs when editing prefilter rule ports. |
|
|
Resolved an issue where, when a Firepower Threat Defense high availability pair simultaneously rebooted, the pair continuously rebooted until the failover cable was removed. |
|
|
Firepower Management Center login stops working if resume sync is selected after upgrade. |
|
|
Firepower Management Center warnings needed during high availability configuration that configuration on the standby Firepower Management Center will be wiped. |
|
|
Resolved an issue where the Firepower Threat Defense device running Version 6.1.0.1 or Version 6.1.0.2 stopped passing traffic after 213 days of uptime and experienced a range of issues from limited connectivity to a traffic outage. |
Feedback