Guidelines and Warnings for Version 6.2.3
These important upgrade guidelines and warnings are new for Version 6.2.3.
Note: If your upgrade path skips one or more major versions—that is, you are not upgrading from the last major version or one of its patches—you must also review Previously Published Guidelines and Warnings.
Use the table as a checklist by printing, then marking the column next to the guidelines that apply to you.
✓ | Platforms | Upgrading From | Directly To | Guideline |
---|---|---|---|---|
| FTD clusters | 6.1.x | 6.2.3+ | Remove Site IDs from Version 6.1.x FTD Clusters Before Upgrade |
| FMC | 6.1.0 through 6.2.2.x | 6.2.3+ | Changes to Result Limits in Reports |
| FTD with FDM | 6.2.0 through 6.2.2.x | 6.2.3+ | Upgrade Can Unregister FTD/FDM from CSSM |
| Any | 6.1.0+ | 6.2.3+ | Sharing Data with Cisco During and After Upgrade |
| Any | 6.1.0 through 6.2.2.x | 6.2.3 only | Edit/Resave Access Control Policies After Upgrade |
| FTD with FDM | 6.2.0 through 6.2.2.x | 6.2.3 only | Edit/Resave Realms After FTD/FDM Upgrade |
| Firepower 2100 series with FDM | 6.2.2.5 | 6.2.3 only | Firepower 2100 Series Upgrade from Version 6.2.2.5 Can Fail |
Remove Site IDs from Version 6.1.x FTD Clusters Before Upgrade
Deployments: Firepower Threat Defense clusters
Upgrading from: Version 6.1.x
Directly to: Version 6.2.3+
Firepower Threat Defense Version 6.1.x clusters do not support inter-site clustering (you can configure inter-site features using FlexConfig starting in Version 6.2.0).
If you deployed or redeployed a Version 6.1.x cluster in FXOS 2.1.1, and you entered a value for the (unsupported) site ID, remove the site ID (set to 0) on each unit in FXOS before you upgrade. Otherwise, the units cannot rejoin the cluster after the upgrade.
If you already upgraded, remove the site ID from each unit, then reestablish the cluster. To view or change the site ID, see the Cisco FXOS CLI Configuration Guide.
Changes to Result Limits in Reports
Deployments: Firepower Management Center
Upgrading from: Version 6.1 through 6.2.2.x
Directly to: Version 6.2.3+
Version 6.2.3 limits the number of results you can use or include in a report section, as follows. For table and detail views, you can include fewer records in a PDF report than in an HTML/CSV report.
Report Section Type | Max Records: HTML/CSV Report Section | Max Records: PDF Report Section |
---|---|---|
Bar chart, Pie chart | 100 (top or bottom) | 100 (top or bottom) |
Table view | 400,000 | 100,000 |
Detail view | 1,000 | 500 |
If, before you upgrade a Firepower Management Center, a section in a report template specifies a larger number of results than the HTML/CSV maximum, the upgrade process lowers the setting to the new maximum value.
For report templates that generate PDF reports, if you exceed the PDF limit in any template section, the upgrade process changes the output format to HTML. To continue generating PDFs, lower the results limit to the PDF maximum. If you do this after the upgrade, set the output format back to PDF.
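A pre-upgrade audit of report templates against these limits, as an added example that is not Cisco's code: it applies the two rules above (lower any section to the HTML/CSV maximum, then switch a PDF template to HTML if any section still exceeds the PDF maximum) to constructed sample templates.

```python
# Added example, not Cisco code: audits report templates against the
# Version 6.2.3 result limits and lists what the upgrade would change.
from dataclasses import dataclass, field

# Per section type: (HTML/CSV maximum, PDF maximum), from the table above.
MAX_RESULTS = {
    "bar chart": (100, 100),
    "pie chart": (100, 100),
    "table view": (400_000, 100_000),
    "detail view": (1_000, 500),
}

@dataclass
class Section:
    kind: str      # one of the MAX_RESULTS keys
    results: int   # configured result limit for the section

@dataclass
class Template:
    name: str      # template name (constructed for this example)
    output: str    # "PDF", "HTML" or "CSV"; output format is per template
    sections: list = field(default_factory=list)

def apply_upgrade(tpl: Template):
    """Return the template as the upgrade would leave it, plus change notes."""
    notes, new_sections, exceeds_pdf = [], [], False
    for sec in tpl.sections:
        html_max, pdf_max = MAX_RESULTS[sec.kind]
        results = sec.results
        # Rule 1: anything above the HTML/CSV maximum is lowered to it.
        if results > html_max:
            notes.append(f"{sec.kind}: results lowered {results} -> {html_max}")
            results = html_max
        # Rule 2: a PDF template with any section still above the PDF
        # maximum (even after rule 1) is switched to HTML output.
        if tpl.output == "PDF" and results > pdf_max:
            exceeds_pdf = True
            notes.append(f"{sec.kind}: {results} exceeds PDF maximum {pdf_max}")
        new_sections.append(Section(sec.kind, results))
    output = tpl.output
    if exceeds_pdf:
        output = "HTML"
        notes.append("output format changed from PDF to HTML")
    return Template(tpl.name, output, new_sections), notes

# Constructed sample: two templates an administrator might have before upgrade.
SAMPLE = [
    Template("Weekly Connections", "PDF",
             [Section("table view", 500_000), Section("pie chart", 50)]),
    Template("Intrusion Detail", "HTML", [Section("detail view", 2_000)]),
]
```

Run `apply_upgrade` over each template before upgrading; any template whose notes mention a format change will silently stop producing PDFs unless you lower its limits first.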
Upgrade Can Unregister FTD/FDM from CSSM
Deployments: FTD with FDM
Upgrading from: Version 6.2 through 6.2.2.x
Directly to: Version 6.2.3+
Upgrading a Firepower Threat Defense device managed by Firepower Device Manager may unregister the device from the Cisco Smart Software Manager. After the upgrade completes, check your license status.
Procedure
Step 1: Click Device, then click View Configuration in the Smart License summary.
Step 2: If the device is not registered, click Register Device.
Sharing Data with Cisco During and After Upgrade
Deployments: Any
Upgrading from: Version 6.1.0+
Directly to: Version 6.2.3+
Features in Version 6.2.3+ involve sharing data with Cisco.
Cisco Network Participation and Cisco Success Network send usage information and statistics to Cisco, which are essential to provide you with technical support. During the upgrade, you accept or decline participation in these programs. You can also opt in or out at any time.
Web analytics tracking sends non-personally-identifiable usage data to Cisco, including but not limited to pages viewed, the time spent on a page, browser versions, product versions, user location, and management IP addresses or hostnames of your FMCs.
Edit/Resave Access Control Policies After Upgrade
Deployments: Any
Upgrading from: Version 6.1 through 6.2.2.x
Directly to: Version 6.2.3 only
If you configured network or port objects that are used only in intrusion policy variable sets, deploying associated access control policies after the upgrade fails. If this happens, edit the access control policy, make a change (such as editing the description), save, and redeploy.
Edit/Resave Realms After FTD/FDM Upgrade
Deployments: FTD with FDM
Upgrading from: Version 6.2.0 through Version 6.2.2.x
Directly to: Version 6.2.3 only
Before Version 6.2.3, users were not automatically logged out after 24 hours of inactivity. After you upgrade Firepower Threat Defense to Version 6.2.3 when using Firepower Device Manager, if you are using identity policies with active authentication, update your realm before you deploy configurations. Choose , edit the realm (no changes are needed), and save it. Then, deploy.
Firepower 2100 Series Upgrade from Version 6.2.2.5 Can Fail
Deployments: Firepower 2100 series with FTD, managed by FDM
Upgrading from: Version 6.2.2.5
Directly to: Version 6.2.3 only
If you change the DNS settings on a Firepower 2100 series device running Version 6.2.2.5, and then upgrade to Version 6.2.3 without an intermediate deployment, the upgrade fails. You must deploy or execute an action that triggers a deployment, such as an SRU update, before you upgrade the device.
Previously Published Guidelines and Warnings
You can upgrade to Version 6.2.3 from several previous major versions; see Minimum Version to Upgrade. If your upgrade path skips one or more major versions, review these previously published guidelines and warnings. Use the table as a checklist by printing, then marking the column next to the guidelines that apply to you.
✓ | Platforms | Upgrading From | Guideline |
---|---|---|---|
| Any | 6.1.0 through 6.2.2.x | |
| FMC | 6.1.x | EOS: Nested Correlation Rules |
| FMC | 6.1.x | Access Control Can Get Latency-Based Performance Settings from SRUs |
| FTD with FMC | 6.1.x | 'Snort Fail Open' Replaces 'Failsafe' on FTD |
| FTD with FDM | 6.2.0 only | FDM Upgrades from Version 6.2.0 Can Fail |
FDM Upgrades from Version 6.2.0 Can Fail
Deployments: FTD with FDM, running on a lower-memory ASA 5500-X series device
Upgrading from: Version 6.2.0
Directly to: Version 6.2.2+
If you are upgrading from Version 6.2.0, the upgrade may fail with an error of: Uploaded file is not a valid system upgrade file. This can occur even if you are using the correct file.
If this happens, you can try the following workarounds:
- Try again.
- Use the CLI to upgrade.
- Upgrade to 6.2.0.1 first.
EOS: Nested Correlation Rules
Deployments: FMC
Upgrading from: Version 6.1.x
Directly to: Version 6.2+
Version 6.2 ends support for nested correlation rules. Before you upgrade to Version 6.2+, make sure that any nested correlation rules can be "flattened." Otherwise, the upgrade will fail.
What are Nested Correlation Rules?
A correlation rule is nested if it serves as a trigger for another correlation rule. For example, if you create Rule A and Rule B, which both trigger on an intrusion event, you can use 'Rule A is true' as a constraint for Rule B. In this configuration, Rule A is nested inside Rule B.
Automatic Configuration Changes
The upgrade process flattens certain nested correlation rules by copying settings from the nested correlation rule (Rule A) to the nesting correlation rule (Rule B) and deleting the nested rule. The upgrade also copies the host profile/user qualifications and the snooze/inactive periods from the nested rule to the nesting rule.
For all of these settings except inactive periods, the system can copy the settings from the nested rule to the nesting rule only if the settings are absent from the nesting rule. When the system copies inactive periods from the nested rule to the nesting rule, it retains inactive periods from the nesting rule, so that the resulting rule uses settings from both rules originally involved in the nesting configuration.
Avoiding Upgrade Failure
The upgrade cannot flatten nested rules if the nested and nesting rule have specific types of conflict. To avoid upgrade failure, modify your correlation rules as follows before you run the upgrade:
- Remove the host profile qualification, user qualification, and snooze period settings from either the nested rule or the nesting rule, so that only one rule in the nested configuration specifies these settings.
- Remove connection trackers from any nested rules.
- Remove host profile qualifications, user qualifications, snooze periods, and inactive periods from nested rules that do not have to be true; that is, remove those elements from nested rules that are linked to other rule conditions using the OR operator, within the nesting rule.
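A pre-upgrade check for the flattening logic described above, as an added example that is not Cisco's code: it models a correlation rule with only the fields named in this section, assumes each nested reference records whether it is AND- or OR-linked, performs the copy/merge the upgrade performs, and raises on each of the three conflicts listed.

```python
# Added example, not Cisco code: models the flattening described above and
# raises where the upgrade would fail, so rules can be fixed beforehand.
from dataclasses import dataclass, replace
from typing import Optional, Tuple

class FlattenConflict(Exception):
    """A nesting configuration the Version 6.2 upgrade cannot flatten."""

@dataclass(frozen=True)
class Rule:
    name: str
    host_profile: Optional[str] = None   # host profile qualification
    user_qual: Optional[str] = None      # user qualification
    snooze: Optional[int] = None         # snooze period, in minutes
    inactive: frozenset = frozenset()    # inactive periods
    connection_tracker: bool = False
    # Nested rules this rule uses as conditions: (name, "AND" or "OR").
    # Assumption: the operator linking each nested rule is known.
    nested: Tuple[Tuple[str, str], ...] = ()

COPIED = ("host_profile", "user_qual", "snooze")

def flatten(nesting: Rule, rules: dict):
    """Return (flattened nesting rule, names of nested rules to delete)."""
    flat, deleted = nesting, []
    for name, op in nesting.nested:
        inner = rules[name]
        if inner.connection_tracker:
            raise FlattenConflict(f"{name}: nested rules cannot use connection trackers")
        carries = any(getattr(inner, f) is not None for f in COPIED) or bool(inner.inactive)
        # OR-linked nested rules need not be true, so their settings cannot move.
        if op == "OR" and carries:
            raise FlattenConflict(f"{name}: OR-linked nested rule carries qualifications or periods")
        for f in COPIED:
            value = getattr(inner, f)
            if value is None:
                continue
            # Settings move only into a field the nesting rule leaves empty.
            if getattr(flat, f) is not None:
                raise FlattenConflict(f"{nesting.name} and {name} both set {f}")
            flat = replace(flat, **{f: value})
        # Inactive periods are merged: the flattened rule keeps both sets.
        flat = replace(flat, inactive=flat.inactive | inner.inactive)
        deleted.append(name)
    return replace(flat, nested=()), deleted
```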
Access Control Can Get Latency-Based Performance Settings from SRUs
Deployments: FMC
Upgrading from: 6.1.x
Directly to: 6.2+
New access control policies in Version 6.2+ by default get their latency-based performance settings from the latest intrusion rule update (SRU). This behavior is controlled by a new Apply Settings From option. To configure this option, edit or create an access control policy, click Advanced, and edit the Latency-Based Performance Settings.
When you upgrade to Version 6.2+, the new option is set according to your current (Version 6.1.x) configuration. If your current settings are:
- Default: The new option is set to Installed Rule Update. When you deploy after the upgrade, the system uses the latency-based performance settings from the latest SRU. It is possible that traffic handling could change, depending on what the latest SRU specifies.
- Custom: The new option is set to Custom. The system retains its current performance settings. There should be no behavior change due to this option.
We recommend you review your configurations before you upgrade. From the Version 6.1.x FMC web interface, view your policies' Latency-Based Performance Settings as described earlier, and see whether the Revert to Defaults button is dimmed. If the button is dimmed, you are using the default settings. If it is active, you have configured custom settings.
'Snort Fail Open' Replaces 'Failsafe' on FTD
Deployments: FTD with FMC
Upgrading from: Version 6.1.x
Directly to: Version 6.2+
In Version 6.2, the Snort Fail Open configuration replaces the Failsafe option on FMC-managed Firepower Threat Defense devices. Failsafe lets you choose whether to drop traffic when Snort is busy, but traffic automatically passes without inspection when Snort is down; Snort Fail Open also lets you drop that traffic.
When you upgrade an FTD device, its new Snort Fail Open setting depends on its old Failsafe setting, as follows. Although the new configuration should not change traffic handling, we still recommend that you consider whether to enable or disable Failsafe before you upgrade.
Version 6.1 Failsafe | Version 6.2 Snort Fail Open | Behavior |
---|---|---|
Disabled (default behavior) | Busy: Disabled; Down: Enabled | New and existing connections drop when the Snort process is busy and pass without inspection when the Snort process is down. |
Enabled | Busy: Enabled; Down: Enabled | New and existing connections pass without inspection when the Snort process is busy or down. |
Note that Snort Fail Open requires Version 6.2 on the device. If you are managing a Version 6.1.x device, the FMC web interface displays the Failsafe option.
Patch/Hotfix for Dynamic Analysis CA Certificates
Deployments: AMP for Networks (malware detection) deployments where you submit files for dynamic analysis
Affected Versions: Version 6.0+
Resolves: CSCvj07038
On June 15, 2018, some Firepower deployments stopped being able to submit files for dynamic analysis. This occurred due to an expired CA certificate that was required for communications with the AMP Threat Grid cloud. Version 6.3.0 is the first major version with the new certificate.
Note: If you do not want to upgrade to Version 6.3.0+, you must patch or hotfix to obtain the new certificate and reenable dynamic analysis. However, subsequently upgrading a patched or hotfixed deployment to either Version 6.2.0 or Version 6.2.3 reverts to the old certificate and you must patch or hotfix again.
If this is your first time installing the patch or hotfix, make sure your firewall allows outbound connections to fmc.api.threatgrid.com (replacing panacea.threatgrid.com) from both the FMC and its managed devices. Managed devices submit files to the cloud for dynamic analysis; the FMC queries for results.
The following table lists the versions with the old certificates, as well as the patches and hotfixes that contain the new certificates, for each major version sequence and platform. Patches and hotfixes are available on the Cisco Support & Download site. For release notes, see Firepower Release Notes.
Versions with Old Cert | First Patch with New Cert | Hotfix with New Cert | Hotfix Platforms |
---|---|---|---|
6.2.3 through 6.2.3.3 | 6.2.3.4 | | FTD devices |
6.2.3 through 6.2.3.3 | 6.2.3.4 | | FMC, NGIPS devices |
6.2.2 through 6.2.2.3 | 6.2.2.4 | | All platforms |
6.2.1 | None. You must upgrade. | None. You must upgrade. | |
6.2.0 through 6.2.0.5 | 6.2.0.6 | | FTD devices |
6.2.0 through 6.2.0.5 | 6.2.0.6 | | FMC, NGIPS devices |
6.1.0 through 6.1.0.6 | 6.1.0.7 | | All platforms |
6.0.x | None. You must upgrade. | None. You must upgrade. | |
Blacklisted FlexConfig Commands for FTD
Some Firepower Threat Defense features are configured using ASA configuration commands. Beginning with Version 6.2, you can use Smart CLI or FlexConfig to manually configure various ASA features that are not otherwise supported in the web interface.
FTD upgrades can add GUI or Smart CLI support for features that you previously configured using FlexConfig. This can blacklist FlexConfig commands that you are currently using. Although your existing configurations continue to work and you can still deploy, you cannot assign or create FlexConfig objects using the newly blacklisted commands.
After the upgrade, examine your FlexConfig policies and objects. If any contain commands that are now blacklisted, messages indicate the problem. We recommend you redo your configuration. After you are satisfied with the new configuration, you can delete the problematic FlexConfig objects or commands.
For full lists, see the FlexConfig topics in your configuration guide or online help.