Cisco Secure Firewall Threat Defense with Firewall Management Center, Version 10
This document contains release information for Cisco Secure Firewall Threat Defense with Secure Firewall Management Center (on-prem).
Note: Version 10 begins a new release numbering scheme and cadence. For more information, see the Cisco Next Generation Firewall Product Line Software Release and Sustaining Bulletin.
Release Dates
| Version | Build | Date | Platforms |
|---|---|---|---|
| 10.0.0 | 140 | 2025-12-03 | All |
Features
Features in Version 10.0.0
This section provides a brief description of the new features introduced in this release.
Highlights
Feature highlights in Version 10.0.0 include:
Reintroduced features
These Version 10.0.0 features were actually introduced in earlier releases, but may be new to you depending on your current version:
Deployment and policy management
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Dynamic security policy enforcement with the Cisco ACI Endpoint Update App and Dynamic Attributes Connector | 10.0.0 | Any | The dynamic attributes connector lets you send Cisco APIC endpoint group (EPG) and endpoint security group (ESG) data from Cisco APIC tenants to the Firewall Management Center. Cisco APIC defines EPGs and ESGs that contain network object groups. Create a connector in the dynamic attributes connector that pulls that data from Cisco APIC tenants into the Firewall Management Center, where you can use those objects in access control rules. |
| Simultaneous editing of access control policies by multiple users | 10.0.0 | Any | In previous releases, if two or more users simultaneously edited an access control policy, the first user who saved would retain their changes, and all other users would immediately lose all of their edits. Now, these users can selectively merge their changes, and changes that do not conflict with the first user's saved changes are accepted automatically. This improves collaboration between users and reduces the need to lock the policy during edits. |
Encrypted traffic handling
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| New decryption policy user interface, including basic and advanced policy creation | 10.0.0 | Any | Easily create standard decryption policies using a new interface tailored to the most common and effective scenarios, with single-page certificate management. Or, stick with the legacy wizard and advanced rules-based policy editor. After Firewall Management Center upgrade, existing policies are labeled as legacy policies and continue to work as before. You can switch from a standard policy to legacy, but not from legacy to standard. |
| Change server certificates without impacting decryption by using an internal certificate to decrypt/reencrypt traffic | 10.0.0 | 10.0.0 | You can now use a certificate and key defined in the decryption rule to decrypt traffic. This certificate and key can be the internal server's certificate or it can be a different certificate; in addition, you can change the certificate and key at any time. You can replace the certificate using the API, a system like the Automated Certificate Management Environment (ACME), or Object Management. |
Hardware
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Firewall Management Center 1800, 2800, 4800 | 10.0.0 | Any | We introduced the Firewall Management Center 1800, 2800, and 4800, with better performance and more event storage than current models. For these new models, eth0 is the main management port. You can use eth1, eth2, and eth3 as secondary management ports. The SFP ports are eth0 and eth1. This is different from earlier models. |
| Secure Firewall 200 | 10.0.0 | 10.0.0 | The Secure Firewall 200 is an affordable security appliance for branch offices and remote locations that balances cost and features. During deployment, the system alerts you to any unsupported configurations. Limitations include: Version restrictions: In Version 10.0.0, the Secure Firewall 220 is the only supported device in the Secure Firewall 200 series. |
| Secure Firewall 6100 | 10.0.0 | 10.0.0 | The Secure Firewall 6100 is an ultra-high-end firewall for demanding data center and telecom networks. It has exceptional price-to-performance, modular capability, and high throughput. The Secure Firewall 6100 supports Spanned EtherChannel and Individual interface clustering for up to 4 nodes. You must manage these devices with a Firewall Management Center. They do not support Firewall Device Manager. |
| View field-replaceable memory module details for the Secure Firewall 6100 | 10.0.0 | 10.0.0 | You can view details, including operational status, for the field-replaceable memory module on the Secure Firewall 6100. New/modified screens: Choose , then edit the device and select the Device tab. In the System section, click View next to . New/modified Firewall Threat Defense commands: show inventory. New/modified FXOS commands: show dimm detail |
| DC power supply for the Secure Firewall 4200 | 7.4.3, 7.6.2, 7.7.0 | 7.4.3, 7.6.2, 7.7.0 | The FPR4200-PWR-DC for the Secure Firewall 4200 is a 1500 W DC power supply. The dual power supply modules can supply up to 1500 W across the input voltage range (48 VDC to 60 VDC). The load is shared when both power supply modules are plugged in and running at the same time. |
| Network module for the Secure Firewall 4200 | 10.0.0 | 10.0.0 | The FPR4K-XNM-6X1SXF for the Secure Firewall 4200 is a 6-port 1-Gbps SFP hardware bypass network module that operates in SX multimode. This network module has built-in SFP transceivers. |
Health monitoring
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Event datastore alerts when connections fail | 10.0.0 | Any | The MonetDB Statistics health module now alerts when there are no active connections to the event database, which can indicate connection failure. |
High availability/scalability
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| More container instances (21) on the Secure Firewall 4225 in multi-instance mode | 10.0.0 | 10.0.0 | The Secure Firewall 4225 in multi-instance mode now supports 21 container instances. The previous limit was 14. |
| Cluster redirect: flow offload support for Secure Firewall 4200 asymmetric cluster traffic | 10.0.0 | 10.0.0 | For asymmetric flows, cluster redirect lets the forwarding node offload flows to hardware. This feature is enabled by default but can be configured using FlexConfig. When traffic for an existing flow is sent to a different node, that traffic is redirected to the owner node over the cluster control link. Because asymmetric flows can create a lot of traffic on the cluster control link, letting the forwarder offload these flows can improve performance. Added/modified commands: flow-offload cluster-redirect (FlexConfig), show conn, show flow-offload flow, show flow-offload info |
| IPsec flow offload for traffic on the cluster control link on the Secure Firewall 4200 in distributed site-to-site VPN mode | 10.0.0 | 10.0.0 | For asymmetric flows in distributed site-to-site VPN mode, IPsec flow offload now lets the flow owner decrypt in hardware IPsec traffic that was forwarded over the cluster control link. This feature is not configurable and is always available with IPsec flow offload. Added/modified commands: show crypto ipsec sa detail |
Identity
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Identity-based dynamic access control | 10.0.0 | 7.3.0 (AD realm), 7.4.0 (Azure AD realm) | Handle traffic based on real-time user posture and risk by correlating identity and device context (from Cisco ISE or pxGrid Cloud) with Cisco Identity Intelligence (from Microsoft Entra ID or Cisco Duo). |
| pxGrid Cloud identity source | 10.0.0 | 7.3.0 (AD realm), 7.4.0 (Azure AD realm) | The Cisco Identity Services Engine (Cisco ISE) pxGrid Cloud identity source enables you to use subscription and user data from a Cisco ISE server or cluster in access control rules. |
Logging and analysis
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Send security events to Splunk or other SIEM via syslog | 10.0.0 | 10.0.0 | A new Splunk integration wizard () and updated logging options in access control make it easier to send security events to Splunk (or any other SIEM via syslog). |
| Generate and send protocol-aware (enriched) inspector logs via syslog | 10.0.0 | 10.0.0 | You can generate protocol-aware (enriched) inspector logs for traffic that you specify. Send these logs via syslog to Splunk or to any syslog server configured as an alert. To use this feature, enable advanced logging in your access control policy's advanced settings. Then, use access control rules to pinpoint the traffic where you want advanced logs. In those rules, enable the protocols you want to inspect. To receive alerts when there are communication issues between devices and the syslog server, enable the Snort 3 Statistics module in the device health policy. |
| Packet data included with intrusion events sent to Security Cloud Control | 10.0.0 | 10.0.0 | Packet data is now included with intrusion events sent to Security Cloud Control. |
Model migration
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Firewall Management Center model migration wizard | 10.0.0 | 7.3.0 | A new wizard allows you to easily migrate from one Firewall Management Center model to another. See: Cisco Secure Firewall Management Center Model Migration Guide |
| Migrate Firewall Management Center 1600/2600/4600 to 1800/2800/4800 | 10.0.0 | 7.3.0 | Migrate from Firepower Management Center 1600/2600/4600 to Firewall Management Center 1800/2800/4800. See: Cisco Secure Firewall Management Center Model Migration Guide |
| Migrate Firewall Management Center 4600 to Firewall Management Center Virtual 300 for Azure | 10.0.0 | 7.3.0 | Migrate from Firepower Management Center 4600 to Secure Firewall Management Center Virtual 300 for Azure. See: Cisco Secure Firewall Management Center Model Migration Guide |
| Migrate Firepower 4100/9300 to Secure Firewall 3100, 4200, and 6100 | 10.0.0 | Any (source), 7.4.1 (target) | Migrate to the Secure Firewall 3100, 4200, and 6100 from: |
| Migrate Firepower 1010 to Secure Firewall 200 and 1200 | 10.0.0 | Any (source), 7.6.0 (target) | Migrate the Firepower 1010 and 1010E to the Secure Firewall 200 and 1200. |
Performance and resiliency
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Block depletion autorecovery for clusters | 10.0.0 | 10.0.0 | The firewall block depletion fault manager introduced in Version 7.7.0 now supports clustered devices. Fault monitoring is automatically enabled on new and upgraded devices. To disable it, use FlexConfig. |
| Other performance and resiliency improvements | Feature dependent | Feature dependent | We made performance and resiliency improvements to: |
|
Public and private cloud
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Firewall Threat Defense Virtual for Microsoft Hyper-V | 10.0.0 | 10.0.0 | Firewall Threat Defense Virtual now supports Microsoft Hyper-V. |
| High availability for Firewall Management Center Virtual for OpenStack | 10.0.0 | Any | Firewall Management Center Virtual for OpenStack now supports high availability. Platform restrictions: Not supported with FMCv2. |
| Larger default disk size and the ability to resize the disk post-deployment | 10.0.0 | 10.0.0 | Firewall Threat Defense Virtual supports dynamic disk expansion on all virtual platforms. This capability optimizes disk utilization on high-capacity systems (for example, systems with 64 vCPUs and 128 GB RAM), ensuring that large core dump files do not trigger disk-space alerts. |
| Unlimited performance tier (FTDvU) for VMware and KVM | 10.0.0 | 10.0.0 | Firewall Threat Defense Virtual for VMware and KVM now supports an unlimited performance tier (FTDvU). This tier does not rate limit, and the RA VPN session limit depends on the allocated resources: |
| AWS two-arm Multi-AZ cluster support | 10.0.0 | 10.0.0 | FTDv for AWS in two-arm mode now supports Multi-AZ clustering. The GWLB in each AZ (availability zone) steers traffic to local firewalls for inspection and NAT. If one AZ or firewall fails, workloads in other AZs continue with minimal disruption, and you can scale throughput by adding members per AZ. Platform restrictions: Not supported with FTDv5 or FTDv10. |
| Azure MANA NIC support | 10.0.0 | 10.0.0 | Firewall Threat Defense Virtual for Microsoft Azure now supports MANA NIC hardware, which is optimized for enhanced networking performance. Supported instances: Standard_D8s_v5, Standard_D16s_v5 |
| GCP autoscale with clustered devices | 10.0.0 | 10.0.0 | Firewall Threat Defense Virtual now supports GCP autoscale (dynamic scaling) with clustered devices, using a Terraform template. |
| Nutanix AOS 6.8 support | 10.0.0 | 10.0.0 | Firewall Management Center Virtual and Firewall Threat Defense Virtual for Nutanix now support Nutanix AOS 6.8. This includes Virtual Private Cloud (VPC) support, whose flexible, cloud-like network segmentation and isolation lets you design and scale secure multi-tenant architectures. |
| OpenStack Caracal support | 10.0.0 | 10.0.0 | Firewall Management Center Virtual and Firewall Threat Defense Virtual for OpenStack now support the Caracal release. |
| OCI Ampere Compute instances | 10.0.0 | 10.0.0 | Firewall Threat Defense Virtual for OCI now supports Flex instances powered by an Ampere ARM-based processor. ARM architecture provides high performance with lower power consumption, enabling cost-efficient scaling. Supported instances: VM.Standard.A1.Flex, VM.Standard.A2.Flex |
| Secure Boot and UEFI firmware support | 10.0.0 | 10.0.0 | Firewall Threat Defense Virtual is now compatible with UEFI-based virtual machines. This modern firmware interface replaces legacy BIOS, improves boot performance, and provides enhanced hardware/VM compatibility. Secure Boot ensures that only signed and trusted bootloaders, kernel modules, and drivers are executed when the VM starts, which improves the virtual appliance's security. |
Routing
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Use PBR to handle traffic based on custom application patterns | 10.0.0 | 10.0.0 | You can now use policy-based routing to handle traffic using custom application patterns (basic custom application patterns have been supported since Version 7.7.0). Create an advanced custom application detector by uploading a Lua file with your detection pattern. Then, use the detector in an extended ACL in your PBR policy. See: Policy Based Routing |
| IPv6 router advertisements assign RDNSS/DNSSL | 10.0.0 | 10.0.0 | You can now configure recursive DNS server (RDNSS) and DNS search list (DNSSL) options to provide DNS servers and domains to SLAAC clients using router advertisements. New/modified screens: New/modified commands: show ipv6 nd detail, show ipv6 nd ra dns-search-list, show ipv6 nd ra dns server, show ipv6 nd summary |
Threat detection and application identification
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| EVE improvements | 10.0.0 | 10.0.0 (widgets), Any (all others) | Upgrade impact. Upgrade merges EVE exceptions, changes the EVE blocking level, and begins using EVE for application detection. EVE improvements include: |
| Default ports in application-based access control rules | 10.0.0 | Any with Snort 3 | For access control rules, a new Application Default option on the Applications tab lets you limit the rule to the application's default ports. You can also specify that the application be identified on Any port, which is the system's previous behavior. Note that any specification on the Ports tab overrides these options. You can use the Ports tab to limit the rule to one, multiple, or a range of ports. After Firewall Management Center upgrade, existing application-based rules that do not have manual port conditions are applied to Any port. To take advantage of this feature, edit the rules you want to limit. |
| Dynamic objects and security group tags in DNS rules | 10.0.0 | 10.0.0 | You can configure DNS rules in the DNS policy to use dynamic objects or security group tags (SGT). If you are already using these types of objects in access control rules, you can now extend their use to your DNS policy. We added the Dynamic Attributes tab to the add/edit DNS rule dialog box. |
| HTTP command line injection attack detection with Snort ML | 10.0.0 | 10.0.0 | Snort ML now detects HTTP command line injection attacks. The snort_ml inspector is currently disabled in all default policies except maximum detection. The intrusion rule that generates an event when snort_ml detects an attack (GID:411, SID:1) is also currently disabled in all default policies except maximum detection. |
| Portscan detection for clusters | 10.0.0 | 10.0.0 | You can configure threat detection at the cluster level. For nodes in a cluster, detection and prevention happen at the cluster level. Portscans can be detected whether they happen across nodes or within an individual node. Shunned hosts are shunned on all devices in the cluster, and shuns are released at the same time on all nodes. Statistics are available at the cluster level. |
| Unauthorized privacy technology (shadow traffic) detection | 10.0.0 | 10.0.0 | A new Shadow Traffic dashboard () monitors unauthorized privacy technology such as encrypted DNS, evasive private VPNs, multi-hop proxies, domain fronting, and fake TLS. Also, connection and unified events now have a Shadow Traffic Type field. Shadow traffic monitoring is auto-enabled by the upgrade. To disable it, use the access control policy advanced settings. |
| Updated internet access requirements for security intelligence feeds | 10.0.0 | Any | Upgrade impact. The system connects to new resources. The system now gets Security Intelligence feeds from: If you are using regular Smart Licensing, registering with Smart Software Manager (CSSM) sets up SSE integration. If you are using Specific License Reservation in a non-airgapped deployment, enable Security Cloud Control for access to the Security Services Exchange regional cloud. The system no longer requires access to intelligence.sourcefire.com. |
Troubleshooting and serviceability
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| MTU ping test on cluster node join provides more information by trying smaller MTUs | 10.0.0 | Any | When a node joins the cluster, it checks MTU compatibility by sending a ping to the control node with a packet size matching the cluster control link MTU. If the ping fails, it tries the MTU divided by 2 and keeps dividing by 2 until an MTU ping succeeds. A notification is generated so you can set the MTU to a working value and try again. We recommend increasing the switch MTU to the recommended value, but if you cannot change the switch configuration, a working value for the cluster control link will let you form the cluster. New/modified commands: show cluster history |
| Improved cluster control link health check with high CPU | 10.0.0 | Any | When a cluster node's CPU usage is high, the health check is suspended, and the node is not marked as unhealthy. This feature is enabled by default when CPU usage reaches 90% but can be configured using FlexConfig. New/modified FlexConfig commands: cpu-healthcheck-threshold |
| Ensure temporarily unavailable nodes can rejoin an oversubscribed cluster | 10.0.0 | 10.0.0 | Prioritizing critical control traffic increases resiliency in high availability and clustered deployments, especially when forming high availability or rejoining a cluster during times of heavy load. New/modified commands: show asp priority-polling, show cluster info trace, show failover trace. Deployment restrictions: Not supported with container instances. Platform restrictions: Supported with Secure Firewall 3100, 4200, and 6100 only. |
| Use the packet tracer to modify PCAPs | 10.0.0 | Any | You can now use the packet tracer to modify the source and destination IP address, source and destination port, and VLAN ID of a PCAP. In transparent mode, you can also modify the destination MAC address. You can then run a trace with the modified PCAP. |
| Generate a kernel dump on demand, or automatically on crash | 10.0.0 | 10.0.0 | You can now use the CLI to configure most hardware devices to generate a Linux kernel dump on crash. After you enable this feature, the device must reboot for it to take effect. Using the force keyword reboots the device and generates a kernel dump immediately. Or, manually reboot the device later. The upgrade automatically enables this feature. New CLI command: system support kernel-crash-dump. Platform restrictions: Supported on all hardware devices except the Secure Firewall 200 and ISA 3000. |
| Recovery-config mode support for NAT and other interface commands | 10.0.0 | 10.0.0 | Recovery-config mode now supports NAT and related object and object-group commands. It also supports the following interface commands: These interface commands, in addition to shutdown, are not supported in recovery-config mode on the cluster control link or failover link. New/modified diagnostic CLI (system support diagnostic-cli) command: configure recovery-config. Platform restrictions: Not supported with the Firepower 4100/9300, ISA 3000, or virtual firewall. Not supported for the Secure Firewall 3100/4200 in multi-instance mode. |
| Minimal system logging | 10.0.0 | 10.0.0 | You can now configure minimal (notice and above) system logging. For most devices, the default is full logging. For the new Secure Firewall 220, the default is minimal logging. New/modified CLI commands: system support logging-show, system support logging-full, system support logging-minimal |
Upgrade
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| New device and chassis upgrade wizard | 10.0.0 | Any | A new, streamlined upgrade wizard makes it easier to select and prepare devices for upgrade, and to identify issues preventing upgrade. Note that the Firewall Threat Defense wizard takes advantage of a new prepare-only option for unattended mode. This means that while the wizard copies packages and checks readiness, you may see messages about unattended mode running even if you did not explicitly start it. |
| Prepare-only and skip-checks options for unattended Firewall Threat Defense upgrade | 10.0.0 | Any | With unattended Firewall Threat Defense upgrades: These new options are available when you start unattended mode. |
| New options for downloading upgrade packages | 10.0.0 | Any | You can now: New/modified screens: |
| Auto-replace outdated Firewall Management Center upgrade scripts | 10.0.0 | Any | The Firewall Management Center can get new upgrade scripts for itself from the internet, fixing late-breaking upgrade issues without replacing the whole upgrade package. If the Firewall Management Center cannot download new scripts for any reason, the upgrade proceeds as it would have without them. If you encounter issues with Firewall Management Center upgrade, including a failed upgrade or unresponsive system, contact Cisco TAC. Download location: cdo-ftd-images.s3-us-west-2.amazonaws.com |
Usability
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Redesigned menus for the Firewall Management Center | 10.0.0 | Any | We redesigned the Firewall Management Center menus to be more intuitive and consistent with the Security Cloud Control user interface. A main, single-column menu provides a subset of your most used items, while all items are visible in expanded mode. You can customize which items to include on the main menu to suit your priorities. Preferences are per user. Existing and renamed top-level menus include: New top-level menus include: Some submenus were moved to new main menu locations. |
VPN
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| ACME-based TLS certificate management for remote access VPN | 10.0.0 | 10.0.0 | You can now use an ACME certificate to authenticate a managed device as an RA VPN gateway. New/modified screens: Objects > PKI > Cert Enrollment > Add Cert Enrollment > Enrollment Type > ACME. New/modified commands: crypto ca trustpoint |
| Site-to-site VPN tunnels over IPsec VTIs preserve SGT metadata | 10.0.0 | 10.0.0 | Cisco TrustSec uses security group tags (SGTs) to control access and enforce traffic on a network. This option enables SGT propagation over SVTIs and DVTIs of route-based and SD-WAN VPN topologies. To enable SGT propagation on a specific SVTI or DVTI, configure it in individual devices. New/modified screens: |
| Site-to-site VPN hub support for ECMP load balancing with dynamic VTIs | 10.0.0 | 10.0.0 | You can now enable Equal Cost Multi-Path (ECMP) on the dynamic VTIs of hub devices. All virtual access interfaces on the hub connecting to the same spoke are grouped into an ECMP zone. New/modified screens: |
| Site-to-site VPN support for BFD-based failover | 10.0.0 | 10.0.0 | You can now enable the BFD routing protocol on the SVTIs and DVTIs of route-based and SD-WAN VPN topologies. New/modified screens: |
| Distributed site-to-site VPN with clustering for the Secure Firewall 4200 | 10.0.0 | 10.0.0 | A cluster on the Secure Firewall 4200 supports site-to-site VPN in distributed mode. Distributed mode provides the ability to have many site-to-site IPsec IKEv2 VPN connections distributed across members of a cluster, not just on the control node (as in centralized mode). This significantly scales VPN support beyond centralized VPN capabilities and provides high availability. Added/modified commands: cluster redistribute vpn-sessiondb, show cluster vpn-sessiondb, cluster vpn-mode, show cluster resource usage, show vpn-sessiondb, show conn detail, show crypto ikev2 stats |
Zero trust access
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| ACME trustpoint as identity certificate for zero trust access | 10.0.0 | 10.0.0 | You can choose an ACME certificate for authenticating a managed device as a SAML SP for a zero-trust application policy. ACME certificates automate the lifecycle management of SSL and TLS certificates, including their auto-renewal. New/modified screens: New/modified commands: crypto ca trustpoint |
| IPv6 support for zero trust access | 10.0.0 | 10.0.0 | Clientless ZTNA now provides secure access to applications connected over IPv6 networks. Limitations: IPv6 source NAT for applications is only for homogeneous scenarios such as NAT66 and NAT44. NAT64 and NAT46 are not supported. New/modified screens: New/modified CLI commands: show running-config zero-trust |
Deprecated features
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Deprecated: Legacy screens used to register a device with a registration key | 10.0.0 | Any | The legacy screens used to register a device with a registration key are deprecated. On the Device Management page, now launches the wizard and was removed. |
| Deprecated: Enable a DHCP server on the firewall management interface | 10.0.0 | 10.0.0 | We deprecated these firewall CLI commands: |
| Deprecated: Secure Network Analytics manager-only deployments | 10.0.0 | Any | You can no longer configure a Secure Network Analytics manager-only deployment to store events. Note that manager-only deployments are deprecated in Secure Network Analytics Version 7.5.1. Although existing manager-only integrations continue to work, we recommend you switch to a single-node data store deployment with the latest supported version of Secure Network Analytics. This allows you to take advantage of new features, resolved issues, and performance improvements. |
| Deprecated: database access | 10.0.0 | Any | External access to the Firewall Management Center database is no longer supported. After upgrade, all integrations stop working. The option to enable database access is removed. The External Database User role and users remain, but cannot be used except to access the online help. We recommend you remove this role from existing users and do not enable it for new users. |
| End of support: VMware vSphere/VMware ESXi 6.5, 6.7, 7.0, and 7.5 | 10.0.0 | 10.0.0 | Upgrade impact. Upgrade VMware before you upgrade the software. We discontinued support for virtual deployments on VMware vSphere/VMware ESXi 6.5, 6.7, 7.0, and 7.5. Upgrade your hosting environment to Version 8.0 before you upgrade any virtual appliance. Version restrictions: Versions 7.3.x and 7.4.0–7.4.1 are not qualified on VMware 8.0. If you run any of these versions, upgrade to VMware 8.0 first. Move to the next step as soon as possible. For best results, perform a multi-step upgrade: first the virtual appliance to 7.4.2–7.7.x, then VMware, then the virtual appliances again. |
| Deprecated: Monitor device revert in the Message Center | 10.0.0 | Any | You can no longer monitor device revert from the Message Center. Instead, use the Device Management page (). On the Upgrade tab, click View Details next to the device you are reverting. |
| Deprecated: Legacy theme | 10.0.0 | Any | We deprecated the Legacy theme. If you were using the Legacy theme, the upgrade switches you to the Light theme. |
| Deprecated: Selected walkthroughs | 10.0.0 | Any | Some walkthroughs are no longer available. For a list of supported walkthroughs by version, see Walkthroughs in Secure Firewall Management Center. |
Branding
| Feature | Minimum Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Cisco Security Cloud is now Cisco Security Cloud Control | 10.0.0 | Any | Cisco Security Cloud is now Cisco Security Cloud Control. Integration allows you to leverage cloud-delivered intelligence, unified visibility, and simplified management. |
Related updates and deprecations
Resolved issues
This table lists the resolved security issues in this specific software release.
Table last updated: 2025-12-03
|
ID |
Headline |
|---|---|
|
Order of access-list/ access-group is different in standby unit. Full sync happens during node-join. |
|
|
ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
|
|
Custom rule with "metadata:impact_flag red" in Snort3 not detected as Impact Level 1 |
|
|
Additional tab/space added in ACL logging messages in EMBLEM format causing ingestion issues |
|
|
Evaluation of multiple Azul Zulu vulnerabilities on openjre ASDM |
|
|
[FMC HA] Follower accepts data only from 1 leader |
|
|
Redis is an open source, in-memory database that persists on disk. An |
|
|
In the Linux kernel, the following vulnerability has been resolved: s |
|
|
ASA block depletion due to SSL pre auth connections |
|
|
FMC GUI does not Accept "@" in the username for remote storage used for backups |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
FMC Legacy UI allows you to create time range objects in past time in ACL |
|
|
FTD native: ldap configuration fails to deploy to ftd when using same user as radius |
|
|
Unable to load Extended ACL objects if the count is more than few hundreds |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
|
|
FMC API PUT takes a long time to update Extended ACL objects when the count is in the hundreds |
|
|
Firepower wiping SSL trustpoint config after reloading. |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial of Service Vulnerability |
|
|
Unable to save the Ext ACL object - "Only Host and Network in IPv4 and IPv6 format are supported." |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, Secure Firewall Threat Defense Software HTTP Server Remote Code Execution Vulnerability |
|
|
Cisco Secure Firewall Management Center Software Command Injection Vulnerability |
|
|
IPv6 Management communication is lost due to a missing management-only multicast route. |
|
|
ARP is silently dropping packet for an unreachable next hop |
|
|
Traceback & Reload in Thread Name Unicorn Admin Handler |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Duplicate ACLs seen on FMC UI when Access Rules are created through API |
|
|
Cisco Secure Firewall Threat Defense Software Geolocation Remote Access VPN Bypass Vulnerability |
|
|
Multiple Cisco Products Snort 3 MIME Denial of Service Vulnerabilities |
|
|
Traffic hits incorrect ACP rules during policy deployment on FTD with dynamic objects |
|
|
Cisco Secure Firewall Management Center Software Radius Remote Code Execution Vulnerability |
|
|
Lina: Traceback in thread name ssh on executing show access-list after ACL deletion |
|
|
Route map object ACL match clause overwritten in all route map objects after saving changes. |
|
|
ACL: ASA may show false "OOB Access-list config change detected" warning after AAA authorization command is applied |
|
|
Cleaning of /var/temp backup files post Backup completion not cleaning |
|
|
Policy Deployment: When using MD5 in Site-to-Site VPN, manual deployment fails with validation error, but schedule deployment succeeds. |
|
|
Packet-tracer displaying incorrect ACL even though traffic action is taken based on the expected ACL. |
|
|
Reverting FTD upgrade silently removes object overrides on the FMC for the reverted FTD |
|
|
PAO logic for access rules POST/PUT api call for spaces in ip addresses in ACL rules |
|
|
External auth login with RADIUS to FMC UI may fail if Class attribute is used |
|
|
FMC RADIUS external authentication access requests missing 6 attributes after FMC upgrade |
|
|
Multiple Cisco Products Snort 3 MIME Denial of Service Vulnerabilities |
|
|
ASA from CSM/CLI - no access-list ACL_name line line_nr remark on last ACL line shows message - "Specified remark does not exist" |
|
|
Invalid host header reveals ASA interface IP address |
|
|
CVE-2025-32462: sudo: Before 1.9.17p1, allows users to execute commands on unintended machines. |
|
|
Inbound IPsec packets are dropped by IPsec offload when the crypto map ACL is using specific ports. |
|
|
RAVPN SSL/IKEv2 auth failure: AAA process mishandling broken fiber class |
|
|
FMC: Copy/Cut/Paste or drag/drop ACE in Extended ACL object, deletes existing Rules |
|
|
Firewall joins a cluster although gets incomplete ACL policy rules during replication |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability |
|
|
SAML response rejected with message for certain IDPs |
|
|
Drop counter doesn't increment for embryonic related drops in 'show service policy' |
|
|
Invalid OSPF process popup blocking route-map configuration |
|
|
FMC: Realm sync after import unassigns IPS policies configured in ACEs |
|
|
Deployment failure or traffic not matching configured rules after renaming several objects |
|
|
uZTNA Private resource not working due to hztna CRT expiration on FTD |
|
|
SFDataCorrelator backtrace every 1 hour after VDB update on FMC |
|
|
FMC UI route-map access list stuck |
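Reading this list, the first operational question is which managed devices still run software older than 10.0.0 and therefore do not carry these fixes. The following Python is added here as an example, not Cisco's code: it walks the FMC device inventory, follows paging links so a large inventory is not silently truncated, and compares versions numerically (a plain string comparison sorts "7.4.1" after "10.0.0"). The REST paths, the `sw_version` field on expanded device records, the `X-auth-access-token` header and the shape of `paging.next` are assumptions about the FMC REST API; the responses embedded below are constructed.

```python
"""Inventory check: which FMC-managed devices are below the release that carries
these fixes.  Added example, not Cisco code.  Assumed (not verified here): the
REST paths, the 'sw_version' field on expanded device records, the
X-auth-access-token header and 'paging.next' being a list of URLs."""
import json
import re
import ssl
import urllib.request
from typing import Callable, Dict, Iterator, List, Tuple

FIXED_IN = (10, 0, 0)  # Version 10.0.0 (build 140), per the release table

# Accepts '10.0.0 (build 140)', '7.4.2.1', '7.7.0-40'; trailing text is ignored.
_VER_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, ...]:
    """Integer tuple so that '7.4.1' < '10.0.0' is decided numerically.
    A plain string compare gets this backwards ('7' > '1')."""
    m = _VER_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def iter_items(get: Callable[[str], Dict], url: str) -> Iterator[Dict]:
    """Yield every item of a collection, following 'paging.next' links so that
    entries beyond the first page are not dropped."""
    while url:
        body = get(url)
        yield from body.get("items", [])
        nxt = body.get("paging", {}).get("next") or []
        url = nxt[0] if nxt else ""


def devices_below(get: Callable[[str], Dict], domain_uuid: str,
                  floor: Tuple[int, int, int] = FIXED_IN) -> List[Tuple[str, str]]:
    """Return (name, sw_version) for devices running software older than
    `floor`, i.e. devices that do not have this release's fixes."""
    url = (f"/api/fmc_config/v1/domain/{domain_uuid}/devices/devicerecords"
           "?expanded=true&limit=1000")
    stale = []
    for dev in iter_items(get, url):
        if parse_version(dev.get("sw_version", "0.0.0"))[:3] < floor:
            stale.append((dev["name"], dev["sw_version"]))
    return stale


def fmc_getter(host: str, token: str) -> Callable[[str], Dict]:
    """HTTP getter for a live FMC (assumed header; token comes from
    POST /api/fmc_platform/v1/auth/generatetoken).  Paging links may be
    absolute URLs, so only prefix the host when given a bare path."""
    ctx = ssl.create_default_context()  # keep certificate verification on
    def get(path_or_url: str) -> Dict:
        url = path_or_url if path_or_url.startswith("http") else f"https://{host}{path_or_url}"
        req = urllib.request.Request(url, headers={"X-auth-access-token": token})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return get


# Constructed sample: a three-device inventory returned over two pages.
DOMAIN = "e276abec-e0f2-11e3-8169-6d9ed49b625f"
_BASE = f"/api/fmc_config/v1/domain/{DOMAIN}/devices/devicerecords"
SAMPLE_PAGES = {
    "page1": {"items": [{"name": "edge-fw-1", "sw_version": "7.4.1 (build 172)"},
                        {"name": "dc-fw-1", "sw_version": "10.0.0 (build 140)"}],
              "paging": {"offset": 0, "limit": 2, "count": 3,
                         "next": [f"{_BASE}?expanded=true&offset=2&limit=2"]}},
    "page2": {"items": [{"name": "branch-fw-9", "sw_version": "7.7.0"}],
              "paging": {"offset": 2, "limit": 2, "count": 3}},
}


def sample_get(url: str) -> Dict:
    """Offline stand-in for fmc_getter(): serves the constructed pages."""
    return SAMPLE_PAGES["page2"] if "offset=2" in url else SAMPLE_PAGES["page1"]


if __name__ == "__main__":
    for name, ver in devices_below(sample_get, DOMAIN):
        print(f"{name}: {ver} is below {'.'.join(map(str, FIXED_IN))}")
```

Swap `sample_get` for `fmc_getter("fmc.example.net", token)` to run it against a real FMC; the `floor` argument lets you re-run the same check against a later maintenance release.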
This table lists the resolved functional issues in this specific software release.
Table last updated: 2025-12-03
|
ID |
Headline |
|---|---|
|
"logging debug-trace persistent" fails for "debug ip ..." related debugs |
|
|
DP-CP arp-in and adj-absent queues need to be separated |
|
|
User-Role permission for Object-MGMT "Find-Usage" |
|
|
Write cache is disabled on some FMC M5 appliances |
|
|
Standby FTD/ASA sends DNS queries with source IP of 0.0.0.0 |
|
|
Add UI message when user attempts to switch role from standby FMC with pending device registration: Chassis and Device |
|
|
Inline pair has incorrect FTW bypass operation mode of 'Phy Bypass' |
|
|
ASA/FTD : High LINA memory observed after configuring multiple AnyConnect packages |
|
|
Last Synchronized date in FMC smart license status is not always accurate |
|
|
New realm user are incorrectly getting mapped to discovered user |
|
|
Scheduled task may not run at all if UTC start times (based on DST) fall on different calendar days |
|
|
FMC does not support Umbrella with proxy setting |
|
|
On the 2K platform, external authentication fails for users whose names start with a number |
|
|
Snort3 Rule Recommendations - add error message if Network Discovery is not configured |
|
|
Misleading error message while attempting to revert upgrade on an ineligible device |
|
|
External Auth on FMC may throw err "Can't use string ("") as a HASH ref while "strict refs" in use" |
|
|
The fxos directory disappears after the show tech fprm detail command is cancelled with Ctrl+C. |
|
|
Stale anyconnect entries causing issues with routing |
|
|
Edit search page and unified event viewer very slow to load due to high number of search-related EOs |
|
|
DAP: debug dap trace not fully shown after 3000+ lines |
|
|
ENH: Add a command or a script to regenerate CA Certificate on FTD |
|
|
snort3 crashes observed due to memory corruption in file api |
|
|
Lina traceback in ZMQ Proxy caused service loss. |
|
|
ASA: unexpected logs for initiating inbound connection for DNS query response |
|
|
ENH : ASDM does not accept VTI Interface for routes, CLI works |
|
|
3100/4200: qdma driver watchdog timeout |
|
|
FTD 7.4.1 Snort shows 100% utilization even at a low traffic rate |
|
|
Snort3 traceback and restarts with race conditions |
|
|
Fault "Adapter 1/x/y is unreachable" due to connectivity failure between supervisor and VIC adapter |
|
|
Applications are incorrectly identified as TOR and blocked by Snort3 |
|
|
Snort creating too many snort-unified log files when frequent policy deploys |
|
|
Snort3 traceback and reload due to memory corruption in file module |
|
|
Snort3 crashes due to processing pdf tokenizer with no limits. |
|
|
Snort3 crashes while collecting flow-ip-profiling |
|
|
Incorrect syslog generated on failure to process SGT from ISE during RA authentication |
|
|
FMC - Add warning message when configuring CCL MTU |
|
|
SNMP for mgmt0/diagnostic outgoing traffic is missing |
|
|
WebEx traffic not getting bypassed in snort3 (allow rules) |
|
|
Virtual ASA/FTD may traceback and reload in thread PTHREAD |
|
|
ASDM- Unable to edit Secure Client Profile |
|
|
FMC : DAP configuration "laggy/hangs" when trying to configure via FMC. |
|
|
Increase sftunnel AUTH_TIMEOUT to 60 |
|
|
debug menu command to prevent 1550 block depletion due to sending logs to TCP syslog server |
|
|
Snort AppID incorrectly identifies SSH traffic as Unknown |
|
|
Creating cluster bundle tar files for cluster failing with remote storage SSH configured |
|
|
FMC unable to search Objects when there is a DNS configured |
|
|
Add timestamps into bash_history |
|
|
S2S VPN config removed unexpectedly after deployment |
|
|
File Download fails intermittently with malware & file policy configured |
|
|
SSH access with public key authentication fails after FXOS upgrade |
|
|
FXOS: Directory /var/tmp Triggering FXOS Fault F0182 due to vdc.log (Excessive Logging,Log Rotation) |
|
|
Set Weight option missing in UI when FTD sensor reverted and re-upgraded |
|
|
Propagate SGT deployed to FTD on copy device configuration (SGT configuration in UI and LINA doesn't match) |
|
|
FMC GUI does not allow saving ECMP configuration when there is a route leak for a VRF |
|
|
FMC find usage feature not showing all associated access control policies for random objects |
|
|
NAT traps have to be rate-limited |
|
|
FMC/FTD: Policy Deployment Fails For Existing FTDv Deployments on Cloud with VNI interfaces |
|
|
Alert user that FDM is not Supported for FTDv in Openstack if they try to enable it |
|
|
snort "exits normally" in loop every 1 min resulting in complete outage |
|
|
FMC displays VPN tunnel status as unknown even when the tunnels are up |
|
|
Invalid Name Warning Missing from FMC after upgrade and Save greyed out (Configure DAP records through Rest API) |
|
|
Unused objects deletion taking longer time |
|
|
Discrepancy in the unused object count between the FMC UI and API results |
|
|
Secure Client Connection Profile Address Pool not Shown |
|
|
Cluster assigning wrong nat for unit, traffic not being forwarded properly back to unit |
|
|
MariaDB import failure that lead to FMC-HA Synchronization Incomplete |
|
|
Use of Named interface in SLA Monitor causing cdFMC migration failure |
|
|
Switch FMC-HA fails: MariaDB replication is not in good state - can not sync |
|
|
FTD running on FPR2k devices, using CMI, has no ARP for 203.0.113.129 |
|
|
FTD deployment fails with error "Snort command failed due to bad config" |
|
|
Memory fragmentation resulted in huge pages unavailable for lina |
|
|
Snort3 Crashinfo not decoding certain lines with "no unwind info found" |
|
|
FMCv300 not consuming any FMCv300 device license |
|
|
fs-daemon hap reset with core generation |
|
|
Secure Client External Browser package Image shown 2 same packages |
|
|
policy_deployment.db does not get updated with the correct anyconnect/secure client version |
|
|
Big chunk of Memory of around 25KB is being allocated on Stack in "eigrp_interface_ioctl" API |
|
|
FMC not using configured proxy for smart licensing |
|
|
Traceback and reload in Thread Name Datapath |
|
|
Primary FTD instance MAC address is not updated correctly in FXOS during failover |
|
|
NAT divert for port 8305 on standby not updating after failover, causing the primary/standby FTD to show offline on FMC |
|
|
ACP copy not possible in Firepower Management Center |
|
|
Longevity setup: TPK cluster node is displayed as empty cluster in device management page |
|
|
SNMP walk results in ASCII value for IPSEC Peer instead of an IP address. |
|
|
Unreachable Hosts and URLs of syslog configuration Block Device Management Page Loading |
|
|
MI: Vlan info is not applied at FXOS level when Virtual MAC is configured |
|
|
ASA traceback and reload in freeb_core_local_internal |
|
|
FDM Order of reading nested object group indexing is causing deployment failure |
|
|
Intrusion policy having same name in different Domains causes IPS policy corruption |
|
|
Coverity System SA warnings 2024-09-09, Coverity Defects 922530 922529 922528 922630 921809 921808 |
|
|
S2S VPN tunnel Child SA unsuccessful renegotiation |
|
|
Critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
|
|
Frequent traceback after upgrading FTD HA |
|
|
Remove the File Capture Disk Manager SILO to prevent captured files from overwhelming the Disk Mgr |
|
|
On FMC, Backend server JVM is running out of memory when policies and objects are huge |
|
|
ASA Traceback after upgrade to 9.20.3.7 |
|
|
Send Virtual Tunnel Interface enabled by default on SVTI |
|
|
Tracebacks observed in a cluster member running ASA 9.20.3.4 |
|
|
FCM GUI became inaccessible after upgrading to ASA 9.18.4.22 | FPR 2130 Platform Mode |
|
|
Bandwidth information of a port-channel is not getting updated if an interface member goes down. |
|
|
FDM RA VPN SAML UI does not set port in base-url when custom webvpn port is used |
|
|
“Copy when complete” option not working for SSH Public Shared Key Authentication on FMC |
|
|
Traceback and reload with Thread Name: vtemplate process |
|
|
Traceback and reload during clear bgp * ipv6 unicast involving watchdog |
|
|
Traceback in thread name Lina on configuring arp permit-nonconnected with BVI |
|
|
ASA: IPv6 EIGRP routes learned from other neighbors are missing in updates after failover |
|
|
FMC1600-K9 PDF download failed in deploy tab |
|
|
ASA: floating-conn not closing UDP conns if conn was created without ARP entry for next hop |
|
|
cdFMC - Unable to save network group object |
|
|
ASA/FTD - Traceback and Reload in Threadname IP RIB Update |
|
|
Clearing all non applicable alerts post license registration success |
|
|
Intf Link down (Init, mac-link-down) seen - EtherChannel Membership in Down/Down/Down state after unplug/replug of the cable |
|
|
show blocks old core local can lead to unexpected reload. |
|
|
Smart license UI on cdFMC and FMC showing duplicate license count for Malware , IPS , URLFilter and Apex |
|
|
RA VPN Config Error -- Import PKCS12 operation failed - Deployment Failure |
|
|
Asia/Bangkok timezone option not listed in ASA running on firepower1k |
|
|
Banner motd does not display when configured |
|
|
SSH works in admin context but doesn't work in any user context after changing ssh key-exchange |
|
|
Event-list not deployed when using Enable All Syslog Messages |
|
|
Block S2S and remote access configurations for public cloud cluster |
|
|
FMC UI login fails with "Unable to authorize access." |
|
|
loading an ECDSA certificate into the FMC causes Auth Daemon to crash and reload repeatedly |
|
|
FMC: OSPF NSF-awareness (helper mode) cannot be configured on a standalone FTD |
|
|
Unreachable LDAP/AD referrals may cause delays or timeouts in external authentication on FTD |
|
|
Need the SVC Rx/Tx queue as a configurable option |
|
|
FMC does not remove community list override when this is modified. |
|
|
ISA3000 with ASA Refuses SSH Access If CiscoSSH is Enabled |
|
|
RTSP packets getting stuck in transmit queue leading to 9k blocks exhaustion. |
|
|
FMC Does not throw error with duplicate entries in input while modifying prefix list through API |
|
|
Choosing clause 91 FEC via the FMC sets fec 544 instead of fec 528 on QSFP-100G-CU3M |
|
|
Traceback and Reload caused by Memory corruption with SNMP inspection enabled |
|
|
Realm with greater than 16 directories cannot be deployed in RA-VPN for LDAP |
|
|
Confusing Verdict for Snort Injects - Change From Block to "Replaced"/"Injected" |
|
|
FDM - All IPSec tunnels get reset after changing PFS value for one tunnel |
|
|
User EO revisions accumulate forever, eventually overflowing Pruner's ability to do its job |
|
|
ipv6 ping Vrf name changed after xml processing |
|
|
core corruption still seen with switching to quick core feature |
|
|
snort3 : FMC connection event logs do not show URL in DNS query using TCP |
|
|
ASA clock is out of sync 2 hours when timezone is configured to Europe/Dublin which is GMT. |
|
|
Identity NAT should not throw error due to exceeding threshold if destination only objects expand |
|
|
FP1150 ASA/FTD - Traceback and reload triggered by watchdog timer |
|
|
lucene directory missing from FDM backup |
|
|
High ASA/FTD memory usage due to polling of RA VPN related SNMP OIDs |
|
|
WM-DT-7.7.0-40: Switch config failed and switch MAC error observed on device console |
|
|
FTD Clish: "more.fxos" process is left running when the ssh terminal session is abruptly terminated |
|
|
FMC Not listing the any connect images in RAVPN Wizard and FMT tool |
|
|
Occasionally, 'show chunkstat top-usage' output does not show all entries |
|
|
ASA/FTD may traceback and reload in Thread Name "DATAPATH" |
|
|
FXOS reset and reload due to snmpd service failure |
|
|
Create report option should be hidden from Health Events Page on CDFMC |
|
|
Generate syslog if received CRL is older than cached CRL |
|
|
Generate syslog if received CRL signature validation fails |
|
|
URL getting allowed even with block rule in place. |
|
|
ASA: Traceback and Reload Under Thread Name SSH |
|
|
FTD generates syslog 430002 as VPN Routing without VPN hairpin |
|
|
Policy Deployment Failure Due to Special Characters in AC Policy Rule Names |
|
|
FTD reboot and traceback in DATAPATH due to IPv6 packet processing |
|
|
Error thrown for individual rule hitcount if rule name contains certain special characters |
|
|
Debuggability: FP2100 port-channel interfaces flap after upgrade |
|
|
Tunnel Summary and Topology View in S2S monitoring doesn't display the right status. |
|
|
Dynamic Analysis Status Changed time only changes upon submission of a file for dynamic analysis |
|
|
Use of browser Refresh button on the Captured File Summary page may result in an unexpected warning |
|
|
FTD Upgrade Failure on Script 800_post/020_710_fix_users_and_roles.pl |
|
|
Warning messages from using Analyze button on Captured File Summary page need to be more specific |
|
|
Snort3 trimming packets with invalid sequence number due to bad window size information received |
|
|
VNI source MTU is not IPv6 aware after upgrade if configured prior to upgrade |
|
|
Nitrox Engine (Crypto Accelerator) problem affecting crypto hardware offload on FPR3100/4200 platforms |
|
|
Community lists should not throw an error until the last item in the list is being deleted |
|
|
sfipproxy prometheus configuration is attempted for not supported models and replaces sfipproxy.conf |
|
|
Unable to login to FMC GUI due to HTTP 401 UNAUTHORIZED error |
|
|
Aggressive scale down and scale up of nodes causing the failure |
|
|
Serviceability Enhancement - Make FXOS disk errors more descriptive |
|
|
SNMP walk on FXOS 2.14.1.167 causing warning loop |
|
|
ZIP files are not being transferred when Archive category is selected from File Policy using snort3 |
|
|
Exclude perf monitoring files from device backup |
|
|
ASAv reloaded unexpectedly with traceback on Unicorn Proxy Thread |
|
|
Command authorization fallback to Local only works for users with privilege 15. |
|
|
Active HA unit goes into failed state before peer unit gets into a ready state during snort failure |
|
|
SSL trustpoint with 4096 bit RSA keys not allowed by ASA if renewed via CLI |
|
|
Traceback and reload during the deployment after disabling FQDNs. |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-3-4280' |
|
|
Enabling debugs with EEM fails |
|
|
The whois lookup command for the FMC GUI does not properly handle errors |
|
|
Detectors sync issue on FMC upgraded to 7.7 |
|
|
Dispatch queue drops have no snapshot or tuple view for dropped flows |
|
|
Snort3 crashed because don't fragment bit was set and it did not treat ipv4 fragments as fragments |
|
|
FDM: De Registration stuck with this error: Licensing task is in progress |
|
|
Buffer calculation for new app_bin missing in the upgrade framework |
|
|
Prune the older files in /ngfw/var/cisco/deploy/pkg/var/cisco/packages |
|
|
FTD - LSP Installation/ Deployment Failure |
|
|
FMC upgrade page shows upgrade failed but the device is upgraded |
|
|
Backup may fail with generic "Backup died unexpectedly" error message |
|
|
IKEv2 Rekeys fail due to fragmentation during the IKE Rekey |
|
|
Importing SFO fails with the error "No UUID Provided" |
|
|
False alert "Terminating long running backup" on FMC due to UI backup timeout error. |
|
|
FXOS allows booting and starting an image installation using a Patch image |
|
|
Snort3 restart on the first deployment post FMC upgrade. |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina_exec_startup_thread' |
|
|
FMC removes prefix-list overrides used for BGP and installs default values by itself. |
|
|
Unable to rejoin data node in cluster after re-enabling mac-address auto in multi-context mode |
|
|
FTD TS is collecting duplicated data |
|
|
Better handling of invalid/bad data in fleet upgrade workflow. |
|
|
process_stderr.log: Could not open link aggregation log file '/ngfw/var/log/link_aggregation.log' |
|
|
Port scan alerts not getting generated for custom configuration |
|
|
Reduce TS package size |
|
|
FTD sending "0.0.0.0" NAS-IP-Address attribute when authenticating/authorizing using Radius |
|
|
debug packet-condition does not work as expected |
|
|
9K block depletion causing slowdown of all traffic through firewall |
|
|
Suddenly customer lost SSH access to the ASA |
|
|
Empty snapshot being sent when auth-daemon restarts, causing user logout |
|
|
DNS and default gateway are removed on FTD managed through data interface - DNS |
|
|
auth-daemon process restarts due to race condition |
|
|
Deployment failure due to invalid AnyConnect Images and Secure Client Profile references |
|
|
REST Api allows to create a realm without a directory configuration |
|
|
Enhance Backup Status Notifications for Unified Backup Failures on FMC |
|
|
Upgrade failure after RMA due to Sensor table having incorrect serial number |
|
|
Unexpected SFDataCorrelator exit after deployment to managed devices following VDB install on FMC |
|
|
Default Route Changes from Management0 to Management1 After Reload or Upgrade on FPR 4200 Series |
|
|
Management1 Gateway Configuration Should Be Optional on FPR 4200 Series |
|
|
FMC Site-to-Site Monitoring Dashboard is not working at all |
|
|
Unit taking ~13 secs to become active |
|
|
FMC remote storage test sometimes fails when configured to a server running Solar Winds SCP/SFTP |
|
|
Virtual ASA Traceback and Reload Caused by Disk Access Issues with NFS Enabled |
|
|
AC policy with Network Group Override object causes deployment failure/rules missing |
|
|
TLS: Outlook only supports TLS 1.2, not 1.3; FMC uses TLS 1.3 by default |
|
|
LSP upload/download + auto-deploy is failing |
|
|
Disable Reverse Path Filter for Dual Management Interfaces on FPR 4200 Series |
|
|
Active FMC - False alerts of FMC HA in degraded sync state |
|
|
FMC Alert: Discover Health Module Compilation Error |
|
|
CIMC Password length restricted to 16 characters with LOM enabled |
|
|
FMC: Deployment takes longer than expected when removing SNMP hosts from Platform Settings |
|
|
FTD upgrade allowed with dirty policy after FMC upgrade |
|
|
Random QoS policies are getting negated and re-added with subsequent deployment |
|
|
First cycle of FMC HA periodic sync may fail after resuming sync following FMC software upgrade |
|
|
Remote storage server password showing in plaintext in httpsd_error_log |
|
|
AMP related health alert during upgrade and typo in the alert message |
|
|
Enhance Debugging for add/update/withdraw of routes with neighbors |
|
|
Deployment due to system upgrade is failing at PREPARE phase in FDM-HA |
|
|
Serviceability Enhancement - New 'show bgp internal' command for advanced debugging |
|
|
ASA/FTD traceback and reload in vaccess_nameif_action thread |
|
|
FMC: Media type displayed on the FMC's FCM is not matching CLI after swapping sfps |
|
|
Remote backup generated successfully but configuration database backup is empty |
|
|
Smart license UI showing variable performance tier when stand by FMC is made active |
|
|
cdFMC does not show more than 25 realms in the GUI |
|
|
sftunnel and sfipproxy configuration files updates are not atomic |
|
|
Getting " Realm is disabled, enable it on the Realms page " while adding dynamic attributes |
|
|
Traceback & Reload in thread named: DATAPATH-1-23988 during low memory condition |
|
|
SSL Debug Logs Persist After Debug Reset |
|
|
show tech-support fprm detail command is getting stuck for longer duration |
|
|
Snort3 traceback and deployment failure with VDB upgrade |
|
|
Memory leak leading to split brain |
|
|
ENH: Include SystemID in "show system detail" in techsupport file |
|
|
Module show tech generation fails with external authentication |
|
|
Ensure the watchdog triggers even if a single snort3 thread becomes unresponsive. |
|
|
Counter from IKEV2 stats does not match the number of tunnels in VPN-Sessiondb |
|
|
SecGW: Data node fails to join the cluster with cluster_ccp_make_rpc_call failed to clnt_call error |
|
|
Port-channel member interface flap renders it as an inactive member |
|
|
sfipproxy may not restart and fail services like User Identities when enable file is not detected |
|
|
Disabling OSPFv3 on FMC does not clear passive interface and area config from FTD interfaces |
|
|
FMC IPsec SA remaining key lifetime incorrect conversion of seconds to hh:mm:ss |
|
|
Cluster node got deleted partially and devices have become Standalone on FMC UI |
|
|
ASA may traceback and reload in Thread Name 'fover_parse' |
|
|
syslog-ng may not immediately restart on FTD as expected upon changing FTD host name |
|
|
Installation of Hotfix may fail at 800_post/998_expire_ac_policy.pl on the standby FMC |
|
|
Deployment is failing due to the policy changes report request in progress |
|
|
FMC - Health Monitor shows 'No Data Available' due to too many open files |
|
|
Logging recipient-address not overriding the logging mail message severity levels |
|
|
Health module compilation error seen after upgrade from a newer lower MR to an older higher MR |
|
|
DNS and default gateway are removed on FTD managed through data interface |
|
|
Warwick Avenue: LLDP neighbours are not discovered if MGMT 1/2 interface is down |
|
|
Decryption policy failed to migrate to cdFMC from on-prem FMC. |
|
|
/mnt/disk0/log folder duplicated on troubleshooting package |
|
|
Generic or irrelevant error for remote storage device test/save failures |
|
|
Error after logging out from FMC UI using SSO with PingId |
|
|
FTD health metrics show "No data available" on the FMC |
|
|
Upgrading a 7.0.x sensor to 7.0.7 when managed by an FMC via hostname results in errors |
|
|
Serviceability enhancement for "system support trace" capabilities |
|
|
Traffic failure due to 9344 blocks leak |
|
|
FMC Rest API returns only the first 1000 network object entries |
|
|
Snort3 Traceback due to watchdog during appid NAVL instantiation |
|
|
'${dsk_a} missing or inoperable. Rebooting Blade.' error does not specify missing or inoperable disk |
|
|
Overrides not working on chained/inherited custom IPS policies |
|
|
[Cluster] CPU Utilization of 100% when NAT Pool exhaustion happens in a context. |
|
|
FTD: Large Delay in packets being inspected by snort |
|
|
Add "built" and "teardown" messages for the GRE | IPinIP connections to the Lina syslog |
|
|
FTD does not synchronize via NTP from Secondary Management Center in HA when the Primary is down |
|
|
DNS doctoring not working correctly if the doctoring rule is of type dynamic and has any interface |
|
|
After renewal FMC CA, the certificate cannot be used for ArcSight integration |
|
|
Logical App Stuck in 'Start Failed' Due to checkSystemCPUs Failure |
|
|
Failover and state link not accepting valid subnet mask |
|
|
Default Pass action for rules in Snort 3 local rule groups may cause blank error in IPS policies |
|
|
mix of major versions between FMC and FTD causes per-core CPU use health module to not work on FTD |
|
|
FMC/FDM Client side certificate used to communicate to Talos did not auto-renew correctly |
|
|
CPU core numbers not specified in results from operational/metrics FMC REST API endpoint |
|
|
FPR9K-SM-56 Cluster - FTD Stuck in an application install loop & error 'pooled address is unknown' |
|
|
FTD HA | Same MAC for port-channels causing network outage. |
|
|
Deployment to FTD Fails at 5% due to corruption with interface object |
|
|
Network Outage when Primary FTD Instance is Disabled from FCM |
|
|
snmp_logging_thread is utilizing high CPU in control plane |
|
|
FMC health policy and Default Health Policy do not have correct moduleList |
|
|
FPR9K-SM-56 Cluster Node APP_SYNC timeout twice before joining "6" member inter-chassis cluster |
|
|
Refresh Icon on Inventory Details Fails to Update Chassis Information for All Models |
|
|
/objects/fqdn filter parameters not working |
|
|
FPR1010 Ethernet1/1 trunk port is not passing Vlan traffic after a reload |
|
|
The NAS-IP-Address attribute is missing from the Access-Request in FMC |
|
|
Captured file status is not updated if threat score is cached on FTDs |
|
|
Bulk Edit Rules - Security Zone Search does not yield all zones if zone count is more than 1000 |
|
|
Deployment Failure in Hub and Spoke VTI Topology with DHCP Configured VPN Interfaces |
|
|
BFD flap due to ASA not processing incoming BFD packets after unrelated BFD peers go down |
|
|
SNMP polling to chassis is unsuccessful with FTD Multi-instance in HA used as SNMP agent |
|
|
SNMP configuration is not applied consistently across same FTDs type and version |
|
|
Deployment failure due to rsync |
|
|
3100 Marvell 4.3.14 CPSS patch for the interface mac stuck issue seen with peer switch reloads |
|
|
TLS handshake fails with reverse SSL flow and TSID (TLS Server Identity) enabled |
|
|
ASA/FTD traceback and reload with SNMP Notify Thread seen on 3110 |
|
|
FMC getting health alert - cgroup_monitor exited 5 time(s) |
|
|
Passive Agent core containers like BEE does not come up beyond 3 crashes. |
|
|
Certain special characters or spaces in RADIUS user passwords cause login failure in FMC |
|
|
Portscan event in FMC displays incorrect source/destination when set to 'low' setting |
|
|
Object search failing due to BB invalid data |
|
|
Deploy failure seen when we use same vlan id in vlan intf and sub intf |
|
|
Traceback in thread name DATAPATH when a unit is re-joining the cluster |
|
|
deployment slowness seen when huge number of policies are present |
|
|
Post-Failover FQDN Resolution Deferred Until Next DNS Poll Interval |
|
|
If a reposition or move operation fails and the user then saves, rules are lost and an outage may result |
|
|
Cryptochecksum changed after reloading. |
|
|
BFD packets are not dropped for single-hop BFD sessions received via alternate path |
|
|
Saving changes under Policy > Alerts > Intrusion Emails in FMC GUI multiple times removes old changes |
|
|
Local user details not replicated to data nodes in a cluster setup. |
|
|
ASDM: Displays Error of Keypair already exists when adding an identity certificate. |
|
|
Difference in RSA key length at multiple spots in FXOS |
|
|
L3 Clustering where BGP immediately comes up while DATA node is still in bulk sync |
|
|
Deployment failure not updated on databases of data node |
|
|
FMC page may get stuck in loading state while trying to fetch BGP configuration |
|
|
Unidirectional communication over ccl leading to split-cluster. |
|
|
FTD Hub-and-Spoke VPN Topology – Backup VTI Fails When DHCP is Used for External IP |
|
|
SMB remote FMC backups are failing due to realm sync |
|
|
FTD Dashboard queries only primary device for FTD HA |
|
|
Boot-Time warning if CPU core count is below minimum requirement |
|
|
ASA/FTD: Primary standby unit becomes Active after reload in HA set up |
|
|
backout change preventing enabling clustering in FIPS mode |
|
|
ASA/FTD traceback and reload triggered by the Smart Call Home process in sch_dispatch_to_url. |
|
|
If command replication fails to any nodes in cluster, send kick the node out from cluster to fmc |
|
|
Policy deploy would not write entries when referenced object is missing |
|
|
Command replication failure to cluster nodes on command commit noconfirm revert-save after access-list, additional debugs |
|
|
FMC Custom widget to display host count per sensor shows incorrect sensor name |
|
|
"Error during policy validation An internal error is preventing the system... "due to stale sensor ref in security zones |
|
|
Missing RADIUS accounting response messages may result in delays or failures of connectivity from chassis to instances |
|
|
fover_trace.log not rotating and growing to a massive size |
|
|
FPR 4125 Multi instance: High Snort and System Core CPU Usage (100%) Triggering FMC Critical Alerts |
|
|
FMC Unable to Download User Groups from AD Realm via LDAP |
|
|
ASAv restarts unexpectedly |
|
|
ASA: asacli Processes Not Terminated When SSH Sessions Are Closed |
|
|
cdFMC Not Displaying Interfaces and Security Zones When HA Secondary Device Is Active |
|
|
FMC Displays SSE Enrollment Failure Alarm Despite No Active Integration with SecureX |
|
|
Duplicate VTI cause VPN Flaps |
|
|
FTD Cluster: Incorrect log when snort engine restart times out |
|
|
FTD: SGT Inline tag stripped from SIP packets |
|
|
FP4100/9300 Fatal error: Incomplete chain observed before watchdogs with reset code 0x0040 |
|
|
LINA stays inactive without reloading after traceback on non-CP thread |
|
|
Users with "Modify Threat Configuration" permission are not able to modify Intrusion/File Policies within the Access Control Policy (ACP) rules |
|
|
Unified Event Viewer does not work with certain filters |
|
|
Secondary Address should only be configurable for FMC-managed FTDs when using data interfaces for management |
|
|
Unable to Edit or Break FTD-HA via FMC GUI because of UI lock issues during create |
|
|
The total disk keep on increasing on the disk status wizard on the Health Monitor page. |
|
|
FTD MI: SNMP polling fails to work after upgrade |
|
|
Excessive number of AD users in FTD External Authentication could lead to deployment failure when disabled. |
|
|
Error Encountered While Disabling the 'Call-Home Reporting Anonymous' Option in Call-Home Configuration |
|
|
Devices show offline due to "Appliance unreachable" due to HMS deadlock inserting to DB |
|
|
FTD Intermittent Syslog Alert: mcelog daemon is not running. Restarting the daemon. |
|
|
ASA/FTD traceback and reload in function mp_percore |
|
|
FPR failover split brain when upgrade primary/standby device's FXOS version |
|
|
Snort2 crashes in loop after FMC upgrade |
|
|
Subsequent DNS packets are dropped in a single flow if one domain hits the custom DNS SI block list |
|
|
ASA traceback and reload |
|
|
high CPU usage after ASA upgrade from 9.20.3.9 to 9.20.3.16 running on Hyper-V |
|
|
SFF_SFP_10G_25G_CSR_S V03 modules from Finisar ports bouncing when connected. |
|
|
FMC Restore of remote Unified backup fails due to no space left on the device |
|
|
Error 500: Internal Server Error in FMC when generating report for global domain intrusion policy used in child domain ACP |
|
|
ASA: tls-proxy maximum-session command error |
|
|
SSL error causing connection to Cisco Smart Software Manager (CSSM) to terminate |
|
|
ASA/FTD: the ssl trust-point command deleted after a reload |
|
|
User Creation Fails with RADIUS Dynamic Provisioning Enabled on Firepower device. |
|
|
FMC GUI Inaccessibility and blank due to 'Malformed JSON String' Exception |
|
|
Deployment is mandatory after FMC upgrade condition should be included in Upgrade code |
|
|
FMC UI breaks when configuring Client-side interface settings for DHCP Relay |
|
|
Collecting "show tech-support fprm" results into core for tar itself |
|
|
No log file present for troubleshoot generation, if there is any issue with TS generation |
|
|
Wrong URL incorrectly displayed for file upload with Japanese text in file path for client-less VPN |
|
|
Tmatch memory is mostly consumed by ARP-DP. |
|
|
The Firepower bandwidth_analyzer.pl script does not perform proper input validation for the '--size' option |
|
|
Unable to change few IPS rule actions after upgrading from snort2 to snort3 |
|
|
FMC Audit tcp-tls syslog is truncated or incorrectly formatted |
|
|
Negative value displayed for buffer drops when using " show cluster info load-monitor details" |
|
|
Tunnel Status shows "No Active Data" when spoke behind NAT on S2S Monitoring UI |
|
|
ASA crashinfo files not generated on FP4200 devices |
|
|
Syslog format is not properly printed when EMBLEM format is enabled at least in one syslog host |
|
|
ADI cores reading corrupt SXP file |
|
|
FP9300/4100 may traceback & reload due to a "Kernel Panic" |
|
|
Multiple mail drops and enq failures are seen while traffic is going through the box. |
|
|
depoyment failure reason and transcript to be updated on FMC |
|
|
Policy deploy failing on FTD when trying to remove Umbrella DNS Configuration |
|
|
wpk - 1gsx link remains up on wpk but on switch side it shows as not connected |
|
|
Error while downloading lsp from support site because VaultApp could not unseal Vault on FMC |
|
|
FDM stuck deployment task in Queued state |
|
|
An ICMP not reachable storm might cause high CPU on a two units FTD cluster |
|
|
Secure firewall posture image is not available in the ASA device backup when generated from ASDM |
|
|
CPU usage by "WebVPN Timer Process" on standby ASA device |
|
|
cdFMC returns 403 forbidden error while configuring webhook alerts |
|
|
FMC deployment hungs and fail due to "NGFW_UPGRADE is missing in map" |
|
|
Case differences in SAML SSO usernames cause login loop |
|
|
FMC reporting IPv6 non overlapped host object-group as fully overlapped object-group |
|
|
Deploy failure when Indexing is not working |
|
|
Error : Msglyr::ZMQWrapper::registerSender() : Failed to bind ZeroMQ Socket |
|
|
Deployment failure when selecting ECMP zone member interface in ZTNA policy |
|
|
SAML IdP entityID increase from capped 128 character maximum |
|
|
dmesg and kern.log file flooded with Tx Queue=0 logs |
|
|
IKEv2-EAP Authentication Fails with Windows and MacOS Native VPN Clients |
|
|
Clarify the working of Fallthrough to Interface PAT (Destination Interface) as it is not working as expected |
|
|
The estreamer debug command is not producing the expected output |
|
|
"CSRF Token Mismatch" error seen when users click logout from Clientless VPN page |
|
|
Internal error is seen when editing the rule with IPV6 contents |
|
|
The chassis serial number is empty post registration in FMC |
|
|
If a user_ip_map.snapshot exists with an low timestamp value, snapshots are created frequently |
|
|
Traffic drops post deployment when secondary skips app sync and become active immediately after bootstrap config apply |
|
|
ASA Memory leak while processing large CRLs. |
|
|
LDAP users in ACP always show realm out of sync. |
|
|
Capture the reason of reboot in FTD logs |
|
|
FTD Active Authentication hostname value not included in cp_redirect_params.conf file |
|
|
ASA Core file generated is corrupted |
|
|
ASA Clock reverts to UTC after device reload |
|
|
ASA/FTD: ASP drop capture for 'invalid-ip-length' or 'sp-security-failed' does not work with match criteria |
|
|
Customer DU CONSULT, NPS 6 - ACP search toggle for exact IP or Port match |
|
|
Memory leak in SSL crypto causing high Lina memory usage on lower-end devices running FTD 7.7.0 |
|
|
HA state should not transition from ColdStandby to Active |
|
|
FMC Auto Deployment Task fails to run repeatedly |
|
|
URL filtering download failure - talosAgent keeps exiting on FMC |
|
|
Cluster: Multi-blade chassis not transmitting broadcast traffic outbound to specific vlan |
|
|
SSL - Issues with DND a particular site after FTD upgrade on Chrome and Edge post upgrade |
|
|
TCP RST Packets Fail to Match Configured Geolocation-Based Rules |
|
|
Data Node Deregisters from With No Clear Error Message on vFMC in AWS When Deploying Stack Using Private IP's |
|
|
FP1140 Critical FXOS fault alerts (F1000413) after upgrade |
|
|
Prolonged delays in firewall restart/reboot completion |
|
|
Restoring .tgz context file causes allocated interfaces to be removed from 'system' configuration |
|
|
High disk usage due to snort-unified.log |
|
|
FTD - SNMP Walk of FXOS FTD OID Tree Returns Empty or Times Out |
|
|
SFDataCorrelator_user_id_mismatch.log overconsumption of disk |
|
|
Adding interface taking more than 30 sec with loading security zones |
|
|
FMC Dynamic Objects Limited to 1000 |
|
|
LINA traceback Observed on FTDv Firewalls Deployed in Azure: snp_vxlan_encap_and_send_to_remote_peer |
|
|
Threat/AMP Upgrade tasks are being created soon after HF installation completed |
|
|
WA: Traceback and reload due to lock contention on the tmatch table during deployment with large snmp config |
|
|
Missing Security Zones in zones.conf Affecting ngfw.rules Functionality |
|
|
If failover IPSEC PSK is 78 characters or greater HA breaks with "Could not set failover ipsec pre-shared-key" |
|
|
Inventory details on FMC GUI shows the incorrect compliance mode |
|
|
Files missing from FTD troubleshoot file |
|
|
FPR42xx - SNMP poll reports incorrect FanTray Status at Down while actually operational |
|
|
FMC dashboard dynamic analysis over time is shown as "No Data" |
|
|
Stop generating health alerts for transient high CPU utilization |
|
|
Issue with interface status visibility in Firepower Chassis Manager 4225 managed by FMC |
|
|
Memory Leak observed on FP2110 running ASA due to monitoring interface configured in HA |
|
|
FP3105 Traceback and Reload after changing the speed on Ethernet interface |
|
|
Snort may drop SCTP packets and block SCTP connections |
|
|
Schema Validation Error Encountered While Editing AnyConnect/Secure Client Profiles |
|
|
The syslog server called fluentbit can't recognize the fox syslog format and print it |
|
|
3100/4200: 1G Management interface flapping after upgrade |
|
|
CA Certificate Generation Issue Post restoring the Sanitised FMC Backup |
|
|
Audit Logs Display Repeated Session Expiration Entries Even When the System is Idle |
|
|
RAVPN Geolocation: Deployment failing by enabling all or specific countries in service access object |
|
|
Traceback and Reload while two processes attempt to free a TD subnet structure |
|
|
Misleading "failover reset" log printed on console when reload triggered by HA. |
|
|
management-data-interface commands fail with "Enable of interface failed" error due to case-sensitive interface name |
|
|
3RU MI instances offline after baseline/creation |
|
|
FTD: Injected/Trimmed packets dropped by LINA due to invalid-ip-length |
|
|
FDM Intrusion Events Not Displayed When Browser Language Is Set to Japanese |
|
|
VPN lost during a rekey with 'IKEv2 negotiation aborted due to ERROR: Platform errors' |
|
|
Security module reboot triggered by a CIMC reset. |
|
|
Policy Deployment tasks should not be stuck indefinitely |
|
|
ASA: Traceback and reload on threat detection, interfaces unstable after that |
|
|
Deployment fails deployment with "Deployment failed due to failure in retrieving running configuration information from device." |
|
|
Duplicate messages during deployment to be discarded by CD to avoid further deployment failures |
|
|
Flash Device error: Azure FMC |
|
|
Snort3 blocking ESMTP traffic intermittently and trigger IPS signatures: 124:1:2 |
|
|
ASA/FTD - Assert triggered during FP_PUNT replace (aaa account match) |
|
|
Traceback and reload after editing SNMP config, with tmatch |
|
|
Local FTD backups are failing due to a lack of disk space on /tmp. |
|
|
Long running AQ task got killed after timeout on FMC but corresponding backup task on FTD is still running |
|
|
Backup Timeout is not sufficient when FTD backups are huge and low bandwidth |
|
|
FTD backups sizes are huge like close to GB and above |
|
|
Firepower 9300 - DNM-2X100G Interfaces not passing traffic post upgrade to FXOS 2.17.0.518 |
|
|
FP3100/4200 rebooting after generating crypto_archive with error on console "KC ILK issue detected" |
|
|
Post FTD HA device deletion, RAVPN VPN references were still present causing deploy failures for existing ones |
|
|
OSPF: Lina Traceback and Reload on Both Units in High Availability Setup. |
|
|
Secondary FMC-HA Peer Exclusion list not taking effect for Network Discovery |
|
|
Rule action 'Disabled' of rule 1:23858 in Secure Firewall Management Center does not align with snort.lua in Firepower |
|
|
Need to remove compatibility popup added by CSCut04399 on ASDM |
|
|
Dynamic Attributes Connector Status shows One or more services are unhealthy |
|
|
Idle SSH sessions persist beyond the configured timeout without graceful termination by Fin flag |
|
|
Intrusion Event Packet Data via syslog/estreamer show no packet data for large packets |
|
|
update the health alert to specify invalid proxy characters |
|
|
ASA SNMP Response Issue - Responses Sent Only for Odd OIDs, Not for Even |
|
|
debug menu tls-offload option <> to be provided to resolve slow download speed using curl to download large file with SSL Decrypt Resign Policy |
|
|
Lina Traceback and Reload after enabling 'TLS Server Identity Discovery' |
|
|
Unable to use the plus sign in the email-id for the identity when configuring an S2S VPN |
|
|
Deployment failure soon after forming FTD HA |
|
|
FTD: Packets Dropped due to tcp-seq-past-win due to delayed packet through Snort |
|
|
ASAv deploy failed - console stuck at continuous |
|
|
Multiple System Configurations Missing from FMC GUI Post-Upgrade |
|
|
ASA/FTD in HA, snmptranslate process during the boot-up causing High CPU and IPC timeouts, causing split-brain. |
|
|
FTD packer-tracer showing remark rule id in access-list for a rule not getting hit |
|
|
FTD Traceback while executing 'asp load-balance per-packet' |
|
|
SSH login to FTD management IP address lands in FXOS shell instead of FTD CLISH due to missing /mnt/boot/application/*.def file |
|
|
Multicast and unicast packets do not reach the correct instance for random subinterfaces |
|
|
FTD 3130 HA Lina tracebacks at ikev2_bin2hex_str |
|
|
FMC Upgrade stalls Indefinitely at 999_update_onpremfmc_diskcache.sh |
|
|
FMC 7.6 NAT Source and IP Not Populating within Unified Event Viewer |
|
|
7.6 - Firepower 3100 series - Upgrading an HA pair from a version without the fix for CSCwo00444 to 7.6 causes one firewall to go into a traceback/reload loop |
|
|
Unable to edit Dynamic Analysis Connection cloud settings when FMC cannot connect to the US cloud |
|
|
FMC uses old DNS server for resolution despite correct configuration |
|
|
FTD is not sending a reset packet when the incoming traffic hits "block with reset" rule |
|
|
FTD upgrade failed due to bundle image existence verification failure |
|
|
FMC does not allow to use IP address with 0 value in last octet as gateway while configuring static route for a device. Error: Enter valid IPv4 host value |
|
|
FTD does not generate any events for the Platform Faults health module if no platform faults are present |
|
|
FPR 4200: HA link arp packets getting dropped, internal uplink linkChange counters incrementing |
|
|
FMC ACP Top User Deleted When Deleting Users With Legacy UI |
|
|
Password Expiry Age does not reset after Password Change |
|
|
ASDM: Using the Secure Client VPN Wizard results in an incomplete configuration |
|
|
show asp rule-engine issues with complete and run time |
|
|
non-SSL traffic wrongly classified as SSLv2 causing drops with TSID enabled |
|
|
SNMP traps are not sent to one of multiple SNMP servers, in certain conditions |
|
|
FMC - Deployment Fails with "Deployment failed due to timeout during configuration generation" |
|
|
ASA : Performance and high CPU usage seen on Hyper-V |
|
|
IKEv1 L2Lvpn fails in phase 2 with "Rejecting IPsec tunnel: no matching crypto map entry" after upgrade |
|
|
ASDM fails to connect via ipv6 due to https hostname wrong error |
|
|
FTD: Instance stuck in Boot Loop |
|
|
IPv6 function is stalled, link-local address marked [DUPLICATE] and IPv6 traffic stopped after failover due to split-brain |
|
|
502 Proxy Error when regenerating certificate in ISE Quick Configuration tab |
|
|
Clustering : SNMP traffic drop due to cluster redirect offload |
|
|
SRU Upgrade Fails Due to Leaked Activity IDs from ClusterPostUpgradeHandler |
|
|
Remote Access Monitoring doesn't show client IP correctly. |
|
|
Send Email when complete emails not working with advanced deployment |
|
|
Intermittent Blank Screen When Loading Access Control Policy in New UI |
|
|
tunnel protection ipsec policy feature not working on backup VTI tunnel |
|
|
Possible unregistration when deploying during HA Switchover |
|
|
FTD MI: SNMP polling fails to work after the upgrade |
|
|
Not probing for http Opportunistic TLS |
|
|
Packet Captures show misleading information when blocked due to TCP server unavailable. |
|
|
FP4225: Interface with SFP - 10/25G_LR_S (or CSR_S) is not coming up after reboot of peer side. |
|
|
Number of sessions in cache for Tomcat are set incorrectly |
|
|
FMC UI displays upgrade failure despite successful firewall upgrade |
|
|
ASDM Parsing Failure on Two Contexts |
|
|
WA MI: Two apps went to Not Responding state with reason: Error in App Instance ftd. sma reported fault: Instance xxx is disabled due to restart loop. Please consider reinstalling this app-instance. |
|
|
ASA client IP missing from TACACS+ authorization request in SSH |
|
|
Http inspector support for OPPORTUNISTIC_TLS |
|
|
Reboots on FP2130 due to missing heimdall PID |
|
|
Unable to upload Secure Firewall Posture image file with a size over 200MB |
|
|
"no http server basic-auth-client ASDM" allows ASDM connections to ASA. |
|
|
Remove Object Overlaps can remove unrelated objects |
|
|
DNS-GUARD is not capable to be de-activated on FTD Devices |
|
|
MonetDB may fail to start on FMC if maximum parallel/concurrent logins per CLI user is set to 1 |
|
|
Interfaces are coming up when the Firepower is shutting down |
|
|
FlexConfig migration may cause sudden logout from FMC GUI session |
|
|
Policy deployment fails when inline-set is configured on FTD HA |
|
|
'Access token invalid' is prompted, if a stress test is made on the ACP |
|
|
Low RAM allocation on ASAv can trigger unexpected behavior in 'asdm image' command |
|
|
Flexconfig policy deletion left the stale references |
|
|
cdFMC: All Device Deploy Validations were failing post deletion of Flexconfig for one device |
|
|
Cannot delete interface objects with names over 30 characters. |
|
|
FPR4215 "Not supported" alarm occurred, when insert the SFPs |
|
|
FDM: UI gets stuck on upgrade progress at 9% when upgrade fails attempting to install an already installed hotfix |
|
|
Traceback in HA stby node while snmpwalk on natAddrMapTable |
|
|
FMC does not accept underscore characters for remote storage hostname settings |
|
|
ASA/FTD: Traceback in thread name CP Processing due to DCERPC inspection |
|
|
Database synchronization should auto-resume post network/checksum issues |
|
|
EventHandler wastes CPU re-scanning files that contain no requested events |
|
|
Connection blocking active although "logging permit-hostdown' is set |
|
|
Summary Dashboard widgets do not wrap or truncate text properly |
|
|
Timeout values not honored after "sftunnel_change_max_conn_check.pl" changes |
|
|
Sftunnel TLS13 connection goes down after upgrade when two interfaces configured with same IP on FMC GUI |
|
|
Standby FMC Fails to Sync ids_event_class_map Table, Resulting in Misclassified Intrusion Events |
|
|
Both the units in HA changed the encryption algorithm simultaneously |
|
|
FMC API is reporting Windows for all AnyConnect images while querying RA VPN policies |
|
|
add context for cmd-invalid-encap asp-drop type in the "show asp drop" command usage |
|
|
Block 80 depletion ssl_decrypt_cb |
|
|
4200 interface image in FMC does not match interface order in device |
|
|
FPR HA ESP sequence number discrepancy when standby changes to Active resulting in Anti-replay drops |
|
|
Use of FMC GUI features via user role escalation may cause user to lose all permissions during GUI session |
|
|
FTD port status not reflecting properly on FMC. |
|
|
Intermittent deployment stuck "in progress" for few devices |
|
|
Deployment changed performance profile, unable to retrieve running configuration |
|
|
Traceback seen while FQDN list expands more than 200 entries for a resolved ip |
|
|
Device doesn't boot and gets stuck after a successful upgrade |
|
|
SRU-triggered policy deployments occurred following initial/standby FMC during FMC HA & standalone upgrades |
|
|
Slow UI and inability to check disk usage on FMC due to NFS configuration |
|
|
File policy stops working due to SMB tcp conn terminated after 1hr for unknown reason despite not idle |
|
|
Anyconnect users incorrectly get the prompts, based on the previous tunnel-group |
|
|
ASA: Traceback and reload after saving asdm image |
|
|
Show crypto accelerator shows max crypto throughput is 6 Gbps For 3K & 225Mbps for FTDv |
|
|
Empty Dynamic Attribute IP mappings pushed to FTD from FMC Secondary Unit |
|
|
Deleting a domain using domain_manager --deleteDomain <domain_uuid> on FMC CLI brings down the estreamer service |
|
|
Secure Client SAML - External Browser May Prompt for a Certificate when using IKEv2-IPsec and Certificate Mapping |
|
|
FTD may generate a large number of "ssl-certs-unified" files. |
|
|
ndclient stops monitoring snort during deployment causing outage |
|
|
TLS audit syslog configuration and certificates not replicating to secondary FMC in HA deployment |
|
|
Continuous logs_archive.asa-interface-idb.log getting generated on ASA |
|
|
FMC GUI slow time to load web pages post upgrade to 7.6.x |
|
|
FMC may not complete Cisco Security Cloud integration when using on-prem Smart Software Manager for smart licensing |
|
|
FTD HA Upgrade Failed on Secondary Unit Due to HA Being in a Failed State From FMC's Perspective |
|
|
ASA/FTD may traceback and reload citing Thread Name 'lina' as the faulting thread. |
|
|
Dynamic Offloaded Flows Interrupted midstream |
|
|
FMC is returning status code 400s of GET request for Get Device Data |
|
|
Disabled certificate is easily accessible and the sanitisation alone is not fool-proof |
|
|
cdFMC 7.7 Fails to Display Health Data for specific FTD's |
|
|
Intermittent drop of self-originated ICMP TTL exceeded messages with reason "Unable to obtain connection lock (connection-lock)" |
|
|
FMC/FTD: Policy Deployment failure after disabling NVE Interface config in VTEP Tab of FTD Cluster |
|
|
FTD Policy deployment reported as failed incorrectly on FMC when communications disrupted |
|
|
Lina traceback due to the incorrect option being received in the packet. |
|
|
Secure client tunnel group authentication is affected when using SDI protocol |
|
|
Interlaken (ILK) link between the Nitrox and KC2 failure, causing traffic backpressure / traffic outage |
|
|
Device upgrade using direct downloads from support site doesn't work correctly when FMC is behind a proxy |
|
|
ASA/FTD: Wrong value shown for X509_STORE_CTX in 'show ssl objects' |
|
|
S2S VPN status shows Unknown for Extranet direction while managed direction shows Active (bidirectional tunnel status not synchronized) |
|
|
RTSP Flows are dropped with drop reason "First TCP packet not SYN" |
|
|
GUI: File upload shows generic 'Invalid file size' instead of actionable message with actual and maximum allowed sizes |
|
|
ASA/FTD - Traceback and Reload in Threadname DATAPATH |
|
|
Rate limit conn-limit SNMP traps |
|
|
Upgrade failure on FMC on GCP 000_start/112_CF_check.sh |
|
|
ASAv on Hyper-v encountering boot loop issues when running netvsc driver |
|
|
Detection engine Folder is huge in size for FTD backups |
|
|
ASA traceback and reload due to memory corruption in IPsec SA pointers |
|
|
GeoDB content is not restored when restoring a backup to a freshly deployed FMC |
|
|
High network latency observed on ASAv |
|
|
Unable to upload VPN client profile package under Objects > Object Management > VPN > Secure client File to FMC while logged in via External User. |
|
|
Device goes into bootloop due to missing librte_mbuf.so.22 and librte_ring.so.22 |
|
|
Enhance UI error messages to inform users that deployment is not allowed due to version mismatch. |
|
|
Add validation on FMC UI to prevent admin to configure more than allowed IKE policies - Regression CSCwf10137 |
|
|
ASA/FTD traceback and reload in Lina |
|
|
Few Chassis devices are not visible to assign the policies |
|
|
Deployment failure due to unrecognized command "vpn-simultaneous-logins none" |
|
|
ASA/FTD Traceback and reload in L2 table creation failure |
|
|
FTD silently drops out of order packets |
|
|
removing all usages of a DHCP IPv6 pool object from FTD interface config does not delete the object from FTD |
|
|
ASA may traceback during manual failover |
Open issues
This table lists the open issues in this specific software release.
Table last updated: 2025-12-03
| ID | Headline |
|---|---|
| | 10.0: 1240/1250 VPN IKEv2 TCP 450B w/ AVC degraded ~4-5% |
| | FTD Performance down -8% on 1200 (Snort side) and 1010/ISA3k |
| | Move SQLite databases under /var/sf/sqlite folder to the high endurance partition of FTDs |
| | FMC UI not accessible for few min due to MySQLUtil [ERROR] UpdateTable: MySQL error 2002 |
| | Secure Firewall 200 not available after backup/restore when using an access control rule with URL categories |
| | Policy not marked out of date after a vdb upgrade as part of FMC upgrade |
Compatibility
Before you upgrade or reimage, make sure the target version is compatible with your deployment. If you cannot upgrade or reimage due to incompatibility, contact your Cisco representative or partner for refresh information.
Upgrade and downgrade
Choosing your upgrade target
Go directly to the latest Version 10 release possible to minimize upgrade and other impact.
Features, enhancements, and critical fixes can skip "future" releases that are ahead by version, but not by release date. For example, if you are up-to-date within major Version A, upgrading to dot-zero Version B can deprecate features and fixes.
If you cannot go to the latest release, at least make sure your current version was released on a date before your target version. In the following table, confirm your current version is listed next to your target version. If it is not, choose a later target.
| Target version | Release date | Current version: from 7.3 | from 7.4 | from 7.6 | from 7.7 | from 10.0 |
|---|---|---|---|---|---|---|
| to 10.0.0 | 2025-12-03 | 7.3.0–7.3.1 | 7.4.0–7.4.3 | 7.6.0–7.6.3 | 7.7.11 | — |
Upgrading from a patched deployment
Critical fixes in patches/vulnerability (fourth-digit) releases can also skip future releases. If you depend on these critical fixes, verify that your target version contains them. For a full list of release dates, see Cisco Secure Firewall Management Center New Features by Release.
Supported upgrades and downgrades
This section summarizes upgrade and downgrade capability. For help with:
- Choosing an upgrade target, see Choosing your upgrade target.
- Upgrade and downgrade procedures, including general guidelines, best practices, and troubleshooting, see the upgrade guide for the version you are currently running: https://www.cisco.com/go/ftd-upgrade.
- Any upgrade or downgrade issues for this specific release, see Open issues, Known issues with Firewall Management Center upgrade, and Known issues with Firewall Threat Defense upgrade.
Supported upgrades
This table shows the supported direct upgrades for Firewall Management Center and Firewall Threat Defense software.
Note: You can upgrade directly to any major (first and second-digit) or maintenance (third digit) release. Patches change the fourth digit only. You cannot upgrade directly to a patch from a previous major or maintenance release. Although a patched device (fourth-digit) can be managed with an unpatched Firewall Management Center, fully patched deployments undergo enhanced testing.
| Current version | to 10.0 | to 7.7 | to 7.6 | to 7.4 * | to 7.3 | to 7.2 | to 7.1 | to 7.0 |
|---|---|---|---|---|---|---|---|---|
| from 10.0 | YES | — | — | — | — | — | — | — |
| from 7.7 | YES | YES | — | — | — | — | — | — |
| from 7.6 | YES | YES | YES | — | — | — | — | — |
| from 7.4 | YES | YES | YES | YES | — | — | — | — |
| from 7.3 | YES | YES | YES | YES | YES | — | — | — |
| from 7.2 | — | YES | YES | YES | YES | YES | — | — |
| from 7.1 | — | — | YES | YES | YES | YES | YES | — |
| from 7.0 | — | — | — | YES | YES | YES | YES | YES |
| from 6.4 | — | — | — | — | — | — | — | YES |
* You cannot upgrade Firewall Threat Defense to Version 7.4.0, which is available as a fresh install on the Secure Firewall 4200 only, and is not supported with Firewall Device Manager. It removes significant features, enhancements, and critical fixes included in earlier versions. Upgrade to a later release.
For the Firepower 4100/9300, this table lists companion FXOS versions. If a chassis upgrade is required, Firewall Threat Defense upgrade is blocked. In most cases we recommend the latest build in each version; for minimum builds see the Cisco Secure Firewall Threat Defense Compatibility Guide.
| Target Firewall Threat Defense version | Minimum FXOS version |
|---|---|
| 10.x | 2.18.0 |
| 7.7 | 2.17.0 |
| 7.6 | 2.16.0 |
| 7.4.1–7.4.x | 2.14.1 |
| 7.4.0 | — |
| 7.3 | 2.13.0 |
| 7.2 | 2.12.0 |
| 7.1 | 2.11.1 |
| 7.0 | 2.10.1 |
| 6.7 | 2.9.1 |
| 6.6 | 2.8.1 |
| 6.4 | 2.6.1 |
Supported downgrades
If an upgrade or patch succeeds but the system does not function to your expectations, you may be able to revert (Firewall Threat Defense upgrades) or uninstall (Firewall Threat Defense and Firewall Management Center patches). For general information, particularly on common scenarios where returning to a previous version is not supported or recommended, see the upgrade guide: https://cisco.com/go/ftd-upgrade.
Known issues with Firewall Management Center upgrade
This section lists upgrade limitations and feature impact for this release. For general guidelines and best practices, see the Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center.
Known issues with Firewall Management Center upgrade
This table lists upgrade limitations for this release.
| Current version | Issue | Details |
|---|---|---|
| Any | — | There are no known issues for this version right now, but you should still check for open issues and features with upgrade impact. |
Features with upgrade impact for Firewall Management Center
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.
This table lists and links to descriptions of features that may have upgrade impact. The first column is for your current version and the link indicates when the feature was originally introduced.
Important: Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing your upgrade target.
| Current version | Features with upgrade impact |
|---|---|
| 7.7.x and earlier | |
| 7.6.x and earlier | |
| 7.6.0, 7.4.0–7.4.2, 7.2.9 and earlier | |
| 7.4.x and earlier | |
| 7.4.0 and earlier | |
| 7.4.0, 7.3.x, 7.2.5 and earlier | |
| 7.4.0, 7.3.x, 7.2.0–7.2.5, 7.1.x, 7.0.5 and earlier | |
| 7.3.x and earlier | |
| 7.3.0–7.3.1, 7.2.0–7.2.3, 7.1.x, 7.0.5 and earlier | |
Known issues with Firewall Threat Defense upgrade
This section lists upgrade limitations and feature impact for this release. For general guidelines and best practices, see the Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center.
Known issues with Firewall Threat Defense upgrade
This table lists upgrade limitations for this release.
| Current version | Issue | Details |
|---|---|---|
| 7.7 or earlier | Revert prohibited: Firewall Threat Defense Virtual Version 10+ to earlier versions. | Security enhancements to the startup framework (bootloader firmware) mean that you cannot revert virtual firewalls from Version 10+ to earlier versions. After upgrade, we also recommend you migrate configurations to freshly deployed Version 10+ instances and decommission the old ones. |
Features with upgrade impact for Firewall Threat Defense
A feature has upgrade impact if upgrading and deploying can cause the system to process traffic or otherwise act differently without any other action on your part. This is especially common with new threat detection and application identification capabilities. A feature can also have upgrade impact if upgrading requires that you take action before or after upgrade to avoid an undesirable outcome; for example, if you must change a configuration.
This table lists and links to descriptions of features that may have upgrade impact. The first column is for your current version and the link indicates when the feature was originally introduced.
Important: Minimize upgrade and other impact by going directly to the latest maintenance release in your chosen version. See Choosing your upgrade target.
| Current version | Features with upgrade impact |
|---|---|
| 7.6.0 and earlier | |
| 7.6.0; 7.4.0–7.4.2; 7.3.x; 7.2.9 and earlier | |
| 7.4.0–7.4.1; 7.3.x; 7.2.9 and earlier | |
| 7.4.0 and earlier | |
| 7.3.x | |