cisco firepower release notes, version 6.4 · table1:version6.4.0releasedates build date platforms...

Cisco Firepower Release Notes, Version 6.4.0First Published: 2019-04-24

Last Modified: 2020-03-03

Americas HeadquartersCisco Systems, Inc.170 West Tasman DriveSan Jose, CA 95134-1706USAhttp://www.cisco.comTel: 408 526-4000

800 553-NETS (6387)Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITHTHE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version ofthe UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHERWARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS.CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUTLIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERSHAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, networktopology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentionaland coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL:https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationshipbetween Cisco and any other company. (1721R)

© 2019–2020 Cisco Systems, Inc. All rights reserved.

https://www.cisco.com/go/trademarks

C O N T E N T S

Welcome to Version 6.4.0 1C H A P T E R 1

About the Release Notes 1

Release Dates 1

Compatibility 3C H A P T E R 2

Firepower Management Centers 3

Firepower Devices 4

Manager-Device Compatibility 6

Web Browser Compatibility 7

Screen Resolution Requirements 8

Additional Compatibility Resources 9

Features and Functionality 11C H A P T E R 3

New Features 11

New Features in Firepower Management Center/Firepower Version 6.4.0 11

New Features in Firepower Device Manager/FTD Version 6.4.0 19

Deprecated Features 23

Deprecated FlexConfig Commands 25

FMC Menu Changes 27

FMC How-To Walkthroughs 28

Upgrade to Version 6.4.0 31C H A P T E R 4

Guidelines and Warnings for Version 6.4.0 31

EtherChannels on Firepower 1010 Devices Can Blackhole Egress Traffic 32

Upgrade Failure: Insufficient Disk Space on Container Instances 32

Upgrade Failure: NGIPS Devices Previously at Version 6.2.3.12 32

Cisco Firepower Release Notes, Version 6.4.0iii

TLS Crypto Acceleration Enabled/Cannot Disable 33

Firepower 4100/9300 Requires Version 6.2.0 for Upgrade 33

Previously Published Guidelines and Warnings 33

Timeouts for the URL Filtering Cache Can Change 35

Readiness Check May Fail on FMC, 7000/8000 Series, NGIPSv 35

RA VPN Default Setting Change Can Block VPN Traffic 35

Updated Security for Appliance Access 36

Security Intelligence Enables Application Identification 36

Update VDB after Upgrade to Enable CIP Detection 37

Invalid Intrusion Variable Sets Can Cause Deploy Failure 37

Syslog Behavior Changes for Connection and Intrusion Events 37

Upgrade Can Unregister FTD/FDM from CSSM 38

Changes to Result Limits in Reports 38

Remove Site IDs from Version 6.1.x FTD Clusters Before Upgrade 39

Upgrade Failure: FDM on ASA 5500-X Series from Version 6.2.0 39

Access Control Can Get Latency-Based Performance Settings from SRUs 39

'Snort Fail Open' Replaces 'Failsafe' on FTD 40

General Guidelines and Warnings 40

Minimum Version to Upgrade 42

Time Tests and Disk Space Requirements 43

About Time Tests 43

About Disk Space Requirements 44

Version 6.4.0 Time and Disk Space 45

Traffic Flow, Inspection, and Device Behavior 45

FTD Upgrade Behavior: Firepower 4100/9300 Chassis 45

FTD Upgrade Behavior: Other Devices 49

Firepower 7000/8000 Series Upgrade Behavior 50

ASA FirePOWER Upgrade Behavior 52

NGIPSv Upgrade Behavior 52

Upgrade Instructions 53

Upgrade Packages 53

Freshly Install Version 6.4.0 55C H A P T E R 5

Deciding to Freshly Install 55

Cisco Firepower Release Notes, Version 6.4.0iv

Contents

Guidelines and Limitations for Fresh Installs 56

Unregistering Smart Licenses 58

Unregister a Firepower Management Center 59

Unregister an FTD Device Using FDM 59

Installation Instructions 60

Documentation 63C H A P T E R 6

New and Updated Documentation 63

Documentation Roadmaps 65

Resolved Issues 67C H A P T E R 7

Searching for Resolved Issues 67

Resolved Issues in New Builds 67

Version 6.4.0 Resolved Issues 68

Known Issues 73C H A P T E R 8

Searching for Known Issues 73

Version 6.4.0 Known Issues 73

For Assistance 77C H A P T E R 9

Online Resources 77

Contact Cisco 77

Cisco Firepower Release Notes, Version 6.4.0v

Contents

Cisco Firepower Release Notes, Version 6.4.0vi

Contents

C H A P T E R 1Welcome to Version 6.4.0

Thank you for choosing Firepower.

• About the Release Notes, on page 1• Release Dates, on page 1

About the Release NotesThe release notes provide critical and release-specific information for Version 6.4.0, including upgradewarnings and behavior changes. Read this document even if you are familiar with Firepower releases andhave previous experience upgrading Firepower deployments.

Upgrading or freshly installing (reimaging) a Firepower deployment can be a complex process. Rather thanprovide instructions here, the release notes point you to the appropriate resources. For links to upgrade andinstallation instructions, see:

• Upgrade Instructions, on page 53

• Installation Instructions, on page 60

Release DatesFor a list of all platforms available with Version 6.4.0, see Compatibility, on page 3.

Sometimes Cisco releases updated builds. In most cases, only the latest build for each platform is availableon the Cisco Support & Download site. We strongly recommend you use the latest build. If you downloadedan earlier build, do not use it. For more information, see Resolved Issues in New Builds, on page 67.

Table 1: Version 6.4.0 Release Dates

PlatformsDateBuild

FMC/FMCv2020-03-03113

Cisco Firepower Release Notes, Version 6.4.01

PlatformsDateBuild

Firepower 4115, 4125, 4145

Firepower 9300 with SM-40, SM-48, and SM-56 modules

2019-06-20102

Firepower 1010, 1120, 11402019-06-13

Firepower 2110, 2120, 2130, 2140

Firepower 4110, 4120, 4140, 4150

Firepower 9300 with SM-24, SM-36, and SM-44 modules

ASA 5508-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X

ASA 5585-X-SSP-10, -20, -40, -60

ISA 3000

FTDv

Firepower 7000/8000 series

NGIPSv

2019-04-24


Welcome to Version 6.4.0Release Dates

C H A P T E R 2Compatibility

This chapter provides compatibility information for Firepower Version 6.4.0.

• Firepower Management Centers, on page 3• Firepower Devices, on page 4• Manager-Device Compatibility, on page 6• Web Browser Compatibility, on page 7• Screen Resolution Requirements, on page 8• Additional Compatibility Resources, on page 9

Firepower Management CentersVersion 6.4.0 Firepower Management Center software is supported on physical and virtual platforms. AnyFMC can manage any Firepower device.

Firepower Management Center Physical Platforms

Version 6.4.0 supports:

• FMC 1600, 2600, 4600

• FMC 1000, 2500, 4500

• FMC 2000, 4000

• FMC 750, 1500, 3500

We recommend you keep the BIOS and RAID controller firmware up to date. For more information, see theCisco Firepower Compatibility Guide.

Firepower Management Center Virtual (FMCv) platforms:

Version 6.4.0 supports:

• FMCv on VMware vSphere/VMware ESXi 6.0 or 6.5

• FMCv on Kernel-based virtual machine (KVM)

• FMCv on Amazon Web Services (AWS)

• FMCv on Microsoft Azure


https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html

For supported FMCv instances, see the Cisco Firepower Management Center Virtual Getting Started Guide.

Firepower DevicesAbout Firepower Devices

Version 6.4.0 Firepower device software is supported on a wide range of physical and virtual platforms.

• Software: Some Firepower devices run Firepower Threat Defense (FTD) software; some runNGIPS/ASAFirePOWER software. Some can run either — but not both at the same time.

• Remote Management:All Firepower devices support remotemanagement with a FirepowerManagementCenter, which can manage multiple devices.

• Local Management: Some Firepower devices support local, single-devicemanagement. You canmanageFTD with the Firepower Device Manager (FDM), or ASA FirePOWER with ASDM. You can use onlyone management method for a device at a time.

• OS/Hypervisor: Some Firepower implementations bundle the operating systemwith the software. Othersrequire that you upgrade the operating system yourself. For versions and builds of bundled operatingsystems, refer to the Bundled Components information in the Cisco Firepower Compatibility Guide.

Supported Firepower Devices

The following table provides compatibility information for Firepower devices running Version 6.4.0. Again,remember that all devices support remote FMC management.

Table 2: Firepower Devices in Version 6.4.0

OS/HypervisorLocal Mgmt.SoftwareDevice Platform

—FDMFTDFirepower 1010, 1120, 1140

Firepower 2110, 2120, 2130, 2140

FXOS 2.6.1.157 or later build.

Separate upgrade. Upgrade FXOS first.

To resolve issues, you may need to upgrade FXOSto the latest build. To help you decide, see the CiscoFirepower 4100/9300 FXOS Release Notes, 2.6(1).

—FTDFirepower 4110, 4120, 4140, 4150

Firepower 4115, 4125, 4145

Firepower 9300 with SM-24, SM-36,SM-44 modules

Firepower 9300 with SM-40, SM-48,SM-56 modules


CompatibilityFirepower Devices

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fmcv/fpmc-virtual.html


https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos261/release/notes/fxos261_rn.html



—FDMFTDISA 3000

ASA 5508-X, 5516-X

ASA 5515-X, 5525-X, 5545-X, 5555-XAny of:

• ASA 9.5(2), 9.5(3)

• ASA 9.6(x) through 9.13(x)

Except:

• ASA 5515-X devices running ASA 9.13(x)+do not support ASA FirePOWER.

Separate upgrade. See the Cisco ASA UpgradeGuide for order of operations.

There is wide compatibility between ASA and ASAFirePOWER versions. However, even if an ASAupgrade is not strictly required, resolving issues mayrequire an upgrade to the latest supported version.

We do recommend you upgrade the ASA 5508-Xand 5516-X to the latest ROMMON image; see theinstructions in the Cisco ASA and Firepower ThreatDefense Reimage Guide.

ASDMASAFirePOWER(NGIPS)

Any of:

• ASA 9.5(2), 9.5(3)

• ASA 9.6(x) through 9.12(x)

Separate upgrade. See the Cisco ASA UpgradeGuide for order of operations.

There is wide compatibility between ASA and ASAFirePOWER versions. However, even if an ASAupgrade is not strictly required, resolving issues mayrequire an upgrade to the latest supported version.

ASDMASAFirePOWER(NGIPS)

ASA 5585-X-SSP-10, -20, -40, -60

Any of:

• VMware vSphere/VMware ESXi 6.0 or 6.5

• KVM

• AWS

• Microsoft Azure

For supported instances, see the appropriate FTDvQuick Start/Getting Started guide.

FDM (VMwareand KVM only)

FTDFTDv


CompatibilityFirepower Devices

https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade.html


https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html




https://www.cisco.com/c/en/us/support/security/firepower-ngfw-virtual/products-installation-guides-list.html

https://www.cisco.com/c/en/us/support/security/firepower-ngfw-virtual/products-installation-guides-list.html


VMware vSphere/VMware ESXi 6.0 or 6.5

For supported instances, see the Cisco FirepowerNGIPSv Quick Start Guide for VMware.

—NGIPSNGIPSv

—Limited localGUI for selectmanagementfunctions.

NGIPSFirepower 7010, 7020, 7030, 7050

Firepower 7110, 7115, 7120, 7125

Firepower 8120, 8130, 8140

Firepower 8250, 8260, 8270, 8290

Firepower 8350, 8360, 8370, 8390

AMP 7150, 8050, 8150

AMP 8350, 8360, 8370, 8390

Manager-Device CompatibilityThe FMC must run at least the same major version as the devices it manages. Although you can manage apatched device with an unpatched FMC, new features and resolved issues often require the latest patch onboth the FMC and its managed devices. We strongly recommend that you patch your entire deployment.

Table 3: Version 6.4.0 Manager-Device Compatibility

Firepower Management Center

Version 6.1 through 6.4.0.x devices.can manageVersion 6.4.0 FMC

Version 6.4.0 FMC.requireVersion 6.4.0 devices

Firepower Device Manager

One FTD device.can manageVersion 6.4.0 FDM

ASDM

Version 6.4.0.x and earlier ASA FirePOWERmodules.

can manageVersion 7.12.1 ASDM

Version 7.12.1 ASDM.requireVersion 6.4.0 ASAFirePOWER modules


CompatibilityManager-Device Compatibility

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/quick_start/ngips_virtual/NGIPSv-quick.html


Web Browser CompatibilityBrowsing the Web from a Firepower-Monitored Network

Many browsers use Transport Layer Security (TLS) v1.3 by default. If you are using an SSL policy to handleencrypted traffic, and people in your monitored network use browsers with TLS v1.3 enabled, websites thatsupport TLS v1.3 may fail to load.

For more information, see the software advisory titled: Failures loading websites using TLS 1.3 with SSLinspection enabled.

Secure Communications with the FMC

SSL certificates allow the FMC (and 7000/8000 series devices) to establish an encrypted channel betweenthe appliance and your browser.

By default, the system comes with a self-signed HTTPS server certificate. We recommend that you replaceit with a certificate signed by a globally known or internally trusted certificate authority (CA). You can generatecustom server certificate requests and import custom server certificates on the HTTPS Certificates page;choose System > Configuration, then click HTTPS Certificates.

For more information, see the online help or the Firepower Management Center Configuration Guide.

Browsers Tested with Firepower Web Interfaces

Firepower web interfaces are tested with the latest versions of popular browsers: Google Chrome, MozillaFirefox, and Microsoft Internet Explorer, running on currently supported versions of macOS and MicrosoftWindows. If you encounter issues with any other browser, or are running an operating system that has reachedend of life, we ask that you switch or upgrade. If you continue to encounter issues, contact Cisco TAC.

Although we do not perform extensive testing with either Apple Safari or Microsoft Edge, Cisco TAC alsowelcomes feedback on issues you encounter with the latest version of these browsers.

Note

Table 4: Browsers Tested with Firepower Web Interfaces

Required Settings and Additional WarningsBrowser

JavaScript, cookies

Chrome does not cache static content, such as images, CSS, or JavaScript, withthe system-provided self-signed certificate. Especially in low bandwidthenvironments, this can extend page load times. If you do not want to replacethe self-signed certificate, you can instead add it to the trust store of thebrowser/OS.

Google Chrome


CompatibilityWeb Browser Compatibility

https://www.cisco.com/c/en/us/td/docs/security/firepower/SA/SW_Advisory_CSCvh22181.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/SA/SW_Advisory_CSCvh22181.html

http://www.cisco.com/go/firepower-config

Required Settings and Additional WarningsBrowser

JavaScript, cookies, TLS v1.2

When it updates, Firefox sometimes stops trusting the system-providedself-signed certificate. If you do not want to replace the certificate, and thelogin page does not load, refresh Firefox. Type about:support in theFirefox search bar and click Refresh Firefox. You will lose some settings; seethe Refresh Firefox support page.

Mozilla Firefox

JavaScript, cookies, TLS v1.2, 128-bit encryption

Also, you must:

• For the Check for newer versions of stored pages browsing historyoption, choose Automatically.

• Disable the Include local directory path when uploading files to servercustom security setting.

• Enable Compatibility View for the Firepower web interface IPaddress/URL.

Not tested with FMC walkthroughs.

Microsoft Internet Explorer11 (Windows only)

Browser Extension Compatibility

Some browser extensions (for example, Grammarly and Whatfix Editor) can prevent you from saving valuesin fields like the certificate and key in PKI objects. These extensions insert characters (such as HTML) in thefields, which causes the FMC to see them as invalid. We recommend you disable these extensions whileyou’re using the FMC.

Screen Resolution RequirementsTable 5: Screen Resolution Requirements for Firepower User Interfaces

ResolutionInterface

1280 x 720Firepower Management Center

1280 x 7207000/8000 series device (limited local interface)

1024 x 768Firepower Device Manager

1024 x 768ASDM managing an ASA FirePOWER module

1024 x 768Firepower Chassis Manager for Firepower 4100/9300 chassis


CompatibilityScreen Resolution Requirements

https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings

Additional Compatibility ResourcesThis table provides links to release notes and additional compatibility information. For full documentationroadmaps, see Documentation Roadmaps, on page 65.

Table 6: Additional Compatibility Resources

ResourcesDescription

Cisco Firepower Compatibility Guide

Cisco ASA Compatibility

Cisco Firepower 4100/9300 FXOS Compatibility

Compatibility guides provide detailed compatibilityinformation for supported hardware models andsoftware versions, including bundled components andintegrated products.

Cisco Firepower Release Notes

Cisco ASA Release Notes

Cisco Firepower 4100/9300 FXOS Release Notes

Release notes provide critical and release-specificinformation, including upgradewarnings and behaviorchanges.

Cisco NGFW Product Line Software Release andSustaining Bulletin

Sustaining bulletins provide support timelines forthe Cisco Next Generation Firewall product line,including management platforms and operatingsystems.


CompatibilityAdditional Compatibility Resources


https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html

https://www.cisco.com/c/en/us/support/security/defense-center/products-release-notes-list.html

https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-release-notes-list.html

https://www.cisco.com/c/en/us/support/security/firepower-9000-series/products-release-notes-list.html

https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html

https://www.cisco.com/c/en/us/products/collateral/security/firewalls/bulletin-c25-743178.html


CompatibilityAdditional Compatibility Resources

C H A P T E R 3Features and Functionality

Firepower Version 6.4.0 includes:

• New Features, on page 11• Deprecated Features, on page 23• Deprecated FlexConfig Commands, on page 25• FMC Menu Changes, on page 27• FMC How-To Walkthroughs, on page 28

New FeaturesThe following topics list the new features available in Firepower Version 6.4.0. If your upgrade path skipsone or more major versions, see the Cisco Firepower Release Notes for past new feature lists.

New Features in Firepower Management Center/Firepower Version 6.4.0The following table lists the new features available in Firepower Version 6.4.0 when configured using aFirepower Management Center.

Table 7: Version 6.4.0 New Features: FMC Deployments

DescriptionFeature

Hardware and Virtual Hardware

We introduced the Firepower Management Center models MC1600,2600, and 4600. Note that these models also support Version 6.3.x.

FMC models MC1600, 2600, and4600

We introduced Firepower Management Center Virtual on MicrosoftAzure.

FMCv on Azure

We introduced the Firepower 1010, 1120, and 1140.FTD on the Firepower 1010, 1120,and 1140

We introduced the Firepower 4115, 4125, and 4145.FTD on the Firepower 4115, 4125,and 4145


https://www.cisco.com/c/en/us/support/security/defense-center/products-release-notes-list.html

DescriptionFeature

We introduced three new securitymodules: SM-40, SM-48, and SM-56.Firepower 9300 SM-40, SM-48,and SM-56 support

You can now deploy ASA and FTD logical devices on the sameFirepower 9300. Requires FXOS 2.6.1.

ASA and FTD on the sameFirepower 9300

Licensing

For ASA FirePOWER and FTD deployments, the ISA 3000 nowsupports URL Filtering and Malware licenses and their associatedfeatures.

For FTD only, the ISA 3000 also now supports Specific LicenseReservation for approved customers.

Supported platforms: ISA 3000

New licensing capabilities for ISA3000

Firepower Threat Defense Routing

You can now use rotating (keychain) authentication when configuringOSPFv2 routing.

New/modified screens:

• Objects > Object Management > Key Chain object

• Devices > Device Management > edit device > Routing tab >OSPF settings > Interface tab > add/edit interface >Authentication option

• Devices > Device Management > edit device > Routing tab >OSPF settings > Area tab > add/edit area > Virtual Link sub-tab> add/edit virtual link > Authentication option

Supported platforms: FTD

Rotating (keychain) authenticationfor OSPFv2 routing

Firepower Threat Defense Encryption and VPN

Secondary authentication, also called double authentication, adds anadditional layer of security to RA VPN connections by using twodifferent authentication servers. With secondary authentication enabled,AnyConnect VPN users must provide two sets of credentials to log into the VPN gateway.

RAVPN supports secondary authentication for the AAAOnly and ClientCertificate and AAA authentication methods.

New/modified screens: Devices > VPN > Remote Access > add/editconfiguration > Connection Profile > AAA area


RAVPN: Secondary authentication


Features and FunctionalityNew Features in Firepower Management Center/Firepower Version 6.4.0

DescriptionFeature

You can now configure site to site VPNs to use a dynamic IP addressfor extranet endpoints. In hub-and-spoke deployments, you can use ahub as an extranet endpoint.

New/modified screens: Devices > VPN > Site To Site > add/edit FTDVPN topology > Endpoints tab > add endpoint > IP Address option


Site-to-site VPN: Dynamic IPaddresses for extranet endpoints

You can now use dynamic crypto maps in point-to-point as well as inhub-and-spoke VPN topologies. Dynamic crypto maps are still notsupported for full mesh topologies.

You specify the crypto map type when you configure a topology. Makesure you also specify a dynamic IP address for one of the peers in thetopology.

New/modified screens: Devices > VPN > Site To Site > add/edit FTDVPN topology > IPsec tab > Crypto Map Type option


Site-to-site VPN: Dynamic cryptomaps for point-to-point topologies

SSL hardware acceleration has been renamed TLS crypto acceleration.Depending on the device, TLS crypto acceleration might be performedin software or in hardware. The Version 6.4 upgrade processautomatically enables acceleration on all eligible devices, even if youpreviously disabled the feature manually.

In most cases you cannot configure this feature; it is automaticallyenabled and you cannot disable it. However, if you are using themulti-instance capability of the Firepower 4100/9300 chassis, you canenable TLS crypto acceleration for one container instance permodule/security engine. Acceleration is disabled for other containerinstances, but enabled for native instances.

New FXOS CLI commands for the Firepower 4100/9300 chassis:

• show hwCrypto

• config hwCrypto

New FTD CLI commands:

• show crypto accelerator status (replaces system supportssl-hw-status)

Removed FTD CLI commands:

• system support ssl-hw-accel

• system support ssl-hw-status

Supported platforms: Firepower 2100 series, Firepower 4100/9300chassis

TLS crypto acceleration

Events, Logging, and Analysis



DescriptionFeature

Fully qualified file and malware event data can now be sent frommanaged devices via syslog.

New/modified screens: Policies > Access Control > Access Control> add/edit policy > Logging tab > File and Malware Settings area

Supported platforms: Any

Improvements to syslog messagesfor file and malware events

You can now search for intrusion events generated as a result of aparticular CVE exploit.

New/modified screens: Analysis > Search

Supported platforms: FMC

Search intrusion events by CVE ID

Intrusion event syslog messages now specify the intrusion policy thattriggered the event.


IntrusionPolicy field is nowincluded in syslog

Cisco Threat Response is a new Cisco Cloud offering that helps yourapidly detect, investigate, and respond to threats. CTR lets you analyzeincidents using data aggregated from multiple products, includingFirepower Threat Defense. For more information, see the Firepowerand Cisco Threat Response Integration Guide.

New/modified screens: System > Integration > Cloud Services


Cisco Threat Response (CTR)integration

Splunk users can use a new, separate Splunk app, Cisco Firepower Appfor Splunk, to analyze events. Available functionality is affected by yourFirepower version.


Splunk integration

Administration

FTDv on VMware now defaults to vmxnet3 interfaces when you createa virtual device. Previously, the default was e1000. The vmxnet3 devicedrivers and network processing are integrated with the ESXi hypervisor,so they use fewer resources and offer better network performance.

If you are using e1000 interfaces, we strongly recommendyou switch. For more information, refer to the instructionson adding and configuring VMware interfaces in the CiscoFirepower Threat Defense Virtual for VMware GettingStarted Guide.

Note

Supported platforms: FTDv on VMware

FTDv on VMware defaults tovmxnet3 interfaces



https://www.cisco.com/c/en/us/td/docs/security/firepower/integrations/CTR/Firepower_and_Cisco_Threat_Response_Integration_Guide.html


https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/vmware/ftdv/ftdv-vmware-gsg.html



DescriptionFeature

When you enable IPv6, you can disable DAD. Youmight want to disableDAD because using DAD opens up the possibility of denial of serviceattacks. If you disable this setting, you need check manually that thisinterface is not using an already-assigned address.

New/modified screens: System > Configuration > ManagementInterfaces > Interfaces area > edit interface > IPv6 DAD check box

Supported platforms: FMC, 7000 and 8000 Series

Ability to disable DuplicateAddress Detection (DAD) onmanagement interfaces

When you enable IPv6, you can now disable ICMPv6 Echo Reply andDestination Unreachable messages. You might want to disable thesepackets to guard against potential denial of service attacks. DisablingEcho Reply packets means you cannot use IPv6 ping to the devicemanagement interfaces for testing purposes.


System > Configuration > Management Interfaces > ICMPv6

New/modified commands:

• configure network ipv6 destination-unreachable

• configure network ipv6 echo-reply

Supported platforms: FMC (web interface only), managed devices (CLIonly)

Ability to disable ICMPv6 EchoReply andDestinationUnreachablemessages on managementinterfaces

For RADIUS authentication of FTD CLI users, you used to have topredefine the usernames in the RADIUS external authentication objectand manually make sure that the list matched usernames defined on theRADIUS server. You can now define CLI users on the RADIUS serverusing the Service-Type attribute and also define both Basic and Configuser roles. To use this method, be sure to leave the shell access filterblank in the external authentication object.

New/modified screens: System > Users > External Authenticationtab > add/edit external authentication object > Shell Access Filter


Support for the Service-Typeattribute for FTD users defined onthe RADIUS server

The object manager now allows you to see the policies, settings, andother objects where a network, port, VLAN, or URL object is used.

New/modified screens:Objects > Object Management > choose objecttype > Find Usage (binoculars) icon


View object use



DescriptionFeature

So Firepower can verify that you are using the correct update files,Version 6.4+ uses signed updates for intrusion rules (SRU), thevulnerability database (VDB), and the geolocation database (GeoDB).Earlier versions continue to use unsigned updates. Unless you manuallydownload updates from the Cisco Support & Download site—forexample, in an air-gapped deployment—you should not notice anydifference in functionality.

If, however, you do manually download and install SRU, VDB, andGeoDB updates, make sure you download the correct package for yourcurrent version. Signed update files for Version 6.4+ begin with 'Cisco'instead of 'Sourcefire,' and terminate in .sh.REL.tar instead of .sh:

• SRU: Cisco_Firepower_SRU-date-build-vrt.sh.REL.tar

• VDB: Cisco_VDB_Fingerprint_Database-4.5.0-version.sh.REL.tar

• GeoDB: Cisco_GEODB_Update-date-build.sh.REL.tar

Update files for Version 5.x through 6.3 still use the old naming scheme:

• SRU: Sourcefire_Rule_Update-date-build-vrt.sh

• VDB: Sourcefire_VDB_Fingerprint_Database-4.5.0-version.sh

• GeoDB: Sourcefire_Geodb_Update-date-build.sh

We will provide both signed and unsigned updates until theend-of-support for versions that require unsigned updates. Do not untarsigned (.tar) packages.

If you accidentally upload a signed update to an older FMCor ASA FirePOWER device, you must manually delete it.Leaving the package takes up disk space, and also may causeissues with future upgrades.

Note


Signed SRU, VDB, and GeoDBupdates (security enhancement)

You can now use the FMC to schedule remote backups of certainmanaged devices. Previously, only Firepower 7000/8000 series devicessupported scheduled backups, and you had to use the device's local GUI.

New/modified screens: System > Tools > Scheduling > add/edit task> choose Job Type: Backup > choose a Backup Type

Supported platforms: FTD physical platforms, FTDv for VMware,Firepower 7000/8000 series

Exceptions: No support for FTD clustered devices or container instances

Scheduled remote backups ofmanaged devices

Monitoring and Troubleshooting



DescriptionFeature

You can now configure time thresholds for URL FilteringMonitor alerts.

New/modified screens: System > Health > Policy > add/edit policy >URL Filtering Monitor


URL Filtering Monitorimprovements

You can now access hit counts for access control and prefilter rules onyour FTD devices.


• Policies > Access Control > Access Control > add/edit policy >Analyze Hit Counts

• Policies >Access Control > Prefilter > add/edit policy > AnalyzeHit Counts

New commands:

• show rule hits

• clear rule hits

• cluster exec show rule hits

• cluster exec clear rule hits

• show cluster rule hits

Modified commands:

• show failover now contains object static counts related to syncinghit counts between HA peers


Hit counts for access control andprefilter rules

Connection-based troubleshooting or debugging provides uniformdebugging across modules to collect appropriate logs for a specificconnection. It also supports level-based debugging up to 7 levels andenables uniform log collection mechanism for lina and Snort logs.


• clear packet debugs

• debug packet start

• debug packet stop

• show packet debugs


Connection-based troubleshooting



DescriptionFeature

Added the following Cisco Success Network monitoring capabilities:

• CSPA (Cisco Security Packet Analyzer) query information

• Contextual cross-launch instances enabled on the FMC

• TLS/SSL inspection events

• Snort restarts

Cisco Success Network sends usage information and statistics to Cisco,which are essential to provide you with technical support. You can optin or out at any time.


New Cisco Success Networkmonitoring capabilities

Firepower Management Center REST API

Added REST API objects to support Version 6.4 features:

• cloudeventsconfigs: Manage Cisco Threat Response integration.

• ftddevicecluster: Manage chassis clustering.

• hitcounts:Manage hit count statistics for access control and prefilterrules.

• keychain:Manage key chain objects used for rotating authenticationwhen configuring OSPFv2 routing.

• loggingsettings:Manage logging settings for access control policies


New REST API capabilities

Version 6.4 uses a new API Explorer, based on the OpenAPISpecification (OAS). As part of the OAS, you now use CodeGen togenerate sample code. You can still access the legacy API Explorer ifyou prefer.


API Explorer based on OAS

Performance

Before Version 6.4, during Snort restarts, the system dropped encryptedconnections that matched a 'Do not decrypt' SSL rule or default policyaction. Now, routed/transparent traffic passes without inspection insteadof dropping, as long as you did not disable large flow offload or Snortpreserve-connection.

Supported platforms: Firepower 4100/9300

Snort restart improvements



DescriptionFeature

Egress optimization is a performance feature targeted for selected IPStraffic. The feature is enabled by default on all FTD platforms.

The Version 6.4 upgrade process enables egress optimization on eligibledevices. For more information, see the Cisco Firepower Threat DefenseCommand Reference. To troubleshoot issues with egress optimization,contact Cisco TAC.



• asp inspect-dp egress optimization

• show asp inspect-dp egress optimization

• clear asp inspect-dp egress optimization

• show conn state egress_optimization

Performance improvement forselected IPS traffic

Performance improvements when sending intrusion and connectionevents to an external SNMP trap server.


Faster SNMP event logging

Improvements to appliance communications and deploy framework.


Faster deploy

Improvements to the event database.


Faster upgrade

New Features in Firepower Device Manager/FTD Version 6.4.0Released: April 24, 2019

The following table lists the new features available in FTD 6.4.0 when configured using Firepower DeviceManager.

Table 8:

DescriptionFeature

You can configure Firepower Threat Defense on Firepower 1000 seriesdevices using Firepower Device Manager.

Note that you can configure and use the Power over Ethernet (PoE) portsas regular Ethernet ports, but you cannot enable or configure anyPoE-related properties.

Firepower 1000 series deviceconfiguration.


Features and FunctionalityNew Features in Firepower Device Manager/FTD Version 6.4.0

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense.html


DescriptionFeature

You can now configure hardware bypass for the ISA 3000 on theDevice > Interfaces page. In release 6.3, you needed to configurehardware bypass using FlexConfig. If you are using FlexConfig, pleaseredo the configuring on the Interfaces page and remove the hardwarebypass commands from FlexConfig. However, the portion of theFlexConfig devoted to disabling TCP sequence number randomizationis still recommended.

Hardware bypass for the ISA 3000.

You can now issue the reboot and shutdown commands through theCLI Console in FDM. Previously, you needed to open a separate SSHsession to the device to reboot or shut down the system. You must haveAdministrator privileges to use these commands.

Ability to reboot and shut down thesystem from the FDM CLIConsole.

You can use an external RADIUS server to authenticate and authorizeusers logging into the FTD CLI. You can give external users config(administrator) or basic (read-only) access.

We added the SSH configuration to the AAA Configuration tab on theDevice > System Settings > Management Access page.

External Authentication andAuthorization using RADIUS forFTD CLI Users.

You can now create network objects that specify a range of IPv4 or IPv6addresses, and network group objects that include other network groups(that is, nested groups).

We modified the network object and network group object Add/Editdialog boxes to include these features, and modified the various securitypolicies to allow the use of these objects, contingent on whether addressspecifications of that type make sense within the context of the policy.

Support for network range objectsand nested network group objects.

You can do a full-text search on objects and rules. By searching a policyor object list that has a large number of items, you can find all itemsthat include your search string anywhere within the rule or object.

We added a search box to all policies that have rules, and to all pageson theObjects list. In addition, you can use the filter=fts~search-stringoption on GET calls for supported objects in the API to retrieve itemsbased on a full-text search.

Full-text search options for objectsand rules.

You can use the GET /api/versions (ApiVersions) method to get a listof the API versions that are supported on a device. You can use yourAPI client to communicate and configure the device using commandsand syntax valid for any of the supported versions.

Obtaining a list of supported APIversions for an FDM-managed FTDdevice.

The FTD REST API for software version 6.4 has been incremented toversion 3. You must replace v1/v2 in the API URLs with v3. The v3API includes many new resources that cover all features added insoftware version 6.4. Please re-evaluate all existing calls, as changesmight have been mode to the resource models you are using. To openthe API Explorer, where you can view the resources, change the end ofthe Firepower Device Manager URL to /#/api-explorer after loggingin.

FTD REST API version 3 (v3).



DescriptionFeature

You can now view hit counts for access control rules. The hit countsindicate how often connections matched the rule.

We updated the access control policy to include hit count information.In the FTD API, we added the HitCounts resource and theincludeHitCounts and filter=fetchZeroHitCounts options to the GETAccess Policy Rules resource.

Hit counts for access control rules.

You can now configure site-to-site VPN connections to use certificatesinstead of preshared keys to authenticate the peers. You can alsoconfigure connections where the remote peer has an unknown (dynamic)IP address. We added options to the Site-to-Site VPN wizard and theIKEv1 policy object.

Site-to-Site VPN enhancements fordynamic addressing and certificateauthentication.

You can now use RADIUS servers for authenticating, authorizing, andaccounting remote access VPN (RAVPN) users. You can also configureChange of Authentication (CoA), also known as dynamic authorization,to alter a user’s authorization after authentication when you use a CiscoISE RADIUS server.

We added attributes to the RADIUS server and server group objects,and made it possible to select a RADIUS server group within an RAVPN connection profile.

Support for RADIUS servers andChange of Authorization in remoteaccess VPN.

You can configure more than one connection profile, and create grouppolicies to use with the profiles.

We changed the Device > Remote Access VPN page to have separatepages for connection profiles and group policies, and updated the RAVPN Connection wizard to allow the selection of group policies. Someitems that were previously configured in the wizard are now configuredin the group policy.

Multiple connection profiles andgroup policies for remote accessVPN.

You can use certificates for user authentication, and configure secondaryauthentication sources so that users must authenticate twice beforeestablishing a connection. You can also configure two-factorauthentication using RSA tokens or Duo passcodes as the second factor.

We updated the RAVPNConnectionwizard to support the configurationof these additional options.

Support for certificate-based,second authentication source, andtwo-factor authentication in remoteaccess VPN.

You can now configure address pools that have more than one addressrange by selecting multiple network objects that specify subnets. Inaddition, you can configure address pools in a DHCP server and use theserver to provide addresses to RA VPN clients. If you use RADIUS forauthorization, you can alternatively configure the address pools in theRADIUS server.

We updated the RAVPNConnectionwizard to support the configurationof these additional options. You can optionally configure the addresspool in the group policy instead of the connection profile.

Support for IP address pools withmultiple address ranges, andDHCPaddress pools, for remote accessVPN.



DescriptionFeature

You can now include up to 10 redundant Active Directory (AD) serversin a single realm. You can also create multiple realms and delete realmsthat you no longer need. In addition, the limit for downloading users ina realm is increased to 50,000 from the 2,000 limit in previous releases.

We updated the Objects > Identity Sources page to support multiplerealms and servers. You can select the realm in the user criteria of accesscontrol and SSL decryption rules, to apply the rule to all users withinthe realm. You can also select the realm in identity rules and RA VPNconnection profiles.

Active Directory realmenhancements.

When you configure Cisco Identity Services Engine (ISE) as an identitysource for passive authentication, you can now configure a secondaryISE server if you have an ISE high availability setup.

We added an attribute for the secondary server to the ISE identity object.

Redundancy support for ISEservers.

You can now configure an external syslog server to receive file/malwareevents, which are generated by file policies configured on access controlrules. File events use message ID 430004, malware events are 430005.

We added the File/Malware syslog server options to theDevice > SystemSettings > Logging Settings page.

File/malware events sent to externalsyslog servers.

You can now configure the internal buffer as a destination for systemlogging. In addition, you can create event log filters to customize whichmessages are generated for the syslog server and internal buffer loggingdestinations.

We added the Event Log Filter object to theObjects page, and the abilityto use the object on the Device > System Settings > Logging Settingspage. The internal buffer options were also added to the LoggingSettings page.

Logging to the internal buffer andsupport for custom event log filters.

You can now configure the certificate that is used for HTTPS connectionsto the Firepower DeviceManager configuration interface. By uploadinga certificate your web browsers already trust, you can avoid the UntrustedAuthority message you get when using the default internal certificate.We added the Device > System Settings > Management Access >Management Web Server page.

Certificate for the FirepowerDevice Manager Web Server.

You can configure the system to send intrusion events to the CiscoThreat Response cloud-based application. You can use Cisco ThreatResponse to analyze intrusions.

We added Cisco Threat Response to the Device > System Settings >Cloud Services page.

Cisco Threat Response support.



Deprecated FeaturesThis topic lists deprecated features and platforms by Firepower version. If your upgrade path skips one ormore major versions, you must review the information for intermediate releases.

For detailed compatibility information for all supported Firepower versions, including links to end-of-saleand end-of-life announcements for deprecated platforms, see the Cisco Firepower Compatibility Guide.

End of support is planned for the Cisco Firepower User Agent software and identity source. You should switchto Cisco Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC) now. This will also allow youto take advantage of features that are not available with the user agent. To convert your license, contact Sales.

For more information, see the appropriate Cisco Firepower User Agent Configuration Guide on the CiscoFirepower Management Center Configuration Guides page.

Note

Version 6.4.0 Deprecated Features

These features were deprecated in Version 6.4.0.

Table 9: Version 6.4.0 Deprecated Features

DescriptionFeature

As part of the TLS crypto acceleration feature, we removed the followingFTD CLI commands:

• system support ssl-hw-accel enable

• system support ssl-hw-accel disable

• system support ssl-hw-status

For information on their replacements, see the new featuredocumentation.

Affected platforms: FTD

SSL hardware acceleration FTDCLI commands




Features and FunctionalityDeprecated Features


https://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html

https://www.cisco.com/c/en/us/support/security/defense-center/tsd-products-support-series-home.html


DescriptionFeature

Version 6.3.0 discontinues EMS extension support, whichwas introducedin Version 6.2.3.8/6.2.3.9. This means that the Decrypt-Resign andDecrypt-Known Key SSL policy actions no longer support the EMSextension during ClientHello negotiation, which would enable moresecure communications. The EMS extension is defined by RFC 7627.

In FMC deployments, this feature depends on the device version.Upgrading the FMC to Version 6.3.0 does not discontinue support, aslong as the device is running a supported version. However, upgradingthe device to Version 6.3.0 does discontinue support.

Support is reintroduced in Version 6.3.0.1.

Affected platforms: Any

EMS extension support fordecryption

Version 6.3.0 ends support for decrypting traffic on interfaces in passiveor inline tap mode, even though the GUI allows you to configure it. Anyinspection of encrypted traffic is necessarily limited.

Decryption on passive and inlinetap Interfaces

Version 6.3.0+ virtual deployments have not been tested on VMwarevSphere/VMware ESXi 5.5. We recommend you upgrade the hostingenvironment before you upgrade the Firepower software.

Affected platforms: FMCv, FTDv, and NGIPSv for VMware

VMware 5.5 hosting

You cannot upgrade to or freshly install Version 6.3.0+ of the Firepowersoftware (both FTD and ASA FirePOWER) on these models:

• ASA 5506-X, 5506H-X, 5506W-X

• ASA 5512-X

You can, however, manage older devices (Version 6.1.0 through 6.2.3.x)with a Version 6.3.0 FMC.

ASA 5506-X series and ASA5512-X devices with Firepowersoftware




Features and FunctionalityDeprecated Features

https://tools.ietf.org/html/rfc7627


DescriptionFeature

Version 6.2.0 ends support for nested correlation rules. A correlationrule is nested if it serves as a trigger for another correlation rule. Forexample, if you create Rule A and Rule B, which both trigger on anintrusion event, you can use 'Rule A is true' as a constraint for Rule B.In this configuration, Rule A is nested inside Rule B.

Automatic Configuration Changes

The upgrade process "flattens" certain nested correlation rules by copyingsettings from the nested rule (Rule A) to the nesting rule (Rule B), thendeleting the nested rule. The upgrade also copies the host profile/userqualifications and the snooze/inactive periods from the nested rule tothe nesting rule.

For all of these settings except inactive periods, the system can copy thesettings from the nested rule to the nesting rule only if the settings areabsent from the nesting rule. When the system copies inactive periodsfrom the nested rule to the nesting rule, it retains inactive periods fromthe nesting rule, so that the resulting rule uses settings from both rulesoriginally involved in the nesting configuration.

Avoiding Upgrade Failure

Before you upgrade, make sure that any nested correlation rules can be"flattened." Otherwise, the upgrade will fail. Note that the upgrade cannotflatten nested rules if the nested and nesting rule have specific conflicts.To avoid upgrade failure, modify your correlation rules before theupgrade:

• Remove the host profile qualification, user qualification, and snoozeperiod settings from either the nested rule or the nesting rule, sothat only one rule in the nested configuration specifies these settings.

• Remove connection trackers from any nested rules.

• Remove host profile qualifications, user qualifications, snoozeperiods, and inactive periods from nested rules that do not have tobe true; that is, remove those elements from nested rules that arelinked to other rule conditions using the OR operator, within thenesting rule.

Affected platforms: FMC

Nested correlation rules

Deprecated FlexConfig CommandsSome Firepower Threat Defense features are configured using ASA configuration commands. BeginningwithVersion 6.2 (FMC deployments) or Version 6.2.3 (FDM deployments), you can use Smart CLI or FlexConfigto manually configure various ASA features that are not otherwise supported in the web interface.


Features and FunctionalityDeprecated FlexConfig Commands

FTD upgrades can add GUI or Smart CLI support for features that you previously configured using FlexConfig.This can deprecate FlexConfig commands that you are currently using. Although your existing configurationscontinue to work and you can still deploy, you cannot assign or create FlexConfig objects using the newlydeprecated commands.

After the upgrade, examine your FlexConfig policies and objects. If any contain commands that are nowdeprecated, messages indicate the problem.We recommend you redo your configuration. After you are satisfiedwith the new configuration, you can delete the problematic FlexConfig objects or commands.

FTD with Firepower Management Center

This table lists deprecated FlexConfig objects and their associated text objects. For a full list of predefinedobjects, see the Firepower Management Center Configuration Guide.

Table 12: FTD with FMC: Deprecated FlexConfig Objects

New LocationDetailsObjectsDeprecated

Configure DNS for the datainterfaces in the FTDplatform settings policy.

Configure the Default DNSgroup, which defines theDNS servers that can be usedwhen resolvingfully-qualified domain nameson the data interfaces. Thisallowed you to usecommands in the CLI, suchas ping, using host namesrather than IP addresses.

FlexConfig Objects:

• Default_DNS_Configure

Associated Text Objects:

• defaultDNSNameServerList

• defaultDNSParameters

6.3.0+

Configure these features inthe FTD service policy,which you can find on theAdvanced tab of the accesscontrol policy assigned to thedevice.

Configure embryonicconnection limits andtimeouts to protect againstSYNFloodDenial of Service(DoS) attacks.

FlexConfig Objects:

• TCP_Embryonic_Conn_Limit

• TCP_Embryonic_Conn_Timeout

Associated Text Objects:

• tcp_conn_misc

• tcp_conn_limit

• tcp_conn_timeout

6.3.0+

This table lists CLI commands that were newly deprecated for FTD with FDM, in Version 6.2.3+. For a fulllist of deprecated commands, including those deprecated when the feature was introduced in Version 6.2.0,see the Firepower Management Center Configuration Guide.

Table 13: FTD with FMC: Deprecated CLI Commands

DetailsCommandDeprecated

Configuration blocked.pager6.2.3+


Features and FunctionalityDeprecated FlexConfig Commands



FTD with Firepower Device Manager

This table lists CLI commands that were newly deprecated for FTD with FDM, in Version 6.3.0+. For a fulllist of deprecated commands, including those deprecated when the feature was introduced in Version 6.2.3,see the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager.

Table 14: FTD with FDM: Deprecated CLI Commands

DetailsCommandDeprecated

You can no longer create extended and standard access lists. Createthese ACLs using the Smart CLI Extended Access List or StandardAccess List objects. You can then use them on FlexConfig-supportedcommands that refer to the ACL by object name, such as matchaccess-list with an extended ACL for service policy traffic classes.

access-list6.3.0+

Create Smart CLI AS Path objects and use them in a Smart CLI BGPobject to configure an autonomous system path filter.

as-path6.3.0+

Create Smart CLI Expanded Community List or Standard CommunityList objects and use them in a Smart CLI BGP object to configure acommunity list filter.

community-list6.3.0+

Configure DNS groups using Objects > DNS Groups, and assign thegroups using Device > System Settings > DNS Server.

dns-group6.3.0+

Create Smart CLI Policy List objects and use them in a Smart CLI BGPobject to configure a policy list.

policy-list6.3.0+

Create Smart CLI IPv4 Prefix List objects and use them in a Smart CLIOSPF or BGP object to configure prefix list filtering for IPv4.

prefix-list6.3.0+

Create Smart CLI RouteMap objects and use them in a Smart CLI OSPFor BGP object to configure route maps.

route-map6.3.0+

Use the Smart CLI templates for BGP.router bgp6.3.0+

FMC Menu ChangesThis table lists changed Firepower Management Center menus (relocated pages). For new and removed menuoptions, see the documentation for new and deprecated features.

Table 15: Firepower Management Center Menu Changes

Old Menu PathNew Menu PathVersion

System > Integration > Cisco CSISystem > Integration > Cloud Services6.4.0

Analysis > Advanced > WhoisAnalysis > Lookup > Whois6.3.0

Analysis > Advanced > GeolocationAnalysis > Lookup > Geolocation6.3.0

Analysis > Advanced > URLAnalysis > Lookup > URL6.3.0


Features and FunctionalityFMC Menu Changes

https://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-and-configuration-guides-list.html

Old Menu PathNew Menu PathVersion

Analysis > Advanced > Custom WorkflowsAnalysis > Custom > Custom Workflows6.3.0

Analysis > Advanced > Custom TablesAnalysis > Custom > Custom Tables6.3.0

Analysis > Hosts > VulnerabilitiesAnalysis > Vulnerabilities > Vulnerabilities6.3.0

Analysis > Hosts > Third-PartyVulnerabilities

Analysis > Vulnerabilities > Third-PartyVulnerabilities

6.3.0

FMC How-To WalkthroughsVersion 6.3.0 introduces walkthroughs (also called how-tos) on the FMC, which guide you through a varietyof basic tasks such as device setup and policy configuration. Just click How To at the bottom of the browserwindow, choose a walkthrough, and follow the step-by-step instructions.

Walkthroughs are tested on the Firefox and Chrome browsers. If you encounter issues with a different browser,we ask that you switch to Firefox or Chrome. If you continue to encounter issues, contact Cisco TAC.

Note

The following table lists some common problems and solutions. To end a walkthrough at any time, click thex in the upper right corner.

Table 16: Troubleshooting Walkthroughs

SolutionProblem

Make sure walkthroughs are enabled. From the drop-down list under yourusername, select User Preferences then click How-To Settings.

Cannot find theHow To linkto start walkthroughs.

If a walkthrough appears when you do not expect it, end the walkthrough.Walkthrough appears whenyou do not expect it.

If a walkthrough disappears:

• Move your pointer.

Sometimes the FMC stops displaying an in-progress walkthrough. Forexample, pointing to a different top-level menu can make this happen.

• Navigate to a different page and try again.

If moving your pointer does not work, the walkthrough may have quit.

Walkthrough disappears orquits suddenly.


Features and FunctionalityFMC How-To Walkthroughs

SolutionProblem

If a walkthrough is out of sync, you can:

• Attempt to continue.

For example, if you enter an invalid value in a field and the FMC displaysan error, the walkthrough can prematurely move on. You may need to goback and resolve the error to complete the task.

• End the walkthrough, navigate to a different page, and try again.

Sometimes you cannot continue. For example, if you do not click Nextafter you complete a step, you may need to end the walkthrough.

Walkthrough is out of syncwith the FMC:

• Starts on the wrongstep.

• Advances prematurely.

• Will not advance.



C H A P T E R 4Upgrade to Version 6.4.0

This chapter provides critical and release-specific information for Version 6.4.0.

You should also read Features and Functionality, on page 11 for information on any new features andfunctionality, deprecated features and platforms, menu and terminology changes, blacklisted FlexConfigcommands, and so on.

• Guidelines and Warnings for Version 6.4.0, on page 31• Previously Published Guidelines and Warnings, on page 33• General Guidelines and Warnings, on page 40• Minimum Version to Upgrade, on page 42• Time Tests and Disk Space Requirements, on page 43• Traffic Flow, Inspection, and Device Behavior, on page 45• Upgrade Instructions, on page 53• Upgrade Packages, on page 53

Guidelines and Warnings for Version 6.4.0This checklist contains important upgrade guidelines and warnings that are new for Version 6.4.0. You shouldalso review Previously Published Guidelines andWarnings, on page 33 and General Guidelines andWarnings,on page 40.

Table 17: Version 6.4.0 New Guidelines

Directly ToUpgrading FromPlatformsGuideline✓

6.4.0.3 through6.4.0.5

6.4.0Firepower 1010EtherChannels on Firepower 1010Devices Can Blackhole Egress Traffic,on page 32

6.3.0.1 through6.5.0

6.3.0 through6.4.0.x

Firepower4100/9300

Upgrade Failure: Insufficient Disk Spaceon Container Instances, on page 32

6.4.0 only6.2.3 through6.3.0.x

Firepower7000/8000 series

ASA FirePOWER

NGIPSv

Upgrade Failure: NGIPS DevicesPreviously at Version 6.2.3.12, on page32



6.4.0+6.1.0 through6.3.0.x

Firepower 2100series

Firepower4100/9300

TLS Crypto AccelerationEnabled/Cannot Disable, on page 33

6.4.0 only6.1.0.xFirepower4100/9300

Firepower 4100/9300 Requires Version6.2.0 for Upgrade, on page 33

EtherChannels on Firepower 1010 Devices Can Blackhole Egress TrafficDeployments: Firepower 1010 with FTD

Affected Versions: Version 6.4.0 to 6.4.0.5

Related Bug: CSCvq81354

We strongly recommend you do not configure EtherChannels on Firepower 1010 devices running FTDVersion6.4.0 to Version 6.4.0.5. (Note that Versions 6.4.0.1 and 6.4.0.2 are not supported on this model.)

Due to an internal traffic hashing issue, some EtherChannels on Firepower 1010 devices may blackhole someegress traffic. The hashing is based on source/destination IP address so the behavior will be consistent for agiven source/destination IP pair. That is, some traffic consistently works and some consistently fails.

We will fix this issue in an upcoming 6.4.0.x patch. It is also fixed in Version 6.5.0.

Upgrade Failure: Insufficient Disk Space on Container InstancesDeployments: Firepower 4100/9300 with FTD

Upgrading from: Version 6.3.0 through 6.4.0.x

Directly to: Version 6.3.0.1 through Version 6.5.0

Most often during major upgrades — but possible while patching — FTD devices configured with containerinstances can fail in the precheck stage with an erroneous insufficient-disk-space warning.

If this happens to you, you can try to free up more disk space. If that does not work, contact Cisco TAC.

Upgrade Failure: NGIPS Devices Previously at Version 6.2.3.12Deployments: 7000/8000 series, ASA FirePOWER, NGIPSv

Related bug: CSCvp42398


Directly to: Version 6.4.0 only

You cannot upgrade an NGIPS device to Version 6.4.0 if:

• The device previously ran Version 6.2.3.12, and then

• You uninstalled the Version 6.2.3.12 patch, or upgraded to Version 6.3.0.x.


Upgrade to Version 6.4.0EtherChannels on Firepower 1010 Devices Can Blackhole Egress Traffic

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq81354

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp42398

This also includes scenarios where you uninstalled the Version 6.2.3.12 patch and then upgraded toVersion 6.3.0.x.

If this is your current situation, contact Cisco TAC.

TLS Crypto Acceleration Enabled/Cannot DisableDeployments: Firepower 2100 series, Firepower 4100/9300 chassis

Upgrading from: Version 6.1.0 through 6.3.x

Directly to: Version 6.4.0+

SSL hardware acceleration has been renamed TLS crypto acceleration.

Depending on the device, TLS crypto accelerationmight be performed in software or in hardware. The upgradeautomatically enables acceleration on all eligible devices, even if you previously disabled the feature manually.In most cases you cannot configure this feature; it is automatically enabled and you cannot disable it.

Upgrading to Version 6.4.0: If you are using the multi-instance capability of the Firepower 4100/9300 chassis,you can use the FXOS CLI to enable TLS crypto acceleration for one container instance per module/securityengine. Acceleration is disabled for other container instances, but enabled for native instances.

Upgrading to Version 6.5.0+: If you are using the multi-instance capability of the Firepower 4100/9300chassis, you can use the FXOS CLI to enable TLS crypto acceleration for multiple container instances (up to16) on a Firepower 4100/9300 chassis. New instances have this feature enabled by default. However, theupgrade does not enable acceleration on existing instances. Instead, use the config hwCrypto enable CLIcommand.

Firepower 4100/9300 Requires Version 6.2.0 for UpgradeDeployments: Firepower 4100/9300 with FTD

Upgrading from: Version 6.1.x

Directly to: Version 6.4.0 only

Unlike other FMC-managed devices, you cannot upgrade the Firepower Threat Defense software directlyfrom Version 6.1→ 6.4 on a Firepower 4100/9300 series device. This is because FXOS 2.6.1 is incompatiblewith FTD Version 6.1, but required for Version 6.4.

We recommend Version 6.2.3 on FXOS 2.3.1 as the intermediate version—and remember to upgrade FXOSfirst. Do not use Version 6.3 as an intermediate release; see the guidelines and warnings in the FirepowerRelease Notes, Version 6.3.0.

Previously Published Guidelines and WarningsReview this checklist if your upgrade path skips major versions. You can upgrade to Version 6.4.0 fromseveral previous major versions; see Minimum Version to Upgrade, on page 42.


Upgrade to Version 6.4.0TLS Crypto Acceleration Enabled/Cannot Disable

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/relnotes/firepower-release-notes-630/upgrade.html


Table 18: Version 6.4.0 Previously Published Guidelines


6.3.0+6.2.3.xAnyTimeouts for the URL Filtering CacheCan Change, on page 35

6.3.0+6.1.0 through6.1.0.6

6.2.0 through6.2.0.6

6.2.1

6.2.2 through6.2.2.4

6.2.3 through6.2.3.4

FMC

Firepower7000/8000 series

NGIPSv

Readiness Check May Fail on FMC,7000/8000 Series, NGIPSv, on page 35

6.3.0+6.2.0 through6.2.3.x

FTD with FMCRA VPN Default Setting Change CanBlock VPN Traffic, on page 35

6.3.0+6.1.0 through6.2.3.x

AnyUpdated Security for Appliance Access,on page 36

6.3.0+6.1.0 through6.2.3.x

FMC deploymentsSecurity Intelligence EnablesApplication Identification, on page 36

6.3.0+6.1.0 through6.2.3.x

AnyUpdate VDB after Upgrade to EnableCIP Detection, on page 37

6.3.0+6.1.0 through6.2.3.x

AnyInvalid Intrusion Variable Sets CanCause Deploy Failure, on page 37

6.3.0+6.1.0 through6.2.3.x

FMCSyslogBehavior Changes for Connectionand Intrusion Events, on page 37

6.2.3 through 6.4.06.2.0 through6.2.2.x

FTD with FDMUpgradeCanUnregister FTD/FDM fromCSSM, on page 38

6.2.3 through 6.4.06.1.0 through6.2.2.x

FMCChanges to Result Limits in Reports, onpage 38

6.2.3 through 6.4.06.1.0.xFTD clustersRemove Site IDs from Version 6.1.xFTD Clusters Before Upgrade, on page39

6.2.2 through 6.4.06.2.0 onlyFTD with FDMUpgrade Failure: FDM on ASA 5500-XSeries from Version 6.2.0, on page 39

6.2.0 through 6.4.06.1.0.xFMCAccess Control Can Get Latency-BasedPerformance Settings from SRUs, onpage 39


Upgrade to Version 6.4.0Previously Published Guidelines and Warnings


6.2.0 through 6.4.06.1.0.xFTD with FMC'Snort Fail Open' Replaces 'Failsafe' onFTD , on page 40

Timeouts for the URL Filtering Cache Can ChangeDeployments: Any

Upgrading from: Version 6.2.3.x


New for Version 6.3.0, the GUI allows you configure a timeout value for the URL filtering cache. Tominimizeinstances of URLs matching on stale data, you can set URLs in the cache to expire. If you worked with CiscoTAC to specify a timeout value for the URL filtering cache, the upgrade may change that value.

After the upgrade completes:

• FMC: Choose System > Integration, click the Cisco CSI tab, and evaluate the Cached URLs Expiresetting.

• FDM: Choose System Settings > Traffic Settings > URL Filtering Preferences and evaluate theURLTime to Live setting.

Readiness Check May Fail on FMC, 7000/8000 Series, NGIPSvDeployments: FMC, 7000/8000 series devices, NGIPSv

Upgrading from: Version 6.1.0 through 6.1.0.6, Version 6.2.0 through 6.2.0.6, Version 6.2.1, Version 6.2.2through 6.2.2.4, and Version 6.2.3 through 6.2.3.4


You cannot run the readiness check on the listed models when upgrading from one of the listed Firepowerversions. This occurs because the readiness check process is incompatible with newer upgrade packages.

Table 19: Patches with Readiness Checks for Version 6.3.0+

First Patch with FixReadiness Check Not Supported

6.1.0.76.1.0 through 6.1.0.6

6.2.0.76.2.0 through 6.2.0.6

None. Upgrade to Version 6.2.3.5+.6.2.1

6.2.2.56.2.2 through 6.2.2.4

6.2.3.56.2.3 through 6.2.3.4

RA VPN Default Setting Change Can Block VPN TrafficDeployments: Firepower Threat Defense configured for remote access VPN


Upgrade to Version 6.4.0Timeouts for the URL Filtering Cache Can Change


Directly to: Version 6.3+

Version 6.3 changes the default setting for a hidden option, sysopt connection permit-vpn. Upgrading cancause your remote access VPN to stop passing traffic. If this happens, use either of these techniques:

• Create a FlexConfig object that configures the sysopt connection permit-vpn command. The new defaultfor this command is no sysopt connection permit-vpn.

This is the more secure method to allow traffic in the VPN, because external users cannot spoof IPaddresses in the remote access VPN address pool. The downside is that the VPN traffic will not beinspected, which means that intrusion and file protection, URL filtering, or other advanced features willnot be applied to the traffic.

• Create access control rules to allow connections from the remote access VPN address pool.

This method ensures that VPN traffic is inspected and advanced services can be applied to the connections.The downside is that it opens the possibility for external users to spoof IP addresses and thus gain accessto your internal network.

Updated Security for Appliance AccessDeployments: Any

Upgrading from: Version 6.1 through 6.2.3.x


To enhance security, in Version 6.3 we updated the list of supported ciphers and cryptographic algorithmsfor secure SSH access. If your SSH client fails to connect with a Firepower appliance due to a cipher error,update your client to the latest version.

Security Intelligence Enables Application IdentificationDeployments: Firepower Management Center



In Version 6.3, Security Intelligence configurations enable application detection and identification. If youdisabled discovery in your current deployment, the upgrade process may enable it again. Disabling discoveryif you don't need it (for example, in an IPS-only deployment) can improve performance.

To disable discovery you must:

• Delete all rules from your network discovery policy.

• Use only simple network-based conditions to perform access control: zone, IP address, VLAN tag, andport. Do not perform any kind of application, user, URL, or geolocation control.

• (NEW) Disable network and URL-based Security Intelligence by deleting all whitelists and blacklistsfrom your access control policy's Security Intelligence configuration, including the default Global lists.

• (NEW)Disable DNS-based Security Intelligence by deleting or disabling all rules in the associated DNSpolicy, including the default Global Whitelist for DNS and Global Blacklist for DNS rules.


Upgrade to Version 6.4.0Updated Security for Appliance Access

Update VDB after Upgrade to Enable CIP DetectionDeployments: Any

Upgrading from: Version 6.1.0 through 6.2.3.x, with VDB 299+


If you upgrade while using vulnerability database (VDB) 299 or later, an issue with the upgrade processprevents you from using CIP detection post-upgrade. This includes every VDB released from June 2018 tonow, even the latest VDB.

Although we always recommend you update the vulnerability database (VDB) to the latest version after youupgrade, it is especially important in this case.

To check if you are affected by this issue, try to configure an access control rule with a CIP-based applicationcondition. If you cannot find any CIP applications in the rule editor, manually update the VDB.

Invalid Intrusion Variable Sets Can Cause Deploy FailureDeployments: Any



For network variables in an intrusion variable set, any IP addresses you exclude must be a subset of the IPaddresses you include. This table shows you examples of valid and invalid configurations.

InvalidValid

Include: 10.1.0.0/16

Exclude: 172.16.0.0/12

Exclude: 10.0.0.0/8

Include: 10.0.0.0/8

Exclude: 10.1.0.0/16

Before Version 6.3.0, you could successfully save a network variable with this type of invalid configuration.Now, these configurations block deploy with the error: Variable set has invalid excludedvalues.

If this happens, identify and edit the incorrectly configured variable set, then redeploy. Note that you mayhave to edit network objects and groups referenced by your variable set.

Syslog Behavior Changes for Connection and Intrusion EventsDeployments: Firepower Management Center



Version 6.3.0 changes and centralizes the way the system logs connection and intrusion events via syslog.You can access these settings on the new Logging tab in the access control policy.

The upgrade does not change your existing settings for connection event logging. However, youmay suddenlystart receiving intrusion events you did not "expect" via syslog. This is because after you upgrade to Version6.3.0+, the intrusion policy sends syslog events to the destination on the new Logging tab. (Before Version


Upgrade to Version 6.4.0Update VDB after Upgrade to Enable CIP Detection

6.3.0, you could configure syslog alerting in an intrusion policy to send events to the syslog on the manageddevice itself rather than to an external host.)

Also, messages sent from NGIPS devices (7000/8000 series, ASA FirePOWER, NGIPSv) now use the ISO8601 timestamp format as specified in RFC 5425.

Upgrade Can Unregister FTD/FDM from CSSMDeployments: FTD with FDM


Directly to: Version 6.2.3 through 6.4.0

Upgrading a Firepower Threat Defense device managed by Firepower Device Manager may unregister thedevice from the Cisco Smart Software Manager. After the upgrade completes, check your license status.

Step 1 Click Device, then click View Configuration in the Smart License summary.Step 2 If the device is not registered, click Register Device.

Changes to Result Limits in ReportsDeployments: Firepower Management Center



Version 6.2.3 limits the number of results you can use or include in a report section, as follows. For table anddetail views, you can include fewer records in a PDF report than in an HTML/CSV report.

Table 20: New Result Limits in Reports

Max Records: PDF Report SectionMax Records: HTML/CSV Report SectionReport Section Type

100 (top or bottom)100 (top or bottom)Bar chart

Pie chart

100,000400,000Table view

5001,000Detail view

If, before you upgrade a Firepower Management Center, a section in a report template specifies a largernumber of results than the HTML/CSVmaximum, the upgrade process lowers the setting to the newmaximumvalue.

For report templates that generate PDF reports, if you exceed the PDF limit in any template section, theupgrade process changes the output format to HTML. To continue generating PDFs, lower the results limitto the PDF maximum. If you do this after the upgrade, set the output format back to PDF.


Upgrade to Version 6.4.0Upgrade Can Unregister FTD/FDM from CSSM

Remove Site IDs from Version 6.1.x FTD Clusters Before UpgradeDeployments: Firepower Threat Defense clusters



Firepower Threat Defense Version 6.1.x clusters do not support inter-site clustering (you can configureinter-site features using FlexConfig starting in Version 6.2.0).

If you deployed or redeployed a Version 6.1.x cluster in FXOS 2.1.1, and you entered a value for the(unsupported) site ID, remove the site ID (set to 0) on each unit in FXOS before you upgrade. Otherwise, theunits cannot rejoin the cluster after the upgrade.

If you already upgraded, remove the site ID from each unit, then reestablish the cluster. To view or changethe site ID, see the Cisco FXOS CLI Configuration Guide.

Upgrade Failure: FDM on ASA 5500-X Series from Version 6.2.0Deployments: FTD with FDM, running on a lower-memory ASA 5500-X series device

Upgrading from: Version 6.2.0


If you are upgrading from Version 6.2.0, the upgrade may fail with an error of: Uploaded file is nota valid system upgrade file. This can occur even if you are using the correct file.

If this happens, you can try the following workarounds:

• Try again.

• Use the CLI to upgrade.

• Upgrade to 6.2.0.1 first.

Access Control Can Get Latency-Based Performance Settings from SRUsDeployments: FMC

Upgrading from: 6.1.x

Directly to: 6.2.0+

New access control policies in Version 6.2.0+ by default get their latency-based performance settings fromthe latest intrusion rule update (SRU). This behavior is controlled by a new Apply Settings From option. Toconfigure this option, edit or create an access control policy, click Advanced, and edit the Latency-BasedPerformance Settings.

When you upgrade to Version 6.2.0+, the new option is set according to your current (Version 6.1.x)configuration. If your current settings are:

• Default: The new option is set to Installed Rule Update. When you deploy after the upgrade, the systemuses the latency-based performance settings from the latest SRU. It is possible that traffic handling couldchange, depending on what the latest SRU specifies.


Upgrade to Version 6.4.0Remove Site IDs from Version 6.1.x FTD Clusters Before Upgrade

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos221/cli-guide/b_CLI_ConfigGuide_FXOS_221.html

• Custom: The new option is set to Custom. The system retains its current performance settings. Thereshould be no behavior change due to this option.

We recommend you review your configurations before you upgrade. From the Version 6.1.x FMC webinterface, view your policies' Latency-Based Performance Settings as described earlier, and see whether theRevert to Defaults button is dimmed. If the button is dimmed, you are using the default settings. If it is active,you have configured custom settings.

'Snort Fail Open' Replaces 'Failsafe' on FTDDeployments: FTD with FMC



In Version 6.2, the Snort Fail Open configuration replaces the Failsafe option on FMC-managed FirepowerThreat Defense devices. While Failsafe allows you to drop traffic when Snort is busy, traffic automaticallypasses without inspection when Snort is down. Snort Fail Open allows you to drop this traffic.

When you upgrade an FTD device, its new Snort Fail Open setting depends on its old Failsafe setting, asfollows. Although the new configuration should not change traffic handling, we still recommend that youconsider whether to enable or disable Failsafe before you upgrade.

Table 21: Migrating Failsafe to Snort Fail Open

BehaviorVersion 6.2 Snort FailOpen

Version 6.1 Failsafe

New and existing connections drop when the Snortprocess is busy and pass without inspection when theSnort process is down.

Busy: Disabled

Down: Enabled

Disabled (defaultbehavior)

New and existing connections pass without inspectionwhen the Snort process is busy or down.

Busy: Enabled

Down: Enabled

Enabled

Note that Snort Fail Open requires Version 6.2 on the device. If you are managing a Version 6.1.x device, theFMC web interface displays the Failsafe option.

General Guidelines and WarningsThese important guidelines and warnings apply to every upgrade. However, this list is not comprehensive.For links to additional important information on the upgrade process, which can include planning upgradepaths, OS upgrades, readiness checks, backups, maintenance windows, and so on, see Upgrade Instructions,on page 53.

Back Up Event and Configuration Data

We strongly recommend you back up to an external location and verify transfer success. When you upgradean appliance, it purges locally stored backups. In FMC deployments, we also recommend you back up theFMC after you upgrade your deployment. This is so you have a new FMC backup file that 'knows' that itsdevices have been upgraded.


Upgrade to Version 6.4.0'Snort Fail Open' Replaces 'Failsafe' on FTD

As the first step in any backup, note the patch level and VDB version. This is important because if you needto restore the backup to a new or reimaged appliance, you must first update that new appliance to exactlythose versions. You can restore a backup only from an appliance of the same model and Firepower version,with the same VDB.

Verify NTP Synchronization

Before you upgrade, make sure Firepower appliances are synchronized with any NTP server you are usingto serve time. Being out of sync can cause upgrade failure. In FMC deployments, the Time SynchronizationStatus health module does alert if clocks are out of sync by more than 10 seconds, but you should still checkmanually.

To check time:

• FMC: Choose System > Configuration > Time.

• Devices: Use the show time CLI command.

Appliance Access

Firepower devices can stop passing traffic during the upgrade (depending on interface configurations), or ifthe upgrade fails. Before you upgrade a Firepower device, make sure traffic from your location does not haveto traverse the device itself to access the device's management interface. In Firepower Management Centerdeployments, you should also able to access the FMC management interface without traversing the device.

Signed Upgrade Packages

So that Firepower can verify that you are using the correct files, upgrade packages from (and hotfixes to)Version 6.2.1+ are signed tar archives (.tar). Upgrades from earlier versions continue to use unsigned packages.

When you manually download upgrade packages from the Cisco Support & Download site—for example,for a major upgrade or in an air-gapped deployment—make sure you download the correct package. Do notuntar signed (.tar) packages.

After you upload a signed upgrade package, the GUI can take several minutes to load as the system verifiesthe package. To speed up the display, remove signed packages after you no longer need them.

Note

Disable ASA REST API on ASA FirePOWER Devices

Before you upgrade an ASA FirePOWERmodule, make sure the ASA REST API is disabled. Otherwise, theupgrade could fail. From the ASA CLI: no rest api agent. You can reenable after the uninstall: rest-apiagent.

Sharing Data with Cisco

Some features involve sharing data with Cisco.

In Version 6.2.3+, Cisco Success Network sends usage information and statistics to Cisco, which are essentialto provide you with technical support. During upgrades, you may be asked to accept or decline participation.You can also opt in or out at any time.

In Version 6.2.3+, Web analytics tracking sends non-personally-identifiable usage data to Cisco, includingbut not limited to page interactions, browser versions, product versions, user location, and management IP


Upgrade to Version 6.4.0General Guidelines and Warnings

addresses or hostnames of your FMCs. If you are upgrading from Version 6.1 through 6.2.2.x, the upgradeenables web analytics tracking. If you do not want Cisco to collect this data, you can opt out after the upgrade.(If you are upgrading from Version 6.2.3.x or Version 6.3.0.x, the upgrade process respects your currentsetting.)

In Version 6.5.0+,Cisco Support Diagnostics (sometimes calledCisco Proactive Support) sends configurationand operational health data to Cisco, and processes that data through our automated problem detection system,allowing us to proactively notify you of issues. This feature also allows Cisco TAC to collect essentialinformation from your devices during the course of a TAC case. During upgrades, you may be asked to acceptor decline participation. You can also opt in or out at any time.

Upgrades Can Import and Auto-Enable Intrusion Rules

If a newer intrusion rule uses keywords that are not supported in your current Firepower version, that rule isnot imported when you update the intrusion rule database (SRU).

After you upgrade the Firepower software and those keywords become supported, the new intrusion rules areimported and, depending on your IPS configuration, can become auto-enabled and thus start generating eventsand affecting traffic flow.

Supported keywords depend on the Snort version included with your Firepower software:

• FMC: Choose Help > About.

• FTD with FDM: Use the show summary CLI command.

• ASA FirePOWER with ASDM: Choose ASA FirePOWER Configuration > System Information.

You can also find your Snort version on the Bundled Components section of the Cisco Firepower CompatibilityGuide.

The Snort release notes contain details on new keywords. You can read the release notes on the Snort downloadpage: https://www.snort.org/downloads.

Unresponsive Upgrades

Do not deploy changes to or from, manually reboot, or shut down an upgrading appliance. Do not restart anupgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If youencounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Minimum Version to UpgradeYou can upgrade directly to Version 6.4.0 from several previous major version sequences. You do not needto be running the latest patch of any previous version to upgrade.

Table 22: Minimum Version to Upgrade Firepower Software to Version 6.4.0

Minimum VersionPlatform

6.1.0Firepower Management Center

All managed devices in FMC deployments except Firepower4100/9300 series.


Upgrade to Version 6.4.0Minimum Version to Upgrade



https://www.snort.org/downloads

Minimum VersionPlatform

6.2.0 with FXOS 2.6.1.157+

You cannot upgrade FTD directly fromVersion6.1 to 6.4 on an FMC-managed Firepower4100/9300 series device. We recommendVersion 6.2.3 on FXOS 2.3.1 as the intermediateversion. See Firepower 4100/9300 RequiresVersion 6.2.0 for Upgrade, on page 33.

If you are upgrading a high availability orclustered deployment from Version 6.2.0.x,6.2.2.0, or 6.2.2.1 and you require a hitlessupgrade, see FTDUpgrade Behavior: Firepower4100/9300 Chassis, on page 45.

Firepower Threat Defense on Firepower 4100/9300 withFMC

6.2.0Firepower Threat Defense (all platforms) with FDM

6.2.0ASA FirePOWER with ASDM

Time Tests and Disk Space RequirementsTo upgrade a Firepower appliance, you must have enough free disk space or the upgrade fails. When you usethe Firepower Management Center to upgrade a managed device, the FMC requires additional disk space inits /Volume partition, for the device upgrade package. You must also have enough time to perform the upgrade.

We provide reports of in-house time and disk space tests for reference purposes.

About Time TestsTime values given here are based on in-house tests.

Although we report the slowest time of all upgrades tested for a particular platform/series, your upgrade willlikely take longer than the provided times for multiple reasons, provided below.

Note

Basic Test Conditions

• Deployment: Values are from tests in a Firepower Management Center deployment. This is because rawupgrade times for remotely and locally managed devices are similar, given similar conditions.

• Versions: For major upgrades, we test upgrades from all eligible previous major versions. For patches,we test upgrades from the base version and from the immediately preceding patch.

• Models: In most cases, we test on the lowest-end models in each series, and sometimes on multiplemodels in a series.

• Virtual settings: We test with the default settings for memory and resources.


Upgrade to Version 6.4.0Time Tests and Disk Space Requirements

Time Is For Upgrade Only

Values represent the time it took for the Firepower upgrade script to run on each platform. For releases afterearly 2020, we also provide our observed reboot time.

Values do not include time for:

• Transferring upgrade packages, including copying (pushing) upgrade packages from the FMC to devices.

• Readiness checks.

• VDB and SRU updates.

• Deploying configurations.

• Reboots, for releases before early 2020.

Note that in FMC deployments, insufficient bandwidth between the FMC and managed devices can extendupgrade time or even cause the upgrade to time out. Make sure you have the bandwidth to perform a largedata transfer from the FMC to its devices. For more information, see Guidelines for Downloading Data fromthe Firepower Management Center to Managed Devices (Troubleshooting TechNote).

Time Is For Single Devices

Values are per device. In a high availability or clustered configuration, devices upgrade one at a time topreserve continuity of operations, with each device operating inmaintenancemodewhile it upgrades. Upgradinga device pair or entire cluster, therefore, takes longer than upgrading a standalone device.

Note that stacked 8000 series devices upgrade simultaneously, with the stack operating in limited, mixed-versionstate until all devices complete the upgrade. This should not take significantly longer than upgrading astandalone device.

Affected Configurations and Data

We test on appliances with minimal configurations and traffic load. Upgrade time can increase with thecomplexity of your configurations, size of event databases, and whether/how those things are affected by theupgrade. For example, if you use a lot of access control rules and the upgrade needs to make a backend changeto how those rules are stored, the upgrade can take longer.

About Disk Space RequirementsSpace estimates are the largest reported for all upgrades. For releases after early 2020, they are:

• Not rounded up (under 1 MB).

• Rounded up to the next 1 MB (1 MB - 100 MB).

• Rounded up to the next 10 MB (100 MB - 1GB).

• Rounded up to the next 100 MB (greater than 1 GB).


Upgrade to Version 6.4.0About Disk Space Requirements

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212043-Guidelines-for-Downloading-Data-from-the.html

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212043-Guidelines-for-Downloading-Data-from-the.html

Version 6.4.0 Time and Disk SpaceTable 23: Version 6.4.0 Time and Disk Space

TimeSpace on FMCSpace on /Space on /VolumePlatform

41 min—26 MB13.3 GBFMC

30 min—29 MB13.6 GBFMCv: VMware 6.0

20 min950 MB8.9 GB12 MBFirepower 2100 series

6 min920 MB7.5 GB10 MBFirepower 4100 series

7 min920 MB7.7 GB10 MBFirepower 9300

24 min1.1 GB110 KB9 GBASA 5500-X series with FTD

12 min1.1 GB100 KB7.5 GBFTDv: VMware 6.0

34 min980 MB19 MB7.7 GBFirepower 7000/8000 series

66 min1.3 GB22 MB11.5 GBASA FirePOWER

16 min840 MB19 MB6.5 GBNGIPSv: VMware 6.0

Traffic Flow, Inspection, and Device BehaviorYou must identify potential interruptions in traffic flow and inspection during the upgrade. This can occur:

• When a device is rebooted.

• When you upgrade the operating system or virtual hosting environment on a device.

• When you upgrade the Firepower software on a device, or uninstall a patch.

• When you deploy configuration changes as part of the upgrade or uninstall process (Snort process restarts).

Device type, deployment type (standalone, high availability, clustered), and interface configurations (passive,IPS, firewall, and so on) determine the nature of the interruptions. We strongly recommend performing anyupgrade or uninstall in a maintenance window or at a time when any interruption will have the least impacton your deployment.

FTD Upgrade Behavior: Firepower 4100/9300 ChassisThis section describes device and traffic behavior when you upgrade a Firepower 4100/9300 chassis withFTD.


Upgrade to Version 6.4.0Version 6.4.0 Time and Disk Space

Firepower 4100/9300 Chassis: FXOS Upgrade

Upgrade FXOS on each chassis independently, even if you have inter-chassis clustering or high availabilitypairs configured. How you perform the upgrade determines how your devices handle traffic during the FXOSupgrade.

Table 24: Traffic Behavior During FXOS Upgrade

Traffic BehaviorMethodDeployment

Dropped—Standalone

UnaffectedBest Practice: Update FXOS on thestandby, switch active peers, upgrade thenew standby.

High availability

Dropped until one peer is onlineUpgrade FXOS on the active peer beforethe standby is finished upgrading.

UnaffectedBest Practice: Upgrade one chassis at atime so at least one module is alwaysonline.

Inter-chassis cluster(6.2+)

Dropped until at least one module is onlineUpgrade chassis at the same time, so allmodules are down at some point.

Passed without inspectionFail-to-wire enabled:Bypass: Standby orBypass-Force. (6.1+)

Intra-chassis cluster(Firepower 9300only)

Dropped until at least one module is onlineFail-to-wire disabled: Bypass: Disabled.(6.1+)

Dropped until at least one module is onlineNo fail-to-wire module.

Standalone FTD Device: Firepower Software Upgrade

Interface configurations determine how a standalone device handles traffic during the upgrade.

Table 25: Traffic Behavior During Firepower Software Upgrade: Standalone FTD Device

Traffic BehaviorInterface Configuration

DroppedRouted or switched includingEtherChannel, redundant, subinterfaces

Switched interfaces are also known asbridge group or transparent interfaces.

Firewall interfaces


Upgrade to Version 6.4.0FTD Upgrade Behavior: Firepower 4100/9300 Chassis


Either:

• Dropped (6.1 through 6.2.2.x)

• Passed without inspection (6.2.3+)

Inline set, fail-to-wire enabled: Bypass:Standby or Bypass-Force (6.1+)

IPS-only interfaces

DroppedInline set, fail-to-wire disabled: Bypass:Disabled (6.1+)

DroppedInline set, no fail-to-wire module

Egress packet immediately, copy notinspected

Inline set, tap mode

Uninterrupted, not inspectedPassive, ERSPAN passive

High Availability Pairs: Firepower Software Upgrade

You should not experience interruptions in traffic flow or inspection while upgrading the Firepower softwareon devices in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devicesoperate in maintenance mode while they upgrade.

The standby device upgrades first. The devices switch roles, then the new standby upgrades.When the upgradecompletes, the devices' roles remain switched. If you want to preserve the active/standby roles, manuallyswitch the roles before you upgrade. That way, the upgrade process switches them back.

Clusters: Firepower Software Upgrade

You should not experience interruptions in traffic flow or inspection while upgrading the Firepower softwareon devices in Firepower Threat Defense clusters. To ensure continuity of operations, they upgrade one at atime. Devices operate in maintenance mode while they upgrade.

The slave security module or modules upgrade first, then the master. Security modules operate in maintenancemode while they upgrade.

During the master security module upgrade, although traffic inspection and handling continues normally, thesystem stops logging events. Events for traffic processed during the logging downtime appear with out-of-synctimestamps after the upgrade is completed. However, if the logging downtime is significant, the system mayprune the oldest events before they can be logged.

Upgrading an inter-chassis cluster fromVersion 6.2.0, 6.2.0.1, or 6.2.0.2 causes a 2-3 second traffic interruptionin traffic inspection when each module is removed from the cluster. Whether traffic drops during thisinterruption or passes without further inspection depends on how the device handles traffic.

Note

High Availability and Clustering Hitless Upgrade Requirements

Performing hitless upgrades have the following additional requirements.

Flow Offload: Due to bug fixes in the flow offload feature, some combinations of FXOS and FTD do notsupport flow offload; see the Cisco Firepower Compatibility Guide. To perform a hitless upgrade in a highavailability or clustered deployment, you must make sure you are always running a compatible combination.




If your upgrade path includes upgrading FXOS to 2.2.2.91, 2.3.1.130, or later (including FXOS 2.4.1.x, 2.6.1.x,and so on) use this path:

1. Upgrade FTD to 6.2.2.2 or later.

2. Upgrade FXOS to 2.2.2.91, 2.3.1.130, or later.

3. Upgrade FTD to your final version.

For example, if you are running FXOS 2.2.2.17/FTD 6.2.2.0, and you want to upgrade to FXOS 2.6.1/FTD6.4.0, then you can:

1. Upgrade FTD to 6.2.2.5.

2. Upgrade FXOS to 2.6.1.

3. Upgrade FTD to 6.4.0.

Version 6.1.0 Upgrades: Performing a hitless upgrade of an FTD high availability pair to Version 6.1.0requires a preinstallation package. For more information, see Firepower System Release Notes Version 6.1.0Preinstallation Package.

Traffic Behavior During Deployment

You deploy configurations multiple times during the upgrade process. Snort typically restarts during the firstdeployment immediately after the upgrade. It does not restart during other deployments unless, before deploying,you modify specific policy or device configurations. For more information, see Configurations that Restartthe Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.

When you deploy, resource demands may result in a small number of packets dropping without inspection.Additionally, restarting the Snort process interrupts traffic inspection on all Firepower devices, includingthose configured for HA/scalability. Interface configurations determine whether traffic drops or passes withoutinspection during the interruption.

Table 26: Traffic Behavior During FTD Deployment




Firewall interfaces

Passed without inspection

A few packets might drop if Failsafe isdisabled and Snort is busy but not down.

Inline set, Failsafe enabled or disabled(6.0.1 - 6.1.0.x)

IPS-only interfaces

DroppedInline set, Snort Fail Open: Down:disabled (6.2+)

Passed without inspectionInline set, Snort Fail Open: Down:enabled (6.2+)






https://www.cisco.com/c/en/us/td/docs/security/firepower/610/relnotes/Firepower_System_Release_Notes_Pre_Installation_Package_Version_610.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/610/relnotes/Firepower_System_Release_Notes_Pre_Installation_Package_Version_610.html


FTD Upgrade Behavior: Other DevicesThis section describes device and traffic behavior when you upgrade Firepower Threat Defense on Firepower1000/2100 series, ASA 5500-X series, ISA 3000, and FTDv.

Standalone FTD Device: Firepower Software Upgrade


Table 27: Traffic Behavior During Firepower Software Upgrade: Standalone FTD Device




Firewall interfaces

Either:

• Dropped (6.1 through 6.2.2.x)

• Passed without inspection (6.2.3+)

Inline set, fail-to-wire enabled: Bypass:Standby or Bypass-Force (6.1+)

IPS-only interfaces

DroppedInline set, fail-to-wire disabled: Bypass:Disabled (6.1+)

DroppedInline set, no fail-to-wire module




High Availability Pairs: Firepower Software Upgrade

You should not experience interruptions in traffic flow or inspection while upgrading the Firepower softwareon devices in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devicesoperate in maintenance mode while they upgrade.

The standby device upgrades first. The devices switch roles, then the new standby upgrades.When the upgradecompletes, the devices' roles remain switched. If you want to preserve the active/standby roles, manuallyswitch the roles before you upgrade. That way, the upgrade process switches them back.



When you deploy, resource demands may result in a small number of packets dropping without inspection.Additionally, restarting the Snort process interrupts traffic inspection on all Firepower devices, including


Upgrade to Version 6.4.0FTD Upgrade Behavior: Other Devices


those configured for HA/scalability. Interface configurations determine whether traffic drops or passes withoutinspection during the interruption.

Table 28: Traffic Behavior During FTD Deployment




Firewall interfaces


A few packets might drop if Failsafe isdisabled and Snort is busy but not down.

Inline set, Failsafe enabled or disabled(6.0.1 - 6.1.0.x)

IPS-only interfaces

DroppedInline set, Snort Fail Open: Down:disabled (6.2+)

Passed without inspectionInline set, Snort Fail Open: Down:enabled (6.2+)




Firepower 7000/8000 Series Upgrade BehaviorThe following sections describe device and traffic behavior when you upgrade Firepower 7000/8000 seriesdevices.

Standalone 7000/8000 Series: Firepower Software Upgrade


Table 29: Traffic Behavior During Upgrade: Standalone 7000/8000 Series


Passed without inspection, although traffic is interrupted briefly at twopoints:

• At the beginning of the upgrade process as link goes down and up(flaps) and the network card switches into hardware bypass.

• After the upgrade finishes as link flaps and the network cardswitches out of bypass. Inspection resumes after the endpointsreconnect and reestablish link with the device interfaces.

Inline, hardware bypass enabled(Bypass Mode: Bypass)


Upgrade to Version 6.4.0Firepower 7000/8000 Series Upgrade Behavior


DroppedInline, no hardware bypassmodule,or hardware bypassdisabled (Bypass Mode:Non-Bypass)

Egress packet immediately, copy not inspectedInline, tap mode

Uninterrupted, not inspectedPassive

DroppedRouted, switched

7000/8000 Series High Availability Pairs: Firepower Software Upgrade

You should not experience interruptions in traffic flow or inspection while upgrading devices (or devicestacks) in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devicesoperate in maintenance mode while they upgrade.

Which peer upgrades first depends on your deployment:

• Routed or switched: Standby upgrades first. The devices switch roles, then the new standby upgrades.When the upgrade completes, the devices' roles remain switched. If youwant to preserve the active/standbyroles, manually switch the roles before you upgrade. That way, the upgrade process switches them back.

• Access control only: Active upgrades first.When the upgrade completes, the active and standbymaintaintheir old roles.

8000 Series Stacks: Firepower Software Upgrade

In an 8000 series stack, devices upgrade simultaneously. Until the primary device completes its upgrade andthe stack resumes operation, traffic is affected as if the stack were a standalone device. Until all devicescomplete the upgrade, the stack operates in a limited, mixed-version state.



When you deploy, resource demands may result in a small number of packets dropping without inspection.Additionally, restarting the Snort process interrupts traffic inspection on all Firepower devices, includingthose configured for HA/scalability. Interface configurations determine whether traffic drops or passes withoutinspection during the interruption.

Table 30: Traffic Behavior During Deployment: 7000/8000 Series



A few packets might drop if Failsafe is disabled and Snort is busy butnot down.

Inline, Failsafe enabled or disabled


Upgrade to Version 6.4.0Firepower 7000/8000 Series Upgrade Behavior



Egress packet immediately, copy bypasses SnortInline, tap mode


DroppedRouted, switched

ASA FirePOWER Upgrade BehaviorYour ASA service policies for redirecting traffic to the ASA FirePOWER module determine how the modulehandles traffic during the Firepower software upgrade, including when you deploy certain configurations thatrestart the Snort process.

Table 31: Traffic Behavior During ASA FirePOWER Upgrade

Traffic BehaviorTraffic Redirection Policy

Passed without inspectionFail open (sfr fail-open)

DroppedFail closed (sfr fail-close)

Egress packet immediately, copy not inspectedMonitor only (sfr {fail-close}|{fail-open}monitor-only)

Traffic Behavior During ASA FirePOWER Deployment

Traffic behavior while the Snort process restarts is the same as when you upgrade the ASA FirePOWERmodule.


When you deploy, resource demands may result in a small number of packets dropping without inspection.Additionally, restarting the Snort process interrupts traffic inspection. Your service policies determine whethertraffic drops or passes without inspection during the interruption.

NGIPSv Upgrade BehaviorThis section describes device and traffic behavior when you upgrade NGIPSv.

Firepower Software Upgrade

Interface configurations determine how NGIPSv handles traffic during the upgrade.

Table 32: Traffic Behavior During NGIPSv Upgrade


DroppedInline


Upgrade to Version 6.4.0ASA FirePOWER Upgrade Behavior



Egress packet immediately, copy not inspectedInline, tap mode




When you deploy, resource demands may result in a small number of packets dropping without inspection.Additionally, restarting the Snort process interrupts traffic inspection. Interface configurations determinewhether traffic drops or passes without inspection during the interruption.

Table 33: Traffic Behavior During NGIPSv Deployment



A few packets might drop if Failsafe is disabled andSnort is busy but not down.

Inline, Failsafe enabled or disabled

Egress packet immediately, copy bypasses SnortInline, tap mode


Upgrade InstructionsThe release notes do not contain upgrade instructions. After you read the guidelines and warnings in theserelease notes, see one of:

• Cisco Firepower Management Center Upgrade Guide: Upgrade FMC deployments, including manageddevices and companion operating systems.

• Cisco ASA Upgrade Guide: Upgrade ASA FirePOWER modules with ASDM.

• Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager: Upgrade FTDwith FDM.

Upgrade PackagesUpgrade packages are available on the Cisco Support & Download site.

• Firepower Management Center, including FMCv: https://www.cisco.com/go/firepower-software

• Firepower Threat Defense (ISA 3000): https://www.cisco.com/go/isa3000-software

• Firepower Threat Defense (all other models, including FTDv): https://www.cisco.com/go/ftd-software


Upgrade to Version 6.4.0Upgrade Instructions


https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide.html


http://www.cisco.com/go/ftd-config

https://www.cisco.com/go/firepower-software

https://www.cisco.com/go/isa3000-software

https://www.cisco.com/go/ftd-software

• Firepower 7000 series: https://www.cisco.com/go/7000series-software

• Firepower 8000 series: https://www.cisco.com/go/8000series-software

• ASA with FirePOWER Services (ASA 5500-X series): https://www.cisco.com/go/asa-firepower-sw

• ASA with FirePOWER Services (ISA 3000): https://www.cisco.com/go/isa3000-software

• NGIPSv: https://www.cisco.com/go/ngipsv-software

Upgrade packages from Version 6.2.1+ are signed tar archives (.tar). Do not untar.

Table 34: Upgrade Packages from Version 6.2.1+

PackagePlatform

Cisco_Firepower_Mgmt_Center_Upgrade-version-build.sh.REL.tarFMC/FMCv

Cisco_FTD_SSP_FP2K_Upgrade-version-build.sh.REL.tarFirepower 2100 series

Cisco_FTD_SSP_Upgrade-version-build.sh.REL.tarFirepower 4100/9300 chassis

Cisco_FTD_Upgrade-version-build.sh.REL.tarASA 5500-X series with FTD

ISA 3000 with FTD

Firepower Threat Defense Virtual

Cisco_Firepower_NGIPS_Appliance_Upgrade-version-build.sh.REL.tarFirepower 7000/8000 series

Cisco_Network_Sensor_Upgrade-version-build.sh.REL.tarASA FirePOWER

Cisco_Firepower_NGIPS_Virtual_Upgrade-version-build.sh.REL.tarNGIPSv

Table 35: Upgrade Packages from Version 6.1.x or 6.2.0.x

PackagePlatform

Cisco_Firepower_Mgmt_Center_Upgrade-version-build.shFMC/FMCv

Cisco_FTD_SSP_Upgrade-version-build.shFirepower 4100/9300 chassis

Cisco_FTD_Upgrade-version-build.shASA 5500-X series with FTD

Firepower Threat Defense Virtual

Cisco_Firepower_NGIPS_Appliance_Upgrade-version-build.shFirepower 7000/8000 series

Cisco_Network_Sensor_Upgrade-version-build.shASA FirePOWER

Cisco_Firepower_NGIPS_Virtual_Upgrade-version-build.shNGIPSv


Upgrade to Version 6.4.0Upgrade Packages

https://www.cisco.com/go/7000series-software

https://www.cisco.com/go/8000series-software

https://www.cisco.com/go/asa-firepower-sw

https://www.cisco.com/go/isa3000-software

https://www.cisco.com/go/ngipsv-software

C H A P T E R 5Freshly Install Version 6.4.0

If you are unable to upgrade a Firepower appliance, or are disinclined to follow the required upgrade path,you can freshly install major Firepower releases.

• Deciding to Freshly Install, on page 55• Guidelines and Limitations for Fresh Installs, on page 56• Unregistering Smart Licenses, on page 58• Installation Instructions, on page 60

Deciding to Freshly InstallUse this table to identify scenarios where you need to freshly install (also called reimaging). In all of thesescenarios—including switching device management between local and remote—you will lose deviceconfigurations.

Always address licensing concerns before you reimage or switch management. If you are using Cisco SmartLicensing, you must unregister from the Cisco Smart Software Manager (CSSM) to avoid accruing orphanentitlements. These can prevent you from reregistering.

Note


Table 36: Scenarios: Do You Need a Fresh Install?

LicensingSolutionScenario

Removing devices from the FMCunregisters them. Reassign licenses afteryou re-add the devices.

The upgrade path from older versions can includeintermediate versions. Especially in larger deploymentswhere you must alternate FMC and device upgrade, thismulti-step process can be time consuming.

To save time, you can reimage older devices instead ofupgrading:

1. Remove the devices from the FMC.

2. Upgrade the FMC only to its target version.

3. Reimage the devices.

If you need to reimage a 7000/8000 series devicerunning Version 5.x, see Guidelines and Limitationsfor Fresh Installs, on page 56.

4. Re-add the devices to the FMC.

Upgrade FMC-manageddevices from a much olderFirepower version.

Unregister the device before you switchmanagement. Reassign its license after youadd it to the FMC.

Use the configure managerCLI command; see CommandReference for Firepower Threat Defense.

Change FTD managementfrom FDM to FMC (local toremote).

Remove the device from the FMC tounregister it. Reregister using FDM.

Use the configure managerCLI command; see CommandReference for Firepower Threat Defense.

Exception: The device is running or was upgraded fromVersion 6.0.1. In this case, reimage.

Change FTD managementfrom FMC to FDM (remoteto local).

Contact Sales for new Classic licenses.ASA FirePOWER licenses are associatedwith a specific manager.

Start using the other management method.Change ASA FirePOWERmanagement betweenASDM and FMC.

Convert Classic to Smart licenses; see theFirepower Management CenterConfiguration Guide.

Reimage.Replace ASAFirePOWERwith FTD onthe same physical device.

Contact Sales for new Smart licenses.Reimage.Replace NGIPSv withFTDv.

Guidelines and Limitations for Fresh InstallsCareful planning and preparation can help you avoid missteps. Even if you are familiar with Firepower releasesand have previous experience reimaging Firepower appliances, make sure you read these guidelines andlimitations, as well as the instructions linked in Installation Instructions, on page 60.


Freshly Install Version 6.4.0Guidelines and Limitations for Fresh Installs

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/fdm/fptd-fdm-config-guide-622.html






Back Up Event and Configuration Data

We strongly recommend you back up to an external locationand verify transfer success. Reimaging returnsmost settings to factory defaults, including the system password (Admin123).

Note, however, if you are reimaging so that you don't have to upgrade, you cannot use a backup to importyour old configurations. You can restore a backup only from an appliance of the same model and Firepowerversion, with the same VDB.

As the first step in any backup, note the patch level and VDB version. Before you restore a backup, you mustupdate the reimaged appliance to exactly those versions.

Remove Devices from the Firepower Management Center

Always remove devices from remote management before you reimage. If you are:

• Reimaging the FMC, remove all its devices from management.

• Reimaging a single device or switching from remote to local management, remove that one device.

Address Licensing Concerns

Before you reimage any Firepower appliance, address licensing concerns. You may need to unregister fromthe Cisco Smart SoftwareManager, or you may need to contact Sales for new licenses. See Deciding to FreshlyInstall to determine what you need to do, depending on your scenario.

For more information on licensing, see:

• Cisco Firepower System Feature Licenses Guide

• Frequently Asked Questions (FAQ) about Firepower Licensing

• The licensing chapter in your Configuration Guide.

Appliance Access

Reimaging returns most settings to factory defaults.

If you do not have physical access to an appliance, the reimage process lets you keep management networksettings. This allows you to connect to the appliance after you reimage to perform the initial configuration. Ifyou delete network settings, you must have physical access to the appliance. You cannot use Lights-OutManagement (LOM).

Reimaging to an earlier major version automatically deletes network settings. In this rare case, you must havephysical access.

Note

For devices, make sure traffic from your location does not have to traverse the device itself to access thedevice's management interface. In FMC deployments, you should also able to access the FMC managementinterface without traversing the device.

Sharing Data with Cisco

Some features involve sharing data with Cisco.


Freshly Install Version 6.4.0Guidelines and Limitations for Fresh Installs

http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-licenseroadmap.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/licensing/faq/firepower-licence-FAQ.html

In 6.2.3+, Cisco Success Network sends usage information and statistics to Cisco, which are essential toprovide you with technical support. During initial setup, you may be asked to accept or decline participation.You can also opt in or out at any time.

In 6.2.3+, Web analytics tracking sends non-personally-identifiable usage data to Cisco, including but notlimited to page interactions, browser versions, product versions, user location, and management IP addressesor hostnames of your FMCs. Web analytics tracking is on by default, but you can opt out at any time afteryou complete initial setup.

In 6.5.0+, Cisco Support Diagnostics (sometimes called Cisco Proactive Support) sends configuration andoperational health data to Cisco, and processes that data through our automated problem detection system,allowing us to proactively notify you of issues. This feature also allows Cisco TAC to collect essentialinformation from your devices during the course of a TAC case. During initial setup, you may be asked toaccept or decline participation. You can also opt in or out at any time.

Reimaging Firepower 1000/2100 Series Devices to Earlier Major Versions

We recommend that you perform a complete reimage if you need to revert a Firepower 1000/ 2100 seriesdevice to an earlier major version. If you use the erase configuration method, FXOS may not revert alongwith the Firepower Threat Defense software. This can cause failures, especially in high availability deployments.

For more information, see the reimage procedures in the Cisco FXOS Troubleshooting Guide for the Firepower1000/2100 Series Running Firepower Threat Defense.

Reimaging Version 5.x Hardware to Version 6.3.0+

The renamed installation packages in Version 6.3+ cause issues with reimaging older physical appliances:FMC 750, 1500, 2000, 3500, and 4000, as well as 7000/8000 series devices and AMP models. If you arecurrently running Version 5.x and need to freshly install Version 6.4.0, rename the installation package to the"old" name after you download it; see the Renamed Upgrade and Installation Packages information in theCisco Firepower Release Notes, Version 6.3.0.

After you reimage an FMC (Defense Center) from Version 5.x to a more recent version, it cannot manage itsolder devices. You should also reimage those devices, then re-add them to the FMC. Note that Series 2 devicesare EOL and cannot run Firepower software past Version 5.4.0.x. You must replace them.

Unregistering Smart LicensesFirepower Threat Defense devices, whether locally (Firepower Device Manager) or remotely (FirepowerManagement Center) managed, use Cisco Smart Licensing. To use licensed features, you must register withCisco Smart Software Manager (CSSM). If you later decide to reimage or switch management, you mustunregister to avoid accruing orphan entitlements. These can prevent you from reregistering.

Unregistering removes the appliance from your virtual account and releases associated licenses so they canbe can be reassigned.When you unregister an appliance, it enters Enforcement mode. Its current configurationand policies continue to work as-is, but you cannot make or deploy any changes.

Manually unregister from CSSM before you:

• Reimage a Firepower Management Center that manages FTD devices.

• Reimage a Firepower Threat Defense device that is locally managed by FDM.

• Switch a Firepower Threat Defense device from FDM to FMC management.


Freshly Install Version 6.4.0Unregistering Smart Licenses

https://www.cisco.com/c/en/us/td/docs/security/firepower/2100/troubleshoot_fxos/b_2100_CLI_Troubleshoot.html



Automatically unregister from CSSM when you remove a device from the FMC so you can:

• Reimage an Firepower Threat Defense device that is managed by an FMC.

• Switch a Firepower Threat Defense device from FMC to FDM management.

Note that in these two cases, removing the device from the FMC is what automatically unregisters the device.You do not have to unregister manually as long as you remove the device from the FMC.

Classic licenses for NGIPS devices are associatedwith a specific manager (ASDM/FMC), and are not controlledusing CSSM. If you are switching management of a Classic device, or if you are migrating from an NGIPSdeployment to an FTD deployment, contact Sales.

Tip

Unregister a Firepower Management CenterUnregister a Firepower Management Center from the Cisco Smart Software Manager before you reimage theFMC. This also unregisters any managed Firepower Threat Defense devices.

If the FMC is configured for high availability, licensing changes are automatically synchronized. You do notneed to unregister the other FMC.

Step 1 Log into the Firepower Management Center.Step 2 Choose System > Licenses > Smart Licenses.

Step 3 Next to Smart License Status, click the stop sign ( ).Step 4 Read the warning and confirm that you want to unregister.

Unregister an FTD Device Using FDMUnregister locally managed Firepower Threat Defense devices from the Cisco Smart SoftwareManager beforeyou either reimage or switch to remote (FMC) management.

If the device is configured for high availability, you must log into the other unit in the high availability pairto unregister that unit.

Step 1 Log into the Firepower Device Manager.Step 2 Click Device, then click View Configuration in the Smart License summary.Step 3 Select Unregister Device from the gear drop-down list.Step 4 Read the warning and confirm that you want to unregister.


Freshly Install Version 6.4.0Unregister a Firepower Management Center

Installation InstructionsNeither the release notes nor the upgrade guide contain installation instructions. Instead, see one of thefollowing documents. Installation packages are available on the Cisco Support & Download site.

Table 37: Firepower Management Center Installation Instructions

GuideFMC Platform

Cisco Firepower Management Center 1600, 2600, and 4600 HardwareInstallation Guide: Restoring a Firepower Management Center to FactoryDefaults

FMC 1600, 2600, 4600

Cisco Firepower Management Center Getting Started Guide for Models 750,1500, 2000, 3500 and 4000: Restoring a Firepower Management Center toFactory Defaults

FMC 750, 1500, 3500

FMC 2000, 4000

Cisco Firepower Management Center Virtual Getting Started GuideFMCv

Table 38: Firepower Threat Defense Installation Instructions

GuideFTD Platform

Cisco ASA and Firepower Threat Defense Reimage Guide

Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 SeriesRunning Firepower Threat Defense

Firepower 1000/2100 series

Cisco Firepower 4100/9300 FXOSConfigurationGuides: Image Managementchapters

Cisco Firepower 4100 Getting Started Guide

Cisco Firepower 9300 Getting Started Guide

Firepower 4100/9300 chassis

Cisco ASA and Firepower Threat Defense Reimage GuideASA 5500-X series

Cisco ASA and Firepower Threat Defense Reimage GuideISA 3000

Cisco Firepower Threat Defense Virtual for VMware Getting Started GuideFTDv: VMware

Cisco Firepower Threat DefenseVirtual for KVMDeployment Getting StartedGuide

FTDv: KVM

Cisco Firepower Threat Defense Virtual Quick Start Guide for the AWSCloud

FTDv: AWS

Cisco Firepower Threat Defense Virtual for theMicrosoft Azure Cloud QuickStart Guide

FTDv: Azure


Freshly Install Version 6.4.0Installation Instructions

https://www.cisco.com/c/en/us/td/docs/security/firepower/fmc-1600-2600-4600/hw/guide/install-fmc-1600-2600-4600.html


https://www.cisco.com/c/en/us/td/docs/security/firepower/hw/getting-started/firepower-management-center/Firepower-MC-Getting-Started.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/hw/getting-started/firepower-management-center/Firepower-MC-Getting-Started.html





https://www.cisco.com/c/en/us/support/security/firepower-9000-series/products-installation-and-configuration-guides-list.html

https://www.cisco.com/go/firepower4100-quick





https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/kvm/ftdv-kvm-gsg.html


https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/aws/ftdv-aws-qsg.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/aws/ftdv-aws-qsg.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/azure/ftdv-azure-gsg.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/azure/ftdv-azure-gsg.html

Table 39: Firepower 7000/8000 Series, NGIPSv, and ASA FirePOWER Installation Instructions

GuideNGIPS Platform

Cisco Firepower 7000 Series Getting Started Guide: Restoring a Device toFactory Defaults

Firepower 7000 series

Cisco Firepower 8000 Series Getting Started Guide: Restoring a Device toFactory Defaults

Firepower 8000 series

Cisco Firepower NGIPSv Quick Start Guide for VMwareNGIPSv

Cisco ASA and Firepower Threat Defense Reimage Guide

ASDM Book 2: Cisco ASA Series Firewall ASDM Configuration Guide:Managing the ASA FirePOWER Module

ASA FirePOWER



https://www.cisco.com/c/en/us/td/docs/security/firepower/hw/getting-started/firepower-7000/FP7000-Getting-Started.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/hw/getting-started/firepower-8000/FP8000-Getting-Started.html



https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html

C H A P T E R 6Documentation

The following topics provide links to Firepower documentation:

• New and Updated Documentation, on page 63• Documentation Roadmaps, on page 65

New and Updated DocumentationThe following Firepower documentation was updated or is newly available for Version 6.4.0. For links todocumentation not updated or newly available with this release, see the Documentation Roadmaps, on page65.

Firepower Configuration Guides and Online Help

• Firepower Management Center Configuration Guide, Version 6.4 and online help

• Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.4.0 andonline help

• Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.4 and onlinehelp

• Cisco Firepower Threat Defense Command Reference

FXOS Configuration Guides and Release Notes

• Cisco Firepower 4100/9300 FXOS Firepower Chassis Manager Configuration Guide, 2.6(1)

• Cisco Firepower 4100/9300 FXOS CLI Configuration Guide, 2.6(1)

• Cisco Firepower 4100/9300 FXOS Command Reference

• Cisco Firepower 4100/9300 FXOS Release Notes, 2.6(1)

Hardening Guides

• Cisco Firepower Management Center Hardening Guide, Version 6.4 NEW

• Cisco Firepower Threat Defense Hardening Guide, Version 6.4 NEW


https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64.html


https://www.cisco.com/c/en/us/td/docs/security/firepower/640/asa-fp-services/asafps-local-mgmt-config-guide-v64.html


https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos261/web-guide/b_GUI_FXOS_ConfigGuide_261.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos261/cli-guide/b_CLI_ConfigGuide_FXOS_261.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/CLI_Reference_Guide/b_FXOS_CLI_reference.html


https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/fmc/FMC_Hardening_Guide_v64.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/ftd/FTD_Hardening_Guide_v64.html

• Cisco Firepower 4100/9300 FXOS Hardening Guide NEW

Upgrade Guides

• Cisco Firepower Management Center Upgrade Guide

• Cisco Firepower 4100/9300 Upgrade Guide

• Cisco ASA Upgrade Guide

Hardware Installation Guides

• Cisco Firepower Management Center 1600, 2600, and 4600 Hardware Installation Guide NEW

• Cisco Firepower 1010 Hardware Installation Guide NEW

• Cisco Firepower 1100 Series Hardware Installation Guide NEW

• Cisco Firepower 4115, 4125, and 4145 Hardware Installation Guide NEW

• Cisco Firepower 9300 Hardware Installation Guide

Getting Started Guides

• Cisco Firepower Management Center Getting Started Guide for Models 1600, 2600, and 4600 NEW

• Cisco Firepower Management Center Virtual Getting Started Guide

• Cisco Firepower Threat Defense Virtual for VMware Getting Started Guide

• Cisco Firepower Threat Defense Virtual for KVM Deployment Getting Started Guide

• Cisco Firepower 1010 Getting Started Guide NEW

• Cisco Firepower 1100 Series Getting Started Guide NEW



API and Integration Guides

• Firepower Management Center REST API Quick Start Guide, Version 6.4.0

• Cisco Firepower Threat Defense REST API Guide

• Cisco Firepower App for Splunk User Guide NEW

• Firepower and Cisco Threat Response Integration Guide NEW

Compatibility Guides

• Cisco Firepower Compatibility Guide

• Cisco ASA Compatibility

• Cisco Firepower 4100/9300 FXOS Compatibility


DocumentationNew and Updated Documentation

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/hardening/b_FXOS_4100_9300_Hardening.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/upgrade/b_FXOSUpgrade.html



https://www.cisco.com/c/en/us/td/docs/security/firepower/1010/hw/guide/hw-install-1010.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/1100/hw/guide/hw-install-1100.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/41x5/hw/guide/install-41x5.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/9300/hw/guide/b_install_guide_9300.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/hw/getting-started/fmc-1600-2600-4600/fmc-1600-2600-4600-gsg.html




https://cisco.com/go/fmc-fp1010-quick

https://cisco.com/go/fmc-fp1100-quick



https://www.cisco.com/c/en/us/td/docs/security/firepower/640/api/REST/Firepower_Management_Center_REST_API_Quick_Start_Guide_640.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/ftd-api/guide/ftd-rest-api.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/splunk/Cisco_Firepower_App_for_Splunk_User_Guide.html



https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/compatibility/fxos-compatibility.html

Licensing

• Cisco Firepower System Feature Licenses

• Frequently Asked Questions (FAQ) about Firepower Licensing

Troubleshooting and Configuration Examples

• Cisco Firepower Threat Defense Syslog Messages

• Deploy a Cluster for Firepower Threat Defense for Scalability and High Availability

• Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 Series Running Firepower ThreatDefense

Documentation RoadmapsDocumentation roadmaps provide links to currently available and legacy documentation:

• Navigating the Cisco Firepower Documentation

• Navigating the Cisco ASA Series Documentation

• Navigating the Cisco FXOS Documentation


DocumentationDocumentation Roadmaps

https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-licenseroadmap.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/licensing/faq/firepower-license-FAQ.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/clustering/ftd-cluster-solution.html



https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html

https://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asaroadmap.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/roadmap/fxos-roadmap.html


DocumentationDocumentation Roadmaps

C H A P T E R 7Resolved Issues

Bugs listed here were verified as resolved when this Firepower version was initially released.

For your convenience, this document provides a list of resolved bugs for this version. This list is auto-generatedonce and is not subsequently updated. Depending on how and when a particular resolved issue was categorizedor updated in our system, it may not appear in the release notes. You should regard the Cisco Bug SearchTool as the 'source of truth.'

Note

• Searching for Resolved Issues, on page 67• Resolved Issues in New Builds, on page 67• Version 6.4.0 Resolved Issues, on page 68

Searching for Resolved IssuesIf you have a support contract, you can use the Cisco Bug Search Tool to obtain an up-to-date list of resolvedbugs for Firepower products. These general queries display resolved bugs for Firepower products runningVersion 6.4.0:

• Firepower Management Center

• Firepower Management Center Virtual

• ASA with FirePOWER Services

• NGIPSv

You can constrain searches to bugs affecting specific Firepower platforms and versions. You can also searchby bug ID, or for specific keywords.

Resolved Issues in New BuildsSometimes Cisco releases updated builds. In most cases, only the latest build for each platform is availableon the Cisco Support & Download site. We strongly recommend you use the latest build. If you downloadedan earlier build, do not use it.


https://tools.cisco.com/bugsearch/



https://bst.cloudapps.cisco.com/bugsearch/search?kw=*&pf=prdNm&pfVal=286259685&rls=6.4&sb=afr&sts=fd&bt=custV


https://bst.cloudapps.cisco.com/bugsearch/search?kw=*&pf=prdNm&pfVal=279513386&rls=6.4,9.12(1)&sb=afr&sts=fd&bt=custV


You cannot upgrade from one build to another for the same Firepower version. If a new build would fix yourissue, determine if an upgrade or hotfix would work instead. If not, contact Cisco TAC. See the Cisco FirepowerHotfix Release Notes for quicklinks to publicly available Firepower hotfixes.

Use this table to determine if a new Version 6.4.0 build is available for your platform.

Table 40: Version 6.4.0 New Builds

ResolvesPlatformsPackagesReleasedNew Build

CSCvr95287: Cisco Firepower Management CenterLDAP Authentication Bypass Vulnerability

If you are running an earlier build, apply the latestVersion 6.4.0.x patch. If you cannot or do not wantto patch, apply Hotfix T or Hotfix U.

FMC/FMCvUpgrade

Reimage

2020-03-03113

Version 6.4.0 Resolved IssuesTable 41: Version 6.4.0 Resolved Issues

HeadlineBug ID

Policy deployment failure causes momentary traffic drop and established connectionfailure

CSCvc56570

SYS_FW_INTERFACE_NAME_LIST andSYS_FW_NON_INLINE_INTERFACE_NAME_LIST not recognizing subinterface

CSCvf83504

Make sure cleanup happens after calls to for File::Tempwhen used byMOJO, Syncd.pl,etc

CSCvg11366

FMC should clean database itself if same device(same SN) with different ip try to getregistered

CSCvh93045

ssl inspection policy may cause sites using ECDSA signed certificates to failCSCvi01404

FirepowerManagement Center not accepting various characters in SNMPv3 passwordCSCvi16039

Firepower Management Center misleading errors when entering SNMPv3 passwordsCSCvi16074

Sybase upgrade: After SRU Install, zombie defunct process causes policy deploymentfailure

CSCvi25965

POST or PUT rule with application tag, search, or category filter -> Unable to accessACP rules GUI

CSCvi49522

Traceback in DATAPATH on standby FTDCSCvi71622

Cisco Firepower Threat Defense SSL/TLS Policy Bypass VulnerabilityCSCvi81022

disk space check omitted when upgrade is resumedCSCvi89202

User should be alerted that firstboot failedCSCvi93680


Resolved IssuesVersion 6.4.0 Resolved Issues

https://www.cisco.com/c/en/us/td/docs/security/firepower/hotfix/Firepower_Hotfix_Release_Notes.html

https://www.cisco.com/c/en/us/td/docs/security/firepower/hotfix/Firepower_Hotfix_Release_Notes.html

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr95287

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc56570

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf83504

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg11366

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh93045

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi01404









HeadlineBug ID

FMC: ibdata1 file is growing to large in size (From 300Gb to 2.4TB+ seen)CSCvj08826

seeing high CPU when SNMP is enabledCSCvj13960

FMC does not use correct time offset in summer.CSCvj27949

Unable to add a network object 0.0.0.0/32 on FMCCSCvj50451

ASDM: Disabled Rule state of layer policy is reverted to inherit after committing thechanges

CSCvj57511

API-Explorer needs to support 4096-bit certificatesCSCvj70886

External Auth for FMC not working for RADIUS object through ISE.CSCvk20209

Traceback loop seen on fresh ASAv Azure, KVM and VMWare deploymentsCSCvk20381

ip pool is getting negated before it is dereferenced from group policyCSCvk23653

FTD VPN : Disabling S2S option "Certificate OU field to determine the tunnel" won'ttake effect

CSCvk29558

Flexconfig ethertype command is not parsed which results in deployment failureCSCvk33503

Firepower 2100 tunnel flap at data rekey with high throughput Lan-to-Lan VPN trafficCSCvk34648

Cisco Firepower Threat Defense Detection Engine Policy Bypass VulnerabilityCSCvk43854

Need better logging for deploy failure - bad character in VPN policyCSCvk45941

All health modules were marked as deleted in health module table after first boot scriptran twice

CSCvm04150

Required fields in https server certificateCSCvm05768

Policy Deployment page final 'deploy' click takes it back to 'Deploy' window.CSCvm41983

FMC - Deployment failure due to VPN split-tunnel extended ACL using manuallyentered ip range

CSCvm50153

6.4.0 - invalid IPV6 RA_VPN sessions are processed by ADI and put into user_ip_mapfiles

CSCvm54029

Action-queue task got stuck after a file copy from active to standby.CSCvm54062

After downloading custom DNS security intelligence feed, the webGUI timestamp isnot updated

CSCvm60056

tcp proxy: ASA traceback on DATAPATHCSCvm70274

FDM :- FTD does not send complete chain in SSL handshakeCSCvm72980

In KP FTD platform restapi post login is not happening giving "error-code":"backend-connect-error"

CSCvm75251



https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj08826






https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk20209








https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm04150










HeadlineBug ID

Unable to add 2 filters with same 'Traffic direction' & 'Filter on Route Type' in RIPconfiguration

CSCvm78028

bad call_home_ca file prevents smart licensing registrationCSCvm84459

FMC HA : SNMP traps not being sent from New Active FMC post the failoverCSCvm85453

ImageMagick package in Firepower software may be outdatedCSCvm90290

Unable to deploy anyconnect Group-Url in FTD if it contains user defined port numberCSCvm92210

DSA certificates are currently not supported for Active Authentication.CSCvm96642

Deploy getting stuck when trying to display errors and warningsCSCvn00312

Policy deploy fails on rna_attribute dup key for FMC HACSCvn12373

Unit traceback at Thread PIM IPv4 or IGMP IPv4 due to timer events when multicastrouting is enabled

CSCvn13880

'arp permit-nonconnected' is not supported by FlexConfigCSCvn14276

FMC does not accept curly brace (e.g. "{") in SNMP user authentication configurationCSCvn14511

Flex Object editor might introduce unexpected line breaks resulting in poliocydeployment failure

CSCvn19609

OSPFv3 interface authentication SPI must be unique for each interface of a deviceCSCvn23926

Flex configuration statements gets duplicated if Deployment mode is set to "Everytime"CSCvn31882

FMC Object Management to provide information about every ACP/Device that usesa given object

CSCvn36022

no ui check for nat overlap with standby addressCSCvn38101

Configuring protected networks for hub and spoke VPN in FMC doesn't take affecton lina CLI.

CSCvn39960

overloading of the lina msglyr infra due to the sending of VPN status messagesCSCvn46358

VMware balloon driver should be disabled for 6.xCSCvn47504

Reports generated in blank filtering on dashbordCSCvn58125

CVE Nmap Version on FMCCSCvn75713



FTD HA Interface Monitoring change does not take effect, when interface nameif iscase sensitive

CSCvn82823









https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn00312


















HeadlineBug ID

Multiple Vulnerabilities in httpdCSCvn82891

FMC Does not allow to create a secret key using special characters in object nameCSCvn85761

FMC GUI should not allow to create a certificate map with numeric name in Objects> VPN > Cert Maps

CSCvn91775

Ikev2 tunnel creation failsCSCvo04444

FMC upgrade from version 6.0.1 to 6.1.0 fails due to database being downCSCvo06383

Flexconfig document should specify the extent of effect from incorrect configCSCvo19433

28 Core instance is achieving 20% lower performance than expectedCSCvo19666

Active FTP fails through Cluster due to xlate allocation corruption upon syncCSCvo20847

Throughput drop when LINA capture is applied on various platformsCSCvo30697

Deleting a base policy does not delete the EOs of child policiesCSCvo31831

Need correction in epol_wait event handlingCSCvo35129

segfault in ctm_ipsec_pfkey_parse_msg at ctm_ipsec_pfkey.c:602CSCvo38051

6.4 FMC Dashboard is showing incorrect value as FMC latest product updatesCSCvo40478

Restoring backup fails due to incorrect TID directoryCSCvo65521

pxGrid connection broken with ISE 2.6 and ISE 2.4p6 and 2.3p6CSCvo66575

FDM policy deployment failure due to Lina Response timed out after 10000milliseconds

CSCvo74765

vFTD 6.4 fails to establish OSPF adjacency due to "ERROR: ip_multicast_ctl failedto get channel"

CSCvo80725

Network discovery not working with network groups containing literals - user or Ciscocreated.

CSCvp59960

ASA/FTD HA Data Interface Heartbeat dropped due to Reverse Path CheckCSCvp67392






https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo04444
















C H A P T E R 8Known Issues

Bugs listed here were known to exist when this Firepower version was initially released.

For your convenience, this document provides a list of known bugs for this version. However, depending onhow and when a particular known issue was categorized or updated in our system, it may not appear in therelease notes. You should regard the Cisco Bug Search Tool as the 'source of truth.'

Note

• Searching for Known Issues, on page 73• Version 6.4.0 Known Issues, on page 73

Searching for Known IssuesIf you have a support contract, you can use the Cisco Bug Search Tool to obtain an up-to-date list of openbugs for Firepower products. These general queries display open bugs for Firepower products running Version6.4.0:

• Firepower Management Center

• Firepower Management Center Virtual

• ASA with FirePOWER Services

• NGIPSv

You can constrain searches to bugs affecting specific Firepower platforms and versions. You can also searchby bug ID, or for specific keywords.

Version 6.4.0 Known IssuesTable 42: Version 6.4.0 Known Issues

HeadlineBug ID

Lina CPU is low and traffic gets lost for FTDv ESXi 12 core and FTDv KVM 12 coreplatforms

CSCvo00852




https://bst.cloudapps.cisco.com/bugsearch/search?kw=*&pf=prdNm&pfVal=286259685&rls=6.4&sb=afr&sts=open&bt=custV


https://bst.cloudapps.cisco.com/bugsearch/search?kw=*&pf=prdNm&pfVal=279513386&rls=6.4,9.12(1)&sb=afr&sts=open&bt=custV



HeadlineBug ID

App agent heart beat can miss in MI scenarioCSCvo03589

6.4 FMC Dashboard is showing incorrect value as FMC latest product updatesCSCvo40478

vFTD 6.4 fails to establish OSPF adjacency due to "ERROR: ip_multicast_ctl failedto get channel"

CSCvo80725

NAP policy/SSL policy name name unknown in syslog on 6.3 FTD managed by 6.4FMC

CSCvp06568

3504 wlc becomes unreachable when poe on port 4 is enabled along with port 3CSCvp14864

Users not showing correctly in FDM EventsCSCvp19669

Validation: Data Plane - Management Access does not handle RA-VPN port collissionCSCvp21403

first boot script S97compress-client-resources failed in FTD quietly.CSCvp23703

Unable to create RAVPN Conn-Profile if group-policy attr and FQDN are edited inthe same wizard flow

CSCvp25570

date command to change date displays an error on SM-48CSCvp27818

Fail to update login history when converting TempID to RealID. 1x log per ID, historylost

CSCvp29817

ASA SFR: seeing "Error importing SFO: Unable to load container" while trying toimport ACP with IPS

CSCvp30194

User with sessions on FMC not properly updated after user info is downloaded fromAD

CSCvp33797

Memory leak causing WLC to rebootCSCvp34148

few preprocessors won't be enabled if enable from 'My Changes' layer of Policy LayersCSCvp37229

If a custom app is added in sub domain, snort doesn't restart on registered devices atolder version

CSCvp45752

Generating troubleshooting files stopped in JapaneseCSCvp47260

Newly Added Application protocol are not able to view under HostsCSCvp47535

Access Policy doesn't reflect the modified user correctlyCSCvp48523

Unable to edit scheduled task on Task detailsCSCvp48525

Unable to add categories in intrusion ruleCSCvp48534

Unable to Create Alerts with Japanese NameCSCvp48545

VPN Troubleshooting logs setup takes abnormal time spanCSCvp48565

IPv6 DAD checkbox is enabled by defaultCSCvp48583


Known IssuesVersion 6.4.0 Known Issues

























HeadlineBug ID

WLC unresponsive to HTTP/HTTPS/SSH from certain hostsCSCvp53608

S2S VPN Wizard showing no pre-configured certificates availableCSCvp56916

FDM/FTDvirtual unable to support/deploy "ignore-ipsec-keyusage" flexconfig objectCSCvp56951

Upgrade to 6.4.0 may fail due to ids_event_msg_map table having NULL entries inthe msg field

CSCvp57096

Network discovery not working with network groups containing literals - user or Ciscocreated.

CSCvp59960

WLC Crash on emWebCSCvp67132









C H A P T E R 9For Assistance

Thank you for choosing Firepower.

• Online Resources, on page 77• Contact Cisco, on page 77

Online ResourcesCisco provides online resources to download documentation, software, and tools, to query bugs, and to openservice requests. Use these resources to install and configure Firepower software and to troubleshoot andresolve technical issues.

• Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html

• Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/

• Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html

Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.

Contact CiscoIf you cannot resolve an issue using the online resources listed above, contact Cisco TAC:

• Email Cisco TAC: [email protected]

• Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447

• Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts


https://www.cisco.com/c/en/us/support/index.html


https://www.cisco.com/cisco/support/notifications.html

mailto:[email protected]

https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html


For AssistanceContact Cisco

cisco firepower release notes, version 6.4 · table1:version6.4.0releasedates build date platforms...

Documents