Cisco Firepower Management Center 2000

Firepower System Release Notes
Before You Begin: Important Update and Compatibility Notes
 
Update Management Center HTTPS Certificates to Version 6.0
Use of a certificate with an RSASSA-PSS signature algorithm on a Firepower Management Center is not currently supported 
in Version 6.0. If you update a Firepower Management Center using such a certificate to Version 6.0 or add such a 
certificate in Version 6.0, the system does not allow you to log into the Management Center web interface and generates 
an "Unable to authorize access. If you continue to have difficulty accessing this device, please contact the 
system administrator" error. 
Prior to updating, generate and install an HTTPS certificate with either a sha1WithRSAEncryption or 
sha256WithRSAEncryption algorithm and restart the Firepower Management Center, or use the default Firepower 
Management Center certificate and restart the appliance.
Similarly, if the certificate used by the Firepower Management Center was generated using a public server key larger than 
2048 bits, you will not be able to log into the Management Center web interface after updating to Version 6.0. 
If you are unable to log into the Management Center web interface with a public server key with more than 2048 bits, 
replace certificates that were created with larger public keys by generating a server certificate request (CSR) and then 
applying a certificate generated using that request to the Firepower Management Center. After installing the new 
certificate, restart the appliance.
Note: 
For information on correctly generating a certificate on a Version 5.4.x appliance, see 
 in the FireSIGHT System User Guide, Version 5.4.1.
If you lose access to the web interface after updating to Version 6.0 or after uploading a certificate, contact Support.
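A pre-update check for the two certificate conditions described above, as an added example that is not Cisco tooling or part of the original release notes. It reads the signature algorithm and RSA key size directly from the certificate's DER encoding; treating every algorithm other than the two the note names as a problem is an assumption of this example, and all function names are hypothetical.

```python
import base64

PKCS1 = bytes.fromhex("2a864886f70d0101")  # DER bytes of OID arc 1.2.840.113549.1.1
SIG_NAMES = {PKCS1 + b"\x05": "sha1WithRSAEncryption",
             PKCS1 + b"\x0b": "sha256WithRSAEncryption",
             PKCS1 + b"\x0a": "RSASSA-PSS"}
SUPPORTED = {"sha1WithRSAEncryption", "sha256WithRSAEncryption"}  # per the note
RSA_KEY = PKCS1 + b"\x01"  # rsaEncryption public key type
MAX_KEY_BITS = 2048        # larger server keys block web login after the update

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split a constructed element's content into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def pem_to_der(pem):
    """Decode a single PEM certificate (text) to DER bytes."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def check_cert(der):
    """Return Version 6.0 compatibility problems for a DER X.509 certificate."""
    tbs, sig_alg = children(tlv(der)[1])[:2]
    sig_oid = children(sig_alg[1])[0][1]
    sig = SIG_NAMES.get(sig_oid, "OID " + sig_oid.hex())
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:  # skip the optional explicit [0] version field
        fields = fields[1:]
    key_alg, key_bits = children(fields[5][1])  # subjectPublicKeyInfo
    problems = []
    if sig not in SUPPORTED:
        problems.append(f"unsupported signature algorithm: {sig}")
    if children(key_alg[1])[0][1] == RSA_KEY:
        # BIT STRING: one unused-bits byte, then RSAPublicKey SEQUENCE
        modulus = children(tlv(key_bits[1], 1)[1])[0][1]
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits > MAX_KEY_BITS:
            problems.append(f"RSA key is {bits} bits, above {MAX_KEY_BITS}")
    return problems
```

For a PEM file exported from the appliance (the file name here is a placeholder), `check_cert(pem_to_der(open("fmc-server.pem").read()))` returns an empty list when neither condition applies.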
Traffic Flow and Inspection During the Update
The update process reboots managed devices and might restart the Snort process. Depending on how your devices are 
configured and deployed, the following capabilities could be affected:
- traffic inspection, including application awareness and control, user control, URL filtering, Security Intelligence, 
  intrusion detection and prevention, and connection logging
- traffic flow, including switching, routing, NAT, VPN, and related functionality
- link state
Note that when you update 8000 Series clusters or stack pairs, the system performs the update one device at a time to 
avoid traffic interruption. When you update clustered Cisco ASA with FirePOWER Services devices, apply the update one 
device at a time, allowing the update to complete before updating the second device.
The following table explains how Snort restarts affect traffic inspection. It is reasonable to anticipate that the product 
update could affect traffic similarly.
Link State
In 7000 Series and 8000 Series inline deployments with Bypass enabled, network traffic is interrupted at two points 
during the update:
- At the beginning of the update process, traffic is briefly interrupted while link goes down and up (flaps) and the 
  network card switches into hardware bypass. Traffic is not inspected during hardware bypass.
- After the update finishes, traffic is again briefly interrupted while link flaps and the network card switches out of 
  bypass. After the endpoints reconnect and reestablish link with the sensor interfaces, traffic is inspected again. 
The configurable Bypass option is not supported on NGIPSv devices, Cisco ASA with FirePOWER Services, non-bypass 
NetMods on Firepower 8000 Series devices, SFP transceivers on 71xx Family devices, or ASA Firepower modules 
running Firepower Threat Defense.