Cisco Firepower Management Center 4000 Release Notes
Version 5.3.0.5
Sourcefire 3D System Release Notes
Known Issues
• In rare cases, revising and reapplying an intrusion policy hundreds of times
causes intrusion rule updates and system updates to require over 24 hours
to complete. (138333/CSCze90747)
• If the latest version of the geolocation database (GeoDB) is installed on your
Defense Center and you attempt to update the GeoDB with the same
version, the system generates an error message. (138348/CSCze90813)
• The Sourcefire 3D System User Guide incorrectly states that, in a high
availability deployment:
If a secondary device fails, the primary
device continues to sense traffic, generate alerts, and send
traffic to all secondary devices. On failed secondary devices,
traffic is dropped. A health alert is generated indicating
loss of link.
The documentation should specify that, if the secondary device in a stack
fails, by default, inline sets with configurable bypass enabled go into bypass
mode on the primary device. For all other configurations, the system
continues to load balance traffic to the failed secondary device. In either
case, a health alert is generated to indicate loss of link.
(138432/CSCze91093)
• In some cases, if you apply more than one access control policy across your
deployment, searching for intrusion or connection events (Analysis > Search)
matching a specific access control rule may retrieve events generated by
unrelated rules in other policies. (138542/CSCze91690)
• In some cases, rebooting a Series 3 managed device after a failed system
update causes a hardware issue. If a system update fails, contact Support
and do not reboot the appliance. (138684/CSCze90977)
• You cannot cut and paste access control rules from one policy to another.
(138713/CSCze91012)
• In the Security Intelligence Source/Destination metadata (rec_type:281),
the eStreamer server identifies the source as the destination and the
destination as the source. (138740/CSCze91402)
• In an access control policy, the system processes certain Trust rules before
the policy’s Security Intelligence blacklist. Trust rules placed before either
the first Monitor rule or before a rule with an application, URL, user, or
geolocation-based network condition are processed before the blacklist.
That is, Trust rules that are near the top of an access control policy (rules
with a low number) or that are used in a simple policy allow traffic that
should have been blacklisted to pass uninspected instead. (138743, 139017)
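The rule-order condition in the last item can be checked mechanically. The following is an added example, not code from Cisco or Sourcefire: the rule dictionaries are a constructed, hypothetical representation of a policy (not a Defense Center export format), and the script assumes the note means that Trust rules above the first Monitor rule or first rule with an application, URL, user, or geolocation condition are affected, and that all Trust rules are affected when a policy has no such rule.

```python
# Added example: audit rule order for the Trust-before-blacklist known issue.
# The rule dictionaries are a constructed, hypothetical representation of an
# access control policy; they are not a Defense Center export format.

# Condition types the release note names as ending the affected region.
BOUNDARY_CONDITIONS = {"application", "url", "user", "geolocation"}


def is_boundary(rule):
    """True for a Monitor rule or a rule with a condition named in the note."""
    if rule["action"].lower() == "monitor":
        return True
    return bool(BOUNDARY_CONDITIONS & {c.lower() for c in rule.get("conditions", [])})


def trust_rules_before_blacklist(rules):
    """Return Trust rules evaluated ahead of the Security Intelligence blacklist.

    `rules` is ordered as in the policy (rule 1 first). Assumed reading of the
    note: Trust rules above the first boundary rule are affected; in a policy
    with no boundary rule (a "simple policy") every Trust rule is affected.
    """
    affected = []
    for number, rule in enumerate(rules, start=1):
        if is_boundary(rule):
            break
        if rule["action"].lower() == "trust":
            affected.append((number, rule["name"]))
    return affected


# Constructed sample policies.
SAMPLE_POLICY = [
    {"name": "trust-backup-net", "action": "Trust", "conditions": ["network"]},
    {"name": "block-telnet", "action": "Block", "conditions": ["port"]},
    {"name": "trust-scanner", "action": "Trust", "conditions": ["network", "port"]},
    {"name": "monitor-dmz", "action": "Monitor", "conditions": ["zone"]},
    {"name": "trust-partner", "action": "Trust", "conditions": ["network"]},
]
SIMPLE_POLICY = [
    {"name": "trust-all-internal", "action": "Trust", "conditions": ["network"]},
    {"name": "allow-web", "action": "Allow", "conditions": ["port"]},
]

if __name__ == "__main__":
    for label, policy in (("sample", SAMPLE_POLICY), ("simple", SIMPLE_POLICY)):
        for number, name in trust_rules_before_blacklist(policy):
            print(f"{label}: rule {number} ({name}) is processed before the blacklist")
```

Any rule it returns allows traffic that the blacklist would otherwise have stopped, so those are the rules to review.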