Cisco Firepower Management Center 2000

FireSIGHT System Release Notes
Version 5.3.1.6
  Known Issues
In some cases, if you apply more than one access control policy across your deployment, searching
for intrusion or connection events (Analysis > Search) matching a specific access control rule may
retrieve events generated by unrelated rules in other policies. (138542/CSCze91690)
You cannot cut and paste access control rules from one policy to another. (138713/CSCze91012)
In the Security Intelligence Source/Destination metadata (rec_type:281), the eStreamer server 
identifies the source as the destination and the destination as the source. (138740/CSCze91402)
In an access control policy, the system processes certain Trust rules before the policy’s Security 
Intelligence blacklist. Trust rules placed before either the first Monitor rule or before a rule with an 
application, URL, user, or geolocation-based network condition are processed before the blacklist. 
That is, Trust rules that are near the top of an access control policy (rules with a low number) or that 
are used in a simple policy allow traffic that should have been blacklisted to pass uninspected 
instead. (138743, 139017)
If you disable Drop When Inline in your intrusion policy, inline normalization stops modifying packets
seen in traffic and the system does not indicate what traffic would be modified. In some cases, other
devices or applications on your network may not function in the same way after you re-enable
Drop When Inline. (139174/CSCze91149, 139177/CSCze91163)
Security Known Issue: Sourcefire is aware of a vulnerability inherent in the Intelligent Platform
Management Interface (IPMI) standard (CVE-2013-4786). Enabling Lights-Out Management
(LOM) on an appliance exposes this vulnerability. To mitigate the vulnerability, deploy your
appliances on a secure management network accessible only to trusted users. To prevent exposure
to the vulnerability, do not enable LOM. (139286/CSCze91556)
In rare cases, the Task Status page (System > Monitoring > Task Status) incorrectly reports that a failed
system policy apply succeeded. (139428/CSCze92142)
If you configure and save three or more intrusion policies that reference each other through their
base policies, the system does not update the Last Modified dates for all policies on the Intrusion
Policy page (Policies > Intrusion > Intrusion Policy). As a workaround, wait 5 to 10 minutes and refresh
the Intrusion Policy page. (139647/CSCze91353)
In some cases, if you create a system policy on the primary Defense Center in a high availability
configuration and then manually synchronize the secondary Defense Center, the system generates
an ERROR 500 Internal Server Error message. (139685/CSCze95818)
In some cases, if you configure and save a report with a time window that includes the transition day 
from observing Daylight Saving Time (DST) to not observing DST, the system adjusts the time 
window to begin an hour earlier than you specified. As a workaround, set the time window to begin 
one hour later. (139713/CSCze91697)
If you remove an IP address from the global whitelist via the Object Manager page of the Defense 
Center web interface, the command line interface (CLI) on your Defense Center does not reflect the 
change. (139784/CSCze91728)
If you automatically download a patch update by clicking Download Updates on the Product Updates
page (System > Updates), your Defense Center may download the incorrect patch. As a workaround,
download patch updates manually by clicking Upload Update on the Product Updates page.
(141056/CSCze92845)
If you use Internet Explorer 11 to add a report parameter to the report section title bar while creating
a new report template (Overview > Reporting > Report Templates), no report fields are added to the
template. As a workaround, install and use Internet Explorer 10. (142950/CSCze94011)
In some cases, the syslog output seen from a managed device reports SNORT ALERT as a signature ID
instead of the signature ID reported in syslog output seen from the Defense Center. (CSCur40263)
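
The Trust rule ordering issue above (138743, 139017) can be audited against a rule list. The following is an added example, not part of the release notes and not Cisco or Sourcefire code; the rule dictionary format, rule names, and sample policies are constructed, and the boundary test is a reading of the known issue's wording.

```python
# Added example: rule dictionaries are a constructed, hypothetical export
# format, not a FireSIGHT data structure.
DEEP_CONDITIONS = ("applications", "urls", "users", "geolocation")


def is_boundary_rule(rule):
    """True for a Monitor rule or a rule with an application, URL, user or
    geolocation condition (the boundary the known issue describes)."""
    if rule["action"].lower() == "monitor":
        return True
    return any(rule.get(key) for key in DEEP_CONDITIONS)


def trust_rules_ahead_of_blacklist(rules):
    """Return (rule number, name) for each Trust rule placed before the first
    boundary rule. With no boundary rule (a simple policy), every Trust rule
    is returned."""
    flagged = []
    for number, rule in enumerate(rules, start=1):
        if is_boundary_rule(rule):
            break
        if rule["action"].lower() == "trust":
            flagged.append((number, rule["name"]))
    return flagged


# Constructed sample policies, listed in rule-number order.
SAMPLE_POLICY = [
    {"name": "trust-backup", "action": "Trust", "networks": ["10.1.0.0/16"]},
    {"name": "block-telnet", "action": "Block", "ports": ["23/tcp"]},
    {"name": "trust-scanner", "action": "Trust", "networks": ["10.9.9.9"]},
    {"name": "watch-social", "action": "Monitor", "applications": ["Facebook"]},
    {"name": "trust-partner", "action": "Trust", "networks": ["192.0.2.0/24"]},
]
SIMPLE_POLICY = [
    {"name": "trust-dmz", "action": "Trust", "networks": ["198.51.100.0/24"]},
    {"name": "allow-web", "action": "Allow", "ports": ["443/tcp"]},
]

if __name__ == "__main__":
    for label, policy in (("sample", SAMPLE_POLICY), ("simple", SIMPLE_POLICY)):
        for number, name in trust_rules_ahead_of_blacklist(policy):
            print(f"{label}: rule {number} ({name}) is processed before the blacklist")
```

Each flagged rule is one whose traffic is not checked against the Security Intelligence blacklist, so its network conditions are the ones to review.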