Cisco Firepower Management Center 2000
FireSIGHT System Release Notes
Version 5.3.1.6
Known Issues
• In some cases, if you apply more than one access control policy across your deployment, searching for intrusion or connection events (Analysis > Search) matching a specific access control rule may retrieve events generated by unrelated rules in other policies. (138542/CSCze91690)
• You cannot cut and paste access control rules from one policy to another. (138713/CSCze91012)
• In the Security Intelligence Source/Destination metadata (rec_type:281), the eStreamer server identifies the source as the destination and the destination as the source. (138740/CSCze91402)
• In an access control policy, the system processes certain Trust rules before the policy’s Security Intelligence blacklist. Trust rules placed before either the first Monitor rule or before a rule with an application, URL, user, or geolocation-based network condition are processed before the blacklist. That is, Trust rules that are near the top of an access control policy (rules with a low number) or that are used in a simple policy allow traffic that should have been blacklisted to pass uninspected instead. (138743, 139017)
• If you disable Drop When Inline in your intrusion policy, inline normalization stops modifying packets seen in traffic and the system does not indicate what traffic would be modified. In some cases, other devices or applications on your network may not function in the same way after you re-enable Drop When Inline. (139174/CSCze91149, 139177/CSCze91163)
• Security Known Issue: Sourcefire is aware of a vulnerability inherent in the Intelligent Platform Management Interface (IPMI) standard (CVE-2013-4786). Enabling Lights-Out Management (LOM) on an appliance exposes this vulnerability. To mitigate the vulnerability, deploy your appliances on a secure management network accessible only to trusted users. To prevent exposure to the vulnerability, do not enable LOM. (139286/CSCze91556)
• In rare cases, the Task Status page (System > Monitoring > Task Status) incorrectly reports that a failed system policy apply succeeded. (139428/CSCze92142)
• If you configure and save three or more intrusion policies that reference each other through their base policies, the system does not update the Last Modified dates for all policies on the Intrusion Policy page (Policies > Intrusion > Intrusion Policy). As a workaround, wait 5 to 10 minutes and refresh the Intrusion Policy page. (139647/CSCze91353)
• In some cases, if you create a system policy on the primary Defense Center in a high availability configuration and then manually synchronize the secondary Defense Center, the system generates an ERROR 500 Internal Server Error message. (139685/CSCze95818)
• In some cases, if you configure and save a report with a time window that includes the transition day from observing Daylight Saving Time (DST) to not observing DST, the system adjusts the time window to begin an hour earlier than you specified. As a workaround, set the time window to begin one hour later. (139713/CSCze91697)
• If you remove an IP address from the global whitelist via the Object Manager page of the Defense Center web interface, the command line interface (CLI) on your Defense Center does not reflect the change. (139784/CSCze91728)
• If you automatically download a patch update by clicking Download Updates on the Product Updates page (System > Updates), your Defense Center may download the incorrect patch. As a workaround, download patch updates manually by clicking Upload Update on the Product Updates page. (141056/CSCze92845)
• If you use Internet Explorer 11 to add a report parameter to the report section title bar while creating a new report template (Overview > Reporting > Report Templates), no report fields are added to the template. As a workaround, install and use Internet Explorer 10. (142950/CSCze94011)
• In some cases, the syslog output seen from a managed device reports SNORT ALERT as a signature ID instead of the signature ID reported in syslog output seen from the Defense Center. (CSCur40263)
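
Added example (not part of the release notes and not Cisco or Sourcefire code): a policy audit for the known issue above in which Trust rules are processed before the Security Intelligence blacklist (138743, 139017). The rule representation (dicts with "name", "action" and "conditions"), the sample policy and the 1-based rule numbering are assumptions. The cutoff is read as the first rule that is either a Monitor rule or has an application, URL, user, or geolocation condition.

```python
# Added example: flag Trust rules that, per the known issue, are processed
# before the Security Intelligence blacklist. The dict-based rule format is a
# hypothetical export format, not a FireSIGHT data structure.

# Condition types the release note names as ending the affected region.
ADVANCED_CONDITIONS = {"application", "url", "user", "geolocation"}


def cutoff_index(rules):
    """Index of the first Monitor rule or the first rule with an application,
    URL, user, or geolocation condition; len(rules) if the policy has none
    (the "simple policy" case, where every Trust rule is affected)."""
    for i, rule in enumerate(rules):
        if rule["action"].lower() == "monitor":
            return i
        conditions = {c.lower() for c in rule.get("conditions", [])}
        if conditions & ADVANCED_CONDITIONS:
            return i
    return len(rules)


def trust_rules_before_blacklist(rules):
    """Return (rule number, name) for each Trust rule ahead of the cutoff.
    Rule numbers are 1-based (assumption)."""
    cutoff = cutoff_index(rules)
    return [
        (i + 1, rule["name"])
        for i, rule in enumerate(rules[:cutoff])
        if rule["action"].lower() == "trust"
    ]


# Constructed sample policy; names and ordering are illustrative only.
SAMPLE_POLICY = [
    {"name": "trust-backup-servers", "action": "Trust", "conditions": ["network"]},
    {"name": "block-telnet", "action": "Block", "conditions": ["port"]},
    {"name": "trust-voip", "action": "Trust", "conditions": ["network", "port"]},
    {"name": "watch-social", "action": "Monitor", "conditions": ["url"]},
    {"name": "trust-scanner", "action": "Trust", "conditions": ["network"]},
]

if __name__ == "__main__":
    for number, name in trust_rules_before_blacklist(SAMPLE_POLICY):
        print(f"rule {number} ({name}): Trust rule processed before the blacklist")
```

Rules the audit flags are the ones to review against your Security Intelligence blacklist, since traffic they match passes uninspected.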