Cisco Cisco Firepower Management Center 2000
Firepower System Release Notes
Known Issues
42
In some cases, if user IP and group mappings are being streamed to a managed device while the mappings
are being updated on the Firepower Management Center, the network map on the managed device may not
update correctly and may not match the network map on the Firepower Management Center. If your Firepower
Management Center and managed devices appear to have different network maps, contact Support.
(CSCux12245)
are being updated on the Firepower Management Center, the network map on the managed device may not
update correctly and may not match the network map on the Firepower Management Center. If your Firepower
Management Center and managed devices appear to have different network maps, contact Support.
(CSCux12245)
In some cases, the system incorrectly identifies Internet Control Message Protocol (ICMP) echo requests as
SSL Client application protocol requests and blocks the ICMP echo request. As a workaround, create an
access control rule set to Allow or Trust ICMP echo requests and order it before an access control rule set to
Block incoming traffic, then deploy. (CSCuz06203)
SSL Client application protocol requests and blocks the ICMP echo request. As a workaround, create an
access control rule set to Allow or Trust ICMP echo requests and order it before an access control rule set to
Block incoming traffic, then deploy. (CSCuz06203)
In some cases, if you configure a registered Firepower Threat Defense device's interface to passive mode and
deploy an SSL policy set to Decrypt Known - Key, and you download a file at least 100kb, the system may
generate an
deploy an SSL policy set to Decrypt Known - Key, and you download a file at least 100kb, the system may
generate an
Out of memory
error. (CSCuz54616)
The Firepower Management Center web interface incorrectly offers Sourcefire support. Sourcefire support
has been discontinued. (CSCva29671)
has been discontinued. (CSCva29671)
In some cases, if fragmented UDP packets with different VLAN tags go through the same inline set on a
7000 Series or 8000 Series device, the fragmented packets experience a 10 second delay and the system
may drop traffic. (CSCva03312)
7000 Series or 8000 Series device, the fragmented packets experience a 10 second delay and the system
may drop traffic. (CSCva03312)
Manually typing in a page number in the pagination field on the Intrusion Rules page (Policies > Access
control > Intrusion > Rules) other than the page being viewed does not redirect you to the page you typed
in. (CSCva35026)
control > Intrusion > Rules) other than the page being viewed does not redirect you to the page you typed
in. (CSCva35026)
In some cases, if you deploy an access control policy with logging to an SNMP server enabled to a Firepower
Threat Defense virtual device running AWS, SNMP traps are not generated for connection or intrusion events
when they should. (CSCva46557)
Threat Defense virtual device running AWS, SNMP traps are not generated for connection or intrusion events
when they should. (CSCva46557)
In some cases, if you deploy a NAT policy to an Amazon Web Services (AWS) Firepower Threat Defense Virtual
device and then disable the deployed NAT policy, the system does not disable the policy and generates a
device and then disable the deployed NAT policy, the system does not disable the policy and generates a
Named entry cannot be cast as <object name> Objectentry
error message. (CSCva45597)
You cannot edit the default system policy on the Device page (Configuration > ASA FirePOWER
Configuration > Device Management > Device) of an ASA 5500-X series device managed by ASDM. As a
workaround, edit the local System Policy page (Configuration > ASA FirePOWER Configuration > Local >
System Policy) and redeploy. (CSCva4580)
Configuration > Device Management > Device) of an ASA 5500-X series device managed by ASDM. As a
workaround, edit the local System Policy page (Configuration > ASA FirePOWER Configuration > Local >
System Policy) and redeploy. (CSCva4580)
In some cases, if you configure a DHCP interface with a pool of IP addresses in the DHCP tab on the Device
Management page (Devices > Device Management) of a registered Firepower Threat Defense and deploy,
then delete the DHCP configuration from the DHCP tab and add a new interface set to any interface type
except None in the Interfaces tab, redeploying configuration fails. As a workaround, save and deploy after
removing the DHCP configuration, then add a new interface and redeploy. (CSCva47372)
Management page (Devices > Device Management) of a registered Firepower Threat Defense and deploy,
then delete the DHCP configuration from the DHCP tab and add a new interface set to any interface type
except None in the Interfaces tab, redeploying configuration fails. As a workaround, save and deploy after
removing the DHCP configuration, then add a new interface and redeploy. (CSCva47372)
In some cases, if you add a managed device to a third level domain and deploy an access control policy, the
Domains page (System > Domains) displays None for the access control policy even though the device was
successfully added. As a workaround, navigate to the Policies page and then navigate back to the Device
Management page (Devices > Device Management). (CSCva47744)
Domains page (System > Domains) displays None for the access control policy even though the device was
successfully added. As a workaround, navigate to the Policies page and then navigate back to the Device
Management page (Devices > Device Management). (CSCva47744)
If you add a scheduling task from the Scheduling page (Configuration > Tools > Scheduling) of a ASA
FirePOWER module managed by ASDM and expand the Job Type drop-down menu more than once, the
drop-down menu is dimmed and you cannot select a job type for the scheduled task. (CSCva49386)
FirePOWER module managed by ASDM and expand the Job Type drop-down menu more than once, the
drop-down menu is dimmed and you cannot select a job type for the scheduled task. (CSCva49386)
If you deploy a pair of network object groups to a Firepower Threat Defense high availability pair and the
network object group IP addresses on either the primary and secondary device overlaps with the IP addresses
on the other device within the pair, deployment fails and the system generates a
network object group IP addresses on either the primary and secondary device overlaps with the IP addresses
on the other device within the pair, deployment fails and the system generates a
Deployment failed due to
configuration
error message in the Message Center. (CSCva51022)