Cisco Cisco Firepower Management Center 2000
3
Firepower System Release Notes
Known Issues
Resolved an issue where, if you deployed access control rules to a managed device configured with a security zone, the system incorrectly
deployed the access control rules out of order and incoming traffic triggered rules that would not have triggered in the desired configuration.
(CSCuy99274)
deployed the access control rules out of order and incoming traffic triggered rules that would not have triggered in the desired configuration.
(CSCuy99274)
Resolved an issue where, if fragmented UDP packets with different VLAN tags traveled through the same inline set on a Firepower 7000 Series
or Firepower 8000 Series device, the fragmented packets experienced a 10 second delay and the system dropped traffic. (CSCva03312)
or Firepower 8000 Series device, the fragmented packets experienced a 10 second delay and the system dropped traffic. (CSCva03312)
Resolved an issue where, if you updated an 5500-X series device while being registered to a Firepower Management Center, all Malware Cloud
Lookup requests timed out. (CSCva00693)
Lookup requests timed out. (CSCva00693)
Resolved an issue where, in some cases, Firepower 7000 Series or Firepower 8000 Series devices configured with static routes experienced
issues and used 100% of the CPU. (CSCva15195)
issues and used 100% of the CPU. (CSCva15195)
Improved the Devices page load time. (CSCva23498)
Improved memory usage on stacked 7000 and 8000 Series devices. (CSCva39997, CSCva54894)
Improved SSL inspection processes. (CSCva42950)
Known Issues
If you have a Cisco account, you can view known issues reported in this release using the Cisco Bug Search Tool:
https://tools.cisco.com/bugsearch/
.
The following defects are reported in Version 6.1.0:
Prefiltering is supported on Firepower Threat Defense devices only. Prefilter policies deployed to Classic devices (the 7000 and 8000 Series,
NGIPSv, and ASA FirePOWER) have no effect. Deploying a prefilter policy to a classic device generates an extraneous error indicating that
only devices running Firepower Threat Defense Version 6.1 support prefilter policies. You can safely ignore the message that appears when
you deploy to Classic devices.
NGIPSv, and ASA FirePOWER) have no effect. Deploying a prefilter policy to a classic device generates an extraneous error indicating that
only devices running Firepower Threat Defense Version 6.1 support prefilter policies. You can safely ignore the message that appears when
you deploy to Classic devices.
You cannot generate troubleshooting for the secondary Firepower Management Center in a high availability configuration from the primary
Firepower Management Center. As a workaround, generate troubleshooting from the secondary Firepower Management Center.
(CSCux46182)
Firepower Management Center. As a workaround, generate troubleshooting from the secondary Firepower Management Center.
(CSCux46182)
In some cases, if you update to Version 6.0 or later and deploy policies, the system generates cannot run validator error messages within /var
logs. If you experience multiple error messages in /var logs, redeploy configuration. (CSCuy22361)
logs. If you experience multiple error messages in /var logs, redeploy configuration. (CSCuy22361)
If a Firepower Management Center generates a health alert for a registered ASA FirePOWER module, the generated alert does not include
information about the available interfaces when it should. (CSCuy25731)
information about the available interfaces when it should. (CSCuy25731)
If you update a Firepower Management Center from Version 5.4.x to Version 6.0 or later and create a new subdomain and deploy a network
discovery policy, you cannot delete any objects or object groups referenced by the network discovery policy in the global domain. As a
workaround, before adding any subdomains, remove rules from the global network discovery policy. (CSCuy51566)
discovery policy, you cannot delete any objects or object groups referenced by the network discovery policy in the global domain. As a
workaround, before adding any subdomains, remove rules from the global network discovery policy. (CSCuy51566)
In some cases, if you deploy an access control policy configured to Log at Beginning of Connection and Log at End of Connection
containing the default Balanced Security and Connectivity network access policy, an access control rule set to Allow, and a file policy set to
Block Malware or Block with Reset, then you attempt to download a malicious file from FTP traffic more than once, the system successfully
downloads the malicious file after the first attempt to download when it should not. (CSCuy91156)
containing the default Balanced Security and Connectivity network access policy, an access control rule set to Allow, and a file policy set to
Block Malware or Block with Reset, then you attempt to download a malicious file from FTP traffic more than once, the system successfully
downloads the malicious file after the first attempt to download when it should not. (CSCuy91156)
The REST API explorer does not prompt you to terminate the existing session before starting a new session when it should. (CSCuy98740)
If you use Firefox to view multiple Firepower Management Center user interfaces with self-signed certificates, the Firepower Management
Center login screen may take more than several minutes to load. If you experience an extended load time for the login screen, enter
about:support in a Firefox web browser search bar and click the Refresh Firefox option, then view the Firepower Management Center
interface with self-signed certificates in the same Firefox browser. For more information, see
Center login screen may take more than several minutes to load. If you experience an extended load time for the login screen, enter
about:support in a Firefox web browser search bar and click the Refresh Firefox option, then view the Firepower Management Center
interface with self-signed certificates in the same Firefox browser. For more information, see