Cisco Firepower Release Notes, Version 6.4.0.1, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.7, and 6.4.0.8

First Published: 2019-05-15

Last Modified: 2020-02-25

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883



THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2019–2020 Cisco Systems, Inc. All rights reserved.


CONTENTS

CHAPTER 1 Welcome to Version 6.4.0.x 1

    About the Release Notes 1

    Release Dates 1

CHAPTER 2 Compatibility 3

    Firepower Management Centers 3

    Firepower Devices 4

    Manager-Device Compatibility 6

    Web Browser Compatibility 7

    Screen Resolution Requirements 8

    Additional Compatibility Resources 9

CHAPTER 3 Features and Functionality 11

    New Features 11

    Deprecated Features 12

    FMC How-To Walkthroughs 13

CHAPTER 4 Upgrade to Version 6.4.0.x 15

    Guidelines and Warnings for Version 6.4.0.x 15

        Upgrade Failure: Insufficient Disk Space on Container Instances 15

        EtherChannels on Firepower 1010 Devices Can Blackhole Egress Traffic 16

        Versions 6.4.0.1 and 6.4.0.2 Not Supported on Firepower 1000 Series 16

    General Guidelines and Warnings 16

    Minimum Version to Upgrade 18

    Time Tests and Disk Space Requirements 19

        About Time Tests 19


        About Disk Space Requirements 20

        Version 6.4.0.8 Time and Disk Space 20

        Version 6.4.0.7 Time and Disk Space 21

        Version 6.4.0.6 Time and Disk Space 21

        Version 6.4.0.5 Time and Disk Space 21

        Version 6.4.0.4 Time and Disk Space 22

        Version 6.4.0.3 Time and Disk Space 22

        Version 6.4.0.2 Time and Disk Space 23

        Version 6.4.0.1 Time and Disk Space 24

    Traffic Flow, Inspection, and Device Behavior 24

        FTD Upgrade Behavior: Firepower 4100/9300 Chassis 24

        FTD Upgrade Behavior: Other Devices 28

        Firepower 7000/8000 Series Upgrade Behavior 29

        ASA FirePOWER Upgrade Behavior 31

        NGIPSv Upgrade Behavior 31

    Upgrade Instructions 32

    Upgrade Packages 32

CHAPTER 5 Uninstall a Version 6.4.0.x Patch 35

    Guidelines and Limitations for Uninstalling 35

    Uninstall Order for HA/Scalability Deployments 38

    Uninstall Instructions 40

        Uninstall from a Standalone FMC 40

        Uninstall from High Availability FMCs 41

        Uninstall from Any Device (FMC Managed) 42

        Uninstall from ASA FirePOWER (ASDM Managed) 43

    Uninstall Packages 45

CHAPTER 6 Freshly Install Version 6.4.0 47

    Deciding to Freshly Install 47

    Guidelines and Limitations for Fresh Installs 48

    Unregistering Smart Licenses 50

        Unregister a Firepower Management Center 51

        Unregister an FTD Device Using FDM 51


    Installation Instructions 52

CHAPTER 7 Documentation 55

    Updated Documentation for Version 6.4.0.x 55

    Documentation Roadmaps 55

CHAPTER 8 Resolved Issues 57

    Searching for Resolved Issues 57

    Resolved Issues in New Builds 58

        Version 6.4.0.8 Resolved Issues 58

        Version 6.4.0.7 Resolved Issues 61

        Version 6.4.0.6 Resolved Issues 61

        Version 6.4.0.5 Resolved Issues 63

        Version 6.4.0.4 Resolved Issues 64

        Version 6.4.0.3 Resolved Issues 68

        Version 6.4.0.2 Resolved Issues 69

        Version 6.4.0.1 Resolved Issues 71

CHAPTER 9 Known Issues 73

    Searching for Known Issues 73

CHAPTER 10 For Assistance 75

    Online Resources 75

    Contact Cisco 75


CHAPTER 1 Welcome to Version 6.4.0.x

Thank you for choosing Firepower.

• About the Release Notes, on page 1

• Release Dates, on page 1

About the Release Notes

The release notes provide critical and release-specific information for Version 6.4.0.x, including upgrade warnings and behavior changes. Read this document even if you are familiar with Firepower releases and have previous experience upgrading Firepower deployments.

Upgrading or freshly installing (reimaging) a Firepower deployment can be a complex process. Rather than provide instructions here, the release notes point you to the appropriate resources. For links to upgrade and installation instructions, see:

• Upgrade Instructions, on page 32

• Installation Instructions, on page 52

Release Dates

For a list of all platforms available with Version 6.4.0.x, see Compatibility, on page 3.

Sometimes Cisco releases updated builds. In most cases, only the latest build for each platform is available on the Cisco Support & Download site. We strongly recommend you use the latest build. If you downloaded an earlier build, do not use it. For more information, see Resolved Issues in New Builds, on page 58.

Table 1: Version 6.4.0.x Release Dates

Version | Build | Date | Platforms
6.4.0.8 | 28 | 2020-01-29 | All
6.4.0.7 | 53 | 2019-12-19 | All
6.4.0.6 | 28 | 2019-10-16 | Not available. See Deprecated Features, on page 12.
6.4.0.5 | 23 | 2019-09-18 | All
6.4.0.4 | 34 | 2019-08-21 | All
6.4.0.3 | 29 | 2019-07-17 | All
6.4.0.2 | 35 | 2019-07-03 | FMC/FMCv; FTD/FTDv, except Firepower 1000 series
6.4.0.2 | 34 | 2019-06-27 | —
6.4.0.2 |    | 2019-06-26 | Firepower 7000/8000 series; ASA FirePOWER; NGIPSv
6.4.0.1 | 17 | 2019-06-27 | FMC 1600, 2600, 4600
6.4.0.1 |    | 2019-06-20 | Firepower 4115, 4125, 4145; Firepower 9300 with SM-40, SM-48, and SM-56 modules
6.4.0.1 |    | 2019-05-15 | FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500; FMCv; Firepower 2110, 2120, 2130, 2140; Firepower 4110, 4120, 4140, 4150; Firepower 9300 with SM-24, SM-36, and SM-44 modules; ASA 5508-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X; ASA 5585-X-SSP-10, -20, -40, -60; ISA 3000; FTDv; Firepower 7000/8000 series; NGIPSv


CHAPTER 2 Compatibility

This chapter provides compatibility information for Firepower Version 6.4.0.x patches.

• Firepower Management Centers, on page 3

• Firepower Devices, on page 4

• Manager-Device Compatibility, on page 6

• Web Browser Compatibility, on page 7

• Screen Resolution Requirements, on page 8

• Additional Compatibility Resources, on page 9

Firepower Management Centers

Version 6.4.0.x Firepower Management Center software is supported on physical and virtual platforms. Any FMC can manage any Firepower device.

Firepower Management Center Physical Platforms

Version 6.4.0.x supports:

• FMC 1600, 2600, 4600

• FMC 1000, 2500, 4500

• FMC 2000, 4000

• FMC 750, 1500, 3500

We recommend you keep the BIOS and RAID controller firmware up to date. For more information, see the Cisco Firepower Compatibility Guide.

Firepower Management Center Virtual (FMCv) Platforms

Version 6.4.0.x supports:

• FMCv on VMware vSphere/VMware ESXi 6.0 or 6.5

• FMCv on Kernel-based virtual machine (KVM)

• FMCv on Amazon Web Services (AWS)

• FMCv on Microsoft Azure


For supported FMCv instances, see the Cisco Firepower Management Center Virtual Getting Started Guide.

Firepower Devices

About Firepower Devices

Version 6.4.0.x Firepower device software is supported on a wide range of physical and virtual platforms.

• Software: Some Firepower devices run Firepower Threat Defense (FTD) software; some run NGIPS/ASA FirePOWER software. Some can run either — but not both at the same time.

• Remote Management: All Firepower devices support remote management with a Firepower Management Center, which can manage multiple devices.

• Local Management: Some Firepower devices support local, single-device management. You can manage FTD with the Firepower Device Manager (FDM), or ASA FirePOWER with ASDM. You can use only one management method for a device at a time.

• OS/Hypervisor: Some Firepower implementations bundle the operating system with the software. Others require that you upgrade the operating system yourself. For versions and builds of bundled operating systems, refer to the Bundled Components information in the Cisco Firepower Compatibility Guide.

Supported Firepower Devices

The following table provides compatibility information for Firepower devices running Version 6.4.0.x. Again, remember that all devices support remote FMC management.

Table 2: Firepower Devices in Version 6.4.0.x

Device Platform: Firepower 1010, 1120, 1140; Firepower 2110, 2120, 2130, 2140
Software: FTD
Local Mgmt.: FDM
OS/Hypervisor: —

Device Platform: Firepower 4110, 4120, 4140, 4150; Firepower 4115, 4125, 4145; Firepower 9300 with SM-24, SM-36, SM-44 modules; Firepower 9300 with SM-40, SM-48, SM-56 modules
Software: FTD
Local Mgmt.: —
OS/Hypervisor: FXOS 2.6.1.157 or later build. Separate upgrade. Upgrade FXOS first. To resolve issues, you may need to upgrade FXOS to the latest build. To help you decide, see the Cisco Firepower 4100/9300 FXOS Release Notes, 2.6(1).

Device Platform: ISA 3000; ASA 5508-X, 5516-X; ASA 5515-X, 5525-X, 5545-X, 5555-X
Software: FTD
Local Mgmt.: FDM
OS/Hypervisor: —

Device Platform: ISA 3000; ASA 5508-X, 5516-X; ASA 5515-X, 5525-X, 5545-X, 5555-X
Software: ASA FirePOWER (NGIPS)
Local Mgmt.: ASDM
OS/Hypervisor: Any of:
• ASA 9.5(2), 9.5(3)
• ASA 9.6(x) through 9.13(x)
Except: ASA 5515-X devices running ASA 9.13(x)+ do not support ASA FirePOWER.
Separate upgrade. See the Cisco ASA Upgrade Guide for order of operations. There is wide compatibility between ASA and ASA FirePOWER versions. However, even if an ASA upgrade is not strictly required, resolving issues may require an upgrade to the latest supported version. We do recommend you upgrade the ASA 5508-X and 5516-X to the latest ROMMON image; see the instructions in the Cisco ASA and Firepower Threat Defense Reimage Guide.

Device Platform: ASA 5585-X-SSP-10, -20, -40, -60
Software: ASA FirePOWER (NGIPS)
Local Mgmt.: ASDM
OS/Hypervisor: Any of:
• ASA 9.5(2), 9.5(3)
• ASA 9.6(x) through 9.12(x)
Separate upgrade. See the Cisco ASA Upgrade Guide for order of operations. There is wide compatibility between ASA and ASA FirePOWER versions. However, even if an ASA upgrade is not strictly required, resolving issues may require an upgrade to the latest supported version.

Device Platform: FTDv
Software: FTD
Local Mgmt.: FDM (VMware and KVM only)
OS/Hypervisor: Any of:
• VMware vSphere/VMware ESXi 6.0 or 6.5
• KVM
• AWS
• Microsoft Azure
For supported instances, see the appropriate FTDv Quick Start/Getting Started guide.

Device Platform: NGIPSv
Software: NGIPS
Local Mgmt.: —
OS/Hypervisor: VMware vSphere/VMware ESXi 6.0 or 6.5. For supported instances, see the Cisco Firepower NGIPSv Quick Start Guide for VMware.

Device Platform: Firepower 7010, 7020, 7030, 7050; Firepower 7110, 7115, 7120, 7125; Firepower 8120, 8130, 8140; Firepower 8250, 8260, 8270, 8290; Firepower 8350, 8360, 8370, 8390; AMP 7150, 8050, 8150; AMP 8350, 8360, 8370, 8390
Software: NGIPS
Local Mgmt.: Limited local GUI for select management functions.
OS/Hypervisor: —

Manager-Device Compatibility

The FMC must run at least the same major version as the devices it manages. Although you can manage a patched device with an unpatched FMC, new features and resolved issues often require the latest patch on both the FMC and its managed devices. We strongly recommend that you patch your entire deployment.

Table 3: Version 6.4.0.x Manager-Device Compatibility

Firepower Management Center
    Version 6.4.0.x FMC can manage Version 6.1 through 6.4.0.x devices.
    Version 6.4.0.x devices require Version 6.4.0 FMC.

Firepower Device Manager
    Version 6.4.0.x FDM can manage one FTD device.

ASDM
    Version 7.12.1 ASDM can manage Version 6.4.0.x and earlier ASA FirePOWER modules.
    Version 6.4.0.x ASA FirePOWER modules require Version 7.12.1 ASDM.


Web Browser Compatibility

Browsing the Web from a Firepower-Monitored Network

Many browsers use Transport Layer Security (TLS) v1.3 by default. If you are using an SSL policy to handle encrypted traffic, and people in your monitored network use browsers with TLS v1.3 enabled, websites that support TLS v1.3 may fail to load.

For more information, see the software advisory titled: Failures loading websites using TLS 1.3 with SSL inspection enabled.

Secure Communications with the FMC

SSL certificates allow the FMC (and 7000/8000 series devices) to establish an encrypted channel between the appliance and your browser.

By default, the system comes with a self-signed HTTPS server certificate. We recommend that you replace it with a certificate signed by a globally known or internally trusted certificate authority (CA). You can generate custom server certificate requests and import custom server certificates on the HTTPS Certificates page; choose System > Configuration, then click HTTPS Certificates.

For more information, see the online help or the Firepower Management Center Configuration Guide.

Browsers Tested with Firepower Web Interfaces

Firepower web interfaces are tested with the latest versions of popular browsers: Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer, running on currently supported versions of macOS and Microsoft Windows. If you encounter issues with any other browser, or are running an operating system that has reached end of life, we ask that you switch or upgrade. If you continue to encounter issues, contact Cisco TAC.

Note: Although we do not perform extensive testing with either Apple Safari or Microsoft Edge, Cisco TAC also welcomes feedback on issues you encounter with the latest version of these browsers.

Table 4: Browsers Tested with Firepower Web Interfaces

Browser: Google Chrome
Required Settings and Additional Warnings: JavaScript, cookies.
Chrome does not cache static content, such as images, CSS, or JavaScript, with the system-provided self-signed certificate. Especially in low bandwidth environments, this can extend page load times. If you do not want to replace the self-signed certificate, you can instead add it to the trust store of the browser/OS.

Browser: Mozilla Firefox
Required Settings and Additional Warnings: JavaScript, cookies, TLS v1.2.
When it updates, Firefox sometimes stops trusting the system-provided self-signed certificate. If you do not want to replace the certificate, and the login page does not load, refresh Firefox. Type about:support in the Firefox search bar and click Refresh Firefox. You will lose some settings; see the Refresh Firefox support page.

Browser: Microsoft Internet Explorer 11 (Windows only)
Required Settings and Additional Warnings: JavaScript, cookies, TLS v1.2, 128-bit encryption.
Also, you must:
• For the Check for newer versions of stored pages browsing history option, choose Automatically.
• Disable the Include local directory path when uploading files to server custom security setting.
• Enable Compatibility View for the Firepower web interface IP address/URL.
Not tested with FMC walkthroughs.

Browser Extension Compatibility

Some browser extensions (for example, Grammarly and Whatfix Editor) can prevent you from saving values in fields like the certificate and key in PKI objects. These extensions insert characters (such as HTML) in the fields, which causes the FMC to see them as invalid. We recommend you disable these extensions while you're using the FMC.

Screen Resolution Requirements

Table 5: Screen Resolution Requirements for Firepower User Interfaces

Interface | Resolution
Firepower Management Center | 1280 x 720
7000/8000 series device (limited local interface) | 1280 x 720
Firepower Device Manager | 1024 x 768
ASDM managing an ASA FirePOWER module | 1024 x 768
Firepower Chassis Manager for Firepower 4100/9300 chassis | 1024 x 768


Additional Compatibility Resources

This table provides links to release notes and additional compatibility information. For full documentation roadmaps, see Documentation Roadmaps, on page 55.

Table 6: Additional Compatibility Resources

Resources: Cisco Firepower Compatibility Guide; Cisco ASA Compatibility; Cisco Firepower 4100/9300 FXOS Compatibility
Description: Compatibility guides provide detailed compatibility information for supported hardware models and software versions, including bundled components and integrated products.

Resources: Cisco Firepower Release Notes; Cisco ASA Release Notes; Cisco Firepower 4100/9300 FXOS Release Notes
Description: Release notes provide critical and release-specific information, including upgrade warnings and behavior changes.

Resources: Cisco NGFW Product Line Software Release and Sustaining Bulletin
Description: Sustaining bulletins provide support timelines for the Cisco Next Generation Firewall product line, including management platforms and operating systems.


CHAPTER 3 Features and Functionality

Firepower Version 6.4.0.x includes:

• New Features, on page 11

• Deprecated Features, on page 12

• FMC How-To Walkthroughs, on page 13

New Features

This table summarizes the new features available in Version 6.4.0.x patches.

Table 7: Version 6.4.0.x New Features

Feature: Detection of rule conflicts in FTD NAT policies
Version: 6.4.0.2
Description: After you upgrade to Version 6.4.0.2, you can no longer create FTD NAT policies with conflicting rules (often referred to as duplicate or overlapping rules). This fixes an issue where conflicting NAT rules were applied out-of-order.
If you currently have conflicting NAT rules, you will be able to deploy post-upgrade. However, your NAT rules will continue to be applied out-of-order.
Therefore, we recommend that after the upgrade, you inspect your FTD NAT policies by editing (no changes are needed) then attempting to resave. If you have rule conflicts, the system will prevent you from saving. Correct the issues, save, and then deploy.
Supported platforms: FTD with FMC

Feature: ISE Connection Status Monitor health module
Version: 6.4.0.2
Description: A new health module, the ISE Connection Status Monitor, monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the FMC.
New/modified screens: System > Health > Policy > create or edit policy > ISE Connection Status Monitor
Supported platforms: FMC

Feature: New syslog fields
Version: 6.4.0.4
Description: These new syslog fields collectively identify a unique connection event:
• Sensor UUID
• First Packet Time
• Connection Instance ID
• Connection Counter
These fields also appear in syslogs for intrusion, file, and malware events, allowing connection events to be associated with those events.
Supported platforms: Any
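The NAT rule-conflict check described above can be approximated offline before the post-upgrade resave, so you know what the FMC is going to reject. The following is an added example, not code from Cisco or from the release notes. It models a rule by its original source network, original destination network ("any" meaning 0.0.0.0/0) and translated source, and treats two rules as conflicting when both could match the same packet (identical criteria are reported as a duplicate, partial intersection as an overlap). That definition, the NatRule type, the function names and the sample rules are all assumptions made for this example; the release notes do not spell out the FMC's own conflict test.

```python
"""Lint a set of FTD-style NAT rules for conflicting (duplicate or overlapping)
original match criteria, the condition that Version 6.4.0.2 refuses to save.

Assumption for this example: two rules conflict when a single packet could
match the original criteria of both. The FMC's actual conflict definition is
not stated in the release notes, so treat this as a pre-check, not the
authoritative test."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class NatRule:            # hypothetical model of a rule, not the FMC's schema
    name: str
    orig_src: str         # original source network, CIDR or "any"
    orig_dst: str         # original destination network, CIDR or "any"
    translated_src: str   # translated source address (not used for matching)


def _net(spec):
    """Turn a CIDR string or "any" into an ip_network object."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def rules_overlap(a, b):
    """True when some packet could match the original criteria of both rules."""
    a_src, b_src = _net(a.orig_src), _net(b.orig_src)
    a_dst, b_dst = _net(a.orig_dst), _net(b.orig_dst)
    if a_src.version != b_src.version or a_dst.version != b_dst.version:
        return False  # mixed IPv4/IPv6 criteria can never match the same packet
    return a_src.overlaps(b_src) and a_dst.overlaps(b_dst)


def find_conflicts(rules):
    """Return (rule_a, rule_b, kind) for every conflicting pair.

    kind is "duplicate" when the original criteria are identical, otherwise
    "overlap" (one rule's criteria contain or intersect the other's). Either
    way, which rule wins depends on evaluation order, which is the
    out-of-order symptom the release notes describe."""
    conflicts = []
    for a, b in combinations(rules, 2):
        if not rules_overlap(a, b):
            continue
        same = (_net(a.orig_src) == _net(b.orig_src)
                and _net(a.orig_dst) == _net(b.orig_dst))
        conflicts.append((a.name, b.name, "duplicate" if same else "overlap"))
    return conflicts


def validate_policy(rules):
    """Mimic the post-upgrade resave check: (True, []) if clean, else (False, conflicts)."""
    conflicts = find_conflicts(rules)
    return (not conflicts, conflicts)


# Constructed sample policy (hypothetical rule names and documentation addresses).
SAMPLE_RULES = [
    NatRule("r1", "10.1.0.0/24", "any", "192.0.2.1"),
    NatRule("r2", "10.1.0.0/24", "any", "192.0.2.2"),             # same criteria as r1
    NatRule("r3", "10.1.0.0/16", "198.51.100.0/24", "192.0.2.3"),  # contains r1/r2's source
    NatRule("r4", "10.2.0.0/24", "any", "192.0.2.4"),             # disjoint, no conflict
]

if __name__ == "__main__":
    ok, found = validate_policy(SAMPLE_RULES)
    print("policy saves cleanly" if ok else f"conflicts: {found}")
```

Run against an export of your own rules, the "duplicate" hits are the ones to fix first; "overlap" hits are worth reviewing even where the FMC accepts them, because their relative order decides which translation applies.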
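The four fields introduced in 6.4.0.4 are only useful if your log pipeline actually joins on them, so here is an added example (not Cisco's code and not the documented Firepower syslog layout) that groups intrusion, file and malware events under the connection event they belong to. The key=value line format, the field names written without spaces (SensorUUID, FirstPacketTime, ConnectionInstanceID, ConnectionCounter), the EventType field and all sample values are constructed for this example; adapt parse_line to the format your collector receives. It also covers the two failure modes a SOC sees in practice: a related event whose connection event never arrived, and an event from a device that predates the fields and so cannot be correlated at all.

```python
"""Correlate Firepower-style syslog events by the four fields that, per the
release notes, jointly identify a connection event."""
import re
from collections import defaultdict

# Field names are assumptions for this example (the release notes list them
# with spaces: Sensor UUID, First Packet Time, Connection Instance ID,
# Connection Counter). Together they form the correlation key.
CORRELATION_FIELDS = ("SensorUUID", "FirstPacketTime",
                      "ConnectionInstanceID", "ConnectionCounter")

# Constructed sample lines; the key=value layout is an assumption for this
# example, not the real Firepower syslog format. The last line mimics a
# device that does not yet emit the new fields.
SAMPLE_SYSLOG = """\
Jun 10 10:00:01 sensor1 EventType=ConnectionEvent SensorUUID=11111111-aaaa-4bbb-8ccc-222222222222 FirstPacketTime=1591783201 ConnectionInstanceID=3 ConnectionCounter=1001 SrcIP=10.0.0.5 DstIP=203.0.113.10 DstPort=443
Jun 10 10:00:02 sensor1 EventType=IntrusionEvent SensorUUID=11111111-aaaa-4bbb-8ccc-222222222222 FirstPacketTime=1591783201 ConnectionInstanceID=3 ConnectionCounter=1001 SID=1000001 Priority=high
Jun 10 10:00:02 sensor1 EventType=FileEvent SensorUUID=11111111-aaaa-4bbb-8ccc-222222222222 FirstPacketTime=1591783201 ConnectionInstanceID=3 ConnectionCounter=1001 FileName=invoice.pdf
Jun 10 10:00:05 sensor1 EventType=ConnectionEvent SensorUUID=11111111-aaaa-4bbb-8ccc-222222222222 FirstPacketTime=1591783205 ConnectionInstanceID=3 ConnectionCounter=1002 SrcIP=10.0.0.6 DstIP=198.51.100.7 DstPort=80
Jun 10 10:00:06 sensor1 EventType=MalwareEvent SensorUUID=11111111-aaaa-4bbb-8ccc-222222222222 FirstPacketTime=1591783205 ConnectionInstanceID=3 ConnectionCounter=1002 Disposition=Malware
Jun 10 10:00:07 sensor2 EventType=IntrusionEvent SensorUUID=33333333-aaaa-4bbb-8ccc-444444444444 FirstPacketTime=1591783207 ConnectionInstanceID=1 ConnectionCounter=7 SID=1000002 Priority=low
Jun 10 10:00:08 sensor3 EventType=IntrusionEvent SID=1000003 Priority=high
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Extract key=value pairs from one syslog line into a dict."""
    return dict(KV_RE.findall(line))


def connection_key(fields):
    """Composite key, or None when any of the four fields is missing
    (for example, a sensor still on a patch older than 6.4.0.4)."""
    try:
        return tuple(fields[f] for f in CORRELATION_FIELDS)
    except KeyError:
        return None


def correlate(syslog_text):
    """Group events by connection key.

    Returns (groups, orphans): groups maps key -> {"connection": dict or None,
    "related": [dict, ...]}; orphans lists events that carry no key."""
    groups = defaultdict(lambda: {"connection": None, "related": []})
    orphans = []
    for line in syslog_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        key = connection_key(fields)
        if key is None:
            orphans.append(fields)
        elif fields.get("EventType") == "ConnectionEvent":
            groups[key]["connection"] = fields
        else:
            groups[key]["related"].append(fields)
    return dict(groups), orphans


def connections_with_related(syslog_text):
    """Connections that have at least one intrusion, file or malware event attached."""
    groups, _ = correlate(syslog_text)
    return {k: v for k, v in groups.items() if v["connection"] and v["related"]}


def dangling_related(syslog_text):
    """Related events whose connection event has not been seen: possible log
    loss, or the connection-end event simply has not arrived yet."""
    groups, _ = correlate(syslog_text)
    return {k: v["related"] for k, v in groups.items() if v["connection"] is None}


if __name__ == "__main__":
    for key, group in connections_with_related(SAMPLE_SYSLOG).items():
        conn = group["connection"]
        kinds = ", ".join(e["EventType"] for e in group["related"])
        print(f"{conn['SrcIP']} -> {conn['DstIP']}:{conn['DstPort']} has {kinds}")
```

Because a connection event is normally logged at connection end, related events can legitimately arrive before it; treat dangling_related output as "pending" for a short window before alerting on it as log loss, and route orphans to a compliance check that finds the devices not yet on 6.4.0.4.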

Deprecated Features

Note: End of support is planned for user control with the Cisco Firepower User Agent software and identity source. You should switch to Cisco Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC) now. This will also allow you to take advantage of features that are not available with the user agent. To convert your license, contact Sales. For more information, see the appropriate Cisco Firepower User Agent Configuration Guide on the Cisco Firepower Management Center Configuration Guides page.

These features were deprecated in Version 6.4.0.x patches.

Table 8: Version 6.4.0.x Deprecated Features

Feature: Egress optimization
Version: 6.4.0.7
Description: To mitigate CSCvq34340, patching an FTD device to Version 6.4.0.7 turns off egress optimization processing. This happens regardless of whether the egress optimization feature is enabled or disabled.
Note: Upgrading to Version 6.5.0 will turn egress optimization back on, if you left the feature 'enabled.' We recommend you patch to Version 6.5.0.2+. If you remain at Version 6.5.0 or 6.5.0.1, you should manually disable egress optimization from the FTD CLI: no asp inspect-dp egress-optimization.
For more information, see the software advisory: FTD traffic outage due to 9344 block size depletion caused by the egress optimization feature.
Affected platforms: FTD

Feature: Version 6.4.0.6 no longer available
Version: 6.4.0.6
Description: Version 6.4.0.6 was removed from the Cisco Support & Download site on 2019-12-19. If you are running this version, we recommend you upgrade.
If you upgrade from Version 6.4.0.6 to a later patch, and then uninstall that patch, you return to Version 6.4.0.6. At that point, you should either immediately upgrade, or uninstall Version 6.4.0.6. Do not remain at Version 6.4.0.6.
Affected platforms: All

FMC How-To Walkthroughs

Version 6.3.0 introduces walkthroughs (also called how-tos) on the FMC, which guide you through a variety of basic tasks such as device setup and policy configuration. Just click How To at the bottom of the browser window, choose a walkthrough, and follow the step-by-step instructions.

Note: Walkthroughs are tested on the Firefox and Chrome browsers. If you encounter issues with a different browser, we ask that you switch to Firefox or Chrome. If you continue to encounter issues, contact Cisco TAC.

The following table lists some common problems and solutions. To end a walkthrough at any time, click the x in the upper right corner.

Table 9: Troubleshooting Walkthroughs

Problem: Cannot find the How To link to start walkthroughs.
Solution: Make sure walkthroughs are enabled. From the drop-down list under your username, select User Preferences then click How-To Settings.

Problem: Walkthrough appears when you do not expect it.
Solution: If a walkthrough appears when you do not expect it, end the walkthrough.

Problem: Walkthrough disappears or quits suddenly.
Solution: If a walkthrough disappears:
• Move your pointer. Sometimes the FMC stops displaying an in-progress walkthrough. For example, pointing to a different top-level menu can make this happen.
• Navigate to a different page and try again. If moving your pointer does not work, the walkthrough may have quit.

Problem: Walkthrough is out of sync with the FMC:
• Starts on the wrong step.
• Advances prematurely.
• Will not advance.
Solution: If a walkthrough is out of sync, you can:
• Attempt to continue. For example, if you enter an invalid value in a field and the FMC displays an error, the walkthrough can prematurely move on. You may need to go back and resolve the error to complete the task.
• End the walkthrough, navigate to a different page, and try again. Sometimes you cannot continue. For example, if you do not click Next after you complete a step, you may need to end the walkthrough.


C H A P T E R 4Upgrade to Version 6.4.0.x

This chapter provides critical and release-specific information for Version 6.4.0.x.

You should also read Features and Functionality, on page 11 for information on any new, changed, ordeprecated features and functionality.

• Guidelines and Warnings for Version 6.4.0.x, on page 15• General Guidelines and Warnings, on page 16• Minimum Version to Upgrade, on page 18• Time Tests and Disk Space Requirements, on page 19• Traffic Flow, Inspection, and Device Behavior, on page 24• Upgrade Instructions, on page 32• Upgrade Packages, on page 32

Guidelines and Warnings for Version 6.4.0.xThis checklist contains important upgrade guidelines and warnings that apply to Version 6.4.0.x patches. Also,make sure to review General Guidelines and Warnings, on page 16.

Table 10: Version 6.4.0.x Guidelines

Guideline | Platforms | Upgrading From | Directly To
Upgrade Failure: Insufficient Disk Space on Container Instances, on page 15 | Firepower 4100/9300 | 6.4.0.x | Later patches; 6.5.0
EtherChannels on Firepower 1010 Devices Can Blackhole Egress Traffic, on page 16 | Firepower 1010 | 6.4.0 only | 6.4.0.3 through 6.4.0.5
Versions 6.4.0.1 and 6.4.0.2 Not Supported on Firepower 1000 Series, on page 16 | Firepower 1000 series | 6.4.0 only | 6.4.0.1 or 6.4.0.2

Upgrade Failure: Insufficient Disk Space on Container Instances

Deployments: Firepower 4100/9300 with FTD


Upgrading from: Version 6.3.0 through 6.4.0.x

Directly to: Version 6.3.0.1 through Version 6.5.0

Most often during major upgrades — but possible while patching — FTD devices configured with container instances can fail in the precheck stage with an erroneous insufficient-disk-space warning.

If this happens to you, you can try to free up more disk space. If that does not work, contact Cisco TAC.

EtherChannels on Firepower 1010 Devices Can Blackhole Egress Traffic

Deployments: Firepower 1010 with FTD

Affected Versions: Version 6.4.0 to 6.4.0.5

Related Bug: CSCvq81354

We strongly recommend you do not configure EtherChannels on Firepower 1010 devices running FTD Version 6.4.0 to Version 6.4.0.5. (Note that Versions 6.4.0.1 and 6.4.0.2 are not supported on this model.)

Due to an internal traffic hashing issue, some EtherChannels on Firepower 1010 devices may blackhole some egress traffic. The hashing is based on source/destination IP address, so the behavior is consistent for a given source/destination IP pair: some traffic consistently works and some consistently fails, which makes the problem easy to miss if you test from a single host.

We will fix this issue in an upcoming 6.4.0.x patch. It is also fixed in Version 6.5.0.

Versions 6.4.0.1 and 6.4.0.2 Not Supported on Firepower 1000 Series

Deployments: Firepower 1000 series

Upgrading from: Version 6.4.0

Directly to: Version 6.4.0.1 or 6.4.0.2

You cannot upgrade a Firepower 1000 series device to Version 6.4.0.1 or 6.4.0.2.

General Guidelines and Warnings

These important guidelines and warnings apply to every upgrade. However, this list is not comprehensive. For links to additional important information on the upgrade process, which can include planning upgrade paths, OS upgrades, readiness checks, backups, maintenance windows, and so on, see Upgrade Instructions, on page 32.

Back Up Event and Configuration Data

We strongly recommend you back up to an external location and verify transfer success. When you upgrade an appliance, it purges locally stored backups. In FMC deployments, we also recommend you back up the FMC after you upgrade your deployment. This is so you have a new FMC backup file that 'knows' that its devices have been upgraded.

As the first step in any backup, note the patch level and VDB version. This is important because if you need to restore the backup to a new or reimaged appliance, you must first update that new appliance to exactly those versions. You can restore a backup only from an appliance of the same model and Firepower version, with the same VDB.


Verify NTP Synchronization

Before you upgrade, make sure Firepower appliances are synchronized with any NTP server you are using to serve time. Being out of sync can cause upgrade failure. In FMC deployments, the Time Synchronization Status health module does alert if clocks are out of sync by more than 10 seconds, but you should still check manually.

To check time:

• FMC: Choose System > Configuration > Time.

• Devices: Use the show time CLI command.

Appliance Access

Firepower devices can stop passing traffic during the upgrade (depending on interface configurations), or if the upgrade fails. Before you upgrade a Firepower device, make sure traffic from your location does not have to traverse the device itself to access the device's management interface. In Firepower Management Center deployments, you should also be able to access the FMC management interface without traversing the device.

Signed Upgrade Packages

So that Firepower can verify that you are using the correct files, upgrade packages from (and hotfixes to) Version 6.2.1+ are signed tar archives (.tar). Upgrades from earlier versions continue to use unsigned packages.

When you manually download upgrade packages from the Cisco Support & Download site—for example, for a major upgrade or in an air-gapped deployment—make sure you download the correct package. Do not untar signed (.tar) packages.

Note: After you upload a signed upgrade package, the GUI can take several minutes to load as the system verifies the package. To speed up the display, remove signed packages after you no longer need them.
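The two checks above (correct file, never untarred) are easy to automate on the workstation before anything is uploaded. The following Python script is an added example and not Cisco code: it streams the downloaded file through SHA-512 and compares the digest with the one copied by hand from the Cisco Software Download page, confirms the file is still an intact tar archive, and deliberately never extracts it. The sample package it builds, its digest, and the filenames are constructed for the demonstration.

```python
"""Pre-upload check for a signed Firepower upgrade package.

Added example, not Cisco code. Assumptions: the expected SHA-512 digest is the
one shown next to the file on the Cisco Software Download page and is passed in
by the operator; the sample package built by demo() is constructed data.
"""
from __future__ import annotations

import hashlib
import os
import tarfile
import tempfile


def sha512_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-512 so multi-GB packages need not fit in RAM."""
    digest = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_package(path: str, expected_sha512: str) -> list[str]:
    """Return the problems found; an empty list means the file is safe to upload.

    The archive is inspected but never extracted: Firepower verifies the
    signature on the intact .tar, and an untarred package cannot be used.
    """
    problems: list[str] = []
    name = os.path.basename(path)
    if not name.endswith(".tar"):
        problems.append(f"{name}: signed upgrade packages (6.2.1+) are .tar archives")
    if not tarfile.is_tarfile(path):
        problems.append(f"{name}: not a tar archive (untarred, truncated or wrong file?)")
    actual = sha512_of(path)
    if actual.lower() != expected_sha512.lower():
        problems.append(f"{name}: SHA-512 mismatch, expected {expected_sha512[:12]}..., got {actual[:12]}...")
    return problems


def build_sample_package(directory: str) -> tuple[str, str]:
    """Create a constructed stand-in for an upgrade package; return (path, sha512).

    The content is made up. For a real package the digest comes from the
    download page, never from the file you are about to check.
    """
    payload = os.path.join(directory, "payload.bin")
    with open(payload, "wb") as f:
        f.write(b"constructed upgrade payload\n" * 1024)
    path = os.path.join(directory, "sample_patch.sh.REL.tar")
    with tarfile.open(path, "w") as tar:
        tar.add(payload, arcname="payload.bin")
    return path, sha512_of(path)


def demo() -> dict[str, list[str]]:
    """Run the check on an intact copy, a bit-flipped copy and an untarred file."""
    with tempfile.TemporaryDirectory() as tmp:
        good, digest = build_sample_package(tmp)
        results = {"intact": check_package(good, digest)}

        tampered = os.path.join(tmp, "tampered.tar")
        with open(good, "rb") as src:
            data = bytearray(src.read())
        data[600] ^= 0x01  # flip one bit inside the archive body (past the 512-byte header)
        with open(tampered, "wb") as dst:
            dst.write(data)
        results["tampered"] = check_package(tampered, digest)

        untarred = os.path.join(tmp, "sample_patch.sh")
        with open(untarred, "wb") as f:
            f.write(b"#!/bin/sh\n# extracted installer: must never be uploaded\n")
        results["untarred"] = check_package(untarred, digest)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "OK" if not problems else problems)
```

In practice, call check_package() with the path of the downloaded file and the SHA-512 string from the download page, and upload only when it returns an empty list; a single flipped bit, as in the tampered case, is enough to fail the digest even though the file still opens as a tar archive.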

Disable ASA REST API on ASA FirePOWER Devices

Before you upgrade an ASA FirePOWER module, make sure the ASA REST API is disabled. Otherwise, the upgrade could fail. From the ASA CLI: no rest-api agent. You can reenable it after the upgrade: rest-api agent.

Sharing Data with Cisco

Some features involve sharing data with Cisco.

In Version 6.2.3+, Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support. During upgrades, you may be asked to accept or decline participation. You can also opt in or out at any time.

In Version 6.2.3+, web analytics tracking sends non-personally-identifiable usage data to Cisco, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your FMCs. If you are upgrading from Version 6.1 through 6.2.2.x, the upgrade enables web analytics tracking. If you do not want Cisco to collect this data, you can opt out after the upgrade. (If you are upgrading from Version 6.2.3.x or Version 6.3.0.x, the upgrade process respects your current setting.)


In Version 6.5.0+, Cisco Support Diagnostics (sometimes called Cisco Proactive Support) sends configuration and operational health data to Cisco, and processes that data through our automated problem detection system, allowing us to proactively notify you of issues. This feature also allows Cisco TAC to collect essential information from your devices during the course of a TAC case. During upgrades, you may be asked to accept or decline participation. You can also opt in or out at any time.

Upgrades Can Import and Auto-Enable Intrusion Rules

If a newer intrusion rule uses keywords that are not supported in your current Firepower version, that rule is not imported when you update the intrusion rule database (SRU).

After you upgrade the Firepower software and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.

Supported keywords depend on the Snort version included with your Firepower software:

• FMC: Choose Help > About.

• FTD with FDM: Use the show summary CLI command.

• ASA FirePOWER with ASDM: Choose ASA FirePOWER Configuration > System Information.

You can also find your Snort version in the Bundled Components section of the Cisco Firepower Compatibility Guide.

The Snort release notes contain details on new keywords. You can read the release notes on the Snort download page: https://www.snort.org/downloads.

Unresponsive Upgrades

Do not deploy changes to or from, manually reboot, or shut down an upgrading appliance. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.

Minimum Version to Upgrade

You can patch Firepower software only within the current major version sequence. Patches are cumulative, so you can always skip directly to the latest patch.

Table 11: Minimum Version to Upgrade Firepower Software to Version 6.4.0.x

Platform | Minimum Version
Firepower Management Center, and all managed devices in FMC deployments | 6.4.0
Firepower Threat Defense (all platforms) with FDM | 6.4.0
ASA FirePOWER with ASDM | 6.4.0


Time Tests and Disk Space Requirements

To upgrade a Firepower appliance, you must have enough free disk space or the upgrade fails. When you use the Firepower Management Center to upgrade a managed device, the FMC requires additional disk space in its /Volume partition, for the device upgrade package. You must also have enough time to perform the upgrade.

We provide reports of in-house time and disk space tests for reference purposes.

About Time Tests

Time values given here are based on in-house tests.

Note: Although we report the slowest time of all upgrades tested for a particular platform/series, your upgrade will likely take longer than the provided times for multiple reasons, provided below.

Basic Test Conditions

• Deployment: Values are from tests in a Firepower Management Center deployment. This is because raw upgrade times for remotely and locally managed devices are similar, given similar conditions.

• Versions: For major upgrades, we test upgrades from all eligible previous major versions. For patches, we test upgrades from the base version and from the immediately preceding patch.

• Models: In most cases, we test on the lowest-end models in each series, and sometimes on multiple models in a series.

• Virtual settings: We test with the default settings for memory and resources.

Time Is For Upgrade Only

Values represent the time it took for the Firepower upgrade script to run on each platform. For releases after early 2020, we also provide our observed reboot time.

Values do not include time for:

• Transferring upgrade packages, including copying (pushing) upgrade packages from the FMC to devices.

• Readiness checks.

• VDB and SRU updates.

• Deploying configurations.

• Reboots, for releases before early 2020.

Note that in FMC deployments, insufficient bandwidth between the FMC and managed devices can extend upgrade time or even cause the upgrade to time out. Make sure you have the bandwidth to perform a large data transfer from the FMC to its devices. For more information, see Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote).


Time Is For Single Devices

Values are per device. In a high availability or clustered configuration, devices upgrade one at a time to preserve continuity of operations, with each device operating in maintenance mode while it upgrades. Upgrading a device pair or entire cluster, therefore, takes longer than upgrading a standalone device.

Note that stacked 8000 series devices upgrade simultaneously, with the stack operating in a limited, mixed-version state until all devices complete the upgrade. This should not take significantly longer than upgrading a standalone device.

Affected Configurations and Data

We test on appliances with minimal configurations and traffic load. Upgrade time can increase with the complexity of your configurations, size of event databases, and whether/how those things are affected by the upgrade. For example, if you use a lot of access control rules and the upgrade needs to make a backend change to how those rules are stored, the upgrade can take longer.

About Disk Space Requirements

Space estimates are the largest reported for all upgrades. For releases after early 2020, they are:

• Not rounded up (under 1 MB).

• Rounded up to the next 1 MB (1 MB - 100 MB).

• Rounded up to the next 10 MB (100 MB - 1GB).

• Rounded up to the next 100 MB (greater than 1 GB).
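Before scheduling, a practitioner usually turns the rules in this section into a maintenance-window estimate and a disk-space check. The following Python planner is an added example, not Cisco tooling. It applies what the text states: times are per device; HA peers and cluster members upgrade one at a time, so their times add; members of an 8000 series stack upgrade together; every appliance needs the listed free space on / and /Volume; and the FMC needs extra /Volume space for each distinct device package it pushes. The per-platform figures are taken from Table 12 (Version 6.4.0.8). Two things are assumptions of the example rather than statements from the release notes: that the FMC is upgraded first and independent groups are then started in parallel, and the 1.5x margin applied on top of the published best-case times. The free-space figures in demo() are constructed.

```python
"""Maintenance-window and disk-space planner for a 6.4.0.x patch.

Added example, not Cisco tooling. Per-platform figures come from Table 12
(Version 6.4.0.8). Assumed, not from the release notes: the FMC goes first,
independent groups are then started in parallel, and a 1.5x safety margin.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (/Volume MB, / MB, space the FMC needs for this platform's package MB, minutes)
Requirement = Tuple[int, int, int, int]
REQ_6_4_0_8: Dict[str, Requirement] = {
    "FMC": (5000, 170, 0, 44),
    "Firepower 4100 series": (1800, 1800, 310, 14),
    "Firepower 9300": (2000, 2000, 310, 11),
    "Firepower 7000/8000 series": (3700, 190, 650, 25),
    "ASA 5500-X series with FTD": (1800, 110, 290, 17),
}


@dataclass
class Appliance:
    name: str
    platform: str
    free_volume_mb: int   # free space on /Volume, measured before the upgrade
    free_root_mb: int     # free space on /
    group: str = ""       # same string for HA peers or cluster members; "" = standalone
    stack: bool = False   # True for members of an 8000 series stack


def check_space(a: Appliance, req: Dict[str, Requirement]) -> List[str]:
    """Return a message for every partition below the published requirement."""
    need_volume, need_root, _, _ = req[a.platform]
    problems = []
    if a.free_volume_mb < need_volume:
        problems.append(f"{a.name}: /Volume has {a.free_volume_mb} MB free, needs {need_volume} MB")
    if a.free_root_mb < need_root:
        problems.append(f"{a.name}: / has {a.free_root_mb} MB free, needs {need_root} MB")
    return problems


def plan_window(fmc: Appliance, devices: List[Appliance],
                req: Dict[str, Requirement], margin: float = 1.5) -> Tuple[int, List[str]]:
    """Return (estimated window in minutes, list of disk-space blockers)."""
    problems = check_space(fmc, req)

    # The FMC also has to hold one upgrade package per device platform it pushes to.
    platforms = {d.platform for d in devices}
    package_mb = sum(req[p][2] for p in platforms)
    own_mb = req[fmc.platform][0]
    if fmc.free_volume_mb < own_mb + package_mb:
        problems.append(f"{fmc.name}: /Volume has {fmc.free_volume_mb} MB free, needs {own_mb} MB "
                        f"for its own upgrade plus {package_mb} MB for {len(platforms)} device package(s)")
    for d in devices:
        problems.extend(check_space(d, req))

    # Minutes per group: HA peers and cluster members add up (one at a time);
    # a stack upgrades as one unit, so its members overlap instead of adding.
    group_minutes: Dict[str, int] = {}
    for d in devices:
        key = d.group or d.name
        minutes = req[d.platform][3]
        if d.stack:
            group_minutes[key] = max(group_minutes.get(key, 0), minutes)
        else:
            group_minutes[key] = group_minutes.get(key, 0) + minutes

    # Assumption: FMC first, then every group starts together, so the device
    # phase lasts as long as the slowest group.
    longest = max(group_minutes.values(), default=0)
    total = math.ceil((req[fmc.platform][3] + longest) * margin)
    return total, problems


def demo() -> Tuple[int, List[str]]:
    """Run the planner on a constructed deployment (free-space figures are made up)."""
    fmc = Appliance("fmc", "FMC", free_volume_mb=6000, free_root_mb=500)
    devices = [
        Appliance("ha-a", "Firepower 4100 series", 4000, 4000, group="ha1"),
        Appliance("ha-b", "Firepower 4100 series", 4000, 4000, group="ha1"),
        Appliance("c1", "Firepower 9300", 5000, 5000, group="cluster1"),
        Appliance("c2", "Firepower 9300", 5000, 5000, group="cluster1"),
        Appliance("c3", "Firepower 9300", 5000, 5000, group="cluster1"),
        Appliance("s1", "Firepower 7000/8000 series", 8000, 1000, group="stack1", stack=True),
        Appliance("s2", "Firepower 7000/8000 series", 8000, 1000, group="stack1", stack=True),
        Appliance("branch-asa", "ASA 5500-X series with FTD", 1200, 500),
    ]
    return plan_window(fmc, devices, REQ_6_4_0_8)


if __name__ == "__main__":
    minutes, blockers = demo()
    print(f"plan a {minutes}-minute window")
    for b in blockers:
        print("blocker:", b)
```

In the constructed deployment the three-node cluster (3 x 11 min) is the slowest group, so it, not the HA pair or the stack, sets the window; the two blockers it reports are the FMC, which has room for its own upgrade but not for the four device packages on top, and the branch device whose /Volume is under the 1.8 GB requirement.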

Version 6.4.0.8 Time and Disk Space

Table 12: Version 6.4.0.8 Time and Disk Space

Platform                   | Space on /Volume | Space on / | Space on FMC | Time from 6.4.0
FMC                        | 5 GB             | 170 MB     | —            | 44 min
FMCv: VMware 6.0           | 5.1 GB           | 170 MB     | —            | 32 min
Firepower 1000 series      | 3 GB             | 3 GB       | 530 MB       | 18 min
Firepower 2100 series      | 2.5 GB           | 2.5 GB     | 510 MB       | 18 min
Firepower 4100 series      | 1.8 GB           | 1.8 GB     | 310 MB       | 14 min
Firepower 9300             | 2 GB             | 2 GB       | 310 MB       | 11 min
ASA 5500-X series with FTD | 1.8 GB           | 110 MB     | 290 MB       | 17 min
FTDv: VMware 6.0           | 1.9 GB           | 110 MB     | 290 MB       | 12 min
Firepower 7000/8000 series | 3.7 GB           | 190 MB     | 650 MB       | 25 min
ASA FirePOWER              | 2.2 GB           | 110 MB     | 590 MB       | 16 min
NGIPSv: VMware 6.0         | 2.1 GB           | 150 MB     | 450 MB       | 9 min

Version 6.4.0.7 Time and Disk Space

Table 13: Version 6.4.0.7 Time and Disk Space

Platform                   | Space on /Volume | Space on / | Space on FMC | Time from 6.4.0
FMC                        | 4.9 GB           | 170 MB     | —            | 41 min
FMCv: VMware 6.0           | 5.1 GB           | 170 MB     | —            | 32 min
Firepower 1000 series      | 2.9 GB           | 2.9 GB     | 530 MB       | 17 min
Firepower 2100 series      | 2.4 GB           | 2.4 GB     | 500 MB       | 17 min
Firepower 4100 series      | 1.7 GB           | 1.7 GB     | 310 MB       | 15 min
Firepower 9300             | 2.4 GB           | 2.4 GB     | 310 MB       | 12 min
ASA 5500-X series with FTD | 1.9 GB           | 110 MB     | 290 MB       | 18 min
FTDv: VMware 6.0           | 1.8 GB           | 110 MB     | 290 MB       | 9 min
Firepower 7000/8000 series | 3.7 GB           | 190 MB     | 650 MB       | 28 min
ASA FirePOWER              | 4.2 GB           | 36 MB      | 590 MB       | 54 min
NGIPSv: VMware 6.0         | 2.3 GB           | 150 MB     | 450 MB       | 9 min

Version 6.4.0.6 Time and Disk Space

Version 6.4.0.6 was removed from the Cisco Support & Download site on 2019-12-19. If you are running this version, we recommend you upgrade.

Version 6.4.0.5 Time and Disk Space

Table 14: Version 6.4.0.5 Time and Disk Space

Platform                   | Space on /Volume | Space on / | Space on FMC | Time from 6.4.0
FMC                        | 5 GB             | 170 MB     | —            | 39 min
FMCv: VMware 6.0           | 3.7 GB           | 170 MB     | —            | 27 min
Firepower 1000 series      | 2.9 GB           | 2.9 GB     | 530 MB       | 26 min
Firepower 2100 series      | 2.5 GB           | 2.5 GB     | 500 MB       | 16 min
Firepower 4100 series      | 1.8 GB           | 1.8 GB     | 310 MB       | 12 min
Firepower 9300             | 1.8 GB           | 1.8 GB     | 310 MB       | 11 min
ASA 5500-X series with FTD | 1.8 GB           | 110 MB     | 290 MB       | 20 min
FTDv: VMware 6.0           | 1.8 GB           | 110 MB     | 290 MB       | 10 min
Firepower 7000/8000 series | 3.6 GB           | 170 MB     | 650 MB       | 26 min
ASA FirePOWER              | 4.1 GB           | 36 MB      | 590 MB       | 45 min
NGIPSv: VMware 6.0         | 2.1 GB           | 150 MB     | 450 MB       | 10 min

Version 6.4.0.4 Time and Disk Space

Table 15: Version 6.4.0.4 Time and Disk Space

Platform                   | Space on /Volume | Space on / | Space on FMC | Time from 6.4.0
FMC                        | 4.4 GB           | 170 MB     | —            | 35 min
FMCv: VMware 6.0           | 4.8 GB           | 170 MB     | —            | 31 min
Firepower 1000 series      | 2.9 GB           | 2.9 GB     | 520 MB       | 28 min
Firepower 2100 series      | 2.4 GB           | 2.4 GB     | 500 MB       | 10 min
Firepower 4100 series      | 2 GB             | 2 GB       | 310 MB       | 12 min
Firepower 9300             | 1.7 GB           | 1.7 GB     | 310 MB       | 10 min
ASA 5500-X series with FTD | 1.8 GB           | 110 MB     | 290 MB       | 29 min
FTDv: VMware 6.0           | 1.8 GB           | 110 MB     | 290 MB       | 8 min
Firepower 7000/8000 series | 3.6 GB           | 170 MB     | 650 MB       | 24 min
ASA FirePOWER              | 4.2 GB           | 36 MB      | 600 MB       | 55 min
NGIPSv: VMware 6.0         | 2.1 GB           | 150 MB     | 550 MB       | 10 min

Version 6.4.0.3 Time and Disk Space

Table 16: Version 6.4.0.3 Time and Disk Space

Platform                   | Space on /Volume | Space on / | Space on FMC | Time from 6.4.0
FMC                        | 3.2 GB           | 24 MB      | —            | 34 min
FMCv: VMware 6.0           | 2.5 GB           | 23 MB      | —            | 25 min
Firepower 1000 series      | 2.9 GB           | 2.9 GB     | 520 MB       | 22 min
Firepower 2100 series      | 2.4 GB           | 2.4 GB     | 500 MB       | 19 min
Firepower 4100 series      | 1.7 GB           | 1.7 GB     | 310 MB       | 12 min
Firepower 9300             | 1.7 GB           | 1.7 GB     | 310 MB       | 14 min
ASA 5500-X series with FTD | 1.8 GB           | 110 MB     | 290 MB       | 18 min
FTDv: VMware 6.0           | 1.8 GB           | 110 MB     | 290 MB       | 12 min
Firepower 7000/8000 series | 1.9 GB           | 21 MB      | 370 MB       | 20 min
ASA FirePOWER              | 2.5 GB           | 2.5 GB     | 320 MB       | 28 min
NGIPSv: VMware 6.0         | 690 MB           | 21 MB      | 210 MB       | 8 min

Version 6.4.0.2 Time and Disk Space

Table 17: Version 6.4.0.2 Time and Disk Space

Platform                   | Space on /Volume | Space on / | Space on FMC | Time from 6.4.0
FMC                        | 3.1 GB           | 24 MB      | —            | 39 min
FMCv: VMware 6.0           | 2.5 GB           | 23 MB      | —            | 24 min
Firepower 2100 series      | 1.9 GB           | 1.9 GB     | 480 MB       | 19 min
Firepower 4100 series      | 2.3 GB           | 2.3 GB     | 290 MB       | 11 min
Firepower 9300             | 1.7 GB           | 1.7 GB     | 290 MB       | 11 min
ASA 5500-X series with FTD | 1.8 GB           | 110 MB     | 270 MB       | 21 min
FTDv: VMware 6.0           | 1.2 GB           | 110 MB     | 270 MB       | 10 min
Firepower 7000/8000 series | 1.9 GB           | 36 MB      | 350 MB       | 20 min
ASA FirePOWER              | 2 GB             | 21 MB      | 300 MB       | 34 min
NGIPSv: VMware 6.0         | 630 MB           | 21 MB      | 190 MB       | 10 min


Version 6.4.0.1 Time and Disk Space

Table 18: Version 6.4.0.1 Time and Disk Space

Platform                   | Space on /Volume | Space on / | Space on FMC | Time from 6.4.0
FMC                        | 1.8 GB           | 24 MB      | —            | 50 min
FMCv: VMware 6.0           | 1.8 GB           | 23 MB      | —            | 20 min
Firepower 2100 series      | 1.4 GB           | 1.4 GB     | 300 MB       | 17 min
Firepower 4100 series      | 1.1 GB           | 1.1 GB     | 95 MB        | 9 min
Firepower 9300             | 1.1 GB           | 1.1 GB     | 95 MB        | 10 min
ASA 5500-X series with FTD | 550 MB           | 110 MB     | 76 MB        | 16 min
FTDv: VMware 6.0           | 550 MB           | 110 MB     | 76 MB        | 15 min
Firepower 7000/8000 series | 59 MB            | 21 MB      | 2 MB         | 14 min
ASA FirePOWER              | 85 MB            | 20 MB      | 2 MB         | 30 min
NGIPSv: VMware 6.0         | 45 MB            | 21 MB      | 2 MB         | 10 min

Traffic Flow, Inspection, and Device Behavior

You must identify potential interruptions in traffic flow and inspection during the upgrade. This can occur:

• When a device is rebooted.

• When you upgrade the operating system or virtual hosting environment on a device.

• When you upgrade the Firepower software on a device, or uninstall a patch.

• When you deploy configuration changes as part of the upgrade or uninstall process (Snort process restarts).

Device type, deployment type (standalone, high availability, clustered), and interface configurations (passive, IPS, firewall, and so on) determine the nature of the interruptions. We strongly recommend performing any upgrade or uninstall in a maintenance window or at a time when any interruption will have the least impact on your deployment.

FTD Upgrade Behavior: Firepower 4100/9300 Chassis

This section describes device and traffic behavior when you upgrade a Firepower 4100/9300 chassis with FTD.


Firepower 4100/9300 Chassis: FXOS Upgrade

Upgrade FXOS on each chassis independently, even if you have inter-chassis clustering or high availability pairs configured. How you perform the upgrade determines how your devices handle traffic during the FXOS upgrade.

Table 19: Traffic Behavior During FXOS Upgrade

Standalone
• Any method: Dropped

High availability
• Best practice: Update FXOS on the standby, switch active peers, upgrade the new standby. Traffic: Unaffected
• Upgrade FXOS on the active peer before the standby is finished upgrading. Traffic: Dropped until one peer is online

Inter-chassis cluster (6.2+)
• Best practice: Upgrade one chassis at a time so at least one module is always online. Traffic: Unaffected
• Upgrade chassis at the same time, so all modules are down at some point. Traffic: Dropped until at least one module is online

Intra-chassis cluster (Firepower 9300 only)
• Fail-to-wire enabled (Bypass: Standby or Bypass-Force, 6.1+). Traffic: Passed without inspection
• Fail-to-wire disabled (Bypass: Disabled, 6.1+). Traffic: Dropped until at least one module is online
• No fail-to-wire module. Traffic: Dropped until at least one module is online

Standalone FTD Device: Firepower Software Upgrade

Interface configurations determine how a standalone device handles traffic during the upgrade.

Table 20: Traffic Behavior During Firepower Software Upgrade: Standalone FTD Device

Firewall interfaces
• Routed or switched, including EtherChannel, redundant, subinterfaces (switched interfaces are also known as bridge group or transparent interfaces): Dropped

IPS-only interfaces
• Inline set, fail-to-wire enabled (Bypass: Standby or Bypass-Force, 6.1+): Dropped (6.1 through 6.2.2.x); passed without inspection (6.2.3+)
• Inline set, fail-to-wire disabled (Bypass: Disabled, 6.1+): Dropped
• Inline set, no fail-to-wire module: Dropped
• Inline set, tap mode: Egress packet immediately, copy not inspected
• Passive, ERSPAN passive: Uninterrupted, not inspected

High Availability Pairs: Firepower Software Upgrade

You should not experience interruptions in traffic flow or inspection while upgrading the Firepower software on devices in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices operate in maintenance mode while they upgrade.

The standby device upgrades first. The devices switch roles, then the new standby upgrades. When the upgrade completes, the devices' roles remain switched. If you want to preserve the active/standby roles, manually switch the roles before you upgrade. That way, the upgrade process switches them back.

Clusters: Firepower Software Upgrade

You should not experience interruptions in traffic flow or inspection while upgrading the Firepower software on devices in Firepower Threat Defense clusters. To ensure continuity of operations, they upgrade one at a time. Devices operate in maintenance mode while they upgrade.

The slave security module or modules upgrade first, then the master. Security modules operate in maintenance mode while they upgrade.

During the master security module upgrade, although traffic inspection and handling continues normally, the system stops logging events. Events for traffic processed during the logging downtime appear with out-of-sync timestamps after the upgrade is completed. However, if the logging downtime is significant, the system may prune the oldest events before they can be logged.

Note: Upgrading an inter-chassis cluster from Version 6.2.0, 6.2.0.1, or 6.2.0.2 causes a 2-3 second interruption in traffic inspection when each module is removed from the cluster. Whether traffic drops during this interruption or passes without further inspection depends on how the device handles traffic.

High Availability and Clustering Hitless Upgrade Requirements

Hitless upgrades have the following additional requirements.

Flow Offload: Due to bug fixes in the flow offload feature, some combinations of FXOS and FTD do not support flow offload; see the Cisco Firepower Compatibility Guide. To perform a hitless upgrade in a high availability or clustered deployment, you must make sure you are always running a compatible combination.


If your upgrade path includes upgrading FXOS to 2.2.2.91, 2.3.1.130, or later (including FXOS 2.4.1.x, 2.6.1.x, and so on), use this path:

1. Upgrade FTD to 6.2.2.2 or later.

2. Upgrade FXOS to 2.2.2.91, 2.3.1.130, or later.

3. Upgrade FTD to your final version.

For example, if you are running FXOS 2.2.2.17/FTD 6.2.2.0, and you want to upgrade to FXOS 2.6.1/FTD 6.4.0, then you can:

1. Upgrade FTD to 6.2.2.5.

2. Upgrade FXOS to 2.6.1.

3. Upgrade FTD to 6.4.0.
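The ordering rule above can be encoded so that a planned path is checked mechanically rather than by eye. The following Python planner is an added example, not Cisco tooling. It implements only the rule stated here: when the path includes upgrading FXOS to 2.2.2.91, 2.3.1.130, or later, FTD must first reach 6.2.2.2 or later, then FXOS is upgraded, then FTD goes to its final version. Two things are assumptions of the example: when that rule does not apply, FXOS is upgraded before FTD; and the flow-offload compatibility of each FXOS/FTD pair is not checked, so the versions chosen still have to be confirmed against the Cisco Firepower Compatibility Guide.

```python
"""Order the FTD and FXOS steps of a Firepower 4100/9300 hitless upgrade.

Added example, not Cisco tooling. Encodes the release-note rule that FXOS
2.2.2.91+/2.3.1.130+ (and later) requires FTD 6.2.2.2+ before the FXOS step.
Assumed, not from the release notes: FXOS before FTD when the rule does not
apply; flow-offload compatibility is not checked here.
"""
from __future__ import annotations

from typing import List, Tuple

Version = Tuple[int, ...]


def parse(version: str) -> Version:
    """'2.2.2.91' -> (2, 2, 2, 91); tuples compare numerically, so 2.2.2.91 > 2.2.2.17."""
    return tuple(int(part) for part in version.split("."))


def fxos_requires_ftd_first(target_fxos: Version) -> bool:
    """True for FXOS 2.2.2.91 and later in the 2.2 train, or 2.3.1.130 and anything later."""
    if (2, 2, 2, 91) <= target_fxos < (2, 3):
        return True
    return target_fxos >= (2, 3, 1, 130)


def plan(current_fxos: str, current_ftd: str, target_fxos: str, target_ftd: str,
         interim_ftd: str = "6.2.2.2") -> List[str]:
    """Return the ordered upgrade steps; raise ValueError for an invalid request."""
    cur_fxos, cur_ftd = parse(current_fxos), parse(current_ftd)
    tgt_fxos, tgt_ftd = parse(target_fxos), parse(target_ftd)
    if tgt_fxos < cur_fxos or tgt_ftd < cur_ftd:
        raise ValueError("downgrades are not upgrade paths")

    steps: List[str] = []
    fxos_step = tgt_fxos > cur_fxos

    # Release-note rule: a new-enough FXOS target needs FTD 6.2.2.2+ in place first.
    if fxos_step and fxos_requires_ftd_first(tgt_fxos) and cur_ftd < (6, 2, 2, 2):
        interim = parse(interim_ftd)
        if interim < (6, 2, 2, 2):
            raise ValueError("interim FTD version must be 6.2.2.2 or later")
        if interim > tgt_ftd:
            raise ValueError("interim FTD version is later than the target")
        steps.append(f"Upgrade FTD {current_ftd} -> {interim_ftd}")
        current_ftd, cur_ftd = interim_ftd, interim

    if fxos_step:
        # Assumed order when the rule above does not apply: FXOS before the final FTD step.
        steps.append(f"Upgrade FXOS {current_fxos} -> {target_fxos}")
    if tgt_ftd > cur_ftd:
        steps.append(f"Upgrade FTD {current_ftd} -> {target_ftd}")
    return steps


if __name__ == "__main__":
    # The release notes' own example: FXOS 2.2.2.17/FTD 6.2.2.0 to FXOS 2.6.1/FTD 6.4.0 via FTD 6.2.2.5.
    for step in plan("2.2.2.17", "6.2.2.0", "2.6.1", "6.4.0", interim_ftd="6.2.2.5"):
        print(step)
```

Version strings are compared as integer tuples on purpose: string comparison would rank 2.2.2.91 below 2.2.2.17, which is exactly the mistake that makes such a path look safe when it is not. The interim version is validated against both the 6.2.2.2 floor and the target, so a typo such as 6.2.1.0 is rejected instead of silently producing a path the chassis will refuse.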

Version 6.1.0 Upgrades: Performing a hitless upgrade of an FTD high availability pair to Version 6.1.0 requires a preinstallation package. For more information, see Firepower System Release Notes Version 6.1.0 Preinstallation Package.

Traffic Behavior During Deployment

You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying, you modify specific policy or device configurations. For more information, see Configurations that Restart the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, restarting the Snort process interrupts traffic inspection on all Firepower devices, including those configured for HA/scalability. Interface configurations determine whether traffic drops or passes without inspection during the interruption.

Table 21: Traffic Behavior During FTD Deployment

Firewall interfaces
• Routed or switched, including EtherChannel, redundant, subinterfaces (switched interfaces are also known as bridge group or transparent interfaces): Dropped

IPS-only interfaces
• Inline set, Failsafe enabled or disabled (6.0.1 - 6.1.0.x): Passed without inspection. A few packets might drop if Failsafe is disabled and Snort is busy but not down.
• Inline set, Snort Fail Open: Down: disabled (6.2+): Dropped
• Inline set, Snort Fail Open: Down: enabled (6.2+): Passed without inspection
• Inline set, tap mode: Egress packet immediately, copy not inspected
• Passive, ERSPAN passive: Uninterrupted, not inspected


FTD Upgrade Behavior: Other Devices

This section describes device and traffic behavior when you upgrade Firepower Threat Defense on Firepower 1000/2100 series, ASA 5500-X series, ISA 3000, and FTDv.

Standalone FTD Device: Firepower Software Upgrade

Interface configurations determine how a standalone device handles traffic during the upgrade.

Table 22: Traffic Behavior During Firepower Software Upgrade: Standalone FTD Device

Firewall interfaces
• Routed or switched, including EtherChannel, redundant, subinterfaces (switched interfaces are also known as bridge group or transparent interfaces): Dropped

IPS-only interfaces
• Inline set, fail-to-wire enabled (Bypass: Standby or Bypass-Force, 6.1+): Dropped (6.1 through 6.2.2.x); passed without inspection (6.2.3+)
• Inline set, fail-to-wire disabled (Bypass: Disabled, 6.1+): Dropped
• Inline set, no fail-to-wire module: Dropped
• Inline set, tap mode: Egress packet immediately, copy not inspected
• Passive, ERSPAN passive: Uninterrupted, not inspected

High Availability Pairs: Firepower Software Upgrade

You should not experience interruptions in traffic flow or inspection while upgrading the Firepower software on devices in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices operate in maintenance mode while they upgrade.

The standby device upgrades first. The devices switch roles, then the new standby upgrades. When the upgrade completes, the devices' roles remain switched. If you want to preserve the active/standby roles, manually switch the roles before you upgrade. That way, the upgrade process switches them back.

Traffic Behavior During Deployment

You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying, you modify specific policy or device configurations. For more information, see Configurations that Restart the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, restarting the Snort process interrupts traffic inspection on all Firepower devices, including those configured for HA/scalability. Interface configurations determine whether traffic drops or passes without inspection during the interruption.

Table 23: Traffic Behavior During FTD Deployment

Firewall interfaces
• Routed or switched, including EtherChannel, redundant, subinterfaces (switched interfaces are also known as bridge group or transparent interfaces): Dropped

IPS-only interfaces
• Inline set, Failsafe enabled or disabled (6.0.1 - 6.1.0.x): Passed without inspection. A few packets might drop if Failsafe is disabled and Snort is busy but not down.
• Inline set, Snort Fail Open: Down: disabled (6.2+): Dropped
• Inline set, Snort Fail Open: Down: enabled (6.2+): Passed without inspection
• Inline set, tap mode: Egress packet immediately, copy not inspected
• Passive, ERSPAN passive: Uninterrupted, not inspected

Firepower 7000/8000 Series Upgrade Behavior

The following sections describe device and traffic behavior when you upgrade Firepower 7000/8000 series devices.

Standalone 7000/8000 Series: Firepower Software Upgrade

Interface configurations determine how a standalone device handles traffic during the upgrade.

Table 24: Traffic Behavior During Upgrade: Standalone 7000/8000 Series

Interface Configuration | Traffic Behavior

Inline, hardware bypass enabled (Bypass Mode: Bypass) | Passed without inspection, although traffic is interrupted briefly at two points:

• At the beginning of the upgrade process as link goes down and up (flaps) and the network card switches into hardware bypass.

• After the upgrade finishes as link flaps and the network card switches out of bypass. Inspection resumes after the endpoints reconnect and reestablish link with the device interfaces.

Inline, no hardware bypass module, or hardware bypass disabled (Bypass Mode: Non-Bypass) | Dropped

Inline, tap mode | Egress packet immediately, copy not inspected

Passive | Uninterrupted, not inspected

Routed, switched | Dropped

7000/8000 Series High Availability Pairs: Firepower Software Upgrade

You should not experience interruptions in traffic flow or inspection while upgrading devices (or device stacks) in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices operate in maintenance mode while they upgrade.

Which peer upgrades first depends on your deployment:

• Routed or switched: Standby upgrades first. The devices switch roles, then the new standby upgrades. When the upgrade completes, the devices' roles remain switched. If you want to preserve the active/standby roles, manually switch the roles before you upgrade. That way, the upgrade process switches them back.

• Access control only: Active upgrades first. When the upgrade completes, the active and standby maintain their old roles.

8000 Series Stacks: Firepower Software Upgrade

In an 8000 series stack, devices upgrade simultaneously. Until the primary device completes its upgrade and the stack resumes operation, traffic is affected as if the stack were a standalone device. Until all devices complete the upgrade, the stack operates in a limited, mixed-version state.

Traffic Behavior During Deployment

You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying, you modify specific policy or device configurations. For more information, see Configurations that Restart the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, restarting the Snort process interrupts traffic inspection on all Firepower devices, including those configured for HA/scalability. Interface configurations determine whether traffic drops or passes without inspection during the interruption.

Table 25: Traffic Behavior During Deployment: 7000/8000 Series

Interface Configuration | Traffic Behavior

Inline, Failsafe enabled or disabled | Passed without inspection. A few packets might drop if Failsafe is disabled and Snort is busy but not down.

Inline, tap mode | Egress packet immediately, copy bypasses Snort

Passive | Uninterrupted, not inspected

Routed, switched | Dropped

ASA FirePOWER Upgrade Behavior

Your ASA service policies for redirecting traffic to the ASA FirePOWER module determine how the module handles traffic during the Firepower software upgrade, including when you deploy certain configurations that restart the Snort process.

Table 26: Traffic Behavior During ASA FirePOWER Upgrade

Traffic Redirection Policy | Traffic Behavior

Fail open (sfr fail-open) | Passed without inspection

Fail closed (sfr fail-close) | Dropped

Monitor only (sfr {fail-close}|{fail-open} monitor-only) | Egress packet immediately, copy not inspected

Traffic Behavior During ASA FirePOWER Deployment

Traffic behavior while the Snort process restarts is the same as when you upgrade the ASA FirePOWER module.

You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying, you modify specific policy or device configurations. For more information, see Configurations that Restart the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, restarting the Snort process interrupts traffic inspection. Your service policies determine whether traffic drops or passes without inspection during the interruption.

NGIPSv Upgrade Behavior

This section describes device and traffic behavior when you upgrade NGIPSv.

Firepower Software Upgrade

Interface configurations determine how NGIPSv handles traffic during the upgrade.

Table 27: Traffic Behavior During NGIPSv Upgrade

Interface Configuration | Traffic Behavior

Inline | Dropped

Inline, tap mode | Egress packet immediately, copy not inspected

Passive | Uninterrupted, not inspected

Traffic Behavior During Deployment

You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying, you modify specific policy or device configurations. For more information, see Configurations that Restart the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.

When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, restarting the Snort process interrupts traffic inspection. Interface configurations determine whether traffic drops or passes without inspection during the interruption.

Table 28: Traffic Behavior During NGIPSv Deployment

Interface Configuration | Traffic Behavior

Inline, Failsafe enabled or disabled | Passed without inspection. A few packets might drop if Failsafe is disabled and Snort is busy but not down.

Inline, tap mode | Egress packet immediately, copy bypasses Snort

Passive | Uninterrupted, not inspected

Upgrade Instructions

The release notes do not contain upgrade instructions. After you read the guidelines and warnings in these release notes, see one of:

• Cisco Firepower Management Center Upgrade Guide: Upgrade FMC deployments, including managed devices and companion operating systems.

• Cisco ASA Upgrade Guide: Upgrade ASA FirePOWER modules with ASDM.

• Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager: Upgrade FTD with FDM.

Upgrade Packages

Upgrade packages are available on the Cisco Support & Download site.

• Firepower Management Center, including FMCv: https://www.cisco.com/go/firepower-software

• Firepower Threat Defense (ISA 3000): https://www.cisco.com/go/isa3000-software

• Firepower Threat Defense (all other models, including FTDv): https://www.cisco.com/go/ftd-software

• Firepower 7000 series: https://www.cisco.com/go/7000series-software

• Firepower 8000 series: https://www.cisco.com/go/8000series-software

• ASA with FirePOWER Services (ASA 5500-X series): https://www.cisco.com/go/asa-firepower-sw

• ASA with FirePOWER Services (ISA 3000): https://www.cisco.com/go/isa3000-software

• NGIPSv: https://www.cisco.com/go/ngipsv-software

Do not untar signed (.tar) packages.

Table 29: Upgrade Packages for Version 6.4.0.x

Platform | Package

FMC/FMCv | Cisco_Firepower_Mgmt_Center_Patch-version-build.sh.REL.tar

Firepower 1000 series | Cisco_FTD_SSP_FP1K_Patch-version-build.sh.REL.tar

Firepower 2100 series | Cisco_FTD_SSP_FP2K_Patch-version-build.sh.REL.tar

Firepower 4100/9300 chassis | Cisco_FTD_SSP_Patch-version-build.sh.REL.tar

ASA 5500-X series with FTD; ISA 3000 with FTD; Firepower Threat Defense Virtual | Cisco_FTD_Patch-version-build.sh.REL.tar

Firepower 7000/8000 series | Cisco_Firepower_NGIPS_Appliance_Patch-version-build.sh.REL.tar

ASA FirePOWER | Cisco_Network_Sensor_Patch-version-build.sh.REL.tar

NGIPSv | Cisco_Firepower_NGIPS_Virtual_Patch-version-build.sh.REL.tar


CHAPTER 5

Uninstall a Version 6.4.0.x Patch

You can uninstall Firepower patches from:

• FMCs and their managed devices

• ASA FirePOWER modules managed by ASDM

Uninstalling a patch results in an appliance running the version you upgraded from.

Note: You cannot uninstall a patch from an FTD device managed by FDM. You also cannot uninstall a major version of the Firepower software from any appliance. In those cases, you must freshly install.

For more information, see:

• Guidelines and Limitations for Uninstalling, on page 35

• Uninstall Order for HA/Scalability Deployments, on page 38

• Uninstall Instructions, on page 40

• Uninstall Packages, on page 45

Guidelines and Limitations for Uninstalling

These important guidelines and limitations apply to uninstall.

Verify Uninstall is Supported for Your Patch

Uninstalling specific patches can cause issues on Firepower appliances, including:

• Inability to deploy configuration changes after uninstall.

• Incompatibilities between the operating system and the Firepower software.

• FSIC (file system integrity check) failure when the appliance reboots, if you patched with security certifications compliance enabled (CC/UCAPL mode).

Caution: If security certifications compliance is enabled and the FSIC fails, Firepower software does not start, remote SSH access is disabled, and you can access the appliance only via local console. If this happens, contact Cisco TAC.

In these cases, if you need to revert to an earlier patch, we recommend you reimage and then upgrade.

The following table lists situations where you should not uninstall.

Table 30: Version 6.4.0.x Patches with Subsequent Issues on Uninstall

Uninstalling From | If Upgraded From | Platforms

6.4.0.2+ | 6.4.0 through 6.4.0.1 | FMC/FMCv; Firepower 7000/8000 series; ASA FirePOWER; NGIPSv

6.4.0.3+ | 6.4.0 through 6.4.0.2 | FMC/FMCv; Firepower 7000/8000 series; ASA FirePOWER; NGIPSv

6.4.0.4+ | 6.4.0 through 6.4.0.3 | Any
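To make the rule in Table 30 checkable before a maintenance window, here is an added Python example (not Cisco's code) that encodes the three rows as version ranges and reports whether a planned uninstall falls into a documented issue case. It assumes dotted numeric version strings such as 6.4.0.2; the platform labels are constructed for this example.

```python
"""Check whether uninstalling a Version 6.4.0.x patch hits a documented
issue case. Added example, not Cisco code. Assumes dotted numeric
version strings (e.g. "6.4.0.2") and the constructed platform labels
below."""
from typing import Optional, Tuple

# Platform labels are constructed for this example; they stand for the
# platforms named in the first two table rows.
NON_FTD_PLATFORMS = frozenset(
    {"FMC", "FMCv", "7000/8000", "ASA FirePOWER", "NGIPSv"})

# One entry per table row: (lowest upgraded-from, highest upgraded-from,
# lowest uninstalling-from, affected platforms; None means any platform).
ISSUE_ROWS = (
    ("6.4.0", "6.4.0.1", "6.4.0.2", NON_FTD_PLATFORMS),
    ("6.4.0", "6.4.0.2", "6.4.0.3", NON_FTD_PLATFORMS),
    ("6.4.0", "6.4.0.3", "6.4.0.4", None),
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.4.0' or '6.4.0.2' into a comparable 4-tuple, padding
    missing trailing components with zeros so 6.4.0 == 6.4.0.0."""
    parts = [int(p) for p in version.strip().strip(".").split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def uninstall_issue(upgraded_from: str, uninstalling_from: str,
                    platform: str) -> Optional[str]:
    """Return a description of the matching table row, or None when the
    planned uninstall is not a documented issue case."""
    src = parse_version(upgraded_from)
    cur = parse_version(uninstalling_from)
    if cur <= src:
        raise ValueError("uninstalling-from must be newer than upgraded-from")
    for low, high, min_cur, platforms in ISSUE_ROWS:
        in_range = parse_version(low) <= src <= parse_version(high)
        affected = platforms is None or platform in platforms
        if in_range and cur >= parse_version(min_cur) and affected:
            scope = "any platform" if platforms is None else platform
            return (f"uninstalling from {min_cur}+ after upgrading from "
                    f"{low} through {high} has known issues on {scope}; "
                    f"reimage and then upgrade instead")
    return None


if __name__ == "__main__":
    # Constructed sample cases.
    for case in (("6.4.0.1", "6.4.0.2", "FMC"),
                 ("6.4.0.1", "6.4.0.2", "FTD"),
                 ("6.4.0.3", "6.4.0.5", "FTD")):
        print(case, "->", uninstall_issue(*case) or "no documented issue")
```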

Uninstall from Devices First, Using the Shell

In FMC deployments, uninstall patches from managed devices first. We recommend that FMCs run a higher version than their managed devices.

To uninstall a device patch, you must use the Linux shell, also called expert mode. This means that you uninstall from devices both individually and locally. In other words:

• You cannot batch-uninstall patches from clustered, stacked, or high availability (HA) Firepower devices, or from clustered or failover ASA with FirePOWER Services devices. To plan an uninstall order that minimizes disruption, see Uninstall Order for HA/Scalability Deployments, on page 38.

• You cannot use an FMC, ASDM, or FDM to uninstall a patch from a device, nor can you use the local web interface on a 7000/8000 series device.

• You cannot use an FMC user account to log into and uninstall the patch from one of its managed devices. Firepower appliances maintain their own user accounts.

• You must have access to the device shell as the admin user for the device, or as another local user with CLI configuration access. If you disabled shell access, you cannot uninstall device patches. Contact Cisco TAC to reverse the device lockdown.


Uninstall from FMCs After Devices

Uninstall patches from FMCs after you uninstall from their managed devices. As with upgrade, you must uninstall from high availability FMCs one at a time; see Uninstall Order for HA/Scalability Deployments, on page 38.

We recommend you use the FMC web interface to uninstall FMC patches. You must have Administrator access. If you cannot use the web interface, you can use the Linux shell as either the admin user for the shell, or as an external user with shell access. If you disabled shell access, contact Cisco TAC to reverse the FMC lockdown.

Verify NTP Synchronization

Before you uninstall, make sure Firepower appliances are synchronized with any NTP server you are using to serve time. Being out of sync can cause uninstall failure. In FMC deployments, the Time Synchronization Status health module does alert if clocks are out of sync by more than 10 seconds, but you should still check manually.

To check time:

• FMC: Choose System > Configuration > Time.

• Devices: Use the show time CLI command.

Appliance Access

Firepower devices can stop passing traffic during the uninstall (depending on interface configurations), or if the uninstall fails. Before you uninstall a patch from a Firepower device, make sure traffic from your location does not have to traverse the device itself to access the device's management interface. In Firepower Management Center deployments, you should also be able to access the FMC management interface without traversing the device.

Disable ASA REST API on ASA FirePOWER Devices

Before you uninstall an ASA FirePOWER patch, make sure the ASA REST API is disabled. Otherwise, the uninstall could fail. From the ASA CLI: no rest-api agent. You can reenable after the uninstall: rest-api agent.

Unresponsive Uninstalls

Do not deploy changes to or from, manually reboot, or shut down an uninstalling appliance. Do not restart an uninstall in progress. The uninstall process may appear inactive at times; this is expected. If you encounter issues with the uninstall, including a failed uninstall or unresponsive appliance, contact Cisco TAC.

A failed uninstall may require a reimage, which returns most settings to factory defaults. For this reason, we strongly recommend you back up event and configuration data to an external location before you reimage.

Traffic Flow, Inspection, and Device Behavior

Interruptions in traffic flow and inspection during an uninstall are the same as the interruptions that occur during an upgrade. We strongly recommend performing any uninstall in a maintenance window or at a time when any interruption will have the least impact on your deployment. For more information, see Traffic Flow, Inspection, and Device Behavior, on page 24.


Uninstall Order for HA/Scalability Deployments

You uninstall patches from Firepower appliances individually, even those that you upgraded as a unit. Especially in high availability (HA) and scalability deployments, you should plan an uninstall order that minimizes disruption. Unlike upgrade, the system does not do this for you. The tables below outline uninstall order for HA/scalability deployments.

Note that in most cases, you will:

• Uninstall from the secondary/standby/slave units first, then the primary/active/master.

• Uninstall one at a time. Wait until the patch has fully uninstalled from one unit before you move on to the next unit.

Table 31: Uninstall Order for FMCs in HA

FMC Deployment | Uninstall Order

FMC high availability | With synchronization paused, which is a state called split-brain, uninstall from FMC peers one at a time. Do not make or deploy configuration changes while the pair is split-brain.

1. Pause synchronization (enter split-brain).

2. Uninstall from the standby.

3. Uninstall from the active.

4. Restart synchronization (exit split-brain).

Table 32: Uninstall Order for FTD devices in HA or Clusters

FTD Deployment | Uninstall Order

FTD high availability | You cannot uninstall a patch from FTD devices configured for high availability. You must break high availability first.

1. Break high availability.

2. Uninstall from the former standby.

3. Uninstall from the former active.

4. Reestablish high availability.

FTD cluster | Uninstall from one unit at a time, leaving the master unit for last. Clustered units operate in maintenance mode while the patch uninstalls.

1. Uninstall from the slave modules one at a time.

2. Make one of the slave modules the new master module.

3. Uninstall from the former master.


Table 33: Uninstall Order for 7000/8000 Series Devices in HA or Stacks

7000/8000 Series Deployment | Uninstall Order

7000/8000 series high availability | Always uninstall from the standby. A 7000/8000 series device in an HA pair operates in maintenance mode while the patch uninstalls.

1. Uninstall from the standby.

2. Switch roles.

3. Uninstall from the new standby.

8000 series stack | Uninstall from all devices in the stack at the same time. Until you uninstall the patch from all devices in a stack, the stack operates in a limited, mixed-version state.

Table 34: Uninstall Order for ASA with FirePOWER Services Devices in ASA Failover Pairs/Clusters

ASA Deployment | Uninstall Order

ASA active/standby failover pair, with ASA FirePOWER | Always uninstall from the standby.

1. Uninstall from the ASA FirePOWER module on the standby ASA device.

2. Fail over.

3. Uninstall from the ASA FirePOWER module on the new standby ASA device.

ASA active/active failover pair, with ASA FirePOWER | Make both failover groups active on the unit you are not uninstalling.

1. Make both failover groups active on the primary ASA device.

2. Uninstall from the ASA FirePOWER module on the secondary ASA device.

3. Make both failover groups active on the secondary ASA device.

4. Uninstall from the ASA FirePOWER module on the primary ASA device.

ASA cluster, with ASA FirePOWER | Disable clustering on each unit before you uninstall. Uninstall from one unit at a time, leaving the master unit for last.

1. On a slave unit, disable clustering.

2. Uninstall from the ASA FirePOWER module on that unit.

3. Reenable clustering. Wait for the unit to rejoin the cluster.

4. Repeat for each slave unit.

5. On the master unit, disable clustering. Wait for a new master to take over.

6. Uninstall from the ASA FirePOWER module on the former master.

7. Reenable clustering.


Uninstall Instructions

The following sections explain how to uninstall Firepower patches from eligible appliances.

Uninstall from a Standalone FMC

Use this procedure to uninstall a patch from a standalone Firepower Management Center, including Firepower Management Center Virtual.

Before you begin

Uninstall patches from managed devices. We recommend that FMCs run a higher version than their managed devices.

Step 1 Deploy to managed devices whose configurations are out of date.

Deploying before you uninstall reduces the chance of failure.

Step 2 Perform prechecks.

• Check health: Use the Message Center on the FMC (click the System Status icon on the menu bar). Make sure the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.

• Running tasks: Also in the Message Center, make sure essential tasks are complete. Tasks running when the uninstall begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.

Step 3 Choose System > Updates.

Step 4 Click the Install icon next to the uninstall package for the FMC, then choose the FMC.

If you do not have the correct uninstall package, contact Cisco TAC.

Step 5 Click Install to begin the uninstall.

Confirm that you want to uninstall and reboot the FMC.

Step 6 Monitor progress in the Message Center until you are logged out.

Do not make configuration changes or deploy to any device while the patch is uninstalling. Even if the Message Center shows no progress for several minutes or indicates that the uninstall has failed, do not restart the uninstall or reboot the FMC. Instead, contact Cisco TAC.

Step 7 Log back into the FMC after the patch uninstalls and the FMC reboots.

Step 8 Verify success.

Choose Help > About to display current software version information.

Step 9 Use the Message Center to recheck deployment health.

Step 10 Redeploy configurations.


Uninstall from High Availability FMCs

Use this procedure to uninstall a patch from a Firepower Management Center in a high availability pair.

You uninstall from peers one at a time. With synchronization paused, first uninstall from the standby, then the active. When the standby FMC starts the uninstall, its status switches from standby to active, so that both peers are active. This temporary state is called split-brain and is not supported except during upgrade and uninstall. Do not make or deploy configuration changes while the pair is split-brain. Your changes will be lost after you restart synchronization.

Before you begin

Uninstall patches from managed devices. We recommend that FMCs run a higher version than their managed devices.

Step 1 On the active FMC, deploy to managed devices whose configurations are out of date.

Deploying before you uninstall reduces the chance of failure.

Step 2 Use the Message Center to check deployment health before you pause synchronization.

Click the System Status icon on the FMC menu bar to display the Message Center. Make sure the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.

Step 3 Pause synchronization.

a) Choose System > Integration.

b) On the High Availability tab, click Pause Synchronization.

Step 4 Uninstall the patch from the FMCs one at a time—first the standby, then the active.

Follow the instructions in Uninstall from a Standalone FMC, on page 40, but omit the initial deploy, and stop after you verify update success on each FMC. In summary, for each FMC:

a) Perform prechecks (health, running tasks).

b) On the System > Updates page, uninstall the patch.

c) Monitor progress until you are logged out, then log back in when you can.

d) Verify uninstall success.

Do not make or deploy configuration changes while the pair is split-brain.

Step 5 On the FMC you want to make the active peer, restart synchronization.

a) Choose System > Integration.

b) On the High Availability tab, click Make-Me-Active.

c) Wait until synchronization restarts and the other FMC switches to standby mode.

Step 6 Use the Message Center to recheck deployment health.

Step 7 Redeploy configurations.


Uninstall from Any Device (FMC Managed)

Use this procedure to uninstall a patch from a single managed device in a Firepower Management Center deployment. This includes physical and virtual devices, security modules, and ASA FirePOWER modules.

Before you begin

• Make sure you are uninstalling from the correct device, especially in HA/scalability deployments. See Uninstall Order for HA/Scalability Deployments, on page 38.

• For ASA FirePOWER modules, make sure the ASA REST API is disabled. From the ASA CLI: no rest-api agent. You can reenable after the uninstall: rest-api agent.

Step 1 If the device's configurations are out of date, deploy now from the FMC.

Deploying before you uninstall reduces the chance of failure.

Exception: Do not deploy to mixed-version stacks, clusters, or HA pairs. In an HA/scalability deployment, deploy before you uninstall from the first device, but then not again until you have uninstalled the patch from all members.

Step 2 Perform prechecks.

• Check health: Use the Message Center on the FMC (click the System Status icon on the menu bar). Make sure the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.

• Running tasks: Also in the Message Center, make sure essential tasks are complete. Tasks running when the uninstall begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.

Step 3 Access the Firepower CLI on the device. Log in as admin or another Firepower CLI user with configuration access.

You can either SSH to the device's management interface (hostname or IP address) or use the console. Note that ASA 5585-X series devices have a dedicated ASA FirePOWER console port.

If you use the console, some devices default to the operating system CLI, and require an extra step to access the Firepower CLI.

Platform | Command

Firepower 1000/2100 series | connect ftd

Firepower 4100/9300 chassis | connect module slot_number console, then connect ftd (first login only)

ASA FirePOWER, except ASA 5585-X series | session sfr

Step 4 At the Firepower CLI prompt, use the expert command to access the Linux shell.

Step 5 Run the uninstall command, entering your password when prompted.

sudo install_update.pl --detach /var/sf/updates/uninstall_package_name

The package name varies by platform; see Uninstall Packages, on page 45. Do not untar signed (.tar) packages.

Unless you are running the uninstall from the console, use the --detach option to ensure the uninstall does not stop if your user session times out. Otherwise, the uninstall runs as a child process of the user shell. If your connection is terminated, the process is killed, the check is disrupted, and the appliance may be left in an unstable state.


Caution: The system does not ask you to confirm that you want to uninstall. Entering this command starts the uninstall, which includes a device reboot. Interruptions in traffic flow and inspection during an uninstall are the same as the interruptions that occur during an upgrade. Make sure you are ready.

Step 6 Monitor the uninstall.

If you did not detach the uninstall, progress is displayed on the console or terminal. If you did detach, you can use tail or tailf to display logs:

• FTD devices: tail /ngfw/var/log/sf/update.status

• All other devices: tail /var/log/sf/update.status

Step 7 Verify success.

After the patch uninstalls and the device reboots, confirm that the device has the correct software version. On the FMC, choose Devices > Device Management.

Step 8 Use the Message Center to recheck deployment health.

Step 9 Redeploy configurations.

Exception: In an HA/scalability deployment, do not deploy to mixed-version stacks, clusters, or HA pairs. Deploy only after you repeat this procedure for all members.

What to do next

• For HA/scalability deployments, repeat this procedure for each device in your planned sequence. Then, make any final adjustments. For example, in an FTD HA deployment, reestablish HA after you uninstall from both peers.

• For ASA FirePOWER modules, reenable the ASA REST API if you disabled it earlier. From the ASA CLI: rest-api agent.

Uninstall from ASA FirePOWER (ASDM Managed)

Use this procedure to uninstall a patch from a locally managed ASA FirePOWER module. If you manage ASA FirePOWER with an FMC, see Uninstall from Any Device (FMC Managed), on page 42.

Before you begin

• Make sure you are uninstalling from the correct device, especially in ASA failover/cluster deployments. See Uninstall Order for HA/Scalability Deployments, on page 38.

• Make sure the ASA REST API is disabled. From the ASA CLI: no rest-api agent. You can reenable after the uninstall: rest-api agent.

Step 1 If the device's configurations are out of date, deploy now from ASDM.

Deploying before you uninstall reduces the chance of failure.

Step 2 Perform prechecks.


• System status: Choose Monitoring > ASA FirePOWER Monitoring > Statistics and make sure everything is as expected.

• Running tasks: Choose Monitoring > ASA FirePOWER Monitoring > Tasks and make sure essential tasks are complete. Tasks running when the uninstall begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.

Step 3 Access the Firepower CLI on the ASA FirePOWER module. Log in as admin or another Firepower CLI user with configuration access.

You can either SSH to the module's management interface (hostname or IP address) or use the console. If you use the console, note that ASA 5585-X series devices have a dedicated ASA FirePOWER console port. On other ASA models, the console port defaults to the ASA CLI and you must use the session sfr command to access the Firepower CLI.

Step 4 At the Firepower CLI prompt, use the expert command to access the Linux shell.

Step 5 Run the uninstall command, entering your password when prompted.

sudo install_update.pl --detach /var/sf/updates/Cisco_Network_Sensor_Patch_Uninstaller-version-build.sh.REL.tar

Do not untar signed (.tar) packages.

Unless you are running the uninstall from the console, use the --detach option to ensure the uninstall does not stop if your user session times out. Otherwise, the uninstall runs as a child process of the user shell. If your connection is terminated, the process is killed, the uninstall is disrupted, and the appliance may be left in an unstable state.

Caution: The system does not ask you to confirm that you want to uninstall. Entering this command starts the uninstall, which includes a device reboot. Interruptions in traffic flow and inspection during an uninstall are the same as the interruptions that occur during an upgrade. Make sure you are ready.

Step 6 Monitor the uninstall.

If you did not detach the uninstall, progress is displayed on the console or terminal. If you did detach, you can use tail or tailf to display logs:

tail /var/log/sf/update.status

Do not deploy configurations to the device while the patch is uninstalling. Even if the log shows no progress for several minutes or indicates that the uninstall has failed, do not restart the uninstall or reboot the device. Instead, contact Cisco TAC.

Step 7 Verify success.

After the patch uninstalls and the module reboots, confirm that the module has the correct software version. Choose Configuration > ASA FirePOWER Configurations > Device Management > Device.

Step 8 Redeploy configurations.

What to do next

• For ASA failover/cluster deployments, repeat this procedure for each device in your planned sequence.

• For ASA FirePOWER modules, reenable the ASA REST API if you disabled it earlier. From the ASA CLI: rest-api agent.


Uninstall Packages

When you patch a Firepower appliance, the uninstaller for that patch is automatically created in the upgrade directory:

• /ngfw/var/sf/updates on FTD devices

• /var/sf/updates on the FMC and all other devices (7000/8000 series, ASA FirePOWER, NGIPSv)

If the package is not in the upgrade directory (for example, if you manually deleted it), contact Cisco TAC. Do not untar signed (.tar) packages.

Uninstaller package by platform:

• FMC/FMCv: Cisco_Firepower_Mgmt_Center_Patch_Uninstaller-version-build.sh.REL.tar

• Firepower 1000 series: Cisco_FTD_SSP_FP1K_Patch_Uninstaller-version-build.sh.REL.tar

• Firepower 2100 series: Cisco_FTD_SSP_FP2K_Patch_Uninstaller-version-build.sh.REL.tar

• Firepower 4100/9300 chassis: Cisco_FTD_SSP_Patch_Uninstaller-version-build.sh.REL.tar

• ASA 5500-X series with FTD, ISA 3000 with FTD, FTDv: Cisco_FTD_Patch_Uninstaller-version-build.sh.REL.tar

• Firepower 7000/8000 series: Cisco_Firepower_NGIPS_Appliance_Patch_Uninstaller-version-build.sh.REL.tar

• NGIPSv: Cisco_Firepower_NGIPS_Virtual_Patch_Uninstaller-version-build.sh.REL.tar

• ASA FirePOWER: Cisco_Network_Sensor_Patch_Uninstaller-version-build.sh.REL.tar
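As an added example that is not part of Cisco's documentation, the following Python helper encodes the package table above together with the checks the two uninstall procedures call out (package present in the upgrade directory, signed .tar not untarred, --detach unless you are on the console) and produces the Step 5 command and the Step 6 log to tail. The short platform keys, the `root` parameter used for offline testing, and the version/build placeholders are this example's own assumptions.

```python
"""Pre-flight helper for the Version 6.4.0.x patch uninstall procedure (added example)."""
import tempfile
from pathlib import Path

# Upgrade directory and uninstaller package name per platform, copied from the
# Uninstall Packages table. The short keys are labels chosen for this helper,
# not Cisco identifiers.
UNINSTALLERS = {
    "fmc":             ("/var/sf/updates",      "Cisco_Firepower_Mgmt_Center_Patch_Uninstaller"),
    "ftd-1000":        ("/ngfw/var/sf/updates", "Cisco_FTD_SSP_FP1K_Patch_Uninstaller"),
    "ftd-2100":        ("/ngfw/var/sf/updates", "Cisco_FTD_SSP_FP2K_Patch_Uninstaller"),
    "ftd-4100-9300":   ("/ngfw/var/sf/updates", "Cisco_FTD_SSP_Patch_Uninstaller"),
    "ftd":             ("/ngfw/var/sf/updates", "Cisco_FTD_Patch_Uninstaller"),  # ASA 5500-X, ISA 3000, FTDv
    "ngips-7000-8000": ("/var/sf/updates",      "Cisco_Firepower_NGIPS_Appliance_Patch_Uninstaller"),
    "ngipsv":          ("/var/sf/updates",      "Cisco_Firepower_NGIPS_Virtual_Patch_Uninstaller"),
    "asa-firepower":   ("/var/sf/updates",      "Cisco_Network_Sensor_Patch_Uninstaller"),
}


def status_log(platform):
    """Log to tail while the uninstall runs (Step 6); FTD keeps it under /ngfw."""
    if platform.startswith("ftd"):
        return "/ngfw/var/log/sf/update.status"
    return "/var/log/sf/update.status"


def package_name(platform, version, build):
    """Uninstaller file name: <package>-<version>-<build>.sh.REL.tar."""
    return f"{UNINSTALLERS[platform][1]}-{version}-{build}.sh.REL.tar"


def preflight(platform, version, build, console=False, root="/"):
    """Check the signed uninstaller is in place and return the Step 5 command.

    FileNotFoundError: package missing from the upgrade directory (the procedure
    says contact Cisco TAC). RuntimeError: something next to it looks like an
    extracted copy (the procedure says do not untar signed packages). `root`
    lets the checks run against a scratch directory instead of the appliance.
    """
    upgrade_dir, _ = UNINSTALLERS[platform]
    pkg = package_name(platform, version, build)
    appliance_path = f"{upgrade_dir}/{pkg}"
    path = Path(root) / upgrade_dir.lstrip("/") / pkg
    if not path.is_file():
        raise FileNotFoundError(f"{appliance_path} not found; contact Cisco TAC")

    # Heuristic: any sibling sharing the package stem but not named exactly like
    # the signed .tar is taken as evidence that someone untarred it.
    stem = pkg[: -len(".sh.REL.tar")]
    leftovers = sorted(p.name for p in path.parent.iterdir()
                       if p.name.startswith(stem) and p.name != pkg)
    if leftovers:
        raise RuntimeError(f"{leftovers} look like an untarred copy; run {appliance_path} as-is")

    cmd = ["sudo", "install_update.pl"]
    if not console:
        # Off the console, always detach so a dropped SSH session cannot kill the uninstall.
        cmd.append("--detach")
    cmd.append(appliance_path)
    return {"command": " ".join(cmd), "monitor": f"tail {status_log(platform)}"}


def self_check(root=None):
    """Exercise preflight in a scratch tree (constructed, not an appliance) and
    return the outcome of each case: missing package, good package, untarred package."""
    if root is None:
        with tempfile.TemporaryDirectory() as scratch:
            return self_check(scratch)
    version, build = "6.4.0.x", "NN"  # placeholders, not a real version/build
    updates = Path(root) / "ngfw/var/sf/updates"
    updates.mkdir(parents=True, exist_ok=True)
    outcomes = {}
    try:
        preflight("ftd", version, build, root=root)
    except FileNotFoundError:
        outcomes["missing"] = "contact TAC"
    (updates / package_name("ftd", version, build)).write_bytes(b"stand-in for the signed tar")
    outcomes["ok"] = preflight("ftd", version, build, root=root)
    (updates / f"Cisco_FTD_Patch_Uninstaller-{version}-{build}.sh").write_bytes(b"")
    try:
        preflight("ftd", version, build, root=root)
    except RuntimeError:
        outcomes["untarred"] = "refused"
    return outcomes


if __name__ == "__main__":
    for case, result in self_check().items():
        print(case, result)
```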


CHAPTER 6 Freshly Install Version 6.4.0

If you are unable to upgrade a Firepower appliance, or are disinclined to follow the required upgrade path, you can freshly install major Firepower releases. To run a particular patch, install Version 6.4.0, then upgrade.

• Deciding to Freshly Install, on page 47

• Guidelines and Limitations for Fresh Installs, on page 48

• Unregistering Smart Licenses, on page 50

• Installation Instructions, on page 52

Deciding to Freshly Install

Use this table to identify scenarios where you need to freshly install (also called reimaging). In all of these scenarios, including switching device management between local and remote, you will lose device configurations.

Note: Always address licensing concerns before you reimage or switch management. If you are using Cisco Smart Licensing, you must unregister from the Cisco Smart Software Manager (CSSM) to avoid accruing orphan entitlements. These can prevent you from reregistering.


Table 35: Scenarios: Do You Need a Fresh Install?

Scenario: Upgrade FMC-managed devices from a much older Firepower version.
Solution: The upgrade path from older versions can include intermediate versions. Especially in larger deployments where you must alternate FMC and device upgrade, this multi-step process can be time consuming. To save time, you can reimage older devices instead of upgrading:
1. Remove the devices from the FMC.
2. Upgrade the FMC only to its target version.
3. Reimage the devices. If you need to reimage a 7000/8000 series device running Version 5.x, see Guidelines and Limitations for Fresh Installs, on page 48.
4. Re-add the devices to the FMC.
Licensing: Removing devices from the FMC unregisters them. Reassign licenses after you re-add the devices.

Scenario: Change FTD management from FDM to FMC (local to remote).
Solution: Use the configure manager CLI command; see Command Reference for Firepower Threat Defense.
Licensing: Unregister the device before you switch management. Reassign its license after you add it to the FMC.

Scenario: Change FTD management from FMC to FDM (remote to local).
Solution: Use the configure manager CLI command; see Command Reference for Firepower Threat Defense. Exception: The device is running or was upgraded from Version 6.0.1. In this case, reimage.
Licensing: Remove the device from the FMC to unregister it. Reregister using FDM.

Scenario: Change ASA FirePOWER management between ASDM and FMC.
Solution: Start using the other management method.
Licensing: Contact Sales for new Classic licenses. ASA FirePOWER licenses are associated with a specific manager.

Scenario: Replace ASA FirePOWER with FTD on the same physical device.
Solution: Reimage.
Licensing: Convert Classic to Smart licenses; see the Firepower Management Center Configuration Guide.

Scenario: Replace NGIPSv with FTDv.
Solution: Reimage.
Licensing: Contact Sales for new Smart licenses.

Scenario: Uninstall an FTD patch with FDM.
Solution: Reimage. You cannot uninstall patches in FDM deployments.
Licensing: Unregister the device before you reimage. Reregister after.

Guidelines and Limitations for Fresh Installs

Careful planning and preparation can help you avoid missteps. Even if you are familiar with Firepower releases and have previous experience reimaging Firepower appliances, make sure you read these guidelines and limitations, as well as the instructions linked in Installation Instructions, on page 52.


Back Up Event and Configuration Data

We strongly recommend you back up to an external location and verify transfer success. Reimaging returns most settings to factory defaults, including the system password (Admin123).

Note, however, if you are reimaging so that you don't have to upgrade, you cannot use a backup to import your old configurations. You can restore a backup only from an appliance of the same model and Firepower version, with the same VDB.

As the first step in any backup, note the patch level and VDB version. Before you restore a backup, you must update the reimaged appliance to exactly those versions.

Remove Devices from the Firepower Management Center

Always remove devices from remote management before you reimage. If you are:

• Reimaging the FMC, remove all its devices from management.

• Reimaging a single device or switching from remote to local management, remove that one device.

Address Licensing Concerns

Before you reimage any Firepower appliance, address licensing concerns. You may need to unregister from the Cisco Smart Software Manager, or you may need to contact Sales for new licenses. See Deciding to Freshly Install to determine what you need to do, depending on your scenario.

For more information on licensing, see:

• Cisco Firepower System Feature Licenses Guide

• Frequently Asked Questions (FAQ) about Firepower Licensing

• The licensing chapter in your Configuration Guide.

Appliance Access

Reimaging returns most settings to factory defaults.

If you do not have physical access to an appliance, the reimage process lets you keep management network settings. This allows you to connect to the appliance after you reimage to perform the initial configuration. If you delete network settings, you must have physical access to the appliance. You cannot use Lights-Out Management (LOM).

Note: Reimaging to an earlier major version automatically deletes network settings. In this rare case, you must have physical access.

For devices, make sure traffic from your location does not have to traverse the device itself to access the device's management interface. In FMC deployments, you should also be able to access the FMC management interface without traversing the device.

Sharing Data with Cisco

Some features involve sharing data with Cisco.


In 6.2.3+, Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support. During initial setup, you may be asked to accept or decline participation. You can also opt in or out at any time.

In 6.2.3+, Web analytics tracking sends non-personally-identifiable usage data to Cisco, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your FMCs. Web analytics tracking is on by default, but you can opt out at any time after you complete initial setup.

In 6.5.0+, Cisco Support Diagnostics (sometimes called Cisco Proactive Support) sends configuration and operational health data to Cisco, and processes that data through our automated problem detection system, allowing us to proactively notify you of issues. This feature also allows Cisco TAC to collect essential information from your devices during the course of a TAC case. During initial setup, you may be asked to accept or decline participation. You can also opt in or out at any time.

Reimaging Firepower 1000/2100 Series Devices to Earlier Major Versions

We recommend that you perform a complete reimage if you need to revert a Firepower 1000/2100 series device to an earlier major version. If you use the erase configuration method, FXOS may not revert along with the Firepower Threat Defense software. This can cause failures, especially in high availability deployments.

For more information, see the reimage procedures in the Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 Series Running Firepower Threat Defense.

Reimaging Version 5.x Hardware to Version 6.3.0+

The renamed installation packages in Version 6.3+ cause issues with reimaging older physical appliances: FMC 750, 1500, 2000, 3500, and 4000, as well as 7000/8000 series devices and AMP models. If you are currently running Version 5.x and need to freshly install Version 6.4.0, rename the installation package to the "old" name after you download it; see the Renamed Upgrade and Installation Packages information in the Cisco Firepower Release Notes, Version 6.3.0.

After you reimage an FMC (Defense Center) from Version 5.x to a more recent version, it cannot manage its older devices. You should also reimage those devices, then re-add them to the FMC. Note that Series 2 devices are EOL and cannot run Firepower software past Version 5.4.0.x. You must replace them.

Unregistering Smart Licenses

Firepower Threat Defense devices, whether locally (Firepower Device Manager) or remotely (Firepower Management Center) managed, use Cisco Smart Licensing. To use licensed features, you must register with Cisco Smart Software Manager (CSSM). If you later decide to reimage or switch management, you must unregister to avoid accruing orphan entitlements. These can prevent you from reregistering.

Unregistering removes the appliance from your virtual account and releases associated licenses so they can be reassigned. When you unregister an appliance, it enters Enforcement mode. Its current configuration and policies continue to work as-is, but you cannot make or deploy any changes.

Manually unregister from CSSM before you:

• Reimage a Firepower Management Center that manages FTD devices.

• Reimage a Firepower Threat Defense device that is locally managed by FDM.

• Switch a Firepower Threat Defense device from FDM to FMC management.


Removing a device from the FMC automatically unregisters it from CSSM. Rely on that automatic unregistration when you:

• Reimage a Firepower Threat Defense device that is managed by an FMC.

• Switch a Firepower Threat Defense device from FMC to FDM management.

Note that in these two cases, removing the device from the FMC is what automatically unregisters the device. You do not have to unregister manually as long as you remove the device from the FMC.

Tip: Classic licenses for NGIPS devices are associated with a specific manager (ASDM/FMC), and are not controlled using CSSM. If you are switching management of a Classic device, or if you are migrating from an NGIPS deployment to an FTD deployment, contact Sales.

Unregister a Firepower Management Center

Unregister a Firepower Management Center from the Cisco Smart Software Manager before you reimage the FMC. This also unregisters any managed Firepower Threat Defense devices.

If the FMC is configured for high availability, licensing changes are automatically synchronized. You do not need to unregister the other FMC.

Step 1 Log into the Firepower Management Center.

Step 2 Choose System > Licenses > Smart Licenses.

Step 3 Next to Smart License Status, click the stop sign icon.

Step 4 Read the warning and confirm that you want to unregister.

Unregister an FTD Device Using FDM

Unregister locally managed Firepower Threat Defense devices from the Cisco Smart Software Manager before you either reimage or switch to remote (FMC) management.

If the device is configured for high availability, you must log into the other unit in the high availability pair to unregister that unit.

Step 1 Log into the Firepower Device Manager.

Step 2 Click Device, then click View Configuration in the Smart License summary.

Step 3 Select Unregister Device from the gear drop-down list.

Step 4 Read the warning and confirm that you want to unregister.


Installation Instructions

Neither the release notes nor the upgrade guide contain installation instructions. Instead, see one of the following documents. Installation packages are available on the Cisco Support & Download site.

Table 36: Firepower Management Center Installation Instructions

• FMC 1600, 2600, 4600: Cisco Firepower Management Center 1600, 2600, and 4600 Hardware Installation Guide: Restoring a Firepower Management Center to Factory Defaults

• FMC 1000, 2500, 4500: Cisco Firepower Management Center Getting Started Guide for Models 1000, 2500, and 4500: Restoring a Firepower Management Center to Factory Defaults

• FMC 750, 1500, 3500 and FMC 2000, 4000: Cisco Firepower Management Center Getting Started Guide for Models 750, 1500, 2000, 3500 and 4000: Restoring a Firepower Management Center to Factory Defaults

• FMCv: Cisco Firepower Management Center Virtual Getting Started Guide

Table 37: Firepower Threat Defense Installation Instructions

• Firepower 1000/2100 series: Cisco ASA and Firepower Threat Defense Reimage Guide; Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 Series Running Firepower Threat Defense

• Firepower 4100/9300 chassis: Cisco Firepower 4100/9300 FXOS Configuration Guides: Image Management chapters; Cisco Firepower 4100 Getting Started Guide; Cisco Firepower 9300 Getting Started Guide

• ASA 5500-X series: Cisco ASA and Firepower Threat Defense Reimage Guide

• ISA 3000: Cisco ASA and Firepower Threat Defense Reimage Guide

• FTDv (VMware): Cisco Firepower Threat Defense Virtual for VMware Getting Started Guide

• FTDv (KVM): Cisco Firepower Threat Defense Virtual for KVM Deployment Getting Started Guide

• FTDv (AWS): Cisco Firepower Threat Defense Virtual Quick Start Guide for the AWS Cloud

• FTDv (Azure): Cisco Firepower Threat Defense Virtual for the Microsoft Azure Cloud Quick Start Guide


Table 38: Firepower 7000/8000 Series, NGIPSv, and ASA FirePOWER Installation Instructions

• Firepower 7000 series: Cisco Firepower 7000 Series Getting Started Guide: Restoring a Device to Factory Defaults

• Firepower 8000 series: Cisco Firepower 8000 Series Getting Started Guide: Restoring a Device to Factory Defaults

• NGIPSv: Cisco Firepower NGIPSv Quick Start Guide for VMware

• ASA FirePOWER: Cisco ASA and Firepower Threat Defense Reimage Guide; ASDM Book 2: Cisco ASA Series Firewall ASDM Configuration Guide: Managing the ASA FirePOWER Module


CHAPTER 7 Documentation

The following topics provide links to Firepower documentation:

• Updated Documentation for Version 6.4.0.x, on page 55

• Documentation Roadmaps, on page 55

Updated Documentation for Version 6.4.0.x

The following Firepower documentation was updated for at least one Version 6.4.0.x patch:

• Cisco Firepower Compatibility Guide

• Cisco Firepower Management Center Upgrade Guide

• Firepower Management Center Configuration Guide, Version 6.4 and online help

For links to documentation not updated or newly available with this release, see the Documentation Roadmaps, on page 55.

Documentation Roadmaps

Documentation roadmaps provide links to currently available and legacy documentation:

• Navigating the Cisco Firepower Documentation

• Navigating the Cisco ASA Series Documentation

• Navigating the Cisco FXOS Documentation


CHAPTER 8 Resolved Issues

Bugs listed for a patch were verified as resolved when that patch was initially released.

Note: For your convenience, this document provides lists of resolved bugs for each patch. These lists are auto-generated once and are not subsequently updated. Depending on how and when a particular resolved issue was categorized or updated in our system, it may not appear in the release notes. You should regard the Cisco Bug Search Tool as the 'source of truth.'

• Searching for Resolved Issues, on page 57

• Resolved Issues in New Builds, on page 58

• Version 6.4.0.8 Resolved Issues, on page 58

• Version 6.4.0.7 Resolved Issues, on page 61

• Version 6.4.0.6 Resolved Issues, on page 61

• Version 6.4.0.5 Resolved Issues, on page 63

• Version 6.4.0.4 Resolved Issues, on page 64

• Version 6.4.0.3 Resolved Issues, on page 68

• Version 6.4.0.2 Resolved Issues, on page 69

• Version 6.4.0.1 Resolved Issues, on page 71

Searching for Resolved Issues

If you have a support contract, you can use the Cisco Bug Search Tool to obtain an up-to-date list of resolved bugs for Firepower products. These general queries display resolved bugs for Firepower products running Version 6.4.0.x patches:

• Firepower Management Center

• Firepower Management Center Virtual

• ASA with FirePOWER Services

• NGIPSv

You can constrain searches to bugs affecting specific Firepower platforms and versions. You can also search by bug ID, or for specific keywords.
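The resolved-issue tables that follow come from a PDF extraction, so each row's headline and bug ID either run together on one line or split across two. This added helper, written for this page and not part of Cisco's documentation, rebuilds the rows and indexes them by bug ID across patches so you can see which 6.4.0.x patches list a given bug before choosing a patch; the sample rows are copied from Tables 40 and 41, and the dotted-numeric version ordering is this example's own assumption.

```python
"""Rebuild and index the flattened 'Headline / Bug ID' tables (added example)."""
import re
from collections import defaultdict

# Bug IDs in these notes look like CSCvq34224: "CSC", two lowercase letters,
# five digits, always at the end of the row text.
BUG_ID = re.compile(r"CSC[a-z]{2}\d{5}$")


def parse_resolved_rows(lines):
    """Return [(bug_id, headline), ...] from extracted table text.

    Handles the two shapes seen in the extraction: headline and ID fused on one
    line ('...keyword: sslCSCvh75756'), or a long headline on one line with the
    ID alone on the next. A headline never followed by an ID is dropped.
    """
    rows, pending = [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = BUG_ID.search(line)
        if m is None:
            pending = line                      # headline whose ID wrapped to the next line
        elif m.start() == 0:
            if pending is not None:             # ID alone on its own line
                rows.append((m.group(0), pending))
            pending = None
        else:
            rows.append((m.group(0), line[: m.start()].rstrip()))
            pending = None
    return rows


def _version_key(version):
    """Order '6.4.0.7' before '6.4.0.8' numerically rather than lexically."""
    return tuple(int(part) for part in version.split("."))


def index_by_bug(tables):
    """tables: {patch version: raw lines of its Resolved Issues table}.

    Returns (index, headlines): index maps bug ID -> ascending list of patch
    versions whose table lists it; headlines maps bug ID -> first headline seen.
    """
    listed, headlines = defaultdict(set), {}
    for version, lines in tables.items():
        for bug_id, headline in parse_resolved_rows(lines):
            listed[bug_id].add(version)
            headlines.setdefault(bug_id, headline)
    return {b: sorted(v, key=_version_key) for b, v in listed.items()}, headlines


def earliest_patch(index, bug_id):
    """Lowest patch version listing the bug, or None if no table lists it."""
    versions = index.get(bug_id)
    return versions[0] if versions else None


# Constructed sample: a few rows copied from Tables 40 (6.4.0.8) and 41 (6.4.0.7),
# in the shapes the extraction produces.
SAMPLE_TABLES = {
    "6.4.0.8": """
DHCP Client Proxy doesn't disable after FO units are flippedCSCul34972
Duplicate preprocessor keyword: sslCSCvh75756
Try to assign devices to platform settings policy list of devices randomly disappear under policy

CSCvk55766
Turn off egress-optimization processingCSCvs32023
""".splitlines(),
    "6.4.0.7": """
Duplicate preprocessor keyword: sslCSCvh75756
Cisco Firepower Management Center LDAP Authentication Bypass VulnerabilityCSCvr95287
Turn off egress-optimization processingCSCvs32023
""".splitlines(),
}

if __name__ == "__main__":
    index, headlines = index_by_bug(SAMPLE_TABLES)
    for bug_id in sorted(index):
        print(bug_id, index[bug_id], headlines[bug_id])
```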


Resolved Issues in New Builds

Sometimes Cisco releases updated builds. In most cases, only the latest build for each platform is available on the Cisco Support & Download site. We strongly recommend you use the latest build. If you downloaded an earlier build, do not use it.

You cannot upgrade from one build to another for the same Firepower version. If a new build would fix your issue, determine if an upgrade or hotfix would work instead. If not, contact Cisco TAC. See the Cisco Firepower Hotfix Release Notes for quicklinks to publicly available Firepower hotfixes.

Use this table to determine if a new Version 6.4.0.x build is available for your platform.

Table 39: Version 6.4.0.x Patches with New Builds

Version: 6.4.0.2
New Build: 35
Released: 2019-07-03
Platforms: FMC/FMCv; FTD/FTDv, except Firepower 1000 series
Resolves: CSCvq34224: Firepower PrimaryDetectionEngine process terminated after Manager upgrade. If you already upgraded to Version 6.4.0.2-34 and have FTD devices configured for high availability, apply Hotfix F. In FMC deployments, apply the hotfix to the FMC. In FDM deployments, apply the hotfix to both devices.

Version 6.4.0.8 Resolved Issues

Table 40: Version 6.4.0.8 Resolved Issues (Bug ID: Headline)

CSCul34972: DHCP Client Proxy doesn't disable after FO units are flipped
CSCva36446: ASA Stops Accepting Anyconnect Sessions/Terminates Connections Right After Successful SSL handshake
CSCvd33448: fireamp.pl using 100% Cpu after restore backup.
CSCvh75756: Duplicate preprocessor keyword: ssl
CSCvk55766: Try to assign devices to platform settings policy list of devices randomly disappear under policy
CSCvm85823: Not able to ssh, ssh_exec: open(pager) error on console
CSCvo74833: High unmanaged disk space on Firepower devices due to untracked files
CSCvp04134: Traceback in HTTP Cli Exec when upgrading to 9.12.1
CSCvp06526: Manage the sfhassd thread CPU affinity to match the Snort CPU affinity


CSCvp39970: /var/opt/CSCOpx/MDC/tomcat/log/stdout.logs writing excessive log messages which may fill the disk
CSCvp81083: ASA/Lina Traceback related to TLS/VPN
CSCvq10239: With SSL HW acceleration enabled, FTD TCP Proxy tears down the connection after 3 retransmissions
CSCvq14954: Slave unit having mgmt-only can't join to cluster
CSCvq29969: Firepower Recommendations rule count changes even when not regenerated
CSCvq34160: traceback and reload when establishing ASDM connection to fp1000 series platform
CSCvq43453: Overrides cannot be added for port object if it is used in variable sets in sub domains
CSCvq45105: ENH: Add "Management-access" to FDM flex-config CLI and a CLI-console API issue via SSE/CDO
CSCvq46587: After failover, Active unit tcp sessions are not removed when timeout reached
CSCvq50587: ASA/FTD may traceback and reload in Thread Name 'BGP Router'
CSCvq51284: FPR 2100, low block 9472 causes packet loss through the device.
CSCvq56257: Cached malware disposition does not always expire as expected
CSCvq67271: Retrieving a specific rule by ID of a child Access Policy returns a 404 : Not Found status.
CSCvq73599: Cisco VPN session replay vulnerability : STRAP fix on ASA for SSL (OpenSSL 1.0.2) and SCEP proxy
CSCvq75634: Management interface configuration leads to immediate traceback and reload
CSCvq76198: Traffic interruptions for FreeBSD systems
CSCvq83019: Long processing time to insert policy deploy task if many application filter object used in ACPolicy
CSCvq87797: Multiple context 5585 ASA, transparent context losing management interface configuration.
CSCvq88644: Traceback in tcp-proxy
CSCvq95058: IPSEC SA is deleted by failover which is caused by link down
CSCvq97346: NAT rules deleted from FDM backend after moving NAT rules in UI and deploying
CSCvr04954: Stack Units: Deploy fails after upgrade on different Domain with unable to load NDPolicy obj err
CSCvr10777: ASA Traceback in Ikev2 Daemon


CSCvr11395: Only a subset of devices were deployed from a device group during scheduled deploy
CSCvr25768: ASA may traceback on display_hole_og
CSCvr25954: FTD/LINA Standby may traceback and reload during logging command replication from Active
CSCvr27445: App-sync failure if unit tries to join HA during policy deployment
CSCvr29638: HA FTD on FPR2110 traceback after deploy ACP from FMC
CSCvr29978: Changing a rule and saving quickly might remove configuration.
CSCvr36687: Overrides cannot be added for network object if it is used in variable sets in sub domains
CSCvr50266: Dual stack ASAv failover triggered by reload issue
CSCvr53058: AC policy lookup done for SYN+ACK packet when tcp-intercept and a monitor AC policy is configured
CSCvr54054: Mac Rewrite Occurring for Identity Nat Traffic
CSCvr55400: FTD/LINA traceback and reload observed in thread name: cli_xml_server
CSCvr59927: Deployment failure if SRU install is in progress
CSCvr60111: configurations getting wiped off from standby, while deployment fails on active
CSCvr61239: Information systems must use the POST method over TLS when transmitting
CSCvr61241: Information Systems implementing file upload feature must validate the file size
CSCvr61252: systems must enforce controls that prevent confidential information from being stored within cookie
CSCvr61492: device loading slow, related REST API calls
CSCvr66768: Lina Traceback during FTD deployment when PBR config is being pushed
CSCvr81457: FTD traceback when TLS tracker (tls_trk_sniff_for_tls) attempted to free a block.
CSCvr85295: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote
CSCvs10114: Nested network object group not getting expanded for NAP rules resulting in deployment failure
CSCvs23750: 6.4.0.4 FMC WebUI cannot create a Series-3 stack
CSCvs32023: Turn off egress-optimization processing
CSCvs53705: Anyconnect sessions limited incorrectly


Version 6.4.0.7 Resolved Issues

Table 41: Version 6.4.0.7 Resolved Issues (Bug ID: Headline)

CSCvh75756: Duplicate preprocessor keyword: ssl
CSCvr52109: FTD may not match correct Access Control rule following a deploy to multiple devices
CSCvr88123: multi-deploy causes a sudden drop of intrusion events
CSCvr95287: Cisco Firepower Management Center LDAP Authentication Bypass Vulnerability
CSCvs32023: Turn off egress-optimization processing

Version 6.4.0.6 Resolved Issues

Note: Version 6.4.0.6 was removed from the Cisco Support & Download site on 2019-12-19. If you are running this version, we recommend you upgrade. The bugs listed here are also fixed in Version 6.4.0.7.

Table 42: Version 6.4.0.6 Resolved Issues

Bug ID      Headline
CSCvm48451  Intrusion Event Performance Graphs load blank on 4100 and 9300
CSCvn77388  SDI - SUSPENDED servers cause 15sec delay in the completion of a authentication with a good server
CSCvo11280  ASA Enhancement: Generate syslog message once member of the SDI cluster changes state
CSCvo28118  Traceback in VPN Clustering HA timer thread when member tries to join the cluster
CSCvo43795  OSPF Process ID doesnot change even after clearing OSPF process
CSCvo73250  ENH: ACE details for warning "found duplicate element"
CSCvo74397  ENH: Add process information to "Command Ignored, configuration in progress..."
CSCvo88762  FTD inline/transparent sends packets back through the ingress interface
CSCvp04186  cts import-pac tftp: syntax does not work
CSCvp12582  Option to display port number on access-list instead of well known port name on ASA
CSCvp23109  ASA HA IKEv2 generic RA - AnyConnect Premium All In Use incorrect on standby


CSCvp33341  Cisco ASA and Firepower Threat Defense Software WebVPN Cross-Site Scripting Vulnerability
CSCvp55901  LINA traceback on ASA in HA Active Unit repeatedly
CSCvp55941  FILE RESUME BLOCK being randomly thrown causing access issues on files from SMB share.
CSCvp56805  "Too much data during a write" messages flooding communication channel
CSCvp76944  Cisco ASA and FTD Software WebVPN CPU Denial of Service Vulnerability
CSCvp85736  Cluster master reload cause ping failure to the Management virtual IP
CSCvp87623  Upload an update gives "update request entity too large" error when using CAC (HTTPS Client Certs)
CSCvq05113  ASA failover LANTEST messages are sent on first 10 interfaces in the configuration.
CSCvq09093  VPN Pre-deploy validations takes around 20 seconds for each device
CSCvq17263  FTD LINA traceback at DATAPATH-8-15821
CSCvq24494  FP2100 - Flow oversubscribing ring/CPU core causing disruption to working flows on FP2100 platforms
CSCvq28250  ENH: ASA Cluster debug for syn cookie issues
CSCvq36042  lost heartbeat causing reload
CSCvq39317  ASA is unable to verify the file integrity
CSCvq40943  FTD 4150 VPN s2s deployment failure with 6K spokes
CSCvq44665  FTD/ASA : Traceback in Datapath with assert snp_tcp_intercept_assert_disabled
CSCvq45000  Policy deployment to FP 8000 sensor is failing when NAT is configured
CSCvq46443  Cisco Firepower Management Center Stored Cross-Site Scripting Vulnerability
CSCvq53915  Cisco Firepower Management Center Multiple Cross-Site Scripting Vulnerabilities
CSCvq54667  SSL VPN may not be able to establish due to SSL negotiation issue
CSCvq57591  When only IP communication is disrupted on failover link LANTEST msg is not sent on data interfaces
CSCvq59702  Connection events stop coming from device after lost handshake message
CSCvq60131  ASA traceback observed when moving EZVPN spokes to the device.
CSCvq63024  Dual stacked ASAv manual failover issues
CSCvq64742  ASA5515-K9 standby traceback in Thread Name ssh


CSCvq65241  ASA Traceback on Saleen in Thread Name: IPv6 IDB
CSCvq65542  Disable asp load-balance per-packet functionality from fp2100 until all bugs fixed
CSCvq69111  Traceback: Cluster unit lina assertion in thread name:Cluster controller
CSCvq70468  ASA cluster does not flush OSPF routes
CSCvq70485  Slow "securityzones" REST API
CSCvq70775  FPR2100 FTD Standby unit leaking 9K blocks
CSCvq71217  High Disk Utilization due to mysql-server.err failing to rotate after CSCvn30118
CSCvq75743  ASA:BGP recursive route lookup for destination 3 hop away is failing.
CSCvq76533  F_RNA_EVENT_LIMIT for MC4000 should be 20 million
CSCvq77547  Connections fail to replicate in failover due to failover descriptor mis-match on port-channels
CSCvq80318  ASA generates incorrect error message about PCI cfg space when enumerating Internal-Data0/1
CSCvq81516  VPN events between 12 and 1 PM UTC are not displayed on the FMC
CSCvq83168  DNS lookup using mgmt VRF not possible because FMC doesn't allow interface after server address
CSCvq87703  Active device is not reporting correct peer state.
CSCvq91645  Flow Offload Hashing Change of Behavior
CSCvq92126  ASA traceback in Thread IPsec Message Handler
CSCvq94729  Deployment rollback causes momentary traffic drop when error in a LINA ONLY section of delta cli
CSCvr00892  where clause not working for external data base access
CSCvr07421  Policy deployment fails with 400+ interfaces in security zone due to incorrect formation of deployDB

Version 6.4.0.5 Resolved Issues

Table 43: Version 6.4.0.5 Resolved Issues

Bug ID      Headline
CSCvh73096  Read sAMAccountUserName from ISE when it is available
CSCvp95663  InlineResult for IPS event missing metadata "Would have blocked"


CSCvp97061  URL Filtering Shows All URLs as Uncategorized
CSCvq32678  Upgrade anomalies result in policy deploy failure: NGFW_UPGRADE is missing in map file
CSCvq32681  Fail to Wire configuration disabled for multiple interface-pair inline-sets during FTD upgrades
CSCvq39083  Security Intelligence does not drop HTTPS connections to blacklisted URLs when SSL policy is enabled
CSCvq41936  Must disable and then re-enable SNMP in FMC UI after adding new user
CSCvq44594  Flooding of logs with message "Unknown HPQ rule key"
CSCvq46804  Unable to login with AD username containing upper case RADIUS
CSCvq46918  SNMPv3 User(s) deleted after upgrade
CSCvq54242  Warrning "There is an empty group in the source networks" in SSL policy
CSCvq56138  User login fails into FMC GUI for LDAP user if the password contains SPACE in the string
CSCvq56462  File policy not inspecting some malware document (.doc) and Adobe flash (.swf) files.
CSCvq65092  Slow device related REST API calls
CSCvq66217  FMT | MTU value not within the permissible range
CSCvr23858  Policy deployment from FMC to FTD fails due to domain_snapshot_timeout (20m)

Version 6.4.0.4 Resolved Issues

Table 44: Version 6.4.0.4 Resolved Issues

Bug ID      Headline
CSCvf83160  Traceback on Thread Name: DATAPATH-2-1785
CSCvg29468  False positive for general microengine fault
CSCvh13869  ASA IKEv2 unable to open aaa session: session limit [2048] reached
CSCvj61580  ASA traceback with Thread: DATAPATH-8-2035
CSCvk22322  ASA Traceback (watchdog timeout) when syncing config from active unit (inc. cachefs_umount)
CSCvk26612  "default Keyring's certificate is invalid, reason: expired" health alert
CSCvk29685  Traceback in DATAPATH on ASA


CSCvm36362  Route tracking failure
CSCvm39901  ENH: ASA - support for more than 4 servers in multiple mode.
CSCvm40288  Port-Channel issues on HA link
CSCvm64400  IKEv2: IKEv2-PROTO-2: Failed to allocate PSH from platform
CSCvm68648  review of CVE-2016-8858 (OpenSSH) on Firepower software
CSCvn76875  Graceful Restart BGP does not work intermittently
CSCvn78593  Control-plane ACL doesn't work correctly on FTD
CSCvn78870  ASA Multicontext traceback and reload due to allocate-interface out of range command
CSCvn99658  FXOS lacp related logs pktmgr.out and lacp.out grows too large
CSCvo03700  ASA may traceback in thread logger when cluster is enabled on slave unit
CSCvo14961  ASA may traceback and reload while waiting for "dns_cache_timer" process to finish.
CSCvo29989  Cisco FirePower Threat Defense Information Disclosure Vulnerability
CSCvo31695  Traceback in threadname DATAPATH-0-1668 while freeing memory block
CSCvo45755  ASA SCP transfer to box stall mid-transfer
CSCvo47390  ASA traceback in thread SSH
CSCvo48838  Lina does not properly report the error for configuration line that is too long
CSCvo51265  SCP large file transfer to the box result in a traceback
CSCvo55809  ASA App stuck in installing state on few images
CSCvo65741  ASA: BGP routes is cleared on routing table after failover occur and bgp routes are changed
CSCvo66534  Traceback and reload citing Datapath as affected thread
CSCvo68184  management-only of diagnostic I/F on secondary FTD get disappeared
CSCvo74350  ASA may traceback and reload. Potentially related to WebVPN traffic
CSCvo74625  6.4.0 - IPv6 routing doesn't work for WM and KP when mgmt gateway configure as data-interfaces
CSCvo78789  Cisco Adaptive Security Appliance Smart Tunnel Vulnerabilities
CSCvo80501  Standby Firewall reloads with a traceback upon doing a manual failover
CSCvo87930  HTTP with ipv6 using w3m is failing
CSCvo87985  ASA sends password in plain text for "copy" command


CSCvo90153  ASA unable to authenticate users with special characters via https
CSCvo90998  LACPDUs should not be sent to snort for inline-set interfaces
CSCvo97979  The delay command in interface configuration is modified after rebooted
CSCvp12052  ASA may traceback and reload. suspecting webvpn related
CSCvp14674  ASAv Azure: Route table BGP propagation setting reset when ASAv fails over
CSCvp19910  Unable to process gtpv1 identification req message for header TEID : 0
CSCvp19998  ASA drops GTPV1 SGSN Context Req message with header TEID:0
CSCvp23137  ASA/FTD generates syslog for missing SSD 2: /dev/sdb is present. Status: Inoperable.
CSCvp30447  Syslog alerts are not sent to server when Global Rule Thresholding is disabled on Intrusion Policy
CSCvp32617  "established tcp" does not work post 9.6.2
CSCvp35141  ASA sends invalid redirect response for POST request
CSCvp35384  IKEv2 RA Generic client - stuck outgoing asp table entry - traffic encrypted with stale SPI
CSCvp38530  Unable to configure more than 100 aaa-server group limit reached
CSCvp42275  CCM Infrastructure Update for WR8
CSCvp43066  DHCP NACK silently dropped by ASA sent from DHCP server if configured as DHCP relay
CSCvp46341  Fail-to-Wire (FTW) Ports fail to recover on 2100 Firepower platforms.
CSCvp49576  FTD Cluster traceback experienced when other unit leaves the Cluster
CSCvp54261  Audit syslog for SFR module/7000/8000 devices uses TCP instead of UDP for syslog communication
CSCvp55880  Fail-Closed FTD passes packets through on Snort processes down
CSCvp59864  IP Address stuck in local pool and showing as "In Use" even when the AnyConnect client disconnects
CSCvp63068  Thread Name: CP DP SFR Event Processing traceback
CSCvp65134  ASA does not respond to DHCP request packet on BVI interface
CSCvp70020  After reboot, "ssh version 1 2" added to running-config
CSCvp70699  ASA Failover split brain (both units active) after rebooting a Firepower chassis
CSCvp71180  MCA+AAA+OTP with RADIUS challenge fails to send aggauth handle in challenge


CSCvp72412  Time zone in syslogs messages
CSCvp73555  rna_networks is empty after Network Discovery deployment.
CSCvp79157  FTD/Firepower Policy deployment fails when running simultaneous deployment to many devices.
CSCvp80775  Unsupported runtime JavaScript exception handling in the client side WebVPN rewriter
CSCvp83687  Firepower: Network file trajectory graph does not load
CSCvp84546  ASA 9.9.2 Clientless WebVPN - HTML entities are incorrectly decoded when processing HTML
CSCvq00005  FTD traceback and reload on LINA thread
CSCvq06790  Snort processes dump core with memory corruption on Series 3 devices
CSCvq08684  Policy Deployment Failure due to Special Characters & encoding
CSCvq08767  Deployment failing in snort validation- SMTP: Could not allocate SMTP mime mempool
CSCvq11513  Traceback: "saml identity-provider" command will crash multi-context ASAs
CSCvq12411  ASA may traceback due to SCTP traffic despite fix CSCvj98964
CSCvq13442  When deleting context the ssh key-exchange goes to Default GLOBALLY!
CSCvq21607  "ssl trust-point" command will be removed when restoring backup via CLI
CSCvq24134  ASA IKEv2 - ASA sends additional delete message after initiating a phase 2 rekey
CSCvq25626  Watchdog on ASAv when logging to buffer
CSCvq25912  Correlation rule alerting is not working in 6.4.0
CSCvq26794  GTP response messages with non existent cause are getting dropped with error message TID is 0
CSCvq27010  Memory leak observed when ASA-SFR dataplane communication flaps
CSCvq37902  TID fails to add source as a URL - Flat file
CSCvq39828  SFDC crashes inserting into packet_log table after upgrading to 6.4.0
CSCvq50314  Failed SSH Login attempts not being exported via syslog
CSCvq57710  Firepower Primary Detection Engine process might terminated after Manager upgrade
CSCvq61651  URL DB download failure alerts on FMC; new URL DB updates not taking effect on FMC/FDM
CSCvq86553  Traffic not matching expected ACP rule after updating to 6.4.0


CSCvq87068  Deleted URL Objects are not being removed from the ngfw.rules.
CSCvq97301  Fatal Error message in FMC GUI when upgrading 5525 from 6.4.0-102 > 6.4.0.4-31 but upgrade completes

Version 6.4.0.3 Resolved Issues

Table 45: Version 6.4.0.3 Resolved Issues

Bug ID      Headline
CSCve24102  GUI should allow max 256 addresses per DHCP pool
CSCvp10132  AnyConnect connections fail with TCP connection limit exceeded error
CSCvp66559  Deploy fails on FTD HA due to exception when parsing big xml response
CSCvp25570  Unable to create RAVPN Conn-Profile if group-policy attr and FQDN are edited in the same wizard flow
CSCvp32659  FDM-HA formation has failed after upgrading to 6.3.0.3-69
CSCvp56910  Help pages always show up in English
CSCvo68448  ASA report SFR module as 'Unresponsive' after reloading ASA module on 5585 platform
CSCvp01542  FMC 6.3 Multitenancy/Domain LDAPS User/Group Download Failure Due to Certificate Location
CSCvp23579  Network FIle Trajectory page takes 90 seconds to load each time
CSCvp33052  Firepower 8000 interfaces might flap due to unhandled resource temporarily unavailable issue
CSCvp37779  FTD show tech from troubleshooting files incomplete
CSCvp46173  Changes in interface-group or interface-zone in subdomain overwrites Global domain.
CSCvp58028  natd thread of nfm_exceptiond uses about 90% to 100% CPU time
CSCvp72601  FMC UI: VPN Hub and Spoke topology slow loading
CSCvp72770  BCDB file copy from FMC on to vFTD getting truncated, vFTD running on Azure platform.
CSCvp75594  Deployment failure after upgrade to 6.4 in ASA5500-X running FTD
CSCvp94588  HTTP blacklist - blacklist rules are not removed from sensor when unassigned and deplyed from FMC


CSCvp97799  Policy deploy failure 6.5.0-1148 post upgrade with CCmode with openSSL call during SSL pol Export
CSCvp98066  On reset CD not clearing its flags[parseFailoverReqIssued] which prevents further node join attempts
CSCvq07914  FMC 6.4.0 - Policy deployment failure - Duplicate domain entries in domains.conf
CSCvq14586  600_schema/100_update_database.sh should return error if database update fails

Version 6.4.0.2 Resolved Issues

Table 46: Version 6.4.0.2 Resolved Issues

Bug ID      Headline
CSCvi63474  Unable to edit the system policy of a SFR module via ASDM after upgrading to 6.2.2
CSCvk06386  FTD Files are Allowed Through Multiple Pre-existing Connections Despite the File Policy Verdict
CSCvk14242  sfstunnel process in FTD is holding large cloud db files that are already deleted
CSCvm70274  tcp proxy: ASA traceback on DATAPATH
CSCvn07452  712x devices become unstable when switching inline set from TAP to inline
CSCvn12381  4140 Multi-Instance Not Load-Balancing Correctly with 4 Instances
CSCvn34246  Loading AC policy editor takes too long, needs loading indicator
CSCvn45750  FMC Audit Logs will only display Admin and System as owners when deploying to 3D devices -GUI/SYSLOG
CSCvn57284  Unsupported EC curve x25519 on FTD
CSCvn74112  FTDv does not have configuration on initial bringup with mix of vmxnet3 and ixgbevf interfaces
CSCvn75368  FPR platform IPsec VPN goes down intermittently
CSCvn86777  Deployment on FTD with low memory results on interface nameif to be removed
CSCvo02097  Upgrading ASA cluster to 9.10.1.7 cause traceback
CSCvo17775  EIGRP breaks when new sub-interface is added and "mac-address auto" is enabled
CSCvo23366  Deploy failed because adaptive profiling config file corrupt
CSCvo24145  ids_event_alerter high memory usage due to large firewall_rule_cache table
CSCvo33348  Mysql traffic on non standard port is not correctly classified


CSCvo33851  ngfwManager doesn't start if ngfw.properties is empty
CSCvo41572  FMC shows connection events with packet count as 0
CSCvo45209  FTD-CLUSTER:Adding new unit in cluster can cause traffic drop
CSCvo47562  VPN sessions failing due to PKI handles not freed during rekeys
CSCvo50168  Audit Log Settings Failing Leading to being unable to edit System Settings
CSCvo56836  SCALE: with 500+ devices, UMS causes the UI to hang, especially during deploy
CSCvo58847  Enhancement to address high IKE CPU seen due to tunnel replace scenario
CSCvo60580  ASA traceback and reloads when issuing "show inventory" command
CSCvo60862  Internal Error when editing an Access Control Policy
CSCvo62031  ASA Traceback and reload while running IKE Debug
CSCvo62060  Telemetry not sent when FMC managing lots of devices
CSCvo66920  Enhancement: add counter for Duplicate remote proxy
CSCvo72179  For SMB, remote storage configuration should allow configuring version string with dot(.)
CSCvo72462  Do not decrypt rule causes traffic interruptions.
CSCvo74745  cloud agent core after generating a large number of continuous URL lookups (>30M)
CSCvo88188  SSL rules with App-ID conditions can limit decryption capability
CSCvo88306  NAT rules can get applied in the wrong order when you have duplicate rules
CSCvo89224  FMC times out after 10 mins to fetch device list for deployment
CSCvo90550  Firepower Recommendations does not enable IPS rules that are GID 3
CSCvo90805  Cisco Firepower Management Center RSS Cross-Site Scripting Vulnerabilities
CSCvp03498  Health monitoring options for user identity functionality on FMC.
CSCvp07143  DTLS 1.2 and AnyConnect oMTU
CSCvp14576  ENH - Option to configure Port Block Allocation on FTD
CSCvp18878  ASA: Watchdog traceback in Datapath
CSCvp19549  FTD lina cored with Thread name: cli_xml_server
CSCvp21837  Allow FTDs to perform URL lookups directly without having to go through the FMC
CSCvp24728  Random SGT tags added by FTD


CSCvp24787  (snort)File is not getting detected when going over HTTPS (SSL Resign)
CSCvp25583  FTD sets automatically metric 0 when we redistribute OSPF into BGP via FMC GUI.
CSCvp27263  Multiple ClamAV Vulnerabilities For Cisco Firepower Management Center for pre 6.5.0
CSCvp29692  FIPS mode gets disabled after rollback from a failed policy deploy
CSCvp35359  FMC-ISE integration doesn't work if explicit UPN doesn't match implicit UPN
CSCvp36425  ASA 5506/5508/5516 traceback in Thread Name octnic_hm_thread
CSCvp43474  REST API query /api/fmc_config/v1/domain/UUID/devices/devicerecords fails
CSCvp43536  On upgraded FMC Device FXOS devices are shown dirty even after successful deployment.
CSCvp54634  Wrong rule matched when using ambiguous DND
CSCvp58310  integrate pxgrid capability, connection hang, curl hang issues
CSCvp75098  Misleading deploy Warning message when Flex Config policy is being deployed
CSCvp78197  Policy deployment remove and add back ospf neighbor
CSCvp81967  Slowness in loading Device Management page on FMC when there are over 500 managed devices
CSCvp82945  NAT policy apply failing with error duplicate
CSCvp96934  Ensure Error Message with Dup NATs Is Clear and Actionable
CSCvq07573  FMC Global Pre-deployment Phase takes longer after upgrade to 6.4
CSCvq09209  Policy deployment failed with error snort validation failed (Bad value specified for memcap )
CSCvq34224  Firepower Primary Detection Engine process terminated after Manager upgrade

Version 6.4.0.1 Resolved Issues

Table 47: Version 6.4.0.1 Resolved Issues

Bug ID      Headline
CSCvh51853  Random packet drops by session preprocessor
CSCvp59960  Network discovery not working with network groups containing literals - user or Cisco created.


CHAPTER 9: Known Issues

For known issues, see:

• Searching for Known Issues, on page 73

Searching for Known Issues

If you have a support contract, you can use the Cisco Bug Search Tool to obtain an up-to-date list of open bugs for Firepower products. These general queries display open bugs for Firepower products running Version 6.4.0.x patches:

• Firepower Management Center

• Firepower Management Center Virtual

• ASA with FirePOWER Services

• NGIPSv

You can constrain searches to bugs affecting specific Firepower platforms and versions. You can also search by bug ID, or for specific keywords.


CHAPTER 10: For Assistance

Thank you for choosing Firepower.

• Online Resources, on page 75

• Contact Cisco, on page 75

Online Resources

Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open service requests. Use these resources to install and configure Firepower software and to troubleshoot and resolve technical issues.

• Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html

• Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/

• Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html

Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.

Contact Cisco

If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:

• Email Cisco TAC: [email protected]

• Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447

• Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts
