Cisco Firepower Release Notes, Version 6.4.0.1, 6.4.0.2, 6.4.0.3, 6.4.0.4, 6.4.0.5, 6.4.0.7, and 6.4.0.8
First Published: 2019-05-15
Last Modified: 2020-02-25

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.
Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 2019–2020 Cisco Systems, Inc. All rights reserved.
CONTENTS

Chapter 1: Welcome to Version 6.4.0.x 1
    About the Release Notes 1
    Release Dates 1
Chapter 2: Compatibility 3
    Firepower Management Centers 3
    Firepower Devices 4
    Manager-Device Compatibility 6
    Web Browser Compatibility 7
    Screen Resolution Requirements 8
    Additional Compatibility Resources 9
Chapter 3: Features and Functionality 11
    New Features 11
    Deprecated Features 12
    FMC How-To Walkthroughs 13
Chapter 4: Upgrade to Version 6.4.0.x 15
    Guidelines and Warnings for Version 6.4.0.x 15
        Upgrade Failure: Insufficient Disk Space on Container Instances 15
        EtherChannels on Firepower 1010 Devices Can Blackhole Egress Traffic 16
        Versions 6.4.0.1 and 6.4.0.2 Not Supported on Firepower 1000 Series 16
    General Guidelines and Warnings 16
    Minimum Version to Upgrade 18
    Time Tests and Disk Space Requirements 19
        About Time Tests 19
        About Disk Space Requirements 20
        Version 6.4.0.8 Time and Disk Space 20
        Version 6.4.0.7 Time and Disk Space 21
        Version 6.4.0.6 Time and Disk Space 21
        Version 6.4.0.5 Time and Disk Space 21
        Version 6.4.0.4 Time and Disk Space 22
        Version 6.4.0.3 Time and Disk Space 22
        Version 6.4.0.2 Time and Disk Space 23
        Version 6.4.0.1 Time and Disk Space 24
    Traffic Flow, Inspection, and Device Behavior 24
        FTD Upgrade Behavior: Firepower 4100/9300 Chassis 24
        FTD Upgrade Behavior: Other Devices 28
        Firepower 7000/8000 Series Upgrade Behavior 29
        ASA FirePOWER Upgrade Behavior 31
        NGIPSv Upgrade Behavior 31
    Upgrade Instructions 32
    Upgrade Packages 32
Chapter 5: Uninstall a Version 6.4.0.x Patch 35
    Guidelines and Limitations for Uninstalling 35
        Uninstall Order for HA/Scalability Deployments 38
    Uninstall Instructions 40
        Uninstall from a Standalone FMC 40
        Uninstall from High Availability FMCs 41
        Uninstall from Any Device (FMC Managed) 42
        Uninstall from ASA FirePOWER (ASDM Managed) 43
    Uninstall Packages 45
Chapter 6: Freshly Install Version 6.4.0 47
    Deciding to Freshly Install 47
    Guidelines and Limitations for Fresh Installs 48
    Unregistering Smart Licenses 50
        Unregister a Firepower Management Center 51
        Unregister an FTD Device Using FDM 51
    Installation Instructions 52
Chapter 7: Documentation 55
    Updated Documentation for Version 6.4.0.x 55
    Documentation Roadmaps 55
Chapter 8: Resolved Issues 57
    Searching for Resolved Issues 57
    Resolved Issues in New Builds 58
        Version 6.4.0.8 Resolved Issues 58
        Version 6.4.0.7 Resolved Issues 61
        Version 6.4.0.6 Resolved Issues 61
        Version 6.4.0.5 Resolved Issues 63
        Version 6.4.0.4 Resolved Issues 64
        Version 6.4.0.3 Resolved Issues 68
        Version 6.4.0.2 Resolved Issues 69
        Version 6.4.0.1 Resolved Issues 71
Chapter 9: Known Issues 73
    Searching for Known Issues 73
Chapter 10: For Assistance 75
    Online Resources 75
    Contact Cisco 75
Chapter 1: Welcome to Version 6.4.0.x
Thank you for choosing Firepower.
• About the Release Notes, on page 1
• Release Dates, on page 1

About the Release Notes

The release notes provide critical and release-specific information for Version 6.4.0.x, including upgrade warnings and behavior changes. Read this document even if you are familiar with Firepower releases and have previous experience upgrading Firepower deployments.
Upgrading or freshly installing (reimaging) a Firepower deployment can be a complex process. Rather than provide instructions here, the release notes point you to the appropriate resources. For links to upgrade and installation instructions, see:
• Upgrade Instructions, on page 32
• Installation Instructions, on page 52
Release Dates

For a list of all platforms available with Version 6.4.0.x, see Compatibility, on page 3.
Sometimes Cisco releases updated builds. In most cases, only the latest build for each platform is available on the Cisco Support & Download site. We strongly recommend you use the latest build. If you downloaded an earlier build, do not use it. For more information, see Resolved Issues in New Builds, on page 58.
Table 1: Version 6.4.0.x Release Dates

Version | Build | Date | Platforms
6.4.0.8 | 28 | 2020-01-29 | All
6.4.0.7 | 53 | 2019-12-19 | All
6.4.0.6 | 28 | 2019-10-16 | Not available. See Deprecated Features, on page 12.
6.4.0.5 | 23 | 2019-09-18 | All
6.4.0.4 | 34 | 2019-08-21 | All
6.4.0.3 | 29 | 2019-07-17 | All
6.4.0.2 | 35 | 2019-07-03 | FMC/FMCv; FTD/FTDv, except Firepower 1000 series
6.4.0.2 | 34 | 2019-06-27 | —
6.4.0.2 | 34 | 2019-06-26 | Firepower 7000/8000 series; ASA FirePOWER; NGIPSv
6.4.0.1 | 17 | 2019-06-27 | FMC 1600, 2600, 4600
6.4.0.1 | 17 | 2019-06-20 | Firepower 4115, 4125, 4145; Firepower 9300 with SM-40, SM-48, and SM-56 modules
6.4.0.1 | 17 | 2019-05-15 | FMC 750, 1000, 1500, 2000, 2500, 3500, 4000, 4500; FMCv; Firepower 2110, 2120, 2130, 2140; Firepower 4110, 4120, 4140, 4150; Firepower 9300 with SM-24, SM-36, and SM-44 modules; ASA 5508-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X; ASA 5585-X-SSP-10, -20, -40, -60; ISA 3000; FTDv; Firepower 7000/8000 series; NGIPSv
Chapter 2: Compatibility

This chapter provides compatibility information for Firepower Version 6.4.0.x patches.

• Firepower Management Centers, on page 3
• Firepower Devices, on page 4
• Manager-Device Compatibility, on page 6
• Web Browser Compatibility, on page 7
• Screen Resolution Requirements, on page 8
• Additional Compatibility Resources, on page 9

Firepower Management Centers

Version 6.4.0.x Firepower Management Center software is supported on physical and virtual platforms. Any FMC can manage any Firepower device.
Firepower Management Center Physical Platforms
Version 6.4.0.x supports:
• FMC 1600, 2600, 4600
• FMC 1000, 2500, 4500
• FMC 2000, 4000
• FMC 750, 1500, 3500
We recommend you keep the BIOS and RAID controller firmware up to date. For more information, see the Cisco Firepower Compatibility Guide.

Firepower Management Center Virtual (FMCv) Platforms
Version 6.4.0.x supports:
• FMCv on VMware vSphere/VMware ESXi 6.0 or 6.5
• FMCv on Kernel-based virtual machine (KVM)
• FMCv on Amazon Web Services (AWS)
• FMCv on Microsoft Azure
For supported FMCv instances, see the Cisco Firepower Management Center Virtual Getting Started Guide.
Firepower Devices

About Firepower Devices

Version 6.4.0.x Firepower device software is supported on a wide range of physical and virtual platforms.
• Software: Some Firepower devices run Firepower Threat Defense (FTD) software; some run NGIPS/ASA FirePOWER software. Some can run either — but not both at the same time.
• Remote Management: All Firepower devices support remote management with a Firepower Management Center, which can manage multiple devices.
• Local Management: Some Firepower devices support local, single-device management. You can manage FTD with the Firepower Device Manager (FDM), or ASA FirePOWER with ASDM. You can use only one management method for a device at a time.
• OS/Hypervisor: Some Firepower implementations bundle the operating system with the software. Others require that you upgrade the operating system yourself. For versions and builds of bundled operating systems, refer to the Bundled Components information in the Cisco Firepower Compatibility Guide.
Supported Firepower Devices
The following table provides compatibility information for Firepower devices running Version 6.4.0.x. Again, remember that all devices support remote FMC management.
Table 2: Firepower Devices in Version 6.4.0.x

Device Platform | Software | Local Mgmt. | OS/Hypervisor

Firepower 1010, 1120, 1140; Firepower 2110, 2120, 2130, 2140 | FTD | FDM | —

Firepower 4110, 4120, 4140, 4150; Firepower 4115, 4125, 4145; Firepower 9300 with SM-24, SM-36, SM-44 modules; Firepower 9300 with SM-40, SM-48, SM-56 modules | FTD | — | FXOS 2.6.1.157 or later build. Separate upgrade. Upgrade FXOS first. To resolve issues, you may need to upgrade FXOS to the latest build. To help you decide, see the Cisco Firepower 4100/9300 FXOS Release Notes, 2.6(1).

ISA 3000; ASA 5508-X, 5516-X; ASA 5515-X, 5525-X, 5545-X, 5555-X | FTD | FDM | —

ISA 3000; ASA 5508-X, 5516-X; ASA 5515-X, 5525-X, 5545-X, 5555-X | ASA FirePOWER (NGIPS) | ASDM | Any of: ASA 9.5(2), 9.5(3); ASA 9.6(x) through 9.13(x). Except: ASA 5515-X devices running ASA 9.13(x)+ do not support ASA FirePOWER. Separate upgrade. See the Cisco ASA Upgrade Guide for order of operations. There is wide compatibility between ASA and ASA FirePOWER versions. However, even if an ASA upgrade is not strictly required, resolving issues may require an upgrade to the latest supported version. We do recommend you upgrade the ASA 5508-X and 5516-X to the latest ROMMON image; see the instructions in the Cisco ASA and Firepower Threat Defense Reimage Guide.

ASA 5585-X-SSP-10, -20, -40, -60 | ASA FirePOWER (NGIPS) | ASDM | Any of: ASA 9.5(2), 9.5(3); ASA 9.6(x) through 9.12(x). Separate upgrade. See the Cisco ASA Upgrade Guide for order of operations. There is wide compatibility between ASA and ASA FirePOWER versions. However, even if an ASA upgrade is not strictly required, resolving issues may require an upgrade to the latest supported version.

FTDv | FTD | FDM (VMware and KVM only) | Any of: VMware vSphere/VMware ESXi 6.0 or 6.5; KVM; AWS; Microsoft Azure. For supported instances, see the appropriate FTDv Quick Start/Getting Started guide.

NGIPSv | NGIPS | — | VMware vSphere/VMware ESXi 6.0 or 6.5. For supported instances, see the Cisco Firepower NGIPSv Quick Start Guide for VMware.

Firepower 7010, 7020, 7030, 7050; Firepower 7110, 7115, 7120, 7125; Firepower 8120, 8130, 8140; Firepower 8250, 8260, 8270, 8290; Firepower 8350, 8360, 8370, 8390; AMP 7150, 8050, 8150; AMP 8350, 8360, 8370, 8390 | NGIPS | Limited local GUI for select management functions. | —
Manager-Device Compatibility

The FMC must run at least the same major version as the devices it manages. Although you can manage a patched device with an unpatched FMC, new features and resolved issues often require the latest patch on both the FMC and its managed devices. We strongly recommend that you patch your entire deployment.

Table 3: Version 6.4.0.x Manager-Device Compatibility

Firepower Management Center
• Version 6.4.0.x FMC can manage Version 6.1 through 6.4.0.x devices.
• Version 6.4.0.x devices require Version 6.4.0 FMC.

Firepower Device Manager
• Version 6.4.0.x FDM can manage one FTD device.

ASDM
• Version 7.12.1 ASDM can manage Version 6.4.0.x and earlier ASA FirePOWER modules.
• Version 6.4.0.x ASA FirePOWER modules require Version 7.12.1 ASDM.
Web Browser Compatibility

Browsing the Web from a Firepower-Monitored Network

Many browsers use Transport Layer Security (TLS) v1.3 by default. If you are using an SSL policy to handle encrypted traffic, and people in your monitored network use browsers with TLS v1.3 enabled, websites that support TLS v1.3 may fail to load.
For more information, see the software advisory titled: Failures loading websites using TLS 1.3 with SSL inspection enabled.

Secure Communications with the FMC

SSL certificates allow the FMC (and 7000/8000 series devices) to establish an encrypted channel between the appliance and your browser.
By default, the system comes with a self-signed HTTPS server certificate. We recommend that you replace it with a certificate signed by a globally known or internally trusted certificate authority (CA). You can generate custom server certificate requests and import custom server certificates on the HTTPS Certificates page; choose System > Configuration, then click HTTPS Certificates.
For more information, see the online help or the Firepower Management Center Configuration Guide.

Browsers Tested with Firepower Web Interfaces

Firepower web interfaces are tested with the latest versions of popular browsers: Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer, running on currently supported versions of macOS and Microsoft Windows. If you encounter issues with any other browser, or are running an operating system that has reached end of life, we ask that you switch or upgrade. If you continue to encounter issues, contact Cisco TAC.

Note: Although we do not perform extensive testing with either Apple Safari or Microsoft Edge, Cisco TAC also welcomes feedback on issues you encounter with the latest version of these browsers.
Table 4: Browsers Tested with Firepower Web Interfaces

Browser | Required Settings and Additional Warnings

Google Chrome | JavaScript, cookies. Chrome does not cache static content, such as images, CSS, or JavaScript, with the system-provided self-signed certificate. Especially in low bandwidth environments, this can extend page load times. If you do not want to replace the self-signed certificate, you can instead add it to the trust store of the browser/OS.

Mozilla Firefox | JavaScript, cookies, TLS v1.2. When it updates, Firefox sometimes stops trusting the system-provided self-signed certificate. If you do not want to replace the certificate, and the login page does not load, refresh Firefox. Type about:support in the Firefox search bar and click Refresh Firefox. You will lose some settings; see the Refresh Firefox support page.

Microsoft Internet Explorer 11 (Windows only) | JavaScript, cookies, TLS v1.2, 128-bit encryption. Also, you must:
• For the Check for newer versions of stored pages browsing history option, choose Automatically.
• Disable the Include local directory path when uploading files to server custom security setting.
• Enable Compatibility View for the Firepower web interface IP address/URL.
Not tested with FMC walkthroughs.
Browser Extension Compatibility
Some browser extensions (for example, Grammarly and Whatfix Editor) can prevent you from saving values in fields like the certificate and key in PKI objects. These extensions insert characters (such as HTML) in the fields, which causes the FMC to see them as invalid. We recommend you disable these extensions while you're using the FMC.
Screen Resolution Requirements

Table 5: Screen Resolution Requirements for Firepower User Interfaces

Interface | Resolution
Firepower Management Center | 1280 x 720
7000/8000 series device (limited local interface) | 1280 x 720
Firepower Device Manager | 1024 x 768
ASDM managing an ASA FirePOWER module | 1024 x 768
Firepower Chassis Manager for Firepower 4100/9300 chassis | 1024 x 768
Additional Compatibility Resources

This table provides links to release notes and additional compatibility information. For full documentation roadmaps, see Documentation Roadmaps, on page 55.

Table 6: Additional Compatibility Resources

Description | Resources
Compatibility guides provide detailed compatibility information for supported hardware models and software versions, including bundled components and integrated products. | Cisco Firepower Compatibility Guide; Cisco ASA Compatibility; Cisco Firepower 4100/9300 FXOS Compatibility
Release notes provide critical and release-specific information, including upgrade warnings and behavior changes. | Cisco Firepower Release Notes; Cisco ASA Release Notes; Cisco Firepower 4100/9300 FXOS Release Notes
Sustaining bulletins provide support timelines for the Cisco Next Generation Firewall product line, including management platforms and operating systems. | Cisco NGFW Product Line Software Release and Sustaining Bulletin
Chapter 3: Features and Functionality

Firepower Version 6.4.0.x includes:
• New Features, on page 11
• Deprecated Features, on page 12
• FMC How-To Walkthroughs, on page 13
New Features

This table summarizes the new features available in Version 6.4.0.x patches.

Table 7: Version 6.4.0.x New Features

Feature: Detection of rule conflicts in FTD NAT policies
Version: 6.4.0.2
Description: After you upgrade to Version 6.4.0.2, you can no longer create FTD NAT policies with conflicting rules (often referred to as duplicate or overlapping rules). This fixes an issue where conflicting NAT rules were applied out-of-order.
If you currently have conflicting NAT rules, you will be able to deploy post-upgrade. However, your NAT rules will continue to be applied out-of-order.
Therefore, we recommend that after the upgrade, you inspect your FTD NAT policies by editing (no changes are needed) then attempting to resave. If you have rule conflicts, the system will prevent you from saving. Correct the issues, save, and then deploy.
Supported platforms: FTD with FMC

Feature: ISE Connection Status Monitor health module
Version: 6.4.0.2
Description: A new health module, the ISE Connection Status Monitor, monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the FMC.
New/modified screens: System > Health > Policy > create or edit policy > ISE Connection Status Monitor
Supported platforms: FMC

Feature: New syslog fields
Version: 6.4.0.4
Description: These new syslog fields collectively identify a unique connection event:
• Sensor UUID
• First Packet Time
• Connection Instance ID
• Connection Counter
These fields also appear in syslogs for intrusion, file, and malware events, allowing connection events to be associated with those events.
Supported platforms: Any
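One way a SOC can use the four fields above, as an added example that is not Cisco code: a small Python correlator that groups intrusion, file, and malware syslogs under the connection event they belong to, keyed on all four fields together. The "Event type: key: value, ..." line layout, the field labels, and the sample values are constructed for illustration; adapt parse_line() to the real FTD syslog format before using it on production logs.

```python
"""Correlate Firepower intrusion/file/malware syslogs with their connection event.

Added example, not Cisco code. The line layout and sample values below are
constructed; only the four key field names come from the release notes.
"""
import re
from collections import defaultdict

# The four Version 6.4.0.4 syslog fields that together identify one connection event.
KEY_FIELDS = (
    "Sensor UUID",
    "First Packet Time",
    "Connection Instance ID",
    "Connection Counter",
)

# Constructed sample lines (assumed layout: "<event type>: key: value, key: value, ...").
# Note the two connection events that share a counter but differ in instance ID.
SAMPLE_LOGS = [
    "Connection Event: Sensor UUID: 3f2a-sensor-01, First Packet Time: 2019-09-18T10:00:01Z, "
    "Connection Instance ID: 1, Connection Counter: 42, Src: 10.0.0.5, Dst: 203.0.113.9, Action: Allow",
    "Connection Event: Sensor UUID: 3f2a-sensor-01, First Packet Time: 2019-09-18T10:00:01Z, "
    "Connection Instance ID: 2, Connection Counter: 42, Src: 10.0.0.6, Dst: 203.0.113.10, Action: Allow",
    "Intrusion Event: Sensor UUID: 3f2a-sensor-01, First Packet Time: 2019-09-18T10:00:01Z, "
    "Connection Instance ID: 1, Connection Counter: 42, SID: 1:1000001, Priority: High",
    "File Event: Sensor UUID: 3f2a-sensor-01, First Packet Time: 2019-09-18T10:00:01Z, "
    "Connection Instance ID: 1, Connection Counter: 42, FileName: invoice.exe, Disposition: Unknown",
    # Key fields present, but no matching connection event was logged: stays an orphan.
    "Malware Event: Sensor UUID: 3f2a-sensor-01, First Packet Time: 2019-09-18T10:00:07Z, "
    "Connection Instance ID: 1, Connection Counter: 99, FileName: dropper.bin, Disposition: Malware",
    # Pre-6.4.0.4 style line without the key fields: cannot be correlated at all.
    "Intrusion Event: Sensor UUID: 3f2a-sensor-01, Priority: Low, SID: 1:1000001",
]

# "Key: value" pairs separated by commas; values may contain colons (timestamps, SIDs).
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?): ([^,]+)")


def parse_line(line):
    """Split a constructed syslog line into (event_type, {field: value})."""
    event_type, _, body = line.partition(": ")
    fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(body)}
    return event_type, fields


def connection_key(fields):
    """Return the composite key, or None if any of the four fields is missing."""
    try:
        return tuple(fields[name] for name in KEY_FIELDS)
    except KeyError:
        return None


def correlate(lines):
    """Group intrusion/file/malware events under their connection event.

    Returns (matched, orphans). matched maps each connection key to
    {"connection": fields, "events": [(event_type, fields), ...]}. orphans
    lists events that lack the key fields or whose connection event never appeared.
    """
    matched = {}
    pending = defaultdict(list)  # events seen before their connection event
    orphans = []
    for line in lines:
        event_type, fields = parse_line(line)
        key = connection_key(fields)
        if key is None:
            orphans.append((event_type, fields))
        elif event_type == "Connection Event":
            matched[key] = {"connection": fields, "events": pending.pop(key, [])}
        elif key in matched:
            matched[key]["events"].append((event_type, fields))
        else:
            pending[key].append((event_type, fields))
    for events in pending.values():
        orphans.extend(events)
    return matched, orphans


if __name__ == "__main__":
    matched, orphans = correlate(SAMPLE_LOGS)
    for key, entry in matched.items():
        conn = entry["connection"]
        print(f"{conn['Src']} -> {conn['Dst']} (instance {key[2]}, counter {key[3]}): "
              f"{len(entry['events'])} related event(s)")
        for event_type, fields in entry["events"]:
            print(f"  {event_type}: {fields}")
    print(f"{len(orphans)} event(s) could not be tied to a connection event")
```

Sensor UUID and Connection Counter alone would merge the two connection events in the sample; the full four-field key keeps them apart, which is why the release notes list all four.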
Deprecated Features

Note: End of support is planned for user control with the Cisco Firepower User Agent software and identity source. You should switch to Cisco Identity Services Engine/Passive Identity Connector (ISE/ISE-PIC) now. This will also allow you to take advantage of features that are not available with the user agent. To convert your license, contact Sales.
For more information, see the appropriate Cisco Firepower User Agent Configuration Guide on the Cisco Firepower Management Center Configuration Guides page.

These features were deprecated in Version 6.4.0.x patches.
Table 8: Version 6.4.0.x Deprecated Features

Feature: Egress optimization
Version: 6.4.0.7
Description: To mitigate CSCvq34340, patching an FTD device to Version 6.4.0.7 turns off egress optimization processing. This happens regardless of whether the egress optimization feature is enabled or disabled.
Note: Upgrading to Version 6.5.0 will turn egress optimization back on, if you left the feature 'enabled.' We recommend you patch to Version 6.5.0.2+. If you remain at Version 6.5.0 or 6.5.0.1, you should manually disable egress optimization from the FTD CLI: no asp inspect-dp egress-optimization.
For more information, see the software advisory: FTD traffic outage due to 9344 block size depletion caused by the egress optimization feature.
Affected platforms: FTD

Feature: Version 6.4.0.6 no longer available
Version: 6.4.0.6
Description: Version 6.4.0.6 was removed from the Cisco Support & Download site on 2019-12-19. If you are running this version, we recommend you upgrade.
If you upgrade from Version 6.4.0.6 to a later patch, and then uninstall that patch, you return to Version 6.4.0.6. At that point, you should either immediately upgrade, or uninstall Version 6.4.0.6. Do not remain at Version 6.4.0.6.
Affected platforms: All
FMC How-To Walkthroughs

Version 6.3.0 introduces walkthroughs (also called how-tos) on the FMC, which guide you through a variety of basic tasks such as device setup and policy configuration. Just click How To at the bottom of the browser window, choose a walkthrough, and follow the step-by-step instructions.

Note: Walkthroughs are tested on the Firefox and Chrome browsers. If you encounter issues with a different browser, we ask that you switch to Firefox or Chrome. If you continue to encounter issues, contact Cisco TAC.

The following table lists some common problems and solutions. To end a walkthrough at any time, click the x in the upper right corner.
Table 9: Troubleshooting Walkthroughs

Problem: Cannot find the How To link to start walkthroughs.
Solution: Make sure walkthroughs are enabled. From the drop-down list under your username, select User Preferences then click How-To Settings.

Problem: Walkthrough appears when you do not expect it.
Solution: If a walkthrough appears when you do not expect it, end the walkthrough.

Problem: Walkthrough disappears or quits suddenly.
Solution: If a walkthrough disappears:
• Move your pointer. Sometimes the FMC stops displaying an in-progress walkthrough. For example, pointing to a different top-level menu can make this happen.
• Navigate to a different page and try again. If moving your pointer does not work, the walkthrough may have quit.

Problem: Walkthrough is out of sync with the FMC:
• Starts on the wrong step.
• Advances prematurely.
• Will not advance.
Solution: If a walkthrough is out of sync, you can:
• Attempt to continue. For example, if you enter an invalid value in a field and the FMC displays an error, the walkthrough can prematurely move on. You may need to go back and resolve the error to complete the task.
• End the walkthrough, navigate to a different page, and try again. Sometimes you cannot continue. For example, if you do not click Next after you complete a step, you may need to end the walkthrough.
Chapter 4: Upgrade to Version 6.4.0.x

This chapter provides critical and release-specific information for Version 6.4.0.x.
You should also read Features and Functionality, on page 11 for information on any new, changed, or deprecated features and functionality.

• Guidelines and Warnings for Version 6.4.0.x, on page 15
• General Guidelines and Warnings, on page 16
• Minimum Version to Upgrade, on page 18
• Time Tests and Disk Space Requirements, on page 19
• Traffic Flow, Inspection, and Device Behavior, on page 24
• Upgrade Instructions, on page 32
• Upgrade Packages, on page 32
Guidelines and Warnings for Version 6.4.0.x

This checklist contains important upgrade guidelines and warnings that apply to Version 6.4.0.x patches. Also, make sure to review General Guidelines and Warnings, on page 16.

Table 10: Version 6.4.0.x Guidelines

✓ | Guideline | Platforms | Upgrading From | Directly To
  | Upgrade Failure: Insufficient Disk Space on Container Instances, on page 15 | Firepower 4100/9300 | 6.4.0.x | Later patches; 6.5.0
  | EtherChannels on Firepower 1010 Devices Can Blackhole Egress Traffic, on page 16 | Firepower 1010 | 6.4.0 only | 6.4.0.3 through 6.4.0.5
  | Versions 6.4.0.1 and 6.4.0.2 Not Supported on Firepower 1000 Series, on page 16 | Firepower 1000 series | 6.4.0 only | 6.4.0.1 or 6.4.0.2
Upgrade Failure: Insufficient Disk Space on Container Instances

Deployments: Firepower 4100/9300 with FTD
Upgrading from: Version 6.3.0 through 6.4.0.x
Directly to: Version 6.3.0.1 through Version 6.5.0

Most often during major upgrades — but possible while patching — FTD devices configured with container instances can fail in the precheck stage with an erroneous insufficient-disk-space warning.
If this happens to you, you can try to free up more disk space. If that does not work, contact Cisco TAC.
EtherChannels on Firepower 1010 Devices Can Blackhole Egress Traffic

Deployments: Firepower 1010 with FTD
Affected Versions: Version 6.4.0 to 6.4.0.5
Related Bug: CSCvq81354

We strongly recommend you do not configure EtherChannels on Firepower 1010 devices running FTD Version 6.4.0 to Version 6.4.0.5. (Note that Versions 6.4.0.1 and 6.4.0.2 are not supported on this model.)
Due to an internal traffic hashing issue, some EtherChannels on Firepower 1010 devices may blackhole some egress traffic. The hashing is based on source/destination IP address so the behavior will be consistent for a given source/destination IP pair. That is, some traffic consistently works and some consistently fails.
We will fix this issue in an upcoming 6.4.0.x patch. It is also fixed in Version 6.5.0.
Versions 6.4.0.1 and 6.4.0.2 Not Supported on Firepower 1000 Series

Deployments: Firepower 1000 series
Upgrading from: Version 6.4.0
Directly to: Version 6.4.0.1 or 6.4.0.2
You cannot upgrade a Firepower 1000 series device to Version 6.4.0.1 or 6.4.0.2.
General Guidelines and Warnings

These important guidelines and warnings apply to every upgrade. However, this list is not comprehensive. For links to additional important information on the upgrade process, which can include planning upgrade paths, OS upgrades, readiness checks, backups, maintenance windows, and so on, see Upgrade Instructions, on page 32.

Back Up Event and Configuration Data

We strongly recommend you back up to an external location and verify transfer success. When you upgrade an appliance, it purges locally stored backups. In FMC deployments, we also recommend you back up the FMC after you upgrade your deployment. This is so you have a new FMC backup file that 'knows' that its devices have been upgraded.
As the first step in any backup, note the patch level and VDB version. This is important because if you need to restore the backup to a new or reimaged appliance, you must first update that new appliance to exactly those versions. You can restore a backup only from an appliance of the same model and Firepower version, with the same VDB.
Verify NTP Synchronization
Before you upgrade, make sure Firepower appliances are synchronized with any NTP server you are using to serve time. Being out of sync can cause upgrade failure. In FMC deployments, the Time Synchronization Status health module does alert if clocks are out of sync by more than 10 seconds, but you should still check manually.
To check time:
• FMC: Choose System > Configuration > Time.
• Devices: Use the show time CLI command.
Appliance Access
Firepower devices can stop passing traffic during the upgrade (depending on interface configurations), or if the upgrade fails. Before you upgrade a Firepower device, make sure traffic from your location does not have to traverse the device itself to access the device's management interface. In Firepower Management Center deployments, you should also be able to access the FMC management interface without traversing the device.
Signed Upgrade Packages
So that Firepower can verify that you are using the correct files, upgrade packages from (and hotfixes to) Version 6.2.1+ are signed tar archives (.tar). Upgrades from earlier versions continue to use unsigned packages.
When you manually download upgrade packages from the Cisco Support & Download site—for example, for a major upgrade or in an air-gapped deployment—make sure you download the correct package. Do not untar signed (.tar) packages.

Note: After you upload a signed upgrade package, the GUI can take several minutes to load as the system verifies the package. To speed up the display, remove signed packages after you no longer need them.
Disable ASA REST API on ASA FirePOWER Devices
Before you upgrade an ASA FirePOWER module, make sure the ASA REST API is disabled. Otherwise, the upgrade could fail. From the ASA CLI: no rest-api agent. You can reenable after the uninstall: rest-api agent.
Sharing Data with Cisco
Some features involve sharing data with Cisco.
In Version 6.2.3+, Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support. During upgrades, you may be asked to accept or decline participation. You can also opt in or out at any time.
In Version 6.2.3+, Web analytics tracking sends non-personally-identifiable usage data to Cisco, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your FMCs. If you are upgrading from Version 6.1 through 6.2.2.x, the upgrade enables web analytics tracking. If you do not want Cisco to collect this data, you can opt out after the upgrade. (If you are upgrading from Version 6.2.3.x or Version 6.3.0.x, the upgrade process respects your current setting.)
In Version 6.5.0+, Cisco Support Diagnostics (sometimes called Cisco Proactive Support) sends configuration and operational health data to Cisco, and processes that data through our automated problem detection system, allowing us to proactively notify you of issues. This feature also allows Cisco TAC to collect essential information from your devices during the course of a TAC case. During upgrades, you may be asked to accept or decline participation. You can also opt in or out at any time.
Upgrades Can Import and Auto-Enable Intrusion Rules
If a newer intrusion rule uses keywords that are not supported in your current Firepower version, that rule isnot imported when you update the intrusion rule database (SRU).
After you upgrade the Firepower software and those keywords become supported, the new intrusion rules are imported and, depending on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic flow.
Supported keywords depend on the Snort version included with your Firepower software. To find your Snort version:
• FMC: Choose Help > About.
• FTD with FDM: Use the show summary CLI command.
• ASA FirePOWER with ASDM: Choose ASA FirePOWER Configuration > System Information.
You can also find your Snort version in the Bundled Components section of the Cisco Firepower Compatibility Guide.
The Snort release notes contain details on new keywords. You can read the release notes on the Snort download page: https://www.snort.org/downloads.
Unresponsive Upgrades
Do not deploy changes to or from, manually reboot, or shut down an upgrading appliance. Do not restart an upgrade in progress. The upgrade process may appear inactive during prechecks; this is expected. If you encounter issues with the upgrade, including a failed upgrade or unresponsive appliance, contact Cisco TAC.
Minimum Version to Upgrade
You can patch Firepower software only within the current major version sequence. Patches are cumulative, so you can always skip directly to the latest patch.
Table 11: Minimum Version to Upgrade Firepower Software to Version 6.4.0.x

Platform | Minimum Version
Firepower Management Center, and all managed devices in FMC deployments | 6.4.0
Firepower Threat Defense (all platforms) with FDM | 6.4.0
ASA FirePOWER with ASDM | 6.4.0
Time Tests and Disk Space Requirements
To upgrade a Firepower appliance, you must have enough free disk space or the upgrade fails. When you use the Firepower Management Center to upgrade a managed device, the FMC requires additional disk space in its /Volume partition, for the device upgrade package. You must also have enough time to perform the upgrade.
We provide reports of in-house time and disk space tests for reference purposes.
About Time Tests
Time values given here are based on in-house tests.
Note: Although we report the slowest time of all upgrades tested for a particular platform/series, your upgrade will likely take longer than the provided times for multiple reasons, provided below.
Basic Test Conditions
• Deployment: Values are from tests in a Firepower Management Center deployment. This is because raw upgrade times for remotely and locally managed devices are similar, given similar conditions.
• Versions: For major upgrades, we test upgrades from all eligible previous major versions. For patches, we test upgrades from the base version and from the immediately preceding patch.
• Models: In most cases, we test on the lowest-end models in each series, and sometimes on multiple models in a series.
• Virtual settings: We test with the default settings for memory and resources.
Time Is For Upgrade Only
Values represent the time it took for the Firepower upgrade script to run on each platform. For releases after early 2020, we also provide our observed reboot time.
Values do not include time for:
• Transferring upgrade packages, including copying (pushing) upgrade packages from the FMC to devices.
• Readiness checks.
• VDB and SRU updates.
• Deploying configurations.
• Reboots, for releases before early 2020.
Note that in FMC deployments, insufficient bandwidth between the FMC and managed devices can extend upgrade time or even cause the upgrade to time out. Make sure you have the bandwidth to perform a large data transfer from the FMC to its devices. For more information, see Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote).
Time Is For Single Devices
Values are per device. In a high availability or clustered configuration, devices upgrade one at a time to preserve continuity of operations, with each device operating in maintenance mode while it upgrades. Upgrading a device pair or entire cluster, therefore, takes longer than upgrading a standalone device.
Note that stacked 8000 series devices upgrade simultaneously, with the stack operating in a limited, mixed-version state until all devices complete the upgrade. This should not take significantly longer than upgrading a standalone device.
Affected Configurations and Data
We test on appliances with minimal configurations and traffic load. Upgrade time can increase with the complexity of your configurations, size of event databases, and whether/how those things are affected by the upgrade. For example, if you use a lot of access control rules and the upgrade needs to make a backend change to how those rules are stored, the upgrade can take longer.
About Disk Space Requirements
Space estimates are the largest reported for all upgrades. For releases after early 2020, they are:
• Not rounded up (under 1 MB).
• Rounded up to the next 1 MB (1 MB - 100 MB).
• Rounded up to the next 10 MB (100 MB - 1GB).
• Rounded up to the next 100 MB (greater than 1 GB).
Version 6.4.0.8 Time and Disk Space
Table 12: Version 6.4.0.8 Time and Disk Space

Platform | Space on / | Space on /Volume | Space on FMC | Time from 6.4.0
FMC | 170 MB | 5 GB | — | 44 min
FMCv: VMware 6.0 | 170 MB | 5.1 GB | — | 32 min
Firepower 1000 series | 3 GB | 3 GB | 530 MB | 18 min
Firepower 2100 series | 2.5 GB | 2.5 GB | 510 MB | 18 min
Firepower 4100 series | 1.8 GB | 1.8 GB | 310 MB | 14 min
Firepower 9300 | 2 GB | 2 GB | 310 MB | 11 min
ASA 5500-X series with FTD | 110 MB | 1.8 GB | 290 MB | 17 min
FTDv: VMware 6.0 | 110 MB | 1.9 GB | 290 MB | 12 min
Firepower 7000/8000 series | 190 MB | 3.7 GB | 650 MB | 25 min
ASA FirePOWER | 110 MB | 2.2 GB | 590 MB | 16 min
NGIPSv: VMware 6.0 | 150 MB | 2.1 GB | 450 MB | 9 min
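The following added example (not Cisco's code) is a preflight check that combines two rules from this chapter: the appliance must already run 6.4.0 or a 6.4.0.x patch earlier than the target, and the appliance (plus the FMC, when it pushes the package) must have the free space listed in Table 12 for Version 6.4.0.8. Disk usage is read from df -k output, which is assumed to be captured in the appliance's expert-mode shell; the sample output is constructed, and the platform names and REQUIRED_MB map are the example's own.

```python
import re

GB = 1024            # MB per GB, so the table's GB figures compare against df's kilobyte counts
TARGET = "6.4.0.8"

# Free space needed to upgrade to Version 6.4.0.8, copied from Table 12:
# platform -> (MB on /, MB on /Volume, MB the FMC needs on its /Volume for the device package).
REQUIRED_MB = {
    "FMC": (170, 5 * GB, 0),
    "FMCv": (170, int(5.1 * GB), 0),
    "Firepower 1000 series": (3 * GB, 3 * GB, 530),
    "Firepower 2100 series": (int(2.5 * GB), int(2.5 * GB), 510),
    "Firepower 4100 series": (int(1.8 * GB), int(1.8 * GB), 310),
    "Firepower 9300": (2 * GB, 2 * GB, 310),
    "ASA 5500-X series with FTD": (110, int(1.8 * GB), 290),
    "FTDv": (110, int(1.9 * GB), 290),
    "Firepower 7000/8000 series": (190, int(3.7 * GB), 650),
    "ASA FirePOWER": (110, int(2.2 * GB), 590),
    "NGIPSv": (150, int(2.1 * GB), 450),
}


def version_tuple(version):
    """'6.4.0.5' -> (6, 4, 0, 5); tuple comparison orders versions correctly."""
    return tuple(int(p) for p in version.split("."))


def patch_allowed(current, target=TARGET):
    """A patch applies only within the major version sequence (6.4.0 here) and only forward."""
    cur, tgt = version_tuple(current), version_tuple(target)
    return cur[:3] == tgt[:3] == (6, 4, 0) and cur < tgt


# One 'df -k' data line: filesystem, 1K-blocks, used, available, use%, mount point.
_DF_LINE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\d+)\s+\d+%\s+(/\S*)\s*$", re.MULTILINE)


def free_mb_by_mount(df_output):
    """Map mount point -> free MB, from the 'Available' column of 'df -k'."""
    return {mount: int(avail_k) // 1024 for avail_k, mount in _DF_LINE.findall(df_output)}


def readiness_findings(platform, current, df_device, df_fmc=None, target=TARGET):
    """Return blocking findings; an empty list means the version and disk checks passed."""
    findings = []
    if not patch_allowed(current, target):
        findings.append(f"{current} cannot be patched to {target}: appliance must run 6.4.0 or an earlier 6.4.0.x patch")
    need_root, need_volume, need_fmc = REQUIRED_MB[platform]
    free = free_mb_by_mount(df_device)
    if free.get("/", 0) < need_root:
        findings.append(f"/ has {free.get('/', 0)} MB free, needs {need_root} MB")
    if free.get("/Volume", 0) < need_volume:
        findings.append(f"/Volume has {free.get('/Volume', 0)} MB free, needs {need_volume} MB")
    if need_fmc and df_fmc is not None:
        fmc_free = free_mb_by_mount(df_fmc).get("/Volume", 0)
        if fmc_free < need_fmc:
            findings.append(f"FMC /Volume has {fmc_free} MB free, needs {need_fmc} MB for the device package")
    return findings


# Constructed 'df -k' captures (not from real appliances).
DF_FTD_4100 = """Filesystem     1K-blocks     Used Available Use% Mounted on
rootfs           3996600  1570024   2426576  40% /
/dev/sda3       42059760 26340940  13571404  67% /Volume
tmpfs            8166480        0   8166480   0% /dev/shm
"""
DF_FTD_2100_LOW = """Filesystem     1K-blocks     Used Available Use% Mounted on
rootfs           3996600  2907704   1088896  73% /
/dev/sda3       16771284 14123476   2647808  85% /Volume
"""
DF_FMC = """Filesystem      1K-blocks      Used Available Use% Mounted on
/dev/sda1         3844324   1106740   2542220  31% /
/dev/sda3      1738409684 987264760 662790020  60% /Volume
"""

if __name__ == "__main__":
    for platform, current, df in [("Firepower 4100 series", "6.4.0.3", DF_FTD_4100),
                                  ("Firepower 2100 series", "6.4.0.5", DF_FTD_2100_LOW)]:
        problems = readiness_findings(platform, current, df, DF_FMC)
        print(platform, "ready" if not problems else problems)
```

The space figures are the largest observed in Cisco's tests, so treat a pass as necessary rather than sufficient, and re-run the check right before the upgrade window because event storage on /Volume grows continuously.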
Version 6.4.0.7 Time and Disk Space
Table 13: Version 6.4.0.7 Time and Disk Space

Platform | Space on / | Space on /Volume | Space on FMC | Time from 6.4.0
FMC | 170 MB | 4.9 GB | — | 41 min
FMCv: VMware 6.0 | 170 MB | 5.1 GB | — | 32 min
Firepower 1000 series | 2.9 GB | 2.9 GB | 530 MB | 17 min
Firepower 2100 series | 2.4 GB | 2.4 GB | 500 MB | 17 min
Firepower 4100 series | 1.7 GB | 1.7 GB | 310 MB | 15 min
Firepower 9300 | 2.4 GB | 2.4 GB | 310 MB | 12 min
ASA 5500-X series with FTD | 110 MB | 1.9 GB | 290 MB | 18 min
FTDv: VMware 6.0 | 110 MB | 1.8 GB | 290 MB | 9 min
Firepower 7000/8000 series | 190 MB | 3.7 GB | 650 MB | 28 min
ASA FirePOWER | 36 MB | 4.2 GB | 590 MB | 54 min
NGIPSv: VMware 6.0 | 150 MB | 2.3 GB | 450 MB | 9 min
Version 6.4.0.6 Time and Disk Space
Version 6.4.0.6 was removed from the Cisco Support & Download site on 2019-12-19. If you are running this version, we recommend you upgrade.
Version 6.4.0.5 Time and Disk Space
Table 14: Version 6.4.0.5 Time and Disk Space

Platform | Space on / | Space on /Volume | Space on FMC | Time from 6.4.0
FMC | 170 MB | 5 GB | — | 39 min
FMCv: VMware 6.0 | 170 MB | 3.7 GB | — | 27 min
Firepower 1000 series | 2.9 GB | 2.9 GB | 530 MB | 26 min
Firepower 2100 series | 2.5 GB | 2.5 GB | 500 MB | 16 min
Firepower 4100 series | 1.8 GB | 1.8 GB | 310 MB | 12 min
Firepower 9300 | 1.8 GB | 1.8 GB | 310 MB | 11 min
ASA 5500-X series with FTD | 110 MB | 1.8 GB | 290 MB | 20 min
FTDv: VMware 6.0 | 110 MB | 1.8 GB | 290 MB | 10 min
Firepower 7000/8000 series | 170 MB | 3.6 GB | 650 MB | 26 min
ASA FirePOWER | 36 MB | 4.1 GB | 590 MB | 45 min
NGIPSv: VMware 6.0 | 150 MB | 2.1 GB | 450 MB | 10 min
Version 6.4.0.4 Time and Disk Space
Table 15: Version 6.4.0.4 Time and Disk Space

Platform | Space on / | Space on /Volume | Space on FMC | Time from 6.4.0
FMC | 170 MB | 4.4 GB | — | 35 min
FMCv: VMware 6.0 | 170 MB | 4.8 GB | — | 31 min
Firepower 1000 series | 2.9 GB | 2.9 GB | 520 MB | 28 min
Firepower 2100 series | 2.4 GB | 2.4 GB | 500 MB | 10 min
Firepower 4100 series | 2 GB | 2 GB | 310 MB | 12 min
Firepower 9300 | 1.7 GB | 1.7 GB | 310 MB | 10 min
ASA 5500-X series with FTD | 110 MB | 1.8 GB | 290 MB | 29 min
FTDv: VMware 6.0 | 110 MB | 1.8 GB | 290 MB | 8 min
Firepower 7000/8000 series | 170 MB | 3.6 GB | 650 MB | 24 min
ASA FirePOWER | 36 MB | 4.2 GB | 600 MB | 55 min
NGIPSv: VMware 6.0 | 150 MB | 2.1 GB | 550 MB | 10 min
Version 6.4.0.3 Time and Disk Space
Table 16: Version 6.4.0.3 Time and Disk Space

Platform | Space on / | Space on /Volume | Space on FMC | Time from 6.4.0
FMC | 24 MB | 3.2 GB | — | 34 min
FMCv: VMware 6.0 | 23 MB | 2.5 GB | — | 25 min
Firepower 1000 series | 2.9 GB | 2.9 GB | 520 MB | 22 min
Firepower 2100 series | 2.4 GB | 2.4 GB | 500 MB | 19 min
Firepower 4100 series | 1.7 GB | 1.7 GB | 310 MB | 12 min
Firepower 9300 | 1.7 GB | 1.7 GB | 310 MB | 14 min
ASA 5500-X series with FTD | 110 MB | 1.8 GB | 290 MB | 18 min
FTDv: VMware 6.0 | 110 MB | 1.8 GB | 290 MB | 12 min
Firepower 7000/8000 series | 21 MB | 1.9 GB | 370 MB | 20 min
ASA FirePOWER | 2.5 GB | 2.5 GB | 320 MB | 28 min
NGIPSv: VMware 6.0 | 21 MB | 690 MB | 210 MB | 8 min
Version 6.4.0.2 Time and Disk Space
Table 17: Version 6.4.0.2 Time and Disk Space

Platform | Space on / | Space on /Volume | Space on FMC | Time from 6.4.0
FMC | 24 MB | 3.1 GB | — | 39 min
FMCv: VMware 6.0 | 23 MB | 2.5 GB | — | 24 min
Firepower 2100 series | 1.9 GB | 1.9 GB | 480 MB | 19 min
Firepower 4100 series | 2.3 GB | 2.3 GB | 290 MB | 11 min
Firepower 9300 | 1.7 GB | 1.7 GB | 290 MB | 11 min
ASA 5500-X series with FTD | 110 MB | 1.8 GB | 270 MB | 21 min
FTDv: VMware 6.0 | 110 MB | 1.2 GB | 270 MB | 10 min
Firepower 7000/8000 series | 36 MB | 1.9 GB | 350 MB | 20 min
ASA FirePOWER | 21 MB | 2 GB | 300 MB | 34 min
NGIPSv: VMware 6.0 | 21 MB | 630 MB | 190 MB | 10 min
Version 6.4.0.1 Time and Disk Space
Table 18: Version 6.4.0.1 Time and Disk Space

Platform | Space on / | Space on /Volume | Space on FMC | Time from 6.4.0
FMC | 24 MB | 1.8 GB | — | 50 min
FMCv: VMware 6.0 | 23 MB | 1.8 GB | — | 20 min
Firepower 2100 series | 1.4 GB | 1.4 GB | 300 MB | 17 min
Firepower 4100 series | 1.1 GB | 1.1 GB | 95 MB | 9 min
Firepower 9300 | 1.1 GB | 1.1 GB | 95 MB | 10 min
ASA 5500-X series with FTD | 110 MB | 550 MB | 76 MB | 16 min
FTDv: VMware 6.0 | 110 MB | 550 MB | 76 MB | 15 min
Firepower 7000/8000 series | 21 MB | 59 MB | 2 MB | 14 min
ASA FirePOWER | 20 MB | 85 MB | 2 MB | 30 min
NGIPSv: VMware 6.0 | 21 MB | 45 MB | 2 MB | 10 min
Traffic Flow, Inspection, and Device Behavior
You must identify potential interruptions in traffic flow and inspection during the upgrade. This can occur:
• When a device is rebooted.
• When you upgrade the operating system or virtual hosting environment on a device.
• When you upgrade the Firepower software on a device, or uninstall a patch.
• When you deploy configuration changes as part of the upgrade or uninstall process (Snort process restarts).
Device type, deployment type (standalone, high availability, clustered), and interface configurations (passive, IPS, firewall, and so on) determine the nature of the interruptions. We strongly recommend performing any upgrade or uninstall in a maintenance window or at a time when any interruption will have the least impact on your deployment.
FTD Upgrade Behavior: Firepower 4100/9300 Chassis
This section describes device and traffic behavior when you upgrade a Firepower 4100/9300 chassis with FTD.
Firepower 4100/9300 Chassis: FXOS Upgrade
Upgrade FXOS on each chassis independently, even if you have inter-chassis clustering or high availability pairs configured. How you perform the upgrade determines how your devices handle traffic during the FXOS upgrade.
Table 19: Traffic Behavior During FXOS Upgrade

Deployment | Method | Traffic Behavior
Standalone | — | Dropped
High availability | Best practice: upgrade FXOS on the standby, switch active peers, upgrade the new standby. | Unaffected
High availability | Upgrade FXOS on the active peer before the standby is finished upgrading. | Dropped until one peer is online
Inter-chassis cluster (6.2+) | Best practice: upgrade one chassis at a time so at least one module is always online. | Unaffected
Inter-chassis cluster (6.2+) | Upgrade chassis at the same time, so all modules are down at some point. | Dropped until at least one module is online
Intra-chassis cluster (Firepower 9300 only) | Fail-to-wire enabled (Bypass: Standby or Bypass-Force) (6.1+) | Passed without inspection
Intra-chassis cluster (Firepower 9300 only) | Fail-to-wire disabled (Bypass: Disabled) (6.1+) | Dropped until at least one module is online
Intra-chassis cluster (Firepower 9300 only) | No fail-to-wire module | Dropped until at least one module is online
Standalone FTD Device: Firepower Software Upgrade
Interface configurations determine how a standalone device handles traffic during the upgrade.
Table 20: Traffic Behavior During Firepower Software Upgrade: Standalone FTD Device

Interface Configuration | Traffic Behavior
Firewall interfaces: routed or switched, including EtherChannel, redundant, subinterfaces (switched interfaces are also known as bridge group or transparent interfaces) | Dropped
IPS-only interfaces: inline set, fail-to-wire enabled (Bypass: Standby or Bypass-Force) (6.1+) | Dropped (6.1 through 6.2.2.x); passed without inspection (6.2.3+)
IPS-only interfaces: inline set, fail-to-wire disabled (Bypass: Disabled) (6.1+) | Dropped
IPS-only interfaces: inline set, no fail-to-wire module | Dropped
IPS-only interfaces: inline set, tap mode | Egress packet immediately, copy not inspected
IPS-only interfaces: passive, ERSPAN passive | Uninterrupted, not inspected
High Availability Pairs: Firepower Software Upgrade
You should not experience interruptions in traffic flow or inspection while upgrading the Firepower software on devices in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices operate in maintenance mode while they upgrade.
The standby device upgrades first. The devices switch roles, then the new standby upgrades. When the upgrade completes, the devices' roles remain switched. If you want to preserve the active/standby roles, manually switch the roles before you upgrade. That way, the upgrade process switches them back.
Clusters: Firepower Software Upgrade
You should not experience interruptions in traffic flow or inspection while upgrading the Firepower software on devices in Firepower Threat Defense clusters. To ensure continuity of operations, they upgrade one at a time. Devices operate in maintenance mode while they upgrade.
The slave security module or modules upgrade first, then the master. Security modules operate in maintenance mode while they upgrade.
During the master security module upgrade, although traffic inspection and handling continues normally, the system stops logging events. Events for traffic processed during the logging downtime appear with out-of-sync timestamps after the upgrade is completed. However, if the logging downtime is significant, the system may prune the oldest events before they can be logged.
Note: Upgrading an inter-chassis cluster from Version 6.2.0, 6.2.0.1, or 6.2.0.2 causes a 2-3 second interruption in traffic inspection when each module is removed from the cluster. Whether traffic drops during this interruption or passes without further inspection depends on how the device handles traffic.
High Availability and Clustering Hitless Upgrade Requirements
Hitless upgrades have the following additional requirements.
Flow Offload: Due to bug fixes in the flow offload feature, some combinations of FXOS and FTD do not support flow offload; see the Cisco Firepower Compatibility Guide. To perform a hitless upgrade in a high availability or clustered deployment, you must make sure you are always running a compatible combination.
If your upgrade path includes upgrading FXOS to 2.2.2.91, 2.3.1.130, or later (including FXOS 2.4.1.x, 2.6.1.x, and so on), use this path:
1. Upgrade FTD to 6.2.2.2 or later.
2. Upgrade FXOS to 2.2.2.91, 2.3.1.130, or later.
3. Upgrade FTD to your final version.
For example, if you are running FXOS 2.2.2.17/FTD 6.2.2.0, and you want to upgrade to FXOS 2.6.1/FTD6.4.0, then you can:
1. Upgrade FTD to 6.2.2.5.
2. Upgrade FXOS to 2.6.1.
3. Upgrade FTD to 6.4.0.
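The following added example (not Cisco's code) turns the three-step rule above into a small planner you can run against each chassis before scheduling the work. It applies the rule literally: whenever the path upgrades FXOS to 2.2.2.91, 2.3.1.130 or any 2.4+ release and FTD is still below 6.2.2.2, FTD goes to an interim 6.2.2.2-or-later version first. When that rule does not apply, the planner assumes the usual order of FXOS first, then FTD. The interim FTD version is a parameter; 6.2.2.5 is the value the example in the release notes uses.

```python
def vt(version):
    """'2.6.1' -> (2, 6, 1); tuple comparison gives the right version ordering."""
    return tuple(int(p) for p in version.split("."))


def fxos_has_offload_fix(fxos):
    """True for FXOS 2.2.2.91+, 2.3.1.130+, and every 2.4 or later release."""
    v = vt(fxos)
    if v[:3] == (2, 2, 2):
        return v >= (2, 2, 2, 91)
    if v[:3] == (2, 3, 1):
        return v >= (2, 3, 1, 130)
    return v[:2] >= (2, 4)


def plan_hitless_path(fxos_now, ftd_now, fxos_target, ftd_target, interim_ftd="6.2.2.5"):
    """Return the ordered (component, version) steps for one chassis."""
    steps = []
    fxos_upgrade = vt(fxos_target) > vt(fxos_now)
    # The release-notes rule: FTD must be 6.2.2.2+ before FXOS moves to a fixed release.
    ftd_first = fxos_upgrade and fxos_has_offload_fix(fxos_target) and vt(ftd_now) < (6, 2, 2, 2)
    ftd_after = ftd_now
    if ftd_first:
        if vt(interim_ftd) < (6, 2, 2, 2) or vt(interim_ftd) > vt(ftd_target):
            raise ValueError("interim FTD must be 6.2.2.2 or later and not beyond the target")
        steps.append(("FTD", interim_ftd))
        ftd_after = interim_ftd
    if fxos_upgrade:
        steps.append(("FXOS", fxos_target))
    if vt(ftd_target) > vt(ftd_after):
        steps.append(("FTD", ftd_target))
    return steps


if __name__ == "__main__":
    # The scenario from the release notes: FXOS 2.2.2.17 / FTD 6.2.2.0 to FXOS 2.6.1 / FTD 6.4.0.
    for component, version in plan_hitless_path("2.2.2.17", "6.2.2.0", "2.6.1", "6.4.0"):
        print(f"upgrade {component} to {version}")
```

The planner only orders the steps; it does not check that each FXOS/FTD pair along the way is a supported combination, so confirm every intermediate pair against the Cisco Firepower Compatibility Guide as the text above requires.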
Version 6.1.0 Upgrades: Performing a hitless upgrade of an FTD high availability pair to Version 6.1.0 requires a preinstallation package. For more information, see Firepower System Release Notes Version 6.1.0 Preinstallation Package.
Traffic Behavior During Deployment
You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying, you modify specific policy or device configurations. For more information, see Configurations that Restart the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.
When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, restarting the Snort process interrupts traffic inspection on all Firepower devices, including those configured for HA/scalability. Interface configurations determine whether traffic drops or passes without inspection during the interruption.
Table 21: Traffic Behavior During FTD Deployment

Interface Configuration | Traffic Behavior
Firewall interfaces: routed or switched, including EtherChannel, redundant, subinterfaces (switched interfaces are also known as bridge group or transparent interfaces) | Dropped
IPS-only interfaces: inline set, Failsafe enabled or disabled (6.0.1 - 6.1.0.x) | Passed without inspection; a few packets might drop if Failsafe is disabled and Snort is busy but not down
IPS-only interfaces: inline set, Snort Fail Open: Down: disabled (6.2+) | Dropped
IPS-only interfaces: inline set, Snort Fail Open: Down: enabled (6.2+) | Passed without inspection
IPS-only interfaces: inline set, tap mode | Egress packet immediately, copy not inspected
IPS-only interfaces: passive, ERSPAN passive | Uninterrupted, not inspected
FTD Upgrade Behavior: Other Devices
This section describes device and traffic behavior when you upgrade Firepower Threat Defense on Firepower 1000/2100 series, ASA 5500-X series, ISA 3000, and FTDv.
Standalone FTD Device: Firepower Software Upgrade
Interface configurations determine how a standalone device handles traffic during the upgrade.
Table 22: Traffic Behavior During Firepower Software Upgrade: Standalone FTD Device

Interface Configuration | Traffic Behavior
Firewall interfaces: routed or switched, including EtherChannel, redundant, subinterfaces (switched interfaces are also known as bridge group or transparent interfaces) | Dropped
IPS-only interfaces: inline set, fail-to-wire enabled (Bypass: Standby or Bypass-Force) (6.1+) | Dropped (6.1 through 6.2.2.x); passed without inspection (6.2.3+)
IPS-only interfaces: inline set, fail-to-wire disabled (Bypass: Disabled) (6.1+) | Dropped
IPS-only interfaces: inline set, no fail-to-wire module | Dropped
IPS-only interfaces: inline set, tap mode | Egress packet immediately, copy not inspected
IPS-only interfaces: passive, ERSPAN passive | Uninterrupted, not inspected
High Availability Pairs: Firepower Software Upgrade
You should not experience interruptions in traffic flow or inspection while upgrading the Firepower software on devices in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices operate in maintenance mode while they upgrade.
The standby device upgrades first. The devices switch roles, then the new standby upgrades. When the upgrade completes, the devices' roles remain switched. If you want to preserve the active/standby roles, manually switch the roles before you upgrade. That way, the upgrade process switches them back.
Traffic Behavior During Deployment
You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying, you modify specific policy or device configurations. For more information, see Configurations that Restart the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.
When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, restarting the Snort process interrupts traffic inspection on all Firepower devices, including those configured for HA/scalability. Interface configurations determine whether traffic drops or passes without inspection during the interruption.
Table 23: Traffic Behavior During FTD Deployment

Interface Configuration | Traffic Behavior
Firewall interfaces: routed or switched, including EtherChannel, redundant, subinterfaces (switched interfaces are also known as bridge group or transparent interfaces) | Dropped
IPS-only interfaces: inline set, Failsafe enabled or disabled (6.0.1 - 6.1.0.x) | Passed without inspection; a few packets might drop if Failsafe is disabled and Snort is busy but not down
IPS-only interfaces: inline set, Snort Fail Open: Down: disabled (6.2+) | Dropped
IPS-only interfaces: inline set, Snort Fail Open: Down: enabled (6.2+) | Passed without inspection
IPS-only interfaces: inline set, tap mode | Egress packet immediately, copy not inspected
IPS-only interfaces: passive, ERSPAN passive | Uninterrupted, not inspected
Firepower 7000/8000 Series Upgrade Behavior
The following sections describe device and traffic behavior when you upgrade Firepower 7000/8000 series devices.
Standalone 7000/8000 Series: Firepower Software Upgrade
Interface configurations determine how a standalone device handles traffic during the upgrade.
Table 24: Traffic Behavior During Upgrade: Standalone 7000/8000 Series

Interface Configuration | Traffic Behavior
Inline, hardware bypass enabled (Bypass Mode: Bypass) | Passed without inspection, although traffic is interrupted briefly at two points: at the beginning of the upgrade process as link goes down and up (flaps) and the network card switches into hardware bypass; and after the upgrade finishes as link flaps and the network card switches out of bypass. Inspection resumes after the endpoints reconnect and reestablish link with the device interfaces.
Inline, no hardware bypass module, or hardware bypass disabled (Bypass Mode: Non-Bypass) | Dropped
Inline, tap mode | Egress packet immediately, copy not inspected
Passive | Uninterrupted, not inspected
Routed, switched | Dropped
7000/8000 Series High Availability Pairs: Firepower Software Upgrade
You should not experience interruptions in traffic flow or inspection while upgrading devices (or device stacks) in high availability pairs. To ensure continuity of operations, they upgrade one at a time. Devices operate in maintenance mode while they upgrade.
Which peer upgrades first depends on your deployment:
• Routed or switched: Standby upgrades first. The devices switch roles, then the new standby upgrades. When the upgrade completes, the devices' roles remain switched. If you want to preserve the active/standby roles, manually switch the roles before you upgrade. That way, the upgrade process switches them back.
• Access control only: Active upgrades first. When the upgrade completes, the active and standby maintain their old roles.
8000 Series Stacks: Firepower Software Upgrade
In an 8000 series stack, devices upgrade simultaneously. Until the primary device completes its upgrade and the stack resumes operation, traffic is affected as if the stack were a standalone device. Until all devices complete the upgrade, the stack operates in a limited, mixed-version state.
Traffic Behavior During Deployment
You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying, you modify specific policy or device configurations. For more information, see Configurations that Restart the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.
When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, restarting the Snort process interrupts traffic inspection on all Firepower devices, including those configured for HA/scalability. Interface configurations determine whether traffic drops or passes without inspection during the interruption.
Table 25: Traffic Behavior During Deployment: 7000/8000 Series

Interface Configuration | Traffic Behavior
Inline, Failsafe enabled or disabled | Passed without inspection; a few packets might drop if Failsafe is disabled and Snort is busy but not down
Inline, tap mode | Egress packet immediately, copy bypasses Snort
Passive | Uninterrupted, not inspected
Routed, switched | Dropped
ASA FirePOWER Upgrade Behavior
Your ASA service policies for redirecting traffic to the ASA FirePOWER module determine how the module handles traffic during the Firepower software upgrade, including when you deploy certain configurations that restart the Snort process.
Table 26: Traffic Behavior During ASA FirePOWER Upgrade

Traffic Redirection Policy | Traffic Behavior
Fail open (sfr fail-open) | Passed without inspection
Fail closed (sfr fail-close) | Dropped
Monitor only (sfr {fail-close | fail-open} monitor-only) | Egress packet immediately, copy not inspected
Traffic Behavior During ASA FirePOWER Deployment
Traffic behavior while the Snort process restarts is the same as when you upgrade the ASA FirePOWER module.
You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying, you modify specific policy or device configurations. For more information, see Configurations that Restart the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.
When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, restarting the Snort process interrupts traffic inspection. Your service policies determine whether traffic drops or passes without inspection during the interruption.
NGIPSv Upgrade Behavior
This section describes device and traffic behavior when you upgrade NGIPSv.
Firepower Software Upgrade
Interface configurations determine how NGIPSv handles traffic during the upgrade.
Table 27: Traffic Behavior During NGIPSv Upgrade

Interface Configuration | Traffic Behavior
Inline | Dropped
Inline, tap mode | Egress packet immediately, copy not inspected
Passive | Uninterrupted, not inspected
Traffic Behavior During Deployment
You deploy configurations multiple times during the upgrade process. Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during other deployments unless, before deploying, you modify specific policy or device configurations. For more information, see Configurations that Restart the Snort Process when Deployed or Activated in the Firepower Management Center Configuration Guide.
When you deploy, resource demands may result in a small number of packets dropping without inspection. Additionally, restarting the Snort process interrupts traffic inspection. Interface configurations determine whether traffic drops or passes without inspection during the interruption.
Table 28: Traffic Behavior During NGIPSv Deployment

Interface Configuration | Traffic Behavior
Inline, Failsafe enabled or disabled | Passed without inspection; a few packets might drop if Failsafe is disabled and Snort is busy but not down
Inline, tap mode | Egress packet immediately, copy bypasses Snort
Passive | Uninterrupted, not inspected
Upgrade Instructions
The release notes do not contain upgrade instructions. After you read the guidelines and warnings in these release notes, see one of:
• Cisco Firepower Management Center Upgrade Guide: Upgrade FMC deployments, including managed devices and companion operating systems.
• Cisco ASA Upgrade Guide: Upgrade ASA FirePOWER modules with ASDM.
• Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager: Upgrade FTD with FDM.
Upgrade Packages
Upgrade packages are available on the Cisco Support & Download site.
• Firepower Management Center, including FMCv: https://www.cisco.com/go/firepower-software
• Firepower Threat Defense (ISA 3000): https://www.cisco.com/go/isa3000-software
• Firepower Threat Defense (all other models, including FTDv): https://www.cisco.com/go/ftd-software
• Firepower 7000 series: https://www.cisco.com/go/7000series-software
• Firepower 8000 series: https://www.cisco.com/go/8000series-software
• ASA with FirePOWER Services (ASA 5500-X series): https://www.cisco.com/go/asa-firepower-sw
• ASA with FirePOWER Services (ISA 3000): https://www.cisco.com/go/isa3000-software
• NGIPSv: https://www.cisco.com/go/ngipsv-software
Do not untar signed (.tar) packages.
Table 29: Upgrade Packages for Version 6.4.0.x

Platform | Package
FMC/FMCv | Cisco_Firepower_Mgmt_Center_Patch-version-build.sh.REL.tar
Firepower 1000 series | Cisco_FTD_SSP_FP1K_Patch-version-build.sh.REL.tar
Firepower 2100 series | Cisco_FTD_SSP_FP2K_Patch-version-build.sh.REL.tar
Firepower 4100/9300 chassis | Cisco_FTD_SSP_Patch-version-build.sh.REL.tar
ASA 5500-X series with FTD; ISA 3000 with FTD; Firepower Threat Defense Virtual | Cisco_FTD_Patch-version-build.sh.REL.tar
Firepower 7000/8000 series | Cisco_Firepower_NGIPS_Appliance_Patch-version-build.sh.REL.tar
ASA FirePOWER | Cisco_Network_Sensor_Patch-version-build.sh.REL.tar
NGIPSv | Cisco_Firepower_NGIPS_Virtual_Patch-version-build.sh.REL.tar
Chapter 5: Uninstall a Version 6.4.0.x Patch
You can uninstall Firepower patches from:
• FMCs and their managed devices
• ASA FirePOWER modules managed by ASDM
Uninstalling a patch results in an appliance running the version you upgraded from.
Note: You cannot uninstall a patch from an FTD device managed by FDM. You also cannot uninstall a major version of the Firepower software from any appliance. In those cases, you must freshly install.
For more information, see:
• Guidelines and Limitations for Uninstalling, on page 35
• Uninstall Order for HA/Scalability Deployments, on page 38
• Uninstall Instructions, on page 40
• Uninstall Packages, on page 45
Guidelines and Limitations for Uninstalling
These important guidelines and limitations apply to uninstall.
Verify Uninstall is Supported for Your Patch
Uninstalling specific patches can cause issues on Firepower appliances, including:
• Inability to deploy configuration changes after uninstall.
• Incompatibilities between the operating system and the Firepower software.
• FSIC (file system integrity check) failure when the appliance reboots, if you patched with security certifications compliance enabled (CC/UCAPL mode).
Caution: If security certifications compliance is enabled and the FSIC fails, Firepower software does not start, remote SSH access is disabled, and you can access the appliance only via local console. If this happens, contact Cisco TAC.
In these cases, if you need to revert to an earlier patch, we recommend you reimage and then upgrade.
The following table lists situations where you should not uninstall.
Table 30: Version 6.4.0.x Patches with Subsequent Issues on Uninstall
Platforms | Uninstalling From | If Upgraded From
FMC/FMCv; Firepower 7000/8000 series; ASA FirePOWER; NGIPSv | 6.4.0.2+ | 6.4.0 through 6.4.0.1
FMC/FMCv; Firepower 7000/8000 series; ASA FirePOWER; NGIPSv | 6.4.0.3+ | 6.4.0 through 6.4.0.2
Any | 6.4.0.4+ | 6.4.0 through 6.4.0.3
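Table 30 is a set of version-range rules, and it is easy to misread "uninstalling from" against "upgraded from" under pressure. The following POSIX shell script is an added example, not part of the Cisco release notes: it encodes the three rows of the table, plus the rule that a major version cannot be uninstalled, as a check you can run before touching an appliance. The platform keywords (fmc, 7000-8000, asa-firepower, ngipsv, ftd) and the exit-code convention are this script's own; versions are compared field by field, so 6.4.0 sorts before 6.4.0.1.

```sh
#!/bin/sh
# Added example (not from the Cisco release notes): Table 30 as a pre-uninstall
# check. Platform keywords are this script's own convention.
# Usage: sh uninstall_check.sh <platform> <running-version> <version-upgraded-from>
# Exit 0 = the notes say do not uninstall, 1 = combination not listed, 2 = bad input.

# vercmp A B: print -1, 0 or 1 as dotted version A is <, = or > B.
# Missing trailing fields count as 0, so 6.4.0 < 6.4.0.1.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    case $a in *.*) ah=${a%%.*}; a=${a#*.} ;; *) ah=$a; a= ;; esac
    case $b in *.*) bh=${b%%.*}; b=${b#*.} ;; *) bh=$b; b= ;; esac
    if [ "${ah:-0}" -lt "${bh:-0}" ]; then printf '%s\n' -1; return; fi
    if [ "${ah:-0}" -gt "${bh:-0}" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# in_range V LOW HIGH: true if LOW <= V <= HIGH.
in_range() {
  [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# uninstall_blocked PLATFORM RUNNING UPGRADED_FROM
uninstall_blocked() {
  platform=$1; running=$2; from=$3
  if [ "$(vercmp "$from" "$running")" -ge 0 ]; then
    echo "error: version upgraded from ($from) must be older than running version ($running)" >&2
    return 2
  fi
  # Uninstalling returns the appliance to the version it was upgraded from. A
  # pre-6.4.0 origin means the last upgrade was a major upgrade, which the
  # notes say cannot be uninstalled at all.
  if [ "$(vercmp "$from" 6.4.0)" -lt 0 ]; then
    echo "blocked: $from is not a 6.4.0.x patch level; a major version cannot be uninstalled, reimage instead"
    return 0
  fi
  # Row 3: any platform, uninstalling 6.4.0.4+ after upgrading from 6.4.0 through 6.4.0.3.
  if [ "$(vercmp "$running" 6.4.0.4)" -ge 0 ] && in_range "$from" 6.4.0 6.4.0.3; then
    echo "blocked: uninstalling $running after upgrading from $from (any platform)"
    return 0
  fi
  case $platform in
    fmc|7000-8000|asa-firepower|ngipsv)
      # Row 2: uninstalling 6.4.0.3+ after upgrading from 6.4.0 through 6.4.0.2.
      if [ "$(vercmp "$running" 6.4.0.3)" -ge 0 ] && in_range "$from" 6.4.0 6.4.0.2; then
        echo "blocked: uninstalling $running after upgrading from $from ($platform)"
        return 0
      fi
      # Row 1: uninstalling 6.4.0.2+ after upgrading from 6.4.0 through 6.4.0.1.
      if [ "$(vercmp "$running" 6.4.0.2)" -ge 0 ] && in_range "$from" 6.4.0 6.4.0.1; then
        echo "blocked: uninstalling $running after upgrading from $from ($platform)"
        return 0
      fi
      ;;
  esac
  echo "not listed in Table 30: uninstall from $running back to $from"
  return 1
}

if [ $# -eq 3 ]; then
  uninstall_blocked "$@"
fi
```

Note that "not listed" is the script's only positive answer; it means the table does not name the combination, not that Cisco guarantees the uninstall. Run it with the version you actually upgraded from, which is what the uninstaller will return you to, not simply the previous patch number.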
Uninstall from Devices First, Using the Shell
In FMC deployments, uninstall patches from managed devices first. We recommend that FMCs run a higher version than their managed devices.
To uninstall a device patch, you must use the Linux shell, also called expert mode. This means that you uninstall from devices both individually and locally. In other words:
• You cannot batch-uninstall patches from clustered, stacked, or high availability (HA) Firepower devices, or from clustered or failover ASA with FirePOWER Services devices. To plan an uninstall order that minimizes disruption, see Uninstall Order for HA/Scalability Deployments, on page 38.
• You cannot use an FMC, ASDM, or FDM to uninstall a patch from a device, nor can you use the local web interface on a 7000/8000 series device.
• You cannot use an FMC user account to log into and uninstall the patch from one of its managed devices. Firepower appliances maintain their own user accounts.
• You must have access to the device shell as the admin user for the device, or as another local user with CLI configuration access. If you disabled shell access, you cannot uninstall device patches. Contact Cisco TAC to reverse the device lockdown.
Uninstall from FMCs After Devices
Uninstall patches from FMCs after you uninstall from their managed devices. As with upgrade, you must uninstall from high availability FMCs one at a time; see Uninstall Order for HA/Scalability Deployments, on page 38.
We recommend you use the FMC web interface to uninstall FMC patches. You must have Administrator access. If you cannot use the web interface, you can use the Linux shell as either the admin user for the shell, or as an external user with shell access. If you disabled shell access, contact Cisco TAC to reverse the FMC lockdown.
Verify NTP Synchronization
Before you uninstall, make sure Firepower appliances are synchronized with any NTP server you are using to serve time. Being out of sync can cause uninstall failure. In FMC deployments, the Time Synchronization Status health module does alert if clocks are out of sync by more than 10 seconds, but you should still check manually.
To check time:
• FMC: Choose System > Configuration > Time.
• Devices: Use the show time CLI command.
Appliance Access
Firepower devices can stop passing traffic during the uninstall (depending on interface configurations), or if the uninstall fails. Before you uninstall a patch from a Firepower device, make sure traffic from your location does not have to traverse the device itself to access the device's management interface. In Firepower Management Center deployments, you should also be able to access the FMC management interface without traversing the device.
Disable ASA REST API on ASA FirePOWER Devices
Before you uninstall an ASA FirePOWER patch, make sure the ASA REST API is disabled. Otherwise, the uninstall could fail. From the ASA CLI: no rest-api agent. You can reenable after the uninstall: rest-api agent.
Unresponsive Uninstalls
Do not deploy changes to or from, manually reboot, or shut down an uninstalling appliance. Do not restart an uninstall in progress. The uninstall process may appear inactive at times; this is expected. If you encounter issues with the uninstall, including a failed uninstall or unresponsive appliance, contact Cisco TAC.
A failed uninstall may require a reimage, which returns most settings to factory defaults. For this reason, we strongly recommend you back up event and configuration data to an external location before you reimage.
Traffic Flow, Inspection, and Device Behavior
Interruptions in traffic flow and inspection during an uninstall are the same as the interruptions that occur during an upgrade. We strongly recommend performing any uninstall in a maintenance window or at a time when any interruption will have the least impact on your deployment. For more information, see Traffic Flow, Inspection, and Device Behavior, on page 24.
Uninstall Order for HA/Scalability Deployments
You uninstall patches from Firepower appliances individually, even those that you upgraded as a unit. Especially in high availability (HA) and scalability deployments, you should plan an uninstall order that minimizes disruption. Unlike upgrade, the system does not do this for you. The tables below outline uninstall order for HA/scalability deployments.
Note that in most cases, you will:
• Uninstall from the secondary/standby/slave units first, then the primary/active/master.
• Uninstall one at a time. Wait until the patch has fully uninstalled from one unit before you move on tothe next unit.
Table 31: Uninstall Order for FMCs in HA
FMC high availability:
With synchronization paused, which is a state called split-brain, uninstall from FMC peers one at a time. Do not make or deploy configuration changes while the pair is split-brain.
1. Pause synchronization (enter split-brain).
2. Uninstall from the standby.
3. Uninstall from the active.
4. Restart synchronization (exit split-brain).
Table 32: Uninstall Order for FTD Devices in HA or Clusters
FTD high availability:
You cannot uninstall a patch from FTD devices configured for high availability. You must break high availability first.
1. Break high availability.
2. Uninstall from the former standby.
3. Uninstall from the former active.
4. Reestablish high availability.
FTD cluster:
Uninstall from one unit at a time, leaving the master unit for last. Clustered units operate in maintenance mode while the patch uninstalls.
1. Uninstall from the slave modules one at a time.
2. Make one of the slave modules the new master module.
3. Uninstall from the former master.
Table 33: Uninstall Order for 7000/8000 Series Devices in HA or Stacks
7000/8000 series high availability:
Always uninstall from the standby. A 7000/8000 series device in an HA pair operates in maintenance mode while the patch uninstalls.
1. Uninstall from the standby.
2. Switch roles.
3. Uninstall from the new standby.
8000 series stack:
Uninstall from all devices in the stack at the same time. Until you uninstall the patch from all devices in a stack, the stack operates in a limited, mixed-version state.
Table 34: Uninstall Order for ASA with FirePOWER Services Devices in ASA Failover Pairs/Clusters
ASA active/standby failover pair, with ASA FirePOWER:
Always uninstall from the standby.
1. Uninstall from the ASA FirePOWER module on the standby ASA device.
2. Fail over.
3. Uninstall from the ASA FirePOWER module on the new standby ASA device.
ASA active/active failover pair, with ASA FirePOWER:
Make both failover groups active on the unit you are not uninstalling.
1. Make both failover groups active on the primary ASA device.
2. Uninstall from the ASA FirePOWER module on the secondary ASA device.
3. Make both failover groups active on the secondary ASA device.
4. Uninstall from the ASA FirePOWER module on the primary ASA device.
ASA cluster, with ASA FirePOWER:
Disable clustering on each unit before you uninstall. Uninstall from one unit at a time, leaving the master unit for last.
1. On a slave unit, disable clustering.
2. Uninstall from the ASA FirePOWER module on that unit.
3. Reenable clustering. Wait for the unit to rejoin the cluster.
4. Repeat for each slave unit.
5. On the master unit, disable clustering. Wait for a new master to take over.
6. Uninstall from the ASA FirePOWER module on the former master.
7. Reenable clustering.
Uninstall Instructions
The following sections explain how to uninstall Firepower patches from eligible appliances.
Uninstall from a Standalone FMC
Use this procedure to uninstall a patch from a standalone Firepower Management Center, including Firepower Management Center Virtual.
Before you begin
Uninstall patches from managed devices. We recommend that FMCs run a higher version than their managed devices.
Step 1 Deploy to managed devices whose configurations are out of date.
Deploying before you uninstall reduces the chance of failure.
Step 2 Perform prechecks.
• Check health: Use the Message Center on the FMC (click the System Status icon on the menu bar). Make sure the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
• Running tasks: Also in the Message Center, make sure essential tasks are complete. Tasks running when the uninstall begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.
Step 3 Choose System > Updates.
Step 4 Click the Install icon next to the uninstall package for the FMC, then choose the FMC.
If you do not have the correct uninstall package, contact Cisco TAC.
Step 5 Click Install to begin the uninstall. Confirm that you want to uninstall and reboot the FMC.
Step 6 Monitor progress in the Message Center until you are logged out.
Do not make configuration changes or deploy to any device while the patch is uninstalling. Even if the Message Center shows no progress for several minutes or indicates that the uninstall has failed, do not restart the uninstall or reboot the FMC. Instead, contact Cisco TAC.
Step 7 Log back into the FMC after the patch uninstalls and the FMC reboots.
Step 8 Verify success.
Choose Help > About to display current software version information.
Step 9 Use the Message Center to recheck deployment health.
Step 10 Redeploy configurations.
Uninstall from High Availability FMCs
Use this procedure to uninstall a patch from a Firepower Management Center in a high availability pair.
You uninstall from peers one at a time. With synchronization paused, first uninstall from the standby, then the active. When the standby FMC starts the uninstall, its status switches from standby to active, so that both peers are active. This temporary state is called split-brain and is not supported except during upgrade and uninstall. Do not make or deploy configuration changes while the pair is split-brain. Your changes will be lost after you restart synchronization.
Before you begin
Uninstall patches from managed devices. We recommend that FMCs run a higher version than their managed devices.
Step 1 On the active FMC, deploy to managed devices whose configurations are out of date.
Deploying before you uninstall reduces the chance of failure.
Step 2 Use the Message Center to check deployment health before you pause synchronization.
Click the System Status icon on the FMC menu bar to display the Message Center. Make sure the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 3 Pause synchronization.
a) Choose System > Integration.
b) On the High Availability tab, click Pause Synchronization.
Step 4 Uninstall the patch from the FMCs one at a time—first the standby, then the active.
Follow the instructions in Uninstall from a Standalone FMC, on page 40, but omit the initial deploy, and stop after you verify update success on each FMC. In summary, for each FMC:
a) Perform prechecks (health, running tasks).
b) On the System > Updates page, uninstall the patch.
c) Monitor progress until you are logged out, then log back in when you can.
d) Verify uninstall success.
Do not make or deploy configuration changes while the pair is split-brain.
Step 5 On the FMC you want to make the active peer, restart synchronization.
a) Choose System > Integration.
b) On the High Availability tab, click Make-Me-Active.
c) Wait until synchronization restarts and the other FMC switches to standby mode.
Step 6 Use the Message Center to recheck deployment health.
Step 7 Redeploy configurations.
Uninstall from Any Device (FMC Managed)
Use this procedure to uninstall a patch from a single managed device in a Firepower Management Center deployment. This includes physical and virtual devices, security modules, and ASA FirePOWER modules.
Before you begin
• Make sure you are uninstalling from the correct device, especially in HA/scalability deployments. See Uninstall Order for HA/Scalability Deployments, on page 38.
• For ASA FirePOWER modules, make sure the ASA REST API is disabled. From the ASA CLI: no rest-api agent. You can reenable after the uninstall: rest-api agent.
Step 1 If the device's configurations are out of date, deploy now from the FMC.
Deploying before you uninstall reduces the chance of failure.
Exception: Do not deploy to mixed-version stacks, clusters, or HA pairs. In an HA/scalability deployment, deploy before you uninstall from the first device, but then not again until you have uninstalled the patch from all members.
Step 2 Perform prechecks.
• Check health: Use the Message Center on the FMC (click the System Status icon on the menu bar). Make sure the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
• Running tasks: Also in the Message Center, make sure essential tasks are complete. Tasks running when the uninstall begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.
Step 3 Access the Firepower CLI on the device. Log in as admin or another Firepower CLI user with configuration access.
You can either SSH to the device's management interface (hostname or IP address) or use the console. Note that ASA 5585-X series devices have a dedicated ASA FirePOWER console port.
If you use the console, some devices default to the operating system CLI, and require an extra step to access the Firepower CLI:
Firepower 1000/2100 series: connect ftd
Firepower 4100/9300 chassis: connect module slot_number console, then connect ftd (first login only)
ASA FirePOWER, except ASA 5585-X series: session sfr
Step 4 At the Firepower CLI prompt, use the expert command to access the Linux shell.
Step 5 Run the uninstall command, entering your password when prompted.
sudo install_update.pl --detach /var/sf/updates/uninstall_package_name
The package name varies by platform; see Uninstall Packages, on page 45. Do not untar signed (.tar) packages.
Unless you are running the uninstall from the console, use the --detach option to ensure the uninstall does not stop if your user session times out. Otherwise, the uninstall runs as a child process of the user shell. If your connection is terminated, the process is killed, the check is disrupted, and the appliance may be left in an unstable state.
Caution: The system does not ask you to confirm that you want to uninstall. Entering this command starts the uninstall, which includes a device reboot. Interruptions in traffic flow and inspection during an uninstall are the same as the interruptions that occur during an upgrade. Make sure you are ready.
Step 6 Monitor the uninstall.
If you did not detach the uninstall, progress is displayed on the console or terminal. If you did detach, you can use tail or tailf to display logs:
• FTD devices: tail /ngfw/var/log/sf/update.status
• All other devices: tail /var/log/sf/update.status
Step 7 Verify success.
After the patch uninstalls and the device reboots, confirm that the device has the correct software version. On the FMC, choose Devices > Device Management.
Step 8 Use the Message Center to recheck deployment health.Step 9 Redeploy configurations.
Exception: In an HA/scalability deployment, do not deploy to mixed-version stacks, clusters, or HA pairs. Deploy only after you repeat this procedure for all members.
What to do next
• For HA/scalability deployments, repeat this procedure for each device in your planned sequence. Then, make any final adjustments. For example, in an FTD HA deployment, reestablish HA after you uninstall from both peers.
• For ASA FirePOWER modules, reenable the ASA REST API if you disabled it earlier. From the ASA CLI: rest-api agent.
Uninstall from ASA FirePOWER (ASDM Managed)
Use this procedure to uninstall a patch from a locally managed ASA FirePOWER module. If you manage ASA FirePOWER with an FMC, see Uninstall from Any Device (FMC Managed), on page 42.
Before you begin
• Make sure you are uninstalling from the correct device, especially in ASA failover/cluster deployments. See Uninstall Order for HA/Scalability Deployments, on page 38.
• Make sure the ASA REST API is disabled. From the ASA CLI: no rest-api agent. You can reenable after the uninstall: rest-api agent.
Step 1 If the device's configurations are out of date, deploy now from ASDM.
Deploying before you uninstall reduces the chance of failure.
Step 2 Perform prechecks.
• System status: Choose Monitoring > ASA FirePOWER Monitoring > Statistics and make sure everything is as expected.
• Running tasks: Choose Monitoring > ASA FirePOWER Monitoring > Tasks and make sure essential tasks are complete. Tasks running when the uninstall begins are stopped, become failed tasks, and cannot be resumed. You can manually delete failed status messages later.
Step 3 Access the Firepower CLI on the ASA FirePOWER module. Log in as admin or another Firepower CLI user with configuration access.
You can either SSH to the module's management interface (hostname or IP address) or use the console. If you use the console, note that ASA 5585-X series devices have a dedicated ASA FirePOWER console port. On other ASA models, the console port defaults to the ASA CLI and you must use the session sfr command to access the Firepower CLI.
Step 4 At the Firepower CLI prompt, use the expert command to access the Linux shell.
Step 5 Run the uninstall command, entering your password when prompted.
sudo install_update.pl --detach /var/sf/updates/Cisco_Network_Sensor_Patch_Uninstaller-version-build.sh.REL.tar
Do not untar signed (.tar) packages.
Unless you are running the uninstall from the console, use the --detach option to ensure the uninstall does not stop if your user session times out. Otherwise, the uninstall runs as a child process of the user shell. If your connection is terminated, the process is killed, the check is disrupted, and the appliance may be left in an unstable state.
Caution: The system does not ask you to confirm that you want to uninstall. Entering this command starts the uninstall, which includes a device reboot. Interruptions in traffic flow and inspection during an uninstall are the same as the interruptions that occur during an upgrade. Make sure you are ready.
Step 6 Monitor the uninstall.
If you did not detach the uninstall, progress is displayed on the console or terminal. If you did detach, you can use tail or tailf to display logs:
tail /var/log/sf/update.status
Do not deploy configurations to the device while the patch is uninstalling. Even if the log shows no progress for several minutes or indicates that the uninstall has failed, do not restart the uninstall or reboot the device. Instead, contact Cisco TAC.
Step 7 Verify success.
After the patch uninstalls and the module reboots, confirm that the module has the correct software version. Choose Configuration > ASA FirePOWER Configurations > Device Management > Device.
Step 8 Redeploy configurations.
What to do next
• For ASA failover/cluster deployments, repeat this procedure for each device in your planned sequence.
• For ASA FirePOWER modules, reenable the ASA REST API if you disabled it earlier. From the ASA CLI: rest-api agent.
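Both device procedures above, Uninstall from Any Device (FMC Managed) and Uninstall from ASA FirePOWER (ASDM Managed), come down to the same shell steps once you are in expert mode: find the uninstaller in the platform's upgrade directory, leave the signed .tar untouched, run install_update.pl with --detach unless you are on the console, then tail update.status. The following POSIX shell script is an added example, not Cisco's own tooling: it resolves the directory, package name and log path for a platform, fails closed if the package is missing, ambiguous or already untarred, and prints the exact command it would run. Nothing is executed unless you pass --run. The platform keywords, the --run flag, the UPDATES_DIR override (used only so the script can be exercised away from an appliance) and the use of SSH_CONNECTION to detect an SSH session are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the Cisco release notes): a guard around the device
# uninstall command from step 5 of the procedures. Platform keywords, --run,
# UPDATES_DIR and the SSH_CONNECTION check are this script's own conventions.
# Usage: sh device_uninstall.sh <platform> [<patch-version>] [--run]
#   platforms: fmc fp1k fp2k ssp ftd ngips-7k8k ngipsv asa-sfr

updates_dir() {   # upgrade directory, per "Uninstall Packages"
  case $1 in fp1k|fp2k|ssp|ftd) echo /ngfw/var/sf/updates ;; *) echo /var/sf/updates ;; esac
}
status_log() {    # log file tailed in step 6
  case $1 in fp1k|fp2k|ssp|ftd) echo /ngfw/var/log/sf/update.status ;; *) echo /var/log/sf/update.status ;; esac
}
uninstaller_prefix() {   # package name stem, per the Uninstall Packages table
  case $1 in
    fmc)        echo Cisco_Firepower_Mgmt_Center_Patch_Uninstaller ;;
    fp1k)       echo Cisco_FTD_SSP_FP1K_Patch_Uninstaller ;;
    fp2k)       echo Cisco_FTD_SSP_FP2K_Patch_Uninstaller ;;
    ssp)        echo Cisco_FTD_SSP_Patch_Uninstaller ;;
    ftd)        echo Cisco_FTD_Patch_Uninstaller ;;
    ngips-7k8k) echo Cisco_Firepower_NGIPS_Appliance_Patch_Uninstaller ;;
    ngipsv)     echo Cisco_Firepower_NGIPS_Virtual_Patch_Uninstaller ;;
    asa-sfr)    echo Cisco_Network_Sensor_Patch_Uninstaller ;;
    *) echo "unknown platform: $1" >&2; return 1 ;;
  esac
}

# find_uninstaller DIR PREFIX [VERSION]: print the one signed .tar package.
# Fails if none or several match, or if a sibling without .tar (or without
# .REL) exists, which means someone already untarred the signed package.
find_uninstaller() {
  dir=$1; prefix=$2; ver=${3:-}
  if [ -n "$ver" ]; then set -- "$dir/$prefix-$ver-"*.sh.REL.tar
  else set -- "$dir/$prefix-"*.sh.REL.tar; fi
  if [ ! -e "$1" ]; then
    echo "no $prefix-${ver:-<version>}-<build>.sh.REL.tar in $dir; contact Cisco TAC" >&2; return 1
  fi
  if [ $# -ne 1 ]; then
    echo "several uninstallers in $dir match; pass the exact patch version" >&2; return 1
  fi
  pkg=$1; stem=${pkg%.tar}
  for unpacked in "$stem" "${stem%.REL}"; do
    if [ -e "$unpacked" ]; then
      echo "$unpacked exists: the signed package was untarred; use only the original .tar" >&2; return 1
    fi
  done
  echo "$pkg"
}

# build_uninstall_cmd PKG: the step 5 command. --detach is added when the
# session came in over SSH (assumption: sshd set SSH_CONNECTION and the
# expert shell inherited it); on a console session it is left out.
build_uninstall_cmd() {
  if [ -n "${SSH_CONNECTION:-}" ]; then echo "sudo install_update.pl --detach $1"
  else echo "sudo install_update.pl $1"; fi
}

# run_uninstall PLATFORM [VERSION] [--run]
run_uninstall() {
  platform=$1; shift
  version=""; mode=dry-run
  for arg; do case $arg in --run) mode=--run ;; *) version=$arg ;; esac; done
  prefix=$(uninstaller_prefix "$platform") || return 1
  pkg=$(find_uninstaller "${UPDATES_DIR:-$(updates_dir "$platform")}" "$prefix" "$version") || return 1
  cmd=$(build_uninstall_cmd "$pkg")
  echo "package: $pkg"
  echo "command: $cmd"
  echo "monitor: tail -f $(status_log "$platform")"
  if [ "$mode" != --run ]; then
    echo "dry run only; add --run to start (no confirmation prompt, the device reboots)"
    return 0
  fi
  $cmd
}

if [ $# -ge 1 ]; then run_uninstall "$@"; fi
```

Run it in expert mode after the prechecks, first without --run to see the package and command it resolved, then with --run once you are satisfied; remember that the real command reboots the device with no confirmation. The ambiguity check matters when more than one 6.4.0.x patch has been applied over time, since each leaves its own uninstaller in the directory and only the one for the currently running patch returns you to the version you upgraded from.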
Uninstall Packages
When you patch a Firepower appliance, the uninstaller for that patch is automatically created in the upgrade directory:
• /ngfw/var/sf/updates on FTD devices
• /var/sf/updates on the FMC and all other devices (7000/8000 series, ASA FirePOWER, NGIPSv)
If the package is not in the upgrade directory (for example, if you manually deleted it), contact Cisco TAC. Do not untar signed (.tar) packages.
Platform | Package
FMC/FMCv | Cisco_Firepower_Mgmt_Center_Patch_Uninstaller-version-build.sh.REL.tar
Firepower 1000 series | Cisco_FTD_SSP_FP1K_Patch_Uninstaller-version-build.sh.REL.tar
Firepower 2100 series | Cisco_FTD_SSP_FP2K_Patch_Uninstaller-version-build.sh.REL.tar
Firepower 4100/9300 chassis | Cisco_FTD_SSP_Patch_Uninstaller-version-build.sh.REL.tar
ASA 5500-X series with FTD; ISA 3000 with FTD; FTDv | Cisco_FTD_Patch_Uninstaller-version-build.sh.REL.tar
Firepower 7000/8000 series | Cisco_Firepower_NGIPS_Appliance_Patch_Uninstaller-version-build.sh.REL.tar
NGIPSv | Cisco_Firepower_NGIPS_Virtual_Patch_Uninstaller-version-build.sh.REL.tar
ASA FirePOWER | Cisco_Network_Sensor_Patch_Uninstaller-version-build.sh.REL.tar
Chapter 6: Freshly Install Version 6.4.0
If you are unable to upgrade a Firepower appliance, or are disinclined to follow the required upgrade path, you can freshly install major Firepower releases. To run a particular patch, install Version 6.4.0, then upgrade.
• Deciding to Freshly Install, on page 47
• Guidelines and Limitations for Fresh Installs, on page 48
• Unregistering Smart Licenses, on page 50
• Installation Instructions, on page 52
Deciding to Freshly Install
Use this table to identify scenarios where you need to freshly install (also called reimaging). In all of these scenarios—including switching device management between local and remote—you will lose device configurations.
Note: Always address licensing concerns before you reimage or switch management. If you are using Cisco Smart Licensing, you must unregister from the Cisco Smart Software Manager (CSSM) to avoid accruing orphan entitlements. These can prevent you from reregistering.
Table 35: Scenarios: Do You Need a Fresh Install?
Scenario: Upgrade FMC-managed devices from a much older Firepower version.
Solution: The upgrade path from older versions can include intermediate versions. Especially in larger deployments where you must alternate FMC and device upgrade, this multi-step process can be time consuming. To save time, you can reimage older devices instead of upgrading:
1. Remove the devices from the FMC.
2. Upgrade the FMC only to its target version.
3. Reimage the devices. If you need to reimage a 7000/8000 series device running Version 5.x, see Guidelines and Limitations for Fresh Installs, on page 48.
4. Re-add the devices to the FMC.
Licensing: Removing devices from the FMC unregisters them. Reassign licenses after you re-add the devices.
Scenario: Change FTD management from FDM to FMC (local to remote).
Solution: Use the configure manager CLI command; see Command Reference for Firepower Threat Defense.
Licensing: Unregister the device before you switch management. Reassign its license after you add it to the FMC.
Scenario: Change FTD management from FMC to FDM (remote to local).
Solution: Use the configure manager CLI command; see Command Reference for Firepower Threat Defense. Exception: The device is running or was upgraded from Version 6.0.1. In this case, reimage.
Licensing: Remove the device from the FMC to unregister it. Reregister using FDM.
Scenario: Change ASA FirePOWER management between ASDM and FMC.
Solution: Start using the other management method.
Licensing: Contact Sales for new Classic licenses. ASA FirePOWER licenses are associated with a specific manager.
Scenario: Replace ASA FirePOWER with FTD on the same physical device.
Solution: Reimage.
Licensing: Convert Classic to Smart licenses; see the Firepower Management Center Configuration Guide.
Scenario: Replace NGIPSv with FTDv.
Solution: Reimage.
Licensing: Contact Sales for new Smart licenses.
Scenario: Uninstall an FTD patch with FDM.
Solution: Reimage. You cannot uninstall patches in FDM deployments.
Licensing: Unregister the device before you reimage. Reregister after.
Guidelines and Limitations for Fresh Installs
Careful planning and preparation can help you avoid missteps. Even if you are familiar with Firepower releases and have previous experience reimaging Firepower appliances, make sure you read these guidelines and limitations, as well as the instructions linked in Installation Instructions, on page 52.
Back Up Event and Configuration Data
We strongly recommend you back up to an external location and verify transfer success. Reimaging returns most settings to factory defaults, including the system password (Admin123).
Note, however, if you are reimaging so that you don't have to upgrade, you cannot use a backup to import your old configurations. You can restore a backup only from an appliance of the same model and Firepower version, with the same VDB.
As the first step in any backup, note the patch level and VDB version. Before you restore a backup, you must update the reimaged appliance to exactly those versions.
Remove Devices from the Firepower Management Center
Always remove devices from remote management before you reimage. If you are:
• Reimaging the FMC, remove all its devices from management.
• Reimaging a single device or switching from remote to local management, remove that one device.
Address Licensing Concerns
Before you reimage any Firepower appliance, address licensing concerns. You may need to unregister from the Cisco Smart Software Manager, or you may need to contact Sales for new licenses. See Deciding to Freshly Install to determine what you need to do, depending on your scenario.
For more information on licensing, see:
• Cisco Firepower System Feature Licenses Guide
• Frequently Asked Questions (FAQ) about Firepower Licensing
• The licensing chapter in your Configuration Guide.
Appliance Access
Reimaging returns most settings to factory defaults.
If you do not have physical access to an appliance, the reimage process lets you keep management network settings. This allows you to connect to the appliance after you reimage to perform the initial configuration. If you delete network settings, you must have physical access to the appliance. You cannot use Lights-Out Management (LOM).
Note: Reimaging to an earlier major version automatically deletes network settings. In this rare case, you must have physical access.
For devices, make sure traffic from your location does not have to traverse the device itself to access the device's management interface. In FMC deployments, you should also be able to access the FMC management interface without traversing the device.
Sharing Data with Cisco
Some features involve sharing data with Cisco.
In 6.2.3+, Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you with technical support. During initial setup, you may be asked to accept or decline participation. You can also opt in or out at any time.
In 6.2.3+, Web analytics tracking sends non-personally-identifiable usage data to Cisco, including but not limited to page interactions, browser versions, product versions, user location, and management IP addresses or hostnames of your FMCs. Web analytics tracking is on by default, but you can opt out at any time after you complete initial setup.
In 6.5.0+, Cisco Support Diagnostics (sometimes called Cisco Proactive Support) sends configuration and operational health data to Cisco, and processes that data through our automated problem detection system, allowing us to proactively notify you of issues. This feature also allows Cisco TAC to collect essential information from your devices during the course of a TAC case. During initial setup, you may be asked to accept or decline participation. You can also opt in or out at any time.
Reimaging Firepower 1000/2100 Series Devices to Earlier Major Versions
We recommend that you perform a complete reimage if you need to revert a Firepower 1000/2100 series device to an earlier major version. If you use the erase configuration method, FXOS may not revert along with the Firepower Threat Defense software. This can cause failures, especially in high availability deployments.
For more information, see the reimage procedures in the Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 Series Running Firepower Threat Defense.
Reimaging Version 5.x Hardware to Version 6.3.0+
The renamed installation packages in Version 6.3+ cause issues with reimaging older physical appliances: FMC 750, 1500, 2000, 3500, and 4000, as well as 7000/8000 series devices and AMP models. If you are currently running Version 5.x and need to freshly install Version 6.4.0, rename the installation package to the "old" name after you download it; see the Renamed Upgrade and Installation Packages information in the Cisco Firepower Release Notes, Version 6.3.0.
After you reimage an FMC (Defense Center) from Version 5.x to a more recent version, it cannot manage its older devices. You should also reimage those devices, then re-add them to the FMC. Note that Series 2 devices are EOL and cannot run Firepower software past Version 5.4.0.x. You must replace them.
Unregistering Smart Licenses
Firepower Threat Defense devices, whether locally (Firepower Device Manager) or remotely (Firepower Management Center) managed, use Cisco Smart Licensing. To use licensed features, you must register with Cisco Smart Software Manager (CSSM). If you later decide to reimage or switch management, you must unregister to avoid accruing orphan entitlements. These can prevent you from reregistering.
Unregistering removes the appliance from your virtual account and releases associated licenses so they can be reassigned. When you unregister an appliance, it enters Enforcement mode. Its current configuration and policies continue to work as-is, but you cannot make or deploy any changes.
Manually unregister from CSSM before you:
• Reimage a Firepower Management Center that manages FTD devices.
• Reimage a Firepower Threat Defense device that is locally managed by FDM.
• Switch a Firepower Threat Defense device from FDM to FMC management.
Automatically unregister from CSSM when you remove a device from the FMC so you can:
• Reimage a Firepower Threat Defense device that is managed by an FMC.
• Switch a Firepower Threat Defense device from FMC to FDM management.
Note that in these two cases, removing the device from the FMC is what automatically unregisters the device. You do not have to unregister manually as long as you remove the device from the FMC.
Tip
Classic licenses for NGIPS devices are associated with a specific manager (ASDM/FMC), and are not controlled using CSSM. If you are switching management of a Classic device, or if you are migrating from an NGIPS deployment to an FTD deployment, contact Sales.
Unregister a Firepower Management Center
Unregister a Firepower Management Center from the Cisco Smart Software Manager before you reimage the FMC. This also unregisters any managed Firepower Threat Defense devices.
If the FMC is configured for high availability, licensing changes are automatically synchronized. You do not need to unregister the other FMC.
Step 1 Log into the Firepower Management Center.
Step 2 Choose System > Licenses > Smart Licenses.
Step 3 Next to Smart License Status, click the stop sign icon.
Step 4 Read the warning and confirm that you want to unregister.
Unregister an FTD Device Using FDM
Unregister locally managed Firepower Threat Defense devices from the Cisco Smart Software Manager before you either reimage or switch to remote (FMC) management.
If the device is configured for high availability, you must log into the other unit in the high availability pair to unregister that unit.
Step 1 Log into the Firepower Device Manager.
Step 2 Click Device, then click View Configuration in the Smart License summary.
Step 3 Select Unregister Device from the gear drop-down list.
Step 4 Read the warning and confirm that you want to unregister.
Installation Instructions
Neither the release notes nor the upgrade guide contain installation instructions. Instead, see one of the following documents. Installation packages are available on the Cisco Support & Download site.
Table 36: Firepower Management Center Installation Instructions (FMC Platform: Guide)
• FMC 1600, 2600, 4600: Cisco Firepower Management Center 1600, 2600, and 4600 Hardware Installation Guide: Restoring a Firepower Management Center to Factory Defaults
• FMC 1000, 2500, 4500: Cisco Firepower Management Center Getting Started Guide for Models 1000, 2500, and 4500: Restoring a Firepower Management Center to Factory Defaults
• FMC 750, 1500, 3500 and FMC 2000, 4000: Cisco Firepower Management Center Getting Started Guide for Models 750, 1500, 2000, 3500 and 4000: Restoring a Firepower Management Center to Factory Defaults
• FMCv: Cisco Firepower Management Center Virtual Getting Started Guide
Table 37: Firepower Threat Defense Installation Instructions (FTD Platform: Guide)
• Firepower 1000/2100 series: Cisco ASA and Firepower Threat Defense Reimage Guide; Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 Series Running Firepower Threat Defense
• Firepower 4100/9300 chassis: Cisco Firepower 4100/9300 FXOS Configuration Guides: Image Management chapters; Cisco Firepower 4100 Getting Started Guide; Cisco Firepower 9300 Getting Started Guide
• ASA 5500-X series: Cisco ASA and Firepower Threat Defense Reimage Guide
• ISA 3000: Cisco ASA and Firepower Threat Defense Reimage Guide
• FTDv: VMware: Cisco Firepower Threat Defense Virtual for VMware Getting Started Guide
• FTDv: KVM: Cisco Firepower Threat Defense Virtual for KVM Deployment Getting Started Guide
• FTDv: AWS: Cisco Firepower Threat Defense Virtual Quick Start Guide for the AWS Cloud
• FTDv: Azure: Cisco Firepower Threat Defense Virtual for the Microsoft Azure Cloud Quick Start Guide
Table 38: Firepower 7000/8000 Series, NGIPSv, and ASA FirePOWER Installation Instructions (NGIPS Platform: Guide)
• Firepower 7000 series: Cisco Firepower 7000 Series Getting Started Guide: Restoring a Device to Factory Defaults
• Firepower 8000 series: Cisco Firepower 8000 Series Getting Started Guide: Restoring a Device to Factory Defaults
• NGIPSv: Cisco Firepower NGIPSv Quick Start Guide for VMware
• ASA FirePOWER: Cisco ASA and Firepower Threat Defense Reimage Guide; ASDM Book 2: Cisco ASA Series Firewall ASDM Configuration Guide: Managing the ASA FirePOWER Module
CHAPTER 7
Documentation
The following topics provide links to Firepower documentation:
• Updated Documentation for Version 6.4.0.x, on page 55
• Documentation Roadmaps, on page 55
Updated Documentation for Version 6.4.0.x
The following Firepower documentation was updated for at least one Version 6.4.0.x patch:
• Cisco Firepower Compatibility Guide
• Cisco Firepower Management Center Upgrade Guide
• Firepower Management Center Configuration Guide, Version 6.4 and online help
For links to documentation not updated or newly available with this release, see the Documentation Roadmaps, on page 55.
Documentation Roadmaps
Documentation roadmaps provide links to currently available and legacy documentation:
• Navigating the Cisco Firepower Documentation
• Navigating the Cisco ASA Series Documentation
• Navigating the Cisco FXOS Documentation
CHAPTER 8
Resolved Issues
Bugs listed for a patch were verified as resolved when that patch was initially released.
Note
For your convenience, this document provides lists of resolved bugs for each patch. These lists are auto-generated once and are not subsequently updated. Depending on how and when a particular resolved issue was categorized or updated in our system, it may not appear in the release notes. You should regard the Cisco Bug Search Tool as the 'source of truth.'
• Searching for Resolved Issues, on page 57
• Resolved Issues in New Builds, on page 58
• Version 6.4.0.8 Resolved Issues, on page 58
• Version 6.4.0.7 Resolved Issues, on page 61
• Version 6.4.0.6 Resolved Issues, on page 61
• Version 6.4.0.5 Resolved Issues, on page 63
• Version 6.4.0.4 Resolved Issues, on page 64
• Version 6.4.0.3 Resolved Issues, on page 68
• Version 6.4.0.2 Resolved Issues, on page 69
• Version 6.4.0.1 Resolved Issues, on page 71
Searching for Resolved Issues
If you have a support contract, you can use the Cisco Bug Search Tool to obtain an up-to-date list of resolved bugs for Firepower products. These general queries display resolved bugs for Firepower products running Version 6.4.0.x patches:
• Firepower Management Center
• Firepower Management Center Virtual
• ASA with FirePOWER Services
• NGIPSv
You can constrain searches to bugs affecting specific Firepower platforms and versions. You can also searchby bug ID, or for specific keywords.
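The same question, "which Version 6.4.0.x patch first lists this bug ID as resolved, and what is the lowest patch that covers all the bugs I care about", can be answered offline against the per-patch tables in this chapter. The Python script below is an added example, not Cisco's code or tooling. It embeds a constructed excerpt of those tables (only bug IDs that appear in this chapter), never recommends the withdrawn Version 6.4.0.6 build as a target (the Version 6.4.0.6 note says its fixes are carried by 6.4.0.7), and assumes, as an assumption the release notes do not state, that each patch carries the fixes of the earlier ones. The function names and the placeholder ID CSCzz00000 are invented for the example.

```python
"""Offline lookup of the first Version 6.4.0.x patch that lists a bug as resolved.

Added example, not Cisco's code. RESOLVED is a constructed excerpt of the
resolved-issues tables in this chapter; the helper names are hypothetical.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed excerpt: patch version -> bug IDs listed in that patch's table.
RESOLVED: Dict[str, List[str]] = {
    "6.4.0.2": ["CSCvk06386", "CSCvn57284"],
    "6.4.0.3": ["CSCvp01542", "CSCvp10132"],
    "6.4.0.4": ["CSCvo29989", "CSCvo78789", "CSCvo87985"],
    "6.4.0.5": ["CSCvq39083", "CSCvq56138"],
    "6.4.0.6": ["CSCvp33341", "CSCvp76944", "CSCvq46443", "CSCvq53915"],
    "6.4.0.7": ["CSCvh75756", "CSCvr95287", "CSCvs32023"],
    "6.4.0.8": ["CSCvh75756", "CSCvq73599", "CSCvr85295", "CSCvs32023"],
}

# Builds the notes say were withdrawn from the download site; their fixes are
# carried by the next patch, so they are never recommended as a target.
WITHDRAWN: Set[str] = {"6.4.0.6"}

# Cisco bug IDs are "CSC" + two letters + five digits, e.g. CSCvr95287.
BUG_ID = re.compile(r"^CSC[a-z]{2}\d{5}$")


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric sort key: 6.4.0.10 sorts after 6.4.0.8 (string order gets this wrong)."""
    return tuple(int(part) for part in version.split("."))


def patches_listing(bug_id: str, resolved: Dict[str, List[str]] = RESOLVED) -> List[str]:
    """Every patch whose table names bug_id, oldest first."""
    if not BUG_ID.match(bug_id):
        raise ValueError(f"not a Cisco bug ID: {bug_id!r}")
    return sorted((p for p, ids in resolved.items() if bug_id in ids), key=version_key)


def first_patch_resolving(bug_id: str, resolved: Dict[str, List[str]] = RESOLVED) -> Optional[str]:
    """Earliest patch that lists bug_id, or None when no table here lists it."""
    found = patches_listing(bug_id, resolved)
    return found[0] if found else None


def minimum_patch_for(bug_ids: Iterable[str],
                      resolved: Dict[str, List[str]] = RESOLVED,
                      withdrawn: Set[str] = WITHDRAWN) -> Tuple[Optional[str], List[str]]:
    """Lowest non-withdrawn patch covering every listed bug, plus the IDs no table lists.

    ASSUMPTION (not stated by the release notes): a later patch carries the fixes of
    the earlier ones, so the highest per-bug first patch covers all of them.
    """
    needed: List[str] = []      # first patch for each bug that some table lists
    unresolved: List[str] = []  # bugs no table in the excerpt lists
    for bug_id in bug_ids:
        first = first_patch_resolving(bug_id, resolved)
        if first is None:
            unresolved.append(bug_id)
        else:
            needed.append(first)
    if not needed:
        return None, unresolved
    floor = max(needed, key=version_key)
    available = sorted((p for p in resolved if p not in withdrawn), key=version_key)
    for patch in available:
        if version_key(patch) >= version_key(floor):
            return patch, unresolved
    return None, unresolved  # floor was withdrawn and no later patch is listed


if __name__ == "__main__":
    # CSCzz00000 is a made-up placeholder to show the "not listed" path.
    wanted = ["CSCvr95287", "CSCvq46443", "CSCvo29989", "CSCzz00000"]
    for b in wanted:
        print(b, "->", first_patch_resolving(b))
    print("target patch, unresolved:", minimum_patch_for(wanted))
```

Two details matter in practice: versions must be compared numerically, because as strings "6.4.0.10" sorts before "6.4.0.8"; and a bug listed for a withdrawn build (here CSCvq46443 in 6.4.0.6) should be reported against the next available patch, which is what the notes themselves recommend.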
Resolved Issues in New Builds
Sometimes Cisco releases updated builds. In most cases, only the latest build for each platform is available on the Cisco Support & Download site. We strongly recommend you use the latest build. If you downloaded an earlier build, do not use it.
You cannot upgrade from one build to another for the same Firepower version. If a new build would fix your issue, determine if an upgrade or hotfix would work instead. If not, contact Cisco TAC. See the Cisco Firepower Hotfix Release Notes for quick links to publicly available Firepower hotfixes.
Use this table to determine if a new Version 6.4.0.x build is available for your platform.
Table 39: Version 6.4.0.x Patches with New Builds
Version: 6.4.0.2
New Build: 35
Released: 2019-07-03
Platforms: FMC/FMCv; FTD/FTDv, except Firepower 1000 series
Resolves: CSCvq34224: Firepower Primary Detection Engine process terminated after Manager upgrade. If you already upgraded to Version 6.4.0.2-34 and have FTD devices configured for high availability, apply Hotfix F. In FMC deployments, apply the hotfix to the FMC. In FDM deployments, apply the hotfix to both devices.
Version 6.4.0.8 Resolved Issues
Table 40: Version 6.4.0.8 Resolved Issues (Bug ID: Headline)
CSCul34972: DHCP Client Proxy doesn't disable after FO units are flipped
CSCva36446: ASA Stops Accepting Anyconnect Sessions/Terminates Connections Right After Successful SSL handshake
CSCvd33448: fireamp.pl using 100% Cpu after restore backup.
CSCvh75756: Duplicate preprocessor keyword: ssl
CSCvk55766: Try to assign devices to platform settings policy list of devices randomly disappear under policy
CSCvm85823: Not able to ssh, ssh_exec: open(pager) error on console
CSCvo74833: High unmanaged disk space on Firepower devices due to untracked files
CSCvp04134: Traceback in HTTP Cli Exec when upgrading to 9.12.1
CSCvp06526: Manage the sfhassd thread CPU affinity to match the Snort CPU affinity
CSCvp39970: /var/opt/CSCOpx/MDC/tomcat/log/stdout.logs writing excessive log messages which may fill the disk
CSCvp81083: ASA/Lina Traceback related to TLS/VPN
CSCvq10239: With SSL HW acceleration enabled, FTD TCP Proxy tears down the connection after 3 retransmissions
CSCvq14954: Slave unit having mgmt-only can't join to cluster
CSCvq29969: Firepower Recommendations rule count changes even when not regenerated
CSCvq34160: traceback and reload when establishing ASDM connection to fp1000 series platform
CSCvq43453: Overrides cannot be added for port object if it is used in variable sets in sub domains
CSCvq45105: ENH: Add "Management-access" to FDM flex-config CLI and a CLI-console API issue via SSE/CDO
CSCvq46587: After failover, Active unit tcp sessions are not removed when timeout reached
CSCvq50587: ASA/FTD may traceback and reload in Thread Name 'BGP Router'
CSCvq51284: FPR 2100, low block 9472 causes packet loss through the device.
CSCvq56257: Cached malware disposition does not always expire as expected
CSCvq67271: Retrieving an specfic rule by ID of a child Access Policy returns a 404 : Not Found status.
CSCvq73599: Cisco VPN session replay vulnerability : STRAP fix on ASA for SSL(OpenSSL 1.0.2) and SCEP proxy
CSCvq75634: Management interface configuration leads to immediate traceback and reload
CSCvq76198: Traffic interruptions for FreeBSD systems
CSCvq83019: Long processing time to insert policy deploy task if many application filter object used in ACPolicy
CSCvq87797: Multiple context 5585 ASA, transparent context losing mangement interface configuration.
CSCvq88644: Traceback in tcp-proxy
CSCvq95058: IPSEC SA is deleted by failover which is caused by link down
CSCvq97346: NAT rules deleted from FDM backend after moving NAT rules in UI and deploying
CSCvr04954: Stack Units: Deploy fails after upgrade on different Domain with unable to load NDPolicy obj err
CSCvr10777: ASA Traceback in Ikev2 Daemon
CSCvr11395: Only a subset of devices where deployed from a device group during scheduled deploy
CSCvr25768: ASA may traceback on display_hole_og
CSCvr25954: FTD/LINA Standby may traceback and reload during logging command replication from Active
CSCvr27445: App-sync failure if unit tries to join HA during policy deployment
CSCvr29638: HA FTD on FPR2110 traceback after deploy ACP from FMC
CSCvr29978: Changing a rule and saving quickly might remove configuration.
CSCvr36687: Overrides cannot be added for network object if it is used in variable sets in sub domains
CSCvr50266: Dual stack ASAv failover triggered by reload issue
CSCvr53058: AC policy lookup done for SYN+ACK packet when tcp-intercept and a monitor AC policy is configured
CSCvr54054: Mac Rewrite Occurring for Identity Nat Traffic
CSCvr55400: FTD/LINA traceback and reload observed in thread name: cli_xml_server
CSCvr59927: Deployment failure if SRU install is in progress
CSCvr60111: configurations getting wiped off from standby, while deployment fails on active
CSCvr61239: Information systems must use the POST method over TLS when transmitting
CSCvr61241: Information Systems implementing file upload feature must validate the file size
CSCvr61252: systems must enforce controls that prevent confidential information from being stored within cookie
CSCvr61492: device loading slow, related REST API calls
CSCvr66768: Lina Traceback during FTD deployment when PBR config is being pushed
CSCvr81457: FTD traceback when TLS tracker (tls_trk_sniff_for_tls) attempted to free a block.
CSCvr85295: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote
CSCvs10114: Nested network object group not getting expanded for NAP rules resulting in deployment failure
CSCvs23750: 6.4.0.4 FMC WebUI cannot create a Series-3 stack
CSCvs32023: Turn off egress-optimization processing
CSCvs53705: Anyconnect sessions limited incorrectly
Version 6.4.0.7 Resolved Issues
Table 41: Version 6.4.0.7 Resolved Issues (Bug ID: Headline)
CSCvh75756: Duplicate preprocessor keyword: ssl
CSCvr52109: FTD may not match correct Access Control rule following a deploy to multiple devices
CSCvr88123: multi-deploy causes a sudden drop of intrusion events
CSCvr95287: Cisco Firepower Management Center LDAP Authentication Bypass Vulnerability
CSCvs32023: Turn off egress-optimization processing
Version 6.4.0.6 Resolved Issues
Note
Version 6.4.0.6 was removed from the Cisco Support & Download site on 2019-12-19. If you are running this version, we recommend you upgrade. The bugs listed here are also fixed in Version 6.4.0.7.
Table 42: Version 6.4.0.6 Resolved Issues (Bug ID: Headline)
CSCvm48451: Intrusion Event Performance Graphs load blank on 4100 and 9300
CSCvn77388: SDI - SUSPENDED servers cause 15sec delay in the completion of a authentication with a good server
CSCvo11280: ASA Enhancement: Generate syslog message once member of the SDI cluster changes state
CSCvo28118: Traceback in VPN Clustering HA timer thread when member tries to join the cluster
CSCvo43795: OSPF Process ID doesnot change even after clearing OSPF process
CSCvo73250: ENH: ACE details for warning "found duplicate element"
CSCvo74397: ENH: Add process information to "Command Ignored, configuration in progress..."
CSCvo88762: FTD inline/transparent sends packets back through the ingress interface
CSCvp04186: cts import-pac tftp: syntax does not work
CSCvp12582: Option to display port number on access-list instead of well known port name on ASA
CSCvp23109: ASA HA IKEv2 generic RA - AnyConnect Premium All In Use incorrect on standby
CSCvp33341: Cisco ASA and Firepower Threat Defense Software WebVPN Cross-Site Scripting Vulnerability
CSCvp55901: LINA traceback on ASA in HA Active Unit repeatedly
CSCvp55941: FILE RESUME BLOCK being randomly thrown causing access issues on files from SMB share.
CSCvp56805: "Too much data during a write" messages flooding communication channel
CSCvp76944: Cisco ASA and FTD Software WebVPN CPU Denial of Service Vulnerability
CSCvp85736: Cluster master reload cause ping failure to the Management virtual IP
CSCvp87623: Upload an update gives "update request entity too large" error when using CAC (HTTPS Client Certs)
CSCvq05113: ASA failover LANTEST messages are sent on first 10 interfaces in the configuration.
CSCvq09093: VPN Pre-deploy validations takes around 20 seconds for each device
CSCvq17263: FTD LINA traceback at DATAPATH-8-15821
CSCvq24494: FP2100 - Flow oversubscribing ring/CPU core causing disruption to working flows on FP2100 platforms
CSCvq28250: ENH: ASA Cluster debug for syn cookie issues
CSCvq36042: lost heartbeat causing reload
CSCvq39317: ASA is unable to verify the file integrity
CSCvq40943: FTD 4150 VPN s2s deployment failure with 6K spokes
CSCvq44665: FTD/ASA : Traceback in Datapath with assert snp_tcp_intercept_assert_disabled
CSCvq45000: Policy deployment to FP 8000 sensor is failing when NAT is configured
CSCvq46443: Cisco Firepower Management Center Stored Cross-Site Scripting Vulnerability
CSCvq53915: Cisco Firepower Management Center Multiple Cross-Site Scripting Vulnerabilities
CSCvq54667: SSL VPN may not be able to establish due to SSL negotiation issue
CSCvq57591: When only IP communication is disrupted on failover link LANTEST msg is not sent on data interfaces
CSCvq59702: Connection events stop coming from device after lost handshake message
CSCvq60131: ASA traceback observed when moving EZVPN spokes to the device.
CSCvq63024: Dual stacked ASAv manual failover issues
CSCvq64742: ASA5515-K9 standby traceback in Thread Name ssh
CSCvq65241: ASA Traceback on Saleen in Thread Name: IPv6 IDB
CSCvq65542: Disable asp load-balance per-packet functionality from fp2100 until all bugs fixed
CSCvq69111: Traceback: Cluster unit lina assertion in thread name:Cluster controller
CSCvq70468: ASA cluster does not flush OSPF routes
CSCvq70485: Slow "securityzones" REST API
CSCvq70775: FPR2100 FTD Standby unit leaking 9K blocks
CSCvq71217: High Disk Utilization due to mysql-server.err failing to rotate after CSCvn30118
CSCvq75743: ASA:BGP recursive route lookup for destination 3 hop away is failing.
CSCvq76533: F_RNA_EVENT_LIMIT for MC4000 should be 20 million
CSCvq77547: Connections fail to replicate in failover due to failover descriptor mis-match on port-channels
CSCvq80318: ASA generates incorrect error message about PCI cfg space when enumerating Internal-Data0/1
CSCvq81516: VPN events between 12 and 1 PM UTC are not displayed on the FMC
CSCvq83168: DNS lookup using mgmt VRF not possible because FMC doesn't allow interface after server address
CSCvq87703: Active device is not reporting correct peer state.
CSCvq91645: Flow Offload Hashing Change of Behavior
CSCvq92126: ASA traceback in Thread IPsec Message Handler
CSCvq94729: Deployment rollback causes momentary traffic drop when error in a LINA ONLY section of delta cli
CSCvr00892: where clause not working for external data base access
CSCvr07421: Policy deployment fails with 400+ interfaces in security zone due to incorrect formation of deployDB
Version 6.4.0.5 Resolved Issues
Table 43: Version 6.4.0.5 Resolved Issues (Bug ID: Headline)
CSCvh73096: Read sAMAccountUserName from ISE when it is available
CSCvp95663: InlineResult for IPS event missing metadata "Would have blocked"
CSCvp97061: URL Filtering Shows All URLs as Uncategorized
CSCvq32678: Upgrade anomalies result in policy deploy failure: NGFW_UPGRADE is missing in map file
CSCvq32681: Fail to Wire configuration disabled for multiple interface-pair inline-sets during FTD upgrades
CSCvq39083: Security Intelligence does not drop HTTPS connections to blacklisted URLs when SSL policy is enabled
CSCvq41936: Must disable and then re-enable SNMP in FMC UI after adding new user
CSCvq44594: Flooding of logs with message "Unknown HPQ rule key"
CSCvq46804: Unable to login with AD username containing upper case RADIUS
CSCvq46918: SNMPv3 User(s) deleted after upgrade
CSCvq54242: Warrning "There is an empty group in the source networks" in SSL policy
CSCvq56138: User login fails into FMC GUI for LDAP user if the password contains SPACE in the string
CSCvq56462: File policy not inspecting some malware document (.doc) and Adobe flash (.swf) files.
CSCvq65092: Slow device related REST API calls
CSCvq66217: FMT | MTU value not within the permissible range
CSCvr23858: Policy deployment from FMC to FTD fails due to domain_snapshot_timeout (20m)
Version 6.4.0.4 Resolved Issues
Table 44: Version 6.4.0.4 Resolved Issues (Bug ID: Headline)
CSCvf83160: Traceback on Thread Name: DATAPATH-2-1785
CSCvg29468: False positive for general microengine fault
CSCvh13869: ASA IKEv2 unable to open aaa session: session limit [2048] reached
CSCvj61580: ASA traceback with Thread: DATAPATH-8-2035
CSCvk22322: ASA Traceback (watchdog timeout) when syncing config from active unit (inc. cachefs_umount)
CSCvk26612: "default Keyring's certificate is invalid, reason: expired" health alert
CSCvk29685: Traceback in DATAPATH on ASA
CSCvm36362: Route tracking failure
CSCvm39901: ENH: ASA - support for more than 4 servers in multiple mode.
CSCvm40288: Port-Channel issues on HA link
CSCvm64400: IKEv2: IKEv2-PROTO-2: Failed to allocate PSH from platform
CSCvm68648: review of CVE-2016-8858 (OpenSSH) on Firepower software
CSCvn76875: Graceful Restart BGP does not work intermittently
CSCvn78593: Control-plane ACL doesn't work correctly on FTD
CSCvn78870: ASA Multicontext traceback and reload due to allocate-interface out of range command
CSCvn99658: FXOS lacp related logs pktmgr.out and lacp.out grows too large
CSCvo03700: ASA may traceback in thread logger when cluster is enabled on slave unit
CSCvo14961: ASA may traceback and reload while waiting for "dns_cache_timer" process to finish.
CSCvo29989: Cisco FirePower Threat Defense Information Disclosure Vulnerability
CSCvo31695: Traceback in threadname DATAPATH-0-1668 while freeing memory block
CSCvo45755: ASA SCP transfer to box stall mid-transfer
CSCvo47390: ASA traceback in thread SSH
CSCvo48838: Lina does not properly report the error for configuration line that is too long
CSCvo51265: SCP large file transfer to the box result in a traceback
CSCvo55809: ASA App stuck in installing state on few images
CSCvo65741: ASA: BGP routes is cleared on routing table after failover occur and bgp routes are changed
CSCvo66534: Traceback and reload citing Datapath as affected thread
CSCvo68184: management-only of diagnostic I/F on secondary FTD get disappeared
CSCvo74350: ASA may traceback and reload. Potentially related to WebVPN traffic
CSCvo74625: 6.4.0 - IPv6 routing doesn't work for WM and KP when mgmt gateway configure as data-interfaces
CSCvo78789: Cisco Adaptive Security Appliance Smart Tunnel Vulnerabilities
CSCvo80501: Standby Firewall reloads with a traceback upon doing a manual failover
CSCvo87930: HTTP with ipv6 using w3m is failing
CSCvo87985: ASA sends password in plain text for "copy" command
CSCvo90153: ASA unable to authenticate users with special characters via https
CSCvo90998: LACPDUs should not be sent to snort for inline-set interfaces
CSCvo97979: The delay command in interface configuration is modified after rebooted
CSCvp12052: ASA may traceback and reload. suspecting webvpn related
CSCvp14674: ASAv Azure: Route table BGP propagation setting reset when ASAv fails over
CSCvp19910: Unable to process gtpv1 identification req message for header TEID : 0
CSCvp19998: ASA drops GTPV1 SGSN Context Req message with header TEID:0
CSCvp23137: ASA/FTD generates syslog for missing SSD 2: /dev/sdb is present. Status: Inoperable.
CSCvp30447: Syslog alerts are not sent to server when Global Rule Thresholding is disabled on Intrusion Policy
CSCvp32617: "established tcp" does not work post 9.6.2
CSCvp35141: ASA sends invalid redirect response for POST request
CSCvp35384: IKEv2 RA Generic client - stuck outgoing asp table entry - traffic encrypted with stale SPI
CSCvp38530: Unable to configure more than 100 aaa-server group limit reached
CSCvp42275: CCM Infrastructure Update for WR8
CSCvp43066: DHCP NACK silently dropped by ASA sent from DHCP server if configured as DHCP relay
CSCvp46341: Fail-to-Wire (FTW) Ports fail to recover on 2100 Firepower platforms.
CSCvp49576: FTD Cluster traceback experienced when other unit leaves the Cluster
CSCvp54261: Audit syslog for SFR module/7000/8000 devices uses TCP instead of UDP for syslog communication
CSCvp55880: Fail-Closed FTD passes packets through on Snort processes down
CSCvp59864: IP Address stuck in local pool and showing as "In Use" even when the AnyConnect client disconnects
CSCvp63068: Thread Name: CP DP SFR Event Processing traceback
CSCvp65134: ASA does not respond to DHCP request packet on BVI interface
CSCvp70020: After reboot, "ssh version 1 2" added to running-config
CSCvp70699: ASA Failover split brain (both units active) after rebooting a Firepower chassis
CSCvp71180: MCA+AAA+OTP with RADIUS challenge fails to send aggauth handle in challenge
CSCvp72412: Time zone in syslogs messages
CSCvp73555: rna_networks is empty after Network Discovery deployment.
CSCvp79157: FTD/Firepower Policy deployment fails when running simultaneous deployment to many devices.
CSCvp80775: Unsupported runtime JavaScript exception handling in the client side WebVPN rewriter
CSCvp83687: Firepower: Network file trajectory graph does not load
CSCvp84546: ASA 9.9.2 Clientless WebVPN - HTML entities are incorrectly decoded when processing HTML
CSCvq00005: FTD traceback and reload on LINA thread
CSCvq06790: Snort processes dump core with memory corruption on Series 3 devices
CSCvq08684: Policy Deployment Failure due to Special Characters & encoding
CSCvq08767: Deployment failing in snort validation- SMTP: Could not allocate SMTP mime mempool
CSCvq11513: Traceback: "saml identity-provider" command will crash multi-context ASAs
CSCvq12411: ASA may traceback due to SCTP traffic despite fix CSCvj98964
CSCvq13442: When deleting context the ssh key-exchange goes to Default GLOBALLY!
CSCvq21607: "ssl trust-point" command will be removed when restoring backup via CLI
CSCvq24134: ASA IKEv2 - ASA sends additional delete message after initiating a phase 2 rekey
CSCvq25626: Watchdog on ASAv when logging to buffer
CSCvq25912: Correlation rule alerting is not working in 6.4.0
CSCvq26794: GTP response messages with non existent cause are getting dropped with error message TID is 0
CSCvq27010: Memory leak observed when ASA-SFR dataplane communication flaps
CSCvq37902: TID fails to add source as a URL - Flat file
CSCvq39828: SFDC crashes inserting into packet_log table after upgrading to 6.4.0
CSCvq50314: Failed SSH Login attempts not being exported via syslog
CSCvq57710: Firepower Primary Detection Engine process might terminated after Manager upgrade
CSCvq61651: URL DB download failure alerts on FMC; new URL DB updates not taking effect on FMC/FDM
CSCvq86553: Traffic not matching expected ACP rule after updating to 6.4.0
CSCvq87068: Deleted URL Objects are not being removed from the ngfw.rules.
CSCvq97301: Fatal Error message in FMC GUI when upgrading 5525 from 6.4.0-102 > 6.4.0.4-31 but upgrade completes
Version 6.4.0.3 Resolved Issues
Table 45: Version 6.4.0.3 Resolved Issues (Bug ID: Headline)
CSCve24102: GUI should allow max 256 addresses per DHCP pool
CSCvp10132: AnyConnect connections fail with TCP connection limit exceeded error
CSCvp66559: Deploy fails on FTD HA due to exception when parsing big xml response
CSCvp25570: Unable to create RAVPN Conn-Profile if group-policy attr and FQDN are edited in the same wizard flow
CSCvp32659: FDM-HA formation has failed after upgrading to 6.3.0.3-69
CSCvp56910: Help pages always show up in English
CSCvo68448: ASA report SFR module as 'Unresponsive' after reloading ASA module on 5585 platform
CSCvp01542: FMC 6.3 Multitenancy/Domain LDAPS User/Group Download Failure Due to Certificate Location
CSCvp23579: Network FIle Trajectory page takes 90 seconds to load each time
CSCvp33052: Firepower 8000 interfaces might flap due to unhandled resource temporarily unavailable issue
CSCvp37779: FTD show tech from troubleshooting files incomplete
CSCvp46173: Changes in interface-group or interface-zone in subdomain overwrites Global domain.
CSCvp58028: natd thread of nfm_exceptiond uses about 90% to 100% CPU time
CSCvp72601: FMC UI: VPN Hub and Spoke topology slow loading
CSCvp72770: BCDB file copy from FMC on to vFTD getting truncated, vFTD running on Azure platform.
CSCvp75594: Deployment failure after upgrade to 6.4 in ASA5500-X running FTD
CSCvp94588: HTTP blacklist - blacklist rules are not removed from sensor when unassigned and deplyed from FMC
CSCvp97799: Policy deploy failure 6.5.0-1148 post upgrade with CCmode with openSSL call during SSL pol Export
CSCvp98066: On reset CD not clearing its flags[parseFailoverReqIssued] which prevents further node join attempts
CSCvq07914: FMC 6.4.0 - Policy deployment failure - Duplicate domain entries in domains.conf
CSCvq14586: 600_schema/100_update_database.sh should return error if database update fails
Version 6.4.0.2 Resolved Issues

Table 46: Version 6.4.0.2 Resolved Issues

Bug ID        Headline
CSCvi63474    Unable to edit the system policy of a SFR module via ASDM after upgrading to 6.2.2
CSCvk06386    FTD Files are Allowed Through Multiple Pre-existing Connections Despite the File Policy Verdict
CSCvk14242    sfstunnel process in FTD is holding large cloud db files that are already deleted
CSCvm70274    tcp proxy: ASA traceback on DATAPATH
CSCvn07452    712x devices become unstable when switching inline set from TAP to inline
CSCvn12381    4140 Multi-Instance Not Load-Balancing Correctly with 4 Instances
CSCvn34246    Loading AC policy editor takes too long, needs loading indicator
CSCvn45750    FMC Audit Logs will only display Admin and System as owners when deploying to 3D devices - GUI/SYSLOG
CSCvn57284    Unsupported EC curve x25519 on FTD
CSCvn74112    FTDv does not have configuration on initial bringup with mix of vmxnet3 and ixgbevf interfaces
CSCvn75368    FPR platform IPsec VPN goes down intermittently
CSCvn86777    Deployment on FTD with low memory results in interface nameif being removed
CSCvo02097    Upgrading ASA cluster to 9.10.1.7 causes traceback
CSCvo17775    EIGRP breaks when new sub-interface is added and "mac-address auto" is enabled
CSCvo23366    Deploy failed because adaptive profiling config file corrupt
CSCvo24145    ids_event_alerter high memory usage due to large firewall_rule_cache table
CSCvo33348    Mysql traffic on non standard port is not correctly classified
CSCvo33851    ngfwManager doesn't start if ngfw.properties is empty
CSCvo41572    FMC shows connection events with packet count as 0
CSCvo45209    FTD-CLUSTER: Adding new unit in cluster can cause traffic drop
CSCvo47562    VPN sessions failing due to PKI handles not freed during rekeys
CSCvo50168    Audit Log Settings Failing Leading to being unable to edit System Settings
CSCvo56836    SCALE: with 500+ devices, UMS causes the UI to hang, especially during deploy
CSCvo58847    Enhancement to address high IKE CPU seen due to tunnel replace scenario
CSCvo60580    ASA traceback and reloads when issuing "show inventory" command
CSCvo60862    Internal Error when editing an Access Control Policy
CSCvo62031    ASA Traceback and reload while running IKE Debug
CSCvo62060    Telemetry not sent when FMC managing lots of devices
CSCvo66920    Enhancement: add counter for Duplicate remote proxy
CSCvo72179    For SMB, remote storage configuration should allow configuring version string with dot (.)
CSCvo72462    Do not decrypt rule causes traffic interruptions
CSCvo74745    cloud agent core after generating a large number of continuous URL lookups (>30M)
CSCvo88188    SSL rules with App-ID conditions can limit decryption capability
CSCvo88306    NAT rules can get applied in the wrong order when you have duplicate rules
CSCvo89224    FMC times out after 10 mins to fetch device list for deployment
CSCvo90550    Firepower Recommendations does not enable IPS rules that are GID 3
CSCvo90805    Cisco Firepower Management Center RSS Cross-Site Scripting Vulnerabilities
CSCvp03498    Health monitoring options for user identity functionality on FMC
CSCvp07143    DTLS 1.2 and AnyConnect oMTU
CSCvp14576    ENH - Option to configure Port Block Allocation on FTD
CSCvp18878    ASA: Watchdog traceback in Datapath
CSCvp19549    FTD lina cored with Thread name: cli_xml_server
CSCvp21837    Allow FTDs to perform URL lookups directly without having to go through the FMC
CSCvp24728    Random SGT tags added by FTD
CSCvp24787    (snort) File is not getting detected when going over HTTPS (SSL Resign)
CSCvp25583    FTD automatically sets metric 0 when we redistribute OSPF into BGP via FMC GUI
CSCvp27263    Multiple ClamAV Vulnerabilities For Cisco Firepower Management Center for pre 6.5.0
CSCvp29692    FIPS mode gets disabled after rollback from a failed policy deploy
CSCvp35359    FMC-ISE integration doesn't work if explicit UPN doesn't match implicit UPN
CSCvp36425    ASA 5506/5508/5516 traceback in Thread Name octnic_hm_thread
CSCvp43474    REST API query /api/fmc_config/v1/domain/UUID/devices/devicerecords fails
CSCvp43536    On upgraded FMC, FXOS devices are shown dirty even after successful deployment
CSCvp54634    Wrong rule matched when using ambiguous DND
CSCvp58310    integrate pxgrid capability, connection hang, curl hang issues
CSCvp75098    Misleading deploy Warning message when Flex Config policy is being deployed
CSCvp78197    Policy deployment removes and adds back ospf neighbor
CSCvp81967    Slowness in loading Device Management page on FMC when there are over 500 managed devices
CSCvp82945    NAT policy apply failing with error duplicate
CSCvp96934    Ensure Error Message with Dup NATs Is Clear and Actionable
CSCvq07573    FMC Global Pre-deployment Phase takes longer after upgrade to 6.4
CSCvq09209    Policy deployment failed with error snort validation failed (Bad value specified for memcap)
CSCvq34224    Firepower Primary Detection Engine process terminated after Manager upgrade
Version 6.4.0.1 Resolved Issues

Table 47: Version 6.4.0.1 Resolved Issues

Bug ID        Headline
CSCvh51853    Random packet drops by session preprocessor
CSCvp59960    Network discovery not working with network groups containing literals - user or Cisco created
CHAPTER 9
Known Issues

For known issues, see:

• Searching for Known Issues, on page 73

Searching for Known Issues

If you have a support contract, you can use the Cisco Bug Search Tool to obtain an up-to-date list of open bugs for Firepower products. These general queries display open bugs for Firepower products running Version 6.4.0.x patches:

• Firepower Management Center
• Firepower Management Center Virtual
• ASA with FirePOWER Services
• NGIPSv

You can constrain searches to bugs affecting specific Firepower platforms and versions. You can also search by bug ID, or for specific keywords.
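The practical question behind the Resolved Issues tables and the version-constrained bug searches above is "does the build I am running carry the fix for bug X?". The script below is an added example, not Cisco tooling or anything shipped with Firepower: it parses version strings in the form these notes use (6.4.0.4-31, release plus optional build), holds a constructed subset of Tables 45 to 47 keyed by the patch whose table first lists each fix, and returns a verdict per bug ID. It assumes that patches within the 6.4.0 train are cumulative (a later 6.4.0.x includes the fixes of earlier ones) and refuses to decide for builds on another train or for IDs absent from the tables; absence from a Resolved Issues table means "not listed here", not "still open", which is exactly the case for which the Bug Search Tool query is needed. CSCxx00000 is a placeholder ID used only to exercise that path.

```python
"""Decide from the Resolved Issues tables whether a bug is fixed in a running
6.4.0.x build. Added example, not Cisco tooling; RESOLVED is a constructed
subset of Tables 45-47 and the cumulative-patch rule is an assumption."""
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed subset of Tables 45-47 (bug IDs copied from the release notes),
# keyed by the patch whose table first lists the fix.
RESOLVED: Dict[str, Set[str]] = {
    "6.4.0.1": {"CSCvh51853", "CSCvp59960"},
    "6.4.0.2": {"CSCvn57284", "CSCvo90805", "CSCvp27263", "CSCvp29692"},
    "6.4.0.3": {"CSCve24102", "CSCvp10132", "CSCvq07914"},
}

BUG_ID_RE = re.compile(r"^CSC[a-z]{2}\d{5}$")
# Version strings in these notes look like "6.4.0.4-31": dotted release, optional build.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+){1,3})(?:-(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """'6.4.0.4-31' -> ((6, 4, 0, 4), 31). Missing trailing fields become 0 so
    '6.4.0' and '6.4.0.0' compare equal; the build number is returned separately
    because it never decides which patch a fix belongs to."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized Firepower version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts.extend([0] * (4 - len(parts)))
    build = int(m.group(2)) if m.group(2) else 0
    return tuple(parts), build


def first_fix_version(bug_id: str) -> Optional[str]:
    """Lowest patch whose table lists bug_id, or None when no table does.
    None means 'not listed here', not 'still open': confirm in the Bug Search Tool."""
    if not BUG_ID_RE.match(bug_id):
        raise ValueError(f"malformed Cisco bug ID: {bug_id!r}")
    hits = [patch for patch, ids in RESOLVED.items() if bug_id in ids]
    if not hits:
        return None
    return min(hits, key=lambda patch: parse_version(patch)[0])


def is_resolved(running: str, bug_id: str) -> Optional[bool]:
    """True/False when the tables settle it, None when they cannot."""
    fix = first_fix_version(bug_id)
    if fix is None:
        return None
    run_ver, _ = parse_version(running)
    fix_ver, _ = parse_version(fix)
    # These tables cover only the 6.4.0 train; another train has its own notes.
    if run_ver[:3] != fix_ver[:3]:
        return None
    # Assumption: patches are cumulative, so a later 6.4.0.x carries earlier fixes.
    return run_ver >= fix_ver


def audit(running: str, bug_ids: Iterable[str]) -> Dict[str, str]:
    """Map each bug ID to a one-line verdict for the given running build."""
    verdicts: Dict[str, str] = {}
    for bug_id in bug_ids:
        fix = first_fix_version(bug_id)
        state = is_resolved(running, bug_id)
        if state is True:
            verdicts[bug_id] = f"resolved (first fixed in {fix})"
        elif state is False:
            verdicts[bug_id] = f"NOT resolved: upgrade to {fix} or later"
        else:
            verdicts[bug_id] = "undetermined: not in these tables, check the Bug Search Tool"
    return verdicts


if __name__ == "__main__":
    # CSCxx00000 is a placeholder ID used only to show the 'undetermined' path.
    for bug_id, verdict in audit("6.4.0.2", ["CSCvo90805", "CSCvp10132", "CSCxx00000"]).items():
        print(bug_id, verdict)
```

Feed audit() the running version from the FMC's Help > About page (or "show version" on the device) and the bug IDs from the advisory you are assessing; treat every "undetermined" line as a Bug Search Tool query, not as a pass.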
CHAPTER 10
For Assistance

Thank you for choosing Firepower.

• Online Resources, on page 75
• Contact Cisco, on page 75

Online Resources

Cisco provides online resources to download documentation, software, and tools, to query bugs, and to open service requests. Use these resources to install and configure Firepower software and to troubleshoot and resolve technical issues.

• Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html
• Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
• Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html

Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.

Contact Cisco

If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:

• Email Cisco TAC: tac@cisco.com
• Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
• Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts