Firepower System Release Notes
Supported Platforms and Compatibility
Management Platform-Managed Device Compatibility
New Features and Functionality
Features and Changed Functionality Introduced in Previous Versions
Before You Begin: Important Update and Compatibility Notes
Configuration and Event Backup Guidelines
Disk Performance Management and Longevity on Firepower 4100 Devices
Traffic Flow and Inspection During the Update
Audit Logging During the Update
Time and Disk Space Requirements for Updating to Version 6.0.1.3
Firepower Version Requirements for Updating to Version 6.0.1.3
Web Browser and Screen Resolution Compatibility in Version 6.0.1.3
Integrated Product Compatibility in Version 6.0.1.3
Updating Firepower Management Centers
Updating 7000 Series, 8000 Series, NGIPSv, and ASA FirePOWER
Updating Firepower Threat Defense Devices
Uninstalling the Update from a Managed Device
Uninstalling the Update from a Virtual Managed Device
Uninstalling the Update from a Firepower Threat Defense device
Uninstalling the Update from a Cisco ASA with FirePOWER Services
Uninstalling the Update from a Firepower Management Center
Uninstalling the Update from a Cisco ASA with FirePOWER Services Managed by ASDM
First Published: January 12, 2017
These release notes are valid for Version 6.0.1.3 of the Firepower System.
Even if you are familiar with the update process, make sure you thoroughly read and understand these release notes. They describe supported platforms, new and changed features and functionality, manager-device compatibility, and known and resolved issues. They also contain detailed information on prerequisites, warnings, and specific installation and uninstallation instructions.
Tip To access the full documentation for the Firepower System, see the documentation roadmap at http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html.
Supported platforms, minimum originating versions, and operating systems vary by version. For more information, see:
You can run Version 6.0.1.3 on the platforms specified in the following table. For minimum Firepower System version requirements, see Firepower Version Requirements for Updating to Version 6.0.1.3.
Management capability varies by version. The following tables detail available management platforms and the devices that those platforms can manage:
This section of the release notes summarizes the new and updated features and functionality included in Version 6.0.1.3 of the Firepower System:
The terminology used in Version 6.0.1.3 may differ from the terminology used in previous releases. For more information, see the Firepower Compatibility Guide.
To access the full documentation for the Firepower System, see the documentation roadmap at http://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html. In Version 6.0.1.3, the following documents were updated to reflect the addition of new features and changed functionality and to address reported documentation issues:
The documentation updated for Version 6.0.1.3 contains the following errors:
Note: The online help content may differ from the Firepower Management Center Configuration Guide content. The Firepower Management Center Configuration Guide content is updated more regularly than the online help.
Functionality described in previous versions may be superseded by other new functionality or updated through resolved issues. The following features and functionality were introduced in previous versions:
Most next-generation firewalls (NGFWs) focus heavily on enabling application control, but little on their threat defense capabilities. To compensate, some NGFWs try to supplement their first-generation intrusion prevention with a series of non-integrated add-on products. However, this approach does little to protect your business against the risks posed by sophisticated attackers and advanced malware. Further, once you do get infected, they offer no assistance in scoping the infection, containing it, and remediating quickly.
The Cisco Firepower™ Next-Generation Firewall (NGFW) is the industry’s first fully integrated, threat-focused NGFW. It delivers comprehensive, unified policy management of firewall functions, application control, threat prevention, and advanced malware protection from the network to the endpoint.
The Firepower Threat Defense software package can be deployed on Cisco Firepower 4100 and 9300 appliances to provide a performance and density optimized NGFW security platform for Internet edge and other high-performance environments. Firepower Threat Defense functionality added in this release includes device and interface management, routing, NAT, and device high availability, in addition to support for the full Firepower NGIPS offering.
This release introduces support for Firepower Threat Defense on the Firepower 4100 Series and the Firepower 9300, as well as on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X.
Stop more threats with our fully integrated next-generation firewall (NGFW) platform. The Firepower 4100 Series’ 1-rack-unit size is ideal at the Internet edge and in high-performance environments. It shows you what is happening on your network, detects attacks earlier so you can act faster, and reduces management complexity.
This carrier-grade platform is ideal for data centers and other high-performance settings that require low latency and high throughput. Deliver scalable, consistent security to workloads and data flows across physical, virtual, and cloud environments. With tightly integrated services, the Firepower 9300 lowers costs and supports open, programmable networks. The Firepower 9300 Series offers up to 1.2 Tbps clustered throughput, 10/40/100 GB network interfaces, up to 57 million concurrent connections with application control, and 500,000 new connections per second. Available features and services include a stateful firewall, application visibility and control, NGIPS, advanced malware protection, reputation-based URL filtering, and DDoS mitigation.
URL and DNS-based Security Intelligence
New Security Intelligence feeds based on URLs and Domain Name System (DNS) servers are provided to enhance the existing IP-based Security Intelligence capability. Currently, IP-based intelligence is used to control access to known malware, phishing, command & control, and Bot sites. New attack methods designed to defeat IP-based intelligence (e.g., fast flux) abuse DNS load balancing features in an effort to hide the actual IP address of a malicious server. While the IP addresses associated with the attack are frequently swapped in and out, the domain name will rarely change. The URL-based intelligence will supplement the IP-based intelligence in addressing this kind of attack, and the DNS-based intelligence will help identify known DNS servers that are complicit in these kinds of attacks. Access control policies can be created using these new intelligence feeds and new dashboards provide visibility and analysis. In addition, both URL-based and DNS-based Security Intelligence events will also feed in to the Indications of Compromise (IoC) correlation feature. These new feeds are provided through regular updates from the Cisco Talos Security Intelligence and Research Group and, like the IP-based Security Intelligence feature, are part of the base product and do not require a separate license.
The same way that attackers use the SSL protocol to hide their activity, attackers use the DNS protocol with the same intentions. For that reason, and as another way to address fast flux-type attacks, the Firepower system provides the ability to intercept DNS traffic requests and take appropriate action based on the policy setting. A DNS policy allows for requests to known command & control, spam, phishing, etc., sites to be blocked, to return a Domain Not Found
message, or have the traffic directed to a preconfigured sinkhole. This last option routes the traffic directly through the Firepower managed device and gives information about the endpoint that could result in an IoC alert.
SSL Decryption for Cisco ASA with FirePOWER Services Managed Via ASDM
Cisco’s next-generation firewall (NGFW), Cisco ASA with FirePOWER Services, now has the ability to locally manage SSL communications and decrypt the traffic before performing attack, application, and malware detection against it. This is the same capability we introduced in Version 5.4 for Cisco’s Firepower next-generation IPS (NGIPS) appliances. SSL decryption can be deployed in both passive and inline modes, and supports HTTPS and StartTLS-based applications (e.g., SMTPS, POP3S, FTPS, IMAPS, TelnetS). Decryption policies can be configured to exert granular control over encrypted traffic logging and handling, such as limiting decryption based on URL categories to enforce privacy concerns. It also provides the ability to block self-signed encrypted traffic, or on SSL version, specific Cipher Suites, and/or unapproved mobile devices.
Support for OpenAppID-Defined Applications
OpenAppID is Cisco’s open source, application-focused detection language that enables users to create, share and implement new application detection signatures for custom, localized, and cloud applications, without being dependent upon a NGFW vendor’s release cycle or roadmap. In Version 6.0, the Firepower application detection engine that identifies and controls access to over 3,000 applications has been enhanced to recognize OpenAppID-defined applications. In the same way that Snort was an effort to open source the intrusion detection game, OpenAppID is a way to open source the application detection game. Support for OpenAppID-defined applications demonstrates Cisco’s commitment to the open source initiatives and the flexibility that it provides to our customers.
Captive Portal and Active Authentication
In order to provide better visibility in mapping users to IP addresses and their associated network events, the Captive Portal and Active Authentication feature can be configured to require users to enter their credentials when prompted through a browser window. The mapping also allows policies to be based on a user or group of users. This feature supplements the existing Sourcefire User Agent (SUA) integration with Active Directory to address non-Windows environments, BYOD users, and guests.
Note: Cisco ASA with FirePOWER Services running ASA Version 9.5(2) and ASA Version 9.5(3) does not support the Captive Portal and Active Authentication feature.
Integration with Cisco Identity Services Engine (ISE)
The integration with Cisco ISE enhances the user identity data available to the system to use in analysis and policy control. By subscribing to Cisco’s Platform Exchange Grid (PxGrid), the Firepower Management Center is able to download additional user data, device type data, device location data, and Security Group Tags (SGTs—a method used by ISE to provide network access control). Beyond the added visibility into the users on your network, this data is also actionable intelligence because it extends the control you can provide by creating policies based on SGTs, or on device type, or any of the other information provided by ISE.
Note: In Version 6.0, you cannot use ISE to automatically quarantine an infected endpoint. This functionality will be added in a later release.
This feature provides the ability to identify popular/common malware directly on the Firepower appliance, and reduces the need to send files for dynamic analysis (sandboxing), either in the cloud or on-prem (see Integration with AMP Threat Grid). Using high-fidelity ClamAV signatures, files whose SHA-256 lookup return a disposition of Unknown
will be analyzed locally on the Firepower appliance to identify common characteristics associated with malware, reducing the need for dynamic analysis.
Because certain file types support nested content that can be used to hide malware, this feature provides local analysis of files to determine the viability of malware hidden within. For example, a PDF file can contain different types of files nested inside the file. A file composition report is then run that identifies if nested data exists within the file, what file types those nested files represent, and how likely each nested file is to contain malware. Based on this information, you can choose whether or not to send the file on for dynamic analysis.
Integration with AMP Threat Grid
Cisco’s acquisition of ThreatGrid in June 2014 increased our abilities in helping our customers address advanced persistent threats, and that technology has now been fully integrated in Firepower v6.0. AMP Threat Grid now provides our sandboxing capabilities in the cloud when using our AMP for Firepower option. Files sent to the cloud for dynamic analysis are securely analyzed and correlated against hundreds of millions of other analyzed malware artifacts to provide a global view of malware attacks, campaigns, and their distribution. Detailed reports identify key behavioral indicators and determine threat scores for faster prioritization and recovery from advanced attacks.
In addition, we have greatly expanded the file types we support for automatic dynamic analysis from just executable files to include PDF and Office documents.
To address the service provider market which must manage separate customer environments, as well as enterprises with acquisitions (resulting in overlapping IP addresses) or geographic business units that need to be managed separately, the Firepower Management Center now has the ability to create multiple management domains. These domains (up to 50) enable separate management environments and are administered using granular role-based access control (RBAC). Each domain provides separate event data, reporting, and network maps.
Policy Hierarchy and Inheritance
To support multiple domain management and make policy administration more efficient, Version 6.0 provides the ability to create a hierarchy of policies. Global policies (e.g., access control) can be established that will apply to all management environments. A policy hierarchy can then be constructed underneath the global policy level to represent different environments, different companies, different business units, or different parts of the organization. Each of these policy environments will inherit the policies of the hierarchy above it, allowing for more consistent and efficient policy management.
Expanded ASDM Management Availability
Cisco’s Adaptive Security Device Manager (ASDM) is the local management feature for Cisco ASA with FirePOWER Services. It was introduced as part of the Cisco ASA 5506-X, ASA 5508-X, and ASA 5516-X appliances. With Firepower v6.0, ASDM is now available on the remaining Cisco ASA with FirePOWER Services appliances (ASA 5512-X / ASA 5515-X / ASA 5525-X / ASA 5545-X / ASA 5555-X / ASA 5585-X).
Before you begin the update process for Version 6.0.1.3, you should familiarize yourself with the behavior of the system during the update process, as well as with any compatibility issues or required pre- or post-update configuration changes.
For more information, see the following sections:
Before you begin the update, Cisco strongly recommends that you delete or move any backup files that reside on your appliance, then back up current event and configuration data to an external location.
Before you begin the update, Cisco strongly recommends that you back up current event and configuration data to an external location. This data is not backed up as part of the update process.
Use the Firepower Management Center to back up event and configuration data for itself and the devices it manages. For more information on the backup and restore feature, see the Firepower Management Center Configuration Guide.
Note: The Firepower Management Center purges locally stored backups from previous updates. To retain archived backups, store the backups externally.
Version 6.0.1.3 does not support AMP for Firepower signature lookups with the private AMP cloud. In Version 6.0, the system automatically submits SHA-256 signatures to the public AMP cloud. If you have a private AMP cloud and are receiving events from endpoints, the Version 6.0 Firepower Management Center will continue to receive those events without any additional changes to your configuration.
If you have a Firepower 4100 series device running Firepower Threat Defense, we recommend that you update to the latest version of the software (and at least Version 6.1.0) to take advantage of software updates that enhance disk management performance and disk longevity.
When you update your sensing devices, traffic either drops throughout the update or traverses the network without inspection depending on how your sensing devices are configured and deployed: routed or transparent, inline vs passive, bypass mode settings, and so on. We strongly recommend performing the update in a maintenance window or at a time when the interruptions will have the least impact on your deployment.
Note: When you update 8000 Series clusters or stack pairs, the system performs the update one device at a time to avoid traffic interruption. When you update clustered Cisco ASA with FirePOWER Services devices, apply the update one device at a time, allowing the update to complete before updating the second device.
This section discusses traffic behavior during the following update stages:
Traffic Behavior During the Update
The following table describes how updates, including related device reboots, affect traffic flow for different deployments. Note that appliances do not perform switching, routing, NAT, and VPN during the update process, regardless of how you configure any inline sets.
Traffic Behavior When Updating FXOS on Clustered Firepower Threat Defense Devices
Updating FXOS reboots the chassis, which drops traffic in a clustered environment until at least one module comes online.
Traffic Behavior During Configuration Deployment
During the upgrade process, you deploy configurations either twice (standalone devices) or three times (devices managed by the Firepower Management Center). When you deploy, resource demands may result in a small number of packets dropping without inspection. In most cases, the deployment immediately after the upgrade restarts the Snort process. During subsequent deployments, the Snort process restarts only if, before deploying, you modify specific policy or device configurations that always restart the process when deployed.
The following table describes how different devices handle traffic during Snort process restarts.
When updating appliances that have a web interface, after the system completes its pre-update tasks and the streamlined update interface page appears, login attempts to the appliance are not reflected in the audit log until the update process is complete and the appliance reboots.
The table below provides disk space and time guidelines for the Version 6.0.1.3 update. Note that when you use the Firepower Management Center to update a managed device, the Firepower Management Center requires additional disk space on its /Volume
partition.
The reboot portion of the update includes a database check. If errors are found during the database check, the update requires additional time to complete. System daemons that interact with the database do not run during the database check and repair.
Note: The closer your appliance’s current version to the release version (Version 6.0.1.3), the less time the update takes.
If you encounter issues with the progress of your update, contact TAC Support.
Appliances must be running the minimum versions specified in the following table in order to update to Version 6.0.1.3 of the Firepower System. For minimum operating system requirements and information about management platform-managed device compatibility, see Supported Platforms and Compatibility.
Note: A Firepower Management Center must be running at least Version 6.0.1.3 if you want to use it to update its managed devices to Version 6.0.1.3.
Note the following to optimize your experience using the web interface.
Version 6.0.1.3 of the web interface for the Firepower System has been tested on the browsers listed in the following table.
Note: The Chrome browser does not cache static content, such as images, CSS, or Javascript, with the system-provided self-signed certificate. This may cause the system to redownload static content when you refresh. To avoid this, add a self-signed certificate to the trust store of the browser/OS or use another web browser.
Note: If you use the Microsoft Internet Explorer 11 browser, you must disable the Include local directory path when uploading files to server option in your Internet Explorer settings via Tools > Internet Options > Security > Custom level.
JavaScript, cookies, Secure Sockets Layer (SSL) v3, 128-bit encryption, Active scripting security setting, Compatibility View, set Check for newer versions of stored pages to Automatically |
Note: Many browsers use Transport Layer Security (TLS) v1.3 by default. If you have an active SSL policy and your browser uses TLSv1.3, websites that support TLSv1.3 fail to load As a workaround, configure your managed device to remove extension 43 (TLS 1.3) from ClientHello negotiation. See this software advisory for more information.
Screen Resolution Compatibility
Cisco recommends selecting a screen resolution that is at least 1280 pixels wide. The user interface is compatible with lower resolutions, but a higher resolution optimizes the display.
The required versions for the following integrated products vary by Firepower System version:
For more information, see the Firepower System Compatibility Guide.
Before you begin the update, you must thoroughly read and understand these release notes, especially Supported Platforms and Compatibility and Before You Begin: Important Update and Compatibility Notes.
Updates can require large data transfers from the Firepower Management Center to managed devices. Before you begin, make sure your management network has sufficient bandwidth to successfully perform the transfer. See the Troubleshooting Tech Note at https://www.cisco.com/c/en/us/support/docs/security/ firepower-management-center/212043-Guidelines-for-Downloading-Data-from-the.html.
For minimum Firepower System version requirements, see Firepower Version Requirements for Updating to Version 6.0.1.3. To update your appliances, see the guidelines and procedures outlined below:
Because the update process may affect traffic inspection, traffic flow, and link state, Cisco strongly recommends you perform the update in a maintenance window or at a time when the interruption will have the least impact on your deployment.
Use the Firepower Management Center’s web interface to perform the update. Update the Firepower Management Center first, then use it to update the devices it manages.
Update your Firepower Management Centers before updating the devices they manage.
Firepower Threat Defense is new for Version 6.0 of the Firepower System. For information about installing the Firepower Threat Defense image Version 6.0.1.3 on supported ASA models, see the Cisco Firepower Threat Defense Quick Start Guide
Installing the Update on Paired Firepower Management Centers
Updating Firepower Management Center in a high availability pair is not supported in Version 6.0.X. In order to update Firepower Management Centers in a high availability environment, you must break the pair and update each Firepower Management Center individually. In order to update to Version 6.0.1.3, you must break the high availability pair.
Installing the Update on High Availability Devices
When you install an update on Firepower Threat Defense devices in a high availability pair, the system updates the devices one at a time. When the update starts, the system first applies it to the secondary device, which goes into maintenance mode until any necessary processes restart and the device is processing traffic again. The system then updates the primary device, which follows the same process.
When you update a Cisco ASA with FirePOWER Services high availability pair, apply the update one device at a time, allowing the update to complete before updating the second device.
Installing the Update on Stacked Devices
When you install an update on stacked devices, the system performs the updates simultaneously. Each device resumes normal operation when the update completes. Note that:
When you update clustered Firepower Threat Defense devices, the primary device completes the update after all of the secondary devices. You must reboot the device cluster before you deploy configuration from the Firepower Management Center.
After you perform the update on either the Firepower Management Center or managed devices, you must redeploy your configurations. For more information, see the Firepower Management Center Configuration Guide.
There are several additional post-update steps you should take to ensure that your appliances are performing properly. These include:
The next sections include detailed instructions not only on performing the update, but also on completing any post-update steps. Make sure you complete all of the listed tasks.
Use the procedure in this section to update your Firepower Management Centers, including Firepower Management Center Virtuals. For the Version 6.0.1.3 update, Firepower Management Centers reboot.
Note: Updating a Firepower Management Center to Version 6.0.1.3 removes existing uninstallers from the appliance.
To update a Firepower Management Center:
1. Read these release notes and complete any required pre-update tasks.
2. Download the update from the Support site:
Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
3. Upload the update to the Firepower Management Center by selecting System > Updates, then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload.
The update is uploaded to the Firepower Management Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated.
4. Make sure that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
5. Click the System Status icon, then click the Tasks tab and make sure that there are no tasks in progress.
You must wait until any long-running tasks are complete before you begin the update. After the system update completes, to reduce clutter, remove the messages for these tasks from the Message Center.
The Product Updates tab appears.
7. Click the install icon next to the update you uploaded.
The Install Update page appears.
8. Select the Firepower Management Center and click Install. Confirm that you want to install the update and reboot the Firepower Management Center.
The update process begins. To view the task status, click the System Status icon, then click on the Tasks tab. After the Firepower Management Center completes its necessary pre-update checks, you are logged out. When you log back in, the Upgrade Status page appears. The Upgrade Status page displays a progress bar and provides details about the script currently running.
If the update fails for any reason, the page displays an error message indicating the time and date of the failure, which script was running when the update failed, and instructions on how to contact TAC Support. Do not restart the update.
When the update completes, the Firepower Management Center displays a success message and reboots.
The update process begins. You can monitor the update's progress in the Tasks tab of the Firepower Message Center.
9. After the update finishes, clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.
10. Log into the Firepower Management Center.
11. Review and accept the End User License Agreement (EULA). Note that you are logged out of the appliance if you do not accept the EULA.
12. Select Help > About and confirm that the software version is listed correctly: Version 6.0.1.3. Also note the versions of the intrusion rule update and VDB on the Firepower Management Center; you will need this information later.
13. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
14. If the rule update available on the Support site is newer than the rules on your Firepower Management Center, import the newer rules. Do not auto-apply the imported rules at this time.
For information on rule updates, see the Firepower Management Center Configuration Guide.
15. If the VDB available on the Support site is newer than the VDB on your Firepower Management Center, install the latest VDB.
Installing a VDB update causes a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the Firepower Management Center Configuration Guide.
16. Redeploy your configurations to all managed devices.
Deployment may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the Firepower Management Center Configuration Guide.
17. If a patch for Version 6.0.1.3 is available on the Support site, apply the latest patch as described in the Firepower System Release Notes for that version.
You must update to the latest patch to take advantage of the latest enhancements and security fixes.
After you update your Firepower Management Centers to Version 6.0.1.3, use them to update the devices they manage.
You must use a Firepower Management Center running Version 6.0 to update any managed device that does not have its own web interface. For Cisco ASA with FirePOWER Services running on the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, or ASA 5516-X, you can update the module using the Firepower Management Center or connect to the ASA device and update the ASA FirePOWER module using local management via ASDM. For more information see the Cisco ASA with FirePOWER Services Local Management Release Notes.
Updating managed devices is a two-step process. First, download the update from the Support site and upload it to the managing Firepower Management Center. Next, install the software. You can update multiple devices at once, but only if they use the same update file.
When you update clustered Cisco ASA with FirePOWER Services, apply the update one device at a time, allowing the update to complete before updating the second device.
For the Version 6.0.1.3 update, all devices reboot. 7000 Series and 8000 Series devices do not perform traffic inspection, switching, routing, NAT, VPN, or related functions during the update. Firepower Threat Defense devices do not perform VPN functions. Depending on how your devices are configured and deployed, the update process may also affect traffic flow and link state. For more information, see Traffic Flow and Inspection During the Update.
Firepower Threat Defense is new for the Version 6.0 Firepower System. You can reimage your Cisco ASA with FirePOWER Services to use Firepower Threat Defense, or you can reimage Cisco ASA devices with Firepower Threat Defense to a supported ASA version. For information about installing a Version 6.0.1.3 Firepower Threat Defense image on supported ASA models, see the Cisco Firepower Threat Defense Quick Start Guide
To update 7000 Series, 8000 Series, NGIPSv, or ASA FirePOWER devices with the Firepower Management Center:
1. Read these release notes and complete any required pre-update tasks.
For more information, see Before You Begin: Important Update and Compatibility Notes.
2. Update the software on the devices’ managing Firepower Management Center; see Updating Firepower Management Centers.
3. Download the update from the Support site:
Note: Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
4. Upload the update to the Firepower Management Center by selecting System > Updates, then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload.
The update is uploaded to the Firepower Management Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated.
5. Make sure that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
6. Click the install icon next to the update you are installing.
The Install Update page appears.
7. Select the devices where you want to install the update.
If you are updating a stacked pair, selecting one member of the pair automatically selects the other. You must update members of a stacked pair together.
8. Click Install. Confirm that you want to install the update and reboot the devices.
9. The update process begins. Monitor the update's progress in the Firepower Management Center by clicking the System Status icon, then clicking the Tasks tab.
Managed devices may reboot twice during the update; this is expected behavior.
10. Select Devices > Device Management and confirm that the devices you updated have the correct software version: Version 6.0.1.3.
11. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
12. Redeploy your configurations to all managed devices.
Deployment may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the Firepower Management Center Configuration Guide, Version 6.0.
13. If a patch for Version 6.0.1.3 is available on the Support site, apply the latest patch as described in the release notes for that version.
After you update your Firepower Management Centers to Version 6.0.1.3, use them to update the devices they manage. You can update ASA devices and Firepower 9300 Security Appliances running the Firepower Threat Defense preview Version 6.0.0 to Version 6.0.1.3. This procedure documents update of Firepower Threat Defense running on at least Version 6.0.0. A Firepower Management Center must be running at least Version 6.0.1.3 to update Firepower Threat Defense devices to Version 6.0.1.3. Because they do not have a web interface, you must use the Firepower Management Center to update these devices.
Updating managed devices is a two-step process. First, download the update from the Support site and upload it to the managing Firepower Management Center. Next, install the software. You can update multiple devices at once, but only if they use the same update file.
To update your appliances, see the guidelines and procedures outlined below:
1. Read these release notes and complete any required pre-update tasks.
For more information, see Before You Begin: Important Update and Compatibility Notes.
2. Update the software on the devices’ managing Firepower Management Center; see Updating Firepower Management Centers.
3. If you are updating a Firepower 9300 Security Appliance, update the operating system to FXOS 1.1.4 or later and restart the system; for more information see the Cisco FXOS Firepower Chassis Manager Configuration Guide.
You must update the ROMMON image on Cisco ASA with FirePOWER Services to Version 1.1.8 prior to updating toVersion 6.0.1.3. For more information about updating the ROMMON image, see Cisco ASA Series General Operations CLI Configuration Guide.
4. Download the update from the Support site:
5. Upload the update to the Firepower Management Center by selecting System > Updates, then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload.
The update is uploaded to the Firepower Management Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated. The page also indicates whether a reboot is required as part of the update.
6. Make sure the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
7. Click the install icon next to the update you are installing.
8. Select the devices where you want to install the update.
9. Click Install. Confirm that you want to install the update and reboot the devices.
10. The update process begins. You can monitor the update’s progress on the Tasks tab of the Message Center.
Note: Devices may reboot twice during the update; this is expected behavior.
11. Select Devices > Device Management and confirm that the devices you updated have the correct software version: 6.0.1.3.
12. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
13. Redeploy policies to all managed devices.
Click Deploy and select all available devices, then click Deploy.
The following sections help you uninstall the Version 6.0.1.3 update from your appliances:
Before you uninstall the update, you must thoroughly read and understand the following sections.
You must uninstall updates locally. You cannot use a Firepower Management Center to uninstall the update from a managed device.
For all physical appliances and Firepower Management Centers Virtuals, uninstall the update using the local web interface. Because virtual managed devices do not have a web interface, you must use the bash shell to uninstall the update.
Uninstall the update in the reverse order that you installed it. That is, first uninstall the update from managed devices, then from Firepower Management Centers.
Uninstalling the Update from Clustered or Paired Appliances
Clustered devices and Firepower Management Centers in high availability pairs must run the same version of the Firepower System. Although the uninstallation process triggers an automatic failover, appliances in mismatched pairs or clusters do not share configuration information, nor do they install or uninstall updates as part of their synchronization. If you need to uninstall an update from redundant appliances, plan to perform the uninstallations in immediate succession.
To ensure continuity of operations, uninstall the update from clustered devices and paired Firepower Management Centers one at a time. First, uninstall the update from the secondary appliance. Wait until the uninstallation process completes, then immediately uninstall the update from the primary appliance.
Uninstalling the Update from Stacked Devices
All devices in a stack must run the same version of the Firepower System. Uninstalling the update from any of the stacked devices causes the devices in that stack to enter a limited, mixed-version state.
To minimize impact on your deployment, Cisco recommends that you uninstall an update from stacked devices simultaneously. The stack resumes normal operation when the uninstallation completes on all devices in the stack.
Uninstalling the Update from Devices Deployed Inline
Managed devices do not perform traffic inspection, switching, routing, or related functions while the update is being uninstalled. Depending on how your devices are configured and deployed, the uninstallation process may also affect traffic flow and link state. For more information, see Traffic Flow and Inspection During the Update.
Uninstalling the Update and Online Help
Uninstalling the Version 6.0.1.3 update does not revert the online help to its previous version. If the version of your online help does not match that of your Firepower System software, your online help may contain documentation for unavailable features and may have problems with context sensitivity and link functionality.
After you uninstall the update, there are several steps you should take to ensure that your deployment is performing properly. These include verifying that the uninstall succeeded and that all appliances in your deployment are communicating successfully.
The next sections include detailed instructions not only on performing the uninstallation, but also on completing any post-uninstallation steps. Make sure you complete all of the listed tasks.
The following procedure explains how to use the local web interface to uninstall the Version 6.0.1.3 update from managed devices. You cannot use a Firepower Management Center to uninstall the update from a managed device.
Uninstalling the Version 6.0.1.3 update results in a device running Version 6.0.1.2. For information on uninstalling a previous version, refer to the Firepower System Release Notes for that version.
Uninstalling the Version 6.0.1.3 update reboots the device. Managed devices do not perform traffic inspection, switching, routing, or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow and link state. For more information, see Traffic Flow and Inspection During the Update.
To uninstall the update from a managed device:
1. Read and understand Planning the Uninstallation.
2. On the managing Firepower Management Center, make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
3. On the managed device, view the Tasks tab to make sure that there are no tasks in progress.
Tasks that are running when the uninstallation begins are stopped, become failed tasks, and cannot be resumed; you must manually delete them from the Tasks tab after the uninstallation completes.
The Product Updates tab appears.
5. Click the install icon next to the uninstaller that matches the update you want to remove, then confirm that you want to uninstall the update and reboot the device.
The uninstallation process begins. You can monitor the uninstallation progress in the Tasks tab.
6. After the uninstallation finishes, clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.
8. Select Help > About and confirm that the software version is listed correctly: Version 6.0.1.2.
9. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
The following procedure explains how to uninstall the Version 6.0.1.3 update from virtual managed devices. You cannot use a Firepower Management Center to uninstall the update from a managed device.
Uninstalling the Version 6.0.1.3 update results in a device running Version 6.0.1.2. For information on uninstalling a previous version, refer to the Firepower System Release Notes for that version.
Uninstalling the Version 6.0.1.3 update reboots the device. Virtual managed devices do not perform traffic inspection or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. For more information, see Traffic Flow and Inspection During the Update.
To uninstall the update from a virtual managed device:
1. Read and understand Planning the Uninstallation.
2. Log into the device as admin
via SSH or through the virtual console.
3. At the CLI prompt, type expert
to access the bash shell.
4. At the bash shell prompt, type sudo su -
.
5. Type the admin password to continue the process with root privileges.
6. At the prompt, enter the following on a single line:
install_update.pl --detach /var/sf/updates/Sourcefire_3D_Device_Virtual64_VMware_Patch_Uninstaller-6.0.1.3-1053.sh
The uninstallation process begins.
7. After the uninstallation finishes, log into the managing Firepower Management Center and select Devices > Device Management. Confirm that the device where you uninstalled the update has the correct software version: Version 6.0.1.2.
8. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
The following procedure explains how to uninstall the Version 6.0.1.3 update from Firepower Threat Defense devices managed by the Firepower Management Center. You cannot use a Firepower Management Center to uninstall the update from a managed device.
Uninstalling the Version 6.0.1.3 update results in a device running Version 6.0.1.2. For information on uninstalling a previous version, refer to the Firepower System Release Notes for that version.
Uninstalling the Version 6.0.1.3 update reboots the device. Firepower Threat Defense devices do not perform traffic inspection or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. For more information, see Traffic Flow and Inspection During the Update.
To uninstall the update from a Firepower Threat Defense device:
1. Read and understand Planning the Uninstallation.
2. Log into the device as admin via SSH or through the device console.
3. For Firepower 4100 Series devices and Firepower 9300 Security Appliances, type connect module <slot number> console
and then connect ftd
.
4. At the CLI prompt, type expert to access the bash shell.
5. At the bash shell prompt, type sudo su -
.
6. Type the admin password to continue the process with root privileges.
7. At the prompt, enter the following on a single line:
The uninstallation process begins.
8. After the uninstallation finishes, the device reboots.
9. Log into the managing Firepower Management Center and select Devices > Device Management. Confirm that the device where you uninstalled the update has the correct software version: Version 6.1.0.
10. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
The following procedure explains how to uninstall the Version 6.0.1.3 update from ASA FirePOWER modules. You cannot use a Firepower Management Center to uninstall the update from a managed device.
Uninstalling the Version 6.0.1.3 update results in a device running Version 6.0.1.2. For information on uninstalling a previous version, refer to the Firepower System Release Notes for that version.
Uninstalling the Version 6.0.1.3 update reboots the device. ASA FirePOWER modules do not perform traffic inspection or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow. For more information, see Traffic Flow and Inspection During the Update.
To uninstall the update from an ASA FirePOWER module:
1. Read and understand Planning the Uninstallation.
2. Log into the device as admin
via SSH, or through the virtual console.
3. At the CLI prompt, type session sfr console
.
4. At the CLI prompt, type expert
to access the bash shell.
5. At the bash shell prompt, type sudo su -
.
6. Type the admin password to continue the process with root privileges.
7. At the prompt, enter the following on a single line:
install_update.pl --detach /var/sf/updates/Sourcefire_3D_Device_Virtual64_VMware_Patch_Uninstaller-6.0.1.3-1053.sh
The uninstallation process begins.
8. After the uninstallation finishes, log into the managing Firepower Management Center and select Devices > Device Management. Confirm that the device where you uninstalled the update has the correct software version: Version 6.0.1.2.
9. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
Use the following procedure to uninstall the Version 6.0.1.3 update from Firepower Management Centers and virtual Firepower Management Centers. Note that the uninstallation process reboots the Firepower Management Center.
Uninstalling the Version 6.0.1.3 update results in a Firepower Management Center running Version 6.0.1.2. For information on uninstalling a previous version, refer to the Firepower System Release Notes for that version.
To uninstall the update from a Firepower Management Center:
1. Read and understand Planning the Uninstallation.
2. Make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
3. Monitor the Tasks tab to make sure that there are no tasks in progress.
Tasks that are running when the uninstallation begins are stopped, become failed tasks, and cannot be resumed; you must manually delete them from the Tasks tab after the uninstallation completes.
The Product Updates tab appears.
5. Click the install icon next to the uninstaller that matches the update you want to remove.
The Install Update page appears.
6. Select the Firepower Management Center and click Install, then confirm that you want to uninstall the update and reboot the device.
The uninstallation process begins. You can monitor the uninstallation progress in the Tasks tab.
7. After the uninstallation finishes, clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.
8. Log in to the Firepower Management Center.
9. Select Help > About and confirm that the software version is listed correctly: Version 6.0.1.2.
10. Verify that the appliances in your deployment are successfully communicating with the Firepower Management Center and that there are no issues reported by the health monitor.
You can use ASDM to uninstall a patch from a locally managed Cisco ASA with FirePOWER Services. Note that devices do not perform traffic inspection or related functions while the update is being uninstalled. Depending on how your devices are configured and deployed, the uninstallation process may also affect traffic flow and link state. For more information, see Traffic Flow and Inspection During the Update.
1. Read and understand Planning the Uninstallation.
2. Log into the device as admin
via SSH or through the virtual console.
3. At the CLI prompt, type expert
to access the bash shell.
4. At the bash shell prompt, type sudo su -
.
5. Type the admin password to continue the process with root privileges.
6. At the prompt, enter the following on a single line:
The uninstallation process begins.
7. After the uninstall finishes, reconnect ASDM to the ASA device.
8. Select Configuration > ASA FirePOWER Configuration > System Information and confirm that the software version is listed correctly: Version 6.0.1.2.
For more information, see the Cisco ASA with FirePOWER Services Local Management Configuration Guide, Version 6.0.
You can view defects resolved in this release using the Cisco Bug Search Tool ( https://tools.cisco.com/bugsearch/). A Cisco account is required.
The following issues are resolved in Version 6.0.1.3:
Error Moving Data - An internal error has occurred
error message and the access control policy was not accessible. You can no longer use commas in access control policy category names. (CSCuy68147) Object deletion restricted. Remove object from the following: Access control policies
error even if the security zone was not referenced within a rule. (CSCuy68648) www.
, and another lookup request for the same URL but without the www.
prefix, the system generated an extraneous health alert message. (CSCuy86036) The data correlator process exited (x) times
error message. (CSCuz15233) system support capture-traffic
CLI command, the command rejected IPv6 host addresses. (CSCuz40373) Out of memory
error. (CSCuz54616) Out of memory!
error message. (CSCva12919) Device Configuration
error message. (CSCva67810) unable to add SHA list
warning and adding the SHA list to the file list the second time failed. (CSCuy34083) HOME_NET
variable in the Variable section of the Object Management page ( Objects > Object Management), then edit the EXTERNAL_NET
variable to exclude the modified HOME_NET
variable and save. (CSCuy34504) Dynamic Analysis Failed (Network Issue)
error and did not successfully submit the files for analysis. (CSCuy49613) Policy has rules with missing detectors. The following rules specify applications for which a detector is not defined
error. (CSCuy87939) Access Control Policy apply failed (Not a HASH reference)
error. (CSCuy92630) decompress_swf { lzma deflate }
or decompress_pdf { deflate }
keywords in the HTTP Preprocessor settings and deployed, deploying on a registered Firepower Threat Defense device failed. (CSCuy93165) /usr/local/sf/bin/delete_rules.pl --prune -n local
SSH command and redeployed configuration, the Firepower Management Center did not remove the deleted intrusion rule when it should have. (CSCuy94809) Australia
time on a Firepower Management Center with a registered Firepower Threat Defense device, deploying to the Firepower Threat Defense device failed. (CSCuz00284) eth0
caused system issues. (CSCux22564) Load container -Invalid domain permission
error even though the high availability successfully broke. (CSCuy30473) any
. (CSCuy60748)The following issues were resolved in Version 6.0:
4096
failed. (134385/CSCze89030) Unknown Error (9999): Couldn't get a lock on /var/tmp/.ac_lock
error message. (CSCur55338) Internal Server Error
message if the password for your registered ASA FirePOWER module included an unsupported character. (CSCus68604) show fastpath-rules
CLI command, the system reported intrusion rules as inactive. (CSCut32479) Having Inspect traffic during policy apply disabled may cause network disruptions until deployment completes
warning if you deploy without enabling Inspect traffic during policy apply. (CSCut36078) show managers
CLI command on a device registered to a system with multiple interfaces configured caused the system displayed the incorrect IP address. (CSCut95947) show ntp
CLI command on your Firepower Threat Defense devices. (CSCuv57818) ystem support ssl-debug
or system support debug-DAQ-NSE
CLI command and your system experienced a high amount of traffic for an extended amount of time, the system experienced disk space issues. (CSCuw68004)You can view known issues reported in this release using the Cisco Bug Search Tool ( https://tools.cisco.com/bugsearch/). A Cisco account is required.
The following known issues are reported in Version 6.0.1.3:
Error 404: Page not found
error. (CSCvb73325) Invalid Password: invalid characters
error even though the system saves the new password. (CSCvb82719) 96
and redeploy, the system incorrectly generates an ERROR: unable to update object (Object Name) due to internal error
message. As a workaround, delete the network object from the NAT rule and edit the network object's IP address, then add the network object as the NAT rule's original destination IP and redeploy. (CSCvb82803) 96
and redeploy, the system incorrectly generates an ERROR: unable to update object (Object Name) due to internal error
message. As a workaround, delete the network object from the NAT rule and edit the network object's IP address, then add the network object as the NAT rule's original destination IP and deploy. (CSCvc11489)The following known issues were reported in previous releases:
+
) character even though the system generates a This field contains invalid characters. Only alphanumerics, hyphen ( -), underscore ( _), period (.), and plus ( +) are allowed
message. (CSCuw44373) prime192v1
, prime256v1
, secp384r1
and secp521r1
. You must update your system to Version 6.0 to obtain supported external certificates. (CSCuw54749) No cache exists to discard and resume
error and you cannot deploy. As a workaround, refresh the Device Management page and redeploy. (CSCuw77505) Initial policy deployment not started due to validation errors. For details, redeploy manually
message. For more information on the correct licenses to select for your device, see the Firepower Management Center Configuration Guide. (CSCuw85743) 119
and SID 15
. (CSCuw90033) OPSFv3 router process will not start as no router ID has been configured. Neither router ID in OSPFv3 nor IPv4 address configured in Interfaces
error message. (CSCuw95485) Warning: no vendors match this string
warning and does not execute the correlation rule. As a workaround, update your vulnerability database (VDB). If the VDB update does not resolve the issue, use the MAC Vendor contains condition instead of the MAC Vendor is condition. (CSCuw96022) /etc/rc.d/init.d/pm restart
CLI command. If you continue to experience connectivity issues, contact TAC Support. (CSCuw97948) system shutdown
CLI command causes Firepower Threat Defense devices (ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5516-X) to restart instead of shut down. (CSCuw98231) Updating Domain management changes failed
error message. (CSCux08012) Pre-deploy Global Configuration Generation. Cannot find policy information
error message. As a workaround, remove the VPN configuration prior to moving the device to another domain. An alternative workaround is to unregister and then register the device to the Firepower Management Center, then create a VPN deployment and deploy. (CSCux10820, CSCuz42235) Unable to authorize access. If you continue to have difficulty accessing this device, please contact the system administrator
error. As a workaround, prior to update, generate and install an SSL certificate with either a sha1WithRSAEncryption
or sha256WithRSAEncryption
algorithm and restart the Firepower Management Center, or use the default Firepower Management Center certificate and restart the appliance. If you are unable to access the user interface on your Firepower Management Center, contact TAC Support. (CSCux30610) Failed to parse the message sent from the server
error and you cannot deploy the production license. As a workaround, select the evaluation mode license and deploy. If the system continues to experience errors after deploying the workaround, contact TAC Support. (CSCux48513) Please make sure HTTP server is enabled. Press 'Yes' to continue
error regardless of whether Enable HTTP Server is checked or not. (CSCux67336) any
, any-ipv4
, and any-ipv6
. (CSCux94621) Deployment failed due to configuration error. If problem persists after retrying, contact Cisco TAC.
error. As a workaround, check the Enable Router Advertisement option and redeploy. (CSCux98850) HTTP 403 Forbidden error
page. You can correctly download and view files with the.jpg extension. (CSCux99481) 00000000000000000000000000000000
. (CSCuy01702) Pre-deploy Global Configuration Generation. _storePerms: Unable to store perms
error in the Tasks tab of the Message Center. As a workaround, redeploy policies. (CSCuy02038) Warning: this rule is preempted by rule <second rule listed>
warning. (CSCuy03840) Selecting this action will reset the Intrusion Policy and File Policy to "None". Are you sure you want to continue?
warning whether the access control policy contains an intrusion policy and a file policy or not. Close out the warning message to deploy changes. (CSCuy14455) CISCO-MEMORY-POOL-MIB
or CISCO-ENHANCED-MEMPOOL-MIB
on a Cisco ASA with FirePOWER Services or Firepower Threat Defense, the ASA may experience high CPU utilization. (CSCuy14724) Policy has rules with missing detectors. The following rules specify applications for which a detector is not defined
error and does not save changes. (CSCuy18141) Error - 403 Forbidden You have tried to access a page that is forbidden
error. (CSCuy27084) Error 404:page not found page
error. (CSCuy28935) HTTP Error 500 Internal server error
page. (CSCuy36187) Deployment failed in policy and object collection. If problem persists after retrying, contact Cisco TAC
. error when it should not. As a workaround, redeploy configuration. (CSCuy36942) 0-255
, the system allows all network condition types even if the rule is configured to Block. (CSCuy43967) An internal error occurred
error. As a workaround, use either Internet Explorer or Firefox browsers. (CSCuy44276) Authorization Failure: Invalid or expired session (code = 0) at /usr/local/sf/lib/perl/5.10.1/SF/EOHandler.pm line 3212
error. (CSCuy45377) This policy includes access to pot 161 (snmp), but no SNMP users have been added.
error and you cannot save the policy with SNMP settings. As a workaround, click either SNMP Version 1 or Version 2. If you must use SNMP Version 3, add SNMP users before selecting the SNMP version and save, then enable port access in the Access List tab of the Platforms Settings page and save. (CSCuy46080) You have unapplied changes
message even though there are no changes to deploy. (CSCuz48049) Deployment failed due to configuration
error message in the Message Center. (CSCva51022) Error: Failed to delete
message when the manager is deleted successfully. (CSCva61777) Invalid Values: Errors on the page, unable to navigate. Do you want to revert back the configuration?
error message. Ignore the message and continue. (CSCva83773)Thank you for choosing the Firepower System.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about the Firepower System, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
If you have any questions or require assistance with the Firepower System, please contact Cisco Support: