Cisco Secure Firewall Threat Defense Release Notes, Version 7.2
First Published: 2022-06-06
Last Modified: 2023-05-12

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2022–2023 Cisco Systems, Inc. All rights reserved.
CONTENTS

CHAPTER 1 Welcome 1
  Release Highlights 1
  Release Dates 2
  Suggested Release 2
  Sharing Data with Cisco 2
  For Assistance 3

CHAPTER 2 System Requirements 5
  Management Center Platforms 5
  Threat Defense Platforms 6
  Threat Defense Management 8
  Browser Requirements 10

CHAPTER 3 Features and Functionality 13
  New Features in Management Center Version 7.2 13
  New Features in Device Manager Version 7.2 31
  Intrusion Rules and Keywords 34
  Deprecated FlexConfig Commands 35

CHAPTER 4 Upgrade Guidelines 37
  Planning Your Upgrade 37
  Minimum Version to Upgrade 38
  Guidelines for Cloud-delivered Firewall Management Center 39
  Upgrade Guidelines for Version 7.2 39
  Extended Post-Upgrade Deploy for Large Configurations 41
  Threat Defense Virtual for GCP Cannot Upgrade Across Version 7.2.0 41

Cisco Secure Firewall Threat Defense Release Notes, Version 7.2


iii
Contents

  Reconnect with Cisco Secure Malware Analytics for High Availability Management Centers 41
  Upgrade Failure: Firepower 1010 Switch Ports with Invalid VLAN IDs 42
  Upgrade Guidelines for FXOS 42
  Unresponsive Upgrades 42
  Revert or Uninstall the Upgrade 43
  Traffic Flow and Inspection 43
  Traffic Flow and Inspection for FXOS Upgrades 43
  Traffic Flow and Inspection for Threat Defense Upgrades with Management Center 44
  Traffic Flow and Inspection for Threat Defense Upgrades with Device Manager 46
  Time and Disk Space Tests 47
  Time and Disk Space for Version 7.2.4 48
  Time and Disk Space for Version 7.2.3.1 49
  Time and Disk Space for Version 7.2.3 50
  Time and Disk Space for Version 7.2.2 51
  Time and Disk Space for Version 7.2.1 52
  Time and Disk Space for Version 7.2.0.1 53
  Time and Disk Space for Version 7.2.0 53

CHAPTER 5 Install the Software 55
  Installation Guidelines 55
  Installation Guides 57

CHAPTER 6 Open and Resolved Bugs 59
  Open Bugs 59
  Open Bugs in Version 7.2.0 59
  Resolved Bugs 60
  Resolved Bugs in Version 7.2.4 60
  Resolved Bugs in Version 7.2.3.1 84
  Resolved Bugs in Version 7.2.3 84
  Resolved Bugs in Version 7.2.2 84
  Resolved Bugs in Version 7.2.1 84
  Resolved Bugs in Version 7.2.0.1 90
  Resolved Bugs in Version 7.2.0 90

CHAPTER 1
Welcome
This document contains release information for Version 7.2 of Cisco Secure Firewall Threat Defense, Secure
Firewall Management Center, and Secure Firewall device manager.
For Cisco Defense Orchestrator (CDO) deployments, see the Cisco Cloud-Delivered Firewall Management
Center Release Notes or What's New for Cisco Defense Orchestrator.
• Release Highlights, on page 1
• Release Dates, on page 2
• Suggested Release, on page 2
• Sharing Data with Cisco, on page 2
• For Assistance, on page 3

Release Highlights
Rebranding to Cisco Secure Firewall
The following products have been rebranded in Version 7.2.

Table 1: Rebranded Products in Version 7.2

Former Name Rebranded Name

Firepower Threat Defense (FTD) Secure Firewall Threat Defense

Firepower Threat Defense Virtual (FTDv) Secure Firewall Threat Defense Virtual

Firepower Device Manager (FDM) Secure Firewall device manager

Firepower Management Center (FMC) Secure Firewall Management Center

Firepower Management Center Virtual (FMCv) Secure Firewall Management Center Virtual

Firepower eXtensible Operating System (FXOS) Secure Firewall eXtensible Operating System (FXOS)

Firepower Chassis Manager Secure Firewall chassis manager

Release Dates
Table 2: Version 7.2 Dates

Version  Build  Date  Platforms
7.2.4  169  2023-05-10  Management center
7.2.4  165  2023-05-03  Devices
7.2.3.1  13  2023-04-18  Management center
7.2.3  77  2023-02-27  All
7.2.2  54  2022-11-29  All
7.2.1  40  2022-10-03  All
7.2.0.1  12  2022-08-10  All
7.2.0  82  2022-06-06  All

Suggested Release
To take advantage of new features and resolved issues, we recommend you upgrade all eligible appliances to
at least the suggested release. On the Cisco Support & Download site, the suggested release is marked with
a gold star.
We also list the suggested release in the new feature guides:
• Cisco Secure Firewall Management Center New Features by Release
• Cisco Secure Firewall Device Manager New Features by Release

Suggested Releases for Older Appliances


If an appliance is too old to run the suggested release and you do not plan to refresh the hardware right now,
choose a major version then patch as far as possible. Some major versions are designated long-term or extra
long-term, so consider one of those. For an explanation of these terms, see Cisco NGFW Product Line Software
Release and Sustaining Bulletin.
If you are interested in a hardware refresh, contact your Cisco representative or partner contact.

Sharing Data with Cisco


The following features share data with Cisco.

Cisco Success Network


Cisco Success Network sends usage information and statistics to Cisco, which are essential to provide you
with technical support.
During initial setup and upgrades, you may be asked to enroll. You can also change your enrollment at any
time.

Cisco Support Diagnostics


Cisco Support Diagnostics (sometimes called Cisco Proactive Support) sends configuration and operational
health data to Cisco, and processes that data through our automated problem detection system, allowing us
to proactively notify you of issues. This feature also allows Cisco TAC to collect essential information from
your devices during the course of a TAC case.
During initial setup and upgrades, you may be asked to enroll. You can also change your enrollment at any
time. This feature is not supported with device manager.

Web Analytics
Web analytics provides non-personally-identifiable usage data to Cisco, including but not limited to page
interactions, browser versions, product versions, user location, and management IP addresses or hostnames
of your management centers.
You are enrolled by default but you can change your enrollment at any time after you complete initial setup.
Note that ad blockers can block web analytics, so if you choose to remain enrolled, please disable ad blocking
for the hostnames/IP addresses of your Cisco appliances.

For Assistance
Online Resources
Cisco provides the following online resources to download documentation, software, and tools; to query bugs;
and to open service requests. Use these resources to install and configure Cisco software and to troubleshoot
and resolve technical issues.
• Documentation: http://www.cisco.com/go/threatdefense-72-docs
• Cisco Support & Download site: https://www.cisco.com/c/en/us/support/index.html
• Cisco Bug Search Tool: https://tools.cisco.com/bugsearch/
• Cisco Notification Service: https://www.cisco.com/cisco/support/notifications.html

Access to most tools on the Cisco Support & Download site requires a Cisco.com user ID and password.

Contact Cisco
If you cannot resolve an issue using the online resources listed above, contact Cisco TAC:
• Email Cisco TAC: tac@cisco.com
• Call Cisco TAC (North America): 1.408.526.7209 or 1.800.553.2447
• Call Cisco TAC (worldwide): Cisco Worldwide Support Contacts

CHAPTER 2
System Requirements
This document includes the system requirements for Version 7.2.
• Management Center Platforms, on page 5
• Threat Defense Platforms, on page 6
• Threat Defense Management, on page 8
• Browser Requirements, on page 10

Management Center Platforms


The management center provides a centralized firewall management console. For device compatibility with
the management center, see Threat Defense Management, on page 8. For general compatibility information,
see the Cisco Secure Firewall Management Center Compatibility Guide.

Management Center Hardware


Version 7.2 supports the following management center hardware:
• Secure Firewall Management Center 1600
• Secure Firewall Management Center 2600
• Secure Firewall Management Center 4600

You should also keep the BIOS and RAID controller firmware up to date; see the Cisco Secure Firewall Threat
Defense/Firepower Hotfix Release Notes.

Management Center Virtual


Version 7.2 supports management center virtual deployments in both public and private/on-prem clouds.
With the management center virtual, you can purchase licenses that enable you to manage 2, 10, 25, or 300
devices. Note that only some platforms support 300 devices. Also, two-device virtual management centers
do not support high availability. For full details on supported instances, see the Cisco Secure Firewall
Management Center Virtual Getting Started Guide.

Table 3: Version 7.2 Management Center Virtual Platforms

Platform  Devices Managed (2, 10, 25)  Devices Managed (300)  High Availability

Public Cloud
Alibaba  YES  —  —
Amazon Web Services (AWS)  YES  YES  YES
Google Cloud Platform (GCP)  YES  —  —
Microsoft Azure  YES  —  —
Oracle Cloud Infrastructure (OCI)  YES  YES  YES

On-Prem/Private Cloud
Cisco HyperFlex  YES  —  —
Kernel-based virtual machine (KVM)  YES  —  —
Nutanix Enterprise Cloud  YES  —  —
OpenStack  YES  —  —
VMware vSphere/VMware ESXi 6.5, 6.7, or 7.0  YES  YES  YES

Cloud-Delivered Management Center


The Cisco Cloud-delivered Firewall Management Center is delivered via the Cisco Defense Orchestrator
(CDO) platform, which unites management across multiple Cisco security solutions. The cloud-delivered
Firewall Management Center does not have a version, and we take care of feature updates.
Note that the customer-deployed management center is often referred to as the on-prem management center,
even for virtual platforms.

Threat Defense Platforms


Threat defense devices monitor network traffic and decide whether to allow or block specific traffic based on
a defined set of security rules. For details on device management methods, see Threat Defense Management,
on page 8. For general compatibility information, see the Cisco Secure Firewall Threat Defense Compatibility
Guide.

Threat Defense Hardware


Version 7.2 threat defense hardware comes in a range of throughputs, scalability capabilities, and form factors.

Table 4: Version 7.2 Threat Defense Hardware

Columns: Platform; Management Center Compatibility (Customer Deployed, Cloud Delivered); Device Manager Compatibility (Device Manager Only, Device Manager + CDO); Notes

Firepower 1010E, 1010, 1120, 1140, 1150  YES  YES  YES  YES
  Notes: Firepower 1010E requires Version 7.2.3+. Do not use a Version 7.2.3 or Version 7.3.0 management center to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version 7.3.1+ management center.

Firepower 2110, 2120, 2130, 2140  YES  YES  YES  YES
  Notes: —

Secure Firewall 3110, 3120, 3130, 3140  YES  YES  YES  YES
  Notes: —

Firepower 4110, 4120, 4140, 4150; Firepower 4112, 4115, 4125, 4145; Firepower 9300: SM-24, SM-36, SM-44 modules; Firepower 9300: SM-40, SM-48, SM-56 modules  YES  YES  YES  YES
  Notes: Requires FXOS 2.12.0.31 or later build. We recommend the latest firmware. See the Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.

ISA 3000  YES  YES  YES  YES
  Notes: May require a ROMMON update. See the Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide.

Threat Defense Virtual


Version 7.2 threat defense virtual implementations support performance-tiered Smart Software Licensing,
based on throughput requirements and remote access VPN session limits. Options run from FTDv5 (100
Mbps/50 sessions) to FTDv100 (16 Gbps/10,000 sessions). For more information on supported instances,
throughputs, and other hosting requirements, see the appropriate Getting Started Guide.

Table 5: Version 7.2 Threat Defense Virtual Platforms

Columns: Device Platform; Management Center Compatibility (Customer Deployed, Cloud Delivered); Device Manager Compatibility (Device Manager Only, Device Manager + CDO)

Public Cloud
Alibaba  YES  YES  —  —
Amazon Web Services (AWS)  YES  YES  YES  YES
Microsoft Azure  YES  YES  YES  YES
Google Cloud Platform (GCP)  YES  YES  YES  YES
Oracle Cloud Infrastructure (OCI)  YES  YES  —  —

On-Prem/Private Cloud
Cisco Hyperflex  YES  YES  YES  YES
Kernel-based virtual machine (KVM)  YES  YES  YES  YES
Nutanix Enterprise Cloud  YES  YES  YES  YES
OpenStack  YES  YES  —  —
VMware vSphere/VMware ESXi 6.5, 6.7, or 7.0  YES  YES  YES  YES

Threat Defense Management


Depending on device model and version, we support the following management methods.

Customer-Deployed Management Center


All devices support remote management with a customer-deployed management center, which must run the
same or newer version as its managed devices. This means:
• You can manage older devices with a newer management center, usually a few major versions back.
However, we recommend you always update your entire deployment. New features and resolved issues
often require the latest release on both the management center and its managed devices.
• You cannot upgrade a device past the management center. Even for maintenance (third-digit) releases,
you must upgrade the management center first.

Note that in most cases you can upgrade an older device directly to the management center's major or
maintenance version. However, sometimes you can manage an older device that you cannot directly upgrade,
even though the target version is supported on the device. For release-specific requirements, see Minimum
Version to Upgrade, on page 38. Rarely, there are issues with specific management center-device combinations;
these are listed in Threat Defense Platforms, on page 6.

Table 6: Customer-Deployed Management Center-Device Compatibility

Management Center Version Oldest Device Version You Can Manage

7.3 6.7

7.2 6.6

7.1 6.5

7.0 6.4

6.7 6.3

6.6 6.2.3

6.5 6.2.3

6.4 6.1

6.3 6.1

6.2.3 6.1

6.2.2 6.1

6.2.1 6.1

6.2 6.1

6.1 5.4.0.2/5.4.1.1

6.0.1 5.4.0.2/5.4.1.1

6.0 5.4.0.2/5.4.1.1

5.4.1 5.4.1 for ASA FirePOWER on the ASA-5506-X series, ASA5508-X, and ASA5516-X.
      5.3.1 for ASA FirePOWER on the ASA5512-X, ASA5515-X, ASA5525-X, ASA5545-X, ASA5555-X, and ASA-5585-X series.
      5.3.0 for Firepower 7000/8000 series and legacy devices.
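The management rules above and the Table 6 floors, as an added worked example (not Cisco code): a small Python checker that says whether a customer-deployed management center can manage a device at a given version, and in what order an upgrade must proceed so that a device is never upgraded past its management center. The Table 6 data is embedded as a dictionary; the minimum-version-to-upgrade requirements referenced on page 38 are not modelled.

```python
"""Management-center/device compatibility checks built from these release notes.

Added worked example, not Cisco code. It encodes the rules stated above:
the management center must run the same or a newer version than every device
it manages, it can manage older devices only back to the Table 6 floor, and a
device is never upgraded past its management center (upgrade the management
center first, even for maintenance releases).
"""

# Table 6: management center version -> oldest device version it can manage.
# Simplification: the 6.1/6.0.1/6.0 rows list "5.4.0.2/5.4.1.1" (two branches);
# the lower value is used here. The 5.4.1 row is platform-specific and omitted.
OLDEST_MANAGEABLE = {
    "7.3": "6.7", "7.2": "6.6", "7.1": "6.5", "7.0": "6.4", "6.7": "6.3",
    "6.6": "6.2.3", "6.5": "6.2.3", "6.4": "6.1", "6.3": "6.1",
    "6.2.3": "6.1", "6.2.2": "6.1", "6.2.1": "6.1", "6.2": "6.1",
    "6.1": "5.4.0.2", "6.0.1": "5.4.0.2", "6.0": "5.4.0.2",
}


def parse_version(text):
    """'7.2.3.1' -> (7, 2, 3, 1), padded to four fields so 7.2 == 7.2.0.0."""
    fields = text.strip().split(".")
    if not 1 <= len(fields) <= 4 or not all(f.isdigit() for f in fields):
        raise ValueError("not a dotted numeric version: %r" % text)
    parts = tuple(int(f) for f in fields)
    return parts + (0,) * (4 - len(parts))


def table_floor(mc_version):
    """Return the Table 6 floor for a management center version, or None.

    Rows are keyed by major (7.2) or maintenance (6.2.3) version, so match the
    longest dotted prefix of the given version: 7.2.4 -> row 7.2 -> 6.6.
    """
    fields = mc_version.strip().split(".")
    for n in range(len(fields), 0, -1):
        key = ".".join(fields[:n])
        if key in OLDEST_MANAGEABLE:
            return OLDEST_MANAGEABLE[key]
    return None


def can_manage(mc_version, device_version):
    """(ok, reason): may this management center manage this device?"""
    mc, dev = parse_version(mc_version), parse_version(device_version)
    if dev > mc:
        return False, "device %s is newer than management center %s" % (device_version, mc_version)
    floor = table_floor(mc_version)
    if floor is None:
        return False, "management center %s has no Table 6 row" % mc_version
    if dev < parse_version(floor):
        return False, "device %s is older than the %s floor (%s)" % (device_version, mc_version, floor)
    return True, "ok"


def can_upgrade_device(mc_version, device_version, target_version):
    """(ok, reason): may a managed device be upgraded to target right now?"""
    ok, reason = can_manage(mc_version, device_version)
    if not ok:
        return False, reason
    if parse_version(target_version) <= parse_version(device_version):
        return False, "target %s is not newer than the device" % target_version
    if parse_version(target_version) > parse_version(mc_version):
        # Applies to third-digit (maintenance) releases too: the center goes first.
        return False, "target %s is past management center %s; upgrade the management center first" % (
            target_version, mc_version)
    return True, "ok"


def upgrade_order(mc_version, device_version, target_version):
    """Steps, in order, to bring a device to target without breaking the rules."""
    steps = []
    if parse_version(mc_version) < parse_version(target_version):
        steps.append("management center: %s -> %s" % (mc_version, target_version))
        mc_version = target_version
    ok, reason = can_upgrade_device(mc_version, device_version, target_version)
    if not ok:
        raise ValueError(reason)
    steps.append("device: %s -> %s" % (device_version, target_version))
    return steps


if __name__ == "__main__":
    print(can_manage("7.2.4", "6.5.0"))
    print(can_upgrade_device("7.2.3", "7.2.1", "7.2.4"))
    print(upgrade_order("7.2.3", "7.2.1", "7.2.4"))
```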

Cloud-delivered Firewall Management Center


The cloud-delivered Firewall Management Center can manage threat defense devices running:
• Version 7.2+
• Version 7.0.3 and later maintenance releases

The cloud-delivered Firewall Management Center cannot manage threat defense devices running Version 7.1,
or Classic devices running any version. You cannot upgrade a cloud-managed device from Version 7.0.x to
Version 7.1 unless you unregister and disable cloud management. We recommend you upgrade the device
directly to Version 7.2+.
You can add a cloud-managed device to a Version 7.2+ customer-deployed management center for event
logging and analytics purposes only. Or, you can send security events to the Cisco cloud with Security Analytics
and Logging (SaaS).

Device Manager
You can use device manager to locally manage a single threat defense device.
Optionally, add Cisco Defense Orchestrator (CDO) to remotely manage multiple threat defense devices, as
an alternative to the management center. Although some configurations still require device manager, CDO
allows you to establish and maintain consistent security policies across your threat defense deployment.

Browser Requirements
Browsers
We test with the latest versions of these popular browsers, running on currently supported versions of macOS
and Microsoft Windows:
• Google Chrome
• Mozilla Firefox
• Microsoft Edge (Windows only)

If you encounter issues with any other browser, or are running an operating system that has reached end of
life, we ask that you switch or upgrade. If you continue to encounter issues, contact Cisco TAC.

Note We do not perform extensive testing with Apple Safari, nor do we extensively test Microsoft Edge with FMC
walkthroughs. However, Cisco TAC welcomes feedback on issues you encounter.

Browser Settings and Extensions


Regardless of browser, you must make sure JavaScript, cookies, and TLS v1.2 remain enabled. If you are
using Microsoft Edge, do not enable IE mode.
Note that some browser extensions can prevent you from saving values in fields like the certificate and key
in PKI objects. These extensions include, but are not limited to, Grammarly and Whatfix Editor. This happens
because these extensions insert characters (such as HTML) in the fields, which causes the system to see them
as invalid. We recommend you disable these extensions while you’re logged into our products.

Screen Resolution

Interface  Minimum Resolution

Management Center  1280 x 720

Device Manager  1024 x 768

Chassis Manager for the Firepower 4100/9300  1024 x 768

Securing Communications
When you first log in, the system uses a self-signed digital certificate to secure web communications. Your
browser should display an untrusted authority warning, but also should allow you to add the certificate to the
trust store. Although this will allow you to continue, we do recommend that you replace the self-signed
certificate with a certificate signed by a globally known or internally trusted certificate authority (CA).
To begin replacing the self-signed certificate:
• Management Center: Choose System > Configuration, then click HTTPS Certificates.
• Device Manager: Click Device, then the System Settings > Management Access link, then the
Management Web Server tab.

For detailed procedures, see the online help or the configuration guide for your product.

Note If you do not replace the self-signed certificate:


• Google Chrome does not cache static content, such as images, CSS, or JavaScript. Especially in low
bandwidth environments, this can extend page load times.
• Mozilla Firefox can stop trusting the self-signed certificate when the browser updates. If this happens,
you can refresh Firefox, keeping in mind that you will lose some settings; see Mozilla's Refresh Firefox
support page.

Browsing from a Monitored Network


Many browsers use Transport Layer Security (TLS) v1.3 by default. If you are using an SSL policy to handle
encrypted traffic, and people in your monitored network use browsers with TLS v1.3 enabled, websites that
support TLS v1.3 may fail to load. For more information, see the software advisory titled: Failures loading
websites using TLS 1.3 with SSL inspection enabled.

CHAPTER 3
Features and Functionality
This document describes new and deprecated features for Version 7.2, including upgrade impact. For Cisco
Defense Orchestrator (CDO) deployments, see What's New for Cisco Defense Orchestrator.

Important New and deprecated features can require pre- or post-upgrade configuration changes, or even prevent upgrade.
If your upgrade skips versions, see those release notes for historical feature information and upgrade impact,
or see the appropriate New Features by Release guide.

• New Features in Management Center Version 7.2, on page 13


• New Features in Device Manager Version 7.2, on page 31
• Intrusion Rules and Keywords, on page 34
• Deprecated FlexConfig Commands, on page 35

New Features in Management Center Version 7.2


Although you can manage older devices with a newer management center, we recommend you always update
your entire deployment. New traffic-handling features usually require the latest release on both the management
center and device. Features where devices are not obviously involved (cosmetic changes to the web interface,
cloud integrations) may only require the latest version on the management center, but that is not guaranteed.
In this document, we are explicit when version requirements deviate from the standard expectation.

New Features

Table 7: New Features in Management Center Version 7.2.4

New Feature: Default Forward Error Correction (FEC) on Secure Firewall 3100 fixed ports changed to Clause 108 RS-FEC from Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers.
Description: When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the default type is now set to Clause 108 RS-FEC instead of Clause 74 FC-FEC for 25 GB+ SR, CSR, and LR transceivers.
For more information on FEC, see Interface Overview in the device configuration guide.


New Feature: Automatically update CA bundles.
Description: Upgrade impact. The system connects to Cisco for something new.
The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature.
Note: This feature is not supported in Version 7.0.0–7.0.4, 7.1.0–7.1.0.2, or 7.2.0–7.2.3. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco.
New/modified CLI commands: configure cert-update auto-update, configure cert-update run-now, configure cert-update test, show cert-update
For more information, see the Secure Firewall Management Center Command Line Reference in the management center administration guide, and the Cisco Secure Firewall Threat Defense Command Reference.

New Feature: Access control performance improvements (object optimization).
Description: Upgrade impact. First deployment after upgrade can take a long time and increase CPU use on the device.
Version 7.2.4 improves performance in deployments with access control rules that use overlapping networks. These configurations now consume fewer device resources due to optimization of overlapping objects.
The improvements take effect after the management center's first post-upgrade deploy. However, if you have a high number of rules, the system can take several minutes to an hour to evaluate your policies and perform object optimization. During this time, you may also see higher CPU use on the device.
We strongly recommend you deploy when it will have the least impact, such as a maintenance window or a low-traffic time.
Note: This feature is not supported in Version 7.3. Upgrading from a supported release to an unsupported release removes these optimizations. When you upgrade to a supported release again, you will re-experience this issue.

Table 8: New Features in Management Center Version 7.2.3

New Feature: Firepower 1010E.
Description: We introduced the Firepower 1010E, which does not support power over Ethernet (PoE). Do not use a Version 7.2.3 or Version 7.3.0 management center to manage the Firepower 1010E. Instead, use a Version 7.2.3.1+ or Version 7.3.1+ management center.
For more information on PoE with the Firepower 1010, see Regular Firewall Interfaces in the device configuration guide.
Minimum threat defense: 7.2.3

Table 9: New Features in Management Center Version 7.2.1

New Feature: Hardware bypass ("fail-to-wire") network modules for the Secure Firewall 3100.
Description: We introduced these hardware bypass network modules for the Secure Firewall 3100:
• 6-port 1G SFP Hardware Bypass Network Module, SX (multimode) (FPR-X-NM-6X1SX-F)
• 6-port 10G SFP Hardware Bypass Network Module, SR (multimode) (FPR-X-NM-6X10SR-F)
• 6-port 10G SFP Hardware Bypass Network Module, LR (single mode) (FPR-X-NM-6X10LR-F)
• 6-port 25G SFP Hardware Bypass Network Module, SR (multimode) (FPR-X-NM-X25SR-F)
• 6-port 25G Hardware Bypass Network Module, LR (single mode) (FPR-X-NM-6X25LR-F)
• 8-port 1G Copper Hardware Bypass Network Module, RJ45 (copper) (FPR-X-NM-8X1G-F)

New/modified screens: Devices > Device Management > Interfaces > Edit Physical Interface
For more information, see Inline Sets and Passive Interfaces in the device configuration guide.

New Feature: Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.
Description: We now support the Intel Ethernet Network Adapter E810-CQDA2 driver with threat defense virtual for KVM.
For more information, see Getting Started with Secure Firewall Threat Defense Virtual and KVM in the getting started guide.

Table 10: New Features in Management Center Version 7.2.0

Platform

New Feature: Management center virtual and threat defense virtual for Alibaba.
Description: We introduced Secure Firewall Management Center Virtual and Secure Firewall Threat Defense for Alibaba. You must manage threat defense virtual for Alibaba with a management center; device manager is not supported.
Note that due to underlying issues in the Alibaba infrastructure, the threat defense virtual instance type ecs.g5ne.4xLarge has low performance, especially in terms of connections per second (CPS). We recommend the 2xlarge or 4xlarge.

New Feature: Snapshots allow quick deploy of threat defense virtual for AWS and Azure.
Description: You can now take a snapshot of a threat defense virtual for AWS or Azure instance, then use that snapshot to quickly deploy new instances. This feature also improves the performance of the autoscale solutions for AWS and Azure.
For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.


New Feature: Analytics mode for cloud-managed threat defense devices.
Description: Concurrently with Version 7.2, we introduced the Cisco Cloud-delivered Firewall Management Center. The cloud-delivered Firewall Management Center uses the Cisco Defense Orchestrator (CDO) platform and unites management across multiple Cisco security solutions. We take care of feature updates.
Customer-deployed hardware and virtual management centers running Version 7.2+ can "co-manage" cloud-managed threat defense devices, but for event logging and analytics purposes only. You cannot deploy policy to these devices from a customer-deployed management center.
New/modified screens:
• When you add a cloud-managed device to a customer-deployed management center, use the new CDO Managed Device check box to specify that it is analytics-only.
• View which devices are analytics-only on Devices > Device Management.

New/modified CLI commands: configure manager add, configure manager delete, configure manager edit, show managers
For more information, see Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator.

New Feature: Network modules for the Firepower 4100.
Description: We introduced these network modules for the Firepower 4100:
• 2-port 100-Gigabit Ethernet QSFP28 (FPR4K-NM-2X100G)
• 4-port 100-Gigabit Ethernet QSFP28 (FPR4K-NM-4X100G)

New Feature: ISA 3000 support for shutting down.
Description: Support returns for shutting down the ISA 3000. This feature was introduced in Version 7.0.2 but was temporarily deprecated in Version 7.1.

High Availability/Scalability


New Feature: Clustering for threat defense virtual in both public and private clouds.
Description: You can now configure clustering for the following threat defense virtual platforms:
• Threat defense virtual for AWS: 16-node clusters
• Threat defense virtual for GCP: 16-node clusters
• Threat defense virtual for KVM: 4-node clusters
• Threat defense virtual for VMware: 4-node clusters

New/modified screens:
• Devices > Device Management > Add Cluster
• Devices > Device Management > More menu
• Devices > Device Management > Cluster

For more information, see Clustering for Threat Defense Virtual in a Public Cloud (AWS, GCP) or Clustering for Threat Defense Virtual in a Private Cloud (KVM, VMware) in the device configuration guide.

New Feature: Support for 16-node clusters.
Description: You can now configure 16-node clusters for the following platforms:
• Firepower 4100/9300
• Threat defense virtual for AWS
• Threat defense virtual for GCP

The Secure Firewall 3100 still only supports 8 nodes.
For more information, see Clustering for the Firepower 4100/9300 or Clustering for Threat Defense Virtual in a Public Cloud in the device configuration guide.

New Feature: Autoscale for threat defense virtual for AWS gateway load balancers.
Description: We now support autoscale for threat defense virtual for AWS gateway load balancers, using a CloudFormation template.
For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

New Feature: Autoscale for threat defense virtual for GCP.
Description: We now support autoscale for threat defense virtual for GCP, by positioning a threat defense virtual instance group between a GCP internal load balancer (ILB) and a GCP external load balancer (ELB).
For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Interfaces


New Feature: LLDP support for the Firepower 2100 and Secure Firewall 3100.
Description: You can now enable Link Layer Discovery Protocol (LLDP) for Firepower 2100 and Secure Firewall 3100 series interfaces.
New/modified screens: Devices > Device Management > Interfaces > > Hardware Configuration > LLDP
New/modified commands: show lldp status, show lldp neighbors, show lldp statistics
For more information, see Interface Overview in the device configuration guide.

New Feature: Pause frames for flow control for the Secure Firewall 3100.
Description: If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue.
New/modified screens: Devices > Device Management > Interfaces > Hardware Configuration > Network Connectivity
For more information, see Interface Overview in the device configuration guide.

New Feature: Breakout ports for the Secure Firewall 3130 and 3140.
Description: You can now configure four 10 GB breakout ports for each 40 GB interface on the Secure Firewall 3130 and 3140.
New/modified screens: Devices > Device Management > Chassis Operations
For more information, see Interface Overview in the device configuration guide.

New Feature: Configure VXLAN from the management center web interface.
Description: You can now use the management center web interface to configure VXLAN interfaces. VXLANs act as a Layer 2 virtual network over a Layer 3 physical network to stretch the Layer 2 network.
If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case—if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings.
New/modified screens:
• Configure the VTEP source interface: Devices > Device Management > VTEP
• Configure the VNI interface: Devices > Device Management > Interfaces > Add VNI Interface

For more information, see Regular Firewall Interfaces in the device configuration guide.

NAT

Ability to enable, disable, or delete more than one NAT rule at a time.
You can select multiple NAT rules and enable, disable, or delete them all at the same time. Enable and disable apply to manual NAT rules only, whereas delete applies to any NAT rule.
For more information, see Network Address Translation in the device configuration guide.

VPN


Certificate and SAML authentication for RA VPN connection profiles.
We now support certificate and SAML authentication for RA VPN connection profiles. You can authenticate a machine certificate or user certificate before SAML authentication/authorization is initiated. This can be done using DAP certificate attributes along with user-specific SAML DAP attributes.
New/modified screens: You can now choose the Certificate & SAML option when choosing the authentication method for the connection profile in an RA VPN policy.
For more information, see Remote Access VPN in the device configuration guide.

Route-based site-to-site VPN with hub and spoke topology.
We added support for route-based site-to-site VPNs in a hub and spoke topology. Previously, that topology only supported policy-based (crypto map) VPNs.
New/modified screens: When you add a new VPN topology and choose Route Based (VTI), you can now also choose Hub and Spoke.
For more information, see Site-to-Site VPNs in the device configuration guide.

IPsec flow offload for the Secure Firewall 3100.
On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance.
You can change the configuration using FlexConfig and the flow-offload-ipsec command.
For more information, see Site-to-Site VPNs in the device configuration guide.

Routing

Configure EIGRP from the management center web interface.
You can now use the management center web interface to configure EIGRP. Note that you can only enable EIGRP on interfaces belonging to the device's Global virtual router.
If you configured EIGRP with FlexConfig in a previous version, the system allows you to deploy post-upgrade, but also warns you to redo your EIGRP configurations in the web interface. When you are satisfied with the new configuration, you can delete the deprecated FlexConfig objects or commands. To help you with this process, we provide a command-line migration tool.
New/modified screens: Devices > Device Management > Routing > EIGRP
For more information, see EIGRP and Migrating FlexConfig Policies in the device configuration guide.

Virtual router support for the Firepower 1010.
You can now configure up to five virtual routers on the Firepower 1010.
For more information, see Virtual Routers in the device configuration guide.


Support for VTIs in user-defined virtual routers.
You can now assign virtual tunnel interfaces (VTIs) to user-defined virtual routers. Previously, you could only assign VTIs to Global virtual routers.
New/modified screens: Devices > Device Management > Routing > Virtual Router Properties
For more information, see Virtual Routers in the device configuration guide.

Policy-based routing with path monitoring.
You can now use path monitoring to collect the performance metrics (RTT, jitter, packet loss, and MOS) of a device's egress interfaces. Then, you can use these metrics to determine the best path for policy-based routing.
New/modified screens:
• Enable path monitoring and choose metrics to collect: Devices > Device Management > Interfaces > Path Monitoring
• Use the new Interface Ordering option when you are adding a policy-based route and specifying a forwarding action: Devices > Device Management > Routing > Policy Based Routing
• Monitor path metrics in each device's health monitoring dashboard: System ( ) > Health > Monitor > add dashboard > Interface - Path Metrics.
New/modified CLI commands: show policy route, show path-monitoring, clear path-monitoring
For more information, see Policy Based Routing in the device configuration guide.

Threat Intelligence

DNS-based threat intelligence from Cisco Umbrella.
We now support DNS-based Security Intelligence using regularly updated information from Cisco Umbrella. You can use both a local DNS policy and an Umbrella DNS policy, for two layers of protection.
New/modified screens:
• Configure connection to Umbrella: Integration > Other Integrations > Cloud Services > Cisco Umbrella Connection
• Configure Umbrella DNS policy: Policies > DNS > Add DNS Policy > Umbrella DNS Policy
• Associate Umbrella DNS policy with access control: Policies > Access Control > Edit Policy > Security Intelligence > Umbrella DNS Policy
For more information, see DNS Policies in the device configuration guide.


IP-based threat intelligence from Amazon GuardDuty.
You can now handle traffic based on malicious IP addresses detected by Amazon GuardDuty, when integrated with management center virtual for AWS. The system consumes this threat intelligence via a custom Security Intelligence feed, or via a regularly updated network object group, which you can then use in your security policies.
For more information, see the Cisco Secure Firewall Threat Defense Virtual Getting Started Guide.

Access Control and Threat Detection

Dynamic object management with the cloud-delivered Cisco Secure Dynamic Attributes Connector and the on-prem Cisco Secure Dynamic Attributes Connector 2.0.
Concurrently with Version 7.2, we released the following updates to the Cisco Secure Dynamic Attributes Connector:
• Cloud-delivered Cisco Secure Dynamic Attributes Connector (CDO-managed service)
Supported management centers: Version 7.1+ and the cloud-delivered management center.
Supported virtual/cloud workloads: AWS, Azure, Azure service tags, Google Cloud Connector, GitHub, and Office 365.
For more information: Managing the Cisco Secure Dynamic Attributes Connector with Cisco Defense Orchestrator chapters in Managing Firewall Threat Defense with Cloud-Delivered Firewall Management Center in Cisco Defense Orchestrator.
• On-prem Cisco Secure Dynamic Attributes Connector 2.0
Supported management centers: Version 7.0+ and the cloud-delivered management center.
Supported virtual/cloud workloads: AWS, Azure, Azure service tags, Google Cloud Connector, GitHub, Office 365, and VMware.
For more information: Cisco Secure Dynamic Attributes Connector Configuration Guide 2.0.

Bypass inspection or throttle elephant flows on Snort 3 devices.
You can now detect and optionally bypass inspection or throttle elephant flows. By default, access control policies are set to generate an event when the system sees an unencrypted connection larger than 1 GB/10 sec; the rate limit is configurable.
For the Firepower 2100 series, you can detect elephant flows but not bypass inspection or throttle. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use Intelligent Application Bypass (IAB).
New/modified screens: We added Elephant Flow Settings to the access control policy's Advanced tab.
For more information, see Elephant Flow Detection in the device configuration guide.


Encrypted visibility engine enhancements for Snort 3 devices.
We made the following enhancements to the encrypted visibility engine (EVE):
• EVE can detect the operating system used by the host, which is reported in events and the network map.
• EVE can detect application traffic by assigning EVE processes that were identified with high confidence to applications, which you can then use in access control rules to control network traffic. (In Version 7.1, you could see EVE processes for connections, but you could not act on that knowledge.) To add additional assignments, create custom applications/custom application detectors. When adding a detection pattern to your custom detector, choose Encrypted Visibility Engine as the application. Then, specify the process name and confidence level.
• EVE now works with QUIC traffic.
The following connection event fields have changed along with these enhancements:
• TLS Fingerprint Process Name is now Encrypted Visibility Process Name
• TLS Fingerprint Process Confidence Score is now Encrypted Visibility Process Confidence Score
• TLS Fingerprint Malware Confidence is now Encrypted Visibility Threat Confidence
• TLS Fingerprint Malware Confidence Score is now Encrypted Visibility Threat Confidence Score
• Detection Type: TLS Fingerprint is now Detection Type: Encrypted Visibility
This feature now requires a Threat license.
For more information, see Access Control Policies and Application Detection in the device configuration guide.

TLS 1.3 inspection for Snort 3 devices.
We now support inspection of TLS 1.3 traffic.
New/modified screens: We added the Enable TLS 1.3 Decryption option to the Advanced Settings tab in SSL policies. Note that this option is disabled by default.
For more information, see SSL Policies in the device configuration guide.

Improved portscan detection for Snort 3 devices.
With an improved portscan detector, you can easily configure the system to detect or prevent portscans. You can refine the networks you want to protect, set the sensitivity, and so on. For devices running Snort 2 and for devices running Version 7.1 and earlier, continue to use the network analysis policy for portscan detection.
New/modified screens: We added Threat Detection to the access control policy's Advanced tab.
For more information, see Threat Detection in the device configuration guide.


VBA macro inspection for Snort 3 devices.
We now support inspection of VBA (Visual Basic for Applications) macros in Microsoft Office documents, which is done by decompressing the macros and matching rules against the decompressed content.
By default, VBA macro decompression is disabled in all system-provided network analysis policies. To enable it, use the decompress_vba setting in the imap, smtp, http_inspect, and pop Snort 3 inspectors.
To configure custom intrusion rules to match against decompressed macros, use the vba_data option.
For more information, see the appropriate chapters in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Improved JavaScript inspection for Snort 3 devices.
We improved JavaScript inspection, which is done by normalizing the JavaScript and matching rules against the normalized content. The new normalizer's enhancements include improved white-space normalization, semicolon insertion, cross-site script handling, identifier normalization and dealiasing, just-in-time (JIT) inspection, and the ability to inspect external scripts.
By default, the new normalizer is enabled in all system-provided network analysis policies. To tweak performance or disable the feature in a custom network analysis policy, use the js_norm (improved normalizer) and normalize_javascript (legacy normalizer) settings in the http_inspect Snort 3 inspector.
To configure custom intrusion rules to match against normalized JavaScript, use the js_data option, for example:
alert tcp any any -> any any (msg:"Script detected!"; js_data; content:"var var_0000=1;"; sid:1000001;)
For more information, see HTTP Inspect Inspector in the Snort 3 Inspector Reference, as well as the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.
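The VBA macro and JavaScript settings described in the two entries above can be expressed together in a Snort 3 network analysis configuration. The following is an added example written for these notes in Snort 3's native Lua format; it is not code from the release notes or from Cisco, and it does not show the management center's JSON inspector-override format. It assumes a standard snort.lua is loaded first; the rule match strings are constructed samples, not vetted signatures.

```lua
-- Added example for these release notes (not code from the notes or from Cisco):
-- a Snort 3 Lua configuration fragment that enables VBA macro decompression in
-- the four inspectors the notes list and defines two local rules that match on
-- the decompressed macro buffer (vba_data) and the normalized JavaScript buffer
-- (js_data). Assumed to be included from a snort.lua that already loads the
-- default inspector tables; the "or {}" fallbacks keep it loadable on its own.

-- decompress_vba is off by default. Turn it on for each protocol that can carry
-- an Office document so rules see the macro source, not the compressed blob.
http_inspect = http_inspect or {}
http_inspect.decompress_vba = true

smtp = smtp or {}
smtp.decompress_vba = true

imap = imap or {}
imap.decompress_vba = true

pop = pop or {}
pop.decompress_vba = true

-- The improved JavaScript normalizer is not tuned here: its depth-limit
-- parameter names differ between Snort 3 releases, and the js_data rule below
-- matches whatever normalized buffer the loaded policy produces.

-- Local rules, inline. vba_data and js_data are sticky buffers: the content
-- match that follows each applies to that buffer only. SIDs 1000000 and above
-- are reserved for local rules; the match strings are constructed samples.
ips = ips or {}
ips.rules = [[
# Constructed sample: a macro that reaches for the VBA Shell function. The
# pattern is a placeholder to show the buffer, not a vetted signature.
alert tcp any any -> any any ( msg:"VBA macro calls Shell()"; vba_data; content:"Shell(",nocase; sid:1000002; rev:1; )

# The notes' own js_data example: after normalization, user-defined identifiers
# are renamed var_0000, var_0001, ... in order of appearance, so this fires
# regardless of the original variable name or whitespace.
alert tcp any any -> any any ( msg:"Script detected!"; js_data; content:"var var_0000=1;"; sid:1000001; rev:1; )
]]
```

Include the fragment from snort.lua after the default inspector definitions and run snort -c snort.lua -T to validate the configuration and rules before deploying. In the management center, the equivalent settings live in the network analysis policy's Snort 3 inspector overrides and in custom intrusion rules, not in a Lua file.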

Improved SMB 3 inspection for Snort 3 devices.
We now support inspection of SMB 3 traffic in the following situations:
• During file server node failover for clusters configured for SMB Transparent Failover.
• In multiple file server nodes for clusters using SMB Scale-Out.
• Through directory information changes due to SMB Directory Leasing.
• Spread across multiple connections due to SMB Multichannel.
For more information, see the Snort 3 Inspector Reference and the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

Policy Management


Access control policy locking.
You can now lock an access control policy to prevent other administrators from editing it. Locking the policy ensures that your changes will not be invalidated if another administrator edits the policy and saves changes before you save your changes. Any user who has permission to modify the access control policy has permission to lock it.
We added an icon to lock or unlock a policy next to the policy name while editing the policy. In addition, there is a new permission to allow users to unlock policies locked by other administrators: Override Access Control Policy Lock. This permission is enabled by default in the Administrator, Access Admin, and Network Admin roles.
For more information, see Access Control Policies in the device configuration guide.

Object group search is enabled by default.
Upgrade Impact
The Object Group Search setting is now enabled by default. Upgrading to Version 7.2+ enables this setting.
New/modified screens: Devices > Device Management > Device > Advanced Settings
For more information, see Device Management in the device configuration guide.

Access control rule hit counts persist over reboot.
Rebooting a managed device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained separately by each unit in an HA pair or cluster. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or see the counts per node.
New/modified CLI commands: show rule hits
For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

Usability improvements for the access control policy.
There is a new user interface available for the access control policy. You can continue to use the legacy user interface, or you can try out the new user interface.
The new interface has both a table and a grid view for the rules list, the ability to show or hide columns, enhanced search, infinite scroll, a clearer view of the packet flow related to policies associated with the access control policy, and a simplified add/edit dialog box for creating rules. You can freely switch back and forth between the legacy and new user interfaces while editing an access control policy.
For more information, see Access Control Policies in the device configuration guide.

Event Logging and Analysis


Improved SecureX integration, SecureX orchestration.
We have streamlined the SecureX integration process. Now, as long as you already have a SecureX account, you just choose your cloud region on the new Integration > SecureX page, click Enable SecureX, and authenticate to SecureX. The options to send events to the cloud, as well as to enable Cisco Success Network and Cisco Support Diagnostics, are also moved to this new page.
When you enable SecureX integration on this new page, licensing and management for the system's cloud connection switches from Cisco Smart Licensing to SecureX. If you already enabled SecureX the "old" way, you must disable and re-enable to get the benefits of this cloud connection management.
Note that this page also governs the cloud region for, and the event types sent to, the Secure Network Analytics (Stealthwatch) cloud using Security Analytics and Logging (SaaS), even though the web interface does not indicate this. Previously, these options were on System ( ) > Integration > Cloud Services. Enabling SecureX does not affect communications with the Secure Network Analytics cloud; you can send events to both.
The management center also now supports SecureX orchestration, a powerful drag-and-drop interface you can use to automate workflows across security tools. After you enable SecureX, you can enable orchestration.
As part of this feature, you can no longer use the REST API to configure SecureX integration. You must use the FMC web interface.
This feature was introduced in Version 7.0.2 and temporarily deprecated in Version 7.1.
For more information, see the Cisco Secure Firewall Management Center (7.0.2 and 7.2) and SecureX Integration Guide.

Log security events to multiple Secure Network Analytics on-prem data stores.
When you configure a Secure Network Analytics Data Store (multi-node) integration, you can now add multiple flow collectors for security events. You assign each flow collector to one or more threat defense devices running Version 7.0+.
New/modified screens:
• Setup: Integration > Security Analytics & Logging > Secure Network Analytics Data Store
• Modify: Integration > Security Analytics & Logging > Update Device Assignments
This feature requires Secure Network Analytics Version 7.1.4.
For more information, see the Cisco Security Analytics and Logging (On Premises): Firewall Event Integration Guide.

Database access changes.
We added ten new tables, deprecated one table, and prohibited joins in six tables. We also added fields to various tables for Snort 3 support and to provide timestamps and IP addresses in human-readable format.
For more information, see the What's New topic in the Cisco Secure Firewall Management Center Database Access Guide, Version 7.2.


eStreamer changes.
A new Python-based reference client has been added to the SDK. Also, you can now request fully qualified events.
For more information, see the What's New topic in the Cisco Secure Firewall Management Center Event Streamer Integration Guide, Version 7.2.

Upgrade

Copy upgrade packages ("peer-to-peer sync") from device to device.
Instead of copying upgrade packages to each device from the management center or internal web server, you can use the threat defense CLI to copy upgrade packages between devices ("peer to peer sync"). This secure and reliable resource-sharing goes over the management network but does not rely on the management center. Each device can accommodate 5 concurrent package transfers.
This feature is supported for Version 7.2+ standalone devices managed by the same standalone management center. It is not supported for:
• Container instances.
• Device high availability pairs and clusters. These devices get the package from each other as part of their normal sync process. Copying the upgrade package to one group member automatically syncs it to all group members.
• Devices managed by high availability management centers.
• Devices managed by the cloud-delivered management center, but added to a customer-deployed management center in analytics mode.
• Devices in different domains, or devices separated by a NAT gateway.
• Devices upgrading from Version 7.1 or earlier, regardless of management center version.
New/modified CLI commands: configure p2psync enable, configure p2psync disable, show peers, show peer details, sync-from-peer, show p2p-sync-status
Minimum threat defense: 7.2
For more information, see Copy Threat Defense Upgrade Packages between Devices in the management center upgrade guide.

Auto-upgrade to Snort 3 after successful threat defense upgrade.
When you use a Version 7.2+ management center to upgrade threat defense, you can now choose whether to Upgrade Snort 2 to Snort 3.
After the software upgrade, eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.
This option is supported for major and maintenance threat defense upgrades to Version 7.2+. It is not supported for threat defense upgrades to Version 7.0 or 7.1, or for patches to any version.


Upgrade for single-node clusters.
You can now use the device upgrade page (Devices > Device Upgrade) to upgrade clusters with only one active node. Any deactivated nodes are also upgraded. Previously, this type of upgrade would fail. This feature is not supported from the system updates page (System > Updates).
Hitless upgrades are also not supported in this case. Interruptions to traffic flow and inspection depend on the interface configurations of the lone active unit, just as with standalone devices.
Supported platforms: Firepower 4100/9300, Secure Firewall 3100

Revert threat defense upgrades from the CLI.
You can now revert threat defense upgrades from the device CLI if communications between the management center and device are disrupted. Note that in high availability/scalability deployments, revert is more successful when all units are reverted simultaneously. When reverting with the CLI, open sessions with all units, verify that revert is possible on each, then start the processes at the same time.
Caution: Reverting from the CLI can cause configurations between the device and the management center to go out of sync, depending on what you changed post-upgrade. This can cause further communication and deployment issues.
New/modified CLI commands: upgrade revert, show upgrade revert-info.
Minimum threat defense: 7.2
For more information, see Revert the Upgrade in the management center upgrade guide.

Administration & Troubleshooting

Dropped packet statistics for the Secure Firewall 3100.
The new show packet-statistics threat defense CLI command displays comprehensive information about non-policy related packet drops. Previously, this information required using several commands.
For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

Multiple DNS server groups for resolving DNS requests.
You can configure multiple DNS groups for the resolution of DNS requests from client systems. You can use these DNS server groups to resolve requests for different DNS domains. For example, you could have a catch-all default group that uses public DNS servers, for use with connections to the Internet. You could then configure a separate group to use internal DNS servers for internal traffic, for example, any connection to a machine in the example.com domain. Thus, connections to an FQDN using your organization's domain name would be resolved using your internal DNS servers, whereas connections to public servers use external DNS servers.
New/modified screens: Platform Settings > DNS
For more information, see Platform Settings in the device configuration guide.


Configure certificate validation with threat defense by usage type.
You can now specify the usage types for which validation is allowed with the trustpoint (the threat defense device): IPsec client connections, SSL client connections, and SSL server certificates.
New/modified screens: We added a Validation Usage option to certificate enrollment objects: Objects > Object Manager > PKI > Cert Enrollment.
For more information, see Object Management in the device configuration guide.

Auto rollback of a deployment that causes a loss of management connectivity.
You can now enable auto rollback of the configuration if a deployment causes the management connection between the management center and the threat defense to go down. Previously, you could only manually roll back a configuration using the configure policy rollback command.
New/modified screens:
• Devices > Device Management > Device > Deployment Settings
• Deploy > Advanced Deploy > Preview
• Deploy > Deployment History > Preview
For more information, see Device Management in the device configuration guide.

Generate and email a report when you deploy configuration changes.
You can now generate a report for any deploy task. The report contains details about the deployed configuration.
New/modified pages: Deploy > Deployment History icon > More ( ) > Generate Report
For more information, see Configuration Deployment in the device configuration guide.

GeoDB is split into two packages.
In May 2022, shortly before the Version 7.2 release, we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on.
If your Version 7.2+ management center has internet access and you enable recurring updates or you manually kick off a one-time update from the Cisco Support & Download site, the system automatically obtains and imports both packages. However, if you manually download updates—for example, in an air-gapped deployment—make sure you get and import both GeoDB packages:
• Country code package: Cisco_GEODB_Update-date-build.sh.REL.tar
• IP package: Cisco_IP_GEODB_Update-date-build.sh.REL.tar
The Geolocation Updates page (System ( ) > Updates > Geolocation Updates) and the About page (Help > About) list the versions of the packages currently being used by the system.
For more information, see Updates in the management center admin guide.


French language option for web interface.
You can now switch the management center web interface to French.
New/modified screens: System ( ) > Configuration > Language
For more information, see System Configuration in the management center admin guide.

Web interface changes: deployment and user activity integrations.
Version 7.2 changes these management center menu options in all cases.
• Deploy > Deployment History is now Deploy > Deployment History (bottom right corner)
• Deploy > Deployment is now Deploy > Advanced Deploy
• Analysis > Users > Active Sessions is now Integration > Users > Active Sessions
• Analysis > Users > Users is now Integration > Users > Users
• Analysis > Users > User Activity is now Integration > Users > User Activity

Web interface changes: SecureX, threat intelligence, and other integrations.
Version 7.2 changes these management center menu options if you are upgrading from Version 7.0.1 or earlier, or from Version 7.1.
Note: If you are upgrading from Version 7.0.2 or any later Version 7.0.x maintenance release, your menu structure already looks like this.
• AMP > AMP Management is now Integration > AMP > AMP Management
• AMP > Dynamic Analysis Connections is now Integration > AMP > Dynamic Analysis Connections
• Intelligence > Sources is now Integration > Intelligence > Sources
• Intelligence > Elements is now Integration > Intelligence > Elements
• Intelligence > Settings is now Integration > Intelligence > Settings
• Intelligence > Incidents is now Integration > Intelligence > Incidents
• System ( ) > Integration is now Integration > Other Integrations
• System ( ) > Logging > Security Analytics & Logging is now Integration > Security Analytics & Logging
• System ( ) > SecureX is now Integration > SecureX


Management Center REST API

Management center REST API services/operations.
For information on changes to the FMC REST API, see What's New in 7.2 in the REST API quick start guide.

Deprecated Features

Table 11: Deprecated Features in Management Center Version 7.2.0

Deprecated Feature Description

Deprecated: EIGRP with FlexConfig.
You can now configure EIGRP routing from the management center web interface.
You no longer need these FlexConfig objects: Eigrp_Configure, Eigrp_Interface_Configure, Eigrp_Unconfigure, Eigrp_Unconfigure_all. And these associated text objects: eigrpAS, eigrpNetworks, eigrpDisableAutoSummary, eigrpRouterId, eigrpStubReceiveOnly, eigrpStubRedistributed, eigrpStubConnected, eigrpStubStatic, eigrpStubSummary, eigrpIntfList, eigrpAS, eigrpAuthKey, eigrpAuthKeyId, eigrpHelloInterval, eigrpHoldTime, eigrpDisableSplitHorizon.
The system does allow you to deploy post-upgrade, but also warns you to redo your EIGRP configurations. To help you with this process, we provide a command-line migration tool. For details, see Migrating FlexConfig Policies in the device configuration guide.

Deprecated: VXLAN with FlexConfig.
You can now configure VXLAN interfaces from the management center web interface.
You no longer need these FlexConfig objects: VxLAN_Clear_Nve, VxLAN_Clear_Nve_Only, VxLAN_Configure_Port_And_Nve, VxLAN_Make_Nve_Only, VxLAN_Make_Vni. And these associated text objects: vxlan_Port_And_Nve, vxlan_Nve_Only, vxlan_Vni.
If you configured VXLAN interfaces with FlexConfig in a previous version, they continue to work. In fact, FlexConfig takes precedence in this case: if you redo your VXLAN configurations in the web interface, remove the FlexConfig settings.

Deprecated: Automatic pre-upgrade troubleshooting.
To save time and disk space, the management center upgrade process no longer automatically generates troubleshooting files before the upgrade begins. Note that device upgrades are unaffected and continue to generate troubleshooting files.
To manually generate troubleshooting files for the management center, choose System ( ) > Health > Monitor, click Firewall Management Center in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

New Features in Device Manager Version 7.2


Table 12: New and Deprecated Features in Device Manager Version 7.2

Feature Description

Platform Features

Firepower 1010E.
We introduced the Firepower 1010E, which does not support power over Ethernet (PoE).
For more information on PoE with the Firepower 1010, see Getting Started in the configuration guide.
Minimum threat defense: 7.2.3

Threat defense virtual for GCP.
You can now use device manager to configure threat defense virtual for GCP.

Network modules for the Secure We introduced these network modules for the Secure Firewall 3100:
Firewall 3100.
• 6-port 1G SFP Network Module, SX (multimode)
(FPR-X-NM-6X1SX-F)
• 6-port 10G SFP Network Module, SR (multimode)
(FPR-X-NM-6X10SR-F)
• 6-port 10G SFP Network Module, LR (single mode)
(FPR-X-NM-6X10LR-F)
• 6-port 25G SFP Network Module, SR (multimode)
(FPR-X-NM-X25SR-F)
• 6-port 25G Network Module, LR (single mode)
(FPR-X-NM-6X25LR-F)
• 8-port 1G Copper Network Module, RJ45 (copper)
(FPR-X-NM-8X1G-F)

Minimum threat defense: 7.2.1

Network modules for the Firepower We introduced these network modules for the Firepower 4100:
4100.
• 2-port 100-Gigabit Ethernet QSFP28 (FPR4K-NM-2X100G)
• 4-port 100-Gigabit Ethernet QSFP28 (FPR4K-NM-4X100G)

Intel Ethernet Network Adapter We now support the Intel Ethernet Network Adapter E810-CQDA2
E810-CQDA2 driver with threat driver with threat defense virtual for KVM.
defense virtual for KVM.
For more information, see Getting Started with Secure Firewall Threat
Defense Virtual and KVM in the getting started guide.
Minimum threat defense: 7.2.1


ISA 3000 support for shutting down.
  Support returns for shutting down the ISA 3000. This feature was introduced in Version 7.0.2 but was temporarily deprecated in Version 7.1.

Firewall and IPS Features

Object-group search is enabled by default for access control.
  The CLI configuration command object-group-search access-control is now enabled by default for new deployments. If you are configuring the command using FlexConfig, you should evaluate whether that is still needed. If you need to disable the feature, use FlexConfig to implement the no object-group-search access-control command.
  For more information, see https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/o-commands.html#wp1852298285.

Rule hit counts persist over reboot.
  Rebooting a device no longer resets access control rule hit counts to zero. Hit counts are reset only if you actively clear the counters. In addition, counts are maintained by each unit in an HA pair or cluster separately. You can use the show rule hits command to see cumulative counters across the HA pair or cluster, or see the counts per node.
  We modified the following threat defense CLI command: show rule hits.
  For more information, see https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-access.html#id_92394.

VPN Features

IPsec flow offload.
  On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance.
  You can change the configuration using FlexConfig and the flow-offload-ipsec command.
  For more information, see https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-s2svpn.html#Cisco_Concept.dita_83d8d2c7-8a9c-4094-9649-91744c9fff06.

Interface Features


Breakout port support for the Secure Firewall 3130 and 3140.
  You can now configure four 10GB breakout ports for each 40GB interface on the Secure Firewall 3130 and 3140.
  New/Modified screens:
  • Devices > Interfaces
  For more information, see https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-interfaces.html#Cisco_Concept.dita_14e59bb1-dd81-455d-bf70-f26fa2cc097e.

Enabling or disabling Cisco Trustsec on an interface.
  You can enable or disable Cisco Trustsec on physical, subinterface, EtherChannel, VLAN, Management, or BVI interfaces, whether named or unnamed. By default, Cisco Trustsec is enabled automatically when you name an interface.
  We added the Propagate Security Group Tag attribute to the interface configuration dialog boxes, and the ctsEnabled attribute to the various interface APIs.
  For more information, see https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-interfaces.html#task_D0C0FB15621B4F49B29CB010F7D6C2D1.

Licensing Features

Permanent License Reservation Support for ISA 3000.
  ISA 3000 now supports Universal Permanent License Reservation for approved customers.
  For more information, see https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-license.html#id_123878.

Administrative and Troubleshooting Features

Ability to force full deployment.
  When you deploy changes, the system normally deploys just the changes made since the last successful deployment. However, if you are experiencing problems, you can elect to force a full deployment, which completely refreshes the configuration on the device. We added the Apply Full Deployment option to the deployment dialog box.
  For more information, see https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-get-started.html#task_BEE4E37389B64E518EE91FF3824476A9.


Automatically update CA bundles.
  The local CA bundle contains certificates to access several Cisco services. The system now automatically queries Cisco for new CA certificates at a daily system-defined time. Previously, you had to upgrade the software to update CA certificates. You can use the CLI to disable this feature.
  Note This feature is not supported in Version 7.0.0–7.0.4, 7.1.0–7.1.0.2, or 7.2.0–7.2.3. If you upgrade from a supported version to an unsupported version, the feature is temporarily disabled and the system stops contacting Cisco.
  New/modified CLI commands: configure cert-update auto-update, configure cert-update run-now, configure cert-update test, show cert-update
  For more information, see the Cisco Secure Firewall Threat Defense Command Reference.

Threat defense REST API version 6.3 (v6).
  The threat defense REST API for software version 7.2 is version 6.3 (v6). You can use v6 in the API URLs, or preferentially, use /latest/ to signify you are using the most recent API version that is supported on the device. Note that the URL version path element for 6.3 is the same as 6.0, 6.1, and 6.2: v6.
  Please re-evaluate all existing calls, as changes might have been made to the resource models you are using. To open the API Explorer, where you can view the resources, log into device manager, then click the more options button and choose API Explorer.
  For more information, see https://www.cisco.com/c/en/us/td/docs/security/firepower/ftd-api/guide/ftd-rest-api.html.

Intrusion Rules and Keywords


Upgrades can import and auto-enable intrusion rules.
Intrusion rule updates (SRUs/LSPs) provide new and updated intrusion rules and preprocessor rules, modified
states for existing rules, and modified default intrusion policy settings. If a newer intrusion rule uses keywords
that are not supported in your current version, that rule is not imported when you update the SRU/LSP.
After you upgrade and those keywords become supported, the new intrusion rules are imported and, depending
on your IPS configuration, can become auto-enabled and thus start generating events and affecting traffic
flow.
You can find your Snort version in the Bundled Components section of the compatibility guide, or use one of
these commands:
• Management Center: Choose Help > About.
• Device Manager: Use the show summary CLI command.


The Snort release notes contain details on new keywords. You can read the release notes on the Snort download
page: https://www.snort.org/downloads.

Deprecated FlexConfig Commands


This document lists deprecated FlexConfig objects and commands along with the other deprecated features
for this release. For a full list of prohibited commands, including those prohibited when FlexConfig was
introduced and those deprecated in previous releases, see your configuration guide.

Caution In most cases, your existing FlexConfig configurations continue to work post-upgrade and you can still deploy.
However, in some cases, using deprecated commands can cause deployment issues.

About FlexConfig
Some threat defense features are configured using ASA configuration commands. You can use Smart CLI or
FlexConfig to manually configure various ASA features that are not otherwise supported in the web interface.
Upgrades can add GUI or Smart CLI support for features that you previously configured using FlexConfig.
This can deprecate FlexConfig commands that you are currently using; your configurations are not automatically
converted. After the upgrade, you cannot assign or create FlexConfig objects using the newly deprecated
commands.
After the upgrade, examine your FlexConfig policies and objects. If any contain commands that are now
deprecated, messages indicate the problem. We recommend you redo your configuration. When you are
satisfied with the new configuration, you can delete the problematic FlexConfig objects or commands.

CHAPTER 4
Upgrade Guidelines
This document provides critical and release-specific upgrade guidelines for Version 7.2.
• Planning Your Upgrade, on page 37
• Minimum Version to Upgrade, on page 38
• Guidelines for Cloud-delivered Firewall Management Center, on page 39
• Upgrade Guidelines for Version 7.2, on page 39
• Upgrade Guidelines for FXOS, on page 42
• Unresponsive Upgrades, on page 42
• Revert or Uninstall the Upgrade, on page 43
• Traffic Flow and Inspection, on page 43
• Time and Disk Space Tests, on page 47

Planning Your Upgrade


Careful planning and preparation can help you avoid missteps. This table summarizes the upgrade planning
process. For detailed checklists and procedures, see the appropriate upgrade or configuration guide:
http://www.cisco.com/go/threatdefense-72-docs.

Table 13: Upgrade Planning Phases

Planning and Feasibility
  Assess your deployment.
  Plan your upgrade path.
  Read all upgrade guidelines and plan configuration changes.
  Check appliance access.
  Check bandwidth.
  Schedule maintenance windows.

Backups
  Back up the software.
  Back up FXOS on the Firepower 4100/9300.


Upgrade Packages
  Download upgrade packages from Cisco.
  Upload upgrade packages to the system.

Associated Upgrades
  Upgrade virtual hosting in virtual deployments.
  Upgrade firmware on the Firepower 4100/9300.
  Upgrade FXOS on the Firepower 4100/9300.

Final Checks
  Check configurations.
  Check NTP synchronization.
  Deploy configurations.
  Run readiness checks.
  Check disk space.
  Check running tasks.
  Check deployment health and communications.

Minimum Version to Upgrade


Minimum Version to Upgrade
You can upgrade directly to Version 7.2, including maintenance releases, as follows.

Table 14: Minimum Version to Upgrade to Version 7.2

Management Center: 6.6

Threat Defense (except Threat Defense Virtual with GCP): 6.6
  FXOS 2.12.0.31 is required for the Firepower 4100/9300. In most cases, we recommend you use the latest FXOS build in each major version. To help you decide, see the Cisco Firepower 4100/9300 FXOS Release Notes, 2.12.

Threat Defense Virtual with GCP: 7.2
  You cannot upgrade to Version 7.2+ from Version 7.1 and earlier; you must deploy a new instance. The minimum version to upgrade to a Version 7.2.x maintenance release is Version 7.2.0. See Threat Defense Virtual for GCP Cannot Upgrade Across Version 7.2.0, on page 41.

Minimum Version to Patch


Patches change the fourth digit only. You cannot upgrade directly to a patch from a previous major or
maintenance release.


Guidelines for Cloud-delivered Firewall Management Center


You do not upgrade the cloud-delivered Firewall Management Center. It does not have a version and we take
care of feature updates.

Upgrading Threat Defense with Cloud-delivered Firewall Management Center


To upgrade threat defense with the cloud-delivered Firewall Management Center, use the latest released
version of the Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center.

Note The cloud-delivered Firewall Management Center cannot manage threat defense Version 7.1. You cannot
upgrade a cloud-managed device from Version 7.0 to Version 7.1 unless you unregister and disable cloud
management. We recommend you upgrade the device directly to Version 7.2+.

Upgrading Co-Managed Devices


Customer-deployed management centers running Version 7.2+ can co-manage cloud-managed threat defense
devices, but for event logging and analytics purposes only. You must use the cloud-delivered Firewall
Management Center to manage and configure all other aspects of threat defense, including upgrade.
Remember, a customer-deployed management center must run the same or newer version as its managed
devices—and this includes devices co-managed by the cloud-delivered Firewall Management Center. That
is, you cannot use the cloud-delivered Firewall Management Center to upgrade a co-managed device past its
customer-deployed management center.
For example, consider a threat defense device with two managers:
• Device, running Version A.
• Customer-deployed management center, running Version B.
• Cloud-delivered Firewall Management Center, no version.

In this scenario, you can use the cloud-delivered Firewall Management Center to upgrade the device to Version
B (the same version as the co-manager), but not to Version C (past the co-manager).

Upgrade Guidelines for Version 7.2


These checklists provide new and/or previously published upgrade guidelines that may apply to you.

Table 15: Upgrade Guidelines for Threat Defense with Management Center Version 7.2

✓ Cisco Secure Firewall Management Center New Features by Release, for new and deprecated features that have upgrade impact. Check all versions between your current and target version.
  Platforms: Any. Upgrading from: Any. Directly to: Any.


✓ Open and Resolved Bugs, on page 59, for bugs that have upgrade impact. Check all versions of the release notes between your current and target version.
  Platforms: Any. Upgrading from: Any. Directly to: Any.

✓ Minimum Version to Upgrade, on page 38
  Platforms: Any. Upgrading from: Any. Directly to: Any.

✓ Upgrade Guidelines for FXOS, on page 42
  Platforms: Firepower 4100/9300. Upgrading from: Any. Directly to: Any.

✓ Threat Defense Virtual for GCP Cannot Upgrade Across Version 7.2.0, on page 41
  Platforms: Threat Defense Virtual for GCP. Upgrading from: 6.7.0 through 7.1.x. Directly to: 7.2+.

✓ Extended Post-Upgrade Deploy for Large Configurations, on page 41
  Platforms: Management Center. Upgrading from: 6.6.0 through 7.2.3. Directly to: 7.2.4 through 7.2.x.

✓ Reconnect with Cisco Secure Malware Analytics for High Availability Management Centers, on page 41
  Platforms: Management Center. Upgrading from: 6.4.0 through 6.7.x. Directly to: 7.0+.

✓ Upgrade Failure: Firepower 1010 Switch Ports with Invalid VLAN IDs, on page 42
  Platforms: Firepower 1010. Upgrading from: 6.4.0 through 6.6.x. Directly to: 6.7+.

Table 16: Upgrade Guidelines for Threat Defense with Device Manager Version 7.2

✓ Cisco Secure Firewall Device Manager New Features by Release, for new and deprecated features that have upgrade impact. Check all versions between your current and target version.
  Platforms: Any. Upgrading from: Any. Directly to: Any.

✓ Open and Resolved Bugs, on page 59, for bugs that have upgrade impact. Check all versions of the release notes between your current and target version.
  Platforms: Any. Upgrading from: Any. Directly to: Any.

✓ Minimum Version to Upgrade, on page 38
  Platforms: Any. Upgrading from: Any. Directly to: Any.

✓ Upgrade Guidelines for FXOS, on page 42
  Platforms: Firepower 4100/9300. Upgrading from: Any. Directly to: Any.

✓ Upgrade Failure: Firepower 1010 Switch Ports with Invalid VLAN IDs, on page 42
  Platforms: Firepower 1010. Upgrading from: 6.4.0 through 6.6.x. Directly to: 6.7+.


Extended Post-Upgrade Deploy for Large Configurations


Deployment: Management Center
Upgrading from: Version 6.7 through 7.2.3
Directly to: Version 7.2.4 or later maintenance release
Version 7.2.4 improves performance in deployments with access control rules that use overlapping networks.
These configurations now consume fewer device resources due to optimization of overlapping objects.
The improvements take effect after the management center's first post-upgrade deploy. However, if you have
a high number of rules, the system can take several minutes to an hour to evaluate your policies and perform
object optimization. During this time, you may also see higher CPU use on the device.
We strongly recommend you deploy when it will have the least impact, such as a maintenance window or a
low-traffic time.

Note This feature is not supported in Version 7.3. Upgrading from a supported version to an unsupported version
removes these optimizations. When you upgrade to a supported version again, you will re-experience this
issue.

Threat Defense Virtual for GCP Cannot Upgrade Across Version 7.2.0
Deployments: Threat Defense Virtual for GCP
Upgrading from: Version 6.7.0 through 7.1.x
Directly to: Version 7.2.0+
Due to interface changes required to support autoscaling, Threat Defense Virtual for GCP upgrades cannot
cross Version 7.2.0. That is, you cannot upgrade to Version 7.2.0+ from Version 7.1.x and earlier. You must
deploy a new instance and redo any device-specific configurations.

Reconnect with Cisco Secure Malware Analytics for High Availability Management Centers
Deployments: High availability/AMP for Networks (malware detection) deployments where you submit files
for dynamic analysis
Upgrading from: Version 6.4.0 through 6.7.x
Directly to: Version 7.0.0+
Related bug: CSCvu35704
Version 7.0.0 fixes an issue with high availability where, after failover, the system stopped submitting files
for dynamic analysis. For the fix to take effect, you must reassociate with the Cisco Secure Malware Analytics
public cloud.
After you upgrade the high availability pair, on the primary management center:
1. Choose AMP > Dynamic Analysis Connections.


2. Click Associate in the table row corresponding to the public cloud.
A portal window opens. You do not have to sign in. The reassociation happens in the background, within a few minutes.

Upgrade Failure: Firepower 1010 Switch Ports with Invalid VLAN IDs
Deployments: Firepower 1010
Upgrading from: Version 6.4 through 6.6
Directly to: Version 6.7+
For the Firepower 1010, threat defense upgrades to Version 6.7+ will fail if you configured switch ports with
a VLAN ID in the 3968–4047 range. These IDs are for internal use only.
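A pre-upgrade check for this guideline, added here as an example and not taken from the release notes: it parses a constructed Firepower 1010 running-config excerpt (the interface names, VLAN IDs, and the switchport command syntax are assumptions) and flags switch ports whose VLAN IDs fall in the reserved 3968–4047 range, so they can be remapped before the upgrade instead of being discovered by a failed one.

```python
"""Pre-upgrade check: flag Firepower 1010 switch ports whose VLAN IDs fall in the
reserved 3968-4047 range, which makes threat defense upgrades to 6.7+ fail."""
import re
from typing import Dict, List, Set

# 3968 through 4047 inclusive, the internal-use range named in the release notes.
RESERVED_VLAN_RANGE = range(3968, 4048)

# Constructed sample running-config excerpt (not captured from a real device).
# The switchport command syntax shown here is an assumption about the config format.
SAMPLE_CONFIG = """\
interface Ethernet1/2
 switchport
 switchport access vlan 100
interface Ethernet1/3
 switchport
 switchport access vlan 4000
interface Ethernet1/4
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 10,20,3960-3970
interface Vlan1
 nameif inside
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand a comma-separated VLAN list that may contain ranges ('10,20,30-32')."""
    ids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    return ids


def parse_switchport_vlans(config: str) -> Dict[str, Set[int]]:
    """Map each interface to the set of VLAN IDs its switchport commands reference."""
    vlans: Dict[str, Set[int]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        stripped = line.strip()
        m = re.match(r"^switchport access vlan (\d+)$", stripped)
        if m:
            vlans.setdefault(current, set()).add(int(m.group(1)))
            continue
        m = re.match(r"^switchport trunk (?:allowed|native) vlan (?:add )?(.+)$", stripped)
        if m:
            vlans.setdefault(current, set()).update(expand_vlan_list(m.group(1)))
    return vlans


def find_reserved_vlans(config: str) -> Dict[str, List[int]]:
    """Return {interface: sorted reserved VLAN IDs} for ports that would block the upgrade."""
    findings: Dict[str, List[int]] = {}
    for ifname, ids in parse_switchport_vlans(config).items():
        bad = sorted(v for v in ids if v in RESERVED_VLAN_RANGE)
        if bad:
            findings[ifname] = bad
    return findings


if __name__ == "__main__":
    hits = find_reserved_vlans(SAMPLE_CONFIG)
    if not hits:
        print("No switch ports use reserved VLAN IDs.")
    for ifname, bad in hits.items():
        print(f"{ifname}: reserved VLAN IDs {bad}; remap before upgrading to 6.7+")
```

Run it against the output of show running-config from the device; only the two constructed trunk/access ports that touch the reserved range are reported.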

Upgrade Guidelines for FXOS


For the Firepower 4100/9300, major threat defense upgrades also require an FXOS upgrade.
Major threat defense versions have a specially qualified and recommended companion FXOS version. Use
these combinations whenever possible because we perform enhanced testing for them. Maintenance releases
and patches rarely require FXOS upgrades, but you may still want to upgrade to the latest FXOS build to take
advantage of resolved issues.
We also recommend the latest firmware; see the Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide.
For critical and release-specific upgrade guidelines, new and deprecated features, and open and resolved bugs,
see the Cisco Firepower 4100/9300 FXOS Release Notes.

Minimum FXOS Version to Upgrade Threat Defense


The minimum FXOS version to run Version 7.2 is FXOS 2.12.0.31.

Minimum FXOS Version to Upgrade FXOS


You can upgrade to any later FXOS version from as far back as FXOS 2.2.2.

Time to Upgrade FXOS


An FXOS upgrade can take up to 45 minutes and can affect traffic flow and inspection. For more information,
see Traffic Flow and Inspection for FXOS Upgrades, on page 43.

Unresponsive Upgrades
Do not make or deploy configuration changes during upgrade. Even if the system appears inactive, do not
manually reboot or shut down during upgrade. You could place the system in an unusable state and require
a reimage.


Unresponsive Management Center Upgrade


Do not restart an upgrade in progress. If you encounter issues with the upgrade, including a failed upgrade or
unresponsive appliance, contact Cisco TAC.

Unresponsive Threat Defense Upgrade


For major and maintenance upgrades, you can manually cancel failed or in-progress upgrades, and retry failed
upgrades:
• Management Center: Use the Upgrade Status pop-up, accessible from the Upgrade tab on the Device
Management page, and from the Message Center.
• Device Manager: Use the System Upgrade panel.

You can also use the threat defense CLI.

Note By default, threat defense automatically reverts to its pre-upgrade state upon upgrade failure ("auto-cancel").
To be able to manually cancel or retry a failed upgrade, disable the auto-cancel option when you initiate the
upgrade. Auto-cancel is not supported for patches. In a high availability/scalability deployment, auto-cancel
applies to each device individually. That is, if the upgrade fails on one device, only that device is reverted.
This feature is not supported for patches or for upgrades from Version 6.6 and earlier.

Revert or Uninstall the Upgrade


If an upgrade succeeds but the system does not function to your expectations, you may be able to revert or
uninstall:
• Revert is supported for major and maintenance upgrades to threat defense, regardless of manager.
• Uninstall is supported for patches to threat defense with management center. You can also uninstall
management center patches.

If this will not work for you and you still need to return to an earlier version, you must reimage. For guidelines,
limitations, and procedures, see the upgrade guide for the version of the management center/device manager
you are currently running.

Traffic Flow and Inspection


Device upgrades (software and operating system) affect traffic flow and inspection. Schedule maintenance
windows when this will have the least impact.

Traffic Flow and Inspection for FXOS Upgrades


Upgrading FXOS reboots the chassis. Even in high availability/scalability deployments, you upgrade FXOS
on each chassis independently. To minimize disruption, upgrade one chassis at a time.


Table 17: Traffic Flow and Inspection: FXOS Upgrades

Standalone
  Traffic: Dropped.

High availability
  Traffic: Unaffected. Method (best practice): Update FXOS on the standby, switch active peers, upgrade the new standby.
  Traffic: Dropped until one peer is online. Method: Upgrade FXOS on the active peer before the standby is finished upgrading.

Inter-chassis cluster
  Traffic: Unaffected. Method (best practice): Upgrade one chassis at a time so at least one module is always online.
  Traffic: Dropped until at least one module is online. Method: Upgrade chassis at the same time, so all modules are down at some point.

Intra-chassis cluster (Firepower 9300 only)
  Traffic: Passed without inspection. Method: Hardware bypass enabled (Bypass: Standby or Bypass-Force).
  Traffic: Dropped until at least one module is online. Method: Hardware bypass disabled (Bypass: Disabled).
  Traffic: Dropped until at least one module is online. Method: No hardware bypass module.

Traffic Flow and Inspection for Threat Defense Upgrades with Management Center
Software Upgrades for Standalone Devices
Devices operate in maintenance mode while they upgrade. Entering maintenance mode at the beginning of
the upgrade causes a 2-3 second interruption in traffic inspection. Interface configurations determine how a
standalone device handles traffic both then and during the upgrade.

Table 18: Traffic Flow and Inspection: Software Upgrades for Standalone Devices

Firewall interfaces: Routed or switched including EtherChannel, redundant, subinterfaces. Switched interfaces are also known as bridge group or transparent interfaces.
  Dropped.
  For bridge group interfaces on the ISA 3000 only, you can use a FlexConfig policy to configure hardware bypass for power failure. This causes traffic to drop during software upgrades but pass without inspection while the device completes its post-upgrade reboot.


IPS-only interfaces: Inline set, hardware bypass force-enabled (Bypass: Force).
  Passed without inspection until you either disable hardware bypass, or set it back to standby mode.

IPS-only interfaces: Inline set, hardware bypass standby mode (Bypass: Standby).
  Dropped during the upgrade, while the device is in maintenance mode. Then, passed without inspection while the device completes its post-upgrade reboot.

IPS-only interfaces: Inline set, hardware bypass disabled (Bypass: Disabled).
  Dropped.

IPS-only interfaces: Inline set, no hardware bypass module.
  Dropped.

IPS-only interfaces: Inline set, tap mode.
  Egress packet immediately, copy not inspected.

IPS-only interfaces: Passive, ERSPAN passive.
  Uninterrupted, not inspected.

Software Upgrades for High Availability/Scalability


You should not experience interruptions in traffic flow or inspection while upgrading high availability or
clustered devices. For high availability pairs, the standby device upgrades first. The devices switch roles, then
the new standby upgrades.
For clusters, the data security module or modules upgrade first, then the control module. During the control
security module upgrade, although traffic inspection and handling continues normally, the system stops logging
events. Events for traffic processed during the logging downtime appear with out-of-sync timestamps after
the upgrade is completed. However, if the logging downtime is significant, the system may prune the oldest
events before they can be logged.
Note that hitless upgrades are not supported for single-unit clusters. Interruptions to traffic flow and inspection
depend on interface configurations of the active unit, just as with standalone devices.

Software Revert (Major/Maintenance Releases)


You should expect interruptions to traffic flow and inspection during revert, even in a high
availability/scalability deployment. This is because revert is more successful when all units are reverted
simultaneously. Simultaneous revert means that interruptions to traffic flow and inspection depend on interface
configurations only, as if every device were standalone.

Software Uninstall (Patches)


For standalone devices, interruptions to traffic flow and inspection during patch uninstall are the same as for
upgrade. In high availability/scalability deployments, you must explicitly plan an uninstall order that minimizes
disruption. This is because you uninstall patches from devices individually, even those that you upgraded as
a unit.

Deploying Configuration Changes


Restarting the Snort process briefly interrupts traffic flow and inspection on all devices, including those
configured for high availability/scalability. Interface configurations determine whether traffic drops or passes

without inspection during the interruption. When you deploy without restarting Snort, resource demands may
result in a small number of packets dropping without inspection.
Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during
other deployments unless, before deploying, you modify specific policy or device configurations.

Table 19: Traffic Flow and Inspection: Deploying Configuration Changes

Firewall interfaces: Routed or switched including EtherChannel, redundant, subinterfaces. Switched interfaces are also known as bridge group or transparent interfaces.
  Dropped.

IPS-only interfaces: Inline set, Failsafe enabled or disabled.
  Passed without inspection. A few packets might drop if Failsafe is disabled and Snort is busy but not down.

IPS-only interfaces: Inline set, Snort Fail Open: Down: disabled.
  Dropped.

IPS-only interfaces: Inline set, Snort Fail Open: Down: enabled.
  Passed without inspection.

IPS-only interfaces: Inline set, tap mode.
  Egress packet immediately, copy not inspected.

IPS-only interfaces: Passive, ERSPAN passive.
  Uninterrupted, not inspected.

Traffic Flow and Inspection for Threat Defense Upgrades with Device Manager
Software Upgrades
Traffic is dropped while you upgrade. In a high availability deployment, you can minimize disruption by
upgrading devices one at a time.
For the ISA 3000 only, if you configured hardware bypass for power failure, traffic is dropped during the
upgrade but is passed without inspection while the device completes its post-upgrade reboot.

Software Revert (Major/Maintenance Releases)


Traffic is dropped while you revert. In a high availability deployment, revert is more successful when you
revert both units simultaneously. Traffic flow and inspection resume when the first unit comes back online.

Deploying Configuration Changes


Restarting the Snort process briefly interrupts traffic flow and inspection on all devices, including those
configured for high availability. When you deploy without restarting Snort, resource demands may result in
a small number of packets dropping without inspection.


Snort typically restarts during the first deployment immediately after the upgrade. It does not restart during
other deployments unless, before deploying, you modify specific policy or device configurations.

Time and Disk Space Tests


For reference purposes, we provide reports of in-house time and disk space tests for management center and
device software upgrades.

Time Tests
We report the slowest tested time of all software upgrades tested on a particular platform/series. Your upgrade
will likely take longer than the provided times for multiple reasons, as explained in the following table. We
recommend you track and record your own upgrade times so you can use them as future benchmarks.

Caution Do not make or deploy configuration changes during upgrade. Even if the system appears inactive, do not
manually reboot or shut down. In most cases, do not restart an upgrade in progress. You could place the system
in an unusable state and require a reimage. If you encounter issues with the upgrade, including a failed upgrade
or unresponsive appliance, see Unresponsive Upgrades, on page 42.

Table 20: Time Test Conditions for Software Upgrades

Deployment
  Times for device upgrades are from tests in management center deployments. Raw upgrade times for remotely and locally managed devices are similar, given similar conditions.

Versions
  For major and maintenance releases, we test upgrades from all eligible previous major versions. For patches, we test upgrades from the base version. Upgrade time usually increases if your upgrade skips versions.

Models
  In most cases, we test on the lowest-end models in each series, and sometimes on multiple models in a series.

Virtual appliances
  We test with the default settings for memory and resources. However, note that upgrade time in virtual deployments is highly hardware dependent.

High availability/scalability
  Unless otherwise noted, we test on standalone devices.
  In a high availability or clustered configuration, devices upgrade one at a time to preserve continuity of operations, with each device operating in maintenance mode while it upgrades. Upgrading a device pair or entire cluster, therefore, takes longer than upgrading a standalone device.

Configurations
  We test on appliances with minimal configurations and traffic load.
  Upgrade time can increase with the complexity of your configurations, size of event databases, and whether/how those things are affected by the upgrade. For example, if you use a lot of access control rules and the upgrade needs to make a backend change to how those rules are stored, the upgrade can take longer.

Cisco Secure Firewall Threat Defense Release Notes, Version 7.2


47
Upgrade Guidelines
Time and Disk Space for Version 7.2.4

Condition Details

Components We report times for the software upgrade itself and the subsequent reboot only.
This does not include time for operating system upgrades, transferring upgrade
packages, readiness checks, VDB and intrusion rule (SRU/LSP) updates, or
deploying configurations.

Disk Space Tests


We report the most disk space used of all software upgrades tested on a particular platform/series. This includes
the space needed to copy the upgrade package to the device.
We also report the space needed on the management center (in either /Volume or /var) for the device upgrade
package. If you have an internal server for threat defense upgrade packages, or if you are using device manager,
ignore those values.
When we report disk space estimates for a particular location (for example, /var or /ngfw), we are reporting
the disk space estimate for the partition mounted in that location. On some platforms, these locations may be
on the same partition.
Without enough free disk space, the upgrade fails.

Table 21: Checking Disk Space

Platform
    Command

Management Center
    Choose System > Monitoring > Statistics and select the management center. Under Disk Usage, expand the By
    Partition details.

Threat Defense with management center
    Choose System > Monitoring > Statistics and select the device you want to check. Under Disk Usage, expand the
    By Partition details.

Threat Defense with device manager
    Use the show disk CLI command.

Time and Disk Space for Version 7.2.4


Table 22: Time and Disk Space for Version 7.2.4

Platform                                  Space in /Volume        Space in /            Space on Mgmt Ctr   Upgrade Time   Reboot Time

Management Center
  from Version 6.6–6.7                    18.9 GB in /var         20 MB in /            —                   38 min         9 min
  from Version 7.0–7.2                    21.1 GB in /Volume      22 MB in /
Management Center Virtual: VMware
  from Version 6.6–6.7                    20.6 GB in /var         23 MB in /            —                   39 min         6 min
  from Version 7.0–7.2                    20.2 GB in /Volume      15 MB in /
Firepower 1000 series                     —                       8.0 GB in /ngfw       930 MB              19 min         28 min
Firepower 2100 series                     —                       7.9 GB in /ngfw       1.0 GB              13 min         15 min
Secure Firewall 3100 series               —                       9.1 GB in /ngfw       1.2 GB              9 min          22 min
Firepower 4100 series                     —                       7.6 GB in /ngfw       880 MB              11 min         10 min
Firepower 4100 series container instance  —                       8.4 GB in /ngfw       880 MB              17 min         10 min
Firepower 9300                            —                       7.7 GB in /ngfw       880 MB              11 min         11 min
ISA 3000
  from Version 6.6                        3.6 GB in /home         956 KB in /ngfw       1.0 GB              27 min         44 min
  from Version 6.7                        5.5 GB in /ngfw/Volume  208 KB in /ngfw
  from Version 7.0–7.2                    5.3 GB in /ngfw/var     360 MB in /ngfw/bin
Threat Defense Virtual: VMware
  from Version 6.6                        4.3 GB in /home         928 KB in /ngfw       1.0 GB              19 min         8 min
  from Version 6.7                        4.1 GB in /ngfw/Volume  212 KB in /ngfw
  from Version 7.0–7.2                    6.6 GB in /ngfw/var     330 MB in /ngfw/bin

Time and Disk Space for Version 7.2.3.1


Version 7.2.3.1 is available for the management center only.

Table 23: Time and Disk Space for Version 7.2.3.1

Platform                                  Space in /Volume        Space in /            Space on Mgmt Ctr   Upgrade Time   Reboot Time

Management Center                         2.0 GB in /Volume       22 MB in /            —                   19 min         6 min
Management Center Virtual: VMware         2.0 GB in /Volume       15 MB in /            —                   27 min         6 min

Time and Disk Space for Version 7.2.3


Table 24: Time and Disk Space for Version 7.2.3

Platform                                  Space in /Volume        Space in /            Space on Mgmt Ctr   Upgrade Time   Reboot Time

Management Center                         23.6 GB in /var         22 MB in /            —                   37 min         9 min
Management Center Virtual: VMware         19.5 GB in /var         23 MB in /            —                   43 min         5 min
Firepower 1000 series                     —                       9.4 GB in /ngfw       930 MB              18 min         18 min
Firepower 2100 series                     —                       7.9 GB in /ngfw       1.0 GB              12 min         17 min
Secure Firewall 3100 series               —                       11.5 GB in /ngfw      1.2 GB              10 min         21 min
Firepower 4100 series                     —                       8.0 GB in /ngfw       880 MB              13 min         9 min
Firepower 4100 series container instance  —                       8.5 GB in /ngfw       880 MB              14 min         7 min
Firepower 9300                            —                       7.8 GB in /ngfw       880 MB              14 min         11 min
ISA 3000
  from Version 6.6                        5.1 GB in /home         952 KB in /ngfw       1.0 GB              27 min         90 min
  from Version 6.7                        350 MB in /ngfw/Volume  208 KB in /ngfw
  from Version 7.0–7.2                    5.2 GB in /ngfw/var     350 MB in /ngfw/bin
Threat Defense Virtual: VMware
  from Version 6.6                        4.6 GB in /home         948 KB in /ngfw       1.0 GB              12 min         7 min
  from Version 6.7                        5.7 GB in /ngfw/Volume  208 KB in /ngfw
  from Version 7.0–7.2                    6.1 GB in /ngfw/var     330 MB in /ngfw/bin

Time and Disk Space for Version 7.2.2


Table 25: Time and Disk Space for Version 7.2.2

Platform                                  Space in /Volume        Space in /            Space on Mgmt Ctr   Upgrade Time   Reboot Time

Management Center
  from Version 6.6–6.7                    18.7 GB in /var         19.6 MB in /          —                   39 min         18 min
  from Version 7.0–7.2                    22.6 GB in /Volume      21.5 MB in /
Management Center Virtual: VMware
  from Version 6.6–6.7                    20.7 GB in /var         22.6 MB in /          —                   40 min         6 min
  from Version 7.0–7.2                    24.1 GB in /Volume      15.5 MB in /
Firepower 1000 series                     —                       8.6 GB in /ngfw       930 MB              17 min         17 min
Firepower 2100 series                     —                       9.0 GB in /ngfw       1.0 GB              13 min         16 min
Secure Firewall 3100 series               —                       10.2 GB in /ngfw      1.2 GB              9 min          22 min
Firepower 4100 series                     —                       8.1 GB in /ngfw       880 MB              13 min         11 min
Firepower 4100 series container instance  —                       8.5 GB in /ngfw       880 MB              15 min         9 min
Firepower 9300                            —                       8.2 GB in /ngfw       880 MB              13 min         12 min
ISA 3000
  from Version 6.6                        5.4 GB in /home         960 KB in /ngfw       1.0 GB              27 min         17 min
  from Version 6.7                        5.1 GB in /ngfw/Volume  208 KB in /ngfw
  from Version 7.0–7.2                    5.2 GB in /ngfw/var     350 MB in /ngfw/bin
Threat Defense Virtual: VMware
  from Version 6.6                        5.6 GB in /home         948 KB in /ngfw       1.0 GB              12 min         11 min
  from Version 6.7                        5.7 GB in /ngfw/Volume  208 KB in /ngfw
  from Version 7.0–7.2                    6.5 GB in /ngfw/var     350 MB in /ngfw/bin

Time and Disk Space for Version 7.2.1


Table 26: Time and Disk Space for Version 7.2.1

Platform                                  Space in /Volume        Space in /            Space on Mgmt Ctr   Upgrade Time   Reboot Time

Management Center
  from Version 6.6–6.7                    20.8 GB in /var         20 MB in /            —                   39 min         18 min
  from Version 7.0–7.2                    22.7 GB in /Volume      22 MB in /
Management Center Virtual: VMware
  from Version 6.6–6.7                    20.6 GB in /var         23 MB in /            —                   42 min         7 min
  from Version 7.0–7.2                    23.9 GB in /Volume      23 MB in /
Firepower 1000 series                     —                       8.4 GB in /ngfw       930 MB              17 min         17 min
Firepower 2100 series                     —                       7.9 GB in /ngfw       1.0 GB              12 min         16 min
Secure Firewall 3100 series               —                       10.0 GB in /ngfw      1.2 GB              9 min          22 min
Firepower 4100 series                     —                       8.7 GB in /ngfw       880 MB              12 min         9 min
Firepower 4100 series container instance  —                       8.4 GB in /ngfw       880 MB              15 min         7 min
Firepower 9300                            —                       8.3 GB in /ngfw       880 MB              13 min         11 min
ISA 3000
  from Version 6.6                        5.7 GB in /home         224 KB in /ngfw       1.0 GB              27 min         16 min
  from Version 6.7                        5.6 GB in /ngfw/Volume  196 KB in /ngfw
  from Version 7.0–7.2                    6.3 GB in /ngfw/var     350 MB in /ngfw/bin
Threat Defense Virtual: VMware
  from Version 6.6                        5.7 GB in /home         228 KB in /ngfw       1.0 GB              13 min         9 min
  from Version 6.7                        5.9 GB in /ngfw/Volume  188 KB in /ngfw
  from Version 7.0–7.2                    6.7 GB in /ngfw/var     330 MB in /ngfw/bin

Time and Disk Space for Version 7.2.0.1


Table 27: Time and Disk Space for Version 7.2.0.1

Platform                                  Space in /Volume        Space in /            Space on Mgmt Ctr   Upgrade Time   Reboot Time

Management Center                         59 MB in /Volume        22 MB in /            —                   7 min          7 min
Management Center Virtual: VMware         61 MB in /Volume        15 MB in /            —                   10 min         4 min
Firepower 1000 series                     —                       1.2 GB in /ngfw       250 MB              7 min          10 min
Firepower 2100 series                     —                       1.2 GB in /ngfw       300 MB              5 min          10 min
Secure Firewall 3100 series               —                       2.1 GB in /ngfw       490 MB              9 min          4 min
Firepower 4100 series                     —                       1.1 GB in /ngfw       51 MB               5 min          7 min
Firepower 4100 series container instance  —                       1.1 GB in /ngfw       51 MB               5 min          3 min
Firepower 9300                            —                       1.1 GB in /ngfw       51 MB               4 min          9 min
ISA 3000                                  630 MB in /ngfw/var     180 MB in /ngfw/bin   56 MB               9 min          12 min
Threat Defense Virtual: VMware            660 MB in /ngfw/var     170 MB in /ngfw/bin   56 MB               4 min          4 min

Time and Disk Space for Version 7.2.0


Table 28: Time and Disk Space for Version 7.2.0

Platform                                  Space in /Volume        Space in /            Space on Mgmt Ctr   Upgrade Time   Reboot Time

Management Center
  from Version 6.6–6.7                    16.7 GB in /var         51 MB in /            —                   30 min         9 min
  from Version 7.0–7.1                    19.1 GB in /Volume      45 MB in /
Management Center Virtual: VMware
  from Version 6.6–6.7                    16.7 GB in /var         50 MB in /            —                   30 min         5 min
  from Version 7.0–7.1                    19.2 GB in /Volume      45 MB in /
Firepower 1000 series                     —                       7.6 GB in /ngfw       930 MB              15 min         13 min
Firepower 2100 series                     —                       7.7 GB in /ngfw       1.0 GB              13 min         13 min
Secure Firewall 3100 series               —                       not available         1.2 GB              not available  not available
Firepower 4100 series                     —                       7.8 GB in /ngfw       880 MB              12 min         9 min
Firepower 4100 series container instance  —                       7.9 GB in /ngfw       880 MB              12 min         8 min
Firepower 9300                            —                       11.2 GB in /ngfw      880 MB              11 min         12 min
ISA 3000
  from Version 6.6                        9.3 GB in /home         270 KB in /ngfw       1.0 GB              21 min         8 min
  from Version 6.7                        9.3 GB in /ngfw/Volume  270 KB in /ngfw
  from Version 7.0–7.1                    9.3 GB in /ngfw/var     270 KB in /ngfw/bin
Threat Defense Virtual: VMware
  from Version 6.6                        4.6 GB in /home         350 KB in /ngfw       1.0 GB              11 min         8 min
  from Version 6.7                        4.4 GB in /ngfw/Volume  350 KB in /ngfw
  from Version 7.0–7.1                    5.4 GB in /ngfw/var     250 KB in /ngfw/bin

CHAPTER 5
Install the Software
If you cannot or do not want to upgrade to Version 7.2, you can freshly install major and maintenance releases.
This is also called reimaging. We do not provide installation packages for patches. To run a particular patch,
install the appropriate major or maintenance release, then apply the patch.
• Installation Guidelines, on page 55
• Installation Guides, on page 57

Installation Guidelines
These guidelines can prevent common reimage issues, but are not comprehensive. For detailed checklists and
procedures, see the appropriate installation guide.

Backups
Before you reimage, we strongly recommend you back up to a secure remote location and verify transfer
success. Reimaging returns most settings to factory defaults, including the system password. It deletes any
backups left on the appliance.

Note If you reimage in order to avoid upgrading, version restrictions mean you cannot use a backup to import your
old configurations. You must recreate your configurations manually.

Appliance Access
If you do not have physical access to an appliance, reimaging to the current major or maintenance release lets
you keep management network settings. This allows you to connect to the appliance after you reimage to
perform the initial configuration. Note that if you delete network settings or if you reimage to an earlier release,
you must have physical access to the appliance. You cannot use Lights-Out Management (LOM).
For devices, make sure traffic from your location does not have to traverse the device itself to access the
device's management interface. In management center deployments, you should also be able to access the
management center's management interface without traversing the device.


Unregistering from Smart Software Manager


Before you reimage any appliance or switch device management, you may need to unregister from the Cisco
Smart Software Manager (CSSM). This is to avoid accruing orphan entitlements, which can prevent you from
reregistering.
Unregistering removes an appliance from your virtual account, unregisters it from the cloud and cloud services,
and releases associated licenses so they can be reassigned. When you unregister an appliance, it enters
Enforcement mode. Its current configuration and policies continue to work as-is, but you cannot make or
deploy any changes.
If you plan to restore from backup, do not unregister before you reimage and do not remove devices from the
management center. Instead, manually revert any licensing changes made since you took the backup. After
the restore completes, reconfigure licensing. If you notice licensing conflicts or orphan entitlements, contact
Cisco TAC.

Table 29: Scenarios for Unregistering from CSSM (Not Restoring from Backup)

Scenario                                                          Action

Reimage the management center.                                    Unregister manually.
Model migration for the management center.                        Unregister manually, before you shut down the source management center.
Reimage threat defense with management center.                    Unregister automatically, by removing the device from the management center.
Reimage threat defense with device manager.                       Unregister manually.
Switch threat defense from management center to device manager.   Unregister automatically, by removing the device from the management center.
Switch threat defense from device manager to management center.   Unregister manually.

Removing Devices from the Management Center


In management center deployments, if you plan to manually configure the reimaged appliance, remove devices
from the management center before you reimage either. If you plan to restore from backup, you do not need
to do this.

Table 30: Scenarios for Removing Devices from the Management Center (Not Restoring from Backup)

Scenario                                                          Action

Reimage the management center.                                    Remove all devices from management.
Reimage threat defense.                                           Remove the one device from management.
Switch threat defense from management center to device manager.   Remove the one device from management.


Fully Reimaging Threat Defense Hardware to Downgrade FXOS


For threat defense hardware models that use the FXOS operating system, reimaging to an earlier software
version may require a full reimage, regardless of whether FXOS is bundled with the software or upgraded
separately.

Table 31: Scenarios for Full Reimages

Model
    Details

Firepower 1000 series, Firepower 2100 series, Secure Firewall 3100 series
    If you use the erase configuration method to reimage, FXOS may not downgrade along with the software. This can
    cause failures, especially in high availability deployments. We recommend that you perform full reimages of these
    devices.

Firepower 4100/9300
    Reverting threat defense does not downgrade FXOS.
    For the Firepower 4100/9300, major threat defense versions have a specially qualified and recommended companion
    FXOS version. After you return to the earlier version of threat defense, you may be running a non-recommended
    version of FXOS (too new).
    Although newer versions of FXOS are backwards compatible with older threat defense versions, we do perform
    enhanced testing for the recommended combinations. You cannot manually downgrade FXOS, so if you find yourself
    in this situation and you want to run a recommended combination, you will need a full reimage.

Installation Guides
Table 32: Installation Guides

Platform                        Guide

Management Center
  FMC 1600, 2600, 4600          Cisco Firepower Management Center 1600, 2600, and 4600 Getting Started Guide
  Management Center Virtual     Cisco Secure Firewall Management Center Virtual Getting Started Guide

Threat Defense
  Firepower 1000/2100 series and Secure Firewall 3100 series
                                Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide
                                Cisco FXOS Troubleshooting Guide for the Firepower 1000/2100 and Secure Firewall 3100 with
                                Firepower Threat Defense
  Firepower 4100/9300           Cisco Firepower 4100/9300 FXOS Configuration Guides: Image Management chapters
                                Cisco Firepower 4100 Getting Started Guide
                                Cisco Firepower 9300 Getting Started Guide
  ISA 3000                      Cisco Secure Firewall ASA and Secure Firewall Threat Defense Reimage Guide
  Threat Defense Virtual        Cisco Secure Firewall Threat Defense Virtual Getting Started Guide

CHAPTER 6
Open and Resolved Bugs
This document lists open and resolved bugs for Version 7.2 devices and customer-deployed management
centers.
For cloud-delivered Firewall Management Center bugs, see the Cisco Cloud-Delivered Firewall Management
Center Release Notes.

Important Bug lists are auto-generated once and may not be subsequently updated. If updated, the 'table last updated'
date does not mean that the list was fully accurate on that date—only that some change was made. Depending
on how and when a bug was categorized or updated in our system, it may not appear in the release notes. We
also do not list open bugs for maintenance releases or patches. If you have a support contract, you can obtain
up-to-date bug lists with the Cisco Bug Search Tool.

• Open Bugs, on page 59
• Resolved Bugs, on page 60

Open Bugs
Open Bugs in Version 7.2.0
Table last updated: 2022-11-02

Table 33: Open Bugs in Version 7.2.0

Bug ID Headline

CSCwb43433 Jumbo frame performance has degraded up to -45% on Firepower 2100 series

CSCwb78233 7.2.0 1984 Nutanix vFMC not accessible after upgrade from 7.1.0

CSCwb80789 TLS 1.3 connections to sites previously decrypted may fail

CSCwb87724 Evicted units re-joined existing Cluster but not listed on Control and other evicted
vFTD Cluster

CSCwb88887 snp_fp_vxlan_encap_and_grp_send_common: failed to find adj. bp->l3_type = 8, inner_sip message

CSCwb89905 vFTD installed with JF but still FMC shows info about JF getting enabled and to reboot
vFTD

CSCwb90105 Upgrade to 7.2 on FTDv for Nutanix is stuck after reboot

CSCwb96990 Early data may cause xtls to not wait for probe response

CSCwb97486 FPR3100: 25G optic may show link up on some 1/10G capable only fiber ports

CSCwb99960 onPremFMC with only CDO Managed devices registered, Malware Event pages shows
license warning

Resolved Bugs
Resolved Bugs in Version 7.2.4
Table last updated: 2023-05-10

Table 34: Resolved Bugs in Version 7.2.4

Bug ID Headline

CSCvq20057 Improve logging of Secure Firewall (Firepower) backups and retry for gzip when using
remote storage

CSCvq25866 Flex config Preview of $SYS_FW_ENABLED_INSPECT_PROTOCOL_LIST throws error

CSCvq70838 Traceback in the output of tail-logs command

CSCvu24703 FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS)

CSCvv18009 Performing packet trace using the sub-interface nameif results in an error

CSCvw90399 FMC HA issues with too many open file descriptors for sfipproxy UDP conn

CSCvx24207 FQDN Object Containing IPv4 and IPv6 Addresses Only Install IPv6 Entries

CSCvx55978 Performance Degradation in GetGroupDependency API

CSCvx65032 FMC ACL Search Move arrows do not work

CSCvx67856 Prometheus process doesn't come up when system ungracefully rebooted

CSCvx68173 Observed few snort instances stuck at 100%

CSCvx71936 FXOS: Fault "The password encryption key has not been set." displayed on FPR1000
and FPR2100 devices

CSCvx75441 File list preview: Deleting two list having few similar contents throws stacktrace on
FMC-UI

CSCvx86569 Access Control Rule - Comment disappears if clicked to another tab before saving the
comment.

CSCvy38650 Unable to download captured file from FMC Captured files UI

CSCvy45048 Subsystem query parameter not filtering records for "auditrecords" restapi

CSCvz07004 SNORT2: FTD is performing Full proxy even when SSL rule has DND action.

CSCvz07712 Deployment fails with internal_errors - Cannot get fresh id

CSCvz19364 FXOS does not send any syslog messages when the duplex changes to "Half Duplex"

CSCvz34289 In some cases transition to lightweight proxy doesn't work for Do Not Decrypt flows

CSCvz36903 ASA traceback and reload while allocating a new block for cluster keepalive packet

CSCvz40586 Incorrect error when creating two RA-VPN profiles with different SAML servers that
have the same IDP

CSCvz41551 FP2100: ASA/FTD with threat-detection statistics may traceback and reload in Thread
Name 'lina'

CSCvz42065 IPS policy should be imported when its referred in Access Control policy

CSCvz71596 "Number of interfaces on Active and Standby are not consistent" should trigger warning
syslog

CSCvz77213 41xx FTD: show ntp shows managing DC even though NTP sync is done via FXOS

CSCvz94841 Grammatical errors in failover operating mode mismatch error message

CSCwa04262 Cisco ASA Software SSL VPN Client-Side Request Smuggling Vulnerability via
"/"URI

CSCwa16626 Syslog over TLS accepting wildcard in middle of FQDN

CSCwa36535 Standby unit failed to join failover due to large config size.

CSCwa59907 LINA observed traceback on thread name "snmp_client_callback_thread"

CSCwa72481 API key corrupted for FMC with multiple interfaces

CSCwa72929 SNMPv3 polling may fail using privacy algorithms AES192/AES256

CSCwa74063 Disable NLP rules installation workaround after mgmt-access into NLP is enabled

CSCwa82850 ASA Failover does not detect context mismatch before declaring joining node as
"Standby ready"

CSCwa83133 FMC showing "INVALID ID" under "Traffic by User" Widget but error not seen on
Connection Events

CSCwa89116 Clean up session index handling in IKEv2/SNMP/Session-mgr for MIB usage

CSCwa92822 TLS client in the sftunnel TLS tunnel offers curves in CC mode that are not allowed
by CC

CSCwa94440 syncd process exits due to invalid GID and database synchronization issue

CSCwa96920 ASA/FTD may traceback and reload in process Lina

CSCwa97917 ISA3000 in boot loop after powercycle

CSCwb00749 FMC upgrade failure: 114_DB_table_data_integrity_check.pl failed

CSCwb00871 ENH: Reduce latency in log_handler_file to reduce watchdog under scale or stress

CSCwb02955 Modify /800_post/1027_ldap_external_auth_fix.pl to not fail FMC upgrade when objects are corrupt

CSCwb03704 ASA/FTD datapath threads may run into deadlock and generate traceback

CSCwb04000 ASA/FTD: DF bit is being set on packets routed into VTI

CSCwb04975 FTD Snort3 traceback in daq-pdts while handling FQDN based traffic

CSCwb05291 Cisco ASDM and ASA Software Client-side Arbitrary Code Execution Vulnerability

CSCwb09606 FP2100: ASA/FTD high availability is not resilient to unexpected lacp process
termination

CSCwb17362 Losing ssh connection while copying huge file to device though device has enough
space.

CSCwb20206 FTD: Logs and Debugs for SSL/TLS traffic drop due to NAP in Detection Mode

CSCwb31551 When inbound packet contains SGT header, FPR2100 cannot distribute properly per
5 tuple

CSCwb32107 FMC shows limited interfaces in policy-based routing config (egress interface selection)

CSCwb38961 Bootstrap After Upgrade failed due to Duplicate Key of Network Object

CSCwb43433 Jumbo frame performance has degraded up to -45% on Firepower 2100 series

CSCwb44848 ASA/FTD Traceback and reload in Process Name: lina

CSCwb57213 FTD - Unable to resolve DNS when only diagnostic interface is used for DNS lookups

CSCwb57524 FTD upgrade fails - not enough disk space from old FXOS bundles in distributables
partition

CSCwb58007 CVE-2022-28199: Evaluation for FTDv and ASAv

CSCwb58554 Resumed SSL sessions with uncached tickets may fail to complete

CSCwb58817 FMC Deploying negative and positive form of BGP password command across
deployments

CSCwb60993 FDM Need to block the deployment when a Security zone object is not associated with
an interface

CSCwb66382 ASAv - 9344 Block not created automatically after enabling JumboFrames, breaks
OSPF MD5

CSCwb68993 FTD/FDM: SSL connections to sites using RSA certs with 3072 bit keys may fail

CSCwb78323 Update diskmanager to monitor cisco_uridb files in /ngfw/var/sf/cloud_download folder.

CSCwb80108 FP2100/FP1000: Built-in RJ45 ports randomly not coming up after portmanager restart
events

CSCwb84901 CIAM: heimdal 1.0.1

CSCwb86171 Breaking FMCv HA in AWS gives VTEP CONFIGURATION IS NOT SUPPORTED FOR CURRENT PERFORMANCE TIER alert

CSCwb88406 FMC-HA upgrade failure due to presence of this file "update.status"

CSCwb88729 FTD - %FTD-3-199015: port-manager: Error: DOM Block Read failure, port X, st =
X log false/positive

CSCwb89963 ASA Traceback & reload in thread name: Datapath

CSCwb91598 copying FMC backup to remote storage will fail if FMC has never connected via
SSH/SCP to remote host

CSCwb92937 Error 403: Forbidden when expanding in view group objects

CSCwb99375 Config sync fails for command "quit"

CSCwb99960 onPremFMC with only CDO Managed devices registered, Malware Event pages shows
license warning

CSCwc00115 FTD registration fails on on-prem FMC

CSCwc02488 ASA/FTD may traceback and reload in Thread Name 'None'

CSCwc03069 Interface internal data0/0 is up/up from cli but up/down from SNMP polling

CSCwc03332 FTD on FP2100 can take over as HA active unit during reboot process

CSCwc03393 Lina traceback and core file size is beyond 40G and compression fails on FTD

CSCwc03507 No-buffer drops on Internal Data interfaces despite little evidence of CPU hog

CSCwc04959 Disk usage is 100% on secondary FMC .dmp files created utilized all the disk space

CSCwc05375 AnyConnect SAML - Client Certificate Prompt incorrectly appears within External
Browser

CSCwc05434 FMC shows 'File Not Stored' after download a file

CSCwc06833 Deployment failure with ERROR Process Manager failed to verify LSP ICDB

CSCwc07262 Standby ASA goes to booting loop during configuration replication after upgrade to
9.16(3).

CSCwc08374 Azure ASA NIC MAC address for Gigeth 0/1 and 0/2 become out of order when adding
interfaces

CSCwc08646 User without password prompted to change password when logged in from SSH Client

CSCwc08683 The interface's LED remains green blinking when the optical fiber is unplugged on
FPR1150

CSCwc10145 FTDv Cluster unit not re-joining cluster with error msg "Failed to open NLP SSL
listening socket"

CSCwc10241 Temporary HA split-brain following upgrade or device reboot

CSCwc10483 ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread

CSCwc11511 FTD: SNMP failures after upgrade to 7.0.2

CSCwc11597 ASA tracebacks after SFR was upgraded to 6.7.0.3

CSCwc13017 FTD/ASA traceback and reload at ../inspect/proxy.h:439

CSCwc18285 Conn data-rate command can be enabled or disabled in unprivileged user EXEC mode

CSCwc18524 ASA/FTD Voltage information is missing in the command "show environment"

CSCwc18668 Failed user login on FMC does not record entry in audit log when using external
authentication

CSCwc19124 FMC Deployment does not start for cluster devices

CSCwc20153 IPv6 ICMP configuration is added and removed during policy deployment

CSCwc22170 Issue with snort perfstat parsing / Hmdeamon not starting after disk full reported

CSCwc23113 LTP feature not working on KP ASA with 9.18

CSCwc23844 ASAv high CPU and stack memory allocation errors despite over 30% free memory

CSCwc24582 Update diskmanager to monitor deploy directories in /ngfw/var/cisco/deploy/db

CSCwc24906 ASA/FTD traceback and reload on Thread id: 1637

CSCwc25683 JOBS_TABLE not getting purged if deployReports not available

CSCwc26406 FMC: Slowness in Device management page

CSCwc26538 With scaled EFD throttle connections, de-throttle using clear efd-throttle command
traceback lina

CSCwc26648 ASA/FTD Traceback and Reload in Thread name Lina or Datapath

CSCwc27236 FMC Health Monitoring JSON error

CSCwc27424 Unable to remove unused SAL On-Premise FMC configuration

CSCwc27846 Traceback and Reload while HA sync after upgrading and reloading.

CSCwc28334 Cisco ASA and FTD Software RSA Private Key Leak Vulnerability

CSCwc28532 9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow
processing

CSCwc28684 MI hangs and not responding when FTD container instance is reloaded

CSCwc28806 ASA Traceback and Reload on process name Lina

CSCwc28928 ASA: SLA debugs not showing up on VTY sessions

CSCwc31163 FPR1010 upgrade failed - Error running script 200_pre/100_get_snort_from_dc.pl

CSCwc31457 ASA process with cleartext token when not able to encrypt it

CSCwc32245 FMC: Validation check to prevent exponential expansion of NAT rules

CSCwc32246 NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is
used

CSCwc33036 Observed Logs at syslog server side as more than configured message limit per/sec.

CSCwc33076 JOBS_TABLE not getting purged due to foreign Key constraint violation in
policy_diff_main

CSCwc33323 FMC 7.0 - Receiving alert "health monitor process: no events received yet" for multiple
devices

CSCwc34818 The device is unregistered when Rest API calls script.

CSCwc35181 OSPF template adds "default-information-originate" to area <area-id> nssa statement on hitting OK.

CSCwc35969 cannot add IP from event to global lists (block or do-not-block) if similar IP is already
on list

CSCwc36905 ASA traceback and reload due to "Heap memory corrupted at slib_malloc.c"

CSCwc37061 SNMP: FMC doesn't reply to OID 1.3.6.1.2.1.25.3.3.1.2

CSCwc37256 SSL AnyConnect access blocked after upgrade

CSCwc37695 In addition to the c_rehash shell command injection identified in CVE-2022-1292

CSCwc38500 FMC: Extended ACL object should support mixed protocols on different entries

CSCwc38567 ASA/FTD may traceback and reload while executing SCH code

CSCwc40352 Lina Netflow sending permitted events to Stealthwatch but they are blocked by snort afterwards

CSCwc40381 ASA: HTTPS traffic authentication issue with Cut-through Proxy enabled

CSCwc41180 AWS ASAv Clustering: enabling cluster breaks ssh session

CSCwc41592 False positives for Ultrasurf

CSCwc41728 FMC - Cannot Edit Standard ACL with error regarding "Only Host objects allowed"

CSCwc42174 CIAM: mariadb - multiple versions CVE-2022-32081

CSCwc42561 Deploy page listing takes 1.5 to 2 mins with 462 HA devices

CSCwc43807 FTD is unusable post reboot if manager is deleted and FIPS is enabled

CSCwc44289 FTD - Traceback and reload when performing IPv4 <> IPv6 NAT translations

CSCwc44608 Selective deployment of IPS may cause outage due to incorrectly written FTD configuration files

CSCwc45108 ASA/FTD: GTP inspection causing 9344 sized blocks leak

CSCwc45397 ASA HA - Restore on primary does not remove new interface configuration done after backup

CSCwc45575 ASA/FTD traceback and reload when ssh using username with nopassword keyword

CSCwc45759 NTP logs will eventually overwrite all useful octeon kernel logs

CSCwc46847 FXOS partition opt_cisco_platform_logs on FP1K/FPR2K may go full due to ucssh_*.log

CSCwc47586 vFMC upgrade 7.0.4-36 > 7.3.0-1553 failed: Error running script 200_pre/007_check_sru_install.sh

CSCwc48375 Inbound IPSEC SA stuck inactive - many inbound SPIs for one outbound SPI in "show crypto ipsec sa"

CSCwc48853 SFDataCorrelator Discovery Event bottleneck can cause Connection Event delay and backlog

CSCwc49095 ASA/FTD 2100 platform traceback and reload when fragments are coalesced and sent to PDTS

CSCwc49364 mojo_server processes unnecessarily restarting during log rotation

CSCwc49369 When searching for an IPv6 rule in the access-control policy, no result is shown

CSCwc49936 FMC 7.2.0|7.3.0 Integration > Identity Sources page does not load, keeps spinning

CSCwc49942 Reload mercury when userappid.conf is modified on FMC and deploy is issued

CSCwc49952 Selective deploy enables interaction with SRU interdependent policies due to FMC API timeout

CSCwc50098 show ssl-policy-config does not show the policy when countries are used in source/dest network

CSCwc50519 Excessive logging from hm_du.pm may lead to syslog-ng process restarts

CSCwc50846 FTD Upgrade Fail - Readiness Check Successful, but Readiness status never shown

CSCwc50887 FTD - Traceback and reload on NAT IPv4<>IPv6 for UDP flow redirected over CCL link

CSCwc50891 MPLS tagging removed by FTD

CSCwc51326 FXOS-based Firepower platform showing 'no buffer' drops despite high values for RX ring watermarks

CSCwc52351 ASA/FTD Cluster Split Brain due to NAT with "any" and Global IP/range matching broadcast IP

CSCwc52357 Estreamer page fails to load in ASDM

CSCwc53280 ASA parser accepts incomplete network statement under OSPF process and is present in show run

CSCwc54217 syslog related to failover is not output on FPR2140

CSCwc54901 Scheduled tasks may not run on active FMC in HA after switchover or split-brain resolution

CSCwc54984 IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response

CSCwc56003 Trigger FTD backup with remote storage option enabled along with retrieval to FMC fails

CSCwc56048 AD username with trailing space causes download of users/groups to fail

CSCwc56952 Able to see the SLA debug logs on both console & VTY sessions even if enabled only on VTY session.

CSCwc57088 Limit the number of deployment jobs in deploy history to 50 by default to avoid slowness

CSCwc57575 FMC: Scheduled backups working fine, but FMC email alerts display them as failed.

CSCwc60037 ASA fails to rekey with IPSEC ERROR: Failed to allocate an outbound hardware context

CSCwc60907 WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 35)

CSCwc61132 KP-2130 - Observed crash with PPK configured

CSCwc61912 ASA/FTD OSPFv3 does not generate Type 8 LSA messages for IPv6

CSCwc62144 FMC does not use proxy with authentication when accessing AMP cloud services

CSCwc62384 Vulnerabilities on Cisco FTD Captive Portal on TCP port 885

CSCwc63273 SFDataCorrelator host timeout query can block event processing and cause a deadlock restart

CSCwc64333 FMC GUI timeout and issues with loading http page due to exceeded http connections

CSCwc64923 ASA/FTD may traceback and reload in Thread Name 'lina' ip routing ndbshr

CSCwc66671 FMC ACP PDF report generated blank/0 bytes using UI

CSCwc66757 ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwc67031 vti hub with NAT-T enabled pinhole connections are looping and causing snort busy drops

CSCwc67687 ASA HA failover triggers HTTP server restart failure and ASDM outage

CSCwc67886 ASA/FTD may traceback and reload in Thread Name 'lina_inotify_file_monitor_thread'

CSCwc68543 Mismatch in the config pushed from FMC and running config on FTD

CSCwc68656 ASA CLI for TCP Maximum unprocessed segments

CSCwc69583 Portchannel configured from FDM breaks "Use the Data Interfaces as the Gateway" for Mgmt interface

CSCwc69992 Essentials licenses are not assigned to the device and Edit licenses also not working

CSCwc70962 FTD/ASA "Write Standby" enables ECDSA ciphers causing AC SSLv3 handshake failure

CSCwc72155 ASA/FTD Traceback and reload on function "snp_cluster_trans_allocb"

CSCwc72284 TACACS Accounting includes an incorrect IPv6 address of the client

CSCwc73224 Call home configuration on standby device is lost after reload

CSCwc74099 FPR2140 ASA Clock Timezone reverts to UTC after appliance restart/reload

CSCwc74103 ASA/FTD may traceback and reload in Thread Name 'DATAPATH-11-32591'

CSCwc74378 FMC UI should disallow simultaneous deactivation of FMC interface management and event channels

CSCwc74841 FMC RSS Feed broken because FeedBurner is no longer active - "Unable to parse feed"

CSCwc74858 FTD - Traceback in Thread Name: DATAPATH

CSCwc75061 FMC allows shell access for user name with "." but external authentication will fail

CSCwc75082 25G-SR should default to RS-FEC (IEEE CL108) instead of FC-FEC

CSCwc76195 Fail-To-Wire interfaces flap intermittently due to watchdog timeout on Firepower 2100 platform

CSCwc77519 FPR1000 ASA/FTD: Primary takes active role after reloading

CSCwc77680 FTD may traceback and reload in Thread Name 'DATAPATH-0-4948'

CSCwc77892 CGroups errors in ASA syslog after startup

CSCwc78296 Database may fail to shut down and/or start up properly during upgrade

CSCwc79366 During deployment, device gets stuck processing the config request.

CSCwc79682 FMC 7.1+ allows ECMP FlexConfig deployment

CSCwc80234 "inspect snmp" config difference between active and standby

CSCwc80357 [Deploy Performance] degrade in deployment page on FMC

CSCwc81184 ASA/FTD traceback and reload caused by SNMP process failure

CSCwc81219 Intrusion events intermittently stop appearing in FMC when using snort3

CSCwc81727 Default Domain in VPN group policy objects cannot be deleted

CSCwc81945 Traffic on data unit gets dropped with "LU allocate xlate failed" on GCP cluster with interface NAT

CSCwc81960 Unable to configure 'match ip address' under route-map when using object-group in access list

CSCwc82124 ASA NAT rules are not working as expected after an upgrade to 9.18.2

CSCwc82188 FTD Traceback and reload when applying long capture commands from FMC UI

CSCwc83037 WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 36)

CSCwc83346 ASA/FTD Traceback and reload in Threadname: IKE Daemon

CSCwc86330 Vulnerabilities in spring-framework - multiple versions CVE-2022-22970

CSCwc86391 On slow networks with some packet loss sftunnel may mark connections as STALE

CSCwc87387 Valid DNS requests are being dropped by Lina DNS inspection when Umbrella DNS is configured

CSCwc87441 For system processes, limit the CPUs used to the number of system CPUs

CSCwc87963 ASAv "Unable to retrieve license info. Please try again later"

CSCwc88108 Prefilter policy - Available port menu long response time, Prefilter Network Search takes long time

CSCwc88425 FMC can download only the first 10000 cross-domain user groups

CSCwc88629 Group delete during realm download can cause inconsistent user_to_group map on FTD

CSCwc88897 ASA traceback and reload due to null pointer in Umbrella after modifying DNS inspection policy

CSCwc89661 FTD reboots due to heartbeat loss and "Communication with NPU lost"

CSCwc89796 ASA/FTD may traceback and reload in Thread Name 'appagent_async_client_receive_thread' hog detection

CSCwc89924 FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters

CSCwc90091 ASA 9.12(4)47 with user-statistics affects the "policy-server xxxx global" visibility.

CSCwc93166 Using write standby in a user context leaves secondary firewall license status in an invalid state

CSCwc93964 ASA using WebVPN tracebacks in Unicorn thread during memory tracking

CSCwc94085 Unable to establish DTLSv1.2 with FIPS enabled after upgrade from 6.6.5.

CSCwc94267 Cluster disabled unit getting registered as standalone in FMC and further deployment failing

CSCwc94501 ASA/FTD tracebacks due to ctm_n5 resets

CSCwc94547 Lina Traceback and reload when issuing 'debug menu fxos_parser 4'

CSCwc95290 ESP rule missing in vpn-context may cause IPSec traffic drop

CSCwc96016 Captive portal support in cross domain

CSCwc96136 CCM layer (Seq 38) WR8, LTS18, LTS21

CSCwc96726 R2130 use the Wind River CIS_LTS21_R2130 OS branch for the 7.3.0 Beta2 release.

CSCwc96780 FMC module specific health exclusion disables all health checks

CSCwc96805 traceback and reload due to tcp intercept stat in thread unicorn

CSCwc97260 Continual ngfwManager process restarts due to incomplete FMC HA device registration

CSCwc98997 FMC - Deployment blocked when ECMP route configured via same interface

CSCwc99242 ISA3000 LACP channel member SFP port suspended after reload

CSCwd00386 ASA/FTD may traceback and reload when clearing the configuration due to "snp_clear_acl_log_flow_all"

CSCwd00583 SNMP 'Confirm Community String' string is not auto-populated after the FMC upgrade

CSCwd00778 ifAdminStatus output is abnormal via snmp polling

CSCwd02864 logging/syslog is impacted by SNMP traps and logging history

CSCwd03104 Cluster status is not updated across 16 node GCP cluster

CSCwd03113 FMC local backup fails because of "Update Task: Database integrity check failed" - Syslog server issue

CSCwd03793 FTD Traceback and reload

CSCwd03810 ASA Custom login page is not working through webvpn after an upgrade

CSCwd04135 Snort3 unexpectedly dropping packets after 4MB when using file inspection with detection mode NAP

CSCwd04210 ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT

CSCwd05443 Config-dispatcher to fail the deployment immediately when download fails, instead of failing later

CSCwd05756 FTD traceback on Lina due to syslog component.

CSCwd05814 PDTS write from Daq can fail when PDTS buffer is full, eventually leading to block depletion

CSCwd06005 ASA/FTD Cluster Traceback and Reload during node leave

CSCwd07059 multiple snort3 crashes after upgrading FTD from 7.2.0 to 7.2.0.1

CSCwd07278 ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off

CSCwd08402 HTTP URI is sometimes missing from intrusion event view

CSCwd08430 Create a resiliency configuration option for SFTunnel to support HA and FTD connectivity

CSCwd09093 Access rule policy page takes longer to load

CSCwd09341 Multiple log files have zero bytes due to logrotate failure

CSCwd09870 AnyConnect SAML using external browser and round robin DNS intermittently fails

CSCwd09967 Deployment Fails with stacktrace: Invalid type (LocalIdentitySource)

CSCwd10497 FTD sensor rules missing from ngfw.rules file after a sensor backup restore execution

CSCwd10880 critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on 2100/3100 devices

CSCwd11005 Missing fqdns_old.conf file causes FTD HA app sync failure

CSCwd11165 "Move" option is greyed out on Backup-Restore in FMC

CSCwd11303 ASA might generate traceback in ikev2 process and reload

CSCwd11855 ASA/FTD may traceback and reload in Thread Name 'ikev2_fo_event'

CSCwd12334 Deployment fails with Config Error -- proxy paired

CSCwd13083 FMC - Unable to initiate deployment due to incorrect threat license validation

CSCwd13917 During download from file event on FMC, high CPU use on FMC for 20 minutes before download fails

CSCwd14688 FTD upgrade failure due to Syslog files getting generated/deleted rapidly

CSCwd14972 ASA/FTD Traceback and Reload in Thread Name: pix_flash_config_thread

CSCwd16017 Object edit slowness when it is associated with NAT rules

CSCwd16294 GTP inspection drops packets for optional IE Header Length being too short

CSCwd16517 GTP drops not always logged on buffer and syslog

CSCwd16689 ASA/FTD traceback due to block data corruption

CSCwd16712 Device readiness upgrade check failure - sftunnel sync issue due to time change

CSCwd16902 File events show Action as "Malware Block" for files with correct disposition of unknown

CSCwd16906 ASA/FTD may traceback and reload in Thread Name 'lina' following policy deployment

CSCwd17037 SFDataCorrelator RNA-Stop action should not block when database operations are hung

CSCwd17856 ASA goes for traceback/reload with message - snmp_ma_kill_restart: vf is NULL

CSCwd17940 HA did not failover due to misleading status updates from NDClient

CSCwd18744 FPR1K FTD fails to form HA due to reason "Other unit has different set of hwidb index"

CSCwd19053 ASA/FTD may traceback with large number of network objects deployment using distribute-list

CSCwd20627 ASA/FTD: NAT configuration deployment failure

CSCwd20900 HTTP Block Response and Interactive Block response pages not being displayed by Snort3

CSCwd22349 ASA: Unable to connect AnyConnect Cert based Auth with "periodic-authentication certificate" enabled

CSCwd22413 EIGRPv6 - Crashed with "mem_lock: Assertion mem_refcount' failed" on LINA.

CSCwd22907 ASA/FTD High CPU in SNMP Notify Thread

CSCwd23188 ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwd23913 FTD in HA traceback multiple times after adding a BGP neighbour with prefix list.

CSCwd24072 rsc_5_min.log store location should move to a different partition

CSCwd24289 Cert serial number not displayed properly in PCA debug and syslogs

CSCwd24639 Functional: FMCv patch upgrade fails

CSCwd25201 ASA/FTD SNMP traps enqueued when no SNMP trap server configured

CSCwd25256 ASA/FTD Transactional Commit may result in mismatched rules and traffic loss

CSCwd26867 Device should not move to Active state once Reboot is triggered

CSCwd28236 standby unit using both active and standby IPs causing duplicate IP issues due to nat "any"

CSCwd29835 log rotate failing to cycle files, resulting in large file sizes

CSCwd30774 FMC HA - files in tmp/Sync are left on secondary when synchronisation task fails

CSCwd30977 FMC deleted some access-rules due to an incorrect delta generated during the policy deployment.

CSCwd31181 Lina traceback and reload - VPN parent channel (SAL) has an invalid underlying channel

CSCwd31960 Management access over VPN not working when custom NAT is configured

CSCwd32892 lost cac.conf after upgrade to 7.2.1 for FMC smart-card auth

CSCwd33054 DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA

CSCwd33479 Duplicate SMB session id packets causing snort3 crash

CSCwd33721 ADI process may become unstable when downloading a large number of users

CSCwd33811 Cluster registration is failing because DATA_NODE isn't joining the cluster

CSCwd34662 LTS18 and LTS21 commit id update in CCM layer (seq 39)

CSCwd36246 Filtering of jobs in deploy history page is applying the criteria only on Top50 jobs

CSCwd37135 ASA/FTD traceback and reload on thread name fover_fail_check

CSCwd37238 TLS connections to Exchange 2007 server may fail

CSCwd37718 Prevent cluster heartbeat probing failure in virtual platform

CSCwd38526 FMC can allow deployment of NAP in test mode with Decrypt policy

CSCwd38805 Syslog 106016 is not rate-limited by default

CSCwd39039 FMC - Error message "The server response was not understood. Please contact support." on UI

CSCwd39468 ASA/FTD Traceback and reload when configuring ISAKMP captures on device

CSCwd39710 SFDataCorrelator delay in processing events when the intrusion event rate is high

CSCwd40141 Firepower Management Center GUI view for Snort2 Local Intrusion Rules is missing

CSCwd40260 Serviceability Enhancement - Payloads that cannot be parsed are silently dropped by ASA/FTD

CSCwd40955 Very long validation time during Policy Deployment due to big network object in SSL policy

CSCwd41083 ASA traceback and reload due to DNS inspection

CSCwd41466 Re-downloaded users from a forest with trusted domains may become unresolved/un-synchronized

CSCwd41553 PIM register packets are not sent to Rendezvous Point (RP) due to PIM tunnel interface down state

CSCwd41806 deployment failed with OOM (out of memory) for policy_apply.pl process

CSCwd42620 Deploying objects with escaped values in the description might cause all future deployments to fail

CSCwd43666 Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log

CSCwd44326 Object NAT edit is failing

CSCwd46741 fxos log rotate failing to cycle files, resulting in large file sizes

CSCwd47340 FXOS: memory leak in svc_sam_envAG process

CSCwd47424 Device name always shows as 'firepower' in CDO event view

CSCwd47442 800_post/1027_ldap_external_auth_fix.pl upgrade error -- reference to missing authentication object

CSCwd47481 WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 40)

CSCwd48633 ASA - traceback and reload when Webvpn Portal is used

CSCwd48776 Port-channel interface went down post deployment

CSCwd49636 FMC UI showing disabled/offline for multiple devices as health events are not processed

CSCwd49685 Missing SSL MEMCAP causes deployment failure due to timeout waiting for snort detection engines

CSCwd49758 Pre-deployment failure seen in FMC due to huge number of policies

CSCwd50131 Upgrades are not cleaning up mysql files leading to alert for 'High unmanaged disk usage on /ngfw'

CSCwd50218 ASA restore is not applying vlan configuration

CSCwd51757 Unable to get polling results using snmp GET for connection rate OIDs

CSCwd51964 Add validation in lua detector api to check for empty patterns for service apps

CSCwd52448 Route leaking of local host having /32 mask may lead to crash

CSCwd52995 FMC not opening deployment preview window

CSCwd53135 ASA/FTD: Object Group Search Syslog for flows exceeding threshold

CSCwd53340 FTD PDTS LINA RX queue can become stuck when snort sends messages with 4085-4096 bytes size

CSCwd53448 FPR3100: 4x40 network module LEDs do not blink with traffic

CSCwd53863 Data migration from Sybase to MariaDB taking more time due to large data size of POLICY_SNAPSHOT

CSCwd54439 FMC gives an irrelevant error message for Snort2 to Snort3 rules conversion failure

CSCwd55673 Need corrections in log_handler_file watchdog crash fix

CSCwd55853 Deployment failure with localpool overlap error after upgrade

CSCwd56254 "show tech-support" generation does not include "show inventory" when run on FTD

CSCwd56431 Disable asserts in FTD production builds

CSCwd56774 Misleading drop reason in "show asp drop"

CSCwd56834 [IMS_7_3_0/7_2_0] Lina crashed on VMware 2 node cluster during sending GRE traffic

CSCwd56995 Clientless Accessing Web Contents using application/octet-stream vs text/plain

CSCwd57698 Recursive panic under lina_duart_write

CSCwd57784 Config Archive should get created if Rest-GET method failed on device

CSCwd58337 allocate more cgroup memory for policy deployment subgroup

CSCwd58417 HA Periodic sync is failing because cfg files are missing

CSCwd58430 At times AC Policy save takes longer time, maybe around 10 or more mins

CSCwd58528 Memory depletion while running EMIX traffic profile on QP HA active node

CSCwd59736 ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade

CSCwd61016 ASA: Standby may get stuck in "Sync Config" status upon reboot when EEM is configured

CSCwd61082 FMC UI Showing inaccurate data in S2S VPN Monitoring page

CSCwd61410 mdbtrace.log can fill storage on FMC

CSCwd62025 FTDv: Policy Deployment failure due to interface setting on failover interface

CSCwd62138 ASA Connections stuck in idle state when DCD is enabled

CSCwd62915 Cross-domain users with non-ASCII characters are not resolved

CSCwd63580 FPR2100: Increase in failover convergence time with ASA in Appliance mode

CSCwd63722 FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum with all 0 checksum

CSCwd63961 AC clients fail to match DAP rules due to attribute value too large

CSCwd64480 Packets through cascading contexts in ASA are dropped in gateway context after software upgrade

CSCwd64919 FXOS is not rotating PoE logs

CSCwd65327 WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 41)

CSCwd66820 Object network service has empty objects when NSG created from FMC with predefined apps

CSCwd66822 FDM FPR2k Network module interfaces are greyed out post 7.1.0 update

CSCwd68088 ASA|FTD: Implement different TLS diffie-hellman prime based on RFC recommendation

CSCwd69139 Snort 3 traceback on stream prune_lru

CSCwd69236 FMC Connection Event stops displaying latest event

CSCwd69454 Port-channel interfaces of secondary unit are in waiting status after reload

CSCwd70490 Port-channel member port status flag and membership status are Down if LACPDUs are not received

CSCwd70716 Clustering is disabled on all data nodes after power off/on

CSCwd71254 ASA/FTD may traceback and reload in idfw fqdn hash lookup

CSCwd72425 internal.cloudapp.net_snort3 core file is generated on DST setup

CSCwd72680 FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy.

CSCwd72915 FMC 7.1.0.1 Doesn't throw warning that S2S VPN Configs contain deprecated MD5 Hash during deployment

CSCwd73981 FMC: Updates page takes more than 5 minutes to load

CSCwd74116 S2S Tunnels do not come up due to DH computation failure caused by DSID Leak

CSCwd74839 30+ seconds data loss when unit re-joins cluster

CSCwd75738 Predefined FlexConfig Text Objects are not exported by Import-Export

CSCwd76622 FTD with Snort3 might have memory corruption BT in snort file with same IP traffic scaling

CSCwd78123 ASA/FTD traceback and reload when IPSec/Ikev2 vpn session bringup with dh group 31 in fips mode

CSCwd78624 ASA configured with HA may traceback and reload with multiple input/output error messages

CSCwd79388 intrusion events fail to migrate from MariaDB to MonetDB following FMC upgrade from 7.0.3 to 7.1.0

CSCwd80343 MI FTD running 7.0.4 has high disk utilization

CSCwd80741 Snort drops Bomgar application packets with Early Application Detection enabled

CSCwd81384 FMC upgrade fails: 114_DB_table_data_integrity_check.pl, stating Snort2IPSNAPCleanup.pm cannot be found

CSCwd81897 Snort3 crash seen sometimes while processing a future flow connection after appid detectors reload

CSCwd82235 LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage

CSCwd82801 Snort outputs massive volume of packet events - IPS event view may show "No Packet Information"

CSCwd83956 snort2 does not match rules based on application SMTP/SMTPS anymore after a while

CSCwd83990 FTD - Snort matches incorrect NAP id for traffic

CSCwd84133 ASA/FTD may traceback and reload in Thread Name 'telnet/ci'

CSCwd84153 ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwd84868 Observing some devcmd failures and checkheaps traceback when flow offload is not used.

CSCwd85178 AWS ASAv PAYG Licensing not working in GovCloud regions.

CSCwd85609 FTDs running 6.6.x show as disconnected on new HM (6.7+) but checks are running and updating

CSCwd85927 Traceback and reload when webvpn users match DAP access-list with 36k elements

CSCwd86313 Unable to access Dynamic Access policy

CSCwd86457 Number of objects is not getting updated under Policies > Security Intelligence > Block list

CSCwd86929 Cut-Through Proxy does not work with HTTPS traffic

CSCwd87227 High disk usage due to process_stdout.log and process_stderr.log logrotate failure (no rotation)

CSCwd88585 ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units

CSCwd88641 Deployment changes to push VDB package based on Device model and snort engine

CSCwd89349 WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (seq 42)

CSCwd90112 MariaDB crash (segmentation fault) related to netmap query

CSCwd91421 ASA/FTD may traceback and reload in logging_cfg processing

CSCwd92804 FAN LED flashing amber on FPR2100

CSCwd93465 FMCv 7.2.0 - FTD management IP is not correctly updated on the FMC after changing the FTD management IP

CSCwd93792 SFDataCorrelator performance degradation involving hosts with many discovered MAC addresses

CSCwd94096 Anyconnect users unable to connect when ASA using different authentication and authorization server

CSCwd94840 snort sets tunnel bypass for geneve encoded packets

CSCwd95415 The Standby Device goes into failed state due to snort heartbeat failure

CSCwd95436 Primary ASA traceback upon rebooting the secondary

CSCwd95908 ASA/FTD traceback and reload, Thread Name: rtcli async executor process

CSCwd96041 FMC SecureX via proxy stops working after upgrade to 7.x

CSCwd96493 Link Up seen for a few seconds on FPR1010 during bootup

CSCwd96500 FTD: Unable to configure WebVPN Keepout or Certificate Map on FPR3100

CSCwd96755 ASA unexpectedly reloads when doing backup

CSCwd96766 41xx: Blade does not capture or log a reboot signal

CSCwd96790 High FMC backup file size due to configurations snapshot for all managed devices

CSCwd97276 Unified events and connection events pages don't load anymore. DB cores generated every few minutes

CSCwe00757 Summary status dashboard takes more than 3 mins to load upon login

CSCwe00828 Interactive Block action doesn't work when websites are redirected to https

CSCwe00864 License Commands go missing in Cluster data unit if the Cluster join fails.

CSCwe03991 FTD/ASA traceback and reload due to tmatch compilation process

CSCwe04437 collection of top.log.gz in troubleshoot can be corrupt due to race condition

CSCwe05913 FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity

CSCwe06724 Database table optimization not working for some of the tables

CSCwe06828 FMC HA Synchronization can hang forever if no response from SendUserReloadSGTAndEndpointsEvent

CSCwe07103 FMC: Upgrade fails at DB Integrity check due to large number of EO warnings for "rule_comments"

CSCwe07734 ASA goes to failsafe mode after FXOS upgrade

CSCwe07928 On a cloud-delivered FMC there is no way to send events to syslog without sending to SAL/CDO as well

CSCwe08729 FPR1120: connections are torn down after switchover in HA

CSCwe08908 Threatgrid integration configuration is not sync'd as part of the FMC HA Synchronisation

CSCwe09074 None option under trustpoint doesn't work when CRL check is failing

CSCwe09121 FTD Deployment failures due to "snort3.validation.lua:5: '=' expected near 'change'"

CSCwe09811 FTD traceback and reload during policy deployment adding/removing/editing of NAT statements.

CSCwe10290 FTD is dropping GRE traffic from WSA

CSCwe10548 ASA binding with LDAP as authorization method with missing configuration

CSCwe11119 ASA: Traceback and reload while processing SNMP packets

CSCwe11304 Snort crashing on FTD

CSCwe11727 Purging of Config Archive failed for all the devices if one device has no versions

CSCwe12407 High Lina memory use due to leaked SSL handles

CSCwe14174 FTD - 'show memory top-usage' providing improper value for memory allocation

CSCwe14417 FTD: IPSLA Pre-emption not working even when destination becomes reachable

CSCwe14514 ASA/FTD Traceback and reload of Standby Unit while removing capture configurations

CSCwe16554 TLS sessions dropped under certain conditions after a fragmented Client Hello

CSCwe16620 FMC Health Monitor does not report alerts for the Interface Status module

CSCwe17858 FMC HA info is not sync'ed reliably to FTD to support CLOUD_SERVICE

CSCwe18859 After device registration or FMC upgrade, devices sometimes don't send events to the FMC

CSCwe18974 ASA/FTD may traceback and reload in Thread Name: CTM Daemon

CSCwe19286 Snort3 crashes on SMB with files_not_processed counter incrementing

CSCwe20043 256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516

CSCwe21959 Snort3: Process in D state resulting in OOM with jemalloc memory manager

CSCwe22216 MariaDB crashing/holding high CPU and not allowing users to log in to GUI and CLI

CSCwe22302 Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated

CSCwe22386 Unexpected firewall reloads with traceback.

CSCwe22492 Slow UI loading for Table View of Hosts

CSCwe22980 Database integrity check takes several minutes to complete

CSCwe23039 NTP polling frequency changed from 5 minutes to 1 second causes large useless log files

CSCwe23139 FTD HA does not break from FMC GUI but HA bootstrap is removed from devices

CSCwe24532 Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/

CSCwe24880 Using proxy authentication in FMC for smart licensing is failing after upgrading to 7.0.5

CSCwe25391 rpc service detector causing snort traceback due to universal address being an empty
string

CSCwe28094 ASA/FTD may traceback and reload after executing 'clear counters all' when VPN
tunnels are created

CSCwe28726 The command "app-agent heartbeat" is getting removed when deleting any created
context

CSCwe29179 CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner.

CSCwe29583 ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo

CSCwe29850 ASA/FTD Show chunkstat top command implementation

CSCwe29952 SFDataCorrelator cores due to stuck database query after 1 hour deadlock timeout

CSCwe30228 ASA/FTD might traceback in function "snp_fp_l2_capture_internal" due to cf_reinject_hide flag

CSCwe30653 FTD upgrade failure at "999_finish/999_zz_install_bundle.sh" due to bad key cert

CSCwe32058 ASA/FTD may traceback and reload in Thread Name 'ci/console' when checking Geneve capture

CSCwe32448 Changing time window settings in FMC GUI event viewers may not work with FMC integrated with SecureX

CSCwe36176 ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled

CSCwe38640 EventHandler warnings if syslog facility is CONSOLE

CSCwe39425 2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset

CSCwe39431 FMC Upgrade: generation of sftunnel.json file per FTD does not check for duplicate names

CSCwe40463 Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer

CSCwe41336 FDM WM-HA ssh is not working after upgrading 7.2.3 beta with data interface as management

CSCwe41898 ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy.

CSCwe42236 FMC: Domain creation fails with error "Index 'netmap_num' for table 'domain_control_info'"

CSCwe44311 FP2100: Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames

CSCwe44620 Question mark in NAT description causes config mismatch on Data members of an FTD cluster

CSCwe44766 IMS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy.

CSCwe45222 Snort3 crashes are seen under Dce2Smb2FileTracker processing of data

CSCwe45779 ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency

CSCwe48378 Remove FMC drop_cache trigger to prevent Disk I/O increase due to file cache thrashing

CSCwe48432 Unable to save Access Control Policy changes due to Internal error

CSCwe49127 Log rotation for process_stderr.log and process_stdout.log files may fail due to race condition

CSCwe52640 Certain containers have extra gray borders and certain containers are styled incorrectly

CSCwe58576 FTD: Node not joining cluster with "Health check detected that control left cluster" due to SSL error

CSCwe59380 FTD: "timeout floating-conn" not operating as expected

CSCwe59809 WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (seq 45)

CSCwe62971 Policy Deploy Failing when trying to remove Umbrella DNS Connector Configuration

CSCwe62997 ASA/FTD traceback in snp_tracer_format_route

CSCwe63232 ASA/FTD: Ensure flow-offload states within cluster are the same

CSCwe64043 FTD: cluster access-list mismatch between units due to missing group-object

CSCwe64404 ASA/FTD may traceback and reload after changing IP of authentication server

CSCwe64542 TID python processes stuck at 100% CPU

CSCwe64557 ASA: Prevent SFR module configuration on unsupported platforms

CSCwe64563 The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context

CSCwe66132 ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwe69833 IP addresses are susceptible to be skipped by geolocation rules when using snort 3

CSCwe70558 FTD: unable to run any commands on CLISH prompt

CSCwe70721 Deployment is blocked due to Pre-deploy Validation Error - Invalid endpoint

CSCwe71238 Requests from intelligence page fail after RMQ was stopped for some time

CSCwe71284 ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853

CSCwe71672 Selective deployment negating the route configs

CSCwe71673 Selective deployment removing the prefilter-configs

CSCwe72535 Unable to login to FTD using external authentication

CSCwe73240 FMC runs out of space when Snort sends massive numbers of packet logs

CSCwe74290 SFDataCorrelator spam seen in /var/log/messages

CSCwe74328 AnyConnect - mobile devices are not able to connect when hostscan is enabled

CSCwe75018 Snort2 rule recommendations increase disabled rule count drastically

CSCwe75124 Upgraded FMC didn't mark FTDs with Hot Fix as light registered - failed FMC HA sync

CSCwe75207 High rate of network map updates can cause large delays and backlogs in event processing

CSCwe83069 Fix Snort3 Memory Utilisation Value

CSCwe83478 Prune target should account for the allocated memory from the thread pruned

CSCwe83812 SFDataCorrelator log spam when network map is full

CSCwe87873 Requirement: Log rotate utility needs to handle the rotating of the asa-appagent.log file

CSCwe89030 Serial number attribute from the subject DN of certificate should be taken as the username

CSCwe89731 Notification Daemon false alarm of Service Down

CSCwe90095 Username-from-certificate feature cannot extract the email attribute

CSCwe91674 Mserver restarts frequently

CSCwe91719 Getting "Unknown" for multiple SSL fields when status is Do Not Decrypt (Unsupported Cipher Suite)

CSCwe93202 FXOS REST API: Unable to create a keyring with type "ecdsa"

CSCwe97704 DOC: Add note regarding FTD/Lina syslog message format

CSCwf07030 Upgrade Device listing page is taking more than 15 mins to load page fully with 25 FTDs registered

CSCwf11004 Can't log with "info" and "debug".

Resolved Bugs in Version 7.2.3.1


Table last updated: 2023-04-18

Table 35: Resolved Bugs in Version 7.2.3.1

Bug ID Headline

CSCwe53746 Firepower 1010E speed and duplex are set to "auto" on the FMC, deployment fails

Resolved Bugs in Version 7.2.3


Table last updated: 2023-02-27

Table 36: Resolved Bugs in Version 7.2.3

Bug ID Headline

CSCwd09341 Multiple log files have zero bytes due to logrotate failure

CSCwd87227 FTD process log files can fill disk and cause system down events and block user login ability

CSCwc37695 In addition to the c_rehash shell command injection identified in CVE-2022-1292

Resolved Bugs in Version 7.2.2


Table last updated: 2020-11-30

Table 37: Resolved Bugs in Version 7.2.2

Bug ID Headline

CSCwc10241 Temporary HA split-brain following upgrade or device reboot

Resolved Bugs in Version 7.2.1


Table 38: Resolved Bugs in Version 7.2.1

Bug ID Headline

CSCvo17612 Return error messages when failing to retrieve objects from database

CSCvw82067 ASA/FTD 9344 blocks depleted due to high volume of fragmented traffic

CSCvx24207 FQDN Object Containing IPv4 and IPv6 Addresses Only Install IPv6 Entries

CSCvx68586 Not able to login to UI/SSH on FMC, console login doesn't prompt for password

CSCvy24180 Default variable set missing on FMC

CSCvy50598 BGP table not removing connected route when interface goes down

CSCvy99348 Shutdown command reboots instead of shutting the FP1k device down.

CSCvz36903 ASA traceback and reload while allocating a new block for cluster keepalive packet

CSCvz69729 Unstable client processes may cause LINA zmqio traceback on FTD

CSCwa08640 MonetDB crashing due to file size error

CSCwa59907 LINA observed traceback on thread name "snmp_client_callback_thread"

CSCwa72528 Username from cert feature does not work with SER option

CSCwa75966 ASA: Reload and Traceback in Thread Name: Unicorn Proxy Thread with Page fault: Address not mapped

CSCwa85492 URL lookup responding with two categories

CSCwa89347 Cannot add object to network group on FMC

CSCwa97917 ISA3000 in boot loop after powercycle

CSCwa99171 Chassis and application sets the time to Jan 1, 2010 after reboot

CSCwb01633 FXOS misses logs to diagnose root cause of module show-tech file generation failure

CSCwb05291 Cisco ASDM and ASA Software Client-side Arbitrary Code Execution Vulnerability

CSCwb06847 ASA/FTD may traceback and reload in Thread Name 'DATAPATH-9-11543'

CSCwb08393 SSL policy deploy failing when using special characters on SSL rule names

CSCwb12465 FIPS self-tests must be run when CC mode is enabled - files are missing

CSCwb13294 WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 25)

CSCwb17963 Unable to identify dynamic rate limiting mechanism & not following msg limit per/sec at syslog server.

CSCwb19648 SNMP queries for crasLocalAddress are not returning the assigned IPs for SSL/DTLS tunnels.

CSCwb19664 Malware Block false positives triggered after upgrade to version 7.0.1

CSCwb20926 FDM: Policy deployment failure after upgrade due to unused IKEv1 policies

CSCwb38406 GeoDB updates on multi-domain environment requires a manual policy deployment

CSCwb41361 WR8, LTS18 and LTS21 commit id update in CCM layer (seq 26)

CSCwb49416 ASA snmpd Traceback & cores on an active unit

CSCwb51821 Disk usage errors on Firepower Azure device due to large backup unified files under ngfw directory

CSCwb53172 FTD: IKEv2 tunnels flaps every 24 hours and crypto archives are generated

CSCwb53328 ASA/FTD Traceback and reload caused by Smart Call Home process sch_dispatch_to_url

CSCwb54791 ASA DHCP server fails to bind reserved address to Linux devices

CSCwb58007 CVE-2022-28199: Evaluation for FTDv and ASAv

CSCwb59619 PM needs to restart the Disk Manager after creating ramdisk to make DM aware of the ramdisk

CSCwb65447 FTD: AAB cores are not complete and not decoding

CSCwb65718 FMC is stuck on loading SI objects page

CSCwb67040 FP4112|4115 Traceback & reload on Thread Name: netfs_thread_init

CSCwb68642 ASA traceback in Thread Name: SXP CORE

CSCwb69503 ASA unable to configure aes128-gcm@openssh.com when FIPS enabled

CSCwb71460 ASA traceback in Thread Name: fover_parse and triggered by snmp related functions

CSCwb73248 FW traceback in timer infra / netflow timer

CSCwb74357 FXOS is not rotating log files for partition opt_cisco_platform_logs

CSCwb74571 PBR not working on ASA routed mode with zone-members

CSCwb76129 Some SSL patterns not detected after VDB 356 or higher is installed

CSCwb76423 ASA crashes on fp2100 when checking CRL

CSCwb79812 RIP is advertising all connected AnyConnect users and not matching route-map for redistribution

CSCwb80559 FTD offloads SGT tagged packets although it should not

CSCwb80862 ASA/FTD proxy arps any traffic when using the built-in 'any' object in translated destination

CSCwb82796 ASA/FTD firewall may traceback and reload when tearing down IKE tunnels

CSCwb83388 ASA HA Active/standby tracebacks seen approximately every two months.

CSCwb83691 ASA/FTD traceback and reload due to the initiated capture from FMC

CSCwb84638 Portmanager/LACP improvement to capture logging events on external event restarts

CSCwb85633 Snmpwalk output of memory does not match show memory/show memory detail

CSCwb85822 Deployment failing when collecting policies.

CSCwb86118 TPK ASA: Device might get stuck on ftp copy to disk

CSCwb86339 ACP Network Validation Failure - Unable to parse ip - Can't call method "binip" - Blank Space

CSCwb86565 FMC upgrade fails due to mismatch in number of entries between /etc/passwd and /etc/shadow

CSCwb87498 Lina traceback and reload during EIGRP route update processing.

CSCwb88651 Cisco ASA and FTD Software RSA Private Key Leak Vulnerability

CSCwb88887 snp_fp_vxlan_encap_and_grp_send_common: failed to find adj. bp->l3_type = 8, inner_sip message

CSCwb89004 FMC DBcheck.pl hangs at "Checking mysql.rna_flow_stats_template against the current schema"

CSCwb89187 Flex Config allow - "timeout icmp-error hh:mm:ss"

CSCwb90074 ASA: Multiple Context Mixed Mode SFR Redirection Validation

CSCwb90105 Upgrade to 7.2 on FTDv for Nutanix is stuck after reboot

CSCwb90532 ASA/FTD traceback and reload on NAT related function nat_policy_find_location

CSCwb91101 SNMP interface threshold doesn't trigger properly when traffic sent to interface ~4gbps

CSCwb92376 FMC syslog-ng daemon fails to start if log facility is set to ALERT

CSCwb92583 Upgrade with a large amount of unmonitored disk space used can cause failed upgrade and hung device

CSCwb92709 We can't monitor the interface via "snmpwalk" once interface is removed from context.

CSCwb93932 ASA/FTD traceback and reload with timer services assertion

CSCwb94190 ASA graceful shut down when applying ACLs with forward reference feature and FIPS enabled.

CSCwb94312 Unable to apply SSH settings to ASA version 9.16 or later

CSCwb95112 Intrusion Policy shows last modified by admin even though changes are made by a different user

CSCwb95787 FPR1010 - No ARP on switchport VLAN interface after portmanager DIED event

CSCwb97251 ASA/FTD may traceback and reload in Thread Name 'ssh'

CSCwb97486 FPR3100: 25G optic may show link up on some 1/10G capable only fiber ports

CSCwc01155 New ACP UI does not load if there are manually entered Location IP literal values in that policy

CSCwc02416 Not re-subscribing to ISE topics after certain ISE connectivity issues.

CSCwc02488 ASA/FTD may traceback and reload in Thread Name 'None'

CSCwc02700 Fragmented packets are dropped when unit leaves cluster

CSCwc03069 Interface internal data0/0 is up/up from cli but up/down from SNMP polling

CSCwc03296 Upgrade fails when using DDNS Service with user and password

CSCwc04162 TTL values causing packets to retransmit

CSCwc04187 Watchdog crash on FP1000 during very heavy AnyConnect SSL VPN tunnel establishment

CSCwc05132 Unable to disable "Retrieve to Management Center

CSCwc07015 snort3 crash due to NULL pointer in TLS Client Hello Evaluation

CSCwc08374 Azure ASA NIC MAC address for Gigeth 0/1 and 0/2 become out of order when adding interfaces

CSCwc09414 ASA/FTD may traceback and reload in Thread Name 'ci/console'

CSCwc10483 ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread

CSCwc10792 ASA/FTD IPSEC debugs missing reason for change of peer address and timer delete

CSCwc10900 URL cloud lookup if enabled on the FMC may not work on newly registered devices.

CSCwc11597 ASA tracebacks after SFR was upgraded to 6.7.0.3

CSCwc11663 ASA traceback and reload when modifying DNS inspection policy via CSM or CLI

CSCwc12652 Control-Plane ACL Non-Functional After Upgrade to 9.18(1) or 7.2.0-82 Firepower

CSCwc13017 FTD/ASA traceback and reload at ../inspect/proxy.h:439

CSCwc13382 DCERPC traffic is dropped after upgrade to snort3 due to Parent flow is closed

CSCwc13994 ASA - Restore does not remove the new configuration for an interface set up after backup

CSCwc14885 FMC logs user out when editing any backdraft page

CSCwc15530 Syslog facility "ALERT" should be changed on FDM since it is not supported anymore by syslog-ng

CSCwc18218 Database files on disk grow larger than expected for some frequently updated tables

CSCwc18312 "show nat pool cluster" commands run within EEM scripts lead to traceback and reload

CSCwc23075 Upgrade to MariaDB 10.5.16 to get security vulnerability fixes

CSCwc23356 ASA/FTD may traceback and reload in Thread Name 'DATAPATH-20-7695'

CSCwc23695 ASA/FTD can not parse UPN from SAN field of user's certificate

CSCwc24422 AC SSLVPN with Certificate Authentication and DAP failure if client's machine cert has empty subject

CSCwc24906 ASA/FTD traceback and reload on Thread id: 1637

CSCwc25275 AC Policy UI: Cannot search rules while the rules are loading

CSCwc25451 AC Policy New UI: Adding rule inside a category throws index error

CSCwc28334 Cisco ASA and FTD Software RSA Private Key Leak Vulnerability

CSCwc28532 9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing

CSCwc28660 Snort3: NFSv3 mount may fail for traffic through FTD

CSCwc28928 ASA: SLA debugs not showing up on VTY sessions

CSCwc29591 Retrospective file disposition updates fail due to incorrect eventsecond values in fileevent tables

CSCwc30487 High unmanaged disk usage on Firepower 2110 device

CSCwc32246 NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used

CSCwc37196 FPR3100: 8x1G copper netmod may incorrectly report obsolete firmware on boot

CSCwc40322 Onboarding on-prem FMC to CDO using SecureX fails due to User Authentication Failed error

CSCwc40850 FMC authentication with SecureX Orchestration fails

CSCwc41590 Upgrade fail & App Instance fail to start with err "CSP_OP_ERROR. CSP signature verification error."

CSCwc41661 FTD Multiple log files with zero byte size.

CSCwc59953 Snort3 crash with TLS 1.3

CSCwc65907 snort3 hangs in Crash handler which can lead to extended outage time during a snort crash

CSCwc69376 v7.2 post-upgrade performance issues due to excessive intrusionevent partition tables

CSCwc76658 SFDataCorrelator fails to start after <7.1 to >=7.1.0 upgrade due to compliance.rules "session_both"

CSCwc88583 Deployment fails with error Invalid Snort3IntrusionPolicy mode. Supports only inline and inline-test

Resolved Bugs in Version 7.2.0.1


Table 39: Resolved Bugs in Version 7.2.0.1

Bug ID Headline

CSCwb88651 Cisco ASA and FTD Software RSA Private Key Leak Vulnerability

CSCwb93932 ASA/FTD traceback and reload with timer services assertion

CSCwc28334 Cisco ASA and FTD Software RSA Private Key Leak Vulnerability

Resolved Bugs in Version 7.2.0


Table 40: Resolved Bugs in Version 7.2.0

Bug ID Headline

CSCwa70008 Expired certs cause Security Intelligence updates to fail

CSCvz67001 FMC Event backups to remote SSH storage targets fail

CSCvy46482 Redundant service-object group created while crypto ACL is used in S2S VPN.

CSCwb22359 Portmanager/LACP improvement to avoid false restarts and increase of logging events

CSCwb64551 FMC Backup failure- Monetdb backup failure code 102

CSCwa00038 Disk corruption occurs when /mnt/disk0 partition is full and blade is rebooted

CSCwa40223 Cisco Firepower Management Center Software Cross-Site Scripting Vulnerability

CSCwa45656 SLR license application fails on managed devices

CSCwa34110 FMC should support southern hemisphere DST configurations

CSCwa32956 Connection events are not sent to Firepower Management Center due to deploy race condition

CSCvz40765 FMC CPU graph displays the wrong number of Snort and System cores

CSCvy19453 SFDataCorrelator performance problems involving redundant new host events with only MAC addresses

CSCwa12688 Radius external authentication object fails to install on FTD due to invalid retries

CSCwb40001 Long delays when executing SNMP commands

CSCwa95694 Snort cores generated intermittently when SSL policy is enabled on the ASA-SFR module

CSCwa08262 AnyConnect users with mapped group-policies take attributes from default GP under the tunnel-group

CSCvz27235 Multiple Cisco Products Snort Modbus Denial of Service Vulnerability

CSCvz14377 Losing admin and other users from Mysql DB and EO

CSCvz80981 SNMPv3 doesn't work for SFR modules running version 7.0

CSCvz68336 SSL decryption not working due to single connection on multiple in-line pairs

CSCvx75683 The 'show cluster info trace' output is overwhelmed by 'tag does not exist' messages

CSCwa79604 Infinitely running jobs in the task list

CSCwa43497 Datapath deadlocks seen when sending ICMP PMTU for AnyConnect-SSL

CSCvx59252 FXOS is not rotating log files for management interface

CSCwa15093 Access Policy Control Clear Hit Count throwing Error 403: Forbidden

CSCwa06608 WM 1010 HA Failover is not successful when we give failover active in secondary.

CSCvz41761 FMC Does not allow to create an EIGRP authentication secret key using the $ character

CSCwb46481 SNMPv3 not working after upgrade of FMC

CSCvq29993 FPR2100 ONLY - PERMANENT block leak of size 80, 256, and 1550 memory blocks & blackholes traffic

CSCwa70323 Unable to push extra domains >1024 Character, as part of Custom Attribute under AnyConnect VPN

CSCwb46340 Elektra upgrade failed while upgrading

CSCvz77050 Occasionally policy deployment failures are reported as successful

CSCvz61456 Software upgrade on ASA application may fail without obvious reasons

CSCwb16561 FMC GUI does not load Intrusion Policies

CSCwa74984 Cannot open FMC Access Details -> Configuration tab after FMC upgrade

CSCvy89713 FMC process dbsrv16 has high CPU utilization after the FMC upgrade

CSCvz73583 FTD does not send the authentication information to proxy server when downloading the VDB and GEODB.

CSCvz02027 Update host from URL if not available in the packet to stop cloud lookup for null host http requests

CSCwa84862 Unable to remove/modify Standard Access List objects in FMC

CSCvz03524 PKI "OCSP revocation check" failing due to sha256 request instead of sha1

CSCwa85340 Unable to generate the PDF with access policy having large nested objects

CSCwa27488 Fail to import with error "is not a table"

CSCwa89689 Server hello done on TLS stripped by FTD after enabling 'early application detection' with snort3

CSCwb50405 ASA/FTD Traceback in crypto hash function

CSCvz08588 User unrecognized alarm for discovered identity realm users

CSCug96057 Devices with same category are categorized with multiple category names

CSCwb11939 ASA/FTD MAC modification is seen in handling fragmented packets with INSPECT on

CSCvz09109 Cluster CCL interface capture shows full packets although headers-only is configured

CSCwb20940 FMC: Add validation checks for the combination of SSL/Snort3/NAP in Detection mode

CSCvz90654 FTD Failover unit does not join HA due to "HA state progression failed due to APP SYNC timeout"

CSCwa55868 QP vFTD Policy Deployment with snort2 Failed with Undefined package variable

CSCvz78331 SNMP polling fails after a re-image

CSCwa70482 ASDM on MAC popup remove hostscan/CSD pkg

CSCvz62517 SRU install should validate files upon completion

CSCwa41918 ssl inspection may have unexpected behavior when evicting certificates

CSCvz29656 FMC connection event search causing high memory utilisation for index.cgi

CSCvz78548 Unable to load Devices --> Certificates page

CSCwa79676 FPR1010 in HA Printing Broadcast Storm Alerts for Multiple Interfaces

CSCwa81395 A carefully crafted request body can cause a buffer overflow in the ...

CSCwa81143 Unable to save the application policy filter. Save tab is stuck and continuously loading.

CSCvy75131 Occasionally deleted sensor/interfaces are not removed from security zones

CSCvz73957 FTD stops generating Syslog ID 430002 and 430003 with EventHandler cores

CSCvy24921 SNMPv3 - SNMP EngineID changes after every configuration change

CSCvy24435 FMC GUI can be accessed by an expired password when using .cgi with https://FMCIP/login.cgi

CSCwa97423 Deployment rollback causes brief traffic drop due to order of operations

CSCvz89106 Multiple Cisco Products Server Name Identification Data Exfiltration Vulnerability

CSCwa11088 Access rule-ordering gets automatically changed while trying to edit it before page refresh/load

CSCvz62261 Unable to restrict user access when using ASDM

CSCwb19387 ASA SNMP Poll is failing & show display "Unable to honour this request now. Please try again later."

CSCwa98983 7.1.0.1-25 upgrade failed on KP-HA at 800_post/901_reapply_sensor_policy.pl

CSCwa83078 snort3 - resumed sessions not being decrypted can fail

CSCwb42846 Snort instance CPU stuck at 100%

CSCwb59218 Unable to save DAP Endpoint Criteria as "Disabled"

CSCvx90486 In some cases snmpwalk for ifXTable may not return data interfaces

CSCvz76745 SFDataCorrelator memory growth with cloud-based malware events

CSCvz13564 Firepower 2100 FTD: ssh-access-list configuration are lost after upgrading

CSCwa35179 FTD AC VPN certificate is lost across reloads

CSCwb84225 Evaluation OpenJDK CVEs for ASDM & ASA REST API

CSCwa38996 Big number of repetitive messages in snmpd.log leading to huge log size

CSCvy80380 Disk utilization increasing /var/tmp in FPR4150-ASA chassis

CSCwb01126 DNS server configuration is lost if configuring through RA VPN page on FDM 7.1.0

CSCwa68004 FMC 7.0 FlexConfig blocked mac-address-table aging-time for transparent FTD without any alternativ

CSCwb29126 Cannot use underscore (_) in FMC's realm AD Primary Domain configuration

CSCwa99370 ASDM:DAP config missing AAA Attributes type (Radius/LDAP)

CSCwa89560 NAT rule modification after rule search changes rule order

CSCvy33501 FDM failover pair - new configured sVTI IPSEC SA is not synced to standby. FDM shows HA not in sync

CSCwa75077 Time-range objects incorrectly populated in prefilter rules

CSCwb07319 Entitlement tags contain invalid character.

CSCwa91070 Cgroup triggering oom-k for backup process

CSCwa45369 Execution of commands appears to result in a new zombie process

CSCwb44048 Event Rate on FMC Health Monitoring Dashboard shows extremely high values

CSCvz72467 Cisco FXOS and NX-OS Software Cisco Discovery Protocol Service Denial of Service

CSCwb37999 Customized Variables name cause Snort3 validation failure

CSCvz73315 Connection events are not seen on FMC, SFDataC doesn't process events from to_import dir

CSCwb21704 FDM: Add validation checks for the combination of SSL/Snort3/NAP in Detection mode

CSCwb32841 NAT (any,any) statements in-states the failover interface and resulting on Split Brain events

CSCvz79930 Snort3 .dmp and crashinfo files are not managed by diskmanager

CSCwa51867 FDM IKEv2 S2S PSK Not Deploying Correctly (Changing Asymmetric to Symmetric PSK)

CSCwa39683 log file flooded by ssl_policy log_error messages when ssl debug is enabled

CSCwa25033 Unexpected HTTP/2 data frame causing segfault

CSCwa39680 Snort stops processing packets when SSL decryption debug enabled - Snort2

CSCvz24238 Cisco Firepower Management Center Cross-site Scripting Vulnerability

CSCwa31373 duplicate ACP rules are generated on FMC 6.6.5 after rule copy.

CSCwa43311 Snort blocking and dropping packet, with bigger size(1G) file download

CSCwa32286 WR6, WR8 and LTS18 commit id update in CCM layer(sprint 125, seq 21)

CSCwb24039 ASA traceback and reload on routing

CSCwa46963 Security: CVE-2021-44228 -> Log4j 2 Vulnerability

CSCwb06543 Increase logging level to diagnose LACP process unexpected restart events

CSCwb43018 Implement SNP API to check ifc and ip belongs to HA LU or CMD interface

CSCvz76652 Proxy URI URL for URL Filtering (beaker service) includes encoded user/password strings

CSCvz51570 FDM: Management interface name mismatch between HA units and FDM UI / CLI

CSCvz66236 Threshold mis-behavior of "-1" after configuring Type:Both for specific rule

CSCwb59488 ASA/FTD Traceback in memory allocation failed

CSCwa42350 ASA installation/upgrade fails due to internal error "Available resources not updated by module"

CSCvz32593 QP4110 and QW4115 in disabled state with CD App Sync error is Rsync is not enabled on active device

CSCwa76621 HM process OOM killed on FTD 1120

CSCvy67765 FTD VTI reports TUNNEL_SRC_IS_UP false despite source interface is up/up and working

CSCvz02076 Snort reload times out causing restart

CSCwa32628 SFDataCorrelator crash at AddFileToPendingHash() due to race condition

CSCwa07390 Config only FMC: SI feed downloaded file does not match expected checksum

CSCwa97910 Connection event report displays the same device twice

CSCwb48686 ASAV will not boot on REDHAT KVM under Dell PowerEdge R650

CSCwa27822 Lina process remains in started status after a major FTD upgrade to 6.7 or 7.0

CSCwb11325 nullPointerException during 100_ftd_onbox_data_import.pl causes upgrade from 7.0.0 to 7.1.0 to fail

CSCwb32721 Syslog IDs 725021 and 725022 are not listed as valid IDs

CSCwa35596 Registered devices may miss on standby FMC due to AnyConnect HostScan class files sync failure

CSCwa26353 snort3 - Policy does not become dirty after updating LSP - when only custom intrusion policies in use

CSCvz70539 Loggerd process is getting killed due to OOM under high logging rate

CSCvr97157 ENH: Enhance the deployment failure behavior on FTD managed by FDM

CSCwb28047 FMC - "Receiving thread exited with an exception: stoi" causing pxGrid to flap

CSCwa21016 Cisco Firepower Threat Defense Software DNS Enforcement Denial of Service Vulnerability

CSCwb16663 Unable to configure NAP under Advanced Tab in AC policy

CSCvy82655 REST API - Bulk AC rules creation fails with 422 Unprocessable Entity

CSCvt76856 If a connection to Smart Satellite Server is using a certificate, it cannot be reverted

CSCwa77396 Unable to create Monitor Alerts in FMC

CSCvy50797 Policy deployment may fail if platform settings contain DH group1 for SSL

CSCvz91266 FXOS A crafted request uri-path can cause mod_proxy to forward the request to an origin server...

CSCwa86210 When PM disables mysqld, sometimes it is taking longer than expected to fully shutdown.

CSCwa72641 URL incorrectly extracted for TLS v1.2 self signed URLs when "Early application detection" enabled

CSCwa85138 Multiple issues with transactional commit diagnostics

CSCwa48169 ASA/FTD traceback and reload on netsnmp_handler_check_cache function

CSCvx24470 FTD/FDM: RA VPN sessions disconnected after every deployment if custom port for RA VPN is configured

CSCvz96440 FMC should not create archival for NGIPS devices

CSCwa04171 FMC is generating and removing the AAA commands for the realm unnecessarily

CSCwa31488 FDM High Availability cannot be created using Etherchannel as failover interface.

CSCvy65200 Random characters displayed on DNSQuery field for specific queries.

CSCwb31699 Primary takes active role after reload

CSCwb19648 SNMP queries for crasLocalAddress are not returning the assigned IPs for SSL/DTLS tunnels.

CSCvz70688 If default-information originate is configured first, then the Stub command is not allowed for config

CSCwa03732 Deployment gets hung at snapshot generation phase during deploy

CSCvz69699 FMC UI may become inaccessible due to connection leaks in internal database

CSCwa69279 FMC: Unable to configure AnyConnect MTU for group-policy with only IKEv2 protocol enabled

CSCwa62167 CIAM: Apache-http-server CVE-2021-44790 and CVE-2021-44224

CSCwa48849 ssl unexpected behavior with resumed sessions

CSCwa52215 Uploading firmware triggers data port-channel to flap

CSCvy99218 VDB Version shouldn't be update if fails

CSCwa50145 FPR8000 sensor UI login creates shell user with basic privileges

CSCvz19634 FTD software upgrade may fail at 200_pre/505_revert_prep.sh

CSCwa85220 Authorization Failure in DCCSM bridge during device registration.


CSCwa21061 FTD upgrade fails on 800_post/100_ftd_onbox_data_import.sh

CSCwa98853 Error F0854 FDM Keyring's RSA modulus is invalid

CSCvv59757 FMC event report generation fails if one is already running

CSCvz66506 Continuous ADI traceback and reload on FPR2100 registered to FMC HA

CSCvz85234 Facilities ALERT, AUDIT, CLOCK and KERN do not work in sending Audit Log to syslog from FMC.

CSCvz84733 LACP packets through inline-set are silently dropped

CSCvx89451 ISA3000 shutdown command reboots system and does not shut system down.

CSCvz43325 Active FMC not deregistering sensors after breaking HA

CSCwa55974 FMC should do an abort of any previous configuration sessions before applying new delta

CSCwa77083 Host information is missing when Security Zones are configured in Network Discovery rules

CSCwa42596 ASA with SNMPv3 configuration observes unexpected reloads with snmpd cores

CSCwb84638 Portmanager/LACP improvement to capture logging events on external event restarts

CSCwa31139 FMC does not check for IP overlap with FTD failover interface

CSCwa08084 FMC hardware appliance restore ends with an error "Unknown Failure Condition"

CSCwb08828 FP1010 Switchport access vlan interface in up/up status but not passing traffic

CSCvz53993 Random packet block by Snort in SSL flow

CSCvv82681 RTC unstable clock register read causes "watchdog: BUG: soft lockup - CPU#0 stuck" error on console

CSCwa67145 Realm download fails if one of the groups is deleted on the AD

CSCvu82743 Snort Generator ID 3 rules disabled following Snort reload

CSCwa17918 Unable to uncheck option Always advertise the default route for OSPF

CSCvp15884 FMC SI Health Alerts: SI URL List and Feeds - Failure False Positives

CSCwa55418 multiple db folders current-policy-bundle after deployment with anyconnect package before upgrade

CSCvz35787 FTD misleading OVER_SUBSCRIBED flow flag for mid-stream flow

CSCwa53088 snort 2 ssl-debug files may not be written


CSCwa29956 "Interface configuration has changed on device" message may be shown after FTD upgrade

CSCwa60574 ASA traceback and reload on snp_ha_trans_alloc_msg_muxbuf_space function

CSCwb38669 LACP policy name set to Null after upgrade to 7.1.0.90 (2.11.1.154) on FPR1150

CSCwb08644 ASA/FTD traceback and reload at IKEv2 from Scaled S2S+AC-DTLS+SNMP long duration test

CSCvz97196 Can't create Flexconfig Object with ldap-naming-attribute pager cause pager is block.

CSCwb09219 ASA/FTD: OCSP may fail to work after upgrade due to "signer certificate not found"

CSCwa85297 Multi-instance internal portchannel VLANs may be misprogrammed causing traffic loss

CSCvz25197 Multiple Cisco Products Snort Modbus Denial of Service Vulnerability

CSCug44895 upload is failed when more number of cursors are returned from PAS

CSCwa67209 FMC may disable autonegotiation for port-channels with 1Gbps SFP fiber members after FTD upgrade

CSCwb24101 Loggerd syslog has stray incorrect timestamps, e.g. well before FirstPacketSecond

CSCwa51862 LSP downloads fail when using proxy

CSCwa78082 FMC intrusion event search produces inconsistent results

CSCwa80040 FMC NFS configuration failing after upgrade from 6.4.0.4 to 7.0.1

CSCvz52430 FDM UI inaccessible 503 Service Unavailable due to five DNS servers configured

CSCwb07981 Traceback: Standby FTD reboots and generates crashinfo and lina core on thread name cli_xml_server

CSCwb02316 "Non stop forwarding not supported on '1'" error while configuring MAC address

CSCwa92883 Deployment Failed at phase-2 with domain snapshot error

CSCvz61463 FP9k SM-44 6.7.0.2 High CPU on radware vdp Cores after upgrade

CSCwa55142 SNORT3 / SSL / Definitive DND verdict when there's an extra DND bottom rule, instead of regular DND

CSCvy88460 Unable to add additional RADIUS authentication objects after upgrade to 6.7.0

CSCvz72771 ASA/FTD may traceback and reload. "c_assert_cond_terminate" in stack trace

CSCwb07908 Standby FTD/ASA sends DNS queries with source IP of 0.0.0.0

CSCwa13721 FDM-managed FTD upgrade failure when custom cipher is selected in SSL Settings


CSCvj08826 FMC ibdata1 file might grow large in size

CSCwa14524 Snort cores in pdts_sftls_daq_acquire with SSL activated

CSCwb43629 License and rule counts telemetry data incorrectly generated for HA managed devices

CSCwa31508 Continuous deployment failure on QW-4145 device

CSCwa79905 FMC NAT Policy report generation does not record the rules every 51*x

CSCwa90660 FMC Realm user/group download doesn't spin the task

CSCwb56718 Policy deployment fails with error- Rule update is running but there are no updates in progress.
