Cisco FXOS Release Notes, 1.1(3)
First Published: December 14, 2015
Last Revised: June 23, 2016
This document contains release information for Cisco Firepower eXtensible Operating System 1.1(3).
Use this release note as a supplement to the other documents listed in the documentation roadmap:
http://www.cisco.com/go/firepower9300-docs
Note: The online versions of the user documentation are occasionally updated after the initial release. As a result, the information contained in the documentation on Cisco.com supersedes any information contained in the context-sensitive help included with the product.
This document contains the following sections:
–New Features in FXOS 1.1.3.97
–New Features in FXOS 1.1.3.86
–New Features in FXOS 1.1.3.84
–Resolved Bugs in FXOS 1.1.3.97
–Resolved Bugs in FXOS 1.1.3.86
–Resolved Bugs in FXOS 1.1.3.84
■Obtaining Documentation and Submitting a Service Request
The Cisco Firepower 9300 security appliance is a next-generation platform for network and content security solutions. The Firepower 9300 is part of the Cisco Application Centric Infrastructure (ACI) Security Solution and provides an agile, open, secure platform that is built for scalability, consistent control, and simplified management.
The Firepower 9300 provides the following features:
■Modular chassis-based security system—provides high performance, flexible input/output configurations, and scalability.
■Firepower Chassis Manager—graphical user interface provides a streamlined, visual representation of the current chassis status and allows for simplified configuration of chassis features.
■FXOS CLI—provides a command-based interface for configuring features, monitoring chassis status, and accessing advanced troubleshooting features.
■FXOS REST API—allows users to programmatically configure and manage their chassis.
Cisco Firepower eXtensible Operating System 1.1.3.97 introduces the following new features:
■Fixes for various problems (see Resolved Bugs in FXOS 1.1.3.97).
Cisco Firepower eXtensible Operating System 1.1.3.86 introduces the following new features:
■Fixes for various problems (see Resolved Bugs in FXOS 1.1.3.86).
Cisco Firepower eXtensible Operating System 1.1.3.84 introduces the following new features:
■Inter-chassis clustering—FXOS 1.1.3 introduces support for clustering security modules together across multiple Firepower 9300 security appliances (also known as inter-chassis clustering). Inter-chassis clustering has been tested using up to six security modules.
■Flow offload—On security modules running ASA 9.5(2), you can identify select traffic to be off-loaded to a super fast path, where the flows are switched in the NIC itself. Off-loading can help you improve performance for data-intensive applications such as large file transfers.
■Packet Capture—allows you to collect packets being sent to and from the customer-facing ports and backplane ports on a Firepower 9300.
■Support of the Smart License Manager satellite for the Firepower 9300. Customers who cannot, or do not want to, manage their Cisco products using the Cisco Smart Software Manager residing at software.cisco.com can choose to install the Cisco Smart Manager satellite on-premises. When the satellite application is enabled, you can activate, register, view, and transfer your company's licenses without sending data to Cisco Smart Software Manager using the Internet.
■Configuration Import/Export—allows you to import and export logical device and platform configuration settings as an XML file. You can also configure a recurring export task or configure a notification to remind you to perform an export.
■QoS—FXOS 1.1(3) adds support for prioritizing traffic based on QoS settings. QoS configurations specific to the Firepower 9300 are not user configurable. Most of the configurations are applied automatically during initialization, and some are applied during logical-device configuration.
■SGT Load Balancing—FXOS 1.1(3) adds support for load balancing of traffic with Secure Group Tags. There is no specific configuration or CLI available for this feature. It is statically enabled and cannot be disabled. SGT Load Balancing is supported for IPv4 traffic only.
■Fixes for various problems (see Resolved Bugs in FXOS 1.1.3.84).
FXOS 1.1.3.97 includes the following components:
FXOS 1.1.3.86 includes the following components:
FXOS 1.1.3.84 includes the following components:
■Beginning with FXOS 1.1(3), the behavior for port-channels has changed. Now, when a port-channel is created, it will be configured as lacp cluster-detach by default and its status will show as down even if the physical link is up. The port-channel will be brought out of cluster-detach mode in the following situations:
–The port-channel's port-type is set to either cluster or mgmt
–The port-channel is added as a data port for a logical device that is part of a cluster and at least one security module has joined the cluster
If the port-channel is removed from the logical device or the logical device is deleted, the port-channel will revert to cluster-detach mode.
■With the 1.1(3) release, the password hashing mechanism was changed to SHA512 for security reasons. The 1.1(1) and 1.1(2) releases used MD5. As a result of this change, previous password history is not migrated to 1.1(3). In other words, the system behaves as if the set clear password-history yes command had been used after migrating to 1.1(3). All passwords created or changed afterward while running 1.1(3) are entered into and maintained in the password history mechanism.
■To use ASDM and other strong encryption features such as VPN, after you deploy a cluster you must enable the Strong Encryption (3DES) license on the master unit using the ASA CLI.
■If you encounter any issues with accessing the ASA console, we recommend that you switch to a different SSH client or upgrade to a newer version.
For information about FXOS software and hardware requirements and compatibility, including module compatibility, see Cisco FXOS Compatibility.
You can access the Firepower Chassis Manager using the following browsers:
■Mozilla Firefox – Version 42 and later
■Google Chrome – Version 47 and later
Testing on FXOS 1.1(3) was performed using Mozilla Firefox version 42 and Google Chrome version 47. We anticipate that future versions of these browsers will also work. However, if you experience any browser-related issues, we suggest you revert to one of the tested versions.
After upgrading to FXOS 1.1(3), you must perform the following procedure.
The default trustpoint is generated by the SSL library. FXOS 1.1(3) has been upgraded to use Cisco SSL. Before your unit can connect to the Smart Licensing servers and download entitlements, you must first delete the default trustpoint so that the trustpoint can be regenerated using the new SSL library.
2. Enter the following commands to delete the default trustpoint:
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
All open bugs severity 3 and higher for Firepower eXtensible Operating System 1.1(3) can be accessed using the following search and are also listed in the table below:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 1.1.3.97:
The following table lists the defects that were resolved in Firepower eXtensible Operating System 1.1.3.86:
For additional information on the Firepower 9300 security appliance and the Firepower eXtensible Operating System, see Navigating the Cisco Firepower 9300 Documentation.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.
To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What’s New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.