Table of Contents
FireSIGHT System Release Notes
New Features and Functionality
Management of Cisco ASA with FirePOWER Services
Feature Limitations of Cisco ASA with FirePOWER Services
Before You Begin: Important Update and Compatibility Notes
Configuration and Event Backup Guidelines
Audit Logging During the Update
Version Requirements for Updating to Version 5.3.1
Time and Disk Space Requirements for Updating to Version 5.3.1
Product Compatibility After Updating to Version 5.3.1
Returning to a Previous Version
Using the Shell to Perform the Update
FireSIGHT System Release Notes
First Published: June 19th, 2014
Even if you are familiar with the update process, make sure you thoroughly read and understand these release notes, which describe supported platforms, new and changed features and functionality, known and resolved issues, and product and web browser compatibility. They also contain detailed information on prerequisites, warnings, and specific installation instructions for the following appliances:
- Series 2 and Series 3 Defense Centers (the DC500, DC750, DC1000, DC1500, DC3000, and the DC3500)
- 64-bit virtual Defense Centers
Note This update is for Defense Centers only. It is not supported on physical or virtual managed devices or Sourcefire Software for X-Series.
Tip For detailed information on the FireSIGHT System, refer to the online help or download the FireSIGHT System User Guide from the Support site.
These release notes are valid for Version 5.3.1 of the FireSIGHT System. You can update appliances running at least Version 5.3.0.1 of the FireSIGHT System to Version 5.3.1.
New Features and Functionality
This section of the release notes summarizes the new and updated features and functionality included in Version 5.3.1 of the FireSIGHT System:
- Management of Cisco ASA with FirePOWER Services
- Feature Limitations of Cisco ASA with FirePOWER Services
- Terminology
For detailed information, see the FireSIGHT System User Guide, FireSIGHT System Installation Guide, and FireSIGHT System Virtual Installation Guide.
Management of Cisco ASA with FirePOWER Services
Version 5.3.1 introduces the ability to manage Cisco ASA with FirePOWER Services (ASA FirePOWER devices) with the FireSIGHT Defense Center. Defense Centers running Version 5.3.1 can manage ASA FirePOWER modules on the following ASA devices:
- ASA5512-X
- ASA5515-X
- ASA5525-X
- ASA5545-X
- ASA5555-X
- ASA5585-X-SSP-10, ASA5585-X-SSP-20, ASA5585-X-SSP-40, and ASA5585-X-SSP-60
The ASA FirePOWER module must be running Version 5.3.1 to be managed by a Defense Center running Version 5.3.1. ASA FirePOWER modules can only be installed on the above platforms running Version 9.2.2 or later of the ASA software.
Feature Limitations of Cisco ASA with FirePOWER Services
When you use a Defense Center to manage Cisco ASA with FirePOWER Services devices, the ASA FirePOWER module provides the first-line system policy and passes traffic to the FireSIGHT System for access control, intrusion detection and prevention, discovery, and advanced malware protection.
Regardless of the licenses installed and applied, ASA FirePOWER devices do not support any of the following features through the FireSIGHT System:
- ASA FirePOWER devices do not support the FireSIGHT System’s hardware-based features, including clustering, stacking, switching, routing, virtual private networks (VPN), and network address translation (NAT).
Note The ASA platform provides these features, configured using the ASA command line interface (CLI) and Adaptive Security Device Manager (ASDM). For more information, see the ASA FirePOWER module documentation.
- You cannot use the Defense Center web interface to configure ASA FirePOWER interfaces.
- You cannot use the Defense Center to shut down, restart, or otherwise manage ASA FirePOWER processes.
- You cannot use the Defense Center to create backups from or restore backups to ASA FirePOWER devices.
- You cannot write access control rules to match traffic using VLAN tag conditions.
The ASA FirePOWER device does not have a FireSIGHT web interface. However, it has software and a CLI specific to the ASA platform. You use these ASA-specific tools to install the system and to perform other platform-specific administrative tasks. For more information, see the ASA FirePOWER module documentation.
Note The Defense Center does not display ASA interfaces when the ASA FirePOWER device is deployed in SPAN port mode.
Terminology
Version 5.3.1 introduces the ability to manage Cisco ASA with FirePOWER Services using FireSIGHT Defense Centers. If you reference documentation for Version 5.3 or Version 5.3.0.1, you may notice the terminology differs from the documentation for Version 5.3.1.
Tip Cisco documentation may refer to the Defense Center as the FireSIGHT Management Center. The Defense Center and the FireSIGHT Management Center are the same appliance.
Documentation Updates
You can download all updated documentation from the Support site. In Version 5.3.1, the following documents were updated to reflect the addition of new features and changed functionality and to address reported documentation issues:
- FireSIGHT System Online Help
- FireSIGHT System User Guide
- FireSIGHT System Installation Guide
- FireSIGHT System Virtual Installation Guide
- FireSIGHT System eStreamer Integration Guide
- FireSIGHT System Database Access Guide
The documentation updated for Version 5.3.1 contains the following errors:
- The documentation incorrectly states the following about devices in a stack:
If a secondary device fails, the primary device continues to sense traffic, generate alerts, and send traffic to all secondary devices. On failed secondary devices, traffic is dropped. A health alert is generated indicating loss of link.
The documentation should specify that, when a secondary device fails, the system sends the primary device into maintenance mode. The primary device does not sense traffic, generate alerts, or send traffic to secondary devices. A health alert is generated to indicate loss of link. (122708, 123380, 138433)
Before You Begin: Important Update and Compatibility Notes
Before you begin the update process for Version 5.3.1, you should familiarize yourself with the behavior of the system during the update process, as well as with any compatibility issues or required pre- or post-update configuration changes.
Caution Cisco strongly recommends you perform the update in a maintenance window or at a time when the interruption will have the least impact on your deployment.
For more information, see the following sections:
- Configuration and Event Backup Guidelines
- Audit Logging During the Update
- Version Requirements for Updating to Version 5.3.1
- Time and Disk Space Requirements for Updating to Version 5.3.1
- Product Compatibility After Updating to Version 5.3.1
- Returning to a Previous Version
Configuration and Event Backup Guidelines
Before you begin the update, Cisco strongly recommends that you delete or move any backup files that reside on your appliance, then back up current event and configuration data to an external location.
Use the Defense Center to back up event and configuration data. For more information on the backup and restore feature, see the FireSIGHT System User Guide.
Note The Defense Center purges locally stored backups from previous updates. To retain archived backups, store the backups externally.
Audit Logging During the Update
When updating appliances that have a web interface, after the system completes its pre-update tasks and the streamlined update interface page appears, login attempts to the appliance are not reflected in the audit log until the update process is complete and the appliance reboots.
Version Requirements for Updating to Version 5.3.1
To update to Version 5.3.1, a Defense Center must be running at least Version 5.3.0.1. If you are running an earlier version, you can obtain updates from the Support site.
Note This update is not supported on managed devices or Sourcefire Software for X-Series.
The closer your appliances’ current version to the release version (Version 5.3.1), the less time the update takes.
Time and Disk Space Requirements for Updating to Version 5.3.1
The table below provides disk space and time guidelines for the Version 5.3.1 update. Note that when you use the Defense Center to update a managed device, the Defense Center requires additional disk space on its
/Volume
partition.
Caution Do not restart the update or reboot your appliance at any time during the update process. Cisco provides time estimates as a guide, but actual update times vary depending on the appliance model, deployment, and configuration. Note that the system may appear inactive during the pre-checks portion of the update and after rebooting; this is expected behavior.
The reboot portion of the update includes a database check. If errors are found during the database check, the update requires additional time to complete. System daemons that interact with the database do not run during the database check and repair.
If you encounter issues with the progress of your update, contact Support.
Product Compatibility After Updating to Version 5.3.1
Defense Centers running Version 5.3.1 can manage managed devices and ASA FirePOWER modules installed on ASA devices. Devices must be running the versions identified in the following table to be managed by a Defense Center.
Operating System Compatibility
You can host 64-bit virtual appliances on the following hosting environments:
You can install ASA FirePOWER modules on the following ASA platforms running Version 9.2.2 or later:
- ASA5512-X
- ASA5515-X
- ASA5525-X
- ASA5545-X
- ASA5555-X
- ASA5585-X-SSP-10, ASA5585-X-SSP-20, ASA5585-X-SSP-40, and ASA5585-X-SSP-60
For more information, see the FireSIGHT System Installation Guide or the FireSIGHT System Virtual Installation Guide.
Version 5.3.1 of the web interface for the FireSIGHT System has been tested on the browsers listed in the following table.
JavaScript, cookies, Secure Sockets Layer (SSL) v3, 128-bit encryption, Active scripting security setting, Compatibility View, set Check for newer versions of stored pages to Automatically
Screen Resolution Compatibility
Cisco recommends selecting a screen resolution that is at least 1280 pixels wide. The user interface is compatible with lower resolutions, but a higher resolution optimizes the display.
Installing the Update
Before you begin the update, you must thoroughly read and understand these release notes, especially Before You Begin: Important Update and Compatibility Notes.
To update appliances running at least Version 5.3.0.1 of the FireSIGHT System to Version 5.3.1, see the guidelines and procedures outlined below:
Note This update is not supported on physical or virtual managed devices or Sourcefire Software for X-Series.
Caution Do not reboot or shut down your appliances during the update until you see the login prompt. The system may appear inactive during the pre-checks portion of the update; this is expected behavior and does not require you to reboot or shut down your appliances.
Because the update process may affect traffic inspection, traffic flow, and link state, Cisco strongly recommends you perform the update in a maintenance window or at a time when the interruption will have the least impact on your deployment.
Use the Defense Center’s web interface to perform the update.
Installing the Update on Paired Defense Centers
When you begin to update one Defense Center in a high availability pair, the other Defense Center in the pair becomes the primary, if it is not already. In addition, the paired Defense Centers stop sharing configuration information; paired Defense Centers do not receive software updates as part of the regular synchronization process.
To ensure continuity of operations, do not update paired Defense Centers at the same time. First, complete the update procedure for the secondary Defense Center, then update the primary Defense Center.
After you perform the update on the Defense Center, you must reapply device configuration and access control policies. Applying an access control policy may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the FireSIGHT System User Guide.
There are several additional post-update steps you should take to ensure that your deployment is performing properly. These include:
- verifying that the update succeeded
- making sure that all appliances in your deployment are communicating successfully
- updating to the latest patch for Version 5.3.1, if available, to take advantage of the latest enhancements and security fixes
- optionally, updating your intrusion rules and vulnerability database (VDB) and reapplying your access control policies
- making any required configuration changes based on the information in New Features and Functionality.
The next sections include detailed instructions not only on performing the update, but also on completing any post-update steps. Make sure you complete all of the listed tasks.
Updating Defense Centers
Use the procedure in this section to update your Defense Centers, including virtual Defense Centers. For the Version 5.3.1 update, Defense Centers reboot.
Caution Do not reboot or shut down your appliances during the update until after you see the login prompt. The system may appear inactive during the pre-checks portion of the update; this is expected behavior and does not require you to reboot or shut down your appliances.
Note Updating a Defense Center to Version 5.3.1 removes existing uninstallers from the appliance.
Step 1 Read these release notes and complete any required pre-update tasks.
For more information, see Before You Begin: Important Update and Compatibility Notes.
Step 2 Download the update from the Support site:
Note Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
Step 3 Upload the update to the Defense Center by selecting System > Updates, then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload.
The update is uploaded to the Defense Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated.
Step 4 Make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 5 View the task queue ( System > Monitoring > Task Status) to make sure that there are no tasks in progress.
Tasks that are running when the update begins are stopped, become failed tasks, and cannot be resumed; you must manually delete them from the task queue after the update completes. The task queue automatically refreshes every 10 seconds. You must wait until any long-running tasks are complete before you begin the update.
Step 6 Select System > Updates.
The Product Updates tab appears.
Step 7 Click the install icon next to the update you uploaded.
The Install Update page appears.
Step 8 Select the Defense Center and click Install. Confirm that you want to install the update and reboot the Defense Center.
The update process begins. You can begin monitoring the update's progress in the task queue ( System > Monitoring > Task Status). However, after the Defense Center completes its necessary pre-update checks, you are logged out. When you log back in, the Upgrade Status page appears. The Upgrade Status page displays a progress bar and provides details about the script currently running.
If the update fails for any reason, the page displays an error message indicating the time and date of the failure, which script was running when the update failed, and instructions on how to contact Support. Do not restart the update.
Caution If you encounter any other issue with the update (for example, if a manual refresh of the Update Status page shows no progress for several minutes), do not restart the update. Instead, contact Support.
When the update completes, the Defense Center displays a success message and reboots.
Step 9 After the update finishes, clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.
Step 10 Log into the Defense Center.
Step 11 Review and accept the End User License Agreement (EULA). Note that you are logged out of the appliance if you do not accept the EULA.
Step 12 Select Help > About and confirm that the software version is listed correctly: Version 5.3.1. Also note the versions of the rule update and VDB on the Defense Center; you will need this information later.
Step 13 Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 14 If the rule update available on the Support site is newer than the rules on your Defense Center, import the newer rules.
For information on rule updates, see the FireSIGHT System User Guide.
Step 15 If the VDB available on the Support site is newer than the VDB on your Defense Center, install the latest VDB.
Installing a VDB update causes a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the FireSIGHT System User Guide.
Step 16 Reapply device configurations to all managed devices.
To reactivate a grayed-out Apply button, edit any interface in the device configuration, then click Save without making changes.
Step 17 Reapply access control policies to all managed devices.
Caution Do not reapply your intrusion policies individually; you must reapply all access control policies completely.
Applying an access control policy may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the FireSIGHT System User Guide.
Step 18 If a patch for Version 5.3.1 is available on the Support site, apply the latest patch as described in the FireSIGHT System Release Notes for that version. You must update to the latest patch to take advantage of the latest enhancements and security fixes.
Note If your Defense Center experiences a FSIC failure while updating from Version 5.3 to Version 5.3.1, install Version 5.3.0.2 before updating to Version 5.3.1.
Using the Shell to Perform the Update
Although Cisco recommends that you use the web interface on your Defense Centers to perform updates, there may be rare situations where you need to update the appliance using the bash shell.
For the Version 5.3.1 update, all appliances reboot. For more information, see Audit Logging During the Update.
To install the update using the shell:
Step 1 Read these release notes and complete any required pre-update tasks.
For more information, see Before You Begin: Important Update and Compatibility Notes.
Step 2 Download the appropriate update from the Support site:
Note Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
Step 3 Log into the appliance's shell using an account with Administrator privileges.
For virtual appliances, log in using the virtual console in the VMware vSphere Client.
Step 4 At the prompt, run the update as the root user, providing your password when prompted:
where update_name is the file name of the update you downloaded earlier.
Step 5 When the update is complete, the appliance reboots. You can monitor the update and complete any post-update steps as described in the following section:
Note If your Defense Center experiences a FSIC failure while updating from Version 5.3 to Version 5.3.1, install Version 5.3.0.2 before updating to Version 5.3.1.
Resolved Issues
The following sections list the issues resolved in the Version 5.3.1 update.
Issues Resolved in Version 5.3.1
- Resolved an issue where, in some cases, the intrusion event packet view displayed a rule message that did not match the rule that generated the event. (138208)
- Resolved an issue where you could not import an intrusion rule that referenced a custom variable. (138211)
- Resolved an issue where enabling telnet on a Cisco IOS Null Route remediation module and configuring the username for the Cisco IOS instance to enable by default on the Cisco IOS router caused Cisco IOS Null Route remediations to fail on the Defense Center. (139506)
- Resolved an issue where the system did not prevent you from creating a network variable with an excluded network value that excluded all ( any) networks. (139510)
Known Issues
The following known issues are reported in Version 5.3.1:
- The system requires additional time to reboot appliances or ASA FirePOWER modules running Version 5.3 or later due to a database check. If errors are found during the database check, the reboot requires additional time to repair the database. (135564, 136439)
- You cannot create an access control rule with a
GRE 47
port condition. (140642, 140644, 140646, 140648, 140650)- If you delete a managed device from a Defense Center, then add a different device, then reapply an access control policy with an intrusion policy associated with the default action, the system indicates that the intrusion policy is out of date on more devices than the Defense Center currently manages. (140705)
- If you add a device stack to a group of devices and edit the applied access control policy, the system removes all targeted devices from the policy, prevents you from adding new devices, and corrupts the policy name. As a workaround, remove device stacks from the device group and target standalone devices, device stacks, and device groups separately. (140710)
- If you configure both a proxy and single sign-on (SSO) on the Defense Center and the proxy cannot reach the Cisco Security Manager (CSM) server, SSO attempts timeout and fail. (140897)
- In rare cases, applying a single health policy to 100 or more managed devices causes system issues. As a workaround, reduce the number of managed devices with the health policy applied. (140977)
- If you automatically download a patch update by clicking Download Updates on the Product Updates page ( System > Updates), your Defense Center may download the incorrect patch. As a workaround, download patch updates manually by clicking Upload Update on the Product Updates page. (141056)
- You cannot use the web interface of a Defense Center to configure single sign-on (SSO) without first using the web interface to register an ASA device to the Defense Center. To configure SSO on Defense Centers in a high availability (HA) pair, Cisco recommends registering an ASA device to both Defense Centers and configuring SSO from the primary Defense Center. (141150)
- In some cases, syslog alerts sent as intrusion event notifications may contain incorrect intrusion rule classification data. (141213, 141216, 141220)
- If eStreamer retrieves a large number of file events, the system experiences a memory issue. (141222)
- If you use a network variable as your Networks value when configuring adaptive profiles, adaptive profiles fail. As a workaround, explicitly specify IP addresses or address blocks. (141225)
- If you create an access control or intrusion rule that blocks traffic, then apply the access control or intrusion policy to a virtual managed device that uses an inline interface set, you experience a disruption in traffic until you restart the appliance. (141230)
- If you create a configuration-only backup, the backup file includes extraneous discovery event data. (141246)
- If you create a saved search that uses a VLAN tag object, the system saves the search with the value
0
in the field where you used the VLAN tag object. (141330)- If you create a custom workflow with a large number of pages, the time window in the top right portion of the page may obscure the link to the final pages of the workflow. (141336)
- In rare cases, if you add multiple passive interfaces to a security zone, then reference the security zone in a managed device configuration, the configuration apply fails and the system experiences a disruption in detection. (141625, 141628)
- In some cases, if one or more detection resources are unresponsive on a managed device, installing an update of the vulnerability database (VDB) causes system issues. (141758)
- In rare cases, if you complete a large number of access control policy applies, the system experiences a memory issue and may generate multiple High unmanaged disk usage health alerts. (141830)
- If you remove the LSI RegEx card from the top blade of an ASA5585 device, you cannot install the ASA FirePOWER module. (CSCus89754)
The following known issues were reported in previous releases:
- If the system generates intrusion events with a Destination Port/ICMP Code of
0
, the Top 10 Destination Ports section of the Intrusion Event Statistics page ( Overview > Summary > Intrusion Event Statistics) omits port numbers from the display. (125581)- Defense Center local configurations ( System > Local > Configuration) are not synchronized between high availability peers. You must edit and apply the changes on all Defense Centers, not just the primary. (130612, 130652)
- In some cases, large system backups may fail if disk space usage exceeds the disk space threshold before the system begins pruning. (132501)
- In some cases, using the RunQuery tool to execute a
SHOW TABLES
command may cause the query to fail. To avoid query failure, only run this query interactively using the RunQuery application. (132685)- If you delete a previously imported local intrusion rule, you cannot re-import the deleted rule. (132865)
- In rare cases, the system may not generate events for intrusion rules 141:7 or 142:7. (132973)
- In some cases, remote backups of managed devices include extraneous unified files, generating large backup files on your Defense Center. (133040)
- You must edit the maximum transmission unit (MTU) on a Defense Center or managed device using the appliance’s CLI or shell. You cannot edit MTUs via the user interface. (133802)
- If you create a URL object with an asterisk (
*
) in the URL, the system does not generate preempted rule warnings for access control policies containing rules that reference the object. Do not use asterisks (*
) in URL object URLs. (134095, 134097)- If you configure your intrusion policy to generate intrusion event syslog alerts, the syslog alert message for intrusion events generated by intrusion rules with preprocessor options enabled is
Snort Alert
, not a customized message. (134270)- If the secondary device in a stack generates an intrusion event, the system does not populate the table view of intrusion events with security zone data. (134402)
- If you configure an Nmap scan remediation with the Fast Port Scan option enabled, Nmap remediation fails. As a workaround, disable the Fast Port Scan option. (134499)
- If you generate a report containing connection event summary data based on a connection event table saved search, reports on that table populate with no data. (134541)
- Scheduling and running simultaneous system backup tasks negatively impacts system performance. As a workaround, stagger your scheduled tasks so only one backup runs at a time. (134575)
- If you edit a previously configured LDAP connection where user and group access control parameters are enabled, clicking Fetch Groups does not populate the Available Groups box. You must re-enter your password when editing an LDAP connection in order to fetch available groups. (134872)
- In some cases, if you enable Resolve IP Addresses in the Event Preferences section of the Event View Settings page, hostnames associated with IPv6 addresses may not resolve as expected in the dashboard or event views. (135182)
- You cannot enter more than 450 characters in the Base Filter field when creating an LDAP authentication object. (135314)
- In some cases, if you schedule a task while observing Daylight Saving Time (DST), the task does not run during periods when you are not observing DST. As a workaround, select Europe, London as your local time zone on the Time Zone Preference page ( Admin > User Preferences) and recreate the task during a period when you are not observing DST. (135480)
- In some cases, the system may generate a false positive for the SSH preprocessor rule 128:1. (135567)
- If you apply an intrusion policy containing a rule with the Extract Original Client IP Address HTTP preprocessor option enabled, the system may populate intrusion events with incorrect data in the Original Client IP field if traffic passes through a dedicated proxy server. (135651)
- If you schedule a task with Report as the job type, the system does not attach the report to the emailed status report. (136026)
- If you apply an access control policy to multiple devices, the Defense Center displays the task status differently on the Task Status page, the Access Control policy page, and the Device Management page of the web interface. The status on the Device Management page ( Devices > Device Management) is correct. (136364, 136614)
- In some cases, if you create a custom workflow based on the health events table, the Defense Center displays conflicting data in the event viewer. (136419)
- If you import a custom intrusion rule as an
.rtf
file, the system does not warn you that the.rtf
file type is not supported. (136500)- If you configure a Security Intelligence feed and specify a Feed URL that was created on a computer running a Windows operating system, the system does not display the correct number of submitted IP addresses in the tooltips on the Security Intelligence tab. As a workaround, use
dos2unix
commands to convert the file from Windows encoding to Unix encoding and click Update Feeds on the Security Intelligence page. (136557)- If you disable a physical interface, the logical interfaces associated with it are disabled but remain green on the Interfaces tab of the appliance editor for that managed device. (136560)
- If you create a custom table based on the captured files table, the system generates an error message. The system does not support creating a custom table based on the captured files table. (136844)
- If you register a managed device with a hostname containing more than 40 characters, device registration fails. (137235)
- In some cases, the system does not filter objects in the Object Manager as expected if you include any of the following special characters in the filter criteria: dollar sign (
$
), caret (^
), asterisk (*
), brackets ([ ]
), vertical bar (|
), forward slash (\
), period (.
), and question mark (?
). (137493)- In some cases, if you enabled Simple Network Management Protocol (SNMP) polling in your system policy, modifying the high availability (HA) link interface configuration on one of your clustered managed devices causes the system to generate inaccurate SNMP polling requests. (137546)
- In some cases, configuring your access control policy to log blacklisted connections to the syslog or SNMP trap server causes system issues. (137952)
- In some cases, the Operating System Summary workflow displays incorrect DNS server counts, NTP server counts, and DNS port counts if the system receives DNS or NTP packets out of order. (138047)
- The table view of file events appears to support viewing the file trajectory for ineligible file events. You can only view file trajectories for files with a calculated SHA-256 value. (138155)
- If you generate a report in HTML or PDF format that includes a chart with File Name as the x-axis, the system does not display UTF-8 characters in the x-axis filenames. (138297)
- In rare cases, if you have ever used your Defense Center to manage more than one device, the system displays inaccurate intrusion event counts in the dashboard. (138298)
- In rare cases, editing and reapplying an intrusion policy hundreds of times causes intrusion rule updates and system updates to require over 24 hours to complete. (138333)
- If the latest version of the geolocation database (GeoDB) is installed on your Defense Center and you attempt to update the GeoDB with the same version, the system generates an error message. (138348)
- Connection events logged to the syslog or SNMP trap server may have incorrect URL Reputation values. (138504, 139466)
- In some cases, if you apply more than one access control policy across your deployment, searching for intrusion or connection events ( Analysis > Search) matching a specific access control rule may retrieve events generated by unrelated rules in other policies. (138542)
- You cannot cut and paste access control rules from one policy to another. (138713)
- In the Security Intelligence Source/Destination metadata (rec_type:281), the eStreamer server identifies the source as the destination and the destination as the source. (138740)
- In an access control policy, the system processes certain Trust rules before the policy’s Security Intelligence blacklist. Trust rules placed before either the first Monitor rule or before a rule with an application, URL, user, or geolocation-based network condition are processed before the blacklist. That is, Trust rules that are near the top of an access control policy (rules with a low number) or that are used in a simple policy allow traffic that should have been blacklisted to pass uninspected instead. (138743, 139017)
- If you disable Drop When Inline in your intrusion policy, inline normalization stops modifying packets seen in traffic and the system does not indicate what traffic would be modified. In some cases, other devices or applications on your network may not function in the same way after you re-enable Drop When Inline. (139174, 139177)
- Security Known Issue Sourcefire is aware of a vulnerability inherent in the Intelligent Platform Management Interface (IPMI) standard (CVE-2013-4786). Enabling Lights-Out Management (LOM) on an appliance exposes this vulnerability. To mitigate the vulnerability, deploy your appliances on a secure management network accessible only to trusted users. To prevent exposure to the vulnerability, do not enable LOM. (139286)
- In rare cases, the Task Status page ( System > Monitoring > Task Status) incorrectly reports that a failed system policy apply succeeded. (139428)
- If you configure and save three or more intrusion policies that reference each other through their base policies, the system does not update the Last Modified dates for all policies on the Intrusion Policy page ( Policies > Intrusion > Intrusion Policy). As a workaround, wait 5 to 10 minutes and refresh the Intrusion Policy page. (139647)
- In some cases, if you configure and save a report with a time window that includes the transition day from observing Daylight Saving Time (DST) to not observing DST, the system adjusts the time window to begin an hour earlier than you specified. As a workaround, set the time window to begin one hour later. (139713)
- If you remove an IP address from the global whitelist via the Object Manager page of the Defense Center web interface, the command line interface (CLI) on your Defense Center does not reflect the change. (139784)
For Assistance
Thank you for choosing the FireSIGHT System.
If you are a new customer, please visit https://support.sourcefire.com/ to download the Sourcefire Support Welcome Kit, a document to help you get started with Sourcefire Support and set up your Customer Center account.
If you have any questions, want to download updated documentation, or require assistance with the Sourcefire Defense Center, please contact Sourcefire Support:
- Visit the Sourcefire Support site at https://support.sourcefire.com/.
- Email Sourcefire Support at support@sourcefire.com.
- Call Sourcefire Support at 410.423.1901 or 1.800.917.4134.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about Cisco ASA devices, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
If you have any questions or require assistance with Cisco ASA devices, please contact Cisco Support:
- Visit the Cisco Support site at http://support.cisco.com/.
- Email Cisco Support at tac@cisco.com.
- Call Cisco Support at 1.408.526.7209 or 1.800.553.2447.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.