FireSIGHT System Release Notes
New Features and Functionality
Detection and Security Enhancements
Enhancements for International Compatibility
Before You Begin: Important Update and Compatibility Notes
Configuration and Event Backup Guidelines
Traffic Flow and Inspection During the Update
Audit Logging During the Update
Version Requirements for Updating to Version 5.4
Time and Disk Space Requirements for Updating to Version 5.4
Product Compatibility After Updating to Version 5.4
Updating Managed Devices and ASA FirePOWER Modules
First Published: March 24, 2015
Last Updated: September 17, 2020
Even if you are familiar with the update process, make sure you thoroughly read and understand these release notes, which describe supported platforms, new and changed features and functionality, known and resolved issues, and product and web browser compatibility. They also contain detailed information on prerequisites, warnings, and specific installation instructions for the following appliances:
Note You cannot update Cisco NGIPS for Blue Coat X-Series running Version 5.3.0.x of the FireSIGHT System directly to Version 5.4. Instead, you must uninstall the previous version and install Version 5.4. Note that this results in the loss of all configuration and event data on the X-Series installation. For more information, see the Cisco NGIPS for Blue Coat X-Series Installation and Configuration Guide.
Note To reduce the time to update to Version 5.4.0, install the Version 5.4.0 Pre-Installation Package before you update. For more information, see FireSIGHT System Release Notes for the Version 5.4.0 Pre-Installation Package.
Tip For detailed information on the FireSIGHT System, refer to the online help or download the FireSIGHT System User Guide from the Support site.
These release notes are valid for Version 5.4 of the FireSIGHT System. You can update Series 2 devices and Series 3 devices running at least Version 5.3.0.1 of the FireSIGHT System to Version 5.4. You can update Defense Centers and ASA FirePOWER modules running at least Version 5.3.1 to Version 5.4.
This section of the release notes summarizes the new and updated features and functionality included in Version 5.4 of the FireSIGHT System:
For detailed information, see the FireSIGHT System User Guide, FireSIGHT System Installation Guide, FireSIGHT System Virtual Installation Guide, and Cisco NGIPS for Blue Coat X-Series Installation and Configuration Guide.
FirePOWER (Series 3) devices can now identify SSL communications and decrypt the traffic before applying attack, application, and malware detection. You can use SSL decryption in any of the supported Series 3 device deployment modes, including inline and passive. SSL policies control characteristics of SSL in use within the enterprise, with SSL rules to exert granular control over encrypted traffic logging and handling.
Simplified Normalization and Preprocessor Configuration
You now configure traffic normalization and preprocessing in the access control policy, rather than the intrusion policy. This simplifies configuration, especially for new users. The sensitive data preprocessor, rule states, alerting, and event thresholds can still be configured at an individual intrusion policy level.
New file_type
Keyword in the Snort Rule Language
A new file_type
keyword is available in the Snort rules language that enables the specification of a file type for detection. This is a streamlined alternative to the existing flowbits-driven method.
Expanded IOC Support from FireAMP Connectors
The list of Indicators of Compromise provided by FireAMP is now dynamic and data-driven. As new IOCs become available, they are automatically supported by the Defense Center. This enhances the IOC correlation capability in any deployment where FireAMP is used.
A new capability of the Snort rule language is available for use in high-security environments. You can now create a Snort content match using hashed data. This allows the rule writer to specify what content to search for, but never exposes the content in plain text.
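To make the hashed-content idea concrete: the rule author hashes the sensitive pattern once, the distributed rule carries only the digest plus the byte length and position to hash, and the sensor hashes that window of the payload and compares digests. The Python below is an added illustration written for these notes, not Snort or FireSIGHT code; its function names, rule fields, and sample request lines are this example's own, and its semantics are modelled on the position-anchored hashed match rather than on any specific product syntax.

```python
import hashlib

# Digest algorithms this example accepts; the rule carries only the algorithm name and digest.
ALGORITHMS = {"md5": hashlib.md5, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def author_rule(secret: bytes, algorithm: str = "sha256", offset: int = 0) -> dict:
    """Rule-author side: hash the sensitive pattern once and ship only the digest,
    the number of bytes to hash, and where in the payload to hash them."""
    digest = ALGORITHMS[algorithm](secret).hexdigest()
    return {"hash": algorithm, "length": len(secret), "offset": offset, "digest": digest}


def matches(rule: dict, payload: bytes) -> bool:
    """Sensor side: hash exactly rule['length'] bytes starting at rule['offset']
    and compare digests. The sensor never needs the plaintext pattern."""
    start, n = rule["offset"], rule["length"]
    window = payload[start:start + n]
    if len(window) != n:  # payload too short for the window: no match
        return False
    return ALGORITHMS[rule["hash"]](window).hexdigest() == rule["digest"]


def find_positions(rule: dict, payload: bytes) -> list:
    """Exhaustive scan: one hash per candidate offset. Included to make the cost
    visible; it is why a hashed match is anchored to a known offset in practice."""
    n = rule["length"]
    return [i for i in range(len(payload) - n + 1) if matches({**rule, "offset": i}, payload)]


if __name__ == "__main__":
    # Constructed request line used as the sensitive pattern (hypothetical path).
    rule = author_rule(b"GET /internal/admin-console", offset=0)
    print(rule)  # the plaintext pattern does not appear in the rule
    print(matches(rule, b"GET /internal/admin-console HTTP/1.1\r\n"))
    print(matches(rule, b"GET /public/index.html HTTP/1.1\r\n"))
```

One caveat worth keeping in mind: the digest hides the pattern from anyone reading the rule file, but a short or low-entropy pattern can still be recovered by hashing guesses and comparing, so treat this as confidentiality of the signature text, not as a cryptographic secret.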
You can now use VMware Tools with FireSIGHT System virtual appliances. This enhances compatibility with the VMware environment and improves management of virtual devices by enabling soft power down, migration, and other virtual specific capabilities. VMware tools are supported on:
Note With the FireSIGHT System, Version 5.4, the supported ESXi versions are upgraded to 5.0, 5.1, and 5.5.
Support for vmxnet3 Interfaces in VMware Virtual Appliances
Vmxnet3 interface types are now supported on virtual devices. This allows you to use high-speed network interfaces, up to 10 Gbit/s.
Multiple Management Interfaces
You can now use multiple management interface ports on Series 3 Defense Centers, FirePOWER (Series 3) managed devices, and virtual Defense Centers. You can set one interface for management traffic and another interface for event traffic. This improves deployment options in some environments.
FirePOWER (Series 3) devices are now able to take part in Link Aggregation Control Protocol (LACP) (IEEE 802.3ad) negotiation to aggregate multiple links together into one. This allows both link redundancy and bandwidth sharing.
Version 5.4 introduces the 3D7050 as a 70xx Family device with a dual core quad thread processor, 8GB of RAM, and an 80GB hard drive.
Version 5.4 also introduces two new Series 3 FirePOWER managed devices designed with additional processing power to maximize the performance of the FireSIGHT System’s AMP features. The AMP8050 is an 81xx Family device with support for Netmods and includes the additional storage necessary to function as a dedicated AMP appliance. The AMP8350 is an 83xx Family device also with support for Netmods and the additional storage required for AMP functionality. The AMP8350 model can be used as a stacked unit as the AMP8360, AMP8370, and AMP8390, for 2, 3, and 4 stacks, respectively.
The DC2000 is a new Defense Center appliance platform that offers double the performance and capacity of the DC1500.
The DC4000 is a new Defense Center appliance platform that offers double the performance and capacity of the DC3500.
The system now displays the names of files detected through file detection, malware detection, and FireAMP file events. This allows the display of non-Western characters, including those that are double-byte encoded.
Geolocation and Security Intelligence Data in Correlation Rules
The correlation rules engine has been updated to make connection geolocation and security intelligence data available. This allows you to generate correlated events or take correlated actions based on these two new constraints. For example, if an Impact 1 intrusion event is detected from a specific country, you can set up an alert to log that information to an external syslog server.
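The example in the text, carried through as an added illustration that is not part of these notes or of the Defense Center's own correlation engine: a small evaluator that applies AND-ed conditions on impact, source country, and a security intelligence category to constructed intrusion events, and formats each hit as a syslog line of the kind an external server would receive. The event field names, rule names, country code "XX", hostname "dc1", and the local4/alert priority are all this example's own assumptions.

```python
import operator
from datetime import datetime

# Constructed sample intrusion events (not from any real deployment). The field
# names are this example's own, not the Defense Center's schema.
EVENTS = [
    {"ts": "2015-03-24T10:00:01Z", "impact": 1, "src_ip": "203.0.113.7", "src_country": "XX",
     "dst_ip": "10.0.0.5", "msg": "EXAMPLE-1 exploit attempt", "si_category": None},
    {"ts": "2015-03-24T10:00:02Z", "impact": 3, "src_ip": "203.0.113.8", "src_country": "XX",
     "dst_ip": "10.0.0.6", "msg": "EXAMPLE-2 policy violation", "si_category": None},
    {"ts": "2015-03-24T10:00:03Z", "impact": 1, "src_ip": "198.51.100.9", "src_country": "US",
     "dst_ip": "10.0.0.7", "msg": "EXAMPLE-3 exploit attempt", "si_category": "CnC"},
    {"ts": "2015-03-24T10:00:04Z", "impact": 2, "src_ip": "203.0.113.10", "src_country": "XX",
     "dst_ip": "10.0.0.8", "msg": "EXAMPLE-4 suspicious download", "si_category": "CnC"},
]

# Comparison operators a condition may use.
OPS = {"eq": operator.eq, "le": operator.le, "in": lambda value, allowed: value in allowed}

# Each rule is a name plus AND-ed conditions (field, op, value). The first mirrors the
# text's example: Impact 1 events from a particular country ("XX" is a placeholder code).
# The second uses the security intelligence category instead of geolocation.
RULES = [
    {"name": "impact1-from-country",
     "conditions": [("impact", "eq", 1), ("src_country", "in", {"XX"})]},
    {"name": "si-cnc-high-impact",
     "conditions": [("si_category", "eq", "CnC"), ("impact", "le", 2)]},
]


def rule_matches(rule: dict, event: dict) -> bool:
    """True only when every condition of the rule holds for the event."""
    return all(OPS[op](event.get(field), value) for field, op, value in rule["conditions"])


def to_syslog(event: dict, rule: dict, hostname: str = "dc1") -> str:
    """RFC 3164-style line; facility local4 (20), severity alert (1) gives PRI 161."""
    dt = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    stamp = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"  # RFC 3164 pads the day with a space
    return (f"<161>{stamp} {hostname} FireSIGHT: correlation={rule['name']} "
            f"impact={event['impact']} src={event['src_ip']} country={event['src_country']} "
            f"dst={event['dst_ip']} si={event['si_category'] or '-'} msg=\"{event['msg']}\"")


def correlate(events: list, rules: list) -> list:
    """Evaluate every rule against every event; one syslog line per hit."""
    return [to_syslog(e, r) for e in events for r in rules if rule_matches(r, e)]


if __name__ == "__main__":
    for line in correlate(EVENTS, RULES):
        print(line)
```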
Support for Private FireAMP Cloud
With Version 5.4, you can use a private FireAMP cloud rather than the Cisco public cloud. This requires installation of a private cloud virtual appliance. The private cloud mediates interactions with the public cloud so you can gather collected threat information from the public cloud without exposing information from your network.
.rtf file now generates an Invalid Rules File 'rtf_rule.rtf': Must be a plain text file that is ASCII or UTF-8 encoded warning.
– ECN Flags Normalized in TCP Traffic/Packet
– ECN Flags Normalized in TCP Traffic/Session
– IPv4 Reserved Flag Normalizations
– TCP Header Padding Normalizations
– TCP No Option Normalizations
– TCP Packets Blocked by Normalization
– TCP Reserved Flags Normalizations
– TCP Segment Reassembly Normalizations
– TCP SYN Option Normalizations
– TCP Timestamp ECR Normalizations
– TCP Urgent Flag Normalizations
Decompress SWF File (LZMA), Decompress SWF File (Deflate), and Decompress PDF File (Default) HTTP Inspect preprocessor options offer enhanced decompression support for PDF and SWF file content.
If you reference documentation for Version 5.3.1.x or Version 5.3.0.x, you may notice the terminology differs from the documentation for Version 5.4.
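The file_type keyword described earlier and the SWF decompression options above come down to the same two steps on the sensor: recognise the container from its magic bytes, then inspect the content the container hides, because a content match against the compressed bytes sees nothing. The Python below is an added illustration written for these notes, not Snort or FireSIGHT code; the function names and the constructed SWF body are this example's own. It decompresses the deflate (CWS) SWF variant, and only identifies the LZMA (ZWS) variant and PDF without decompressing them.

```python
import struct
import zlib


def identify_file_type(data: bytes) -> str:
    """Magic-number classification, the kind of check a file_type match implies."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    sig = data[:3]
    if sig == b"FWS":
        return "swf"          # uncompressed
    if sig == b"CWS":
        return "swf-deflate"  # everything after the 8-byte header is zlib-compressed
    if sig == b"ZWS":
        return "swf-lzma"     # LZMA body; identified only, not decompressed here
    return "unknown"


def make_swf(body: bytes, compress: bool) -> bytes:
    """Construct a test SWF: 3-byte signature, version byte, little-endian
    uncompressed file length (header included), then the body."""
    header = bytes([10]) + struct.pack("<I", 8 + len(body))
    if compress:
        return b"CWS" + header + zlib.compress(body, 9)
    return b"FWS" + header + body


def decompress_swf(data: bytes) -> bytes:
    """Return the uncompressed (FWS) form of a SWF, checking the declared length."""
    kind = identify_file_type(data)
    if kind == "swf":
        return data
    if kind == "swf-deflate":
        expected = struct.unpack("<I", data[4:8])[0]
        out = b"FWS" + data[3:8] + zlib.decompress(data[8:])
        if len(out) != expected:
            raise ValueError("decompressed length does not match the SWF header")
        return out
    raise ValueError(f"cannot decompress {kind}")


def content_match(data: bytes, pattern: bytes) -> dict:
    """Compare a naive match on the wire bytes with a match after decompression."""
    return {"raw": pattern in data, "decompressed": pattern in decompress_swf(data)}


# Constructed ActionScript-like body; the marker is the sort of string a
# signature would look for, repeated so that deflate actually compresses it.
BODY = b"<as3>eval(unescape('%75%6e%73%61%66%65'))</as3>" * 3
PATTERN = b"eval(unescape("

if __name__ == "__main__":
    swf = make_swf(BODY, compress=True)
    print(identify_file_type(swf), content_match(swf, PATTERN))
```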
Tip Cisco documentation may refer to the Defense Center as the FireSIGHT Management Center. The Defense Center and the FireSIGHT Management Center are the same appliance.
You can download all updated documentation from the Support site. In Version 5.4, the following documents were updated to reflect the addition of new features and changed functionality and to address reported documentation issues:
The documentation updated for Version 5.4 contains the following errors:
Before you begin the update process for Version 5.4, you should familiarize yourself with the behavior of the system during the update process, as well as with any compatibility issues or required pre- or post-update configuration changes.
Note To reduce the time to update to Version 5.4.0, install the Version 5.4.0 Pre-Installation Package before you update. For more information, see FireSIGHT System Release Notes for the Version 5.4.0 Pre-Installation Package.
For more information, see the following sections:
Before you begin the update, Cisco strongly recommends that you delete or move any backup files that reside on your appliance, then back up current event and configuration data to an external location.
Use the Defense Center to back up event and configuration data for itself and the devices it manages. For more information on the backup and restore feature, see the FireSIGHT System User Guide.
Note The Defense Center purges locally stored backups from previous updates. To retain archived backups, store the backups externally.
The update process reboots managed devices. Depending on how your devices are configured and deployed, the following capabilities are affected:
Note that when you update clustered devices, the system performs the update one device at a time to avoid traffic interruption.
Traffic Inspection and Link State
In an inline deployment, your managed devices (depending on model) can affect traffic flow via application control, user control, URL filtering, Security Intelligence, and intrusion prevention, as well as switching, routing, NAT, and VPN. For more information on appliance capabilities, see the FireSIGHT System Installation Guide.
The following table provides details on how traffic flow, inspection, and link state are affected during the update, depending on your deployment. Note that regardless of how you configured any inline sets, switching, routing, NAT, and VPN are not performed during the update process.
Series 3 devices do not perform switching, routing, NAT, VPN, or related functions during the update. If you configured your devices to perform only switching and routing, network traffic is blocked throughout the update.
When updating appliances that have a web interface, after the system completes its pre-update tasks and the streamlined update interface page appears, login attempts to the appliance are not reflected in the audit log until the update process is complete and the appliance reboots.
A Defense Center must be running at least Version 5.3.1 to update to Version 5.4. If you are running an earlier version, you can obtain updates from the Support site.
A Defense Center must be running at least Version 5.4 to update its managed devices to Version 5.4.
The closer your appliances’ current version is to the release version (Version 5.4), the less time the update takes.
The table below provides disk space and time guidelines for the Version 5.4 update. Note that when you use the Defense Center to update a managed device, the Defense Center requires additional disk space on its /Volume partition.
The reboot portion of the update includes a database check. If errors are found during the database check, the update requires additional time to complete. System daemons that interact with the database do not run during the database check and repair.
If you encounter issues with the progress of your update, contact Support.
You must use Version 5.4 of the Defense Center to manage devices running Version 5.4. Defense Centers running Version 5.4 can manage managed devices and ASA FirePOWER modules installed on ASA devices. Devices must be running the versions identified in the following table to be managed by a Defense Center.
Note You cannot update Cisco NGIPS for Blue Coat X-Series running Version 5.3.0.x of the FireSIGHT System directly to Version 5.4. Instead, you must uninstall the previous version and install Version 5.4. Note that this results in the loss of all configuration and event data on the X-Series installation. For more information, see the Cisco NGIPS for Blue Coat X-Series Installation and Configuration Guide.
Operating System Compatibility
You can host 64-bit virtual appliances running Version 5.4 on the following hosting environments:
You can install ASA FirePOWER modules running Version 5.4 on the following ASA platforms running ASA Version 9.2(2.4) and later, ASA Version 9.2(3) and later, and ASA Version 9.2(4) and later:
For more information, see the FireSIGHT System Installation Guide or the FireSIGHT System Virtual Installation Guide.
You can run Version 5.4 of the Cisco NGIPS for Blue Coat X-Series on the X-Series platform running XOS Version 9.7.2 and later and Version 10.0 and later. For more information, see the Cisco NGIPS for Blue Coat X-Series Installation and Configuration Guide.
Version 5.4 of the web interface for the FireSIGHT System has been tested on the browsers listed in the following table.
Note If you use the Microsoft Internet Explorer 11 browser, you must disable the Include local directory path when uploading files to server option in your Internet Explorer settings via Tools > Internet Options > Security > Custom level.
Browser settings: JavaScript, cookies, Secure Sockets Layer (SSL) v3, 128-bit encryption, Active scripting security setting, Compatibility View; set Check for newer versions of stored pages to Automatically.
Note Many browsers use Transport Layer Security (TLS) v1.3 by default. If you have an active SSL policy and your browser uses TLSv1.3, websites that support TLSv1.3 fail to load. As a workaround, configure your managed device to remove extension 43 (TLS 1.3) from ClientHello negotiation. See this software advisory for more information.
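Extension 43 is the TLS supported_versions extension: a TLS 1.3 client keeps 0x0303 in the legacy version field and announces 0x0304 only inside that extension, so an inspection device that reads the legacy field alone cannot tell the two apart. The Python below is an added illustration written for these notes, not code from the managed device or the advisory; it builds a constructed ClientHello, parses its extensions, reports whether TLS 1.3 is offered, and shows what the documented workaround amounts to on the wire: dropping that one extension and re-encoding every length field consistently. The function names, cipher suites, and the "localhost" server name are this example's own choices.

```python
import struct

SUPPORTED_VERSIONS = 43  # TLS extension type 43, the one the note above refers to
TLS12, TLS13 = 0x0303, 0x0304


def encode_client_hello(fields: dict) -> bytes:
    """Serialise ClientHello fields into a TLS handshake record."""
    suites = b"".join(struct.pack(">H", s) for s in fields["cipher_suites"])
    exts = b"".join(struct.pack(">HH", t, len(b)) + b for t, b in fields["extensions"])
    body = (struct.pack(">H", fields["legacy_version"])
            + fields["random"]
            + bytes([len(fields["session_id"])]) + fields["session_id"]
            + struct.pack(">H", len(suites)) + suites
            + bytes([len(fields["compression"])]) + fields["compression"]
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", TLS12, len(handshake)) + handshake  # 0x16 = handshake


def parse_client_hello(record: bytes) -> dict:
    """Walk the record and handshake headers, then each variable-length field."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    hs = record[9:9 + hs_len]
    legacy_version = struct.unpack(">H", hs[0:2])[0]
    random, p = hs[2:34], 34
    n = hs[p]
    session_id, p = hs[p + 1:p + 1 + n], p + 1 + n
    n = struct.unpack(">H", hs[p:p + 2])[0]
    p += 2
    suites = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    n = hs[p]
    compression, p = hs[p + 1:p + 1 + n], p + 1 + n
    extensions = []
    if p < len(hs):  # extensions block is optional for old clients
        end = p + 2 + struct.unpack(">H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[p:p + 4])
            extensions.append((etype, hs[p + 4:p + 4 + elen]))
            p += 4 + elen
    return {"legacy_version": legacy_version, "random": random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression, "extensions": extensions}


def offered_versions(fields: dict) -> list:
    """Versions the client really offers: the supported_versions list if present,
    otherwise only the legacy field."""
    for etype, body in fields["extensions"]:
        if etype == SUPPORTED_VERSIONS:
            return [struct.unpack(">H", body[i:i + 2])[0] for i in range(1, 1 + body[0], 2)]
    return [fields["legacy_version"]]


def offers_tls13(record: bytes) -> bool:
    return TLS13 in offered_versions(parse_client_hello(record))


def strip_extension(record: bytes, ext_type: int) -> bytes:
    """What the documented workaround does: drop one extension and re-encode."""
    fields = parse_client_hello(record)
    fields["extensions"] = [(t, b) for t, b in fields["extensions"] if t != ext_type]
    return encode_client_hello(fields)


def build_sample_client_hello(offer_tls13: bool) -> bytes:
    """Constructed ClientHello (not a capture): server_name plus, optionally, extension 43."""
    exts = [(0, b"\x00\x0c\x00\x00\x09localhost")]  # server_name list with one host name
    if offer_tls13:
        versions = struct.pack(">HH", TLS13, TLS12)
        exts.append((SUPPORTED_VERSIONS, bytes([len(versions)]) + versions))
    return encode_client_hello({
        "legacy_version": TLS12, "random": bytes(32), "session_id": b"",
        "cipher_suites": [0x1301, 0xC02F], "compression": b"\x00", "extensions": exts})


if __name__ == "__main__":
    hello = build_sample_client_hello(offer_tls13=True)
    print("offers TLS 1.3:", offers_tls13(hello))
    print("after stripping extension 43:", offers_tls13(strip_extension(hello, SUPPORTED_VERSIONS)))
```

The lesson for anyone operating an SSL policy is the one the note states: the legacy version field stays 0x0303 either way, so the only reliable indicator of a TLS 1.3 offer is the extension, and removing it is what forces the negotiation down to a version the device can decrypt.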
Screen Resolution Compatibility
Cisco recommends selecting a screen resolution that is at least 1280 pixels wide. The user interface is compatible with lower resolutions, but a higher resolution optimizes the display.
Before you begin the update, you must thoroughly read and understand these release notes, especially Before You Begin: Important Update and Compatibility Notes.
Note Updates can require large data transfers from the Firepower Management Center to managed devices. Before you begin, make sure your management network has sufficient bandwidth to successfully perform the transfer. See the Troubleshooting Tech Note at https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212043-Guidelines-for-Downloading-Data-from-the.html.
You can update Defense Centers and ASA FirePOWER modules running at least Version 5.3.1 of the FireSIGHT System to Version 5.4. You can update Series 2 devices running at least Version 5.3.1 of the FireSIGHT System to Version 5.4. To update your appliances to Version 5.4, see the guidelines and procedures outlined below:
Because the update process may affect traffic inspection, traffic flow, and link state, Cisco strongly recommends you perform the update in a maintenance window or at a time when the interruption will have the least impact on your deployment.
Use the Defense Center’s web interface to perform the update. Update the Defense Center first, then use it to update the devices it manages.
Update your Defense Centers before updating the devices they manage.
Installing the Update on Paired Defense Centers
When you begin to update one Defense Center in a high availability pair, the other Defense Center in the pair becomes the primary, if it is not already. In addition, the paired Defense Centers stop sharing configuration information; paired Defense Centers do not receive software updates as part of the regular synchronization process.
To ensure continuity of operations, do not update paired Defense Centers at the same time. First, complete the update procedure for the secondary Defense Center, then update the primary Defense Center.
Installing the Update on Clustered Devices
When you install an update on clustered devices, the system performs the update on the devices one at a time. When the update starts, the system first applies it to the secondary device, which goes into maintenance mode until any necessary processes restart and the device is processing traffic again. The system then applies the update to the primary device, which follows the same process.
Installing the Update on Stacked Devices
When you install an update on stacked devices, the system performs the updates simultaneously. Each device resumes normal operation when the update completes. Note that:
Installing the Update on Cisco NGIPS for Blue Coat X-Series
You cannot update Cisco NGIPS for Blue Coat X-Series running Version 5.3.0.x of the FireSIGHT System directly to Version 5.4. Instead, you must uninstall the previous version and install Version 5.4. Note that this results in the loss of all configuration and event data on the X-Series installation. For more information, see the Cisco NGIPS for Blue Coat X-Series Installation and Configuration Guide.
After you perform the update on either the Defense Center or managed devices, you must reapply device configuration and access control policies. Applying an access control policy may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the FireSIGHT System User Guide.
There are several additional post-update steps you should take to ensure that your deployment is performing properly. These include:
The next sections include detailed instructions not only on performing the update, but also on completing any post-update steps. Make sure you complete all of the listed tasks.
Note To reduce the time to update to Version 5.4.0, install the Version 5.4.0 Pre-Installation Package before you update. For more information, see FireSIGHT System Release Notes for the Version 5.4.0 Pre-Installation Package.
Use the procedure in this section to update your Defense Centers, including virtual Defense Centers. For the Version 5.4 update, Defense Centers reboot.
Note Updating a Defense Center to Version 5.4 removes existing uninstallers from the appliance.
Note If you have inline normalization enabled and you update a Defense Center currently running Version 5.3.x to Version 5.4, the update process does not change the behavior of your policies. The system now adds user layers as necessary to preserve the settings that carried over.
Step 1 Read these release notes and complete any required pre-update tasks.
For more information, see Before You Begin: Important Update and Compatibility Notes.
Step 2 Download the update from the Support site:
Note Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
Step 3 Upload the update to the Defense Center by selecting System > Updates, then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload.
The update is uploaded to the Defense Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated.
Step 4 Make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 5 View the task queue (System > Monitoring > Task Status) to make sure that there are no tasks in progress.
You must wait until any long-running tasks are complete before you begin the update. Tasks that are running when the update begins are stopped, become failed tasks, and cannot be resumed; you must manually delete them from the task queue after the update completes. The task queue automatically refreshes every 10 seconds.
Step 6 Select System > Updates.
The Product Updates tab appears.
Step 7 Click the install icon next to the update you uploaded.
The Install Update page appears.
Step 8 Select the Defense Center and click Install. Confirm that you want to install the update and reboot the Defense Center.
The update process begins. You can begin monitoring the update's progress in the task queue (System > Monitoring > Task Status). However, after the Defense Center completes its necessary pre-update checks, you are logged out. When you log back in, the Upgrade Status page appears. The Upgrade Status page displays a progress bar and provides details about the script currently running.
If the update fails for any reason, the page displays an error message indicating the time and date of the failure, which script was running when the update failed, and instructions on how to contact Support. Do not restart the update.
When the update completes, the Defense Center displays a success message and reboots.
Step 9 After the update finishes, clear your browser cache and force a reload of the browser. Otherwise, the user interface may exhibit unexpected behavior.
Step 10 Log into the Defense Center.
Step 11 Review and accept the End User License Agreement (EULA). Note that you are logged out of the appliance if you do not accept the EULA.
Step 12 Select Help > About and confirm that the software version is listed correctly: Version 5.4. Also note the versions of the rule update and VDB on the Defense Center; you will need this information later.
Step 13 Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 14 If the rule update available on the Support site is newer than the rules on your Defense Center, import the newer rules. Do not auto-apply the imported rules at this time.
For information on rule updates, see the FireSIGHT System User Guide.
Step 15 If the VDB available on the Support site is newer than the VDB on your Defense Center, install the latest VDB.
Installing a VDB update causes a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the FireSIGHT System User Guide.
Step 16 Reapply device configurations to all managed devices.
To reactivate a grayed-out Apply button, edit any interface in the device configuration, then click Save without making changes.
Step 17 Reapply access control policies to all managed devices.
Applying an access control policy may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the FireSIGHT System User Guide.
Step 18 If a patch for Version 5.4 is available on the Support site, apply the latest patch as described in the FireSIGHT System Release Notes for that version.
You must update to the latest patch to take advantage of the latest enhancements and security fixes.
After you update your Defense Centers to Version 5.4, use them to update the devices they manage.
A Defense Center must be running at least Version 5.4 to update its managed devices to Version 5.4. Virtual managed devices have no web interface, so you must use the Defense Center to update them. ASA FirePOWER modules likewise have no web interface you can use to update them; to update your physical and virtual ASA FirePOWER modules, use your Defense Center.
Updating managed devices is a two-step process. First, download the update from the Support site and upload it to the managing Defense Center. Next, install the software. You can update multiple devices at once, but only if they use the same update file.
For the Version 5.4 update, all devices reboot. Series 3 devices do not perform traffic inspection, switching, routing, NAT, VPN, or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow and link state. For more information, see Traffic Flow and Inspection During the Update.
To update managed devices and ASA FirePOWER modules:
Step 1 Read these release notes and complete any required pre-update tasks.
For more information, see Before You Begin: Important Update and Compatibility Notes.
Step 2 Update the software on the devices’ managing Defense Center; see Updating Defense Centers.
Step 3 Download the update from the Support site:
Note Download the update directly from the Support site. If you transfer an update file by email, it may become corrupted.
Step 4 Upload the update to the Defense Center by selecting System > Updates, then clicking Upload Update on the Product Updates tab. Browse to the update and click Upload.
The update is uploaded to the Defense Center. The web interface shows the type of update you uploaded, its version number, and the date and time it was generated. The page also indicates whether a reboot is required as part of the update.
Step 5 Make sure that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 6 Click the install icon next to the update you are installing.
The Install Update page appears.
Step 7 Select the devices where you want to install the update.
If you are updating a stacked pair, selecting one member of the pair automatically selects the other. You must update members of a stacked pair together.
Step 8 Click Install. Confirm that you want to install the update and reboot the devices.
Step 9 The update process begins. You can monitor the update's progress in the Defense Center’s task queue (System > Monitoring > Task Status).
Note that managed devices may reboot twice during the update; this is expected behavior.
Step 10 Select Devices > Device Management and confirm that the devices you updated have the correct software version: Version 5.4.
Step 11 Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
Step 12 Reapply device configurations to all managed devices.
Tip To reactivate a grayed-out Apply button, edit any interface in the device configuration, then click Save without making changes.
Step 13 Reapply access control policies to all managed devices.
Applying an access control policy may cause a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the FireSIGHT System User Guide.
Step 14 If a patch for Version 5.4 is available on the Support site, apply the latest patch as described in the FireSIGHT System Release Notes for that version.
You must update to the latest patch to take advantage of the latest enhancements and security fixes.
You can track defects resolved in this release using the Cisco Bug Search Tool (https://tools.cisco.com/bugsearch/). A Cisco account is required. To view defects addressed in older versions, refer to the legacy caveat tracking system. The following sections list the issues resolved in the Version 5.4 update.
Issues Resolved in Version 5.4
SHOW TABLES command caused the query to fail. (132685/CSCze89153)
Snort Alert message instead of a customized message. (134270/CSCze88831)
WARNING: normalizations disabled because not inline error. (140117/CSCze92324)
Sent for Analysis instead of a timed out status. (142309/CSCze93757)
Back-end failed for import error and did not import the policy. (144905/CSCze96093)
The following known issues are reported in Version 5.4:
file_type and a file_group to your detection options, moving the file_type detection option up or down in order clears the selection you made for file_group when it should not. (139441/CSCze91218)
uncached session errors in the SSL Status column of the Connection Events table view. Cisco recommends creating an SSL policy with the Session Not Cached option set to Do Not Decrypt so traffic is not blocked. (143335/CSCze93608)
Unknown in the intrusion events table view (Analysis > Intrusion > Events). (143665/CSCze94947)
: ) on the file events table view page (Analysis > Files > File Events). (143666/CSCze94954)
show users as a supported CLI command. (144400/CSCze95719)
eth1 is enabled for DHCP and Event Only Traffic, the system incorrectly saves the configuration with both eth0 and eth1 enabled for DHCP when only eth1 should be configured for DHCP. (144525/CSCze95666)
Unable to load container error. (144576/CSCze95166)
Thank you for choosing the FireSIGHT System.
If you are a new customer, please visit https://support.sourcefire.com/ to download the Sourcefire Support Welcome Kit, a document to help you get started with Sourcefire Support and set up your Customer Center account.
If you have any questions, want to download updated documentation, or require assistance with the Sourcefire Defense Center or managed devices, please contact Sourcefire Support:
If you have any questions or require assistance with Cisco NGIPS for Blue Coat X-Series, please visit the Blue Coat Support site at: https://www.bluecoat.com/support/contactsupport/.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about Cisco ASA devices, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
If you have any questions or require assistance with Cisco ASA devices, please contact Cisco Support: