45 Comments

  1. Jonathan
    April 29, 2019 @ 8:41 am

    Did you upgrade the FTD to 6.4 as well and then test Deploy time? Or did you only upgrade the FMC? I believe you will see an improvement in deploy time once both devices are on same version.

    • lammle
      April 29, 2019 @ 8:43 am

      Hi Jonathan, thank you for your post
      I did both, and I received the same deploy time with both, which were the same as 6.2.3/6.3 deploys
      I have a full class this week and I will get a lot of perspective with the code!
      I’ll post again at the end of this week!
      Todd

      • Jonathan
        April 29, 2019 @ 8:52 am

        I will update you on our deploy times once I upgrade (currently on 6.2.3). I have heard of others saving a few minutes on deploy. Hopefully it helps us.

        • lammle
          May 1, 2019 @ 6:55 pm

          So I added two 6.4 devices and the deploy time was a lot faster, but it’s not apples to apples, as the 6.4 devices had 16G of RAM and 8 cores, more than twice my other devices

          • Jonathan
            May 4, 2019 @ 8:50 am

            Cool. I upgraded one 2110 FTD and now our WCCP redirect isn’t working and getting two security intelligence list feed errors. Not cool.

    • Roy
      May 7, 2019 @ 1:06 pm

      Just sharing my deploy time experience. I have 3 2110 FTDs talking to a Virtual FMC. The FTDs are all configured the same with 1Gb interfaces. Right now I have 2 at 6.3.0.3 and one at 6.4.0. First of all, I saw a significant deploy reduction when I went from 6.2.3.x to 6.3.x. I cut about 30 to 40 seconds on average off the deploy times after I switched. I could easily confirm this by only upgrading one FTD and then deploying the exact same config to all 3. The one that was upgraded to 6.3 always deployed faster. I did this same test after upgrading the one to 6.4.0 and so far I have not seen any improvement over 6.3. All of my deployments have been the same over all 3 FTDs. I am looking at about 1:35 deploy times. That does bring up a curious question. What general deploy times are you guys seeing?

      • lammle
        May 7, 2019 @ 3:28 pm

        I have two 5506 FTDs with 6.2.3 and two vFTDs with 6.4.
        The 6.4 code is faster, but it’s not a fair comparison as the 6.4 has 8 cores and 16G of RAM.
        I’m seeing upward of 6 minutes, with all policies configured.

  2. Steve Drzaszcz
    April 29, 2019 @ 10:13 am

    Is it worth it to sunset 5506-X devices that can never get to 6.4? 6.4 FMC still allows for management of them even if they are only on 6.2.3 right?

    • lammle
      April 29, 2019 @ 11:58 am

      They are going to announce the new 1000 FTD series at Cisco Live, so don’t buy any more 5506s!!

    • lammle
      April 29, 2019 @ 11:59 am

      Yes, you can use the 6.2.3.10 code for a long time!

  3. tewv.networks
    May 1, 2019 @ 9:51 am

    Can anyone give me info on WCCP configuration? We have FTD 2120s and want to use Barracuda devices but not inline. HELP

  4. Roy
    May 3, 2019 @ 1:12 pm

    Hey Todd,

    I upgraded FMCv and 1 FTD to 6.4.0 from 6.3.0.2 and under Status|Product Updates FMCv shows Current 6.4.0 and Latest 6.4.0. But the FTDs show Current 6.3.0.2 and 6.4.0 but the Latest shows 2019. Have you seen this on any of your deployments?

    • lammle
      May 4, 2019 @ 8:55 am

      You mean one 2110 to 6.4? Yeah, it’s not ready yet. I had too many problems this last week. 6.3.0.2 is great… wait for 6.4.0.1

      • Jonathan
        May 4, 2019 @ 9:19 am

        Yes. To 6.4. HA FMC pair upgraded fine and don’t see any issues with that.

        Time for TAC I guess. That’s too bad. Was hoping for no issues.

        • lammle
          May 4, 2019 @ 9:27 am

          So most of 6.4 worked fine, yes, but we found issues and I haven’t had time to write them up yet… we found a serious issue, and then a few not so serious issues… I’ll create a new post soon…
          Jonathan, always just ping me before you upgrade, I won’t mind getting an email… about 100 people do every time code comes out… I get to test it seriously in production (not beta, but in real-life areas) when it is released. My response to my customers was NO on 6.4 for now… there is great stuff here, just wait for 6.4.0.1

          • Jonathan
            May 4, 2019 @ 6:23 pm

            5 hours on phone with TAC. 6.4 breaks WCCP. Had to reimage production firewall. 2110 FTD. Not fun.

          • lammle
            May 4, 2019 @ 6:48 pm

            Did they not know this, and why did it take so long? No, that is not fun… we’ll have to remember to never do a .0 code again! Sorry Jonathan!

          • Earl G
            May 21, 2019 @ 12:00 pm

            I’m glad I’m reading over these comments before upgrading my customer over to 6.4

          • lammle
            May 21, 2019 @ 12:20 pm

            Hi Earl, yes, you should read all my posts on 6.4, and now 6.4.0.1.
            There are some great features with 6.4, and 6.4.0.1 solved the problems I mention in this post.
            Thanks for writing,
            Todd

    • Jonathan
      May 5, 2019 @ 12:02 pm

      Roy, yes, my FMC is doing same thing. Showing 2019 as latest for FTDs. Pretty annoying.

      • Roy
        May 5, 2019 @ 9:10 pm

        Thanks Jonathan for the confirmation. I’m glad you guys brought up the issues before I upgraded my production FTDs. I did upgrade FMC though. Should I revert that back to 6.3 or will I be ok with just leaving the FTDs at 6.3?

        • Roy
          May 5, 2019 @ 9:15 pm

          Thanks Jonathan for the confirmation. I’m glad you guys brought up the issues before I upgraded my production FTDs. I did upgrade FMC though. Should I revert that back to 6.3 or will I be ok with just leaving the FTDs at 6.3?

          • lammle
            May 6, 2019 @ 4:52 am

            I have mine at 6.4 and it is good. I did have the Firepower Network Discovery issue, but I used the workaround.

      • Roy
        May 6, 2019 @ 7:18 am

        So my Geo-location updated to the latest version over the weekend and now my Latest is showing correctly. Can’t say for sure that is what cleared it up, but that is the only thing that changed.

        • lammle
          May 6, 2019 @ 7:22 am

          Thanks, Roy, for all your posts and information! Very helpful.

        • Jonathan
          May 10, 2019 @ 7:12 am

          Roy,

          Yes, mine is fixed now too. Showing the correct update version. No more 2019 (which didn’t even make sense).

  5. lammle
    May 6, 2019 @ 4:55 am

    There is a bug you need to be aware of!
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-frpwrtd-dos

    Make sure you are running one of these FTD codes:
    6.2.3.12, 6.3.0.3 or 6.4.0

  6. tewv.networks
    May 7, 2019 @ 6:21 am

    Hi,
    Can anyone give me info on configuring the FTD for WCCP redirection to 3rd-party devices, please?

    • lammle
      May 7, 2019 @ 6:47 am

      That is just one thing I have not done. I hope you find your solution! Maybe call Barracuda?

    • lammle
      May 7, 2019 @ 6:49 am

      Good morning. This is one thing I have not done, and I hope you find your solution soon. Did you call Barracuda?

    • Deepak Chauhan
      May 8, 2019 @ 3:57 am

      I have done this for Websense on FTD 6.2.3. Pretty simple, using FlexConfig, as you do it regularly on ASAs.

    • Jonathan
      May 10, 2019 @ 7:16 am

      Yes, you have to use FlexConfig. The setup is really the same as an ASA. There are guides online.

      Keep in mind our WCCP broke on 6.4. We had to go back to 6.2.3

      https://community.cisco.com/t5/firewalls/wccp-redirection-on-firepower-ftd-2110/td-p/3219612

  7. Roy
    May 16, 2019 @ 8:41 am

    6.4.0.1 is out now. Has anyone tried it? If so, did it clear up the bugs in 6.4.0?

    • lammle
      May 16, 2019 @ 8:42 am

      Hi Roy, they list a couple of fixes in the release notes, but I’m at a customer and will need more time before I can get to this. I will shortly! I know other people have started testing! Will post results!
      Thank you!

  8. Roy
    May 17, 2019 @ 8:37 am

    I just thought of something that has been annoying me since day one. I use a custom block page for URL filtering. Has anyone found a way to show the category of why the user was blocked? I have not been able to figure that out. Right now I just have it to where it shows the URL they accessed with a hyperlink to Talos so they can click to show the category. But that is cumbersome and not very clean. I have been wanting to just integrate it directly into the page but can’t seem to get it going. If you have done this, your help is greatly appreciated.

    • lammle
      May 17, 2019 @ 8:45 am

      Any way to show me your custom block page? todd@lammle.com

      • Roy
        May 17, 2019 @ 11:50 am

        Alright, I got wrapped up, but you should have it.

  9. Roy
    May 21, 2019 @ 3:36 pm

    Got a new one for you guys. FMCv is 6.4.0.1, FTD 2110 is 6.3.0.3. Set up a correlation policy to email on rule hits. The events are happening but nothing is emailing. I can see the events in correlation events to confirm and it shows the policy and rule being generated. I know email is working because the email relay test works and other events are emailing. Just none of the correlation events. Have any of you seen this or can duplicate it? I did not have any set up before so I can’t say if it has ever worked on prior versions.

    • Roy
      May 23, 2019 @ 6:59 am

      Updated the FTD to 6.4.0.1 to see if that would be the fix and it is still not emailing. So it is either a problem with 6.4.0.1 or I have something horribly wrong going on. I did test the relay again to make sure it was working.

      • Roy
        May 23, 2019 @ 9:51 am

        OK, never mind. I found the reason why it isn’t working: “external email alerting is not supported for connection events”. Although not really sure why that isn’t an option.

    • lammle
      May 24, 2019 @ 7:56 am

      So I have a lab that uses a rule which, when it’s hit, generates an email. I think if you were using plain connection events, then that is the issue as you stated, but I know I can get it for a particular rule hit.

    • Jonathan
      May 24, 2019 @ 1:40 pm

      Roy,

      This worked for us in 6.2.3.6. Now that I went to FMC 6.4, it broke. No longer works. I am seeing the exact same thing you are.

      I have a TAC case open on it. They are trying to help me out. No luck as of yet.

      • lammle
        May 24, 2019 @ 3:06 pm

        Jonathan, I knew I had that working in a lab before!
