Updates

This chapter explains how to perform content updates.


Important

To upgrade the management center, or threat defense software or chassis, see the upgrade guide for the version that your management center is currently running: http://www.cisco.com/go/ftd-fmc-upgrade-74.

About System Updates

Use the management center to upgrade the system software for itself and the devices it manages. You can also update various databases and feeds that provide advanced services.

If the management center has internet access, the system can often obtain updates directly from Cisco. We recommend you schedule or enable automatic content updates whenever possible. Some updates are auto-enabled by the initial setup process or when you enable the related feature. Other updates you must schedule yourself. After initial setup, we recommend you review all auto-updates and adjust them if necessary.

Table 1. Upgrades and Updates

Component

Description

Details

System software

Major software releases contain new features, functionality, and enhancements. They may include infrastructure or architectural changes.

Maintenance releases contain general bug and security related fixes. Behavior changes are rare, and are related to those fixes.

Patches are on-demand updates limited to critical fixes with time urgency.

Hotfixes can address specific customer issues.

Direct Download: Select patches and maintenance releases only, usually some time after the release is available for manual download. The length of the delay depends on release type, release adoption, and other factors. Both on-demand and scheduled downloads are supported.

Note

 

In Version 7.4.1, we begin support for on-demand direct download of all releases (except hotfixes). However, support for scheduled downloads of maintenance releases is discontinued.

Schedule Install: Patches and maintenance releases only, as a scheduled task.

Uninstall: Patches only.

Revert: Major and maintenance releases for threat defense only. Revert is not supported for the management center or for Classic devices.

Reimage: Major and maintenance releases only.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Vulnerability database (VDB)

The Cisco vulnerability database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications. The system uses the VDB to help determine whether a particular host increases your risk of compromise.

Direct Download: Yes.

Schedule: Yes, as a scheduled task.

Uninstall: Starting with VDB 357, you can install any VDB as far back as the baseline VDB for the management center.

See: Update the Vulnerability Database (VDB)

Geolocation database (GeoDB)

The Cisco geolocation database (GeoDB) is a database of geographical and connection-related data associated with routable IP addresses.

Direct Download: Yes.

Schedule: Yes, from its own update page

Uninstall: No.

See: Update the Geolocation Database (GeoDB)

Intrusion rules (SRU/LSP)

Intrusion rule updates provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings.

Rule updates may also delete rules, provide new rule categories and default variables, and modify default variable values.

Direct Download: Yes.

Schedule: Yes, from its own update page.

Uninstall: No.

See: Update Intrusion Rules

Security Intelligence feeds

Security Intelligence feeds are collections of IP addresses, domain names, and URLs that you can use to quickly filter traffic that matches an entry.

Direct Download: Yes.

Schedule: Yes, from the object manager.

Uninstall: No.

See: Cisco Secure Firewall Management Center Device Configuration Guide

URL categories and reputations

URL filtering allows you to control access to websites based on the URL’s general classification (category) and risk level (reputation).

Direct Download: Yes.

Schedule: Yes, when you configure integrations/cloud services, or as a scheduled task.

Uninstall: No.

See: Cisco Secure Firewall Management Center Device Configuration Guide

Requirements and Prerequisites for System Updates

Model Support

Any

Supported Domains

Global unless indicated otherwise.

User Roles

Admin

Guidelines and Limitations for System Updates

Before You Update

Before you update any component of your deployment (including intrusion rules, VDB, or GeoDB) read the release notes or advisory text that accompanies the update. These provide critical and release-specific information, including compatibility, prerequisites, new capabilities, behavior changes, and warnings.

Scheduled Updates

The system schedules tasks — including updates — in UTC. This means that when they occur locally depends on the date and your specific location. Also, because updates are scheduled in UTC, they do not adjust for Daylight Saving Time, summer time, or any such seasonal adjustments that you may observe in your location. If you are affected, scheduled updates occur one hour "later" in the summer than in the winter, according to local time.


Important

We strongly recommend you review scheduled updates to be sure they occur when you intend.

Bandwidth Guidelines

To upgrade a the system software or perform a readiness check, the upgrade package must be on the appliance. Upgrade package sizes vary. Make sure you have the bandwidth to perform a large data transfer to your managed devices. See Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote).

Update the Vulnerability Database (VDB)

The Cisco vulnerability database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications. The system uses the VDB to help determine whether a particular host increases your risk of compromise.

Cisco issues periodic updates to the VDB. The time it takes to update the VDB and its associated mappings on the management center depends on the number of hosts in your network map. As a rule of thumb, divide the number of hosts by 1000 to determine the approximate number of minutes to perform the update.

The initial setup on the management center automatically downloads and installs the latest VDB from Cisco as a one-time operation. It also schedules a weekly task to download the latest available software updates, which includes the latest VDB. We recommend you review this weekly task and adjust if necessary. Optionally, schedule a new weekly task to actually update the VDB and deploy configurations. For more information, see Vulnerability Database Update Automation.

For VDB 343+, all application detector information is available through Cisco Secure Firewall Application Detectors. This site includes a searchable database of application detectors. The release notes provide information on changes for a particular VDB release.

Manually Update the VDB

Use this procedure to manually update the VDB. Starting with VDB 357, you can install any VDB as far back as the baseline VDB for the management center.


Caution

Do not perform tasks related to mapped vulnerabilities while the VDB is updating. Even if the Message Center shows no progress for several minutes or indicates that the update has failed, do not restart the update. Instead, contact Cisco TAC.

In most cases, the first deploy after a VDB update restarts the Snort process, interrupting traffic inspection. The system warns you when this will happen (updated application detectors and operating system fingerprints require a restart; vulnerability information does not). Whether traffic drops or passes without further inspection during this interruption depends on how the targeted device handles traffic. For more information, see Snort Restart Traffic Behavior.

Before you begin

If the management centercannot access the Cisco Support & Download site, get the update yourself: https://www.cisco.com/go/firepower-software. Select or search for your model (or choose any model—you use the same VDB for all management centers), then browse to the Coverage and Content Updates page.

Procedure

Step 1

Go to the rule update page.

  • Version 7.4.0: System (system gear icon) > Updates > Product Updates

  • Version 7.4.1+: System (system gear icon) > Content Updates > VDB Updates

Step 2

Choose how you want to get the VDB onto the management center.

  • Direct download: Click the Download Updates button.

  • Manual upload: Click Upload Update, then Choose File and browse to the VDB. After you choose the file, click Upload.

Note

 

In Version 7.2.0–7.2.5 7.4.0, clicking Download Updates also immediately gets the latest maintenance release and the latest critical patches for your deployment.

Step 3

Install the VDB.

  1. Next to the Vulnerability and Fingerprint Database update you want to install, click either the Install icon (for a newer VDB) or the Rollback icon (for an older VDB).

  2. Choose the management center.

  3. Click Install.

Monitor update progress in the Message Center. After the update completes, the system uses the new vulnerability information. However, you must deploy before updated application detectors and operating system fingerprints can take effect.

Step 4

Verify update success.

The VDB update page and Help (help icon) > About both show the current version.

What to do next

  • Deploy configuration changes; see the Cisco Secure Firewall Management Center Device Configuration Guide.

  • If you based configurations on vulnerabilities, application detectors, or fingerprints that are no longer available, examine those configurations to make sure you are handling traffic as expected. Also, keep in mind a scheduled task to update the VDB can undo a rollback. To avoid this, change the scheduled task or delete any newer VDB packages.

Update the Geolocation Database (GeoDB)

The geolocation database (GeoDB) is a database that you can leverage to view and filter traffic based on geographical location. We issue periodic updates to the GeoDB, and you must regularly update the GeoDB to have accurate geolocation information. You can see your current version on Help (help icon) > About.

The system comes with an GeoDB country code package that maps IP addresses to countries/continents. We also provide an IP package with contextual data. This includes additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on.

  • In Version 7.4.0–7.4.1, when the system downloads GeoDB updates (whether on-demand or on a schedule), it downloads both packages by default. If the contextual data is not important to you, you can save disk space by disabling and deleting the IP package.

  • In Version 7.4.2+, by default the system downloads only the country code package, although you can configure it to download both packages if the contextual data is important to you and you have sufficient disk space.

A GeoDB update overrides any previous versions. The management center automatically updates its managed devices and you do not need to redeploy. The time needed to update the GeoDB depends on your deployment, but can take up to 45 minutes depending on the size of the update—for example, if you are downloading and processing a full IP package. Although a GeoDB update does not interrupt any other system functions (including the ongoing collection of geolocation information), the update does consume system resources while it completes.

As part of the initial configuration, the system schedules weekly GeoDB updates. We recommend you review this task and make changes if necessary, as described in Schedule GeoDB Updates.

Schedule GeoDB Updates

As part of the initial configuration, the system schedules weekly GeoDB updates. We recommend you review this task and make changes if necessary, as described in this procedure.

Before you begin

Make sure the management center can access the Cisco Support & Download site.

Procedure

Step 1

Go to the GeoDB update page.

  • Version 7.4.0: System (system gear icon) > Updates > Geolocation Updates

  • Version 7.4.1+: System (system gear icon) > Content Updates > Geolocation Updates

Step 2

Under IP Package Configuration, use the IP Package Download option to specify whether you want to download only the required country code package, or if you also want the IP package.

Not using the IP package saves disk space, but also eliminates contextual geolocation data for IP addresses. If you change this configuration, click Save.

Step 3

Under Recurring Geolocation Updates, check Enable Recurring Weekly Updates....

Step 4

Specify the Update Start Time.

Step 5

Click Save.

Manually Update the GeoDB

Use this procedure to perform an on-demand GeoDB update.

Before you begin

If the management center cannot access the Cisco Support & Download site, get the update yourself: Software Download. Select or search for your model (or choose any model—you use the same GeoDB for all management centers), then browse to the Coverage and Content Updates page. Download the country code package and, optionally, the IP package.

Procedure

Step 1

Go to the GeoDB update page.

  • Version 7.4.0: System (system gear icon) > Updates > Geolocation Updates

  • Version 7.4.1+: System (system gear icon) > Content Updates > Geolocation Updates

Step 2

Under One-Time Geolocation Update, choose how you want to update the GeoDB.

  • Direct download: Choose Download and install....

  • Manual upload: Choose Upload and install..., then click Choose File and browse to the country code package you downloaded earlier.

Step 3

Under IP Package Configuration, use the IP Package Download option to specify whether you want to use the country code package only, or if you also want to use the IP package.

Not using the IP package saves disk space, but also eliminates contexual geolocation data for IP addresses. Note that even if you manually upload GeoDB packages, you should disable this option if you do not need the data in the IP package. This is because disabling the option deletes any existing/stale IP package.

If you change this configuration, click Save.

Step 4

Click Import.

Monitor update progress in the Message Center.

Step 5

Verify update success.

The GeoDB update page and Help (help icon) > About both show the current version.

Step 6

(Optional) If you are manually uploading the update, repeat this procedure for the IP package.

Update Intrusion Rules

As new vulnerabilities become known, the Talos Intelligence Group releases intrusion rule updates. These updates affect intrusion rules, preprocessor rules, and the policies that use the rules. Intrusion rule updates are cumulative, and Cisco recommends you always import the latest update. You cannot import an intrusion rule update that either matches or predates the version of the currently installed rules.

An intrusion rule update may provide the following:

  • New and modified rules and rule states—Rule updates provide new and updated intrusion and preprocessor rules. For new rules, the rule state may be different in each system-provided intrusion policy. For example, a new rule may be enabled in the Security over Connectivity intrusion policy and disabled in the Connectivity over Security intrusion policy. Rule updates may also change the default state of existing rules, or delete existing rules entirely.

  • New rule categories—Rule updates may include new rule categories, which are always added.

  • Modified preprocessor and advanced settings—Rule updates may change the advanced settings in the system-provided intrusion policies and the preprocessor settings in system-provided network analysis policies. They can also update default values for the advanced preprocessing and performance options in your access control policies.

  • New and modified variables—Rule updates may modify default values for existing default variables, but do not override your changes. New variables are always added.

In a multidomain deployment, you can import local intrusion rules in any domain, but you can import intrusion rule updates from Talos in the Global domain only.

Understanding When Intrusion Rule Updates Modify Policies

Intrusion rule updates can affect both system-provided and custom network analysis policies, as well as all access control policies:

  • system provided—Changes to system-provided network analysis and intrusion policies, as well as any changes to advanced access control settings, automatically take effect when you re-deploy the policies after the update.

  • custom—Because every custom network analysis and intrusion policy uses a system-provided policy as its base, or as the eventual base in a policy chain, rule updates can affect custom network analysis and intrusion policies. However, you can prevent rule updates from automatically making those changes. This allows you to update system-provided base policies manually, on a schedule independent of rule update imports. Regardless of your choice (implemented on a per-custom-policy basis), updates to system-provided policies do not override any settings you customized.

Note that importing a rule update discards all cached changes to network analysis and intrusion policies. For your convenience, the Rule Updates page lists policies with cached changes and the users who made those changes.

Deploying Intrusion Rule Updates

For changes made by an intrusion rule update to take effect, you must redeploy configurations. When importing a rule update, you can configure the system to automatically redeploy to affected devices. This approach is especially useful if you allow the intrusion rule update to modify system-provided base intrusion policies.


Caution

Although a rule update by itself does not restart the Snort process when you deploy, other changes you have made may. Restarting Snort briefly interrupts traffic flow and inspection on all devices, including those configured for high availability/scalability. Interface configurations determine whether traffic drops or passes without inspection during the interruption. When you deploy without restarting Snort, resource demands may result in a small number of packets dropping without inspection.

Recurring Intrusion Rule Updates

You can import rule updates on a daily, weekly, or monthly basis, using the Rule Updates page.

If your deployment includes a high availability pair of management centers, import the update on the primary only. The secondary management center receives the rule update as part of the regular synchronization process.

Applicable subtasks in the intrusion rule update import occur in the following order: download, install, base policy update, and configuration deploy. When one subtask completes, the next subtask begins.

At the scheduled time, the system installs the rule update and deploys the changed configuration as you specified in the previous step. You can log off or use the web interface to perform other tasks before or during the import. When accessed during an import, the Rule Update Log displays a Red Status (red status icon), and you can view messages as they occur in the Rule Update Log detailed view. Depending on the rule update size and content, several minutes may pass before status messages appear.

As part of the initial configuration, the system schedules daily intrusion rule updates. We recommend you review this task and make changes if necessary, as described in Schedule Intrusion Rule Updates.

Importing Local Intrusion Rules

A local intrusion rule is a custom standard text rule that you import from a local machine as a plain text file with ASCII or UTF-8 encoding. You can create local rules using the instructions in the Snort users manual, which is available at http://www.snort.org.

In a multidomain deployment, you can import local intrusion rules in any domain. You can view local intrusion rules imported in the current domain and ancestor domains.

Schedule Intrusion Rule Updates

As part of the initial configuration, the system schedules daily intrusion rule updates. We recommend you review this task and make changes if necessary, as described in this procedure.

Before you begin

  • Make sure your process for updating intrusion rules complies with your security policies.

  • Consider the update's effect on traffic flow and inspection due to bandwidth constraints and Snort restarts. We recommend performing updates in a maintenance window.

  • Make sure the management center can access the Cisco Support & Download site.

Procedure

Step 1

Go to the rule update page.

  • Version 7.4.0: System (system gear icon) > Updates > Rule Updates

  • Version 7.4.1+: System (system gear icon) > Content Updates > Rule Updates

Step 2

Under Recurring Rule Update Imports, check Enable Recurring Rule Update Imports.

Step 3

Specify the Import Frequency and start time.

Step 4

(Optional) Check Reapply all policies... to deploy after each update.

Step 5

Click Save.

Manually Update Intrusion Rules

Use this procedure to perform an on-demand intrusion rule update.

Before you begin

  • Make sure your process for updating intrusion rules complies with your security policies.

  • Consider the update's effect on traffic flow and inspection due to bandwidth constraints and Snort restarts. We recommend performing updates in a maintenance window.

  • If the management center cannot access the Cisco Support & Download site, get the update yourself: Software Download . Select or search for your model (or choose any model—you use the same SRU or LSP for all management centers), then browse to the Coverage and Content Updates page.

Procedure

Step 1

Go to the rule update page.

  • Version 7.4.0: System (system gear icon) > Updates > Rule Updates

  • Version 7.4.1+: System (system gear icon) > Content Updates > Rule Updates

Step 2

Under One-Time Rule Update/Rules Import, choose how you want to update intrusion rules.

  • Direct download: Choose Download new rule update....

  • Manual upload: Choose Rule update or text rule file..., then click Choose File and browse to the intrusion rule update.

Step 3

(Optional) Check Reapply all policies... to deploy after the update.

Step 4

Click Import.

Monitor update progress in the Message Center. Even if the Message Center shows no progress for several minutes or indicates that the update has failed, do not restart the update. Instead, contact Cisco TAC.

Step 5

Verify update success.

The rule update page and Help (help icon) > About both show the current version.

What to do next

If you did not deploy as a part of the update, deploy now; see Cisco Secure Firewall Management Center Device Configuration Guide.

Import Local Intrusion Rules

Use this procedure to import local intrusion rules. Imported intrusion rules appear in the local rule category in a disabled state. You can perform this task in any domain.

Before you begin

  • Make sure your local rule file follows the guidelines described in Best Practices for Importing Local Intrusion Rules.

  • Make sure your process for importing local intrusion rules complies with your security policies.

  • Consider the import's effect on traffic flow and inspection due to bandwidth constraints and Snort restarts. We recommend scheduling rule updates during maintenance windows.

Procedure

Step 1

Go to the rule update page.

  • Version 7.4.0: System (system gear icon) > Updates > Rule Updates

  • Version 7.4.1+: System (system gear icon) > Content Updates > Rule Updates

  • Any version: Click Import Rules in the intrusion rules editor (Objects > Intrusion Rules).

Step 2

(Optional) Delete existing local rules.

Click Delete All Local Rules, then confirm that you want to move all created and imported intrusion rules to the deleted folder.

Step 3

Under One-Time Rule Update/Rules Import, choose Rule update or text rule file to upload and install, then click Choose File and browse to your local rule file.

Step 4

Click Import.

You can monitor import progress in the Message Center. Even if the Message Center shows no progress for several minutes or indicates that the update has failed, do not restart the import. Instead, contact Cisco TAC.

What to do next

Best Practices for Importing Local Intrusion Rules

Observe the following guidelines when importing a local rule file:

  • The rules importer requires that all custom rules are imported in a plain text file encoded in ASCII or UTF-8.

  • The text file name can include alphanumeric characters, spaces, and no special characters other than underscore (_), period (.), and dash (-).

  • The system imports local rules preceded with a single pound character (#), but they are flagged as deleted.

  • The system imports local rules preceded with a single pound character (#), and does not import local rules preceded with two pound characters (##).

  • Rules cannot contain any escape characters.

  • In a multidomain deployment, the system assigns a GID of 1 to a rule imported into or created in the Global domain, and a domain-specific GID between 1000 and 2000 for all other domains.

  • You do not have to specify a Generator ID (GID) when importing a local rule. If you do, specify only GID 1 for a standard text rule.

  • When importing a rule for the first time, do not specify a Snort ID (SID) or revision number. This avoids collisions with SIDs of other rules, including deleted rules. The system will automatically assign the rule the next available custom rule SID of 1000000 or greater, and a revision number of 1.

    If you must import rules with SIDs, a SID can be any unique number 1,000,000 or greater.

    In a multidomain deployment, if multiple administrators are importing local rules at the same time, SIDs within an individual domain might appear to be non-sequential because the system assigned the intervening numbers in the sequence to another domain.

  • When importing an updated version of a local rule you have previously imported, or when reinstating a local rule you have deleted, you must include the SID assigned by the system and a revision number greater than the current revision number. You can determine the revision number for a current or deleted rule by editing the rule.


    Note

    The system automatically increments the revision number when you delete a local rule; this is a device that allows you to reinstate local rules. All deleted local rules are moved from the local rule category to the deleted rule category.

  • Import local rules on the primary management center in a high availability pair to avoid SID numbering issues.

  • The import fails if a rule contains any of the following: .

    • A SID greater than 2147483647.

    • A list of source or destination ports that is longer than 64 characters.

    • When importing into the Global domain in a multidomain deployment, a GID:SID combination uses GID 1 and a SID that already exists in another domain; this indicates that the combination existed before Version 6.2.1. You can reimport the rule using GID 1 and a unique SID.

  • Policy validation fails if you enable an imported local rule that uses the deprecated threshold keyword in combination with the intrusion event thresholding feature in an intrusion policy.

  • All imported local rules are automatically saved in the local rule category.

  • The system always sets local rules that you import to the disabled rule state. You must manually set the state of local rules before you can use them in your intrusion policy.

View Intrusion Rule Update Logs

The system generates logs of rule updates/imports, listed by timestamp, user, and whether each update succeeded or failed. These logs contain detailed import information on all updated rules and components; see Intrusion Rule Update Log Details. Use this procedure to view rule import logs. Note that deleting an import log does not delete the imported objects. In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

Procedure

Step 1

Go to the rule update page.

  • Version 7.4.0: System (system gear icon) > Updates > Rule Updates

  • Version 7.4.1+: System (system gear icon) > Content Updates > Rule Updates

Step 2

Click Rule Update Log.

Step 3

(Optional) View details for any rule update by clicking View (View button) next to the log file.

Intrusion Rule Update Log Details


Tip

You search the entire Rule Update Import Log database even when you initiate a search by clicking Search on the toolbar from the Rule Update Import Log detailed view with only the records for a single import file displayed. Make sure you set your time constraints to include all objects you want to include in the search.

Table 2. Intrusion Rule Update Log Details

Field

Description

Action

An indication that one of the following has occurred for the object type:

  • new (for a rule, this is the first time the rule has been stored on this appliance)

  • changed (for a rule update component or rule, the rule update component has been modified, or the rule has a higher revision number and the same GID and SID)

  • collision (for a rule update component or rule, import was skipped because its revision conflicts with an existing component or rule on the appliance)

  • deleted (for rules, the rule has been deleted from the rule update)

  • enabled (for a rule update edit, a preprocessor, rule, or other feature has been enabled in a default policy provided with the system)

  • disabled (for rules, the rule has been disabled in a default policy provided with the system)

  • drop (for rules, the rule has been set to Drop and Generate Events in a default policy provided with the system)

  • error (for a rule update or local rule file, the import failed)

  • apply (the Reapply all policies after the rule update import completes option was enabled for the import)

Default Action

The default action defined by the rule update. When the imported object type is rule, the default action is Pass, Alert, or Drop. For all other imported object types, there is no default action.

Details

A string unique to the component or rule. For rules, the GID, SID, and previous revision number for a changed rule, displayed as previously (GID:SID:Rev). This field is blank for a rule that has not changed.

Domain

The domain whose intrusion policies can use the updated rule. Intrusion policies in descendant domains can also use the rule. This field is only present in a multidomain deployment.

GID

The generator ID for a rule. For example, 1 (standard text rule, Global domain or legacy GID) or 3 (shared object rule).

Name

The name of the imported object, which for rules corresponds to the rule Message field, and for rule update components is the component name.

Policy

For imported rules, this field displays All. This means that the rule was imported successfully, and can be enabled in all appropriate default intrusion policies. For other types of imported objects, this field is blank.

Rev

The revision number for a rule.

Rule Update

The rule update file name.

SID

The SID for a rule.

Time

The time and date the import began.

Type

The type of imported object, which can be one of the following:

  • rule update component (an imported component such as a rule pack or policy pack)

  • rule (for rules, a new or updated rule)

  • policy apply (the Reapply all policies after the rule update import completes option was enabled for the import)

Count

The count (1) for each record. The Count field appears in a table view when the table is constrained, and the Rule Update Log detailed view is constrained by default to rule update records. This field is not searchable.

History for System Updates

Table 3. Version 7.4.2 Features

Feature

Minimum Management Center

Minimum Threat Defense

Details

Content Updates

Default behavior change for geolocation IP package downloads.

7.4.2

Any

Upgrade impact. Upgrade can delete the IP package.

In Version 7.4.2+ the IP Package Download geolocation option is disabled by default after being enabled by default in Versions 7.4.0–7.4.1. This option governs whether the system downloads an extra IP package that contains contextual data.

In most cases, upgrading to Version 7.4.2+ deletes any IP package. You cannot view contextual geolocation data for IP addresses until you manually enable the option and update the GeoDB. The exception is that if you are upgrading from a Version 7.2.x release where you manually enabled this option, the upgrade respects your setting.

New/modified screens: System (system gear icon) > Content Updates > Geolocation Updates
Table 4. Version 7.4.1 Features

Feature

Minimum Management Center

Minimum Threat Defense

Details

Threat Defense Upgrade

Firmware upgrades included in FXOS upgrades.

Any

Any

Chassis/FXOS upgrade impact. Firmware upgrades cause an extra reboot.

For the Firepower 4100/9300, FXOS upgrades to Version 2.14.1 now include firmware upgrades. If any firmware component on the device is older than the one included in the FXOS bundle, the FXOS upgrade also updates the firmware. If the firmware is upgraded, the device reboots twice—once for FXOS and once for the firmware.

Just as with software and operating system upgrades, do not make or deploy configuration changes during firmware upgrade. Even if the system appears inactive, do not manually reboot or shut down during firmware upgrade.

See: Cisco Firepower 4100/9300 FXOS Firmware Upgrade Guide

Chassis upgrade for the Secure Firewall 3100 in multi-instance mode.

7.4.1

7.4.1

For the Secure Firewall 3100 in multi-instance mode, you upgrade the operating system and the firmware (chassis upgrade) separately from the container instances (threat defense upgrade).

New/modified screens:

  • Upgrade the chassis: Devices > Chassis Upgrade

  • Upgrade threat defense: Devices > Threat Defense Upgrade

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Management Center Upgrade

Automatically generate configuration change reports after management center upgrade.

Any

Any

You can automatically generate reports on configuration changes after major and maintenance management center upgrades. This helps you understand the changes you are about to deploy. After the system generates the reports, you can download them from the Tasks tab in the Message Center.

Other version restrictions: Only supported for management center upgrades from Version 7.4.1+. Not supported for upgrades to Version 7.4.1 or any earlier version.

New/modified screens: System (system gear icon) > Configuration > Upgrade Configuration > Enable Post-Upgrade Report
Table 5. Version 7.4.0 Features

Feature

Minimum Management Center

Minimum Threat Defense

Details

Management Center Upgrade: Deprecated Features

Temporarily deprecated features.

7.4.0

Feature dependent

If you are running Version 7.2.6+, upgrading to Version 7.4.0 removes these upgrade-related features:

Table 6. Version 7.3.0 Features

Feature

Minimum Management Center

Minimum Threat Defense

Details

Deprecated Features

Temporarily deprecated features.

any

Feature dependent

If you are running Version 7.2.6+, upgrading to Version 7.3.x removes these upgrade-related features:

  • Improved upgrade starting page and package management.

  • Enable revert from the threat defense upgrade wizard.

  • View detailed upgrade status from the threat defense upgrade wizard.

  • Suggested release notifications.

  • New upgrade wizard for the management center.

  • Hotfix high availability management centers without pausing synchronization.

  • Updated internet access requirements for direct-downloading software upgrades.

  • Download only the country code geolocation package.

  • Scheduled tasks download patches and VDB updates only.

Upgrading is supported, but will remove critical fixes and enhancements that are included in your current version. We recommend you upgrade directly to Version 7.4.1+.

Threat Defense Upgrade

Choose and direct-download upgrade packages to the management center from Cisco.

7.3.0

Any

You can now choose which threat defense upgrade packages you want to direct download to the management center. Use the new Download Updates sub-tab on > Updates > Product Updates.

Other version restrictions: this feature is replaced by an improved package management system in Version 7.2.6/7.4.1.

See: Download Upgrade Packages with the Management Center

Upload upgrade packages to the management center from the threat defense wizard.

7.3.0

Any

You now use the wizard to upload threat defense upgrade packages or specify their location. Previously (depending on version), you used System (system gear icon) > Updates or System (system gear icon) > Product Upgrades.

Other version restrictions: this feature is replaced by an improved package management system in Version 7.2.6/7.4.1.

See: Upgrade Threat Defense

Auto-upgrade to Snort 3 after successful threat defense upgrade is no longer optional.

7.3.0

Any

Upgrade impact.

When you upgrade threat defense to Version 7.3+, you can no longer disable the Upgrade Snort 2 to Snort 3 option.

After the software upgrade, all eligible devices will upgrade from Snort 2 to Snort 3 when you deploy configurations. Although you can switch individual devices back, Snort 2 will be deprecated in a future release and we strongly recommend you stop using it now.

For devices that are ineligible for auto-upgrade because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For migration assistance, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.

Combined upgrade and install package for Secure Firewall 3100.

7.3.0

7.3.0

Reimage Impact.

In Version 7.3, we combined the threat defense install and upgrade package for the Secure Firewall 3100, as follows:

  • Version 7.1–7.2 install package: cisco-ftd-fp3k.version.SPA

  • Version 7.1–7.2 upgrade package: Cisco_FTD_SSP_FP3K_Upgrade-version-build.sh.REL.tar

  • Version 7.3+ combined package: Cisco_FTD_SSP_FP3K_Upgrade-version-build.sh.REL.tar

Although you can upgrade threat defense without issue, you cannot reimage from older threat defense and ASA versions directly to threat defense Version 7.3+. This is due to a ROMMON update required by the new image type. To reimage from those older versions, you must "go through" ASA 9.19+, which is supported with the old ROMMON but also updates to the new ROMMON. There is no separate ROMMON updater.

To get to threat defense Version 7.3+, your options are:

Content Updates

Automatic VDB downloads.

7.3.0

Any

The initial setup on the management center schedules a weekly task to download the latest available software updates, which now includes the latest vulnerability database (VDB). We recommend you review this weekly task and adjust if necessary. Optionally, schedule a new weekly task to actually update the VDB and deploy configurations.

New/modified screens: The Vulnerability Database check box is now enabled by default in the system-created Weekly Software Download scheduled task.

Install any VDB.

7.3.0

Any

Starting with VDB 357, you can now install any VDB as far back as the baseline VDB for that management center.

After you update the VDB, deploy configuration changes. If you based configurations on vulnerabilities, application detectors, or fingerprints that are no longer available, examine those configurations to make sure you are handling traffic as expected. Also, keep in mind a scheduled task to update the VDB can undo a rollback. To avoid this, change the scheduled task or delete any newer VDB packages.

New/modified screens: On System (system gear icon) > Updates > Product Updates > Available Updates, if you upload an older VDB, a new Rollback icon appears instead of the Install icon.

Table 7. Version 7.2.6 Features

Feature

Minimum Management Center

Minimum Threat Defense

Details

Upgrade

Improved upgrade starting page and package management.

7.2.6

7.4.1

Any

A new upgrade page makes it easier to choose, download, manage, and apply upgrades to your entire deployment. This includes the management center, threat defense devices, and any older NGIPSv/ASA FirePOWER devices. The page lists all upgrade packages that apply to your current deployment, with suggested releases specially marked. You can easily choose and direct-download packages from Cisco, as well as manually upload and delete packages.

Internet access is required to retrieve the list/direct download upgrade packages. Otherwise, you are limited to manual management. Patches are not listed unless you have at least one appliance at the appropriate maintenance release (or you manually uploaded the patch). You must manually upload hotfixes.

New/modified screens:

  • System (system gear icon) > Product Upgrades is now where you upgrade the management center and all managed devices, as well as manage upgrade packages.

  • System (system gear icon) > Content Updates is now where you update intrusion rules, the VDB, and the GeoDB.

  • Devices > Threat Defense Upgrade takes you directly to the threat defense upgrade wizard.

  • System (system gear icon) > Users > User Role > Create User Role > Menu-Based Permissions allows you to grant access to Content Updates (VDB, GeoDB, intrusion rules) without allowing access to Product Upgrades (system software).

Deprecated screens/options:

  • System (system gear icon) > Updates is deprecated. All threat defense upgrades now use the wizard.

  • The Add Upgrade Package button on the threat defense upgrade wizard has been replaced by a Manage Upgrade Packages link to the new upgrade page.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Suggested release notifications.

7.2.6

7.4.1

Any

The management center now notifies you when a new suggested release is available. If you don't want to upgrade right now, you can have the system remind you later, or defer reminders until the next suggested release. The new upgrade page also indicates suggested releases.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Management Center New Features by Release

Updated internet access requirements for direct-downloading software upgrades.

7.2.6

7.4.1

Any

Upgrade impact. The system connects to new resources.

The management center has changed its direct-download location for software upgrade packages from sourcefire.com to amazonaws.com.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

Threat Defense Upgrade

Enable revert from the threat defense upgrade wizard.

7.2.6

7.4.1

Any, if upgrading to 7.1+

You can now enable revert from the threat defense upgrade wizard.

Other version restrictions: You must be upgrading threat defense to Version 7.1+. Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Select devices to upgrade from the threat defense upgrade wizard.

7.2.6

Any

Use the wizard to select devices to upgrade.

You can now use the threat defense upgrade wizard to select or refine the devices to upgrade. On the wizard, you can toggle the view between selected devices, remaining upgrade candidates, ineligible devices (with reasons why), devices that need the upgrade package, and so on. Previously, you could only use the Device Management page and the process was much less flexible.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

View detailed upgrade status from the threat defense upgrade wizard.

7.2.6

7.4.1

Any

The final page of the threat defense upgrade wizard now allows you to monitor upgrade progress. This is in addition to the existing monitoring capability on the Upgrade tab on the Device Management page, and on the Message Center. Note that as long as you have not started a new upgrade flow, Devices > Threat Defense Upgrade brings you back to this final wizard page, where you can view the detailed status for the current (or most recently complete) device upgrade.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Unattended threat defense upgrades.

7.2.6

Any

The threat defense upgrade wizard now supports unattended upgrades, using a new Unattended Mode menu. You just need to select the target version and the devices you want to upgrade, specify a few upgrade options, and step away. You can even log out or close the browser.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Simultaneous threat defense upgrade workflows by different users.

7.2.6

Any

We now allow simultaneous upgrade workflows by different users, as long as you are upgrading different devices. The system prevents you from upgrading devices already in someone else's workflow. Previously, only one upgrade workflow was allowed at a time across all users.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Skip pre-upgrade troubleshoot generation for threat defense devices.

7.2.6

Any

You can now skip the automatic generating of troubleshooting files before major and maintenance upgrades by disabling the new Generate troubleshooting files before upgrade begins option. This saves time and disk space.

To manually generate troubleshooting files for a threat defense device, choose System (system gear icon) > Health > Monitor, click the device in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Management Center Upgrade

New upgrade wizard for the management center.

7.2.6

7.4.1

Any

A new upgrade starting page and wizard make it easier to perform management center upgrades. After you use System (system gear icon) > Product Upgrades to get the appropriate upgrade package onto the management center, click Upgrade to begin.

Other version restrictions: Only supported for management center upgrades from Version 7.2.6+/7.4.1+. Not supported for upgrades from Version 7.3.x or 7.4.0.

See: Cisco Secure Firewall Threat Defense Upgrade Guide for Management Center

Hotfix high availability management centers without pausing synchronization.

7.2.6

7.4.1

Any

Unless otherwise indicated by the hotfix release notes or Cisco TAC, you do not have to pause synchronization to install a hotfix on high availability management centers.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

Content Updates

Scheduled tasks download patches and VDB updates only.

7.2.6

7.4.1

Any

Upgrade impact. Scheduled download tasks stop retrieving maintenance releases.

The Download Latest Update scheduled task no longer downloads maintenance releases; now it only downloads the latest applicable patches and VDB updates. To direct-download maintenance (and major) releases to the management center, use System (system gear icon) > Product Upgrades.

Other version restrictions: Not supported with management center Version 7.3.x or 7.4.0.

Download only the country code geolocation package.

7.2.6

7.4.0

Any

Upgrade impact. Upgrading can delete the IP package.

In Version 7.2.6+/7.4.0+, you can configure the system to download only the country code package of the geolocation database (GeoDB), which maps IP addresses to countries/continents. The larger IP package with contextual data is now optional.

IP package download is:

  • Version 7.2.0–7.2.5: Always enabled.

  • Version 7.2.6–7.2.x: Disabled by default, but you can enable it.

  • Version 7.3.x: Always enabled.

  • Version 7.4.0–7.4.1: Enabled by default, but you can disable it.

  • Version 7.4.2+: Disabled by default, but you can enable it.

The first time you upgrade to any version where download is disabled by default, the system disables download and deletes any existing IP package. (Exception: If you manually enable download in 7.2.6+ then upgrade to 7.4.2+, the system respects your setting.) Without the IP package, you cannot view contextual geolocation data for IP addresses until you manually enable the option and update the GeoDB.

New/modified screens:

  • Version 7.2.6/7.4.1: System (system gear icon) > Content Updates > Geolocation Updates

  • Version 7.4.0: System (system gear icon) > Updates > Geolocation Updates
Table 8. Version 7.2.0 Features

Feature

Details

Threat Defense Upgrade

Copy upgrade packages ("peer-to-peer sync") from device to device.

Instead of copying upgrade packages to each device from the management center or internal web server, you can use the threat defense CLI to copy upgrade packages between devices ("peer to peer sync"). This secure and reliable resource-sharing goes over the management network but does not rely on the management center. Each device can accommodate 5 package concurrent transfers.

This feature is supported for Version 7.2.x–7.4.x standalone devices managed by the same Version 7.2.x–7.4.x standalone management center. It is not supported for:

  • Container instances.

  • Device high availability pairs and clusters. These devices get the package from each other as part of their normal sync process. Copying the upgrade package to one group member automatically syncs it to all group members.

  • Devices managed by high availability management centers.

  • Devices managed by the cloud-delivered Firewall Management Center, but added to an on-prem management center in analytics mode.

  • Devices in different domains, or devices separated by a NAT gateway.

  • Devices upgrading from Version 7.1 or earlier, regardless of management center version.

New/modified CLI commands: configure p2psync enable , configure p2psync disable , show peers , show peer details , sync-from-peer , show p2p-sync-status

Auto-upgrade to Snort 3 after successful threat defense upgrade.

When you use a Version 7.2+ management center to upgrade threat defense to Version 7.2+, you can now choose whether to Upgrade Snort 2 to Snort 3.

After the software upgrade, eligible devices upgrade from Snort 2 to Snort 3 when you deploy configurations. For devices that are ineligible because they use custom intrusion or network analysis policies, we strongly recommend you manually upgrade to Snort 3 for improved detection and performance. For help, see the Cisco Secure Firewall Management Center Snort 3 Configuration Guide for your version.

Version restrictions: Not supported for threat defense upgrades to Version 7.0.x or 7.1.x.

Upgrade for single-node clusters.

You can now use the device upgrade page (Devices > Device Upgrade) to upgrade clusters with only one active node. Any deactivated nodes are also upgraded. Previously, this type of upgrade would fail. This feature is not supported from the system updates page (System (system gear icon)Updates).

Hitless upgrades are also not supported in this case. Interruptions to traffic flow and inspection depend on the interface configurations of the lone active unit, just as with standalone devices.

Supported platforms: Firepower 4100/9300, Secure Firewall 3100

Revert threat defense upgrades from the CLI.

You can now revert threat defense upgrades from the device CLI if communications between the management center and device are disrupted. Note that in high availability/scalability deployments, revert is more successful when all units are reverted simultaneously. When reverting with the CLI, open sessions with all units, verify that revert is possible on each, then start the processes at the same time.

Caution

 

Reverting from the CLI can cause configurations between the device and the management center to go out of sync, depending on what you changed post-upgrade. This can cause further communication and deployment issues.

New/modified CLI commands: upgrade revert , show upgrade revert-info .

Management Center Upgrade

Management center upgrade does not automatically generate troubleshooting files.

To save time and disk space, the management center upgrade process no longer automatically generates troubleshooting files before the upgrade begins. Note that device upgrades are unaffected and continue to generate troubleshooting files.

To manually generate troubleshooting files for the management center, choose System (system gear icon) > Health > Monitor, click Firewall Management Center in the left panel, then View System & Troubleshoot Details, then Generate Troubleshooting Files.

Content Updates

GeoDB is split into two packages.

In May 2022, shortly before the Version 7.2 release, we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The contextual data in the IP package can include additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on.

If your Version 7.2.0–7.2.5 management center has internet access and you enable recurring updates or you manually kick off a one-time update from the Cisco Support & Download site, the system automatically obtains both packages. In Version 7.2.6+/7.4.0+, you can configure whether you want the system to obtain the IP package.

If you manually download updates—for example, in an air-gapped deployment—you must import the packages separately:

  • Country code package: Cisco_GEODB_Update-date-build.sh.REL.tar​

  • IP package: Cisco_IP_GEODB_Update-date-build.sh.REL.tar​

Help (help icon) > About lists the versions of the packages currently being used by the system.

Table 9. Version 7.1.0 Features

Feature

Details

Threat Defense Upgrade

Revert a successful device upgrade.

You can now revert major and maintenance upgrades to FTD. Reverting returns the software to its state just before the last upgrade, also called a snapshot. If you revert an upgrade after installing a patch, you revert the patch as well as the major and/or maintenance upgrade.

Important

 

If you think you might need to revert, you must use System (system gear icon) > Updates to upgrade FTD. The System Updates page is the only place you can enable the Enable revert after successful upgrade option, which configures the system to save a revert snapshot when you initiate the upgrade. This is in contrast to our usual recommendation to use the wizard on the Devices > Device Upgrade page.

This feature is not supported for container instances.

Minimum FTD: 7.1

Improvements to the upgrade workflow for clustered and high availability devices.

We made the following improvements to the upgrade workflow for clustered and high availability devices:

  • The upgrade wizard now correctly displays clustered and high availability units as groups, rather than as individual devices. The system can identify, report, and preemptively require fixes for group-related issues you might have. For example, you cannot upgrade a cluster on the Firepower 4100/9300 if you have made unsynced changes on Firepower Chassis Manager.

  • We improved the speed and efficiency of copying upgrade packages to clusters and high availability pairs. Previously, the FMC copied the package to each group member sequentially. Now, group members can get the package from each other as part of their normal sync process.

  • You can now specify the upgrade order of data units in a cluster. The control unit always upgrades last.

Table 10. Version 7.0.0 Features

Feature

Details

Threat Defense Upgrade

Improved FTD upgrade performance and status reporting.

FTD upgrades are now easier faster, more reliable, and take up less disk space. A new Upgrades tab in the Message Center provides further enhancements to upgrade status and error reporting.

Easy-to-follow upgrade workflow for FTD devices.

A new device upgrade page (Devices > Device Upgrade) on the FMC provides an easy-to-follow wizard for upgrading Version 6.4+ FTD devices. It walks you through important pre-upgrade stages, including selecting devices to upgrade, copying the upgrade package to the devices, and compatibility and readiness checks.

To begin, use the new Upgrade Firepower Software action on the Device Management page (Devices > Device Management > Select Action).

As you proceed, the system displays basic information about your selected devices, as well as the current upgrade-related status. This includes any reasons why you cannot upgrade. If a device does not "pass" a stage in the wizard, it does not appear in the next stage.

If you navigate away from wizard, your progress is preserved, although other users with Administrator access can reset, modify, or continue the wizard.

Note

 

You must still use System (system gear icon) > Updates to upload or specify the location of FTD upgrade packages. You must also use the System Updates page to upgrade the FMC itself, as well as all non-FTD managed devices.

Note

 

In Version 7.0, the wizard does not correctly display devices in clusters or high availability pairs. Even though you must select and upgrade these devices as a unit, the wizard displays them as standalone devices. Device status and upgrade readiness are evaluated and reported on an individual basis. This means it is possible for one unit to appear to "pass" to the next stage while the other unit or units do not. However, these devices are still grouped. Running a readiness check on one, runs it on all. Starting the upgrade on one, starts it on all.

To avoid possible time-consuming upgrade failures, manually ensure all group members are ready to move on to the next step of the wizard before you click Next.

Upgrade more FTD devices at once.

The FTD upgrade wizard lifts the following restrictions:

  • Simultaneous device upgrades.

    The number of devices you can upgrade at once is now limited by your management network bandwidth—not the system's ability to manage simultaneous upgrades. Previously, we recommended against upgrading more than five devices at a time.

    Important

     

    Only upgrades to FTD Version 6.7+ see this improvement. If you are upgrading devices to an older FTD release—even if you are using the new upgrade wizard—we still recommend you limit to five devices at a time.

  • Grouping upgrades by device model.

    You can now queue and invoke upgrades for all FTD models at the same time, as long as the system has access to the appropriate upgrade packages.

    Previously, you would choose an upgrade package, then choose the devices to upgrade using that package. That meant that you could upgrade multiple devices at the same time only if they shared an upgrade package. For example, you could upgrade two Firepower 2100 series devices at the same time, but not a Firepower 2100 series and a Firepower 1000 series.

Table 11. Version 6.7.0 Features

Feature

Details

Threat Defense Upgrade

Upgrades remove PCAP files to save disk space.

Upgrades now remove locally stored PCAP files. To upgrade, you must have enough free disk space or the upgrade fails.

Improved FTD upgrade status reporting and cancel/retry options.

You can now view the status of FTD device upgrades and readiness checks in progress on the Device Management page, as well as a 7-day history of upgrade success/failures. The Message Center also provides enhanced status and error messages.

A new Upgrade Status pop-up, accessible from both Device Management and the Message Center with a single click, shows detailed upgrade information, including percentage/time remaining, specific upgrade stage, success/failure data, upgrade logs, and so on.

Also on this pop-up, you can manually cancel failed or in-progress upgrades (Cancel Upgrade), or retry failed upgrades (Retry Upgrade). Canceling an upgrade reverts the device to its pre-upgrade state.

Note

 

To be able to manually cancel or retry a failed upgrade, you must disable the new auto-cancel option, which appears when you use the FMC to upgrade an FTD device: Automatically cancel on upgrade failure and roll back to the previous version. With the option enabled, the device automatically reverts to its pre-upgrade state upon upgrade failure.

Auto-cancel is not supported for patches. In an HA or clustered deployment, auto-cancel applies to each device individually. That is, if the upgrade fails on one device, only that device is reverted.

New/modified screens:

  • System (system gear icon) > Updates > Product Updates > Available Updates > Install icon for the FTD upgrade package

  • Devices > Device Management > Upgrade

  • Message Center > Tasks

New/modified CLI commands: show upgrade status detail , show upgrade status continuous , show upgrade status , upgrade cancel , upgrade retry

Content Updates

Custom intrusion rule import warns when rules collide.

The FMC now warns you of rule collisions when you import custom (local) intrusion rules. Previously, the system would silently skip the rules that cause collisions—with the exception of Version 6.6.0.1, where a rule import with collisions would fail entirely.

On the Rule Updates page, if a rule import had collisions, a warning icon is displayed in the Status column. For more information, hover your pointer over the warning icon and read the tooltip.

Note that a collision occurs when you try to import an intrusion rule that has the same SID/revision number as an existing rule. You should always make sure that updated versions of custom rules have new revision numbers.

New/modified screens: We added a warning icon to System (system gear icon) > Updates > Rule Updates.

Table 12. Version 6.6.0 Features

Feature

Details

Threat Defense Upgrade

Get FTD upgrade packages from an internal web server.

FTD devices can now get upgrade packages from your own internal web server, rather than from the FMC. This is especially useful if you have limited bandwidth between the FMC and its devices. It also saves space on the FMC.

Note

 

This feature is supported only for FTD devices running Version 6.6+. It is not supported for upgrades to Version 6.6, nor is it supported for the FMC or Classic devices.

New/modified screens: We added a Specify software update source option to the page where you upload upgrade packages.

Content Updates

Automatic VDB update during initial setup.

When you set up a new or reimaged FMC, the system automatically attempts to update the vulnerability database (VDB).

This is a one-time operation. If the FMC has internet access, we recommend you schedule tasks to perform automatic recurring VDB update downloads and installations.

Table 13. Version 6.5.0 Features

Feature

Details

Content Updates

Automatic software downloads and GeoDB updates.

When you set up a new or reimaged FMC, the system automatically schedules:

  • A weekly task to download software updates for the FMC and its managed devices.

  • Weekly updates for the GeoDB.

The tasks are scheduled in UTC, which means that when they occur locally depends on the date and your specific location. Also, because tasks are scheduled in UTC, they do not adjust for Daylight Saving Time, summer time, or any such seasonal adjustments that you may observe in your location. If you are affected, scheduled tasks occur one hour “later” in the summer than in the winter, according to local time. We recommend you review the auto-scheduled configurations and adjust them if necessary.

Table 14. Version 6.4.0 Features

Feature

Details

Management Center Upgrade

Upgrades postpone scheduled tasks.

The management center upgrade process now postpones scheduled tasks. Any task scheduled to begin during the upgrade will begin five minutes after the post-upgrade reboot.

Note

 

Before you begin any upgrade, you must still make sure running tasks are complete. Tasks running when the upgrade begins are stopped, become failed tasks, and cannot be resumed.

Note that this feature is supported for all upgrades from a supported version. This includes Version 6.4.0.10 and later patches, Version 6.6.3 and later maintenance releases, and Version 6.7.0+. This feature is not supported for upgrades to a supported version from an unsupported version.

Content Updates

Signed SRU, VDB, and GeoDB updates.

So the system can verify that you are using the correct update files, Version 6.4+ uses signed updates for intrusion rules (SRU), the vulnerability database (VDB), and the geolocation database (GeoDB). Earlier versions continue to use unsigned updates.

Unless you manually download updates from the Cisco Support & Download site—for example, in an air-gapped deployment—you should not notice any difference in functionality. If, however, you do manually download and install SRU, VDB, and GeoDB updates, make sure you download the correct package for your current version.

Signed update files begin with 'Cisco' instead of 'Sourcefire,' and terminate in .sh.REL.tar instead of .sh, as follows:

  • SRU: Cisco_Firepower_SRU-date-build-vrt.sh.REL.tar

  • VDB: Cisco_VDB_Fingerprint_Database-4.5.0-version.sh.REL.tar

  • GeoDB: Cisco_GEODB_Update-date-build.sh.REL.tar

We will provide both signed and unsigned updates until the end-of-support for versions that require unsigned updates. Do not untar signed (.tar) packages. If you accidentally upload a signed update to an older FMC or ASA FirePOWER device, you must manually delete it. Leaving the package takes up disk space, and also may cause issues with future upgrades.

Table 15. Version 6.2.3 Features

Feature

Details

Device Upgrade

Copy upgrade packages to managed devices before the upgrade.

You can now copy (or push) an upgrade package from the FMC to a managed device before you run the actual upgrade. This is useful because you can push during times of low bandwidth use, outside of the upgrade maintenance window.

When you push to high availability, clustered, or stacked devices, the system sends the upgrade package to the active/control/primary first, then to the standby/data/secondary.

New/modified screens: System (system gear icon) > Updates

Content Updates

FMC warns of Snort restart before VDB updates.

The FMC now warns you that Vulnerability Database (VDB) updates restart the Snort process. This interrupts traffic inspection and, depending on how the managed device handles traffic, possibly interrupts traffic flow. You can cancel the install until a more convenient time, such as during a maintenance window.

These warnings can appear:

  • After you download and manually install a VDB.

  • When you create a scheduled task to install the VDB.

  • When the VDB installs in the background, such as during a previously scheduled task or as part of a software upgrade.