Updates

This chapter explains how to perform content updates.


Important


To upgrade managed devices, see the upgrade guide: https://www.cisco.com/go/ftd-cdfmc-upgrade.


About System Updates

Use the management center to upgrade the system software for the devices it manages. You can also update various databases and feeds that provide advanced services.

If the management center has internet access, the system can often obtain updates directly from Cisco. We recommend you schedule or enable automatic content updates whenever possible. Some updates are auto-enabled by the initial setup process or when you enable the related feature. Other updates you must schedule yourself. After initial setup, we recommend you review all auto-updates and adjust them if necessary.

Table 1. Upgrades and Updates

Component

Description

Details

System software

Major software releases contain new features, functionality, and enhancements. They may include infrastructure or architectural changes.

Maintenance releases contain general bug and security related fixes. Behavior changes are rare, and are related to those fixes.

Patches are on-demand updates limited to critical fixes with time urgency.

Hotfixes can address specific customer issues.

Direct Download: Select patches and maintenance releases only, usually some time after the release is available for manual download. The length of the delay depends on release type, release adoption, and other factors. Both on-demand and scheduled downloads are supported.

Schedule Install: Patches and maintenance releases only, as a scheduled task.

Uninstall: Patches only.

Revert: Major and maintenance releases only.

Reimage: Major and maintenance releases only.

See: https://www.cisco.com/go/ftd-cdfmc-upgrade

Vulnerability database (VDB)

The Cisco vulnerability database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications. The system uses the VDB to help determine whether a particular host increases your risk of compromise.

Direct Download: Yes.

Schedule: Yes, as a scheduled task.

Uninstall: Starting with VDB 357, you can install any VDB as far back as the baseline VDB for the management center.

See: Update the Vulnerability Database (VDB)

Geolocation database (GeoDB)

The Cisco geolocation database (GeoDB) is a database of geographical and connection-related data associated with routable IP addresses.

Direct Download: Yes.

Schedule: Yes, from its own update page

Uninstall: No.

See: Update the Geolocation Database (GeoDB)

Intrusion rules (SRU/LSP)

Intrusion rule updates provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings.

Rule updates may also delete rules, provide new rule categories and default variables, and modify default variable values.

Direct Download: Yes.

Schedule: Yes, from its own update page.

Uninstall: No.

See: Update Intrusion Rules

Security Intelligence feeds

Security Intelligence feeds are collections of IP addresses, domain names, and URLs that you can use to quickly filter traffic that matches an entry.

Direct Download: Yes.

Schedule: Yes, from the object manager.

Uninstall: No.

See: Cisco Secure Firewall Management Center Device Configuration Guide

URL categories and reputations

URL filtering allows you to control access to websites based on the URL’s general classification (category) and risk level (reputation).

Direct Download: Yes.

Schedule: Yes, when you configure integrations/cloud services, or as a scheduled task.

Uninstall: No.

See: Cisco Secure Firewall Management Center Device Configuration Guide

Requirements and Prerequisites for System Updates

Model Support

Any

Supported Domains

Global unless indicated otherwise.

User Roles

Admin

Guidelines and Limitations for System Updates

Before You Update

Before you update any component of your deployment (including intrusion rules, VDB, or GeoDB) read the release notes or advisory text that accompanies the update. These provide critical and release-specific information, including compatibility, prerequisites, new capabilities, behavior changes, and warnings.

Scheduled Updates

The system schedules tasks — including updates — in UTC. This means that when they occur locally depends on the date and your specific location. Also, because updates are scheduled in UTC, they do not adjust for Daylight Saving Time, summer time, or any such seasonal adjustments that you may observe in your location. If you are affected, scheduled updates occur one hour "later" in the summer than in the winter, according to local time.


Important


We strongly recommend you review scheduled updates to be sure they occur when you intend.


Bandwidth Guidelines

To upgrade a the system software or perform a readiness check, the upgrade package must be on the appliance. Upgrade package sizes vary. Make sure you have the bandwidth to perform a large data transfer to your managed devices. See Guidelines for Downloading Data from the Firepower Management Center to Managed Devices (Troubleshooting TechNote).

Update the Vulnerability Database (VDB)

The Cisco vulnerability database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications. The system uses the VDB to help determine whether a particular host increases your risk of compromise.

Cisco issues periodic updates to the VDB. The time it takes to update the VDB and its associated mappings on the management center depends on the number of hosts in your network map. As a rule of thumb, divide the number of hosts by 1000 to determine the approximate number of minutes to perform the update.

Beginning with VDB 343, all application detector information is available through Cisco Secure Firewall Application Detectors. This site includes a searchable database of application detectors. The release notes provide information on changes for a particular VDB release.


Note


The initial setup on the management center automatically downloads and installs the latest VDB from Cisco as a one-time operation. It also schedules a weekly task to download the latest available software updates, which includes the latest VDB. We recommend you review this weekly task and adjust if necessary. Optionally, schedule a new weekly task to actually update the VDB and deploy configurations. For more information, see Vulnerability Database Update Automation.


Manually Update the VDB

Use this procedure to manually update the VDB. Starting with VDB 357, you can install any VDB as far back as the baseline VDB for the management center.


Caution


Do not perform tasks related to mapped vulnerabilities while the VDB is updating. Even if the Message Center shows no progress for several minutes or indicates that the update has failed, do not restart the update. Instead, contact Cisco TAC.

In most cases, the first deploy after a VDB update restarts the Snort process, interrupting traffic inspection. The system warns you when this will happen (updated application detectors and operating system fingerprints require a restart; vulnerability information does not). Whether traffic drops or passes without further inspection during this interruption depends on how the targeted device handles traffic. For more information, see Snort Restart Traffic Behavior.


Before you begin

If the management center cannot access the internet, get the update from the Cisco Support & Download site: https://www.cisco.com/go/firepower-software. Select or search for your model (or choose any model—you use the same VDB for all management centers), then browse to the Coverage and Content Updates page.

Procedure


Step 1

Choose System (system gear icon) > Updates > Product Updates.

Step 2

Choose how you want to get the VDB onto the management center.

  • Direct download: Click the Download Updates button to immediately download the latest VDB, latest maintenance release, and the latest critical patches for your deployment.

  • Manual upload: Click Upload Update, then Choose File and browse to the VDB.

Step 3

Install the VDB.

  1. Next to the Vulnerability and Fingerprint Database update you want to install, click either the Install icon (for a newer VDB) or the Rollback icon (for an older VDB).

  2. Choose the management center.

  3. Click Install.

Monitor update progress in the Message Center. After the update completes, the system uses the new vulnerability information. However, you must deploy before updated application detectors and operating system fingerprints can take effect.

Step 4

Verify update success.

Choose Help (help icon) > About to view the current VDB version.


What to do next

  • Deploy configuration changes.

  • If you based configurations on vulnerabilities, application detectors, or fingerprints that are no longer available, examine those configurations to make sure you are handling traffic as expected. Also, keep in mind a scheduled task to update the VDB can undo a rollback. To avoid this, change the scheduled task or delete any newer VDB packages.

Update the Geolocation Database (GeoDB)

The geolocation database (GeoDB) is a database that you can leverage to view and filter traffic based on geographical location. We issue periodic updates to the GeoDB, and you must regularly update the GeoDB to have accurate geolocation information. You can see your current version on Help (help icon) > About.

The GeoDB includes a country code package that maps IP addresses to countries/continents, and an IP package with contextual data. This contextual data includes additional location details, as well as connection information such as ISP, connection type, proxy type, domain name, and so on. If you manually update the VDB, update both packages.


Note


As a part of initial configuration, the system schedules weekly GeoDB updates. We recommend you review this task and adjust if necessary, as described in Schedule GeoDB Updates.


A GeoDB update overrides any previous versions of the GeoDB and is effective immediately. The management center automatically updates its managed devices. You do not need to redeploy.

The time needed to update the GeoDB depends on your appliance, but can take up to 45 minutes depending on the size of the update—for example, if the system is downloading and processing a full IP package. Although a GeoDB update does not interrupt any other system functions (including the ongoing collection of geolocation information), the update does consume system resources while it completes. Consider this when planning your updates.

Schedule GeoDB Updates

As a part of initial configuration, the system schedules weekly GeoDB updates. We recommend you review this task and adjust if necessary, as described in this procedure.

Before you begin

Make sure the management center can access the internet.

Procedure


Step 1

Choose System (system gear icon) > Updates > Geolocation Updates.

Step 2

Under Recurring Geolocation Updates, check Enable Recurring Weekly Updates....

Step 3

Specify the Update Start Time.

Step 4

Click Save.


Manually Update the GeoDB

Use this procedure to perform an on-demand GeoDB update.

Before you begin

If the management center cannot access the internet, get the update from the Cisco Support & Download site: https://www.cisco.com/go/firepower-software. Select or search for your model (or choose any model—you use the same GeoDB for all management centers), then browse to the Coverage and Content Updates page. Download the country code package and the IP package.

Procedure


Step 1

Choose System (system gear icon) > Updates > Geolocation Updates.

Step 2

Under One-Time Geolocation Update, choose how you want to update the GeoDB.

  • Direct download: Choose Download and install....

  • Manual upload: Choose Upload and install..., then click Choose File and browse to the country code package you downloaded earlier.

Step 3

Click Import.

Monitor update progress in the Message Center.

Step 4

Verify update success.

The Geolocation Updates page and the Help (help icon) > About page both list the current version.

Step 5

If you are manually uploading the update, repeat this procedure for the IP package.


Update Intrusion Rules

As new vulnerabilities become known, the Talos Intelligence Group releases intrusion rule updates that you can import onto your management center, and then implement by deploying the changed configuration to your managed devices. These updates affect intrusion rules, preprocessor rules, and the policies that use the rules.

Intrusion rule updates are cumulative, and Cisco recommends you always import the latest update. You cannot import an intrusion rule update that either matches or predates the version of the currently installed rules.

If your deployment includes a high availability pair of management centers, import the update on the primary only. The secondary management center receives the rule update as part of the regular synchronization process.

An intrusion rule update may provide the following:

  • New and modified rules and rule states—Rule updates provide new and updated intrusion and preprocessor rules. For new rules, the rule state may be different in each system-provided intrusion policy. For example, a new rule may be enabled in the Security over Connectivity intrusion policy and disabled in the Connectivity over Security intrusion policy. Rule updates may also change the default state of existing rules, or delete existing rules entirely.

  • New rule categories—Rule updates may include new rule categories, which are always added.

  • Modified preprocessor and advanced settings—Rule updates may change the advanced settings in the system-provided intrusion policies and the preprocessor settings in system-provided network analysis policies. They can also update default values for the advanced preprocessing and performance options in your access control policies.

  • New and modified variables—Rule updates may modify default values for existing default variables, but do not override your changes. New variables are always added.

In a multidomain deployment, you can import local intrusion rules in any domain, but you can import intrusion rule updates from Talos in the Global domain only.

Understanding When Intrusion Rule Updates Modify Policies

Intrusion rule updates can affect both system-provided and custom network analysis policies, as well as all access control policies:

  • system provided—Changes to system-provided network analysis and intrusion policies, as well as any changes to advanced access control settings, automatically take effect when you re-deploy the policies after the update.

  • custom—Because every custom network analysis and intrusion policy uses a system-provided policy as its base, or as the eventual base in a policy chain, rule updates can affect custom network analysis and intrusion policies. However, you can prevent rule updates from automatically making those changes. This allows you to update system-provided base policies manually, on a schedule independent of rule update imports. Regardless of your choice (implemented on a per-custom-policy basis), updates to system-provided policies do not override any settings you customized.

Note that importing a rule update discards all cached changes to network analysis and intrusion policies. For your convenience, the Rule Updates page lists policies with cached changes and the users who made those changes.

Deploying Intrusion Rule Updates

For changes made by an intrusion rule update to take effect, you must redeploy configurations. When importing a rule update, you can configure the system to automatically redeploy to affected devices. This approach is especially useful if you allow the intrusion rule update to modify system-provided base intrusion policies.


Caution


Although a rule update by itself does not restart the Snort process when you deploy, other changes you have made may. Restarting Snort briefly interrupts traffic flow and inspection on all devices, including those configured for high availability/scalability. Interface configurations determine whether traffic drops or passes without inspection during the interruption. When you deploy without restarting Snort, resource demands may result in a small number of packets dropping without inspection.


Recurring Intrusion Rule Updates

You can import rule updates on a daily, weekly, or monthly basis, using the Rule Updates page.

If your deployment includes a high availability pair of management centers, import the update on the primary only. The secondary management center receives the rule update as part of the regular synchronization process.

Applicable subtasks in the intrusion rule update import occur in the following order: download, install, base policy update, and configuration deploy. When one subtask completes, the next subtask begins.

At the scheduled time, the system installs the rule update and deploys the changed configuration as you specified in the previous step. You can log off or use the web interface to perform other tasks before or during the import. When accessed during an import, the Rule Update Log displays a Red Status (red status icon), and you can view messages as they occur in the Rule Update Log detailed view. Depending on the rule update size and content, several minutes may pass before status messages appear.

As a part of initial configuration, the system schedules daily intrusion rule updates. We recommend you review this task and adjust if necessary, as described in Schedule Intrusion Rule Updates.

Importing Local Intrusion Rules

A local intrusion rule is a custom standard text rule that you import from a local machine as a plain text file with ASCII or UTF-8 encoding. You can create local rules using the instructions in the Snort users manual, which is available at http://www.snort.org.

In a multidomain deployment, you can import local intrusion rules in any domain. You can view local intrusion rules imported in the current domain and ancestor domains.

Schedule Intrusion Rule Updates

As a part of initial configuration, the system schedules daily intrusion rule updates. We recommend you review this task and adjust if necessary, as described in this procedure.

Before you begin

  • Make sure your process for updating intrusion rules complies with your security policies.

  • Consider the update's effect on traffic flow and inspection due to bandwidth constraints and Snort restarts. We recommend performing updates in a maintenance window.

  • Make sure the management center can access the internet.

Procedure


Step 1

Choose System (system gear icon) > Updates > Rule Updates.

Step 2

Under Recurring Rule Update Imports, check Enable Recurring Rule Update Imports.

Step 3

Specify the Import Frequency and start time.

Step 4

(Optional) Check Reapply all policies... to deploy after each update.

Step 5

Click Save.


Manually Update Intrusion Rules

Use this procedure to perform an on-demand intrusion rule update.

Before you begin

  • Make sure your process for updating intrusion rules complies with your security policies.

  • Consider the update's effect on traffic flow and inspection due to bandwidth constraints and Snort restarts. We recommend performing updates in a maintenance window.

  • If the management center cannot access the internet, get the update from the Cisco Support & Download site: https://www.cisco.com/go/firepower-software. Select or search for your model (or choose any model—you use the same SRU or LSP for all management centers), then browse to the Coverage and Content Updates page.

Procedure


Step 1

Choose System (system gear icon) > Updates > Rule Updates.

Step 2

Under One-Time Rule Update/Rules Import, choose how you want to update intrusion rules.

  • Direct download: Choose Download new rule update....

  • Manual upload: Choose Rule update or text rule file..., then click Choose File and browse to the intrusion rule update.

Step 3

(Optional) Check Reapply all policies... to deploy after the update.

Step 4

Click Import.

Monitor update progress in the Message Center. Even if the Message Center shows no progress for several minutes or indicates that the update has failed, do not restart the update. Instead, contact Cisco TAC.

Step 5

Verify update success.

Choose Help (help icon) > About to view the current rule update version.


What to do next

If you did not deploy as a part of the update, deploy now; see Deploy Configuration Changes.

Import Local Intrusion Rules

Use this procedure to import local intrusion rules. Imported intrusion rules appear in the local rule category in a disabled state. You can perform this task in any domain.

Before you begin

  • Make sure your local rule file follows the guidelines described in Best Practices for Importing Local Intrusion Rules.

  • Make sure your process for importing local intrusion rules complies with your security policies.

  • Consider the import's effect on traffic flow and inspection due to bandwidth constraints and Snort restarts. We recommend scheduling rule updates during maintenance windows.

Procedure


Step 1

Choose System (system gear icon) > Updates > Rule Updates.

You can also click Import Rules in the intrusion rules editor (Objects > Intrusion Rules).

Step 2

(Optional) Delete existing local rules.

Click Delete All Local Rules, then confirm that you want to move all created and imported intrusion rules to the deleted folder.

Step 3

Under One-Time Rule Update/Rules Import, choose Rule update or text rule file to upload and install, then click Choose File and browse to your local rule file.

Step 4

Click Import.

You can monitor import progress in the Message Center. Even if the Message Center shows no progress for several minutes or indicates that the update has failed, do not restart the import. Instead, contact Cisco TAC.

What to do next

  • Edit intrusion policies and enable the rules you imported.

  • Deploy configuration changes.

Best Practices for Importing Local Intrusion Rules

Observe the following guidelines when importing a local rule file:

  • The rules importer requires that all custom rules are imported in a plain text file encoded in ASCII or UTF-8.

  • The text file name can include alphanumeric characters, spaces, and no special characters other than underscore (_), period (.), and dash (-).

  • The system imports local rules preceded with a single pound character (#), but they are flagged as deleted.

  • The system imports local rules preceded with a single pound character (#), and does not import local rules preceded with two pound characters (##).

  • Rules cannot contain any escape characters.

  • In a multidomain deployment, the system assigns a GID of 1 to a rule imported into or created in the Global domain, and a domain-specific GID between 1000 and 2000 for all other domains.

  • You do not have to specify a Generator ID (GID) when importing a local rule. If you do, specify only GID 1 for a standard text rule.

  • When importing a rule for the first time, do not specify a Snort ID (SID) or revision number. This avoids collisions with SIDs of other rules, including deleted rules. The system will automatically assign the rule the next available custom rule SID of 1000000 or greater, and a revision number of 1.

    If you must import rules with SIDs, a SID can be any unique number 1,000,000 or greater.

    In a multidomain deployment, if multiple administrators are importing local rules at the same time, SIDs within an individual domain might appear to be non-sequential because the system assigned the intervening numbers in the sequence to another domain.

  • When importing an updated version of a local rule you have previously imported, or when reinstating a local rule you have deleted, you must include the SID assigned by the system and a revision number greater than the current revision number. You can determine the revision number for a current or deleted rule by editing the rule.


    Note


    The system automatically increments the revision number when you delete a local rule; this is a device that allows you to reinstate local rules. All deleted local rules are moved from the local rule category to the deleted rule category.
  • Import local rules on the primary management center in a high availability pair to avoid SID numbering issues.

  • The import fails if a rule contains any of the following: .

    • A SID greater than 2147483647.

    • A list of source or destination ports that is longer than 64 characters.

    • When importing into the Global domain in a multidomain deployment, a GID:SID combination uses GID 1 and a SID that already exists in another domain; this indicates that the combination existed before Version 6.2.1. You can reimport the rule using GID 1 and a unique SID.

  • Policy validation fails if you enable an imported local rule that uses the deprecated threshold keyword in combination with the intrusion event thresholding feature in an intrusion policy.

  • All imported local rules are automatically saved in the local rule category.

  • The system always sets local rules that you import to the disabled rule state. You must manually set the state of local rules before you can use them in your intrusion policy.

View Intrusion Rule Update Logs

The system generates logs of rule updates/imports, listed by timestamp, user, and whether each update succeeded or failed. These logs contain detailed import information on all updated rules and components; see Intrusion Rule Update Log Details.

Use this procedure to view rule import logs. Note that deleting an import log does not delete the imported objects. In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

Procedure


Step 1

Choose System (system gear icon) > Updates > Rule Updates.

Step 2

Click Rule Update Log.

Step 3

(Optional) View details for any rule update by clicking View (View button) next to the log file.


Intrusion Rule Update Log Details


Tip


You search the entire Rule Update Import Log database even when you initiate a search by clicking Search on the toolbar from the Rule Update Import Log detailed view with only the records for a single import file displayed. Make sure you set your time constraints to include all objects you want to include in the search.


Table 2. Intrusion Rule Update Log Details

Field

Description

Action

An indication that one of the following has occurred for the object type:

  • new (for a rule, this is the first time the rule has been stored on this appliance)

  • changed (for a rule update component or rule, the rule update component has been modified, or the rule has a higher revision number and the same GID and SID)

  • collision (for a rule update component or rule, import was skipped because its revision conflicts with an existing component or rule on the appliance)

  • deleted (for rules, the rule has been deleted from the rule update)

  • enabled (for a rule update edit, a preprocessor, rule, or other feature has been enabled in a default policy provided with the system)

  • disabled (for rules, the rule has been disabled in a default policy provided with the system)

  • drop (for rules, the rule has been set to Drop and Generate Events in a default policy provided with the system)

  • error (for a rule update or local rule file, the import failed)

  • apply (the Reapply all policies after the rule update import completes option was enabled for the import)

Default Action

The default action defined by the rule update. When the imported object type is rule, the default action is Pass, Alert, or Drop. For all other imported object types, there is no default action.

Details

A string unique to the component or rule. For rules, the GID, SID, and previous revision number for a changed rule, displayed as previously (GID:SID:Rev). This field is blank for a rule that has not changed.

Domain

The domain whose intrusion policies can use the updated rule. Intrusion policies in descendant domains can also use the rule. This field is only present in a multidomain deployment.

GID

The generator ID for a rule. For example, 1 (standard text rule, Global domain or legacy GID) or 3 (shared object rule).

Name

The name of the imported object, which for rules corresponds to the rule Message field, and for rule update components is the component name.

Policy

For imported rules, this field displays All. This means that the rule was imported successfully, and can be enabled in all appropriate default intrusion policies. For other types of imported objects, this field is blank.

Rev

The revision number for a rule.

Rule Update

The rule update file name.

SID

The SID for a rule.

Time

The time and date the import began.

Type

The type of imported object, which can be one of the following:

  • rule update component (an imported component such as a rule pack or policy pack)

  • rule (for rules, a new or updated rule)

  • policy apply (the Reapply all policies after the rule update import completes option was enabled for the import)

Count

The count (1) for each record. The Count field appears in a table view when the table is constrained, and the Rule Update Log detailed view is constrained by default to rule update records. This field is not searchable.