Installing Software Updates
You can install updates to the system databases and to the system software. The following topics explain how to install these updates.
Updating System Databases and Feeds
The system uses several databases and Security Intelligence feeds to provide advanced services. Cisco provides updates to these databases and feeds so that your security policies use the latest information available.
Overview of System Database and Feed Updates
Threat Defense uses the following databases and feeds to provide advanced services.
- Intrusion rules
-
As new vulnerabilities become known, the Cisco Talos Intelligence Group (Talos) releases intrusion rule updates that you can import. These updates affect intrusion rules, preprocessor rules, and the policies that use the rules.
Intrusion rule updates provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. Rule updates may also delete rules, provide new rule categories and default variables, and modify default variable values.
For changes made by an intrusion rule update to take effect, you must redeploy the configuration.
Intrusion rule updates may be large, so import rules during periods of low network use. On slow networks, an update attempt might fail, and you will need to retry.
- Geolocation database (GeoDB)
-
The Cisco Geolocation Database (GeoDB) is a database of geographical data (such as country, city, coordinates) associated with routable IP addresses.
GeoDB updates provide updated information on physical locations that your system can associate with detected routable IP addresses. You can use geolocation data as a condition in access control rules.
The time needed to update the GeoDB depends on your appliance; the installation usually takes 30 to 40 minutes. Although a GeoDB update does not interrupt any other system functions (including the ongoing collection of geolocation information), the update does consume system resources while it completes. Consider this when planning your updates.
- Vulnerability database (VDB)
-
The Cisco Vulnerability Database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications. The firewall system correlates the fingerprints with the vulnerabilities to help you determine whether a particular host increases your risk of network compromise. The Cisco Talos Intelligence Group (Talos) issues periodic updates to the VDB.
The time it takes to update vulnerability mappings depends on the number of hosts in your network map. You may want to schedule the update during low system usage times to minimize the impact of any system downtime. As a rule of thumb, divide the number of hosts on your network by 1000 to determine the approximate number of minutes to perform the update.
After you update the VDB, you must redeploy configurations before updated application detectors and operating system fingerprints can take effect.
- Cisco Talos Intelligence Group (Talos) Security Intelligence Feeds
-
Talos provides access to regularly updated intelligence feeds for use in Security Intelligence policies. Sites representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you can update and deploy custom configurations. These feeds contain addresses and URLs for known threats. When the system updates a feed, you do not have to redeploy. The new lists are used for evaluating subsequent connections.
- URL Category/Reputation Database
-
The system obtains the URL category and reputation database from Cisco Collective Security Intelligence (CSI). If you configure URL filtering access control rules that filter on category and reputation, requested URLs are matched against the database. You can configure database updates and some other URL filtering preferences on
. You cannot manage URL category/reputation database updates the same way you manage updates for the other system databases.
Updating System Databases
You can manually retrieve and apply system database updates at your convenience. Updates are retrieved from the Cisco support site. Thus, there must be a path to the internet from the system's management address.
Alternatively, you can retrieve the update packages from the internet yourself, then upload them from your workstation. This method is primarily meant for air-gapped networks, where there is no path to the internet for retrieving the updates from Cisco. Download the updates from software.cisco.com from the same folders where you would download system software upgrades.
Note |
In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The device manager does not and has never used the information in the IP package. This split saves significant disk space in locally managed threat defense deployments. If you are getting the GeoDB from Cisco yourself, make sure you get the country code package, which has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build. |
You can also set up a regular schedule to retrieve and apply database updates. Because these updates can be large, schedule them for times of low network activity.
Note |
While a database update is in progress, you might find that the user interface is sluggish to respond to your actions. |
Before you begin
To avoid any potential impact to pending changes, deploy the configuration to the device before manually updating these databases.
Please be aware that VDB and URL category updates can remove applications or categories. You need to update any access control or SSL decryption rules that use these deprecated items before you can deploy changes.
Procedure
Step 1 |
Click Device, then click View Configuration in the Updates summary. This opens the Updates page. Information on the page shows the current version for each database and the last date and time each database was updated. |
||
Step 2 |
To manually update a database, click one of the following options in the section for that database:
Rule and VDB updates require a configuration deployment to make them active. When you update from the cloud, you are asked whether you want to deploy now; click Yes. If you click No, remember to initiate a deployment job at your earliest convenience. If you upload your own file, you must always deploy the changes manually.
|
||
Step 3 |
(Optional) To set up a regular database update schedule:
|
Updating Cisco Security Intelligence Feeds
Cisco Talos Intelligence Group (Talos) provides access to regularly updated Security Intelligence feeds. Sites representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you can update and deploy custom configurations. When the system updates a feed, you do not have to redeploy. The new lists are used for evaluating subsequent connections.
If you want strict control over when the system updates a feed from the Internet, you can disable automatic updates for that feed. However, automatic updates ensure the most up-to-date, relevant data.
Procedure
Step 1 |
Click Device, then click View Configuration in the Updates summary. This opens the Updates page. Information on the page shows the current version for the Security Intelligence Feeds and the last date and time the feeds were updated. |
Step 2 |
To manually update the feeds, click Update Now in the Security Intelligence Feeds group. If you manually update the feeds on one unit in a high availability group, you need to also manually update them on the other unit to ensure consistency. |
Step 3 |
(Optional.) To configure a regular update frequency: |
Upgrading Threat Defense
Use this procedure to upgrade a standalone threat defense device. If you need to update FXOS, do that first. To upgrade high availability threat defense, see Upgrading High Availability Threat Defense.
Caution |
Traffic is dropped while you upgrade. Even if the system appears inactive or unresponsive, do not manually reboot or shut down during upgrade; you could place the system in an unusable state and require a reimage. You can manually cancel failed or in-progress upgrades, and retry failed upgrades. If you continue to have issues, contact Cisco TAC. For details on these and other issues you may encounter during upgrade, see Troubleshooting Threat Defense Upgrades. |
Before you begin
Complete upgrade planning. Make sure your deployment is healthy and successfully communicating.
Tip |
Upgrade planning starts with reading the Cisco Secure Firewall Threat Defense Release Notes. It then includes taking backups, obtaining upgrade packages, and performing associated upgrades (such as FXOS for the Firepower 4100/9300). It also includes checks for necessary configuration changes, readiness checks, disk space checks, and checks for both running and scheduled tasks. For details, see the Cisco Secure Firewall Threat Defense Upgrade Guide for Device Manager for your version. |
Procedure
Step 1 |
Select Device, then click View Configuration in the Updates panel. |
Step 2 |
Upload the upgrade package. You can upload one package only. If you upload a new package, it replaces the old one. Make sure you have the correct package for your target version and device model. Click Browse or Replace File to begin the upload. When the upload completes, the system displays a confirmation dialog box. Before you click OK, optionally select Run Upgrade Immediately to choose rollback options and upgrade now. If you upgrade now, it is especially important to have completed as much of the pre-upgrade checklist as possible (see the next step). |
Step 3 |
Perform final pre-upgrade checks, including the readiness check. Revisit the pre-upgrade checklist. Make sure you have completed all relevant tasks, especially the final checks. If you do not run the readiness check manually, it runs when you initiate the upgrade. If the readiness check fails, the upgrade is canceled. For more information, see Running an Upgrade Readiness Check. |
Step 4 |
Click Upgrade Now to start the upgrade. |
Step 5 |
Log back in when you can and verify upgrade success. The Device Summary page shows the currently running software version. |
Step 6 |
Complete post-upgrade tasks.
|
Running an Upgrade Readiness Check
Before the system installs an upgrade, it runs a readiness check to ensure the upgrade is valid for the system, and to check other items that sometimes prevent a successful upgrade. If the readiness check fails, you should fix the problems before trying the installation again. If the check has failed, you will be prompted about the failure the next time you try the installation, and you are given the option to force the installation if you want to.
You can also manually run the readiness check prior to initiating the upgrade, as described in this procedure.
Before you begin
Upload the upgrade package you want to check.
Procedure
Step 1 |
Select Device, then click View Configuration in the Updates summary. The System Upgrade section shows the currently running software version and any update that you have already uploaded. |
Step 2 |
Look at the Readiness Check section.
|
Step 3 |
If the readiness check fails, you should resolve the issues before you install the upgrade. The detailed information includes help on how to fix indicated problems. For a failed script, click the Show Recovery Message link to see the information. Following are some typical problems:
|
Monitoring Threat Defense Upgrades
When you start the threat defense upgrade, you are automatically logged off and taken to a status page where you can monitor overall upgrade progress. The page also includes an option to cancel the in-progress installation. If you disabled automatic rollback and the upgrade fails, the page allows you to manually cancel or retry the upgrade.
You can also SSH to the device and use the CLI: show upgrade status . Add the continuous keyword to view log entries as they are made, and detail to see detailed information. Add both keywords to get continuous detailed information.
After the upgrade completes, you lose access to the status page and the CLI when the device reboots.
Canceling or Retrying Threat Defense Upgrades
Use the upgrade status page or the CLI to manually cancel failed or in-progress major or maintenance upgrades, and to retry failed upgrades:
-
Upgrade status page: Click Cancel Upgrade to cancel an in-process upgrade. If the upgrade fails, you can click Cancel Upgrade to stop the job and to return to the state of the device prior to the upgrade, or click Continue to retry the upgrade.
-
CLI: Use upgrade cancel to cancel an in-process upgrade. If the upgrade fails, you can use upgrade cancel to stop the job and to return to the state of the device prior to the upgrade, or use upgrade retry to retry the upgrade.
Note |
By default, threat defense automatically reverts to its pre-upgrade state upon upgrade failure ("auto-cancel"). To be able to manually cancel or retry a failed upgrade, disable the auto-cancel option when you initiate the upgrade. In a high availability deployment, auto-cancel applies to each device individually. That is, if the upgrade fails on one device, only that device is reverted. |
Cancel and retry are not supported for patches. For information on reverting a successful upgrade, see Reverting Threat Defense.
Reverting Threat Defense
If a major or maintenance upgrade succeeds but the system does not function to your expectations, you can revert. Reverting threat defense returns the software to its state just before the last major or maintenance upgrade; post-upgrade configuration changes are not retained. Reverting after patching necessarily removes patches as well. Note that you cannot revert hotfixes.
The following procedure explains how to revert from device manager. If you cannot get into device manager, you can revert from the threat defense command line in an SSH session using the upgrade revert command. You can use the show upgrade revert-info command to see what version the system will revert to.
Before you begin
If the unit is part of a high availability pair, you must revert both units. Ideally, initiate the revert on both units at the same time so that the configuration can be reverted without failover issues. Open sessions with both units and verify that revert will be possible on each, then start the processes. Note that traffic will be interrupted during the revert, so do this at off hours if at all possible.
For the Firepower 4100/9300 chassis, major threat defense versions have a specially qualified and recommended companion FXOS version. This means that after you revert the threat defense software, you might be running a non-recommended version of FXOS (too new). Although newer versions of FXOS are backwards compatible with older the threat defense versions, we do perform enhanced testing for the recommended combinations. You cannot downgrade FXOS, so if you find yourself in this situation, and you want to run a recommended combination, you will need to reimage the device.
Procedure
Step 1 |
Select Device, then click View Configuration in the Updates summary. |
Step 2 |
In the System Upgrade section, click the Revert Upgrade link. You are presented with a confirmation dialog box that shows the current version and the version to which the system will revert. If there is no available version to revert to, there will not be a Revert Upgrade link. |
Step 3 |
If you are comfortable with the target version (and one is available), click Revert. After you revert, you must re-register the device with the Smart Software Manager. |
Troubleshooting Threat Defense Upgrades
These issues can occur when you are upgrading any device, whether standalone or in a high availability pair. To troubleshoot issues specific to high availability upgrades, see Troubleshooting High Availability Threat Defense Upgrades.
- Upgrade package errors.
-
To find the correct upgrade package, select or search for your model on the Cisco Support & Download site, then browse to the software download page for the appropriate version. Available upgrade packages are listed along with installation packages, hotfixes, and other applicable downloads. Upgrade package file names reflect the platform, package type (upgrade, patch, hotfix), software version, and build.
Upgrade packages from Version 6.2.1+ are signed, and terminate in .sh.REL.tar. Do not untar signed upgrade packages. Do not rename upgrade packages or transfer them by email.
- Cannot reach the device at all during upgrade.
-
Devices stop passing traffic during the upgrade or if the upgrade fails. Before you upgrade, make sure traffic from your location does not have to traverse the device itself to access the device's management interface.
- Device appears inactive or is unresponsive during upgrade.
-
You can manually cancel in-progress major and maintenance upgrades; see Canceling or Retrying Threat Defense Upgrades. If the device is unresponsive, or if you cannot cancel the upgrade, contact Cisco TAC.
- Upgrade is successful but the system does not function to your expectations.
-
First, make sure that cached information gets refreshed. Do not simply refresh the browser window to log back in. Instead, delete any "extra" path from the URL and reconnect to the home page; for example, http://threat-defense.example.com/.
- Upgrade fails.
-
When you initiate a major or maintenance upgrade, you use the Automatically cancel on upgrade failure... (auto-cancel) option to choose what happens if upgrade fails, as follows:
-
Auto-cancel enabled (default): If upgrade fails, the upgrade cancels and the device automatically reverts to its pre-upgrade state. Correct any issues and try again later.
-
Auto-cancel disabled: If upgrade fails, the device remains as it is. Correct the issues and retry immediately, or manually cancel the upgrade and try again later.
For more information, see Canceling or Retrying Threat Defense Upgrades. If you cannot retry or cancel, or if you continue to have issues, contact Cisco TAC.
-
Reimaging the Device
Reimaging a device involves wiping out the device configuration and installing a fresh software image. The intention of reimaging is to have a clean installation with a factory default configuration.
You would reimage the device in these circumstances:
-
You want to convert the system from ASA Software to threat defense Software. You cannot upgrade a device running an ASA image to one running a threat defense image.
-
The device is not functioning correctly and all attempts at fixing the configuration have failed.
For information on how to reimage a device, see Reimage the Cisco ASA or Threat Defense Device or the Threat Defense Quick Start guide for your device model. These guides are available at http://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-guides-list.html.