Choose and direct-download upgrade
packages to the management center from Cisco.
|
Any
|
You can now choose which threat defense upgrade packages you
want to direct download to the management center. Use the
new Download
Updates sub-tab on .
Other version restrictions: this feature is replaced by an
improved package management system in Version 20240203.
See: Download Upgrade Packages
with the Management Center
|
Upload upgrade packages to the
management center from the threat defense wizard.
|
Any
|
You now use the wizard to upload threat defense upgrade
packages or specify their location. Previously
you used System ().
Minimum management center: 7.3.0
See: Upgrade Threat
Defense
|
Select devices to upgrade from
the threat defense upgrade wizard.
|
Any
|
Use the wizard to select devices to upgrade.
You can now use the threat defense upgrade wizard to select
or refine the devices to upgrade. On the wizard, you can
toggle the view between selected devices, remaining upgrade
candidates, ineligible devices (with reasons why), devices
that need the upgrade package, and so on. Previously, you
could only use the Device Management page and the process
was much less flexible.
See: Cisco Secure Firewall Threat
Defense Upgrade Guide for Management Center
|
Unattended threat defense
upgrades.
|
Any
|
|
Simultaneous threat defense
upgrade workflows by different users.
|
Any
|
|
Skip pre-upgrade troubleshoot
generation for threat defense devices.
|
Any
|
You can now skip the automatic generation of troubleshooting
files before major and maintenance upgrades by disabling the
new Generate troubleshooting files before upgrade begins
option. This saves time and disk space.
To manually generate troubleshooting files for a threat
defense device, choose System (), click the device in the
left panel, then View System & Troubleshoot Details, then
Generate Troubleshooting Files.
See: Cisco Secure Firewall Threat
Defense Upgrade Guide for Management Center
|
Auto-upgrade to Snort 3 after
successful threat defense upgrade is no longer
optional.
|
Any
|
Upgrade impact.
When you upgrade threat defense to Version 7.3+, you can no
longer disable the Upgrade Snort 2 to Snort
3 option.
After the software upgrade, all eligible devices will upgrade
from Snort 2 to Snort 3 when you deploy configurations.
Although you can switch individual devices back, Snort 2
will be deprecated in a future release and we strongly
recommend you stop using it now.
For devices that are ineligible for auto-upgrade because they
use custom intrusion or network analysis policies, we
strongly recommend you manually upgrade to Snort 3 for
improved detection and performance. For migration
assistance, see the Cisco Secure Firewall
Management Center Snort 3 Configuration
Guide for your version.
|
Combined upgrade and install package
for Secure Firewall 3100.
|
7.3.0
|
Reimage Impact.
In Version 7.3, we combined the threat defense install and
upgrade package for the Secure Firewall 3100, as
follows:
- Version 7.1–7.2 install package: cisco-ftd-fp3k.version.SPA
- Version 7.1–7.2 upgrade package: Cisco_FTD_SSP_FP3K_Upgrade-version-build.sh.REL.tar
- Version 7.3+ combined package: Cisco_FTD_SSP_FP3K_Upgrade-version-build.sh.REL.tar
Although you can upgrade threat defense without issue, you
cannot reimage from older threat defense and ASA versions
directly to threat defense Version 7.3+. This is due to a
ROMMON update required by the new image type. To reimage
from those older versions, you must "go through" ASA 9.19+,
which is supported with the old ROMMON but also updates to
the new ROMMON. There is no separate ROMMON updater.
To get to threat defense Version 7.3+, your options are:
|
Content Updates
|
Automatic VDB downloads.
|
Any
|
The initial setup on the management center schedules a weekly
task to download the latest available software updates,
which now includes the latest vulnerability database (VDB).
We recommend you review this weekly task and adjust if
necessary. Optionally, schedule a new weekly task to
actually update the VDB and deploy configurations.
New/modified screens: The Vulnerability
Database check box is now enabled by default
in the system-created Weekly Software
Download scheduled task.
|
Install any VDB.
|
Any
|
Starting with VDB 357, you can now install any VDB as far
back as the baseline VDB for that management center.
After you update the VDB, deploy configuration changes. If
you based configurations on vulnerabilities, application
detectors, or fingerprints that are no longer available,
examine those configurations to make sure you are handling
traffic as expected. Also, keep in mind that a scheduled task to
update the VDB can undo a rollback. To avoid this, change
the scheduled task or delete any newer VDB packages.
New/modified screens: On System (), if you upload an older VDB, a new
Rollback icon appears instead of
the Install icon.
|