topic @niravgunjan , in Network Security

VDB update to Firepower module on ASA

niravgunjan — Tue, 12 Mar 2019 13:18:26 GMT

Do we need to update VDB update separately on firepower module or updarting on FMC is enough?FMC version 5.4

Hi There,

yogdhanu — Sun, 26 Feb 2017 09:54:22 GMT

Hi There,

Yes VDB needs to be updated separately apart from FMC/module upgrade.

FMC or module upgrade, upgrades the software/OS of the device. VDB is a database on which application detection/prevention works.

Hope that helps.

Thanks

Yogesh

Rate if helps.

how can i check what is VDB

niravgunjan — Sun, 26 Feb 2017 15:10:51 GMT

how can i check what is VDB version on Sensors which are managed by FMC?

If your access Control

Marvin Rhoads — Mon, 27 Feb 2017 03:34:28 GMT

If your access Control Policies are up to date on all of your sensors, they will have the VDB that is installed on your FMC.

The best practice is to have scheduled jobs to download and install the latest updates and re-deploy policy on a regular basis. I use weekly periodicity.

Your audit log should also show you the events when the above happens (whether scheduled or manual). You can filter as shown in this example:

https://<Your FMC address or FQDN>/events/?table=audit_log&constraints=message%3DDeployment-%2C-VDB&workflow=Audit%20Log&page=0

Make sure you adjust the time window to be a couple of weeks - the default is last hour.

It shows VDB updated on FMC

niravgunjan — Mon, 27 Feb 2017 08:03:58 GMT

It shows VDB updated on FMC .Does it mean redeploying policies also installs VDB updates to sensor?

You are correct. You can

yogdhanu — Mon, 27 Feb 2017 09:21:04 GMT

You are correct. You can check current VDB version by navigating to Help>About and match it with the current VDB update 279.

Deploying policy will push the new update to sensors as well.

Thanks

Yogesh

Rate if helps.

Is there a way to directly

tato386 — Sun, 12 Mar 2017 22:01:08 GMT

Is there a way to directly confirm which VDB is loaded on a sensor?

Thanks,

Diego

The method Yogesh and I both

Marvin Rhoads — Mon, 13 Mar 2017 02:09:40 GMT

The method Yogesh and I both mentioned is the supported approach.

If you log into a sensor and change to expert mode you can also see the information in the ngfw.rules file.

Take care not to change anything in this mode - it can brick your sensor without too much effort.

> expert
admin@firepower:~$ cat /var/sf/detection_engines/*/ngfw.rules
#### ngfw.rules
##############################################################################
#
# AC Name : Lab Access Control
# Policy Exported : Fri Mar 10 04:08:34 2017 (UTC)
# File Written : Fri Mar 10 04:09:32 2017 (UTC)
#
# DC Version : 6.2.0
# SRU : 2017-03-09-002-vrt
# VDB : 279
#
##############################################################################
#
policy 00505687-0476-0ed3-0000-034359744830
revision 00000000-0000-0000-0000-000058c226c2
interface 123 78c50696-90ac-11e6-bb9e-9db906e7ee0d
zone 0 78f9cf34-90ac-11e6-bb9e-9db906e7ee0d
http_block /var/sf/detection_engines/da31b3fa-7a01-11e6-a59a-8e590377015b/httpBlock.html
http_bypass /var/sf/detection_engines/da31b3fa-7a01-11e6-a59a-8e590377015b/httpBypass.html

iab_mode Off
# Start of AC rule. 
268435461 audit any any any any any any any any (log dcforward flowend) (urlcat 76)
268435464 allow any any any any any any any any (log dcforward flowend) (ipspolicy 52)
# End of AC rule. 
admin@firepower:~$

This certainly works (and so

tato386 — Mon, 13 Mar 2017 15:32:42 GMT

This certainly works (and so does "show version" from the > prompt) but what I had in mind was something I can do from the FMC since that is where you spend 95% of your time and also this being an enterprise management console we don't want to have to go SSHing around to a few dozen boxes!

Thanks

Diego

If you just look at the top

Marvin Rhoads — Tue, 14 Mar 2017 02:41:53 GMT

If you just look at the top level device management page it indicates whether all of your devices' policies are up to date. If they are, then they all have the same VDB version that's installed on the FMC.

Yes, I agree but it would

tato386 — Tue, 14 Mar 2017 14:05:17 GMT

Yes, I agree but it would just make me feel better if they would explicitly show versions so that you don't have to infer or extrapolate that since the access policy is up to date then so are all other components.

It's just the paranoid/ocd part of me showing a little bit. 😉

Thanks,

Diego

I am not able to login to

niravgunjan — Tue, 21 Mar 2017 14:53:25 GMT

I am not able to login to Firepower module in ASA-5555-x via CLI.these modules are managed by FMC.How can i reset ID paaswprd?

@niravgunjan ,

Marvin Rhoads — Tue, 21 Mar 2017 16:06:32 GMT

niravgunjan ,

Please see the following doc:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118631-technote-firesight-00.html#anc5

The command, from the ASA enable mode, is:

session sfr do password-reset

Thankyou all for the response

niravgunjan — Mon, 27 Mar 2017 10:44:06 GMT

Thankyou all for the response

Re: Yes, I agree but it would

Muhammad Abubakar — Thu, 12 Mar 2020 06:22:28 GMT

Hi All, Any workaround for this to see device VDB & SRU versions from FMC CLI?