<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How often does IPS update on Firepower devices in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5343755#M1123347</link>
    <description>&lt;P&gt;In an FMC-managed FTD deployment, the IPS updates (SRU and LSP for Snort 2 and Snort 3 respectively) are downloaded from Cisco by the FMC. They are deployed to the managed FTDs only when deployed (the update can be set up to automatically deploy if desired). Only the FMC management interface requires HTTPS (TLS) access to Cisco's repositories. It then sends the updates to the managed devices (when deploying) via the sftunnel management connection (FMC management interface to FTD management interface via TLS over tcp/8305).&lt;/P&gt;</description>
    <pubDate>Fri, 31 Oct 2025 17:32:54 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2025-10-31T17:32:54Z</dc:date>
    <item>
      <title>How often does IPS update on Firepower devices</title>
      <link>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242691#M1118531</link>
      <description>&lt;P&gt;Hi All&lt;/P&gt;&lt;P&gt;On Firepower firewalls, how often does the IPS update?&lt;/P&gt;&lt;P&gt;I can see timers for the "security intelligence" feeds, default 2 hours, but nothing for the intrusion side. I can see some settings under System &amp;gt; Content Updates. Is this it? If so, it looks like you have to push a policy to the FTD for it to get the latest updates? Can this not be automatic?&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="carltownshend_0-1735817875183.png" style="width: 400px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/236876i2AD0E41C66199C0B/image-size/medium?v=v2&amp;amp;px=400" role="button" title="carltownshend_0-1735817875183.png" alt="carltownshend_0-1735817875183.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jan 2025 11:39:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242691#M1118531</guid>
      <dc:creator>carl.townshend</dc:creator>
      <dc:date>2025-01-02T11:39:28Z</dc:date>
    </item>
    <item>
      <title>Re: How often does IPS update on Firepower devices</title>
      <link>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242732#M1118533</link>
      <description>&lt;P&gt;As shown in the screenshot, there is an option to deploy policy after the recurring rule update discovers and downloads new IPS rule sets (Snort Rule Updates (SRUs) for Snort 2 and Local Security Policies (LSPs) for Snort 3 intrusion policies) from cisco.com. That will sync your managed devices' rule sets with those available from Cisco. Rule sets are typically updated by Cisco a couple of times per month.&lt;/P&gt;
&lt;P&gt;You also have the option of automatically tuning your IPS policies by using Firepower recommendations, which further fine-tune your IPS policy based on observed traffic / hosts on your network. That is done via a combination of a setting within the IPS policy and an (optional) recurring job that you set up in the FMC scheduling section.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jan 2025 13:58:55 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242732#M1118533</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2025-01-02T13:58:55Z</dc:date>
    </item>
    <item>
      <title>Re: How often does IPS update on Firepower devices</title>
      <link>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242736#M1118536</link>
      <description>&lt;P&gt;Yep, under &lt;STRONG&gt;System &amp;gt; Content Updates &amp;gt; Rule Updates&lt;/STRONG&gt;, you can set up &lt;STRONG&gt;Recurring Rule Update Imports&lt;/STRONG&gt; (e.g., daily). For it to be fully automatic, check "Deploy updated policies after rule update completes." Without that, you'll need to manually push the policy to apply the updates. Security Intelligence updates are separate (default every 2 hours).&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jan 2025 14:11:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242736#M1118536</guid>
      <dc:creator>PacketWhisperer</dc:creator>
      <dc:date>2025-01-02T14:11:42Z</dc:date>
    </item>
    <item>
      <title>Re: How often does IPS update on Firepower devices</title>
      <link>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242775#M1118539</link>
      <description>&lt;P&gt;Hi, thanks for the info. Are you saying the above setting will push the latest IPS updates out daily? I thought with this being a security device it would pretty much be an automatic setting. On Checkpoint, for example, the daily update happens at midnight by default. Why is this switched off by default and has to be enabled?&lt;/P&gt;&lt;P&gt;What would the recommendation be?&lt;/P&gt;&lt;P&gt;Cheers&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jan 2025 15:15:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242775#M1118539</guid>
      <dc:creator>carl.townshend</dc:creator>
      <dc:date>2025-01-02T15:15:39Z</dc:date>
    </item>
    <item>
      <title>Re: How often does IPS update on Firepower devices</title>
      <link>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242779#M1118540</link>
      <description>&lt;P&gt;Cisco does not publish IPS rule updates daily. You can see the published updates in the software.cisco.com site for FMC here:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://software.cisco.com/download/home/286259687/type/286321931/release/LSP" target="_blank"&gt;https://software.cisco.com/download/home/286259687/type/286321931/release/LSP&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;For instance, there were 10 updates published in October 2024, 7 each in November and December.&lt;/P&gt;
&lt;P&gt;Every vendor bundles their software differently. Cisco Talos has determined that it is most effective to stream SI updates throughout the day, with a 2-hour feed update being the default for FMC and FDM. Snort rules are less frequent - several times monthly as I noted. So if you check for them daily, you will always have the latest ones.&lt;/P&gt;
&lt;P&gt;Many customers do not want to have constant changes to IPS rules since it may be counter to their change management process. Thus, Cisco gives you the option of being anywhere on the spectrum from no updates to having updates the day they are published and further deploying the updates as soon as you get them. If they didn't provide this flexibility, some very large customers would choose not to use them. What's optimal for your use case may be the opposite for another customer.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jan 2025 15:28:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242779#M1118540</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2025-01-02T15:28:52Z</dc:date>
    </item>
    <item>
      <title>Re: How often does IPS update on Firepower devices</title>
      <link>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242790#M1118541</link>
      <description>&lt;P&gt;Thanks Marvin, nice response there.&lt;/P&gt;&lt;P&gt;So when we talk about IPS updates, we are talking about new signatures etc.?&lt;/P&gt;&lt;P&gt;With regards to the SI updates, these are not signatures but networks and URLs, right?&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jan 2025 15:59:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242790#M1118541</guid>
      <dc:creator>carl.townshend</dc:creator>
      <dc:date>2025-01-02T15:59:05Z</dc:date>
    </item>
    <item>
      <title>Re: How often does IPS update on Firepower devices</title>
      <link>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242793#M1118542</link>
      <description>&lt;P&gt;You're welcome &lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1117933"&gt;@carl.townshend&lt;/a&gt; .&lt;/P&gt;
&lt;P&gt;Yes and yes re your two latest questions.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jan 2025 16:05:57 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5242793#M1118542</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2025-01-02T16:05:57Z</dc:date>
    </item>
    <item>
      <title>Re: How often does IPS update on Firepower devices</title>
      <link>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5343690#M1123343</link>
      <description>&lt;P&gt;Hello Marvin,&lt;/P&gt;
&lt;P&gt;I am still starting to understand how IPS works with FTD, so one question please. In the scenario with FTD version 7.X managed with an on-prem FMC, are the IPS updates downloaded by the FMC and then deployed to the FTD with a policy push? Or are they downloaded directly to the FTD? I enabled IPS in a new FTD deployment but I get an error about connectivity with the updates URL. Is this connectivity required from the FMC or from the FTD? I assume these downloads use the management interface, right? Thanks in advance.&lt;/P&gt;
&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Fri, 31 Oct 2025 12:47:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5343690#M1123343</guid>
      <dc:creator>daniel_rs</dc:creator>
      <dc:date>2025-10-31T12:47:38Z</dc:date>
    </item>
    <item>
      <title>Re: How often does IPS update on Firepower devices</title>
      <link>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5343755#M1123347</link>
      <description>&lt;P&gt;In an FMC-managed FTD deployment, the IPS updates (SRU and LSP for Snort 2 and Snort 3 respectively) are downloaded from Cisco by the FMC. They are deployed to the managed FTDs only when deployed (the update can be set up to automatically deploy if desired). Only the FMC management interface requires HTTPS (TLS) access to Cisco's repositories. It then sends the updates to the managed devices (when deploying) via the sftunnel management connection (FMC management interface to FTD management interface via TLS over tcp/8305).&lt;/P&gt;</description>
      <pubDate>Fri, 31 Oct 2025 17:32:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5343755#M1123347</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2025-10-31T17:32:54Z</dc:date>
    </item>
    <item>
      <title>Re: How often does IPS update on Firepower devices</title>
      <link>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5353621#M1123820</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Hi Marvin, do you have any additional info on Cisco Talos SI updates? It seems to me administrators don't have the same control on when these get applied. When we go to deploy a change we see that user "system" modified something, but the details are opaque. I've been bit with what I believe is a bad EVE fingerprint blocking legit traffic. Any idea on how we can control or see Talos SI updates? Thanks,&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 09 Dec 2025 21:38:35 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5353621#M1123820</guid>
      <dc:creator>danielpacheco613</dc:creator>
      <dc:date>2025-12-09T21:38:35Z</dc:date>
    </item>
    <item>
      <title>Re: How often does IPS update on Firepower devices</title>
      <link>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5353917#M1123829</link>
      <description>&lt;P&gt;SI feeds are pushed to the managed devices when they arrive on FMC; there's no deployment required.&lt;/P&gt;
&lt;P&gt;The updates attributed to the system user when you do a deployment are more likely IPS rules that result from FMC having updated the SRU / LSP packages for Snort 2 / 3 respectively.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Dec 2025 15:00:43 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/how-often-does-ips-update-on-firepower-devices/m-p/5353917#M1123829</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2025-12-10T15:00:43Z</dc:date>
    </item>
  </channel>
</rss>

