topic Re: Firepower rulee update in Network Security

Firepower rulee update

sahrizal123 — Fri, 21 Feb 2020 15:34:18 GMT

Hi,

I have cisco 5516x with firepower.

My firepower install at FMC version 5.4.1.

Below my question.

1. what is the best practice to update the rule ( System > Update > Rule Updates ) by weekly basis or monthly ?

2. Any impact during the rule update?

3. how rollback in case any issue.

Re: Firepower rulee update

yogdhanu — Wed, 28 Mar 2018 09:00:36 GMT

Hello,

Its recommended to update the rules weekly basis as they are released to make sure you are covered by latest security update.

There is no direct impact during the update. Once the update is downloaded, its stored in FMC but not yet applied on sensor/FTD unless you have selected to deploy policy also with auto update.

Once you deploy the policy again, new updates are installed along with the deployment.

You can track the changes as well. Check an old forum update (related)

https://supportforums.cisco.com/t5/firesight-system-3d-system/firesight-rule-update/td-p/2777508

But there is not official/easy way of rollback. But in case its absolutely required, you can reach out to TAC and it can be done although not recommended.

Hope it helps,

Yogesh

Re: Firepower rulee update

Marvin Rhoads — Wed, 28 Mar 2018 12:15:14 GMT

@sahrizal123,

My firepower install at FMC version 5.4.1.

You should really upgrade your Firepower software. Your version is quite old and there are many bug fixes and new features in the 3 major and many minor releases since 5.4.x.

Re: Firepower rulee update

sahrizal123 — Thu, 29 Mar 2018 03:22:28 GMT

Thank you Yogesh, noted will update weekly basis.

Re: Firepower rulee update

sahrizal123 — Thu, 29 Mar 2018 03:23:18 GMT

Thank you Marvin, we will upgrade after updated the Rule.
Now pending maintenance window.

Re: Firepower rulee update

sahrizal123 — Thu, 29 Mar 2018 03:49:39 GMT

Hi Marvin,
What is the different between manage device and defence centre.
As my understanding defence centre is FMC.
I have read somewhere that FMC and manage device only need one version older.

Re: Firepower rulee update

sahrizal123 — Thu, 29 Mar 2018 03:59:43 GMT

Hi Yogesh,
Should we upgrade VDB version on weekly basis too ?
Any impact after upgrade VDB version ?

Below is current software :

Model Virtual Defense Center 64bit
Serial Number None
Software Version 5.4.1 (build 59)
OS Sourcefire Linux OS 5.4.0 (build126)
Snort Version 2.9.7 GRE (Build 178)
Rule Update Version 2016-12-01-001-vrt
Rulepack Version 1812
Module Pack Version 2083
Geolocation Update Version None
VDB Version build 211 ( 2014-07-18 02:21:53 )

Re: Firepower rulee update

yogdhanu — Thu, 29 Mar 2018 05:58:14 GMT

You are correct about the naming convention.

FMC is defence center and managed device could be your SFR module or hardware SFR box also called sensor.

I would really suggest to update the VDB as well as current VDB is 294.

VDB is for application awareness and yes as SRU (snort rules) update, you should update the VDB as well.

Everything else remains same for VDB as well where you need to apply the access control policy first to push the new VDB changes to managed device

Hope it helps,

Yogesh

Re: Firepower rulee update

sahrizal123 — Thu, 29 Mar 2018 06:17:41 GMT

Hi Yogesh,

Thank you.
Is this correct ?
Software Version 5.4.1 (build 59) <--- FMC
OS Sourcefire Linux OS 5.4.0 (build126) <--- Manage device

Re: Firepower rulee update

yogdhanu — Thu, 29 Mar 2018 08:56:08 GMT

Hi Sahrizal,

Yes, that would be correct.

Re: Firepower rulee update

Marvin Rhoads — Thu, 04 Jul 2019 14:13:44 GMT

Cisco has a good explanation of the naming as it has changed across the releases since they acquired Sourcefire back in 2013. You can find it here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_9C7ED89DF14645BDA166E80F7BDA5FB7

As of release 6.2, Firepower Management Center cannot manage devices running anything prior to 6.1.

FMC 6.1 could manage both 5.x and 6.x devices.

Re: Firepower rulee update

sahrizal123 — Tue, 03 Apr 2018 01:20:26 GMT

Hi Marvin,

If we upgrade from 5.4.1 to 6.2.2 , it will not effect the ASA traffic right ? ( currently set to monitor-only )

It require atleast 4 hour to upgrade to 6.2.2 ?

Thank you

Re: Firepower rulee update

Marvin Rhoads — Tue, 03 Apr 2018 08:27:53 GMT

If your ASA Firepower service module is at 5.4.1 and being used in monitor-only mode, then an upgrade (or even uninstall) will not affect traffic through the ASA.

It it would be easier to de-register it from FMC, upgrade FMC to the current 6.2.3 release (that will take several hours by itself) and then re-image the module to 6.2.3, re-register it and re-deploy the policies.

Re: Firepower rulee update

sahrizal123 — Tue, 03 Apr 2018 08:55:12 GMT

Thank you Marvin,
De-register FMC, upgrade FMC and reimage module require to access server or only can be done at GUI ( i done have server access ESXi).
Kindly advise step to redeploy policy.

Re: Firepower rulee update

Marvin Rhoads — Tue, 03 Apr 2018 13:37:46 GMT

You don't need console (ESXi) access to FMC to upgrade it. You do need to be able to transfer files you have downloaded from cisco.com onto a PC to the server via the web interface.

You do need console (ssh) access to the Firepower (sfr) service module to reimage it. If you upgraded it step-by-step instead you can do it all via the FMC but it will take most of an entire day (assuming it all goes well) vs. about 2 hours to reimage.

I really recommend you read the documentation on the above steps. It's all covered there - upgrading, re-imaging, registering, deploying policy etc. There are many good free presentations available on Cisco Live as well. You should understand the basics before logging into any production system and making significant changes.

Re: Firepower rulee update

Bill CARTER — Thu, 12 Apr 2018 13:27:04 GMT

I set rule updates for daily during non-business hours. I have never had a problem.

Re: Firepower rulee update

D@1984 — Thu, 04 Jul 2019 12:33:28 GMT

I have few questions regarding the SRU & VDB upgrade that would be grateful if someone could help me with:

1- for both SRU& VDB upgrade, doesn't matter what version of FMC/ FIREPOWER we are in:

FMC:

SOFTWARE VERSION: 6.2.3

SNORT VERSION: 2.9.12

VDB VERSION: BUILD 291

FirePOWER module: 6.2.3

2-Do I need malware license to get the weekly basis updates?

Thanks

Re: Firepower rulee update

Marvin Rhoads — Thu, 04 Jul 2019 14:19:27 GMT

1. SRU and VDB updates are generally independent of your FMC and Firepower versions.

2. Malware (AMP) license is required only for File policies. They inspect files using cloud-based analysis of a SHA-256 hash of the file. (or AMP private cloud for some customers with that product). It does not affect or interact with the SRU or VDB or entitlement to those.

SRU and VDB updates do require a current IPS subscription (known as "Threat" for FTD devices) to be entitled to download them (although there's not any technical enforcement of that requirement).

Re: Firepower rulee update

D@1984 — Thu, 04 Jul 2019 15:31:32 GMT

many thanks. How/where FMC get the updates from if I set to have weekly updates automatically?

Just want to make sure there is no firewall, etc in between to block the updates.

Re: Firepower rulee update

Marvin Rhoads — Fri, 05 Jul 2019 02:14:13 GMT

The SRU and VDB updates should be coming from support.sourcefire.com.

Details and troubleshooting instructions can be found here:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118791-technote-firesight-00.html