7689 Views, 0 Helpful, 4 Replies

Outdated Definitions

harrysocker (Level 1)

I'm currently trialling AMP for Endpoints and have found there's no consistency with the status of the connectors I've installed on machines. Some show that the definitions are up to date. Some show as 'outdated definitions'. There isn't anything referenced in the documentation I've seen or on the forum.

 

Is there a way to force the clients to update, either from client side or the portal? What prompts the connector to download new definitions that are available?

 

Thanks for any help.

4 Replies

Jetsy Mathew (Cisco Employee)

Hello Harry

 

Did you add the required server addresses based on the cloud that you have registered your account with?

 

https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html

 

If you want to schedule the new connector updates, then you can schedule it accordingly in Management > Policies.

 

Regards

Jetsy

tonypearce1 (Level 3)

OP did you get this sorted? I'm having the same issue as you. I have the policy set with these two options and these are all that I can see that would be required:

1. "automatic content updates" this is checked / enabled

2. "content update interval" this is set to 1 hour which is the default

Both options above are found in Edit Policy > Advanced > TETRA.

 

@Jetsy Mathew - the OP is talking about TETRA definitions, not software or AMP client update

Jetsy Mathew (Cisco Employee)

Hello Tony

 

Was this working previously? In the following link there are server addresses that you should allow for successful TETRA definition updates, based on the cloud that you have registered with. Just make sure you allow the traffic based on your cloud (EU, APJC, NAM) and make sure no inspection happens on it.

 

https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html

 

If it still doesn't work, then it's better to get a Wireshark capture for a day or so from any of those workstations that show definitions as outdated, along with the diagnostics file, and submit it to the Cisco TAC.

 

Just FYI, there was a known bug which got fixed some time back.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj58637/?reffering_site=dumpcr

 

But if the issue started recently, then please contact the Cisco TAC and we will help you with it.

 

Regards

Jetsy
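A defender-side check for the two conditions Jetsy names above (the update servers are reachable, and nothing on the path is inspecting the TLS session), written as an added example that is not part of this thread or of Cisco's own tooling. The hostnames and the internal CA names in it are placeholders: the real TETRA update server addresses for your cloud come from the technote linked above, and the CA names are whatever your own proxy or firewall uses to re-sign traffic.

```python
"""Added example: probe TETRA update hosts over TLS and report which CA issued
the certificate each host presents, so an intercepting proxy shows up plainly.
Hostnames and inspection-CA names below are placeholders, not real values."""
import socket
import ssl
from typing import Dict, Iterable, List

# Placeholder (assumption): replace with the update server addresses for your
# cloud (NAM / EU / APJC) taken from the Cisco technote linked in the thread.
TETRA_UPDATE_HOSTS: List[str] = [
    "tetra-update.example.invalid",
]

# Constructed placeholders: the names your own TLS-inspection or proxy CAs use.
# If one of these issued the certificate you received, the session was intercepted.
INTERNAL_INSPECTION_CAS: List[str] = [
    "Example Corp Web Proxy CA",
]


def issuer_fields(cert: dict) -> Dict[str, str]:
    """Flatten the nested 'issuer' tuples from ssl.SSLSocket.getpeercert() into a dict."""
    fields: Dict[str, str] = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def intercepted(issuer: Dict[str, str],
                inspection_cas: Iterable[str] = INTERNAL_INSPECTION_CAS) -> bool:
    """True when the issuer's commonName or organizationName names a known inspection CA."""
    names = {issuer.get("commonName", ""), issuer.get("organizationName", "")}
    return any(ca in names for ca in inspection_cas)


def probe_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS session to host:port and report reachability, issuer and an interception verdict.

    A handshake that fails verification (for example an inspection CA that is not
    in this machine's trust store) is reported as unreachable with the SSL error text,
    which is itself a useful clue when the connector also cannot fetch definitions.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = issuer_fields(tls.getpeercert())
    except (OSError, ssl.SSLError) as exc:  # DNS failure, blocked port, rejected handshake
        return {"host": host, "reachable": False, "error": str(exc),
                "issuer": {}, "intercepted": False}
    return {"host": host, "reachable": True, "error": "",
            "issuer": issuer, "intercepted": intercepted(issuer)}


def summarize(results: Iterable[dict]) -> List[str]:
    """One line per host, suitable for pasting into a ticket or a TAC case."""
    lines: List[str] = []
    for r in results:
        if not r["reachable"]:
            lines.append(f"{r['host']}: UNREACHABLE ({r['error']})")
        elif r["intercepted"]:
            lines.append(f"{r['host']}: INTERCEPTED by {r['issuer'].get('commonName', '?')}")
        else:
            lines.append(f"{r['host']}: ok, issuer {r['issuer'].get('organizationName', '?')}")
    return lines


if __name__ == "__main__":
    for line in summarize(probe_host(h) for h in TETRA_UPDATE_HOSTS):
        print(line)
```

Run it from an endpoint that reports outdated definitions. An "INTERCEPTED" line means the proxy is re-signing the update traffic and needs an exemption for those hosts; an "UNREACHABLE" line with a certificate-verify error points at the same cause from the other side, and a plain timeout points at the firewall allow-list Jetsy mentions.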

Hi both,

 

We didn't get this working in the end, or at least I never found out the cause. The endpoints that hadn't been updated would suddenly show as compliant days later - so it could be the bug Jetsy linked. I didn't make any changes myself to our settings.

 

Thanks.