1.0.3 Firmware

lawrence.david
Level 1

This weekend I installed the 1.0.3 firmware.  I thought I would share my experience.  Especially since this area of the Cisco Community has been quiet.  I'd like to hear other experiences with the ISA500 series if anyone would care to share.

The entire process took about 45 minutes, but most of that was making sure I had snapshots of the current configuration to make sure I could rebuild it if the configuration restore from my backup failed.  (Better safe than sorry).  With the Factory Default requirement, I wanted to make sure I didn't miss anything if the restore of my configuration failed.

I also use a different internal LAN than the factory default configuration, so I wanted to make sure I had all of the necessary files (firmware, backup configuration, update steps) on my notebook.  I'd created a backup a couple of days ago, so I planned to use that.

I configured an available port on the ISA570W as an access port on the default LAN from another system, then plugged in the notebook to that port.  My local DHCP server (not on the ISA) assigned an IP address and I was able to remote into the ISA570W from the notebook. 

The next step was to upload the latest firmware to the device requesting an update and factory reset.  The firmware load paused for a long time at 2%.  After waiting for what felt like a minute or two (but could have been less) the installation stepped quickly to 100% and started a reboot. 

From experience with the ISA, I knew it would be about 3 minutes to complete the reboot even though you can get light indications that suggest it has completed sooner.  After the reboot, I waited for my network adapter to sense the factory default configuration.  At that point the DHCP server on the device assigned an IP address from the default LAN 192.168.75.0.  I was then able to log back into the device and upload my old configuration.  This took about 3 minutes to reboot again and I was back at my old configuration with the new firmware.

I walked through the configuration and it appears it restored almost everything the way I had it previously.  One exception I noted was my Link failover detection. I had set it before the firmware update to failover based on DNS detection and specified the Google DNS at 8.8.8.8.  While browsing the configuration I found it had been reset to the default: Ping detection on the Default IP gateways.  Maybe I had made that change after my last backup.

I've turned on Anti-Virus and the Spam Filter.  We pre-filter incoming mail with a web-based email scanner, so I don't expect to see much email captured.  So I will note it, I set the Spam Filter configuration to tag spam and suspected spam.  I also set the Reputation Threshold to High just to see if anything gets caught.

I've been using the Web URL Filtering, but one disappointment has been the inability to filter sites like Facebook if the user simply adds https:// instead of http:// to the URL.

I'm planning to try the Application Control when I have someone more familiar with the different choices (like Facebook items).  Hopefully sometime during the coming week.

In summary, in the future I expect firmware updates without the reset to factory default required to take a minute or two to upload the firmware, then 3 minutes to reboot.

Now, what's your story?

6 Replies

Ben M Johnson
Level 4

Updated to 1.03, similar experience, with upgrade - same feedback. Better than the earlier SA firmware updates, for sure though.

HTTPS URL/Application filtering they know about and are working on - I know other vendors have solved this, so hopefully Cisco can.  Hell, use the application filtering and block IPs.

We've had some random sites not resolving (and the blocked site message not coming up), and this is on our production network - so we turned off all security services for right now.

I sure hope that Cisco puts more resources toward this project - with Sonicwall being acquired by Dell, there is a very large opportunity here and easy pickings, but even with the major improvements over the SA series, we are still a long way from the more mature UTM players in the market.

OnPlus integration is super limited right now, and reports aren't very useful.

Clock's ticking.

Thanks David+Ben for your comments + feedback.

- Major changes were applied in 1.0.3 and thus required factory reset. Future fw upgrade won't require it.

- Web filtering not effective with https. We're aware of this issue and currently working on an alternative/solution.

- Ben, can you find out which and why random sites are not resolving? You can check the log to see which security service is blocking or turn on 1 security service at a time.

Is everyone else doing ok with your upgrade?

Regards, Don.

Hi Ben,

Could you give us some detail about the random site not resolving issue?

thanks

Wei

I'm at the SBEE in Monterey right now. 

I'll turn the services back on 1 by 1 when I get back Friday and get you more details.

jrengel
Level 1

Hi All:

I finally got back to messing with this little beastie.  Stepped through the ,5,12 to 1.0.3 firmware updates without a hiccup.  It seems to be running fine but we have not really flexed its muscles yet.  We are sliding it into limited production so we'll see what happens next.

One little suggestion to the initial configuration process.  One of the wizard steps is to configure a connection to the administrator's Cisco.com account.  Which is a good idea.  But.

Typically on first configurations, there is no Internet connection.  The ISA is usually just directly connected to a laptop or desktop computer.  But if you select this step, the ISA (without warning) immediately attempts to verify the account on the Internet.  Obviously there is no Internet.  So it appears to just hang there forever.  Which means a "start all over" process.  This step needs a "skip" warning if no Internet connected.  Set up later!

Joe         

Hi Joe,

This is fixed in the later release (engineer builds). Credential will not be checked if WAN connection is down.

thanks,

Wei
