02-06-2017 11:30 AM - edited 03-12-2019 01:53 AM
We have a Cisco ASA w/FirePOWER and are trying to determine if there is a Cisco product that will go out to the internet and determine if there are any vulnerabilities in the ASA firmware and then download and upgrade the device. This is something I do manually right now and would like to automate the process. We are managing the ASA with FirePOWER Management Center (FMC). As far as I know there is no native ability to do the automatic upgrades in FMC or ASDM. If there is such a product out there, can someone please send me in the right direction?
02-06-2017 11:36 AM
Firepower upgrades are, in general, a huge pain. They often have pre-requisites. Often you can't just jump from version x to y, and have to step through intermediate upgrades. Sometimes we re-image the modules because it is faster and then re-apply the config with Firesight.
The idea of trying to automate that task sounds risky to me.
I don't think you'll find such a product.
02-06-2017 11:40 AM
Philip,
Now are you just referring to FirePOWER upgrades, or ASA firmware upgrades, too? I'm really just interested in automating the firmware upgrades, I just mentioned that it has FirePOWER to be more specific about what we are using.
02-06-2017 11:41 AM
Both.
02-06-2017 11:44 AM
Yeah...I don't disagree. I was asked to look into a solution but I stated my concerns. In my experience upgrading the ASA firmware can lead to unexpected results and even if we were to automate I would need to be available for testing. However, I am curious if there is anything out there that would do the automated upgrades.
02-06-2017 11:48 AM
You could perhaps check out Cisco CDO. I'm not sure if it can or can't do it, but Cisco seem to be putting a lot of effort into it.
http://www.cisco.com/c/en/us/products/security/defense-orchestrator/index.html
02-06-2017 11:49 AM
Thanks, Philip. I'll take a look.
02-07-2017 02:43 PM
Scripting the upgrade is probably the best idea. In case you are managing a large number of devices that would be the best way to go. Parsing outputs is a huge pain but it's not impossible.
02-08-2017 07:07 AM
Thanks, kaisero. I did research this more and it appears that scripting is our only real option.
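As an added illustration of the scripted approach discussed in this thread (not code from any poster or from Cisco): a dry-run planner that parses the version line of `show version` output and lists, in order, the releases to install, refusing to plan when the output cannot be parsed. The sample output and the `WAYPOINTS` list are constructed assumptions; real intermediate releases must come from the release notes for the platform.

```python
import re

# Constructed sample of ASA `show version` output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)

ciscoasa up 12 days 3 hours
"""

# Hypothetical waypoint list, NOT Cisco's published upgrade path: releases a
# device must pass through on the way up. Fill it in from the release notes.
WAYPOINTS = ["9.1(7)4", "9.4(4)"]

_VERSION_LINE = re.compile(
    r"^Cisco Adaptive Security Appliance Software Version (\S+)", re.MULTILINE)
_VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")


def parse_version(text):
    """Turn '9.1(7)4' into a comparable tuple (9, 1, 7, 4); interim defaults to 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def running_version(show_version_output):
    """Extract the running software version string from `show version` output."""
    m = _VERSION_LINE.search(show_version_output)
    if not m:
        # Fail closed: never plan an upgrade from output we could not parse.
        raise ValueError("no ASA software version line found")
    return m.group(1)


def plan_upgrade(show_version_output, target, waypoints=WAYPOINTS):
    """Return the ordered list of releases to install; [] if already at target."""
    current = parse_version(running_version(show_version_output))
    goal = parse_version(target)
    if current == goal:
        return []
    if current > goal:
        raise ValueError("target is older than the running version; refusing to plan a downgrade")
    steps = sorted((w for w in waypoints if current < parse_version(w) < goal),
                   key=parse_version)
    return steps + [target]
```

The planner only reads text and returns a list, so its output can be reviewed and tested against a lab device before any image is copied or installed.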