ASA FirePOWER Module Push Vs Install

johnlloyd_13
Level 9

Hi,

I'm trying to patch my ASA 5506 FP module via ASDM. I tried searching for the difference between update 'push' and 'install', but my Google skills are failing me. See the attached screenshot.

Can you also advise what the difference between the two is, or give me a helpful link?

Also, what is the difference between the three update tabs?

I.e., is 'product' specific to the FP/sensor patch, 'rule' is Snort, and geolocation is for the public IP (kind of like whois)?

Accepted Solution

Marvin Rhoads
Hall of Fame

The Push option stages the (large) update files on the sensor for later installation. The option to push (apart from install) was introduced in Firepower 6.2.3. It's most useful when the sensor is at the other end of a WAN and you want to pre-deploy the update file first and then install it during a scheduled outage window.

Product updates are the Firepower operating system upgrades and patches. It also will include Vulnerability Database (VDB) upgrades. Only updates at the second ordinal or below (e.g., 6.2.2 to 6.2.3) will automatically download. Major upgrades (like 6.2 to 6.3) need to be manually downloaded on your management PC, uploaded and then applied.

Rules are the Snort Rule Updates (SRUs). Basically the IPS rules.

Geolocation is a database mapping IP addresses to countries. It can then be used in your rules to restrict access from certain locations, or in your reporting to analyze the source / destination of connections (whether or not they are associated with threats or attacks).


Hi Marvin,

Thanks for confirming the different update tabs.

Just to confirm my understanding regarding the 'push' option: it will download the patch file first (to the SSD/FP module), then I need to set an FP module downtime and click install?

If I just click install, will it directly download the patch and the FP module will reboot (no confirmation), similar to a non-interactive mode?

You're welcome.

Yes - the understanding you described is pretty much correct.

You do get a warning that the upgrade or patch will reboot the affected systems, but once you click OK there's no further confirmation given.

Hi Marvin,

Thanks for your time and input! Have a good weekend!

Dear Marvin,
We're currently running Firepower Operating System version 6.2.3, build 53, managed by FMC version 6.2.3. The SFR is installed in a 5525-X firewall. Our enterprise is interested in upgrading the Firepower OS to the latest version, 6.4.0. Could you please tell me the possible way to accomplish this task?

PS: I googled and found that the file to upload from FireSight Management Center is (Cisco_Network_Sensor_Patch-6.4.0.7-53.REL.tar); please tell me if this is the appropriate file for our objective.

Waiting for your kind reply.

Regards,
Esmatullah Saidy

You need to upgrade the FMC first, then the managed module(s).

Upload the 6.4.0 release for both FMC and the Firepower service module to your FMC.

Install the FMC upgrade. Redeploy policy. Then install the module upgrade and redeploy once more.

Then "download updates" from FMC. It should find the latest 6.4.0.x patch and download it from cisco.com for you.

Then repeat the installation process, this time for the patches of both FMC and the module.

Hi @Marvin Rhoads - I was looking for a concise guide to help me upgrade a pair of 5525-X running Firepower modules (still traditional ASA/ASDM managed) - there is also FMC in the mix to manage the 5525 Firepower "modules" and an NGIPSv.

The 5525-X Active/Failover pair will be upgraded to the final release for that product, and the rest will fall in line with the support matrix as per Cisco.com:

ASA 9.12 -> 9.14

ASDM 7.13 -> 7.14

FMC 6.4.0 -> 6.6.4 (and Firepower modules and NGIPSv on the same release)

I have read so many Cisco docs but I can't find answers to the following:

  • What device do I upgrade first? I assume it's FMC, then the Firepower modules, then NGIPSv and then the ASA/ASDM.
  • In your previous posting you also mentioned that after an FMC upgrade you deploy the policy again - why is that? And then again after updating the Firepower modules.

I will continue researching - but your expert tips are always welcome.

 

@Arne Bier the order you suggested is fine.

Definitely upgrade FMC first. Always consult the compatibility matrix but the upgrade process in FMC will warn you if you are getting too far ahead of the managed sensors.

We always sync policy just to make sure things don't get out of sync. Often the Snort rules or other components will be updated as part of an upgrade. The software itself reminds you to redeploy after a successful upgrade (of FMC or Firepower software on a managed device). (You don't need to resync after upgrading ASA or ASDM software.)
