03-28-2018 12:46 AM - edited 02-21-2020 07:34 AM
Hi,
I have a Cisco 5516x with Firepower.
My Firepower install is at FMC version 5.4.1.
Below are my questions.
1. What is the best practice for updating the rules (System > Update > Rule Updates): on a weekly or monthly basis?
2. Is there any impact during the rule update?
3. How do I roll back in case of any issue?
03-28-2018 02:00 AM
Hello,
It's recommended to update the rules on a weekly basis as they are released, to make sure you are covered by the latest security update.
There is no direct impact during the update. Once the update is downloaded, it's stored in FMC but not yet applied on the sensor/FTD unless you have also selected to deploy policy with auto update.
Once you deploy the policy again, new updates are installed along with the deployment.
You can track the changes as well. Check an old (related) forum update:
https://supportforums.cisco.com/t5/firesight-system-3d-system/firesight-rule-update/td-p/2777508
But there is no official/easy way to roll back. In case it's absolutely required, you can reach out to TAC and it can be done, although it is not recommended.
Hope it helps,
Yogesh
03-28-2018 08:22 PM
03-28-2018 08:59 PM
03-28-2018 05:15 AM
My firepower install at FMC version 5.4.1.
You should really upgrade your Firepower software. Your version is quite old and there are many bug fixes and new features in the 3 major and many minor releases since 5.4.x.
03-28-2018 08:23 PM
03-28-2018 08:49 PM
03-28-2018 10:58 PM
Hi
You are correct about the naming convention.
FMC is the Defense Center, and the managed device could be your SFR module or a hardware SFR box, also called a sensor.
I would really suggest updating the VDB as well, as the current VDB is 294.
VDB is for application awareness and yes, as with the SRU (Snort rules) update, you should update the VDB as well.
Everything else remains the same for VDB as well, where you need to apply the access control policy first to push the new VDB changes to the managed device.
Hope it helps,
Yogesh
03-28-2018 11:17 PM
03-29-2018 01:56 AM
Hi Sahrizal,
Yes, that would be correct.
07-04-2019 05:33 AM
I have a few questions regarding the SRU & VDB upgrade that I would be grateful if someone could help me with:
1- For both SRU & VDB upgrade, doesn't matter what version of FMC/FIREPOWER we are in:
FMC:
SOFTWARE VERSION: 6.2.3
SNORT VERSION: 2.9.12
VDB VERSION: BUILD 291
FirePOWER module: 6.2.3
2- Do I need a malware license to get the weekly updates?
3-
Thanks
07-04-2019 07:19 AM
1. SRU and VDB updates are generally independent of your FMC and Firepower versions.
2. Malware (AMP) license is required only for File policies. They inspect files using cloud-based analysis of a SHA-256 hash of the file (or AMP private cloud for some customers with that product). It does not affect or interact with the SRU or VDB or entitlement to those.
SRU and VDB updates do require a current IPS subscription (known as "Threat" for FTD devices) to be entitled to download them (although there's not any technical enforcement of that requirement).
07-04-2019 08:31 AM
Many thanks. How/where does FMC get the updates from if I set it to have weekly updates automatically?
Just want to make sure there is no firewall, etc. in between to block the updates.
07-04-2019 07:14 PM
The SRU and VDB updates should be coming from support.sourcefire.com.
Details and troubleshooting instructions can be found here:
03-29-2018 04:17 AM - edited 07-04-2019 07:13 AM
Cisco has a good explanation of the naming as it has changed across the releases since they acquired Sourcefire back in 2013. You can find it here:
As of release 6.2, Firepower Management Center cannot manage devices running anything prior to 6.1.
FMC 6.1 could manage both 5.x and 6.x devices.