Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6286
Views
35
Helpful
19
Replies

Firepower rulee update

sahrizal123
Level 1
Level 1

‎03-28-2018 12:46 AM - edited ‎02-21-2020 07:34 AM

Hi,

I have cisco 5516x with firepower.

My firepower install at FMC version 5.4.1.

Below my question.

 

1. what is the best practice to update the rule ( System > Update > Rule Updates  ) by weekly basis or monthly ?

2. Any impact during the rule update?

3. how rollback in case any issue.

 

Labels:
0 Helpful
19 Replies 19

sahrizal123
Level 1
Level 1
In response to Marvin Rhoads

‎04-02-2018 06:20 PM

Hi Marvin,

If we upgrade from 5.4.1 to 6.2.2 , it will not effect the ASA traffic right ? ( currently set to monitor-only )

It require atleast 4 hour to upgrade to 6.2.2 ?

Thank you

 

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to sahrizal123

‎04-03-2018 01:23 AM - edited ‎04-03-2018 01:27 AM

If your ASA Firepower service module is at 5.4.1 and being used in monitor-only mode, then an upgrade (or even uninstall) will not affect traffic through the ASA. 

 

It it would be easier to de-register it from FMC, upgrade FMC to the current 6.2.3 release (that will take several hours by itself) and then re-image the module to 6.2.3, re-register it and re-deploy the policies. 

sahrizal123
Level 1
Level 1
In response to Marvin Rhoads

‎04-03-2018 01:55 AM

Thank you Marvin,
De-register FMC, upgrade FMC and reimage module require to access server or only can be done at GUI ( i done have server access ESXi).
Kindly advise step to redeploy policy.
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to sahrizal123

‎04-03-2018 06:34 AM - edited ‎04-03-2018 06:37 AM

You don't need console (ESXi) access to FMC to upgrade it. You do need to be able to transfer files you have downloaded from cisco.com onto a PC to the server via the web interface. 

 

You do need console (ssh) access to the Firepower (sfr) service module to reimage it. If you upgraded it step-by-step instead you can do it all via the FMC but it will take most of an entire day (assuming it all goes well) vs. about 2 hours to reimage.

 

I really recommend you read the documentation on the above steps. It's all covered there - upgrading, re-imaging, registering, deploying policy etc. There are many good free presentations available on Cisco Live as well. You should understand the basics before logging into any production system and making significant changes.

Bill CARTER
Level 5
Level 5

‎04-12-2018 06:27 AM

I set rule updates for daily during non-business hours. I have never had a problem.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card