Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

3906
Views
35
Helpful
19
Replies
Highlighted
sahrizal123
Beginner
Beginner
‎03-28-2018 12:46 AM
‎03-28-2018 12:46 AM

Firepower rulee update

Hi,

I have cisco 5516x with firepower.

My firepower install at FMC version 5.4.1.

Below my question.

 

1. what is the best practice to update the rule ( System > Update > Rule Updates  ) by weekly basis or monthly ?

2. Any impact during the rule update?

3. how rollback in case any issue.

 

Labels:
0 Helpful
Reply
19 REPLIES 19
Highlighted
yogdhanu
Cisco Employee
Cisco Employee
‎03-28-2018 02:00 AM
‎03-28-2018 02:00 AM

Hello,

 

Its recommended to update the rules weekly basis as they are released to make sure you are covered by latest security update.

There is no direct impact during the update. Once the update is downloaded, its stored in FMC but not yet applied on sensor/FTD unless you have selected to deploy policy also with auto update.

Once you deploy the policy again, new updates are installed along with the deployment.

You can track the changes as well. Check an old forum update (related)

https://supportforums.cisco.com/t5/firesight-system-3d-system/firesight-rule-update/td-p/2777508

 

But there is not official/easy way of rollback. But in case its absolutely required, you can reach out to TAC and it can be done although not recommended.

 

Hope it helps,

Yogesh

Reply
Highlighted
sahrizal123
Beginner
Beginner
In response to yogdhanu
‎03-28-2018 08:22 PM
‎03-28-2018 08:22 PM

Thank you Yogesh, noted will update weekly basis.
0 Helpful
Reply
Highlighted
sahrizal123
Beginner
Beginner
In response to sahrizal123
‎03-28-2018 08:59 PM
‎03-28-2018 08:59 PM

Hi Yogesh,
Should we upgrade VDB version on weekly basis too ?
Any impact after upgrade VDB version ?


Below is current software :

Model Virtual Defense Center 64bit
Serial Number None
Software Version 5.4.1 (build 59)
OS Sourcefire Linux OS 5.4.0 (build126)
Snort Version 2.9.7 GRE (Build 178)
Rule Update Version 2016-12-01-001-vrt
Rulepack Version 1812
Module Pack Version 2083
Geolocation Update Version None
VDB Version build 211 ( 2014-07-18 02:21:53 )
0 Helpful
Reply
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
‎03-28-2018 05:15 AM
‎03-28-2018 05:15 AM

@sahrizal123,

 

 

My firepower install at FMC version 5.4.1.

You should really upgrade your Firepower software. Your version is quite old and there are many bug fixes and new features in the 3 major and many minor releases since 5.4.x.

 

Reply
Highlighted
sahrizal123
Beginner
Beginner
In response to Marvin Rhoads
‎03-28-2018 08:23 PM
‎03-28-2018 08:23 PM

Thank you Marvin, we will upgrade after updated the Rule.
Now pending maintenance window.
0 Helpful
Reply
Highlighted
sahrizal123
Beginner
Beginner
In response to sahrizal123
‎03-28-2018 08:49 PM
‎03-28-2018 08:49 PM

Hi Marvin,
What is the different between manage device and defence centre.
As my understanding defence centre is FMC.
I have read somewhere that FMC and manage device only need one version older.
0 Helpful
Reply
Highlighted
yogdhanu
Cisco Employee
Cisco Employee
In response to sahrizal123
‎03-28-2018 10:58 PM
‎03-28-2018 10:58 PM

Hi

 

You are correct about the naming convention.

FMC is defence center and managed device could be your SFR module or hardware SFR box also called sensor.

I would really suggest to update the VDB as well as current VDB is 294.

VDB is for application awareness and yes as SRU (snort rules) update, you should update the VDB as well.

Everything else remains same for VDB as well where you need to apply the access control policy first to push the new VDB changes to managed device

 

Hope it helps,

Yogesh

Reply
Highlighted
sahrizal123
Beginner
Beginner
In response to yogdhanu
‎03-28-2018 11:17 PM
‎03-28-2018 11:17 PM

Hi Yogesh,

Thank you.
Is this correct ?
Software Version 5.4.1 (build 59) <--- FMC
OS Sourcefire Linux OS 5.4.0 (build126) <--- Manage device
0 Helpful
Reply
Highlighted
yogdhanu
Cisco Employee
Cisco Employee
In response to sahrizal123
‎03-29-2018 01:56 AM
‎03-29-2018 01:56 AM

Hi Sahrizal,

 

Yes, that would be correct.

 

0 Helpful
Reply
Highlighted
D@1984
Beginner
Beginner
In response to yogdhanu
‎07-04-2019 05:33 AM
‎07-04-2019 05:33 AM

I have few questions regarding the SRU & VDB upgrade that would be grateful if someone could help me with:

1- for both SRU& VDB upgrade, doesn't matter what version of FMC/ FIREPOWER  we are in: 

FMC:

SOFTWARE VERSION: 6.2.3

SNORT VERSION: 2.9.12

VDB VERSION: BUILD 291

 

FirePOWER module: 6.2.3

 

2-Do I need malware license to get the weekly basis updates? 

3-

 

Thanks

 

Thanks

0 Helpful
Reply
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
In response to D@1984
‎07-04-2019 07:19 AM
‎07-04-2019 07:19 AM

1. SRU and VDB updates are generally independent of your FMC and Firepower versions.

2. Malware (AMP) license is required only for File policies. They inspect files using cloud-based analysis of a SHA-256 hash of the file. (or AMP private cloud for some customers with that product). It does not affect or interact with the SRU or VDB or entitlement to those.

SRU and VDB updates do require a current IPS subscription (known as "Threat" for FTD devices) to be entitled to download them (although there's not any technical enforcement of that requirement).

0 Helpful
Reply
Highlighted
D@1984
Beginner
Beginner
In response to Marvin Rhoads
‎07-04-2019 08:31 AM
‎07-04-2019 08:31 AM

many thanks. How/where FMC get the updates from if I set to have weekly updates automatically?

Just want to make sure there is no firewall, etc in between to block the updates. 

0 Helpful
Reply
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
In response to D@1984
‎07-04-2019 07:14 PM
‎07-04-2019 07:14 PM

The SRU and VDB updates should be coming from support.sourcefire.com.

Details and troubleshooting instructions can be found here:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118791-technote-firesight-00.html

Reply
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
In response to sahrizal123
‎03-29-2018 04:17 AM
‎03-29-2018 04:17 AM

Cisco has a good explanation of the naming as it has changed across the releases since they acquired Sourcefire back in 2013. You can find it here:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html#reference_9C7ED89DF14645BDA166E80F7BDA5FB7

 

As of release 6.2, Firepower Management Center cannot manage devices running anything prior to 6.1.

 

FMC 6.1 could manage both 5.x and 6.x devices.

 

 

0 Helpful
Reply
Latest Contents
Bridge the security gap with Cisco Remote Secure Worker
Created by Kelli Glass on 02-26-2021 04:37 PM
0
0
0
0
More people are working remotely, and this increases the risk of security breaches and the difficulty in defending remote workers where they work and securing the devices they use. Learn about Cisco Remote Secure Worker solutions that verify workers, secu... view more
ISE Performance & Scale
Created by howon on 02-24-2021 08:26 PM
11
214
11
214
    ISE Node Terminology PAN MNT PSN PXG Policy Administration Node Monitoring & Troubleshooting Node Policy Services Node Platform Exchange Grid Node The single plane of glass for ISE administration and configuration operatio... view more
Detecting and Responding to the SolarWinds Infrastructure At...
Created by aligarci on 02-23-2021 08:19 AM
0
5
0
5
On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distr... view more
Arista CloudVision WiFi Dictionary and NAD Profile for ISE I...
Created by hslai on 02-21-2021 01:59 PM
0
10
0
10
Attached are the dictionary and NAD profile as described in Arista CloudVision WiFi Integration with Cisco ISE .
Cisco Secure Endpoint Free Trial Guide
Created by E.L. Howard on 02-15-2021 07:36 PM
0
0
0
0
  About this Document Cisco Secure Endpoint (formerly AMP for Endpoints) is a comprehensive Endpoint Security solution designed to function both as a stand-alone tool, and as a part of the architecture of natively integrated Cisco and 3rd par... view more
Content for Community-Ad