Firepower Updates

dm2020
Level 1

Hi All,

Quick question regarding Recurring Rule Updates within FMC. If I tick 'Deploy Updated Policies to targeted devices', does that mean that the update will be automatically deployed to my FTDs and the Snort process restarted?

 

Thanks

5 Replies

phil.hydea
Level 1

Hi - yes it will automatically deploy the updates and there will be detection engine restarts which will disrupt traffic inspection.

You can uncheck that box and create a scheduled task > Deploy Policy. This would allow you to choose the desired time (e.g. a maintenance window) and frequency. This would mean that if there are 3 SRU updates since the last policy deploy, the FMC would wait to deploy them (cumulative).

 

Thanks

Hi,

Thanks for the response. If I have 10 FTDs in my deployment, will these all be impacted at the same time if I configure this? Is there any way to deploy the updates to the FTDs one by one?

 

Thanks

I've just edited my previous post. Yes, they would all be impacted. You can use the Deploy Policy scheduled tasks to schedule the updates and target specific devices. (Leave the automatic deploy SRU checkbox unchecked.)

Thanks

Hi, if you are running version 6.2.3, then you can configure from the CLI to preserve the Snort connections:

configure snort preserve-connection enable

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/policy_management.html#concept_uc1_gtq_ty

 

HTH

Abheesh


Yes, good point. To also add to this, whilst existing connections can be preserved, new connections will be dropped during the Snort/detection engine reload.