Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1238
Views
3
Helpful
6
Replies

How often does IPS update on Firepower devices

Go to solution
carl.townshend
Level 1
Level 1

‎01-02-2025 03:39 AM

Hi All

On Firepower firewalls, how often does the IPS update?

I can see timers for the "security intelligence" feeds, default 2 hours, but nothing for the intrusion side, I can see some settings under system > content updates, is this it? if so, it looks like you have to push a policy to the FTD for it to get the latest updates? can this not be automatic?

carltownshend_0-1735817875183.png

Cheers

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to carl.townshend

‎01-02-2025 07:28 AM

Cisco does not publish IPS rule updates daily. You can see the published updates in the software.cisco.com site for FMC here:

https://software.cisco.com/download/home/286259687/type/286321931/release/LSP

For instance, there were 10 updates published in October 2024, 7 each in November and December.

Every vendor bundles their software differently. Cisco Talos has determined that is it most effective to stream SI updates throughout the day, with a 2 hour feed update being the default for FMC and FDM. Snort rules are less frequent - several times monthly as I noted. So if you check for them daily, you will always have the latest ones.

Many customers do not want to have constant changes to IPS rules since it may be counter to their change management process. Thus, Cisco gives you the option of being anywhere on the spectrum from no updates to having updates the day they are published and further deploying the updates as soon as you get them. If they didn't provide this flexibility, some very large customers would choose not to use them. What's optimal for your use case may be the opposite for another customer.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-02-2025 05:58 AM

As shown in the screenshot, there is an option to deploy policy after the recurring rule update discovers and downloads new IPS rule sets (Snort Rule Updates (SRUs) for Snort 2 and Local Security Policies (LSPs) for Snort 3 intrusion policies) from cisco.com. That will sync your managed devices' rule sets with those available from Cisco. Rule sets are typically updated by Cisco a couple of times per month.

You also have the option of automatically tuning your IPS policies by using Firepower recommendations which further fine tune your IPS policy based on observed traffic / hosts on your network. That is done via a combination of a setting within the IPS policy and an (optional) recurring job that your setup in the FMC scheduling section.

Go to solution
PacketWhisperer
Level 1
Level 1

‎01-02-2025 06:11 AM

Yep, under System > Content Updates > Rule Updates, you can set up Recurring Rule Update Imports (e.g., daily). For it to be fully automatic, check "Deploy updated policies after rule update completes." Without that, you'll need to manually push the policy to apply the updates. Security Intelligence updates are separate (default every 2 hours).

Go to solution
carl.townshend
Level 1
Level 1
In response to PacketWhisperer

‎01-02-2025 07:15 AM

Hi, thanks for the info, are you saying the above setting will push the latest IPS updates out daily? I thought with this being a security device it would pretty much be an automatic setting, on Checkpoint for example, the daily update happens at midnight by default, why is this switched off by default and has to be enabled?

What would the recommendation be?

cheers

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to carl.townshend

‎01-02-2025 07:28 AM

Cisco does not publish IPS rule updates daily. You can see the published updates in the software.cisco.com site for FMC here:

https://software.cisco.com/download/home/286259687/type/286321931/release/LSP

For instance, there were 10 updates published in October 2024, 7 each in November and December.

Every vendor bundles their software differently. Cisco Talos has determined that is it most effective to stream SI updates throughout the day, with a 2 hour feed update being the default for FMC and FDM. Snort rules are less frequent - several times monthly as I noted. So if you check for them daily, you will always have the latest ones.

Many customers do not want to have constant changes to IPS rules since it may be counter to their change management process. Thus, Cisco gives you the option of being anywhere on the spectrum from no updates to having updates the day they are published and further deploying the updates as soon as you get them. If they didn't provide this flexibility, some very large customers would choose not to use them. What's optimal for your use case may be the opposite for another customer.

0 Helpful

Go to solution
carl.townshend
Level 1
Level 1
In response to Marvin Rhoads

‎01-02-2025 07:59 AM

Thanks Marvin, nice response there

So when we talk about IPS updates, we are talking about new signatures etc?

With regards to the SI updates, these are not signatures but networks and URL's right ?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to carl.townshend

‎01-02-2025 08:05 AM

You're welcome @carl.townshend .

Yes and yes re your two latest questions.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card