How often does IPS update on Firepower devices

carl.townshend
Level 1

Hi All

On Firepower firewalls, how often does the IPS update?

I can see timers for the "security intelligence" feeds, default 2 hours, but nothing for the intrusion side, I can see some settings under system > content updates, is this it? if so, it looks like you have to push a policy to the FTD for it to get the latest updates? can this not be automatic?

[screenshot: carltownshend_0-1735817875183.png]

Cheers



Marvin Rhoads
Hall of Fame

As shown in the screenshot, there is an option to deploy policy after the recurring rule update discovers and downloads new IPS rule sets (Snort Rule Updates (SRUs) for Snort 2 and Local Security Policies (LSPs) for Snort 3 intrusion policies) from cisco.com. That will sync your managed devices' rule sets with those available from Cisco. Rule sets are typically updated by Cisco a couple of times per month.

You also have the option of automatically tuning your IPS policies by using Firepower recommendations, which further fine-tune your IPS policy based on observed traffic / hosts on your network. That is done via a combination of a setting within the IPS policy and an (optional) recurring job that you set up in the FMC scheduling section.

PacketWhisperer
Level 1

Yep, under System > Content Updates > Rule Updates, you can set up Recurring Rule Update Imports (e.g., daily). For it to be fully automatic, check "Deploy updated policies after rule update completes." Without that, you'll need to manually push the policy to apply the updates. Security Intelligence updates are separate (default every 2 hours).

Hi, thanks for the info. Are you saying the above setting will push the latest IPS updates out daily? I thought with this being a security device it would pretty much be an automatic setting; on Checkpoint, for example, the daily update happens at midnight by default. Why is this switched off by default and has to be enabled?

What would the recommendation be?

cheers

Cisco does not publish IPS rule updates daily. You can see the published updates in the software.cisco.com site for FMC here:

https://software.cisco.com/download/home/286259687/type/286321931/release/LSP

For instance, there were 10 updates published in October 2024, 7 each in November and December.

Every vendor bundles their software differently. Cisco Talos has determined that it is most effective to stream SI updates throughout the day, with a 2 hour feed update being the default for FMC and FDM. Snort rules are less frequent - several times monthly as I noted. So if you check for them daily, you will always have the latest ones.

Many customers do not want to have constant changes to IPS rules since it may be counter to their change management process. Thus, Cisco gives you the option of being anywhere on the spectrum from no updates to having updates the day they are published and further deploying the updates as soon as you get them. If they didn't provide this flexibility, some very large customers would choose not to use them. What's optimal for your use case may be the opposite for another customer.

Thanks Marvin, nice response there

So when we talk about IPS updates, we are talking about new signatures etc?

With regards to the SI updates, these are not signatures but networks and URLs, right?

You're welcome @carl.townshend .

Yes and yes re your two latest questions.
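Since the thread settles that an IPS update means new or revised Snort signatures, and that some customers want to review those changes before the FMC deploys them, here is an added example (not from this thread, Cisco or Talos) that diffs two Snort-format rule files by sid to list what an update adds, removes, revises or flips between enabled and disabled. The sample rule sets and their sids (1000001 and up) are constructed for the example.

```python
import re

# Fields of a Snort rule that matter when reviewing what an SRU/LSP update changes.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')
ACTION_RE = re.compile(r'^(alert|drop|pass|log|reject|sdrop)\b')

def parse_rules(text):
    """Map sid -> (rev, msg, enabled) for each rule in a Snort-format rule file.
    A commented-out rule line ('# alert ...') is parsed as a disabled rule."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith('#')
        body = line.lstrip('#').strip()
        if not ACTION_RE.match(body):
            continue  # blank line, free-text comment, or something that is not a rule
        sid = SID_RE.search(body)
        if not sid:
            continue  # a rule without a sid cannot be tracked across versions
        rev = REV_RE.search(body)
        msg = MSG_RE.search(body)
        rules[int(sid.group(1))] = (int(rev.group(1)) if rev else 0,
                                    msg.group(1) if msg else '', enabled)
    return rules

def diff_rulesets(old_text, new_text):
    """Report which sids an update adds, removes, revises, or flips enabled/disabled."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    return {
        'added': sorted(s for s in new if s not in old),
        'removed': sorted(s for s in old if s not in new),
        'revised': sorted(s for s in new if s in old and new[s][0] > old[s][0]),
        'state_changed': sorted(s for s in new if s in old and new[s][2] != old[s][2]),
    }

# Constructed sample rule sets (sids in the local 1000000+ range; not real Talos rules).
OLD_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED web probe"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh scan"; sid:1000002; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"CONSTRUCTED dns anomaly"; sid:1000003; rev:2;)
"""
NEW_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED web probe"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh scan"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED smb probe"; sid:1000004; rev:1;)
"""
```

Calling `diff_rulesets(OLD_RULES, NEW_RULES)` gives a per-category sid list that a change-management reviewer can attach to the ticket before ticking "Deploy updated policies after rule update completes".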
