02-06-2017 11:30 AM - edited 03-12-2019 01:53 AM
We have a Cisco ASA w/FirePOWER and are trying to determine if there is a Cisco product that will go out to the internet and determine if there are any vulnerabilities in the ASA firmware and then download and upgrade the device. This is something I do manually right now and would like to automate the process. We are managing the ASA with FirePOWER Management Center (FMC). As far as I know there is no native ability to do the automatic upgrades in FMC or ASDM. If there is such a product out there, can someone please send me in the right direction?
02-06-2017 11:36 AM
Firepower upgrades are, in general, a huge pain. They often have pre-requisites. Often you can't just jump from version x to y, and have to step through intermediate upgrades. Sometimes we re-image the modules because it is faster and then re-apply the config with Firesight.
The idea of trying to automate that task sounds risky to me.
I don't think you'll find such a product.
02-06-2017 11:40 AM
Philip,
Now are you just referring to FirePOWER upgrades, or ASA firmware upgrades, too? I'm really just interested in automating the firmware upgrades, I just mentioned that it has FirePOWER to be more specific about what we are using.
02-06-2017 11:41 AM
Both.
02-06-2017 11:44 AM
Yeah...I don't disagree. I was asked to look into a solution but I stated my concerns. In my experience upgrading the ASA firmware can lead to unexpected results and even if we were to automate I would need to be available for testing. However, I am curious if there is anything out there that would do the automated upgrades.
02-06-2017 11:48 AM
You could perhaps check out Cisco CDO. I'm not sure if it can or can't do it, but Cisco seem to be putting a lot of effort into it.
http://www.cisco.com/c/en/us/products/security/defense-orchestrator/index.html
02-06-2017 11:49 AM
Thanks, Philip. I'll take a look.
02-07-2017 02:43 PM
Scripting the upgrade is probably the best idea. In case you are managing a large amount of devices that would be the best way to go. Parsing outputs is a huge pain but it's not impossible.
02-08-2017 07:07 AM
Thanks, kaisero. I did research this more and it appears that scripting is our only real option.