The latest VDB for FMC virtual

ctx2507
Level 1

Hello,

Does anyone have any idea why there has been no VDB update for FMC since version 361 was released on Nov 15 2022? I can't answer that question for my boss, and I am too sick of Cisco support's incompetence to bother asking them.

Accepted Solutions

I believe 362 was an engineering release only available by Special File Publish from Cisco TAC. Apparently some people were hitting issues with 361, and 362 has a workaround for that problem. So the download page still only has 261 as the latest as of today (10 February 2023):

https://software.cisco.com/download/home/286259687/type/286321931/release/VDB

Given the bug encountered and the fact that Cisco has their annual downtime the last two weeks of December, it may be a few more weeks until 363 is out as an official release.

7 Replies

adamgerber
Level 1

Hi - not sure why it took so long but it looks like VDB362 is out:

https://appid.cisco.com/relnotes

ctx2507
Level 1

Thank you for the clarification, Marvin. But that's bad news for those of us who are Cisco customers using their NGFW. That's the conclusion as my boss sees it. We have not been protected against new threats in the last three months and will continue to be defenseless for a couple more months until Cisco figures it out (hopefully). Not to mention their NGFW products were a big mess in the last couple of years. Enough is enough.

Hi, the VDB contains app detectors/fingerprinting info and lists of known system vulnerabilities. This may help you with IoC/visibility/policy.

But if your goal is active defense against known threats, then you need to ensure your IPS rules are being updated/tuned and that you have enabled the use of security intelligence under your access control policy. You can view when your Talos security intelligence was last updated under Objects. These items are updated frequently by Cisco.

As @adamgerber correctly noted, VDB is only one part of the several sources of information used in the NGFW.

Arguably the more important (and more frequently updated) bits are Security Intelligence feeds (updated every 2 hours by default but can be set as low as every 15 minutes), Snort rules (updated several times monthly) and the Geolocation database (updated every month or two). If you are using Malware protection, the file hashes are examined in real time using Cisco's AMP cloud.

Those all augment your firewall rules to provide comprehensive broad spectrum protection against threats.

ctx2507
Level 1

So you are saying that you TRUST the traffic that LEGITIMATELY PASSED all the rules and don't see the need to inspect them after that? Then you are right, you don't need VDB.

VDB updates are not a prerequisite for inspection by any step in the NGFW order of operations. They only help in IOC assessment and somewhat in IPS rule recommendations. SI feeds and IPS rules are much more important and are being updated quite often.
