02-24-2017 07:48 AM - edited 03-12-2019 06:18 AM
Do we need to update the VDB separately on the Firepower module, or is updating it on the FMC enough? FMC version 5.4
02-26-2017 01:54 AM
Hi There,
Yes, the VDB needs to be updated separately from the FMC/module upgrade.
An FMC or module upgrade upgrades the software/OS of the device. The VDB is the database on which application detection/prevention works.
Hope that helps.
Thanks
Yogesh
Rate if helps.
02-26-2017 07:10 AM
How can I check what the VDB version is on sensors which are managed by the FMC?
02-26-2017 07:34 PM
If your Access Control Policies are up to date on all of your sensors, they will have the VDB that is installed on your FMC.
The best practice is to have scheduled jobs to download and install the latest updates and re-deploy policy on a regular basis. I use weekly periodicity.
Your audit log should also show you the events when the above happens (whether scheduled or manual). You can filter as shown in this example:
https://<Your FMC address or FQDN>/events/?table=audit_log&constraints=message%3DDeployment-%2C-VDB&workflow=Audit%20Log&page=0
Make sure you adjust the time window to be a couple of weeks - the default is last hour.
02-27-2017 12:03 AM
It shows the VDB updated on the FMC. Does it mean redeploying policies also installs VDB updates to the sensor?
02-27-2017 01:21 AM
You are correct. You can check the current VDB version by navigating to Help > About and match it with the current VDB update, 279.
Deploying policy will push the new update to sensors as well.
Thanks
Yogesh
Rate if helps.
03-12-2017 03:01 PM
Is there a way to directly confirm which VDB is loaded on a sensor?
Thanks,
Diego
03-12-2017 07:09 PM
The method Yogesh and I both mentioned is the supported approach.
If you log into a sensor and change to expert mode you can also see the information in the ngfw.rules file.
Take care not to change anything in this mode - it can brick your sensor without too much effort.
> expert
admin@firepower:~$ cat /var/sf/detection_engines/*/ngfw.rules
#### ngfw.rules
##############################################################################
#
# AC Name : Lab Access Control
# Policy Exported : Fri Mar 10 04:08:34 2017 (UTC)
# File Written : Fri Mar 10 04:09:32 2017 (UTC)
#
# DC Version : 6.2.0
# SRU : 2017-03-09-002-vrt
# VDB : 279
#
##############################################################################
#
policy 00505687-0476-0ed3-0000-034359744830
revision 00000000-0000-0000-0000-000058c226c2
interface 123 78c50696-90ac-11e6-bb9e-9db906e7ee0d
zone 0 78f9cf34-90ac-11e6-bb9e-9db906e7ee0d
http_block /var/sf/detection_engines/da31b3fa-7a01-11e6-a59a-8e590377015b/httpBlock.html
http_bypass /var/sf/detection_engines/da31b3fa-7a01-11e6-a59a-8e590377015b/httpBypass.html
iab_mode Off
# Start of AC rule.
268435461 audit any any any any any any any any (log dcforward flowend) (urlcat 76)
268435464 allow any any any any any any any any (log dcforward flowend) (ipspolicy 52)
# End of AC rule.
admin@firepower:~$
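A small parser for that header, as an added example (not code from the post or from Cisco): it pulls the DC Version / SRU / VDB fields out of ngfw.rules text collected from each sensor and flags any sensor whose VDB does not match the FMC's. The sensor names and the second sensor's values are constructed.

```python
import re

# Constructed samples of the comment header at the top of ngfw.rules.
# "sensor-a" mirrors the header shown in the post; "sensor-b" is made up.
SAMPLE_RULES = {
    "sensor-a": """\
#### ngfw.rules
#
# AC Name : Lab Access Control
# Policy Exported : Fri Mar 10 04:08:34 2017 (UTC)
# DC Version : 6.2.0
# SRU : 2017-03-09-002-vrt
# VDB : 279
#
""",
    "sensor-b": """\
#### ngfw.rules
#
# AC Name : Branch Access Control
# DC Version : 6.2.0
# SRU : 2017-02-01-001-vrt
# VDB : 275
#
""",
}

# One "# Key : value" comment line; the separator lines and "#" alone do not match.
HEADER_FIELD = re.compile(
    r"^#\s*(AC Name|Policy Exported|File Written|DC Version|SRU|VDB)\s*:\s*(.+?)\s*$"
)

def parse_header(text):
    """Return the key/value comment fields found in an ngfw.rules header."""
    fields = {}
    for line in text.splitlines():
        m = HEADER_FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def stale_sensors(rules_by_sensor, fmc_vdb):
    """Sorted names of sensors whose VDB is missing or differs from the FMC's."""
    stale = []
    for name, text in rules_by_sensor.items():
        vdb = parse_header(text).get("VDB")
        if vdb is None or int(vdb) != int(fmc_vdb):
            stale.append(name)
    return sorted(stale)

if __name__ == "__main__":
    for name, text in SAMPLE_RULES.items():
        h = parse_header(text)
        print(f"{name}: VDB={h.get('VDB')} SRU={h.get('SRU')} DC={h.get('DC Version')}")
    print("stale vs FMC VDB 279:", stale_sensors(SAMPLE_RULES, 279))
```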
03-13-2017 08:32 AM
This certainly works (and so does "show version" from the > prompt), but what I had in mind was something I can do from the FMC, since that is where you spend 95% of your time, and also, this being an enterprise management console, we don't want to have to go SSHing around to a few dozen boxes!
Thanks
Diego
03-13-2017 07:41 PM
If you just look at the top level device management page it indicates whether all of your devices' policies are up to date. If they are, then they all have the same VDB version that's installed on the FMC.
03-14-2017 07:05 AM
Yes, I agree but it would just make me feel better if they would explicitly show versions so that you don't have to infer or extrapolate that since the access policy is up to date then so are all other components.
It's just the paranoid/ocd part of me showing a little bit. ;)
Thanks,
Diego
03-21-2017 07:53 AM
I am not able to log in to the Firepower module in an ASA-5555-X via CLI. These modules are managed by FMC. How can I reset the ID password?
03-21-2017 09:06 AM
Please see the following doc:
http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118631-technote-firesight-00.html#anc5
The command, from the ASA enable mode, is:
session sfr do password-reset
03-27-2017 03:44 AM
Thank you all for the responses.
03-11-2020 11:22 PM
Hi all, is there any workaround for this to see device VDB and SRU versions from the FMC CLI?