Cisco Firepower Management Center 2000
Firepower System Release Notes
Before You Begin: Important Update and Compatibility Notes
Note that when you update 8000 Series clusters or stack pairs, the system performs the update one device at a
time to avoid traffic interruption. When you update clustered Cisco ASA with FirePOWER Services devices, apply
the update one device at a time, allowing the update to complete before updating the second device.
Table 4 (Restart Traffic Effects by Managed Device Model), later in this section, explains how Snort restarts affect traffic inspection. Expect the product update to affect traffic in the same way, because the update also restarts Snort.
Link State
In 7000 Series and 8000 Series inline deployments with Bypass enabled, network traffic is interrupted at two
points during the update:
At the beginning of the update process, traffic is briefly interrupted while link goes down and up (flaps) and
the network card switches into hardware bypass. Traffic is not inspected during hardware bypass.
After the update finishes, traffic is again briefly interrupted while link flaps and the network card switches out
of bypass. After the endpoints reconnect and reestablish link with the sensor interfaces, traffic is inspected
again.
Note:
The configurable Bypass option is not supported on NGIPSv devices, Cisco ASA with FirePOWER
Services, non-bypass NetMods on Firepower 8000 Series devices, SFP transceivers on 71xx Family devices,
or ASA Firepower modules running Firepower Threat Defense.
Switching and Routing
Firepower 7000 Series and 8000 Series managed devices do not perform switching, routing, NAT, VPN, or related
functions during the update. If you configured your devices to perform only switching and routing, network traffic
is blocked throughout the update.
Devices running Firepower Threat Defense do not support VPN functionality in Version 6.0.1 but do support
switching and routing functions.
Audit Logging During the Update
When updating appliances that have a web interface, after the system completes its pre-update tasks and the
streamlined update interface page appears, login attempts to the appliance are not reflected in the audit log until
the update process is complete and the appliance reboots.
Table 4: Restart Traffic Effects by Managed Device Model

On this managed device model... | Configured as... | Traffic during restart is...
7000 Series, 8000 Series, NGIPSv, Firepower Threat Defense, and Firepower Threat Defense Virtual | Inline with Failsafe enabled or disabled, or inline tap mode | Passed without inspection (a few packets might drop if Failsafe is disabled and Snort is busy but not down)
7000 Series, 8000 Series, NGIPSv, Firepower Threat Defense, and Firepower Threat Defense Virtual | Passive | Uninterrupted and not inspected
7000 Series and 8000 Series | Routed, switched, or transparent | Dropped
Firepower Threat Defense | Routed or transparent | Dropped
Cisco ASA with FirePOWER Services | Routed or transparent with fail-open (Permit Traffic) | Passed without inspection
Cisco ASA with FirePOWER Services | Routed or transparent with fail-close (Close Traffic) | Dropped