Cisco Firepower Management Center 2000

FireSIGHT System Release Notes
Before You Begin: Important Update and Compatibility Notes
Note: The Defense Center purges locally stored backups from previous updates. To retain archived backups, store the backups externally.
Caution: BIOS Version 2.0.1b must be running on your DC2000 and DC4000 appliances in order to update to version 5.4.0.4. If updating your appliances fails due to an incompatible BIOS version, contact Support.
Traffic Flow and Inspection During the Update
The update process reboots managed devices. Depending on how your devices are configured and deployed, the 
following capabilities are affected:
- traffic inspection, including application awareness and control, URL filtering, Security Intelligence, intrusion detection and prevention, and connection logging
- traffic flow, including switching, routing, NAT, VPN, and related functionality
- link state
Note that when you update clustered devices, the system performs the update one device at a time to avoid traffic 
interruption.
Traffic Inspection and Link State
In an inline deployment, your managed devices (depending on model) can affect traffic flow via application control, user 
control, URL filtering, Security Intelligence, and intrusion prevention, as well as switching, routing, NAT, and VPN. For 
more information on appliance capabilities, see the FireSIGHT System Installation Guide.
The following table provides details on how traffic flow, inspection, and link state are affected during the update, 
depending on your deployment. Note that regardless of how you configured any inline sets, switching, routing, NAT, and 
VPN are not performed during the update process.
Switching and Routing
Series 3 devices do not perform switching, routing, NAT, VPN, or related functions during the update. If you configured 
your devices to perform only switching and routing, network traffic is blocked throughout the update.
Table 2. Network Traffic Interruptions

| Deployment | Network Traffic Interrupted? |
|---|---|
| Inline with configurable bypass (Configurable bypass option enabled for inline sets) | Network traffic is interrupted at two points during the update: (1) At the beginning of the update process, traffic is briefly interrupted while link goes down and up (flaps) and the network card switches into hardware bypass. Traffic is not inspected during hardware bypass. (2) After the update finishes, traffic is again briefly interrupted while link flaps and the network card switches out of bypass. After the endpoints reconnect and reestablish link with the sensor interfaces, traffic is inspected again. The configurable bypass option is not supported on virtual devices, Cisco NGIPS for Blue Coat X-Series, Cisco ASA with FirePOWER Services, non-bypass NetMods on 8000 Series devices, or SFP transceivers on 71xx Family devices. |
| Inline | Network traffic is blocked throughout the update. |
| Passive | Network traffic is not interrupted, but also is not inspected during the update. |