Cisco Cisco Firepower Management Center 2000
18
FireSIGHT System Release Notes
Installing the Update
When you apply an access control policy, resource demands may result in a small number of packets dropping
without inspection. Additionally, applying some configurations requires the Snort process to restart, which interrupts
traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on the
model of the managed device and how it handles traffic. For more information, see the Configurations that Restart
the Snort Process section of the FireSIGHT System User Guide.
without inspection. Additionally, applying some configurations requires the Snort process to restart, which interrupts
traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on the
model of the managed device and how it handles traffic. For more information, see the Configurations that Restart
the Snort Process section of the FireSIGHT System User Guide.
18.
If a patch for Version 5.4.1.6 is available on the Support site, apply the latest patch as described in the FireSIGHT
System Release Notes for that version. You must update to the latest patch to take advantage of the latest
enhancements and security fixes.
System Release Notes for that version. You must update to the latest patch to take advantage of the latest
enhancements and security fixes.
Updating Managed Devices, ASA FirePOWER Modules
After you update your Defense Centers to Version 5.4, Version 5.4.1, or Version 5.4.1.6, use them to update the devices
they manage.
they manage.
A Defense Center must be running at least Version 5.4 to update its managed devices to Version 5.4.1.6. Because they
do not have a web interface, you must use the Defense Center to update your virtual managed devices, , and ASA
FirePOWER modules.
do not have a web interface, you must use the Defense Center to update your virtual managed devices, , and ASA
FirePOWER modules.
Updating managed devices is a two-step process. First, download the update from the Support site and upload it to the
managing Defense Center. Next, install the software. You can update multiple devices at once, but only if they use the
same update file.
managing Defense Center. Next, install the software. You can update multiple devices at once, but only if they use the
same update file.
When you updated clustered Cisco ASA with FirePOWER Services (in 6.0, high availability device or stack pairs) apply
the update one device at a time and allow the update to complete before updating the second device.
the update one device at a time and allow the update to complete before updating the second device.
Prior to updating an ASA FirePOWER module running FirePOWER Services or a Cisco ASA managed by ASDM, set the
device clock to the correct time. If an ASA device clock is set to the incorrect time before updating, the Access Control
Licensing page does not load.
device clock to the correct time. If an ASA device clock is set to the incorrect time before updating, the Access Control
Licensing page does not load.
For the Version 5.4.0.7 update, all devices reboot; VAP groups reload. Series 3 devices do not perform traffic inspection,
switching, routing, NAT, VPN, or related functions during the update. Depending on how your devices are configured and
deployed, the update process may also affect traffic flow and link state. For more information, see
switching, routing, NAT, VPN, or related functions during the update. Depending on how your devices are configured and
deployed, the update process may also affect traffic flow and link state. For more information, see
.
Caution:
Before you update a managed device, use its managing Defense Center to reapply the appropriate access
control policy to the managed device. Otherwise, the managed device update may fail.
Caution:
Installing the updates and applying policies can interrupt traffic inspection due to Snort restarts and system
restarts. How these interruptions affect traffic depends on the model of the managed device and how it handles traffic.
For more information, see
For more information, see
Caution:
Do not reboot or shut down your appliances during the update until after you see the login prompt. The system
may appear inactive during the pre-checks portion of the update; this is expected behavior and does not require you to
reboot or shut down your appliances.
reboot or shut down your appliances.
To update managed devices and ASA FirePOWER modules, and :
1.
Read these release notes and complete any required pre-update tasks.
Note
: Download the update directly from the Support site. If you transfer an update file by email, it may become
corrupted.
Caution
: Failing to set the device clock of an ASA FirePOWER module running FirePOWER Services or a Cisco ASA
managed by ASDM to the correct time prior to updating the device causes the Access Control Licensing page to not load.
For more information, see
.
2.
Update the software on the devices’ managing Defense Center; see
3.
Download the update from the Support site: