Cisco Firepower Management Center 2000

Firepower System Release Notes
 
Installing the Update
 
Step 13
Verify that the appliances in your deployment are successfully communicating and that there are no 
issues reported by the health monitor.
Step 14
If the rule update available on the Support site is newer than the rules on your Firepower Management 
Center, import the newer rules. Do not auto-apply the imported rules at this time.
For information on rule updates, see the Firepower Management Center Configuration Guide.
Step 15
If the VDB available on the Support site is newer than the VDB on your Firepower Management Center, 
install the latest VDB.
Installing a VDB update causes a short pause in traffic flow and processing, and may also cause a few packets to pass 
uninspected. For more information, see the Firepower Management Center Configuration Guide.
Step 16
Redeploy your configurations to all managed devices.
Deployment may cause a short pause in traffic flow and processing, and may also cause a few packets to pass 
uninspected. For more information, see the Firepower Management Center Configuration Guide.
Step 17
If a patch for Version 6.0 is available on the Support site, apply the latest patch as described in the   for 
that version. 
Caution: 
Updating a Firepower Management Center to Version 6.0 while it manages devices running Version 5.4.0.6, 
Version 5.4.1.5, or earlier may cause traffic outages and system issues. Before deploying configuration to 
managed devices running Version 5.4.0.6, Version 5.4.1.5, or earlier, you must disable the Retry URL cache 
miss lookup option in the Advanced Options section of the Access Control page. For more information, see 
.
You must update to the latest patch to take advantage of the latest enhancements and security fixes.
Preventing URL Cache Miss Lookup Retries
URL category determination can introduce up to two seconds of delay in packet delivery, depending on local network 
conditions. If such delay is not acceptable, URL retry should not be allowed.
When you allow URL retry, the system delays packets for URLs that have not been previously seen by the firewall while 
the URL category and reputation are determined so URL filtering rules can be resolved. Until the lookup of the URL 
category and reputation is completed, or the lookup request times out, in inline, routed, or transparent deployments the 
packet will be held at the firewall. If a two-second time limit is reached without the category and reputation determination 
completing, the URL category Uncategorized is used with no reputation, and rule evaluation proceeds. Note that without 
URL retry, URL filtering may not be effective until such time as URL category and reputation determination completes for 
each URL. Until that time, packets that would have been filtered based on the URL’s category or reputation will be filtered 
based on the Uncategorized category.
To disable URL retry on managed devices, disable the Retry URL cache miss lookup option in the General advanced 
settings of the access control policy (Policies > Access Control > edit policy > Advanced > edit General Settings) and 
redeploy the access control policy to the device. Note that this option is enabled and URL retry is not allowed by default.
Updating Managed Devices and ASA FirePOWER Modules
After you update your Firepower Management Centers to Version 6.0, use them to update the devices they manage.
Caution: 
Updating the system with managed devices running Version 5.4.0.5 or earlier to Version 6.0 may cause 
traffic outages and system issues. Prior to updating to Version 6.0, you must update managed devices to 
Version 5.4.0.6 or later.
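
The two cautions above (disable URL retry for devices at Version 5.4.0.6, Version 5.4.1.5, or earlier; update devices at Version 5.4.0.5 or earlier first) can be checked against a device inventory before deployment. The following is an added example, not part of the Cisco release notes: the device names and inventory are constructed, and it assumes the version thresholds are read per maintenance train with plain numeric ordering.

```python
# Added example: pre-update check built from the two cautions in these notes.
# Inventory is constructed sample data; device names are hypothetical.

def parse(version):
    """'5.4.0.6' or '5.4.0.6-12' -> (5, 4, 0, 6); short versions are zero-padded."""
    parts = [int(p) for p in version.split("-")[0].split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

# Assumption: "5.4.0.6, 5.4.1.5, or earlier" is read per maintenance train,
# so 5.4.0.7 and 5.4.1.6 are NOT covered, while anything below 5.4.0 is.
RETRY_CEILING = {(5, 4, 0): 6, (5, 4, 1): 5}
MIN_BEFORE_6_0 = (5, 4, 0, 6)   # devices must be at 5.4.0.6 or later first

def must_disable_url_retry(version):
    v = parse(version)
    train, patch = v[:3], v[3]
    if train in RETRY_CEILING:
        return patch <= RETRY_CEILING[train]
    return v < (5, 4, 0, 0)

def must_update_before_6_0(version):
    return parse(version) < MIN_BEFORE_6_0

def preflight(inventory):
    """Return {device: [actions]} for devices that need work before deploy."""
    report = {}
    for name, version in inventory.items():
        actions = []
        if must_update_before_6_0(version):
            actions.append("update device to 5.4.0.6 or later")
        if must_disable_url_retry(version):
            actions.append("disable Retry URL cache miss lookup before deploy")
        if actions:
            report[name] = actions
    return report

SAMPLE_INVENTORY = {          # constructed for illustration
    "edge-fw-01": "5.4.0.5",
    "edge-fw-02": "5.4.0.6",
    "dc-asa-01": "5.4.1.5",
    "dc-asa-02": "5.4.1.6",
    "lab-fw-01": "5.3.1",
    "core-fw-01": "6.0.0",
}

if __name__ == "__main__":
    for device, actions in preflight(SAMPLE_INVENTORY).items():
        print(f"{device}: " + "; ".join(actions))
```

A naive single comparison against 5.4.1.5 would wrongly flag 5.4.0.7, which is why the ceiling is kept per train.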