Cisco Firepower Management Center 2000
FireSIGHT System Release Notes
Installing the Update
11. Review and accept the End User License Agreement (EULA). Note that you are logged out of the appliance if you do not accept the EULA.
12. Select Help > About and confirm that the software version is listed correctly: Version 5.4.1.8. Also note the versions of the rule update and VDB on the Defense Center; you will need this information later.
13. Verify that the appliances in your deployment are successfully communicating and that there are no issues reported by the health monitor.
14. If the rule update available on the Support site is newer than the rules on your Defense Center, import the newer rules. Do not auto-apply the imported rules at this time.
For information on rule updates, see the FireSIGHT System User Guide.
15. If the VDB available on the Support site is newer than the VDB on your Defense Center, install the latest VDB.
Installing a VDB update causes a short pause in traffic flow and processing, and may also cause a few packets to pass uninspected. For more information, see the FireSIGHT System User Guide.
16. Reapply device configurations to all managed devices.
To reactivate a grayed-out Apply button, edit any interface in the device configuration, then click Save without making changes.
17. Reapply access control policies to all managed devices.
Caution:
Do not reapply your intrusion policies individually; you must reapply all access control policies completely.
When you apply an access control policy, resource demands may result in a small number of packets dropping without inspection. Additionally, applying some configurations requires the Snort process to restart, which interrupts traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and how it handles traffic. For more information, see the Configurations that Restart the Snort Process section of the FireSIGHT System User Guide.
18. If a patch for Version 5.4.1.8 is available on the Support site, apply the latest patch as described in the FireSIGHT System Release Notes for that version. You must update to the latest patch to take advantage of the latest enhancements and security fixes.
Updating Managed Devices
After you update your Defense Centers to Version 5.4, Version 5.4.1, or Version 5.4.1.8, use them to update the devices they manage.
A Defense Center must be running at least Version 5.4 to update its managed devices to Version 5.4.1.8. Because they do not have a web interface, you must use the Defense Center to update your virtual managed devices and ASA FirePOWER modules.
Updating managed devices is a two-step process. First, download the update from the Support site and upload it to the managing Defense Center. Next, install the software. You can update multiple devices at once, but only if they use the same update file.
When you update clustered Cisco ASA with FirePOWER Services devices, apply the update one device at a time and allow the update to complete before updating the second device.
Before you update an ASA FirePOWER module, set the device clock to the correct time. If an ASA device clock is set to the incorrect time before updating, the Access Control Licensing page does not load.
For the Version 5.4.0.9 update, all devices reboot. Series 3 devices do not perform traffic inspection, switching, routing, NAT, VPN, or related functions during the update. Depending on how your devices are configured and deployed, the update process may also affect traffic flow and link state. For more information, see .
Caution:
Before you update a managed device, use its managing Defense Center to reapply the appropriate access control policy to the
managed device. Otherwise, the managed device update may fail.