Cisco Firepower Management Center 2000
Firepower System Release Notes
Important Update Notes
In an inline deployment, your managed device (depending on the model and how it handles traffic) can affect traffic when you deploy configurations.
The following table provides details on how traffic flow, inspection, and link state are affected during the update, depending on your deployment.
Note that regardless of how you configured any inline sets, switching, routing, NAT, and VPN are not performed during the update process.
Note:
Rebooting the ASA FirePOWER module on an ASA 5585-X, including a reboot that occurs during a module upgrade, causes traffic to drop
for up to thirty seconds on the interfaces on the ASA FirePOWER hardware module while the module reboots.
Additional Memory Requirements
Version 6.1.0 of the Firepower System requires more memory than the previous versions for some Firepower Management Center models
(previously referred to as the FireSIGHT Management Center or the Defense Center). To be specific, MC750 requires two 4GB dual in-line memory
modules (DIMM). Similarly, MC1500 with 6GB of memory also requires additional memory.
Because the increase in memory was driven by Cisco product requirements, Cisco is making memory upgrade kits available for customers with
these models. These kits can be ordered at no cost by customers who are entitled to run Version 6.1.0 on a qualifying MC750 or MC1500 Firepower
Management Center model.
For more information on ordering memory kits, see http://www.cisco.com/c/en/us/support/docs/field-notices/640/fn64077.html. For instructions on
replacing the memory after you receive the kit, see “Memory Upgrade Instructions for Firepower Management Centers” in the Firepower
Management Center Installation Guide.
Time and Disk Space Requirements
The table below provides disk space and time guidelines for the Version 6.1.0 update. Note that when you use the Firepower Management Center
to update a managed device, the Firepower Management Center requires additional disk space on its /Volume partition.
Table 9. Network Traffic Interruptions

| Deployment | Network Traffic Interrupted? |
| --- | --- |
| Inline with configurable bypass (Configurable bypass mode enabled for inline sets) | Network traffic is interrupted at two points during the update. At the beginning of the update process, traffic is briefly interrupted while link goes down and up (flaps) and the network card switches into hardware bypass. Traffic is not inspected during hardware bypass. After the update finishes, traffic is again briefly interrupted while link flaps and the network card switches out of bypass. After the endpoints reconnect and reestablish link with the sensor interfaces, traffic is inspected again. The configurable bypass option is not supported on NGIPSv devices, ASA with FirePOWER Services, non-bypass NetMods on Firepower 8000 Series devices, SFP transceivers on Firepower 7000 Series, or Cisco ASA with Firepower Threat Defense devices. |
| Inline on 7000 and 8000 Series or NGIPSv | Network traffic is blocked throughout the update. |
| Passive on 7000 and 8000 Series or NGIPSv | Network traffic is not interrupted, but also is not inspected, during the update. |
| Routed or transparent interfaces on ASA FirePOWER module managed by ASDM | If the redirection service policy is set to fail-open, traffic is passed without inspection. If the redirection service policy is set to fail-close, traffic is blocked. |
| Clustered Firepower 9300 Security Appliances | Upgrading FXOS reboots the chassis, dropping traffic on clustered Firepower Threat Defense blades until the primary node comes back online. For more information, see |