Cisco Cisco Firepower Management Center 2000 릴리즈 노트
10
FireSIGHT System Release Notes
Before You Begin: Important Update and Compatibility Notes
Traffic Inspection and Link State
In an inline deployment, your managed devices (depending on model) can affect traffic flow via application control, user
control, URL filtering, Security Intelligence, and intrusion prevention, as well as switching, routing, NAT, and VPN. For
more information on appliance capabilities, see the FireSIGHT System Installation Guide.
control, URL filtering, Security Intelligence, and intrusion prevention, as well as switching, routing, NAT, and VPN. For
more information on appliance capabilities, see the FireSIGHT System Installation Guide.
The following table provides details on how traffic flow, inspection, and link state are affected during the update,
depending on your deployment. Note that regardless of how you configured any inline sets, switching, routing, NAT, and
VPN are not performed during the update process.
depending on your deployment. Note that regardless of how you configured any inline sets, switching, routing, NAT, and
VPN are not performed during the update process.
Inline with configurable bypass
(Configurable bypass option
enabled for inline sets)
enabled for inline sets)
Network traffic is interrupted at two points during the update:
Inline
Network traffic is blocked throughout the update.
Passive
Network traffic is not interrupted, but also is not inspected during the update.
Switching and Routing
Series 3 devices do not perform switching, routing, NAT, VPN, or related functions during the update. If you configured
your devices to perform only switching and routing, network traffic is blocked throughout the update.
your devices to perform only switching and routing, network traffic is blocked throughout the update.
Audit Logging During the Update
When updating appliances that have a web interface, after the system completes its pre-update tasks and the
streamlined update interface page appears, login attempts to the appliance are not reflected in the audit log until the
update process is complete and the appliance reboots.
streamlined update interface page appears, login attempts to the appliance are not reflected in the audit log until the
update process is complete and the appliance reboots.
Version Requirements for Updating to Version 5.4.0.3 and Version 5.4.1.2
You can update devices to Version 5.4.0.3 or Version 5.4.1.2 using a Defense Center running at least Version 5.4.
However, if you plan on decrypting and inspecting SSL traffic, update your Defense Center to at least Version 5.4.1 prior
to updating your devices.To update to Version 5.4.1.2, a Defense Center must be running at least Version 5.4. If you are
running an earlier version, you can obtain updates from the Support site.
However, if you plan on decrypting and inspecting SSL traffic, update your Defense Center to at least Version 5.4.1 prior
to updating your devices.To update to Version 5.4.1.2, a Defense Center must be running at least Version 5.4. If you are
running an earlier version, you can obtain updates from the Support site.
Note:
This update is not supported on virtual managed devices or Cisco NGIPS for Blue Coat X-Series.
A Defense Center must be running at least Version 5.4 to update its managed devices to Version 5.4.1.2.
The closer your device’s or ASA module’s current version to the release version (Version 5.4.0.3), the less time the
update takes.
update takes.
Caution:
If your MC2000 or MC4000 is not running BIOS Version 2.0.1b before you update to Version 5.4.1.1, the update
will fail. Press F2 during appliance boot to open the BIOS setup utility and confirm the BIOS version. If you need to update
the BIOS or if the update fails due to the BIOS version, contact Support.
the BIOS or if the update fails due to the BIOS version, contact Support.
Table 2
Network Traffic Interruptions
Deployment
Network Traffic Interrupted?
At the beginning of the update process, traffic is briefly interrupted while link goes
down and up (flaps) and the network card switches into hardware bypass. Traffic is
not inspected during hardware bypass.
down and up (flaps) and the network card switches into hardware bypass. Traffic is
not inspected during hardware bypass.
After the update finishes, traffic is again briefly interrupted while link flaps and the
network card switches out of bypass. After the endpoints reconnect and reestablish
link with the sensor interfaces, traffic is inspected again.
network card switches out of bypass. After the endpoints reconnect and reestablish
link with the sensor interfaces, traffic is inspected again.
The configurable bypass option is not supported on virtual devices, Cisco NGIPS for
Blue Coat X-Series, Cisco ASA with FirePOWER Services, non-bypass NetMods on
8000 Series devices, or SFP transceivers on 71xx Family devices.
Blue Coat X-Series, Cisco ASA with FirePOWER Services, non-bypass NetMods on
8000 Series devices, or SFP transceivers on 71xx Family devices.