Cisco Firepower Management Center 2000

Firepower System Release Notes
 
Before You Begin: Important Update and Compatibility Notes
 
Before you begin the update, Cisco strongly recommends that you back up current event and configuration data 
to an external location. This data is not backed up as part of the update process.
Use the Firepower Management Center to back up event and configuration data for itself and the devices it manages. For more information on the backup and restore feature, see the Firepower Management Center Configuration Guide.

Note: The Firepower Management Center purges locally stored backups from previous updates. To retain archived backups, store the backups externally.

Traffic Flow and Inspection During the Update
The update process (and any uninstallation of the update) reboots managed devices. Depending on how your 
devices are configured and deployed, the following capabilities are affected:
- traffic inspection, including application awareness and control, URL filtering, Security Intelligence, intrusion detection and prevention, and connection logging
- traffic flow, including switching, routing, NAT, VPN, and related functionality
- link state
Note that when you update clustered devices or device stacks (in 6.0, high availability device or stack pairs), the 
system performs the update one device at a time to avoid traffic interruption.
Traffic Inspection and Link State
In an inline deployment, your managed devices (depending on model) can affect traffic flow via application control, 
user control, URL filtering, Security Intelligence, and intrusion prevention, as well as switching, routing, NAT, and 
VPN on Firepower 7000 Series and 8000 Series devices. For more information on appliance capabilities, see the 
Firepower Management Center Configuration Guide.
The following table provides details on how traffic flow, inspection, and link state are affected during the update, 
depending on your deployment. Note that regardless of how you configured any inline sets, switching, routing, 
NAT, and VPN are not performed during the update process.
Table 4: Network Traffic Interruptions

| Deployment | Network Traffic Interrupted? |
|---|---|
| Inline with configurable bypass (Configurable bypass option enabled for inline sets) | Network traffic is interrupted at two points during the update: (1) At the beginning of the update process, traffic is briefly interrupted while link goes down and up (flaps) and the network card switches into hardware bypass. Traffic is not inspected during hardware bypass. (2) After the update finishes, traffic is again briefly interrupted while link flaps and the network card switches out of bypass. After the endpoints reconnect and reestablish link with the sensor interfaces, traffic is inspected again. Note: The configurable bypass option is not supported on NGIPSv devices, Cisco ASA with FirePOWER Services, non-bypass NetMods on Firepower 8000 Series devices, or SFP transceivers on 71xx Family devices. |
| Inline | Network traffic is blocked throughout the update. |
| Passive | Network traffic is not interrupted, but also is not inspected during the update. |