Cisco Firepower Management Center 2000 Release Notes

FireSIGHT System Release Notes
Before You Begin: Important Update and Compatibility Notes
Note that when you update clustered 7000 or 8000 Series devices or device stacks (in 6.0, high availability device or 
stack pairs), the system performs the update one device at a time to avoid traffic interruption. When you update clustered 
Cisco ASA with FirePOWER Services, apply the update one device at a time, allowing the update to complete before 
updating the second device.
The following table explains how Snort restarts affect traffic inspection. It is reasonable to anticipate that the product 
update could affect traffic similarly.
Link State
In 7000 Series and 8000 Series inline deployments with Bypass enabled, network traffic is interrupted at two points 
during the update:
At the beginning of the update process, traffic is briefly interrupted while link goes down and up (flaps) and the 
network card switches into hardware bypass. Traffic is not inspected during hardware bypass.
After the update finishes, traffic is again briefly interrupted while link flaps, and the network card switches out of 
bypass. After the endpoints reconnect and reestablish link with the sensor interfaces, traffic is inspected again.
Note: The configurable Bypass option is not supported on NGIPSv devices, Cisco ASA with FirePOWER Services, 
non-bypass NetMods on 8000 Series devices, or SFP transceivers on 71xx Family devices.
Switching and Routing
Series 3 devices do not perform switching, routing, NAT, VPN, or related functions during the update. If you configured 
your devices to perform only switching and routing, network traffic is blocked throughout the update.
Audit Logging During the Update
When updating appliances that have a web interface, after the system completes its pre-update tasks and the 
streamlined update interface page appears, login attempts to the appliance are not reflected in the audit log until the 
update process is complete and the appliance reboots.
Version Requirements for Updating to Version 5.4.0.7 and Version 5.4.1.6
To update to Version 5.4.1.6, a Defense Center must be running at least Version 5.4. Defense Centers running Version 
5.4.1.1 can manage devices running Version 5.4.0.7 and Version 5.4.1.6. If you are running an earlier version, you can 
obtain updates from the Support site.
Table 2. Snort Restart Traffic Effects by Managed Device Model

| On this managed device model... | Configured as... | Traffic during restart is... |
| --- | --- | --- |
| Series 2, Series 3, and virtual | Inline with Failsafe enabled or disabled, or inline tap mode | Passed without inspection (a few packets might drop if Failsafe is disabled and Snort is busy but not down) |
| Series 2, Series 3, and virtual | Passive | Uninterrupted and not inspected |
| Series 3 | Routed, switched, or transparent | Dropped |
| Cisco ASA with FirePOWER Services | Routed or transparent with fail-open (Permit Traffic) | Passed without inspection |
| Cisco ASA with FirePOWER Services | Routed or transparent with fail-close (Close Traffic) | Dropped |