System Software Updates

The following topics explain how to update Firepower deployments:

About Firepower Updates

Cisco distributes several types of upgrades and updates for Firepower deployments. Unless otherwise documented in the release notes or advisory text, updating does not modify configurations. Note that you cannot uninstall major upgrades, nor can you return to previous versions of the VDB, GeoDB, or SRU.

Table 1. Firepower Upgrades and Updates
Update Type	Description	Domain
Major upgrade	Includes new features and functionality, and may entail large-scale changes to the product. Can be freshly installed or restored, but not uninstalled. For devices where you upgrade the operating system separately, likely to have a companion operating system upgrade. May require you to re-accept the Cisco End User License Agreement (EULA)	Global only
Minor upgrade (patch)	Contains a limited range of fixes. Can be uninstalled, but not freshly installed or restored. You must restore to a major version, then upgrade to the minor version.	Global only
Vulnerability Database (VDB)	Updates detection of vulnerabilities, operating systems, applications, clients, and file types eligible for dynamic analysis.	Global only
Intrusion rules (SRUs)	Provides new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. May also delete rules, provide new rule categories and default variables, and modify default variable values.	Cisco-provided: Global only Local imports: Any
Geolocation database (GeoDB)	Updates information on physical locations, connection types, and so on, that can be associated with detected routable IP addresses. You must install the GeoDB to view geolocation details or perform geolocation-based access control.	Global only

Guidelines and Limitations for Firepower Updates

Before You Update

Before you update any component of your Firepower deployment (including the VDB, GeoDB, or SRU) you must read the release notes or advisory text that accompanies the update. These provide critical and release-specific information, including compatibility, prerequisites, new capabilities, behavior changes, and warnings.

For details on how to prepare for and complete a successful system software upgrade of a Firepower Management Center deployment, see the Cisco Firepower Management Center Upgrade Guide.

Bandwidth Guidelines

Updates can require large data transfers from the Firepower Management Center to managed devices. Before you begin, make sure your management network has sufficient bandwidth to successfully perform the transfer. See the Troubleshooting Tech Note at https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212043-Guidelines-for-Downloading-Data-from-the.html.

Upgrade Firepower System Software

Upgrading a Firepower Management Center deployment can be complex process. Careful planning and preparation can help you avoid missteps. You should consider planning and preparation as much a part of the upgrade process as actually performing the mechanical steps that invoke the upgrade scripts.

The first step in the process is to assess your deployment and create an upgrade path—a detailed plan for which appliances you will upgrade, what components you will upgrade, and in what order. Your upgrade path should:

Maintain manager-device compatibility.
Include operating system and hosting environment upgrades where necessary.
Include other tasks such as backups, package downloads, bandwidth and disk space checks, pre- and post-upgrade configuration changes, and so on.
Identify potential interruptions in traffic flow and inspection.

For details on how to prepare for and complete a successful upgrade of a Firepower Management Center deployment, see Cisco Firepower Management Center Upgrade Guide.

Update the Vulnerability Database (VDB) Manually


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Any	Global only	Admin

The Cisco vulnerability database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications. The system uses the VDB to help determine whether a particular host increases your risk of compromise.

The Cisco Talos Security Intelligence and Research Group (Talos) issues periodic updates to the VDB. The time it takes to update the VDB and its associated mappings on the Firepower Management Center depends on the number of hosts in your network map. As a rule of thumb, divide the number of hosts by 1000 to determine the approximate number of minutes to perform the update.

If the Firepower Management Center cannot access the internet, or you want to manually upload the VDB update to the Firepower Management Center, use this procedure. To automate VDB updates, use task scheduling (System > Tools > Scheduling). For details, see Vulnerability Database Update Automation.

Important

If you do not schedule automatic VDB updates, you should regularly check for these updates. Updates occur no more than once daily and are posted to the appropriate child pages of https://www.cisco.com/go/firepower-software.

Caution

Installing a vulnerability database (VDB) update immediately restarts the Snort process on all managed devices. Additionally, the first deploy after installing the VDB might cause a Snort restart depending on the VDB content. In either scenario, the restart interrupts traffic inspection. Whether traffic drops during the interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

Before you begin

Download the update from https://www.cisco.com/go/firepower-software.
Consider the update's effect on traffic flow and inspection due to Snort restarts. We recommend performing updates in a maintenance window.

Procedure

Step 1	Choose System > Updates, then click the Product Updates tab.
Step 2	Choose how you want to upload the VDB update to the Firepower Management Center. Download directly from Cisco.com—Click Download Updates. If it can access the Cisco Support & Download site, the Firepower Management Center downloads the latest VDB. Note that the Firepower Management Center also downloads a package for each patch and hotfix (but not major release) associated with the version your appliances are currently running. Upload manually—Click Upload Update, then Choose File. Browse to the update you downloaded earlier, and click Upload. VDB updates appear on the same page as Firepower software upgrade and uninstaller packages.
Step 3	Install the update. Click the Install icon next to the Vulnerability and Fingerprint Database update. Choose the Firepower Management Center. Click Install.
Step 4	(Optional) Monitor update progress in the Message Center. Do not perform tasks related to mapped vulnerabilities until the update completes. Even if the Message Center shows no progress for several minutes or indicates that the update has failed, do not restart the update. Instead, contact Cisco TAC. After the update completes and Snort restarts, the system uses the new vulnerability information. However, you must deploy before updated application detectors and operating system fingerprints can take effect.
Step 5	(Optional) Monitor update progress in the Message Center. Do not perform tasks related to mapped vulnerabilities until the update completes. Even if the Message Center shows no progress for several minutes or indicates that the update has failed, do not restart the update. Instead, contact Cisco TAC. After the update completes and Snort restarts, the system uses the new vulnerability information. However, you must deploy before updated application detectors and operating system fingerprints can take effect.
Step 6	Verify update success. Choose Help > About to view the current VDB version.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

Update the Geolocation Database (GeoDB)

The Cisco Geolocation Database (GeoDB) is a database of geographical data (such as country, city, coordinates) and connection-related data (such as Internet service provider, domain name, connection type) associated with routable IP addresses. When your system detects GeoDB information that matches a detected IP address, you can view the geolocation information associated with that IP address. You must install the GeoDB on your system to view any geolocation details other than country or continent. Cisco issues periodic updates to the GeoDB.

To update the GeoDB, use the Geolocation Updates page (System > Updates > Geolocation Updates) on the Firepower Management Center. When you upload GeoDB updates you obtained from Support or from your appliance, they appear on this page.

Note

Download the update directly from the Support Site, either manually or by clicking Download and install geolocation update from the Support Site on the Geolocation Updates page. If you transfer an update file by email, it may become corrupted.

Time needed to update the GeoDB depends on your appliance; the installation usually takes 30 to 40 minutes. Although a GeoDB update does not interrupt any other system functions (including the ongoing collection of geolocation information), the update does consume system resources while it completes. Consider this when planning your updates.

The GeoDB update overrides any previous versions of the GeoDB and is effective immediately. When you update the GeoDB, the Firepower Management Center automatically updates the related data on its managed devices. It may take a few minutes for a GeoDB update to take effect throughout your deployment. You do not need to re-deploy after you update.

Manually Update the GeoDB (Internet Connection)


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Any	Global only	Admin

You can import a new GeoDB update by automatically connecting to the Support Site only if the appliance has Internet access.

Procedure

Step 1	Choose System > Updates.
Step 2	Click the Geolocation Updates tab.
Step 3	Choose Download and install geolocation update from the Support Site.
Step 4	Click Import. The system queues a Geolocation Update task, which checks for the latest updates on the Cisco Support Site (http://www.cisco.com/cisco/web/support/index.html).
Step 5	Optionally, monitor the task status; see Viewing Task Messages.
Step 6	After the update finishes, return to the Geolocation Updates page or choose Help > About to confirm that the GeoDB build number matches the update you installed.

Manually Update the GeoDB (No Internet Connection)


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Any	Global only	Admin

If your Firepower Management Center does not have Internet access, you can download the GeoDB update from the Cisco Support Site to a local machine on your network, then manually upload it to your Firepower Management Center.

Procedure

Step 1	Manually download the update from the Cisco Support Site (http://www.cisco.com/cisco/web/support/index.html).
Step 2	Choose System > Updates.
Step 3	Click the Geolocation Updates tab.
Step 4	Choose Upload and install geolocation update.
Step 5	Browse to the update you downloaded, and click Upload.
Step 6	Click Import.
Step 7	Optionally, monitor the task status; see Viewing Task Messages.
Step 8	After the update finishes, return to the Geolocation Updates page or choose Help > About to confirm that the GeoDB build number matches the update you installed.

Schedule GeoDB Updates


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Any	Global only	Admin

If the Firepower Management Center has internet access, we recommend you schedule weekly GeoDB updates.

Before you begin

Make sure the Firepower Management Center can access the internet.

Procedure

Step 1	Choose System > Updates, then click the Geolocation Updates tab.
Step 2	Under Recurring Geolocation Updates, check Enable Recurring Weekly Updates.
Step 3	Specify the Update Start Time.
Step 4	Click Save.

Update Intrusion Rules

As new vulnerabilities become known, the Cisco Talos Security Intelligence and Research Group (Talos) releases intrusion rule updates that you can import onto your Firepower Management Center, and then implement by deploying the changed configuration to your managed devices. These updates affect intrusion rules, preprocessor rules, and the policies that use the rules.

Intrusion rule updates are cumulative, and Cisco recommends you always import the latest update. You cannot import an intrusion rule update that either matches or predates the version of the currently installed rules.

An intrusion rule update may provide the following:

New and modified rules and rule states—Rule updates provide new and updated intrusion and preprocessor rules. For new rules, the rule state may be different in each system-provided intrusion policy. For example, a new rule may be enabled in the Security over Connectivity intrusion policy and disabled in the Connectivity over Security intrusion policy. Rule updates may also change the default state of existing rules, or delete existing rules entirely.
New rule categories—Rule updates may include new rule categories, which are always added.
Modified preprocessor and advanced settings—Rule updates may change the advanced settings in the system-provided intrusion policies and the preprocessor settings in system-provided network analysis policies. They can also update default values for the advanced preprocessing and performance options in your access control policies.
New and modified variables—Rule updates may modify default values for existing default variables, but do not override your changes. New variables are always added.

In a multidomain deployment, you can import local intrusion rules in any domain, but you can import intrusion rule updates from Talos in the Global domain only.

Caution

The first deploy after importing an intrusion rule update restarts the Snort process, which interrupts traffic inspection. Whether traffic drops during the interruption or passes without further inspection depends on how the target device handles traffic. For more information, see Snort® Restart Traffic Behavior.

Understanding When Intrusion Rule Updates Modify Policies

Intrusion rule updates can affect both system-provided and custom network analysis policies, as well as all access control policies:

system provided—Changes to system-provided network analysis and intrusion policies, as well as any changes to advanced access control settings, automatically take effect when you re-deploy the policies after the update.
custom—Because every custom network analysis and intrusion policy uses a system-provided policy as its base, or as the eventual base in a policy chain, rule updates can affect custom network analysis and intrusion policies. However, you can prevent rule updates from automatically making those changes. This allows you to update system-provided base policies manually, on a schedule independent of rule update imports. Regardless of your choice (implemented on a per-custom-policy basis), updates to system-provided policies do not override any settings you customized.

Note that importing a rule update discards all cached changes to network analysis and intrusion policies. For your convenience, the Rule Updates page lists policies with cached changes and the users who made those changes.

Deploying Intrusion Rule Updates

For changes made by an intrusion rule update to take effect, you must redeploy configurations. When importing a rule update, you can configure the system to automatically redeploy to affected devices. This approach is especially useful if you allow the intrusion rule update to modify system-provided base intrusion policies.

Recurring Intrusion Rule Updates

You can import rule updates on a daily, weekly, or monthly basis, using the Rule Updates page.

Applicable subtasks in the intrusion rule update import occur in the following order: download, install, base policy update, and configuration deploy. When one subtask completes, the next subtask begins.

At the scheduled time, the system installs the rule update and deploys the changed configuration as you specified in the previous step. You can log off or use the web interface to perform other tasks before or during the import. When accessed during an import, the Rule Update Log displays a red status icon (), and you can view messages as they occur in the Rule Update Log detailed view. Depending on the rule update size and content, several minutes may pass before status messages appear.

Importing Local Intrusion Rules

A local intrusion rule is a custom standard text rule that you import from a local machine as a plain text file with ASCII or UTF-8 encoding. You can create local rules using the instructions in the Snort users manual, which is available at http://www.snort.org.

In a multidomain deployment, you can import local intrusion rules in any domain. You can view local intrusion rules imported in the current domain and ancestor domains.

Update Intrusion Rules One-Time Manually


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Any	Global only	Admin

Import a new intrusion rule update manually if your Firepower Management Center does not have Internet access.

Caution

Procedure

Step 1

Manually download the update from the Cisco Support Site (http://www.cisco.com/cisco/web/support/index.html).

Step 2

Choose System > Updates, then click the Rule Updates tab.

Step 3

If you want to move all user-defined rules that you have created or imported to the deleted folder, you must click Delete All Local Rules in the toolbar, then click OK.

Step 4

Choose Rule Update or text rule file to upload and install and click Browse to navigate to and choose the rule update file.

Step 5

If you want to automatically re-deploy policies to your managed devices after the update completes, choose Reapply all policies after the rule update import completes.

Step 6

Click Import. The system installs the rule update and displays the Rule Update Log detailed view.

Note

Contact Support if you receive an error message while installing the rule update.

Update Intrusion Rules One-Time Automatically


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Any	Global only	Admin

To import a new intrusion rule update automatically, your appliance must have Internet access to connect to the Support Site.

Caution

Before you begin

Ensure the Firepower Management Center has internet access; see Security, Internet Access, and Communication Ports.

Procedure

Step 1

Choose System > Updates.

Step 2

Click the Rule Updates tab.

Step 3

If you want to move all user-defined rules that you have created or imported to the deleted folder, click Delete All Local Rules in the toolbar, then click OK.

Step 4

Choose Download new Rule Update from the Support Site.

Step 5

If you want to automatically re-deploy the changed configuration to managed devices after the update completes, check the Reapply all policies after the rule update import completes check box.

Step 6

Click Import.

The system installs the rule update and displays the Rule Update Log detailed view.

Caution

Contact Support if you receive an error message while installing the rule update.

Configure Recurring Intrusion Rule Updates


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Any	Global only	Admin

Caution

Procedure

Step 1

Choose System > Updates.

Step 2

Click the Rule Updates tab.

Step 3

If you want to move all user-defined rules that you have created or imported to the deleted folder, click Delete All Local Rules in the toolbar, then click OK.

Step 4

Check the Enable Recurring Rule Update Imports check box.

Import status messages appear beneath the Recurring Rule Update Imports section heading.

Step 5

In the Import Frequency field, specify:

The frequency of the update (Daily, Weekly, or Monthly)
The day of the week or month you want the update to occur
The time you want the update to start

Step 6

If you want to automatically re-deploy the changed configuration to your managed devices after the update completes, check the Deploy updated policies to targeted devices after rule update completes check box.

Step 7

Click Save.

Caution

Contact Support if you receive an error message while installing the intrusion rule update.

The status message under the Recurring Rule Update Imports section heading changes to indicate that the rule update has not yet run.

Guidelines for Importing Local Intrusion Rules

Observe the following guidelines when importing a local rule file:

The rules importer requires that all custom rules are imported in a plain text file encoded in ASCII or UTF-8.
The text file name can include alphanumeric characters, spaces, and no special characters other than underscore (_), period (.), and dash (-).
The system imports local rules preceded with a single pound character (#), but they are flagged as deleted.
The system imports local rules preceded with a single pound character (#), and does not import local rules preceded with two pound characters (##).
Rules cannot contain any escape characters.
You do not have to specify a Generator ID (GID) when importing a local rule. If you do, specify only GID 1 for a standard text rule.
When importing a rule for the first time, do not specify a Snort ID (SID) or revision number. This avoids collisions with SIDs of other rules, including deleted rules. The system will automatically assign the rule the next available custom rule SID of 1000000 or greater, and a revision number of 1.

If you must import rules with SIDs, the SIDs must be unique numbers between 1,000,000 and 9,999,999.

In a multidomain deployment, the system assigns SIDs to imported rules from a shared pool used by all domains on the Firepower Management Center. If multiple administrators are importing local rules at the same time, SIDs within an individual domain might appear to be non-sequential, because the system assigned the intervening numbers in the sequence to another domain.

When importing an updated version of a local rule you have previously imported, or when reinstating a local rule you have deleted, you must include the SID assigned by the system and a revision number greater than the current revision number. You can determine the revision number for a current or deleted rule by editing the rule.

Note

The system automatically increments the revision number when you delete a local rule; this is a device that allows you to reinstate local rules. All deleted local rules are moved from the local rule category to the deleted rule category.

The import fails if a rule contains any of the following: .
- A SID greater than 2147483647.
- A list of source or destination ports that is longer than 64 characters.
Policy validation fails if you enable an imported local rule that uses the deprecated threshold keyword in combination with the intrusion event thresholding feature in an intrusion policy.
All imported local rules are automatically saved in the local rule category.
The system always sets local rules that you import to the disabled rule state. You must manually set the state of local rules before you can use them in your intrusion policy.

Import Local Intrusion Rules

Make sure your local rule file follows the guidelines described in Guidelines for Importing Local Intrusion Rules.
Make sure your process for importing local intrusion rules complies with your security policies.
Consider the import's effect on traffic flow and inspection due to bandwidth constraints and Snort restarts. We recommend scheduling rule updates during maintenance windows.


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Any	Any	Admin

Use this procedure to import local intrusion rules. Imported intrusion rules appear in the local rule category in a disabled state.

Procedure

Step 1	Choose System > Updates, then click the Rule Updates tab.
Step 2	(Optional) Delete existing local rules. Click Delete All Local Rules, then confirm that you want to move all created and imported intrusion rules to the deleted folder.
Step 3	Under One-Time Rule Update/Rules Import, choose Rule update or text rule file..., then click Choose File and browse to your local rule file.
Step 4	Click Import.
Step 5	Monitor import progress in the Message Center. To display the Message Center, click the System Status icon on the menu bar. Even if the Message Center shows no progress for several minutes or indicates that the import has failed, do not restart the import. Instead, contact Cisco TAC.

What to do next

Edit intrusion policies and enable the rules you imported.
Deploy configuration changes; see Deploy Configuration Changes.

Rule Update Log

The Firepower Management Center generates a record for each rule update and local rule file that you import.

Each record includes a time stamp, the name of the user who imported the file, and a status icon indicating whether the import succeeded or failed. You can maintain a list of all rule updates and local rule files that you import, delete any record from the list, and access detailed records for all imported rules and rule update components.

The Rule Update Import Log detailed view lists a detailed record for each object imported in a rule update or local rule file. You can also create a custom workflow or report from the records listed that includes only the information that matches your specific needs.

Intrusion Rule Update Log Table

Table 2. Intrusion Rule Update Log Fields
Field	Description
Summary	The name of the import file. If the import fails, a brief statement of the reason for the failure appears under the file name.
Time	The time and date that the import started.
User ID	The user name of the user that triggered the import.
Status	Whether the import: succeeded ( ) failed or is currently in progress ( ) The red status icon indicating an unsuccessful or incomplete import appears on the Rule Update Log page during the import and is replaced by the green icon only when the import has successfully completed.

Tip

You can view import details as they appear while an intrusion rule update import is in progress.

Viewing the Intrusion Rule Update Log


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Any	Any	Admin

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

Procedure

Step 1

Choose System > Updates.

Tip

You can also click Import Rules on the intrusion rules editor page (Objects > Intrusion Rules).

Step 2

Click the Rule Updates tab.

Step 3

Click Rule Update Log.

Step 4

You have two options:

View details — To view details for each object imported in a rule update or local rule file, click view icon () next to the file you want to view; see Viewing Details of the Intrusion Rule Update Import Log.

Delete — To delete an import file record from the import log, including detailed records for all objects included with the file, click the delete icon (

) next to the import file name.

Note

Deleting the file from the log does not delete any object imported in the import file, but only deletes the import log records.

Fields in an Intrusion Rule Update Log

Tip

You search the entire Rule Update Import Log database even when you initiate a search by clicking Search on the toolbar from the Rule Update Import Log detailed view with only the records for a single import file displayed. Make sure you set your time constraints to include all objects you want to include in the search.

Table 3. Rule Update Import Log Detailed View Fields
Field	Description
Action	An indication that one of the following has occurred for the object type: `new` (for a rule, this is the first time the rule has been stored on this appliance) `changed` (for a rule update component or rule, the rule update component has been modified, or the rule has a higher revision number and the same GID and SID) `collision` (for a rule update component or rule, import was skipped because its revision conflicts with an existing component or rule on the appliance) `deleted` (for rules, the rule has been deleted from the rule update) `enabled` (for a rule update edit, a preprocessor, rule, or other feature has been enabled in a default policy provided with the system) `disabled` (for rules, the rule has been disabled in a default policy provided with the system) `drop` (for rules, the rule has been set to Drop and Generate Events in a default policy provided with the system) `error` (for a rule update or local rule file, the import failed) `apply` (the Reapply all policies after the rule update import completes option was enabled for the import)
Default Action	The default action defined by the rule update. When the imported object type is `rule`, the default action is `Pass`, `Alert`, or `Drop`. For all other imported object types, there is no default action.
Details	A string unique to the component or rule. For rules, the GID, SID, and previous revision number for a changed rule, displayed as `previously (GID:SID:Rev)`. This field is blank for a rule that has not changed.
Domain	The domain whose intrusion policies can use the updated rule. Intrusion policies in descendant domains can also use the rule. This field is only present in a multidomain deployment.
GID	The generator ID for a rule. For example, `1` (standard text rule) or `3` (shared object rule).
Name	The name of the imported object, which for rules corresponds to the rule Message field, and for rule update components is the component name.
Policy	For imported rules, this field displays `All`. This means that the rule was imported successfully, and can be enabled in all appropriate default intrusion policies. For other types of imported objects, this field is blank.
Rev	The revision number for a rule.
Rule Update	The rule update file name.
SID	The SID for a rule.
Time	The time and date the import began.
Type	The type of imported object, which can be one of the following: `rule update component` (an imported component such as a rule pack or policy pack) `rule` (for rules, a new or updated rule; note that in Version 5.0.1 this value replaced the `update` value, which is deprecated) `policy apply` (the Reapply all policies after the rule update import completes option was enabled for the import)
Count	The count (`1`) for each record. The Count field appears in a table view when the table is constrained, and the Rule Update Log detailed view is constrained by default to rule update records. This field is not searchable.

Viewing Details of the Intrusion Rule Update Import Log


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Any	Any	Admin

In a multidomain deployment, you can view data for the current domain and for any descendant domains. You cannot view data from higher level or sibling domains.

Procedure

Step 1	Choose System > Updates.
Step 2	Click the Rule Updates tab.
Step 3	Click Rule Update Log.
Step 4	Click the view icon () next to the file whose detailed records you want to view.
Step 5	You can take any of the following actions: Bookmark — To bookmark the current page, click Bookmark This Page. Edit Search — To open a search page prepopulated with the current single constraint, choose Edit Search or Save Search next to Search Constraints. Manage bookmarks — To navigate to the bookmark management page, click Report Designer. Report — To generate a report based on the data in the current view, click Report Designer. Search — To search the entire Rule Update Import Log database for rule update import records, click Search. Sort — To sort and constain records on the current workflow page, see Using Drill-Down Pages for more information. Switch workflows — To temporarily use a different workflow, click (switch workflows).

Maintain Your Air-Gapped Deployment

If your Firepower system is not connected to the internet, essential updates will not occur automatically.

You must manually obtain and install these updates. See the following information:

Update the Vulnerability Database (VDB) Manually
Update Intrusion Rules One-Time Manually
Manually Update the GeoDB (No Internet Connection)
The Firepower Management Center Software Upgrade Guide at

https://www.cisco.com/c/en/us/td/docs/security/firepower/upgrade/fpmc-upgrade-guide.html

Firepower Management Center Configuration Guide, Version 6.0

Results

Chapter: System Software Updates

System Software Updates

About Firepower Updates

Guidelines and Limitations for Firepower Updates

Before You Update

Bandwidth Guidelines

Upgrade Firepower System Software

Update the Vulnerability Database (VDB) Manually

Before you begin

Procedure

What to do next

Update the Geolocation Database (GeoDB)

Manually Update the GeoDB (Internet Connection)

Procedure

Manually Update the GeoDB (No Internet Connection)

Procedure

Schedule GeoDB Updates

Before you begin

Procedure

Update Intrusion Rules

Understanding When Intrusion Rule Updates Modify Policies

Deploying Intrusion Rule Updates

Recurring Intrusion Rule Updates

Importing Local Intrusion Rules

Update Intrusion Rules One-Time Manually

Procedure

Update Intrusion Rules One-Time Automatically

Before you begin

Procedure

Configure Recurring Intrusion Rule Updates

Procedure

Guidelines for Importing Local Intrusion Rules

Import Local Intrusion Rules

Procedure

What to do next

Rule Update Log

Intrusion Rule Update Log Table

Viewing the Intrusion Rule Update Log

Procedure

Fields in an Intrusion Rule Update Log

Viewing Details of the Intrusion Rule Update Import Log

Procedure

Maintain Your Air-Gapped Deployment

Was this Document Helpful?

Contact Cisco

Related Cisco Community Discussions