Installing Software Updates
You can install updates to the system databases and to the system software. The following topics explain how to install these updates.
Updating System Databases
The system uses several databases to provide advanced services. Cisco provides updates to these databases so that your security policies use the latest information available.
Overview of System Database Updates
FTD uses the following databases to provide advanced services.
- Intrusion rules
As new vulnerabilities become known, the Cisco Talos Intelligence Group (Talos) releases intrusion rule updates that you can import. These updates affect intrusion rules, preprocessor rules, and the policies that use the rules.
Intrusion rule updates provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. Rule updates may also delete rules, provide new rule categories and default variables, and modify default variable values.
For changes made by an intrusion rule update to take effect, you must redeploy the configuration.
Intrusion rule updates may be large, so import rules during periods of low network use. On slow networks, an update attempt might fail, and you will need to retry.
- Geolocation database (GeoDB)
The Cisco Geolocation Database (GeoDB) is a database of geographical data (such as country, city, coordinates) associated with routable IP addresses.
GeoDB updates provide updated information on physical locations that your system can associate with detected routable IP addresses. You can use geolocation data as a condition in access control rules.
The time needed to update the GeoDB depends on your appliance; the installation usually takes 30 to 40 minutes. Although a GeoDB update does not interrupt any other system functions (including the ongoing collection of geolocation information), the update does consume system resources while it completes. Consider this when planning your updates.
- Vulnerability database (VDB)
The Cisco Vulnerability Database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications. The firewall system correlates the fingerprints with the vulnerabilities to help you determine whether a particular host increases your risk of network compromise. The Cisco Talos Intelligence Group (Talos) issues periodic updates to the VDB.
The time it takes to update vulnerability mappings depends on the number of hosts in your network map. You may want to schedule the update during low system usage times to minimize the impact of any system downtime. As a rule of thumb, divide the number of hosts on your network by 1000 to determine the approximate number of minutes to perform the update.
After you update the VDB, you must redeploy configurations before updated application detectors and operating system fingerprints can take effect.
- URL Category/Reputation Database
The system obtains the URL category and reputation database from Cisco Collective Security Intelligence (CSI). If you configure URL filtering access control rules that filter on category and reputation, requested URLs are matched against the database. You can configure database updates and some other URL filtering preferences on. You cannot manage URL category/reputation database updates the same way you manage updates for the other system databases.
Updating System Databases
You can manually retrieve and apply system database updates at your convenience. Updates are retrieved from the Cisco support site. Thus, there must be a path to the internet from the system's management address.
In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The FDM does not and has never used the information in the IP package. This split saves significant disk space in locally managed FTD deployments. If you are getting the GeoDB from Cisco yourself, make sure you get the country code package, which has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build.
You can also set up a regular schedule to retrieve and apply database updates. Because these updates can be large, schedule them for times of low network activity.
While a database update is in progress, you might find that the user interface is sluggish to respond to your actions.
Before you begin
To avoid any potential impact to pending changes, deploy the configuration to the device before manually updating these databases.
Please be aware that VDB and URL category updates can remove applications or categories. You need to update any access control or SSL decryption rules that use these deprecated items before you can deploy changes.
Click the name of the device in the menu, then click View Configuration in the Updates summary.
This opens the Updates page. Information on the page shows the current version for each database and the last date and time each database was updated.
To manually update a database, click Update Now in the section for that database.
After downloading and applying the update, the system automatically re-deploys policies to the device so that the system can use the updated information.
(Optional) To set up a regular database update schedule:
Upgrading the FTD Software
You can install the FTD software upgrades as they become available. The following procedure assumes that your system is already running the FTD software and that it is operating normally.
You cannot reimage a device, or migrate from ASA software to the FTD software, using this procedure.
Before you begin
Ensure that you deploy any pending changes, and wait until the deployment is complete (see the task list to verify). The system does not allow you to apply an upgrade if there are pending changes.
Then, log out from the FDM. Do not make any configuration changes while upgrading the software.
During upgrade, all events are erased.
Obtain the upgrade image and prepare it for installation.
Use an SSH client to log into the management IP address using the admin user account and password.
Alternatively, you can connect to the Console port.
Enter the expert command to access expert mode.
Change the working directory (cd) to /var/sf/updates/.
Download the upgrade file from your HTTP server.
sudo wget url
For example, the following command downloads the fictitious Cisco_FTD_Upgrade-6.2.0-181.sh upgrade file from the ftd folder on the files.example.com HTTP server. Because sudo runs the command as the root user, you see a stock warning and must re-enter the admin password before the command executes. Wait for the download to complete.
Use the tftp or scp commands instead if you are not using an HTTP server.
Install the upgrade file.
sudo install_update.pl --detach /var/sf/updates/filename
You must include the full path to the upgrade file in the command. We recommend including the --detach keyword to ensure that the install process does not stop if your user session times out or is otherwise closed during the process. For example:
Wait until installation is complete. The system reboots itself when installation is complete.
Installation might take 30 minutes or more.
Verify that the installation is complete.
Use an SSH client to log into the management IP address using the admin user account and password. The banner information includes a line (highlighted) that should show the new build number. For example, the following output indicates that the FTD version is now 6.2.0-181, which matches the example upgrade file. The show version command also shows software version information.
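The checks around the download, install, and verify steps above can be scripted. The following shell functions are an added example, not Cisco tooling or part of the original procedure: they confirm the file name and SHA-512 digest before printing the install command, and afterwards compare the reported version text with the file name. The function names and the separately obtained expected digest are assumptions.

```shell
#!/bin/sh
# Added example (not Cisco tooling): checks around the FTD upgrade steps.
# Function names and the expected-digest input are assumptions.
UPDATES_DIR=/var/sf/updates   # directory named in the procedure

# Print "version-build" (e.g. 6.2.0-181) from Cisco_FTD_Upgrade-<version>-<build>.sh
build_from_name() {
    base=$(basename "$1")
    case "$base" in
        Cisco_FTD_Upgrade-*.sh) ;;
        *) return 1 ;;
    esac
    vb=${base#Cisco_FTD_Upgrade-}
    vb=${vb%.sh}
    printf '%s\n' "$vb" | grep -Eq '^[0-9]+(\.[0-9]+)+-[0-9]+$' || return 1
    printf '%s\n' "$vb"
}

# Succeed only if the file's SHA-512 equals the expected hex digest
# (assumed to be obtained separately from where the image was published).
checksum_ok() {
    [ -f "$1" ] || return 1
    actual=$(sha512sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Print the install command, with the full path, only for a file that passes.
install_command() {
    build_from_name "$1" >/dev/null || { echo "unexpected file name: $1" >&2; return 1; }
    checksum_ok "$1" "$2" || { echo "SHA-512 mismatch: $1" >&2; return 1; }
    printf 'sudo install_update.pl --detach %s/%s\n' "$UPDATES_DIR" "$(basename "$1")"
}

# After the reboot: does the version text from the banner or show version
# contain both the version and the build taken from the file name?
version_matches() {
    vb=$(build_from_name "$1") || return 1
    version=${vb%-*}
    build=${vb##*-}
    printf '%s\n' "$2" | grep -Fq -- "$version" || return 1
    printf '%s\n' "$2" | grep -Eq "(^|[^0-9])$build([^0-9]|\$)"
}

# Usage: sh check_upgrade.sh <file> <expected-sha512>
if [ "$#" -eq 2 ]; then install_command "$1" "$2"; fi
```

A file whose name or digest does not match produces an error on stderr and no install command, so a truncated or substituted download is caught before install_update.pl runs as root.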
Reimaging the Device
Reimaging a device involves wiping out the device configuration and installing a fresh software image. The intention of reimaging is to have a clean installation with a factory default configuration.
You would reimage the device in these circumstances:
- You want to convert the system from ASA Software to FTD Software. You cannot upgrade a device running an ASA image to one running an FTD image.
- The device is running a pre-6.1.0 image, and you want to upgrade to 6.1 or a later image and configure the device using the FDM. You cannot use the FMC to upgrade a pre-6.1 device and then switch to local management.
- The device is not functioning correctly and all attempts at fixing the configuration have failed.
For information on how to reimage a device, see Reimage the Cisco ASA or Threat Defense Device or the Threat Defense Quick Start guide for your device model. These guides are available at http://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-guides-list.html.