| Feature | Minimum Firewall Management Center | Minimum Threat Defense | Details |
|---|---|---|---|
| Automatic VDB downloads. | 7.3.0 | Any | The initial setup on the Firewall Management Center schedules a weekly task to download the latest available software updates, which now includes the latest vulnerability database (VDB). We recommend you review this weekly task and adjust it if necessary. Optionally, schedule a new weekly task to actually update the VDB and deploy configurations.<br>New/modified screens: The Vulnerability Database check box is now enabled by default in the system-created Weekly Software Download scheduled task. |
| Install any VDB. | 7.3.0 | Any | Starting with VDB 357, you can install any VDB as far back as the baseline VDB for that Firewall Management Center.<br>After you update the VDB, deploy configuration changes. If you based configurations on vulnerabilities, application detectors, or fingerprints that are no longer available, examine those configurations to make sure you are handling traffic as expected. Also, keep in mind that a scheduled task to update the VDB can undo a rollback. To avoid this, change the scheduled task or delete any newer VDB packages.<br>New/modified screens: On System( ), if you upload an older VDB, a new Rollback icon appears instead of the Install icon. |
| Content updates and product upgrades no longer share a page. | 7.2.6 / 7.4.1 | Any | Content updates and product upgrades no longer share a page.<br>- System( ) is where you update intrusion rules, the VDB, and the GeoDB.<br>- System( ) is where you upgrade the Firewall Management Center and all managed devices, as well as manage upgrade packages.<br>- System( ) is deprecated. All Firewall Threat Defense upgrades now use the wizard.<br>Other version restrictions: Not supported with Firewall Management Center Version 7.3.x or 7.4.0. |
| Deprecated: scheduled download of maintenance releases. | 7.2.6 / 7.4.1 | Any | Upgrade impact. Scheduled download tasks stop retrieving maintenance releases.<br>The Download Latest Update scheduled task no longer downloads maintenance releases; it now downloads only the latest applicable patches and VDB updates. To direct-download maintenance (and major) releases to the Firewall Management Center, use System( ).<br>Version restrictions: Not supported with Firewall Management Center Version 7.3.x or 7.4.0. |
| Custom intrusion rule import warns when rules collide. | 6.7.0 | Any | The FMC now warns you of rule collisions when you import custom (local) intrusion rules. Previously, the system would silently skip the rules that cause collisions—with the exception of Version 6.6.0.1, where a rule import with collisions would fail entirely.<br>On the Rule Updates page, if a rule import had collisions, a warning icon is displayed in the Status column. For more information, hover your pointer over the warning icon and read the tooltip.<br>Note that a collision occurs when you try to import an intrusion rule that has the same SID/revision number as an existing rule. You should always make sure that updated versions of custom rules have new revision numbers.<br>New/modified screens: We added a warning icon to System( ). |
| Automatic VDB update during initial setup. | 6.6.0 | Any | When you set up a new or reimaged FMC, the system automatically attempts to update the vulnerability database (VDB).<br>This is a one-time operation. If the FMC has internet access, we recommend you schedule tasks to perform automatic recurring VDB update downloads and installations. |
| Automatic software downloads and GeoDB updates. | 6.5.0 | Any | When you set up a new or reimaged FMC, the system automatically attempts to update the vulnerability database (VDB).<br>This is a one-time operation. If the FMC has internet access, we recommend you schedule tasks to perform automatic recurring VDB update downloads and installations. |
| Signed SRU, VDB, and GeoDB updates. | 6.4.0 | Any | So the system can verify that you are using the correct update files, Version 6.4+ uses signed updates for intrusion rules (SRU), the vulnerability database (VDB), and the geolocation database (GeoDB). Earlier versions continue to use unsigned updates.<br>Unless you manually download updates (for example, in an air-gapped deployment), you should not notice any difference in functionality. If, however, you do manually download and install SRU, VDB, and GeoDB updates, make sure you download the correct package for your current version.<br>Signed update files begin with 'Cisco' instead of 'Sourcefire,' and end in .sh.REL.tar instead of .sh, as follows:<br>- SRU: Cisco_Firepower_SRU-date-build-vrt.sh.REL.tar<br>- VDB: Cisco_VDB_Fingerprint_Database-4.5.0-version.sh.REL.tar<br>- GeoDB: Cisco_GEODB_Update-date-build.sh.REL.tar<br>We will provide both signed and unsigned updates until the end-of-support for versions that require unsigned updates. Do not untar signed (.tar) packages. If you accidentally upload a signed update to an older FMC or ASA FirePOWER device, you must manually delete it. Leaving the package in place takes up disk space and may cause issues with future upgrades. |
| FMC warns of Snort restart before VDB updates. | 6.2.3 | Any | The FMC now warns you that vulnerability database (VDB) updates restart the Snort process. This interrupts traffic inspection and, depending on how the managed device handles traffic, possibly interrupts traffic flow. You can cancel the install until a more convenient time, such as during a maintenance window.<br>These warnings can appear:<br>- After you download and manually install a VDB.<br>- When you create a scheduled task to install the VDB.<br>- When the VDB installs in the background, such as during a previously scheduled task or as part of a software upgrade. |
| Deprecated: Geolocation details | 6.2.3 | Any | We no longer provide the geolocation IP package, which contained contextual data associated with routable IP addresses. This saves disk space and does not affect geolocation rules or traffic handling in any way. Any contextual data is now stale, and upgrading to most later versions deletes the IP package. Options to download the IP package or view contextual data have no effect, and are removed in later versions. |
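A pre-import check for the SID/revision collisions described in the 6.7.0 row (custom rule import), as an added example that is not part of this page or of Cisco's product: it parses `sid`/`rev` from Snort-format rule lines and buckets each incoming SID so collisions are caught before the upload. The sample rule text, the extra "stale" bucket for a lower revision, and treating a missing `rev` as 0 are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample rules (not from the page). EXISTING_RULES stands in for
# local rules already on the FMC; IMPORT_RULES is the file about to be imported.
EXISTING_RULES = """
alert tcp any any -> any 80 (msg:"LOCAL http probe"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"LOCAL tls probe"; sid:1000002; rev:3;)
"""

IMPORT_RULES = """
# edited rule but revision NOT bumped -> collision, would be skipped/warned
alert tcp any any -> any 80 (msg:"LOCAL http probe v2"; sid:1000001; rev:1;)
# revision bumped -> clean update
alert tcp any any -> any 443 (msg:"LOCAL tls probe v4"; sid:1000002; rev:4;)
# new SID -> new rule
alert udp any any -> any 53 (msg:"LOCAL dns probe"; sid:1000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_rules(text: str) -> Dict[int, int]:
    """Return {sid: rev} for each rule line; a missing rev is treated as 0 (assumption)."""
    sids: Dict[int, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue  # not a rule line (or malformed): nothing to compare
        rev_m = REV_RE.search(line)
        sids[int(sid_m.group(1))] = int(rev_m.group(1)) if rev_m else 0
    return sids


def classify_import(existing: Dict[int, int], incoming: Dict[int, int]) -> Dict[str, List[int]]:
    """Bucket incoming SIDs: collision = same SID and same rev (the case the FMC warns on),
    stale = lower rev than installed, update = higher rev, new = SID not yet present."""
    result: Dict[str, List[int]] = {"collision": [], "stale": [], "update": [], "new": []}
    for sid, rev in sorted(incoming.items()):
        if sid not in existing:
            result["new"].append(sid)
        elif rev == existing[sid]:
            result["collision"].append(sid)
        elif rev < existing[sid]:
            result["stale"].append(sid)
        else:
            result["update"].append(sid)
    return result


def precheck(existing_text: str, import_text: str) -> Dict[str, List[int]]:
    return classify_import(parse_rules(existing_text), parse_rules(import_text))
```

Run `precheck(EXISTING_RULES, IMPORT_RULES)` on the real rule files before importing; any SID in the `collision` bucket needs its `rev` bumped first.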
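A name check for manually downloaded update packages, following the 6.4.0 row (signed SRU, VDB, and GeoDB updates); this is an added example, not Cisco's code. The signed patterns are the three file names listed in that row; the unsigned form (a `Sourcefire` prefix with a plain `.sh` suffix), the "untarred" heuristic for a signed bundle someone extracted, and the `6.4` threshold taken from "Version 6.4+" are assumptions.

```python
import re
from typing import Tuple

# Signed package names as listed on the page; the date/build/version fields are
# matched loosely. Unsigned (pre-6.4) names are assumed to keep the same body
# with a "Sourcefire" prefix and a plain .sh suffix.
SIGNED = {
    "SRU":   re.compile(r"^Cisco_Firepower_SRU-\S+-\S+-vrt\.sh\.REL\.tar$"),
    "VDB":   re.compile(r"^Cisco_VDB_Fingerprint_Database-4\.5\.0-\d+\.sh\.REL\.tar$"),
    "GeoDB": re.compile(r"^Cisco_GEODB_Update-\S+-\S+\.sh\.REL\.tar$"),
}
UNSIGNED_SUFFIX = ".sh"
SIGNED_SINCE = (6, 4)   # "Version 6.4+ uses signed updates"


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def classify(filename: str) -> Tuple[str, str]:
    """Return (kind, form); form is 'signed', 'unsigned', 'untarred' or 'unknown'."""
    for kind, rx in SIGNED.items():
        if rx.match(filename):
            return kind, "signed"
    upper = filename.upper()
    kind = next((k for k in ("SRU", "VDB", "GeoDB") if k.upper() in upper), "unknown")
    if filename.startswith("Cisco") and filename.endswith(UNSIGNED_SUFFIX):
        # Looks like the .sh pulled out of a signed .tar: the page says never untar these.
        return kind, "untarred"
    if filename.startswith("Sourcefire") and filename.endswith(UNSIGNED_SUFFIX):
        return kind, "unsigned"
    return kind, "unknown"


def check_package(filename: str, fmc_version: str) -> str:
    """Decide whether a manually downloaded package matches the FMC version's signing needs."""
    kind, form = classify(filename)
    needs_signed = parse_version(fmc_version) >= SIGNED_SINCE
    if form == "untarred":
        return f"reject: {kind} package looks like an extracted signed bundle; re-download the .sh.REL.tar"
    if form == "unknown":
        return f"reject: unrecognised {kind} package name"
    if needs_signed and form == "unsigned":
        return f"reject: FMC {fmc_version} requires signed {kind} updates"
    if not needs_signed and form == "signed":
        return f"reject: FMC {fmc_version} cannot use signed {kind} updates; delete it if already uploaded"
    return f"ok: {form} {kind} package for FMC {fmc_version}"
```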