Installing Software Updates
You can install updates to the system databases and to the system software. The following topics explain how to install these updates.
Updating System Databases and Feeds
The system uses several databases and Security Intelligence feeds to provide advanced services. Cisco provides updates to these databases and feeds so that your security policies use the latest information available.
Overview of System Database and Feed Updates
FTD uses the following databases and feeds to provide advanced services.
- Intrusion rules
As new vulnerabilities become known, the Cisco Talos Intelligence Group (Talos) releases intrusion rule updates that you can import. These updates affect intrusion rules, preprocessor rules, and the policies that use the rules.
Intrusion rule updates provide new and updated intrusion rules and preprocessor rules, modified states for existing rules, and modified default intrusion policy settings. Rule updates may also delete rules, provide new rule categories and default variables, and modify default variable values.
For changes made by an intrusion rule update to take effect, you must redeploy the configuration.
Intrusion rule updates may be large, so import rules during periods of low network use. On slow networks, an update attempt might fail, and you will need to retry.
- Geolocation database (GeoDB)
The Cisco Geolocation Database (GeoDB) is a database of geographical data (such as country, city, coordinates) associated with routable IP addresses.
GeoDB updates provide updated information on physical locations that your system can associate with detected routable IP addresses. You can use geolocation data as a condition in access control rules.
The time needed to update the GeoDB depends on your appliance; the installation usually takes 30 to 40 minutes. Although a GeoDB update does not interrupt any other system functions (including the ongoing collection of geolocation information), the update does consume system resources while it completes. Consider this when planning your updates.
- Vulnerability database (VDB)
The Cisco Vulnerability Database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications. The firewall system correlates the fingerprints with the vulnerabilities to help you determine whether a particular host increases your risk of network compromise. The Cisco Talos Intelligence Group (Talos) issues periodic updates to the VDB.
The time it takes to update vulnerability mappings depends on the number of hosts in your network map. You may want to schedule the update during low system usage times to minimize the impact of any system downtime. As a rule of thumb, divide the number of hosts on your network by 1000 to determine the approximate number of minutes to perform the update.
After you update the VDB, you must redeploy configurations before updated application detectors and operating system fingerprints can take effect.
- Cisco Talos Intelligence Group (Talos) Security Intelligence Feeds
Talos provides access to regularly updated intelligence feeds for use in Security Intelligence policies. Sites representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you can update and deploy custom configurations. These feeds contain addresses and URLs for known threats. When the system updates a feed, you do not have to redeploy. The new lists are used for evaluating subsequent connections.
- URL Category/Reputation Database
The system obtains the URL category and reputation database from Cisco Collective Security Intelligence (CSI). If you configure URL filtering access control rules that filter on category and reputation, requested URLs are matched against the database. You can configure database updates and some other URL filtering preferences on
. You cannot manage URL category/reputation database updates the same way you manage updates for the other system databases.
Updating System Databases
You can manually retrieve and apply system database updates at your convenience. Updates are retrieved from the Cisco support site. Thus, there must be a path to the internet from the system's management address.
Alternatively, you can retrieve the update packages from the internet yourself, then upload them from your workstation. This method is primarily meant for air-gapped networks, where there is no path to the internet for retrieving the updates from Cisco. Download the updates from software.cisco.com from the same folders where you would download system software upgrades.
Note: In May 2022 we split the GeoDB into two packages: a country code package that maps IP addresses to countries/continents, and an IP package that contains additional contextual data associated with routable IP addresses. The FDM does not and has never used the information in the IP package. This split saves significant disk space in locally managed FTD deployments. If you are getting the GeoDB from Cisco yourself, make sure you get the country code package, which has the same file name as the old all-in-one package: Cisco_GEODB_Update-date-build.
You can also set up a regular schedule to retrieve and apply database updates. Because these updates can be large, schedule them for times of low network activity.
Note: While a database update is in progress, you might find that the user interface is sluggish to respond to your actions.
Before you begin
To avoid any potential impact to pending changes, deploy the configuration to the device before manually updating these databases.
Please be aware that VDB and URL category updates can remove applications or categories. You need to update any access control or SSL decryption rules that use these deprecated items before you can deploy changes.
Procedure
Step 1
Click Device, then click View Configuration in the Updates summary. This opens the Updates page. Information on the page shows the current version for each database and the last date and time each database was updated.
Step 2
To manually update a database, click one of the following options in the section for that database:
Rule and VDB updates require a configuration deployment to make them active. When you update from the cloud, you are asked whether you want to deploy now; click Yes. If you click No, remember to initiate a deployment job at your earliest convenience. If you upload your own file, you must always deploy the changes manually.
Step 3
(Optional) To set up a regular database update schedule:
Updating Cisco Security Intelligence Feeds
Cisco Talos Intelligence Group (Talos) provides access to regularly updated Security Intelligence feeds. Sites representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you can update and deploy custom configurations. When the system updates a feed, you do not have to redeploy. The new lists are used for evaluating subsequent connections.
If you want strict control over when the system updates a feed from the Internet, you can disable automatic updates for that feed. However, automatic updates ensure the most up-to-date, relevant data.
Procedure
Step 1
Click Device, then click View Configuration in the Updates summary. This opens the Updates page. Information on the page shows the current version for the Security Intelligence Feeds and the last date and time the feeds were updated.
Step 2
To manually update the feeds, click Update Now in the Security Intelligence Feeds group. If you manually update the feeds on one unit in a high availability group, you need to also manually update them on the other unit to ensure consistency.
Step 3
(Optional.) To configure a regular update frequency:
You can install FTD software upgrades as they become available. The following procedure assumes that your system is already running FTD version 6.2.0 or higher and that it is operating normally.
Upgrades can be major (A.x), maintenance release (A.x.y), or patch (A.x.y.z). We also may provide hotfixes, which are minor updates that address particular, urgent issues. A hotfix might not require a reboot, while the other upgrade types do require a reboot. The system automatically reboots after installation if a reboot is required. Installing any update can disrupt traffic, so do the installation in off hours.
If you also need to upgrade the FXOS software on the chassis, install the FXOS upgrade before following this procedure.
If you are upgrading the units in a high availability group, upgrade the standby device, switch modes to swap the active/standby units, then install the upgrade on the new standby device. For detailed information, see fptd-fdm-ha.html#task_AE850BD023684725BBA13AEC03BFE1DF.
You cannot reimage a device, or migrate from ASA software to FTD software, using this procedure.
Note: Before installing an update, make sure that you deploy any pending changes. You should also run a backup and download the backup copy. Note that all upgrades except hotfixes will delete all backup files retained on the system.
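Before you begin
Check the task list and verify that there are no tasks running. Wait until all tasks, such as database updates, are completed before you install an upgrade. Also, check for any scheduled tasks. Scheduled tasks must not overlap with the upgrade task.
Before performing an update, verify that no deprecated applications exist in application filters, access rules, or SSL decryption rules. These applications have "(Deprecated)" appended to the application name. Although you cannot add deprecated applications to these objects, a subsequent VDB update can cause previously valid applications to become deprecated. If that happens, the upgrade fails and the device is left in an unusable state.
Download the upgrade file from the Cisco Support & Download site: https://www.cisco.com/go/ftd-software.
- You use the same upgrade package for all models in a family or series. To find the correct software, select or search for your model, then browse to the software download page for the appropriate version. Make sure that you obtain the appropriate upgrade file, whose file type is REL.tar. Do not download the system software package or the boot image.
- Do not rename the upgrade file. The system considers renamed files to be invalid.
- You cannot downgrade or uninstall a patch.
- Verify that you are running the required baseline image for the upgrade. For compatibility information, see the Cisco Secure Firewall Compatibility Guide (http://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html).
- Read the release notes for the new version. You can find the release notes at http://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-release-notes-list.html.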
Procedure
Step 1
Select Device, then click View Configuration in the Updates summary. The System Upgrade section shows the currently running software version and any update that you have already uploaded.
Step 2
Upload the upgrade file.
Step 3
Click Install to start the installation process. Information next to the icon indicates whether the device will reboot during installation. You are automatically logged out of the system. Installation might take 30 minutes or more. Wait before logging into the system again. The Device Summary, or System monitoring dashboard, should show the new version.
Step 4
(Optional.) Update the system databases. If you do not have automatic update jobs configured for Geolocation, Rule, and Vulnerability (VDB) databases, this is a good time to update them.
What to do next
You can check on the upgrade from the device CLI using the show upgrade status command. If the upgrade does not complete and you run into problems, you can cancel the upgrade using the upgrade cancel command.
Reimaging the Device
Reimaging a device involves wiping out the device configuration and installing a fresh software image. The intention of reimaging is to have a clean installation with a factory default configuration.
You would reimage the device in these circumstances:
- You want to convert the system from ASA Software to FTD Software. You cannot upgrade a device running an ASA image to one running a FTD image.
- The device is running a pre-6.1.0 image, and you want to upgrade to 6.1 or a later image and configure the device using the FDM. You cannot use the FMC to upgrade a pre-6.1 device and then switch to local management.
- The device is not functioning correctly and all attempts at fixing the configuration have failed.
For information on how to reimage a device, see Reimage the Cisco ASA or Threat Defense Device or the Threat Defense Quick Start guide for your device model. These guides are available at http://www.cisco.com/c/en/us/support/security/firepower-ngfw/products-installation-guides-list.html.