
Contents
Introduction
Prerequisites
Requirements
Components Used
Background Information
Type of Updates
Configure Firepower Module Updates
Install Product (Firmware) Update
Install VDB Update
Install Rule Updates
One-Time Rule Update/Rule Import
Recurring Rule Update Imports
Install Geolocation Updates
One-Time Geolocation Updates
Recurring Geolocation Updates
Verify the Update Installation
Troubleshoot
Related Information
Introduction
This document describes the various upgrades, updates, and patches available for the Firepower module and
how to install them with Adaptive Security Device Manager (On-Box Management).
Contributed by Avinash, Prashant Joshi, and Sunil Kumar, Cisco TAC Engineers.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
● Knowledge of Adaptive Security Appliance (ASA) firewall and Adaptive Security Device Manager (ASDM)
● Firepower Appliance Knowledge
Components Used
The information in this document is based on these software and hardware versions:
● ASA Firepower modules (ASA 5506X/5506H-X/5506W-X, ASA 5508-X, ASA 5516-X) running software version 5.4.1 and above
● ASA Firepower module (ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X) running software version 6.0.0 and above
The version of ASDM depends on the version running on the ASA. For a detailed compatibility
matrix, see ASA and ASDM Compatibility.
The information in this document is created from the devices in a particular lab environment. All of
the devices used in this document started with a cleared (default) configuration. If your network is
live, make sure that you understand the potential impact of any command.
Background Information
Type of Updates
Firepower module has these types of updates:
● Product (Firmware) Upgrade/Patch
● Vulnerability Database (VDB) Update
● Rule (Signature) Update
● Geolocation Update
Configure Firepower Module Updates
Install Product (Firmware) Update
Product updates are of two types.
Type 1. A product upgrade upgrades the system from a minor version to a major version.
For example: upgrading Firepower from version 5.4.x to 6.0.x. These updates contain major
enhancements in product functionality.
Type 2. A patch installation is a minor upgrade that includes bug fixes for the current version.
For example: upgrading the Firepower Module from version 5.4.1 to 5.4.x.
Note: Cisco recommends that you review the Release Notes before you install any update/patch.
In order to install product updates/patch for the Firepower Module, navigate to Configuration >
ASA Firepower Configuration > Updates.
Here, you get two options.
Auto Download: If Firepower Module has Internet access, updates can be downloaded directly from Cisco site by clicking Download Updates.
Manual Update: Download the Product Upgrade/Patch from Cisco site to the local system and upload it manually by clicking Upload Update. Select Choose File and browse to the file.
As shown in the image, a progress bar appears while uploading an upgrade file to the Firepower module.
Once the update is manually uploaded or downloaded from Cisco site, select the version and click the install icon, as shown in the image.
Tip: Navigate to Monitoring > Task Status to monitor the installation.
Install VDB Update
Vulnerability Database (VDB) update contains updates for Application Detection (Application Filter) and VDB update. VDB update is listed under Product Updates.
Firepower Module can download the VDB updates directly from Cisco website by clicking on Download Updates.
Select the version and click the install icon, as shown in the image.
Tip: Navigate to Monitoring > Task Status in order to monitor the VDB installation.
Install Rule Updates
Rule (Signature) updates are Cisco IOS Intrusion Prevention System (IPS) signature updates
that the Cisco TALOS team releases on a regular basis to provide coverage for the latest threats.
In order to install Rule Updates, navigate to Configuration > ASA Firepower Configuration >
Updates and then click Rule Updates.
There are two options to configure the rule updates.
● One-Time Rule Update/Rule Import
● Recurring Rule Update Import
One-Time Rule Update/Rule Import
One-Time Rule Update/Rule Import is a manual process of updating signatures. Here, you have
two options.
Auto download: If Firepower Module has Internet connectivity, select Download Rule update
from the support site.
Manual Update: If you have manually downloaded the rule update file from the Cisco website to your
local system, select Rule update or text rule file to upload and install and then click
Choose File to upload the signature file.
Once the upload/download of rules is complete, you can select Reapply all policies after rule
update import completes and then click Import to automatically apply the signature update to all
Access Control policies after the rule update/install has completed.
To apply policies manually, leave the checkbox unchecked.
Tip: In order to monitor rule import installation, navigate to Configuration > ASA Firepower
Configuration > Updates > Rule Updates > Rule Update log.
Recurring Rule Update Imports
The Recurring Rule Update option schedules the Firepower Module to check for rule updates
and to download and install new rules if a new rule database is available.
Note: Firepower Module must have connectivity to Cisco Support Site.
In order to configure Recurring Rule Updates, select Enable Recurring Rule Update Imports
from the Support Site. Configure the frequency to check for a new rule update and to download/
install the rule update if available.
If you want to apply new rule changes to the module, you can choose to apply access policies
automatically by selecting Deploy updated policies to targeted devices after rule update completes.
Then click Save.
Tip: In order to monitor rule import installation, navigate to Configuration > ASA Firepower
Configuration > Updates > Rule Updates > Rule Update log.
Install Geolocation Updates
Geolocation update.
There are two options to configure the Geolocation updates:
One-Time Geolocation Updates
One-Time Geolocation Updates is a manual process of updating the Geolocation database. There are
two ways to get these updates.
Manual Update: If you have manually downloaded the geolocation file from the Cisco website,
select Upload and install geolocation update and click Choose File to upload the geolocation
file.
Auto download: If Firepower Module has Internet connectivity, select Download and Install
geolocation update from the Support Site and click Import.
Recurring Geolocation Updates
The Recurring Geolocation Updates option is a user-defined schedule to check for the availability of
geolocation updates. It downloads and installs the new database if available.
Note: Firepower Module must have connectivity to Cisco Support Site.
In order to configure Recurring Geolocation Updates, select Enable Recurring Weekly Updates
from the Support Site, define the frequency to check for Geolocation Updates and download/
install the updates if they are available, and then click Save.
Tip: In order to monitor the upgrade installation, navigate to Monitoring > Task Status.
Verify the Update Installation
In order to verify the installation of the various updates, navigate to Configuration > ASA Firepower
Configuration > System Information.
Software version and OS: The OS section shows the upgraded version of the software
VDB Version: VDB shows the upgraded version of VDB
Geolocation Update version: Geolocation Update Version
Rule Update Version: Shows SRU version
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
● Technical Support & Documentation - Cisco Systems