Sourcefire vdb update
You can maintain a list of all rule updates and local rule files that you import, delete any record from the list, and access detailed records for all imported rules and rule update components. The fields in the Rule Update Log are described in the following table (Table: Rule Update Log Actions).

Note: Deleting the file from the log does not delete any object imported in the import file; it only deletes the import log records.

Step 2: Click Rule Update Log. The Rule Update Log page appears.

This page lists each imported rule update and local rule file. The fields in the list of rule updates and local rule files that you import are described in the following table (Table: Rule Update Log Fields):

- The name of the import file. If the import fails, a brief statement of the reason for the failure appears under the file name.
- The user name of the user who triggered the import.
Click the view icon next to the rule update or file name to view the Rule Update Log detailed page for the rule update or local rule file, or click the delete icon to delete the file record and all detailed object records imported with the file.
Tip: You can view import details as they appear while a rule update import is in progress.

The Rule Update Import Log detailed view lists a detailed record for each object imported in a rule update or local rule file. You can also create a custom workflow or report from the records listed that includes only the information that matches your specific needs. The following table describes specific actions you can perform on a Rule Update Import Log detailed view workflow page.
For information on selecting workflows, see Selecting Workflows. For information on creating custom workflows, see Creating Custom Workflows.
For more information, see Using Bookmarks.

Step 3: Click the view icon next to the file whose detailed records you want to view. You can view a detailed record for each object imported in a rule update or local rule file.
The fields in the Rule Update Log detailed view are described in the following table:

- The name of the imported object, which for rules corresponds to the rule Message field, and for rule update components is the component name.
- The type of imported object, which can be one of the following:
- An indication that one of the following has occurred for the object type:
- The default action defined by the rule update. When the imported object type is rule, the default action is Pass, Alert, or Drop. For all other imported object types, there is no default action.
- The generator ID for a rule. For example, 1 (standard text rule) or 3 (shared object rule). See Table for more information.
- For imported rules, this field displays All, which indicates that the imported rule was included in all default intrusion policies. For other types of imported objects, this field is blank.
- A string unique to the component or rule. This field is blank for a rule that has not changed.
- The count, 1 for each record. The Count field appears in a table view when the table is constrained, and the Rule Update Log detailed view is constrained by default to rule update records.

Note (Beta Users): This feature will be fully explained in the final version of the documentation.

You can search the import log for specific records or for all records matching the search criteria. You may want to create customized searches and save them to reuse later.
Tip: You search the entire Rule Update Import Log database even when you initiate a search by clicking Search on the toolbar from the Rule Update Import Log detailed view with only the records for a single import file displayed.
Make sure you set your time constraints to include all objects you want to include in the search. See Specifying Time Constraints in Searches for more information. The search criteria you can use are described in the following table. Note that record searches are case-insensitive. For example, searching for RULE or rule yields the same results.
- Specify the date and time the record was generated. See Specifying Time Constraints in Searches for the syntax for entering time.
- Specify all or part of the content of the rule Message field.
- Specify the type of record, which can be rule update component, rule, or policy apply. Note that you can use the update search value to search for rules imported prior to Version 5.
- Specify an action for the object you want to view. When the type is rule, new returns all rules imported for the first time on the appliance.
- Specify the default policy the rule is imported into. All returns rules imported into all default policies.

For more information on searching, including how to load and delete saved searches, see Searching for Events. The page reloads with the appropriate constraints.

Step 3: Optionally, if you want to save the search, enter a name for the search in the Name field. If you do not enter a name, the web interface automatically creates one when you save it. If you enter multiple criteria, the search returns the records that match all the criteria.

Step 5: If you want to save the search so that other users can access it, clear the Save As Private check box. Otherwise, leave the check box selected to save the search as private. If you want to use the search as a data restriction for a custom user role, you must save it as a private search.

Your search results appear in the default Rule Update Import Log detailed view workflow. To use a different workflow, including a custom workflow, click switch workflows. For information on specifying a different default workflow, see Configuring Event View Settings.
The Cisco Geolocation Database (GeoDB) is a database of geographical data (such as country, city, coordinates, and so on) and connection-related data (such as Internet service provider, domain name, connection type, and so on) associated with routable IP addresses. When your system detects GeoDB information that matches a detected IP address, you can view the geolocation information associated with that IP address.

You must install the GeoDB on your system to view any geolocation details other than country or continent. Cisco issues periodic updates to the GeoDB. When you upload GeoDB updates you obtained from Support or from your appliance, they appear on this page. The time needed to update the GeoDB depends on your appliance; the installation usually takes 30 to 40 minutes.

Although a GeoDB update does not interrupt any other system functions (including the ongoing collection of geolocation information), the update does consume system resources while it completes. Consider this when planning your updates. This section explains how to plan for and perform manual GeoDB updates. You can also take advantage of the automated update feature to schedule GeoDB updates; for more information, see Automating Geolocation Database Updates. For more information on geolocation, see Using Geolocation.

Step 2: Click the Geolocation Updates tab.

Step 3: Upload the update to the Defense Center.

Note: Download the update directly from the Support Site, either manually or by clicking Download and install geolocation update from the Support Site on the Geolocation Updates page.

The average duration of update installation is 30 to 40 minutes; this may vary depending on your appliance hardware. Although it may take a few minutes for a GeoDB update to take effect throughout your deployment, you do not have to reapply access control policies after you update.

Updated: April 25. Chapter: Updating System Software.
Updating System Software

The release notes provide important information, including supported platforms, compatibility, prerequisites, warnings, and specific installation and uninstallation instructions.

Understanding Update Types (License: Any)

Cisco electronically distributes several different types of updates, including major and minor updates to the system software itself, as well as intrusion rule updates and VDB updates.

Operating System Requirements: Make sure the computers where you installed software-based devices are running the correct versions of their operating systems.

Time and Disk Space Requirements: Make sure you have enough free disk space and allow enough time for the update.

Configuration and Event Backup Guidelines: Before you begin a major update, Cisco recommends that you delete any backups that reside on the appliance after copying them to an external location.

When to Perform the Update: Because the update process may affect traffic inspection, traffic flow, and link state, and because the Data Correlator is disabled while an update is in progress, Cisco recommends you perform the update in a maintenance window or at a time when the interruption will have the least impact on your deployment.

Caution: If you encounter issues with the update (for example, if the web interface indicates that the update has failed, or if a manual refresh of the task queue or Update Status page shows no progress), do not restart the update. Instead, contact Support.

Caution: When you apply an access control policy, resource demands may result in a small number of packets dropping without inspection.

This option is not supported for major updates. You can manually download the update from the Support Site and then upload it to the Defense Center. Choose this option if your Defense Center does not have access to the Internet or if you are performing a major update.

Caution: To ensure continuity of operations, do not update paired Defense Centers at the same time; see Updating Paired Defense Centers.

Caution: Regardless of the update type, do not use the web interface to perform tasks other than monitoring the update until the update has completed and, if necessary, the Defense Center reboots.

Caution: Installing a VDB update restarts the Snort process when you apply your access control policy, temporarily interrupting traffic inspection.

Caution: If you encounter issues with the update (for example, if the task queue indicates that the update has failed, or if a manual refresh of the task queue shows no progress), do not restart the update.

Caution: If you encounter any other issue with the update (for example, if a manual refresh of the page shows no progress for an extended period of time), do not restart the update.

Uninstalling Software Updates (License: Any)

When you apply a patch or feature update to a Cisco appliance, the update process creates an uninstaller that allows you to remove the update from that appliance, using its web interface.

Caution: If the uninstallation process on a clustered device or paired Defense Center fails, do not restart the uninstall or change configurations on its peer.

Caution: Do not use the web interface to perform tasks other than monitoring the update until the uninstall has completed and, if necessary, the appliance reboots.

Updating the Vulnerability Database (License: Any)

The Cisco Vulnerability Database (VDB) is a database of known vulnerabilities to which hosts may be susceptible, as well as fingerprints for operating systems, clients, and applications.

Caution: Do not use the web interface to perform tasks related to mapped vulnerabilities until the update has completed. If you encounter issues with the update (for example, if the task queue indicates that the update has failed or if a manual refresh of the task queue shows no progress), do not restart the update.

Importing Rule Updates and Local Rule Files (License: Any)

As new vulnerabilities become known, the Cisco Vulnerability Research Team (VRT) releases rule updates that you can first import onto your Defense Center, then implement by applying affected access control, network analysis, and intrusion policies to your managed devices.

Caution: When you apply an access control or intrusion policy, resource demands may result in a small number of packets dropping without inspection.

Additionally, applying some configurations requires the Snort process to restart. This includes applying an access control or intrusion policy after importing an intrusion rule update that includes a new or updated shared object rule. Restarting the Snort process temporarily interrupts traffic inspection.

Using One-Time Rule Updates (License: Any)

There are two methods that you can use for one-time rule updates:

- Using Manual One-Time Rule Updates explains how to manually download a rule update from the Support Site to your local machine and then manually install the rule update.
- Using Automatic One-Time Rule Updates explains how to use an automated feature on the web interface to search the Support Site for new rule updates and upload them.

Step 3: Navigate to the latest rule update. The Rule Updates page appears.

You must include the SID assigned by the system and a revision number greater than the current revision number when importing an updated version of a local rule that you have previously imported.
You can reinstate a local rule that you have deleted by importing the rule using the SID assigned by the system and a revision number greater than the current revision number. Note that the system automatically increments the revision number when you delete a local rule; this is a device that allows you to reinstate local rules.
You cannot import a rule file that includes a rule with a SID greater than ; the import will fail. If you import a rule that includes a list of source or destination ports that is longer than 64 characters, the import will fail. The system always sets local rules that you import to the disabled rule state; you must manually set the state of local rules before you can use them in your intrusion policy. See Setting Rule States for more information.
You must make sure that the rules in the file do not contain any escape characters.

Update type descriptions:

- Includes bug fixes.
- Resolves known issues.
- Includes the resolutions provided in the previous hotfixes.
- Can be installed on software version 5.
- Updates Snort rules and shared object rules.
- Updates the fingerprints, detectors, and vulnerability information for applications and operating systems.
Do not perform tasks related to mapped vulnerabilities until the update completes. Even if the Message Center shows no progress for several minutes or indicates that the update has failed, do not restart the update. Instead, contact Cisco TAC. Deploy configuration changes; see Deploy Configuration Changes. See Vulnerability Database Update Automation.

The Cisco Geolocation Database (GeoDB) is a database of geographical data (such as country, city, coordinates) and connection-related data (such as Internet service provider, domain name, connection type) associated with routable IP addresses. When your system detects GeoDB information that matches a detected IP address, you can view the geolocation information associated with that IP address.

The system comes with an initial GeoDB, so country and continent information should always be available. When you upload GeoDB updates you obtained from Support or from your appliance, they appear on this page. Download the update directly from the Support Site, either manually or by clicking Download and install geolocation update from the Support Site on the Geolocation Updates page. If you transfer an update file by email, it may become corrupted. The time needed to update the GeoDB depends on your appliance; the installation usually takes 30 to 40 minutes.

Although a GeoDB update does not interrupt any other system functions (including the ongoing collection of geolocation information), the update does consume system resources while it completes. Consider this when planning your updates. When you update the GeoDB, the Firepower Management Center automatically updates the related data on its managed devices. It may take a few minutes for a GeoDB update to take effect throughout your deployment. You do not need to re-deploy after you update.

You can import a new GeoDB update by automatically connecting to the Support Site only if the appliance has Internet access.

- Click Geolocation Updates.
- Choose Download and install geolocation update from the Support Site.
- Click Import.
- Optionally, monitor the task status; see Viewing Task Messages.

- Choose Upload and install geolocation update.
- Browse to the update you downloaded, and click Upload.

- Make sure the FMC can access the internet.
- Specify the Update Start Time.
- Click Save.

As new vulnerabilities become known, the Cisco Talos Intelligence Group (Talos) releases intrusion rule updates that you can import onto your Firepower Management Center, and then implement by deploying the changed configuration to your managed devices. These updates affect intrusion rules, preprocessor rules, and the policies that use the rules.
Intrusion rule updates are cumulative, and Cisco recommends you always import the latest update. You cannot import an intrusion rule update that either matches or predates the version of the currently installed rules.
An intrusion rule update may provide the following:

- New and modified rules and rule states: Rule updates provide new and updated intrusion and preprocessor rules. For new rules, the rule state may be different in each system-provided intrusion policy. For example, a new rule may be enabled in the Security over Connectivity intrusion policy and disabled in the Connectivity over Security intrusion policy. Rule updates may also change the default state of existing rules, or delete existing rules entirely.
- New rule categories: Rule updates may include new rule categories, which are always added.
- Modified preprocessor and advanced settings: Rule updates may change the advanced settings in the system-provided intrusion policies and the preprocessor settings in system-provided network analysis policies. They can also update default values for the advanced preprocessing and performance options in your access control policies.
- New and modified variables: Rule updates may modify default values for existing default variables, but do not override your changes. New variables are always added.

In a multidomain deployment, you can import local intrusion rules in any domain, but you can import intrusion rule updates from Talos in the Global domain only.

Intrusion rule updates can affect both system-provided and custom network analysis policies, as well as all access control policies:

However, you can prevent rule updates from automatically making those changes. This allows you to update system-provided base policies manually, on a schedule independent of rule update imports. Regardless of your choice (implemented on a per-custom-policy basis), updates to system-provided policies do not override any settings you customized. Note that importing a rule update discards all cached changes to network analysis and intrusion policies. For your convenience, the Rule Updates page lists policies with cached changes and the users who made those changes.
For changes made by an intrusion rule update to take effect, you must redeploy configurations. When importing a rule update, you can configure the system to automatically redeploy to affected devices. This approach is especially useful if you allow the intrusion rule update to modify system-provided base intrusion policies.
You can import rule updates on a daily, weekly, or monthly basis, using the Rule Updates page. If your deployment includes a high availability pair of Firepower Management Centers, import the update on the primary only. The secondary Firepower Management Center receives the rule update as part of the regular synchronization process.
Applicable subtasks in the intrusion rule update import occur in the following order: download, install, base policy update, and configuration deploy. When one subtask completes, the next subtask begins. At the scheduled time, the system installs the rule update and deploys the changed configuration as you specified in the previous step.
You can log off or use the web interface to perform other tasks before or during the import. When accessed during an import, the Rule Update Log displays a Red Status, and you can view messages as they occur in the Rule Update Log detailed view. Depending on the rule update size and content, several minutes may pass before status messages appear. As a part of initial configuration, the FMC configures a daily automatic intrusion rule update from the Cisco support site.
The FMC deploys automatic intrusion rule updates to affected managed devices when it next deploys affected policies. You can observe the status of this update using the web interface Message Center. If configuring the update fails and your FMC has internet access, we recommend you configure regular intrusion rule updates as described in Schedule Intrusion Rule Updates.
In a multidomain deployment, you can import local intrusion rules in any domain. You can view local intrusion rules imported in the current domain and ancestor domains. Import a new intrusion rule update manually if your Firepower Management Center does not have Internet access.
If you want to move all user-defined rules that you have created or imported to the deleted folder, you must click Delete All Local Rules in the toolbar, then click OK.
Choose Rule Update or text rule file to upload and install and click Browse to navigate to and choose the rule update file. If you want to automatically re-deploy policies to your managed devices after the update completes, choose Reapply all policies after the rule update import completes. The system installs the rule update and displays the Rule Update Log detailed view. Contact Support if you receive an error message while installing the rule update.

To import a new intrusion rule update automatically, your appliance must have Internet access to connect to the Support Site.

- Click Rule Updates.
- If you want to move all user-defined rules that you have created or imported to the deleted folder, click Delete All Local Rules in the toolbar, then click OK.
- If you want to automatically re-deploy the changed configuration to managed devices after the update completes, check the Reapply all policies after the rule update import completes check box.

Import status messages appear beneath the Recurring Rule Update Imports section heading.

In the Import Frequency field, specify:

If you want to automatically re-deploy the changed configuration to your managed devices after the update completes, check the Deploy updated policies to targeted devices after rule update completes check box. Contact Support if you receive an error message while installing the intrusion rule update.

Observe the following guidelines when importing a local rule file:

- The system imports local rules preceded with a single pound character (#), but they are flagged as deleted.
- The system imports local rules preceded with a single pound character (#), and does not import local rules preceded with two pound characters (##).
In a multidomain deployment, the system assigns a GID of 1 to a rule imported into or created in the Global domain, and a domain-specific GID between and for all other domains.
If you do, specify only GID 1 for a standard text rule. This avoids collisions with SIDs of other rules, including deleted rules. The system will automatically assign the rule the next available custom rule SID of or greater, and a revision number of 1.
In a multidomain deployment, if multiple administrators are importing local rules at the same time, SIDs within an individual domain might appear to be non-sequential because the system assigned the intervening numbers in the sequence to another domain. When importing an updated version of a local rule you have previously imported, or when reinstating a local rule you have deleted, you must include the SID assigned by the system and a revision number greater than the current revision number.
You can determine the revision number for a current or deleted rule by editing the rule. Import local rules on the primary Firepower Management Center in a high availability pair to avoid SID numbering issues. The import fails if a rule contains any of the following:

Policy validation fails if you enable an imported local rule that uses the deprecated threshold keyword in combination with the intrusion event thresholding feature in an intrusion policy.
All imported local rules are automatically saved in the local rule category. The system always sets local rules that you import to the disabled rule state. You must manually set the state of local rules before you can use them in your intrusion policy.
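The single-pound, SID and revision, GID, port-list and escape-character guidelines above (and the older form of the same guidelines earlier on this page) can be checked before a local rule file is uploaded. The following checker is an added example, not Cisco's code or part of this documentation; it assumes the standard Snort rule header layout, reads "escape characters" as a backslash in the rule text, and uses a constructed SID-to-revision map and a constructed sample rule file.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Standard Snort header layout: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)
Finding = Tuple[int, str, str]  # (line number, status, message)

def rule_option(opts: str, name: str) -> Optional[int]:
    """Return the numeric value of an option such as sid:1000001, or None."""
    m = re.search(r"(?:^|;)\s*%s\s*:\s*(\d+)\s*(?:;|$)" % name, opts)
    return int(m.group(1)) if m else None

def check_rule_file(text: str, existing: Dict[int, int]) -> List[Finding]:
    """Check a local rule file line by line; `existing` maps SIDs the system
    already assigned to their current revision (bumped when a rule is deleted)."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("##"):  # two pound characters: never imported
            findings.append((n, "skip", "two pound characters: not imported"))
            continue
        single_pound = line.startswith("#")  # imported, but flagged deleted
        body = line[1:].strip() if single_pound else line
        m = RULE_RE.match(body)
        if not m:  # checker's choice: a non-rule '#' line is a plain comment
            findings.append((n, "skip" if single_pound else "error", "no rule found"))
            continue
        problems, warnings = [], []
        if "\\" in body:  # assumption: "escape characters" means a backslash
            problems.append("contains an escape character")
        for field in ("sport", "dport"):
            if len(m.group(field)) > 64:
                problems.append(f"{field} port list is longer than 64 characters")
        opts = m.group("opts")
        gid, sid, rev = (rule_option(opts, k) for k in ("gid", "sid", "rev"))
        if gid is not None and gid != 1:
            problems.append(f"gid:{gid}: a standard text rule must use GID 1")
        if sid is None:
            pass  # the system assigns the next available custom SID and rev 1
        elif sid in existing:  # update or reinstatement: rev must move forward
            if rev is None or rev <= existing[sid]:
                problems.append(f"sid:{sid} is at rev {existing[sid]}; rev must be greater")
        else:  # an SID the system never assigned risks a collision with another rule
            warnings.append(f"sid:{sid} was not assigned by the system")
        if problems:
            findings.append((n, "error", "; ".join(problems)))
        elif warnings:
            findings.append((n, "warn", "; ".join(warnings)))
        else:
            findings.append((n, "deleted" if single_pound else "ok", "imported"))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status, e.g. {'ok': 3, 'error': 4, ...}."""
    return dict(Counter(status for _, status, _ in findings))

# Constructed sample data: SIDs already on the appliance and a rule file to check.
EXISTING_SIDS = {1000001: 2, 1000002: 3, 1000003: 1}  # 1000002 was deleted (rev bumped)
LONG_PORTS = "[" + ",".join(str(p) for p in range(8000, 8020)) + "]"  # 101 characters
SAMPLE_RULES = f"""\
## comment lines and rules with two pound characters are not imported
# alert tcp any any -> $HOME_NET 23 (msg:"single pound, imported as deleted"; sid:1000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"new rule, no sid given"; content:"sample"; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"update of an existing rule"; sid:1000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"reinstate a deleted rule"; sid:1000002; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"stale revision"; sid:1000001; rev:2;)
alert tcp any any -> $HOME_NET {LONG_PORTS} (msg:"port list too long"; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"wrong gid"; gid:3; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"explicit unassigned sid"; sid:1000099; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"escaped semicolon"; content:"a\\;b"; rev:1;)
"""
```

Calling check_rule_file(SAMPLE_RULES, EXISTING_SIDS) reports one skipped line, one rule imported as deleted, three importable rules, one SID-collision warning and four lines that would fail the import.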
Make sure your local rule file follows the guidelines described in Best Practices for Importing Local Intrusion Rules. Make sure your process for importing local intrusion rules complies with your security policies. Consider the import's effect on traffic flow and inspection due to bandwidth constraints and Snort restarts. We recommend scheduling rule updates during maintenance windows.
Use this procedure to import local intrusion rules. Imported intrusion rules appear in the local rule category in a disabled state.
Click Delete All Local Rules, then confirm that you want to move all created and imported intrusion rules to the deleted folder. To display the Message Center, click System Status on the menu bar. Even if the Message Center shows no progress for several minutes or indicates that the import has failed, do not restart the import. The Firepower Management Center generates a record for each rule update and local rule file that you import.
Each record includes a time stamp, the name of the user who imported the file, and a status icon indicating whether the import succeeded or failed.