VDB update to Firepower module on ASA

niravgunjan
Level 1

Do we need to update the VDB separately on the Firepower module, or is updating on the FMC enough? FMC version 5.4

14 Replies

yogdhanu
Cisco Employee

Hi There,

Yes VDB needs to be updated separately apart from FMC/module upgrade.

FMC or module upgrade, upgrades the software/OS of the device. VDB is a database on which application detection/prevention works.

Hope that helps.

Thanks

Yogesh

Rate if helps.

How can I check what the VDB version is on sensors which are managed by FMC?

If your access Control Policies are up to date on all of your sensors, they will have the VDB that is installed on your FMC.

The best practice is to have scheduled jobs to download and install the latest updates and re-deploy policy on a regular basis. I use weekly periodicity. 

Your audit log should also show you the events when the above happens (whether scheduled or manual). You can filter as shown in this example:

https://<Your FMC address or FQDN>/events/?table=audit_log&constraints=message%3DDeployment-%2C-VDB&workflow=Audit%20Log&page=0

Make sure you adjust the time window to be a couple of weeks - the default is last hour.

It shows VDB updated on FMC. Does it mean redeploying policies also installs VDB updates to the sensor?

You are correct. You can check current VDB version by navigating to Help>About and match it with the current VDB update 279.

Deploying policy will push the new update to sensors as well.

Thanks

Yogesh

Rate if helps.

Is there a way to directly confirm which VDB is loaded on a sensor?

Thanks,

Diego

The method Yogesh and I both mentioned is the supported approach.

If you log into a sensor and change to expert mode you can also see the information in the ngfw.rules file.

Take care not to change anything in this mode - it can brick your sensor without too much effort.

> expert
admin@firepower:~$ cat /var/sf/detection_engines/*/ngfw.rules
#### ngfw.rules
##############################################################################
#
# AC Name : Lab Access Control
# Policy Exported : Fri Mar 10 04:08:34 2017 (UTC)
# File Written : Fri Mar 10 04:09:32 2017 (UTC)
#
# DC Version : 6.2.0
# SRU : 2017-03-09-002-vrt
# VDB : 279
#
##############################################################################
#
policy 00505687-0476-0ed3-0000-034359744830
revision 00000000-0000-0000-0000-000058c226c2
interface 123 78c50696-90ac-11e6-bb9e-9db906e7ee0d
zone 0 78f9cf34-90ac-11e6-bb9e-9db906e7ee0d
http_block /var/sf/detection_engines/da31b3fa-7a01-11e6-a59a-8e590377015b/httpBlock.html
http_bypass /var/sf/detection_engines/da31b3fa-7a01-11e6-a59a-8e590377015b/httpBypass.html

iab_mode Off
# Start of AC rule.
268435461 audit any any any any any any any any (log dcforward flowend) (urlcat 76)
268435464 allow any any any any any any any any (log dcforward flowend) (ipspolicy 52)
# End of AC rule.
admin@firepower:~$
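As an added example (not from this thread and not Cisco's own tooling), here is a small POSIX shell script that parses the header of the ngfw.rules file shown above and flags any detection engine whose VDB differs from the one the FMC is expected to have pushed. The sample directories and files are constructed to mirror that header format; on a real sensor the directory would be /var/sf/detection_engines and the script would run read-only from expert mode.

```shell
#!/bin/sh
# Constructed sample data (not a real sensor): two detection-engine directories,
# each with an ngfw.rules header in the format seen in the thread.
SAMPLE_DIR="${TMPDIR:-/tmp}/ngfw_rules_demo.$$"
mkdir -p "$SAMPLE_DIR/engine-a" "$SAMPLE_DIR/engine-b"
cat > "$SAMPLE_DIR/engine-a/ngfw.rules" <<'EOF'
#### ngfw.rules
#
# DC Version : 6.2.0
# SRU : 2017-03-09-002-vrt
# VDB : 279
#
policy 00000000-0000-0000-0000-000000000000
EOF
cat > "$SAMPLE_DIR/engine-b/ngfw.rules" <<'EOF'
#### ngfw.rules
#
# DC Version : 6.2.0
# SRU : 2017-02-01-001-vrt
# VDB : 275
#
EOF

# header_field FILE FIELD: print the value of the first "# FIELD : value" line.
header_field() {
    awk -v f="$2" -F' : ' '$0 ~ "^# "f" :" { print $2; exit }' "$1"
}

# report_vdb DIR EXPECTED_VDB: one line per detection engine with its
# DC Version, SRU and VDB; engines whose VDB differs from EXPECTED_VDB are
# marked MISMATCH. Returns 1 if any engine is behind, 0 otherwise.
report_vdb() {
    dir="$1"; expected="$2"; rc=0
    for f in "$dir"/*/ngfw.rules; do
        eng=$(basename "$(dirname "$f")")
        vdb=$(header_field "$f" VDB)
        sru=$(header_field "$f" SRU)
        dc=$(header_field "$f" "DC Version")
        if [ "$vdb" = "$expected" ]; then status=OK; else status=MISMATCH; rc=1; fi
        printf '%s dc=%s sru=%s vdb=%s %s\n' "$eng" "$dc" "$sru" "$vdb" "$status"
    done
    return $rc
}

# Expected VDB 279 is the value from the thread; engine-b is deliberately behind.
report_vdb "$SAMPLE_DIR" 279 || echo "at least one engine is not at VDB 279"
```

The sample files are left under the temporary directory so they can be inspected afterwards.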
This certainly works (and so does "show version" from the > prompt), but what I had in mind was something I can do from the FMC, since that is where you spend 95% of your time, and also, this being an enterprise management console, we don't want to have to go SSHing around to a few dozen boxes!

Thanks

Diego

If you just look at the top level device management page it indicates whether all of your devices' policies are up to date. If they are, then they all have the same VDB version that's installed on the FMC. 

Yes, I agree but it would just make me feel better if they would explicitly show versions so that you don't have to infer or extrapolate that since the access policy is up to date then so are all other components. 

It's just the paranoid/ocd part of me showing a little bit.  ;)

Thanks,

Diego

I am not able to log in to the Firepower module in ASA-5555-X via CLI. These modules are managed by FMC. How can I reset the ID password?

niravgunjan,

Please see the following doc:

http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118631-technote-firesight-00.html#anc5

The command, from the ASA enable mode, is:

session sfr do password-reset

Thank you all for the response

Hi all, any workaround for this to see device VDB & SRU versions from the FMC CLI?
