Before You Begin: Important Update and Compatibility Notes. Cisco Firepower Management Center 2000
Firepower System Release Notes

Before You Begin: Important Update and Compatibility Notes

Policy Hierarchy and Inheritance

To support multiple domain management and make policy administration more efficient, Version 6.0 provides the ability to create a hierarchy of policies. Global policies (e.g., access control) can be established that will apply to all management environments. A policy hierarchy can then be constructed underneath the global policy level to represent different environments, different companies, different business units, or different parts of the organization. Each of these policy environments will inherit the policies of the hierarchy above it, allowing for more consistent and efficient policy management.

Expanded ASDM Management Availability

Cisco’s Adaptive Security Device Manager (ASDM) is the local management feature for Cisco ASA with FirePOWER Services. It was introduced as part of the Cisco ASA 5506-X, ASA 5508-X, and ASA 5516-X appliances. With Firepower v6.0, ASDM is now available on the remaining Cisco ASA with FirePOWER Services appliances (ASA 5512-X / ASA 5515-X / ASA 5525-X / ASA 5545-X / ASA 5555-X / ASA 5585-X).

You cannot compare policies on the following pages: the NAT Policy page, the Platform Settings page, and the SSL Policy page.

Version 6.0 does not support AMP for Firepower signature lookups with the private AMP cloud. In Version 6.0, the system automatically submits SHA-256 signatures to the public AMP cloud. If you have a private AMP cloud and are receiving events from endpoints, the Version 6.0 Firepower Management Center will continue to receive those events without any additional changes to your configuration.

Syslog messages for connection events now populate information for the following fields: HTTP Referrer, User Agent, and Referenced Host.

Version 6.0 does not support Discovery Event Health Monitoring.

You can now edit Automatic Application Bypass (AAB) settings on Cisco ASA with FirePOWER Services.

Before You Begin: Important Update and Compatibility Notes

Before you begin the update process for Version 6.0.1, you should familiarize yourself with the behavior of the system during the update process, as well as with any compatibility issues or required pre- or post-update configuration changes.

Note: To reduce the time needed to update to Version 6.0.1, install the Version 6.0.1 Pre-Installation Package before you update. For more information, see the FireSIGHT System Release Notes for Version 6.0.1 Pre-Installation Package.

Caution: Cisco strongly recommends you perform the update in a maintenance window or at a time when the interruption will have the least impact on your deployment.

For more information, see the following sections:

Configuration and Event Backup Guidelines, page 12

Firepower Management Center High Availability in Version 6.0.x, page 12

Traffic Flow and Inspection During the Update, page 12

Audit Logging During the Update, page 13

Time and Disk Space Requirements for Updating to Version 6.0.1, page 13

Web Browser and Screen Resolution Compatibility in Version 6.0.1, page 15

Integrated Product Compatibility in Version 6.0.1, page 16


Configuration and Event Backup Guidelines

Before you begin the update, Cisco strongly recommends that you delete or move any backup files that reside on your appliance, then back up current event and configuration data to an external location.

Use the Firepower Management Center to back up event and configuration data for itself and the devices it manages. For more information on the backup and restore feature, see the Firepower Management Center Configuration Guide.

Version 6.0.1 does not support AMP for Firepower signature lookups with the private AMP cloud. In Version 6.0, the system automatically submits SHA-256 signatures to the public AMP cloud. If you have a private AMP cloud and are receiving events from endpoints, the Version 6.0 Firepower Management Center will continue to receive those events without any additional changes to your configuration.

Note: The Firepower Management Center purges locally stored backups from previous updates. To retain archived backups, store the backups externally.

Firepower Management Center High Availability in Version 6.0.x

Although the configuration options for Firepower Management Center high availability appear in the Integration page of the user interface, high availability is not supported for Firepower Management Centers in this release.

Do not attempt to place Firepower Management Centers into high availability.

Traffic Flow and Inspection During the Update

The update process reboots managed devices and might restart the Snort process. Depending on how your devices are configured and deployed, the following capabilities could be affected:

• traffic inspection, including application awareness and control, user control, URL filtering, Security Intelligence, intrusion detection and prevention, and connection logging

• traffic flow, including switching, routing, NAT, VPN, and related functionality

• link state

Note that when you update 8000 Series clusters or stack pairs, the system performs the update one device at a time to avoid traffic interruption. When you update clustered Cisco ASA with FirePOWER Services devices, apply the update one device at a time, allowing the update to complete before updating the second device.

The following table explains how Snort restarts affect traffic inspection. It is reasonable to anticipate that the product update could affect traffic similarly.

Table 4 Restart Traffic Effects by Managed Device Model

| On this managed device model... | Configured as... | Traffic during restart is... |
|---|---|---|
| 7000 Series, 8000 Series, NGIPSv, Firepower Threat Defense, and Firepower Threat Defense Virtual | Inline with Failsafe enabled or disabled, or inline tap mode | Passed without inspection (a few packets might drop if Failsafe is disabled and Snort is busy but not down) |
| 7000 Series, 8000 Series, NGIPSv, Firepower Threat Defense, and Firepower Threat Defense Virtual | Passive | Uninterrupted and not inspected |
| 7000 Series and 8000 Series | Routed, switched, or transparent | Dropped |
| Firepower Threat Defense | Routed or transparent | Dropped |
| Cisco ASA with FirePOWER Services | Routed or transparent with fail-open (Permit Traffic) | Passed without inspection |
| Cisco ASA with FirePOWER Services | Routed or transparent with fail-close (Close Traffic) | Dropped |


Link State

In 7000 Series and 8000 Series inline deployments with Bypass enabled, network traffic is interrupted at two points during the update:

• At the beginning of the update process, traffic is briefly interrupted while link goes down and up (flaps) and the network card switches into hardware bypass. Traffic is not inspected during hardware bypass.

• After the update finishes, traffic is again briefly interrupted while link flaps and the network card switches out of bypass. After the endpoints reconnect and reestablish link with the sensor interfaces, traffic is inspected again.

Note: The configurable Bypass option is not supported on NGIPSv devices, Cisco ASA with FirePOWER Services, non-bypass NetMods on Firepower 8000 Series devices, SFP transceivers on 71xx Family devices, or ASA Firepower modules running Firepower Threat Defense.

Switching and Routing

Firepower 7000 Series and 8000 Series managed devices do not perform switching, routing, NAT, VPN, or related functions during the update. If you configured your devices to perform only switching and routing, network traffic is blocked throughout the update.

Devices running Firepower Threat Defense do not support VPN functionality in Version 6.0.1 but do support switching and routing functions.

Audit Logging During the Update

When updating appliances that have a web interface, after the system completes its pre-update tasks and the streamlined update interface page appears, login attempts to the appliance are not reflected in the audit log until the update process is complete and the appliance reboots.

Time and Disk Space Requirements for Updating to Version 6.0.1

The table below provides disk space and time guidelines for the Version 6.0.1 update. Note that when you use the Firepower Management Center to update a managed device, the Firepower Management Center requires additional disk space on its /Volume partition.

Caution: Do not restart the update or reboot your appliance at any time during the update process. Cisco provides time estimates as a guide, but actual update times vary depending on the appliance model, deployment, and configuration. Note that the system may appear inactive during the pre-checks portion of the update and after rebooting; this is expected behavior.

The reboot portion of the update includes a database check. If errors are found during the database check, the update requires additional time to complete. System daemons that interact with the database do not run during the database check and repair.

Note: The closer your appliance’s current version is to the release version (Version 6.0.1), the less time the update takes.

If you encounter issues with the progress of your update, contact Support.


Table 5 Time and Disk Space Requirements

| Appliance | Space on / | Space on /Volume | Space on /Volume on Manager | Time |
|---|---|---|---|---|
| Firepower Management Centers (the MC750, MC1500, MC3500, MC2000, and the MC4000) | 18 MB | 8959 MB | n/a | 66 minutes |
| 64-bit Firepower Management Centers Virtual | MB | MB | n/a | hardware dependent |
| 7000 Series and 8000 Series devices (the 7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8260, 8270, 8290, 8350, 8360, 8370, 8390, AMP7150, AMP8050, AMP8150, AMP8350, AMP8360, AMP8370, AMP8380, and the AMP8390) | 227 MB | 3683 MB | 614 MB | 30 minutes |
| Cisco ASA with Firepower Services (the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5516-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X-SSP-10, ASA 5585-X-SSP-20, ASA 5585-X-SSP-40, and the ASA 5585-X-SSP-60) | 54 MB | 2966 MB | 429 MB | 91 minutes |
| ASA FirePOWER device managed via ASDM (the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5516-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X-SSP-10, ASA 5585-X-SSP-20, ASA 5585-X-SSP-40, and the ASA 5585-X-SSP-60) | 54 MB | 2966 MB | 429 MB | 91 minutes |
| NGIPSv (virtual managed devices) | 196 MB | 2090 MB | 350 MB | hardware dependent |
| Cisco ASA with Firepower Threat Defense (the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and the ASA 5555-X) | 1 MB | 3685 MB | 631 MB | 33 minutes |
| Firepower 9300 Series with Threat Defense | 1 MB | 3685 MB | 631 MB | 66 minutes |


Firepower Version Requirements for Updating to Version 6.0.1

Appliances must be running the minimum versions specified in the following table in order to update to Version 6.0.1 of the Firepower System. For minimum operating system requirements and information about management platform-managed device compatibility, see Supported Platforms and Compatibility, page 1.

Note: A Firepower Management Center must be running at least Version 6.0.1 if you want to use it to update its managed devices to Version 6.0.1.

Table 6 Platform Support in Version 6.0.1

| Platform | Minimum version required to update to Version 6.0.1 |
|---|---|
| Firepower Management Centers (the MC750, MC1500, MC3500, MC2000, and the MC4000) | Version 6.0 |
| 64-bit Firepower Management Centers Virtual | Version 6.0 |
| Firepower 7000 Series and 8000 Series (the 7010, 7020, 7030, 7050, 7110, 7115, 7120, 7125, 8120, 8130, 8140, 8250, 8260, 8270, 8290, 8350, 8360, 8370, 8390, AMP7150, AMP8050, AMP8150, AMP8350, AMP8360, AMP8370, AMP8380, and the AMP8390) | Version 6.0 |
| Cisco ASA with FirePOWER Services (the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5516-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X-SSP-10, ASA 5585-X-SSP-20, ASA 5585-X-SSP-40, and the ASA 5585-X-SSP-60) | Version 6.0 |
| ASA Firepower module managed via ASDM (the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5516-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X-SSP-10, ASA 5585-X-SSP-20, ASA 5585-X-SSP-40, and the ASA 5585-X-SSP-60) | Version 6.0 |
| NGIPSv (virtual managed devices) | Version 6.0 |
| Cisco ASA with Firepower Threat Defense (the ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, ASA 5512-X, ASA 5515-X, ASA 5516-X, ASA 5525-X, ASA 5545-X, and the ASA 5555-X) | Version 6.0 |
| Firepower 4100 Series with Threat Defense (the 4110, 4120, and the 4140) | Version 6.0.1 |
| Firepower 9300 Series with Threat Defense | Version 6.0.1 |
| Firepower Threat Defense Virtual: VMware | Version 6.0 |

Web Browser and Screen Resolution Compatibility in Version 6.0.1

Note the following to optimize your experience using the web interface.

Web Browser Compatibility

Version 6.0.1 of the web interface for the Firepower System has been tested on the browsers listed in the following table.
