Upgrade Cisco Sourcefire to 6.0

Just a few days after we upgraded our Sourcefire infrastructure to 5.4, Cisco released version 6.0. Before we upgrade, let's briefly check what this major release brings:

  • SSL Traffic inspection
  • DNS-based Security Intelligence
  • DNS Inspection and Sinkholes
  • Support for OpenAppID Defined Applications
  • Captive Portal Active User Authentication
  • Integration with Cisco ISE via PxGrid
  • Local Malware Checks
  • Multiple Domain Management

If we need one or more of these features, or simply want to upgrade for any other reason, this post briefly shows how to do it.

The process is the same as the one we saw when upgrading from 5.3 to 5.4, and the same principles apply to going from 5.4 to 6.0. The only difference is the set of system requirements for 6.0.

The requirements are as follows:

  • ESXi must be running version 5.1 or 5.5
  • Defense Center must be running at least version 5.4.1
  • ASA FirePOWER SFR modules must be running version 5.4.0.2 or later
  • ASA software must be at least at version 9.4(2) or 9.5(1.5)
  • Free disk space requirements are as follows:
    • For DC:
      • 16MB on / partition
      • 8GB on /Volume partition
      • Additional 1.5GB on /Volume partition if we upgrade SFR modules through DC
    • For SFR module:
      • 32MB on / partition
      • 7.7GB on /Volume partition

The “Firepower System Release Notes” do not list any memory requirement for the DC virtual machine. So when I tried to upgrade a DC from 5.4.1.3 that had 4GB of RAM (the amount given to the initial 5.3.1 installation), I got this error message:

(screenshot: the error message shown when starting the 6.0 upgrade on a 4GB DC)

In fact, DC 6.0 requires 8GB of RAM. This is documented in the “Cisco Firepower Management Center Virtual Quick Start Guide for VMware“, in this table:

(screenshot: virtual appliance requirements table from the FMC Virtual Quick Start Guide, listing 8GB of RAM)

What we have is:

(screenshot: the DC virtual machine's current memory allocation of 4GB)

Since the upgrade did not actually fail, there is no need to contact Cisco support: we shut down the DC, add more memory and start the upgrade again. The DC is shut down from System->Local->Configuration->Process->Shutdown Defense Center->Run Command:

(screenshot: System > Local > Configuration > Process > Shutdown Defense Center)

After adding the memory, we power the virtual DC back on and, once it has booted, start the upgrade again.

Once the requirements are met, the procedure is the same as for upgrading from 5.3 to 5.4.

If we followed that procedure, we have already met almost all of the requirements: the DC is running 5.4.1.3, the modules are at 5.4.0.4 and ESXi is 5.1 or 5.5. Note, however, that the updated 6.0.0 release notes quoted in the comments below require managed devices to be on 5.4.0.6 or later before the upgrade, so check the current release notes for the module version rather than relying on 5.4.0.4. We still have to check the disk requirements, as they differ slightly, and take care of the ASA version, which must be at least 9.4(2) or 9.5(1.5). If it is not, here is how to upgrade the ASA software. Here is a more current version of the ASA upgrade paths:

(screenshot: ASA software upgrade path table)

The ASA upgrade procedure remains the same as described here.
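Because the memory pre-check above is easy to miss (the release notes never mention it), it is worth scripting the pre-flight checks before touching the GUI. The following is an added example, not code from the original post or from Cisco: it assumes you can pull `df -k` and `/proc/meminfo` from the DC or SFR module shell (for example over SSH) and the version string from the ASA's `show version`, and it checks them against the minimums quoted in this post. The disk figures are treated as available space on the mount, and ASA releases newer than 9.5(1.5) are assumed to be acceptable; the sample `df`/meminfo inputs at the bottom are constructed, not captured from a real appliance.

```python
"""Pre-flight checks for a Sourcefire/Firepower 6.0 upgrade.

Added example; not part of the original post and not Cisco tooling.
Inputs are assumed to come from `df -k` and /proc/meminfo on the
appliance and from the ASA's `show version`.
"""
import re

KIB_PER_MIB = 1024
KIB_PER_GIB = 1024 * 1024

# Free-space minimums quoted in the post, converted to kB. Assumed to mean
# available space on the mount as reported by `df -k`.
DISK_MINIMUMS_KB = {
    "dc": {"/": 16 * KIB_PER_MIB, "/Volume": 8 * KIB_PER_GIB},
    # A DC that also pushes the SFR upgrade package needs 1.5GB more on /Volume
    "dc-pushing-sfr": {"/": 16 * KIB_PER_MIB, "/Volume": int(9.5 * KIB_PER_GIB)},
    "sfr": {"/": 32 * KIB_PER_MIB, "/Volume": int(7.7 * KIB_PER_GIB)},
}
DC_MIN_RAM_GIB = 8  # from the FMC Virtual Quick Start Guide, per the post
ASA_MINIMUMS = ((9, 4, 2, 0), (9, 5, 1, 5))  # 9.4(2) or 9.5(1.5)


def parse_df(df_text):
    """Map mount point -> available kB from `df -k` output (header skipped)."""
    avail = {}
    for line in df_text.strip().splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 6 and cols[3].isdigit():
            avail[cols[5]] = int(cols[3])
    return avail


def parse_meminfo(meminfo_text):
    """MemTotal in kB from /proc/meminfo text (0 if the line is absent)."""
    m = re.search(r"^MemTotal:\s+(\d+)\s+kB", meminfo_text, re.M)
    return int(m.group(1)) if m else 0


def ram_gib(meminfo_text):
    """Nominal RAM in GiB. The guest kernel reports a bit less than what the
    hypervisor assigned, so round to the nearest GiB instead of comparing kB."""
    return round(parse_meminfo(meminfo_text) / KIB_PER_GIB)


def parse_asa_version(text):
    """'9.4(2)' -> (9, 4, 2, 0); '9.5(1.5)' -> (9, 5, 1, 5)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)", text.strip())
    if not m:
        raise ValueError("unrecognised ASA version string: %r" % text)
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def asa_version_ok(text):
    """True for 9.4(2) or later on the 9.4 train, or 9.5(1.5) or later.
    Assumption: any release newer than 9.5(1.5) is also accepted."""
    v = parse_asa_version(text)
    on_94_train = v[:2] == (9, 4) and v >= ASA_MINIMUMS[0]
    return on_94_train or v >= ASA_MINIMUMS[1]


def check_host(role, df_text, meminfo_text=None):
    """Return {check_name: passed} for one DC ('dc', 'dc-pushing-sfr') or SFR module."""
    avail = parse_df(df_text)
    results = {}
    for mount, need_kb in DISK_MINIMUMS_KB[role].items():
        results["free " + mount] = avail.get(mount, 0) >= need_kb
    if role.startswith("dc"):
        results["ram"] = ram_gib(meminfo_text or "") >= DC_MIN_RAM_GIB
    return results


def failures(results):
    """Names of the checks that did not pass, in a stable order."""
    return sorted(name for name, ok in results.items() if not ok)


# Constructed sample inputs (not captured from a real appliance).
DF_DC_SAMPLE = """\
Filesystem     1K-blocks     Used Available Use% Mounted on
/dev/sda1         999320   640120    308000  68% /
/dev/sda3      229000000 79000000 142000000  36% /Volume
"""
MEMINFO_4G = "MemTotal:        4039576 kB\nMemFree:          812340 kB\n"
MEMINFO_8G = "MemTotal:        8061532 kB\nMemFree:         3100212 kB\n"

if __name__ == "__main__":
    before = check_host("dc", DF_DC_SAMPLE, MEMINFO_4G)
    print("4GB DC, failed checks:", failures(before))   # ['ram']
    after = check_host("dc", DF_DC_SAMPLE, MEMINFO_8G)
    print("8GB DC, failed checks:", failures(after))    # []
    for ver in ("9.2(4)", "9.4(2)", "9.5(1)", "9.5(1.5)"):
        print(ver, "ok" if asa_version_ok(ver) else "too old")
```

Run it against the real `df -k` and `/proc/meminfo` text from each DC and module before scheduling the window; the `ram` check reproduces the 4GB failure described above, and `asa_version_ok` rejects 9.5(1), which is easy to mistake for a valid 9.5 release.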


See you soon in 6.0 🙂


19 Responses to Upgrade Cisco Sourcefire to 6.0

  1. Boyan Kurtev says:

    Hi mate,

    I did my FireSIGHT Manager upgrade to version 6 last Friday and (almost) everything went smoothly (somehow I’ve managed to break the sensor on the ASA so I was not able to apply any policies to it. A quick sensor rebuild fixed the issue). The GUI menu structure has been changed a bit, with some new options, but I think this is a positive change. Do you have experience with configuring SSL inspection for ASA firewalls? It would be great if you could write a blog post about it! 😉

    I am looking forward for your next articles !

    Cheers,
    Boyan

  2. Ol says:

    Hello Sasa,
    We just got started with FireSIGHT and also upgraded to 6.0. One issue was that the realm was not properly updated from 5.4. The OU path was still in the old format, so fetching users didn’t work.
    Now I’m fighting with the 2000+ page manual.
    Could you post some screenshots of your current access policy (of course with sensitive info removed)? I really would like to see how a ‘running’ setup looks.
    Thanks in advance!

  3. Zach says:

    I really am excited about the new options for DNS-based Security Intelligence and DNS Inspection and Sinkholes; I think this is very useful with the types of malicious traffic and attack vectors I have seen. I am going to hold off on upgrading to this due to bad experiences with previous upgrades and Cisco bugs that I encountered on them.
    Regarding SSL inspection, I know that this utilizes a whole lot of CPU overhead in order to properly handle the “on-the-fly” decryption and re-encryption. I am looking forward to your upcoming posts on SSL inspection.

  4. Aminki says:

    Hello Sasa
    I prepare to install Cisco firepower for the first time (I want to install the version 6.0):
    I installed Defense Center 6.0
    I will upgrade the ASA 5525X from 9.2 to 9.4(2)
    but I need help with the FirePOWER module service; the version installed by default is 5.3.1. Could you tell me how to proceed?

    Thanks for help

  5. kima amine says:

    Hello Sasa
    I prepare to install Cisco firepower for the first time (I want to install version 6.0):
    I installed Defense Center 6.0
    I will upgrade the ASA 5525X from 9.2 to 9.4(2)
    but I need help with the FirePOWER module service; the version installed by default is 5.3.1
    Could you tell me how to proceed?
    Thanks for help

  6. Ronnie says:

    I just got our VM FireSIGHT and three ASAs to 6.0. The upgrade went fairly well, but I am having a problem with one of our ASAs. We have two 5525s and one 5512, and for some reason since the update to 6.0 the 5512 will randomly start dropping all traffic through the SFR module. The only way I get the network back up is by disabling the SFR forwarding rule in the firewall service policy. Any ideas?

    • Sasa says:

      If the upgrade has been done by the book, then I would suggest opening TAC case. There are a lot of things with 6.0 that can only be solved by Cisco.

    • Siegi says:

      We see the same behaviour, and Cisco TAC is not able to tell why packets are dropped, even with debugging of the SFR module. Pray for an update soon.

    • Siegi says:

      And there it is: patch!
      https://support.sourcefire.com/sections/1
      🙂

    • Ronnie says:

      Opened a TAC case and this is what I received:

      “CSCux49653 snort crash in file_capture_stop

      In certain scenarios, SMB traffic being inspected by Snort with a file policy doing malware block can cause a memory corruption in Snort leading to a Snort crash.

      The workarounds are as follows:
      1) Not to use ‘malware block’ in all file policies that have SMB configured as an application protocol (or if all application protocols are selected).

      2) Configure all file policies to not have SMB configured as an application protocol (or all Application Protocols)”

      Changing the file policy for malware block from Any to only HTTP fixed the issue. Hope they release an update soon to fix this bug.

      https://tools.cisco.com/bugsearch/bug/CSCux49653

  7. Ronnie says:

    Having another issue since upgrading to 6…. For Analysis > Connection > Events under the Initiator User column it says “No Authentication Required” for all the packets it’s logging. Anyone come across this issue?

  8. NateC says:

    Updated 6.0.0 release notes:

    Updating the system with managed devices running Version 5.4.0.5 or earlier to Version 6.0 may cause traffic outages and system issues. Prior to updating to Version 6.0, you must update managed devices to Version 5.4.0.6 or later prior to updating to Version 6.0.

  9. Pingback: Upgrade Cisco Sourcefire to 6.2.0 | popravak
